Red Hat Enterprise Linux
===

###### tags: `QCT` `Linux OS` `IBM`

## SSH Key Login

- [Generate an SSH key and log in without a password using the key](https://xenby.com/b/220-%E6%95%99%E5%AD%B8-%E7%94%A2%E7%94%9Fssh-key%E4%B8%A6%E4%B8%94%E9%80%8F%E9%81%8Ekey%E9%80%B2%E8%A1%8C%E5%85%8D%E5%AF%86%E7%A2%BC%E7%99%BB%E5%85%A5)

## Enable IP forwarding

```
# set the parameter persistently in /etc/sysctl.conf
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

# apply the file without rebooting, then verify
sysctl -p
sysctl -a | grep forward
```

## firewall-cmd

- [Setting up firewall rules with firewalld and firewall-cmd](https://blog.gtwang.org/linux/centos-7-firewalld-command-setup-tutorial/)

## Swap

- [Swap Recommended Size](https://access.redhat.com/solutions/15244)

## LVM

- [Linux LVM notes (creating, extending and removing LVM volumes)](https://sc8log.blogspot.com/2017/03/linux-lvm-lvm.html)

```
# confirm the lvm2 package is installed
rpm -qa lvm2

# create partition /dev/sdb1, then reload the partition table of the disk
fdisk /dev/sdb
partprobe /dev/sdb

# create the PV
pvcreate /dev/sdb1

# create the VG
vgcreate vgabby /dev/sdb1

# create the LV and verify it
lvcreate -L 1G -n lvabby vgabby
lvdisplay

# format it and mount it persistently
mkfs.ext4 /dev/vgabby/lvabby
mkdir /testlvm
vi /etc/fstab
# device               MountPoint  filesystem  parameters  dump  fsck
/dev/vgabby/lvabby     /testlvm    ext4        defaults    0     0
mount -a
```

:::info
* `mount -a` follows /etc/fstab, skips the devices (logical volumes or partitions) that are already mounted, and mounts only those that are not mounted yet.
* At boot, file systems are mounted according to /etc/fstab.
:::

## Add Banner

```
# put the banner text (e.g. an ASCII-art logo) in /etc/issue
vi /etc/issue

# show it before SSH authentication as well
vi /etc/ssh/sshd_config
Banner /etc/issue
systemctl restart sshd
```

## DNS

- [How to change DNS settings on RHEL using Network Manager](https://www.cyberciti.biz/faq/change-dns-ip-address-rhel-redhat-linux/)

```
systemctl enable NetworkManager.service
systemctl start NetworkManager.service
nmcli connection
nmcli con mod eth0 ipv4.dns "8.8.8.8"
systemctl restart NetworkManager.service
```

* Prevent NetworkManager from overwriting /etc/resolv.conf
  1. Edit `/etc/NetworkManager/NetworkManager.conf` and, under `[main]`, add or change the line to `dns=none`. Save the file.
  2. Run `systemctl restart NetworkManager.service`.
  3. Edit `/etc/resolv.conf` with your values. Save the file.
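An added example, not from the original note, of the `mount -a` selection rule described in the LVM box above: it takes an fstab excerpt and a mounts table in the format of /proc/mounts (both constructed here, nothing is read from the live system) and prints the entries that would still be mounted. It also skips swap lines and `noauto` entries, which `mount -a` ignores as well.

```shell
#!/bin/sh
# Added example, not from the original note: reproduce the selection rule of
# `mount -a` over constructed data instead of the live /etc/fstab and /proc/mounts.

SAMPLE_FSTAB='# device                 mountpoint  fstype  options   dump fsck
/dev/mapper/rhel-root      /           xfs     defaults  0 0
UUID=1234-ABCD             /boot       xfs     defaults  0 0
/dev/vgabby/lvabby         /testlvm    ext4    defaults  0 0
/dev/sdb1                  /data       xfs     defaults  0 0
/dev/sdc1                  /backup     ext4    noauto    0 0
/dev/mapper/rhel-swap      swap        swap    defaults  0 0
'

# constructed excerpt in the format of /proc/mounts: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,relatime 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
'

# pending_fstab_mounts FSTAB_TEXT MOUNTS_TEXT
# Prints "<device> <mountpoint>" for each fstab entry that `mount -a` would
# still mount: not a comment or blank line, not a swap entry (swapon -a
# handles those), not flagged noauto, and whose mount point is not already
# present in the mounts table (whatever device happens to be mounted there).
pending_fstab_mounts() {
    fstab_file=$(mktemp); mounts_file=$(mktemp)
    printf '%s' "$1" > "$fstab_file"
    printf '%s' "$2" > "$mounts_file"
    awk 'FILENAME == ARGV[1] { mounted[$2] = 1; next }   # first file: the mount table
         /^[[:space:]]*(#|$)/ { next }                   # skip comments and blank lines
         $3 == "swap"        { next }                    # swap is not mounted by mount -a
         $4 ~ /(^|,)noauto(,|$)/ { next }                # noauto is skipped by mount -a
         !($2 in mounted)    { print $1, $2 }' "$mounts_file" "$fstab_file"
    rm -f "$fstab_file" "$mounts_file"
}

pending_fstab_mounts "$SAMPLE_FSTAB" "$SAMPLE_MOUNTS"
```

With the sample data this lists `/dev/vgabby/lvabby /testlvm` and `/dev/sdb1 /data`; `/boot` is skipped because something is already mounted there, even though it is a different device.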
## Add User

- [User account and group management](http://120.105.184.250/peiyuli/unix/%E4%BD%BF%E7%94%A8%E8%80%85%E5%B8%B3%E8%99%9F%E8%88%87%E7%BE%A4%E7%B5%84%E7%AE%A1%E7%90%86.htm)

```
groupadd <group name> -g <GID>
useradd abby -g <initial group> -G <supplementary group> -d </home/path/to> -u <UID>
passwd abby

## change a password non-interactively
## (the password ends up in the shell history; the interactive passwd above avoids that)
echo NEWPASSWORD | passwd --stdin USERNAME
# or
echo 'abby:NEWPASSWORD' | sudo chpasswd
```

:::info
/etc/passwd
* Field 1: account name.
* Field 2: `x` means the password is stored in the file /etc/shadow.
* Field 3: user ID (UID).
* Field 4: group ID (GID); every account belongs to an initial group of its own, named after the account by default.
* Field 5: descriptive information about the user (full name, phone, office, ...).
* Field 6: home directory.
* Field 7: the shell started for the user in text mode, which interprets the commands the user types.
:::

:::info
/etc/group
* Field 1: group name.
* Field 2: `x` means the password is stored in the file /etc/shadow.
* Field 3: GID.
* Field 4: account names that are members of this group.
:::

## Let a user `sudo`

```
cat /etc/sudoers
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
```

1. Become root by running `su`
2. Run `usermod -aG wheel <your_user_id>`
3. Log out and back in again
4. Verify with `grep wheel /etc/group`

## Prevent a user from logging in

1. passwd

   ```
   # Lock
   passwd -l lynn
   ```

   ```
   # Unlock
   passwd -u lynn
   ```

2. Set the user's shell in `/etc/passwd` to `/sbin/nologin`

## Password expiry

- [chage](https://codertw.com/%E4%BC%BA%E6%9C%8D%E5%99%A8/381055/)

## Password policy

- [Password length](https://kknews.cc/code/o38kl9o.amp)

## Switch identity

```
# become abby, keeping the current environment
su abby

# become abby and load abby's login environment
su - abby
```

## Default permissions for new files and directories - umask

umask subtracts permission bits from 666 for files and from 777 for directories.

## Get IP

* Obtain an IP address via DHCP

```
sudo dhclient -r
sudo dhclient
ip a
```

## man

```
# whatis syslog
syslog (3)           - send messages to the system logger
syslog (2)           - read and/or clear kernel message ring buffer; set console_loglevel
syslog (3p)          - control system log
# man 3 syslog
```

## Subscription Manager

Register the system with the Red Hat Customer Portal (portal account credentials).

```
# register and automatically attach the subscription that best fits the system
subscription-manager register --username <account> --password <password> --auto-attach --force

# or choose the subscription yourself
subscription-manager list --available
subscription-manager attach --pool=<Pool-ID>

# once attached, redhat.repo is generated automatically
cat /etc/yum.repos.d/redhat.repo

# pull the latest subscription data
subscription-manager refresh
```

:::info
* The register command has an option, --auto-attach, which registers the system with the subscription service and immediately attaches the subscription that best matches the system's architecture, in a single step. --force registers the system even if it is already registered; normally any register operation fails if the machine is already registered.
* Subscription Manager's refresh command pulls the latest subscription data from the server.
:::

## YUM Operation

### Offline Installation

```
# mount the installation ISO read-only
mount -t iso9660 -o ro /dev/cdrom /mnt/iso

# point yum at the two repositories on the ISO
vi /etc/yum.repos.d/redhat.repo
# gpgcheck=0 disables package signature checks; gpgcheck=1 plus gpgkey= pointing
# at the Red Hat release key keeps them even for an offline install
[AppStream]
name=AppStream
gpgcheck=0
# the directory below contains repodata/
baseurl=file:///mnt/iso/AppStream
enabled=1

[BaseOS]
name=BaseOS
gpgcheck=0
# the directory below contains repodata/
baseurl=file:///mnt/iso/BaseOS
enabled=1

# rebuild the cache (reads AppStream/repodata/ and BaseOS/repodata/), install, then unmount
yum clean all
yum repolist
yum install <PACKAGE>
umount /mnt/iso
```

### Offline Security Patching

Check the OS version:

```
cat /etc/redhat-release
cat /etc/os-release
uname -a
```

Mount the matching ISO, add /etc/yum.repos.d/my-update.repo, then refresh the repository list:

```
yum clean all
yum repolist
```

* Full update

```
yum list updates
yum list installed
yum --disablerepo=* --enablerepo=<repo id> update
```

* Security update

```
# list all available advisories (bugfix, security, enhancement)
yum updateinfo list available

# list the security packages that can be updated
yum updateinfo list security

# list the security packages already installed
yum updateinfo list security installed

# list updatable security packages by the CVEs they address
yum updateinfo list cves

# show the details of an RHSA (which CVEs it covers)
yum updateinfo RHSA-2021:1072
```

```
# Installs the latest available version of any package with at least one security erratum,
# so it may pull in non-security errata as well.
yum update --security

# To install only the packages that carry a security erratum, use:
yum update-minimal --security

# install the packages affected by a given CVE
yum update --cve CVE-2008-0947

# install the packages affected by a given RHSA
yum update --advisory=RHSA-2014:0159
```

## RPM

Check whether a package is installed:

```
rpm -qa <package>
```

## Hard Link & Soft Link

- [Understanding inodes in Linux](https://www.itread01.com/content/1542281710.html)

## systemctl

- [The ultimate tutorial on the systemd suite and the systemctl command](https://kknews.cc/code/99j9gp8.amp)

:::info
* Suspend - saves the system state to RAM.
* Hibernate - saves the system state to disk, so it requires swap space.
* Hybrid-Sleep - suspends by copying the state to RAM, and also hibernates by copying the RAM contents to disk.
:::

## Linux kernel module commands

- [Usage notes for lsmod, depmod, modprobe, modinfo, insmod and rmmod](https://codertw.com/%E7%A8%8B%E5%BC%8F%E8%AA%9E%E8%A8%80/569972/)

## Prevent users from running dangerous actions

1. CLI

   As an administrator, create a group and add the restricted users to it:

   ```
   sudo groupadd nonadmin
   sudo usermod -a -G nonadmin hncbuser
   ```

   Forbid the group's users from running the dangerous commands:

   ```
   sudo visudo
   ## Prohibit users in group nonadmin from doing danger commands
   Cmnd_Alias PROHIBITION=/sbin/reboot,/sbin/shutdown,/sbin/halt,/sbin/poweroff
   %nonadmin ALL=(ALL) ALL, !PROHIBITION
   ```

   sudoers(5) itself warns that subtracting commands from `ALL` with `!` is not an effective restriction, because the exclusion matches only the listed paths rather than the programs; the robust form is an explicit allow-list of the commands the group may run.

2. GUI - [https://access.redhat.com/solutions/2020763](https://access.redhat.com/solutions/2020763)

## Kernel Command Line Parameters vs Kernel Parameters

* Kernel command line parameters for modules built into the kernel must be specified on the kernel command line. modprobe looks through the kernel command line (/proc/cmdline) and collects module parameters when it loads a module, so the kernel command line can be used for loadable modules too.
  - [CentOS / RHEL 7 : How to modify the kernel command line parameters](https://www.thegeekdiary.com/centos-rhel-7-how-to-modify-the-kernel-command-line/)
* Kernel parameters are tunable values that you can adjust while the system is running; no reboot or kernel recompile is required for changes to take effect. They can be addressed through the sysctl command or through the virtual file system mounted at /proc/sys/.

## Switch the boot kernel

[How do I change the default kernel in GRUB that is loaded at startup?](https://access.redhat.com/solutions/3089)

* Check the current default boot entry

```
vi /boot/grub2/grubenv
```

* List the available boot entries

```
awk -F\' '/^menuentry/ {print $2}' /etc/grub2.cfg
```

* Set the default boot entry

```
grub2-set-default 'Red Hat Enterprise Linux Server (3.10.0-957.el7.x86_64) 7.6 (Maipo)'
```
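Tying together the account sections earlier on this page (the /etc/passwd fields, `passwd -l`, the `/sbin/nologin` shell and the password age managed with chage), here is an added audit helper that is not part of the original note. It runs over constructed /etc/passwd and /etc/shadow excerpts rather than the live files and reports which accounts can still log in interactively.

```shell
#!/bin/sh
# Added example, not from the original note: classify accounts the way the
# sections above describe them. `passwd -l` prefixes the hash in /etc/shadow
# with "!", a /sbin/nologin (or /bin/false) shell in /etc/passwd blocks
# interactive login, and shadow field 5 is the maximum password age set by chage.
# Both inputs are constructed sample data, not the live system files.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
abby:x:1001:1001:Abby:/home/abby:/bin/bash
lynn:x:1002:1002:Lynn:/home/lynn:/bin/bash
svc_backup:x:1003:1003::/var/backup:/sbin/nologin
'

SAMPLE_SHADOW='root:$6$salt$hashvalue:19000:0:99999:7:::
abby:$6$salt$hashvalue:19000:0:90:7:::
lynn:!$6$salt$hashvalue:19000:0:99999:7:::
svc_backup:*:19000:0:99999:7:::
'

# login_state PASSWD_TEXT SHADOW_TEXT
# Prints one line per account: "<name> <state> <max-password-age>" where
# state is locked (passwd -l), nologin (non-interactive shell) or active.
login_state() {
    printf '%s' "$1" | awk -F: -v shadow="$2" '
        BEGIN {
            # index the shadow excerpt by account name: hash and max age
            n = split(shadow, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                hash[f[1]] = f[2]; maxage[f[1]] = f[5]
            }
        }
        /^[[:space:]]*(#|$)/ { next }
        {
            state = "active"
            if (hash[$1] ~ /^!/) state = "locked"
            else if ($7 ~ /\/(nologin|false)$/) state = "nologin"
            print $1, state, (($1 in maxage) ? maxage[$1] : "?")
        }'
}

# accounts that can still log in interactively with a password
active_accounts() {
    login_state "$1" "$2" | awk '$2 == "active" { print $1 }'
}

login_state "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Accounts reported as `active` with a max age of 99999 are the ones whose password never expires, which is where the chage section above applies.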