Grub2 explained

Linux boot options in RHEL, SLES help ailing servers

GRUB2 and systemd present a major change for Linux boot options in Red Hat Enterprise Linux 7 and SUSE Linux Enterprise Server, including a change in how admins troubleshoot a server that doesn’t boot properly and requires essential recovery tasks.

When a Linux server boots, it first reads the GRUB2 configuration to discover which disk contains the root file system, as well as where to find the kernel and initramfs. If something is configured incorrectly, the system administrator must change the settings to allow the server to boot properly.

Figure 1. Editing GRUB2 boot options.

To do so, press the Escape key when GRUB2 loads to see available boot options. Select the option you want to modify and press e to enter the editor mode. This will show all the options that are loaded from the GRUB2 configuration files in /etc/default/grub and /etc/grub.d.

From the Linux boot options menu, select the line that you want to edit. Often, this is the line that loads the kernel. Some of the most important boot options have changed in RHEL 7 and SLES: systemd units, collections of systemd services that need to be started, replace runlevels, rescue mode and emergency mode.

Systemd units (targets) are the building blocks of Linux boot options, and there are a few key targets that every Linux administrator must know:

  • rescue.target: Rescue mode, which loads all the services needed for a fully operational system, but no network services or other non-essential services. It is comparable to runlevel 1 from the init boot procedure.
  • emergency.target: A minimal mode in which almost nothing is loaded. You’ll have a root file system, but very few services. This target can be compared to passing init=/bin/bash when starting an init-based server.
  • multi-user.target: Replaces the runlevel 3. It is the basic mode a server starts in by default.
  • graphical.target: The new version of runlevel 5 that starts all services as well as the graphical interface.
  • poweroff.target: The old runlevel 0, which shuts down the server.
  • reboot.target: The old runlevel 6, which reboots a server.

To specify which target to use during boot, pass it as an argument on the GRUB2 line that loads the kernel: add systemd.unit=emergency.target, or systemd.unit= followed by the name of whichever target you want to start, to the end of that line.

Figure 2. Specifying the target you want to start at the end of the line that loads the kernel.

To enter any of these targets, use the systemctl command — as in systemctl isolate reboot.target. Distribution vendors keep the old commands operational to simplify the process. So if you cannot get accustomed to the new way of working, the telinit 6 command will work.

When you finish applying modifications to the line from the GRUB menu, use Ctrl-X to boot. Once in a specific mode, like emergency mode, type the systemctl command to find out which systemd services started. This provides an overview of all loaded services. In emergency.target mode, these will be minimal (see Figure 3).

Figure 3. Getting an overview of currently loaded services in emergency.target mode.

After troubleshooting, use systemctl isolate, followed by the name of the target you want to go to, to return to the normal server state. For example, type systemctl isolate multi-user.target to start the equivalent of runlevel 3.

Changing GRUB2 default settings

If you modified the default GRUB2 startup from the GRUB2 boot menu, you should apply those modifications permanently to the GRUB2 configuration. Type the command grub2-mkconfig -o /boot/grub2/grub.cfg. This writes the settings you used to boot your server to the default GRUB2 configuration file /boot/grub2/grub.cfg. It only works if your GRUB configuration contained some real errors.

Figure 4. The /etc/default/grub configuration file.

Change the grub configuration to change the default behavior of GRUB2. Start with the file /etc/default/grub, which contains most of the common GRUB2 settings you had to change. The GRUB_CMDLINE_LINUX line contains every option that your server’s kernel starts with by default. Modifying this line applies changes permanently.

Aside from the /etc/default/grub file, there are also files in the /etc/grub.d directory, which rarely require modification.

After applying changes to the GRUB2 configuration files, write them to your system with the grub2-mkconfig -o /boot/grub2/grub.cfg command.

Original page here

RHEL 7 and firewalld

A few ways to configure Linux firewalld

Initially, firewalld looks difficult to use, but it really isn’t. Services and zones make it easy to put the pieces together and configure Linux firewalls.

Although it also works on the netfilter code in the Linux kernel, firewalld is totally incompatible with the old way to configure Linux firewalls. Red Hat Enterprise Linux 7 and other current distributions rely on this new method.

All examples of commands in this article are based on RHEL 7.

Firewalld works with zones

First, verify that firewalld is running. Use the command systemctl status firewalld (Listing 1).

Listing 1. This sequence shows that firewalld is active and running. Some lines were ellipsized; use -l when you try it to show them in full.

[root@rhelserver ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Thu 2014-05-22 07:48:08 EDT; 14min ago
 Main PID: 867 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─867 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 22 07:48:08 rhelserver.example.com systemd[1]: Started firewalld - dynami…

Everything in firewalld relates to one or more zones.

After installation, a RHEL 7 server is normally in the public zone, but you may want to add it to another zone to easily configure firewall access. The command firewall-cmd --get-default-zone shows which zone you’re in, and firewall-cmd --get-zones shows the available zones. For detailed information about the configuration of a specific zone, you can use firewall-cmd --zone=zonename --list-all (Listing 2).

Listing 2. These commands show the zone or zones in which you’re setting up Linux firewalls.

[root@rhelserver ~]# firewall-cmd --get-default-zone
public
[root@rhelserver ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@rhelserver ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: ens33
  sources:
  services: dhcpv6-client sander ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Changing the current zone isn’t difficult: Use firewall-cmd --set-default-zone=home, for example, to change the default zone assignment from public to home.

Services and other building blocks

There are a few basic building blocks in the zones — services are the most important. Firewalld uses its own set of services that are configured using XML files in the directories /usr/lib/firewalld/services (for the system default services) and /etc/firewalld/services for services that you, the administrator, create. To configure services, create an XML file based on the example from Listing 3.

Listing 3. An example of a configuration of firewalld services.

[root@rhelserver services]# cat ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>

Each service definition needs a short name, a description, a port section that specifies the protocol and port to be used, and a module name.

Listing 4. This example of a configuration file will create a firewalld service.

[root@rhelserver services]# cat sander.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Sander</short>
  <description>Sander is a random service to show how service configuration works.</description>
  <port port="666" protocol="tcp"/>
</service>

Once you have the right service file, use these commands to manipulate it.

The command firewall-cmd --list-services shows a list of all services that were found on your server. To add a service, use firewall-cmd --add-service yourservice to put it into the default zone, or add --zone=zonename to choose a specific zone.

Here’s how it works:

1. The command firewall-cmd --zone=public --list-all shows the current configuration of the public zone.

[root@rhelserver ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

2. The command firewall-cmd --zone=public --add-service=ftp adds the FTP service to the public zone in the Linux firewall.

3. Verify that the FTP service was added successfully by repeating step 1. You will see it in the list of services.

4. Restart your server and repeat step 1. You will see that the FTP service has disappeared. In firewalld, nothing is permanent unless you use the option --permanent.

5. To add FTP to the public zone and make it a permanent setting, use firewall-cmd --permanent --zone=public --add-service=ftp. It will now survive a reboot.

6. Type firewall-cmd --reload to apply all rules and reload the firewall.

It is extremely important when working with firewalld to use the --permanent option to make settings permanent.

Breaking the rules

Services are the preferred way of configuring firewalld, easily providing a global overview of what your firewall is doing. But if you don’t want to make your own service file in /etc/firewalld/services, you can add ports without them.

To assign a specific port to a specific zone, use a command like firewall-cmd --permanent --zone=dmz --add-port=22/tcp, then use firewall-cmd --zone=dmz --list-all to verify that the port was added successfully. While this is an uncomplicated way to add a port, going through services makes it easier to distribute similar rules across different hosts. Without services, there is no self-contained file to copy around, and individual port rules are harder to keep consistent across hosts.

For even more control, you can — but shouldn’t — use a direct rule. Here’s why:

1. Type firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT.

2. Now type firewall-cmd --list-all to show the configuration for your default zone. Nothing was added that relates to port 80.

[root@rhelserver ~]# firewall-cmd --list-all
public (default, active)
  interfaces: ens33
  sources:
  services: dhcpv6-client ftp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Nothing appears about the HTTP port you added because direct rules are written to the iptables interface, not to firewalld.

3. To show direct rules, use firewall-cmd --direct --get-all-rules. Or use the deprecated command iptables -L instead.

Instead of direct rules, use rich rules, which are written to firewalld instead of iptables (Listing 5).

Listing 5. An example of a rich rule in Linux firewalld.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.4.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'

Firewalld rich rules offer a maximum amount of flexibility that is similar to what is possible on an iptables firewall.

Many things are accomplished in Listing 5’s one rule. The IP family, source address and service name may be obvious, but note how the rule handles logging: it defines a specific log prefix, a log level of info, and a limit of at most one message per minute.

The Linux administrator can apply filters that look at more than just ports, so rich rules are particularly useful to filter on IP addresses (Listing 6).

Listing 6. This rich rule applies a filter on IP addresses for the Linux firewall.

firewall-cmd --permanent --zone=public \
    --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'

Analyzing zones

The firewall-cmd command is one of many methods to configure firewalld. Alternatively, you can edit the zone configuration file directly. This doesn’t give you any feedback on wrong syntax, but it’s a clean and straightforward configuration file that is easy to modify and distribute across multiple servers.

Listing 7. You can configure firewalld by editing the zone configuration file.

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.4.0/24"/>
    <service name="tftp"/>
    <log prefix="tftp" level="info">
      <limit value="1/m"/>
    </log>
    <accept/>
  </rule>
</zone>

The example in Listing 7 includes all that was added in the previous examples, written directly to the zone configuration file, with the exception of direct rules. Direct rules have their own configuration file:

[root@rhelserver firewalld]# cat direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp --dport 80 -j ACCEPT</rule>
</direct>
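Added example, not part of the original article: a Python audit over the three firewalld file types shown above (a service definition like Listing 4, a zone file like Listing 7, and direct.xml). It checks that a service file has the short name, description and port element a service definition needs, summarises which services, ports and rich rules a zone admits and whether each accepting rich rule is limited to a source address, and lists the ports that direct ACCEPT rules open, which firewall-cmd --list-all never shows. The XML samples are constructed (the zone has an extra port and an extra rich rule for the demonstration) and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on Listings 4 and 7 and on direct.xml above.
SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Sander</short>
  <description>Sander is a random service to show how service configuration works.</description>
  <port port="666" protocol="tcp"/>
</service>
"""

ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="192.168.4.0/24"/>
    <service name="tftp"/>
    <log prefix="tftp" level="info"><limit value="1/m"/></log>
    <accept/>
  </rule>
  <rule family="ipv4">
    <service name="http"/>
    <accept/>
  </rule>
</zone>
"""

DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp --dport 80 -j ACCEPT</rule>
</direct>
"""


def check_service(xml_text):
    """Return the problems with a service file; an empty list means it carries
    the short name, description and port element(s) a service definition needs."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "service":
        problems.append("root element is not <service>")
    for required in ("short", "description"):
        if root.find(required) is None:
            problems.append("missing <%s>" % required)
    ports = root.findall("port")
    if not ports:
        problems.append("no <port> element")
    for p in ports:
        if not p.get("port") or p.get("protocol") not in ("tcp", "udp"):
            problems.append("<port> needs port= and protocol=tcp|udp")
    return problems


def _rule_target(rule):
    # What a rich rule matches: a named service, a port, or everything.
    svc = rule.find("service")
    if svc is not None:
        return "service " + svc.get("name")
    port = rule.find("port")
    if port is not None:
        return "port %s/%s" % (port.get("port"), port.get("protocol"))
    return "all traffic"


def zone_exposure(zone_xml):
    """Summarise what a zone file admits: plain services and ports, plus the
    rich rules that accept traffic, split by whether a source address limits them."""
    root = ET.fromstring(zone_xml)
    summary = {
        "services": [s.get("name") for s in root.findall("service")],
        "ports": ["%s/%s" % (p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "restricted_accepts": [],
        "unrestricted_accepts": [],
    }
    for rule in root.findall("rule"):
        if rule.find("accept") is None:
            continue
        src = rule.find("source")
        if src is not None:
            summary["restricted_accepts"].append((_rule_target(rule), src.get("address")))
        else:
            summary["unrestricted_accepts"].append(_rule_target(rule))
    return summary


_DPORT = re.compile(r"--dport\s+(\d+)")
_PROTO = re.compile(r"-p\s+(\w+)")


def direct_accepts(direct_xml):
    """Ports opened by direct ACCEPT rules. These never show up in
    firewall-cmd --list-all, so an audit must read direct.xml as well."""
    root = ET.fromstring(direct_xml)
    opened = []
    for rule in root.findall("rule"):
        body = rule.text or ""
        dport = _DPORT.search(body)
        if "-j ACCEPT" in body and dport:
            proto = _PROTO.search(body)
            opened.append("%s/%s" % (dport.group(1), proto.group(1) if proto else "?"))
    return opened
```

Run zone_exposure over /etc/firewalld/zones/*.xml and direct_accepts over /etc/firewalld/direct.xml together; anything in unrestricted_accepts or in the direct list is exposure that a quick look at --list-all can miss.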


Came from here

Seafile: Install and Set


  • Seafile
    • wget https://bitbucket.org/haiwen/seafile/downloads/seafile-server_2.2.1_x86-64.tar.gz
    • tar zxf seafile-server_2.2.1_x86-64.tar.gz
    • apt-get -y install libevent-dev libcurl4-openssl-dev libglib2.0-dev uuid-dev intltool libsqlite3-dev libmysqlclient-dev libarchive-dev libtool libjansson-dev valac libfuse-dev sqlite3 python-mysqldb
    • Install libzdb
    • Install libevhtp
  • Seahub (Web Env)
    • apt-get -y install python-djblets sqlite3 python-simplejson python-image chardet gunicorn
  • Prepare Directories
    • cd seafile dir
    • ./seafile-setup.sh


OpenLDAP on Centos 6

yum install openldap-servers system-config-firewall-tui

# The cn=config LDIF files live under /etc/openldap/slapd.d; edit them with
# slapd stopped and run slaptest afterwards to catch mistakes.
cd /etc/openldap/slapd.d/cn=config
sed -i "s/example/owncloudbook/g" olcDatabase={2}bdb.ldif
sed -i "s/example/owncloudbook/g" olcDatabase={1}monitor.ldif

# Self-signed certificate and key for LDAPS; the file names must match the
# olcTLS* settings below.
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/owncloudbook-cert.pem -keyout /etc/pki/tls/certs/owncloudbook-cert-key.pem -days 3650
chown root:ldap /etc/pki/tls/certs/owncloudbook*
chmod 750 /etc/pki/tls/certs/owncloudbook*

# olcTLSCertificateFile and olcTLSCertificateKeyFile are global (olcGlobal)
# attributes, so they belong in cn=config.ldif, not in a database entry.
cat >> cn=config.ldif <<EOF
olcTLSCertificateFile: /etc/pki/tls/certs/owncloudbook-cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/owncloudbook-cert-key.pem
EOF

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -Rf ldap:ldap /var/lib/ldap

vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
--> save and close

slaptest -u
service slapd start

# Client defaults go in /etc/openldap/ldap.conf
vi /etc/openldap/ldap.conf
TLS_CACERT /etc/pki/tls/certs/owncloudbook-cert.pem
URI ldap://127.0.0.1
BASE dc=owncloudbook,dc=com
--> save and close

ldapsearch -x -b "dc=owncloudbook,dc=com"


groups.ldif and users.ldif

vi /etc/openldap/schema/base.ldif
dn: dc=owncloudbook,dc=com
dc: owncloudbook
objectClass: top
objectClass: domain

dn: ou=Users,dc=owncloudbook,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=Group, dc
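Added example, not part of the original notes: a Python check for a hand-written LDIF such as base.ldif above. Entries typed by hand tend to drift (an OU placed under dc=owncloud instead of dc=owncloudbook, or a misspelled objectClass attribute), and slapadd will either reject them or create entries nobody can find under the configured BASE. The checker parses the LDIF, confirms that each DN sits under the base and that its parent entry exists, and flags attribute names it does not recognise. The sample LDIF is constructed to contain both slips; the attribute list and the function names are assumptions.

```python
import re

# Constructed base.ldif reproducing two common slips: an OU under the wrong
# suffix and a misspelled attribute name.
BASE_LDIF = """\
dn: dc=owncloudbook,dc=com
dc: owncloudbook
objectClass: top
objectClass: domain

dn: ou=Users,dc=owncloud,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=owncloudbook,dc=com
ou: Group
objectClass: top
ocjbectClass: organizationalUnit
"""

# Attribute names the checker recognises: an assumption covering the entries on
# this page, to be extended for real schemas.
KNOWN_ATTRS = {"dc", "ou", "cn", "o", "sn", "uid", "objectclass", "description"}

_RDN_SPLIT = r"(?<!\\),"   # split on commas that are not escaped


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its RDNs so that
    'ou=Users, dc=x' and 'ou=users,dc=x' compare equal."""
    return ",".join(r.strip() for r in re.split(_RDN_SPLIT, dn)).lower()


def parse_ldif(text):
    """Parse LDIF into [{'dn': str, 'attrs': {name: [values]}}], handling
    comments, blank-line separated entries and leading-space continuations."""
    entries, current, last = [], None, None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
            current, last = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last is not None:
            if last == "dn":
                current["dn"] += line[1:]
            else:
                current["attrs"][last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            current, last = {"dn": value, "attrs": {}}, "dn"
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
            last = name
    if current is not None:
        entries.append(current)
    return entries


def check_ldif(text, base_dn, known_attrs=KNOWN_ATTRS):
    """Return '<dn>: <problem>' strings; an empty list means every entry sits
    under base_dn, has a defined parent entry and uses recognised attributes."""
    entries = parse_ldif(text)
    base = normalize_dn(base_dn)
    present = {normalize_dn(e["dn"]) for e in entries}
    problems = []
    for e in entries:
        dn = normalize_dn(e["dn"])
        parts = re.split(_RDN_SPLIT, dn, maxsplit=1)
        parent = parts[1] if len(parts) == 2 else ""
        if dn != base:
            if not dn.endswith("," + base):
                problems.append("%s: outside base %s" % (e["dn"], base_dn))
            if parent not in present:
                problems.append("%s: parent entry %s is not defined" % (e["dn"], parent))
        if not any(a.lower() == "objectclass" for a in e["attrs"]):
            problems.append("%s: no objectClass" % e["dn"])
        for a in e["attrs"]:
            if a.lower() not in known_attrs:
                problems.append("%s: unrecognised attribute %s" % (e["dn"], a))
    return problems
```

Running check_ldif over the file before slapadd, with the same BASE as in /etc/openldap/ldap.conf, catches the suffix mismatch that otherwise only shows up as an empty ldapsearch result.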

Checking for Rootkits and Malware on Linux

  1. wget -O rkhunter-1.4.2.tar.gz http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz/download
  2. tar -zxpvf rkhunter-1.4.2.tar.gz
  3. cd rkhunter-1.4.2
  4. ./installer.sh --layout default --install
  5. /usr/local/bin/rkhunter --update
  6. /usr/local/bin/rkhunter --propupd
  7. rkhunter --check

Pulled from:  http://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/

Needed a bit of updating.


http://www.nextstep4it.com/categories/how-to/rkhunter/

Linux Bonding RHEL style

This should work on RHEL, Centos, and Fedora alike.


# bond0 is built from eth0 and eth1
ifenslave -c bond0 eth1                               # make eth1 the currently active slave
echo "-eth0" > /sys/class/net/bond0/bonding/slaves    # remove eth0 from the running bond
echo "+eth0" > /sys/class/net/bond0/bonding/slaves    # add eth0 back to the running bond
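Added example, not part of the original notes: after ifenslave -c bond0 eth1 or an echo into bonding/slaves, the place to confirm the result is /proc/net/bonding/bond0. This Python script parses that file's layout (bond-level fields first, then one block per "Slave Interface:" line) and reports whether the expected interface is active and whether every slave has link. The status text is constructed to resemble the bonding driver's output and the function names are assumptions.

```python
# Constructed /proc/net/bonding/bond0 content, laid out the way the bonding
# driver prints it, as it might look after 'ifenslave -c bond0 eth1' when
# eth0 has lost link (all values are made up).
BOND0_STATUS = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
Permanent HW addr: 00:00:00:00:00:01
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:00:00:00:00:02
Slave queue ID: 0
"""


def parse_bond_status(text):
    """Split a /proc/net/bonding/<bond> file into the bond-level fields and one
    dict per slave; each 'Slave Interface:' line starts a new slave block."""
    bond, slaves, current = {}, {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # MAC values keep their colons
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":
            current = slaves.setdefault(value, {})
            continue
        (bond if current is None else current)[key] = value
    return bond, slaves


def bond_health(text, expected_active=None):
    """Return findings about a bond; an empty list means the active slave is
    up, every slave has link, there is redundancy, and (if given) the expected
    interface is the active one."""
    bond, slaves = parse_bond_status(text)
    findings = []
    active = bond.get("Currently Active Slave")
    if active not in slaves:
        findings.append("active slave %r is not enslaved" % active)
    elif slaves[active].get("MII Status") != "up":
        findings.append("active slave %s has link %s" % (active, slaves[active].get("MII Status")))
    if expected_active and active != expected_active:
        findings.append("expected %s to be active, found %s" % (expected_active, active))
    if len(slaves) < 2:
        findings.append("only %d slave(s): no redundancy" % len(slaves))
    for name, fields in slaves.items():
        if fields.get("MII Status") != "up":
            findings.append("slave %s is %s (%s failures)"
                            % (name, fields.get("MII Status"), fields.get("Link Failure Count")))
    return findings


if __name__ == "__main__":
    # On a real host: bond_health(open("/proc/net/bonding/bond0").read(), "eth1")
    for finding in bond_health(BOND0_STATUS, expected_active="eth1"):
        print(finding)
```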