Study notes for the exam.
- Managing physical storage
- Install and configure software components and services
- Establish network connections
- Monitor and manage running processes
- Manage and secure files and file systems
- Administer users and groups
- Review the system log files and journal for issues
- Remotely manage systems with SSH and the Web Console
- Install Red Hat Enterprise Linux using scalable methods
- Access security files, file systems, and networks
- Execute shell scripting and automation techniques
- Manage storage devices, logical volumes, and file systems
- Manage security and system access
- Control the boot process and system services
- Sander van Vugt RHCSA 9 course
- RHCSA 9 Textbook Both can be found on the O'Reilly learning platform.
- Red Hat System Administration I (RH124)
- Red Hat System Administration II (RH134)
Create file by using the command "vim "
When in Vim use "i" to get to INSERT mode and begin typing.
o = new line
ctrl + c = command mode
v = visual mode
dd = delete current line
gg = top of the document
^ = start of the line
:wq = save and exit
Files on a Linux system are organized into a single file-system hierarchy
mkdir (make directory), rmdir (remove directory), cp (copy), and mv (move) are commands to manage files.
Hard links
Soft links
- Source File: ~/.bashrc
- Password Config: /etc/login.defs/user
- Sudo Config: /etc/sudoers.d/user
- Password info: /etc/passwd
- Group info: /etc/group
- SSH Config & Password Auth: /etc/ssh/sshd_config
- To change a user's password on log in: chage -d 0 user
- Change expiration date for password: chage -M 30 user
- Check user password expiration: chage -l user
- Add user: useradd
- Modify user: usermod
- Add group: groupadd
- Modify group: groupmod
- Change permission: chmod
- Change ownership: chown
- Read # Write # Execute
- Owning User # Owning Group # Other
---------------------------------------------------------------------------
Schedule jobs to run on a repeating schedule with a user's crontab file.
"man at" shows how to execute schedule jobs. These are one time jobs. For example: "at now +3min" runs a job 3 min from now.
"atq" lists scheduled jobs. "atrm" removes the job.
Recurring Jobs: The crond daemon reads multiple config files. Each user has a personal file that they edit with "crontab -e". The fields in the crontab file are in the following order:
- Minutes
- Hours
- Day of Month
- Month
- Day of Week
- Command
Red Hat includes the systemd-tmpfiles tool - provides a method to manage temporary directories and files. The systemd-tmpfiles-setup service runs the systemd-tmpfiles command.
systemd-tmpfiles-clean service configuration files exist in three places: /etc/tmpfiles.d/*.conf /run/tmpfiles.d/*.conf /usr/lib/tmpfiles.d/*.conf
In the config file, specify what to do... echo "d/etc/
The rsyslog service is used to determine for handle log messages.
The logrotate command rotates log files to prevent them from taking too much space in the /var/log directory. When a log is rotated, it is renamed with an extension.
journalctl retrieves all log messages.
-r shows the most recent logs
-p shows the priority level
-b shows the current system boot
The system has its own journal located at system.journal. Indiviual users have their own journals pertaining to their own transacions inside of file called user-userid
Updating Time Zones: Use the command tzselect to view the appropriate time zone. Then use "timedatectl set-timezone" command to set the time zone.
----------------------------------------------------------------------------An archive is a file that contains multiple files. "tar" is the command to create manage and extract archives.
Command: dnf list - lists installed and available packages
Use dnf install -y software to install
----------------------------------------------------------------------------------command & starts a job in the background.
Jobs- to view all running jobs
A runnable process can be stopped with CTRL+z
The ps command shows current running processes
The "top" command shows the highest running processes
ps -fU user ... for a user's processes
Use "Kill" or "killall dd" to kill processes. To kill a ZOMBIE process
Process Priorities
- Nice and Renice can be used to change priorities of non-realtime processes
- Nice ranges from -20 to 19. Positive values means lower priority.
- Use " Cat /proc/sys/vm/swappiness" to see the value then use "echo _ _ /proc/sys/vm/swappiness" to change it. To make it persistent " cat >> swappiness.conf << EOF"
- loginctl list-user: shows users currently logged in. loginctl terminate-user: to stop a user session
Creating Logical volumes involves 4 steps :
- Convert physical devices into physical volumes: pvcreate
- Create the volume group and assign PVs to it: vgcreate (the name of the physical volume)(the location of the pv)
- Create the logical volume: lvcreate-n (the name of the lv) -L (the size of the lv)
- Make a file system on top of the logical volume: mkfs.ext4 /dev/(vg name)/(lv name)
Use lsblk to view the physical devices on the server
----------------------------------------------------------------------------
- systemctl edit unit.service : to edit unit files
- systemctl list-dependencies for a complete overview of dependencies
- Mask services : use Systemctl Stop (service) then systemctl mask (service)
- Example: systemctl Status httpd [disabled] ...systemctl enable httpd...
- Preserve the systemd journal: check settings in /etc/systemd/journal.conf. The setting "STORAGE=AUTO" ensures that persistent storage is happening automatically. Make directory /var/log/journal. Restart service: systemctl restart systemd-journald.
- Logrotate is started by a systemd timer to prevent disks from filling up. "systemctl cat logrotate.conf" to view the settings for logrotate.
- Make sure that the /var/log/journal exists
Security Enhanced Linux (SELinux) provides an additional layer of system security. It should always be enabled. There are two modes: permissive or enforcing. If permissive is enabled, no access is blocked. If enforcing is enabled, all restrictions are applied and SELinux is fully operational.
- getenforce shows the current SELinux state.
- setenforce toggles between enforcing and permissive and sets them temporarily.
- To change the default mode persistently, you need to write it to /etc/sysconfig/selinux, or change GRUB kernel boot arguments.
- File context labels are applied to every Object: user, rule, type
- semanage-fcontext : sets the file context label ( - a to set a new context label) ( -m to modify an existing context label )
- When files are copied, they inherit the context type
Context management means applying contexts to files.
Install curl.
Then edit the httpd conf file by adding "/web" to the DocumentRoot parameter. Be sure that the following is also added to the file:
Enable the httpd service and then restart. Curl http://localhost to confirm that SELinux has not been set to permissive and you'll see that this is not your webpage. Use "setenforce 0" and repeat the previous step.
Type semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" to apply to the directory "/web"
Type restorecon -R -v /web. The restorecon command restores the default SELinux contexts so that changes made by the "semange fcontext" command are persistent.
- SELinux Booleans change the behavior of a rule. To change a Boolean, you can use "setsebool". To list all Booleans - "getsebool -a" or "semanage boolean -l"
- To view logging, you need to access the audit log - "/var/log/audit/audit.log"... SELinux type is AVC so "grep AVC /var/log/audit/audit.log" will show the SELinux logs.
- To understand the logs further, you can use "sealert -l UUID" for more information.
Firewalld is a service that can configure firewall rules by using different interfaces. Administrators can manage rules but rules can also be added or removed without any direct action required of the system administrator.
A zone is a collection of rules applied to incoming packets matching a specific source address or network interface.
A Firewalld service - what should be accepted as incoming and outgoing traffic in the firewall. It typically includes ports to be opened, & kernel modules
firewall-cmd -- is the cmd line tool used for firewall configuration.
-------------------------------------------------------------The /etc/fstab file can be used to mount the NFS file system
Within the file, you have 6 columns:
- server+share directory
- directory where you mount NFS share
- file system type (nfs)
- specify mount options (defaults)
- 0
- 0
This example will show how to mount NFS server and NFS data automatically using autofs
- dnf install -y autofs
- cd /etc/
- vim auto.master (add /nfsdata /etc/auto.nfsdata at the top of the file)
- vim auto.misc
- vim auto.nfsdata (files -rw nfsserver:/nfsdata)
- systemctl enable --now autofs
- ls /
- cd /nfsdata
- ls -al
- cd files
- mount | tail -3 (this will show the automount that was created)
- showmount -e nfsserver: to check what is currently mounted
- vim /etc/auto.master (/homes /etc/auto.homes)
- vim /etc/auto.homers (* -rw nfsserver:/home/ldap/&)
- systemctl restart autofs
- cd /homes
- ls -a
A container has all that is needed to run an application. They are started from container images. Images are provided in image registries.
Features:
- Control groups - set limits to the amount of resources that can be used
- Namespaces - provide isolation so that containers only have access to their data and configuration
Containers need a user ID to be started. Root containers are started by the root users. Rootless containers are started by non-root users.
Normally each container runs one application.
Podman manages containers and container images
Container images are used to package container applications with all of their dependencies.
podman login registry.redhat.io
Configure Registry Access
- Registry access is configured in /etc/containers/registries.conf
- Container file - text file with instructions to build a custom container image
- dnf install container-tools (view all supporting tools to work with containers)
Move to the directory with the repo files: cd /rhcsa ... and list the files
cat Containerfile
git clone repository
podman images then podman info to see all of the registries
podman login registry.access.redhat.com
podman build -t mymap
vim Containerfile add "-y" to the RUN section
--------------------------------------------------------------------------------
- podman search: searches registries for images
- podman run: runs a container
- podman stop: stops a currently running container
- podman ps: show information about containers
- podman build: build an image from a Containerfile
- podman images: lists images
- podman inspect: shows container or image details
- podman pull: pulls an image from the registry
- podman exec: executes a command in a running container
- podman rm: removes a container
Use "podman inspect container"
podman logs: explore logs created by the container
Container access happens through port mappings. A port on the container host is exposed and forwards traffic to the container port.
podman run -d -p {portnumber}
--------------------------------------------
- Persistent storage is made by creating a directory on the container host and mounting that directory using podman run -d... -v /hostdir:/containerdir
- Namespaces provide isolation for the container and give it root access.
- Rootless containers are launched in a namespace
- The podman unshare command is used to run commands inside the container namespace
- To see appropriate directory ownership for rootless containers, you must first find the UID of the user that runs the main application (podman inspect imagename)
- Use podman unshare chown nn:nn directoryname to set the container UID as the owner of the directory on the host
- loginctl enable-linger to allow user services for a specific user (requires root privileges)
- Create a regular user account to manage all containers
- mkdir ~/.config/systemd/user; cd ~/.config/systemd/user
- Use podman to generate a user systems file for an existing container
- To generate a service file for a root container, do it from /etc/systemd/system
- podman generate --new : creates a new container when the system unit is started and deletes it when the unit is stopped.
- Edit the file that is generated and change the "WantedBy" line to "WantedBy=default.target"
- Manage them by using systemctl --user commands.