November 27, 2013

Using the Automounter Service on RHEL 6

RHEL 6 ships with a convenient network mounter service, the automounter.

To check if the automounter is running.

To use it, simply cd into the /net folder followed by the NFS hostname, i.e. /net/<nfs hostname>.

The remote network share will be unmounted automatically when unused for a configurable timeout.

Managing LVM with RHEL 6

Introduction

LVM (Logical Volume Manager) is a flexible way to handle disk space, since you can grow and shrink file systems, which is not possible to the same extent with the MBR (Master Boot Record) partitioning format.

NOTE: "It is generally recommended that you create a single partition that covers the whole disk to label as an LVM physical volume" [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Logical_Volume_Manager_Administration/LVM_components.html#multiple_partitions]

LVM is built up of three cornerstones:

  1. Physical Volume, PV
  2. Volume Group, VG
  3. Logical Volume, LV

Prerequisite

Create a new partition with type 0x8E Linux LVM.

The Most Important Commands

Create Physical Volume (PV), Volume Group (VG) and Logical Volume (LV)

First let's create a new physical volume on the prerequisite partition.

Create volume group vg_test that spans the entire physical volume /dev/sda3.

Create a logical volume of size 500 MB, named lv_test, in volume group vg_test.

lvcreate now creates a block device file at /dev/vgName/lvName, on which we can create a file system and mount it.

Extend Logical Volume (LV)

Extend the logical volume lv_test by another 500 MB.

Now you need to grow the file system.

Verify/test the new size of /data.

Reduce Logical Volume (LV)

When reducing a file system, you need to unmount it first.

# umount /data

Then reduce the actual filesystem.

After the actual file system is reduced, we can now shrink the logical volume.

Finally test/verify by remounting and checking the disk space.
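The order of the two reduce steps above matters: the file system is shrunk first, and the logical volume must never be reduced below the new file-system size, or the tail of the file system is cut off and data is lost. The following pre-flight check is an added example, not code from the original post; it only compares sizes (given as LVM-style strings such as 500M or 2G) and never calls lvreduce or resize2fs itself. The function names and the whole-number size format are my own assumptions.

```bash
#!/bin/sh
# Added example: sanity check before lvreduce. Sizes are LVM-style strings
# with whole numbers only (512K, 500M, 2G, 1T); the values used are constructed.

# to_mib SIZE: convert a size string to whole MiB (rounding K down)
to_mib() {
  num=$(printf '%s' "$1" | sed 's/[^0-9]//g')
  unit=$(printf '%s' "$1" | sed 's/[0-9]//g' | tr 'a-z' 'A-Z')
  [ -n "$num" ] || return 1
  case "$1" in *.*) return 1 ;; esac   # fractional sizes are not supported
  case "$unit" in
    K|KB)    echo $((num / 1024)) ;;
    M|MB|"") echo "$num" ;;
    G|GB)    echo $((num * 1024)) ;;
    T|TB)    echo $((num * 1024 * 1024)) ;;
    *)       return 1 ;;
  esac
}

# reduce_is_safe FS_SIZE NEW_LV_SIZE: succeeds (exit 0) only when the target
# LV size is at least the size the file system was already reduced to
reduce_is_safe() {
  fs=$(to_mib "$1") || return 1
  lv=$(to_mib "$2") || return 1
  if [ "$lv" -ge "$fs" ]; then
    echo "ok: LV ${lv}M holds file system ${fs}M"
  else
    echo "refusing: LV ${lv}M is smaller than file system ${fs}M" >&2
    return 1
  fi
}

# example run with constructed values: file system shrunk to 500M, LV to 700M
reduce_is_safe 500M 700M
```

Run the check with the size you passed to resize2fs and the size you intend to pass to lvreduce -L; only proceed with lvreduce when it reports ok.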

Extend Volume Group (VG)

First create a new physical volume.

Now let's extend the existing volume group 'vg_test' with our new physical volume.

And last test/verify.

Reduce Volume Group (VG)

Remove physical volume /dev/sda4 from the existing volume group 'vg_test'.

Test/verify

Reference

  • lvm(8): lvm - LVM2 tools
  • pvcreate(8): pvcreate - initialize a disk or partition for use by LVM
  • vgcreate(8): vgcreate - create a volume group
  • lvcreate(8): lvcreate - create a logical volume in an existing volume group
  • vgextend(8): vgextend - add physical volumes to a volume group
  • vgreduce(8): vgreduce - reduce a volume group
  • lvextend(8): lvextend - extend the size of a logical volume
  • lvreduce(8): lvreduce - reduce the size of a logical volume
  • resize2fs(8): resize2fs - ext2/ext3/ext4 file system resizer

Encrypting Disks with LUKS in RHEL 6

Introduction

LUKS (Linux Unified Key Setup) is a standard for hard disk encryption. LUKS can encrypt both partitions and LVM volumes. Here I will encrypt a partition.

Prerequisite

Create a new partition with fdisk.

Encrypt a Partition

First we need to encrypt the partition.

The next step is to unlock the partition with cryptsetup luksOpen <blockDeviceFile> <luksname>. cryptsetup then creates a new mapped block device file under /dev/mapper/<luksname>.

Finally we create a file system on the unlocked mapped device and mount it.

Persistently Mount Encrypted Partition

To make the mount persistent we normally add the block device file to /etc/fstab, but with encrypted storage we also need to add the encrypted partition to the list of devices to be unlocked during system startup. That is done by adding the luksname and block device file to /etc/crypttab.

After that extra step, edit /etc/fstab as usual.

Automatically Mount Encrypted Partition

To automatically unlock an encrypted partition we need to store the password on disk, which has obvious security problems, but if you want it, do the following.

Now edit /etc/crypttab and add the password file.

Reboot and verify that no password is needed and that the encrypted partition is mounted.
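If a key file is used this way, the one thing that limits the damage is that nobody but root can read it. The script below is an added example, not from the original post: it reads the third field of each /etc/crypttab entry (the key file) and checks that the file is owned by the expected user and has no group or other permission bits. The crypttab contents and paths in the usage run are constructed, the function names are my own, and the file to audit is passed as an argument so the check can be run against a copy.

```bash
#!/bin/sh
# Added example: audit key files referenced from a crypttab file.
# crypttab fields: name device keyfile options (keyfile may be "none").

# crypttab_keyfiles FILE: print "name keyfile" for every entry with a key file
crypttab_keyfiles() {
  awk '!/^[[:space:]]*(#|$)/ && $3 != "" && $3 != "none" { print $1, $3 }' "$1"
}

# keyfile_is_secure PATH [UID]: the file exists, is owned by UID (default 0,
# i.e. root) and has mode 0400 or 0600 (no group/other bits at all)
keyfile_is_secure() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  owner=$(stat -c '%u' "$1")
  [ "$owner" = "${2:-0}" ] || return 1
  case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# audit_crypttab FILE [UID]: report every key file that fails the check;
# exit status 0 only when all of them pass (paths with spaces unsupported)
audit_crypttab() {
  bad=0
  for key in $(crypttab_keyfiles "$1" | awk '{ print $2 }'); do
    if keyfile_is_secure "$key" "$2"; then
      echo "ok:       $key"
    else
      echo "INSECURE: $key (want owner uid ${2:-0}, mode 0400/0600)"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# usage with a constructed crypttab in a temp dir (nothing under /etc is read)
d=$(mktemp -d)
printf 'constructed-key-material\n' > "$d/data.key"
chmod 600 "$d/data.key"
printf 'luks_data /dev/sda5 %s/data.key luks\nluks_tmp /dev/sda6 none luks\n' "$d" > "$d/crypttab"
audit_crypttab "$d/crypttab" "$(id -u)"
rm -rf "$d"
```

On a real host run audit_crypttab /etc/crypttab as root; any line marked INSECURE means the disk encryption key is readable by other local users and should be fixed with chown root and chmod 0400 before trusting the volume.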

Remove Encrypted Partition

  1. Remove the mapped block device file from /etc/fstab.
  2. Remove the luksname from /etc/crypttab.
  3. Unmount the mapped block device: umount /dev/mapper/luksname.
  4. Lock the encrypted partition: cryptsetup luksClose luksname.

Reference

  • cryptsetup(8): cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS extension)
  • crypttab(5): /etc/crypttab - encrypted block device table
  • fstab(5): /etc/fstab - static information about the filesystems

November 26, 2013

Managing Swap Space in RHEL 6

Introduction

Swap space is used by the OS as overflow for parts of the RAM that are currently not being used.

The recommended size of the swap space depends on how much RAM you have.

  • < 2GB RAM, use 2 * RAM
  • >= 2GB RAM, use RAM + 2GB

How to Create a New Swap Partition

After reboot we need to format the new swap partition.

The next step is to activate it.

To verify/list current swap spaces.

To make this new swap space persistent, we need to add this new swap space to /etc/fstab.

Reboot and verify that new swap space is active.

How to Remove a Swap Partition

First deactivate it.

Verify it is no longer active.

IF YOU HAVE ADDED IT TO /etc/fstab, DO NOT FORGET TO REMOVE IT FROM THERE AS WELL!

Managing Partitions With RHEL 6

Introduction

Most Linux distributions, which is also the case with RHEL 6, use the MBR (Master Boot Record) partitioning format. The MBR is designed to hold a maximum of 4 primary partitions. If more are needed, you must use one primary partition as an extended partition. And do not forget to let the extended partition use all remaining disk space. After creating an extended partition, you can create logical partitions on the extended partiti

Graphical Tool

On a desktop RHEL there is a graphical tool for managing partitions: palimpsest.

A newer GUI tool that is maybe better is parted. The good thing with this tool is that it can also resize and copy partitions.

Command Line

At the command line, you have the fdisk tool. When using the fdisk tool always use the following options:

  • -c Switch off DOS-compatible mode.
  • -u When listing partition tables, give sizes in sectors instead of cylinders.

Let's get started with fdisk and create a new primary partition.

After reboot you can check your new primary partition.

Now let's create an ext4 file system on the new primary partition.

And mount it.

If you want RHEL to automatically mount your new partition at boot, you need to add it to /etc/fstab. The recommended way to identify the partition is by its UUID.

And finally save and reboot.
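Both the swap post above (which warns about forgetting a removed swap partition in /etc/fstab) and this post (which adds a partition to /etc/fstab by UUID) come down to editing the same file correctly, and a bad line there can leave the machine unbootable. The helpers below are an added example, not code from the original posts: one builds a UUID-based entry, one lists the entries that still reference a device you are about to remove, and one checks that every entry has the six fields fstab(5) expects. The fstab content and UUIDs are constructed, the file is passed as an argument so nothing under /etc is touched, and the "0 2" dump/pass defaults in fstab_line are my own choice for a non-root data file system.

```bash
#!/bin/sh
# Added example: small /etc/fstab helpers. All input below is constructed.

SAMPLE_FSTAB='# constructed /etc/fstab for the example
UUID=1f2e3d4c-0000-4000-8000-000000000001 /        ext4  defaults     1 1
UUID=1f2e3d4c-0000-4000-8000-000000000002 /data    ext4  defaults     1 2
/dev/sda5                                 swap     swap  defaults     0 0
/dev/sdb1                                 /mnt/usb vfat  noauto,user  0 0'

# fstab_entries_for FILE SPEC: print the lines whose device field equals SPEC
# (a /dev path or UUID=...). Run before removing a swap partition or a disk
# so no stale entry is left behind to fail at the next boot.
fstab_entries_for() {
  awk -v s="$2" '!/^[[:space:]]*(#|$)/ && $1 == s' "$1"
}

# fstab_line UUID MOUNTPOINT FSTYPE [OPTIONS]: build a persistent entry that
# identifies the partition by UUID rather than by /dev name
fstab_line() {
  printf 'UUID=%s %s %s %s 0 2\n' "$1" "$2" "$3" "${4:-defaults}"
}

# fstab_valid FILE: every non-comment line must have exactly six fields and
# an absolute mount point (or "swap"); prints offending lines, exit 1 if any
fstab_valid() {
  awk '!/^[[:space:]]*(#|$)/ && (NF != 6 || ($2 !~ /^\// && $2 != "swap")) { print; bad = 1 }
       END { exit (bad ? 1 : 0) }' "$1"
}

# usage on the constructed table
d=$(mktemp -d)
printf '%s\n' "$SAMPLE_FSTAB" > "$d/fstab"
echo "entries for /dev/sda5 (remove these before deleting the swap partition):"
fstab_entries_for "$d/fstab" /dev/sda5
echo "new entry to append for a partition:"
fstab_line 1f2e3d4c-0000-4000-8000-000000000003 /srv ext4
fstab_valid "$d/fstab" && echo "fstab is well-formed"
rm -rf "$d"
```

Get the real UUID with blkid (as the post does), feed it to fstab_line, and run fstab_valid on the edited file before rebooting.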

November 25, 2013

How to Mount a USB Device in Linux

Short Version

1. Before inserting the USB, check which disks you already have.

2. Create a new directory under /mnt to which you will mount your USB.

3. Now insert the USB and mount it.

4. Now you are ready to read and write to your USB.

5. To unmount.

Longer Version

In Linux a storage device is represented by a device file in /dev/.

The three-letter naming convention for storage devices in Linux is:

  1. s - storage
  2. d - disc (such as SCSI, USB, SATA), cd - cd or dvd
  3. literal order character, starting with a, then b, c, etc

Example: /dev/sda (SCSI, USB, SATA), /dev/sdb (SCSI, USB, SATA), /dev/scd (CD/DVD)

These device files represent the whole drive. Each drive is divided into partitions. The first partition receives order number one, the next one two, etc.

When a new storage device is added it receives the next free order letter, here b (/dev/sdb). Another way to find out the device file is to tail the dmesg log.

Here we see that the USB was allocated device name sdb. But when you mount, you mount a partition that contains a file system, and in general most USB sticks have only one partition, hence sdb1.
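Reading the device name off dmesg by eye is fine once, but the same thing can be scripted, which also avoids mounting the wrong disk when more than one has been attached. The functions below are an added example, not from the original post: they pull the last disk the kernel reported as attached and the partitions it announced for it out of dmesg-style text. The log lines are constructed to match the usual "[sdb] Attached SCSI removable disk" and " sdb: sdb1" messages; on a real host pipe dmesg output into the functions instead.

```bash
#!/bin/sh
# Added example: find the newly attached disk and its partitions in dmesg text.

# constructed dmesg excerpt for a USB stick that became /dev/sdb
SAMPLE_DMESG='[ 1024.100] usb 1-1: new high-speed USB device number 3 using ehci_hcd
[ 1024.300] scsi6 : usb-storage 1-1:1.0
[ 1025.400] sd 6:0:0:0: [sdb] 15633408 512-byte logical blocks: (8.00 GB/7.45 GiB)
[ 1025.401] sd 6:0:0:0: [sdb] Write Protect is off
[ 1025.500]  sdb: sdb1
[ 1025.600] sd 6:0:0:0: [sdb] Attached SCSI removable disk'

# new_disk: reads dmesg text on stdin, prints the name of the last disk the
# kernel reported as attached (e.g. sdb), nothing if none
new_disk() {
  sed -n 's/.*\[\(sd[a-z]*\)\] Attached SCSI.*/\1/p' | tail -n 1
}

# partitions_of DISK: reads dmesg text on stdin, prints the partition names
# from the kernel's " sdb: sdb1 sdb2" line, one per line
partitions_of() {
  awk -v d="$1" '{
    seen = 0
    for (i = 1; i <= NF; i++) {
      if (seen) print $i
      else if ($i == (d ":")) seen = 1
    }
  }'
}

# usage: on a real system replace the printf with `dmesg | tail -n 50`
disk=$(printf '%s\n' "$SAMPLE_DMESG" | new_disk)
echo "new disk: /dev/$disk"
printf '%s\n' "$SAMPLE_DMESG" | partitions_of "$disk" | sed 's#^#partition: /dev/#'
```

The partition list is what you actually mount (here /dev/sdb1); a disk that reports no partitions was formatted whole and is mounted as /dev/sdb itself.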

November 24, 2013

Securing SSH with Public/Private Key Authentication

The motives for using public/private key authentication are:

  1. Firstly, for convenience: you no longer need to enter a password (unless you protect your keys with a passphrase).
  2. Secondly, once set up, you can remove password authentication, which is a big cracking hole.

Prerequisite

The remote user needs to exist on the remote server. If it does not, create it, and LOG IN at least ONCE so that its home directory is created. Alternatively you can eagerly create the home directory when you add the user.

Here I will use the existing user root, for simplicity.

Client Side

Generate public and private keys, with NO password protection. I will here use the RSA algorithm and a key length of 2048 bits.

Next make sure that the ssh key directory and the private key have proper file permissions.

The last step is to copy the client public key to the server. You can either do that manually, or with the ssh-copy-id tool. Here I will use the tool.

If you are setting up public/private key authentication for a different user, replace root in the above command with your user.

Server Side

On the server side, open /etc/ssh/sshd_config and enable public/private key authentication.

Then restart the ssh daemon service.

And finally verify that the keys directory and files have the proper file permissions and SELinux type for your user.
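The two things that most often make sshd silently fall back to password prompts are the permission checks mentioned on both the client and server side (sshd ignores authorized_keys in a world-writable ~/.ssh) and an sshd_config that does not actually say what you think it says. The script below is an added example, not from the original post: one function checks the mode of a key directory and the files in it, and another reports the effective value of an sshd_config keyword (first match wins, keywords are case-insensitive, Match blocks are not handled). Paths are arguments so it can run against a temporary copy; the function names and the constructed sshd_config in the usage run are my own.

```bash
#!/bin/sh
# Added example: permission and sshd_config checks for key-based login.

# ssh_perms_ok DIR: DIR must be 0700; private keys and authorized_keys 0600;
# *.pub files may be 0644. Prints each offending path, exit 1 if any.
ssh_perms_ok() {
  bad=0
  dmode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
  [ "$dmode" = 700 ] || { echo "$1: expected 700, got $dmode"; bad=1; }
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f")
    case "$f" in
      *.pub) want=644 ;;
      *)     want=600 ;;
    esac
    [ "$mode" = "$want" ] || { echo "$f: expected $want, got $mode"; bad=1; }
  done
  [ "$bad" -eq 0 ]
}

# sshd_option FILE KEYWORD: effective value of KEYWORD in an sshd_config
# (first non-comment match wins, as in sshd), or "unset" when absent
sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    !/^[[:space:]]*#/ && tolower($1) == k { print $2; found = 1; exit }
    END { if (!found) print "unset" }' "$1"
}

# sshd_keys_only FILE: true when public-key auth is enabled (its default is
# yes, so "unset" counts as enabled) and password auth is explicitly off
sshd_keys_only() {
  [ "$(sshd_option "$1" PubkeyAuthentication)" != no ] &&
  [ "$(sshd_option "$1" PasswordAuthentication)" = no ]
}

# usage against a constructed key directory and sshd_config in a temp dir
d=$(mktemp -d)
mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
: > "$d/.ssh/id_rsa"     && chmod 600 "$d/.ssh/id_rsa"
: > "$d/.ssh/id_rsa.pub" && chmod 644 "$d/.ssh/id_rsa.pub"
ssh_perms_ok "$d/.ssh" && echo "key directory permissions ok"
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config"
sshd_keys_only "$d/sshd_config" && echo "sshd accepts keys only"
rm -rf "$d"
```

On the server run ssh_perms_ok ~user/.ssh and sshd_option /etc/ssh/sshd_config PasswordAuthentication after the restart; if the file mode is right and sshd still prompts for a password, the remaining suspect is the SELinux type the post mentions (restorecon on the directory resets it).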

Test

Finally you need to test to verify the installation. On the client machine, switch to the user you set up and

RHEL: How to Switch Users in Multiuser Runlevels

Switching User

To switch to a different user, e.g. student, run

To switch to root

Runlevels

Most Linux distributions can be run in 5 different runlevels. Runlevels 0 and 6 are special, as you can see below.

  • 0 - Shutdown
  • 1 - Single user mode, without network
  • 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
  • 3 - Full multiuser mode, with network.
  • 4 - Unused
  • 5 - X11, graphical mode with network
  • 6 - Reboot

To see the current runlevel, type:

The default runlevel is set in /etc/inittab.

How to Switch Runlevels

You can switch the runlevel with init, e.g. init 3. But from the graphical mode, there is also a keyboard shortcut.

ctrl + alt + F1 - for init 1, ctrl + alt + F2 - for init 2, etc.

November 23, 2013

Accessing Network Files via NFS and CIFS in Linux

Working with remote file systems under Linux is not hard. Below I will show how to use the two most common remote file systems:

  • NFS - Network File System
  • CIFS - Common Internet File System

NFS

Show the NFS server's export list.

Mount. Note that the directory /remote must exist before mounting; if not, create it with mkdir /remotenfs.

Unmount file systems.

CIFS

CIFS is the underlying remote file protocol used by the Samba server, which is the most common file server in a mixed client environment with Windows and Linux.

Install the client library.

Show the CIFS server's share names.

Mount. Note that the directory /remote must exist before mounting; if not, create it with mkdir /remotecifs.

Unmount file systems.

Common vi commands

Most Linux servers run without a graphical interface, and the editor you can be most sure is installed is vi. But getting used to vi can be a little challenging. Below I will show you the most common vi commands.

  • Open: vi file.txt
  • Close without saving: :q!
  • Insert: i
  • Quit editing (back to command mode): ESC
  • Write and close: :wq
  • Copy line and paste line: yy + p
  • Delete line and paste line: dd + P (capital)
  • Change word: cw
  • Browse to next word: w
  • Browse to previous word: b
  • Go to first line: 1G
  • Go to last line: G

Linux File and Special Permission

File Permission

The simplest file permissions in Linux are r (read), w (write) and x (execute). These permissions apply to u (user), g (group) and o (other). They can be set both:

  • Symbolically: +-r, +-w, +-x
  • Numerically: r=4, w=2, x=1

Special Permission

There are three special permissions: setuid, setgid and sticky. They can be applied to both files and directories, but then have different meanings.

Special Permission / File / Directory

  setuid
    File: Only meaningful for executable files: the executable is run as the file owner, not as the user that executes it. Example: /usr/bin/passwd
    Directory: No effect.

  setgid
    File: Only meaningful for executable files: the executable is run with the file's group, not the group of the user that executes it.
    Directory: All newly created files in the directory inherit the group of the parent directory.

  sticky
    File: No effect.
    Directory: In a directory where everyone has write permission, a file can only be removed by the user that created it (and by root). Example: /tmp

To set the special permission:

  • Symbolically: setuid=u+s, setgid=g+s, sticky=o+t
  • Numerically: setuid=4, setgid=2, sticky=1
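The numeric form above is also what you see in the first digit of a four-digit mode reported by stat, which makes the special bits easy to audit: a setuid executable owned by root runs with root's privileges for whoever executes it, so an unexpected one is worth noticing. The script below is an added example, not from the original post: it decodes the special bits of a file from its numeric mode (using the 4/2/1 values listed above) and lists setuid/setgid files under a directory with find. The files in the usage run are constructed in a temp dir and the function names are my own.

```bash
#!/bin/sh
# Added example: decode special permission bits and find setuid/setgid files.

# special_bits PATH: prints which of setuid/setgid/sticky are set on PATH,
# e.g. "setuid setgid", or "none"
special_bits() {
  mode=$(stat -c '%a' "$1") || return 1
  # GNU stat prints a leading fourth digit only when a special bit is set
  [ ${#mode} -eq 4 ] || { echo none; return 0; }
  s=${mode%???}          # leading digit: setuid=4, setgid=2, sticky=1
  out=""
  [ $((s & 4)) -ne 0 ] && out="$out setuid"
  [ $((s & 2)) -ne 0 ] && out="$out setgid"
  [ $((s & 1)) -ne 0 ] && out="$out sticky"
  echo "${out# }"
}

# setxid_files DIR: regular files under DIR with setuid or setgid set, sorted;
# on a real system run this on / (as root) and compare against a known list
setxid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# usage on constructed files: a plain binary, a setuid one, a shared dir
d=$(mktemp -d)
: > "$d/plain";  chmod 755  "$d/plain"
: > "$d/suid";   chmod 4755 "$d/suid"
mkdir "$d/shared"; chmod 1777 "$d/shared"
for p in "$d/plain" "$d/suid" "$d/shared"; do
  echo "$p: $(stat -c '%a' "$p") -> $(special_bits "$p")"
done
echo "setuid/setgid files under $d:"
setxid_files "$d"
rm -rf "$d"
```

A scheduled run of setxid_files / diffed against the output from a clean install is a cheap way to spot a new privilege-elevating binary.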