RHEL 7 Systemd unit file customization.

When a service doesn’t run as you would like, when you want to change its default configuration, Systemd offers you several options.

Firstly, you can copy the standard unit file from the /usr/lib/systemd/system directory into the /etc/systemd/system directory and then changes its content. The new unit file will take precedence over the default one. Don’t forget to run the systemctl daemon-reload command each time you create or modify a unit file

Also, if you want to make clear that you built the new unit file from the default one, you can add the following line at the beginning of the new unit file (here /etc/systemd/system/httpd.service):

.include /usr/lib/systemd/system/httpd.service

Here you can read .include. It’s not a typo but the syntax required by Systemd.

The specified directive (here CPUShares) will override the previous configuration except if this directive allows multiple values, in this case, the new value will be added at the end. To avoid this situation, you will have to proceed in two steps: assign an empty value and then assign the desired value in another line.

Secondly, instead of copying the default unit file, you can create a directory of the same name with the .d suffix in the /etc/systemd/system directory and drop a file with the .conf suffix containing the settings you want to override. This is automatically done when using the systemctl set-property command. This method also allows to override settings coming from a unit file located in the /etc/systemd/system directory.

In our example, create the /etc/systemd/system/httpd.service.d directory, then the file called constraints.conf and paste the following lines into it:


Thirdly, it is still possible to customize the environment before the service starts. You can specify a list of environment variables and their values with the Environment directive:

Environment="VAR1=word1 word2" VAR2=word3

You can also use a dedicated file with the EnvironmentFile directive. In the httpd case, you can see the following line in the /usr/lib/systemd/system/httpd.service file:


Finally, don’t hesitate to run the systemd-delta command to know what was changed from the default configuration.

Who said that Systemd was not flexible!

Posted in RHEL7

RHEL 7 Firewalld tips.

To a non expert, Firewalld can sometimes appear a little bit strange and confusing.
Let’s take an example: you just set up an Apache webserver and want to configure a https virtual host.
Because it’s a test, you want to temporarily allow https on port tcp 443 to go through the firewall with the default zone:

# firewall-cmd --add-port=443/tcp
# firewall-cmd --list-ports

At this moment and because it was a temporary configuration, it would not have been a good idea to reload the firewall configuration, you would have lost the previous modification:

# firewall-cmd --reload
# firewall-cmd --list-ports

Later, you decide to make your configuration permanent:

# firewall-cmd --permanent --add-port=443/tcp

If you forget to reload the configuration, this is not going to work, at least until your next reboot!

# firewall-cmd --list-ports

But if you reload the firewall configuration, you get what you expected:

# firewall-cmd --reload
# firewall-cmd --list-ports

1st tip: A temporary configuration is directly activated without any need to reload the firewall configuration. But a permanent configuration requires a reload of the firewall configuration to work as expected. And it’s not the other way around!

This rule is verified for source management, port management, service management, masquerading and port forwarding but not for interface assignments to a zone or direct rules that are always directly activated whether temporary or not.

Concerning the firewall-cmd –list-ports command and lots of other commands used to check the configuration like firewall-cmd –list-services, firewall-cmd –query-masquerade, firewall-cmd –list-sources or firewall-cmd –list-all, you need to understand a subtile point:

  • The firewall-cmd –list-ports command displays the current configuration, ie the list of the temporarily open ports and the permanently open ports already activated.
  • The firewall-cmd –permanent –list-ports command only shows the permanent configuration, ie the list of the permanently open ports, activated or not!

2nd tip: During an exam, you need to use the –permanent option when applying most of the configurations and then reload the firewall configuration. However, when checking your configuration, you shouldn’t use the –permanent option if you want to get the correct information!

Posted in RHEL7

RHEL 7 systemctl status command.

When working with services in RHEL 7, you can check if a service is currently running with the is-active option or enabled at boot time with the is-enabled option. But it is more difficult to know if the unit file is located in /usr/lib/systemd/system or /etc/systemd/system in the case of a custom service. It is also not obvious to know when the service was started or to get some CGroup information.
The systemctl status command brings all this information and even more.
Let’s take the httpd example and run the following command:

# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Tue 2015-04-21 11:48:23 CEST; 24h ago
Main PID: 2446 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
CGroup: /system.slice/httpd.service
└─2446 /usr/sbin/httpd -DFOREGROUND
└─2447 /usr/sbin/httpd -DFOREGROUND
└─2448 /usr/sbin/httpd -DFOREGROUND
└─2449 /usr/sbin/httpd -DFOREGROUND
└─2450 /usr/sbin/httpd -DFOREGROUND
└─2451 /usr/sbin/httpd -DFOREGROUND
└─2452 /usr/sbin/httpd -DFOREGROUND

Apr 21 11:48:23 server1.example.com systemd[1]: Starting The Apache HTTP Ser....
Apr 21 11:48:23 server1.example.com systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.

The first line gives you a description of the service. You then learn that Systemd loaded the unit file from /usr/lib/systemd/system/httpd.service and the service is not enabled at boot time (disabled).
You next learn that the service has been running (active) for 24 hours and when was exactly the launch date.
The following line provides the Process ID.
In the case of the httpd service, you even get a quick activity report.
Then, the CGroup information is shown with the list of the child processes.
Finally, an extract from the journal is displayed with the most useful events.

Even though at first sight the systemctl status command seems to display too many lines, when you look at it, everything is there!

Posted in RHEL7

RHEL 7 ISCSI configuration.

ISCSI configuration is a very tricky topic of the RHCE 7 exam.

If a RHCE candidate takes the exam without previous iScsi experience, he will fail!
Man pages are not enough to understand the intricacy of this subject and there is too much to read in a so limited time.

With iScsi configuration, you have to choose among several backstores, mainly fileio and block. Then, you have to set authentication, basic or CHAP (Challenge Handshake Authentication Protocol).

Also, you have to understand what is a target (the server side), an initiator (the client side), a LUN (Logical Unit Number), a portal (an entry point consisting of an ip address and a port), a TPG (Target Portal Group) and an ACL (Access Control List).

To get comfortable with this topic, you will have to practice iSCSI configuration at least 8 times: with each kind of backstores, with each kind of main authentication mechanisms and at least twice to get it memorized!

Good luck!

Posted in RHEL7

CentOS 7.1 released.

Today, Centos 7 (1503) aka CentOS 7.1 has just been released.
The distribution can now be downloaded from the CentOS website.

The Release Notes explain the major changes:

  • As of March 2015 ABRT (>= 2.1.11-19.el7.centos.0.1) can report bugs directly to bugs.centos.org.
  • Support for new processors (Intel Broadwell) and graphics (AMD Hawaii)
  • Full support for LVM cache
  • Ability to mount ceph block devices
  • Updated Hyper-V network drivers
  • New libguestfs features
  • Full support for OpenJDK-1.8.0
  • Improved clock stability (for PTP and NTP)
  • Updated Networkmanager packages to version 1.0
  • Updated docker to 1.4.1
  • Updated OpenSSH to 6.6.1
  • New package: Mozilla Thunderbird
  • Update to numerous storage, network and graphics drivers
  • Technology Preview: Support of the Btrfs file system, OverlayFS and the Cisco VIC kernel driver.

Reminder: This version is mandatory for RHCE candidates. It brings fixes for the Samba + Kerberos objective.

Happy download!

Posted in RHEL7

RHEL 7 HTTPD SELinux policy hardening.

If you have to migrate a HTTPD server from RHEL 6/CentOS 6 to RHEL 7/CentOS 7, you should be careful.

The default HTTPD SELinux policy has changed and very limited information has been provided about it: many free tutorials available on the Internet won’t work because of SELinux!

In RHEL 6/CentOS 6, you didn’t need to define precisely what directories or files you were allowed to read, write and execute. You could assign the httpd_sys_content_t SELinux context to all the directories and files under the /var/www/html directory or any path of your choice and, as the httpd_unified SELinux boolean was set to on by default, you could get read, write, and execution access rights everywhere within this path. Things were pretty simple!

With RHEL 7/CentOS 7, the httpd_unified SELinux boolean is now set to off by default, meaning that the httpd_sys_content_t SELinux context allows only read access.

You’ve got now three cases:

  • you agree with the previous relaxed SELinux policy: set the httpd_unified SELinux boolean to on and you are done,
  • you accept the new restricted policy and your webserver uses the /var/www/html path: apply the restorecon -R /var/www/html command and test your webserver behaviour,
  • you accept the new restricted policy but your server doesn’t use the standard /var/www/html path: you have to define precisely all the SELinux rules to get read, write or execution access rights.

With WordPress websites for example, a symptom of a wrong SELinux configuration can be the inability to upload anything or when updating a plugin getting a message asking for the ftp account!

At the end of the day, there is nothing complicated. But you need to be aware!

Additional information is available in the HTTPD SELinux policy page.

Posted in RHEL7

Linux package management tips.

Although keeping a system tidy is not an exam objective, it’s a nice skill to have.

Three tutorials can help you to progress in this domain:

Through these various pages you will learn that yum is your friend.

Posted in RHEL7

RHEL 7.1 officially released.

Today, Red Hat announces the official release of RHEL 7.1. To know more about this new version you can read a summary of the RHEL 7.1 changes or the RHEL 7.1 Release Notes.

In addition, Red Hat is also releasing its RHEL 7 Atomic Host, an operating system optimized for running the next generation of applications with Linux containers.

Finally, for the RHCE certification candidate it’s an interesting day: Red Hat today delivers a bunch of software updates. One of them fixes some embarassing bugs preventing Samba+Kerberos configurations from working. Hopefully, these updates will be available soon in CentOS 7.

Posted in RHEL7

Website news.

In order to make mobile connection easier the website theme has been changed.
It should now be handier to access pages during a trip.

In addition, there are two new quiz: one for the RHCSA 7 exam and one for the RHCE 7 exam.

Braindumps are a pretty stupid way to get prepared for the hands-on RHCSA/RHCE exams, they don’t teach you anything about understanding or reasoning. However, learning by heart specific command syntax or tricks can be very useful to remember key points not only during the exams, but also after.

Each of this quiz contains more than 30 questions and more will be added in the future.


Posted in RHEL7

Minimal Image Survival Guide.

Every day I can hear someone saying: the ifconfig command has been removed from the RHEL 7/CentOS 7 distribution and nobody told me anything!
Invariably, it’s about a RHEL/CentOS minimal installation.
To alleviate this unpleasant situation, there is now a minimal image survival guide.
Next time you happen to hear someone ranting about minimal installation, forward him this survival guide, it will be your good deed of the day!

Posted in RHEL7

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create a XFS file system of 100MB. Mount it under /mnt. Then, increase its size by 50MB.

RHCE7: Task of the day

Allowed time: 15 minutes.
Configure a Samba server called MYSERVER, belonging to the MYGROUP group, sharing the /shared directory with the name "shared".

Poll for favorite RHEL 6 book

What is your favorite RHEL 6 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHEL 6 topic

What do you think is the most difficult RHEL 6 topic?

View Results

Loading ... Loading ...