<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.5: http://docutils.sourceforge.net/" />
<title>RHCSA / RHCE Preparation</title>
<style type="text/css">
/*
:Author: David Goodger (goodger@python.org)
:Id: $Id: html4css1.css 5196 2007-06-03 20:25:28Z wiemann $
:Copyright: This stylesheet has been placed in the public domain.
Default cascading style sheet for the HTML output of Docutils.
See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
customize this style sheet.
*/
/* used to remove borders from tables and images */
.borderless, table.borderless td, table.borderless th {
border: 0 }
table.borderless td, table.borderless th {
/* Override padding for "table.docutils td" with "! important".
The right padding separates the table cells. */
padding: 0 0.5em 0 0 ! important }
.first {
/* Override more specific margin styles with "! important". */
margin-top: 0 ! important }
.last, .with-subtitle {
margin-bottom: 0 ! important }
.hidden {
display: none }
a.toc-backref {
text-decoration: none ;
color: black }
blockquote.epigraph {
margin: 2em 5em ; }
dl.docutils dd {
margin-bottom: 0.5em }
/* Uncomment (and remove this text!) to get bold-faced definition list terms
dl.docutils dt {
font-weight: bold }
*/
div.abstract {
margin: 2em 5em }
div.abstract p.topic-title {
font-weight: bold ;
text-align: center }
div.admonition, div.attention, div.caution, div.danger, div.error,
div.hint, div.important, div.note, div.tip, div.warning {
margin: 2em ;
border: medium outset ;
padding: 1em }
div.admonition p.admonition-title, div.hint p.admonition-title,
div.important p.admonition-title, div.note p.admonition-title,
div.tip p.admonition-title {
font-weight: bold ;
font-family: sans-serif }
div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title {
color: red ;
font-weight: bold ;
font-family: sans-serif }
/* Uncomment (and remove this text!) to get reduced vertical space in
compound paragraphs.
div.compound .compound-first, div.compound .compound-middle {
margin-bottom: 0.5em }
div.compound .compound-last, div.compound .compound-middle {
margin-top: 0.5em }
*/
div.dedication {
margin: 2em 5em ;
text-align: center ;
font-style: italic }
div.dedication p.topic-title {
font-weight: bold ;
font-style: normal }
div.figure {
margin-left: 2em ;
margin-right: 2em }
div.footer, div.header {
clear: both;
font-size: smaller }
div.line-block {
display: block ;
margin-top: 1em ;
margin-bottom: 1em }
div.line-block div.line-block {
margin-top: 0 ;
margin-bottom: 0 ;
margin-left: 1.5em }
div.sidebar {
margin: 0 0 0.5em 1em ;
border: medium outset ;
padding: 1em ;
background-color: #ffffee ;
width: 40% ;
float: right ;
clear: right }
div.sidebar p.rubric {
font-family: sans-serif ;
font-size: medium }
div.system-messages {
margin: 5em }
div.system-messages h1 {
color: red }
div.system-message {
border: medium outset ;
padding: 1em }
div.system-message p.system-message-title {
color: red ;
font-weight: bold }
div.topic {
margin: 2em }
h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
margin-top: 0.4em }
h1.title {
text-align: center }
h2.subtitle {
text-align: center }
hr.docutils {
width: 75% }
img.align-left {
clear: left }
img.align-right {
clear: right }
ol.simple, ul.simple {
margin-bottom: 1em }
ol.arabic {
list-style: decimal }
ol.loweralpha {
list-style: lower-alpha }
ol.upperalpha {
list-style: upper-alpha }
ol.lowerroman {
list-style: lower-roman }
ol.upperroman {
list-style: upper-roman }
p.attribution {
text-align: right ;
margin-left: 50% }
p.caption {
font-style: italic }
p.credits {
font-style: italic ;
font-size: smaller }
p.label {
white-space: nowrap }
p.rubric {
font-weight: bold ;
font-size: larger ;
color: maroon ;
text-align: center }
p.sidebar-title {
font-family: sans-serif ;
font-weight: bold ;
font-size: larger }
p.sidebar-subtitle {
font-family: sans-serif ;
font-weight: bold }
p.topic-title {
font-weight: bold }
pre.address {
margin-bottom: 0 ;
margin-top: 0 ;
font-family: serif ;
font-size: 100% }
pre.literal-block, pre.doctest-block {
margin-left: 2em ;
margin-right: 2em }
span.classifier {
font-family: sans-serif ;
font-style: oblique }
span.classifier-delimiter {
font-family: sans-serif ;
font-weight: bold }
span.interpreted {
font-family: sans-serif }
span.option {
white-space: nowrap }
span.pre {
white-space: pre }
span.problematic {
color: red }
span.section-subtitle {
/* font-size relative to parent (h1..h6 element) */
font-size: 80% }
table.citation {
border-left: solid 1px gray;
margin-left: 1px }
table.docinfo {
margin: 2em 4em }
table.docutils {
margin-top: 0.5em ;
margin-bottom: 0.5em }
table.footnote {
border-left: solid 1px black;
margin-left: 1px }
table.docutils td, table.docutils th,
table.docinfo td, table.docinfo th {
padding-left: 0.5em ;
padding-right: 0.5em ;
vertical-align: top }
table.docutils th.field-name, table.docinfo th.docinfo-name {
font-weight: bold ;
text-align: left ;
white-space: nowrap ;
padding-left: 0 }
h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
font-size: 100% }
ul.auto-toc {
list-style-type: none }
</style>
</head>
<body>
<div class="document" id="rhcsa-rhce-preparation">
<h1 class="title">RHCSA / RHCE Preparation</h1>
<h2 class="subtitle" id="a-creative-commons-courseware">A Creative Commons Courseware</h2>
<!-- Sequence of section adornments: -->
<!-- ==- - -->
<!-- ==- -==- -__++~~^^ -->
<!-- To exclude elements with a certain class from the PDF, use "- -strip-elements-with-class=classname" when producing a PDF. -->
<!-- To print a copy for other instructors, exclude the class "custom" -->
<!-- To print PDF slides (for classroom use), exclude the class "handout" -->
<!-- To print a handout version with additional explanatory notes, exclude the class "slides" -->
<!-- Course Outline -->
<!-- =========================== -->
<!-- .. contents:: -->
<div class="section" id="session-one-introductions">
<h1>Session One: Introductions</h1>
<div class="section" id="introductions-your-instructor">
<h2>Introductions: Your Instructor</h2>
<p class="custom">Scott Purcell</p>
<p class="custom"><a class="reference external" href="mailto:scott&#64;texastwister.info">scott&#64;texastwister.info</a></p>
<p class="custom"><a class="reference external" href="http://www.linkedin.com/in/scottpurcell">http://www.linkedin.com/in/scottpurcell</a></p>
<p class="custom"><a class="reference external" href="http://twitter.com/texastwister">http://twitter.com/texastwister</a></p>
<p class="custom"><a class="reference external" href="http://www.facebook.com/Scott.L.Purcell">http://www.facebook.com/Scott.L.Purcell</a></p>
<p class="custom"><strong>Qualifications</strong></p>
<blockquote class="custom">
<ul class="simple">
<li>RHCSA, RHCE #110-008-877 (RHEL6)</li>
<li>Also: CTT+, CLA, CLP, CNI, LPIC1, Linux+</li>
<li>Curriculum Developer and Trainer for a major computer manufacturer for 15 years</li>
<li>Linux Enthusiast since 2000</li>
</ul>
</blockquote>
<p class="custom"><strong>Personal</strong></p>
<blockquote class="custom">
<ul class="simple">
<li>Disciple of Jesus Christ, Husband, Father, Eagle Scout, Computer Geek, Balloon Entertainer, and occasional coach of youth sports or leader of scouting units.</li>
</ul>
</blockquote>
<p class="custom"><strong>Fun</strong></p>
<blockquote class="custom">
<ul class="simple">
<li>Fun: Part-time Balloon Entertainer</li>
</ul>
</blockquote>
</div>
<div class="section" id="introductions-fellow-students">
<h2>Introductions: Fellow Students</h2>
<p><strong>Please Introduce Yourselves</strong></p>
<ul class="simple">
<li>Name</li>
<li>Where you work or what you do.</li>
<li>What Linux experience do you already have?</li>
<li>What goals do you have for this class?</li>
<li>Something fun about yourself.</li>
</ul>
</div>
<div class="section" id="introductions-the-course">
<h2>Introductions: The Course</h2>
<p>Our Textbook:</p>
<blockquote>
RHCSA/RHCE Red Hat Linux Certification Study Guide
(Exams EX200 &amp; EX300), 6th Edition (Certification Press)
Michael Jang
ISBN-10: 0071765654 | ISBN-13: 978-0071765657
Publication Date: June 17, 2011 | Edition: 6</blockquote>
<p>Our classroom time will not follow it closely, but it is invaluable for your background reading, later reference, and out-of-class practice and study.</p>
<div class="section" id="course-goals">
<h3>Course Goals</h3>
<dl class="docutils">
<dt>Primary Goal:</dt>
<dd>Preparation to Pass the RHCE Exam (assumes passage of the RHCSA Exam)</dd>
<dt>Secondary Goal:</dt>
<dd>Preparation to Pass the RHCSA Exam</dd>
<dt>Tertiary Goal:</dt>
<dd>Acquiring high-level Enterprise-oriented Linux skills</dd>
<dt>NOT a Goal of this course:</dt>
<dd>Acquiring basic or user-oriented Linux skills. These are assumed as prerequisites for this course.</dd>
</dl>
</div>
</div>
<div class="section" id="reasonable-expectations">
<h2>Reasonable Expectations</h2>
<ul>
<li><p class="first">Should I be able to pass the RHCE on this class alone?</p>
<blockquote>
<p>A stunning number (estimated at 50% or more) of seasoned professionals taking Red Hat's own prep courses fail to pass on the first attempt.</p>
</blockquote>
</li>
<li><p class="first">Planning for more than one attempt is prudent.</p>
<blockquote>
<p>Pass rates go up substantially on 2nd attempts.</p>
</blockquote>
</li>
<li><p class="first">Maximizing your out-of-class preparation time is prudent.</p>
</li>
</ul>
</div>
<div class="section" id="preparation-recommendations">
<h2>Preparation Recommendations</h2>
<p><strong>1. Build a Practice/Study Environment</strong></p>
<blockquote>
<ul>
<li><p class="first">Scenario 1 -- A single virtualization-capable system with multiple VM &quot;guests&quot;.</p>
<blockquote>
<ul class="simple">
<li>Host must have a 64 bit CPU with HW virtualization extensions</li>
<li>4 GB or more of RAM recommended as a minimum -- 2 GB is likely an absolute minimum</li>
<li>60 GB of HDD space recommended as a minimum -- enough for the host OS and several VMs.</li>
</ul>
</blockquote>
</li>
<li><p class="first">Scenario 2 -- Several Rackspace or Amazon VMs.</p>
</li>
<li><p class="first">Scenario 3 -- Several physical systems, networked together.</p>
<blockquote>
<ul class="simple">
<li>These can be 32-bit (i386 / i686) or 64-bit (x86_64) systems</li>
<li>Each should have 768 MB of RAM as a minimum.</li>
<li>Each should have 12-20 GB of HDD space as a minimum.</li>
</ul>
<div class="caution">
<p class="first admonition-title">Caution!</p>
<p class="last">You may be unable to practice a few of the objectives (those related to virtualization) in this scenario.</p>
</div>
</blockquote>
</li>
</ul>
</blockquote>
</div>
<div class="section" id="id1">
<h2>Preparation Recommendations</h2>
<p><strong>2. Take initiative -- form a study group.</strong></p>
<blockquote>
<p>Find Participants:</p>
<blockquote>
<ul class="simple">
<li>In class</li>
<li>At work</li>
<li>LinkedIn groups</li>
<li>Local LUGs</li>
<li>MeetUps</li>
</ul>
</blockquote>
</blockquote>
<p><strong>3. Practice, practice, practice!</strong></p>
<blockquote>
<p>Take the exam objectives and work to ensure that you can configure and secure every service, and implement every feature named in the course objectives.</p>
<p>Highlight areas on the objectives where you need review and bring your questions to class or post them on the Google Groups site:</p>
<p><a class="reference external" href="https://groups.google.com/d/forum/acc-ce-linux-learners">https://groups.google.com/d/forum/acc-ce-linux-learners</a></p>
</blockquote>
</div>
<div class="section" id="an-os-for-practice-and-study">
<h2>An OS for Practice and Study</h2>
<dl class="docutils">
<dt>RHEL 6</dt>
<dd><a class="reference external" href="https://www.redhat.com/rhel/details/eval/">https://www.redhat.com/rhel/details/eval/</a></dd>
<dt>CentOS 6</dt>
<dd><a class="reference external" href="https://www.centos.org/">https://www.centos.org/</a> or <a class="reference external" href="http://vault.centos.org/">http://vault.centos.org/</a></dd>
<dt>Scientific Linux</dt>
<dd><a class="reference external" href="http://www.scientificlinux.org/">http://www.scientificlinux.org/</a></dd>
<dt>Fedora 13</dt>
<dd><a class="reference external" href="http://mirrors.fedoraproject.org/publiclist/Fedora/13/x86_64/">http://mirrors.fedoraproject.org/publiclist/Fedora/13/x86_64/</a></dd>
</dl>
</div>
<div class="section" id="online-information">
<h2>Online Information</h2>
<dl class="docutils">
<dt>Red Hat docs:</dt>
<dd><a class="reference external" href="https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_Linux/">https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_Linux/</a></dd>
<dt>RHCSA/RHCE Objectives and other information at:</dt>
<dd><a class="reference external" href="https://www.redhat.com/training/certifications/">https://www.redhat.com/training/certifications/</a></dd>
</dl>
</div>
<div class="section" id="classroom-infrastructure">
<h2>Classroom Infrastructure</h2>
<p>RHEL6 Server installed on virtualization-capable Dell Optiplex workstations.</p>
<p>We will be creating multiple virtual machines on the hosts on which the Lab Exercises will be performed.</p>
<p>A classroom server is available at 192.168.5.200, offering a variety of services to your lab stations.</p>
<p>File downloads are available at <a class="reference external" href="ftp://192.168.5.200/pub">ftp://192.168.5.200/pub</a>.</p>
<p>Note, especially, the preconfigured yum repo file at <a class="reference external" href="ftp://192.168.5.200/pub/classroom.repo">ftp://192.168.5.200/pub/classroom.repo</a>. The following commands can be used on a newly configured virtual machine to configure it for access to the repository:</p>
<pre class="literal-block">
# cd /etc/yum.repos.d/
# wget ftp://192.168.5.200/pub/classroom.repo
</pre>
</div>
<div class="section" id="red-hat-enterprise-linux">
<h2>Red Hat Enterprise Linux</h2>
<ul>
<li><p class="first">Overview</p>
<blockquote>
<p>A well-tested Linux distribution focused on enterprise features, stability, and a long lifecycle</p>
</blockquote>
</li>
<li><p class="first">Server and Desktop variants</p>
</li>
<li><p class="first">Add-on Functionality</p>
<blockquote>
<p>Support for high-end features such as Load Balancing, Clustering, Management, High Performance networking, etc.</p>
</blockquote>
</li>
<li><p class="first">LifeCycle</p>
<blockquote>
<p><a class="reference external" href="https://access.redhat.com/support/policy/updates/errata/">https://access.redhat.com/support/policy/updates/errata/</a></p>
</blockquote>
</li>
</ul>
</div>
<div class="section" id="the-red-hat-certification-landscape">
<h2>The Red Hat Certification Landscape</h2>
<ul>
<li><p class="first">RHCSA</p>
<blockquote>
<p>RHCSA is new, replacing the RHCT. It is the &quot;core&quot; sysadmin certification from Red Hat. Earning the RHCE and other system administration certs requires first earning the RHCSA.</p>
<blockquote>
<ul>
<li><p class="first"><a class="reference external" href="https://www.redhat.com/training/certifications/rhcsa/">RHCSA Details</a></p>
<blockquote>
</blockquote>
</li>
<li><p class="first"><a class="reference external" href="https://www.redhat.com/training/courses/ex200/examobjective">RHCSA Objectives</a></p>
<blockquote>
</blockquote>
</li>
</ul>
</blockquote>
</blockquote>
</li>
<li><p class="first">RHCE</p>
<blockquote>
<p>RHCE is a senior system administration certification. It is an eligibility requirement for taking any COE exams and is thus a requirement for the upper-level credentials as well.</p>
<blockquote>
<ul>
<li><p class="first"><a class="reference external" href="https://www.redhat.com/training/courses/ex300/">RHCE Details</a></p>
<blockquote>
</blockquote>
</li>
<li><p class="first"><a class="reference external" href="https://www.redhat.com/training/courses/ex300/examobjective">RHCE Objectives</a></p>
<blockquote>
</blockquote>
</li>
</ul>
</blockquote>
</blockquote>
</li>
</ul>
<ul>
<li><p class="first">Certificates of Expertise</p>
<blockquote>
<p>COEs are incremental credentials demonstrating skills and knowledge in specialized areas. They are worthy credentials in their own right, but also the building blocks of the upper-level credentials.</p>
<blockquote>
<ul>
<li><p class="first"><a class="reference external" href="https://www.redhat.com/training/certifications/expertise/">Overview of COEs</a></p>
<blockquote>
</blockquote>
</li>
</ul>
</blockquote>
</blockquote>
</li>
<li><p class="first">RHCSS, RHCDS, RHCA</p>
<blockquote>
<p>These upper-level credentials recognize those who have achieved expertise in several related specialized areas. Each one requires multiple COEs.</p>
</blockquote>
</li>
</ul>
</div>
<div class="section" id="exercise-1-1-install-rhel6-on-a-virtual-machine">
<h2>Exercise 1-1: Install RHEL6 on a Virtual Machine</h2>
<p>Following the instructor, install your first virtual machine.</p>
</div>
<div class="section" id="id2">
<h2>RHCSA Objectives</h2>
<div class="section" id="rhcsa-objectives-understand-use-essential-tools">
<h3>RHCSA Objectives: Understand &amp; Use Essential Tools</h3>
<blockquote>
<ul>
<li><p class="first">Access a shell prompt and issue commands with correct syntax</p>
</li>
<li><p class="first">Use input-output redirection (&gt;, &gt;&gt;, <tt class="docutils literal"><span class="pre">|</span></tt>, 2&gt;, etc.)</p>
</li>
<li><p class="first">Use grep and regular expressions to analyze text</p>
</li>
<li><p class="first">Access remote systems using ssh and VNC</p>
</li>
<li><p class="first">Log in and switch users in multi-user runlevels</p>
</li>
<li><p class="first">Archive, compress, unpack and uncompress files using tar, star, gzip, and bzip2</p>
</li>
<li><p class="first">Create and edit text files</p>
</li>
<li><p class="first">Create, delete, copy and move files and directories</p>
</li>
<li><p class="first">Create hard and soft links</p>
</li>
<li><p class="first">List, set and change standard ugo/rwx permissions</p>
</li>
<li><p class="first">Locate, read and use system documentation including man, info, and files in /usr/share/doc .</p>
<blockquote>
<p>[Note: Red Hat may use applications during the exam that are not included in Red Hat Enterprise Linux for the purpose of evaluating candidates' abilities to meet this objective.]</p>
</blockquote>
</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhcsa-operate-running-systems">
<h3>RHCSA: Operate Running Systems</h3>
<blockquote>
<ul class="simple">
<li>Boot, reboot, and shut down a system normally</li>
<li>Boot systems into different runlevels manually</li>
<li>Use single-user mode to gain access to a system</li>
<li>Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes</li>
<li>Locate and interpret system log files</li>
<li>Access a virtual machine's console</li>
<li>Start and stop virtual machines</li>
<li>Start, stop and check the status of network services</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhcsa-configure-local-storage">
<h3>RHCSA: Configure Local Storage</h3>
<blockquote>
<ul class="simple">
<li>List, create, delete and set partition type for primary, extended, and logical partitions</li>
<li>Create and remove physical volumes, assign physical volumes to volume groups, create and delete logical volumes</li>
<li>Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot</li>
<li>Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label</li>
<li>Add new partitions, logical volumes and swap to a system non-destructively</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhcsa-create-and-configure-file-systems">
<h3>RHCSA: Create and Configure File Systems</h3>
<blockquote>
<ul class="simple">
<li>Create, mount, unmount and use ext2, ext3 and ext4 file systems</li>
<li>Mount, unmount and use LUKS-encrypted file systems</li>
<li>Mount and unmount CIFS and NFS network file systems</li>
<li>Configure systems to mount ext4, LUKS-encrypted and network file systems automatically</li>
<li>Extend existing unencrypted ext4-formatted logical volumes</li>
<li>Create and configure set-GID directories for collaboration</li>
<li>Create and manage Access Control Lists (ACLs)</li>
<li>Diagnose and correct file permission problems</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhcsa-deploy-configure-maintain">
<h3>RHCSA: Deploy, Configure &amp; Maintain</h3>
<blockquote>
<ul class="simple">
<li>Configure networking and hostname resolution statically or dynamically</li>
<li>Schedule tasks using cron</li>
<li>Configure systems to boot into a specific runlevel automatically</li>
<li>Install Red Hat Enterprise Linux automatically using Kickstart</li>
<li>Configure a physical machine to host virtual guests</li>
<li>Install Red Hat Enterprise Linux systems as virtual guests</li>
<li>Configure systems to launch virtual machines at boot</li>
<li>Configure network services to start automatically at boot</li>
<li>Configure a system to run a default configuration HTTP server</li>
<li>Configure a system to run a default configuration FTP server</li>
<li>Install and update software packages from Red Hat Network, a remote repository, or from the local filesystem</li>
<li>Update the kernel package appropriately to ensure a bootable system</li>
<li>Modify the system bootloader</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhcsa-manage-users-and-groups">
<h3>RHCSA: Manage Users and Groups</h3>
<blockquote>
<ul class="simple">
<li>Create, delete, and modify local user accounts</li>
<li>Change passwords and adjust password aging for local user accounts</li>
<li>Create, delete and modify local groups and group memberships</li>
<li>Configure a system to use an existing LDAP directory service for user and group information</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhcsa-manage-security">
<h3>RHCSA: Manage Security</h3>
<blockquote>
<ul class="simple">
<li>Configure firewall settings using system-config-firewall or iptables</li>
<li>Set enforcing and permissive modes for SELinux</li>
<li>List and identify SELinux file and process context</li>
<li>Restore default file contexts</li>
<li>Use boolean settings to modify system SELinux settings</li>
<li>Diagnose and address routine SELinux policy violations</li>
</ul>
</blockquote>
</div>
</div>
<div class="section" id="id3">
<h2>RHCE Objectives</h2>
<div class="section" id="rhce-system-configuration-and-management">
<h3>RHCE: System Configuration and Management</h3>
<blockquote>
<ul class="simple">
<li>Route IP traffic and create static routes</li>
<li>Use iptables to implement packet filtering and configure network address translation (NAT)</li>
<li>Use /proc/sys and sysctl to modify and set kernel run-time parameters</li>
<li>Configure system to authenticate using Kerberos</li>
<li>Build a simple RPM that packages a single file</li>
<li>Configure a system as an iSCSI initiator that persistently mounts an iSCSI target</li>
<li>Produce and deliver reports on system utilization (processor, memory, disk, and network)</li>
<li>Use shell scripting to automate system maintenance tasks</li>
<li>Configure a system to log to a remote system</li>
<li>Configure a system to accept logging from a remote system</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-network-services">
<h3>RHCE: Network Services</h3>
<p>Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:</p>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
</ul>
</blockquote>
<p>RHCE candidates should also be capable of meeting the following objectives associated with specific services:</p>
</div>
<div class="section" id="rhce-http-https">
<h3>RHCE: HTTP/HTTPS</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Configure a virtual host</li>
<li>Configure private directories</li>
<li>Deploy a basic CGI application</li>
<li>Configure group-managed content</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-dns">
<h3>RHCE: DNS</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Configure a caching-only name server</li>
<li>Configure a caching-only name server to forward DNS queries</li>
<li>Note: Candidates are not expected to configure master or slave name servers</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-ftp">
<h3>RHCE: FTP</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Configure anonymous-only download</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-nfs">
<h3>RHCE: NFS</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Provide network shares to specific clients</li>
<li>Provide network shares suitable for group collaboration</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-smb">
<h3>RHCE: SMB</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Provide network shares to specific clients</li>
<li>Provide network shares suitable for group collaboration</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-smtp">
<h3>RHCE: SMTP</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Configure a mail transfer agent (MTA) to accept inbound email from other systems</li>
<li>Configure an MTA to forward (relay) email through a smart host</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-ssh">
<h3>RHCE: SSH</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Configure key-based authentication</li>
<li>Configure additional options described in documentation</li>
</ul>
</blockquote>
</div>
<div class="section" id="rhce-ntp">
<h3>RHCE: NTP</h3>
<blockquote>
<ul class="simple">
<li>Install the packages needed to provide the service</li>
<li>Configure SELinux to support the service</li>
<li>Configure the service to start when the system is booted</li>
<li>Configure the service for basic operation</li>
<li>Configure host-based and user-based security for the service</li>
<li>Synchronize time using other NTP peers</li>
</ul>
</blockquote>
</div>
</div>
</div>
<div class="section" id="operating-a-system">
<h1>Operating a System</h1>
<div class="section" id="boot-reboot-shutdown">
<h2>Boot, Reboot, Shutdown</h2>
<ul class="simple">
<li>Power On</li>
<li>GRUB Menu</li>
<li>Display Manager Screen</li>
<li>Gnome or KDE</li>
<li>Terminal commands: shutdown, halt, poweroff, reboot, init</li>
</ul>
</div>
<div class="section" id="runlevels">
<h2>Runlevels</h2>
<ul class="simple">
<li>Default</li>
<li>From GRUB Menu</li>
</ul>
</div>
<div class="section" id="single-user-mode">
<h2>Single User Mode</h2>
<ul class="simple">
<li>Password Recovery</li>
</ul>
<p>Note: An SELinux bug prevents password changes while SELinux is set to &quot;Enforcing&quot;.</p>
</div>
<div class="section" id="exercise-1-2-use-single-user-mode-to-recover-a-root-password">
<h2>Exercise 1-2: Use Single-user mode to recover a root password</h2>
<ul class="simple">
<li>Reboot your virtual machine</li>
<li>Activate the GRUB Menu</li>
<li>Boot the system in Single User Mode</li>
<li>Set SELinux to Permissive Mode</li>
<li>Change the root password</li>
<li>Set SELinux back to Enforcing Mode</li>
<li>Activate runlevel 5</li>
<li>Login as root with the new password</li>
</ul>
</div>
<div class="section" id="exercise-1-3-boot-into-runlevel-3">
<h2>Exercise 1-3: Boot into runlevel 3</h2>
<ul class="simple">
<li>Reboot your virtual machines</li>
<li>Activate the GRUB Menu</li>
<li>Boot the system into runlevel 3</li>
<li>Login as root</li>
<li>Transition the system back to runlevel 5</li>
</ul>
</div>
<div class="section" id="log-files">
<h2>Log Files</h2>
<p><tt class="docutils literal"><span class="pre">/var/log/*</span></tt></p>
<p><tt class="docutils literal"><span class="pre">/root/install.log</span></tt></p>
<p><tt class="docutils literal"><span class="pre">/root/anaconda-ks.cfg</span></tt></p>
<p>View with <tt class="docutils literal"><span class="pre">cat</span></tt>, <tt class="docutils literal"><span class="pre">less</span></tt> or other tools</p>
<p>Search with <tt class="docutils literal"><span class="pre">grep</span></tt></p>
</div>
<div class="section" id="exercise-1-4-view-logs-from-an-x-term-and-a-virtual-terminal">
<h2>Exercise 1-4: View Logs from an x-term and a virtual terminal</h2>
<ul class="simple">
<li>Launch a gnome-terminal session and browse the <tt class="docutils literal"><span class="pre">/var/log/messages</span></tt> file.</li>
<li>Switch to a virtual terminal, login as root, and view <tt class="docutils literal"><span class="pre">/var/log/secure</span></tt></li>
</ul>
</div>
<div class="section" id="start-stop-virtual-machines">
<h2>Start/Stop Virtual Machines</h2>
<ul>
<li><p class="first">Using virt-manager</p>
<blockquote>
<p>Select the desired VM. There are several approaches to these operations in the GUI.</p>
</blockquote>
</li>
<li><p class="first">Using virsh commands:</p>
<pre class="literal-block">
# virsh list --all
# virsh start &lt;VM ID or Name&gt;
# virsh shutdown &lt;VM ID or Name&gt;
# virsh destroy &lt;VM ID or Name&gt;
</pre>
</li>
</ul>
<!-- -->
<div class="note">
<p class="first admonition-title">Note</p>
<p class="last">&quot;shutdown&quot; requests a graceful shutdown. &quot;destroy&quot; forces a poweroff -- data loss could result.</p>
</div>
</div>
<div class="section" id="virtual-machine-consoles">
<h2>Virtual Machine Consoles</h2>
<ul>
<li><p class="first">virt-manager</p>
<blockquote>
<p>Double-click the Virtual Machine desired.</p>
</blockquote>
</li>
<li><p class="first">virt-viewer</p>
<blockquote>
<pre class="literal-block">
# virt-viewer &lt;VM ID or Name&gt;
</pre>
</blockquote>
</li>
</ul>
</div>
<div class="section" id="virtual-machine-text-console">
<h2>Virtual Machine Text Console</h2>
<p>With libguestfs-tools installed and the VM in question shut down, from the host:</p>
<pre class="literal-block">
# virt-edit {VMname} /boot/grub/menu.lst
</pre>
<p>There, append to the kernel line:</p>
<pre class="literal-block">
console=tty0 console=ttyS0
</pre>
<p>After saving, the following commands should allow a console based view of the boot process and a console login:</p>
<pre class="literal-block">
# virsh start {VMname} ; virsh console {VMname}
</pre>
</div>
<div class="section" id="virtual-machine-text-console-caveat">
<h2>Virtual Machine Text Console Caveat</h2>
<blockquote>
After this change, some messages that appear only on the default console will be visible only on the text console. For example, the passphrase prompt to decrypt LUKS-encrypted partitions mounted in /etc/fstab will not be visible when using virt-viewer, and the VM will appear to be hung. Only by using virsh console can the passphrase be entered to allow the boot process to continue.</blockquote>
</div>
<div class="section" id="start-stop-and-check-the-status-of-network-services">
<h2>Start, stop, and check the status of network services</h2>
<p>Distinguish between starting a service and configuring it to be persistently on.</p>
<ul>
<li><p class="first">Start services with:</p>
<blockquote>
<pre class="literal-block">
# service &lt;servicename&gt; start
</pre>
<!-- -->
<p>or</p>
<pre class="literal-block">
# /etc/init.d/&lt;servicescript&gt; start
</pre>
</blockquote>
</li>
<li><p class="first">Configure services to run on each reboot with:</p>
<blockquote>
<pre class="literal-block">
# chkconfig &lt;servicename&gt; on
</pre>
<!-- -->
<p>or with <tt class="docutils literal"><span class="pre">ntsysv</span></tt> or <tt class="docutils literal"><span class="pre">system-config-services</span></tt></p>
</blockquote>
</li>
</ul>
</div>
<div class="section" id="exercise-1-5-manipulate-the-cups-service">
<h2>Exercise 1-5: Manipulate the cups service</h2>
<ul>
<li><dl class="first docutils">
<dt>Check the status of the cups service</dt>
<dd><ul class="first last simple">
<li>Is it running now?</li>
<li>Is it configured to run on future boots? In which runlevels?</li>
</ul>
</dd>
</dl>
</li>
<li><p class="first">Stop the cups service.</p>
</li>
<li><p class="first">Start the cups service.</p>
</li>
<li><p class="first">Configure cups to start only on runlevels 3 and 5</p>
</li>
</ul>
</div>
<div class="section" id="modify-the-system-bootloader">
<h2>Modify the system bootloader</h2>
<ul>
<li><p class="first">Edit the GRUB config file:</p>
<pre class="literal-block">
# vim /boot/grub/grub.conf
</pre>
</li>
<li><p class="first">Interactively edit the GRUB menu system.</p>
</li>
<li><p class="first">Directly manipulate GRUB through its shell.</p>
</li>
</ul>
</div>
</div>
<div class="section" id="supplemental-reading">
<h1>Supplemental Reading</h1>
<p>Jang, Chapters 1-3</p>
</div>
<div class="section" id="supplemental-exercises">
<h1>Supplemental Exercises</h1>
<ul class="simple">
<li>Set up a practice environment following instructions in Jang, Ch 1.</li>
</ul>
<div class="section" id="reading">
<h2>Reading</h2>
<dl class="docutils">
<dt>Topics from this class:</dt>
<dd>Jang, Chapters 1-3</dd>
<dt>Topics for next class:</dt>
<dd>Jang 4,6,8</dd>
</dl>
</div>
</div>
<div class="section" id="session-2-user-mgmt-storage-and-filesystems">
<h1>Session 2 User Mgmt, Storage, and filesystems</h1>
<div class="section" id="user-administration-with-config-files">
<h2>User Administration with Config Files</h2>
<dl class="docutils">
<dt>/etc/passwd</dt>
<dd>World-readable file of user information</dd>
<dt>/etc/shadow</dt>
<dd>Restricted-access file with password and expiry info.</dd>
<dt>/etc/group</dt>
<dd>World-readable file of group information</dd>
<dt>/etc/gshadow</dt>
<dd>Restricted-access group password, admin, membership info</dd>
</dl>
<div class="important">
<p class="first admonition-title">Important</p>
<p class="last">If editing directly, <tt class="docutils literal"><span class="pre">vipw</span></tt> and <tt class="docutils literal"><span class="pre">vigr</span></tt> should be used.</p>
</div>
</div>
<div class="section" id="structure-of-etc-passwd">
<h2>Structure of /etc/passwd</h2>
<p><tt class="docutils literal"><span class="pre">Name:Password:UID:GID:Comments:Homedir:Shell</span></tt></p>
<p><strong>Sample Contents</strong></p>
<pre class="literal-block">
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
scott:x:500:500:Scott Purcell:/home/scott:/bin/bash
</pre>
<!-- -->
<p>The &quot;x&quot; in the password field indicates that the actual password hashes have been moved to /etc/shadow in order to implement the shadow password system.</p>
</div>
<div class="section" id="structure-of-etc-shadow">
<h2>Structure of /etc/shadow</h2>
<p><tt class="docutils literal"><span class="pre">Name:Password:Lastchange:May:Must:Warn:Disable:Expire</span></tt></p>
<p><strong>Sample Contents</strong></p>
<pre class="literal-block">
# cat /etc/shadow
root:$1$IyApEyOS$dZ5SMuC7Yw9/PDMyWi1H11:14373:0:99999:7:::
sshd:!!:14373:0:99999:7:::
ntp:!!:14373:0:99999:7:::
gdm:!!:14373:0:99999:7:::
scott:$1${...}:14374:0:99999:7:::
bob:$1${...}:14398:7:30:7:7:14457:
</pre>
<!-- -->
<p>The values in field 3 and field 8 are dates -- rendered as a count of days elapsed since the start of the &quot;Unix Epoch&quot; (1/1/1970).</p>
<p>The &quot;{...}&quot; marks where the actual password hash is stored.</p>
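<p>An added example (not part of the original course material) that applies the field layout above: it classifies the hash scheme in field 2, converts the day counts in fields 3 and 8 to calendar dates, and reports empty passwords, MD5 (<tt class="docutils literal"><span class="pre">$1$</span></tt>) hashes, and expired passwords or accounts. The records are constructed sample data with placeholder hashes, and the function names are assumptions of this example.</p>

```bash
#!/bin/sh
# Added example: audit records in /etc/shadow format.
# Field names follow the page: Name:Password:Lastchange:May:Must:Warn:Disable:Expire

# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW='root:$1$CONSTRUCTED$PLACEHOLDERHASH0000000:14373:0:99999:7:::
sshd:!!:14373:0:99999:7:::
scott:$6$CONSTRUCTED$PLACEHOLDERHASH0000000:14374:0:99999:7:::
bob:$1$CONSTRUCTED$PLACEHOLDERHASH0000000:14398:7:30:7:7:14457:
guest::14400:0:99999:7:::'

# Convert "days since 1970-01-01" (fields 3 and 8) to YYYY-MM-DD in UTC.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# Classify field 2 by its prefix.
hash_scheme() {
    case "$1" in
        '')        echo "EMPTY" ;;    # no password is required to log in
        '!'*|'*'*) echo "LOCKED" ;;   # no password can match this field
        '$1$'*)    echo "MD5" ;;
        '$5$'*)    echo "SHA256" ;;
        '$6$'*)    echo "SHA512" ;;
        *)         echo "OTHER" ;;
    esac
}

# Read shadow records on stdin; $1 is "today" as days since the epoch.
# Prints one line per finding: <user> <finding> [date]
audit_shadow() {
    today=$1
    while IFS=: read -r name pw lastchg may must warn disable expire reserved; do
        [ -n "$name" ] || continue
        scheme=$(hash_scheme "$pw")
        case "$scheme" in
            EMPTY) echo "$name empty-password" ;;
            MD5)   echo "$name weak-hash-md5 changed=$(days_to_date "$lastchg")" ;;
        esac
        # Field 8: the account is disabled once this day is reached.
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            echo "$name account-expired $(days_to_date "$expire")"
        fi
        # Fields 3 and 5: the password is expired once it is older than "Must"
        # days; the date printed is the last day it was still valid.
        if [ "$scheme" != LOCKED ] && [ -n "$lastchg" ] && [ -n "$must" ] &&
           [ $(( today - lastchg )) -gt "$must" ]; then
            echo "$name password-expired $(days_to_date $(( lastchg + must )))"
        fi
    done
}

# Demo with a constructed "today" of day 14460 so the output is reproducible.
# On a live system (as root): audit_shadow $(( $(date +%s) / 86400 )) < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 14460
```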
</div>
<div class="section" id="structure-of-etc-group">
<h2>Structure of /etc/group</h2>
<p><tt class="docutils literal"><span class="pre">Name:Password:GID:Users</span></tt></p>
<p><strong>Sample Contents</strong></p>
<pre class="literal-block">
# cat /etc/group
root:x:0:root
scott:x:500:
bob:x:501:
mary:x:502:
sales:x:503:bob,mary
training:x:504:scott
</pre>
</div>
<div class="section" id="structure-of-etc-gshadow">
<h2>Structure of /etc/gshadow</h2>
<p><tt class="docutils literal"><span class="pre">Name:Password:Admins:Members</span></tt></p>
<p><strong>Sample Contents</strong></p>
<pre class="literal-block">
# cat /etc/gshadow
root:::root
scott:!!::
bob:!::
mary:!::
sales:!::bob,mary
training:!::scott
</pre>
</div>
<div class="section" id="user-admin-with-cli-tools">
<h2>User Admin with CLI tools</h2>
<dl class="docutils">
<dt>useradd, usermod, userdel</dt>
<dd>Create, modify, and delete user accounts</dd>
<dt>groupadd, groupmod, groupdel</dt>
<dd>Create, modify, and delete group accounts</dd>
<dt>chage</dt>
<dd>Modify password aging and expiration</dd>
</dl>
</div>
<div class="section" id="user-admin-with-gui-tools">
<h2>User Admin with GUI tools</h2>
<p>The GUI tool for managing users and groups is the Red Hat User Manager. It can be launched from the menu at <strong>System | Administration | Users and Groups</strong> or from the CLI as <tt class="docutils literal"><span class="pre">system-config-users</span></tt>.</p>
<blockquote>
<img alt="images/UserMgr.png" src="images/UserMgr.png" style="width: 80%;" />
</blockquote>
</div>
<div class="section" id="user-environment">
<h2>User environment</h2>
<dl class="docutils">
<dt>Home directories</dt>
<dd>/home/{user}/ or /root/</dd>
<dt>/etc/skel</dt>
<dd>Contents copied to home directory of each new user.</dd>
</dl>
<div class="section" id="common-contents">
<h3>Common Contents:</h3>
<blockquote>
<p>.bashrc</p>
<p>.bash_logout</p>
<p>.bash_profile</p>
</blockquote>
</div>
</div>
<div class="section" id="system-wide-shell-config-files">
<h2>System-wide Shell Config Files</h2>
<dl class="docutils">
<dt>/etc/profile</dt>
<dd>Executed with each user login. Sets paths, variables, etc. Runs scripts in <tt class="docutils literal"><span class="pre">/etc/profile.d</span></tt>.</dd>
<dt>/etc/profile.d</dt>
<dd>Scripts that extend /etc/profile, usually added by applications.</dd>
<dt>/etc/bashrc</dt>
<dd>System-wide functions and aliases</dd>
</dl>
<div class="tip">
<p class="first admonition-title">Tip</p>
<p>In order to remember what types of content go in which of these files, it is helpful to remember the origin of each file. /etc/profile was the config file for the Bourne shell and thus supported only the older and more limited feature set of that shell. /etc/bashrc is the newer, bash-specific config file.</p>
<p class="last">Thus, the newer features such as functions and aliases can only go in bashrc, while older features such as environment variables can go in profile.</p>
</div>
</div>
<div class="section" id="user-configurable-environment-files">
<h2>User-configurable Environment Files</h2>
<dl class="docutils">
<dt>~/.bashrc</dt>
<dd>User aliases and functions</dd>
<dt>~/.bash_profile</dt>
<dd>User paths, variables, and environment settings</dd>
</dl>
</div>
<div class="section" id="exercise-2-1-configure-users-and-groups">
<h2>Exercise 2-1: Configure Users and Groups</h2>
<p>On your client virtual machines, perform these tasks:</p>
<ol class="arabic">
<li><p class="first">Create Groups &quot;goodguys&quot; and &quot;villains&quot;</p>
<blockquote>
<ul class="simple">
<li>Use custom GIDs so that the automatically created GIDs for the UPG scheme remain in sync with the usernames.</li>
</ul>
</blockquote>
</li>
<li><p class="first">Create Users &quot;bugs&quot;, &quot;tweety&quot; and &quot;roadrunner&quot; and make them members of &quot;goodguys&quot;</p>
</li>
<li><p class="first">Create Users &quot;taz&quot;, &quot;sam&quot;, and &quot;wiley&quot; and make them members of &quot;villains&quot;</p>
</li>
<li><p class="first">Set sam's account to expire in 30 days (&quot;wabbit season&quot; ends!)</p>
</li>
</ol>
<div class="tip">
<p class="first admonition-title">Tip</p>
<p>The following command is useful for sorting the existing GIDs in order to choose unique out-of-sequence GIDs for the instructions above:</p>
<pre class="literal-block">
# sort -t: -k3 -n /etc/group
</pre>
<p>The following command is useful for converting dates in /etc/shadow to calendar dates:</p>
<pre class="last literal-block">
# date -d &quot;1 January 1970 + &lt;lastchg&gt; days&quot;
</pre>
</div>
</div>
<div class="section" id="filesystem-disambiguation">
<h2>&quot;Filesystem&quot; - Disambiguation</h2>
<p>Several meanings for the term:</p>
<ol class="arabic">
<li><p class="first">The way files are physically written to storage devices, as in the ext3, FAT32, or NTFS filesystems.</p>
<blockquote>
<p>Example: &quot;Create a VFAT filesystem on a USB drive if you want a device that works for both Windows and Linux.&quot;</p>
</blockquote>
</li>
<li><p class="first">The collection of files and directories stored on a particular storage device.</p>
<blockquote>
<p>Example: &quot;On any device using Ext 2/3/4, you should find a &quot;lost+found&quot; directory at the root level of the filesystem.&quot;</p>
</blockquote>
</li>
<li><p class="first">The unified directory structure which logically organizes files.</p>
<blockquote>
<p>Example: &quot;In contrast with Windows, which accesses drives with various drive letters, on Linux all storage devices are mounted into a single filesystem.&quot;</p>
</blockquote>
</li>
<li><p class="first">The standard which defines how directories should be structured and utilized in Linux</p>
<blockquote>
<p>Example: &quot;In a Linux filesystem, third party applications should generally be installed in /opt.&quot;</p>
</blockquote>
</li>
</ol>
</div>
<div class="section" id="linux-filesystem-hierarchy">
<h2>Linux Filesystem Hierarchy</h2>
<p>The directory structure of a Linux system is standardized through the Filesystem Hierarchy Standard (explained at <a class="reference external" href="http://www.pathname.com/fhs">http://www.pathname.com/fhs</a>)</p>
<p>The Linux Manual system has an abbreviated reference:</p>
<blockquote>
<tt class="docutils literal"><span class="pre">$</span> <span class="pre">man</span> <span class="pre">7</span> <span class="pre">hier</span></tt></blockquote>
<p>Red Hat has a more complete description, along with RedHat-specific implementation decisions in their <strong>Storage Administration Guide</strong> at <a class="reference external" href="https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s1-filesystem-fhs.html">https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s1-filesystem-fhs.html</a></p>
<!-- for future development, consider expanding this... -->
</div>
<div class="section" id="disk-and-filesystem-tools">
<h2>Disk and Filesystem tools</h2>
<ul class="simple">
<li><tt class="docutils literal"><span class="pre">fdisk</span></tt> or <tt class="docutils literal"><span class="pre">parted</span></tt> -- Used to partition hard disks or other block devices</li>
<li><tt class="docutils literal"><span class="pre">mkfs</span></tt> and variants -- Used to create filesystems on block devices (actually a front-end for a variety of FS-specific tools)</li>
<li><tt class="docutils literal"><span class="pre">fsck</span></tt> and variants -- Used to run filesystem checks (a front-end to FS specific tools)</li>
<li><tt class="docutils literal"><span class="pre">mount</span></tt> -- Used to mount a filesystem to a specific location in the directory structure</li>
<li><tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> -- Configuration file used to describe the filesystems that should be persistently mounted</li>
<li><tt class="docutils literal"><span class="pre">blkid</span></tt> -- used to identify filesystems or other in-use devices by UUID or filesystem labels.</li>
<li><tt class="docutils literal"><span class="pre">df</span></tt> -- used to display the capacity and utilization % of mounted filesystems.</li>
<li><tt class="docutils literal"><span class="pre">partx</span></tt> -- used to force implementation of a new partition table on an in-use device without the need to reboot.</li>
<li><tt class="docutils literal"><span class="pre">partprobe</span></tt></li>
</ul>
</div>
<div class="section" id="working-with-partitions">
<h2>Working with Partitions</h2>
<p>Overview of process for using Basic Storage Devices:</p>
<ul class="simple">
<li>Install the device or otherwise make it available to the system.</li>
<li>Partition it with <tt class="docutils literal"><span class="pre">fdisk</span></tt> or <tt class="docutils literal"><span class="pre">parted</span></tt>.</li>
<li>Create a filesystem on the partition with mkfs or other tools.</li>
<li>Choose or create a directory to serve as a mount point.</li>
<li>Mount the partition.</li>
<li>Add an entry to <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> to make it persistent.</li>
</ul>
<!-- List, create, delete and set partition type for primary, extended, and logical partitions -->
</div>
<div class="section" id="exercise-2-2-work-with-basic-partitions">
<h2>Exercise 2-2: Work with Basic Partitions</h2>
<p>On your Host machine:</p>
<ul class="simple">
<li>Use <tt class="docutils literal"><span class="pre">virt-manager</span></tt> to create a 20 GB virtual disk for your Client VM.</li>
</ul>
<p>On your Client virtual machine:</p>
<ol class="arabic simple">
<li>Use <tt class="docutils literal"><span class="pre">fdisk</span> <span class="pre">-luc</span></tt> to verify that it is seen after a reboot of the VM.</li>
<li>Use fdisk to create a 5 GB partition (leaving the remainder unused).</li>
<li>Create an ext4 filesystem on the new partition.</li>
<li>Create a new directory at /shared/villains and mount the new filesystem there.</li>
<li>Verify with <tt class="docutils literal"><span class="pre">df</span> <span class="pre">-h</span></tt> that the new space is seen.</li>
<li>Create an entry in <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> to make it persistent.</li>
</ol>
<p>Optional Steps:</p>
<ul class="simple">
<li>Save a test file to <tt class="docutils literal"><span class="pre">/shared/villains/</span></tt>.</li>
<li>Use <tt class="docutils literal"><span class="pre">ls</span></tt> to verify that it was saved as intended.</li>
<li>Use <tt class="docutils literal"><span class="pre">umount</span></tt> to unmount the new partition.</li>
<li>Use <tt class="docutils literal"><span class="pre">ls</span></tt> to verify that the file is no longer seen.</li>
<li>Remount the partition.</li>
</ul>
</div>
<div class="section" id="working-with-logical-volume-management">
<h2>Working with Logical Volume Management</h2>
<p>Overview of process for using Logical Volume Management:</p>
<ul class="simple">
<li>Install the device or otherwise make it available to the system.</li>
<li>Create a type <tt class="docutils literal"><span class="pre">8e</span></tt> partition with <tt class="docutils literal"><span class="pre">fdisk</span></tt> or <tt class="docutils literal"><span class="pre">parted</span></tt>.</li>
<li>Initialize the partition as a physical volume with <tt class="docutils literal"><span class="pre">pvcreate</span></tt>.</li>
<li>Add the storage of the PV to a volume group with <tt class="docutils literal"><span class="pre">vgcreate</span></tt>.</li>
<li>Allocate storage from the volume group to a logical volume with <tt class="docutils literal"><span class="pre">lvcreate</span></tt>.</li>
<li>Create a filesystem on the logical volume with mkfs or other tools.</li>
<li>Choose or create a directory to serve as a mount point.</li>
<li>Mount the logical volume.</li>
<li>Add an entry to <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> to make it persistent.</li>
</ul>
<!-- Create and remove physical volumes, assign physical volumes to volume groups, create and delete logical volumes -->
</div>
<div class="section" id="removing-logical-volume-structures">
<h2>Removing Logical Volume structures</h2>
<ul class="simple">
<li>Unmount the lv you want to remove</li>
<li>Edit /etc/fstab to remove its entry</li>
<li>Remove the logical volume: <tt class="docutils literal"><span class="pre">lvremove</span> <span class="pre">/dev/&lt;vg&gt;/&lt;lv&gt;</span></tt></li>
<li>Before removing a VG, ensure there are no more LVs within it.</li>
<li>Remove the volume group: <tt class="docutils literal"><span class="pre">vgremove</span> <span class="pre">/dev/&lt;vg&gt;</span></tt></li>
<li>Remove the LVM signature from the partitions: <tt class="docutils literal"><span class="pre">pvremove</span> <span class="pre">/dev/&lt;part&gt;</span></tt></li>
</ul>
</div>
<div class="section" id="exercise-2-3-work-with-logical-volume-management">
<h2>Exercise 2-3: Work with Logical Volume Management</h2>
<p>On your Client virtual machine:</p>
<blockquote>
<ol class="arabic simple">
<li>From the unallocated space on the disk you added in the previous exercise, create a 5 GB partition (type 8e) for LVM</li>
<li>Initialize it with pvcreate</li>
<li>Use vgcreate to create a volume group named &quot;shared&quot; from the physical volume.</li>
<li>Use lvcreate to create a 2.5 GB logical volume called &quot;goodguys&quot; from the &quot;shared&quot; volume group.</li>
<li>Create an ext3 filesystem on <tt class="docutils literal"><span class="pre">/dev/shared/goodguys</span></tt>.</li>
<li>Create a directory <tt class="docutils literal"><span class="pre">/shared/goodguys</span></tt> and mount the LV there.</li>
<li>Create an entry in <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> for persistence.</li>
<li>Use <tt class="docutils literal"><span class="pre">df</span> <span class="pre">-h</span></tt> to verify the available space.</li>
<li>Use lvextend to add another 1 GB to <tt class="docutils literal"><span class="pre">/dev/shared/goodguys</span></tt>.</li>
<li>Use resize2fs to grow the filesystem on <tt class="docutils literal"><span class="pre">/dev/shared/goodguys</span></tt> to use the new space.</li>
<li>Use <tt class="docutils literal"><span class="pre">df</span> <span class="pre">-h</span></tt> to verify the available space.</li>
</ol>
</blockquote>
</div>
<div class="section" id="commands-to-know">
<h2>Commands to Know</h2>
<p>fdisk</p>
<blockquote>
<ul class="simple">
<li>Always use -u and -c for best compatibility with newer storage devices</li>
<li>Can't create partitions &gt;= 2TB; use parted with GPT instead</li>
</ul>
</blockquote>
<p>parted</p>
<blockquote>
<ul class="simple">
<li>fdisk-replacement that is GPT-aware. Required for drives &gt; 2TB.</li>
</ul>
</blockquote>
<p>mkfs</p>
<blockquote>
<ul class="simple">
<li>Used to create filesystems on devices</li>
<li>Front-end for other filesystem-specific tools (usually named mkfs.&lt;fstype&gt;)</li>
</ul>
</blockquote>
<p>blkid</p>
<blockquote>
<ul class="simple">
<li>Shows device name, filesystem labels, and UUID of detected block devices.</li>
<li>May not show block devices until a filesystem is created on them.</li>
<li>May not show block devices used in non-standard ways (for example, a filesystem on a whole disk instead of on a partition)</li>
</ul>
</blockquote>
<p>mount</p>
<blockquote>
<ul class="simple">
<li>Used to make a new filesystem available</li>
</ul>
</blockquote>
</div>
<div class="section" id="working-with-luks-encrypted-storage">
<h2>Working with LUKS encrypted storage</h2>
<p>Package: <tt class="docutils literal"><span class="pre">cryptsetup-luks-1.1.2-2.el6.x86_64</span></tt></p>
<p>Overview of process for using LUKS encryption:</p>
<ul class="simple">
<li>Create a new partition</li>
<li>Encrypt it with <tt class="docutils literal"><span class="pre">cryptsetup</span> <span class="pre">luksFormat</span> <span class="pre">/dev/&lt;partition&gt;</span></tt></li>
<li>Open the encrypted device and assign it a name with <tt class="docutils literal"><span class="pre">cryptsetup</span> <span class="pre">luksOpen</span> <span class="pre">/dev/&lt;partition&gt;</span> <span class="pre">&lt;name&gt;</span></tt></li>
<li>Create a filesystem on the named device (/dev/mapper/&lt;name&gt;)</li>
<li>Create a mountpoint for the device</li>
<li>Mount the device</li>
</ul>
<p>To lock the volume:</p>
<ul class="simple">
<li>Unmount it</li>
<li>Use <tt class="docutils literal"><span class="pre">cryptsetup</span> <span class="pre">luksClose</span> <span class="pre">&lt;name&gt;</span></tt> to remove the decryption mapping</li>
</ul>
</div>
<div class="section" id="persistent-mounting-of-luks-devices">
<h2>Persistent mounting of LUKS devices</h2>
<p>To mount a LUKS device persistently:</p>
<blockquote>
<ul>
<li><p class="first">Create an entry in /etc/crypttab:</p>
<pre class="literal-block">
&lt;name&gt; /dev/&lt;partition&gt; &lt;password (none|&lt;blank&gt;|&lt;path/to/file/with/password&gt;)&gt;
</pre>
</li>
<li><p class="first">If the password field is &quot;none&quot; or left blank, the system will prompt for a password.</p>
</li>
<li><p class="first">Create an entry in /etc/fstab</p>
</li>
</ul>
<div class="note">
<p class="first admonition-title">Note</p>
<p class="last">At reboot, the password prompt goes only to the default console. If console redirection is enabled, as it might be when a virtual machine is made accessible through <tt class="docutils literal"><span class="pre">virsh</span> <span class="pre">console</span> <span class="pre">&lt;name&gt;</span></tt>, then the only place where the prompt is seen and the passphrase can be entered is at that redirected console.</p>
</div>
</blockquote>
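<p>An added example (not part of the original course material) of a check worth running after editing <tt class="docutils literal"><span class="pre">/etc/crypttab</span></tt>: it reads the three fields described above, reports which entries will prompt at boot, and flags any password file that is missing, not owned by the expected UID, or accessible to group or other. The function names, device names and sample entries are constructed for this example.</p>

```bash
#!/bin/sh
# Added example: audit the third field of crypttab entries.
# Entry layout from the page: <name> /dev/<partition> <none | blank | path to password file>

# $1 = crypttab path, $2 = UID expected to own password files (default 0, root).
# Prints one line per entry: <name> <status>
audit_crypttab() {
    crypttab=$1
    want_uid=${2:-0}
    while read -r name device key opts; do
        case "$name" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        case "$key" in
            ''|none)
                echo "$name prompt"       # passphrase is asked for on the console
                continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name keyfile-missing"
            continue
        fi
        mode=$(stat -c %a "$key")         # octal permission bits, e.g. 600
        uid=$(stat -c %u "$key")          # numeric owner
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            # Any group/other bit means a non-owner can read or alter the secret.
            echo "$name keyfile-exposed mode=$mode"
        elif [ "$uid" -ne "$want_uid" ]; then
            echo "$name keyfile-wrong-owner uid=$uid"
        else
            echo "$name keyfile-ok"
        fi
    done < "$crypttab"
}

# Build a constructed crypttab and two constructed password files in a temp
# directory, audit them as the current user, then clean up.
demo_crypttab() {
    tmp=$(mktemp -d)
    printf 'constructed-secret-1\n' > "$tmp/good.key"
    chmod 600 "$tmp/good.key"
    printf 'constructed-secret-2\n' > "$tmp/bad.key"
    chmod 644 "$tmp/bad.key"
    printf '%s\n' \
        '# constructed sample entries' \
        'secret1 /dev/vdb1 none' \
        'secret2 /dev/vdb2' \
        "secret3 /dev/vdb3 $tmp/good.key" \
        "secret4 /dev/vdb4 $tmp/bad.key" \
        "secret5 /dev/vdb5 $tmp/absent.key" > "$tmp/crypttab"
    audit_crypttab "$tmp/crypttab" "$(id -u)"
    rm -rf "$tmp"
}

demo_crypttab
# On a live system (as root): audit_crypttab /etc/crypttab
```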
<!-- Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot -->
</div>
<div class="section" id="exercise-2-4-create-a-luks-encrypted-volume">
<h2>Exercise 2-4: Create a LUKS-encrypted volume</h2>
</div>
<div class="section" id="working-with-swap">
<h2>Working with SWAP</h2>
<p>Overview of process for adding SWAP space using a partition:</p>
<ul>
<li><p class="first">Create a type 82 partition</p>
</li>
<li><p class="first">Initialize as swap with <tt class="docutils literal"><span class="pre">mkswap</span> <span class="pre">/dev/&lt;partition&gt;</span></tt></p>
</li>
<li><p class="first">Identify the UUID with <tt class="docutils literal"><span class="pre">blkid</span></tt></p>
</li>
<li><p class="first">Add an <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> line:</p>
<pre class="literal-block">
UUID=&lt;UUID&gt; swap swap defaults 0 0
</pre>
</li>
<li><p class="first">Activate the new swap space with: <tt class="docutils literal"><span class="pre">swapon</span> <span class="pre">-a</span></tt></p>
</li>
</ul>
</div>
<div class="section" id="using-a-file-for-swap">
<h2>Using a file for SWAP</h2>
<p>Overview of process for adding SWAP space using a file:</p>
<ul>
<li><p class="first">Create a pre-allocated file of the desired size:</p>
<pre class="literal-block">
dd if=/dev/zero of=/path/to/&lt;swapfile&gt; bs=1M count=&lt;size in MB&gt;
</pre>
</li>
<li><p class="first">Initialize as swap with <tt class="docutils literal"><span class="pre">mkswap</span> <span class="pre">/path/to/&lt;swapfile&gt;</span></tt></p>
</li>
<li><p class="first">Add an <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> line:</p>
<pre class="literal-block">
/path/to/&lt;swapfile&gt; swap swap defaults 0 0
</pre>
</li>
<li><p class="first">Activate the new swap space with: <tt class="docutils literal"><span class="pre">swapon</span> <span class="pre">-a</span></tt></p>
</li>
</ul>
</div>
<div class="section" id="exercise-2-5-add-a-new-swap-partition">
<h2>Exercise 2-5: Add a new SWAP partition</h2>
<p>On your Client virtual machine:</p>
<blockquote>
<ol class="arabic simple">
<li>Use <tt class="docutils literal"><span class="pre">free</span> <span class="pre">-m</span></tt> to report the amount of swap in mebibytes (MiB) <a class="footnote-reference" href="#id5" id="id4">[2]</a> your system is configured to use. Note that number.</li>
<li>Create a new partition (this may be a new primary partition, or a logical partition on an extended partition, or you may need to add a new virtual disk, depending on your needs -- consult your instructor if you need help making this determination) of 512 MiB and make it a &quot;Linux Swap&quot; partition (type 82).</li>
<li>Initialize it with <tt class="docutils literal"><span class="pre">mkswap</span></tt>. Note the &quot;UUID=...&quot; in the output.</li>
<li>Configure <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> to use that device by device name or, preferably, by UUID as swap.</li>
<li>Activate the new swap partition with <tt class="docutils literal"><span class="pre">swapon</span></tt>.</li>
<li>Use <tt class="docutils literal"><span class="pre">free</span> <span class="pre">-m</span></tt> to confirm that the new swap space is available.</li>
</ol>
</blockquote>
<table class="docutils footnote" frame="void" id="id5" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label">[2]</td><td><em>(<a class="fn-backref" href="#id4">1</a>, <a class="fn-backref" href="#id6">2</a>)</em> A mebibyte (MiB) is the <em>proper</em> term for the unit containing 1024 units (kibibytes or KiB) of 1024 bytes. This is in contrast to the term &quot;megabyte&quot; which properly refers to a unit containing 1000 units (kilobytes or kB) of 1000 bytes. For more information, see the <a class="reference external" href="http://physics.nist.gov/cuu/Units/binary.html">short summary by The National Institute of Standards and Technology (NIST)</a> or the <a class="reference external" href="http://en.wikipedia.org/wiki/Binary_prefix">reference article on Wikipedia</a></td></tr>
</tbody>
</table>
</div>
<div class="section" id="exercise-2-6-add-a-new-swap-file">
<h2>Exercise 2-6: Add a new SWAP file</h2>
<p>On your Client virtual machine:</p>
<blockquote>
<ol class="arabic simple">
<li>Use <tt class="docutils literal"><span class="pre">free</span> <span class="pre">-m</span></tt> to report the amount of swap in mebibytes (MiB) <a class="footnote-reference" href="#id5" id="id6">[2]</a> your system is configured to use. Note that number.</li>
<li>Create a new file for swap by using <tt class="docutils literal"><span class="pre">dd</span></tt> to write zeros to a file of 128 MiB.</li>
<li>Initialize it with <tt class="docutils literal"><span class="pre">mkswap</span></tt>.</li>
<li>Configure <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> to use that file (by pathname) as swap.</li>
<li>Activate the new swap file with <tt class="docutils literal"><span class="pre">swapon</span></tt>.</li>
<li>Use <tt class="docutils literal"><span class="pre">free</span> <span class="pre">-m</span></tt> to confirm that the new swap space is available.</li>
</ol>
</blockquote>
</div>
<div class="section" id="mounting-using-uuids-and-filesystem-labels">
<h2>Mounting Using UUIDs and Filesystem Labels</h2>
<p>Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label</p>
</div>
<div class="section" id="local-storage-adding-new-storage">
<h2>Local Storage: Adding New Storage</h2>
<p>Add new partitions, logical volumes, and swap to a system non-destructively</p>
</div>
<div class="section" id="file-systems-working-with-common-linux-filesystems">
<h2>File systems: Working with Common Linux Filesystems</h2>
<p>Create, mount, unmount and use ext2, ext3 and ext4 file systems</p>
<p>Extend existing unencrypted ext4-formatted logical volumes</p>
</div>
<div class="section" id="filesystem-permissions-basic-permissions">
<h2>Filesystem Permissions: Basic Permissions</h2>
<p>Linux permissions are organized around:</p>
<blockquote>
<p><strong>Three sets of permissions</strong></p>
<blockquote>
<ul class="simple">
<li>User,</li>
<li>Group, and</li>
<li>Other</li>
</ul>
</blockquote>
<p><strong>Three types of permissions</strong></p>
<blockquote>
<ul class="simple">
<li>Read,</li>
<li>Write, and</li>
<li>Execute</li>
</ul>
</blockquote>
<p><strong>Three extended attributes</strong></p>
<blockquote>
<ul class="simple">
<li>SUID,</li>
<li>SGID, and</li>
<li>Stickybit</li>
</ul>
</blockquote>
</blockquote>
</div>
<div class="section" id="three-sets-of-permissions">
<h2>Three Sets of Permissions:</h2>
<p>Any given file or directory can be owned by one (and only one) user and one (and only one) group. Three different sets of permissions can be assigned.</p>
<ul class="simple">
<li>User -- User permissions apply to the individual user who owns the file or directory.</li>
<li>Group -- Group permissions apply to any user who is a member of the group that owns the file or directory.</li>
<li>Other -- Other permissions apply to any user account with access to the system that does not fall into the previous categories.</li>
</ul>
</div>
<div class="section" id="three-types-of-permissions">
<h2>Three Types of Permissions:</h2>
<ul>
<li><p class="first">Read (&quot;r&quot;)</p>
<blockquote>
<ul class="simple">
<li>On a file, allows reading</li>
<li>On a directory, allows listing</li>
</ul>
</blockquote>
</li>
<li><p class="first">Write (&quot;w&quot;)</p>
<blockquote>
<ul class="simple">
<li>On a file, allows editing</li>
<li>On a directory, allows creation and deletion of files</li>
</ul>
</blockquote>
</li>
<li><p class="first">Execute (&quot;x&quot;)</p>
<blockquote>
<ul class="simple">
<li>On a file, allows execution if the file is otherwise executable (script or binary)</li>
<li>On a directory, allows entry or traversal (<tt class="docutils literal"><span class="pre">#</span> <span class="pre">cd</span> <span class="pre">{dirname}</span></tt>)</li>
</ul>
</blockquote>
</li>
</ul>
</div>
<div class="section" id="three-extended-attributes">
<h2>Three Extended Attributes:</h2>
<ul>
<li><dl class="first docutils">
<dt>SUID (Set User ID)</dt>
<dd><p class="first last">On an executable, runs a process under the UID of the file owner rather than that of the user executing it.</p>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>SGID (Set Group ID)</dt>
<dd><p class="first last">On a directory, causes any files created in the directory to belong to the group owning the directory. On an executable, runs a process under the GID of the group owning the file rather than the logged-in group of the user executing it.</p>
</dd>
</dl>
</li>
<li><dl class="first docutils">
<dt>&quot;Stickybit&quot;</dt>
<dd><p class="first last">On a directory, ensures that only the owner of a file or the owner of the directory can delete it, even if all users or other members of a group have write access to the directory.</p>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="viewing-permissions">
<h2>Viewing Permissions</h2>
<p>Permissions are displayed in positions 2-10 of a &quot;long&quot; file listing:</p>
<blockquote>
<img alt="images/permblock.gif" src="images/permblock.gif" style="width: 40%;" />
</blockquote>
</div>
<div class="section" id="setting-permissions">
<h2>Setting Permissions</h2>
<p>The <tt class="docutils literal"><span class="pre">chmod</span></tt> command is used to set permissions on both files and directories. It has two modes -- one using symbolic options and one using octal numbers.</p>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">chmod</span> <span class="pre">[option]</span> <span class="pre">[ugoa...][+-=][rwxst]</span> <span class="pre">filename</span></tt></dt>
<dd>where ugoa are user, group, other, or all and rwxst are read, write, execute, s{u/g}id, stickybit.</dd>
<dt><tt class="docutils literal"><span class="pre">chmod</span> <span class="pre">[option]</span> <span class="pre">XXXX</span> <span class="pre">filename</span></tt></dt>
<dd>where XXXX is a number representing the complete permissions on the file.</dd>
</dl>
</div>
<div class="section" id="setting-permissions-with-symbolic-options">
<h2>Setting Permissions with Symbolic Options</h2>
<p>The following symbols are used:</p>
<table border="1" class="docutils">
<colgroup>
<col width="18%" />
<col width="51%" />
<col width="31%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">Which Set?</th>
<th class="head">What to do?</th>
<th class="head">Which Permissions?</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>u user</td>
<td>+ add this permission</td>
<td>r read</td>
</tr>
<tr><td>g group</td>
<td>- remove this permission</td>
<td>w write</td>
</tr>
<tr><td>o other</td>
<td>= set exactly this permission</td>
<td>x execute</td>
</tr>
<tr><td>a all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
<p>Examples:</p>
<pre class="literal-block">
$ chmod a+x /home/scott/Downloads/somescript.sh
$ chmod u=rw,g=r,o-rwx ./myfile.txt
</pre>
</div>
<div class="section" id="setting-permissions-with-numeric-options">
<h2>Setting Permissions with Numeric Options</h2>
<p>Each permission is assigned a numeric value:</p>
<blockquote>
<p>4 read</p>
<p>2 write</p>
<p>1 execute</p>
</blockquote>
<table border="1" class="docutils">
<colgroup>
<col width="56%" />
<col width="22%" />
<col width="22%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">r, w, x Permissions</th>
<th class="head">Binary</th>
<th class="head">Octal</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>---</td>
<td>000</td>
<td>0</td>
</tr>
<tr><td>--x</td>
<td>001</td>
<td>1</td>
</tr>
<tr><td>-w-</td>
<td>010</td>
<td>2</td>
</tr>
<tr><td>-wx</td>
<td>011</td>
<td>3</td>
</tr>
<tr><td>r--</td>
<td>100</td>
<td>4</td>
</tr>
<tr><td>r-x</td>
<td>101</td>
<td>5</td>
</tr>
<tr><td>rw-</td>
<td>110</td>
<td>6</td>
</tr>
<tr><td>rwx</td>
<td>111</td>
<td>7</td>
</tr>
</tbody>
</table>
<p>The values in each set of permissions are added separately so that a three-digit octal number fully represents the basic permissions of a file or directory:</p>
<pre class="literal-block">
$ chmod 640 ~/myfile.txt
$ chmod 751 /shared/scripts/myscript.sh
</pre>
<!-- +- - - - - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+ -->
<!-- .. | | User | Group | Other | -->
<!-- +==============+===+===+===+===+===+===+===+===+===+ -->
<!-- .. |Permissions | r | w | x | r | w | x | r | w | x | -->
<!-- +- - - - - - - - - - - - - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+ -->
<!-- .. |Numeric Value | 4 | 2 | 1 | 4 | 2 | 1 | 4 | 2 | 1 | -->
<!-- +- - - - - - - - - - - - - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+ -->
<!-- .. |Sum | 0-7 | 0-7 | 0-7 | -->
<!-- +- - - - - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+ -->
<!-- -->
<!-- +- - - - - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+ -->
<!-- .. | example.txt | User | Group | Other | -->
<!-- +==============+===+===+===+===+===+===+===+===+===+ -->
<!-- .. |Permissions | r | w | x | r |\- | x |\- |\- | x | -->
<!-- +- - - - - - - - - - - - - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+ -->
<!-- .. |Numeric Value | 4 | 2 | 1 | 4 | 0 | 1 | 0 | 0 | 1 | -->
<!-- +- - - - - - - - - - - - - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+- - -+ -->
<!-- .. |Sum | 7 | 5 | 1 | -->
<!-- +- - - - - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+- - - - - - - - - - -+ -->
</div>
<div class="section" id="setting-extended-attributes-with-numeric-options">
<h2>Setting Extended Attributes with Numeric Options</h2>
<p>chmod numeric options are actually 4 digits (not three). Missing digits are assumed to be leading zeroes.</p>
<p>The leftmost place is for extended attributes:</p>
<p>Each attribute is assigned a numeric value:</p>
<blockquote>
<p>4 SUID</p>
<p>2 SGID</p>
<p>1 Stickybit</p>
</blockquote>
<!-- .. +- - - - - - - - - - -+- - - - - - -+- - - - - - -+- - - - - - - - - - -+ -->
<!-- .. | Attribute | SUID | SGID | Stickybit | -->
<!-- .. +===========+=======+=======+===========+ -->
<!-- .. | Value | 4 | 2 | 1 | -->
<!-- .. +- - - - - - - - - - -+- - - - - - -+- - - - - - -+- - - - - - - - - - -+ -->
<p>Example:</p>
<pre class="literal-block">
$ chmod 3775 MySharedDir
</pre>
</div>
<div class="section" id="setting-extended-attributes-with-symbolic-values">
<h2>Setting Extended Attributes with Symbolic Values:</h2>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">chmod</span> <span class="pre">o+t</span> <span class="pre">{filename}</span></tt></dt>
<dd>Sets the sticky bit</dd>
<dt><tt class="docutils literal"><span class="pre">chmod</span> <span class="pre">u+s</span> <span class="pre">{filename}</span></tt></dt>
<dd>Sets suid</dd>
<dt><tt class="docutils literal"><span class="pre">chmod</span> <span class="pre">g+s</span> <span class="pre">{filename}</span></tt></dt>
<dd>Sets sgid</dd>
</dl>
</div>
<div class="section" id="extended-attributes-in-directory-listings">
<h2>Extended Attributes in Directory Listings</h2>
<table border="1" class="docutils">
<colgroup>
<col width="18%" />
<col width="82%" />
</colgroup>
<tbody valign="top">
<tr><td>-rwxrwxrwx</td>
<td>Normal Permissions, All permissions granted</td>
</tr>
<tr><td>-rwSrwxrwx</td>
<td>Indicates SUID set</td>
</tr>
<tr><td>-rwsrwxrwx</td>
<td>Indicates SUID and execute permission set</td>
</tr>
<tr><td>-rwxrwSrwx</td>
<td>Indicates SGID set</td>
</tr>
<tr><td>-rwxrwsrwx</td>
<td>Indicates SGID and execute permission set</td>
</tr>
<tr><td>-rwxrwxrwT</td>
<td>Indicates Stickybit set</td>
</tr>
<tr><td>-rwxrwxrwt</td>
<td>Indicates Stickybit and execute permission set</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="umask">
<h2>Umask</h2>
<ul class="simple">
<li>The umask value determines the permissions that will be applied to newly created files and directories.</li>
<li>As a &quot;mask&quot; it is subtractive -- representing the value of the permissions you DO NOT want to grant.</li>
<li>Execute rights are automatically withheld (without regard for the umask) for <em>files</em> but not for <em>directories</em>.</li>
<li>Extended attributes are not addressed -- even though a umask is four characters.</li>
<li>The default umask value is set in /etc/bashrc and can be modified (non-persistently!) with the bash built-in command <tt class="docutils literal"><span class="pre">umask</span></tt>.</li>
</ul>
</div>
<div class="section" id="umask-examples">
<h2>Umask Examples</h2>
<ul class="simple">
<li>Umask of 0002 yields permissions of 0775 on new directories and 0664 on new files</li>
<li>Umask of 0022 yields permissions of 0755 on new directories and 0644 on new files</li>
</ul>
</div>
<div class="section" id="sgid-and-stickybit-use-case-collaborative-directories">
<h2>SGID and Stickybit Use Case -- Collaborative Directories</h2>
<ul class="simple">
<li>Create a Group for Collaboration</li>
<li>Add users to the group</li>
<li>Create a directory for collaboration</li>
<li>Set its group ownership to the intended group</li>
<li>Set its group permissions appropriately</li>
<li>Recursively set the SGID and sticky bits on the directory</li>
</ul>
<p>This ensures that:</p>
<blockquote>
<ol class="arabic simple">
<li>All files created in this directory will be owned by the intended group (SGID effect)</li>
<li>All files created in this directory can only be deleted by the user who owns the file or the user who owns the directory (stickybit effect)</li>
</ol>
</blockquote>
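<p>The steps above as a script, added here as an example (it is not part of the original course notes). The group and user names in the comments are hypothetical; the runnable part uses one of the current user's own groups so that it works without root, and it also shows how the umask decides whether group members can edit each other's files:</p>

```shell
#!/bin/sh
# Added example, not part of the original course notes.
# Steps 1-2 of the list need root; "projteam", "alice" and "bob" are
# hypothetical names:
#   groupadd projteam
#   usermod -aG projteam alice
#   usermod -aG projteam bob

# Steps 3-6: create the directory, give it to the group, grant owner and
# group rwx and others nothing, and set SGID (2) plus the sticky bit (1).
make_collab_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 3770 "$1"
}

# Octal mode of a path, including the leading special-bits digit if set.
mode_of() { stat -c '%a' "$1"; }

# Numeric GID that owns a path.
gid_of() { stat -c '%g' "$1"; }

# For an unprivileged demo: pick a supplementary group of the current user
# if there is one (so the SGID effect is visible), else the primary group.
pick_demo_gid() {
    primary_gid=$(id -g)
    for candidate_gid in $(id -G); do
        if [ "$candidate_gid" != "$primary_gid" ]; then
            echo "$candidate_gid"
            return 0
        fi
    done
    echo "$primary_gid"
}

# Create a file in the directory under the given umask and print
# "<mode> <gid>" for it. The subshell keeps the umask change local.
new_file_under_umask() {
    ( umask "$2" && touch "$1/$3" ) || return 1
    echo "$(mode_of "$1/$3") $(gid_of "$1/$3")"
}

demo() {
    demo_base=$(mktemp -d) || return 1
    demo_gid=$(pick_demo_gid)
    make_collab_dir "$demo_base/shared" "$demo_gid" || return 1
    echo "directory mode: $(mode_of "$demo_base/shared")"
    echo "umask 0022 -> $(new_file_under_umask "$demo_base/shared" 0022 a.txt)"
    echo "umask 0002 -> $(new_file_under_umask "$demo_base/shared" 0002 b.txt)"
    rm -rf "$demo_base"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

<p>Both files inherit the directory's group, but the one created under umask 0022 has no group write bit, so other members of the group can read it and cannot edit it.</p>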
</div>
<div class="section" id="file-access-control-lists">
<h2>File Access Control Lists</h2>
<ul>
<li><p class="first">Provide more granular control of permissions.</p>
</li>
<li><p class="first">Filesystem must be mounted with the 'acl' option or be configured with that option by default.</p>
<blockquote>
<ul class="simple">
<li>Use mount with a <tt class="docutils literal"><span class="pre">-o</span> <span class="pre">acl</span></tt> option to mount (non-persistently) with ACLs enabled.</li>
<li>Add &quot;acl&quot; in the options field of <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> to persistently enable ACLs</li>
<li>or use <tt class="docutils literal"><span class="pre">tune2fs</span> <span class="pre">-o</span> <span class="pre">user_xattr,acl</span> <span class="pre">/path/to/device</span></tt> to configure those attributes as default mount options</li>
</ul>
</blockquote>
</li>
</ul>
<dl class="docutils">
<dt>getfacl</dt>
<dd>Used to view file ACLs</dd>
<dt>setfacl</dt>
<dd>Used to set file ACLs</dd>
</dl>
</div>
<div class="section" id="getfacl">
<h2>getfacl</h2>
<p>Example of &quot;getfacl acldir&quot;</p>
<pre class="literal-block">
# file: acldir
# owner: frank
# group: frank
user::rwx
user:bob:-wx
user:mary:rw-
group::rwx
mask::rwx
other::r-x
</pre>
<p>Example of <tt class="docutils literal"><span class="pre">ls</span> <span class="pre">-l</span> <span class="pre">acldir</span></tt>:</p>
<pre class="literal-block">
drwxrwxr-x+ 2 frank frank 4096 2009-05-27 14:15 acldir
</pre>
<!-- Create and manage File Access Control Lists -->
</div>
<div class="section" id="working-with-cifs-network-file-systems">
<h2>Working with CIFS network file systems</h2>
<p>Will be covered in more detail later.</p>
<p>Mounting:</p>
<pre class="literal-block">
mount -t cifs //server/share /path/to/mountpoint -o options
</pre>
</div>
<div class="section" id="working-with-nfs-file-systems">
<h2>Working with NFS file systems</h2>
<p>Will be covered in more detail later.</p>
<p>Mounting:</p>
<pre class="literal-block">
mount -t nfs server:/path/to/export /path/to/mountpoint -o options
</pre>
</div>
<div class="section" id="iscsi-devices">
<h2>iSCSI Devices</h2>
<p>Package: iscsi-initiator-utils</p>
<p>Allows a system to access remote storage devices with SCSI commands as though it were a local hard disk.</p>
<p>Terms:</p>
<ul class="simple">
<li>iSCSI initiator: A client requesting access to storage</li>
<li>iSCSI target: Remote storage device presented from an iSCSI server or &quot;target portal&quot;</li>
<li>iSCSI target portal: A server providing targets to the initiator</li>
<li>IQN: &quot;iSCSI Qualified Name&quot; -- a unique name. Both the initiator and target need such a name to be assigned</li>
</ul>
</div>
<div class="section" id="accessing-iscsi-devices">
<h2>Accessing iSCSI Devices</h2>
<ul>
<li><p class="first">Install the iscsi-initiator-utils package</p>
</li>
<li><p class="first">Start the <tt class="docutils literal"><span class="pre">iscsi</span></tt> and <tt class="docutils literal"><span class="pre">iscsid</span></tt> services (and configure them persistently on)</p>
</li>
<li><p class="first">Set the initiator IQN in /etc/iscsi/initiatorname.iscsi</p>
</li>
<li><p class="first">Discover targets with:</p>
<pre class="literal-block">
iscsiadm -m discovery -t st -p &lt;portal IP address&gt;
</pre>
</li>
<li><p class="first">Log in to the target using the name displayed in discovery:</p>
<pre class="literal-block">
iscsiadm -m node -T &lt;IQN&gt; -p &lt;portal IP address&gt; -l
</pre>
</li>
<li><p class="first">Identify the SCSI device name with <tt class="docutils literal"><span class="pre">dmesg</span></tt>, <tt class="docutils literal"><span class="pre">tail</span> <span class="pre">/var/log/messages</span></tt> or <tt class="docutils literal"><span class="pre">ls</span> <span class="pre">-l</span> <span class="pre">/dev/disk/by-path/*iscsi*</span></tt></p>
</li>
<li><p class="first">Use the disk as though it were a local hard disk</p>
</li>
</ul>
<div class="important">
<p class="first admonition-title">Important</p>
<p class="last">Be certain to use UUIDs or labels for persistent mounts in <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt>. Also, provide <tt class="docutils literal"><span class="pre">_netdev</span></tt> as a mount option so that this device will not be mounted until the network is already up.</p>
</div>
<!-- Configure a system as an iSCSI initiator that persistently mounts an iSCSI target -->
</div>
<div class="section" id="disconnecting-from-iscsi-devices">
<h2>Disconnecting from iSCSI Devices</h2>
<ul>
<li><p class="first">Ensure the device is not in use</p>
</li>
<li><p class="first">Unmount the device</p>
</li>
<li><p class="first">Remove its <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> entry</p>
</li>
<li><p class="first">Log out from the target:</p>
<pre class="literal-block">
iscsiadm -m node -T &lt;IQN&gt; -p &lt;portal IP&gt; -u
</pre>
</li>
<li><p class="first">Delete the local record:</p>
<pre class="literal-block">
iscsiadm -m node -T &lt;IQN&gt; -p &lt;portal IP&gt; -o delete
</pre>
</li>
</ul>
</div>
<div class="section" id="additional-references">
<h2>Additional References</h2>
<ul class="simple">
<li>Chapter 4 of the Storage Administration Guide for RHEL6 (<a class="reference external" href="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/index.html">http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/index.html</a>) covers the usage of parted.</li>
<li>Man pages for fdisk(8), fstab(5), mkfs(8), blkid(8), partprobe(8), mount(8), parted(8), cryptsetup(8), and crypttab(5)</li>
</ul>
</div>
<div class="section" id="id7">
<h2>Reading</h2>
<dl class="docutils">
<dt>Topics from this class:</dt>
<dd>Jang, Chapters 4,6,8</dd>
<dt>Topics for next class:</dt>
<dd>Jang Ch 7,9,12,17</dd>
</dl>
</div>
<div class="section" id="labs">
<h2>Labs</h2>
<p>Add Storage</p>
<blockquote>
<p>Add a disk to the virtual machine</p>
<blockquote>
<p>Add Swap</p>
<p>Add a partition</p>
<p>Add space to a VG</p>
<p>Add a LUKS-encrypted filesystem</p>
<p>Enlarge an LV</p>
</blockquote>
<p>Add an iSCSI device</p>
</blockquote>
<p>Create a partition for collaboration</p>
<blockquote>
Create File ACLs</blockquote>
</div>
</div>
<div class="section" id="session-3-managing-software-processes-kernel-attributes-and-users-and-groups">
<h1>Session 3 Managing software, processes, kernel attributes, and users and groups</h1>
<div class="section" id="the-red-hat-network-rhn">
<h2>The Red Hat Network (RHN)</h2>
<p>The primary delivery mechanism for installable software, updates, errata and bug fixes and systems management functions for an installation of RHEL 6 is the Red Hat Network or RHN.</p>
<p>The &quot;cost&quot; of RHEL 6 is really a subscription to this support network.</p>
<p>These commands are used in managing an RHN subscription:</p>
<pre class="literal-block">
# man -k rhn
rhn-profile-sync (8) - Update system information on Red Hat Network
rhn_check (8) - Check for and execute queued actions on RHN
rhn_register (8) - Connect to Red Hat Network
rhnplugin (8) - Red Hat Network support for yum(8)
rhnplugin.conf [rhnplugin] (5) - Configuration file for the rhnplugin(8) yum(8) plugin
rhnreg_ks (8) - A program for non interactively registering systems to Red Hat Network
rhnsd (8) - A program for querying the Red Hat Network for updates and information
</pre>
</div>
<div class="section" id="rhn-subscription-activation">
<h2>RHN Subscription Activation</h2>
<p>A new user of RHEL6 should receive information similar to this:</p>
<pre class="literal-block">
Red Hat subscription login:
Account Number : *******
Contract Number : *******
Item Description : Red Hat Enterprise Linux &lt;Edition&gt;
RHEL Subscription Number : *******************
Quantity : #
Service Dates : 12-JUN-10 through 11-JUN-11
Customer Name : *********************************
Account Number: ************
Log into the new portal here: access.redhat.com
Login: *************
Password: **************
Email address: ****************************
</pre>
<p>That information can then be used with <tt class="docutils literal"><span class="pre">rhn_register</span></tt> to activate a new subscription.</p>
</div>
<div class="section" id="rd-party-yum-repositories">
<h2>3rd Party Yum Repositories</h2>
<p>These are other repositories of installable software, updates, or bugfixes. The <tt class="docutils literal"><span class="pre">yum</span></tt> command can be configured to use them in addition to or instead of the RHN.</p>
<ul class="simple">
<li>Configuration of repositories other than the RHN is accomplished through text configuration files located in the directory: <tt class="docutils literal"><span class="pre">/etc/yum.repos.d/</span></tt></li>
<li>A configuration file for each repository (or group of related repos) should be created in <tt class="docutils literal"><span class="pre">/etc/yum.repos.d/</span></tt></li>
<li>The name of each repo config file should end in &quot;.repo&quot;.</li>
<li>This allows a repo to be temporarily disabled simply by renaming its file to something like: <tt class="docutils literal"><span class="pre">myrepo.repo.disabled</span></tt></li>
</ul>
</div>
<div class="section" id="yum-repository-mandatory-configuration-items">
<h2>Yum Repository Mandatory Configuration Items</h2>
<dl class="docutils">
<dt>Repository ID</dt>
<dd><p class="first">Short name for identifying this repository in reports</p>
<pre class="last literal-block">
[MyRepo]
</pre>
</dd>
<dt>Name</dt>
<dd><p class="first">Longer description of this repository</p>
<pre class="last literal-block">
name=My Custom Repository
</pre>
</dd>
<dt>Baseurl</dt>
<dd><p class="first">Description of protocol and location needed to locate the repo files.</p>
<pre class="last literal-block">
baseurl=ftp://192.168.5.200/pub/rhel6
</pre>
</dd>
</dl>
</div>
<div class="section" id="yum-repository-common-optional-configuration-items">
<h2>Yum Repository Common Optional Configuration Items</h2>
<dl class="docutils">
<dt>gpgcheck</dt>
<dd><p class="first">Defines whether yum should attempt to validate package signatures. &quot;0&quot; = &quot;off&quot;, &quot;1&quot; = &quot;on&quot;.</p>
<pre class="last literal-block">
gpgcheck=1
</pre>
</dd>
<dt>gpgkey</dt>
<dd><p class="first">Defines (via URL) where the keys for signature validation are located (typically <tt class="docutils literal"><span class="pre">file:///etc/pki/rpm-gpg/&lt;key</span> <span class="pre">name&gt;</span></tt>)</p>
<pre class="last literal-block">
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
</pre>
</dd>
<dt>enabled</dt>
<dd><p class="first">(Optional) Defines whether this repository should be currently active. &quot;0&quot; = &quot;off&quot;, &quot;1&quot; = &quot;on&quot;.</p>
<pre class="last literal-block">
enabled=1
</pre>
</dd>
</dl>
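<p>A small audit of <tt class="docutils literal"><span class="pre">.repo</span></tt> files built on the items above, added here as an example (it is not part of the original course notes). It reports enabled repositories that switch signature checking off, leave it unset, or fetch over plain FTP or HTTP; the function names, the sample file and the names OldRepo, NoCheck and repo.example.com are made up for the illustration:</p>

```shell
#!/bin/sh
# Added example, not part of the original course notes.

# Constructed sample .repo file built from the values on the slides;
# OldRepo, NoCheck and repo.example.com are made up.
write_sample_repo() {
    cat > "$1" <<'EOF'
[MyRepo]
name=My Custom Repository
baseurl=ftp://192.168.5.200/pub/rhel6
gpgcheck=0
enabled=1

[MyRepo-signed]
name=My Custom Repository (signature checking on)
baseurl=ftp://192.168.5.200/pub/rhel6
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1

# disabled repositories are skipped
[OldRepo]
name=Retired repository
baseurl=http://repo.example.com/old
gpgcheck=0
enabled=0

[NoCheck]
name=Repository without a gpgcheck line
baseurl=https://repo.example.com/rhel6
EOF
}

# Print one line per finding, as "<repo id>: <finding>".
audit_repo_file() {
    awk '
    function report(msg) { printf "%s: %s\n", id, msg }
    function check_repo() {
        if (id == "" || id == "main") return
        if (enabled == "0") return
        if (gpgcheck == "0")
            report("gpgcheck=0, package signatures are not checked")
        else if (gpgcheck == "")
            report("gpgcheck not set, inherits the [main] value from /etc/yum.conf")
        if (baseurl ~ /^(ftp|http):\/\//)
            report("baseurl uses plain FTP or HTTP: " baseurl)
    }
    # Skip comments and blank lines.
    /^[ \t]*([#;]|$)/ { next }
    # A new [section] closes the previous repository.
    /^[ \t]*\[/ {
        check_repo()
        id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        gpgcheck = ""; baseurl = ""; enabled = ""
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        else if (key == "baseurl") baseurl = val
        else if (key == "enabled") enabled = val
    }
    END { check_repo() }
    ' "$1"
}

# On a real system:
#   for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done
if [ "${1:-}" = "demo" ]; then
    demo_file=$(mktemp) && write_sample_repo "$demo_file" \
        && audit_repo_file "$demo_file"
    rm -f "$demo_file"
fi
```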
</div>
<div class="section" id="managing-software-using-yum">
<h2>Managing Software: Using yum</h2>
<p>Common commands:</p>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">help</span></tt></dt>
<dd>Displays usage information.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">list</span></tt></dt>
<dd>Lists all available packages and indicates which are installed.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">search</span> <span class="pre">KEYWORD</span></tt></dt>
<dd>Searches for packages with a keyword in the package metadata.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">info</span> <span class="pre">PACKAGENAME</span></tt></dt>
<dd>Displays information about a package taken from the package metadata.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">install</span> <span class="pre">PACKAGENAME</span></tt></dt>
<dd>Installs a package (obtained from the repository) and any required dependencies.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">localinstall</span> <span class="pre">RPMFILENAME</span></tt></dt>
<dd>Installs a local .rpm file, but uses the repository to satisfy dependencies.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">remove</span> <span class="pre">PACKAGENAME</span></tt></dt>
<dd>Uninstalls a package and any other packages dependent upon it.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">update</span> <span class="pre">PACKAGENAME</span></tt></dt>
<dd>Installs a newer version of the package, if available.</dd>
<dt><tt class="docutils literal"><span class="pre">yum</span> <span class="pre">update</span></tt></dt>
<dd>Updates all installed packages for which a newer version is available.</dd>
</dl>
</div>
<div class="section" id="yum-related-man-pages">
<h2>Yum-related man pages</h2>
<pre class="literal-block">
# man -k yum
qreposync (1) - synchronize yum repositories to a local directory
rhnplugin (8) - Red Hat Network support for yum(8)
rhnplugin.conf [rhnplugin] (5) - Configuration file for the rhnplugin(8) yum(8) plugin
yum (8) - Yellowdog Updater Modified
yum [yum-shell] (8) - Yellowdog Updater Modified shell
yum-groups-manager (1) - create and edit yum's group metadata
yum-utils (1) - tools for manipulating repositories and extended package management
yum.conf [yum] (5) - Configuration file for yum(8)
</pre>
</div>
<div class="section" id="rpm-architecture">
<h2>RPM Architecture</h2>
<p><tt class="docutils literal"><span class="pre">rpm</span></tt> executable</p>
<p>RPM packages -- Files to install + SPEC file (metadata)</p>
<p>Local RPM database -- retains metadata from all installed packages</p>
<blockquote>
Database is kept in /var/lib/rpm</blockquote>
</div>
<div class="section" id="rpm-package-naming">
<h2>RPM Package Naming</h2>
<ul>
<li><p class="first">name-version-release.architecture*.rpm</p>
</li>
<li><p class="first">Version is the version of the &quot;upstream&quot; open source code</p>
</li>
<li><p class="first">Release refers to Red Hat internal patches to the source code</p>
</li>
<li><p class="first">Architecture is one of:</p>
<blockquote>
<ul class="simple">
<li>i386,i686 -- 32 bit x86 compatible</li>
<li>x86_64 -- Intel/AMD 64 bit</li>
<li>ppc64 -- Power PC 64 bit</li>
<li>ia64 -- Intel Itanium 64 bit</li>
<li>noarch -- Arch-independent code (scripts, docs, images, etc)</li>
<li>src -- Source code</li>
</ul>
</blockquote>
</li>
</ul>
</div>
<div class="section" id="package-naming-example">
<h2>Package Naming Example</h2>
<p>bash-4.1.2-8.el6.x86_64</p>
<table border="1" class="docutils">
<colgroup>
<col width="14%" />
<col width="40%" />
<col width="28%" />
<col width="19%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">Name</th>
<th class="head">Project Version</th>
<th class="head">RH Release</th>
<th class="head">Arch</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>bash</td>
<td>4.1.2</td>
<td>8.el6</td>
<td>x86_64</td>
</tr>
</tbody>
</table>
<p>This package starts with version 4.1.2 of bash (from ftp.gnu.org/gnu/bash), applies a RH patch identified as 8.el6 to it, and is then built to run on an Intel/AMD 64 bit processor.</p>
</div>
<div class="section" id="installing-and-upgrading-packages">
<h2>Installing and Upgrading Packages</h2>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">#</span> <span class="pre">rpm</span> <span class="pre">-i[v,h]</span> <span class="pre">name-ver-rel.arch.rpm</span></tt></dt>
<dd>Installs a package</dd>
<dt><tt class="docutils literal"><span class="pre">#</span> <span class="pre">rpm</span> <span class="pre">-U[v,h]</span> <span class="pre">name-ver-rel.arch.rpm</span></tt></dt>
<dd>Upgrades a package if an older version was previously installed. Otherwise, simply installs the new version.</dd>
<dt><tt class="docutils literal"><span class="pre">#</span> <span class="pre">rpm</span> <span class="pre">-F[v,h]</span> <span class="pre">name-ver-rel.arch.rpm</span></tt></dt>
<dd>Upgrades a package if an older version is installed. Otherwise, does nothing -- <strong>does not install new packages if no older version was installed.</strong></dd>
</dl>
</div>
<div class="section" id="upgrading-a-kernel">
<h2>Upgrading a Kernel</h2>
<ul class="simple">
<li>Always use <tt class="docutils literal"><span class="pre">#rpm</span> <span class="pre">-i</span> <span class="pre">...</span></tt></li>
<li>This leaves the previously installed kernel on the system and in the GRUB menu as a fall-back in case the new version has problems.</li>
</ul>
</div>
<div class="section" id="rpm-and-modified-config-files">
<h2>RPM and Modified Config Files</h2>
<p>Scenario: niftyapp-1.0-1.el5.rpm uses a config file, <tt class="docutils literal"><span class="pre">/etc/nifty.conf</span></tt>. You tweaked <tt class="docutils literal"><span class="pre">/etc/nifty.conf</span></tt> to fit your system. Now niftyapp-2.0-1.el5.rpm is available with new features that require changes in the .conf file and provides a new default config file. What to do?</p>
<ul class="simple">
<li>If the previous version provided a default config file, the changes are detected. Your modified version of the .conf file is saved as <tt class="docutils literal"><span class="pre">/etc/nifty.conf.rpmsave</span></tt> and the new default config is installed. You can compare the files and modify as needed.</li>
<li>If the previous version did NOT provide a default config file, your version of the .conf file is saved as <tt class="docutils literal"><span class="pre">/etc/nifty.conf.rpmorig</span></tt> and the new default config is installed. You can compare the files and modify as needed.</li>
</ul>
</div>
<div class="section" id="uninstalling">
<h2>Uninstalling</h2>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">rpm</span> <span class="pre">-e</span> <span class="pre">name[-ver][-rel]</span></tt></p>
<ul class="simple">
<li>Package removal is never verbose and never shows progress (-v and -h have no effect)</li>
<li>Package removal only needs the name (or when multiple versions of the same package are installed, sometimes the version or release) but not the architecture or the .rpm extension.</li>
</ul>
</div>
<div class="section" id="rpm-over-a-network">
<h2>RPM over a Network</h2>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">rpm</span> <span class="pre">-ivh</span> <span class="pre">ftp://{Host}/path/to/packagename-ver-rel.arch.rpm</span></tt></p>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">rpm</span> <span class="pre">-ivh</span> <span class="pre">http://{Host}/path/to/packagename-ver-rel.arch.rpm</span></tt></p>
<p>And wildcard &quot;globbing&quot; is allowed:</p>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">rpm</span> <span class="pre">-ivh</span> <span class="pre">http://{Host}/path/to/packagename*</span></tt></p>
</div>
<div class="section" id="common-rpm-queries">
<h2>Common RPM Queries</h2>
<table border="1" class="docutils">
<colgroup>
<col width="29%" />
<col width="71%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">Query</th>
<th class="head">Result</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>rpm -qa</td>
<td>lists all installed packages.</td>
</tr>
<tr><td>rpm -q pkg</td>
<td>Reports the version of the package.</td>
</tr>
<tr><td>rpm -qf /path/file</td>
<td>Reports which package provided the file.</td>
</tr>
<tr><td>rpm -qc pkg</td>
<td>Lists all configuration files of the package.</td>
</tr>
<tr><td>rpm -qd pkg</td>
<td>Lists all documentation of the package.</td>
</tr>
<tr><td>rpm -qi pkg</td>
<td>Reports a description of the package.</td>
</tr>
<tr><td>rpm -ql pkg</td>
<td>Lists all files contained in the package.</td>
</tr>
<tr><td>rpm -qR pkg</td>
<td>Lists all dependencies.</td>
</tr>
<tr><td>rpm -q --scripts</td>
<td>Lists the scripts that run when installing/removing.</td>
</tr>
</tbody>
</table>
<dl class="docutils">
<dt>rpm -q{c|d|i|l|R}p /path/to/packagename-ver-rel.arch.rpm</dt>
<dd>Reports the same info as above, but pulls info from the .rpm file instead of the rpm database.</dd>
</dl>
</div>
<div class="section" id="rpm-verification">
<h2>RPM Verification</h2>
<p>The RPM system satisfies two types of security concerns:</p>
<ol class="arabic simple">
<li>Is this package <em>authentic</em>? How do I know it came from Red Hat?</li>
<li>Has this package retained <em>integrity</em>? How do I know it hasn't been modified?</li>
</ol>
<p>Authenticity and integrity of packages can be confirmed prior to installation with GPG signing and MD5 checksums of the RPM packages.</p>
<p>Integrity of files can be confirmed after installation with verification of installed files against the recorded metadata in the package.</p>
</div>
<div class="section" id="validate-package-signatures">
<h2>Validate Package Signatures</h2>
<ol class="arabic">
<li><p class="first">Import the Red Hat GPG public key (It can be found on the installation CD or in the /etc/pki/rpm-gpg/ directory):</p>
<blockquote>
<pre class="literal-block">
# rpm --import /media/disk/RPM-GPG-KEY-redhat-release
</pre>
<p>or:</p>
<pre class="literal-block">
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
</pre>
</blockquote>
</li>
<li><p class="first">Check the signature of the package in question:</p>
<pre class="literal-block">
# rpm --checksig /path/to/package-ver-rel.arch.rpm
</pre>
</li>
</ol>
</div>
<div class="section" id="rpm-checksig-sample-output">
<h2>RPM Checksig Sample Output</h2>
<pre class="literal-block">
$ rpm --checksig ftp://linuxlib.us.dell.com/pub/Distros/RedHat/RHEL5/5.3/Server/x86_64/
install-x86_64/Server/ImageMagick-6.2.8.0-4.el5_1.1.i386.rpm
ftp://linuxlib.us.dell.com/pub/Distros/RedHat/RHEL5/5.3/Server/x86_64/install-x86_64/Server
/ImageMagick-6.2.8.0-4.el5_1.1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
</pre>
</div>
<div class="section" id="verify-installed-files">
<h2>Verify Installed Files</h2>
<p><tt class="docutils literal"><span class="pre">rpm</span> <span class="pre">-V</span></tt> (or <tt class="docutils literal"><span class="pre">--verify</span></tt>) will compare existing files on the system to their pristine state in the packages they came from.</p>
<p>There are 8 points of comparison as shown in the following table, in the Michael Jang book and in the rpm man page:</p>
</div>
<div class="section" id="change-codes-from-rpm-verify">
<h2>Change Codes from rpm --verify</h2>
<table border="1" class="docutils">
<colgroup>
<col width="36%" />
<col width="64%" />
</colgroup>
<thead valign="bottom">
<tr><th class="head">Change Code</th>
<th class="head">Meaning</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>5</td>
<td>MD5 checksum</td>
</tr>
<tr><td>S</td>
<td>File size</td>
</tr>
<tr><td>L</td>
<td>Symbolic Link</td>
</tr>
<tr><td>T</td>
<td>Modification time</td>
</tr>
<tr><td>D</td>
<td>Device</td>
</tr>
<tr><td>U</td>
<td>User</td>
</tr>
<tr><td>G</td>
<td>Group</td>
</tr>
<tr><td>M</td>
<td>Mode</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="rpm-verify-sample-output">
<h2>RPM Verify Sample Output</h2>
<pre class="literal-block">
# rpm -Va
...
S.5....T c /etc/ntp.conf
..?..... c /etc/ntp/keys
S.5....T /usr/bin/aspell
.......T /usr/share/ImageMagick-6.2.8/config/magic.xml
.......T d /usr/share/doc/ImageMagick-6.2.8/images/arc.png
.......T d /usr/share/doc/ImageMagick-6.2.8/images/background.jpg
...
</pre>
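<p>To show how the change codes translate into triage, the following added example (not part of the original notes) ranks <tt class="docutils literal">rpm -Va</tt> lines by how much attention they deserve. The severity labels, the function names and the three constructed lines with hypothetical paths are assumptions of this sketch.</p>

```shell
#!/bin/sh
# Added example (not from the original notes): rank `rpm -Va` lines by urgency.

# The six result lines from the sample output above.
page_sample() {
cat <<'EOF'
S.5....T  c /etc/ntp.conf
..?.....  c /etc/ntp/keys
S.5....T    /usr/bin/aspell
.......T    /usr/share/ImageMagick-6.2.8/config/magic.xml
.......T  d /usr/share/doc/ImageMagick-6.2.8/images/arc.png
.......T  d /usr/share/doc/ImageMagick-6.2.8/images/background.jpg
EOF
}

# Constructed lines (hypothetical paths, not from the page) for cases the
# sample lacks: a mode change, an owner change, and a missing file.
constructed_sample() {
cat <<'EOF'
.M......    /usr/bin/example-tool
.....U..  c /etc/example.conf
missing     /usr/sbin/example-daemon
EOF
}

# Reads rpm -V / -Va output on stdin, writes "SEVERITY<TAB>FLAGS<TAB>PATH".
triage_rpm_verify() {
  awk '
    NF == 0 || $1 == "..." { next }        # blank lines and elision markers
    index($0, "/") == 0    { next }        # anything that carries no path
    {
      flags = $1
      path  = substr($0, index($0, "/"))   # keeps paths that contain spaces
      # Optional one-letter marker between flags and path: c=config, d=doc.
      kind  = ($2 ~ /^[a-z]$/) ? $2 : "-"

      if (flags == "missing")          { sev = (kind == "d") ? "INFO" : "HIGH" }
      else if (flags ~ /[MUG]/)        { sev = "HIGH" }        # mode, user or group differs
      else if (index(flags, "5") && kind != "c" && kind != "d")
                                       { sev = "HIGH" }        # program or library content differs
      else if (index(flags, "?"))      { sev = "UNVERIFIED" }  # rpm could not perform a test
      else if (flags ~ /[LD]/)         { sev = "REVIEW" }      # symlink target or device differs
      else if (index(flags, "5"))      { sev = "REVIEW" }      # edited config or doc file
      else                             { sev = "INFO" }        # only size or mtime differs
      printf "%s\t%s\t%s\n", sev, flags, path
    }
  '
}

# Severity recorded for one path, given triage output on stdin.
severity_of() {
  awk -F '\t' -v p="$1" '$3 == p { print $1 }'
}

{ page_sample; constructed_sample; } | triage_rpm_verify | sort
```

<p>On a live system, feed it real data with <tt class="docutils literal">rpm -Va | triage_rpm_verify</tt>, run as root so that unreadable files do not show up as UNVERIFIED.</p>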
</div>
<div class="section" id="identifying-installed-packages">
<h2>Identifying Installed Packages</h2>
<p>View a list of the packages originally installed on the system:</p>
<pre class="literal-block">
# less /root/install.log
</pre>
<p>View a list of the packages installed through yum:</p>
<pre class="literal-block">
# less /var/log/yum.log
</pre>
<p>Query the RPM database for the packages installed right now:</p>
<pre class="literal-block">
# rpm -qa
</pre>
</div>
<div class="section" id="managing-software-building-rpms">
<h2>Managing Software: Building RPMs</h2>
<p>As of this writing, Red Hat provides little documentation on their own site about RPM creation. Instead, they provide pointers to the following resources:</p>
<ul>
<li><p class="first"><a class="reference external" href="http://www.rpm.org/">The RPM.org site</a></p>
</li>
<li><p class="first"><a class="reference external" href="http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/">The Fedora RPM Guide</a></p>
</li>
</ul>
<p>The RPM.org site, in turn, links to a PDF available from Gurulabs:</p>
<ul>
<li><p class="first"><a class="reference external" href="http://www.gurulabs.com/downloads/GURULABS-RPM-LAB/GURULABS-RPM-GUIDE-v1.0.PDF">GuruLabs RPM Guide</a></p>
</li>
</ul>
</div>
<div class="section" id="inside-an-rpm-package">
<h2>Inside an RPM package</h2>
<ul class="simple">
<li>files</li>
<li>scripts</li>
<li>metadata</li>
</ul>
<p>The package is defined by a &quot;build specification file&quot; or <em>spec file</em>.</p>
<p>A good example of a spec file can be obtained from the source rpm for redhat-release.</p>
<p><a class="reference external" href="ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/redhat-release-server-6Server-6.0.0.37.el6.src.rpm">ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/redhat-release-server-6Server-6.0.0.37.el6.src.rpm</a></p>
<div class="tip">
<p class="first admonition-title">Tip</p>
<p class="last">Open .spec files in vim for color highlighting</p>
</div>
</div>
<div class="section" id="main-contents-of-a-spec-file">
<h2>Main contents of a .spec file</h2>
<ul class="simple">
<li>Introduction or preamble: Contains metadata about the package</li>
<li>Build instructions on how to compile the source code or otherwise prepare the package payload.</li>
<li>Scriptlets that perform the installation, uninstallation, or upgrade.</li>
<li>Manifest of files to be installed, along with their permissions.</li>
<li>Changelog recording the changes made to the package with each revision.</li>
</ul>
</div>
<div class="section" id="format-of-the-spec-file">
<h2>Format of the .spec file</h2>
<dl class="docutils">
<dt>Preamble (aka &quot;Header&quot;)</dt>
<dd>Optional macro definitions and directives that define the package</dd>
<dt>Stanzas</dt>
<dd>Sections that perform specific functions, identified by tokens like <tt class="docutils literal"><span class="pre">%prep</span></tt> and <tt class="docutils literal"><span class="pre">%build</span></tt>.</dd>
</dl>
</div>
<div class="section" id="preamble-directives">
<h2>Preamble directives</h2>
<dl class="docutils">
<dt>Name</dt>
<dd>Name of the package. Should not include whitespace.</dd>
<dt>Version</dt>
<dd>Version identifier. Should not include dashes.</dd>
<dt>Release</dt>
<dd>Indicates incremental changes within a version.</dd>
<dt>Group</dt>
<dd>The package group that should include this package. This can come from the list at <tt class="docutils literal"><span class="pre">/usr/share/doc/rpm-*/GROUPS</span></tt> or can be unique to you. Not related to yum package groups.</dd>
<dt>License</dt>
<dd>Short License Identifier as described at <a class="reference external" href="http://fedoraproject.org/wiki/Packaging/LicensingGuidelines">http://fedoraproject.org/wiki/Packaging/LicensingGuidelines</a></dd>
<dt>Summary</dt>
<dd>Short (&lt;=50 chars) one-line description.</dd>
<dt>Source</dt>
<dd>The file to be used as the source code. Additional sources can be specified as Source0, Source1, etc.</dd>
<dt>BuildArch</dt>
<dd>Arch to use when building. Defaults to the existing system arch. May also be &quot;noarch&quot; for arch-independent packages.</dd>
<dt>Requires</dt>
<dd>Requirements that this package needs to run. Can be in the form of files or other packages.</dd>
<dt>BuildRequires</dt>
<dd>Requirements needed to build this package.</dd>
</dl>
</div>
<div class="section" id="required-spec-file-sections">
<h2>Required Spec file sections</h2>
<dl class="docutils">
<dt>%description</dt>
<dd>Longer description. Lines starting flush-left will be automatically wrapped when displayed. Lines starting with leading whitespace are treated as pre-formatted text and not wrapped. Blank Lines separate paragraphs.</dd>
<dt>%prep</dt>
<dd>Prepares the environment for the build. May need no more than the macro: <tt class="docutils literal"><span class="pre">%setup</span> <span class="pre">-q</span></tt>.</dd>
<dt>%build</dt>
<dd>Builds the binaries from source. This section must include the commands that would be used to manually build the software.</dd>
<dt>%install</dt>
<dd>&quot;Installs&quot; the compiled application -- but into the build environment instead of on your working filesystem.</dd>
<dt>%clean</dt>
<dd>Removes the contents of the build environment.</dd>
<dt>%files</dt>
<dd>Lists, and sets attributes for, all the files and directories to be placed on the target system by your finished RPM.</dd>
<dt>%changelog</dt>
<dd>Time-stamps and describes the changes in each revision of the RPM.</dd>
</dl>
</div>
<div class="section" id="package-building-tools">
<h2>Package Building Tools</h2>
<p>These packages will provide tools for setting up a build environment and the ability to create your own packages.</p>
<ul class="simple">
<li>rpm-build</li>
<li>rpmdevtools</li>
<li>rpmlint</li>
</ul>
</div>
<div class="section" id="setting-up-a-build-environment">
<h2>Setting up a Build Environment</h2>
<p>As a non-privileged user, run:</p>
<pre class="literal-block">
$ rpmdev-setuptree
</pre>
<p>This should create the following directory structure in your home directory:</p>
<pre class="literal-block">
~/rpmbuild
|-- BUILD
|-- RPMS
|-- SOURCES
|-- SPECS
\-- SRPMS
</pre>
<p>In that structure, your source files (in a tarball) should be placed in ~/rpmbuild/SOURCES/ and your .spec file in ~/rpmbuild/SPECS/. The ~/rpmbuild/BUILD/ directory will be a temporary working directory for the build process. After the rpmbuild process is complete, the finished binary and source RPMs will be placed in ~/rpmbuild/RPMS/ and ~/rpmbuild/SRPMS/, respectively.</p>
</div>
<div class="section" id="viewing-the-build-environment">
<h2>Viewing the Build Environment</h2>
<p>When diagnosing build problems, it is sometimes useful to see what files are actually being created in the build environment in order to identify deviations of actual behavior from expected behavior. The tree utility is useful for that.</p>
<p>Install tree with <tt class="docutils literal"><span class="pre">#</span> <span class="pre">yum</span> <span class="pre">install</span> <span class="pre">tree</span></tt>.</p>
<p>Invoke tree with <tt class="docutils literal"><span class="pre">$</span> <span class="pre">tree</span> <span class="pre">~/rpmbuild</span></tt> to show the contents of the build environment.</p>
</div>
<div class="section" id="building-the-rpm">
<h2>Building the RPM</h2>
<p>With the source files in place and a properly configured <tt class="docutils literal"><span class="pre">.spec</span></tt> file written, the <tt class="docutils literal"><span class="pre">rpmbuild</span></tt> command can be used to build the rpm either at once, or (for troubleshooting) in stages.</p>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">$</span> <span class="pre">rpmbuild</span> <span class="pre">-bp</span> <span class="pre">&lt;spec</span> <span class="pre">file&gt;</span></tt></dt>
<dd>Builds through the <tt class="docutils literal"><span class="pre">%prep</span></tt> section -- unpacks sources and applies patches.</dd>
<dt><tt class="docutils literal"><span class="pre">$</span> <span class="pre">rpmbuild</span> <span class="pre">-bc</span> <span class="pre">&lt;spec</span> <span class="pre">file&gt;</span></tt></dt>
<dd>Builds through compile -- processes the <tt class="docutils literal"><span class="pre">%prep</span></tt> and <tt class="docutils literal"><span class="pre">%build</span></tt> sections.</dd>
<dt><tt class="docutils literal"><span class="pre">$</span> <span class="pre">rpmbuild</span> <span class="pre">-bi</span> <span class="pre">&lt;spec</span> <span class="pre">file&gt;</span></tt></dt>
<dd>Builds through <tt class="docutils literal"><span class="pre">%install</span></tt> -- processes <tt class="docutils literal"><span class="pre">%prep</span></tt>, <tt class="docutils literal"><span class="pre">%build</span></tt>, and <tt class="docutils literal"><span class="pre">%install</span></tt>.</dd>
<dt><tt class="docutils literal"><span class="pre">$</span> <span class="pre">rpmbuild</span> <span class="pre">-bb</span> <span class="pre">&lt;spec</span> <span class="pre">file&gt;</span></tt></dt>
<dd>Builds only the binary rpm file.</dd>
<dt><tt class="docutils literal"><span class="pre">$</span> <span class="pre">rpmbuild</span> <span class="pre">-bs</span> <span class="pre">&lt;spec</span> <span class="pre">file&gt;</span></tt></dt>
<dd>Builds only the source rpm file.</dd>
<dt><tt class="docutils literal"><span class="pre">$</span> <span class="pre">rpmbuild</span> <span class="pre">-ba</span> <span class="pre">&lt;spec</span> <span class="pre">file&gt;</span></tt></dt>
<dd>Builds both the binary and source rpm files.</dd>
</dl>
<p>Use <tt class="docutils literal"><span class="pre">rpmbuild</span> <span class="pre">--help</span></tt> or <tt class="docutils literal"><span class="pre">man</span> <span class="pre">rpmbuild</span></tt> for other options.</p>
</div>
<div class="section" id="exercise-building-a-custom-rpm">
<h2>Exercise: Building a Custom RPM</h2>
<p>As root, install rpm-build, rpmlint, rpmdevtools:</p>
<pre class="literal-block">
# yum -y install rpm-build rpmdevtools rpmlint
</pre>
<p>As a non-privileged user, create a project directory, named according to the convention: &lt;projname&gt;-&lt;majorver&gt;.&lt;minorver&gt;:</p>
<pre class="literal-block">
$ mkdir ~/hello-1.0
</pre>
<p>Create bash script: ~/hello-1.0/hello.sh</p>
<pre class="literal-block">
#!/bin/bash
# hello.sh
echo 'hello'
exit 0
</pre>
<p>Create a tarball of the project directory:</p>
<pre class="literal-block">
$ tar cvzf hello-1.0.tar.gz hello-1.0/
</pre>
<p>Create an rpm development environment:</p>
<pre class="literal-block">
$ rpmdev-setuptree
</pre>
<p>Move the tarball to the SOURCES directory:</p>
<pre class="literal-block">
$ mv hello-1.0.tar.gz rpmbuild/SOURCES/
</pre>
<p>Create a .spec file in the SPECS directory:</p>
<pre class="literal-block">
$ vim rpmbuild/SPECS/hello-1.0.spec
</pre>
<p>or:</p>
<pre class="literal-block">
$ rpmdev-newspec -o rpmbuild/SPECS/hello-1.0.spec
</pre>
<p>Insert a name (Match the pkgname on the tarball and directory):</p>
<pre class="literal-block">
Name: hello
</pre>
<p>Insert a version (Match the version):</p>
<pre class="literal-block">
Version: 1.0
</pre>
<p>Leave the release alone</p>
<p>Insert a summary (one line):</p>
<pre class="literal-block">
Summary: Simple Hello script created as a test package
</pre>
<p>Insert a group (package group):</p>
<pre class="literal-block">
Group: Applications/Text
</pre>
<p>Insert a license:</p>
<pre class="literal-block">
License: Public Domain
</pre>
<p>Insert a URL or delete the line:</p>
<pre class="literal-block">
URL: http://www.example.com/hello-1.0/
</pre>
<p>Insert on the Source0 line, the name of your tarball:</p>
<pre class="literal-block">
Source0: hello-1.0.tar.gz
</pre>
<p>Leave the BuildRoot line alone</p>
<p>Unless your package has prerequisites needed before it can be compiled, delete the BuildRequires line</p>
<p>Unless your package has prerequisites needed before it can work, delete the Requires line</p>
<p>On a blank line below %description, insert a brief description of your package</p>
<p>Leave the %prep and %setup lines alone</p>
<p>If your package does not need to be &quot;built&quot; (compiled), delete the %build, %configure, and make lines.</p>
<p>Leave the %install section header alone.</p>
<p>Under the %install section, leave the rm line alone.</p>
<p>If your package does not need to be built, modify the make install line to something like this:</p>
<pre class="literal-block">
install -D hello.sh $RPM_BUILD_ROOT/usr/local/bin/hello.sh
</pre>
<p>Leave the %clean and the rm -rf lines alone.</p>
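<p>Under %files, use the following syntax to list each of the files your package will place on the target system. Mode 755 leaves the root-owned script executable by everyone but writable only by root; a world-writable mode such as 777 would let any local user replace a script that other users run:</p>
<pre class="literal-block">
%attr(755,root,root) /usr/local/bin/hello.sh
</pre>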
<p>Use the following syntax to list each of the directories your package will place on the target system:</p>
<pre class="literal-block">
%dir /usr/local/bin
</pre>
<p>The changelog section can be deleted or left alone.</p>
<p>Save and exit the .spec file and then test your build with:</p>
<pre class="literal-block">
$ rpmbuild -ba rpmbuild/SPECS/hello-1.0.spec
</pre>
<p>If it fails, troubleshoot using the various partial invocations of rpmbuild (described on a previous page) and using the tree command to see what is actually being placed on your system.</p>
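<p>The exercise assembled into one script, as an added example rather than code from the original notes: it writes the tarball and a complete spec file into a build tree and installs the script with mode 0755. The function names, the <tt class="docutils literal">HELLO_TOPDIR</tt> variable and the <tt class="docutils literal">world_writable_attrs</tt> helper are hypothetical; the Release and BuildRoot lines follow the usual template values and are assumptions here.</p>

```shell
#!/bin/sh
# Added example (not from the original notes): the hello-1.0 exercise, assembled.
# Function names and HELLO_TOPDIR are assumptions of this sketch.

# Write <topdir>/SOURCES/hello-1.0.tar.gz and <topdir>/SPECS/hello-1.0.spec.
make_hello_project() {
  top=$1
  work=$(mktemp -d) || return 1
  mkdir -p "$top/SOURCES" "$top/SPECS" "$work/hello-1.0" || return 1

  cat > "$work/hello-1.0/hello.sh" <<'SCRIPT'
#!/bin/bash
# hello.sh
echo 'hello'
exit 0
SCRIPT

  # -C keeps archive paths relative (hello-1.0/hello.sh), as %setup -q expects.
  tar -C "$work" -czf "$top/SOURCES/hello-1.0.tar.gz" hello-1.0 || return 1
  rm -rf "$work"

  cat > "$top/SPECS/hello-1.0.spec" <<'SPEC'
Name:           hello
Version:        1.0
Release:        1%{?dist}
Summary:        Simple Hello script created as a test package
Group:          Applications/Text
License:        Public Domain
URL:            http://www.example.com/hello-1.0/
Source0:        hello-1.0.tar.gz
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch:      noarch

%description
Simple hello script packaged as an exercise.

%prep
%setup -q

%install
rm -rf $RPM_BUILD_ROOT
install -D -m 0755 hello.sh $RPM_BUILD_ROOT/usr/local/bin/hello.sh

%clean
rm -rf $RPM_BUILD_ROOT

%files
%attr(0755,root,root) /usr/local/bin/hello.sh
SPEC
}

# Print %attr entries whose mode lets "other" write (last octal digit 2, 3, 6 or 7).
world_writable_attrs() {
  sed -n 's/^%attr(\([0-7]*\),.*$/\1 &/p' "$1" |
  while read -r mode entry; do
    case $mode in
      *[2367]) printf '%s\n' "$entry" ;;
    esac
  done
}

# Build binary and source RPMs inside <topdir> instead of ~/rpmbuild.
build_hello_rpm() {
  rpmbuild --define "_topdir $1" -ba "$1/SPECS/hello-1.0.spec"
}

top=${HELLO_TOPDIR:-$(mktemp -d)}
make_hello_project "$top" && echo "sources and spec written under $top"
bad=$(world_writable_attrs "$top/SPECS/hello-1.0.spec")
[ -z "$bad" ] || echo "world-writable entries: $bad" >&2
if command -v rpmbuild >/dev/null 2>&1; then
  build_hello_rpm "$top" || echo "build failed; retry in stages with -bp and -bi" >&2
fi
```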
<!-- + Build a simple RPM that packages a single file -->
</div>
<div class="section" id="signing-your-rpms">
<h2>Signing Your RPMs</h2>
<p>Your RPMs can be digitally signed to protect users from forged packages (any RPM package can execute scripts with root privileges when installed!). To implement this, first generate and identify a GPG key:</p>
<pre class="literal-block">
$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
&lt;n&gt; = key expires in n days
&lt;n&gt;w = key expires in n weeks
&lt;n&gt;m = key expires in n months
&lt;n&gt;y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Scott Purcell
Email address: scott&#64;texastwister.info
Comment:
You selected this USER-ID:
&quot;Scott Purcell &lt;scott&#64;texastwister.info&gt;&quot;
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key B9AED1DE marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/B9AED1DE 2011-02-22
Key fingerprint = 9987 B276 A24A 1210 13A7 4D05 9F3F 8934 B9AE D1DE
uid Scott Purcell &lt;scott&#64;texastwister.info&gt;
sub 2048R/0DA4CCE9 2011-02-22
[scott&#64;Client1 rhel6]$
</pre>
<p>The key ID can be seen in the output above, or can be found with <tt class="docutils literal"><span class="pre">gpg</span> <span class="pre">--fingerprint</span></tt>.</p>
<p>Export the key to a file:</p>
<pre class="literal-block">
$ gpg --armor --output ~/RPM-GPG-KEY-ScottPurcell --export B9AED1DE
</pre>
<pre class="literal-block">
[scott&#64;Client1 ~]$ cat RPM-GPG-KEY-ScottPurcell
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)

mQENBE1jVagBCADVDTOvRl3Z5xPZb6AAl2D3bM/H4kEhyJ+yk1pbVPmu8yu0Cbsl
. . .
R+J9rjvN8rNpQwm40Gx6RpM7qtP/LodzD46dNfbr87lJ4F+4A3U=
=f4Gq
-----END PGP PUBLIC KEY BLOCK-----
</pre>
<p>Configure rpm-related tools to use your signature:</p>
<pre class="literal-block">
$ echo '%_gpg_name Scott Purcell' &gt;&gt; ~/.rpmmacros
</pre>
<p>or:</p>
<pre class="literal-block">
$ echo '%_gpg_name B9AED1DE' &gt;&gt; ~/.rpmmacros
</pre>
<p>Now packages can be created and signed at the same time with rpmbuild using the --sign option. Or existing packages can be retroactively signed with rpm using the --addsign or --resign options.</p>
<p>With a signed package in place, the user intending to install it now needs to import the key:</p>
<pre class="literal-block">
# rpm --import /home/scott/RPM-GPG-KEY-ScottPurcell
</pre>
<p>And with the key imported, the package can be verified:</p>
<pre class="literal-block">
$ rpm -K rpmbuild/RPMS/x86_64/rhel6rhce-0.5-1.el6.x86_64.rpm
rpmbuild/RPMS/x86_64/rhel6rhce-0.5-1.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
</pre>
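<p>The result lines from <tt class="docutils literal">rpm --checksig</tt> and <tt class="docutils literal">rpm -K</tt> shown in these notes both end in OK, but so does the line for a package that carries digests and no signature at all. The following added example (not from the original notes) tells those cases apart, assuming the legacy output format shown here; the function and verdict names are hypothetical, and the last two sample lines, including the key ID, are constructed.</p>

```shell
#!/bin/sh
# Added example (not from the original notes): read `rpm -K` / `rpm --checksig`
# result lines in the legacy format shown in these notes.

# Prints SIGNED-OK, DIGEST-ONLY, FAIL or UNPARSED for one result line.
checksig_verdict() {
  result=${1#*: }                       # drop the leading "<package>: "
  case $result in
    *"NOT OK"*) echo FAIL; return 0 ;;  # bad digest, bad signature or missing key
    *OK)        ;;                      # keep going: what exactly was OK?
    *)          echo UNPARSED; return 0 ;;
  esac
  verdict=DIGEST-ONLY                   # digests matched, nothing was signed
  for tok in $result; do
    tok=$(printf '%s' "$tok" | tr -d '()')    # parentheses are not interpreted here
    case $tok in
      rsa|dsa|gpg|pgp) verdict=SIGNED-OK ;;   # a signature was checked and passed
    esac
  done
  echo "$verdict"
}

# Gate for install scripts: succeed only when a signature was verified.
require_signed() {
  [ "$(checksig_verdict "$1")" = SIGNED-OK ]
}

# Reads result lines on stdin, writes "VERDICT<TAB>PACKAGE".
audit_checksig() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\t%s\n' "$(checksig_verdict "$line")" "${line%%: *}"
  done
}

# Lines 1-2 are the results shown in these notes. Lines 3-4 are constructed
# (hypothetical package names, placeholder key ID): an unsigned package and a
# package signed with a key that has not been imported.
sample_lines() {
cat <<'EOF'
ftp://linuxlib.us.dell.com/pub/Distros/RedHat/RHEL5/5.3/Server/x86_64/install-x86_64/Server/ImageMagick-6.2.8.0-4.el5_1.1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
rpmbuild/RPMS/x86_64/rhel6rhce-0.5-1.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
unsigned-example-1.0-1.noarch.rpm: sha1 md5 OK
thirdparty-example-1.0-1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
EOF
}

sample_lines | audit_checksig
```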
</div>
<div class="section" id="create-a-repo-with-your-files">
<h2>Create a Repo with your files</h2>
<p>(Assumes httpd is already installed.)</p>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">yum</span> <span class="pre">-y</span> <span class="pre">install</span> <span class="pre">createrepo</span></tt></p>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">mkdir</span> <span class="pre">-p</span> <span class="pre">/var/www/html/repo/Packages</span></tt></p>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">cp</span> <span class="pre">MyPackage.rpm</span> <span class="pre">/var/www/html/repo/Packages</span></tt></p>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">createrepo</span> <span class="pre">-v</span> <span class="pre">/var/www/html/repo</span></tt></p>
<p><tt class="docutils literal"><span class="pre">#</span> <span class="pre">cp</span> <span class="pre">/home/me/RPM-GPG-KEY-me</span> <span class="pre">/var/www/html/repo</span></tt></p>
</div>
<div class="section" id="rpm-packaging-other-documentation">
<h2>RPM Packaging, Other Documentation:</h2>
<p>Red Hat Enterprise Linux Deployment Guide, section on &quot;Querying RPM&quot;</p>
<p>Man Pages:</p>
<blockquote>
<ul class="simple">
<li>rpm (8)</li>
<li>rpm2cpio (8)</li>
<li>cpio (1)</li>
</ul>
</blockquote>
</div>
<div class="section" id="manage-processes-and-services">
<h2>Manage Processes and Services</h2>
<dl class="docutils">
<dt>Start a service:</dt>
<dd><ul class="first last simple">
<li><tt class="docutils literal"><span class="pre">service</span> <span class="pre">&lt;servicename&gt;</span> <span class="pre">start</span></tt></li>
<li><tt class="docutils literal"><span class="pre">/etc/init.d/&lt;servicescript&gt;</span> <span class="pre">start</span></tt></li>
</ul>
</dd>
<dt>Stop a service:</dt>
<dd><ul class="first last simple">
<li><tt class="docutils literal"><span class="pre">service</span> <span class="pre">&lt;servicename&gt;</span> <span class="pre">stop</span></tt></li>
<li><tt class="docutils literal"><span class="pre">/etc/init.d/&lt;servicescript&gt;</span> <span class="pre">stop</span></tt></li>
</ul>
</dd>
<dt>Check status of a service:</dt>
<dd><ul class="first last simple">
<li><tt class="docutils literal"><span class="pre">service</span> <span class="pre">&lt;servicename&gt;</span> <span class="pre">status</span></tt></li>
<li><tt class="docutils literal"><span class="pre">/etc/init.d/&lt;servicescript&gt;</span> <span class="pre">status</span></tt></li>
</ul>
</dd>
<dt>Reload a service's config:</dt>
<dd><ul class="first last simple">
<li><tt class="docutils literal"><span class="pre">service</span> <span class="pre">&lt;servicename&gt;</span> <span class="pre">reload</span></tt></li>
<li><tt class="docutils literal"><span class="pre">/etc/init.d/&lt;servicescript&gt;</span> <span class="pre">reload</span></tt></li>
</ul>
</dd>
</dl>
</div>
<div class="section" id="persistent-configuration-of-services">
<h2>Persistent Configuration of Services</h2>
<dl class="docutils">
<dt>Configure a service to start at boot:</dt>
<dd><ul class="first last simple">
<li><tt class="docutils literal"><span class="pre">chkconfig</span> <span class="pre">&lt;servicename&gt;</span> <span class="pre">on</span></tt></li>
<li><tt class="docutils literal"><span class="pre">system-config-services</span></tt></li>
<li><tt class="docutils literal"><span class="pre">ntsysv</span></tt></li>
</ul>
</dd>
</dl>
</div>
<div class="section" id="manage-processes-and-services-configure-systems-to-boot-into-a-specific-runlevel-automatically">
<h2>Manage Processes and Services: Configure systems to boot into a specific runlevel automatically</h2>
<p><tt class="docutils literal"><span class="pre">/etc/inittab</span></tt></p>
</div>
<div class="section" id="monitoring-processes">
<h2>Monitoring Processes</h2>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">ps</span></tt></dt>
<dd>Highly configurable command to list running processes</dd>
<dt><tt class="docutils literal"><span class="pre">top</span></tt></dt>
<dd>Command to provide realtime reports of the most active running processes</dd>
</dl>
</div>
<div class="section" id="killing-processes">
<h2>Killing Processes</h2>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">kill</span></tt></dt>
<dd>Kills a process by PID. Optionally sends &quot;signals&quot; other than &quot;kill&quot;.</dd>
<dt><tt class="docutils literal"><span class="pre">killall</span></tt></dt>
<dd>Kills a process by name. Use care not to match names you don't intend to kill.</dd>
<dt><tt class="docutils literal"><span class="pre">pkill</span></tt></dt>
<dd>Also kills processes by name. Use care not to match names you don't intend to kill.</dd>
<dt><tt class="docutils literal"><span class="pre">pgrep</span></tt></dt>
<dd>Searches processes by name. Useful for verifying which processes would be killed by pkill.</dd>
</dl>
</div>
<div class="section" id="prioritizing-processes">
<h2>Prioritizing Processes</h2>
<p>The kernel calculates the priority of each process through a variety of factors. One input into that calculation is a user-modifiable value called &quot;niceness&quot;.</p>
<ul class="simple">
<li>A process with higher niceness has lower priority and is thus more willing to share resources with other processes.</li>
<li>niceness can range from -20 (highest priority) to 19 (lowest priority).</li>
</ul>
</div>
<div class="section" id="nice-and-renice-commands">
<h2><tt class="docutils literal"><span class="pre">nice</span></tt> and <tt class="docutils literal"><span class="pre">renice</span></tt> commands</h2>
<dl class="docutils">
<dt><tt class="docutils literal"><span class="pre">nice</span></tt></dt>
<dd><p class="first">Launches commands with a specified &quot;niceness&quot; value affecting process priority.</p>
<ul class="last simple">
<li>Default niceness is &quot;0&quot;.</li>
<li>Root can set any value.</li>
<li>Non-privileged users can only use positive values.</li>
</ul>
</dd>
<dt><tt class="docutils literal"><span class="pre">renice</span></tt></dt>
<dd><p class="first">Modifies the niceness of an already-running process.</p>
<ul class="last simple">
<li>Root can modify the niceness of any process in either direction.</li>
<li>Non-privileged users can only modify their own processes, and only by increasing niceness (lowering priority).</li>
</ul>
</dd>
</dl>
<!-- Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes -->
</div>
<div class="section" id="manage-system-performance">
<h2>Manage system performance</h2>
<ul class="simple">
<li>Use /proc/sys and sysctl to modify and set kernel run-time parameters</li>
<li>Produce and deliver reports on system utilization (processor, memory, disk, and network)</li>
<li>Use iostat and vmstat to report on system performance</li>
<li>Use shell scripting to automate system maintenance tasks</li>
</ul>
<div class="section" id="proc-sys">
<h3>/proc/sys</h3>
<p>/proc is a virtual filesystem containing &quot;virtual&quot; files and directories that serve as an interface to the data being held in RAM by the kernel.</p>
<p>Many of these files deal with running processes. Others deal with hardware information. But the /proc/sys directory tree contains files defining system performance and can be used for performance tuning.</p>
<p>These performance parameters can be directly read with <tt class="docutils literal"><span class="pre">cat</span></tt>:</p>
<pre class="literal-block">
# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0
</pre>
<p>Or modified directly with <tt class="docutils literal"><span class="pre">echo</span></tt>:</p>
<pre class="literal-block">
# echo 1 &gt;/proc/sys/net/ipv4/icmp_echo_ignore_all
# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
1
</pre>
</div>
<div class="section" id="sysctl">
<h3>sysctl</h3>
<p>The <tt class="docutils literal"><span class="pre">sysctl</span></tt> command is an easier and safer way to work with these parameters.</p>
<p>To view all of the tunable parameters:</p>
<pre class="literal-block">
# sysctl -A
kernel.sched_child_runs_first = 0
kernel.sched_min_granularity_ns = 1000000
kernel.sched_latency_ns = 5000000
...
</pre>
<p>To search for a tunable parameter related to a keyword:</p>
<pre class="literal-block">
# sysctl -A | grep icmp
...
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
...
</pre>
<p>The <a class