Set Up Python with CentOS Linux

Python is a widely used interpreted language that has brought professionalism to the world of coding scripted applications on Linux (and other operating systems). Where Perl was once the industry standard, Python has surpassed Perl in many respects. Some strengths of Python versus Perl are:

- Rapid progression in refinement
- Libraries that are standard to the language
- Readability of the code is thought out in the language definition
- Many professional frameworks for everything from GUI support to web development

Python can do anything Perl can do, and in many cases in a better manner. Though Perl still has its place in the toolbox of a Linux admin, learning Python is a great choice as a skill set.

The biggest drawbacks of Python are sometimes related to its strengths. Historically, Python was originally designed to teach programming. At times, its core foundations of "easily readable" and "doing things the right way" can cause unnecessary complexity when writing simple code. Also, its standard libraries have caused problems in transitioning from versions 2.X to 3.X.

Python scripts are used at the core of CentOS for functions vital to the operating system. Because of this, it is important to isolate our development Python environment from the core Python environment of CentOS.

For starters, there are currently two versions of Python: Python 2.X and Python 3.X. Both are still in active production, though version 2.X is quickly closing in on deprecation (and has been for a few years). The reason for two active versions of Python was basically to fix the shortcomings of version 2.X. This required some core functionality of version 3.X to be redone in ways that could not support some version 2.X scripts. The best way to overcome this transition is to develop for 3.X and keep up with the latest 2.X version for legacy scripts.
Currently, CentOS 7.X relies on a semi-current revision of version 2.X. As of this writing, the most current versions of Python are 3.4.6 and 2.7.13. Don't let this confuse you or lead you to draw any conclusions about Python. Setting up a Python environment is really pretty simple. With Python frameworks and libraries, this task is easy to accomplish.

Before setting up our Python environments, we need a sane environment. To start, let's make sure our CentOS install is fully updated and get some build utilities installed.

Step 1 − Update CentOS.

    [root@CentOS]# yum -y update

Step 2 − Install build utilities.

    [root@CentOS]# yum -y groupinstall "development tools"

Step 3 − Install some needed packages.

    [root@CentOS]# yum install -y zlib-devel openssl-devel sqlite-devel bzip2-devel

Now we need to install the current Python 2.X and 3.X from source:

- Download the compressed archives
- Extract the files
- Compile the source code

Let's start by creating a build directory for the Python installs in /usr/src/:

    [root@CentOS]# mkdir -p /usr/src/pythonSource

Now let's download the source tarballs for each:

    [root@CentOS]# wget https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
    [root@CentOS]# wget https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Now we need to extract each from its archive.

Step 1 − Install xz-libs and extract the tarballs.

    [root@CentOS]# yum install xz-libs
    [root@CentOS python3]# xz -d ./*.xz
    [root@CentOS python3]# ls
    Python-2.7.13.tar  Python-3.6.0.tar
    [root@CentOS python3]#

Step 2 − Untar each installer from its tarball.

    [root@CentOS]# tar -xvf ./Python-2.7.13.tar
    [root@CentOS]# tar -xvf ./Python-3.6.0.tar

Step 3 − Enter each directory, run the configure script, then build and install.

    [root@CentOS]# ./configure --prefix=/usr/local
    [root@CentOS]# make altinstall

Note − Be sure to use altinstall and not install. This keeps the CentOS and development versions of Python separated. Otherwise, you may break the functionality of CentOS.

You will now see the compilation process begin.
Grab a cup of coffee and take a 15-minute break until completion. Since we installed all the needed dependencies for Python, the compilation process should complete without error.

Let's make sure we have the latest 2.X version of Python installed.

    [root@CentOS Python-2.7.13]# /usr/local/bin/python2.7 -V
    Python 2.7.13
    [root@CentOS Python-2.7.13]#

Note − You will want the shebang line of your scripts to point to our development environment for Python 2.X rather than the system interpreter.

    [root@CentOS Python-2.7.13]# cat ver.py
    #!/usr/local/bin/python2.7
    import sys
    print(sys.version)
    [root@CentOS Python-2.7.13]# ./ver.py
    2.7.13 (default, Jan 29 2017, 02:24:08)
    [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]

Just like that, we have separate Python installs for versions 2.X and 3.X. From here, we can use each, along with utilities such as pip and virtualenv, to further ease the burden of managing Python environments and package installation.
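As an added check (example script, not part of the tutorial), the functions below verify that a prefix built with make altinstall contains only versioned interpreters and has not shadowed the /usr/bin/python that CentOS tools depend on; the prefix path is an argument, /usr/local being the tutorial's choice.

```bash
#!/bin/bash
# Added example, not part of the tutorial: confirm that a source build was
# installed with "make altinstall" and so did not shadow the interpreter
# CentOS itself depends on. The prefix is a parameter; the tutorial uses
# /usr/local. Only the prefix's own bin directory is inspected.

# List the versioned interpreters under $1/bin (python2.7, python3.6, ...),
# skipping the *-config helper scripts the build also installs.
list_versioned_pythons() {
    local f
    for f in "$1"/bin/python[0-9]*; do
        case "$f" in *-config) continue ;; esac
        [ -x "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Return 0 when no unversioned python/python2/python3 exists under $1/bin.
# "make install" would create those and, with /usr/local/bin early in PATH,
# they would win over /usr/bin/python for every script and for yum.
altinstall_isolated() {
    local name
    for name in python python2 python3; do
        if [ -e "$1/bin/$name" ]; then
            echo "NOT isolated: $1/bin/$name exists (make install instead of altinstall?)" >&2
            return 1
        fi
    done
    return 0
}

# Show which "python" wins on PATH next to the system interpreter.
show_python_resolution() {
    printf 'python on PATH : %s\n' "$(command -v python 2>/dev/null || echo none)"
    if [ -x /usr/bin/python ]; then
        printf 'system python  : %s\n' "$(/usr/bin/python -V 2>&1)"
    else
        echo 'system python  : not present'
    fi
}

if [ -n "${1:-}" ]; then
    list_versioned_pythons "$1"
    altinstall_isolated "$1" && echo "prefix $1 is isolated from the system Python"
    show_python_resolution
fi
```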
Category: linux Admin
Linux Admin Tutorial

Linux was designed based on the Unix philosophy of "small, precise tools chained together simplifying larger tasks". Linux, at its root, often does not have large single-purpose applications for one specific use. Instead, there are hundreds of basic utilities that, when combined, offer great power to accomplish big tasks with efficiency. Unique amongst business-class Linux distributions, CentOS stays true to the open-source nature that Linux was founded on. This tutorial gives a complete understanding of Linux administration and explains how to use it for benefit.

Audience

This tutorial has been prepared for beginners to help them understand the fundamentals of Linux administration. It will specifically be useful for Linux administration professionals. After completing this tutorial, you will find yourself at a moderate level of expertise from where you can take yourself to the next levels.

Prerequisites

Before you go ahead with this tutorial, we assume that you have a basic knowledge of Linux and administration fundamentals.
CentOS Overview
Linux Admin – CentOS Overview

Unique among business-class Linux distributions, CentOS stays true to the open-source nature that Linux was founded on. The first Linux kernel was developed by a college student at the University of Helsinki (Linus Torvalds) and combined with the GNU utilities founded and promoted by Richard Stallman. CentOS has a proven, open-source licensing that can power today's business world.

CentOS has quickly become one of the most prolific server platforms in the world. Any Linux administrator, when seeking employment, is bound to come across the words: "CentOS Linux Experience Preferred". From startups to Fortune 10 tech titans, CentOS has placed itself amongst the higher echelons of server operating systems worldwide.

What makes CentOS stand out from other Linux distributions is a great combination of:

- Open-source licensing
- Dedicated user base of Linux professionals
- Good hardware support
- Rock-solid stability and reliability
- Focus on security and updates
- Strict adherence to the software packaging standards needed in a corporate environment

Before starting the lessons, we assume that the readers have a basic knowledge of Linux and administration fundamentals such as:

- What is the root user?
- The power of the root user
- Basic concept of security groups and users
- Experience using a Linux terminal emulator
- Fundamental networking concepts
- Fundamental understanding of interpreted programming languages (Perl, Python, Ruby)
- Networking protocols such as HTTP, LDAP, FTP, IMAP, SMTP
- Cores that compose a computer operating system: file system, drivers, and the kernel
File / Folder Management
Linux Admin – File / Folder Management

To introduce permissions as they apply to both directories and files in CentOS Linux, let's look at the following command output.

    [centos@centosLocal etc]$ ls -ld /etc/yum*
    drwxr-xr-x. 6 root root 100 Dec  5 06:59 /etc/yum
    -rw-r--r--. 1 root root 970 Nov 15 08:30 /etc/yum.conf
    drwxr-xr-x. 2 root root 187 Nov 15 08:30 /etc/yum.repos.d

Note − The three primary object types you will see are:

- "-" − a dash for a plain file
- "d" − for a directory
- "l" − for a symbolic link

We will focus on three blocks of output for each directory and file:

    drwxr-xr-x : root : root
    -rw-r--r-- : root : root
    drwxr-xr-x : root : root

Now let's break this down, to better understand these lines:

    d      Means the object type is a directory
    rwx    Indicates directory permissions applied to the owner
    r-x    Indicates directory permissions applied to the group
    r-x    Indicates directory permissions applied to the world
    root   The first instance indicates the owner of the directory
    root   The second instance indicates the group to which group permissions are applied

Understanding the difference between owner, group and world is important. Not understanding this can have big consequences on servers that host services to the Internet. Before we give a real-world example, let's first understand the permissions as they apply to directories and files. Please take a look at the following table, then continue with the instruction.

    Octal   Symbolic   Permission   Directory
    1       x          Execute      Enter the directory and access files
    4       r          Read         List the files within the directory
    2       w          Write        Delete or modify the files in a directory

Note − When files should be accessible for reading in a directory, it is common to apply read and execute permissions. Otherwise, the users will have difficulty working with the files. Leaving write disabled will assure files cannot be renamed, deleted, copied over, or have their permissions modified.
Applying Permissions to Directories and Files

When applying permissions, there are two concepts to understand:

- Symbolic Permissions
- Octal Permissions

In essence, each is the same, but a different way of referring to and assigning file permissions. For a quick guide, please study and refer to the following table:

               Read   Write   Execute
    Octal      4      2       1
    Symbolic   r      w       x

When assigning permissions using the octal method, use a three-digit number such as 760. The number 760 translates into: Owner: rwx; Group: rw; Other (or world): no permissions. Another scenario: 733 would translate to: Owner: rwx; Group: wx; Other: wx.

There is one drawback to permissions using the octal method. Existing permission sets cannot be modified. It is only possible to reassign the entire permission set of an object. Now you might wonder, what is wrong with always re-assigning permissions?

Imagine a large directory structure, for example /var/www/ on a production web server. We want to recursively take away the w (write) bit on all directories for Other, thus forcing it to be pro-actively added only when needed, as a security measure. If we re-assign the entire permission set, we take away all the other custom permissions assigned to every sub-directory. Hence, it will cause a problem for both the administrator and the users of the system. At some point, a person (or persons) would need to re-assign all the custom permissions that were wiped out by re-assigning the entire permission set for every directory and object.

In this case, we would want to use the symbolic method to modify permissions:

    chmod -R o-w /var/www/

The above command would not "overwrite permissions" but modify the current permission sets. So get accustomed to using the best practice:

- Octal only to assign permissions
- Symbolic to modify permission sets

It is important that a CentOS administrator be proficient with both octal and symbolic permissions, as permissions are important for the integrity of data and the entire operating system.
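To make the octal-versus-symbolic point concrete, here is an added example (not the tutorial's code) that builds a throwaway directory tree with mixed custom permissions and compares chmod -R o-w, the tutorial's command, against re-assigning a single octal mode; the tree layout under a temporary directory is constructed for the demonstration, and modes are read back with ls -ld as the tutorial does.

```bash
#!/bin/bash
# Added example, not from the tutorial: show why octal chmod re-assigns the
# whole permission set while symbolic chmod only modifies the bits named.
# A throwaway tree with deliberately different permissions stands in for
# the custom permissions found under a real /var/www.

# Symbolic mode string (e.g. drwxr-x---) of one path, via ls -ld.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Build the constructed tree under $1.
make_tree() {
    local root="$1"
    mkdir -p "$root/site/uploads" "$root/site/private"
    chmod 755 "$root/site"              # world may read and enter
    chmod 777 "$root/site/uploads"      # world-writable: the bit we want gone
    chmod 750 "$root/site/private"      # group-only: must survive untouched
}

# Symbolic: remove only the "other" write bit, everywhere, leaving the
# rest of each entry's mode exactly as it was.
strip_other_write() {
    chmod -R o-w "$1"
}

# Octal: re-assign one complete mode to every entry, wiping any custom
# permission the tree had (the situation the tutorial warns about).
reassign_octal() {
    chmod -R 750 "$1"
}

# Return 0 when no entry in the tree is world-writable (-perm -002).
no_other_write() {
    ! find "$1" -perm -002 | grep -q .
}

demo() {
    local work d
    work=$(mktemp -d)
    make_tree "$work/symbolic"; strip_other_write "$work/symbolic"
    make_tree "$work/octal";    reassign_octal   "$work/octal"
    printf '%-14s %-12s %-12s\n' path "after o-w" "after 750"
    for d in site site/uploads site/private; do
        printf '%-14s %-12s %-12s\n' "$d" \
            "$(mode_of "$work/symbolic/$d")" "$(mode_of "$work/octal/$d")"
    done
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

After o-w the uploads directory loses only its world write bit (drwxrwxr-x) and private keeps drwxr-x---; after 750 every directory reads drwxr-x--- and the distinctions are gone.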
If permissions are incorrect, the end result will be that both sensitive data and the entire operating system are compromised. With that covered, let's look at a few commands for modifying permissions and object owner/members:

- chmod
- chown
- chgrp
- umask

chmod : Change File Mode Permission Bits

    Command   Action
    -c        Like verbose, but will only report the changes made
    -v        Verbose, outputs the diagnostics for every request made
    -R        Recursively applies the operation on files and directories

chmod will allow us to change permissions of directories and files using octal or symbolic permission sets. We will use this to modify our assignment and uploads directories.

chown : Change File Owner and Group

    Command   Action
    -c        Like verbose, but will only report the changes made
    -v        Verbose, outputs the diagnostics for every request made
    -R        Recursively applies the operation on files and directories

chown can modify both the owning user and the group of objects. However, unless you need to modify both at the same time, chgrp is usually used for groups.

chgrp : Change Group Ownership of File or Directory

    Command
Resource Mgmt with cgroups
Linux Admin – Resource Mgmt with cgroups

cgroups, or Control Groups, are a feature of the Linux kernel that allows an administrator to allocate or cap the system resources for services and also for groups of processes.

To list the active control groups running, we can use the following ps command:

    [root@localhost]# ps xawf -eo pid,user,cgroup,args
    8362 root     -                              \_ [kworker/1:2]
       1 root     -                              /usr/lib/systemd/systemd --switched-root --system --deserialize 21
     507 root     7:cpuacct,cpu:/system.slice    /usr/lib/systemd/systemd-journald
     527 root     7:cpuacct,cpu:/system.slice    /usr/sbin/lvmetad -f
     540 root     7:cpuacct,cpu:/system.slice    /usr/lib/systemd/systemd-udevd
     715 root     7:cpuacct,cpu:/system.slice    /sbin/auditd -n
     731 root     7:cpuacct,cpu:/system.slice     \_ /sbin/audispd
     734 root     7:cpuacct,cpu:/system.slice         \_ /usr/sbin/sedispatch
     737 polkitd  7:cpuacct,cpu:/system.slice    /usr/lib/polkit-1/polkitd --no-debug
     738 rtkit    6:memory:/system.slice/rtki    /usr/libexec/rtkit-daemon
     740 dbus     7:cpuacct,cpu:/system.slice    /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Resource Management, as of CentOS 6.X, has been redefined with the systemd init implementation. When thinking about Resource Management for services, the main thing to focus on is cgroups. cgroups have advanced with systemd in both functionality and simplicity.

The goal of cgroups in resource management is that no one service can take the system, as a whole, down, and that no single service process (perhaps a poorly written PHP script) can cripple the server functionality by consuming too many resources.

cgroups allow resource control of units for the following resources:

- CPU − Limit CPU-intensive tasks that are not as critical as other, less intensive tasks
- Memory − Limit how much memory a service can consume
- Disks − Limit disk I/O

CPU Time: Tasks needing less CPU priority can have custom-configured CPU slices. Let's take a look at the following two services for example.
Polite CPU Service 1

    [root@localhost]# systemctl cat polite.service
    # /etc/systemd/system/polite.service
    [Unit]
    Description = Polite service limits CPU Slice and Memory
    After=remote-fs.target nss-lookup.target

    [Service]
    MemoryLimit = 1M
    ExecStart = /usr/bin/sha1sum /dev/zero
    ExecStop = /bin/kill -WINCH ${MAINPID}

    [Install]
    WantedBy=multi-user.target

    # /etc/systemd/system/polite.service.d/50-CPUShares.conf
    [Service]
    CPUShares = 1024
    [root@localhost]#

Evil CPU Service 2

    [root@localhost]# systemctl cat evil.service
    # /etc/systemd/system/evil.service
    [Unit]
    Description = I Eat You CPU
    After=remote-fs.target nss-lookup.target

    [Service]
    ExecStart = /usr/bin/md5sum /dev/zero
    ExecStop = /bin/kill -WINCH ${MAINPID}

    [Install]
    WantedBy=multi-user.target

    # /etc/systemd/system/evil.service.d/50-CPUShares.conf
    [Service]
    CPUShares = 1024
    [root@localhost]#

Let's set the Polite Service to a lesser CPU priority:

    systemctl set-property polite.service CPUShares=20

    /system.slice/polite.service   1   70.5   124.0K   -   -
    /system.slice/evil.service     1   99.5   304.0K   -   -

As we can see, over a period of normal system idle time, both rogue processes are still using CPU cycles. However, the one set to have fewer time-slices is using less CPU time. With this in mind, we can see how using a lesser time-slice would allow essential tasks better access to the system resources.

To set services for each resource, the set-property method takes the following parameters:

    systemctl set-property name parameter=value

    Resource                                          Parameter
    CPU Slices                                        CPUShares
    Memory Limit                                      MemoryLimit
    Soft Memory Limit                                 MemorySoftLimit
    Block IO Weight                                   BlockIOWeight
    Block Device Limit (specified in /volume/path)    BlockIODeviceWeight
    Read IO                                           BlockIOReadBandwidth
    Disk Write IO                                     BlockIOWriteBandwidth

Most often services will be limited by CPU use, memory limits and read/write IO.
After changing each, it is necessary to reload systemd and restart the service:

    systemctl set-property foo.service CPUShares=250
    systemctl daemon-reload
    systemctl restart foo.service

Configure CGroups in CentOS Linux

To make custom cgroups in CentOS Linux, we need to first install the services and configure them.

Step 1 − Install libcgroup (if not already installed).

    [root@localhost]# yum install libcgroup
    Package libcgroup-0.41-11.el7.x86_64 already installed and latest version
    Nothing to do
    [root@localhost]#

As we can see, by default CentOS 7 has libcgroup installed with the "everything" installer. Using a minimal installer will require us to install the libcgroup utilities along with any dependencies.

Step 2 − Start and enable the cgconfig service.

    [root@localhost]# systemctl enable cgconfig
    Created symlink from /etc/systemd/system/sysinit.target.wants/cgconfig.service to /usr/lib/systemd/system/cgconfig.service.
    [root@localhost]# systemctl start cgconfig
    [root@localhost]# systemctl status cgconfig
    ● cgconfig.service - Control Group configuration service
       Loaded: loaded (/usr/lib/systemd/system/cgconfig.service; enabled; vendor preset: disabled)
       Active: active (exited) since Mon 2017-01-23 02:51:42 EST; 1min 21s ago
     Main PID: 4692 (code=exited, status=0/SUCCESS)
       Memory: 0B
       CGroup: /system.slice/cgconfig.service

    Jan 23 02:51:42 localhost.localdomain systemd[1]: Starting Control Group configuration service...
    Jan 23 02:51:42 localhost.localdomain systemd[1]: Started Control Group configuration service.
    [root@localhost]#
Firewall Setup
Linux Admin – Firewall Setup

firewalld is the default front-end controller for iptables on CentOS. The firewalld front-end has two main advantages over raw iptables:

- Uses easy-to-configure and implement zones abstracting chains and rules.
- Rulesets are dynamic, meaning stateful connections are uninterrupted when the settings are changed and/or modified.

Remember, firewalld is a wrapper for iptables, not a replacement. While custom iptables commands can be used with firewalld, it is recommended to use firewalld so as not to break the firewall functionality.

First, let's make sure firewalld is both started and enabled.

    [root@CentOS rdc]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2017-01-26 21:42:05 MST; 3h 46min ago
         Docs: man:firewalld(1)
     Main PID: 712 (firewalld)
       Memory: 34.7M
       CGroup: /system.slice/firewalld.service
               └─712 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

We can see firewalld is both enabled (to start on boot) and currently running. If it is inactive or not started we can use:

    systemctl start firewalld && systemctl enable firewalld

Now that we have our firewalld service configured, let's assure it is operational.

    [root@CentOS]# firewall-cmd --state
    running
    [root@CentOS]#

We can see the firewalld service is fully functional.

Firewalld works on the concept of zones. A zone is applied to network interfaces through the Network Manager. We will discuss this in configuring networking. But for now, by default, changing the default zone will change any network adapters left in the default state of "Default Zone".

Let's take a quick look at each zone that comes out-of-the-box with firewalld.

1. drop − Low trust level. All incoming connections and packets are dropped and only outgoing connections are possible via statefulness.
2. block − Incoming connections are replied to with an ICMP message letting the initiator know the request is prohibited.
3. public − All networks are restricted. However, selected incoming connections can be explicitly allowed.
4. external − Configures firewalld for NAT. The internal network remains private but reachable.
5. dmz − Only certain incoming connections are allowed. Used for systems in DMZ isolation.
6. work − By default, trust more computers on the network, assuming the system is in a secured work environment.
7. home − By default, more services are unfiltered, assuming the system is on a home network where services such as NFS, SAMBA and SSDP will be used.
8. trusted − All machines on the network are trusted. Most incoming connections are allowed unfettered. This is not meant for interfaces exposed to the Internet.

The most common zones to use are: public, drop, work, and home. Some scenarios where each common zone would be used are:

public − It is the most common zone used by an administrator. It will let you apply custom settings and abide by RFC specifications for operations on a LAN.

drop − A good example of when to use drop is at a security conference, on public WiFi, or on an interface connected directly to the Internet. drop assumes all unsolicited requests are malicious, including ICMP probes. So any request out of state will not receive a reply. The downside of drop is that it can break the functionality of applications in certain situations requiring strict RFC compliance.

work − You are on a semi-secure corporate LAN, where all traffic can be assumed moderately safe. This means it is not WiFi and we possibly have IDS, IPS, and physical security or 802.1x in place. We also should be familiar with the people using the LAN.

home − You are on a home LAN. You are personally accountable for every system and user on the LAN. You know every machine on the LAN and that none have been compromised. Often new services are brought up for media sharing amongst trusted individuals and you don't need to take extra time for the sake of security.

Zones and network interfaces work on a one-to-many level. One network interface can only have a single zone applied to it at a time, while a zone can be applied to many interfaces simultaneously.

Let's see what zones are available and which zone is currently applied as the default.

    [root@CentOS]# firewall-cmd --get-zones
    work drop internal external trusted home dmz public block
    [root@CentOS]# firewall-cmd --get-default-zone
    public
    [root@CentOS]#

Ready to add some customized rules in firewalld? First, let's see what our box looks like to a port scanner from outside.

    bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1

    Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:36 MST
    Nmap scan report for centos.shared (10.211.55.1)
    Host is up (0.00046s latency).
    Not shown: 1023 filtered ports
    PORT   STATE SERVICE
    22/tcp open  ssh

    Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds
    bash-3.2#

Let's allow incoming requests to port 80. First, check to see what zone is applied as default.

    [root@CentOS]# firewall-cmd --get-default-zone
    public
    [root@CentOS]#

Then, set the rule allowing port 80 in the current default zone.

    [root@CentOS]# firewall-cmd --zone=public --add-port=80/tcp
    success
    [root@CentOS]#

Note that without --permanent this rule lives in the runtime configuration only and is gone after a firewalld reload or a reboot.

Now, let's check our box after allowing port 80 connections.

    bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1

    Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:42 MST
    Nmap scan report for centos.shared (10.211.55.1)
    Host is up (0.00053s latency).
    Not shown: 1022 filtered ports
    PORT   STATE SERVICE
    22/tcp open  ssh
Shell Scripting
Linux Admin – Shell Scripting

Introduction to Bash Shell

Like flavors of GNU Linux, shells come in many varieties and vary in compatibility. The default shell in CentOS is known as Bash, or the Bourne Again Shell. The Bash shell is a modern-day, modified version of the Bourne Shell developed by Stephen Bourne. Bash was the direct replacement for the original Thompson Shell on the Unix operating system developed at Bell Labs by Ken Thompson and Dennis Ritchie (Stephen Bourne was also employed by Bell Labs).

Everyone has a favorite shell and each has its strengths and difficulties. But for the most part, Bash is going to be the default shell across all Linux distributions and the most commonly available. With experience, everyone will want to explore and use a shell that is best for them. At the same time, however, everyone will also want to master the Bash shell. Other Linux shells include: Tcsh, Csh, Ksh, Zsh, and Fish.

Developing skills to use any Linux shell at an expert level is extremely important to a CentOS administrator. As we mentioned previously, unlike Windows, Linux at its heart is a command-line operating system. A shell is simply a user interface that allows an administrator (or user) to issue commands to the operating system. If a Linux system administrator were an airline pilot, using the shell would be similar to taking the plane off auto-pilot and grabbing the manual controls for more maneuverable flight.

A Linux shell, like Bash, is known in Computer Science terms as a Command Line Interpreter. Microsoft Windows also has two command line interpreters called DOS (not to be confused with the original DOS operating system) and PowerShell. Most modern shells like Bash provide constructs allowing more complex shell scripts to automate both common and complex tasks.
Constructs include:

- Script flow control (if, then and else)
- Logical comparison operations (greater than, less than, equality)
- Loops
- Variables
- Parameters defining operation (similar to switches with commands)

Using Shell Script Versus Scripting Language

Often when thinking about performing a task, administrators ask themselves: Should I use a shell script or a scripting language such as Perl, Ruby or Python? There is no set rule here. There are only typical differences between shells versus scripting languages.

Shell

A shell allows the use of Linux commands such as sed, grep, tee, cat and all other command-line based utilities on the Linux operating system. In fact, pretty much any command line Linux utility can be scripted in your shell. A great example of using a shell would be a quick script to check a list of hosts for DNS resolution.

Our simple Bash script to check DNS names:

    #!/bin/bash
    # Usage: ./dns-check.sh <wordlist> <domain>
    # Each line of the wordlist is tried as <name>.<domain>
    for name in $(cat "$1"); do
        echo "-doing $name"
        host "$name.$2" | grep "has address"
    done
    exit 0

A small wordlist to test DNS resolution on (dns-names.txt, one name per line):

    dns
    www
    test
    dev
    mail
    rdp
    remote

Output against the google.com domain:

    [rdc@centos ~]$ ./dns-check.sh dns-names.txt google.com
    -doing dns
    dns.google.com has address 172.217.6.46
    -doing www
    www.google.com has address 172.217.6.36
    -doing test
    -doing dev
    -doing mail
    googlemail.l.google.com has address 172.217.6.37
    -doing rdp
    -doing remote
    [rdc@centos ~]$

Leveraging simple Linux commands in our shell, we were able to make a simple 5-line script to audit DNS names from a word list. This would have taken considerable time in Perl, Python, or Ruby even when using a nicely implemented DNS library.

Scripting Language

A scripting language will give more control outside the shell. The above Bash script used a wrapper around the Linux host command. What if we wanted to do more and make our own application like host to interact outside the shell? This is where we would use a scripting language.
Also, with a highly maintained scripting language we know our actions will work across different systems for the most part. Python 3.5, for example, will work on any other system running Python 3.5 with the same libraries installed. Not so, if we want to run our Bash script on both Linux and HP-UX.

Sometimes the lines between a scripting language and a powerful shell can be blurred. It is possible to automate CentOS Linux administration tasks with Python, Perl or Ruby. Doing so is really quite commonplace. Also, affluent shell-script developers have made a simple, but otherwise functional, web-server daemon in Bash.

With experience in scripting languages and automating tasks in shells, a CentOS administrator will be able to quickly determine where to start when needing to solve a problem. It is quite common to start a project with a shell script, then progress to a scripting (or compiled) language as the project gets more complex. Also, it is fine to use both a scripting language and a shell script for different parts of a project. An example could be a Perl script to scrape a website, then a shell script to parse and format with sed, awk, and egrep, and finally a PHP script for inserting the formatted data into a MySQL database using a web GUI.

With some theory behind shells, let's get started with the basic building blocks to automate tasks from a Bash shell in CentOS.

Input Output and Redirection

Processing stdout to another command:

    [rdc@centos ~]$ cat ~/output.txt | wc -l
    6039
    [rdc@centos ~]$

Above, we have passed cat's stdout to wc for processing with the pipe character. wc then processed the output from cat, printing the line count of output.txt to the terminal. Think of the pipe character as a "pipe" passing output from one command, to be processed by the next command.

Following are the key concepts to remember when dealing with command redirection:

    Number   File
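The added example below (not from the tutorial) exercises the three standard file descriptors with a helper that writes to both stdout and stderr; the helper name noisy and the temporary files are this example's own assumptions. It goes beyond the page's single pipe to show the 2>&1 ordering pitfall and how a pipeline hides the first command's exit status.

```bash
#!/bin/bash
# Added example, not from the tutorial: the three standard file descriptors
# (0 stdin, 1 stdout, 2 stderr) in practice. "noisy" writes one line to
# fd 1, one to fd 2, and exits non-zero, so each redirection's effect shows.

noisy() {
    echo "normal output"
    echo "error output" >&2
    return 3
}

# Only fd 1 goes through a pipe. fd 2 is sent to /dev/null here so the
# count shows just the stdout line.
lines_through_pipe() {
    noisy 2>/dev/null | wc -l | tr -d ' '
}

# "2>&1" copies fd 2 onto whatever fd 1 points at *at that moment*. After
# ">file" it points at the file, so both lines land there (count 2).
merged_into_file() {
    noisy >"$1" 2>&1 || true      # noisy's non-zero exit is expected
    wc -l <"$1" | tr -d ' '
}

# Written the other way round, fd 2 is copied onto the original stdout
# before fd 1 is moved to the file: the error line "leaks". The $( ) here
# captures exactly what that original stdout received.
wrong_order_merge() {
    local leaked
    leaked=$(noisy 2>&1 >"$1" || true)
    printf 'file=%s leaked=%s\n' "$(wc -l <"$1" | tr -d ' ')" "$leaked"
}

# A pipeline's exit status is the last command's, so noisy's 3 is hidden
# behind wc's 0. bash offers "set -o pipefail"; this portable form records
# the first command's status in a file instead.
pipeline_status() {
    local st
    ( set +e; noisy 2>/dev/null; echo $? >"$1" ) | wc -l >/dev/null
    st=$?
    printf 'pipeline=%s first_command=%s\n' "$st" "$(cat "$1")"
}

# fd 0: "<file" hands the file to the command's stdin, which is what the
# tutorial's "cat file | wc -l" achieves with one extra process.
lines_from_stdin() {
    wc -l <"$1" | tr -d ' '
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    echo "through pipe: $(lines_through_pipe)"
    echo "merged:       $(merged_into_file "$tmp/both")"
    echo "wrong order:  $(wrong_order_merge "$tmp/one")"
    echo "status:       $(pipeline_status "$tmp/st")"
    rm -rf "$tmp"
fi
```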
Install Anonymous FTP
Linux Admin – Install Anonymous FTP

Before delving into installing FTP on CentOS, we need to learn a little about its use and security. FTP is a really efficient and well-refined protocol for transferring files between computer systems. FTP has been used and refined for a few decades now. For transferring files efficiently over a network with latency, or for sheer speed, FTP is a great choice. More so than either SAMBA or SMB.

However, FTP does possess some security issues. Actually, some serious security issues. FTP uses a really weak plain-text authentication method. It is for this reason that authenticated sessions should rely on sFTP or FTPS, where TLS is used for end-to-end encryption of the login and transfer sessions.

With the above caveats, plain old FTP still has its use in the business environment today. The main use is anonymous FTP file repositories. This is a situation where no authentication is warranted to download or upload files. Some examples of anonymous FTP use are:

- Large software companies still use anonymous FTP repositories allowing Internet users to download shareware and patches.
- Allowing Internet users to upload and download public documents.
- Some applications will automatically send encrypted, archived logs or configuration files to a repository via FTP.

Hence, as a CentOS administrator, being able to install and configure FTP is still a desired skill.

We will be using an FTP daemon called vsFTP, or Very Secure FTP Daemon. vsFTP has been in development for a while. It has a reputation for being secure, easy to install and configure, and reliable.

Step 1 − Install vsFTPd with the YUM Package Manager.

    [root@centos]# yum -y install vsftpd.x86_64

Step 2 − Configure vsFTP to Start on Boot with systemctl.

    [root@centos]# systemctl start vsftpd
    [root@centos]# systemctl enable vsftpd
    Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
Step 3 − Configure FirewallD to allow FTP control and transfer sessions. [root@centos]# firewall-cmd –add-service=ftp –permanent success [root@centos]# Assure our FTP daemon is running. [root@centos]# netstat -antup | grep vsftp tcp6 0 0 :::21 :::* LISTEN 13906/vsftpd [root@centos]# Step 4 − Configure vsFTPD For Anonymous Access. Create a root FTP directory [root@centos]# mkdir /ftp Change owner and group of FTP root to ftp [root@centos]# chown ftp:ftp /ftp Set minimal permissions for FTP root: [root@centos]# chmod -R 666 /ftp/ [root@centos]# ls -ld /ftp/ drw-rw-rw-. 2 ftp ftp 6 Feb 27 02:01 /ftp/ [root@centos]# In this case, we gave users read/write access to the entire root FTP tree. Configure /etc/vsftpd/vsftpd.conf” [root@centos]# vim /etc/vsftpd/vsftpd.conf # Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd”s # capabilities. We will want to change the following directives in the vsftp.conf file. Enable Anonymous uploading by uncommenting anon_mkdir_write_enable=YES chown uploaded files to owned by the system ftp user chown_uploads = YES chown_username = ftp Change system user used by vsftp to the ftp user: nopriv_user = ftp Set the custom banner for the user to read before signing in. ftpd_banner = Welcome to our Anonymous FTP Repo. All connections are monitored and logged. Let”s set IPv4 connections only − listen = YES listen_ipv6 = NO Now, we need to restart or HUP the vsftp service to apply our changes. [root@centos]# systemctl restart vsftpd Let”s connect to our FTP host and make sure our FTP daemon is responding. [root@centos rdc]# ftp 10.0.4.34 Connected to localhost (10.0.4.34). 220 Welcome to our Anonymous FTP Repo. 
All connections are monitored and logged.
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
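Once the daemon answers, it is worth checking the configuration file itself rather than trusting the banner. The following Python script is an added example for this chapter, not code from the tutorial or from the vsftpd project. It parses the key=value format vsftpd uses (rejecting lines with whitespace around the equals sign, as vsftpd does at start-up), then reports what an anonymous client will be allowed to do. SAMPLE_CONF is constructed for the demo and modeled on the directives set above; the compiled-in defaults in DEFAULTS are taken from vsftpd.conf(5).

```python
"""Audit an anonymous vsftpd configuration (added example, not from the tutorial)."""
import re

# vsftpd accepts exactly "key=value" per line; '#' starts a comment.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")

# Constructed sample, modeled on the settings used in the tutorial.
SAMPLE_CONF = """\
# constructed sample vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
chown_username=ftp
nopriv_user=ftp
ftpd_banner=Welcome to our Anonymous FTP Repo. All connections are monitored and logged.
listen=YES
listen_ipv6=NO
xferlog_enable=YES
"""

# Compiled-in defaults that matter for this audit (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO", "chown_uploads": "NO",
    "ssl_enable": "NO", "xferlog_enable": "NO",
    "nopriv_user": "nobody", "ftp_username": "ftp",
}


def parse_vsftpd_conf(text):
    """Return (settings, rejected). rejected lists (lineno, line) pairs that
    vsftpd itself would refuse, e.g. 'chown_uploads = YES' with spaces."""
    settings, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m is None:
            rejected.append((lineno, raw))
            continue
        settings[m.group(1)] = m.group(2)
    return settings, rejected


def _on(settings, key):
    """True when a boolean directive is YES, falling back to the default."""
    return settings.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def audit_anonymous_ftp(settings):
    """Return findings as (code, message) tuples, in a fixed order."""
    findings = []
    anon = _on(settings, "anonymous_enable")
    if anon and (_on(settings, "anon_upload_enable")
                 or _on(settings, "anon_mkdir_write_enable")):
        findings.append(("ANON_WRITE", "anonymous clients can write to the FTP "
                         "root; watch disk usage and review uploaded content"))
        # Without chown_uploads, uploads stay owned by the anonymous login user.
        owner = (settings.get("chown_username", "root") if _on(settings, "chown_uploads")
                 else settings.get("ftp_username", DEFAULTS["ftp_username"]))
        findings.append(("UPLOAD_OWNER", "anonymous uploads will be owned by '%s'" % owner))
    if anon and _on(settings, "anon_other_write_enable"):
        findings.append(("ANON_DELETE", "anonymous clients may delete and rename files"))
    if _on(settings, "local_enable") and not _on(settings, "ssl_enable"):
        findings.append(("PLAINTEXT_LOGIN", "local account logins allowed without TLS; "
                         "passwords cross the network in plain text (use FTPS or SFTP)"))
    if settings.get("nopriv_user", DEFAULTS["nopriv_user"]) == "root":
        findings.append(("NOPRIV_ROOT", "nopriv_user must be an unprivileged account"))
    if not _on(settings, "xferlog_enable"):
        findings.append(("NO_XFERLOG", "transfer logging is off; enable xferlog_enable "
                         "so the 'all connections are logged' banner is true"))
    return findings


if __name__ == "__main__":
    conf, bad = parse_vsftpd_conf(SAMPLE_CONF)
    for lineno, line in bad:
        print("line %d would be rejected by vsftpd: %r" % (lineno, line))
    for code, msg in audit_anonymous_ftp(conf):
        print("%-16s %s" % (code, msg))
```

Run it against a real file with `parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read())`; the PLAINTEXT_LOGIN finding is the configuration-level view of the caveat at the top of this chapter, and ANON_WRITE is the reason the disk quota chapter later on matters for an upload repository.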
Resource Mgmt with systemctl
systemctl is the utility used to control systemd. systemctl provides CentOS administrators with the ability to perform a multitude of operations on systemd, including −

Configure systemd units
Get the status of systemd units
Start and stop services
Enable / disable systemd services for runtime, etc.

The command syntax for systemctl is pretty basic, but can get tangled with switches and options. We will present the most essential functions of systemctl needed for administering CentOS Linux.

Basic systemctl syntax −

systemctl [OPTIONS] COMMAND [NAME]

Following are the common commands used with systemctl −

start
stop
restart
reload
status
is-active
list-units
enable
disable
cat
show

We have already discussed start, stop, reload, restart, enable and disable with systemctl. So let's go over the remaining commonly used commands.

status

In its most simple form, the status command can be used to see the system status as a whole −

[root@localhost rdc]# systemctl status
● localhost.localdomain
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Thu 2017-01-19 19:14:37 EST; 4h 5min ago
   CGroup: /
           ├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
           ├─user.slice
           │ └─user-1002.slice
           │   └─session-1.scope
           │     ├─2869 gdm-session-worker [pam/gdm-password]
           │     ├─2881 /usr/bin/gnome-keyring-daemon --daemonize --login
           │     ├─2888 gnome-session --session gnome-classic
           │     ├─2895 dbus-launch --sh-syntax --exit-with-session

The above output has been condensed. In the real world, systemctl status will output about 100 lines of treed process statuses.
Let's say we want to check the status of our firewall service −

[root@localhost rdc]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-01-19 19:14:55 EST; 4h 12min ago
     Docs: man:firewalld(1)
 Main PID: 825 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─825 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

As you see, our firewall service is currently active and has been for over 4 hours.

list-units

The list-units command allows us to list all the units of a certain type. Let's check for sockets managed by systemd −

[root@localhost]# systemctl list-units --type=socket
UNIT                         LOAD   ACTIVE SUB       DESCRIPTION
avahi-daemon.socket          loaded active running   Avahi mDNS/DNS-SD Stack Activation Socket
cups.socket                  loaded active running   CUPS Printing Service Sockets
dbus.socket                  loaded active running   D-Bus System Message Bus Socket
dm-event.socket              loaded active listening Device-mapper event daemon FIFOs
iscsid.socket                loaded active listening Open-iSCSI iscsid Socket
iscsiuio.socket              loaded active listening Open-iSCSI iscsiuio Socket
lvm2-lvmetad.socket          loaded active running   LVM2 metadata daemon socket
lvm2-lvmpolld.socket         loaded active listening LVM2 poll daemon socket
rpcbind.socket               loaded active listening RPCbind Server Activation Socket
systemd-initctl.socket       loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket      loaded active running   Journal Socket
systemd-shutdownd.socket     loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket loaded active running   udev Control Socket
systemd-udevd-kernel.socket  loaded active running   udev Kernel Socket
virtlockd.socket             loaded active listening Virtual machine lock manager socket
virtlogd.socket              loaded active listening Virtual machine log manager socket

Now let's check the currently running services −

[root@localhost rdc]# systemctl list-units --type=service
UNIT                    LOAD   ACTIVE SUB     DESCRIPTION
abrt-ccpp.service       loaded active exited  Install ABRT coredump hook
abrt-oops.service       loaded active running ABRT kernel log watcher
abrt-xorg.service       loaded active running ABRT Xorg log watcher
abrtd.service           loaded active running ABRT Automated Bug Reporting Tool
accounts-daemon.service loaded active running Accounts Service
alsa-state.service      loaded active running Manage Sound Card State (restore and store)
atd.service             loaded active running Job spooling tools
auditd.service          loaded active running Security Auditing Service

is-active

The is-active command is an example of the systemctl commands designed to return the status information of a unit.

[root@localhost rdc]# systemctl is-active ksm.service
active

cat

cat is one of the more seldom used commands. Instead of using cat at the shell and typing the path to a unit file, simply use systemctl cat.

[root@localhost]# systemctl cat firewalld
# /usr/lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
Documentation=man:firewalld(1)

[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1

[Install]
WantedBy=basic.target
Alias=dbus-org.fedoraproject.FirewallD1.service
[root@localhost]#

Now that we have explored both systemd and systemctl in more detail, let's use them to manage the resources in cgroups or control groups.
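When these listings are fed into a monitoring job rather than read by eye, they have to be parsed. The following Python script is an added example for this chapter, not code from the tutorial or from systemd. It parses the table printed by systemctl list-units into records (handling the leading ● that marks a failed unit, and stopping before the legend that follows the table), answers is-active style questions from it, and parses the unit file printed by systemctl cat so that repeated keys such as Before= and space-separated lists such as Conflicts= come out as lists. Both samples are constructed and modeled on the output above; the failed vsftpd.service row is invented for the demo.

```python
"""Parse 'systemctl list-units' and 'systemctl cat' output (added example)."""
import re

# Constructed sample: rows modeled on the chapter's listing, plus an invented
# failed unit, followed by the legend systemctl prints after the table.
SAMPLE_LIST_UNITS = """\
  UNIT                    LOAD   ACTIVE SUB     DESCRIPTION
  abrt-ccpp.service       loaded active exited  Install ABRT coredump hook
  abrtd.service           loaded active running ABRT Automated Bug Reporting Tool
  auditd.service          loaded active running Security Auditing Service
  firewalld.service       loaded active running firewalld - dynamic firewall daemon
● vsftpd.service          loaded failed failed  Vsftpd ftp daemon

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

5 loaded units listed. Pass --all to see loaded but inactive units, too.
"""

# Constructed sample, abridged from the firewalld unit shown in the chapter.
SAMPLE_UNIT_FILE = """\
# /usr/lib/systemd/system/firewalld.service
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
After=dbus.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service

[Service]
EnvironmentFile=-/etc/sysconfig/firewalld
ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
Type=dbus

[Install]
WantedBy=basic.target
"""

# unit names always carry a type suffix (.service, .socket, ...), which is
# what separates real rows from the header and the legend.
_UNIT_ROW = re.compile(r"^[●*]?\s*(\S+\.\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
_COLUMNS = ("unit", "load", "active", "sub", "description")


def parse_list_units(text):
    """Return one dict per unit row; the legend after the blank line is skipped."""
    units = []
    for line in text.splitlines():
        if not line.strip():
            break
        m = _UNIT_ROW.match(line.strip())
        if m:
            units.append(dict(zip(_COLUMNS, m.groups())))
    return units


def is_active(units, name):
    """Mirror 'systemctl is-active NAME' from parsed rows ('unknown' if absent)."""
    for u in units:
        if u["unit"] == name:
            return u["active"]
    return "unknown"


def not_active(units):
    """Units worth alerting on: anything whose ACTIVE column is not 'active'."""
    return [u["unit"] for u in units if u["active"] != "active"]


def parse_unit_file(text):
    """Return (source_path, sections); every key maps to a list of values."""
    source, sections, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":
            if source is None and line.startswith("# /"):
                source = line[2:]          # systemctl cat prints the path first
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")   # systemd trims whitespace around '='
        sections.setdefault(current, {}).setdefault(key.strip(), []).append(value.strip())
    return source, sections


def ordering(sections):
    """Flatten the [Unit] dependency directives into plain lists of unit names."""
    unit = sections.get("Unit", {})
    return {key: [n for v in unit.get(key, []) for n in v.split()]
            for key in ("Before", "After", "Conflicts", "Requires", "Wants")}


if __name__ == "__main__":
    rows = parse_list_units(SAMPLE_LIST_UNITS)
    print("not active:", not_active(rows))
    path, sections = parse_unit_file(SAMPLE_UNIT_FILE)
    print(path, ordering(sections)["Conflicts"])
```

The Conflicts= list is the interesting one from an operations standpoint: it records that firewalld and the iptables/ip6tables/ebtables/ipset services cannot be active at the same time, which is why switching firewall back-ends on CentOS 7 is done with systemctl rather than by editing rules.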
Quota Management
CentOS disk quotas can do both: alert the system administrator and deny further disk-storage access to a user before disk capacity is exceeded. When a disk is full, depending on what resides on the disk, an entire system can come to a screeching halt until recovered.

Enabling quota management in CentOS Linux is basically a 4 step process −

Step 1 − Enable quota management for groups and users in /etc/fstab.
Step 2 − Remount the filesystem.
Step 3 − Create the quota database and generate the disk usage table.
Step 4 − Assign quota policies.

Enable Quota Management in /etc/fstab

First, we want to back up our /etc/fstab file −

[root@centosLocal centos]# cp -r /etc/fstab ./

We now have a copy of our known working /etc/fstab in the current working directory.

#
# /etc/fstab
# Created by anaconda on Sat Dec 17 02:44:51 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/cl-root     /       xfs     defaults        0 0
UUID=4b9a40bc-9480-4    /boot   xfs     defaults        0 0
/dev/mapper/cl-home     /home   xfs     defaults,usrquota,grpquota      0 0
/dev/mapper/cl-swap     swap    swap    defaults        0 0

We made the following changes in the options section of /etc/fstab for the volume or label to which quotas are to be applied for users and groups −

usrquota
grpquota

As you can see, we are using the xfs filesystem. When using xfs there are extra manual steps involved. /home is on the same disk as /. Further investigation shows / is set for noquota, which is a kernel level mounting option. We must re-configure our kernel boot options.
[root@localhost rdc]# mount | grep " / "
/dev/mapper/cl-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
[root@localhost rdc]#

Reconfiguring Kernel Boot Options for XFS File Systems

This step is only necessary under two conditions −

When the disk/partition we are enabling quotas on is using the xfs file system
When the kernel is passing the noquota parameter to /etc/fstab at boot time

Step 1 − Make a backup of /etc/default/grub.

cp /etc/default/grub ~/

Step 2 − Modify /etc/default/grub. Here is the default file.

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

We want to modify the following line −

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rhgb quiet"

to

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rhgb quiet rootflags=usrquota,grpquota"

Note − It is important that we copy these changes verbatim. After we reconfigure grub.cfg, our system will fail to boot if any errors were made in the configuration. Please try this part of the tutorial on a non-production system.

Step 3 − Back up your working grub.cfg −

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak

Make a new grub.cfg −

[root@localhost rdc]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-dbba7fa47f73457b96628ba8f3959bfd
Found initrd image: /boot/initramfs-0-rescue-dbba7fa47f73457b96628ba8f3959bfd.img
done
[root@localhost rdc]#

Reboot −

[root@localhost rdc]# reboot

If all modifications were precise, we should now have the ability to add quotas to the xfs file system.
[rdc@localhost ~]$ mount | grep " / "
/dev/mapper/cl-root on / type xfs (rw,relatime,seclabel,attr2,inode64,usrquota,grpquota)
[rdc@localhost ~]$

We have passed the usrquota and grpquota parameters via grub. Now, again edit /etc/fstab to include /, since /home is on the same physical disk.

/dev/mapper/cl-root     /       xfs     defaults,usrquota,grpquota      0 0

Now let's enable the quota databases.

[root@localhost rdc]# quotacheck -acfvugM

Make sure quotas are enabled.

[root@localhost rdc]# quotaon -ap
group quota on / (/dev/mapper/cl-root) is on
user quota on / (/dev/mapper/cl-root) is on
group quota on /home (/dev/mapper/cl-home) is on
user quota on /home (/dev/mapper/cl-home) is on
[root@localhost rdc]#

Remount the File System

If the partition or disk is separate from the actively booted partition, we can remount without rebooting. If the quota was configured on a disk/partition booted in the root directory /, we may need to reboot the operating system. Whether forcing a remount is enough to apply the changes, or a reboot is needed, varies with the filesystem and where it is mounted.

[rdc@localhost ~]$ df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/mapper/cl-root  22447404 4081860  18365544  19% /
devtmpfs               903448       0    903448   0% /dev
tmpfs                  919308     100    919208   1% /dev/shm
tmpfs                  919308    9180    910128   1% /run
tmpfs                  919308       0    919308   0% /sys/fs/cgroup
/dev/sda2             1268736  176612   1092124  14% /boot
/dev/mapper/cl-var    4872192  158024   4714168   4% /var
/dev/mapper/cl-home  18475008   37284  18437724   1% /home
tmpfs                  183864       8    183856   1% /run/user/1000
[rdc@localhost ~]$

As we can see, LVM volumes are in use. So it's simple to just reboot. This will remount /home and load the /etc/fstab configuration changes into the active configuration.

Create Quota Database Files

CentOS is now capable of working with disk quotas on /home. To enable full quota support, we must run the quotacheck command.

quotacheck will create two files −

aquota.user
aquota.group

These are used to store quota information for the quota enabled disks/partitions.
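The "/ is set for noquota" discovery above is the kind of check that is easy to forget on the next host. The following Python script is an added example for this chapter, not code from the tutorial. It compares the quota options requested in /etc/fstab with what mount reports, singles out the xfs-root case where only a rootflags= kernel parameter will help, and performs the GRUB_CMDLINE_LINUX edit from the previous section on the text of /etc/default/grub. The fstab, mount and grub samples are constructed and modeled on the listings in this chapter; the /boot UUID is a placeholder.

```python
"""Verify that fstab quota options are live, and prepare the grub edit (added example)."""
import re

# Constructed /etc/fstab, modeled on the chapter (placeholder UUID for /boot).
SAMPLE_FSTAB = """\
#
# /etc/fstab (constructed sample)
#
/dev/mapper/cl-root       /       xfs     defaults,usrquota,grpquota  0 0
UUID=00000000-PLACEHOLDER /boot   xfs     defaults                    0 0
/dev/mapper/cl-home       /home   xfs     defaults,usrquota,grpquota  0 0
/dev/mapper/cl-swap       swap    swap    defaults                    0 0
"""

# 'mount' output before the rootflags change: the kernel mounted / with noquota.
SAMPLE_MOUNT_BEFORE = """\
/dev/mapper/cl-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/cl-home on /home type xfs (rw,relatime,seclabel,attr2,inode64,usrquota,grpquota)
"""

# The same system after grub2-mkconfig and a reboot.
SAMPLE_MOUNT_AFTER = SAMPLE_MOUNT_BEFORE.replace(
    "inode64,noquota)\n/dev/sda2", "inode64,usrquota,grpquota)\n/dev/sda2")

SAMPLE_GRUB_DEFAULT = """\
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=cl/root rd.lvm.lv=cl/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
"""

QUOTA_OPTS = ("usrquota", "grpquota")
_MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")


def parse_fstab(text):
    """Return a dict per entry: device, mountpoint, fstype and the option set."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            entries.append({"device": fields[0], "mountpoint": fields[1],
                            "fstype": fields[2], "options": set(fields[3].split(","))})
    return entries


def parse_mount(text):
    """Map each mountpoint in 'mount' output to its fstype and live option set."""
    mounted = {}
    for line in text.splitlines():
        m = _MOUNT_LINE.match(line.strip())
        if m:
            mounted[m.group(2)] = {"fstype": m.group(3), "options": set(m.group(4).split(","))}
    return mounted


def quota_findings(fstab_entries, mounted):
    """Return (mountpoint, problem) pairs where requested quota options are not live."""
    findings = []
    for e in fstab_entries:
        wanted = [o for o in QUOTA_OPTS if o in e["options"]]
        if not wanted:
            continue
        live = mounted.get(e["mountpoint"])
        if live is None:
            findings.append((e["mountpoint"], "not mounted"))
            continue
        missing = [o for o in wanted if o not in live["options"]]
        if "noquota" in live["options"] or missing:
            if e["fstype"] == "xfs" and e["mountpoint"] == "/":
                # fstab options are not enough for an xfs root: the kernel decides
                # at boot, so the flags must travel on the kernel command line.
                findings.append(("/", "xfs root mounted with noquota: add rootflags="
                                 + ",".join(wanted)
                                 + " to GRUB_CMDLINE_LINUX, regenerate grub.cfg and reboot"))
            else:
                findings.append((e["mountpoint"], "remount needed: missing " + ",".join(missing)))
    return findings


def add_rootflags(cmdline, flags="usrquota,grpquota"):
    """Append rootflags=... to a kernel command line unless one is already present."""
    if re.search(r"(^|\s)rootflags=", cmdline):
        return cmdline
    return cmdline + " rootflags=" + flags


def grub_default_with_rootflags(text, flags="usrquota,grpquota"):
    """Return /etc/default/grub text with rootflags added to GRUB_CMDLINE_LINUX."""
    return re.sub(r'^GRUB_CMDLINE_LINUX="([^"]*)"$',
                  lambda m: 'GRUB_CMDLINE_LINUX="%s"' % add_rootflags(m.group(1), flags),
                  text, flags=re.M)


if __name__ == "__main__":
    fstab = parse_fstab(SAMPLE_FSTAB)
    for mp, problem in quota_findings(fstab, parse_mount(SAMPLE_MOUNT_BEFORE)):
        print("%-6s %s" % (mp, problem))
    print(grub_default_with_rootflags(SAMPLE_GRUB_DEFAULT))
```

On a live host, feed it `open("/etc/fstab").read()` and the output of `mount`; an empty findings list is the state the chapter reaches after the reboot. The grub rewrite only touches the GRUB_CMDLINE_LINUX line and leaves an existing rootflags= alone, which keeps the edit idempotent and reduces the chance of the unbootable-system mistake the note above warns about.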
Following are the common quotacheck switches.

Switch   Action
-u       Checks for user quotas
-g       Checks for group quotas
-c       Creates the quota files for each file system that has quotas enabled
-v       Displays verbose output

Add Quota Limits Per User

For this, we will use the edquota command, followed by the username −

[root@localhost rdc]# edquota centos
Disk quotas for user centos (uid 1000):
  Filesystem                   blocks       soft       hard