{"id":13528,"date":"2019-04-03T07:50:54","date_gmt":"2019-04-03T07:50:54","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13528"},"modified":"2019-04-03T07:50:54","modified_gmt":"2019-04-03T07:50:54","slug":"rhce-red-hat-certified-engineer","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/03\/rhce-red-hat-certified-engineer\/","title":{"rendered":"RHCE (Red Hat Certified Engineer)"},"content":{"rendered":"

RHCE Series: How to Setup and Test Static Network Routing \u2013 Part 1<\/h1>\n

RHCE<\/strong>\u00a0(Red Hat Certified Engineer<\/strong>) is a certification from Red Hat company, which gives an open source operating system and software to the enterprise community, It also gives training, support and consulting services for the companies.<\/p>\n

\n

\"RHCE<\/a><\/p>\n

RHCE Exam Preparation Guide<\/p>\n<\/div>\n

This\u00a0RHCE<\/strong>\u00a0(Red Hat Certified Engineer<\/strong>) is a performance-based exam (codename\u00a0EX300<\/strong>), who possesses the additional skills, knowledge, and abilities required of a senior system administrator responsible for Red Hat Enterprise Linux (RHEL) systems.<\/p>\n

Important<\/strong>:\u00a0Red Hat Certified System Administrator<\/a>\u00a0(RHCSA) certification is required to earn\u00a0RHCE<\/strong>\u00a0certification.<\/p>\n

Following are the exam objectives based on the\u00a0Red Hat Enterprise Linux 7<\/strong>\u00a0version of the exam, which will going to cover in this RHCE series:<\/p>\n

Part 1<\/b>:\u00a0How to Setup and Test Static Routing in RHEL 7<\/b><\/div>\n
Part 2<\/b>:\u00a0How to Perform Packet Filtering, Network Address Translation and Set Kernel Runtime Parameters<\/a><\/div>\n
Part 3<\/b>:\u00a0How to Produce and Deliver System Activity Reports Using Linux Toolsets<\/a><\/div>\n
Part 4<\/b>:\u00a0Using Shell Scripting to Automate Linux System Maintenance Tasks<\/a><\/div>\n
Part 5<\/b>:\u00a0How to Manage System Logs (Configure, Rotate and Import Into Database) in RHEL 7<\/a><\/div>\n
Part 6<\/b>:\u00a0Setting Up Samba and Configure FirewallD and SELinux to Allow File Sharing on Clients<\/a><\/div>\n
Part 7<\/b>:\u00a0Setting Up NFS Server with Kerberos-based Authentication for Linux Clients<\/a><\/div>\n
Part 8<\/b>:\u00a0Implementing HTTPS through TLS using Network Security Service (NSS) for Apache<\/a><\/div>\n
Part 9<\/b>:\u00a0How to Setup Postfix Mail Server (SMTP) using null-client Configuration<\/a><\/div>\n
Part 10<\/b>:\u00a0Install and Configure Caching-Only DNS Server in RHEL\/CentOS 7<\/a><\/div>\n
Part 11<\/b>:\u00a0Setup and Configure Network Bonding or Teaming in RHEL\/CentOS 7<\/a><\/div>\n
Part 12<\/b>:\u00a0Create Centralized Secure Storage using iSCSI Target \/ Initiator on RHEL\/CentOS 7<\/a><\/div>\n
Part 13<\/b>:\u00a0Setting Up \u201cNTP (Network Time Protocol) Server\u201d in RHEL\/CentOS 7<\/a><\/div>\n
<\/div>\n

To view fees and register for an exam in your country, check the\u00a0RHCE Certification<\/a>\u00a0page.<\/p>\n

In this\u00a0Part 1<\/strong>\u00a0of the\u00a0RHCE<\/strong>\u00a0series and the next, we will present basic, yet typical, cases where the principles of static routing, packet filtering, and network address translation come into play.<\/p>\n

\n

\"Setup<\/a><\/p>\n

RHCE: Setup and Test Network Static Routing \u2013 Part 1<\/p>\n<\/div>\n

Please note that we will not cover them in depth, but rather organize these contents in such a way that will be helpful to take the first steps and build from there.<\/p>\n

Static Routing in Red Hat Enterprise Linux 7<\/h3>\n

One of the wonders of modern networking is the vast availability of devices that can connect groups of computers, whether in relatively small numbers and confined to a single room or several machines in the same building, city, country, or across continents.<\/p>\n

However, in order to effectively accomplish this in any situation, network packets need to be routed, or in other words, the path they follow from source to destination must be ruled somehow.<\/p>\n

Static routing is the process of specifying a route for network packets other than the default, which is provided by a network device known as the default gateway. Unless specified otherwise through static routing, network packets are directed to the default gateway; with static routing, other paths are defined based on predefined criteria, such as the packet destination.<\/p>\n

Let us define the following scenario for this tutorial. We have a Red Hat Enterprise Linux 7 box connecting to router\u00a0#1 [192.168.0.1]<\/strong>\u00a0to access the Internet and machines in\u00a0192.168.0.0\/24<\/strong>.<\/p>\n

A second router\u00a0(router #2)<\/strong>\u00a0has two network interface cards:\u00a0enp0s3<\/strong>\u00a0is also connected to\u00a0router #1<\/strong>\u00a0to access the Internet and to communicate with the RHEL 7 box and other machines in the same network, whereas the other (enp0s8<\/strong>) is used to grant access to the\u00a010.0.0.0\/24<\/strong>\u00a0network where internal services reside, such as a web and \/ or database server.<\/p>\n

This scenario is illustrated in the diagram below:<\/p>\n

\n

\"Static<\/a><\/p>\n

Static Routing Network Diagram<\/p>\n<\/div>\n

In this article we will focus exclusively on setting up the routing table on our\u00a0RHEL 7<\/strong>\u00a0box to make sure that it can both access the Internet through\u00a0router #1<\/strong>\u00a0and the internal network via\u00a0router #2<\/strong>.<\/p>\n

In\u00a0RHEL 7<\/strong>, you will use the\u00a0ip command<\/a>\u00a0to configure and show devices and routing using the command line. These changes can take effect immediately on a running system but since they are not persistent across reboots, we will use\u00a0ifcfg-enp0sX<\/strong>\u00a0and\u00a0route-enp0sX<\/strong>\u00a0files inside\u00a0\/etc\/sysconfig\/network-scripts<\/strong>\u00a0to save our configuration permanently.<\/p>\n

To begin, let\u2019s print our current routing table:<\/p>\n

# ip route show\r\n<\/pre>\n
\n
\"Check<\/a><\/p>\n
Check Current Routing Table<\/p>\n<\/div>\n
From the output above, we can see the following facts:<\/p>\n
    \n
  1. The default gateway\u2019s IP address is\u00a0192.168.0.1<\/strong>\u00a0and can be accessed via the\u00a0enp0s3<\/strong>\u00a0NIC.<\/li>\n
  2. When the system booted up, it enabled the zeroconf route to\u00a0169.254.0.0\/16<\/strong>\u00a0(just in case). In few words, if a machine is set to obtain an IP address through DHCP but fails to do so for some reason, it is automatically assigned an address in this network. Bottom line is, this route will allow us to communicate, also via\u00a0enp0s3<\/strong>, with other machines who have failed to obtain an IP address from a DHCP server.<\/li>\n
  3. Last, but not least, we can communicate with other boxes inside the\u00a0192.168.0.0\/24<\/strong>\u00a0network through\u00a0enp0s3<\/strong>, whose IP address is\u00a0192.168.0.18<\/strong>.<\/li>\n<\/ol>\n
    These are the typical tasks that you would have to perform in such a setting. Unless specified otherwise, the following tasks should be performed in\u00a0router #2<\/strong>:<\/p>\n
    Make sure all NICs have been properly installed:<\/p>\n
    # ip link show\r\n<\/pre>\n
    If one of them is down, bring it up:<\/p>\n
    # ip link set dev enp0s8 up\r\n<\/pre>\n
    and assign an IP address in the\u00a010.0.0.0\/24<\/strong>\u00a0network to it:<\/p>\n
    # ip addr add 10.0.0.17 dev enp0s8\r\n<\/pre>\n
    Oops! We made a mistake in the IP address. We will have to remove the one we assigned earlier and then add the right one (10.0.0.18<\/strong>):<\/p>\n
    # ip addr del 10.0.0.17 dev enp0s8\r\n# ip addr add 10.0.0.18 dev enp0s8\r\n<\/pre>\n
    Now, please note that you can only add a route to a destination network through a gateway that is itself already reachable. For that reason, we need to assign an IP address within the\u00a0192.168.0.0\/24<\/strong>\u00a0range to\u00a0enp0s3<\/strong>\u00a0so that our RHEL 7 box can communicate with it:<\/p>\n
    # ip addr add 192.168.0.19 dev enp0s3\r\n<\/pre>\n
    Finally, we will need to enable packet forwarding:<\/p>\n
    # echo \"1\" > \/proc\/sys\/net\/ipv4\/ip_forward\r\n<\/pre>\n
    and stop \/ disable (just for the time being \u2013 until we cover packet filtering in the next article) the firewall:<\/p>\n
    # systemctl stop firewalld\r\n# systemctl disable firewalld\r\n<\/pre>\n
    Back in our\u00a0RHEL 7<\/strong>\u00a0box (192.168.0.18<\/strong>), let\u2019s configure a route to\u00a010.0.0.0\/24<\/strong>\u00a0through\u00a0192.168.0.19<\/strong>\u00a0(enp0s3<\/strong>\u00a0in\u00a0router #2<\/strong>):<\/p>\n
    # ip route add 10.0.0.0\/24 via 192.168.0.19\r\n<\/pre>\n
    After that, the routing table looks as follows:<\/p>\n
    # ip route show\r\n<\/pre>\n
    \n
    \"Show<\/a><\/p>\n
    Confirm Network Routing Table<\/p>\n<\/div>\n
    Likewise, add the corresponding route in the machine(s) you\u2019re trying to reach in\u00a010.0.0.0\/24<\/strong>:<\/p>\n
    # ip route add 192.168.0.0\/24 via 10.0.0.18\r\n<\/pre>\n
    You can test for basic connectivity using\u00a0ping<\/strong>:<\/p>\n
    In the\u00a0RHEL 7<\/strong>\u00a0box, run<\/p>\n
    # ping -c 4 10.0.0.20\r\n<\/pre>\n
    where\u00a010.0.0.20<\/strong>\u00a0is the IP address of a web server in the\u00a010.0.0.0\/24<\/strong>\u00a0network.<\/p>\n
    In the web server (10.0.0.20<\/strong>), run<\/p>\n
    # ping -c 192.168.0.18\r\n<\/pre>\n
    where\u00a0192.168.0.18<\/strong>\u00a0is, as you will recall, the IP address of our RHEL 7 machine.<\/p>\n
    Alternatively, we can use\u00a0tcpdump<\/a>\u00a0(you may need to install it with\u00a0yum install tcpdump<\/strong>) to check the 2-way communication over TCP between our RHEL 7 box and the web server at\u00a010.0.0.20<\/strong>.<\/p>\n
    To do so, let\u2019s start the logging in the first machine with:<\/p>\n
    # tcpdump -qnnvvv -i enp0s3 host 10.0.0.20\r\n<\/pre>\n
    and from another terminal in the same system let\u2019s\u00a0telnet<\/strong>\u00a0to port\u00a080<\/strong>\u00a0in the web server (assuming\u00a0Apache<\/strong>\u00a0is listening on that port; otherwise, indicate the right port in the following command):<\/p>\n
    # telnet 10.0.0.20 80\r\n<\/pre>\n
    The\u00a0tcpdump<\/strong>\u00a0log should look as follows:<\/p>\n
    \n
    \"Check<\/a><\/p>\n
    Check Network Communication between Servers<\/p>\n<\/div>\n
    Where the connection has been properly initialized, as we can tell by looking at the 2-way communication between our\u00a0RHEL 7<\/strong>\u00a0box (192.168.0.18<\/strong>) and the web server (10.0.0.20<\/strong>).<\/p>\n
    Please remember that these changes will go away when you restart the system. If you want to make them persistent, you will need to edit (or create, if they don\u2019t already exist) the following files, in the same systems where we performed the above commands.<\/p>\n
    Though not strictly necessary for our test case, you should know that\u00a0\/etc\/sysconfig\/network<\/strong>\u00a0contains system-wide network parameters. A typical\u00a0\/etc\/sysconfig\/network<\/strong>\u00a0looks as follows:<\/p>\n
    # Enable networking on this system?\r\nNETWORKING=yes\r\n# Hostname. Should match the value in \/etc\/hostname\r\nHOSTNAME=yourhostnamehere\r\n# Default gateway\r\nGATEWAY=XXX.XXX.XXX.XXX\r\n# Device used to connect to default gateway. Replace X with the appropriate number.\r\nGATEWAYDEV=enp0sX\r\n<\/pre>\n
    When it comes to setting specific variables and values for each NIC (as we did for router #2), you will have to edit\u00a0\/etc\/sysconfig\/network-scripts\/ifcfg-enp0s3<\/strong>\u00a0and\u00a0\/etc\/sysconfig\/network-scripts\/ifcfg-enp0s8<\/strong>.<\/p>\n
    Following our case,<\/p>\n
    TYPE=Ethernet\r\nBOOTPROTO=static\r\nIPADDR=192.168.0.19\r\nNETMASK=255.255.255.0\r\nGATEWAY=192.168.0.1\r\nNAME=enp0s3\r\nONBOOT=yes\r\n<\/pre>\n
    and<\/p>\n
    TYPE=Ethernet\r\nBOOTPROTO=static\r\nIPADDR=10.0.0.18\r\nNETMASK=255.255.255.0\r\nGATEWAY=10.0.0.1\r\nNAME=enp0s8\r\nONBOOT=yes\r\n<\/pre>\n
    for\u00a0enp0s3<\/strong>\u00a0and\u00a0enp0s8<\/strong>, respectively.<\/p>\n
    As for routing in our client machine (192.168.0.18), we will need to edit\u00a0\/etc\/sysconfig\/network-scripts\/route-enp0s3:<\/strong><\/p>\n
    10.0.0.0\/24 via 192.168.0.19 dev enp0s3\r\n<\/pre>\n
    Now\u00a0reboot<\/strong>\u00a0your system and you should see that route in your table.<\/p>\n
    Summary<\/h3>\n
    In this article we have covered the essentials of static routing in\u00a0Red Hat Enterprise Linux 7<\/strong>. Although scenarios may vary, the case presented here illustrates the required principles and the procedures to perform this task. Before wrapping up, I would like to suggest you to take a look at\u00a0Chapter 4<\/a>\u00a0of the\u00a0Securing and Optimizing Linux<\/strong>section in The Linux Documentation Project site for further details on the topics covered here.<\/p>\n
    Free ebook on\u00a0Securing & Optimizing Linux: The Hacking Solution (v.3.0)<\/strong>\u00a0\u2013 This\u00a0800+<\/strong>\u00a0eBook contains comprehensive collection of Linux security tips and how to use them safely and easily to configure Linux-based applications and services.<\/p>\n
    \n
    \"Linux<\/a><\/p>\n
    Linux Security and Optimization Book<\/p>\n<\/div>\n
    Download Now<\/a><\/p>\n
    In the next article we will talk about packet filtering and network address translation to sum up the networking basic skills needed for the RHCE certification.<\/p>\n
    As always, we look forward to hearing from you, so feel free to leave your questions, comments, and suggestions using the form below.<\/p>\n
    How to Perform Packet Filtering, Network Address Translation and Set Kernel Runtime Parameters \u2013 Part 2<\/h1>\n
    As promised in\u00a0Part 1<\/strong>\u00a0(\u201cSetup Static Network Routing<\/a>\u201d), in this article (Part 2<\/strong>\u00a0of\u00a0RHCE<\/strong>\u00a0series) we will begin by introducing the principles of packet filtering and network address translation (NAT) in\u00a0Red Hat Enterprise Linux 7<\/strong>, before diving into setting runtime kernel parameters to modify the behavior of a running kernel if certain conditions change or needs arise.<\/p>\n
    \n
    \"Network<\/a><\/p>\n
    RHCE: Network Packet Filtering \u2013 Part 2<\/p>\n<\/div>\n
    Network Packet Filtering in RHEL 7<\/h3>\n
    When we talk about packet filtering, we refer to a process performed by a firewall in which it reads the header of each data packet that attempts to pass through it. Then, it filters the packet by taking the required action based on rules that have been previously defined by the system administrator.<\/p>\n
    As you probably know, beginning with\u00a0RHEL 7<\/strong>, the default service that manages firewall rules is\u00a0firewalld<\/a>. Like iptables, it talks to the netfilter module in the Linux kernel in order to examine and manipulate network packets. Unlike iptables, updates can take effect immediately without interrupting active connections \u2013 you don\u2019t even have to restart the service.<\/p>\n
    Another advantage of\u00a0firewalld<\/strong>\u00a0is that it allows us to define rules based on pre-configured service names (more on that in a minute).<\/p>\n
    In\u00a0Part 1<\/strong>, we used the following scenario:<\/p>\n
    \n
    \"Static<\/a><\/p>\n
    Static Routing Network Diagram<\/p>\n<\/div>\n
    However, you will recall that we disabled the firewall on\u00a0router #2<\/strong>\u00a0to simplify the example since we had not covered packet filtering yet. Let\u2019s see now how we can enable incoming packets destined for a specific service or port in the destination.<\/p>\n
    First, let\u2019s add a permanent rule to allow inbound traffic in\u00a0enp0s3<\/strong>\u00a0(192.168.0.19<\/strong>) to\u00a0enp0s8<\/strong>\u00a0(10.0.0.18<\/strong>):<\/p>\n
    # firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -o enp0s8 -j ACCEPT\r\n<\/pre>\n
    The above command will save the rule to\u00a0\/etc\/firewalld\/direct.xml<\/strong>:<\/p>\n
    # cat \/etc\/firewalld\/direct.xml\r\n<\/pre>\n
    \n
    \"Check<\/a><\/p>\n
    Check Firewalld Saved Rules<\/p>\n<\/div>\n
    Then enable the rule for it to take effect immediately:<\/p>\n
    # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -o enp0s8 -j ACCEPT\r\n<\/pre>\n
    Now you can telnet to the web server from the\u00a0RHEL 7<\/strong>\u00a0box and run\u00a0tcpdump<\/a>\u00a0again to monitor the TCP traffic between the two machines, this time with the firewall in\u00a0router #2<\/strong>\u00a0enabled.<\/p>\n
    # telnet 10.0.0.20 80\r\n# tcpdump -qnnvvv -i enp0s3 host 10.0.0.20\r\n<\/pre>\n
    What if you want to only allow incoming connections to the web server (port 80<\/strong>) from\u00a0192.168.0.18<\/strong>\u00a0and block connections from other sources in the\u00a0192.168.0.0\/24<\/strong>\u00a0network?<\/p>\n
    In the web server\u2019s firewall, add the following rules:<\/p>\n
    # firewall-cmd --add-rich-rule 'rule family=\"ipv4\" source address=\"192.168.0.18\/24\" service name=\"http\" accept'\r\n# firewall-cmd --add-rich-rule 'rule family=\"ipv4\" source address=\"192.168.0.18\/24\" service name=\"http\" accept' --permanent\r\n# firewall-cmd --add-rich-rule 'rule family=\"ipv4\" source address=\"192.168.0.0\/24\" service name=\"http\" drop'\r\n# firewall-cmd --add-rich-rule 'rule family=\"ipv4\" source address=\"192.168.0.0\/24\" service name=\"http\" drop' --permanent\r\n<\/pre>\n
    Now you can make HTTP requests to the web server, from\u00a0192.168.0.18<\/strong>\u00a0and from some other machine in\u00a0192.168.0.0\/24<\/strong>. In the first case the connection should complete successfully, whereas in the second it will eventually timeout.<\/p>\n
    To do so, any of the following commands will do the trick:<\/p>\n
    # telnet 10.0.0.20 80\r\n# wget 10.0.0.20\r\n<\/pre>\n
    I strongly advise you to check out the\u00a0Firewalld Rich Language<\/a>\u00a0documentation in the Fedora Project Wiki for further details on rich rules.<\/p>\n
    Network Address Translation in RHEL 7<\/h3>\n
    Network Address Translation<\/strong>\u00a0(NAT<\/strong>) is the process where a group of computers (it can also be just one of them) in a private network are assigned an unique public IP address. As result, they are still uniquely identified by their own private IP address inside the network but to the outside they all \u201cseem\u201d the same.<\/p>\n
    In addition, NAT makes it possible that computers inside a network sends requests to outside resources (like the Internet) and have the corresponding responses be sent back to the source system only.<\/p>\n
    Let\u2019s now consider the following scenario:<\/p>\n
    \n
    \"Network<\/a><\/p>\n
    Network Address Translation<\/p>\n<\/div>\n
    In\u00a0router #2<\/strong>, we will move the\u00a0enp0s3<\/strong>\u00a0interface to the external zone, and\u00a0enp0s8<\/strong>\u00a0to the internal zone, where masquerading, or NAT, is enabled by default:<\/p>\n
    # firewall-cmd --list-all --zone=external\r\n# firewall-cmd --change-interface=enp0s3 --zone=external\r\n# firewall-cmd --change-interface=enp0s3 --zone=external --permanent\r\n# firewall-cmd --change-interface=enp0s8 --zone=internal\r\n# firewall-cmd --change-interface=enp0s8 --zone=internal --permanent\r\n<\/pre>\n
    For our current setup, the internal zone \u2013 along with everything that is enabled in it will be the default zone:<\/p>\n
    # firewall-cmd --set-default-zone=internal\r\n<\/pre>\n
    Next, let\u2019s reload firewall rules and keep state information:<\/p>\n
    # firewall-cmd --reload\r\n<\/pre>\n
    Finally, let\u2019s add\u00a0router #2<\/strong>\u00a0as default gateway in the web server:<\/p>\n
    # ip route add default via 10.0.0.18\r\n<\/pre>\n
    You can now verify that you can ping\u00a0router #1<\/strong>\u00a0and an external site (tecmint.com<\/strong>, for example) from the web server:<\/p>\n
    # ping -c 2 192.168.0.1\r\n# ping -c 2 tecmint.com\r\n<\/pre>\n
    \n
    \"Verify<\/a><\/p>\n
    Verify Network Routing<\/p>\n<\/div>\n
    Setting Kernel Runtime Parameters in RHEL 7<\/h3>\n
    In Linux, you are allowed to change, enable, and disable the kernel runtime parameters, and RHEL is no exception. The\u00a0\/proc\/sys<\/strong>\u00a0interface (sysctl<\/strong>) lets you set runtime parameters on-the-fly to modify the system\u2019s behavior without much hassle when operating conditions change.<\/p>\n
    To do so, the echo shell built-in is used to write to files inside\u00a0\/proc\/sys\/<category><\/strong>, where\u00a0<category><\/strong>\u00a0is most likely one of the following directories:<\/p>\n
      \n
    1. dev<\/strong>: parameters for specific devices connected to the machine.<\/li>\n
    2. fs<\/strong>: filesystem configuration (quotas and inodes, for example).<\/li>\n
    3. kernel<\/strong>: kernel-specific configuration.<\/li>\n
    4. net<\/strong>: network configuration.<\/li>\n
    5. vm<\/strong>: use of the kernel\u2019s virtual memory.<\/li>\n<\/ol>\n
      To display the list of all the currently available values, run<\/p>\n
      # sysctl -a | less\r\n<\/pre>\n
      In\u00a0Part 1<\/strong>, we changed the value of the\u00a0net.ipv4.ip<\/strong>_forward parameter by doing<\/p>\n
      # echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n<\/pre>\n
      in order to allow a Linux machine to act as router.<\/p>\n
      Another runtime parameter that you may want to set is\u00a0kernel.sysrq<\/strong>, which enables the\u00a0Sysrq<\/strong>\u00a0key in your keyboard to instruct the system to perform gracefully some low-level functions, such as rebooting the system if it has frozen for some reason:<\/p>\n
      # echo 1 > \/proc\/sys\/kernel\/sysrq\r\n<\/pre>\n
      To display the value of a specific parameter, use sysctl as follows:<\/p>\n
      # sysctl <parameter.name>\r\n<\/pre>\n
      For example,<\/p>\n
      # sysctl net.ipv4.ip_forward\r\n# sysctl kernel.sysrq\r\n<\/pre>\n
      Some parameters, such as the ones mentioned above, require only one value, whereas others (for example,\u00a0fs.inode-state<\/strong>) require multiple values:<\/p>\n
      \n
      \"Check<\/a><\/p>\n
      Check Kernel Parameters<\/p>\n<\/div>\n
      In either case, you need to read the kernel\u2019s documentation before making any changes.<\/p>\n
      Please note that these settings will go away when the system is rebooted. To make these changes permanent, we will need to add\u00a0.conf<\/strong>\u00a0files inside the\u00a0\/etc\/sysctl.d<\/strong>\u00a0as follows:<\/p>\n
      # echo \"net.ipv4.ip_forward = 1\" > \/etc\/sysctl.d\/10-forward.conf\r\n<\/pre>\n
      (where the number\u00a010<\/strong>\u00a0indicates the order of processing relative to other files in the same directory).<\/p>\n
      and enable the changes with<\/p>\n
      # sysctl -p \/etc\/sysctl.d\/10-forward.conf\r\n<\/pre>\n
      Summary<\/h3>\n
      In this tutorial we have explained the basics of packet filtering, network address translation, and setting kernel runtime parameters on a running system and persistently across reboots. I hope you have found this information useful, and as always, we look forward to hearing from you!
      \nDon\u2019t hesitate to share with us your questions, comments, or suggestions using the form below.<\/p>\n
      How to Produce and Deliver System Activity Reports Using Linux Toolsets \u2013 Part 3<\/h1>\n
      As a system engineer, you will often need to produce reports that show the utilization of your system\u2019s resources in order to make sure that: 1) they are being utilized optimally, 2) prevent bottlenecks, and 3) ensure scalability, among other reasons.<\/p>\n
      \n
      \"Monitor<\/a><\/p>\n
      RHCE: Monitor Linux Performance Activity Reports \u2013 Part 3<\/p>\n<\/div>\n
      Besides the well-known native Linux tools that are used to check disk, memory, and CPU usage \u2013 to name a few examples, Red Hat Enterprise Linux 7 provides two additional toolsets to enhance the data you can collect for your reports:\u00a0sysstat<\/strong>\u00a0and\u00a0dstat<\/strong>.<\/p>\n
      In this article we will describe both, but let\u2019s first start by reviewing the usage of the classic tools.<\/p>\n
      Native Linux Tools<\/h3>\n
      With\u00a0df<\/strong>, you will be able to report disk space and inode usage of by filesystem. You need to monitor both because a lack of space will prevent you from being able to save further files (and may even cause the system to crash), just like running out of inodes will mean you can\u2019t link further files with their corresponding data structures, thus producing the same effect: you won\u2019t be able to save those files to disk.<\/p>\n
      # df -h \t\t[Display output in human-readable form]\r\n# df -h --total         [Produce a grand total]\r\n<\/pre>\n
      \n
      \"Check<\/a><\/p>\n
      Check Linux Total Disk Usage<\/p>\n<\/div>\n
      # df -i \t\t[Show inode count by filesystem]\r\n# df -i --total \t[Produce a grand total]\r\n<\/pre>\n
      \n
      \"Check<\/a><\/p>\n
      Check Linux Total inode Numbers<\/p>\n<\/div>\n
      With\u00a0du<\/strong>, you can estimate file space usage by either file, directory, or filesystem.<\/p>\n
      For example, let\u2019s see how much space is used by the\u00a0\/home<\/strong>\u00a0directory, which includes all of the user\u2019s personal files. The first command will return the overall space currently used by the entire\u00a0\/home<\/strong>\u00a0directory, whereas the second will also display a disaggregated list by sub-directory as well:<\/p>\n
      # du -sch \/home\r\n# du -sch \/home\/*\r\n<\/pre>\n
      \n
      \"Check<\/a><\/p>\n
      Check Linux Directory Disk Size<\/p>\n<\/div>\n
      Don\u2019t Miss<\/strong>:<\/p>\n
        \n
      1. 12 \u2018df\u2019 Command Examples to Check Linux Disk Space Usage<\/a><\/li>\n
      2. 10 \u2018du\u2019 Command Examples to Find Disk Usage of Files\/Directories<\/a><\/li>\n<\/ol>\n
        Another utility that can\u2019t be missing from your toolset is\u00a0vmstat<\/strong>. It will allow you to see at a quick glance information about processes, CPU and memory usage, disk activity, and more.<\/p>\n
        If run without arguments,\u00a0vmstat<\/strong>\u00a0will return averages since the last reboot. While you may use this form of the command once in a while, it will be more helpful to take a certain amount of system utilization samples, one after another, with a defined time separation between samples.<\/p>\n
        For example,<\/p>\n
        # vmstat 5 10\r\n<\/pre>\n
        will return 10 samples taken every 5 seconds:<\/p>\n
        \n
        \"Check<\/a><\/p>\n
        Check Linux System Performance<\/p>\n<\/div>\n
        As you can see in the above picture, the output of vmstat is divided by columns:\u00a0procs<\/strong>\u00a0(processes),\u00a0memory<\/strong>,\u00a0swap<\/strong>,\u00a0io<\/strong>,\u00a0system<\/strong>, and\u00a0cpu<\/strong>. The meaning of each field can be found in the\u00a0FIELD DESCRIPTION<\/strong>\u00a0sections in the man page of\u00a0vmstat<\/strong>.<\/p>\n
        Where can\u00a0vmstat<\/strong>\u00a0come in handy? Let\u2019s examine the behavior of the system before and during a\u00a0yum update<\/strong>:<\/p>\n
        # vmstat -a 1 5\r\n<\/pre>\n
        \n
        \"Vmstat<\/a><\/p>\n
        Vmstat Linux Performance Monitoring<\/p>\n<\/div>\n
        Please note that as files are being modified on disk, the amount of\u00a0active<\/strong>\u00a0memory increases and so does the number of blocks written to disk\u00a0(bo)<\/strong>\u00a0and the CPU time that is dedicated to user processes\u00a0(us)<\/strong>.<\/p>\n
        Or during the saving process of a large file directly to disk (caused by\u00a0dsync<\/strong>):<\/p>\n
        # vmstat -a 1 5\r\n# dd if=\/dev\/zero of=dummy.out bs=1M count=1000 oflag=dsync\r\n<\/pre>\n
        \n
        \"VmStat<\/a><\/p>\n
        VmStat Linux Disk Performance Monitoring<\/p>\n<\/div>\n
        In this case, we can see a yet larger number of blocks being written to disk\u00a0(bo)<\/strong>, which was to be expected, but also an increase of the amount of CPU time that it has to wait for I\/O operations to complete before processing tasks\u00a0(wa)<\/strong>.<\/p>\n
        Don\u2019t Miss<\/strong>:\u00a0Vmstat \u2013 Linux Performance Monitoring<\/a><\/p>\n
        Other Linux Tools<\/h3>\n
        As mentioned in the introduction of this chapter, there are other tools that you can use to check the system status and utilization (they are not only provided by\u00a0Red Hat<\/strong>\u00a0but also by other major distributions from their officially supported repositories).<\/p>\n
        The\u00a0sysstat<\/strong>\u00a0package contains the following utilities:<\/p>\n
          \n
        1. sar<\/strong>\u00a0(collect, report, or save system activity information).<\/li>\n
        2. sadf<\/strong>\u00a0(display data collected by sar in multiple formats).<\/li>\n
        3. mpstat<\/strong>\u00a0(report processors related statistics).<\/li>\n
        4. iostat<\/strong>\u00a0(report CPU statistics and I\/O statistics for devices and partitions).<\/li>\n
        5. pidstat (report statistics for Linux tasks).<\/li>\n
        6. nfsiostat<\/strong>\u00a0(report input\/output statistics for NFS).<\/li>\n
        7. cifsiostat<\/strong>\u00a0(report CIFS statistics) and<\/li>\n
        8. sa1<\/strong>\u00a0(collect and store binary data in the system activity daily data file.<\/li>\n
        9. sa2<\/strong>\u00a0(write a daily report in the\u00a0\/var\/log\/sa<\/strong>\u00a0directory) tools.<\/li>\n<\/ol>\n
          whereas\u00a0dstat<\/strong>\u00a0adds some extra features to the functionality provided by those tools, along with more counters and flexibility. You can find an overall description of each tool by running\u00a0yum info sysstat<\/strong>\u00a0or\u00a0yum info dstat<\/strong>, respectively, or checking the individual man pages after installation.<\/p>\n
          To install both packages:<\/p>\n
          # yum update && yum install sysstat dstat\r\n<\/pre>\n
          The main configuration file for\u00a0sysstat<\/strong>\u00a0is\u00a0\/etc\/sysconfig\/sysstat<\/strong>. You will find the following parameters in that file:<\/p>\n
          # How long to keep log files (in days).\r\n# If value is greater than 28, then log files are kept in\r\n# multiple directories, one for each month.\r\nHISTORY=28<\/strong>\r\n# Compress (using gzip or bzip2) sa and sar files older than (in days):\r\nCOMPRESSAFTER=31<\/strong>\r\n# Parameters for the system activity data collector (see sadc manual page)\r\n# which are used for the generation of log files.\r\nSADC_OPTIONS=\"-S DISK\"<\/strong>\r\n# Compression program to use.\r\nZIP=\"bzip2\"<\/strong>\r\n<\/pre>\n
          When\u00a0sysstat<\/strong>\u00a0is installed, two cron jobs are added and enabled in\u00a0\/etc\/cron.d\/sysstat<\/strong>. The first job runs the system activity accounting tool every\u00a010 minutes<\/strong>\u00a0and stores the reports in\u00a0\/var\/log\/sa\/saXX<\/strong>\u00a0where\u00a0XX<\/strong>\u00a0is the day of the month.<\/p>\n
          Thus,\u00a0\/var\/log\/sa\/sa05<\/strong>\u00a0will contain all the system activity reports from the 5th of the month. This assumes that we are using the default value in the\u00a0HISTORY<\/strong>\u00a0variable in the configuration file above:<\/p>\n
          *\/10 * * * * root \/usr\/lib64\/sa\/sa1 1 1\r\n<\/pre>\n
          The second job generates a daily summary of process accounting at\u00a011:53<\/strong>\u00a0pm every day and stores it in\u00a0\/var\/log\/sa\/sarXX<\/strong>\u00a0files, where\u00a0XX<\/strong>\u00a0has the same meaning as in the previous example:<\/p>\n
          53 23 * * * root \/usr\/lib64\/sa\/sa2 -A\r\n<\/pre>\n
          For example, you may want to output system statistics from\u00a09:30 am<\/strong>\u00a0through\u00a05:30 pm<\/strong>\u00a0of the sixth of the month to a\u00a0.csv<\/strong>\u00a0file that can easily be viewed using\u00a0LibreOffice Calc<\/strong>\u00a0or\u00a0Microsoft Excel<\/strong>\u00a0(this approach will also allow you to create charts or graphs):<\/p>\n
          # sadf -s 09:30:00 -e 17:30:00 -dh \/var\/log\/sa\/sa06 -- | sed 's\/;\/,\/g' > system_stats20150806.csv\r\n<\/pre>\n
          You could alternatively use the\u00a0-j<\/strong>\u00a0flag instead of\u00a0-d<\/strong>\u00a0in the\u00a0sadf<\/strong>\u00a0command above to output the system stats in\u00a0JSON<\/strong>\u00a0format, which could be useful if you need to consume the data in a web application, for example.<\/p>\n
          \n
          \"Linux<\/a><\/p>\n
          Linux System Statistics<\/p>\n<\/div>\n
          Finally, let\u2019s see what\u00a0dstat<\/strong>\u00a0has to offer. Please note that if run without arguments,\u00a0dstat<\/strong>\u00a0assumes\u00a0-cdngy<\/strong>\u00a0by default (short for CPU, disk, network, memory pages, and system stats, respectively), and adds one line every second (execution can be interrupted anytime with\u00a0Ctrl + C<\/strong>):<\/p>\n
          # dstat\r\n<\/pre>\n
          \n
          \"Linux<\/a><\/p>\n
          Linux Disk Statistics Monitoring<\/p>\n<\/div>\n
          To output the stats to a\u00a0.csv<\/strong>\u00a0file, use the\u00a0\u2013output<\/strong>\u00a0flag followed by a file name. Let\u2019s see how this looks on LibreOffice Calc:<\/p>\n
          \n
          \"Monitor<\/a><\/p>\n
          Monitor Linux Statistics Output<\/p>\n<\/div>\n
          I strongly advise you to check out the man page of\u00a0dstat<\/a>\u00a0along with the man page of\u00a0sysstat<\/a>\u00a0in PDF format for your reading convenience. You will find several other options that will help you create custom and detailed system activity reports.<\/p>\n
          Don\u2019t Miss:<\/strong>\u00a0Sysstat \u2013 Linux Usage Activity Monitoring Tool<\/a><\/p>\n
          Summary<\/h3>\n
          In this guide we have explained how to use both native Linux tools and specific utilities provided with\u00a0RHEL 7<\/strong>\u00a0in order to produce reports on system utilization. At one point or another, you will come to rely on these reports as best friends.<\/p>\n
          You will probably have used other tools that we have not covered in this tutorial. If so, feel free to share them with the rest of the community along with any other suggestions \/ questions \/ comments that you may have- using the form below.<\/p>\n
          We look forward to hearing from you.<\/p>\n
          Using Shell Scripting to Automate Linux System Maintenance Tasks \u2013 Part 4<\/h1>\n
          Some time ago I read that one of the distinguishing characteristics of an effective system administrator \/ engineer is laziness. It seemed a little contradictory at first but the author then proceeded to explain why:<\/p>\n
          \n
          \"Automate<\/a><\/p>\n
          RHCE Series: Automate Linux System Maintenance Tasks \u2013 Part 4<\/p>\n<\/div>\n
          if a sysadmin spends most of his time solving issues and doing repetitive tasks, you can suspect he or she is not doing things quite right. In other words, an effective system administrator \/ engineer should develop a plan to perform repetitive tasks with as less action on his \/ her part as possible, and should foresee problems by using,<\/p>\n
          for example, the tools reviewed in Part 3 \u2013\u00a0Monitor System Activity Reports Using Linux Toolsets<\/a>\u00a0of this series. Thus, although he or she may not seem to be doing much, it\u2019s because most of his \/ her responsibilities have been taken care of with the help of shell scripting, which is what we\u2019re going to talk about in this tutorial.<\/p>\n
          What is a shell script?<\/h3>\n
          In few words, a shell script is nothing more and nothing less than a program that is executed step by step by a shell, which is another program that provides an interface layer between the Linux kernel and the end user.<\/p>\n
          By default, the shell used for user accounts in\u00a0RHEL 7<\/strong>\u00a0is bash (\/bin\/bash<\/strong>). If you want a detailed description and some historical background, you can refer to\u00a0this Wikipedia article<\/a>.<\/p>\n
          To find out more about the enormous set of features provided by this shell, you may want to check out its\u00a0man page<\/strong>, which is downloaded in in PDF format at (Bash Commands<\/a>). Other than that, it is assumed that you are familiar with Linux commands (if not, I strongly advise you to go through\u00a0A Guide from Newbies to SysAdmin<\/a>article in\u00a0Tecmint.com<\/strong>\u00a0before proceeding). Now let\u2019s get started.<\/p>\n
          Writing a script to display system information<\/h3>\n
          For our convenience, let\u2019s create a directory to store our shell scripts:<\/p>\n
          # mkdir scripts\r\n# cd scripts\r\n<\/pre>\n
          And open a new text file named\u00a0system_info.sh<\/code>\u00a0with your preferred text editor. We will begin by inserting a few comments at the top and some commands afterwards:<\/p>\n
          #!\/bin\/bash\r\n\r\n# Sample script written for Part 4 of the RHCE series\r\n# This script will return the following set of system information:\r\n# -Hostname information:\r\necho -e \"\\e[31;43m***** HOSTNAME INFORMATION<\/strong> *****\\e[0m\"\r\nhostnamectl\r\necho \"\"\r\n# -File system disk space usage:\r\necho -e \"\\e[31;43m***** FILE SYSTEM DISK SPACE USAGE<\/strong> *****\\e[0m\"\r\ndf -h\r\necho \"\"\r\n# -Free and used memory in the system:\r\necho -e \"\\e[31;43m ***** FREE AND USED MEMORY<\/strong> *****\\e[0m\"\r\nfree\r\necho \"\"\r\n# -System uptime and load:\r\necho -e \"\\e[31;43m***** SYSTEM UPTIME AND LOAD<\/strong> *****\\e[0m\"\r\nuptime\r\necho \"\"\r\n# -Logged-in users:\r\necho -e \"\\e[31;43m***** CURRENTLY LOGGED-IN USERS<\/strong> *****\\e[0m\"\r\nwho\r\necho \"\"\r\n# -Top 5 processes as far as memory usage is concerned\r\necho -e \"\\e[31;43m***** TOP 5 MEMORY-CONSUMING PROCESSES<\/strong> *****\\e[0m\"\r\nps -eo %mem,%cpu,comm --sort=-%mem | head -n 6\r\necho \"\"\r\necho -e \"\\e[1;32mDone.\\e[0m\"\r\n<\/pre>\n
          Next, give the script execute permissions:<\/p>\n
          # chmod +x system_info.sh\r\n<\/pre>\n
          and run it:<\/p>\n
          .\/system_info.sh\r\n<\/pre>\n
          Note that the headers of each section are shown in color for better visualization:<\/p>\n
          \n
          \"Server<\/a><\/p>\n
          Server Monitoring Shell Script<\/p>\n<\/div>\n
          That functionality is provided by this command:<\/p>\n
          echo -e \"\\e[COLOR1;COLOR2m<YOUR TEXT HERE><\/strong>\\e[0m\"\r\n<\/pre>\n
          Where\u00a0COLOR1<\/strong>\u00a0and\u00a0COLOR2<\/strong>\u00a0are the foreground and background colors, respectively (more info and options are explained in this entry from the\u00a0Arch Linux Wiki<\/a>) and\u00a0<YOUR TEXT HERE><\/strong>\u00a0is the string that you want to show in color.<\/p>\n
          Automating Tasks<\/h3>\n
          The tasks that you may need to automate may vary from case to case. Thus, we cannot possibly cover all of the possible scenarios in a single article, but we will present three classic tasks that can be automated using shell scripting:<\/p>\n
          1)<\/strong>\u00a0update the local file database, 2) find (and alternatively delete) files with\u00a0777<\/strong>\u00a0permissions, and\u00a03)<\/strong>\u00a0alert when filesystem usage surpasses a defined limit.<\/p>\n
          Let\u2019s create a file named\u00a0auto_tasks.sh<\/code>\u00a0in our scripts directory with the following content:<\/p>\n
          #!\/bin\/bash\r\n\r\n# Sample script to automate tasks:\r\n# -Update local file database:\r\necho -e \"\\e[4;32mUPDATING LOCAL FILE DATABASE<\/strong>\\e[0m\"\r\nupdatedb\r\nif [ $? == 0 ]; then\r\n        echo \"The local file database was updated correctly.\"\r\nelse\r\n        echo \"The local file database was not updated correctly.\"\r\nfi\r\necho \"\"\r\n\r\n# -Find and \/ or delete files with 777 permissions.\r\necho -e \"\\e[4;32mLOOKING FOR FILES WITH 777 PERMISSIONS<\/strong>\\e[0m\"\r\n# Enable either option (comment out the other line), but not both.\r\n# Option 1: Delete files without prompting for confirmation. Assumes GNU version of find.\r\n#find -type f -perm 0777 -delete\r\n# Option 2: Ask for confirmation before deleting files. More portable across systems.\r\nfind -type f -perm 0777 -exec rm -i {} +;\r\necho \"\"\r\n# -Alert when file system usage surpasses a defined limit \r\necho -e \"\\e[4;32mCHECKING FILE SYSTEM USAGE<\/strong>\\e[0m\"\r\nTHRESHOLD=30\r\nwhile read line; do\r\n        # This variable stores the file system path as a string\r\n        FILESYSTEM=$(echo $line | awk '{print $1}')\r\n        # This variable stores the use percentage (XX%)\r\n        PERCENTAGE=$(echo $line | awk '{print $5}')\r\n        # Use percentage without the % sign.\r\n        USAGE=${PERCENTAGE%?}\r\n        if [ $USAGE -gt $THRESHOLD ]; then\r\n                echo \"The remaining available space in $FILESYSTEM is critically low. Used: $PERCENTAGE\"\r\n        fi\r\ndone < <(df -h --total | grep -vi filesystem)\r\n<\/pre>\n
          Please note that there is a space between the two\u00a0<<\/code>\u00a0signs in the last line of the script.<\/p>\n
          \n
          \"Shell<\/a><\/p>\n
          Shell Script to Find 777 Permissions<\/p>\n<\/div>\n
          Using Cron<\/h3>\n
          To take efficiency one step further, you will not want to sit in front of your computer and run those scripts manually. Rather, you will use\u00a0cron<\/strong>\u00a0to schedule those tasks to run on a periodic basis and sends the results to a predefined list of recipients via email or save them to a file that can be viewed using a web browser.<\/p>\n
          The following script (filesystem_usage.sh) will run the well-known\u00a0df -h<\/strong>\u00a0command, format the output into a HTML table and save it in the\u00a0report.html<\/strong>\u00a0file:<\/p>\n
          #!\/bin\/bash\r\n# Sample script to demonstrate the creation of an HTML report using shell scripting\r\n# Web directory\r\nWEB_DIR=\/var\/www\/html\r\n# A little CSS and table layout to make the report look a little nicer\r\necho \"<HTML>\r\n<HEAD>\r\n<style>\r\n.titulo{font-size: 1em; color: white; background:#0863CE; padding: 0.1em 0.2em;}\r\ntable\r\n{\r\nborder-collapse:collapse;\r\n}\r\ntable, td, th\r\n{\r\nborder:1px solid black;\r\n}\r\n<\/style>\r\n<meta http-equiv='Content-Type' content='text\/html; charset=UTF-8' \/>\r\n<\/HEAD>\r\n<BODY>\" > $WEB_DIR\/report.html\r\n# View hostname and insert it at the top of the html body\r\nHOST=$(hostname)\r\necho \"Filesystem usage for host <strong>$HOST<\/strong><br>\r\nLast updated: <strong>$(date)<\/strong><br><br>\r\n<table border='1'>\r\n<tr><th class='titulo'>Filesystem<\/td>\r\n<th class='titulo'>Size<\/td>\r\n<th class='titulo'>Use %<\/td>\r\n<\/tr>\" >> $WEB_DIR\/report.html\r\n# Read the output of df -h line by line\r\nwhile read line; do\r\necho \"<tr><td align='center'>\" >> $WEB_DIR\/report.html\r\necho $line | awk '{print $1}' >> $WEB_DIR\/report.html\r\necho \"<\/td><td align='center'>\" >> $WEB_DIR\/report.html\r\necho $line | awk '{print $2}' >> $WEB_DIR\/report.html\r\necho \"<\/td><td align='center'>\" >> $WEB_DIR\/report.html\r\necho $line | awk '{print $5}' >> $WEB_DIR\/report.html\r\necho \"<\/td><\/tr>\" >> $WEB_DIR\/report.html\r\ndone < <(df -h | grep -vi filesystem)\r\necho \"<\/table><\/BODY><\/HTML>\" >> $WEB_DIR\/report.html\r\n<\/pre>\n
          In our\u00a0RHEL 7<\/strong>\u00a0server (192.168.0.18<\/strong>), this looks as follows:<\/p>\n
          \n
          \"Server<\/a><\/p>\n
          Server Monitoring Report<\/p>\n<\/div>\n
          You can add to that report as much information as you want. To run the script every day at\u00a01:30 pm<\/strong>, add the following crontab entry:<\/p>\n
          30 13 * * * \/root\/scripts\/filesystem_usage.sh\r\n<\/pre>\n
          Summary<\/h3>\n
          You will most likely think of several other tasks that you want or need to automate; as you can see, using shell scripting will greatly simplify this effort. Feel free to let us know if you find this article helpful and don’t hesitate to add your own ideas or comments via the form below.<\/p>\n
          How to Manage System Logs (Configure, Rotate and Import Into Database) in RHEL 7 \u2013 Part 5<\/h1>\n
          In order to keep your\u00a0RHEL 7<\/strong>\u00a0systems secure, you need to know how to monitor all of the activities that take place on such systems by examining log files. Thus, you will be able to detect any unusual or potentially malicious activity and perform system troubleshooting or take another appropriate action.<\/p>\n
          \n
          \"Linux<\/a><\/p>\n
          RHCE Exam: Manage System LogsUsing Rsyslogd and Logrotate \u2013 Part 5<\/p>\n<\/div>\n
          In\u00a0RHEL 7<\/strong>, the\u00a0rsyslogd<\/a>\u00a0daemon is responsible for system logging and reads its configuration from\u00a0\/etc\/rsyslog.conf<\/strong>\u00a0(this file specifies the default location for all system logs) and from files inside\u00a0\/etc\/rsyslog.d<\/strong>, if any.<\/p>\n
          Rsyslogd Configuration<\/h3>\n
          A quick inspection of the\u00a0rsyslog.conf<\/a>\u00a0will be helpful to start. This file is divided into 3 main sections:\u00a0Modules<\/strong>(since rsyslog follows a modular design),\u00a0Global<\/strong>\u00a0directives (used to set global properties of the rsyslogd daemon), and\u00a0Rules<\/strong>. As you will probably guess, this last section indicates what gets logged or shown (also known as the selector) and where, and will be our focus throughout this article.<\/p>\n
          A typical line in\u00a0rsyslog.conf<\/strong>\u00a0is as follows:<\/p>\n
          \n
          \"Rsyslogd<\/a><\/p>\n
          Rsyslogd Configuration<\/p>\n<\/div>\n
          In the image above, we can see that a selector consists of one or more pairs\u00a0Facility:Priority<\/strong>\u00a0separated by semicolons, where Facility describes the type of message (refer to\u00a0section 4.1.1 in RFC 3164<\/a>\u00a0to see the complete list of facilities available for rsyslog) and Priority indicates its severity, which can be one of the following self-explanatory words:<\/p>\n
            \n
          1. debug<\/li>\n
          2. info<\/li>\n
          3. notice<\/li>\n
          4. warning<\/li>\n
          5. err<\/li>\n
          6. crit<\/li>\n
          7. alert<\/li>\n
          8. emerg<\/li>\n<\/ol>\n
            Though not a priority itself, the keyword\u00a0none<\/strong>\u00a0means no priority at all of the given facility.<\/p>\n
            Note<\/strong>: That a given priority indicates that all messages of such priority and above should be logged. Thus, the line in the example above instructs the\u00a0rsyslogd<\/strong>\u00a0daemon to log all messages of priority info or higher (regardless of the facility) except those belonging to\u00a0mail<\/strong>,\u00a0authpriv<\/strong>, and\u00a0cron<\/strong>\u00a0services (no messages coming from this facilities will be taken into account) to\u00a0\/var\/log\/messages<\/strong>.<\/p>\n
            You can also group multiple facilities using the colon sign to apply the same priority to all of them. Thus, the line:<\/p>\n
            *.info;mail.none;authpriv.none;cron.none                \/var\/log\/messages\r\n<\/pre>\n
            Could be rewritten as<\/p>\n
            *.info;mail,authpriv,cron.none                \/var\/log\/messages\r\n<\/pre>\n
            In other words, the facilities\u00a0mail<\/strong>,\u00a0authpriv<\/strong>, and\u00a0cron<\/strong>\u00a0are grouped and the keyword\u00a0none<\/strong>\u00a0is applied to the three of them.<\/p>\n
            Creating a custom log file<\/h4>\n
            To log all daemon messages to\u00a0\/var\/log\/tecmint.log<\/strong>, we need to add the following line either in\u00a0rsyslog.conf<\/strong>\u00a0or in a separate file (easier to manage) inside\u00a0\/etc\/rsyslog.d<\/strong>:<\/p>\n
            daemon.*    \/var\/log\/tecmint.log\r\n<\/pre>\n
            Let\u2019s restart the daemon (note that the service name does not end with a\u00a0d<\/strong>):<\/p>\n
            # systemctl restart rsyslog\r\n<\/pre>\n
            And check the contents of our custom log before and after restarting two random daemons:<\/p>\n
            \n
            \"Linux<\/a><\/p>\n
            Create Custom Log File<\/p>\n<\/div>\n
            As a self-study exercise, I would recommend you play around with the facilities and priorities and either log additional messages to existing log files or create new ones as in the previous example.<\/p>\n
            Rotating Logs using Logrotate<\/h3>\n
            To prevent log files from growing endlessly, the\u00a0logrotate<\/strong>\u00a0utility is used to rotate, compress, remove, and alternatively mail logs, thus easing the administration of systems that generate large numbers of log files.<\/p>\n
            Suggested Read:<\/b>\u00a0How to Setup and Manage Log Rotation Using Logrotate in Linux<\/a><\/p>\n
            Logrotate<\/strong>\u00a0runs daily as a\u00a0cron<\/strong>\u00a0job (\/etc\/cron.daily\/logrotate<\/strong>) and reads its configuration from\u00a0\/etc\/logrotate.conf<\/strong>\u00a0and from files located in\u00a0\/etc\/logrotate.d<\/strong>, if any.<\/p>\n
            As with the case of\u00a0rsyslog<\/strong>, even when you can include settings for specific services in the main file, creating separate configuration files for each one will help organize your settings better.<\/p>\n
            Let\u2019s take a look at a typical\u00a0logrotate.conf<\/strong>:<\/p>\n
            \n
            \"Logrotate<\/a><\/p>\n
            Logrotate Configuration<\/p>\n<\/div>\n
            In the example above,\u00a0logrotate<\/strong>\u00a0will perform the following actions for\u00a0\/var\/loh\/wtmp:<\/strong>\u00a0attempt to rotate only once a month, but only if the file is at least\u00a01 MB<\/strong>\u00a0in size, then create a brand new log file with permissions set to\u00a00664<\/strong>\u00a0and ownership given to user root and group\u00a0utmp<\/strong>. Next, only keep one archived log, as specified by the rotate directive:<\/p>\n
            \n
            \"Logrotate<\/a><\/p>\n
            Logrotate Logs Monthly<\/p>\n<\/div>\n
            Let\u2019s now consider another example as found in\u00a0\/etc\/logrotate.d\/httpd<\/strong>:<\/p>\n
            \n
            \"Rotate<\/a><\/p>\n
            Rotate Apache Log Files<\/p>\n<\/div>\n
            You can read more about the settings for\u00a0logrotate<\/strong>\u00a0in its man pages (man logrotate<\/a>\u00a0and\u00a0man logrotate.conf<\/a>). Both files are provided along with this article in PDF format for your reading convenience.<\/p>\n
            As a system engineer, it will be pretty much up to you to decide for how long logs will be stored and in what format, depending on whether you have\u00a0\/var<\/strong>\u00a0in a separate partition\u00a0\/<\/strong>\u00a0logical volume. Otherwise, you really want to consider removing old logs to save storage space. On the other hand, you may be forced to keep several logs for future security auditing according to your company\u2019s or client\u2019s internal policies.<\/p>\n
            Saving Logs to a Database<\/h4>\n
            Of course examining logs (even with the help of tools such as\u00a0grep<\/strong>\u00a0and regular expressions) can become a rather tedious task. For that reason,\u00a0rsyslog<\/strong>\u00a0allows us to export them into a database (OTB<\/strong>\u00a0supported RDBMS include MySQL, MariaDB, PostgreSQL, and Oracle.<\/p>\n
            This section of the tutorial assumes that you have already installed the\u00a0MariaDB<\/strong>\u00a0server and client in the same RHEL 7 box where the logs are being managed:<\/p>\n
            # yum update && yum install mariadb mariadb-server mariadb-client rsyslog-mysql\r\n# systemctl enable mariadb && systemctl start mariadb\r\n<\/pre>\n
            Then use the\u00a0mysql_secure_installation<\/code>\u00a0utility to set the password for the root user and other security considerations:<\/p>\n
            \n
            \"Secure<\/a><\/p>\n
            Secure MySQL Database<\/p>\n<\/div>\n
            Note<\/strong>: If you don\u2019t want to use the\u00a0MariaDB<\/strong>\u00a0root user to insert log messages to the database, you can configure another user account to do so. Explaining how to do that is out of the scope of this tutorial but is explained in detail in\u00a0MariaDB knowledge<\/a>\u00a0base. In this tutorial we will use the root account for simplicity.<\/p>\n
            Next, download the\u00a0createDB.sql<\/strong>\u00a0script from\u00a0GitHub<\/a>\u00a0and import it into your database server:<\/p>\n
            # mysql -u root -p < createDB.sql\r\n<\/pre>\n
            \n
            \"Save<\/a><\/p>\n
            Save Server Logs to Database<\/p>\n<\/div>\n
            Finally, add the following lines to\u00a0\/etc\/rsyslog.conf<\/strong>:<\/p>\n
            $ModLoad ommysql\r\n$ActionOmmysqlServerPort 3306\r\n*.* :ommysql:localhost,Syslog,root,YourPasswordHere<\/strong>\r\n<\/pre>\n
            Restart\u00a0rsyslog<\/strong>\u00a0and the database server:<\/p>\n
            # systemctl restart rsyslog \r\n# systemctl restart mariadb\r\n<\/pre>\n
            Querying the Logs using SQL syntax<\/h4>\n
            Now perform some tasks that will modify the logs (like stopping and starting services, for example), then log to your DB server and use standard SQL commands to display and search in the logs:<\/p>\n
            USE Syslog;\r\nSELECT ReceivedAt, Message FROM SystemEvents;\r\n<\/pre>\n
            \n
            \"Query<\/a><\/p>\n
            Query Logs in Database<\/p>\n<\/div>\n
            Summary<\/h3>\n
            In this article we have explained how to set up system logging, how to rotate logs, and how to redirect the messages to a database for easier search. We hope that these skills will be helpful as you prepare for the\u00a0RHCE exam<\/a>\u00a0and in your daily responsibilities as well.<\/p>\n
            As always, your feedback is more than welcome. Feel free to use the form below to reach us.<\/p>\n
            Setting Up Samba and Configure FirewallD and SELinux to Allow File Sharing on Linux\/Windows Clients \u2013 Part 6<\/h1>\n
            Since computers seldom work as isolated systems, it is to be expected that as a system administrator or engineer, you know how to set up and maintain a network with multiple types of servers.<\/p>\n
            In this article and in the next of this series we will go through the essentials of setting up\u00a0Samba<\/strong>\u00a0and\u00a0NFS<\/strong>servers with Windows\/Linux and Linux clients, respectively.<\/p>\n
            \n
            \"Setup<\/a><\/p>\n
            RHCE: Setup Samba File Sharing \u2013 Part 6<\/p>\n<\/div>\n
            This article will definitely come in handy if you\u2019re called upon to set up file servers in corporate or enterprise environments where you are likely to find different operating systems and types of devices.<\/p>\n
            Since you can read about the background and the technical aspects of both Samba and NFS all over the Internet, in this article and the next we will cut right to the chase with the topic at hand.<\/p>\n
            Step 1: Installing Samba Server<\/h3>\n
            Our current testing environment consists of two\u00a0RHEL 7 boxes<\/strong>\u00a0and one\u00a0Windows 8<\/strong>\u00a0machine, in that order:<\/p>\n
            1. Samba \/ NFS server<\/strong> [box1 (RHEL 7): 192.168.0.18]<\/strong>, \r\n2. Samba client #1<\/strong> [box2 (RHEL 7): 192.168.0.20]<\/strong>\r\n3. Samba client #2<\/strong> [Windows 8 machine: 192.168.0.106]<\/strong>\r\n<\/pre>\n
            \n
            \"Testing<\/a><\/p>\n
            Testing Setup for Samba<\/p>\n<\/div>\n
            On\u00a0box1<\/strong>, install the following packages:<\/p>\n
            # yum update && yum install samba samba-client samba-common\r\n<\/pre>\n
            On\u00a0box2<\/strong>:<\/p>\n
            # yum update && yum install samba samba-client samba-common cifs-utils\r\n<\/pre>\n
            Once the installation is complete, we\u2019re ready to configure our share.<\/p>\n
            Step 2: Setting Up File Sharing Through Samba<\/h3>\n
            One of the reason why\u00a0Samba<\/strong>\u00a0is so relevant is because it provides file and print services to\u00a0SMB\/CIFS<\/strong>\u00a0clients, which causes those clients to see the server as if it was a Windows system (I must admit I tend to get a little emotional while writing about this topic as it was my first setup as a new Linux system administrator some years ago).<\/p>\n
            Adding system users and setting up permissions and ownership<\/h6>\n
            To allow for group collaboration, we will create a group named\u00a0finance<\/strong>\u00a0with two users (user1<\/strong>\u00a0and\u00a0user2<\/strong>) with\u00a0useradd command<\/a>\u00a0and a directory\u00a0\/finance<\/strong>\u00a0in\u00a0box1<\/strong>.<\/p>\n
            We will also change the group owner of this directory to\u00a0finance<\/strong>\u00a0and set its permissions to\u00a00770<\/strong>\u00a0(read, write, and execution permissions for the owner and the group owner):<\/p>\n
            # groupadd finance\r\n# useradd user1\r\n# useradd user2\r\n# usermod -a -G finance user1\r\n# usermod -a -G finance user2\r\n# mkdir \/finance\r\n# chmod 0770 \/finance\r\n# chgrp finance \/finance\r\n<\/pre>\n
            Step 3:\u200b Configuring SELinux and Firewalld<\/h3>\n
            In preparation to configure\u00a0\/finance<\/strong>\u00a0as a Samba share, we will need to either disable\u00a0SELinux<\/strong>\u00a0or set the proper\u00a0boolean<\/strong>\u00a0and security context values as follows (otherwise, SELinux will prevent clients from accessing the share):<\/p>\n
            # setsebool -P samba_export_all_ro=1 samba_export_all_rw=1\r\n# getsebool \u2013a | grep samba_export\r\n# semanage fcontext \u2013at samba_share_t \"\/finance(\/.*)?\"\r\n# restorecon \/finance\r\n<\/pre>\n
            In addition, we must ensure that Samba traffic is allowed by the\u00a0firewalld<\/a>.<\/p>\n
            # firewall-cmd --permanent --add-service=samba\r\n# firewall-cmd --reload\r\n<\/pre>\n
            Step 4: Configure Samba Share<\/h3>\n
            Now it\u2019s time to dive into the configuration file\u00a0\/etc\/samba\/smb.conf<\/strong>\u00a0and add the section for our share: we want the members of the\u00a0finance<\/strong>\u00a0group to be able to browse the contents of\u00a0\/finance<\/strong>, and save\u00a0\/<\/strong>\u00a0create files or subdirectories in it (which by default will have their permission bits set to\u00a00770<\/strong>\u00a0and\u00a0finance<\/strong>\u00a0will be their group owner):<\/p>\n
            smb.conf<\/div>\n
            [finance]\r\ncomment=Directory for collaboration of the company's finance team\r\nbrowsable=yes\r\npath=\/finance\r\npublic=no\r\nvalid users=@finance\r\nwrite list=@finance\r\nwriteable=yes\r\ncreate mask=0770\r\nForce create mode=0770\r\nforce group=finance\r\n<\/pre>\n
            Save the file and then test it with the\u00a0testparm<\/strong>\u00a0utility. If there are any errors, the output of the following command will indicate what you need to fix. Otherwise, it will display a review of your Samba server configuration:<\/p>\n
            \n
            \"Test<\/a><\/p>\n
            Test Samba Configuration<\/p>\n<\/div>\n
            Should you want to add another share that is open to the public (meaning without any authentication whatsoever), create another section in\u00a0\/etc\/samba\/smb.conf<\/strong>\u00a0and under the new share\u2019s name copy the section above, only changing\u00a0public=no<\/strong>\u00a0to\u00a0public=yes<\/strong>\u00a0and not including the valid users and write list directives.<\/p>\n
            Step 5: Adding Samba Users<\/h3>\n
            Next, you will need to add\u00a0user1<\/strong>\u00a0and\u00a0user2<\/strong>\u00a0as Samba users. To do so, you will use the\u00a0smbpasswd<\/strong>\u00a0command, which interacts with Samba\u2019s internal database. You will be prompted to enter a password that you will later use to connect to the share:<\/p>\n
            # smbpasswd -a user1\r\n# smbpasswd -a user2\r\n<\/pre>\n
            Finally, restart\u00a0Samba<\/strong>, enable the service to start on boot, and make sure the share is actually available to network clients:<\/p>\n
            # systemctl start smb\r\n# systemctl enable smb\r\n# smbclient -L localhost \u2013U user1\r\n# smbclient -L localhost \u2013U user2\r\n<\/pre>\n
            \n
            \"Verify<\/a><\/p>\n
            Verify Samba Share<\/p>\n<\/div>\n
            At this point, the Samba file server has been properly installed and configured. Now it\u2019s time to test this setup on our\u00a0RHEL 7<\/strong>\u00a0and\u00a0Windows 8<\/strong>\u00a0clients.<\/p>\n
            Step 6:\u200b Mounting the Samba Share in Linux<\/h3>\n
            First, make sure the Samba share is accessible from this client:<\/p>\n
            # smbclient \u2013L 192.168.0.18 -U user2\r\n<\/pre>\n
            \n
            \"Mount<\/a><\/p>\n
            Mount Samba Share on Linux<\/p>\n<\/div>\n
            (repeat the above command for user1)<\/p>\n
            As any other storage media, you can mount (and later unmount) this network share when needed:<\/p>\n
            # mount \/\/192.168.0.18\/finance \/media\/samba -o username=user1\r\n<\/pre>\n
            \n
            \"Mount<\/a><\/p>\n
            Mount Samba Network Share<\/p>\n<\/div>\n
            (where\u00a0\/media\/samba<\/strong>\u00a0is an existing directory)<\/p>\n
            or permanently, by adding the following entry in\u00a0\/etc\/fstab<\/strong>\u00a0file:<\/p>\n
            fstab<\/div>\n
            \/\/192.168.0.18\/finance \/media\/samba cifs credentials=\/media\/samba\/.smbcredentials,defaults 0 0\r\n<\/pre>\n
            Where the hidden file\u00a0\/media\/samba\/.smbcredentials<\/strong>\u00a0(whose permissions and ownership have been set to\u00a0600<\/strong>and\u00a0root:root<\/strong>, respectively) contains two lines that indicate the username and password of an account that is allowed to use the share:<\/p>\n
            .smbcredentials<\/div>\n
            username=user1\r\npassword=PasswordForUser1\r\n<\/pre>\n
            Finally, let\u2019s create a file inside\u00a0\/finance<\/strong>\u00a0and check the permissions and ownership:<\/p>\n
            # touch \/media\/samba\/FileCreatedInRHELClient.txt\r\n<\/pre>\n
            \n
            \"Create<\/a><\/p>\n
            Create File in Samba Share<\/p>\n<\/div>\n
            As you can see, the file was created with\u00a00770<\/strong>\u00a0permissions and ownership set to\u00a0user1:finance<\/strong>.<\/p>\n
            Step 7: Mounting the Samba Share in Windows<\/h3>\n
            To mount the Samba share in Windows, go to\u00a0My PC<\/strong>\u00a0and choose\u00a0Computer<\/strong>, then\u00a0Map<\/strong>\u00a0network drive. Next, assign a letter for the drive to be mapped and check Connect using different credentials (the screenshots below are in Spanish, my native language):<\/p>\n
            \n
            \"Mount<\/a><\/p>\n
            Mount Samba Share in Windows<\/p>\n<\/div>\n
            Finally, let\u2019s create a file and check the permissions and ownership:<\/p>\n
            \n
            \"Create<\/a><\/p>\n
            Create Files on Windows Samba Share<\/p>\n<\/div>\n
            # ls -l \/finance\r\n<\/pre>\n
            This time the file belongs to\u00a0user2<\/strong>\u00a0since that\u2019s the account we used to connect from the Windows client.<\/p>\n
            Summary<\/h3>\n
            In this article we have explained not only how to set up a\u00a0Samba<\/strong>\u00a0server and two clients using different operating systems, but also\u00a0how to configure the firewalld<\/a>\u00a0and\u00a0SELinux on the server<\/a>\u00a0to allow the desired group collaboration capabilities.<\/p>\n
            Last, but not least, let me recommend the reading of the online\u00a0man page of smb.conf<\/a>\u00a0to explore other configuration directives that may be more suitable for your case than the scenario described in this article.<\/p>\n
            As always, feel free to drop a comment using the form below if you have any comments or suggestions.<\/p>\n
            Setting Up NFS Server with Kerberos-based Authentication for Linux Clients \u2013 Part 7<\/h1>\n
            In the last article of this series, we reviewed\u00a0how to set up a Samba share over a network<\/a>\u00a0that may consist of multiple types of operating systems. Now, if you need to set up file sharing for a group of Unix-like clients you will automatically think of the\u00a0Network File System<\/strong>, or\u00a0NFS<\/strong>\u00a0for short.<\/p>\n
            \n
            \"Setting<\/a><\/p>\n
            RHCE Series: Setting Up NFS Server with Kerberos Authentication \u2013 Part 7<\/p>\n<\/div>\n
            In this article we will walk you through the process of using\u00a0Kerberos-based<\/strong>\u00a0authentication for\u00a0NFS<\/strong>\u00a0shares. It is assumed that you already have set up a NFS server and a client. If not, please refer to\u00a0install and configure NFS server<\/a>\u00a0\u2013 which will list the necessary packages that need to be installed and explain how to perform initial configurations on the server before proceeding further.<\/p>\n
            In addition, you will want to configure both\u00a0SELinux<\/a>\u00a0and\u00a0firewalld<\/a>\u00a0to allow for file sharing through NFS.<\/p>\n
            The following example assumes that your\u00a0NFS<\/strong>\u00a0share is located in\u00a0\/nfs<\/strong>\u00a0in\u00a0box2<\/strong>:<\/p>\n
            # semanage fcontext -a -t public_content_rw_t \"\/nfs(\/.*)?\"\r\n# restorecon -R \/nfs\r\n# setsebool -P nfs_export_all_rw on\r\n# setsebool -P nfs_export_all_ro on\r\n<\/pre>\n
            (where the\u00a0-P<\/strong>\u00a0flag indicates persistence across reboots).<\/p>\n
            Finally, don\u2019t forget to:<\/p>\n
            Create NFS Group and Configure NFS Share Directory<\/h4>\n
            1.<\/strong>\u00a0Create a group called\u00a0nfs<\/strong>\u00a0and add the\u00a0nfsnobody<\/strong>\u00a0user to it, then change the permissions of the\u00a0\/nfs<\/strong>\u00a0directory to\u00a00770<\/strong>\u00a0and its group owner to\u00a0nfs<\/strong>. Thus,\u00a0nfsnobody<\/strong>\u00a0(which is mapped to the client requests) will have write permissions on the share) and you won\u2019t need to use\u00a0no_root_squash<\/strong>\u00a0in the\u00a0\/etc\/exports<\/strong>\u00a0file.<\/p>\n
            # groupadd nfs\r\n# usermod -a -G nfs nfsnobody\r\n# chmod 0770 \/nfs\r\n# chgrp nfs \/nfs\r\n<\/pre>\n
            2.<\/strong>\u00a0Modify the exports file (\/etc\/exports<\/strong>) as follows to only allow access from\u00a0box1<\/strong>\u00a0using\u00a0Kerberos<\/strong>\u00a0security (sec=krb5<\/strong>).<\/p>\n
            Note<\/strong>: that the value of\u00a0anongid<\/strong>\u00a0has been set to the\u00a0GID<\/strong>\u00a0of the\u00a0nfs<\/strong>\u00a0group that we created previously:<\/p>\n
            exports \u2013 Add NFS Share<\/div>\n
            \/nfs box1(rw,sec=krb5,anongid=1004)\r\n<\/pre>\n
            3.<\/strong>\u00a0Re-export\u00a0(-r)<\/strong>\u00a0all\u00a0(-a)<\/strong>\u00a0the NFS shares. Adding verbosity to the output\u00a0(-v)<\/strong>\u00a0is a good idea since it will provide helpful information to troubleshoot the server if something goes wrong:<\/p>\n
            # exportfs -arv\r\n<\/pre>\n
            4.<\/strong>\u00a0Restart and enable the NFS server and related services. Note that you don\u2019t have to enable\u00a0nfs-lock<\/strong>\u00a0and\u00a0nfs-idmapd<\/strong>\u00a0because they will be automatically started by the other services on boot:<\/p>\n
            # systemctl restart rpcbind nfs-server nfs-lock nfs-idmap\r\n# systemctl enable rpcbind nfs-server\r\n<\/pre>\n
            Testing Environment and Other Prerequisites<\/h4>\n
            In this guide we will use the following test environment:<\/p>\n
              \n
            1. Client machine [box1: 192.168.0.18<\/strong>]<\/li>\n
            2. NFS \/ Kerberos server\u00a0[box2: 192.168.0.20]<\/strong>\u00a0(also known as\u00a0Key Distribution Center<\/strong>, or\u00a0KDC<\/strong>\u00a0for short).<\/li>\n<\/ol>\n
              Note<\/strong>: that\u00a0Kerberos<\/strong>\u00a0service is crucial to the authentication scheme.<\/p>\n
              As you can see, the\u00a0NFS<\/strong>\u00a0server and the\u00a0KDC<\/strong>\u00a0are hosted in the same machine for simplicity, although you can set them up in separate machines if you have more available. Both machines are members of the\u00a0mydomain.com<\/code>domain.<\/p>\n
              Last but not least,\u00a0Kerberos<\/strong>\u00a0requires at least a basic schema of name resolution and the\u00a0Network Time Protocol<\/a>service to be present in both client and server since the security of Kerberos authentication is in part based upon the timestamps of tickets.<\/p>\n
              To set up name resolution, we will use the\u00a0\/etc\/hosts<\/strong>\u00a0file in both client and server:<\/p>\n
              host file \u2013 Add DNS for Domain<\/div>\n
              192.168.0.18    box1.mydomain.com    box1\r\n192.168.0.20    box2.mydomain.com    box2\r\n<\/pre>\n
              In\u00a0RHEL 7<\/strong>,\u00a0chrony<\/strong>\u00a0is the default software that is used for\u00a0NTP<\/strong>\u00a0synchronization:<\/p>\n
              # yum install chrony\r\n# systemctl start chronyd\r\n# systemctl enable chronyd\r\n<\/pre>\n
              To make sure\u00a0chrony<\/strong>\u00a0is actually synchronizing your system\u2019s time with time servers you may want to issue the following command two or three times and make sure the offset is getting nearer to zero:<\/p>\n
              # chronyc tracking\r\n<\/pre>\n
              \n
              \"Synchronize<\/a><\/p>\n
              Synchronize Server Time with Chrony<\/p>\n<\/div>\n
              Installing and Configuring Kerberos<\/h3>\n
              To set up the\u00a0KDC<\/strong>, install the following packages on both\u00a0server<\/strong>\u00a0and\u00a0client<\/strong>\u00a0(omit the server package in the client):<\/p>\n
              # yum update && yum install krb5-server krb5-workstation pam_krb5\r\n<\/pre>\n
              Once it is installed, edit the configuration files (\/etc\/krb5.conf<\/strong>\u00a0and\u00a0\/var\/kerberos\/krb5kdc\/kadm5.acl<\/strong>) and replace all instances of\u00a0example.com<\/strong>\u00a0(lowercase and uppercase) with\u00a0mydomain.com<\/code>\u00a0as follows.<\/p>\n
              Now create the\u00a0Kerberos<\/strong>\u00a0database (please note that this may take a while as it requires a some level of entropy in your system. To speed things up, I opened another terminal and ran\u00a0ping -f localhost<\/strong>\u00a0for 30-45 seconds):<\/p>\n
              # kdb5_util create -s\r\n<\/pre>\n
              \n
              \"Create<\/a><\/p>\n
              Create Kerberos Database<\/p>\n<\/div>\n
              Next, enable\u00a0Kerberos<\/strong>\u00a0through the\u00a0firewall<\/strong>\u00a0and start \/ enable the related services.<\/p>\n
              Important<\/strong>:\u00a0nfs-secure<\/strong>\u00a0must be started and enabled on the client as well:<\/p>\n
              # firewall-cmd --permanent --add-service=kerberos\r\n# systemctl start krb5kdc kadmin nfs-secure   \r\n# systemctl enable krb5kdc kadmin nfs-secure       \r\n<\/pre>\n
              Next, using the\u00a0kadmin.local<\/strong>\u00a0tool, create an admin principal for root:<\/p>\n
              # kadmin.local\r\n# addprinc root\/admin\r\n<\/pre>\n
              And add the\u00a0Kerberos<\/strong>\u00a0server to the database:<\/p>\n
              # addprinc -randkey host\/box2.mydomain.com\r\n<\/pre>\n
              Same with the\u00a0NFS<\/strong>\u00a0service for both client (box1<\/strong>) and server (box2<\/strong>). Please note that in the screenshot below I forgot to do it for\u00a0box1<\/strong>\u00a0before quitting:<\/p>\n
              # addprinc -randkey nfs\/box2.mydomain.com\r\n# addprinc -randkey nfs\/box1.mydomain.com\r\n<\/pre>\n
              And\u00a0exit<\/strong>\u00a0by typing\u00a0quit<\/strong>\u00a0and pressing Enter:<\/p>\n
              \n
              \"Add<\/a><\/p>\n
              Add Kerberos to NFS Server<\/p>\n<\/div>\n
              Then obtain and cache Kerberos ticket-granting ticket for root\/admin:<\/p>\n
              # kinit root\/admin\r\n# klist\r\n<\/pre>\n
              \n
              \"Cache<\/a><\/p>\n
              Cache Kerberos<\/p>\n<\/div>\n
              The last step before actually using\u00a0Kerberos<\/strong>\u00a0is storing into a\u00a0keytab<\/strong>\u00a0file (in the server) the principals that are authorized to use Kerberos authentication:<\/p>\n
              # kadmin.local\r\n# ktadd host\/box2.mydomain.com\r\n# ktadd nfs\/box2.mydomain.com\r\n# ktadd nfs\/box1.mydomain.com\r\n<\/pre>\n
              Finally, mount the share and perform a write test:<\/p>\n
              # mount -t nfs4 -o sec=krb5 box2:\/nfs \/mnt\r\n# echo \"Hello from Tecmint.com\" > \/mnt\/greeting.txt\r\n<\/pre>\n
              \n
              \"Mount<\/a><\/p>\n
              Mount NFS Share<\/p>\n<\/div>\n
              Let\u2019s now\u00a0unmount<\/strong>\u00a0the share, rename the\u00a0keytab<\/strong>\u00a0file in the client (to simulate it\u2019s not present) and try to mount the share again:<\/p>\n
              # umount \/mnt\r\n# mv \/etc\/krb5.keytab \/etc\/krb5.keytab.orig\r\n<\/pre>\n
              \n
              \"Mount<\/a><\/p>\n
              Mount Unmount Kerberos NFS Share<\/p>\n<\/div>\n
              Now you can use the\u00a0NFS<\/strong>\u00a0share with\u00a0Kerberos-based<\/strong>\u00a0authentication.<\/p>\n
              Summary<\/h3>\n
              In this article we have explained how to set up\u00a0NFS<\/strong>\u00a0with\u00a0Kerberos<\/strong>\u00a0authentication. Since there is much more to the topic than we can cover in a single guide, feel free to check the online\u00a0Kerberos documentation<\/a>\u00a0and since Kerberos is a bit tricky to say the least, don\u2019t hesitate to drop us a note using the form below if you run into any issue or need help with your testing or implementation.<\/p>\n
              RHCE Series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache \u2013 Part 8<\/h1>\n
              If you are a system administrator who is in charge of maintaining and securing a web server, you can\u2019t afford to not devote your very best efforts to ensure that data served by or going through your server is protected at all times.<\/p>\n
              \n
              \"Setup<\/a><\/p>\n
              RHCE Series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache \u2013 Part 8<\/p>\n<\/div>\n
              In order to provide more secure communications between web clients and servers, the\u00a0HTTPS<\/strong>\u00a0protocol was born as a combination of\u00a0HTTP<\/strong>\u00a0and\u00a0SSL<\/strong>\u00a0(Secure Sockets Layer<\/strong>) or more recently,\u00a0TLS<\/strong>\u00a0(Transport Layer Security<\/strong>).<\/p>\n
              Due to some serious security breaches,\u00a0SSL<\/strong>\u00a0has been deprecated in favor of the more robust\u00a0TLS<\/strong>. For that reason, in this article we will explain how to secure connections between your web server and clients using TLS.<\/p>\n
              This tutorial assumes that you have already installed and configured your Apache web server. If not, please refer to following article in this site before proceeding further.<\/p>\n
                \n
              1. Install LAMP (Linux, MySQL\/MariaDB, Apache and PHP) on RHEL\/CentOS 7<\/a><\/li>\n<\/ol>\n
                Installation of OpenSSL and Utilities<\/h3>\n
                First off, make sure that\u00a0Apache<\/strong>\u00a0is running and that both\u00a0http<\/strong>\u00a0and\u00a0https<\/strong>\u00a0are allowed through the firewall:<\/p>\n
                # systemctl start http\r\n# systemctl enable http\r\n# firewall-cmd --permanent \u2013-add-service=http\r\n# firewall-cmd --permanent \u2013-add-service=https\r\n<\/pre>\n
                Then install the necessary packages:<\/p>\n
                # yum update && yum install openssl mod_nss crypto-utils\r\n<\/pre>\n
                Important<\/strong>: Please note that you can replace\u00a0mod_nss<\/strong>\u00a0with\u00a0mod_ssl<\/strong>\u00a0in the command above if you want to use\u00a0OpenSSL<\/strong>\u00a0libraries instead of\u00a0NSS<\/strong>\u00a0(Network Security Service<\/strong>) to implement\u00a0TLS<\/strong>\u00a0(which one to use is left entirely up to you, but we will use NSS in this article as it is more robust; for example, it supports recent cryptography standards such as\u00a0PKCS #11<\/strong>).<\/p>\n
                Finally, uninstall\u00a0mod_ssl<\/strong>\u00a0if you chose to use\u00a0mod_nss<\/strong>, or viceversa.<\/p>\n
                # yum remove mod_ssl\r\n<\/pre>\n
                Configuring NSS (Network Security Service)<\/h3>\n
                After\u00a0mod_nss<\/strong>\u00a0is installed, its default configuration file is created as\u00a0\/etc\/httpd\/conf.d\/nss.conf<\/strong>. You should then make sure that all of the\u00a0Listen<\/strong>\u00a0and\u00a0VirtualHost<\/strong>\u00a0directives point to port\u00a0443<\/strong>\u00a0(default port for HTTPS):<\/p>\n
                nss.conf \u2013 Configuration File<\/div>\n
                Listen 443\r\nVirtualHost _default_:443\r\n<\/pre>\n
                Then restart\u00a0Apache<\/strong>\u00a0and check whether the\u00a0mod_nss<\/strong>\u00a0module has been loaded:<\/p>\n
                # apachectl restart\r\n# httpd -M | grep nss\r\n<\/pre>\n
                \n
                \"Check<\/a><\/p>\n
                Check Mod_NSS Module Loaded in Apache<\/p>\n<\/div>\n
                Next, the following edits should be made in\u00a0\/etc\/httpd\/conf.d\/nss.conf<\/code>\u00a0configuration file:<\/p>\n
                1.<\/strong>\u00a0Indicate NSS database directory. You can use the default directory or create a new one. In this tutorial we will use the default:<\/p>\n
                NSSCertificateDatabase \/etc\/httpd\/alias\r\n<\/pre>\n
                2.<\/strong>\u00a0Avoid manual passphrase entry on each system start by saving the password to the database directory in\u00a0\/etc\/httpd\/nss-db-password.conf<\/strong>:<\/p>\n
                NSSPassPhraseDialog file:\/etc\/httpd\/nss-db-password.conf\r\n<\/pre>\n
                Where\u00a0\/etc\/httpd\/nss-db-password.conf<\/strong>\u00a0contains ONLY the following line and\u00a0mypassword<\/strong>\u00a0is the password that you will set later for the NSS database:<\/p>\n
                internal:mypassword\r\n<\/pre>\n
                In addition, its permissions and ownership should be set to\u00a00640<\/strong>\u00a0and\u00a0root:apache<\/strong>, respectively:<\/p>\n
                # chmod 640 \/etc\/httpd\/nss-db-password.conf\r\n# chgrp apache \/etc\/httpd\/nss-db-password.conf\r\n<\/pre>\n
                3.<\/strong>\u00a0Red Hat recommends disabling\u00a0SSL<\/strong>\u00a0and all versions of\u00a0TLS<\/strong>\u00a0previous to\u00a0TLSv1.0<\/strong>\u00a0due to the\u00a0POODLE SSLv3<\/strong>vulnerability (more information\u00a0here<\/a>).<\/p>\n
                Make sure that every instance of the\u00a0NSSProtocol<\/strong>\u00a0directive reads as follows (you are likely to find only one if you are not hosting other virtual hosts):<\/p>\n
                NSSProtocol TLSv1.0,TLSv1.1\r\n<\/pre>\n
                4.<\/strong>\u00a0Apache will refuse to restart as this is a self-signed certificate and will not recognize the issuer as valid. For this reason, in this particular case you will have to add:<\/p>\n
                NSSEnforceValidCerts off\r\n<\/pre>\n
                5.<\/strong>\u00a0Though not strictly required, it is important to set a password for the NSS database:<\/p>\n
                # certutil -W -d \/etc\/httpd\/alias\r\n<\/pre>\n
                \n
                \"Set<\/a><\/p>\n
                Set Password for NSS Database<\/p>\n<\/div>\n
                Creating a Apache SSL Self-Signed Certificate<\/h3>\n
                Next, we will create a self-signed certificate that will identify the server to our clients (please note that this method is not the best option for production environments; for such use you may want to consider buying a certificate verified by a 3rd trusted certificate authority, such as\u00a0DigiCert<\/strong>).<\/p>\n
                To create a new NSS-compliant certificate for\u00a0box1<\/strong>\u00a0which will be valid for\u00a0365<\/strong>\u00a0days, we will use the\u00a0genkey<\/strong>command. When this process completes:<\/p>\n
                # genkey --nss --days 365 box1\r\n<\/pre>\n
                Choose\u00a0Next<\/strong>:<\/p>\n
                \n
                \"Create<\/a><\/p>\n
                Create Apache SSL Key<\/p>\n<\/div>\n
                You can leave the default choice for the key size (2048<\/strong>), then choose\u00a0Next<\/strong>\u00a0again:<\/p>\n
                \n
                \"Select<\/a><\/p>\n
                Select Apache SSL Key Size<\/p>\n<\/div>\n
                Wait while the system generates random bits:<\/p>\n
                \n
                \"Generating<\/a><\/p>\n
                Generating Random Key Bits<\/p>\n<\/div>\n
                To speed up the process, you will be prompted to enter random text in your console, as shown in the following screencast. Please note how the progress bar stops when no input from the keyboard is received. Then, you will be asked to:<\/p>\n
                1.<\/strong>\u00a0Whether to send the\u00a0Certificate Sign Request<\/strong>\u00a0(CSR<\/strong>) to a\u00a0Certificate Authority<\/strong>\u00a0(CA<\/strong>): Choose\u00a0No<\/strong>, as this is a self-signed certificate.<\/p>\n
                2.<\/strong>\u00a0to enter the information for the certificate.<\/p>\n
                \n