RHEL 7 Entropy mechanisms.

Sometimes to get some entropy you have to do strange things.

Do you remember to make sudden mouse movements during SSH keys generation?

Where do this entropy come from? Why does everything sometimes seem stopped? How does it work for a virtual machine?

These are some of the questions discussed in the Random Number Generator tutorial.

I’m sure you will learn something.

Posted in RHEL7

RHEL 7 package group management.

At first, managing package groups seems easy.

Package groups are a simple means to gather packages under a unique name.

But, it’s not so simple! There are different types of package groups. There are at least two ways to call them. When installing package groups, some packages are installed by default, some others aren’t.

Take two minutes and learn some subtleties about the package group management.

Posted in RHEL7

Happy birthday again!

It’s now two years that this website exists.

New tutorials have regularly been added. Lots of tutorials have seen their content increased through the “Additional Resources” section to provide advanced material to hungry readers.

Besides learning new topics, keep an eye on your typing speed, because during an hands-on exam it can make a difference.

I hope you still enjoy this website!

Posted in RHEL7

Time to play with SSL certificates.

Until recently, SSL certificates were so expensive that you couldn’t set up your personal website only for fun. You had to have a good reason or a big wallet.

This is not the case anymore. Now and until the letsencrypt.org initiative takes off, for a minimal price, you can start to play with standard or wildcard SSL certificates and get some experience with them.

If you are interested in, there is a full tutorial about setting up a SSL certificate on RHEL 7, including all the steps, from certificate purchase to certificate installation.

Auto-signed certificates are perhaps on the way out!

Posted in RHEL7

KVM thin provisioning tip.

If you use KVM for managing your virtual machines, you can sometimes run out of space in the /var/lib/libvirt/images directory, the default location for the RHEL/CentOS distributions.
Because KVM knows the concept of thin provisioning through the qcow2 image format, the one used by the virt-install command by default, it would be crazy not to use it.
This can be done through the virt-sparsify command coming with the libguestfs-tools rpm package. So, the virt-sparsify command copies a VM image, only keeping the necessary data.

Let’s try an example.
Install the libguestfs-tools package:

# yum install libguestfs-tools

Go to the /var/lib/libvirt/images directory (or the one that you are using for storing your VM images):

# cd /var/lib/libvirt/images

Choose a VM and stop it (here vm.example.com) (use the virsh destroy command if necessary):

# virsh shutdown vm.example.com

Execute the virt-sparsify command:

# virt-sparsify -q vm.example.com.img vm.example.com.img2

Note: The -q option removes any display (quiet). Don’t ask me why this is not the default!

Get the size of the VM before and after:

# du -k vm.*
8388660 vm.example.com.img
1370168 vm.example.com.img2

Note: The ls command doesn’t display the correct information.

Replace the old image with the new one:

# mv -f vm.example.com.img2 vm.example.com.img

Restart the VM:

# virsh start vm.example.com

As you can see, it’s quite simple! I’m sure you will love it!

Posted in RHEL7

RHEL Disk tip.

During the RHCSA exam, you need to go fast.
When dealing with partition creation, you can’t afford to waste time, searching for information about the current configuration with almost obsolete command like fdisk -l displaying a very cryptic and mostly useless information.
You need to use the right command before starting any disk operation.
This command is called lsblk and stands for LiSt BLocK devices.

# lsblk -a
vda           252:0    0    6G  0 disk 
├─vda1        252:1    0  390M  0 part /boot
└─vda2        252:2    0  5.5G  0 part 
  ├─rhel-swap 253:0    0  552M  0 lvm  [SWAP]
  └─rhel-root 253:1    0    3G  0 lvm  /

With the lsblk command, you get quickly the following information about the current disk configuration:

  • it is a virtual machine (vda, sda would indicate a physical server),
  • there is only one disk /dev/vda of 6GB,
  • the disk is divided into two partitions (vda1 and vda2) respectively with a size of 390MB and 5.5GB,
  • the vda1 partition is mounted under /boot,
  • the vda2 partition consists in two logical volumes (lvm) swap and root in a volume group called rhel,
  • the swap logical volume is used by the system as a swapping area ([SWAP]) of 552MB,
  • the root logical volume is mounted under / with a size of 3GB,
  • there is around 2GB of free available space (5.5GB552MB3GB=2GB) in the vda2 partition,
  • none of the partitions are in Read-Only mode (RO=0) or ReMovable (RM=0).

By default, the lsblk command skips empty devices. The -a option corrects this behaviour and displays all devices, empty ones included.

With only one command, you get almost everything you need!

Posted in RHEL7

RHEL 6.7 just released.

Even though the RHEL 6 distribution is not used for the main exams anymore (since February 28, 2015 for the RHCSA & RHCE exams, since July 22, 2015 for the LFCS & LFCE exams, except if you bought the exam vouchers before the respective dates), it remains critical for many companies.

The RHEL 6.7 release brings the following main benefits:

  • it makes hardening a server easier through some SCAP security guide improvements and the new scap-workbench package,
  • it can use Red Hat Access Insights through a Red Hat hosted service to proactively identify and resolve technical issues,
  • it gets the new clufter package that contains a tool for transforming and analyzing cluster configuration formats, useful when preparing cluster migration,
  • it adds the new lshw package that includes a utility providing detailed information on the hardware configuration of a machine,
  • finally, it provides 242 packages freshly updated.

As usual, you will find all the details in the RHEL 6.7 Releases Notes & RHEL 6.7 Technical Notes.

Posted in RHEL6

New RHEL Systemd Version.

With the upcoming RHEL 7.2 version, Systemd should be upgraded, going from version 208 to 219.

This Systemd upgrade decision was taken according to Lukáš Nykrýn from Red Hat because “it is really difficult and risky to backport patches from newer version to our current 208 and we have a lot of request for new features from users”.

Today, you’ve got two solutions to experiment this new version:

  • either install the Fedora 22 distribution on a PC or a virtual machine after downloading the 64-Bit 2.1GB installation image,
  • or install a RHEL 7/CentOS 7 distribution, configure the EPEL repository, follow Lukáš Nykrýn’s instructions and update the distribution:
    # yum install -y epel-release
    # cd /etc/yum.repos.d
    # wget "https://copr.fedoraproject.org/coprs/lnykryn/systemd/repo/epel-7/lnykryn-systemd-epel-7.repo"
    # yum -y update

You can now check the new Systemd version:

# systemctl --version
systemd 219

According to the 2015 Red Hat Summit Systemd Presentation, this version brings the following new features:

  • systemctl: new edit and cat options
  • CPUQuota: “cap” CPU usage for services
  • systemd-socket-proxy: add socket activation to daemons that don’t support it natively
  • systemd-nspawn: improvements on networking, container management, etc
  • systemd-networkd: DHCP server/client, bridge, bond, vlan, vxlan, macvlan, tun configuration management

Happy testing!

Posted in RHEL7

2015 Red Hat Summit Announcements.

Here are some of the main 2015 Red Hat Summit announcements:

  • the upcoming RHEL 7.2 release will bring
    • SCAP profiles into the installation process,
    • cryptography enhancements,
    • kernel patching,
    • performance gains (network and system),
    • a new predictable cycle for software updates,
    • better OS modularity (physical server, virtual machine, cloud, etc),
    • high-availability support for IBM Z-system mainframes,
    • full ARM support.
  • the new Red Hat Learning Subscription provides the following benefits:
    • unlimited access to all of Red Hat’s online courses (content, videos, and labs),
    • access to expert seminars given by Red Hat,
    • access to subscriber support with live online chat,
    • 50% discount for current RHCAs,
  • the new Red Hat Atomic Enterprise Platform extends the already known Project Atomic offering:
    • a managed cluster of RHEL 7 or Red Hat Enterprise Linux Atomic Host instances,
    • the Docker container runtime and packaging format,
    • container orchestration with Kubernetes,
    • cluster-wide infrastructure services,
    • a commitment to container security and certification,
  • the new Openshift Enterprise 3.0 now relies on:
    • Kubernetes,
    • Docker,
    • RHEL 7/Red Hat Atomic Enterprise Platform,
  • Red Hat and Samsung work together to deliver the Red Hat Mobile Application Platform, using the MBAAS (Mobile Backend As A Service).

Summit Breakout Sessions are available here. Some presentation slides are there.

Posted in RHEL7

RHEL 7 Interesting CGroup behaviour.

The other day I was looking at some Systemd service properties with the systemctl show command. One of them, CPUShares, got my interest.

Caution: The following tutorial shouldn’t be run on a production server! The CPU will be used at 100%!

To better understand how all this works, I created a basic Systemd unit file called /etc/systemd/system/testSpeed.service:

Description=Test Speed

ExecStart=/usr/bin/openssl speed 
ExecStop=/bin/kill -WINCH ${MAINPID}


Then, I created another copy of this file and updated the Systemd configuration:

# cd /etc/systemd/system; cp testSpeed.service testSpeed2.service
# systemctl daemon-reload

I started both new services on a fresh standard install of Centos 7 on a VM with 1 vCPU:

# systemctl start testSpeed && systemctl start testSpeed2

Each of the two new services were using almost 50% of the CPU:

  PID USER      PR  NI S %CPU %MEM     TIME+ COMMAND      
24598 root      20   0 R 49.8  0.3   0:08.42 openssl      
24601 root      20   0 R 49.8  0.3   0:08.40 openssl      

I checked the default CPUShares of the new services:

# systemctl show testSpeed | grep CPUShares

At this point, I asked myself: Is RHEL 7 really different from RHEL 6 and all the Unix systems in general? Is RHEL 7 limiting any new service by default? After some time, I came to the conclusion that everything was exactly as before: there is no CPU limit (or any other limit) on your service by default.

Because I wanted to learn how CGroups were working, I decided to apply a CPU constraint:

# systemctl set-property testSpeed CPUShares=512
# systemctl daemon-reload

Note1: The daemon-reload option is only there to avoid a warning message but doesn’t change anything.
Note2: You don’t need to restart any service.

Now, the testSpeed service gets 33.3% of the CPU and the testSpeed2 gets 66.7%:

  PID USER      PR  NI S %CPU %MEM     TIME+ COMMAND      
24601 root      20   0 R 66.7  0.3   1:23.58 openssl      
24598 root      20   0 R 33.3  0.3   1:22.20 openssl      

What exactly happened?

By default, Systemd services are part of the system.slice hierarchy. When you set a CPU constraint on one service, you not only assign a CPU resource controller to this service but also to all the services in the system.slice hierarchy. It is not possible to apply a CPU constraint on one service without affecting all the others.

The CPUShares concept represents more a CPU priority than a limit.

Concerning the CPU usage, this is the result of a computation:

  • testSpeed gets 33.3% because 512/(512+1024)=1/3
  • testSpeed2 gets 66.7% because 1024/(512+1024)=2/3

It is better to know this behaviour because otherwise you would perhaps be very surprised at the worst moment!

I would like to thank Radoslaw Kujawa for helping me understand what I was suspecting.

Look at my CGroups page to get some other tips on this topic.

Posted in RHEL7

RHCSA7: Task of the day

Allowed time: 5 minutes.
Create a user called tom. Create a directory named /private. Use an acl to only allow access (rwx) to tom to the private directory.

RHCE7: Task of the day

Allowed time: 10 minutes.
Set up a default secure MariaDB database called maria and back up the database with mysqldump.

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...