Topics: Red Hat, Security, System Admin

Resetting the root password for a KVM guest image

Red Hat offers a ready-made KVM guest image for download, which you can start immediately within virt-manager. This saves you the trouble and time of installing the operating system yourself.

However, that image ships without a known root password, so you cannot log in as root on a KVM guest image as provided by Red Hat.

Luckily, there is an easy way to set the root password on a KVM guest image.

Start by installing guestfish (the libguestfs tools package that provides it also provides virt-customize, used below):

# yum -y install guestfish
Guestfish is a command-line tool for accessing the file systems inside guest virtual machine images; virt-customize comes from the same tool set.

Next, update the image file. This assumes the image file is located in /var/lib/libvirt/images, is called "rhel7.5.beta1.qcow2", is not attached to a running guest (modifying a disk image while the guest is using it corrupts the file system), and that you want to set the password to "PASSWORD":
# cd /var/lib/libvirt/images
# virt-customize -a rhel7.5.beta1.qcow2 --root-password password:PASSWORD
Note that in this form the password is part of the command line, so it ends up in the shell history and is visible to every user in the process list while the command runs. The same option also accepts the password from a file (the "file:" form) or can generate a random one ("random"); use one of those on a shared host.
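The same step as a script that keeps the password off the command line and refuses to touch an image a running guest is using, as an added example (not the page's own commands). It assumes libguestfs-tools (virt-customize) is installed and, for the in-use check, that libvirt's virsh is available; the function name and the password-file convention are this example's own.

```shell
#!/bin/bash
# Added example, not from the original page: set the root password of an offline
# KVM guest image without putting the password on the command line, where it would
# be visible in `ps` and in the shell history. Assumes libguestfs-tools (virt-customize)
# and, optionally, libvirt's virsh for the in-use check.
set -eu

# set_root_password IMAGE PASSWORD_FILE
#   IMAGE          the qcow2/raw image, which must not be attached to a running guest
#   PASSWORD_FILE  its first line is the new root password; must be mode 0600 or 0400
# Returns 1 (without running virt-customize) when a precondition fails.
set_root_password() {
    local img="$1" pwfile="$2" mode dom
    [ -f "$img" ]    || { echo "image not found: $img" >&2; return 1; }
    [ -f "$pwfile" ] || { echo "password file not found: $pwfile" >&2; return 1; }
    mode=$(stat -c %a "$pwfile")
    case "$mode" in
        600|400) ;;
        *) echo "$pwfile must be mode 0600 or 0400, not $mode" >&2; return 1 ;;
    esac
    # Best-effort guard: editing an image while the guest runs corrupts the file system.
    # Only matches if the path is spelled the same way as in the domain XML.
    if command -v virsh >/dev/null 2>&1; then
        for dom in $(virsh -q list --name 2>/dev/null); do
            if virsh -q domblklist "$dom" 2>/dev/null | grep -qF -- "$img"; then
                echo "$img is attached to running guest $dom; shut it down first" >&2
                return 1
            fi
        done
    fi
    # file: reads the password from the file instead of from argv.
    # --selinux-relabel: /etc/shadow was rewritten from outside the guest, so relabel
    # it now rather than letting a mislabelled shadow file break logins on first boot.
    virt-customize -a "$img" --root-password "file:$pwfile" --selinux-relabel
}
```

Usage: `printf '%s\n' 'new-password' > /root/guest-pw; chmod 600 /root/guest-pw; set_root_password /var/lib/libvirt/images/rhel7.5.beta1.qcow2 /root/guest-pw`, then delete the password file.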

Topics: Red Hat, System Admin

Keystrokes used in top

The top command is quite useful in Red Hat Enterprise Linux. This is a list of common keystrokes that can be used in top:

Key       Purpose
? or h    Help for interactive keystrokes.
l, t, m   Toggles for load, threads, and memory header lines.
1         Toggle showing individual CPUs or a summary for all CPUs in the header.
s or d    Change the refresh (screen) rate, in decimal seconds (e.g., 0.5, 1, 5).
b         Toggle reverse highlighting for Running processes; default is bold only.
B         Enable use of bold in the display, in the header, and for Running processes.
H         Toggle threads; show process summary or individual threads.
u, U      Filter for any user name (effective, real).
M         Sort the process listing by memory usage, in descending order.
P         Sort the process listing by processor utilization, in descending order.
k         Kill a process. When prompted, enter PID, then signal.
r         Renice a process. When prompted, enter PID, then nice_value.
W         Write (save) the current display configuration for use at the next top restart.
q         Quit.

Topics: Red Hat, System Admin

Processes

A process is a running instance of a launched, executable program. A process consists of:

  • an address space of allocated memory,
  • security properties including ownership credentials and privileges,
  • one or more execution threads of program code, and
  • the process state.
The environment of a process includes:
  • local and global variables,
  • a current scheduling context, and
  • allocated system resources, such as file descriptors and network ports.
An existing (parent) process duplicates its own address space (fork) to create a new (child) process structure. Every new process is assigned a unique process ID (PID) for tracking and security. The PID and the parent's process ID (PPID) are elements of the new process environment. Any process may create a child process. All processes are descendants of the first system process, which is systemd(1) on a Red Hat Enterprise Linux 7 system.


Through the fork routine, a child process inherits security identities, previous and current file descriptors, port and resource privileges, environment variables, and program code. A child process may then exec its own program code. Normally, a parent process sleeps while the child process runs, setting a request (wait) to be signaled when the child completes. Upon exit, the child process has already closed or discarded its resources and environment; the remainder is referred to as a zombie. The parent, signaled awake when the child exited, cleans the remaining structure, then continues with its own program code execution.

In a multitasking operating system, each CPU (or CPU core) can be working on one process at a single point in time. As a process runs, its immediate requirements for CPU time and resource allocation change. Processes are assigned a state, which changes as circumstances require.


The Linux process states are illustrated in the previous diagram and described in the following table.

Name      Flag  Kernel-defined state name and description
Running   R     TASK_RUNNING: The process is either executing on a CPU or waiting to run. A process can be executing user routines or kernel routines (system calls), or be queued and ready, while in the Running (or Runnable) state.
Sleeping  S     TASK_INTERRUPTIBLE: The process is waiting for some condition: a hardware request, system resource access, or a signal. When an event or signal satisfies the condition, the process returns to Running.
          D     TASK_UNINTERRUPTIBLE: The process is also sleeping, but unlike the S state it will not respond to delivered signals. Used only under specific conditions in which interrupting the process could leave a device in an unpredictable state.
          K     TASK_KILLABLE: Identical to the uninterruptible D state, but modified so that the waiting task does respond to a signal that kills it (exits completely). Utilities frequently display killable processes as D state.
Stopped   T     TASK_STOPPED: The process has been stopped (suspended), usually by being signaled by a user or another process. It can be continued (resumed) by another signal and return to Running.
          T     TASK_TRACED: A process that is being debugged is also temporarily stopped and shares the same T state flag.
Zombie    Z     EXIT_ZOMBIE: A child process signals its parent as it exits. All resources except for the process identity (PID) are released.
          X     EXIT_DEAD: When the parent cleans up (reaps) the remaining child process structure, the process is released completely. This state will never be observed in process-listing utilities.

Topics: Red Hat, System Admin

How to tie a system to a specific update of Red Hat Enterprise Linux

See https://access.redhat.com/solutions/238533 if you need to update a Red Hat Enterprise Linux system but must make sure it is not moved to a new minor release at the same time (e.g. from version 7.3 to version 7.4).

The trick is the "releasever" option of the yum command. For example, if you have a Red Hat Enterprise Linux system running version 7.3 (check with "cat /etc/redhat-release") and you need to keep it at that version (e.g. for application-specific reasons), run the following command to update only the packages that belong to the 7.3 content set:

# yum --releasever=7.3 update
Once the update has completed, check /etc/redhat-release to confirm the system is still at version 7.3 and has not been upgraded to version 7.4. On a system registered through subscription-manager, "subscription-manager release --set=7.3" makes the same pinning persistent, so a plain "yum update" honours it too. Bear in mind what pinning costs you: a minor release only keeps receiving security errata for as long as Red Hat maintains that stream, which for RHEL means an Extended Update Support subscription; without it, a pinned system silently stops getting fixes.

Don't forget to reboot the system after installing updates. The following command indicates whether the system needs to be rebooted for all installed updates to take effect (a new kernel, glibc or systemd, for example):
# needs-restarting -r
If the needs-restarting command is not available on your system, install the yum-utils RPM:
# yum -y install yum-utils

Topics: Red Hat, System Admin

Read PDF files in Gnome

There are two easy ways to read PDF files in Gnome (the default desktop for Red Hat Enterprise Linux): use Firefox or Evince.

Evince is the Gnome document viewer, and can be easily opened as follows:

# evince /usr/share/doc/libtasn1-4.10/libtasn1.pdf
You can also use Firefox. Firefox has built-in PDF support. You can open it as follows:
# firefox /usr/share/doc/libtasn1-4.10/libtasn1.pdf

Topics: Red Hat, System Admin

Resizing a Red Hat swap space

The general procedure for resizing a swap space is as follows (assuming the swap space is a logical volume within the root volume group called vg_root), for example to resize the swap space to 8 GB:

# swapoff -v /dev/mapper/vg_root-lv_swap
# lvm lvresize /dev/mapper/vg_root-lv_swap -L 8G
# mkswap /dev/mapper/vg_root-lv_swap
# swapon -va
Two things to check before you start. swapoff has to move every page that is currently swapped out back into RAM, so make sure there is enough free memory for that; otherwise the command stalls or the kernel starts killing processes. And mkswap writes a new swap signature with a new UUID: if /etc/fstab (or a resume= kernel parameter) refers to the swap space by UUID rather than by device path, either update that entry or hand the old UUID to mkswap with its -U option, or "swapon -va" will not find the swap space. When shrinking, lvresize asks for confirmation because reducing an active logical volume discards data; for a swap volume that is switched off, that is fine.
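The procedure wrapped in a function that checks both points first and preserves the UUID, as an added example that is not from the original page. It assumes util-linux (blkid, mkswap, swapon) and lvm2 are installed and that the resize itself runs as root; the function names and the 8G example size are this example's own.

```shell
#!/bin/bash
# Added example, not the page's own commands: resize a swap logical volume while
# keeping its UUID so that an /etc/fstab or resume= entry referencing the old UUID
# keeps working. Assumes util-linux (blkid, mkswap, swapon) and lvm2; the actual
# resize must run as root.
set -eu

# swap_used_kb: kilobytes of swap currently in use, from /proc/meminfo.
swap_used_kb() {
    awk '/^SwapTotal:/ {t=$2} /^SwapFree:/ {f=$2} END {print t-f}' /proc/meminfo
}

# mem_available_kb: RAM the kernel can hand out without swapping (MemAvailable is
# present on RHEL 7 kernels and later).
mem_available_kb() {
    awk '/^MemAvailable:/ {print $2}' /proc/meminfo
}

# swap_fstab_uuid FSTAB: print the UUID of the swap entry in FSTAB when it is
# referenced as UUID=...; prints nothing when swap is referenced by device path.
swap_fstab_uuid() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1; exit }' "$1"
}

# resize_swap_lv DEVICE SIZE   e.g. resize_swap_lv /dev/mapper/vg_root-lv_swap 8G
resize_swap_lv() {
    local dev="$1" size="$2" uuid
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    # swapoff pulls every swapped-out page back into RAM; refuse if it would not fit
    if [ "$(swap_used_kb)" -gt "$(mem_available_kb)" ]; then
        echo "swap in use ($(swap_used_kb) kB) exceeds MemAvailable; free memory first" >&2
        return 1
    fi
    uuid=$(blkid -s UUID -o value "$dev" || true)
    swapoff -v "$dev"
    lvresize -y -L "$size" "$dev"       # -y answers the "may destroy data" prompt when shrinking
    if [ -n "$uuid" ]; then
        mkswap -U "$uuid" "$dev"        # re-create the signature with the ORIGINAL UUID
    else
        mkswap "$dev"
    fi
    swapon -va                          # re-activate everything listed in /etc/fstab
}
```

Before running it, `swap_fstab_uuid /etc/fstab` tells you whether fstab references swap by UUID at all; if it prints nothing, the entry uses a device path and the UUID does not matter.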

Topics: Red Hat, System Admin

Subscribing a Red Hat system

Here's how to register and unregister a Red Hat system through subscription-manager. A system has to be registered, for example, before it can receive operating system updates from Red Hat. On hosts you build automatically, prefer registering with an activation key (the --org and --activationkey options) so that no account password has to be typed into, or scripted onto, each system.

First, here's how to unregister a system. This comes in handy if you do not have enough subscriptions in your Red Hat account and temporarily want to move a valid subscription over to another system:

# subscription-manager unregister
System has been unregistered.
And here's how you register:
# subscription-manager register
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: [type your Red Hat username here]
Password: [type your Red Hat password here]
The system has been registered with ID: 3db39bee-bd48-46e8-9abc-9ba9
If you have issues registering a server, try removing all Red Hat subscription information first, and then register again, using the "auto-attach" option:
# subscription-manager clean
All local data removed
# subscription-manager list

+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.4
Arch:           x86_64
Status:         Unknown
Status Details:
Starts:
Ends:

# subscription-manager register --auto-attach
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: [type your Red Hat username here]
Password: [type your Red Hat password here]
The system has been registered with ID: 3db39bee-bd48-46e8-9abc-9ba9

Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

# subscription-manager list

+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.4
Arch:           x86_64
Status:         Subscribed
Status Details:
Starts:         12/27/2017
Ends:           12/26/2020
If you wish to use a specific Red Hat subscription, then you may first check for the available Red Hat subscriptions, by running:
# subscription-manager list --available --all
In the output of the command above, you will see, if any subscriptions are available, a Pool ID. You can use that Pool ID to attach a specific subscription to the system, for example, by running:
# subscription-manager attach pool=8a85f98c6267d2d90162734a700467b2

Topics: Security, System Admin

Automatically accept new SSH keys

Whenever you have to connect through SSH to a lot of different servers, and you create a command for it like this:

# for h in $SERVER_LIST; do ssh $h "uptime"; done
You may run into a prompt that stops your command, especially when a new server is added to $SERVER_LIST, like this:
The authenticity of host 'myserver (1.2.3.4)' can't be established.
RSA key fingerprint is .....
Are you sure you want to continue connecting (yes/no)?
And you'll have to type "yes" every time this prompt is encountered.

So, how do you automate this, and not have to type "yes" with every new host?

The quick answer is to disable strict host key checking with the ssh command like this:
ssh -oStrictHostKeyChecking=no $h uptime
Be aware of what that does: ssh accepts and stores whatever key the remote side presents, so the first connection to a new host is made without any proof that you are talking to the right machine, and a changed key (a rebuilt server, or a man-in-the-middle) only produces a warning while the session still proceeds (with password authentication switched off). Only do this for hosts you know, on networks you trust. OpenSSH 7.6 and later offer the middle ground "accept-new", which still adds unknown hosts automatically but refuses to connect when a known host's key has changed. The proper fix is to populate known_hosts up front from fingerprints you obtained out of band (ssh-keyscan plus ssh-keygen -l, SSHFP records, or host certificates signed by an SSH CA) and leave strict checking on.
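That last approach, as an added example that is not part of the original post: the loop stays as it was, but every host's key is fetched once, checked against a fingerprint recorded out of band, and only then written to the known_hosts file the loop uses. It assumes openssh-clients (ssh-keyscan, ssh-keygen, ssh); the fingerprint-file format ("host SHA256:..." per line) and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the original post: seed known_hosts from fingerprints you
# obtained out of band (console, provisioning system, DNS SSHFP), then run the loop
# with strict host key checking left ON. Assumes openssh-clients. The fingerprint
# file format is this example's own: one "host SHA256:<fingerprint>" per line.
set -eu

# expected_fingerprint HOST FPR_FILE: print the trusted fingerprint recorded for HOST.
expected_fingerprint() {
    awk -v h="$1" '$1 == h { print $2; exit }' "$2"
}

# scan_and_verify HOST FPR_FILE KNOWN_HOSTS: fetch HOST's ed25519 host key, compare
# its SHA256 fingerprint with the trusted one, and append the key line to
# KNOWN_HOSTS only on a match. Nothing is fetched for a host with no record.
scan_and_verify() {
    local host="$1" fprs="$2" kh="$3" want got tmp
    want=$(expected_fingerprint "$host" "$fprs")
    if [ -z "$want" ]; then
        echo "$host: no trusted fingerprint on record, refusing to add its key" >&2
        return 1
    fi
    tmp=$(mktemp)
    ssh-keyscan -t ed25519 "$host" > "$tmp" 2>/dev/null || true
    # ssh-keygen -lf prints: <bits> SHA256:<fingerprint> <host> (ED25519)
    got=$(ssh-keygen -lf "$tmp" 2>/dev/null | awk '{ print $2 }')
    if [ "$got" != "$want" ]; then
        echo "$host: fingerprint '$got' does not match trusted '$want'; possible MITM or rebuilt host" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" >> "$kh"
    rm -f "$tmp"
}

# run_on_hosts KNOWN_HOSTS CMD HOST...: the original loop, but a key that is not in
# KNOWN_HOSTS is an error, not a question. BatchMode prevents any interactive prompt.
run_on_hosts() {
    local kh="$1" cmd="$2" h
    shift 2
    for h in "$@"; do
        ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$kh" -o BatchMode=yes "$h" "$cmd"
    done
}
```

Typical use: `for h in $SERVER_LIST; do scan_and_verify "$h" /etc/ssh/trusted_fprs ~/.ssh/known_hosts; done` once per new host, then `run_on_hosts ~/.ssh/known_hosts uptime $SERVER_LIST` as often as you like.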

Topics: Red Hat, System Admin

Configuring NTP on CentOS 6

Configuring NTP on CentOS 6 (and similar versions) involves a number of steps, especially if you want it configured correctly and securely. Here's a quick guide on how to do it:

First of all you have to determine the IP addresses of the NTP servers you are going to use. You may have to contact your network administrator to find out. Ensure that you get at least two time server IP addresses to use.

Then, install the NTP packages and verify that they are present:

# yum -y install ntp ntpdate
# rpm -q ntp ntpdate
Edit file /etc/ntp.conf and ensure that option "broadcastclient" is commented out (which it is by default with a new installation); a broadcast client accepts time from any host on the LAN that chooses to broadcast it. Also leave the default "restrict default kod nomodify notrap nopeer noquery" lines in place: they stop remote hosts from modifying the daemon or querying it for status, which is what keeps ntpd from being abused as a traffic amplifier.

Enable ntp and ntpdate at system boot time:
# chkconfig ntpd on
# chkconfig ntpdate on
Ensure that file /etc/ntp/step-tickers is empty. This will make sure that if ntpdate is run, that it will use one of the time servers configured in /etc/ntp.conf.
# cp /dev/null /etc/ntp/step-tickers
Add two time servers to /etc/ntp.conf, or use any of the pre-configured time servers in this file. Comment out the pre-configured servers, if you are using your own time servers.
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 1.2.3.4
server 5.6.7.8
Do not copy the example above. Use the IP addresses for each time server that you've received from your network administrator instead.

Enable NTP slewing (for slow time stepping if the time on the server is off, instead of suddenly making big time jump changes), by adding "-x" to OPTIONS in /etc/sysconfig/ntpd. Also add "SYNC_HWCLOCK=yes" in /etc/sysconfig/ntpdate to synchronize the hardware clock with any time changes.

Stop the NTP service, if it is running:
# service ntpd stop
Start the ntpdate service (this will synchronize the system clock and the hardware clock):
# service ntpdate start
Now, start the time service:
# service ntpd start
Wait a few minutes for the server to synchronize its time with the time servers. This may take anywhere between a few and 15 minutes. Then check the status of the time synchronization:
# ntpq -p
# ntpstat
The asterisk in front of the time server name in the "ntpq -p" output indicates that the client has reached time synchronization with that particular time server.
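Two checks that go with this procedure, as an added example that is not from the original guide: one validates an ntp.conf against the points above (no broadcastclient, at least two sources, the restrictive default restrict line) before ntpd is started, the other pulls the selected system peer out of saved "ntpq -p" output. Both are plain text processing and take the file path as a parameter, so they run without ntpd installed; function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the original guide: sanity-check an ntp.conf before starting
# ntpd, and read the synchronisation state out of saved `ntpq -p` output.
set -eu

# check_ntp_conf FILE: 0 if the configuration is usable and not abusable, 1 otherwise.
check_ntp_conf() {
    local conf="$1" sources
    # broadcastclient accepts time from any broadcaster on the LAN: must stay commented out
    if grep -Eq '^[[:space:]]*broadcastclient' "$conf"; then
        echo "$conf: broadcastclient is enabled" >&2
        return 1
    fi
    # with a single source ntpd cannot tell a wrong clock from a right one
    sources=$(grep -Ec '^[[:space:]]*(server|peer)[[:space:]]' "$conf" || true)
    if [ "$sources" -lt 2 ]; then
        echo "$conf: only $sources time source(s); configure at least two" >&2
        return 1
    fi
    # the stock CentOS 6 restrict line; noquery keeps ntpd from answering status
    # queries from arbitrary hosts, the usual amplification vector
    if ! grep -Eq '^[[:space:]]*restrict[[:space:]]+default[[:space:]].*noquery' "$conf"; then
        echo "$conf: missing 'restrict default ... noquery'" >&2
        return 1
    fi
    return 0
}

# ntp_synced_peer FILE: from saved `ntpq -p` output, print the peer ntpd has selected
# as its system peer (the line marked '*'); prints nothing while still unsynchronised.
# ntpq truncates the remote name to 15 characters, so compare prefixes, not full names.
ntp_synced_peer() {
    awk '/^\*/ { print substr($1, 2); exit }' "$1"
}
```

Run `check_ntp_conf /etc/ntp.conf` before "service ntpd start", and `ntpq -p > /tmp/ntpq.out; ntp_synced_peer /tmp/ntpq.out` in a loop (or a monitoring check) until a peer name comes back.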

Done!

Topics: Red Hat, Security, System Admin

Disabling SELinux

Security Enhanced Linux, or SELinux for short, is enabled by default on Red Hat Enterprise Linux (and derived) systems.

To determine the status of SELinux, simply run:

# sestatus
There may be times when it is necessary to relax SELinux, typically while troubleshooting a service that a policy is blocking. Note that "not Internet facing" is a weak reason on its own: SELinux also confines local services and limits what a compromised process can reach, and a denial is usually fixable with the right boolean or file context rather than by switching the whole thing off.

From the command line, edit the /etc/sysconfig/selinux file. This file is a symbolic link to /etc/selinux/config.

By default, option SELINUX will be set to enforcing in this file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
Changing it to "permissive" does not disable SELinux: the policy stays loaded, but instead of blocking an access SELinux records the denial in the audit log (type=AVC records) and lets it proceed. That is the mode to use for troubleshooting, because the logged denials tell you exactly what to fix before going back to enforcing:
SELINUX=permissive
Only "disabled" actually turns SELinux off. A change in this file takes effect at the next boot; to drop to permissive immediately without a reboot, use "setenforce 0" (which does not survive a reboot). Avoid "disabled" unless you really have to: files created while SELinux is disabled get no labels, so returning to enforcing later requires a full relabel ("touch /.autorelabel" and reboot), which can take a long time on a large file system.
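To make use of permissive mode rather than just parking the system in it, read back what the audit log says would have been blocked. The following is an added example, not from the original page: one function extracts the configured mode from /etc/selinux/config, the other tallies AVC denials per process, permission and object class from an audit.log. Both take the file path as a parameter; the audit lines in the test are constructed, in the format auditd writes on RHEL 7.

```shell
#!/bin/bash
# Added example, not from the original page: read the boot-time SELinux mode from the
# config file and summarise the AVC denials that permissive mode records, so you can
# see what enforcing mode would have blocked before deciding to relax it.
set -eu

# selinux_config_mode FILE: print the value of SELINUX= (enforcing|permissive|disabled),
# ignoring comment lines; prints nothing if the option is absent.
selinux_config_mode() {
    awk -F= '/^SELINUX=/ { print $2; exit }' "$1"
}

# summarize_avc AUDIT_LOG: one line per (comm, permission, class) with a count, most
# frequent first. Under permissive mode every one of these is an access that was
# allowed but would be denied under enforcing.
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            comm = "?"; perm = "?"; cls = "?"
            if (match($0, /comm="[^"]*"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /[{] [^}]* [}]/))  perm = substr($0, RSTART + 2, RLENGTH - 4)
            if (match($0, /tclass=[^ ]+/)) cls  = substr($0, RSTART + 7, RLENGTH - 7)
            count[comm " " perm " " cls]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}
```

Typical use after a day in permissive mode: `summarize_avc /var/log/audit/audit.log`. A line such as "2 httpd read file" points at a file-context problem (fix with the right label), while "httpd name_connect tcp_socket" is almost always a boolean such as httpd_can_network_connect_db, and neither needs SELinux disabled.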
