# RHCSA V9 Notes for RHCSA v9 exam. #### ++ Restore root password ``` 0. ctrl + e 1. In linux line change ro to rw and add init=/bin/bash at the end of the line. 2. ctrl +x 3. passwd 4. touch /.autorelabel 5. exec /sbin/init ``` ``` Things have changed in RHEL 9. rd.break does not work anymore. These are the steps that need to be taken. Find the line that loads the Linux kernel and add init=/bin/bash to the end of the line. mount -o remount,rw / This is necessary because it's mounted as read-only. passwd root touch /.autorelabel exec /usr/lib/systemd/systemd/ To reboot the machine or /sbin/reboot -f ``` !!! select kernel name contain "rescue" to edit for newer RHEL9 version !!! check `/etc/fstab` for mount issue !!! run `systemctl daemon-reload` to update systemd daemon to register new /etc/fstab file configuration #### ++ Runlevel / Systemd Target $ runlevel $ systemctl get-default set default target $ systemctl set-default switch to different target at runtime $ systemctl isolate multi-user $ systemctl isolate graphical list all available target $ systemctl list-units --type=target --all To select a different target at boot time, append the **systemd.unit=target.target** option to the kernel command line from the boot loader. For example: systemd.unit=emergency.target #### ++ User management /etc/login.defs: Used for default settings like UID settings, passwd default settings, and other things. /etc/profile: Used for default settings for all users when starting a login shell. /etc/bashrc: Used to define defaults for all users when starting a subshell. ~/.profile: Specific settings for one user applied when starting a login shell. ~/.bashrc: Specific settings for one user applied when starting a subshell. $ useradd $ groupadd $ usermod $ groupmod $ groupmems gpasswd - administer /etc/group and /etc/gshadow [ycheng@centos9 ~]$ sudo lid ycheng wheel(gid=10) ycheng(gid=1000) !!! 
add john to the sales group (use -G for secondary group, -g for primary group) $ usermod -aG sales john #### ++ SELinux $ getenforce $ setenforce $ ps Zaux **/etc/selinux/config** $ ls -Z /tmp/file* $ man semanage-fcontext ``` EXAMPLE remember to run restorecon after you set the file context Add file-context for everything under /web # semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" # restorecon -R -v /web Substitute /home1 with /home when setting file context # semanage fcontext -a -e /home /home1 # restorecon -R -v /home1 For home directories under top level directory, for example /disk6/home, execute the following commands. # semanage fcontext -a -t home_root_t "/disk6" # semanage fcontext -a -e /home /disk6/home # restorecon -R -v /disk6 -e EQUAL, --equal EQUAL -t TYPE, --type TYPE SELinux Type for the object ``` !!! restorecon - restore file(s) default SELinux security contexts. !!! you can use touch /.autorelabel to relabel all files to the context that is specified in the policy. That should be the last option because the full relabel runs during the next reboot, so restorecon is preferred. !!! dnf install selinux-policy-doc ``` [root@centos9 ~]# mkdir /virtual [root@centos9 ~]# [root@centos9 ~]# touch /virtual/index.html [root@centos9 ~]# ls -Zd /virtual/ unconfined_u:object_r:default_t:s0 /virtual/ [root@centos9 ~]# ls -Z /virtual/ unconfined_u:object_r:default_t:s0 index.html [root@centos9 ~]# semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?' [root@centos9 ~]# restorecon -RFvv /virtual/ Relabeled /virtual from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0 Relabeled /virtual/index.html from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0 [root@centos9 ~]# ls -Zd /virtual/ system_u:object_r:httpd_sys_content_t:s0 /virtual/ [root@centos9 ~]# ls -Z /virtual/ system_u:object_r:httpd_sys_content_t:s0 index.html [root@centos9 ~]# semanage fcontext -l -C SELinux fcontext type Context /virtual(/.*)? 
all files system_u:object_r:httpd_sys_content_t:s0 ``` SELinux Policy with Boolean $ getsebool -a $ semanage boolean -l ``` [root@centos9 ~]# semanage boolean -l | head SELinux boolean State Default Description abrt_anon_write (off , off) Allow abrt to anon write abrt_handle_event (off , off) Allow abrt to handle event ``` $ setsebool -P <SELinux boolean name> [on | off] !!! with -P to make it persistent Check SELinux alert log $ cat /var/log/messages | grep sealert chcon command to set file context type $ chcon -t <content_type_name> <file/dir path> !!! a label set with chcon is not recorded in the policy, so restorecon or a full relabel resets it; use semanage fcontext plus restorecon for a persistent change #### ++ Podman container $ dnf install container-tools **/etc/containers/registries.conf** You can create a registries.conf file for container registries in the **$HOME/.config/containers** directory. The configuration file in this directory overrides the settings in the /etc/containers/registries.conf file, and is used when Podman runs in rootless mode. ``` [[registry]] location = "registry.lab.example.com" insecure = true blocked = false ``` !!! insecure = true permits plain HTTP and unverified TLS connections to that registry; keep it to lab registries !!! Container file ``` [user@host ~]$ cat Containerfile FROM registry.access.redhat.com/ubi8/ubi:latest RUN dnf install -y python3 CMD ["/bin/bash", "-c", "echo hello"] ``` $ podman build -t NAME:TAG DIR $ podman build -t python36:1.0 . ![](https://hackmd.io/_uploads/rJtc01FBn.png) search specific image $ podman search <repo url>/<image name> $ skopeo inspect $ podman pull ###### Container Persistent Storage To persist data, you can use host file-system content in the container with the --volume (-v) option. You must consider file-system level permissions when you use this volume type in a container. In a rootless container, the user has root access from within the container, because Podman launches a container inside the user namespace. You can use the podman unshare command to run a command inside the user namespace. To obtain the UID mapping for your user namespace, use the podman unshare cat command. 
``` [user@host ~]$ podman unshare cat /proc/self/uid_map 0 1000 1 1 100000 65536 [user@host ~]$ podman unshare cat /proc/self/gid_map 0 1000 1 1 100000 65536 ``` Use the podman unshare command to set the user namespace UID and GID of 27 as the owner of the directory. ``` $ podman exec -it db01 grep mysql /etc/passwd mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin $ mkdir /home/user/db_data $ podman unshare chown 27:27 /home/user/db_data ``` ###### SELinux Contexts for Container Storage You can append the Z option to the argument of the podman run command -v option to automatically set the SELinux context on the directory. Uppercase Z relabels the host directory with a label private to this container, so use it only on a directory dedicated to the container. `-v /home/user/db_data:/var/lib/mysql:Z \` ###### You use the podman run command -p option to set a port mapping ``` $ podman run -d --name db01 \ -e MYSQL_USER=student \ -e MYSQL_PASSWORD=student \ -e MYSQL_DATABASE=dev_data \ -e MYSQL_ROOT_PASSWORD=redhat \ -v /home/user/db_data:/var/lib/mysql:Z \ -p 13306:3306 \ registry.lab.example.com/rhel8/mariadb-105 [root@host ~]# firewall-cmd --add-port=13306/tcp --permanent [root@host ~]# firewall-cmd --reload ``` !!! the passwords above are lab values; anything passed with -e is stored in the container configuration and shown by podman inspect, so do not reuse real credentials this way ###### Use the podman network create command to create a DNS-enabled network. ``` $ podman network create --gateway 10.87.0.1 --subnet 10.87.0.0/16 db_net ``` ###### Create systemd User Files for Containers You can manually define systemd services in the **~/.config/systemd/user/** directory. Use the podman generate systemd command to generate systemd service files for an existing container. The podman generate systemd command uses a container as a model to create the configuration file. The podman generate systemd command --new option instructs the podman utility to configure the systemd service to create the container when the service starts, and to delete the container when the service stops. 
`$ podman generate systemd --name webserver1` `$ podman generate systemd --name webserver1 --new` `$ mv container-webserver1.service ~/.config/systemd/user/` `$ systemctl --user daemon-reload` `$ systemctl --user start container-webserver1.service` ![](https://hackmd.io/_uploads/HylMCxYrh.png) ###### Configure Containers to Start at System Boot At this point, the systemd service configuration is ready to run a container for a given user. However, the systemd service stops the container after a certain time if the user logs out from the system. This behavior occurs because the systemd service unit was created with the --user option, which starts a service at user login and stops it at user logout. You can change this default behavior, and force your enabled services to start with the server and stop during the shutdown, by running the **loginctl enable-linger** command. You use the loginctl command to configure the systemd user service to persist after the last user session of the configured service closes. `$ loginctl show-user appdev-adm` `$ loginctl enable-linger` ###### Manage Containers as Root with systemd The procedure to set the service file as root is similar to the previously outlined procedure for rootless containers, with the following exceptions: - Do not create a dedicated user for container management - The service file must be in the /etc/systemd/system directory instead of in the ~/.config/systemd/user directory. - You manage the containers with the systemctl command without the --user option. - Do not run the loginctl enable-linger command as the root user. #### ++ Recover /etc/fstab issue Similar to reset root password to enter rescue mode. 
update /etc/fstab and reboot server #### ++ NTP chronyd config file **/etc/chrony.conf** pool 2.centos.pool.ntp.org iburst server materials.example.com iburst $ timedatectl status $ timedatectl list-timezones $ timedatectl set-timezone $ timedatectl set-ntp #### ++ Log file and journal $ sudo dnf install rsyslog !!! configuration file **/etc/rsyslog.conf** !!! current boot $ journalctl -b $ journalctl --list-boots $ journalctl -u chronyd $ journalctl -u chronyd --since "2023-05-21 00:00:00" $ journalctl -u chronyd --since "2023-05-21 00:00:00" --until "2023-05-21 01:00:00" $ journalctl --since yesterday $ journalctl --since 09:00 --until "1 hour ago" $ journalctl _PID=8088 !!! show kernel message $ journalctl -k !!! priority level () $ journalctl -p err -b ``` 0: emerg 1: alert 2: crit 3: err 4: warning 5: notice 6: info 7: debug ``` ``` [ycheng@centos9 ~]$ systemctl cat logrotate.timer # /usr/lib/systemd/system/logrotate.timer [Unit] Description=Daily rotation of log files Documentation=man:logrotate(8) man:logrotate.conf(5) [Timer] OnCalendar=daily AccuracySec=1h Persistent=true [Install] WantedBy=timers.target ``` $ systemctl status logrotate.service #### ++ GPT/MBR partition [root@host ~]# parted /dev/vda print Graphic interface tool $ cfdisk Write the Partition Table on a New Disk ``` [root@host ~]# parted /dev/vdb mklabel msdos [root@host ~]# parted /dev/vdb mklabel gpt ``` Create MBR partition ``` [root@host ~]# parted /dev/vdb GNU Parted 3.4 Using /dev/vdb Welcome to GNU Parted! Type 'help' to view a list of commands. (parted) (parted) mkpart Partition type? primary/extended? primary File system type? [ext2]? xfs [root@host ~]# parted /dev/vdb help mkpart Start? 2048s End? 1000MB (parted) quit Information: You may need to update /etc/fstab. !!! in single command [root@host ~]# parted /dev/vdb mkpart primary xfs 2048s 1000MB [root@host ~]# udevadm settle ``` Create GPT partition ``` [root@host ~]# parted /dev/vdb (parted) mkpart Partition name? []? 
userdata File system type? [ext2]? xfs Start? 2048s End? 1000MB (parted) quit Information: You may need to update /etc/fstab. [root@host ~]# !!! in single command [root@host ~]# parted /dev/vdb mkpart userdata xfs 2048s 1000MB [root@host ~]# udevadm settle ``` #### ++ SWAP !!! swap from file sudo dd if=/dev/zero of=/swap count=2048 bs=1MiB chmod 600 /swap mkswap /swap swapon /swap fstab: /swap swap swap defaults 0 0 !!! swap from a partition $ mkswap /dev/vdd1 $ mkswap -L myswapspace /dev/vdd1 configure in "/etc/fstab", $ swapon -a $ free -h $ swapon -s ``` [root@serverb ~]# parted /dev/vdc mklabel msdos ...output omitted... [root@serverb ~]# parted /dev/vdc mkpart primary linux-swap 1MiB 513MiB ...output omitted... [root@serverb ~]# lsblk -o UUID /dev/vdc1 UUID cc18ccb6-bd29-48a5-8554-546bf3471b69 [root@serverb ~]# echo "UUID=cc18...1b69 swap swap defaults 0 0" >> /etc/fstab [root@serverb ~]# swapon -a [root@serverb ~]# swapon -s ``` #### ++ LVM (create and extend, use resizefs and xfs_growfs) ###### Create new LVM 1. prepare physical devices ``` [root@host ~]# parted /dev/vdb mklabel gpt mkpart primary 1MiB 769MiB [root@host ~]# parted /dev/vdb mkpart primary 770MiB 1026MiB [root@host ~]# parted /dev/vdb set 1 lvm on [root@host ~]# parted /dev/vdb set 2 lvm on [root@host ~]# udevadm settle ``` 2. create physical volumes ``` [root@host ~]# pvcreate /dev/vdb1 /dev/vdb2 Physical volume "/dev/vdb1" successfully created. Physical volume "/dev/vdb2" successfully created. Creating devices file /etc/lvm/devices/system.devices ``` 4. create volume group ``` [root@host ~]# vgcreate vg01 /dev/vdb1 /dev/vdb2 Volume group "vg01" successfully created ``` 6. create logical volume ``` [root@host ~]# lvcreate -n lv01 -L 300M vg01 Logical volume "lv01" created. lvcreate -n lv01 -L 128M vg01 : create an LV of size 128 MiB, rounded to the next PE. lvcreate -n lv01 -l 32 vg01 : create an LV of size 32 PEs at 4 MiB each, total 128 MiB. 
``` VDO LV ``` [root@host ~]# dnf install vdo kmod-kvdo [root@host ~]# lvcreate --type vdo --name vdo-lv01 --size 5G vg01 Logical blocks defaulted to 523108 blocks. The VDO volume can address 2 GB in 1 data slab. It can grow to address at most 16 TB of physical storage in 8192 slabs. If a larger maximum size might be needed, use bigger slabs. Logical volume "vdo-lv01" created. ``` 7. create filesystem on logical volume ``` [root@host ~]# mkfs -t xfs /dev/vg01/lv01 [root@host ~]# mkdir /mnt/data # edit /etc/fstab /dev/vg01/lv01 /mnt/data xfs defaults 0 0 [root@host ~]# mount /mnt/data/ ``` ###### Extend exist LVM 1. prepare physical device and create physical volume if not present ``` [root@host ~]# parted /dev/vdb mkpart primary 1072MiB 1648MiB ...output omitted... [root@host ~]# parted /dev/vdb set 3 lvm on ...output omitted... [root@host ~]# udevadm settle [root@host ~]# pvcreate /dev/vdb3 Physical volume "/dev/vdb3" successfully created. ``` 2. use vgextend command to add new PV to VG ``` [root@host ~]# vgextend vg01 /dev/vdb3 Volume group "vg01" successfully extended ``` 3. extend a logical volume size ``` [root@host ~]# lvextend -L +500M /dev/vg01/lv01 Size of logical volume vg01/lv01 changed from 300.00 MiB (75 extents) to 800.00 MiB (200 extents). Logical volume vg01/lv01 successfully resized. ``` ``` [root@host ~]# xfs_growfs /mnt/data/ ...output omitted... 
data blocks changed from 76800 to 204800 ``` `[root@host ~]# lvextend -L +500M -r /dev/vg01/lv01` with "-r" option, you dont need to run xfs_growfs For EXT4 use `resize2fs ` ###### Display LVM status ``` [root@host ~]# pvdisplay /dev/vdb1 [root@host ~]# vgdisplay vg01 [root@host ~]# lvdisplay /dev/vg01/lv01 ``` ###### Remove LVM ``` [root@host ~]# lvremove /dev/vg01/lv01 [root@host ~]# vgremove vg01 [root@host ~]# pvremove /dev/vdb1 /dev/vdb2 ``` #### ++ NFS and AutoFS ``` [root@host ~]# dnf install nfs-utils [root@host ~]# showmount --exports server Export list for server /shares/test1 /shares/test2 [root@host ~]# mkdir /mountpoint [root@host ~]# mount server:/ /mountpoint [root@host ~]# ls /mountpoint [root@host ~]# mount -t nfs -o rw,sync server:/export /mountpoint [root@host ~]# vim /etc/fstab ... server:/export /mountpoint nfs rw 0 0 ``` AutoFS ``` # install packages [user@host ~]$ sudo dnf install autofs nfs-utils ``` indirect map ``` # create a Master Map [user@host ~]$ sudo vim /etc/auto.master.d/demo.autofs /shares /etc/auto.demo # create indirect map or wildcards in an indirect Map [user@host ~]$ sudo vim /etc/auto.demo work -rw,sync serverb:/shares/work * -rw,sync serverb:/shares/& ``` direct map ``` # create direct map in Master Map [user@host ~]$ sudo vim /etc/auto.master.d/demo.autofs /- /etc/auto.direct # create direct Map [user@host ~]$ sudo vim /etc/auto.direct /mnt/docs -rw,sync serverb:/shares/docs ``` start automounter service ``` [user@host ~]$ sudo systemctl enable --now autofs ``` #### ++ Crontab and at crontab -e 10 14 * * * logger "Pass EX200" crontab -l !!! 
Format Min Hour Day Month Week <Command> https://phoenixnap.com/kb/linux-at-command sudo systemctl enable --now atd echo "hello" | at now +5 minutes echo "hello" >> example.txt | at now at -c [job_number] at -l sudo atq rm example.txt | at -m tomorrow !!! at reads the job from standard input, so in the two pipelines that start with echo "hello" >> example.txt and rm example.txt the shell runs the left-hand command immediately; to schedule it, pipe the command text instead, e.g. echo "rm example.txt" | at -m tomorrow #### ++ File permission ``` # sticky bit chmod +t chmod -t # setuid only chmod u+s # setgid only chmod g+s # both setuid and setgid chmod +s chmod -s ``` #### ++ find command usage https://www.thegeekdiary.com/linux-unix-examples-of-find-command-to-find-files-with-specific-sets-of-permissions/ ``` 1. Command to list files with other writable and sticky bit set. # find / -perm -002 -and -perm -1000 -exec ls -ldb {} \; 2. Command to list files with other writable excluding sticky bit set. # find / -perm -002 -not -perm -1000 -exec ls -ldb {} \; 3. Command to list files with (group + other) writable permission and SET UID set. # find / -perm -4022 -exec ls -ldb {} \; 4. Command to list files with (group + other) writable and SET GID set. # find / -perm -2022 -exec ls -ldb {} \; 5. Command to list files with other writable and sticky bit set. # find / -perm -1002 -exec ls -ldb {} \; 6. Command to list files with other writable excluding sticky bit set. # find / -perm -002 -not -perm -1000 -exec ls -ldb {} \; ``` use `\;` or `+` or `+;` to terminate -exec https://stackoverflow.com/questions/2961673/find-missing-argument-to-exec #### ++ Networking !!! use graphic tool $ nmtui !!! use nmcli $ nmcli connection show $ nmcli connection edit enp1s0 nmcli> set ipv4. 
Error: invalid property: missing name, try one of [method, dns, dns-search, dns-options, dns-priority, addresses, gateway, routes, route-metric, route-table, routing-rules, replace-local-rule, ignore-auto-routes, ignore-auto-dns, dhcp-client-id, dhcp-iaid, dhcp-timeout, dhcp-send-hostname, dhcp-hostname, dhcp-fqdn, dhcp-hostname-flags, never-default, may-fail, required-timeout, dad-timeout, dhcp-vendor-class-identifier, link-local, dhcp-reject-servers, auto-route-ext-gw] !!! modify connection in single command $ nmcli con mod ens160 autoconnect yes $ nmcli connection modify enp0s3 ipv4.addresses 192.168.1.21/24 $ nmcli connection modify enp0s3 ipv4.gateway 192.168.1.254 ipv4.method static $ nmcli connection modify enp0s3 autoconnect yes ipv4.method manual ipv4.addresses 172.25.250.100 ipv4.gateway 172.25.250.254 ipv4.dns 172.25.250.254 $ nmcli con up ens160 $ nmcli con add con-name eno2 type ethernet ifname eno2 Connection 'eno2' (8159b66b-3c36-402f-aa4c-2ea933c7a5ce) successfully added ``` COMMON_OPTIONS: type <type> [ifname <interface name> | "*"] [con-name <connection name>] [autoconnect yes|no] [save yes|no] [master <master (ifname, or connection UUID or name)>] [slave-type <master connection type>] ``` !!! set link up/down $ ip link set ens33 down $ ip link set ens33 up ###### Firewall $ firewall-cmd --list-all $ firewall-cmd --get-services $ firewall-cmd --add-service squid --permanent $ firewall-cmd --reload ss -tu shows connected TCP and UDP sockets. ss -tua shows connected TCP and UDP sockets + sockets in a listening state. ss -tulpn Shows TCP and UDP sockets in a listening state, it also adds process names or PID to the output. 
###### Firewall Zone ``` [ycheng@centos9 ~]$ firewall-cmd --get-zones block dmz drop external home internal nm-shared public trusted work [root@host ~]# firewall-cmd --set-default-zone=dmz [root@host ~]# firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24 [root@host ~]# firewall-cmd --permanent --zone=internal --add-service=mysql [root@host ~]# firewall-cmd --reload ``` ![](https://hackmd.io/_uploads/ByD0rmvrh.png) #### ++ Manage process $ sysctl -a To make system tuning easier, use **tuned**. **tuned** is a systemd service that works with different profiles. **tuned-adm** list shows current profiles. ``` $ tuned-adm active Current active profile: balanced $ tuned-adm profile virtual-guest $ sudo tuned-adm profile virtual-host ``` ``` $ pidof bash 2919 2051 $ pgrep bash 2051 2919 $ ps aux | grep bash ycheng 2051 0.0 0.3 223976 5376 pts/0 Ss May20 0:00 -bash ycheng 2919 0.0 0.3 223976 5476 pts/1 Ss+ 14:41 0:00 -bash ycheng 3118 0.0 0.1 221368 2028 pts/0 S+ 15:10 0:00 grep --color=auto bash ``` #### ++ Package dnf repolist dnf search dnf history sudo dnf history undo 10 sudo dnf history rollback 10 `$ dnf config-manager --enable <name-of-the-repository>` `$ dnf config-manager --add-repo <URL>` `$ dnf config-manager --enable <repo name>` #### ++ ACL (not covered in exam) ``` EXAMPLES Granting an additional user read access setfacl -m u:lisa:r file Revoking write access from all groups and all named users (using the effective rights mask) setfacl -m m::rx file Removing a named group entry from a file's ACL setfacl -x g:staff file Copying the ACL of one file to another getfacl file1 | setfacl --set-file=- file2 Copying the access ACL into the Default ACL getfacl --access dir | setfacl -d -M- dir ``` #### ++ Command notes ``` RHCSA v9 Questions: # Kernel Runtime !!! append to “kernel” line at boot loader (use one of them) 1. systemd.unit=emergency.target or 2. 
init=/bin/bash $ systemctl list-units --type target $ systemctl get-default $ systemctl set-default <target> $ systemctl isolate <target> # User Management $ useradd $ groupadd !!! (use -G for secondary group, -g for primary group) $ usermod -aG <group_name> <user_name> $ lid <username> # SELinux $ getenforce $ setenforce $ getsebool -a $ semanage boolean -l $ setsebool -P <SELinux boolean name> [on | off] $ cat /var/log/messages | grep sealert # Package Repository config $ dnf repolist $ dnf repolist --all $ dnf config-manager --add-repo="https://….." $ ls -l /etc/yum.repos.d repo config example: [repo name] name = <repo_name> baseurl = <repo_url> enabled = 1 $ dnf --enablerepo=<repo_name> install <package name> $ dnf search <package_name> $ dnf config-manager --set-enabled <repo_name> $ dnf info <package_name> $ dnf list installed $ yum repolist [enabled | disabled | all] # Network IP config $ nmtui # Firewall $ systemctl status firewalld $ firewall-cmd [ --get-zones | --get-services | --list-all | --reload ] $ firewall-cmd --permanent --add-port=... $ firewall-cmd --permanent --add-service=... $ firewall-cmd --permanent --add-source=... $ firewall-cmd --permanent --add-source=... --zone=... # AutoFS # LVM $ lsblk -f $ parted # display... $ pvs $ vgs $ lvs $ pvcreate <device_path> ... $ vgcreate <vg_name> <pv_name> $ lvcreate -n <lv_name> -L <size> <vg_name> $ lvcreate -n lv01 -L 128M vg01 $ lvcreate -n lv01 -l 32 vg01 $ vgextend <vg_name> <pv_name> $ lvextend -L +500M -r <lv_name (/dev/vg_name/lv_name)> $ xfs_growfs /mnt/data... $ resize2fs /mnt/data... # Podman $ podman run -d --name db01 \ -e MYSQL_USER=student \ -e MYSQL_PASSWORD=student \ -e MYSQL_DATABASE=dev_data \ -e MYSQL_ROOT_PASSWORD=redhat \ -v /home/user/db_data:/var/lib/mysql:Z \ -p 13306:3306 \ registry.lab.example.com/rhel8/mariadb-105 $ firewall-cmd --add-port=13306/tcp --permanent $ firewall-cmd --reload $ loginctl show-user <username> $ loginctl enable-linger # find -perm -1000 
--> sticky bit -perm -2000 --> GID (setgid) -perm -4000 --> UID (setuid) -size 6M -size +2G -size -10k -size +10M -size -20M # permission $ chmod +t $ chmod u+s $ chmod g+s $ chmod +s [root@centos9 ycheng]# ls -l abc -rw-r--r--. 1 root root 0 Jul 5 21:48 abc [root@centos9 ycheng]# chmod +t abc [root@centos9 ycheng]# ls -l abc -rw-r--r-T. 1 root root 0 Jul 5 21:48 abc [root@centos9 ycheng]# chmod u+s abc [root@centos9 ycheng]# ls -l abc -rwSr--r-T. 1 root root 0 Jul 5 21:48 abc [root@centos9 ycheng]# chmod g+s abc [root@centos9 ycheng]# ls -l abc -rwSr-Sr-T. 1 root root 0 Jul 5 21:48 abc !!! capital S / T in the listing means the special bit is set but the matching execute bit is not # crontab and at !!! Format Min Hour Day Month Week <Command> echo "hello" | at now +5 minutes ```