Linux Admin

linux_system_administration.pdf
red_hat_linux_administration_-_a_beginner_s_guide_2003.pdf

Maintainece update not supported from 2020/11/30 ⇒ you must config repos to new mirror for Fixing yum error:

yum list
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
 Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt

Steps:

1. Step1: Update /etc/yum.repos.d/CentOS-Base.repo

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib&infra=$infra
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

1. Step2:

   yum clean all

mount /dev/cdrom /mnt/cdrom/
cd /mnt/cdrom/CentOS
rpm -i mc-4.6.1a-35.el5.i386.rpm

It can automatically perform system updates, including dependancy analysis and obsolete processing based on “repository” metadata. It can also perform installation of new packages, removal of old packages and perform queries on the installed and/or available packages among many other commands/services (see below). yum is similar to other high level package managers like apt-get and smart.

• yum grouplist

  => 
  Installed Groups:
     DNS Name Server
     Dialup Networking Support
     Editors
     FTP Server
     .......
  Available Groups:
     Administration Tools
     Authoring and Publishing
     Base
     Beagle
     Cluster Storage
     Clustering
     Development Libraries
     Development Tools

• yum groupinfo

  yum groupinfo "Development Libraries"

• How to install gcc:

  # yum list | grep gcc
  => output:
  gcc.i386                                 4.1.2-44.el5                  base
  libgcc.i386                              4.1.2-44.el5                  base
  compat-gcc-34.i386                       3.4.6-4                       base
  .......			
  # yum install gcc.i386

• check package installed or available:

    yum list | grep postfix
    postfix.x86_64                           2:2.6.6-6.el6_5                @updates
    postfix-perl-scripts.x86_64              2:2.6.6-6.el6_5                updates
    # @updates => Installed
    # update => Available

• yum info php-mysql

  Loading mirror speeds from cached hostfile
  * base: mirrors.digipower.vn
  * elrepo: ftp.osuosl.org
  * extras: mirrors.digipower.vn
  * updates: mirrors.digipower.vn
  Installed Packages
  Name        : php-mysql

apt-cache - performs a variety of operations on APT's package cache. apt-cache does not manipulate the state of the system but does provide operations to search and generate interesting output from the package metadata.

dpkg - package manager for Debian

upgrades all installed packages

apt-get upgrade

Search Packages:

• Find packages that include <search_term>

  apt-cache search <search_term>

  For example:

  dpkg -l *chkconfig*

  output:

  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name                                 Version                 Architecture            Description
  +++-====================================-=======================-=======================-=============================================================================
  un  chkconfig                            <none>                  <none>                  (no description available)

• Find packages whose names contain <search_term>. Similar to apt-cache search, but also shows whether a package is installed on your system by marking it with ii (installed) and un (not installed).

  dpkg -l *<search_term>*

• Shows the description of package <package_name> and other relevant information including version, size, dependencies and conflicts

  apt-cache show <package_name>

• Shows the description of package

  dpkg --print-avail <package_name>

• List files in package <package_name>

  dpkg -L <package_name>

• Add user normal

  useradd anhvc

• Set password for user anhvc

  passwd anhvc

• Remove normal user:

  userdel anhvc

• Remove user and home directory itself and the user´s mail spool.

  userdel -r anhvc

• Add System User:

  #Create User and not create Home Directory
  useradd -M dovecot
  #Lock User not allow login
  usermod -L dovecot

• Change name of group

  groupmod -n accounting accountant

• Print all groups which user is in

  groups root

  output:

  root : root bin daemon sys adm disk wheel

• Get All users in group

  lid -g <groupname>

• Add user anhvc with group ztbackup

  useradd anhvc -g ztbackup

• Add an Existing User to a Group

  usermod -a -G <groupname> username

• Change a User’s Primary Group

  usermod -g <groupname> username

• Add a User to Multiple Groups:

  usermod -a -G ftp,admins,othergroup <username>

• Remove User in Group

  gpasswd -d <username> <groupname>

• Change the ownership of the file to the group “accounting”:

  chown :accounting filename

• Command format:

  chown user:group filename

refer: http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html

cat /etc/passwd | grep ftp

output:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
(username:ftp
userid:14
group:50 => ftp
Real name: FTP User
home directory: /var/ftp
Shell: /sbin/nologin
)	

cat ~/.bash_profile
cat ~/.bashrc => login profile for user
cat ~/.bash_history => history commands of user

• Prepare for writing /etc/sudoers

  chmod +w /etc/sudoers

• Add user to run sudo as root add below line to /etc/sudoers:

  anhvc    ALL=(ALL)     NOPASSWD: ALL

  ⇒ Allow user anhvc run sudo with no password. And below is config allow user anhvc sudo with password:

  anhvc    ALL=(ALL)  ALL

• Remove below config to allow run sudo command not require tty

  #Defaults requiretty

• Remove property write:

  chmod -w /etc/sudoers

umask(The user file-creation mode mask) is use to determine the file permission for newly created files

• normal user: The default umask 0002 ⇒ output:
  • default directory permissions are 775(rwxrwxr-x)
  • and default file permissions are 664(rw-rw-r–)
• root user: The default umask is 0022 result ⇒ output:
  • default directory permissions are 755 (rwxr-xr-x). How to calculate directory permission for 022 umaks (root user):

          Default Permissions: 777
          Subtract umask value: 022 (-)
          Allowed Permissions: 755

  • and default file permissions are 644 (rw-r–r–). How to calculate file permission for 022 umaks (root user):

          Default Permissions: 666
          Subtract umask value: 022 (-)
          Allowed Permissions: 644

• How to restore default mod when we chmod entire the directory with another mod? We only copy the file/directory to new file/directory → The mod will be automatic create base on the umask config

+ /etc/inittab
id:3:initdefault:
=> id:runlevels:action:command
+ /etc/rc.local
=> startup script when linux start

Understanding run-level scripts:A software package that has a service to start at boot time (or when the system changes run levels)

• Can add a script to the /etc/init.d directory. That script can then be linked to an appropriate run-level directory and either be started or stopped (to start or stop the service).
  • step1: create my_daemon and copy to /etc/init.d. Below is format of my_daemon:

    # chkconfig: 345 82 28
    # description: Does something pretty cool - you really
    #    have to see it to believe it!
    # processname: my_daemon

  • step2: run script:

    chkconfig --add my_daemon

• All of the programs within the /etc/rcX.d directories (where X is replaced by a run-level number) are symbolic links, usually to a file in /etc/init.d.
• For each run level, a script beginning with K stops the service, whereas a script beginning with S starts the service.

There are a bunch of services, particularly Internet services, that are not handled by separate run-level scripts. Instead, a single run-level script called xinetd ¹⁾ is run to handle incoming requests for these services ⇒ xinetd is sometimes referred to as the super-server.Below is script start,stop:

/etc/inid.d/xinetd

• Start httpd service:

  service httpd start

• Stop httpd service:

  service httpd stop

• Config autostart httpd when OS boot:

  chkconfig httpd on

  And in debian:

  update-rc.d httpd enable

• Get all services running

  service --status-all | grep running

  output:

  acpid (pid 3039) is running...
  atd (pid 3318) is running...
  auditd (pid 2690) is running...
  automount (pid 3015) is running...
  Avahi daemon is running
  Avahi DNS daemon is not running
  hcid (pid 2892) is running...
  sdpd (pid 2896) is running...
  capi not installed - No such file or directory (2)
  crond (pid 3289) is running...
  cupsd (pid 3072) is running...
  .............................

• Redhat / CentOS / Fedora: Edit /etc/sysconfig/network

  hostname="GWServer01-YN01"

  And run below script to save active hostname:

  hostname GWServer01-YN01
  /etc/sysconfig/network

• Debian / Ubuntu: Edit /etc/hostname file, enter new hostname:

  GWServer01-YN01

  And run script below to change live hostname:

  hostname GWServer01-YN01

/etc/issue.net /etc/issue

/etc/ssh/sshd_config

• Redhat: Edit /etc/sysconfig/network-scripts/ifcfg-eth0:

  DEVICE=eth0
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=120.138.64.2
  NETMASK=255.255.255.192
  HWADDR=00:1A:64:56:12:10
  GATEWAY=120.138.64.1

  And run command below to active config:

  /sbin/service network restart

• [debian/ubuntu]:Edit /etc/network/interfaces

  auto eth0
  iface eth0 inet static
  address 123.30.133.150
  gateway 123.30.133.129
  netmask 255.255.255.128
  network 123.30.133.128#custom
  broadcast 123.30.133.255#custom

  And run command below to active config:

  /etc/init.d/networking restart

/sbin/ifconfig -a
/sbin/arp -a

sudo /usr/sbin/dmidecode -t
sudo /usr/sbin/dmidecode -t baseboard

output:

Handle 0x002B, DMI type 10, 6 bytes
On Board Device Information
        Type: Ethernet
        Status: Enabled
        Description: Onboard Ethernet
Handle 0x006A, DMI type 41, 11 bytes
Onboard Device
        Reference Designation:  Onboard LAN
        Type: Ethernet
        Status: Enabled
        Type Instance: 1
        Bus Address: 0000:00:19.0

• Redhat

  route add -net 10.60.3.0/24 gw 10.30.41.1
  route add -net 192.168.2.0/24 gw 192.168.2.2
  route add default gw 120.138.64.1

• Debian

  up route add -net 10.60.3.0/24 gw 10.30.41.1 dev eth1
  up route add -net 192.168.2.0/24 gw 192.168.2.2 dev eth1

• Redhat: update route in /etc/sysconfig/network-scripts/route-eth1

  cat > /etc/sysconfig/network-scripts/route-eth1
  10.199.44.0/24 via 10.30.31.1
  10.199.51.5/32 via 10.30.31.1
  10.199.3.0/24 via 10.30.31.1
  10.199.50.213/32 via 10.30.31.1
  10.30.4.0/27 via 10.30.31.1
  118.102.5.136/32 via 10.30.31.1
  192.168.64.0/24 via 10.30.31.1
  10.30.4.9/32 via 10.30.31.1

  Or run script below to add route:

  echo '10.30.15.16/32 via 10.30.31.1' >> /etc/sysconfig/network-scripts/route-eth1
  route add -host 10.30.15.16 gw 10.30.31.1

  And active configure:

  /sbin/service network restart

• Debian: Edit /etc/network/interfaces

  up route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11
  down route del -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.11

  And active configure:

  /etc/init.d/networking restart

[/etc/resolv.conf]

nameserver 202.96.209.5

• config: /etc/dhcp.conf
• client: go dhclient ⇒ get dynamic IP

service iptables start
service iptables stop
service iptables restart
service iptables status
chkconfig --level 345 iptables on
chkconfig --list iptables

• /etc/sysconfig/iptables
• Create simle iptable which open ssh, http and ICMP:

  *filter
  :INPUT ACCEPT [396:30624]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [216:23216]
  -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
  #eth0 INPUT here
  -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
  -A INPUT -i eth0 -p icmp -j ACCEPT
  -A INPUT -i eth0 -j DROP
  #eth1 INPUT here
  -A INPUT -i eth1 -p icmp -j ACCEPT
  -A INPUT -i eth1 -j DROP
  COMMIT

http://linuxhelp.blogspot.com/2005/01/system-logging.html

These daemons provide centralized logging in linux.

• The configuration file: /etc/syslog.conf
• script controls: /etc/rc.d/init.d/syslog

• /var/log/dmesg: This log file is written upon system boot. It contains messages from the kernel that were raised during the boot process. You can also view them using the command:

      #dmesg
      

• /var/log/messages: This is the standard system log file, which contains messages from all your system software, non-kernel boot issues, and messages that go to 'dmesg'.
• /var/log/maillog: This log file contains messages and errors from your sendmail.
• /var/log/secure: This log file contains messages and errors from security related systems such as login, tcp_wrappers, and xinetd. This log file is very useful in detecting and investigating network abuse.

Check log all crontabs on linux system:

cat /var/log/cron

/etc/at.deny
echo "/sbin/init 0" | at now +1 minutes

atq
job 12 at 2009-08-17 20:06

to sheduleing with crond, the crond was configured auto-restart when linux start:

chkconfig crond on

All available crontabs:

crontab
cron.deny
cron.hourly
cron.daily
cron.weekly
cron.monthly
cron.d

• crontab -e: create or edit crontab configuration file
• crontab -l: display content of crontab configuration file
• crontab -r: delete crontab configuration file

• cat /var/spool/cron/root

  */30 * * * * /usr/sbin/ntpdate  pool.ntp.org
  */5 * * * * /usr/local/bin/iostat.sh
  14 2 * * * /etc/webmin/cron/tempdelete.pl
  30 4 * * 1 /root/scripts/kpiweekly.sh >> /var/log/kpiweekly.log
  0 5 1 * * /root/scripts/kpimonthly.sh >> /var/log/kpimonthly.log

• structure of crontab

  minute(s) hour(s) day(s) month(s) weekday(s) command(s)
     *     *     *     *     *     command to be executed
     -     -     -     -     -
     |     |     |     |     |
     |     |     |     |     +----- day of week (0 - 6) (Sunday=0)
     |     |     |     +------- month (1 - 12)
     |     |     +--------- day of month (1 - 31)
     |     +----------- hour (0 - 23)
     +------------- min (0 - 59)		
  25 18 * * * /etc/webmin/cron/tempdelete.pl

create crontab for user anhvc to backup file /home/anhvc/data.txt at 21h45 every day

• step1: create scrip backup

  #!/bin/sh
  file_name=`date +%H%M%S_%d%m%y`			
  cp data.txt $file_name.txt

• step2: Create crontab configuration file

  crontab -e
  45 21 * * * /home/anhvc/backupdata.sh

• step3: restart crontab service

  sudo /etc/init.d/crond restart

• step4: check content of crontab configuration file

  crontab -l  => 45 21 * * * /home/anhvc/backupdata.sh

• step5: check output of contab

  ls /home/anhvc 
  => 214501_170809.txt

1. Step1: Install ntpdate

   yum install ntpdate

2. Step2: Create contab content:

   */30 * * * * /usr/sbin/ntpdate  pool.ntp.org

logrotate was run everydays with crond default config /etc/cron.daily/logrotate below:

#!/bin/sh
 
/usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

in /etc/logrotate.d/httpd

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

⇒ we can chage the directory which contain log files /var/log/httpd/*log

refer: http://article.gmane.org/gmane.comp.web.nginx.english/586

1. Step1: Config ngix create pid file in conf/nginx.conf:

   worker_processes  1;
   
   #error_log  logs/error.log;
   #error_log  logs/error.log  notice;
   #error_log  logs/error.log  info;
   
   pid        /var/run/nginx.pid;

2. Step2: Restart nginx and check content of /var/log/nginx.pid. If OK, go to next step
3. Step3: create logrotate config for nginx /etc/logrotate.d/nginx with content below:

   /usr/local/nginx/logs/*log {
       #rotate the logfile(s) daily
       daily
       # adds extension like YYYYMMDD instead of simply adding a number
       dateext
       # If log file is missing, go on to next one without issuing an error msg
       missingok
       # Save logfiles for the last 52 days
       rotate 52
       # Old versions of log files are compressed with gzip
       compress
       # Postpone compression of the previous log file to the next rotation cycle
       delaycompress
       # Do not rotate the log if it is empty
       notifempty
       # create mode owner group
       create 640 root nobody
       sharedscripts
       #after logfile is rotated and nginx.pid exists, send the USR1 signal
       postrotate
           [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
       endscript
   }

   ⇒ root:nobody(user: root, group: nobody) permissions might need further revision in your own system, as well as the logs and pid file location

4. Step4: run to check nginx logrotate config

   logrotate --force /etc/logrotate.d/nginx

refer: http://ithubinfo.blogspot.com/2013/07/how-to-increase-ulimit-open-file-and.html

• run some basic dynamic config

  ulimit -n 102400
  ulimit -c 1024000
  echo 1073741824 >/proc/sys/kernel/shmmax
  echo 200000 260000 300000 > /proc/sys/net/ipv4/tcp_mem

• check config:

  ulimit -a

  ⇒ output:

  core file size          (blocks, -c) 0
  data seg size           (kbytes, -d) unlimited
  scheduling priority             (-e) 0
  file size               (blocks, -f) unlimited
  pending signals                 (-i) 256651
  max locked memory       (kbytes, -l) 64
  max memory size         (kbytes, -m) unlimited
  open files                      (-n) 1024
  pipe size            (512 bytes, -p) 8
  POSIX message queues     (bytes, -q) 819200
  real-time priority              (-r) 0
  stack size              (kbytes, -s) 10240
  cpu time               (seconds, -t) unlimited
  max user processes              (-u) 1024
  virtual memory          (kbytes, -v) unlimited
  file locks                      (-x) unlimited

Check number open files

• Method1:

  cat /proc/sys/fs/file-nr

  ⇒output:

  960     0       65536

  ⇒ 960 files is opened and fs.file-max = 65536

• Method2: Check sysctl

  sysctl -a | grep file-max

  output:

  fs.file-max = 65536

Steps to config max number open files:

1. Step1: Edit config in /etc/sysctl.conf to increase max number of ulimit open file in Linux

   fs.file-max = 65536

2. Step2: add config into /etc/security/limits.conf

   *          soft     nproc          65535
   *          hard     nproc          65535
   *          soft     nofile         65535
   *          hard     nofile         65535

3. Step3: reboot
4. Step4: recheck after config:

   ulimit -n

   output:

   65535

ulimit -a
sysctl -a => Display all values currently available.
sysctl kernel => for kernel
sysctl fs => for file system
sysctl net => for net system