CentOS / RHEL 7 : Beginners guide to firewalld

Introduction

– A packet filtering firewall reads incoming network packets and filters (allows or denies) each data packet based on the header information in the packet. The Linux kernel has built-in packet filtering functionality called Netfilter.
– Two services are available in RHEL 7 to create, maintain, and display the rules stored by Netfilter:
1. firewalld
2. iptables
– In RHEL 7, the default firewall service is firewalld.
– firewalld is a dynamic firewall manager which supports firewall (network) zones.
– The firewalld service has support for IPv4, IPv6, and for Ethernet bridges.
– The firewalld service also provides a D-BUS interface. Services or applications already using D-BUS can add or request changes to firewall rules directly through the D-BUS interface.

Advantages over iptables

firewalld has the following advantages over iptables :
1. Unlike the iptables command, the firewall-cmd command does not restart the firewall and disrupt established TCP connections.
2. firewalld supports dynamic zones.
3. firewalld supports D-Bus for better integration with services that depend on firewall configuration.

Configuration options

The firewalld service has two types of configuration options:
1. Runtime: Changes to firewall settings take effect immediately but are not permanent. Changes made in runtime configuration mode are lost when the firewalld service is restarted.
2. Permanent: Changes to firewall settings are written to configuration files. These changes are applied when the firewalld service restarts.

Configuration files

Configuration files for firewalld exist in two directories:
/usr/lib/firewalld: Contains default configuration files. Do not make changes to these files. An upgrade of the firewalld package overwrites this directory.
/etc/firewalld: Changes to the default configuration are stored in this directory. A file here with the same name as one in /usr/lib/firewalld overrides the default, so copy the default file to /etc/firewalld and edit the copy rather than the original.

firewalld zones

The firewalld service allows you to separate networks into different zones based on the level of trust you want to place on the devices and traffic within a specific network. For each zone you can define the following features:
Services: Predefined or custom services to trust. Trusted services are a combination of ports and protocols that are accessible from other systems and networks.
Ports: Additional ports or port ranges and associated protocols that are accessible from other systems and networks.
Masquerading: Translate IPv4 addresses to a single external address. With masquerading enabled, addresses of a private network are mapped to and hidden behind a public address.
Port Forwarding: Forward inbound network traffic from a specific port or port range to an alternative port on the local system, or to a port on another IPv4 address.
ICMP Filter: Block selected Internet Control Message Protocol messages.
Rich Rules: Extend existing firewalld rules to include additional source and destination addresses and logging and auditing actions.
Interfaces: Network interfaces bound to the zone. The zone for an interface is specified with the ZONE= option in its /etc/sysconfig/network-scripts/ifcfg-* file. If the option is missing, the interface is bound to the default zone.

Predefined firewalld Zones

The firewalld software package includes a set of predefined network zones in the following directory:

# ls -lrt /usr/lib/firewalld/zones/
total 36
-rw-r--r-- 1 root root 342 Sep 15 2015 work.xml
-rw-r--r-- 1 root root 162 Sep 15 2015 trusted.xml
-rw-r--r-- 1 root root 315 Sep 15 2015 public.xml
-rw-r--r-- 1 root root 415 Sep 15 2015 internal.xml
-rw-r--r-- 1 root root 400 Sep 15 2015 home.xml
-rw-r--r-- 1 root root 304 Sep 15 2015 external.xml
-rw-r--r-- 1 root root 291 Sep 15 2015 drop.xml
-rw-r--r-- 1 root root 293 Sep 15 2015 dmz.xml
-rw-r--r-- 1 root root 299 Sep 15 2015 block.xml
The zone files contain preset settings, which can be applied to a network interface. For example:

# grep -i service /usr/lib/firewalld/zones/public.xml
  <service name="ssh"/>
  <service name="dhcpv6-client"/>

In this example, network interfaces bound to the public zone trust only two services, ssh and dhcpv6-client; every other incoming connection is rejected.

A brief explanation of each zone follows:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing
network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.

Setting the Default firewalld Zone

After an initial installation, the public zone is the default zone as specified in the configuration file, /etc/firewalld/firewalld.conf.

# grep -i defaultzone /etc/firewalld/firewalld.conf
DefaultZone=public
Network interfaces are bound to the default zone unless specified with ZONE=[zone] in the ifcfg file. The following command shows the interfaces that are bound to the public zone:

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1
You can use the firewall-cmd command to change the default zone:

# firewall-cmd --set-default-zone=work
success
You can also use the firewall-config GUI to change the default zone. From the menu bar, select Options->Change Default Zone, and then select a zone from a pop-up list.

firewalld Services

– A firewalld service is a combination of local ports and protocols and destination addresses.
– A firewalld service can also include Netfilter kernel modules that are automatically loaded when a service is enabled.
– The firewalld software package includes a set of predefined services in the following directory:

# ls /usr/lib/firewalld/services/
Each service is defined in its own XML file named after the service, for example ssh.xml, dhcpv6-client.xml and http.xml. Custom definitions belong in /etc/firewalld/services/, which overrides the package directory.
– Services can be enabled for a zone in Runtime mode.
– Service definitions can only be edited in Permanent mode.
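The zone and service files above share one small XML vocabulary: `<service name="..."/>` entries in a zone, `<port protocol="..." port="..."/>` entries in a service. The following added example (not from the original page) reads both and writes a custom service definition, which is the cleaner alternative to opening raw ports with --add-port. Everything runs on constructed files in a temporary directory; the service name "myapp" and its ports are assumptions. On a real host the generated file goes into /etc/firewalld/services/ and is enabled with `firewall-cmd --permanent --zone=public --add-service=myapp` followed by `firewall-cmd --reload`.

```shell
#!/bin/sh
# Added example (not from the page): read the firewalld zone/service XML
# format and write a custom service definition. All files are constructed
# in a temp dir; nothing here touches /etc/firewalld or needs root.

# Print the services a zone (or service) file trusts, one per line.
# Assumes one XML element per line, as the stock files are written.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Print the port/protocol pairs a zone or service file opens.
zone_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# Write DIR/NAME.xml opening the given PORT/PROTO pairs.
# Usage: make_service_xml DIR NAME "short description" PORT/PROTO...
make_service_xml() {
    dir=$1; name=$2; short=$3; shift 3
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$short"
        for pp in "$@"; do
            port=${pp%/*}; proto=${pp#*/}
            printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        done
        printf '</service>\n'
    } > "$dir/$name.xml"
}

# Demo: a constructed copy of the stock public.xml plus a custom service
# ("myapp" and its ports are made up for the example).
WORK=$(mktemp -d)
cat > "$WORK/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
make_service_xml "$WORK" myapp "My application" 5000/tcp 5001/udp
echo "public zone trusts:";  zone_services "$WORK/public.xml"
echo "myapp service opens:"; zone_ports "$WORK/myapp.xml"
rm -rf "$WORK"
```

Because files in /etc/firewalld override those in /usr/lib/firewalld by name, the same helper can be used to shadow a stock service definition (write a file with the same name) without editing anything under /usr/lib.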

Start firewalld

To start firewalld:

# systemctl start firewalld
To ensure firewalld starts at boot time:

# systemctl enable firewalld
To check if firewalld is running:

# systemctl status firewalld
# firewall-cmd --state
Three methods to configure the firewalld service:
– firewall-cmd : Command-line interface
– firewall-config : Graphical user interface
– Edit various XML configuration files.

The firewall-cmd Utility

The command-line tool firewall-cmd is part of the firewalld application, which is installed by default. To get help on the firewall-cmd command:

# firewall-cmd --help
The firewall-cmd command offers categories of options such as General, Status, Permanent, Zone, IcmpType, Service, Adapt and Query Zones, Direct, Lockdown, Lockdown Whitelist, and Panic. To list information for all zones:

# firewall-cmd --list-all-zones
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:

To permit access by HTTP clients for the public zone:

# firewall-cmd --zone=public --add-service=http
success
To list services that are allowed for the public zone:

# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
Using this command only changes the Runtime configuration and does not update the configuration files.
The configuration changes made in Runtime configuration mode are lost when the firewalld service is restarted (and likewise when the permanent configuration is reloaded with firewall-cmd --reload):

# systemctl restart firewalld
# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
To make changes permanent, use the --permanent option. Example:

# firewall-cmd --permanent --zone=public --add-service=http
success
Changes made in Permanent configuration mode are written to the configuration files but are not implemented immediately: the running firewall still rejects HTTP until the permanent configuration is loaded. Either restart the service, or, preferably, run firewall-cmd --reload, which loads the permanent configuration without dropping established connections. In practice a change is therefore applied twice, once with --permanent and once without, or made with --permanent and followed by a reload. Newer firewalld releases also offer firewall-cmd --runtime-to-permanent, which saves the current runtime configuration as the permanent one. Example:

# systemctl restart firewalld
# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh

CentOS / RHEL 7 : Configuring an NFS server and NFS client

NFS allows a Linux server to share directories with other UNIX clients over the network. The NFS server exports a directory and the NFS client mounts it. RHEL 7 supports two versions of NFS: NFSv3 and NFSv4.

NFS server and RPC processes

Starting the nfs-server service starts the NFS server and the supporting RPC processes. The RPC processes include:
– rpc.statd : implements the Network Status Monitor (NSM) protocol between NFS client and NFS server
– rpc.mountd : the NFS mount daemon, which implements the server side of mount requests from NFSv3 clients
– rpc.idmapd : maps NFSv4 names to local UIDs and GIDs
– rpc.rquotad : provides user quota information for remote users

Configuring NFS server

1. Install the required nfs packages if not already installed on the server :

# rpm -qa | grep nfs-utils
# yum install nfs-utils rpcbind
2. Enable the services at boot time:

# systemctl enable nfs-server
# systemctl enable rpcbind
# systemctl enable nfs-lock
In RHEL 7.1 (nfs-utils-1.3.0-8.el7) enabling nfs-lock fails with "No such file or directory". It does not need to be enabled, because rpc-statd.service is a static unit that is pulled in on demand.

# systemctl enable nfs-idmap
In RHEL 7.1 (nfs-utils-1.3.0-8.el7) this fails in the same way. It does not need to be enabled, because nfs-idmapd.service is static.

3. Start the NFS services:

# systemctl start rpcbind
# systemctl start nfs-server
# systemctl start nfs-lock
# systemctl start nfs-idmap
4. Check the status of NFS service:

# systemctl status nfs-server
5. Create a shared directory:

# mkdir /test
6. Export the directory. The format of an /etc/exports line is :

/dir client1(options) [client2(options) ...]
There must be no space between a client and its parenthesised options. "client1 (options)" with a space means two different things: client1 with the default options, and every other host with (options). A client can be a host name, an IP address, a network such as 192.168.1.0/24, or the wildcard *.
Client options include (defaults are listed first) :
ro / rw :
a) ro : allow clients read only access to the share.
b) rw : allow clients read write access to the share.
sync / async :
a) sync : NFS server replies to request only after changes made by previous request are written to disk.
b) async : specifies that the server does not have to wait.
wdelay / no_wdelay
a) wdelay : NFS server delays committing write requests when it suspects another write request is imminent.
b) no_wdelay : use this option to disable the delay. no_wdelay only has an effect when the default sync option is in use.
no_all_squash / all_squash :
a) no_all_squash : does not change the mapping of remote users.
b) all_squash : to squash all remote users including root.
root_squash / no_root_squash :
a) root_squash : prevent root users connected remotely from having root access. Effectively squashing remote root privileges.
b) no_root_squash : disable root squashing.

Example (this exports /test read-write to every host that can reach the server, which is only acceptable on an isolated lab network; in production restrict the client to a host or network, e.g. /test 192.168.1.0/24(rw,sync), and keep the root_squash default) :

# vi /etc/exports
/test *(rw)
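The options list above makes three mistakes easy: a stray space before the parenthesis (which silently turns the options into a world-wide export), a * client, and no_root_squash. The following added example (not from the original page) is a small audit that flags all three in an exports file; the file it checks is constructed for the demo and the paths and networks in it are made up. Run it as `audit_exports /etc/exports` on a real server before `exportfs -r`.

```shell
#!/bin/sh
# Added example (not from the page): audit an /etc/exports file for the
# mistakes the option list above makes easy to commit.
# Usage: audit_exports FILE   -> one WARN line per finding, nothing if clean
# The body runs in a subshell with globbing off so that a "*" client is
# never expanded against the current directory.
audit_exports() (
    set -f
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dir rest; do
        # "host (rw)" with a space is the classic trap: the options in
        # parentheses no longer belong to host but to a wildcard client.
        case "$rest" in
            *[[:space:]]'('*) echo "WARN $dir: space before '(' - options apply to every host, not to the one listed" ;;
        esac
        for client in $rest; do
            host=${client%%"("*}
            opts=""
            if [ "$host" != "$client" ]; then
                opts=${client#*"("}; opts=${opts%")"}
            fi
            case "$host" in
                ''|'*') echo "WARN $dir: exported to all hosts ($client)" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "WARN $dir: no_root_squash for '$host' (remote root is root on this server)" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "WARN $dir: insecure for '$host' (accepts requests from unprivileged source ports)" ;;
            esac
        done
    done
)

# Demo on a constructed exports file; the paths and networks are made up.
EXPORTS=$(mktemp)
cat > "$EXPORTS" <<'EOF'
# constructed sample /etc/exports
/test *(rw)
/srv/data 192.168.1.0/24(rw,sync,root_squash)
/srv/build 192.168.1.10 (rw,no_root_squash)
/home 10.0.0.0/8(ro,sync)
EOF
audit_exports "$EXPORTS"
rm -f "$EXPORTS"
```

On the sample file the /srv/build line produces three findings: the space itself, the resulting wildcard client, and no_root_squash granted to that wildcard, which is exactly the combination that hands remote root to anyone on the network. `exportfs -v` after re-exporting shows which options the kernel actually applied and is the quickest way to confirm the fix.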
7. Exporting the share :

# exportfs -r
-r re-exports all entries in /etc/exports and synchronises /var/lib/nfs/etab with /etc/exports. /var/lib/nfs/etab is the master export table. Other options that can be used with the exportfs command are :

-a : export (or, together with -u, unexport) all directories listed in /etc/exports
-i : ignore /etc/exports and use only the directories given on the command line
-u : unexport one or more directories
-o : specify client options on the command line
-v : verbose; exportfs -v with no other arguments lists what is currently exported and with which options
8. Restart the NFS service:

# systemctl restart nfs-server
Configuring NFS client

1. Install the required nfs packages if not already installed on the server :

# rpm -qa | grep nfs-utils
# yum install nfs-utils
2. Use the mount command to mount exported file systems. Syntax for the command:

mount -t nfs -o options host:/remote/export /local/directory
Example :

# mount -t nfs -o ro,nosuid remote_host:/home /remote_home
This example does the following:
– It mounts /home from remote host (remote_host) on local mount point /remote_home.
– File system is mounted read-only and users are prevented from running a setuid program (-o ro,nosuid options).

3. Update /etc/fstab to mount NFS shares at boot time.

# vi /etc/fstab
remote_host:/home /remote_home nfs ro,nosuid 0 0
Firewalld services to be active on NFS server

For the NFS server to be reachable, enable the nfs, mountd and rpc-bind services in the relevant zone with the firewall-config application or with firewall-cmd, then reload so the permanent change takes effect :

# firewall-cmd --add-service=nfs --zone=internal --permanent
# firewall-cmd --add-service=mountd --zone=internal --permanent
# firewall-cmd --add-service=rpc-bind --zone=internal --permanent
# firewall-cmd --reload
Clients that use NFSv4 only need the nfs service (port 2049); mountd and rpc-bind are required for NFSv3.

CentOS / RHEL 7 : How to switch to iptables from firewalld

Question : How to disable firewalld and enable iptables instead?

Answer :
To switch to from firewalld to iptables follow the steps given below.

1. Firstly ensure the iptables-services package is installed.

# yum install -y -q iptables-services
2. Then prepare the iptables rules you wish to use by editing /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. These are the files the iptables and ip6tables services load at start, in the format produced by iptables-save.
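Step 2 is where most switch-overs go wrong: if /etc/sysconfig/iptables is empty when firewalld stops, the host is wide open until the file is written. The following added example (not from the original page) generates a ruleset in iptables-save format that reproduces what firewalld's default public zone did: loopback, replies to established connections, ICMP and ssh are accepted and everything else is rejected with icmp-host-prohibited. Extra TCP ports are passed as arguments; the function name and the 80/443 demo ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): emit an /etc/sysconfig/iptables
# ruleset (iptables-save format) equivalent to firewalld's "public" zone.
# Usage: gen_iptables_rules [tcp_port ...] > /etc/sysconfig/iptables
# Port 22 is always opened; invalid ports abort before anything is printed.
gen_iptables_rules() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_iptables_rules: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "gen_iptables_rules: port out of range '$p'" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
EOF
    for p in "$@"; do
        [ "$p" = 22 ] && continue          # ssh is already open above
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo: ruleset with http and https opened in addition to ssh.
gen_iptables_rules 80 443
```

Write the equivalent /etc/sysconfig/ip6tables by hand: the same structure with `-p ipv6-icmp` in place of `-p icmp` and `--reject-with icmp6-adm-prohibited` on the REJECT rules. After step 4, compare `iptables -S INPUT` with the old `firewall-cmd --list-all` output before closing the console session, since a mistake here can lock you out of ssh.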

3. Next, disable and stop the firewalld service, then mask it so that it cannot be started again by D-Bus activation or by mistake while iptables is managing the rules

# systemctl disable firewalld
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
# systemctl stop firewalld
# systemctl mask firewalld
4. Then start iptables services :

# systemctl start iptables
# systemctl start ip6tables
5. Enable iptables service to automatically start at boot :

# systemctl enable iptables
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
# systemctl enable ip6tables
ln -s '/usr/lib/systemd/system/ip6tables.service' '/etc/systemd/system/basic.target.w

CentOS / RHEL 7 firewalld : Command line reference (Cheat Sheet)

firewalld is the new way of interacting with the iptables rules in RHEL 7. It allows you to set new security rules and activate them at runtime without disconnecting any existing connections.

Managing firewalld

# firewall-cmd --state — Display whether the service is running
# systemctl status firewalld — Another command to display the status of the service
# systemctl restart firewalld — To restart the service
# firewall-cmd --reload — To reload the permanent rules without interrupting existing connections
To start/stop/status firewalld service

# systemctl start firewalld.service
# systemctl stop firewalld.service
# systemctl status firewalld.service
To enable/disable firewalld service at boot time

To enable firewalld service from starting at boot time.

# systemctl enable firewalld
To disable firewalld service from starting at boot time.

# systemctl disable firewalld
To list details of default and active zones

# firewall-cmd –get-default-zone
# firewall-cmd --get-active-zones
# firewall-cmd –list-all
To add/remove interfaces to zones

To add interface “eth1” to “public” zone.

# firewall-cmd --zone=public --change-interface=eth1
To list/add/remove services to zones

To list available services :

# firewall-cmd –get-services
To add the "samba" and "samba-client" services to a specific zone. Include the --permanent flag to make the change permanent, and follow it with firewall-cmd --reload to activate it.

# firewall-cmd --zone=public --add-service=samba --add-service=samba-client --permanent
To list services configured in a specific zone.

# firewall-cmd --zone=public --list-services
To list and add ports to the firewall

# firewall-cmd --list-ports
# firewall-cmd --zone=public --add-port=5000/tcp
Note:
If you change the ZONE= setting in an ifcfg file, restart the network service and then firewalld so that the new interface-to-zone binding is picked up.

# systemctl restart network.service
# systemctl restart firewalld.service

CentOS / RHEL 7 : How to password protect GRUB2 menu entries

Why should a Linux boot loader have password protection?

The following are the primary reasons for password protecting a Linux boot loader:
1. Preventing Access to Single User Mode – If an attacker can boot into single user mode, he becomes the root user.
2. Preventing Access to the GRUB Console – If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
3. Preventing Access to Non-Secure Operating Systems – If it is a dual-boot system, an attacker can select at boot time an operating system, such as DOS, which ignores access controls and file permissions.

Password protecting GRUB2

Follow the steps below to password protect GRUB2 in RHEL 7.
1. Remove --unrestricted from the main CLASS= declaration in the /etc/grub.d/10_linux file.
This can be done with sed:

# sed -i "/^CLASS=/s/ --unrestricted//" /etc/grub.d/10_linux
2. If a user hasn’t already been configured, use grub2-setpassword to set a password for the root user :

# grub2-setpassword
This creates a file /boot/grub2/user.cfg if not already present, which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user.
Example /boot/grub2/user.cfg file :

# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CC6F56BFCFB90C49E6E16DC7234BF4DE4159982B6D121DC8EC6BF0918C7A50E8604CA40689A8B26EA01BF2A76D33F7E6C614E6289ABBAA6944ECB2B6DEB2F3CF.4B929016A827C36142CC126EB47E86F5F98E92C8C2C924AD0C98436E4699DF7536894F69BB904FDB5E609B9A5D67E28A7D79E8521C0B0AE6C031589FA0452A21
3. Recreate the grub config with grub2-mkconfig. On a UEFI system the file to write is /boot/efi/EFI/centos/grub.cfg (CentOS) or /boot/efi/EFI/redhat/grub.cfg (RHEL) instead of /boot/grub2/grub.cfg :

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file …
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-f9725b0c842348ce9e0bc81968cf7181
Found initrd image: /boot/initramfs-0-rescue-f9725b0c842348ce9e0bc81968cf7181.img
done
4. Reboot the server and verify.

# shutdown -r now
Note that all defined grub menu entries will now require entering user & password each time at boot; henceforth, the system will not boot any kernel without direct user intervention from the console. When prompted for user, enter “root”. When prompted for password, enter whatever was passed to the grub2-setpassword command :
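Before rebooting it is worth confirming that all three steps actually took: the hash is in user.cfg, --unrestricted is gone from 10_linux, and grub.cfg has been regenerated so that it sources user.cfg and no longer carries --unrestricted menu entries. The following added example (not from the original page) is such a check. It takes a root directory so it can be run against a mounted image or, as in the demo, a constructed fake tree (the hash value there is made up); on a live BIOS host call it as `check_grub_password ""`, and on UEFI pass the grub.cfg path from step 3 as the second argument.

```shell
#!/bin/sh
# Added example (not from the page): verify, before rebooting, that the
# three steps above left GRUB2 password-protected.
# Usage: check_grub_password ROOT [GRUB_CFG]
#   ROOT     prefix for the files to inspect ("" for the live system)
#   GRUB_CFG defaults to ROOT/boot/grub2/grub.cfg (BIOS); on UEFI pass
#            ROOT/boot/efi/EFI/centos/grub.cfg or .../redhat/grub.cfg
# Prints one OK/FAIL line per check and returns 0 only if all pass.
check_grub_password() {
    root=$1
    ucfg="$root/boot/grub2/user.cfg"
    linux="$root/etc/grub.d/10_linux"
    gcfg=${2:-"$root/boot/grub2/grub.cfg"}
    rc=0
    # 1. grub2-setpassword must have written a PBKDF2-SHA512 hash.
    if grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$ucfg" 2>/dev/null; then
        echo "OK   $ucfg holds a grub.pbkdf2.sha512 hash"
    else
        echo "FAIL $ucfg missing or has no grub.pbkdf2.sha512 hash (run grub2-setpassword)"; rc=1
    fi
    # 2. --unrestricted must be gone from CLASS= or entries boot without a password.
    if grep -q '^CLASS=.*--unrestricted' "$linux" 2>/dev/null; then
        echo "FAIL $linux CLASS= still contains --unrestricted"; rc=1
    else
        echo "OK   $linux CLASS= has no --unrestricted"
    fi
    # 3. grub.cfg must have been regenerated: no --unrestricted entries,
    #    and the 01_users block that sources user.cfg must be present.
    if grep -q -- '--unrestricted' "$gcfg" 2>/dev/null; then
        echo "FAIL $gcfg still has --unrestricted menu entries (rerun grub2-mkconfig)"; rc=1
    elif grep -q 'user\.cfg' "$gcfg" 2>/dev/null; then
        echo "OK   $gcfg sources user.cfg"
    else
        echo "FAIL $gcfg does not source user.cfg (rerun grub2-mkconfig)"; rc=1
    fi
    return $rc
}

# Demo on a constructed fake tree in a temp dir (the hash value is made up).
FAKE=$(mktemp -d)
mkdir -p "$FAKE/boot/grub2" "$FAKE/etc/grub.d"
echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.AAAA.BBBB' > "$FAKE/boot/grub2/user.cfg"
echo 'CLASS="--class gnu-linux --class gnu --class os"' > "$FAKE/etc/grub.d/10_linux"
cat > "$FAKE/boot/grub2/grub.cfg" <<'EOF'
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
fi
menuentry 'CentOS Linux' --class os {
}
EOF
check_grub_password "$FAKE" && echo "all checks passed"
rm -rf "$FAKE"
```

The third check matters most: grub2-setpassword and the sed edit change only inputs, and an old grub.cfg keeps booting unprotected entries until grub2-mkconfig has been run against the right output path.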

Remove password protection

To remove the password protection we can add the --unrestricted text to the main CLASS= declaration in /etc/grub.d/10_linux again. Another way is to remove the /boot/grub2/user.cfg file which stores the hashed GRUB bootloader password.

Restricting only GRUB menu entry editing

If you only want to simply prevent users from entering the grub command line and edit menu entries (as opposed to completely locking menu entries), then all that is needed is execution of grub2-setpassword command.

CentOS / RHEL 7 : Chrony V/s NTP (Differences Between ntpd and chronyd)

Choosing between Chrony and NTP

– In RHEL 7 ntpd is replaced by chronyd as the default network time protocol daemon.
– Basic configuration for synchronizing the time and date is stored in the file /etc/chrony.conf.
– ntpd is still included in yum repository for customers who need to run an NTP service.
– Chrony is a different implementation of the network time protocol (NTP) than the network time protocol daemon (ntpd) that is able to synchronize the system clock faster and with better accuracy than ntpd.

Benefits of Chrony include:

1. Faster synchronization requiring only minutes instead of hours to minimize the time and frequency error, which is useful on desktops or systems not running 24 hours a day.
2. Better response to rapid changes in the clock frequency, which is useful for virtual machines that have unstable clocks or for power-saving technologies that don’t keep the clock frequency constant.
3. After the initial synchronization, it never steps the clock so as not to affect applications needing system time to be monotonic.
4. Better stability when dealing with temporary asymmetric delays, for example when the link is saturated by a large download.
5. Periodic polling of servers is not required, so systems with intermittent network connections can still quickly synchronize clocks.

When to use chrony

Chrony would be considered a best match for the systems which are frequently suspended or otherwise intermittently disconnected from a network (mobile and virtual servers etc).

When to use NTP

The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd.

CentOS / RHEL 7 : How to sync chrony to local clock

Question : How to sync chrony to the local clock.

Answer :
When the chrony service starts, settings in /etc/chrony.conf tell it under which conditions to set the time. The procedure below lets you use the local clock as the source chrony synchronizes to, which is useful on an isolated network where one host must serve time to the others. Such a server only gives its clients a consistent time, not a correct one.

1. Currently the chrony does not sync to local clock and ‘chronyc sources’ command gives the following result :

# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^? localhost
2. Edit /etc/chrony.conf to add the settings below. All three entries are needed for local clock synchronization. (It is the local stratum directive that makes chronyd serve its own clock; the server 127.127.1.0 line is an ntpd convention for the local clock that chrony does not implement as a reference clock. Since 127.127.1.0 is a loopback address, together with allow 127.0.0.0/8 it makes chronyd poll itself over loopback, which is what the source shown in step 4 is.)

# vi /etc/chrony.conf
server 127.127.1.0
allow 127.0.0.0/8
local stratum 10
3. Restart chronyd service

# systemctl restart chronyd.service
4. Verify the status of chrony synchronization

# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 127.127.1.0 15 6 377 42 -4471ns[ -13us] +/- 204us

CentOS / RHEL 7 : How to configure serial getty with systemd

With SysV init, by default, getty processes are started on the first six virtual consoles. They can be accessed with the Ctrl+Alt+F1 to Ctrl+Alt+F6 key combination. systemd starts the getty processes only when needed. That means, only after you change to, for instance, the second virtual terminal by pressing Ctrl+Alt+F2 is the getty process started in that terminal.

The /usr/lib/systemd/system/getty@.service file is responsible for the virtual terminals (/dev/tty[X]). /usr/lib/systemd/system/serial-getty@.service is responsible for all other terminals, such as a serial terminal on /dev/ttyS0.

Systemd provides a template unit file for serial getty. Template file can be found here

/lib/systemd/system/serial-getty@.service
Steps

1. First copy the template:

# cp /usr/lib/systemd/system/serial-getty@.service /etc/systemd/system/serial-getty@ttyS0.service
2. Then edit the file and modify the agetty line:

[Service]
ExecStart=-/sbin/agetty --keep-baud 115200,38400,9600 %I $TERM    <-- Change this parameter
Type=idle
3. Create a symlink (this is the same link that systemctl enable creates in step 4, so this step can be skipped):

# ln -s /etc/systemd/system/serial-getty@ttyS0.service /etc/systemd/system/getty.target.wants/
4. Reload the daemon and start the service:

# systemctl daemon-reload
# systemctl start serial-getty@ttyS0.service
# systemctl enable serial-getty@ttyS0.service

CentOS / RHEL 7 : How to change runlevels (targets) with systemd

systemd has replaced SysVinit as the default service manager in RHEL 7. Some of the SysVinit commands have been symlinked to their RHEL 7 counterparts; however, these will eventually be deprecated in favour of the standard systemd commands.

SysVinit V/s systemd runlevels

Here is a comparison between SysVinit runlevels V/s systemd targets.

SysVinit runlevel   systemd target                                         Function
0                   runlevel0.target, poweroff.target                      System halt/shutdown
1, s, single        runlevel1.target, rescue.target                        Single-user mode
2, 4                runlevel2.target, runlevel4.target, multi-user.target  User-defined/site-specific runlevels; by default identical to 3
3                   runlevel3.target, multi-user.target                    Multi-user, non-graphical mode, text console only
5                   runlevel5.target, graphical.target                     Multi-user, graphical mode
6                   runlevel6.target, reboot.target                        Reboot
emergency           emergency.target                                       Emergency mode
Changing runlevels with systemd

The runlevel target can be changed by using the systemctl isolate command :

# systemctl isolate multi-user.target
To view what targets are available you can issue the list-units option with the type target

# systemctl list-units --type=target
Run level 3 is emulated by multi-user.target. This is done by symbolic link and can be used interchangeably

# systemctl isolate multi-user.target
# systemctl isolate runlevel3.target
# ls -l /usr/lib/systemd/system/runlevel3.target
lrwxrwxrwx 1 root root 17 Oct 18 11:41 /usr/lib/systemd/system/runlevel3.target -> multi-user.target
Run level 5 is emulated by graphical.target. This is also done by symbolic link and can be used interchangeably

# systemctl isolate graphical.target
# systemctl isolate runlevel5.target
# ls -l /usr/lib/systemd/system/runlevel5.target
lrwxrwxrwx 1 root root 16 Oct 18 11:41 /usr/lib/systemd/system/runlevel5.target -> graphical.target
Changing the default runlevel

The default runlevel can be changed by using the set-default option.

# systemctl set-default multi-user.target
To get the currently set default, you can use the get-default option.

# systemctl get-default
The default runlevel in systemd can also be set using the below method (not recommended though).

# ln -sf /lib/systemd/system/[desired].target /etc/systemd/system/default.target
The default target can also be set in the kernel line during boot by adding the following option :

systemd.unit=multi-user.target

CentOS / RHEL 7 : systemd-analyze command to find booting time delays

Question : My system is taking a lot of time to boot. How can I find out which services are taking long time to start?

Answer :

The systemd-analyze command can be used to find out how long each service took to start. systemd-analyze time gives the overall picture. Here is command output that clearly shows the time taken by the kernel, initrd and userspace while booting.

# systemd-analyze time
Startup finished in 1.267s (kernel) + 6.798s (initrd) + 1min 2.139s (userspace) = 1min 10.205s
To find out, how much time each unit took to start, run systemd-analyze blame.

# systemd-analyze blame
24.728s dev-mapper-centos\x2droot.device
15.135s kdump.service
14.670s plymouth-quit-wait.service
14.210s firewalld.service
9.835s accounts-daemon.service
7.383s ModemManager.service
7.259s libvirtd.service
7.257s systemd-logind.service
7.177s ksm.service
7.081s gssproxy.service
7.067s avahi-daemon.service
7.062s rsyslog.service
7.039s abrt-ccpp.service
As you see the output is sorted according to the time taken by each unit, you can easily find out which service is taking more time during booting and can dig down deeper to analyze the issue.

At certain steps, the boot cannot proceed until all dependencies for unit are satisfied. To see units at these critical points run systemd-analyze critical-chain.

# systemd-analyze critical-chain
The time after the unit is active or started is printed after the “@” character.
The time the unit takes to start is printed after the “+” character.

graphical.target @1min 2.102s
└─multi-user.target @1min 2.102s
  └─abrt-vmcore.service @1min 1.228s +872ms
    └─kdump.service @46.090s +15.135s
      └─remote-fs.target @46.086s
        └─remote-fs-pre.target @46.083s
          └─iscsi-shutdown.service @45.951s +99ms
            └─network.target @45.944s
              └─network.service @44.959s +975ms
                └─NetworkManager.service @38.653s +689ms
                  └─firewalld.service @24.439s +14.210s
                    └─basic.target @23.850s
                      └─sockets.target @23.849s
                        └─cups.socket @23.847s
                          └─sysinit.target @23.618s
                            └─systemd-update-utmp.service @23.603s +13ms
                              └─auditd.service @22.959s +643ms
                                └─systemd-tmpfiles-setup.service @22.726s +230ms
                                  └─rhel-import-state.service @22.431s +294ms
                                    └─local-fs.target @22.428s
                                      └─boot.mount @19.675s +2.126s
                                        └─dev-disk-by\x2duuid-7de2053c\x2d44d7\x2d4f33\x2db522\x2d81dee2f6b69b.device @19.652s
An SVG graphic can be plotted that details when each system service started, highlighting the time it spent on initialization. A graphical display (X) is needed to view the plot.

# systemd-analyze plot > plot.svg
# eog plot.svg
Here is a snip from sample plot on my CentOS 7 machine. Zoom in to check the waterfall clearly.