Time to play with SSL certificates.

Until recently, SSL certificates were so expensive that you couldn’t set up your personal website only for fun. You had to have a good reason or a big wallet.

This is not the case anymore. Now and until the letsencrypt.org initiative takes off, for a minimal price, you can start to play with standard or wildcard SSL certificates and get some experience with them.

If you are interested in, there is a full tutorial about setting up a SSL certificate on RHEL 7, including all the steps, from certificate purchase to certificate installation.

Auto-signed certificates are perhaps on the way out!

Posted in RHEL7

KVM thin provisioning tip.

If you use KVM for managing your virtual machines, you can sometimes run out of space in the /var/lib/libvirt/images directory, the default location for the RHEL/CentOS distributions.
Because KVM knows the concept of thin provisioning through the qcow2 image format, the one used by the virt-install command by default, it would be crazy not to use it.
This can be done through the virt-sparsify command coming with the libguestfs-tools rpm package. So, the virt-sparsify command copies a VM image, only keeping the necessary data.

Let’s try an example.
Install the libguestfs-tools package:

# yum install libguestfs-tools

Go to the /var/lib/libvirt/images directory (or the one that you are using for storing your VM images):

# cd /var/lib/libvirt/images

Choose a VM and stop it (here vm.example.com) (use the virsh destroy command if necessary):

# virsh shutdown vm.example.com

Execute the virt-sparsify command:

# virt-sparsify -q vm.example.com.img vm.example.com.img2

Note: The -q option removes any display (quiet). Don’t ask me why this is not the default!

Get the size of the VM before and after:

# du -k vm.*
8388660 vm.example.com.img
1370168 vm.example.com.img2

Note: The ls command doesn’t display the correct information.

Replace the old image with the new one:

# mv -f vm.example.com.img2 vm.example.com.img

Restart the VM:

# virsh start vm.example.com

As you can see, it’s quite simple! I’m sure you will love it!

Posted in RHEL7

RHEL Disk tip.

During the RHCSA exam, you need to go fast.
When dealing with partition creation, you can’t afford to waste time, searching for information about the current configuration with almost obsolete command like fdisk -l displaying a very cryptic and mostly useless information.
You need to use the right command before starting any disk operation.
This command is called lsblk and stands for LiSt BLocK devices.

# lsblk -a
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda           252:0    0    6G  0 disk 
├─vda1        252:1    0  390M  0 part /boot
└─vda2        252:2    0  5.5G  0 part 
  ├─rhel-swap 253:0    0  552M  0 lvm  [SWAP]
  └─rhel-root 253:1    0    3G  0 lvm  /

With the lsblk command, you get quickly the following information about the current disk configuration:

  • it is a virtual machine (vda, sda would indicate a physical server),
  • there is only one disk /dev/vda of 6GB,
  • the disk is divided into two partitions (vda1 and vda2) respectively with a size of 390MB and 5.5GB,
  • the vda1 partition is mounted under /boot,
  • the vda2 partition consists in two logical volumes (lvm) swap and root in a volume group called rhel,
  • the swap logical volume is used by the system as a swapping area ([SWAP]) of 552MB,
  • the root logical volume is mounted under / with a size of 3GB,
  • there is around 2GB of free available space (5.5GB552MB3GB=2GB) in the vda2 partition,
  • none of the partitions are in Read-Only mode (RO=0) or ReMovable (RM=0).

By default, the lsblk command skips empty devices. The -a option corrects this behaviour and displays all devices, empty ones included.

With only one command, you get almost everything you need!

Posted in RHEL7

RHEL 6.7 just released.

Even though the RHEL 6 distribution is not used for the main exams anymore (since February 28, 2015 for the RHCSA & RHCE exams, since July 22, 2015 for the LFCS & LFCE exams, except if you bought the exam vouchers before the respective dates), it remains critical for many companies.

The RHEL 6.7 release brings the following main benefits:

  • it makes hardening a server easier through some SCAP security guide improvements and the new scap-workbench package,
  • it can use Red Hat Access Insights through a Red Hat hosted service to proactively identify and resolve technical issues,
  • it gets the new clufter package that contains a tool for transforming and analyzing cluster configuration formats, useful when preparing cluster migration,
  • it adds the new lshw package that includes a utility providing detailed information on the hardware configuration of a machine,
  • finally, it provides 242 packages freshly updated.

As usual, you will find all the details in the RHEL 6.7 Releases Notes & RHEL 6.7 Technical Notes.

Posted in RHEL6

New RHEL Systemd Version.

With the upcoming RHEL 7.2 version, Systemd should be upgraded, going from version 208 to 219.

This Systemd upgrade decision was taken according to Lukáš Nykrýn from Red Hat because “it is really difficult and risky to backport patches from newer version to our current 208 and we have a lot of request for new features from users”.

Today, you’ve got two solutions to experiment this new version:

  • either install the Fedora 22 distribution on a PC or a virtual machine after downloading the 64-Bit 2.1GB installation image,
  • or install a RHEL 7/CentOS 7 distribution, configure the EPEL repository, follow Lukáš Nykrýn’s instructions and update the distribution:
    # yum install -y epel-release
    # cd /etc/yum.repos.d
    # wget "https://copr.fedoraproject.org/coprs/lnykryn/systemd/repo/epel-7/lnykryn-systemd-epel-7.repo"
    # yum -y update

You can now check the new Systemd version:

# systemctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN

According to the 2015 Red Hat Summit Systemd Presentation, this version brings the following new features:

  • systemctl: new edit and cat options
  • CPUQuota: “cap” CPU usage for services
  • systemd-socket-proxy: add socket activation to daemons that don’t support it natively
  • systemd-nspawn: improvements on networking, container management, etc
  • systemd-networkd: DHCP server/client, bridge, bond, vlan, vxlan, macvlan, tun configuration management

Happy testing!

Posted in RHEL7

2015 Red Hat Summit Announcements.

Here are some of the main 2015 Red Hat Summit announcements:

  • the upcoming RHEL 7.2 release will bring
    • SCAP profiles into the installation process,
    • cryptography enhancements,
    • kernel patching,
    • performance gains (network and system),
    • a new predictable cycle for software updates,
    • better OS modularity (physical server, virtual machine, cloud, etc),
    • high-availability support for IBM Z-system mainframes,
    • full ARM support.
  • the new Red Hat Learning Subscription provides the following benefits:
    • unlimited access to all of Red Hat’s online courses (content, videos, and labs),
    • access to expert seminars given by Red Hat,
    • access to subscriber support with live online chat,
    • 50% discount for current RHCAs,
  • the new Red Hat Atomic Enterprise Platform extends the already known Project Atomic offering:
    • a managed cluster of RHEL 7 or Red Hat Enterprise Linux Atomic Host instances,
    • the Docker container runtime and packaging format,
    • container orchestration with Kubernetes,
    • cluster-wide infrastructure services,
    • a commitment to container security and certification,
  • the new Openshift Enterprise 3.0 now relies on:
    • Kubernetes,
    • Docker,
    • RHEL 7/Red Hat Atomic Enterprise Platform,
  • Red Hat and Samsung work together to deliver the Red Hat Mobile Application Platform, using the MBAAS (Mobile Backend As A Service).

Summit Breakout Sessions are available here. Some presentation slides are there.

Posted in RHEL7

RHEL 7 Interesting CGroup behaviour.

The other day I was looking at some Systemd service properties with the systemctl show command. One of them, CPUShares, got my interest.

Caution: The following tutorial shouldn’t be run on a production server! The CPU will be used at 100%!

To better understand how all this works, I created a basic Systemd unit file called /etc/systemd/system/testSpeed.service:

[Unit]
Description=Test Speed
After=syslog.target

[Service]
ExecStart=/usr/bin/openssl speed 
ExecStop=/bin/kill -WINCH ${MAINPID}

[Install]
WantedBy=multi-user.target

Then, I created another copy of this file and updated the Systemd configuration:

# cd /etc/systemd/system; cp testSpeed.service testSpeed2.service
# systemctl daemon-reload

I started both new services on a fresh standard install of Centos 7 on a VM with 1 vCPU:

# systemctl start testSpeed && systemctl start testSpeed2

Each of the two new services were using almost 50% of the CPU:

  PID USER      PR  NI S %CPU %MEM     TIME+ COMMAND      
24598 root      20   0 R 49.8  0.3   0:08.42 openssl      
24601 root      20   0 R 49.8  0.3   0:08.40 openssl      

I checked the default CPUShares of the new services:

# systemctl show testSpeed | grep CPUShares
CPUShares=1024

At this point, I asked myself: Is RHEL 7 really different from RHEL 6 and all the Unix systems in general? Is RHEL 7 limiting any new service by default? After some time, I came to the conclusion that everything was exactly as before: there is no CPU limit (or any other limit) on your service by default.

Because I wanted to learn how CGroups were working, I decided to apply a CPU constraint:

# systemctl set-property testSpeed CPUShares=512
# systemctl daemon-reload

Note1: The daemon-reload option is only there to avoid a warning message but doesn’t change anything.
Note2: You don’t need to restart any service.

Now, the testSpeed service gets 33.3% of the CPU and the testSpeed2 gets 66.7%:

  PID USER      PR  NI S %CPU %MEM     TIME+ COMMAND      
24601 root      20   0 R 66.7  0.3   1:23.58 openssl      
24598 root      20   0 R 33.3  0.3   1:22.20 openssl      

What exactly happened?

By default, Systemd services are part of the system.slice hierarchy. When you set a CPU constraint on one service, you not only assign a CPU resource controller to this service but also to all the services in the system.slice hierarchy. It is not possible to apply a CPU constraint on one service without affecting all the others.

The CPUShares concept represents more a CPU priority than a limit.

Concerning the CPU usage, this is the result of a computation:

  • testSpeed gets 33.3% because 512/(512+1024)=1/3
  • testSpeed2 gets 66.7% because 1024/(512+1024)=2/3

It is better to know this behaviour because otherwise you would perhaps be very surprised at the worst moment!

I would like to thank Radoslaw Kujawa for helping me understand what I was suspecting.

Look at my CGroups page to get some other tips on this topic.

Posted in RHEL7

CentOS 7 News.

There are some activities on the CentOS 7 side:

More than providing a free alternative to RHEL 7, CentOS 7 is about to offer a wider choice of hardware platforms.

Posted in RHEL7

RHEL 7 Service masking.

Many people don’t figure out why a Systemd service can be masked. They understand the need to enable it at boot and start it but why masking it?
Back to basics, a Systemd service can be:

  • manually started with the systemctl start command,
  • automatically started at boot with the systemctl enable command,
  • dbus-activated by another Systemd service (NetworkManager can be triggered like this),
  • socket-activated by some network activities (the printer service cups is a good example).

With this in mind, it becomes clear that masking a Systemd service with the systemctl mask command makes sense for a dbus-activated or a socket-activated service because in these cases stopping or disabling won’t definitively be enough!

Conclusion: If you want to be sure that a service will not start, mask it!

Posted in RHEL7

RHEL 7 Systemd unit file customization.

When a service doesn’t run as you would like, when you want to change its default configuration, Systemd offers you several options.

Firstly, you can copy the standard unit file from the /usr/lib/systemd/system directory into the /etc/systemd/system directory and then changes its content. The new unit file will take precedence over the default one. Don’t forget to run the systemctl daemon-reload command each time you create or modify a unit file

Also, if you want to make clear that you built the new unit file from the default one, you can add the following line at the beginning of the new unit file (here /etc/systemd/system/httpd.service):

.include /usr/lib/systemd/system/httpd.service
[Service]
CPUShares=500

Here you can read .include. It’s not a typo but the syntax required by Systemd.

The specified directive (here CPUShares) will override the previous configuration except if this directive allows multiple values, in this case, the new value will be added at the end. To avoid this situation, you will have to proceed in two steps: assign an empty value and then assign the desired value in another line.

Secondly, instead of copying the default unit file, you can create a directory of the same name with the .d suffix in the /etc/systemd/system directory and drop a file with the .conf suffix containing the settings you want to override. This is automatically done when using the systemctl set-property command. This method also allows to override settings coming from a unit file located in the /etc/systemd/system directory.

In our example, create the /etc/systemd/system/httpd.service.d directory, then the file called constraints.conf and paste the following lines into it:

[Service]
CPUShares=400

Thirdly, it is still possible to customize the environment before the service starts. You can specify a list of environment variables and their values with the Environment directive:

Environment="VAR1=word1 word2" VAR2=word3

You can also use a dedicated file with the EnvironmentFile directive. In the httpd case, you can see the following line in the /usr/lib/systemd/system/httpd.service file:

EnvironmentFile=/etc/sysconfig/httpd

Finally, don’t hesitate to run the systemd-delta command to know what was changed from the default configuration.

Who said that Systemd was not flexible!

Posted in RHEL7

RHCSA7: Task of the day

Allowed time: 10 minutes.
Set up a default configuration HTTP server with SELinux in Enforcing mode and active firewalld configuration.

RHCE7: Task of the day

Allowed time: 3 minutes.
Configure your machine to be a router.

Poll for favorite RHEL 6 book

What is your favorite RHEL 6 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHEL 6 topic

What do you think is the most difficult RHEL 6 topic?

View Results

Loading ... Loading ...