diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 0f7cde9..d8a870e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -22,13 +22,32 @@ concurrency: cancel-in-progress: false jobs: + # Lint job + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + + - name: Install markdownlint-cli + run: npm install -g markdownlint-cli@0.45.0 + + - name: Lint markdown + run: markdownlint '**/*.md' + # Build job build: + needs: lint runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - + - name: Setup uv uses: astral-sh/setup-uv@v5 diff --git a/.gitignore b/.gitignore index b657799..6b0fc6c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ +# Claude +.claude/ + # Copyrighted study materials sources/ diff --git a/.markdownlint.yaml b/.markdownlint.yaml new file mode 100644 index 0000000..b8eeace --- /dev/null +++ b/.markdownlint.yaml @@ -0,0 +1,20 @@ +--- +# Markdownlint configuration for RHCSA study guide +# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md + +default: true + +# Disable line length — study materials have long command examples +MD013: false + +# Allow duplicate headings — repeated section titles across modules +MD024: false + +# Allow inline HTML — MkDocs uses
, , etc. +MD033: false + +# Allow emphasis as heading — used intentionally in study materials +MD036: false + +# Disable table column style — tables are readable as-is +MD060: false diff --git a/.markdownlintignore b/.markdownlintignore new file mode 100644 index 0000000..e95df5c --- /dev/null +++ b/.markdownlintignore @@ -0,0 +1,4 @@ +sources/ +site/ +node_modules/ +.venv/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..b0151e5 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,7 @@ +repos: + - repo: https://github.com/igorshubovych/markdownlint-cli + rev: v0.45.0 + hooks: + - id: markdownlint + args: ["--fix"] + files: \.md$ diff --git a/CLAUDE.md b/CLAUDE.md index 023a9c8..e55ce56 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -9,8 +9,8 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co ## User Context **GitHub Username**: @kraker (not stovepipe) -**Repository**: https://github.com/kraker/rhcsa -**GitHub Pages Site**: https://kraker.github.io/rhcsa/ +**Repository**: +**GitHub Pages Site**: CRITICAL: Always use @kraker as the GitHub username in all URLs, repository references, and documentation. 
@@ -53,19 +53,22 @@ This is a Red Hat Certified System Administrator (RHCSA) certification study rep ## Lab Environment Requirements **Vagrant Configuration**: The `../vagrant/` directory provides automated lab environment provisioning: + - RHEL 10 VMs with proper resource allocation and networking - Automated subscription registration with Red Hat Developer accounts - Pre-configured storage setup for LVM and filesystem labs - Prerequisites: Vagrant, VirtualBox, Red Hat Developer subscription **VM Usage**: + - **rhel10a**: Used for user management and SELinux scenarios - **rhel10b**: Used for storage management scenarios (multiple disks pre-configured) ## Common Study Tasks ### Working with Study Materials -- **Visit Documentation Site**: Browse https://kraker.github.io/rhcsa/ for organized study materials + +- **Visit Documentation Site**: Browse for organized study materials - **Start with RHCSA Synthesis**: Begin with comprehensive modules in `docs/rhcsa_synthesis/` for complete topic coverage - **Use Anki flashcards** for spaced repetition and command memorization - **Reference guides** in `docs/` directory for quick lookup during study @@ -73,7 +76,9 @@ This is a Red Hat Certified System Administrator (RHCSA) certification study rep - **Focus on hands-on** command execution and verification in lab environment ### Anki Flashcard Usage + The `anki/rhcsa_deck.csv` file contains 169 essential commands organized by tags: + - `user_management` - useradd, usermod, chage, groupadd - `permissions` - chmod, chown, file access controls - `systemd` - systemctl, journalctl, service management @@ -87,6 +92,7 @@ The `anki/rhcsa_deck.csv` file contains 169 essential commands organized by tags ## Key RHCSA Command Categories ### Essential System Management + ```bash # Service Management systemctl start/stop/enable/disable service @@ -105,6 +111,7 @@ find / -user username -type f 2>/dev/null ``` ### Storage and LVM + ```bash # LVM Workflow pvcreate /dev/device 
@@ -120,6 +127,7 @@ resize2fs /dev/device # For ext4 ``` ### Security and SELinux + ```bash # SELinux Management getenforce / setenforce 0|1 @@ -138,7 +146,8 @@ firewall-cmd --reload **CRITICAL**: Claude Code must update `COPYRIGHT_NOTICE.md` whenever adding copyrighted content to the repository. -### When Adding New Copyrighted Materials: +### When Adding New Copyrighted Materials + 1. **Read COPYRIGHT_NOTICE.md first** to understand current copyright inventory 2. **Add new materials to `sources/` directory** (gitignored) 3. **Update COPYRIGHT_NOTICE.md** with: 
@@ -149,15 +158,41 @@ firewall-cmd --reload 4. **Verify .gitignore excludes the new content** 5. **Never commit copyrighted content to git repository** -### Content Classification: +### Content Classification + - **Original Work**: Content created for this repository → `docs/` directory (tracked) - **Copyrighted Materials**: Books, PDFs, images from external sources → `sources/` directory (not tracked) - **Derived Content**: Analysis or summaries of copyrighted works → `sources/` directory (not tracked) +## Markdown Style Guide + +When writing or editing markdown files in this repository, follow these conventions: + +- **4-space indentation** for all content under ordered list items (Python-Markdown requires this for list continuation after blank lines) +- **Always specify a language** on fenced code blocks — use `bash` for commands, `text` for ASCII diagrams/decision trees +- **Nested code fences** (e.g., heredocs that generate markdown): use `````bash` (4 backticks) for the outer fence so inner ` ``` ` don't close it +- **Escape pipes in tables**: use `\|` inside table cells (e.g., `` `ps aux \| grep httpd` ``) +- **MkDocs extensions**: the site uses `pymdownx.highlight` + `pymdownx.superfences` (not legacy `codehilite`) + +### Linting + +Pre-commit hooks are managed by [prek](https://prek.j178.dev/) with markdownlint: + +- Config: `.pre-commit-config.yaml` (markdownlint with `--fix`) +- Rules: `.markdownlint.yaml` — disabled: MD013 (line length), MD024 (duplicate headings), MD033 (inline HTML), MD036 (emphasis as heading) +- Ignore: `.markdownlintignore` — excludes `sources/`, `site/`, `node_modules/`, `.venv/` + +```bash +prek install # Install git hooks (one-time) +markdownlint '**/*.md' # Lint all markdown +markdownlint --fix docs/ # Auto-fix issues +prek run --all-files # Run all hooks +``` + ## Notes for Claude Code - This repository focuses on RHCSA exam preparation, not software development -- **Documentation Site**: The repository is published as a 
MkDocs site at https://kraker.github.io/rhcsa/ +- **Documentation Site**: The repository is published as a MkDocs site at - When helping with study materials, emphasize practical command execution and verification - The study materials in `docs/` are original work and tracked in git - External resources in `sources/` contain copyrighted materials and are not tracked @@ -169,6 +204,7 @@ firewall-cmd --reload ## Git Commit Style Guide ### Atomic Commit Principles + Following [Aleksandr Hovhannisyan's atomic git commits](https://www.aleksandrhovhannisyan.com/blog/atomic-git-commits/): **Core Rule**: Each commit should represent "a single, complete unit of work" that can be independently reviewed and reverted. @@ -176,6 +212,7 @@ Following [Aleksandr Hovhannisyan's atomic git commits](https://www.aleksandrhov ### Commit Message Format **Simple Changes** (data fixes, small bug fixes): + ```bash git commit -m "Fix malformed times in SELinux troubleshooting examples" git commit -m "Update Anki flashcard for ausearch command syntax" @@ -183,12 +220,14 @@ git commit -m "Add missing firewall commands to quick reference" ``` **Feature Commits** (new capabilities, significant changes): + ```bash git commit -m "Add comprehensive ausearch troubleshooting section to SELinux lab" git commit -m "Implement enhanced SELinux flashcards with Red Hat official syntax" ``` **Milestone/Release Commits** (major completions): + ```bash # Use detailed heredoc format for comprehensive changelog git commit -m "$(cat <<'EOF' @@ -208,6 +247,7 @@ EOF ``` ### Guidelines + - **Present tense verbs**: "Fix", "Add", "Update", "Remove", "Implement" - **Component focus**: Mention what study material/system is changed - **Atomic scope**: One logical change per commit 
@@ -215,6 +255,7 @@ EOF - **Commit early and often**: Make commits as soon as a logical unit is complete ### Examples by Type + - **Content fixes**: `Fix duplicate commands in storage management flashcards` - **Study material updates**: `Add comprehensive ausearch examples to SELinux lab` - **Reference enhancements**: `Implement timezone-aware examples in quick reference` @@ -223,9 +264,9 @@ EOF ## Study Workflow Recommendations -1. **Visit Documentation Site**: Browse https://kraker.github.io/rhcsa/ for organized study materials +1. **Visit Documentation Site**: Browse for organized study materials 2. **Begin with RHCSA Synthesis**: Start with `docs/rhcsa_synthesis/` for comprehensive topic coverage 3. **Use Anki deck** (`anki/rhcsa_deck.csv`) for command memorization and quick reference 4. **Practice with Vagrant VMs** using Asghar Ghori book lab exercises 5. **Verify all tasks** with provided verification commands -6. **Focus on practical application** rather than theoretical knowledge \ No newline at end of file +6. **Focus on practical application** rather than theoretical knowledge diff --git a/COPYRIGHT_NOTICE.md b/COPYRIGHT_NOTICE.md index 6e44f43..bdc8a79 100644 --- a/COPYRIGHT_NOTICE.md +++ b/COPYRIGHT_NOTICE.md @@ -5,6 +5,7 @@ This repository contains analysis and study materials derived from the following copyrighted works, all stored in the `sources/` directory (not tracked in git): ### Study Books + 1. **"RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori** (Dec 2025 edition) - EPUB file: `sources/RHCSA Red Hat Enterprise Linux - Asghar Ghori.epub` - Converted content: `sources/asghar_ghori_rhcsa.md` 
@@ -18,13 +19,14 @@ This repository contains analysis and study materials derived from the following - Status: Excluded from repository via .gitignore ### Official Documentation -3. **Red Hat Enterprise Linux 9 - Using SELinux** + +1. **Red Hat Enterprise Linux 9 - Using SELinux** - PDF file: `sources/Red_Hat_Enterprise_Linux-9-Using_SELinux-en-US.pdf` - Publisher: Red Hat, Inc. - License: Likely Creative Commons or similar open license (check document) - Status: Excluded from repository via .gitignore -4. **Red Hat Enterprise Linux for SAP Solutions 9 - Using SELinux for SAP HANA** +2. **Red Hat Enterprise Linux for SAP Solutions 9 - Using SELinux for SAP HANA** - PDF file: `sources/Red_Hat_Enterprise_Linux_for_SAP_Solutions-9-Using_SELinux_for_SAP_HANA-en-US.pdf` - Publisher: Red Hat, Inc. - License: Likely Creative Commons or similar open license (check document) @@ -43,8 +45,9 @@ The following files are original work and analysis based on the study materials: ## Fair Use Statement The analysis contained in this repository represents educational use of copyrighted materials under fair use doctrine for: + - Personal study and exam preparation - Educational analysis and commentary - Transformation of content into study aids -The original copyrighted works are not redistributed and remain protected. \ No newline at end of file +The original copyrighted works are not redistributed and remain protected. diff --git a/README.md b/README.md index 6f6d076..c1cb081 100644 --- a/README.md +++ b/README.md 
@@ -7,11 +7,13 @@ A comprehensive study repository for Red Hat Certified System Administrator (RHC ### 📚 Study Materials #### 🌐 Online Documentation Site -- **GitHub Pages**: https://kraker.github.io/rhcsa/ (live documentation site) + +- **GitHub Pages**: (live documentation site) - Built with MkDocs using the readthedocs theme - Mobile-friendly and searchable interface #### 📁 Local Files + - **`docs/`** - All study materials (MkDocs source) - `rhcsa_synthesis/` - 15 comprehensive study modules - `exam_quick_reference.md` - Essential commands for exam day @@ -21,11 +23,13 @@ A comprehensive study repository for Red Hat Certified System Administrator (RHC - **`anki/rhcsa_deck.csv`** - 169 comprehensive flashcards for Anki import ### 🏗️ Lab Environment + - **`vagrant/`** - Automated RHEL 10 VM provisioning with Vagrant - `Vagrantfile` - VM configuration for rhel10a and rhel10b instances - `playbook.yml` - Ansible playbook for environment setup ### 📖 External Resources (`sources/` directory, not tracked) + - Official Red Hat documentation (PDFs) - Study book materials (EPUBs) - Book summaries and extracted content @@ -34,6 +38,7 @@ A comprehensive study repository for Red Hat Certified System Administrator (RHC ## Quick Start ### Using the Anki Flashcards + 1. Import `anki/rhcsa_deck.csv` into Anki 2. The deck includes 169 cards organized by topic tags: - `user_management`, `permissions`, `systemd` 
@@ -44,17 +49,20 @@ A comprehensive study repository for Red Hat Certified System Administrator (RHC ### Lab Environment Setup **Vagrant VM Provisioning**: + - See `vagrant/` directory for automated lab environment setup - RHEL 10 VMs configured with proper resources and networking - Automated subscription registration and storage disk configuration - Prerequisites: Vagrant, VirtualBox, Red Hat Developer subscription **Setup Steps**: + 1. Edit `vagrant/.rhel-credentials` with your Red Hat Developer credentials 2. Source credentials and start VMs: `cd vagrant && source .rhel-credentials && vagrant up` ### Study Workflow -1. **Visit the Documentation Site**: Browse https://kraker.github.io/rhcsa/ for organized study materials + +1. **Visit the Documentation Site**: Browse for organized study materials 2. **Start with RHCSA Synthesis**: Begin with the 15 comprehensive study modules 3. **Use Anki flashcards** (`anki/rhcsa_deck.csv`) for command memorization and spaced repetition 4. **Reference quick guides** for exam preparation @@ -62,7 +70,9 @@ A comprehensive study repository for Red Hat Certified System Administrator (RHC 6. **Focus on hands-on** command execution and verification ### Local Development + To run the documentation site locally: + ```bash # Install dependencies uv sync @@ -73,11 +83,13 @@ uv run mkdocs serve # Build static site uv run mkdocs build ``` + The site will be available at `http://127.0.0.1:8000` ## Key RHCSA Command Categories The flashcards and lab scenarios cover all essential areas: + - **System Management**: systemctl, journalctl, service configuration - **User/Group Management**: useradd, usermod, chage, permissions - **Storage & LVM**: fdisk, pvcreate, vgcreate, lvcreate, filesystem management 
@@ -88,12 +100,43 @@ The flashcards and lab scenarios cover all essential areas: ## Lab Scenarios Each lab includes: + - Time limits matching exam conditions - Step-by-step task instructions - Verification commands to confirm completion - Prerequisites and setup requirements +## Linting & Pre-commit Hooks + +This repository uses [prek](https://prek.j178.dev/) (a fast, drop-in replacement for +pre-commit) with [markdownlint](https://github.com/igorshubovych/markdownlint-cli) to +enforce consistent markdown formatting. + +```bash +# Install git hooks (one-time setup) +prek install + +# Lint all markdown files +markdownlint '**/*.md' + +# Auto-fix fixable issues +markdownlint --fix docs/ + +# Run all hooks against all files +prek run --all-files +``` + +**Key markdown conventions:** + +- Use **4-space indentation** for content under ordered list items (Python-Markdown requirement) +- Always specify a language on fenced code blocks (`bash`, `text`, etc.) +- Use 4 backticks (``````) for outer fences when nesting code blocks (e.g., heredocs) +- Escape `|` as `\|` inside markdown table cells + +See `.markdownlint.yaml` for the full rule configuration. + ## Notes + - Lab 3 (SELinux) contains a TODO section requiring completion - All scenarios designed for RHEL 10 environments - Commands in flashcards represent real exam tasks diff --git a/docs/command_reference_by_topic.md b/docs/command_reference_by_topic.md index d090604..ee8ca3c 100644 --- a/docs/command_reference_by_topic.md +++ b/docs/command_reference_by_topic.md @@ -5,6 +5,7 @@ Organized command reference extracted from both study guides, designed for quick ## System Information and Management ### Hardware and System Information + ```bash # System information uname -a # System kernel and architecture @@ -34,6 +35,7 @@ du -h --max-depth=1 /path # Subdirectory sizes ``` ### Date and Time Management + ```bash # Time and timezone date # Current date and time 
@@ -49,6 +51,7 @@ systemctl status chronyd # Check time sync status ## File System and Storage Management ### Basic File Operations + ```bash # Directory navigation pwd # Print working directory @@ -79,6 +82,7 @@ touch file # Create empty file or update timestamp ``` ### File Searching and Finding + ```bash # Find files and directories find /path -name "pattern" # Find by name @@ -100,6 +104,7 @@ type command # Show command type and location ``` ### File Linking + ```bash # Hard and soft links ln source hard_link # Create hard link @@ -109,6 +114,7 @@ stat file # Show file statistics and links ``` ### File Compression and Archives + ```bash # tar archives tar -czf archive.tar.gz files/ # Create gzipped tar @@ -130,6 +136,7 @@ unzip archive.zip # Extract zip archive ## Text Processing and File Content ### Viewing File Contents + ```bash # Display file contents cat file # Display entire file @@ -145,6 +152,7 @@ more file # Page through file (simpler) ``` ### Text Processing Tools + ```bash # Search and filter grep pattern file # Search for pattern @@ -180,6 +188,7 @@ wc -c file # Character count only ``` ### Text Editors + ```bash # vim editor vim file # Open file in vim @@ -194,6 +203,7 @@ nano file # Open file in nano ## Permissions and Security ### File Permissions + ```bash # View permissions ls -l file # Show permissions @@ -226,6 +236,7 @@ umask 077 # Set umask (700 for dirs, 600 for files) ``` ### Special Permissions + ```bash # Special permission bits chmod +s file # Set setuid/setgid @@ -241,6 +252,7 @@ find / -perm -1000 2>/dev/null # Find sticky bit files ``` ### Access Control Lists (ACLs) — Supplementary (not on RHEL 10 exam) + ```bash # Manage ACLs setfacl -m u:username:rwx file # Set user ACL @@ -254,6 +266,7 @@ getfacl file # Display ACLs ## User and Group Management ### User Account Management + ```bash # Create users useradd username # Create user with defaults 
@@ -287,6 +300,7 @@ finger username # User information (if available) ``` ### Password Management + ```bash # Password operations passwd username # Set user password @@ -306,6 +320,7 @@ chage -E 2024-12-31 username # Account expiration date ``` ### Group Management + ```bash # Create groups groupadd groupname # Create group @@ -328,6 +343,7 @@ getent group groupname # Show group information ``` ### User Information and Login History + ```bash # Current activity who # Currently logged in users @@ -341,6 +357,7 @@ lastlog # Last login for all users ## Process and Job Management ### Process Monitoring + ```bash # View processes ps # Current session processes @@ -354,6 +371,7 @@ htop # Enhanced process monitor ``` ### Process Control + ```bash # Find processes pgrep processname # Find process IDs by name @@ -375,6 +393,7 @@ renice -5 -u username # Change priority for user processes ``` ### Job Control + ```bash # Background jobs command & # Run in background @@ -392,6 +411,7 @@ Ctrl+C # Interrupt current job ## System Services and Systemd ### Service Management + ```bash # Service operations systemctl start service # Start service @@ -415,6 +435,7 @@ systemctl --failed # Show failed services ``` ### Systemd Targets + ```bash # Target management systemctl get-default # Show default target @@ -425,6 +446,7 @@ systemctl list-dependencies target # Show target dependencies ``` ### Unit Files and Configuration + ```bash # Unit file management systemctl daemon-reload # Reload unit files @@ -437,6 +459,7 @@ systemctl show service # Show unit properties ## Logging and Monitoring ### Journal (systemd logs) + ```bash # View logs journalctl # All journal entries @@ -454,6 +477,7 @@ journalctl --disk-usage # Journal disk usage ``` ### Traditional Logs + ```bash # Log files tail -f /var/log/messages # Follow system messages 
@@ -464,6 +488,7 @@ logger "test message" # Send message to syslog ``` ### Log Rotation + ```bash # Logrotate logrotate -d /etc/logrotate.conf # Debug/test rotation @@ -473,6 +498,7 @@ logrotate -f /etc/logrotate.conf # Force rotation ## Network Configuration and Management ### Network Information + ```bash # Network interfaces ip addr show # Show IP addresses @@ -486,6 +512,7 @@ route -n # Show routing table (deprecated) ``` ### NetworkManager with nmcli + ```bash # Connection management nmcli device status # Device status @@ -512,6 +539,7 @@ nmcli con delete "conn1" # Delete connection ``` ### Network Testing and Troubleshooting + ```bash # Connectivity testing ping host # Test connectivity @@ -536,6 +564,7 @@ lsof -i tcp:22 # Show SSH connections ## Network File System (NFS) and AutoFS ### NFS Client Operations + ```bash # NFS package installation dnf install -y nfs-utils # Install NFS client utilities @@ -574,6 +603,7 @@ rpcinfo -p nfs-server # Show RPC services ``` ### NFS Server Management + ```bash # NFS server package installation dnf install -y nfs-utils # Install NFS server utilities @@ -602,6 +632,7 @@ firewall-cmd --reload # Apply firewall changes ``` ### AutoFS Configuration and Management + ```bash # AutoFS installation dnf install -y autofs # Install AutoFS package @@ -638,6 +669,7 @@ mount | grep autofs # Show active automounts ``` ### fstab Integration for NFS + ```bash # fstab entry format for NFS # device mount-point type options dump fsck @@ -655,6 +687,7 @@ findmnt /mnt/nfs # Show mount details ``` ### NFS and AutoFS Troubleshooting + ```bash # NFS client troubleshooting showmount -e server # Test server connectivity @@ -686,6 +719,7 @@ lsof +D /mnt/nfs-share # Show open files in NFS mount ## Package Management ### DNF Package Manager + ```bash # Package operations dnf install package # Install package 
@@ -726,6 +760,7 @@ dnf autoremove # Remove unneeded packages ``` ### RPM Package Manager + ```bash # RPM queries rpm -qa # List all installed packages @@ -751,6 +786,7 @@ rpm -Va # Verify all packages ## Storage Management and File Systems ### Disk and Partition Management + ```bash # Disk information lsblk # List block devices @@ -770,6 +806,7 @@ tune2fs -L label /dev/partition # Set file system label ``` ### LVM (Logical Volume Management) + ```bash # Physical volumes pvcreate /dev/device # Create physical volume @@ -798,6 +835,7 @@ lvremove /dev/vg/lv # Remove logical volume ``` ### File System Operations + ```bash # Mounting mount /dev/device /mountpoint # Mount file system @@ -822,6 +860,7 @@ swapon -a # Enable all swap in fstab ``` ### fstab Configuration + ```bash # /etc/fstab format: # device mountpoint fstype options dump pass @@ -843,6 +882,7 @@ nosuid # Ignore setuid bits ## Firewall Management ### firewalld Configuration + ```bash # Firewall status firewall-cmd --state # Check if running @@ -881,6 +921,7 @@ firewall-cmd --runtime-to-permanent # Make runtime rules permanent ## SELinux Management ### SELinux Status and Modes + ```bash # SELinux status getenforce # Current mode (Enforcing/Permissive/Disabled) @@ -893,6 +934,7 @@ SELINUX=enforcing # or permissive, disabled ``` ### File Contexts + ```bash # View contexts ls -Z file # Show file context @@ -912,6 +954,7 @@ semanage fcontext -d "/web(/.*)?" # Delete context rule ``` ### SELinux Booleans + ```bash # View booleans getsebool -a # List all booleans @@ -921,6 +964,7 @@ setsebool -P httpd_can_network_connect on # Set boolean (permanent) ``` ### Port Contexts + ```bash # Manage port contexts semanage port -l # List port contexts @@ -930,6 +974,7 @@ semanage port -l | grep http # Show HTTP ports ``` ### SELinux Troubleshooting + ```bash # Check for denials ausearch -m AVC -ts recent # Recent AVC denials 
@@ -946,6 +991,7 @@ semodule -i mypolicy.pp # Install policy module ## Boot Process and GRUB ### GRUB Configuration + ```bash # GRUB management grub2-editenv list # List GRUB environment @@ -959,6 +1005,7 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ``` ### Boot Targets and Runlevels + ```bash # Systemd targets systemctl get-default # Show default target @@ -974,6 +1021,7 @@ systemctl list-dependencies graphical.target # Show dependencies ## Scheduled Tasks ### Cron Jobs + ```bash # User crontab crontab -e # Edit user crontab @@ -995,6 +1043,7 @@ ls /etc/cron.{hourly,daily,weekly,monthly}/ # Cron directories ``` ### At Jobs + ```bash # Schedule one-time jobs at now + 5 minutes # Schedule for 5 minutes from now @@ -1009,6 +1058,7 @@ at -c job_number # Show job details ``` ### Systemd Timers + ```bash # Timer management systemctl list-timers # List all timers @@ -1021,6 +1071,7 @@ systemctl status timer.timer # Check timer status ## Flatpak Software Management ### Remote and Application Management + ```bash # Remote (repository) management flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo @@ -1045,6 +1096,7 @@ flatpak info org.example.App # Show app details ## SSH and Remote Access ### SSH Client + ```bash # SSH connections ssh user@hostname # Connect to remote host @@ -1063,6 +1115,7 @@ ssh-agent bash # Start SSH agent ``` ### SSH Server Configuration + ```bash # SSH daemon configuration (/etc/ssh/sshd_config) Port 22 # Change SSH port @@ -1077,6 +1130,7 @@ sshd -t # Test configuration ``` ### File Transfer + ```bash # SCP (Secure Copy) scp file user@host:/path # Copy file to remote 
@@ -1089,4 +1143,4 @@ rsync -av --delete source/ dest/ # Sync and delete extras rsync -av user@host:/path/ local/ # Sync from remote ``` -This comprehensive command reference covers all major RHCSA topics with practical command examples organized by functional area for efficient study and quick reference during exam preparation. \ No newline at end of file +This comprehensive command reference covers all major RHCSA topics with practical command examples organized by functional area for efficient study and quick reference during exam preparation. diff --git a/docs/ebook_summary.md b/docs/ebook_summary.md index aead0ac..717deb0 100644 --- a/docs/ebook_summary.md +++ b/docs/ebook_summary.md @@ -7,33 +7,39 @@ Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 20 ## Book Structure Overview ### Asghar Ghori RHCSA Book Structure (RHEL 10 Edition, Dec 2025) + **22 Chapters with comprehensive exercises and labs** **Chapters 1-4: Foundation Skills** + - Chapter 1: Local Installation - Chapter 2: Initial Interaction with the System - Chapter 3: Working with Files and File Permissions - Chapter 4: Basic File Permissions **Chapters 5-8: User and System Management** + - Chapter 5: Basic User Management - Chapter 6: Advanced User Management - Chapter 7: The Bash Shell - Chapter 8: Shell Scripting **Chapters 9-12: System Operations** + - Chapter 9: Managing Services and Processes - Chapter 10: System Processes and Job Control - Chapter 11: Package Management - Chapter 12: Flatpak Software Management **Chapters 13-16: Storage** + - Chapter 13: Storage Management (Partitions and File Systems) - Chapter 14: Advanced Storage (LVM) - Chapter 15: Advanced Storage (LVM Thin Provisioning, Swap) - Chapter 16: Boot Process, GRUB2, and the Linux Kernel **Chapters 17-22: Networking and Security** + - Chapter 17: Networking, Network Devices, and Network Connections - Chapter 18: Hostname Resolution and Time Synchronization - Chapter 19: NFS and AutoFS 
@@ -44,9 +50,11 @@ Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 20 > **Note**: The RHEL 10 edition replaces the Podman/containers chapter with Flatpak, adds LVM thin provisioning, elevates shell scripting to its own chapter, and merges NFS+AutoFS into a single chapter. ### Sander van Vugt RHCSA Book Structure + **26 Chapters organized in 5 parts** **Part I: Basic System Management Tasks (Chapters 1-8)** + - Chapter 1: Installing Red Hat Enterprise Linux Server - Chapter 2: Using Essential Tools - Chapter 3: Essential File Management Tools @@ -57,6 +65,7 @@ Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 20 - Chapter 8: Configuring Networking **Part II: Operating Running Systems (Chapters 9-13)** + - Chapter 9: Software Management - Chapter 10: Managing Processes - Chapter 11: Working with Systemd Services @@ -64,6 +73,7 @@ Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 20 - Chapter 13: Configuring Logging **Part III: Advanced System Administration Tasks (Chapters 14-20)** + - Chapter 14: Managing Storage - Chapter 15: Advanced Storage Management - Chapter 16: Basic Kernel Management @@ -73,6 +83,7 @@ Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 20 - Chapter 20: Managing Software **Part IV: Managing Network Services (Chapters 21-25)** + - Chapter 21: Configuring SSH - Chapter 22: Managing SELinux - Chapter 23: Configuring a Firewall @@ -80,6 +91,7 @@ Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 20 - Chapter 25: Configuring Time Services **Part V: RHCSA Practice Exams (Chapter 26)** + - Chapter 26: Managing Containers ## Topic-by-Topic Breakdown with Lab Exercises 
@@ -87,17 +99,20 @@ Based on analysis of "RHCSA Red Hat Enterprise Linux 10" by Asghar Ghori (Dec 20 ### 1. System Installation and Initial Setup #### **Asghar Ghori Labs:** + - Exercise 1-1: Download and Install VirtualBox Software - Exercise 1-2: Download and Install RHEL - Exercise 1-3: Logging In from Windows - Lab 1-1: Build RHEL9-VM2 (server2) #### **Sander van Vugt Labs:** + - Focus on automated installation methods - Kickstart configuration - Initial system configuration #### **Key Commands:** + ```bash # System information hostnamectl @@ -116,6 +131,7 @@ localectl set-locale ### 2. File Management and Text Processing #### **Asghar Ghori Labs:** + - Exercise 3-1: Create Compressed Archives - Exercise 3-2: Create and Manage Hard Links - Exercise 3-3: Create and Manage Soft Links @@ -124,11 +140,13 @@ localectl set-locale - Lab 3-3: File and Directory Operations #### **Sander van Vugt Labs:** + - Working with tar archives - Text file manipulation with sed, awk, grep - File linking and copying strategies #### **Key Commands:** + ```bash # File operations ls -la @@ -164,6 +182,7 @@ nano filename ### 3. File Permissions and Security #### **Asghar Ghori Labs:** + - Exercise 4-1: Modify Permission Bits Using Symbolic Form - Exercise 4-2: Modify Permission Bits Using Octal Form - Exercise 4-3: Test the Effect of setuid Bit on Executable Files @@ -176,11 +195,13 @@ nano filename - Lab 4-4: Find Files Using Different Criteria #### **Sander van Vugt Labs:** + - Advanced permission scenarios - ACL implementation - Special permissions in practice #### **Key Commands:** + ```bash # Basic permissions chmod 755 file @@ -210,6 +231,7 @@ find / -group groupname ### 4. User and Group Management #### **Asghar Ghori Labs:** + - Exercise 5-1: Create a User Account with Default Attributes - Exercise 5-2: Create a User Account with Custom Values - Exercise 5-3: Modify and Delete a User Account 
@@ -219,11 +241,13 @@ find / -group groupname - Exercise 6-3: Lock and Unlock a User Account with usermod and passwd #### **Sander van Vugt Labs:** + - User account policies - Group membership management - Password aging configuration #### **Key Commands:** + ```bash # User management useradd -u UID -g GROUP -G GROUPS -s SHELL -d HOME username @@ -255,16 +279,19 @@ lastb ### 5. Process and Service Management #### **Asghar Ghori Labs:** + - Systemctl command exercises - Service configuration labs - Process monitoring and control #### **Sander van Vugt Labs:** + - Systemd service creation - Timer configuration - Process priority management #### **Key Commands:** + ```bash # Process management ps aux @@ -304,16 +331,19 @@ systemctl isolate rescue.target ### 6. Package Management #### **Asghar Ghori Labs:** + - DNF package management exercises - Repository configuration - RPM command usage #### **Sander van Vugt Labs:** + - Advanced package queries - Group package management - Creating custom repositories #### **Key Commands:** + ```bash # DNF package management dnf install package @@ -346,16 +376,18 @@ rpm -Uvh package.rpm # upgrade package ### 7. Storage Management and LVM #### **Asghar Ghori Labs:** + - LVM creation and management exercises - File system creation and mounting - Swap configuration labs #### **Sander van Vugt Labs:** + - Advanced LVM scenarios - Storage troubleshooting - #### **Key Commands:** + ```bash # Disk and partition management lsblk @@ -401,16 +433,19 @@ swapon --show ### 8. Network Configuration #### **Asghar Ghori Labs:** + - NetworkManager configuration with nmcli - Static IP configuration - Network troubleshooting exercises #### **Sander van Vugt Labs:** + - Advanced networking scenarios - Network bonding and teaming - IPv6 configuration #### **Key Commands:** + ```bash # Network information ip addr show 
@@ -440,16 +475,19 @@ netstat -tuln ### 9. Firewall Configuration #### **Asghar Ghori Labs:** + - firewall-cmd basic configuration - Service and port management - Rich rules implementation #### **Sander van Vugt Labs:** + - Advanced firewall scenarios - Custom service definitions - Firewall troubleshooting #### **Key Commands:** + ```bash # Firewall management firewall-cmd --state @@ -472,17 +510,20 @@ firewall-cmd --change-interface=INTERFACE --zone=ZONE --permanent ### 10. SELinux Management #### **Asghar Ghori Labs:** + - SELinux mode configuration - Context management exercises - Boolean configuration - Port labeling labs #### **Sander van Vugt Labs:** + - Advanced SELinux troubleshooting - Custom policy modules - File context analysis #### **Key Commands:** + ```bash # SELinux status and modes getenforce @@ -516,16 +557,19 @@ sealert -a /var/log/audit/audit.log ### 11. Boot Process and GRUB #### **Asghar Ghori Labs:** + - GRUB configuration modification - Kernel parameter management - Boot troubleshooting scenarios #### **Sander van Vugt Labs:** + - Advanced boot procedures - Systemd target management - Recovery scenarios #### **Key Commands:** + ```bash # GRUB management grub2-editenv list @@ -546,16 +590,19 @@ dnf list installed kernel ### 12. Logging and Monitoring #### **Asghar Ghori Labs:** + - Journald configuration - Rsyslog setup - Log rotation configuration #### **Sander van Vugt Labs:** + - Advanced logging scenarios - Remote logging setup - Log analysis techniques #### **Key Commands:** + ```bash # Journal management journalctl @@ -577,16 +624,19 @@ logrotate -d /etc/logrotate.conf ### 13. Scheduled Tasks #### **Asghar Ghori Labs:** + - Crontab configuration - At job scheduling - Systemd timer creation #### **Sander van Vugt Labs:** + - Advanced scheduling scenarios - Timer unit configuration - Anacron usage #### **Key Commands:** + ```bash # Cron management crontab -e 
@@ -609,16 +659,19 @@ systemctl start timer.timer ### 14. Container Management #### **Asghar Ghori Labs:** + - Podman basic operations - Container networking - Container storage management #### **Sander van Vugt Labs:** + - Advanced container scenarios - Systemd integration - Container image management #### **Key Commands:** + ```bash # Container management podman pull image @@ -644,16 +697,19 @@ podman logs container ### 15. Network Services #### **Asghar Ghori Labs:** + - NFS server and client configuration - AutoFS implementation - SSH configuration #### **Sander van Vugt Labs:** + - Advanced NFS scenarios - Time synchronization - SSH key management #### **Key Commands:** + ```bash # NFS management systemctl enable --now nfs-server @@ -674,6 +730,7 @@ scp file user@server:/path ## Command Summary by Category ### User Management Commands + ```bash useradd, usermod, userdel, passwd, chage, chsh, chfn groupadd, groupmod, groupdel, gpasswd @@ -681,6 +738,7 @@ id, groups, who, w, last, lastb ``` ### File Management Commands + ```bash ls, cp, mv, rm, mkdir, rmdir, touch, find, locate chmod, chown, chgrp, umask @@ -689,6 +747,7 @@ tar, gzip, gunzip, zip, unzip ``` ### Process Management Commands + ```bash ps, top, htop, pgrep, pkill, kill, killall jobs, bg, fg, nohup @@ -696,12 +755,14 @@ nice, renice ``` ### System Service Commands + ```bash systemctl, journalctl service, chkconfig (legacy) ``` ### Network Commands + ```bash nmcli, nmtui ip, ifconfig (legacy) @@ -710,6 +771,7 @@ ss, netstat (legacy) ``` ### Storage Commands + ```bash lsblk, fdisk, parted, partprobe pvcreate, vgcreate, lvcreate, pvs, vgs, lvs @@ -718,11 +780,13 @@ xfs_growfs, resize2fs ``` ### Package Management Commands + ```bash dnf, rpm, yum (legacy) ``` ### Security Commands + ```bash firewall-cmd getenforce, setenforce, setsebool, restorecon, semanage 
@@ -730,8 +794,9 @@ ausearch, sealert ``` ### Container Commands + ```bash podman, buildah, skopeo ``` -This comprehensive summary covers all major topics and commands from both study guides, organized for efficient exam preparation. \ No newline at end of file +This comprehensive summary covers all major topics and commands from both study guides, organized for efficient exam preparation. diff --git a/docs/exam_quick_reference.md b/docs/exam_quick_reference.md index 6b22f10..c2ed74f 100644 --- a/docs/exam_quick_reference.md +++ b/docs/exam_quick_reference.md @@ -3,6 +3,7 @@ ## Essential Acronyms & Terms ### Certification & System + - **RHCSA** - Red Hat Certified System Administrator (EX200) - **RHEL** - Red Hat Enterprise Linux (version 9) - **OS** - Operating System @@ -15,6 +16,7 @@ - **STDIN/STDOUT/STDERR** - Standard input/output/error ### Hardware & Boot + - **CPU** - Central Processing Unit - **RAM** - Random Access Memory - **BIOS** - Basic Input/Output System @@ -25,6 +27,7 @@ - **KVM** - Kernel-based Virtual Machine ## Pre-Exam Checklist + - [ ] Verify VM access and connectivity - [ ] Test sudo access: `sudo -l` - [ ] Check available storage devices: `lsblk` @@ -38,6 +41,7 @@ ## File Management & Text Processing ### Key Terms & Acronyms + - **inode** - Index node (file metadata structure) - **hard link** - Direct link to inode (same filesystem) - **soft link** - Symbolic link (can cross filesystems) @@ -51,6 +55,7 @@ - **buffer** - Temporary data storage ### Key File Paths + ```bash /tmp/ # Temporary files directory /var/tmp/ # Persistent temporary files @@ -60,6 +65,7 @@ ``` ### Essential Commands + ```bash # File operations ls -la # List files with details @@ -115,6 +121,7 @@ readlink link_name # Show link target ``` ### File Archiving & Compression + ```bash # Tar operations tar -cf archive.tar files # Create tar archive 
@@ -138,6 +145,7 @@ unzip archive.zip # Extract zip archive ``` ### Input/Output Redirection + ```bash # Redirection operators command > file # Redirect stdout to file (overwrite) @@ -151,6 +159,7 @@ command &> file # Redirect both stdout and stderr ``` ### Common Tasks + ```bash # Create directory structure and files mkdir -p /project/{docs,src,tests} @@ -173,6 +182,7 @@ find /path -name "*.conf" -exec sed -i 's/old/new/g' {} \; ``` ### Troubleshooting + ```bash # File system issues df -h # Check disk space @@ -192,6 +202,7 @@ od -c filename | head # Check for special characters ``` ### Common Pitfalls + - **WRONG**: Using `rm -rf /` accidentally → **RIGHT**: Always double-check paths - **WRONG**: Not quoting file names with spaces → **RIGHT**: Use quotes or escape spaces - **WRONG**: Forgetting `-r` for directory operations → **RIGHT**: Use `-r` for recursive operations @@ -202,6 +213,7 @@ od -c filename | head # Check for special characters ## User and Group Management ### Key Terms & Acronyms + - **UID** - User Identifier (numeric user ID, root=0) - **GID** - Group Identifier (numeric group ID) - **sudo** - Superuser do (privilege escalation) @@ -211,6 +223,7 @@ od -c filename | head # Check for special characters - **wheel** - Administrative group with sudo privileges ### Key File Paths + ```bash /etc/passwd # User account information /etc/shadow # Password hashes @@ -222,6 +235,7 @@ od -c filename | head # Check for special characters ``` ### Essential Commands + ```bash # User creation and management useradd alice # Basic user with defaults @@ -256,6 +270,7 @@ last alice # Login history for user ``` ### Common Tasks + ```bash # Create user with sudo access useradd -G wheel username && passwd username @@ -272,6 +287,7 @@ su - username # Test login ``` ### Sudo Configuration + ```bash # Always use visudo to edit visudo 
@@ -283,6 +299,7 @@ alice ALL=(ALL) NOPASSWD: /bin/systemctl # Specific command only ``` ### Troubleshooting + ```bash # User can't login passwd -S username # Check password status @@ -295,6 +312,7 @@ groups username # Verify group membership ``` ### Common Pitfalls + - **WRONG**: Direct editing `/etc/sudoers` → **RIGHT**: Use `visudo` - **WRONG**: Creating user without password → **RIGHT**: Always set password after `useradd` - **WRONG**: Forgetting home directory → **RIGHT**: Use `-m` or check `/home` @@ -304,6 +322,7 @@ groups username # Verify group membership ## File Permissions & Access Control ### Key Terms & Acronyms + - **ACL** - Access Control List (extended permissions) - **setuid** - Set User ID (execute as owner) - **setgid** - Set Group ID (execute as group) @@ -317,6 +336,7 @@ groups username # Verify group membership - **mask** - Maximum ACL permissions allowed ### Key File Paths + ```bash /etc/passwd # User account information /etc/group # Group information @@ -324,6 +344,7 @@ groups username # Verify group membership ``` ### Essential Commands + ```bash # Basic permission management chmod 755 filename # Set permissions (octal) @@ -368,6 +389,7 @@ umask 002 # Set umask (files 664, dirs 775) ``` ### Permission Calculation + ```bash # Octal permissions breakdown # Read (r) = 4, Write (w) = 2, Execute (x) = 1 @@ -391,6 +413,7 @@ umask 002 # Set umask (files 664, dirs 775) ``` ### Common Tasks + ```bash # Set up shared directory with group collaboration mkdir /shared @@ -423,6 +446,7 @@ find /usr/bin -not -user root # Non-root owned executables ``` ### Troubleshooting Permission Issues + ```bash # Permission denied troubleshooting ls -la /path/to/file # Check file permissions 
@@ -444,6 +468,7 @@ find /path -type d -exec chmod 755 {} \; # Directories to 755 ``` ### ACL vs Traditional Permissions (Supplementary — not on RHEL 10 exam) + ```bash # Traditional permissions (3 entities: user, group, other) chmod 750 file # rwxr-x--- (user: rwx, group: r-x, other: ---) @@ -457,6 +482,7 @@ setfacl -d -m u:alice:rwx /directory # New files inherit ACL ``` ### Common Pitfalls + - **WRONG**: Using `777` permissions everywhere → **RIGHT**: Use least privilege principle - **WRONG**: Forgetting recursive flag for directories → **RIGHT**: Use `-R` for recursive operations - **WRONG**: Not checking parent directory permissions → **RIGHT**: Verify full path permissions @@ -468,6 +494,7 @@ setfacl -d -m u:alice:rwx /directory # New files inherit ACL ## Package Management ### Key Terms & Acronyms + - **DNF** - Dandified YUM (RHEL 10 package manager) - **YUM** - Yellowdog Updater Modified (legacy package manager) - **RPM** - Red Hat Package Manager (low-level package format) @@ -481,6 +508,7 @@ setfacl -d -m u:alice:rwx /directory # New files inherit ACL - **AppStream** - Application and runtime repository ### Key File Paths + ```bash /etc/dnf/dnf.conf # DNF main configuration /etc/yum.repos.d/ # Repository configuration files @@ -490,6 +518,7 @@ setfacl -d -m u:alice:rwx /directory # New files inherit ACL ``` ### Essential Commands + ```bash # Package information and search dnf list # List all packages @@ -541,6 +570,7 @@ rpm -qd httpd # List documentation ``` ### Module Operations (Application Streams) + ```bash # Module management dnf module list # List available modules @@ -553,6 +583,7 @@ dnf module reset nodejs # Reset module state ``` ### Repository Configuration + ```bash # Add custom repository cat > /etc/yum.repos.d/custom.repo << EOF @@ -570,6 +601,7 @@ dnf config-manager --enable epel ``` ### Common Tasks + ```bash # Install web server stack dnf install -y httpd php php-mysqlnd mariadb-server 
@@ -592,6 +624,7 @@ dnf autoremove # Remove orphaned packages ``` ### Troubleshooting + ```bash # Package issues dnf check # Check for problems @@ -615,6 +648,7 @@ dnf install --nogpgcheck package # Skip GPG verification (not recommended) ``` ### Common Pitfalls + - **WRONG**: Using `yum` commands → **RIGHT**: Use `dnf` in RHEL 10 - **WRONG**: Not updating before installing → **RIGHT**: Run `dnf update` regularly - **WRONG**: Installing from untrusted sources → **RIGHT**: Verify GPG signatures @@ -625,6 +659,7 @@ dnf install --nogpgcheck package # Skip GPG verification (not recommended) ## Storage and LVM Management ### Key Terms & Acronyms + - **LVM** - Logical Volume Manager (flexible disk management) - **PV** - Physical Volume (physical disk/partition) - **VG** - Volume Group (pool of PVs) @@ -640,8 +675,8 @@ dnf install --nogpgcheck package # Skip GPG verification (not recommended) - **mount point** - Directory where filesystem is attached - **PE** - Physical Extent (LVM allocation unit) - ### Key File Paths + ```bash /etc/fstab # Filesystem mount configuration /dev/mapper/ # Device mapper devices (LVM) @@ -652,6 +687,7 @@ dnf install --nogpgcheck package # Skip GPG verification (not recommended) ``` ### Essential Commands + ```bash # Disk and partition management lsblk # Check available disks @@ -691,6 +727,7 @@ lsblk # Verify block device structure ``` ### Swap Management + ```bash # Create and enable swap mkswap /dev/sdd1 # Create swap on partition @@ -700,6 +737,7 @@ swapon --show # Verify active swap ``` ### fstab Configuration + ```bash # Add entries to /etc/fstab for persistence echo "/dev/vg_data/lv_database /database xfs defaults 0 2" >> /etc/fstab @@ -711,6 +749,7 @@ umount /database && mount /database # Test specific mount ``` ### Common Tasks + ```bash # Complete LVM setup from scratch lsblk # Check available disks @@ -733,6 +772,7 @@ df -h /app # Verify new size ``` ### Troubleshooting + ```bash # Storage issues diagnostic df -h # Check disk space 
@@ -749,6 +789,7 @@ fuser -mv /mountpoint # Alternative to lsof ``` ### Common Pitfalls + - **WRONG**: Using `resize2fs` for XFS → **RIGHT**: Use `xfs_growfs` for XFS - **WRONG**: Forgetting partition type → **RIGHT**: Set type `8e` for LVM in fdisk - **WRONG**: Not testing fstab → **RIGHT**: Always `mount -a` before reboot @@ -759,6 +800,7 @@ fuser -mv /mountpoint # Alternative to lsof ## Network Configuration ### Key Terms & Acronyms + - **NetworkManager** - Primary network service in RHEL - **nmcli** - NetworkManager CLI - **nmtui** - NetworkManager TUI @@ -774,6 +816,7 @@ fuser -mv /mountpoint # Alternative to lsof - **connection** - NetworkManager configuration profile ### Key File Paths + ```bash /etc/NetworkManager/ # NetworkManager configuration /etc/resolv.conf # DNS configuration @@ -784,6 +827,7 @@ fuser -mv /mountpoint # Alternative to lsof ``` ### Essential Commands + ```bash # Network information ip addr show # Show IP addresses @@ -816,6 +860,7 @@ nmcli con up "System eth0" ``` ### Network Testing + ```bash # Connectivity testing ping -c 3 192.168.1.1 # Test gateway @@ -830,6 +875,7 @@ dig @8.8.8.8 google.com # Query specific DNS server ``` ### Common Tasks + ```bash # Configure static IP from scratch nmcli con add type ethernet con-name "server" ifname ens33 \ @@ -840,6 +886,7 @@ ping -c 3 8.8.8.8 # Verify connectivity ``` ### Troubleshooting + ```bash # Network connectivity issues (layer-by-layer) ip link show # Physical layer @@ -858,6 +905,7 @@ systemctl status NetworkManager # Check NetworkManager service ``` ### Common Pitfalls + - **WRONG**: Forgetting to activate connection → **RIGHT**: Always `nmcli con up` after changes - **WRONG**: Not setting method to manual → **RIGHT**: Set `ipv4.method manual` for static IP - **WRONG**: Configuring without checking interface name → **RIGHT**: Check `ip link show` first 
@@ -867,6 +915,7 @@ systemctl status NetworkManager # Check NetworkManager service ## SELinux Management ### Key Terms & Acronyms + - **SELinux** - Security-Enhanced Linux (MAC system) - **MAC** - Mandatory Access Control - **DAC** - Discretionary Access Control @@ -883,6 +932,7 @@ systemctl status NetworkManager # Check NetworkManager service - **relabel** - Reapply correct SELinux contexts ### Key File Paths + ```bash /etc/selinux/config # SELinux mode configuration /var/log/audit/audit.log # SELinux audit logs @@ -891,6 +941,7 @@ systemctl status NetworkManager # Check NetworkManager service ``` ### Essential Commands + ```bash # SELinux status and modes getenforce # Current mode @@ -941,6 +992,7 @@ semanage port -l | grep http # Show HTTP ports ``` ### Troubleshooting SELinux + ```bash # Essential ausearch commands (RED HAT OFFICIAL SYNTAX) ausearch -m AVC -ts recent # Recent AVC denials @@ -960,6 +1012,7 @@ grep "SELinux is preventing" /var/log/messages # setroubleshoot messages ``` ### Common Tasks + ```bash # Configure custom document root for Apache mkdir -p /web/html @@ -996,6 +1049,7 @@ reboot ``` ### Troubleshooting Workflow + ```bash # Step-by-step SELinux troubleshooting getenforce # 1. Check mode @@ -1007,6 +1061,7 @@ ausearch -m AVC -ts recent # 6. Verify no new denials ``` ### Common Pitfalls + - **WRONG**: Temporary boolean change `setsebool boolean on` → **RIGHT**: Use `-P` for permanent - **WRONG**: Forgetting `restorecon` after context changes → **RIGHT**: Always run `restorecon -Rv` - **WRONG**: Using wrong context type → **RIGHT**: Use `semanage fcontext -l | grep service` to find correct type @@ -1019,6 +1074,7 @@ ausearch -m AVC -ts recent # 6. Verify no new denials ## Firewall Management ### Key Terms & Acronyms + - **firewalld** - Dynamic firewall daemon - **zone** - Network security trust level - **service** - Predefined firewall rule set 
@@ -1031,6 +1087,7 @@ ausearch -m AVC -ts recent # 6. Verify no new denials - **permanent** - Persistent configuration ### Key File Paths + ```bash /etc/firewalld/ # Firewall configuration files /etc/firewalld/zones/ # Zone configuration files @@ -1038,6 +1095,7 @@ ausearch -m AVC -ts recent # 6. Verify no new denials ``` ### Essential Commands + ```bash # Firewall status and information firewall-cmd --state # Check if firewalld is running @@ -1071,6 +1129,7 @@ firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.5" port ``` ### Common Tasks + ```bash # Allow web server traffic firewall-cmd --add-service=http --permanent @@ -1089,6 +1148,7 @@ firewall-cmd --add-port=443/tcp --permanent && firewall-cmd --reload ``` ### Troubleshooting + ```bash # Check if firewall is blocking service firewall-cmd --list-all # Check current rules @@ -1099,6 +1159,7 @@ firewall-cmd --reload ``` ### Common Pitfalls + - **WRONG**: Adding rule without `--permanent` → **RIGHT**: Always use `--permanent` and `--reload` - **WRONG**: Forgetting to reload → **RIGHT**: Run `--reload` to apply permanent changes - **WRONG**: Not verifying service is listening → **RIGHT**: Check with `ss -tuln | grep :port` @@ -1108,6 +1169,7 @@ firewall-cmd --reload ## Services and Systemd Management ### Key Terms & Acronyms + - **systemd** - System and service manager (PID 1) - **unit** - Basic systemd object - **service** - Daemon unit type (.service) @@ -1122,6 +1184,7 @@ firewall-cmd --reload - **runlevel** - Legacy term (replaced by targets) ### Key File Paths + ```bash /etc/systemd/system/ # Custom systemd unit files /usr/lib/systemd/system/ # System-provided unit files @@ -1130,6 +1193,7 @@ firewall-cmd --reload ``` ### Essential Commands + ```bash # Service lifecycle management systemctl status httpd # Check service status @@ -1169,6 +1233,7 @@ systemctl restart systemd-journald ``` ### Common Tasks + ```bash # Install and configure web server dnf install -y httpd 
@@ -1185,6 +1250,7 @@ systemctl status mariadb ``` ### Troubleshooting Services + ```bash # Service startup troubleshooting workflow systemctl status service_name # 1. Check service status @@ -1205,6 +1271,7 @@ ss -tuln | grep :port # Port availability ``` ### Common Pitfalls + - **WRONG**: Starting service but not enabling → **RIGHT**: Use `systemctl enable --now` - **WRONG**: Using restart when reload suffices → **RIGHT**: Use `reload` when possible - **WRONG**: Not checking logs for errors → **RIGHT**: Always check `journalctl -u service` @@ -1214,6 +1281,7 @@ ss -tuln | grep :port # Port availability ## Boot Process & GRUB Configuration ### Key Terms & Acronyms + - **GRUB** - Grand Unified Bootloader (version 2) - **UEFI** - Unified Extensible Firmware Interface - **BIOS** - Basic Input/Output System (legacy) @@ -1228,6 +1296,7 @@ ss -tuln | grep :port # Port availability - **ESP** - EFI System Partition ### Key File Paths + ```bash /boot/grub2/grub.cfg # GRUB configuration (auto-generated) /etc/default/grub # GRUB settings file @@ -1239,6 +1308,7 @@ ss -tuln | grep :port # Port availability ``` ### Essential Commands + ```bash # GRUB configuration management grub2-mkconfig -o /boot/grub2/grub.cfg # Regenerate GRUB config @@ -1275,6 +1345,7 @@ lsinitrd /boot/initramfs-$(uname -r).img # List specific initramfs ``` ### GRUB Configuration + ```bash # Edit GRUB defaults (/etc/default/grub) GRUB_TIMEOUT=5 # Boot menu timeout @@ -1294,6 +1365,7 @@ menuentry "My Custom Boot" { ``` ### Boot Targets (Systemd) + ```bash # Common systemd targets graphical.target # Multi-user + GUI (runlevel 5) @@ -1310,6 +1382,7 @@ systemctl get-default # Check current default ``` ### Password Recovery Procedure + ```bash # RHEL 10 Password Reset Steps: # 1. Boot system and interrupt GRUB menu (press 'e') @@ -1326,6 +1399,7 @@ exit ``` ### Common Tasks + ```bash # Change default boot target to text mode systemctl set-default multi-user.target 
@@ -1351,6 +1425,7 @@ dracut --force --regenerate-all ``` ### Boot Troubleshooting + ```bash # Boot process diagnosis journalctl -b # Current boot logs @@ -1377,6 +1452,7 @@ grubby --remove-kernel=/boot/vmlinuz-old # Remove problematic kernel ``` ### Common Pitfalls + - **WRONG**: Editing `/boot/grub2/grub.cfg` directly → **RIGHT**: Use `grub2-mkconfig` or `grubby` - **WRONG**: Forgetting `/.autorelabel` after password reset → **RIGHT**: Always touch when SELinux enabled - **WRONG**: Not regenerating GRUB config after changes → **RIGHT**: Run `grub2-mkconfig` after editing defaults @@ -1387,6 +1463,7 @@ grubby --remove-kernel=/boot/vmlinuz-old # Remove problematic kernel ## Logging & System Monitoring ### Key Terms & Acronyms + - **journald** - Systemd journal daemon - **rsyslog** - System logging service - **syslog** - System logging protocol @@ -1401,6 +1478,7 @@ grubby --remove-kernel=/boot/vmlinuz-old # Remove problematic kernel - **rsyslogd** - Remote system logging daemon ### Key File Paths + ```bash /var/log/messages # General system messages (rsyslog) /var/log/secure # Authentication and security messages @@ -1415,6 +1493,7 @@ grubby --remove-kernel=/boot/vmlinuz-old # Remove problematic kernel ``` ### Essential Commands + ```bash # Systemd Journal (journalctl) journalctl # View all journal entries @@ -1467,6 +1546,7 @@ netstat -tuln # Network connections (legacy) ``` ### Performance Monitoring + ```bash # System performance tools sar # System activity reporter @@ -1481,6 +1561,7 @@ vmstat 1 5 # 1 second intervals, 5 times ``` ### Log Configuration + ```bash # Make journal persistent mkdir -p /var/log/journal @@ -1507,6 +1588,7 @@ systemctl restart rsyslog ``` ### Log Rotation + ```bash # Logrotate configuration # Edit /etc/logrotate.d/myapp: @@ -1529,6 +1611,7 @@ logrotate -f /etc/logrotate.d/myapp # Force rotation ``` ### Common Tasks + ```bash # Monitor system startup issues journalctl -b -p err # Boot errors 
@@ -1554,6 +1637,7 @@ find /var/log -name "*.gz" -mtime +30 -delete # Remove compressed logs > 30 day ``` ### Troubleshooting with Logs + ```bash # Service won't start systemctl status servicename # Service status @@ -1583,6 +1667,7 @@ dmesg | grep -i error # Kernel errors ``` ### Log Analysis Techniques + ```bash # Pattern matching and analysis grep "ERROR" /var/log/messages | tail -20 @@ -1600,6 +1685,7 @@ multitail /var/log/messages /var/log/secure # Multiple files simultaneously ``` ### Common Pitfalls + - **WRONG**: Using `tail -f` on journal files → **RIGHT**: Use `journalctl -f` - **WRONG**: Not making journal persistent → **RIGHT**: Create `/var/log/journal` directory - **WRONG**: Ignoring log rotation → **RIGHT**: Configure logrotate for custom logs @@ -1610,6 +1696,7 @@ multitail /var/log/messages /var/log/secure # Multiple files simultaneously ## NFS and AutoFS ### Key Terms & Acronyms + - **NFS** - Network File System (remote file sharing protocol, NFS 4.2 is the RHEL 10 default) - **AutoFS** - Automatic File System (on-demand mounting service) - **export** - Making shares available on NFS server @@ -1624,6 +1711,7 @@ multitail /var/log/messages /var/log/secure # Multiple files simultaneously - **\_netdev** - Mount option indicating network dependency ### Key File Paths + ```bash /etc/exports # NFS server export configuration /etc/fstab # Persistent mount configuration @@ -1634,6 +1722,7 @@ multitail /var/log/messages /var/log/secure # Multiple files simultaneously ``` ### NFS Server Setup + ```bash # Install NFS server software dnf install -y nfs-utils @@ -1668,6 +1757,7 @@ firewall-cmd --reload ``` ### NFS Client Operations + ```bash # Install NFS client software dnf install -y nfs-utils @@ -1691,6 +1781,7 @@ umount /mnt/nfs-data ``` ### Persistent NFS Mounting via fstab + ```bash # Add entry to /etc/fstab for persistent mounting echo "server.example.com:/nfs-share /mnt/nfs-data nfs defaults,_netdev 0 0" >> /etc/fstab 
@@ -1713,8 +1804,9 @@ mount /mnt/nfs-data # Mount specific entry ### AutoFS Configuration **Direct vs Indirect Maps Overview:** + - **Indirect Maps**: Mount point is a directory that contains subdirectories for each share - - Master map: `/mnt/auto /etc/auto.nfs` → Access `/mnt/auto/sharename` + - Master map: `/mnt/auto /etc/auto.nfs` → Access `/mnt/auto/sharename` - Map file defines keys (subdirectory names) and their NFS locations - **Direct Maps**: Each share has its own specific mount point anywhere in filesystem - Master map: `/- /etc/auto.direct` → Access exact paths like `/shared-data` @@ -1764,6 +1856,7 @@ mount | grep autofs # Show active automounts ``` ### AutoFS Wildcards for User Home Directories + ```bash # Wildcard mapping in indirect map # * matches subdirectory name, & substitutes server/path @@ -1777,6 +1870,7 @@ echo "/home /etc/auto.home" >> /etc/auto.master ``` ### Common NFS and AutoFS Tasks + ```bash # Set up NFS client with AutoFS indirect map showmount -e nfs-server # List available shares @@ -1799,6 +1893,7 @@ mount | grep autofs ``` ### Troubleshooting NFS and AutoFS + ```bash # NFS server troubleshooting exportfs -v # Show active exports @@ -1827,6 +1922,7 @@ systemctl restart autofs # Full restart if needed ``` ### Common Pitfalls + - **WRONG**: Forgetting `_netdev` in fstab → **RIGHT**: Always use `_netdev` for network filesystems - **WRONG**: Using AutoFS and fstab together → **RIGHT**: Choose either AutoFS or fstab, not both - **WRONG**: Not starting rpcbind service → **RIGHT**: Ensure rpcbind runs before nfs-server @@ -1839,6 +1935,7 @@ systemctl restart autofs # Full restart if needed ## Flatpak Software Management ### Key Terms & Acronyms + - **Flatpak** - Application distribution framework with sandboxing - **Flathub** - Largest public Flatpak repository (flathub.org) - **remote** - Flatpak repository (similar to DNF repo) 
@@ -1850,6 +1947,7 @@ systemctl restart autofs # Full restart if needed - **app ID** - Reverse-DNS application identifier (e.g., org.gimp.GIMP) ### Key File Paths + ```bash /var/lib/flatpak/ # System-wide Flatpak installations ~/.local/share/flatpak/ # User Flatpak installations @@ -1859,6 +1957,7 @@ systemctl restart autofs # Full restart if needed ``` ### Essential Commands + ```bash # Remote (repository) management flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo @@ -1886,6 +1985,7 @@ flatpak update # Update all Flatpaks ``` ### Common Tasks + ```bash # Set up Flathub and install application flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo @@ -1903,6 +2003,7 @@ flatpak uninstall --unused -y # Remove orphaned runtimes ``` ### Permission Overrides + ```bash # Grant filesystem access to sandboxed app flatpak override --user --filesystem=home org.example.App @@ -1911,6 +2012,7 @@ flatpak override --user --reset org.example.App # Reset to defaults ``` ### Common Pitfalls + - **WRONG**: Trying to install without adding remote first → **RIGHT**: Add remote with `flatpak remote-add` before installing - **WRONG**: Forgetting `--if-not-exists` → **RIGHT**: Use it to make commands idempotent - **WRONG**: Not cleaning up runtimes → **RIGHT**: Run `flatpak uninstall --unused` after removing apps @@ -1920,6 +2022,7 @@ flatpak override --user --reset org.example.App # Reset to defaults ## Scheduled Tasks & Automation ### Key Terms & Acronyms + - **cron** - Time-based job scheduler - **crontab** - Cron table (user's scheduled jobs) - **crond** - Cron daemon @@ -1933,6 +2036,7 @@ flatpak override --user --reset org.example.App # Reset to defaults - **Persistent** - Timer survives system shutdown ### Key File Paths + ```bash /etc/crontab # System-wide cron table /etc/cron.d/ # System cron job directory 
@@ -1950,6 +2054,7 @@ flatpak override --user --reset org.example.App # Reset to defaults ``` ### Essential Commands + ```bash # Crontab management crontab -e # Edit user's crontab @@ -1980,6 +2085,7 @@ systemctl disable timer_name # Disable timer ``` ### Cron Syntax + ```bash # Crontab format: minute hour day month weekday command # * * * * * command @@ -2015,6 +2121,7 @@ systemctl disable timer_name # Disable timer ``` ### Systemd Timers + ```bash # Create timer unit file (/etc/systemd/system/backup.timer) [Unit] @@ -2050,6 +2157,7 @@ OnCalendar=*:0/15 # Every 15 minutes ``` ### Common Tasks + ```bash # Daily log rotation at 3:00 AM echo "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf" | crontab - @@ -2093,6 +2201,7 @@ systemctl enable --now daily-backup.timer ``` ### Environment and Output Handling + ```bash # Cron environment variables (in crontab) SHELL=/bin/bash @@ -2113,6 +2222,7 @@ cd /home/user ``` ### Access Control + ```bash # Allow specific users to use cron echo "alice" >> /etc/cron.allow @@ -2127,6 +2237,7 @@ echo "bob" >> /etc/at.allow ``` ### Troubleshooting + ```bash # Check cron service status systemctl status crond @@ -2161,6 +2272,7 @@ chmod +x /path/to/script.sh ``` ### Monitoring Scheduled Tasks + ```bash # List all active cron jobs for user in $(cut -f1 -d: /etc/passwd); do @@ -2178,6 +2290,7 @@ systemctl status timer_name # Detailed timer status ``` ### Common Pitfalls + - **WRONG**: Using relative paths in cron jobs → **RIGHT**: Use absolute paths always - **WRONG**: Not setting proper environment → **RIGHT**: Set PATH and other variables in crontab - **WRONG**: Forgetting output redirection → **RIGHT**: Redirect stdout/stderr appropriately @@ -2189,6 +2302,7 @@ systemctl status timer_name # Detailed timer status ## Emergency Recovery Procedures ### Key Terms & Acronyms + - **rd.break** - Kernel parameter for root password reset - **rescue** - Systemd target for system recovery - **emergency** - Minimal systemd target 
@@ -2199,6 +2313,7 @@ systemctl status timer_name # Detailed timer status - **grubby** - GRUB configuration tool ### Boot Issues and Recovery + ```bash # GRUB rescue (password reset) # At GRUB menu: e -> linux line -> add rd.break @@ -2219,6 +2334,7 @@ systemctl status timer_name # Detailed timer status ``` ### Critical File Recovery + ```bash # Corrupted fstab # Boot to rescue mode @@ -2237,6 +2353,7 @@ systemctl status timer_name # Detailed timer status ## SSH & Remote Access ### Key Terms & Acronyms + - **SSH** - Secure Shell (encrypted remote access protocol) - **sshd** - SSH daemon (server process) - **RSA** - Rivest-Shamir-Adleman (key algorithm) @@ -2251,6 +2368,7 @@ systemctl status timer_name # Detailed timer status - **Wayland forwarding** - Remote GUI application display (RHEL 10 uses Wayland, not X11) ### Key File Paths + ```bash /etc/ssh/sshd_config # SSH daemon configuration /etc/ssh/ssh_config # System-wide client configuration @@ -2265,6 +2383,7 @@ systemctl status timer_name # Detailed timer status ``` ### Essential Commands + ```bash # SSH connection basics ssh user@hostname # Connect to remote host @@ -2300,6 +2419,7 @@ ssh -N -f -L 8080:localhost:80 user@hostname # Background tunnel ``` ### SSH Configuration + ```bash # Server configuration (/etc/ssh/sshd_config) Port 22 # Default SSH port @@ -2336,6 +2456,7 @@ Host bastion ``` ### Key-Based Authentication Setup + ```bash # Complete key-based authentication setup # 1. Generate key pair on client @@ -2359,6 +2480,7 @@ sudo systemctl reload sshd ``` ### SSH Security Hardening + ```bash # Change default port sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config @@ -2384,6 +2506,7 @@ sshd -t && systemctl reload sshd ``` ### Common Tasks + ```bash # Set up passwordless SSH between servers ssh-keygen -t ed25519 -N "" -f ~/.ssh/server_key 
@@ -2409,6 +2532,7 @@ journalctl -u sshd -f # Follow SSH logs in real-time ``` ### Troubleshooting SSH + ```bash # Connection troubleshooting ssh -v user@hostname # Verbose output (debug) @@ -2439,6 +2563,7 @@ semanage port -l | grep ssh # Check SELinux port contexts ``` ### SSH Agent and Key Management + ```bash # Start SSH agent eval $(ssh-agent) # Start agent and set environment @@ -2462,6 +2587,7 @@ ssh -i ~/.ssh/specific_key user@hostname # Use specific key ``` ### Common Pitfalls + - **WRONG**: Using weak RSA 1024-bit keys → **RIGHT**: Use RSA 4096-bit or Ed25519 keys - **WRONG**: Leaving default SSH port 22 → **RIGHT**: Change to non-standard port for security - **WRONG**: Wrong file permissions on SSH keys → **RIGHT**: Use 600 for private keys, 644 for public keys @@ -2473,6 +2599,7 @@ ssh -i ~/.ssh/specific_key user@hostname # Use specific key ## Shell Environment & Scripting Basics ### Key Terms & Acronyms + - **bash** - Bourne Again Shell (default RHEL shell) - **env** - Environment (shell variables and settings) - **PATH** - Executable search path @@ -2487,6 +2614,7 @@ ssh -i ~/.ssh/specific_key user@hostname # Use specific key - **source/dot** - Execute script in current shell ### Key File Paths + ```bash /etc/profile # System-wide shell initialization /etc/profile.d/ # System-wide shell scripts @@ -2499,6 +2627,7 @@ ssh -i ~/.ssh/specific_key user@hostname # Use specific key ``` ### Essential Commands + ```bash # Environment variables export VAR=value # Set and export variable @@ -2537,6 +2666,7 @@ command1; command2 # Run commands sequentially ``` ### Basic Scripting Constructs + ```bash #!/bin/bash # Shebang - interpreter specification @@ -2596,6 +2726,7 @@ esac ``` ### Positional Parameters and Special Variables + ```bash $0 # Script name $1, $2, $3... # Positional parameters (arguments) 
@@ -2608,6 +2739,7 @@ shift # Shift positional parameters left ($2→$1) ``` ### Common Scripting Patterns + ```bash # Check if script has arguments if [ $# -eq 0 ]; then @@ -2651,6 +2783,7 @@ log() { ``` ### Environment Configuration + ```bash # System-wide environment (/etc/profile) export PATH="/usr/local/bin:$PATH" @@ -2677,6 +2810,7 @@ source ~/.bashrc # Reload configuration ``` ### Common Tasks + ```bash # Create a backup script #!/bin/bash @@ -2719,6 +2853,7 @@ done ``` ### Advanced Shell Features + ```bash # Parameter expansion ${var} # Variable value @@ -2751,6 +2886,7 @@ nohup command & # Run command immune to hangups ``` ### Debugging and Troubleshooting + ```bash # Script debugging bash -x script.sh # Execute with debug output @@ -2775,6 +2911,7 @@ fi ``` ### Common Pitfalls + - **WRONG**: `VAR = value` → **RIGHT**: `VAR=value` (no spaces around =) - **WRONG**: Not quoting variables → **RIGHT**: Use `"$var"` to prevent word splitting - **WRONG**: Using `[ $var = value ]` with empty var → **RIGHT**: Use `[ "$var" = "value" ]` @@ -2804,6 +2941,7 @@ ausearch -m AVC -ts recent | wc -l # Count SELinux denials ## Last-Minute Exam Reminders ### Must-Verify Checklist + - [ ] Services enabled AND started: `systemctl is-enabled service && systemctl is-active service` - [ ] Firewall rules applied: `firewall-cmd --list-all` - [ ] SELinux not blocking: `ausearch -m AVC -ts recent` @@ -2812,6 +2950,7 @@ ausearch -m AVC -ts recent | wc -l # Count SELinux denials - [ ] Network connectivity: `ping 8.8.8.8` ### Emergency Commands + ```bash # If something breaks during exam: systemctl status service_name # Check service status 
@@ -2823,6 +2962,7 @@ ss -tuln | grep :port # Is service listening? ``` ### Final Strategy + **Accuracy over speed. Verify everything. Use man pages when uncertain.** -Time allocation: 40% basic tasks (users, basic services), 40% intermediate (storage, network), 20% advanced (containers, troubleshooting). \ No newline at end of file +Time allocation: 40% basic tasks (users, basic services), 40% intermediate (storage, network), 20% advanced (containers, troubleshooting). diff --git a/docs/index.md b/docs/index.md index 59fb6a0..678cdac 100644 --- a/docs/index.md +++ b/docs/index.md @@ -5,6 +5,7 @@ Welcome to the comprehensive Red Hat Certified System Administrator (RHCSA) stud ## 📚 Study Materials ### [RHCSA Synthesis Modules](rhcsa_synthesis/) + Complete knowledge base with 15 detailed modules covering all RHCSA exam objectives: - **Module 00**: [Exam Overview](rhcsa_synthesis/00_exam_overview.md) - Strategy and format guide @@ -40,6 +41,7 @@ Import the comprehensive flashcard deck for spaced repetition learning: - **Topics**: All RHCSA exam objectives with practical examples ### Flashcard Categories + - User & Group Management - File Operations & Permissions - System Services (systemd) @@ -76,7 +78,7 @@ Set up hands-on practice environment using Vagrant: ## 📁 Repository Structure -``` +```text rhcsa/ ├── docs/ # Study materials (this site) ├── anki/ # Flashcard deck @@ -87,4 +89,4 @@ rhcsa/ For the complete repository structure, visit: [github.com/kraker/rhcsa](https://github.com/kraker/rhcsa) -Ready to start your RHCSA journey? Begin with [Module 00: Exam Overview](rhcsa_synthesis/00_exam_overview.md) to understand the exam format and strategy! \ No newline at end of file +Ready to start your RHCSA journey? Begin with [Module 00: Exam Overview](rhcsa_synthesis/00_exam_overview.md) to understand the exam format and strategy! diff --git a/docs/rhcsa_acronyms_glossary.md b/docs/rhcsa_acronyms_glossary.md index 4d92785..8e4dbb2 100644 
--- a/docs/rhcsa_acronyms_glossary.md +++ b/docs/rhcsa_acronyms_glossary.md @@ -5,6 +5,7 @@ --- ## Quick Navigation + - [Alphabetical Index](#alphabetical-index) - [Acronyms by Category](#acronyms-by-category) - [Certification & System](#certification--system) @@ -256,6 +257,7 @@ ## Acronyms by Category ### Certification & System + - **RHCSA** - Red Hat Certified System Administrator - **RHCE** - Red Hat Certified Engineer - **RHEL** - Red Hat Enterprise Linux @@ -274,6 +276,7 @@ - **LTS** - Long Term Support ### Hardware & Boot + - **CPU** - Central Processing Unit - **RAM** - Random Access Memory - **BIOS** - Basic Input/Output System @@ -294,6 +297,7 @@ - **I/O** - Input/Output ### File Systems & Storage + - **XFS** - X File System (RHEL default) - **EXT4** - Fourth Extended Filesystem - **BTRFS** - B-tree File System @@ -311,6 +315,7 @@ - **SWAP** - Swap Space ### Networking + - **IP** - Internet Protocol - **IPv4** - Internet Protocol version 4 - **IPv6** - Internet Protocol version 6 @@ -343,6 +348,7 @@ - **NMTUI** - NetworkManager Text User Interface ### Security + - **SELinux** - Security-Enhanced Linux - **MAC** - Mandatory Access Control - **DAC** - Discretionary Access Control @@ -358,6 +364,7 @@ - **GPG** - GNU Privacy Guard ### Services & Process Management + - **SYSTEMD** - System Daemon - **PID** - Process Identifier - **PPID** - Parent Process Identifier @@ -372,6 +379,7 @@ - **LIFO** - Last In, First Out ### Flatpak & Software Distribution + - **Flatpak** - Application distribution framework with sandboxing - **Flathub** - Public Flatpak application repository - **OSTree** - Content-addressable storage system 
@@ -381,12 +389,14 @@ - **VNC** - Virtual Network Computing ### Package Management + - **DNF** - Dandified YUM - **YUM** - Yellowdog Updater Modified - **RPM** - Red Hat Package Manager - **EPM** - Enterprise Package Manager ### Other Common Acronyms + - **AWK** - Aho, Weinberger, and Kernighan - **SED** - Stream Editor - **TAR** - Tape Archive @@ -429,6 +439,7 @@ ## Key Non-Acronym Terms ### System Components + - **daemon** - Background service process - **kernel** - Core operating system component - **shell** - Command interpreter @@ -436,6 +447,7 @@ - **console** - Physical or virtual system interface ### File System Terms + - **inode** - Index node storing file metadata - **block** - Basic storage allocation unit - **sector** - Physical disk storage unit @@ -443,6 +455,7 @@ - **umount** - Detach filesystem from directory tree ### Process Terms + - **fork** - Create child process - **exec** - Execute new program - **zombie** - Defunct process awaiting cleanup @@ -450,6 +463,7 @@ - **thread** - Lightweight process component ### Network Terms + - **socket** - Network communication endpoint - **port** - Network service identifier - **interface** - Network connection point @@ -457,6 +471,7 @@ - **netmask** - Network address mask ### Security Terms + - **context** - SELinux security label - **boolean** - SELinux policy toggle - **permission** - File access rights @@ -464,6 +479,7 @@ - **audit** - Security event logging ### Storage Terms + - **partition** - Disk subdivision - **filesystem** - Data organization method - **journal** - Filesystem transaction log @@ -471,6 +487,7 @@ - **snapshot** - Point-in-time copy ### Service Terms + - **unit** - Systemd management object - **target** - Systemd state grouping - **service** - Systemd daemon unit @@ -478,6 +495,7 @@ - **socket** - Systemd activation unit ### Flatpak Terms + - **remote** - Flatpak repository source - **runtime** - Shared base libraries for Flatpak apps - **app ID** - Reverse-DNS application identifier 
@@ -486,4 +504,4 @@ --- -*This glossary covers essential acronyms and terms for RHCSA exam success. Review regularly to ensure familiarity with technical vocabulary.* \ No newline at end of file +*This glossary covers essential acronyms and terms for RHCSA exam success. Review regularly to ensure familiarity with technical vocabulary.* diff --git a/docs/rhcsa_synthesis/00_exam_overview.md b/docs/rhcsa_synthesis/00_exam_overview.md index 023ae09..4ec3811 100644 --- a/docs/rhcsa_synthesis/00_exam_overview.md +++ b/docs/rhcsa_synthesis/00_exam_overview.md @@ -21,6 +21,7 @@ ## 2. RHCSA Exam Fundamentals ### Exam Format + - **Type**: Performance-based, hands-on exam (no multiple choice) - **Duration**: 3 hours - **Environment**: Virtual machines running RHEL 10 @@ -29,6 +30,7 @@ - **Delivery**: Red Hat Training Centers or remote proctoring ### Exam Environment + - **Systems**: RHEL 10 virtual machines - **Access**: SSH and console access to systems - **Tools**: Standard RHEL 10 command line tools and documentation @@ -36,8 +38,9 @@ - **Time Pressure**: Approximately 9-12 minutes per task average ### Key Exam Objectives (Red Hat Official) + 1. **Understand and use essential tools** -2. **Create simple shell scripts** +2. **Create simple shell scripts** 3. **Operate running systems** 4. **Configure local storage** 5. **Create and configure file systems** @@ -51,13 +54,16 @@ ## 3. Strategic Approach ### Pre-Exam Preparation + #### Mental Preparation + - **Sleep well**: 7-8 hours before exam day - **Eat properly**: Light meal 2 hours before exam - **Arrive early**: 15-30 minutes before appointment - **Review briefly**: Quick scan of command reference only #### Knowledge Verification + - Complete all synthesis modules at least twice - Practice all hands-on labs until automatic - Memorize critical command syntax 
@@ -66,6 +72,7 @@ ### During the Exam #### Initial Setup (First 10 minutes) + 1. **Read all tasks quickly** - get overview of what's needed 2. **Check system hostnames** - understand the environment 3. **Test connectivity** - ensure SSH works between systems @@ -73,6 +80,7 @@ 5. **Plan your sequence** - tackle easier tasks first for confidence #### Task Execution Strategy + 1. **Time boxing**: Allocate maximum time per task (don't get stuck) 2. **Verify immediately**: Test each task completion before moving on 3. **Skip and return**: If stuck, mark task and continue @@ -80,6 +88,7 @@ 5. **Save regularly**: Some tasks auto-save, others need manual saves #### Time Management + - **First hour**: Complete 6-8 easier tasks - **Second hour**: Tackle 4-5 medium difficulty tasks - **Final hour**: Address remaining difficult tasks and review @@ -90,7 +99,8 @@ ## 4. Exam Environment Deep Dive ### System Layout (Typical) -``` + +```text Exam Environment: ├── workstation.lab.example.com (your main system) ├── server1.lab.example.com (target system 1) @@ -98,11 +108,13 @@ Exam Environment: ``` ### Common Hostnames and IPs + - **workstation**: 192.168.1.10 (your working system) - **server1**: 192.168.1.11 (primary target) - **server2**: 192.168.1.12 (secondary target) ### Available Tools + ```bash # Text editors vim, nano @@ -122,6 +134,7 @@ All standard RHEL 10 command-line utilities ``` ### What's NOT Available + - GUI applications (exam is command-line only) - Internet browsers - External documentation sites 
@@ -132,52 +145,64 @@ All standard RHEL 10 command-line utilities ## 5. Task Categories and Strategies ### Category 1: System Configuration (30-35% of exam) + **Typical Tasks**: + - Configure network settings - Set up user accounts and groups - Configure SSH access - Set hostname and timezone **Strategy**: + - These are usually straightforward - Complete early for confidence - Double-check with verification commands - Common commands: `nmtui`, `useradd`, `systemctl` ### Category 2: Storage Management (25-30% of exam) + **Typical Tasks**: + - Create partitions and filesystems - Configure LVM - Mount filesystems persistently - Set up swap space **Strategy**: + - Be very careful with disk operations - Always verify before writing changes - Test mounts with `mount -a` - Common commands: `fdisk`, `mkfs`, `pvcreate`, `mount` ### Category 3: Security Configuration (20-25% of exam) + **Typical Tasks**: + - Configure firewall rules - Set up SELinux contexts - Configure file permissions - Set up sudo access **Strategy**: + - Security tasks often have dependencies - Test access from different accounts - Verify with appropriate tools - Common commands: `firewall-cmd`, `restorecon`, `chmod`, `visudo` ### Category 4: Service Management (15-20% of exam) + **Typical Tasks**: + - Configure and start services - Set up scheduled tasks - Configure logging - Manage Flatpak software **Strategy**: + - Services must be enabled AND started - Test functionality after configuration - Check logs for errors @@ -188,6 +213,7 @@ All standard RHEL 10 command-line utilities ## 6. Common Exam Mistakes to Avoid ### Critical Mistakes (Task Failure) + 1. **Wrong system**: Performing task on wrong host 2. **Permissions errors**: Forgetting to use sudo when needed 3. **Service not enabled**: Starting but not enabling services 
@@ -195,6 +221,7 @@ All standard RHEL 10 command-line utilities 5. **Wrong user context**: Performing tasks as wrong user ### Time-Wasting Mistakes + 1. **Perfectionism**: Over-configuring beyond requirements 2. **Rabbit holes**: Spending too long troubleshooting one task 3. **Verification obsession**: Testing same thing multiple times @@ -202,6 +229,7 @@ All standard RHEL 10 command-line utilities 5. **Second-guessing**: Changing correct configurations ### Recovery Strategies + 1. **Task failure**: Move on, return later if time permits 2. **System broken**: Use rescue mode or reinstall if necessary 3. **Partial credit**: Document what you accomplished @@ -213,6 +241,7 @@ All standard RHEL 10 command-line utilities ## 7. Verification Techniques ### Standard Verification Workflow + ```bash # For each completed task: 1. Test the functionality as requested @@ -222,6 +251,7 @@ All standard RHEL 10 command-line utilities ``` ### Service Configuration Verification + ```bash # Always verify services are: systemctl status service-name # Running @@ -230,6 +260,7 @@ systemctl is-enabled service-name # Enabled for boot ``` ### Storage Configuration Verification + ```bash # Always verify storage is: lsblk # Properly configured @@ -238,6 +269,7 @@ cat /etc/fstab # Persistent configuration ``` ### Network Configuration Verification + ```bash # Always verify network is: ip addr show # Interface has correct IP @@ -246,6 +278,7 @@ ss -tuln # Services listening on correct ports ``` ### User/Security Verification + ```bash # Always verify access is: su - username # User can log in @@ -258,6 +291,7 @@ ssh username@host # Remote access works ## 8. Lab Environment Setup for Practice ### Recommended Practice Environment + ```bash # Minimum setup for RHCSA practice: - 2 RHEL 10 VMs (4GB RAM each, 20GB+ disk) 
@@ -267,6 +301,7 @@ ssh username@host # Remote access works ``` ### Using Vagrant for Practice (from this repository) + ```bash # Navigate to vagrant directory cd /path/to/rhcsa/vagrant @@ -282,6 +317,7 @@ source .rhel-credentials && vagrant up ``` ### Practice Scenarios + 1. **Daily practice**: 30-45 minutes on 2-3 tasks 2. **Weekend labs**: 2-3 hour sessions simulating exam conditions 3. **Mock exams**: Full 3-hour timed practice with all task types @@ -292,6 +328,7 @@ source .rhel-credentials && vagrant up ## 9. Final Preparation Checklist ### One Week Before Exam + - [ ] Complete all synthesis modules - [ ] Practice all hands-on labs - [ ] Take at least 2 full mock exams @@ -299,6 +336,7 @@ source .rhel-credentials && vagrant up - [ ] Verify exam logistics (location, time, requirements) ### Day Before Exam + - [ ] Light review of command syntax only - [ ] Prepare required identification - [ ] Confirm exam location and arrival time @@ -306,6 +344,7 @@ source .rhel-credentials && vagrant up - [ ] Avoid intensive studying ### Morning of Exam + - [ ] Light breakfast 2 hours before - [ ] Review quick reference cards only (15 minutes max) - [ ] Arrive 15-30 minutes early @@ -317,6 +356,7 @@ source .rhel-credentials && vagrant up ## 10. Exam Day Tactics ### When You Sit Down + 1. **Take deep breaths** - calm your nerves 2. **Read instructions carefully** - understand exam rules 3. **Scan all tasks** - get the big picture @@ -324,6 +364,7 @@ source .rhel-credentials && vagrant up 5. **Note time limits** - plan your approach ### During Task Execution + 1. **Read twice, execute once** - understand requirements fully 2. **Work systematically** - complete one task fully before starting next 3. **Verify immediately** - test each task before moving on 
@@ -331,6 +372,7 @@ source .rhel-credentials && vagrant up 5. **Use time wisely** - don't spend too long on any single task ### Final Review Phase + 1. **Test critical functionality** - make sure key services work 2. **Check persistent configuration** - verify settings survive reboot 3. **Review partial completions** - ensure maximum partial credit @@ -342,12 +384,14 @@ source .rhel-credentials && vagrant up ## Summary ### Key Takeaways + - **RHCSA is performance-based** - hands-on skills matter more than theory - **Time management is critical** - don't get stuck on any single task - **Verification is essential** - always test your work immediately - **Practice under pressure** - simulate exam conditions during preparation ### Success Factors + 1. **Thorough preparation** through all synthesis modules 2. **Practical experience** with hands-on labs 3. **Strategic thinking** during the exam @@ -355,10 +399,11 @@ source .rhel-credentials && vagrant up 5. **Systematic verification** of all work ### Next Steps + - Begin with [Module 01: System Installation](01_system_installation.md) - Set up your practice environment using Vagrant - Start with easier modules and progress to advanced topics --- -**Navigation**: [Index](index.md) | [Next → System Installation](01_system_installation.md) \ No newline at end of file +**Navigation**: [Index](index.md) | [Next → System Installation](01_system_installation.md) diff --git a/docs/rhcsa_synthesis/01_system_installation.md b/docs/rhcsa_synthesis/01_system_installation.md index c9af41a..4a8566c 100644 --- a/docs/rhcsa_synthesis/01_system_installation.md +++ b/docs/rhcsa_synthesis/01_system_installation.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + RHEL installation involves deploying the Red Hat Enterprise Linux operating system using the **Anaconda** installer. The process includes: - **System preparation**: Hardware verification and boot media creation 
@@ -29,18 +30,21 @@ RHEL installation involves deploying the Red Hat Enterprise Linux operating syst - **Post-installation**: Initial login and system verification ### Real-World Applications + - **Data center deployments**: Automated installation using Kickstart files - **Development environments**: Virtual machine installations for testing - **Production servers**: Careful configuration for specific workloads - **Lab environments**: Practice installations for certification preparation ### Common Misconceptions + - **Installation = configuration**: Installation only provides the base system - **Default settings are optimal**: Production systems require careful customization - **GUI required**: RHEL can be fully managed from command line - **Single partition layout**: Multiple partitions provide better organization and security ### Key Terminology + - **Anaconda**: The RHEL installer program - **ISO image**: Bootable installation media file - **Kickstart**: Automated installation configuration file @@ -53,6 +57,7 @@ RHEL installation involves deploying the Red Hat Enterprise Linux operating syst ## 3. Command Mastery ### Pre-Installation Commands + ```bash # Verify system requirements lscpu # Check CPU information @@ -65,6 +70,7 @@ sha256sum rhel-9.1-x86_64-dvd.iso ``` ### Post-Installation Verification + ```bash # System information hostnamectl # Display system hostname and info @@ -82,6 +88,7 @@ ping -c 3 8.8.8.8 # Test network connectivity ``` ### Initial System Configuration + ```bash # Set system hostname hostnamectl set-hostname server1.example.com 
@@ -102,49 +109,52 @@ systemctl list-unit-files --type=service --state=enabled ## 4. Installation Workflows ### Standard Installation Procedure + 1. **Boot from Installation Media** - - Select "Install Red Hat Enterprise Linux 9.x" - - Wait for Anaconda to load (may take several minutes) + - Select "Install Red Hat Enterprise Linux 9.x" + - Wait for Anaconda to load (may take several minutes) 2. **Language and Localization** - - Select installation language - - Configure keyboard layout - - Set date and time/timezone + - Select installation language + - Configure keyboard layout + - Set date and time/timezone 3. **Installation Source** - - Verify installation media is detected - - Configure additional repositories if needed + - Verify installation media is detected + - Configure additional repositories if needed 4. **Software Selection** - ``` - Available Base Environments: - ├── Server (recommended for RHCSA) - ├── Minimal Install (command line only) - ├── Workstation (desktop environment) - ├── Custom Operating System (advanced users) - └── Virtualization Host (for hypervisors) - ``` + + ```text + Available Base Environments: + ├── Server (recommended for RHCSA) + ├── Minimal Install (command line only) + ├── Workstation (desktop environment) + ├── Custom Operating System (advanced users) + └── Virtualization Host (for hypervisors) + ``` 5. **Storage Configuration** - - **Automatic partitioning**: Simple, good for learning - - **Custom partitioning**: More control, better for production + - **Automatic partitioning**: Simple, good for learning + - **Custom partitioning**: More control, better for production 6. **Network Configuration** - - Configure hostname - - Set up network interfaces - - Configure static IP if needed + - Configure hostname + - Set up network interfaces + - Configure static IP if needed 7. 
**User Configuration** - - Set root password (required) - - Create regular user account (recommended) - - Configure sudo access + - Set root password (required) + - Create regular user account (recommended) + - Configure sudo access 8. **Begin Installation** - - Review settings summary - - Start installation process - - Configure users while installation proceeds + - Review settings summary + - Start installation process + - Configure users while installation proceeds ### Recommended Partitioning Scheme + ```bash # For RHCSA practice (20GB disk): /boot 1GB (ext4) # Boot files and kernels @@ -160,6 +170,7 @@ swap 1GB (swap) # Virtual memory ``` ### Base Environment Comparison + | Environment | Size | GUI | Services | Use Case | |-------------|------|-----|----------|----------| | **Server** | ~3GB | No | Standard server services | RHCSA practice, production servers | @@ -171,15 +182,18 @@ swap 1GB (swap) # Virtual memory ## 5. Configuration Deep Dive ### Anaconda Installation Configuration + During installation, Anaconda creates several key configuration files: #### Network Configuration + ```bash # /etc/hostname server1.example.com ``` #### User Configuration + ```bash # /etc/passwd (user entries created) root:x:0:0:root:/root:/bin/bash @@ -187,6 +201,7 @@ user1:x:1000:1000:User One:/home/user1:/bin/bash ``` #### Filesystem Configuration + ```bash # /etc/fstab (automatically generated) /dev/mapper/rhel-root / xfs defaults 0 0 @@ -195,7 +210,9 @@ UUID=abc123-def456 /boot ext4 defaults 1 2 ``` ### Post-Installation Configuration Files + #### System Information + ```bash # /etc/os-release NAME="Red Hat Enterprise Linux" @@ -206,6 +223,7 @@ PLATFORM_ID="platform:el9" ``` #### Installed Package Information + ```bash # View installation log cat /var/log/anaconda/anaconda.log 
@@ -219,47 +237,52 @@ dnf history info 1 ## 6. Hands-On Labs ### Lab 6.1: Basic RHEL Installation (Asghar Ghori Method) + **Objective**: Install RHEL 10 with standard configuration for RHCSA practice **Prerequisites**: + - RHEL 10 ISO image - Virtual machine with 20GB disk, 2GB RAM - Network connectivity **Steps**: + 1. **Create Virtual Machine** - ```bash - # In VirtualBox/VMware: - # - Name: rhel10-server1 - # - RAM: 2048MB - # - Disk: 20GB dynamically allocated - # - Network: NAT or Bridged - ``` + + ```bash + # In VirtualBox/VMware: + # - Name: rhel10-server1 + # - RAM: 2048MB + # - Disk: 20GB dynamically allocated + # - Network: NAT or Bridged + ``` 2. **Boot Installation Media** - - Attach RHEL 10 ISO to VM - - Boot from ISO - - Select "Install Red Hat Enterprise Linux 9.x" + - Attach RHEL 10 ISO to VM + - Boot from ISO + - Select "Install Red Hat Enterprise Linux 9.x" 3. **Configure Installation** - - Language: English (US) - - Software Selection: Server - - Installation Destination: Use entire disk, automatic partitioning + - Language: English (US) + - Software Selection: Server + - Installation Destination: Use entire disk, automatic partitioning 4. **Network Configuration** - - Set hostname: `server1.example.com` - - Configure network interface with DHCP or static IP + - Set hostname: `server1.example.com` + - Configure network interface with DHCP or static IP 5. **User Configuration** - - Root password: Set secure password - - Create user: Regular user with sudo privileges + - Root password: Set secure password + - Create user: Regular user with sudo privileges 6. **Complete Installation** - - Review summary and begin installation - - Wait for completion (20-30 minutes) - - Reboot system + - Review summary and begin installation + - Wait for completion (20-30 minutes) + - Reboot system **Verification**: + ```bash # After reboot, verify installation hostnamectl # Check hostname 
@@ -270,34 +293,39 @@ systemctl status # Check system status ``` ### Lab 6.2: Custom Partitioning Installation (Sander van Vugt Method) + **Objective**: Install RHEL 10 with custom partitioning scheme **Steps**: + 1. **Follow initial steps from Lab 6.1** through software selection 2. **Custom Storage Configuration** - - Installation Destination → Custom → Done - - Create new mount points: - ``` - /boot 1GB ext4 - / 10GB xfs - /home 5GB xfs - /var 3GB xfs - swap 1GB swap - ``` + - Installation Destination → Custom → Done + - Create new mount points: + + ```text + /boot 1GB ext4 + / 10GB xfs + /home 5GB xfs + /var 3GB xfs + swap 1GB swap + ``` 3. **Configure each partition**: - ```bash - # For each mount point: - # - Click "+" to add mount point - # - Specify mount point and size - # - Select filesystem type - # - Click "Add mount point" - ``` + + ```bash + # For each mount point: + # - Click "+" to add mount point + # - Specify mount point and size + # - Select filesystem type + # - Click "Add mount point" + ``` 4. **Complete installation** following remaining steps from Lab 6.1 **Verification**: + ```bash # Verify custom partitioning lsblk # Check partition layout 
@@ -307,43 +335,50 @@ mount | grep "^/" | sort # List mounted filesystems ``` ### Lab 6.3: Post-Installation Configuration + **Objective**: Configure newly installed system for RHCSA practice **Steps**: + 1. **System Updates** - ```bash - # Register system (if using RHEL subscription) - subscription-manager register --username your_username - # Update all packages - dnf update -y - ``` + ```bash + # Register system (if using RHEL subscription) + subscription-manager register --username your_username + + # Update all packages + dnf update -y + ``` 2. **Additional Software Installation** - ```bash - # Install useful tools for RHCSA practice - dnf groupinstall "Development Tools" -y - dnf install vim wget curl man-pages -y - ``` + + ```bash + # Install useful tools for RHCSA practice + dnf groupinstall "Development Tools" -y + dnf install vim wget curl man-pages -y + ``` 3. **Security Configuration** - ```bash - # Configure firewall - firewall-cmd --state - firewall-cmd --list-all + + ```bash + # Configure firewall + firewall-cmd --state + firewall-cmd --list-all - # Enable SELinux (verify) - getenforce - ``` + # Enable SELinux (verify) + getenforce + ``` 4. **User Environment** - ```bash - # Configure bash aliases for root - echo 'alias ll="ls -la"' >> /root/.bashrc - echo 'alias grep="grep --color=auto"' >> /root/.bashrc - ``` + + ```bash + # Configure bash aliases for root + echo 'alias ll="ls -la"' >> /root/.bashrc + echo 'alias grep="grep --color=auto"' >> /root/.bashrc + ``` **Verification**: + ```bash # Verify post-installation configuration dnf list installed | wc -l # Count installed packages @@ -359,11 +394,14 @@ getenforce # Verify SELinux status ### Common Installation Issues #### Issue 1: Installation Media Not Detected + **Symptoms**: + - Boot process hangs or shows errors - "No installation source found" message **Diagnosis**: + ```bash # Check ISO integrity before installation sha256sum /path/to/rhel-9.x-x86_64-dvd.iso 
@@ -371,6 +409,7 @@ sha256sum /path/to/rhel-9.x-x86_64-dvd.iso ``` **Resolution**: + - Re-download ISO image if corrupted - Verify virtual machine CD/DVD settings - Try different boot order in BIOS/UEFI @@ -378,11 +417,14 @@ sha256sum /path/to/rhel-9.x-x86_64-dvd.iso **Prevention**: Always verify ISO checksums before installation #### Issue 2: Insufficient Disk Space + **Symptoms**: + - "Not enough space" error during partitioning - Installation fails during package installation **Diagnosis**: + ```bash # In installer, check available disk space # Minimum requirements: @@ -392,17 +434,21 @@ sha256sum /path/to/rhel-9.x-x86_64-dvd.iso ``` **Resolution**: + - Increase virtual machine disk size - Choose Minimal Install if space limited - Use custom partitioning to optimize space usage #### Issue 3: Network Configuration Problems + **Symptoms**: + - Cannot set hostname - Network interface not detected - No network connectivity post-installation **Diagnosis**: + ```bash # During installation, check network tab # Post-installation: @@ -411,6 +457,7 @@ ip addr show # Check IP configuration ``` **Resolution**: + ```bash # Post-installation network fix: nmcli connection show @@ -421,12 +468,15 @@ systemctl restart NetworkManager ### Boot Issues After Installation #### Issue 4: System Won't Boot + **Symptoms**: + - GRUB rescue prompt - Kernel panic messages - Black screen after boot **Diagnosis**: + ```bash # From rescue media: mkdir /mnt/sysimage @@ -435,6 +485,7 @@ chroot /mnt/sysimage ``` **Resolution**: + ```bash # Reinstall GRUB bootloader grub2-install /dev/sda @@ -446,6 +497,7 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ## 8. Quick Reference Card ### Essential Installation Commands + ```bash # Pre-installation verification lscpu # Check CPU 
@@ -460,18 +512,21 @@ ip addr show # Network config ``` ### Key File Locations + - **Installation logs**: `/var/log/anaconda/` - **System configuration**: `/etc/os-release` - **Filesystem mounts**: `/etc/fstab` - **Network configuration**: `/etc/NetworkManager/` ### Installation Options + - **Graphical**: Default installation interface - **Text mode**: Add `inst.text` to boot parameters - **VNC**: Add `inst.vnc` for remote installation - **Kickstart**: Add `inst.ks=URL` for automated installation ### Verification Commands + ```bash # Quick system health check systemctl status # System status 
@@ -484,56 +539,64 @@ dmesg | tail # Kernel messages ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What is the name of the RHEL installer program? - **Answer**: Anaconda - this is the graphical and text-based installer used for all RHEL installations. + **Answer**: Anaconda - this is the graphical and text-based installer used for all RHEL installations. 2. **Question**: What are the minimum partition requirements for RHEL installation? - **Answer**: Root filesystem (/) and swap partition. While /boot is recommended as separate partition, it can reside within the root filesystem in simple installations. + **Answer**: Root filesystem (/) and swap partition. While /boot is recommended as separate partition, it can reside within the root filesystem in simple installations. 3. **Question**: What is the difference between Server and Minimal Install base environments? - **Answer**: Server includes standard server services and networking tools (~3GB), while Minimal Install contains only essential packages for basic system operation (~1GB). + **Answer**: Server includes standard server services and networking tools (~3GB), while Minimal Install contains only essential packages for basic system operation (~1GB). ### Practical Scenarios + 1. **Scenario**: You need to install RHEL on a system with only 10GB available disk space. - **Solution**: Use Minimal Install base environment, create 8GB root partition and 2GB swap, or use custom partitioning to optimize space allocation. + **Solution**: Use Minimal Install base environment, create 8GB root partition and 2GB swap, or use custom partitioning to optimize space allocation. 2. **Scenario**: Installation completed but system won't boot, showing GRUB rescue prompt. - **Solution**: Boot from installation media in rescue mode, chroot to installed system, reinstall GRUB bootloader using grub2-install and grub2-mkconfig commands. 
+ **Solution**: Boot from installation media in rescue mode, chroot to installed system, reinstall GRUB bootloader using grub2-install and grub2-mkconfig commands. ### Command Challenges + 1. **Challenge**: Write commands to verify a successful RHEL installation. - **Answer**: - ```bash - hostnamectl # Check system info - cat /etc/os-release # Verify RHEL version - lsblk && df -h # Check storage - ip addr show # Verify network - systemctl status # Check system health - ``` + **Answer**: + + ```bash + hostnamectl # Check system info + cat /etc/os-release # Verify RHEL version + lsblk && df -h # Check storage + ip addr show # Verify network + systemctl status # Check system health + ``` --- ## 10. Exam Strategy ### Topic-Specific Tips + - Installation knowledge helps with boot troubleshooting tasks - Understand default partitioning schemes for storage questions - Know post-installation configuration locations - Practice both graphical and text-mode installations ### Common Exam Scenarios + 1. **Scenario**: Fix boot issues on system that won't start - **Approach**: Use rescue mode, check /boot contents, verify GRUB configuration + **Approach**: Use rescue mode, check /boot contents, verify GRUB configuration 2. **Scenario**: Configure hostname during system setup - **Approach**: Use `hostnamectl set-hostname` command, verify with `hostnamectl status` + **Approach**: Use `hostnamectl set-hostname` command, verify with `hostnamectl status` ### Time Management + - **Installation tasks**: Usually 5-10 minutes for configuration - **Boot troubleshooting**: Allocate 15-20 minutes maximum - **Quick verification**: Use fast commands like `hostnamectl`, `lsblk` ### Pitfalls to Avoid + - Don't spend excessive time on installation details during exam - Remember to make configuration changes persistent - Always verify system boots correctly after changes 
@@ -544,12 +607,14 @@ dmesg | tail # Kernel messages ## Summary ### Key Takeaways + - **Anaconda** is the RHEL installer program with graphical and text interfaces - **Server base environment** is ideal for RHCSA practice and exam preparation - **Standard partitioning** includes root (/) and swap at minimum, /boot recommended - **Post-installation verification** ensures system is properly configured ### Critical Commands to Remember + ```bash hostnamectl # System information and hostname management lsblk # Display block devices and partitions @@ -557,10 +622,11 @@ systemctl status # Check system and service status ``` ### Next Steps + - Continue to [Module 02: File Management](02_file_management.md) - Practice installation in virtual environment using Vagrant - Review related topics: [Boot Process](11_boot_grub.md), [Storage](07_storage_lvm.md) --- -**Navigation**: [← Exam Overview](00_exam_overview.md) | [Index](index.md) | [Next → File Management](02_file_management.md) \ No newline at end of file +**Navigation**: [← Exam Overview](00_exam_overview.md) | [Index](index.md) | [Next → File Management](02_file_management.md) diff --git a/docs/rhcsa_synthesis/02_file_management.md b/docs/rhcsa_synthesis/02_file_management.md index 4d5e778..07d3a07 100644 --- a/docs/rhcsa_synthesis/02_file_management.md +++ b/docs/rhcsa_synthesis/02_file_management.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + File management in Linux operates on the principle that "everything is a file." This includes: - **Regular files**: Documents, scripts, configuration files @@ -29,6 +30,7 @@ File management in Linux operates on the principle that "everything is a file." - **Special files**: Device files, pipes, sockets ### Real-World Applications + - **Configuration management**: Editing system configuration files - **Log analysis**: Processing and searching through system logs - **Backup operations**: Creating and extracting archives 
@@ -36,12 +38,14 @@ File management in Linux operates on the principle that "everything is a file." - **Automation**: Writing and managing shell scripts ### Common Misconceptions + - **Case sensitivity**: Linux is case-sensitive (`File.txt` ≠ `file.txt`) - **File extensions**: Extensions are for humans; Linux determines file type by content - **Hidden files**: Files starting with `.` are hidden from `ls` by default - **Directory permissions**: Different from file permissions; affect access to directory contents ### Key Terminology + - **Inode**: Index node containing file metadata and disk block locations - **Hard link**: Multiple directory entries pointing to the same inode - **Symbolic link**: File containing the pathname of another file @@ -54,6 +58,7 @@ File management in Linux operates on the principle that "everything is a file." ## 3. Command Mastery ### Essential File Operations + ```bash # Listing files and directories ls -la # Long format with hidden files @@ -76,6 +81,7 @@ mv source destination # Move/rename file or directory ``` ### Text Processing Commands + ```bash # Viewing file contents cat filename # Display entire file @@ -99,6 +105,7 @@ cut -d: -f1 /etc/passwd # Extract first field (delimiter :) ``` ### Archiving and Compression + ```bash # Tar archives tar -czf archive.tar.gz directory/ # Create compressed archive @@ -114,6 +121,7 @@ unzip archive.zip # Extract zip archive ``` ### File Linking + ```bash # Hard links ln source hardlink # Create hard link @@ -126,6 +134,7 @@ readlink symlink # Display link target ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `ls` | List directory contents | `-l`, `-a`, `-h`, `-t` | `ls -lah /home` | 
@@ -139,32 +148,38 @@ readlink symlink # Display link target ## 4. Procedural Workflows ### Standard Procedure: File Search and Analysis + 1. **Initial search**: Use `locate` for quick filename searches - ```bash - locate filename - updatedb # Update locate database if needed - ``` + + ```bash + locate filename + updatedb # Update locate database if needed + ``` 2. **Detailed search**: Use `find` for complex criteria - ```bash - find /path -name "pattern" -type f -size +1M - ``` + + ```bash + find /path -name "pattern" -type f -size +1M + ``` 3. **Content analysis**: Examine file contents - ```bash - file filename # Determine file type - less filename # Review content - grep "pattern" filename # Search within file - ``` + + ```bash + file filename # Determine file type + less filename # Review content + grep "pattern" filename # Search within file + ``` 4. **Verification**: Confirm file properties - ```bash - ls -l filename # Check permissions and size - stat filename # Detailed file information - ``` + + ```bash + ls -l filename # Check permissions and size + stat filename # Detailed file information + ``` ### Decision Tree: Archive Strategy -``` + +```text Archive Task ├── Backup entire directory? → tar -czf backup.tar.gz directory/ ├── Selective file backup? → tar -czf backup.tar.gz file1 file2 file3 
@@ -173,29 +188,34 @@ Archive Task ``` ### Standard Procedure: Log Analysis Workflow + 1. **Identify log location**: Common locations - ```bash - ls /var/log/ # System logs - journalctl --list-boots # Systemd journal - ``` + + ```bash + ls /var/log/ # System logs + journalctl --list-boots # Systemd journal + ``` 2. **Filter relevant entries**: Use grep patterns - ```bash - grep -i "error\|fail\|warn" /var/log/messages - tail -f /var/log/secure # Monitor authentication - ``` + + ```bash + grep -i "error\|fail\|warn" /var/log/messages + tail -f /var/log/secure # Monitor authentication + ``` 3. **Time-based analysis**: Focus on specific periods - ```bash - grep "$(date '+%b %d')" /var/log/messages # Today's entries - journalctl --since "1 hour ago" # Recent systemd logs - ``` + + ```bash + grep "$(date '+%b %d')" /var/log/messages # Today's entries + journalctl --since "1 hour ago" # Recent systemd logs + ``` --- ## 5. Configuration Deep Dive ### File System Navigation + - **`/etc/`**: System configuration files - **`/var/log/`**: System and application logs - **`/tmp/`**: Temporary files (cleared on reboot) @@ -203,6 +223,7 @@ Archive Task - **`/opt/`**: Optional software packages ### Glob Pattern Usage + ```bash # Wildcards ls *.txt # All .txt files @@ -216,6 +237,7 @@ ls {*.txt,*.log} # Brace expansion ``` ### Archive Best Practices + ```bash # Include/exclude patterns tar --exclude="*.tmp" -czf backup.tar.gz directory/ 
@@ -231,35 +253,41 @@ tar -df archive.tar.gz # Compare with filesystem ## 6. Hands-On Labs ### Lab 6.1: File Operations Mastery (Asghar Ghori Style) + **Objective**: Master essential file operations and text processing **Steps**: + 1. **Create test environment** - ```bash - mkdir -p ~/lab02/{documents,logs,archives} - cd ~/lab02 - ``` + + ```bash + mkdir -p ~/lab02/{documents,logs,archives} + cd ~/lab02 + ``` 2. **Generate test files** - ```bash - echo "System log entry 1" > logs/system.log - echo "Error message here" >> logs/system.log - echo "Normal operation" >> logs/system.log - echo "Configuration data" > documents/config.txt - ``` + + ```bash + echo "System log entry 1" > logs/system.log + echo "Error message here" >> logs/system.log + echo "Normal operation" >> logs/system.log + echo "Configuration data" > documents/config.txt + ``` 3. **Practice file operations** - ```bash - # Copy with different options - cp documents/config.txt documents/config.backup - cp -p logs/system.log logs/system.$(date +%Y%m%d) + + ```bash + # Copy with different options + cp documents/config.txt documents/config.backup + cp -p logs/system.log logs/system.$(date +%Y%m%d) - # Search operations - find . -name "*.log" -type f - grep -r "Error" . - ``` + # Search operations + find . -name "*.log" -type f + grep -r "Error" . + ``` **Verification**: + ```bash ls -la logs/ # Verify file creation find . -name "*.backup" # Check backup files 
@@ -267,35 +295,41 @@ wc -l logs/system.log # Count log entries ``` ### Lab 6.2: Advanced Text Processing (Sander van Vugt Style) + **Objective**: Master text processing and analysis techniques **Steps**: + 1. **Create sample data** - ```bash - cp /etc/passwd ~/lab02/passwd.sample - cp /var/log/messages ~/lab02/messages.sample 2>/dev/null || \ - journalctl > ~/lab02/messages.sample - ``` + + ```bash + cp /etc/passwd ~/lab02/passwd.sample + cp /var/log/messages ~/lab02/messages.sample 2>/dev/null || \ + journalctl > ~/lab02/messages.sample + ``` 2. **Text analysis tasks** - ```bash - # User analysis - cut -d: -f1,3 ~/lab02/passwd.sample | sort -t: -k2 -n - grep -c "bash\|sh" ~/lab02/passwd.sample + + ```bash + # User analysis + cut -d: -f1,3 ~/lab02/passwd.sample | sort -t: -k2 -n + grep -c "bash\|sh" ~/lab02/passwd.sample - # Log analysis - grep -i "error\|fail" ~/lab02/messages.sample | wc -l - tail -20 ~/lab02/messages.sample | grep -v "systemd" - ``` + # Log analysis + grep -i "error\|fail" ~/lab02/messages.sample | wc -l + tail -20 ~/lab02/messages.sample | grep -v "systemd" + ``` 3. **Advanced filtering** - ```bash - # Complex grep patterns - grep -E "(error|fail|warn)" ~/lab02/messages.sample - awk '{print $1, $2, $3}' ~/lab02/messages.sample | head -10 - ``` + + ```bash + # Complex grep patterns + grep -E "(error|fail|warn)" ~/lab02/messages.sample + awk '{print $1, $2, $3}' ~/lab02/messages.sample | head -10 + ``` **Verification**: + ```bash # Verify text processing results cut -d: -f1 ~/lab02/passwd.sample | sort | head -5 
@@ -303,50 +337,57 @@ grep -c ":" ~/lab02/passwd.sample ``` ### Lab 6.3: Archive and Link Management (Synthesis Challenge) + **Objective**: Master archiving, compression, and linking **Scenario**: Create a backup system with different archive types and linking strategies **Requirements**: + - Create compressed archives of different directories - Implement hard and symbolic links - Practice archive extraction and verification **Solution Steps**: + 1. **Prepare directory structure** - ```bash - mkdir -p ~/lab02/backup-test/{dir1,dir2,dir3} - echo "File in dir1" > ~/lab02/backup-test/dir1/file1.txt - echo "File in dir2" > ~/lab02/backup-test/dir2/file2.txt - echo "Shared content" > ~/lab02/backup-test/shared.txt - ``` + + ```bash + mkdir -p ~/lab02/backup-test/{dir1,dir2,dir3} + echo "File in dir1" > ~/lab02/backup-test/dir1/file1.txt + echo "File in dir2" > ~/lab02/backup-test/dir2/file2.txt + echo "Shared content" > ~/lab02/backup-test/shared.txt + ``` 2. **Create various archives** - ```bash - # Different compression methods - tar -czf ~/lab02/archives/backup-gzip.tar.gz ~/lab02/backup-test/ - tar -cjf ~/lab02/archives/backup-bzip2.tar.bz2 ~/lab02/backup-test/ - zip -r ~/lab02/archives/backup.zip ~/lab02/backup-test/ - ``` + + ```bash + # Different compression methods + tar -czf ~/lab02/archives/backup-gzip.tar.gz ~/lab02/backup-test/ + tar -cjf ~/lab02/archives/backup-bzip2.tar.bz2 ~/lab02/backup-test/ + zip -r ~/lab02/archives/backup.zip ~/lab02/backup-test/ + ``` 3. **Implement linking strategy** - ```bash - # Hard links - ln ~/lab02/backup-test/shared.txt ~/lab02/backup-test/dir1/shared-hard + + ```bash + # Hard links + ln ~/lab02/backup-test/shared.txt ~/lab02/backup-test/dir1/shared-hard - # Symbolic links - ln -s ../shared.txt ~/lab02/backup-test/dir2/shared-soft - ``` + # Symbolic links + ln -s ../shared.txt ~/lab02/backup-test/dir2/shared-soft + ``` 4. 
**Verification and analysis** - ```bash - # Compare archive sizes - ls -lh ~/lab02/archives/ + + ```bash + # Compare archive sizes + ls -lh ~/lab02/archives/ - # Verify links - ls -li ~/lab02/backup-test/shared.txt ~/lab02/backup-test/dir1/shared-hard - ls -l ~/lab02/backup-test/dir2/shared-soft - ``` + # Verify links + ls -li ~/lab02/backup-test/shared.txt ~/lab02/backup-test/dir1/shared-hard + ls -l ~/lab02/backup-test/dir2/shared-soft + ``` --- @@ -355,11 +396,14 @@ grep -c ":" ~/lab02/passwd.sample ### Common Issues #### Issue 1: "No such file or directory" errors + **Symptoms**: + - Commands fail with file not found errors - Scripts cannot locate files **Diagnosis**: + ```bash # Check current directory pwd @@ -370,6 +414,7 @@ ls -ld /path/to/file ``` **Resolution**: + ```bash # Use absolute paths ls /full/path/to/file @@ -382,11 +427,14 @@ ls -ld /path/to/ **Prevention**: Always use tab completion and absolute paths in scripts #### Issue 2: Archive extraction failures + **Symptoms**: + - tar command fails with "not in gzip format" error - Archive appears corrupted **Diagnosis**: + ```bash # Check file type file archive.tar.gz @@ -397,6 +445,7 @@ df -h . ``` **Resolution**: + ```bash # Use correct extraction flags tar -xf archive.tar.gz # Auto-detect compression @@ -407,11 +456,14 @@ ls -l archive.tar.gz ``` #### Issue 3: Symbolic link problems + **Symptoms**: + - Symlinks point to non-existent files - Permission denied accessing through symlinks **Diagnosis**: + ```bash # Check link status ls -l symlink @@ -422,6 +474,7 @@ ls -l $(readlink symlink) ``` **Resolution**: + ```bash # Fix broken link ln -sf correct/target symlink @@ -430,6 +483,7 @@ rm symlink && ln -s new/target symlink ``` ### Diagnostic Command Sequence + ```bash # File system troubleshooting workflow pwd # Confirm current location 
@@ -440,6 +494,7 @@ lsof filename # Check if file is open ``` ### Log File Analysis + - **`/var/log/messages`**: General system messages - **`/var/log/secure`**: Authentication and security events - **`/var/log/boot.log`**: Boot process messages @@ -450,6 +505,7 @@ lsof filename # Check if file is open ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # File operations ls -lah # List all files with details @@ -469,17 +525,20 @@ tar -xzf archive.tar.gz # Extract archive ``` ### Key File Locations + - **Configuration**: `/etc/` directory - **Logs**: `/var/log/` directory - **User data**: `/home/username/` - **Temporary**: `/tmp/` directory ### Important Patterns + - **Hidden files**: Start with `.` (dot) - **Backup files**: Often end with `~` or `.bak` - **Log files**: Usually in `/var/log/` with `.log` extension ### Verification Commands + ```bash # Quick file checks ls -l filename # File details 
@@ -493,66 +552,75 @@ du -sh directory # Directory size ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What's the difference between hard links and symbolic links? - **Answer**: Hard links point to the same inode (same file data), while symbolic links contain the pathname of another file. Hard links cannot cross filesystems or point to directories; symbolic links can. If the original file is deleted, hard links still access the data, but symbolic links become broken. + **Answer**: Hard links point to the same inode (same file data), while symbolic links contain the pathname of another file. Hard links cannot cross filesystems or point to directories; symbolic links can. If the original file is deleted, hard links still access the data, but symbolic links become broken. 2. **Question**: Why might you use `tar` instead of `zip` for archiving? - **Answer**: Tar preserves Unix file permissions, ownership, and metadata better than zip. It's the standard in Unix/Linux environments and integrates seamlessly with compression tools. Tar also handles symbolic links correctly and is more efficient for backing up entire directory structures. + **Answer**: Tar preserves Unix file permissions, ownership, and metadata better than zip. It's the standard in Unix/Linux environments and integrates seamlessly with compression tools. Tar also handles symbolic links correctly and is more efficient for backing up entire directory structures. 3. **Question**: When would you use `find` versus `locate`? - **Answer**: Use `locate` for quick filename searches across the entire system (faster, uses database). Use `find` for complex searches based on file attributes, content, or when you need real-time results. Find searches the actual filesystem; locate searches a database that may be outdated. + **Answer**: Use `locate` for quick filename searches across the entire system (faster, uses database). 
Use `find` for complex searches based on file attributes, content, or when you need real-time results. Find searches the actual filesystem; locate searches a database that may be outdated. ### Practical Scenarios + 1. **Scenario**: You need to find all configuration files modified in the last 24 hours. - **Solution**: - ```bash - find /etc -name "*.conf" -mtime -1 -type f - find /etc -name "*.cfg" -mtime -1 -type f - ``` + **Solution**: + + ```bash + find /etc -name "*.conf" -mtime -1 -type f + find /etc -name "*.cfg" -mtime -1 -type f + ``` 2. **Scenario**: Create a backup excluding temporary files and logs. - **Solution**: - ```bash - tar --exclude="*.tmp" --exclude="*.log" --exclude="/var/log/*" \ - -czf backup.tar.gz /home/user/ - ``` + **Solution**: + + ```bash + tar --exclude="*.tmp" --exclude="*.log" --exclude="/var/log/*" \ + -czf backup.tar.gz /home/user/ + ``` ### Command Challenges + 1. **Challenge**: Write a command to find all files larger than 100MB in /var directory - **Answer**: `find /var -type f -size +100M` - **Explanation**: `-type f` ensures only regular files, `-size +100M` finds files larger than 100 megabytes + **Answer**: `find /var -type f -size +100M` + **Explanation**: `-type f` ensures only regular files, `-size +100M` finds files larger than 100 megabytes 2. **Challenge**: Create a command to show the 10 largest files in the current directory - **Answer**: `ls -lS | head -11 | tail -10` - **Explanation**: `-S` sorts by size (largest first), `head -11` gets first 11 lines (including header), `tail -10` shows last 10 (excluding header) + **Answer**: `ls -lS | head -11 | tail -10` + **Explanation**: `-S` sorts by size (largest first), `head -11` gets first 11 lines (including header), `tail -10` shows last 10 (excluding header) --- ## 10. 
Exam Strategy ### Topic-Specific Tips + - Practice file operations until they're automatic - speed matters in the exam - Master grep patterns as they're used throughout the exam - Know the difference between absolute and relative paths - Understand when to use different archive formats ### Common Exam Scenarios + 1. **Scenario**: Find and copy configuration files to a backup directory - **Approach**: Use `find` with appropriate criteria, then `cp` with `-p` to preserve attributes + **Approach**: Use `find` with appropriate criteria, then `cp` with `-p` to preserve attributes 2. **Scenario**: Search log files for specific error patterns - **Approach**: Combine `grep`, `tail`, and date filtering for targeted searches + **Approach**: Combine `grep`, `tail`, and date filtering for targeted searches 3. **Scenario**: Create archives of user data with specific exclusions - **Approach**: Use `tar` with `--exclude` patterns for clean backups + **Approach**: Use `tar` with `--exclude` patterns for clean backups ### Time Management + - **File operations**: 2-3 minutes for basic tasks - **Archive creation**: 3-5 minutes including verification - **Text searching**: 2-4 minutes depending on complexity - **Quick verification**: Always test your commands before moving on ### Pitfalls to Avoid + - Don't forget the `-r` flag when copying directories - Remember that Linux is case-sensitive - Always verify archive contents before considering task complete @@ -564,12 +632,14 @@ du -sh directory # Directory size ## Summary ### Key Takeaways + - **File management is fundamental** - these skills are used in every exam task - **Master text processing tools** - grep, sort, and cut are essential for analysis - **Archive operations are common** - know tar syntax and compression options - **Practice makes perfect** - file operations must be automatic for exam success ### Critical Commands to Remember + ```bash ls -la # List files with details find /path -name "pattern" # Search for files 
@@ -579,10 +649,11 @@ ln -s target linkname # Create symbolic link ``` ### Next Steps + - Continue to [Module 03: User & Group Management](03_user_group_management.md) - Practice file operations in the Vagrant environment - Review related topics: [File Permissions](04_file_permissions.md), [Storage](07_storage_lvm.md) --- -**Navigation**: [← System Installation](01_system_installation.md) | [Index](index.md) | [Next → User Management](03_user_group_management.md) \ No newline at end of file +**Navigation**: [← System Installation](01_system_installation.md) | [Index](index.md) | [Next → User Management](03_user_group_management.md) diff --git a/docs/rhcsa_synthesis/03_user_group_management.md b/docs/rhcsa_synthesis/03_user_group_management.md index 9697e94..8e7881d 100644 --- a/docs/rhcsa_synthesis/03_user_group_management.md +++ b/docs/rhcsa_synthesis/03_user_group_management.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + User and group management in RHEL 10 is based on the traditional Unix model with modern enhancements: - **User accounts**: Unique identities with UID, home directory, and shell @@ -30,6 +31,7 @@ User and group management in RHEL 10 is based on the traditional Unix model with - **Password policies**: Rules governing password complexity and expiration ### Real-World Applications + - **Multi-user environments**: Corporate servers with multiple administrators - **Service accounts**: Running applications with specific privileges - **Temporary access**: Creating accounts for contractors or temporary staff 
@@ -37,6 +39,7 @@ User and group management in RHEL 10 is based on the traditional Unix model with - **Resource management**: Controlling access to files and system resources ### Common Misconceptions + - **Root is UID 0**: Root always has UID 0, but UID 0 doesn't always mean "root" name - **Group membership**: Users can belong to multiple groups simultaneously - **Home directories**: Not automatically deleted when users are removed @@ -44,6 +47,7 @@ User and group management in RHEL 10 is based on the traditional Unix model with - **Password expiration**: Affects login but not running processes ### Key Terminology + - **UID**: User Identifier (numeric ID for user accounts) - **GID**: Group Identifier (numeric ID for groups) - **Primary group**: User's main group (stored in /etc/passwd) @@ -58,6 +62,7 @@ User and group management in RHEL 10 is based on the traditional Unix model with ## 3. Command Mastery ### User Management Commands + ```bash # Creating users useradd username # Basic user creation @@ -85,6 +90,7 @@ userdel -r username # Delete user and home directory ``` ### Group Management Commands + ```bash # Creating groups groupadd groupname # Basic group creation @@ -105,6 +111,7 @@ groupdel groupname # Delete group ``` ### Password Management Commands + ```bash # Setting passwords passwd username # Set/change password @@ -123,6 +130,7 @@ chage -l username # List aging information ``` ### Information Commands + ```bash # User information id username # Show UID, GID, and groups @@ -142,6 +150,7 @@ getent group groupname # Get group info from all sources ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `useradd` | Create user account | `-u`, `-g`, `-G`, `-s`, `-d` | `useradd -G wheel john` | 
@@ -156,62 +165,73 @@ getent group groupname # Get group info from all sources ## 4. Procedural Workflows ### Standard Procedure: Creating a New User + 1. **Plan user requirements** - ```bash - # Determine: UID, primary group, supplementary groups, shell, home directory - ``` + + ```bash + # Determine: UID, primary group, supplementary groups, shell, home directory + ``` 2. **Create the user account** - ```bash - useradd -u 1500 -g users -G wheel,developers -s /bin/bash -m username - ``` + + ```bash + useradd -u 1500 -g users -G wheel,developers -s /bin/bash -m username + ``` 3. **Set initial password** - ```bash - passwd username - # Force password change on first login - chage -d 0 username - ``` + + ```bash + passwd username + # Force password change on first login + chage -d 0 username + ``` 4. **Configure password policy** - ```bash - chage -M 90 -m 7 -W 14 username - ``` + + ```bash + chage -M 90 -m 7 -W 14 username + ``` 5. **Verify account creation** - ```bash - id username - ls -ld /home/username - getent passwd username - ``` + + ```bash + id username + ls -ld /home/username + getent passwd username + ``` ### Standard Procedure: User Account Maintenance + 1. **Regular account review** - ```bash - # Check for unused accounts - last | grep username - # Review password aging - chage -l username - ``` + + ```bash + # Check for unused accounts + last | grep username + # Review password aging + chage -l username + ``` 2. **Modify account as needed** - ```bash - # Add to new group - usermod -aG newgroup username - # Change shell - usermod -s /bin/zsh username - ``` + + ```bash + # Add to new group + usermod -aG newgroup username + # Change shell + usermod -s /bin/zsh username + ``` 3. 
**Handle account issues** - ```bash - # Temporarily lock account - usermod -L username - # Force password change - passwd -e username - ``` + + ```bash + # Temporarily lock account + usermod -L username + # Force password change + passwd -e username + ``` ### Decision Tree: Account Creation Strategy -``` + +```text New User Request ├── Regular user? │ ├── Standard UID range (≥1000) @@ -228,28 +248,32 @@ New User Request ``` ### Standard Procedure: Group Management + 1. **Create group structure** - ```bash - # Create functional groups - groupadd -g 2000 developers - groupadd -g 2001 admins - groupadd -g 2002 operations - ``` + + ```bash + # Create functional groups + groupadd -g 2000 developers + groupadd -g 2001 admins + groupadd -g 2002 operations + ``` 2. **Assign users to groups** - ```bash - # Add existing users - usermod -aG developers user1,user2 - gpasswd -a user3 admins - ``` + + ```bash + # Add existing users + usermod -aG developers user1,user2 + gpasswd -a user3 admins + ``` 3. **Verify group memberships** - ```bash - # Check specific user - groups username - # Check specific group - getent group groupname - ``` + + ```bash + # Check specific user + groups username + # Check specific group + getent group groupname + ``` --- @@ -258,6 +282,7 @@ New User Request ### Primary Configuration Files #### /etc/passwd - User Account Information + ```bash # Format: username:password:UID:GID:comment:home:shell root:x:0:0:root:/root:/bin/bash @@ -266,6 +291,7 @@ apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin ``` #### /etc/shadow - Password Information + ```bash # Format: username:password:lastchange:min:max:warn:inactive:expire:reserved root:$6$encrypted$hash:19000:0:99999:7::: @@ -273,6 +299,7 @@ john:$6$encrypted$hash:19000:7:90:14:30:19200: ``` #### /etc/group - Group Information + ```bash # Format: groupname:password:GID:members root:x:0: 
@@ -281,6 +308,7 @@ developers:x:2000:john,jane,bob ``` #### /etc/gshadow - Group Password Information + ```bash # Format: groupname:password:admins:members root::: @@ -291,6 +319,7 @@ developers:!!::john,jane,bob ### Default Configuration Files #### /etc/default/useradd - Default User Settings + ```bash # Default values for useradd command GROUP=100 @@ -303,6 +332,7 @@ CREATE_MAIL_SPOOL=yes ``` #### /etc/login.defs - Login Definitions + ```bash # Password aging controls PASS_MAX_DAYS 90 @@ -323,6 +353,7 @@ SYS_GID_MAX 999 ``` #### /etc/skel/ - Skeleton Directory + ```bash # Template files copied to new user home directories /etc/skel/.bash_logout @@ -333,6 +364,7 @@ SYS_GID_MAX 999 ### Password Policy Configuration #### System-wide Password Policies + ```bash # /etc/security/pwquality.conf minlen = 8 # Minimum password length 
@@ -347,45 +379,51 @@ ocredit = -1 # Require at least 1 special character ## 6. Hands-On Labs ### Lab 6.1: Basic User Management (Asghar Ghori Style) + **Objective**: Create, modify, and manage user accounts with various configurations **Steps**: + 1. **Create users with different specifications** - ```bash - # Regular user with defaults - useradd alice - passwd alice + + ```bash + # Regular user with defaults + useradd alice + passwd alice - # User with custom UID and group - useradd -u 1500 -g wheel -s /bin/bash bob - passwd bob + # User with custom UID and group + useradd -u 1500 -g wheel -s /bin/bash bob + passwd bob - # Service account - useradd -r -s /sbin/nologin -d /var/lib/webservice webservice - ``` + # Service account + useradd -r -s /sbin/nologin -d /var/lib/webservice webservice + ``` 2. **Modify existing users** - ```bash - # Add alice to additional groups - usermod -aG wheel,developers alice + + ```bash + # Add alice to additional groups + usermod -aG wheel,developers alice - # Change bob's shell - usermod -s /bin/zsh bob + # Change bob's shell + usermod -s /bin/zsh bob - # Lock webservice account - usermod -L webservice - ``` + # Lock webservice account + usermod -L webservice + ``` 3. **Configure password policies** - ```bash - # Set password aging for alice - chage -M 60 -m 5 -W 10 alice + + ```bash + # Set password aging for alice + chage -M 60 -m 5 -W 10 alice - # Force password change for bob - passwd -e bob - ``` + # Force password change for bob + passwd -e bob + ``` **Verification**: + ```bash # Verify user creation and modifications id alice 
@@ -397,52 +435,58 @@ getent passwd | grep -E "(alice|bob|webservice)" ``` ### Lab 6.2: Group Management and Membership (Sander van Vugt Style) + **Objective**: Create groups and manage complex membership scenarios **Steps**: + 1. **Create organizational groups** - ```bash - # Create department groups - groupadd -g 2000 marketing - groupadd -g 2001 sales - groupadd -g 2002 engineering + + ```bash + # Create department groups + groupadd -g 2000 marketing + groupadd -g 2001 sales + groupadd -g 2002 engineering - # Create role-based groups - groupadd -g 3000 managers - groupadd -g 3001 leads - ``` + # Create role-based groups + groupadd -g 3000 managers + groupadd -g 3001 leads + ``` 2. **Create users and assign group memberships** - ```bash - # Marketing team - useradd -g marketing -G leads marketing_lead - useradd -g marketing marketing_user1 - useradd -g marketing marketing_user2 + + ```bash + # Marketing team + useradd -g marketing -G leads marketing_lead + useradd -g marketing marketing_user1 + useradd -g marketing marketing_user2 - # Engineering team - useradd -g engineering -G managers,leads engineering_lead - useradd -g engineering engineering_dev1 - useradd -g engineering engineering_dev2 + # Engineering team + useradd -g engineering -G managers,leads engineering_lead + useradd -g engineering engineering_dev1 + useradd -g engineering engineering_dev2 - # Set passwords - echo "password123" | passwd --stdin marketing_lead - echo "password123" | passwd --stdin marketing_user1 - echo "password123" | passwd --stdin engineering_lead - echo "password123" | passwd --stdin engineering_dev1 - ``` + # Set passwords + echo "password123" | passwd --stdin marketing_lead + echo "password123" | passwd --stdin marketing_user1 + echo "password123" | passwd --stdin engineering_lead + echo "password123" | passwd --stdin engineering_dev1 + ``` 3. 
**Modify group memberships** - ```bash - # Add cross-functional team members - usermod -aG sales marketing_lead - usermod -aG marketing engineering_lead + + ```bash + # Add cross-functional team members + usermod -aG sales marketing_lead + usermod -aG marketing engineering_lead - # Use gpasswd for group management - gpasswd -a marketing_user1 leads - gpasswd -A marketing_lead marketing - ``` + # Use gpasswd for group management + gpasswd -a marketing_user1 leads + gpasswd -A marketing_lead marketing + ``` **Verification**: + ```bash # Verify group structure getent group | grep -E "(marketing|sales|engineering|managers|leads)" 
@@ -454,80 +498,87 @@ getent gshadow | grep marketing ``` ### Lab 6.3: Advanced User Account Scenarios (Synthesis Challenge) + **Objective**: Handle complex user management scenarios combining both methodologies **Scenario**: Set up a development environment with different user types and access requirements **Requirements**: + - Create system service accounts - Set up developer accounts with specific group memberships - Implement password policies and account expiration - Handle temporary contractor accounts **Solution Steps**: + 1. **Create service accounts for applications** - ```bash - # Database service account - useradd -r -u 500 -g daemon -s /sbin/nologin -d /var/lib/database database + + ```bash + # Database service account + useradd -r -u 500 -g daemon -s /sbin/nologin -d /var/lib/database database - # Web service account - useradd -r -u 501 -g daemon -s /sbin/nologin -d /var/lib/webapp webapp + # Web service account + useradd -r -u 501 -g daemon -s /sbin/nologin -d /var/lib/webapp webapp - # Backup service account - useradd -r -u 502 -g daemon -s /bin/bash -d /var/lib/backup backup - ``` + # Backup service account + useradd -r -u 502 -g daemon -s /bin/bash -d /var/lib/backup backup + ``` 2. 
**Create developer environment** - ```bash - # Create developer groups - groupadd -g 5000 developers - groupadd -g 5001 senior_devs - groupadd -g 5002 devops + + ```bash + # Create developer groups + groupadd -g 5000 developers + groupadd -g 5001 senior_devs + groupadd -g 5002 devops - # Create developer accounts - useradd -g developers -G wheel -s /bin/bash -c "Senior Developer" senior_dev1 - useradd -g developers -s /bin/bash -c "Junior Developer" junior_dev1 - useradd -g developers -G devops,wheel -s /bin/bash -c "DevOps Engineer" devops1 + # Create developer accounts + useradd -g developers -G wheel -s /bin/bash -c "Senior Developer" senior_dev1 + useradd -g developers -s /bin/bash -c "Junior Developer" junior_dev1 + useradd -g developers -G devops,wheel -s /bin/bash -c "DevOps Engineer" devops1 - # Set strong password policies for developers - for user in senior_dev1 junior_dev1 devops1; do - passwd $user - chage -M 30 -m 3 -W 5 $user - done - ``` + # Set strong password policies for developers + for user in senior_dev1 junior_dev1 devops1; do + passwd $user + chage -M 30 -m 3 -W 5 $user + done + ``` 3. **Handle contractor accounts** - ```bash - # Create temporary contractor account (expires in 90 days) - future_date=$(date -d "+90 days" +%Y-%m-%d) - useradd -g developers -s /bin/bash -c "Contractor" -e $future_date contractor1 - passwd contractor1 + + ```bash + # Create temporary contractor account (expires in 90 days) + future_date=$(date -d "+90 days" +%Y-%m-%d) + useradd -g developers -s /bin/bash -c "Contractor" -e $future_date contractor1 + passwd contractor1 - # Force password change on first login - chage -d 0 contractor1 + # Force password change on first login + chage -d 0 contractor1 - # Set shorter password validity - chage -M 14 -m 1 -W 3 contractor1 - ``` + # Set shorter password validity + chage -M 14 -m 1 -W 3 contractor1 + ``` 4. 
**Verification and documentation** - ```bash - # Generate user report - echo "=== Service Accounts ===" > user_report.txt - getent passwd | awk -F: '$3 < 1000 && $3 != 0 {print $1, $3, $7}' >> user_report.txt + + ```bash + # Generate user report + echo "=== Service Accounts ===" > user_report.txt + getent passwd | awk -F: '$3 < 1000 && $3 != 0 {print $1, $3, $7}' >> user_report.txt - echo -e "\n=== Developer Accounts ===" >> user_report.txt - getent passwd | awk -F: '$3 >= 1000 {print $1, $3, $5}' >> user_report.txt + echo -e "\n=== Developer Accounts ===" >> user_report.txt + getent passwd | awk -F: '$3 >= 1000 {print $1, $3, $5}' >> user_report.txt - echo -e "\n=== Group Memberships ===" >> user_report.txt - for user in $(getent passwd | awk -F: '$3 >= 1000 {print $1}'); do - echo "$user: $(groups $user | cut -d: -f2)" >> user_report.txt - done + echo -e "\n=== Group Memberships ===" >> user_report.txt + for user in $(getent passwd | awk -F: '$3 >= 1000 {print $1}'); do + echo "$user: $(groups $user | cut -d: -f2)" >> user_report.txt + done - # Check account expiration - echo -e "\n=== Account Expiration ===" >> user_report.txt - chage -l contractor1 | grep "Account expires" >> user_report.txt - ``` + # Check account expiration + echo -e "\n=== Account Expiration ===" >> user_report.txt + chage -l contractor1 | grep "Account expires" >> user_report.txt + ``` --- @@ -536,12 +587,15 @@ getent gshadow | grep marketing ### Common Issues #### Issue 1: User Cannot Login + **Symptoms**: + - Authentication failures - Account locked messages - Permission denied errors **Diagnosis**: + ```bash # Check account status passwd -S username @@ -555,6 +609,7 @@ grep username /etc/passwd ``` **Resolution**: + ```bash # Unlock account if locked passwd -u username 
@@ -571,12 +626,15 @@ usermod -s /bin/bash username **Prevention**: Implement regular account audits and proper password policies #### Issue 2: Group Permission Problems + **Symptoms**: + - Users cannot access group files - "Permission denied" for group resources - Inconsistent group memberships **Diagnosis**: + ```bash # Check current group membership groups username @@ -588,6 +646,7 @@ getent group groupname ``` **Resolution**: + ```bash # Add user to correct group usermod -aG groupname username @@ -599,12 +658,15 @@ getent group groupname ``` #### Issue 3: UID/GID Conflicts + **Symptoms**: + - User creation fails with "UID already exists" - File ownership shows numbers instead of names - Permission inconsistencies **Diagnosis**: + ```bash # Check for UID conflicts getent passwd | sort -t: -k3 -n | uniq -D -f2 @@ -615,6 +677,7 @@ find / -nouser -o -nogroup 2>/dev/null ``` **Resolution**: + ```bash # Change conflicting UID usermod -u newuid username @@ -625,6 +688,7 @@ find /home/username -uid olduid -exec chown username {} \; ``` ### Diagnostic Command Sequence + ```bash # User account troubleshooting workflow getent passwd username # Verify account exists @@ -636,6 +700,7 @@ last username # Check login history ``` ### Log File Analysis + - **`/var/log/secure`**: Authentication events, login attempts - **`/var/log/messages`**: General system messages including user management - **`/var/log/audit/audit.log`**: SELinux denials related to user operations @@ -646,6 +711,7 @@ last username # Check login history ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # User management useradd -G wheel username # Create user with sudo access @@ -665,6 +731,7 @@ chage -l username # Show password aging info ``` ### Key File Locations + - **User accounts**: `/etc/passwd` - **Password hashes**: `/etc/shadow` - **Group information**: `/etc/group` 
@@ -674,6 +741,7 @@ chage -l username # Show password aging info - **Skeleton directory**: `/etc/skel/` ### Important UID/GID Ranges + - **Root**: UID 0, GID 0 - **System accounts**: UID 1-999 - **Regular users**: UID ≥ 1000 @@ -681,6 +749,7 @@ chage -l username # Show password aging info - **Regular groups**: GID ≥ 1000 ### Password Aging Parameters + - **Maximum age**: `-M days` (default 99999) - **Minimum age**: `-m days` (default 0) - **Warning period**: `-W days` (default 7) 
@@ -692,64 +761,72 @@ chage -l username # Show password aging info ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What's the difference between primary and supplementary groups? - **Answer**: A primary group is a user's default group (stored in /etc/passwd, field 4) used for file creation. Supplementary groups are additional groups a user belongs to, providing access to resources owned by those groups. Users can have one primary group but multiple supplementary groups. + **Answer**: A primary group is a user's default group (stored in /etc/passwd, field 4) used for file creation. Supplementary groups are additional groups a user belongs to, providing access to resources owned by those groups. Users can have one primary group but multiple supplementary groups. 2. **Question**: Why might you use a system account instead of a regular user account? - **Answer**: System accounts (UID < 1000) are designed for services and daemons. They typically don't have home directories, use /sbin/nologin as shell, and follow the principle of least privilege. This provides better security isolation and prevents interactive login for service accounts. + **Answer**: System accounts (UID < 1000) are designed for services and daemons. They typically don't have home directories, use /sbin/nologin as shell, and follow the principle of least privilege. This provides better security isolation and prevents interactive login for service accounts. 3. **Question**: What happens when you lock a user account with `usermod -L`? - **Answer**: Account locking prepends an exclamation mark (!) to the password hash in /etc/shadow, preventing password authentication. However, the user might still login using SSH keys. For complete access blocking, also set shell to /sbin/nologin and consider expiring the account. + **Answer**: Account locking prepends an exclamation mark (!) to the password hash in /etc/shadow, preventing password authentication. 
However, the user might still login using SSH keys. For complete access blocking, also set shell to /sbin/nologin and consider expiring the account. ### Practical Scenarios + 1. **Scenario**: Create a contractor account that expires in 30 days and must change password every 14 days. - **Solution**: - ```bash - future_date=$(date -d "+30 days" +%Y-%m-%d) - useradd -e $future_date -s /bin/bash contractor - passwd contractor - chage -M 14 -m 1 -W 3 -d 0 contractor - ``` + **Solution**: + + ```bash + future_date=$(date -d "+30 days" +%Y-%m-%d) + useradd -e $future_date -s /bin/bash contractor + passwd contractor + chage -M 14 -m 1 -W 3 -d 0 contractor + ``` 2. **Scenario**: A user reports they can't access files owned by the "projects" group despite being added to it. - **Solution**: The user needs to logout and login again for group membership changes to take effect, or use `newgrp projects` to switch to the new group in the current session. + **Solution**: The user needs to logout and login again for group membership changes to take effect, or use `newgrp projects` to switch to the new group in the current session. ### Command Challenges + 1. **Challenge**: Write a command to show all users with UID between 1000 and 2000. - **Answer**: `getent passwd | awk -F: '$3 >= 1000 && $3 <= 2000 {print $1, $3}'` - **Explanation**: Uses getent to get all passwd entries, awk to filter by UID range in field 3 + **Answer**: `getent passwd | awk -F: '$3 >= 1000 && $3 <= 2000 {print $1, $3}'` + **Explanation**: Uses getent to get all passwd entries, awk to filter by UID range in field 3 2. **Challenge**: Create a user with no login shell, custom home directory, and specific UID. 
- **Answer**: `useradd -u 1555 -d /opt/service -s /sbin/nologin -m serviceuser` - **Explanation**: `-u` sets UID, `-d` sets custom home, `-s` sets shell, `-m` creates home directory + **Answer**: `useradd -u 1555 -d /opt/service -s /sbin/nologin -m serviceuser` + **Explanation**: `-u` sets UID, `-d` sets custom home, `-s` sets shell, `-m` creates home directory --- ## 10. Exam Strategy ### Topic-Specific Tips + - Always verify user creation with `id username` and `getent passwd username` - Remember that group changes require logout/login or `newgrp` to take effect - Use `chage -l` to verify password policies are correctly applied - Practice creating users with multiple requirements in single commands ### Common Exam Scenarios + 1. **Scenario**: Create users with specific group memberships and password policies - **Approach**: Use `useradd` with multiple options, then `chage` for password aging + **Approach**: Use `useradd` with multiple options, then `chage` for password aging 2. **Scenario**: Troubleshoot user access problems - **Approach**: Check account status, group memberships, and home directory permissions + **Approach**: Check account status, group memberships, and home directory permissions 3. **Scenario**: Set up service accounts for applications - **Approach**: Use system UID range, /sbin/nologin shell, and appropriate group + **Approach**: Use system UID range, /sbin/nologin shell, and appropriate group ### Time Management + - **Basic user creation**: 2-3 minutes including verification - **Complex user with groups and policies**: 4-5 minutes - **Troubleshooting user issues**: 5-7 minutes depending on complexity - **Always verify**: Use `id` and `groups` commands to confirm ### Pitfalls to Avoid + - Don't forget `-m` flag when creating home directories with `useradd` - Remember that `usermod -G` replaces all supplementary groups (use `-aG` to append) - Always set passwords after creating users 
@@ -761,12 +838,14 @@ chage -l username # Show password aging info ## Summary ### Key Takeaways + - **User and group management is foundational** - required for virtually all system administration - **Understand the difference between primary and supplementary groups** - critical for file permissions - **Master password policies and account aging** - important for security compliance - **System accounts vs. regular users** - different configuration requirements and security implications ### Critical Commands to Remember + ```bash useradd -G wheel -s /bin/bash -m username # Create user with sudo access usermod -aG groupname username # Add user to supplementary group @@ -776,10 +855,11 @@ id username # Verify user configuration ``` ### Next Steps + - Continue to [Module 04: File Permissions](04_file_permissions.md) - Practice user management in the Vagrant environment - Review related topics: [SELinux](09_selinux.md), [SSH Configuration](08_networking.md) --- -**Navigation**: [← File Management](02_file_management.md) | [Index](index.md) | [Next → File Permissions](04_file_permissions.md) \ No newline at end of file +**Navigation**: [← File Management](02_file_management.md) | [Index](index.md) | [Next → File Permissions](04_file_permissions.md) diff --git a/docs/rhcsa_synthesis/04_file_permissions.md b/docs/rhcsa_synthesis/04_file_permissions.md index b51ca82..788587e 100644 --- a/docs/rhcsa_synthesis/04_file_permissions.md +++ b/docs/rhcsa_synthesis/04_file_permissions.md @@ -23,6 +23,7 @@ ## 2. Conceptual Foundation ### Core Theory + Linux file permissions operate on a three-tier model: - **Owner (user)**: The file/directory owner's permissions 
@@ -31,6 +32,7 @@ Linux file permissions operate on a three-tier model: - **Permission types**: Read (r), Write (w), Execute (x) ### Real-World Applications + - **System security**: Protecting sensitive configuration files - **Collaboration**: Shared directories for team projects - **Service accounts**: Restricting application access to specific files @@ -38,11 +40,13 @@ Linux file permissions operate on a three-tier model: - **Web servers**: Setting appropriate permissions for web content ### Common Misconceptions + - **Directory permissions**: Execute permission on directories means "traverse" not "run" - **Group permissions**: Group permission applies to primary group, not all user's groups - **Root override**: Root can read/write most files regardless of permissions (but not execute) ### Key Terminology + - **Octal notation**: Numeric representation of permissions (755, 644, etc.) - **Symbolic notation**: Letter-based permission representation (rwxr-xr-x) - **umask**: Default permission mask for new files and directories @@ -52,6 +56,7 @@ Linux file permissions operate on a three-tier model: ## 3. Command Mastery ### Basic Permission Commands + ```bash # View permissions ls -l file # Show detailed permissions @@ -73,6 +78,7 @@ chmod 777 file # rwxrwxrwx (dangerous!) ``` ### Ownership Commands + ```bash # Change ownership chown user file # Change owner only @@ -86,6 +92,7 @@ chmod -R 755 directory # Change permissions recursively ``` ### umask Configuration + ```bash # View current umask umask # Show current umask in octal @@ -98,6 +105,7 @@ umask u=rwx,g=rx,o= # Symbolic umask setting ``` ### Finding Files by Permissions + ```bash # Find by permission patterns find / -perm 777 # Find world-writable files 
@@ -111,6 +119,7 @@ find / -nogroup # Find files with no valid group ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `chmod` | Change file permissions | `u+x`, `g-w`, `755`, `-R` | `chmod 644 file.txt` | 
@@ -123,49 +132,58 @@ find / -nogroup # Find files with no valid group ## 4. Procedural Workflows ### Standard Procedure: Setting Up Secure File Permissions + 1. **Determine access requirements** - ```bash - # Identify who needs what access: - # - Owner: full control - # - Group: read/execute - # - Others: no access - ``` + + ```bash + # Identify who needs what access: + # - Owner: full control + # - Group: read/execute + # - Others: no access + ``` 2. **Set basic permissions** - ```bash - chmod 750 file_or_directory - # or symbolically: - chmod u=rwx,g=rx,o= file_or_directory - ``` + + ```bash + chmod 750 file_or_directory + # or symbolically: + chmod u=rwx,g=rx,o= file_or_directory + ``` 3. **Set appropriate ownership** - ```bash - chown owner:group file_or_directory - ``` + + ```bash + chown owner:group file_or_directory + ``` 4. **Verify permissions** - ```bash - ls -l file_or_directory - stat file_or_directory - ``` + + ```bash + ls -l file_or_directory + stat file_or_directory + ``` ### Standard Procedure: Shared Directory Setup + 1. **Create directory with appropriate permissions** - ```bash - mkdir /shared/project - chmod 775 /shared/project - chown :projectteam /shared/project - ``` + + ```bash + mkdir /shared/project + chmod 775 /shared/project + chown :projectteam /shared/project + ``` 2. **Test directory functionality** - ```bash - # Test as different users - touch /shared/project/testfile - ls -l /shared/project/testfile - ``` + + ```bash + # Test as different users + touch /shared/project/testfile + ls -l /shared/project/testfile + ``` ### Decision Tree: Permission Strategy -``` + +```text Permission Requirements ├── Simple user/group/other? → Use chmod with octal notation ├── Shared directory? → Use group permissions + chmod 
@@ -173,34 +191,40 @@ Permission Requirements ``` ### Standard Procedure: Security Audit + 1. **Find potentially dangerous permissions** - ```bash - # World-writable files - find / -type f -perm -002 2>/dev/null - # Files with no owner/group - find / \( -nouser -o -nogroup \) 2>/dev/null - ``` + ```bash + # World-writable files + find / -type f -perm -002 2>/dev/null + + # Files with no owner/group + find / \( -nouser -o -nogroup \) 2>/dev/null + ``` 2. **Review critical system files** - ```bash - ls -l /etc/passwd /etc/shadow /etc/group - ls -l /etc/sudoers - ls -ld /tmp /var/tmp - ``` + + ```bash + ls -l /etc/passwd /etc/shadow /etc/group + ls -l /etc/sudoers + ls -ld /tmp /var/tmp + ``` 3. **Check home directory permissions** - ```bash - ls -ld /home/* - find /home -type d -perm -002 2>/dev/null - ``` + + ```bash + ls -ld /home/* + find /home -type d -perm -002 2>/dev/null + ``` --- ## 5. Configuration Deep Dive ### Permission Calculation + #### Octal Permission Values + ```bash # Read (r) = 4, Write (w) = 2, Execute (x) = 1 @@ -213,6 +237,7 @@ Permission Requirements ``` #### Special Permission Values + ```bash # Special permissions (added to regular permissions): 4000 = setuid bit @@ -227,7 +252,9 @@ Permission Requirements ``` ### umask Configuration Files + #### System-wide umask + ```bash # /etc/bashrc or /etc/profile umask 022 # Default for most users @@ -237,6 +264,7 @@ umask 027 # More restrictive for root ``` #### Per-user umask + ```bash # ~/.bashrc or ~/.bash_profile umask 077 # Very restrictive (user-only access) 
@@ -247,78 +275,89 @@ umask 077 # Very restrictive (user-only access) ## 6. Hands-On Labs ### Lab 6.1: Basic Permission Management (Asghar Ghori Style) + **Objective**: Master fundamental permission operations and special bits **Steps**: + 1. **Create test environment** - ```bash - mkdir ~/permissions_lab - cd ~/permissions_lab - touch file1 file2 file3 - mkdir dir1 dir2 dir3 - ``` + + ```bash + mkdir ~/permissions_lab + cd ~/permissions_lab + touch file1 file2 file3 + mkdir dir1 dir2 dir3 + ``` 2. **Practice basic permissions** - ```bash - # Set different permission combinations - chmod 644 file1 # Standard file permissions - chmod 755 dir1 # Standard directory permissions - chmod 600 file2 # Private file - chmod 700 dir2 # Private directory + + ```bash + # Set different permission combinations + chmod 644 file1 # Standard file permissions + chmod 755 dir1 # Standard directory permissions + chmod 600 file2 # Private file + chmod 700 dir2 # Private directory - # Use symbolic notation - chmod u=rw,g=r,o= file3 # Owner: rw, Group: r, Other: none - chmod u+x dir3 # Add execute for owner - ``` + # Use symbolic notation + chmod u=rw,g=r,o= file3 # Owner: rw, Group: r, Other: none + chmod u+x dir3 # Add execute for owner + ``` **Verification**: + ```bash ls -la # Check all permissions stat file1 file2 file3 # Detailed permission info ``` ### Lab 6.2: Ownership and umask Configuration + **Objective**: Practice ownership changes and understand umask **Steps**: + 1. **Practice ownership changes** - ```bash - mkdir ~/ownership_lab - cd ~/ownership_lab - touch file1 file2 - mkdir dir1 - # Change ownership (requires root or owning the files) - chown :users file1 - chgrp users dir1 - ``` + ```bash + mkdir ~/ownership_lab + cd ~/ownership_lab + touch file1 file2 + mkdir dir1 + + # Change ownership (requires root or owning the files) + chown :users file1 + chgrp users dir1 + ``` 2. 
**Understand umask effects** - ```bash - # Check current umask - umask - umask -S - - # Set restrictive umask and test - umask 077 - touch private_file - mkdir private_dir - ls -l private_file # Should be rw------- - ls -ld private_dir # Should be rwx------ - - # Set collaborative umask - umask 002 - touch shared_file - ls -l shared_file # Should be rw-rw-r-- - ``` + + ```bash + # Check current umask + umask + umask -S + + # Set restrictive umask and test + umask 077 + touch private_file + mkdir private_dir + ls -l private_file # Should be rw------- + ls -ld private_dir # Should be rwx------ + + # Set collaborative umask + umask 002 + touch shared_file + ls -l shared_file # Should be rw-rw-r-- + ``` 3. **Configure persistent umask** - ```bash - # Add umask to ~/.bashrc for persistence - echo "umask 027" >> ~/.bashrc - ``` + + ```bash + # Add umask to ~/.bashrc for persistence + echo "umask 027" >> ~/.bashrc + ``` **Verification**: + ```bash ls -la ~/ownership_lab/ stat ~/ownership_lab/private_file 
@@ -326,38 +365,44 @@ umask ``` ### Lab 6.3: Shared Directory Setup (Synthesis Challenge) + **Objective**: Create a collaborative workspace using standard permissions **Scenario**: Set up a project directory where a team can collaborate. **Requirements**: + - Project team members: read/write access - Others: no access **Solution Steps**: + 1. **Create directory structure** - ```bash - sudo mkdir -p /projects/webapp - sudo groupadd developers - # Add users to group (assuming users exist) - # sudo usermod -aG developers alice - # sudo usermod -aG developers bob - ``` + ```bash + sudo mkdir -p /projects/webapp + sudo groupadd developers + + # Add users to group (assuming users exist) + # sudo usermod -aG developers alice + # sudo usermod -aG developers bob + ``` 2. **Set permissions and ownership** - ```bash - sudo chown :developers /projects/webapp - sudo chmod 770 /projects/webapp - ``` + + ```bash + sudo chown :developers /projects/webapp + sudo chmod 770 /projects/webapp + ``` 3. **Verify** - ```bash - ls -ld /projects/webapp/ - # Test as a member of the developers group - touch /projects/webapp/testfile - ls -l /projects/webapp/testfile - ``` + + ```bash + ls -ld /projects/webapp/ + # Test as a member of the developers group + touch /projects/webapp/testfile + ls -l /projects/webapp/testfile + ``` --- @@ -366,12 +411,15 @@ umask ### Common Issues #### Issue 1: Permission Denied Errors + **Symptoms**: + - Users cannot access files they should be able to read - Applications fail with permission errors - "Permission denied" messages in logs **Diagnosis**: + ```bash # Check file permissions and ownership ls -la filename @@ -390,6 +438,7 @@ getfacl filename ``` **Resolution**: + ```bash # Fix basic permissions chmod 644 filename # For regular files 
@@ -408,6 +457,7 @@ setfacl -m u:username:r-- filename **Prevention**: Always verify permissions after creating files and directories ### Diagnostic Command Sequence + ```bash # Permission troubleshooting workflow ls -la filename # Check basic permissions @@ -418,6 +468,7 @@ lsattr filename # Check extended attributes ``` ### Log File Analysis + - **`/var/log/messages`**: General permission-related errors - **`/var/log/secure`**: Authentication and access control events - **`/var/log/audit/audit.log`**: SELinux and detailed access events @@ -428,6 +479,7 @@ lsattr filename # Check extended attributes ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # Permissions chmod 755 file # Standard executable/directory @@ -438,6 +490,7 @@ umask 022 # Set default permission mask ``` ### Octal Permission Reference + - **755**: rwxr-xr-x (directories, executables) - **644**: rw-r--r-- (regular files) - **600**: rw------- (private files) @@ -445,6 +498,7 @@ umask 022 # Set default permission mask - **000**: --------- (no permissions) ### Common umask Values + - **022**: Default (644 for files, 755 for directories) - **027**: Group-friendly (640 for files, 750 for directories) - **077**: Private (600 for files, 700 for directories) 
@@ -454,64 +508,73 @@ umask 022 # Set default permission mask ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What is the difference between octal and symbolic permission notation? - **Answer**: Octal notation uses numbers (e.g., `755` = rwxr-xr-x) where each digit represents user/group/other permissions (r=4, w=2, x=1). Symbolic notation uses letters (e.g., `u+x`, `g=rw`, `o-w`) to add, set, or remove specific permissions. + **Answer**: Octal notation uses numbers (e.g., `755` = rwxr-xr-x) where each digit represents user/group/other permissions (r=4, w=2, x=1). Symbolic notation uses letters (e.g., `u+x`, `g=rw`, `o-w`) to add, set, or remove specific permissions. 2. **Question**: What does the execute permission mean on a directory? - **Answer**: On a directory, execute (x) means "traverse" — the ability to cd into the directory and access files within it. Without execute on a directory, you cannot access its contents even if you have read permission (which only lets you list filenames). + **Answer**: On a directory, execute (x) means "traverse" — the ability to cd into the directory and access files within it. Without execute on a directory, you cannot access its contents even if you have read permission (which only lets you list filenames). 3. **Question**: How does umask affect new file and directory permissions? - **Answer**: umask subtracts from the default permissions. New files start at 666 (no execute) and directories at 777. With umask 022, files become 644 (rw-r--r--) and directories become 755 (rwxr-xr-x). + **Answer**: umask subtracts from the default permissions. New files start at 666 (no execute) and directories at 777. With umask 022, files become 644 (rw-r--r--) and directories become 755 (rwxr-xr-x). ### Practical Scenarios + 1. **Scenario**: Create a directory where only members of the "project" group can access files. 
- **Solution**: - ```bash - mkdir /project - chown :project /project - chmod 770 /project - ``` + **Solution**: + + ```bash + mkdir /project + chown :project /project + chmod 770 /project + ``` 2. **Scenario**: A user creates files that are world-readable by default. Make them private. - **Solution**: Set a restrictive umask: - ```bash - umask 077 - # Or add to ~/.bashrc for persistence - echo "umask 077" >> ~/.bashrc - ``` + **Solution**: Set a restrictive umask: + + ```bash + umask 077 + # Or add to ~/.bashrc for persistence + echo "umask 077" >> ~/.bashrc + ``` ### Command Challenges + 1. **Challenge**: Change ownership of all files in /data to user "admin" and group "staff" recursively. - **Answer**: `chown -R admin:staff /data` - **Explanation**: `-R` applies the change recursively to all files and subdirectories. + **Answer**: `chown -R admin:staff /data` + **Explanation**: `-R` applies the change recursively to all files and subdirectories. 2. **Challenge**: Find all files owned by a user who no longer exists on the system. - **Answer**: `find / -nouser 2>/dev/null` - **Explanation**: `-nouser` finds files whose numeric UID doesn't match any user in /etc/passwd. + **Answer**: `find / -nouser 2>/dev/null` + **Explanation**: `-nouser` finds files whose numeric UID doesn't match any user in /etc/passwd. --- ## 10. Exam Strategy ### Topic-Specific Tips + - Master octal notation — it's faster than symbolic for complex permissions - Always verify permissions after setting them with `ls -l` - Know how umask affects default permissions for new files and directories - Practice chmod, chown, chgrp until they are second nature ### Common Exam Scenarios + 1. **Scenario**: Set up a shared directory for a group - **Approach**: Create group, set group ownership with `chown :group dir`, set `chmod 770` or `chmod 775` + **Approach**: Create group, set group ownership with `chown :group dir`, set `chmod 770` or `chmod 775` 2. 
**Scenario**: Set appropriate permissions on configuration files - **Approach**: Restrictive permissions like `chmod 600` for sensitive files, `chmod 644` for readable configs + **Approach**: Restrictive permissions like `chmod 600` for sensitive files, `chmod 644` for readable configs ### Time Management + - **Basic permission tasks**: 2-3 minutes including verification - **Ownership changes**: 1-2 minutes - **Always verify**: Use `ls -l` and `stat` to confirm settings ### Pitfalls to Avoid + - Don't forget that directory execute permission is needed for traversal - Remember that changing group membership requires logout/login to take effect - Don't use 777 permissions unless absolutely necessary (security risk) @@ -522,11 +585,13 @@ umask 022 # Set default permission mask ## Summary ### Key Takeaways + - **File permissions are the foundation of Linux security** — master chmod, chown, chgrp - **umask controls default permissions** — understand its impact on file creation - **Ownership determines access** — proper user:group assignment is critical ### Critical Commands to Remember + ```bash chmod 755 directory # Standard directory permissions chmod 644 file # Standard file permissions @@ -537,6 +602,7 @@ find / -nouser # Find orphaned files ``` ### Next Steps + - Continue to [Module 05: Process & Service Management](05_process_service_management.md) - Practice permission scenarios in the Vagrant environment - Review related topics: [User Management](03_user_group_management.md), [SELinux](09_selinux.md) @@ -548,6 +614,7 @@ find / -nouser # Find orphaned files > **Note**: Access Control Lists (ACLs) are no longer an RHCSA exam objective as of RHEL 10. This section is retained for reference only. ### ACL Commands + ```bash # View ACLs getfacl file # Show ACL information 
@@ -574,6 +641,7 @@ getfacl file1 | setfacl --set-file=- file2 # Copy ACLs between files > **Note**: setuid, setgid, and sticky bit are no longer RHCSA exam objectives as of RHEL 10. This section is retained for reference only. ### Special Permission Commands + ```bash # setuid (4000) — execute file with owner's privileges chmod u+s file # Add setuid bit @@ -589,11 +657,13 @@ chmod 1755 directory # Set permissions with sticky bit ``` ### Special Permission Values + - **4000**: setuid bit - **2000**: setgid bit - **1000**: sticky bit ### Finding Special Permission Files + ```bash find / -perm -4000 2>/dev/null # Find setuid files find / -perm -2000 2>/dev/null # Find setgid files @@ -602,4 +672,4 @@ find / -perm -1000 2>/dev/null # Find sticky bit directories --- -**Navigation**: [← User Management](03_user_group_management.md) | [Index](index.md) | [Next → Process Management](05_process_service_management.md) \ No newline at end of file +**Navigation**: [← User Management](03_user_group_management.md) | [Index](index.md) | [Next → Process Management](05_process_service_management.md) diff --git a/docs/rhcsa_synthesis/05_process_service_management.md b/docs/rhcsa_synthesis/05_process_service_management.md index 560118c..9832323 100644 --- a/docs/rhcsa_synthesis/05_process_service_management.md +++ b/docs/rhcsa_synthesis/05_process_service_management.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + RHEL 10 uses systemd as the init system and service manager, which fundamentally changed how processes and services are managed: - **Process hierarchy**: All processes descend from PID 1 (systemd) 
@@ -30,6 +31,7 @@ RHEL 10 uses systemd as the init system and service manager, which fundamentally - **Process control**: Signal-based communication for process management ### Real-World Applications + - **Web server management**: Starting, stopping, and monitoring Apache/Nginx - **Database operations**: Managing MySQL/PostgreSQL service lifecycle - **System maintenance**: Controlling system services during maintenance windows @@ -37,6 +39,7 @@ RHEL 10 uses systemd as the init system and service manager, which fundamentally - **Service reliability**: Ensuring critical services restart automatically ### Common Misconceptions + - **systemctl vs service**: Old `service` command still works but `systemctl` is preferred - **Enable vs start**: Services must be both enabled (auto-start) and started (running now) - **Process vs service**: Not all processes are services; services are managed processes @@ -44,6 +47,7 @@ RHEL 10 uses systemd as the init system and service manager, which fundamentally - **Targets vs runlevels**: systemd targets are more flexible than traditional runlevels ### Key Terminology + - **Process**: Running instance of a program with unique PID - **Service**: Long-running process managed by systemd - **Unit**: systemd configuration object (service, target, socket, etc.) @@ -58,6 +62,7 @@ RHEL 10 uses systemd as the init system and service manager, which fundamentally ## 3. Command Mastery ### Process Monitoring Commands + ```bash # Basic process listing ps aux # All processes, detailed format @@ -84,6 +89,7 @@ lsof -p PID # Files opened by process ``` ### Process Control Commands + ```bash # Process signals kill PID # Send TERM signal (graceful termination) @@ -108,6 +114,7 @@ ionice -c 2 -n 7 PID # Set I/O priority ``` ### systemd Service Management + ```bash # Service status and control systemctl status servicename # Show service status 
@@ -133,6 +140,7 @@ systemctl list-dependencies --reverse servicename # Reverse dependencies ``` ### System Targets + ```bash # Target management systemctl get-default # Show default target @@ -149,6 +157,7 @@ systemctl isolate reboot.target # Restart system ``` ### Advanced systemd Commands + ```bash # Unit file management systemctl daemon-reload # Reload systemd configuration @@ -165,9 +174,10 @@ systemctl hybrid-sleep # Suspend to both RAM and disk ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| -| `ps` | List processes | `aux`, `-ef`, `-C` | `ps aux | grep httpd` | +| `ps` | List processes | `aux`, `-ef`, `-C` | `ps aux \| grep httpd` | | `top` | Monitor processes | `-u`, `-p` | `top -u apache` | | `kill` | Send signals | `-9`, `-HUP`, `-USR1` | `kill -HUP 1234` | | `systemctl` | Manage services | `start`, `stop`, `enable`, `status` | `systemctl enable httpd` | 
@@ -179,65 +189,75 @@ systemctl hybrid-sleep # Suspend to both RAM and disk ## 4. Procedural Workflows ### Standard Procedure: Service Installation and Configuration + 1. **Install and enable service** - ```bash - dnf install servicename - systemctl enable servicename - systemctl start servicename - ``` + + ```bash + dnf install servicename + systemctl enable servicename + systemctl start servicename + ``` 2. **Verify service status** - ```bash - systemctl status servicename - systemctl is-active servicename - systemctl is-enabled servicename - ``` + + ```bash + systemctl status servicename + systemctl is-active servicename + systemctl is-enabled servicename + ``` 3. **Configure service** - ```bash - # Edit main configuration - vim /etc/servicename/config.conf + + ```bash + # Edit main configuration + vim /etc/servicename/config.conf - # Or create systemd override - systemctl edit servicename - ``` + # Or create systemd override + systemctl edit servicename + ``` 4. **Apply changes** - ```bash - systemctl daemon-reload - systemctl restart servicename - systemctl status servicename - ``` + + ```bash + systemctl daemon-reload + systemctl restart servicename + systemctl status servicename + ``` ### Standard Procedure: Process Troubleshooting + 1. **Identify problematic process** - ```bash - top # Look for high CPU/memory usage - ps aux --sort=-%cpu # Sort by CPU usage - ps aux --sort=-%mem # Sort by memory usage - ``` + + ```bash + top # Look for high CPU/memory usage + ps aux --sort=-%cpu # Sort by CPU usage + ps aux --sort=-%mem # Sort by memory usage + ``` 2. **Gather process information** - ```bash - ps -p PID -o pid,ppid,user,cmd - lsof -p PID # Files opened by process - strace -p PID # System calls (use carefully) - ``` + + ```bash + ps -p PID -o pid,ppid,user,cmd + lsof -p PID # Files opened by process + strace -p PID # System calls (use carefully) + ``` 3. 
**Take appropriate action** - ```bash - # Graceful termination - kill PID + + ```bash + # Graceful termination + kill PID - # Force termination if needed - kill -9 PID + # Force termination if needed + kill -9 PID - # Or restart associated service - systemctl restart servicename - ``` + # Or restart associated service + systemctl restart servicename + ``` ### Decision Tree: Process Management Strategy -``` + +```text Process Issue ├── High CPU usage? │ ├── Expected behavior? → Monitor and document @@ -255,34 +275,41 @@ Process Issue ``` ### Standard Procedure: System Target Management + 1. **Check current target** - ```bash - systemctl get-default - who -r # Alternative method - ``` + + ```bash + systemctl get-default + who -r # Alternative method + ``` 2. **Change target temporarily** - ```bash - systemctl isolate multi-user.target - ``` + + ```bash + systemctl isolate multi-user.target + ``` 3. **Change default target** - ```bash - systemctl set-default graphical.target - ``` + + ```bash + systemctl set-default graphical.target + ``` 4. **Verify target change** - ```bash - systemctl get-default - systemctl list-units --type=target - ``` + + ```bash + systemctl get-default + systemctl list-units --type=target + ``` --- ## 5. Configuration Deep Dive ### systemd Unit Files + #### Service Unit Structure + ```bash # /etc/systemd/system/myservice.service [Unit] @@ -304,6 +331,7 @@ WantedBy=multi-user.target ``` #### Common Unit File Sections + ```bash [Unit] Description=Service description @@ -331,7 +359,9 @@ Also=other.service ``` ### Process Priority and Nice Values + #### Understanding Priority + ```bash # Nice values range from -20 (highest priority) to 19 (lowest priority) # Default nice value is 0 @@ -344,7 +374,9 @@ renice 5 1234 # Change running process priority ``` ### Resource Control with systemd + #### Systemd Slices and Resource Limits + ```bash # Create custom slice for resource management # /etc/systemd/system/myapp.slice 
@@ -359,6 +391,7 @@ TasksMax=100 ``` #### Service Resource Limits + ```bash # In service unit file [Service] section: CPUQuota=50% # Limit CPU usage to 50% 
@@ -372,70 +405,77 @@ IOWeight=100 # I/O priority weight ## 6. Hands-On Labs ### Lab 6.1: Process Monitoring and Control (Asghar Ghori Style) + **Objective**: Master process identification, monitoring, and control techniques **Steps**: + 1. **Start background processes for testing** - ```bash - # Create some test processes - sleep 300 & - PID1=$! - dd if=/dev/zero of=/dev/null & - PID2=$! - find / -name "*.log" > /dev/null 2>&1 & - PID3=$! + + ```bash + # Create some test processes + sleep 300 & + PID1=$! + dd if=/dev/zero of=/dev/null & + PID2=$! + find / -name "*.log" > /dev/null 2>&1 & + PID3=$! - echo "Started processes: $PID1 $PID2 $PID3" - ``` + echo "Started processes: $PID1 $PID2 $PID3" + ``` 2. **Practice process monitoring** - ```bash - # View all processes - ps aux | head -20 + + ```bash + # View all processes + ps aux | head -20 - # Find specific processes - ps aux | grep sleep - pgrep sleep - pidof sleep + # Find specific processes + ps aux | grep sleep + pgrep sleep + pidof sleep - # Monitor resource usage - top -p $PID1,$PID2,$PID3 - # Press 'q' to quit top + # Monitor resource usage + top -p $PID1,$PID2,$PID3 + # Press 'q' to quit top - # View process tree - pstree $$ # Show tree from current shell - ``` + # View process tree + pstree $$ # Show tree from current shell + ``` 3. 
**Practice process control** - ```bash - # Send different signals - kill -USR1 $PID1 # User signal (sleep will ignore) - kill -STOP $PID2 # Suspend process - kill -CONT $PID2 # Resume process + + ```bash + # Send different signals + kill -USR1 $PID1 # User signal (sleep will ignore) + kill -STOP $PID2 # Suspend process + kill -CONT $PID2 # Resume process - # Check process status - ps -o pid,state,comm -p $PID1,$PID2,$PID3 + # Check process status + ps -o pid,state,comm -p $PID1,$PID2,$PID3 - # Terminate processes - kill $PID1 # Graceful termination - kill -9 $PID2 # Force termination - killall find # Kill by name - ``` + # Terminate processes + kill $PID1 # Graceful termination + kill -9 $PID2 # Force termination + killall find # Kill by name + ``` 4. **Practice job control** - ```bash - # Start job in foreground - sleep 100 - # Press Ctrl+Z to suspend + + ```bash + # Start job in foreground + sleep 100 + # Press Ctrl+Z to suspend - # Manage jobs - jobs # List jobs - bg %1 # Send to background - fg %1 # Bring to foreground - # Press Ctrl+C to terminate - ``` + # Manage jobs + jobs # List jobs + bg %1 # Send to background + fg %1 # Bring to foreground + # Press Ctrl+C to terminate + ``` **Verification**: + ```bash # Verify no test processes remain ps aux | grep -E "(sleep|dd|find)" | grep -v grep 
@@ -443,59 +483,66 @@ jobs # Should show no jobs ``` ### Lab 6.2: systemd Service Management (Sander van Vugt Style) + **Objective**: Master systemd service lifecycle and configuration **Steps**: + 1. **Explore existing services** - ```bash - # List all services - systemctl list-units --type=service --all + + ```bash + # List all services + systemctl list-units --type=service --all - # Check specific service status - systemctl status sshd - systemctl is-active sshd - systemctl is-enabled sshd + # Check specific service status + systemctl status sshd + systemctl is-active sshd + systemctl is-enabled sshd - # View service dependencies - systemctl list-dependencies sshd - systemctl list-dependencies --reverse sshd - ``` + # View service dependencies + systemctl list-dependencies sshd + systemctl list-dependencies --reverse sshd + ``` 2. **Practice service control** - ```bash - # Work with chronyd (time synchronization) - systemctl status chronyd - systemctl stop chronyd - systemctl status chronyd - systemctl start chronyd - systemctl reload chronyd # If reload is supported - systemctl restart chronyd - ``` + + ```bash + # Work with chronyd (time synchronization) + systemctl status chronyd + systemctl stop chronyd + systemctl status chronyd + systemctl start chronyd + systemctl reload chronyd # If reload is supported + systemctl restart chronyd + ``` 3. **Configure service startup** - ```bash - # Check and modify service enablement - systemctl is-enabled chronyd - systemctl disable chronyd - systemctl is-enabled chronyd - systemctl enable chronyd - systemctl is-enabled chronyd - ``` + + ```bash + # Check and modify service enablement + systemctl is-enabled chronyd + systemctl disable chronyd + systemctl is-enabled chronyd + systemctl enable chronyd + systemctl is-enabled chronyd + ``` 4. 
**Explore service configuration** - ```bash - # View service unit file - systemctl cat chronyd + + ```bash + # View service unit file + systemctl cat chronyd - # Show all service properties - systemctl show chronyd | head -20 + # Show all service properties + systemctl show chronyd | head -20 - # Create service override (don't actually modify) - systemctl edit chronyd --drop-in=custom - # This would open an editor, but let's skip actual changes - ``` + # Create service override (don't actually modify) + systemctl edit chronyd --drop-in=custom + # This would open an editor, but let's skip actual changes + ``` **Verification**: + ```bash # Verify service is properly configured systemctl status chronyd 
@@ -504,111 +551,120 @@ systemctl is-enabled chronyd ``` ### Lab 6.3: Custom Service Creation (Synthesis Challenge) + **Objective**: Create and manage a custom systemd service **Scenario**: Create a custom web log monitor service that watches for specific patterns in web server logs **Requirements**: + - Service runs as non-root user - Automatically restarts if it fails - Starts after network is available - Can be stopped and started with systemctl **Solution Steps**: + 1. **Create the monitoring script** - ```bash - sudo mkdir -p /opt/logmonitor - sudo tee /opt/logmonitor/weblog-monitor.sh << 'EOF' - #!/bin/bash - # Simple web log monitor + + ```bash + sudo mkdir -p /opt/logmonitor + sudo tee /opt/logmonitor/weblog-monitor.sh << 'EOF' + #!/bin/bash + # Simple web log monitor - LOGFILE="/var/log/httpd/access_log" - MONITOR_LOG="/var/log/logmonitor.log" + LOGFILE="/var/log/httpd/access_log" + MONITOR_LOG="/var/log/logmonitor.log" - # Create log file if it doesn't exist - touch "$MONITOR_LOG" + # Create log file if it doesn't exist + touch "$MONITOR_LOG" - echo "$(date): Web log monitor started" >> "$MONITOR_LOG" + echo "$(date): Web log monitor started" >> "$MONITOR_LOG" - while true; do - # Monitor for 404 errors (customize as needed) - if tail -n 1 "$LOGFILE" 2>/dev/null | grep -q " 404 "; then - echo "$(date): 404 error detected" >> "$MONITOR_LOG" - fi - sleep 5 - done - EOF + while true; do + # Monitor for 404 errors (customize as needed) + if tail -n 1 "$LOGFILE" 2>/dev/null | grep -q " 404 "; then + echo "$(date): 404 error detected" >> "$MONITOR_LOG" + fi + sleep 5 + done + EOF - sudo chmod +x /opt/logmonitor/weblog-monitor.sh - ``` + sudo chmod +x /opt/logmonitor/weblog-monitor.sh + ``` 2. 
**Create service user** - ```bash - sudo useradd -r -s /sbin/nologin -d /opt/logmonitor logmonitor - sudo chown -R logmonitor:logmonitor /opt/logmonitor - sudo touch /var/log/logmonitor.log - sudo chown logmonitor:logmonitor /var/log/logmonitor.log - ``` + + ```bash + sudo useradd -r -s /sbin/nologin -d /opt/logmonitor logmonitor + sudo chown -R logmonitor:logmonitor /opt/logmonitor + sudo touch /var/log/logmonitor.log + sudo chown logmonitor:logmonitor /var/log/logmonitor.log + ``` 3. **Create systemd service unit** - ```bash - sudo tee /etc/systemd/system/weblog-monitor.service << 'EOF' - [Unit] - Description=Web Log Monitor Service - Documentation=man:tail(1) - After=network.target httpd.service - Wants=network.target + + ```bash + sudo tee /etc/systemd/system/weblog-monitor.service << 'EOF' + [Unit] + Description=Web Log Monitor Service + Documentation=man:tail(1) + After=network.target httpd.service + Wants=network.target - [Service] - Type=simple - User=logmonitor - Group=logmonitor - ExecStart=/opt/logmonitor/weblog-monitor.sh - ExecStop=/bin/kill -TERM $MAINPID - Restart=always - RestartSec=30 - StandardOutput=journal - StandardError=journal + [Service] + Type=simple + User=logmonitor + Group=logmonitor + ExecStart=/opt/logmonitor/weblog-monitor.sh + ExecStop=/bin/kill -TERM $MAINPID + Restart=always + RestartSec=30 + StandardOutput=journal + StandardError=journal - [Install] - WantedBy=multi-user.target - EOF - ``` + [Install] + WantedBy=multi-user.target + EOF + ``` 4. 
**Enable and test the service** - ```bash - # Reload systemd configuration - sudo systemctl daemon-reload + + ```bash + # Reload systemd configuration + sudo systemctl daemon-reload - # Enable and start the service - sudo systemctl enable weblog-monitor - sudo systemctl start weblog-monitor + # Enable and start the service + sudo systemctl enable weblog-monitor + sudo systemctl start weblog-monitor - # Check service status - sudo systemctl status weblog-monitor + # Check service status + sudo systemctl status weblog-monitor - # Test service functionality - sudo systemctl stop weblog-monitor - sudo systemctl start weblog-monitor - sudo systemctl restart weblog-monitor - ``` + # Test service functionality + sudo systemctl stop weblog-monitor + sudo systemctl start weblog-monitor + sudo systemctl restart weblog-monitor + ``` 5. **Monitor and verify service** - ```bash - # Check service logs - sudo journalctl -u weblog-monitor -f --no-pager - # Press Ctrl+C to stop following + + ```bash + # Check service logs + sudo journalctl -u weblog-monitor -f --no-pager + # Press Ctrl+C to stop following - # Verify service is running as correct user - ps aux | grep weblog-monitor + # Verify service is running as correct user + ps aux | grep weblog-monitor - # Check if service auto-restarts (simulate crash) - sudo pkill -f weblog-monitor.sh - sleep 35 # Wait for restart - sudo systemctl status weblog-monitor - ``` + # Check if service auto-restarts (simulate crash) + sudo pkill -f weblog-monitor.sh + sleep 35 # Wait for restart + sudo systemctl status weblog-monitor + ``` **Verification**: + ```bash # Complete service verification sudo systemctl is-active weblog-monitor @@ -624,12 +680,15 @@ ls -l /var/log/logmonitor.log ### Common Issues #### Issue 1: Service Won't Start + **Symptoms**: + - `systemctl start` fails with error - Service shows "failed" status - Application not responding **Diagnosis**: + ```bash # Check service status and errors systemctl status servicename 
@@ -644,6 +703,7 @@ systemctl list-dependencies servicename ``` **Resolution**: + ```bash # Fix common issues systemctl daemon-reload # Reload if unit file changed @@ -661,12 +721,15 @@ systemctl start servicename **Prevention**: Always test configuration changes before applying to production #### Issue 2: High System Load + **Symptoms**: + - System responds slowly - High load average - Applications timing out **Diagnosis**: + ```bash # Check system load uptime @@ -683,6 +746,7 @@ iostat 1 5 ``` **Resolution**: + ```bash # Adjust process priorities renice 10 PID # Lower priority @@ -697,12 +761,15 @@ kill -9 PID # If graceful doesn't work ``` #### Issue 3: Process Won't Terminate + **Symptoms**: + - Process ignores TERM signal - `kill` command has no effect - Process shows as zombie **Diagnosis**: + ```bash # Check process state ps -o pid,ppid,state,comm -p PID @@ -716,6 +783,7 @@ ps aux | grep -E '|' ``` **Resolution**: + ```bash # Try escalating signals kill PID # TERM signal @@ -730,6 +798,7 @@ kill PPID ``` ### Diagnostic Command Sequence + ```bash # Service troubleshooting workflow systemctl status servicename # Check service status @@ -740,6 +809,7 @@ lsof -i :port # Check port usage ``` ### Log File Analysis + - **`journalctl`**: Primary systemd log viewer - **`/var/log/messages`**: General system messages - **`/var/log/secure`**: Authentication and security events @@ -750,6 +820,7 @@ lsof -i :port # Check port usage ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # Process monitoring ps aux # List all processes @@ -769,6 +840,7 @@ systemctl isolate target # Switch to target ``` ### Important Signals + - **TERM (15)**: Graceful termination (default for `kill`) - **KILL (9)**: Force termination (cannot be caught) - **HUP (1)**: Hangup (often used to reload config) 
@@ -776,6 +848,7 @@ systemctl isolate target # Switch to target - **CONT (18)**: Resume suspended process ### Common systemd Targets + - **poweroff.target**: Shutdown system - **rescue.target**: Single-user mode - **multi-user.target**: Multi-user, no GUI @@ -783,6 +856,7 @@ systemctl isolate target # Switch to target - **reboot.target**: Restart system ### Process States + - **R**: Running or runnable - **S**: Sleeping (waiting for event) - **D**: Uninterruptible sleep (usually I/O) 
@@ -794,57 +868,64 @@ systemctl isolate target # Switch to target ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What's the difference between `systemctl start` and `systemctl enable`? - **Answer**: `start` immediately begins running the service, while `enable` configures the service to start automatically at boot. A service can be enabled but not running, or running but not enabled. For complete setup, you typically need both commands. + **Answer**: `start` immediately begins running the service, while `enable` configures the service to start automatically at boot. A service can be enabled but not running, or running but not enabled. For complete setup, you typically need both commands. 2. **Question**: Why might a process become a zombie? - **Answer**: A zombie process occurs when a child process has finished executing but its parent hasn't read its exit status yet. The process entry remains in the process table until the parent calls wait(). If the parent never calls wait() or terminates, the zombie persists. + **Answer**: A zombie process occurs when a child process has finished executing but its parent hasn't read its exit status yet. The process entry remains in the process table until the parent calls wait(). If the parent never calls wait() or terminates, the zombie persists. 3. **Question**: What happens when you send SIGKILL (-9) to a process? - **Answer**: SIGKILL cannot be caught or ignored by the process - the kernel immediately terminates it. This bypasses any cleanup code, potentially leaving files open, shared memory segments allocated, or other resources in an inconsistent state. Use only as a last resort. + **Answer**: SIGKILL cannot be caught or ignored by the process - the kernel immediately terminates it. This bypasses any cleanup code, potentially leaving files open, shared memory segments allocated, or other resources in an inconsistent state. Use only as a last resort. ### Practical Scenarios + 1. 
**Scenario**: A web service keeps crashing and needs to restart automatically. - **Solution**: Configure the systemd service with `Restart=always` and `RestartSec=30` in the `[Service]` section of the unit file. + **Solution**: Configure the systemd service with `Restart=always` and `RestartSec=30` in the `[Service]` section of the unit file. 2. **Scenario**: You need to temporarily stop a service without preventing future automatic starts. - **Solution**: Use `systemctl stop servicename`. This stops the service but leaves it enabled, so it will still start automatically at next boot. + **Solution**: Use `systemctl stop servicename`. This stops the service but leaves it enabled, so it will still start automatically at next boot. ### Command Challenges + 1. **Challenge**: Find all processes owned by the user "apache" and show their CPU usage. - **Answer**: `ps -u apache -o pid,user,%cpu,comm` - **Explanation**: `-u apache` filters by user, `-o` specifies custom output format + **Answer**: `ps -u apache -o pid,user,%cpu,comm` + **Explanation**: `-u apache` filters by user, `-o` specifies custom output format 2. **Challenge**: Create a command to monitor the top 5 CPU-consuming processes, updating every 2 seconds. - **Answer**: `top -n 0 -d 2 | head -12 | tail -5` or use `watch -n 2 "ps aux --sort=-%cpu | head -5"` + **Answer**: `top -n 0 -d 2 | head -12 | tail -5` or use `watch -n 2 "ps aux --sort=-%cpu | head -5"` --- ## 10. Exam Strategy ### Topic-Specific Tips + - Always use `systemctl status` to verify service operations - Remember to both `enable` and `start` services for complete setup - Practice signal usage - know when to use graceful vs force termination - Understand systemd dependencies - services may fail if dependencies aren't met ### Common Exam Scenarios + 1. 
**Scenario**: Configure a service to start automatically at boot - **Approach**: Use `systemctl enable servicename` then `systemctl start servicename` + **Approach**: Use `systemctl enable servicename` then `systemctl start servicename` 2. **Scenario**: Troubleshoot a service that won't start - **Approach**: Check `systemctl status`, review `journalctl -u servicename`, verify dependencies + **Approach**: Check `systemctl status`, review `journalctl -u servicename`, verify dependencies 3. **Scenario**: Find and terminate a runaway process - **Approach**: Use `top` or `ps` to identify, then `kill` with appropriate signal + **Approach**: Use `top` or `ps` to identify, then `kill` with appropriate signal ### Time Management + - **Basic service operations**: 2-3 minutes including verification - **Process troubleshooting**: 5-7 minutes depending on complexity - **Custom service creation**: 8-10 minutes for complete setup - **Always verify**: Check service status after changes ### Pitfalls to Avoid + - Don't forget to `systemctl daemon-reload` after editing unit files - Remember that stopping a service doesn't disable it (still starts at boot) - Avoid `kill -9` unless absolutely necessary - try graceful termination first @@ -856,12 +937,14 @@ systemctl isolate target # Switch to target ## Summary ### Key Takeaways + - **systemd is the modern service manager** - master its commands and concepts - **Process management requires understanding signals** - different signals have different effects - **Service dependencies matter** - services may fail if dependencies aren't met - **Always verify changes** - check status after making service modifications ### Critical Commands to Remember + ```bash systemctl start servicename # Start service now systemctl enable servicename # Start service at boot 
@@ -872,10 +955,11 @@ journalctl -u servicename # View service logs ``` ### Next Steps + - Continue to [Module 06: Package Management](06_package_management.md) - Practice service management in the Vagrant environment - Review related topics: [Boot Process](11_boot_grub.md), [Logging](12_logging_monitoring.md) --- -**Navigation**: [← File Permissions](04_file_permissions.md) | [Index](index.md) | [Next → Package Management](06_package_management.md) \ No newline at end of file +**Navigation**: [← File Permissions](04_file_permissions.md) | [Index](index.md) | [Next → Package Management](06_package_management.md) diff --git a/docs/rhcsa_synthesis/06_package_management.md b/docs/rhcsa_synthesis/06_package_management.md index d36b605..f9cc237 100644 --- a/docs/rhcsa_synthesis/06_package_management.md +++ b/docs/rhcsa_synthesis/06_package_management.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + RHEL 10 uses DNF (Dandified YUM) as the primary package manager, which provides: - **Dependency resolution**: Automatic handling of package dependencies @@ -30,6 +31,7 @@ RHEL 10 uses DNF (Dandified YUM) as the primary package manager, which provides: - **Modular content**: Support for application streams and modules ### Real-World Applications + - **System maintenance**: Installing security updates and patches - **Software deployment**: Installing applications and development tools - **Environment setup**: Configuring development or production environments @@ -37,6 +39,7 @@ RHEL 10 uses DNF (Dandified YUM) as the primary package manager, which provides: - **Custom repositories**: Managing internal software distributions ### Common Misconceptions + - **DNF vs YUM**: DNF is the successor to YUM with better dependency resolution - **Package vs RPM**: Packages are distributed as RPMs, but package managers handle dependencies - **Repository priority**: Higher numbers mean lower priority (opposite of what you might expect) 
@@ -44,6 +47,7 @@ RHEL 10 uses DNF (Dandified YUM) as the primary package manager, which provides: - **Modules vs packages**: Modules provide different versions/streams of software ### Key Terminology + - **Package**: Software bundle with metadata, dependencies, and installation scripts - **Repository**: Collection of packages available for installation - **Metadata**: Information about packages, dependencies, and repositories @@ -58,6 +62,7 @@ RHEL 10 uses DNF (Dandified YUM) as the primary package manager, which provides: ## 3. Command Mastery ### Basic DNF Operations + ```bash # Package installation and removal dnf install packagename # Install package @@ -82,6 +87,7 @@ dnf provides */filename # Find package providing file ``` ### Advanced DNF Operations + ```bash # Package groups dnf grouplist # List available groups @@ -105,6 +111,7 @@ dnf download --resolve packagename # Download with dependencies ``` ### Repository Management + ```bash # Repository operations dnf repolist # List enabled repositories @@ -123,6 +130,7 @@ dnf clean expire-cache # Clean expired cache ``` ### Module Management + ```bash # Module operations dnf module list # List available modules @@ -135,6 +143,7 @@ dnf module reset modulename # Reset module state ``` ### RPM Commands + ```bash # Package information rpm -qa # List all installed packages @@ -155,6 +164,7 @@ rpm -e packagename # Erase package ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `dnf install` | Install packages | `-y`, `--nogpgcheck` | `dnf install -y httpd` | 
@@ -169,63 +179,74 @@ rpm -e packagename # Erase package ## 4. Procedural Workflows ### Standard Procedure: Software Installation + 1. **Search for package** - ```bash - dnf search keyword - dnf info packagename - ``` + + ```bash + dnf search keyword + dnf info packagename + ``` 2. **Install package** - ```bash - dnf install -y packagename - ``` + + ```bash + dnf install -y packagename + ``` 3. **Verify installation** - ```bash - dnf list installed | grep packagename - rpm -qi packagename - ``` + + ```bash + dnf list installed | grep packagename + rpm -qi packagename + ``` 4. **Configure and start if it's a service** - ```bash - systemctl enable --now servicename - systemctl status servicename - ``` + + ```bash + systemctl enable --now servicename + systemctl status servicename + ``` ### Standard Procedure: System Updates + 1. **Check for updates** - ```bash - dnf check-update - dnf list updates - ``` + + ```bash + dnf check-update + dnf list updates + ``` 2. **Review security updates** - ```bash - dnf updateinfo list security - dnf updateinfo info security - ``` + + ```bash + dnf updateinfo list security + dnf updateinfo info security + ``` 3. **Apply updates** - ```bash - # Test updates first - dnf update --downloadonly + + ```bash + # Test updates first + dnf update --downloadonly - # Apply all updates - dnf update -y + # Apply all updates + dnf update -y - # Or security only - dnf update --security -y - ``` + # Or security only + dnf update --security -y + ``` 4. **Verify and reboot if needed** - ```bash - dnf history info last - # Reboot if kernel updated - needs-restarting -r - ``` + + ```bash + dnf history info last + # Reboot if kernel updated + needs-restarting -r + ``` ### Decision Tree: Package Management Strategy -``` + +```text Package Task ├── Installing new software? │ ├── Available in repositories? → dnf install 
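Review bot: in the `### Standard Procedure: System Updates` hunk, step 3's comment `# Test updates first` does not match `dnf update --downloadonly`, which only fetches the RPMs into the cache and runs no transaction test; reword it to `# Download updates without applying` or show a real dry run such as `dnf update --assumeno` so the reader reviews the transaction before `dnf update -y`. Step 4's `needs-restarting -r` is provided by the `yum-utils` package rather than dnf itself, so note that a minimal install may need it added first.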
@@ -243,39 +264,45 @@ Package Task ``` ### Standard Procedure: Repository Management + 1. **Add new repository** - ```bash - # Method 1: Using config-manager - dnf config-manager --add-repo https://example.com/repo - - # Method 2: Manual file creation - cat > /etc/yum.repos.d/custom.repo << 'EOF' - [custom-repo] - name=Custom Repository - baseurl=https://example.com/repo - enabled=1 - gpgcheck=1 - gpgkey=https://example.com/repo/RPM-GPG-KEY - EOF - ``` + + ```bash + # Method 1: Using config-manager + dnf config-manager --add-repo https://example.com/repo + + # Method 2: Manual file creation + cat > /etc/yum.repos.d/custom.repo << 'EOF' + [custom-repo] + name=Custom Repository + baseurl=https://example.com/repo + enabled=1 + gpgcheck=1 + gpgkey=https://example.com/repo/RPM-GPG-KEY + EOF + ``` 2. **Update repository metadata** - ```bash - dnf makecache - ``` + + ```bash + dnf makecache + ``` 3. **Verify repository** - ```bash - dnf repolist - dnf repoinfo custom-repo - ``` + + ```bash + dnf repolist + dnf repoinfo custom-repo + ``` --- ## 5. Configuration Deep Dive ### DNF Configuration Files + #### Main Configuration + ```bash # /etc/dnf/dnf.conf [main] @@ -287,6 +314,7 @@ skip_if_unavailable=False # Fail if repository unavailable ``` #### Repository Configuration + ```bash # /etc/yum.repos.d/example.repo [repository-id] @@ -306,7 +334,9 @@ excludepkgs=package3,package4 # Exclude these packages ``` ### Package Groups Configuration + #### Common Package Groups + ```bash # Development tools dnf groupinstall "Development Tools" @@ -324,7 +354,9 @@ dnf groupinstall "KDE Plasma Workspaces" ``` ### Module Configuration + #### Module Stream Management + ```bash # List available streams for a module dnf module list nodejs 
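Review bot: in the `### Standard Procedure: Repository Management` hunk, Method 1 (`dnf config-manager --add-repo https://example.com/repo`) writes a repo file with no `gpgkey=` line, while Method 2 sets `gpgcheck=1` and `gpgkey=https://example.com/repo/RPM-GPG-KEY`; add a sentence that after `--add-repo` the key still has to be configured (`gpgkey=` in the file or `rpm --import` of the vendor key) before the first install, otherwise the install fails on signature check and invites `--nogpgcheck`. Since the `gpgkey` URL is the root of trust for everything installed from that repo, the procedure should also say to fetch it over HTTPS and compare the fingerprint against the vendor's published value.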
@@ -346,64 +378,71 @@ dnf module install nodejs:16/minimal ## 6. Hands-On Labs ### Lab 6.1: Basic Package Operations (Asghar Ghori Style) + **Objective**: Master fundamental DNF package management operations **Steps**: + 1. **Explore package information** - ```bash - # Search for web server packages - dnf search "web server" - dnf search apache + + ```bash + # Search for web server packages + dnf search "web server" + dnf search apache - # Get detailed information - dnf info httpd - dnf info nginx + # Get detailed information + dnf info httpd + dnf info nginx - # Check what's installed - dnf list installed | grep -i web - ``` + # Check what's installed + dnf list installed | grep -i web + ``` 2. **Install and configure packages** - ```bash - # Install web server - dnf install -y httpd + + ```bash + # Install web server + dnf install -y httpd - # Install additional packages - dnf install -y wget curl + # Install additional packages + dnf install -y wget curl - # Verify installations - dnf list installed | grep -E "(httpd|wget|curl)" - rpm -qi httpd - ``` + # Verify installations + dnf list installed | grep -E "(httpd|wget|curl)" + rpm -qi httpd + ``` 3. **Manage package groups** - ```bash - # List available groups - dnf grouplist | head -20 + + ```bash + # List available groups + dnf grouplist | head -20 - # Get information about development tools - dnf groupinfo "Development Tools" + # Get information about development tools + dnf groupinfo "Development Tools" - # Install development group (if not already installed) - dnf groupinstall -y "Development Tools" + # Install development group (if not already installed) + dnf groupinstall -y "Development Tools" - # List installed groups - dnf grouplist --installed - ``` + # List installed groups + dnf grouplist --installed + ``` 4. 
**Practice package removal** - ```bash - # Remove a package - dnf remove -y wget + + ```bash + # Remove a package + dnf remove -y wget - # Check for orphaned dependencies - dnf autoremove + # Check for orphaned dependencies + dnf autoremove - # Reinstall package - dnf install -y wget - ``` + # Reinstall package + dnf install -y wget + ``` **Verification**: + ```bash # Verify package operations dnf history | head -10 
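Review bot: in the `### Lab 6.1: Basic Package Operations` hunk, step 4's comment `# Check for orphaned dependencies` is misleading for `dnf autoremove`, which removes the unneeded dependencies (after a prompt) rather than listing them; either change the comment to `# Remove orphaned dependencies` or use `dnf repoquery --unneeded` for the read-only check the comment describes.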
@@ -412,66 +451,73 @@ systemctl status httpd ``` ### Lab 6.2: Repository Management (Sander van Vugt Style) + **Objective**: Configure and manage software repositories **Steps**: + 1. **Explore existing repositories** - ```bash - # List current repositories - dnf repolist - dnf repolist --all + + ```bash + # List current repositories + dnf repolist + dnf repolist --all - # Get detailed repository information - dnf repoinfo baseos - dnf repoinfo appstream + # Get detailed repository information + dnf repoinfo baseos + dnf repoinfo appstream - # Check repository configuration files - ls /etc/yum.repos.d/ - cat /etc/yum.repos.d/redhat.repo - ``` + # Check repository configuration files + ls /etc/yum.repos.d/ + cat /etc/yum.repos.d/redhat.repo + ``` 2. **Add EPEL repository (Extra Packages for Enterprise Linux)** - ```bash - # Install EPEL release package - dnf install -y epel-release + + ```bash + # Install EPEL release package + dnf install -y epel-release - # Verify EPEL repository is added - dnf repolist | grep epel + # Verify EPEL repository is added + dnf repolist | grep epel - # Search for packages in EPEL - dnf search --enablerepo=epel htop - dnf info --enablerepo=epel htop - ``` + # Search for packages in EPEL + dnf search --enablerepo=epel htop + dnf info --enablerepo=epel htop + ``` 3. **Practice repository management** - ```bash - # Disable a repository temporarily - dnf config-manager --disable epel - dnf repolist | grep epel + + ```bash + # Disable a repository temporarily + dnf config-manager --disable epel + dnf repolist | grep epel - # Enable repository - dnf config-manager --enable epel - dnf repolist | grep epel + # Enable repository + dnf config-manager --enable epel + dnf repolist | grep epel - # Update repository metadata - dnf makecache - dnf clean expire-cache - ``` + # Update repository metadata + dnf makecache + dnf clean expire-cache + ``` 4. 
**Work with repository priorities** - ```bash - # View repository configuration - cat /etc/yum.repos.d/epel.repo + + ```bash + # View repository configuration + cat /etc/yum.repos.d/epel.repo - # Install package from specific repository - dnf install --enablerepo=epel -y htop + # Install package from specific repository + dnf install --enablerepo=epel -y htop - # Verify installation - which htop - htop --version - ``` + # Verify installation + which htop + htop --version + ``` **Verification**: + ```bash # Verify repository configuration dnf repolist @@ -480,11 +526,13 @@ ls -la /etc/yum.repos.d/ ``` ### Lab 6.3: Advanced Package Management (Synthesis Challenge) + **Objective**: Handle complex package scenarios including modules, local packages, and troubleshooting **Scenario**: Set up a development environment with specific software versions and handle package conflicts **Requirements**: + - Install development tools - Configure specific module streams - Install local packages 
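Review bot: in the `### Lab 6.2: Repository Management` hunk, step 2's `dnf install -y epel-release` only works on rebuilds that carry that package in their base repositories; on RHEL itself (this module opens with "RHEL 10 uses DNF"), EPEL is added by installing the `epel-release-latest-10.noarch.rpm` package from the Fedora project's download site and typically enabling the CodeReady Builder repo first, so document that path instead. Step 4 is titled `Work with repository priorities` but its commands only `cat` the repo file, install with `--enablerepo=epel`, and print `htop --version`; add a `priority=` example or rename the step to match what it does.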
@@ -492,100 +540,107 @@ ls -la /etc/yum.repos.d/ - Document the configuration **Solution Steps**: + 1. **Set up development environment** - ```bash - # Install base development tools - dnf groupinstall -y "Development Tools" + + ```bash + # Install base development tools + dnf groupinstall -y "Development Tools" - # Install additional development packages - dnf install -y git vim-enhanced tree + # Install additional development packages + dnf install -y git vim-enhanced tree - # List installed development packages - dnf groupinfo "Development Tools" | grep "Installed Packages" - ``` + # List installed development packages + dnf groupinfo "Development Tools" | grep "Installed Packages" + ``` 2. **Work with modules for specific versions** - ```bash - # List available modules - dnf module list | head -20 + + ```bash + # List available modules + dnf module list | head -20 - # Work with Node.js module (example) - dnf module list nodejs + # Work with Node.js module (example) + dnf module list nodejs - # Enable specific stream and install - dnf module enable -y nodejs:16 - dnf module install -y nodejs:16/development + # Enable specific stream and install + dnf module enable -y nodejs:16 + dnf module install -y nodejs:16/development - # Verify module installation - node --version - npm --version - ``` + # Verify module installation + node --version + npm --version + ``` 3. 
**Handle local package installation** - ```bash - # Create a directory for downloaded packages - mkdir ~/packages - cd ~/packages + + ```bash + # Create a directory for downloaded packages + mkdir ~/packages + cd ~/packages - # Download a package without installing - dnf download --resolve tree + # Download a package without installing + dnf download --resolve tree - # List downloaded packages - ls -la *.rpm + # List downloaded packages + ls -la *.rpm - # Reinstall from local file - dnf remove -y tree - dnf localinstall -y tree-*.rpm - ``` + # Reinstall from local file + dnf remove -y tree + dnf localinstall -y tree-*.rpm + ``` 4. **Troubleshoot package issues** - ```bash - # Check for package problems - dnf check + + ```bash + # Check for package problems + dnf check - # Verify package integrity - rpm -Va | head -10 + # Verify package integrity + rpm -Va | head -10 - # Check transaction history - dnf history | head -10 - dnf history info last + # Check transaction history + dnf history | head -10 + dnf history info last - # Clean up if needed - dnf autoremove -y - dnf clean all - ``` + # Clean up if needed + dnf autoremove -y + dnf clean all + ``` 5. 
**Document the environment** - ```bash - # Create environment documentation - cat > ~/development-environment.md << 'EOF' - # Development Environment Setup - - ## Installed Components - - Development Tools group - - Node.js version 16.x with development profile - - Git, Vim, Tree utilities - - ## Repository Configuration - - BaseOS and AppStream (default RHEL repositories) - - EPEL repository for additional packages - - ## Module Configuration - - nodejs:16 stream enabled with development profile - - ## Package Verification Commands - ```bash - dnf grouplist --installed - dnf module list --installed - node --version && npm --version - ``` - EOF - - # Create package list backup - dnf list installed > ~/installed-packages-$(date +%Y%m%d).txt - ``` + + ````bash + # Create environment documentation + cat > ~/development-environment.md << 'EOF' + # Development Environment Setup + + ## Installed Components + - Development Tools group + - Node.js version 16.x with development profile + - Git, Vim, Tree utilities + + ## Repository Configuration + - BaseOS and AppStream (default RHEL repositories) + - EPEL repository for additional packages + + ## Module Configuration + - nodejs:16 stream enabled with development profile + + ## Package Verification Commands + ```bash + dnf grouplist --installed + dnf module list --installed + node --version && npm --version + ``` + EOF + + # Create package list backup + dnf list installed > ~/installed-packages-$(date +%Y%m%d).txt + ```` **Verification**: + ```bash # Complete environment verification dnf grouplist --installed | grep -i development @@ -604,12 +659,15 @@ cat ~/development-environment.md ### Common Issues #### Issue 1: Package Installation Failures + **Symptoms**: + - "Nothing to do" message when installing - Dependency conflicts - Repository errors **Diagnosis**: + ```bash # Check if package exists dnf search packagename 
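Review bot: in the `### Lab 6.3: Advanced Package Management` hunk, step 2 enables `nodejs:16`, a stream whose upstream reached end of life in September 2023; for a RHEL 10 guide pick a currently supported version, and first confirm with `dnf module list nodejs` that modular Node.js content exists on RHEL 10 at all before keeping the module steps. In step 3, `dnf localinstall` is a deprecated alias for `dnf install`, so `dnf install -y ./tree-*.rpm` is the form to teach, and because step 3 used `dnf download --resolve`, the glob `tree-*.rpm` would skip any dependency RPMs that were downloaded alongside it.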
@@ -624,6 +682,7 @@ dnf check ``` **Resolution**: + ```bash # Update repository metadata dnf clean expire-cache @@ -642,12 +701,15 @@ dnf reinstall packagename **Prevention**: Regular repository metadata updates and system maintenance #### Issue 2: Dependency Hell + **Symptoms**: + - Circular dependency errors - "Package does not exist" for dependencies - Transaction test failures **Diagnosis**: + ```bash # Check package dependencies dnf deplist packagename @@ -658,6 +720,7 @@ dnf history info problematic-transaction ``` **Resolution**: + ```bash # Reset transaction dnf history undo problematic-transaction @@ -673,12 +736,15 @@ dnf install packagename --exclude=problematic-package ``` #### Issue 3: Repository Problems + **Symptoms**: + - "Repository not found" errors - GPG signature failures - Slow or failed downloads **Diagnosis**: + ```bash # Check repository configuration cat /etc/yum.repos.d/problematic.repo @@ -691,6 +757,7 @@ rpm -qa gpg-pubkey* ``` **Resolution**: + ```bash # Fix repository URL vim /etc/yum.repos.d/problematic.repo @@ -707,6 +774,7 @@ dnf makecache ``` ### Diagnostic Command Sequence + ```bash # Package troubleshooting workflow dnf check # Check for problems @@ -717,6 +785,7 @@ df -h # Check disk space ``` ### Log File Analysis + - **`/var/log/dnf.log`**: DNF transaction logs - **`/var/log/dnf.librepo.log`**: Repository access logs - **`/var/log/dnf.rpm.log`**: RPM transaction logs @@ -727,6 +796,7 @@ df -h # Check disk space ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # Basic operations dnf install packagename # Install package 
@@ -746,12 +816,14 @@ dnf clean all # Clean cache ``` ### Common Package Groups + - **"Development Tools"**: Compilers, build tools - **"Web Server"**: Apache HTTP server and related - **"Virtualization Host"**: KVM and virtualization tools - **"Security Tools"**: Security-related packages ### RPM Query Options + - **`-qa`**: List all installed packages - **`-qi`**: Package information - **`-ql`**: List package files @@ -760,6 +832,7 @@ dnf clean all # Clean cache - **`-qc`**: List configuration files ### DNF History Operations + - **`dnf history`**: Show transaction history - **`dnf history info ID`**: Transaction details - **`dnf history undo ID`**: Undo transaction 
@@ -770,58 +843,65 @@ dnf clean all # Clean cache ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What's the difference between `dnf remove` and `dnf autoremove`? - **Answer**: `dnf remove` removes specified packages and their dependencies that are no longer needed by other packages. `dnf autoremove` removes packages that were installed as dependencies but are no longer required by any installed packages. Use `autoremove` to clean up orphaned dependencies. + **Answer**: `dnf remove` removes specified packages and their dependencies that are no longer needed by other packages. `dnf autoremove` removes packages that were installed as dependencies but are no longer required by any installed packages. Use `autoremove` to clean up orphaned dependencies. 2. **Question**: Why would you use modules instead of regular packages? - **Answer**: Modules provide different versions (streams) of software that aren't available as separate packages. For example, you can choose Node.js 14, 16, or 18 streams. Modules also offer different profiles (minimal, development, etc.) with different sets of packages for specific use cases. + **Answer**: Modules provide different versions (streams) of software that aren't available as separate packages. For example, you can choose Node.js 14, 16, or 18 streams. Modules also offer different profiles (minimal, development, etc.) with different sets of packages for specific use cases. 3. **Question**: When should you use `rpm` commands instead of `dnf`? - **Answer**: Use `rpm` for querying information about installed packages, verifying package integrity, and installing local packages when you don't need dependency resolution. Use `dnf` for installation, updates, and dependency management. Never use `rpm -e` to remove packages - use `dnf remove` instead. + **Answer**: Use `rpm` for querying information about installed packages, verifying package integrity, and installing local packages when you don't need dependency resolution. 
Use `dnf` for installation, updates, and dependency management. Never use `rpm -e` to remove packages - use `dnf remove` instead. ### Practical Scenarios + 1. **Scenario**: You need to install a specific version of Python that's not available in the default repositories. - **Solution**: Check for Python modules with `dnf module list python*`, enable the desired stream with `dnf module enable python39:3.9`, then install with `dnf module install python39:3.9`. + **Solution**: Check for Python modules with `dnf module list python*`, enable the desired stream with `dnf module enable python39:3.9`, then install with `dnf module install python39:3.9`. 2. **Scenario**: A package installation failed halfway through and the system is in an inconsistent state. - **Solution**: Use `dnf history` to find the failed transaction, then `dnf history undo transaction-id` to roll back the changes. + **Solution**: Use `dnf history` to find the failed transaction, then `dnf history undo transaction-id` to roll back the changes. ### Command Challenges + 1. **Challenge**: Find which package provides the `netstat` command. - **Answer**: `dnf provides */netstat` or `dnf whatprovides netstat` - **Explanation**: The `provides` subcommand searches for packages that provide a specific file or command + **Answer**: `dnf provides */netstat` or `dnf whatprovides netstat` + **Explanation**: The `provides` subcommand searches for packages that provide a specific file or command 2. **Challenge**: Install all available security updates without installing other updates. - **Answer**: `dnf update --security` - **Explanation**: The `--security` flag limits updates to only security-related packages + **Answer**: `dnf update --security` + **Explanation**: The `--security` flag limits updates to only security-related packages --- ## 10. 
Exam Strategy ### Topic-Specific Tips + - Master the difference between `dnf` and `rpm` - use the right tool for each task - Practice repository management - know how to add, enable, and disable repos - Understand package groups - they're often used in exam scenarios - Remember that modules provide version flexibility ### Common Exam Scenarios + 1. **Scenario**: Install software development tools - **Approach**: Use `dnf groupinstall "Development Tools"` for comprehensive setup + **Approach**: Use `dnf groupinstall "Development Tools"` for comprehensive setup 2. **Scenario**: Configure custom repository - **Approach**: Create repository file in `/etc/yum.repos.d/` or use `dnf config-manager --add-repo` + **Approach**: Create repository file in `/etc/yum.repos.d/` or use `dnf config-manager --add-repo` 3. **Scenario**: Troubleshoot failed package installation - **Approach**: Check `dnf history`, use `dnf check`, verify repository configuration + **Approach**: Check `dnf history`, use `dnf check`, verify repository configuration ### Time Management + - **Package installation**: 2-3 minutes including verification - **Repository configuration**: 4-5 minutes for complete setup - **Package troubleshooting**: 5-7 minutes depending on issue complexity - **Always verify**: Check installation with `dnf list installed` or `rpm -q` ### Pitfalls to Avoid + - Don't mix `rpm` and `dnf` operations (use `dnf` for dependency management) - Remember to enable repositories after adding them - Always update metadata (`dnf makecache`) after adding repositories 
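Review bot: in the `## 9. Knowledge Check` hunk, Practical Scenario 1's `dnf module enable python39:3.9` uses a module name from RHEL 8; later releases ship alternate interpreters as ordinary packages (`python3.11`, `python3.12`), so reword the answer to `dnf search python3` / `dnf install python3.12` or verify that such a stream exists on RHEL 10 before keeping it. Conceptual Question 2's "Node.js 14, 16, or 18" has the same problem, as all three are end of life upstream.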
@@ -833,12 +913,14 @@ dnf clean all # Clean cache ## Summary ### Key Takeaways + - **DNF is the modern package manager** - it replaces YUM with better dependency resolution - **Repository management is crucial** - proper repository configuration enables software installation - **Modules provide version flexibility** - use them for software requiring specific versions - **Package groups simplify installation** - use them for installing related software collections ### Critical Commands to Remember + ```bash dnf install packagename # Install software dnf update # Update system @@ -849,10 +931,11 @@ dnf history # View transaction history ``` ### Next Steps + - Continue to [Module 07: Storage & LVM](07_storage_lvm.md) - Practice package management in the Vagrant environment - Review related topics: [System Installation](01_system_installation.md), [Service Management](05_process_service_management.md) --- -**Navigation**: [← Process Management](05_process_service_management.md) | [Index](index.md) | [Next → Storage & LVM](07_storage_lvm.md) \ No newline at end of file +**Navigation**: [← Process Management](05_process_service_management.md) | [Index](index.md) | [Next → Storage & LVM](07_storage_lvm.md) diff --git a/docs/rhcsa_synthesis/07_storage_lvm.md b/docs/rhcsa_synthesis/07_storage_lvm.md index 7dd8897..80a846c 100644 --- a/docs/rhcsa_synthesis/07_storage_lvm.md +++ b/docs/rhcsa_synthesis/07_storage_lvm.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + Storage management in RHEL 10 involves multiple layers: - **Physical storage**: Hard drives, SSDs, network storage 
@@ -30,6 +31,7 @@ Storage management in RHEL 10 involves multiple layers: - **Mount points**: Directory locations where filesystems are accessible ### Real-World Applications + - **Database servers**: Managing storage for database files with growth requirements - **Web servers**: Organizing storage for logs, content, and temporary files - **Development systems**: Creating isolated storage areas for different projects @@ -37,6 +39,7 @@ Storage management in RHEL 10 involves multiple layers: - **Virtual environments**: Providing flexible storage to virtual machines ### Common Misconceptions + - **LVM complexity**: LVM adds flexibility, not just complexity - **XFS vs ext4**: XFS is better for large files, ext4 for small files - **Partition vs LVM**: LVM provides better flexibility for production systems @@ -44,6 +47,7 @@ Storage management in RHEL 10 involves multiple layers: - **Online resizing**: XFS can only grow, ext4 can shrink and grow ### Key Terminology + - **Physical Volume (PV)**: Physical storage device or partition used by LVM - **Volume Group (VG)**: Collection of physical volumes acting as single storage pool - **Logical Volume (LV)**: Virtual partition created from volume group space @@ -60,6 +64,7 @@ Storage management in RHEL 10 involves multiple layers: ## 3. Command Mastery ### Disk and Partition Management + ```bash # View disk information lsblk # List block devices in tree format @@ -90,6 +95,7 @@ partprobe /dev/sdb # Update without reboot ``` ### LVM Management Commands + ```bash # Physical Volume (PV) management pvcreate /dev/sdb1 # Create physical volume @@ -119,6 +125,7 @@ lvremove /dev/vgname/lvname # Remove LV ``` ### LVM Thin Provisioning + ```bash # Create a thin pool (allocates actual storage) lvcreate --type thin-pool -L 5G -n mythinpool vgname @@ -140,6 +147,7 @@ mount /dev/vgname/thinlv1 /mnt/thin1 ``` ### Filesystem Management + ```bash # Create filesystems mkfs.xfs /dev/vgname/lvname # Create XFS filesystem 
@@ -162,6 +170,7 @@ fsck.ext4 /dev/vgname/lvname # Check/repair ext4 (unmounted) ``` ### Mount Management + ```bash # Mounting filesystems mount /dev/vgname/lvname /mnt/data # Mount filesystem @@ -183,6 +192,7 @@ df -h # Mounted filesystem usage ``` ### Swap Management + ```bash # Create and manage swap mkswap /dev/vgname/swaplv # Create swap filesystem @@ -199,6 +209,7 @@ swapon /swapfile # Enable swap file ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `lsblk` | List block devices | `-f` | `lsblk -f` | 
@@ -213,126 +224,141 @@ swapon /swapfile # Enable swap file ## 4. Procedural Workflows ### Standard Procedure: Complete LVM Setup + 1. **Prepare physical storage** - ```bash - # Create partition (if not using whole disk) - fdisk /dev/sdb - # Create partition, set type to Linux LVM (8e) - partprobe /dev/sdb - ``` + + ```bash + # Create partition (if not using whole disk) + fdisk /dev/sdb + # Create partition, set type to Linux LVM (8e) + partprobe /dev/sdb + ``` 2. **Create LVM structure** - ```bash - # Create physical volume - pvcreate /dev/sdb1 + + ```bash + # Create physical volume + pvcreate /dev/sdb1 - # Create volume group - vgcreate datavg /dev/sdb1 + # Create volume group + vgcreate datavg /dev/sdb1 - # Create logical volume - lvcreate -L 2G -n datalv datavg - ``` + # Create logical volume + lvcreate -L 2G -n datalv datavg + ``` 3. **Create and mount filesystem** - ```bash - # Create filesystem - mkfs.xfs /dev/datavg/datalv + + ```bash + # Create filesystem + mkfs.xfs /dev/datavg/datalv - # Create mount point - mkdir -p /data + # Create mount point + mkdir -p /data - # Mount filesystem - mount /dev/datavg/datalv /data - ``` + # Mount filesystem + mount /dev/datavg/datalv /data + ``` 4. **Make mount permanent** - ```bash - # Add to fstab - echo "/dev/datavg/datalv /data xfs defaults 0 2" >> /etc/fstab + + ```bash + # Add to fstab + echo "/dev/datavg/datalv /data xfs defaults 0 2" >> /etc/fstab - # Verify fstab - mount -a - df -h /data - ``` + # Verify fstab + mount -a + df -h /data + ``` ### Standard Procedure: Extending LVM Storage + 1. **Add new physical volume** - ```bash - # Prepare new disk/partition - pvcreate /dev/sdc1 + + ```bash + # Prepare new disk/partition + pvcreate /dev/sdc1 - # Add to existing volume group - vgextend datavg /dev/sdc1 + # Add to existing volume group + vgextend datavg /dev/sdc1 - # Verify VG size increased - vgs datavg - ``` + # Verify VG size increased + vgs datavg + ``` 2. 
**Extend logical volume** - ```bash - # Extend logical volume - lvextend -L +5G /dev/datavg/datalv + + ```bash + # Extend logical volume + lvextend -L +5G /dev/datavg/datalv - # Or extend to use all available space - lvextend -l +100%FREE /dev/datavg/datalv - ``` + # Or extend to use all available space + lvextend -l +100%FREE /dev/datavg/datalv + ``` 3. **Extend filesystem** - ```bash - # For XFS filesystems - xfs_growfs /data + + ```bash + # For XFS filesystems + xfs_growfs /data - # For ext4 filesystems - resize2fs /dev/datavg/datalv + # For ext4 filesystems + resize2fs /dev/datavg/datalv - # Verify new size - df -h /data - ``` + # Verify new size + df -h /data + ``` ### Standard Procedure: LVM Thin Provisioning Setup Thin provisioning allows over-committing storage — thin volumes can have a combined virtual size larger than the physical pool. Space is allocated only as data is written. 1. **Create thin pool from volume group** - ```bash - # Create a thin pool (actual physical storage) - lvcreate --type thin-pool -L 5G -n thinpool datavg - ``` + + ```bash + # Create a thin pool (actual physical storage) + lvcreate --type thin-pool -L 5G -n thinpool datavg + ``` 2. **Create thin volumes** - ```bash - # Virtual size can exceed pool size (overprovisioning) - lvcreate --virtualsize 10G --thin -n app1 datavg/thinpool - lvcreate --virtualsize 10G --thin -n app2 datavg/thinpool - ``` + + ```bash + # Virtual size can exceed pool size (overprovisioning) + lvcreate --virtualsize 10G --thin -n app1 datavg/thinpool + lvcreate --virtualsize 10G --thin -n app2 datavg/thinpool + ``` 3. **Create filesystems and mount** - ```bash - mkfs.xfs /dev/datavg/app1 - mkfs.xfs /dev/datavg/app2 - mkdir -p /srv/{app1,app2} - mount /dev/datavg/app1 /srv/app1 - mount /dev/datavg/app2 /srv/app2 - ``` + + ```bash + mkfs.xfs /dev/datavg/app1 + mkfs.xfs /dev/datavg/app2 + mkdir -p /srv/{app1,app2} + mount /dev/datavg/app1 /srv/app1 + mount /dev/datavg/app2 /srv/app2 + ``` 4. 
**Monitor pool usage and extend when needed** - ```bash - # Check how much of the pool is actually used - lvs -o+data_percent datavg/thinpool - # Extend pool before it fills up - lvextend -L +5G datavg/thinpool - ``` + ```bash + # Check how much of the pool is actually used + lvs -o+data_percent datavg/thinpool + + # Extend pool before it fills up + lvextend -L +5G datavg/thinpool + ``` 5. **Make mounts persistent** - ```bash - echo "/dev/datavg/app1 /srv/app1 xfs defaults 0 2" >> /etc/fstab - echo "/dev/datavg/app2 /srv/app2 xfs defaults 0 2" >> /etc/fstab - mount -a - ``` + + ```bash + echo "/dev/datavg/app1 /srv/app1 xfs defaults 0 2" >> /etc/fstab + echo "/dev/datavg/app2 /srv/app2 xfs defaults 0 2" >> /etc/fstab + mount -a + ``` ### Decision Tree: Storage Strategy Selection -``` + +```text Storage Requirements ├── Simple single-disk setup? │ ├── Basic partitioning → fdisk + mkfs + mount 
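Review bot: in the `### Standard Procedure: Complete LVM Setup` hunk, thin-provisioning step 4 (`4. **Monitor pool usage and extend when needed**`) is the only numbered step whose fenced block does not get a blank line after the bold title; every other step in this hunk adds one, so add it here for consistency with the spacing the rest of the change enforces. In "Extending LVM Storage", step 3's XFS/ext4 branching can be avoided by teaching `lvextend -r` (`--resizefs`), which grows the filesystem in the same command and removes the chance of forgetting `xfs_growfs`.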
@@ -350,45 +376,51 @@ Storage Requirements ``` ### Standard Procedure: Filesystem Migration + 1. **Prepare new storage** - ```bash - # Create new LVM structure - pvcreate /dev/sdd1 - vgcreate newvg /dev/sdd1 - lvcreate -L 10G -n newlv newvg - mkfs.xfs /dev/newvg/newlv - ``` + + ```bash + # Create new LVM structure + pvcreate /dev/sdd1 + vgcreate newvg /dev/sdd1 + lvcreate -L 10G -n newlv newvg + mkfs.xfs /dev/newvg/newlv + ``` 2. **Copy data safely** - ```bash - # Mount new filesystem temporarily - mkdir /mnt/newdata - mount /dev/newvg/newlv /mnt/newdata + + ```bash + # Mount new filesystem temporarily + mkdir /mnt/newdata + mount /dev/newvg/newlv /mnt/newdata - # Copy data with rsync - rsync -avxHAX /olddata/ /mnt/newdata/ + # Copy data with rsync + rsync -avxHAX /olddata/ /mnt/newdata/ - # Verify data integrity - diff -r /olddata /mnt/newdata - ``` + # Verify data integrity + diff -r /olddata /mnt/newdata + ``` 3. **Switch to new storage** - ```bash - # Update fstab - sed -i 's|/dev/oldvg/oldlv|/dev/newvg/newlv|g' /etc/fstab + + ```bash + # Update fstab + sed -i 's|/dev/oldvg/oldlv|/dev/newvg/newlv|g' /etc/fstab - # Unmount old, remount new - umount /olddata - umount /mnt/newdata - mount /dev/newvg/newlv /olddata - ``` + # Unmount old, remount new + umount /olddata + umount /mnt/newdata + mount /dev/newvg/newlv /olddata + ``` --- ## 5. Configuration Deep Dive ### /etc/fstab Configuration + #### fstab Entry Format + ```bash # Device/UUID Mount Point Filesystem Options Dump Pass /dev/datavg/datalv /data xfs defaults 0 2 @@ -397,6 +429,7 @@ UUID=abc123-def456 /home ext4 defaults,noatime 1 2 ``` #### Common fstab Options + ```bash # Performance options defaults,noatime # Don't update access times (performance) @@ -413,7 +446,9 @@ defaults,nofail # Continue boot if device unavailable ``` ### LVM Configuration Files + #### LVM Configuration + ```bash # /etc/lvm/lvm.conf devices { 
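Review bot: in the `### Standard Procedure: Filesystem Migration` hunk, step 3 runs `sed -i 's|/dev/oldvg/oldlv|/dev/newvg/newlv|g' /etc/fstab` with no backup and no check that the substitution matched; use `sed -i.bak` (or copy `/etc/fstab` aside first) and follow with `findmnt --verify` or `mount -a` before the `umount`/`mount` pair, because a wrong fstab line drops the next boot into emergency mode. The same hunk's fstab section shows `UUID=` entries, so point out that the migrated entry should also switch to the new filesystem's UUID from `blkid` rather than the `/dev/newvg/newlv` path.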
@@ -432,6 +467,7 @@ backup { ``` #### Volume Group Backup and Recovery + ```bash # Backup VG metadata vgcfgbackup vgname @@ -445,7 +481,9 @@ vgcfgrestore -l vgname ``` ### Filesystem-Specific Configuration + #### XFS Configuration + ```bash # XFS filesystem options in fstab /dev/datavg/datalv /data xfs defaults,noatime,logbsize=256k 0 2 @@ -456,6 +494,7 @@ xfs_db -r /dev/datavg/datalv # XFS debugger (read-only) ``` #### ext4 Configuration + ```bash # ext4 tuning tune2fs -o acl,user_xattr /dev/datavg/datalv # Enable ACLs 
@@ -468,88 +507,96 @@ tune2fs -i 180d /dev/datavg/datalv # Check every 180 days ## 6. Hands-On Labs ### Lab 6.1: Basic LVM Setup (Asghar Ghori Style) + **Objective**: Create complete LVM storage solution from scratch **Prerequisites**: Additional disk (/dev/sdb) available for testing **Steps**: + 1. **Explore current storage** - ```bash - # View current storage configuration - lsblk - df -h - pvs - vgs - lvs - ``` + + ```bash + # View current storage configuration + lsblk + df -h + pvs + vgs + lvs + ``` 2. **Create partition for LVM** - ```bash - # Create partition on /dev/sdb - fdisk /dev/sdb - # Commands in fdisk: - # n (new partition) - # p (primary) - # 1 (partition number) - # Enter (default start) - # Enter (default end, use whole disk) - # t (change type) - # 8e (Linux LVM) - # w (write and exit) + + ```bash + # Create partition on /dev/sdb + fdisk /dev/sdb + # Commands in fdisk: + # n (new partition) + # p (primary) + # 1 (partition number) + # Enter (default start) + # Enter (default end, use whole disk) + # t (change type) + # 8e (Linux LVM) + # w (write and exit) - # Update kernel partition table - partprobe /dev/sdb + # Update kernel partition table + partprobe /dev/sdb - # Verify partition - lsblk /dev/sdb - ``` + # Verify partition + lsblk /dev/sdb + ``` 3. 
**Create LVM components** - ```bash - # Create physical volume - pvcreate /dev/sdb1 - pvdisplay /dev/sdb1 + + ```bash + # Create physical volume + pvcreate /dev/sdb1 + pvdisplay /dev/sdb1 - # Create volume group - vgcreate labtesting /dev/sdb1 - vgdisplay labtesting + # Create volume group + vgcreate labtesting /dev/sdb1 + vgdisplay labtesting - # Create logical volumes - lvcreate -L 1G -n data labtesting - lvcreate -L 500M -n logs labtesting - lvcreate -L 256M -n swap labtesting + # Create logical volumes + lvcreate -L 1G -n data labtesting + lvcreate -L 500M -n logs labtesting + lvcreate -L 256M -n swap labtesting - # Verify LVM structure - lvdisplay - ``` + # Verify LVM structure + lvdisplay + ``` 4. **Create filesystems and swap** - ```bash - # Create filesystems - mkfs.xfs /dev/labtesting/data - mkfs.ext4 /dev/labtesting/logs - mkswap /dev/labtesting/swap + + ```bash + # Create filesystems + mkfs.xfs /dev/labtesting/data + mkfs.ext4 /dev/labtesting/logs + mkswap /dev/labtesting/swap - # Verify filesystem creation - blkid | grep labtesting - ``` + # Verify filesystem creation + blkid | grep labtesting + ``` 5. **Mount and configure** - ```bash - # Create mount points - mkdir -p /lab/{data,logs} + + ```bash + # Create mount points + mkdir -p /lab/{data,logs} - # Mount filesystems - mount /dev/labtesting/data /lab/data - mount /dev/labtesting/logs /lab/logs - swapon /dev/labtesting/swap + # Mount filesystems + mount /dev/labtesting/data /lab/data + mount /dev/labtesting/logs /lab/logs + swapon /dev/labtesting/swap - # Verify mounts - df -h /lab/data /lab/logs - swapon --show - ``` + # Verify mounts + df -h /lab/data /lab/logs + swapon --show + ``` **Verification**: + ```bash # Complete verification lsblk 
@@ -559,71 +606,78 @@ swapon --show | grep labtesting ``` ### Lab 6.2: LVM Extension and Management (Sander van Vugt Style) + **Objective**: Practice extending and managing existing LVM infrastructure **Prerequisites**: Lab 6.1 completed, additional disk (/dev/sdc) available **Steps**: + 1. **Add storage to existing VG** - ```bash - # Prepare new disk - fdisk /dev/sdc - # Create partition, set type to Linux LVM (8e) - partprobe /dev/sdc + + ```bash + # Prepare new disk + fdisk /dev/sdc + # Create partition, set type to Linux LVM (8e) + partprobe /dev/sdc - # Add to LVM - pvcreate /dev/sdc1 - vgextend labtesting /dev/sdc1 + # Add to LVM + pvcreate /dev/sdc1 + vgextend labtesting /dev/sdc1 - # Verify VG growth - vgs labtesting - vgdisplay labtesting - ``` + # Verify VG growth + vgs labtesting + vgdisplay labtesting + ``` 2. **Extend logical volumes** - ```bash - # Extend data LV by 2GB - lvextend -L +2G /dev/labtesting/data + + ```bash + # Extend data LV by 2GB + lvextend -L +2G /dev/labtesting/data - # Extend logs LV to use remaining space - lvextend -l +100%FREE /dev/labtesting/logs + # Extend logs LV to use remaining space + lvextend -l +100%FREE /dev/labtesting/logs - # Verify LV sizes - lvs labtesting - ``` + # Verify LV sizes + lvs labtesting + ``` 3. **Resize filesystems** - ```bash - # Resize XFS filesystem (data) - xfs_growfs /lab/data + + ```bash + # Resize XFS filesystem (data) + xfs_growfs /lab/data - # Resize ext4 filesystem (logs) - resize2fs /dev/labtesting/logs + # Resize ext4 filesystem (logs) + resize2fs /dev/labtesting/logs - # Verify filesystem sizes - df -h /lab/data /lab/logs - ``` + # Verify filesystem sizes + df -h /lab/data /lab/logs + ``` 4. 
**Practice LV management operations** - ```bash - # Create snapshot of data LV - lvcreate -L 500M -s -n data-snapshot /dev/labtesting/data + + ```bash + # Create snapshot of data LV + lvcreate -L 500M -s -n data-snapshot /dev/labtesting/data - # Create some test data - echo "Test file content" > /lab/data/testfile.txt - ls -la /lab/data/ + # Create some test data + echo "Test file content" > /lab/data/testfile.txt + ls -la /lab/data/ - # Mount and examine snapshot - mkdir /mnt/snapshot - mount /dev/labtesting/data-snapshot /mnt/snapshot - ls -la /mnt/snapshot/ + # Mount and examine snapshot + mkdir /mnt/snapshot + mount /dev/labtesting/data-snapshot /mnt/snapshot + ls -la /mnt/snapshot/ - # Clean up snapshot - umount /mnt/snapshot - lvremove -f /dev/labtesting/data-snapshot - ``` + # Clean up snapshot + umount /mnt/snapshot + lvremove -f /dev/labtesting/data-snapshot + ``` **Verification**: + ```bash # Verify final state pvs && vgs && lvs 
@@ -632,145 +686,154 @@ lsblk | grep labtesting ``` ### Lab 6.3: Complete Storage Migration (Synthesis Challenge) + **Objective**: Migrate existing storage to new LVM configuration with minimal downtime **Scenario**: Migrate a production-like data directory to new storage with better organization **Requirements**: + - Create new VG with better naming convention - Migrate data safely without corruption - Update system configuration appropriately - Document the migration process **Solution Steps**: + 1. **Prepare new storage infrastructure** - ```bash - # Use remaining space or additional disk - if lsblk | grep -q sdd; then - NEWDISK=/dev/sdd - else - # Use remaining space in existing VG - NEWDISK="extend_existing" - fi + + ```bash + # Use remaining space or additional disk + if lsblk | grep -q sdd; then + NEWDISK=/dev/sdd + else + # Use remaining space in existing VG + NEWDISK="extend_existing" + fi - if [ "$NEWDISK" != "extend_existing" ]; then - pvcreate ${NEWDISK}1 - vgcreate production ${NEWDISK}1 - else - # Extend existing VG and create new LVs - vgextend labtesting /dev/sdc1 2>/dev/null || true - fi + if [ "$NEWDISK" != "extend_existing" ]; then + pvcreate ${NEWDISK}1 + vgcreate production ${NEWDISK}1 + else + # Extend existing VG and create new LVs + vgextend labtesting /dev/sdc1 2>/dev/null || true + fi - # Create production-style LVM layout - if vgs production >/dev/null 2>&1; then - lvcreate -L 3G -n app-data production - lvcreate -L 1G -n app-logs production - lvcreate -L 500M -n app-backup production - else - lvcreate -L 1G -n app-data labtesting - lvcreate -L 500M -n app-logs labtesting - lvcreate -L 256M -n app-backup labtesting - fi - ``` + # Create production-style LVM layout + if vgs production >/dev/null 2>&1; then + lvcreate -L 3G -n app-data production + lvcreate -L 1G -n app-logs production + lvcreate -L 500M -n app-backup production + else + lvcreate -L 1G -n app-data labtesting + lvcreate -L 500M -n app-logs labtesting + lvcreate -L 256M -n 
app-backup labtesting + fi + ``` 2. **Prepare new filesystems** - ```bash - # Determine which VG to use - if vgs production >/dev/null 2>&1; then - VG=production - else - VG=labtesting - fi + + ```bash + # Determine which VG to use + if vgs production >/dev/null 2>&1; then + VG=production + else + VG=labtesting + fi - # Create filesystems with appropriate options - mkfs.xfs -L app-data /dev/${VG}/app-data - mkfs.ext4 -L app-logs /dev/${VG}/app-logs - mkfs.ext4 -L app-backup /dev/${VG}/app-backup + # Create filesystems with appropriate options + mkfs.xfs -L app-data /dev/${VG}/app-data + mkfs.ext4 -L app-logs /dev/${VG}/app-logs + mkfs.ext4 -L app-backup /dev/${VG}/app-backup - # Create mount points - mkdir -p /app/{data,logs,backup} - ``` + # Create mount points + mkdir -p /app/{data,logs,backup} + ``` 3. **Migrate existing data** - ```bash - # Create some test data in old location - echo "Important application data" > /lab/data/app.conf - echo "$(date): Application started" > /lab/logs/app.log - mkdir -p /lab/data/important - echo "Critical data" > /lab/data/important/critical.txt + + ```bash + # Create some test data in old location + echo "Important application data" > /lab/data/app.conf + echo "$(date): Application started" > /lab/logs/app.log + mkdir -p /lab/data/important + echo "Critical data" > /lab/data/important/critical.txt - # Mount new filesystems temporarily - mkdir -p /mnt/migration/{data,logs,backup} - mount /dev/${VG}/app-data /mnt/migration/data - mount /dev/${VG}/app-logs /mnt/migration/logs - mount /dev/${VG}/app-backup /mnt/migration/backup + # Mount new filesystems temporarily + mkdir -p /mnt/migration/{data,logs,backup} + mount /dev/${VG}/app-data /mnt/migration/data + mount /dev/${VG}/app-logs /mnt/migration/logs + mount /dev/${VG}/app-backup /mnt/migration/backup - # Migrate data safely with rsync - rsync -avxHAX /lab/data/ /mnt/migration/data/ - rsync -avxHAX /lab/logs/ /mnt/migration/logs/ + # Migrate data safely with rsync + rsync 
-avxHAX /lab/data/ /mnt/migration/data/ + rsync -avxHAX /lab/logs/ /mnt/migration/logs/ - # Create backup of migration - tar -czf /mnt/migration/backup/migration-backup-$(date +%Y%m%d).tar.gz \ - -C /mnt/migration data logs + # Create backup of migration + tar -czf /mnt/migration/backup/migration-backup-$(date +%Y%m%d).tar.gz \ + -C /mnt/migration data logs - # Verify data integrity - diff -r /lab/data /mnt/migration/data - echo "Data integrity check: $?" - ``` + # Verify data integrity + diff -r /lab/data /mnt/migration/data + echo "Data integrity check: $?" + ``` 4. **Update system configuration** - ```bash - # Prepare new fstab entries - cat >> /tmp/new-fstab-entries << EOF - /dev/${VG}/app-data /app/data xfs defaults,noatime 0 2 - /dev/${VG}/app-logs /app/logs ext4 defaults,noatime 0 2 - /dev/${VG}/app-backup /app/backup ext4 defaults,noexec 0 2 - EOF + + ```bash + # Prepare new fstab entries + cat >> /tmp/new-fstab-entries << EOF + /dev/${VG}/app-data /app/data xfs defaults,noatime 0 2 + /dev/${VG}/app-logs /app/logs ext4 defaults,noatime 0 2 + /dev/${VG}/app-backup /app/backup ext4 defaults,noexec 0 2 + EOF - # Show what will be added - echo "New fstab entries:" - cat /tmp/new-fstab-entries + # Show what will be added + echo "New fstab entries:" + cat /tmp/new-fstab-entries - # Add to fstab (in real migration, this would be done during maintenance window) - cat /tmp/new-fstab-entries >> /etc/fstab + # Add to fstab (in real migration, this would be done during maintenance window) + cat /tmp/new-fstab-entries >> /etc/fstab - # Switch to new storage - umount /mnt/migration/data /mnt/migration/logs /mnt/migration/backup - mount /dev/${VG}/app-data /app/data - mount /dev/${VG}/app-logs /app/logs - mount /dev/${VG}/app-backup /app/backup - ``` + # Switch to new storage + umount /mnt/migration/data /mnt/migration/logs /mnt/migration/backup + mount /dev/${VG}/app-data /app/data + mount /dev/${VG}/app-logs /app/logs + mount /dev/${VG}/app-backup /app/backup + ``` 5. 
**Verify and document migration** - ```bash - # Create migration report - cat > /app/backup/migration-report-$(date +%Y%m%d).txt << EOF - Storage Migration Report - Date: $(date) + + ```bash + # Create migration report + cat > /app/backup/migration-report-$(date +%Y%m%d).txt << EOF + Storage Migration Report + Date: $(date) - Old Storage: - - /lab/data ($(du -sh /lab/data | cut -f1)) - - /lab/logs ($(du -sh /lab/logs | cut -f1)) + Old Storage: + - /lab/data ($(du -sh /lab/data | cut -f1)) + - /lab/logs ($(du -sh /lab/logs | cut -f1)) - New Storage: - Volume Group: ${VG} - - /app/data: /dev/${VG}/app-data (XFS, $(df -h /app/data | tail -1 | awk '{print $2}')) - - /app/logs: /dev/${VG}/app-logs (ext4, $(df -h /app/logs | tail -1 | awk '{print $2}')) - - /app/backup: /dev/${VG}/app-backup (ext4, $(df -h /app/backup | tail -1 | awk '{print $2}')) + New Storage: + Volume Group: ${VG} + - /app/data: /dev/${VG}/app-data (XFS, $(df -h /app/data | tail -1 | awk '{print $2}')) + - /app/logs: /dev/${VG}/app-logs (ext4, $(df -h /app/logs | tail -1 | awk '{print $2}')) + - /app/backup: /dev/${VG}/app-backup (ext4, $(df -h /app/backup | tail -1 | awk '{print $2}')) - Migration Status: COMPLETED - Data Verification: PASSED - Backup Created: migration-backup-$(date +%Y%m%d).tar.gz - EOF + Migration Status: COMPLETED + Data Verification: PASSED + Backup Created: migration-backup-$(date +%Y%m%d).tar.gz + EOF - # Display final configuration - echo "=== Migration Complete ===" - lsblk | grep -E "(${VG}|labtesting)" - df -h | grep app - cat /app/backup/migration-report-$(date +%Y%m%d).txt - ``` + # Display final configuration + echo "=== Migration Complete ===" + lsblk | grep -E "(${VG}|labtesting)" + df -h | grep app + cat /app/backup/migration-report-$(date +%Y%m%d).txt + ``` **Verification**: + ```bash # Complete post-migration verification mount | grep "/app" 
@@ -788,12 +851,15 @@ cat /app/logs/app.log ### Common Issues #### Issue 1: LV Won't Mount After Reboot + **Symptoms**: + - Filesystem not available after system restart - "Device not found" errors during boot - Services fail to start due to missing storage **Diagnosis**: + ```bash # Check if LVM volumes are active lvs @@ -808,6 +874,7 @@ mount | grep mapper ``` **Resolution**: + ```bash # Activate volume groups vgchange -ay @@ -828,12 +895,15 @@ mount -a **Prevention**: Use UUIDs in fstab, ensure LVM service is enabled #### Issue 2: Cannot Extend Filesystem + **Symptoms**: + - LV extends successfully but filesystem size unchanged - "No space left on device" despite LV extension - Applications still report old filesystem size **Diagnosis**: + ```bash # Check LV vs filesystem size lvs @@ -845,6 +915,7 @@ blkid /dev/vgname/lvname ``` **Resolution**: + ```bash # For XFS filesystems xfs_growfs /mountpoint @@ -857,12 +928,15 @@ df -h /mountpoint ``` #### Issue 3: VG Shows as Inactive + **Symptoms**: + - Volume group not visible or inactive - Cannot access logical volumes - LVM commands show no VGs **Diagnosis**: + ```bash # Check PV status pvdisplay -C @@ -874,6 +948,7 @@ vgdisplay -A ``` **Resolution**: + ```bash # Activate volume group vgchange -ay vgname @@ -889,6 +964,7 @@ lvscan ``` ### Diagnostic Command Sequence + ```bash # Storage troubleshooting workflow lsblk # Overview of block devices @@ -900,6 +976,7 @@ cat /etc/fstab # Persistent mount configuration ``` ### Log File Analysis + - **`/var/log/messages`**: General storage and LVM errors - **`/var/log/boot.log`**: Boot-time storage issues - **`dmesg`**: Kernel messages about storage devices @@ -910,6 +987,7 @@ cat /etc/fstab # Persistent mount configuration ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # LVM creation workflow pvcreate /dev/sdb1 # Create physical volume 
@@ -930,6 +1008,7 @@ lvs -o+data_percent vgname/pool # Monitor pool usage ``` ### fstab Entry Examples + ```bash # Using device path (not recommended) /dev/datavg/datalv /data xfs defaults 0 2 @@ -942,12 +1021,14 @@ UUID=abc123-def456 /data xfs defaults,noatime 0 2 ``` ### LVM Size Specifications + - **Absolute sizes**: `1G`, `500M`, `2T` - **Percentage of VG**: `50%VG`, `100%VG` - **Percentage of free space**: `50%FREE`, `100%FREE` - **Relative changes**: `+1G`, `-500M`, `+50%FREE` ### Filesystem Types + - **XFS**: Best for large files, can only grow - **ext4**: General purpose, can grow and shrink - **swap**: Virtual memory extension 
@@ -957,36 +1038,40 @@ UUID=abc123-def456 /data xfs defaults,noatime 0 2 ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What's the advantage of LVM over traditional partitioning? - **Answer**: LVM provides flexibility to resize storage without repartitioning disks. You can extend logical volumes across multiple physical devices, create snapshots, and resize filesystems online. It separates physical storage from logical organization, making storage management much more flexible. + **Answer**: LVM provides flexibility to resize storage without repartitioning disks. You can extend logical volumes across multiple physical devices, create snapshots, and resize filesystems online. It separates physical storage from logical organization, making storage management much more flexible. 2. **Question**: Why can't you shrink an XFS filesystem? - **Answer**: XFS is designed for performance and large-scale storage. Its metadata structure and allocation algorithms are optimized for forward growth. Shrinking would require complex metadata reorganization that could compromise performance and reliability, so XFS developers chose to support only growth operations. + **Answer**: XFS is designed for performance and large-scale storage. Its metadata structure and allocation algorithms are optimized for forward growth. Shrinking would require complex metadata reorganization that could compromise performance and reliability, so XFS developers chose to support only growth operations. 3. **Question**: When would you use a swap file instead of swap partition? - **Answer**: Swap files are easier to manage dynamically - you can create, resize, or remove them without repartitioning. They're useful when you need to add swap temporarily, when using cloud instances with limited partitioning options, or when you want to adjust swap size based on changing workload requirements. 
+ **Answer**: Swap files are easier to manage dynamically - you can create, resize, or remove them without repartitioning. They're useful when you need to add swap temporarily, when using cloud instances with limited partitioning options, or when you want to adjust swap size based on changing workload requirements. ### Practical Scenarios + 1. **Scenario**: Database server running out of space for transaction logs. - **Solution**: Extend the LV containing the logs (`lvextend -L +10G /dev/vgname/logslv`), then grow the filesystem (`xfs_growfs /var/lib/mysql/logs`), assuming XFS filesystem. + **Solution**: Extend the LV containing the logs (`lvextend -L +10G /dev/vgname/logslv`), then grow the filesystem (`xfs_growfs /var/lib/mysql/logs`), assuming XFS filesystem. 2. **Scenario**: Need to migrate data from failing disk to new storage. - **Solution**: Create new LVM structure on new disk, use `rsync -avxHAX` to copy data while old disk still works, then update fstab and remount on new storage. + **Solution**: Create new LVM structure on new disk, use `rsync -avxHAX` to copy data while old disk still works, then update fstab and remount on new storage. ### Command Challenges + 1. **Challenge**: Create a 5GB logical volume using exactly 50% of volume group space. - **Answer**: `lvcreate -l 50%VG -n mylv vgname` - **Explanation**: `-l` uses extents/percentages, `50%VG` means half of total VG space + **Answer**: `lvcreate -l 50%VG -n mylv vgname` + **Explanation**: `-l` uses extents/percentages, `50%VG` means half of total VG space 2. **Challenge**: Find all LVM logical volumes and their mount points. - **Answer**: `findmnt | grep mapper` or `mount | grep mapper` - **Explanation**: LVM device paths contain `/dev/mapper/` prefix when mounted + **Answer**: `findmnt | grep mapper` or `mount | grep mapper` + **Explanation**: LVM device paths contain `/dev/mapper/` prefix when mounted --- ## 10. 
Exam Strategy ### Topic-Specific Tips + - Always verify disk space before creating partitions or LVs - Use `lsblk` to visualize storage hierarchy before making changes - Remember that XFS can only grow, not shrink @@ -994,22 +1079,25 @@ UUID=abc123-def456 /data xfs defaults,noatime 0 2 - For thin provisioning: monitor pool usage (`lvs -o+data_percent`) and extend before full ### Common Exam Scenarios + 1. **Scenario**: Add storage to existing system - **Approach**: Create PV, extend VG, extend LV, resize filesystem + **Approach**: Create PV, extend VG, extend LV, resize filesystem 2. **Scenario**: Create swap space - **Approach**: Create LV, format as swap, enable swap, add to fstab + **Approach**: Create LV, format as swap, enable swap, add to fstab 3. **Scenario**: Set up persistent mounts - **Approach**: Add appropriate entries to /etc/fstab, test with `mount -a` + **Approach**: Add appropriate entries to /etc/fstab, test with `mount -a` ### Time Management + - **Basic LVM setup**: 8-10 minutes for complete PV→VG→LV→filesystem→mount - **Storage extension**: 5-7 minutes for extend LV and resize filesystem - **Partition creation**: 3-4 minutes using fdisk - **Always verify**: Check with `df -h` and `mount` after each step ### Pitfalls to Avoid + - Don't forget `partprobe` after creating partitions with fdisk - Remember to resize filesystem after extending LV - Use UUIDs in fstab for reliability @@ -1022,12 +1110,14 @@ UUID=abc123-def456 /data xfs defaults,noatime 0 2 ## Summary ### Key Takeaways + - **LVM provides storage flexibility** - essential for production systems - **Understand the hierarchy**: Physical Volume → Volume Group → Logical Volume → Filesystem - **XFS vs ext4 have different capabilities** - choose based on requirements - **fstab configuration is critical** - systems won't boot properly without correct entries ### Critical Commands to Remember + ```bash pvcreate /dev/sdb1 # Create physical volume vgcreate vgname /dev/sdb1 # Create volume group 
@@ -1038,10 +1128,11 @@ xfs_growfs /mountpoint # Grow XFS filesystem ``` ### Next Steps + - Continue to [Module 08: Network Configuration](08_networking.md) - Practice storage management in the Vagrant environment with multiple disks - Review related topics: [System Installation](01_system_installation.md), [Boot Process](11_boot_grub.md) --- -**Navigation**: [← Package Management](06_package_management.md) | [Index](index.md) | [Next → Network Configuration](08_networking.md) \ No newline at end of file +**Navigation**: [← Package Management](06_package_management.md) | [Index](index.md) | [Next → Network Configuration](08_networking.md) diff --git a/docs/rhcsa_synthesis/08_networking.md b/docs/rhcsa_synthesis/08_networking.md index 1a37412..88847eb 100644 --- a/docs/rhcsa_synthesis/08_networking.md +++ b/docs/rhcsa_synthesis/08_networking.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + RHEL 10 uses NetworkManager as the primary network management service: - **NetworkManager**: Modern network configuration service replacing traditional networking scripts @@ -30,6 +31,7 @@ RHEL 10 uses NetworkManager as the primary network management service: - **Network namespaces**: Isolated network environments (advanced topic) ### Real-World Applications + - **Server deployment**: Configuring static IPs for production servers - **Network troubleshooting**: Diagnosing connectivity issues in enterprise environments - **Remote management**: Ensuring SSH access through proper network configuration @@ -37,6 +39,7 @@ RHEL 10 uses NetworkManager as the primary network management service: - **Network isolation**: Separating different types of traffic for security ### Common Misconceptions + - **NetworkManager vs network scripts**: RHEL 10 uses NetworkManager, not legacy scripts - **Interface naming**: Modern systems use predictable names (ens3, enp0s3) not eth0 - **Connection vs device state**: A device can be up but connection down 
@@ -44,6 +47,7 @@ RHEL 10 uses NetworkManager as the primary network management service: - **Gateway terminology**: Default route and default gateway are the same concept ### Key Terminology + - **Interface**: Physical or virtual network device (ens3, enp0s3, virbr0) - **Connection**: NetworkManager configuration profile applied to interface - **Profile**: Persistent network configuration including IP, DNS, gateway @@ -58,6 +62,7 @@ RHEL 10 uses NetworkManager as the primary network management service: ## 3. Command Mastery ### NetworkManager Commands (nmcli) + ```bash # Connection management nmcli connection show # List all connections @@ -92,6 +97,7 @@ nmcli connection modify "static-ens3" connection.autoconnect yes ``` ### Traditional Network Commands + ```bash # Interface information ip addr show # Show all interface addresses @@ -108,6 +114,7 @@ ss -tuln # Show listening sockets (replaces netstat) ``` ### Network Testing Commands + ```bash # Connectivity testing ping -c 4 8.8.8.8 # Test internet connectivity @@ -127,6 +134,7 @@ ss -tuln | grep :80 # Check if service listening on port ``` ### Hostname Management + ```bash # Hostname commands hostnamectl # Show hostname information @@ -139,6 +147,7 @@ hostname server1 # Set hostname (temporary) ``` ### Network Configuration Files + ```bash # NetworkManager connection files ls /etc/NetworkManager/system-connections/ # Connection profiles @@ -151,6 +160,7 @@ cat /etc/nsswitch.conf # Name resolution order ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `nmcli con show` | List connections | `--active` | `nmcli con show --active` | 
@@ -165,71 +175,82 @@ cat /etc/nsswitch.conf # Name resolution order ## 4. Procedural Workflows ### Standard Procedure: Configure Static IP Address + 1. **Identify available interface** - ```bash - nmcli device status - ip link show - ``` + + ```bash + nmcli device status + ip link show + ``` 2. **Create static connection** - ```bash - nmcli connection add type ethernet \ - con-name "static-connection" \ - ifname ens3 \ - ipv4.addresses 192.168.1.100/24 \ - ipv4.gateway 192.168.1.1 \ - ipv4.dns "8.8.8.8 8.8.4.4" \ - ipv4.method manual \ - connection.autoconnect yes - ``` + + ```bash + nmcli connection add type ethernet \ + con-name "static-connection" \ + ifname ens3 \ + ipv4.addresses 192.168.1.100/24 \ + ipv4.gateway 192.168.1.1 \ + ipv4.dns "8.8.8.8 8.8.4.4" \ + ipv4.method manual \ + connection.autoconnect yes + ``` 3. **Activate connection** - ```bash - nmcli connection up "static-connection" - ``` + + ```bash + nmcli connection up "static-connection" + ``` 4. **Verify configuration** - ```bash - ip addr show ens3 - ip route show - cat /etc/resolv.conf - ping -c 2 8.8.8.8 - ``` + + ```bash + ip addr show ens3 + ip route show + cat /etc/resolv.conf + ping -c 2 8.8.8.8 + ``` ### Standard Procedure: Switch from DHCP to Static + 1. **Check current configuration** - ```bash - nmcli connection show --active - nmcli device show ens3 - ``` + + ```bash + nmcli connection show --active + nmcli device show ens3 + ``` 2. 
**Modify existing connection** - ```bash - # Get current connection name - CON_NAME=$(nmcli -t -f NAME connection show --active | head -1) - - # Modify to static - nmcli connection modify "$CON_NAME" \ - ipv4.method manual \ - ipv4.addresses 192.168.1.100/24 \ - ipv4.gateway 192.168.1.1 \ - ipv4.dns "8.8.8.8,8.8.4.4" - ``` + + ```bash + # Get current connection name + CON_NAME=$(nmcli -t -f NAME connection show --active | head -1) + + # Modify to static + nmcli connection modify "$CON_NAME" \ + ipv4.method manual \ + ipv4.addresses 192.168.1.100/24 \ + ipv4.gateway 192.168.1.1 \ + ipv4.dns "8.8.8.8,8.8.4.4" + ``` 3. **Apply changes** - ```bash - nmcli connection down "$CON_NAME" - nmcli connection up "$CON_NAME" - ``` + + ```bash + nmcli connection down "$CON_NAME" + nmcli connection up "$CON_NAME" + ``` 4. **Verify changes** - ```bash - ip addr show - ping -c 2 google.com - ``` + + ```bash + ip addr show + ping -c 2 google.com + ``` ### Decision Tree: Network Configuration Strategy -``` + +```text Network Configuration Need ├── New system setup? │ ├── DHCP available? → Use auto method 
@@ -248,43 +269,50 @@ Network Configuration Need ``` ### Standard Procedure: Network Troubleshooting + 1. **Check physical connectivity** - ```bash - nmcli device status - ip link show - # Look for "connected" state and "UP" flags - ``` + + ```bash + nmcli device status + ip link show + # Look for "connected" state and "UP" flags + ``` 2. **Check IP configuration** - ```bash - ip addr show - nmcli connection show --active - ``` + + ```bash + ip addr show + nmcli connection show --active + ``` 3. **Test network layers** - ```bash - # Layer 3 - IP connectivity - ping -c 2 127.0.0.1 # Loopback - ping -c 2 $(ip route | grep default | awk '{print $3}') # Gateway - ping -c 2 8.8.8.8 # External IP + + ```bash + # Layer 3 - IP connectivity + ping -c 2 127.0.0.1 # Loopback + ping -c 2 $(ip route | grep default | awk '{print $3}') # Gateway + ping -c 2 8.8.8.8 # External IP - # Layer 7 - DNS resolution - nslookup google.com - ping -c 2 google.com - ``` + # Layer 7 - DNS resolution + nslookup google.com + ping -c 2 google.com + ``` 4. **Check services and ports** - ```bash - ss -tuln # Listening services - systemctl status NetworkManager - ``` + + ```bash + ss -tuln # Listening services + systemctl status NetworkManager + ``` --- ## 5. Configuration Deep Dive ### NetworkManager Connection Files + #### Static IP Connection + ```bash # /etc/NetworkManager/system-connections/static-ens3.nmconnection [connection] @@ -309,6 +337,7 @@ method=auto ``` #### DHCP Connection + ```bash # /etc/NetworkManager/system-connections/dhcp-ens3.nmconnection [connection] @@ -331,7 +360,9 @@ method=auto ``` ### Advanced Network Configuration + #### Multiple IP Addresses + ```bash # Add secondary IP to existing connection nmcli connection modify "static-ens3" \ @@ -345,6 +376,7 @@ nmcli connection add type ethernet con-name "multi-ip" ifname ens3 \ ``` #### DNS Configuration + ```bash # Set specific DNS servers nmcli connection modify "connection-name" \ 
@@ -360,7 +392,9 @@ nmcli connection modify "connection-name" \ ``` ### Network Interface Naming + #### Predictable Network Interface Names + ```bash # Modern naming scheme (RHEL 10): # ens3 - Ethernet slot 3 
@@ -377,66 +411,73 @@ udevadm info /sys/class/net/ens3 ## 6. Hands-On Labs ### Lab 6.1: Basic Network Configuration (Asghar Ghori Style) + **Objective**: Configure static IP address and test connectivity **Steps**: + 1. **Explore current network configuration** - ```bash - # Check current interfaces and connections - nmcli device status - nmcli connection show + + ```bash + # Check current interfaces and connections + nmcli device status + nmcli connection show - # Show detailed interface information - ip addr show - ip route show + # Show detailed interface information + ip addr show + ip route show - # Check current connectivity - ping -c 2 8.8.8.8 - ``` + # Check current connectivity + ping -c 2 8.8.8.8 + ``` 2. **Create static IP configuration** - ```bash - # Create new static connection (adjust IP range for your environment) - nmcli connection add type ethernet \ - con-name "lab-static" \ - ifname ens3 \ - ipv4.addresses 192.168.1.150/24 \ - ipv4.gateway 192.168.1.1 \ - ipv4.dns "8.8.8.8 8.8.4.4" \ - ipv4.method manual \ - connection.autoconnect yes - - # Activate the new connection - nmcli connection up "lab-static" - ``` + + ```bash + # Create new static connection (adjust IP range for your environment) + nmcli connection add type ethernet \ + con-name "lab-static" \ + ifname ens3 \ + ipv4.addresses 192.168.1.150/24 \ + ipv4.gateway 192.168.1.1 \ + ipv4.dns "8.8.8.8 8.8.4.4" \ + ipv4.method manual \ + connection.autoconnect yes + + # Activate the new connection + nmcli connection up "lab-static" + ``` 3. 
**Verify static configuration** - ```bash - # Check new IP configuration - ip addr show ens3 - ip route show - cat /etc/resolv.conf - - # Test connectivity - ping -c 3 192.168.1.1 # Gateway - ping -c 3 8.8.8.8 # External IP - ping -c 3 google.com # DNS resolution - ``` + + ```bash + # Check new IP configuration + ip addr show ens3 + ip route show + cat /etc/resolv.conf + + # Test connectivity + ping -c 3 192.168.1.1 # Gateway + ping -c 3 8.8.8.8 # External IP + ping -c 3 google.com # DNS resolution + ``` 4. **Test connection management** - ```bash - # Bring connection down and up - nmcli connection down "lab-static" - ip addr show ens3 # Should show no IP + + ```bash + # Bring connection down and up + nmcli connection down "lab-static" + ip addr show ens3 # Should show no IP - nmcli connection up "lab-static" - ip addr show ens3 # Should show static IP + nmcli connection up "lab-static" + ip addr show ens3 # Should show static IP - # Show connection details - nmcli connection show "lab-static" - ``` + # Show connection details + nmcli connection show "lab-static" + ``` **Verification**: + ```bash # Complete verification nmcli connection show --active | grep lab-static 
@@ -446,67 +487,74 @@ ip route show | grep default ``` ### Lab 6.2: Advanced Network Management (Sander van Vugt Style) + **Objective**: Modify existing connections and manage multiple network configurations **Steps**: + 1. **Analyze existing network setup** - ```bash - # Document current configuration - nmcli connection show > /tmp/original-connections.txt - nmcli device show > /tmp/original-devices.txt - ip addr show > /tmp/original-ips.txt - ``` + + ```bash + # Document current configuration + nmcli connection show > /tmp/original-connections.txt + nmcli device show > /tmp/original-devices.txt + ip addr show > /tmp/original-ips.txt + ``` 2. **Create DHCP backup connection** - ```bash - # Create DHCP connection for same interface - nmcli connection add type ethernet \ - con-name "lab-dhcp-backup" \ - ifname ens3 \ - ipv4.method auto \ - connection.autoconnect no - - # Test switching between static and DHCP - nmcli connection down "lab-static" - nmcli connection up "lab-dhcp-backup" - - # Check what IP was assigned by DHCP - ip addr show ens3 - ``` + + ```bash + # Create DHCP connection for same interface + nmcli connection add type ethernet \ + con-name "lab-dhcp-backup" \ + ifname ens3 \ + ipv4.method auto \ + connection.autoconnect no + + # Test switching between static and DHCP + nmcli connection down "lab-static" + nmcli connection up "lab-dhcp-backup" + + # Check what IP was assigned by DHCP + ip addr show ens3 + ``` 3. 
**Modify connection properties** - ```bash - # Switch back to static and modify it - nmcli connection down "lab-dhcp-backup" - nmcli connection up "lab-static" + + ```bash + # Switch back to static and modify it + nmcli connection down "lab-dhcp-backup" + nmcli connection up "lab-static" - # Add secondary IP address - nmcli connection modify "lab-static" \ - +ipv4.addresses 192.168.1.151/24 + # Add secondary IP address + nmcli connection modify "lab-static" \ + +ipv4.addresses 192.168.1.151/24 - # Change DNS servers - nmcli connection modify "lab-static" \ - ipv4.dns "1.1.1.1,8.8.8.8" + # Change DNS servers + nmcli connection modify "lab-static" \ + ipv4.dns "1.1.1.1,8.8.8.8" - # Apply changes - nmcli connection down "lab-static" - nmcli connection up "lab-static" - ``` + # Apply changes + nmcli connection down "lab-static" + nmcli connection up "lab-static" + ``` 4. **Verify multiple IPs and DNS changes** - ```bash - # Check multiple IP addresses - ip addr show ens3 | grep inet + + ```bash + # Check multiple IP addresses + ip addr show ens3 | grep inet - # Verify DNS changes - cat /etc/resolv.conf + # Verify DNS changes + cat /etc/resolv.conf - # Test connectivity from both IPs - ping -c 2 -I 192.168.1.150 google.com - ping -c 2 -I 192.168.1.151 google.com - ``` + # Test connectivity from both IPs + ping -c 2 -I 192.168.1.150 google.com + ping -c 2 -I 192.168.1.151 google.com + ``` **Verification**: + ```bash # Document final configuration nmcli connection show "lab-static" 
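Review bot: in the Lab 6.2 hunk the DNS list is written as `ipv4.dns "1.1.1.1,8.8.8.8"` while Lab 6.1 wrote `ipv4.dns "8.8.8.8 8.8.4.4"`; nmcli accepts both comma and space separators, but the guide should settle on one form so a learner does not read the difference as meaningful. Separately, the "Apply changes" pair `nmcli connection down "lab-static"` / `nmcli connection up "lab-static"` takes the link down for no reason: `nmcli connection up "lab-static"` on its own re-activates the profile with the modified settings, and `nmcli device reapply ens3` applies the added address and the DNS change without dropping the interface, which matters if the lab is being done over SSH.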
@@ -515,137 +563,145 @@ nslookup google.com ``` ### Lab 6.3: Network Troubleshooting Scenario (Synthesis Challenge) + **Objective**: Diagnose and resolve complex network connectivity issues **Scenario**: A server has lost network connectivity and needs systematic troubleshooting **Requirements**: + - Systematically diagnose network issues - Test connectivity at multiple network layers - Document findings and resolution steps - Restore full network functionality **Solution Steps**: + 1. **Create a "broken" network scenario** - ```bash - # Simulate network problems (choose one or more): + + ```bash + # Simulate network problems (choose one or more): - # Problem 1: Wrong gateway - nmcli connection modify "lab-static" ipv4.gateway 192.168.1.99 + # Problem 1: Wrong gateway + nmcli connection modify "lab-static" ipv4.gateway 192.168.1.99 - # Problem 2: Wrong DNS - nmcli connection modify "lab-static" ipv4.dns "192.168.1.99" + # Problem 2: Wrong DNS + nmcli connection modify "lab-static" ipv4.dns "192.168.1.99" - # Problem 3: Wrong IP range - nmcli connection modify "lab-static" ipv4.addresses 10.0.0.100/24 + # Problem 3: Wrong IP range + nmcli connection modify "lab-static" ipv4.addresses 10.0.0.100/24 - # Apply one of these problematic configs - nmcli connection down "lab-static" - nmcli connection up "lab-static" + # Apply one of these problematic configs + nmcli connection down "lab-static" + nmcli connection up "lab-static" - # Verify the problem exists - ping -c 2 google.com # This should fail - ``` + # Verify the problem exists + ping -c 2 google.com # This should fail + ``` 2. 
**Systematic network troubleshooting** - ```bash - # Step 1: Check physical and link layer - echo "=== LAYER 1 & 2 DIAGNOSTICS ===" - nmcli device status - ip link show ens3 + + ```bash + # Step 1: Check physical and link layer + echo "=== LAYER 1 & 2 DIAGNOSTICS ===" + nmcli device status + ip link show ens3 - # Step 2: Check network layer (IP configuration) - echo "=== LAYER 3 DIAGNOSTICS ===" - ip addr show ens3 - ip route show + # Step 2: Check network layer (IP configuration) + echo "=== LAYER 3 DIAGNOSTICS ===" + ip addr show ens3 + ip route show - # Step 3: Test connectivity at each level - echo "=== CONNECTIVITY TESTS ===" + # Step 3: Test connectivity at each level + echo "=== CONNECTIVITY TESTS ===" - # Test loopback - ping -c 1 127.0.0.1 && echo "Loopback: OK" || echo "Loopback: FAIL" + # Test loopback + ping -c 1 127.0.0.1 && echo "Loopback: OK" || echo "Loopback: FAIL" - # Test local IP - LOCAL_IP=$(ip addr show ens3 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1) - ping -c 1 $LOCAL_IP && echo "Local IP: OK" || echo "Local IP: FAIL" + # Test local IP + LOCAL_IP=$(ip addr show ens3 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1) + ping -c 1 $LOCAL_IP && echo "Local IP: OK" || echo "Local IP: FAIL" - # Test gateway - GATEWAY=$(ip route show default | awk '{print $3}') - ping -c 1 $GATEWAY && echo "Gateway: OK" || echo "Gateway: FAIL" + # Test gateway + GATEWAY=$(ip route show default | awk '{print $3}') + ping -c 1 $GATEWAY && echo "Gateway: OK" || echo "Gateway: FAIL" - # Test external IP - ping -c 1 8.8.8.8 && echo "External IP: OK" || echo "External IP: FAIL" + # Test external IP + ping -c 1 8.8.8.8 && echo "External IP: OK" || echo "External IP: FAIL" - # Test DNS resolution - nslookup google.com > /dev/null 2>&1 && echo "DNS Resolution: OK" || echo "DNS Resolution: FAIL" - ``` + # Test DNS resolution + nslookup google.com > /dev/null 2>&1 && echo "DNS Resolution: OK" || echo "DNS Resolution: FAIL" + ``` 3. 
**Diagnose and fix the specific problem** - ```bash - # Based on the test results, fix the issue: + + ```bash + # Based on the test results, fix the issue: - # If gateway test failed: - echo "Fixing gateway configuration..." - nmcli connection modify "lab-static" ipv4.gateway 192.168.1.1 + # If gateway test failed: + echo "Fixing gateway configuration..." + nmcli connection modify "lab-static" ipv4.gateway 192.168.1.1 - # If DNS resolution failed but external IP worked: - echo "Fixing DNS configuration..." - nmcli connection modify "lab-static" ipv4.dns "8.8.8.8,8.8.4.4" + # If DNS resolution failed but external IP worked: + echo "Fixing DNS configuration..." + nmcli connection modify "lab-static" ipv4.dns "8.8.8.8,8.8.4.4" - # If external IP failed but gateway worked (wrong IP range): - echo "Fixing IP address configuration..." - nmcli connection modify "lab-static" ipv4.addresses 192.168.1.150/24 + # If external IP failed but gateway worked (wrong IP range): + echo "Fixing IP address configuration..." + nmcli connection modify "lab-static" ipv4.addresses 192.168.1.150/24 - # Apply the fix - nmcli connection down "lab-static" - nmcli connection up "lab-static" - ``` + # Apply the fix + nmcli connection down "lab-static" + nmcli connection up "lab-static" + ``` 4. **Verify resolution and document** - ```bash - # Re-run connectivity tests - echo "=== POST-FIX VERIFICATION ===" - ping -c 2 127.0.0.1 # Loopback - ping -c 2 192.168.1.1 # Gateway - ping -c 2 8.8.8.8 # External IP - ping -c 2 google.com # DNS resolution - - # Create troubleshooting report - cat > /tmp/network-troubleshooting-report.txt << EOF - Network Troubleshooting Report - Date: $(date) - - Problem Description: - - Network connectivity was lost - - Systematic diagnostics performed - - Diagnostics Performed: - 1. Physical layer check: nmcli device status - 2. IP configuration check: ip addr show, ip route show - 3. 
Connectivity tests: loopback, gateway, external IP, DNS - - Issue Found: - $(if ping -c 1 google.com > /dev/null 2>&1; then echo "Issue resolved successfully"; else echo "Issue still present"; fi) - - Resolution Applied: - - Modified connection: lab-static - - Updated configuration parameters - - Reactivated network connection - - Final Configuration: - $(nmcli connection show "lab-static" | grep ipv4) - - Post-Fix Tests: - - Gateway connectivity: $(ping -c 1 192.168.1.1 > /dev/null 2>&1 && echo "PASS" || echo "FAIL") - - External connectivity: $(ping -c 1 8.8.8.8 > /dev/null 2>&1 && echo "PASS" || echo "FAIL") - - DNS resolution: $(ping -c 1 google.com > /dev/null 2>&1 && echo "PASS" || echo "FAIL") - EOF - - # Display the report - cat /tmp/network-troubleshooting-report.txt - ``` + + ```bash + # Re-run connectivity tests + echo "=== POST-FIX VERIFICATION ===" + ping -c 2 127.0.0.1 # Loopback + ping -c 2 192.168.1.1 # Gateway + ping -c 2 8.8.8.8 # External IP + ping -c 2 google.com # DNS resolution + + # Create troubleshooting report + cat > /tmp/network-troubleshooting-report.txt << EOF + Network Troubleshooting Report + Date: $(date) + + Problem Description: + - Network connectivity was lost + - Systematic diagnostics performed + + Diagnostics Performed: + 1. Physical layer check: nmcli device status + 2. IP configuration check: ip addr show, ip route show + 3. 
Connectivity tests: loopback, gateway, external IP, DNS + + Issue Found: + $(if ping -c 1 google.com > /dev/null 2>&1; then echo "Issue resolved successfully"; else echo "Issue still present"; fi) + + Resolution Applied: + - Modified connection: lab-static + - Updated configuration parameters + - Reactivated network connection + + Final Configuration: + $(nmcli connection show "lab-static" | grep ipv4) + + Post-Fix Tests: + - Gateway connectivity: $(ping -c 1 192.168.1.1 > /dev/null 2>&1 && echo "PASS" || echo "FAIL") + - External connectivity: $(ping -c 1 8.8.8.8 > /dev/null 2>&1 && echo "PASS" || echo "FAIL") + - DNS resolution: $(ping -c 1 google.com > /dev/null 2>&1 && echo "PASS" || echo "FAIL") + EOF + + # Display the report + cat /tmp/network-troubleshooting-report.txt + ``` **Verification**: + ```bash # Final comprehensive verification echo "=== FINAL NETWORK STATUS ===" @@ -664,12 +720,15 @@ cat /tmp/network-troubleshooting-report.txt ### Common Issues #### Issue 1: No Network Connectivity After Configuration + **Symptoms**: + - Cannot ping gateway or external hosts - New IP configuration not applied - Connection shows as activated but no connectivity **Diagnosis**: + ```bash # Check connection and device status nmcli connection show --active @@ -684,6 +743,7 @@ journalctl -u NetworkManager --since "10 minutes ago" ``` **Resolution**: + ```bash # Restart NetworkManager service systemctl restart NetworkManager @@ -702,12 +762,15 @@ nmcli connection show | grep interface-name **Prevention**: Always verify configuration before applying, test in stages #### Issue 2: DNS Resolution Not Working + **Symptoms**: + - Can ping IP addresses but not hostnames - /etc/resolv.conf has wrong or no DNS servers - nslookup/dig commands fail **Diagnosis**: + ```bash # Check DNS configuration cat /etc/resolv.conf 
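Review bot: in the Lab 6.3 hunk, `LOCAL_IP=$(ip addr show ens3 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)` yields one address per line, and after Lab 6.2 added `192.168.1.151/24` the interface carries two, so the unquoted `ping -c 1 $LOCAL_IP` is handed two arguments instead of one target; use `ip -4 -o addr show dev ens3 | awk '{print $4}' | cut -d/ -f1 | head -n1` or loop over the list. In the report heredoc, the `Issue Found:` entry does not name the issue at all, it prints whether the problem is resolved (`Issue resolved successfully` / `Issue still present`), and the `DNS resolution:` line tests with `ping -c 1 google.com`, which fails wherever ICMP is filtered even though resolution works; label the first as a status line and use `nslookup google.com` (or `getent hosts google.com`) for the second, as the diagnostics step two blocks earlier already does.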
@@ -722,6 +785,7 @@ systemctl status systemd-resolved # If using resolved ``` **Resolution**: + ```bash # Fix DNS in connection configuration nmcli connection modify "connection-name" \ @@ -737,12 +801,15 @@ nmcli connection up "connection-name" ``` #### Issue 3: Interface Name Changes After Reboot + **Symptoms**: + - Network interface has different name after reboot - Connection tied to specific interface fails - Previous interface name no longer exists **Diagnosis**: + ```bash # Check current interfaces nmcli device status @@ -754,6 +821,7 @@ journalctl -b | grep "renamed network interface" ``` **Resolution**: + ```bash # Update connection to use correct interface nmcli connection modify "connection-name" \ @@ -766,6 +834,7 @@ nmcli connection modify "new-connection" \ ``` ### Diagnostic Command Sequence + ```bash # Network troubleshooting workflow nmcli device status # Check device status @@ -778,6 +847,7 @@ nslookup google.com # Test DNS resolution ``` ### Log File Analysis + - **`journalctl -u NetworkManager`**: NetworkManager service logs - **`/var/log/messages`**: General system messages including network events - **`dmesg`**: Kernel messages about network interfaces @@ -788,6 +858,7 @@ nslookup google.com # Test DNS resolution ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # Connection management nmcli con show # List connections @@ -808,6 +879,7 @@ ping -c 2 host # Test connectivity ``` ### NetworkManager Configuration Structure + ```bash # Connection properties: connection.id # Connection name 
@@ -822,12 +894,14 @@ ipv4.dns # DNS servers ``` ### Common Network Ranges + - **Private Class A**: 10.0.0.0/8 (10.0.0.0 - 10.255.255.255) - **Private Class B**: 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) - **Private Class C**: 192.168.0.0/16 (192.168.0.0 - 192.168.255.255) - **Loopback**: 127.0.0.0/8 (127.0.0.1 is localhost) ### DNS Servers + - **Google**: 8.8.8.8, 8.8.4.4 - **Cloudflare**: 1.1.1.1, 1.0.0.1 - **Quad9**: 9.9.9.9, 149.112.112.112 
@@ -837,70 +911,80 @@ ipv4.dns # DNS servers ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What's the difference between a network device and a network connection in NetworkManager? - **Answer**: A device is a physical or virtual network interface (like ens3), while a connection is a configuration profile that can be applied to a device. One device can have multiple connection profiles, but only one can be active at a time. + **Answer**: A device is a physical or virtual network interface (like ens3), while a connection is a configuration profile that can be applied to a device. One device can have multiple connection profiles, but only one can be active at a time. 2. **Question**: Why might /etc/resolv.conf show different DNS servers than what you configured? - **Answer**: NetworkManager dynamically manages /etc/resolv.conf. If you have multiple connections or DHCP is providing DNS servers, NetworkManager combines them. Use `nmcli connection show` to see the actual DNS configuration for each connection. + **Answer**: NetworkManager dynamically manages /etc/resolv.conf. If you have multiple connections or DHCP is providing DNS servers, NetworkManager combines them. Use `nmcli connection show` to see the actual DNS configuration for each connection. 3. **Question**: What happens when you set ipv4.method to "auto" versus "manual"? - **Answer**: "auto" uses DHCP to automatically obtain IP address, gateway, and DNS servers from a DHCP server. "manual" requires you to explicitly specify all network parameters and creates a static configuration. + **Answer**: "auto" uses DHCP to automatically obtain IP address, gateway, and DNS servers from a DHCP server. "manual" requires you to explicitly specify all network parameters and creates a static configuration. ### Practical Scenarios + 1. **Scenario**: Server needs to be accessible from multiple subnets but only has one interface. 
- **Solution**: Add multiple IP addresses to the same connection: - ```bash - nmcli con modify "connection" ipv4.addresses "192.168.1.100/24,10.0.1.100/24" - ``` + **Solution**: Add multiple IP addresses to the same connection: + + ```bash + nmcli con modify "connection" ipv4.addresses "192.168.1.100/24,10.0.1.100/24" + ``` 2. **Scenario**: Need to quickly switch between office and home network configurations. - **Solution**: Create two connection profiles for the same interface and switch between them: - ```bash - nmcli con add type ethernet con-name "office" ifname ens3 ipv4.method manual ... - nmcli con add type ethernet con-name "home" ifname ens3 ipv4.method auto - # Switch: nmcli con up "office" or nmcli con up "home" - ``` + **Solution**: Create two connection profiles for the same interface and switch between them: + + ```bash + nmcli con add type ethernet con-name "office" ifname ens3 ipv4.method manual ... + nmcli con add type ethernet con-name "home" ifname ens3 ipv4.method auto + # Switch: nmcli con up "office" or nmcli con up "home" + ``` ### Command Challenges + 1. **Challenge**: Create a connection that gets IP via DHCP but uses custom DNS servers. - **Answer**: - ```bash - nmcli con add type ethernet con-name "dhcp-custom-dns" ifname ens3 \ - ipv4.method auto \ - ipv4.dns "8.8.8.8,8.8.4.4" \ - ipv4.ignore-auto-dns yes - ``` + **Answer**: + + ```bash + nmcli con add type ethernet con-name "dhcp-custom-dns" ifname ens3 \ + ipv4.method auto \ + ipv4.dns "8.8.8.8,8.8.4.4" \ + ipv4.ignore-auto-dns yes + ``` 2. **Challenge**: Find all interfaces that are up but don't have an IP address. - **Answer**: `ip link show | grep "state UP" -A1 | grep -B1 "NO-CARRIER\|state UP" | grep "^[0-9]" | cut -d: -f2` + **Answer**: `ip link show | grep "state UP" -A1 | grep -B1 "NO-CARRIER\|state UP" | grep "^[0-9]" | cut -d: -f2` --- ## 10. 
Exam Strategy ### Topic-Specific Tips + - Always use `nmcli` for configuration - it's the modern RHEL 10 way - Verify configuration with both `nmcli` and `ip` commands - Remember that connections must be activated after creation - Test connectivity at multiple levels (gateway, external, DNS) ### Common Exam Scenarios + 1. **Scenario**: Configure static IP address on server - **Approach**: Use `nmcli con add` with manual method, specify all required parameters + **Approach**: Use `nmcli con add` with manual method, specify all required parameters 2. **Scenario**: Fix server that lost network connectivity - **Approach**: Check device status, connection status, IP configuration, test connectivity systematically + **Approach**: Check device status, connection status, IP configuration, test connectivity systematically 3. **Scenario**: Change hostname of server - **Approach**: Use `hostnamectl set-hostname` and verify with `hostnamectl status` + **Approach**: Use `hostnamectl set-hostname` and verify with `hostnamectl status` ### Time Management + - **Static IP configuration**: 5-7 minutes including verification - **Network troubleshooting**: 8-10 minutes for systematic diagnosis - **Hostname changes**: 2-3 minutes - **Always verify**: Test connectivity after any network changes ### Pitfalls to Avoid + - Don't forget to activate connections after creating them - Remember that interface names may not be eth0 (use `nmcli device status` to find correct names) - Always test both IP connectivity and DNS resolution 
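Review bot: in the Command Challenges hunk, the answer to challenge 2, `ip link show | grep "state UP" -A1 | grep -B1 "NO-CARRIER\|state UP" | grep "^[0-9]" | cut -d: -f2`, cannot find interfaces without an IP address because `ip link` never prints addresses; the pipeline merely lists interfaces whose state is UP. The check has to consult the address table, for example `for i in $(ip -br link show up | awk '{print $1}' | cut -d@ -f1); do ip -4 -o addr show dev "$i" | grep -q ' inet ' || echo "$i"; done`, which prints every UP interface that has no IPv4 address (the `cut -d@` strips the `@parent` suffix VLAN names carry in brief output).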
@@ -912,12 +996,14 @@ ipv4.dns # DNS servers ## Summary ### Key Takeaways + - **NetworkManager is the standard** in RHEL 10 - master `nmcli` commands - **Connections are profiles** applied to devices - understand this relationship - **Systematic troubleshooting** saves time - test connectivity at each network layer - **Always verify configuration** with multiple commands and connectivity tests ### Critical Commands to Remember + ```bash nmcli con add type ethernet con-name "static" ifname ens3 \ ipv4.addresses 192.168.1.100/24 \ @@ -932,10 +1018,11 @@ hostnamectl set-hostname name # Set system hostname ``` ### Next Steps + - Continue to [Module 09: SELinux Management](09_selinux.md) - Practice network configuration in the Vagrant environment - Review related topics: [Firewall Configuration](10_firewall.md), [SSH Setup](08_networking.md) --- -**Navigation**: [← Storage & LVM](07_storage_lvm.md) | [Index](index.md) | [Next → SELinux Management](09_selinux.md) \ No newline at end of file +**Navigation**: [← Storage & LVM](07_storage_lvm.md) | [Index](index.md) | [Next → SELinux Management](09_selinux.md) diff --git a/docs/rhcsa_synthesis/09_selinux.md b/docs/rhcsa_synthesis/09_selinux.md index 1636063..fa7b1e8 100644 --- a/docs/rhcsa_synthesis/09_selinux.md +++ b/docs/rhcsa_synthesis/09_selinux.md @@ -303,7 +303,7 @@ semodule -i mypolicy.pp ### Decision Tree: SELinux Problem Resolution -``` +```text SELinux Access Denied ├── File access denied? │ ├── Wrong file context? → Use semanage fcontext + restorecon 
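Review bot: in the Next Steps hunk, `[SSH Setup](08_networking.md)` points at 08_networking.md, which the navigation line (`← Storage & LVM` is 07, `Next → SELinux Management` is 09) identifies as the module being edited, so the link only reloads the current page; point it at the module that actually covers SSH, or drop it from the related-topics list.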
@@ -792,34 +792,34 @@ Custom web application experiencing SELinux access denials ## Investigation Steps 1. **Initial Analysis** - - Checked for AVC denials: \`ausearch -m AVC -ts recent\` - - Analyzed denials: \`sealert -a /var/log/audit/audit.log\` - - Reviewed current file contexts + - Checked for AVC denials: \`ausearch -m AVC -ts recent\` + - Analyzed denials: \`sealert -a /var/log/audit/audit.log\` + - Reviewed current file contexts 2. **Root Cause** - - Custom application files had incorrect SELinux contexts - - Files in /opt/customapp/ had default contexts instead of web server contexts - - Custom port 9090 not in HTTP port context + - Custom application files had incorrect SELinux contexts + - Files in /opt/customapp/ had default contexts instead of web server contexts + - Custom port 9090 not in HTTP port context ## Resolution Applied 1. **File Context Policies**: - \`\`\`bash - semanage fcontext -a -t httpd_exec_t "/opt/customapp/bin(/.*)?" - semanage fcontext -a -t httpd_config_t "/opt/customapp/config(/.*)?" - semanage fcontext -a -t httpd_log_t "/opt/customapp/data(/.*)?" - restorecon -Rv /opt/customapp/ - \`\`\` + \`\`\`bash + semanage fcontext -a -t httpd_exec_t "/opt/customapp/bin(/.*)?" + semanage fcontext -a -t httpd_config_t "/opt/customapp/config(/.*)?" + semanage fcontext -a -t httpd_log_t "/opt/customapp/data(/.*)?" + restorecon -Rv /opt/customapp/ + \`\`\` 2. **Port Context**: - \`\`\`bash - semanage port -a -t http_port_t -p tcp 9090 - \`\`\` + \`\`\`bash + semanage port -a -t http_port_t -p tcp 9090 + \`\`\` 3. **Boolean Configuration**: - \`\`\`bash - setsebool -P httpd_can_network_connect on - setsebool -P httpd_builtin_scripting on - \`\`\` + \`\`\`bash + setsebool -P httpd_can_network_connect on + setsebool -P httpd_builtin_scripting on + \`\`\` ## Verification - No new AVC denials after fixes 
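Review bot: in the incident-report hunk, the resolution labels the application's binaries and data with the wrong types: `semanage fcontext -a -t httpd_exec_t "/opt/customapp/bin(/.*)?"` and `semanage fcontext -a -t httpd_log_t "/opt/customapp/data(/.*)?"`. `httpd_exec_t` is the entrypoint type of the httpd daemon binary itself, not a type for an application's own scripts, and `httpd_log_t` is for log files, not application data. Because this report is meant to be copied as a template, the example should use `httpd_sys_script_exec_t` for CGI/scripts, `httpd_sys_content_t` for read-only data and `httpd_sys_rw_content_t` for directories the web server must write. Also, `setsebool -P httpd_can_network_connect on` lets httpd open connections to any host and port; where the only backend is a database, `httpd_can_network_connect_db` is the narrower boolean and should be the one shown.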
@@ -1044,29 +1044,30 @@ semanage port -d -t http_port_t -p tcp 8080 # Remove port context ### Conceptual Questions 1. **Question**: What's the difference between discretionary access control and mandatory access control in SELinux? -
Answer Discretionary access control (traditional permissions) allows users to control access to their own files. Mandatory access control (SELinux) enforces system-wide security policies that users cannot override, providing an additional security layer based on security contexts and policies.
+
Answer Discretionary access control (traditional permissions) allows users to control access to their own files. Mandatory access control (SELinux) enforces system-wide security policies that users cannot override, providing an additional security layer based on security contexts and policies.
2. **Question**: Why is it better to use semanage fcontext instead of chcon for permanent changes? -
Answer`chcon` only changes the context temporarily - it's lost if the file is moved, copied, or if `restorecon` is run. `semanage fcontext` creates a permanent policy rule, so the context is automatically applied to matching files and persists through system operations.
+
Answer`chcon` only changes the context temporarily - it's lost if the file is moved, copied, or if `restorecon` is run. `semanage fcontext` creates a permanent policy rule, so the context is automatically applied to matching files and persists through system operations.
3. **Question**: When would you create a custom SELinux policy module instead of using existing tools? -
AnswerCustom policy modules are a last resort when legitimate application behavior triggers denials that can't be resolved with existing booleans, file contexts, or port contexts. They're typically needed for applications with unusual security requirements or behaviors not covered by standard policies.
+
AnswerCustom policy modules are a last resort when legitimate application behavior triggers denials that can't be resolved with existing booleans, file contexts, or port contexts. They're typically needed for applications with unusual security requirements or behaviors not covered by standard policies.
### Practical Scenarios 1. **Scenario**: Web server needs to connect to a database on a non-standard port. -
SolutionEnable the `httpd_can_network_connect` boolean with `setsebool -P httpd_can_network_connect on` and possibly add the database port to appropriate context with `semanage port`.
+
SolutionEnable the `httpd_can_network_connect` boolean with `setsebool -P httpd_can_network_connect on` and possibly add the database port to appropriate context with `semanage port`.
2. **Scenario**: Custom application installed in /opt needs to be accessed by Apache. -
SolutionSet appropriate contexts with `semanage fcontext -a -t httpd_config_t "/opt/myapp(/.*)?"` and apply with `restorecon -Rv /opt/myapp/`.
+
SolutionSet appropriate contexts with `semanage fcontext -a -t httpd_config_t "/opt/myapp(/.*)?"` and apply with `restorecon -Rv /opt/myapp/`.
### Command Challenges 1. **Challenge**: Find all files in /var/www that have the wrong SELinux context. -
Answer`find /var/www -exec ls -lZ {} \; | grep -v httpd_config_t | grep -v httpd_exec_t`
+
Answer`find /var/www -exec ls -lZ {} \; | grep -v httpd_config_t | grep -v httpd_exec_t`
2. **Challenge**: Create a policy to allow Apache to write to a custom log directory. - **Answer**: + **Answer**: + ```bash semanage fcontext -a -t httpd_log_t "/custom/logs(/.*)?" restorecon -Rv /custom/logs/ @@ -1087,13 +1088,13 @@ setsebool -P httpd_can_network_connect on # if network logging ### Common Exam Scenarios 1. **Scenario**: Configure web server to serve content from custom directory - **Approach**: Use `semanage fcontext` to set appropriate httpd contexts, then `restorecon` + **Approach**: Use `semanage fcontext` to set appropriate httpd contexts, then `restorecon` 2. **Scenario**: Web application needs network access - **Approach**: Enable `httpd_can_network_connect` boolean with `-P` flag + **Approach**: Enable `httpd_can_network_connect` boolean with `-P` flag 3. **Scenario**: Service won't start, works in permissive mode - **Approach**: Check `ausearch -m AVC`, analyze with `sealert`, apply appropriate fix + **Approach**: Check `ausearch -m AVC`, analyze with `sealert`, apply appropriate fix ### Time Management diff --git a/docs/rhcsa_synthesis/10_firewall.md b/docs/rhcsa_synthesis/10_firewall.md index 252d61e..e6631e2 100644 --- a/docs/rhcsa_synthesis/10_firewall.md +++ b/docs/rhcsa_synthesis/10_firewall.md @@ -21,6 +21,7 @@ ## 2. Conceptual Foundation ### Core Theory + RHEL 10 uses firewalld as the default firewall management service, which provides: - **Zone-based management**: Different security levels for different network contexts @@ -30,6 +31,7 @@ RHEL 10 uses firewalld as the default firewall management service, which provide - **Runtime vs permanent**: Immediate changes vs persistent configuration ### Real-World Applications + - **Web server protection**: Allowing HTTP/HTTPS while blocking unauthorized access - **SSH hardening**: Restricting remote access to specific networks or ports - **Database security**: Limiting database access to application servers only 
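Review bot: in the SELinux knowledge-check hunk, scenario 2's solution `semanage fcontext -a -t httpd_config_t "/opt/myapp(/.*)?"` labels content Apache is meant to serve as if it were httpd's configuration; files under /opt that Apache must read need `httpd_sys_content_t` (or `httpd_sys_rw_content_t` where it writes). Challenge 1's answer `find /var/www -exec ls -lZ {} \; | grep -v httpd_config_t | grep -v httpd_exec_t` rests on the same wrong types and would report every correctly labelled `httpd_sys_content_t` file as wrong; the check that actually compares labels against policy is `restorecon -Rnv /var/www` (dry run, lists only files whose label differs from the file-context rules) or `matchpathcon -V <path>` for a single file.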
@@ -37,6 +39,7 @@ RHEL 10 uses firewalld as the default firewall management service, which provide - **Compliance requirements**: Meeting security standards for regulated environments ### Common Misconceptions + - **iptables vs firewalld**: RHEL 10 uses firewalld by default, not direct iptables - **Zone complexity**: Zones are logical groupings, not physical network segments - **Runtime changes**: Runtime changes are temporary unless made permanent @@ -44,6 +47,7 @@ RHEL 10 uses firewalld as the default firewall management service, which provide - **Default deny**: firewalld uses default deny - only explicitly allowed traffic passes ### Key Terminology + - **Zone**: Security context with specific rules applied to network interfaces - **Service**: Predefined firewall rule for common applications (http, ssh, etc.) - **Port**: Specific TCP/UDP port number that can be opened @@ -58,6 +62,7 @@ RHEL 10 uses firewalld as the default firewall management service, which provide ## 3. Command Mastery ### Basic Firewall Status and Control + ```bash # Service management systemctl status firewalld # Check firewalld service status @@ -75,6 +80,7 @@ firewall-cmd --get-default-zone # Show default zone ``` ### Zone Management + ```bash # Zone operations firewall-cmd --get-zones # List all available zones @@ -94,6 +100,7 @@ firewall-cmd --zone=work --list-sources # List sources in zone ``` ### Service Management + ```bash # Service operations firewall-cmd --get-services # List all available services @@ -117,6 +124,7 @@ firewall-cmd --zone=public --query-service=ssh # Check service in specific zone ``` ### Port Management + ```bash # Port operations firewall-cmd --list-ports # List open ports in default zone @@ -137,6 +145,7 @@ firewall-cmd --query-port=8080/tcp # Check if port is open ``` ### Rich Rules + ```bash # Rich rule syntax examples # Accept SSH from specific subnet 
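Review bot: in the Common Misconceptions hunk, `firewalld uses default deny - only explicitly allowed traffic passes` describes the shipped `public` zone (target `default`, which rejects unmatched incoming packets) rather than firewalld as such: the `trusted` zone has target ACCEPT and passes everything, and the `default` target rejects with an ICMP error rather than silently dropping, which is exactly the distinction the `drop` zone description later in this file relies on. Reword to say the effective policy is set per zone by its target, with `public` and `trusted` as the two examples.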
@@ -160,6 +169,7 @@ firewall-cmd --remove-rich-rule='rule...' # Remove specific rich rule ``` ### Configuration Persistence + ```bash # Runtime vs permanent configurations firewall-cmd --list-all # Show runtime configuration @@ -176,6 +186,7 @@ firewall-cmd --check-config # Validate configuration ``` ### Advanced Features + ```bash # Custom services firewall-cmd --permanent --new-service=myapp # Create custom service @@ -192,6 +203,7 @@ firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `firewall-cmd --state` | Check firewall status | | `firewall-cmd --state` | 
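Review bot: in the Advanced Features hunk, the context line `firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT` teaches the direct interface, which firewalld has deprecated since 1.0.0; direct rules bypass the zone model and do not appear in `firewall-cmd --list-all`, so they are easy to miss when troubleshooting. Mark it as legacy and show the same allow as a rich rule or as a policy object, which are the supported forms.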
@@ -206,65 +218,75 @@ firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT ## 4. Procedural Workflows ### Standard Procedure: Configure Web Server Firewall + 1. **Check current firewall status** - ```bash - systemctl status firewalld - firewall-cmd --state - firewall-cmd --get-default-zone - firewall-cmd --list-all - ``` + + ```bash + systemctl status firewalld + firewall-cmd --state + firewall-cmd --get-default-zone + firewall-cmd --list-all + ``` 2. **Add web services** - ```bash - # Add HTTP and HTTPS services - firewall-cmd --permanent --add-service=http - firewall-cmd --permanent --add-service=https + + ```bash + # Add HTTP and HTTPS services + firewall-cmd --permanent --add-service=http + firewall-cmd --permanent --add-service=https - # Apply changes - firewall-cmd --reload - ``` + # Apply changes + firewall-cmd --reload + ``` 3. **Verify configuration** - ```bash - firewall-cmd --list-services - firewall-cmd --query-service=http - firewall-cmd --query-service=https - ``` + + ```bash + firewall-cmd --list-services + firewall-cmd --query-service=http + firewall-cmd --query-service=https + ``` 4. **Test connectivity** - ```bash - # Test from external system - telnet server-ip 80 - telnet server-ip 443 - ``` + + ```bash + # Test from external system + telnet server-ip 80 + telnet server-ip 443 + ``` ### Standard Procedure: Restrict SSH Access + 1. **Check current SSH access** - ```bash - firewall-cmd --query-service=ssh - firewall-cmd --list-all | grep ssh - ``` + + ```bash + firewall-cmd --query-service=ssh + firewall-cmd --list-all | grep ssh + ``` 2. 
**Remove SSH from default zone and add restricted access** - ```bash - # Remove SSH from public zone - firewall-cmd --permanent --remove-service=ssh + + ```bash + # Remove SSH from public zone + firewall-cmd --permanent --remove-service=ssh - # Add SSH access only from management network - firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' + # Add SSH access only from management network + firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' - # Apply changes - firewall-cmd --reload - ``` + # Apply changes + firewall-cmd --reload + ``` 3. **Verify restricted access** - ```bash - firewall-cmd --list-rich-rules - firewall-cmd --list-services | grep ssh || echo "SSH not in services" - ``` + + ```bash + firewall-cmd --list-rich-rules + firewall-cmd --list-services | grep ssh || echo "SSH not in services" + ``` ### Decision Tree: Firewall Rule Strategy -``` + +```text Firewall Configuration Need ├── Standard service (http, ssh, ftp)? │ ├── Use predefined service → --add-service=name 
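Review bot: in the Restrict SSH Access hunk, `firewall-cmd --permanent --remove-service=ssh` followed by the `--permanent` rich rule and `firewall-cmd --reload` commits the change before it has been tested, so an administrator connected from outside 192.168.1.0/24 is locked out on reload with no runtime-only state to fall back to. The lockout-safe order is to apply both changes at runtime first (without `--permanent`), open a fresh SSH session from an allowed and from a disallowed source, then `firewall-cmd --runtime-to-permanent`. The procedure should also say that the current session usually survives because conntrack accepts established flows, so "I am still connected" proves nothing; only a new connection does. In the web-server procedure in the same hunk, `telnet server-ip 80` depends on a telnet client that is not installed by default; `nc -zv server-ip 80` or `curl -I http://server-ip/` is the more reliable check.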
@@ -283,43 +305,49 @@ Firewall Configuration Need ``` ### Standard Procedure: Database Server Security + 1. **Create dedicated zone for database servers** - ```bash - # Create database zone - firewall-cmd --permanent --new-zone=database - firewall-cmd --permanent --zone=database --set-description="Database servers zone" - firewall-cmd --permanent --zone=database --set-target=DROP - ``` + + ```bash + # Create database zone + firewall-cmd --permanent --new-zone=database + firewall-cmd --permanent --zone=database --set-description="Database servers zone" + firewall-cmd --permanent --zone=database --set-target=DROP + ``` 2. **Configure database zone rules** - ```bash - # Allow SSH from management network - firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' + + ```bash + # Allow SSH from management network + firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' - # Allow MySQL from application servers - firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" port protocol="tcp" port="3306" accept' + # Allow MySQL from application servers + firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" port protocol="tcp" port="3306" accept' - # Apply changes - firewall-cmd --reload - ``` + # Apply changes + firewall-cmd --reload + ``` 3. 
**Assign interface to database zone** - ```bash - # Move interface to database zone - firewall-cmd --permanent --zone=database --change-interface=ens3 - firewall-cmd --reload + + ```bash + # Move interface to database zone + firewall-cmd --permanent --zone=database --change-interface=ens3 + firewall-cmd --reload - # Verify assignment - firewall-cmd --get-zone-of-interface=ens3 - firewall-cmd --zone=database --list-all - ``` + # Verify assignment + firewall-cmd --get-zone-of-interface=ens3 + firewall-cmd --zone=database --list-all + ``` --- ## 5. Configuration Deep Dive ### Firewall Zones Overview + #### Default Zones and Their Purposes + ```bash # Drop zone - deny all incoming, allow outgoing # Target: DROP - most restrictive @@ -351,6 +379,7 @@ Firewall Configuration Need ``` #### Zone Configuration Files + ```bash # Zone configuration location /etc/firewalld/zones/ # Custom and modified zones @@ -373,7 +402,9 @@ Firewall Configuration Need ``` ### Service Definitions + #### Service Configuration Files + ```bash # Service definitions location /etc/firewalld/services/ # Custom services @@ -389,6 +420,7 @@ Firewall Configuration Need ``` #### Creating Custom Services + ```bash # Create custom web application service firewall-cmd --permanent --new-service=webapp @@ -402,7 +434,9 @@ firewall-cmd --permanent --add-service=webapp ``` ### Rich Rules Syntax + #### Rich Rule Components + ```bash # Basic syntax: rule [family="ipv4|ipv6"] @@ -426,6 +460,7 @@ rule [family="ipv4|ipv6"] ``` #### Rich Rule Examples + ```bash # Accept SSH from management network with logging firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" service name="ssh" log prefix="SSH-MGMT" level="info" accept' 
@@ -445,78 +480,85 @@ firewall-cmd --add-rich-rule='rule family="ipv4" forward-port port="2222" protoc ## 6. Hands-On Labs ### Lab 6.1: Basic Firewall Configuration (Asghar Ghori Style) + **Objective**: Configure basic firewall rules for common services **Steps**: + 1. **Explore current firewall configuration** - ```bash - # Check firewall status and default configuration - systemctl status firewalld - firewall-cmd --state - firewall-cmd --get-default-zone - firewall-cmd --get-active-zones - firewall-cmd --list-all + + ```bash + # Check firewall status and default configuration + systemctl status firewalld + firewall-cmd --state + firewall-cmd --get-default-zone + firewall-cmd --get-active-zones + firewall-cmd --list-all - # Check available zones and services - firewall-cmd --get-zones - firewall-cmd --get-services | head -20 - ``` + # Check available zones and services + firewall-cmd --get-zones + firewall-cmd --get-services | head -20 + ``` 2. **Configure web server firewall rules** - ```bash - # Add HTTP and HTTPS services permanently - firewall-cmd --permanent --add-service=http - firewall-cmd --permanent --add-service=https + + ```bash + # Add HTTP and HTTPS services permanently + firewall-cmd --permanent --add-service=http + firewall-cmd --permanent --add-service=https - # Add custom port for web application - firewall-cmd --permanent --add-port=8080/tcp + # Add custom port for web application + firewall-cmd --permanent --add-port=8080/tcp - # Apply changes - firewall-cmd --reload + # Apply changes + firewall-cmd --reload - # Verify configuration - firewall-cmd --list-services - firewall-cmd --list-ports - firewall-cmd --list-all - ``` + # Verify configuration + firewall-cmd --list-services + firewall-cmd --list-ports + firewall-cmd --list-all + ``` 3. 
**Test runtime vs permanent changes** - ```bash - # Add FTP service to runtime only - firewall-cmd --add-service=ftp + + ```bash + # Add FTP service to runtime only + firewall-cmd --add-service=ftp - # Check runtime vs permanent - firewall-cmd --list-services - firewall-cmd --permanent --list-services + # Check runtime vs permanent + firewall-cmd --list-services + firewall-cmd --permanent --list-services - # Reload and see FTP disappear - firewall-cmd --reload - firewall-cmd --list-services + # Reload and see FTP disappear + firewall-cmd --reload + firewall-cmd --list-services - # Add FTP permanently - firewall-cmd --permanent --add-service=ftp - firewall-cmd --reload - firewall-cmd --list-services - ``` + # Add FTP permanently + firewall-cmd --permanent --add-service=ftp + firewall-cmd --reload + firewall-cmd --list-services + ``` 4. **Practice zone management** - ```bash - # Check current zone assignment - firewall-cmd --get-zone-of-interface=ens3 + + ```bash + # Check current zone assignment + firewall-cmd --get-zone-of-interface=ens3 - # Temporarily change zone - firewall-cmd --zone=work --change-interface=ens3 - firewall-cmd --get-active-zones + # Temporarily change zone + firewall-cmd --zone=work --change-interface=ens3 + firewall-cmd --get-active-zones - # Check different zone rules - firewall-cmd --list-all - firewall-cmd --zone=work --list-all + # Check different zone rules + firewall-cmd --list-all + firewall-cmd --zone=work --list-all - # Change back to public - firewall-cmd --zone=public --change-interface=ens3 - ``` + # Change back to public + firewall-cmd --zone=public --change-interface=ens3 + ``` **Verification**: + ```bash # Complete verification of configuration firewall-cmd --get-default-zone 
@@ -527,78 +569,85 @@ systemctl is-enabled firewalld ``` ### Lab 6.2: Advanced Firewall Rules (Sander van Vugt Style) + **Objective**: Implement complex firewall rules using rich rules and custom zones **Steps**: + 1. **Create custom zone for DMZ servers** - ```bash - # Create DMZ zone - firewall-cmd --permanent --new-zone=dmz-servers - firewall-cmd --permanent --zone=dmz-servers --set-description="DMZ servers with restricted access" - firewall-cmd --permanent --zone=dmz-servers --set-target=DROP + + ```bash + # Create DMZ zone + firewall-cmd --permanent --new-zone=dmz-servers + firewall-cmd --permanent --zone=dmz-servers --set-description="DMZ servers with restricted access" + firewall-cmd --permanent --zone=dmz-servers --set-target=DROP - # Apply changes - firewall-cmd --reload + # Apply changes + firewall-cmd --reload - # Verify zone creation - firewall-cmd --get-zones | grep dmz-servers - firewall-cmd --zone=dmz-servers --list-all - ``` + # Verify zone creation + firewall-cmd --get-zones | grep dmz-servers + firewall-cmd --zone=dmz-servers --list-all + ``` 2. 
**Configure rich rules for specific access control** - ```bash - # Allow SSH only from management network - firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' + + ```bash + # Allow SSH only from management network + firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' - # Allow HTTP from any source but log connections - firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" service name="http" log prefix="DMZ-HTTP" level="info" accept' + # Allow HTTP from any source but log connections + firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" service name="http" log prefix="DMZ-HTTP" level="info" accept' - # Allow HTTPS with rate limiting - firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" service name="https" accept limit value="50/s"' + # Allow HTTPS with rate limiting + firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" service name="https" accept limit value="50/s"' - # Reject FTP from specific problematic network - firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ftp" reject' + # Reject FTP from specific problematic network + firewall-cmd --permanent --zone=dmz-servers --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ftp" reject' - # Apply changes - firewall-cmd --reload - ``` + # Apply changes + firewall-cmd --reload + ``` 3. 
**Create custom service definition** - ```bash - # Create custom application service - firewall-cmd --permanent --new-service=custom-app - firewall-cmd --permanent --service=custom-app --set-description="Custom Application Service" - firewall-cmd --permanent --service=custom-app --add-port=9090/tcp - firewall-cmd --permanent --service=custom-app --add-port=9091/udp + + ```bash + # Create custom application service + firewall-cmd --permanent --new-service=custom-app + firewall-cmd --permanent --service=custom-app --set-description="Custom Application Service" + firewall-cmd --permanent --service=custom-app --add-port=9090/tcp + firewall-cmd --permanent --service=custom-app --add-port=9091/udp - # Add custom service to DMZ zone - firewall-cmd --permanent --zone=dmz-servers --add-service=custom-app + # Add custom service to DMZ zone + firewall-cmd --permanent --zone=dmz-servers --add-service=custom-app - # Apply changes - firewall-cmd --reload + # Apply changes + firewall-cmd --reload - # Verify custom service - firewall-cmd --get-services | grep custom-app - firewall-cmd --zone=dmz-servers --list-services - ``` + # Verify custom service + firewall-cmd --get-services | grep custom-app + firewall-cmd --zone=dmz-servers --list-services + ``` 4. 
**Test zone assignment and rules** - ```bash - # Assign interface to DMZ zone - firewall-cmd --permanent --zone=dmz-servers --change-interface=ens3 - firewall-cmd --reload + + ```bash + # Assign interface to DMZ zone + firewall-cmd --permanent --zone=dmz-servers --change-interface=ens3 + firewall-cmd --reload - # Verify active configuration - firewall-cmd --get-active-zones - firewall-cmd --zone=dmz-servers --list-all + # Verify active configuration + firewall-cmd --get-active-zones + firewall-cmd --zone=dmz-servers --list-all - # Test rule queries - firewall-cmd --zone=dmz-servers --query-service=http - firewall-cmd --zone=dmz-servers --query-service=custom-app - firewall-cmd --zone=dmz-servers --list-rich-rules - ``` + # Test rule queries + firewall-cmd --zone=dmz-servers --query-service=http + firewall-cmd --zone=dmz-servers --query-service=custom-app + firewall-cmd --zone=dmz-servers --list-rich-rules + ``` **Verification**: + ```bash # Complete verification of advanced configuration firewall-cmd --get-zones | grep dmz-servers @@ -608,11 +657,13 @@ firewall-cmd --zone=dmz-servers --list-rich-rules ``` ### Lab 6.3: Firewall Troubleshooting Scenario (Synthesis Challenge) + **Objective**: Diagnose and resolve firewall connectivity issues **Scenario**: A multi-tier application is experiencing connectivity issues that appear to be firewall-related **Requirements**: + - Web tier needs HTTP/HTTPS access from internet - Application tier needs custom port access from web tier only - Database tier needs MySQL access from application tier only 
@@ -620,193 +671,200 @@ firewall-cmd --zone=dmz-servers --list-rich-rules - All configuration must be persistent **Solution Steps**: + 1. **Set up the problematic scenario** - ```bash - # Reset firewall to default state - firewall-cmd --complete-reload + + ```bash + # Reset firewall to default state + firewall-cmd --complete-reload - # Create restrictive configuration that will cause problems - firewall-cmd --set-default-zone=drop - firewall-cmd --permanent --zone=drop --remove-service=ssh - firewall-cmd --reload + # Create restrictive configuration that will cause problems + firewall-cmd --set-default-zone=drop + firewall-cmd --permanent --zone=drop --remove-service=ssh + firewall-cmd --reload - # This should now block most traffic - simulating the problem - echo "=== PROBLEMATIC CONFIGURATION APPLIED ===" - firewall-cmd --list-all - ``` + # This should now block most traffic - simulating the problem + echo "=== PROBLEMATIC CONFIGURATION APPLIED ===" + firewall-cmd --list-all + ``` 2. **Diagnose connectivity issues** - ```bash - # Step 1: Check firewall status and configuration - echo "=== FIREWALL DIAGNOSIS ===" - systemctl status firewalld - firewall-cmd --state - firewall-cmd --get-default-zone - firewall-cmd --get-active-zones - firewall-cmd --list-all + + ```bash + # Step 1: Check firewall status and configuration + echo "=== FIREWALL DIAGNOSIS ===" + systemctl status firewalld + firewall-cmd --state + firewall-cmd --get-default-zone + firewall-cmd --get-active-zones + firewall-cmd --list-all - # Step 2: Check what services should be running - echo "=== EXPECTED SERVICES ===" - echo "Web tier should allow: HTTP (80), HTTPS (443)" - echo "App tier should allow: Custom app (9090) from web tier" - echo "DB tier should allow: MySQL (3306) from app tier" - echo "Management: SSH (22) from 192.168.100.0/24" + # Step 2: Check what services should be running + echo "=== EXPECTED SERVICES ===" + echo "Web tier should allow: HTTP (80), HTTPS (443)" + echo "App tier 
should allow: Custom app (9090) from web tier" + echo "DB tier should allow: MySQL (3306) from app tier" + echo "Management: SSH (22) from 192.168.100.0/24" - # Step 3: Identify the problems - echo "=== PROBLEMS IDENTIFIED ===" - echo "1. Default zone is 'drop' - blocks everything" - echo "2. No services are allowed through firewall" - echo "3. SSH access is completely blocked" - ``` + # Step 3: Identify the problems + echo "=== PROBLEMS IDENTIFIED ===" + echo "1. Default zone is 'drop' - blocks everything" + echo "2. No services are allowed through firewall" + echo "3. SSH access is completely blocked" + ``` 3. **Implement systematic fix** - ```bash - # Fix 1: Change to appropriate default zone - echo "=== FIXING DEFAULT ZONE ===" - firewall-cmd --set-default-zone=public - firewall-cmd --get-default-zone + + ```bash + # Fix 1: Change to appropriate default zone + echo "=== FIXING DEFAULT ZONE ===" + firewall-cmd --set-default-zone=public + firewall-cmd --get-default-zone - # Fix 2: Configure web tier access (public zone) - echo "=== CONFIGURING WEB TIER ===" - firewall-cmd --permanent --zone=public --add-service=http - firewall-cmd --permanent --zone=public --add-service=https + # Fix 2: Configure web tier access (public zone) + echo "=== CONFIGURING WEB TIER ===" + firewall-cmd --permanent --zone=public --add-service=http + firewall-cmd --permanent --zone=public --add-service=https - # Fix 3: Create application zone with restricted access - echo "=== CREATING APPLICATION ZONE ===" - firewall-cmd --permanent --new-zone=application - firewall-cmd --permanent --zone=application --set-description="Application tier with restricted access" - firewall-cmd --permanent --zone=application --set-target=DROP + # Fix 3: Create application zone with restricted access + echo "=== CREATING APPLICATION ZONE ===" + firewall-cmd --permanent --new-zone=application + firewall-cmd --permanent --zone=application --set-description="Application tier with restricted access" + firewall-cmd 
--permanent --zone=application --set-target=DROP - # Allow SSH from management network - firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' + # Allow SSH from management network + firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' - # Allow application port 9090 from web servers (assuming web servers are in 192.168.1.0/24) - firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9090" accept' + # Allow application port 9090 from web servers (assuming web servers are in 192.168.1.0/24) + firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9090" accept' - # Fix 4: Create database zone with even more restricted access - echo "=== CREATING DATABASE ZONE ===" - firewall-cmd --permanent --new-zone=database - firewall-cmd --permanent --zone=database --set-description="Database tier with MySQL access from app tier only" - firewall-cmd --permanent --zone=database --set-target=DROP + # Fix 4: Create database zone with even more restricted access + echo "=== CREATING DATABASE ZONE ===" + firewall-cmd --permanent --new-zone=database + firewall-cmd --permanent --zone=database --set-description="Database tier with MySQL access from app tier only" + firewall-cmd --permanent --zone=database --set-target=DROP - # Allow SSH from management network - firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' + # Allow SSH from management network + firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' - # Allow MySQL from application servers (assuming app servers are in 
192.168.2.0/24) - firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="3306" accept' + # Allow MySQL from application servers (assuming app servers are in 192.168.2.0/24) + firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="3306" accept' - # Apply all changes - firewall-cmd --reload - ``` + # Apply all changes + firewall-cmd --reload + ``` 4. **Verify and test the fix** - ```bash - # Verify zone configurations - echo "=== VERIFYING CONFIGURATIONS ===" + + ```bash + # Verify zone configurations + echo "=== VERIFYING CONFIGURATIONS ===" - echo "Public zone (web tier):" - firewall-cmd --zone=public --list-all + echo "Public zone (web tier):" + firewall-cmd --zone=public --list-all - echo "Application zone (app tier):" - firewall-cmd --zone=application --list-all + echo "Application zone (app tier):" + firewall-cmd --zone=application --list-all - echo "Database zone (db tier):" - firewall-cmd --zone=database --list-all + echo "Database zone (db tier):" + firewall-cmd --zone=database --list-all - # Test basic connectivity (simulation) - echo "=== CONNECTIVITY TESTS ===" + # Test basic connectivity (simulation) + echo "=== CONNECTIVITY TESTS ===" - # Test HTTP service - firewall-cmd --zone=public --query-service=http && echo "✓ HTTP allowed in public zone" || echo "✗ HTTP blocked" + # Test HTTP service + firewall-cmd --zone=public --query-service=http && echo "✓ HTTP allowed in public zone" || echo "✗ HTTP blocked" - # Test HTTPS service - firewall-cmd --zone=public --query-service=https && echo "✓ HTTPS allowed in public zone" || echo "✗ HTTPS blocked" + # Test HTTPS service + firewall-cmd --zone=public --query-service=https && echo "✓ HTTPS allowed in public zone" || echo "✗ HTTPS blocked" - # Test SSH in management networks - firewall-cmd --zone=application --list-rich-rules | grep ssh && echo "✓ SSH 
restricted in application zone" || echo "✗ SSH not configured" - firewall-cmd --zone=database --list-rich-rules | grep ssh && echo "✓ SSH restricted in database zone" || echo "✗ SSH not configured" + # Test SSH in management networks + firewall-cmd --zone=application --list-rich-rules | grep ssh && echo "✓ SSH restricted in application zone" || echo "✗ SSH not configured" + firewall-cmd --zone=database --list-rich-rules | grep ssh && echo "✓ SSH restricted in database zone" || echo "✗ SSH not configured" - # Verify rich rules for application and database access - firewall-cmd --zone=application --list-rich-rules | grep 9090 && echo "✓ App port 9090 configured" || echo "✗ App port not configured" - firewall-cmd --zone=database --list-rich-rules | grep 3306 && echo "✓ MySQL port 3306 configured" || echo "✗ MySQL port not configured" - ``` + # Verify rich rules for application and database access + firewall-cmd --zone=application --list-rich-rules | grep 9090 && echo "✓ App port 9090 configured" || echo "✗ App port not configured" + firewall-cmd --zone=database --list-rich-rules | grep 3306 && echo "✓ MySQL port 3306 configured" || echo "✗ MySQL port not configured" + ``` 5. **Document the solution** - ```bash - # Create comprehensive troubleshooting report - cat > /tmp/firewall-troubleshooting-report.md << 'EOF' - # Firewall Troubleshooting Report - Date: $(date) - - ## Problem Description - Multi-tier application experiencing connectivity issues due to overly restrictive firewall configuration. - - ## Issues Found - 1. **Default Zone**: Set to 'drop' zone blocking all traffic - 2. **Missing Services**: No HTTP/HTTPS services allowed for web tier - 3. **SSH Access**: Completely blocked, including from management network - 4. **Tier Isolation**: No proper network segmentation between application tiers - - ## Resolution Strategy - ### 1. 
Zone-Based Security Architecture - - **Public Zone**: Web tier with HTTP/HTTPS access - - **Application Zone**: Restricted access, custom application ports - - **Database Zone**: Highly restricted, MySQL access only from app tier - - ### 2. Implemented Rules - #### Public Zone (Web Tier) - ```bash - firewall-cmd --permanent --zone=public --add-service=http - firewall-cmd --permanent --zone=public --add-service=https - ``` - - #### Application Zone - ```bash - firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' - firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9090" accept' - ``` - - #### Database Zone - ```bash - firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' - firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="3306" accept' - ``` - - ## Security Benefits - 1. **Defense in Depth**: Multiple zones provide layered security - 2. **Least Privilege**: Each tier only allows necessary access - 3. **Source Restriction**: SSH limited to management network - 4. 
**Service Isolation**: Database only accessible from application tier - - ## Testing Results - - ✓ Web services (HTTP/HTTPS) accessible from internet - - ✓ SSH access restricted to management network (192.168.100.0/24) - - ✓ Application port (9090) accessible from web tier only - - ✓ MySQL port (3306) accessible from application tier only - - ✓ All configurations are permanent and survive reboots - - ## Maintenance Commands - ```bash - # Check zone assignments - firewall-cmd --get-active-zones - - # Review specific zone rules - firewall-cmd --zone=zonename --list-all - - # Test service access - firewall-cmd --zone=zonename --query-service=servicename - - # Monitor firewall logs (if logging enabled) - journalctl -u firewalld -f - ``` - EOF - - # Display the report - echo "=== TROUBLESHOOTING REPORT ===" - cat /tmp/firewall-troubleshooting-report.md - ``` + + ````bash + # Create comprehensive troubleshooting report + cat > /tmp/firewall-troubleshooting-report.md << 'EOF' + # Firewall Troubleshooting Report + Date: $(date) + + ## Problem Description + Multi-tier application experiencing connectivity issues due to overly restrictive firewall configuration. + + ## Issues Found + 1. **Default Zone**: Set to 'drop' zone blocking all traffic + 2. **Missing Services**: No HTTP/HTTPS services allowed for web tier + 3. **SSH Access**: Completely blocked, including from management network + 4. **Tier Isolation**: No proper network segmentation between application tiers + + ## Resolution Strategy + ### 1. Zone-Based Security Architecture + - **Public Zone**: Web tier with HTTP/HTTPS access + - **Application Zone**: Restricted access, custom application ports + - **Database Zone**: Highly restricted, MySQL access only from app tier + + ### 2. 
Implemented Rules + #### Public Zone (Web Tier) + ```bash + firewall-cmd --permanent --zone=public --add-service=http + firewall-cmd --permanent --zone=public --add-service=https + ``` + + #### Application Zone + ```bash + firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' + firewall-cmd --permanent --zone=application --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9090" accept' + ``` + + #### Database Zone + ```bash + firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' + firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="3306" accept' + ``` + + ## Security Benefits + 1. **Defense in Depth**: Multiple zones provide layered security + 2. **Least Privilege**: Each tier only allows necessary access + 3. **Source Restriction**: SSH limited to management network + 4. 
**Service Isolation**: Database only accessible from application tier + + ## Testing Results + - ✓ Web services (HTTP/HTTPS) accessible from internet + - ✓ SSH access restricted to management network (192.168.100.0/24) + - ✓ Application port (9090) accessible from web tier only + - ✓ MySQL port (3306) accessible from application tier only + - ✓ All configurations are permanent and survive reboots + + ## Maintenance Commands + ```bash + # Check zone assignments + firewall-cmd --get-active-zones + + # Review specific zone rules + firewall-cmd --zone=zonename --list-all + + # Test service access + firewall-cmd --zone=zonename --query-service=servicename + + # Monitor firewall logs (if logging enabled) + journalctl -u firewalld -f + ``` + EOF + + # Display the report + echo "=== TROUBLESHOOTING REPORT ===" + cat /tmp/firewall-troubleshooting-report.md + ```` **Verification**: + ```bash # Final comprehensive verification echo "=== FINAL FIREWALL CONFIGURATION ===" @@ -825,12 +883,15 @@ echo "Configuration is persistent: $(firewall-cmd --permanent --list-all > /dev/ ### Common Issues #### Issue 1: Service Can't Be Accessed After Firewall Configuration + **Symptoms**: + - Connection timeouts to service ports - Service logs show no connection attempts - Works when firewall is disabled **Diagnosis**: + ```bash # Check firewall status and rules firewall-cmd --state @@ -847,6 +908,7 @@ firewall-cmd --zone=trusted --list-all ``` **Resolution**: + ```bash # Add missing service or port firewall-cmd --permanent --add-service=service-name @@ -865,12 +927,15 @@ firewall-cmd --list-all **Prevention**: Always test connectivity after firewall changes #### Issue 2: Rich Rules Not Working as Expected + **Symptoms**: + - Traffic not matching rich rule conditions - Rules appear correct but don't apply - Complex rules causing conflicts **Diagnosis**: + ```bash # Check rich rule syntax firewall-cmd --list-rich-rules 
@@ -883,6 +948,7 @@ firewall-cmd --list-all | grep -A 5 -B 5 problematic-rule ``` **Resolution**: + ```bash # Remove problematic rule firewall-cmd --remove-rich-rule='rule family="ipv4"...' @@ -895,12 +961,15 @@ firewall-cmd --reload ``` #### Issue 3: Changes Not Persisting After Reboot + **Symptoms**: + - Firewall rules work but disappear after reboot - Runtime configuration differs from permanent - Services fail to start after system restart **Diagnosis**: + ```bash # Compare runtime vs permanent firewall-cmd --list-all @@ -912,6 +981,7 @@ cat /etc/firewalld/zones/zone-name.xml ``` **Resolution**: + ```bash # Make runtime changes permanent firewall-cmd --runtime-to-permanent @@ -925,6 +995,7 @@ firewall-cmd --permanent --list-all ``` ### Diagnostic Command Sequence + ```bash # Firewall troubleshooting workflow systemctl status firewalld # Check service status @@ -936,6 +1007,7 @@ journalctl -u firewalld # Check firewall logs ``` ### Log File Analysis + - **`journalctl -u firewalld`**: Firewalld service logs - **`/var/log/messages`**: System messages including firewall events - **Rich rule logging**: Custom logs based on rich rule log statements @@ -946,6 +1018,7 @@ journalctl -u firewalld # Check firewall logs ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # Basic status firewall-cmd --state # Check if firewall running @@ -964,6 +1037,7 @@ firewall-cmd --zone=dmz --add-interface=ens3 # Assign interface to zone ``` ### Common Services + - **http**: TCP port 80 (web server) - **https**: TCP port 443 (secure web) - **ssh**: TCP port 22 (secure shell) @@ -973,6 +1047,7 @@ firewall-cmd --zone=dmz --add-interface=ens3 # Assign interface to zone - **smtp**: TCP port 25 (email) ### Zone Security Levels (Most to Least Restrictive) + 1. **drop**: Drop all incoming, allow outgoing 2. **block**: Reject all incoming with ICMP error 3. **dmz**: Limited services for DMZ servers 
@@ -984,6 +1059,7 @@ firewall-cmd --zone=dmz --add-interface=ens3 # Assign interface to zone 9. **trusted**: Allow all traffic ### Rich Rule Template + ```bash firewall-cmd --add-rich-rule=' rule family="ipv4" 
@@ -998,64 +1074,73 @@ rule family="ipv4" ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: What's the difference between runtime and permanent firewall configuration? - **Answer**: Runtime configuration is active immediately but lost on service restart or reboot. Permanent configuration is saved to files and survives restarts but requires `--reload` to become active. Use `--permanent` flag to modify saved configuration. + **Answer**: Runtime configuration is active immediately but lost on service restart or reboot. Permanent configuration is saved to files and survives restarts but requires `--reload` to become active. Use `--permanent` flag to modify saved configuration. 2. **Question**: Why would you use rich rules instead of simple service or port rules? - **Answer**: Rich rules allow complex conditions like source/destination restrictions, logging, rate limiting, and time-based rules. Use them when simple service/port rules aren't sufficient for your security requirements. + **Answer**: Rich rules allow complex conditions like source/destination restrictions, logging, rate limiting, and time-based rules. Use them when simple service/port rules aren't sufficient for your security requirements. 3. **Question**: How do firewall zones relate to network interfaces? - **Answer**: Zones are security contexts applied to network interfaces. Each interface can be assigned to one zone, and all traffic through that interface follows the zone's rules. This allows different security policies for different network connections. + **Answer**: Zones are security contexts applied to network interfaces. Each interface can be assigned to one zone, and all traffic through that interface follows the zone's rules. This allows different security policies for different network connections. ### Practical Scenarios + 1. **Scenario**: Web server needs HTTP access from internet but SSH only from management network. 
- **Solution**: - ```bash - firewall-cmd --permanent --add-service=http - firewall-cmd --permanent --remove-service=ssh - firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' - ``` + **Solution**: + + ```bash + firewall-cmd --permanent --add-service=http + firewall-cmd --permanent --remove-service=ssh + firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" service name="ssh" accept' + ``` 2. **Scenario**: Need to temporarily allow FTP access for maintenance without making it permanent. - **Solution**: Use runtime-only configuration: `firewall-cmd --add-service=ftp` (without --permanent flag) + **Solution**: Use runtime-only configuration: `firewall-cmd --add-service=ftp` (without --permanent flag) ### Command Challenges + 1. **Challenge**: Create a zone that only allows HTTPS and SSH from specific network, logging all connections. - **Answer**: - ```bash - firewall-cmd --permanent --new-zone=secure-web - firewall-cmd --permanent --zone=secure-web --set-target=DROP - firewall-cmd --permanent --zone=secure-web --add-rich-rule='rule family="ipv4" source address="trusted.network/24" service name="https" log prefix="HTTPS" accept' - firewall-cmd --permanent --zone=secure-web --add-rich-rule='rule family="ipv4" source address="trusted.network/24" service name="ssh" log prefix="SSH" accept' - ``` + **Answer**: + + ```bash + firewall-cmd --permanent --new-zone=secure-web + firewall-cmd --permanent --zone=secure-web --set-target=DROP + firewall-cmd --permanent --zone=secure-web --add-rich-rule='rule family="ipv4" source address="trusted.network/24" service name="https" log prefix="HTTPS" accept' + firewall-cmd --permanent --zone=secure-web --add-rich-rule='rule family="ipv4" source address="trusted.network/24" service name="ssh" log prefix="SSH" accept' + ``` --- ## 10. 
Exam Strategy ### Topic-Specific Tips + - Always check both runtime and permanent configurations - Use `--permanent` flag for persistent changes, then `--reload` - Remember that first matching rule wins in rich rules - Test connectivity after every firewall change ### Common Exam Scenarios + 1. **Scenario**: Configure web server with HTTP/HTTPS access - **Approach**: Use standard service definitions with `--add-service=http` and `--add-service=https` + **Approach**: Use standard service definitions with `--add-service=http` and `--add-service=https` 2. **Scenario**: Restrict SSH access to management network only - **Approach**: Remove SSH service, add rich rule with source restriction + **Approach**: Remove SSH service, add rich rule with source restriction 3. **Scenario**: Allow custom application port from specific sources - **Approach**: Use rich rules with source and port specifications + **Approach**: Use rich rules with source and port specifications ### Time Management + - **Basic service configuration**: 3-4 minutes including verification - **Zone configuration**: 5-7 minutes for custom zones with rules - **Rich rule implementation**: 6-8 minutes for complex rules - **Always verify**: Test rules with query commands and connectivity tests ### Pitfalls to Avoid + - Don't forget `--permanent` flag for persistent changes - Remember to `--reload` after permanent changes - Don't block SSH access without alternative access method 
@@ -1067,12 +1152,14 @@ rule family="ipv4" ## Summary ### Key Takeaways + - **Firewalld is zone-based** - understand how zones work and use them effectively - **Permanent vs runtime** - always use --permanent for lasting changes - **Rich rules provide flexibility** - use them for complex access control requirements - **Test everything** - firewall mistakes can lock you out of systems ### Critical Commands to Remember + ```bash firewall-cmd --permanent --add-service=http # Add service permanently firewall-cmd --permanent --add-port=8080/tcp # Add port permanently @@ -1083,10 +1170,11 @@ firewall-cmd --zone=zone-name --change-interface=ens3 # Assign interface to zon ``` ### Next Steps + - Continue to [Module 11: Boot Process & GRUB](11_boot_grub.md) - Practice firewall configuration in the Vagrant environment - Review related topics: [Network Configuration](08_networking.md), [SELinux Management](09_selinux.md) --- -**Navigation**: [← SELinux Management](09_selinux.md) | [Index](index.md) | [Next → Boot Process & GRUB](11_boot_grub.md) \ No newline at end of file +**Navigation**: [← SELinux Management](09_selinux.md) | [Index](index.md) | [Next → Boot Process & GRUB](11_boot_grub.md) diff --git a/docs/rhcsa_synthesis/11_boot_grub.md b/docs/rhcsa_synthesis/11_boot_grub.md index 35bf58d..0879291 100644 --- a/docs/rhcsa_synthesis/11_boot_grub.md +++ b/docs/rhcsa_synthesis/11_boot_grub.md @@ -1,6 +1,7 @@ # Module 11: Boot Process & GRUB Configuration ## 1. Learning Objectives + - Understand the RHEL 10 boot process from UEFI/BIOS to systemd - Configure and customize GRUB2 bootloader settings - Manage kernel parameters and boot options 
@@ -11,19 +12,23 @@ ## 2. Key Concepts ### Boot Process Overview + The RHEL 10 boot sequence follows these stages: + 1. **UEFI/BIOS**: Hardware initialization and bootloader location 2. **GRUB2**: Boot menu, kernel selection, and parameter passing 3. **Kernel**: Hardware detection, driver loading, initramfs mounting 4. **systemd**: Service initialization and target reaching ### GRUB2 Configuration Structure + - **Main config**: `/boot/grub2/grub.cfg` (auto-generated) - **Default settings**: `/etc/default/grub` - **Custom entries**: `/etc/grub.d/` directory - **EFI systems**: `/boot/efi/EFI/redhat/grub.cfg` ### Systemd Targets + - **graphical.target**: Full multi-user with GUI - **multi-user.target**: Multi-user without GUI - **rescue.target**: Single-user maintenance mode @@ -32,6 +37,7 @@ The RHEL 10 boot sequence follows these stages: ## 3. Essential Commands ### GRUB Management + ```bash # Regenerate GRUB configuration grub2-mkconfig -o /boot/grub2/grub.cfg # BIOS systems @@ -47,6 +53,7 @@ grub2-editenv list # Show current default ``` ### Kernel Parameter Management + ```bash # Temporary kernel parameters (current boot only) # Edit in GRUB menu: press 'e', modify linux line, press Ctrl+x @@ -61,6 +68,7 @@ cat /proc/cmdline ``` ### Boot Target Management + ```bash # Get current target systemctl get-default @@ -78,6 +86,7 @@ systemctl isolate emergency.target ``` ### Recovery Procedures + ```bash # Reset root password (from rescue mode) mount -o remount,rw /sysroot @@ -98,7 +107,9 @@ reboot ## 4. Asghar Ghori's Approach ### Boot Process Analysis + Ghori emphasizes understanding each boot stage through observation: + ```bash # Analyze boot messages dmesg | less @@ -108,6 +119,7 @@ journalctl -b -1 # Previous boot messages ``` ### GRUB Customization Method + ```bash # Modify /etc/default/grub GRUB_TIMEOUT=10 
@@ -122,7 +134,9 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ``` ### Rescue Mode Procedure + Ghori's systematic approach to rescue scenarios: + 1. Boot from installation media 2. Select "Troubleshooting" → "Rescue a Red Hat Enterprise Linux system" 3. Choose shell option for full system access @@ -132,7 +146,9 @@ Ghori's systematic approach to rescue scenarios: ## 5. Sander van Vugt's Approach ### Bootloader Troubleshooting Methodology + Van Vugt focuses on systematic GRUB repair procedures: + ```bash # Complete GRUB reinstallation procedure # Boot from live/rescue media @@ -148,6 +164,7 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ``` ### Advanced Kernel Parameter Management + ```bash # Comprehensive grubby usage grubby --default-kernel # Show default kernel @@ -157,7 +174,9 @@ grubby --remove-kernel=/boot/vmlinuz-old ``` ### Systemd Boot Analysis + Van Vugt's approach to boot performance analysis: + ```bash # Boot time analysis systemd-analyze # Overall boot time @@ -169,6 +188,7 @@ systemd-analyze plot > bootchart.svg # Visual boot chart ## 6. Command Examples and Scenarios ### Scenario 1: Kernel Parameter Configuration + ```bash # Add kernel parameter for debugging grubby --update-kernel=ALL --args="debug" @@ -182,6 +202,7 @@ grubby --update-kernel=ALL --args="mem=2G" ``` ### Scenario 2: GRUB Menu Customization + ```bash # Extend GRUB timeout sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=15/' /etc/default/grub @@ -204,6 +225,7 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ``` ### Scenario 3: Boot Target Management + ```bash # Switch to text mode permanently systemctl set-default multi-user.target 
@@ -223,14 +245,17 @@ systemd.unit=runlevel3.target # Equivalent to multi-user ## 7. Lab Exercises ### Lab 11A: GRUB Configuration and Kernel Parameters (Ghori-focused) + **Time Limit**: 20 minutes **Objective**: Configure GRUB bootloader and manage kernel parameters **Prerequisites**: + - RHEL 10 system with multiple kernel versions - Root access for bootloader modifications **Tasks**: + 1. Modify GRUB timeout to 15 seconds and disable submenu 2. Add kernel parameter `console=ttyS0,115200` to all kernels 3. Create custom GRUB menu entry for memory test @@ -238,6 +263,7 @@ systemd.unit=runlevel3.target # Equivalent to multi-user 5. Set the second kernel as default boot option **Verification Commands**: + ```bash grep GRUB_TIMEOUT /etc/default/grub # Check timeout setting grubby --info=ALL | grep console # Verify console parameter @@ -246,14 +272,17 @@ cat /proc/cmdline # Verify current parameter ``` ### Lab 11B: Boot Troubleshooting and Recovery (van Vugt-focused) + **Time Limit**: 25 minutes **Objective**: Practice boot failure recovery procedures **Prerequisites**: + - RHEL 10 system with intentionally broken boot configuration - Installation media or rescue disk available **Tasks**: + 1. Simulate GRUB corruption by removing `/boot/grub2/grub.cfg` 2. Boot into rescue mode and reinstall GRUB 3. Change root password using emergency boot mode @@ -261,6 +290,7 @@ cat /proc/cmdline # Verify current parameter 5. Analyze boot performance and identify slowest service **Verification Commands**: + ```bash ls -la /boot/grub2/grub.cfg # Verify GRUB config exists systemctl get-default # Check default target 
@@ -269,15 +299,18 @@ journalctl -b | grep -i error # Check for boot errors ``` ### Lab 11C: Synthesis Challenge - Complete Boot Environment Setup + **Time Limit**: 30 minutes **Objective**: Integrate both methodologies for comprehensive boot management **Prerequisites**: + - Fresh RHEL 10 installation - Multiple kernel versions installed - Access to rescue media **Tasks**: + 1. Configure GRUB with custom splash image and 20-second timeout 2. Add persistent kernel parameters for debugging and console redirection 3. Create custom rescue menu entry that boots directly to single-user mode @@ -286,11 +319,13 @@ journalctl -b | grep -i error # Check for boot errors 6. Document complete recovery procedure for boot failure scenarios **Advanced Requirements**: + - Use both grubby and manual GRUB configuration methods - Combine Ghori's systematic approach with van Vugt's advanced troubleshooting - Create comprehensive boot analysis report using systemd tools **Verification Commands**: + ```bash grub2-editenv list # Verify default settings grubby --info=ALL # Check all kernel parameters @@ -301,6 +336,7 @@ journalctl -b --no-pager | grep -E "(Started|Failed)" # Boot service status ## 8. Troubleshooting Common Issues ### GRUB Not Loading + ```bash # Symptoms: System boots directly to BIOS/UEFI # Solution: Reinstall GRUB to MBR/ESP @@ -315,6 +351,7 @@ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg ``` ### Kernel Panic on Boot + ```bash # Symptoms: Kernel panic, unable to mount root filesystem # Solution: Boot with different kernel or rescue mode @@ -326,6 +363,7 @@ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg ``` ### Wrong systemd Target + ```bash # Symptoms: System boots to wrong runlevel/target # Solution: Check and correct default target @@ -336,6 +374,7 @@ systemctl list-units --type=target --state=active # Show active targets ``` ### GRUB Configuration Corruption + ```bash # Symptoms: Syntax errors, missing menu entries # Solution: Regenerate configuration 
@@ -351,6 +390,7 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ``` ### Forgotten Root Password Recovery + ```bash # Method 1: rd.break method # Add to kernel line: rd.break @@ -371,6 +411,7 @@ exec /sbin/init ## 9. Best Practices ### GRUB Configuration Management + - Always backup `/boot/grub2/grub.cfg` before changes - Use `/etc/default/grub` for global settings - Place custom entries in `/etc/grub.d/40_custom` @@ -378,6 +419,7 @@ exec /sbin/init - Keep rescue media available for emergency recovery ### Kernel Parameter Management + - Use `grubby` for persistent kernel parameter changes - Document all custom parameters and their purposes - Test parameter changes before making them permanent @@ -385,6 +427,7 @@ exec /sbin/init - Maintain list of working parameter combinations ### Boot Security + - Implement GRUB password protection for menu editing - Secure physical access to prevent boot parameter tampering - Use encrypted boot partitions for sensitive environments @@ -392,6 +435,7 @@ exec /sbin/init - Monitor boot logs for unauthorized access attempts ### Recovery Preparedness + - Create and test rescue media regularly - Document complete recovery procedures - Practice password recovery methods 
@@ -401,24 +445,28 @@ exec /sbin/init ## 10. Integration with Other RHCSA Topics ### Storage Integration + - Boot partition requirements for LVM root filesystems - GRUB configuration for encrypted root partitions - Rescue procedures for storage failures - Boot from different storage devices ### Security Integration + - SELinux autorelabel during password recovery - Boot security with GRUB passwords - Secure boot configuration in UEFI environments - Audit trail for boot-time security events ### Network Integration + - Network boot with PXE and GRUB - Console redirection for remote management - Boot parameter configuration for network interfaces - Remote boot troubleshooting procedures ### Service Integration + - systemd target dependencies and boot order - Service startup optimization for faster boot - Boot-time service failure troubleshooting @@ -426,4 +474,4 @@ exec /sbin/init --- -**Module 11 Summary**: Boot process management and GRUB configuration are critical skills for system recovery and optimization. This module combines systematic troubleshooting approaches with practical recovery procedures, ensuring administrators can handle boot failures and customize the boot environment effectively. Understanding both the theory of the boot process and hands-on recovery techniques is essential for RHCSA certification and real-world system administration. \ No newline at end of file +**Module 11 Summary**: Boot process management and GRUB configuration are critical skills for system recovery and optimization. This module combines systematic troubleshooting approaches with practical recovery procedures, ensuring administrators can handle boot failures and customize the boot environment effectively. Understanding both the theory of the boot process and hands-on recovery techniques is essential for RHCSA certification and real-world system administration. 
diff --git a/docs/rhcsa_synthesis/12_logging_monitoring.md b/docs/rhcsa_synthesis/12_logging_monitoring.md index 348b865..e735f46 100644 --- a/docs/rhcsa_synthesis/12_logging_monitoring.md +++ b/docs/rhcsa_synthesis/12_logging_monitoring.md @@ -1,6 +1,7 @@ # Module 12: Logging & Monitoring ## 1. Learning Objectives + - Master systemd journald and traditional syslog logging systems - Configure rsyslog for centralized log management - Monitor system performance using built-in RHEL tools @@ -12,23 +13,27 @@ ## 2. Key Concepts ### Logging Architecture in RHEL 10 + - **systemd-journald**: Primary logging daemon for systemd services - **rsyslog**: Traditional syslog daemon for compatibility and advanced features - **Log Storage**: Binary journal files and text-based syslog files - **Log Forwarding**: Integration between journald and rsyslog ### Journal vs Syslog + - **Journal**: Binary format, structured metadata, automatic rotation - **Syslog**: Text format, traditional facilities/priorities, manual rotation - **Integration**: journald forwards to rsyslog for persistent storage ### Log Facilities and Priorities -``` + +```text Facilities: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0-7 Priorities: emerg, alert, crit, err, warning, notice, info, debug ``` ### System Monitoring Tools + - **top/htop**: Real-time process monitoring - **vmstat**: Virtual memory statistics - **iostat**: I/O statistics @@ -38,6 +43,7 @@ Priorities: emerg, alert, crit, err, warning, notice, info, debug ## 3. Essential Commands ### Journal Management + ```bash # View journal logs journalctl # All logs @@ -61,6 +67,7 @@ journalctl -k # Kernel messages only ``` ### Journal Configuration + ```bash # Journal persistence configuration mkdir -p /var/log/journal @@ -79,6 +86,7 @@ journalctl --vacuum-size=100M # Limit size ``` ### Rsyslog Configuration + ```bash # Main configuration file: /etc/rsyslog.conf # Additional configs: /etc/rsyslog.d/*.conf 
@@ -95,6 +103,7 @@ systemctl restart rsyslog ``` ### Log Rotation Management + ```bash # Logrotate configuration /etc/logrotate.conf # Main config @@ -120,6 +129,7 @@ EOF ``` ### System Monitoring Commands + ```bash # Process and memory monitoring top # Real-time process viewer @@ -143,7 +153,9 @@ iftop # Network traffic by conne ## 4. Asghar Ghori's Approach ### Systematic Log Analysis Method + Ghori emphasizes structured log examination: + ```bash # Step-by-step log analysis workflow # 1. Identify the time frame @@ -163,7 +175,9 @@ journalctl -k --since "30 minutes ago" # Kernel messages ``` ### Rsyslog Centralization Setup + Ghori's approach to centralized logging: + ```bash # Server configuration (/etc/rsyslog.conf) $ModLoad imudp @@ -181,6 +195,7 @@ firewall-cmd --reload ``` ### Performance Monitoring Workflow + ```bash # Ghori's systematic performance analysis # 1. Overall system health @@ -203,7 +218,9 @@ netstat -i # Interface statistics ## 5. Sander van Vugt's Approach ### Advanced Journal Queries + Van Vugt focuses on sophisticated filtering techniques: + ```bash # Complex journal queries using field matching journalctl _COMM=sshd _PID=1234 # Multiple field filters @@ -221,7 +238,9 @@ journalctl -F PRIORITY # List priority values ``` ### Rsyslog Advanced Configuration + Van Vugt's sophisticated rsyslog setup: + ```bash # Template-based logging # Add to /etc/rsyslog.conf: @@ -240,6 +259,7 @@ $IMJournalStateFile imjournal.state # State file location ``` ### SAR-based Long-term Monitoring + ```bash # Configure SAR data collection # Edit /etc/sysconfig/sysstat @@ -259,6 +279,7 @@ sar -A -s 09:00:00 -e 17:00:00 # All stats, time range ## 6. Command Examples and Scenarios ### Scenario 1: Troubleshooting Service Failures + ```bash # Service failed to start - comprehensive analysis systemctl status httpd # Service status 
@@ -272,6 +293,7 @@ semanage port -l | grep http # Check SELinux ports ``` ### Scenario 2: Performance Investigation + ```bash # System running slowly - systematic analysis # 1. Quick overview @@ -293,6 +315,7 @@ dmesg | tail -20 # Recent kernel messages ``` ### Scenario 3: Security Event Analysis + ```bash # Investigating failed login attempts journalctl -u sshd | grep "Failed password" # SSH failures @@ -308,14 +331,17 @@ aureport --auth --summary # SELinux auth summary ## 7. Lab Exercises ### Lab 12A: Journal and Rsyslog Configuration (Ghori-focused) + **Time Limit**: 25 minutes **Objective**: Configure comprehensive logging system with journal persistence and rsyslog customization **Prerequisites**: + - RHEL 10 system with systemd and rsyslog installed - Root access for configuration modifications **Tasks**: + 1. Configure journal persistence with 2GB maximum usage 2. Set up rsyslog to separate SSH logs to `/var/log/ssh.log` 3. Configure log rotation for SSH logs (daily, keep 30 days) @@ -323,6 +349,7 @@ aureport --auth --summary # SELinux auth summary 5. Forward all critical messages to remote server (simulated) **Verification Commands**: + ```bash ls -la /var/log/journal/ # Check journal persistence grep -i ssh /etc/rsyslog.conf # Verify SSH logging config @@ -331,14 +358,17 @@ cat /etc/logrotate.d/ssh # Check rotation config ``` ### Lab 12B: System Monitoring and Analysis (van Vugt-focused) + **Time Limit**: 30 minutes **Objective**: Implement comprehensive system monitoring using built-in tools **Prerequisites**: + - RHEL 10 system with full monitoring tools installed - Network connectivity for remote logging tests **Tasks**: + 1. Configure SAR to collect data every 2 minutes 2. Analyze system performance during high load simulation 3. Set up advanced journal queries to identify security events 
@@ -346,6 +376,7 @@ cat /etc/logrotate.d/ssh # Check rotation config 5. Generate performance report covering 24-hour period **Verification Commands**: + ```bash crontab -l | grep sa # Check SAR cron job sar -u 1 3 # Test SAR functionality @@ -354,14 +385,17 @@ ls -la /var/log/sa/ # Check SAR data files ``` ### Lab 12C: Synthesis Challenge - Complete Logging Infrastructure + **Time Limit**: 35 minutes **Objective**: Build enterprise-grade logging and monitoring system **Prerequisites**: + - Multiple RHEL 10 systems (or containers) for centralized logging - Administrative access to all systems **Tasks**: + 1. Set up centralized rsyslog server with client forwarding 2. Configure journal with structured logging for application troubleshooting 3. Implement automated log analysis with alerting mechanisms @@ -370,11 +404,13 @@ ls -la /var/log/sa/ # Check SAR data files 6. Document incident response procedures using log analysis **Advanced Requirements**: + - Combine both Ghori's systematic approach and van Vugt's advanced techniques - Implement security-focused logging with audit integration - Create automated scripts for common troubleshooting scenarios **Verification Commands**: + ```bash ss -tulnp | grep :514 # Check rsyslog server journalctl --disk-usage # Check journal usage @@ -385,6 +421,7 @@ systemctl status rsyslog systemd-journald # Check service status ## 8. Troubleshooting Common Issues ### Journal Not Persisting + ```bash # Symptoms: Logs lost after reboot # Solution: Enable persistent journal storage @@ -403,6 +440,7 @@ systemctl restart systemd-journald ``` ### High Log Volume Consuming Disk Space + ```bash # Symptoms: Logs filling up filesystem # Solutions: Implement proper rotation and retention @@ -421,6 +459,7 @@ logrotate -d /etc/logrotate.conf | grep -A5 -B5 error ``` ### Rsyslog Not Receiving Remote Logs + ```bash # Symptoms: Central log server not receiving client logs # Solution: Check network and configuration 
@@ -440,6 +479,7 @@ logger -n logserver "Test message from client" ``` ### Missing Log Entries + ```bash # Symptoms: Expected log entries not appearing # Solution: Check service status and configuration @@ -458,6 +498,7 @@ logger "Another test message" ``` ### Performance Impact from Logging + ```bash # Symptoms: System slowdown due to excessive logging # Solution: Optimize logging configuration @@ -478,6 +519,7 @@ Storage=volatile # Use memory storage tempora ## 9. Best Practices ### Log Management Strategy + - Implement centralized logging for multi-server environments - Configure appropriate retention policies based on compliance requirements - Use structured logging formats for easier analysis @@ -485,6 +527,7 @@ Storage=volatile # Use memory storage tempora - Monitor log growth and implement automated cleanup ### Performance Optimization + - Balance between log detail and system performance - Use asynchronous logging for high-volume applications - Configure appropriate buffer sizes for network log forwarding @@ -492,6 +535,7 @@ Storage=volatile # Use memory storage tempora - Implement log compression for long-term storage ### Security Considerations + - Protect log files with appropriate permissions (640 or 644) - Implement log integrity checking for critical systems - Use encrypted connections for remote log forwarding @@ -499,6 +543,7 @@ Storage=volatile # Use memory storage tempora - Regular security log analysis and alerting ### Monitoring Best Practices + - Establish baseline performance metrics - Set up automated alerting for critical thresholds - Document normal system behavior patterns 
@@ -508,24 +553,28 @@ Storage=volatile # Use memory storage tempora ## 10. Integration with Other RHCSA Topics ### Security Integration + - Correlate SELinux denials with application errors - Monitor authentication and authorization events - Track file permission changes and access attempts - Integrate with audit subsystem for compliance logging ### Network Integration + - Monitor network service performance and errors - Track connection attempts and failures - Correlate network issues with system performance - Monitor firewall rule effectiveness through logs ### Storage Integration + - Monitor filesystem usage and I/O performance - Track LVM operations and storage events - Correlate storage errors with application failures - Monitor backup and restore operations ### Service Integration + - Monitor systemd service dependencies and failures - Track service startup and shutdown times - Correlate service errors with system events @@ -533,4 +582,4 @@ Storage=volatile # Use memory storage tempora --- -**Module 12 Summary**: Effective logging and monitoring are essential for maintaining system health and security. This module combines traditional syslog management with modern systemd journal capabilities, providing comprehensive coverage of RHEL 10 logging infrastructure. Understanding both reactive troubleshooting through log analysis and proactive monitoring for performance optimization is crucial for RHCSA certification and production system management. \ No newline at end of file +**Module 12 Summary**: Effective logging and monitoring are essential for maintaining system health and security. This module combines traditional syslog management with modern systemd journal capabilities, providing comprehensive coverage of RHEL 10 logging infrastructure. Understanding both reactive troubleshooting through log analysis and proactive monitoring for performance optimization is crucial for RHCSA certification and production system management. 
diff --git a/docs/rhcsa_synthesis/13_scheduled_tasks.md b/docs/rhcsa_synthesis/13_scheduled_tasks.md index 4135e10..8e7335a 100644 --- a/docs/rhcsa_synthesis/13_scheduled_tasks.md +++ b/docs/rhcsa_synthesis/13_scheduled_tasks.md @@ -1,6 +1,7 @@ # Module 13: Scheduled Tasks & Automation ## 1. Learning Objectives + - Master cron and anacron scheduling systems - Configure systemd timers for service automation - Implement at and batch commands for one-time tasks @@ -12,6 +13,7 @@ ## 2. Key Concepts ### Task Scheduling Systems in RHEL 10 + - **cron**: Traditional time-based job scheduler - **anacron**: Enhanced scheduler for systems not always running - **systemd timers**: Modern systemd-based scheduling @@ -19,17 +21,20 @@ - **batch**: Queue-based task execution ### Cron Architecture + - **crond**: Main cron daemon - **User crontabs**: Individual user scheduling - **System crontab**: `/etc/crontab` for system-wide tasks - **Cron directories**: `/etc/cron.{hourly,daily,weekly,monthly}/` ### Systemd Timer Types + - **Realtime timers**: Calendar-based scheduling (like cron) - **Monotonic timers**: Relative to system events (boot, service start) - **Transient timers**: Temporary timers created on-the-fly ### Access Control + - **Allow files**: `/etc/cron.allow`, `/etc/at.allow` - **Deny files**: `/etc/cron.deny`, `/etc/at.deny` - **Default behavior**: If no allow file exists, all users except those in deny file can schedule tasks @@ -37,6 +42,7 @@ ## 3. Essential Commands ### Cron Management + ```bash # User crontab management crontab -e # Edit current user's crontab @@ -56,6 +62,7 @@ systemctl restart crond ``` ### Crontab Syntax + ```bash # Format: minute hour day_of_month month day_of_week command # Fields: 0-59 0-23 1-31 1-12 0-7 (0 and 7 are Sunday) @@ -76,6 +83,7 @@ systemctl restart crond ``` ### Systemd Timer Management + ```bash # List all timers systemctl list-timers # Active timers 
@@ -93,6 +101,7 @@ journalctl -u timer-name.service ``` ### At and Batch Commands + ```bash # Schedule one-time tasks with at at 15:30 # Run at 3:30 PM today @@ -116,6 +125,7 @@ batch> ``` ### Access Control Management + ```bash # Cron access control echo "username" >> /etc/cron.allow # Allow user @@ -134,7 +144,9 @@ echo "username" >> /etc/at.deny # Deny user ## 4. Asghar Ghori's Approach ### Systematic Cron Implementation + Ghori emphasizes step-by-step cron configuration: + ```bash # 1. Plan the task schedule # Identify task frequency and timing requirements @@ -161,7 +173,9 @@ crontab -e ``` ### Anacron Configuration for Laptops + Ghori's approach for systems not always running: + ```bash # Configure anacron in /etc/anacrontab # period_in_days delay_in_minutes job-identifier command @@ -177,6 +191,7 @@ anacron -T # Test configuration ``` ### Cron Security Best Practices + ```bash # Ghori's security recommendations: # 1. Use full paths in cron scripts @@ -193,7 +208,9 @@ MAILTO=admin@company.com ## 5. Sander van Vugt's Approach ### Systemd Timer Implementation + Van Vugt emphasizes modern systemd timers over traditional cron: + ```bash # Create service unit file cat > /etc/systemd/system/system-cleanup.service << 'EOF' @@ -232,7 +249,9 @@ systemctl enable --now system-cleanup.timer ``` ### Advanced Timer Scheduling + Van Vugt's sophisticated timer configurations: + ```bash # Complex calendar specifications OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 02:00:00 # Weekdays at 2 AM @@ -254,6 +273,7 @@ Persistent=true ``` ### Timer Debugging and Analysis + ```bash # Van Vugt's timer troubleshooting approach systemctl list-timers --all # Show all timer status @@ -269,6 +289,7 @@ systemctl status timer-name.timer timer-name.service # Combined status ## 6. Command Examples and Scenarios ### Scenario 1: System Maintenance Automation + ```bash # Comprehensive system maintenance crontab # Edit: crontab -e 
@@ -288,6 +309,7 @@ systemctl status timer-name.timer timer-name.service # Combined status ``` ### Scenario 2: User-specific Task Scheduling + ```bash # User crontab for development environment # Run as regular user: crontab -e @@ -305,6 +327,7 @@ MAILTO=developer@company.com ``` ### Scenario 3: One-time and Conditional Tasks + ```bash # Schedule immediate one-time tasks echo "systemctl restart httpd" | at now + 5 minutes @@ -321,14 +344,17 @@ echo "/usr/local/bin/video-processing.sh" | batch ## 7. Lab Exercises ### Lab 13A: Cron and Anacron Configuration (Ghori-focused) + **Time Limit**: 25 minutes **Objective**: Implement comprehensive cron-based task scheduling with proper security and logging **Prerequisites**: + - RHEL 10 system with crond and anacron installed - Multiple user accounts for testing access control **Tasks**: + 1. Create system-wide backup script that runs daily at 2:30 AM 2. Configure user crontab for log rotation every 6 hours 3. Set up anacron for weekly system updates (for laptop usage) @@ -336,6 +362,7 @@ echo "/usr/local/bin/video-processing.sh" | batch 5. Create monitoring script that checks cron job execution **Verification Commands**: + ```bash crontab -l # Check user crontab cat /etc/crontab # Check system crontab @@ -344,14 +371,17 @@ grep CRON /var/log/cron # Check cron execution logs ``` ### Lab 13B: Systemd Timer Implementation (van Vugt-focused) + **Time Limit**: 30 minutes **Objective**: Build modern systemd-based scheduling system with advanced timer features **Prerequisites**: + - RHEL 10 system with systemd - Understanding of systemd unit files **Tasks**: + 1. Create systemd service and timer for automated system cleanup 2. Configure calendar-based timer for business hours only (9 AM - 5 PM, weekdays) 3. Implement persistent timer that catches up missed executions 
@@ -359,6 +389,7 @@ grep CRON /var/log/cron # Check cron execution logs 5. Create timer with randomized delay for distributed execution **Verification Commands**: + ```bash systemctl list-timers --all # Check all timers systemctl status cleanup.timer cleanup.service # Check timer status @@ -367,14 +398,17 @@ systemd-analyze calendar "Mon..Fri *-*-* 09..17:00:00" # Validate calendar ``` ### Lab 13C: Synthesis Challenge - Enterprise Task Scheduling + **Time Limit**: 35 minutes **Objective**: Design comprehensive enterprise scheduling system combining all methodologies **Prerequisites**: + - Multiple RHEL 10 systems for distributed scheduling - Network connectivity for centralized monitoring **Tasks**: + 1. Design multi-tier scheduling system using both cron and systemd timers 2. Implement centralized task monitoring and alerting 3. Create backup scheduling with dependency management @@ -383,11 +417,13 @@ systemd-analyze calendar "Mon..Fri *-*-* 09..17:00:00" # Validate calendar 6. Implement security hardening for all scheduled tasks **Advanced Requirements**: + - Combine Ghori's systematic approach with van Vugt's modern timer techniques - Implement cross-system task coordination - Create automated failover mechanisms for critical tasks **Verification Commands**: + ```bash systemctl list-timers && crontab -l # Check all scheduling grep -r "CRON\|Timer" /var/log/ # Check execution logs @@ -398,6 +434,7 @@ find /etc -name "*cron*" -o -name "*.timer" | head -10 # Find config files ## 8. Troubleshooting Common Issues ### Cron Jobs Not Executing + ```bash # Symptoms: Scheduled tasks not running # Check cron service status @@ -423,6 +460,7 @@ ls -la /etc/cron.{allow,deny} ``` ### Environment Variables in Cron + ```bash # Symptoms: Script works manually but fails in cron # Solution: Set environment variables in crontab @@ -441,6 +479,7 @@ source ~/.bashrc ``` ### Systemd Timer Not Triggering + ```bash # Symptoms: Timer exists but service doesn't run # Check timer status 
@@ -460,6 +499,7 @@ journalctl -u timer-name.service ``` ### At Jobs Not Running + ```bash # Symptoms: at command accepts job but doesn't execute # Check atd service @@ -479,6 +519,7 @@ tail -f /var/log/cron # at uses cron logging ``` ### Permission Denied Errors + ```bash # Symptoms: Jobs fail with permission errors # Check script ownership and permissions @@ -498,6 +539,7 @@ username ALL=(ALL) NOPASSWD: /usr/local/bin/script.sh ## 9. Best Practices ### Security Considerations + - Use full paths for all commands and scripts - Set restrictive permissions on cron scripts (755 or 750) - Implement proper logging and monitoring @@ -506,6 +548,7 @@ username ALL=(ALL) NOPASSWD: /usr/local/bin/script.sh - Implement access control using allow/deny files ### Performance Optimization + - Avoid scheduling multiple resource-intensive tasks simultaneously - Use batch command for CPU-intensive tasks - Implement task dependencies to prevent conflicts @@ -513,6 +556,7 @@ username ALL=(ALL) NOPASSWD: /usr/local/bin/script.sh - Use randomized delays for distributed environments ### Error Handling and Monitoring + - Redirect output to log files for debugging - Implement notification mechanisms for task failures - Use MAILTO variable for cron error notifications @@ -520,6 +564,7 @@ username ALL=(ALL) NOPASSWD: /usr/local/bin/script.sh - Maintain audit logs of all scheduled task changes ### Modern Scheduling Strategy + - Prefer systemd timers for new implementations - Use persistent timers for critical tasks - Implement proper service dependencies 
@@ -529,24 +574,28 @@ username ALL=(ALL) NOPASSWD: /usr/local/bin/script.sh ## 10. Integration with Other RHCSA Topics ### Service Management Integration + - Schedule service restarts and updates - Coordinate scheduled tasks with service dependencies - Monitor service health through scheduled checks - Implement service failover through automation ### Storage Integration + - Schedule filesystem cleanup and maintenance - Automate backup and archive operations - Monitor disk usage and implement alerts - Coordinate with LVM operations for snapshots ### Security Integration + - Schedule security updates and patches - Automate log analysis and security monitoring - Coordinate with SELinux policy updates - Implement automated security scanning ### Network Integration + - Schedule network monitoring and diagnostics - Automate network configuration backups - Coordinate with network service maintenance 
@@ -554,4 +603,4 @@ username ALL=(ALL) NOPASSWD: /usr/local/bin/script.sh --- -**Module 13 Summary**: Task scheduling and automation are essential for maintaining efficient and reliable systems. This module provides comprehensive coverage of both traditional cron-based scheduling and modern systemd timer approaches. Understanding how to design, implement, and troubleshoot automated tasks is crucial for RHCSA certification and effective system administration. The synthesis of different scheduling methodologies ensures flexibility and reliability in diverse environments. \ No newline at end of file +**Module 13 Summary**: Task scheduling and automation are essential for maintaining efficient and reliable systems. This module provides comprehensive coverage of both traditional cron-based scheduling and modern systemd timer approaches. Understanding how to design, implement, and troubleshoot automated tasks is crucial for RHCSA certification and effective system administration. The synthesis of different scheduling methodologies ensures flexibility and reliability in diverse environments. diff --git a/docs/rhcsa_synthesis/14_flatpak_management.md b/docs/rhcsa_synthesis/14_flatpak_management.md index 9088e15..7306b2d 100644 --- a/docs/rhcsa_synthesis/14_flatpak_management.md +++ b/docs/rhcsa_synthesis/14_flatpak_management.md @@ -25,6 +25,7 @@ Flatpak is a framework for distributing desktop and command-line applications on Linux. It provides a sandboxed environment where applications run isolated from the host system, with their own bundled dependencies. **Key characteristics**: + - **Sandboxed execution**: Applications run in isolated environments with controlled access to host resources - **Bundled dependencies**: Each application ships with its own runtime and libraries, avoiding dependency conflicts - **Distribution-agnostic**: The same Flatpak runs on any Linux distribution 
@@ -55,6 +56,7 @@ Flatpak supports two installation scopes: ### Sandboxing and Permissions Flatpak uses a portal-based permission system: + - **Filesystem access**: Controlled via `--filesystem=` overrides - **Network access**: Enabled/disabled per application - **Device access**: Camera, GPU, etc. via portals 
@@ -126,71 +128,83 @@ flatpak update org.gimp.GIMP # Update specific applica ### Standard Procedure: Adding a Remote and Installing Software 1. **Add the Flathub remote** (if not already configured): - ```bash - flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo - ``` + + ```bash + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + ``` 2. **Verify the remote is configured**: - ```bash - flatpak remotes - ``` + + ```bash + flatpak remotes + ``` 3. **Search for the desired application**: - ```bash - flatpak search gimp - ``` + + ```bash + flatpak search gimp + ``` 4. **Install the application**: - ```bash - flatpak install flathub org.gimp.GIMP -y - ``` + + ```bash + flatpak install flathub org.gimp.GIMP -y + ``` 5. **Verify installation**: - ```bash - flatpak list --app | grep -i gimp - flatpak info org.gimp.GIMP - ``` + + ```bash + flatpak list --app | grep -i gimp + flatpak info org.gimp.GIMP + ``` 6. **Run the application**: - ```bash - flatpak run org.gimp.GIMP - ``` + + ```bash + flatpak run org.gimp.GIMP + ``` ### Standard Procedure: User-Level Installation 1. **Add remote for current user only**: - ```bash - flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo - ``` + + ```bash + flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + ``` 2. **Install application for current user**: - ```bash - flatpak install --user flathub org.mozilla.firefox -y - ``` + + ```bash + flatpak install --user flathub org.mozilla.firefox -y + ``` 3. **Verify user-level install**: - ```bash - flatpak list --user --app - ls ~/.local/share/flatpak/app/ - ``` + + ```bash + flatpak list --user --app + ls ~/.local/share/flatpak/app/ + ``` ### Standard Procedure: Updating and Cleaning Up 1. 
**Check for available updates**: - ```bash - flatpak update --appstream # Update metadata - flatpak remote-ls --updates # List available updates - ``` + + ```bash + flatpak update --appstream # Update metadata + flatpak remote-ls --updates # List available updates + ``` 2. **Update all installed Flatpaks**: - ```bash - flatpak update -y - ``` + + ```bash + flatpak update -y + ``` 3. **Remove unused runtimes** (after uninstalling applications): - ```bash - flatpak uninstall --unused -y - ``` + + ```bash + flatpak uninstall --unused -y + ``` --- @@ -237,6 +251,7 @@ flatpak override --user --reset org.gimp.GIMP ``` Override files are stored in: + - System: `/var/lib/flatpak/overrides/` - User: `~/.local/share/flatpak/overrides/` 
@@ -251,53 +266,62 @@ Override files are stored in: **Steps**: 1. **Verify Flatpak is installed** (it should be on RHEL 10 by default): - ```bash - rpm -q flatpak - flatpak --version - ``` + + ```bash + rpm -q flatpak + flatpak --version + ``` 2. **List currently configured remotes**: - ```bash - flatpak remotes - ``` + + ```bash + flatpak remotes + ``` 3. **Add the Flathub repository** (system-wide, requires root): - ```bash - sudo flatpak remote-add --if-not-exists flathub \ - https://flathub.org/repo/flathub.flatpakrepo - ``` + + ```bash + sudo flatpak remote-add --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + ``` 4. **Verify the remote was added**: - ```bash - flatpak remotes --show-details - ``` + + ```bash + flatpak remotes --show-details + ``` 5. **Search for and install an application**: - ```bash - flatpak search calculator - sudo flatpak install flathub org.gnome.Calculator -y - ``` + + ```bash + flatpak search calculator + sudo flatpak install flathub org.gnome.Calculator -y + ``` 6. **Verify the installation**: - ```bash - flatpak list --app - flatpak info org.gnome.Calculator - ``` + + ```bash + flatpak list --app + flatpak info org.gnome.Calculator + ``` 7. **Run the installed application**: - ```bash - flatpak run org.gnome.Calculator - ``` + + ```bash + flatpak run org.gnome.Calculator + ``` 8. **Install an application at user level** (no root needed): - ```bash - flatpak remote-add --user --if-not-exists flathub \ - https://flathub.org/repo/flathub.flatpakrepo - flatpak install --user flathub org.gnome.TextEditor -y - flatpak list --user --app - ``` + + ```bash + flatpak remote-add --user --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.gnome.TextEditor -y + flatpak list --user --app + ``` **Verification**: + ```bash flatpak remotes # Should show flathub flatpak list --app # Should show installed apps 
@@ -313,37 +337,44 @@ flatpak info org.gnome.Calculator # Should show app details **Steps**: 1. **Update all installed Flatpaks**: - ```bash - flatpak update -y - ``` + + ```bash + flatpak update -y + ``` 2. **List installed runtimes**: - ```bash - flatpak list --runtime - ``` + + ```bash + flatpak list --runtime + ``` 3. **Uninstall an application**: - ```bash - sudo flatpak uninstall org.gnome.Calculator -y - ``` + + ```bash + sudo flatpak uninstall org.gnome.Calculator -y + ``` 4. **Clean up unused runtimes**: - ```bash - sudo flatpak uninstall --unused -y - ``` + + ```bash + sudo flatpak uninstall --unused -y + ``` 5. **Verify removal**: - ```bash - flatpak list --app - ``` + + ```bash + flatpak list --app + ``` 6. **Check disk usage**: - ```bash - du -sh /var/lib/flatpak/ - du -sh ~/.local/share/flatpak/ - ``` + + ```bash + du -sh /var/lib/flatpak/ + du -sh ~/.local/share/flatpak/ + ``` **Verification**: + ```bash flatpak list --app # Removed apps should be gone flatpak list --runtime # Unused runtimes should be cleaned @@ -354,11 +385,13 @@ flatpak list --runtime # Unused runtimes should be cleaned **Objective**: Configure a complete Flatpak environment suitable for enterprise use **Scenario**: As a system administrator, configure Flatpak on a RHEL 10 system so that: + - Flathub is available as a system-wide remote - A standard set of applications is installed for all users - A regular user can install additional applications at the user level **Requirements**: + 1. Add Flathub as a system-wide remote 2. Install two system-wide applications 3. As a regular user, add a user-level remote and install one application 
@@ -366,34 +399,39 @@ flatpak list --runtime # Unused runtimes should be cleaned 5. Verify system vs user install locations **Solution Steps**: + 1. **System-wide setup** (as root): - ```bash - sudo flatpak remote-add --if-not-exists flathub \ - https://flathub.org/repo/flathub.flatpakrepo - sudo flatpak install flathub org.gnome.Calculator org.gnome.TextEditor -y - ``` + + ```bash + sudo flatpak remote-add --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + sudo flatpak install flathub org.gnome.Calculator org.gnome.TextEditor -y + ``` 2. **User-level setup** (as regular user): - ```bash - flatpak remote-add --user --if-not-exists flathub \ - https://flathub.org/repo/flathub.flatpakrepo - flatpak install --user flathub org.gnome.Logs -y - ``` + + ```bash + flatpak remote-add --user --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.gnome.Logs -y + ``` 3. **Update everything**: - ```bash - sudo flatpak update -y - flatpak update --user -y - ``` + + ```bash + sudo flatpak update -y + flatpak update --user -y + ``` 4. **Verify**: - ```bash - flatpak list --app # All apps - flatpak list --app --system # System apps - flatpak list --app --user # User apps - ls /var/lib/flatpak/app/ # System install path - ls ~/.local/share/flatpak/app/ # User install path - ``` + + ```bash + flatpak list --app # All apps + flatpak list --app --system # System apps + flatpak list --app --user # User apps + ls /var/lib/flatpak/app/ # System install path + ls ~/.local/share/flatpak/app/ # User install path + ``` --- 
@@ -404,15 +442,18 @@ flatpak list --runtime # Unused runtimes should be cleaned #### Issue 1: Remote Add Fails with GPG Error **Symptoms**: + - Error about GPG verification when adding a remote - "GPG signatures found, but none are in trusted keyring" **Diagnosis**: + ```bash flatpak remotes --show-details # Check existing remote config ``` **Resolution**: + ```bash # Re-add the remote (the .flatpakrepo file includes the GPG key) flatpak remote-delete flathub @@ -424,15 +465,18 @@ flatpak remote-add flathub https://flathub.org/repo/flathub.flatpakrepo #### Issue 2: Application Won't Install — Missing Runtime **Symptoms**: + - Installation fails with "runtime not found" error **Diagnosis**: + ```bash flatpak info --show-runtime org.example.App # Check required runtime flatpak list --runtime # List installed runtimes ``` **Resolution**: + ```bash # Install the required runtime manually flatpak install flathub org.freedesktop.Platform//24.08 -y @@ -443,16 +487,19 @@ flatpak install flathub org.example.App -y #### Issue 3: Application Crashes or Cannot Access Files **Symptoms**: + - Application starts but cannot read/write files - Permission denied errors in application **Diagnosis**: + ```bash flatpak info --show-permissions org.example.App flatpak override --user --show org.example.App ``` **Resolution**: + ```bash # Grant filesystem access flatpak override --user --filesystem=home org.example.App 
@@ -521,41 +568,43 @@ flatpak run APP_ID # Confirm app runs ### Conceptual Questions 1. **Question**: What is the difference between a Flatpak runtime and a Flatpak application? - **Answer**: A runtime is a shared set of base libraries (like `org.freedesktop.Platform`) that provides common dependencies. An application is the actual software built against a specific runtime. Multiple applications can share the same runtime, reducing disk usage. + **Answer**: A runtime is a shared set of base libraries (like `org.freedesktop.Platform`) that provides common dependencies. An application is the actual software built against a specific runtime. Multiple applications can share the same runtime, reducing disk usage. 2. **Question**: What is the difference between system-level and user-level Flatpak installs? - **Answer**: System installs (default) are stored in `/var/lib/flatpak/` and available to all users but require root privileges. User installs (`--user`) are stored in `~/.local/share/flatpak/` and available only to the installing user but require no elevated privileges. + **Answer**: System installs (default) are stored in `/var/lib/flatpak/` and available to all users but require root privileges. User installs (`--user`) are stored in `~/.local/share/flatpak/` and available only to the installing user but require no elevated privileges. 3. **Question**: How does Flatpak differ from RPM/DNF package management? - **Answer**: DNF manages system-level packages (kernel, libraries, system services) from RPM repositories. Flatpak manages sandboxed applications with bundled dependencies, providing isolation from the host system. They serve complementary roles — DNF for the base OS, Flatpak for application-layer software. + **Answer**: DNF manages system-level packages (kernel, libraries, system services) from RPM repositories. Flatpak manages sandboxed applications with bundled dependencies, providing isolation from the host system. 
They serve complementary roles — DNF for the base OS, Flatpak for application-layer software. ### Practical Scenarios 1. **Scenario**: A user needs to install GIMP from Flathub but Flathub is not configured on the system. - **Solution**: - ```bash - sudo flatpak remote-add --if-not-exists flathub \ - https://flathub.org/repo/flathub.flatpakrepo - sudo flatpak install flathub org.gimp.GIMP -y - ``` + **Solution**: + + ```bash + sudo flatpak remote-add --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + sudo flatpak install flathub org.gimp.GIMP -y + ``` 2. **Scenario**: A regular user wants to install applications without root access. - **Solution**: - ```bash - flatpak remote-add --user --if-not-exists flathub \ - https://flathub.org/repo/flathub.flatpakrepo - flatpak install --user flathub org.example.App -y - ``` + **Solution**: + + ```bash + flatpak remote-add --user --if-not-exists flathub \ + https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.example.App -y + ``` ### Command Challenges 1. **Challenge**: List all Flatpak applications (not runtimes) installed on the system. - **Answer**: `flatpak list --app` - **Explanation**: The `--app` flag filters output to show only applications, excluding shared runtimes. + **Answer**: `flatpak list --app` + **Explanation**: The `--app` flag filters output to show only applications, excluding shared runtimes. 2. **Challenge**: Remove all unused runtimes left over from uninstalled applications. - **Answer**: `flatpak uninstall --unused` - **Explanation**: After uninstalling applications, their runtimes may remain. `--unused` identifies and removes runtimes no longer needed by any installed application. + **Answer**: `flatpak uninstall --unused` + **Explanation**: After uninstalling applications, their runtimes may remain. `--unused` identifies and removes runtimes no longer needed by any installed application. --- 
@@ -571,19 +620,21 @@ flatpak run APP_ID # Confirm app runs ### Common Exam Scenarios 1. **Scenario**: Configure Flathub repository and install a specified application - **Approach**: - ```bash - flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo - flatpak install flathub org.example.App -y - flatpak list --app # Verify - ``` + **Approach**: + + ```bash + flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + flatpak install flathub org.example.App -y + flatpak list --app # Verify + ``` 2. **Scenario**: Install a Flatpak application for a specific user without root - **Approach**: - ```bash - flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo - flatpak install --user flathub org.example.App -y - ``` + **Approach**: + + ```bash + flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo + flatpak install --user flathub org.example.App -y + ``` ### Time Management diff --git a/docs/rhcsa_synthesis/15_troubleshooting.md b/docs/rhcsa_synthesis/15_troubleshooting.md index 7d88ca5..c31af1f 100644 --- a/docs/rhcsa_synthesis/15_troubleshooting.md +++ b/docs/rhcsa_synthesis/15_troubleshooting.md @@ -1,6 +1,7 @@ # Module 15: System Troubleshooting & Recovery ## 1. Learning Objectives + - Master systematic troubleshooting methodologies - Diagnose and resolve boot, network, and service failures - Analyze system performance issues and resource constraints @@ -12,6 +13,7 @@ ## 2. Key Concepts ### Troubleshooting Methodology + - **Problem identification**: Define symptoms and scope - **Information gathering**: Collect system state and logs - **Analysis**: Correlate data and identify root causes 
@@ -20,6 +22,7 @@ - **Documentation**: Record solutions for future reference ### System State Analysis + - **Boot process**: GRUB, kernel, systemd initialization - **Service status**: systemd unit states and dependencies - **Resource utilization**: CPU, memory, disk, network usage @@ -27,6 +30,7 @@ - **Configuration validation**: Syntax and logical correctness ### Recovery Techniques + - **Boot recovery**: Rescue mode, emergency mode, single-user mode - **Filesystem repair**: fsck, xfs_repair, data recovery - **Service restoration**: Dependency resolution, configuration fixes @@ -34,6 +38,7 @@ - **Security recovery**: SELinux troubleshooting, permission fixes ### Diagnostic Tools + - **System information**: lscpu, lsmem, lsblk, lspci, lsusb - **Performance monitoring**: top, htop, iotop, vmstat, iostat - **Network diagnostics**: ping, traceroute, netstat, ss, tcpdump @@ -42,6 +47,7 @@ ## 3. Essential Commands ### System Information Gathering + ```bash # Hardware information lscpu # CPU information @@ -60,6 +66,7 @@ systemctl status # Overall system status ``` ### Process and Resource Analysis + ```bash # Process monitoring ps aux # Process snapshot @@ -77,6 +84,7 @@ fuser -v /path/file # Processes using file ``` ### Network Diagnostics + ```bash # Network connectivity ping -c 4 target # Test connectivity @@ -96,6 +104,7 @@ host hostname # Simple DNS lookup ``` ### Service Troubleshooting + ```bash # Service analysis systemctl status service_name # Service status @@ -111,6 +120,7 @@ postfix check # Postfix config test ``` ### Log Analysis + ```bash # System logs journalctl -b # Current boot logs @@ -128,7 +138,9 @@ awk '/ERROR/ {print $1, $2, $3, $NF}' /var/log/secure # Extract error info ## 4. Asghar Ghori's Approach ### Systematic Problem Analysis + Ghori emphasizes structured troubleshooting workflow: + ```bash # Step 1: Problem definition and scope echo "Problem: Service X not responding" 
@@ -148,7 +160,9 @@ httpd -t # Config validation ``` ### Boot Troubleshooting Methodology + Ghori's systematic boot problem resolution: + ```bash # Boot analysis workflow # 1. Identify boot stage failure @@ -169,6 +183,7 @@ systemctl list-jobs # Pending jobs ``` ### Network Troubleshooting Steps + ```bash # Ghori's network diagnosis process # 1. Physical/Link layer @@ -189,7 +204,9 @@ nmap -p 80 target_server # Remote service test ## 5. Sander van Vugt's Approach ### Advanced Diagnostic Techniques + Van Vugt focuses on deep system analysis: + ```bash # Comprehensive system performance analysis # 1. CPU analysis @@ -209,7 +226,9 @@ lsof +D /path # Files open in directory ``` ### Root Cause Analysis Framework + Van Vugt's systematic root cause identification: + ```bash # Multi-layer analysis approach # 1. Hardware layer @@ -229,6 +248,7 @@ gdb --pid PID # Debug running process ``` ### Advanced Log Correlation + ```bash # Van Vugt's log correlation methodology # 1. Timeline reconstruction @@ -247,6 +267,7 @@ grep -E "ERROR|CRITICAL|FATAL" /var/log/application.log | sort | uniq -c ## 6. Command Examples and Scenarios ### Scenario 1: Service Startup Failure + ```bash # Problem: Web server won't start after system reboot # Systematic diagnosis: @@ -273,6 +294,7 @@ firewall-cmd --list-services ``` ### Scenario 2: System Performance Degradation + ```bash # Problem: System running slowly, high load average # Performance analysis: @@ -296,6 +318,7 @@ netstat -i # Interface statistics ``` ### Scenario 3: Boot Failure Recovery + ```bash # Problem: System won't boot, dropped to emergency shell # Recovery procedure: 
@@ -319,20 +342,24 @@ grub2-mkconfig -o /boot/grub2/grub.cfg ## 7. Lab Exercises ### Lab 15A: Service and Configuration Troubleshooting (Ghori-focused) + **Time Limit**: 30 minutes **Objective**: Diagnose and resolve common service configuration issues **Prerequisites**: + - RHEL 10 system with intentionally misconfigured services - Apache httpd and SSH services installed **Setup** (Instructor creates these issues): + 1. Apache httpd service fails to start due to configuration syntax error 2. SSH service running but refusing connections due to permission issue 3. Network service configured with conflicting IP addresses 4. Cron service not executing jobs due to permission problems **Tasks**: + 1. Identify and fix Apache configuration syntax error 2. Resolve SSH connection issues and verify remote access 3. Correct network configuration conflicts @@ -340,6 +367,7 @@ grub2-mkconfig -o /boot/grub2/grub.cfg 5. Document all findings and solutions **Verification Commands**: + ```bash systemctl status httpd sshd # Service status curl http://localhost # Test web service @@ -349,20 +377,24 @@ crontab -l && grep CRON /var/log/cron # Cron verification ``` ### Lab 15B: Performance and Resource Troubleshooting (van Vugt-focused) + **Time Limit**: 35 minutes **Objective**: Analyze and resolve system performance issues using advanced diagnostic techniques **Prerequisites**: + - RHEL 10 system with performance monitoring tools installed - Simulated high load conditions **Setup** (Instructor creates these conditions): + 1. Memory leak causing system slowdown 2. High I/O wait times due to disk issues 3. Network connectivity problems affecting services 4. CPU-intensive process consuming resources **Tasks**: + 1. Identify memory leak source and implement solution 2. Diagnose and resolve I/O performance bottleneck 3. Troubleshoot network connectivity issues 
@@ -370,6 +402,7 @@ crontab -l && grep CRON /var/log/cron # Cron verification 5. Create monitoring strategy to prevent recurrence **Verification Commands**: + ```bash free -h && vmstat 1 3 # Memory status iostat -x 1 3 # I/O performance @@ -378,14 +411,17 @@ top -b -n1 | head -15 # Process overview ``` ### Lab 15C: Synthesis Challenge - Complete System Recovery + **Time Limit**: 45 minutes **Objective**: Perform comprehensive system recovery using integrated troubleshooting methodologies **Prerequisites**: + - RHEL 10 system with multiple simulated failures - Access to rescue media and documentation **Setup** (Multiple interconnected issues): + 1. Boot failure due to corrupted filesystem 2. Network services not starting due to SELinux denials 3. Storage issues affecting application data @@ -393,6 +429,7 @@ top -b -n1 | head -15 # Process overview 5. Logging system failures hiding other issues **Tasks**: + 1. Recover system from boot failure using rescue mode 2. Resolve SELinux issues preventing service startup 3. Repair storage problems and recover application data @@ -402,11 +439,13 @@ top -b -n1 | head -15 # Process overview 7. Create comprehensive incident report **Advanced Requirements**: + - Combine both Ghori's systematic approach and van Vugt's deep analysis - Use multiple diagnostic tools and correlation techniques - Document complete recovery timeline and lessons learned **Verification Commands**: + ```bash systemctl status && systemctl --failed # Overall system health mount && df -h # Storage status @@ -418,6 +457,7 @@ ss -tulnp | grep -E ":22|:80|:443" # Critical services ## 8. Troubleshooting Common Issues ### Boot Failure Scenarios + ```bash # GRUB not loading # Symptoms: System boots directly to BIOS/UEFI @@ -439,6 +479,7 @@ mount -o remount,rw / ``` ### Network Connectivity Issues + ```bash # No network connectivity # Symptoms: Cannot reach external hosts 
@@ -464,6 +505,7 @@ nmcli connection up connection_name # Bring up connection ``` ### High Load and Performance Issues + ```bash # System running slowly # Symptoms: High load average, slow response @@ -490,6 +532,7 @@ journalctl --vacuum-time=1week # Clean journal logs ``` ### Service Dependencies and Failures + ```bash # Service won't start due to dependencies # Symptoms: Service fails with dependency errors @@ -515,6 +558,7 @@ service_name -t # If applicable ## 9. Best Practices ### Troubleshooting Methodology + - Document all symptoms before making changes - Follow systematic approach from general to specific - Make one change at a time and test results @@ -523,6 +567,7 @@ service_name -t # If applicable - Have rollback plan for all changes ### Information Gathering + - Collect system information immediately when issue occurs - Preserve log files and system state for analysis - Use multiple information sources for correlation @@ -530,6 +575,7 @@ service_name -t # If applicable - Interview users about what they were doing when issue occurred ### Solution Implementation + - Test solutions in non-production environment first - Implement least disruptive solution first - Monitor system closely after implementing fixes @@ -537,6 +583,7 @@ service_name -t # If applicable - Verify that solution doesn't create new problems ### Preventive Measures + - Implement comprehensive monitoring and alerting - Perform regular system health checks - Keep system and applications updated 
@@ -547,24 +594,28 @@ service_name -t # If applicable ## 10. Integration with Other RHCSA Topics ### Service Management Integration + - Understand systemd service dependencies and failures - Troubleshoot service startup and runtime issues - Analyze service logs and performance metrics - Implement service monitoring and alerting ### Storage Integration + - Diagnose filesystem corruption and recovery procedures - Troubleshoot LVM and storage performance issues - Implement storage monitoring and capacity planning - Recover from storage hardware failures ### Security Integration + - Troubleshoot SELinux denials and policy issues - Diagnose firewall rule conflicts and connectivity problems - Investigate security incidents and unauthorized access - Implement security monitoring and incident response ### Network Integration + - Diagnose network connectivity and performance issues - Troubleshoot DNS resolution and service discovery - Analyze network traffic and security events 
@@ -572,4 +623,4 @@ service_name -t # If applicable --- -**Module 15 Summary**: System troubleshooting is the culmination of all RHCSA skills, requiring deep understanding of Linux system components and their interactions. This module provides comprehensive coverage of systematic troubleshooting methodologies, from basic problem identification to complex system recovery scenarios. Mastering both structured diagnostic approaches and advanced analysis techniques is essential for RHCSA certification and effective system administration in production environments. The synthesis of different troubleshooting philosophies ensures comprehensive problem-solving capabilities across all system components. \ No newline at end of file +**Module 15 Summary**: System troubleshooting is the culmination of all RHCSA skills, requiring deep understanding of Linux system components and their interactions. This module provides comprehensive coverage of systematic troubleshooting methodologies, from basic problem identification to complex system recovery scenarios. Mastering both structured diagnostic approaches and advanced analysis techniques is essential for RHCSA certification and effective system administration in production environments. The synthesis of different troubleshooting philosophies ensures comprehensive problem-solving capabilities across all system components. diff --git a/docs/rhcsa_synthesis/_template.md b/docs/rhcsa_synthesis/_template.md index fa7a8e8..0d23ecc 100644 --- a/docs/rhcsa_synthesis/_template.md +++ b/docs/rhcsa_synthesis/_template.md @@ -21,15 +21,19 @@ ## 2. Conceptual Foundation ### Core Theory + [Fundamental concepts explained clearly] ### Real-World Applications + [How these concepts apply in practice] ### Common Misconceptions + [Things students often get wrong] ### Key Terminology + - **Term 1**: Definition and context - **Term 2**: Definition and context 
@@ -38,6 +42,7 @@ ## 3. Command Mastery ### Essential Commands + ```bash # Primary command with full syntax command [options] [arguments] @@ -51,12 +56,14 @@ command -multiple -flags --with=values ``` ### Command Reference Table + | Command | Purpose | Key Options | Example | |---------|---------|-------------|---------| | `command1` | Description | `-option` | `command1 -option value` | | `command2` | Description | `--flag` | `command2 --flag=value` | ### Expected Outputs + ```bash $ command example [Expected output shown here] @@ -67,21 +74,28 @@ $ command example ## 4. Procedural Workflows ### Standard Procedure: [Task Name] + 1. **Step 1**: Action to take - ```bash - command1 parameters - ``` + + ```bash + command1 parameters + ``` + 2. **Step 2**: Next action - ```bash - command2 parameters - ``` + + ```bash + command2 parameters + ``` + 3. **Verification**: Confirm success - ```bash - verification-command - ``` + + ```bash + verification-command + ``` ### Decision Tree: [Complex Scenario] -``` + +```text Start Here ├── Condition A? → Action 1 ├── Condition B? → Action 2 @@ -93,7 +107,9 @@ Start Here ## 5. Configuration Deep Dive ### Primary Configuration Files + - **`/path/to/config`**: Main configuration file + ```bash # Key parameters parameter1=value1 @@ -101,6 +117,7 @@ Start Here ``` - **`/path/to/secondary`**: Secondary configuration + ```bash # Additional settings setting1=value1 @@ -108,13 +125,16 @@ Start Here ``` ### Configuration Examples + #### Basic Configuration + ```bash # /etc/example.conf basic_setting=value ``` #### Advanced Configuration + ```bash # /etc/advanced.conf advanced_setting1=value1 @@ -127,14 +147,17 @@ advanced_setting2=value2 ## 6. Hands-On Labs ### Lab 6.1: [Asghar Ghori Exercise] + **Objective**: [What this lab accomplishes] **Steps**: + 1. [Detailed step 1] 2. [Detailed step 2] 3. [Detailed step 3] **Verification**: + ```bash # Commands to verify completion verification-command 
@@ -143,14 +166,17 @@ verification-command **Expected Result**: [What should happen] ### Lab 6.2: [Sander van Vugt Exercise] + **Objective**: [What this lab accomplishes] **Steps**: + 1. [Detailed step 1] 2. [Detailed step 2] 3. [Detailed step 3] **Verification**: + ```bash # Commands to verify completion verification-command @@ -159,16 +185,19 @@ verification-command **Expected Result**: [What should happen] ### Lab 6.3: [Synthesis Challenge] + **Objective**: [Combined scenario from both authors] **Scenario**: [Real-world situation to solve] **Requirements**: + - [Requirement 1] - [Requirement 2] - [Requirement 3] **Solution Steps**: + 1. [Step 1 with commands] 2. [Step 2 with commands] 3. [Step 3 with commands] @@ -180,11 +209,14 @@ verification-command ### Common Issues #### Issue 1: [Problem Description] + **Symptoms**: + - [Symptom 1] - [Symptom 2] **Diagnosis**: + ```bash # Commands to identify the issue diagnostic-command1 @@ -192,6 +224,7 @@ diagnostic-command2 ``` **Resolution**: + ```bash # Commands to fix the issue fix-command1 @@ -201,9 +234,11 @@ fix-command2 **Prevention**: [How to avoid this issue] #### Issue 2: [Another Problem] + [Follow same format] ### Diagnostic Command Sequence + ```bash # Standard diagnostic workflow step1-command # Check basic status @@ -213,6 +248,7 @@ step4-command # Test functionality ``` ### Log File Analysis + - **`/var/log/relevant.log`**: What to look for - **`/var/log/system.log`**: Common error patterns @@ -221,6 +257,7 @@ step4-command # Test functionality ## 8. Quick Reference Card ### Essential Commands At-a-Glance + ```bash # Most important commands for this topic primary-command [options] 
@@ -229,15 +266,18 @@ verification-command [options] ``` ### Key File Locations + - **Configuration**: `/etc/main-config` - **Data**: `/var/lib/service-data` - **Logs**: `/var/log/service.log` ### Important Parameters + - `parameter1`: Effect and usage - `parameter2`: Effect and usage ### Verification Commands + ```bash # Quick checks to confirm everything works status-check @@ -249,45 +289,52 @@ functionality-test ## 9. Knowledge Check ### Conceptual Questions + 1. **Question**: [Conceptual question about the topic] - **Answer**: [Detailed explanation] + **Answer**: [Detailed explanation] 2. **Question**: [Another conceptual question] - **Answer**: [Detailed explanation] + **Answer**: [Detailed explanation] ### Practical Scenarios + 1. **Scenario**: [Real-world problem to solve] - **Solution**: [Step-by-step solution] + **Solution**: [Step-by-step solution] 2. **Scenario**: [Another practical problem] - **Solution**: [Step-by-step solution] + **Solution**: [Step-by-step solution] ### Command Challenges + 1. **Challenge**: Write a command to [specific task] - **Answer**: `command with correct syntax` - **Explanation**: [Why this works] + **Answer**: `command with correct syntax` + **Explanation**: [Why this works] --- ## 10. Exam Strategy ### Topic-Specific Tips + - [Tip 1 specific to this topic] - [Tip 2 for exam success] - [Tip 3 for time management] ### Common Exam Scenarios + 1. **Scenario**: [Typical exam task] - **Approach**: [How to handle it efficiently] + **Approach**: [How to handle it efficiently] 2. **Scenario**: [Another exam task] - **Approach**: [Efficient solution method] + **Approach**: [Efficient solution method] ### Time Management + - **Estimated Time**: [X minutes for this type of task] - **Quick Verification**: [Fastest way to check your work] ### Pitfalls to Avoid + - [Common mistake 1] - [Common mistake 2] - [Common mistake 3] 
@@ -297,11 +344,13 @@ functionality-test ## Summary ### Key Takeaways + - [Major point 1] - [Major point 2] - [Major point 3] ### Critical Commands to Remember + ```bash must-know-command1 must-know-command2 @@ -309,10 +358,11 @@ must-know-command3 ``` ### Next Steps + - Continue to [next module](XX_next_topic.md) - Review related topics: [links] - Practice with [suggested lab exercises] --- -**Navigation**: [← Previous](XX_previous_topic.md) | [Index](index.md) | [Next →](XX_next_topic.md) \ No newline at end of file +**Navigation**: [← Previous](XX_previous_topic.md) | [Index](index.md) | [Next →](XX_next_topic.md) diff --git a/docs/rhcsa_synthesis/index.md b/docs/rhcsa_synthesis/index.md index e5ae34e..3079c2d 100644 --- a/docs/rhcsa_synthesis/index.md +++ b/docs/rhcsa_synthesis/index.md @@ -5,6 +5,7 @@ ## Overview This knowledge base synthesizes content from two authoritative RHCSA study resources: + - **Asghar Ghori**: "RHCSA Red Hat Enterprise Linux 10" (Dec 2025 edition) - **Sander van Vugt**: "Red Hat RHCSA 9 Cert Guide" (concepts still applicable) @@ -13,18 +14,21 @@ Each topic module combines the best approaches from both authors, providing comp ## Study Approach ### For First-Time Learners + 1. Start with [Exam Overview](00_exam_overview.md) for context 2. Follow modules in numerical order (01-15) 3. Complete all hands-on labs in each module 4. Use Quick Reference Cards for review ### For Exam Preparation + 1. Review [Exam Overview](00_exam_overview.md) for strategy 2. Focus on modules matching your weak areas 3. Practice all troubleshooting scenarios 4. Use Knowledge Checks for self-assessment ### For Reference/Review + 1. Use this index to jump to specific topics 2. Leverage Quick Reference Cards for rapid lookup 3. Consult Troubleshooting Playbooks for specific issues 
@@ -32,6 +36,7 @@ Each topic module combines the best approaches from both authors, providing comp ## Module Index ### Foundation Topics + | Module | Topic | Focus Areas | Exam Weight | |--------|-------|-------------|-------------| | [00](00_exam_overview.md) | **Exam Overview** | Format, strategy, environment setup | Essential | @@ -40,6 +45,7 @@ Each topic module combines the best approaches from both authors, providing comp | [03](03_user_group_management.md) | **User & Group Management** | Account creation, policies, sudo | Critical | ### System Administration + | Module | Topic | Focus Areas | Exam Weight | |--------|-------|-------------|-------------| | [04](04_file_permissions.md) | **File Permissions** | File permissions, access controls | Critical | @@ -49,6 +55,7 @@ Each topic module combines the best approaches from both authors, providing comp | [08](08_networking.md) | **Network Configuration** | IP configuration, DNS, routing | High | ### Security and Advanced Topics + | Module | Topic | Focus Areas | Exam Weight | |--------|-------|-------------|-------------| | [09](09_selinux.md) | **SELinux Management** | Contexts, booleans, troubleshooting | Critical | @@ -58,6 +65,7 @@ Each topic module combines the best approaches from both authors, providing comp | [13](13_scheduled_tasks.md) | **Scheduled Tasks** | cron, at, systemd timers | Medium | ### Modern RHEL Features + | Module | Topic | Focus Areas | Exam Weight | |--------|-------|-------------|-------------| | [14](14_flatpak_management.md) | **Flatpak Management** | Flatpak repos, application management | High | @@ -66,6 +74,7 @@ Each topic module combines the best approaches from both authors, providing comp ## Quick Navigation ### By Exam Objective + - **Understand and use essential tools** → Modules 01, 02 - **Create simple shell scripts** → Module 02, 13 - **Operate running systems** → Modules 05, 06, 12, 13 
@@ -77,6 +86,7 @@ Each topic module combines the best approaches from both authors, providing comp - **Manage security** → Modules 04, 09, 10 ### By Common Tasks + - **System Setup**: Modules 01, 03, 08 - **Storage Configuration**: Modules 07 - **Security Hardening**: Modules 04, 09, 10 @@ -107,14 +117,16 @@ Track your progress through the synthesis modules: ## Additional Resources ### Original Sources + - Current ebook analysis: [ebook_summary.md](../ebook_summary.md) - Comprehensive flashcards: [rhcsa_deck.csv](../../anki/rhcsa_deck.csv) - Quick exam reference: [exam_quick_reference.md](../exam_quick_reference.md) ### Command References + - Organized by topic: [command_reference_by_topic.md](../command_reference_by_topic.md) - Acronyms and terminology: [rhcsa_acronyms_glossary.md](../rhcsa_acronyms_glossary.md) --- -**Study Tip**: Each module is self-contained but cross-references related topics. Don't feel obligated to read linearly - jump to what you need to learn or review! \ No newline at end of file +**Study Tip**: Each module is self-contained but cross-references related topics. Don't feel obligated to read linearly - jump to what you need to learn or review! diff --git a/mkdocs.yml b/mkdocs.yml index 2f9fce5..4ec2422 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -50,8 +50,9 @@ markdown_extensions: - toc: permalink: true - admonition - - codehilite: + - pymdownx.highlight: guess_lang: false + - pymdownx.superfences - def_list - footnotes - meta
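Review bot: in the Knowledge Check / Exam Strategy hunk of docs/rhcsa_synthesis/_template.md (`@@ -249,45 +289,52 @@`), replacing the nested `- **Answer**:` bullet with an indented `**Answer**:` line that immediately follows the question line turns it into a lazy paragraph continuation in CommonMark, so the answer renders on the same line as the question instead of beneath it. Either keep the nested bullet (three spaces under the numbered item) or insert a blank line before `**Answer**:` so it becomes a second paragraph of the list item; the same applies to the `**Solution**:`, `**Explanation**:` and `**Approach**:` lines changed in that hunk.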
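Review bot: in the docs/rhcsa_synthesis/index.md Quick Navigation hunk (`@@ -77,6 +86,7 @@`), the unchanged context line `- **Storage Configuration**: Modules 07` has a number mismatch; since the surrounding entries are being touched anyway, suggest `- **Storage Configuration**: Module 07`.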
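Review bot: the mkdocs.yml hunk (`@@ -50,8 +50,9 @@`) swaps `codehilite` for `pymdownx.highlight` and adds `pymdownx.superfences`, but no dependency file changes alongside it; confirm that `pymdown-extensions` is declared in the project's Python dependencies (it is pulled in by mkdocs-material but not by plain mkdocs), otherwise the `build` job in deploy.yml will fail with an unknown-extension error. Also check that the built-in `fenced_code` extension is not still listed elsewhere in `markdown_extensions`, since `pymdownx.superfences` replaces it and the two should not be enabled together.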