ivstefn

---

• usermod -L user01: lock the password of user01
• passwd: change password

---

Snippets:

• mkdir -p {Sij,Velj,Ozu,Tra}/{Porezna,Izlazne,Ulazne}
• df -hPT
• free -mh
• ps -faux
• newgrp
• sudo -l ili sudo -l -U username

• ls -il filename: print inode numbers

• a hard link points a name to data on a storage device

• a symbolic link points a name to another name, which points to data on a storage device

Table 3.2. Table of Metacharacters and Matches:

Pattern	Matches
*	Any string of zero or more characters
?	Any single character
[abc...]	Any one character in the enclosed class (between the square brackets)
[!abc...]	Any one character not in the enclosed class
[^abc...]	Any one character not in the enclosed class
[[:alpha:]]	Any alphabetic character
[[:lower:]]	Any lowercase character
[[:upper:]]	Any uppercase character
[[:alnum:]]	Any alphabetic character or digit
[[:punct:]]	Any printable character that is not a space or alphanumeric
[[:digit:]]	Any single digit from 0 to 9
[[:space:]]	Any single white space character, which might include tabs, newlines, carriage returns, form feeds, or spaces

• man-db-cache-update: update the man pages

Output redirection

• > file: redirect stdout to overwrite a file
• >> file: redirect stdout to appent to a file
• 2> file: stderr overwrite a file
• 2> /dev/null: discard stderr
• > file 2>&1: redirect stdout and stderr to the same file
• &> file: redirect stdout and stderr to the same file
• >> file 2>&1: stdout and stderr to append to the same file
• &>> file: stdout and stderr to append to the same file
• $?: return value of last

• find / -name passwd 2>&1 | less: redirect both standard output and standard error through a pipeline

• set: list shell variables

• HISTTIMEFORMAT="%F %T ": history time format
• env ili printenv: list all environment variables
• unset file1: unset and unexport a variable

User accounts

• superuser (uid 0), system users, regular users
• su - user -c command: run command as user
• usermod -L user02: lock user02
• /etc/login.defs: default options
• find / -nouser -o -nogroup: find unowned files and directories
• newgrp group01: temporarily change primary group

Summary:

• The user account types in Linux are the superuser, system users, and regular users.
• A user has a primary group and might be a member of supplementary groups.
• The /etc/passwd, /etc/group, and /etc/shadow critical files contain user and group information.
• You can run commands as the superuser with the su and sudo commands.
• The useradd, usermod, and userdel commands manage users.
• The groupadd, groupmod, and groupdel commands manage groups.
• The passwd command manages passwords for users.
• The chage command displays and configures password expiration settings for users.

References:

• chage(1)
• crypt(3)
• group(5)
• groupadd(8)
• groupdel(8)
• id(1)
• login.defs(5)
• passwd(5)
• shadow(5)
• useradd(8)
• userdel(8)
• usermod(8)

Control access to files

Permission	File	Direktory
Read	Open a file	List contents of directory
Write	Change contents of file	Create and delete files
Execute	Run a program file	Change to the directory

Special permissions:

Permission	File	Directory
u+s (suid)	file executes as the owner	No effect
g+s (sgid)	file executes the group owner	created files have group owner of the directory
o+t (sticky)	no effect	users with write access to the directory can remove only files that they own

Setuid = u+s; setgit = g+s; sticky = o+t Setuid = 4; setgit = 2, sticky = 1

Systemd

---

Postfix

• postconf
• postconf name_of_setting
• postconf -e 'name_of_setting = value
• postqueue -p
• postqueue -f
• postconf(5)

Configure Postfix as null client:

1. postconf -e "relayhost=[smtp0.example.com]"
2. postconf -e "inet_interface=loopback-only"
3. postconf -e "mynetworks=127.0.0.0/8 [::1]/128
4. postconf -e "myorigin=desktop0.example.com"
5. postconf -e "mydestination="
6. postconf -e "local_transport=error: local delivery disabled"
7. systemctl reload postfix

References:

• postconf(1)
• postconf(5)
• mail(1)
• mutt(1)

DNS

• getent hosts example.com
• dig
• getent hosts example.com

Errori

• SERVFAIL: A common cause of SERVFAIL status is the failure of the DNS server to communicate with the nameservers authoritative for the name being queried.

• NXDOMAIN: An NXDOMAIN status indicates that no records were found associated with the name queried. The other scenario where an NXDOMAIN status may be unexpectedly encountered is when querying a CNAME record containing an orphaned CNAME.

• REFUSED: A REFUSED status indicates that the DNS server has a policy restriction which keeps it from fulfilling the client's query

• systemctl stop firewalld

• chattr -i /etc/resolv.con
• edit /etc/hosts
• getent host.name

dnsmasq exercise

U dnsmasq.conf:

• domain-needed
• bogus-priv: ???
• interface=ethX
• bind-interfaces
• no-resolv: ???
• expand-hosts
• domain=mikro.local

Host:

U /etc/resolv.conf:

• search mikro.local
• nameserver 1.2.3.4

bind exercise

1. Kreiraj dir: /etc/named/zones/master/
2. Kreiraj file: /etc/named/zones/master/db.rhcsa.local

db.rhcsa.local:

; BIND data file for rhcsa.local

$TTL    3h
@       IN  SOA ns1.rhcsa.local.    admin.rhcsa.local (
            1   ; Serial (broj promjena u fajlu)
            3h  ; Refrash
            1h  ; Retry
            1w  ; Expire
            1h  ; Negative cache TTL )
;
@               IN  NS  ns1.rhcsa.local.

rhcsa.local.    IN  A   172.25.250.11
ns1             IN  A   172.25.250.11
servera         IN  A   10.10.20.10
serverb         IN  A   10.10.20.20
serverc         IN  A   10.10.20.30
email           IN  A   10.10.20.40

db.172.25.250:

10.20.10.10.in-addr.arpa.       IN      PTR     servera

/etc/named.conf:

zone "rhcsa.local" {
    type master;
    file "/etc/named/zones/master/db.rhcsa.local"; }

• listen-on
• allow-query

email

• nslookup -type=mx mikro.local
• mx-host=mail.mikro.local 10

/etc/postfix/main.cf:

• myhostname = mail.mikro.local
• mydomain = mikro.local
• myorigin = $mydomain
• inet_interfaces = all
• mydestination = ..., ..., $mydomain
• mynetworks = ..., ..., ..., 172.25.250.0/24

telnet email

• telnet mail.mikro.local 25
• MAIL FROM:whatever@something
• RCPT TO:someone@something
• DATA: text

Exit with ctrl + đ, ili ctrl + ]

tmux

• set synchronize-panes

---

• mount -rav
• getent hosts
• rpm -qa
• dnf list --installed
• dnf history info
• partprobe ili udevadm settle
• mkswap /dev/vdb3
• /dev/vdb3 swap swap defaults 0 0
• hostnamectl set-hostname "name"
• timedatectl set-ntp false

Apache:

<VirtualHost *:80>
    ServerName my.domain.local
    DocumentRoot /var/www/path_to_dir

    ErroLog /var/log/path_to_file
    CustomLog /var/log/path_to_file combined
</VirtualHost>

nginx:
    server{
        server_name www.nginx.local;
        listen 80;
        root /var/www/www_nginx_local/;
        error_log /var/log/www_nginx_err.log;
        access_log /var/log/www_nginx_local.log;

---

Storage

[root@host ~]# parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB
...output omitted...
[root@host ~]# parted /dev/vdb mkpart primary 770MiB 1026MiB
[root@host ~]# parted /dev/vdb set 1 lvm on
[root@host ~]# parted /dev/vdb set 2 lvm on

LVM

1. pvcreate /dev/vdb1 /dev/vdb2
2. vgcreate vgname /dev/vdb1 /dev/vdb2
3. lvcreate -n lvname -L 100M vgname
4. mkfs -t xfs /dev/vgname/lvname
5. mount ...

Display status:

• pvdisplay /dev/vdb1
• vgdisplay /dev/vg01
• lvdisplay /dev/lv01
• pvs
• vgs
• lvs

Extend

1. vgextend vg01 /dev/vdb3
2. lvextend -L +500M /dev/vg01/lv01 ili lvextend -r -L +500M /dev/vg01/lv01
3. xfs_growfs /mnt/lvmount ili resizefs /dev/vg01/lv01

Reduce

1. pvmove /dev/vdb3
2. vgreduce vg01 /dev/vdb3

Commands: lvremove, vgremove, and pvremove

Extend swap

1. swapoff -v /dev/vg01/swap
2. lvextend -L +300M /dev/vg01/swap
3. mkswap /dev/vg01/swap
4. swapon /dev/vg01/swap

LVM VDO (deduplication and compression)

1. dnf install vdo kmod-kvdo
2. lvcreate --type vdo --name vdo-lv01 --size 5G vg01

Stratis

1. dnf install stratis-cli stratisd
2. systemctl enable --now stratisd
3. stratis pool create pool1 /dev/vdb
4. stratis pool list
5. stratis pool add-data pool1 /dev/vdc
6. stratis blockdev list pool1
7. stratis filesystem create pool1 fs1
8. stratis filesystem list
9. stratis filesystem snapshot pool1 fs1 snapshot1

fstab:

UUID=c7b57190-8fba-463e-8ec8-29c80703d45e /dir1 xfs defaults,x-systemd.requires=stratisd.service 0 0

Databases

MySQL / MariaDB

1. yum groupinstall mariadb mariadb-client

2. systemctl start mariadb

3. port 3306

   • firewall-cmd --permanent --add-service=mysql
   • firewall-cmd --reload
4. /etc/my.cnf
   • bind-address
   • skip-networking=1
5. mysql_secure_installation(1)
6. mysql -u root -h localhost -p: connect

SQL:

• SHOW DATABASES;
• CREATE DATABASE inventory;
• USE inventory;
• DESCRIBE servers;
• delete from table where id = x;
• update table set column1=value1, column2=value2 where id = x;

Inserting:

INSERT INTO product(name,price,stock,id_category,id_manufacturer) 
                      VALUES ('SDSSDP-128G-G25 2.5',82.04,30,3,1);

Access rights:

• CREATE USER username@hostname IDENTIFIED BY 'password';

• SELECT host,user,password FROM user WHERE user = 'username';

• username@'localhost': User mobius can connect just from localhost.

• mobius@'192.168.1.5': User mobius can connect from 192.168.1.5 host.
• mobius@'192.168.1.%': User mobius can connect from any host that belongs to the network 192.168.1.0.
• mobius@'%': User mobius can connect from any host.

• mobius@'2000:472:18:b51:c32:a21': User mobius can connect from 2000:472:18:b51:c32:a21 host.

• GRANT SELECT, UPDATE, DELETE, INSERT on inventory.category to user username.hostname;

• REVOKE SELECT, UPDATE, DELETE, INSERT on inventory.category to user username.hostname;
• SHOW GRANTS FOR root@localhost;
• FLUSH PRIVILEGES;

Logical backup:

• mysqldump -u root -p inventory > /backup/inventory.dump
• mysqldump -u root -p --all-databases > /backup/mariadb.dump
• mysql -u root -p inventory < /backup/mariadb.dump
• Other mysqldump options:
  • --add-drop-table
  • --no-data
  • --lock-all-tables
  • --add-drop-database

Physical:

1. mysql -u root -p
2. FLUSH TABLES WITH READ LOCK;
3. UNLOCK TABLES;

---

firewalld

• firewall-cmd
• firewall-cmd --list-all-zones
• firewall-cmd --add-service http --zone public
• firewall-cmd --remove-service http --zone public
• systemctl reload firewalld
• firewall-cmd --runtime-to-permanent
• firewall-cmd --get-services

Tune system performance

• tuned-adm list
• /usr/lib/tuned/virtual-guest/tuned.conf
• sysctl vm.dirty_ratio
• sysctl vm.swapiness
• tuned-adm profile throughput-performance
• tuned-adm active

See

• tuned(8)
• tuned.conf(5)
• tuned-main.conf(5)
• tuned-adm(1)

nice, renice

• ps -o pid,pcpu,nice,comm $(pgrep command)

selinux

• disable using selinux=0 kernel parameter at boot
• enforcing=1 kernel parameter at boot Config file: /etc/selinux/config
• packages
• policycoreutils

• policycoreutils-python-utils

• semanage fcontext -a -t httpd_sys_content_t '/app(/.*)?'

• restorecon -RFvv /path/to/something

• cp --preserve=context

• semanage fcontext -l
• semanage -a, --add: add a record
• semanage -d, --delete: delete a record
• semanage -l, --list: list records
• semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
• semanage fcontext -l -C
• semanage boolean -l | grep httpd_enable_homedirs
• getsebool httpd_enable_homedirs
• semanage boolean -l -C
• setsebool -P httpd_enable_homedirs on

See: - getenforce(8) - setenforce(8) - linux_config(5)

---

• find /path -type f -name "*.bla"

---

• https://www.tecmint.com/set-linux-process-priority-using-nice-and-renice-commands/
• https://www.cyberciti.biz/faq/enable-firewalld-logging-for-denied-packets-on-linux/
• https://wiki.gentoo.org/wiki/SELinux/Tutorials/Using_SELinux_booleans
• https://www.redhat.com/sysadmin/change-selinux-settings-boolean
• https://www.pluralsight.com/resources/blog/cloud/exploring-selinux-context
• https://source.android.com/docs/security/features/selinux/concepts
• https://www.regular-expressions.info

---

---