Advanced File Management

Permission Classes and Types

Permission classes

• user (u)
• group (g)
• other (o) (public)
• all (a) <- all combined

Permission types

• r,w,x
• works differently on files and directories
• hyphen (-) represents no permissions set

ls results permissions groupings

• • rwx rw- r–
    • user (owner), group, and other (public)

ls results first character meaning

• regular file d directory l symbolic link c character device file b block device file p named pipe s socket

Modifying Access Permission Bits

chmod command

• Modify permissions using symbolic or octal notation.
• Used by root or the file owner.

Flags chmod -v ::: Verbose.

Symbolic notation

• Letters (ugo/rwx) and symbols (+, -, =) used to add, revoke, or assign permission bits.

Octal Notation

Three-digit numbering system ranging from 0 to 7. 0 — 1 –x 2 -w- 3 -wx 4 r– 5 r-x 6 rw- 7 rwx

Default Permissions

• Calculated based on the umask (user mask) value subtracted from the initial permissions value.

umask

• Three-digit value (octal or symbolic) that refers to read, write, and execute permissions for owner, group, and public.
• Default umask value is 0022 for the root user and 0002 normal users.
• The left-most 0 has no significance.
• If umask is set to 000 files will get max of 666
• If the initial permissions are 666 and the umask is 002 then the default permissions are 664. (666-002)
• Any new files or directories created after changing the umask will have the new default permissions set.
• umask settings are lost when you log off. Add it to the appropriate startup file to make it permanent.

Defaults

• files 666 rw-rw-rw-
• directories 777 rwxrwxrwx

umask command

Options

• -S symbolic form

Special Permission Bits

• 3 types of special permission bits for executable files or directories for non root users
  • setuid
  • setgid
  • sticky
• setuid
  • set on exe’s to provide non-owners the ability to run them with the privileges of the owning user
  • may be set on directories and files but will have no effect.
  • example: the su command
  • shows an ’s’ in ls -l listing at the end of owners permissions
  • If the file already has the “x” bit set for the user, the long listing will show a lowercase “s”, otherwise it will list it with an uppercase “S”.
• setgid
  • set on exe’s to provide non-group members the ability to run them with the privileges of the owning group.
  • May be set on shared directories
    • allow files and subdirectories created underneath to automatically inherit the directory’s owning group.
    • saves group members who are sharing the directory contents from changing the group ID for every new file and subdirectory that they add.
  • write command has this set by default so a member of the tty group can run it. If the file already has the “x” bit set for the group, the long listing will show a lowercase “s”, otherwise it will list it with an uppercase “S”.
• Sticky bit
  • may be set on public directories for inhibiting file deletion by non-owners
  • may be set on directories and files but will have no effect.
  • Set on /tmp and /var/tmp by default
  • Letter “t” in other permission feild
  • If the directory already has the “x” bit set for public, the long listing will show a lowercase “t”, otherwise it will list it with an uppercase “T”.

Access Control Lists (ACLs)

• Setting a default ACL on a directory allows content sharing among user’s without having to modify access on each new file and subdirectory.

• Extra permissions that can be set on files and directories.

• Define permissions for named user and named groups.

• Configured the same way on both files and directories.

• Named Users

  • May or may not be a part of the same group.

• 2 different groups of ACLs. Default ACLs and Access ACLs.

  • Access ACLs
    • Set on individual files and directories
  • Default ACLs
    • Applied on directories
    • files and subdirectories inherit the ACL
    • Execute bit must be set on the directory for public.
    • Files receive the shared directory’s default ACLs as their access ACLs - what the mask limits.
    • Subdirectories receive both default ACLs and access ACLs as they are.

• A “+” at the end of ls -l listing indicates ACL is set

  • -rw-rw-r–+

ACL Commands

getfacl

• Display ACL settings
  • Displays:
  • name of file
  • owner
  • owning group
  • Permissions
    • colon characters save space for named user/group (or UID/GID) when extended Permissions are set.
    • Example: user:1000:r–
      • the named user with UID 1000, who is neither the file owner nor a member of the owning group, is allowed read-only access to this file.
    • Example: group:dba:rw-
      • give the named group (dba) read and write access to the file. setfacl
  • set, modify, substitute, or delete ACL settings
  • If you want to give read and write permissions to a specific user (user1) and change the mask to read-only at the same time, the setfacl command will allocate the permissions as mentioned; however, the effective permissions for the named user will only be read-only.

u:UID:perms

• named user must exist in /etc/passwd
• if no user specified, permissions are given to the owner of the file/directory

g:GID:perms

• Named group must exist in /etc/group
• If no group specified, permissions are given to the owning group of the file/directory

o:perms

• Neither owner or owning group

m:perms

• Maximum permissions for named user or named group

Switches

Mask Value

• Determine maximum allowable permissions for named user or named group
• Mask value displayed on separate line in getfacl output
• Mask is recalculated every time an ACL is modified unless value is manually entered.
• Overrides the set ACL value.

Find Command

• Search files and display the full path.
• Execute command on search results.
• Different search criteria
  • name
  • part name
  • ownership
  • owning group
  • permissions
  • inode number
  • last access
  • modification time in days or minutes
  • size
  • file type
• Command syntax
  • {find} + {path} + {search option} + {action}
• Options
  • -name / -iname (search by name)
  • -user / -group (UID / GID)
  • -perm (permissions)
  • -inum (inode)
  • -atime/amin (access time)
  • -mtime/amin (modification time)
  • -size / -type (size / type)
• Action
  • copy, erase, rename, change ownership, modify permissions
    • -exec {} \;
      • replaces {} for each filename as it is found. The semicolon character (;) marks the termination of the command and it is escaped with the backslash character (\).
    • -ok {} \;
      • same as exec but requires confirmation.
  • -delete
  • -print <- default

Advanced File Management Labs

Lab: find stuff

1. Create file 10 and search for it.

[vagrant@server1 ~]$ sudo touch /root/file10
[vagrant@server1 ~]$ sudo find / -name file10 -print
/root/file10

2. Perform a case insensitive search for files and directories in /dev that begin with “usb” followed by any characters.

[vagrant@server1 ~]$ find /dev -iname usb*
/dev/usbmon0

3. Find files smaller than 1MB (-1M) in size (-size) in the root user’s home directory (~).

[vagrant@server1 etc]$ find ~ -size -1M

4. Search for files larger than 40MB (+40M) in size (-size) in the /usr directory:

[vagrant@server1 etc]$ sudo find /usr -size +40M
/usr/share/GeoIP/GeoLite2-City.b

5. Find files in the entire root file system (/) with ownership (-user) set to user daemon and owning group (-group) set to any group other than (-not or ! for negation) user1:

[vagrant@server1 etc]$ sudo find / -user daemon -not -group user1

6. Search for directories (-type) by the name “src” (-name) in /usr at a maximum of two subdirectory levels below (-maxdepth):

[vagrant@server1 etc]$ sudo find /usr -maxdepth 2 -type d -name src
/usr/local/src
/usr/src

7. Run the above search but at least three subdirectory levels beneath /usr, substitute -maxdepth 2 with -mindepth 3.

[vagrant@server1 etc]$ sudo find /usr -mindepth 3 -type d -name src
/usr/src/kernels/4.18.0-425.3.1.el8.x86_64/drivers/gpu/drm//display/dmub/src
/usr/src/kernels/4.18.0-425.3.1.el8.x86_64/tools/usb/usbip/src

8. Find files in the /etc directory that were modified (-mtime) more than (the + sign) 2000 days ago:

[vagrant@server1 etc]$ sudo find /etc -mtime +2000
/etc/libuser.conf
/etc/xattr.conf
/etc/whois.conf

9. Run the above search for files that were modified exactly 12 days ago, replace “+2000” with “12”.

[vagrant@server1 etc]$ sudo find /etc -mtime 12

10. To find files in the /var/log directory that have been modified (-mmin) in the past (the - sign) 100 minutes:

[vagrant@server1 etc]$ sudo find /var/log -mmin -100
/var/log/rhsm/rhsmcertd.log
/var/log/rhsm/rhsm.log
/var/log/audit/audit.log
/var/log/dnf.librepo.log
/var/log/dnf.rpm.log
/var/log/sa
/var/log/sa/sa16
/var/log/sa/sar15
/var/log/dnf.log
/var/log/hawkey.log
/var/log/cron
/var/log/messages
/var/log/secure

11. Run the above search for files that have been modified exactly 25 minutes ago, replace “-100” with “25”.

[vagrant@server1 etc]$ sudo find /var/log -mmin 25

12. To search for block device files (-type) in the /dev directory with permissions (-perm) set to exactly 660:

[vagrant@server1 etc]$ sudo find /dev -type b -perm 660
/dev/dm-1
/dev/dm-0
/dev/sda2
/dev/sda1
/dev/sda

13. Search for character device files (-type) in the /dev directory with at least (-222) world writable permissions (this example would ignore checking the write and execute permissions):

[vagrant@server1 etc]$ sudo find /dev -type c -perm -222

14. Find files in the /etc/systemd directory that are executable by at least their owner or group members:

[vagrant@server1 etc]$ sudo find /etc/systemd -perm /110

15. Search for symlinked files (-type) in /usr with permissions (-perm) set to read and write for the owner and owning group:

 sudo find /usr -type l -perm -ug=rw

16. Search for directories in the entire directory tree (/) by the name “core” (-name) and list them (ls-ld) as they are discovered without prompting for user confirmation (-exec):

 [vagrant@server1 etc]$ sudo find / -name core -exec ls -ld {} \;

17. Use the -ok switch to prompt for confirmation before it copies each matched file (-name) in /etc/sysconfig to /tmp:

 sudo find /etc/sysconfig -name '*.conf' -ok  cp {} /tmp \;

Lab: Display ACL and give permissions

1. Create and empty file aclfile1 in /tmp and display ACLs on it:

 cd /tmp
 touch aclfile1
 getfacl aclfile1

2. Give rw permission to user 1 but with a mask of read only and view the results.

 setfacl -m u:user1:rw,m:r aclfile1

3. Promote the mask value to include write bit and verify:

 setfacl -m m:rw aclfile1
 getfacl -c aclfile1

Lab: Identify, Apply, and Erase Access ACLs

1. Switch to user1 and create file acluser1 in /tmp:

 su - user1
 cd /tmp
 touch acluser1

2. Use ls and getfacl to check existing acl entries:

 ls -l acluser1
 getfacl acluser1 -c

3. Allocate rw permissions to user100 with setfacl in octal form:

 setfacl -m u:user100:6 acluser1

4. Run ls (+) and getfacl to verify:

 ls -l acluser1
 getfacl -c acluser1

5. Open another terminal as user100 and open the file and edit it.

6. Add user200 with full rwx permissions to acluser1 using the symbolic notation and then show the updated ACL settings:

 setfacl -m u:user200:rwx acluser1
 getfacl -c acluser1

7. Delete the ACL entries set for user200 and validate:

 setfacl -x u:user200 acluser1
 getfacl acluser1 -c

8. Delete the rest of the ACLs:

 setfacl -b acluser1

9. Use the ls and getfacl commands and confirm for the ACLs removal:

 ls -l acluser1
 getfacl acluser1 -c

10. create group aclgroup1

 groupadd -g 8000 aclgroup1

11. add this group as a named group along with the two named users (user100 and user200).

Lab: Apply, Identify, and erase default ACLs

1. Switch or log in as user1 and create a directory projects in /tmp:

 su - user1
 cd /tmp
 mkdir projects

2. Use the getfacl command for an initial look at the permissions on the directory:

 getfacl -c projects

3. Allocate default read, write, and execute permissions to user100 and user200 on the directory. Use both octal and symbolic notations and the -d (default) option with the setfacl command.

 setfacl -dm u:user100:7,u:user200:rwx projects/
 getfacl -c projects/

4. Create a subdirectory prjdir1 under projects and observe the ACL inheritance:

 mkdir prjdir1
 getfacl -c prjdir1

5. Create a file prjfile1 under projects and observe the ACL inheritance:

 touch prjfile1
 getfacl -c prjfilel

6. log in as one of the named users, change directory into /tmp/projects, and edit prjfile1 (add some random text). Then change into the prjdir1 and create file file100.

 su - user100
 cd /tmp/projects
 vim prjfile1
 ls -l prjfile1
 cd prjdir1
 touch file100
 pwd

7. Delete all the default ACLs from the projects directory as user1 and confirm:

 exit
 su - user1
 cd /tmp
 setfacl -k projects
 getfacl -c projects

8. create a group such as aclgroup2 by running groupadd -g 9000 aclgroup2 as the root user and repeat this exercise by adding this group as a named group along with the two named users (user100 and user200).

Lab: Modify Permission Bits Using Symbolic Form

1. Add an execute bit for the owner and a write bit for group and public

 [vagrant@server1 ~]$ chmod u+x permfile1 -v
 mode of 'permfile1' changed from 0444 (r--r--r--) to 0544 (r-xr--r--)
 [vagrant@server1 ~]$ chmod -v go+w permfile1
 mode of 'permfile1' changed from 0544 (r-xr--r--) to 0566 (r-xrw-rw-)

2. Revoke the write bit from public

 [vagrant@server1 ~]$ chmod -v o-w permfile1
 mode of 'permfile1' changed from 0566 (r-xrw-rw-) to 0564 (r-xrw-r--)
 [vagrant@server1 ~]$ chmod -v a=rwx permfile1
 mode of 'permfile1' changed from 0564 (r-xrw-r--) to 0777 (rwxrwxrwx)

3. Revoke write from the owning group and write and execute bits from public.

 [vagrant@server1 ~]$ chmod g-w,o-wx permfile1 -v
 mode of 'permfile1' changed from 0777 (rwxrwxrwx) to 0754 (rwxr-xr--)

Lab: Modify Permission Bits Using Octal Form

1. Read only for user, group, and other:

 [vagrant@server1 ~]$ touch permfile2
 [vagrant@server1 ~]$ chmod 444 permfile2
 [vagrant@server1 ~]$ ls -l permfile2
 -r--r--r--. 1 vagrant vagrant 0 Feb  4 12:22 permfile2

2. Add an execute bit for the owner:

 [vagrant@server1 ~]$ chmod -v 544 permfile2
 mode of 'permfile2' changed from 0444 (r--r--r--) to 0544 (r-xr--r--)

3. Add a write permission bit for group and public:

 [vagrant@server1 ~]$ chmod -v 566 permfile2
 mode of 'permfile2' changed from 0544 (r-xr--r--) to 0566 (r-xrw-rw-)

4. Revoke the write bit for public:

 [vagrant@server1 ~]$ chmod -v 564 permfile2
 mode of 'permfile2' changed from 0566 (r-xrw-rw-) to 0564 (r-xrw-r--)

5. Assign read, write, and execute permission bits to all three user categories:

 [vagrant@server1 ~]$ chmod -v 777 permfile2
 mode of 'permfile2' changed from 0564 (r-xrw-r--) to 0777 (rwxrwxrwx)

6. Run the umask command without any options and it will display the current umask value in octal notation:

 [vagrant@server1 ~]$ umask
 0002

7. Symbolic form

 [vagrant@server1 ~]$ umask -S
 u=rwx,g=rwx,o=rx

8. Set all new files and directories to get 640 and 750 permissions,

 umask 027
 umask u=rwx,g=rx,o=

9. Test new umask (666-027=640) (777-027=750)

 [vagrant@server1 ~]$ touch tempfile1
 [vagrant@server1 ~]$ ls -l tempfile1
 -rw-r-----. 1 vagrant vagrant 0 Feb  5 12:09 tempfile1
 [vagrant@server1 ~]$ mkdir tempdir1
 [vagrant@server1 ~]$ ls -ld tempdir1
 drwxr-x---. 2 vagrant vagrant 6 Feb  5 12:10 tempdir1

Lab: View suid bit on su command

 [vagrant@server1 ~]$ ls -l /usr/bin/su
 -rwsr-xr-x. 1 root root 50152 Aug 22 10:08 /usr/bin/su

Lab: Test the Effect of setuid Bit on Executable Files

1. Open 2 terminal windows. Switch to user1 in terminal1

 [vagrant@server1 ~]$ su - user1
 Password:
 Last login: Sun Feb  5 12:37:12 UTC 2023 on pts/1

2. Switch to root on terminal2

 sudo su - root

3. T1 Revoke the setuid bit from /usr/bin/su

 chmod -v u-s /usr/bin/su

4. T2 log off as root

 ctrl+d

5. Try to log in has root from both terminals

 [user1@server1 ~]$ su - root
 Password:
 su: Authentication failure

6. T1 restore the setuid bit

 [vagrant@server1 ~]$ sudo chmod -v +4000 /usr/bin/su
 mode of '/usr/bin/su' changed from 0755 (rwxr-xr-x) to 4755 (rwsr-xr-x)

Lab: Test the Effect of setgid Bit on Executable Files

1. Log into two terminals T1 root T2 user1 Opened with ssh

2. T2 list users currently logged in

who

3. T2 send a message to root

write root

3. T1 revoke setgid from /usr/bin/write

chmod g-s /usr/bin/write -v

4. Try to write root

[user1@server1 ~]$ write root
write: effective gid does not match group of /dev/pts/0

5. Restore the setgid bit on /usr/bin/write:

[root@server1 ~]# sudo chmod -v +2000 /usr/bin/write
mode of '/usr/bin/write' changed from 0755 (rwxr-xr-x) to 2755 (rwxr-sr-x)

6. Test

write root

Lab: Set up Shared Directory for Group Collaboration

1. set up 2 test users

 [root@server1 ~]# adduser user100
 [root@server1 ~]# adduser user200

2. Add group sgrp with GID 9999 with the groupadd command:

 [root@server1 ~]# groupadd -g 9999 sgrp

3. Add user100 and user200 as members to sgrp using the usermod command:

 [root@server1 ~]# usermod -aG sgrp user100
 [root@server1 ~]# usermod -aG sgrp user200

4. Create /sdir directory

 [root@server1 ~]# mkdir /sdir

5. Set ownership and owning group on /sdir to root and sgrp, using the chown command:

 [root@server1 ~]# chown root:sgrp /sdir

6. Set the setgid bit on /sdir using the chmod command:

 [vagrant@server1 ~]$ sudo chmod g+s /sdir

7. Add write permission to the group members on /sdir and revoke all permissions from public:

 [root@server1 ~]# chmod g+w,o-rx /sdir

8. Verify

 [root@server1 ~]# ls -ld /sdir
 drwxrws---. 2 root sgrp 6 Feb 13 15:49 /sdir

9. Switch or log in as user100 and change to the /sdir directory:

 [root@server1 ~]# su - user100
 [user100@server1 ~]$ cd /sdir

10. Create a file and check the owner and owning group on it:

 [user100@server1 sdir]$ touch file100
 [user100@server1 sdir]$ ls -l file100
 -rw-rw-r--. 1 user100 sgrp 0 Feb 10 22:41 file100

11. Log out as user100, and switch or log in as user200 and change to the /sdir directory:

 [root@server1 ~]# su - user200
 [user200@server1 ~]$ cd /sdir

12. Create a file and check the owner and owning group on it:

 [user200@server1 sdir]$ touch file200
 [user200@server1 sdir]$ ls -l file200
 -rw-rw-r--. 1 user200 sgrp 0 Feb 13 16:01 file200

Lab: View “t” in permissions for sticky bit

 [user200@server1 sdir]$ ls -l /tmp /var/tmp -d
 drwxrwxrwt. 8 root root 185 Feb 13 16:12 /tmp
 drwxrwxrwt. 4 root root 113 Feb 13 16:00 /var/tmp

Lab: Test the effect of Sticky Bit

1. Switch to user100 and change to the /tmp directory

[user100@server1 sdir]$ cd /tmp

2. Create file called stckyfile

[user100@server1 tmp]$ touch stickyfile

3. Try to delete the file as user200

[user200@server1 tmp]$ rm stickyfile
rm: remove write-protected regular empty file 'stickyfile'? y
rm: cannot remove 'stickyfile': Operation not permitted

4. Revoke the /tmp stickybit and confirm

[vagrant@server1 ~]$ sudo chmod o-t /tmp
[vagrant@server1 ~]$ ls -ld /tmp
drwxrwxrwx. 8 root root 4096 Feb 13 22:00 /tmp

5. Retry the removal as user200

rm stickyfile

6. Restore the sticky bit on /tmp

sudo chmod -v +1000 /tmp

Lab: Manipulate File Permissions (user1)

1. Create file file11 and directory dir11 in the home directory. Make a note of the permissions on them.

 touch file11
 mkdir dir11

2. Run the umask command to determine the current umask.

 umask

3. Change the umask value to 0035 using symbolic notation.

 umask g=r,0=w

4. Create file22 and directory dir22 in the home directory.

 touch file22
 mkdir dir22

5. Observe the permissions on file22 and dir22, and compare them with the permissions on file11 and dir11.

 ls -l

6. Use the chmod command and modify the permissions on file11 to match those on file22.

 chmod g-w,o-r,o+w file11

7. Use the chmod command and modify the permissions on dir22 to match those on dir11. Do not remove file11, file22, dir11, and dir22 yet.

 chmod g-wx,o-rx,o+w dir11

Lab: Configure Group Collaboration and Prevent File Deletion (root)

1. create directory /sdir. Create group sgrp and create user1000 and user2000 and add them to the group:

 mkdir /sdir
 groupadd sgrp
 adduser user1000 && adduser user2000
 usermod -a -G sgrp user1000
 usermod -a -G sgrp user2000

2. Set up appropriate ownership (root), owning group (sgrp), and permissions (rwx for group, — for public, s for group, and t for public) on the directory to support group collaboration and ensure non-owners cannot delete files.

 chgrp sgrp sdir
 chmod g=rwx,o=--- sdir
 chmod o+t sdir
 chmod g+s sdir

3. Log on as user1000 and create a file under /sdir.

 su - user1000
 cd /sdir
 touch testfile

4. Log on as user2000 and try to edit that file. You should be able to edit the file successfully.

 su - user200
 cd /sdir
 vim testfile
 cat testfile

5. As user2000 try to delete the file. You should not be able to.

 rm testfile

Lab: Find Files (root)

1. Search for all files in the entire directory structure that have been modified in the last 300 minutes and display their type.

 find /sdir -mtime -300 -exec file {} \;

2. Search for named pipe and socket files.

 find / -type p
 find / -type s

Lab: Find Files Using Different Criteria (root)

1. Search for regular files under /usr that were accessed more than 100 days ago, are not bigger than 5MB in size, and are owned by the user root.

 find /usr -type f -mtime +100 -size -5M -user root

Lab: Apply ACL Settings (root)

1. Create file testfile under /tmp.

 touch /tmp/testfile

2. Create users.

 adduser user2000
 adduser user3000
 adduser user4000

3. Apply ACL settings on the file so that user2000 gets 7, user3000 gets 6, and user4000 gets 4 permissions.

 setfacl -m u:user2000:7 testfile
 setfacl -m u:user3000:6 testfile
 setfacl -m u:user4000:4 testfile

4. Remove the ACLs for user2000, and verify.

 setfacl -x user2000 testfile
 getfacl testfile

5. Erase all remaining ACLs at once, and confirm.

 setfacl -b testfile
 getfacl testfile

Advanced Package Management

Package Groups

package group

• Group of packages that serve a common purpose.
• Can query, install, and delete as a single unit rather than dealing with packages individually.
• Two types of package groups: environment groups and package groups.

environment groups available in RHEL 9:

• server, server with GUI, minimal install, workstation, virtualization host, and custom operating system.
• Listed on the software selection window during RHEL 9 installation.

Package groups include:

• container management, smart card support, security tools, system tools, network servers, etc.

Individual packages, package groups, and modules:

Individual Package Management

List, install, query, and remove packages.

Listing Available and Installed Packages

• dnf lists available packages as well as installed packages.

Lab: list all packages available for installation from all enabled repos,

 sudo dnf repoquery

Lab: list of packages that are available only from a specific repo:

 sudo dnf repoquery --repo "BaseOS"

Lab: grep for an expression to narrow down your search.

For example, to find whether the BaseOS repo includes the zsh package.

 sudo dnf repoquery --repo BaseOS | grep zsh

Lab: list all installed packages on the system:

 sudo dnf list installed

Three columns: - package name - package version - repo it was installed from. - @anaconda means the package was installed at the time of RHEL installation.

List all installed packages and all packages available for installation from all enabled repositories:

 sudo dnf list

• @ sign identifies the package as installed.

List all packages available from all enabled repositories that should be able to update:

 sudo dnf list updates

List whether a package (bc, for instance) is installed or available for installation from any enabled repository:

 sudo dnf list bc

List all installed packages whose names begin with the string “gnome” followed by any number of characters:

 sudo dnf list installed ^gnome*

List recently added packages:

 sudo dnf list recent

Refer to the repoquery and list subsections of the dnf command manual pages for more options and examples.

Installing and Updating Packages

Installing a package:

• creates the necessary directory structure
• installs the required files
• runs any post-installation steps.
• If already installed, dnf command updates it to the latest available version.

Attempt to install a package called ypbind, proceed to update if it detects the presence of an older version:

 sudo dnf install ypbind

Install or update a package called dcraw located locally at /mnt/AppStream/Packages/

 sudo dnf localinstall /mnt/AppStream/Packages/dcraw*

Update an installed package (autofs, for example) to the latest available version. Dnf will fail if the specified package is not already installed:

 sudo dnf update autofs

Update all installed packages to the latest available versions:

 sudo dnf -y update

Refer to the install and update subsections of the dnf command manual pages for more options and examples.

Exhibiting Package Information

Show:

• release
• size
• whether it is installed or available for installation
• repo name it was installed or is available from
• short and long descriptions
• license
• so on

dnf info subcommand

View information about a package called autofs:

 dnf info autofs

• Determines whether the specified package is installed or not.

Refer to the info subsection of the dnf command manual pages.

Removing Packages

Removing a package:

• uninstalls it and removes all associated files and directory structure.
• erases any dependencies as part of the deletion process.

Remove a package called ypbind:

 sudo dnf remove ypbind

Output

• Resolved dependencies
• List of the packages that it would remove.
• Disk space that their removal would free up.
• After confirmation, it erased the identified packages and verified their removal.
• List of the removed packages

Refer to the remove subsection of the dnf command manual pages for more options and examples available for removing packages.

Lab: Manipulate Individual Packages

Perform management operations on a package called cifs-utils. Determine if this package is already installed and if it is available for installation. Display its information before installing it. Install the package and exhibit its information. Erase the package along with its dependencies and confirm the removal.

1. Check whether the cifs-utils package is already installed:

 dnf list installed | grep cifs-utils

2. Determine if the cifs-utils package is available for installation:

 dnf repoquery cifs-utils

3. Display detailed information about the package:

 dnf info cifs-utils

4. Install the package:

 dnf install -y cifs-utils

5. Display the package information again:

 dnf info cifs-utils

6. Remove the package:

 dnf remove -y cifs-utils

7. Confirm the removal:

 dnf list installed | grep cif

Determining Provider and Searching Package Metadata

• You can determine what package a specific file belongs to or which package comprises a certain string.

Search for packages that contain a specific file such as /etc/passwd/, use the provides or the whatprovides subcommand with dnf:

 dnf provides /etc/passwd

• Indicates file is part of a package called setup, installed during RHEL installation.

• Second instance, setup package is part of the BaseOS repository.

• Can also use a wildcard character for filename expansion.

List all packages that contain filenames beginning with “system-config” followed by any number of characters:

 dnf whatprovides /usr/bin/system-config*

To search for all the packages that match the specified string in their name or summary:

 dnf search system-config

Package Group Management

• group subcommand
• list, install, query, and remove groups of packages.

Listing Available and Installed Package Groups

group list subcommand:

• list the package groups available for installation from either or both repos
• list the package groups that are already installed on the system.

List all available and installed package groups from all repositories:

 dnf group list

output:

• two categories of package groups:
  • Environment group
  • Package groups

Environment group:

• Larger collection of RHEL packages that provides all necessary software to build the operating system foundation for a desired purpose.

Package group

• Small bunch of RHEL packages that serve a common purpose.
• Saves time on the deployment of individual and dependent packages.
• Output shows installed and available package groups.

Display the number of installed and available package groups:

 sudo dnf group summary

List all installed and available package groups including those that are hidden:

 sudo dnf group list hidden

Try group list with --installed and --available options to narrow down the output list.

 sudo dnf group list --installed

List all packages that a specific package group such as Base contains:

 sudo dnf group info Base

-v option with the group info subcommand for more information.

Review group list and group info subsections of the dnf man pages.

Installing and Updating Package Groups

• Creates the necessary directory structure for all the packages included in the group and all dependent packages.
• Installs the required files.
• Runs any post-installation steps.
• Attempts to update all the packages included in the group to the latest available versions.

Install a package group called Emacs. Update if it detects an older version.

 sudo dnf -y groupinstall emacs

Update the smart card support package group to the latest version:

 dnf groupupdate "Smart Card Support"

Refer to the group install and group update subsections of the dnf command manual pages for more details.

Removing Package Groups

• Uninstalls all the included packages and deletes all associated files and directory structure.
• Erases any dependencies

Erase the smart card support package group that was installed:

 sudo dnf -y groupremove 'smart card support'

Refer to the remove subsection of the dnf command manual pages for more details.

Lab: Manipulate Package Groups

Perform management operations on a package group called system tools. Determine if this group is already installed and if it is available for installation. List the packages it contains and install it. Remove the group along with its dependencies and confirm the removal.

1. Check whether the system tools package group is already installed:

 dnf group list installed

2. Determine if the system tools group is available for installation:

 dnf group list available

The group name is exhibited at the bottom of the list under the available groups.

3. Display the list of packages this group contains:

 dnf group info 'system tools'

• All of the packages will be installed as part of the group installation.

4. Install the group:

 sudo dnf group install 'system tools'

5. Remove the group:

 sudo dnf group remove 'system tools' -y

6. Confirm the removal:

 dnf group list installed

Application Streams and Modules

Application Streams

• Introduced in RHEL 8.
• Employs a modular approach to organize multiple versions of a software application alongside its dependencies to be available for installation from a single repository.

module

• Logical set of application packages that includes everything required to install it, including the executables, libraries, documentation, tools, and utilities as well as dependent components.
• Modularity gives the flexibility to choose the version of software based on need.

• In older RHEL releases, each version of a package would have to come from a separate repository. (This has changed in RHEL 8.)
• Now modules of a single application with different versions can be stored and made available for installation from a common repository.
• The package management tool has also been enhanced to manipulate modules.

• RHEL 9 is shipped with two core repositories called BaseOS and Application Stream (AppStream).

BaseOS repository

• Includes the core set of RHEL 9 components
• kernel, modules, bootloader, and other foundational software packages.
• Lays the foundation to install and run software applications and programs.
• Available in the traditional rpm format.

AppStream repository

• Comes standard with core applications,
• Plus several add-on applications
• Rpm and modular format
• Include web server software, development languages, database software, etc.

Benefits of Segregation

Why separate BaseOS components from other applications?

(1) Separates application components from the core operating system elements.
(2) Allows publishers to deliver and administrators to apply application updates more frequently.

In previous RHEL versions, an OS update would update all installed components including the kernel, service, and application components to the latest versions by default.

This could result in an unstable system or a misbehaving application due to an unwanted upgrade of one or more packages.

By detaching the base OS components from the applications, either of the two can be updated independent of the other.

This provides enhanced flexibility in tailoring the system components and application workloads without impacting the underlying stability of the system.

Module Streams

• Collection of packages organized by version
• Each module can have multiple streams
• Each stream receives updates independent of the other streams
• Stream can be enabled or disabled.

enabled stream

• Allows the packages it contains to be queried or installed
• Only one stream of a specific module can be enabled at a time
• Each module has a default stream, which provides the latest or the recommended version.

Module Profiles

• List of recommended packages organized for purpose-built, convenient deployments to support a variety of use cases such as:
• Minimal, development, common, client, server, etc.
• A profile may also include packages from the BaseOS repository or the dependencies of the stream
• Each module stream can have zero, one, or more profiles associated with it with only one of them marked as the default.

Module Management

Modules are special package groups usually representing an application, a language runtime, or a set of tools. They are available in one or multiple streams which usually represent a major version of a piece of software, They are available in one or multiple streams which give you an option to choose what versions of packages you want to consume. https://docs.fedoraproject.org/en-US/modularity/using-modules/

Modules are a way to deliver different versions of software (such as programming languages, databases, or web servers) independently of the base operating system’s release cycle.

Each module can contain multiple streams, representing different versions or configurations of the software. For example, a module for Python might have streams for Python 2 and Python 3.

module dnf subcommand

• list, enable, install, query, remove, and disable modules.

Listing Available and Installed Modules

List all modules along with their stream, profile, and summary information available from all configured repos:

 dnf module list

Limit the output to a list of modules available from a specific repo such as AppStream by adding --repo AppStream:

 dnf module list --repo AppStream

Output:

• default (d)
• enabled (e)
• disabled (x)
• installed (i)

List all the streams for a specific module such as ruby and display their status:

 dnf module list ruby

Modify the above and list only the specified stream 3.3 for the module ruby

 dnf module list ruby:3.3

List all enabled module streams:

 dnf module list --enabled

Similarly, you can use the --installed and --disabled options with dnf module list to output only the installed or the disabled streams.

Refer to the module list subsection of the dnf command manual pages.

Installing and Updating Modules

Installing a module

• Creates directory tree for all packages included in the module and all dependent packages.
• Installs required files for the selected profile.
• Runs any post-installation steps.
• If module being loaded or a part of it is already present, the command attempts to update all the packages included in the profile to the latest available versions.

Install the perl module using its default stream and default profile:

 sudo dnf -y module install perl

Update a module called squid to the latest version:

 sudo dnf module update squid -y

Install the profile “common” with stream “rhel9” for the container-tools module: (module:stream/profile)

 sudo dnf module install container-tools:rhel9/common

Displaying Module Information

• Shows
  • Name, stream, version, list of profiles, default profile, repo name module was installed or is available from
  • Summary, description, and artifacts.
• Can be viewed by supplying module info with dnf.

List all profiles available for the module ruby:

 dnf module info --profile ruby

Limit the output to a particular stream such as 3.1:

 dnf module info --profile ruby:3.1

Refer to the module info subsection of the dnf command manual pages for more details.

Removing Modules

Removing a module will:

• Uninstall all the included packages and
• Delete all associated files and directory structure.
• Erases any dependencies as part of the deletion process.

Remove the ruby module with “3.1” stream:

 sudo dnf module remove ruby:3.1

Refer to the module remove subsection of the dnf command manual pages:

Lab: Manipulate Modules

• Perform management operations on a module called postgresql.
• Determine if this module is already installed and if it is available for installation.
• Show its information and install the default profile for stream “10”.
• Remove the module profile along with any dependencies
• confirm the removal.

1. Check whether the postgresql module is already installed(i):

 dnf module list postgresql

2. Display detailed information about the default stream of the module:

 dnf module info postgresql:15

3. Install the module with default profile for stream “15”:

 sudo dnf -y module install --profile postgresql:15

4. Display the module information again:

 dnf module info postgresql:15

5. Erase the module profile for the stream:

 dnf module remove -y postgresql:15

6. Confirm the removal (back to (d)):

 dnf module info postgresql:15

Switching Module Streams

• Typically performed to upgrade or downgrade the version of an installed module.

process:

• uninstall the existing version provided by a stream alongside any dependencies that it has,

• switch to the other stream

• install the desired version.

• Installing a module from a stream automatically enables the stream if it was previously disabled

• you can manually enable or disable it with the dnf command.

• Only one stream of a given module enabled at a time.

• Attempting to enable another one for the same module automatically disables the current enabled stream.

• dnf module list and dnf module info expose the enable/disable status of the module stream.

Lab: Install a Module from an Alternative Stream

• Downgrade a module to a lower version.
• Remove the stream ruby 3.3 and
• Confirm its removal.
• manually enable the stream perl 5.24 and confirm its new status.
• install the new version of the module and display its information.

1. Check the current state of all perl streams:

 dnf module list perl

2. Remove perl 5.26:

 sudo dnf module remove perl -y

1. Confirm the removal:

 dnf module list ruby

2. Reset the module so that neither stream is enabled or disabled. This will remove the enabled (e) indication from ruby 3.3

 sudo dnf module reset ruby

3. Install the non-default profile “minimal” for ruby stream 3.1. This will auto-enable the stream.

–allowerasing

• Will instruct the command to remove installed packages for dependency resolution.

 sudo dnf module install ruby:3.1 --allowerasing

4. Check the status of the module:

 dnf module list perl

The dnf Command

• Introduced in RHEL 8
• Can use interchangeably with yum in RHEL
  • yum is a soft link to the dnf utility.
• Requires the system to have access to either:
  • a local or remote software repository
  • a local installable package file.

Subscription Management* (RHSM) service

• Available in the Red Hat Customer Portal

• Offers access to official Red Hat software repositories.

• Other web-based repositories that host packages are available

• You can also set up a local, custom repository on your system and add packages of your choice to it.

Primary benefit of using dnf over rpm:

• Resolve dependencies automatically

  • By identifying and installing any additional required packages

• With multiple repositories set up, dnf extracts the software from wherever it finds it.

• Perform abundant software administration tasks.

• Invokes the rpm utility in the background

• Can perform a number of operations on individual packages, package groups, and modules:

  • listing
  • querying
  • installing
  • removing
  • enabling and disabling specific module streams.

Software handling tasks that dnf can perform on packages:

• Clean and repolist are specific to repositories.
• Refer to the manual pages of dnf for additional subcommands, operators, options, examples, and other details.

dnf subcommands that are intended for operations on package groups and modules:

For labs, you’ll need to create a definition file and configure access to the two repositories available on the RHEL 8 ISO image.

Lab: Configure Access to Pre-Built Repositories

Set up access to the two dnf repositories that are available on RHEL 9 image. (You should have already configured an automatic mounting of RHEL 9 image on /mnt.) Create a definition file for the repositories and confirm.

1. Verify that the image is currently mounted:

 df -h | grep mnt

2. Create a definition file called local.repo in /etc/yum.repos.d/ using the vim editor and define the following data for both repositories in it:

 [BaseOS] 
 name=BaseOS 
 baseurl=file:///mnt/BaseOS 
 gpgcheck=0 

 [AppStream] 
 name=AppStream 
 baseurl=file:///mnt/AppStream 
 gpgcheck=0

3. Confirm access to the repositories:

 sudo dnf repolist 

• Ignore lines 1-4 in the output that are related to subscription and system registration.
• Lines 5 and 6 show the rate at which the command read the repo data.
• Line 7 displays the timestamp of the last metadata check.
• last two lines show the repo IDs, repo names, and a count of packages they hold.
• AppStream repo consists of 4,672 packages
• BaseOS repo contains 1,658 packages.
• Both repos are enabled by default and are ready for use.

dnf yum Repository

dnf repository (yum repository or a repo)

• Digital library for storing software packages

• Repository is accessed for package retrieval, query, update, and installation

• The two repositories

  • BaseOS and AppStream
    • come preconfigured with the RHEL 9 ISO image.

• Number of other repositories available on the Internet that are maintained by software publishers such as Red Hat and CentOS.

• Can build private custom repositories for internal IT use for stocking and delivering software.

  • Good practice for an organization with a large Linux server base, as it manages dependencies automatically and aids in maintaining software consistency across the board.

• Can also be used to store in-house developed packages.

• It is important to obtain software packages from authentic and reliable sources such as Red Hat to prevent potential damage to your system and to circumvent possible software corruption.

• There is a process to create repositories and to access preconfigured repositories.

• There are two pre-set repositories available on the RHEL 9 image. You will configure access to them via a definition file to support the exercises and lab environment.

Repository Definition File

• Repo definition files are located in /etc/yum.repos.d/
• Can create local.repo file in this directory to specify local repos
• See dnf.conf man page

Sample repo definition file and key directives:

 [BaseOS_RHEL_9]
 name= RHEL 9 base operating system components
 baseurl=file://*mnt*BaseOS
 enabled=1
 gpgcheck=0

EXAM TIP:

• Knowing how to configure a dnf/yum repository using a URL plays an important role in completing some of the RHCSA exam tasks successfully.
• Use two forward slash characters (//) with the baseurl directive for an FTP, HTTP, or HTTPS source.

Five lines from a sample repo file: Line 1 defines an exclusive ID within the square brackets. Line 2 is a brief description of the repo with the “name” directive. Line 3 is the location of the repodata directory with the “baseurl” directive. Line 4 shows whether this repository is active. Line 5 shows if packages are to be GPGchecked for authenticity.

• Each repository definition file must have:

  • Unique ID
  • Description
  • Baseurl directive defined
  • Other directives are set as required.

• The baseurl directive for a local directory path is defined as file:///local_path

  • The first two forward slash characters represent the URL convention, and the third forward slash is for the absolute path to the destination directory)
  • FTP and
    • \ftp://hostname/network_path
  • HTTP(S)
    • http(s)://hostname/network_path
  • network path must include a resolvable hostname or an IP address.

Software Management with dnf

• Tools are available to work with individual packages as well as package groups and modules.
• rpm command is limited to managing one package at a time.
• dnf has an associated configuration file that can define settings to control its behavior.

dnf Configuration File

• Key configuration file: /etc/dnf/dnf.conf
• “main” section - Sets directives that have a global effect on dnf operations.
• Can define separate sections for each custom repository that you plan to set up on the system.
• Preferred location to store configuration for each custom repository in their own definition files is in /etc/yum.repos.d
  • default location created for this purpose.

Default content of this configuration file:

 cat /etc/dnf/dnf.conf

 [main]
 gpgcheck=1
 installonly_limit=3
 clean_requirements_on_remove=True
 best=True
 skip_if_unavailable=False

The above and a few other directives that you may define in the file:

For other directives: man 5 dnf.conf

Advanced Package Management DIY Labs

1. Configure Access to RHEL 8 Repositories (Make sure the RHEL 8 ISO image is attached to the VM and mounted.) Create a definition file under /etc/yum.repos.d/, and define two blocks (one for BaseOS and another for AppStream).

  vim /etc/yum.repos.d/local.repo

 [BaseOS]
 name=BaseOS 
 baseurl=file:///mnt/BaseOS 
 gpgcheck=0 

 [AppStrean]
 name=AppStream 
 baseurl=file:///mnt/AppStream 
 gpgcheck=0

4. Verify the configuration with dnf repolist. You should see numbers in thousands under the Status column for both repositories.

 dnf repolist -v

Lab: Install and Manage Individual Packages

1. List all installed and available packages separately.

 dnf list --available && dnf list --installed

2. Show which package contains the /etc/group file.

 dnf provides /etc/group

3. Install the package httpd.

 dnf -y install httpd

4. Review /var/log/yum.log/ for confirmation. (/var/lib/dnf/history)

  dnf history

5. Perform the following on the httpd package:
6. Show information

 dnf info httpd

2. List dependencies

 dnf repoquery --requires httpd

3. Remove it

 dnf remove httpd

Lab Install and Manage Package Groups

1. List all installed and available package groups separately.

 dnf group list available && dnf group list installed

1. Install package groups Security Tools and Scientific Support.

 dnf group install 'Security Tools'

2. Review /var/log/yum.log for confirmation.

 dnf history

3. Show the packages included in the Scientific Support package group, and delete this group.

 dnf group info 'Scientific Support' && dnf group  remove 'Scientific Support'

Lab: Install and Manage Modules

4. List all modules. Identify which modules, streams and profiles are installed, default, disabled, and enabled from the output.

 dnf module list

5. Install the default stream of the development profile for module php, and verify.

 dnf module install php && dnf module list

6. Remove the module.

 dnf module remove php

Lab Switch Module Streams and Install Software

7. List postgresql module. This will display the streams and profiles, and their status.

 dnf module list postgresql

8. Reset both streams

 dnf module reset postgresql

9. enable the stream for the older version, and install its client profile.

 dnf module install postgresql:15

Advanced User Management

Local User Authentication Files

• Three supported account types: root, normal, service
• root
  • has full access to all services and administrative functions on the system.
  • created by default during installation.
• Normal
  • user-level privileges
  • cannot perform any administrative functions
  • can run applications and programs that have been authorized.
• Service
  • take care of their respective services, which include apache, ftp, mail, and chrony.
• User account information for local users is stored in four files that are located in the /etc directory.
  • passwd, shadow, group, and gshadow (user authentication files)
  • updated when a user or group account is created, modified, or deleted.
  • referenced to check and validate the credentials for a user at the time of their login attempt,
  • system creates their automatic backups by default as passwd-, shadow-, group-, and gshadow- in the /etc directory.

/etc/passwd

• vital user login data
• each row hold info for one user
• 644 permissions by default
• 7 feilds per row
  • login name
    • up to 255 characters
    • _ and - characters are supported
    • not recommended to include special characters and uppercase letters in login names.
  • password
    • “x” in this field points to /etc/shadow for actual password.
    • “*” identifies disabled account
    • Can also include a hashed password (RHEL uses SHA-512 by default)
  • UID
    • Number between 0 and 4.2 billion
    • UID 0 is reserved for root account
    • UIDs 1-200 are used by Red Hat for core service accounts
    • UIDs 201-999 are reserved for non-core service accounts
    • UIDs 1000 < are for normal user accounts (starts at 1000 by default)
  • GID
    • GID that matches entry in /etc/group (primary group)
    • Group for every user by default that matches UID
  • Comments (GECOS) or (GCOS)
    • general comments about the user
  • Home Directory
    • absolute path to the user home directory.
  • Shell
    • absolute path of the shell file for the user’s primary shell after logging in. (default = (/bin/bash))

/etc/shadow

• no access permissions for any user (even root) (but owned by root)
• secure password control (shadow password)
• user passwords are hashed and stored in a more secure file /etc/shadow
• limits on user passwords in terms of expiration, warning period, etc. applied on per-user basis
• limits and other settings are defined in /etc/login.defs
• user is initially checked in the passwd file for existence and then in the shadow file for authenticity.
• contains user authentication and password aging information.
• Each row in the file corresponds to one entry in the passwd file.
• login names are used as a common key between the shadow and passwd files.
• nine colon-separated fields per line entry.
  • 1 Login name
  • 2 Encrypted password
    • ! at the beginning of this field shows that the user account is locked
    • if field is empty then user has passwordless entry
  • 3 last change
    • Number of days (lastchg) since the UNIX epoch, (UNIX time (January 01, 1970 00:00:00 UTC) when the password was last modified.
    • Empty field represents the passiveness of password aging features.
    • 0 forces the user to change their password upon next login.
  • 4 minimum
    • number of days (mindays) that must elapse before the user is allowed to change their password
    • can be altered using the chage command with the -m option or the passwd command with the -n option.
    • 0 or null in this field disables this feature.
  • 5 (Maximum)
    • maximum number of days (maxdays) before the user password expires and must be changed.
    • may be altered using the chage command with the -M option or the passwd command with the -x option.
    • null value here disables this feature along with other features such as the maximum password age, warning alerts, and the user inactivity period.
  • 6 Field 6 (Warning)
    • number of days (warndays) the user gets warnings for changing their password before it expires.
    • may be altered using the chage command with the -W option or the passwd command with the -w option.
    • 0 or null in this field disables this feature.
  • 7 Password Expiry)
    • maximum allowable number of days for the user to be able to log in with the expired password. (inactivity period).
    • may be altered using the chage command with the -I option or the passwd command with the -i option.
    • empty field disables this feature.
  • 8 (Account Expiry)
    • number of days since the UNIX time when the user account will expire and no longer be available.
    • may be altered using the chage command with the -E option.
    • empty field disables this feature.
  • 9 (Reserved): Reserved for future use.

/etc/group

• plaintext file and contains critical group information.
• 644 permissions by default and owned by root.
• Each row in the file stores information for one group entry.
• Every user on the system must be a member of at least one group (User Private Group (UPG)).
• a group name matches the username it is associated with by default
• four colon-separated fields per line entry.
  • Field 1 (Group Name):
    • Holds a group name that must begin with a letter. Group names with up to 255 characters, including the
    • uppercase, underscore (_) and hyphen (-) characters, are also supported. (not recommended)
  • Field 2 (Encrypted Password):
    • Can be empty or contain an “x” (points to the /etc/gshadow file for the actual password), or a hashed group-level password.
    • can set a password on a group for non-members to be able to change their group identity temporarily using the newgrp command.
    • non-members must enter the correct password in order to do so.
  • Field 3 (GID):
    • Holds a GID, that is also placed in the GID field of the passwd file.
    • By default, groups are created with GIDs starting at 1000 and with the same name as the username.
    • system allows several users to belong to a single group
    • also allows a single user to be a member of multiple groups at the same time.
  • Field 4 (Group Members):
    • Lists the membership for the group. (user’s primary group is always defined in the GID field of the passwd file.)

/etc/gshadow

• no access permissions for any user (even root)
• group passwords are hashed and stored
• group names are used as a common key between the gshadow and group files.
• 000 permissions and owned by root
• four colon-separated fields
  • Field 1 (Group Name):
    • Consists of a group name as appeared in the group file.
  • Field 2 (Encrypted Password):
    • Can contain a hashed password, which may be set with the gpasswd command for non-group members to access the group temporarily using the newgrp command.
    • single exclamation mark (!) or a null value in this field allows group members password-less access and restricts non-members from switching into this group.
  • Field 3 (Group Administrators):
    • Lists usernames of group administrators that are authorized to add or remove members with the gpasswd command.
  • Field 4 (Members):
    • comma-separated list of members.

gpasswd command:

• add group administrators.
• add or delete group members.
  • assign or revoke a group-level password.
  • disable the ability of the newgrp command to access a group.
  • picks up the default values from the /etc/login.defs file.

useradd and login.defs configuration files

useradd command

• picks up the default values from the /etc/default/useradd and /etc/login.defs files for any options that are not specified at the command line when executing it.
• login.defs file is also consulted by the usermod, userdel, chage, and passwd commands
• Both files store several defaults including those that affect the password length and password lifecycle. /etc/default/useradd Default Directives:
• starting GID (GROUP) (provided the USERGROUPS_ENAB directive in the login.defs file is set to no)
• home directory location (HOME)
• number of inactivity days between password expiry and permanent account disablement (INACTIVE)
• account expiry date (EXPIRE),
• login shell (SHELL),
• skeleton directory location to copy user initialization files from (SKEL)
• whether to create mail spool directory (CREATE_MAIL_SPOOL)

/etc/login.defs default directives:

MAIL_DIR

• mail directory location

PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, and PASS_WARN_AGE

• password aging attributes.

UID_MIN, UID_MAX, GID_MIN, and GID_MAX

• ranges of UIDs and GIDs to be allocated to new users and groups

SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN, and SYS_GID_MAX

• ranges of UIDs and GIDs to be allocated to new service users and groups

CREATE_HOME

• whether to create a home directory

UMASK

• permissions to be set on the user home directory at creation based on this umask value

USERGROUPS_ENAB

• whether to delete a user’s group (at the time of user deletion) if it contains no more members

ENCRYPT_METHOD

• encryption method for user passwords

Password Aging attributes

• Can be done for an individual user or applied to all users.
• Can prevent users from logging in to the system by locking their access for a period of time or permanently.
• Must be performed by a user with elevated privileges of the root user.
• Normal users may be allowed access to privileged commands by defining them appropriately in a configuration file.
• Each file that exists on the system regardless of its type has an owning user and an owning group.
• every file that a user creates is in the ownership of that user.
• ownership may be changed and given to another user by a super user.

Password Aging and management

• Setting restrictions on password expiry, account disablement, locking and unlocking users, and password change frequency.
• Can choose to inactivate it completely for an individual user.
• Stored in the /etc/shadow file (fields 4 to 8) and its default policies in the /etc/login.defs configuration file.
• aging management tools—chage and passwd—
• usermod command can be used to implement two aging attributes (user expiry and password expiry) and lock and unlock user accounts.

chage command

• Set or alter password aging parameters on a user account.
• Changes various fields in the shadow file
• Switches
  • -d (–lastday)
    • Specifies an explicit date in the YYYY-MM-DD format, or the number of days since the UNIX time when the password was last modified. With -d 0, the user is forced to change the password at next login. It corresponds to field 3 in the shadow file.
  • -E (–expiredate)
    • Sets an explicit date in the YYYY-MM-DD format, or the number of days since the UNIX time on which the user account is deactivated. This feature can be disabled with -E -1. It corresponds to the eighth field in the shadow file.
  • -I (–inactive)
    • Defines the number of days of inactivity after the password expiry and before the account is locked. The user may be able to log in during this period with their expired password. This feature can be disabled with -I -1. It corresponds to field 7 in the shadow file.
  • -l
    • Lists password aging attributes set on a user account.
  • -m (–mindays)
    • Indicates the minimum number of days that must elapse before the password can be changed. A value of 0 allows the user to change their password at any time. It corresponds to field 4 in the shadow file.
  • -M (–maxdays)
    • Denotes the maximum number of days of password validity before the user password expires and it must be changed. This feature can be disabled with -M -1. It corresponds to field 5 in the shadow file.
  • -W (–warndays)
    • Designates the number of days for which the user gets alerts to change their password before it expires. It corresponds to field 6 in the shadow file.

passwd command

• set or modify a user’s password
• modify the password aging attributes and
• lock or unlock account
• Switches
  • -d (–delete)
    • Deletes a user password
    • does not expire the user account.
  • -e (–expire)
    • Forces a user to change their password upon next logon.
    • sets date to prior to Unix time
  • -i (–inactive)
    • Defines the number of days of inactivity after the password expiry and before the account is locked. (field 7 in shadow file)
  • -l (–lock)
    • Locks a user account.
  • -n (–minimum)
    • Specifies the number of days that must elapse before the password can be changed. (field 4 in shadow file)
  • -S (–status)
    • Displays the status information for a user.
  • -u (–unlock)
    • Unlocks a locked user account.
  • -w (–warning)
    • Designates the number of days for which the user gets alerts to change their password before it actually expires. (field 6 in shadow file)
  • -x (–maximum)
    • Denotes the maximum number of days of password validity before the user password expires and it must be changed. (field 5 in shadow file)

usermod command

• Modify a user’s attribute
• Lock or unlock their account
• Switches
  • -L (–lock)
    • Locks a user account by placing a single exclamation mark (!) at the beginning of the password field and before the hashed password string.
  • -U (–unlock)
    • Unlocks a user’s account by removing the exclamation mark (!) from the beginning of the password field.

Linux Groups and their Management

• /etc/group
  • group info
• /etc/login.defs
  • default policies
• /etc/gshadow
  • group administrator information and group-level passwords
• group management tools
  • groupadd, groupmod, and groupdel
  • create, alter, and erase groups

groupadd command

• adds entries to the group and gshadow files for each group added to the system
• picks up default values from /etc/login.defs
• Switches
  • -g (–gid)
    • Specifies the GID to be assigned to the group
  • -o (–non-unique)
    • Creates a group with a matching GID of an existing group. When two groups have an identical GID, members of both groups get identical rights on each other’s files. This should only be done in specific situations.
  • -r
    • Creates a system group with a GID below 1000
  • groupname
    • Specifies a group name

groupmod command

• syntax of this command is very similar to the groupadd with most options identical.
• Additional flags
  • -n
    • change name of existing group

User Management

Switching Users

su command

Ctrl-d - return to previous user su - - switch user with startup scripts -c - issue a command as a user without switching to them.

• root user can switch into any user account that exists on the system without being prompted for that user’s password.
• switching into the root account to execute privileged actions is not recommended.

whoami command

• show current user

logname command

• Identity of the user who originally logged in.

groupdel command

• removes entries for the specified group from both group and gshadow files.

Doing as Superuser (substitute user)

• Any normal user that requires privileged access to administrative commands or non-owning files is defined in the sudoers file.
  • File may be edited with a command called visudo
  • Creates a copy of the file as sudoers.tmp and applies the changes there. After the visudo session is over, the updated updated file overwrites the original sudoers file and sudoers.tmp is deleted.
  • syntax
    • user1 ALL=(ALL) ALL
    • %dba ALL=(ALL) ALL group is prefixed by %
  • Make it so members are not prompted for password
    • user1 ALL=(ALL) NOPASSWD:ALL
    • %dba ALL=(ALL) NOPASSWD:ALL
  • Limit access to a single command
    • user1 ALL=/usr/bin/cat
    • %dba ALL=/usr/bin/cat
• too many entries can clutter sudoers file. Use aliases instead:
  • User_Alias
    • you can define a User_Alias called PKGADM for user1, user100, and user200. These users may or may not belong to the same Linux group.
  • Cmnd_Alias
    • you can define a Cmnd_Alias called PKGCMD containing yum and rpm package management commands

sudo command

• /etc/sudoers
• /etc/sudoers.d/
  • drop-in directory /var/log/secure
  • Sudo logs successful authentication and command data to here under the name of the user using the command.

Owning User and Owning Group

• Every file and directory has an owner.
• Creator assumes ownership by default.
• Every user is a member of one or more groups.
• Owners group is also assigned to file or directory by default.

chown command

• alter the ownership for files and directories
• Must have root privileges.
• Can also change owning group.

chgrp command

• alter the owning group for files and directories
• Must have root privileges.

Advanced User Management Labs

Lab: Set and Confirm Password Aging with chage (root)

1. Set password aging parameters for user100 to mindays (-m) 7, maxdays (-M) 28, and warndays (-W) 5:

chage -m 7 -M 28 -W 5 user100

2. Confirm

chage -l user100

3. Set the account expiry to January 31, 2020

chage -E 2020-01-31 user100

4. Verify the new account expiry setting

chage -l user100

Lab: Set and Confirm Password Aging with passwd (root)

1. Set password aging attributes for user200 to mindays 10, maxdays 90, and warndays 14:

passwd -n 10 -x 90 -w 14 user200

2. Confirm:

passwd -S user200

3. Set the number of inactivity days to 5:

passwd -i 5 user200

4. Confirm:

passwd -S user200

5. Ensure that the user is forced to change their password at next login:

passwd -e user200

6. Confirm:

passwd -S user200

Lab: Lock and Unlock a User Account with usermod and passwd (root)

1. Obtain the current password information for user200 from the shadow file:

grep user200 /etc/shadow

2. Lock the account for user200:

usermod -L user200 

3. Confirm:

grep user200 /etc/shadow

4. Unlock the account with either of the following:

usermod -U user200
or
passwd -u user200

5. confirm

grep user200 /etc/shadow

Lab: Create a Group and Add Members (root)

1. Create the group linuxadm with GID 5000:

groupadd -g 5000 linuxadm

2. Create a group called dba with the same GID as that of group linuxadm:

groupadd -o -g 5000 dba

3. Confirm:

grep linuxadm /etc/group
grep dba /etc/group

4. Add user1 as a secondary member of group dba using the usermod command. The existing membership for the user must remain intact.

usermod -aG dba user1

5. Verify the updated group membership information for user1 by extracting the relevant entry from the group file, and running the id and groups command for user1:

grep dba /etc/group
id user1
groups user1

Lab: Modify and Delete a Group Account (root)

1. Alter the name of linuxadm to sysadm:

groupmod -n sysadm linuxadm

2. Change the GID of sysadm to 6000:

groupmod -g 6000 sysadm

3. Confirm:

grep sysadm /etc/group
grep linuxadm /etc/group

4. Delete sysadm group and confirm:

groupdel sysadm
grep sysadm /etc/group

Lab: To switch from user1 (assuming you are logged in as user1) into root without executing the startup scripts

su

2. switch to user100

su - user100

3. See what whoami and logname reports now:

whoami
logname

4. use su as follows and execute this privileged command to obtain desired results:

su -c 'firewall-cmd --list-services'

Lab: Add user1 to sudo file but only for the cat command.

1. Open up /etc/sudoers and add the following:

user1 ALL=/usr/bin/cat

2. run cat as user1 with and without sudo:

cat /etc/sudoers
sudo cat /etc/sudoers

Lab: Add user and command aliases to the sudoer file.

1. Add the following to the bottom of the sudoers file:

Cmnd_Alias PKGCMD = /usr/bin/yum, /usr/bin/rpm
User_Alias PKGADM = user1, user100, user200 
PKGADM ALL=PKGCMD

2. Run rpm or yum with sudo as one of the users.

sudo yum 

Lab: Take a look at examples in the sudoers file.

cat /etc/sudoers

Lab: Viewing owner and group information

1. Create a file file1 as user1 in their home directory and exhibit the file’s long listing:

touch file1
ls -l file1

2. View the corresponding UID and GID instead, you can specify the -n option with the command:

ls -ln file1

Lab: Modify File Owner and Owning Group

1. Change into the /tmp directory and create file10 and dir10:

cd /tmp
touch file10
mkdir dir10

2. Check and validate that both attributes are set to user1:

ls -l file10
ls -ld dir10

3. Set the ownership of file10 to user100 and confirm:

sudo chown user100 file10
ls -l file10

4. Alter the owning group to dba and verify:

sudo chgrp dba file10
ls -l file10

5. Change the ownership to user200 and owning group to user100 and confirm:

sudo chown user200:user100 file10

6. Modify the ownership to user200 and owning group to dba recursively on dir10 and validate:

sudo  chown -R user200:dba dir10
ls -ld dir10

Lab: Create User and Configure Password Aging (root)

1. Create group lnxgrp with GID 6000.

groupadd lnxgrp -g 6000

2. Create user user5000 with UID 5000 and GID 6000. Assign this user a password.

useradd -u 5000 -g 6000 user5000

3. Establish password aging attributes so that this user cannot change their password within 4 days after setting it and with a password validity of 30 days. This user should start getting warning messages for changing password 10 days prior to account lock down.

chage -m 4 -M 30 -W 10 user5000

4. This user account needs to expire on the 20th of December, 2021.

chage -E 2021-12-20 user5000

Lab 6-2: Lock and Unlock User (root)

1. Lock the user account for user5000 using the passwd command, and

passwd -l user5000

2. confirm by examining the change in the /etc/shadow file.

cat /etc/shadow

3. Try to log in with user5000 and observe what happens.

su - user1
su - user5000

4. Use the usermod command and unlock

Basic File Managment

Chapter 3 RHCSA Notes - File Management

7 File types

1. regular
2. directory
3. block special device
4. character special device
5. symbolic link
6. named pipe
7. socket

Commands

• ls
• stat
• file

Regular files

• Text or binary data.
• Represented by hyphen (-).

Directory Files

• Identified by the letter “d” in the beginning of ls output.

Block and Character (raw) Special Device Files

• All hardware has device file in /dev/.
• Used by system to communicate with device.
• Identified by “c” or “b” in ls listing.
• Each device driver is assigned a unique number called the major number
• Character device
  • Reads and writes 8 bits at a time.
  • Serial
• Block device
  • Receives data in fixed block size determined by drivers
  • 512 or 4096 bytes

Major Number

• Used by kernel to recognize device driver type.
• Column 5 of ls listing.

ls -l /dev/sda

Minor Number

• Each device controlled by the same device driver gets a Minor Number
• Applies to disk partitions as well.
• The same driver can control multiple devices of the same type.
• Column 6 of ls listing

ls -l /dev/sda

Symbolic Links

• Shortcut to another file or directory.
• Begins with “l” in ls listing.

ls -l /usr/sbin/vigr
lrwxrwxrwx. 1 root root 4 Jul 21 14:36 /usr/sbin/vigr -> vipw

Compression and Archiving

Archiving

• Preserves file attributes such as ownership, owning group, and timestamp.
• Preserves extended file attributes such as ACLs and SELinux contexts.
• Syntax of tar and star are identical.

star command

tar (tape archive) command

• Create, append, update, list, and extract files/directory tree to/from a file called a tarball(tarfile)
• Can compress a tarball after it’s been created.
• Automatically removes “/” so you do not have to specify the full pathname  when restoring files at any location.

flags tar -c :: Create tarball. tar -f :: Specify tarball name. tar -p :: Preserve file permissions. Default for the root user. Specify this if you create an archive as a normal user. tar -r :: Append files to the end of an existing uncompressed tarball. tar -t :: List contents of a tarball. tar -u :: Append files to the end of an existing uncompressed tarball provided the specified files being added are newer. -z -j -C

Archive entire home directory:

tar -cvf /tmp/home.tar /home

Archive two specific files:

tar -cvf /tmp/files.tar /etc/passwd /etc/yum.conf

Append files in a directory to existing tarball:

tar -rvf /tmp/files.tar /etc/yum.repos.d

List what is included in home.tar tarball:

tar -tvf /tmp/files.tar

Restore single file and confirm:

tar -xf /tmp/files.tar etc/yum.conf
ls -l etc/yum.conf

Restore all files and confirm:

tar -xf /tmp/files.tar
ls

Create a gzip-compressed tarball under /tmp for /home:

tar -czf /tmp/home.tar.gz /home

Create bzip2-compressed tarball under /tmp for /home:

sudo tar -cjf /tmp/home.tar.bz2 /home

List content of gzip-compressed archive without uncompressing it:

tar -tf /tmp/home.tar.gz

Extract files from gzip-compressed tarball in the current directory:

tar -xf /tmp/home.tar.gz

Extract files from the bzip2-compressed tarball under /tmp:

tar -xf /tmp/home.tar.bz2 -C /tmp

Compression tools

gzip (gunzip) command

• Create a compressed file for each of the specified files.
• Adds .gz extension.

Flags

Copy /etc/fstab to the current directory and display filename when uncompressed:

cp /etc/fstab .
ls -l fstab

gzip fstab and view details:

gzip fstab
ls -l fstab.gz

Display compression info:

gzip -l fstab.gz

Uncompress fstab.gz:

gunzip fstab.gz
ls -l fstab

bzip2 (bunzip2) command

• Adds .bz2 extension.

• Better compression/ decompression ratio but is slower than gzip.

Compress fstab using bzip and view details:

bzip2 fstab
ls -l fstab.bz2

Unzip fstab.bz2 and view details:

bunzip2 fstab.bz2
ls -l fstab

File Editing

Vim

vimguide

File and Directory Operations

touch command

• File is created with 0 bytes in size.
• Run touch on it and it will get a new timestamp

Flags

Set date on file1 to 2019-09-20:

touch -d 2019-09-20 file1

Change modification time on file1 to current system time:

touch -m file1

mkdir command

• Create a new directory.

flags

Create dir1 verbosely:

mkdir dir1 -v

Create dir2/perl/perl5:

mkdir -vp dir2/perl/perl5

Commands for displaying file contents

• cat
• more
• less
• head
• tail

cat command

• Concatenate and print files to standard output.

Flags

Redirect output to specified file:

cat > catfile1

tac command

• Display file contents in reverse

more command

• Display files on page-by-page basis.
• Forward text searching only.

Navigation

less command

• Display files on page-by-page basis.
• Forward and backwards searching.

less /usr/bin/znew

Navigation

head command

• Displays first 10 lines of a file.

head /etc/profile

View top 3 lines of a file:

head -3 /etc/profile

tail command

• Display last 10 lines of a file.

Flags

tail /etc/profile

View last 3 lines of /etc/profile:

tail -3 /etc/profile

View updates to the system log file /varlog/messages in real time:

sudo tail -f /var/log/messages

Counting Words, Lines, and Characters in Text Files

wc (word count) command

• Display the number of lines, words, and characters (or bytes) contained in a text file or input supplied.

Flags

 wc /etc/profile
  85  294 2123 /etc/profile

Display count of characters on /etc/profile:

wc -m /etc/profile

Copying Files and Directories

cp command

• Copy files or directories.
• Overwrites destination without warning.
• root has a custom alias in their .bashrc file that automatically adds the -i option.

alias cp='cp -i'

Flags

cp file1 newfile1

Copy file to new directory:

cp file1 dir1

Get confirmation before overwriting:

cp file1 dir1 -i
cp: overwrite 'dir1/file1'? y

Copy a directory and view hierarchy:

cp -r dir1 dir2
ls -l dir2 -R

Copy file while preserving attributes:

cp -p file1 /tmp

Moving and renaming Files and Directories

mv command

• Move or rename files and directories.
• Can move a directory into another directory.
  • Target directory must exist otherwise you are just renaming the directory.
• Alias exists in root’s home directory for -i in the .bashrc file.

alias—“alias mv=’mv -i’""

Flags

mv -i file1 dir1

mv newfile1 newfile2

Move a dir into another dir (target exists):

mv dir1 dir2

Rename a directory (Target does not exist):

mv dir2 dir20

Removing files

rm command

• Delete one or more specified files or directories.
• Alias—“alias rm=’rm -i’”— in the .bashrc file in the root user’s home directory.
• Remember to backslash “" any wildcard characters in filenames.

Flags

Erase newfile2:

rm -i newfile2

rm a directory:

 rm -dv emptydir

rm a directory recursively:

rm -r dir20

rmdir command

• Remove empty directories.

Flags

rmdir emptydir -v

File Linking

inode (index node)

• Contains metadata about a file (128 bytes)
  • File type, Size, permissions, owner name, owning group, access times, link count, etc.
  • Also shows number of allocated blocks and pointers to the data storage location.
• Assigned a unique numeric identifier that is used by the kernel for accessing, tracking, and managing the file.
• Does not store the filename.
• Filename and corresponding inode number mapping is maintained in the directory’s metadata where the file resides.
• Links are not created between files and directories

Hard links

• Mapping between one or more filenames and an inode number.
• Hard-linked files are indistinguishable from one another.
• All hard-linked files will have identical metadata.
• Changes to the file metadata and content can be made by accessing any of the filenames.
• Cannot cross file system boundaries.
• Cannot link directories.

ls -li output

• Column 1 inode number.
• Column 3 link count.

Soft Links

• Symbolic (symlink).
• Like a Windows shortcut.
• Unique inode number for each symlink.
• Link count does not increase or decrease.
• Size of soft link is the number of character in pathname to target.
• Can cross file system boundaries.
• Can link directories.
• ls-l shows l at the beginning of the permissions for soft link
• if you remove the original file, the softlink will point to a file that doesn’t exist.
• RHEL 8 has four soft-linked directories under /.
  1. bin -> usr/bin
  2. lib -> usr/lib
  3. lib64 ->usr/lib64
  4. sbin -> usr/sbin
• Same syntax for creating linked directories

ln command

• Create links between files.
• Creates hard link by default.

Hard link file10 and file20 and verify the inode number:

touch file10
ln file10 file20
ls -li

Create a soft link to file10 called soft10:

ln -s file10 soft10

Copying vs linking

Copying

• Duplicates source file.
• Each copy stores data at a unique location.
• Each copied file has a unique inode number and unique metadata.
• If a copy is moved, erased, or renamed, the source file will have no impact, and vice versa.
• Copy is used when the data needs to be edited independent of the other.
• Permissions on the source and the copy are managed independent of each other.

Linking

• Creates a shortcut that points to the source file.
• Source can be accessed or modified using either the source file or the link.
• All linked files point to the same data.
• Hard Link: All hard-linked files share the same inode number, and hence the metadata.
• Symlink: Each symlinked file has a unique inode number, but the inode number stores only the pathname to the source.
• Hard Link: If the hard link is weeded out, the other file and the data will remain untouched.
• Symlink: If the source is deleted, the soft link will be broken and become meaningless. If the soft link is removed, the source will have no impact.
• Links are used when access to the same source is required from multiple locations.
• Permissions are managed on the source file.

Labs

Lab: Viewing regular file information:

touch file1
ls -l

file file1

stat file1

Lab Create and Manage Hard Links

1. Create an empty file /tmp/hard1, and display the long file listing including the inode number:

touch /tmp/hard1
ls -li /tmp/hard1

2. Create two hard links called hard2 and hard3 under /tmp, and display the long listing:

ln /tmp/hard1 /tmp/hard2
ln /tmp/hard1 /tmp/hard3
ls -li /tmp/hard*

3. Edit file hard2 and add some random text. Display the long listing for all three files again:

vim /tmp/hard2
ls -li /tmp/hard*

4. Erase file hard1 and hard3, and display the long listing for the remaining file:

rm -f /tmp/hard1 /tmp/hard3
ls -li /tmp/hard*

Lab: Create and Manage Soft Links

1. Create soft link /root/soft1 pointing to /tmp/hard2, and display the long file listing for both:

sudo ln -s /tmp/hard2 /root/soft1
ls -li /tmp/hard2 /root/soft1
sudo ls -li /tmp/hard2 /root/soft1

2.Edit soft1 and display the long listing again:

sudo vim /root/soft1
sudo ls -li /tmp/hard2 /root/soft1

3.Remove hard2 and display the long listing:

sudo ls -li /tmp/hard2 /root/soft1

remove the soft link

rm -f /root/soft1.

Lab: Archive, List, and Restore Files

Create a gzip-compressed archive of the /etc directory.

tar -czf etc.tar.gz /etc

Create a bzip2-compressed archive of the /etc directory.

sudo tar -cjf etc.tar.bz2 /etc

Compare the file sizes of the two archives.

ls -l etc*

Run the tar command and uncompress and restore both archives without specifying the compression tool used.

sudo tar -xf etc.tar.bz2 ; sudo tar -xf etc.tar.gz

Lab: Practice the vim Editor

As user1 on server1, create a file called vipractice in the home directory using vim. Type (do not copy and paste) each sentence from Lab 3-1 on a separate line (do not worry about line wrapping). Save the file and quit the editor.

Open vipractice in vim again and reveal line numbering. Copy lines 2 and 3 to the end of the file to make the total number of lines in the file to 6.

:set number!
#then
yy and p

Move line 3 to make it line 1.

3m0

Go to the last line and append the contents of the .bash_profile.

:r ~/.bashrc

Substitute all occurrences of the string “Profile” with “Pro File”, and all occurrences of the string “profile” with “pro file”.

:%s/profile/pro file/gi

Erase lines 5 to 8.

:5,8d

Provide a count of lines, words, and characters in the vipractice file using the wc command.

wc vipractice

Lab: File and Directory Operations

As user1 on server1, create one file and one directory in the home directory.

touch file3
mkdir dir5

List the file and directory and observe the permissions, ownership, and owning group.

ls -l file3
ls -l dir5
ls -ld dir5

Try to move the file and the directory to the /var/log directory and notice what happens.

mv dir5 /var/log
mv file3 /var/log

Try again to move them to the /tmp directory.

mv dir5 /tmp
ls /tmp

Duplicate the file with the cp command, and then rename the duplicated file using any name.

cp /tmp/file3 file4
ls /tmp
ls

Erase the file and directory created for this lab.

rm -d /tmp/dir5; rm file4

Basic Package Management

RPM (Redhat Package Manager)

• Specially formatted File(s) packaged together with the .rpm extension.
• Packages included or available for RHEL are in rpm format.
• Metadata info gets updated whenever a package is updated.

rpm command

• Install, Upgrade, remove, query, freshen, or decompress packages.
• Validate package authenticity and integrity.

Packages

• Two types of packages binary (or installable) and source.

Binary packages

• Installation ready
• Bundled for distribution.
• Have .rpm extension.
• Contain:
  • install scripts (pre and post)
  • Executables
  • Configuration files
  • Library files
  • Dependency information
  • Where to install files
  • Documentation
    • How to install/uninstall
    • Man pages for config files/commands
    • Other install and usage info
  • Metadata
    • Stored in central location
    • Includes:
      • Package version
      • Install location
      • Checksum values
      • List of included files and their attributes
• Package intelligence
  • Used by package administration toolset for successful completion of the package installation process.
  • May include info on:
    • prerequisites
    • User account setup
    • Needed directories/ soft links
  • Includes reverse process for uninstall

Package Naming

5 parts to a package name: 1. Name 2. Version 3. release (revision or build) 4. Linux version 5. Processor Architecture - noarch - platform independant - src - Source code packages

• Always has .rpm extension
• .rpm is removed after install Example: openssl-1.1.1-8.el8.x86_64.rpm,

Package Dependency

• Dependency info is in the metadata
  • Read by package handling utilities

Package Database

• Metadata for installed packages and package files is stored in /var/lib/rpm/
  • Package database
  • Referenced by package manipulation utilities to obtain:
    • package name and version data
    • Info about owerships, permissions, timestamps, and file sizes that are part of the package.
    • Contain info on dependencies.
    • Aids management commands in:
      • listing and querying packages
      • Verifying dependencies and file attributes.
      • Installing new packages.
      • Upgrading and uninstalling packages.
    • Removes and replaces metadata when a package is replaced.
    • Can maintain multiple version of a single package.

Package Management Tools

• rpm (redhat package manager)
  • Does not automatically resolve dependencies.
• yum (yellowdog update, modified)
  • Find, get, and install dependencies automatically.
  • softlink to dnf now.
• dnf (dandified yum)

Package management with rpm

rpm package management tasks: - query - install - upgrade - freshen - overwrite - remove - extract - validate - verify

• Works with installed and installable packages.

rpm command

Query options

Query and display packages
-q (--query)

List all installed packages
-qa (--query --all)

List config files in a package
-qc (--query --config-files)

List documentation files in a package
-qd (--query --docfiles)

Exhibit what package a file comes from
-qf (--query --file)

Show installed package info (Version, Size, Installation status, Date, Signature, Description, etc.) -qi (--query --info)

Show installable package info (Version, Size, Installation status, Date, Signature, Description, etc.) -qip (--query --info --package)

List all files in a package.
-ql (--query --list)

List files and packages a package depends on.
-qR (--query --requires)

List packages that provide the specified package or file.
-q --whatprovides

List packages that require the specified package or file.
-q --whatrequires

Package installation options

Remove a package
-e (--erase)

Upgrades installed package. Or loads if not installed.
-U (--upgrade)

Display detailed information
-v (--verbose or -vv)

Verify integrity of a package or package files
-V (--verify)

Querying packages

Query packages in the package database or at a specified location.

Installing a package

• Creates directory structure needed
• Installs files
• Runs needed post installation steps
• Installing package will fail if missing dependencies.
• Error message will show missing dependencies.

Upgrading a package

• Installs the package if previous version does not exist. (-U)
• Makes backup of effected configuration files and adds .rpmsave extension.

Freshening a package

• Older version must exist.
• -F option
• Will only work if a newer version of a package is available.

Overwriting a Package

• Replaces existing files of a package with the same version.
• –replacepkgs option.
• Useful when you suspect corruption.

Removing a Package

• Uninstalls package and associated files/ directories
• -e Option
• Checks to see if this package is a dependency for another program and fails if it is.

Extracting Files from an Installable Package

• rpm2cpio command
• -i (extract)
• -d create directory structure. Useful for:
  • Examining package contents.
  • Replacing corrupt or lost command.
  • Replace critical configuration file to it’s original state

Package Integrity and Credibility

• MD5 Checksum for verifying package integrity
• GNU Privacy Guard Public Key (GNU Privacy Guard or GPG) for ensuring credibility of publisher.
• PGP (Pretty Good Privacy) - commercial version of GPG.
• --nosignature
  • Don’t verify package or header signatures when reading.
• -K
  • keep package files after installation rpmkeys command
  • check credibility, import GPG key, and verify packages
• Redhat signs their products and updates with a GPG key.
  • Files in installation media include public keys in the products for verification.
  • Copied to /etc/pki/rpm-gpg during OS installation. RPM-GPG-KEY-redhat-release
    • Used for packages shipped after November 2009 and their updates. RPM-GPG-KEY-redhat-beta
    • For Beta products shipped after November 2009.
• Import the relevant GPG key and the verify the package to check the credibility of a package.

Viewing GPG Keys

• view with rpm command rpm -q gpg-pubkey
• -i option
  • show info about a key.

Verifying Package Attributes

• Compare package file attributes with originals stored in package database at the time of installation.
• -V option
  • compare owner, group, permission mode, size, modification time, digest, type, etc.
  • Returns to prompt if no changes are detected
  • -v or vv for verbose
• -Vf
  • run the check directly on the file
• Three columns of output:
  • Column 1
    • 9 fields
      • S = Different file size.
      • M = Mode or permission or file type change.
      • 5 = MD5 Checksum does not match.
      • D = Device file and its major and minor number have changed.
      • L = File is a symlink and it’s path has been altered.
      • U = Ownership has changed.
      • G = Group membership has been modified.
      • T = Timestamp changed.
      • P = Capabilities are altered.
      • . = No modifications detected.
  • Column 2
    • File type
      • c = Configuration file
      • d = Documentation File
      • g = Ghost FIle
      • l = License file
      • r = Readme file
  • Column 3
    • Full path of file

Basic Package Management Labs

Lab: Mount RHEL 9 ISO Persistently

1. Go to the VirtualBox VM Manager and make sure that the RHEL 8 image is attached to RHEL9-VM1 as depicted below:

2. Open the /etc/fstab file in the vim editor (or another editor of your choice) and add the following line entry at the end of the file to mount the DVD image (/dev/sr0) in read-only (ro) mode on the /mnt directory.

   /dev/sr0 /mnt iso9660 ro 0 0

Note: sr0 represents the first instance of the optical device and iso9660 is the standard format for optical file systems.

3. Mount the file system as per the configuration defined in the /etc/fstab file using the mount command with the -a (all) option:

   sudo mount -a

4. Verify the mount using the df command:

   df -h | grep mnt

Note: The image and the packages therein can now be accessed via the /mnt directory just like any other local directory on the system.

5. List the two directories—/mnt/BaseOS/Packages and /mnt/AppStream/Packages—that contain all the software packages (directory names are case sensitive):

   ls -l /mnt/BaseOS/Packages | more

Lab: Query Packages (RPM)

1. query all installed packages: rpm -qa

2. query whether the perl package is installed: rpm -q perl

3. list all files in a package: rpm -ql iproute

4. list only the documentation files in a package: rpm -qd audit

5. list only the configuration files in a package: rpm -qc cups

6. identify which package owns the specified file: rpm -qf /etc/passwd

7. display information about an installed package including version, release, installation status, installation date, size, signatures, description, and so on: rpm -qi setup

8. list all file and package dependencies for a given package: rpm -qR chrony

9. query an installable package for metadata information (version, release, architecture, description, size, signatures, etc.): rpm -qip /mnt/BaseOS/Packages/zsh-5.5.1-6.el8.x86_64.rpm

10. determine what packages require the specified package in order to operate properly: rpm -q --whatrequires lvm2

Lab: Installing a Package (RPM)

1. Install zsh-5.5.1-6.el8.x86_64.rpm sudo rpm -ivh /mnt/BaseOS/Packages/zsh-5.5.1-6.el8.x86_64.rpm

Lab: Upgrading a Package (RPM)

1. Upgrade sushi with the -U option: sudo rpm -Uvh /mnt/AppStream/Packages/sushi-3.28.3-1.el8.x86_64.rpm

Lab: Freshening a Package

1. Freshen the sushi package: sudo rpm -Fvh /mnt/AppStream/Packages/sushi-3.28.3-1.el8.x86_64.rpm

Lab: Overwriting a Package

1. Overwrite zsh-5.5.1-6.el8.x86_64 sudo rpm -ivh --replacepkgs /mnt/BaseOS/Packages/zsh-5.5.1-6.el8.x86_64

Lab: Removing a Package

1. Remove sushi sudo rpm sushi -ve

Lab: Extracting Files from an Installable Package

1. You have lost /etc/crony.conf. Determine what package this file comes from: rpm -qf /etc/chrony.conf

2. Extract all files from the crony package to /tmp and create the directory structure:

[root@server30 mnt]# cd /tmp

[sudo rpm2cpio /mnt/BaseOS/Packages/chrony-3.3-3.el8.x86_64.rpm | cpio -imd
1066 blocks](<[root@server30 tmp]# rpm2cpio /mnt/BaseOS/Packages/chrony-4.3-1.el9.x86_64.rpm | cpio -imd
1253 blocks>)

3. Use find to locate the crony.conf file: sudo find . -name chrony.conf

4. Copy the file to /etc:

Lab: Validating Package Integrity and Credibility

1. Check the integrity of zsh-5.5.1-6.el8.x86_64.rpm located in /mnt/BaseOS/Packages: rpm -K /mnt/BaseOS/Packages/zsh-5.5.1-6.el8.x86_64.rpm --nosignature
2. Import the GPG key from the proper file and verify the signature for the zsh-5.5.1-6.el8.x86_64.rpm package.

sudo rpmkeys --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sudo rpmkeys -K /mnt/BaseOS/Packages/zsh-5.5.1-6.el8.x86_64.rpm

Lab: Viewing GPG Keys

1. List the imported key: rpm -q gpg-pubkey
2. View details for the first key: rpm -qi gpg-pubkey-fd431d51-4ae0493b

Lab: Verifying Package Attributes

1. Run a check on the at program: sudo rpm -V at

2. Change permissions of one of the files and run the check again:

ls -l /etc/sysconfig/atd
sudo chmod -v 770 /etc/sysconfig/atd
sudo rpm -V at

3. Run the check directly on the file: sudo rpm -Vf /etc/sysconfig/atd

4. Reset the value and check the file again:

sudo chmod -v 644 /etc/sysconfig/atd
sudo rpm -V at

Lab: Perform Package Management Using rpm

1. Run the ls command on the /mnt/AppStream/Packages directory to confirm that the rmt package is available:

[root@server30 tmp]# ls -l /mnt/BaseOS/Packages/rmt*
-r--r--r--. 1 root root 49582 Nov 20  2021 /mnt/BaseOS/Packages/rmt-1.6-6.el9.x86_64.rpm

2. Run the rpm command and verify the integrity and credibility of the package:

[root@server30 tmp]# rpmkeys -K /mnt/BaseOS/Packages/rmt-1.6-6.el9.x86_64.rpm
/mnt/BaseOS/Packages/rmt-1.6-6.el9.x86_64.rpm: digests signatures OK

3. Install the Package:

[root@server30 tmp]# rpmkeys -K /mnt/BaseOS/Packages/rmt-1.6-6.el9.x86_64.rpm
/mnt/BaseOS/Packages/rmt-1.6-6.el9.x86_64.rpm: digests signatures OK
[root@server30 tmp]# rpm -ivh /mnt/BaseOS/Packages/rmt-1.6-6.el9.x86_64.rpm
Verifying...                         ################################# [100%])
Preparing...                         ################################# [100%])
Updating / installing...
   1:rmt-2:1.6-6.el9                 ################################# [100%])

4. Show basic information about the package:

[root@server30 tmp]# rpm -qi rmt
Name        : rmt
Epoch       : 2
Version     : 1.6
Release     : 6.el9
Architecture: x86_64
Install Date: Sat 13 Jul 2024 09:02:08 PM MST
Group       : Unspecified
Size        : 88810
License     : CDDL
Signature   : RSA/SHA256, Sat 20 Nov 2021 08:46:44 AM MST, Key ID 199e2f91fd431d51
Source RPM  : star-1.6-6.el9.src.rpm
Build Date  : Tue 10 Aug 2021 03:13:47 PM MST
Build Host  : x86-vm-55.build.eng.bos.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://freecode.com/projects/star
Summary     : Provides certain programs with access to remote tape devices
Description :
The rmt utility provides remote access to tape devices for programs
like dump (a filesystem backup program), restore (a program for
restoring files from a backup), and tar (an archiving program).

5. Show all the files the package contains:

[root@server30 tmp]# rpm -ql rmt
/etc/default/rmt
/etc/rmt
/usr/lib/.build-id
/usr/lib/.build-id/c2
/usr/lib/.build-id/c2/6a51ea96fc4b4367afe7d44d16f1405c3c7ec9
/usr/sbin/rmt
/usr/share/doc/star
/usr/share/doc/star/CDDL.Schily.txt
/usr/share/doc/star/COPYING
/usr/share/man/man1/rmt.1.gz

6. List the documentation files the package has:

[root@server30 tmp]# rpm -qd rmt
/usr/share/doc/star/CDDL.Schily.txt
/usr/share/doc/star/COPYING
/usr/share/man/man1/rmt.1.gz

7. Verify the attributes of each file in the package. Use verbose mode.

[root@server30 tmp]# rpm -vV rmt
.........  c /etc/default/rmt
.........    /etc/rmt
.........  a /usr/lib/.build-id
.........  a /usr/lib/.build-id/c2
.........  a /usr/lib/.build-id/c2/6a51ea96fc4b4367afe7d44d16f1405c3c7ec9
.........    /usr/sbin/rmt
.........    /usr/share/doc/star
.........  d /usr/share/doc/star/CDDL.Schily.txt
.........  d /usr/share/doc/star/COPYING
.........  d /usr/share/man/man1/rmt.1.gz

8. Remove the package:

[root@server30 tmp]# rpm -ve rmt
Preparing packages...
rmt-2:1.6-6.el9.x86_64

Lab 9-1: Install and Verify Packages

As user1 with sudo on server3,

• make sure the RHEL 9 ISO image is attached to the VM and mounted.
• Use the rpm command and install the zsh package by specifying its full path.

[root@server30 Packages]# rpm -ivh /mnt/BaseOS/Packages/zsh-5.8-9.el9.x86_64.rpm 
Verifying...                         ################################# [100%])
Preparing...                         ################################# [100%])
	package zsh-5.8-9.el9.x86_64 is already installed

• Run the rpm command again and perform the following on the zsh package:
• (1) show information

[root@server30 Packages]# rpm -qi zsh
Name        : zsh
Version     : 5.8
Release     : 9.el9
Architecture: x86_64
Install Date: Sat 13 Jul 2024 06:49:40 PM MST
Group       : Unspecified
Size        : 8018363
License     : MIT
Signature   : RSA/SHA256, Thu 24 Feb 2022 08:59:15 AM MST, Key ID 199e2f91fd431d51
Source RPM  : zsh-5.8-9.el9.src.rpm
Build Date  : Wed 23 Feb 2022 07:10:14 AM MST
Build Host  : x86-vm-56.build.eng.bos.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://zsh.sourceforge.net/
Summary     : Powerful interactive shell
Description :
The zsh shell is a command interpreter usable as an interactive login
shell and as a shell script command processor.  Zsh resembles the ksh
shell (the Korn shell), but includes many enhancements.  Zsh supports
command line editing, built-in spelling correction, programmable
command completion, shell functions (with autoloading), a history
mechanism, and more.

• (2) validate integrity

[root@server30 Packages]# rpm -K zsh-5.8-9.el9.x86_64.rpm
zsh-5.8-9.el9.x86_64.rpm: digests signatures OK

• (3) display attributes [root@server30 Packages]# rpm -V zsh

Lab 9-2: Query and Erase Packages

As user1 with sudo on server3,

• make sure the RHEL 9 ISO image is attached to the VM and mounted.
• Use the rpm command to perform the following:
• (1) check whether the setup package is installed

[root@server30 Packages]# rpm -q setup
setup-2.13.7-10.el9.noarch

• (2) display the list of configuration files in the setup package

[root@server30 Packages]# rpm -qc setup
/etc/aliases
/etc/bashrc
/etc/csh.cshrc
/etc/csh.login
/etc/environment
/etc/ethertypes
/etc/exports
/etc/filesystems
/etc/fstab
/etc/group
/etc/gshadow
/etc/host.conf
/etc/hosts
/etc/inputrc
/etc/motd
/etc/networks
/etc/passwd
/etc/printcap
/etc/profile
/etc/profile.d/csh.local
/etc/profile.d/sh.local
/etc/protocols
/etc/services
/etc/shadow
/etc/shells
/etc/subgid
/etc/subuid
/run/motd
/usr/lib/motd

• (3) show information for the zlib-devel package on the ISO image

[root@server30 Packages]# rpm -qi ./zlib-devel-1.2.11-40.el9.x86_64.rpm
Name        : zlib-devel
Version     : 1.2.11
Release     : 40.el9
Architecture: x86_64
Install Date: (not installed)
Group       : Unspecified
Size        : 141092
License     : zlib and Boost
Signature   : RSA/SHA256, Tue 09 May 2023 05:31:02 AM MST, Key ID 199e2f91fd431d51
Source RPM  : zlib-1.2.11-40.el9.src.rpm
Build Date  : Tue 09 May 2023 03:51:20 AM MST
Build Host  : x86-64-03.build.eng.rdu2.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://www.zlib.net/
Summary     : Header files and libraries for Zlib development
Description :
The zlib-devel package contains the header files and libraries needed
to develop programs that use the zlib compression and decompression
library.

• (4) reinstall the zsh package (–reinstall -vh),

[root@server30 Packages]# rpm -hv --reinstall ./zsh-5.8-9.el9.x86_64.rpm
Verifying...                         ################################# [100%])
Preparing...                         ################################# [100%])
Updating / installing...
   1:zsh-5.8-9.el9                   ################################# [ 50%])
Cleaning up / removing...
   2:zsh-5.8-9.el9                   ################################# [100%])

• (5) remove the zsh package. [root@server30 Packages]# rpm -e zsh

Basic User Management

Listing Logged-In Users

A list of the users who have successfully signed on to the system with valid credentials can be printed using who and w

who command

• references the /run/utmp file and displays the information.
• displays login name of user
• shows terminal session device filename
• pts stands for pseudo terminal session
• shows data and time of user login
• Shows if terminal session is graphical(:0), remote(IP address), or textual on the console

what command (w)

• Shows length of time the user has been idle
• CPU time used by all processes including any existing background jobs attached to this terminal (JCPU),
• CPU time used by the current process (PCPU),
• current activity (WHAT).
• current system time
• system up duration
• number of users logged in
• cpu averages over last 1, 5, and 15 minutes
• load average (CPU load): 0.00 and 1.00 correspond to no load and full load, and a number greater than 1.00 signifies excess load (over 100%).

last command

• Reports the history of successful user login attempts and system boots
• Consults the wtmp file located in the /var/log directory.
• wtmp keeps a record of login/logout activities
  • login time
  • duration a user stayed logged in
  • tty
• Output
  • Login name
  • Terminal name
  • Terminal name or IP from where connection was established
  • Day, Month, date, and time when the connection was established
  • Log out time or (still logged in)
  • Duration of session
  • Action name (system reboots section)
  • Activity name (system reboots section)
  • Linux kernel version (system reboots section)
  • Day, Month, date, and time when the reboot command was issued (system reboots section)
  • System restart time (system reboots section)
  • Duration the system remained down or (still running) (system reboots section)
  • log filename (wtmp) (last line)

lastb command

• reports failed login attempts
• Consults /var/log/btmp
  • record of failed login attempts
  • login name
  • time
  • tty
• Must be root to run this command
• Columns
  • name of user
  • protocol used
  • terminal name or ip address
  • Day, Month, Date, and time of the attempt
  • Duration the attempt was tried
  • Duration the attempt last for
  • log filename (btmp) (last line)

lastlog command

• most recent login evidence info for every user account that exists on the system
• Consults /var/log/lastlog
  • record of most recent user attempts
  • login name
  • time
  • port (or tty)
  • Columns:
    • Login name of user
    • Terminal name assigned upon Logging in
    • Terminal name or Ip address from where the session was initiated
    • Timestamp for the latest login or “Never logged in”
  • service accounts are used by their respective services, and they are not meant for logging.

id (identifier) Command

• displays the calling user’s:
  • UID (User IDentifier)
  • username
  • GID (Group IDentifier)
  • group name
  • all secondary groups the user is a member of
  • SELinux security context

groups Command:

• lists all groups the calling user is a member of:
• first group listed is the primary group for the user who executed this command
• other groups are secondary (or supplementary).
• can also view group membership information for a different user.

User Account Management

useradd Command

• add a new user to the system
• adds entries to the four user authentication files for each account added to the system
• creates a home directory for the user and copies the default user startup files from the skeleton directory /etc/skel into the user’s home directory
• used to update the default settings that are used at the time of new user creation for unspecified settings
• Options
  • -b (–base-dir)
    • Defines the absolute path to the base directory for placing user home directories. The default is /home.
  • -c (–comment)
    • Describes useful information about the user.
  • -d (–home-dir)
    • Defines the absolute path to the user home directory.
  • -D (–defaults)
    • Displays the default settings from the /etc/default/useradd file and modifies them.
  • -e (–expiredate)
    • Specifies a date on which a user account is automatically disabled. The format for the date specification is YYYY-MM-DD.
  • -f (–inactive)
    • Denotes maximum days of inactivity between password expiry and permanent account disablement.
  • -g (–gid)
    • Specifies the primary GID. Without this option, a group account matching the username is created with the GID matching the UID.
  • -G (–groups)
    • Specifies the membership to supplementary groups.
  • -k (–skel)
    • location of the skeleton directory (default is /etc/skel) (stores default user startup files)
      • These files are copied to the user’s home directory at the time of account creation.
      • Three hidden bash shell files: (default)
        • .bash_profile, .bashrc, and .bash_logout
        • You can customize these files or add your own to be used for accounts created thereafter.
  • -m (–create-home)
    • Creates a home directory if it does not already exist.
  • -o (–non-unique)
    • Creates a user account sharing the UID of an existing user.
    • When two users share a UID, both get identical rights on each other’s files.
    • Should only be done in specific situations.
  • -r (–system)
    • Creates a service account with a UID below 1000 and a never-expiring password.
  • -s (–shell)
    • Defines the absolute path to the shell file. The default is /bin/bash.
  • -u (–uid)
    • Indicates a unique UID. Without this option, the next available UID from the /etc/passwd file is used.
  • login
    • Specifies a login name to be assigned to the user account.

usermod Command

• modify the attributes of an existing user
• similar syntax to useradd and most switches identical.
• Options unique to usermod:
  • -a (–append)
    • Adds a user to one or more supplementary groups
  • -l (–login)
    • Specifies a new login name
  • -m (–move-home)
    • Creates a home directory and moves the content over from the old location
  • -G
    • Add a list of groups a user is a member of.

userdel Command

• to remove a user from the system

passwd Command

• set or modify a user’s password

No-Login (Non-Interactive) User Account

nologin command

• /sbin/nologin
• special purpose program that can be employed for user accounts that do not require login access to the system.
• located in the /usr/sbin (or /sbin) directory
• user is refused with the message, “This account is currently not available.”
• If a custom message is required, you can create a file called nologin.txt in the /etc directory and add the desired text to it.
• If a no-login user is able to log in with their credentials, there is a problem. Use the grep command against the /etc/passwd file to ensure ‘/sbin/nologin’ is there in the shell field for that user.
• examples of user accounts that do not require login access are the service accounts such as ftp, apache, and sshd.

Basic User Management Labs

Lab: who

 who

Lab: what

 w

Lab: last

1. List all user login, logout, and system reboot occurrences:

 last

2. List system reboot info only:

 last reboot

Lab: lastb

 lastb

Lab: lastlog

 lastlog

Lab: id

1. View info about currently active user:

 id

2. View info about another user:

 id user1

Lab: groups

1. View current user’s groups:

 groups

2. View groups of another user:

 groups user1

Lab: user authentication files

1. list of the four files and their backups from the /etc directory:

 ls -l /etc/passwd* /etc/group* /etc/shadow* /etc/gshadow*

2. View first and last 3 lines of the passwd file

 head -3 /etc/passwd ; tail -3 /etc/passwd

3. verify the permissions and ownership on the passwd file:

 ls -l /etc/passwd

4. View first and last 3 lines of the shadow file:

 head -3 /etc/shadow ; tail -3 /etc/shadow

5. verify the permissions and ownership on the shadow file:

 ls -l /etc/shadow

6. View first and last 3 lines of the group file:

 head -3 /etc/group ; tail -3 /etc/group

7. Verify the permissions and ownership on the group file:

 ls -l /etc/group

8. View first and last 3 lines of the gshadow file:

 head -3 /etc/gshadow ; tail -3 /etc/gshadow

9. Verify the permissions and ownership on the gshadow file:

 ls -l /etc/gshadow

Lab: useradd and login.defs

1. use the cat or less command to view the useradd file content or display the settings with the useradd command:

 useradd -D

1. grep on the/etc/login.defs with uncommented and non-empty lines:

 grep -v ^# /etc/login.defs | grep -v ^$

Lab: Create a User Account with Default Attributes (root)

2. Create user2 with all the default directives:

 useradd user2

3. Assign this user a password and enter it twice when prompted:

 passwd user2

4. grep for user2: on the authentication files to examine what the useradd command has added:

 cd /etc ; grep user2: passwd shadow group gshadow

5. Test this new account by logging in as user2 and then run the id and groups commands to verify the UID, GID, and group membership information:

 su - user2
 id
 groups

Lab: Create a User Account with Custom Values

1. Create user3 with UID 1010, home directory /usr/user3a, and shell /bin/sh:

 useradd -u 1010 -d /usr/user3a -s /bin/sh user3

2. Assign user1234 as password (passwords assigned in the following way is not recommended; however, it is okay in a lab environment):

 echo user1234 | passwd --stdin user3

3. grep for user3: on the four authentication files to see what was added for this user:

 cd /etc ; grep user3: passwd shadow group gshadow 

4. Test this account by switching to or logging in as user3 and entering user1234 as the password. Run the id and groups commands for further verification.

 su - user3 
 id
 groups

Lab: Modify and Delete a User Account

1. Modify the login name for user2 to user2new, UID to 2000, home directory to /home/user2new, and login shell to /sbin/nologin.

 usermod -l user2new -m -d /home/user2new -s /sbin/nologin -u 2000 user2

2. Obtain the information for user2new from the passwd file for confirmation:

 grep user2new /etc/passwd

1. Remove user2new along with their home and mail spool directories:

 userdel -r user2new

2. Confirm the user deletion:

 grep user2new /etc/passwd

Lab: Create a User Account with No-Login Access (root)

3. Look at the current nologin users:

 grep nologin /etc/passwd

4. Create user4 with non-interactive shell file /sbin/nologin:

 useradd -s /sbin/nologin user4

5. Assign user1234 as password:

 echo user1234 | passwd --stdin user4

6. grep for user4 on the passwd file and verify the shell field containing the nologin shell:

 grep user4 /etc/passwd

7. Test this account by attempting to log in or switch:

 su - user4

Lab: Check User Login Attempts (root)

8. execute the last, lastb, and lastlog commands, and observe the outputs.

 last
 lastb
 lastlog

1. List the timestamps when the system was last rebooted.

 last | grep reboot

Lab 5-2: Verify User and Group Identity (user1)

2. run the who and w commands one at a time, and compare the outputs.

 who
 w

3. Execute the id and groups commands, and compare the outcomes. Examine the extra information that the id command shows, but not the groups command.

 id
 groups

Lab 5-3: Create Users (root)

4. create user account user4100 with UID 4100 and home directory under /usr.

 useradd -m -d /usr/user4100 -u 4100 user4100 

5. Create another user account user4200 with default attributes.

 useradd user4200

6. Assign both users a password.

 passwd user4100
 passwd user4200

7. View the contents of the passwd, shadow, group, and gshadow files, and observe what has been added for the two new users.

 cat /etc/passwd
 cat /etc/shadow
 cat /etc/group
 cat /etc/gshadow

Lab: Create User with Non-Interactive Shell (root)

8. Create user account user4300 with the disability of logging in.

 useradd -s /sbin/nologin user4300

9. Assign this user a password.

 passwd user4300

10. Try to log on with this user and see is displayed on the screen.

 su - user4300

11. View the content of the passwd file, and see what is there that prevents this user from logging in.

 cat /etc/passwd

Boot Process, Grub2, and Kernel

Linux Kernel

• controls everything on the system.
  • hardware
  • enforces security and access controls
  • runs, schedules, and manages processes and service daemons.
• comprised of several modules.
• new kernel must be installed or an existing kernel must be upgraded when the need arises from an application or functionality standpoint.
• core of the Linux system.
• manages
• hardware
• enforces security
• regulates access to the system

handles

• processes

• services

• application workloads.

• collection of software components called modules

  • Modules
    • device drivers that control hardware devices
      • processor
      • memory
      • storage
      • controller cards
      • peripheral equipment
    • interact with software subsystems
      • storage partitioning
      • file systems
      • networking
      • virtualization

• Some modules are static to the kernel and are integral to system functionality,

• Some modules are loaded dynamically as needed

• RHEL 8.0 and RHEL 8.2 are shipped with kernel version 4.18.0 (4.18.0-80 and 4.18.0-193 to be specific) for the 64-bit Intel/AMD processor architecture computers with single, multi-core, and multi-processor configurations.

• uname -m shows the architecture of the system.

• Kernel requires a rebuild when a new functionality is added or removed.

• functionality may be introduced by:

  • installing a new kernel
  • upgrading an existing one
  • installing a new hardware device, or
  • changing a critical system component.

• existing functionality that is no longer needed may be removed to make the overall footprint of the kernel smaller for improved performance and reduced memory utilization.

• tunable parameters are set that define a baseline for kernel functionality.

• Some parameters must be tuned for some applications and database software to be installed smoothly and operate properly.

• You can generate and store several custom kernels with varied configuration and required modules

• only one of them can be active at a time.

• different kernel may be loaded by interacting with GRUB2.

Kernel Packages

• set of core kernel packages that must be installed on the system at a minimum to make it work.
• Additional packages providing supplementary kernel support are also available.

Core and some add-on kernel packages.

Kernel Packages

• Packages containing the source code for RHEL 8 are also available for those who wish to customize and recompile the code

List kernel packages installed on the system:

 dnf list installed kernel*

• Shows six kernel packages that were loaded during the OS installation.

Analyzing Kernel Version

Check the version of the kernel running on the system to check for compatibility with an application or database:

 uname -r
 5.14.0-362.24.1.el9_3.x86_64

5 - Major version 14 - Major revision 0 - Kernel patch version 362 - Red Hat version el9 - Enterprise Linux 9 x86_64 - Processor architecture

Kernel Directory Structure

Kernel and its support files (noteworthy locations)

• /boot
• /proc
• /usr/lib/modules

/boot

• Created at system installation.
• Linux kernel
• GRUB2 configuration
• other kernel and boot support files.

View the /boot filesystem: ls -l /boot

• four files are for the kernel and
  • vmlinuz - main kernel file
  • initramfs - main kernel’s boot image
  • config - configuration
  • System.map - mapping
• two files for kernel rescue version
  • Have the current kernel version appended to their names.
  • have the string “rescue” embedded within their names

/boot/efi/ and /boot/grub2/

• hold bootloader information specific to firmware type used on the system: UEFI or BIOS.

List /boot/Grub2:

 [root@localhost ~]# ls -l /boot/grub2
 total 32
 -rw-r--r--. 1 root root   64 Feb 25 05:13 device.map
 drwxr-xr-x. 2 root root   25 Feb 25 05:13 fonts
 -rw-------. 1 root root 7049 Mar 21 04:47 grub.cfg
 -rw-------. 1 root root 1024 Mar 21 05:12 grubenv
 drwxr-xr-x. 2 root root 8192 Feb 25 05:13 i386-pc
 drwxr-xr-x. 2 root root 4096 Feb 25 05:13 locale

• grub.cfg
  • bootable kernel information
• grub.env
  • environment information that the kernel uses.

/boot/loader

• storage location for configuration of the running and rescue kernels.
• Configuration is stored in files under the /boot/loader/entries/

 [root@localhost ~]# ls -l /boot/loader/entries/
 total 12
 -rw-r--r--. 1 root root 484 Feb 25 05:13  8215ac7e45d34823b4dce2e258c3cc47-0-rescue.conf
 -rw-r--r--. 1 root root 460 Mar 16 06:17  8215ac7e45d34823b4dce2e258c3cc47-5.14.0-362.18.1.el9_3.x86_64.conf
 -rw-r--r--. 1 root root 459 Mar 16 06:17  8215ac7e45d34823b4dce2e258c3cc47-5.14.0-362.24.1.el9_3.x86_64.conf

• The files are named using the machine id of the system as stored in /etc/machine-id/ and the kernel version they are for.

content of the kernel file:

 [root@localhost entries]# cat  /boot/loader/entries/8215ac7e45d34823b4dce2e258c3cc47-5.14.0- 362.18.1.el9_3.x86_64.conf
 title Red Hat Enterprise Linux (5.14.0-362.18.1.el9_3.x86_64) 9.3  (Plow)
 version 5.14.0-362.18.1.el9_3.x86_64
 linux /vmlinuz-5.14.0-362.18.1.el9_3.x86_64
 initrd /initramfs-5.14.0-362.18.1.el9_3.x86_64.img $tuned_initrd
 options root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G- 64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root  rd.lvm.lv=rhel/swap rhgb quiet  $tuned_params
 grub_users $grub_users
 grub_arg --unrestricted
 grub_class rhel

• “title” is displayed on the bootloader screen
• “kernelopts” and “tuned_params” supply values to the booting kernel to control its behavior.

/proc

• Virtual, memory-based file system
• contents are created and updated in memory at system boot and during runtime
• destroyed at system shutdown
• current state of the kernel, which includes
  • hardware configuration
  • status information
    • processor
    • memory
    • storage
    • file systems
    • swap
    • processes
    • network interfaces
    • connections
    • routing
    • etc.
• Data kept in tens of thousands of zero-byte files organized in a hierarchy.

List /proc: ls -l /proc

• numerical subdirectories contain information about a specific process
  • process ID matches the subdirectory name.
• other files and subdirectories contain information, such as
  • memory segments for processes and
  • configuration data for system components.
  • can view the configuration in vim

Show selections from the cpuinfo and meminfo files that hold processor and memory information: cat/proc/cpuinfo && cat /proc/meminfo

• data used by top, ps, uname, free, uptime and w, to display information.

/usr/lib/modules/

• holds information about kernel modules.
• subdirectories are specific to the kernels installed on the system.

Long listing of /usr/lib/modules/ shows two installed kernels:

 [root@localhost entries]# ls -l /usr/lib/modules
 total 8
 drwxr-xr-x. 7 root root 4096 Mar 16 06:18 5.14.0-362.18.1.el9_3.x86_64
 drwxr-xr-x. 8 root root 4096 Mar 16 06:18 5.14.0-362.24.1.el9_3.x86_64

View /usr/lib/modules/5.14.0-362.18.1.el9_3.x86_64/:

 ls -l /usr/lib/modules/5.14.0-362.18.1.el9_3.x86_64

• Subdirectories hold module-specific information for the kernel version.

/lib/modules/4.18.0-80.el8.x86_64/kernel/drivers/

• stores modules for a variety of hardware and software components in various subdirectories:

 ls -l /usr/lib/modules/5.14.0-362.18.1.el9_3.x86_64/kernel/drivers

• Additional modules may be installed on the system to support more components.

Installing the Kernel

• requires extra care

• could leave your system in an unbootable or undesirable state.

• have the bootable medium handy prior to starting the kernel install process.

• By default, the dnf command adds a new kernel to the system, leaving the existing kernel(s) intact. It does not replace or overwrite existing kernel files.

• Always install a new version of the kernel instead of upgrading it.

• The upgrade process removes any existing kernel and replaces it with a new one.

• In case of a post-installation issue, you will not be able to revert to the old working kernel.

• Newer version of the kernel is typically required:

  • if an application needs to be deployed on the system that requires a different kernel to operate.
  • When deficiencies or bugs are identified in the existing kernel, it can hamper the kernel’s smooth operation.

• new kernel

  • addresses existing issues
  • adds bug fixes
  • security updates
  • new features
  • improved support for hardware devices.

• dnf is the preferred tool to install a kernel

• it resolves and installs any required dependencies automatically.

• rpm may be used but you must install any dependencies manually.

• Kernel packages for RHEL are available to subscribers on Red Hat’s Customer Portal.

Linux Boot Process

Multiple phases during the boot process.

• Starts selective services during its transition from one phase into another.
• Presents the administrator an opportunity to interact with a preboot program to boot the system into a non-default target.
• Pass an option to the kernel.
• Reset the lost or forgotten root user password.
• Launches a number of services during its transition to the default or specified target.
• boot process after the system has been powered up or restarted.
• lasts until all enabled services are started.
• login prompt will appear on the screen
• boot process is automatic, but you
  • may need to interact with it to take a non-default action, such as
    • booting an alternative kernel
    • booting into a non-default operational state
    • repairing the system
    • recovering from an unbootable state boot process on an x86 computer may be split into four major phases: (1) the firmware phase (2) the bootloader phase (3) the kernel phase (4) the initialization phase.

The system accomplishes these phases one after the other while performing and attempting to complete the tasks identified in each phase.

The Firmware Phase (BIOS and UEFI)

firmware:

• BIOS (Basic Input/Output System) or the UEFI (Unified Extensible Firmware Interface) code that is stored in flash memory on the x86-based system board.
• runs the Power-On-Self-Test (POST) to detect, test, and initialize the system hardware components.
• Installs appropriate drivers for the video hardware
• exhibits system messages on the screen.
• scans available storage devices to locate a boot device,
  • starting with a 512-byte image that contains
    • 446 bytes of the bootloader program,
    • 64 bytes for the partition table
    • last two bytes with the boot signature.
    • referred to as the Master Boot Record (MBR)
    • located on the first sector of the boot disk.
    • As soon as it discovers a usable boot device, it loads the bootloader into memory and passes control over to it.

BIOS

• small memory chip in the computer that stores
  • system date and time,
  • list and sequence of boot devices,
  • I/O configuration,
  • etc.
• configuration is customizable.
• hardware initialization phase
  • detecting and diagnosing peripheral devices.
  • runs the POST on the devices as it finds them
  • installs drivers for the graphics card and the attached monitor
  • begins exhibiting system messages on the video hardware.
  • discovers a usable boot device
  • loads the bootloader program into memory, and passes control over to it.

UEFI

• new 32/64-bit architecture-independent specification replacing BIOS.
• delivers enhanced boot and runtime services
• superior features such as speed over the legacy 16-bit BIOS.
• has its own device drivers
• able to mount and read extended file systems
• includes UEFI-compliant application tools
• supports one or more bootloader programs.
• comes with a boot manager that allows you to choose an alternative boot source.

Bootloader Phase

• Once the firmware phase is over and a boot device is detected,
• system loads a piece of software called bootloader that is located in the boot sector of the boot device.
• RHEL uses GRUB2 (GRand Unified Bootloader) version 2 as the bootloader program. GRUB2 supports both BIOS and UEFI firmware.

The primary job of the bootloader program is to

• spot the Linux kernel code in the /boot file system
• decompress it
• load it into memory based on the configuration defined in the /boot/grub2/grub.cfg file
• transfer control over to it to further the boot process.

UEFI-based systems,

• GRUB2 looks for the EFI system partition /boot/efi instead
• Runs the kernel based on the configuration defined in the /boot/efi/EFI/redhat/grub.efi file.

Kernel Phase

• kernel is the central program of the operating system, providing access to hardware and system services.
• After getting control from the bootloader, the kernel:

  • extracts the initial RAM disk (initrd) file system image found in the /boot file system into memory,

  • decompresses it

  • mounts it as read-only on /sysroot to serve as the temporary root file system

  • loads necessary modules from the initrd image to allow access to the physical disks and the partitions and file systems therein.

  • loads any required drivers to support the boot process.

  • Later, it unmounts the initrd image and mounts the actual physical root file system on / in read/write mode.

  • At this point, the necessary foundation has been built for the boot process to carry on and to start loading the enabled services.

  • kernel executes the systemd process with PID 1 and passes the control over to it.

Initialization Phase

• fourth and the last phase in the boot process.

• Systemd:

• takes control from the kernel and continues the boot process.

• is the default system initialization scheme used in RHEL 9.

• starts all enabled userspace system and network services

• Brings the system up to the preset boot target.

• A boot target is an operational level that is achieved after a series of services have been started to get to that state.

• system boot process is considered complete when all enabled services are operational for the boot target and users are able to log in to the system

GRUB2 Bootloader

• After the firmware phase has concluded:
• Bootloader presents a menu with a list of bootable kernels available on the system
• Waits for a predefined amount of time before it times out and boots the default kernel.
• You may want to interact with GRUB2 before the autoboot times out to boot with a non-default kernel boot to a different target, or customize the kernel boot string.
• Press a key before the timeout expires to interrupt the autoboot process and interact with GRUB2.
• autoboot countdown default value is 5 seconds.

Interacting with GRUB2

• GRUB2 main menu shows a list of bootable kernels at the top.
• Edit a selected kernel menu entry by pressing an e or go to the grub> command prompt by pressing a c.

edit mode,

• GRUB2 loads the configuration for the selected kernel entry from the /boot/grub2/grub.cfg file in an editor
• enables you to make a desired modification before booting the system.
• you can boot the system into a less capable operating target by adding “rescue”, “emergency”, or “3” to the end of the line that begins with the keyword “linux”,
• Press Ctrl+x when done to boot.
• one-time temporary change and it won’t touch the grub.cfg file.
• press ESC to discard the changes and return to the main menu.
• grub> command prompt appears when you press Ctrl+c while in the edit window
• or a c from the main menu.
• command mode: execute debugging, recovery, etc.
• view available commands by pressing the TAB key.

GRUB2 Commands

Understanding GRUB2 Configuration Files

/boot/grub2/grub.cfg

• Referenced at boot time.
• Generated automatically when a new kernel is installed or upgraded
• not advisable to modify it directly, as your changes will be overwritten. :

/etc/default/grub

• primary source file that is used to regenerate grub.cfg.
• Defines the directives that govern how GRUB2 should behave at boot time.
• Any changes made to the grub file will only take effect after the grub2-mkconfig utility has been executed
• Defines the directives that control the behavior of GRUB2 at boot time.
• Any changes in this file must be followed by the execution of the grub2-mkconfig command in order to be reflected in grub.cfg.

Default settings:

 [root@localhost default]# nl /etc/default/grub
     1	GRUB_TIMEOUT=5
     2	GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
     3	GRUB_DEFAULT=saved
     4	GRUB_DISABLE_SUBMENU=true
     5	GRUB_TERMINAL_OUTPUT="console"
     6	GRUB_CMDLINE_LINUX="crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet"
     7	GRUB_DISABLE_RECOVERY="true"
     8	GRUB_ENABLE_BLSCFG=true

• Default settings are good enough for normal system operation.

/boot/grub2/grub.cfg - /boot/efi/EFI/redhat/grub.cfg

• Main GRUB2 configuration file that supplies boot-time configuration information.
• located in the /boot/grub2/ on BIOS-based systems
• /boot/efi/EFI/redhat/ on UEFI-based systems.
• can be recreated manually with the grub2-mkconfig utility
• automatically regenerated when a new kernel is installed or upgraded.
• file will lose any previous manual changes made to it.

grub2-mkconfig command

• Uses the settings defined in helper scripts located in the /etc/grub.d directory.

 [root@localhost default]# ls -l /etc/grub.d
 total 104
 -rwxr-xr-x. 1 root root  9346 Jan  9 09:51 00_header
 -rwxr-xr-x. 1 root root  1046 Aug 29  2023 00_tuned
 -rwxr-xr-x. 1 root root   236 Jan  9 09:51 01_users
 -rwxr-xr-x. 1 root root   835 Jan  9 09:51  08_fallback_counting
 -rwxr-xr-x. 1 root root 19665 Jan  9 09:51 10_linux
 -rwxr-xr-x. 1 root root   833 Jan  9 09:51  10_reset_boot_success
 -rwxr-xr-x. 1 root root   892 Jan  9 09:51  12_menu_auto_hide
 -rwxr-xr-x. 1 root root   410 Jan  9 09:51  14_menu_show_once
 -rwxr-xr-x. 1 root root 13613 Jan  9 09:51  20_linux_xen
 -rwxr-xr-x. 1 root root  2562 Jan  9 09:51  20_ppc_terminfo
 -rwxr-xr-x. 1 root root 10869 Jan  9 09:51 30_os- prober
 -rwxr-xr-x. 1 root root  1122 Jan  9 09:51 30_uefi- firmware
 -rwxr-xr-x. 1 root root   218 Jan  9 09:51 40_custom
 -rwxr-xr-x. 1 root root   219 Jan  9 09:51 41_custom
 -rw-r--r--. 1 root root   483 Jan  9 09:51 README

00_header

• sets the GRUB2 environment 10_linux
• searches for all installed kernels on the same disk partition 30_os-prober
• searches for the presence of other operating systems 40_custom and 41_custom are to
• introduce any customization.
• like add custom entries to the boot menu.

grub.cfg file

• Sources /boot/grub2/grubenv for kernel options and other settings.

 [root@localhost grub2]# cat grubenv
 # GRUB Environment Block
 # WARNING: Do not edit this file by tools other than grub-editenv!!!
 saved_entry=8215ac7e45d34823b4dce2e258c3cc47-5.14.0- 362.24.1.el9_3.x86_64
 menu_auto_hide=1
 boot_success=0
 boot_indeterminate=0
 ############################################################################
 ##################################################### #######################

If a new kernel is installed:

• the existing kernel entries remain intact.
• All bootable kernels are listed in the GRUB2 menu
• any of the kernel entries can be selected to boot.

Lab: Change Default System Boot Timeout

• change the default system boot timeout value to 8 seconds persistently, and validate.

1. Edit the /etc/default/grub file and change the setting as follows: `GRUB_TIMEOUT=8

2. Execute the grub2-mkconfig command to reproduce grub.cfg:

grub2-mkconfig -o /boot/grub2/grub.cfg

3.Restart the system with sudo reboot and confirm the new timeout value when GRUB2 menu appears.

Booting into Specific Targets

RHEL

• boots into graphical target state by default if the Server with GUI software selection is made during installation.

• can also be directed to boot into non-default but less capable operating targets from the GRUB2 menu.

• offers emergency and rescue boot targets.

  • special target levels can be launched from the GRUB2 interface by
    • selecting a kernel
    • pressing e to enter the edit mode
    • appending the desired target name to the line that begins with the keyword “linux”.
    • Press ctrl+x to boot into the supplied target
    • Enter root password
    • reboot when you are done

• You must know how to boot a RHEL 9 system into a specific target from the GRUB2 menu to modify the fstab file or reset an unknown root user password.

Append “emergency” to the kernel line entry:

Other options:

• “rescue”
• “1”
• “s”
• “single”

Reset the root User Password

• Terminate the boot process at an early stage to be placed in a special debug shell in order to reset the root password.

1. Reboot or reset server1, and interact with GRUB2 by pressing a key before the autoboot times out. Highlight the default kernel entry in the GRUB2 menu and press e to enter the edit mode. Scroll down to the line entry that begins with the keyword “linux” and press the End key to go to the end of that line:

2. Modify this kernel string and append “rd.break” to the end of the line.

3. Press Ctrl+x when done to boot to the special shell. The system mounts the root file system read-only on the /sysroot directory. Make /sysroot appear as mounted on / using the chroot command:

 chroot sysroot

3. Remount the root file system in read/write mode for the passwd command to be able to modify the shadow file with a new password:

 mount -o remount,rw /

4. Enter a new password for root by invoking the passwd command:

 passwd

5. Create a hidden file called .autorelabel to instruct the operating system to run SELinux relabeling on all files, including the shadow file that was updated with the new root password, on the next reboot:

 touch .autorelabel

6. Issue the exit command to quit the chroot shell and then the reboot command to restart the system and boot it to the default target.

 exit
 reboot

Second method

Look into using init=/bin/bash for password recovery as a second method.

Boot Grub2 Kernel Labs

Lab: Enable Verbose System Boot

• Remove “quiet” from the end of the value of the variable GRUB_CMDLINE_LINUX in the /etc/default/grub file
• Run grub2-mkconfig to apply the update.
• Reboot the system and observe that the system now displays verbose information during the boot process.

Lab: Reset root User Password

• Reset the root user password by booting the system into emergency mode with SELinux disabled.
• Try to log in with root and enter the new password after the reboot.

Lab: Install New Kernel

• Check the current version of the kernel using the uname or rpm command.
• Download a higher version from the Red Hat Customer Portal or rpmfind.net and install it.
• Reboot the system and ensure the new kernel is listed on the bootloader menu. 5.14.0-427.35.1.el9_4.x86_64

Lab: Download and Install a New Kernel

• download the latest available kernel packages from the Red Hat Customer Portal
• install them using the dnf command.
• ensure that the existing kernel and its configuration remain intact.

• As an alternative (preferred) to downloading kernel packages individually and then installing them, you can follow the instructions provided in “Containers” chapter to register server1 with RHSM and run sudo dnf install kernel to install the latest kernel and all the dependencies collectively.

1. Check the version of the running kernel: uname -r

2. List the kernel packages currently installed: rpm -qa | grep kernel

3. Sign in to the Red Hat Customer Portaland click downloads.

4. Click “Red Hat Enterprise Linux 8” under “By Category”:

5. Click Packages and enter “kernel” in the Search bar to narrow the list of available packages:

6. Click “Download Latest” against the packages kernel, kernel-core, kernel-headers, kernel-modules, kernel-tools, and kernel-tools-libs to download them.

7. Once downloaded, move the packages to the /tmp directory using the mv command.

8. List the packages after moving them:

9. Install all the six packages at once using the dnf command: dnf install /tmp/kernel* -y

10. Confirm the installation alongside the previous version: sudo dnf list installed kernel*

11. The /boot/grub2/grubenv/ file now has the directive “saved_entry” set to the new kernel, which implies that this new kernel will boot up on the next system restart: sudo cat /boot/grub2/grubenv

12. Reboot the system. You will see the new kernel entry in the GRUB2 boot list at the top. The system will autoboot this new default kernel.

13. Run the uname command once the system has been booted up to confirm the loading of the new kernel: uname -r

14. View the contents of the version and cmdline files under /proc to verify the active kernel: `cat /proc/version

Or just dnf install kernel

Installation

Chapter 1 RHCSA Notes - Installation

About RHEL9

• Kernel 5.14
• Released May 2019
• Built along side of Fedora 34
• Installer program = Anaconda
• Default Bootloader = GRUB2
• Default automatic partitioning = /boot, /, swap
• Default desktop environment = GNOME

Installation Logs

/root/anaconda-ks.cfg Configuration entered

/var/log/anaconda/anaconda.log Contains informational, debug, and other general messages

/var/log/anaconda/journal.log Stores messages generated by many services and components during system installation

/var/log/anaconda/packaging.log Records messages generated by the dnf and rpm commands during software installation

/var/log/anaconda/program.log Captures messages generated by external programs

/var/log/anaconda/storage.log Records messages generated by storage modules

/var/log/anaconda/syslog Records messages related to the kernel

/var/log/anaconda/X.log Stores X Window System information

Note: Logs are created in /tmp then transferred over to /var/log/anaconda once the install is finished.

6 Virtual Consoles

• Monitor the installation process.
• View diagnostic messages.
• Discover and fix any issues encountered.
• Information displayed on the console screens is captured in installation log files.

Console 1 (Ctrl+Alt+F1)

• Main screen
• Select language
• Then switches default console to 6

Console 2 (Ctrl_Alt+F2)

• Shell interface for root user

Console 3 (Ctrl_Alt+F3)

• Displays install messages
• Stores them in /tmp/anaconda.log
• Info on detected hardware, etc.

Console 4 (Ctrl_Alt+F4)

• Shows storage messages
• Stores them in /tmp/storage.log

Console 5 (Ctrl_Alt+F5)

• Program messages
• Stores them in /tmp/program.log

Console 6 (Ctrl_Alt+F6)

• Default Graphical configuration and installation console screen

Console 1 Brings you to the log in screen. Console 2 does nothing. Console 3-6 all bring you to this log in screen

Lab Setup

VM1

server1.example.om 
192.168.0.110 
Memory: 2GB 
Storage: 1x20GB 
2 vCPUs

VM2

server2.exmple.om 
192.168.0.120 
Memory: 2048 
Storage: 1x20GB 
	4x250 MB data disk 
	1x5GB data disk 
2 vCPUs

Setting up VM1

Download the disc iso on Redhat’s website: https://access.redhat.com/downloads/content/rhel

Name RHEL9-VM1 Accept defaults.

Set drive to 20 gigs

press “spe” to hlt utooot

Selet instll

selet lnguge

onfigure timezone under time & dte

go into instlltion destintion nd li “done”

Networ nd hostnme settings

1. hnge the hostnme to server1.exmple.om
2. go to IPv4 settings in networ nd host nd set to mnul ddress: 192.168.0.110 netms 24 gtewy 192.168.0.1 then sve
3. slide the on/off swith in the min menu to on

Set root pssword

Chnge the oot order

1. power off the vm
2. Set oot sequene to hrd dis first then optil, remove floppy

Accept license terms and rete user

ssh from host os with putty

Issue these Commnds after set up

whoami 
hostname 
pwd 
logout or ctrl+d

Using cockpit

• Web gui for managing RHEL system
• Comes pre-installed
  • if not then install with:

  sudo dnf install cockpit

• must enable cockpit socket

  sudo systemctl enable --now cockpit.socket

• https://yourip:9090

Labs

Lab:

Enable cockpit.socket:

sudo systemctl enable --now cockpit.socket

In a web browser, go to https://<your-ip>:9090

Interaction

Looking to get started using Fedora or Red Hat operating systems?

This guide with get you started with the RHEL Graphical environment, file system, and essential commands to get started using Fedora, Red Hat, or other RHEL based systems.

RedHat (RHEL9) Graphical Environment (Wayland)

Redhat runs a graphical environment called Wayland. This is the foundation for running GUI apps. Wayland is a client/server display protocol. Which just means that the user (the client) requests a resource and the display manager (the server) serves those resources.

Wayland is slowly replaced and older display protocol called “X”. And has better graphics capabilities, features, and performance than X. And consists of a Display or Login manager and a Desktop environment.

The Display/ Login manager presents the login screen for users to log in. Once you log in, you get to the pre-configured desktop manager or Desktop Environment (DE). The GNOME Display Manager. (GDM)

File System and Directory Hierarchy

The standard for the Linux filesystem is the Filesystem Hierarchy Standard (FHS). Which describes locations, names, and permissions for a variety of file types and directories.

The directory structure starts at the root. Which is notated by a “/”. The top levels of the directory can be viewed by running the ls command on the root of the directory tree.

Size of the root file system is automatically determined by the installer program based on the available disk space when you select the default partitioning (it may be altered). Here is a listing of the contents of /:

$ ls /
afs  bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  snap  srv  sys  tmp  usr  var

Some of these directories hold static data such as commands, configuration files, kernel and device files, etc. And some hold dynamic data such as log and status files.

There are three major categories of file systems. They are:

1. disk-based
2. network-based
3. memory-based

Disk-based files systems are physical media such as a hard drive or a USB flash drive and store information persistently. The root and boot file systems and both disk-based and created automatically when you select the default partitioning.

Network-Based file systems are disk-based file systems that are shared over the network for remote access. (Also stored persistently)

Memory-Based filesystems are virtual. And are created automatically at system startup and destroyed when the system goes down.

Key Directories in /

/etc (extended text configuration)

This directory contains system configuration files for systemd, LVM, and user shell startup template files.

david@fedora:$ ls /etc
abrt                    dhcp                        gshadow-       locale.conf               openldap            request-key.d          sysctl.conf
adjtime                 DIR_COLORS                  gss            localtime                 opensc.conf         resolv.conf            sysctl.d
aliases                 DIR_COLORS.lightbgcolor     gssproxy       login.defs                opensc-x86_64.conf  rpc                    systemd
alsa                    dleyna-server-service.conf  host.conf      logrotate.conf            openvpn             rpm                    system-release
alternatives            dnf                         hostname       logrotate.d               opt                 rpmdevtools            system-release-cpe
anaconda                dnsmasq.conf                hosts          lvm                       os-release          rpmlint                tcsd.conf
anthy-unicode.conf      dnsmasq.d                   hp             machine-id                ostree              rsyncd.conf            terminfo
apk                     dracut.conf                 httpd          magic                     PackageKit          rwtab.d                thermald
appstream.conf          dracut.conf.d               idmapd.conf    mailcap                   pam.d               rygel.conf             timidity++.cfg
asound.conf             egl                         ImageMagick-7  makedumpfile.conf.sample  paperspecs          samba                  tmpfiles.d
audit                   environment                 init.d         man_db.conf               passwd              sane.d                 tpm2-tss
authselect              ethertypes                  inittab        mcelog                    passwd-             sasl2                  Trolltech.conf
avahi                   exports                     inputrc        mdevctl.d                 passwdqc.conf       security               trusted-key.key
bash_completion.d       exports.d                   ipp-usb        mercurial                 pinforc             selinux                ts.conf
bashrc                  favicon.png                 iproute2       mime.types                pkcs11              services               udev
bindresvport.blacklist  fedora-release              iscsi          mke2fs.conf               pkgconfig           sestatus.conf          udisks2
binfmt.d                filesystems                 issue          modprobe.d                pki                 sgml                   unbound
bluetooth               firefox                     issue.d        modules-load.d            plymouth            shadow                 updatedb.conf
brlapi.key              firewalld                   issue.net      mono                      pm                  shadow-                UPower
brltty                  flatpak                     java           motd                      polkit-1            shells                 uresourced.conf
brltty.conf             fonts                       jvm            motd.d                    popt.d              skel                   usb_modeswitch.conf
ceph                    fprintd.conf                jvm-common     mtab                      ppp                 sos                    vconsole.conf
chkconfig.d             fstab                       kdump          mtools.conf               printcap            speech-dispatcher      vdpau_wrapper.cfg
chromium                fuse.conf                   kdump.conf     my.cnf                    profile             ssh                    vimrc
chrony.conf             fwupd                       kernel         my.cnf.d                  profile.d           ssl                    virc
cifs-utils              gcrypt                      keys           nanorc                    protocols           sssd                   vmware-tools
containers              gdbinit                     keyutils       ndctl                     pulse               statetab.d             vpl
credstore               gdbinit.d                   krb5.conf      ndctl.conf.d              qemu                subgid                 vpnc
credstore.encrypted     gdm                         krb5.conf.d    netconfig                 qemu-ga             subgid-                vulkan
crypto-policies         geoclue                     ld.so.cache    NetworkManager            rc0.d               subuid                 wgetrc
crypttab                glvnd                       ld.so.conf     networks                  rc1.d               subuid-                whois.conf
csh.cshrc               gnupg                       ld.so.conf.d   nfs.conf                  rc2.d               subversion             wireplumber
csh.login               GREP_COLORS                 libaudit.conf  nfsmount.conf             rc3.d               sudo.conf              wpa_supplicant
cups                    groff                       libblockdev    nftables                  rc4.d               sudoers                X11
cupshelpers             group                       libibverbs.d   nilfs_cleanerd.conf       rc5.d               sudoers.d              xattr.conf
dbus-1                  group-                      libnl          npmrc                     rc6.d               swid                   xdg
dconf                   grub2.cfg                   libreport      nsswitch.conf             rc.d                swtpm-localca.conf     xml
debuginfod              grub2-efi.cfg               libssh         nvme                      reader.conf.d       swtpm-localca.options  yum.repos.d
default                 grub.d                      libuser.conf   odbc.ini                  redhat-release      swtpm_setup.conf       zfs-fuse
depmod.d                gshadow                     libvirt        odbcinst.ini              request-key.conf    sysconfig

As you can see, there is a lot of stuff here.

/root

This is the default home directory for the root user.

/mnt

/mnt is used to temporarily mount a file system.

/boot (Disk-Based)

This directory contains the Linux Kernel, as well as boot support and configuration files.

The size of /boot is determined by the installer program based on the available disk space when you select the default partitioning. It may be set to a different size during or after the installation.

/home

This is used to store user home directories and other user contents.

/opt (Optional)

This directory holds additional software that may need to be installed on the system. A sub directory is created for each installed software.

/usr (UNIX System Resources)

Holds most of the system files such as:

/usr/bin

Binary directory for user executable commands

/usr/sbin

System binaries required at boot and system administration commands not intended for execution by normal users. This directory is not included in the default search path for normal users.

/usr/lib and /usr/lib64

Contain shared library routines required by many commands/programs located in /usr/bin and /usr/sbin. These are used by kernel and other applications and programs for their successful installation and operation.

/usr/lib directory also stores system initialization and service management programs. /usr/lib64 contains 64-bit shared library routines.

/usr/include

Contains header files for the C programming language.

/usr/local:

This is a system administrator repository for storing commands and tools. These commands not generally included with the original Linux distribution.

/usr/src:

This directory is used to store source code.

Variable Directory (/var)

For data that frequently changes while the system is operational. Such as log, status, spool, lock, etc.

Common sub directories in /var:

/var/log

Contains most system log files. Such as boot logs, user logs, failed user logs, installation logs, cron logs, mail logs, etc.

/var/opt

Log, status, etc. for software installed in /opt.

/var/spool

Queued files such as print jobs, cron jobs, mail messages, etc.

/var/tmp

For large or longer term temporary files that need to survive system reboots. These are deleted if they are not accessed for a period of 30 days.

/tmp (Temporary)

Temporary files that survive system reboots. These are deleted after 10 days if they are not accessed. Programs may need to create temporary files in order to run.

/dev (Devices)

Contains Device nodes for physical and virtual devices. Linux kernel talks to devices through these nodes. Device nodes are automatically created and deleted by the udevd service. Which dynamically manages devices.

The two types of device files are character (or raw) and block.

Character devices

• Accessed serially.
• Console, serial printers, mice, keyboards, terminals, etc.

Block devices

• Accessed in a parallel fashion with data exchanged in blocks.
• Data on block devices is accessed randomly.
• Hard disk drives, optical drives, parallel printers, etc.

Procfs File System (/proc)

• Config and status info on:
  • Kernel, CPU, memory, disks, partitioning, file systems, networking, running processes, etc.
• Zero-length pseudo files point to data maintained by the kernel in the memory.
• Interface to interact with kernel-maintained information.
• Contents created in memory at system boot time, updated during runtime, and destroyed at system shutdown.

Runtime File System (/run)

• Data for processes running on the system.
  • /run/media
• Used to automatically mount external file systems (CD, DVD, flash USB.)
• Contents deleted at shutdown.

The System File System (/sys)

• Info about hardware devices, drivers, and some kernel features.
• Used by the kernel to load necessary support for devices, create device nodes in /dev, and configure devices.
• Auto-maintained.

Essential System Commands

tree command

• List hierarchy of directories and files.
• Column 2
  • Size.
• Column 3
  • Full path.

Options. tree -a :: Include hidden files in the output. tree -d :: Exclude files from the output. tree -h :: Displays file sizes in human-friendly format. tree -f :: Prints the full path for each file. tree -p :: Includes file permissions in the output

Labs

List only the directories (-d) in the root user’s home directory (/root).

tree -d /root

List files in the /etc/sysconfig directory along with their permissions, sizes in human-readable format, and full path.

tree -phf /etc/sysconfig

View tree man pages.

man tree

Prompt Symbols

• Hash sign (#) for root user.
• Dollar sign ($) for normal users.

Linux Commands

Two types of commands:

1. User
   • General purpose.
   • For any user.
2. System Management
   • Superuser.
   • Require elevated privileges.

Command Mechanics

Basic Syntax

• command option(s) argument(s)
• Many commands have preconfigured default options and arguments.

An option that starts with a single hyphen character (-la, for instance) ::: Short-option format.

• Two hyphen characters (–all, for instance) ::: Long-option format.

Listing Files and Directories

ls

• ll :: shortcut for ls -l

Flags ls -l ::: View long listing format. ls -d ::: View info on the specified directory. ls -h ::: Human readable format. ls -a ::: List all files, including the hidden files. ls -t ::: Sort output by date and time with the newest file first. ls -R ::: List contents recursively. ls -i ::: View inode information.

labs:

Show the long listing of only /usr without showing its contents.

ls -ld /usr

Display all files in the current directory with their sizes in human-friendly format.

ls -lh

List all files, including the hidden files, in the current directory with detailed information.

ls -la

Sort output by date and time with the newest file first.

ls -lt

List contents of the /etc directory recursively.

ls -R /etc

List directory info and the contents of a directory recursively.

ls -lR /etc

View ls manpage.

man ls

Printing Working Directory (pwd) command

• Returns the absolute path to a file or directory.

Navigating Directories

Absolute path (full path or a fully qualified pathname) :: Points to a file or directory in relation to the top of the directory tree. It always starts with the forward slash (/).

Relative path :: Points to a file or directory in relation to your current location.

Labs:

Go one level up into the parent directory using the relative path

cd ..

cd into /etc/sysconfig using the absolute path (/etc/sysconfig), or the relative path (etc/sysconfig)

cd /etc/sysconfig
cd /
cd etc/sysconfig

Change into the /usr/bin directory from /etc/sysconfig using relative or absolute path

cd /usr/bin

or

cd ../usr/bin

Return to your home directory

cd

or

cd ~

Use the absolute path to change into the home directory of the root user from /etc/sysconfig

cd ../../root

Switch between the current and previous directories

cd ..

use the cd command to print the home directory of the current user

cd -

Terminal Device Files

• Unique pseudo (or virtual) numbered device files that represent terminal sessions opened by users.
• Used to communicate with individual sessions.
• Stored in the /dev/pts/ (pseudo terminal session).
• Created when a user opens a new terminal session.
• Removed when a session closes.

tty command

• Identify current terminal session.
• Displays filename and location.
• Example: /dev/pts/0

Inspecting System’s Uptime and Processor Load

uptime command

• Displays:
  • System’s current time.
  • System up time.
  • Number of users currently logged in.
  • Average % CPU load over the past 1, 5, and 15 minutes.
    • 0.00 and 1.00 represent no load and full load.
    • Greater than 1.00 signifies excess load (over 100%).

clear command

• Clears the terminal screen and places the cursor at the top left of the screen.
• Can also use Ctrl+l for this command.

clear

Determining Command Path

Tools for identifying the absolute path of the command that will be executed when you run it without specifying its full path.

which, whereis, and type

show the full location of the ls command:

which command

• Show command aliases and location.

[root@server1 bin]# which ls
alias ls='ls --color=auto'
        /usr/bin/ls

whereis command

• Locates binary, source, and manual files for specified command name.

[root@server1 bin]# whereis ls
ls: /usr/bin/ls /usr/share/man/man1/ls.1.gz /usr/share/man/man1p/ls.1p.gz>)

type command

• Find whether the given command is an alias, shell built-in, file, function, or keyword.

type ls

Viewing System Information

uname command

• Show system operating system name.

[root@server1 bin]# uname
Linux

Flags uname -s ::: Show kernel name. uname -n ::: Show hostname. uname -r ::: Show kernel release. uname -v ::: Show kernel build date. uname -m ::: Show machine hardware name. uname -p ::: Show processor type. uname -i ::: Show hardware platform. uname -o ::: Show OS name. uname -a ::: Show kernel name, nodename, release, version, machine, and os.

uname

uname -a

Linux = Kernel name
server1.example.com = Hostname of the system
4.18.0-80.el8.x86_64 = Kernel release
#1 SMP Wed Mar 13 12:02:46 UTC 2019 = Date and time of the kernel built
x86_64 = Machine hardware name
x86_64 = Processor type
x86_64 = Hardware platform
GNU/Linux = Operating system name

Viewing CPU Specs

lscpu command

• Shows CPU:
  • Architecture.
  • Operating modes.
  • Vendor.
  • Family.
  • Model.
  • Speed.
  • Cache memory.
  • Virtualization support type.

lscpu

architecture of the CPU (x86_64)
supported modes of operation (32-bit and 64-bit)
sequence number of the CPU on this system (1)
threads per core (1)
cores per socket (1)
number of sockets (1)
vendor ID (GenuineIntel)
CPU model (58) model name (Intel …)
speed (2294.784 MHz)
amount and levels of cache memory (L1d, L1i, L2, and L3)

Getting Help

Manual pages

• Informational pages stored in /usr/share/man for each program.

See Using Man Pages for more.

man command

Flags: -k

• Perform a keyword search on manual pages.
• Must build the database with mandb first.

-f

• Equivalent to whatis.

Commands to find information/help about programs.

• apropos
• whatis
• info
• pinfo

/usr/share/doc/

• Directory with additional program documentation.

man passwd

line at the bottom indicates the line number of the manual page.

Man page navigation

h ::: Help on navigation. q ::: Quit the man page. Up arrow key ::: Scroll up one line. Enter or Down arrow key ::: Scroll down one line. f / Spacebar / Page down ::: Move forward one page. b / Page up ::: Move backward one page. d / u ::: Move down/up half a page. g / G ::: Move to the beginning / end of the man pages. :f ::: Display line number and bytes being viewed. /pattern ::: Searches forward for the specified pattern. ?pattern ::: Searches backward for the specified pattern. n / N ::: Find the next / previous occurrence of a pattern.

Headings in the Manual

NAME

• Name of the command or file with a short description. SYNOPSIS
• Syntax summary. DESCRIPTION
• Overview of the command or file. OPTIONS
• Options available for use. EXAMPLES
• Some examples to explain the usage. FILES
• A list of related files. SEE ALSO
• Reference to other manual pages or topics. BUGS
• Any reported bugs or issues. AUTHOR
• Contributor information.

Manual Sections

• Manual information is split into nine sections for organization and clarity.
• Man searches through each section until it finds a match.
  • Starts at section 1, then section 2, etc.
• Some commands in Linux also have a configuration file with an identical name.
  • Ex: passwd command in /usr/bin and the passwd file in /etc.
• Specify the section to find that page only.
  • Ex: man 5 passwd
• Section number is located at the top (header) of the page.

Section 1

• Refers to user commands. Section 4
• Contains special files. Section 5
• Describes file formats for many system configuration files. Section 8
• Documents system administration and privileged commands designed for the root user.

Run man man for more details.

Searching by Keyword

apropos command

• Search all sections of the manual pages and show a list of all entries matching the specified keyword in their names or descriptions.
• Must mandb command in order to build an indexed database of the manual pages prior to using.

mandb

mandb command

• Build an indexed database of the manual pages.

Lab: Find a forgotten XFS administration command.

man -k xfs
or
apropos xfs

Lab: Show a brief list of options and a description.

passwd --help
or
passwd -?

whatis command

• Same output as man -f
• Display one-line manual page descriptions.

info and pinfo Commands

• Display command detailed documentation.
• Divided into sections called nodes.
• Header:
  • Name of the file being displayed.
  • Names of the current, next, and previous nodes.
• Almost identical to each other.

info ls

u navigate efficiently.

info page Navigation

Down / Up arrows

• Move forward / backward one line. Spacebar / Del
• Move forward / backward one page. q
• Quit the info page. t
• Go to the top node of the document. s
• Search

Documentation in /usr/share/doc/

/usr/share/doc/

• Stores general documentation for installed packages under subdirectories that match their names.

ls -l /usr/share/doc/gzip

Online RHEL Documentation

• docs.redhat.com
• Release notes and guides on planning, installation, administration, security, storage management, virtualization, etc.
• access.redhat.com

Labs

Lab 2: Navigate Linux Directory Tree

Check your location in the directory tree.

pwd

Show file permissions in the current directory including the hidden files.

ls -la

Change directory into /etc and confirm the directory change.

cd /etc
pwd

Switch back to the directory where you were before, and run pwd again to verify.

cd -
pwd

Lab: Miscellaneous Tasks

Identify the terminal device file.

tty

Open a couple of terminal sessions. Compare the terminal numbers.

tty
/dev/pts/1

Execute the uptime command and analyze the system uptime and processor load information.

uptime

Use three commands to identify the location of the vgs command.

which vgs
whereis vgs
type vgs

Lab: Identify System and Kernel Information

1. Analyze the basic information about the system and kernel reported.

uname -a

Examine the key items relevant to the processor.

lscpu

Lab: Man

View man page for uname.

man uname

View the 5 man page section for the shadow.

man 5 shadow

Local File Systems and Swap

File Systems and File System Types

File systems

• Can be optimized, resized, mounted, and unmounted independently.
• Must be connected to the directory hierarchy in order to be accessed by users and applications.
• Mounting may be accomplished automatically at system boot or manually as required.
• Can be mounted or unmounted using their unique identifiers, labels, or device files.
• Each file system is created in a discrete partition, VDO volume, or logical volume.
• A typical production RHEL system usually has numerous file systems.
• During OS installation, only two file systems— / and /boot —are created in the default disk layout, but you can design a custom disk layout and construct separate containers to store dissimilar information.
• Typical additional file systems that may be created during an installation are /home, /opt, /tmp, /usr, and /var.
• / and /boot—are required for installation and booting.

Storing disparate data in distinct file systems versus storing all data in a single file system offers the following advantages:

• Make any file system accessible (mount) or inaccessible (unmount) to users independent of other file systems. This hides or reveals information contained in that file system.
• Perform file system repair activities on individual file systems
• Keep dissimilar data in separate file systems
• Optimize or tune each file system independently
• Grow or shrink a file system independent of other file systems

3 types of file systems:

• disk-based, network-based, and memory-based.

Disk-based

• Typically created on physical drives using SATA, USB, Fibre Channel, and other technologies.
• store information persistently

Network-based

• Essentially disk-based file systems shared over the network for remote access.
• store information persistently

Memory-based

• Virtual
• Created at system startup and destroyed when the system goes down.
• data saved in virtual file systems does not survive across system reboots.

Ext3

• Disk based
• The third generation of the extended filesystem.
• Metadata journaling for faster recovery
• Superior reliability
• Creation of up to 32,000 subdirectories
• supports larger file systems and bigger files than its predecessor

Ext4

• Disk based
• Successor to Ext3.
  • Supports all features of Ext3 in addition to:
    • Larger file system size
    • Bigger file size
    • Unlimited number of subdirectories
    • Metadata and quota journaling
    • Extended user attributes

XFS

• Disk based
• Highly scalable and high-performing 64-bit file system.
• Supports:
  • Metadata journaling for faster crash recovery
  • Online defragmentation, expansion, quota journaling, and extended user attributes
• default file system type in RHEL 9.

VFAT

• Disk based
• Used for post-Windows 95 file system formats on hard disks, USB drives, and floppy disks.

ISO9660

• Disk based
• Used for optical file systems such as CD and DVD.

NFS - (Network File System.)

• Network based
• Shared directory or file system for remote access by other Linux systems.

AutoFS (Auto File System)

• Network based
• NFS file system set to mount and unmount automatically on remote client systems.

Extended File Systems

• First generation is obsolete and is no longer supported
• Second, third, and fourth generations are currently available and supported.
• Fourth generation is the latest in the series and is superior in features and enhancements to its predecessors.
• Structure is built on a partition or logical volume at the time of file system creation.
• Structure is divided into two sets:
  • first set holds the file system’s metadata and it is very tiny.
    • Superblock
      • keeps vital file system structural information:
        • type
        • size
        • status of the file system
        • number of data blocks it contains
        • automatically replicated and maintained at various known locations throughout the file system.
        • primary superblock
          • superblock at the beginning of the file system
        • backup superblocks.
          • I used to supplant the corrupted or lost primary superblock to bring the file system back to its normal state.
          • Copy of the primary
    • Inode table
      • maintains a list of index node (inode) numbers.
      • Each file is assigned an inode number at the time of its creation, and the inode number
        • holds the file’s attributes such as:
          • type
          • permissions
          • ownership
          • owning group
          • size
          • last access/modification time
          • holds and keeps track of the pointers to the actual data blocks where the file contents are located.
  • second set stores the actual data, and it occupies almost the entire partition or the logical volume (VDO and LVM) space.\

journaling

• Supported by Ext3 and Ext4

• Recover swiftly after a system crash.

• keep track of recent changes in their metadata in a journal (or log).

• Each metadata update is written in its entirety to the journal after completion.

• The system peruses the journal of each extended file system following the reboot after a crash to determine if there are any errors

• Lets the system recover the file system rapidly using the latest metadata information stored in its journal.

• Ext3 that supports file systems up to 16TiB and files up to 2TiB,

• Ext4 supports very large file systems up to 1EiB (ExbiByte) and files up to 16TiB (TebiByte).

  • Uses a series of contiguous physical blocks on the hard disk called extents, resulting in improved read and write performance with reduced fragmentation.
  • Supports extended user attributes, metadata and quota journaling, etc.

XFS File System

• High-performing 64-bit extent-based journaling file system type.
• Allows the creation of file systems and files up to 8EiB (ExbiByte).
• Does not run file system checks at system boot
• Relies on you to use the xfs_repair utility to manually fix any issues.
• Sets the extended user attributes and certain mount options by default on new file systems.
• Enables defragmentation on mounted and active file systems to keep as much data in contiguous blocks as possible for faster access.
• Inability to shrink.
• Uses journaling for metadata operations, guaranteeing the consistency of the file system against abnormal or forced unmounting.
• Journal information is read and any pending metadata transactions are replayed when the XFS file system is remounted.
• Speedy input/output performance.
• Can be snapshot in a mounted, active state.

VFAT File System

• Extension to the legacy FAT file system (FAT16)
• Supports 255 characters in filenames including spaces and periods
• Does not differentiate between lowercase and uppercase letters.
• Primarily used on removable media, such as floppy and USB flash drives, for exchanging data between Linux and Windows.

ISO9660 File System

• For removable optical disc media such as CD/DVD drives

File System Management

File System Administration Commands

• Some are limited to their operations on the Extended, XFS, or VFAT file system type.
• Others are general and applicable to all file system types.

Extended File System Management Commands

e2label

• Modifies the label of a file system

tune2fs

• Tunes or displays file system attributes

XFS Management Commands

xfs_admin

• Tunes file system attributes

xfs_growfs

• Extends the size of a file system

xfs_info

• Exhibits information about a file system

General File System Commands

blkid

• Displays block device attributes including their UUIDs and labels

df

• Reports file system utilization

du

• Calculates disk usage of directories and file systems

fsadm

• Resizes a file system. This command is automatically invoked when the lvresize command is run with the -r switch.

lsblk

• Lists block devices and file systems and their attributes including their UUIDs and labels

mkfs

• Creates a file system. Use the -t option and specify ext3, ext4, vfat, or xfs file system type.

mount

• Mount a file system for user access.
• Display currently mounted file systems.

umount

• Unmount a file system.

Mounting and Unmounting File Systems

• File system must be connected to the directory structure at a desired attachment point, (mount point)
• A mount point in essence is any empty directory that is created and used for this purpose.

Use the mount command to view information about xfs mounted file systems:

[root@server2 ~]# mount -t xfs
/dev/mapper/rhel-root on / type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/sda1 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)

Mount command

• -t option
  • type.
• Mount a file system to a mount point.
• Performed with the root user privileges.
• Requires the absolute pathnames of the file system block device and the mount point name.
• Accepts the UUID or label of the file system in lieu of the block device name.
• Mount all or a specific type of file system.
• Upon successful mount, the kernel places an entry for the file system in the /proc/self/mounts file.
• A mount point should be empty when an attempt is made to mount a file system on it, otherwise the content of the mount point will hide.
• The mount point must not be in use or the mount attempt will fail.

auto (noauto)

• Mounts (does not mount) the file system when the -a option is specified

defaults

• Mounts a file system with all the default values (async, auto, rw, etc.)

_netdev

• Used for a file system that requires network connectivity in place before it can be mounted. NFS is an example.

remount

• Remounts an already mounted file system to enable or disable an option

ro (rw)

• Mounts a file system read-only read/write)

umount Command

• Detach a file system from the directory hierarchy and make it inaccessible to users and applications.
• Expects the absolute pathname to the block device containing the file system or its mount point name in order to detach it.
• Unmount all or a specific type of file system.
• Kernel removes the corresponding file system entry from the /proc/self/mounts file after it has been successfully disconnected.

Determining the UUID of a File System

• Extended and XFS file systems have a 128-bit (32 hexadecimal characters) UUID (Universally Unique IDentifier) assigned to it at the time of its creation.

• UUIDs assigned to vfat file systems are 32-bit (8 hexadecimal characters) in length.

• Assigning a UUID makes the file system unique among many other file systems that potentially exist on the system.

• Persistent across system reboots.

• Used by default in RHEL 9 in the /etc/fstab file for any file system that is created by the system in a standard partition.

• RHEL attempts to mount all file systems listed in the /etc/fstab file at reboots.

• Each file system has an associated device file and UUID, but may or may not have a corresponding label.

• The system checks for the presence of each file system’s device file, UUID, or label, and then attempts to mount it.

Determine the UUID of /boot

[root@server2 ~]# lsblk | grep boot
├─sda1          8:1    0    1G  0 part /boot

[root@server2 ~]# sudo xfs_admin -u /dev/sda1
UUID = 630568e1-608f-4603-9b97-e27f82c7d4b4

[root@server2 ~]# sudo blkid /dev/sda1
/dev/sda1: UUID="630568e1-608f-4603-9b97-e27f82c7d4b4" TYPE="xfs" PARTUUID="7dcb43e4-01"

[root@server2 ~]# sudo lsblk -f /dev/sda1
NAME FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda1 xfs                630568e1-608f-4603-9b97-e27f82c7d4b4  616.1M    36% /boot

For extended file systems, you can use the tune2fs, blkid, or lsblk commands to determine the UUID.

A UUID is also assigned to a file system that is created in a VDO or LVM volume; however, it need not be used in the fstab file, as the device files associated with the logical volumes are always unique and persistent.

Labeling a File System

• A unique label may be used instead of a UUID to keep the file system association with its device file exclusive and persistent across system reboots.
• A label is limited to a maximum of 12 characters on the XFS file system
• 16 characters on the Extended file system.
• By default, no labels are assigned to a file system at the time of its creation.

The /boot file system is located in the /dev/sda1 partition and its type is XFS. You can use the xfs_admin or the lsblk command as follows to determine its label:

[root@server2 ~]# sudo xfs_admin -l /dev/sda1
label = ""

[root@server2 ~]# sudo lsblk -f /dev/sda1
NAME FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda1 xfs                630568e1-608f-4603-9b97-e27f82c7d4b4  616.1M    36% /boot

• Not needed on a file system if you intend to use its UUID or if it is created in a logical volume
• You can still apply one using the xfs_admin command with the -L option.
• Labeling an XFS file system requires that the target file system be unmounted.

unmount /boot, set the label “bootfs” on its device file, and remount it:

[root@server2 ~]# sudo umount /boot
[root@server2 ~]# sudo xfs_admin -L bootfs /dev/sda1
writing all SBs
new label = "bootfs"

Confirm the new label by executing sudo xfs_admin -l /dev/sda1 or sudo lsblk -f /dev/sda1.

For extended file systems, you can use the e2label command to apply a label and the tune2fs, blkid, and lsblk commands to view and verify.

Now you can replace the UUID=\"22d05484-6ae1-4ef8-a37d-abab674a5e35" for /boot in the fstab file with LABEL=bootfs, and unmount and remount /boot as demonstrated above for confirmation.

[root@server2 ~]# mount /boot
mount: (hint) your fstab has been modified, but systemd still uses
       the old version; use 'systemctl daemon-reload' to reload.

A label may also be applied to a file system created in a logical volume; however, it is not recommended for use in the fstab file, as the device files for logical volumes are always unique and remain persistent across system reboots.

Automatically Mounting a File System at Reboots

/etc/fstab

• File systems defined in the /etc/fstab file are mounted automatically at reboots.
• Must contain proper and complete information for each listed file system.
• An incomplete or inaccurate entry might leave the system in an undesirable or unbootable state.
• Only need to specify one of the four attributes
  • Block device name
  • UUID
  • label
  • mount point
• The mount command obtains the rest of the information from this file.
• Only need to specify one of these attributes with the umount command to detach it from the directory hierarchy.
• Contains entries for file systems that are created at the time of installation.

[root@server2 ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sun Feb 25 12:11:47 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rhel-root   /                       xfs     defaults        0 0
LABEL=bootfs /boot                   xfs     defaults        0 0
/dev/mapper/rhel-swap   none                    swap    defaults        0 0