Archive for the ‘Linux’ Category

Rsync and details on what has changed

January 13, 2017

Setup

# create a directory and a couple of files
mkdir /tmp/mydir1;
mkdir /tmp/mydir1/data;
echo "hello" > /tmp/mydir1/hello.txt;
echo "name is john" > /tmp/mydir1/name.txt;
mkdir -p /tmp/mydir1/dir1/dir2/dir3/dir4/dir5;

# copy the directory with all permissions etc to a new directory 
# -a : copy exactly with owner, group, permissions etc
# -r : recursive
cp -ar /tmp/mydir1 /tmp/mydir2

Some rsync options 

  • --dry-run : only simulate, do not perform the actual action
  • -v : verbose
  • -a : archive mode, equivalent to specifying all of these options: -r -l -p -t -g -o -D
  • -r : recursive
  • -l : copy symlinks as symlinks
  • -p : preserve permissions
  • -t : preserve file timestamps
  • -g : preserve group
  • -o : preserve owner
  • -D : preserve device files and special files
  • -c : compare file checksums instead of timestamp and file size
  • -i : itemize changes, i.e. print a per-file summary of which attributes differ (--itemize-changes)
  • --delete : delete any files in the destination that are not in the source

First try – simple dry run 

# rsync --dry-run -avc --delete /tmp/mydir1/ /tmp/mydir2/
sending incremental file list

 

Nothing is listed, because the two directories are exact copies.
Now let's make some changes to mydir2

echo "hello again" >> /tmp/mydir2/hello.txt;
touch /tmp/mydir2/newfile.txt;
chmod o+rwx /tmp/mydir2/dir1;
mkdir /tmp/mydir2/newdir;
chgrp nobody /tmp/mydir2/dir1/dir2;
chown nobody /tmp/mydir2/dir1/dir2/dir3;

Try again 

# rsync --dry-run -avc --delete /tmp/mydir1/ /tmp/mydir2/
sending incremental file list
./
deleting newdir/
deleting newfile.txt
hello.txt
dir1/
dir1/dir2/
dir1/dir2/dir3/

This list shows the changes that would be made without --dry-run: the two new items in mydir2 would be deleted, hello.txt re-sent, and the attributes of the three directories reset.

To see more detail, use the --itemize-changes (-i) option.
It reports which attribute of each item has changed.

Second try – let's format the output

# rsync --dry-run -avci --delete /tmp/mydir1/ /tmp/mydir2/
sending incremental file list
.d..t...... ./
*deleting newdir/
*deleting newfile.txt
>fcst...... hello.txt
.d...p..... dir1/
.d.....g... dir1/dir2/
.d....o.... dir1/dir2/dir3/

Each line now starts with an 11-character change summary in front of the file name (see man rsync under --itemize-changes for the full key). In the output above:

  • (>) in the first position means the item is being transferred to the receiving side; (.) means only attributes change
  • (*deleting) means the item will be deleted on the destination
  • (f) and (d) in the second position give the item type: regular file or directory
  • (c) means the checksum differs, i.e. the content changed (only checked because we passed -c)
  • (s) means the size differs
  • (t) means the modification time differs (the ./ entry shows this because files were created in it)
  • (p) means permissions differ
  • (o) means the owner differs
  • (g) means the group differs

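As an added example (not part of the original post), here is a small POSIX shell decoder for these itemized lines; it covers the flag columns shown above plus the remaining ones from the man page, and the sample lines it is run on are those from the second dry run.

```shell
#!/bin/sh
# Decode the 11-character change summary that rsync --itemize-changes (-i)
# prints before each path, e.g. ">fcst...... hello.txt". Added helper, not
# rsync's own code. Layout per man rsync: YXcstpoguax, where Y is the update
# type, X the item type, and each later column names an attribute that differs.
itemize_char() { printf '%s' "$1" | cut -c"$2"; }      # 1-based column

decode_itemized() {
    line=$1
    flags=${line%% *}            # first word: the flag string, or *deleting
    path=${line#* }              # the rest is the path (may contain spaces)
    sp=' '
    while [ "${path#$sp}" != "$path" ]; do path=${path#$sp}; done   # rsync pads *deleting
    if [ "$flags" = '*deleting' ]; then
        echo "$path: will be deleted on the destination"; return 0
    fi
    if [ "${#flags}" -ne 11 ]; then
        echo "$line: not an itemized line" >&2; return 1
    fi
    case $(itemize_char "$flags" 1) in
        '>') out='transferred to local side' ;;
        '<') out='transferred to remote side' ;;
        c)   out='created locally' ;;
        h)   out='hard link' ;;
        *)   out='attributes only' ;;
    esac
    case $(itemize_char "$flags" 2) in
        f) out="$out; file" ;;     d) out="$out; directory" ;;
        L) out="$out; symlink" ;;  D) out="$out; device" ;;
        S) out="$out; special file" ;;
    esac
    pos=3
    while [ "$pos" -le 11 ]; do
        c=$(itemize_char "$flags" "$pos")
        if [ "$c" = '+' ]; then out="$out; newly created"; break; fi
        if [ "$c" != '.' ]; then
            case $pos in
                3)  out="$out; checksum differs" ;;
                4)  out="$out; size differs" ;;
                5)  out="$out; mtime differs" ;;
                6)  out="$out; permissions differ" ;;
                7)  out="$out; owner differs" ;;
                8)  out="$out; group differs" ;;
                10) out="$out; ACL differs" ;;
                11) out="$out; xattr differs" ;;
            esac
        fi
        pos=$((pos + 1))
    done
    echo "$path: $out"
}
```

Pipe the rsync output through it with something like `rsync -avci ... | while IFS= read -r l; do decode_itemized "$l"; done` (the header and summary lines are reported as non-itemized on stderr).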

Installing VirtualBox Guest Addition on CentOS 7 server – no GUI

January 19, 2016

I am doing this on

  • VirtualBox 5.0.12
  • Windows 8.1 64 bit Host
  • CentOS 7 server 64 bit guest up to date

Steps

  • Start CentOS 7 guest
  • From the Devices menu, go to Optical Drives and remove the previous CD/DVD using Remove Disk from Virtual Drive
  • Then click on Devices and select Insert Guest Additions CD Image.
  • This attaches the Guest Additions CD as /dev/cdrom in CentOS
  • SSH into CentOS and mount the cdrom with the command
mount /dev/cdrom /mnt
  • Install required libraries
sudo yum install bzip2 gcc kernel-devel dkms
  • Install the Guest Additions; --nox11 indicates that we don't have a GUI
bash /mnt/VBoxLinuxAdditions.run --nox11
  • It will install and finally give some messages like below
Verifying archive integrity... All good.
Uncompressing VirtualBox 5.0.12 Guest Additions for Linux............
VirtualBox Guest Additions installer
Removing installed version 5.0.12 of VirtualBox Guest Additions...
Removing existing VirtualBox DKMS kernel modules[ OK ]
Removing existing VirtualBox non-DKMS kernel modules[ OK ]
Copying additional installer modules ...
Installing additional modules ...
Removing existing VirtualBox DKMS kernel modules[ OK ]
Removing existing VirtualBox non-DKMS kernel modules[ OK ]
Building the VirtualBox Guest Additions kernel modules[ OK ]
Doing non-kernel setup of the Guest Additions[ OK ]
You should restart your guest to make sure the new modules are actually used
Installing the Window System drivers
Could not find the X.Org or XFree86 Window System, skipping.

  • Shut down the CentOS VM, add the shared folders and select Auto Mount
  • Start the CentOS VM and the shared folder should be available under /media on CentOS

 

Setting the default editor to nano Linux

January 14, 2016

In CentOS, the default system editor is vi
If you edit the crontab with the crontab -e command, the text editor that opens is vi

In order to change the system wide default text editor to nano, edit /etc/bashrc and put the below line in it at the bottom

export EDITOR="nano"

Log out and log in again for the change to take effect


Disabling SELinux on CentOS 7

January 14, 2016

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for enforcing access control security policies. Among other things, it controls which directories each application may access.

For example, the default policy only allows Apache to access /var/www, /var/log/httpd and a few other configuration directories. If Apache tries to access any other directory, SELinux will deny it while enabled.

So if you change Apache's web root from the default /var/www to /home/code, SELinux will not allow Apache to read the files in /home/code and the application will fail to load in the browser.

You have 2 options:

  • manually allow the new location in the SELinux Apache rules by labelling it with the appropriate file context (recommended)
  • disable SELinux permanently

Similarly, if you change the data directory for MySQL, you will run into the same issue.

Sometimes you need a quick fix and might need to disable SELinux.

This is not recommended on production systems. Do it at your own risk.

The command to check whether SELinux is active is sestatus

[root@ip-172-30-0-220:/]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Current Mode is set to enforcing, which means SELinux is active

Temporarily Disabling SELinux

To temporarily disable SELinux (until the next reboot), use the command

sudo setenforce 0

Then check with sestatus: Current mode should now be permissive, in which denials are only logged, not enforced. The setting reverts to enforcing on reboot.

To enable SELinux again, use

sudo setenforce 1

 

Permanently Disabling SELinux

Edit /etc/selinux/config

change SELINUX=enforcing to SELINUX=disabled

Restart the server and check with the sestatus command. Note that files created while SELinux is disabled get no labels, so if you later re-enable it you must schedule a full relabel (touch /.autorelabel) before rebooting.

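As an added example, not from the original post: the recommended option from the list above, applied to the post's own two scenarios (a web root moved to /home/code and a moved MySQL data directory). It assumes CentOS 7 with the targeted policy and the policycoreutils-python package, which provides semanage; the helper and function names are mine.

```shell
#!/bin/sh
# Instead of disabling SELinux, label the new directory like the default one so
# the targeted policy lets the service read it. Added example, not the post's
# code. Assumes: targeted policy, semanage available (policycoreutils-python).
set -e

# Build the regex semanage expects for "this directory and everything below it".
fcontext_pattern() {
    dir=${1%/}                       # drop one trailing slash so "/home/code/" works too
    [ -n "$dir" ] && [ "$dir" != "${dir#/}" ] || { echo "absolute path required" >&2; return 1; }
    printf '%s(/.*)?\n' "$dir"
}

# Web root moved to e.g. /home/code: label it as httpd content.
label_httpd_content() {
    pattern=$(fcontext_pattern "$1")
    semanage fcontext -a -t httpd_sys_content_t "$pattern"   # persistent rule
    restorecon -Rv "$1"                                     # apply it to existing files now
    ls -dZ "$1"                                             # expect httpd_sys_content_t in the output
}

# MySQL data directory moved: same idea with the mysqld database label.
label_mysqld_data() {
    pattern=$(fcontext_pattern "$1")
    semanage fcontext -a -t mysqld_db_t "$pattern"
    restorecon -Rv "$1"
    ls -dZ "$1"                                             # expect mysqld_db_t in the output
}
```

If access is still denied after relabelling, `ausearch -m avc -ts recent` shows the exact denial rather than leaving you to guess.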

Adding a Self Signed Certificate to Trusted Certificate on Linux

January 14, 2016

Sometimes, when we generate self-signed certificates, some libraries need them to be part of the operating system's trusted certificates

I am doing this on CentOS 7 and for OpenSSL

This will only work for apps/libraries that use OpenSSL's trusted certificate list

I already have my self-signed certificate in /etc/pki/tls/certs/my-self-signed-cert.crt

sudo cp /etc/pki/tls/certs/my-self-signed-cert.crt /etc/pki/ca-trust/source/anchors/

sudo update-ca-trust

Increasing File Descriptors and Open Files Limit CentOS 7

September 17, 2015

PS: See Andy Dyrcz's answer in the comments for a better way to do this

Some programs like Apache and MySQL require a higher number of file descriptors.
This is how you can increase that limit for all users in CentOS 7.
Commands require root access.

# Find the default limit – check the "open files" line – it will be 1024
# (ulimit is a shell builtin, so run it directly; "sudo ulimit" fails with "command not found")

ulimit -a

To increase it, edit /etc/sysctl.conf (for example with nano /etc/sysctl.conf), add the line below, save and exit

fs.file-max = 100000

We also need to increase the hard and soft limits.
Edit /etc/security/limits.conf, add the lines below before the "#End of file" marker, save and exit

* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535

Next run the command

sudo sysctl -p

For MySQL, edit /usr/lib/systemd/system/mysqld.service and add the 2 lines below at the end of its [Service] section, save and exit (systemd services do not read limits.conf; note that a package update can overwrite this file, whereas a drop-in created with systemctl edit mysqld.service survives updates)

LimitNOFILE=65535
LimitNPROC=65535

then increase the table_open_cache and open_files_limit in my.cnf

# reload the systemd unit files after editing the service file
sudo systemctl daemon-reload

# if you modified the MySQL config, restart MySQL and check the values of table_open_cache and open_files_limit

sudo systemctl restart mysqld.service

Run the command below to check the open files limit – change the user based on your requirement.
The output should contain: open files (-n) 65535

# for mysql
su - mysql -c 'ulimit -aHS' -s '/bin/bash'

# for apache
su - apache -c 'ulimit -aHS' -s '/bin/bash'

Changing SSH Ports CentOS 7

September 17, 2015

Here is how to change the SSH port in CentOS 7

All commands require root privileges

SSH into the server on the default SSH port 22

Edit /etc/ssh/sshd_config

Un-comment the #Port line and put your new SSH port number there

For example, if you choose 9898 as your new port, that part of the file should look like

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 9898

Make sure that the port you choose is not being used for any other purposes. For this you can use these commands

# list all services with their associated ports
semanage port -l

# check the current ssh port - you will see a couple of matches including the ssh_port_t
semanage port -l | grep '22'
ssh_port_t tcp 22

# check your new port - there should not be any matches with the exact port 
semanage port -l | grep '9898'

Now you need to tell SELinux about the new port – execute the command

semanage port -a -t ssh_port_t -p tcp #YOUR-NEW-PORT-NUMBER 

Example

# -a: add, -t: service type, -p: protocol 
semanage port -a -t ssh_port_t -p tcp 9898

Restart the sshd service

systemctl restart sshd.service

DO NOT GET OUT OF YOUR CURRENT SESSION UNTIL YOU CAN LOG IN WITH THE NEW PORT SETTINGS

This is just a precaution: if something goes wrong, you still have an active session that you can use to make modifications.

If you close this session and SSH on the new port does not work, your system might become inaccessible.

Now open a SEPARATE SSH session and try to log in with the new port

If you can log in, then everything worked fine

You can also check the port assignments with

semanage port -l | grep ssh_port_t
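
An added example, not from the original post: the same procedure as a script, with a check the post does not show (sshd -t validates the edited file before sshd is restarted) and the firewalld step a default CentOS 7 install needs, since a port not opened with firewall-cmd stays unreachable even though sshd listens on it. It assumes SELinux and firewalld are both active; set_sshd_port works on any sshd_config-style file, so it can be tried on a copy first, and the function names are mine.

```shell
#!/bin/sh
# Change the sshd port the way the post describes, with validation before the
# restart. Added example, not the post's code. Assumes CentOS 7 with SELinux
# enforcing and firewalld running.
set -e

# Rewrite the first "Port N" / "#Port N" line in an sshd_config-style file
# (append one if absent). Works on any file, so test it on a copy first.
set_sshd_port() {
    cfg=$1; port=$2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    tmp=$(mktemp)
    awk -v p="$port" '
        !done && /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"               # overwrite in place: keeps owner, mode and SELinux label
    rm -f "$tmp"
}

# Port currently configured (22 when no active Port directive exists).
sshd_port_of() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { p = $2 } END { print (p ? p : 22) }' "$1"
}

# The full procedure from the post; run as root on the server itself.
apply_ssh_port() {
    port=$1
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    set_sshd_port /etc/ssh/sshd_config "$port"
    sshd -t                                         # refuse to go on if the config is broken
    semanage port -a -t ssh_port_t -p tcp "$port"   # tell SELinux, as in the post
    firewall-cmd --permanent --add-port="$port/tcp" # otherwise firewalld drops the new port
    firewall-cmd --reload
    systemctl restart sshd.service
    echo "Keep this session open; test from a NEW one: ssh -p $port user@host"
}
```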