Thursday, 10 September 2020
Swap Space Made Easy
Cutting through the exposition and explanation, we can create a new swap file as easily and quickly as this:
sudo dd if=/dev/zero of=/swapfile2 bs=1024 count=104857
sudo mkswap /swapfile2
sudo chmod 600 /swapfile2
sudo swapon /swapfile2
And let’s check that it worked:
swapon --show
If you want to make that permanent, drop it into your /etc/fstab file.
The line we need to add to the bottom of the file is:
/swapfile2 none swap sw 0 0
The operating system makes use of swap space when its available physical memory (RAM) is running out due to ever-demanding applications. In this situation, the operating system moves the inactive pages in physical memory to swap space.
The physical memory freed this way is used by other applications. When enough physical memory is available again, the swapped-out pages are brought back into physical memory. Administrators ensure that sufficient swap space is present in the system so that some free physical memory is always available to the operating system. This article provides steps to create or increase swap space, and to delete it if you need to.
Table of Contents
Do I really need swap space?
Partition or file?
What is the recommended swap size?
Creating swap space
Disable and remove a swap file
Limitation
Conclusion
Do I really need swap space?
Not always, provided the system has a large amount of physical memory (RAM). But it is recommended to have swap space handy. The system may crash when it runs out of physical memory while many applications with large memory footprints are running. Compared to RAM, disk space is relatively cheap!
Partition or file?
Swap space can be a dedicated swap partition (recommended), a swap file, or a combination of both. By default, most Linux distributions create a dedicated swap partition or a file on the system partition during installation. The Windows operating system generally has its swap space as a file.
What is the recommended swap size?
Though there is no hard and fast rule to have swap space, it is recommended to have at least 1.5 times the physical memory. In the case of hibernation, the swap partition should be at least as big as the RAM size.
Creating swap space
Following are the instructions to create swap space using a file:
Login as root.
sudo su
Create swap file in directory “/var” with name “swapfile”. At the shell, create the file and set root permissions as follows:
cd /var
touch swapfile
chmod 600 swapfile
ls -la swapfile
Use the “dd” command to fill the swap file to a size of 1 GB (as an example) as follows:
dd if=/dev/zero of=/var/swapfile bs=1024k count=1000
Now setup the swap file:
mkswap /var/swapfile
Enable the swap file:
swapon /var/swapfile
To check whether the new swap file was successfully created, either of the below commands can be used.
# cat /proc/swaps
# swapon --show
Add the line below to the “/etc/fstab” file so that the newly created swap file is enabled the next time the system boots:
/var/swapfile none swap sw 0 0
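The chmod 600 step matters because swapped-out pages can hold process memory, so a swap file must not be readable by other users. The check below is an added example, not part of the original post: it reads a listing in /proc/swaps format and reports any swap file whose mode grants group or other access. The file names and the listing used in the demo are constructed.

```shell
# Added example (not from the original post): report swap files whose mode
# grants group/other access. Input is a listing in /proc/swaps format.
audit_swap_perms() {
    listing="${1:-/proc/swaps}"
    rc=0
    while read -r name type _rest; do
        [ "$type" = "file" ] || continue   # skip blank lines and partitions
        if [ ! -e "$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$name")       # GNU stat: octal permission bits
        if [ $(( 0$mode & 077 )) -eq 0 ]; then
            echo "OK $name $mode"
        else
            echo "UNSAFE $name $mode"; rc=1
        fi
    done <<EOF
$(tail -n +2 "$listing")
EOF
    return "$rc"
}

# Constructed demo: two empty stand-in files and a hand-written listing.
demo_swap_audit() {
    d=$(mktemp -d)
    : > "$d/swap_ok";   chmod 600 "$d/swap_ok"
    : > "$d/swap_open"; chmod 644 "$d/swap_open"
    {
        printf 'Filename\tType\tSize\tUsed\tPriority\n'
        printf '/dev/sda2\tpartition\t2097148\t0\t-2\n'
        printf '%s\tfile\t102396\t0\t-3\n' "$d/swap_ok"
        printf '%s\tfile\t102396\t0\t-4\n' "$d/swap_open"
    } > "$d/swaps"
    status=0
    audit_swap_perms "$d/swaps" || status=$?
    rm -rf "$d"
    return "$status"
}

demo_swap_audit || true
```

Run audit_swap_perms with no argument to check the live /proc/swaps; a non-zero exit status means at least one swap file needs attention.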
Disable and remove a swap file
Disable the swap file.
# swapoff /var/swapfile
Delete the swap file.
# rm /var/swapfile
Remove the entry from “/etc/fstab” file.
/var/swapfile none swap sw 0 0
Limitation
Wednesday, 9 September 2020
Disable SELinux Permanently
To permanently disable SELinux, use your favorite text editor to open the file /etc/sysconfig/selinux as follows:
# vi /etc/sysconfig/selinux
Then change the directive SELINUX=enforcing to SELINUX=disabled, as shown below.
SELINUX=disabled
Then save and exit the file. For the changes to take effect, you need to reboot your system; afterwards, check the status of SELinux using the sestatus command as shown:
$ sestatus
Tuesday, 8 September 2020
Linux HTTP Server Configuration
Installation
For a minimum HTTP server installation, issue the following command.
# yum install httpd
If you want a more complete installation, you can install the "Web Server" package group.
# yum groupinstall "Web Server"
Make sure the "/etc/hosts" file contains references for the loopback address and the hostname.
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.122.89 rhce1.localdomain rhce1
Turn on the HTTP server and make sure it starts automatically on reboot.
# service httpd start
# chkconfig httpd on
The HTTP server is now installed and running. The HTTP configuration files are located under the "/etc/httpd" directory, with the main configuration file being the "/etc/httpd/conf/httpd.conf" file. The default document root is "/var/www/html". Any files or directories below this point will be visible using a browser once you configure the firewall.
Changes to the "/etc/httpd/conf/httpd.conf" file have to be followed by a reload or a restart of the httpd service.
# service httpd reload
# # OR
# service httpd restart
Firewall
If you are using the Linux firewall, you need to punch a hole in the firewall for port 80 (and 443 for HTTPS) to make sure the HTTP server can be accessed from the network. There are several ways to do this:
The "Firewall Configuration" dialog from the menu (System > Administration > Firewall) or initiated from the command line by running the system-config-firewall command. On the "Trusted Services" section, scroll down the list and check the "WWW (HTTP)" option, then click the "Apply" button.
The text-based "Firewall Configuration" utility (system-config-firewall-tui). This is the text-based version of the above dialog.
Using the iptables service directly, as described here. In this case we would need the following entry.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
You can read more about the Linux firewall here.
SELinux
If you are using SELinux, you will need to consider the following points.
The SELinux booleans associated with the httpd service are displayed using the getsebool command.
# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
#
The setsebool command is used to set a specific boolean value.
# setsebool httpd_use_nfs on
# setsebool httpd_use_nfs off
The httpd_sys_content_t context should be assigned to all content.
# semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
# restorecon -F -R -v /var/www/html
You can check the current context setting on files and directories using the "ls -alZ" command.
More information on SELinux can be found here.
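Because each httpd boolean widens or narrows what the web server process may do, it is useful to save the getsebool listing as a baseline and compare later captures against it. The following is an added example, not code from the original article: it diffs two captures in the "name --> on|off" format shown above. The baseline lines are taken from the listing above; the "current" capture is constructed.

```shell
# Added example (not from the original article): diff two captures of
# `getsebool -a | grep httpd` output, each line in "name --> on|off" form.
sebool_drift() {
    # $1 = baseline capture, $2 = current capture
    awk '
        NF != 3 || $2 != "-->" { next }          # ignore prompts and blank lines
        FILENAME == ARGV[1]    { base[$1] = $3; next }
        { seen[$1] = 1 }
        !($1 in base)          { print "NEW " $1 " " $3; next }
        base[$1] != $3         { print "CHANGED " $1 " " base[$1] " -> " $3 }
        END { for (n in base) if (!(n in seen)) print "MISSING " n }
    ' "$1" "$2" | sort
}

demo_sebool_drift() {
    d=$(mktemp -d)
    # Baseline: five lines taken from the listing above.
    cat > "$d/baseline" <<'EOF'
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_use_nfs --> off
EOF
    # Current state: constructed for this example.
    cat > "$d/current" <<'EOF'
httpd_can_network_connect --> on
httpd_enable_cgi --> on
httpd_execmem --> off
httpd_tmp_exec --> on
httpd_use_nfs --> on
EOF
    sebool_drift "$d/baseline" "$d/current"
    rm -rf "$d"
}

demo_sebool_drift
```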
Virtual Hosts
Virtual Hosts allow multiple websites to be hosted by a single physical machine, with each website being apparently independent of the others. The virtual hosts can be IP-based, but are typically name-based, meaning the domain name in the URL used to access the web server determines which virtual host the request is for.
Create the following directories as locations for two virtual hosts. I've also created a test file in both document roots.
# mkdir -p /www/mysite1.com/logs
# mkdir -p /www/mysite1.com/html
# echo "MySite1.com Test file" > /www/mysite1.com/html/test.txt
# mkdir -p /www/mysite2.com/logs
# mkdir -p /www/mysite2.com/html
# echo "MySite2.com Test file" > /www/mysite2.com/html/test.txt
If you are using SELinux, make sure the directories and their contents are assigned the correct context.
# semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
# restorecon -F -R -v /www
Virtual hosts are defined in the "/etc/httpd/conf/httpd.conf" file. The definitions of the two virtual hosts are shown below.
NameVirtualHost *:80
<VirtualHost *:80>
  ServerName www.mysite1.com
  ServerAlias mysite1.com
  DocumentRoot /www/mysite1.com/html
  ErrorLog /www/mysite1.com/logs/mysite1.com-error_log
</VirtualHost>
<VirtualHost *:80>
  ServerName www.mysite2.com
  ServerAlias mysite2.com
  DocumentRoot /www/mysite2.com/html
  ErrorLog /www/mysite2.com/logs/mysite2.com-error_log
</VirtualHost>
Reload or restart the httpd service for the changes to take effect.
# service httpd reload
# # OR
# service httpd restart
Provided the DNS, or hosts file, resolves the names "mysite1.com" and "mysite2.com" to the IP address of the web server, pages under the document roots will now display for each virtual host. To test this you can alter your hosts file with the following entries.
127.0.0.1 mysite1.com mysite1
127.0.0.1 mysite2.com mysite2
You should now see the correct test page under each of the following URLs on the web server.
http://mysite1.com/test.txt
http://mysite2.com/test.txt
Private Directories
Using the virtual hosts we created previously, create a new directory called "private" and place a file in it.
# mkdir /www/mysite1.com/html/private
# echo "MySite1.com Private Test file" > /www/mysite1.com/html/private/test.txt
Create a ".htpasswd" file containing a username/password, then add a second entry.
# cd /www/mysite1.com/html/private
# htpasswd -cmb .htpasswd user1 password1
# htpasswd -mb .htpasswd user2 password2
Edit the "/etc/httpd/conf/httpd.conf" file with an entry such as the following.
<Directory "/www/mysite1.com/html/private">
  AuthType basic
  AuthName "Private Access"
  AuthUserFile "/www/mysite1.com/html/private/.htpasswd"
  Require valid-user
  Order allow,deny
  Allow from all
</Directory>
Reload or restart the httpd service for the changes to take effect.
# service httpd reload
# # OR
# service httpd restart
You should now be prompted for a username/password when trying to access the following file.
http://mysite1.com/private/test.txt
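The ".htpasswd" file above lives inside the document root, while Apache's authentication documentation advises keeping password files outside the document tree. The following is an added example, not code from the original article: it lists every AuthUserFile in a configuration file and marks those that sit under one of its DocumentRoot paths. The mysite1.com paths are the article's; the mysite2.com block and the /etc/httpd/passwd location are constructed.

```shell
# Added example (not from the original article): list every AuthUserFile in an
# Apache config and mark those that sit inside one of its DocumentRoot trees.
# Assumes one directive per line and paths without embedded spaces.
authfile_in_docroot() {
    awk '
        function clean(s) { gsub(/^"|"$/, "", s); sub(/\/+$/, "", s); return s }
        { sub(/^[ \t]+/, "") }                   # drop indentation, re-split fields
        /^#/ { next }
        tolower($1) == "documentroot" { roots[++n] = clean($2) }
        tolower($1) == "authuserfile" { files[++m] = clean($2) }
        END {
            for (i = 1; i <= m; i++) {
                hit = ""
                for (j = 1; j <= n; j++)
                    if (index(files[i], roots[j] "/") == 1) hit = roots[j]
                if (hit != "") print "IN_DOCROOT " files[i] " under " hit
                else           print "OK " files[i]
            }
        }
    ' "$1"
}

demo_authfile_check() {
    f=$(mktemp)
    # mysite1.com paths are the article's; the mysite2.com block is constructed.
    cat > "$f" <<'EOF'
<VirtualHost *:80>
  DocumentRoot /www/mysite1.com/html
  <Directory "/www/mysite1.com/html/private">
    AuthUserFile "/www/mysite1.com/html/private/.htpasswd"
  </Directory>
</VirtualHost>
<VirtualHost *:80>
  DocumentRoot /www/mysite2.com/html
  <Directory "/www/mysite2.com/html/private">
    AuthUserFile /etc/httpd/passwd/mysite2.htpasswd
  </Directory>
</VirtualHost>
EOF
    authfile_in_docroot "$f"
    rm -f "$f"
}

demo_authfile_check
```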
Group Managed Content
Using the virtual hosts defined previously, we will enable group managed content for "mysite1.com".
Create a group that the users will be part of.
# groupadd webdevs
Add the necessary users to the group.
# # Create new users.
# useradd -g webdevs user1
# useradd -g webdevs user2
#
# # Modify existing users.
# usermod -g webdevs user1
# usermod -g webdevs user2
Change the ownership and permissions of the directories holding the group managed content.
# chown -R apache.webdevs /www/mysite1.com/html
# chmod -R 775 /www/mysite1.com/html
# chmod -R g+s /www/mysite1.com/html
Log in as the two users and check they can add and amend content.
# su - user1
$ umask 002
$ echo "Test by user1" > /www/mysite1.com/html/group-test.txt
$ exit
logout
# su - user2
$ umask 002
$ echo "Test by user2" >> /www/mysite1.com/html/group-test.txt
$ exit
logout
#
The file with both users' content is visible using the following URL.
http://mysite1.com/group-test.txt
Notice the umask setting, which allows read/write permission for the group. This setting can be placed in the "~/.bashrc" or the "~/.bash_profile" file for each user.
Deploy a Basic CGI Application
Create a directory called "cgi-bin" under an existing virtual host.
# mkdir /www/mysite2.com/html/cgi-bin
Create a simple CGI application in the directory, for example a file called "helloworld.pl" with the following contents.
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "helloWorld!";
Change the ownership and make sure the file is executable.
# cd /www/mysite2.com/html/cgi-bin
# chown apache.apache helloworld.pl
# chmod u+x helloworld.pl
Edit the "/etc/httpd/conf/httpd.conf" file, adding the following entries to the virtual host definition.
ScriptAlias /cgi-bin/ /www/mysite2.com/html/cgi-bin/
Options +ExecCGI
AddHandler cgi-script .pl .cgi
So the complete definition looks like this.
<VirtualHost *:80>
  ServerName www.mysite2.com
  ServerAlias mysite2.com
  DocumentRoot /www/mysite2.com/html
  ErrorLog /www/mysite2.com/logs/mysite2.com-error_log
  # Below added to support CGI applications
  ScriptAlias /cgi-bin/ /www/mysite2.com/html/cgi-bin/
  Options +ExecCGI
  AddHandler cgi-script .pl .cgi
</VirtualHost>
Reload or restart the httpd service for the changes to take effect.
# service httpd reload
# # OR
# service httpd restart
The CGI application can now be run with the following URL.
http://mysite2.com/cgi-bin/helloworld.pl
If you prefer the "cgi-bin" directory to be placed in a different location, simply alter the "ScriptAlias" entry to reflect the changed location.
SSL Configuration (HTTPS)
HTTPS configuration is not a requirement of the RHCE exam, but it is useful to know, so I included it.
If they are not already installed, install the mod_ssl, openssl and crypto-utils packages.
# yum install mod_ssl openssl crypto-utils
The installation of the mod_ssl package creates the "/etc/httpd/conf.d/ssl.conf" configuration file, which includes references to the default self-signed localhost certificate and key. This is sufficient for testing SSL configuration. The httpd service must be restarted for the module to be loaded, but we will do that later.
The genkey command can generate a certificate request or a new self-signed certificate. For this test I created a new self-signed certificate. Remember, if you encrypt the certificate with a passphrase, you will need to enter it every time you start the HTTP server.
# genkey --makeca rhce1.localdomain
Move the key and certificate to the relevant directories.
# mv /etc/pki/CA/private/rhce1.localdomain /etc/pki/tls/private/rhce1.localdomain
# mv /etc/pki/CA/rhce1.localdomain /etc/pki/tls/certs/rhce1.localdomain
Add/modify the following lines in the "/etc/httpd/conf.d/ssl.conf" file.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!DHE:!RSA
SSLCertificateFile /etc/pki/tls/certs/rhce1.localdomain
SSLCertificateKeyFile /etc/pki/tls/private/rhce1.localdomain
#SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
Notice the "SSLCACertificateFile" entry is commented out. If you are using a real certificate, you will probably need to download the intermediate bundle from the CA and reference it using this tag.
Restart the HTTP server.
# service httpd restart
Provided you have the correct firewall settings, you should now be able to access your applications using HTTPS.
https://rhce1.localdomain
Synchronize Time on Installed Linux Operating Systems NTP
When Linux machines are provisioned with an operating system, the Network Time Protocol (NTP) service is not running. After moving the newly provisioned Linux machines to a network with access to the NTP server, you must synchronize the time on the machines to network time.
Prerequisites
Configure the Linux machines on a network with access to the NTP server.
Identify the NTP servers used in your environment.
Procedure
On the Linux machine, log in as root.
Run the ntpdate -u command to update the machine clock.
For example, ntpdate -u ntp-time.for.mydomain.
Open the /etc/ntp.conf file and add the NTP servers used in your environment.
You can add multiple NTP servers similar to these examples.
server ntp-time.for.mydomain
server otherntp.server.org
server ntp.research.gov
Run the service ntpd start command to start the NTP service and implement your configuration changes.