How to Monitor Apache Performance using Netdata on CentOS 7

Netdata is a free open source, simple yet powerful, and effective real-time system performance monitoring tool for Linux, FreeBSD and MacOS. It supports various plugins for monitoring general server status, applications, web services such as Apache or Nginx HTTP server and so much more.

Read AlsoHow to Monitor Nginx Performance Using Netdata on CentOS 7

In this article, we will explain how to monitor Apache HTTP server performance using Netdata performance monitoring tool on a CentOS 7 or RHEL 7 distribution. At the end of this article, you will be able to watch visualizations of requests, bandwidth, workers, and other Apache server metrics.

Requirements:

  1. CentOS 7 Server or RHEL 7 Server with Minimal Install.
  2. Apache HTTP server installation with mod_status module enabled.

Step 1: Install Apache on CentOS 7

1. First start by installing Apache HTTP server from the default software repositories using the YUM package manager.

# yum install httpd

2. After you have installed Apache web server, start it for the first time, check if it is up and running, and enable it to start automatically at system boot using following commands.

# systemctl start httpd
# systemctl enable httpd
# systemctl status httpd

3. If you are running a firewall for example firewalld, you need to open the ports 80 and 443 to allow web traffic to Apache via HTTP and HTTPS respectively, using the commands below.

# firewall-cmd --zone=public --permanent --add-port=80/tcp
# firewall-cmd --zone=public --permanent --add-port=443/tcp
# firewall-cmd --reload 

Step 2: Enable Mod_Status Module in Apache

4. In this step, you need to enable and configure mod_status module in Apache, this is required by Netdata for gathering server status information and statistics.

Open the file /etc/httpd/conf.modules.d/00-base.conf file using your favorite editor.

# vim /etc/httpd/conf.modules.d/00-base.conf

And ensure that the line below is uncommented to enable mod_status module, as shown in the screenshot.

Enable Mod_Status Module in Apache

Enable Mod_Status Module in Apache

5. Once you’ve enabled mod_status, next you need to create a server-status.conf configuration file for the Apache server status page.

# vim /etc/httpd/conf.d/server-status.conf

Add the following configuration inside the file.

<Location "/server-status">
    SetHandler server-status
    #Require host localhost           #uncomment to only allow requests from localhost 
</Location>

Save the file and close. Then restart the Apache HTTPD service.

# systemctl restart httpd

6. Next, you need to verify that the Apache server status and statistics page is working well by using a command-line web browser such as lynx as shown.

# yum install lynx
# lynx http://localhost/server-status   

Check Apache Server Status

Check Apache Server Status

Step 3: Install Netdata on CentOS 7

7. Fortunately, there is a kickstarter shell script for painlessly installing netdata from its github repository. This one-liner script downloads a second script which checks your Linux distribution and installs the required system packages for building netdata, then downloads the latest netdata source tree; builds and installs it on your server.

You can start the kickstarter script as shown, the all flag allows for installing required packages for all netdata plugins including the ones for Apache HTTP server.

# bash <(curl -Ss https://my-netdata.io/kickstart.sh) all

Note that if your not administering your system as root, you will be prompted to enter your user password for sudo command, and you will also be asked to confirm a number of functions by pressing [Enter].

Install Netdata on CentOS 7

Install Netdata on CentOS 7

8. Once the script has completed building and installing netdata, it will automatically start the netdata service via systemd service manager and enables it to start at system boot.

Netdata Installation Summary

Netdata Installation Summary

By default, netdata listens on port 19999, you will access the web UI using this port. So, open port 19999 in the firewall to access the netdata web UI.

# firewall-cmd --permanent --add-port=19999/tcp
# firewall-cmd --reload 

Step 4: Configure Netdata to Monitor Apache Performance

9. The netdata configuration for Apache plugin is /etc/netdata/python.d/apache.conf, this file is written in YaML format, you can open it using your favorite editor.

# vim /etc/netdata/python.d/apache.conf

The default configuration is just enough to get you started with monitoring your Apache HTTP server.

Netdata Configuration for Apache

Netdata Configuration for Apache

However, if you have read the documentation, and made any changes to it, restart the netdata service to effect the changes.

# systemctl restart netdata 

Step 5: Monitor Apache Performance Using Netdata

10. Next, open a web browser and use the following URL to access the netdata web UI.

http://domain_name:19999
OR
http://SERVER_IP:19999

From the netdata dashboard, search for “Apache local” on the right hand side list of plugins, and click on it to start monitoring your Apache server. You will be able to watch visualizations of requests, bandwidth, workers, and other server statistics, as shown in the following screenshot.

Monitor Apache Performance Using Netdata

Monitor Apache Performance Using Netdata

Netdata Github repositoryhttps://github.com/firehol/netdata

That’s all! In this article, we’ve explained how to monitor Apache performance using Netdata on CentOS 7. If you have any questions or additional thoughts to share, please reach us via the comment form below.

Source

How to Enable NGINX Status Page

Nginx is a free open source, high-performance, reliable, scalable and fully extensible web server, load balancer and reverse proxy software. It has a simple and easy-to-understand configuration language. It also supports a multitude of modules both static (which have existed in Nginx since the first version) and dynamic (introduced in version 1.9.11).

One of the important modules in Nginx is the ngx_http_stub_status_module module which provides access to basic Nginx status information via a “status page”. It shows information such as total number of active client connections, those accepted, and those handled, total number of requests and number of reading, writing and waiting connections.

Read AlsoAmplify – NGINX Monitoring Made Easy

On most Linux distributions, the Nginx version comes with the ngx_http_stub_status_module enabled. You can check out if the module is already enabled or not using following command.

# nginx -V 2>&1 | grep -o with-http_stub_status_module

Check Nginx Status Module

Check Nginx Status Module

If you see --with-http_stub_status_module as output in the terminal, means the status module is enabled. If the above command returns no output, you need to compile NGINX from source using the –with-http_stub_status_module as configuration parameter as shown.

# wget http://nginx.org/download/nginx-1.13.12.tar.gz
# tar xfz nginx-1.13.12.tar.gz
# cd nginx-1.13.12/
# ./configure --with-http_stub_status_module
# make
# make install

After verifying the module, you will also need to enable stub_status module in the NGINX configuration file /etc/nginx/nginx.conf to set up a locally reachable URL (e.g., http://www.example.com/nginx_status) for the status page.

location /nginx_status {
 	stub_status;
 	allow 127.0.0.1;	#only allow requests from localhost
 	deny all;		#deny all other hosts	
 }

Enable Nginx Status Page

Enable Nginx Status Page

Make sure to replace 127.0.0.1 with your server’s IP address and also make sure that this page accessible to only you.

After making configurations changes, make sure to check nginx configuration for any errors and restart the nginx service to effect the recent changes using following commands.

# nginx -t
# nginx -s reload 

Check Nginx Configuration

Check Nginx Configuration

After reloading nginx server, now you can visit the Nginx status page at the below URL using curl program to see your metrics.

# curl http://127.0.0.1/nginx_status
OR
# curl http://www.example.com/nginx_status

Check Nginx Status Page

Check Nginx Status Page

Important: The ngx_http_stub_status_module module has been superseded by the ngx_http_api_modulemodule in Nginx 1.13.0 version.

Read AlsoHow to Enable PHP-FPM Status Page in Nginx

That’s all! In this article, we have showed how to enable Nginx status page in Linux. Use the comment form below to ask any questions.

Source

How to Password Protect Web Directories in Nginx

Managers of web projects often need to protect their work one way or another. Often people ask how to password protect their website while it is still in development.

Nginx Password Protect Website

Nginx Password Protect Web Directory

In this tutorial, we are going to show you a simple, but effective technique how to password protected web directory when running Nginx as web server.

In case you are using Apache web server, you can check our guide for password protecting a web directory:

  1. Password Protect Web Directories in Apache

Requirements

To complete the steps in this tutorial, you will need to have:

  • Nginx web server installed
  • Root access to the server

Step 1: Create User and Password

1. To password protect our web directory, we will need to create the file that will contain our encrypted username and password.

When using Apache, you can use the “htpasswd” utility. If you have that utility installed on your system, you can use this command to generate the password file:

# htpasswd -c /path/to/file/.htpasswd username

When running this command, you will be asked to set a password for the above user and after that the .htpasswd file will be created in the specified directory.

Create Nginx User Password File

htpasswd: Create Nginx User Password File

2. If you don’t have that tool installed, you can create the .htpasswd file manually. The file should have the following syntax:

username:encrypted-password:comment

The username that you will use depends on you, choose whatever you like.

The more important part is the way that you will generate the password for that user.

Step 2: Generate Encrypted Password

3. To generate the password, use Perl’s integrated “crypt” function.

Here is an example of that command:

# perl -le 'print crypt("your-password", "salt-hash")'

A real life example:

# perl -le 'print crypt("#12Dfsaa$fa", "1xzcq")'

Generate Encrypted Pasword

Generate Encrypted Pasword

Now open a file and put your username and the generated in string it, separated with semicolon.

Here is how:

# vi /home/tecmint/.htpasswd

Put your username and password. In my case it looks like this:

tecmint:1xV2Rdw7Q6MK.

Save the file by hitting “Esc” followed by “:wq”.

Add Encrypted Password to htpasswd

Add Encrypted Password to htpasswd

Step 3: Update Nginx Configuration

4. Now open and edit the Nginx configuration file associated with the site you are working on. In our case we will use the default file at:

# vi /etc/nginx/conf.d/default.conf       [For CentOS based systems]
OR
# vi /etc/nginx/nginx.conf                [For CentOS based systems]


# vi /etc/nginx/sites-enabled/default     [For Debian based systems]

In our example, we will password protect the directory root for nginx, which is: /usr/share/nginx/html.

5. Now add the following two lines section under the path you wish to protect.

auth_basic "Administrator Login";
auth_basic_user_file /home/tecmint/.htpasswd;

Password Protect Nginx Directory

Password Protect Nginx Directory

Now save the file and restart Nginx with:

# systemctl restart nginx
OR
# service nginx restart

6. Now copy/paste that IP address in your browser and you should be asked for password:

Nginx Password Protect Login

Nginx Password Protect Login

That’s it! Your main web directory is now protected. When you want to remove the password protection on the site, simply remove the two lines that you just added to .htpasswd file or use the following command to remove the added user from a password file.

# htpasswd -D /path/to/file/.htpasswd username

Source

How to Limit the Network Bandwidth Used by Applications in a Linux System with Trickle

Have you ever encountered situations where one application dominated you all network bandwidth? If you have ever been in a situation where one application ate all your traffic, then you will value the role of the trickle bandwidth shaper application. Either you are a system admin or just a Linux user, you need to learn how to control the upload and download speeds for applications to make sure that your network bandwidth is not burned by a single application.

Bandwidth limit in Linux

Install Trickle Bandwidth Limit in Linux

What is Trickle?

Trickle is a network bandwidth shaper tool that allows us to manage the upload and download speeds of applications in order to prevent any single one of them to hog all (or most) of the available bandwidth. In few words, trickle lets you control the network traffic rate on a per-application basis, as opposed to per-user control, which is the classic example of bandwidth shaping in a client-server environment, and is probably the setup we are more familiar with.

How Trickle Works?

In addition, trickle can help us to define priorities on a per-application basis, so that when overall limits have been set for the entire system, priority apps will still get more bandwidth automatically. To accomplish this task, trickle sets traffic limits to the way in which data is sent to, and received from, sockets using TCP connections. We must note that, other than the data transfer rates, trickle does not modify in any way the behavior of the process it is shaping at any given moment.

What Can’t Trickle do?

The only limitation, so to speak, is that trickle will not work with statically linked applications or binaries with the SUID or SGID bits set since it uses dynamic linking and loading to place itself between the shaped process and its associated network socket. Trickle then acts as a proxy between these two software components.

Since trickle does not require superuser privileges in order to run, users can set their own traffic limits. Since this may not be desirable, we will explore how to set overall limits that system users cannot exceed. In other words, users will still be able to manage their traffic rates, but always within the boundaries set by the system administrator.

In this article we will explain how to limit the network bandwidth used by applications in a Linux server with trickle. To generate the necessary traffic, we will use ncftpput and ncftpget (both tools are available by installing ncftp) on the client (CentOS 7 server – dev1: 192.168.0.17), and vsftpd on the server (Debian Wheezy 7.5 – dev2: 192.168.0.15) for demonstration purposes. The same instructions also works on RedHat, Fedora and Ubuntu based systems.

Prerequisites

1. For RHEL/CentOS 7/6enable the EPEL repository. Extra Packages for Enterprise Linux (EPEL) is a repository of high-quality free and open-source software maintained by the Fedora project and is 100% compatible with its spinoffs, such as Red Hat Enterprise Linux and CentOS. Both trickle and ncftp are made available from this repository.

2. Install ncftp as follows:

# yum update && sudo yum install ncftp		[On RedHat based systems]
# aptitude update && aptitude install ncftp	[On Debian based systems]	

3. Set up a FTP server in a separate server. Please note that although FTP is inherently insecure, it is still widely used in cases when security in uploading or downloading files is not needed. We are using it in this article to illustrate the bounties of trickle and because it shows the transfer rates in stdout on the client, and we will leave the discussion of whether it should or should not be used for another date and time :).

# yum update && yum install vsftpd 		[On RedHat based systems]
# aptitude update && aptitude install vsftpd 	[On Debian based systems]

Now, edit the /etc/vsftpd/vsftpd.conf file on the FTP server as follows:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES

After that, make sure to start vsftpd for your current session and to enable it for automatic start on future boots:

# systemctl start vsftpd 		[For systemd-based systems]
# systemctl enable vsftpd
# service vsftpd start 			[For init-based systems]
# chkconfig vsftpd on

4. If you chose to set up the FTP server in a CentOS/RHEL 7 droplet with SSH keys for remote access, you will need a password-protected user account with the appropriate directory and file permissions for uploading and downloading the desired content OUTSIDE root’s home directory.

You can then browse to your home directory by entering the following URL in your browser. A login window will pop up prompting you for a valid user account and password on the FTP server.

ftp://192.168.0.15

If the authentication succeeds, you will see the contents of your home directory. Later in this tutorial you will be able to refresh that page to display the files that have been uploaded during previous steps.

FTP Directory Tree

FTP Directory Tree

How to Install Trickle in Linux

1. Install trickle via yum or aptitude.

To ensure a successful installation, it is considered good practice to make sure the currently installed packages are up-to-date (using yum update) before installing the tool itself.

# yum -y update && yum install trickle 		        [On RedHat based systems]
# aptitude -y update && aptitude install trickle 	[On Debian based systems]

2. Verify whether trickle will work with the desired binary.

As we explained earlier, trickle will only work with binaries using dynamic, or shared, libraries. To verify whether we can use this tool with a certain application, we can use the well-known ldd utility, where ldd stands for list dynamic dependencies. Specifically, we will look for the presence of glibc (the GNU C library) in the list of dynamic dependencies of any given program because it is precisely that library which defines the system calls involved in communication through sockets.

Run the following command against a given binary to see if trickle can be used to shape its bandwidth:

# ldd $(which [binary]) | grep libc.so

For example,

# ldd $(which ncftp) | grep libc.so

whose output is:

# libc.so.6 => /lib64/libc.so.6 (0x00007efff2e6c000)

The string between brackets in the output may change from system to system and even between subsequent runs of the same command, since it represents the load address of the library in physical memory.

If the above command does not return any results, it means that the binary it was run against does not use libcand thus trickle cannot be used as bandwidth shaper in that case.

Learn How to Use Trickle

The most basic usage of trickle is in standalone mode. Using this approach, trickle is used to explicitly define the download and upload speeds of a given application. As we explained earlier, for the sake of brevity, we will use the same application for download and upload tests.

Running Trickle in Standalone Mode

We will compare the download and upload speeds with and without using trickle. The -d option indicates the download speed in KB/s, while the -u flag tells trickle to limit the upload speed by the same unit. In addition, we will use the -s flag, which specifies that trickle should run in standalone mode.

The basic syntax to run trickle in standalone mode is as follows:

# trickle -s -d [download rate in KB/s] -u [upload rate in KB/s]

In order to perform the following examples on your own, make sure to have trickle and ncftp installed on the client machine (192.168.0.17 in my case).

Example 1: Uploading a 2.8 MB PDF file with and without trickle.

We are using the freely-distributable Linux Fundamentals PDF file (available from here) for the following tests.

You can initially download this file to your current working directory with the following command:

# wget http://linux-training.be/files/books/LinuxFun.pdf 

The syntax to upload a file to our FTP server without trickle is as follows:

# ncftpput -u username -p password 192.168.0.15  /remote_directory local-filename 

Where /remote_directory is the path of the upload directory relative to username’s home, and local-filename is a file in your current working directory.

Specifically, without trickle we get a peak upload speed of 52.02 MB/s (please note that this is not the real average upload speed, but an instant starting peak), and the file gets uploaded almost instantly:

# ncftpput -u username -p password 192.168.0.15  /testdir LinuxFun.pdf 

Output:

LinuxFun.pdf:                                        	2.79 MB   52.02 MB/s

With trickle, we will limit the upload transfer rate at 5 KB/s. Before uploading the file for the second time, we need to delete it from the destination directory; otherwise, ncftp will inform us that the file at the destination directory is the same that we are trying to upload, and will not perform the transfer:

# rm /absolute/path/to/destination/directory/LinuxFun.pdf 

Then:

# trickle -s -u 5 ncftpput -u username -p password 111.111.111.111 /testdir LinuxFun.pdf 

Output:

LinuxFun.pdf:                                        	2.79 MB	4.94 kB/s

In the example above, we can see that the average upload speed dropped to ~5 KB/s.

Example 2: Downloading the same 2.8 MB PDF file with and without trickle

First, remember to delete the PDF from the original source directory:

# rm /absolute/path/to/source/directory/LinuxFun.pdf 

Please note that the following cases will download the remote file to the current directory in the client machine. This fact is indicated by the period (‘.‘) that appears after the IP address of the FTP server.

Without trickle:

# ncftpget -u username -p  password 111.111.111.111 . /testdir/LinuxFun.pdf 

Output:

LinuxFun.pdf:                                        	2.79 MB  260.53 MB/s

With trickle, limiting the download speed at 20 KB/s:

# trickle -s -d 30 ncftpget -u username -p password 111.111.111.111 . /testdir/LinuxFun.pdf 

Output:

LinuxFun.pdf:                                        	2.79 MB   17.76 kB/s

Running Trickle in Supervised [unmanaged] Mode

Trickle can also run in unmanaged mode, following a series of parameters defined in /etc/trickled.conf. This file defines how trickled (the daemon) behaves and manages trickle.

In addition, if we want to set global settings to be used, overall, by all applications, we will need to use the trickled command. This command runs the daemon and allows us to define download and upload limits that will be shared by all the applications run through trickle without us needing to specify limits each time.

For example, running:

# trickled -d 50 -u 10

Will cause that the download and upload speeds of any application run through trickle be limited to 30 KB/s and 10 KB/s, respectively.

Please note that you can check at any time whether trickled is running and with what arguments:

# ps -ef | grep trickled | grep -v grep

Output:

root 	16475 	1  0 Dec24 ?    	00:00:04 trickled -d 50 -u 10

How to Get the Size of a Directory in Linux

When listing the contents of a directory using the ls command, you may have noticed that the size of the directories is almost always 4096 bytes (4 KB). That’s the size of space on the disk that is used to store the meta information for the directory, not what it contains.

The command you’ll want to use to get the actual size of a directory is du which is short for “disk usage”. We’ll show you how to use this command.

The du command displays the amount of file space used by the specified files or directories. If the specified path is a directory, du will summarize disk usage of each file and subdirectory in that directory. If no path is specified, du will report the disk usage of the current working directory.

If you run du without any option it will display the disk usage the specified directory and each of its subdirectories in bytes.

In most cases, you would want to display only the space occupied by the directory in a human-readable format. For example, to get the total size of the /var directory, you would run the following command:

sudo du -sh /var

The output will look something like this.

85G	/var

Let’s explain the command and its arguments:

  • The command starts with sudo because most of the files and directories inside the /var directory are owned by the root user and are not readable by the regular users. If you omit sudo the du command will print “du: cannot read directory”.
  • s – Display only the total size of the specified directory, do not display file size totals for subdirectories.
  • h – Print sizes in a human-readable format (h).
  • /var – The path to the directory you want to get the size.

What if you want to display the disk usage of the first-level subdirectories. You have two options, the first one is to use the asterisk symbol as shown below which means “everything that doesn’t start with a period (.)“. The c switch tells du to print a grand total of all sizes:

sudo du -shc /var/*
.0G	/var/cache
24K	/var/db
4.0K	/var/empty
4.0K	/var/games
77G	/var/lib
4.0K	/var/local
0	/var/lock
3.3G	/var/log
0	/var/mail
4.0K	/var/opt
0	/var/run
196K	/var/spool
28K	/var/tmp
85G	total

Another option is to use the --max-depth switch and specify the subdirectories level:

sudo du -h --max-depth=1 /var
77G	  /var/lib
24K	  /var/db
4.0K	/var/empty
4.0K	/var/local
4.0K	/var/opt
196K	/var/spool
4.0K	/var/games
3.3G	/var/log
5.0G	/var/cache
28K	/var/tmp
85G	/var
85G	total

By default, the du utility shows the disk space used by the directory or file. The “apparent size” of a file is how much data is actually in the file.

To find the apparent size of a directory use the --apparent-size switch.

sudo du -sh --apparent-size /var

When you transfer a directory via SCPRsync or SFTP the amount of data that will be transferred over the network is the apparent size of the files. This is why the size of space on the disk that is used on the source when displayed with du (without --apparent-size) will not be the same as the size on the target.

The du command can also be combined with other commands with pipes. For example, to print the 5 largest directories in the /var directory you would use:

sudo du -h /var/ | sort -rh | head -5

Copy

85G	/var/
77G	/var/lib
75G	/var/lib/libvirt/images
75G	/var/lib/libvirt
5.0G	/var/cache/pacman/pkg

In this tutorial, you learned how to get the size of a directory using the du command. If you have any question or remark, please leave a comment below.

Source

A Basic Guide to Linux Boot Process

As promised in our earlier post, in this post we are going to review boot process in Linux Operating System. How Operating system passes through different stage of booting states. This article is written for those readers who has just steps in Linux world. Understanding how Linux boots up is very important in terms of effectively troubleshooting in case of system failure. When a system switched on and after few moment we get a login prompt. Have we try to find out what all stage of booting sequence has crossed and what happened behind the scene during system boots up.

Linux Boot Process

Linux Boot Loader Process

Power on

  1. BIOS (Basic Input Output System) is a software program comes pre-built in a motherboard chipset.
  2. BIOS loads and scans for devices such as Hard DiskCD-ROMRAM, etc.
  3. BIOS searches for MBR (Master Boot Record: 1st sector) of the primary hard drive, it scans for 1st stage loader (In our case boot loader is (GRUB LILO) and hands over the responsibility to MBR.
  4. Boot PROM/FLASH/BIOS is proficient of loading the MBR into RAM and executing it.

MBR (Master Boot Record)

  • 512 bytes of space –> MBR
  • MBR contains the information of loader of most operating system e.g UNIXLinux and WINDOWS
  • MBR holds the small binary information of 1st stage of loader
  • MBR consist physical sector of the first disk drive (i.e 512 bytes) and it’s not part of any partition.
  • Placed on the prime disk drive, in the prime sector of the first cylinder of track is 0 and head is 0 (this whole path is generally booked for boot programs)
  • MBR involve a mini executable programs and a table specify the primary partitions.
Boot Code (GRUB) 446 bytes
partition 1: 16 bytes
partition 2: 16 bytes
partition 3: 16 bytes
partition 4: 16 bytes
magic Number: 2 bytes
  1. MBR also document which primary partition is ACTIVE.
  2. The BIOS surrender rights to the first stage boot loader, which then scans partition table and finds second stage boot loader on the partition configured as bootable.

Boot Loader

  1. The boot loader termed from 1st stage loader and loads itself into RAM. All this go on in milliseconds.
  2. The default stage 2 boot loader is a GRUB (Grand Unified Boot Loader) or LILO (Linux Loader)
  3. Once GRUB is loaded into RAM, then it’s search for the location of Kernel.
  4. GRUB will scrutinize the map file to find the kernel image, that is located under (/boot) and load it.
  5. GRUB loads the kernel (vmlinuz-version) from /boot partition

Trivia 1

GRUB organize RAMDISK for initrd —> (RAMDISK is reserved space from RAM). In addition, it drives initrd into RAM to ready the kernel for loading itself into memory and depended modules so that it can leave the system to “init” process

In, Linux most of the drivers are pre-built as modules, these would be initial ram drive (initrd.img) where it can keep all the information of additional modules. So, when the kernel boots, it creates ramdrive, loads the initrd.img and its depended modules.

GRUB reads /boot/grub/grub.conf & shows us a clean interface for selecting Operating System

Once Kernel loads its depended modules and then it hand over to “init” process. The kernel image has a small, unpacked program that un-compresses kernel and runs it.

Trivia 2

LILO needed to indicate MBR in order to locate operating systems on the hard drive. Any modifications done to /etc/lilo.conf, that must be updated in MBR, but in GRUB‘s case no need to update, it reads directly from the file /boot/grub/grub.conf.

After making changes in /etc/lilo.conf, we’ll have to update the MBR manually

# /sbin/lilo -v

Trivia 3

The GRUB second stage loader resides within the MBR and within /boot partition. Once GRUB is loaded into memory it becomes 2nd stage loader.

Trivia 4

The /initrd directory should not be removed it is a temporary place holder for kernel to have quick access to the modules that it needs to start the system modules include device drivers.

Kernel initialization highlights include:

  1. initialize CPU components, eg, MMU
  2. initialize the scheduler (PID 0)
  3. mount the root filesystem in rw mode
  4. fork off the init process (PID 1)

In essence, kernel initialization does two things:

  1. Start the core system of shared resource managers (RAM, processor and mass storage).
  2. Starts a single process, /sbin/init.

Init process (sbin/init) is the very fist process which loads all the various daemons and mounts all the partitions which are listed under /etc/fstab.

About /etc/fstab

  1. The /sbin/init reads /etc/inittab file
  2. Set default runlevel ( the telinit command allows administrators to tell the init process to change its current runlevel)
  3. Calls /etc/rc.d/rc.sysinit and /etc/rc.d/rc x (where ‘x‘ is a runlevel)
  4. In /etc/rc.d/rc5.d directory files starting with letter K –> kill scripts and files starting with letter S –> Startup scripts.
  5. Start up the tty processes and xdm ( X display manager)
  6. Starts User’s login screen

Source

How to Scan for Rootkits, backdoors and Exploits Using ‘Rootkit Hunter’ in Linux

Guys, if you are a regular reader of tecmint.com you will notice that this is our third article on security tools. In our previous two articles we have given you all the guidance in how to secure Apache and Linux Systems from MalwareDOS and DDOS attacks using mod_security and mod_evasive and LMD (Linux Malware Detect).

Again we are here to introduce a new security tool called Rkhunter (Rootkit Hunter). This article will guide you a way to install and configure RKH (RootKit Hunter) in Linux systems using source code.

Rootkit Hunter - Scans Linux Systems for Rootkits, backdoors and Local Exploits

Rootkit Hunter – Scans Linux Systems for Rootkits, backdoors and Local Exploits

What Is Rkhunter?

Rkhunter (Rootkit Hunter) is an open source Unix/Linux based scanner tool for Linux systems released under GPL that scans backdoors, rootkits and local exploits on your systems.

It scans hidden files, wrong permissions set on binaries, suspicious strings in kernel etc. To know more about Rkhunter and its features visit http://www.rootkit.nl/.

Install Rootkit Hunter Scanner in Linux Systems

Step 1: Downloading Rkhunter

First download the latest stable version of Rkhunter tool by going to http://www.rootkit.nl/projects/rootkit_hunter.html or use below Wget command to download it on your systems.

# cd /tmp
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz

Step 2: Installing Rkhunter

Once you have downloaded the latest version, run the following commands as a root user to install it.

# tar -xvf rkhunter-1.4.2.tar.gz 
# cd rkhunter-1.4.2
# ./installer.sh --layout default --install
Sample Output
Checking system for:
 Rootkit Hunter installer files: found
 A web file download command: wget found
Starting installation:
 Checking installation directory "/usr/local": it exists and is writable.
 Checking installation directories:
  Directory /usr/local/share/doc/rkhunter-1.4.2: creating: OK
  Directory /usr/local/share/man/man8: exists and is writable.
  Directory /etc: exists and is writable.
  Directory /usr/local/bin: exists and is writable.
  Directory /usr/local/lib64: exists and is writable.
  Directory /var/lib: exists and is writable.
  Directory /usr/local/lib64/rkhunter/scripts: creating: OK
  Directory /var/lib/rkhunter/db: creating: OK
  Directory /var/lib/rkhunter/tmp: creating: OK
  Directory /var/lib/rkhunter/db/i18n: creating: OK
  Directory /var/lib/rkhunter/db/signatures: creating: OK
 Installing check_modules.pl: OK
 Installing filehashsha.pl: OK
 Installing stat.pl: OK
 Installing readlink.sh: OK
 Installing backdoorports.dat: OK
 Installing mirrors.dat: OK
 Installing programs_bad.dat: OK
 Installing suspscan.dat: OK
 Installing rkhunter.8: OK
 Installing ACKNOWLEDGMENTS: OK
 Installing CHANGELOG: OK
 Installing FAQ: OK
 Installing LICENSE: OK
 Installing README: OK
 Installing language support files: OK
 Installing ClamAV signatures: OK
 Installing rkhunter: OK
 Installing rkhunter.conf: OK
Installation complete

Step 3: Updating Rkhunter

Run the RKH updater to fill the database properties by running the following command.

# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
Sample Output
[ Rootkit Hunter version 1.4.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ Updated ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

[ Rootkit Hunter version 1.4.2 ]
File created: searched for 174 files, found 137

Step 4: Setting Cronjob and Email Alerts

Create a file called rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and sends email notifications to your email id. Create following file with the help of your favourite editor.

# vi /etc/cron.daily/rkhunter.sh

Add the following lines of code to it and replace “YourServerNameHere” with your “Server Name” and “your@email.com” with your “Email Id“.

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

Set execute permission on the file.

# chmod 755 /etc/cron.daily/rkhunter.sh

Step 5: Manual Scan and Usage

To scan the entire file system, run the Rkhunter as a root user.

# rkhunter --check
Sample Output
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/local/bin/rkhunter                                  [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]
    /usr/sbin/fuser                                          [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/ifconfig                                       [ OK ]
    /usr/sbin/ifdown                                         [ Warning ]
    /usr/sbin/ifup                                           [ Warning ]
    /usr/sbin/init                                           [ OK ]
    /usr/sbin/insmod                                         [ OK ]
    /usr/sbin/ip                                             [ OK ]
    /usr/sbin/lsmod                                          [ OK ]
    /usr/sbin/lsof                                           [ OK ]
    /usr/sbin/modinfo                                        [ OK ]
    /usr/sbin/modprobe                                       [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rmmod                                          [ OK ]
    /usr/sbin/route                                          [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/runlevel                                       [ OK ]
    /usr/sbin/sestatus                                       [ OK ]
    /usr/sbin/sshd                                           [ OK ]
    /usr/sbin/sulogin                                        [ OK ]
    /usr/sbin/sysctl                                         [ OK ]
    /usr/sbin/tcpd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
....
[Press  to continue]


Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
.....

[Press  to continue]


  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ None found ]

....
[Press  to continue]


Checking the network...

  Performing checks on the network ports
    Checking for backdoor ports                              [ None found ]
....
  Performing system configuration file checks
    Checking for an SSH configuration file                   [ Found ]
    Checking if SSH root access is allowed                   [ Warning ]
    Checking if SSH protocol v1 is allowed                   [ Warning ]
    Checking for a running system logging daemon             [ Found ]
    Checking for a system logging configuration file         [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]
...
System checks summary
=====================

File properties checks...
    Files checked: 137
    Suspect files: 6

Rootkit checks...
    Rootkits checked : 383
    Possible rootkits: 0

Applications checks...
    Applications checked: 5
    Suspect applications: 2

The system checks took: 5 minutes and 38 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

The above command generates log file under /var/log/rkhunter.log with the checks results made by Rkhunter.

# cat /var/log/rkhunter.log
Sample Output
03:33:40] Running Rootkit Hunter version 1.4.2 on server
[03:33:40]
[03:33:40] Info: Start date is Tue May 31 03:33:40 EDT 2016
[03:33:40]
[03:33:40] Checking configuration file and command-line options...
[03:33:40] Info: Detected operating system is 'Linux'
[03:33:40] Info: Found O/S name: CentOS Linux release 7.2.1511 (Core) 
[03:33:40] Info: Command line is /usr/local/bin/rkhunter --check
[03:33:40] Info: Environment shell is /bin/bash; rkhunter is using bash
[03:33:40] Info: Using configuration file '/etc/rkhunter.conf'
[03:33:40] Info: Installation directory is '/usr/local'
[03:33:40] Info: Using language 'en'
[03:33:40] Info: Using '/var/lib/rkhunter/db' as the database directory
[03:33:40] Info: Using '/usr/local/lib64/rkhunter/scripts' as the support script directory
[03:33:40] Info: Using '/usr/lib64/qt-3.3/bin /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /bin /sbin /usr/libexec /usr/local/libexec' as the command directories
[03:33:40] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[03:33:40] Info: No mail-on-warning address configured
[03:33:40] Info: X will be automatically detected
[03:33:40] Info: Found the 'basename' command: /usr/bin/basename
[03:33:40] Info: Found the 'diff' command: /usr/bin/diff
[03:33:40] Info: Found the 'dirname' command: /usr/bin/dirname
[03:33:40] Info: Found the 'file' command: /usr/bin/file
[03:33:40] Info: Found the 'find' command: /usr/bin/find
[03:33:40] Info: Found the 'ifconfig' command: /usr/sbin/ifconfig
[03:33:40] Info: Found the 'ip' command: /usr/sbin/ip
...

For more information and options please run the following command.

# rkhunter --help

If you liked this article, then sharing is the right way to say thanks.

Source

How to Manage ‘Systemd’ Services and Units Using ‘Systemctl’ in Linux

Systemctl is a systemd utility which is responsible for Controlling the systemd system and service manager.

Systemd is a collection of system management daemons, utilities and libraries which serves as a replacement of System V init daemon. Systemd functions as central management and configuration platform for UNIX like system.

In the Linux Ecosystem Systemd has been implemented on most of the standard Linux Distribution with a few exception. Systemd is the parent Process of all other daemons oftenly but not always.

Manage Linux Services Using Systemctl

Manage Linux Services Using Systemctl

This article aims at throwing light on “How to control System and Services” on a system running systemd.

Starting with Systemtd and Systemctl Basics

1. First check if systemd is installed on your system or not and what is the version of currently installed Systemd?

# systemd --version

systemd 215
+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR

It’s clear from the above example, that we have systemd 215 version Installed.

2. Check where the binaries and libraries of systemd and systemctl are installed.

# whereis systemd 
systemd: /usr/lib/systemd /etc/systemd /usr/share/systemd /usr/share/man/man1/systemd.1.gz


# whereis systemctl
systemctl: /usr/bin/systemctl /usr/share/man/man1/systemctl.1.gz

3. Check whether systemd is running or not.

# ps -eaf | grep [s]ystemd

root         1     0  0 16:27 ?        00:00:00 /usr/lib/systemd/systemd --switched-root --system --deserialize 23
root       444     1  0 16:27 ?        00:00:00 /usr/lib/systemd/systemd-journald
root       469     1  0 16:27 ?        00:00:00 /usr/lib/systemd/systemd-udevd
root       555     1  0 16:27 ?        00:00:00 /usr/lib/systemd/systemd-logind
dbus       556     1  0 16:27 ?        00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

Notice: systemd is running as parent daemon (PID=1). In the above command ps with (-e) select all Processes, (-a) select all processes except session leaders and (-f) for full format listing (i.e. -eaf).

Also note the square brackets in the above example and rest of the examples to follow. Square Bracket expression is part of grep’s character class pattern matching.

4. Analyze systemd boot process.

# systemd-analyze
Startup finished in 487ms (kernel) + 2.776s (initrd) + 20.229s (userspace) = 23.493s

5. Analyze time taken by each process at boot.

# systemd-analyze blame

8.565s mariadb.service
7.991s webmin.service
6.095s postfix.service
4.311s httpd.service
3.926s firewalld.service
3.780s kdump.service
3.238s tuned.service
1.712s network.service
1.394s lvm2-monitor.service
1.126s systemd-logind.service
....

6. Analyze critical chain at boot.

# systemd-analyze critical-chain

The time after the unit is active or started is printed after the "@" character.
The time the unit takes to start is printed after the "+" character.

multi-user.target @20.222s
└─mariadb.service @11.657s +8.565s
  └─network.target @11.168s
    └─network.service @9.456s +1.712s
      └─NetworkManager.service @8.858s +596ms
        └─firewalld.service @4.931s +3.926s
          └─basic.target @4.916s
            └─sockets.target @4.916s
              └─dbus.socket @4.916s
                └─sysinit.target @4.905s
                  └─systemd-update-utmp.service @4.864s +39ms
                    └─auditd.service @4.563s +301ms
                      └─systemd-tmpfiles-setup.service @4.485s +69ms
                        └─rhel-import-state.service @4.342s +142ms
                          └─local-fs.target @4.324s
                            └─boot.mount @4.286s +31ms
                              └─systemd-fsck@dev-disk-by\x2duuid-79f594ad\x2da332\x2d4730\x2dbb5f\x2d85d19608096
                                └─dev-disk-by\x2duuid-79f594ad\x2da332\x2d4730\x2dbb5f\x2d85d196080964.device @4

Important: Systemctl accepts services (.service), mount point (.mount), sockets (.socket) and devices (.device) as units.

7. List all the available units.

# systemctl list-unit-files

UNIT FILE                                   STATE   
proc-sys-fs-binfmt_misc.automount           static  
dev-hugepages.mount                         static  
dev-mqueue.mount                            static  
proc-sys-fs-binfmt_misc.mount               static  
sys-fs-fuse-connections.mount               static  
sys-kernel-config.mount                     static  
sys-kernel-debug.mount                      static  
tmp.mount                                   disabled
brandbot.path                               disabled
.....

8. List all running units.

# systemctl list-units

UNIT                                        LOAD   ACTIVE SUB       DESCRIPTION
proc-sys-fs-binfmt_misc.automount           loaded active waiting   Arbitrary Executable File Formats File Syste
sys-devices-pc...0-1:0:0:0-block-sr0.device loaded active plugged   VBOX_CD-ROM
sys-devices-pc...:00:03.0-net-enp0s3.device loaded active plugged   PRO/1000 MT Desktop Adapter
sys-devices-pc...00:05.0-sound-card0.device loaded active plugged   82801AA AC'97 Audio Controller
sys-devices-pc...:0:0-block-sda-sda1.device loaded active plugged   VBOX_HARDDISK
sys-devices-pc...:0:0-block-sda-sda2.device loaded active plugged   LVM PV Qzyo3l-qYaL-uRUa-Cjuk-pljo-qKtX-VgBQ8
sys-devices-pc...0-2:0:0:0-block-sda.device loaded active plugged   VBOX_HARDDISK
sys-devices-pl...erial8250-tty-ttyS0.device loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS0
sys-devices-pl...erial8250-tty-ttyS1.device loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-pl...erial8250-tty-ttyS2.device loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-pl...erial8250-tty-ttyS3.device loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS3
sys-devices-virtual-block-dm\x2d0.device    loaded active plugged   /sys/devices/virtual/block/dm-0
sys-devices-virtual-block-dm\x2d1.device    loaded active plugged   /sys/devices/virtual/block/dm-1
sys-module-configfs.device                  loaded active plugged   /sys/module/configfs
...

9. List all failed units.

# systemctl --failed

UNIT          LOAD   ACTIVE SUB    DESCRIPTION
kdump.service loaded failed failed Crash recovery kernel arming

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

10. Check if a Unit (cron.service) is enabled or not?.

# systemctl is-enabled crond.service

enabled

11. Check whether a Unit or Service is running or not?.

# systemctl status firewalld.service

firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 2015-04-28 16:27:55 IST; 34min ago
 Main PID: 549 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─549 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 28 16:27:51 tecmint systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 28 16:27:55 tecmint systemd[1]: Started firewalld - dynamic firewall daemon.

Control and Manage Services Using Systemctl

12. List all services (including enabled and disabled).

# systemctl list-unit-files --type=service

UNIT FILE                                   STATE   
arp-ethers.service                          disabled
auditd.service                              enabled 
autovt@.service                             disabled
blk-availability.service                    disabled
brandbot.service                            static  
collectd.service                            disabled
console-getty.service                       disabled
console-shell.service                       disabled
cpupower.service                            disabled
crond.service                               enabled 
dbus-org.fedoraproject.FirewallD1.service   enabled 
....

13. How do I start, restart, stop, reload and check the status of a service (httpd.service) in Linux.

# systemctl start httpd.service
# systemctl restart httpd.service
# systemctl stop httpd.service
# systemctl reload httpd.service
# systemctl status httpd.service

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Tue 2015-04-28 17:21:30 IST; 6s ago
  Process: 2876 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 2881 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─2881 /usr/sbin/httpd -DFOREGROUND
           ├─2884 /usr/sbin/httpd -DFOREGROUND
           ├─2885 /usr/sbin/httpd -DFOREGROUND
           ├─2886 /usr/sbin/httpd -DFOREGROUND
           ├─2887 /usr/sbin/httpd -DFOREGROUND
           └─2888 /usr/sbin/httpd -DFOREGROUND

Apr 28 17:21:30 tecmint systemd[1]: Starting The Apache HTTP Server...
Apr 28 17:21:30 tecmint httpd[2881]: AH00558: httpd: Could not reliably determine the server's fully q...ssage
Apr 28 17:21:30 tecmint systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.

Note: When we use commands like startrestartstop and reload with systemctl, we will not get any output on the terminal, only status command will print the output.

14. How to active a service and enable or disable a service at boot time (auto start service at system boot).

# systemctl is-active httpd.service
# systemctl enable httpd.service
# systemctl disable httpd.service

15. How to mask (making it impossible to start) or unmask a service (httpd.service).

# systemctl mask httpd.service
ln -s '/dev/null' '/etc/systemd/system/httpd.service'

# systemctl unmask httpd.service
rm '/etc/systemd/system/httpd.service'

16. How to a Kill a service using systemctl command.

# systemctl kill httpd
# systemctl status httpd

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: failed (Result: exit-code) since Tue 2015-04-28 18:01:42 IST; 28min ago
 Main PID: 2881 (code=exited, status=0/SUCCESS)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"

Apr 28 17:37:29 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 17:37:29 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 17:37:39 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 17:37:39 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 17:37:49 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 17:37:49 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 17:37:59 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 17:37:59 tecmint systemd[1]: httpd.service: Got notification message from PID 2881, but recepti...bled.
Apr 28 18:01:42 tecmint systemd[1]: httpd.service: control process exited, code=exited status=226
Apr 28 18:01:42 tecmint systemd[1]: Unit httpd.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.

Control and Manage Mount Points using Systemctl

17. List all system mount points.

# systemctl list-unit-files --type=mount

UNIT FILE                     STATE   
dev-hugepages.mount           static  
dev-mqueue.mount              static  
proc-sys-fs-binfmt_misc.mount static  
sys-fs-fuse-connections.mount static  
sys-kernel-config.mount       static  
sys-kernel-debug.mount        static  
tmp.mount                     disabled

18. How do I mount, unmount, remount, reload system mount points and also check the status of mount points on the system.

# systemctl start tmp.mount
# systemctl stop tmp.mount
# systemctl restart tmp.mount
# systemctl reload tmp.mount
# systemctl status tmp.mount

tmp.mount - Temporary Directory
   Loaded: loaded (/usr/lib/systemd/system/tmp.mount; disabled)
   Active: active (mounted) since Tue 2015-04-28 17:46:06 IST; 2min 48s ago
    Where: /tmp
     What: tmpfs
     Docs: man:hier(7)
           http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
  Process: 3908 ExecMount=/bin/mount tmpfs /tmp -t tmpfs -o mode=1777,strictatime (code=exited, status=0/SUCCESS)

Apr 28 17:46:06 tecmint systemd[1]: Mounting Temporary Directory...
Apr 28 17:46:06 tecmint systemd[1]: tmp.mount: Directory /tmp to mount over is not empty, mounting anyway.
Apr 28 17:46:06 tecmint systemd[1]: Mounted Temporary Directory.

19. How to active, enable or disable a mount point at boot time (auto mount at system boot).

# systemctl is-active tmp.mount
# systemctl enable tmp.mount
# systemctl disable  tmp.mount

20. How to mask (making it impossible to start) or unmask a mount points in Linux.

# systemctl mask tmp.mount

ln -s '/dev/null' '/etc/systemd/system/tmp.mount'

# systemctl unmask tmp.mount

rm '/etc/systemd/system/tmp.mount'

Control and Manage Sockets using Systemctl

21. List all available system sockets.

# systemctl list-unit-files --type=socket

UNIT FILE                    STATE   
dbus.socket                  static  
dm-event.socket              enabled 
lvm2-lvmetad.socket          enabled 
rsyncd.socket                disabled
sshd.socket                  disabled
syslog.socket                static  
systemd-initctl.socket       static  
systemd-journald.socket      static  
systemd-shutdownd.socket     static  
systemd-udevd-control.socket static  
systemd-udevd-kernel.socket  static  

11 unit files listed.

22. How do I start, restart, stop, reload and check the status of a socket (example: cups.socket) in Linux.

# systemctl start cups.socket
# systemctl restart cups.socket
# systemctl stop cups.socket
# systemctl reload cups.socket
# systemctl status cups.socket

cups.socket - CUPS Printing Service Sockets
   Loaded: loaded (/usr/lib/systemd/system/cups.socket; enabled)
   Active: active (listening) since Tue 2015-04-28 18:10:59 IST; 8s ago
   Listen: /var/run/cups/cups.sock (Stream)

Apr 28 18:10:59 tecmint systemd[1]: Starting CUPS Printing Service Sockets.
Apr 28 18:10:59 tecmint systemd[1]: Listening on CUPS Printing Service Sockets.

23. How to active a socket and enable or disable at boot time (auto start socket at system boot).

# systemctl is-active cups.socket
# systemctl enable cups.socket
# systemctl disable cups.socket

24. How to mask (making it impossible to start) or unmask a socket (cups.socket).

# systemctl mask cups.socket
ln -s '/dev/null' '/etc/systemd/system/cups.socket'

# systemctl unmask cups.socket
rm '/etc/systemd/system/cups.socket'

CPU Utilization (Shares) of a Service

25. Get the current CPU Shares of a Service (say httpd).

# systemctl show -p CPUShares httpd.service

CPUShares=1024

Note: The default each service has a CPUShare = 1024. You may increase/decrease CPU share of a process.

26. Limit the CPU Share of a service (httpd.service) to 2000 CPUShares/

# systemctl set-property httpd.service CPUShares=2000
# systemctl show -p CPUShares httpd.service

CPUShares=2000

Note: When you set CPUShare for a service, a directory with the name of service is created (httpd.service.d) which contains a file 90-CPUShares.conf which contains the CPUShare Limit information. You may view the file as:

# vi /etc/systemd/system/httpd.service.d/90-CPUShares.conf 

[Service]
CPUShares=2000        

27. Check all the configuration details of a service.

# systemctl show httpd

Id=httpd.service
Names=httpd.service
Requires=basic.target
Wants=system.slice
WantedBy=multi-user.target
Conflicts=shutdown.target
Before=shutdown.target multi-user.target
After=network.target remote-fs.target nss-lookup.target systemd-journald.socket basic.target system.slice
Description=The Apache HTTP Server
LoadState=loaded
ActiveState=active
SubState=running
FragmentPath=/usr/lib/systemd/system/httpd.service
....

28. Analyze critical chain for a services(httpd).

# systemd-analyze critical-chain httpd.service

The time after the unit is active or started is printed after the "@" character.
The time the unit takes to start is printed after the "+" character.

httpd.service +142ms
└─network.target @11.168s
  └─network.service @9.456s +1.712s
    └─NetworkManager.service @8.858s +596ms
      └─firewalld.service @4.931s +3.926s
        └─basic.target @4.916s
          └─sockets.target @4.916s
            └─dbus.socket @4.916s
              └─sysinit.target @4.905s
                └─systemd-update-utmp.service @4.864s +39ms
                  └─auditd.service @4.563s +301ms
                    └─systemd-tmpfiles-setup.service @4.485s +69ms
                      └─rhel-import-state.service @4.342s +142ms
                        └─local-fs.target @4.324s
                          └─boot.mount @4.286s +31ms
                            └─systemd-fsck@dev-disk-by\x2duuid-79f594ad\x2da332\x2d4730\x2dbb5f\x2d85d196080964.service @4.092s +149ms
                              └─dev-disk-by\x2duuid-79f594ad\x2da332\x2d4730\x2dbb5f\x2d85d196080964.device @4.092s

29. Get a list of dependencies for a services (httpd).

# systemctl list-dependencies httpd.service

httpd.service
├─system.slice
└─basic.target
  ├─firewalld.service
  ├─microcode.service
  ├─rhel-autorelabel-mark.service
  ├─rhel-autorelabel.service
  ├─rhel-configure.service
  ├─rhel-dmesg.service
  ├─rhel-loadmodules.service
  ├─paths.target
  ├─slices.target
  │ ├─-.slice
  │ └─system.slice
  ├─sockets.target
  │ ├─dbus.socket
....

30. List control groups hierarchically.

# systemd-cgls

├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 23
├─user.slice
│ └─user-0.slice
│   └─session-1.scope
│     ├─2498 sshd: root@pts/0    
│     ├─2500 -bash
│     ├─4521 systemd-cgls
│     └─4522 systemd-cgls
└─system.slice
  ├─httpd.service
  │ ├─4440 /usr/sbin/httpd -DFOREGROUND
  │ ├─4442 /usr/sbin/httpd -DFOREGROUND
  │ ├─4443 /usr/sbin/httpd -DFOREGROUND
  │ ├─4444 /usr/sbin/httpd -DFOREGROUND
  │ ├─4445 /usr/sbin/httpd -DFOREGROUND
  │ └─4446 /usr/sbin/httpd -DFOREGROUND
  ├─polkit.service
  │ └─721 /usr/lib/polkit-1/polkitd --no-debug
....

31. List control group according to CPU, memory, Input and Output.

# systemd-cgtop

Path                                                              Tasks   %CPU   Memory  Input/s Output/s

/                                                                    83    1.0   437.8M        -        -
/system.slice                                                         -    0.1        -        -        -
/system.slice/mariadb.service                                         2    0.1        -        -        -
/system.slice/tuned.service                                           1    0.0        -        -        -
/system.slice/httpd.service                                           6    0.0        -        -        -
/system.slice/NetworkManager.service                                  1      -        -        -        -
/system.slice/atop.service                                            1      -        -        -        -
/system.slice/atopacct.service                                        1      -        -        -        -
/system.slice/auditd.service                                          1      -        -        -        -
/system.slice/crond.service                                           1      -        -        -        -
/system.slice/dbus.service                                            1      -        -        -        -
/system.slice/firewalld.service                                       1      -        -        -        -
/system.slice/lvm2-lvmetad.service                                    1      -        -        -        -
/system.slice/polkit.service                                          1      -        -        -        -
/system.slice/postfix.service                                         3      -        -        -        -
/system.slice/rsyslog.service                                         1      -        -        -        -
/system.slice/system-getty.slice/getty@tty1.service                   1      -        -        -        -
/system.slice/systemd-journald.service                                1      -        -        -        -
/system.slice/systemd-logind.service                                  1      -        -        -        -
/system.slice/systemd-udevd.service                                   1      -        -        -        -
/system.slice/webmin.service                                          1      -        -        -        -
/user.slice/user-0.slice/session-1.scope                              3      -        -        -        -

Control System Runlevels

32. How to start system rescue mode.

# systemctl rescue

Broadcast message from root@tecmint on pts/0 (Wed 2015-04-29 11:31:18 IST):

The system is going down to rescue mode NOW!

33. How to enter into emergency mode.

# systemctl emergency

Welcome to emergency mode! After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" to try again
to boot into default mode.

34. List current run levels in use.

# systemctl get-default

multi-user.target

35. How to start Runlevel 5 aka graphical mode.

# systemctl isolate runlevel5.target
OR
# systemctl isolate graphical.target

36. How to start Runlevel 3 aka multiuser mode (commandline).

# systemctl isolate runlevel3.target
OR
# systemctl isolate multiuser.target

36. How to set multiusermode or graphical mode as default runlevel.

# systemctl set-default runlevel3.target

# systemctl set-default runlevel5.target

37. How to reboot, halt, suspend, hibernate or put system in hybrid-sleep.

# systemctl reboot

# systemctl halt

# systemctl suspend

# systemctl hibernate

# systemctl hybrid-sleep

For those who may not be aware of runlevels and what it does.

  1. Runlevel 0 : Shut down and Power off the system.
  2. Runlevel 1 : Rescue?Maintainance Mode.
  3. Runlevel 3 : multiuser, no-graphic system.
  4. Runlevel 4 : multiuser, no-graphic system.
  5. Runlevel 5 : multiuser, graphical system.
  6. Runlevel 6 : Shutdown and Reboot the machine.

That’s all for now. Keep connected! Keep commenting. Don’t forget to provide us with your valuable feedback in the comments below. Like and share us and help us get spread.

Source

ONLYOFFICE – A Complete Web-based Office and Productivity Suite to Increase Your Team Efficiency

ONLYOFFICE is an office and productivity suite developed to provide an open source alternative to Microsoft Office 365 and Google Apps. Three main components are connected to build a whole corporate platform:

ONLYOFFICE Document Server offers text, spreadsheet and presentation editors compatible with MS Office and OpenDocument file formats, among others.

It works within a browser and allows you to create and co-edit documents choosing one of the co-editing modes: Fast (shows the changes made by co-editors in real-time) or Strict (hides other user changes until you save your own changes and accept the changes made by others). Commenting, tracking changes and built-in chat are also available.

ONLYOFFICE Community Server comes with mail client, document management tools, projects, CRM, calendar, and community with blogs, forums, and wiki.

ONLYOFFICE Mail Server, developed on the base of the iRedMail, is used to create and manage mailboxes using your own domain name.

ONLYOFFICE has recently updated its two main components: Document Server v. 4.0.0 and Community Server v.8.9.0 adding some features listed below:

ONLYOFFICE Document Server v.4.0.0

  1. fast real-time co-editing like in Google Docs
  2. commenting
  3. integrated chat
  4. reviewing and tracking changes
  5. version history
  6. text art for text, spreadsheets and presentations
  7. adding, removing and modifying the available styles.

ONLYOFFICE Community Server v.8.9.0

  1. review access rights for documents
  2. mail and calendar integration allowing to:
    1. invite any Internet user to your event and notify them about the changes
    2. get invitations from other calendars and accept or reject them.
  3. address book for personal contacts
  4. mail auto-reply

Installing ONLYOFFICE in Linux

You can deploy the latest stable version of ONLYOFFICE using the official Docker script. It allows you to install the whole system on a single machine avoiding the dependency errors.

In general, each ONLYOFFICE component requires some dependencies to be installed on your Linux machine. With Docker, only one dependency is needed – Docker v.1.10 or later.

There are also DEB and RPM packages available for ONLYOFFICE at: http://www.onlyoffice.com/download.aspx

Before you go ahead, please check if your machine meets the ONLYOFFICE hardware and software requirements:

ONLYOFFICE Hardware Requirements

  1. CPU: dual-core 2 GHz or better
  2. RAM: 6 GB or more
  3. HDD at least 40 GB of free space
  4. Swap at least 8 GB

Important: Please note that the size requirement for a server to run ONLYOFFICE depends on the components you need and how much documents and mails you plan to store.

6 GB of RAM is necessary for the efficient work of the whole system: Document ServerMail Server and Community Server.

To install it without mail server, 2 GB of RAM will be enough, given the necessary amount of swap is available.

ONLYOFFICE Software Requirements

  1. OS: amd64 Linux distributive with kernel version 3.10 or later
  2. Docker: version 1.10 or later (to install it, refer to the official Docker documentation)

Let’s proceed further to install ONLYOFFICE in Linux distributions.

Step 1. Download ONLYOFFICE Docker script file.

# wget http://download.onlyoffice.com/install/opensource-install.sh

Step 2. Run the complete ONLYOFFICE installation.

Important: Please note that to perform this action you must be logged in with root rights.

# bash opensource-install.sh -md "yourdomain.com"

Where yourdomain.com is your own domain used for Mail Server.

To install ONLYOFFICE without mail server, run the following command:

# bash opensource-install.sh -ims false

Getting started with ONLYOFFICE

Step 3. Enter the IP address of your server to your browser to open ONLYOFFICE. The portal start up and initialization processes will start. Once completed, the Wizard page will open:

ONLYOFFICE Installation Wizard

ONLYOFFICE Installation Wizard

Step 4. Configure your web office by adding your email, password and its confirmation to use them next time to access ONLYOFFICE. Select the language and time zone (you will be able to change it later in Settings section. Click Continue.

Configure ONLYOFFICE Modules

Configure ONLYOFFICE Modules

Step 5. Invite your team member by going to the People module using the corresponding icon. Click the Create New button in the left upper corner, select the User option from the drop-down list. Fill in the required fields and click the Save button.

Add New Users to ONLYOFFICE

Add New Users to ONLYOFFICE

The invitation message will be sent to your team member. Following the link provided in this email, he/she will be able to join your web office.

Conclusion

ONLYOFFICE is a feature-rich productivity suite that helps to organize every step of your teamwork without switching between different applications.

The Docker script made it easy to deploy and run your web office on any Linux machine allowing to avoid common dependency errors and installation issues.

Source

How to Install and Configure Ansible on Ubuntu 18.04

Introduction

Configuration management systems are designed to make controlling large numbers of servers easy for administrators and operations teams. They allow you to control many different systems in an automated way from one central location.

While there are many popular configuration management systems available for Linux systems, such as Chef and Puppet, these are often more complex than many people want or need. Ansible is a great alternative to these options because it requires a much smaller overhead to get started.

In this guide, we will discuss how to install Ansible on an Ubuntu 18.04 server and go over some basics of how to use the software.

How Does Ansible Work?

Ansible works by configuring client machines from a computer that has the Ansible components installed and configured.

It communicates over normal SSH channels to retrieve information from remote machines, issue commands, and copy files. Because of this, an Ansible system does not require any additional software to be installed on the client computers.

This is one way that Ansible simplifies the administration of servers. Any server that has an SSH port exposed can be brought under Ansible’s configuration umbrella, regardless of what stage it is at in its life cycle. This means that any computer that you can administer through SSH, you can also administer through Ansible.

Ansible takes on a modular approach, making it easy to extend to use the functionalities of the main system to deal with specific scenarios. Modules can be written in any language and communicate in standard JSON.

Configuration files are mainly written in the YAML data serialization format due to its expressive nature and its similarity to popular markup languages. Ansible can interact with hosts either through command line tools or its configuration scripts, which are known as Playbooks.

Prerequisites

To follow this tutorial, you will need:

  • Two or more Ubuntu 18.04 servers. One of these will be used as your Ansible server, while the remainder will be used as your Ansible hosts. Each should have a non-root user with sudo privileges and a basic firewall configured. You can set this up by following our Initial Server Setup Guide for Ubuntu 18.04. Please note that the examples throughout this guide specify three Ansible hosts, but the commands and configurations shown can be adjusted for any number of clients.
  • SSH keys generated for the non-root user on your Ansible server. To do this, follow Step 1 of our guide on How to Set Up SSH Keys on Ubuntu 18.04. For the purposes of this tutorial, you can save the key pair to the default location (~/.ssh/id_rsa) and you do not need to password-protect it.

Step 1 — Installing Ansible

To begin using Ansible as a means of managing your various servers, you need to install the Ansible software on at least one machine.

To get the latest version of Ansible for Ubuntu, you can add the project’s PPA (personal package archive) to your system. Before doing this, though, you should first ensure that you have the software-properties-common package installed. This software will make it easier to manage this and other independent software repositories:

  • sudo apt update
  • sudo apt install software-properties-common

Then add the Ansible PPA by typing the following command:

  • sudo apt-add-repository ppa:ansible/ansible

Press ENTER to accept the PPA addition.

Next, refresh your system’s package index once again so that it is aware of the packages available in the PPA:

  • sudo apt update

Following this update, you can install the Ansible software:

  • sudo apt install ansible

Your Ansible server now has all of the software required to administer your hosts.

Step 2 — Configuring SSH Access to the Ansible Hosts

As mentioned previously, Ansible primarily communicates with client computers through SSH. While it certainly has the ability to handle password-based SSH authentication, using SSH keys can help to keep things simple.

On your Ansible server, use the cat command to print the contents of your non-root user’s SSH public key file to the terminal’s output:

  • cat ~/.ssh/id_rsa.pub

Copy the resulting output to your clipboard, then open a new terminal and connect to one of your Ansible hosts using SSH:

  • ssh sammy@ansible_host_ip

Switch to the client machine’s root user:

  • su –

As the root user, open the authorized_keys within the ~/.ssh directory:

  • nano ~/.ssh/authorized_keys

In the file, paste your Ansible server user’s SSH key, then save the file and close the editor (press CTRL + XY, then ENTER). Then run the exit command to return to the host’s non-root user:

  • exit

Lastly, because Ansible uses a python interpreter located at /usr/bin/python to run its modules, you’ll need to install Python 2 on the host in order for Ansible to communicate with it. Run the following commands to update the host’s package index and install the python package:

  • sudo apt update
  • sudo apt install python

Following this, you can run the exit command once again to close the connection to the client:

  • exit

Repeat this process for each server you intend to control with your Ansible server. Next, we’ll configure the Ansible server to connect to these hosts using Ansible’s hosts file.

Step 3 — Setting Up Ansible Hosts

Ansible keeps track of all of the servers that it knows about through a hosts file. We need to set up this file first before we can begin to communicate with our other computers.

Open the file with sudo privileges, like this:

  • sudo nano /etc/ansible/hosts

Inside the file, you will see a number of example configurations that have been commented out (with a #preceding each line). These examples won’t actually work for us since the hosts listed in each one are made up. We will, however, keep these examples in the file to help us with configuration if we want to implement more complex scenarios in the future.

The hosts file is fairly flexible and can be configured in a few different ways. The syntax we are going to use, though, looks like this:

[group_name]
alias ansible_host=your_server_ip

Note: With the release of Ansible version 2.0, the configuration variable ansible_host replaced the original variable, ansible_ssh_host. If you’re using an older version of Ansible, you should use the older, longer variable.

In this example, group_name is an organizational tag that lets you refer to any servers listed under it with one word, while alias is just a name to refer to one specific server.

So, in our scenario, we are imagining that we have three servers we are going to control with Ansible. At this point, these servers are accessible from the Ansible server by typing:

  • ssh root@ansible_host_ip

You should not be prompted for a password if you have set this up correctly. For the purpose of demonstration, we will assume that our hosts’ IP addresses are 203.0.113.1203.0.113.2, and 203.0.113.3. We will set this up so that we can refer to these individually as host1host2, and host3, or as a group with the name servers.

This is the block that we should add to our hosts file to accomplish this:

/etc/ansible/hosts
[servers]
host1 ansible_host=203.0.113.1
host2 ansible_host=203.0.113.2
host3 ansible_host=203.0.113.3

Hosts can be in multiple groups and groups can configure parameters for all of their members. Let’s try this out now.

With our current settings, if we tried to connect to any of these hosts with Ansible, the command would fail (assuming you are not operating as the root user). This is because your SSH key is embedded for the rootuser on the remote systems and Ansible will by default try to connect as your current user. A connection attempt will get this error:

Output
host1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh.",
    "unreachable": true
}

On the Ansible server, we’re using a user called sammy. Ansible will try to connect to each host with ssh sammy@server. This will not work if the sammy user is not on the remote system as well.

We can create a file that tells all of the servers in the “servers” group to connect as the root user.

To do this, we will create a directory in the Ansible configuration structure called group_vars. Within this folder, we can create YAML-formatted files for each group we want to configure:

  • sudo mkdir /etc/ansible/group_vars
  • sudo nano /etc/ansible/group_vars/servers

YAML files start with “—“, so make sure you don’t forget that part.

/etc/ansible/group_vars/servers
---
ansible_user: root

Note: Similar to the ansible_host variable, ansible_user replaced the variable ansible_ssh_user with the release of version 2.0. If you’re using an older version of Ansible than 2.0, be sure to use the older, longer variable.

Save and close this file when you are finished.

If you want to specify configuration details for every server, regardless of group association, you can put those details in a file at /etc/ansible/group_vars/all. Individual hosts can be configured by creating files named after their alias under a directory at /etc/ansible/host_vars.

Step 4 — Using Simple Ansible Commands

Now that we have our hosts set up and enough configuration details to allow us to successfully connect to our hosts, we can try out our very first command.

Ping all of the servers you configured by typing:

  • ansible -m ping all
Ping output
host1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

host3 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

host2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

This is a basic test to make sure that Ansible has a connection to all of its hosts.

The all means all hosts. We could just as easily specify a group:

  • ansible -m ping servers

We could also specify an individual host:

  • ansible -m ping host1

We can specify multiple hosts by separating them with colons:

  • ansible -m ping host1:host2

The -m ping portion of the command is an instruction to Ansible to use the “ping” module. These are basically commands that you can run on your remote hosts. The ping module operates in many ways like the normal ping utility in Linux, but instead it checks for Ansible connectivity.

The ping module doesn’t really take any arguments, but we can try another command to see how that works. We pass arguments into a script by typing -a.

The “shell” module lets us send a terminal command to the remote host and retrieve the results. For instance, to find out the memory usage on our host1 machine, we could use:

  • ansible -m shell -a ‘free -m’ host1
Shell output
host1 | SUCCESS | rc=0 >>
             total       used       free     shared    buffers     cached
Mem:          3954        227       3726          0         14         93
-/+ buffers/cache:        119       3834
Swap:            0          0          0

With that, your Ansible server configured and you can successfully communicate and control your hosts.

Conclusion

In this tutorial, we have configured Ansible and verified that it can communicate with each host. We have also used the ansible command to execute simple tasks remotely.

Although this is useful, we have not covered the most powerful feature of Ansible in this article: Playbooks. Ansible Playbooks are a powerful, simple way to manage server configurations and multi-machine deployments. For an introduction to Playbooks, see this guide. Additionally, we encourage you to check out the official Ansible documentation to learn more about the tool.

Source

WP2Social Auto Publish Powered By : XYZScripts.com