KVM and virtualization, virsh and virt-manager

Find if CPU support:
# cat /proc/cpuinfo
i’m interested about flags line
Intel base CPU have VMX
# lsmod | grep kvm
There are 2 modules: one from generic linux and another one from specific platform support.
Check the status of libvirtd
# system status libvirtd
Check the link:
# ip link show
This device virbr0 (virtual bridge) is special created for virtualization. Is like an embedded bridge in order to share connection.
To support KVM need 64 bit kernel:
# arch
Support the CPU:
# grep vmx /proc/cpuinfo
Need libvirtd available:
# systemctl status libvirtd
Virtualization shell:
# virsh
After starting the program, type “help” in order to see the list with options.
Basic commands:
List what VM running:
# virsh list
List existing VM:
# virsh list –all
# virsh distroy machineName – is stopping immediately.
# virsh start machineName
All VM have configuration files.
the files are into:
# cd /etc/libvirt
Those are the configurations for libvirtd
QEMU is an emulator which is old which is used in KVM environment.
cd /etc/libvirt/qemu
Those are configuration files for VM.
# vi vmName.xml
The best way to edit the configuration is by using virsh:
# virsh edit vmName
In this file are details about VM and also the disk image file which is not the best as performance but easiest to implement.
Check the network of virtual VM:
# ip link show

Start virt-manager:
# virt-manager

# yum install -y kvm libvirt virt-manager qemu-kvm

yum, rpm and repositories

# yum repolist
The result is not OK.
Repository are on internet or can be a directory on server Example: /repo
# cd /etc/yum.repos.d/
Create a file:
# vi myrepo.repo
This is important that the file name is .repo.
3 things are very important:
This is using an URI which can be file:// if is local or http:// or ftp://. After that is the path to repository. If is local it starts with /. There will be 3 slashes: /// !!!!!!!!!!
This will switch off the file integrity.
For test is ok because it is hard to setup other steps.
Check it:
# yum repolist
Check the repository list:
# yum search ftp
# which cronyd
This is the process used to manage cron service.
The name of the process is /sbin/chronyd
Find from rpm:
# rpm -gf /sbin/cronyd
I see that the name of the RPM is chrony
Find all what is in the package:
# rpm ql chrony
Before installing scripts check the packages. If the packages are downloaded, check it like this:
# rpm -ql packageName
# rpm -qpl packageName
Check the scripts:
# rpm -qp –scripts packageName
Install a local package which is not in repository:
# yum localinstall packageName
Useful command:
# repoquery – is checking the packages while are in repository:
# repoquery -ql yp-tools

Install manually a repository:
wget ftp://server.example.com/repository
# createrepo /downloads
# repoquery – request information.


for see the process and child information use:
# ps fax
# free -m
(-m – megabytes)
# killall dd (terminate the processes with dd name)
# nice –help
nice [option] [command]
# nice -n 10 httpd
renice – for running processes
# renice -n -10 PID

NetworkManager and nmtui

# nmtui
These connections are managed by SystemManager
# systemctl restart NetworkManager
# systemctl status NetworkManager
check the connection information:
# ip a
Temporary base:
# ip route show
# ip route add via
This route say to computer the next IP hop from routing steps.
Make the route permanent by edit the file:
# vi /etc/sysconfig/network-scripts/ifcfg-ens33
After doing changes use the restart:
# nscli con down ens33; nmcli con up ens33

# hostname
# ping example.com
# traceroute example.com
# dig example.com
# nmap example.com
# netstat -tulpen

Managing ACLS

first getfacl
# getfacl
Access control list will copy the permissions to ACL and will lose permissions from files/directory.
# setfacl -R -m g:sales:rx /directory
Apply default for future items
# setfacl -m d:g:sales:rx /directory
check facl for new directory:
# getfacl
Get the man page for example:
# man setfacl

automount SAMBA and NFS server

First install automount service:
# yum install -y autofs
The main configuration file is auto.master.
# vi /etc/auto.master
There I will setup the home directory of LDAP users to be setup by the /etc/auto.guests file.
/home/guests /etc/auto.guests
Now setup the content of the file /etc/auto.guests
In first position I will use a * which means anything. On exam use a NFS server. At end of line use & which means any file.
* -rw nfsserver:/home/guests/&
on SAMBA use the following which are a little more complicated:
* -fstype=cifs,username=ldapuser,password=password ://server.example.com/data/&
The structure of file is the same. First is directory which by * means anything. Then there is alist of mount options
fstype=cifs tell automount that is a SAMBA server.
username=ldapuser,password=password – completly open the share to all LDAP users.
://server.example.com/data/& – this is the path to SAMBA server.

Configuring NFS and automount
Setup the NFS environment. First search the server packages:
# yum search nfs
This will tell us what we need. We need a nfs-utils t create a small NFS server.
# yum install -y nfs-utils
Create the file /etc/exports
# vi /etc/exports
Here I say what I’m exporting /data
mount options -rw
to whom I want to open it *(rw,no_root_squash)
Here I can put an IP address because NFS works with local machines only.
/data -rw *(rw,no_root_squash)
Start the server:
# systemctl start nfs
If is not starting, check the status with:
# systemctl status -l nfs
!!!!! Create the directory in order to share it before starting the server:
# mkdir /data
# cd /data
# touch file1
# systemctl start nfs
On client I will connect to NFS
# showmount -e localhost
This is show the mounts that are exported to server with localhost.
Mount the directory from NFS server to the mount point /mnt:
# mount localhost:/data /mnt
Now I should see the files from mount point:
# ls /mnt
Create automount to NFS environment:
edit the file /etc/auto.master and add the line:
/nfsserver /etc/auto.nfsserver
Create the file with name:
# vi /etc/auto.nfsserver
What I want to do? If somebody will go to directory blah on nfs server, will go to remote host /data
blah -rw localhost:/data
restart teh autofs:
# systemctl restart autofs
Automount have created the directory automatically:
# cd /nfsserver
Now there is nothing there but if I use:
# cd blah
Will go to directory

LDAP client connection

I have the DNS name : server.exemple.com
I have top domain: .com
I have subdomain: exemple
I have a leave object: server
In LDAP can have something like:
In LDAP is not write that way. This is DNS way. In LDAP.
the domain will be dc (domain container)
For leave objects will use “common name”: cn=server
Is not using “.”, is using “,”.
When setup the connection to LDAP must setup the “base context”. This is like search domain in DNS. Is the starting point where the client should look for objects.
The base content must be setup before and then the user will use it to login.
Steps to login to LDAP:
1. find the binary for login:
# which login
Those binaries are used by user to connect to anything.
Those binaries is using library files. Find the library files:
# ldd /bin/login
The libpam.so library is a plugin to login which add functionality to login command.
PAM is from Pluggable Authentication Modules.
The authentication module is in /etc/pam.d/ directory. Here are configuration files for any kind on authentication. Here is the configuration file for login:
# /etc/pam.d/login
Here is defined what is happening when system is starting. “auth” is the common definition for login procedure of any process which is related to user authentication.
Check the system-auth file:
# vi /etc/pam.d/system-auth
The line with pam.unix.so is telling Linux to check local login mechanism. If that is not successful the user will go to pam_ldap.so. This will search the user to LDAP. This is how internal programs know about LDAP.

# authconfig
# authconfig-tui
graphical interface configuration:
# yum install authconfig-gtk -y
Need additional packages (Name Server Cache Daemon). Is caching the information on local server during working with Authentication.
Also we need nss-pam-ldap. This will resolve local name resolution and send to LDAP. Also we need the libraries for make local authentication: pam_ldap. I need all of these.
# yum install nscd nss-pam-ldap pam_ldap -y
Now I can lunch the graphical authconfig:
# authconfig-gtk
or can use authconfig-gui but on exam is easy with gtk.
I have to setup the user account to use LDAP database.
The error with /lib64/security/pam_krb5.so is related to kerberos and since we are not using, is OK. But in order to have the package complete, is ok to be installed.
Kerberos is in RHCE course.
Authentication method to LDAP password.
LDAP Search Base DN: dc=example,dc=com
LDAP server name. IP addresses is not working: ldap://server.example.com. Is not working with name because the name should match the name from certificate and the certificate is for name not the IP.
Check TLS to encrypt connection, download certificate from ftp://server.example.com/pub/certification.pem. Click Apply.

Modifying nslcd Configuration
Many things happening when connecting using LDAP process. Those are related to nslcd process:
# systemctl status nslcd
The file /etc/nsswitch.conf is the configuration file used by client in order to connect to LDAP server.

Is show that first is loking in file system and after that in sss (is not used anymore) and after that in ldap.
pam – pluggable authntication modules – is using also nslcd.
The directory /etc/pam.d/ have configuration files for LDAP.
the file /etc/pam.d/login have the definition on what should happen when user will login. The most important is system-auth
To find the LDAP server we need the nslcd.
# less /etc/nslcd.conf
There is an nscd file which is not related to LDAP.
Here is the URI and base context of LDAP server.
Also there are information about downloaded certificate.
Check also /var/log/messages


# useradd –help
-e wait an expiration date but not say the format.
# man useradd
Since the user is a C programmer want the C shell:
# useradd -c myuser -e 2015-12-05 -s /bin/tcsh laura
Add people to group
# usermod –help
-g – is for primarry group
-G – is a new list of secondary should not be use because will OVERWRITE the current groups.
-a should be used because is appending.
# id laura
# usermod -aG account laura
/etc/passwd – every user account have his own account.
/etc/shadow – is for passwords. Password is hash
/etc/login.defs – definitions for creating users.
/etc/default/useradd – this is the default for useradd.
skeleton from home directory.
/etc/skel – is used for copy files into new users directory.
Can add files here which will be used for creating users.
# passwd –help
-d delete, -l lock,, -e expire, -w warning, etc.
# chage -E 2015-07-01 laura
# /etc/shadow – have the details about the account of user.
4. expire password in 40 days. Not the account to expire
# passwd -x 90 lisa

connection using ssh

# ssh localhost – connect to localhost
accept keyFingerprint. This is because the key cannot be verified.
# exit – exit from ssh connection
# ssh -p 2022 user@server.com
Key fingerprint is stored into:
# ~/.ssh/known_hosts
If the key fingerprint is wrong, there will be: Add correct host key in …… this is happening because the server has been installed on same IP address and key fingerprint from computer don’t match the key fingerprint from server. In order to restore the error, delete the key fingerprint from client. Identify the line from
# ~/.ssh/known_hosts
and delete it using dd from vim.
On server check the settings from:
# vim /etc/ssh/sshd_config

Create public/private key pair.
# ssh-keygen
The private key /home/user/.ssh/id_rsa will be created. Enter the passphrase in order to use this key.
The public key is created:
Copy public key to server:
# ssh-copy-id localhost
Use the password for remote user.
In order to copy to a remote host:
# ssh-copy-id -p 9822 user@domain.com
The option -i is useful when the file.pub is not located and have to manually insert the path to that file.
Test it:
# ssh -p 9822 user@domain.com
scp is for secure copy. Is used for copy files:
# scp -P 9822 /local/filename nameOfServer:/path/to/file
Is using “P” for port and not “p” because “p” is used for preserve the files attributes

test it:
1. Open a console and login as root.
ctrl+alt+F2 and login as root.
ctrl+alt+F1 – return to console.
2. from console login to localhost.
# ssh localhost
3. exit to close the session
# exit
4. create a ssh key pair.
# ssh-keygen > file for private > password (could be none)
5. use the key pair in order to login.
# ssh-copy-id localhost

working with cut, translate, sed, awk

# cut -f 1 filename – filter a file.
Cut is using a separator for fields.
# cut -f 1 -d : /etc/passwd

# tr – translate is replace characters. It works with pipe | in order to work with the output from other command.
# echo hello | tr a-z A-Z
This command is show all uppercase.
This is working ok if there are not different letters.
# echo hello | tr [:lower:] [:upper:]
# man tr
and awk was for file processing. Now there are not used anymore.
# sed 2q /etc/passwd
show the first 2 lines from file
# sed -n /^root/p /etc/passwd
Sed is not using anymore because there are other commands which are nice: grep.
# cp /etc/passwd ~
Replace an user with something else:
# sed -i ‘s/linda/julia/g’ passwd
awk is doing many things which can be done with other tools. Cutting information:
# ps aux | grep apache
# ps aux | grep apache | cut -f 2
# ps aux | grep apache | awk ‘{ print $2 }’

1. Use head and tail to display the 5th line of file /etc/passwd
# head -n 5 /etc/passwd | tail -n 1
2. use sed to do the same.
# sed -n ‘5p’ /etc/passwd
3. use awk to filter the first column out of the results of command ps aux
# ps aux | awk ‘{ print $1 }’
4. use grep to show the names of all files in /etc that have lines starting with the text ‘root’
# cd /etc
# grep ^root * 2> /dev/null