RHEL 7 Extras
Introduction of Docker
Docker is an open source project that automates the deployment of applications inside Linux Containers, and provides the capability to package an application with its runtime dependencies into a container.

Device Hotplug Removed
While RHEL 5/6 has device hotplug support (a udev rule that runs the ifup script for newly created devices), it has been disabled in RHEL 7 because it can result in race conditions when initializing newly found devices.

No 32-bit ISO Image
There is no 32-bit ISO for download. Red Hat Enterprise Linux 7 will only provide 64-bit ISOs, thus allowing only a 64-bit operating environment. RHEL 7 will not natively support 32-bit hardware.

MemAvailable Added to meminfo
A new entry in the /proc/meminfo file has been introduced to provide the MemAvailable field. MemAvailable provides an estimate of how much memory is available for starting new applications without swapping. Unlike the data provided by the Cache or Free fields, MemAvailable takes into account the page cache and also that not all reclaimable memory slabs will be reclaimable because items are in use.

New Ruby and Python Versions
Red Hat Enterprise Linux 7 provides the latest Ruby version, 2.0.0, and Python 2.7.5.

OpenJDK7 Made Default
Red Hat Enterprise Linux 7 features OpenJDK7 as the default Java Development Kit (JDK) and Java 7 as the default Java version.

More Powerful NetworkManager
NetworkManager has been significantly enhanced to configure and monitor all the networking features for enterprise class servers and for desktop applications.

For the enterprise data centers, NetworkManager can be used for tasks such as basic networking configuration, network teaming, configuring virtual LANs, bridges, bonds, IPv6, VPNs, assigning interfaces to firewall zones, and others. For desktop servers it can manage wired and wireless networks and VPNs.

Support for 40 Gigabit NICs
Red Hat Enterprise Linux 7 supports 40 Gigabit network interface controllers (NICs) from multiple hardware partners. This provides support for 40 Gigabit Ethernet link speeds, enabling faster network communication for applications and systems. Note that the ethtool utility will report interface link speeds up to 40Gb data rates.

No RHN Classic
RHN Classic is not supported in RHEL 7. Older versions supported a different subscription management method; Red Hat Subscription Management is the only one used by RHEL 7.

OpenSSH – Multiple Required Authentications
Red Hat Enterprise Linux 7 supports multiple required authentications in SSH protocol version 2 using the AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete.

Minimum Disk Space for Installation of RHEL 7
Red Hat Enterprise Linux 7 now requires at least 1 GB of disk space to install. However, Red Hat recommends a minimum of 5 GB of disk space for all supported architectures.

Implementation of tmpfs file system
Red Hat Enterprise Linux 7 offers the ability to use /tmp as a mount point for a temporary file storage system (tmpfs).

When enabled, this temporary storage appears as a mounted file system, but stores its content in volatile memory instead of on a persistent storage device. No files in /tmp are stored on the hard drive except when memory is low, in which case swap space is used. This means that the contents of /tmp are not persisted across a reboot.

New Logging Framework
Red Hat Enterprise Linux 7 introduces a new logging daemon, journald, as part of the move to systemd.

journald captures the following types of messages for all services:

– syslog messages
– kernel messages
– initial RAM disk and early boot messages
– messages sent to standard output and standard error output.

Changes to mount options
Unlike ext3 and ext4, the XFS file system enables the user_xattr and acl mount options by default. Ext3 and ext4 file systems do not enable these attributes by default.

RHEL 7 and RHEL 6 differences

Each feature is listed with its RHEL 7 value first and its RHEL 6 value second.

Default File System
  RHEL 7: XFS
  RHEL 6: EXT4

Kernel Version
  RHEL 7: 3.10.x-x kernel
  RHEL 6: 2.6.x-x kernel

Kernel Code Name
  RHEL 7: Maipo
  RHEL 6: Santiago

General Availability Date of First Major Release
  RHEL 7: 2014-06-09 (Kernel Version 3.10.0-123)
  RHEL 6: 2010-11-09 (Kernel Version 2.6.32-71)

First Process
  RHEL 7: systemd (process ID 1)
  RHEL 6: init (process ID 1)

Runlevel
  RHEL 7: runlevels are called "targets", mapped as shown below:

    runlevel0.target -> poweroff.target
    runlevel1.target -> rescue.target
    runlevel2.target -> multi-user.target
    runlevel3.target -> multi-user.target
    runlevel4.target -> multi-user.target
    runlevel5.target -> graphical.target
    runlevel6.target -> reboot.target

    The default target is /etc/systemd/system/default.target (by default linked to multi-user.target).

  RHEL 6: traditional runlevels are defined:

    runlevel 0
    runlevel 1
    runlevel 2
    runlevel 3
    runlevel 4
    runlevel 5
    runlevel 6

    The default runlevel is defined in the /etc/inittab file.

Host Name Change
  RHEL 7: as part of the move to the new init system (systemd), the hostname variable is defined in /etc/hostname.
  RHEL 6: the hostname variable was defined in the /etc/sysconfig/network configuration file.

Change In UID Allocation
  RHEL 7: by default, any new users created get UIDs assigned starting from 1000. This can be changed in /etc/login.defs if required.
  RHEL 6: the default UIDs assigned to users start from 500. This can be changed in /etc/login.defs if required.

Max Supported File Size
  RHEL 7 (XFS): maximum (individual) file size = 500TB; maximum filesystem size = 500TB. (This maximum file size applies only to 64-bit machines. Red Hat Enterprise Linux does not support XFS on 32-bit machines.)
  RHEL 6 (ext4): maximum (individual) file size = 16TB; maximum filesystem size = 16TB. (This maximum file size is based on a 64-bit machine. On a 32-bit machine, the maximum file size is 8TB.)

File System Check
  RHEL 7: "xfs_repair". XFS does not run a file system check at boot time.
  RHEL 6: "e2fsck". The file system check gets executed at boot time.

Differences Between xfs_repair & e2fsck
  RHEL 7, "xfs_repair":
    – Inode and inode blockmap (addressing) checks.
    – Inode allocation map checks.
    – Inode size checks.
    – Directory checks.
    – Pathname checks.
    – Link count checks.
    – Freemap checks.
    – Super block checks.
  RHEL 6, "e2fsck":
    – Inode, block, and size checks.
    – Directory structure checks.
    – Directory connectivity checks.
    – Reference count checks.
    – Group summary info checks.

Difference Between xfs_growfs & resize2fs
  RHEL 7: "xfs_growfs" takes the mount point as its argument.
  RHEL 6: "resize2fs" takes the logical volume name as its argument.

Change In File System Structure
  RHEL 7: /bin, /sbin, /lib, and /lib64 are now nested under /usr.
  RHEL 6: /bin, /sbin, /lib, and /lib64 are usually directly under /.

Boot Loader
  RHEL 7: GRUB 2. Supports GPT and additional firmware types, including BIOS, EFI and OpenFirmware. Ability to boot from various file systems (xfs, ext4, ntfs, hfs+, raid, etc.).
  RHEL 6: GRUB 0.97

KDUMP
  RHEL 7: supports kdump on large-memory systems up to 3 TB.
  RHEL 6: kdump doesn't work properly on systems with large amounts of RAM.

System & Service Manager
  RHEL 7: "systemd". systemd is a system and service manager for Linux, and replaces SysV and Upstart used in previous releases of Red Hat Enterprise Linux. systemd is compatible with SysV and Linux Standard Base init scripts.
  RHEL 6: Upstart

Enable/Start Service
  RHEL 7: the systemctl command replaces service and chkconfig.
    – Start service: "systemctl start nfs-server.service".
    – Enable service: to enable the service (example: nfs service) to start automatically on boot: "systemctl enable nfs-server.service".
    Although one can still use the service and chkconfig commands to start/stop and enable/disable services, respectively, they are not 100% compatible with the RHEL 7 systemctl command (according to Red Hat).
  RHEL 6: using the "service" and "chkconfig" commands.
    – Start service: "service nfs start" OR "/etc/init.d/nfs start"
    – Enable service: to start in specific runlevels: "chkconfig --level 35 nfs on"

Default Firewall
  RHEL 7: "firewalld (dynamic firewall)". The built-in configuration is located under the /usr/lib/firewalld directory. The configuration that you can customize is under the /etc/firewalld directory. It is not possible to use firewalld and iptables at the same time, but it is still possible to disable firewalld and use iptables as before.
  RHEL 6: iptables

Network Bonding
  RHEL 7: "Team Driver"
    – /etc/sysconfig/network-scripts/ifcfg-team0
    – DEVICE="team0"
    – DEVICETYPE="Team"
  RHEL 6: "Bonding"
    – /etc/sysconfig/network-scripts/ifcfg-bond0
    – DEVICE="bond0"

Network Time Synchronization
  RHEL 7: using the Chrony suite (faster time sync compared with ntpd)
  RHEL 6: using ntpd

NFS
  RHEL 7: NFSv4.1. NFSv2 is no longer supported. Red Hat Enterprise Linux 7 supports NFSv3, NFSv4.0, and NFSv4.1 clients.
  RHEL 6: NFSv4

Cluster Resource Manager
  RHEL 7: Pacemaker
  RHEL 6: Rgmanager

Load Balancer Technology
  RHEL 7: Keepalived and HAProxy
  RHEL 6: Piranha

Desktop/GUI Interface
  RHEL 7: GNOME3 and KDE 4.10
  RHEL 6: GNOME2

Default Database
  RHEL 7: MariaDB is the default implementation of MySQL in Red Hat Enterprise Linux 7
  RHEL 6: MySQL

Managing Temporary Files
  RHEL 7: systemd-tmpfiles (a more structured and configurable method to manage tmp files and directories)
  RHEL 6: using "tmpwatch"

CentOS 7 / RHEL firewalld settings

CentOS 7 has adopted firewalld by default over the previous iptables, which requires some new steps to configure your firewall:

# new CentOS/RHEL 7 firewall:
(see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html )

# create a new service, e.g. for webmin:

$ cat /etc/firewalld/services/webmin.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Webmin</short>
  <description>Server admin service. Restrict access and do not leave running.</description>
  <!-- Webmin's default listening port; change it if your installation uses another -->
  <port protocol="tcp" port="10000"/>
</service>

# add the service to a zone:

$ nano /etc/firewalld/zones/public.xml
# OR
$ firewall-cmd --permanent --zone=public --add-service=webmin

# reload to apply the permanent change:

$ firewall-cmd --reload

# check:
$ firewall-cmd --zone=public --list-all

## apache / httpd:
$ firewall-cmd --permanent --add-service=http
$ firewall-cmd --permanent --add-service=https
$ systemctl restart firewalld

Convert a PFX to separate .key/.crt files

So after you have installed OpenSSL you can start it from its Bin folder. I like to put OpenSSL\Bin in my path so I can start it from any folder. Fire up a command prompt and cd to the folder that contains your .pfx file. First type the following command to extract the private key:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

What this command does is extract the private key from the .pfx file. Once entered you need to type in the import password of the .pfx file. This is the password that you used to protect your keypair when you created your .pfx file. If you cannot remember it any more you can just throw your .pfx file away, because you won't be able to import it again, anywhere. Once you have entered the import password, OpenSSL asks you to type in another password, twice. This new password will protect your .key file.

Now let's extract the certificate:

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

Just press enter and your certificate appears.

Now as I mentioned in the intro of this article you sometimes need to have an unencrypted .key file to import on some devices. I probably don't need to mention that you should be careful. If you store your unencrypted keypair somewhere in an unsafe location anyone can have a go with it and impersonate, for instance, a website or a person of your company. So always be extra careful when it comes to private keys! Just throw the unencrypted keyfile away when you're done with it, keeping just the encrypted one.

The command:

openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]

Again you need to enter a password. This time you need to enter the new password that you created in step 1. After that you're done. You decrypted your private key. In the folder you ran OpenSSL from you'll find the certificate (.crt) and the two private keys (encrypted and unencrypted).

Update 07-07-2014:

In some cases you might be forced to convert your private key to PEM format. You can do so with the following command:

openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]

Additionally, the same steps in compact form. To extract the certificate and an unencrypted key directly (-nodes skips the key encryption):

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key

Or to keep an encrypted copy of the key and decrypt it in a separate step (no -nodes on the key extraction, otherwise domain_encrypted.key would not be encrypted at all):

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key

OpenSSL command reference

General OpenSSL commands
Commands to generate CSRs, certificates, private keys and other tasks.

Generate a new private key and matching certificate signing request (Unix)

openssl req -out CSR.csr -pubkey -new -keyout privateKey.key
Generate a new private key and matching certificate signing request (Windows)

openssl req -out CSR.csr -pubkey -new -keyout privateKey.key -config .shareopenssl.cmf
Generate a certificate signing request for an existing private key

openssl req -out CSR.csr -key privateKey.key -new
Generate a certificate signing request based on an existing x509 certificate

openssl x509 -x509toreq -in MYCRT.crt -out CSR.csr -signkey privateKey.key
Generate a self-signed certificate with a new, unencrypted private key (valid for 365 days)

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem
Checking commands
Check a certificate signing request

openssl req -text -noout -verify -in CSR.csr
Check a private key

openssl rsa -in privateKey.key -check
Check a certificate

openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 keystore

openssl pkcs12 -info -in keyStore.p12
Debugging commands
Commands to debug an SSL connection

Check the MD5 hash of the public key

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
Check an SSL connection. All certificates (including intermediates) should be shown. -connect takes host:port, without a URL scheme:

openssl s_client -connect www.paypal.com:443
Converting commands
Use the following commands to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file for use with Tomcat or IIS.

Convert DER (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.der -out certificate.pem
Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PKCS#12 (.pfx .p12) to PEM containing both private key and certificates

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
add -nocerts for private key only; add -nokeys for certificates only
Convert (add) a separate key and certificate to a new keystore of type PKCS#12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
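As an added example (not part of the original page), the following POSIX shell script ties the PFX conversion described earlier to the modulus check from this reference. It builds a throwaway key, self-signed certificate and PFX bundle in a scratch directory (constructed test material, not real keys), extracts the certificate and key back out with the same pkcs12 invocations, confirms that the extracted key belongs to the extracted certificate by comparing modulus hashes, and checks that the unencrypted key file is readable by its owner only. The function names, the example.test subject and the scratch file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: PKCS#12 round trip with a key/certificate match check.
# Everything is generated locally in a scratch directory; no real keys involved.
set -eu

# Create a scratch key, self-signed cert and PFX bundle. Arguments: workdir, PFX password.
make_bundle() {
  dir=$1; pass=$2
  umask 077   # private key material is created readable by the owner only
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj '/CN=example.test' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -out "$dir/bundle.pfx" -inkey "$dir/key.pem" \
    -in "$dir/cert.pem" -passout "pass:$pass"
}

# Extract the certificate and the (unencrypted) key from the PFX into workdir,
# using the same two pkcs12 invocations as the conversion recipe above.
extract_bundle() {
  dir=$1; pass=$2
  umask 077
  openssl pkcs12 -in "$dir/bundle.pfx" -clcerts -nokeys -passin "pass:$pass" \
    -out "$dir/out.crt"
  openssl pkcs12 -in "$dir/bundle.pfx" -nocerts -nodes -passin "pass:$pass" \
    -out "$dir/out.key"
}

# MD5 of the RSA modulus of a certificate or a private key, so the two can be compared.
modulus_md5() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    openssl x509 -noout -modulus -in "$1"
  else
    openssl rsa -noout -modulus -in "$1"
  fi | openssl md5 | awk '{print $NF}'
}

# Returns 0 when the key (first argument) matches the certificate (second argument).
key_matches_cert() {
  [ "$(modulus_md5 "$1")" = "$(modulus_md5 "$2")" ]
}

# Returns 0 when a file is readable by its owner only (mode 0600 or 0400).
owner_only() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Standalone usage: ./pfx_roundtrip.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_bundle "$d" demo-pass
  extract_bundle "$d" demo-pass
  key_matches_cert "$d/out.key" "$d/out.crt" && echo "extracted key matches extracted certificate"
  rm -rf "$d"
fi
```

The modulus comparison is the same check the reference lists under "Check the MD5 hash of the public key"; here it is wrapped so the result is a return code rather than two hashes to eyeball.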

Configuring automatic startup of Oracle Database under systemd on RHEL 7/OEL 7/CentOS 7

There are several ways to start Oracle Database automatically during/after OS boot. You can use Oracle CRS, other clusterware, or the init system implemented in Linux. Starting with RHEL 7, SysV init has been replaced by systemd; simply said, systemd is the new init system.

These days not only the Linux user community but the whole Linux world has become polarized. Mostly Red Hat based distributions have adopted systemd; other distributions are reluctant to implement systemd and either continue to use SysV init or have migrated to other solutions, e.g. Upstart. Despite this, most of the Oracle certified Linux distributions (such as Red Hat or SuSE and their, even non-certified, clones) are using systemd.

This post briefly shows how to configure a systemd service for automatic start of Oracle Databases and the Listener. These steps are applicable to Red Hat Enterprise Linux 7, Oracle Enterprise Linux 7, CentOS 7, SuSE Linux Enterprise Server 12 and Fedora 15 (or later).

Typically a systemd startup configuration consists of two parts:

unit file – using the ".service" suffix (in the case of a service), typically stored in the /usr/lib/systemd/system or /etc/systemd/system directory for units provided by installed packages, or the /usr/lib/systemd/user or /etc/systemd/user directory for units installed by the administrator
environment file (optional) – typically stored in the /etc/sysconfig directory on RHEL and its clones. We don't need it in our case.

Creating the unit for automatic startup/shutdown of Oracle Database manually

Log on as the root user, create and edit /etc/systemd/system/oracle-rdbms.service and add the following content:

# /etc/systemd/system/oracle-rdbms.service
# Invoking Oracle scripts to start/shutdown Instances defined in /etc/oratab
# and starts Listener

[Unit]
Description=Oracle Database(s) and Listener
Requires=network.target

[Service]
Type=forking
Restart=no
ExecStart=/opt/oracle/12102/bin/dbstart /opt/oracle/12102
ExecStop=/opt/oracle/12102/bin/dbshut /opt/oracle/12102
User=oracle

[Install]
WantedBy=multi-user.target
Note that this configuration assumes that our ORACLE_HOME is /opt/oracle/12102. It's recommended to use PIDFile with the "forking" type, but we don't need it here. As you can see, the well known scripts shipped with Oracle Database are executed for startup/shutdown, with the path to the Oracle Home passed as an argument in order to specify the Oracle Home for the Listener process. As shown, these scripts are executed under the "oracle" user account/privileges. Moreover, the service can be started once the network is configured (started), and it starts in the multi-user target (more or less the equivalent of runlevel 3 in SysV init).

Now we have to reload systemd in order to register unit file (as root) and enable the service.

systemctl daemon-reload
systemctl enable oracle-rdbms

So, now the startup service should be created and enabled, but to be sure we can check it with the following command (Note: the first line is the OS command, the other lines are the output):

systemctl status oracle-rdbms
oracle-rdbms.service – Oracle Database(s) and Listener
Loaded: loaded (/etc/systemd/system/oracle-rdbms.service; enabled)
According to the output our service is enabled successfully and should be started on the next OS boot. To start the service without rebooting the machine you can use the following command:

systemctl start oracle-rdbms
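As an added example (not part of the original post), here is a small pre-flight check a reviewer would run over a unit file like the oracle-rdbms.service above before enabling it. It reports the points the text itself raises or implies: Requires= without a matching After= (Requires pulls the dependency in but does not order startup after it), Type=forking without PIDFile= (the post notes PIDFile is recommended), a missing User= (the scripts would otherwise run as root), and ExecStart/ExecStop binaries that do not exist on the host. The function names and the constructed unit files used to exercise it are this example's own.

```shell
#!/bin/sh
# Added example: lint a systemd service unit for the common mistakes named above.
# Usage: lint_unit /etc/systemd/system/oracle-rdbms.service
set -u

# Print the value of a key inside a given [Section] of a unit file (first match).
unit_get() {   # arguments: file section key
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
  ' "$1"
}

# Print one finding per line; return 0 when there are none, 1 otherwise.
lint_unit() {
  f=$1; rc=0
  req=$(unit_get "$f" Unit Requires)
  aft=$(unit_get "$f" Unit After)
  # Every Requires= dependency should also appear in After=, or start order is not guaranteed.
  for dep in $req; do
    case " $aft " in
      *" $dep "*) ;;
      *) echo "Requires=$dep has no After=$dep: start order is not guaranteed"; rc=1 ;;
    esac
  done
  # A forking service without PIDFile leaves systemd guessing the main process.
  if [ "$(unit_get "$f" Service Type)" = "forking" ] && [ -z "$(unit_get "$f" Service PIDFile)" ]; then
    echo "Type=forking without PIDFile=: systemd must guess the main process"; rc=1
  fi
  # Without User= the Exec lines run as root.
  [ -n "$(unit_get "$f" Service User)" ] || { echo "User= not set: ExecStart would run as root"; rc=1; }
  # The first word of each Exec line must be an executable present on this host.
  for key in ExecStart ExecStop; do
    cmd=$(unit_get "$f" Service "$key")
    [ -z "$cmd" ] && continue
    bin=${cmd%% *}
    [ -x "$bin" ] || { echo "$key: $bin is not an executable file"; rc=1; }
  done
  return $rc
}

# Standalone usage: lint the unit named on the command line.
if [ -n "${1:-}" ]; then
  lint_unit "$1" && echo "no findings for $1"
fi
```

Run it before `systemctl daemon-reload`; for the unit shown in the post it reports the missing After=network.target and the missing PIDFile, both of which the author chose to accept.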

Creating the unit for automatic startup/shutdown of Oracle Database using script

I have created a simple script which automatically performs the above tasks for creating and enabling the startup service. This script contains simple checks (as I've tried to make the script bulletproof), then lists the available Oracle homes that exist on the OS and asks you to specify the Oracle home from which the Listener will be started. Note that it's important to specify the Oracle home for the highest version of Oracle software, as the Listener will be handling connections for all Oracle homes.

#!/usr/bin/bash

# This script configures a systemd startup service for Oracle Databases and Listener
# Ivan Kartik http://ivan.kartik.sk

if [ "$(whoami)" != "root" ]; then
  echo "root login required!"
  exit 1
fi

if [ "$(uname -s)" != "Linux" ]; then
  echo "This is not Linux!"
  exit 1
fi

# Ask the kernel what PID 1 is instead of parsing the ps listing by field position
if [ "$(ps -p 1 -o comm=)" != "systemd" ]; then
  echo "Systemd is not present, use Init scripts instead!"
  exit 1
fi

echo "List of existing Oracle Homes:"
echo "------------------------------"
# Read the central inventory location from oraInst.loc and list the registered homes
INVENTORY=$(grep inventory_loc /etc/oraInst.loc | cut -d '=' -f2)
grep "HOME NAME" "$INVENTORY/ContentsXML/inventory.xml" | cut -d '"' -f 4
echo

echo "Enter ORACLE_HOME of Oracle Listener [$ORACLE_HOME]:"
read NEWHOME

case "$NEWHOME" in
  "") ORAHOME="$ORACLE_HOME" ;;
  *)  ORAHOME="$NEWHOME" ;;
esac

if [ -z "$ORAHOME" ]; then
  echo "Error: Missing value!"
  exit 1
fi

if [ -f "$ORAHOME/bin/lsnrctl" ]; then
  # Write the unit file; $ORAHOME is expanded inside the here-document
  cat > /etc/systemd/system/oracle-rdbms.service <<EOF
# /etc/systemd/system/oracle-rdbms.service
# Ivan Kartik http://ivan.kartik.sk
# Invoking Oracle scripts to start/shutdown Instances defined in /etc/oratab
# and starts Listener

[Unit]
Description=Oracle Database(s) and Listener
Requires=network.target

[Service]
Type=forking
Restart=no
ExecStart=$ORAHOME/bin/dbstart $ORAHOME
ExecStop=$ORAHOME/bin/dbshut $ORAHOME
User=oracle

[Install]
WantedBy=multi-user.target
EOF

  systemctl daemon-reload
  systemctl enable oracle-rdbms
  echo "Done! Service oracle-rdbms has been configured and will be started during next boot."
  echo "If you want to start service now, execute: systemctl start oracle-rdbms"
else
  echo "Error: No Listener script under specified ORACLE_HOME: $ORAHOME"
  exit 1
fi

You either can copy/paste this code or download here: http://ivan.kartik.sk/scripts/oracle_systemd_service.sh

Final check of the service and the started databases (Note: the output from systemctl status has been shortened):

# cat /etc/oratab | grep :Y
ORA12CR1:/opt/oracle/12102:Y
ORA11GR2:/opt/oracle/11204:Y

# systemctl status oracle-rdbms
oracle-rdbms.service – Oracle Database(s) and Listener
Loaded: loaded (/etc/systemd/system/oracle-rdbms.service; enabled)
Active: active (running) since Mon 2015-11-15 14:51:13 CET; 54s ago
Process: 425 ExecStart=/opt/oracle/12102/bin/dbstart /opt/oracle/12102 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/oracle-rdbms.service
├─ 452 /opt/oracle/12102/bin/tnslsnr LISTENER -inherit
├─1155 ora_pmon_ORA12CR1
├─1171 ora_vktm_ORA12CR1
├─1177 ora_gen0_ORA12CR1
├─1181 ora_mman_ORA12CR1
├─1183 ora_diag_ORA12CR1
├─1185 ora_dbrm_ORA12CR1
├─1195 ora_ckpt_ORA12CR1
├─1197 ora_smon_ORA12CR1
├─1199 ora_reco_ORA12CR1
├─1201 ora_lreg_ORA12CR1
├─1289 ora_mman_ORA11GR2
.....
├─1291 ora_dbw0_ORA11GR2
├─1293 ora_lgwr_ORA11GR2
├─1295 ora_ckpt_ORA11GR2
├─1297 ora_smon_ORA11GR2
├─1299 ora_reco_ORA11GR2
├─1301 ora_mmon_ORA11GR2
├─1303 ora_mmnl_ORA11GR2
├─1350 ora_qmnc_ORA11GR2
└─1450 ora_q001_ORA11GR2

Nov 15 14:50:57 oel01 dbstart[425]: Processing Database instance "ORA12CR1": log file /opt/oracle/12102/startup.log
Nov 15 14:51:07 oel01 dbstart[425]: Processing Database instance "ORA11GR2": log file /opt/oracle/11204/startup.log
Nov 15 14:51:13 oel01 systemd[1]: Started Oracle Database(s) and Listener.

For a little comparison of the different commands and usage of SysV init and systemd, here is a very nice cheat sheet created by the folks at Linoxide.com; it is downloadable.

IPMI

IPMI (Intelligent Platform Management Interface) is a remote hardware health monitoring and management system that defines interfaces for use in monitoring the physical health of servers.

IPMI provides a way to monitor and manage a server system that may be powered off or unresponsive, by using a network connection to the hardware rather than to an OS.

IPMI functions independently of the OS to allow system admins to manage a system remotely in the absence of an operating system. IPMI can work in any of three situations:
Situation 1 : Your remote server is down, the Operating System is not booting up and you need to check what happened remotely and you need to start the machine, again remotely (without accessing the physical hardware).

Situation 2 : You are on a weekend holiday and you received email that one node in cluster is not responding. You need to find what happened and might need to fence (or reboot) the machine, remotely.

Situation 3 : You need a detailed report on server health.

The primary IPMI features include:

Monitoring (supervision of the hardware)
Recovery Control (Recover/Restart the server)
Logging (protocol “out-of-range” states for the hardware)
Inventory (list of hardware inventory)
IPMI provides these four functions independently from the server’s CPU, BIOS and operating system. The platform management features are also available when the server has been shutdown (as long as at least one server power supply has power).

dynamic date value in shell scripts

Using a variable – easier to read in scripts:
NOW=$(date +"%Y%m%d%H%M%S")
echo "bar" > "$NOW"foobar.txt

One-line, equivalent to the above:
echo "bar" > $(date +"%Y%m%d%H%M%S")foobar.txt

Alternate single-line format:
echo "bar" >> $(date "+myfile%Y%m%d.txt")

See man strftime for the formatting values.

CentOS 7 + SELinux + PHP + Apache – cannot write/access file

Amazon EC2 instance running CentOS 7. The Apache logs kept saying that it couldn't write to a file due to permissions, while the file permissions were properly set up; it turned out to be SELinux in action.

Problem 1: Can’t serve files on a custom directory

The first problem I encountered is that I tried to set up the application inside /data/www/html/sites/mysite. When viewed in the browser, it says 403 Forbidden and the error log says:

(13)Permission denied: [client 121.54.44.93:23180] AH00529: /data/www/html/sites/mysite/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/data/www/html/sites/mysite/' is executable

The directory structure has proper ownership and permissions, e.g. the directory is owned by apache:apache, file permissions are 0644 and directory permissions are 0755. It doesn't make sense at all. I noticed though that the default document root has no problem serving the PHP file, so I decided to serve it off the /var/www/html/mysite directory, which is the default document root.

Problem 2: Can’t write to file

Moving to the default document root directory did the trick and I was able to run the application, but with errors. The error says it can't write to a file although, again, proper permissions are already set on the directory. Below is the error (it is a custom error log, but if writing to a log file doesn't work, imagine how your upload functionality would work):

PHP Warning: fopen(/var/www/html/mysite/application/config/../../logs/web/20150708.ALL.log): failed to open stream: Permission denied in /var/www/html/mysite/application/core/App_Exceptions.php
Surprise! SELinux is here!

After realizing that it was SELinux that had been messing with me for the past 2 hours, I was thinking of ditching CentOS and going with the recommended Ubuntu instead. But then my instinct told me that if SELinux is blocking the read/write operations, it must be doing it for a good reason, and that reason is security. I realized that you need to specify which files/directories Apache can serve files from and which files/directories it can write into.

SELinux has rules/policies that apply to files/directories on top of the Unix file permission structure. When I ran the command below on the default document root, I saw more information on the file/directory permissions (the -Z flag shows the SELinux context):

ls -Z /var/www/html/mysite

Below is the output (some information removed):

drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 application
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php

And below is what I got for other normal directories:

drwxr-xr-x. apache apache unconfined_u:object_r:default_t:s0 www

Therefore, we can conclude that we need to set the proper SELinux context on directories in order to serve files from a custom directory, and a different SELinux context to allow writing to files. With that, we can solve the original problem.

Fixing the original problem

So we want to serve our files from /data/www/html/sites/mysite and enable writing to log files and file uploads as well? Let's play nice with SELinux.

First, copy the files as usual to /data/www/html/sites/mysite, then set the proper ownership and permissions.

# Ownership
sudo chown apache:apache -R /data/www/html/sites/mysite
cd /data/www/html/sites/mysite

# File permissions, recursive
find . -type f -exec chmod 0644 {} \;

# Dir permissions, recursive
find . -type d -exec chmod 0755 {} \;

# SELinux: let Apache serve these files, recursive
sudo chcon -t httpd_sys_content_t /data/www/html/sites/mysite -R

# Allow write only to specific dirs
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite/logs -R
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite/uploads -R

httpd_sys_content_t allows Apache to serve these contents, and httpd_sys_rw_content_t allows Apache to write to those paths.

Fix stale NFS mounts on linux without rebooting

I have often noticed that some folks reboot systems to fix stale NFS mount problems which can be disruptive.

Fortunately, that often isn't necessary. All you have to do is restart the nfs and autofs services. However, that sometimes fails because user processes have files open on the stale partition or users are cd'ed to the stale partition.

Both conditions are easy to fix. The steps to fix stale mounts by addressing the previously described conditions are described below.

Step 1. Kill processes with open files on the partition

Use lsof to find the processes that have files open on the partition and then kill those processes using kill or pkill.

% # Find the jobs that are accessing the stale partition and kill them.
% kill -9 $(lsof |\
egrep '/stale/fs|/export/backup' |\
awk '{print $2;}' |\
sort -fu )

% # Restart the NFS and AUTOFS services
% service nfs stop
% service autofs stop
% service nfs start
% service autofs start

% # Check it
% ls /stale/fs

Typically this is sufficient but if it fails, you need to go to step 2.

Step 2. Kill processes that have cd'ed to the partition

Look at the current working directory of all of the users' processes. If any of them are on the partition, that process has to be killed.

% # List the users that are cd'ed to the stale partition and kill their jobs.
% # NOTE: change /stale/fs to the path to your stale partition.
% kill -9 $( for u in $( who | awk '{print $1;}' | sort -fu ) ; do \
pwdx $(pgrep -u $u) |\
grep '/stale/fs' |\
awk -F: '{print $1;}' ; \
done)

% # umount the stale partition
% umount -f /stale/fs

% # Restart the NFS and AUTOFS services
% service nfs stop
% service autofs stop
% service nfs start
% service autofs start

% # Check it
% ls /stale/fs

Step 3. Kill all of the users

If step 2 doesn't work then there is something strange going on, but killing all of the user processes will usually fix it. That is done as follows.

% # Kill all user processes.
% for u in $( who | awk '{print $1;}' | sort -fu ) ; do \
kill -9 $(pgrep -u $u) ; \
done

% # umount the stale partition
% umount -f /stale/fs

% # Restart the NFS and AUTOFS services
% service nfs stop
% service autofs stop
% service nfs start
% service autofs start

% # Check it
% ls /stale/fs

As you can see, it is basically the same as step 2 except that all user processes are killed.

If that doesn't work you need to resort to the nuclear option: rebooting.

Step 4. Reboot

This is the option of last resort but it should always work.

If you know of any other tips for fixing stale NFS mounts I would really like to hear about them.
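As an added example (not part of the original post), the following shell functions find the processes that pin a mount point, which is the information steps 1 and 2 above gather with lsof, who, pgrep and pwdx. They read the cwd and file-descriptor links under /proc directly (the kernel's own view, so it works for every user and needs no login session), anchor the match to the path so that /stale/fs does not also match /stale/fs2, and separate listing from killing: the kill step is a dry run unless explicitly confirmed, and sends TERM before KILL. The function names are this example's own; the test pins a constructed temporary directory rather than a real NFS mount.

```shell
#!/bin/sh
# Added example: list (and optionally terminate) processes pinning a mount point.
# Usage: release_mount /stale/fs        (dry run: list only)
#        release_mount /stale/fs yes    (send TERM, then KILL after a grace period)
set -u

# PIDs whose current working directory is the mount point or below it.
procs_with_cwd_under() {
  mnt=${1%/}
  for p in /proc/[0-9]*; do
    cwd=$(readlink "$p/cwd" 2>/dev/null) || continue   # unreadable: not ours to inspect
    case $cwd in
      "$mnt"|"$mnt"/*) echo "${p#/proc/}" ;;
    esac
  done
}

# PIDs holding at least one open file descriptor under the mount point.
procs_with_fd_under() {
  mnt=${1%/}
  for p in /proc/[0-9]*; do
    for fd in "$p"/fd/*; do
      t=$(readlink "$fd" 2>/dev/null) || continue
      case $t in
        "$mnt"|"$mnt"/*) echo "${p#/proc/}"; break ;;
      esac
    done
  done
}

# All PIDs pinning the mount, sorted and de-duplicated, never including this shell.
procs_pinning() {
  { procs_with_cwd_under "$1"; procs_with_fd_under "$1"; } | sort -nu | grep -vx "$$" || :
}

# Report the pinning processes; terminate them only when the second argument is "yes".
release_mount() {
  pids=$(procs_pinning "$1")
  if [ -z "$pids" ]; then
    echo "nothing pins $1"; return 0
  fi
  n=$(echo "$pids" | wc -l | tr -d ' ')
  echo "$n process(es) pin $1:" $pids
  if [ "${2:-}" != "yes" ]; then
    echo "dry run; pass yes as the second argument to terminate them"; return 0
  fi
  kill -TERM $pids 2>/dev/null || true   # polite request first
  sleep 2
  kill -KILL $pids 2>/dev/null || true   # then force whatever is still there
  return 0
}

# Standalone usage: release_mount <mountpoint> [yes]
if [ -n "${1:-}" ]; then
  release_mount "$1" "${2:-}"
fi
```

After the pinning processes are gone, the umount -f and the nfs/autofs restarts from step 2 apply unchanged; scanning every fd under /proc takes a few seconds on a busy host, which is acceptable for an interactive recovery step.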
