Oracle Linux/Quick Reference

Revision as of 16:52, 2 January 2019

yum

update repo cache (agt-get update equivalent)

~$ yum check-update

update all packages

~$ yum update

install software

~$ yum install lynx

search for software

~$ yum search apache

remove software

~$ yum remove lynx

search for package by command

~$ yum whatprovides dig

search for installed packages

~$ yum list installed | grep nfs-utils

show available versions from repo with their details

~$ yum -v list nfs-utils --show-duplicates 

Add user & add to sudoers

add user

~$ useradd user

you can also add the user, define their home directory, and add them to a group in one line.

~$ useradd username -d <customer_home_dir_path> -G <group_names>

set password for user

~$ passwd user

add to sudoers

~$ visudo
...
user ALL=(ALL) ALL

or use the wheel group. Uncomment it:

## Allow people in the group wheel to run all commands
%wheel     ALL=(ALL)     ALL

Add user to the group

~$ sudo usermod -a -G [group] [user]
i.e. sudo usermod -a -G sudo Joe

check to verify they are part of the group
~$ getent group sudo
sudo:x:27:Bob,Joe

permissions

determine packages installed & search

~$ rpm -qa | less | grep term

configure date/time

~$ sudo date -s "2 OCT 2006 18:00:00"

netstat

determine gateway

~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.45.9.1       0.0.0.0         UG        0 0          0 eth0
10.45.9.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0

disable selinux

Check Status

~$ $ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

temporarily disable

~$ setenforce 0
or
~$ setenforce Permissive

permanently disable

~$ /etc/selinux/config
 change SELinux=enforcing to SELinux=disabled

check linux version

~$ rpm -qf /etc/redhat-release

release and renew ip (dhcp)

release

~$ sudo dhclient -v -r eth0

renew

~$ sudo dhclient -v eth0

clone network adapter config

I found that i'm regularly adding new network adapters to vms (say to add an internal network) and wanted a single line way of copying the existing nic interface config and modifying it for the new interface. I came up with the line below which starts off by defining an array with both the old and new interface names, in that order: {old new}

~$ ints=(enp0s3 enp0s8) && sudo cat /etc/sysconfig/network-scripts/ifcfg-"${ints[0]}" | sed 's/UUID\=.\{38\}/UUID\=\"'$(uuidgen ${ints[1]})'\"/' | sed 's/DEVICE\=.\{8\}/DEVICE\=\"'$(echo ${ints[1]})'\"/' | sed 's/NAME\=.\{8\}/NAME\=\"'$(echo ${ints[1]})'\"/' | sudo tee /etc/sysconfig/network-scripts/ifcfg-"${ints[1]}" > /dev/null

pretty simple, opens the existing old config file, generates new UUID and replaces the old, finds old device and name values and replaces with new, then finally creates a new file with all the changes. Doesn't affect the old config file at all.

update hostname

Normally you only need to update the hostname in (1) place:

~$ sudo vim /etc/hostname
hostname.localhost

However, you may need to change it in these other places (or it may already be changed there)
Make sure your hostname is defined in /etc/sysconfig/network

HOSTNAME=server.fqdn.com

Also for the network config, put your FQDN in the hosts file @ /etc/hosts

127.0.0.1   server.fqdn.com
::1   server.fqdn.com
OR
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
ip.address	fqdn.hostname

check and change DNS servers

~$ sudo vi /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

Install epel repo

~$ yum install epel-release

Add & configure LDAP authentication for SSH

references

https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-sssd-ldap.html
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=66854729 https://www.jethrocarr.com/2010/11/17/automatically-creating-home-directories-at-login-time/

Install SSSD

~$ sudo yum install sssd sssd-client

Configure SSSD

You can opt to manually edit the configuration file, like is seen in this link.
Or you can use authconfig to configure it for you, like so:

authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=<ldap_host> --enableldaptls --ldapbasedn=dc=my-company,dc=my-org --enableshadow --enablerfc2307bis --enablemkhomedir --enablecachecreds --update

You may need to start or restart the service

~$ sudo service sssd restart

Home Directories

Make sure you use the switch --enablemkhomedir when you use authconfig if you want users to have their own home directory.

Sudo access

If you want users to have sudo access, providing you already have a group in your LDAP, you can the group to your sudoers file.
Check to see if sssd has imported the groups from your ldap:

~$ getent group

Once you see the group name with the users you want to add, just edit the sudoers file

~$ visudo

Make sure you add it like so:

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
%new_sudoer_group ALL = (ALL) ALL

Add Service to auto start on boot

list current state

~$ sudo chkconfig --list <service name; ie. mysqld>

set service to start on boot

~$ sudo chkconfig --level 345 <service name; ie. mysqld> on

Common packages to install on fresh (minimal) install

~$ sudo yum install telnet net-tools vim tcpdump bind-utils redhat-lsb-core wget nfs-utils policycoreutils-python setroubleshoot setools-y

telnet

standard telnet package

net-tools

contains obsolete networking applications such as ifconfig

vim

advanced text editor

tcpdump

packet capture utility

bind-utils

contains dns focused applications such as dig

redhat-lsb-core

provides LSB commands, such as lsb_release -a which gives you specific system information and build details.

wget

application to access and download internet content, such as http/https

nfs-utils

utilities for setting up, configuring, and managing nfs shares on linux

policycoreutils-python

contains selinux management utilities such as semanage

setroubleshoot

has selinux troubleshooting tools, like sealert

setools

policy analysis tool for selinux, such as seinfo

bash for loop examples

Get a list of file names with the full path, then for each, print the filename and path and then search for a string, printing any matching lines.

~$ for i in $(find / -name "*.ldif"); do echo $i && grep localdomain $i; done
/etc/openldap/slapd.d/cn=config.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
olcSuffix: dc=localhost,dc=localdomain
olcRootDN: cn=ldapadmin,dc=localhost,dc=localdomain
/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
 nal,cn=auth" read  by dn.base="cn=ldapadmin,dc=localhost,dc=localdomain" read  by * n
/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={10}ppolicy.ldif

Add NFS mount and share to clients

Done on CentOS Linux release 7.5.1804 (Core)

Server side

From the server side we need to do the following:

~$ sudo yum install nfs-utils
~$ systemctl enable nfs
~$ systemctl start nfs.service

Make the NFS share and assign permissions in /etc/exports

~$ sudo mkdir /nfsshare
$ sudo vim /etc/exports
/nfsshare ansible2.r00tedvw.local(ro,sync,no_root_squash)
/nfsshare ansible3.r00tedvw.local(ro,sync,no_root_squash)

Add the needed firewalld rules

~$ sudo firewall-cmd --permanent --add-service=nfs
~$ sudo firewall-cmd --permanent --add-service=mountd
~$ sudo firewall-cmd --permanent --add-service=rpc-bind
~$ sudo firewall-cmd --reload

NFS options

Some other options we can use in “/etc/exports” file for file sharing is as follows.

ro: With the help of this option we can provide read only access to the shared files i.e client will only be able to read.
rw: This option allows the client server to both read and write access within the shared directory.
sync: Sync confirms requests to the shared directory only once the changes have been committed.
no_subtree_check: This option prevents the subtree checking. When a shared directory is the subdirectory of a larger file system, nfs performs scans of every directory above it, in order to verify its permissions and details. Disabling the subtree check may increase the reliability of NFS, but reduce security.
no_root_squash: This phrase allows root to connect to the designated directory, but also leaves a security vulnerability.
root_squash: This phrase allows files created on a mount from a client to be setup with nobody permissions.

Client Side

~$ sudo yum install nfs-utils
~$ systemctl start nfs.service

check to make sure you can hit the NFS share and pull info

~$ showmount -e ansible1.r00tedvw.local
Export list for ansible1.r00tedvw.local:
/nfsshare ansible3.r00tedvw.local,ansible2.r00tedvw.local

check a couple of other ways:

~$ nfsstat -m
/mnt/nfsshare from ansible1.r00tedvw.local:/nfsshare
 Flags:	rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.3.4,local_lock=none,addr=10.0.3.6

~$ mount -v
...
ansible1.r00tedvw.local:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.3.4,local_lock=none,addr=10.0.3.6)

temporary mount

Add the mount dir and map it.

~$ sudo mkdir /mnt/nfsshare
~$ sudo mount -t nfs ansible1.r00tedvw.local:/nfsshare /mnt/nfsshare

permanent map

add the mount to /etc/fstab

~$ sudo -s
~$ echo "ansible1.r00tedvw.local:/nfsshare /mnt/nfsshare  nfs defaults 0 0" >> /etc/fstab

Setup NTP server

very simple to configure a ntp client to maintain date/time on the server.

~$ sudo yum install -y ntp
~$ echo '*/5 * * * * root /usr/sbin/ntpd -q -u ntp:ntp' > /etc/cron.d/ntpd

The default ntp servers, like 0.centos.pool.ntp.org, do not work. So let's change them to something more reliable.

~$ sudo vim /etc/ntpd.conf
...
server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst

~$ sudo systemctl restart ntpd

With the ntpd service restarted, it should automatically sync with your NTP servers. If not, you can check it manually:

~$ ntpdate -q time1.google.com
server 216.239.35.0, stratum 1, offset 0.009567, delay 0.05885
 2 Jan 15:51:04 ntpdate[5561]: adjust time server 216.239.35.0 offset 0.009567 sec