diff --git a/CLAUDE.md b/CLAUDE.md index ad22bbe..023a9c8 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -39,12 +39,12 @@ This is a Red Hat Certified System Administrator (RHCSA) certification study rep - `rhcsa_acronyms_glossary.md` - Comprehensive glossary of RHCSA acronyms and terms - `ebook_summary.md` - Analysis and topic organization from both major RHCSA study books - `anki/` - Anki flashcard deck (tracked in git) - - `rhcsa_deck.csv` - 146 comprehensive flashcards covering all RHCSA exam objectives + - `rhcsa_deck.csv` - 169 comprehensive flashcards covering all RHCSA exam objectives - `mkdocs.yml` - MkDocs configuration file for documentation site - `requirements.txt` - Python dependencies for MkDocs - `.github/workflows/deploy.yml` - GitHub Actions workflow for automatic deployment to GitHub Pages -- `vagrant/` - Automated lab environment provisioning with RHEL 9 VMs - - `Vagrantfile` - VM configuration for rhel9a and rhel9b instances +- `vagrant/` - Automated lab environment provisioning with RHEL 10 VMs + - `Vagrantfile` - VM configuration for rhel10a and rhel10b instances - `playbook.yml` - Ansible playbook for environment setup - `.rhel-credentials` - Hidden credentials file for Red Hat Developer subscription (not tracked) - `sources/` - External resources (not tracked in git, contains copyrighted materials) @@ -53,14 +53,14 @@ This is a Red Hat Certified System Administrator (RHCSA) certification study rep ## Lab Environment Requirements **Vagrant Configuration**: The `../vagrant/` directory provides automated lab environment provisioning: -- RHEL 9 VMs with proper resource allocation and networking +- RHEL 10 VMs with proper resource allocation and networking - Automated subscription registration with Red Hat Developer accounts - Pre-configured storage setup for LVM and filesystem labs - Prerequisites: Vagrant, VirtualBox, Red Hat Developer subscription **VM Usage**: -- **rhel9a**: Used for user management and SELinux scenarios -- **rhel9b**: Used for storage management scenarios (multiple disks pre-configured) +- **rhel10a**: Used for user management and SELinux scenarios +- **rhel10b**: Used for storage management scenarios (multiple disks pre-configured) ## Common Study Tasks @@ -73,7 +73,7 @@ This is a Red Hat Certified System Administrator (RHCSA) certification study rep - **Focus on hands-on** command execution and verification in lab environment ### Anki Flashcard Usage -The `anki/rhcsa_deck.csv` file contains 146 essential commands organized by tags: +The `anki/rhcsa_deck.csv` file contains 169 essential commands organized by tags: - `user_management` - useradd, usermod, chage, groupadd - `permissions` - chmod, chown, file access controls - `systemd` - systemctl, journalctl, service management @@ -82,7 +82,7 @@ The `anki/rhcsa_deck.csv` file contains 146 essential commands organized by tags - `selinux` - getenforce, setsebool, restorecon, ausearch troubleshooting - `firewall` - firewall-cmd, port and service management - `networking` - nmcli, static IP, DNS configuration -- `containers` - podman operations, systemd integration +- `flatpak` - Flatpak repository and application management ## Key RHCSA Command Categories diff --git a/COPYRIGHT_NOTICE.md b/COPYRIGHT_NOTICE.md index a0cd4cc..6e44f43 100644 --- a/COPYRIGHT_NOTICE.md +++ b/COPYRIGHT_NOTICE.md @@ -2,43 +2,43 @@ ## Protected Content -This repository contains analysis and study materials derived from the following copyrighted works, all stored in the `resources/` directory (not tracked in git): +This repository contains analysis and study materials derived from the following copyrighted works, all stored in the `sources/` directory (not tracked in git): ### Study Books -1. **"RHCSA Red Hat Enterprise Linux" by Asghar Ghori** - - EPUB file: `resources/RHCSA Red Hat Enterprise Linux - Asghar Ghori.epub` - - Converted content: `resources/asghar_ghori_rhcsa.md` - - Extracted images: `resources/images/OEBPS/` (1000+ images) +1. **"RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori** (Dec 2025 edition) + - EPUB file: `sources/RHCSA Red Hat Enterprise Linux - Asghar Ghori.epub` + - Converted content: `sources/asghar_ghori_rhcsa.md` + - Extracted images: `sources/images/OEBPS/` (1000+ images) - Status: Excluded from repository via .gitignore 2. **"Red Hat RHCSA 9 Cert Guide" by Sander van Vugt** - - EPUB file: `resources/Red Hat RHCSA 9 Cert Guide (Cer - Sander van Vugt.epub` - - Converted content: `resources/sander_van_vugt_rhcsa.md` - - Extracted images: `resources/images/00001.jpeg` through `resources/images/00223.jpeg` + - EPUB file: `sources/Red Hat RHCSA 9 Cert Guide (Cer - Sander van Vugt.epub` + - Converted content: `sources/sander_van_vugt_rhcsa.md` + - Extracted images: `sources/images/00001.jpeg` through `sources/images/00223.jpeg` - Status: Excluded from repository via .gitignore ### Official Documentation 3. **Red Hat Enterprise Linux 9 - Using SELinux** - - PDF file: `resources/Red_Hat_Enterprise_Linux-9-Using_SELinux-en-US.pdf` + - PDF file: `sources/Red_Hat_Enterprise_Linux-9-Using_SELinux-en-US.pdf` - Publisher: Red Hat, Inc. - License: Likely Creative Commons or similar open license (check document) - Status: Excluded from repository via .gitignore 4. **Red Hat Enterprise Linux for SAP Solutions 9 - Using SELinux for SAP HANA** - - PDF file: `resources/Red_Hat_Enterprise_Linux_for_SAP_Solutions-9-Using_SELinux_for_SAP_HANA-en-US.pdf` + - PDF file: `sources/Red_Hat_Enterprise_Linux_for_SAP_Solutions-9-Using_SELinux_for_SAP_HANA-en-US.pdf` - Publisher: Red Hat, Inc. - License: Likely Creative Commons or similar open license (check document) - Status: Excluded from repository via .gitignore ## Original Work Included (Tracked in Git) -The following files in `reference/` are original work and analysis based on the study materials: +The following files are original work and analysis based on the study materials: -- `reference/anki_rhcsa_flashcards.csv` - 146 original study flashcards organized by topic -- `reference/command_reference_by_topic.md` - Organized command reference with examples -- `reference/exam_quick_reference.md` - Exam day reference with comprehensive examples -- `reference/rhcsa_acronyms_glossary.md` - Comprehensive acronym and terminology guide -- `reference/ebook_summary.md` - Original analysis and commentary on both study books (transformative educational content) +- `anki/rhcsa_deck.csv` - Study flashcards organized by topic +- `docs/command_reference_by_topic.md` - Organized command reference with examples +- `docs/exam_quick_reference.md` - Exam day reference with comprehensive examples +- `docs/rhcsa_acronyms_glossary.md` - Comprehensive acronym and terminology guide +- `docs/ebook_summary.md` - Original analysis and commentary on both study books (transformative educational content) ## Fair Use Statement diff --git a/README.md b/README.md index f8ec211..6f6d076 100644 --- a/README.md +++ b/README.md @@ -18,11 +18,11 @@ A comprehensive study repository for Red Hat Certified System Administrator (RHC - `command_reference_by_topic.md` - Commands organized by functional area - `rhcsa_acronyms_glossary.md` - Comprehensive glossary - `ebook_summary.md` - Analysis from major RHCSA study books -- **`anki/rhcsa_deck.csv`** - 146 comprehensive flashcards for Anki import +- **`anki/rhcsa_deck.csv`** - 169 comprehensive flashcards for Anki import ### πŸ—οΈ Lab Environment -- **`vagrant/`** - Automated RHEL 9 VM provisioning with Vagrant - - `Vagrantfile` - VM configuration for rhel9a and rhel9b instances +- **`vagrant/`** - Automated RHEL 10 VM provisioning with Vagrant + - `Vagrantfile` - VM configuration for rhel10a and rhel10b instances - `playbook.yml` - Ansible playbook for environment setup ### πŸ“– External Resources (`sources/` directory, not tracked) @@ -35,17 +35,17 @@ A comprehensive study repository for Red Hat Certified System Administrator (RHC ### Using the Anki Flashcards 1. Import `anki/rhcsa_deck.csv` into Anki -2. The deck includes 146 cards organized by topic tags: +2. The deck includes 169 cards organized by topic tags: - `user_management`, `permissions`, `systemd` - - `storage`, `lvm`, `selinux`, `firewall` - - `networking`, `containers`, `monitoring` - - `rhel9_specific`, `exam_pressure`, `syntax_heavy` + - `storage`, `lvm`, `selinux`, `firewall` + - `networking`, `flatpak`, `monitoring` + - `rhel10_specific`, `exam_pressure`, `syntax_heavy` ### Lab Environment Setup **Vagrant VM Provisioning**: - See `vagrant/` directory for automated lab environment setup -- RHEL 9 VMs configured with proper resources and networking +- RHEL 10 VMs configured with proper resources and networking - Automated subscription registration and storage disk configuration - Prerequisites: Vagrant, VirtualBox, Red Hat Developer subscription @@ -83,7 +83,7 @@ The flashcards and lab scenarios cover all essential areas: - **Storage & LVM**: fdisk, pvcreate, vgcreate, lvcreate, filesystem management - **Security & SELinux**: getenforce, setsebool, restorecon, firewall-cmd - **Networking**: nmcli, static IP configuration, SSH setup -- **Containers**: podman operations with systemd integration +- **Flatpak**: Flatpak repository and application management ## Lab Scenarios @@ -95,5 +95,5 @@ Each lab includes: ## Notes - Lab 3 (SELinux) contains a TODO section requiring completion -- All scenarios designed for RHEL 9 environments +- All scenarios designed for RHEL 10 environments - Commands in flashcards represent real exam tasks diff --git a/anki/rhcsa_deck.csv b/anki/rhcsa_deck.csv index 2986805..c54c17b 100644 --- a/anki/rhcsa_deck.csv +++ b/anki/rhcsa_deck.csv @@ -78,14 +78,16 @@ Front,Back,Tags,Notes "Generate SSH key pair","ssh-keygen -t rsa","ssh","" "Connect to server via SSH with specific key","ssh -i /path/to/key user@server","ssh","" "Disable password authentication in SSH","Edit /etc/ssh/sshd_config, set PasswordAuthentication no","ssh","" -"Pull container image from registry","podman pull registry.redhat.io/ubi8/ubi","containers","" -"Run container with port mapping","podman run -d -p 8080:80 nginx","containers","" -"List running containers","podman ps","containers","" -"Stop container by ID","podman stop container-id","containers","" -"Build container from Containerfile","podman build -t myapp .","containers","" -"Run container as systemd service","podman generate systemd --new container-name > /etc/systemd/system/container.service","containers","" -"Mount host directory in container","podman run -v /host/path:/container/path image","containers","" -"View container logs","podman logs container-name","containers","" +"Add Flathub repository to system","flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo","flatpak","" +"Install Flatpak application from Flathub","flatpak install flathub org.example.App","flatpak","" +"Install Flatpak application for current user only (no root)","flatpak install --user flathub org.example.App","flatpak","" +"List installed Flatpak applications","flatpak list --app","flatpak","" +"List configured Flatpak remotes","flatpak remotes","flatpak","" +"Search for available Flatpak applications","flatpak search keyword","flatpak","" +"Remove a Flatpak application","flatpak uninstall org.example.App","flatpak","" +"Remove unused Flatpak runtimes after uninstalling apps","flatpak uninstall --unused","flatpak","" +"Run a Flatpak application","flatpak run org.example.App","flatpak","" +"Update all installed Flatpak applications","flatpak update","flatpak","" "Check disk usage","df -h","monitoring","" "Check memory usage","free -h","monitoring","" "View running processes by CPU usage","top","monitoring","" @@ -108,10 +110,10 @@ Front,Back,Tags,Notes "Trace network route","traceroute destination","troubleshooting","" "Test DNS resolution","nslookup hostname","troubleshooting","" "View network interface statistics","ip -s link show","troubleshooting","" -"Configure static IP 192.168.1.100/24 and DNS 8.8.8.8 using nmcli on connection 'ens33'","nmcli con modify ens33 ipv4.addresses 192.168.1.100/24 ipv4.dns 8.8.8.8 ipv4.method manual && nmcli con up ens33","rhel9_specific,networking","Note: ipv4.method manual is required for static IP" -"Create podman container running nginx, map port 8080->80, auto-start with systemd","podman run -d --name web-server -p 8080:80 nginx && podman generate systemd --new --files --name web-server && sudo cp container-web-server.service /etc/systemd/system/ && sudo systemctl enable container-web-server.service","containers,rhel9_specific","New RHCSA requirement - containers with systemd integration" +"Configure static IP 192.168.1.100/24 and DNS 8.8.8.8 using nmcli on connection 'ens33'","nmcli con modify ens33 ipv4.addresses 192.168.1.100/24 ipv4.dns 8.8.8.8 ipv4.method manual && nmcli con up ens33","rhel10_specific,networking","Note: ipv4.method manual is required for static IP" +"Add Flathub remote for user-level installs and install an app","flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo && flatpak install --user flathub org.gnome.Calculator -y","flatpak,rhel10_specific","Flatpak replaces containers on RHEL 10 RHCSA exam" "Boot into rescue mode to reset root password on RHEL 9 (GRUB method)","At GRUB menu: e -> find linux line -> add rd.break at end -> Ctrl+X -> mount -o remount,rw /sysroot -> chroot /sysroot -> passwd -> touch /.autorelabel -> exit -> exit","boot_rescue,exam_pressure","Must remember .autorelabel for SELinux" -"Allow httpd to bind to port 8080 with SELinux (without disabling)","semanage port -a -t http_port_t -p tcp 8080","selinux,rhel9_specific","Use semanage, not setsebool for port binding" +"Allow httpd to bind to port 8080 with SELinux (without disabling)","semanage port -a -t http_port_t -p tcp 8080","selinux,rhel10_specific","Use semanage, not setsebool for port binding" "Create LV, extend it by 500MB, and grow XFS filesystem in one sequence","lvcreate -L 1G -n data vg01 && mkfs.xfs /dev/vg01/data && mkdir /data && mount /dev/vg01/data /data && lvextend -L +500M /dev/vg01/data && xfs_growfs /data","lvm,exam_pressure","Remember: XFS uses xfs_growfs, not resize2fs" "Configure autofs to mount NFS share 192.168.1.100:/exports to /mnt/nfs","echo '/mnt /etc/auto.nfs --timeout=60' >> /etc/auto.master && echo 'nfs -rw 192.168.1.100:/exports' >> /etc/auto.nfs && systemctl enable autofs && systemctl start autofs","nfs,autofs,syntax_heavy","Complex syntax - practice this" "Find all SUID files on system (exam-safe performance)","find / -perm -4000 -type f 2>/dev/null","security,file_operations","Redirect stderr to avoid permission noise" @@ -120,14 +122,14 @@ Front,Back,Tags,Notes "Create swap file (not partition) of 1GB and enable permanently","fallocate -l 1G /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile && echo '/swapfile swap swap defaults 0 0' >> /etc/fstab","storage,exam_tricks","Swap files are valid - know this alternative" "Troubleshoot: service fails to start, check SELinux denials","systemctl status servicename && journalctl -u servicename && ausearch -m AVC -ts recent","troubleshooting,selinux","Check all three: systemctl, journalctl, ausearch" "Set user password to expire in 90 days, warn 7 days before, min 1 day between changes","chage -M 90 -W 7 -m 1 username","user_management,syntax_heavy","-M=max, -W=warning, -m=minimum days" -"Open firewall for HTTP, HTTPS permanently and reload","firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload","firewall,rhel9_specific","Can chain --add-service options" -"Configure persistent journal logging","mkdir -p /var/log/journal && systemctl restart systemd-journald","systemd,rhel9_specific","Directory must exist for persistence" +"Open firewall for HTTP, HTTPS permanently and reload","firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload","firewall,rhel10_specific","Can chain --add-service options" +"Configure persistent journal logging","mkdir -p /var/log/journal && systemctl restart systemd-journald","systemd,rhel10_specific","Directory must exist for persistence" "Reset forgotten root password using single user mode (systemd method)","At GRUB: e -> linux line -> add systemd.unit=rescue.target -> Ctrl+X -> enter root password -> passwd -> systemctl default","boot_rescue,systemd","Systemd method - know both rd.break and rescue.target" "Mount NFS share temporarily and add to fstab for permanent mounting","mount -t nfs 192.168.1.100:/exports /mnt/nfs && echo '192.168.1.100:/exports /mnt/nfs nfs defaults 0 0' >> /etc/fstab","nfs,storage","Test mount first, then add to fstab" "Create user with specific UID 5000, home dir /opt/appuser, shell /sbin/nologin","useradd -u 5000 -d /opt/appuser -s /sbin/nologin -m appuser","user_management,exam_requirements","-m creates home dir, even if custom location" "Check which process is using port 80","ss -tlnp | grep :80 OR lsof -i :80","monitoring,alternatives","Know both ss and lsof methods" -"Configure timezone to America/New_York","timedatectl set-timezone America/New_York","system_config,rhel9_specific","Use timedatectl, not /etc/localtime symlinks" -"Set hostname to server1.example.com permanently","hostnamectl set-hostname server1.example.com","networking,rhel9_specific","hostnamectl is the RHEL 9 way" +"Configure timezone to America/New_York","timedatectl set-timezone America/New_York","system_config,rhel10_specific","Use timedatectl, not /etc/localtime symlinks" +"Set hostname to server1.example.com permanently","hostnamectl set-hostname server1.example.com","networking,rhel10_specific","hostnamectl is the RHEL 9 way" "Find files modified in last 7 days in /var/log","find /var/log -mtime -7 -type f","file_operations,exam_tricks","-mtime -7 means less than 7 days ago" "Enable and start httpd, then check if it's listening on port 80","systemctl enable --now httpd && ss -tlnp | grep :80","systemd,verification","--now enables and starts in one command" "Create logical volume that uses all available space in VG","lvcreate -l 100%FREE -n data vg01","lvm,exam_tricks","-l 100%FREE uses all remaining space" @@ -136,8 +138,9 @@ Front,Back,Tags,Notes "Create archive of /home excluding .cache directories","tar --exclude='*.cache*' -czf home-backup.tar.gz /home","file_operations,exam_tricks","--exclude before source directory" "Change process priority of PID 1234 to nice value 10","renice 10 1234","process_management,syntax_order","renice [priority] [PID]" "Configure autofs timeout of 30 seconds for all mounts","Edit /etc/auto.master, add --timeout=30 to master map entries","autofs,advanced","Global timeout in master map" -"Set ACL to give user alice read/write access to /shared/file","setfacl -m u:alice:rw /shared/file","acl,permissions","Format: u:user:permissions" -"Check ACL permissions on a file","getfacl /path/to/file","acl,verification","Shows effective permissions including ACLs" +"Show detailed information about a Flatpak application","flatpak info org.example.App","flatpak,verification","Shows version, runtime, permissions" +"Create LVM thin pool and thin volume","lvcreate --type thin-pool -L 5G -n thinpool vgname && lvcreate --virtualsize 10G --thin -n thinlv vgname/thinpool","lvm,thin_provisioning","Thin volumes allocate space on demand from pool" +"Check LVM thin pool usage percentage","lvs -o+data_percent vgname/thinpool","lvm,thin_provisioning","Monitor pool usage to avoid running out of space" "Force user to change password on next login","chage -d 0 username OR passwd -e username","user_management,alternatives","Know both chage and passwd methods" "Configure sudo access for wheel group without password","visudo -> %wheel ALL=(ALL) NOPASSWD: ALL","security,sudo","% indicates group, NOPASSWD removes password requirement" "Find largest files in filesystem (top 10)","find / -type f -exec ls -la {} \; 2>/dev/null | sort -nk5 | tail -10","file_operations,advanced","Complex but useful for disk space issues" diff --git a/docs/command_reference_by_topic.md b/docs/command_reference_by_topic.md index b6543a4..d090604 100644 --- a/docs/command_reference_by_topic.md +++ b/docs/command_reference_by_topic.md @@ -240,7 +240,7 @@ find / -perm -2000 2>/dev/null # Find setgid files find / -perm -1000 2>/dev/null # Find sticky bit files ``` -### Access Control Lists (ACLs) +### Access Control Lists (ACLs) β€” Supplementary (not on RHEL 10 exam) ```bash # Manage ACLs setfacl -m u:username:rwx file # Set user ACL @@ -1018,48 +1018,28 @@ systemctl start timer.timer # Start timer systemctl status timer.timer # Check timer status ``` -## Container Management with Podman +## Flatpak Software Management -### Container Operations +### Remote and Application Management ```bash -# Image management -podman pull image:tag # Pull image from registry -podman images # List local images -podman rmi image # Remove image -podman search keyword # Search for images -podman inspect image # Inspect image details - -# Container lifecycle -podman run -d --name container image # Run container in background -podman run -it image /bin/bash # Run interactive container -podman run -p 8080:80 image # Port mapping -podman run -v /host:/container image # Volume mount -podman ps # List running containers -podman ps -a # List all containers -podman stop container # Stop container -podman start container # Start container -podman restart container # Restart container -podman rm container # Remove container - -# Container management -podman exec -it container /bin/bash # Execute command in container -podman logs container # View container logs -podman logs -f container # Follow container logs -podman cp file container:/path # Copy file to container -podman stats # Show container statistics -``` - -### Systemd Integration -```bash -# Generate systemd units -podman generate systemd --new --files --name container -sudo cp container-name.service /etc/systemd/system/ -sudo systemctl daemon-reload -sudo systemctl enable container-name.service - -# User services (rootless) -loginctl enable-linger username # Enable user services -systemctl --user enable container.service +# Remote (repository) management +flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak remote-add --user flathub URL # User-level remote +flatpak remote-delete flathub # Remove remote +flatpak remotes # List configured remotes +flatpak remote-ls flathub # List available apps + +# Application management +flatpak search keyword # Search for apps +flatpak install flathub org.example.App # Install app +flatpak install --user flathub org.example.App # User-level install +flatpak uninstall org.example.App # Remove app +flatpak uninstall --unused # Remove unused runtimes +flatpak list --app # List installed apps +flatpak list --runtime # List installed runtimes +flatpak run org.example.App # Run app +flatpak update # Update all +flatpak info org.example.App # Show app details ``` ## SSH and Remote Access @@ -1072,7 +1052,7 @@ ssh -p 2222 user@hostname # Connect to custom port ssh -i keyfile user@hostname # Use specific key ssh -L 8080:localhost:80 user@host # Local port forwarding ssh -R 8080:localhost:80 user@host # Remote port forwarding -ssh -X user@hostname # X11 forwarding +ssh -X user@hostname # X11/Wayland forwarding # Key management ssh-keygen -t rsa # Generate RSA key pair diff --git a/docs/ebook_summary.md b/docs/ebook_summary.md index 5676c93..aead0ac 100644 --- a/docs/ebook_summary.md +++ b/docs/ebook_summary.md @@ -1,45 +1,47 @@ # RHCSA Study Guide Summary: Topics and Commands from Both EPUBs -Based on analysis of both "RHCSA Red Hat Enterprise Linux - Asghar Ghori" and "Red Hat RHCSA 9 Cert Guide - Sander van Vugt" study guides. +Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 2025 edition) and "Red Hat RHCSA 9 Cert Guide" by Sander van Vugt. > **πŸ“š Enhanced Study Resource**: This summary has been expanded into the comprehensive [RHCSA Synthesis](rhcsa_synthesis/index.md) knowledge base, which provides detailed modules for each topic with hands-on labs, troubleshooting guides, and exam strategies. **Start with the synthesis modules for the most comprehensive exam preparation.** ## Book Structure Overview -### Asghar Ghori RHCSA Book Structure +### Asghar Ghori RHCSA Book Structure (RHEL 10 Edition, Dec 2025) **22 Chapters with comprehensive exercises and labs** **Chapters 1-4: Foundation Skills** -- Chapter 1: Local Installation +- Chapter 1: Local Installation - Chapter 2: Initial Interaction with the System -- Chapter 3: Working with Files and File Permissions +- Chapter 3: Working with Files and File Permissions - Chapter 4: Basic File Permissions **Chapters 5-8: User and System Management** - Chapter 5: Basic User Management - Chapter 6: Advanced User Management - Chapter 7: The Bash Shell -- Chapter 8: Managing Services and Processes +- Chapter 8: Shell Scripting **Chapters 9-12: System Operations** -- Chapter 9: Package Management +- Chapter 9: Managing Services and Processes - Chapter 10: System Processes and Job Control -- Chapter 11: Boot Process, GRUB2, and the Linux Kernel -- Chapter 12: System Logging and Monitoring - -**Chapters 13-16: Storage and Networking** -- Chapter 13: Storage Management (LVM, VDO) -- Chapter 14: File Systems and Swap -- Chapter 15: Networking, Network Devices, and Network Connections -- Chapter 16: Network File System - -**Chapters 17-22: Advanced Topics** -- Chapter 17: AutoFS and Automounting -- Chapter 18: Storage Management -- Chapter 19: Firewall and System Security -- Chapter 20: SELinux -- Chapter 21: SSH and Time Services -- Chapter 22: Containers with Podman +- Chapter 11: Package Management +- Chapter 12: Flatpak Software Management + +**Chapters 13-16: Storage** +- Chapter 13: Storage Management (Partitions and File Systems) +- Chapter 14: Advanced Storage (LVM) +- Chapter 15: Advanced Storage (LVM Thin Provisioning, Swap) +- Chapter 16: Boot Process, GRUB2, and the Linux Kernel + +**Chapters 17-22: Networking and Security** +- Chapter 17: Networking, Network Devices, and Network Connections +- Chapter 18: Hostname Resolution and Time Synchronization +- Chapter 19: NFS and AutoFS +- Chapter 20: Firewall and System Security +- Chapter 21: SELinux +- Chapter 22: SSH and Remote Access + +> **Note**: The RHEL 10 edition replaces the Podman/containers chapter with Flatpak, adds LVM thin provisioning, elevates shell scripting to its own chapter, and merges NFS+AutoFS into a single chapter. ### Sander van Vugt RHCSA Book Structure **26 Chapters organized in 5 parts** @@ -351,7 +353,7 @@ rpm -Uvh package.rpm # upgrade package #### **Sander van Vugt Labs:** - Advanced LVM scenarios - Storage troubleshooting -- VDO configuration + #### **Key Commands:** ```bash diff --git a/docs/exam_quick_reference.md b/docs/exam_quick_reference.md index 95e3902..6b22f10 100644 --- a/docs/exam_quick_reference.md +++ b/docs/exam_quick_reference.md @@ -443,7 +443,7 @@ find /path -type f -exec chmod 644 {} \; # Files to 644 find /path -type d -exec chmod 755 {} \; # Directories to 755 ``` -### ACL vs Traditional Permissions +### ACL vs Traditional Permissions (Supplementary β€” not on RHEL 10 exam) ```bash # Traditional permissions (3 entities: user, group, other) chmod 750 file # rwxr-x--- (user: rwx, group: r-x, other: ---) @@ -468,7 +468,7 @@ setfacl -d -m u:alice:rwx /directory # New files inherit ACL ## Package Management ### Key Terms & Acronyms -- **DNF** - Dandified YUM (RHEL 9 package manager) +- **DNF** - Dandified YUM (RHEL 10 package manager) - **YUM** - Yellowdog Updater Modified (legacy package manager) - **RPM** - Red Hat Package Manager (low-level package format) - **repository** - Package source location @@ -615,7 +615,7 @@ dnf install --nogpgcheck package # Skip GPG verification (not recommended) ``` ### Common Pitfalls -- **WRONG**: Using `yum` commands β†’ **RIGHT**: Use `dnf` in RHEL 9 +- **WRONG**: Using `yum` commands β†’ **RIGHT**: Use `dnf` in RHEL 10 - **WRONG**: Not updating before installing β†’ **RIGHT**: Run `dnf update` regularly - **WRONG**: Installing from untrusted sources β†’ **RIGHT**: Verify GPG signatures - **WRONG**: Mixing RPM and DNF operations β†’ **RIGHT**: Use DNF for dependency management @@ -630,7 +630,7 @@ dnf install --nogpgcheck package # Skip GPG verification (not recommended) - **VG** - Volume Group (pool of PVs) - **LV** - Logical Volume (usable storage from VG) - **UUID** - Universally Unique Identifier (persistent device ID) -- **XFS** - X File System (RHEL 9 default) +- **XFS** - X File System (RHEL 10 default) - **ext4** - Fourth Extended Filesystem - **GPT** - GUID Partition Table (modern partitioning) - **MBR** - Master Boot Record (legacy, 2TB limit) @@ -639,7 +639,7 @@ dnf install --nogpgcheck package # Skip GPG verification (not recommended) - **swap** - Virtual memory on disk - **mount point** - Directory where filesystem is attached - **PE** - Physical Extent (LVM allocation unit) -- **VDO** - Virtual Data Optimizer (deduplication/compression) + ### Key File Paths ```bash @@ -901,7 +901,7 @@ setenforce 1 # Set enforcing (temporary) # Persistent configuration (EXAM TIP: grubby commands are IN the config file!) vi /etc/selinux/config # Contains helpful grubby examples in comments # SELINUX=enforcing|permissive|disabled -# For RHEL 9: disabled only unloads policy, doesn't fully disable SELinux +# For RHEL 10: disabled only unloads policy, doesn't fully disable SELinux # To fully disable: grubby --update-kernel ALL --args selinux=0 # To re-enable: grubby --update-kernel ALL --remove-args selinux @@ -1311,7 +1311,7 @@ systemctl get-default # Check current default ### Password Recovery Procedure ```bash -# RHEL 9 Password Reset Steps: +# RHEL 10 Password Reset Steps: # 1. Boot system and interrupt GRUB menu (press 'e') # 2. Find linux line, add: rd.break # 3. Press Ctrl+X to boot @@ -1337,7 +1337,7 @@ grubby --info=DEFAULT | grep args # Verify parameter added # Create custom GRUB menu entry cat >> /etc/grub.d/40_custom << 'EOF' -menuentry "RHEL 9 Debug Mode" { +menuentry "RHEL 10 Debug Mode" { linux /boot/vmlinuz-$(uname -r) root=/dev/sda1 debug initrd /boot/initramfs-$(uname -r).img } @@ -1380,7 +1380,7 @@ grubby --remove-kernel=/boot/vmlinuz-old # Remove problematic kernel - **WRONG**: Editing `/boot/grub2/grub.cfg` directly β†’ **RIGHT**: Use `grub2-mkconfig` or `grubby` - **WRONG**: Forgetting `/.autorelabel` after password reset β†’ **RIGHT**: Always touch when SELinux enabled - **WRONG**: Not regenerating GRUB config after changes β†’ **RIGHT**: Run `grub2-mkconfig` after editing defaults -- **WRONG**: Using legacy GRUB commands β†’ **RIGHT**: Use `grub2-*` commands in RHEL 9 +- **WRONG**: Using legacy GRUB commands β†’ **RIGHT**: Use `grub2-*` commands in RHEL 10 --- @@ -1610,7 +1610,7 @@ multitail /var/log/messages /var/log/secure # Multiple files simultaneously ## NFS and AutoFS ### Key Terms & Acronyms -- **NFS** - Network File System (remote file sharing protocol) +- **NFS** - Network File System (remote file sharing protocol, NFS 4.2 is the RHEL 10 default) - **AutoFS** - Automatic File System (on-demand mounting service) - **export** - Making shares available on NFS server - **mount** - Accessing shares on NFS client @@ -1836,151 +1836,84 @@ systemctl restart autofs # Full restart if needed --- -## Container Management (Podman) +## Flatpak Software Management ### Key Terms & Acronyms -- **podman** - Pod Manager (daemonless container engine) -- **container** - Isolated application instance -- **image** - Read-only container template -- **registry** - Container image repository -- **Containerfile** - Build instructions (aka Dockerfile) -- **OCI** - Open Container Initiative -- **runtime** - Container execution environment -- **rootless** - Containers without root privileges -- **namespace** - Linux isolation mechanism -- **cgroup** - Control group (resource limits) -- **layer** - Image filesystem layer -- **tag** - Image version identifier -- **buildah** - Container image builder -- **skopeo** - Container image inspector +- **Flatpak** - Application distribution framework with sandboxing +- **Flathub** - Largest public Flatpak repository (flathub.org) +- **remote** - Flatpak repository (similar to DNF repo) +- **runtime** - Shared base libraries used by multiple Flatpak apps +- **application** - Sandboxed software package +- **OSTree** - Content-addressable storage system used by Flatpak +- **sandbox** - Isolated execution environment for Flatpak apps +- **portal** - D-Bus interface for controlled host access from sandbox +- **app ID** - Reverse-DNS application identifier (e.g., org.gimp.GIMP) ### Key File Paths ```bash -~/.config/systemd/user/ # User systemd service files -/etc/systemd/system/ # System-wide container services -~/.config/containers/ # User container configuration -/etc/containers/ # System container configuration +/var/lib/flatpak/ # System-wide Flatpak installations +~/.local/share/flatpak/ # User Flatpak installations +/etc/flatpak/remotes.d/ # System-wide remote configuration +/var/lib/flatpak/overrides/ # System permission overrides +~/.local/share/flatpak/overrides/ # User permission overrides ``` ### Essential Commands ```bash -# Container lifecycle -podman pull registry.redhat.io/ubi8/ubi:latest # Pull image -podman run -d --name webserver -p 8080:80 httpd # Run detached with port mapping -podman ps # List running containers -podman ps -a # List all containers -podman logs webserver # View container logs -podman logs -f webserver # Follow logs - -# Container management -podman stop webserver # Stop container -podman start webserver # Start container -podman restart webserver # Restart container -podman exec -it webserver /bin/bash # Execute command in container -podman rm webserver # Remove container -podman rmi httpd # Remove image - -# Volume and data management -podman run -d --name db -v /host/data:/container/data postgres -podman run -d --name web -v webdata:/var/www/html httpd - -# Image management -podman images # List local images -podman search httpd # Search for images -podman inspect httpd # Inspect image details - -# Building images from Containerfile -podman build -t myimage:latest . # Build image from current directory -podman build -t myimage:v1.0 /path/to/containerfile/ # Build from specific directory -podman build -f CustomContainerfile -t myimage . # Use custom filename -``` - -### Containerfile Instructions - -| Instruction | Description | -|-------------|-------------| -| `FROM` | Identifies the base container image to use | -| `RUN` | Executes specified commands during build | -| `CMD` | Runs a command when container starts (default command) | -| `COPY` | Copies files from host to container | -| `ADD` | Similar to COPY but can handle URLs and archives | -| `ENV` | Defines environment variables for build and runtime | -| `EXPOSE` | Documents which ports the container will listen on | -| `USER` | Defines a non-root user to run commands as | -| `WORKDIR` | Sets the working directory (created if doesn't exist) | -| `VOLUME` | Creates a mount point for external volumes | -| `LABEL` | Adds metadata to the image | -| `ENTRYPOINT` | Configures the main command (cannot be overridden) | - -### Sample Containerfile -```dockerfile -# Example Containerfile for web server -FROM registry.redhat.io/ubi8/ubi:latest -RUN dnf install -y httpd -COPY index.html /var/www/html/ -EXPOSE 80 -USER apache -CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"] -``` - -### Systemd Integration -```bash -# Rootless containers (as regular user) -loginctl enable-linger username # Enable user services -podman generate systemd --new --files --name webserver -mkdir -p ~/.config/systemd/user -mv container-webserver.service ~/.config/systemd/user/ -systemctl --user daemon-reload -systemctl --user enable container-webserver.service -systemctl --user start container-webserver.service - -# System-wide containers (as root) -sudo podman generate systemd --new --files --name webserver -sudo cp container-webserver.service /etc/systemd/system/ -sudo systemctl daemon-reload -sudo systemctl enable container-webserver.service -sudo systemctl start container-webserver.service +# Remote (repository) management +flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak remote-add --user flathub https://flathub.org/repo/flathub.flatpakrepo # User only +flatpak remote-delete flathub # Remove remote +flatpak remotes # List configured remotes +flatpak remotes --show-details # Detailed remote info +flatpak remote-ls flathub # List apps in remote + +# Search and information +flatpak search keyword # Search for applications +flatpak info org.example.App # Show app details + +# Install and uninstall +flatpak install flathub org.example.App # Install from remote +flatpak install --user flathub org.example.App # Install for user only +flatpak uninstall org.example.App # Uninstall application +flatpak uninstall --unused # Remove unused runtimes + +# List, run, and update +flatpak list --app # List installed apps +flatpak list --runtime # List installed runtimes +flatpak run org.example.App # Run application +flatpak update # Update all Flatpaks ``` ### Common Tasks ```bash -# Deploy containerized web server with persistent service -podman pull httpd -podman run -d --name mywebserver -p 8080:80 httpd -podman generate systemd --new --files --name mywebserver -sudo cp container-mywebserver.service /etc/systemd/system/ -sudo systemctl daemon-reload -sudo systemctl enable --now container-mywebserver.service -firewall-cmd --add-port=8080/tcp --permanent -firewall-cmd --reload -curl http://localhost:8080 # Test +# Set up Flathub and install application +flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak install flathub org.gnome.Calculator -y +flatpak list --app # Verify +flatpak run org.gnome.Calculator # Test -# Deploy with persistent storage -podman run -d --name webapp -p 8080:80 -v /opt/webapp:/usr/local/apache2/htdocs httpd +# User-level install (no root needed) +flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak install --user flathub org.mozilla.firefox -y +flatpak list --user --app # Verify -# Build custom image from Containerfile -mkdir /tmp/myapp -cd /tmp/myapp -# Create Containerfile (see sample above) -echo "

My Custom App

" > index.html -podman build -t myapp:v1.0 . -podman run -d --name customapp -p 8080:80 myapp:v1.0 +# Clean up after uninstalls +flatpak uninstall --unused -y # Remove orphaned runtimes ``` -### Troubleshooting +### Permission Overrides ```bash -# Container issues -podman ps -a # Check container status -podman logs container_name # Check container logs -podman inspect container_name # Check container configuration -ss -tuln | grep :8080 # Check port binding -systemctl --user status container-name.service # Check systemd service +# Grant filesystem access to sandboxed app +flatpak override --user --filesystem=home org.example.App +flatpak override --user --show org.example.App # View overrides +flatpak override --user --reset org.example.App # Reset to defaults ``` ### Common Pitfalls -- **WRONG**: Forgetting `loginctl enable-linger` for user services β†’ **RIGHT**: Enable lingering for persistent user services -- **WRONG**: Not opening firewall ports β†’ **RIGHT**: Always configure firewall for exposed ports -- **WRONG**: Using wrong systemd directory β†’ **RIGHT**: Use `~/.config/systemd/user/` for user services +- **WRONG**: Trying to install without adding remote first β†’ **RIGHT**: Add remote with `flatpak remote-add` before installing +- **WRONG**: Forgetting `--if-not-exists` β†’ **RIGHT**: Use it to make commands idempotent +- **WRONG**: Not cleaning up runtimes β†’ **RIGHT**: Run `flatpak uninstall --unused` after removing apps --- @@ -2315,7 +2248,7 @@ systemctl status timer_name # Detailed timer status - **known_hosts** - File storing server public keys - **authorized_keys** - File storing allowed client public keys - **port forwarding** - Tunnel network connections through SSH -- **X11 forwarding** - Remote GUI application display +- **Wayland forwarding** - Remote GUI application display (RHEL 10 uses Wayland, not X11) ### Key File Paths ```bash @@ -2362,7 +2295,7 @@ scp -P 2222 file.txt user@hostname:/path # Custom port ssh -L 8080:localhost:80 user@hostname # Local port forwarding ssh -R 8080:localhost:80 user@hostname # Remote port forwarding ssh -D 1080 user@hostname # SOCKS proxy -ssh -X user@hostname # X11 forwarding (GUI apps) +ssh -X user@hostname # X11/Wayland forwarding (GUI apps) ssh -N -f -L 8080:localhost:80 user@hostname # Background tunnel ``` @@ -2662,6 +2595,18 @@ case $variable in esac ``` +### Positional Parameters and Special Variables +```bash +$0 # Script name +$1, $2, $3... # Positional parameters (arguments) +$# # Number of arguments +$@ # All arguments (individually quoted) +$* # All arguments (as single string) +$? # Exit status of last command +$$ # Current process ID +shift # Shift positional parameters left ($2β†’$1) +``` + ### Common Scripting Patterns ```bash # Check if script has arguments diff --git a/docs/index.md b/docs/index.md index 047a524..59fb6a0 100644 --- a/docs/index.md +++ b/docs/index.md @@ -21,7 +21,7 @@ Complete knowledge base with 15 detailed modules covering all RHCSA exam objecti - **Module 11**: [Boot & GRUB](rhcsa_synthesis/11_boot_grub.md) - System boot process - **Module 12**: [Logging & Monitoring](rhcsa_synthesis/12_logging_monitoring.md) - System monitoring - **Module 13**: [Scheduled Tasks](rhcsa_synthesis/13_scheduled_tasks.md) - Automation -- **Module 14**: [Container Management](rhcsa_synthesis/14_container_management.md) - Podman containers +- **Module 14**: [Flatpak Management](rhcsa_synthesis/14_flatpak_management.md) - Flatpak software management - **Module 15**: [Troubleshooting](rhcsa_synthesis/15_troubleshooting.md) - Problem resolution ### Quick References @@ -36,7 +36,7 @@ Complete knowledge base with 15 detailed modules covering all RHCSA exam objecti Import the comprehensive flashcard deck for spaced repetition learning: - **Location**: [anki/rhcsa_deck.csv](https://github.com/kraker/rhcsa/blob/main/anki/rhcsa_deck.csv) -- **Cards**: 146 essential commands and concepts +- **Cards**: 169 essential commands and concepts - **Topics**: All RHCSA exam objectives with practical examples ### Flashcard Categories @@ -47,14 +47,14 @@ Import the comprehensive flashcard deck for spaced repetition learning: - SELinux & Security - Firewall Configuration - Networking -- Container Management +- Flatpak Management ## πŸ—οΈ Lab Environment Set up hands-on practice environment using Vagrant: - **Location**: [vagrant/](https://github.com/kraker/rhcsa/tree/main/vagrant) directory -- **VMs**: RHEL 9 instances (rhel9a, rhel9b) +- **VMs**: RHEL 10 instances (rhel10a, rhel10b) - **Features**: Automated provisioning, storage configuration, networking - **Prerequisites**: Vagrant, VirtualBox, Red Hat Developer subscription diff --git a/docs/rhcsa_acronyms_glossary.md b/docs/rhcsa_acronyms_glossary.md index 37bd7be..4d92785 100644 --- a/docs/rhcsa_acronyms_glossary.md +++ b/docs/rhcsa_acronyms_glossary.md @@ -13,7 +13,7 @@ - [Networking](#networking) - [Security](#security) - [Services & Process Management](#services--process-management) - - [Containers & Virtualization](#containers--virtualization) + - [Flatpak & Software Distribution](#flatpak--software-distribution) - [Package Management](#package-management) --- @@ -133,7 +133,7 @@ ### N - **NAT** - Network Address Translation - IP address remapping -- **NFS** - Network File System - Distributed filesystem protocol +- **NFS** - Network File System - Distributed filesystem protocol (NFS 4.2 default in RHEL 10) - **NIC** - Network Interface Card - Network adapter hardware - **NIS** - Network Information Service - Directory service - **NMCLI** - NetworkManager Command Line Interface @@ -142,7 +142,7 @@ ### O -- **OCI** - Open Container Initiative - Container standards organization +- **OSTree** - Content-addressable filesystem used by Flatpak for efficient storage - **OS** - Operating System - System software managing hardware/software - **OSS** - Open Source Software - Publicly accessible source code @@ -223,7 +223,6 @@ ### V -- **VDO** - Virtual Data Optimizer - Deduplication and compression - **VG** - Volume Group - LVM storage pool - **VI/VIM** - Visual/Vi Improved - Text editor - **VLAN** - Virtual Local Area Network - Network segmentation @@ -238,7 +237,7 @@ ### X -- **X11** - X Window System Version 11 - Graphical display system +- **Wayland** - Modern display protocol replacing X11 in RHEL 10 - **XFS** - X File System - High-performance filesystem (RHEL default) - **XML** - Extensible Markup Language - Data format @@ -304,7 +303,6 @@ - **VG** - Volume Group - **LV** - Logical Volume - **PE** - Physical Extent -- **VDO** - Virtual Data Optimizer - **LUKS** - Linux Unified Key Setup - **RAID** - Redundant Array of Independent Disks - **NFS** - Network File System @@ -373,8 +371,10 @@ - **FIFO** - First In, First Out - **LIFO** - Last In, First Out -### Containers & Virtualization -- **OCI** - Open Container Initiative +### Flatpak & Software Distribution +- **Flatpak** - Application distribution framework with sandboxing +- **Flathub** - Public Flatpak application repository +- **OSTree** - Content-addressable storage system - **VM** - Virtual Machine - **KVM** - Kernel-based Virtual Machine - **QEMU** - Quick Emulator @@ -421,7 +421,7 @@ - **GID** - Group Identifier - **UID** - User Identifier - **VI/VIM** - Visual/Vi Improved -- **X11** - X Window System Version 11 +- **Wayland** - Modern Display Protocol - **PING** - Packet Internet Groper --- @@ -477,12 +477,12 @@ - **timer** - Systemd scheduled task - **socket** - Systemd activation unit -### Container Terms -- **image** - Container template -- **container** - Running instance -- **registry** - Image repository -- **namespace** - Process isolation -- **cgroup** - Resource control +### Flatpak Terms +- **remote** - Flatpak repository source +- **runtime** - Shared base libraries for Flatpak apps +- **app ID** - Reverse-DNS application identifier +- **sandbox** - Isolated app execution environment +- **portal** - D-Bus interface for controlled host access --- diff --git a/docs/rhcsa_synthesis/00_exam_overview.md b/docs/rhcsa_synthesis/00_exam_overview.md index e596170..023ae09 100644 --- a/docs/rhcsa_synthesis/00_exam_overview.md +++ b/docs/rhcsa_synthesis/00_exam_overview.md @@ -23,15 +23,15 @@ ### Exam Format - **Type**: Performance-based, hands-on exam (no multiple choice) - **Duration**: 3 hours -- **Environment**: Virtual machines running RHEL 9 -- **Tasks**: 15-20 practical tasks to complete +- **Environment**: Virtual machines running RHEL 10 +- **Tasks**: Practical tasks to complete - **Passing Score**: Typically 210/300 points (70%) - **Delivery**: Red Hat Training Centers or remote proctoring ### Exam Environment -- **Systems**: Usually 2-3 RHEL 9 virtual machines +- **Systems**: RHEL 10 virtual machines - **Access**: SSH and console access to systems -- **Tools**: Standard RHEL 9 command line tools and documentation +- **Tools**: Standard RHEL 10 command line tools and documentation - **Network**: Limited internet access (man pages available) - **Time Pressure**: Approximately 9-12 minutes per task average @@ -118,7 +118,7 @@ man pages, info pages /usr/share/doc/ (system documentation) # System tools -All standard RHEL 9 command-line utilities +All standard RHEL 10 command-line utilities ``` ### What's NOT Available @@ -175,13 +175,13 @@ All standard RHEL 9 command-line utilities - Configure and start services - Set up scheduled tasks - Configure logging -- Manage containers +- Manage Flatpak software **Strategy**: - Services must be enabled AND started - Test functionality after configuration - Check logs for errors -- Common commands: `systemctl`, `crontab`, `podman` +- Common commands: `systemctl`, `crontab`, `flatpak` --- @@ -260,7 +260,7 @@ ssh username@host # Remote access works ### Recommended Practice Environment ```bash # Minimum setup for RHCSA practice: -- 2 RHEL 9 VMs (4GB RAM each, 20GB+ disk) +- 2 RHEL 10 VMs (4GB RAM each, 20GB+ disk) - Network connectivity between systems - Additional storage devices for LVM practice - SSH configured between systems @@ -275,8 +275,8 @@ cd /path/to/rhcsa/vagrant source .rhel-credentials && vagrant up # This provides: -# - rhel9a: Primary practice system -# - rhel9b: Secondary system with extra storage +# - rhel10a: Primary practice system +# - rhel10b: Secondary system with extra storage # - Automatic Red Hat registration # - Network connectivity configured ``` diff --git a/docs/rhcsa_synthesis/01_system_installation.md b/docs/rhcsa_synthesis/01_system_installation.md index 2daef21..c9af41a 100644 --- a/docs/rhcsa_synthesis/01_system_installation.md +++ b/docs/rhcsa_synthesis/01_system_installation.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: RHEL 9 installation process, initial system configuration, and post-installation setup +**Topic Scope**: RHEL 10 installation process, initial system configuration, and post-installation setup **RHCSA Relevance**: Foundation knowledge - while not directly tested, understanding installation helps with system administration tasks @@ -219,10 +219,10 @@ dnf history info 1 ## 6. Hands-On Labs ### Lab 6.1: Basic RHEL Installation (Asghar Ghori Method) -**Objective**: Install RHEL 9 with standard configuration for RHCSA practice +**Objective**: Install RHEL 10 with standard configuration for RHCSA practice **Prerequisites**: -- RHEL 9 ISO image +- RHEL 10 ISO image - Virtual machine with 20GB disk, 2GB RAM - Network connectivity @@ -230,14 +230,14 @@ dnf history info 1 1. **Create Virtual Machine** ```bash # In VirtualBox/VMware: - # - Name: rhel9-server1 + # - Name: rhel10-server1 # - RAM: 2048MB # - Disk: 20GB dynamically allocated # - Network: NAT or Bridged ``` 2. **Boot Installation Media** - - Attach RHEL 9 ISO to VM + - Attach RHEL 10 ISO to VM - Boot from ISO - Select "Install Red Hat Enterprise Linux 9.x" @@ -270,7 +270,7 @@ systemctl status # Check system status ``` ### Lab 6.2: Custom Partitioning Installation (Sander van Vugt Method) -**Objective**: Install RHEL 9 with custom partitioning scheme +**Objective**: Install RHEL 10 with custom partitioning scheme **Steps**: 1. **Follow initial steps from Lab 6.1** through software selection diff --git a/docs/rhcsa_synthesis/02_file_management.md b/docs/rhcsa_synthesis/02_file_management.md index 981d8c0..4d5e778 100644 --- a/docs/rhcsa_synthesis/02_file_management.md +++ b/docs/rhcsa_synthesis/02_file_management.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: Essential file operations, text processing, archiving, and linking in RHEL 9 +**Topic Scope**: Essential file operations, text processing, archiving, and linking in RHEL 10 **RHCSA Relevance**: Critical foundation skill - file management appears in virtually every exam task diff --git a/docs/rhcsa_synthesis/03_user_group_management.md b/docs/rhcsa_synthesis/03_user_group_management.md index 85c1eb7..9697e94 100644 --- a/docs/rhcsa_synthesis/03_user_group_management.md +++ b/docs/rhcsa_synthesis/03_user_group_management.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: User account creation, modification, deletion, group management, and password policies in RHEL 9 +**Topic Scope**: User account creation, modification, deletion, group management, and password policies in RHEL 10 **RHCSA Relevance**: Critical exam topic - user management appears in multiple exam tasks @@ -21,7 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory -User and group management in RHEL 9 is based on the traditional Unix model with modern enhancements: +User and group management in RHEL 10 is based on the traditional Unix model with modern enhancements: - **User accounts**: Unique identities with UID, home directory, and shell - **Groups**: Collections of users for permission management (primary and supplementary) diff --git a/docs/rhcsa_synthesis/04_file_permissions.md b/docs/rhcsa_synthesis/04_file_permissions.md index d921934..b51ca82 100644 --- a/docs/rhcsa_synthesis/04_file_permissions.md +++ b/docs/rhcsa_synthesis/04_file_permissions.md @@ -6,12 +6,14 @@ ## 1. Executive Summary -**Topic Scope**: File permissions, special permissions, Access Control Lists (ACLs), and umask configuration in RHEL 9 +**Topic Scope**: File permissions, ownership, and umask configuration in RHEL 10 **RHCSA Relevance**: Critical security topic - file permissions are fundamental to Linux security model **Exam Weight**: High - Permission management appears in multiple exam scenarios +**RHEL 10 Exam Note**: ACLs (setfacl/getfacl) and special permissions (setuid/setgid/sticky bit) are **no longer RHCSA exam objectives** as of RHEL 10. They are retained below as supplementary reference material. + **Prerequisites**: Understanding of users, groups, and basic file operations **Related Topics**: [User Management](03_user_group_management.md), [SELinux](09_selinux.md), [Security](09_selinux.md) @@ -27,7 +29,6 @@ Linux file permissions operate on a three-tier model: - **Group**: Permissions for the file's group members - **Other**: Permissions for all other users - **Permission types**: Read (r), Write (w), Execute (x) -- **Special permissions**: setuid, setgid, sticky bit for enhanced security control ### Real-World Applications - **System security**: Protecting sensitive configuration files @@ -39,18 +40,12 @@ Linux file permissions operate on a three-tier model: ### Common Misconceptions - **Directory permissions**: Execute permission on directories means "traverse" not "run" - **Group permissions**: Group permission applies to primary group, not all user's groups -- **Special permissions**: setuid on directories has no effect (only setgid works) - **Root override**: Root can read/write most files regardless of permissions (but not execute) -- **ACL inheritance**: Default ACLs only apply to newly created files, not existing ones ### Key Terminology - **Octal notation**: Numeric representation of permissions (755, 644, etc.) - **Symbolic notation**: Letter-based permission representation (rwxr-xr-x) -- **setuid bit**: Execute file with owner's privileges -- **setgid bit**: Execute file with group's privileges, or inherit group ownership -- **Sticky bit**: Prevents deletion by non-owners in shared directories - **umask**: Default permission mask for new files and directories -- **ACL**: Access Control List for fine-grained permission control --- @@ -90,48 +85,6 @@ chown -R user:group directory # Change ownership recursively chmod -R 755 directory # Change permissions recursively ``` -### Special Permissions -```bash -# setuid (4000) -chmod u+s file # Add setuid bit -chmod 4755 file # Set permissions with setuid - -# setgid (2000) -chmod g+s file # Add setgid bit -chmod g+s directory # Set group inheritance on directory -chmod 2755 directory # Set permissions with setgid - -# Sticky bit (1000) -chmod +t directory # Add sticky bit to directory -chmod 1755 directory # Set permissions with sticky bit - -# Combined special permissions -chmod 6755 file # setuid + setgid -chmod 7755 directory # setuid + setgid + sticky -``` - -### Access Control Lists (ACLs) -```bash -# View ACLs -getfacl file # Show ACL information -getfacl -R directory # Recursive ACL display - -# Set ACLs -setfacl -m u:username:rwx file # Set user ACL -setfacl -m g:groupname:rx file # Set group ACL -setfacl -m o::r file # Set other ACL -setfacl -m d:u:username:rwx directory # Set default user ACL - -# Remove ACLs -setfacl -x u:username file # Remove user ACL -setfacl -x g:groupname file # Remove group ACL -setfacl -b file # Remove all ACLs -setfacl -k directory # Remove default ACLs - -# Copy ACLs -getfacl file1 | setfacl --set-file=- file2 # Copy ACLs between files -``` - ### umask Configuration ```bash # View current umask @@ -147,9 +100,6 @@ umask u=rwx,g=rx,o= # Symbolic umask setting ### Finding Files by Permissions ```bash # Find by permission patterns -find / -perm -4000 # Find setuid files -find / -perm -2000 # Find setgid files -find / -perm -1000 # Find sticky bit files find / -perm 777 # Find world-writable files find / -perm -o+w # Find other-writable files @@ -166,8 +116,6 @@ find / -nogroup # Find files with no valid group | `chmod` | Change file permissions | `u+x`, `g-w`, `755`, `-R` | `chmod 644 file.txt` | | `chown` | Change file ownership | `user:group`, `-R` | `chown alice:staff file` | | `chgrp` | Change group ownership | `-R` | `chgrp developers file` | -| `setfacl` | Set Access Control Lists | `-m`, `-x`, `-b`, `-R` | `setfacl -m u:john:rwx file` | -| `getfacl` | View Access Control Lists | `-R` | `getfacl file` | | `umask` | Set default permissions | `-S` | `umask 022` | --- @@ -205,18 +153,11 @@ find / -nogroup # Find files with no valid group 1. **Create directory with appropriate permissions** ```bash mkdir /shared/project - chmod 2775 /shared/project # setgid + group write + chmod 775 /shared/project chown :projectteam /shared/project ``` -2. **Set default ACLs for new files** - ```bash - setfacl -d -m u::rwx /shared/project - setfacl -d -m g::rwx /shared/project - setfacl -d -m o::r-x /shared/project - ``` - -3. **Test directory functionality** +2. **Test directory functionality** ```bash # Test as different users touch /shared/project/testfile @@ -227,9 +168,7 @@ find / -nogroup # Find files with no valid group ``` Permission Requirements β”œβ”€β”€ Simple user/group/other? β†’ Use chmod with octal notation -β”œβ”€β”€ Fine-grained user access? β†’ Use ACLs with setfacl -β”œβ”€β”€ Shared directory? β†’ Use setgid bit + appropriate permissions -β”œβ”€β”€ Temporary shared space? β†’ Add sticky bit for protection +β”œβ”€β”€ Shared directory? β†’ Use group permissions + chmod └── System service? β†’ Restrict to specific user/group only ``` @@ -238,10 +177,7 @@ Permission Requirements ```bash # World-writable files find / -type f -perm -002 2>/dev/null - - # Setuid/setgid files - find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null - + # Files with no owner/group find / \( -nouser -o -nogroup \) 2>/dev/null ``` @@ -306,37 +242,6 @@ umask 027 # More restrictive for root umask 077 # Very restrictive (user-only access) ``` -### ACL Configuration Examples -#### Basic ACL Setup -```bash -# Grant specific user access -setfacl -m u:alice:rw- /path/to/file - -# Grant group access -setfacl -m g:developers:rwx /path/to/directory - -# Set default ACLs for directory -setfacl -d -m u:alice:rwx /path/to/directory -setfacl -d -m g:developers:rwx /path/to/directory -``` - -#### Complex ACL Scenario -```bash -# Multi-user project directory -mkdir /project -chmod 2775 /project -chown :project /project - -# Set default ACLs -setfacl -d -m u::rwx /project -setfacl -d -m g::rwx /project -setfacl -d -m o::r-x /project - -# Add specific user permissions -setfacl -d -m u:manager:rwx /project -setfacl -d -m u:readonly:r-x /project -``` - --- ## 6. Hands-On Labs @@ -366,205 +271,94 @@ setfacl -d -m u:readonly:r-x /project chmod u+x dir3 # Add execute for owner ``` -3. **Test special permissions** - ```bash - # Create files for special permission testing - cp /bin/cat testcat - chmod u+s testcat # Add setuid - - mkdir shared_dir - chmod g+s shared_dir # Add setgid - - mkdir temp_shared - chmod +t temp_shared # Add sticky bit - ``` - -4. **Test permission effects** - ```bash - # Test file access as different user (if available) - # Create a test file in setgid directory - touch shared_dir/testfile - ls -l shared_dir/testfile # Should inherit group - ``` - **Verification**: ```bash ls -la # Check all permissions stat file1 file2 file3 # Detailed permission info -find . -perm -4000 # Find setuid files -find . -perm -2000 # Find setgid files -find . -perm -1000 # Find sticky bit files ``` -### Lab 6.2: Access Control Lists (Sander van Vugt Style) -**Objective**: Implement fine-grained access control using ACLs +### Lab 6.2: Ownership and umask Configuration +**Objective**: Practice ownership changes and understand umask **Steps**: -1. **Create ACL test environment** - ```bash - mkdir ~/acl_lab - cd ~/acl_lab - touch sensitive_file - mkdir project_dir - - # Create some test users (if you have sudo access) - # sudo useradd alice - # sudo useradd bob - # sudo useradd charlie - ``` - -2. **Set basic ACLs** +1. **Practice ownership changes** ```bash - # Grant specific user access to file - setfacl -m u:alice:rw- sensitive_file - setfacl -m u:bob:r-- sensitive_file - setfacl -m u:charlie:--- sensitive_file - - # Verify ACLs - getfacl sensitive_file - ls -l sensitive_file # Notice the '+' indicating ACLs + mkdir ~/ownership_lab + cd ~/ownership_lab + touch file1 file2 + mkdir dir1 + + # Change ownership (requires root or owning the files) + chown :users file1 + chgrp users dir1 ``` -3. **Configure directory ACLs** +2. **Understand umask effects** ```bash - # Set directory ACLs - setfacl -m u:alice:rwx project_dir - setfacl -m g:developers:r-x project_dir - - # Set default ACLs for new files - setfacl -d -m u:alice:rwx project_dir - setfacl -d -m g:developers:r-x project_dir - setfacl -d -m o::r-x project_dir + # Check current umask + umask + umask -S + + # Set restrictive umask and test + umask 077 + touch private_file + mkdir private_dir + ls -l private_file # Should be rw------- + ls -ld private_dir # Should be rwx------ + + # Set collaborative umask + umask 002 + touch shared_file + ls -l shared_file # Should be rw-rw-r-- ``` -4. **Test ACL inheritance** +3. **Configure persistent umask** ```bash - # Create files in directory with default ACLs - touch project_dir/new_file - mkdir project_dir/new_dir - - # Check inherited permissions - getfacl project_dir/new_file - getfacl project_dir/new_dir + # Add umask to ~/.bashrc for persistence + echo "umask 027" >> ~/.bashrc ``` **Verification**: ```bash -# Review all ACL configurations -getfacl -R ~/acl_lab -# Test access as different users (if possible) -# su - alice -c "cat ~/acl_lab/sensitive_file" +ls -la ~/ownership_lab/ +stat ~/ownership_lab/private_file +umask ``` -### Lab 6.3: Shared Directory with Complex Permissions (Synthesis Challenge) -**Objective**: Create a collaborative workspace with multiple access levels +### Lab 6.3: Shared Directory Setup (Synthesis Challenge) +**Objective**: Create a collaborative workspace using standard permissions -**Scenario**: Set up a development project directory with different access levels for team members, managers, and external reviewers. +**Scenario**: Set up a project directory where a team can collaborate. **Requirements**: -- Project managers: full access -- Developers: read/write access to project files -- Reviewers: read-only access -- Temporary files should be deletable only by creators -- New files should inherit appropriate group ownership +- Project team members: read/write access +- Others: no access **Solution Steps**: 1. **Create directory structure** ```bash - sudo mkdir -p /projects/webapp/{src,docs,temp} + sudo mkdir -p /projects/webapp sudo groupadd developers - sudo groupadd managers - sudo groupadd reviewers - - # Add users to groups (assuming users exist) - # sudo usermod -aG managers alice - # sudo usermod -aG developers bob,charlie - # sudo usermod -aG reviewers david - ``` -2. **Set base permissions and ownership** - ```bash - # Set group ownership and setgid - sudo chown :developers /projects/webapp - sudo chmod 2775 /projects/webapp - - # Configure subdirectories - sudo chown :developers /projects/webapp/src - sudo chmod 2775 /projects/webapp/src - - sudo chown :developers /projects/webapp/docs - sudo chmod 2775 /projects/webapp/docs - - # Temp directory with sticky bit - sudo chown :developers /projects/webapp/temp - sudo chmod 3775 /projects/webapp/temp # setgid + sticky + # Add users to group (assuming users exist) + # sudo usermod -aG developers alice + # sudo usermod -aG developers bob ``` -3. **Configure ACLs for fine-grained access** +2. **Set permissions and ownership** ```bash - # Main project directory ACLs - sudo setfacl -m g:managers:rwx /projects/webapp - sudo setfacl -m g:developers:rwx /projects/webapp - sudo setfacl -m g:reviewers:r-x /projects/webapp - - # Default ACLs for new files - sudo setfacl -d -m g:managers:rwx /projects/webapp - sudo setfacl -d -m g:developers:rwx /projects/webapp - sudo setfacl -d -m g:reviewers:r-x /projects/webapp - - # Source directory - developers need write, reviewers read-only - sudo setfacl -R -m g:developers:rwx /projects/webapp/src - sudo setfacl -R -m g:reviewers:r-x /projects/webapp/src - sudo setfacl -d -m g:developers:rwx /projects/webapp/src - sudo setfacl -d -m g:reviewers:r-x /projects/webapp/src - - # Docs directory - all can read, developers can write - sudo setfacl -R -m g:reviewers:r-x /projects/webapp/docs - sudo setfacl -d -m g:reviewers:r-x /projects/webapp/docs + sudo chown :developers /projects/webapp + sudo chmod 770 /projects/webapp ``` -4. **Test and document configuration** +3. **Verify** ```bash - # Create test files - sudo touch /projects/webapp/src/main.py - sudo touch /projects/webapp/docs/README.md - sudo touch /projects/webapp/temp/build.log - - # Verify permissions and ACLs - ls -la /projects/webapp/ - getfacl /projects/webapp/ - getfacl /projects/webapp/src/ - - # Document the setup - cat > /projects/webapp/PERMISSIONS.md << 'EOF' - # Project Permissions Documentation - - ## Directory Structure - - `/projects/webapp/`: Main project directory - - `/projects/webapp/src/`: Source code (developers: rw, reviewers: r) - - `/projects/webapp/docs/`: Documentation (all: read, developers: write) - - `/projects/webapp/temp/`: Temporary files (sticky bit for creator-only deletion) - - ## Access Levels - - **Managers**: Full access to all areas - - **Developers**: Read/write to src and docs - - **Reviewers**: Read-only access to src and docs - - ## Special Features - - setgid bit ensures new files inherit group ownership - - Sticky bit in temp/ prevents accidental deletion - - ACLs provide fine-grained access control - EOF + ls -ld /projects/webapp/ + # Test as a member of the developers group + touch /projects/webapp/testfile + ls -l /projects/webapp/testfile ``` -**Verification**: -```bash -# Complete access audit -sudo find /projects/webapp -type d -exec getfacl {} \; -sudo ls -laR /projects/webapp/ -# Test with different users if available -``` - --- ## 7. Troubleshooting Playbook @@ -613,81 +407,11 @@ setfacl -m u:username:r-- filename **Prevention**: Always verify permissions after creating files and directories -#### Issue 2: ACL Configuration Problems -**Symptoms**: -- ACLs not working as expected -- Default ACLs not being inherited -- Performance issues with ACL-enabled filesystems - -**Diagnosis**: -```bash -# Check if filesystem supports ACLs -mount | grep acl -tune2fs -l /dev/device | grep acl - -# Verify ACL configuration -getfacl filename -getfacl -d directoryname # Check default ACLs - -# Check effective permissions -getfacl filename | grep effective -``` - -**Resolution**: -```bash -# Enable ACL support on filesystem -mount -o remount,acl /mountpoint -# Or add to /etc/fstab: defaults,acl - -# Fix ACL configuration -setfacl -b filename # Remove all ACLs and start over -setfacl -k directoryname # Remove default ACLs - -# Set correct ACLs -setfacl -m u:username:rwx filename -setfacl -d -m u:username:rwx directoryname -``` - -#### Issue 3: Special Permission Confusion -**Symptoms**: -- setuid/setgid not working as expected -- Sticky bit not preventing file deletion -- Programs not running with expected privileges - -**Diagnosis**: -```bash -# Check special permissions -ls -l filename -stat filename - -# Find all special permission files -find /path -perm -4000 # setuid -find /path -perm -2000 # setgid -find /path -perm -1000 # sticky - -# Test execution context -ps aux | grep processname -``` - -**Resolution**: -```bash -# Set special permissions correctly -chmod u+s executable # setuid -chmod g+s directory # setgid for directory -chmod +t directory # sticky bit - -# Remove special permissions if problematic -chmod u-s filename -chmod g-s filename -chmod -t filename -``` - ### Diagnostic Command Sequence ```bash # Permission troubleshooting workflow ls -la filename # Check basic permissions stat filename # Detailed permission info -getfacl filename # Check ACLs id username # Check user context groups username # Check group memberships lsattr filename # Check extended attributes @@ -705,20 +429,12 @@ lsattr filename # Check extended attributes ### Essential Commands At-a-Glance ```bash -# Basic permissions +# Permissions chmod 755 file # Standard executable/directory chmod 644 file # Standard file chown user:group file # Change ownership - -# Special permissions -chmod u+s file # Add setuid -chmod g+s directory # Add setgid -chmod +t directory # Add sticky bit - -# ACLs -setfacl -m u:user:rwx file # Set user ACL -getfacl file # View ACLs -setfacl -b file # Remove all ACLs +chgrp group file # Change group +umask 022 # Set default permission mask ``` ### Octal Permission Reference @@ -728,13 +444,6 @@ setfacl -b file # Remove all ACLs - **777**: rwxrwxrwx (dangerous, avoid) - **000**: --------- (no permissions) -### Special Permission Values -- **4000**: setuid bit -- **2000**: setgid bit -- **1000**: sticky bit -- **6000**: setuid + setgid -- **7000**: setuid + setgid + sticky - ### Common umask Values - **022**: Default (644 for files, 755 for directories) - **027**: Group-friendly (640 for files, 750 for directories) @@ -745,95 +454,86 @@ setfacl -b file # Remove all ACLs ## 9. Knowledge Check ### Conceptual Questions -1. **Question**: What's the difference between setuid on files versus setgid on directories? - **Answer**: setuid on files makes the executable run with the owner's privileges instead of the executor's. setgid on directories makes new files created in that directory inherit the directory's group ownership instead of the creator's primary group. +1. **Question**: What is the difference between octal and symbolic permission notation? + **Answer**: Octal notation uses numbers (e.g., `755` = rwxr-xr-x) where each digit represents user/group/other permissions (r=4, w=2, x=1). Symbolic notation uses letters (e.g., `u+x`, `g=rw`, `o-w`) to add, set, or remove specific permissions. -2. **Question**: Why might ACLs show "effective" permissions that differ from granted permissions? - **Answer**: The effective permission is the intersection of the ACL permission and the group permission (mask). If the mask is more restrictive than the ACL entry, the effective permission will be limited by the mask. +2. **Question**: What does the execute permission mean on a directory? + **Answer**: On a directory, execute (x) means "traverse" β€” the ability to cd into the directory and access files within it. Without execute on a directory, you cannot access its contents even if you have read permission (which only lets you list filenames). -3. **Question**: When would you use the sticky bit and why? - **Answer**: The sticky bit is used on directories (like /tmp) to prevent users from deleting files owned by others, even if they have write permission on the directory. Only the file owner, directory owner, or root can delete the file. +3. **Question**: How does umask affect new file and directory permissions? + **Answer**: umask subtracts from the default permissions. New files start at 666 (no execute) and directories at 777. With umask 022, files become 644 (rw-r--r--) and directories become 755 (rwxr-xr-x). ### Practical Scenarios -1. **Scenario**: Create a shared directory where users can create files but only delete their own files. +1. **Scenario**: Create a directory where only members of the "project" group can access files. **Solution**: ```bash - mkdir /shared - chmod 1777 /shared # world-writable with sticky bit - # or - chmod o+t /shared && chmod 777 /shared + mkdir /project + chown :project /project + chmod 770 /project ``` -2. **Scenario**: A web application needs read access to user files, but users shouldn't access each other's files. - **Solution**: Use ACLs to grant the web server user specific access while maintaining user privacy: +2. **Scenario**: A user creates files that are world-readable by default. Make them private. + **Solution**: Set a restrictive umask: ```bash - setfacl -m u:www-data:r-- /home/user1/public_file + umask 077 + # Or add to ~/.bashrc for persistence + echo "umask 077" >> ~/.bashrc ``` ### Command Challenges -1. **Challenge**: Find all world-writable files in /tmp that don't have the sticky bit. - **Answer**: `find /tmp -type f -perm -002 ! -perm -1000` - **Explanation**: `-perm -002` finds world-writable, `! -perm -1000` excludes sticky bit files +1. **Challenge**: Change ownership of all files in /data to user "admin" and group "staff" recursively. + **Answer**: `chown -R admin:staff /data` + **Explanation**: `-R` applies the change recursively to all files and subdirectories. -2. **Challenge**: Create a directory where the group can read/write/execute, but new files are readable by everyone. - **Answer**: - ```bash - mkdir shared_dir - chmod 2775 shared_dir - setfacl -d -m o::r-- shared_dir - ``` +2. **Challenge**: Find all files owned by a user who no longer exists on the system. + **Answer**: `find / -nouser 2>/dev/null` + **Explanation**: `-nouser` finds files whose numeric UID doesn't match any user in /etc/passwd. --- ## 10. Exam Strategy ### Topic-Specific Tips -- Master octal notation - it's faster than symbolic for complex permissions +- Master octal notation β€” it's faster than symbolic for complex permissions - Always verify permissions after setting them with `ls -l` -- Remember that ACLs require filesystem support (most modern filesystems support them) -- Practice special permissions until you understand their real-world applications +- Know how umask affects default permissions for new files and directories +- Practice chmod, chown, chgrp until they are second nature ### Common Exam Scenarios -1. **Scenario**: Set up collaborative directory with group inheritance - **Approach**: Use setgid bit (`chmod g+s`) on directory, set appropriate group ownership - -2. **Scenario**: Restrict file access to specific users beyond standard permissions - **Approach**: Use ACLs with `setfacl -m u:username:permissions` +1. **Scenario**: Set up a shared directory for a group + **Approach**: Create group, set group ownership with `chown :group dir`, set `chmod 770` or `chmod 775` -3. **Scenario**: Create secure temporary space where users can't delete others' files - **Approach**: Use sticky bit (`chmod +t`) on directory +2. **Scenario**: Set appropriate permissions on configuration files + **Approach**: Restrictive permissions like `chmod 600` for sensitive files, `chmod 644` for readable configs ### Time Management - **Basic permission tasks**: 2-3 minutes including verification -- **ACL configuration**: 4-5 minutes for complex scenarios -- **Special permissions**: 3-4 minutes including testing -- **Always verify**: Use `ls -l` and `getfacl` to confirm settings +- **Ownership changes**: 1-2 minutes +- **Always verify**: Use `ls -l` and `stat` to confirm settings ### Pitfalls to Avoid - Don't forget that directory execute permission is needed for traversal - Remember that changing group membership requires logout/login to take effect -- ACLs require `+` to show in `ls -l` output - if missing, ACLs aren't set -- Special permissions only work in specific contexts (setuid on scripts often doesn't work) - Don't use 777 permissions unless absolutely necessary (security risk) +- Remember umask subtracts from defaults: files start at 666, directories at 777 --- ## Summary ### Key Takeaways -- **File permissions are the foundation of Linux security** - master both basic and special permissions -- **ACLs provide fine-grained control** - use when standard permissions aren't sufficient -- **Special permissions solve specific problems** - setuid, setgid, and sticky bit have distinct use cases -- **umask affects default permissions** - understand its impact on file creation +- **File permissions are the foundation of Linux security** β€” master chmod, chown, chgrp +- **umask controls default permissions** β€” understand its impact on file creation +- **Ownership determines access** β€” proper user:group assignment is critical ### Critical Commands to Remember ```bash chmod 755 directory # Standard directory permissions -chmod 644 file # Standard file permissions +chmod 644 file # Standard file permissions chown user:group file # Change ownership -setfacl -m u:username:rwx file # Set user ACL -chmod g+s directory # setgid for group inheritance -chmod +t directory # Sticky bit for shared directories +chgrp group file # Change group +umask 022 # Set default permissions +find / -nouser # Find orphaned files ``` ### Next Steps @@ -843,4 +543,63 @@ chmod +t directory # Sticky bit for shared directories --- +## Supplementary Reference: ACLs (Not on RHEL 10 Exam) + +> **Note**: Access Control Lists (ACLs) are no longer an RHCSA exam objective as of RHEL 10. This section is retained for reference only. + +### ACL Commands +```bash +# View ACLs +getfacl file # Show ACL information +getfacl -R directory # Recursive ACL display + +# Set ACLs +setfacl -m u:username:rwx file # Set user ACL +setfacl -m g:groupname:rx file # Set group ACL +setfacl -m d:u:username:rwx directory # Set default user ACL + +# Remove ACLs +setfacl -x u:username file # Remove user ACL +setfacl -b file # Remove all ACLs +setfacl -k directory # Remove default ACLs + +# Copy ACLs +getfacl file1 | setfacl --set-file=- file2 # Copy ACLs between files +``` + +--- + +## Supplementary Reference: Special Permissions (Not on RHEL 10 Exam) + +> **Note**: setuid, setgid, and sticky bit are no longer RHCSA exam objectives as of RHEL 10. This section is retained for reference only. + +### Special Permission Commands +```bash +# setuid (4000) β€” execute file with owner's privileges +chmod u+s file # Add setuid bit +chmod 4755 file # Set permissions with setuid + +# setgid (2000) β€” execute with group's privileges / inherit group on directories +chmod g+s directory # Set group inheritance on directory +chmod 2755 directory # Set permissions with setgid + +# Sticky bit (1000) β€” prevent deletion by non-owners +chmod +t directory # Add sticky bit to directory +chmod 1755 directory # Set permissions with sticky bit +``` + +### Special Permission Values +- **4000**: setuid bit +- **2000**: setgid bit +- **1000**: sticky bit + +### Finding Special Permission Files +```bash +find / -perm -4000 2>/dev/null # Find setuid files +find / -perm -2000 2>/dev/null # Find setgid files +find / -perm -1000 2>/dev/null # Find sticky bit directories +``` + +--- + **Navigation**: [← User Management](03_user_group_management.md) | [Index](index.md) | [Next β†’ Process Management](05_process_service_management.md) \ No newline at end of file diff --git a/docs/rhcsa_synthesis/05_process_service_management.md b/docs/rhcsa_synthesis/05_process_service_management.md index c92a311..560118c 100644 --- a/docs/rhcsa_synthesis/05_process_service_management.md +++ b/docs/rhcsa_synthesis/05_process_service_management.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: Process monitoring, control, systemd service management, and system targets in RHEL 9 +**Topic Scope**: Process monitoring, control, systemd service management, and system targets in RHEL 10 **RHCSA Relevance**: Critical operational skill - process and service management is essential for system administration @@ -21,7 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory -RHEL 9 uses systemd as the init system and service manager, which fundamentally changed how processes and services are managed: +RHEL 10 uses systemd as the init system and service manager, which fundamentally changed how processes and services are managed: - **Process hierarchy**: All processes descend from PID 1 (systemd) - **Service units**: Standardized configuration for system services diff --git a/docs/rhcsa_synthesis/06_package_management.md b/docs/rhcsa_synthesis/06_package_management.md index 22964bc..d36b605 100644 --- a/docs/rhcsa_synthesis/06_package_management.md +++ b/docs/rhcsa_synthesis/06_package_management.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: DNF package manager, RPM operations, repository management, and software installation in RHEL 9 +**Topic Scope**: DNF package manager, RPM operations, repository management, and software installation in RHEL 10 **RHCSA Relevance**: Essential system administration skill - package management is fundamental for maintaining RHEL systems @@ -21,7 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory -RHEL 9 uses DNF (Dandified YUM) as the primary package manager, which provides: +RHEL 10 uses DNF (Dandified YUM) as the primary package manager, which provides: - **Dependency resolution**: Automatic handling of package dependencies - **Repository management**: Centralized software distribution points diff --git a/docs/rhcsa_synthesis/07_storage_lvm.md b/docs/rhcsa_synthesis/07_storage_lvm.md index f0e70bb..7dd8897 100644 --- a/docs/rhcsa_synthesis/07_storage_lvm.md +++ b/docs/rhcsa_synthesis/07_storage_lvm.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: Disk partitioning, LVM (Logical Volume Management), filesystem creation, mounting, and swap management in RHEL 9 +**Topic Scope**: Disk partitioning, LVM (Logical Volume Management), filesystem creation, mounting, and swap management in RHEL 10 **RHCSA Relevance**: Critical exam topic - storage management is a major component of RHCSA certification @@ -21,7 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory -Storage management in RHEL 9 involves multiple layers: +Storage management in RHEL 10 involves multiple layers: - **Physical storage**: Hard drives, SSDs, network storage - **Partitions**: Logical divisions of physical storage @@ -50,6 +50,8 @@ Storage management in RHEL 9 involves multiple layers: - **Physical Extent (PE)**: Smallest unit of space allocation in LVM - **Logical Extent (LE)**: Mapping unit from logical volume to physical extents - **Mount point**: Directory where filesystem is attached to directory tree +- **Thin pool**: LVM storage pool for thin provisioning with on-demand allocation +- **Thin volume**: Logical volume that draws space from a thin pool as data is written - **fstab**: Configuration file for automatic filesystem mounting - **UUID**: Universally Unique Identifier for devices and filesystems @@ -116,6 +118,27 @@ lvreduce -L -1G /dev/vgname/lvname # Reduce LV by 1GB lvremove /dev/vgname/lvname # Remove LV ``` +### LVM Thin Provisioning +```bash +# Create a thin pool (allocates actual storage) +lvcreate --type thin-pool -L 5G -n mythinpool vgname + +# Create thin volumes (virtual size, allocated from pool on demand) +lvcreate --virtualsize 10G --thin -n thinlv1 vgname/mythinpool +lvcreate --virtualsize 10G --thin -n thinlv2 vgname/mythinpool + +# Monitor thin pool usage +lvs -o+lv_size,pool_lv,data_percent vgname +lvs -a vgname # Show all LVs including pool metadata + +# Extend thin pool when running low +lvextend -L +5G vgname/mythinpool + +# Create filesystem and mount thin volume (same as regular LV) +mkfs.xfs /dev/vgname/thinlv1 +mount /dev/vgname/thinlv1 /mnt/thin1 +``` + ### Filesystem Management ```bash # Create filesystems @@ -266,6 +289,48 @@ swapon /swapfile # Enable swap file df -h /data ``` +### Standard Procedure: LVM Thin Provisioning Setup + +Thin provisioning allows over-committing storage β€” thin volumes can have a combined virtual size larger than the physical pool. Space is allocated only as data is written. + +1. **Create thin pool from volume group** + ```bash + # Create a thin pool (actual physical storage) + lvcreate --type thin-pool -L 5G -n thinpool datavg + ``` + +2. **Create thin volumes** + ```bash + # Virtual size can exceed pool size (overprovisioning) + lvcreate --virtualsize 10G --thin -n app1 datavg/thinpool + lvcreate --virtualsize 10G --thin -n app2 datavg/thinpool + ``` + +3. **Create filesystems and mount** + ```bash + mkfs.xfs /dev/datavg/app1 + mkfs.xfs /dev/datavg/app2 + mkdir -p /srv/{app1,app2} + mount /dev/datavg/app1 /srv/app1 + mount /dev/datavg/app2 /srv/app2 + ``` + +4. **Monitor pool usage and extend when needed** + ```bash + # Check how much of the pool is actually used + lvs -o+data_percent datavg/thinpool + + # Extend pool before it fills up + lvextend -L +5G datavg/thinpool + ``` + +5. **Make mounts persistent** + ```bash + echo "/dev/datavg/app1 /srv/app1 xfs defaults 0 2" >> /etc/fstab + echo "/dev/datavg/app2 /srv/app2 xfs defaults 0 2" >> /etc/fstab + mount -a + ``` + ### Decision Tree: Storage Strategy Selection ``` Storage Requirements @@ -276,6 +341,8 @@ Storage Requirements β”‚ β”œβ”€β”€ Need flexibility? β†’ LVM with multiple PVs β”‚ β”œβ”€β”€ Performance priority? β†’ RAID + LVM β”‚ └── Simple aggregation? β†’ LVM spanning +β”œβ”€β”€ Overprovisioned / on-demand storage? +β”‚ └── LVM thin provisioning β†’ thin pool + thin volumes └── Specific use case? β”œβ”€β”€ Database storage β†’ XFS on LVM for large files β”œβ”€β”€ Boot partition β†’ ext4 on regular partition @@ -855,6 +922,11 @@ mount /dev/vgname/lvname /mnt # Mount filesystem vgextend vgname /dev/sdc1 # Add space to VG lvextend -L +1G /dev/vgname/lvname # Extend LV xfs_growfs /mnt # Grow XFS filesystem + +# Thin provisioning workflow +lvcreate --type thin-pool -L 5G -n pool vgname # Create thin pool +lvcreate --virtualsize 10G --thin -n lv1 vgname/pool # Create thin LV +lvs -o+data_percent vgname/pool # Monitor pool usage ``` ### fstab Entry Examples @@ -919,6 +991,7 @@ UUID=abc123-def456 /data xfs defaults,noatime 0 2 - Use `lsblk` to visualize storage hierarchy before making changes - Remember that XFS can only grow, not shrink - Practice the complete workflow: PV β†’ VG β†’ LV β†’ filesystem β†’ mount β†’ fstab +- For thin provisioning: monitor pool usage (`lvs -o+data_percent`) and extend before full ### Common Exam Scenarios 1. **Scenario**: Add storage to existing system diff --git a/docs/rhcsa_synthesis/08_networking.md b/docs/rhcsa_synthesis/08_networking.md index 88af9fd..1a37412 100644 --- a/docs/rhcsa_synthesis/08_networking.md +++ b/docs/rhcsa_synthesis/08_networking.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: Network interface configuration, static IP assignment, hostname management, and network troubleshooting in RHEL 9 +**Topic Scope**: Network interface configuration, static IP assignment, hostname management, and network troubleshooting in RHEL 10 **RHCSA Relevance**: Essential system administration skill - network configuration is fundamental for server management @@ -21,7 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory -RHEL 9 uses NetworkManager as the primary network management service: +RHEL 10 uses NetworkManager as the primary network management service: - **NetworkManager**: Modern network configuration service replacing traditional networking scripts - **Connection profiles**: Persistent network configurations stored by NetworkManager @@ -37,7 +37,7 @@ RHEL 9 uses NetworkManager as the primary network management service: - **Network isolation**: Separating different types of traffic for security ### Common Misconceptions -- **NetworkManager vs network scripts**: RHEL 9 uses NetworkManager, not legacy scripts +- **NetworkManager vs network scripts**: RHEL 10 uses NetworkManager, not legacy scripts - **Interface naming**: Modern systems use predictable names (ens3, enp0s3) not eth0 - **Connection vs device state**: A device can be up but connection down - **DNS configuration**: Managed by NetworkManager, not directly in /etc/resolv.conf @@ -362,7 +362,7 @@ nmcli connection modify "connection-name" \ ### Network Interface Naming #### Predictable Network Interface Names ```bash -# Modern naming scheme (RHEL 9): +# Modern naming scheme (RHEL 10): # ens3 - Ethernet slot 3 # enp0s3 - Ethernet PCI bus 0, slot 3 # enp1s0f0 - Ethernet PCI bus 1, slot 0, function 0 @@ -879,7 +879,7 @@ ipv4.dns # DNS servers ## 10. Exam Strategy ### Topic-Specific Tips -- Always use `nmcli` for configuration - it's the modern RHEL 9 way +- Always use `nmcli` for configuration - it's the modern RHEL 10 way - Verify configuration with both `nmcli` and `ip` commands - Remember that connections must be activated after creation - Test connectivity at multiple levels (gateway, external, DNS) @@ -912,7 +912,7 @@ ipv4.dns # DNS servers ## Summary ### Key Takeaways -- **NetworkManager is the standard** in RHEL 9 - master `nmcli` commands +- **NetworkManager is the standard** in RHEL 10 - master `nmcli` commands - **Connections are profiles** applied to devices - understand this relationship - **Systematic troubleshooting** saves time - test connectivity at each network layer - **Always verify configuration** with multiple commands and connectivity tests diff --git a/docs/rhcsa_synthesis/09_selinux.md b/docs/rhcsa_synthesis/09_selinux.md index 72a84fc..187e6dc 100644 --- a/docs/rhcsa_synthesis/09_selinux.md +++ b/docs/rhcsa_synthesis/09_selinux.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: SELinux configuration, contexts, booleans, troubleshooting, and security policy management in RHEL 9 +**Topic Scope**: SELinux configuration, contexts, booleans, troubleshooting, and security policy management in RHEL 10 **RHCSA Relevance**: Critical security topic - SELinux is a major component of RHEL security and frequently tested diff --git a/docs/rhcsa_synthesis/10_firewall.md b/docs/rhcsa_synthesis/10_firewall.md index 90e9a6b..252d61e 100644 --- a/docs/rhcsa_synthesis/10_firewall.md +++ b/docs/rhcsa_synthesis/10_firewall.md @@ -6,7 +6,7 @@ ## 1. Executive Summary -**Topic Scope**: Firewall configuration using firewalld, zones, services, ports, and rich rules in RHEL 9 +**Topic Scope**: Firewall configuration using firewalld, zones, services, ports, and rich rules in RHEL 10 **RHCSA Relevance**: Essential security skill - firewall management is fundamental for server security @@ -21,7 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory -RHEL 9 uses firewalld as the default firewall management service, which provides: +RHEL 10 uses firewalld as the default firewall management service, which provides: - **Zone-based management**: Different security levels for different network contexts - **Dynamic configuration**: Changes without service restart or connection drops @@ -37,7 +37,7 @@ RHEL 9 uses firewalld as the default firewall management service, which provides - **Compliance requirements**: Meeting security standards for regulated environments ### Common Misconceptions -- **iptables vs firewalld**: RHEL 9 uses firewalld by default, not direct iptables +- **iptables vs firewalld**: RHEL 10 uses firewalld by default, not direct iptables - **Zone complexity**: Zones are logical groupings, not physical network segments - **Runtime changes**: Runtime changes are temporary unless made permanent - **Service vs port rules**: Services are collections of ports with meaningful names diff --git a/docs/rhcsa_synthesis/11_boot_grub.md b/docs/rhcsa_synthesis/11_boot_grub.md index 637b31c..35bf58d 100644 --- a/docs/rhcsa_synthesis/11_boot_grub.md +++ b/docs/rhcsa_synthesis/11_boot_grub.md @@ -1,7 +1,7 @@ # Module 11: Boot Process & GRUB Configuration ## 1. Learning Objectives -- Understand the RHEL 9 boot process from UEFI/BIOS to systemd +- Understand the RHEL 10 boot process from UEFI/BIOS to systemd - Configure and customize GRUB2 bootloader settings - Manage kernel parameters and boot options - Recover from boot failures using rescue modes @@ -11,7 +11,7 @@ ## 2. Key Concepts ### Boot Process Overview -The RHEL 9 boot sequence follows these stages: +The RHEL 10 boot sequence follows these stages: 1. **UEFI/BIOS**: Hardware initialization and bootloader location 2. **GRUB2**: Boot menu, kernel selection, and parameter passing 3. **Kernel**: Hardware detection, driver loading, initramfs mounting @@ -227,7 +227,7 @@ systemd.unit=runlevel3.target # Equivalent to multi-user **Objective**: Configure GRUB bootloader and manage kernel parameters **Prerequisites**: -- RHEL 9 system with multiple kernel versions +- RHEL 10 system with multiple kernel versions - Root access for bootloader modifications **Tasks**: @@ -250,7 +250,7 @@ cat /proc/cmdline # Verify current parameter **Objective**: Practice boot failure recovery procedures **Prerequisites**: -- RHEL 9 system with intentionally broken boot configuration +- RHEL 10 system with intentionally broken boot configuration - Installation media or rescue disk available **Tasks**: @@ -273,7 +273,7 @@ journalctl -b | grep -i error # Check for boot errors **Objective**: Integrate both methodologies for comprehensive boot management **Prerequisites**: -- Fresh RHEL 9 installation +- Fresh RHEL 10 installation - Multiple kernel versions installed - Access to rescue media diff --git a/docs/rhcsa_synthesis/12_logging_monitoring.md b/docs/rhcsa_synthesis/12_logging_monitoring.md index 000eee0..348b865 100644 --- a/docs/rhcsa_synthesis/12_logging_monitoring.md +++ b/docs/rhcsa_synthesis/12_logging_monitoring.md @@ -11,7 +11,7 @@ ## 2. Key Concepts -### Logging Architecture in RHEL 9 +### Logging Architecture in RHEL 10 - **systemd-journald**: Primary logging daemon for systemd services - **rsyslog**: Traditional syslog daemon for compatibility and advanced features - **Log Storage**: Binary journal files and text-based syslog files @@ -312,7 +312,7 @@ aureport --auth --summary # SELinux auth summary **Objective**: Configure comprehensive logging system with journal persistence and rsyslog customization **Prerequisites**: -- RHEL 9 system with systemd and rsyslog installed +- RHEL 10 system with systemd and rsyslog installed - Root access for configuration modifications **Tasks**: @@ -335,7 +335,7 @@ cat /etc/logrotate.d/ssh # Check rotation config **Objective**: Implement comprehensive system monitoring using built-in tools **Prerequisites**: -- RHEL 9 system with full monitoring tools installed +- RHEL 10 system with full monitoring tools installed - Network connectivity for remote logging tests **Tasks**: @@ -358,7 +358,7 @@ ls -la /var/log/sa/ # Check SAR data files **Objective**: Build enterprise-grade logging and monitoring system **Prerequisites**: -- Multiple RHEL 9 systems (or containers) for centralized logging +- Multiple RHEL 10 systems (or containers) for centralized logging - Administrative access to all systems **Tasks**: @@ -533,4 +533,4 @@ Storage=volatile # Use memory storage tempora --- -**Module 12 Summary**: Effective logging and monitoring are essential for maintaining system health and security. This module combines traditional syslog management with modern systemd journal capabilities, providing comprehensive coverage of RHEL 9 logging infrastructure. Understanding both reactive troubleshooting through log analysis and proactive monitoring for performance optimization is crucial for RHCSA certification and production system management. \ No newline at end of file +**Module 12 Summary**: Effective logging and monitoring are essential for maintaining system health and security. This module combines traditional syslog management with modern systemd journal capabilities, providing comprehensive coverage of RHEL 10 logging infrastructure. Understanding both reactive troubleshooting through log analysis and proactive monitoring for performance optimization is crucial for RHCSA certification and production system management. \ No newline at end of file diff --git a/docs/rhcsa_synthesis/13_scheduled_tasks.md b/docs/rhcsa_synthesis/13_scheduled_tasks.md index 6cea121..4135e10 100644 --- a/docs/rhcsa_synthesis/13_scheduled_tasks.md +++ b/docs/rhcsa_synthesis/13_scheduled_tasks.md @@ -11,7 +11,7 @@ ## 2. Key Concepts -### Task Scheduling Systems in RHEL 9 +### Task Scheduling Systems in RHEL 10 - **cron**: Traditional time-based job scheduler - **anacron**: Enhanced scheduler for systems not always running - **systemd timers**: Modern systemd-based scheduling @@ -325,7 +325,7 @@ echo "/usr/local/bin/video-processing.sh" | batch **Objective**: Implement comprehensive cron-based task scheduling with proper security and logging **Prerequisites**: -- RHEL 9 system with crond and anacron installed +- RHEL 10 system with crond and anacron installed - Multiple user accounts for testing access control **Tasks**: @@ -348,7 +348,7 @@ grep CRON /var/log/cron # Check cron execution logs **Objective**: Build modern systemd-based scheduling system with advanced timer features **Prerequisites**: -- RHEL 9 system with systemd +- RHEL 10 system with systemd - Understanding of systemd unit files **Tasks**: @@ -371,7 +371,7 @@ systemd-analyze calendar "Mon..Fri *-*-* 09..17:00:00" # Validate calendar **Objective**: Design comprehensive enterprise scheduling system combining all methodologies **Prerequisites**: -- Multiple RHEL 9 systems for distributed scheduling +- Multiple RHEL 10 systems for distributed scheduling - Network connectivity for centralized monitoring **Tasks**: diff --git a/docs/rhcsa_synthesis/14_container_management.md b/docs/rhcsa_synthesis/14_container_management.md deleted file mode 100644 index 41dfca0..0000000 --- a/docs/rhcsa_synthesis/14_container_management.md +++ /dev/null @@ -1,578 +0,0 @@ -# Module 14: Container Management with Podman - -## 1. Learning Objectives -- Master Podman container operations and management -- Configure rootless and rootful container execution -- Implement persistent container storage and networking -- Manage container images, registries, and security -- Integrate containers with systemd services -- Design container-based application deployment strategies -- Troubleshoot container networking and storage issues - -## 2. Key Concepts - -### Container Technology in RHEL 9 -- **Podman**: Pod Manager, daemonless container engine -- **Buildah**: Container image building tool -- **Skopeo**: Container image operations and inspection -- **CRI-O**: Container runtime interface for Kubernetes -- **Rootless containers**: User namespace containers without root privileges - -### Podman Architecture -- **Daemonless**: No central daemon, direct fork/exec model -- **Rootless**: Can run containers as regular users -- **Pod support**: Kubernetes-compatible pod management -- **OCI compliance**: Open Container Initiative standard compatibility -- **systemd integration**: Native systemd service generation - -### Container Storage and Networking -- **Storage drivers**: overlay, vfs for different storage backends -- **Container images**: Layered filesystem with union mounts -- **Volumes**: Persistent data storage independent of container lifecycle -- **Networks**: Bridge, host, none networking modes -- **Port mapping**: Expose container ports to host system - -### Security Features -- **SELinux integration**: Container process confinement -- **User namespaces**: Process isolation and privilege separation -- **Capabilities**: Fine-grained privilege control -- **Seccomp**: System call filtering -- **Image signing**: Digital signature verification - -## 3. Essential Commands - -### Basic Container Operations -```bash -# Container lifecycle -podman run -it --name mycontainer ubi8 /bin/bash # Create and start container -podman start container_name # Start stopped container -podman stop container_name # Stop running container -podman restart container_name # Restart container -podman rm container_name # Remove container -podman kill container_name # Force kill container - -# Container information -podman ps # List running containers -podman ps -a # List all containers -podman inspect container_name # Detailed container info -podman logs container_name # View container logs -podman top container_name # Show container processes -``` - -### Image Management -```bash -# Image operations -podman images # List local images -podman pull registry.redhat.io/ubi8/ubi # Pull image from registry -podman search httpd # Search for images -podman inspect image_name # Image details -podman rmi image_name # Remove image -podman tag old_name new_name # Tag image with new name - -# Image building -podman build -t myapp:v1 . # Build from Dockerfile -buildah from ubi8 # Create working container -buildah run mycontainer -- yum install httpd # Run commands in container -buildah commit mycontainer myimage:v1 # Commit to new image -``` - -### Volume and Storage Management -```bash -# Volume operations -podman volume create myvolume # Create named volume -podman volume ls # List volumes -podman volume inspect myvolume # Volume details -podman volume rm myvolume # Remove volume - -# Using volumes in containers -podman run -v myvolume:/data ubi8 # Mount named volume -podman run -v /host/path:/container/path ubi8 # Bind mount host directory -podman run --mount type=bind,source=/host,target=/container ubi8 # Alternative mount syntax -``` - -### Network Management -```bash -# Network operations -podman network ls # List networks -podman network create mynetwork # Create custom network -podman network inspect mynetwork # Network details -podman network rm mynetwork # Remove network - -# Container networking -podman run -p 8080:80 httpd # Port mapping -podman run --network none ubi8 # No networking -podman run --network host httpd # Use host networking -podman run --network mynetwork --name web httpd # Use custom network -``` - -### Systemd Integration -```bash -# Generate systemd service files -podman generate systemd --name mycontainer # Generate service unit -podman generate systemd --name mycontainer --files # Write to files -podman generate systemd --new --name mycontainer # Include container creation - -# Service management (as user) -systemctl --user daemon-reload # Reload user systemd -systemctl --user enable container-mycontainer # Enable container service -systemctl --user start container-mycontainer # Start container service -loginctl enable-linger username # Enable user services at boot -``` - -## 4. Asghar Ghori's Approach - -### Systematic Container Deployment -Ghori emphasizes structured container implementation: -```bash -# Step 1: Environment preparation -dnf install container-tools # Install podman suite -podman info # Verify installation - -# Step 2: Registry configuration -# Edit /etc/containers/registries.conf -[registries.search] -registries = ['registry.redhat.io', 'registry.fedoraproject.org', 'docker.io'] - -[registries.insecure] -registries = [] - -[registries.block] -registries = [] - -# Step 3: Container deployment workflow -podman pull registry.redhat.io/ubi8/httpd-24 # Pull official image -podman inspect registry.redhat.io/ubi8/httpd-24 # Examine image -podman run -d --name web-server -p 8080:8080 registry.redhat.io/ubi8/httpd-24 -podman ps # Verify deployment -curl http://localhost:8080 # Test functionality -``` - -### Rootless Container Configuration -Ghori's approach to non-privileged container management: -```bash -# Configure subuid and subgid for regular user -echo "username:100000:65536" >> /etc/subuid -echo "username:100000:65536" >> /etc/subgid - -# As regular user -podman unshare cat /proc/self/uid_map # Verify user namespace -podman run --rm -it ubi8 id # Check container user mapping - -# Rootless networking (requires special handling) -podman run -p 8080:8080 httpd # Unprivileged ports only -``` - -### Container Persistence Strategy -```bash -# Ghori's systematic approach to data persistence -# 1. Create persistent volume -podman volume create webapp-data - -# 2. Deploy container with volume -podman run -d --name webapp \ - -v webapp-data:/var/www/html \ - -p 8080:8080 \ - httpd - -# 3. Populate data -podman exec webapp sh -c "echo '

Hello World

' > /var/www/html/index.html" - -# 4. Test persistence -podman stop webapp -podman rm webapp -podman run -d --name webapp2 -v webapp-data:/var/www/html -p 8081:8080 httpd -curl http://localhost:8081 # Data should persist -``` - -## 5. Sander van Vugt's Approach - -### Advanced Podman Configuration -Van Vugt focuses on production-ready container configurations: -```bash -# Configure container storage optimization -# Edit /etc/containers/storage.conf -[storage] -driver = "overlay" -runroot = "/run/containers/storage" -graphroot = "/var/lib/containers/storage" - -[storage.options] -additionalimagestores = [] -size = "" -remap-uids = "" -remap-gids = "" -ignore_chown_errors = "false" -mount_program = "/usr/bin/fuse-overlayfs" -mountopt = "nodev,metacopy=on" -``` - -### Multi-Container Pod Management -Van Vugt's pod-based approach: -```bash -# Create pod with shared networking -podman pod create --name webapp-pod -p 8080:80 - -# Deploy database container in pod -podman run -d --name database \ - --pod webapp-pod \ - -e MYSQL_ROOT_PASSWORD=secret \ - -e MYSQL_DATABASE=webapp \ - registry.redhat.io/rhel8/mysql-80 - -# Deploy web application in same pod -podman run -d --name webapp \ - --pod webapp-pod \ - -e DB_HOST=localhost \ - -e DB_PASSWORD=secret \ - custom-webapp:latest - -# Pod management -podman pod ps # List pods -podman pod stop webapp-pod # Stop entire pod -podman pod start webapp-pod # Start entire pod -``` - -### Production Systemd Integration -Van Vugt's enterprise systemd service configuration: -```bash -# Generate production-ready systemd units -podman create --name production-web \ - --restart=always \ - -p 80:8080 \ - -v web-data:/var/www/html:Z \ - httpd - -# Generate systemd service -podman generate systemd --new --files --name production-web - -# Install as system service (requires root) -cp container-production-web.service /etc/systemd/system/ -systemctl daemon-reload -systemctl enable container-production-web -systemctl start container-production-web - -# Monitor service -systemctl status container-production-web -journalctl -u container-production-web -f -``` - -### Advanced Networking Configuration -```bash -# Create custom bridge network with specific subnet -podman network create --driver bridge --subnet 172.20.0.0/16 --gateway 172.20.0.1 prod-network - -# Deploy containers with static IPs -podman run -d --name web1 --network prod-network --ip 172.20.0.10 httpd -podman run -d --name web2 --network prod-network --ip 172.20.0.11 httpd - -# Load balancer configuration -podman run -d --name lb \ - --network prod-network \ - --ip 172.20.0.5 \ - -p 80:80 \ - nginx - -# Network troubleshooting -podman network inspect prod-network -podman exec web1 ping 172.20.0.11 -``` - -## 6. Command Examples and Scenarios - -### Scenario 1: Web Application Deployment -```bash -# Deploy complete web application stack -# 1. Create application network -podman network create webapp-net - -# 2. Deploy database -podman run -d --name webapp-db \ - --network webapp-net \ - -e POSTGRES_DB=webapp \ - -e POSTGRES_USER=appuser \ - -e POSTGRES_PASSWORD=secret \ - -v db-data:/var/lib/postgresql/data \ - postgres:13 - -# 3. Deploy application -podman run -d --name webapp-api \ - --network webapp-net \ - -e DATABASE_URL=postgresql://appuser:secret@webapp-db:5432/webapp \ - -p 8080:8080 \ - webapp-api:latest - -# 4. Deploy frontend -podman run -d --name webapp-frontend \ - --network webapp-net \ - -e API_URL=http://webapp-api:8080 \ - -p 80:80 \ - webapp-frontend:latest -``` - -### Scenario 2: Development Environment -```bash -# Create development container with volume mounts -podman run -it --name dev-env \ - -v $(pwd):/workspace:Z \ - -v dev-cache:/root/.cache \ - -w /workspace \ - -p 3000:3000 \ - -p 8080:8080 \ - node:16 - -# Inside container: npm install && npm start - -# Attach to running development container -podman exec -it dev-env /bin/bash -``` - -### Scenario 3: Batch Processing Container -```bash -# Run one-time batch processing container -podman run --rm \ - -v /data/input:/input:ro \ - -v /data/output:/output:Z \ - -e BATCH_SIZE=1000 \ - -e OUTPUT_FORMAT=json \ - batch-processor:latest - -# Scheduled batch processing with systemd timer -podman create --name nightly-batch \ - -v batch-input:/input:ro \ - -v batch-output:/output:Z \ - batch-processor:latest - -podman generate systemd --new --files --name nightly-batch -``` - -## 7. Lab Exercises - -### Lab 14A: Basic Container Operations (Ghori-focused) -**Time Limit**: 25 minutes -**Objective**: Master fundamental Podman operations and rootless container deployment - -**Prerequisites**: -- RHEL 9 system with container-tools package installed -- Regular user account configured with subuid/subgid - -**Tasks**: -1. Configure rootless container environment for regular user -2. Deploy HTTP server container with persistent volume -3. Create custom image with application modifications -4. Implement container networking with port mapping -5. Generate and test systemd service for container - -**Verification Commands**: -```bash -podman ps -a # List all containers -podman images # Show local images -podman volume ls # List volumes -curl http://localhost:8080 # Test web service -systemctl --user status container-* # Check systemd services -``` - -### Lab 14B: Advanced Container Management (van Vugt-focused) -**Time Limit**: 30 minutes -**Objective**: Implement production-ready container infrastructure with pods and networking - -**Prerequisites**: -- RHEL 9 system with full container tools suite -- Understanding of systemd service management - -**Tasks**: -1. Create multi-container pod with shared networking -2. Implement custom bridge network with static IP assignments -3. Deploy database and web application containers with proper data persistence -4. Configure container auto-restart and health monitoring -5. Set up centralized logging for container applications - -**Verification Commands**: -```bash -podman pod ps # List pods -podman network ls # Show networks -podman volume inspect data-volume # Check volume details -systemctl status container-* # Service status -podman logs --tail=20 webapp # Application logs -``` - -### Lab 14C: Synthesis Challenge - Enterprise Container Platform -**Time Limit**: 40 minutes -**Objective**: Build complete containerized application platform combining all methodologies - -**Prerequisites**: -- Multiple RHEL 9 systems for distributed deployment -- Container registry access for image distribution - -**Tasks**: -1. Design multi-tier containerized application architecture -2. Implement container image build pipeline with Buildah -3. Deploy distributed application using pods and custom networking -4. Configure container monitoring and log aggregation -5. Implement container backup and disaster recovery procedures -6. Set up automated container updates and rollback mechanisms - -**Advanced Requirements**: -- Combine Ghori's systematic deployment with van Vugt's advanced configuration -- Implement container security hardening and SELinux integration -- Create comprehensive operational documentation - -**Verification Commands**: -```bash -podman system info # System configuration -podman pod ps && podman ps # All containers and pods -ss -tulnp | grep -E ":80|:8080|:443" # Network services -find /var/lib/containers -name "*.json" | head -5 # Container metadata -systemctl --user list-units --type=service | grep container # User services -``` - -## 8. Troubleshooting Common Issues - -### Container Won't Start -```bash -# Symptoms: Container fails to start or exits immediately -# Check container logs -podman logs container_name - -# Check container configuration -podman inspect container_name | grep -A5 -B5 Error - -# Common causes: -# 1. Image not found -podman images | grep image_name - -# 2. Port conflicts -ss -tulnp | grep :8080 - -# 3. Permission issues with volumes -ls -laZ /host/path -``` - -### Rootless Container Networking Issues -```bash -# Symptoms: Cannot bind to ports below 1024 -# Solution: Use port mapping to higher ports -podman run -p 8080:80 httpd # Map host 8080 to container 80 - -# Enable unprivileged port binding (if needed) -echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf -sysctl -p - -# Check user namespace configuration -podman unshare cat /proc/self/uid_map -podman unshare cat /proc/self/gid_map -``` - -### Volume Mount Permission Errors -```bash -# Symptoms: Permission denied errors when accessing mounted volumes -# Check SELinux context -ls -laZ /host/directory - -# Fix SELinux context for container volumes -# Method 1: Use :Z suffix for automatic labeling -podman run -v /host/path:/container/path:Z image - -# Method 2: Manually set SELinux context -semanage fcontext -a -t container_file_t "/host/path(/.*)?" -restorecon -Rv /host/path - -# Check volume ownership -podman unshare ls -la /host/path -``` - -### Image Pull Failures -```bash -# Symptoms: Cannot pull images from registry -# Check registry configuration -cat /etc/containers/registries.conf - -# Test registry connectivity -curl -I https://registry.redhat.io/v2/ - -# Check authentication -podman login registry.redhat.io - -# Use fully qualified image names -podman pull registry.redhat.io/ubi8/ubi:latest -``` - -### Systemd Service Integration Problems -```bash -# Symptoms: Container service fails to start properly -# Regenerate systemd service files -podman generate systemd --new --files --name container_name - -# Check service file syntax -systemctl --user cat container-name -systemctl --user daemon-reload - -# Enable linger for user services -loginctl enable-linger username -loginctl show-user username | grep Linger - -# Check service logs -systemctl --user status container-name -journalctl --user -u container-name -``` - -## 9. Best Practices - -### Security Hardening -- Run containers as rootless whenever possible -- Use minimal base images (UBI, Alpine, scratch) -- Implement proper SELinux labeling for volumes -- Avoid running containers with --privileged flag -- Use secrets management for sensitive data -- Regular security scanning of container images - -### Resource Management -- Set memory and CPU limits for containers -- Use appropriate restart policies -- Monitor container resource usage -- Implement health checks for applications -- Use multi-stage builds to reduce image size -- Clean up unused images and containers regularly - -### Data Persistence Strategy -- Use named volumes for persistent data -- Implement proper backup strategies for volume data -- Separate application data from container lifecycle -- Use bind mounts sparingly and with proper permissions -- Document volume dependencies and relationships - -### Networking Design -- Use custom networks for application isolation -- Implement proper port management strategies -- Document network dependencies between containers -- Use pod networking for tightly coupled applications -- Implement proper DNS resolution for service discovery - -## 10. Integration with Other RHCSA Topics - -### Service Management Integration -- Generate systemd services for containers -- Integrate container services with system boot process -- Monitor container services through systemd -- Implement service dependencies and ordering - -### Storage Integration -- Use LVM volumes for container storage -- Implement container data backup strategies -- Integrate with existing storage infrastructure -- Monitor container storage usage and growth - -### Security Integration -- Implement SELinux policies for containers -- Use firewall rules for container networking -- Integrate with system authentication mechanisms -- Implement audit logging for container operations - -### Network Integration -- Configure container networking with host network infrastructure -- Implement load balancing for containerized services -- Use existing DNS infrastructure for container name resolution -- Monitor network performance for containerized applications - ---- - -**Module 14 Summary**: Container management with Podman is an essential skill for modern system administrators. This module provides comprehensive coverage of container operations, from basic deployment to advanced enterprise configurations. Understanding both rootless container management and production deployment strategies is crucial for RHCSA certification and modern infrastructure management. The synthesis approach ensures proficiency in both fundamental operations and advanced containerization concepts. \ No newline at end of file diff --git a/docs/rhcsa_synthesis/14_flatpak_management.md b/docs/rhcsa_synthesis/14_flatpak_management.md new file mode 100644 index 0000000..9088e15 --- /dev/null +++ b/docs/rhcsa_synthesis/14_flatpak_management.md @@ -0,0 +1,633 @@ +# 14 - Flatpak Software Management + +**Navigation**: [← Scheduled Tasks](13_scheduled_tasks.md) | [Index](index.md) | [Next β†’ Troubleshooting](15_troubleshooting.md) + +--- + +## 1. Executive Summary + +**Topic Scope**: Flatpak application packaging, repository management, and software distribution on RHEL 10 + +**RHCSA Relevance**: Flatpak replaces container management (Podman) as an RHCSA exam objective starting with RHEL 10. Candidates must be able to configure Flatpak repositories and manage Flatpak-based software. + +**Exam Weight**: High + +**Prerequisites**: Basic package management (Module 06), familiarity with DNF/RPM + +**Related Topics**: [Package Management](06_package_management.md) + +--- + +## 2. Conceptual Foundation + +### What is Flatpak? + +Flatpak is a framework for distributing desktop and command-line applications on Linux. It provides a sandboxed environment where applications run isolated from the host system, with their own bundled dependencies. + +**Key characteristics**: +- **Sandboxed execution**: Applications run in isolated environments with controlled access to host resources +- **Bundled dependencies**: Each application ships with its own runtime and libraries, avoiding dependency conflicts +- **Distribution-agnostic**: The same Flatpak runs on any Linux distribution +- **Automatic updates**: Applications can be updated independently of the host OS +- **OSTree-based**: Uses content-addressable storage for efficient deduplication and delta updates + +### Flatpak Architecture + +- **Runtimes**: Shared sets of base libraries (e.g., `org.freedesktop.Platform`, `org.gnome.Platform`) that provide common dependencies. Multiple applications can share the same runtime. +- **Applications**: The actual software packages, built against a specific runtime +- **Remotes**: Repositories from which runtimes and applications are fetched (similar to DNF repositories) +- **Refs**: References to specific versions of applications or runtimes (e.g., `app/org.gimp.GIMP/x86_64/stable`) +- **Sandbox**: The isolation boundary using namespaces, seccomp, and portals + +### System vs User Installs + +Flatpak supports two installation scopes: + +- **System installs** (`--system`, default): Available to all users, stored in `/var/lib/flatpak/`. Requires root or polkit authorization. +- **User installs** (`--user`): Available only to the current user, stored in `~/.local/share/flatpak/`. No root required. + +### Remotes and Repositories + +- **Flathub** (`https://flathub.org/repo/flathub.flatpakrepo`): The largest Flatpak repository with thousands of community and vendor applications +- **RHEL Flatpak remote**: Red Hat's curated Flatpak repository for enterprise applications +- **Fedora Flatpaks**: Fedora's official Flatpak repository + +### Sandboxing and Permissions + +Flatpak uses a portal-based permission system: +- **Filesystem access**: Controlled via `--filesystem=` overrides +- **Network access**: Enabled/disabled per application +- **Device access**: Camera, GPU, etc. via portals +- **D-Bus access**: Controlled bus access for desktop integration +- Applications request permissions at install time; users can override them + +### Common Misconceptions + +- **Flatpak is not a container runtime** β€” Unlike Podman/Docker, Flatpak is designed for desktop/CLI applications, not server workloads +- **Flatpaks are not always large** β€” Runtimes are shared across applications, so the second Flatpak using the same runtime adds minimal disk usage +- **Flatpak does not replace RPM/DNF** β€” System packages (kernel, systemd, libraries) are still managed by DNF. Flatpak is for application-layer software + +--- + +## 3. Command Mastery + +### Essential Commands + +```bash +# Repository (remote) management +flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo # Add Flathub +flatpak remote-add --user myremote https://example.com/repo/example.flatpakrepo # Add user remote +flatpak remote-delete flathub # Remove a remote +flatpak remote-ls flathub # List available apps from remote +flatpak remotes # List configured remotes + +# Search and information +flatpak search gimp # Search for applications +flatpak info org.gimp.GIMP # Show detailed app information + +# Install and uninstall +flatpak install flathub org.gimp.GIMP # Install from specific remote +flatpak install org.gimp.GIMP # Install (auto-selects remote) +flatpak install --user org.gimp.GIMP # Install for current user only +flatpak uninstall org.gimp.GIMP # Uninstall application +flatpak uninstall --unused # Remove unused runtimes + +# List installed applications +flatpak list # List all installed Flatpaks +flatpak list --app # List only applications (not runtimes) +flatpak list --runtime # List only runtimes + +# Run and update +flatpak run org.gimp.GIMP # Run application +flatpak update # Update all Flatpaks +flatpak update org.gimp.GIMP # Update specific application +``` + +### Command Reference Table + +| Command | Purpose | Key Options | Example | +|---------|---------|-------------|---------| +| `flatpak remote-add` | Add repository | `--if-not-exists`, `--user` | `flatpak remote-add flathub URL` | +| `flatpak remote-delete` | Remove repository | `--force` | `flatpak remote-delete flathub` | +| `flatpak remote-ls` | List remote apps | `--app`, `--runtime` | `flatpak remote-ls flathub` | +| `flatpak remotes` | Show configured remotes | `--show-details` | `flatpak remotes` | +| `flatpak search` | Search for apps | β€” | `flatpak search firefox` | +| `flatpak install` | Install application | `--user`, `--system`, `-y` | `flatpak install flathub org.gimp.GIMP` | +| `flatpak uninstall` | Remove application | `--unused` | `flatpak uninstall org.gimp.GIMP` | +| `flatpak list` | List installed | `--app`, `--runtime` | `flatpak list --app` | +| `flatpak run` | Run application | `--command=` | `flatpak run org.gimp.GIMP` | +| `flatpak update` | Update apps | `-y` | `flatpak update` | +| `flatpak info` | Show app details | β€” | `flatpak info org.gimp.GIMP` | + +--- + +## 4. Procedural Workflows + +### Standard Procedure: Adding a Remote and Installing Software + +1. **Add the Flathub remote** (if not already configured): + ```bash + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + ``` + +2. **Verify the remote is configured**: + ```bash + flatpak remotes + ``` + +3. **Search for the desired application**: + ```bash + flatpak search gimp + ``` + +4. **Install the application**: + ```bash + flatpak install flathub org.gimp.GIMP -y + ``` + +5. **Verify installation**: + ```bash + flatpak list --app | grep -i gimp + flatpak info org.gimp.GIMP + ``` + +6. **Run the application**: + ```bash + flatpak run org.gimp.GIMP + ``` + +### Standard Procedure: User-Level Installation + +1. **Add remote for current user only**: + ```bash + flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + ``` + +2. **Install application for current user**: + ```bash + flatpak install --user flathub org.mozilla.firefox -y + ``` + +3. **Verify user-level install**: + ```bash + flatpak list --user --app + ls ~/.local/share/flatpak/app/ + ``` + +### Standard Procedure: Updating and Cleaning Up + +1. **Check for available updates**: + ```bash + flatpak update --appstream # Update metadata + flatpak remote-ls --updates # List available updates + ``` + +2. **Update all installed Flatpaks**: + ```bash + flatpak update -y + ``` + +3. **Remove unused runtimes** (after uninstalling applications): + ```bash + flatpak uninstall --unused -y + ``` + +--- + +## 5. Configuration Deep Dive + +### Primary Configuration Locations + +- **System remotes**: `/var/lib/flatpak/repo/` +- **System installations**: `/var/lib/flatpak/app/`, `/var/lib/flatpak/runtime/` +- **User remotes and installations**: `~/.local/share/flatpak/` +- **Remote configuration**: `/etc/flatpak/remotes.d/` (system-wide remote definitions) + +### Adding Remotes via Configuration File + +Flatpak remotes can be pre-configured by placing `.flatpakrepo` files in `/etc/flatpak/remotes.d/`: + +```ini +# /etc/flatpak/remotes.d/flathub.flatpakrepo +[Flatpak Repo] +Title=Flathub +Url=https://dl.flathub.org/repo/ +Homepage=https://flathub.org/ +Comment=Central repository of Flatpak applications +Icon=https://dl.flathub.org/repo/logo.svg +GPGKey=mQINBFlD2sABEADsiUZUO... +``` + +### Permission Overrides + +Override application sandbox permissions: + +```bash +# Grant filesystem access +flatpak override --user --filesystem=home org.gimp.GIMP + +# Remove network access +flatpak override --user --no-network org.example.App + +# View current overrides +flatpak override --user --show org.gimp.GIMP + +# Reset overrides to defaults +flatpak override --user --reset org.gimp.GIMP +``` + +Override files are stored in: +- System: `/var/lib/flatpak/overrides/` +- User: `~/.local/share/flatpak/overrides/` + +--- + +## 6. Hands-On Labs + +### Lab 14.1: Configure Flatpak and Install Applications (Ghori Ch 12) + +**Objective**: Set up Flatpak repositories and install applications at system and user levels + +**Steps**: + +1. **Verify Flatpak is installed** (it should be on RHEL 10 by default): + ```bash + rpm -q flatpak + flatpak --version + ``` + +2. **List currently configured remotes**: + ```bash + flatpak remotes + ``` + +3. **Add the Flathub repository** (system-wide, requires root): + ```bash + sudo flatpak remote-add --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + ``` + +4. **Verify the remote was added**: + ```bash + flatpak remotes --show-details + ``` + +5. **Search for and install an application**: + ```bash + flatpak search calculator + sudo flatpak install flathub org.gnome.Calculator -y + ``` + +6. **Verify the installation**: + ```bash + flatpak list --app + flatpak info org.gnome.Calculator + ``` + +7. **Run the installed application**: + ```bash + flatpak run org.gnome.Calculator + ``` + +8. **Install an application at user level** (no root needed): + ```bash + flatpak remote-add --user --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.gnome.TextEditor -y + flatpak list --user --app + ``` + +**Verification**: +```bash +flatpak remotes # Should show flathub +flatpak list --app # Should show installed apps +flatpak info org.gnome.Calculator # Should show app details +``` + +**Expected Result**: Flathub is configured, applications are installed at both system and user levels, and can be launched successfully. + +### Lab 14.2: Managing Flatpak Applications + +**Objective**: Practice updating, removing, and managing Flatpak applications + +**Steps**: + +1. **Update all installed Flatpaks**: + ```bash + flatpak update -y + ``` + +2. **List installed runtimes**: + ```bash + flatpak list --runtime + ``` + +3. **Uninstall an application**: + ```bash + sudo flatpak uninstall org.gnome.Calculator -y + ``` + +4. **Clean up unused runtimes**: + ```bash + sudo flatpak uninstall --unused -y + ``` + +5. **Verify removal**: + ```bash + flatpak list --app + ``` + +6. **Check disk usage**: + ```bash + du -sh /var/lib/flatpak/ + du -sh ~/.local/share/flatpak/ + ``` + +**Verification**: +```bash +flatpak list --app # Removed apps should be gone +flatpak list --runtime # Unused runtimes should be cleaned +``` + +### Lab 14.3: Synthesis Challenge - Enterprise Flatpak Deployment + +**Objective**: Configure a complete Flatpak environment suitable for enterprise use + +**Scenario**: As a system administrator, configure Flatpak on a RHEL 10 system so that: +- Flathub is available as a system-wide remote +- A standard set of applications is installed for all users +- A regular user can install additional applications at the user level + +**Requirements**: +1. Add Flathub as a system-wide remote +2. Install two system-wide applications +3. As a regular user, add a user-level remote and install one application +4. Update all installed Flatpaks +5. Verify system vs user install locations + +**Solution Steps**: +1. **System-wide setup** (as root): + ```bash + sudo flatpak remote-add --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + sudo flatpak install flathub org.gnome.Calculator org.gnome.TextEditor -y + ``` + +2. **User-level setup** (as regular user): + ```bash + flatpak remote-add --user --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.gnome.Logs -y + ``` + +3. **Update everything**: + ```bash + sudo flatpak update -y + flatpak update --user -y + ``` + +4. **Verify**: + ```bash + flatpak list --app # All apps + flatpak list --app --system # System apps + flatpak list --app --user # User apps + ls /var/lib/flatpak/app/ # System install path + ls ~/.local/share/flatpak/app/ # User install path + ``` + +--- + +## 7. Troubleshooting Playbook + +### Common Issues + +#### Issue 1: Remote Add Fails with GPG Error + +**Symptoms**: +- Error about GPG verification when adding a remote +- "GPG signatures found, but none are in trusted keyring" + +**Diagnosis**: +```bash +flatpak remotes --show-details # Check existing remote config +``` + +**Resolution**: +```bash +# Re-add the remote (the .flatpakrepo file includes the GPG key) +flatpak remote-delete flathub +flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo +``` + +**Prevention**: Always use the official `.flatpakrepo` URL which bundles the GPG key. + +#### Issue 2: Application Won't Install β€” Missing Runtime + +**Symptoms**: +- Installation fails with "runtime not found" error + +**Diagnosis**: +```bash +flatpak info --show-runtime org.example.App # Check required runtime +flatpak list --runtime # List installed runtimes +``` + +**Resolution**: +```bash +# Install the required runtime manually +flatpak install flathub org.freedesktop.Platform//24.08 -y +# Then retry the application install +flatpak install flathub org.example.App -y +``` + +#### Issue 3: Application Crashes or Cannot Access Files + +**Symptoms**: +- Application starts but cannot read/write files +- Permission denied errors in application + +**Diagnosis**: +```bash +flatpak info --show-permissions org.example.App +flatpak override --user --show org.example.App +``` + +**Resolution**: +```bash +# Grant filesystem access +flatpak override --user --filesystem=home org.example.App +# Or grant access to a specific path +flatpak override --user --filesystem=/path/to/data org.example.App +``` + +### Diagnostic Command Sequence + +```bash +flatpak --version # Verify Flatpak installation +flatpak remotes --show-details # Check remote configuration +flatpak list --app # List installed applications +flatpak list --runtime # List installed runtimes +flatpak info org.example.App # Check specific app details +journalctl --user -b | grep flatpak # Check logs for errors +``` + +--- + +## 8. Quick Reference Card + +### Essential Commands At-a-Glance + +```bash +# Remotes +flatpak remotes # List remotes +flatpak remote-add --if-not-exists NAME URL # Add remote +flatpak remote-delete NAME # Remove remote +flatpak remote-ls NAME # List apps in remote + +# Applications +flatpak search KEYWORD # Search for apps +flatpak install REMOTE APP_ID # Install app +flatpak uninstall APP_ID # Remove app +flatpak list --app # List installed apps +flatpak run APP_ID # Run app +flatpak update # Update all +flatpak info APP_ID # App details + +# Cleanup +flatpak uninstall --unused # Remove unused runtimes +``` + +### Key File Locations + +- **System installations**: `/var/lib/flatpak/` +- **User installations**: `~/.local/share/flatpak/` +- **System remote configs**: `/etc/flatpak/remotes.d/` +- **Permission overrides (system)**: `/var/lib/flatpak/overrides/` +- **Permission overrides (user)**: `~/.local/share/flatpak/overrides/` + +### Verification Commands + +```bash +flatpak remotes # Confirm remotes are configured +flatpak list --app # Confirm apps are installed +flatpak info APP_ID # Confirm app details +flatpak run APP_ID # Confirm app runs +``` + +--- + +## 9. Knowledge Check + +### Conceptual Questions + +1. **Question**: What is the difference between a Flatpak runtime and a Flatpak application? + **Answer**: A runtime is a shared set of base libraries (like `org.freedesktop.Platform`) that provides common dependencies. An application is the actual software built against a specific runtime. Multiple applications can share the same runtime, reducing disk usage. + +2. **Question**: What is the difference between system-level and user-level Flatpak installs? + **Answer**: System installs (default) are stored in `/var/lib/flatpak/` and available to all users but require root privileges. User installs (`--user`) are stored in `~/.local/share/flatpak/` and available only to the installing user but require no elevated privileges. + +3. **Question**: How does Flatpak differ from RPM/DNF package management? + **Answer**: DNF manages system-level packages (kernel, libraries, system services) from RPM repositories. Flatpak manages sandboxed applications with bundled dependencies, providing isolation from the host system. They serve complementary roles β€” DNF for the base OS, Flatpak for application-layer software. + +### Practical Scenarios + +1. **Scenario**: A user needs to install GIMP from Flathub but Flathub is not configured on the system. + **Solution**: + ```bash + sudo flatpak remote-add --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + sudo flatpak install flathub org.gimp.GIMP -y + ``` + +2. **Scenario**: A regular user wants to install applications without root access. + **Solution**: + ```bash + flatpak remote-add --user --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.example.App -y + ``` + +### Command Challenges + +1. **Challenge**: List all Flatpak applications (not runtimes) installed on the system. + **Answer**: `flatpak list --app` + **Explanation**: The `--app` flag filters output to show only applications, excluding shared runtimes. + +2. **Challenge**: Remove all unused runtimes left over from uninstalled applications. + **Answer**: `flatpak uninstall --unused` + **Explanation**: After uninstalling applications, their runtimes may remain. `--unused` identifies and removes runtimes no longer needed by any installed application. + +--- + +## 10. Exam Strategy + +### Topic-Specific Tips + +- Know the difference between `--system` (default) and `--user` installation scopes +- Remember that `flatpak remote-add` requires a URL to a `.flatpakrepo` file, not just a hostname +- Use `--if-not-exists` when adding remotes to make commands idempotent +- The Flatpak application ID format is reverse-DNS: `org.gimp.GIMP`, `org.mozilla.firefox` + +### Common Exam Scenarios + +1. **Scenario**: Configure Flathub repository and install a specified application + **Approach**: + ```bash + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + flatpak install flathub org.example.App -y + flatpak list --app # Verify + ``` + +2. **Scenario**: Install a Flatpak application for a specific user without root + **Approach**: + ```bash + flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.example.App -y + ``` + +### Time Management + +- **Estimated Time**: 5-8 minutes for Flatpak tasks (remote setup + install + verify) +- **Quick Verification**: `flatpak list --app` confirms installation immediately + +### Pitfalls to Avoid + +- Forgetting to add the remote before trying to install +- Not using `--if-not-exists` (causes errors if remote already configured) +- Confusing system vs user installs (check which the question asks for) +- Not verifying with `flatpak list` after installation + +--- + +## Summary + +### Key Takeaways + +- Flatpak is the RHEL 10 RHCSA method for application distribution (replacing containers/Podman from RHEL 9) +- Remotes (repositories) must be configured before applications can be installed +- System installs require root; user installs do not +- Applications run sandboxed with controlled permissions +- Unused runtimes should be cleaned up with `flatpak uninstall --unused` + +### Critical Commands to Remember + +```bash +flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo +flatpak install flathub org.example.App +flatpak list --app +flatpak uninstall org.example.App +flatpak uninstall --unused +flatpak update +flatpak search keyword +flatpak run org.example.App +``` + +### Next Steps + +- Continue to [Troubleshooting](15_troubleshooting.md) +- Review related topics: [Package Management](06_package_management.md) +- Practice installing and managing Flatpak applications on your RHEL 10 lab VM + +--- + +**Navigation**: [← Scheduled Tasks](13_scheduled_tasks.md) | [Index](index.md) | [Next β†’ Troubleshooting](15_troubleshooting.md) diff --git a/docs/rhcsa_synthesis/15_troubleshooting.md b/docs/rhcsa_synthesis/15_troubleshooting.md index 44a5299..7d88ca5 100644 --- a/docs/rhcsa_synthesis/15_troubleshooting.md +++ b/docs/rhcsa_synthesis/15_troubleshooting.md @@ -323,7 +323,7 @@ grub2-mkconfig -o /boot/grub2/grub.cfg **Objective**: Diagnose and resolve common service configuration issues **Prerequisites**: -- RHEL 9 system with intentionally misconfigured services +- RHEL 10 system with intentionally misconfigured services - Apache httpd and SSH services installed **Setup** (Instructor creates these issues): @@ -353,7 +353,7 @@ crontab -l && grep CRON /var/log/cron # Cron verification **Objective**: Analyze and resolve system performance issues using advanced diagnostic techniques **Prerequisites**: -- RHEL 9 system with performance monitoring tools installed +- RHEL 10 system with performance monitoring tools installed - Simulated high load conditions **Setup** (Instructor creates these conditions): @@ -382,7 +382,7 @@ top -b -n1 | head -15 # Process overview **Objective**: Perform comprehensive system recovery using integrated troubleshooting methodologies **Prerequisites**: -- RHEL 9 system with multiple simulated failures +- RHEL 10 system with multiple simulated failures - Access to rescue media and documentation **Setup** (Multiple interconnected issues): diff --git a/docs/rhcsa_synthesis/index.md b/docs/rhcsa_synthesis/index.md index 4e56e98..e5ae34e 100644 --- a/docs/rhcsa_synthesis/index.md +++ b/docs/rhcsa_synthesis/index.md @@ -5,8 +5,8 @@ ## Overview This knowledge base synthesizes content from two authoritative RHCSA study resources: -- **Asghar Ghori**: "RHCSA Red Hat Enterprise Linux 9" (34,346+ lines of content) -- **Sander van Vugt**: "Red Hat RHCSA 9 Cert Guide" (53,622+ lines of content) +- **Asghar Ghori**: "RHCSA Red Hat Enterprise Linux 10" (Dec 2025 edition) +- **Sander van Vugt**: "Red Hat RHCSA 9 Cert Guide" (concepts still applicable) Each topic module combines the best approaches from both authors, providing comprehensive coverage with practical labs, detailed explanations, and exam-focused strategies. @@ -37,13 +37,13 @@ Each topic module combines the best approaches from both authors, providing comp | [00](00_exam_overview.md) | **Exam Overview** | Format, strategy, environment setup | Essential | | [01](01_system_installation.md) | **System Installation** | RHEL installation, initial configuration | High | | [02](02_file_management.md) | **File Management** | Basic operations, text processing | High | -| [03](03_permissions_security.md) | **Permissions & Security** | File permissions, access controls | Critical | +| [03](03_user_group_management.md) | **User & Group Management** | Account creation, policies, sudo | Critical | ### System Administration | Module | Topic | Focus Areas | Exam Weight | |--------|-------|-------------|-------------| -| [04](04_user_group_mgmt.md) | **User & Group Management** | Account creation, policies, sudo | Critical | -| [05](05_process_services.md) | **Process & Service Management** | Systemd, process control | Critical | +| [04](04_file_permissions.md) | **File Permissions** | File permissions, access controls | Critical | +| [05](05_process_service_management.md) | **Process & Service Management** | Systemd, process control | Critical | | [06](06_package_management.md) | **Package Management** | RPM, YUM, DNF, repositories | High | | [07](07_storage_lvm.md) | **Storage & LVM** | Partitions, filesystems, LVM | Critical | | [08](08_networking.md) | **Network Configuration** | IP configuration, DNS, routing | High | @@ -51,8 +51,8 @@ Each topic module combines the best approaches from both authors, providing comp ### Security and Advanced Topics | Module | Topic | Focus Areas | Exam Weight | |--------|-------|-------------|-------------| -| [09](09_firewall.md) | **Firewall Configuration** | firewall-cmd, zones, services | High | -| [10](10_selinux.md) | **SELinux Management** | Contexts, booleans, troubleshooting | Critical | +| [09](09_selinux.md) | **SELinux Management** | Contexts, booleans, troubleshooting | Critical | +| [10](10_firewall.md) | **Firewall Configuration** | firewall-cmd, zones, services | High | | [11](11_boot_grub.md) | **Boot Process & GRUB** | Boot sequence, GRUB configuration | Medium | | [12](12_logging_monitoring.md) | **Logging & Monitoring** | rsyslog, journald, log analysis | Medium | | [13](13_scheduled_tasks.md) | **Scheduled Tasks** | cron, at, systemd timers | Medium | @@ -60,8 +60,8 @@ Each topic module combines the best approaches from both authors, providing comp ### Modern RHEL Features | Module | Topic | Focus Areas | Exam Weight | |--------|-------|-------------|-------------| -| [14](14_containers.md) | **Container Management** | Podman, container services | High | -| [15](15_network_services.md) | **Network Services** | SSH, NFS, time services | Medium | +| [14](14_flatpak_management.md) | **Flatpak Management** | Flatpak repos, application management | High | +| [15](15_troubleshooting.md) | **Troubleshooting** | System recovery, boot issues | Medium | ## Quick Navigation @@ -70,16 +70,16 @@ Each topic module combines the best approaches from both authors, providing comp - **Create simple shell scripts** β†’ Module 02, 13 - **Operate running systems** β†’ Modules 05, 06, 12, 13 - **Configure local storage** β†’ Module 07 -- **Create and configure file systems** β†’ Modules 03, 07 +- **Create and configure file systems** β†’ Modules 04, 07 - **Deploy, configure, and maintain systems** β†’ Modules 01, 08, 09, 14, 15 - **Manage basic networking** β†’ Module 08 -- **Manage users and groups** β†’ Module 04 -- **Manage security** β†’ Modules 03, 09, 10 +- **Manage users and groups** β†’ Module 03 +- **Manage security** β†’ Modules 04, 09, 10 ### By Common Tasks -- **System Setup**: Modules 01, 04, 08 -- **Storage Configuration**: Modules 03, 07 -- **Security Hardening**: Modules 03, 04, 09, 10 +- **System Setup**: Modules 01, 03, 08 +- **Storage Configuration**: Modules 07 +- **Security Hardening**: Modules 04, 09, 10 - **Service Management**: Modules 05, 13, 14, 15 - **Troubleshooting**: All modules (dedicated sections) @@ -90,25 +90,25 @@ Track your progress through the synthesis modules: - [ ] 00 - Exam Overview - [ ] 01 - System Installation - [ ] 02 - File Management -- [ ] 03 - Permissions & Security -- [ ] 04 - User & Group Management +- [ ] 03 - User & Group Management +- [ ] 04 - File Permissions - [ ] 05 - Process & Service Management - [ ] 06 - Package Management - [ ] 07 - Storage & LVM - [ ] 08 - Network Configuration -- [ ] 09 - Firewall Configuration -- [ ] 10 - SELinux Management +- [ ] 09 - SELinux Management +- [ ] 10 - Firewall Configuration - [ ] 11 - Boot Process & GRUB - [ ] 12 - Logging & Monitoring - [ ] 13 - Scheduled Tasks -- [ ] 14 - Container Management -- [ ] 15 - Network Services +- [ ] 14 - Flatpak Management +- [ ] 15 - Troubleshooting ## Additional Resources ### Original Sources - Current ebook analysis: [ebook_summary.md](../ebook_summary.md) -- Comprehensive flashcards: [anki_rhcsa_flashcards.csv](../anki_rhcsa_flashcards.csv) +- Comprehensive flashcards: [rhcsa_deck.csv](../../anki/rhcsa_deck.csv) - Quick exam reference: [exam_quick_reference.md](../exam_quick_reference.md) ### Command References diff --git a/mkdocs.yml b/mkdocs.yml index 4d8675d..2f9fce5 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -37,7 +37,7 @@ nav: - 'Module 11: Boot & GRUB': rhcsa_synthesis/11_boot_grub.md - 'Module 12: Logging & Monitoring': rhcsa_synthesis/12_logging_monitoring.md - 'Module 13: Scheduled Tasks': rhcsa_synthesis/13_scheduled_tasks.md - - 'Module 14: Container Management': rhcsa_synthesis/14_container_management.md + - 'Module 14: Flatpak Management': rhcsa_synthesis/14_flatpak_management.md - 'Module 15: Troubleshooting': rhcsa_synthesis/15_troubleshooting.md - Quick References: - 'Exam Quick Reference': exam_quick_reference.md diff --git a/vagrant/Vagrantfile b/vagrant/Vagrantfile index 9ba65a4..8bd55bb 100644 --- a/vagrant/Vagrantfile +++ b/vagrant/Vagrantfile @@ -1,7 +1,7 @@ # -*- mode: ruby -*- # vi: set ft=ruby : -# Lab environment for RHCSA on RHEL 9 +# Lab environment for RHCSA on RHEL 10 Vagrant.configure("2") do |config| # vagrant-registration plugin settings config.registration.username = ENV['RHS_USERNAME'] @@ -14,17 +14,21 @@ Vagrant.configure("2") do |config| vb.cpus = 2 # 2 CPU cores end - config.vm.define "rhel9a" do |vm| - vm.vm.box = "generic/rhel9" - vm.vm.hostname = "rhel9a" + # NOTE: generic/rhel10 box may not yet be available on Vagrant Cloud. + # Check https://app.vagrantup.com/generic/boxes/rhel10 for availability. + # As an alternative, you can build a local box from the RHEL 10 ISO. + + config.vm.define "rhel10a" do |vm| + vm.vm.box = "generic/rhel10" + vm.vm.hostname = "rhel10a" vm.vm.network "private_network", ip: "192.168.56.10" vm.vm.disk :disk, name: "sdb", size: "300MB" vm.vm.disk :disk, name: "sdc", size: "300MB" end - config.vm.define "rhel9b" do |vm| - vm.vm.box = "generic/rhel9" - vm.vm.hostname = "rhel9b" + config.vm.define "rhel10b" do |vm| + vm.vm.box = "generic/rhel10" + vm.vm.hostname = "rhel10b" vm.vm.network "private_network", ip: "192.168.56.11" vm.vm.disk :disk, name: "sdb", size: "300MB" vm.vm.disk :disk, name: "sdc", size: "300MB" diff --git a/vagrant/lab-up.sh b/vagrant/lab-up.sh index 991ce3f..9ead3cb 100755 --- a/vagrant/lab-up.sh +++ b/vagrant/lab-up.sh @@ -31,7 +31,7 @@ fi # Start the VMs echo "" -echo "πŸš€ Starting RHEL 9 VMs..." +echo "πŸš€ Starting RHEL 10 VMs..." echo " This may take several minutes on first run..." vagrant up @@ -39,7 +39,7 @@ echo "" echo "βœ… Lab environment ready!" echo "" echo "πŸ’‘ Useful commands:" -echo " vagrant ssh rhel9a # SSH to rhel9a VM" -echo " vagrant ssh rhel9b # SSH to rhel9b VM" +echo " vagrant ssh rhel10a # SSH to rhel10a VM" +echo " vagrant ssh rhel10b # SSH to rhel10b VM" echo " vagrant halt # Stop all VMs" echo " vagrant destroy # Remove all VMs" \ No newline at end of file