Red Hat System Administration II
Student Workbook
RH134-RHEL7-en-1-20140610
MAN-RH134SKE-R2

Comprehensive, hands-on training that solves real world problems

© 2014 Red Hat, Inc. RH134-RHEL7-en-1-20140610
RED HAT SYSTEM ADMINISTRATION II
RH134

Red Hat Enterprise Linux 7 RH134
Red Hat System Administration II
Edition 1

Authors: Wander Boessenkool, Bruce Wolfe, Scott McBrien, George Hacker, Chen Chang
Editor: Steven Bonneville
Copyright © 2014 Red Hat, Inc.

The contents of this course and all its modules and related materials, including handouts to audience members, are Copyright © 2014 Red Hat, Inc.

No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Red Hat, Inc.

This instructional program, including all material provided herein, is supplied without any guarantees from Red Hat, Inc. Red Hat, Inc. assumes no liability for damages or legal action arising from the use or misuse of contents or details contained herein.

If you believe Red Hat training materials are being used, copied, or otherwise improperly distributed please e-mail training@redhat.com or phone toll-free (USA) +1 (866) 626-2994 or +1 (919) 754-3700.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, Hibernate, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a registered trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Contributors: Rob Locke, Bowe Strickland, Forrest Taylor, Rudolf Kastl

Reviewers: Michael Phillips, Lars Bohnsack, Michael Bashford, Clint Tinsley
Document Conventions  xi
  Notes and Warnings  xi

Introduction  xiii
  Red Hat System Administration II  xiii
  Orientation to the Classroom Environment  xiv
  Internationalization  xv

1. Automating Installation with Kickstart
  Defining the Anaconda Kickstart System  2
  Practice: Kickstart File Syntax and Modification  8
  Deploying a New Virtual System with Kickstart  12
  Practice: Installing a System Using Kickstart  16
  Chapter Test: Automating Installation with Kickstart  20

2. Using Regular Expressions with grep  23
  Regular Expressions Fundamentals  24
  Practice: Match the Regular Expression  27
  Matching Text with grep  29
  Practice: Using grep with Logs  32
  Lab: Using Regular Expressions with grep  34

3. Creating and Editing Text Files with vim  41
  The vim Text Editor  42
  Practice: vim Modes  44
  Basic vim Workflow  46
  Practice: Basic vim Workflow  50
  Editing with vim  51
  Practice: Edit a File with vim  55
  Lab: Edit a System File with vim  57

4. Scheduling Future Linux Tasks  61
  Scheduling One-Time Tasks with at  62
  Practice: Scheduling One-Time Tasks with at  64
  Scheduling Recurring Jobs with cron  66
  Practice: Scheduling Recurring Jobs with cron  69
  Scheduling System cron Jobs  70
  Practice: Scheduling System cron Jobs  72
  Managing Temporary Files  74
  Practice: Managing Temporary Files  77
  Chapter Test: Scheduling Future Linux Tasks  79

5. Managing Priority of Linux Processes  83
  Process Priority and "nice" Concepts  84
  Practice: Process Priority and "nice" Concepts  86
  Using nice and renice to Influence Process Priority  88
  Practice: Discovering Process Priorities  90
  Lab: Managing Priority of Linux Processes  93

6. Controlling Access to Files with Access Control Lists (ACLs)  97
  POSIX Access Control Lists (ACLs)  98
  Practice: Interpret ACLs  103
  Securing Files with ACLs  106
  Practice: Using ACLs to Grant and Limit Access  110
  Lab: Controlling Access to Files with Access Control Lists (ACLs)  114

7. Managing SELinux Security  123
  Enabling and Monitoring Security Enhanced Linux (SELinux)  124
  Practice: SELinux Concepts  128
  Changing SELinux Modes  130
  Practice: Changing SELinux Modes  132
  Changing SELinux Contexts  133
  Practice: Changing SELinux Contexts  135
  Changing SELinux Booleans  137
  Practice: Changing SELinux Booleans  139
  Troubleshooting SELinux  141
  Practice: Troubleshooting SELinux  144
  Lab: Managing SELinux Security  147

8. Connecting to Network-defined Users and Groups  153
  Using Identity Management Services  154
  Practice: Connecting to a Central LDAP and Kerberos Server  160
  Lab: Connecting to Network-defined Users and Groups  162

9. Adding Disks, Partitions, and File Systems to a Linux System  167
  Adding Partitions, File Systems, and Persistent Mounts  168
  Practice: Adding Partitions, File Systems, and Persistent Mounts  179
  Managing Swap Space  182
  Practice: Adding and Enabling Swap Space  186
  Lab: Adding Disks, Partitions, and File Systems to a Linux System  190

10. Managing Logical Volume Management (LVM) Storage  197
  Logical Volume Management Concepts  198
  Practice: Logical Volume Management Concepts  200
  Managing Logical Volumes  202
  Practice: Adding a Logical Volume  208
  Extending Logical Volumes  212
  Practice: Extending a Logical Volume  217
  Lab: Managing Logical Volume Management (LVM) Storage  221

11. Accessing Network Storage with Network File System (NFS)  227
  Mounting Network Storage with NFS  228
  Practice: Mounting and Unmounting NFS  231
  Automounting Network Storage with NFS  234
  Practice: Automounting NFS  238
  Lab: Accessing Network Storage with Network File System (NFS)  242

12. Accessing Network Storage with SMB  249
  Accessing Network Storage with SMB  250
  Practice: Mounting a SMB File System  254
  Lab: Accessing Network Storage with SMB  256

13. Controlling and Troubleshooting the Red Hat Enterprise Linux Boot Process  265
  The Red Hat Enterprise Linux Boot Process  266
  Practice: Selecting a Boot Target  270
  Repairing Common Boot Issues  272
  Practice: Resetting a Lost root Password  275
  Repairing File System Issues at Boot  277
  Practice: Repairing Boot Problems  278
  Repairing Boot Loader Issues  280
  Practice: Repairing a Boot Loader Problem  282
  Lab: Controlling and Troubleshooting the Red Hat Enterprise Linux Boot Process  284

14. Limiting Network Communication with firewalld  287
  Limiting Network Communication  288
  Practice: Limiting Network Communication  295
  Lab: Limiting Network Communication  297

15. Comprehensive Review of System Administration II  301
  Red Hat System Administration II Comprehensive Review  302
  Lab: Comprehensive Review of System Administration II  305

-
-


! '

""'""
I

-
i

-.

x
-
-
-
Document Conventions

Notes and Warnings

Note
"Notes" are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.

Comparison
"Comparisons" look at similarities and differences between the technology or topic being discussed and similar technologies or topics in other operating systems or environments.

References
"References" describe where to find external documentation relevant to a subject.

Important
"Important" boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled "Important" will not cause data loss, but may cause irritation and frustration.

Warning
"Warnings" should not be ignored. Ignoring warnings will most likely cause data loss.
Introduction

Red Hat System Administration II
This course is specifically designed for students who have completed Red Hat System Administration I (RH124). Red Hat System Administration II (RH134) focuses on the key tasks needed to become a full time Linux Administrator and to validate those skills via the Red Hat Certified System Administrator exam. This course goes deeper into enterprise Linux administration including filesystems and partitioning, logical volumes, SELinux, firewalling, and troubleshooting.

Course Objectives
• Expand and extend on skills gained during the Red Hat System Administration I (RH124) course.
• Build skills needed by an RHCSA-certified Red Hat Enterprise Linux system administrator.

Audience
• This course is singularly designed for students who have completed Red Hat System Administration I (RH124). The organization of topics is such that it is not appropriate for a student to use RH134 as a curriculum entry point. Students who have not taken a previous Red Hat course are encouraged to take either System Administration I if they are new to Linux or the RHCSA Fast Track course (RH200) if they are experienced with enterprise Linux administration.

Prerequisites
• Having sat the Red Hat System Administration I (RH124) course, or equivalent knowledge.
Orientation to the Classroom Environment

In this course, students will do most hands-on practice exercises and lab work with two computer systems, which will be referred to as desktop and server. These machines have the hostnames desktopX.example.com and serverX.example.com, where the X in the computers' hostnames will be a number that will vary from student to student. Both machines have a standard user account, student, with the password student. The root password on both systems is redhat.

In a live instructor-led classroom, students will be assigned a physical computer ("foundationX") which will be used to access these two machines. The desktop and server systems are virtual machines running on that host. Students should log in to this machine as user kiosk with the password redhat.

On foundationX, a special command called rht-vmctl is used to work with the desktop and server machines. The commands in the table below should be run as the kiosk user on foundationX, and can be used with server (as in the examples) or desktop.

rht-vmctl commands

Action                                                                    Command
Start server machine                                                      rht-vmctl start server
View "physical console" to log in and work with server machine            rht-vmctl view server
Reset server machine to its previous state and restarts virtual machine   rht-vmctl reset server

At the start of a lab exercise, if the instruction "reset your server" appears, that means the command rht-vmctl reset server should be run in a prompt on the foundationX system as user kiosk. Likewise, if the instruction "reset your desktop" appears, that means the command rht-vmctl reset desktop should be run on foundationX as user kiosk.

Each student is on the IPv4 network 172.25.X.0/24, where the X matches the number of their desktopX and serverX systems. The instructor runs a central utility server which acts as a router for the classroom networks and which provides DNS, DHCP, HTTP, and other content services, classroom.example.com.

Classroom Machines

Machine name             IP addresses      Role
desktopX.example.com     172.25.X.10       Student "client" computer
serverX.example.com      172.25.X.11       Student "server" computer
classroom.example.com    172.25.254.254    Classroom utility server
Internationalization

Language support
Red Hat Enterprise Linux 7 officially supports 22 languages: English, Assamese, Bengali, Chinese (Simplified), Chinese (Traditional), French, German, Gujarati, Hindi, Italian, Japanese, Kannada, Korean, Malayalam, Marathi, Odia, Portuguese (Brazilian), Punjabi, Russian, Spanish, Tamil, and Telugu.

Per-user language selection
Users may prefer to use a different language for their desktop environment than the system-wide default. They may also want to set their account to use a different keyboard layout or input method.

Language settings
In the GNOME desktop environment, the user may be prompted to set their preferred language and input method on first login. If not, then the easiest way for an individual user to adjust their preferred language and input method settings is to use the Region & Language application. Run the command gnome-control-center region, or from the top bar, select (User) > Settings. In the window that opens, select Region & Language. The user can click the Language box and select their preferred language from the list that appears. This will also update the Formats setting to the default for that language. The next time the user logs in, these changes will take full effect.

These settings affect the GNOME desktop environment and any applications, including gnome-terminal, started inside it. However, they do not apply to that account if accessed through an ssh login from a remote system or a local text console (such as tty2).
Note
A user can make their shell environment use the same LANG setting as their graphical environment, even when they log in through a text console or over ssh. One way to do this is to place code similar to the following in the user's ~/.bashrc file. This example code will set the language used on a text login to match the one currently set for the user's GNOME desktop environment:

    # Read the Language= line GNOME stores for this user via AccountsService
    # and strip the key, leaving only the locale name (empty if not set).
    i=$(grep 'Language=' /var/lib/AccountsService/users/${USER} \
        | sed 's/Language=//')
    # Only export LANG when a value was actually found.
    if [ "$i" != "" ]; then
        export LANG=$i
    fi

Japanese, Korean, Chinese, or other languages with a non-Latin character set may not display properly on local text consoles.
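The ~/.bashrc idea in the note can be tightened slightly so that a text login never exports a LANG value it did not expect. The following is an added example (not code from the Red Hat workbook): it reads the per-user Language= value in the same way as the note's snippet, but only exports it when it has the shape of a locale name, and it handles the failure modes the snippet skips over, namely a user who has never logged in to GNOME (no file, so grep would print an error on every login) and an empty or malformed value. The function name lang_from_accounts_file, the helper set_lang_from_gnome and the sample files it creates are my own; the AccountsService path is the one the note uses.

```shell
# Added example (not from the workbook): a stricter take on the ~/.bashrc
# snippet. It reads the per-user "Language=" value that GNOME stores via
# AccountsService, but exports LANG only when the value has the shape of a
# locale name, so a missing file, an empty value or unexpected text can
# never end up in the environment of a text login.
#
# Assumptions (mine): the file is "Key=Value" lines, as the snippet greps
# it, and the path is a parameter so the function can be exercised against
# constructed sample files.

# lang_from_accounts_file FILE
# Prints the validated locale name; returns 1 and prints nothing otherwise.
lang_from_accounts_file() {
    file=$1
    # Users who never logged in to GNOME have no file: stay silent rather
    # than letting grep complain on every text login.
    [ -r "$file" ] || return 1
    # First Language= line only, with the key stripped.
    value=$(sed -n 's/^Language=//p' "$file" | head -n 1)
    [ -n "$value" ] || return 1
    # Accept ll[_CC][.codeset][@modifier] and nothing else.
    printf '%s\n' "$value" \
        | grep -Eq '^[a-z]{2,3}(_[A-Z]{2})?(\.[A-Za-z0-9-]+)?(@[a-z0-9]+)?$' \
        || return 1
    printf '%s\n' "$value"
}

# What would actually go in ~/.bashrc: use the real AccountsService path
# and leave LANG alone when no valid value is found.
set_lang_from_gnome() {
    lang=$(lang_from_accounts_file "/var/lib/AccountsService/users/${USER:-}") || return 0
    export LANG="$lang"
}

# Constructed sample files (not real data) showing the possible outcomes.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[User]\nLanguage=fr_FR.utf8\nXSession=gnome\n' > "$demo_dir/good"
printf '[User]\nLanguage=\n' > "$demo_dir/empty"
printf '[User]\nLanguage=French (France)\n' > "$demo_dir/odd"

lang_from_accounts_file "$demo_dir/good"      # prints fr_FR.utf8
lang_from_accounts_file "$demo_dir/empty" || echo "empty: LANG left unchanged"
lang_from_accounts_file "$demo_dir/odd"   || echo "odd:   LANG left unchanged"
lang_from_accounts_file "$demo_dir/none"  || echo "none:  LANG left unchanged"
```

Only the set_lang_from_gnome function belongs in ~/.bashrc; the sample files exist purely to show the accept and reject paths.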

Individual commands can be made to use another language by setting the LANG variable on the command line:

    [user@host ~]$ LANG=fr_FR.utf8 date
    jeu. avril 24 17:55:01 CDT 2014

Subsequent commands will revert to using the system's default language for output. The locale command can be used to check the current value of LANG and other related environment variables.

Input method settings
GNOME 3 in Red Hat Enterprise Linux 7 automatically uses the IBus input method selection system, which makes it easy to change keyboard layouts and input methods quickly.

The Region & Language application can also be used to enable alternative input methods. In the Region & Language application's window, the Input Sources box shows what input methods are currently available. By default, English (US) may be the only available method. Highlight English (US) and click the keyboard icon to see the current keyboard layout.

To add another input method, click the + button at the bottom left of the Input Sources window. An Add an Input Source window will open. Select your language, and then your preferred input method or keyboard layout.

Once more than one input method is configured, the user can switch between them quickly by typing Super+Space (sometimes called Windows+Space). A status indicator will also appear in the GNOME top bar, which has two functions: it indicates which input method is active, and acts as a menu that can be used to switch between input methods or select advanced features of more complex input methods.

Some of the methods are marked with gears, which indicate that those methods have advanced configuration options and capabilities. For example, the Japanese Japanese (Kana Kanji) input method allows the user to pre-edit text in Latin and use the Down Arrow and Up Arrow keys to select the correct characters to use.

US English speakers may also find this useful. For example, under English (United States) is the keyboard layout English (international AltGr dead keys), which treats AltGr (or the right Alt) on a PC 104/105-key keyboard as a "secondary-shift" modifier key and dead key activation key for typing additional characters. There are also Dvorak and other alternative layouts available.

-
Note
Any Unicode character can be entered in the GNOME desktop environment if the user knows the character's Unicode code point, by typing Ctrl+Shift+U, followed by the code point. After Ctrl+Shift+U has been typed, an underlined u will be displayed to indicate that the system is waiting for Unicode code point entry.

For example, the lowercase Greek letter lambda has the code point U+03BB, and can be entered by typing Ctrl+Shift+U, then 03bb, then Enter.
System-wide default language settings

The system's default language is set to US English, using the UTF-8 encoding of Unicode as its character set (en_US.utf8), but this can be changed during or after installation.

From the command line, root can change the system-wide locale settings with the localectl command. If localectl is run with no arguments, it will display the current system-wide locale settings.
To set the system-wide language, run the command localectl set-locale LANG=locale, where locale is the appropriate $LANG from the "Language Codes Reference" table in this chapter. The change will take effect for users on their next login, and is stored in /etc/locale.conf.

[root@host ~]# localectl set-locale LANG=fr_FR.utf8

In GNOME, an administrative user can change this setting from Region & Language by clicking the Login Screen button at the upper-right corner of the window. Changing the Language of the login screen will also adjust the system-wide default language setting stored in the /etc/locale.conf configuration file.
Important
Local text consoles such as tty2 are more limited in the fonts that they can display than gnome-terminal and ssh sessions. For example, Japanese, Korean, and Chinese characters may not display as expected on a local text console. For this reason, it may make sense to use English or another language with a Latin character set for the system's text console.

Likewise, local text consoles are more limited in the input methods they support, and this is managed separately from the graphical desktop environment. The available global input settings can be configured through localectl for both local text virtual consoles and the X11 graphical environment. See the localectl(1), kbd(4), and vconsole.conf(5) man pages for more information.
Language packs

When using non-English languages, you may want to install additional "language packs" to provide additional translations, dictionaries, and so forth. To view the list of available langpacks, run yum langavailable. To view the list of langpacks currently installed on the system, run yum langlist. To add an additional langpack to the system, run yum langinstall code, where code is the code in square brackets after the language name in the output of yum langavailable.
References
locale(7), localectl(1), kbd(4), locale.conf(5), vconsole.conf(5), unicode(7), utf-8(7), and yum-langpacks(8) man pages

Conversions between the names of the graphical desktop environment's X11 layouts and their names in localectl can be found in the file /usr/share/X11/xkb/rules/base.lst.
Introduction
Language Codes Reference

Language Codes
Language                  $LANG value
English (US)              en_US.utf8
Assamese                  as_IN.utf8
Bengali                   bn_IN.utf8
Chinese (Simplified)      zh_CN.utf8
Chinese (Traditional)     zh_TW.utf8
French                    fr_FR.utf8
German                    de_DE.utf8
Gujarati                  gu_IN.utf8
Hindi                     hi_IN.utf8
Italian                   it_IT.utf8
Japanese                  ja_JP.utf8
Kannada                   kn_IN.utf8
Korean                    ko_KR.utf8
Malayalam                 ml_IN.utf8
Marathi                   mr_IN.utf8
Odia                      or_IN.utf8
Portuguese (Brazilian)    pt_BR.utf8
Punjabi                   pa_IN.utf8
Russian                   ru_RU.utf8
Spanish                   es_ES.utf8
Tamil                     ta_IN.utf8
Telugu                    te_IN.utf8
CHAPTER 1

AUTOMATING INSTALLATION WITH KICKSTART

Overview

Goal: To automate the installation of Red Hat Enterprise Linux systems with Kickstart.

Objectives:
• Explain Kickstart concepts and architecture.
• Create a Kickstart configuration file.

Sections:
• Defining the Anaconda Kickstart System (and Practice)
• Deploying a New Virtual System with Kickstart (and Practice)

Chapter Test: Automating Installation with Kickstart
Chapter 1. Automating Installation with Kickstart

Defining the Anaconda Kickstart System

Objectives

After completing this section, students should be able to identify key configuration elements found inside a Kickstart configuration file.
Introduction to Kickstart installations

A system administrator can automate the installation of Red Hat Enterprise Linux using a feature called Kickstart. Anaconda, the Red Hat installer, needs to be told how to install a system: partition disks, configure network interfaces, select which packages to install, etc. This is an interactive process by default. A Kickstart installation uses a text file to provide all of the answers to these questions, so no interaction is required.
Comparison
Kickstart in Red Hat Enterprise Linux is similar to Jumpstart for Oracle Solaris, or to an unattended installation for Microsoft Windows.
Kickstart configuration files begin with a list of commands that define how the target machine is to be installed. Lines that start with # characters are comments that are ignored by the installer. Additional sections begin with a line that starts with a % character and end with a line with the %end directive.

The %packages section specifies the software to be installed on the target system. Individual packages are specified by name (without versions). Package groups can be specified by name or ID, and start with an @ character. Environment groups (groups of package groups) can be specified with the @^ followed immediately by the name or ID of the environment group. Groups have mandatory, default, and optional components. Normally, mandatory and default components will be installed by Kickstart. Package or group names that are preceded with a - character are excluded from installation unless they are mandatory or installed due to RPM dependencies from other packages.

Two additional sections are the %pre and %post scripts. %post scripts are more common. They configure the system after all of the software has been installed. The %pre script is executed before any disk partitioning is done.

The configuration commands must be specified first. The %pre, %post, and %packages can occur in any order after the configuration commands.
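As an added example (not the workbook's code and not part of the pykickstart project), the following Python script applies the structure rules just described to a constructed sample file: it separates the leading command block from the %-sections, checks that every section is closed by %end and that no command follows a section, and flags a few settings a reviewer would want to see before the file is served from an install server. The RISKY patterns and their messages are this example's own wording.

```python
"""Structural and hardening checks for a Kickstart file (added example)."""
import re

# Directives that weaken the installed system or leave a secret in a file
# that is later published on a network server. Messages are this example's own.
RISKY = [
    (re.compile(r"^rootpw\s+(?!--iscrypted)"),
     "rootpw without --iscrypted stores the root password in clear text"),
    (re.compile(r"^selinux\s+--disabled"),
     "selinux --disabled turns SELinux off on the installed system"),
    (re.compile(r"^firewall\s+--disabled"),
     "firewall --disabled installs with no host firewall"),
    (re.compile(r"^user\s+.*--plaintext"),
     "user --plaintext stores an account password in clear text"),
]


def parse_kickstart(text):
    """Return (commands, sections, problems).

    commands: list of (line_no, line) found before the first % section.
    sections: dict of section name -> body lines (the %end line is consumed).
    problems: human-readable structural errors, in file order.
    """
    commands, sections, problems = [], {}, []
    current = None  # name of the % section currently open, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and # comments are ignored by the installer
        if line == "%end":
            if current is None:
                problems.append(f"line {no}: %end without an open section")
            current = None
        elif line.startswith("%"):
            name = line.split()[0]  # "%post --erroronfail" -> "%post"
            if current is not None:
                problems.append(f"line {no}: %{current} not closed before {name}")
            current = name[1:]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        elif sections:
            # Commands must precede every % section.
            problems.append(f"line {no}: command '{line.split()[0]}' after a % section")
        else:
            commands.append((no, line))
    if current is not None:
        problems.append(f"%{current} section is never closed with %end")
    return commands, sections, problems


def hardening_findings(commands):
    """Return the RISKY messages triggered by the command block."""
    findings = []
    for no, line in commands:
        for pattern, message in RISKY:
            if pattern.search(line):
                findings.append(f"line {no}: {message}")
    return findings


# Constructed sample in the shape of the chapter's example file, with two
# weak settings and a %pre section that is never closed.
SAMPLE = """\
#version=RHEL7
auth --useshadow --enablemd5 --passalgo=sha512
url --url="http://classroom.example.com/content/rhel7.0/x86_64/dvd/"
rootpw --plaintext redhat
selinux --disabled
lang en_US.UTF-8
%packages
@core
-plymouth
%end
%post --erroronfail
echo "Kickstarted for class on $(date)" >> /etc/issue
%end
%pre
echo "never closed"
"""

if __name__ == "__main__":
    cmds, secs, probs = parse_kickstart(SAMPLE)
    for item in probs + hardening_findings(cmds):
        print(item)
```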

Kickstart configuration file commands

Installation commands

• url: Specifies the location for the installation media.

  Example:

  url --url="ftp://installserver.example.com/pub/RHEL7/dvd"

• repo: This option tells Anaconda where to find the packages for installation. This option must point to a valid yum repository.

  Example:

  repo --name="Custom Packages" --baseurl="ftp://repo.example.com/custom"

• text: Forces text mode install.

• vnc: Allows the graphical installation to be viewed remotely via VNC.

  Example:

  vnc --password=redhat

• askmethod: Do not automatically use the CD-ROM as the source of packages when installation media is detected in the CD-ROM drive.
Partitioning commands

• clearpart: Clears the specified partitions before installation.

  Example:

  clearpart --all --drives=sda,sdb --initlabel

• part: Specifies the size, format, and name of a partition.

  Example:

  part /home --fstype=ext4 --label=homes --size=4096 --maxsize=8192 --grow

• ignoredisk: Ignores the specified disks when installing.

  Example:

  ignoredisk --drives=sdc

• bootloader: Defines where to install the bootloader.

  Example:

  bootloader --location=mbr --boot-drive=sda

• volgroup, logvol: Creates LVM volume groups and logical volumes.

  Example:

  part pv.01 --size=8192
  volgroup myvg pv.01
  logvol / --vgname=myvg --fstype=xfs --size=2048 --name=rootvol --grow
  logvol /var --vgname=myvg --fstype=xfs --size=4096 --name=varvol

• zerombr: Disks whose formatting is unrecognized are initialized.
Network commands

• network: Configures network information for the target system and activates network devices in the installer environment.

  Example:

  network --device=eth0 --bootproto=dhcp

• firewall: This option defines how the firewall will be configured on the target system.

  Example:

  firewall --enabled --service=ssh,cups
Configuration commands

• lang: This required command sets the language to use during installation and the default language of the installed system.

  Example:

  lang en_US.UTF-8

• keyboard: This required command sets the system keyboard type.

  Example:

  keyboard --vckeymap=us --xlayouts='us','us'

• timezone: Defines timezone, NTP servers, and whether the hardware clock uses UTC.

  Example:

  timezone --utc --ntpservers=time.example.com Europe/Amsterdam

• auth: This required command sets up the authentication options for the system.

  Example:

  auth --useshadow --enablemd5 --passalgo=sha512

• rootpw: Defines the initial root password.

  Example:

  rootpw --plaintext redhat
  or

  rootpw --iscrypted $6$KUnFfrTzOBjv.PiH$YlBbOtXBkWzoMuRfb0.SpbQ....XDR1UuchoMG1

• selinux: Sets the state of SELinux on the installed system.

  Example:

  selinux --enforcing
• services: Modifies the default set of services that will run under the default runlevel.

  Example:

  services --disabled=network,iptables,ip6tables --enabled=NetworkManager,firewalld

• group, user: Create a local group or user on the system.

  Example:

  group --name=admins --gid=10001
  user --name=jdoe --gecos="John Doe" --groups=admins --password=changeme --plaintext
Miscellaneous commands

• logging: This command defines how Anaconda will log during the installation.

  Example:

  logging --host=loghost.example.com --level=info

• firstboot: Determines whether firstboot starts the first time the system is booted.

  Example:

  firstboot --disabled

• reboot, poweroff, halt: Specify what should happen after the installation finishes.
Note
The ksverdiff utility from the pykickstart package is useful for identifying changes in Kickstart file syntax between two versions of Red Hat Enterprise Linux or Fedora.

For example, ksverdiff -f RHEL6 -t RHEL7 will identify changes in syntax from RHEL 6 to RHEL 7. Available versions are listed in the top of the file /usr/lib/python2.7/site-packages/pykickstart/version.py.
Example Kickstart file:

#version=RHEL7
# System authorization information
auth --useshadow --enablemd5
# Use network installation
url --url="http://classroom.example.com/content/rhel7.0/x86_64/dvd/"
# Firewall configuration
firewall --enabled --service=ssh
firstboot --disable
ignoredisk --only-use=vda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us','us'
# System language
lang en_US.UTF-8
# Installation logging level
logging --level=info
# Network information
network --bootproto=dhcp
# Root password
rootpw --iscrypted $6$/h/Mumvarr2dKrv1$Krv7h9.QoV0s....foMXsGXP1KllaiJ/w7EWiL1
# SELinux configuration
selinux --enforcing
# System services
services --disabled="kdump,rhsmcertd" --enabled="network,sshd,rsyslog,chronyd"
# System timezone
timezone --utc America/Los_Angeles
# System bootloader configuration
bootloader --location=mbr --boot-drive=vda
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part / --fstype="xfs" --ondisk=vda --size=10000

%packages
@core
chrony
cloud-init
dracut-config-generic
dracut-norescue
firewalld
grub2
kernel
rsync
tar
-NetworkManager
-plymouth
%end

%post --erroronfail
# For cloud images, 'eth0' is the predictable device name, since
# we don't want to be tied to specific virtual (!) hardware
rm -f /etc/udev/rules.d/70*
ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules

# simple eth0 config, again not hard-coded to the build hardware
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
USERCTL="yes"
PEERDNS="yes"
IPV6INIT="no"
EOF
%end
Note
In a Kickstart file, missing required values cause the installer to interactively prompt for an answer or to abort the installation entirely.
References
ksverdiff(1) man page

The file /usr/share/doc/pykickstart-*/kickstart-docs.txt provided by the pykickstart package contains useful and detailed information on the syntax of Kickstart files.

Additional information may be available in the Red Hat Enterprise Linux Installation Guide for RHEL 7 located at:
https://access.redhat.com/docs/
Practice: Kickstart File Syntax and Modification

Quiz

Match the following Kickstart commands with their descriptions in the table.

%packages   auth   clearpart   network   part   %post   rootpw   services   timezone   url

Description: Section of a Kickstart configuration file that specifies what software is installed on the new system.
Command: ________

Description: Required Kickstart command that configures how users access the system.
Command: ________

Description: Location of the software used by Kickstart to install a system.
Command: ________

Description: Scripting in a Kickstart configuration file that is executed after the software is installed on a system.
Command: ________

Description: Kickstart command that specifies which partitions should be cleared before installation.
Command: ________

Description: Modifies which services will start by default at system boot.
Command: ________

Description: Defines the default authentication credentials for the superuser.
Command: ________

Description: Kickstart command that specifies the size, format, and name of a disk partition.
Command: ________

Description: Kickstart command used to specify NTP servers.
Command: ________

Description: Determines the network configuration for the installation and the target system.
Command: ________
Solution

Match the following Kickstart commands with their descriptions in the table.

Description: Section of a Kickstart configuration file that specifies what software is installed on the new system.
Command: %packages

Description: Required Kickstart command that configures how users access the system.
Command: auth

Description: Location of the software used by Kickstart to install a system.
Command: url

Description: Scripting in a Kickstart configuration file that is executed after the software is installed on a system.
Command: %post

Description: Kickstart command that specifies which partitions should be cleared before installation.
Command: clearpart

Description: Modifies which services will start by default at system boot.
Command: services

Description: Defines the default authentication credentials for the superuser.
Command: rootpw

Description: Kickstart command that specifies the size, format, and name of a disk partition.
Command: part

Description: Kickstart command used to specify NTP servers.
Command: timezone

Description: Determines the network configuration for the installation and the target system.
Command: network
Deploying a New Virtual System with Kickstart

Objectives

After completing this section, students should be able to:

• Create a Kickstart configuration file with the system-config-kickstart utility.
• Modify an existing Kickstart configuration file with a text editor and check its syntax with ksvalidator.
• Publish a Kickstart configuration file to the installer.
• Perform a network Kickstart installation.

Kickstart installation steps

An ordered process is required to automate the successful installation of Red Hat Enterprise Linux.

Three steps must be taken to perform a Kickstart installation:

1. Create a Kickstart configuration file.
2. Publish the Kickstart configuration file to the installer.
3. Boot Anaconda and point it to the Kickstart configuration file.

Creating a Kickstart configuration file

There are two ways to create a Kickstart configuration file:

• Use the system-config-kickstart utility.
• Use a text editor.

The system-config-kickstart utility presents a number of graphical dialog boxes, takes inputs from the user, then creates a text file with Kickstart directives that correspond to the user's choices. Each dialog box corresponds to a category of questions asked by the Red Hat installer, Anaconda. Optionally, an existing configuration file can be passed as an argument and system-config-kickstart will use it to populate values for configuration options. system-config-kickstart is provided by the system-config-kickstart package.
[Screenshot of the Kickstart Configurator window: the Partitions panel with its Master Boot Record, Partitions, Disk label, and Layout (Device/Partition Number, Mount Point/RAID, Type, Format, Size (MB)) options.]

Figure 1.1: Configuring storage with system-config-kickstart
Creating a Kickstart configuration file from scratch with a text editor is rare. The Anaconda installer creates a file called /root/anaconda-ks.cfg that contains the Kickstart directives that can be used to generate the freshly installed system. This file makes a good starting point when creating a Kickstart configuration file with a text editor.

The following are some reasons for creating a Kickstart file manually instead of using system-config-kickstart:

1. The GUI and/or system-config-kickstart is unavailable.
2. Advanced disk partition configuration instructions are needed. system-config-kickstart does not support LVM and software RAID.
3. Individual packages need to be included or omitted (not just groups).
4. More advanced scripting is needed in the %pre and %post sections.
ksvalidator is a utility that checks for syntax errors in a Kickstart configuration file. It will ensure keywords and options are properly used, but it will not validate URL paths, individual packages, or groups, nor any part of %post or %pre scripts. For instance, if the firewall --disabled directive is misspelled, ksvalidator could produce one of the following errors:

[student@desktopX]$ ksvalidator /tmp/anaconda-ks.cfg
The following problem occurred on line 10 of the kickstart file:
Unknown command: frewall

[student@desktopX]$ ksvalidator /tmp/anaconda-ks.cfg
The following problem occurred on line 10 of the kickstart file:
no such option: --dsabled

The pykickstart RPM provides ksvalidator.
Publish the Kickstart configuration file to Anaconda

Make the Kickstart configuration file available to the installer:

• Network servers: FTP, HTTP, NFS
• DHCP/TFTP server
• USB disk or CD-ROM
• Local hard disk

The installer must be able to access the Kickstart file to begin an automated installation. Although there are several methods to make the Kickstart configuration file available, the most common is through a network server such as an FTP server, a web server, or an NFS server. Network servers facilitate Kickstart file maintenance because changes only need to be made once and take effect immediately.

Providing Kickstart files on USB or CD-ROM is another convenient way to publish configuration files. The Kickstart configuration file is embedded on the boot media used to start the installation. When changes are made, new installation media must be generated.

It is possible to provide the Kickstart file on a local disk. This allows a quick way to rebuild a development server.
Boot Anaconda and point it to the Kickstart configuration file

Once a Kickstart method is chosen, the installer must be told where the Kickstart file is located. This is done by passing a ks=LOCATION argument to the installation kernel. The following are some sample specifications:

• ks=http://server/dir/file
• ks=ftp://server/dir/file
• ks=nfs:server:/dir/file
• ks=hd:device:/dir/file
• ks=cdrom:/dir/file
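As an added example (not from the workbook), a small Python parser for the five ks= forms listed above: it splits each location into its source type and the pieces the installer needs, marks whether the file is fetched over the network or read from local media, and rejects malformed values, which is handy when reviewing PXE or boot-parameter configurations. The returned dictionary layout is this example's own design.

```python
"""Parse ks=LOCATION boot arguments (added example, not workbook code)."""
from urllib.parse import urlsplit


def parse_ks_location(value):
    """Return a dict describing a ks= argument, or raise ValueError.

    Accepted forms are exactly those in the list above:
    http://server/dir/file, ftp://server/dir/file, nfs:server:/dir/file,
    hd:device:/dir/file and cdrom:/dir/file. A leading "ks=" is optional.
    """
    if value.startswith("ks="):
        value = value[3:]

    # Network file servers: the file is fetched from a server at boot time.
    if value.startswith(("http://", "ftp://")):
        parts = urlsplit(value)
        if not parts.netloc or parts.path in ("", "/"):
            raise ValueError(f"missing server or file path in {value!r}")
        return {"type": parts.scheme, "server": parts.netloc,
                "path": parts.path, "network": True}

    # NFS export: nfs:server:/dir/file
    if value.startswith("nfs:"):
        server, _, path = value[4:].partition(":")
        if not server or not path.startswith("/"):
            raise ValueError(f"nfs form must be nfs:server:/dir/file, got {value!r}")
        return {"type": "nfs", "server": server, "path": path, "network": True}

    # Local hard disk: hd:device:/dir/file
    if value.startswith("hd:"):
        device, _, path = value[3:].partition(":")
        if not device or not path.startswith("/"):
            raise ValueError(f"hd form must be hd:device:/dir/file, got {value!r}")
        return {"type": "hd", "device": device, "path": path, "network": False}

    # Boot media: cdrom:/dir/file
    if value.startswith("cdrom:"):
        path = value[6:]
        if not path.startswith("/"):
            raise ValueError(f"cdrom form must be cdrom:/dir/file, got {value!r}")
        return {"type": "cdrom", "path": path, "network": False}

    raise ValueError(f"unsupported ks= location {value!r}")


if __name__ == "__main__":
    # Constructed sample boot arguments, one per supported form.
    for arg in ("ks=http://server/dir/file", "ks=nfs:server:/dir/file",
                "ks=hd:vda1:/dir/file", "ks=cdrom:/dir/file"):
        print(arg, "->", parse_ks_location(arg))
```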

-
14 RH134- R H E L7 - en-1 -2014061 0

-
Boot A n a co nda a nd point it to t h e K i cksta rt co nfig u r a t i o n f i l e

Figure 1.2: Specifying the Kickstart file location during PXE boot

For virtual machine installations using the Virtual Machine Manager or virt-manager, the Kickstart URL can be specified in a box under URL Options. When installing physical machines, boot using installation media and press the Tab key to interrupt the boot process. Enter one of the ks= entries above as a parameter to the installation kernel.
References
ksvalidator(1) and system-config-kickstart(8) man pages
Practice: Installing a System Using Kickstart

Guided exercise

In this lab, you will create a Kickstart configuration file, confirm it is syntactically correct, and publish it for use.

Resources
Files: /root/anaconda-ks.cfg
Machines: desktopX and serverX

Outcomes

You will have a Kickstart configuration file based on the anaconda-ks.cfg file on desktopX. It will install packages from classroom.example.com, use DHCP for networking, partition storage and install packages according to specifications, and perform minor customization of the newly installed system. Additionally, you will go through the process of using your Kickstart configuration file to reinstall serverX.

Before you begin...

• Reset your desktopX system.
• Log into and set up your desktopX system.

[student@desktopX ~]$ lab kickstart setup

1. Copy /root/anaconda-ks.cfg on desktopX to a file called kickstart.cfg that student can edit.

[student@desktopX ~]$ sudo cat /root/anaconda-ks.cfg > kickstart.cfg
2. Make the following changes to kickstart.cfg.

2.1. Change the url command to specify the HTTP installation source media used in the classroom:

url --url="http://classroom.example.com/content/rhel7.0/x86_64/dvd/"

2.2. Configure the network to use DHCP. There should only be a single network directive that looks like the following:

network --bootproto=dhcp

2.3. Modify the disk configuration to only have the following three directives:

# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part / --fstype="xfs" --ondisk=vda --size=5120

Be sure the size is adjusted to 5120.

2.4. Comment the reboot directive:

#reboot

2.5. Change the packages that are installed to include httpd, but not cloud-init. Simplify the package specification to look exactly like the following:

@core
chrony
dracut-config-generic
dracut-norescue
firewalld
grub2
kernel
rsync
tar
httpd
-plymouth

2.6. Delete all of the content in the %post section except for the following lines:

%post --erroronfail
# make sure firstboot doesn't start
echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot
# append /etc/issue with a custom message
echo "Kickstarted for class on $(date)" >> /etc/issue
%end

2.7. Set the root password to redhat. Change the line that starts with rootpw to:

rootpw --plaintext redhat

3. Use the ksvalidator command to check the Kickstart file for syntax errors.

[student@desktopX ~]$ ksvalidator kickstart.cfg

4. Copy kickstart.cfg to the /var/www/html/ks-config directory.

[student@desktopX ~]$ sudo cp ~student/kickstart.cfg /var/www/html/ks-config

5. Run the lab kickstart grading script on desktopX to confirm the specified changes have been made and the kickstart file is available via HTTP.

[root@desktopX ~]# lab kickstart grade
Kickstart file available via HTTP..... PASS
Confirming installation media......... PASS
-

C h e c k i n g i n s t alled d i s k size . . . . . . . . . . PASS


C o n f i r m i n g n e t wo r k c o n f i g u ra t i o n . . . . . . PASS
-

- RH134- R H E L 7-en-1 -2014061 0 17

-
-

C h a pte r 1 . A u t o m ating I nsta l l at ion w i t h K i c ksta rt


-

C h e c k i n g s o f t wa r e pac kage s e l e c t i o n . . . PASS


I -

□ 6. PXE-boot the serverX virtual machine and initiate a Kickstart installation.

□ 6.1. Boot the serverX virtual machine. Quickly, during the boot sequence, it will display the following message:

Press F12 for boot menu.

Press F12 to get to the boot menu.

□ 6.2. You should see a menu similar to the following:

Select boot device:

1. Virtio disk PCI:0:4
2. Virtio disk PCI:0:5
3. Legacy option rom
4. iPXE (PCI 00:03.0)

Select the number that selects the iPXE device.

□ 6.3. Use the arrow keys to highlight the line that reads Install Red Hat Enterprise Linux 7.0. Press the Tab key to see the full configuration options. Add the ks=http://desktopX.example.com/ks-config/kickstart.cfg directive to the end of the line, then press Enter.

.../dvd quiet ks=http://desktopX.example.com/ks-config/kickstart.cfg

It takes a couple of minutes for the installation to begin. If it aborts or prompts for input, make corrections to your Kickstart configuration file, publish it, then try again.

□ 7. Watch the installation and wait for it to complete.

□ 7.1. Once the installation gets started, you should see a graphical screen appear as Anaconda formats the hard drive, then installs packages.

□ 7.2. The installer will pause once the installation is finished. Click the Reboot button to continue. serverX should display the following when it finishes booting:

Red Hat Enterprise Linux Server 7.0 (Maipo)
Kernel 3.10.0-84.el7.x86_64 on an x86_64

Kickstarted for class on Fri Feb 28 20:08:22 EST 2014
serverX login:

□ 8. Log into serverX as root, download, and run the grading script.

[root@serverX ~]# curl http://classroom.example.com/pub/materials/lab-kickstart -o lab-kickstart
[root@serverX ~]# chmod 755 lab-kickstart
[root@serverX ~]# ./lab-kickstart grade

Confirming installation media......... PASS
Checking installed disk size.......... PASS
Confirming network configuration...... PASS
Checking software package selection... PASS
Checking effects of kickstart %post... PASS
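Steps 1 through 4 of this exercise can be scripted, which also makes it easy to see what each edit does. The script below is an added example written for this edition; it is not part of the RH134 workbook or of the lab scripts. It reads an anaconda-ks.cfg on standard input (a constructed sample stands in for /root/anaconda-ks.cfg, since that file is written by the installer and differs per machine), applies the edits of steps 2.1 to 2.7, and then checks the result for the same properties that lab kickstart grade reports on. KS_URL, the function names and the sample file are this example's own choices. Two things worth knowing before you publish a file like this: `sudo cat /root/anaconda-ks.cfg > kickstart.cfg` works in step 1 because the redirection is performed by student's own shell, so the copy is owned by student (a `sudo cp` would leave it owned by root); and `rootpw --plaintext redhat` puts the root password in a file that step 4 then serves over unauthenticated HTTP to anything on the classroom network, which is fine for a lab and not for production, where `rootpw --iscrypted` with a hashed password is the form to use.

```shell
#!/bin/sh
# Added example for this edition; not code from the RH134 workbook or its lab
# scripts. Scripts steps 1-4 of the exercise: rewrite an anaconda-ks.cfg into the
# kickstart.cfg the exercise describes, then check the result. KS_URL, the
# function names and the sample input are this example's own choices.

KS_URL='http://classroom.example.com/content/rhel7.0/x86_64/dvd/'

# Constructed stand-in for /root/anaconda-ks.cfg (the real file is written by the
# installer and differs per machine). It deliberately carries the things the
# exercise wants removed: a static network, two part lines, cloud-init, reboot,
# and a %post that does more than the exercise allows.
sample_anaconda_ks() {
    cat <<'EOF'
#version=RHEL7
install
url --url="http://some.other.host/rhel7"
text
lang en_US.UTF-8
keyboard --vckeymap=us --xlayouts='us'
network --bootproto=static --ip=172.25.0.11 --device=eth0 --activate
network --hostname=serverX.example.com
rootpw --iscrypted $6$notasalt$notarealhash
timezone America/New_York --isUtc
bootloader --location=mbr --boot-drive=vda
# Partition clearing information
clearpart --none --initlabel
# Disk partitioning information
part / --fstype="xfs" --ondisk=vda --size=10240
part swap --fstype="swap" --ondisk=vda --size=1024
reboot

%packages
@core
chrony
cloud-init
kernel
%end

%post --erroronfail
echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot
touch /root/installed-by-old-post
%end
EOF
}

# Steps 2.1-2.7: read the original on stdin, write the edited file on stdout.
# The command section is edited line by line; everything from the first
# %-section onward is dropped (so any %addon section goes too) and replaced
# with exactly the %packages and %post blocks the exercise specifies.
make_kickstart() {
    awk -v url="$KS_URL" '
        /^%/        { insection = 1 }
        insection   { next }
        /^url /     { print "url --url=\"" url "\""; next }                                   # 2.1
        /^network / { if (!netdone) { print "network --bootproto=dhcp"; netdone = 1 }; next } # 2.2
        /^(zerombr|clearpart |part |# Partition clearing|# Disk partitioning)/ {              # 2.3
            if (!diskdone) {
                print "# Clear the Master Boot Record"
                print "zerombr"
                print "# Partition clearing information"
                print "clearpart --all --initlabel"
                print "# Disk partitioning information"
                print "part / --fstype=\"xfs\" --ondisk=vda --size=5120"
                diskdone = 1
            }
            next
        }
        /^reboot$/  { print "#reboot"; next }                                                  # 2.4
        /^rootpw /  { print "rootpw --plaintext redhat"; next }                                # 2.7
        { print }
        END {                                                                                  # 2.5 and 2.6
            print ""; print "%packages"
            n = split("@core chrony dracut-config-generic dracut-norescue firewalld grub2 kernel rsync tar httpd -plymouth", pkg, " ")
            for (i = 1; i <= n; i++) print pkg[i]
            print "%end"; print ""
            print "%post --erroronfail"
            print "# make sure firstboot does not start"
            print "echo \"RUN_FIRSTBOOT=NO\" > /etc/sysconfig/firstboot"
            print "# append /etc/issue with a custom message"
            print "echo \"Kickstarted for class on $(date)\" >> /etc/issue"
            print "%end"
        }'
}

# Step 5, locally: the checks that "lab kickstart grade" reports on. Prints one
# line per failed check and returns non-zero if any check failed.
check_kickstart() {
    f=$1; rc=0
    grep -q "^url --url=\"$KS_URL\"\$" "$f"                          || { echo "installation media: not $KS_URL"; rc=1; }
    [ "$(grep -c '^network ' "$f")" = 1 ]                           || { echo "network: expected exactly one directive"; rc=1; }
    grep -q '^network --bootproto=dhcp$' "$f"                       || { echo "network: not DHCP"; rc=1; }
    grep -q '^part / --fstype="xfs" --ondisk=vda --size=5120$' "$f" || { echo "disk: / must be xfs, 5120 MiB, on vda"; rc=1; }
    grep -q '^#reboot$' "$f"                                        || { echo "reboot: must be commented out"; rc=1; }
    grep -q '^httpd$' "$f"                                          || { echo "packages: httpd missing"; rc=1; }
    ! grep -q '^cloud-init$' "$f"                                   || { echo "packages: cloud-init still listed"; rc=1; }
    grep -q '^echo "Kickstarted for class on' "$f"                  || { echo "%post: /etc/issue message missing"; rc=1; }
    return $rc
}

# On desktopX, after sourcing this file, steps 1, 3 and 4 become:
#   sudo cat /root/anaconda-ks.cfg | make_kickstart > kickstart.cfg
#   check_kickstart kickstart.cfg && ksvalidator kickstart.cfg
#   sudo cp ~student/kickstart.cfg /var/www/html/ks-config
```

For a file that leaves the classroom, replace the rootpw line with `rootpw --iscrypted` followed by a crypt(3) SHA-512 hash; for example `python -c 'import crypt; print(crypt.crypt("redhat", "$6$" + "somesalt"))'` prints one (use a random salt, and note that on RHEL 7's Python 2 the salt argument is required). ksvalidator checks syntax only, so it is still the last word on whether the file is well-formed; the check function above only covers what this exercise asks for.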


Chapter Test: Automating Installation with Kickstart

Quiz

The steps to install a Red Hat Enterprise Linux server using Kickstart follow. Indicate the order in which the steps should be taken.

a. Check the configuration file for syntax errors with ksvalidator.

b. Boot Anaconda from installation media.

c. Use a text editor to add logical volume management commands to the Kickstart configuration file.

d. Specify the ks= option to point the installer to the Kickstart configuration file.

e. Use system-config-kickstart to create a Kickstart configuration file.

f. Publish the Kickstart configuration file via HTTP, FTP, or NFS.

Solution

The steps to install a Red Hat Enterprise Linux server using Kickstart follow. Indicate the order in which the steps should be taken.

3  a. Check the configuration file for syntax errors with ksvalidator.

5  b. Boot Anaconda from installation media.

2  c. Use a text editor to add logical volume management commands to the Kickstart configuration file.

6  d. Specify the ks= option to point the installer to the Kickstart configuration file.

1  e. Use system-config-kickstart to create a Kickstart configuration file.

4  f. Publish the Kickstart configuration file via HTTP, FTP, or NFS.

Summary

Defining the Anaconda Kickstart System

• Kickstart automates Red Hat Enterprise Linux installation using a text file.

• Kickstart configuration files start with commands, followed by the %packages section.

• Optional %post and %pre sections can contain scripting that customizes installations.

Deploying a New Virtual System with Kickstart

• The system-config-kickstart utility can be used to create a Kickstart configuration file.

• Another way to create a Kickstart configuration file is to use a text editor and the ksvalidator command to check for syntax errors.

• The ks=ksfile-location boot option, passed on the Anaconda kernel command line, specifies where to find the Kickstart configuration file.

CHAPTER 2

USING REGULAR EXPRESSIONS WITH GREP

Overview

Goal        To write regular expressions using grep to isolate or locate content in text files.

Objectives  • Create regular expressions to match text patterns.
            • Use grep to locate content in files.

Sections    • Regular Expression Fundamentals (and Practice)
            • Matching Text with grep (and Practice)
            • Using grep with Logs (and Practice)

Lab         • Using Regular Expressions with grep


Regular Expressions Fundamentals

Objectives

After completing this section, students should be able to:

• Create regular expressions that match desired data.

• Use grep to apply regular expressions to text files.

Writing regular expressions

Regular expressions are a pattern-matching language used for enabling applications to sift through data looking for specific content. In addition to vim, grep, and less using regular expressions, programming languages such as Perl, Python, and C all use regular expressions when using pattern-matching criteria.

Regular expressions are a language of their own, which means they have their own syntax and rules. This section will take a look at the syntax used in creating regular expressions, as well as showing some examples of using regular expressions.

A simple regular expression

The simplest regular expression is an exact match. An exact match is when the characters in the regular expression match the type and order in the data that is being searched.

Suppose that a user was looking through the following file of data looking for all occurrences of the pattern cat:

cat
dog
concatenate
dogma
category
educated
boondoggle
vindication
chilidog

cat is an exact match of a c, followed by an a, followed by a t. Using cat as the regular expression while searching the previous file gives the following matches:

cat
concatenate
category
educated
vindication

Using line anchors

The previous section used an exact match regular expression on a file of data. Note that the regular expression would match the data no matter where on the line it occurred: beginning, end, or middle of the word or line. One way that can be used to control the location of where the regular expression looks for a match is a line anchor.

Use a ^, a beginning of line anchor, or $, an end of line anchor. Using the file from earlier:

cat
dog
concatenate
dogma
category
educated
boondoggle
vindication
chilidog

To have the regular expression match cat, but only if it occurs at the beginning of the line in the file, use ^cat. Applying the regular expression ^cat to the data would yield the following matches:

cat
category

If users only wanted to locate lines in the file that ended with dog, use that exact expression and an end of line anchor to create the regular expression dog$. Applying dog$ to the file would find two matches:

dog
chilidog

If users wanted to make sure that the pattern was the only thing on a line, use both the beginning and end of line anchors. ^cat$ would locate only one line in the file: one with a beginning of a line, a c, followed by an a, followed by a t, and ending with an end of line.

Another type of anchor is the word boundary. \< and \> can be used to respectively match the beginning and end of a word.

Wildcards and multipliers

Regular expressions use a . as the unrestricted wildcard character. A regular expression of c.t will look for data containing a c, followed by any one character, followed by a t. Examples of data that would match this regular expression's pattern are cat, cot, and cut, but also c5t and c@t.

Another type of wildcard used in regular expressions is a set of acceptable characters at a specific character position. When using an unrestricted wildcard, users could not predict the character that would match the wildcard; however, if users wanted to only match the words cat, cot, and cut, but not odd items like c5t or c@t, replace the unrestricted wildcard with one where acceptable characters are specified. If the regular expression was changed to c[aou]t, it would be specifying that the regular expression should match patterns that start with a c, are followed by an a or an o or a u, followed by a t.

Multipliers are a mechanism used often with wildcards. Multipliers apply to the previous character in the regular expression. One of the more common multipliers used is *. A *, when used in a regular expression, modifies the previous character to mean zero to infinitely many of that character. If a regular expression of c.*t was used, it would match ct, cat, coat, culvert, etc.: any data that contains a c, then zero to infinitely many characters, ending with a t.

Another type of multiplier would indicate the number of previous characters desired in the pattern. An example of using an explicit multiplier would be c.\{2\}t. Using this regular expression, users are looking for data that begins with a c, followed by exactly any two characters, ending with a t.

Note

The previous examples use POSIX basic regular expression (BRE) syntax, which is what grep uses by default; the \{2\} multiplier and the \< and \> word anchors are written that way in BRE (the word anchors are a GNU extension). Other implementations differ slightly: extended syntax (grep -E) writes the explicit multiplier as {2}, and Perl- and Python-style engines write a word boundary as \b.

References

regex(7) man page
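The following is an added example for this edition, not code from the workbook: it runs each pattern from this section over the word list above (embedded as a constructed sample and extended with the ct, cot, cut, coat, culvert, c5t and c@t that the text mentions) and prints exactly which lines each basic regular expression selects. The words() and matches() helpers are this example's own. The one pattern it does not rely on is \<cat\>, since the word anchors are a GNU grep extension.

```shell
#!/bin/sh
# Added example for this edition, not from the RH134 workbook: run each pattern
# from this section over a constructed copy of the section's word list and show
# which lines each basic regular expression (BRE) selects.

# The sample data. The first nine words are the section's list; the rest are
# added so that ct, cot, cut, coat, culvert, c5t and c@t from the text are present.
words() {
    cat <<'EOF'
cat
dog
concatenate
dogma
category
educated
boondoggle
vindication
chilidog
ct
cot
cut
coat
culvert
c5t
c@t
EOF
}

# Print the sample lines that match the BRE given as $1, joined by single
# spaces on one line; prints an empty line when nothing matches.
# -e keeps a pattern that starts with "-" from being read as an option.
matches() {
    out=$(words | grep -e "$1" | tr '\n' ' ')
    printf '%s\n' "${out% }"
}

# One line per pattern: the pattern, then what it matched. The last pattern
# uses GNU grep's word anchors and is shown only for comparison.
demo() {
    for pat in 'cat' '^cat' 'dog$' '^cat$' 'c.t' 'c[aou]t' 'c.*t' 'c.\{2\}t' '\<cat\>'; do
        printf '%-10s  %s\n' "$pat" "$(matches "$pat")"
    done
}
# demo prints, among others:
#   c.t         cat concatenate category educated vindication cot cut c5t c@t
#   c.\{2\}t    coat
```

Two of the results are the ones worth pausing on: c.t matches concatenate, category, educated and vindication as well as the three-letter words, because without anchors the wildcard pattern can sit anywhere in the line; and c.\{2\}t matches only coat, because a multiplier counts characters between the c and the t, not words.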

Practice: Match the Regular Expression

Quiz

Match the following words to the regular expression that would uniquely match them in the table.

Word or phrase: Aug 19 13:45:41 Updated: lvm2-libs-2.02.95-10.el6_3.3.x86_64
Regular expression:

Word or phrase: Aug 19 17:33:15 Installed: wireshark-gnome-1.2.15-2.el6_2.1.x86_64
Regular expression:

Word or phrase: io scheduler deadline registered
Regular expression:

Word or phrase: Jan 27 10:38:47 serverX NetworkManager[2179]: ifcfg-wlan: error: Missing SSID
Regular expression:

Word or phrase: Jan 25 16:02:46 serverX pulseaudio[30014]: main.c: Unable to contact D-Bus: org.freedesktop.DBus.Error.NoServer: Connection refused
Regular expression:

Word or phrase: Jan 27 10:39:57 serverX ntpd[2464]: time reset -0.252602 s
Regular expression:

Solution

Match the following words to the regular expression that would uniquely match them in the table.

Word or phrase: Aug 19 13:45:41 Updated: lvm2-libs-2.02.95-10.el6_3.3.x86_64
Regular expression:

Word or phrase: Aug 19 17:33:15 Installed: wireshark-gnome-1.2.15-2.el6_2.1.x86_64
Regular expression: Installed

Word or phrase: io scheduler deadline registered
Regular expression: ^i

Word or phrase: Jan 27 10:38:47 serverX NetworkManager[2179]: ifcfg-wlan: error: Missing SSID
Regular expression: error

Word or phrase: Jan 25 16:02:46 serverX pulseaudio[30014]: main.c: Unable to contact D-Bus: org.freedesktop.DBus.Error.NoServer: Connection refused
Regular expression: Error

Word or phrase: Jan 27 10:39:57 serverX ntpd[2464]: time reset -0.252602 s
Regular expression: s$


Matching Text with grep

Objectives

After completing this section, students should be able to:

• Use the grep command with common options.

• Use grep to search files and data from piped commands.

Using grep

grep is a command provided as part of the distribution which utilizes regular expressions to isolate matching data.

grep usage

The basic usage of grep is to provide a regular expression and a file on which the regular expression should be matched.

[student@serverX ~]$ grep 'cat$' /usr/share/dict/words

Note

Because regular expressions often contain shell metacharacters (such as $, *, and others), it is recommended practice to use single quotes (') to encapsulate the regular expression on the command line.

grep can be used in conjunction with other commands using a |.

[root@serverX ~]# ps aux | grep '^student'

grep options

grep has many useful options for adjusting how it uses the provided regular expression with data.

Option        Function
-i            Use the regular expression provided; however, do not enforce case sensitivity (run case-insensitive).
-v            Only display lines that DO NOT contain matches to the regular expression.
-r            Apply the search for data matching the regular expression recursively to a group of files or directories.
-A <NUMBER>   Display <NUMBER> of lines after the regular expression match.
-B <NUMBER>   Display <NUMBER> of lines before the regular expression match.
-e            With multiple -e options used, multiple regular expressions can be supplied and will be used with a logical or.

There are many other options to grep as well, but these are some that are used frequently.

grep examples

For the next few examples, use the following file contents, stored in a file named dogs-n-cats.

[student@serverX ~]$ cat dogs-n-cats

# This file contains words with cats and dogs
Cat
dog
concatenate
dogma
category
educated
boondoggle
vindication
Chilidog

Regular expressions are case-sensitive by default; using the -i option with grep will cause it to treat the regular expression without case sensitivity.

[student@serverX ~]$ grep -i 'cat' dogs-n-cats

# This file contains words with cats and dogs
Cat
concatenate
category
educated
vindication

Sometimes, users know what they are not looking for, instead of what they are looking for. In those cases, using -v is quite handy. In the following example, all lines, case insensitive, that do not contain the regular expression 'cat' will display.

[student@serverX ~]$ grep -i -v 'cat' dogs-n-cats

dog
dogma
boondoggle
Chilidog

Another practical example of using -v is needing to look at a file, but not wanting to be distracted with content in comments. In the following example, the regular expression will match all lines that begin with a # or ; (typical characters that indicate the line will be interpreted as a comment).

[student@serverX ~]$ grep -v '^[#;]' <FILENAME>

There are times where users need to look for lines that contain information so different that users cannot create just one regular expression to find all the data. grep provides the -e option for these situations. In the following example, users will locate all occurrences of either 'cat' or 'dog'.

[student@serverX ~]$ grep -e 'cat' -e 'dog' dogs-n-cats

# This file contains words with cats and dogs
dog
concatenate
dogma
category
educated
boondoggle
vindication
Chilidog

References

grep(1) man page

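As an added example for this edition (not code from the workbook), the comment filter and the -e option above applied to the kind of file an administrator actually reads this way: a configuration file where the lines that matter are the ones that are not commented out. The sshd_config excerpt is a constructed sample, and the function names are this example's own. The section's `grep -v '^[#;]'` keeps two things a reader usually does not want, blank lines and comments that are indented, so the second filter handles both; the last function then uses -e twice, with -i, to pull out the two settings worth a second look.

```shell
#!/bin/sh
# Added example for this edition, not from the RH134 workbook: the section's
# -v comment filter applied to a configuration file, with the two cases it
# misses handled, and -e used to pull out the settings worth a second look.
# The sshd_config excerpt is a constructed sample, not a real file.

config() {
    cat <<'EOF'
# sshd_config excerpt (constructed sample)
Port 22
    # comments are often indented, and some formats use ; as well
PermitRootLogin yes

;PasswordAuthentication no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
EOF
}

# The section's filter: drop lines whose first character is # or ;.
# It keeps blank lines and the indented comment.
active_lines_naive() {
    config | grep -v '^[#;]'
}

# Tighter: skip any amount of leading whitespace, then require either a
# comment marker or the end of the line. The alternation needs -E (extended
# syntax); -v still inverts the whole match.
active_lines() {
    config | grep -E -v '^[[:space:]]*([#;]|$)'
}

# Only the live settings, then -e twice for the two weak ones. -i covers
# sshd_config keywords being case-insensitive; the ^ anchor leaves the
# indented "no" inside the Match block alone, which is what we want, since
# it only applies to one user.
weak_settings() {
    active_lines | grep -E -i \
        -e '^PermitRootLogin[[:space:]]+yes' \
        -e '^PasswordAuthentication[[:space:]]+yes'
}

# Count a filter's output lines; grep -c avoids wc's platform-dependent padding.
count() {
    "$1" | grep -c ''
}
```

On a real file, `grep -n` added to the last pipeline reports the line numbers of the offending settings, and `-r` turns the same check loose on a whole directory such as /etc/ssh/sshd_config.d.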

Practice: Using grep with Logs

Guided exercise

In this lab, you will use regular expressions and grep to locate specific log entries in log files.

Resources:

Files: /var/log/messages

Machines: serverX

Outcomes:

Using regular expressions and the grep command, you can isolate specific messages or groups of messages based on the search criteria provided.

Before you begin...

• Reset your serverX system.

• Log into and set up your serverX system.

[student@serverX ~]$ lab grep setup

□ 1. Elevate your privileges to gain a root login using su -.

□ 1.1.

[student@serverX ~]$ su -

□ 2. Craft a regular expression and use grep to display all logs in /var/log/messages from the Start Time reported by lab grep setup.

□ 2.1. The following commands assume a start time provided by the lab grep script of April 1 15:53.

Check the current time so we know not only the starting time, but the ending time of the messages we are looking for.

[root@serverX ~]# date
Tue Apr 1 15:54:55 EDT 2014

□ 2.2.

[root@serverX ~]# grep '^Apr 1 15:5[34]' /var/log/messages

Apr 1 15:53:25 serverX ima_daemon[14847]: logging ACCESS: 927265f3c0e95f4ae6294451060d0717
Apr 1 15:53:25 serverX ima_daemon[14848]: logging ACCESS: b4866e8f2ec0058abe1dc0a142e0b737
Apr 1 15:53:25 serverX ima_daemon[14849]: logging ACCESS: 7afa51b31aabca065dd358cc475d8863
...Output Truncated...

□ 3. Modify your regular expression to locate the first ERROR message.

□ 3.1.

[root@serverX ~]# grep '^Apr 1 15:5[34].*ERROR' /var/log/messages | head -n 1

Apr 1 15:53:30 serverX database[14877]: bad entry ERROR: 2e28564860d5c6e5151a31fd923c7b61 invalid

□ 4. Log messages are generated by applications. There is no adopted standard on what keywords or information should be provided as part of a log message.

Using an option to grep, look for all logs after the start time that contain the word ERROR, ignoring the case of the regular expression.

□ 4.1.

[root@serverX ~]# grep -i '^Apr 1 15:5[34].*ERROR' /var/log/messages

□ 5. Use the -v option with grep, as well as a regular expression, to locate the ERROR message that does not contain a checksum in its message body.

□ 5.1. In this situation, it may be useful to use one grep and regular expression to meet some of the criteria, and another to further filter the results to get the desired content.

[root@serverX ~]# grep '^Apr 1 15:5[34].*ERROR' /var/log/messages | grep -v '[a-z0-9]\{32\}'
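The steps of this exercise as reusable filters, added for this edition as an example; this is not code from the workbook or from the lab grep script, and the function names are this example's own. The log excerpt is a constructed sample: the checksums are modeled on the exercise output above, the other lines are invented. One detail the printed commands hide is that syslog pads a single-digit day with a space, so a real line begins "Apr  1" with two spaces and a pattern written with one space matches nothing; the sample uses the padded form and the patterns match it. The last filter also tightens the checksum class from [a-z0-9] to hexadecimal, so a 32-character word or token is not mistaken for a checksum and dropped.

```shell
#!/bin/sh
# Added example for this edition, not from the RH134 workbook or the lab script:
# the steps of the exercise as filters over a constructed excerpt of
# /var/log/messages. Checksums are modeled on the exercise output; the rest of
# the lines are made up. Note the two spaces in "Apr  1": syslog pads the day.

messages() {
    cat <<'EOF'
Apr  1 15:52:59 serverX systemd[1]: Started Session 4 of user student.
Apr  1 15:53:25 serverX ima_daemon[14847]: logging ACCESS: 927265f3c0e95f4ae6294451060d0717
Apr  1 15:53:30 serverX database[14877]: bad entry ERROR: 2e28564860d5c6e5151a31fd923c7b61 invalid
Apr  1 15:53:41 serverX backup[14901]: error: snapshot not found
Apr  1 15:54:02 serverX database[14877]: bad entry ERROR: connection refused
Apr  1 15:54:10 serverX ima_daemon[14848]: logging ACCESS: b4866e8f2ec0058abe1dc0a142e0b737
Apr 11 15:53:05 serverX sshd[2201]: ERROR: wrong day, must not be selected
Apr  1 15:55:01 serverX crond[14950]: ERROR: job failed 0123456789abcdef0123456789abcdef
EOF
}

# Step 2: everything logged on Apr 1 between 15:53:00 and 15:54:59.
# Keep the space after the day in the pattern: "^Apr *1" on its own would
# also select Apr 10 through Apr 19.
in_window() {
    messages | grep '^Apr  1 15:5[34]:'
}

# Step 3: the first ERROR in the window.
first_error() {
    in_window | grep 'ERROR' | head -n 1
}

# Step 4: ERROR in any case, so the backup daemon's "error:" is included too.
errors_any_case() {
    in_window | grep -i 'ERROR'
}

# Step 5: ERROR lines that carry no 32-digit hex checksum. [0-9a-f] is tighter
# than [a-z0-9]: a 32-character word or token would otherwise look like a
# checksum and be dropped with it.
errors_without_checksum() {
    in_window | grep 'ERROR' | grep -v '[0-9a-f]\{32\}'
}
```

Against /var/log/messages on serverX, replace the messages() call with the file name in each pipeline; the patterns stay the same, two spaces included.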

Lab: Using Regular Expressions with grep

Performance checklist

In this lab, you will use regular expressions and grep with text files to locate requested data.

Resources:

Files: http://classroom.example.com/pub/materials/awesome_logs

Machines: serverX

Outcomes:

Follow the clues and help Dr. Zingruber recover the lost "artwork."

Dr. Zingruber: "Hello! I hear you are the person to talk to about Red Hat Enterprise Linux systems administration help?"

Yes, that is me.

Dr. Zingruber: "Maybe you can help me, then; you are my last hope. Something terrible has happened. There has been a heist at the Museum of Awesome!"

What was stolen?

Dr. Zingruber: "It was a work by Wander van Gogh."

Wander van Gogh? Never heard of him.

Dr. Zingruber: "I am not surprised. He is a descendant of Vincent van Gogh, but is far, FAR more insane. This is one of his most important pieces, which is why we have it at the Museum of Awesome."

I see. When was the piece taken?

Dr. Zingruber: "It was August 8 sometime between 1:00 pm and 3:00 pm."

Wait, what? It was taken August 8, and you are just now investigating?

Dr. Zingruber: "Yes, well, to be frank, no one really noticed it was missing until now. You see, while the piece was in the Museum of Awesome, it was in the Hall of Mildly Awesome. If you go to the Museum of Awesome, are you going to the Hall of Mildly Awesome or the Cavern of Supreme Awesome? Because of its placement, no one really looks at it, and just between you and me, it kind of creeps me out."

Um... Okay. So what else can you tell me about the heist?

Dr. Zingruber: "Well, we do have a variety of logs for different things. You can download them from http://classroom.example.com/pub/materials/awesome_logs. I think the place to start your investigation would be door.log around the time of the event."

Before you begin...

• Reset your serverX system.

1. Download the logs to your machine, and change directory to the logs directory.

2. Use grep to search through the door.log. Follow any further instructions you may find in the logs.


C h a pter 2. U s i n g Reg u l a r E x p ress i o n s w i t h g re p

Solution
-

I n t h i s l a b , you w i l l use reg u l a r express i o n s a n d g re p with text f i l e s to l ocate requ ested data.

Resou rces:
Files: h t t p : / / c l a s s r o o m . e x am p l e . c o m / p u b / m a t e r i a l s /awe s o m e_lo g s

Machines: s e rverX -

Outcomes:
Fo l l ow t h e c l u e s a n d h e l p D r. Z i n g r u be r recover t h e lost " a rtwork."

D r. Z i n g r u be r: " H e l lo! I h e a r you a re the person to ta l k to about Red Hat E n t e r p rise L i n u x syst e m s
a d m i n istra t i o n h e l p? "
-

Yes, t h a t i s m e.

D r. Z i n g r u be r : " M aybe you ca n h e l p me, t h e n ; you a re my l a st h o pe. S o m et h i n g terr i b l e h a s -

h a p p e n e d . T h e re has been a h e ist at t h e M us e u m of Aweso m e ! "

W h a t wa s sto l e n? -

D r. Z i n g r u ber: " I t was a work by Wa n d e r va n Gogh."

Wa n d e r va n Gog h? Never h e a rd of h i m . -

D r. Z i n g r u be r : " I a m n o t s u r p rised. H e is a desce n d a nt o f V i n c e n t va n Gog h , b u t is fa r, FA R m o re


i n sa n e. T h i s is o n e of h i s most i m p o rt a n t p i eces, w h i c h is why we have it at t h e M u s e u m of -

Awe s o m e."

I see. W h e n wa s the p iece taken? -

D r. Z i n g r u be r: " I t wa s Au g u s t 8 somet ime between 1 : 00pm and 3 : 00 pm."

Wait, what? It was taken A u g u st 8 , a n d you a re j u st now i nvest i g a t i n g ? -

D r. Z i n g r u ber: " Yes, we l l , to b e fra n k, n o o n e rea l ly noticed it w a s m i s s i n g u n t i l n ow. You s e e , w h i l e


t h e piece w a s i n t h e M us e u m o f Awesome, it w a s i n t h e H a l l o f M i l d l y Aweso me. I f y o u g o to t h e -

M u s e u m o f Awesome, a re yo u g o i n g to t h e H a l l o f M i l d l y Aweso m e o r t h e Cavern o f S u p re m e


Awe s o m e? Beca use of i t s p l acement, n o o n e rea l ly l o o k s at i t , a n d j u st between y o u a n d me, it
k i n d of creeps m e out." -

Um ... O kay. So what e l se c a n you t e l l m e a bout the h e i st?


-
D r. Z i n g r u be r : " We l l , we d o have a variety of l o g s for d i ffe rent t h i n g s . Yo u can d ow n l o a d t h e m
f r o m ht t p : //class room . example . com/pub/ma t e rials/awesome_logs. I t h i n k t h e p l ace
to sta rt yo u r i nvest igation wou l d b e door . log a ro u n d t h e time of t h e event."
-

Before you begin...

• Reset your serverX system.

1. Download the logs to your machine, and change directory to the logs directory.

[root@serverX ~]# wget -r -l 1 -np http://classroom.example.com/pub/materials/awesome_logs
[root@serverX ~]# cd classroom.example.com/pub/materials/awesome_logs

2. Use grep to search through the door.log. Follow any further instructions you may find in the logs.

Dr. Zingruber noted that the theft occurred between 1:00 p.m. and 3:00 p.m., or in 24-hour format (used by logs), 13:00 to 15:00. Our regular expression should use the date and hour field of the time to get the relevant entries.

[root@serverX ~]# grep '^Aug *8 1[345]' door.log

Note that there are TWO space characters between Aug and 8 in the log file date format. To address this, you can use two spaces in your regular expression or a multiplier on the space character. You may have to look through the matched data to find what you are looking for. If you cannot, try the following:

[root@serverX ~]# grep '^Aug *8 14.*OPEN' door.log
... Output Truncated ...
Aug  8 14:37:03 alarm_monitor activity: backdoor: OPEN
Aug  8 14:40:01 alarm_monitor activity: backdoor: OPEN
Aug  8 14:41:26 alarm_monitor activity: backdoor: OPEN
Aug  8 14:43:55 alarm_monitor activity: backdoor: OPEN
Aug  8 14:46:20 alarm_monitor activity: backdoor: OPEN
Aug  8 14:48:31 alarm_monitor activity: backdoor: OPEN
Aug  8 14:51:30 alarm_monitor activity: backdoor: OPEN
... Output Truncated ...

Dr. Zingruber: "Oh yes... look here, you can see the door stayed open. Now that we know a more exact time, we should check wall.log for the same period."

In the door.log entries, we were referred to the wall.log file, but we now have a more narrow time. Use grep to look between time codes 14:37 and 14:51.

[root@serverX ~]# grep '^Aug *8 14:[345]' wall.log

Note that, again, there are TWO space characters between Aug and 8 in the log file date format. To address this, you can use two spaces in your regular expression or a multiplier on the space character. You may have to look through the matched data to find what you are looking for. If you cannot, try the following:

[root@serverX ~]# grep '^Aug *8 14.*ALERT' wall.log
Aug  8 14:37:03 alarm_monitor ALERT: Mildly Awesome:
Aug  8 14:40:01 alarm_monitor ALERT: Mildly Awesome:
Aug  8 14:41:26 alarm_monitor ALERT: Mildly Awesome:
Aug  8 14:43:55 alarm_monitor ALERT: Mildly Awesome:
Aug  8 14:46:20 alarm_monitor ALERT: Mildly Awesome:
Aug  8 14:48:31 alarm_monitor ALERT: Mildly Awesome:
Aug  8 14:51:30 alarm_monitor ALERT: Mildly Awesome:

Dr. Zingruber: "Ah, yes here it is, looks like they digitized the image. We should check proxy.log at 14:40. The digitalized image will be on the 24 lines following the log."

In the wall.log entries, we were referred to the proxy.log file, but we now have an exact time. Use grep to look between time code 14:40. Additionally, not only do we want the line for time code 14:40, but also the 24 lines that follow that log entry.

[root@serverX ~]# grep -A 24 '14:40' proxy.log

You should now have recovered the "artwork."

Dr. Zingruber: "You found it, thank you!"

Aug  8 14:40:03 Outbound data Captured...


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MMMMMMMMMMMMMMN- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . : MMMMMMMMMMMMMMMMMMMMM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . DMMMMMMN88MMMMNZZZZMMMMMMMN . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . +MMMMMMMZZZZZZZZZZZMMBZMMMMMMM? . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . MMMMMMMMZZZZZZZZZZZZZZZZZMMMMMMMM . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . MMMMMMMMMZOMMMMMMZZZZZZZZZZMMMMMMMM . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . MMMMMMMMMOZZZNZZZZZZZZZZZZZZMMMMMMMMM . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . MMMMMMDDDNMZZZZZZZZZZZZZZZZZZZMMMMMMMMM . . . . . . . . . . . . . . . . . . . . . -
. . . . . . . . . . . . . . . . . . . +MMM$ZZZZZ8MMMZZZZZZZZZZZZZZZZZMMMMMMMMM- . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . MMMMZZZZZZZDMMMMMMMNZZZZZZZZZZZNZ8MMMMMMM . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . MMMMOZZZZZZZZZMMMMMMMZZZZZZZZZZZZZZZDMMMM . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . , MMMMMMZZZZZZZZZZZZMMMMZZZZZZZZZZZZZZZZMMMZ . . . . . . . . . . . . . . . . . . . -

. . . . . . . . . . . . . . . . . . DMMMMMMMMZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZMMMD . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . ZMMMMMMMMMMDZZZZZZZZZZZZZZZZZZZZZZZZZZMMMMN . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . , MMMMMMMMN . . : MNZZZZZZZZZZZZZZZZZZZZZZMMMMM7 . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . MMMMMMMM? . . . M , MMMZZZZZZZZZZZZZZZZMMMMMMM . . . . . . . . . . . . . . . . . . .
-

. . . . . . . . . . . . . . . . . . . MMMMMN7MMI . . . . . MMMMMM M M N N N NN M M MMMMMMMMMM . . . . . . . . . . . . . . . . . . . .


. . . . . . . . . . . . . . . . . . . . . . . 7MM . . . . . I DZ= . . $ , = I MMMMMMMMMM . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MMMMMMMMMM . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I M M M , . . . NMMMMMMMMM Z88 . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MMN . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . , . . . . . . . . . , , . . . . . . . . , . . , , , , . . . , , . . . . . . . . . . $M . , , . . . . . . , , . . . . . , . . . . . . . , , . . . . . . . -
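As an added example that is not part of the workbook, the POSIX shell script below reproduces the lab's three-stage pivot (door.log to wall.log to proxy.log) against a few constructed log lines embedded in the script, so it can be run offline without the classroom server. All log contents, the "Supremely Awesome" hall name, the proxy lines, the payload marker lines and the function names are made up for this illustration; the grep patterns are the ones from the solution above, plus a ' \{2\}' variant that demands exactly two spaces. The script also pulls the first and last back-door OPEN times out of the matches, the step the solution does by eye, and keeps an "Aug 18" and a "Sep  8" line in the sample to show that the patterns exclude them.

```shell
#!/bin/sh
# Added example, not from the RH134 workbook: the lab's log pivot run against
# constructed syslog-style lines. Every log line below is made up.

# Syslog timestamps pad single-digit days with a SECOND space ("Aug  8"), so
# a literal "Aug 8" in a pattern never matches. "Aug 18" and "Sep  8" are
# included to show that they stay out of the Aug 8 results.
DOOR_LOG='Aug  8 12:59:58 alarm_monitor activity: backdoor: CLOSED
Aug  8 13:05:12 alarm_monitor activity: frontdoor: OPEN
Aug  8 13:05:40 alarm_monitor activity: frontdoor: CLOSED
Aug  8 14:37:03 alarm_monitor activity: backdoor: OPEN
Aug  8 14:40:01 alarm_monitor activity: backdoor: OPEN
Aug  8 14:51:30 alarm_monitor activity: backdoor: OPEN
Aug  8 15:00:01 alarm_monitor activity: backdoor: CLOSED
Aug 18 14:40:00 alarm_monitor activity: backdoor: OPEN
Sep  8 14:40:00 alarm_monitor activity: backdoor: OPEN'

WALL_LOG='Aug  8 14:20:10 alarm_monitor INFO: Supremely Awesome: patrol ok
Aug  8 14:37:03 alarm_monitor ALERT: Mildly Awesome: motion
Aug  8 14:40:01 alarm_monitor ALERT: Mildly Awesome: motion
Aug  8 14:51:30 alarm_monitor ALERT: Mildly Awesome: motion
Aug  8 14:55:00 alarm_monitor INFO: Mildly Awesome: patrol ok'

PROXY_LOG='Aug  8 14:39:59 proxy GET http://www.example.com/ 200
Aug  8 14:40:03 Outbound data Captured...
---BEGIN PAYLOAD---
..MM..
.MMMM.
---END PAYLOAD---
Aug  8 14:45:00 proxy GET http://www.example.com/ 200'

# Stage 1: everything on Aug 8 in hours 13, 14 or 15. The " *" (a space
# followed by a multiplier) absorbs the day padding.
door_window() {
    printf '%s\n' "$DOOR_LOG" | grep '^Aug *8 1[345]'
}

# The same selection with an explicit count on the space character.
door_window_strict() {
    printf '%s\n' "$DOOR_LOG" | grep '^Aug \{2\}8 1[345]'
}

# Stage 2: narrow to the back door opening in hour 14 and pull out the
# timestamps (third whitespace-separated field) that bound the window.
door_open_events() {
    printf '%s\n' "$DOOR_LOG" | grep '^Aug *8 14.*backdoor: OPEN'
}
first_open_time() { door_open_events | awk '{ print $3 }' | head -n 1; }
last_open_time()  { door_open_events | awk '{ print $3 }' | tail -n 1; }

# Stage 3: ALERT lines from wall.log between 14:30 and 14:59 only.
wall_alerts() {
    printf '%s\n' "$WALL_LOG" | grep '^Aug *8 14:[345].*ALERT'
}

# Stage 4: the proxy entry for 14:40 plus the N lines that follow it. The
# lab uses -A 24; the constructed payload here is only 4 lines long.
proxy_capture() {
    printf '%s\n' "$PROXY_LOG" | grep -A "$1" '14:40'
}

# Line counters for checking results. grep -c prints 0 when nothing
# matches but then exits non-zero, hence the trailing "|| true".
count_lines() { grep -c . || true; }
door_window_count()        { door_window | count_lines; }
door_window_strict_count() { door_window_strict | count_lines; }
wall_alert_count()         { wall_alerts | count_lines; }
proxy_capture_count()      { proxy_capture "$1" | count_lines; }

# Stand-alone run: sh awesome_pivot.sh --demo (file name is hypothetical).
if [ "${1:-}" = "--demo" ]; then
    door_window
    echo "suspect window: $(first_open_time) to $(last_open_time)"
    wall_alerts
    proxy_capture 4
fi
```

The two forms of the date pattern are not equivalent: ' *' also matches "Aug8" or a single-space variant, so it tolerates log sources that collapse the padding, while ' \{2\}' documents the syslog layout exactly and is the one that breaks if a forwarder re-formats the timestamp. When a pivot like this feeds an incident timeline, the strict form is the safer default because a silent non-match is easier to notice than an over-broad one.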

Summary

Regular Expressions Fundamentals
Write regular expressions to match data.

Matching Text with grep
Using grep with regular expressions to isolate text data.

CHAPTER 3

CREATING AND EDITING TEXT FILES WITH VIM

Overview

Goal        Introduce the vim text editor.

Objectives  • Explain the three main modes of vim.
            • Open, edit, and save text files.
            • Use editor shortcuts.

Sections    • The vim Text Editor (and Practice)
            • Basic vim Workflow (and Practice)
            • Editing with vim (and Practice)

Lab         • Edit a system file with vim

The vim Text Editor

Objectives
After completing this section, students should be able to:

• Explain the three main modes of vim.

Introduction to vim
Editing text files is one of the most common tasks a system administrator will perform on a Linux system. As such, there is a wide variety of text editors available. One of the older, but most widely used, editors is vi. vi stands for Visual Interface, as it was one of the first text editors to actually display the working document while it was being edited. Before that, most editors were line-based (such as ed, and the still widely used ex). In regular use, vi and vim are normally referred to as v. i. (two letters) and vim.

VI IMproved
The version of vi that is shipped with Red Hat Enterprise Linux 7 is called vim. vim stands for VI IMproved, as vim comes with many features not found in the original vi, while still remaining (mostly) backward-compatible. Among the new features are popular options, such as syntax highlighting, completion modes, and spell-checking.

vim is highly extensible. It supports scripting in multiple languages, file-type plug-ins, different text-completion modes, and many other options. It can be adapted to almost any role, and has been. There are extensions and macros available on the Internet for almost any purpose, from helping to edit a certain type of file (such as DocBook), completion plus introspection for almost all programming languages in existence, to more mundane tasks such as managing To Do lists.

Important
When an unprivileged user invokes the command vi on a Red Hat Enterprise Linux 7 machine, the command that is executed will be vim. This is done with an alias that is set from /etc/profile.d/vim.sh when the shell starts.

This alias is not set for users with a UID less than or equal to 200. These users will execute vi, which is vim in vi compatible mode. This means that any features not found in classic vi will be disabled.

It is recommended to always execute the vim command whenever the newer features are wanted, and to not rely on an alias that might not be available. This is recommended especially when users also regularly have to work as root.

Why learn vim?
Every system administrator will have a preference for a text editor. Some will prefer gedit, others like nano, and there even are people who prefer emacs. Even if one already has an editor of choice, it is important to be familiar with the basics of vim or vi for one simple reason: it's the editor that one can count on to be installed on whatever system is being worked on.

Different versions of vim
Three distinct variations of vim can be installed on a Red Hat Enterprise Linux system. Each version has its own use case, and variations can be installed side by side. The variations come in these three packages:

• vim-minimal: This package only provides vi and related commands (like rvi, the restricted version that cannot spawn commands or a shell). This is the version included in a minimal installation of Red Hat Enterprise Linux 7.

• vim-enhanced: This package provides the vim command (and friends), providing features such as syntax highlighting, file-type plug-ins, and spell checking.

• vim-X11: This package provides gvim, a version of vim that runs in its own graphical window instead of in a terminal. One of the big features of gvim is the menu bar, useful when one is learning vim or can't remember a specific command. (Note: Depending on the terminal type and vim per-user configuration, it can be possible to use a mouse inside a regular vim session as well.)

A modal editor
vim is not the easiest editor to learn. This is partly because all commands in vim are geared toward speed and efficiency, and not ease of remembrance, and partly because vim is a modal editor. Modal editor means that the function of certain commands and key presses changes based on what mode is active.

vim has three primary modes:

Mode          Function
Command mode  This mode is used for file navigation, cut and paste, and simple commands. Undo, redo, and others are also performed from this mode.
Insert mode   This mode is used for normal text editing. Replace mode is a variation on insert mode that replaces text instead of inserting it.
Ex mode       This mode is used to save, quit, and open files, as well as search & replace and other more complex operations. From this mode, it is possible to insert the output of programs into the current file, configure vim, and much more. Everything that is possible using ex can be done from this mode.

References
vim(1) man page
vim built-in help

Practice: vim Modes

Quiz
Match the items that follow to their counterparts in the table.

Command mode    Ex mode    Insert mode

Function                                                      Mode

This mode is used for file navigation, cut and paste, and
simple commands.

This mode is used for normal text editing.

This mode is used to save, quit, and open files, as well as
search & replace and other more complex operations.

Solution

Match the items that follow to their counterparts in the table.

Function                                                      Mode

This mode is used for file navigation, cut and paste, and     Command mode
simple commands.

This mode is used for normal text editing.                    Insert mode

This mode is used to save, quit, and open files, as well as   Ex mode
search & replace and other more complex operations.

Basic vim Workflow

Objectives
After completing this section, students should be able to:

• Open text files.
• Move the cursor.
• Insert and replace text.
• Save files.
• Get help.

Editor basics
No matter what editor you use, you should always be able to perform the following three tasks:

• Open a new or existing file.
• Make changes and/or insert new text.
• Save the file and exit the editor.

Opening files
The easiest way to open a file in vim is to specify it as an argument on the command line. For example, to open the file called /etc/hosts, you could execute the following command:

[root@serverX ~]# vim /etc/hosts

Note
If you try to open a file that does not exist, but the directory you specify is available, vim will inform you that you are editing a [New File], and create the file when you first save it.

After opening a file, vim will start in command mode. At the bottom left of the screen, you will see information about the opened file (filename, number of lines, number of characters). At the bottom right, you will see the current cursor position (line, character), and what part of the file is being displayed (All for all, Top for the first lines of a file, Bot for the bottom of a file, or a percentage to indicate where in the file you are). The bottom line is called the Ruler in vim terms.

Figure 3.1: vim displaying a freshly opened file (screenshot of a terminal window with /etc/hosts open in vim; the ruler reads "/etc/hosts" 3L, 158C at the left and 1,1 All at the right)

Editing text
If you have ever used vi or vim before, you might have noticed that in command mode, most keys don't exactly do what you would expect. This is because in command mode, keys are not mapped to insert the characters you press, but rather to perform commands like cursor movements, copy-and-paste actions, and more.

To switch to insert mode, there are commands available to you, each assigned to a different key on your keyboard:

Key  Result
i    Switch to insert mode, and start inserting before the current cursor position (insert).
a    Switch to insert mode, and start inserting after the current cursor position (append).
I    Move the cursor to the start of the current line and switch to insert mode.
A    Move the cursor to the end of the current line and switch to insert mode.
R    Switch to replace mode, starting at the character under your cursor. In replace mode, text is not inserted, but each character you enter replaces a character in the current document. (vim and vi also come with more powerful replacement commands; these are discussed in another section.)
o    Open a new line below the current one, and switch to insert mode.
O    Open a new line above the current one, and switch to insert mode.

Whenever you are in insert or replace mode, the ruler will display -- INSERT -- or -- REPLACE --.

To return to command mode, you can press Esc.

The version of vi and vim that ships with Red Hat Enterprise Linux is configured to recognize and use the normal cursor keys, as well as keys like PgUp and End while in both insert and command mode. This is not the default behavior on all installations of vi. In fact, older versions of vi did not recognize cursor keys at all, and only allowed you to move the cursor from within command mode using keys like hjkl.

In the following table, you will find some of the keys you can use from command mode to move your cursor:

Key  Result
h    Cursor left one position
l    Cursor right one position
j    Cursor down one line
k    Cursor up one line
^    Move to the beginning of the current line.
$    Move to the end of the current line.
gg   Move to the first line of the document.
G    Move to the last line of the document.

Note
Pressing Esc will always cancel the current command, or return to command mode. It is an often-seen practice to press Esc twice (or even more) to ensure a return to command mode.

Saving files
Saving files in vim is done from ex mode. You can enter ex mode by pressing : (a colon) from within command mode. After entering ex mode, the ruler will display a colon (:) and wait for a command to be typed. Commands are completed by pressing Enter.

The following is a short list of commands to save and quit your current file from ex mode. This is by no means a full list of commands that can be used.

Command        Result
:wq            Save and quit the current file.
:x             Save the current file if there are unsaved changes, then quit.
:w             Save the current file and remain in editor.
:w <filename>  Save the current file under a different filename.
:q             Quit the current file (only if there are no unsaved changes).
:q!            Quit the current file, ignoring any unsaved changes.

A short summary of the previous table is that w saves (writes), q quits, and ! forces an action (do-what-I-say-not-what-I-want).

Getting help
vim comes with extensive online help, available in the editor itself. Typing :help from command mode will launch the first screen, which includes the help needed to navigate the help.

Help for a specific subject can be obtained by typing :help subject from command mode.

Help screens open in a new split window, and can be closed with :q. To learn more about split windows, use :help windows.

There is also a semi-interactive tutor available. Starting the command vimtutor from the command line will launch a guided tour of vim that takes a new user through the basics in about an hour.

References
vim(1) man page
vim built-in help

Practice: Basic vim Workflow

Guided exercise
In this lab, you will edit a text file using vim.

Machines: desktopX

Outcomes
A successfully edited text file.

Before you begin...
A working student account on desktopX.

□ 1. Log into your desktopX system as student and open a terminal.

□ 2. Open the (new) file /home/student/vim-practice.txt in vim. You do not have to create this file first.

   □ 2.1. [student@desktopX ~]$ vim vim-practice.txt

□ 3. Insert the following text:

   This is my vim practice file.
   There are many like it, but this one is mine.

   □ 3.1. Press i or a to go into insert mode.

   □ 3.2. Type the text shown previously.

   □ 3.3. Press Esc to go back into command mode.

□ 4. Insert a new line at the bottom with the following contents:

   More lines, I want more lines!

   □ 4.1. Press o to open a new line beneath the current one and immediately switch to insert mode.

   □ 4.2. Type the line to be added.

   □ 4.3. Press Esc to go back into command mode.

□ 5. Save and quit your file.

   □ 5.1. From command mode, enter :wq, then press Enter.

Editing with vim


-

Ed it i n g w i t h v i m
-

- Objectives
After co m p l et i n g t h i s section, students s h o u l d be a b l e to:

- • Use m ove m e n t s h o rtcuts.

• Copy and paste text.


- • Use search and rep l a ce.

• U n d o (a n d redo) t h e i r actions.
-

Movement
- I n a d d i t i o n to t h e bori n g o l d s i n g l e c h a racter/ l i n e c u rsor m ove ments o n e can p e rform i n
command mode, t h e re a re a l so q u ite a few a d va n ced m ove m e n t co m m a n d s t o h e l p u s e rs
navigate d o c u m e nts m o re effi c i e n t l y. These s h o rtcuts a l low t h e c u rs o r to be moved p e r word ,
- senten ce, o r p a ra g ra p h . Keep i n m i n d that u n l i ke reg u l a r c u rsor m ove m e nts, t h e s e co m m a n d s
o n l y w o r k i n command m o d e , a n d n o t i n insert mode.

- Key Res u l t
w M ove c u rsor to beg i n n i n g of n ext word (W i n c l udes p u nctuation).

- b M ove c u rsor to beg i n n i n g of p revious word (B i n c l u d e s p u n c t u a t i o n ) .

( M ove c u rsor to beg i n n i n g of c u r re n t o r p revious s e n t e n ce.

- ) M ove c u rsor to beg i n n i n g of next senten ce.

{ M ove to beg i n n i n g of c u r re n t/p rev i o u s p a ra g ra p h .

} M ove c u rsor to beg i n n i n g of next p a ra g ra p h .


-
A l l m ove m e n t co m m a n d s c a n be p refixed by ty p i n g a n u m be r, e.g., s w to m ove t h e c u rsor
five words, o r 12j to m ove t h e c u rsor 12 l i nes down. In fact. every s i n g l e com m a n d ( i n c l u d i n g
- switc h i n g t o insert m o d e) c a n be repeated a f i x e d n u m be r of t i m es by typ i n g t h e n u m be r of
repeats before t h e a c t u a l com m a n d . In vim t e r m i n o l og y, t h is is refe rred to as t h e count.

-
Replacing text
vim a l l ows u s e rs to e a s i l y re p l ace l a rg e (a n d s m a l l ) a m o u nts of text u s i n g a "c h a n g e " co m m a n d .
- T h e " c h a n g e " com m a n d works b y p ress i n g t h e c key, fo l l owed b y a c u rsor move m e nt ; for
exa m p l e , cw to c h a n g e from the c u rrent c u rs o r p o s i t i o n to the end of the c u rre n t word. The text
to be re p l aced is d e l eted (a nd put o n the u n n a m e d reg ister), and the vim sw itc h e s to insert m o d e.
-
There a re a few s h o rtcuts ava i l a b l e to m a ke e d i t i n g eve n m o re efficient:

Press i n g c twice ( c c ) will start re p l a ce i n a line-wise fas h i o n , rep l a c i n g t h e e n t i re line (or


-

m u lt i p l e l i n es w h e n p refixed with a n u m b e r). T h i s s a m e t r i c k a p p l ies to a n u m be r of other


co m m a n d s (s u c h a s d e l ete) as we l l .
-
• M ost m ove m e n t c o m m a n d s c a n b e p refixed w i t h i a n d a t o sel ect t h e inner o r a vers i o n o f t h e
move m e n t . Fo r exa m p le, ciw w i l l re p l ace t h e e n t i re c u rrent word, not j u st f r o m t h e c u rrent
c u rs o r p o s i t i o n , and caw wi l l do the same, but i n c l u d i n g a ny surrou n d i n g w h ite s pace.
-

- R H134- R H E L 7 - en -1 -2014061 0 51

-
-

C h a pter 3. C reat i n g a n d E d i t i n g Text F i l es w i t h v i m

• To re p l a c e to t h e e n d o f t h e l i n e, o n e ca n u s e c $ , b u t C d o e s t h e s a m e. ( T h i s t r i c k a l so a p p l ies
to va r i o u s ot h e r co m m a nd s , s u c h a s d e l et i n g .) -

• To j u st re p l ace t h e c h a racter u n d e r t h e c u rs o r, p ress r fo l l owed by t h e new c h a racter.

To c h a n g e t h e case of t h e c h a racter u n d e r t h e c u rsor, p ress -.

Deleting text -

D e l et i n g text works t h e s a m e as re p l a c i n g text. T h e c o m m a n d for d e l e t i n g text is d, a n d a l l t h e


s a m e m ove m e nt s t h a t a re va l i d fo r c h a n g i n g t e x t a p p l y to d e l et i n g as we l l , i n c l u d i n g D to d e lete
from the c u rsor to t h e end of t h e l i ne. -

To j u st d e l ete the c h a racter u n d e r the c u rsor, u s e x.


-

Copy and paste


vim uses s l ig h t l y d iffe rent term i n o l o g y to d e s c r i b e copy a n d p a ste o p e rat i o n s t h a n most peo p l e -

a re u s e d to c u r re n t l y. A c o py operat i o n i s ca l l e d yank, a n d p a ste is ca l l e d put. T h i s i s ref l e cted i n


t h e keyboard c o m m a n d s as s i g ned t o t h e s e o p e rati o n s : yank i s y fo l l owed b y a m ove m e nt , a n d
put o p e rat i o n s a re pe rfo r m e d w i t h p a n d P . -

Ya n k operat i o n s fol l ow t h e s a m e g e n e ra l s c h e m a a s re p l ace a n d d e l ete o p e ra t i o n s : A u s e r


optiona l l y types t h e n u m be r of t i m es to re peat a n o p e ra t i o n , fol l owed by y, fo l l owed by a -

movement. Fo r exa m p l e, 5yaw w i l l copy t h e cu rrent word a n d t h e n ext fo u r (fo r a tota l of five).
P res s i n g yy w i l l ya n k t h e e n t i re l i ne, etc.
-

Putt i n g ( p a st i n g ) i s d o n e w i t h the p a n d P co m m a n d s ; l owercase p w i l l put after the c u rrent


c u rsor (o r b e l ow t h e c u rrent line when l i n e-wise data i s bei n g pasted ), w h i l e u p p e rcase P puts
before t h e c u rrent c u rs o r position, or a bove t h e c u rrent l i ne. L i ke all ot h e r com m a n ds , a p u t -

co m m a n d c a n b e p refi xed with t h e n u m be r o f t i m e s to paste t h e register.

Multiple registers -

I n stead of j ust o n e c l i p bo a rd for copy a n d paste, vim h a s 26 n a m e d registers, a n d a n u m be r


o f specia l p u rpose reg i sters a s we l l . H a v i n g m u lt i p l e registers ava i l a b l e a l l ows u s e rs t o m o re
-
effi c i e nt l y c u t a n d paste, without h a v i n g to worry a b o u t l o s i n g data or m o v i n g t h e c u rsor a ro u n d
t o o m u c h . I f a reg ister to use i s n o t s p e c i f i e d , t h e " u n n a m e d " reg i ster w i l l b e used. N o r m a l
11
reg isters a re ca l l e d a to z , a n d a re s e l ected b y p u tt i n g regi s t e rname betwe e n t h e count f o r a
co m m a n d a n d t h e act u a l c o m m a n d ; for exa m p l e, to c o py t h e c u rrent l i n e a n d t h e n ext two i nto
11
the t reg ister, o n e ca n use t h e com m a n d 3 t yy .
11 -
To p u t out of a n a m e d reg ister, s i m p l y p u t regi s t e rname i n front of t h e p u t co m m a n d ; for
11
exa m p l e, s p w i l l p u t after the c u rsor out of the s reg i ster.

Important
W h e n ever a n a m e d reg i ster is u s e d , t h e u n n a m e d reg ister w i l l be u pd a t e d as we l l .

D e l ete a n d c h a n g e o p e rat i o n s c a n b e p refixed w i t h a reg i ster s e l ection a s we l l . W h e n n o reg ister -


is specified, o n l y the u n n a m e d reg ister w i l l be u s e d . W h e n the u p p e rcase vers i o n of a reg ister is
used, t h e text t h a t is being cut or ya n ke d i s a p pe n d e d to t h a t reg ister i n stead of overwrit i n g it.
-

52 R H134- R H E L 7 - e n -1 -2014061 0

Special registers
There are 10 numbered registers, "0 through "9. Register "0 will always have a copy of the most recent yanked text, while register "1 will have a copy of the most recent deleted text. When new text is changed or deleted, the contents of "1 will shift into "2, "2 into "3, etc.

Important
Unlike the named registers, the content of the numbered registers is not saved between sessions.

Visual mode
To avoid having to constantly count the number of lines, words, or characters to specify for commands, vim also comes with a Visual (select) mode. After entering visual mode (indicated by -- VISUAL -- in the ruler), any cursor movements will start selecting text. Any change, delete, or yank commands issued in visual mode do not need a cursor movement part, but will instead work on the selected text.

Visual mode comes in three flavors: character-based (started with v), line-based (started with V), and block-based (started with Ctrl+V). When using gvim, the mouse can also be used to select text.

Any ex commands issued in visual mode will by default work on the selected text as well.

Searching
Searching in the current document can be started in two ways: by pressing / to search forward from the cursor position, or by pressing ? to search backward from the current cursor position. After entering search mode, a regular expression can be typed to search for, and pressing Enter will jump to the first match (if any).

To search for the next or previous match, use n and N respectively.

Bonus shortcut: * will instantly search forward for the word under the cursor.

Search and Replace
Search and replace in vim is implemented in ex mode, and uses the same syntax as one would use with sed for search and replace, including the capability to search using regular expressions:

range s/pattern/string/flags

range can be a line number (42), a range of line numbers (1,7 for lines 1-7), a search term (/README\.txt/), % for all the lines in the current document (search and replace normally only works on the current line), or '<,'> for the current visual selection.

Two of the most common flags are g, to enable replacing more than one occurrence of pattern per line, and i, to make the current search case-insensitive.

Search and Replace example
For example, to search for every occurrence of the word "cat" and replace it with "dog" in all lines, regardless of case, but only if it's a full word, and not in something like "catalog", one could use the following command:

Chapter 3. Creating and Editing Text Files with vim

:%s/\<cat\>/dog/gi

Undo and redo
To allow for human imperfection, vim is fitted with an undo/redo mechanism. Simply pressing u in command mode will undo the last action. If too much has been undone, pressing Ctrl+r will redo the last undo.

Bonus awesomeness: Pressing . (period) from command mode will redo the last edit action, but on the current line. This can be used to easily perform the same edit action multiple times.

References
vim(1) man page

vim built-in help

Practice: Edit a File with vim
Guided exercise
In this lab, you will edit a file using vim.

Resources
Machines: desktopX
Files: /usr/share/doc/vim-common-*/README.txt

Outcomes
A copy of the vim README.txt which has been edited according to the instructions in this practice exercise.

Before you begin...
N/A

1. Log into your desktopX system as student and open a terminal.

2. Create a copy of the file /usr/share/doc/vim-common-*/README.txt in your home directory.

2.1.
[student@desktopX ~]$ cp /usr/share/doc/vim-common-*/README.txt

3. Open /home/student/README.txt in vim.

3.1.
[student@desktopX ~]$ vim README.txt

4. Jump to the section titled MAIN AUTHOR, then put your cursor on the A in AUTHOR.

4.1. From command mode, type the following, then press Enter. This will jump to the first occurrence of the text:

/MAIN AUTHOR

4.2. Press w to move the cursor one word to the right; this should put you on the A in AUTHOR.

5. Change this occurrence of the word AUTHOR to ROCKSTAR.

5.1. From command mode, type cw to change the word under the cursor.

5.2. Type ROCKSTAR.

5.3. Press Esc to return to command mode.

6. Undo your previous edit.

6.1. Press u to undo your last edit.


7. Redo (i.e., undo your undo) your last edit.

7.1. Press Ctrl+r to redo your last undo.

8. Using visual mode, make a copy of the INSTALLATION paragraph (including header) and place it at the end of the file.

8.1. Move the cursor to the start of the INSTALLATION section by searching for ^INSTALLATION. From command mode, type:

/^INSTALLATION

8.2. Enter visual line mode by pressing V.

8.3. Move the cursor to the end of the section by typing 3}. This will move the cursor three paragraphs down, selecting our entire section. (The heading counts as a paragraph.)

8.4. Press y to yank (copy) the selected lines to the unnamed buffer.

8.5. Move the cursor to the end of the document by pressing G.

8.6. Put (paste) the unnamed buffer below the current line by pressing p.

9. In the entire document, replace each occurrence of README with PLEASE_READ_ME.

9.1. From command mode, type the following:

:%s/README/PLEASE_READ_ME/g

• The : enters Ex mode.

• % indicates that we want to work on every line in the document.

• s/README/PLEASE_READ_ME/ is the search and replace command.

• The trailing g indicates that this replace operation can be performed more than once per line.
-

10. Exit without saving your changes.

10.1. From command mode, type :q!.

The : enters ex mode, the q indicates we want to quit, and the ! tells vim to force the quit, since we have unsaved changes.

11. Clean up by removing your README.txt.

11.1.
[student@desktopX ~]$ rm README.txt

Lab: Edit a System File with vim

Performance checklist
In this lab, you will create and edit a new system file using vim.

Resources
Files: /etc/motd
Machines: desktopX

Outcomes
An updated /etc/motd file on desktopX.

Before you begin...
N/A

You have been asked to update the Message-Of-The-Day (MOTD) file on desktopX. This file is called /etc/motd, and its contents are displayed to users upon a successful login on the command line.
1. Update the /etc/motd file on desktopX to read:

desktopX.example.com

Please be careful.

2. Test your changes by using ssh to connect to the student account on localhost. If all goes well, you should see your new message after authentication. Close the ssh connection when you are done testing.

3. Edit /etc/motd again. This time, replace the X in desktopX.example.com with your actual station number, using search and replace. You are also asked to repeat the "Please be careful." line two more times.

4. Test your changes by using ssh to connect to student@localhost again.


Solution

In this lab, you will create and edit a new system file using vim.


Resources
Files: /etc/motd
Machines: desktopX

Outcomes
An updated /etc/motd file on desktopX.

Before you begin...
N/A

You have been asked to update the Message-Of-The-Day (MOTD) file on desktopX. This file is called /etc/motd, and its contents are displayed to users upon a successful login on the command line.

1. Update the /etc/motd file on desktopX to read:

desktopX.example.com

Please be careful.

1.1. Log into your desktopX system as student and open a terminal.

1.2. Since /etc/motd is a system file, you will need to elevate your privileges.

[student@desktopX ~]$ su -
Password: redhat

1.3. Open /etc/motd in vim.

[root@desktopX ~]# vim /etc/motd

1.4. Enter insert mode by pressing i or a, then type the following text:

desktopX.example.com

Please be careful.

1.5. Press Esc to exit insert mode and return to command mode, then type :wq to enter ex mode to save and quit.

2. Test your changes by using ssh to connect to the student account on localhost. If all goes well, you should see your new message after authentication. Close the ssh connection when you are done testing.

2.1.
[root@desktopX ~]# ssh student@localhost
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.

Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
student@localhost's password: student
desktopX.example.com

Please be careful.
[student@desktopX ~]$ exit

3. Edit /etc/motd again. This time, replace the X in desktopX.example.com with your actual station number, using search and replace. You are also asked to repeat the "Please be careful." line two more times.
3.1. Open /etc/motd in vim. Make sure that you are still working as root.

[root@desktopX ~]# vim /etc/motd

3.2. Use search and replace to replace X with your actual station number. The example that follows assumes that you are station number 99.

From command mode, enter ex mode and replace all occurrences of X with 99 by typing the following:

:%s/X/99/g

3.3. Move your cursor to line number three by typing the following from command mode:

:3
3.4. Yank (copy) the current line, then put (paste) it twice, by typing yy2p.

The yy part yanks the current line, and 2p puts it twice.

3.5. Save and quit by typing :wq.

4. Test your changes by using ssh to connect to student@localhost again.

4.1.
[root@desktopX ~]# ssh student@localhost
student@localhost's password: student
desktop99.example.com

Please be careful.
Please be careful.
Please be careful.
[student@desktopX ~]$ exit
Summary

The vim Text Editor

• vim has three main modes.
  • Command mode for file navigation and simple commands.
  • Insert mode for normal text editing.
  • Ex mode for saving, quitting, and performing more complex commands.

Basic vim Workflow

• Both the cursor keys and hjkl can be used to move the cursor.

• Escape exits the current command or mode; press it twice to always end in command mode.

• :w saves, :q quits, :wq saves and quits.

Editing with vim
• Fast cursor commands: w b ( ) { }.

• c enters change mode.

• d and y to cut and copy, p to paste.

CHAPTER 4

SCHEDULING FUTURE LINUX TASKS

Overview

Goal: Schedule tasks to automatically execute in the future.

Objectives:
• Schedule one-time tasks with at.
• Schedule recurring jobs with cron.
• Schedule recurring system jobs.
• Manage temporary files.

Sections:
• Scheduling One-Time Tasks with at (and Practice)
• Scheduling Recurring Jobs with cron (and Practice)
• Scheduling System cron Jobs (and Practice)
• Managing Temporary Files (and Practice)

Chapter Test: Scheduling Future Linux Tasks

Scheduling One-Time Tasks with at

Objective
After completing this section, students should be able to schedule one-time tasks with at.

Scheduling future tasks
From time to time, an administrator (or end user) wants to run a command, or set of commands, at a set point in the future. Examples include the office worker who wants to schedule an email to his boss, as well as the system administrator working on a firewall configuration who puts a "safety" job in place to reset the firewall settings in ten minutes' time, unless he deactivates the job before then.

These scheduled commands are often called tasks or jobs.


Scheduling one-time tasks with at
One of the solutions available to users of a Red Hat Enterprise Linux system for scheduling future tasks is at. This is not a standalone tool, but rather a system daemon (atd), with a set of command-line tools to interact with the daemon (at, atq, and more). In a default Red Hat Enterprise Linux installation, the atd daemon will be installed and enabled automatically. The atd daemon can be found in the at package.

Users (including root) can queue up jobs for the atd daemon using the command-line tool at. The atd daemon provides 26 queues, a to z, with jobs in alphabetically later queues getting less system priority (higher nice levels, discussed in a later chapter).

Scheduling jobs
A new job can be scheduled by using the command at <TIMESPEC>. at will then read the commands to execute from stdin. For larger commands, and typo-sensitive commands, it is often easier to use input redirection from a script file, e.g., at now +5min < myscript, than typing all the commands by hand in a terminal window. When entering commands by hand, you can finish your input by pressing Ctrl+D.

The <TIMESPEC> allows for many powerful combinations, giving users an (almost) free-form way of describing exactly when a job should be run. Typically, they start with a time, e.g., 02:00pm, 15:59, or even teatime, followed by an optional date or number of days in the future.

Some examples of combinations that can be used are listed in the following text. For a complete list, see the timespec definition in the references.

• now +5min

• teatime tomorrow (teatime is 16:00)

• noon +4 days

• 5pm august 3 2016
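To make the TIMESPEC forms listed above concrete, the following Python block is an added example written for this page; it is not the at package's own parser and covers only the forms quoted here (a time of day or now, an optional tomorrow or "month day [year]" date, and an optional "+N unit" increment). It resolves each of the page's examples against a constructed submission time, DEMO_NOW, chosen to match the practice output later in this chapter, where a job queued with now +3min is listed as 05:13:00 on January 30, 2014. The names resolve_timespec, DEMO_NOW and demo are this example's own; the rule that a time of day which has already passed means tomorrow follows the at(1) man page.

```python
# Added example (not the at package's parser): resolve a subset of at(1)
# TIMESPEC strings against an explicit submission time, offline.
import re
from datetime import datetime, timedelta

NAMED_TIMES = {"midnight": (0, 0), "noon": (12, 0), "teatime": (16, 0)}

# Full month names and their three-letter abbreviations, as at accepts both.
MONTHS = {}
for _i, _name in enumerate("january february march april may june july august "
                           "september october november december".split(), 1):
    MONTHS[_name] = MONTHS[_name[:3]] = _i

# '+N <unit>' increments; only units that map directly onto timedelta.
UNITS = {"min": "minutes", "minute": "minutes", "minutes": "minutes",
         "hour": "hours", "hours": "hours", "day": "days", "days": "days",
         "week": "weeks", "weeks": "weeks"}


def _parse_time(token, now):
    """Return (datetime on today's date, is_now) for the leading time token."""
    if token == "now":
        return now.replace(second=0, microsecond=0), True   # atq shows whole minutes
    if token in NAMED_TIMES:
        hour, minute = NAMED_TIMES[token]
    else:
        m = re.fullmatch(r"(\d{1,2})(?::(\d{2}))?(am|pm)?", token)
        if not m:
            raise ValueError("unrecognised time %r" % token)
        hour, minute, suffix = int(m.group(1)), int(m.group(2) or 0), m.group(3)
        if suffix == "pm" and hour < 12:   # 5pm -> 17:00, 02:00pm -> 14:00
            hour += 12
        if suffix == "am" and hour == 12:  # 12am is midnight
            hour = 0
    return now.replace(hour=hour, minute=minute, second=0, microsecond=0), False


def resolve_timespec(spec, now):
    """Return the datetime at which a job submitted at NOW with SPEC would run."""
    text = spec.strip().lower()
    delta = timedelta()
    inc = re.search(r"\+\s*(\d+)\s*([a-z]+)", text)
    if inc:                                   # strip the '+N unit' part first
        count, unit = int(inc.group(1)), inc.group(2)
        if unit not in UNITS:
            raise ValueError("unsupported unit %r" % unit)
        delta = timedelta(**{UNITS[unit]: count})
        text = (text[:inc.start()] + text[inc.end():]).strip()
    tokens = text.split()
    if not tokens:
        raise ValueError("a time is required")
    when, is_now = _parse_time(tokens[0], now)
    date = tokens[1:]
    if date == ["tomorrow"]:
        when += timedelta(days=1)
    elif date and date[0] in MONTHS:          # '<month> <day> [<year>]'
        year = int(date[2]) if len(date) > 2 else now.year
        when = when.replace(year=year, month=MONTHS[date[0]], day=int(date[1]))
        if len(date) < 3 and when < now:      # no year and already past: next year
            when = when.replace(year=year + 1)
    elif date:
        raise ValueError("unsupported date %r" % " ".join(date))
    elif not is_now and when <= now:
        when += timedelta(days=1)             # time of day already passed: tomorrow
    return when + delta


# Constructed submission time: 05:10 on Thu Jan 30, 2014, so that 'now +3min'
# gives the 05:13:00 shown by atq in the practice later in this chapter.
DEMO_NOW = datetime(2014, 1, 30, 5, 10, 0)


def demo():
    """Resolve the specifications quoted on the page; returns ISO 8601 strings."""
    specs = ["now +5min", "teatime tomorrow", "noon +4 days", "5pm august 3 2016",
             "02:00pm", "15:59", "now +3min"]
    return {s: resolve_timespec(s, DEMO_NOW).isoformat() for s in specs}


if __name__ == "__main__":
    for spec, when in demo().items():
        print("%-20s -> %s" % (spec, when))
```

Running the block prints one line per specification; the ones that matter for the exercises are now +3min, which lands at 05:13, and teatime tomorrow, which lands at 16:00 the next day. Increments in months or years, which at also accepts, are deliberately left out because they do not map onto a fixed timedelta.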

Inspecting and managing jobs

Inspecting jobs
To get an overview of the pending jobs for your user, use the command atq or, alternatively, the alias at -l.

Running this command gives the following output:

[student@desktopX ~]$ atq
28    Mon Feb  2 05:13:00 2015 a student
29    Mon Feb  3 16:00:00 2014 h student
27    Tue Feb  4 12:00:00 2014 a student

This shows four columns for every job scheduled to run in the future:

• The job number, 28 in the first line.

• The date and time scheduled for that job, Mon Feb 2 05:13:00 2015 in the first line.

• The queue for the job, a in the first line, but h in the second.

• The owner of the job (and the user as which the job will run), student in all our lines.

Important
Normal, unprivileged users can only see and control their own jobs. root can see and manage all jobs.
To inspect the actual commands that will run when a job is executed, use the command at -c <JOBNUMBER>. This output will first show the environment for the job being set up to reflect the environment of the user who created the job at the time it was created, followed by the actual commands to be run.

Removing jobs
The atrm <JOBNUMBER> command will remove a scheduled job. This is useful when a job is no longer needed; for example, when a remote firewall configuration succeeded, and does not need to be reset.

References
at(1) and atd(8) man pages

/usr/share/doc/at-*/timespec

Practice: Scheduling One-Time Tasks with at

Guided exercise
In this lab, you will schedule one-time tasks for the future.

Resources
Machines: desktopX

Outcomes
Three jobs scheduled for the future, with one executed, and two removed again.

1. Log into your desktopX machine as student and open a terminal window.

2. Schedule a task for three minutes in the future. The task should write a timestamp to /home/student/myjob.

2.1.
[student@desktopX ~]$ echo "date > ~/myjob" | at now +3min

3. Inspect the list of tasks scheduled for execution in the future for your user.

3.1.
[student@desktopX ~]$ atq
1    Thu Jan 30 05:13:00 2014 a student

4. Wait for your job to run, then inspect the contents of /home/student/myjob.

4.1. Repeatedly run atq until your job disappears from the list, or (if you only have one pending job and like scripting):

[student@desktopX ~]$ while [ $(atq | wc -l) -gt 0 ]; do sleep 1s; done

4.2.
[student@desktopX ~]$ cat myjob

5. Schedule a job to run at 16:00 tomorrow, using the g queue. This job should create a new file called /home/student/tea.

5.1.
[student@desktopX ~]$ at -q g teatime tomorrow
at> touch /home/student/tea
at> Ctrl+D

6. Schedule a job, this time in the b queue, to run at 16:05 tomorrow. This job should create the file /home/student/cookies.

6.1.
[student@desktopX ~]$ at -q b 16:05 tomorrow
at> touch /home/student/cookies
at> Ctrl+D

7. Inspect your pending jobs. Inspect the actual commands your jobs will run as well.

7.1.
[student@desktopX ~]$ atq
2    Fri Jan 31 16:00:00 2014 g student
3    Fri Jan 31 16:05:00 2014 b student

7.2.
[student@desktopX ~]$ at -c 2

[student@desktopX ~]$ at -c 3
8. You have decided you don't actually like tea that much. Remove the job that writes the file /home/student/tea, but keep the job that writes /home/student/cookies (you like cookies).

8.1.
[student@desktopX ~]$ atrm 2

Important: If your job to write /home/student/tea had a different number than 2, use that number in the previous command.
Scheduling Recurring Jobs with cron

Objective
After completing this section, students should be able to schedule recurring jobs with cron.

Introduction to cron
Using at, one could, in theory, schedule a recurring job by having the job resubmit a new job at the end of its execution. In practice, this turns out to be a bad idea. Red Hat Enterprise Linux systems ship with the crond daemon enabled and started by default specifically for recurring jobs. crond is controlled by multiple configuration files, one per user (edited with the crontab(1) command), and systemwide files. These configuration files give users and administrators fine-grained control over exactly when their recurring jobs should be executed. The crond daemon is installed as part of the cronie package.

If the commands run from a cron job produce any output to either stdout or stderr that is not redirected, the crond daemon will attempt to email that output to the user owning that job (unless overridden) using the mail server configured on the system. Depending on the environment this may need additional configuration.

Scheduling jobs
Normal users can use the crontab command to manage their jobs. This command can be called in four different ways:

Command               Intended use
crontab -l            List the jobs for the current user.
crontab -r            Remove all jobs for the current user.
crontab -e            Edit jobs for the current user.
crontab <filename>    Remove all jobs, and replace with the jobs read from <filename>. If no file is specified, stdin will be used.

Note
root can use the option -u <username> to manage the jobs for another user. It is not recommended to use the crontab command to manage system jobs; instead, the methods described in the next section should be used.

Job format
When editing jobs with crontab -e, an editor will be started (vi by default, unless the EDITOR environment variable has been set to something different). The file being edited will have one job per line. Empty lines are allowed, and comments start their line with a hash symbol (#). Environment variables can also be declared, using the format NAME=value, and will affect all lines below the line where they are declared. Common environment variables in a crontab include SHELL and MAILTO. Setting the SHELL variable will change which shell is used to execute the commands on the lines below it, while setting the MAILTO variable will change which email address output (if any) will be mailed to.

Important
Sending email may require additional configuration of the local mail server or SMTP relay on a system.

Individual jobs consist of six fields detailing when and what should be executed. When all five of the first fields match the current date and time, the command in the last field will be executed. These fields are (in order):

• Minutes

• Hours

• Day-of-Month

• Month

• Day-of-Week

• Command

Important
When the "Day-of-Month" and "Day-of-Week" fields are both other than *, the command will be executed when either of these two fields match. This can be used, for example, to run a command on the 15th of every month, and every Friday.

The first five of these fields all use the same syntax rules:

• * for "Don't Care"/always

• A number to specify a number of minutes or hours, a date, or a weekday. (For weekdays, 0 equals Sunday, 1 equals Monday, 2 equals Tuesday, etc. 7 also equals Sunday.)

• x-y for a range, x to y inclusive

• x,y for lists. Lists can include ranges as well, e.g., 5,10-13,17 in the "Minutes" column to indicate that a job should run at 5 minutes past the hour, 10 minutes past, 11 minutes past, 12 minutes past, 13 minutes past, and 17 minutes past.

• */x to indicate an interval of x, e.g., */7 in the minutes column will run a job exactly every seven minutes.

Additionally, three-letter English abbreviations can be used for both month and weekdays, e.g., Jan, Feb and Tue, Wed.

The last field contains the command to be executed. This command will be executed by /bin/sh, unless a SHELL environment variable has been declared. If the command contains an unescaped percentage sign (%), that percentage sign will be treated as a newline, and everything after the percentage sign will be fed to the command on stdin.

Example cron jobs
Some example cron jobs:
• 0 9 2 2 * /usr/local/bin/yearly_backup

Execute the command /usr/local/bin/yearly_backup at exactly 9 a.m. on February 2nd, every year.

• */7 9-16 * Jul 5 echo "Chime"

Send an email containing the word Chime to the owner of this job, every seven minutes between 9 a.m. and 5 p.m., on every Friday in July.

• 58 23 * * 1-5 /usr/local/bin/daily_report

Run the command /usr/local/bin/daily_report every weekday at two minutes before midnight.

• 0 9 * * 1-5 mutt -s "Checking in" boss@example.com % Hi there boss, just checking in.

Every workday (Monday to Friday), at 9 a.m. sharp, send a mail message to boss@example.com using mutt.

References
crond(8), crontab(1), and crontab(5) man pages

Practice: Scheduling Recurring Jobs with cron
Guided exercise
In this lab, you will schedule a recurring job using cron.

Resources
Machines: desktopX

Outcomes
A recurring job is scheduled, and then removed again.

1. Log into your desktopX machine as student.

2. Schedule a recurring job that...

• ... runs as your student user.

• ... runs every two minutes between 09:00 and 16:59 on Monday to Friday.

• ... appends the current date and time to the file /home/student/my_first_cron_job.

2.1. Start the crontab editor.

[student@desktopX ~]$ crontab -e

2.2. Insert the following line:

*/2 9-16 * * 1-5 date >> /home/student/my_first_cron_job

2.3. Save your changes and quit the editor (:wq).

3. Inspect all of your scheduled cron jobs.

3.1.
[student@desktopX ~]$ crontab -l

4. Wait for your job to run at least once or twice, then inspect the contents of the /home/student/my_first_cron_job file.

4.1.
[student@desktopX ~]$ cat ~/my_first_cron_job

5. Remove all of the cron jobs for student.

5.1.
[student@desktopX ~]$ crontab -r

- RH134- R H E L7-en-1 -2014061 0 69

-
-

Chapter 4. Scheduling Future Linux Tasks

Scheduling System cron Jobs

Objectives
After completing this section, students should be able to:

• Schedule recurring system tasks.

System cron jobs

Apart from user cron jobs, there are also system cron jobs.

System cron jobs are not defined using the crontab command, but are instead configured in a set of configuration files. The main difference in these configuration files is an extra field, located between the Day-of-Week field and the Command field, specifying under which user a job should be run.

The /etc/crontab file has a useful syntax diagram in the included comments.

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

System cron jobs are defined in two locations: /etc/crontab and /etc/cron.d/*. Packages that install cron jobs should do so by placing a file in /etc/cron.d/, but administrators can also use this location to more easily group related jobs into a single file, or to push jobs using a configuration management system.

There are also predefined jobs that run every hour, day, week, and month. These jobs will execute all scripts placed in /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/ respectively. Please note that these directories contain executable scripts, and not cron configuration files.

Important

Make sure to make any scripts you place in these directories executable. If a script is not made executable (e.g., with chmod +x), it will not be run.

The /etc/cron.hourly/* scripts are executed using the run-parts command, from a job defined in /etc/cron.d/0hourly. The daily, weekly, and monthly jobs are also executed using the run-parts command, but from a different configuration file: /etc/anacrontab.

In the past, /etc/anacrontab was handled by a separate daemon (anacron), but in Red Hat Enterprise Linux 7, the file is parsed by the regular crond daemon. The purpose of this file is to make sure that important jobs will always be run, and not skipped accidentally because the system was turned off or hibernating when the job should have been executed.
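As an added example (not the workbook's own code), the shell functions below inventory the jobs defined in system crontab files using the rules just described: blank lines, comments and NAME=value environment lines are skipped, and a job line must carry the extra user field between the schedule and the command. The file content in the demonstration is constructed for this example.

```shell
# Added example, not from the RH134 workbook: inventory the jobs defined in
# system crontab files (/etc/crontab and /etc/cron.d/*). A job line has seven
# fields: minute hour day-of-month month day-of-week user command.

# Print one "min hour dom mon dow|user|command" record per job in the files
# given as arguments. Blank lines, comments and NAME=value settings are
# skipped; a line with fewer than seven fields is reported on stderr.
list_system_cron_jobs() {
    for _f in "$@"; do
        [ -r "$_f" ] || { printf 'cannot read %s\n' "$_f" >&2; continue; }
        awk '
            { sub(/^[ \t]+/, "") }                 # drop indentation
            /^$/ || /^#/ { next }                  # blank line or comment
            $1 ~ /=/ { next }                      # SHELL=, PATH=, MAILTO=, ...
            NF < 7 {
                printf "malformed job in %s: %s\n", FILENAME, $0 > "/dev/stderr"
                next
            }
            {
                cmd = $7
                for (i = 8; i <= NF; i++) cmd = cmd " " $i
                printf "%s %s %s %s %s|%s|%s\n", $1, $2, $3, $4, $5, $6, cmd
            }
        ' "$_f"
    done
}

# Count the jobs that run as USER; a quick way to see how many root jobs a
# freshly dropped /etc/cron.d file would add.
count_cron_jobs_for_user() {
    _user="$1"; shift
    list_system_cron_jobs "$@" 2>/dev/null |
        awk -F'|' -v u="$_user" '$2 == u { n++ } END { print n + 0 }'
}

# Demonstration on a constructed file written in the style of /etc/cron.d/*
# (the entries are made up for this example).
demo_cron="$(mktemp)"
cat > "$demo_cron" <<'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# hourly scripts are kicked off by run-parts
01 * * * * root run-parts /etc/cron.hourly
*/10 * * * * root /usr/lib64/sa/sa1 1 1
58 23 * * 1-5 student /usr/local/bin/daily_report
0 9 * * 1-5
EOF
list_system_cron_jobs "$demo_cron"
printf 'jobs running as root: %s\n' "$(count_cron_jobs_for_user root "$demo_cron")"
rm -f "$demo_cron"
```

The last sample line has no user field and no command, so it is reported as malformed rather than silently counted as a job.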

The syntax of /etc/anacrontab is different from the other cron configuration files. It contains exactly four fields per line:

• Period in days

  Once per how many days this job should be run.

• Delay in minutes

  The amount of time the cron daemon should wait before starting this job.

• Job identifier

  This is the name of the file in /var/spool/anacron/ that will be used to check if this job has run. When cron starts a job from /etc/anacrontab, it will update the timestamp on this file. The same timestamp is used to check when a job has last run in the past.

• Command

  The command to be executed.

/etc/anacrontab also contains environment variable declarations using the syntax NAME=value. Of special interest is START_HOURS_RANGE: jobs will not be started outside of this range.

References
crond(8), crontab(1), crontab(5), anacron(8), and anacrontab(5) man pages

Practice: Scheduling System cron Jobs

Guided exercise
In this lab, you will work with recurring system jobs.

Resources
Files:    • /etc/crontab
          • /etc/cron.d/*
          • /etc/cron.{hourly,daily,weekly,monthly}/*
Machines: desktopX

Outcomes
A daily job to count the number of active users, and an updated cron job to gather system performance data.

1. Log into your desktopX system as student, then elevate your privileges to root.

   1.1.
        [student@desktopX ~]$ su
        Password: redhat

2. Create a new daily cron job that logs a message to the system log with the number of currently active users (w -h | wc -l). You can use the logger command to send messages to the system log.

   2.1. Open a new file in /etc/cron.daily in an editor, e.g., /etc/cron.daily/usercount.

        [root@desktopX ~]# vim /etc/cron.daily/usercount

   2.2. Write the script that logs the number of active users to the system log.

        Insert the following in your editor:

        #!/bin/bash
        USERCOUNT=$(w -h | wc -l)
        logger "There are currently ${USERCOUNT} active users"

   2.3. Make the script executable:

        [root@desktopX ~]# chmod +x /etc/cron.daily/usercount

3. The sysstat package, when installed, has a cron job that runs every 10 minutes, collecting data using a command called sa1. Make sure this package is installed, then change this job to run every five minutes.

   3.1. Make sure the sysstat package is installed.

        [root@desktopX ~]# yum -y install sysstat

   3.2. Find out in which file the sysstat package has configured the cron jobs. Cron jobs are generally configured in files marked as a configuration file for the package manager.

        [root@desktopX ~]# rpm -qc sysstat

        /etc/cron.d/sysstat looks promising.

   3.3. Open /etc/cron.d/sysstat in an editor.

        [root@desktopX ~]# vim /etc/cron.d/sysstat

   3.4. Change */10 on the sa1 line to */5.

   3.5. Save your changes and exit.

   3.6. Monitor the files in /var/log/sa to see when their sizes and timestamps change.

        [root@desktopX ~]# watch ls -l /var/log/sa

Managing Temporary Files

Objectives
After completing this section, students should be able to manage temporary files using systemd-tmpfiles.

Managing temporary files with systemd-tmpfiles

A modern system requires a large number of temporary files and directories. Not just the highly user-visible ones such as /tmp that get used and abused by regular users, but also more task-specific ones such as daemon and user-specific volatile directories under /run. In this context, volatile means that the file system storing these files only exists in memory. When the system reboots or loses power, all the contents of volatile storage will be gone.

To keep a system running cleanly, it is necessary for these directories and files to be created when they do not exist, since daemons and scripts might rely on them being there, and for old files to be purged so that they do not fill up disk space or provide faulty information.

In the past, system administrators relied on RPM packages and System V init-scripts to create these directories, and a tool called tmpwatch to remove old, unused files from configured directories.

In Red Hat Enterprise Linux 7, systemd provides a more structured, and configurable, method to manage temporary directories and files: systemd-tmpfiles.

When systemd starts a system, one of the first service units launched is systemd-tmpfiles-setup. This service runs the command systemd-tmpfiles --create --remove. This command reads configuration files from /usr/lib/tmpfiles.d/*.conf, /run/tmpfiles.d/*.conf, and /etc/tmpfiles.d/*.conf. Any files and directories marked for deletion in those configuration files will be removed, and any files and directories marked for creation (or permission fixes) will be created with the correct permissions if necessary.

Regular cleaning

To make sure that long-running systems do not fill up their disks with stale data, there is also a systemd timer unit that calls systemd-tmpfiles --clean on a regular interval.

systemd timer units are a special type of systemd service that have a [Timer] block indicating how often the service with the same name should be started.

On a Red Hat Enterprise Linux 7 system, the configuration for the systemd-tmpfiles-clean.timer unit looks like this:

[Timer]
OnBootSec=15min
OnUnitActiveSec=1d

This indicates that the service with the same name (systemd-tmpfiles-clean.service) will be started 15 minutes after systemd has started, and then once every 24 hours afterwards.

The command systemd-tmpfiles --clean parses the same configuration files as the systemd-tmpfiles --create command, but instead of creating files and directories, it will purge all files which have not been accessed, changed, or modified more recently than the maximum age defined in the configuration file.

Important

The man page tmpfiles.d(5) claims that files "older than" the age in the date field of the configuration file are removed. This is not exactly true.

Files on a Linux file system following the POSIX standard have three timestamps: atime, the last time the file was accessed; mtime, the last time the file's contents were modified; and ctime, the last time the file's status was changed (by chown, chmod, and so on). Most Linux file systems do not have a creation time stamp. This is common among Unix-like file systems.

Files will be considered unused if all three timestamps are older than the systemd-tmpfiles age configuration. If any of the three timestamps are newer than the age configuration, the file will not be removed due to age by systemd-tmpfiles.

The stat command can be run on a file to see the values of all three of its time stamps. The ls -l command normally displays mtime.

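The shell functions below, added here as an example rather than taken from the workbook, apply the rule from the note above: a file counts as unused only when atime, mtime and ctime are all older than the age, with tmpfiles.d age suffixes such as 30s or 10d converted to seconds. They assume GNU stat, GNU date and GNU touch; treating a bare number as seconds is an assumption of this example.

```shell
# Added example, not from the RH134 workbook: reproduce the "unused" test that
# systemd-tmpfiles --clean applies, which requires atime, mtime AND ctime to
# all be older than the configured age. Assumes GNU stat, date and touch.

# Convert a tmpfiles.d age such as 30s, 15min, 2h, 10d or 1w to seconds.
# A bare number is taken as seconds here (an assumption of this example);
# the sub-second suffixes ms and us are rejected rather than mishandled.
age_to_seconds() {
    case "$1" in
        [0-9]*ms | [0-9]*us) return 1 ;;
        [0-9]*min) echo $(( ${1%min} * 60 )) ;;
        [0-9]*s)   echo $(( ${1%s} )) ;;
        [0-9]*m)   echo $(( ${1%m} * 60 )) ;;
        [0-9]*h)   echo $(( ${1%h} * 3600 )) ;;
        [0-9]*d)   echo $(( ${1%d} * 86400 )) ;;
        [0-9]*w)   echo $(( ${1%w} * 604800 )) ;;
        [0-9]*)    echo $(( $1 )) ;;
        *)         return 1 ;;
    esac
}

# Usage: file_is_unused FILE AGE_SPEC
# Exit 0 if FILE would be purged by a rule with that age (all three
# timestamps older than the age), 1 if at least one timestamp is recent,
# 2 if the age is invalid or FILE cannot be examined.
file_is_unused() {
    _age="$(age_to_seconds "$2")" || return 2
    _stamps="$(stat -c '%X %Y %Z' "$1")" || return 2   # atime mtime ctime
    _cutoff=$(( $(date +%s) - $_age ))
    for _ts in $_stamps; do
        # a single timestamp at or after the cutoff keeps the file
        [ "$_ts" -lt "$_cutoff" ] || return 1
    done
    return 0
}

# Demonstration in a scratch directory: backdating atime and mtime with touch
# still leaves a fresh ctime, so a 1d rule would not remove the file.
scratch="$(mktemp -d)"
: > "$scratch/companion"
touch -a -m -d '2 days ago' "$scratch/companion"
if file_is_unused "$scratch/companion" 1d; then
    echo "companion would be purged"
else
    echo "companion is kept: ctime is $(stat -c %z "$scratch/companion")"
fi
rm -rf "$scratch"
```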

systemd-tmpfiles configuration files

The format of the configuration files for systemd-tmpfiles is detailed in the tmpfiles.d(5) manual page.

The basic syntax consists of seven columns: Type, Path, Mode, UID, GID, Age, and Argument. Type refers to the action that systemd-tmpfiles should take; for example, d to create a directory if it does not yet exist, or z to recursively restore SELinux contexts and file permissions and ownership.

Some examples with explanations:

d /run/systemd/seats 0755 root root -

When creating files and directories, create the directory /run/systemd/seats if it does not yet exist, owned by the user root and the group root, with permissions set to rwxr-xr-x. This directory will not be automatically purged.

D /home/student 0700 student student 1d

Create the directory /home/student if it does not yet exist. If it does exist, empty it of all contents. When systemd-tmpfiles --clean is run, remove all files which have not been accessed, changed, or modified in more than one day.

L /run/fstablink - root root - /etc/fstab

Create the symbolic link /run/fstablink pointing to /etc/fstab. Never automatically purge this link.

Configuration file precedence

Configuration files can live in three places:

• /etc/tmpfiles.d/*.conf

• /run/tmpfiles.d/*.conf

• /usr/lib/tmpfiles.d/*.conf

The files in /usr/lib/tmpfiles.d/ are provided by the relevant RPM packages, and should not be edited by system administrators. The files under /run/tmpfiles.d/ are themselves volatile files, normally used by daemons to manage their own runtime temporary files, and the files under /etc/tmpfiles.d/ are meant for administrators to configure custom temporary locations, and to override vendor-provided defaults.

If a file in /run/tmpfiles.d/ has the same file name as a file in /usr/lib/tmpfiles.d/, then the file in /run/tmpfiles.d/ will be used. If a file in /etc/tmpfiles.d/ has the same file name as a file in either /run/tmpfiles.d/ or /usr/lib/tmpfiles.d/, then the file in /etc/tmpfiles.d/ will be used.

Given these precedence rules, an administrator can easily override vendor-provided settings by copying the relevant file to /etc/tmpfiles.d/, and then editing it. Working in this fashion ensures that administrator-provided settings can be easily managed from a central configuration management system, and not be overwritten by an update to a package.

Note

When testing new or modified configurations, it can be useful to only apply the commands out of one configuration file. This can be achieved by specifying the name of the configuration file on the command line.

References
systemd-tmpfiles(8), tmpfiles.d(5), stat(1), stat(2), and systemd.timer(5) man pages

Practice: Managing Temporary Files

Guided exercise
In this lab, you will configure your system to purge files older than 5 days from /tmp. You will also add a new temporary directory called /run/gallifrey to be automatically created, with files which have been unused for more than 30 seconds being automatically purged.

Resources
Files:    /etc/tmpfiles.d/
          /usr/lib/tmpfiles.d/tmp.conf
Machines: serverX

Outcomes:
A new temporary directory called /run/gallifrey, set up for automatic purging, and a modified purging configuration for /tmp.

Before you begin...

Reset your serverX system.

In production, you have run into a number of issues:

• /tmp is running out of disk space. It seems that allowing files to be unused for 10 days before they are deleted is too long for your site. You have determined that deleting files after five days of disuse is acceptable.

• Your time-travel research daemon gallifrey needs a separate temporary directory called /run/gallifrey. Files in this directory should be purged automatically after they have been unused for 30 seconds. Only root should have read and write access to /run/gallifrey.

1. /tmp is under systemd-tmpfiles control. To override the upstream settings, copy /usr/lib/tmpfiles.d/tmp.conf to /etc/tmpfiles.d/.

   1.1.
        [student@serverX ~]$ sudo cp /usr/lib/tmpfiles.d/tmp.conf /etc/tmpfiles.d/

2. Find the line in /etc/tmpfiles.d/tmp.conf that controls the purging interval for /tmp, and change the interval from 10d to 5d.

   2.1. Open /etc/tmpfiles.d/tmp.conf in an editor and make the change, or:

        [student@serverX ~]$ sudo sed -i '/^d \/tmp /s/10d/5d/' /etc/tmpfiles.d/tmp.conf

3. Test if systemd-tmpfiles --clean accepts the new configuration.

        [student@serverX ~]$ sudo systemd-tmpfiles --clean tmp.conf

4. Create a new configuration file /etc/tmpfiles.d/gallifrey.conf with the following content:

        # Set up /run/gallifrey, owned by root with 0700 permissions
        # Files not used for 30 seconds will be automatically deleted
        d /run/gallifrey 0700 root root 30s

5. Test your new configuration for creating /run/gallifrey.

   5.1.
        [student@serverX ~]$ sudo systemd-tmpfiles --create gallifrey.conf

   5.2.
        [student@serverX ~]$ ls -ld /run/gallifrey
        drwx------. 2 root root Feb 19 10:29 /run/gallifrey

6. Test the purging of your /run/gallifrey directory.

   6.1. Create a new file under /run/gallifrey.

        [student@serverX ~]$ sudo touch /run/gallifrey/companion

   6.2. Wait for at least 30 seconds.

        [student@serverX ~]$ sleep 30s

   6.3. Have systemd-tmpfiles clean the /run/gallifrey directory.

        [student@serverX ~]$ sudo systemd-tmpfiles --clean gallifrey.conf

   6.4. Inspect the contents of /run/gallifrey.

        [student@serverX ~]$ sudo ls -l /run/gallifrey

Chapter Test: Scheduling Future Linux Tasks

Quiz

Match the descriptions to the relevant cron or at jobs.

Early on Christmas morning | Every Thursday at 5:00 p.m. | Every Wednesday at 12:30 p.m. | Just after midnight on every Monday and every 1st of the month. | Next Thursday at 5:00 p.m. | Next Wednesday at 12:30 p.m.

Job                                             Time description

30 6 25 12 * /usr/local/bin/open_presents

30 12 * * 3 reboot

0 17 * * 4 rm -rf /home/student

echo reboot | at 12:30 wednesday

30 1 1 * 1 /sbin/dump 0uf /dev/st0 /home

echo "userdel -r student" | at 17:00 thursday

Solution

Match the descriptions to the relevant cron or at jobs.

Job                                             Time description

30 6 25 12 * /usr/local/bin/open_presents       Early on Christmas morning

30 12 * * 3 reboot                              Every Wednesday at 12:30 p.m.

0 17 * * 4 rm -rf /home/student                 Every Thursday at 5:00 p.m.

echo reboot | at 12:30 wednesday                Next Wednesday at 12:30 p.m.

30 1 1 * 1 /sbin/dump 0uf /dev/st0 /home        Just after midnight on every Monday and every 1st of the month.

echo "userdel -r student" | at 17:00 thursday   Next Thursday at 5:00 p.m.

Summary

Scheduling One-Time Tasks with at

• at schedules future jobs.

• atq lists scheduled jobs.

• at -c inspects scheduled jobs.

• atrm removes scheduled future jobs.

Scheduling Recurring Jobs with cron

• crontab -e edits a user crontab.

• Six columns in a crontab: Minutes, Hours, Day-of-Month, Month, Day-of-Week, and Command.

Scheduling System cron Jobs

• System crontabs have an extra column: Username.

• System crontab files in /etc/crontab and /etc/cron.d/*.

• Scripts controlled by /etc/anacrontab in /etc/cron.{hourly,daily,weekly,monthly}/.

Managing Temporary Files

• systemd-tmpfiles is used to manage temporary files and volatile storage.

• Called during boot from systemd-tmpfiles-setup.service.

• Called at regular intervals from systemd-tmpfiles-clean.timer.

• Configured from /usr/lib/tmpfiles.d/*.conf and /etc/tmpfiles.d/*.conf.

• Files in /etc/tmpfiles.d/ take precedence over similarly named files in /usr/lib/tmpfiles.d/.

CHAPTER 5

MANAGING PRIORITY OF LINUX PROCESSES

Overview

Goal        To influence the relative priorities at which Linux processes run.

Objectives  • Describe nice levels.
            • Set nice levels on new and existing processes.

Sections    • Process Priorities and "nice" Concepts (and Practice)
            • Using nice and renice to Influence Process Priority (and Practice)

Lab         Managing Priority of Linux Processes

Chapter 5. Managing Priority of Linux Processes

Process Priority and "nice" Concepts

Objectives

After completing this section, students should be able to describe nice levels and their effects.

Linux process scheduling and multitasking

Modern computer systems range from low-end processors that can only execute one single instruction at a time to high-performing supercomputers with hundreds of CPUs each and multiple cores on each CPU, performing hundreds of instructions in parallel. But all of these systems tend to have one thing in common: they always need to run more processes than they actually have cores.

The way Linux (and other operating systems) can actually run more processes (and threads) than there are actual processing units available is by employing a technique called time-slicing. The operating system process scheduler will rapidly switch between processes on a single core, giving a user the impression that there are more processes running at the same time.

The part of the Linux kernel that performs this switching is called the process scheduler.

Relative priorities

Since not every process is as important as another one, the scheduler can be told to use different scheduling policies for different processes. The scheduling policy used for most processes running on a regular system is called SCHED_OTHER (also called SCHED_NORMAL), but there are other policies available for different purposes.

Since not all processes are created equally, processes running with the SCHED_NORMAL policy can be given a relative priority. This priority is called the nice value of a process, and there are exactly 40 different levels of niceness a process can have.

These nice levels range from -20 to 19. By default, processes will inherit their nice level from their parent, which is usually 0. Higher nice levels indicate less priority (the process easily gives up its CPU usage for others), while lower nice levels indicate a higher priority (the process is less inclined to give up the CPU). If there is no contention for resources (for example, when there are fewer active processes than available CPU cores), even processes with a high nice level will still use all available CPU resources they can. But when there are more processes requesting CPU time than available cores, the processes with a higher nice level will receive less CPU time than those with a lower nice level.

Figure 5.1: Nice levels and how they are reported by top. The figure shows nice levels from -20 (higher priority) to 19 (lower priority) on one axis and the matching top PR values on the other: nice -20, -19, 0, 18, and 19 map to PR 0, 1, 20, 38, and 39, and real-time processes appear to the left of the nice range, shown as RT with PR values from -99 to -2.

Nice levels and permissions

Since setting a low nice level on a CPU-hungry process might negatively impact the performance of other processes running on the same system, only root (more detailed: users with the CAP_SYS_NICE capability) is allowed to set negative nice levels and lower the nice level on existing processes.

Regular, unprivileged users are only allowed to set positive nice levels. Furthermore, they are only allowed to raise the nice level on their existing processes, but cannot lower them.

Important

There are more ways to influence process priority and resource usage than just nice levels. There are alternate scheduler policies and settings, control groups (cgroups), and more. Nice levels are, however, the easiest to use, and can be used by regular users as well as system administrators.

References
nice(1) and sched_setscheduler(2) man pages

Practice: Process Priority and "nice" Concepts

Quiz
Match the following items to their description in the table.

-20 - +19 | High nice level | Negative nice level | Regular users | root

Description                                                              Item

These kinds of processes easily give up their CPU resources for others.

These kinds of processes attempt to keep CPU usage to themselves.

Cannot assign negative nice levels

Can renice processes belonging to other users

The complete range of nice levels

Solution
Match the following items to their description in the table.

Description                                                              Item

These kinds of processes easily give up their CPU resources for others.  High nice level

These kinds of processes attempt to keep CPU usage to themselves.        Negative nice level

Cannot assign negative nice levels                                       Regular users

Can renice processes belonging to other users                            root

The complete range of nice levels                                        -20 - +19

Using nice and renice to Influence Process Priority

Objectives

After completing this section, students should be able to:

• Launch processes with a nice level set.

• Modify the nice level on a running process.

• Report on nice levels for processes.

Reporting on nice levels

The nice levels for existing processes can be viewed in a number of different ways. Most process management tools (like gnome-system-monitor) already display the nice level by default, or can be configured to display the nice level.

Displaying nice levels with top

The top command can be used to interactively view (and manage) processes. In a default configuration, top will display two columns of interest to the nice level: NI with the actual nice level, and PR, which displays the nice level as mapped to a larger priority queue, with a nice level of -20 mapping to a priority of 0 and a nice level of +19 mapping to a priority of 39.

Displaying nice levels with ps

The ps command can also display nice levels for processes, although it does not do so in most of its default output formats. Users can request exactly the columns they want from ps, however, and the name for the nice field is nice.

The following example requests a list of all processes, with their pid, name, and nice level, sorted in descending order by nice level:

[student@desktopX ~]$ ps axo pid,comm,nice --sort=-nice
  PID COMMAND          NI
   74 khugepaged       19
  688 alsactl          19
 1953 tracker-miner-f  19
   73 ksmd              5
  714 rtkit-daemon      1

Important
Some processes might report a - as their nice level. These processes are being run with a different scheduling policy, and will almost certainly be considered a higher priority by the scheduler. It is possible to display the scheduler policy by requesting the cls field from ps. A TS in this field indicates the process is run under SCHED_NORMAL and can use nice levels; anything else means a different scheduler policy is being used.

-
88 R H134- R H E L 7-en-1-20140610

Launching processes with a different nice level

Whenever a process is started, it will normally inherit the nice level from its parent. This means that when a process is started from the command line, it will get the same nice level as the shell process that it was started from. In most cases, this will result in new processes running with a nice level of 0.

To start a process with a different nice level, both users and system administrators can run their commands using the nice tool. Without any other options, running nice <COMMAND> will start <COMMAND> with a nice level of 10. Other nice levels can be selected by using the -n <NICELEVEL> option to the nice command. For example, to start the command dogecoinminer with a nice level of 15 and send it to the background immediately, the following command can be used:

[student@desktopX ~]$ nice -n 15 dogecoinminer &

Important
Unprivileged users are only allowed to set a positive nice level (0 to 19). Only root can set a negative nice level (-20 to -1).

Changing the nice level of an existing process

The nice level of an existing process can be changed from the command line using the renice command. The syntax for the renice command is as follows:

renice -n <NICELEVEL> <PID>...

For example, to change the nice level of all origami@home processes to -7, a system administrator could use the following command (note that more than one PID can be specified at once):

[root@desktopX ~]# renice -n -7 $(pgrep origami@home)

Important
Regular users are only allowed to raise the nice level on their processes. Only root can use renice to lower the nice level.

The top command can also be used to (interactively) change the nice level on a process. From within top, press r, followed by the PID to be changed and the new nice level.
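The following Python program is an added example, not part of the course material, that ties the three ideas of this section together: the NI-to-PR mapping top uses, the "-" nice level that ps prints for processes outside SCHED_NORMAL, the nice/renice rules for root versus unprivileged users, and nice level inheritance when a child is started with an increment (the effect of nice -n N). The ps listing is constructed, not captured from a system; the migration/0 row is an added SCHED_FIFO example, and renice_allowed encodes only the policy the text states, not the kernel's RLIMIT_NICE handling.

```python
import os
import subprocess
import sys

# Constructed sample of `ps axo pid,comm,nice,cls` output (not captured from a real
# system). The last row is an added SCHED_FIFO process: ps prints its nice level as
# "-" and its class as FF, the case the Important note above describes.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND          NI CLS
   74 khugepaged       19  TS
  688 alsactl          19  TS
 1953 tracker-miner-f  19  TS
   73 ksmd              5  TS
  714 rtkit-daemon      1  TS
   12 migration/0       -  FF
"""


def nice_to_pr(nice):
    """Map a nice level onto the PR column top shows: -20 -> 0, 0 -> 20, +19 -> 39."""
    if not -20 <= nice <= 19:
        raise ValueError("nice level must be between -20 and 19")
    return nice + 20


def parse_ps(text):
    """Turn the ps listing into dicts. A "-" nice level is kept as None because the
    process runs under a policy other than SCHED_NORMAL (cls is not TS)."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        pid, comm, ni, cls = line.split()
        rows.append({
            "pid": int(pid),
            "comm": comm,
            "nice": None if ni == "-" else int(ni),
            "cls": cls,
            "uses_nice": cls == "TS",   # TS is SCHED_NORMAL, the only class nice applies to
        })
    return rows


def renice_allowed(current, requested, is_root):
    """The rule stated in the text: root may pick any level in -20..19; an unprivileged
    user may only move a process of their own to a level in 0..19 that is not lower
    than its current one."""
    if not -20 <= requested <= 19:
        return False
    if is_root:
        return True
    return requested >= 0 and requested >= current


def launch_with_nice(increment):
    """Start a child python with os.nice(increment) applied right after fork and return
    the nice level the child reports. This is what `nice -n N command` does."""
    result = subprocess.run(
        [sys.executable, "-c", "import os; print(os.nice(0))"],
        capture_output=True, text=True, check=True,
        preexec_fn=lambda: os.nice(increment),
    )
    return int(result.stdout.strip())


def expected_child_nice(increment):
    """A child inherits its parent's nice level, so the result is parent + increment,
    clamped by the kernel at +19."""
    return min(os.nice(0) + increment, 19)


if __name__ == "__main__":
    for row in parse_ps(SAMPLE_PS_OUTPUT):
        pr = nice_to_pr(row["nice"]) if row["uses_nice"] else "rt"
        print(f'{row["pid"]:>5} {row["comm"]:<16} NI={row["nice"]} PR={pr} CLS={row["cls"]}')
    print("child started with +10 reports nice", launch_with_nice(10))
    print("may a regular user renice 10 -> 5?", renice_allowed(10, 5, is_root=False))
```

Running it as a regular user whose shell is at nice 0 shows the child at nice 10, the same number the guided exercise below observes in its ps output, and the renice question answers False, which is the "Permission denied" the exercise runs into.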

References
nice(1), renice(1), and top(1) man pages

Practice: Discovering Process Priorities

Guided exercise
In this exercise, you will experience the influence that nice levels have on relative process priorities.

Outcomes:
An interactive tour of the effects of nice levels.

Before you begin...

None

□ 1. Log in as student to your desktopX system.

□ 2. Using the special file /proc/cpuinfo, determine the number of CPU cores in your desktopX system, then start two instances of the command sha1sum /dev/zero & for each core.

□ 2.1. To determine the number of cores using /proc/cpuinfo:

[student@desktopX ~]$ NCORES=$(grep -c '^processor' /proc/cpuinfo)

□ 2.2. Either manually or with a script, start two sha1sum /dev/zero & commands for every core in your system.

Note
The seq command prints a list of numbers.

[student@desktopX ~]$ for I in $(seq $((NCORES * 2)))
> do
> sha1sum /dev/zero &
> done

□ 3. Verify that you have all the background jobs running that you expected (two for every core in your system).

□ 3.1.
[student@desktopX ~]$ jobs
[1]-  Running                 sha1sum /dev/zero &
[2]+  Running                 sha1sum /dev/zero &

□ 4. Inspect the CPU usage (as a percentage) of all your sha1sum processes, using the ps and pgrep commands. What do you notice?


□ 4.1.
[student@desktopX ~]$ ps u $(pgrep sha1sum)

□ 4.2. The CPU percentage for all sha1sum processes is about equal.

□ 5. Use the killall command to terminate all your sha1sum processes.

□ 5.1.
[student@desktopX ~]$ killall sha1sum

□ 6. Start two sha1sum /dev/zero & commands for each of your cores, but give exactly one of them a nice level of 10.

□ 6.1.
[student@desktopX ~]$ for I in $(seq $((NCORES * 2 - 1)))
> do
> sha1sum /dev/zero &
> done
[student@desktopX ~]$ nice -n 10 sha1sum /dev/zero &

□ 7. Using the ps command, inspect the CPU usage of your sha1sum commands. Make sure you include the nice level in your output, as well as the PID and the CPU usage. What do you notice?

□ 7.1.
[student@desktopX ~]$ ps -o pid,pcpu,nice,comm $(pgrep sha1sum)

□ 7.2. The instance of sha1sum with the nice level of 10 gets significantly less CPU than the other instance(s).

□ 8. Use the renice command to set the nice level of the sha1sum with a nice level of 10 down to 5. The PID should still be visible in the output of the previous step.

Did this work? Why not?

□ 8.1.
[student@desktopX ~]$ renice -n 5 <PID>
renice: failed to set priority for <PID> (process ID): Permission denied

□ 8.2. Unprivileged users are not allowed to set negative nice values or lower the nice value on an existing process.

□ 9. Using the sudo and renice commands, set the nice level for the process you identified in the previous step to -10.

□ 9.1.
[student@desktopX ~]$ sudo renice -n -10 <PID>

□ 10. Start the top command as root, then use top to lower the nice level for the sha1sum process using the most CPU back down to 0. What do you observe afterwards?

□ 10.1.
[student@desktopX ~]$ sudo top

□ 10.2. Identify the sha1sum process using the most CPU. It will be near the top of the screen.

□ 10.3. Press r to enter renice mode, then enter the PID you identified, or press Enter if the offered default PID is the one you want.

□ 10.4. Enter 0, then press Enter.

□ 10.5. All sha1sum commands are again using an (almost) equal amount of CPU.

□ 11. Important: Clean up by exiting top and killing all your sha1sum processes.

□ 11.1. Press q to exit top.

□ 11.2.
[student@desktopX ~]$ killall sha1sum

Lab: Managing Priority of Linux Processes

Performance checklist
In this lab, you will search for processes with high CPU consumption and adjust their nice levels.

Resources
Files: /usr/local/bin/lab nice

Machines: desktopX

Outcomes:
The nice level of the top CPU consumers adjusted to play well with others.

Before you begin...

• Reset your desktopX system.

• Log into and set up your desktopX system.

[student@desktopX ~]$ lab nice setup

1. Using either top or ps, identify the two top CPU consumers on your desktopX system. If gnome-shell is among the top two, ignore it and take the next highest process. Make sure to note the process IDs of these two processes.

2. From the command line, set the nice level of the processes you found in the previous step to 10.

3. Grade your work by running the following command:

[student@desktopX ~]$ lab nice grade

4. Important cleanup: When you have successfully graded your work, clean up by running the following command:

[student@desktopX ~]$ lab nice clean

Solution
In this lab, you will search for processes with high CPU consumption and adjust their nice levels.

Resources

Files: /usr/local/bin/lab nice

Machines: desktopX

Outcomes:
The nice level of the top CPU consumers adjusted to play well with others.

Before you begin...

Reset your desktopX system.

Log into and set up your desktopX system.

[student@desktopX ~]$ lab nice setup

1. Using either top or ps, identify the two top CPU consumers on your desktopX system. If gnome-shell is among the top two, ignore it and take the next highest process. Make sure to note the process IDs of these two processes.

1.1. Either run top and note the two top processes, or run the following:

[student@desktopX ~]$ ps aux --sort=pcpu

When using the ps version, the top CPU consumers will be on the bottom, with their PID listed in the second column.

2. From the command line, set the nice level of the processes you found in the previous step to 10.

2.1.
[student@desktopX ~]$ sudo renice -n 10 <PROCESSPID1> <PROCESSPID2>

Make sure to replace <PROCESSPID1> and <PROCESSPID2> with the process IDs you identified in the previous step.

3. Grade your work by running the following command:

[student@desktopX ~]$ lab nice grade

4. Important cleanup: When you have successfully graded your work, clean up by running the following command:

[student@desktopX ~]$ lab nice clean

Summary

Process Priority and "nice" Concepts

• All processes on a Linux system have a relative priority.

• The niceness of a process influences its priority.

Using nice and renice to Influence Process Priority

• nice is used to set the nice level for new processes.

• renice and top can be used to modify the nice level on an existing process.

• Both ps and top can be used to report on nice levels.

CHAPTER 6

CONTROLLING ACCESS TO FILES WITH ACCESS CONTROL LISTS (ACLS)

Overview

Goal          To manage file security using POSIX access control lists (ACLs).

Objectives    • Describe POSIX access control lists.

              • Manage POSIX access control lists.

Sections      • POSIX Access Control Lists (ACLs) (and Practice)

              • Securing Files with ACLs (and Practice)

Lab           • Controlling Access to Files with Access Control Lists (ACLs)

Chapter 6. Controlling Access to Files with Access Control Lists (ACLs)

POSIX Access Control Lists (ACLs)

Objectives
After completing this section, students should be able to:

• Describe ACLs and file system mount options.

• View and interpret ACLs with ls and getfacl, describe the ACL mask and ACL permission precedence.

Access control list concepts

Standard Linux file permissions are satisfactory for most situations, but they have limitations. Permissions restricting access to a file are limited to the file owner, membership of a single group, or everyone else. It may not be appropriate for the process (a running program) to be a member of the file's owning group, and even less desirable to grant permission to everyone.

ACLs allow fine-grained permissions to be allocated to a file. Named users or named groups, as well as users and groups identified by a UID or GID, can be granted permissions, in addition to the standard file owner, group-owner, and other file permissions. The same permission flags apply: r - read, w - write, and x - execute (on files, search for directories).

The file owner can set ACLs on individual files or directories. New files and subdirectories can automatically inherit ACL settings from the parent directory default ACLs, if they are set. Similar to normal file access rules, the parent directory hierarchy will need at least the other execute permission set to enable named users and named groups to have access.

File system mount option

The file system needs to be mounted with ACL support enabled. XFS file systems have built-in ACL support. Ext4 file systems created on Red Hat Enterprise Linux 7 have the acl option enabled by default, but ext4 file systems created in earlier versions of Red Hat Enterprise Linux may need the acl option included with the mount request, or set in the superblock.

Viewing and interpreting ACL permissions

The ls -l command only outputs minimal ACL setting details:

[student@serverX steamies]$ ls -l roster.txt
-rwxrw----+ 1 student controller 130 Mar 19 23:56 roster.txt

The "+" at the end of the 10-character permission string indicates that there are ACL settings associated with this file. Interpret the user, group, and other "rwx" flags as:

• user: Shows the user ACL settings, which are the same as the standard user file settings; rwx.

• group: Shows the current ACL mask settings, not the group-owner settings; rw-.

• other: Shows the other ACL settings, which are the same as the standard other file settings; no access.

Important
Changing group permissions on a file with an ACL by using chmod does not change the group-owner permissions, but does change the ACL mask. Use setfacl -m g::perms file if the intent is to update the file's group-owner permissions.

View file ACLs

To display ACL settings on a file, use getfacl file:

[student@serverX steamies]$ getfacl roster.txt
# file: roster.txt
# owner: student
# group: controller
user::rwx
user:james:---
user:1005:rwx                   #effective:rw-
group::rwx                      #effective:rw-
group:sodor:r--
group:2210:rwx                  #effective:rw-
mask::rw-
other::---

Take a look at each section of the previous example:

Opening comment entries:

# file: roster.txt
# owner: student
# group: controller

The first three lines are comments that identify the file name, owner (student), and group-owner (controller). If there are any additional file flags, for example setuid or setgid, then a fourth comment line will appear showing which flags are set.

User entries:

user::rwx                       ①
user:james:---                  ②
user:1005:rwx   #effective:rw-  ③

① File owner permissions. student has rwx.
② Named user permissions. One entry for each named user associated with this file. james has NO permissions.
③ Named user permissions. UID 1005 has rwx, but the mask limits the effective permissions to rw only.

Group entries:

group::rwx      #effective:rw-  ①
group:sodor:r--                 ②
group:2210:rwx  #effective:rw-  ③

① Group-owner permissions. controller has rwx, but the mask limits the effective permissions to rw only.
② Named group permissions. One entry for each named group associated with this file. sodor has r only.
③ Named group permissions. GID 2210 has rwx, but the mask limits the effective permissions to rw only.

Mask entry:

mask::rw-

Mask settings show the maximum permissions possible for all named users, the group-owner and named groups. UID 1005, controller, and GID 2210 cannot execute this file, even though each entry has the execute permission set.

Other entry:

other::---

Other or "world" permissions. All other UIDs and GIDs have NO permissions.

View directory ACLs

To display ACL settings on a directory, use getfacl /directory:

[student@serverX steamies]$ getfacl .
# file: .
# owner: student
# group: controller
# flags: -s-
user::rwx
user:james:---
user:1005:rwx
group::rwx
group:sodor:r-x
group:2210:rwx
mask::rwx
other::---
default:user::rwx
default:user:james:---
default:group::rwx
default:group:sodor:r-x
default:mask::rwx
default:other::---

Take a look at each section of the previous example:

Opening comment entries:

# file: .
# owner: student
# group: controller
# flags: -s-

The first three lines are comments that identify the directory name, owner (student), and group-owner (controller). If there are any additional directory flags (setuid, setgid, sticky), then a fourth comment line will appear showing the set flags, in this case setgid.

Standard ACL entries:

user::rwx
user:james:---
user:1005:rwx
group::rwx
group:sodor:r-x
group:2210:rwx
mask::rwx
other::---

The ACL permissions on this directory are the same as the file example earlier, but apply to the directory. The key difference is the inclusion of the execute permission on these entries (when appropriate) to allow directory search permission.

Default user entries:

default:user::rwx           ①
default:user:james:---      ②

① Default file owner ACL permissions. The file owner will get rwx, read/write on new files and execute on new subdirectories.
② Default named user ACL permissions. One entry for each named user who will automatically get default ACLs applied to new files or subdirectories. james will always default to NO permissions.

Default group entries:

default:group::rwx          ①
default:group:sodor:r-x     ②

① Default group-owner ACL permissions. The file group-owner will get rwx, read/write on new files and execute on new subdirectories.
② Default named group ACL permissions. One entry for each named group which will automatically get default ACLs. sodor will get rx, read-only on new files, and execute on new subdirectories.

Default ACL mask entry:

default:mask::rwx

Default mask settings show the initial maximum permissions possible for all new files or directories created that have named user ACLs, the group-owner ACL, or named group ACLs: read and write for new files and execute permission on new subdirectories; new files never get execute permission.

Default other entry:

default:other::---

Default other or "world" permissions. All other UIDs and GIDs have NO permissions to new files or new subdirectories.

The default entries in the previous example do not include the named user (UID 1005) and named group (GID 2210); consequently, they will not automatically get initial ACL entries added for them to any new files or new subdirectories. This effectively limits them to files and subdirectories that they already have ACLs on, or if the relevant file owner adds the ACL later using setfacl. They can still create their own files and subdirectories.

Note
The output from getfacl can be used as input to setfacl. Use getfacl -R /directory to generate output for the directory and its content. This output can be saved and used for recovery by passing the output to setfacl --set-file=file to do a mass update.

The ACL mask
The ACL mask defines the maximum permissions that can be granted to named users, the group-owner, and named groups. It does not restrict the permissions of the file owner or other users. All files and directories that implement ACLs will have an ACL mask.

The mask can be viewed with getfacl and explicitly set with setfacl. It will be calculated and added automatically if it is not explicitly set, but it could also be inherited from a parent directory default mask setting. By default, the mask is recalculated whenever any of the affected ACLs is added, modified, or deleted.

ACL permission precedence

When determining whether a process (a running program) can access a file, file permissions and ACLs are applied as follows:

• If the process is running as the user that owns the file, then the file's user ACL permissions apply.

• If the process is running as a user that is listed in a named user ACL entry, then the named user ACL permissions apply (as long as it is permitted by the mask).

• If the process is running as a group that matches the group-owner of the file, or as a group with an explicit named group ACL entry, then the matching ACL permissions apply (as long as it is permitted by the mask).

• Otherwise, the file's other ACL permissions apply.
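The following Python program is an added example, not part of the course material, that turns the getfacl output for roster.txt shown earlier into data and then applies the mask and the precedence rules just listed. It shows two things the listing alone does not: how the #effective annotation is derived (entry permissions intersected with the mask, owner and other excluded) and why a named user entry such as user:james:--- denies james read access even though he might belong to the controller group that has rw-. The getfacl text is embedded as a constructed copy so the program runs offline; user and group identifiers are compared as strings exactly as they appear in the ACL (so UID 1005 is "1005").

```python
# Constructed copy of the getfacl output for roster.txt shown above (owner student,
# group-owner controller), embedded so the evaluator runs without the real file.
SAMPLE_GETFACL = """\
# file: roster.txt
# owner: student
# group: controller
user::rwx
user:james:---
user:1005:rwx                   #effective:rw-
group::rwx                      #effective:rw-
group:sodor:r--
group:2210:rwx                  #effective:rw-
mask::rw-
other::---
"""


def perm_set(field):
    """'rw-' -> {'r', 'w'}; dashes are simply absent permissions."""
    return {c for c in field if c in "rwx"}


def parse_getfacl(text):
    """Parse the getfacl listing into the entries the precedence rules work on."""
    acl = {"owner": None, "group": None, "user_owner": set(), "named_users": {},
           "group_owner": set(), "named_groups": {}, "mask": None, "other": set()}
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()   # getfacl's annotation, not an entry
        if not line:
            continue
        if line.startswith("#"):                       # "# owner: student" style comments
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl["owner"] = value.strip()
            elif key.strip() == "group":
                acl["group"] = value.strip()
            continue
        tag, qualifier, perms = line.split(":")
        perms = perm_set(perms)
        if tag == "user":
            if qualifier: acl["named_users"][qualifier] = perms
            else: acl["user_owner"] = perms
        elif tag == "group":
            if qualifier: acl["named_groups"][qualifier] = perms
            else: acl["group_owner"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def effective_entries(acl):
    """What getfacl prints as #effective: every named user, the group-owner and every
    named group are limited by the mask; the owner and other entries are not."""
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    eff = {"user:" + u: p & mask for u, p in acl["named_users"].items()}
    eff["group::"] = acl["group_owner"] & mask
    eff.update({"group:" + g: p & mask for g, p in acl["named_groups"].items()})
    return eff


def can_access(acl, user, groups, requested):
    """Apply the precedence rules from the text. `user` and `groups` are the names or
    numeric IDs exactly as they appear in the ACL; `requested` is e.g. "rw"."""
    want = set(requested)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:                       # 1. file owner: user ACL, unmasked
        return want <= acl["user_owner"]
    if user in acl["named_users"]:                 # 2. named user entry, masked
        return want <= (acl["named_users"][user] & mask)
    matching = []                                  # 3. group-owner and named groups, masked
    for g in groups:
        if g == acl["group"]:
            matching.append(acl["group_owner"] & mask)
        if g in acl["named_groups"]:
            matching.append(acl["named_groups"][g] & mask)
    if matching:                                   # any one matching group entry may grant
        return any(want <= entry for entry in matching)
    return want <= acl["other"]                    # 4. other


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for entry, perms in effective_entries(acl).items():
        print(f"{entry:<14} effective: {''.join(sorted(perms)) or '---'}")
    print("james (in controller) read?", can_access(acl, "james", ["controller"], "r"))
    print("UID 1005 execute?", can_access(acl, "1005", [], "x"))
```

Note that once a named user entry matches, evaluation stops there: a deny in that entry is final and the group entries are never consulted. Likewise, when at least one group entry matches but none grants the requested permissions, the other entry is not consulted either. Both follow from the ordering of the rules above.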

References
acl(5), getfacl(1), ls(1) man pages

Practice: Interpret ACLs

Quiz

Match the following items to their counterparts in the table.

default:m::rx /directory      default:user:mary:rx /directory      g::rw /directory

g::rw file      getfacl /directory      group:hug:rwx /directory      user::rx file

user:mary:rx file

Description                                                                              ACL operation

Display ACLs on a directory.

Named user with read, execute permissions for a file.

File owner with read, execute permissions for a file.

Read, write permissions for a directory granted to the directory group-owner.

Read, write permissions for a file granted to the file group-owner.

Read, write, execute permissions for a directory granted to a named group.

Read, execute permissions set as the default mask.

Named user granted initial read permission for new files and read, execute permission for new subdirectories.

Solution

Match the following items to their counterparts in the table.

Description                                                                              ACL operation

Display ACLs on a directory.                                                             getfacl /directory

Named user with read, execute permissions for a file.                                    user:mary:rx file

File owner with read, execute permissions for a file.                                    user::rx file

Read, write permissions for a directory granted to the directory group-owner.            g::rw /directory

Read, write permissions for a file granted to the file group-owner.                      g::rw file

Read, write, execute permissions for a directory granted to a named group.               group:hug:rwx /directory

Read, execute permissions set as the default mask.                                       default:m::rx /directory

Named user granted initial read permission for new files and read, execute permission    default:user:mary:rx /directory
for new subdirectories.

Securing Files with ACLs

Objectives -

After com p l e t i n g t h i s sect i o n , stu d e nts s h o u l d b e a b l e to:

• C h a n g e reg u l a r AC L f i l e p e r m i s s i o n s u s i n g set facl. -

• Contro l defa u lt A C L file p e r m i s s i o n s for new f i l es and d i rectories.


-

Changing ACL file permissions


U s e set facl to a d d , m o d i fy, or rem ove sta n d a rd A C L s on f i l e s a n d d i rectories.
-

A C L s u s e the n o r m a l file system representation of p e r m i s s i o n s , " r " for read p e r m i s s i o n , " w "
for w rite p e r m i s s i o n , a n d " x " for execute p e r m i s s i o n . A " - " (d a s h ) i n d icates t h a t t h e re l eva n t
p e r m i s s i o n is a bsent. W h e n (recursive l y) sett i n g A C L s , a n u p p e rcase " X " c a n b e used to i n d icate
that execute p e r m i s s i o n s h o u l d o n l y be set on d i recto r i es and n ot reg u l a r f i l es , u n less the f i l e
a l ready h a s t h e re leva n t execute p e r m i s s i o n . T h i s i s t h e s a m e behavior as chmod.
-

Adding o r modifying a n ACL


A C L s ca n be set via t h e c o m m a n d l i n e u s i n g - m, or passed in v i a a f i l e u s i n g - M (use 1 1 - 1 1 (dash)
i n stead of a f i l e n a m e for stdin). These two opt i o n s a re t h e " m od ify" options; t hey a d d new A C L
e n t ries o r re p l ace specific e x i s t i n g A C L e n t ries o n a f i l e or d i recto ry. Any ot h e r exist i n g A C L
e n t ries o n t h e f i l e or d i rectory re m a i n u nt o u c h e d .
-

N ote
-

Use t h e - - se t or - - se t - file options to co m p l ete l y re p l ace t h e A C L sett i n g s o n a


file.
-

W h e n fi rst defi n i n g a n A C L o n a f i l e, if t h e add o p e rat i o n does n ot i n c l u d e sett i n g s for t h e file


owner, group-owner, o r other p e r m i s s i o n s , t h e n t h ey w i l l b e set based o n t h e c u rrent sta n d a rd -

f i l e p e r m i s s i o n s (t hese a re a l s o k n o w n as t h e base A C L s a n d ca n not be d e l eted), a n d a new mask


va l u e w i l l be ca l c u lated a n d a d d e d as we l l .
To add or modify a user or named user ACL:

[student@serverX ~]$ setfacl -m u:name:rX file

If name is left blank, then it applies to the file owner; otherwise name can be a user name or UID value. In this example, the permissions granted would be read-only and, if already set, execute (unless file was a directory, in which case the directory would get the execute permission set to allow directory search).

ACL file owner and standard file owner permissions are equivalent; consequently, using chmod on the file owner permissions is equivalent to using setfacl on the file owner permissions. chmod has no effect on named users.

106 RH134-RHEL7-en-1-20140610

Changing ACL file permissions

To add or modify a group or named group ACL:

[student@serverX ~]$ setfacl -m g:name:rw file

This follows the same pattern for adding or modifying a user ACL. If name is left blank, then it applies to the group-owner. Otherwise, specify a group name or GID value for a named group. The permissions would be read and write in this example.

chmod has no effect on any group permissions for files with ACL settings, but it updates the ACL mask.

To add or modify the other ACL:

[student@serverX ~]$ setfacl -m o::- file

other only accepts permission settings. It is common for the permission to be set to "-" (dash), which specifies that other users have NO permissions, but any of the standard permissions can be specified.

ACL other and standard other permissions are equivalent, so using chmod on the other permissions is equivalent to using setfacl on the other permissions.

Add multiple entries via the same command, and comma-separate each of the entries:

[student@serverX ~]$ setfacl -m u::rwx,g:sodor:rX,o::- file

This will set the file owner to read, write, and execute; set the named group sodor to read-only and conditional execute; and restrict all other users to NO permissions. The group-owner will maintain their existing file or ACL permissions and other "named" entries will remain unchanged.
Using getfacl as input

The output from getfacl can be used as input to setfacl:

[student@serverX ~]$ getfacl file-A | setfacl --set-file=- file-B

--set-file accepts input from a file or stdin, and the "-" (dash) specifies the use of stdin. In this case, file-B will have the same ACL settings as file-A.
Setting an explicit ACL mask

An ACL mask can be explicitly set on a file or directory to limit the maximum effective permissions for named users, the group-owner, and named groups. This restricts any existing permissions that exceed the mask, but does nothing to permissions that are less permissive than the mask.

[student@serverX ~]$ setfacl -m m::r file

This would add a mask value that restricted any named users, the group-owner, and any named groups to read-only permission, regardless of their existing settings. The file owner and other users are not impacted by the mask setting.

getfacl will show an "effective" comment beside entries that are being restricted by a mask setting.

Chapter 6. Controlling Access to Files with Access Control Lists (ACLs)

Important
By default, the ACL mask is recalculated each time one of the impacted ACL settings (named users, group-owner, or named groups) is modified or deleted, potentially resetting a previous explicit mask setting.

To avoid the mask recalculation, use -n or include a mask setting (-m m::perms) with any setfacl operation that modifies mask-affected ACL settings.
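
The uppercase X rule, the automatic mask calculation, and the recalculation warning above are easy to get wrong in practice, so the following model, added here and not taken from the course or the acl package, re-implements those setfacl -m rules in Python over a constructed starting point: a directory with mode 0755 (and a regular file with mode 0644) carrying only the base entries. The group name sodor and user thomas come from the chapter's own examples; setfacl_modify, resolve_x and effective_rows are this example's own names, and the model simplifies setfacl by always recalculating the mask once any named entry exists, unless -n (recalc_mask=False) or an explicit m:: entry is given.

```python
# Added example (not from the course or the acl package): a small model of
# what `setfacl -m` does to an access ACL, following setfacl(1) and acl(5).
# Simplification: the mask is always recalculated once any named entry
# exists, unless -n (recalc_mask=False) or an explicit m:: entry is given.

R, W, X = 4, 2, 1
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}


def bits(perms):
    """'rwx' / 'r--' / '-' -> integer permission set; a bare 'X' counts as 0 here."""
    return (R if "r" in perms else 0) | (W if "w" in perms else 0) | (X if "x" in perms else 0)


def text(p):
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


def resolve_x(perms, is_dir, mode):
    """Capital X grants execute only on a directory or on a file whose mode
    already has an execute bit; otherwise it is ignored (same rule as chmod)."""
    p = bits(perms)
    if "X" in perms and (is_dir or mode & 0o111):
        p |= X
    return p


def masked_entries(acl):
    """The entries the mask governs: group owner, named users, named groups."""
    return {k: p for k, p in acl.items()
            if k == ("group", "") or (k[0] in ("user", "group") and k[1])}


def setfacl_modify(acl, spec, is_dir=False, mode=0o644, recalc_mask=True):
    """Apply a comma-separated -m spec such as 'u::rwx,g:sodor:rX,o::-' to
    acl, a dict keyed (tag, qualifier) -> bits, and return the new ACL.
    recalc_mask=False models the -n option."""
    new, explicit_mask = dict(acl), False
    for entry in spec.split(","):
        tag, qualifier, perms = entry.split(":")
        new[(TAGS[tag], qualifier)] = resolve_x(perms, is_dir, mode)
        explicit_mask |= tag == "m"
    has_named = any(q for (t, q) in new if t in ("user", "group"))
    if recalc_mask and not explicit_mask and (has_named or ("mask", "") in new):
        union = 0
        for p in masked_entries(new).values():
            union |= p
        new[("mask", "")] = union
    return new


def effective_rows(acl):
    """Entries getfacl would print with '#effective:' because the mask
    strips some of their permissions, e.g. {'group:sodor': 'r--'}."""
    mask = acl.get(("mask", ""))
    if mask is None:
        return {}
    return {f"{t}:{q}": text(p & mask)
            for (t, q), p in masked_entries(acl).items() if p & mask != p}


def walkthrough():
    """Constructed scenario: a 0755 directory and a 0644 file with base ACLs only."""
    base_dir = {("user", ""): bits("rwx"), ("group", ""): bits("r-x"), ("other", ""): bits("r-x")}
    base_file = {("user", ""): bits("rw-"), ("group", ""): bits("r--"), ("other", ""): bits("r--")}
    step1 = setfacl_modify(base_dir, "g:sodor:rwX,o::-", is_dir=True, mode=0o755)
    on_file = setfacl_modify(base_file, "g:sodor:rwX", mode=0o644)  # X stays off
    step2 = setfacl_modify(step1, "m::r", is_dir=True, mode=0o755)  # explicit mask
    step3 = setfacl_modify(step2, "u:thomas:rw", is_dir=True, mode=0o755)  # mask recalculated
    step3n = setfacl_modify(step2, "u:thomas:rw", is_dir=True, mode=0o755, recalc_mask=False)
    return {
        "dir_sodor": text(step1[("group", "sodor")]),
        "dir_mask": text(step1[("mask", "")]),
        "file_sodor": text(on_file[("group", "sodor")]),
        "explicit_mask": text(step2[("mask", "")]),
        "explicit_effective": effective_rows(step2),
        "mask_after_modify": text(step3[("mask", "")]),
        "mask_with_n": text(step3n[("mask", "")]),
        "thomas_effective_with_n": effective_rows(step3n).get("user:thomas"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running walkthrough() shows the three behaviours side by side: rwX yields rwx for sodor on the directory but only rw- on the 0644 file; m::r caps the group owner and sodor to r-- (the rows getfacl would flag as effective); and the later u:thomas:rw modification silently widens the mask back to rwx unless -n is used, in which case thomas is capped to r-- as well.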

Recursive ACL modifications
When setting an ACL on a directory, it is common to want to apply the ACL recursively to the directory structure and files. Use the -R option to do this. The "X" (capital X) permission is often used with recursion, so that files with the execute permission set retain the setting and directories get the execute permission set to allow directory search. It is considered good practice to also use the uppercase X when non-recursively setting ACLs, as it prevents an administrator from accidentally adding execute permissions to a regular file.

[student@serverX ~]$ setfacl -R -m u:name:rX directory

This would add the user name to the directory and all existing files and subdirectories, granting read-only and conditional execute.

Deleting an ACL
Deleting specific ACL entries follows the same basic format as the modify operation, except the ":perms" should not be specified.

[student@serverX ~]$ setfacl -x u:name,g:name file

This would only remove the named user and the named group from the list of file or directory ACLs. Any other existing ACLs remain active.

It is possible to use the delete (-x) and modify (-m) operations in the same setfacl operation.

The mask can only be deleted if there are no other ACLs set (excluding the base ACLs which cannot be deleted), so it must be deleted last. The file will no longer have ACLs and ls -l will not show the "+" symbol next to the permissions string. Alternatively, to delete ALL ACLs on a file or directory (including default ACLs on directories), use:

[student@serverX ~]$ setfacl -b file

Controlling default ACL file permissions

A directory can have default ACLs set on it that are automatically inherited by all new files and new subdirectories. There can be default ACL permissions set for each of the standard ACL settings, including a default mask.

A directory still requires standard ACLs for access control because default ACLs do not implement access control for the directory; they only provide ACL permission inheritance support.

An example:

[student@serverX ~]$ setfacl -m d:u:name:rx directory

This adds a default named user (d:u:name) with read-only permission and execute permission on subdirectories.

The setfacl command for adding a default ACL for each of the ACL types is exactly the same as for standard ACLs, but prefaced with d:. Alternatively, use the -d option on the command line.

Important
When setting default ACLs on a directory, ensure that users will be able to access the contents of new subdirectories created in it by including the execute permission on the default ACL.

Users will not automatically get the execute permission set on newly created regular files because, unlike new directories, the ACL mask of a new regular file is rw-.

Note
New files and new subdirectories continue to get their owner UID and primary group GID values set from the creating user, except when the parent directory setgid flag is enabled, in which case the primary group GID will be the same as the parent directory GID.

Deleting default ACLs

Deleting a default ACL is also the same as deleting a standard ACL; again, preface with d:, or use the -d option.

[student@serverX ~]$ setfacl -x d:u:name directory

This removes the default ACL that was added in the previous example.

To delete all default ACLs on a directory, use setfacl -k /directory. To delete ALL ACLs on a directory, use setfacl -b /directory.

References
acl(5), setfacl(1) man pages

Practice: Using ACLs to Grant and Limit Access

Guided exercise

In this lab, you will add a named group access control list (ACL) and a named user ACL to an existing share folder and its content. You will set up default ACLs to ensure future files and directories get the correct permissions.
Resources:
Files: /shares/steamies/*, /shares/steamies/display_engines.sh
Machines: serverX

Outcomes:
• Members of the sodor group will have the same access permissions as the controller group on the steamies directory, except james, who has no access.

• Existing files and directories will be updated to reflect the new sodor and james ACL permissions.

• New files and directories will automatically get the correct ACL and file permissions.

Before you begin...

• Reset your serverX system.

• Log into and set up your server system.

[student@serverX ~]$ lab acl setup

• Open a terminal.

• Switch to root using sudo -i.

Student is a controller for the Sodor Island Rail network. There is a properly configured share directory located at /shares/steamies that hosts files detailing rostering, steam engines, etc. Currently, only members of the controller group have access to this directory, but it has been decided that members of the sodor group would benefit from full access to this directory. James, a member of the sodor group, has caused chaos and confusion on many occasions, so he is to be denied access to the directory, at least until he shows that he is a really useful engine.

Your task is to add appropriate ACLs to the directory and its contents, so that members of the sodor group have full access, but deny user james any access. Make sure that future files and directories stored in /shares/steamies get appropriate ACLs applied.

Important information:

• controller group: student

• sodor group: thomas, james

• There is a subdirectory called engines and numerous files to test the ACLs. Also, there is an executable script you can test.

• Thomas and James have their passwords set to redhat.

• All changes should occur to directory steamies and its files; do not adjust the shares directory.

1. Add the named ACLs to the steamies directory and all of its content.

1.1. Use setfacl to recursively update the steamies directory, granting the sodor group read, write, and conditional execute permissions.

[root@serverX ~]# setfacl -Rm g:sodor:rwX /shares/steamies

-R recursive, -m modify/add, :rwX read/write/execute (but only on directories and existing executables)

1.2. Use setfacl to recursively update the steamies directory, denying the user james from the sodor group any access.

[root@serverX ~]# setfacl -Rm u:james:- /shares/steamies

-R recursive, -m modify/add, :- no permissions

2. Add the named ACLs as default ACLs to support future file and directory additions.

2.1. Use setfacl to add a default access rule for the sodor group. Grant read, write, and execute permissions on the steamies directory.

[root@serverX ~]# setfacl -m d:g:sodor:rwx /shares/steamies

-m modify/add, d:g default group, :rwx read/write/execute (needed for proper subdirectory creation and access)

2.2. Use setfacl to add a default access rule for the user james. Deny all access to the steamies directory.

[root@serverX ~]# setfacl -m d:u:james:- /shares/steamies

-m modify/add, d:u default user, :- no permissions

3. Verify your ACL changes.

Thomas should be able to read any file, create a new directory with a new file in it, and execute the display_engines.sh script.

James should not be able to read, write, or execute any file; this includes being unable to list the directory contents.

Use sudo -i -u user to switch to your test users. Use exit or Ctrl+D to leave the test user shell.

[root@serverX ~]# exit
[student@serverX ~]$ sudo -i -u thomas
[thomas@serverX ~]$ cd /shares/steamies/

3.1. Use cat to check that Thomas can read a file.

[thomas@serverX steamies]$ cat roster.txt
James - Shunting at Brendam docks
Percy - Overnight mail run
Henry - Flying Kipper run
Thomas - Annie and Clarabel, Knapford line
-

3.2. Use display_engines.sh to check that Thomas can execute a script.

[thomas@serverX steamies]$ ./display_engines.sh
They're two, they're four, they're six, they're eight
Edward wants to help and share
Toby, well let's say, he's square

3.3. Use mkdir to create a directory as Thomas. Use echo to create a file in the new directory as Thomas. Switch back to student when you are finished.

[thomas@serverX steamies]$ mkdir tidmouth
[thomas@serverX steamies]$ echo "toot toot" > tidmouth/whistle.txt
[thomas@serverX steamies]$ exit

3.4. Use cd to try and change into the directory as James, and also try ls to list the directory. Both commands should fail with Permission denied.

You could try one or more of the commands Thomas issued, but as James, to further verify his lack of access. Try prefixing each file with the full path, /shares/steamies, because you cannot cd into the directory.

Switch back to student when you are finished testing james.

[student@serverX ~]$ sudo -i -u james
[james@serverX ~]$ cd /shares/steamies/
-bash: cd: /shares/steamies/: Permission denied
[james@serverX ~]$ ls /shares/steamies/
ls: cannot open directory /shares/steamies/: Permission denied
[james@serverX ~]$ cat /shares/steamies/roster.txt
cat: /shares/steamies/roster.txt: Permission denied
[james@serverX ~]$ exit
-

3.5. Use getfacl to see all the ACLs on /shares/steamies and the ACLs on /shares/steamies/tidmouth.

Note
Use newgrp controller to switch student to the controller group.

The lab acl setup script adds controller as a supplementary group to student; however, unless you have restarted the shell prior to this step, then the current shell does not yet recognize the new membership and getfacl on tidmouth will get Permission denied.

[student@serverX ~]$ newgrp controller
[student@serverX ~]$ getfacl /shares/steamies
getfacl: Removing leading '/' from absolute path names
# file: shares/steamies/
# owner: root
# group: controller
# flags: -s-
user::rwx
user:james:---
group::rwx
group:sodor:rwx
mask::rwx
other::---
default:user::rwx
default:user:james:---
default:group::rwx
default:group:sodor:rwx
default:mask::rwx
default:other::---

[student@serverX ~]$ getfacl /shares/steamies/tidmouth
getfacl: Removing leading '/' from absolute path names
# file: shares/steamies/tidmouth
# owner: thomas
# group: controller
# flags: -s-
user::rwx
user:james:---
group::rwx
group:sodor:rwx
mask::rwx
other::---
default:user::rwx
default:user:james:---
default:group::rwx
default:group:sodor:rwx
default:mask::rwx
default:other::---
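
To see why these entries let thomas in and keep james out even though james is a member of sodor, and why a regular file created under a default ACL ends up with an rw- mask while a subdirectory keeps rwx (the point made in the Important note of the "Controlling default ACL file permissions" section), here is an added example, not code from the course or the acl package, that parses the getfacl output shown above and applies the evaluation and inheritance rules documented in acl(5) in Python. The group memberships are the ones listed in the exercise; parse_getfacl, check_access and inherit are this example's own function names, and the creation modes 0777 (mkdir) and 0666 (shell redirection) are the standard ones those commands request.

```python
# Added example (not from the course or the acl package): how the kernel
# evaluates a POSIX ACL and how a directory's default ACL is inherited,
# following the rules in acl(5), run against the getfacl output that the
# guided exercise prints for /shares/steamies.

# getfacl output exactly as shown in the exercise for /shares/steamies.
GETFACL_STEAMIES = """\
# file: shares/steamies/
# owner: root
# group: controller
# flags: -s-
user::rwx
user:james:---
group::rwx
group:sodor:rwx
mask::rwx
other::---
default:user::rwx
default:user:james:---
default:group::rwx
default:group:sodor:rwx
default:mask::rwx
default:other::---
"""

# Group memberships from the exercise's "Important information" list.
GROUPS = {"controller": {"student"}, "sodor": {"thomas", "james"}}

R, W, X = 4, 2, 1


def bits(perms):
    return (R if "r" in perms else 0) | (W if "w" in perms else 0) | (X if "x" in perms else 0)


def text(p):
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


def parse_getfacl(output):
    """Return (owner, group, access_acl, default_acl); each ACL is a dict keyed
    (tag, qualifier), e.g. ('user', 'james') or ('mask', ''), valued in bits.
    A trailing '#effective:...' comment on an entry line is ignored."""
    owner = group = None
    access, default = {}, {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            line = line.split("#", 1)[0].strip()
            target = access
            if line.startswith("default:"):
                target, line = default, line[len("default:"):]
            tag, qualifier, perms = line.split(":")
            target[(tag, qualifier)] = bits(perms)
    return owner, group, access, default


def check_access(acl, owner, group, user, wanted):
    """acl(5) check order: owner entry, then a named user entry, then every
    matching group entry (group owner or named group), then other. The mask
    caps everything except the owner and other entries, and a named user
    entry is final: it is not overridden by more generous group entries."""
    mask = acl.get(("mask", ""), R | W | X)
    if user == owner:
        return wanted & acl[("user", "")] == wanted
    if ("user", user) in acl:
        return wanted & acl[("user", user)] & mask == wanted
    member_of = {g for g, members in GROUPS.items() if user in members}
    candidates = [acl[("group", "")]] if group in member_of else []
    candidates += [p for (t, q), p in acl.items() if t == "group" and q in member_of]
    if candidates:
        return any(wanted & p & mask == wanted for p in candidates)
    return wanted & acl[("other", "")] == wanted


def inherit(default_acl, create_mode):
    """New object's access ACL from the parent's default ACL: the default
    entries are copied, then the owner, other and mask entries (group owner
    if there is no mask) are ANDed with the matching creation-mode bits.
    umask is not applied when a default ACL exists."""
    acl = dict(default_acl)
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[("other", "")] &= create_mode & 7
    key = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[key] &= (create_mode >> 3) & 7
    return acl


def exercise_checks():
    owner, group, access, default = parse_getfacl(GETFACL_STEAMIES)
    subdir = inherit(default, 0o777)   # mkdir tidmouth
    regular = inherit(default, 0o666)  # echo "toot toot" > tidmouth/whistle.txt
    return {
        "thomas_read": check_access(access, owner, group, "thomas", R),
        "thomas_write": check_access(access, owner, group, "thomas", W),
        "james_list": check_access(access, owner, group, "james", R | X),
        "student_rwx": check_access(access, owner, group, "student", R | W | X),
        "subdir_mask": text(subdir[("mask", "")]),
        "file_mask": text(regular[("mask", "")]),
        "file_sodor_effective": text(regular[("group", "sodor")] & regular[("mask", "")]),
    }


if __name__ == "__main__":
    for key, value in exercise_checks().items():
        print(f"{key}: {value}")
```

The named-user step is what makes the deny work: because user:james:--- matches before any group entry is consulted, the rwx granted to sodor never applies to james. The inheritance step reproduces the getfacl output for tidmouth (mask rwx) and explains the rw- mask that a file such as whistle.txt receives, which is why sodor members get rw- rather than rwx on new regular files.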

Lab: Controlling Access to Files with Access Control Lists (ACLs)

Performance checklist

In this lab, you will update a collaborative directory to have the correct group ownership and permissions. You will add ACLs to allow another group to have appropriate permissions, while limiting permissions for a specific user.

Resources:
Files: /shares/cases/*
Machines: serverX

Outcomes:
• Members of the bakerstreet group will have correct access permissions to the cases directory.

• Members of the scotlandyard group will have read/write access to the cases directory, except user jones, who only has read access. All members of the scotlandyard group should have execute on the directory.

• New files and directories will automatically get the correct group ownership, ACL, and file permissions.

Before you begin...

• Reset your serverX system (see note).

• Log into and set up your server system (see note).

[student@serverX ~]$ lab acl setup

• Open a terminal.

• Switch to root using sudo -i.

Note
If you reset your server for the "Using ACLs to Grant and Limit Access" practice exercise and you have not tampered with the /shares/cases directory, then you do NOT need to reset the server or rerun the lab setup for this lab.

The Baker Street detective agency is setting up a collaborative share directory to hold case files, which members of the bakerstreet group will have read and write permissions on.

The lead detective, Sherlock Holmes, has decided that members of the scotlandyard group should also be able to read and write to the share directory. However, Holmes thinks that Inspector Peter Jones (a member of the scotlandyard group) is an imbecile, and as such, Jones should have his access to the directory restricted to read-only.

Mrs. Hudson has limited Linux skills and was only able to create the share directory and copy some files into it. Being tea time, she has asked you to complete the job, while she organizes tea and biscuits for Holmes and Watson.

Your task is to complete the setup of the share directory. The directory and all of its contents should be owned by the bakerstreet group, with the files updated to read and write for the owner and group (bakerstreet). Other users should have no permissions. You also need to provide read and write permissions for the scotlandyard group, with the exception of jones, who only gets read permissions. Make sure your setup applies to existing and future files.

Important information:

• Share directory: /shares/cases

• bakerstreet group: holmes, watson

• scotlandyard group: lestrade, gregson, jones

• Two files exist in the directory: adventures.txt and moriarty.txt.

• All five user passwords are redhat.

• All changes should occur to directory cases and its files; do not adjust the shares directory.

When you are done, run the command lab acl grade from your machine to verify your work.

1. The cases directory and its content should belong to group bakerstreet. New files added in the cases directory should automatically belong to the group bakerstreet. Existing files should be set to rw for user and group. (Hint: do not use setfacl.)

2. Add ACLs to the cases directory (and its contents) that allow members of the scotlandyard group to have read/write access on the files and execute on the directory. Restrict user jones to read access on the files and execute on the directory.

3. Add ACLs that ensure any new file or directory in the cases directory have the correct permissions applied for ALL authorized users and groups.

4. Verify that you have made your ACL and file system changes correctly.

Use ls and getfacl to review your settings on /shares/cases.

From student, use sudo -i -u user to switch to both holmes and lestrade. Verify that you can write to a file, read from a file, make a directory, and write to a file in the new directory. Use ls to check the new directory permissions and getfacl to review the new directory ACLs.

From student, use sudo -i -u jones to switch users. Try writing to a file (it should fail) and try to make a new directory (it should fail). As jones, you should be able to read from the adventures.txt file in the cases directory and read from the "test" file written in either of the new directories created by holmes and lestrade.

Note
The set of tests above are some of the tests you could perform to check that access permissions are correct. You should devise appropriate access validation tests for your environment.

5. When you are done, run the command lab acl grade from your serverX machine to verify your work.

Solution

In this lab, you will update a collaborative directory to have the correct group ownership and permissions. You will add ACLs to allow another group to have appropriate permissions, while limiting permissions for a specific user.

Resources:
Files: /shares/cases/*
Machines: serverX

Outcomes:
• Members of the bakerstreet group will have correct access permissions to the cases directory.

• Members of the scotlandyard group will have read/write access to the cases directory, except user jones, who only has read access. All members of the scotlandyard group should have execute on the directory.

• New files and directories will automatically get the correct group ownership, ACL, and file permissions.

Before you begin...

• Reset your serverX system (see note).

• Log into and set up your server system (see note).

[student@serverX ~]$ lab acl setup

• Open a terminal.

• Switch to root using sudo -i.

Note
If you reset your server for the "Using ACLs to Grant and Limit Access" practice exercise and you have not tampered with the /shares/cases directory, then you do NOT need to reset the server or rerun the lab setup for this lab.

The Baker Street detective agency is setting up a collaborative share directory to hold case files, which members of the bakerstreet group will have read and write permissions on.

The lead detective, Sherlock Holmes, has decided that members of the scotlandyard group should also be able to read and write to the share directory. However, Holmes thinks that Inspector Peter Jones (a member of the scotlandyard group) is an imbecile, and as such, Jones should have his access to the directory restricted to read-only.

Mrs. Hudson has limited Linux skills and was only able to create the share directory and copy some files into it. Being tea time, she has asked you to complete the job, while she organizes tea and biscuits for Holmes and Watson.

Your task is to complete the setup of the share directory. The directory and all of its contents should be owned by the bakerstreet group, with the files updated to read and write for the owner and group (bakerstreet). Other users should have no permissions. You also need to provide read and write permissions for the scotlandyard group, with the exception of jones, who only gets read permissions. Make sure your setup applies to existing and future files.

Important information:

• Share directory: /shares/cases

• bakerstreet group: holmes, watson

• scotlandyard group: lestrade, gregson, jones

• Two files exist in the directory: adventures.txt and moriarty.txt.

• All five user passwords are redhat.

• All changes should occur to directory cases and its files; do not adjust the shares directory.

When you are done, run the command lab acl grade from your machine to verify your work.

1. The cases directory and its content should belong to group bakerstreet. New files added in the cases directory should automatically belong to the group bakerstreet. Existing files should be set to rw for user and group. (Hint: do not use setfacl.)

1.1. Use chgrp to recursively update group ownership on the directory and its contents.

[root@serverX ~]# chgrp -R bakerstreet /shares/cases

1.2. Use chmod to update the setgid flag on the directory.

[root@serverX ~]# chmod g+s /shares/cases

1.3. Use chmod to update all existing file permissions to rw for owner and group.

[root@serverX ~]# chmod 660 /shares/cases/*

2. Add ACLs to the cases directory (and its contents) that allow members of the scotlandyard group to have read/write access on the files and execute on the directory. Restrict user jones to read access on the files and execute on the directory.

2.1. Use setfacl to recursively update the existing cases directory and its content. Grant the group scotlandyard read, write, and conditional execute permissions.

[root@serverX ~]# setfacl -Rm g:scotlandyard:rwX /shares/cases

2.2. Use setfacl to recursively update the existing cases directory and its content. Grant the user jones read and conditional execute permissions.

[root@serverX ~]# setfacl -Rm u:jones:rX /shares/cases

3. Add ACLs that ensure any new file or directory in the cases directory have the correct permissions applied for ALL authorized users and groups.

3.1. Use setfacl to update the default permissions for members of the scotlandyard group. Default permissions are read, write, and execute (needed for proper subdirectory creation and access).

[root@serverX ~]# setfacl -m d:g:scotlandyard:rwx /shares/cases

3.2. Use setfacl to update the default permissions for scotlandyard user jones. Default permissions are read and execute (needed for proper subdirectory access).

[root@serverX ~]# setfacl -m d:u:jones:rx /shares/cases

4. Verify that you have made your ACL and file system changes correctly.

Use ls and getfacl to review your settings on /shares/cases.

From student, use sudo -i -u user to switch to both holmes and lestrade. Verify that you can write to a file, read from a file, make a directory, and write to a file in the new directory. Use ls to check the new directory permissions and getfacl to review the new directory ACLs.

From student, use sudo -i -u jones to switch users. Try writing to a file (it should fail) and try to make a new directory (it should fail). As jones, you should be able to read from the adventures.txt file in the cases directory and read from the "test" file written in either of the new directories created by holmes and lestrade.


4.1. Use ls to check the cases directory and its content. Look for group ownership, directory and file permissions, the directory setgid flag, and the "+" indicating ACLs exist.

[root@serverX ~]# ls -ld /shares/cases
drwxrws---+ 2 root bakerstreet 46 Mar 18 06:56 /shares/cases
[root@serverX ~]# ls -l /shares/cases
total 16
-rw-rw----+ 1 root bakerstreet 22 Mar 18 06:56 adventures.txt
-rw-rw----+ 1 root bakerstreet  8 Mar 18 06:56 do_NOT_delete.grading.txt
-rw-rw----+ 1 root bakerstreet 38 Mar 18 06:56 moriarty.txt

4.2. Use getfacl and review its output. Look for the named user and named group entries in both the standard and default ACLs.

[root@serverX ~]# getfacl /shares/cases
getfacl: Removing leading '/' from absolute path names
# file: shares/cases
# owner: root
# group: bakerstreet
# flags: -s-
user::rwx
user:jones:r-x
group::rwx
group:scotlandyard:rwx
mask::rwx
other::---
default:user::rwx
default:user:jones:r-x
default:group::rwx
default:group:scotlandyard:rwx
default:mask::rwx
default:other::---

4.3. Perform the following operations as holmes. Repeat as lestrade, replacing any reference to holmes in each of the commands. Check that you get the expected access behavior.

[student@serverX ~]$ sudo -i -u holmes
[holmes@serverX ~]$ cd /shares/cases
[holmes@serverX cases]$ echo hello > holmes.txt
[holmes@serverX cases]$ cat adventures.txt
The Adventures of ...
[holmes@serverX cases]$ mkdir holmes.dir
[holmes@serverX cases]$ echo hello > holmes.dir/test.txt
[holmes@serverX cases]$ ls -ld holmes.dir
drwxrws---+ 2 holmes bakerstreet 21 Mar 18 07:35 holmes.dir
[holmes@serverX cases]$ ls -l holmes.dir
total 8
-rw-rw----+ 1 holmes bakerstreet 6 Mar 18 07:39 test.txt
[holmes@serverX cases]$ getfacl holmes.dir
# file: holmes.dir
# owner: holmes
# group: bakerstreet
# flags: -s-
user::rwx
user:jones:r-x
group::rwx
group:scotlandyard:rwx
mask::rwx
other::---
default:user::rwx
default:user:jones:r-x
default:group::rwx
default:group:scotlandyard:rwx
default:mask::rwx
default:other::---
[holmes@serverX cases]$ exit
logout
[student@serverX ~]$


4.4. Perform the following operations as jones. Check that you get the expected access behavior.

[student@serverX ~]$ sudo -i -u jones
[jones@serverX ~]$ cd /shares/cases
[jones@serverX cases]$ echo hello > jones.txt
-bash: jones.txt: Permission denied
[jones@serverX cases]$ cat adventures.txt
The Adventures of ...
[jones@serverX cases]$ mkdir jones.dir
mkdir: cannot create directory 'jones.dir': Permission denied
[jones@serverX cases]$ cat holmes.dir/test.txt
hello
[jones@serverX cases]$ exit
logout
[student@serverX ~]$


Note
The set of tests above are some of the tests you could perform to check that access permissions are correct. You should devise appropriate access validation tests for your environment.

5. When you are done, run the command lab acl grade from your serverX machine to verify your work.

5.1.
[student@serverX ~]$ lab acl grade


Summary

POSIX Access Control Lists (ACLs)

• ACLs provide fine-grained access control to files and directories.

• The file system must be mounted with ACL support enabled; XFS has built-in ACL support.

• ls -l indicates the presence of ACL settings with the "+" character. The group permissions show the mask settings.

• getfacl file displays the ACLs on a file or directory; directory ACLs include default ACLs.

• An ACL mask defines the maximum permissions named users, the group-owner, and named groups can have.

• ACL permission precedence is user, named users, groups, and then others.

Securing Files with ACLs

• How to use setfacl -m acl_spec to add or modify.

• How to use setfacl -x acl_spec to delete.

• Default ACLs can be set on a directory; preface the acl_spec with d:. Include execute permission to ensure access to new subdirectories.

• How to use -R for recursive, -b to delete all ACLs, -k to delete all default ACLs.

• The acl_spec has the pattern type:name:perms.

• type can be u, g, o, or m.

• name can be a user name, uid, group-name, or gid. An empty name implies file owner or group owner.

• perms are r, w, x, X, or "-" means unset.
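The lab solution and this summary can be tied together in code. The following Python program is an added example, not part of the workbook and not code from Red Hat's acl tools: it parses the getfacl output shown in the lab, parses acl_spec strings in the type:name:perms form (including the d: prefix and the conditional X), applies the mask, and answers access questions in the precedence order listed above. The group memberships used in the demo (holmes in bakerstreet, jones in scotlandyard) are constructed for the example.

```python
"""Added example (not from the RH134 workbook): evaluate POSIX ACL access the
way the kernel does, from the getfacl output shown in the lab and the acl_spec
syntax (type:name:perms, optional d: prefix) from the summary."""
import re

# Constructed from the lab's getfacl /shares/cases output.
GETFACL_OUTPUT = """\
# file: shares/cases
# owner: root
# group: bakerstreet
# flags: -s-
user::rwx
user:jones:r-x
group::rwx
group:scotlandyard:rwx
mask::rwx
other::---
default:user::rwx
default:user:jones:r-x
default:group::rwx
default:group:scotlandyard:rwx
default:mask::rwx
default:other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
TYPE_NAMES = {"u": "user", "g": "group", "o": "other", "m": "mask"}


def perms_to_bits(perms):
    """'r-x', 'rx' or 'r' -> integer; '-' means unset."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl_spec(spec, is_dir=False, has_exec=False):
    """Parse [d:]type:name:perms (setfacl syntax) or one getfacl line.
    A capital X is setfacl's conditional execute: it grants x only on a
    directory or on a file that already has an execute bit."""
    parts = spec.split(":")
    default = parts[0] in ("d", "default")
    if default:
        parts = parts[1:]
    if len(parts) == 2:                 # o:rwx and m:rwx carry no name
        parts.insert(1, "")
    if len(parts) != 3:
        raise ValueError("bad acl_spec: %r" % spec)
    type_, name, perms = parts
    perms = perms.replace("X", "x" if (is_dir or has_exec) else "")
    return {"default": default, "type": TYPE_NAMES.get(type_, type_),
            "name": name, "perms": perms_to_bits(perms)}


def parse_getfacl(text):
    """Return (owner, group, access_entries, default_entries)."""
    owner = group = None
    access, default = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
        if m:
            if m.group(1) == "owner":
                owner = m.group(2)
            else:
                group = m.group(2)
            continue
        if line.startswith("#"):        # "# file:" and "# flags:" lines
            continue
        entry = parse_acl_spec(line)
        (default if entry["default"] else access).append(entry)
    return owner, group, access, default


def effective_perms(entries):
    """Apply the mask to named users, the owning group and named groups.
    The owner and other entries are never masked, as the summary states."""
    mask = next((e["perms"] for e in entries if e["type"] == "mask"), 7)
    out = []
    for e in entries:
        bits = e["perms"]
        if e["type"] == "group" or (e["type"] == "user" and e["name"]):
            bits &= mask
        out.append(dict(e, perms=bits))
    return out


def check_access(text, user, groups, requested):
    """Precedence from the summary: owner, named user, then the owning group
    and named groups together, then other. A matching group entry that does
    not grant the request denies it; it never falls through to 'other'."""
    owner, owning_group, access, _ = parse_getfacl(text)
    entries = effective_perms(access)
    want = perms_to_bits(requested)
    if user == owner:
        bits = next(e["perms"] for e in entries if e["type"] == "user" and not e["name"])
        return want & bits == want
    named = [e for e in entries if e["type"] == "user" and e["name"] == user]
    if named:
        return want & named[0]["perms"] == want
    matching = [e for e in entries if e["type"] == "group" and
                (e["name"] in groups or (not e["name"] and owning_group in groups))]
    if matching:
        return any(want & e["perms"] == want for e in matching)
    other = next(e["perms"] for e in entries if e["type"] == "other")
    return want & other == want


if __name__ == "__main__":
    # Constructed memberships for the demo: holmes in bakerstreet, jones in scotlandyard.
    for who, grps in (("holmes", ["bakerstreet"]), ("jones", ["scotlandyard"])):
        print(who, "write:", check_access(GETFACL_OUTPUT, who, grps, "w"))
```

Running it shows why jones cannot write even when jones is a member of scotlandyard: the named-user entry matches first and is evaluated on its own, so the rwx group entry is never consulted. Changing the access mask line to mask::r-x in GETFACL_OUTPUT demonstrates the mask: scotlandyard's rwx entry is reduced to r-x, which is exactly the value the group column of ls -l would then display.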

CHAPTER 7

MANAGING SELINUX SECURITY

Overview

Goal         To manage the Security Enhanced Linux (SELinux) behavior of a system to keep it secure in case of a network service compromise.

Objectives   • Explain the basics of SELinux permissions.
             • Change SELinux modes with setenforce.
             • Change file contexts with semanage and restorecon.
             • Manage SELinux booleans with setsebool.
             • Examine logs and use sealert to troubleshoot SELinux violations.

Sections     • Enabling and Monitoring SELinux (and Practice)
             • Changing SELinux Modes (and Practice)
             • Changing SELinux Contexts (and Practice)
             • Changing SELinux Booleans (and Practice)
             • Troubleshooting SELinux (and Practice)

Lab          • Managing SELinux Security


Enabling and Monitoring Security Enhanced Linux (SELinux)

Objectives
After completing this section, students should be able to:

• Explain the basics of SELinux permissions and context transitions.

• Display the current SELinux mode.

• Correctly interpret the SELinux context of a file.

• Correctly interpret the SELinux context of a process.

• Identify current SELinux Boolean settings.

Basic SELinux security concepts

Security Enhanced Linux (SELinux) is an additional layer of system security. A primary goal of SELinux is to protect user data from system services that have been compromised. Most Linux administrators are familiar with the standard user/group/other permission security model. This is a user and group-based model known as discretionary access control. SELinux provides an additional layer of security that is object-based and controlled by more sophisticated rules, known as mandatory access control.

Figure 7.1: Apache service without SELinux protection

To allow remote anonymous access to a web server, firewall ports must be opened. However, this gives malicious people an opportunity to crack the system through a security exploit, and if they compromise the web server process, gain its permissions: the permissions of the apache user and the apache group. That user/group has read access to things like the document root (/var/www/html), as well as write access to /tmp, /var/tmp, and any other files/directories that are world-writable.



Figure 7.2: Apache service with SELinux protection

SELinux is a set of security rules that determine which process can access which files, directories, and ports. Every file, process, directory, and port has a special security label called a SELinux context. A context is a name that is used by the SELinux policy to determine whether a process can access a file, directory, or port. By default, the policy does not allow any interaction unless an explicit rule grants access. If there is no allow rule, no access is allowed.

SELinux labels have several contexts: user, role, type, and sensitivity. The targeted policy, which is the default policy enabled in Red Hat Enterprise Linux, bases its rules on the third context: the type context. Type context names usually end with _t. The type context for the web server is httpd_t. The type context for files and directories normally found in /var/www/html is httpd_sys_content_t. The type context for files and directories normally found in /tmp and /var/tmp is tmp_t. The type context for web server ports is http_port_t.

There is a policy rule that permits Apache (the web server process running as httpd_t) to access files and directories with a context normally found in /var/www/html and other web server directories (httpd_sys_content_t). There is no allow rule in the policy for files normally found in /tmp and /var/tmp, so access is not permitted. With SELinux, a malicious user could not access the /tmp directory. SELinux has rules for remote file systems such as NFS and CIFS, although all files on these file systems are labeled with the same context.

Many commands that deal with files have an option (usually -Z) to display or set SELinux contexts. For instance, ps, ls, cp, and mkdir all use the -Z option to display or set SELinux contexts.

[root@serverX ~]# ps axZ
LABEL                             PID TTY STAT TIME COMMAND
system_u:system_r:init_t:s0         1 ?   Ss   0:09 /usr/lib/systemd/...
system_u:system_r:kernel_t:s0       2 ?   S    0:00 [kthreadd]
system_u:system_r:kernel_t:s0       3 ?   S    0:00 [ksoftirqd/0]
[...Output omitted...]
[root@serverX ~]# systemctl start httpd
[root@serverX ~]# ps -ZC httpd
LABEL                           PID TTY     TIME CMD
system_u:system_r:httpd_t:s0   1608 ?   00:00:05 httpd
system_u:system_r:httpd_t:s0   1609 ?   00:00:00 httpd
[...Output omitted...]
[root@serverX ~]# ls -Z /home
drwx------. root    root    system_u:object_r:lost_found_t:s0 lost+found
drwx------. student student unconfined_u:object_r:user_home_dir_t:s0 student
drwx------. visitor visitor unconfined_u:object_r:user_home_dir_t:s0 visitor
[root@serverX ~]# ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 error
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 icons
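The following Python program is an added example, not from the workbook and not part of any SELinux tool: it splits a context label into its four fields and applies the default-deny decision described above, using a small constructed allow table keyed on the type fields of the process and the object. The table entries are assumptions standing in for the real policy (the real policy holds many thousands of rules and the kernel makes the decision); they are chosen to match the text, with an allow rule for httpd_t reading httpd_sys_content_t and none for tmp_t.

```python
"""Added example (not from the workbook): parse the four fields of an SELinux
context as printed by ps -Z / ls -Z, and apply the targeted policy's
default-deny rule with a small constructed allow table."""
from collections import namedtuple

Context = namedtuple("Context", "user role type level")


def parse_context(label):
    """'system_u:system_r:httpd_t:s0' -> Context(...). The sensitivity field
    may itself contain colons (MLS ranges such as s0-s0:c0.c1023), so only
    the first three separators are split on."""
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not a SELinux context: %r" % label)
    return Context(*parts)


# Constructed allow table (assumption, not the real policy): the targeted
# policy decides on the type field, so the key is (source type, target type).
ALLOW_RULES = {
    ("httpd_t", "httpd_sys_content_t"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_sys_script_exec_t"): {"read", "getattr", "execute"},
    ("httpd_t", "http_port_t"): {"name_bind"},
}


def is_allowed(process_label, object_label, permission):
    """Default deny: access is granted only when an explicit rule for the
    (source type, target type) pair lists the requested permission."""
    src = parse_context(process_label).type
    tgt = parse_context(object_label).type
    return permission in ALLOW_RULES.get((src, tgt), set())


# Constructed ps -Z and ls -Z lines modelled on the chapter's output.
PS_LINE = "system_u:system_r:httpd_t:s0   1608 ?   00:00:05 httpd"
LS_LINES = [
    "drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html",
    "-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file1",
    "-rw-r--r--. root root system_u:object_r:tmp_t:s0 scratch",
]


def process_label_from_ps(line):
    """ps -Z prints the LABEL column first."""
    return line.split()[0]


def audit_directory(process_label, ls_lines, permission="read"):
    """ls -Z prints: mode owner group context name. Return {name: allowed}
    for each listed object, as seen from the given process label."""
    result = {}
    for line in ls_lines:
        fields = line.split()
        result[fields[4]] = is_allowed(process_label, fields[3], permission)
    return result


if __name__ == "__main__":
    httpd = process_label_from_ps(PS_LINE)
    for name, ok in audit_directory(httpd, LS_LINES).items():
        print("%-8s read by httpd_t: %s" % (name, "allowed" if ok else "denied"))
```

The model covers only the type-enforcement part of the decision; the real kernel check also involves the user, role and sensitivity fields, Booleans, and the access vector cache. What it does reproduce is the property the text stresses: a file that the web server can reach under discretionary permissions (file1 in a world-writable /tmp) is still denied when no allow rule exists for its type.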

SELinux modes
For troubleshooting purposes, SELinux protection can be temporarily disabled using SELinux modes.

Figure 7.3: SELinux enforcing mode

In enforcing mode, SELinux actively denies access to the web server attempting to read files with tmp_t type context. In enforcing mode, SELinux both logs and protects.

Figure 7.4: SELinux permissive mode

Permissive mode is often used to troubleshoot issues. In permissive mode, SELinux allows all interactions, even if there is no explicit rule, and it logs those interactions it would have denied in enforcing mode. This mode can be used to temporarily allow access to content that SELinux is restricting. No reboot is required to go from enforcing to permissive or back again.

A third mode, disabled, completely disables SELinux. A system reboot is required to disable SELinux entirely, or to get from disabled mode to enforcing or permissive mode.

Important
It is better to use permissive mode than to turn off SELinux entirely. One reason for this is that even in permissive mode, the kernel will automatically maintain SELinux file system labels as needed, avoiding the need for an expensive relabeling of the file system when the system is rebooted with SELinux enabled.

To display the current SELinux mode in effect, use the getenforce command.

[root@serverX ~]# getenforce
Enforcing


SELinux Booleans

SELinux Booleans are switches that change the behavior of the SELinux policy. SELinux Booleans are rules that can be enabled or disabled. They can be used by security administrators to tune the policy to make selective adjustments.

The getsebool command is used to display SELinux Booleans and their current value. The -a option causes this command to list all of the Booleans.

[root@serverX ~]# getsebool -a
abrt_anon_write --> off
allow_console_login --> on
allow_corosync_rw_tmpfs --> off
[...Output omitted...]

References
selinux(8), getenforce(8), ls(1), ps(1), and getsebool(8) man pages


Practice: SELinux Concepts

Quiz
Match the following items to their counterparts in the table.

Boolean | Context | Disabled mode | Enforcing mode | Permissive mode

Term              Description
________________  Policy rules are obeyed and violations logged
________________  Label on processes, files, and ports that determine access
________________  A reboot is required to transition to this mode
________________  Switch that enables/disables a set of policy rules
________________  Policy rule violations only produce log messages

Solution

Match the following items to their counterparts in the table.

Term              Description
Enforcing mode    Policy rules are obeyed and violations logged
Context           Label on processes, files, and ports that determine access
Disabled mode     A reboot is required to transition to this mode
Boolean           Switch that enables/disables a set of policy rules
Permissive mode   Policy rule violations only produce log messages


Changing SELinux Modes

Objectives
After completing this section, students should be able to:

• Change the current SELinux mode of a system.

• Set the default SELinux mode of a system.

For troubleshooting purposes, SELinux protection can be temporarily disabled using SELinux modes. This section will look at how to change SELinux modes temporarily between enforcing and permissive mode. It will also look at how to set the default SELinux mode that is determined at boot time.

Changing the current SELinux mode

The setenforce command modifies the current SELinux mode:

[root@serverX ~]# getenforce
Enforcing
[root@serverX ~]# setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@serverX ~]# setenforce 0
[root@serverX ~]# getenforce
Permissive
[root@serverX ~]# setenforce Enforcing
[root@serverX ~]# getenforce
Enforcing

Another way to temporarily set the SELinux mode is to pass a parameter to the kernel at boot time. Passing a kernel argument of enforcing=0 causes the system to boot into permissive mode. A value of 1 would specify enforcing mode. SELinux can be disabled when the selinux=0 argument is specified. A value of 1 would enable SELinux.

Setting the default SELinux mode

The configuration file that determines what the SELinux mode is at boot time is /etc/selinux/config. Notice that it contains some useful comments:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes
#               are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Use /etc/selinux/config to change the default SELinux mode at boot time. In the example shown, it is set to enforcing mode.

Note
In older releases of Red Hat Enterprise Linux, the default SELinux mode was set in a file called /etc/sysconfig/selinux. In RHEL7, this file is a symbolic link that points to /etc/selinux/config.

Passing the selinux= and/or the enforcing= kernel arguments overrides any of the default values specified in /etc/selinux/config.

References
getenforce(1), setenforce(1), and selinux_config(5) man pages
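To make the override rules concrete, the following Python program is an added example, not from the workbook: it parses a constructed copy of /etc/selinux/config, parses a kernel command line, and reports the mode the system would boot into, with selinux= and enforcing= taking precedence over the file as the section describes. It also rewrites the SELINUX= line, which is the edit the guided exercise makes by hand with vi, refusing values the file does not accept. How selinux=1 interacts with SELINUX=disabled is not spelled out in the text, so the example's treatment of that case is an assumption and is commented as such.

```python
"""Added example (not from the workbook): work out which SELinux mode a system
will boot into from /etc/selinux/config plus the selinux= / enforcing= kernel
arguments, which override the file as the section describes."""
import shlex

# Constructed copy of /etc/selinux/config as shown in the section.
CONFIG_TEXT = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes
#               are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

VALID_MODES = ("enforcing", "permissive", "disabled")


def parse_selinux_config(text):
    """Return the KEY=value pairs, ignoring comments and blank lines. Keys are
    upper-cased and values lower-cased so 'SELinux=Enforcing' still parses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip().strip("\"'").lower()
    return settings


def parse_cmdline(cmdline):
    """Kernel command line (the content of /proc/cmdline) as a dict; bare
    words such as 'ro' map to None."""
    args = {}
    for tok in shlex.split(cmdline):
        key, sep, value = tok.partition("=")
        args[key] = value if sep else None
    return args


def boot_mode(config_text, cmdline=""):
    """Mode after boot. selinux=0 disables SELinux regardless of the file;
    otherwise enforcing=0/1 overrides SELINUX=; otherwise the file decides.
    An unknown SELINUX= value raises instead of being silently accepted."""
    cfg = parse_selinux_config(config_text)
    args = parse_cmdline(cmdline)
    file_mode = cfg.get("SELINUX", "")
    if file_mode not in VALID_MODES:
        raise ValueError("invalid SELINUX= value in config: %r" % file_mode)
    if args.get("selinux") == "0":
        return "disabled"
    # Assumption for this example: selinux=1 re-enables an SELinux that the
    # file disabled; the mode is then taken from enforcing= or defaults to
    # enforcing. Without selinux=1, SELINUX=disabled stays disabled.
    if file_mode == "disabled":
        if args.get("selinux") != "1":
            return "disabled"
        file_mode = "enforcing"
    enforcing = args.get("enforcing")
    if enforcing == "0":
        return "permissive"
    if enforcing == "1":
        return "enforcing"
    return file_mode


def set_default_mode(config_text, mode):
    """Rewrite the SELINUX= line the way the guided exercise does with vi.
    SELINUXTYPE= is left alone; comments are preserved."""
    if mode not in VALID_MODES:
        raise ValueError("mode must be one of %s" % (VALID_MODES,))
    lines, replaced = [], False
    for raw in config_text.splitlines():
        if raw.split("#", 1)[0].strip().upper().startswith("SELINUX="):
            lines.append("SELINUX=" + mode)
            replaced = True
        else:
            lines.append(raw)
    if not replaced:
        lines.append("SELINUX=" + mode)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("file only:          ", boot_mode(CONFIG_TEXT))
    print("with enforcing=0:   ", boot_mode(CONFIG_TEXT, "ro enforcing=0"))
    print("with selinux=0:     ", boot_mode(CONFIG_TEXT, "ro selinux=0 enforcing=1"))
    print("after edit to permissive:", boot_mode(set_default_mode(CONFIG_TEXT, "permissive")))
```

On a real host the two inputs are the file itself and /proc/cmdline; the point of reading the command line as well is that an auditor checking only /etc/selinux/config can be misled by a boot entry carrying enforcing=0 or selinux=0.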
Practice: Changing SELinux Modes

Guided exercise

In this lab, you will manage SELinux modes, both temporarily and persistently.

Resources
Machines: serverX

Outcomes:
You will get practice viewing and setting the current SELinux mode.

1. Log in as root on serverX. Display the current SELinux mode.

[root@serverX ~]# getenforce
Enforcing

2. Change the default SELinux mode to permissive and reboot.

[root@serverX ~]# vi /etc/selinux/config
[root@serverX ~]# grep '^SELINUX' /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted
[root@serverX ~]# reboot

3. When serverX comes back up, log in as root and display the current SELinux mode.

[root@serverX ~]# getenforce
Permissive

4. Change the default SELinux mode to enforcing.

[root@serverX ~]# vi /etc/selinux/config
[root@serverX ~]# grep '^SELINUX' /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted

5. Set the current SELinux mode to enforcing.

[root@serverX ~]# setenforce 1
[root@serverX ~]# getenforce
Enforcing

Changing SELinux Contexts

Objectives
After completing this section, students should be able to:

• Set the SELinux security context of files in the policy.

• Restore the SELinux security context of files.

Initial SELinux context
Typically, the SELinux context of a file's parent directory determines its initial SELinux context. The context of the parent directory is assigned to the newly created file. This works for commands like vim, cp, and touch. However, if a file is created elsewhere and the permissions are preserved (as with mv or cp -a), the original SELinux context will be unchanged.

[root@serverX ~]# ls -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
[root@serverX ~]# touch /var/www/html/index.html
[root@serverX ~]# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

Changing the SELinux context of a file

There are two commands that are used to change the SELinux context of files: chcon and restorecon. The chcon command changes the context of the file to the context specified as an argument to the command. Often the -t option is used to specify only the type component of the context.

The restorecon command is the preferred method for changing the SELinux context of a file or directory. Unlike chcon, the context is not explicitly specified when using this command. It uses rules in the SELinux policy to determine what the context of the file should be.

Note
chcon should not be used to change the SELinux context of files. Mistakes can be made when specifying the context explicitly. File contexts will be changed back to their default context if the system's file systems are relabeled at boot time.

[root@serverX ~]# mkdir /virtual
[root@serverX ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual
[root@serverX ~]# chcon -t httpd_sys_content_t /virtual
[root@serverX ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /virtual
[root@serverX ~]# restorecon -v /virtual
restorecon reset /virtual context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
[root@serverX ~]# ls -Zd /virtual
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual


Defining SELinux default file context rules

The semanage fcontext command can be used to display or modify the rules that the restorecon command uses to set default file contexts. It uses extended regular expressions to specify the path and file names. The most common extended regular expression used in fcontext rules is (/.*)?, which means "optionally, match a / followed by any number of characters". It matches the directory listed before the expression and everything in that directory recursively.

The restorecon command is part of the policycoreutils package, and semanage is part of the policycoreutils-python package.

[root@serverX ~]# touch /tmp/file1 /tmp/file2
[root@serverX ~]# ls -Z /tmp/file*
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
[root@serverX ~]# mv /tmp/file1 /var/www/html/
[root@serverX ~]# cp /tmp/file2 /var/www/html/
[root@serverX ~]# ls -Z /var/www/html/file*
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /var/www/html/file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2
[root@serverX ~]# semanage fcontext -l
/var/www(/.*)?                  all files  system_u:object_r:httpd_sys_content_t:s0
[root@serverX ~]# restorecon -Rv /var/www/
restorecon reset /var/www/html/file1 context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:httpd_sys_content_t:s0
[root@serverX ~]# ls -Z /var/www/html/file*
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2

The following example shows how to use semanage to add a context for a new directory.

[root@serverX ~]# mkdir /virtual
[root@serverX ~]# touch /virtual/index.html
[root@serverX ~]# ls -Zd /virtual/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual/
[root@serverX ~]# ls -Z /virtual/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 index.html
[root@serverX ~]# semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
[root@serverX ~]# restorecon -RFvv /virtual
[root@serverX ~]# ls -Zd /virtual/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /virtual/
[root@serverX ~]# ls -Z /virtual/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html

References
chcon(1), restorecon(8), and semanage(8) man pages
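The following Python program is an added example, not from the workbook and not restorecon's own code: it models what restorecon does with the rules that semanage fcontext manages. A constructed rule list in the shape of the semanage fcontext -l output is matched against constructed ls -Z style labels, and the program reports the path, old context and new context for each file that needs relabeling, distinguishing the default behavior (only the type field is rewritten) from -F (the whole context is replaced). The rule-ordering assumption (last matching rule wins, with locally added rules appended) and the rule table itself are simplifications of libselinux's matching, chosen for the example.

```python
"""Added example (not from the workbook): a small model of how restorecon
applies semanage fcontext rules. Rules are (extended regex, context) pairs
as listed by `semanage fcontext -l`; the regex is matched against the whole
path, so '/virtual(/.*)?' covers /virtual and everything below it but not
/virtualhost."""
import re

# Constructed rule table (assumption; real systems have thousands of rules).
FCONTEXT_RULES = [
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t:s0"),
    (r"/tmp(/.*)?", "system_u:object_r:tmp_t:s0"),
    (r"/virtual(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]

# Constructed inventory in the style of ls -Z: path -> current context.
CURRENT_LABELS = {
    "/var/www/html/file1": "unconfined_u:object_r:user_tmp_t:s0",
    "/var/www/html/file2": "unconfined_u:object_r:httpd_sys_content_t:s0",
    "/var/www/cgi-bin/test.cgi": "system_u:object_r:httpd_sys_content_t:s0",
    "/virtual/index.html": "unconfined_u:object_r:default_t:s0",
    "/opt/data.txt": "unconfined_u:object_r:usr_t:s0",
}


def compile_rules(rules):
    """Anchor each fcontext regex at both ends: the whole path must match."""
    return [(re.compile("^(?:%s)$" % pat), ctx) for pat, ctx in rules]


def default_context(path, compiled):
    """Last matching rule wins (assumption: the list runs from general to
    specific, so /var/www/cgi-bin(/.*)? beats /var/www(/.*)?). Returns None
    when no rule matches; restorecon then leaves the file alone."""
    match = None
    for regex, ctx in compiled:
        if regex.match(path):
            match = ctx
    return match


def type_of(ctx):
    return ctx.split(":")[2]


def plan_relabel(labels, rules, force=False):
    """Return the (path, old, new) triples that restorecon -v would report.
    Without -F only the type field is compared and rewritten, keeping the
    user and role fields; with -F (restorecon -RFvv in the section) the
    whole context is replaced by the rule's context."""
    compiled = compile_rules(rules)
    changes = []
    for path, old in sorted(labels.items()):
        new = default_context(path, compiled)
        if new is None:
            continue
        if force:
            target = new
        else:
            user, role, _, level = old.split(":", 3)
            target = ":".join([user, role, type_of(new), level])
        if target != old:
            changes.append((path, old, target))
    return changes


def fcontext_add(rules, regex, type_):
    """Model of `semanage fcontext -a -t TYPE 'REGEX'`: the new rule is
    appended, so it takes precedence over the shipped rules for that path."""
    return rules + [(regex, "system_u:object_r:%s:s0" % type_)]


if __name__ == "__main__":
    for path, old, new in plan_relabel(CURRENT_LABELS, FCONTEXT_RULES):
        print("restorecon reset %s context %s->%s" % (path, old, new))
    rules = fcontext_add(FCONTEXT_RULES, "/custom(/.*)?", "httpd_sys_content_t")
    print(plan_relabel({"/custom/index.html": "unconfined_u:object_r:default_t:s0"}, rules))
```

Running it reproduces the situation from the mv example above: file1 arrives in /var/www/html still labeled user_tmp_t and is the one that needs resetting, while file2, created by cp, already carries the directory's type and is untouched unless -F is given. The last two lines show the semanage -a step from the /virtual example generalized to a new directory: once the rule exists, the planner finds the right context for files beneath it without anyone spelling the context out, which is the reason the section prefers restorecon over chcon.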


P ra ct i ce: C h a n g i n g S E L i n u x C o n t exts

- Guided exercise

-
I n t h i s l a b , you w i l l persistent l y c h a n g e t h e S E L i n u x context of a d i rectory a n d its contents.

Resou rces
-
Files: /et c / h t t pd/conf/h t t pd . conf
Machines: serverx
-

Outcomes:
Yo u w i l l h a ve a web server that p u b l i s h es w e b content from a n o n -sta n d a rd d o c u m e n t root.
-

Before you begin . . .


Yo u s h o u l d h a ve a worki n g R H E L 7 system w i t h S E L i n u x i n e nforc i n g m o d e.
-

1. Log in as root on serverX. Use yum to install the Apache web server.

[root@serverX ~]# yum install -y httpd
2. Configure Apache to use a document root in a non-standard location.

2.1. Create the new document root, /custom.

[root@serverX ~]# mkdir /custom

2.2. Create the index.html with some recognizable content.

[root@serverX ~]# echo 'This is serverX.' > /custom/index.html

2.3. Configure Apache to use the new location. You need to replace the two occurrences of "/var/www/html" with "/custom" in the Apache configuration file, /etc/httpd/conf/httpd.conf.

[root@serverX ~]# vi /etc/httpd/conf/httpd.conf
[root@serverX ~]# grep custom /etc/httpd/conf/httpd.conf
DocumentRoot "/custom"
<Directory "/custom">

3. Start the Apache web service.

[root@serverX ~]# systemctl start httpd

4. Open a web browser on serverX and try to view the following URL: http://localhost/index.html. You will get an error message that says you do not have permission to access the file.
Chapter 7. Managing SELinux Security
5. Define a SELinux file context rule that sets the context type to httpd_sys_content_t for /custom and all the files below it.

[root@serverX ~]# semanage fcontext -a -t httpd_sys_content_t '/custom(/.*)?'

6. Use restorecon to change their contexts.

[root@serverX ~]# restorecon -Rv /custom
restorecon reset /custom context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /custom/index.html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

7. Try to view http://localhost/index.html again. You should see the message "This is serverX." displayed.

Changing SELinux Booleans

Objectives
After completing this section, students should be able to use SELinux Booleans to make adjustments to policy behavior.

SELinux Booleans
SELinux Booleans are switches that change the behavior of the SELinux policy. SELinux Booleans are rules that can be enabled or disabled. They can be used by security administrators to tune the policy to make selective adjustments.

The selinux-policy-devel package provides many manual pages, *_selinux(8), which explain the purpose of the Booleans available for various services. If this package has been installed, the man -k '_selinux' command can list these documents.

The getsebool command is used to display SELinux Booleans and setsebool is used to modify them. setsebool -P modifies the SELinux policy to make the modification persistent. semanage boolean -l will show whether or not a Boolean is persistent, along with a short description of the Boolean.

[root@serverX ~]# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
abrt_upload_watch_anon_write --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
...
[root@serverX ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
[root@serverX ~]# setsebool httpd_enable_homedirs on
[root@serverX ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
[root@serverX ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on
[root@serverX ~]# setsebool -P httpd_enable_homedirs on
[root@serverX ~]# semanage boolean -l | grep httpd_enable_homedirs
httpd_enable_homedirs          (on   ,   on)  Allow httpd to enable homedirs

To only list local modifications to the state of the SELinux Booleans (any setting that differs from the default in the policy), the command semanage boolean -l -C can be used.

[root@serverX ~]# semanage boolean -l -C
SELinux boolean                State  Default Description
cron_can_relabel               (off  ,   on)  Allow cron to can relabel
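The (on , off) column pair in the output above is the detail to watch: a Boolean changed with setsebool but without -P reverts at the next reboot. The following Python script is an added example, not part of the course, that parses constructed samples of semanage boolean -l and getsebool -a output, lists Booleans whose running state differs from the persistent one, checks that the two commands agree, and reports anything turned on from a constructed watchlist made of the Booleans this chapter names. The sample output lines and the watchlist are constructed for the example.

```python
"""Audit SELinux Boolean state from the two commands the chapter uses.

Added example, not part of the RH134 course.  'semanage boolean -l' shows the
current state and the persistent default side by side; 'getsebool -a' shows
the current state only.  All command output below is constructed.
"""
import re

# One line of 'semanage boolean -l' on RHEL 7:   name   (current , persistent)  description
SEMANAGE_LINE = re.compile(
    r"^(?P<name>\S+)\s+\(\s*(?P<state>on|off)\s*,\s*(?P<default>on|off)\s*\)\s*(?P<desc>.*)$"
)
# One line of 'getsebool -a':   name --> on|off
GETSEBOOL_LINE = re.compile(r"^(?P<name>\S+)\s+-->\s+(?P<state>on|off)$")

# Constructed watchlist: Booleans from this chapter that widen what a confined
# service may reach, so an administrator wants to know when they are on.
WATCHLIST = ("ftpd_anon_write", "httpd_enable_homedirs", "httpd_read_user_content")


def parse_semanage_booleans(text):
    """Return {name: (current, persistent, description)} from semanage boolean -l output."""
    result = {}
    for line in text.splitlines():
        m = SEMANAGE_LINE.match(line.strip())
        if m:  # the header line and blank lines do not match
            result[m["name"]] = (m["state"], m["default"], m["desc"])
    return result


def parse_getsebool(text):
    """Return {name: current_state} from getsebool -a output."""
    result = {}
    for line in text.splitlines():
        m = GETSEBOOL_LINE.match(line.strip())
        if m:
            result[m["name"]] = m["state"]
    return result


def non_persistent_changes(semanage_text):
    """Booleans whose running state differs from the persistent value.

    These were set with setsebool without -P and silently revert at the next
    reboot or policy reload; 'semanage boolean -l -C' shows the same set.
    """
    parsed = parse_semanage_booleans(semanage_text)
    return sorted(name for name, (cur, persist, _) in parsed.items() if cur != persist)


def state_mismatch(semanage_text, getsebool_text):
    """Names whose getsebool state disagrees with the State column of semanage boolean -l.

    Both commands read the same kernel state, so a non-empty result means one
    capture is stale or was taken on a different host.
    """
    current = parse_semanage_booleans(semanage_text)
    live = parse_getsebool(getsebool_text)
    return sorted(name for name, state in live.items()
                  if name in current and current[name][0] != state)


def enabled_from_watchlist(semanage_text, watchlist=WATCHLIST):
    """Watchlist Booleans that are on, either right now or persistently."""
    parsed = parse_semanage_booleans(semanage_text)
    return sorted(name for name in watchlist
                  if name in parsed and "on" in parsed[name][:2])


# Constructed 'semanage boolean -l' capture (descriptions shortened or made up).
SAMPLE_SEMANAGE = """\
SELinux boolean                State  Default Description
abrt_anon_write                (off  ,  off)  Constructed description
cron_can_relabel               (off  ,   on)  Allow cron to can relabel
ftpd_anon_write                (off  ,  off)  Constructed description
httpd_enable_homedirs          (on   ,  off)  Allow httpd to enable homedirs
httpd_read_user_content        (on   ,   on)  Constructed description
"""

# Constructed 'getsebool -a' capture taken at the same moment.
SAMPLE_GETSEBOOL = """\
abrt_anon_write --> off
cron_can_relabel --> off
ftpd_anon_write --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> on
"""

if __name__ == "__main__":
    print("will revert on reboot:", non_persistent_changes(SAMPLE_SEMANAGE))
    print("capture mismatch:", state_mismatch(SAMPLE_SEMANAGE, SAMPLE_GETSEBOOL))
    print("watchlist Booleans enabled:", enabled_from_watchlist(SAMPLE_SEMANAGE))
```

On a real host, feed the script the output of the two commands captured one after the other; a Boolean in the first list is the usual cause of "it worked until the reboot".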


References
booleans(8), getsebool(8), setsebool(8), semanage(8), semanage-boolean(8) man pages

Practice: Changing SELinux Booleans

Guided exercise

Apache can publish web content hosted in users' home directories, but SELinux prevents this by default. In this exercise, you will identify and change the SELinux Boolean that will permit Apache to access user home directories.

Resources
Files: /etc/httpd/conf.d/userdir.conf
Machines: serverX

Outcomes:
You will have a web server that publishes web content from users' home directories.

Before you begin...
The Apache web server should already be installed and running on serverX.example.com.

1. Log in as root on serverX. Enable the Apache feature that permits users to publish web content from their home directories. Edit the /etc/httpd/conf.d/userdir.conf configuration file and change the line with the UserDir directive to read as follows:

UserDir public_html

[root@serverX ~]# vi /etc/httpd/conf.d/userdir.conf
[root@serverX ~]# grep '^ *UserDir' /etc/httpd/conf.d/userdir.conf
UserDir public_html

2. Restart the Apache web service to make the changes take effect.

[root@serverX ~]# systemctl restart httpd

3. Create some web content that is published from a user's home directory.

3.1. Log in as student in another window and create a public_html directory.

[student@serverX ~]$ mkdir ~/public_html

3.2. Create some content in an index.html file.

[student@serverX ~]$ echo 'This is student content on serverX.' > ~/public_html/index.html

3.3. Change the permissions on student's home directory so Apache can access the public_html subdirectory.

[student@serverX ~]$ chmod 711 ~

4. Open a web browser on serverX and try to view the following URL: http://localhost/~student/index.html. You will get an error message that says you do not have permission to access the file.

5. In your root window, use the getsebool command to see if there are any Booleans that restrict access to home directories.

[root@serverX ~]# getsebool -a | grep home
[...Output omitted...]
httpd_enable_homedirs --> off
[...Output omitted...]

6. Use setsebool to enable home directory access persistently.

[root@serverX ~]# setsebool -P httpd_enable_homedirs on

7. Try to view http://localhost/~student/index.html again. You should see the message "This is student content on serverX."

Troubleshooting SELinux

Objectives
After completing this section, students should be able to use SELinux log analysis tools.
Troubleshooting SELinux issues
What should be done when SELinux prevents access to files on a server? There is a sequence of steps that should be taken when this occurs.

1. Before thinking of making any adjustments, consider that SELinux may be doing its job correctly by prohibiting the attempted access. If a web server tries to access files in /home, this could signal a compromise of the service if web content isn't published by users. If access should have been granted, then additional steps need to be taken to solve the problem.

2. The most common SELinux issue is an incorrect file context. This can occur when a file is created in a location with one file context and moved into a place where a different context is expected. In most cases, running restorecon will correct the issue. Correcting issues in this way has a very narrow impact on the security of the rest of the system.

3. Another remedy for a too-restrictive access could be the adjustment of a Boolean. For example, the ftpd_anon_write Boolean controls whether anonymous FTP users can upload files. This Boolean would have to be turned on if it is desirable to allow anonymous FTP users to upload files to a server. Adjusting Booleans requires more care because they can have a broad impact on system security.

4. It is possible that the SELinux policy has a bug that prevents a legitimate access. Since SELinux has matured, this is a rare occurrence. When it is clear that a policy bug has been identified, contact Red Hat support to report the bug so it can be resolved.

Monitoring SELinux violations

The setroubleshoot-server package must be installed to send SELinux messages to /var/log/messages. setroubleshoot-server listens for audit messages in /var/log/audit/audit.log and sends a short summary to /var/log/messages. This summary includes unique identifiers (UUIDs) for SELinux violations that can be used to gather further information. sealert -l UUID is used to produce a report for a specific incident. sealert -a /var/log/audit/audit.log is used to produce reports for all incidents in that file.

Consider the following sample sequence of commands on a standard Apache web server:


[root@serverX ~]# touch /root/file3
[root@serverX ~]# mv /root/file3 /var/www/html
[root@serverX ~]# systemctl start httpd
[root@serverX ~]# curl http://localhost/file3
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /file3
on this server.</p>
</body></html>
[root@serverX ~]# tail /var/log/audit/audit.log
type=AVC msg=audit(1392944135.482:429): avc:  denied  { getattr } for
pid=1689 comm="httpd" path="/var/www/html/file3" dev="vda1" ino=8988981
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

[root@serverX ~]# tail /var/log/messages
Feb 20 19:55:42 serverX setroubleshoot: SELinux is preventing /usr/sbin/httpd
from getattr access on the file . For complete SELinux messages. run
sealert -l 613ca624-248d-48a2-a7d9-d28f5bbe2763

[root@serverX ~]# sealert -l 613ca624-248d-48a2-a7d9-d28f5bbe2763
SELinux is preventing /usr/sbin/httpd from getattr access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          serverX.example.com
Source RPM Packages           httpd-2.4.6-14.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-124.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     serverX.example.com
Platform                      Linux serverX.example.com 3.10.0-84.el7.x86_64 #1
                              SMP Tue Feb 4 16:28:19 EST 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-02-20 19:55:35 EST
Last Seen                     2014-02-20 19:55:35 EST
Local ID                      613ca624-248d-48a2-a7d9-d28f5bbe2763

Raw Audit Messages
type=AVC msg=audit(1392944135.482:429): avc:  denied  { getattr } for
pid=1689 comm="httpd" path="/var/www/html/file3" dev="vda1" ino=8988981
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

type=SYSCALL msg=audit(1392944135.482:429): arch=x86_64 syscall=lstat
success=no exit=EACCES a0=7f9fed8edea8 a1=7fff7bffc778 a2=7fff7bffc778
a3=0 items=0 ppid=1688 pid=1689 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,admin_home_t,file,getattr
Note
The "Raw Audit Messages" section reveals the target file that is the problem, /var/www/html/file3. Also, the target context, tcontext, doesn't look like it belongs with a web server. Use the restorecon /var/www/html/file3 command to fix the file context. If there are other files that need to be adjusted, restorecon can recursively reset the context: restorecon -R /var/www/.
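Step 2 of the troubleshooting sequence and the note above both come down to reading the AVC record: the target type tells you whether a file is mislabelled, and the path tells you whether httpd was even supposed to be there. The following Python script is an added example, not course material and not part of setroubleshoot: it parses constructed audit.log lines of the kind shown above, rebuilds the summary line sealert prints as Hash:, counts repeats, and sorts each denial into relabel, policy or investigate. The list of expected document roots (EXPECTED_WEB_ROOTS) and the audit lines are constructed; the triage rules are the example's own simplification of the chapter's four steps, not sealert's plugins.

```python
"""Parse raw AVC denials from /var/log/audit/audit.log and triage them.

Added example, not part of the RH134 course or of setroubleshoot.  It extracts
subject, target, class and permission from each AVC record, builds the tuple
sealert prints as 'Hash:', counts repeats, and classifies each denial using
the chapter's order of checks.  Audit lines and document roots are constructed.
"""
import re

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="httpd", path="/...")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed: where this host expects httpd_sys_content_t content, i.e. the
# standard document root plus the /custom root that the practice gave a rule.
EXPECTED_WEB_ROOTS = ("/var/www/", "/custom/")


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "perms": m["perms"].split()}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m["rest"]))
    return rec


def context_type(context):
    """Type field of a user:role:type:level context string."""
    return context.split(":")[2]


def summary_hash(rec):
    """Same tuple sealert shows as 'Hash: httpd,httpd_t,admin_home_t,file,getattr'."""
    return (rec["comm"], context_type(rec["scontext"]),
            context_type(rec["tcontext"]), rec["tclass"], " ".join(rec["perms"]))


def triage(rec):
    """Classify a denial following the chapter's sequence of checks.

    'relabel'     - content under an expected document root carries a foreign
                    type (for example admin_home_t after mv): restorecon fixes it.
    'policy'      - the target already has an httpd type, so the label is right
                    and a Boolean (or, rarely, a policy bug) is the next suspect.
    'investigate' - httpd reached outside the expected roots; decide whether it
                    should (new semanage fcontext rule) or whether this is a
                    compromise before changing anything.
    """
    ttype = context_type(rec["tcontext"])
    path = rec.get("path", "")  # some AVC records carry name= instead of path=
    if ttype.startswith("httpd_"):
        return "policy"
    if any(path.startswith(root) for root in EXPECTED_WEB_ROOTS):
        return "relabel"
    return "investigate"


def triage_log(text):
    """Aggregate a log into {summary_hash: (count, verdict, path)}."""
    report = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = summary_hash(rec)
        count = report.get(key, (0,))[0] + 1
        report[key] = (count, triage(rec), rec.get("path", ""))
    return report


# Constructed audit.log excerpt: two repeats of the chapter's file3 denial, a
# SYSCALL record that must be skipped, the lab's /var/web-content denial, and a
# denial on a file that already carries an httpd type.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1392944135.482:429): avc:  denied  { getattr } for  pid=1689 comm="httpd" path="/var/www/html/file3" dev="vda1" ino=8988981 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1392944135.482:429): arch=x86_64 syscall=lstat success=no exit=EACCES comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1392944141.017:433): avc:  denied  { getattr } for  pid=1689 comm="httpd" path="/var/www/html/file3" dev="vda1" ino=8988981 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1392922556.862:494): avc:  denied  { open } for  pid=24492 comm="httpd" path="/var/web-content/lab-content/index.html" dev="vda1" ino=29062705 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1392922600.100:501): avc:  denied  { read } for  pid=24492 comm="httpd" name="index.html" dev="vda1" ino=29062799 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file
"""

if __name__ == "__main__":
    for key, (count, verdict, path) in triage_log(SAMPLE_AUDIT_LOG).items():
        print(f"Hash: {','.join(key)}  count={count}  verdict={verdict}  {path}")
```

The verdict is a starting point, not a fix: a relabel verdict still deserves the "should httpd see this file at all" question from step 1 before restorecon is run, and an investigate verdict on a path nobody configured is the case where a compromise is most worth ruling out.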

References
sealert(8) man page

Practice: Troubleshooting SELinux

Guided exercise

In this lab, you will learn how to troubleshoot SELinux security denials.

Changing the DocumentRoot of an Apache web server introduces SELinux access denials. In this exercise, you will see how that issue could have been identified and resolved.

Resources
Machines: serverX

Outcomes:
You will get some experience using SELinux troubleshooting tools.

Before you begin...
The Apache web server should already be installed and running on serverX.example.com.

You should have completed the steps of the "Changing SELinux Contexts" practice exercise.

1. Log in as root on serverX. Remove the file context rule created earlier and restore the /custom directory structure back to its original SELinux context.

1.1. Remove the file context rule you added in the earlier lab.

[root@serverX ~]# semanage fcontext -d -t httpd_sys_content_t '/custom(/.*)?'

1.2. Change the file contexts to their original values.

[root@serverX ~]# restorecon -Rv /custom
restorecon reset /custom context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /custom/index.html context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0

2. Open a web browser on serverX and try to view the following URL: http://localhost/index.html. You will get an error message that says you do not have permission to access the file.

3. View the contents of /var/log/messages. You should see some output similar to the following:

[root@serverX ~]# tail /var/log/messages
[...Output omitted...]
Feb 19 12:00:35 serverX setroubleshoot: SELinux is preventing /usr/sbin/httpd
from getattr access on the file . For complete SELinux messages. run
sealert -l 82ead554-c3cb-4664-85ff-e6f256437c6c
[...Output omitted...]
4. Run the suggested sealert command and see if you can identify the issue and a possible resolution.

[root@serverX ~]# sealert -l 82ead554-c3cb-4664-85ff-e6f256437c6c
SELinux is preventing /usr/sbin/httpd from getattr access on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow httpd to have getattr access on the file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: NetworkManager_log_t,
httpd_sys_content_t, httpd_sys_htaccess_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, ...
Then execute:
restorecon -v '$FIX_TARGET_PATH'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the file by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          serverX.example.com
Source RPM Packages           httpd-2.4.6-14.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-124.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     serverX.example.com
Platform                      Linux serverX.example.com 3.10.0-84.el7.x86_64 #1
                              SMP Tue Feb 4 16:28:19 EST 2014 x86_64 x86_64
Alert Count                   9
First Seen                    2014-02-19 10:33:06 EST
Last Seen                     2014-02-19 12:00:32 EST
Local ID                      82ead554-c3cb-4664-85ff-e6f256437c6c

Raw Audit Messages
type=AVC msg=audit(1392829232.3:1782): avc:  denied  { getattr } for
pid=11870 comm="httpd" path="/custom/index.html" dev="vda1" ino=11520682
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=file

type=SYSCALL msg=audit(1392829232.3:1782): arch=x86_64 syscall=lstat success=no
exit=EACCES a0=7f1854a3b068 a1=7fff493f2ff0 a2=7fff493f2ff0
a3=ffffffffffffffff items=0 ppid=11866 pid=11870 auid=4294967295 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm=httpd exe=/usr/sbin/httpd
subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,default_t,file,getattr

5. Read the output from the sealert command. Identify which file the Apache web server is having trouble with and look for a possible remedy.

5.1. At the top of the output, a solution is recommended.

# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: NetworkManager_log_t,
httpd_sys_content_t, httpd_sys_htaccess_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, ...
Then execute:
restorecon -v '$FIX_TARGET_PATH'

5.2. Look at the raw AVC message to identify the relevant process and file that is causing the alert.

Raw Audit Messages
type=AVC msg=audit(1392829232.3:1782): avc:  denied  { getattr } for
pid=11870 comm="httpd" path="/custom/index.html" dev="vda1" ino=11520682
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=file

5.3. The process involved in the security denial is the httpd Apache web server and the file is /custom/index.html.

6. Earlier, we resolved this issue using semanage and restorecon. You must decide if this SELinux violation is a security breach or if it is a legitimate access that requires SELinux to be adjusted to handle a non-standard directory structure.
Lab: Managing SELinux Security

Performance checklist

In this lab, you will solve an SELinux access denial problem. System administrators are having trouble getting a new web server to deliver content to clients when SELinux is in enforcing mode.

Solve this problem by making adjustments to SELinux. Do not disable SELinux or put it in permissive mode. Do not move the web content or reconfigure Apache in any way.
Resources
Machines: serverX

Outcomes:
Launching a web server on serverX and pointing it to http://localhost/lab-content will display web content instead of an error message.

Before you begin...

• Reset your serverX system.

• Log into and set up your serverX system.

[student@serverX ~]$ lab selinux setup

1. Launch a web browser on serverX and browse to http://localhost/lab-content. You will see an error message.

2. Research and identify the SELinux issue that is preventing Apache from serving web content.

3. Resolve the SELinux issue that is preventing Apache from serving web content.

4. Verify the SELinux issue has been resolved and Apache is able to serve web content.

5. Run the lab selinux grade command to confirm your findings.


Solution

In this lab, you will solve an SELinux access denial problem. System administrators are having trouble getting a new web server to deliver content to clients when SELinux is in enforcing mode.

Solve this problem by making adjustments to SELinux. Do not disable SELinux or put it in permissive mode. Do not move the web content or reconfigure Apache in any way.
Resources
Machines: serverX

Outcomes:
Launching a web server on serverX and pointing it to http://localhost/lab-content will display web content instead of an error message.

Before you begin...

• Reset your serverX system.

• Log into and set up your serverX system.

lab selinux setup

1. Launch a web browser on serverX and browse to http://localhost/lab-content. You will see an error message.

2. Research and identify the SELinux issue that is preventing Apache from serving web content.
-
Look in /var/log/messages for helpful error messages.

[root@serverX ~]# tail /var/log/messages
[...Output omitted...]
Feb 20 13:55:59 serverX dbus-daemon: dbus[427]: [system] Successfully activated
service 'org.fedoraproject.Setroubleshootd'
Feb 20 13:55:59 serverX dbus[427]: [system] Successfully activated service
'org.fedoraproject.Setroubleshootd'
Feb 20 13:56:01 serverX setroubleshoot: Plugin Exception restorecon
Feb 20 13:56:01 serverX setroubleshoot: SELinux is preventing /usr/sbin/httpd
from open access on the file . For complete SELinux messages. run sealert -l
160daebd-0359-4f72-9dde-46e7fd244e27

Especially note the setroubleshootd messages. Run sealert to get more detailed information about the SELinux error.

[root@serverX ~]# sealert -l 160daebd-0359-4f72-9dde-46e7fd244e27
SELinux is preventing /usr/sbin/httpd from open access on the file .

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow httpd to read user content
Then you must tell SELinux about this by enabling the 'httpd_read_user_content'
boolean.
You can read 'None' man page for more details.
Do
setsebool -P httpd_read_user_content 1
*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that httpd should be allowed open access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          serverX.example.com
Source RPM Packages           httpd-2.4.6-14.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-124.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     serverX.example.com
Platform                      Linux serverX.example.com 3.10.0-84.el7.x86_64 #1
                              SMP Tue Feb 4 16:28:19 EST 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-02-20 13:55:56 EST
Last Seen                     2014-02-20 13:55:56 EST
Local ID                      160daebd-0359-4f72-9dde-46e7fd244e27

Raw Audit Messages
type=AVC msg=audit(1392922556.862:494): avc:  denied  { open } for  pid=24492
comm="httpd" path="/var/web-content/lab-content/index.html" dev="vda1"
ino=29062705 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1392922556.862:494): arch=x86_64 syscall=open success=no
exit=EACCES a0=7fda4c92eb40 a1=80000 a2=0 a3=0 items=0 ppid=24487 pid=24492
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd
subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_tmp_t,file,open

-
Looking c l ose l y at t h e raw a u d it messages, yo u see t h a t A p a c h e c a n n ot access
/va r/web - co n t e n t /lab - c o n t e n t /index . h tml.
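As an added example (not part of the course material), the following POSIX shell functions pull the source type, target type, class and path out of an AVC record of the kind shown above and flag the mislabelled-content pattern that this exercise fixes. The sample record is constructed to mirror the denial in the text; the audit log path is the one named above.

```shell
#!/bin/sh
# Added example: summarise AVC denial records from the audit log and point out files
# that httpd_t is being denied because they do not carry httpd_sys_content_t.

# Constructed sample record, modelled on the page's denial (not captured from a live system).
SAMPLE_AVC='type=AVC msg=audit(1392922556.862:494): avc:  denied  { open } for  pid=24492 comm="httpd" path="/var/web-content/lab-content/index.html" dev="vda1" ino=29062705 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value, with or without quotes around the value.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_permission RECORD: the permission named inside "denied { ... }" (e.g. open).
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p'
}

# selinux_type CONTEXT: the type component of a user:role:type:level label.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "SOURCE_TYPE PERMISSION CLASS TARGET_TYPE PATH" for a denial;
# returns 1 and prints nothing for any record that is not an AVC denial.
avc_summary() {
    case "$1" in
        *'avc:'*'denied'*) ;;
        *) return 1 ;;
    esac
    printf '%s %s %s %s %s\n' \
        "$(selinux_type "$(avc_field "$1" scontext)")" \
        "$(avc_permission "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(selinux_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" path)"
}

# web_content_mislabelled RECORD: exit 0 when httpd_t is denied on a file whose type is not
# httpd_sys_content_t, the pattern the text fixes with semanage fcontext and restorecon.
# Assumption: only the standard httpd_sys_content_t type is treated as correct here.
web_content_mislabelled() {
    [ "$(selinux_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
    [ "$(avc_field "$1" tclass)" = file ] &&
    [ "$(selinux_type "$(avc_field "$1" tcontext)")" != httpd_sys_content_t ]
}

# avc_report: walk the audit log (or the sample record when the log is not readable)
# and print one classified line per denial.
avc_report() {
    if [ -r /var/log/audit/audit.log ]; then
        grep 'type=AVC' /var/log/audit/audit.log
    else
        printf '%s\n' "$SAMPLE_AVC"
    fi | while IFS= read -r rec; do
        summary=$(avc_summary "$rec") || continue
        if web_content_mislabelled "$rec"; then
            printf 'MISLABELLED %s\n' "$summary"
        else
            printf 'DENIED      %s\n' "$summary"
        fi
    done
}

# Run as "sh avc_report.sh report" (as root, to read the audit log) to print the report.
case "${1:-}" in report) avc_report ;; esac
```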

3. Resolve the SELinux issue that is preventing Apache from serving web content.

/var/web-content is a nonstandard location for Apache web content. Display the SELinux context of /var/web-content and the standard document root, /var/www/html.

[root@serverX ~]# ls -d -Z /var/web-content /var/www/html
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/web-content
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

RH134-RHEL7-en-1-20140610 149

Chapter 7. Managing SELinux Security

Create a file context rule that will set the default type to httpd_sys_content_t for /var/web-content and all files below it.

[root@serverX ~]# semanage fcontext -a -t httpd_sys_content_t '/var/web-content(/.*)?'

Use the restorecon command to set the SELinux context for the files in /var/web-content.

[root@serverX ~]# restorecon -R /var/web-content/


4. Verify the SELinux issue has been resolved and Apache is able to serve web content.

Use your web browser to refresh the http://localhost/lab-content link. Now you should see some web content.

This is the content for the SELinux chapter test.

5. Run the lab selinux grade command to confirm your findings.

[root@serverX ~]# lab selinux grade
Confirming SELinux is in enforcing mode... PASS
Confirming files are in expected location... PASS
Confirming the Apache DocumentRoot is unchanged... PASS
Confirming the web content is accessible... PASS

Summary

Enabling and Monitoring Security Enhanced Linux (SELinux)
• getenforce displays the current SELinux mode, which determines whether SELinux rules are applied.
• The -Z option to ls and ps displays SELinux context labels on files and processes.
• getsebool -a displays all SELinux Booleans and their current value.

Changing SELinux Modes
• setenforce changes the current SELinux mode of a system.
• The default SELinux mode of a system is defined in the /etc/selinux/config file.

Changing SELinux Contexts
• The semanage fcontext command is used to manage SELinux policy rules that determine the default context for files and directories.
• restorecon applies the context defined by the SELinux policy to files and directories.
• Although the chcon command can change the SELinux context of files, it shouldn't be used because the change may not persist.

Changing SELinux Booleans
• setsebool activates/deactivates SELinux policy rules.
• semanage boolean -l displays the persistent value of SELinux Booleans.
• Man pages that end with _selinux often provide useful information about SELinux Booleans.

Troubleshooting SELinux
• setroubleshootd generates log messages in /var/log/messages.
• The sealert command displays useful information that helps with SELinux troubleshooting.

CHAPTER 8

CONNECTING TO NETWORK-DEFINED USERS AND GROUPS

Overview

Goal: To configure systems to use central identity management services.

Objectives: Use centralized identity management services.

Sections: • Using Identity Management Services (and Practice)

Lab: • Connecting to Network-defined Users and Groups


Using Identity Management Services

Objectives

After completing this section, students should be able to use centralized identity management services.

User information and authentication services

Need for centralized identity management

Modern computer infrastructures tend to consist of many machines, with multiple services running on them. Keeping local user accounts for all these machines and their services in sync is a daunting task, even more so when passwords need to remain synced.

A solution to this is to not store account information on local systems, but instead retrieve this information from a centralized store. Having user information, and the associated authentication information, centralized also allows for something called Single Sign-On (SSO). With SSO, a user authenticates once using a password (or other means), and then obtains a form of ticket or cookie that can be used to automatically authenticate to other services.

User information and authentication

A centralized identity management system will need to provide at least two services:

1. Account information: This includes information such as a username, home directory location, UID and GID, group memberships, etc. Popular solutions include LDAP (Lightweight Directory Access Protocol), used in multiple products such as Active Directory and IPA Server, and Network Information Services (NIS).

2. Authentication information: A means for a system to validate that a user is who he/she claims to be. This can be done by providing a cryptographic password hash to the client system, or by sending the (encrypted) password to the server, and receiving a response. An LDAP server can provide authentication information in addition to account information. Kerberos only provides SSO authentication services, and is typically used alongside LDAP user information. Kerberos is used in both IPA Server and Active Directory.

On a Red Hat Enterprise Linux 7 system, local user information is provided by /etc/passwd, while authentication information (in the form of a hashed password) is provided by /etc/shadow.

Attaching a system to centralized LDAP and Kerberos servers

Authconfig

Configuring a Red Hat Enterprise Linux 7 system to use centralized identity management services requires the editing of various files, and the configuration of some daemons. For attaching to central LDAP and Kerberos servers, the following files, at a minimum, would need to be updated:

• /etc/ldap.conf: For information about the central LDAP server and its settings.

• /etc/krb5.conf: For information about the central Kerberos infrastructure.

• /etc/sssd/sssd.conf: To configure the system security services daemon (sssd), the daemon responsible for retrieving and caching user information and authentication info.

• /etc/nsswitch.conf: To indicate to the system which user information and authentication services should be used.

• /etc/pam.d/*: Configuring how authentication should be handled for various services.

• /etc/openldap/cacerts: To store the root certificate authorities (CA) that can validate the SSL certificates used to identify LDAP servers.

The sssd daemon will need to be enabled and started before the system can use it.

With this number of files and services to configure, a mistake is easily made. Red Hat Enterprise Linux 7 ships with a suite of tools to automate these configurations: authconfig. authconfig consists of three related tools that can all perform the same actions:

• authconfig: A command-line tool. This tool can be used to automate configurations across a number of systems. The commands used with authconfig tend to be very long, with multiple options being passed in. This tool is installed using the authconfig package.

• authconfig-tui: The interactive version of authconfig. Uses a menu-driven text interface. Can be used over ssh. This tool is installed using the authconfig package.

• authconfig-gtk: This version launches a graphical interface. It can also be launched as system-config-authentication. This tool is installed using the authconfig-gtk package.

Necessary LDAP parameters

To connect to a central LDAP server for user information, authconfig needs a number of settings:

• The hostname of the LDAP server(s).

• The base DN (Distinguished Name) of the part of the LDAP tree where the system should look for users. This typically looks something like dc=example,dc=com, or ou=People,o=Ponycorp. This information will be provided by your LDAP server administrator.

• If SSL/TLS is used to encrypt communications with the LDAP server, a root CA certificate that can validate the certificates offered by the LDAP server.

Important: A system will also need some extra packages installed to provide LDAP client functionality. Installing sssd will provide all the necessary dependencies.

Necessary Kerberos parameters

To configure a system to use a centralized Kerberos system for user authentication, authconfig will need the following settings:

• The name of the Kerberos realm to use. A Kerberos realm is a domain of machines that all use a common set of Kerberos servers and users for authentication.

• One or more key distribution centers (KDC). This is the hostname of your Kerberos server(s).

• The hostname of one or more admin servers. This is the machine that clients will talk to when they want to change their password, or perform other user modifications. This is typically the same as the primary KDC, but it can be a different machine.

In addition, an administrator can specify if DNS should be used to look up the realm to use for a specific hostname, and to automatically find the KDCs and admin servers. An extra package can be installed to help debug Kerberos issues, and to work with Kerberos tickets from the command line: krb5-workstation.

Using authconfig-gtk

To use authconfig-gtk to configure a system for LDAP + Kerberos, use the following steps:

1. Install all the necessary packages:

[student@demo ~]$ sudo yum -y install authconfig-gtk sssd krb5-workstation

2. Launch authconfig-gtk, either from the command line or from Applications > Sundry > Authentication. Enter the root password when prompted.

3. On the Identity & Authentication tab, select LDAP from the User Account Database drop-down. Fill out the LDAP Search Base DN and LDAP Server fields.

[Figure 8.1: Main authconfig-gtk window. The Authentication Configuration dialog (Identity & Authentication tab) shows User Account Database: LDAP, LDAP Search Base DN: dc=example,dc=com, LDAP Server: classroom.example.com, Use TLS to encrypt connections (checked) with a Download CA Certificate... button, Authentication Method: Kerberos password, Realm: EXAMPLE.COM, KDCs: classroom.example.com, Admin Servers: classroom.example.com, the Use DNS to resolve hosts to realms and Use DNS to locate KDCs for realms checkboxes, and Revert, Cancel and Apply buttons.]

4. If the LDAP server supports TLS, check the Use TLS to encrypt connections box, and use the Download CA Certificate button to download the CA certificate.

5. From the Authentication Method dropdown, select Kerberos password, and fill out the Realm, KDCs, and Admin Servers fields. The last two fields are not available if the Use DNS to locate KDCs for realms option is checked.

6. If central home directories are not available, users can create directories on first login by checking the Create home directories on the first login box on the Advanced Options tab.

7. Click the Apply button to save and activate the changes. This will write all relevant configuration files and (re)start the sssd service.
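The authconfig-gtk steps above have a command-line equivalent, which is what you would use to repeat the configuration on many systems. As an added example (not from the course), this shell function assembles that authconfig invocation from the values entered in the steps and refuses inconsistent combinations, such as a KDC without an admin server; the option names are the ones documented in authconfig(8), and the function only prints the command rather than running it.

```shell
#!/bin/sh
# Added example: build the authconfig command line equivalent to the authconfig-gtk steps.
# Sample values (classroom.example.com, EXAMPLE.COM, ...) come from the text and are not
# a real deployment.

# authconfig_ldap_krb5 BASEDN LDAPSERVER CAURL REALM KDC ADMINSERVER
#   CAURL may be empty to leave TLS off. KDC and ADMINSERVER may both be empty to rely on
#   DNS SRV records instead (the equivalent of leaving the "Use DNS to locate KDCs" box
#   checked). Prints the command on stdout; returns 1 on an inconsistent set of values.
authconfig_ldap_krb5() {
    basedn=$1 ldapserver=$2 caurl=$3 realm=$4 kdc=$5 adminserver=$6

    # Refuse an incomplete set of values rather than leaving a half-configured system.
    if [ -z "$basedn" ] || [ -z "$ldapserver" ] || [ -z "$realm" ]; then
        echo 'error: base DN, LDAP server and Kerberos realm are all required' >&2
        return 1
    fi
    # KDC and admin server go together: naming one without the other is almost always a typo.
    if { [ -n "$kdc" ] && [ -z "$adminserver" ]; } || { [ -z "$kdc" ] && [ -n "$adminserver" ]; }; then
        echo 'error: give both KDC and admin server, or neither (DNS lookup)' >&2
        return 1
    fi

    # User information from LDAP, served to the system through sssd.
    cmd="authconfig --enablesssd --enablesssdauth"
    cmd="$cmd --enableldap --enableldapauth --ldapserver=$ldapserver --ldapbasedn='$basedn'"
    if [ -n "$caurl" ]; then
        # TLS to the LDAP server, validated against the CA certificate fetched from CAURL.
        cmd="$cmd --enableldaptls --ldaploadcacert=$caurl"
    fi

    # Authentication through Kerberos.
    cmd="$cmd --enablekrb5 --krb5realm=$realm"
    if [ -n "$kdc" ]; then
        # Manual KDC and admin server: DNS discovery is switched off, as the text describes.
        cmd="$cmd --krb5kdc=$kdc --krb5adminserver=$adminserver"
        cmd="$cmd --disablekrb5kdcdns --disablekrb5realmdns"
    else
        cmd="$cmd --enablekrb5kdcdns --enablekrb5realmdns"
    fi

    # Create local home directories on first login (Advanced Options tab), then apply.
    cmd="$cmd --enablemkhomedir --update"
    printf '%s\n' "$cmd"
}

# Example with the values from the steps above; prefix the printed command with sudo to apply it.
authconfig_ldap_krb5 'dc=example,dc=com' ldap://classroom.example.com \
    http://classroom.example.com/pub/example-ca.crt EXAMPLE.COM \
    classroom.example.com classroom.example.com
```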

Testing a configuration

To test the LDAP + Kerberos configuration, an administrator can simply attempt to log into the system (over ssh) using the credentials of one of the network users. In addition, the getent command can be used to retrieve information about a network user, in the form getent passwd <USERNAME>.

Important: In the default configuration, sssd will not enumerate network users when no username is specified to the getent command. This is done to keep the graphical login screen uncluttered and to save valuable network resources and time.

Attaching a System to an IPA Server

Red Hat provides an integrated solution for configuring LDAP and Kerberos: IPA (Identity, Policy, and Auditing) Server. IPA Server provides LDAP and Kerberos, combined with a suite of both command-line and web-based administration tools. Apart from user and authentication information, IPA Server can centralize sudo rules, SSH public keys, SSH host keys, TLS certificates, automounter maps, and much more.

Using ipa-client

A Red Hat Enterprise Linux 7 system can be configured to use an IPA server using the authconfig suite of tools, but a specialized tool also exists: ipa-client-install. This command can be installed from the ipa-client package, which pulls in all dependencies (such as sssd).

One of the benefits of using ipa-client-install is that it can retrieve almost all necessary information from DNS (when configured either by the IPA server or manually by an administrator), as well as create host entries and more on the IPA server. This allows an IPA server administrator to set access policies for that host, create service principals (e.g., for NFSv4 exports), and more.

When ipa-client-install is run without any arguments, it will first attempt to retrieve information about the IPA server configured for its DNS domain from DNS. If that fails, it will prompt the administrator for the necessary information, such as the domain name of the IPA server and the realm to use. Other information that needs to be provided are the username and password of an account that is allowed to create new machine entries on the IPA server. Unless another account has been created for this, the default IPA server administrator account (admin) can be used for this.

The following is an example of a (mostly) DNS driven configuration:

[student@desktop ~]$ sudo ipa-client-install

Discovery was successful!
Hostname: desktop.domains.example.com
Realm: DOMAINS.EXAMPLE.COM
DNS Domain: server.domains.example.com
IPA Server: server.domains.example.com
BaseDN: dc=server,dc=domains,dc=example,dc=com

Continue to configure the system with these values? [no]: yes

User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@DOMAINS.EXAMPLE.COM: redhat123
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DOMAINS.EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=DOMAINS.EXAMPLE.COM
    Valid From:  Thu Feb 27 13:31:54 2014 UTC
    Valid Until: Mon Feb 27 13:31:54 2034 UTC

Enrolled in IPA realm DOMAINS.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DOMAINS.EXAMPLE.COM
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

It is possible to specify all needed information as command-line arguments, allowing for unattended setups as part of an initial system configuration; for example, from a kickstart. See the manual page for ipa-client-install(1) for more information.

Joining a system to Active Directory

Red Hat Enterprise Linux 7 features multiple methods of joining a system to Active Directory. Administrators can choose to install the samba-winbind package and configure winbind through the authconfig family of tools, or administrators can install both sssd and realmd packages and use sssd and the realm command.

Note
The realm command can also be used to join Kerberos realms, or IPA server domains, but the final configuration will be slightly different; for example, users will have @domain appended to their usernames. ipa-client-install is the preferred method to join IPA domains.

Note
Since there is no Active Directory server running in the classroom, there is no current possibility to practice these steps.

The following is an example of using realmd to join an Active Directory domain, and allow Active Directory users to log into the local system. This example assumes that the Active Directory domain is called domain.example.com.

1. Install the necessary packages: realmd.

[student@demo ~]$ sudo yum -y install realmd

2. Discover the settings for the domain.example.com domain.

[student@demo ~]$ sudo realm discover domain.example.com

3. Join the Active Directory domain; this will install all necessary packages, and configure sssd, pam, /etc/nsswitch.conf, etc.

[student@demo ~]$ sudo realm join domain.example.com

This will attempt to join the local system to Active Directory using the Administrator account; enter the password for this account when prompted. To use a different account, use the --user argument.

4. Active Directory accounts are now usable on the local system, but logins using Active Directory are still disabled. To enable logins, use the following command:

[student@demo ~]$ sudo realm permit --realm domain.example.com --all

To only allow certain users to log in, replace --all with a list of those users. For example:

[student@demo ~]$ sudo realm permit --realm domain.example.com DOMAIN\\Itchy DOMAIN\\Scratchy

Note
By default, domain users must use their fully qualified name to log in; e.g., ipauser@ipa.example.com for IPA users, or DOMAIN\Picard for Active Directory. To disable this, change the use_fully_qualified_names setting in the correct domain block in /etc/sssd/sssd.conf to False, or remove it entirely, then restart the sssd service.
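The edit the note describes, as an added shell/awk example that is not part of the course: rewrite use_fully_qualified_names in exactly one [domain/...] block of sssd.conf and leave every other domain untouched, which a plain search-and-replace over the whole file would not do. The sssd.conf content is a constructed sample, and the key name is assumed to contain no regular-expression metacharacters.

```shell
#!/bin/sh
# Added example: section-aware edit of one domain block in sssd.conf.
# Both functions read the configuration on stdin and write to stdout.

# Constructed sample sssd.conf with two domains (not taken from a real system).
SAMPLE_SSSD_CONF='[sssd]
services = nss, pam
domains = domain.example.com, ipa.example.com

[domain/domain.example.com]
id_provider = ad
use_fully_qualified_names = True
cache_credentials = True

[domain/ipa.example.com]
id_provider = ipa
use_fully_qualified_names = True'

# sssd_get DOMAIN KEY: print the value of KEY inside [domain/DOMAIN], or nothing if unset.
sssd_get() {
    awk -v domain="$1" -v key="$2" '
        /^\[/ { in_block = ($0 == "[domain/" domain "]") }
        in_block && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }'
}

# sssd_set DOMAIN KEY VALUE: rewrite KEY inside [domain/DOMAIN]; if the block has no such
# key yet, add it at the end of that block. Other blocks pass through unchanged.
sssd_set() {
    awk -v domain="$1" -v key="$2" -v value="$3" '
        # Called when a block ends: append the key if the target block never had it.
        function flush() { if (in_block && !done) { print key " = " value; done = 1 } }
        /^\[/ { flush(); in_block = ($0 == "[domain/" domain "]") }
        in_block && $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " value; done = 1; next }
        { print }
        END { flush() }'
}

# Typical use on a live system (as root), followed by the sssd restart the note requires:
#   sssd_set domain.example.com use_fully_qualified_names False < /etc/sssd/sssd.conf > sssd.conf.new
#   cp sssd.conf.new /etc/sssd/sssd.conf && restorecon /etc/sssd/sssd.conf && systemctl restart sssd
```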

References
authconfig(8), authconfig-tui(8), authconfig-gtk(8), sssd(8), sssd-ipa(8), sssd.conf(5), sssd-ad, and realm(8) man pages

Practice: Connecting to a Central LDAP and Kerberos Server

Guided exercise

In this lab, you will connect your desktopX system to become a client of the LDAP server running on classroom.example.com. You will configure your desktopX system to use the Kerberos infrastructure provided by classroom.example.com for additional authentication.

Resources:
Files: http://classroom.example.com/pub/example-ca.crt
Machines: desktopX

Outcomes:
desktopX configured for LDAP user information and Kerberos authentication from classroom.example.com.

Before you begin...
• Reset your desktopX system.

To simplify user management, your company has decided to switch to centralized user management. Another team has already set up all the required LDAP and Kerberos services. Centralized home directories are not yet available, so the system should be configured to create local home directories when a user first logs in.

Given the following information, configure your desktopX system to use user information from the LDAP server, and authentication services from the Kerberos KDC. DNS service records for the realm have not yet been configured, so you will have to configure Kerberos settings manually.

Name                    Value
LDAP server             ldap://classroom.example.com
LDAP base DN            dc=example,dc=com
Use TLS                 Yes
Root CA                 http://classroom.example.com/pub/example-ca.crt
Kerberos realm          EXAMPLE.COM
Kerberos KDC            classroom.example.com
Kerberos admin server   classroom.example.com

□ 1. Start by installing the necessary packages: sssd, krb5-workstation, and authconfig-gtk.

□ 1.1.
[student@desktopX ~]$ sudo yum -y install sssd authconfig-gtk krb5-workstation

□ 2. Launch the Authentication Configuration application, then apply the settings from the table for both LDAP and Kerberos options.

□ 2.1. Either launch system-config-authentication from the command line, or launch Applications > Sundry > Authentication. Enter the root password (redhat) when asked.

□ 2.2. Make sure the Identity & Authentication tab is open.

□ 2.3. In the User Account Database, select LDAP.

□ 2.4. Enter dc=example,dc=com in the LDAP Search Base DN field, and classroom.example.com in the LDAP Server field.

□ 2.5. Make sure the Use TLS to encrypt connections box is checked, then click the Download CA Certificate... button.

□ 2.6. Enter http://classroom.example.com/pub/example-ca.crt in the Certificate URL field, then click OK.

□ 2.7. Select Kerberos password from the Authentication Method dropdown, and uncheck both Use DNS... boxes.

□ 2.8. Enter EXAMPLE.COM in the REALM field, and classroom.example.com in both the KDCs and Admin Servers fields.

□ 2.9. Switch to the Advanced Options tab and place a checkmark in the Create home directories on the first login box.

□ 2.10. Click the Apply button to apply your changes.

□ 3. Use both getent and ssh to verify your work. You can use the username ldapuserX (where X is your station number) with the password kerberos. Please note that your users will not yet have a home directory mounted.

□ 3.1.
[student@desktopX ~]$ getent passwd ldapuserX
ldapuserX:*:170X:170X:LDAP Test User X:/home/guests/ldapuserX:/bin/bash

□ 3.2.
[student@desktopX ~]$ ssh ldapuserX@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
ldapuserX@localhost's password: kerberos
Creating home directory for ldapuserX.
[ldapuserX@desktopX ~]$ pwd
/home/guests/ldapuserX
[ldapuserX@desktopX ~]$ ls -a
.bash_history  .bash_profile  .cache   .mozilla
.bash_logout   .bashrc        .config
[ldapuserX@desktopX ~]$ logout
Lab: Connecting to Network-defined Users and Groups

Performance checklist

In this lab, you will configure your desktopX system to become a client of the IPA server running on serverX.

Machines:

Outcomes:
Your desktopX system should use the network users and groups defined by the IPA server running on serverX for both user information and authentication.

Before you begin...
If you haven't already done so at the start of the previous exercise:

• Reset your serverX system.

• Log into and set up your serverX system. Please note: This step will take approximately 15 minutes.

[student@serverX ~]$ lab ipaclient setup

Always perform this step:

• Reset your desktopX system. You can reset your desktopX system while the setup on serverX is still running.

• Wait for the setup on serverX to complete before continuing.

In your company's quest for a central user information and authentication system, you have settled on using an IPA server for central user management. Another department has already configured an IPA server on your serverX machine. This IPA server is configured with all the relevant DNS SRV records for the following settings:

Name                 Value
Realm                SERVERX.EXAMPLE.COM, where X is your station number.
Domain               serverX.example.com, where X is your station number. Note that your desktopX machine is not a part of this DNS domain.
Administrative user  admin
Password             redhat123

A user has already been configured for you to test with. The username is ipauser, and the password is password. Due to the password policy, this password will need to be changed on first login. Change this password to redhat123.


-
-
-

Performance checklist

Central home directories have not yet been configured, so for now, configure the system to automatically create a new local home directory when a user first logs in.

When you have completed your work, run lab ipaclient grade on your desktopX machine to verify your work.

1. Install the ipa-client package on your desktopX machine.

2. Configure your system, using ipa-client-install, to use the IPA server set up for the serverX.example.com DNS domain. Home directories should automatically be created, and NTP should not be configured during this process.

3. Verify that you can now successfully log into desktopX as the user ipauser by using ssh. The initial password is password, but this should be changed to redhat123. Due to the password change requirement, you will have to log in twice.

4. Run lab ipaclient grade on your desktopX machine to verify your work.

Chapter 8. Connecting to Network-defined Users and Groups

Solution

In this lab, you will configure your desktopX system to become a client of the IPA server running on serverX.

Outcomes:
Your desktopX system should use the network users and groups defined by the IPA server running on serverX for both user information and authentication.

Before you begin...

If you haven't already done so at the start of the previous exercise:

• Reset your serverX system.

• Log into and set up your serverX system. Please note: this step will take approximately 15 minutes.

    [student@serverX ~]$ lab ipaclient setup

Always perform this step:

• Reset your desktopX system. You can reset your desktopX system while the setup on serverX is still running.

• Wait for the setup on serverX to complete before continuing.

In your company's quest for a central user information and authentication system, you have settled on using an IPA server for central user management. Another department has already configured an IPA server on your serverX machine. This IPA server is configured with all the relevant DNS SRV records for the following settings:

Name                  Value
Realm                 SERVERX.EXAMPLE.COM, where X is your station number.
Domain                serverX.example.com, where X is your station number. Note that your desktopX machine is not a part of this DNS domain.
Administrative user   admin
Password              redhat123

A user has already been configured for you to test with. The username is ipauser, and the password is password. Due to the password policy, this password will need to be changed on first login. Change this password to redhat123.

Central home directories have not yet been configured, so for now, configure the system to automatically create a new local home directory when a user first logs in.

When you have completed your work, run lab ipaclient grade on your desktopX machine to verify your work.

1. Install the ipa-client package on your desktopX machine.

   1.1.
       [student@desktopX ~]$ sudo yum -y install ipa-client

2. Configure your system, using ipa-client-install, to use the IPA server set up for the serverX.example.com DNS domain. Home directories should automatically be created, and NTP should not be configured during this process.

   2.1.
       [student@desktopX ~]$ sudo ipa-client-install --domain=serverX.example.com --no-ntp --mkhomedir
       Discovery was successful!
       Hostname: desktopX.example.com
       Realm: SERVERX.EXAMPLE.COM
       DNS Domain: serverX.example.com
       IPA Server: serverX.example.com
       BaseDN: dc=serverX,dc=example,dc=com

       Continue to configure the system with these values? [no]: yes
       User authorized to enroll computers: admin
       Password for admin@SERVERX.EXAMPLE.COM: redhat123

       Client configuration complete.

   Because --no-ntp leaves time synchronization untouched, keep the desktopX clock in step with serverX by other means: Kerberos rejects tickets once the clock skew exceeds the realm's tolerance, five minutes by default.

3. Verify that you can now successfully log into desktopX as the user ipauser by using ssh. The initial password is password, but this should be changed to redhat123. Due to the password change requirement, you will have to log in twice.

   3.1.
       [student@desktopX ~]$ ssh ipauser@desktopX.example.com
       ipauser@desktopX.example.com's password: password
       Password expired. Change your password now.
       Creating home directory for ipauser.

       WARNING: Your password has expired.
       You must change your password now and login again!
       Changing password for user ipauser.
       Current password: password
       New password: redhat123
       Retype new password: redhat123
       passwd: all authentication tokens updated successfully.
       Connection to desktopX.example.com closed.
       [student@desktopX ~]$ ssh ipauser@desktopX.example.com
       ipauser@desktopX.example.com's password: redhat123
       Last login: Wed Feb 26 05:19:15 2014 from desktopX.example.com
       -sh-4.2$ logout

4. Run lab ipaclient grade on your desktopX machine to verify your work.

   4.1.
       [student@desktopX ~]$ lab ipaclient grade
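
The grade script tells you the lab is done; it does not tell you what the enrollment changed on the client. The block below is an added example, not part of the workbook and not code from ipa-client-install or sssd: it parses a constructed sssd.conf written in the shape ipa-client-install normally produces (the key names are an assumption, so compare with the real /etc/sssd/sssd.conf, which only root can read), flags the settings that decide who may log in and whether the LDAP channel is authenticated, and adds a live check for an enrolled desktopX. Run the live part with verify_ipa_client ipauser as root.

```shell
#!/bin/bash
# Added example (not from the workbook): post-enrollment checks for an IPA client.
# SAMPLE_SSSD_CONF is constructed to look like what ipa-client-install writes;
# the exact set of keys on a real client is an assumption to verify.

SAMPLE_SSSD_CONF='[domain/serverX.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = serverX.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = desktopX.example.com
chpass_provider = ipa
ipa_server = _srv_, serverX.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
domains = serverX.example.com
'

# Print the value of key $2 from the [domain/...] section of config text $1
# (empty output if the key is absent or only set in another section).
sssd_value() {
    printf '%s\n' "$1" | awk -F'=' -v key="$2" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//); next }
        in_domain && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }'
}

# Return 0 only if identity, authentication and access control all come from IPA
# and the IPA CA certificate is pinned for LDAP. access_provider = permit would
# admit every IPA user regardless of HBAC rules; a missing ldap_tls_cacert leaves
# the LDAP connection open to a spoofed server. Each finding is printed on its own line.
check_sssd_conf() {
    local conf=$1 rc=0 key val
    for key in id_provider auth_provider access_provider; do
        val=$(sssd_value "$conf" "$key")
        [ "$val" = ipa ] || { echo "$key = '$val' (expected ipa)"; rc=1; }
    done
    val=$(sssd_value "$conf" ldap_tls_cacert)
    [ -n "$val" ] || { echo "ldap_tls_cacert unset: IPA CA certificate not pinned"; rc=1; }
    [ "$rc" -eq 0 ] && echo "sssd.conf: IPA providers and CA pin present"
    return "$rc"
}

# Live checks on an enrolled client; needs root (sssd.conf is mode 0600) and a
# reachable IPA server. Not exercised offline. $1 = an IPA user to resolve.
verify_ipa_client() {
    check_sssd_conf "$(cat /etc/sssd/sssd.conf)" || return 1
    systemctl is-active --quiet sssd || { echo "sssd is not running" >&2; return 1; }
    getent passwd "$1" >/dev/null || { echo "$1 does not resolve through sssd" >&2; return 1; }
    # --mkhomedir works through pam_oddjob_mkhomedir; that authconfig placed it in
    # system-auth is an assumption about this client, hence only a warning.
    grep -q pam_oddjob_mkhomedir /etc/pam.d/system-auth ||
        echo "warning: pam_oddjob_mkhomedir not in system-auth; home directories will not be created" >&2
    echo "$1 resolves; sssd active; config checks passed"
}
```

check_sssd_conf works on text rather than on a path so the same logic can be pointed at a backup, a kickstart %post artifact, or the live file. Treat any access_provider other than ipa as a finding: with permit, the HBAC rules defined on serverX are never consulted for this host.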
Summary

Using Identity Management Services
• authconfig{,-gtk,-tui} can be used to configure a system to use centralized identity management services.

• sssd is configured to retrieve, validate, and cache authentication and user information in the background.

CHAPTER 9

ADDING DISKS, PARTITIONS, AND FILE SYSTEMS TO A LINUX SYSTEM

Overview

Goal         To create and manage disks, partitions, and file systems from the command line.

Objectives   • Manage simple partitions and file systems.
             • Manage swap space.

Sections     • Adding Partitions, File Systems, and Persistent Mounts (and Practice)
             • Adding and Enabling Swap Space (and Practice)

Lab          • Adding Disks, Partitions, and File Systems to a Linux System

Chapter 9. Adding Disks, Partitions, and File Systems to a Linux System

Adding Partitions, File Systems, and Persistent Mounts

Objectives
After completing this section, students should be able to:

• Create and remove disk partitions on disks with an MBR partitioning scheme using fdisk.

• Create and remove disk partitions on disks with a GPT partitioning scheme using gdisk.

• Format devices with file systems using mkfs.

• Mount file systems into the directory tree.

Disk partitioning

Disk partitioning allows a hard drive to be divided into multiple logical storage units referred to as partitions. By separating a disk into partitions, system administrators can use different partitions to perform different functions. Some examples of situations where disk partitioning is necessary or beneficial are:

• Limit available space to applications or users.

• Allow multibooting of different operating systems from the same disk.

• Separate operating system and program files from user files.

• Create a separate area for OS virtual memory swapping.

• Limit disk space usage to improve performance of diagnostic tools and backup imaging.

MBR partitioning scheme
Since 1982, the Master Boot Record (MBR) partitioning scheme has dictated how disks should be partitioned on systems running BIOS firmware. This scheme supports a maximum of four primary partitions. On Linux systems, with the use of extended and logical partitions, administrators can create a maximum of 15 partitions. Since partition start addresses and sizes are stored as 32-bit sector counts, disks partitioned with the MBR scheme have a maximum disk and partition size of 2 TiB with 512-byte sectors.

With the advent of hard drives with ever-increasing capacity, the 2 TiB disk and partition size limit of the aged MBR partitioning scheme is no longer a theoretical limit, but rather a real-world problem that is being encountered more and more frequently in production environments. As a result, the legacy MBR scheme is in the process of being superseded by the new GUID Partition Table (GPT) for disk partitioning.

GPT partitioning scheme
For systems running Unified Extensible Firmware Interface (UEFI) firmware, GPT is the standard for laying out partition tables on physical hard disks. GPT is part of the UEFI standard and addresses many of the limitations imposed by the old MBR-based scheme. Per UEFI specifications, GPT defaults to supporting up to 128 partitions. Unlike MBR, which uses 32 bits for storing logical block addresses and size information, GPT allocates 64 bits for logical block addresses. This allows GPT to accommodate partitions and disks of up to 8 zebibytes (ZiB), or roughly 8 billion tebibytes.

Note
GPT's 8-ZiB limit is based on a 512-byte block size. With hard drive vendors transitioning to 4,096-byte blocks, this limitation will increase to 64 ZiB.

In addition to addressing the limitations of the MBR partitioning scheme, GPT also offers some additional features and benefits. Per its namesake, GPT uses 128-bit GUIDs to uniquely identify each disk and partition. In contrast to MBR, which has a single point of failure, GPT offers redundancy of its partition table information. The primary GPT resides at the head of the disk, while a backup copy, the secondary GPT, is housed at the end of the disk. In addition, GPT employs CRC32 checksums to detect errors and corruption in the GPT header and partition table.

Managing MBR partitions with fdisk

Partition editors are programs which allow administrators to make changes to a disk's partitions, such as creating partitions, deleting partitions, and changing partition types. For disks with the MBR partitioning scheme, the fdisk partition editor can be used to perform these operations.

Creating MBR disk partitions

Creating an MBR-style disk partition involves eight steps:

1. Specify the disk device to create the partition on.

   As the root user, execute the fdisk command and specify the disk device name as an argument. This will start the fdisk command in interactive mode, and will present a command prompt.

       [root@serverX ~]# fdisk /dev/vdb
       Welcome to fdisk (util-linux 2.23.2).

       Changes will remain in memory only, until you decide to write them.
       Be careful before using the write command.

       Command (m for help):

2. Request a new primary or extended partition.

   Enter n to request a new partition and specify whether the partition should be created as a primary or extended partition. The default selection is the primary partition type.

       Partition type:
          p   primary (0 primary, 0 extended, 4 free)
          e   extended
       Select (default p): p

Note
For situations where more than four partitions are needed on a disk, this limit can be bypassed by creating three primary partitions and one extended partition. This extended partition serves as a container within which multiple logical partitions can be created.

3. Specify partition number.

   This partition number serves as the identification number of the new partition on the disk for use in future partition operations. The default value is the lowest unused partition number.

       Partition number (1-4, default 1): 1

4. Specify the first sector on the disk that the new partition will start on.

   The default value is the first available sector on the disk.

       First sector (2048-20971519, default 2048): 2048

5. Specify the last sector on the disk that the new partition will end on.

   The default value is the last of the available, unallocated sectors contiguous to the new partition's first sector.

       Last sector, +sectors or +size{K,M,G} (6144-20971519, default 20971519): 1050623

   In addition to the ending sector number, fdisk can also accept a number representing the desired size of the partition expressed in sectors.

       Last sector, +sectors or +size{K,M,G} (6144-20971519, default 20971519): +52488

   The final, and most user-friendly, input option offered by fdisk is to specify the size of the new partition in units of KiB, MiB, or GiB.

       Last sector, +sectors or +size{K,M,G} (6144-20971519, default 20971519): +512M

   Once the partition's ending boundary is entered, fdisk will then display a confirmation of the partition creation.

       Partition 1 of type Linux and of size 512 MiB is set

6. Define partition type.

   If the newly created partition should have a type other than Linux, enter the t command to change a partition's type. Enter the hex code for the new partition type. If needed, a table of the hex codes for all partition types can be displayed with the L command. Setting the partition type correctly is crucial, since some tools rely on it to function properly. For example, when the Linux kernel encounters a partition of type 0xfd, Linux RAID, it will attempt to autostart the RAID volume (this applies to arrays with the legacy 0.90 metadata format, which the kernel can autodetect).

       Command (m for help): t
       Selected partition 1
       Hex code (type L to list all codes): 82
       Changed type of partition 'Linux' to 'Linux swap / Solaris'

7. Save partition table changes.

   Issue the w command to finalize the partition creation request by writing the changes to the disk's partition table and exiting the fdisk program.

       Command (m for help): w
       The partition table has been altered!

       Calling ioctl() to re-read partition table.

       WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
       The kernel still uses the old table. The new table will be used at
       the next reboot or after you run partprobe(8) or kpartx(8)
       Syncing disks.

8. Initiate a kernel re-read of the new partition table.

   Run the partprobe command with the disk device name as an argument to force a re-read of its partition table.

       [root@serverX ~]# partprobe /dev/vdb

Important
The fdisk program queues all partition table edits and writes them to disk only when the administrator issues the w command to write all partition table changes to disk. If the w command is not executed prior to exiting the interactive fdisk session, all requested changes to the partition table will be discarded and the disk's partition table will remain unchanged. This feature is especially useful when erroneous commands are issued to fdisk. To discard the erroneous commands and avoid their unintended consequences, simply exit fdisk without saving the partition table changes.

Removing MBR disk partitions

There are five steps needed to remove a partition from a disk with the MBR partitioning layout using fdisk.

1. Specify the disk which contains the partition to be removed.

   Execute the fdisk command and specify the disk device name as an argument.

       [root@serverX ~]# fdisk /dev/vdb
       Welcome to fdisk (util-linux 2.23.2).

       Changes will remain in memory only, until you decide to write them.
       Be careful before using the write command.

       Command (m for help):

2. Identify the partition number of the partition to delete.

   Enter p to print the partition table and fdisk will display information about the disk and its partitions.

       Command (m for help): p

       Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
       Units = sectors of 1 * 512 = 512 bytes
       Sector size (logical/physical): 512 bytes / 512 bytes
       I/O size (minimum/optimal): 512 bytes / 512 bytes
       Disk label type: dos
       Disk identifier: 0xd2368138

          Device Boot      Start         End      Blocks   Id  System
       /dev/vdb1            2048     1050623      524288   82  Linux swap / Solaris

3. Request the partition deletion.

   Enter the d command to initiate partition removal and specify the partition number of the partition to be removed.

       Command (m for help): d
       Selected partition 1
       Partition 1 is deleted

4. Save partition table changes.

   Issue the w command to finalize the partition removal request by writing the changes to the disk's partition table.

       Command (m for help): w
       The partition table has been altered!

       Calling ioctl() to re-read partition table.

       WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
       The kernel still uses the old table. The new table will be used at
       the next reboot or after you run partprobe(8) or kpartx(8)
       Syncing disks.

5. Initiate a kernel re-read of the new partition table.

   Inform the kernel to re-read the partition table with partprobe.

       [root@serverX ~]# partprobe /dev/vdb

Managing GPT partitions with gdisk

For disks with the GPT partitioning scheme, the gdisk partition editor can be used to manage partitions.

Warning
While GPT support has been added to fdisk, it is still considered experimental, so the gdisk command should be used to make partition changes on disks partitioned with the GPT partitioning scheme.

Creating GPT disk partitions

There are eight steps required to create a GPT-style partition.

1. Specify the disk device to create the partition on.

   Execute the gdisk command and specify the disk device name as an argument. This will start the gdisk command in interactive mode, and will present a command prompt.

       [root@serverX ~]# gdisk /dev/vdb
       GPT fdisk (gdisk) version 0.8.6

       Partition table scan:
         MBR: not present
         BSD: not present
         APM: not present
         GPT: not present

       Creating new GPT entries.

       Command (? for help):

2. Request a new partition.

   Enter n to create a new partition.

       Command (? for help): n

3. Specify the partition number.

   This partition number serves as the identification number of the partition on the disk for use in future partition operations. The default value is the lowest unused partition number.

       Partition number (1-128, default 1): 1

4. Specify the disk location that the new partition will start from.

   gdisk allows for two different input types. The first input type is an absolute disk sector number representing the first sector of the new partition.

       First sector (34-20971486, default = 2048) or {+-}size{KMGTP}: 2048

   The second input type indicates the partition's starting sector by its position relative to the first or last sector of the first contiguous block of free sectors on the disk. Using this relative sector position format, input is specified in units of KiB, MiB, GiB, TiB, or PiB.

   For example, a value of +512M signifies a sector position that is 512 MiB after the beginning of the next group of contiguous available sectors. On the other hand, a value of -512M denotes a sector positioned 512 MiB before the end of this group of contiguous available sectors.

5. Specify the last sector on the disk that the new partition will end on.

   The default value is the last of the available, unallocated sectors contiguous to the new partition's first sector.

       Last sector (2048-20971486, default = 20971486) or {+-}size{KMGTP}: 1050623

   In addition to the absolute ending sector number, gdisk also offers the more user-friendly input option of specifying the end boundary of the new partition in units of KiB, MiB, GiB, TiB, or PiB from the beginning or end of the group of contiguous available sectors. A value of +512M signifies an ending partition position that is 512 MiB after the first sector.

       Last sector (2048-20971486, default = 20971486) or {+-}size{KMGTP}: +512M

   A value of -512M indicates an ending partition position that is 512 MiB before the end of the contiguous available sectors.

       Last sector (2048-20971486, default = 20971486) or {+-}size{KMGTP}: -512M

6. Define partition type.

   New partitions created by gdisk default to type Linux file system. If a different partition type is desired, enter the corresponding hex code. If needed, a table of the hex codes for all partition types can be displayed with the L command.

       Current type is 'Linux filesystem'
       Hex code or GUID (L to show codes, Enter = 8300): 8e00
       Changed type of partition to 'Linux LVM'

7. Save partition table changes.

   Issue the w command to finalize the partition creation request by writing the changes to the disk's partition table. Enter y when gdisk prompts for a final confirmation.

       Command (? for help): w

       Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
       PARTITIONS!!

       Do you want to proceed? (Y/N): y
       OK; writing new GUID partition table (GPT) to /dev/vdb.
       The operation has completed successfully.

8. Initiate a kernel re-read of the new partition table.

   Run the partprobe command with the disk device name as an argument to force a re-read of its partition table.

       [root@serverX ~]# partprobe /dev/vdb

Important
The gdisk program queues all partition table edits and writes them to disk only when the administrator issues the w command to write all partition table changes to disk. If the w command is not executed prior to exiting the interactive gdisk session, all requested changes to the partition table will be discarded and the disk's partition table will remain unchanged. This feature is especially useful when erroneous commands are issued to gdisk. To discard the erroneous commands and avoid their unintended consequences, simply exit gdisk without saving the partition table changes.
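
Both procedures above, the MBR one with fdisk and the GPT one with gdisk, are interactive, which is fine at a console but not in a kickstart %post section or a provisioning script. The block below is an added example, not part of the workbook and not code from the util-linux or gdisk projects: it does the sector arithmetic behind the prompts (the 1050623 end sector that +512M at 2048 produces), checks whether a disk is fully addressable under MBR's 32-bit sector counts, and generates the keystroke scripts that drive fdisk and gdisk through steps 2 to 7 without a terminal. The device /dev/vdb and the numbers are the ones used in the text; the file name partition.sh is assumed. The fdisk script assumes the new partition is the disk's only one, because fdisk prompts for a partition number after t only when several exist. Nothing is written to a disk unless the script is run as root with --apply.

```shell
#!/bin/bash
# Added example, not from the workbook: sector arithmetic behind the fdisk/gdisk
# prompts, an MBR addressability check, and non-interactive keystroke scripts.
# Nothing touches a disk unless invoked as:  ./partition.sh --apply /dev/vdb  (as root)

SECTOR_BYTES=512                                   # logical sector size shown in the text
MBR_MAX_BYTES=$(( 4294967296 * SECTOR_BYTES ))     # 2^32 sectors of 512 B = 2 TiB

# Convert an fdisk/gdisk size spec to sectors: "+512M", "1G", "+2T", or a bare
# number of sectors. Only K, M, G, T, P (binary units) are accepted.
size_to_sectors() {
    local spec=${1#+} num unit mult
    num=${spec%[KMGTP]}                            # strip one trailing unit letter
    unit=${spec#"$num"}
    case $num in ''|*[!0-9]*) echo "bad size spec: $1" >&2; return 1 ;; esac
    case $unit in
        '') mult=$SECTOR_BYTES ;;                  # bare number = sectors
        K)  mult=1024 ;;
        M)  mult=1048576 ;;
        G)  mult=1073741824 ;;
        T)  mult=1099511627776 ;;
        P)  mult=1125899906842624 ;;
    esac
    echo $(( num * mult / SECTOR_BYTES ))
}

# Inclusive last sector for a partition starting at $1 with size spec $2,
# as fdisk reports it: 2048 + 1048576 - 1 = 1050623 for "+512M".
last_sector() {
    local n
    n=$(size_to_sectors "$2") || return 1
    echo $(( $1 + n - 1 ))
}

# MBR stores start and length as 32-bit sector counts; a disk of $1 bytes fits
# only if every sector is reachable. Fails for anything above 2 TiB, which needs GPT.
mbr_can_address() { [ "$1" -le "$MBR_MAX_BYTES" ]; }

# Keystrokes equivalent to steps 2-7 of "Creating MBR disk partitions":
# n, primary, number, first sector, size, then t + hex type, then w.
# fdisk prompts for a partition number after t only when several exist,
# so this assumes the new partition is the disk's only one.
fdisk_script() {   # $1 number  $2 first sector  $3 size spec  $4 hex type (e.g. 82)
    printf 'n\np\n%s\n%s\n%s\nt\n%s\nw\n' "$1" "$2" "$3" "$4"
}

# Same for gdisk (steps 2-7 of "Creating GPT disk partitions"): n, number,
# first sector, last sector or size, hex code, w, and the y confirmation.
gdisk_script() {   # $1 number  $2 first sector  $3 size spec  $4 hex type (e.g. 8e00)
    printf 'n\n%s\n%s\n%s\n%s\nw\ny\n' "$1" "$2" "$3" "$4"
}

# Apply to a real disk: pipe the keystrokes in, then make the kernel re-read
# the table (step 8). Modifies the partition table on $1.
apply_mbr_swap_partition() {   # $1 = disk, e.g. /dev/vdb
    fdisk_script 1 2048 +512M 82 | fdisk "$1" && partprobe "$1"
}

if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_mbr_swap_partition "$2"
fi
```

The arithmetic is the part worth keeping: a spec of +2T converts to exactly 2^32 sectors, which is one more than a 32-bit MBR length field can hold, so mbr_can_address is the test to run before choosing fdisk over gdisk for a new disk. Piping keystrokes into fdisk or gdisk gives no chance to review the table before w, so print the script first and run it against a scratch image (for example a file attached with losetup) before pointing it at /dev/vdb.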

Removing GPT disk partitions

There are five steps required to remove a partition from a disk with the GPT partitioning scheme using gdisk.

1. Specify the disk which contains the partition to be removed.

   Execute the gdisk command and specify the disk device name as an argument.

       [root@serverX ~]# gdisk /dev/vdb
       GPT fdisk (gdisk) version 0.8.6

       Partition table scan:
         MBR: protective
         BSD: not present
         APM: not present
         GPT: present

       Found valid GPT with protective MBR; using GPT.

       Command (? for help):

2. Identify the partition number of the partition to delete.

   Enter p to print the partition table. Note the number in the Number field for the partition to be deleted.

       Command (? for help): p
       Disk /dev/vdb: 20971520 sectors, 10.0 GiB
       Logical sector size: 512 bytes
       Disk identifier (GUID): 8B181B97-5259-4C8F-8825-1A973B8FA553
       Partition table holds up to 128 entries
       First usable sector is 34, last usable sector is 20971486
P a r t i t i o n s will be alig ned o n 2048 - s e c t o r b o u n d a r i e s


Total f r ee space is 1 9 9 2 2 8 7 7 s e c t o r s ( 9 . 5 GiB )
-
Number Start ( secto r ) E n d ( s e c t o r ) Size Code Name
1 2048 1050623 512 . 0 MiB 8E00 L i n u x LVM

3. Req u est the partition d e l et i o n .

Enter t h e d c o m m a n d to i n itiate partition rem ova l . -

Command ( ? fo r help ) : d
Using 1
-

4. Save p a r t i t i o n ta b l e c h a n g es. -

Issue t h e w c o m m a n d to f i n a l ize t h e partition rem ova l req u est by w r i t i n g t h e c h a n g es to the


disk's partition ta b l e. Enter y when gdisk prom pts for a f i n a l confi r m a t i o n . -

Command { ? fo r help ) : w
-
Final c h e c k s comple t e . Abo u t to w r i t e GPT data . T H I S WI L L OVERWRITE EXIST I N G
PARTI T I O N S ! !

Do y o u wan t t o p r oceed? ( YIN ) : y -


O K ; w r i t i n g new G U I D p a r t i t i o n table ( GPT ) to /d ev/vd b .
The o p e r a t i o n has completed s u c c e s s f ully .

5. I n itiate a ke r n e l re-read of the new partition t a b l e.

I nform t h e kern e l to re-read t h e par ti tion ta b l e w i t h par t p robe. -

I
i [ r oo t @s e r v e rx - ] # part probe /dev/vdb
I

Creating file systems

After a block device has been created, the next step is applying a file system format to it. A file system applies a structure to the block device so that data can be stored and retrieved from it.

Red Hat Enterprise Linux supports many different file system types, but two common ones are xfs and ext4. xfs is used by default in anaconda, the installer for Red Hat Enterprise Linux.

The mkfs command can be used to apply a file system to a block device. If no type is specified, an extended type two (ext2) file system will be used, which for many uses is not desirable. To specify the file system type, -t should be used.

[root@serverX ~]# mkfs -t xfs /dev/vdb1
meta-data=/dev/vdb1              isize=256    agcount=4, agsize=16384 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0
data     =                       bsize=4096   blocks=65536, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
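Both the gdisk w confirmation above and mkfs overwrite whatever is on the device, so the pre-flight checks an administrator would run first are worth scripting. The following is an added example, not code from the RH134 workbook: device_in_use and safe_mkfs are names chosen here, the sample mount and swap tables are constructed rather than captured from a host, and the tools it calls (blkid, wipefs, mkfs, /proc/mounts, /proc/swaps) are the standard ones already discussed on this page. It is POSIX sh.

```shell
#!/bin/sh
# Added example, not from the RH134 workbook: pre-flight checks before mkfs.
# device_in_use and safe_mkfs are names chosen for this example; the sample
# tables below are constructed, not captured from a host.

# device_in_use DEV [MOUNTS] [SWAPS]
# Exit 0 if DEV, or a partition of DEV (/dev/vdb1, /dev/nvme0n1p1 style),
# appears in the mounts or swaps table. Tables default to /proc/mounts and
# /proc/swaps; pass other files to check constructed tables offline.
device_in_use() {
    awk -v d="$1" '
        $1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
        END { exit !found }
    ' "${2:-/proc/mounts}" "${3:-/proc/swaps}"
}

# safe_mkfs TYPE DEV
# Format DEV with TYPE only if it is a block device, is not mounted or in use
# as swap, and carries no existing file-system or swap signature.
# Exit: 2 not a block device, 3 in use, 4 signature present, 5 blkid missing,
# otherwise the status of mkfs itself.
safe_mkfs() {
    fstype=$1
    dev=$2
    if [ ! -b "$dev" ]; then
        echo "$dev: not a block device" >&2
        return 2
    fi
    if device_in_use "$dev"; then
        echo "$dev: mounted or active as swap, refusing to format" >&2
        return 3
    fi
    # Fail closed if the signature probe is unavailable rather than guess.
    command -v blkid >/dev/null 2>&1 || { echo "blkid not found" >&2; return 5; }
    # blkid -s TYPE -o value prints only the signature type, or nothing at all.
    sig=$(blkid -s TYPE -o value "$dev" 2>/dev/null || true)
    if [ -n "$sig" ]; then
        echo "$dev: already carries a $sig signature; run wipefs -a $dev first if that is intended" >&2
        return 4
    fi
    mkfs -t "$fstype" "$dev"
}

# Constructed sample tables in /proc/mounts and /proc/swaps format.
sample_mounts() {
    cat <<'EOF'
/dev/vda1 / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
/dev/vdb1 /archive ext4 rw,seclabel,relatime,data=ordered 0 0
EOF
}
sample_swaps() {
    printf 'Filename\tType\tSize\tUsed\tPriority\n'
    printf '/dev/vdb2\tpartition\t511996\t0\t-1\n'
}
```

Run it as root, for example safe_mkfs xfs /dev/vdb1. mkfs.xfs itself refuses to overwrite a detected signature unless -f is given, but plain mkfs defaults to ext2 and not every mkfs.* is that careful, so the wrapper checks before any of them run. Refusing to proceed when blkid is missing is deliberate: a signature probe that silently returns nothing is worse than no probe.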


Mounting file systems

Once the file system format has been applied, the last step to adding a new file system is to attach the file system into the directory structure. When the file system is attached into the directory hierarchy, user space utilities can access or write files on the device.

Manually mounting file systems

Administrators can use the mount command to manually attach the device onto a directory location, or mount point, by specifying the device and the mount point, as well as any options that may be desired, to customize the behavior of the device.

[root@serverX ~]# mount /dev/vdb1 /mnt

The mount command can also be used to view currently mounted file systems, the mount points, and options.

[root@serverX ~]# mount | grep vdb1
/dev/vdb1 on /mnt type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

Manually mounting a file system is an excellent way to verify that a formatted device is accessible or working in the way desired. However, once the system is rebooted, the file system, while it still exists and has intact data, will not be mounted into the directory tree again. If an administrator wants the file system to be persistently mounted, a listing for the file system needs to be added to /etc/fstab.
-

Persistently mounting file systems

By adding a listing for a device into the /etc/fstab file, administrators can configure a device to be mounted to a mount point at system boot.

/etc/fstab is a white space-delimited file with six fields per line.

[root@serverX ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Mar 20 14:52:46 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=7a20315d-ed8b-4e75-a5b6-24ff9e1f9838 /       xfs     defaults        1 1

The first field specifies the device to be used. In the previous example, the UUID is being used to specify the device. Alternatively, the device file could be used; for example, /dev/vdb1. The UUID is stored in the file system superblock and created when the file system is created.
-
Note

Using the UUID is preferable because block device identifiers can change in certain scenarios, such as a cloud provider changing the underlying storage layer of a virtual machine. The block device file may change, but the UUID would remain intact in the superblock of the device.

The blkid command can be used to scan the block devices connected to a machine and report on data like the assigned UUID and file system format.

[root@serverX ~]# blkid /dev/vdb1
/dev/vdb1: UUID="226a7c4f-e309-4cb3-9e76-6ef972dd8600" TYPE="xfs"

The second field is the mount point where the device should be attached into the directory hierarchy. The mount point should already exist; if it does not, it can be created with mkdir.

The third field contains the file system type that has been applied to the block device.

The fourth field is the list of options that should be applied to the device when mounted to customize the behavior. This field is required, and there is a set of commonly used options called defaults. Other options are documented in the mount man page.

The last two fields are the dump flag and fsck order. The dump flag is used with the dump command to make a backup of the contents of the device. The fsck order field determines if the fsck should be run at boot time, in the event that the file system was not unmounted cleanly; a value of 0 disables the check. The value of the fsck order indicates the order in which file systems should have fsck run on them if multiple file systems are required to be checked.

UUID=226a7c4f-e309-4cb3-9e76-6ef972dd8600 /mnt xfs defaults 1 2

Note

Having an incorrect entry in /etc/fstab may render the machine unbootable. To avoid that situation, an administrator should verify that the entry is valid by unmounting the new file system and using mount -a, which reads /etc/fstab, to mount the file system back into place. If the mount -a command returns an error, it should be corrected before rebooting the machine.
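Because a bad /etc/fstab line can leave the machine unbootable, it helps to lint the file for the slips the six-field format invites before handing it to mount -a. The following is an added example, not code from the RH134 workbook: fstab_lint and fstab_sample are names chosen here, the sample file embeds the entries shown on this page plus three deliberately broken ones, and the checks encode the field rules from fstab(5) as described above. POSIX sh and awk only; it reads text and never touches the running system.

```shell
#!/bin/sh
# Added example, not from the RH134 workbook: a lint for /etc/fstab-style text.
# fstab_lint and fstab_sample are names chosen for this example.

# fstab_lint: read fstab text on stdin, print one line per problem found,
# exit 0 if the file is clean and 1 otherwise.
fstab_lint() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            where = "line " NR ": "
            if (NF != 6) {
                print where "expected 6 fields, got " NF; bad = 1; next
            }
            # First field: device node, UUID= or LABEL= reference.
            if ($1 !~ /^\// && $1 !~ /^(UUID|LABEL)=/) {
                print where "device must be a path, UUID= or LABEL="; bad = 1
            }
            if ($1 ~ /^UUID=/ && length($1) != 41) {   # "UUID=" + 36 characters
                print where "UUID is not 36 characters"; bad = 1
            }
            # Swap has no mount point and is neither dumped nor fsck-ed.
            if ($3 == "swap") {
                if ($2 != "swap") {
                    print where "swap entries use the placeholder swap as mount point"; bad = 1
                }
                if ($5 != 0 || $6 != 0) {
                    print where "swap entries need dump/fsck fields 0 0"; bad = 1
                }
            } else if ($2 !~ /^\//) {
                print where "mount point must be an absolute path"; bad = 1
            }
            if ($5 !~ /^[01]$/ || $6 !~ /^[0-9]+$/) {
                print where "dump flag must be 0 or 1 and fsck order a number"; bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the entries from this chapter followed by three mistakes,
# each announced by the comment line before it.
fstab_sample() {
    cat <<'EOF'
# /etc/fstab (constructed sample)
UUID=226a7c4f-e309-4cb3-9e76-6ef972dd8600 /mnt     xfs  defaults 1 2
UUID=5fcb234a-cf18-4d0d-96ab-66a4d1ad08f5 /archive ext4 defaults 0 2
UUID=fbd7fa60-b781-44a8-961b-37ac3ef572bf swap     swap defaults 0 0
# next entry has only five fields
/dev/vdb3 /backup xfs defaults 0
# next entry has a truncated UUID
UUID=deadbeef /data xfs defaults 0 0
# next entry asks for a boot-time fsck on swap
/dev/vdb4 swap swap defaults 0 2
EOF
}
```

Use it as fstab_lint < /etc/fstab before rebooting. It catches field-count and type slips; it does not prove that the UUID exists or that the mount point directory is present, which is what mount -a (or mount -fav, a dry run that parses the file without issuing the mount calls) still verifies.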

References
fdisk(8), gdisk(8), mkfs(8), mount(8), fstab(5) man pages


Practice: Adding Partitions, File Systems, and Persistent Mounts

Guided exercise

In this lab, you will create an MBR partition on a newly allocated disk, format the partition with an ext4 file system, and configure the file system for persistent mounting.

Machines: serverX

Outcomes:
1 GiB ext4 file system on second disk persistently mounted at /archive.

Before you begin...
• Reset your serverX system.
• Log into serverX.
• Switch to root using sudo -i.

You have been asked to archive data to a new directory, /archive, on serverX. You have been allocated a second disk for this purpose. The /archive directory will require 1 GiB of space. To make sure that the /archive directory is always available for use, you will need to configure the newly created file system to be persistently mounted at /archive even after a server reboot.

Once you have completed your work, reboot your serverX machine and verify that the newly created file system is persistently mounted at /archive after the reboot.

1. Create a 1 GiB MBR partition on /dev/vdb of type Linux.

  1.1. Use fdisk to modify the second disk.

[root@serverX ~]# fdisk /dev/vdb

  1.2. Display the original partition table, then add a new partition that is 1 GiB in size.

Command (m for help): p

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xfd41a9d3

   Device Boot      Start         End      Blocks   Id  System

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
-


Partition number (1-4, default 1): 1
First sector (2048-20971519, default 2048): Enter
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +1G
Partition 1 of type Linux and of size 1 GiB is set

  1.3. Save the partition table changes.

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

  1.4. If fdisk issues a warning, then run the partprobe command to make the kernel aware of the partition table change. This will not be necessary if the disk device is currently unused.

[root@serverX ~]# partprobe

2. Format the newly created partition with the ext4 file system.

[root@serverX ~]# mkfs -t ext4 /dev/vdb1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
65536 inodes, 262144 blocks
13107 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=268435456
8 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

3. Configure the newly created file system to persistently mount at /archive.

  3.1. Create the /archive directory mount point.

[root@serverX ~]# mkdir /archive

  3.2. Determine the UUID of the new partition on the second disk.

[root@serverX ~]# blkid /dev/vdb1
/dev/vdb1: UUID="5fcb234a-cf18-4d0d-96ab-66a4d1ad08f5" TYPE="ext4"
-

-
180 R H1 3 4- R H E L 7-en-1-2014061 0

-
-

G u i d e d exercise
-

  3.3. Add an entry to /etc/fstab.

UUID=5fcb234a-cf18-4d0d-96ab-66a4d1ad08f5 /archive ext4 defaults 0 2

4. Test mounting the newly created file system.

  4.1. Execute the mount command to mount the new file system using the new entry added to /etc/fstab.

[root@serverX ~]# mount -a

  4.2. Verify that the new file system is mounted at /archive.

[root@serverX ~]# mount | grep -w /archive
/dev/vdb1 on /archive type ext4 (rw,relatime,seclabel,data=ordered)

5. Reboot serverX. After the server has rebooted, log in and verify that /dev/vdb1 is mounted at /archive.

[student@serverX ~]$ mount | grep ^/
/dev/vda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/vdb1 on /archive type ext4 (rw,relatime,seclabel,data=ordered)


Managing Swap Space

Objectives

After completing this section, students should be able to:

• Create and format a partition for swap space.
• Activate the swap space.

Swap space concepts

A swap space is an area of a disk which can be used with the Linux kernel memory management subsystem. Swap spaces are used to supplement the system RAM by holding inactive pages of memory. The combined system RAM plus swap spaces is called virtual memory.

When the memory usage on a system exceeds a defined limit, the kernel will comb through RAM looking for idle memory pages assigned to processes. The kernel writes the idle page to the swap area, and will reassign the RAM page to be used by another process. If a program requires access to a page that has been written to disk, the kernel will locate another idle page of memory, write it to disk, then recall the needed page from the swap area.

Since swap areas reside on disk, swap is incredibly slow when compared with RAM. While it is used to augment system RAM, usage of swap spaces should be kept to a minimum whenever possible. Note also that pages written to a plain swap partition persist on disk in clear text, including any passwords or keys a process held in memory at the time, so a swap device deserves the same protection as the file systems beside it.

Create a swap space

To create a swap space, an administrator needs to do three things:
• Create a partition.
• Set the type of the partition as 82 Linux swap.
• Format a swap signature on the device.

Create a partition
Use a tool, such as fdisk, to create a partition of the desired size. In the following example, a 256 MiB partition will be created.

[root@serverX ~]# fdisk /dev/vdb
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x34e4e6d7.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-20971519, default 2048): Enter

Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +256M
Partition 1 of type Linux and of size 256 MiB is set

Command (m for help): p

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x34e4e6d7

   Device Boot      Start         End      Blocks   Id  System
/dev/vdb1            2048      526335      262144   83  Linux

Assign the partition type
After the swap partition has been created, it is recommended practice to change the partition's type, or system ID, to 82 Linux Swap. In the past, tools looked at the partition type to determine if the device should be activated; however, that is no longer the case. Even though the partition type is not used by utilities any longer, having the type set allows administrators to quickly determine the partition's purpose. The following example continues from within fdisk.

Command (m for help): t
Selected partition 1
Hex code (type L to list all codes): 82
Changed type of partition 'Linux' to 'Linux swap / Solaris'

Command (m for help): p

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x34e4e6d7

   Device Boot      Start         End      Blocks   Id  System
/dev/vdb1            2048      526335      262144   82  Linux swap / Solaris

Format the device

The mkswap command applies a swap signature to the device. Unlike other formatting utilities, mkswap writes a single block of data at the beginning of the device, leaving the rest of the device unformatted so it can be used for storing memory pages.

[root@serverX ~]# mkswap /dev/vdb1
Setting up swapspace version 1, size = 262140 KiB
no label, UUID=fbd7fa60-b781-44a8-961b-37ac3ef572bf

Activate a swap space

An administrator can use the swapon command to activate a formatted swap space. swapon can be called on the device, or swapon -a will activate all swap spaces listed in the /etc/fstab file.

[root@serverX ~]# free

             total       used       free     shared    buffers     cached
Mem:       1885252     791812    1093440      17092        688     292024
-/+ buffers/cache:     499100    1386152
Swap:            0          0          0
[root@serverX ~]# swapon /dev/vdb1
[root@serverX ~]# free
             total       used       free     shared    buffers     cached
Mem:       1885252     792116    1093136      17092        692     292096
-/+ buffers/cache:     499328    1385924
Swap:       262140          0     262140

Persistently activate swap space

It is likely that a swap space will be required to automatically activate every time the machine boots. In order for the machine to activate the swap space at every boot, it must be configured in the /etc/fstab file.

If needed, an administrator can deactivate a swap space using the swapoff command. A swapoff will only be successful if any swapped data can be written to other active swap spaces or back into memory. If data cannot be written to other places, the swapoff will fail, with an error, and the swap space will stay active.

The following is an example line in /etc/fstab adding a previously created swap space.

UUID=fbd7fa60-b781-44a8-961b-37ac3ef572bf swap swap defaults 0 0

The example uses the UUID as the first field. The UUID is stored in the swap signature stored on the device, and was part of the output of mkswap. If the output of mkswap has been lost, the blkid command can be used to scan the system and report on all attached block devices. If the administrator does not wish to use the UUID, the raw device name can also be used in the first field.

The second field is typically reserved for the mount point. However, for swap devices, which are not accessible through the directory structure, this field is the placeholder value swap.

The third field is the file system type. The file system type for a swap space is swap.

The fourth field is for options. In the example, the option defaults is used. defaults includes the mount option auto, which is what causes the swap space to be automatically activated at boot.

The final two fields are the dump flag and fsck order. Swap spaces require neither backing up nor file system checking.

Note

By default, swap spaces are used in series, meaning that the first activated swap space will be used until it is full, then the kernel will start using the second swap space. Swap space priorities are displayed with swapon -s, and can be set with the pri= mount option. Explicit priorities normally run from 0 to 32767, a higher number being preferred, whereas swap spaces activated without one receive a kernel-assigned negative priority, each lower than the last, so an explicit priority always outranks the defaults. If swap spaces have the same priority, the kernel will write to them round-robin instead of writing to a single swap space until it is at capacity.
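The verification step the exercises below keep repeating, swapon -s after a reboot, can be made mechanical: take the swap entries in /etc/fstab, resolve UUID= references through blkid, and compare them with what the kernel activated and at which priority. The following is an added example, not code from the RH134 workbook: swap_check and the *_sample functions are names chosen here, the sample tables are constructed from this chapter's output (the vdb3 UUID is made up), and the default-priority rule it applies is the one described in the note above. POSIX sh and awk only.

```shell
#!/bin/sh
# Added example, not from the RH134 workbook: cross-check the swap entries in
# /etc/fstab against the swap spaces the kernel actually activated.
# swap_check and the *_sample names are chosen for this example; the vdb3
# UUID in the samples is made up.

# swap_check BLKID_FILE FSTAB_FILE SWAPS_FILE
#   BLKID_FILE  output of blkid           (/dev/vdb2: UUID="..." TYPE="swap")
#   FSTAB_FILE  /etc/fstab
#   SWAPS_FILE  output of swapon -s, or /proc/swaps
# Prints one line per configured swap space; exits 1 if one is missing, has a
# priority that does not match its pri= option, or is active without an entry.
swap_check() {
    awk '
        FNR == 1 { f++ }                       # which of the three files we are in
        f == 1 {                               # blkid: map UUID= back to a device node
            dev = $1; sub(/:$/, "", dev)
            if (match($0, /UUID="[^"]*"/))
                dev_of["UUID=" substr($0, RSTART + 6, RLENGTH - 7)] = dev
            next
        }
        f == 2 {                               # fstab: remember swap entries and pri=
            if ($0 ~ /^[ \t]*#/ || NF < 6 || $3 != "swap") next
            dev = ($1 in dev_of) ? dev_of[$1] : $1
            want[dev] = "auto"                 # no pri=: kernel assigns a negative default
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^pri=/) want[dev] = substr(opts[i], 5) + 0
            next
        }
        f == 3 && FNR > 1 { active[$1] = $5 + 0 }   # skip the Filename header line
        END {
            for (d in want) {
                if (!(d in active)) {
                    print d ": configured in fstab but not active"; bad = 1
                } else if (want[d] == "auto" && active[d] >= 0) {
                    print d ": priority " active[d] " set, but fstab has no pri="; bad = 1
                } else if (want[d] != "auto" && active[d] != want[d]) {
                    print d ": priority " active[d] ", expected " want[d]; bad = 1
                } else {
                    print d ": OK, priority " active[d]
                }
            }
            for (d in active)
                if (!(d in want)) { print d ": active but not in fstab"; bad = 1 }
            exit bad
        }
    ' "$1" "$2" "$3"
}

# Constructed sample data modelled on this chapter's output.
swap_sample_blkid() {
    cat <<'EOF'
/dev/vda1: UUID="7a20315d-ed8b-4e75-a5b6-24ff9e1f9838" TYPE="xfs"
/dev/vdb2: UUID="74f8f3e1-6af3-4e51-9ab5-c48e52bf4a7b" TYPE="swap"
/dev/vdb3: UUID="0b6f1c2e-4f4d-4b8c-9a3e-2d5c7e9f1a42" TYPE="swap"
EOF
}
swap_sample_fstab() {
    cat <<'EOF'
UUID=7a20315d-ed8b-4e75-a5b6-24ff9e1f9838 /    xfs  defaults       0 0
UUID=74f8f3e1-6af3-4e51-9ab5-c48e52bf4a7b swap swap defaults       0 0
UUID=0b6f1c2e-4f4d-4b8c-9a3e-2d5c7e9f1a42 swap swap defaults,pri=1 0 0
EOF
}
swap_sample_swaps_ok() {               # both activated, as after swapon -a
    printf 'Filename\tType\tSize\tUsed\tPriority\n'
    printf '/dev/vdb2\tpartition\t524284\t0\t-1\n'
    printf '/dev/vdb3\tpartition\t524284\t0\t1\n'
}
swap_sample_swaps_stale() {            # vdb3 added to fstab but never activated
    printf 'Filename\tType\tSize\tUsed\tPriority\n'
    printf '/dev/vdb2\tpartition\t524284\t0\t-1\n'
}

# swap_check_sample SWAPS_FUNC: run swap_check over the constructed blkid and
# fstab samples against the live-state sample produced by SWAPS_FUNC.
swap_check_sample() {
    b=$(mktemp) && f=$(mktemp) && s=$(mktemp) || return 1
    swap_sample_blkid > "$b"; swap_sample_fstab > "$f"; "$1" > "$s"
    if swap_check "$b" "$f" "$s"; then rc=0; else rc=$?; fi
    rm -f "$b" "$f" "$s"
    return $rc
}
```

On a live host the same check is blkid > /tmp/b; swapon -s > /tmp/s; swap_check /tmp/b /etc/fstab /tmp/s, which is what the reboot verification in the lab below asks for. A swap space without pri= is accepted at any negative priority rather than exactly -1, because the kernel hands out -1, -2 and so on in activation order, so the exact value depends on how many other default-priority spaces came first.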

References
mkswap(8), swapon(8), swapoff(8), mount(8), fdisk(8) man pages


Practice: Adding and Enabling Swap Space

Guided exercise
In this lab, you will create a swap partition and enable it for use.

Machines: serverX

Outcomes:
Your serverX host will have 500 MiB of swap space running on its second disk.

Before you begin...
• Log into serverX.
• Switch to root using sudo -i.

No swap partition was created during the installation of serverX. During peak usage, the server has been running out of physical memory. You have ordered additional RAM and are anxiously waiting for its arrival. In the meantime, you decide to alleviate the problem by enabling swap space on the second disk. To make sure that the newly added swap space is always available for use, you will also need to configure it to be enabled upon boot.

Once you have completed your work, reboot your serverX machine and verify that the swap space is available after the reboot.

1. Create a 500 MiB partition on /dev/vdb of type Linux swap.

  1.1. Use fdisk to modify the second disk.

[root@serverX ~]# fdisk /dev/vdb

  1.2. Print the original partition table, then create a new partition that is 500 MiB in size.

Command (m for help): p

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xfd41a9d3

   Device Boot      Start         End      Blocks   Id  System
/dev/vdb1            2048     2099199     1048576   83  Linux

Command (m for help): n
Partition type:
   p   primary (1 primary, 0 extended, 3 free)
   e   extended
Select (default p): p
Partition number (2-4, default 2): 2
First sector (2099200-20971519, default 2099200): Enter


Using default value 2099200
Last sector, +sectors or +size{K,M,G} (2099200-20971519, default 20971519): +500M
Partition 2 of type Linux and of size 500 MiB is set

Command (m for help): p

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xfd41a9d3

   Device Boot      Start         End      Blocks   Id  System
/dev/vdb1            2048     2099199     1048576   83  Linux
/dev/vdb2         2099200     3123199      512000   83  Linux

  1.3. Set the newly created partition to type Linux swap.

Command (m for help): t
Partition number (1,2, default 2): 2
Hex code (type L to list all codes): L

 1  FAT12           27  Hidden NTFS Win 82  Linux swap / So c1  DRDOS/sec (FAT-

Hex code (type L to list all codes): 82
Changed type of partition 'Linux' to 'Linux swap / Solaris'

Command (m for help): p

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xfd41a9d3

   Device Boot      Start         End      Blocks   Id  System
/dev/vdb1            2048     2099199     1048576   83  Linux
/dev/vdb2         2099200     3123199      512000   82  Linux swap / Solaris

  1.4. Save the partition table changes.

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or
resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

  1.5. Run partprobe to make the kernel aware of the partition table change.


[root@serverX ~]# partprobe

2. Initialize the newly created partition as swap space.

[root@serverX ~]# mkswap /dev/vdb2
Setting up swapspace version 1, size = 511996 KiB
no label, UUID=74f8f3e1-6af3-4e51-9ab5-c48e52bf4a7b

3. Enable the newly created swap space.

  3.1. Creating and initializing swap space does not yet enable it for use, as shown by the free and swapon -s commands.

[root@serverX ~]# free
             total       used       free     shared    buffers     cached
Mem:       1885252     557852    1327400      17096       1080     246040
-/+ buffers/cache:     310732    1574520
Swap:            0          0          0
[root@serverX ~]# swapon -s
[root@serverX ~]#

  3.2. Enable the newly created swap space.

[root@serverX ~]# swapon /dev/vdb2

  3.3. Verify that the newly created swap space is now available.

[root@serverX ~]# swapon -s
Filename                                Type            Size    Used    Priority
/dev/vdb2                               partition       511996  0       -1

  3.4. Disable the swap space.

[root@serverX ~]# swapoff /dev/vdb2

  3.5. Verify that the swap space is disabled.

[root@serverX ~]# swapon -s
[root@serverX ~]#

4. Configure the new swap space so that it is enabled upon boot.

  4.1. Determine the UUID of the new swap partition on the second disk.

[root@serverX ~]# blkid /dev/vdb2
/dev/vdb2: UUID="74f8f3e1-6af3-4e51-9ab5-c48e52bf4a7b" TYPE="swap"

  4.2. Add an entry to /etc/fstab.

UUID=74f8f3e1-6af3-4e51-9ab5-c48e52bf4a7b swap swap defaults 0 0

  4.3. Test enabling the swap space using the entry just added to /etc/fstab.

[root@serverX ~]# swapon -a

  4.4. Verify that the new swap space was enabled.

[root@serverX ~]# swapon -s
Filename                                Type            Size    Used    Priority
/dev/vdb2                               partition       511996  0       -1

5. Reboot serverX. After the server has rebooted, log in and verify that swap space is enabled.

[student@serverX ~]$ swapon -s
Filename                                Type            Size    Used    Priority
/dev/vdb2                               partition       511996  0       -1


Lab: Adding Disks, Partitions, and File Systems to a Linux System

Performance checklist

In this lab, you will create a GPT partition on a newly allocated disk, format the partition with an XFS file system, and configure the file system for persistent mounting. You will also create two 512 MiB swap partitions. You will configure one of the swap partitions to have a priority of 1.

Machines: serverX

Outcomes:
• 2 GiB XFS file system on a GPT partition on the second disk. The file system is persistently mounted at /backup.
• A 512 MiB swap partition enabled on the second disk with default priority.
• Another 512 MiB swap partition enabled on the second disk with a priority of 1.

Before you begin...
• Reset your serverX system.
• Log into serverX.
• Switch to root using sudo -i.

You have been asked to copy important data from the primary disk on serverX to a separate disk for safekeeping. You have been allocated a second disk on serverX for this purpose. You have decided to create a 2 GiB GPT partition on the second disk and format it with the XFS file system. To ensure that this new file system is always available, you will configure it to persistently mount.

To compensate for the shortage of physical memory on serverX, you want to create and enable some swap space for use. You will create two 512 MiB swap partitions on the second disk and set the priority of one of the swap partitions to 1 so that it is preferred over the other swap partition.

Reboot your serverX machine. Verify that the newly created XFS file system is persistently mounted at /backup. Also confirm that two swap spaces are activated upon boot, and one of the swap spaces has the default priority of -1 and the other has a priority of 1.

When you have completed your work, run lab disk grade on your serverX machine to verify your work.

1. Create a 2 GiB GPT partition on /dev/vdb of type Linux.

2. Create two 512 MiB partitions on /dev/vdb of type Linux swap.

3. Format the newly created partitions. Format the 2 GiB partition with an XFS file system. Initialize the two 512 MiB partitions as swap space.

4. Configure the newly created XFS file system to persistently mount at /backup.

5. Configure the newly created swap spaces to be enabled at boot. Set one of the swap spaces to be preferred over the other.

6. Reboot serverX. After the server has rebooted, log in and verify that /dev/vdb1 is mounted at /backup. Also verify that two 512 MiB swap partitions are enabled, and that one has default priority and the other has a priority of 1.

7. When you have completed your work, run lab disk grade on the serverX machine to verify your work.

Chapter 9. Adding Disks, Partitions, and File Systems to a Linux System

Solution
In this lab, you will create a GPT partition on a newly allocated disk, format the partition with an
XFS file system, and configure the file system for persistent mounting. You will also create two
512 MiB swap partitions. You will configure one of the swap partitions to have a priority of 1.

Machines:

Outcomes:
• 2 GiB XFS file system on a GPT partition on the second disk. The file system is persistently
  mounted at /backup.

• A 512 MiB swap partition enabled on the second disk with default priority.

• Another 512 MiB swap partition enabled on the second disk with a priority of 1.

Before you begin...

Reset your serverX system.

Log into serverX.

Switch to root using sudo -i.

You have been asked to copy important data from the primary disk on serverX to a separate disk
for safekeeping. You have been allocated a second disk on serverX for this purpose. You have
decided to create a 2 GiB GPT partition on the second disk and format it with the XFS file system.
To ensure that this new file system is always available, you will configure it to persistently mount.

To compensate for the shortage of physical memory on serverX, you want to create and enable
some swap space for use. You will create two 512 MiB swap partitions on the second disk and set
the priority of one of the swap partitions to 1 so that it is preferred over the other swap partition.

Reboot your serverX machine. Verify that the newly created XFS file system is persistently
mounted at /backup. Also confirm that two swap spaces are activated upon boot, and one of the
swap spaces has the default priority of -1 and the other has a priority of 1.

When you have completed your work, run lab disk grade on your serverX machine to verify
your work.

1. Create a 2 GiB GPT partition on /dev/vdb of type Linux.

   1.1. Use gdisk to modify the second disk.

   [root@serverX ~]# gdisk /dev/vdb

   1.2. Add a new partition that is 2 GiB in size.

   Command (? for help): n
   Partition number (1-128, default 1): 1
   First sector (34-20971486, default = 2048) or {+-}size{KMGTP}: Enter
   Last sector (2048-20971486, default = 20971486) or {+-}size{KMGTP}: +2G
   Current type is 'Linux filesystem'

   1.3. Set the new partition to type Linux.

   Hex code or GUID (L to show codes, Enter = 8300): Enter
   Changed type of partition to 'Linux filesystem'

2. Create two 512 MiB partitions on /dev/vdb of type Linux swap.

   2.1. Add a partition that is 512 MiB.

   Command (? for help): n
   Partition number (2-128, default 2): 2
   First sector (34-20971486, default = 4196352) or {+-}size{KMGTP}: Enter
   Last sector (4196352-20971486, default = 20971486) or {+-}size{KMGTP}: +512M
   Current type is 'Linux filesystem'

   2.2. Set the partition to type Linux swap.

   Hex code or GUID (L to show codes, Enter = 8300): L
   ...
   8200 Linux swap            8300 Linux filesystem      8301 Linux reserved
   ...
   Hex code or GUID (L to show codes, Enter = 8300): 8200
   Changed type of partition to 'Linux swap'

   2.3. Add another partition that is 512 MiB, and set its type to Linux swap.

   Command (? for help): n
   Partition number (3-128, default 3): 3
   First sector (34-20971486, default = 5244928) or {+-}size{KMGTP}: Enter
   Last sector (5244928-20971486, default = 20971486) or {+-}size{KMGTP}: +512M
   Current type is 'Linux filesystem'
   Hex code or GUID (L to show codes, Enter = 8300): 8200
   Changed type of partition to 'Linux swap'

   2.4. Verify the partitions.

   Command (? for help): p
   Disk /dev/vdb: 20971520 sectors, 10.0 GiB
   Logical sector size: 512 bytes
   Disk identifier (GUID): 9918D507-7344-406A-9902-D2503FA028EF
   Partition table holds up to 128 entries
   First usable sector is 34, last usable sector is 20971486
   Partitions will be aligned on 2048-sector boundaries
   Total free space is 14679997 sectors (7.0 GiB)

   Number  Start (sector)    End (sector)  Size       Code  Name
      1            2048         4196351   2.0 GiB     8300  Linux filesystem
      2         4196352         5244927   512.0 MiB   8200  Linux swap
      3         5244928         6293503   512.0 MiB   8200  Linux swap

   2.5. Save the changes to the partition table.

   Command (? for help): w

   Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
   PARTITIONS!!

   Do you want to proceed? (Y/N): y
   OK; writing new GUID partition table (GPT) to /dev/vdb.
   The operation has completed successfully.

   2.6. Run partprobe to make the kernel aware of the partition table change.

   [root@serverX ~]# partprobe

3. Format the newly created partitions. Format the 2 GiB partition with an XFS file system.
   Initialize the two 512 MiB partitions as swap space.

   3.1. Format the newly created partition with the XFS file system.

   [root@serverX ~]# mkfs -t xfs /dev/vdb1
   meta-data=/dev/vdb1              isize=256    agcount=4, agsize=131072 blks
            =                       sectsz=512   attr=2, projid32bit=1
            =                       crc=0
   data     =                       bsize=4096   blocks=524288, imaxpct=25
            =                       sunit=0      swidth=0 blks
   naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
   log      =internal log           bsize=4096   blocks=2560, version=2
            =                       sectsz=512   sunit=0 blks, lazy-count=1
   realtime =none                   extsz=4096   blocks=0, rtextents=0

   3.2. Initialize the other two partitions as swap space.

   [root@serverX ~]# mkswap /dev/vdb2
   Setting up swapspace version 1, size = 524284 KiB
   no label, UUID=d00554b7-dfac-4034-bdd1-37b896023f2c

   [root@serverX ~]# mkswap /dev/vdb3
   Setting up swapspace version 1, size = 524284 KiB
   no label, UUID=af30cbb0-3866-466a-825a-58889a49ef33

4. Configure the newly created XFS file system to persistently mount at /backup.

   4.1. Create the /backup directory mount point.

   [root@serverX ~]# mkdir /backup

   4.2. Determine the UUID of the first partition on the second disk.

   [root@serverX ~]# blkid /dev/vdb1
   /dev/vdb1: UUID="748ca35a-1668-4a2f-bfba-51ebe550f6f0" TYPE="xfs"
   PARTLABEL="Linux filesystem" PARTUUID="83b18afb-9c12-48bf-a620-7f8a612df5a8"

   4.3. Add an entry to /etc/fstab.

   UUID=748ca35a-1668-4a2f-bfba-51ebe550f6f0 /backup xfs defaults 0 2


5. Configure the newly created swap spaces to be enabled at boot. Set one of the swap spaces
   to be preferred over the other.

   5.1. Add entries to /etc/fstab using the UUIDs generated by the previous mkswap steps.
   Set the priority on one of the swap spaces to 1.

   UUID=d00554b7-dfac-4034-bdd1-37b896023f2c swap swap defaults 0 0
   UUID=af30cbb0-3866-466a-825a-58889a49ef33 swap swap pri=1 0 0

6. Reboot serverX. After the server has rebooted, log in and verify that /dev/vdb1 is mounted
   at /backup. Also verify that two 512 MiB swap partitions are enabled, and that one has
   default priority and the other has a priority of 1.

   [student@serverX ~]$ mount | grep ^/
   /dev/vda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
   /dev/vdb1 on /backup type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

   [student@serverX ~]$ free
                total       used       free     shared    buffers     cached
   Mem:       1885252     563528    1321724      17096        696     245224
   -/+ buffers/cache:     317608    1567644
   Swap:      1048568          0    1048568

   [student@serverX ~]$ swapon -s
   Filename        Type        Size     Used   Priority
   /dev/vdb2       partition   524284   0      -1
   /dev/vdb3       partition   524284   0      1

7. When you have completed your work, run lab disk grade on the serverX machine to
   verify your work.

   [student@serverX ~]$ lab disk grade

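As an added example that is not part of the course material, the following POSIX shell functions check an /etc/fstab against this lab's outcomes without touching any device: the backup file system must be referenced by UUID rather than by a /dev name (so the entry survives device renumbering), and exactly one of the two swap entries may carry pri=1. The sample fstab contents are constructed from the UUIDs shown in the solution above, and fstab_swap_priority and fstab_lab_check are this example's own names.

```shell
#!/bin/sh
# Added example: offline checks for the /etc/fstab produced by this lab.

# Constructed sample, built from the UUIDs shown in the solution above.
SAMPLE_FSTAB='UUID=748ca35a-1668-4a2f-bfba-51ebe550f6f0 /backup xfs defaults 0 2
UUID=d00554b7-dfac-4034-bdd1-37b896023f2c swap swap defaults 0 0
UUID=af30cbb0-3866-466a-825a-58889a49ef33 swap swap pri=1 0 0'

# Constructed counter-example: /backup is mounted by device name, which breaks
# if the disks are ever enumerated in a different order, and both swap spaces
# have pri=1, so neither is preferred over the other.
BAD_FSTAB='/dev/vdb1 /backup xfs defaults 0 2
UUID=d00554b7-dfac-4034-bdd1-37b896023f2c swap swap pri=1 0 0
UUID=af30cbb0-3866-466a-825a-58889a49ef33 swap swap pri=1 0 0'

# fstab_swap_priority FSTAB_CONTENT UUID
# Prints the priority the swap entry for UUID gets at boot: the value of its
# pri=N mount option, or -1 (the default that swapon -s shows) when none is
# set. Prints nothing when there is no swap entry for that UUID.
fstab_swap_priority() {
    printf '%s\n' "$1" | awk -v uuid="$2" '
        $1 == ("UUID=" uuid) && $3 == "swap" {
            pri = -1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^pri=/) { sub(/^pri=/, "", opts[i]); pri = opts[i] }
            print pri
            exit
        }'
}

# fstab_lab_check FSTAB_CONTENT
# Exit 0 only when: exactly one xfs entry mounts /backup and it is identified
# by UUID= rather than a /dev path, there are exactly two swap entries, and
# exactly one of them has pri=1.
fstab_lab_check() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $2 == "/backup" && $3 == "xfs" && $1 ~ /^UUID=/ { backup++ }
        $3 == "swap" {
            swaps++
            if (("," $4 ",") ~ /,pri=1,/) pri1++
        }
        END { exit !(backup == 1 && swaps == 2 && pri1 == 1) }'
}
```

On a live serverX, fstab_lab_check "$(cat /etc/fstab)" reports whether the file matches the outcomes, and swapon -s after the reboot confirms that the kernel agrees with what fstab_swap_priority predicts.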

Summary

Adding Partitions, File Systems, and Persistent Mounts

• fdisk can be used to add, modify, and remove partitions on disks with MBR
  partitioning schemes.

• gdisk can be used to add, modify, and remove partitions on disks with GPT
  partitioning schemes.

• File systems are created on disk partitions using mkfs.

• To make file system mounts persistent, they must be added to /etc/fstab.

Managing Swap Space

• Create and activate swap spaces.

CHAPTER 10

MANAGING LOGICAL VOLUME
MANAGEMENT (LVM) STORAGE

Overview

Goal        To manage logical volumes from the command line.

Objectives  • Describe logical volume management components and
              concepts.

            • Manage logical volumes.

            • Extend logical volumes.

Sections    • Logical Volume Management Concepts (and Practice)

            • Managing Logical Volumes (and Practice)

            • Extending Logical Volumes (and Practice)

Lab         • Managing Logical Volume Management (LVM) Storage

Chapter 10. Managing Logical Volume Management (LVM) Storage

Logical Volume Management Concepts

Objectives
After completing this section, students should be able to describe LVM components.

Logical volume management (LVM) concepts

Logical volumes and logical volume management make it easier to manage disk space. If a LVM-
hosted file system needs more space, it can be allocated to its logical volume from the free space
in its volume group and the file system can be resized. If a disk starts to fail, a replacement disk
can be registered as a physical volume with the volume group and the logical volume's extents
can be migrated to the new disk.

[Figure 10.1 diagram: 1. Partition physical storage; 2. Create physical volume (PV); 3. Create volume group (VG); 4. Create logical volume (LV); remaining Unused Space]

Figure 10.1: Logical volume management components

LVM Definitions
• Physical devices are the storage devices used to persist data stored in a logical volume. These
  are block devices and could be disk partitions, whole disks, RAID arrays, or SAN disks. A device
  must be initialized as an LVM physical volume in order to be used with LVM. The entire "device"
  will be used as a physical volume.

• Physical volumes (PV) are used to register underlying physical devices for use in volume
  groups. LVM automatically segments PVs into physical extents (PE); these are small chunks of
  data that act as the smallest storage block on a PV.

• Volume groups (VG) are storage pools made up of one or more physical volumes. A PV can
  only be allocated to a single VG. A VG can consist of unused space and any number of logical
  volumes.

• Logical volumes (LV) are created from free physical extents in a volume group and provide the
  "storage" device used by applications, users, and the operating system. LVs are a collection
  of logical extents (LE), which map to physical extents, the smallest storage chunk of a PV. By
  default, each LE will map to one PE. Setting specific LV options will change this mapping; for
  example, mirroring causes each LE to map to two PEs.

Practice: Logical Volume Management Concepts

Quiz
Match the following items to their counterparts in the table.

Disk, partition, RAID array    Logical extent    Logical volume (LV)

Physical extent    Physical volume (PV)    Volume group (VG)

Component description                                    Component

Formatted with a file system and mounted for use
at runtime

Maps to a physical storage device, such as a disk
or partition

Storage chunk of a LV, typically maps to a PE

Used to identify a pool of PVs for use in creating
one or more LVs

Name used for the storage chunk of a PV, also
the smallest storage chunk for a LV

Potential candidates for use as a single PV

Solution
Match the following items to their counterparts in the table.

Component description                                    Component

Formatted with a file system and mounted for use         Logical volume (LV)
at runtime

Maps to a physical storage device, such as a disk        Physical volume (PV)
or partition

Storage chunk of a LV, typically maps to a PE            Logical extent

Used to identify a pool of PVs for use in creating       Volume group (VG)
one or more LVs

Name used for the storage chunk of a PV, also            Physical extent
the smallest storage chunk for a LV

Potential candidates for use as a single PV              Disk, partition, RAID
                                                         array

Managing Logical Volumes

Objectives

After completing this section, students should be able to:

• Implement LVM storage.

• Display LVM component information.

Implementing LVM storage
LVM comes with a comprehensive set of command-line tools for implementing and managing
LVM storage. These command-line tools can be used in scripts, making them suitable for
automation.

Important
The following examples use device vda and its partitions to illustrate LVM commands.
In practice, these examples would need to use the correct devices for the disk and disk
partitions that are being used by the system.

Creating a logical volume

There are five steps needed to create a usable logical volume:

1. Prepare the physical device.

   Use fdisk, gdisk or parted to create a new partition for use with LVM. Always set the
   partition type to Linux LVM on LVM partitions; use 0x8e for MBR-style partitions. If
   necessary, use partprobe to register the new partition with the kernel.

   Alternatively, use a whole disk, a RAID array, or a SAN disk.

   A physical device only needs to be prepared if there are none prepared already and a new
   physical volume is required to create or extend a volume group.

   [root@serverX ~]# fdisk /dev/vda

   Use m for help, p to print the existing partition table, n to create a new partition, t to change
   the partition type, w to write the changes, and q to quit.

2. Create a physical volume.

   pvcreate is used to label the partition (or other physical device) for use with LVM as a
   physical volume. A header to store LVM configuration data is written directly to the PV.
   A PV is divided into physical extents (PE) of a fixed size; for example, 4 MiB blocks. Label
   multiple devices at the same time by using space-delimited device names as arguments to
   pvcreate.

   [root@serverX ~]# pvcreate /dev/vda2 /dev/vdb1

   This will label devices /dev/vda2 and /dev/vdb1 as PVs, ready for allocation into a
   volume group.

   A PV only needs to be created if there are no PVs free to create or extend a VG.

3. Create a volume group.
   vgcreate is used to create a pool of one or more physical volumes, called a volume group.
   The size of the VG is determined by the total number of physical extents in the pool. A
   VG is responsible for hosting one or more logical volumes by allocating free PEs to a LV;
   therefore, it must have sufficient free PEs available at the time the LV is created.

   As arguments to vgcreate, define a VG name and list one or more PVs to allocate to the
   VG.

   [root@serverX ~]# vgcreate vg-alpha /dev/vda2 /dev/vdb1

   This will create a VG called vg-alpha that is the combined size, in PE units, of the two PVs
   /dev/vda2 and /dev/vdb1.

   A VG only needs to be created when there is none in existence. Additional VGs may be
   created for administrative reasons to manage the use of PVs and LVs. Otherwise, existing
   VGs can be extended to accommodate new LVs when needed.

4. Create a logical volume.

   lvcreate creates a new logical volume from the available physical extents in a volume
   group. Use these arguments to lvcreate as a minimum: use the -n option to set the LV
   name, the -L option to set the LV size in bytes, and identify the VG name that the LV is to
   be created in.

   [root@serverX ~]# lvcreate -n hercules -L 2G vg-alpha

   This will create a LV called hercules, 2 GiB in size, in the VG vg-alpha. There must be
   sufficient free physical extents to allocate 2 GiB, and if necessary, it will be rounded to a
   factor of the PE unit size.

   There are multiple ways to specify the size: -L expects sizes in bytes, or larger named
   values, such as mebibytes (binary megabytes, 1048576 bytes) and gibibytes (binary
   gigabytes). The -l option expects sizes measured as a number of physical extents.

   Some examples:

   • lvcreate -L 128M: Size the logical volume to exactly 128 MiB.

   • lvcreate -l 128: Size the logical volume to exactly 128 extents in size. The total
     number of bytes depends on the size of the physical extent block on the underlying
     physical volume.

   Important

   Different tools will display the logical volume name using either the traditional
   name, /dev/vgname/lvname, or the kernel device mapper name,
   /dev/mapper/vgname-lvname.

5. Add the file system.

   Use mkfs to create an xfs file system on the new logical volume. Alternatively, create a file
   system based on your preferred file system; for example, ext4.

   [root@serverX ~]# mkfs -t xfs /dev/vg-alpha/hercules

   To make the file system available across reboots:

   • Use mkdir to create a mount point directory.

     [root@serverX ~]# mkdir /mnt/hercules

   • Add an entry to the /etc/fstab file:

     /dev/vg-alpha/hercules /mnt/hercules xfs defaults 1 2

   • Run mount -a to mount all the file systems in /etc/fstab, including the entry just
     added.

     [root@serverX ~]# mount -a


Removing a logical volume

There are four steps needed to remove all logical volume components:

1. Prepare the file system.

   Move all data that must be kept to another file system, then use umount to unmount the file
   system. Do not forget to remove any /etc/fstab entries associated with this file system.

   [root@serverX ~]# umount /mnt/hercules

   Warning
   Removing a logical volume will destroy any data stored on the logical volume.
   Backup or move your data BEFORE you remove the logical volume.

2. Remove the logical volume.

   lvremove is used to remove a logical volume that is no longer needed. Use the device
   name as the argument.

   [root@serverX ~]# lvremove /dev/vg-alpha/hercules

   The LV file system must be unmounted before running this command. It will ask for
   confirmation before removing the LV.

   The LV's physical extents will be freed and made available for assignment to existing or new
   LVs in the volume group.

3. Remove the volume group.

   vgremove is used to remove a volume group that is no longer needed. Use the VG name as
   the argument.

   [root@serverX ~]# vgremove vg-alpha

   The VG's physical volumes will be freed and made available for assignment to existing or
   new VGs on the system.

4. Remove the physical volumes.
   pvremove is used to remove physical volumes that are no longer needed. Use a space-
   delimited list of PV devices to remove more than one at a time. The PV metadata is wiped
   from the partition (or disk). The partition is now free for reallocation or reformatting.

   [root@serverX ~]# pvremove /dev/vda2 /dev/vdb1

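As an added example, not part of the course text, these POSIX shell functions implement the precondition of step 1 above: before an LV is removed, nothing in /etc/fstab or in the current mount table may still name it, under either of the two device names the Important note mentions. The fstab and mount output are constructed samples, and lv_mapper_name, lv_references and safe_lvremove are this example's own names; the doubling of hyphens in device-mapper names is real LVM behaviour that the text above does not spell out.

```shell
#!/bin/sh
# Added example: refuse to remove a logical volume while anything still
# refers to it, checking both names an LV can appear under.

# Constructed sample inputs (not captured from a real system): the fstab
# still carries the entry from step 5 of "Creating a logical volume", and
# the mount table shows the LV under its device-mapper name.
SAMPLE_FSTAB='/dev/vg-alpha/hercules /mnt/hercules xfs defaults 1 2
UUID=748ca35a-1668-4a2f-bfba-51ebe550f6f0 /backup xfs defaults 0 2'
SAMPLE_MOUNTS='/dev/vda1 on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/vg--alpha-hercules on /mnt/hercules type xfs (rw,relatime,seclabel,attr2,inode64,noquota)'

# lv_mapper_name /dev/VG/LV  ->  /dev/mapper/VG-LV
# Device mapper joins the VG and LV names with a single "-" and escapes every
# "-" inside a name by doubling it, so /dev/vg-alpha/hercules is listed as
# /dev/mapper/vg--alpha-hercules.
lv_mapper_name() {
    rest=${1#/dev/}
    vg=${rest%%/*}
    lv=${rest#*/}
    vg=$(printf '%s' "$vg" | sed 's/-/--/g')
    lv=$(printf '%s' "$lv" | sed 's/-/--/g')
    echo "/dev/mapper/$vg-$lv"
}

# lv_references LVPATH FSTAB_TEXT MOUNT_TEXT
# Prints every fstab line or mount line whose device field names the LV by
# either name. Exit 0 when at least one reference exists, 1 when none does.
lv_references() {
    mapper=$(lv_mapper_name "$1")
    printf '%s\n%s\n' "$2" "$3" | awk -v a="$1" -v b="$mapper" '
        $1 == a || $1 == b { print; found = 1 }
        END { exit !found }'
}

# safe_lvremove LVPATH FSTAB_TEXT MOUNT_TEXT
# Runs lvremove only when no reference remains; otherwise prints the lines
# that still need cleaning up (umount, fstab edit) and returns 1.
safe_lvremove() {
    if refs=$(lv_references "$1" "$2" "$3"); then
        echo "refusing to remove $1; still referenced by:" >&2
        printf '%s\n' "$refs" >&2
        return 1
    fi
    lvremove "$1"
}
```

On a live system the inputs are "$(cat /etc/fstab)" and "$(mount)"; the check is read-only and needs no privileges, so it can run before the root shell that will do the removal.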
Reviewing LVM status information
Physical volumes
Use pvdisplay to display information about physical volumes. If no arguments are specified
with the command, it will list information about all PVs on the system. If the argument is a
specific device name, then display information will be limited to that specific PV.

[root@serverX ~]# pvdisplay /dev/vda2
  --- Physical volume ---
  PV Name               /dev/vda2 (1)
  VG Name               vg-alpha (2)
  PV Size               256.00 MiB / not usable 4.00 MiB (3)
  Allocatable           yes
  PE Size               4.00 MiB (4)
  Total PE              63
  Free PE               26 (5)
  Allocated PE          37
  PV UUID               JWzDpn-LG3e-n2oi-9Etd-VT2H-PMem-1ZXwP1

(1) PV Name maps to the device name.

(2) VG Name shows the volume group where the PV is allocated.

(3) PV Size shows the physical size of the PV, including any unusable space.

(4) PE Size is the physical extent size, which is the smallest size a logical volume can be
    allocated.

    It is also the multiplying factor when calculating the size of any value reported in PE units,
    such as Free PE; for example: 26 PEs x 4 MiB (the PE Size) gives 104 MiB of free space. A
    logical volume size will be rounded to a factor of PE units.

    LVM sets the PE size automatically, although it is possible to specify it.

(5) Free PE shows how many PE units are available for allocation to new logical volumes.

Volume groups
Use vgdisplay to display information about volume groups. If no argument is specified for the
command, then it will display information about all VGs. Using the VG name as an argument will
limit the display information to that specific VG.

[root@serverX ~]# vgdisplay vg-alpha
  --- Volume group ---
  VG Name               vg-alpha (1)
  System ID
  Format                lvm2
  Metadata Areas        3
  Metadata Sequence No  4
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                1
  Open LV               1
  Max PV                0
  Cur PV                3
  Act PV                3
  VG Size               1012.00 MiB (2)
  PE Size               4.00 MiB
  Total PE              253 (3)
  Alloc PE / Size       175 / 700.00 MiB
  Free  PE / Size       78 / 312.00 MiB (4)
  VG UUID               3snNw3-CF71-CcYG-Llk1-p6EY-rHEv-xfUSez

(1) VG Name is the name of this volume group.
(2) VG Size is the total size of the storage pool available for logical volume allocation.
(3) Total PE is the total size expressed in PE units.
(4) Free PE / Size shows how much space is free in the VG for allocating to new LVs or to
    extend existing LVs.

Logical volumes
Use lvdisplay to display information about logical volumes. Again, no argument with the
command will display information about all LVs, and using the LV device name as an argument
will display information about that specific device.

[root@serverX ~]# lvdisplay /dev/vg-alpha/hercules
  --- Logical volume ---
  LV Path                /dev/vg-alpha/hercules (1)

  LV Name                hercules
  VG Name                vg-alpha (2)
  LV UUID                5IyRea-W8Zw-xLHk-3h2a-IuVN-YaeZ-i3IRrN
  LV Write Access        read/write
  LV Creation host, time server1.example.com, 2014-02-19 00:26:48 -0500
  LV Status              available
  # open                 1
  LV Size                700 MiB (3)
  Current LE             175 (4)
  Segments               3
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     8192
  Block device           252:0

(1) LV Path shows the device name of this logical volume.

    Some tools may report the device name as /dev/mapper/vgname-lvname; both
    represent the same LV.
(2) VG Name shows the volume group the LV is allocated from.
(3) LV Size shows the total size of the LV. Use file system tools to check free space and used
    space for storage of data.
(4) Current LE shows the number of logical extents used by this LV. A LE usually maps to a
    physical extent in the VG, and therefore the physical volume.
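As an added example that is not from the course, these POSIX shell functions reproduce the arithmetic behind the -L and -l discussion in step 4 of "Creating a logical volume" and the PE Size / Free PE explanations above, so that a request can be checked against a VG's free extents before lvcreate is run and the rounding to whole extents is made visible. The vgdisplay text is constructed from the vg-alpha values shown in this section; vg_field, size_to_kib, lv_extents_needed and lv_plan are this example's own names.

```shell
#!/bin/sh
# Added example: plan an "lvcreate -L SIZE" request against a volume group
# using the same units and rounding LVM applies.

# Constructed from the vgdisplay output for vg-alpha shown above.
SAMPLE_VGDISPLAY='  --- Volume group ---
  VG Name               vg-alpha
  VG Size               1012.00 MiB
  PE Size               4.00 MiB
  Total PE              253
  Alloc PE / Size       175 / 700.00 MiB
  Free  PE / Size       78 / 312.00 MiB'

# vg_field VGDISPLAY_TEXT pe_size|free_pe
# pe_size prints the extent size in whole MiB (it is always a power of two of
# at least 1 MiB, so the decimals can be dropped); free_pe prints the count
# from the "Free  PE / Size" line (note the double space in vgdisplay).
vg_field() {
    case "$2" in
        pe_size) printf '%s\n' "$1" | awk '/^ *PE Size/ { sub(/\..*/, "", $3); print $3 }' ;;
        free_pe) printf '%s\n' "$1" | awk '/^ *Free +PE \/ Size/ { print $5 }' ;;
    esac
}

# size_to_kib SIZE
# Converts a size as lvcreate -L accepts it (digits plus K, M or G) to KiB.
size_to_kib() {
    n=${1%[KkMmGg]}
    case "$1" in
        *[Kk]) echo "$n" ;;
        *[Mm]) echo $((n * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024)) ;;
        *) echo "size_to_kib: size needs a K, M or G suffix: $1" >&2; return 1 ;;
    esac
}

# lv_extents_needed SIZE PE_SIZE_MIB
# Number of physical extents "lvcreate -L SIZE" would allocate: the request
# is rounded UP to a whole number of extents, so -L 130M on 4 MiB extents
# gives 33 extents, that is 132 MiB, not 130.
lv_extents_needed() {
    kib=$(size_to_kib "$1") || return 1
    pe_kib=$(( $2 * 1024 ))
    echo $(( (kib + pe_kib - 1) / pe_kib ))
}

# lv_plan VGDISPLAY_TEXT SIZE
# Prints "<extents> <MiB actually allocated> <fits|too-large>" for a -L
# request against the VG described by VGDISPLAY_TEXT; the extent count is
# also the value to pass to -l for the same result.
lv_plan() {
    pe_mib=$(vg_field "$1" pe_size)
    free_pe=$(vg_field "$1" free_pe)
    ext=$(lv_extents_needed "$2" "$pe_mib") || return 1
    if [ "$ext" -le "$free_pe" ]; then verdict=fits; else verdict=too-large; fi
    echo "$ext $((ext * pe_mib)) $verdict"
}
```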

References
lvm(8), pvcreate(8), vgcreate(8), lvcreate(8), pvremove(8), vgremove(8),
lvremove(8), pvdisplay(8), vgdisplay(8), lvdisplay(8), fdisk(8), gdisk(8),
parted(8), partprobe(8), and mkfs(8) man pages

P ra c t i c e: Ad d i n g a Log i c a l Vo l u m e

Guided exercise
In this l a b, you w i l l a d d a p h y s i c a l v o l u m e , v o l u m e g ro u p, l o g i c a l v o l u m e , and a n XFS f i l e syste m .
Y o u w i l l p e r s i s t e n t l y m o u n t t h e l o g i c a l v o l u m e f i l e syst e m .

�·
Machine;
� ..
O u tcomes:
A 400M i B l o g i c a l vol u m e c a l l e d s t o rage i n t h e vol u m e g ro u p s h az am, m o u n ted at / s t o r age.
The v o l u m e g ro u p cons i sts of two p h y s i c a l vo l u m es, e a c h 2 5 6 M i B i n size.

Before you begin ...


Reset your serverX syst e m .

L o g into s e rv e r X .

Open a terminal.

Switch to root (sudo - i).

I m p o rtant
T h e f o l l o w i n g e xa m p l es use d e v i ce vdb, b u t y o u r e n v i ro n m e n t m a y h ave d i ffe rent
device n a m es. Adj u st the device n a m e a s n e c e s s a r y i n e a c h step.

D 1. C reate the Phys i c a l R e s o u rces


D 1 .1 . U s e f d i s k t o c reate two p a r t i t i o n s o f 2 5 6 M i B a p i e ce a n d set t h e m t o ty p e L i n u x
LV M .

I [ r o ot@serverX - ] # fdisk /dev/vdb

Note: T h e fo l l o w i n g steps o m it s o m e o u t p u t .

□ 1.2. Add a new primary partition of 256MiB.

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): Enter
Using default response p
Partition number (1-4, default 1): Enter
First sector (2048-20971519, default 2048): Enter
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +256M

□ 1.3. Change the partition type to Linux LVM, hex code 0x8e.

Command (m for help): t
Selected partition 1
Hex code (type L to list all codes): 8e
Changed type of partition 'Linux' to 'Linux LVM'

□ 1.4. Repeat the previous two steps to add a second primary partition of the same size in the next available partition space.

□ 1.5. Write the changes to the partition table and quit.

Command (m for help): w
The partition table has been altered!

□ 1.6. Use partprobe to register the new partitions with the kernel.

[root@serverX ~]# partprobe



□ 2. Create the Physical Volumes

Use pvcreate to add the two new partitions as PVs.

[root@serverX ~]# pvcreate /dev/vdb1 /dev/vdb2
  Physical volume "/dev/vdb1" successfully created
  Physical volume "/dev/vdb2" successfully created

□ 3. Create the Volume Group

Use vgcreate to create a new VG named shazam built from the two PVs.

[root@serverX ~]# vgcreate shazam /dev/vdb1 /dev/vdb2
  Volume group "shazam" successfully created

□ 4. Create the Logical Volume

Use lvcreate to create a 400MiB LV named storage from the shazam VG.

[root@serverX ~]# lvcreate -n storage -L 400M shazam
  Logical volume "storage" created

This will create a device called /dev/shazam/storage, currently without a file system on it.

□ 5. Add a Persistent File System

□ 5.1. Use mkfs to place an xfs file system on the storage LV; use the LV device name.

[root@serverX ~]# mkfs -t xfs /dev/shazam/storage
meta-data=/dev/shazam/storage    isize=256    agcount=4, agsize=25600 blks

□ 5.2. Use mkdir to create a mount point at /storage.


[root@serverX ~]# mkdir /storage

□ 5.3. Use vim to add the following line to the bottom of /etc/fstab on serverX:

/dev/shazam/storage   /storage   xfs   defaults   1 2

□ 5.4. Use mount to verify the /etc/fstab entry and mount the new storage LV device.

[root@serverX ~]# mount -a

□ 6. Test and Review Your Work

□ 6.1. As a final test, copy some files onto /storage and verify how many were copied.

[root@serverX ~]# cp -a /etc/*.conf /storage
[root@serverX ~]# ls /storage | wc -l
47

We will check that we still have the same number of files in the next practice exercise.
-

□ 6.2. fdisk -l /dev/vdb will show you the partitions that exist on /dev/vdb.

[root@serverX ~]# fdisk -l /dev/vdb

Check the /dev/vdb1 and /dev/vdb2 entries, and notice the Id and System columns showing 8e and Linux LVM, respectively.

□ 6.3. pvdisplay will show you information about each of the physical volumes. Optionally, include the device name to limit details to a specific PV.

[root@serverX ~]# pvdisplay /dev/vdb2
  --- Physical volume ---
  PV Name               /dev/vdb2
  VG Name               shazam
  PV Size               256.00 MiB / not usable 4.00 MiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              63
  Free PE               26
  Allocated PE          37
  PV UUID               N64t6x-URdJ-fVU3-FQ67-zU6g-So7w-hvXMcM

This shows that our PV is allocated to VG shazam, is 256MiB in size (although 4MiB is not usable), and our physical extent size (PE Size) is 4MiB (the smallest allocatable LV size).

There are 63 PEs, of which 26 PEs are free for allocation to LVs in the future and 37 PEs are currently allocated to LVs. These translate to MiB values as follows:

• Total 252MiB (63 PEs x 4MiB); remember, 4MiB are unusable.
-

-

• Free 104MiB (26 PEs x 4MiB)

• Allocated 148MiB (37 PEs x 4MiB)

□ 6.4. vgdisplay vgname will show you information about the volume group named vgname.

[root@serverX ~]# vgdisplay shazam

Check the following values:

• VG Size is 504.00MiB.

• Total PE is 126.

• Alloc PE / Size is 100 / 400.00MiB.

• Free PE / Size is 26 / 104.00MiB.

□ 6.5. lvdisplay /dev/vgname/lvname will show you information about the logical volume named lvname.

[root@serverX ~]# lvdisplay /dev/shazam/storage

Notice the LV Path, LV Name, VG Name, LV Status, LV Size, and Current LE (logical extents, which map to physical extents).
-

□ 6.6. mount will show all the devices that are mounted and any mount options. It should include /dev/shazam/storage.

Note
Reminder: Many tools will report the device mapper name instead, /dev/mapper/shazam-storage; it is the same logical volume.

[root@serverX ~]# mount

You should see (probably on the last line) /dev/mapper/shazam-storage mounted on /storage and the associated mount information.
-

□ 6.7. df -h will show human-readable disk free space. Optionally, include the mount point to limit details to that file system.

[root@serverX ~]# df -h /storage
Filesystem                   Size  Used Avail Use% Mounted on
/dev/mapper/shazam-storage   397M   21M  377M   6% /storage

Allowing for file system metadata, these values are what we would expect.
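The extent arithmetic in steps 6.3 and 6.4, and the device-mapper naming in step 6.6, can be checked mechanically rather than by eye. The following script is an added example, not part of this workbook: it parses pvdisplay and vgdisplay text, confirms that Total PE equals Free plus Allocated and that the PE counts agree with the MiB figures, and derives the /dev/mapper name that mount and df report (a hyphen inside a VG or LV name is doubled there, so VG my-vg with LV my-lv appears as /dev/mapper/my--vg-my--lv). The two report samples are constructed to match the numbers in this exercise; the script runs no LVM commands, so it can be run on any host as any user.

```bash
#!/bin/bash
# Added example; not from the RH134 workbook. Pure text processing:
# checks the pvdisplay/vgdisplay figures from step 6 and derives the
# /dev/mapper name from step 6.6. No LVM command is executed.
# The two reports below are constructed samples matching the exercise.

SAMPLE_PV='  --- Physical volume ---
  PV Name               /dev/vdb2
  VG Name               shazam
  PV Size               256.00 MiB / not usable 4.00 MiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              63
  Free PE               26
  Allocated PE          37'

SAMPLE_VG='  --- Volume group ---
  VG Name               shazam
  VG Size               504.00 MiB
  PE Size               4.00 MiB
  Total PE              126
  Alloc PE / Size       100 / 400.00 MiB
  Free  PE / Size       26 / 104.00 MiB'

# Extent count -> MiB for the given PE size (default 4 MiB, as in the lab).
pe_to_mib() {
    echo $(( $1 * ${2:-4} ))
}

# The device-mapper name behind /dev/VG/LV. A '-' inside a VG or LV name
# is written '--' so the single '-' separating the two stays unambiguous.
lvm_dm_name() {
    local vg lv
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    echo "/dev/mapper/${vg}-${lv}"
}

# pvdisplay text on stdin. Prints "ok total free alloc" and succeeds only
# if Total PE = Free PE + Allocated PE and Total PE * PE Size equals the
# PV size minus the "not usable" remainder that holds the LVM label.
check_pv_report() {
    awk '
        /PV Size/      { pv_mib = $3; unusable = $(NF-1) }
        /PE Size/      { pe = $3 }
        /Total PE/     { total = $3 }
        /Free PE/      { free = $3 }
        /Allocated PE/ { alloc = $3 }
        END {
            if (total == 0 || total != free + alloc) exit 1
            if (total * pe != pv_mib - unusable) exit 1
            printf "ok %d %d %d\n", total, free, alloc
        }'
}

# vgdisplay text on stdin: the same accounting at VG level, plus a check
# that the MiB figure on each line agrees with its extent count.
check_vg_report() {
    awk '
        /VG Size/  { vg_mib = $3 }
        /PE Size/  { pe = $3 }
        /Total PE/ { total = $3 }
        /Alloc PE/ { alloc = $5; alloc_mib = $7 }
        /Free +PE/ { free = $5;  free_mib = $7 }
        END {
            if (total == 0 || total != alloc + free) exit 1
            if (total * pe != vg_mib) exit 1
            if (alloc * pe != alloc_mib || free * pe != free_mib) exit 1
            printf "ok %d %d %d\n", total, alloc, free
        }'
}

main() {
    printf '%s\n' "$SAMPLE_PV" | check_pv_report ||
        { echo "pvdisplay figures do not balance" >&2; return 1; }
    printf '%s\n' "$SAMPLE_VG" | check_vg_report ||
        { echo "vgdisplay figures do not balance" >&2; return 1; }
    echo "free on /dev/vdb2: $(pe_to_mib 26) MiB"
    echo "mount and df will show: $(lvm_dm_name shazam storage)"
}

main
```

On a live system, replace the samples with `pvdisplay /dev/vdb2 | check_pv_report` and `vgdisplay shazam | check_vg_report`; a non-zero exit from either means the report is not self-consistent and is worth a second look before building on that VG.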


Extending Logical Volumes

Objectives

After completing this section, students should be able to:

• Extend and reduce a volume group.

• Extend an LV with an XFS file system.

• Extend an LV with an ext4 file system.

-

Extending and reducing a volume group

A volume group can have more disk space added to it by adding additional physical volumes. This is called extending the volume group. The new physical extents provided by the additional physical volumes can then be assigned to logical volumes.

Unused physical volumes can be removed from a volume group. This is called reducing the volume group. A tool called pvmove can be used to move data from extents on one physical volume to extents on other physical volumes in the volume group. In this way, a new disk can be added to an existing volume group, data can be moved from an older or slower disk to a new disk, and the old disk removed from the volume group. This can be done while the logical volumes in the volume group are in use.
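The disk-swap workflow just described (extend, pvmove, reduce) only works in that order, and vgreduce refuses a physical volume that still has allocated extents. The following script is an added example, not part of this workbook: it reads a report in the format of pvs --noheadings -o pv_name,vg_name,pv_pe_count,pv_pe_alloc_count, decides whether a given PV can be dropped as it stands, and emits the command sequence to migrate a VG off one PV onto another, including pvmove only when the old PV actually holds data. The report is a constructed sample (three PVs of the shazam VG: one fully used, one partly used, one idle), and /dev/vdc1 is an assumed new partition already typed Linux LVM. With DRY_RUN at its default of 1 the commands are printed, not run.

```bash
#!/bin/bash
# Added example; not from the RH134 workbook. Plans a safe "extend,
# pvmove, reduce" migration from a pvs report. Report format:
#   pvs --noheadings -o pv_name,vg_name,pv_pe_count,pv_pe_alloc_count
# SAMPLE_PVS is a constructed sample; /dev/vdc1 is an assumed new
# partition. Nothing touches a real device unless DRY_RUN=0.

SAMPLE_PVS='  /dev/vdb1 shazam 63 63
  /dev/vdb2 shazam 63 37
  /dev/vdb3 shazam 63  0'

# Allocated extent count of one PV, read from a pvs report on stdin.
# Prints nothing if the PV is not listed.
pv_alloc_extents() {
    awk -v pv="$1" '$1 == pv { print $4 }'
}

# Succeeds only if the PV is in the report with zero allocated extents.
# vgreduce itself refuses a PV that is still in use; checking first is
# what lets a script decide whether a pvmove has to come first.
pv_safe_to_remove() {
    local alloc
    alloc=$(pv_alloc_extents "$1")
    [ -n "$alloc" ] && [ "$alloc" -eq 0 ]
}

# Print the command sequence that moves a VG off OLD_PV onto NEW_PV.
# Usage: plan_pv_migration VG OLD_PV NEW_PV   (pvs report on stdin)
plan_pv_migration() {
    local vg old_pv new_pv alloc
    vg=$1; old_pv=$2; new_pv=$3
    alloc=$(pv_alloc_extents "$old_pv")
    if [ -z "$alloc" ]; then
        echo "error: $old_pv is not a PV in the report" >&2
        return 1
    fi
    echo "pvcreate $new_pv"
    echo "vgextend $vg $new_pv"
    if [ "$alloc" -gt 0 ]; then
        # Online: LVs on old_pv stay mounted and in use during the copy.
        echo "pvmove $old_pv $new_pv"
    fi
    echo "vgreduce $vg $old_pv"
    echo "pvremove $old_pv"
}

# Execute a plan line by line, stopping at the first failure so a failed
# pvmove can never fall through to vgreduce. DRY_RUN=1 (default) prints.
run_plan() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

printf '%s\n' "$SAMPLE_PVS" | plan_pv_migration shazam /dev/vdb1 /dev/vdc1 | run_plan
```

On a real system, feed the live report instead: `pvs --noheadings -o pv_name,vg_name,pv_pe_count,pv_pe_alloc_count | plan_pv_migration shazam /dev/vdb1 /dev/vdc1 | run_plan`, and set DRY_RUN=0 only once the printed sequence is what you expect.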

Important

The following examples use device vdb and its partitions to illustrate LVM commands. In practice, these examples would need to use the correct devices for the disk and disk partitions that are being used by the system.

Extending a volume group

There are potentially four steps needed to extend a volume group:

1. Prepare the physical device.

As with creating a new volume group, a new partition must be created and prepared for use as an LVM physical volume.

Use fdisk, gdisk, or parted to create a new partition for use with LVM. Always set the partition type to Linux LVM on LVM partitions; use 0x8e for MBR-style partitions. If necessary, use partprobe to register the new partition with the kernel.

Alternatively, use a whole disk, a RAID array, or a SAN disk.

A physical device only needs to be prepared if there are none prepared already and a new physical volume is required to extend the volume group.

I [ root@se rverX