Using firewall-cmd in CentOS 7

Note: the default zone is “public”.

Section 1: Checking Zones and Prerequisites

Option 1: Check State of Firewalld

# firewall-cmd --state
Running

Option 2: Check Default Zone

# firewall-cmd --get-default-zone
public

Option 3: Check Active Zones

# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1

Option 4: Get Zones

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Section 2: Selecting Zones for your Interfaces

Option 1: Change Interfaces

# firewall-cmd --permanent --zone=trusted --change-interface=eth0 
success
# firewall-cmd --reload

Option 2: Verify the Zone has been changed

# firewall-cmd --get-active-zones
trusted
  interfaces: eth0
public
  interfaces: eth1

Section 3: Editing Firewall-CMD Rules

Option 1: Opening Ports (Single)

# firewall-cmd --permanent --zone=public --add-port=80/tcp
success
# firewall-cmd --reload

Option 2: Opening Ports (Range)

# firewall-cmd --permanent --zone=public --add-port=80-90/tcp
success
# firewall-cmd --reload

Option 3: List Ports

# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp6s0f0 eno2 ib1
  sources:
  services: ssh dhcpv6-client
  ports: 22/tcp 5053/tcp 57889/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Option 4: Remove Port

# firewall-cmd --permanent --zone=public --remove-port=80/tcp
success
# firewall-cmd --reload

Option 5: Adding Service

Checking Services

# firewall-cmd --get-services

Finally, add the ssh service:

# firewall-cmd --permanent --zone=public --add-service=ssh
success
# firewall-cmd --reload

Source-Based Filtering with zones and IP Addresses

Add the source IP addresses to the zone (assume you are limiting the allowed IP addresses on the trusted zone):

# firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent
success
# firewall-cmd --reload

Make sure the Ethernet interface is in the trusted zone. To move the interface into the trusted zone, see Section 2 of this post.

If you connect from an address outside the allowed range (assume your trusted target server is 192.168.1.1 and your external untrusted client is 192.168.2.0), you might see something like this:

ssh user1@192.168.1.1
Password:
Internal errors
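
Added here as an example (it is not code from the original post): a small POSIX shell audit that parses the --list-all output format shown in Section 3, Option 3 and flags any port or service that is not on an allowlist, so an --add-port that was meant to be temporary and never removed is noticed. The sample output, interface names and allowlists are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a zone from
# "firewall-cmd --zone=<zone> --list-all" output against an allowlist, so a port
# or service that was added once and never removed shows up as a finding.

# Constructed sample modelled on the --list-all output format; interface and
# port values are made up for this demo.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client
  ports: 22/tcp 5053/tcp 57889/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field NAME: read --list-all output on stdin and print the values of the
# "NAME: ..." line (empty output when the field has no entries).
zone_field() {
  awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# unexpected_entries ALLOWED FIELD: read --list-all output on stdin and print
# every entry of FIELD (ports, services, sources, ...) that is not in the
# space-separated ALLOWED list, one per line. Exit status 0 means no findings.
unexpected_entries() {
  allowed=" $1 "
  found=0
  for entry in $(zone_field "$2"); do
    case "$allowed" in
      *" $entry "*) ;;
      *) echo "$entry"; found=1 ;;
    esac
  done
  return $found
}

# audit_zone ALLOWED_PORTS ALLOWED_SERVICES: run both checks on stdin and
# report findings with the field name; exit status 1 if anything was flagged.
audit_zone() {
  input=$(cat)
  rc=0
  for p in $(printf '%s\n' "$input" | unexpected_entries "$1" ports); do
    echo "unexpected port: $p"; rc=1
  done
  for s in $(printf '%s\n' "$input" | unexpected_entries "$2" services); do
    echo "unexpected service: $s"; rc=1
  done
  return $rc
}

# Against a live host (needs firewalld and root), e.g.:
#   firewall-cmd --zone=public --list-all | audit_zone "22/tcp" "ssh"
if [ "${1-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone "22/tcp 5053/tcp" "ssh"
fi
```

Run it with `--demo` to see the constructed sample audited, or pipe the real `firewall-cmd --zone=public --list-all` output into `audit_zone` from a cron job and alert on a non-zero exit status. The `interfaces` and `sources` fields can be printed with `zone_field` too; firewalld selects a packet's zone by source binding first and interface binding second, so the two fields are worth reviewing side by side when a zone is meant to admit only specific source networks.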

References:

  1. How To Set Up a Firewall Using FirewallD on CentOS 7

Nvidia Drivers Issues – Unable to find the kernel source tree

Step 1: Check current kernel version

# uname -r
3.10.0-862.14.4.el7.x86_64

Step 2: Check installed kernel version

# yum info kernel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.0x.sg
* elrepo: elrepo.mirror.angkasa.id
* epel: sg.fedora.ipserverone.com
* extras: mirror.0x.sg
* updates: mirror.0x.sg
Installed Packages
Name : kernel
Arch : x86_64
Version : 3.10.0
Release : 693.el7
Size : 59 M
Repo : installed
From repo : anaconda
Summary : The Linux kernel
URL : http://www.kernel.org/
License : GPLv2
Description : The kernel package contains the Linux kernel (vmlinuz), the core of any
: Linux operating system. The kernel handles the basic functions
: of the operating system: memory allocation, process allocation, device
: input and output, etc.

Name : kernel
Arch : x86_64
Version : 3.10.0
Release : 862.14.4.el7
Size : 62 M
Repo : installed
From repo : updates
Summary : The Linux kernel
URL : http://www.kernel.org/
License : GPLv2
Description : The kernel package contains the Linux kernel (vmlinuz), the core of any
: Linux operating system. The kernel handles the basic functions
: of the operating system: memory allocation, process allocation, device
: input and output, etc.

Step 3: Install Kernel-Devel and Kernel-Headers

# yum install kernel-devel kernel-headers -y
# yum info kernel-devel kernel-headers

Step 4: Check kernel-devel. Make sure its version matches the running kernel

# yum info kernel-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.0x.sg
* elrepo: elrepo.mirror.angkasa.id
* epel: sg.fedora.ipserverone.com
* extras: mirror.0x.sg
* updates: mirror.0x.sg
Installed Packages
Name : kernel-devel
Arch : x86_64
Version : 3.10.0
Release : 862.14.4.el7
Size : 37 M
Repo : installed
From repo : updates
Summary : Development package for building kernel modules to match the kernel
URL : http://www.kernel.org/
License : GPLv2
Description : This package provides kernel headers and makefiles sufficient to build modules
: against the kernel package.

Step 5: Check kernel-headers. Make sure its version matches the running kernel

# yum info kernel-headers
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.0x.sg
* elrepo: elrepo.mirror.angkasa.id
* epel: sg.fedora.ipserverone.com
* extras: mirror.0x.sg
* updates: mirror.0x.sg
Installed Packages
Name : kernel-headers
Arch : x86_64
Version : 3.10.0
Release : 862.14.4.el7
Size : 3.6 M
Repo : installed
From repo : updates
Summary : Header files for the Linux kernel for use by glibc
URL : http://www.kernel.org/
License : GPLv2
Description : Kernel-headers includes the C header files that specify the interface
: between the Linux kernel and userspace libraries and programs. The
: header files define structures and constants that are needed for
: building most standard programs and are also needed for rebuilding the
: glibc package.
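
Added here as an example (not code from the original post): a shell check that compares the running kernel (`uname -r`) with the installed kernel-devel packages (`rpm -q kernel-devel`) and prints the yum command that installs the matching version when they differ. The sample values are constructed from the versions shown in the yum output above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a kernel-devel
# package for the *running* kernel is installed, which is what the NVIDIA
# installer needs to locate the kernel source tree. Sample values below are
# constructed from the versions shown in the yum output above.

RUNNING_SAMPLE='3.10.0-862.14.4.el7.x86_64'          # as printed by: uname -r
INSTALLED_SAMPLE='kernel-devel-3.10.0-693.el7.x86_64
kernel-devel-3.10.0-862.14.4.el7.x86_64'              # as printed by: rpm -q kernel-devel

# kernel_devel_matches RUNNING INSTALLED
# Returns 0 when INSTALLED (one package NVR per line) contains exactly
# kernel-devel-<RUNNING>, 1 otherwise. "yum info" showing the same version is
# not enough if the machine has not been rebooted into that kernel yet.
kernel_devel_matches() {
  printf '%s\n' "$2" | grep -qxF "kernel-devel-$1"
}

# kernel_devel_report RUNNING INSTALLED: one-line verdict plus the fix.
kernel_devel_report() {
  if kernel_devel_matches "$1" "$2"; then
    echo "OK: kernel-devel-$1 matches the running kernel"
  else
    echo "MISMATCH: no kernel-devel for $1 (installed: $(printf '%s' "$2" | tr '\n' ' '))"
    echo "fix: yum install kernel-devel-$1   # then re-run the NVIDIA installer"
  fi
}

# On a real host:  kernel_devel_report "$(uname -r)" "$(rpm -q kernel-devel)"
if [ "${1-}" = "--demo" ]; then
  kernel_devel_report "$RUNNING_SAMPLE" "$INSTALLED_SAMPLE"
fi
```

The comparison is against the kernel that is actually running rather than the newest one yum lists, because after a `yum update` the newest kernel-devel is installed but the old kernel keeps running until the next reboot, which is exactly when the "unable to find the kernel source tree" message appears.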

“The command gnome-session existed with signal 15” on CentOS 7 for FastX2

When you launch the FastX2 client on CentOS 7, you may see the error “The command gnome-session existed with signal 15”.

Step 1: This error is caused by SELinux on CentOS 7. Edit /etc/selinux/config and set the following (the change takes effect after a reboot):

SELINUX=disabled

Trying to use the command “setenforce 0” does not seem to fix the issue.

Step 2: Remember to install GNOME Desktop

# yum groupinstall "GNOME Desktop" "Graphical Administration Tools"

Step 3: Uninstall the StarNetFastX2 and reinstall

# rpm -e StarNetFastX2
# rpm -Uvh --force StarNetFastX2-2.4.7.rhel6.x86_64.rpm

Disable FirewallD Services on CentOS 7

Do note that the firewall on a CentOS 7 system is enabled by default.

Step 1: To check the status of CentOS 7 FirewallD

# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

The output above shows that firewalld is inactive and disabled at boot (the vendor preset would enable it).

Step 2: To stop the FirewallD

# systemctl stop firewalld.service

Step 3: To completely disable the firewalld service

# systemctl disable firewalld.service

Resolving “lsb_release not found” on CentOS 7

I was installing ABAQUS 2017 on CentOS 7 when I encountered an error. lsb_release prints distribution-specific information. Strangely, this issue is found on the CentOS 7 distribution.

[root@node-h001 1]# ./StartGUI.sh
CurrentMediaDir initial="."
CurrentMediaDir="/root/abaqus2017/AM_SIM_Abaqus_Extend.AllOS/1"
Current operating system: "Linux"
./StartGUI.sh[21]: .[31]: .: line 3: lsb_release: not found
DSY_OS_Release=""
Unknown linux release ""
exit 8

Resolving Issues

# yum install redhat-lsb-core

Verification

[root@node-h001 1]# lsb_release
LSB Version: :core-4.1-amd64:core-4.1-noarch

Setting up NTP in CentOS 7

Prerequisites Step 1: Ensure you are in the correct time zone

# timedatectl
      Local time: Wed 2018-09-12 13:48:31 +08
  Universal time: Wed 2018-09-12 05:48:31 UTC
        RTC time: Wed 2018-09-12 05:48:31
       Time zone: Asia/Singapore (+08, +0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a

Prerequisites Step 2: List Time Zone

# timedatectl list-timezones
.....
Asia/Singapore
.....

Prerequisites Step 3: Set Time Zone

# timedatectl set-timezone Asia/Singapore

Step 1: Yum Install

NTP can be installed from the CentOS repositories with yum

# yum install ntp

Step 2: Edit the Public Time Servers

Once you have installed the ntp package, go to the official NTP Public Pool Time Servers list. For Singapore, you can use this specific pool zone; add the following to your /etc/ntp.conf file:

server 0.sg.pool.ntp.org iburst
server 1.sg.pool.ntp.org iburst
server 2.sg.pool.ntp.org iburst
server 3.sg.pool.ntp.org iburst

Step 3: Allow clients from your network to sync with this server

Restrict which clients, from which network, are allowed to query and sync time by adding a line like this to /etc/ntp.conf:

restrict 192.168.5.0 netmask 255.255.224.0 nomodify notrap

Step 4: Log all NTP server messages to a dedicated log file by adding the following to /etc/ntp.conf:

logfile /var/log/ntp.log

Step 5: Add Firewall Rule and Start Services

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload
# systemctl start ntpd
# systemctl enable ntpd
# systemctl status ntpd

Step 6: Verify Time Sync

# ntpq -p
# date -R

Or query (-q only queries, without setting the clock) a selected pool time server:

# ntpdate -q 0.sg.pool.ntp.org
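
Added here as an example (not code from the original post): a POSIX shell sanity check for the /etc/ntp.conf edits from Steps 2 to 4, run before the ntpd restart in Step 5. It verifies that a server line carries iburst, that a logfile directive exists, and that each LAN restrict line names a network address that is aligned to its netmask and includes nomodify. The sample configuration is constructed for the demo; the file paths and addresses are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the /etc/ntp.conf
# edits from Steps 2-4 before starting ntpd. The sample config below is
# constructed for this demo; paths and addresses are illustrative.

SAMPLE_NTP_CONF='driftfile /var/lib/ntp/drift
server 0.sg.pool.ntp.org iburst
server 1.sg.pool.ntp.org iburst
server 2.sg.pool.ntp.org iburst
server 3.sg.pool.ntp.org iburst
restrict default nomodify notrap nopeer noquery
restrict 192.168.0.0 netmask 255.255.224.0 nomodify notrap
logfile /var/log/ntp.log'

# net_aligned ADDRESS NETMASK: true when ADDRESS has no host bits set under
# NETMASK, i.e. it is the network address a restrict line should name.
# Assumes a contiguous (classic dotted) netmask. Runs in a subshell so the IFS
# and positional-parameter changes do not leak out.
net_aligned() (
  IFS=.
  set -- $1 $2                     # $1-$4 address octets, $5-$8 mask octets
  [ $# -eq 8 ] || return 1
  [ $(( $1 % (256 - $5) )) -eq 0 ] && [ $(( $2 % (256 - $6) )) -eq 0 ] &&
    [ $(( $3 % (256 - $7) )) -eq 0 ] && [ $(( $4 % (256 - $8) )) -eq 0 ]
)

LAN_RESTRICT='^restrict[[:space:]]+[0-9.]+[[:space:]]+netmask[[:space:]]'

# ntp_conf_findings FILE: print one line per problem found (nothing when the
# file passes): a server line with iburst, a logfile directive, and at least
# one LAN restrict line whose address matches its netmask and carries nomodify.
ntp_conf_findings() {
  f=$1
  grep -Eq '^server[[:space:]].*[[:space:]]iburst([[:space:]]|$)' "$f" \
    || echo "no server line with iburst"
  grep -Eq '^logfile[[:space:]]' "$f" || echo "no logfile directive"
  grep -Eq "$LAN_RESTRICT" "$f" || echo "no LAN restrict line"
  grep -E "$LAN_RESTRICT" "$f" |
  while read -r _ addr _ mask rest; do
    net_aligned "$addr" "$mask" || echo "restrict $addr netmask $mask: host bits set"
    case " $rest " in
      *" nomodify "*) ;;
      *) echo "restrict $addr: missing nomodify" ;;
    esac
  done
  return 0
}

# ntp_conf_check FILE: print the findings and return 1 if there are any.
ntp_conf_check() {
  findings=$(ntp_conf_findings "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Typical use on the server, before restarting the daemon:
#   ntp_conf_check /etc/ntp.conf && systemctl restart ntpd
if [ "${1-}" = "--demo" ]; then
  tmp="${TMPDIR:-/tmp}/ntp-demo.$$"
  printf '%s\n' "$SAMPLE_NTP_CONF" > "$tmp"
  ntp_conf_check "$tmp" && echo "config looks sane"
  rm -f "$tmp"
fi
```

The alignment check matters because a restrict line is a network/mask pair: if the address has host bits set under the mask, the line does not describe the network the administrator had in mind. `nomodify` and `notrap` are checked separately from the mask so that each finding names the exact line to fix.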

References:

  1. Setting Up “NTP (Network Time Protocol) Server” in RHEL/CentOS 7 (by Tecmint.com)

Set hostname using hostnamectl for CentOS 7

1. Listing hostname using “hostnamectl” or “hostnamectl status”

[root@localhost ~]# hostnamectl
Static hostname: helloworld.com
Icon name: computer-server
Chassis: server
Machine ID: aaaaaaaaaaaaa
Boot ID: ddddddddddd
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64

2. Setting the static hostname using hostnamectl

# hostnamectl set-hostname "helloworld.com" --static

3. Delete the static hostname using hostnamectl

# hostnamectl set-hostname "" --static

Commands for sending signals by explicit request

A. Foreground Processes:

You can send a signal to the current foreground process by pressing a keyboard control sequence:

1. Suspend foreground process

# Ctrl+z

2. Kill foreground process

# Ctrl+c

3. Core Dump

# Ctrl+\

B. Background Processes

1. Check the list of signals that kill can send

# kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
..................................
# kill -9 PID

2. Look up processes based on name and kill them

# pgrep -l -u user1
7000 bash
7001 sleep
...............
# pkill -SIGKILL -u user1

Notes: SIGTERM is the default signal. SIGKILL is a commonly misused administrator favorite: since it cannot be handled or ignored, it is always fatal, but it forces termination without allowing the killed process to run its self-cleanup routines. It is recommended to send SIGTERM first, then retry with SIGKILL only if the process fails to respond.

3. kill processes running in tty3

# pkill -SIGKILL -t tty3

4. Use the pstree command to view a process tree for the system or a single user.

[root@lime ~]# pstree -p root
init(1)─┬─NetworkManager(1785)
├─abrtd(2232)
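
Added here as an example (not code from the original post): a shell function that applies the policy from the note above, sending SIGTERM, waiting a grace period, and only then sending SIGKILL, plus a pkill-style wrapper that does the same by process name. It assumes a Linux system where /proc/PID/stat is available, because a zombie still answers `kill -0` and must be recognised as already dead.

```shell
#!/bin/sh
# Added example (not from the original post): stop a process the way the note
# above recommends: SIGTERM first, then SIGKILL only if it is still alive after
# a grace period. Works with a PID (kill) or a process name (pgrep).

# proc_alive PID: true if PID exists and is not a zombie. A zombie still answers
# kill -0, so the state letter in /proc/PID/stat (Linux) is checked as well.
proc_alive() {
  kill -0 "$1" 2>/dev/null || return 1
  state=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1)
  [ "$state" != "Z" ]
}

# terminate_gracefully PID [GRACE_SECONDS]
# Exit status: 0 = exited after SIGTERM, 1 = SIGKILL was needed,
#              2 = no such live process.
terminate_gracefully() {
  pid=$1
  grace=${2:-5}
  proc_alive "$pid" || return 2
  kill -TERM "$pid" 2>/dev/null       # polite request: handlers and cleanup can run
  i=0
  while [ "$i" -lt "$grace" ]; do
    sleep 1
    proc_alive "$pid" || return 0
    i=$((i + 1))
  done
  kill -KILL "$pid" 2>/dev/null       # last resort: cannot be caught or ignored
  return 1
}

# terminate_by_name NAME [GRACE_SECONDS]: same escalation for every process whose
# name matches NAME exactly (like pkill, but with the SIGTERM-then-SIGKILL policy).
terminate_by_name() {
  for pid in $(pgrep -x "$1"); do
    terminate_gracefully "$pid" "${2:-5}"
    echo "$1 ($pid): exit status $?"
  done
}

if [ "${1-}" = "--demo" ]; then
  sleep 60 & victim=$!
  terminate_gracefully "$victim" 3 && echo "sleep($victim) exited on SIGTERM"
fi
```

The exit status tells the caller which path was taken, so a service stop script can log "needed SIGKILL" as a finding worth investigating rather than silently escalating every time.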

Introduction to Systemd on CentOS 7

A few terms we need to grasp:

  1. Daemons are processes that wait or run in the background performing various tasks.
  2. To listen for connections, a daemon uses a socket.
  3. A service often refers to one or more daemons.

If you are moving from CentOS 6 to CentOS 7, you may be wondering why the move to systemd was needed. Here are its main features:

  1. Parallelization capabilities, which increase the boot speed of a system
  2. Automatic service dependency management, which can prevent long time-outs
  3. A method of tracking related processes together by using Linux control groups
  4. On-demand starting of daemons without requiring a separate service

Listing unit files with systemctl

  1. Query the state of all units
    # systemctl
  2. Query the state of services only
    # systemctl --type=service
  3. List the full output for a selected service. Useful for detailed checks and investigation
    # systemctl status sshd.service -l
  4. Check whether a particular service is active and enabled to start at boot time
    # systemctl is-active sshd
    # systemctl is-enabled sshd
  5. List the active state of all loaded units. --all will include inactive units
    # systemctl list-units --type=service
    # systemctl list-units --type=service --all
  6. View the enabled and disabled settings for all units
    # systemctl list-unit-files --type=service
  7. View only failed services
    # systemctl --failed --type=service


Controlling System Services

a. Status of a Service

# systemctl status sshd.service

b. Disable a Service

# systemctl disable sshd.service

c. Enable and verify the status of a Service

# systemctl enable sshd.service
# systemctl is-enabled sshd.service

d. Reload the configuration file of a running service

# systemctl reload sshd.service
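
Added here as an example (not code from the original post): a shell function that reads the `systemctl list-unit-files --type=service` output from item 6 above and compares it with a baseline of services that should be enabled at boot, reporting services enabled outside the baseline as well as baseline services that are not enabled. The sample output and the baseline are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): compare the boot-time settings
# listed by "systemctl list-unit-files --type=service" with a baseline of the
# services that should be enabled, to catch drift in either direction.

# Constructed sample of list-unit-files output (not captured from a real host).
SAMPLE_UNIT_FILES='UNIT FILE                 STATE
sshd.service              enabled
firewalld.service         disabled
cups.service              enabled
rpcbind.service           static
auditd.service            enabled

5 unit files listed.'

# Baseline: services that must be enabled at boot on this class of host
# (illustrative; adjust to your build standard).
BASELINE_ENABLED='sshd.service firewalld.service auditd.service'

# service_drift BASELINE: read list-unit-files output on stdin and print one
# line per deviation, in a fixed order:
#   EXTRA   <unit>   enabled on the host but not in the baseline
#   MISSING <unit>   in the baseline but not enabled on the host
# Exit status 1 when anything is printed, 0 when the host matches the baseline.
service_drift() {
  awk -v baseline="$1" '
    BEGIN { n = split(baseline, want, " ") }
    # data rows look like "<name>.service <state>"; the header and trailer do not
    $1 ~ /\.service$/ {
      state[$1] = $2
      if ($2 == "enabled" && !seen($1)) { print "EXTRA   " $1; drift = 1 }
    }
    END {
      for (i = 1; i <= n; i++)
        if (state[want[i]] != "enabled") { print "MISSING " want[i]; drift = 1 }
      exit drift + 0
    }
    function seen(u,  i) { for (i = 1; i <= n; i++) if (want[i] == u) return 1; return 0 }'
}

# On a real host:
#   systemctl list-unit-files --type=service | service_drift "$BASELINE_ENABLED"
if [ "${1-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_UNIT_FILES" | service_drift "$BASELINE_ENABLED"
fi
```

Only the `enabled` state is treated as a deviation from the baseline: `static` units have no [Install] section and are started by dependencies, so they are neither extra nor missing from the point of view of boot-time enablement.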