CentOS / RHEL 7 : How to Install GUI

On a fresh installation of RHEL 7, the GUI is not part of the default package selection.
If you do not click the "Software Selection" link during installation and pick "Server with GUI", only the "Base Environment" is installed and there is no GUI after reboot.

To enable GUI after system installation, you can use following method.

Installing the environment group “Server with GUI”

1. Check the available environment groups :

# yum grouplist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There is no installed groups file.
Maybe run: yum groups mark convert (see man yum)
Available Environment Groups:
Minimal Install
Infrastructure Server
File and Print Server
Basic Web Server
Virtualization Host
Server with GUI
Available Groups:
Compatibility Libraries
Console Internet Tools
Development Tools
Graphical Administration Tools
Legacy UNIX Compatibility
Scientific Support
Security Tools
Smart Card Support
System Administration Tools
System Management
2. Execute the following to install the environments for GUI.

# yum groupinstall "Server with GUI"
Transaction Summary
Install 199 Packages (+464 Dependent packages)
Upgrade ( 8 Dependent packages)

Total download size: 523 M
Is this ok [y/d/N]:
The above installs the GUI on RHEL 7, which by default is installed in text mode.

3. Enable the GUI on system start-up. In RHEL 7, systemd uses 'targets' instead of runlevels; the file /etc/inittab is no longer used to change run levels. Issue the following commands to enable the GUI on system start.

To set a default target :

# systemctl set-default graphical.target
To change the current target to graphical without reboot :

# systemctl start graphical.target
Verify the default target :

# systemctl get-default
4. Reboot the machine to verify that it boots into GUI directly.

# systemctl reboot
Installing core GNOME packages

"Server with GUI" installs the default GUI, which is GNOME. If you want to install only the core GNOME packages, use :

# yum groupinstall 'X Window System' 'GNOME'
Transaction Summary
Install 104 Packages (+427 Dependent packages)
Upgrade ( 8 Dependent packages)

Total download size: 318 M
Is this ok [y/d/N]:y

CentOS / RHEL 7 : How to extract initramfs image and edit/view it

In some cases you may want to extract the initramfs image file to check its built-in contents. This post provides steps to extract initramfs image files on RHEL 7. Unlike previous versions, on RHEL 7 using the cpio command on the initramfs image file will not extract all files (or will give an error). For example:

# ls -la /boot/initramfs-$(uname -r).img
-rw------- 1 root root 19602671 Feb 4 2016 /boot/initramfs-3.10.0-229.el7.x86_64.img
# file initramfs-3.10.0-229.el7.x86_64.img
initramfs-3.10.0-229.el7.x86_64.img: gzip compressed data, from Unix, last modified: Thu Feb 4 16:02:04 2016, max compression
# gzip -dc initramfs-3.10.0-229.el7.x86_64.img | cpio -id    # will not extract all files, or will give an error
To extract it on RHEL 7, use skipcpio. The RHEL 7 image begins with an uncompressed early cpio archive (CPU microcode) ahead of the gzip-compressed main archive, which is why plain gzip/cpio fails; skipcpio skips that first archive.
1. Copy the initramfs image file to a working directory.

# mkdir /tmp/initramfs
# cp /boot/initramfs-3.10.0-229.el7.x86_64.img /tmp/initramfs/
2. extract the contents using the /usr/lib/dracut/skipcpio command :

# cd /tmp/initramfs
# /usr/lib/dracut/skipcpio initramfs-3.10.0-229.el7.x86_64.img | zcat | cpio -ivd
where skipcpio is the built-in tool from dracut.

Listing the content of initramfs image

To only list the contents of an initramfs image file, you can run lsinitrd:

# lsinitrd /boot/initramfs-3.10.0-229.el7.x86_64.img | more
Image: /boot/initramfs-3.10.0-229.el7.x86_64.img: 19M
Version: dracut-033-359.el7

Arguments: -f

dracut modules:
drwxr-xr-x 12 root root 0 May 23 10:27 .
crw-r--r-- 1 root root 5, 1 May 23 10:27 dev/console
crw-r--r-- 1 root root 1, 11 May 23 10:27 dev/kmsg
crw-r--r-- 1 root root 1, 3 May 23 10:27 dev/null

CentOS / RHEL 7 : Beginners guide to systemd service units

Previous versions of Oracle Linux use init scripts located in the /etc/rc.d/init.d directory to start and stop services. In RHEL 7, these init scripts have been replaced with systemd service units. Service units have a .service extension. Use the systemctl command to list all loaded service units:

# systemctl list-units --type service --all
UNIT                 LOAD   ACTIVE SUB     DESCRIPTION
auditd.service       loaded active running Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
LOAD        - service load state
ACTIVE      - high-level unit activation state
SUB         - low-level unit activation state
DESCRIPTION - description of the service unit.

Omit the --all option to list only the active service units. Use the list-unit-files option to see which service units are enabled:

# systemctl list-unit-files --type service

Displaying status of the services

systemd service units correspond to system services. Use the following command to display detailed information about a service unit. This example displays information about the sshd service unit.

# systemctl status sshd

The following information is available for the specified service unit:

Loaded: If the service is loaded, the absolute path to the service unit file, and if the service unit is enabled
Active: If the service unit is running and a timestamp
Main PID: The Process ID of the corresponding system service and the service name
Status: Additional information about the corresponding system service
Process: Additional information about related processes
CGroup: Additional information about related Control Groups
To check whether a service is running (active) or not running (inactive):

# systemctl is-active sshd
To check whether a service is enabled:

# systemctl is-enabled sshd
Starting and Stopping Services

In previous versions of RHEL, the service utility is used to stop and start services. In RHEL 7, the systemctl utility provides an equivalent set of subcommands. The table below shows a comparison of the service utility with systemctl.

service utility              systemctl equivalent                          Description
service name start           systemctl start name                          Starts a service
service name stop            systemctl stop name                           Stops a service
service name restart         systemctl restart name                        Restarts a service
service name condrestart     systemctl try-restart name                    Restarts a service only if it is running
service name reload          systemctl reload name                         Reloads a configuration
service name status          systemctl status name                         Checks whether a service is running
service --status-all         systemctl list-units --type service --all     Displays the status of all services
Enabling and disabling services

In previous versions of RHEL, the chkconfig utility is used to enable and disable services. In RHEL 7, the systemctl utility provides an equivalent set of subcommands. The table below shows a comparison of the chkconfig utility with systemctl.

chkconfig utility        systemctl equivalent                              Description
chkconfig name on        systemctl enable name                             Enables a service
chkconfig name off       systemctl disable name                            Disables a service
chkconfig --list name    systemctl status name, systemctl is-enabled name  Checks whether a service is enabled
chkconfig --list         systemctl list-unit-files --type service          Lists all services and checks whether they are enabled

RHEL 7 – RHCSA Notes : Configure a system to use time services

RHEL 7 has 3 command-line utilities to configure the system date and time:
1. date
2. hwclock
3. timedatectl

date command

Use the date command to display or set the system date and time. Run the date command with no arguments to display the current date and time:

# date
Mon Sep 12 19:41:40 IST 2016
The date command provides a variety of output formatting options. You can also display a time and date in the future or the past. A few examples are given below.
1. Display the day of the week :

# date +%A
2. Display the date one year from now :

# date -d "1 year"
Mon Sep 12 19:47:49 IST 2017
3. Display the date one month ago :

# date -d "1 month ago"
Mon Aug 12 19:49:07 IST 2016
Use the following syntax to change the current date. Replace YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month.

# date +%D -s [YYYY-MM-DD]
Use the following syntax to change the current time. Replace HH with a two-digit hour, MM with a two-digit minute, and SS with a two-digit second. Include either AM or PM. Include the -u option if your system clock is set to use UTC.

# date +%T%p -s [HH:MM:SS]AM|PM -u
hwclock command

Use the hwclock command to query and set the hardware clock, also known as the RTC (real-time clock). This clock runs independently of any control program running in the CPU and even when the machine is powered off. The hwclock command allows you to:

Display the current time
Set the hardware clock to a specified time
Set the system time from the hardware clock (hwclock -s)
Set the hardware clock to the current system time (hwclock -w)
timedatectl command

– The timedatectl utility is part of the systemd system and service manager.
– To display local, universal, and RTC time and time zone, NTP configuration, and DST information:

# timedatectl
Local time: Tue 2016-09-13 20:30:26 IST
Universal time: Tue 2016-09-13 15:00:26 UTC
RTC time: Tue 2016-09-13 15:00:26
Time zone: Asia/Kolkata (IST, +0530)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
– Use the following syntax to change the date and time:

# timedatectl set-time [YYYY-MM-DD]
# timedatectl set-time [HH:MM:SS]
– Use the following syntax to change the time zone:

# timedatectl set-timezone [time_zone]
– To list available time zones :

# timedatectl list-timezones
– To enable clock synchronization over NTP:

# timedatectl set-ntp yes
Using NTP

NTP provides a method of verifying and correcting your computer’s time by synchronizing it with another system.
To install NTP :

# yum install ntp
By default, there are four public server entries in the NTP configuration file, /etc/ntp.conf, which are specified by the server directive.

# grep server /etc/ntp.conf
Instead of using a predefined public server, you can specify a local reference server in the /etc/ntp.conf file. For example:

# vi /etc/ntp.conf
Another directive in the configuration file is driftfile. The default setting is as follows:

driftfile /var/lib/ntp/drift
This drift file contains one value used to adjust the system clock frequency after every system or service start.

NTP daemon

The ntpd program is the user space daemon that synchronizes the system clock with remote NTP time servers or local reference clocks. The daemon reads the configuration file at system start or when the service is restarted. You also need to open UDP port 123 in the firewall for NTP packets. After editing the /etc/ntp.conf file, use the systemctl command to start the NTP daemon:

# systemctl start ntpd
Use the following command to ensure the NTP daemon starts at boot time:

# systemctl enable ntpd
Other NTP utilities

Use the ntpq command to query the NTP daemon operations and to determine performance. Use the -p option (or the peers command) to display a list of peers known to the server as well as a summary of their state. For example:

# ntpq -p
remote refid st t when poll reach delay offset jitter
* 2 u 911 1024 377 1.274 0.147 0.355
+ 2 u 1026 1024 377 1.161 0.073 0.852
The * indicates your system is synchronized with the server. Use the ntpstat command to show network time synchronization status.

# ntpstat
synchronised to NTP server ( at stratum 3
time correct to within 31 ms
polling server every 1024 s
Configuring NTP using chrony

Chrony is a suite of utilities that provides another implementation of NTP. Chrony is designed for mobile systems and virtual machines that are often powered down or disconnected from the network. Systems that are not permanently connected to a network take a relatively long time to adjust their system clocks with the NTP daemon, ntpd.

Chrony consists of chronyd, a daemon that runs in user space, and chronyc, a command-line program for making adjustments to chronyd. The chronyd daemon makes adjustments to the system clock that is running in the kernel. It uses NTP to synchronize with another system when network access is available. When network access is not available, chronyd uses the last calculated drift stored in the drift file to synchronize the system time.

For more information on chrony (installation, configuration, troubleshooting), refer to the related chrony posts.

RHEL 7 – RHCSA Notes : Create, delete, and modify local groups and group memberships.

Group administration

– Use the groupadd command to add a new group :

# groupadd [options] group_name
– Use the groupmod command to modify an existing group :

# groupmod [options] group_name
– Use groupdel to delete a group. You can remove a group even if there are users in the group, but you cannot remove the primary group of an existing user. You must remove the user before removing the group.

# groupdel group_name
– Use the gpasswd command to administer the groups :

# gpasswd [options] group_name
For example, to add user test to group student :

# gpasswd -a test student
groups command

The groups command displays the groups a user belongs to. For example, the user oracle shown below belongs to multiple groups, which can be displayed using the groups command :

# groups oracle
oracle : oinstall dba asm asmdba oper
# grep oracle /etc/group
newgrp command

The newgrp command executes a new shell and changes a user's real group information. For example,
Before executing newgrp command

$ id
uid=5004(oracle) gid=5004(oinstall) groups=5004(oinstall),5005(dba) …
$ ps
106591 pts/0 00:00:00 bash
106672 pts/0 00:00:00 ps
After executing newgrp command

$ newgrp dba
Note the gid for the user has changed to that of the dba group :

$ id
uid=5004(oracle) gid=5005(dba) groups=5005(dba),5004(oinstall) …
Also note that a new shell has been executed.

$ ps
106591 pts/0 00:00:00 bash
106231 pts/0 00:00:00 bash
106672 pts/0 00:00:00 ps

RHEL 7 – RHCSA Notes – Create and manage Access Control Lists (ACLs)

File access control lists (FACLs), or simply ACLs, are a list of additional users/groups and their permissions on a file. Although the default file permissions do their job perfectly well, they do not allow you to give permissions to more than one user or one group on the same file.

How to know when a file has ACL attached to it

The ls -l command produces output as shown below. Note the + sign at the end of the permissions; this confirms that the file has an ACL attached to it.

# ls -l
-rw-r--r--+ 1 root root 0 Sep 19 14:41 file
Viewing ACLs

To display detailed ACL information of a file, use the getfacl command. If you look carefully, the users sam and john have some extra permissions (shown highlighted). The default user/group permissions are specified using "user::permission" and "group::

# getfacl /tmp/test
# file: test
# owner: root
# group: root
In contrast, if you check the ACLs on a file with no ACLs, the additional "user:" lines and the "mask" line are not shown and only the standard file permissions appear :

# getfacl test
# file: test
# owner: root
# group: root
Creating and Managing FACLs

The setfacl command is used to set an ACL on the given file. To give rw access to user john on the file /tmp/test :

# setfacl -m u:john:rw /tmp/test
The -m option tells setfacl to modify ACLs on the file(s) mentioned in command line. Instead of user john we can have a group to have a specific permission on the file :

# setfacl -m g:accounts:rw /tmp/test
FACLs for multiple users and groups can also be set with a single command :

# setfacl -m u:john:rw,g:accounts:rwx /tmp/test
Default ACLs

By setting a default ACL, you determine the permissions that will be set for all new items created in the directory. The permissions of existing files and subdirectories remain the same.

To create a default FACL on a directory :

# setfacl -m default:u:john:rw /accounts
Notice the default permissions in the getfacl command :

# getfacl accounts/
# file: accounts/
# owner: root
# group: root
Removing FACLs

To remove ACLs, use the setfacl command with -x option :

# setfacl -x u:john /tmp/test
The above command removes the ACL for the user john on the file /tmp/test. The ACLs for other users/groups, if any, remain unaffected. To remove all ACLs associated with a file, use the -b option with setfacl :

# setfacl -b /tmp/test
You can also back up ACLs using getfacl and restore them using setfacl. To create the backup, use getfacl -R /dir > file.acls. To restore the settings from the backup file, use setfacl --restore=file.acls

RHEL 7 – RHCSA Notes : Change passwords and adjust password aging for local user accounts

Password configuration

Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is :

# chage [options] user_name
– When you run the chage command interactively, the currently set values are displayed as well.

# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default

Minimum Password Age [14]:
Maximum Password Age [30]:
Last Password Change (YYYY-MM-DD) [2016-08-23]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
Password expiration information is stored in /etc/shadow file.

# grep oracle /etc/shadow
As shown above, the oracle user has a minimum password age of 14 and a maximum password age of 30: the user must wait 14 days after a change before changing the password again, and must change it within 30 days of the last change. The user is also warned to change the password 7 days prior to the password expiry date.

chage options

A number of options are available for the chage command. To list aging information :

# chage -l geek
Last password change : Sep 18, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0 :

# chage -d 0 geek
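The fields that chage edits are exactly those stored in /etc/shadow, so the same check can be scripted across all accounts. The following Python is an added example, not part of the original post: it parses constructed shadow entries (placeholder hashes, made-up user names) and classifies each account as ok, inside the warning window, expired, locked after the inactive period, forced to change at next login (the chage -d 0 case), password-locked, or never-expiring, as of a reference date taken from the page's timedatectl output.

```python
"""Audit /etc/shadow password-aging fields (added example, not from the original post)."""
from datetime import date

EPOCH = date(1970, 1, 1)
NEVER = 99999  # max-age value that chage -l reports as "Password expires : never"

# Constructed sample entries in shadow(5) format; hashes are placeholders.
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg 17036 = 2016-08-23 and 17062 = 2016-09-18 (days since the epoch).
SAMPLE_SHADOW = """\
oracle:$6$PLACEHOLDERHASH:17036:14:30:7:::
geek:$6$PLACEHOLDERHASH:17062:0:99999:7:::
forced:$6$PLACEHOLDERHASH:0:0:99999:7:::
stale:$6$PLACEHOLDERHASH:17000:14:30:7:5::
parked:!!:17000:0:99999:7:::
"""


def days_since_epoch(d):
    """Convert a date to the day count used by the lastchg and expire fields."""
    return (d - EPOCH).days


def parse_shadow_line(line):
    """Split one shadow(5) entry into named fields; empty numeric fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow entry: %r" % line)

    def num(value):
        return int(value) if value.strip() else None

    return {
        "name": fields[0],
        "hash": fields[1],
        "lastchg": num(fields[2]),
        "min": num(fields[3]) or 0,
        "max": num(fields[4]),
        "warn": num(fields[5]) or 0,
        "inactive": num(fields[6]),
        "expire": num(fields[7]),
    }


def aging_status(entry, today):
    """Return (status, days_left) for one parsed entry as of the given date.

    days_left counts days until the password must be changed (negative when
    overdue) and is None for states where no expiry date applies.
    """
    today_days = days_since_epoch(today)
    if entry["hash"].startswith(("!", "*")):
        return ("password-locked", None)         # locked or no usable hash
    if entry["expire"] is not None and today_days >= entry["expire"]:
        return ("account-expired", None)         # account expiration date passed
    if entry["lastchg"] is None:
        return ("aging-disabled", None)          # empty lastchg field
    if entry["lastchg"] == 0:
        return ("must-change", 0)                # chage -d 0: change at next login
    if entry["max"] is None or entry["max"] >= NEVER:
        return ("never-expires", None)

    days_left = entry["lastchg"] + entry["max"] - today_days
    if days_left < 0:
        inactive = entry["inactive"]
        if inactive is not None and -days_left > inactive:
            return ("locked-inactive", days_left)  # past the inactive grace period
        return ("expired", days_left)
    if days_left <= entry["warn"]:
        return ("warning", days_left)            # inside the warning window
    return ("ok", days_left)


def audit_shadow(shadow_text, today):
    """Audit every entry in a shadow file's text; returns {name: (status, days_left)}."""
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        report[entry["name"]] = aging_status(entry, today)
    return report


def run_sample(year=2016, month=9, day=13):
    """Audit the constructed sample as of a date (default from the page's timedatectl output)."""
    return audit_shadow(SAMPLE_SHADOW, date(year, month, day))


if __name__ == "__main__":
    for name, (status, left) in sorted(run_sample().items()):
        print("%-8s %-16s %s" % (name, status, "" if left is None else "%d days" % left))
```

On a real host, feed the output of cat /etc/shadow (readable by root only) to audit_shadow with date.today() to get the same report for live accounts.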

The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:

# authconfig --test | grep hashing
password hashing algorithm is sha512
To change the algorithm, use the --passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option.

# authconfig --passalgo=md5 --update
/etc/login.defs file

/etc/login.defs file provides default user account settings. Default values include:

Location of user mailboxes
Password aging controls
Values for automatic UID selection
Values for automatic GID selection
User home directory creation options
Encryption method used to encrypt passwords
Sample /etc/login.defs file :

# cat /etc/login.defs
GID_MIN 1000
GID_MAX 60000
UID_MIN 1000
UID_MAX 60000

RHEL 7 – RHCSA Notes – Set enforcing and permissive modes for SELinux

SELinux modes

SELinux gives an extra layer of security to the resources in the system. It provides MAC (mandatory access control) as opposed to DAC (discretionary access control). Before we dive into setting the SELinux modes, let us see what the different SELinux modes of operation are and how they work. SELinux can operate in any of 3 modes :

1. Enforcing : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive : Actions contrary to the policy are only logged in the audit log.
3. Disabled : The SELinux is disabled entirely.

Configuration file

SELinux configuration file /etc/selinux/config :

# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
Toggling SELinux modes (Temporarily)

To switch between the SELinux modes temporarily we can use the setenforce command as shown below :

# setenforce [ Enforcing | Permissive | 1 | 0 ]
0 –> Permissive
1 –> Enforcing

Verify the current mode of SELinux :

# getenforce
or we can also use the sestatus command to get a detailed status :

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux -> virtual FS similar to /proc
Current mode: enforcing -> current mode of operation
Mode from config file: permissive -> mode set in the /etc/sysconfig/selinux file.
Policy version: 24
Policy from config file: targeted
Toggling SELinux modes (Permanently) [reboot required]

SELinux mode can be set permanently using either of below methods :
1. editing /etc/selinux/config file
2. editing kernel boot options

1. editing /etc/selinux/config file

To set SELinux to permissive, edit /etc/selinux/config and set the SELINUX= line to permissive (SELINUX=permissive) :

vi /etc/selinux/config

Similarly, the mode can be set to enforcing or disabled by changing the value on the same line.

2. editing kernel boot options

Edit the kernel boot line and append enforcing=0 to the kernel boot options. For example:

title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet enforcing=0
initrd /initrd-2.6.9-42.ELsmp.img
Reboot the server.

# shutdown -r now
Forcing reboot on changing mode

We can force a reboot on changing the selinux mode :

# setsebool secure_mode_policyload on

CentOS / RHEL 7 : How to Create and Remove the LVM Mirrors Using lvconvert

When you convert a linear volume to a mirrored volume, you are basically creating an extra mirror copy of an existing volume. This means that your volume group must contain the devices and space for the mirrors and for the mirror log. If a copy of the mirror is lost, LVM converts the volume to a linear volume so that you still have access to it. The option -m | --mirrors specifies the degree of the mirror you wish to create.

For example:

-m 1 converts the original logical volume to a mirrored volume with 2 sides; that is, a linear volume plus one copy.
-m 0 converts the mirrored logical volume back to a linear logical volume, removing (breaking) the mirror leg including the mirrored devices.
Creating LVM mirrors

The following command converts the linear logical volume ‘datavg/testlv’ to a mirrored logical volume :

# lvconvert -m1 datavg/testlv
The commands below show the configuration of the volume after lvconvert changed it to a volume with two mirror copies.

# lvs -a -o name,copy_percent,devices datavg
LV                Cpy%Sync Devices
testlv            100.00   testlv_rimage_0(0),testlv_rimage_1(0)
[testlv_rimage_0]          /dev/sdb(0)
[testlv_rimage_1]          /dev/sdc(1)
[testlv_rmeta_0]           /dev/sdb(256)
[testlv_rmeta_1]           /dev/sdc(0)
# lvs --all --segments -o +devices
LV                VG     Attr       #Str Type   SSize  Devices
root              centos -wi-ao----    1 linear 17.47g /dev/sda2(512)
swap              centos -wi-ao----    1 linear  2.00g /dev/sda2(0)
testlv            datavg rwi-aor---    2 raid1   1.00g testlv_rimage_0(0),testlv_rimage_1(0)
[testlv_rimage_0] datavg iwi-aor---    1 linear  1.00g /dev/sdb(0)
[testlv_rimage_1] datavg iwi-aor---    1 linear  1.00g /dev/sdc(1)
[testlv_rmeta_0]  datavg ewi-aor---    1 linear  4.00m /dev/sdb(256)
[testlv_rmeta_1]  datavg ewi-aor---    1 linear  4.00m /dev/sdc(0)
Removing LVM mirrors

The following command converts the mirrored logical volume datavg/testlv to a linear logical volume, removing or breaking the mirror copy including the mirrored devices. Note that we have to specify the device from which the mirror copy is detached.

# lvconvert -m0 datavg/testlv /dev/sdc
Check the status of volume and devices again to see the difference :

# lvs -a -o +devices
LV     VG     Attr       LSize  Pool Origin Data% Meta% Move Log Cpy%Sync Convert Devices
root   centos -wi-ao---- 17.47g                                                   /dev/sda2(512)
swap   centos -wi-ao----  2.00g                                                   /dev/sda2(0)
testlv datavg -wi-ao----  1.00g                                                   /dev/sdb(0)
# lvs -a -o name,devices datavg
LV     Devices
testlv /dev/sdb(0)

CentOS / RHEL 7 : Beginners guide to firewalld


– A packet filtering firewall reads incoming network packets and filters (allows or denies) each data packet based on the header information in the packet. The Linux kernel has built-in packet filtering functionality called Netfilter.
– Two services are available in RHEL 7 to create, maintain, and display the rules stored by Netfilter:
1. firewalld
2. iptables
– In RHEL 7, the default firewall service is firewalld.
– firewalld is a dynamic firewall manager which supports firewall (network) zones.
– The firewalld service has support for IPv4, IPv6, and for Ethernet bridges.
– The firewalld service also provides a D-BUS interface. Services or applications already using D-BUS can add or request changes to firewall rules directly through the D-BUS interface.

Advantages over iptables

firewalld has the following advantages over iptables :
1. Unlike the iptables command, the firewall-cmd command does not restart the firewall and disrupt established TCP connections.
2. firewalld supports dynamic zones.
3. firewalld supports D-Bus for better integration with services that depend on firewall configuration.

Configuration options

The firewalld service has two types of configuration options:
1. Runtime: Changes to firewall settings take effect immediately but are not permanent. Changes made in runtime configuration mode are lost when the firewalld service is restarted.
2. Permanent: Changes to firewall settings are written to configuration files. These changes are applied when the firewalld service restarts.

Configuration files

Configuration files for firewalld exist in two directories:
/usr/lib/firewalld: Contains default configuration files. Do not make changes to these files. An upgrade of the firewalld package overwrites this directory.
/etc/firewalld: Changes to the default configuration files are stored in this directory. Files in this directory override the default configuration files.

firewalld zones

The firewalld service allows you to separate networks into different zones based on the level of trust you want to place on the devices and traffic within a specific network. For each zone you can define the following features:
Services: Predefined or custom services to trust. Trusted services are a combination of ports and protocols that are accessible from other systems and networks.
Ports: Additional ports or port ranges and associated protocols that are accessible from other systems and networks.
Masquerading: Translate IPv4 addresses to a single external address. With masquerading enabled, addresses of a private network are mapped to and hidden behind a public address.
Port Forwarding: Forward inbound network traffic from a specific port or port range to an alternative port on the local system, or to a port on another IPv4 address.
ICMP Filter: Block selected Internet Control Message Protocol messages.
Rich Rules: Extend existing firewalld rules to include additional source and destination addresses and logging and auditing actions.
Interfaces: Network interfaces bound to the zone. The zone for an interface is specified with the ZONE= option in its /etc/sysconfig/network-scripts/ifcfg-* file. If the option is missing, the interface is bound to the default zone.

Predefined firewalld Zones

The firewalld software package includes a set of predefined network zones in the following directory:

# ls -lrt /usr/lib/firewalld/zones/
total 36
-rw-r----- 1 root root 342 Sep 15 2015 work.xml
-rw-r----- 1 root root 162 Sep 15 2015 trusted.xml
-rw-r----- 1 root root 315 Sep 15 2015 public.xml
-rw-r----- 1 root root 415 Sep 15 2015 internal.xml
-rw-r----- 1 root root 400 Sep 15 2015 home.xml
-rw-r----- 1 root root 304 Sep 15 2015 external.xml
-rw-r----- 1 root root 291 Sep 15 2015 drop.xml
-rw-r----- 1 root root 293 Sep 15 2015 dmz.xml
-rw-r----- 1 root root 299 Sep 15 2015 block.xml
The zone files contain preset settings, which can be applied to a network interface. For example:

# grep -i service /usr/lib/firewalld/zones/public.xml

In this example, network interfaces bound to the public zone trust only two services, ssh and dhcpv6-client.
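Because zone files are plain XML and a copy under /etc/firewalld overrides the packaged one in /usr/lib/firewalld, both the lookup firewalld performs and a comparison of what a local zone exposes beyond the packaged default can be scripted. The following Python is an added example, not part of the original post or of firewalld itself: the two zone documents are constructed samples in the packaged file's format, and the exists callback is only a hook so the lookup can be exercised without the real directories.

```python
"""Parse firewalld zone files and resolve the /etc override (added example, not from the original post)."""
import os
import xml.etree.ElementTree as ET

LIB_ZONE_DIR = "/usr/lib/firewalld/zones"  # packaged defaults, overwritten on upgrade
ETC_ZONE_DIR = "/etc/firewalld/zones"      # local copies, loaded in preference

# Constructed sample of the packaged public.xml described above.
PACKAGED_PUBLIC_XML = """\
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed sample of a local override as it might look after permanent changes.
LOCAL_PUBLIC_XML = """\
<zone target="DROP">
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port protocol="tcp" port="8443"/>
  <masquerade/>
</zone>
"""


def parse_zone(xml_text):
    """Return the parts of a zone definition that decide which traffic is accepted."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file (root element %r)" % root.tag)
    return {
        "short": (root.findtext("short") or "").strip(),
        "target": root.get("target", "default"),
        "services": sorted(e.get("name") for e in root.findall("service")),
        "ports": sorted((e.get("port"), e.get("protocol")) for e in root.findall("port")),
        "masquerade": root.find("masquerade") is not None,
    }


def effective_zone_file(name, etc_dir=ETC_ZONE_DIR, lib_dir=LIB_ZONE_DIR, exists=os.path.isfile):
    """Path firewalld loads for a zone: the /etc copy wins over the packaged default."""
    for directory in (etc_dir, lib_dir):
        candidate = os.path.join(directory, name + ".xml")
        if exists(candidate):
            return candidate
    raise FileNotFoundError("no zone file for %r" % name)


def zone_drift(packaged, local):
    """What the local override exposes beyond (or removes from) the packaged default."""
    return {
        "added_services": sorted(set(local["services"]) - set(packaged["services"])),
        "removed_services": sorted(set(packaged["services"]) - set(local["services"])),
        "added_ports": sorted(set(local["ports"]) - set(packaged["ports"])),
        "target_changed": packaged["target"] != local["target"],
        "masquerade_enabled": local["masquerade"] and not packaged["masquerade"],
    }


if __name__ == "__main__":
    drift = zone_drift(parse_zone(PACKAGED_PUBLIC_XML), parse_zone(LOCAL_PUBLIC_XML))
    for key, value in sorted(drift.items()):
        print("%-20s %s" % (key, value))
```

On a live system, read the two files returned by os.path.join(LIB_ZONE_DIR, "public.xml") and effective_zone_file("public") and pass their contents to parse_zone to see what local permanent changes have added to a zone.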

A brief explanation of each zone follows:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.

Setting the Default firewalld Zone

After an initial installation, the public zone is the default zone as specified in the configuration file, /etc/firewalld/firewalld.conf.

# grep -i defaultzone /etc/firewalld/firewalld.conf
Network interfaces are bound to the default zone unless specified with ZONE=[zone] in the ifcfg file. The following command shows the interfaces that are bound to the public zone:

# firewall-cmd --get-active-zones
public
interfaces: eth0 eth1
You can use the firewall-cmd command to change the default zone:

# firewall-cmd --set-default-zone=work
You can also use the firewall-config GUI to change the default zone. From the menu bar, select Options->Change Default Zone, and then select a zone from a pop-up list.

firewalld Services

– A firewalld service is a combination of local ports and protocols and destination addresses.
– A firewalld service can also include Netfilter kernel modules that are automatically loaded when a service is enabled.
– The firewalld software package ships a set of predefined service definitions in /usr/lib/firewalld/services/. The predefined zone definitions, listed here, live in the sibling zones directory:

# ls -lrt /usr/lib/firewalld/zones/
total 36
-rw-r--r-- 1 root root 342 Sep 15 2015 work.xml
-rw-r--r-- 1 root root 162 Sep 15 2015 trusted.xml
-rw-r--r-- 1 root root 315 Sep 15 2015 public.xml
-rw-r--r-- 1 root root 415 Sep 15 2015 internal.xml
-rw-r--r-- 1 root root 400 Sep 15 2015 home.xml
-rw-r--r-- 1 root root 304 Sep 15 2015 external.xml
-rw-r--r-- 1 root root 291 Sep 15 2015 drop.xml
-rw-r--r-- 1 root root 293 Sep 15 2015 dmz.xml
-rw-r--r-- 1 root root 299 Sep 15 2015 block.xml
– Services can be enabled for a zone in Runtime mode.
– Service definitions can only be edited in Permanent mode.
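Because a service is just a named bundle of ports and protocols, reviewing a zone's permanent XML means resolving every service it references down to the ports it actually opens. The following Python does that resolution and compares the result with an expected allowlist; it is an added example, not code from the page or from firewalld, and the service and zone XML are constructed samples that only follow the shape of firewalld's own files.

```python
import xml.etree.ElementTree as ET

# Constructed service definitions in the shape of /usr/lib/firewalld/services/*.xml
# (sample content, not copied from any host)
SERVICES = {
    "ssh": '<service><port protocol="tcp" port="22"/></service>',
    "nfs": '<service><port protocol="tcp" port="2049"/></service>',
    "mountd": '<service><port protocol="tcp" port="20048"/>'
              '<port protocol="udp" port="20048"/></service>',
    "rpc-bind": '<service><port protocol="tcp" port="111"/>'
                '<port protocol="udp" port="111"/></service>',
}

# Constructed zone in the shape of /etc/firewalld/zones/internal.xml
ZONE = """<zone>
  <service name="ssh"/>
  <service name="nfs"/>
  <service name="mountd"/>
  <service name="rpc-bind"/>
  <port protocol="tcp" port="8080"/>
</zone>
"""

def service_ports(service_xml):
    """Ports a service definition admits, as (port, protocol) pairs."""
    root = ET.fromstring(service_xml)
    return {(p.get("port"), p.get("protocol")) for p in root.findall("port")}

def zone_openings(zone_xml, services=SERVICES):
    """Map every (port, protocol) the zone opens to the zone entries that open it."""
    root = ET.fromstring(zone_xml)
    opened = {}
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in services:
            raise ValueError("zone references unknown service %r" % name)
        for pair in service_ports(services[name]):
            opened.setdefault(pair, set()).add("service:" + name)
    for p in root.findall("port"):  # bare <port> entries open a port directly
        opened.setdefault((p.get("port"), p.get("protocol")), set()).add("port")
    return opened

def not_in_allowlist(opened, allowed):
    """Openings outside the expected set, for a permanent-configuration review."""
    return sorted(pair for pair in opened if pair not in allowed)
```

Running zone_openings over a copy of a zone file and diffing with not_in_allowlist shows what a zone admits without waiting for a restart to reveal it.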

Start firewalld

To start firewalld:

# systemctl start firewalld
To ensure firewalld starts at boot time:

# systemctl enable firewalld
To check if firewalld is running:

# systemctl status firewalld
# firewall-cmd --state
Three methods to configure the firewalld service:
– firewall-cmd : Command-line interface
– firewall-config : Graphical user interface
– Edit various XML configuration files.

The firewall-cmd Utility

The command-line tool firewall-cmd is part of the firewalld application, which is installed by default. To get help on the firewall-cmd command:

# firewall-cmd --help
The firewall-cmd command offers categories of options such as General, Status, Permanent, Zone, IcmpType, Service, Adapt and Query Zones, Direct, Lockdown, Lockdown Whitelist, and Panic. To list information for all zones:

# firewall-cmd --list-all-zones
public (default, active)
interfaces: eth0 eth1
services: dhcpv6-client ssh

To permit access by HTTP clients for the public zone:

# firewall-cmd --zone=public --add-service=http
To list services that are allowed for the public zone:

# firewall-cmd --zone=work --list-services
dhcpv6-client http ssh
Using this command only changes the Runtime configuration and does not update the configuration files.
The configuration changes made in Runtime configuration mode are lost when the firewalld service is restarted:

# systemctl restart firewalld
# firewall-cmd --zone=work --list-services
dhcpv6-client ssh
To make changes permanent, use the --permanent option. Example:

# firewall-cmd --permanent --zone=public --add-service=http
Changes made in Permanent configuration mode are not applied immediately; instead they are written to the configuration files. Restarting the firewalld service reads the configuration files and applies the changes. Example:

# systemctl restart firewalld
# firewall-cmd --zone=work --list-services
dhcpv6-client http ssh

CentOS / RHEL 7 : Configuring an NFS server and NFS client

NFS allows a Linux server to share directories with other UNIX clients over the network. The NFS server exports a directory and the NFS client mounts it. RHEL 7 supports two versions of NFS: NFSv3 and NFSv4.

NFS server and RPC processes

Starting the nfs-server process starts the NFS server and the other RPC processes. The RPC processes include:
– rpc.statd : implements the Network Status Monitor (NSM) protocol between the NFS client and NFS server.
– rpc.mountd : the NFS mount daemon that implements the server side of mount requests from NFSv3 clients.
– rpc.idmapd : maps between NFSv4 names and local UIDs and GIDs.
– rpc.rquotad : provides user quota information for remote users.

Configuring NFS server

1. Install the required nfs packages if not already installed on the server :

# rpm -qa | grep nfs-utils
# yum install nfs-utils rpcbind
2. Enable the services at boot time:

# systemctl enable nfs-server
# systemctl enable rpcbind
# systemctl enable nfs-lock
In RHEL 7.1 (nfs-utils-1.3.0-8.el7) enabling nfs-lock does not work (No such file or directory). It does not need to be enabled, since rpc-statd.service is static.

# systemctl enable nfs-idmap
In RHEL 7.1 (nfs-utils-1.3.0-8.el7) this does not work either (No such file or directory). It does not need to be enabled, since nfs-idmapd.service is static.

3. Start the NFS services:

# systemctl start rpcbind
# systemctl start nfs-server
# systemctl start nfs-lock
# systemctl start nfs-idmap
4. Check the status of NFS service:

# systemctl status nfs
5. Create a shared directory:

# mkdir /test
6. Export the directory. The format of the /etc/exports file is :

dir client1(options) [client2(options) ...]
There must be no space between a client and its options list. Client options include (defaults are listed first) :
ro / rw :
a) ro : allows clients read-only access to the share.
b) rw : allows clients read/write access to the share.
sync / async :
a) sync : the NFS server replies to a request only after the changes made by the previous request are written to disk.
b) async : the server does not have to wait for the changes to be written to disk before replying.
wdelay / no_wdelay :
a) wdelay : the NFS server delays committing a write request when it suspects another write request is imminent.
b) no_wdelay : disables the delay. no_wdelay can only be enabled if the default sync option is in effect.
no_all_squash / all_squash :
a) no_all_squash : does not change the mapping of remote users.
b) all_squash : squashes all remote users, including root.
root_squash / no_root_squash :
a) root_squash : prevents users connected remotely as root from having root access, effectively squashing remote root privileges.
b) no_root_squash : disables root squashing.

Example :

# vi /etc/exports
/test *(rw)
7. Exporting the share :

# exportfs -r
-r re-exports all entries in /etc/exports and synchronizes /var/lib/nfs/etab with /etc/exports. /var/lib/nfs/etab is the master export table. Other options that can be used with the exportfs command are :

-a : exports all entries in /etc/exports without synchronizing /var/lib/nfs/etab
-i : ignores the entries in /etc/exports and uses only the command line arguments.
-u : un-exports one or more directories
-o : specifies client options on the command line
8. Restart the NFS service:

# systemctl restart nfs-server
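The /etc/exports entries written in step 6 are where most NFS exposure is decided, so it is worth reading the file back the way exportfs does: defaults from the option list above, a per-client option set, and the classic mistake of a space before the options list, which exportfs treats as a separate entry that applies to every host. The following Python parser and audit is an added example, not code from the page or from nfs-utils; the exports content it reads is a constructed sample.

```python
# exportfs defaults, the first of each option pair as the text lists them
DEFAULTS = {"ro", "sync", "wdelay", "root_squash", "no_all_squash"}
PAIRS = [("ro", "rw"), ("sync", "async"), ("wdelay", "no_wdelay"),
         ("root_squash", "no_root_squash"), ("all_squash", "no_all_squash")]
OPPOSITE = {a: b for x, y in PAIRS for a, b in ((x, y), (y, x))}

# Constructed /etc/exports content (a sample, not from any real host)
SAMPLE_EXPORTS = """\
/test *(rw)
/srv/data 192.168.10.0/24(rw,sync,root_squash) 10.0.0.5(ro)
/home/shared client1 (rw,no_root_squash)
/srv/pub *.example.com(ro)
"""

def effective(opts):
    """Apply the listed options on top of the exportfs defaults."""
    eff = set(DEFAULTS)
    for o in opts:
        eff.discard(OPPOSITE.get(o, ""))
        eff.add(o)
    return eff

def parse_exports(text):
    """Return {path: [(client, effective_options), ...]} the way exportfs reads it."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        entries = []
        for tok in tokens:
            client, _, rest = tok.partition("(")
            opts = [o for o in rest.rstrip(")").split(",") if o]
            # "client (opts)" with a space is two tokens: the client with
            # default options, then "(opts)", which exportfs applies to every host
            entries.append((client or "*", effective(opts)))
        table[path] = entries
    return table

def audit(table):
    """Flag entries a reviewer would question, as (path, client, issue) triples."""
    issues = []
    for path, entries in table.items():
        for client, opts in entries:
            if client.startswith("*") and "rw" in opts:
                issues.append((path, client, "writable by a wildcard client"))
            if "no_root_squash" in opts:
                issues.append((path, client, "remote root keeps root privileges"))
    return issues
```

Run audit(parse_exports(open("/etc/exports").read())) before exportfs -r; the sample's /home/shared line shows how one stray space turns a single-client export into a world-writable one with root squashing disabled.
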

Configuring NFS client

1. Install the required nfs packages if not already installed on the client :

# rpm -qa | grep nfs-utils
# yum install nfs-utils
2. Use the mount command to mount exported file systems. Syntax for the command:

mount -t nfs -o options host:/remote/export /local/directory
Example :

# mount -t nfs -o ro,nosuid remote_host:/home /remote_home
This example does the following:
– It mounts /home from the remote host (remote_host) on the local mount point /remote_home.
– The file system is mounted read-only and users are prevented from running setuid programs (the -o ro,nosuid options).

3. Update /etc/fstab to mount NFS shares at boot time.

# vi /etc/fstab
remote_host:/home /remote_home nfs ro,nosuid 0 0

Firewalld services to be active on NFS server

For the NFS server to work, enable the nfs, mountd, and rpc-bind services in the relevant zone in the firewall-config application or using firewall-cmd :

# firewall-cmd --add-service=nfs --zone=internal --permanent
# firewall-cmd --add-service=mountd --zone=internal --permanent
# firewall-cmd --add-service=rpc-bind --zone=internal --permanent