
RHCSA 9 My Notes

The document discusses Linux commands and concepts for system administration tasks. It covers commands for file management, users and groups, permissions, networking, archives and compression. Specific commands covered include ls, cp, mv, rm, find, grep, tar, sudo and associated configuration files.

Uploaded by

Dreams

RHCSA 9

#who :show currently connected users.
#w :same as who but with more details.
#chvt 3 :change to virtual terminal No. 3, or you can press ctrl+alt+f3.
#man ls :get the ls command documentation.
#man -k or apropos :search for a command in mandb based on keywords, but you need to run the mandb command first.
#vim file1 :file editor; you can use some commands while using vim:
yy :copy text,
dd :delete line,
p :paste,
gg :go to the top of the file,
G :go to the end of the file,
^ :go to the start of the line,
$ :go to the end of the line,
/hi :search for the word hi,
%s/old/new/g :replace the word "old" with the word "new",
se number :show line numbers,
a :start insert mode,
o :insert line.
#vimtutor :vim course.

Redirection:
> :redirect output into a file (if the file already exists, its content is deleted first).
>> :append output to the end of the file.
2> :redirect errors.
Piping | :use the output of the first command as input for the second one (e.g. cat /etc/hosts | grep linda).

#history :print command history.
~/.bash_history :history file.
HISTSIZE and HISTFILESIZE :define the number of entries.
#history -w :synchronize history to .bash_history.
#history -c :clear history.
#history -d nn :delete command nn from history.

Expansion:
#ls * :show all.
#ls a?* :show all files whose name starts with a followed by at least one character.
#ls [ae]* :show all files that start with a or e.
#ls [a-e]* :show all files that start with a, b, c .. e.
#touch file{1..9} :create file1 to file9.
#for u in {linda,bob,rose}; do useradd $u; done :create users linda, bob and rose.

Variables
#key=value :local variable, e.g. #color=red.
#echo $color :print variable value.
#export color=red :local variable for bash and subbash.
linkedin.com/in/saadaouiwassim
#alias dir='ls -ltr' :define a custom command.
• Can also be configured in .bashrc or .bash_profile to become persistent.

files
#which passwd :show command file path.
#find / -name "hosts" :print all files with the name hosts.
#find /etc -type f -size +100M :list all files with a size bigger than 100M.
#find /etc -size +1M -exec grep -l student {} \; :-exec: call another command, {}: use the previous output as input, \;: close exec.
#find / -user wassim :show all files owned by a specific user.
#find / -perm /u+s or find / -perm /4000 :show all files that have a specific permission (in this case suid).
#cat file1 :print file1 content.
#cp -ar /etc/passwd . :copy file to the current folder.
#cp -ar /etc/shadow /home/alice :copy file to alice's home.
#tr '[:lower:]' '[:upper:]' < /etc/hosts > ./upperfile :make a copy of the hosts file in the current directory under the name upperfile, and change all lower case to upper case.
#cut -d: -f7 /etc/passwd :show the 7th field from each line in the file passwd.
• -d: specifies the delimiter used to separate fields in a text line.
• -f7 specifies which field to extract.
#mv /etc/login.defs /opt/doc :move login.defs to /opt/doc.

Links
#ln -s /etc/hosts ~/link1 :symbolic link / soft link.
#ln /etc/passwd ~/phylink :physical link / hard link.

Archive
#tar -cvf arch.tar /etc :create archive (without compression).
#tar -czvf arch.tar.gz /etc :compress with gzip.
#tar -cjvf arch.tar.bz2 /etc :compress with bzip2.
#tar -cJvf arch.tar.xz /etc :compress with xz.
#tar -tvf arch.tar :print archive content.
#tar -xvf arch.tar.gz :extract archive file. Can add -C /extract_path.
#tar -rvf arch.tar /tmp :append to archive.
#tar -uvf arch.tar /etc :update archive.

grep
grep: is a tool to filter an output or to find specific information in a text file.
#ps aux | grep sshd :get all sshd processes.
#grep Wassim /etc/* :filter all the files that contain the word "Wassim" (shows the file and the lines).
#grep -i wassim /etc/* :case-insensitive filter, ignores uppercase and lowercase.
#grep -A 5 -B 5 allow /etc/ssh/sshd_config :show 5 lines after and 5 lines before the specific word.
#grep -R root * :recursive search in the current directory and sub-directories.
#grep -l wassim /etc/* :print only the files that contain the text wassim.
#grep '^w' file1 :grep all lines that start with w.
#grep 'nova$' file1 :grep all lines that end with nova.
#grep 'anna\b' file1 :grep words that end with anna.
#grep 'b.*t' file1 :grep words that start with b and end with t, with 0 or more characters in between.
#grep -E 'b.+t' file1 :1 or more.
#grep -E 'b.?t' file1 :0 or 1 character in between.
#grep 'bo\{4\}t' file1 :starts with b and ends with t, with o repeated 4 times (e.g. boooot).

Root privileges
#su - :switch to root user.
#usermod -aG wheel wassim :members of the group wheel are allowed to use sudo.
/etc/sudoers :sudoers config file.
/etc/sudoers.d :drop-in files folder for sudoers config.
**drop-in files config:
#vim /etc/sudoers.d/lisa
lisa ALL=/usr/bin/passwd, !/usr/bin/passwd root
=> lisa is allowed to change other users' passwords but not the root password.
#vim /etc/sudoers.d/group_users
%users ALL=/usr/sbin/mount /dev/sdb
=> members of the group users are allowed to mount sdb.

Users and Groups
#useradd wassim :create user (with default settings).
#useradd supernova -d /home/dir_super -g tekup -G wheel -s /sbin/nologin -u 3004
• -d : specify the user's home directory
• -g : specify the user's primary group
• -G : supplementary groups
• -u : specify the user's UID
• -s : specify the user's shell, examples of shells:
  • /sbin/nologin : this shell prevents interactive login.
  • /bin/sh : it's less feature-rich than Bash but still provides a shell environment.
  • /bin/bash : full interactive shell login.

#usermod -L linda :the user linda is locked.
#usermod -U linda :unlock the user.
#usermod -e 2023-09-12 linda :change user expiration date.
#usermod -s /bin/bash linda :change user shell.
#userdel linda :delete user.
#newgrp dev :temporary primary group.
#groupadd finance :create a new group named finance.
#groupdel dev :delete a group.
#lid -g finance :list all members of the group finance.
/etc/default/useradd :config file of useradd.
/etc/login.defs :default settings for creating a new user.
/etc/skel :files in this folder are copied to the user's home directory upon creation.
#passwd linda :change linda's password.
#chage -d 0 linda :force linda to change the password at next login.
=> chage options:
-d : set date of last password change to LAST_DAY.
-E : set account expiration date to EXPIRE_DATE.
-I : set password inactive after expiration to INACTIVE.
-m : set minimum number of days before password change to MIN_DAYS.
-M : set maximum number of days before password change to MAX_DAYS.
-W : set expiration warning days to WARN_DAYS.
/etc/security/pwquality.conf :password policy config file.
/etc/shadow :where the password hash is stored.

File ownership
Permissions on folders and files are: read=r=1, write=w=2, execute=x=1.
#chown linda file :change the file owner to linda.
#chown :dev file :change the file group owner to dev.
#chgrp dev file :change group owner.
#chmod 750 file :change file access permissions.
#chmod g+x,o-rw,u+rwx file :g+x adds the execute permission for the group, o-rw removes the read and write permissions for others, u+rwx adds all permissions for the user (owner).
#chmod g+s folder :setgid: every file or folder created in this folder will be owned by the group owner of the parent folder; can also be written: chmod 2751 folder
#chmod +t folder :sticky bit: only the owner of a file/sub-directory can delete it; can also be written: chmod 1751 folder
umask: is a shell setting that subtracts the umask value from the default permission on a folder/file.
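The umask rule, checked against real files, as an added example that is not part of the original notes: the kernel clears the umask bits from the requested mode, which gives the same result as digit-by-digit subtraction for masks such as 022 but not for a mask such as 033. The function names and the sample masks are assumptions chosen for illustration; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the original notes): effective permissions under a umask.
# The result is requested_mode AND NOT umask, computed per bit. For 666 with
# umask 033 that is 644, whereas naive subtraction would suggest 633.

# effective_mode BASE UMASK -> octal mode that results (e.g. 666 022 -> 644)
effective_mode() {
    # A leading 0 makes the shell read both arguments as octal constants.
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# created_mode UMASK KIND -> mode of a real file ("file") or directory ("dir")
# created under that umask in a private temporary directory.
created_mode() {
    tmp=$(mktemp -d) || return 1
    (
        # The subshell keeps the umask change away from the caller.
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
    )
    stat -c '%a' "$tmp/probe"
    rm -rf "$tmp"
}

# Compare the computed mode with what the system actually creates.
# 022 is the mask from the notes; 027, 077 and 033 are constructed samples.
report() {
    for mask in 022 027 077 033; do
        printf 'umask %s  file: %s (created %s)  dir: %s (created %s)\n' \
            "$mask" \
            "$(effective_mode 666 "$mask")" "$(created_mode "$mask" file)" \
            "$(effective_mode 777 "$mask")" "$(created_mode "$mask" dir)"
    done
}

report
```

A mask of 027 or 077 is the usual choice when new files must not be readable by others.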
Default permissions on a folder are 777 and for a file are 666.
• e.g. umask 022 on a file:
  • Owner: 6 (read and write) - 0 (umask) = 6
  • Group: 6 (read and write) - 2 (umask) = 4
  • Others: 6 (read and write) - 2 (umask) = 4
You can set the mask by running the umask command in the shell, or by adding it to .bashrc or .bash_profile.
e.g: umask 752 or echo "umask 752" >> ~/.bashrc
#getfacl file :show file access list.
#setfacl -m u:alice:rw f1 :add the user alice to the f1 ACL with permissions set to rw.
#setfacl -m g:operations:rw f1 :add the group operations to the ACL.
#setfacl -m u:bob:rw,g:tekup:rw f1 :add a user and a group to the ACL.
#setfacl -m d:u:bob:rw folder1 :the option d is only applied to folders, to make sure the ACL will be inherited by sub-folders and files.
#setfacl -b f1 :delete all ACLs for f1.
#setfacl -x g:tekup f1 :delete the group tekup from the ACL.
#getfacl -R f1 > acl.save :save the ACL to a file.
#setfacl -b f1 :delete all f1 ACLs.
#setfacl --restore=acl.save f1 :restore the f1 ACL.

Network
#ip link show :show current network devices.
#ip addr show :show network device configuration.
#hostnamectl hostname tekup :change hostname.
/etc/hosts :contains hosts and their IPs.
/etc/resolv.conf :contains DNS config.
/etc/nsswitch.conf :hostname resolution.
When you try to ping google.com, your system will check /etc/hosts, then DNS, and then your hostname.
#ip addr add dev ens160 10.0.0.1/24 :add temporary address.
#ip route add 2.2.2.0/24 via 10.0.0.1 :add a route to the route table.
/etc/NetworkManager/system-connections :folder where you will find the files for your network config.
#nmcli general permissions :check permissions on network manager.
#nmcli con show or nmcli dev status :show connections.
#nmcli connection add con-name mycon ifname ens160 type ethernet ipv4.addresses 192.168.1.11 ipv4.gateway 192.168.1.2 ipv4.method manual
• This command is used to add a new connection.
• con-name: sets the new connection name.
• ifname: sets the interface name.
• type: sets the connection type.
• ipv4.method: specifies the method used to configure IPv4 settings for a network connection: auto (the connection will receive its IP address from DHCP, so the address we set may change) or manual (static address, so the address we set won't change).
#nmcli con up mycon :activate the connection.
#nmcli connection modify ens160 ipv4.addresses 192.168.130.229/24 ipv4.gateway 192.168.130.1 ipv4.dns 192.168.130.254 +ipv4.dns 8.8.8.8
• modify my current connection settings (this is what you will be asked for on the RHCSA exam).
#nmcli connection reload :reload all connection files.
#nmtui :console where you can set hostname & connections.
#ss :investigate sockets.

Managing software
RPM : software on RHEL is installed using packages in RPM format.
#rpm -qa :show all installed packages.
#rpm -qf gedit :show from which package gedit was installed.
#rpm -ql gedit :shows what files were put on your computer when you installed a program using RPM.
#rpm -q --scripts podman :shows the scripts executed while installing the package.

Setting up Repository access
#df -h :check for available space (check /, it should have >10GiB available, or it won't work).
#dd if=/dev/sr0 of=/rhel.iso bs=1M :copy files from sr0 to rhel.iso.
#mkdir /repo :mount point.
#echo "/rhel.iso /repo iso9660 defaults 0 0" >> /etc/fstab :persistent mount.
#mount -a
#dnf config-manager --add-repo="file:///repo/BaseOS" :add the BaseOS repository to /etc/yum.repos.d
#ls /etc/yum.repos.d :check for the file.
#dnf repolist :list of repositories.
or it can be created manually:
#vim /etc/yum.repos.d/BaseOS.repo
>[repo_BaseOS]
>name=BaseOS
>baseurl=file:///repo/BaseOS
>enabled=1
>gpgcheck=0 : disable gpg key check.

Managing packages with dnf
#dnf list "selinux" :list selinux installed and available packages.
#dnf search seinfo :search in package names and summaries.
#dnf search all seinfo :search even in descriptions.
#dnf provides */containerfile :search for packages that provide a specific file.
#dnf info httpd :show package info.
#dnf install firewalld :install package.
#dnf update :update installed packages.
#dnf group list :show available environment groups.
#dnf group list hidden :show all available groups (including groups that are not installed).
#dnf group info "virtualization host" :list packages within a group.
#dnf group install "ftp server" --with-optional :install with optional packages.
/var/log/dnf.rpm.log :all transactions that dnf performs.
#dnf history :summary of all installation and removal transactions.
#dnf history undo n :undo transaction number n.

process and jobs
#command & :run a command in the background.
#jobs :list all jobs that run in the background.
#fg 1 :bring job 1 back to the foreground.
#ps aux :overview of all processes.
#ps -fax :shows the hierarchical relation between processes.
#ps -fu wassim :show all processes owned by wassim.
#ps -f --forest -C sshd :show a process tree.
#ps L :shows a list of threads.
#ps -eo pid,ppid,user,cmd :some specifiers to show a list of processes.
#top :realtime process monitoring.
>f : shows available display fields.
#nice -n 19 dd if=/dev/zero of=/dev/null :nice and renice are used to set the priority of a process; the value is between -20 and 19, -20 is the highest priority and 19 is the lowest.
#renice -n 19 PID :renice a process using its PID.

Profiles
#sysctl -a :show system variables.
#sysctl vm.swappiness=40 :change a variable's value.
problem: sysctl contains about 1004 variables, which means it's hard to set all those variables.
solution: use a profile or custom profiles.
#tuned-adm list :shows all available profiles.
#tuned-adm profile myprofile :set a profile.
#mkdir /etc/tuned/myprofile :create a folder for my custom profile.
#vim /etc/tuned/myprofile/tuned.conf :create my profile.
>[sysctl]
>vm.swappiness=66
#tuned-adm profile myprofile :change profile to myprofile.
#sysctl -a | grep vm.swappiness :check changes.
Note: we should change the value reapply_sysctl to 0 in the config file /etc/tuned/tuned-main.conf.
#loginctl :manage users and sessions.
Managing system services
#systemctl enable httpd :enable service.
#systemctl disable httpd :disable service.
#systemctl status httpd :show service status.
#systemctl start httpd :start service.
#systemctl stop httpd :stop service.
#systemctl reload httpd :reload service without stopping it.
#systemctl restart httpd :restart service.
#systemctl edit httpd :edit service file config.
#export EDITOR=/usr/bin/vim :change the system editor.
#systemctl list-dependencies sshd.service :complete overview of all currently loaded units and their dependencies.
Problem: some services cannot run simultaneously with other services on the same system.
Solution: use mask, which creates a symbolic link to /dev/null for the unwanted service to ensure that it cannot be started.
#systemctl mask sshd.service :mask sshd.service.
#systemctl unmask sshd.service :unmask the masked service.
**** restart a service automatically in case of failure.
#systemctl edit httpd.service
>[Service]
>Restart=always
>RestartSec=5s
#systemctl restart httpd.service

Task scheduling
Timer:
#systemctl list-units -t timer :show all active timers.
#systemctl list-unit-files *.timer :show all configured timer files.
#vim /etc/systemd/system/tmp-clean.service :configure the service file that will be started by the timer.
>[Unit]
>Description=clean tmp
>[Service]
>Type=oneshot
>ExecStart=/usr/bin/sh -c '/usr/bin/rm -rf /tmp/*'
#vim /etc/systemd/system/tmp-clean.timer :timer file that will run the service file tmp-clean.service.
>[Unit]
>Description=Run tmp-clean.service weekly
>[Timer]
>OnBootSec=15min : the service will be triggered 15min after the system boots.
>OnUnitActiveSec=1w : this option makes sure the service will be triggered only one week after the last time.

>Persistent=true : when a timer is missed, persistent makes sure it will be run immediately when the system boots.
other timer options:
OnActiveSec=1h : makes sure the service is triggered 1h after booting or after starting the timer.
OnBootSec=15min : the service will be triggered 15min after booting the system; the old option was (OnStartupSec=15min).
OnUnitActiveSec=1w : makes sure that the timer will wait for 1 week to trigger the service again.
PS: you should add Persistent=true, so that the service will be triggered immediately at the next reboot if the timer is missed.
WakeSystem=true : wakes the system from {sleep or suspend mode} to run the service.
OnCalendar=10:00 : triggers the service daily at 10:00.
OnCalendar=Mon 10:00 : every Monday at 10:00.
OnCalendar=Sun..Fri 13,19:00 : from Sunday to Friday at 13H and at 19H, and after that the service won't be triggered again.
OnCalendar=Mon,Tue *-*-* 14:00 : every Mon & Tue at 14H.
OnCalendar=2023-07-12..23 19:00 : from 07/12 to 07/23 at 19H.
****Crontab
#crontab -e :create a cron job.
/etc/crontab :a file that shows how to set up a cron job.
/etc/cron.d :directory to drop your cron job config files.

Logging
#journalctl :show the entire journal.
#journalctl -p err :show errors only.
#journalctl -f :show the last 10 lines + adds new messages (synchronization).
#journalctl -u sshd :show the journal of a specific service.
#journalctl --since "-1hour" :show the journal of the last hour.
#journalctl --since today :show today's journal.
#journalctl -o verbose :detailed journal.
/etc/logrotate.conf :logrotate config file.
logrotate.timer :timer to clean log files.

Managing storage
#df -h :shows available space.
#lsblk :print block devices.
#blkid :shows block device UUIDs.
/proc/partitions :partition and disk statistics.
/etc/fstab :persistent mount file.
/run/systemd/generator/ :folder for drop-in mount files (not included in the RHCSA exam).
To create a new partition you can use: fdisk, gdisk or parted.
***create and mount a new partition:
#fdisk /dev/sda :create a new partition on the sda device.
>m : for help.
>n : create new partition.
>w : write to disk table and exit.
>q : exit without saving changes.
#mkfs.xfs /dev/sda1 :create an xfs file system on the sda1 partition.
#mkdir /xfs1 :folder which will be the mount point for the new partition.
#mount /dev/sda1 /xfs1 :for temporary mounting (will be discarded after reboot).
#echo "/dev/sda1 /xfs1 xfs defaults 0 0" >> /etc/fstab :persistent mount.
#mount -a :make sure to mount all unmounted devices.
#findmnt --verify :you can always use this command to verify whether there are any syntax errors in /etc/fstab.
**** mounting using UUID and LABEL
#blkid :get block UUID.
#tune2fs -L :set a label on an ext file system.
#xfs_admin -L :set a label on an xfs file system.
#mkfs.* -L :set a label while creating a file system.
In case of cloning a device, two devices will have the same UUID, so you need to use the command:
#xfs_admin -U generate /dev/sda1 :get a new UUID.
**UUID
#blkid
#echo "UUID=….. /xfs1 xfs defaults 0 0" >> /etc/fstab
#mount -a
***LABEL
#xfs_admin -L super /dev/sda1 :set a label named "super" on /dev/sda1 (xfs file system).
#echo "LABEL=super /xfs1 xfs defaults 0 0" >> /etc/fstab
#mount -a
***Swap
#fdisk /dev/sda :create a new partition for swap.
>n : new partition.
>t : change partition type.
>8200 : linux swap hex code.
>w : save changes.
#mkswap /dev/sda2 :create a swap file system on /dev/sda2.
#swapon /dev/sda2 :activate the new swap partition.
#swapoff /dev/sda2 :deactivate the swap partition.
#echo "/dev/sda2 none swap defaults 0 0" >> /etc/fstab
***LVM creation
#pvcreate /dev/sda1 :create physical volume.
#vgcreate vgdata /dev/sda1 :create a volume group named vgdata from the physical volume /dev/sda1.
#lvcreate -n lvdata -L 1G vgdata :create a logical volume named lvdata with a size of 1GiB from vgdata.
#mkfs.xfs /dev/vgdata/lvdata :create a file system on lvdata.
#echo "/dev/vgdata/lvdata /lvfolder xfs defaults 0 0" >> /etc/fstab

#mount -a
***extent (which means to set the volume based on block size)
#vgcreate -s 8M vgdata /dev/sda1 :set the physical extent size (each block size is 8MiB).
#lvcreate -l 2 -n lv1 vgdata :create a logical volume with a size of 2 blocks, each block sized 8MiB.
***extend LVM size
#vgextend vgdata /dev/sda2 :extend the vg volume.
#lvextend -r -l +50%FREE /dev/vgdata/lv1 :add 50% of the free space on vgdata to lv1.
#lvextend -r -l +2 /dev/vgdata/lv1 :extend lv1 by two blocks.
#lvextend -r -L +1G /dev/vgdata/lv1 :add 1GiB to lv1.
#lvextend -L +1G /dev/vgdata/lv1 /dev/sda2 :specify from which physical volume you will add more volume to lv1.
***reduce volume
#pvmove -v /dev/sda2 /dev/sda1 :move all the content of the sda2 extents (blocks) to sda1.
#vgreduce vgdata /dev/sda2 :reduce the vgdata volume.
***stratis volume
#dnf install stratis-cli stratisd
#systemctl enable --now stratisd
#stratis pool create mypool /dev/sda1 :create a pool named mypool with the volume sda1.
#stratis pool add-data mypool /dev/sda2 :add more volume to mypool.
#stratis pool list :list all created pools.
#stratis blockdev list :list all pool block devices.
#stratis fs create mypool myfs1 :create a file system on mypool.
#echo "UUID=… /myfs1 xfs defaults,x-systemd.requires=stratisd.service 0 0" >> /etc/fstab :mount the stratis fs.
***stratis snapshot
#stratis fs snapshot mypool myfs mysnap :create a snapshot of myfs.
#mkdir /mysnap :create mount point.
#mount /dev/stratis/mypool/mysnap /mysnap :mount mysnap on /mysnap.
#ls -l /mysnap :check the /mysnap content.
#stratis fs destroy mypool myfs :destroy myfs.

Boot procedure
/etc/default/grub :to edit Grub2 parameters persistently.
#grub2-mkconfig -o /boot/grub2/grub.cfg :compile changes to grub.cfg on an xfs file system.
#grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg :compile changes on an EFI file system.
System targets
multi-user.target :multi-user without graphical environment.
graphical.target :graphical desktop environment.
rescue.target & emergency.target :for troubleshooting and system recovery.
#systemctl get-default :get the current default target.
#systemctl set-default xxx.target :set the default target.
#systemctl isolate xxx.target :change target at run time.
You can also boot into a specific target: from the boot screen press "e" and add systemd.unit=xxx.target to the end of the linux line.
*****root password recovery
step1: from the boot screen press "e".
step2: add init=/bin/bash to the end of the linux line.
#mount -o remount,rw / :change / into read-write mode.
#passwd root :change password.
#touch /.autorelabel :to resolve problems related to selinux.
#exec /usr/lib/systemd/systemd :restart the system in the normal way.

Shell bash scripts
***if….else
#vim test.sh
>#!/bin/bash
>if test -z "$1"
>then
>    echo you have to provide an argument
>    exit 3
>fi
>if test "$1" = "hello"
>then
>    echo you typed hello
>else
>    echo you typed something else
>fi
>if [ -f "$1" ]   • same as test -f "$1"
>then
>    echo $1 is a file
>else
>    echo $1 is not a file
>fi
#chmod u+x test.sh :make the file executable.
#./test.sh :run the file.
**** for
#vim n-bonj.sh
>#!/bin/bash
>read num
>for ((i=1; i<=num; i++))
>do
>    echo bonjour n: $i
>done
#chmod u+x n-bonj.sh :make the file executable.
#./n-bonj.sh :run the file.
****while
#vim break-counter.sh
>#!/bin/bash
>if [ -z "$1" ]
>then
>    echo provide break duration in minutes
>    read COUNTER
>else
>    COUNTER=$1
>fi
>counter=$(( COUNTER * 60 ))
>while [ $counter -gt 0 ]
>do
>    echo $counter seconds remaining
>    counter=$(( counter - 1 ))
>    sleep 1
>done
>echo break is over
#chmod u+x break-counter.sh :make the file executable.
#./break-counter.sh
Note: you can use bash -x to see in detail what the script is doing while running.
#bash -x break-counter.sh
You can check man test for test options.

SSH
#ssh-keygen :distribute ssh key.
#echo "192.168.133.229 server" >> /etc/hosts :add the server IP to hosts.
#ssh-copy-id server :send the key to the server.
• In case you create a key protected with a passphrase, every time you try to run a command on the remote server you will be asked to confirm the passphrase.
Solution:
#ssh-agent /bin/bash
#ssh-add

#ssh -X server gedit :the option -X is used to run an application on the remote server.
/etc/ssh/ssh_config :client-side configuration file for OpenSSH.
/etc/ssh/sshd_config :server-side config file.
#scp file1 file2 student@server:/home/student :copy files securely.
#rsync -a * server:/home/student/ :synchronize files between the current directory and the remote server path.

http server
#dnf install httpd
/etc/httpd/conf/httpd.conf :config file.
/etc/httpd/conf.d/ :folder for storing drop-in files.
/var/www/htdocs :default document root.

Selinux
#getenforce :show the current selinux state.
#setenforce :change between enforcing & permissive mode.
/etc/sysconfig/selinux :config file.
selinux can also be set from the boot menu, at the end of the "linux" line:
enforcing=0 : permissive mode
enforcing=1 : enforcing mode
selinux=0 : disable selinux
selinux=1 : enable selinux
#semanage fcontext :manage selinux context.
#restorecon -Rv /var/www/html :inherit the selinux policy of the parent folder.
#semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" :change the selinux policy of the folder /web.
#restorecon -Rv /web :apply the new policy.
***how to get the right selinux policy
#dnf install selinux-policy-doc :selinux policy documentation.
#man -k _selinux | grep httpd :show all selinux policies related to httpd.
***changing port for ssh to 2022
#semanage port -a -t ssh_port_t -p tcp 2022
***Boolean
#getsebool -a | grep ftpd :show all selinux Booleans related to ftpd.
#setsebool -P ftpd_use_nfs on :activate a Boolean.
#semanage boolean -l -C :shows all Booleans that have non-default settings.
#journalctl | grep sealert :get all selinux alerts.
#grep AVC /var/log/audit/audit.log :used to search for entries related to AVC (Access Vector Cache) denials in the audit log file on a system with SELinux enabled.

Firewalld
#ss :shows all sockets.
#ss -tu :show connected tcp and udp sockets.
#ss -tua :show sockets that are in listening state.
#firewall-cmd --list-all :list the complete config of the firewall.
#firewall-cmd --get-services :show all services managed by the firewall.
#firewall-cmd --add-service http :allow the http service temporarily.
#firewall-cmd --add-service http --permanent :allow the http service permanently.
#firewall-cmd --reload :reload the firewall config.

Managing time
#hwclock --hctosys :set system time from the hardware clock.
#hwclock --systohc :set the hardware clock from system time.
#date :show date and time.
#timedatectl status :show current time settings.
#timedatectl set-time :set system time.
#timedatectl set-timezone :set system time zone.
#timedatectl set-ntp :enable/disable network time synchronization.
#chronyd :used for time synchronization and clock management.
#chronyc sources :verify proper synchronization.
/etc/chrony.conf :chrony config file.

Remote file system and automation
***configure nfs server
#dnf install nfs-utils
#mkdir -p /nfsdata /home/ldap/ldapuser{1..9}
#echo "/nfsdata *(rw,no_root_squash)" >> /etc/exports
#echo "/home/ldap *(rw,no_root_squash)" >> /etc/exports
#systemctl enable --now nfs-server
#for i in nfs mountd rpc-bind; do firewall-cmd --add-service $i --permanent; done
#firewall-cmd --reload
#showmount -e nfsserver :check that the nfs server is accessible.
***client side
#dnf install nfs-utils
#mount server:/nfsdata /mnt
***automount (client side)
#dnf install autofs
#echo "/nfsdata /etc/auto.nfsdata" >> /etc/auto.master
#echo "files -rw nfsserver:/nfsdata" >> /etc/auto.nfsdata
#systemctl enable --now autofs
***automount for home directory
#echo "/homes /etc/auto.homes" >> /etc/auto.master

#echo "* -rw nfsserver:/home/ldap" >> /etc/auto.homes
#systemctl restart autofs

Containers
#dnf install container-tools
#podman login registry.redhat.io :login to a registry.
#podman login --get-login registry.redhat.io :get your current login credentials.
#podman search :search for images in registries.
#podman build :build an image from a container image.
#podman run :run a container.
#podman stop :stop a container.
#podman rm :remove a container.
#podman images :list your images.
#podman inspect :show container or image details.
#podman pull :pull (download) an image from registries.
#podman exec :run a command in a running container.
#podman ps :list info about active containers.
#podman run -d --name sleepy docker.io/library/httpd sleep 3600
-d: run a container in detached mode, which means the container will run in the background; sleep 3600: the container will run a specific service and then sleep for 1 hour.
#podman run -it --name mycontainer docker.io/library/httpd
-it : start a container with an interactive terminal.
#podman logs mycontainer :explore logs created by the container.
#podman run -d --name mydb quay.io/centos7/mariadb-103-centos7
this command will exit with an error.
#skopeo inspect docker://quay.io/centos7/mariadb-103-centos7
display metadata about a container image; don't forget to add docker:// or it won't work.
#podman run -d --name mydb -e MYSQL_ROOT_PASSWORD=wasssim -p 8080:80 quay.io/centos7/mariadb-103-centos7
• -e : set a container environment variable, -p : publish a container's port, or range of ports.
#firewall-cmd --add-port 8080/tcp :allow port access on the firewall.
#firewall-cmd --reload
***persistent storage
With the root user you can run this command without problems:
#podman run -d --name mydb -e MYSQL_ROOT_PASSWORD=wasssim -p 8080:80 -v /root/mydb:/var/lib/mysql quay.io/centos7/mariadb-103-centos7
but with a normal user you will face many problems related to file ownership and selinux.
solution:
#podman run -d --name mydb -e MYSQL_ROOT_PASSWORD=wasssim -p 8080:80 quay.io/centos7/mariadb-103-centos7
run the container without storage.
#podman exec mydb grep mysql /etc/passwd :get the mysql uid:gid.
#podman unshare chown 27:27 mydb :change the folder mydb to become owned by the container's user.
#podman run -d --name mydb -e MYSQL_ROOT_PASSWORD=wasssim -p 8080:80 -v /root/mydb:/var/lib/mysql:Z quay.io/centos7/mariadb-103-centos7
Now you can run the command without any problems. PS: don't forget to add :Z, which will take care of the selinux context.

***auto starting container
#useradd linda
#passwd linda
#loginctl enable-linger linda :make sure the container service will run even when the user linda isn't connected.
#ssh linda@localhost
#mkdir -p ~/.config/systemd/user
#cd ~/.config/systemd/user
#podman run -d --name myngnix -p 8080:80 nginx
#podman generate systemd --name myngnix --files --new
#echo "WantedBy=default.target" >> container-myngnix.service
WantedBy should be set only to default.target, otherwise it won't work.
#systemctl --user daemon-reload
#systemctl --user enable container-myngnix.service
#sudo reboot
#journalctl | grep container-myngnix :check whether the container is working.

***pdfconvert
#loginctl enable-linger wassim
#ssh wassim@localhost
$cd ~
$mkdir -p ~/data/in ~/data/out
$mkdir -p .config/systemd/user
$cd .config/systemd/user
$git clone https://github.com/sachinyadav3496/Text-To-PDF.git
$podman build -t pdfconvert -f ./Text-To-PDF/Dockerfile
to build a container image using a docker file.
$podman run -d --name myapp1 pdfconvert
$podman exec myapp1 cat /etc/passwd
$podman unshare chown 65534:65534 ~/data/in
$podman unshare chown 65534:65534 ~/data/out
$podman stop myapp1 && podman rm myapp1
$podman run -d --name myapp1 -v ~/data/in:/data/input:Z -v ~/data/out:/data/output:Z pdfcon

$podman generate systemd --name myapp1 --files --new
$vim container-myapp1.service
• check for the line WantedBy=default.target
$systemctl --user daemon-reload
$systemctl --user enable container-myapp1.service

******** syslog
#useradd bob
#passwd bob • set password to tekup
#loginctl enable-linger bob
#mkdir /var/log/containerlog
#chown bob:bob /var/log/containerlog
#ssh bob@localhost
$podman login registry.access.redhat.com
$mkdir container_logserver
$mkdir -p .config/systemd/user
$cd .config/systemd/user
$git clone https://github.com/aheimsbakk/container-syslog-example.git
$podman run -d --name container-logserver -v /var/log/containerlog/:/var/log/:Z syslog:latest
$podman ps :check that the container is working.
$podman generate systemd --name container-logserver --files --new
$systemctl --user daemon-reload
$systemctl --user enable container-container-logserver.service

*********rsyslog podman build
1. Create a container logserver from an image rsyslog.
2. Configure the container with systemd services by an existing user "linda".
3. Service name should be container-logserver, and configure it to start automatically across reboot.
4. Configure your host journal to store all journal across reboot.
5. Copy all *.journal from /var/log/journal and all subdirectories to /home/linda/container_logserver.
6. Configure automount /var/log/journal from logserver (container) to /home/linda/container_logserver when container starts.
#vim /etc/systemd/journald.conf
make the following changes:
Storage=persistent
SystemKeepFree=100M
RuntimeKeepFree=100M
#systemctl restart systemd-journald
#useradd linda && passwd linda
#loginctl enable-linger linda
#ssh linda@localhost
#podman login registry.access.redhat.com
#mkdir -p .config/systemd/user
#cd .config/systemd/user

#mkdir container_logserver
# cp -r /var/log/journal/* ~/container_logserver/
# podman search rsyslog
# podman pull docker.io/lendingworks/rsyslog
# podman run -d --name container-logserver -v /home/linda/container_logserver/:/var/log/journal/:Z docker.io/lendingworks/rsyslog:latest
#podman ps
#podman generate systemd --name container-logserver --files --new
#systemctl --user daemon-reload
# systemctl --user enable container-container-logserver.service
