Linux Cheats-old

LINUX BOOT PROCESS
############################################################################
power on -> POST -> MBR [512 bytes: 446 bytes bootstrap code, 64 bytes partition table, 2 bytes magic] -> System.map -> GRUB -> vmlinuz [decompressed] -> root filesystem mounted read-only (RO) -> initrd -> init (start) -> /etc/inittab (complete) -> runlevel -> rc scripts (S = start, K = kill)
############################################################################

Q. How to reset the GRUB password and the root password in Linux?
Set up a GRUB password:
[root@Samsung ~]# grub-md5-crypt
Password:
Retype password:
$1$7vwaz1$NTMVsrwzG/Yz5qtF6u/zV.
[root@Samsung ~]#
 
[root@Samsung ~]# cat /boot/grub/grub.conf
default=0
timeout=5
password --md5 $1$7vwaz1$NTMVsrwzG/Yz5qtF6u/zV.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-274.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-274.el5 ro root=/dev/VolGroup00/LogVol00 rhgb 
        initrd /initrd-2.6.18-274.el5.img
[root@Samsung ~]#
 
Q. How to configure kdump in Linux ?
[root@Samsung 2015-06-07-15:12]# cat /etc/grub.conf
title Red Hat Enterprise Linux Server (2.6.18-274.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-274.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet crashkernel=64M@16M   <-- add crashkernel=64M@16M to the kernel line
        initrd /initrd-2.6.18-274.el5.img
[root@Samsung 2015-06-07-15:12]# cat /etc/kdump.conf
path /var/crash
core_collector makedumpfile -c --message-level 1
#/etc/init.d/kdump start

Q: - What is the role of the udev daemon?
The udev daemon creates and removes the device nodes (files) in the /dev/ directory as hardware appears and disappears.

Q: - Explain the architectures required for RPMs?
noarch   architecture-independent, can run on any architecture
i386     generic build for a 32-bit x86 system
i586     sometimes used when building kernels for older x86 processors
i686     Intel Pentium II, Pentium III, Pentium 4, AMD Athlon and AMD Duron systems (most RPMs for these architectures are built as i386, with the kernel built as i686 for optimal performance)
x86_64   64-bit processors such as AMD Athlon64, AMD Opteron and Intel EM64T
ia64     Intel Itanium
ppc      32-bit IBM POWER, IBM eServer pSeries and IBM eServer iSeries
s390x    64-bit IBM eServer System z

############################################################################
dmesg
############################################################################
The 'dmesg' command displays the messages from the kernel ring buffer. When the computer boots, the kernel (the core of the operating system) is loaded into memory and prints many messages while it detects hardware; from them we can learn the system architecture, CPU, attached devices, RAM and so on.

Search Detected Device or Particular String
[root@tecmint.com log]# dmesg | grep -i usb
[root@tecmint.com log]# dmesg | grep -i dma
[root@tecmint.com log]# dmesg | grep -i tty
[root@tecmint.com log]# dmesg | grep -i memory

Clear dmesg buffer logs
[root@tecmint.com log]# dmesg -c

Monitoring dmesg in real time
[root@tecmint.com log]# watch "dmesg | tail -20"

COMMAND
############################################################################
lsof (list open files): +D /var/log/ (everything under a directory); -c sshd (by process name); -u ^ram (by user, ^ = not); kill -9 `lsof -t -u ram` (kill every process owned by user ram)
lsof -i :25 (network connections on port 25); lsof -i tcp / lsof -i udp; lsof -N -u ram -a (NFS files opened by ram; -a = AND the conditions together)

top -n 1; mpstat (CPU); free -mt (memory); ps aux; ps -C java -L -o pid,pcpu,pmem,args (pcpu = CPU used, args = command line);
ps aux --sort pcpu or --sort pmem; grep -i '^search$' abc.txt (^ = line start, $ = line end); -v (invert match); -C 2 (2 lines of context above and below)

sar -b 1 10 (I/O and transfer rate statistics: rtps = read requests/s, wtps = write requests/s, bread/s = blocks read from disk/s, bwrtn/s = blocks written to disk/s)
sar -W 1 10 (swapping statistics: pages swapped in / out per second)
sar -u -f /var/log/sa/saDD (read a saved daily file, DD = day of month; -u = CPU, -r = memory)
pmap -d <process_id> (memory map of a process)
vmstat -p /dev/hda1 (partition statistics for /dev/hda1)
sed -e '/^$/d' grep1.txt (delete blank lines) ; awk '{ print $1 }' grep1.txt (print the first column)
tar -cvf data.tar data ; -z = gzip, -j = bzip2

find / -type f -atime -30 > filename.txt

User Administration:

#useradd abc
When useradd runs it reads 2 files and updates 4 files.
Config files
Reads:
|----/etc/login.defs
|----/etc/default/useradd
Updates:
|----/etc/passwd
|----/etc/group
|----/etc/shadow
|----/etc/gshadow

Example command :
#useradd -u 9181361 -g 3100000 -G 3100004 -c "Vallabh Darole" -m a181361 ; echo pass@1234 | passwd --stdin a181361

Fields in /etc/passwd (7 fields):
student1:x:501:501::/home/student1:/bin/bash

username:password_or_shadow_reference:uid:gid:description(GECOS):$HOME:$SHELL

Note: /etc/passwd is a world-readable file
Note: /etc/shadow now stores passwords in encrypted form
Note: /etc/shadow is NOT world-readable

2nd field of /etc/passwd:
 x        --- password stored elsewhere (/etc/shadow).
 *        --- user cannot log in.
 (empty)  --- user can log in without a password.

Fields in /etc/shadow (9 fields):
student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::
1. username
2. encrypted (hashed) password
3. days since the Unix epoch (01/01/1970) that the password was last changed
4. days before the password may be changed
5. days after which the password MUST be changed
6. days before the password expires that the user is warned
7. days after the password expires that the account is disabled
8. days since the Unix epoch that the account is disabled
9. reserved field (currently unused)
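The following added example (shell; not part of the original cheat sheet) puts the passwd and shadow field meanings above to use: it reads a passwd-style and a shadow-style file and reports the states an auditor looks for, an empty 2nd field in passwd (login without a password), a second uid-0 account, a locked or empty shadow hash, and a password older than the field-5 maximum. The file contents are constructed samples, not real accounts, so it never reads the host's /etc/shadow.

```shell
#!/bin/sh
# Added example, not code from the original cheat sheet: audit passwd/shadow-style
# records for the risky states described above. The sample files are constructed
# here so the script runs without touching the real /etc/passwd or /etc/shadow.

# audit_accounts PASSWD_FILE SHADOW_FILE -> one finding per line
audit_accounts() {
  today=$(( $(date +%s) / 86400 ))          # days since 1970-01-01, like shadow field 3
  awk -F: -v today="$today" '
    FNR == NR {                               # first file: 7-field passwd layout
      if ($2 == "")                print $1 ": passwd field empty (login without password)"
      else if ($2 == "*")          print $1 ": passwd field * (login disabled)"
      if ($3 == 0 && $1 != "root") print $1 ": uid 0 but not root"
      next
    }
    {                                         # second file: 9-field shadow layout
      if ($2 == "")                print $1 ": shadow hash empty"
      else if ($2 ~ /^[!*]/)       print $1 ": locked in shadow"
      else if ($5 != "" && $5 < 99999 && today - $3 > $5)
                                   print $1 ": password older than max age " $5
    }
  ' "$1" "$2"
}

# sample_audit: constructed data (not real accounts) exercising each branch
sample_audit() {
  dir=$(mktemp -d)
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
student1:x:501:501::/home/student1:/bin/bash
guest::502:502::/home/guest:/bin/bash
backup:x:0:503::/home/backup:/bin/bash
EOF
  cat > "$dir/shadow" <<'EOF'
root:$6$constructed$NOTAREALHASH:13891:0:99999:7:::
student1:$6$constructed$NOTAREALHASH:13891:0:90:7:::
guest::13891:0:99999:7:::
backup:!!:13891:0:99999:7:::
EOF
  audit_accounts "$dir/passwd" "$dir/shadow"
  rm -rf "$dir"
}

sample_audit
```

Run it against the real files with `audit_accounts /etc/passwd /etc/shadow` as root; the awk program only compares fields, so it is safe to run on a production box.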

Fields in /etc/fstab (6 fields)
# cat /etc/fstab
/dev/hdxx /mnt ext3 defaults 0 0

1st field: device
2nd field: mount point
3rd field: filesystem type
4th field: mount options ("defaults" = rw, dev, suid, exec, auto, nouser, async)
5th field: dump backup flag
6th field: fsck order (like chkdsk in Windows; 0 = do not check)

Cron
/etc/crontab
* * * * * /bin/bash -c "echo hello"
mins  hrs   DOM  MOY  DOW
00-59 00-23 1-31 1-12 0-7

crontab -l to view and crontab -e to edit.
Logs are stored in /var/log/cronlogs

File Types - Permissions
########################
drwxrwxrwx
1st character = file type: '-' = regular file, 'd' = directory; then three triplets: owner, group, everyone
r = read = 4
w = write = 2
x = execute = 1

chmod 4760 regextest.pl (-rwsrw----)
's' in the owner's execute position (setuid) means the program runs with the privileges of the file's owner
chmod 3777 /sales or chmod +t /sales (sticky bit; 3777 also sets the setgid bit)
Sticky Bit:
 Features:
  1. Ensures that users cannot delete other users' files in a shared directory
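Added example (shell, not from the original notes) that searches a tree for the two states just described: files with the setuid/setgid bit and world-writable directories that lack the sticky bit. The tree it scans is built under mktemp with constructed file names, including a regextest.pl at mode 4760 and a /sales-style directory at 3777 as above, so the output is deterministic and nothing else on the host is touched.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): locate the permission
# states discussed above in a directory tree. It flags setuid/setgid files
# and world-writable directories without the sticky bit, the two cases an
# auditor checks first.

# perm_audit DIR -> sorted "KIND path" lines, paths relative to DIR
perm_audit() (
  cd "$1" || exit 1
  {
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find . -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SETID /'
    # world-writable directory (o+w) without the sticky bit (t)
    find . -type d -perm -0002 ! -perm -1000 | sed 's/^/WW-NOSTICKY /'
  } | LC_ALL=C sort
)

# sample_perm_audit: constructed tree with one example of each state
sample_perm_audit() {
  dir=$(mktemp -d)
  mkdir -p "$dir/bin" "$dir/sales" "$dir/shared"
  : > "$dir/bin/regextest.pl"; chmod 4760 "$dir/bin/regextest.pl"  # -rwsrw---- (setuid)
  : > "$dir/bin/report";       chmod 2755 "$dir/bin/report"        # setgid
  : > "$dir/bin/plain";        chmod 0755 "$dir/bin/plain"         # ordinary, not flagged
  chmod 3777 "$dir/sales"      # world-writable WITH sticky bit: not flagged
  chmod 0777 "$dir/shared"     # world-writable, no sticky bit: flagged
  perm_audit "$dir"
  rm -rf "$dir"
}

sample_perm_audit
```

On a real system run `perm_audit /` (as root, and expect the standard setuid binaries such as passwd to appear); the interesting entries are the ones that are not shipped by a package.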

###Symlinks###
1. Provides shortcuts to files (including directories)
2. Provides hard links to inode (file system) locations
Soft Links:  ln -s source_file target
Hard Links:  ln  source_file target
Note: With soft links, if you change the name or location of the source file, you will break ALL of the symlinks (soft)
Hard Links:  Features:
  1. The ability to reference the same inode/hard drive location from multiple places within the same file system

NICE & RENICE
##############
Nice range: highest priority (-20) to lowest (19)
ps axl displays the current nice value (NI column) of all processes
nice -n 10 clamd (start clamd at nice 10)        renice -10 <pid> (set a running process to nice -10; negative values need root)

###################################################################
RPM
###################################################################
Query:
  1. rpm -qa - dumps all installed packages
  2. rpm -qi nano - dumps info. about the 'nano' package as it's recorded in the local RPM database
  3. rpm -qf /usr/bin/nano - dumps package membership info. for the 'nano' file
  4. rpm -qpi dhcp-3.0.5-7.el5.i386.rpm - dumps info. about the not-yet-installed 'dhcp' package, read from the local .rpm file
  5. rpm -ql package_name - returns all included files
Verify:
  1. rpm -Va - verifies ALL packages on the system, returning info. only if there are discrepancies from the original installation
  2. rpm -Vf /usr/bin/nano
Task: Change '/usr/bin/nano' then verify
SM5....T   /usr/bin/nano
S(file size), M(mode or permissions), 5(MD5), T(mod time)
  3. rpm -Vp nano
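Added example, not from the original cheat sheet: a small triage filter for rpm -V output in the SM5....T format shown above. It reports files whose size or digest changed (S, 5), files whose mode, owner or group changed (M, U, G), and files that are missing, while skipping config files (attribute 'c') that are expected to be edited. The input lines are constructed samples, not real verification output. Because rpm -V compares against the local RPM database, on a machine suspected of compromise verify with rpm -Vp against a known-good package file instead.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: triage 'rpm -Va' output.
# Each line is a status field (S M 5 D L U G T; '.' = unchanged, '?' = not
# testable), an optional attribute letter (c = config, d = doc, ...) and the
# path. Missing files are reported as "missing <path>".

# rpm_verify_triage: stdin = rpm -V lines, stdout = one finding per line
rpm_verify_triage() {
  awk '
    {
      flags = $1
      if (NF == 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
      if (flags == "missing") { print "MISSING " path; next }
      if (attr == "c") next                   # edited config files are expected
      if (flags ~ /[5S]/)       print "CONTENT " path " (" flags ")"
      else if (flags ~ /[MUG]/) print "OWNER/MODE " path " (" flags ")"
    }'
}

# sample_rpm_triage: constructed lines in rpm -V format (not real output)
sample_rpm_triage() {
  rpm_verify_triage <<'EOF'
SM5....T    /usr/bin/nano
S.5....T  c /etc/nanorc
.M......    /usr/bin/passwd
.......T  d /usr/share/doc/nano/README
missing     /usr/sbin/sshd
..5....T    /bin/ls
EOF
}

sample_rpm_triage
```

In practice the pipeline is `rpm -Va 2>/dev/null | rpm_verify_triage`; a changed digest on a binary under /bin, /sbin or /usr/bin that no update explains is the line to investigate first.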
Install: rpm -ivh dhcp-3.0.5-7.el5.i386.rpm
Remove: rpm -evh dhcp (takes the package name, not the file name)
Upgrade (installs or overwrites the existing package): rpm -Uvh dhcp-3.0.5-7.el5.i386.rpm
Freshen (updates an already installed package):
Note: will NOT install the package if it is not already installed
rpm -Fvh *.rpm - freshens the current version of a package
rpm stores info about packages in a database under /var/lib/rpm
$ rpm -K <file>.rpm (verifies the package signature and digests before installing)
$ rpm --rebuilddb

$ rpm -qa --last  ---> latest package

$ rpm -qdf /usr/bin/vmstat ---> to view on document location.
$ rpm -qpR crontabs-1.11-6.20121102git.el7.noarch.rpm --> To verify dependent packages. 

###################################################################
Disk Management:

Storage disk scanning.
Q1. How to scan a newly assigned SAN LUN on a Linux server without rebooting?
First find out how many disks are visible in "fdisk -l".
Find out how many host bus adapters are configured in the Linux box; "systool -c fc_host -v" lists the available FC hosts in the system.
# systool -c fc_host -v | grep -i "Device path"

# rescan each FC host and show any disks that appeared
for i in 0 1 2 3
do
  fdisk -l > /tmp/before_scan
  echo "1" > /sys/class/fc_host/host$i/issue_lip
  echo "- - -" > /sys/class/scsi_host/host$i/scan
  fdisk -l > /tmp/after_scan
  diff /tmp/before_scan /tmp/after_scan
done

Verify new disks are visible or not:
Compare both fdisk –l outputs.

HBA Details:
cat /sys/class/scsi_host/host3/fwrev
You can get the Fiber Channel addresses of the HBAs by typing the following commands:
# systool -c fc_host -v
fibre channel target WWN:
# systool -c fc_transport -v

Now we can see the WWN names of those targets as shown below, for each host (host10 and host7).
#systool -c fc_host -A "port_name"
http://www.theunixway.com/2013/11/how-to-find-hba-and-add-new-lun-in.html

#cat /sys/class/fc_host/host2/port_state
#cat /sys/class/scsi_host/host2/state

Multipathing:
multipath -X lists the multipath devices, where X is one of:
-l   display the current multipath configuration gathered from sysfs and the device mapper.
-ll  display the current multipath configuration gathered from sysfs, the device mapper, and all other available components on the system.
-f device  remove the named multipath device.
-F   remove all multipath devices.

When a new storage disk is added to the system:
# multipath -d -v 3 | grep blacklisted | grep '^[0-9]'
The output can be, for example:
360060480000290104094533031444438: blacklisted
360060480000290104094533031444438: blacklisted

This LUN is seen twice because of the two paths. This WWID needs to be added to the blacklist exception list in /etc/multipath.conf:
# vi /etc/multipath.conf
blacklist_exceptions
{
wwid 360060480000290104094533031444438
}


Execute multipath to see the device name:
# multipath
create: mpath1 (360060480000290104094533031444438) EMC,SYMMETRIX
[size=17G][features=0][hwhandler=0][n/a]
\_ round-robin 0 [prio=2][undef]

# vi /etc/multipath.conf

blacklist_exceptions {
        wwid "36005076802810d754800000000000485"
        wwid "36005076802810d754800000000000491"
}
multipaths {
        multipath {
                uid 0
                gid 0
                wwid "36005076802810d754800000000000485"
                mode 0600
        }
        multipath {
                uid 0
                gid 0
                wwid "36005076802810d754800000000000491"
                mode 0600
        }
}

/etc/init.d/multipathd reload
Reloading multipathd:                                      [  OK  ]

http://en.community.dell.com/techcenter/enterprise-solutions/w/oracle_solutions/4983.how-to-configure-multipath-on-enterprise-linux-6-x-for-dell-compellent-storage

# fdisk /dev/mapper/mpath1
Create the partition device maps for the new multipath device:

# /sbin/dmsetup ls --target multipath --exec "/sbin/kpartx -a -p p"

LVM Basic
pvcreate /dev/sda4 ; vgcreate vg1 /dev/sda4 ; lvcreate -L 100M -n lvm1 vg1 ; pvs, vgs, lvs
To extend:      lvextend -L +40M /dev/vg0/data        &&       resize2fs -p /dev/vg0/data
To reduce:      umount the file system, e2fsck -f /dev/vg0/data, resize2fs /dev/vg0/data 50M, lvreduce -L 50M /dev/vg0/data

To create a snapshot, sync it and remove it:
lvcreate -s -L 100M -n snap /dev/vg1/lvm1
mount /dev/vg1/lvm1 /backup
mount /dev/vg1/snap /snap

# if anything changed in the backup folder you can sync it with rsync:
rsync -avh /backup /snap
lvremove /dev/vg1/snap
rsync -arv user01@server-name:/Source/ /Destination

RSYNC TESTING:
Create a 1 GB file:
dd if=/dev/zero of=1g.bin bs=1G count=1

Create 262044 files:
[root@rhel7 data]# cat file-creation.sh
#!/bin/bash
# creates a.A.1.txt ... z.Z.9897.txt in the current directory
for a in {a..z}
do
  for b in {A..Z}
  do
    for f in {1..9897}
    do
      echo hello > "$a.$b.$f.txt"
    done
  done
done
[root@rhel7 data]#

#rsync -avlzhu --dry-run --stats /data/home /data1/
#time rsync -avlzhu  --stats --progress  /data/home /data1/

-v, --verbose               increase verbosity
-a, --archive               archive mode; equals -rlptgoD (no -H,-A,-X)
-l, --links                 copy symlinks as symlinks
-z, --compress              compress file data during the transfer
-h, --human-readable        output numbers in a human-readable format
-u, --update                skip files that are newer on the receiver
-n, --dry-run               perform a trial run with no changes made
    --stats                 give some file-transfer stats
    --progress              show progress during transfer


Moving a volume group to another system
========================================
* Unmount the FS.
* Mark the volume group inactive.
            #vgchange -an design
* Export the volume group
            #vgexport design
* Import the volume group
            #pvscan
            #vgimport design
            #vgimport design /dev/sdb1 /dev/sdb2
* Activate the volume group   
            #vgchange -ay design
            #mount /dev/design/users /mnt/design/users

Link: http://tldp.org/HOWTO/LVM-HOWTO/recipemovevgtonewsys.html

Mirror a newly added LUN on a Physical Server
pvcreate /dev/emcpowerbx1
vgextend vg01 /dev/emcpowerbx1

Create the Mirror:
lvconvert -m1 --mirrorlog core /dev/vg01/lvol0 /dev/emcpowerbx1
Remove the original disk from the mirror:
lvconvert -m0 /dev/vg01/lvol0 /dev/emcpowerj1

SOFTWARE RAID
#############
RAID 0 - data is written in stripes across two disks using two R/W heads; better performance, no fault tolerance
RAID 1 - two disks contain the same data, updated simultaneously; fault tolerance
RAID 5 - three or more disks with zero or more hot spares; a balance between fault tolerance and performance. Parity is stored across the disks in the array.
RAID 6 - striping with dual parity; tolerates a second disk failure in the array and also protects against data loss while the array is being rebuilt.

mdadm -C /dev/md0 --chunk=64 --level=5 --raid-devices=3 /dev/sd{b,c,d}1
mke2fs -b 4096 -E stride=48 /dev/md0
mdadm --remove /dev/md0 /dev/sdb1
mdadm --add /dev/md0 /dev/sdb1
mdadm --detail /dev/md0        or         cat /proc/mdstat
/etc/mdadm.conf         MAILADDR    atanu@banerjee.com

swap
###################
fdisk (partition type: swap = 82, ext3 = 83, lvm = 8e)
mkswap /dev/sda2
swapon /dev/sda2
swapoff /dev/sda2
swapon -s

dd if=/dev/zero of=/home1/swapfile1 bs=1M count=512   (512 MiB swap file)
chmod 600 /home1/swapfile1   (mkswap warns if the file is readable by others)
mkswap /home1/swapfile1
swapon /home1/swapfile1

How to mount ISO file in linux ?
mount -t iso9660 -o loop /home/tecmint/Fedora-18-i386-DVD.iso /mnt/iso/

How to take a file system out of read-only mode:
mount -o remount,rw /u01/

###########################################################################
NETWORK
###########################################################################
ifdown eth0 && mii-tool -v --force 100baseTx-FD eth0 && ifup eth0 (disable auto-negotiation, force 100 Mb/s full duplex)
ifdown eth0 && mii-tool -vr eth0 && ifup eth0 (restart auto-negotiation)
ethtool eth0 (link status); ethtool -t ethX [offline|online] (the offline self-test takes the interface down while it runs)
route add default gw 192.168.1.254 eth0
Static route: /etc/sysconfig/network-scripts/route-eth0 containing "192.168.100.0/24 via 10.234.13.1"
netstat -rn (returns the routing table)
netstat -nulp / netstat -ntlp (UDP / TCP listeners with the owning PID, without name resolution)
arp -a (returns MAC to IP mappings)
ifconfig eth0:1 192.168.75.11 (virtual IP address / alias)
ifconfig eth0:2 down (removes the virtual interface)
# /sbin/ip addr add 10.94.141.178/24 dev bond0

#ip a

 1. Scan the localhost for open ports
  a. nmap -v localhost

 2. Service detection scan - attempts to resolve services to names & versions
  a. nmap -v -sV 192.168.75.199

 3. OS Fingerprinting scan
  a. nmap -v -O 192.168.75.199

 4. Reporting
  a. nmap -v -oN filename.txt 192.168.75.1 - normal output

5. Check which eth* is on which network by sniffing each interface:
# tcpdump -i eth0 (repeat for each interface)

6. Type of network bonding.
mode=0 (balance-rr)
Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.
mode=1 (active-backup)
Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond's MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.
mode=2 (balance-xor)
XOR policy: Transmit based on [(source MAC address XOR'd with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.
mode=3 (broadcast)
Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.
mode=4 (802.3ad)
IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.
mode=5 (balance-tlb)
Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.
mode=6 (balance-alb)
Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.

7. How to configure network bonding.
# vi /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
IPADDR=192.168.1.20
NETWORK=192.168.1.0
NETMASK=255.255.255.0
USERCTL=no
BOOTPROTO=none
ONBOOT=yes

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none

# vi /etc/modprobe.conf
alias bond0 bonding
options bond0 mode=balance-alb miimon=100

# modprobe bonding
# service network restart
# cat /proc/net/bonding/bond0


####################################################################
YUM
###########################################################################
Q: - What is YUM?
YUM stands for Yellow dog Updater, Modified because it is based on YUP, the Yellow dog Updater. Where does the name Yellow dog come from? Yellow Dog is a version of Linux for the Power Architecture hardware and is RPM-based, just like Red Hat Enterprise Linux and Fedora. YUP, and later YUM, were written by the Linux community as a way to maintain an RPM-based system.

Q: - What are the advantages of YUM?
- Automatic resolution of software dependencies.
- Multiple software locations at one time.
- Ability to specify particular software versions or architectures.

Q: - How you will install software by YUM?
yum install <pkgname>

Q: - How to remove a software by YUM?
 yum remove <pkgname>

Local repo: install and start vsftpd ; createrepo -v /var/ftp/pub/Server/ ; create /etc/yum.repos.d/rhel.repo with baseurl=ftp://<ip>/pub/Server/, enabled=1, gpgcheck=0 (gpgcheck=0 skips package signature verification; use gpgcheck=1 with a gpgkey= entry whenever the repository is signed)
yum install yum-downloadonly ; plugin config in /etc/yum/pluginconf.d/downloadonly.conf ; # yum install --downloadonly --downloaddir=/tmp vsftpd

NFS
###
vi /etc/exports ; /nfs1   192.168.75.10(rw) ; restart the nfs service ; exportfs -v ;
rw,no_root_squash (lets the client's root user write to the /nfs1 export as root; the default root_squash maps root to nobody)
exportfs -a  (re-export everything in /etc/exports, i.e. update the export table)
mount -t nfs 192.168.75.199:/nfs1 /nfs1
# showmount -a  (lists clients and the exports they have mounted)

Port information.
ntp      123/udp     # Network Time Protocol
nfs      2049/tcp    nfsd
swat     901/tcp     # Samba Web Administration Tool
ssh      22
ftp      21
smtp     25
samba    139
RPC program ports (rpcinfo -p):
111    portmapper
1018   yppasswdd
614    ypserv

NIS
###
/etc/yp.conf (contains the NIS server name) ; /etc/nsswitch.conf (passwd: files nis ldap) ; /etc/sysconfig/authconfig (USENIS=yes)
Server: edit /var/yp/Makefile (all: passwd ...), edit /etc/sysconfig/network (NISDOMAIN=domain), start the ypserv and yppasswdd services, run /usr/lib/yp/ypinit -m, run authconfig (useful commands: ypcat passwd, cd /var/yp && make)

AUTOFS
######
/etc/auto.master:   /misc    /etc/auto.misc    --timeout 60
/etc/auto.misc:     data     -fstype=ext3      :/dev/hda6
For NIS home directories (wildcard map):
*           -rw,soft,intr                  192.168.1.1:/home/&

Apache Checking
##############
httpd -t (syntax check, prints "Syntax OK")    httpd -v (server version)    httpd -V (details including compile-time settings)
access_log status codes:
(200 OK, 202 Accepted, 400 Bad Request, 401 Authorization Required, 404 Not Found, 408 Request Timeout, 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 505 HTTP Version Not Supported)
error_log:
Apache-related errors (e.g. "File does not exist")
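Added example (shell; not part of the original page) that works through the access_log status codes above: one function counts responses per status code and another lists clients that have accumulated a given number of 401/403 responses, which is the first thing to look at when a log fills with Authorization Required entries. The log lines are constructed in common log format with documentation addresses; no real log is read.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: summarise Apache access_log
# status codes and spot clients piling up authorisation failures. Fields in
# common log format: $1 = client, $9 = status code, $10 = bytes.

# status_summary: stdin = access_log lines, stdout = "<code> <count>" sorted by code
status_summary() {
  awk '{ n[$9]++ } END { for (c in n) print c, n[c] }' | sort
}

# auth_failures_by_client LIMIT: clients with at least LIMIT 401/403 responses
auth_failures_by_client() {
  awk -v limit="$1" '
    $9 == 401 || $9 == 403 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }' | sort
}

# constructed sample log (documentation IP ranges, not real traffic)
SAMPLE_LOG='192.0.2.10 - - [07/Jun/2015:15:12:01 +0000] "GET / HTTP/1.1" 200 2326
192.0.2.10 - - [07/Jun/2015:15:12:02 +0000] "GET /admin HTTP/1.1" 401 512
192.0.2.10 - - [07/Jun/2015:15:12:03 +0000] "GET /admin HTTP/1.1" 401 512
192.0.2.10 - - [07/Jun/2015:15:12:04 +0000] "GET /admin HTTP/1.1" 401 512
198.51.100.7 - - [07/Jun/2015:15:12:05 +0000] "GET /missing HTTP/1.1" 404 209
198.51.100.7 - - [07/Jun/2015:15:12:06 +0000] "POST /app HTTP/1.1" 500 611
203.0.113.5 - - [07/Jun/2015:15:12:07 +0000] "GET /admin HTTP/1.1" 401 512'

sample_status_summary() { printf '%s\n' "$SAMPLE_LOG" | status_summary; }
sample_auth_failures()  { printf '%s\n' "$SAMPLE_LOG" | auth_failures_by_client 3; }

sample_status_summary
sample_auth_failures
```

On a live server the same functions read the log directly, e.g. `status_summary < /var/log/httpd/access_log` or `tail -1000 /var/log/httpd/access_log | auth_failures_by_client 20`; adjust $9 if the LogFormat adds fields before the status code.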

VSFTPD
#######
/etc/vsftpd/vsftpd.conf and /etc/vsftpd.user_list: with userlist_enable=YES (default) the users listed in the file are denied before the password prompt; with userlist_deny=NO only the users listed in the file are allowed.

KICKSTART
###########
/etc/dhcpd.conf: allow booting; allow bootp; next-server <IP>; filename "linux-install/pxelinux.0"; range
Configure an NFS, FTP or HTTP server, create the ks.cfg file, install the TFTP server and start all of those services.
PXE boot configuration: system-config-netboot; the first time click "Network install", otherwise click "Configure"; select the installation protocol, the server name or IP and the location of the installation files, then OK. The vmlinuz and initrd images will be created in the /tftpboot/linux-install/<distribution> directory.

#######################################################################
REDHAT CLUSTER
#######################################################################

To check cluster status?
#clustat

clusvcadm -Z web-cluster (-Z freeze; -U unfreeze; -d disable; -e enable; -l lock; -u unlock)
clusvcadm -r web-cluster -m node01.example.com

Start services (in order): cman, qdisk, clvmd, gfs, rgmanager

Cluster Quorum Example
Required Votes for quorum=(expected_votes/2)+1

Q1. What is cman in Red Hat Cluster?
• This is an abbreviation used for Cluster Manager.
• CMAN is a distributed cluster manager and runs in each cluster node.
• It is responsible for monitoring, heartbeat, quorum, voting and communication between cluster nodes.
• CMAN keeps track of cluster quorum by monitoring the count of cluster nodes.

Q2. What are the different port numbers used in Red Hat Cluster?
IP port no.    Protocol   Component
5404, 5405     UDP        corosync/cman
11111          TCP        ricci
21064          TCP        dlm (Distributed Lock Manager)
16851          TCP        modclusterd
8084           TCP        luci
4196, 4197     TCP        rgmanager

Q3. What is the command used to relocate a service to another node?
clusvcadm -r service_name -m node_name

Q4. What are the various types of fencing supported by High Availability Add On?
• Power fencing — A fencing method that uses a power controller to power off an inoperable node.
• Storage fencing — A fencing method that disables the Fibre Channel port that connects storage to an inoperable node.
• Other fencing — Several other fencing methods that disable I/O or power of an inoperable node, including IBM Bladecenters, PAP, DRAC/MC, HP ILO, IPMI, IBM RSA II, and others.

Q5. What is rgmanager in Red Hat Cluster and its use?
• This is a service termed as Resource Group Manager
• RGManager manages and provides failover capabilities for collections of cluster resources called services, resource groups, or resource trees
• It allows administrators to define, configure, and monitor cluster services. In the event of a node failure, rgmanager will relocate the clustered service to another node with minimal service disruption

Q6. What is Cluster Quorum?
• Quorum is a voting algorithm used by CMAN.
• CMAN keeps track of cluster quorum by monitoring the number of nodes in the cluster.
• If more than half of the members of a cluster are active, the cluster is said to be in quorum.
• If half or fewer of the members are active, the cluster is said to be down and all cluster activities are stopped.
• Quorum is defined as the minimum set of hosts required in order to provide service and is used to prevent split-brain situations.
• The quorum algorithm used by the RHCS cluster is called "simple majority quorum", which means that more than half of the hosts must be online and communicating in order to provide service.

Q7. What is the order in which you will start the Red Hat Cluster services?
service cman start
service qdiskd start
service clvmd start
service gfs start
service rgmanager start

Q8. What can cause a node to leave the cluster?
A node may leave the cluster for many reasons. Among them:
1. Shutdown: cman_tool leave was run on this node.
2. Killed by another node: the node was killed either by cman_tool kill or by qdisk.
3. Panic: cman failed to allocate memory for a critical data structure or suffered some other very bad internal failure.
4. Removed: like 1, but the remainder of the cluster can adjust quorum downwards to keep working.
5. Membership rejected: the node attempted to join a cluster but its cluster.conf file did not match that of the other nodes. To find the real reason for this you need to examine the syslog of all the valid cluster members to find out why it was rejected.
6. Inconsistent cluster view: this is usually indicative of a bug, but it can also happen if the network is extremely unreliable.
7. Missed too many heartbeats: this means what it says. All nodes are expected to broadcast a heartbeat every 5 seconds (by default). If none is received within

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Cluster_Administration/ch-config-ccs-CA.html
Q9. Creating the Cluster Configuration File on a Local System
#ccs -h host [options]

Q10. To create and edit a cluster configuration file on a local system, use the -f option of the ccs command
#ccs -f file [options]
#ccs -h host -f file --setconf
After you have created or edited a cluster configuration file on one of the nodes in the cluster, you need to propagate that same file to all of the cluster nodes and activate the configuration.
Use the following command to propagate and activate a cluster configuration file:
#ccs -h host --sync --activate
Q11. To verify that all of the nodes specified in the hosts cluster configuration file have the identical cluster configuration file, execute the following command:
#ccs -h host --checkconf

Q12. If you have created or edited a configuration file on a local node, use the following command to send that file to one of the nodes in the cluster:
#ccs -f file -h host --setconf

Q13. To verify that all of the nodes specified in the local file have the identical cluster configuration file, execute the following command:
#ccs -f file --checkconf

Q14. Which is configuration file of redhat cluster ?
#/etc/cluster/cluster.conf

Q15. Validate the file against the cluster schema (cluster.rng) by running the ccs_config_validate command. For example:
[root@example-01 ~]# ccs_config_validate
Configuration validates

Q16. At any cluster node, run cman_tool nodes to verify that the nodes are functioning as members of the cluster (signified by "M" in the status column, "Sts"). For example:
[root@example-01 ~]# cman_tool nodes
Node  Sts   Inc   Joined               Name
   1   M    548   2010-09-28 10:52:21  node-01.example.com
   2   M    548   2010-09-28 10:52:21  node-02.example.com
   3   M    544   2010-09-28 10:52:21  node-03.example.com

gfs_mkfs -p lock_dlm -t cluster01:gfsdata1 -j 2 /dev/g-vg1/lvm-G
mount /dev/g-vg1/lvm-G /d1/
gfs_tool df /gfsdata1/
lvextend -L +200m /dev/g-vg1/lvm-G
gfs_grow -v /d1

############################################################################
VCS
############################################################################

How do you troubleshoot if VCS cluster is not starting ?

Scenario:
Two nodes are clustered with Veritas Cluster and you have rebooted one of the servers. The rebooted node has come up but the VCS cluster (the HAD daemon) was not started. You try to start the cluster using the "hastart" command, but it does not work. How do you troubleshoot?

Here we go.
1. Check the cluster status after the server reboot using the "hastatus" command.

# hastatus -sum |head
Cannot connect to VCS engine

2. Try to start the cluster using hastart. No luck? Still getting the same message as above? Proceed with step 3.

3. Check the LLT and GAB services. If they are in the disabled state, just enable them.

[root@UA~]# svcs -a |egrep "llt|gab"
online         Jun_27   svc:/system/llt:default
online         Jun_27   svc:/system/gab:default
[root@UA~]#

4. Check the LLT (heartbeat) status. Here the LLT links look good.

[root@UA ~]# lltstat -nvv |head
LLT node information:
    Node                 State    Link  Status  Address
     0 UA2         OPEN
                                  HB1   UP      00:91:28:99:74:89
                                  HB2   UP      00:91:28:99:74:BF
   * 1 UA          OPEN
                                  HB1   UP      00:71:28:9C:2E:OF
                                  HB2   UP      00:71:28:9C:2F:9F
[root@UA ~]#

5. If LLT is down, try to configure the private links using the "lltconfig -c" command. If you still have an issue with the LLT links, check with the network team to fix the heartbeat links.

6. Check the GAB status using the "gabconfig -a" command.

[root@UA ~]# gabconfig -a
GAB Port Memberships
===============================================================
[root@UA ~]#

7. As per the above command output, memberships are not seeded. We have to seed the membership manually using the gabconfig command.

[root@UA ~]# gabconfig -cx
[root@UA ~]#

8. Check the GAB status now.

[root@UA ~]# gabconfig -a
GAB Port Memberships
===============================================================
Port a gen   6d0607 membership 01
[root@UA ~]#

The above output indicates that GAB (port a) is online on both nodes (0, 1). To know which node is "0" and which is "1", refer to the /etc/llthosts file.

9. Try to start the cluster using the hastart command. It should work now.

10.Check the Membership status using gabconfig.

[root@UA ~]# gabconfig -a
GAB Port Memberships
===============================================================
Port a gen   6d0607 membership 01
Port h gen   6d060b membership 01
[root@UA ~]#

The above output indicates that HAD (port h) is online on both nodes (0, 1).

11.Check the cluster status using hastatus command. System should be back to business.

[root@UA ~]# hastatus -sum |head
-- SYSTEM STATE
-- System               State                Frozen
A  UA2                 RUNNING              0
A  UA                  RUNNING              0

-- GROUP STATE
-- Group           System       Probed     AutoDisabled    State
B  ClusterService  UA             Y          N             ONLINE
B  ClusterService  UA2            Y          N             OFFLINE

[root@UA ~]#

This is a very small thing, but many VCS beginners fail to fix this start-up issue. In interviews too, they are not able to say: "If HAD does not start with the hastart command, I will check the LLT and GAB services, fix any issues with them, and then start the cluster using hastart."

hastart -force|-stale system_name
hasys -force system_name
hastop -local|-all|-force|-evacuate
hastop -sys system_name

hastatus -sum
---------
No GAB membership:
#hastatus -sum
gabconfig -a
lltstat -nvv | more
cat /etc/gabtab
gabconfig -c -n 2

Add the following resources and modify their attributes.
1.         DiskGroup: DG name
2.         Mount: block device, FS type, mount point
3.         Create the dependency between the two resources

1. Create the DG with VxVM.
2. Create the service group.
            a.         #haconf -makerw
            b.         #hagrp -add newgroup
            c.         #hagrp -modify newgroup SystemList host1 0 host2 1
            d.         #hagrp -modify newgroup AutoStartList host1
3. Create the DiskGroup resource and modify its attributes.
            a.         #hares -add Rdatadg DiskGroup newgroup
            b.         #hares -modify Rdatadg DiskGroup datadg
4. Create the Mount resource and modify its attributes.
            a.         #hares -add Res_vol01_mnt Mount newgroup
            b.         #hares -modify Res_vol01_mnt BlockDevice /dev/vx/dsk/datadg/vol01
            c.         #hares -modify Res_vol01_mnt FSType vxfs
            d.         #hares -modify Res_vol01_mnt MountPoint /vol
            e.         #hares -modify Res_vol01_mnt FsckOpt %-y
5. Link the Mount resource to the DiskGroup resource (the mount depends on the disk group).
            a.         #hares -link Res_vol01_mnt Rdatadg
6. Enable the resources and close the configuration (the -dump -makero writes main.cf and returns it to read-only).
            a.         # hagrp -enableresources newgroup
            b.         # haconf -dump -makero

1. How do you check the status of Veritas Cluster Server?
Ans: # hastatus -sum
2. Which is the important config file for VCS and where is it located?
Ans: main.cf is the main configuration file for VCS; it is located in /etc/VRTSvcs/conf/config.
3. Which command checks the syntax of main.cf?
Ans: # hacf -verify /etc/VRTSvcs/conf/config
4. How do you switch over a service group in VCS?
Ans: # hagrp -switch <service group> -to <system>
5. How do you bring a service group online in VCS?
Ans: # hagrp -online <service group> -sys <system>
6. How do you add a user with cluster Administrator/Operator access?
Ans: # hauser -add <user> -priv Administrator|Operator
7. How do you display the status of a service group on a system?
Ans: # hagrp -state <service group> -sys <system>
8. How do you display the resources of a specific service group?
Ans: # hagrp -resources <service group>
9. How do you display the service group dependencies?
Ans: # hagrp -dep <service group>
10. How do you display resource dependencies?
Ans: # hares -dep <resource name>
11. How do you list the systems in the cluster?
Ans: # hasys -list
12. How do you display the status of cluster faults, including faulted service groups, systems, links and agents?
Ans: # hastatus -summary
13. How do you add a service group to a cluster?
Ans: # hagrp -add <service group>
14. How do you delete a service group from a cluster?
Ans: # hagrp -delete <service group>
15. How do you freeze a service group?
Ans: # hagrp -freeze <service group> -persistent
16. How do you disable a service group?
Ans: # hagrp -disable <service group> -sys <system name>
Disabling the SG stops monitoring of the resources in the SG, and the SG cannot be brought online. Only when the SG is enabled can its resources be brought online.
Q-17   How do you access the Cluster Manager Java Console?
Ans:   #/opt/VRTSvcs/bin/hagui
Q-18   What is the main daemon of VCS?
Ans:   had (high availability daemon), which is started by the hashadow daemon.
Q-19   What is GAB?
Ans:   Group Membership Services/Atomic Broadcast (GAB) is responsible for cluster membership and reliable cluster communication. GAB has two major functions:
          1: Cluster membership
GAB maintains cluster membership by receiving heartbeats from LLT. When a system no longer receives heartbeats from a cluster peer, GAB marks the node as down.
          2: Cluster communication
GAB provides guaranteed delivery of messages to all systems. The atomic broadcast functionality is used by HAD to ensure that all systems in the cluster receive configuration change messages.
Q-20   What is LLT?
Ans:   Low Latency Transport (LLT) is used for all cluster communication. LLT has two major functions:
          1: Traffic distribution
LLT works as the backbone for GAB. LLT distributes all inter-system communication across all configured network links. If a link fails, traffic is directed to the remaining links.
          2: Heartbeat
                    LLT is responsible for sending and receiving heartbeat signals.
Q-21   How many network links are supported in LLT?
Ans: 8 links are supported.
Q-22   How many nodes can join a cluster?
Ans:   A maximum of 32 nodes is supported in VCS.
Q-23   How do you shut down Veritas Cluster Server from the command line, leaving the applications running?
Ans: # hastop -all -force
Troubleshooting :
Q-24 HAD stopped and does not restart.
Ans:
1.     hastatus -sum
2.     cd /etc/VRTSvcs/conf/config
3.     hacf -verify .
4.     mv main.cf.previous main.cf
5.     hacf -verify .
6.     hasys -force node01
Q-25 How do you troubleshoot when the VCS cluster is not starting?
1.     Check the cluster status after the server reboot using the hastatus command.
# hastatus -sum |head
Cannot connect to VCS engine
2. Try to start the cluster using hastart. No luck? Still getting the same message as above? Proceed with step 3.
3. Check the LLT and GAB services. If they are in the disabled state, enable them.
[root@UA~]# svcs -a |egrep "llt|gab"
online         Jun_27   svc:/system/llt:default
online         Jun_27   svc:/system/gab:default
[root@UA~]#
4. Check the LLT (heartbeat) status. Here the LLT links look good.
[root@UA ~]# lltstat -nvv |head
LLT node information:
    Node                 State    Link  Status  Address
     0 UA2         OPEN
                                  HB1   UP      00:91:28:99:74:89
                                  HB2   UP      00:91:28:99:74:BF
   * 1 UA          OPEN
                                  HB1   UP      00:71:28:9C:2E:OF
                                  HB2   UP      00:71:28:9C:2F:9F
5. If LLT is down, try to configure the private links using the "lltconfig -c" command. If the LLT links still have issues, check with the network team to fix the heartbeat links.

6. Check the GAB status using the "gabconfig -a" command.
[root@UA ~]# gabconfig -a
GAB Port Memberships
===============================================================
7. As the above output shows, memberships are not seeded. Seed the membership manually using gabconfig. Note that -x overrides the seed count in /etc/gabtab, so use it only when you are sure no other cluster node is already running; otherwise you risk two independent memberships (split brain).
[root@UA ~]# gabconfig -cx
8. Check the GAB status now.
[root@UA ~]# gabconfig -a
GAB Port Memberships
===============================================================
Port a gen   6d0607 membership 01
The above output indicates that GAB (port a) is online on both nodes (0, 1). To know which node is "0" and which is "1", refer to /etc/llthosts.

9. Try to start the cluster using hastart. It should work now.

10. Check the membership status using gabconfig.
[root@UA ~]# gabconfig -a
GAB Port Memberships
===============================================================
Port a gen   6d0607 membership 01
Port h gen   6d060b membership 01
[root@UA ~]#
The above output indicates that HAD (port h) is online on both nodes (0, 1).

11. Check the cluster status using hastatus. The system should be back in business.
[root@UA ~]# hastatus -sum |head
-- SYSTEM STATE
-- System               State                Frozen
A  UA2                 RUNNING              0
A  UA                  RUNNING              0

-- GROUP STATE
-- Group           System       Probed     AutoDisabled    State
B  ClusterService  UA             Y          N             ONLINE
B  ClusterService  UA2            Y          N             OFFLINE

[root@UA ~]#
This is a very small thing, but many VCS beginners fail to fix this start-up issue. In interviews too, they are not able to say: "If HAD is not starting with the hastart command, I will check the LLT and GAB services, fix any issues with them, and then start the cluster using hastart." As interviewers, everybody expects this answer.
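A small start-up check, added here as an example and not part of the original notes: it decodes the membership column of captured "gabconfig -a" output for port a (GAB) and port h (HAD) and maps node IDs to hostnames through an llthosts-style file. The file paths, function names and the sample data are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: decode the "membership" column
# of captured "gabconfig -a" output so a start-up check can report which nodes
# hold membership on port a (GAB) and port h (HAD). Node IDs are resolved through
# an llthosts-style file ("<id> <hostname>" per line). Handles node IDs 0-9,
# which covers the two-node cluster in the notes (IDs above 9 use ';' groups).

# gab_members PORT GABCONFIG_OUTPUT_FILE LLTHOSTS_FILE
# Prints "id hostname" for every node that is a member of PORT.
# Exit status 1 if the port is not seeded at all (no "Port x" line).
gab_members() {
    port=$1; gabout=$2; llthosts=$3
    # Keep everything after "membership " verbatim: a missing node leaves a
    # blank at its position, e.g. "membership  1" means node 1 only.
    mem=$(sed -n "s/^Port $port gen *[0-9a-fA-F]* *membership //p" "$gabout")
    [ -n "$mem" ] || return 1
    found=1
    i=1
    while [ "$i" -le "${#mem}" ]; do
        c=$(printf '%s' "$mem" | cut -c"$i")
        id=$((i - 1))                       # position i holds the digit of node i-1
        if [ "$c" = "$id" ]; then
            name=$(awk -v id="$id" '$1 == id { print $2 }' "$llthosts")
            printf '%s %s\n' "$id" "${name:-unknown}"
            found=0
        fi
        i=$((i + 1))
    done
    return $found
}

# cluster_ready GABCONFIG_OUTPUT_FILE LLTHOSTS_FILE EXPECTED_NODE_COUNT
# Returns 0 when both GAB (port a) and HAD (port h) show EXPECTED_NODE_COUNT
# members; otherwise prints which port is short and returns 1.
cluster_ready() {
    gabout=$1; llthosts=$2; expected=$3
    rc=0
    for port in a h; do
        n=$(gab_members "$port" "$gabout" "$llthosts" | wc -l | tr -d ' ')
        if [ "$n" -ne "$expected" ]; then
            echo "port $port: $n of $expected nodes (port a -> seed GAB, port h -> start HAD)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, modelled on the captured output in the notes.
tmp=$(mktemp -d)
cat > "$tmp/llthosts" <<'EOF'
0 UA2
1 UA
EOF
cat > "$tmp/gab_seeded" <<'EOF'
GAB Port Memberships
===============================================================
Port a gen   6d0607 membership 01
Port h gen   6d060b membership 01
EOF
cat > "$tmp/gab_partial" <<'EOF'
GAB Port Memberships
===============================================================
Port a gen   6d0607 membership  1
EOF

gab_members a "$tmp/gab_seeded" "$tmp/llthosts"
cluster_ready "$tmp/gab_partial" "$tmp/llthosts" 2 || echo "cluster not ready"
```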

########################################################################
VXVM
########################################################################
#vxdisk list
#vxdisk -o alldgs list
#vxdmpadm listctlr

#vxdisksetup -i sdc
#vxdg init dg1 disk01=sdb cds=off
#vxdg -g dg1 adddisk disk02=sdc

#vxassist -g dg1 maxsize

#vxassist -g dg1 make vol01 2g
# vxinfo -g dg1 -p

mkfs -t vxfs /dev/vx/dsk/labdg10/labvol10-01
mount /dev/vx/dsk/labdg10/labvol10-01 lab10-01/
vxresize -F vxfs -g labdg10 labvol10-01 2048m   ==========> Make volume of 2GB
vxresize -F vxfs -g labdg10 labvol10-01 +1024m      ==========> Add disk space by +1GB
vxresize -F vxfs -g labdg10 labvol10-01 -1024m  ==========> Reduce disk space by 1GB

# vxdg deport dg1
#vxdiskunsetup -C sdc

--------
vxrecover -g dg1 -bs vol1
-------------
Q-1        How to get volume information in Veritas Volume Manager?
Ans:        # vxinfo <volume-name>
Q-2        Veritas Volume Manager GUI
Ans:        # vxva
Q-3        How to check which tasks are running in Veritas Volume Manager?
Ans:        # vxtask list
Q-4        How to restart the VxVM configuration daemon?
Ans:        # vxconfigd -k
Q-5        How to display free space on the disks in Veritas Volume Manager?
Ans:        # vxdg free
Q-6        How to verify the main daemon of Veritas Volume Manager?
Ans:        vxconfigd is the main daemon of Veritas Volume Manager and must be running at all times. It is started at system startup.
Its status can be checked as follows:
# vxdctl mode
 Or verify that it is running with a ps command:
# ps -ef | grep vxconfigd
Q-7        How to enable, disable or verify the vxconfigd daemon in Veritas Volume Manager?
To verify the vxconfigd daemon in Veritas Volume Manager:
# vxdctl mode
 To enable the vxconfigd daemon:
# vxdctl enable
 To disable the vxconfigd daemon:
# vxdctl disable

QMAIL
#####
Tools that come with Qmail
===========================
qmail-qread:
------------
Lists the messages in the queue, it shows sender, recipient, date and message number.

[root@correo root]# qmail-qread
16 Sep 2003 21:13:33 GMT  #145337  2218  <joe@home.com>
        remote  shmoe@work.net

qmail-qstat:
-----------
Simple tool: Reports the number of messages in qmail's queue, and of messages waiting to enter the queue.

[root@correo root]# qmail-qstat
messages in queue: 1025
messages in queue but not yet preprocessed: 2

PENDING
#######
1. SENDMAIL
#vi /etc/mail/sendmail.mc
Comment out the following line (prefix it with dnl) so that sendmail accepts connections from all networks instead of only 127.0.0.1:
----
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

#m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Set DAEMON to yes in /etc/sysconfig/sendmail:
# vi /etc/sysconfig/sendmail
----
DAEMON=yes
QUEUE=1h

Check whether the port is listening:
#netstat -tulpn | grep 25
#telnet localhost 25
#telnet IP 25

 SQUID
/etc/squid - primary configuration directory
/etc/squid/squid.conf - primary configuration file
/usr/sbin/squidclient - used to test the Squid proxy server
/var/log/squid - primary log directory
/var/spool/squid - cache directory container
 2. Start Squid, and ensure that it starts when the system reboots
  a. service squid start
  b. chkconfig --level 35 squid on
Note: Ensure that ample/fast disk storage is available for /var/spool/squid
Note: Squid defaults to TCP:3128
3. Configure the Firefox browser to use the Squid proxy server
 4. Configure Squid to allow LAN access through to resources
  a. nano /etc/squid/squid.conf
  b. acl lan_users src 192.168.75.0/24
  c. http_access allow lan_users

 5. Deny 192.168.75.10, but allow all other users from the local subnet
  a. acl lan_bad_users src 192.168.75.10
  b. http_access deny lan_bad_users
  Note: the deny line must appear before "http_access allow lan_users"; http_access rules are evaluated top to bottom and the first match wins.

Log
  /var/log/squid/cache.log
  /var/log/squid/access.log


 SAMBA
The Samba server is used to share files with Windows.
Samba config file:
/etc/samba/smb.conf
# Samba config file created using SWAT
# Global parameters
[global]
        workgroup = MSHOME
#### Workgroup
        netbios name = MUMBAI.COM
#### Computer name
        server string = File Server
        interfaces = 192.168.1.10
#### IP assigned to the server
        encrypt passwords = Yes
#### Encrypted passwords for Windows clients
        admin users = administrator
#### Admin user (admin users act as root on the shares; keep this list minimal)
[homes]
        comment = Home Directory
        read only = No
        browseable = No
[Account]
#### Share name
        comment = Account Directory
        path = /accounts
#### Shared folder
        read only = No
#service smb restart
#testparm
#### To test the Samba config file
To install on the server:
#setup -> System Services -> enable smb.
To check whether Samba is installed properly:
#rpm -qa | grep samba
To activate the Samba service:
#/etc/init.d/smb start to start the Samba service.
#/etc/init.d/smb restart to restart the Samba service.
Assign the Samba service to a user.
To add a Samba user for the Samba service:
Log in as root
# cat /etc/passwd | /usr/bin/mksmbpasswd.sh > /etc/samba/smbpasswd
To set the Samba password for a Samba user:
#smbpasswd <user name>
In Win98:
Log in as the Samba user with the password.
(Change the workgroup to mygroup if necessary.)
The default workgroup of the server is Mygroup, set in /etc/smb.conf.
Printer Installation
=====================
Local printer:
Text mode:
#printconf-tui -> New -> Queue Name -> Local printer -> choose product.
Network printer:
Text mode:
#printconf-tui -> New -> Queue Name (same as in local printer) -> Next -> Server IP Add. & Queue Name (same as in local printer) -> choose product.
To print:
#lpr <file name>

mount -t cifs -o credentials=/app/norman/op/.smbcredentials //10.2.105.19/Postausgang/norman-Ausgang/ /app/norman/op/snt_ausgang
mount -t cifs //server/share /mnt -o user=username
smbclient -L hbg1n108 -U dephbgsa11-sys26 -W wbi

###BIND DNS###
# vi /etc/named.conf
Master DNS: add the following to named.conf
-----------------------
options {
        directory "/var/named";
        notify yes;
        allow-query { any; };
        allow-transfer { 192.168.1.12; };
        transfer-source 192.168.1.11;
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
        inet 192.168.1.11 allow { 192.168.1.11; } keys { rndckey; };
};
zone "india.com" IN {
        type master;
        file "mumbai.india.com.zone";
        allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "mumbai.com.local";
        allow-update { none; };
};
include "/etc/rndc.key";
===============================================================
/var/named
cp -pR named.zone mumbai.india.com.zone
cp -pR named.local mumbai.com.local
===============================================================
vi mumbai.india.com.zone
$TTL    86400
@                       IN SOA  india.com. root.mumbai.india.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                        IN NS           mumbai.india.com.
                        IN A            192.168.1.11
                        IN MX   10      mumbai.india.com.
mumbai                  IN A            192.168.1.11
delhi                   IN A            192.168.1.12
www                     IN A            192.168.1.11
mail                    IN A            192.168.1.11
==============================================================
vi mumbai.com.local
$TTL    86400
@       IN      SOA     india.com. root.mumbai.india.com.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
         IN      NS     india.com.
11       IN      PTR     mumbai.india.com.
12       IN      PTR     delhi.india.com.
================================================================
nslookup mumbai.india.com, www.india.com, mail.india.com (working)
================================================================
vi /etc/rndc.conf
options {
        default-server  mumbai.india.com;
        default-key     "rndckey";
};
server mumbai.delhi.com {
        key     "rndckey";
};
======================================================================
Configure the slave server:
vi /etc/named.conf
options {
        directory "/var/named";
        notify yes;
        allow-query { any; };
        allow-transfer { 192.168.1.11; };
        transfer-source 192.168.1.12;
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
        inet 192.168.1.12 allow { 192.168.1.12; } keys { rndckey; };
};
zone "india.com" IN {
        type slave;
        file "delhi.com.zone";
        masters { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "delhi.com.local";
        masters { 192.168.1.11; };
};
include "/etc/rndc.key";
=============================================================================
Restart the named service.
To check the zone transfer manually (lists the zone via AXFR, so it also confirms allow-transfer is correct):
host -l india.com
=============================================================================
nslookup
set type=mx

###Network Time Protocol (NTP) Implementation###
Features:
 1. The ability to sync your system's clock
 2. Can also be used to sync other clocks
 3. Implemented as the 'ntp-4.2...rpm' package
 4. Is hierarchical, using stratum levels to denote time accuracy

/etc/ntp.conf - primary configuration
1. Sync against an internal NTP server
  a. /etc/ntp.conf
   a1. server 192.168.75.100
  b. service ntpd start - this starts the 'ntpd' service
  c. ntpq -np - this queries the running 'ntpd' server
###############################################################

IPTABLES
###############################################################
Features:
 1. Firewall for Linux
 2. Interface to Netfilter, which is loaded by the kernel (grep -i config_netfilter /boot/config*)
 3. Operates primarily @ layers 3 & 4 of the OSI model
 4. Modular
 5. Provides Network Address Translation (NAT)
 6. IPTables can also access other layers (2, 5-7), with modules

Description of OSI layers: 1-Physical Layer, 2-Data Link Layer, 3-Network Layer, 4-Transport Layer, 5-Session Layer 6- Presentation Layer, 7-Application

IPTables rules are saved in: /etc/sysconfig/iptables
The IPTables configuration file is: /etc/sysconfig/iptables-config

Binary
/sbin/iptables - primary ACL modifier utility
/sbin/iptables-restore - restores rules to current IPTables instance
/sbin/iptables-save - saves rules to STDOUT, by default, or to a file

IPTables includes 3 default tables, which you cannot remove:
 1. NAT: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
 2. Mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
 3. Filter (Default) - filters inbound/outbound traffic: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

Task:

View rules with line numbers:
iptables -L --line-numbers
Add an iptables rule (appended at the end of the chain):
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Insert an iptables rule:
iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT (inserted as rule 2; the old rule 2 and those below move down)
Delete an iptables rule:
iptables -D INPUT 3 (deletes rule 3)
Create a user-defined chain for logging:
iptables -N LOGGING
--------------------------------------------------------------------------------
#echo | telnet 10.2.1.55 22
#iptables -nL --line-numbers

iptables -I INPUT -s S1 -p tcp --dport 22 -j ACCEPT   (S1 = source address allowed to reach SSH)

#iptables -I INPUT 12 -m state --state NEW -m tcp -p tcp --dport 3872 -j ACCEPT
#iptables -I INPUT 13 -m state --state NEW -m tcp -p tcp --dport 1830:1849 -j ACCEPT

#iptables -I OUTPUT 1 -s 10.2.10.13 -d 10.2.1.55 -p tcp --dport 1159 -j ACCEPT
#iptables -I OUTPUT 2 -s 10.2.10.13 -d 10.2.1.55 -p tcp --dport 4889:4908 -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables reload

25 Hardening Security Tips for Linux Servers
1. Physical System Security
            ■Set a GRUB password to protect Linux servers
2. Disk Partitions
3. Minimize Packages to Minimize Vulnerability
4. Check Listening Network Ports
            # netstat -tulpn
5. Use Secure Shell (SSH)
            # vi /etc/ssh/sshd_config
            PermitRootLogin no
            AllowUsers username
            Protocol 2
6. Keep the System Updated
            # yum update
            # yum check-update
7. Lock Down Cron Jobs
            # echo ALL >>/etc/cron.deny
8. Disable USB Stick Detection
9. Turn On SELinux
10. Remove KDE/GNOME Desktops
11. Turn Off IPv6
12. Prevent Users from Reusing Old Passwords
13. Check Password Expiration of Users
14. Lock and Unlock Accounts Manually
15. Enforce Stronger Passwords
16. Enable Iptables (Firewall)
17. Disable Ctrl+Alt+Delete in Inittab
18. Check Accounts for Empty Passwords
19. Display an SSH Banner Before Login
20. Monitor User Activities
21. Review Logs Regularly
22. Back Up Important Files
23. NIC Bonding
24. Keep /boot Read-Only
# vi /etc/fstab
LABEL=/boot     /boot     ext2     defaults,ro     1 2
25. Ignore ICMP or Broadcast Requests
Edit "/etc/sysctl.conf" to ignore ping or broadcast requests.
Ignore ICMP requests:
net.ipv4.icmp_echo_ignore_all = 1

Ignore broadcast requests:
net.ipv4.icmp_echo_ignore_broadcasts = 1

#sysctl -p
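An audit of the settings named in tips 5, 24 and 25, added here as an example and not part of the original list: it reads copies of sshd_config, sysctl.conf and fstab (the paths are arguments; the sample files and function names are constructed) and returns the number of failed checks, so the same check can run on configs pulled from many servers.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the hardening settings
# from tips 5 (sshd), 24 (/boot read-only) and 25 (ICMP sysctls) on copies of
# the config files. Prints OK/FAIL per setting; audit returns the failure count.

# sshd_value KEY FILE: effective value of KEY in an sshd_config-style file.
# sshd uses the FIRST uncommented occurrence; a missing key yields "".
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
                     END { print v }' "$2"
}

# sysctl_value KEY FILE: value of "KEY = value" in sysctl.conf; last one wins.
sysctl_value() {
    awk -F'=' -v key="$1" '
        /^[[:space:]]*(#|$)/ { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
          if (k == key) val = v }
        END { print val }' "$2"
}

# fstab_has_ro MOUNTPOINT FILE: exit 0 if the mount carries the "ro" option.
fstab_has_ro() {
    awk -v mp="$1" '
        !/^[[:space:]]*#/ && $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# check NAME WANT GOT: prints the verdict, returns 1 on mismatch.
check() {
    if [ "$3" = "$2" ]; then
        printf 'OK   %s = %s\n' "$1" "$3"
    else
        printf 'FAIL %s = "%s" (want %s)\n' "$1" "$3" "$2"; return 1
    fi
}

# audit SSHD_CONFIG SYSCTL_CONF FSTAB: returns the number of failed checks.
audit() {
    fails=0
    check PermitRootLogin no "$(sshd_value PermitRootLogin "$1")" || fails=$((fails + 1))
    check Protocol 2 "$(sshd_value Protocol "$1")" || fails=$((fails + 1))
    for key in net.ipv4.icmp_echo_ignore_all net.ipv4.icmp_echo_ignore_broadcasts; do
        check "$key" 1 "$(sysctl_value "$key" "$2")" || fails=$((fails + 1))
    done
    if fstab_has_ro /boot "$3"; then echo "OK   /boot mounted read-only"
    else echo "FAIL /boot not mounted read-only"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample files: a weak set and a hardened set.
tmp=$(mktemp -d)
printf 'Port 22\nProtocol 2,1\nPermitRootLogin yes\n' > "$tmp/sshd_weak"
printf 'net.ipv4.ip_forward = 0\n' > "$tmp/sysctl_weak"
printf 'LABEL=/boot /boot ext2 defaults 1 2\n' > "$tmp/fstab_weak"
printf 'Protocol 2\nPermitRootLogin no\nAllowUsers admin\n' > "$tmp/sshd_hard"
printf '# icmp\nnet.ipv4.icmp_echo_ignore_all = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n' > "$tmp/sysctl_hard"
printf 'LABEL=/boot /boot ext2 defaults,ro 1 2\n' > "$tmp/fstab_hard"

audit "$tmp/sshd_weak" "$tmp/sysctl_weak" "$tmp/fstab_weak" || echo "$? check(s) failed"
```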

How to solve a password-less SSH issue (the key is installed but SSH still prompts for a password):
#ssh server-name
#passwd:

Log in to server-name and check the permissions of the home directory, ~/.ssh and ~/.ssh/authorized_keys: sshd ignores the key when any of them is writable by group or others (StrictModes).
dr-xr-x---.  11 root root 4096 Jul 11 14:15 root


Satellite Server
Port   Protocol   Service
80     TCP        HTTP
443    TCP        HTTPS
5646   TCP        qpid/Katello
5647   TCP        qpid/Katello
5671   TCP        amqp
8140   TCP        puppet
9090   TCP        Foreman Smart Proxy
53     UDP/TCP    DNS
67     UDP        DHCP
68     UDP        DHCP
69     UDP        TFTP

Storage Configuration:

The Satellite Server host requires a minimum of 6 GB of storage for the operating system. In addition, the Satellite Server software has the following storage requirements:

• Minimum of 2 GB for the Red Hat Satellite 6 software installation for disconnected installations.
• Minimum of 1 MB for /var/cache/pulp, which temporarily stores content during synchronization by Satellite Server.
• Minimum of 1 MB for /var/lib/pulp, which stores content synchronized by Satellite Server.
• Minimum of 2 MB in /var/lib/qpidd for each content host registered with Satellite Server.
• Minimum of 3.5 GB for /var/lib/mongodb, which contains Satellite Server's MongoDB database.
• Minimum of 2 GB for /var/lib/pgsql, which contains Satellite Server's PostgreSQL database.
