This post briefly outlines how one can force a ntp (Network Time Protocol) sync with the ntp servers defined in the
# grep ^server /etc/ntp.conf
This document is useful when the date gets reset e.g. by a hardware maintenance such as a motherboard replacement.
Steps to force NTP sync
1. Stop the ntpd service :
# service ntpd stop
2. Force an update :
# ntpd -gq
-g – requests an update irrespective of the time offset
-q – requests the daemon to quit after updating the date from the ntp server.
3. restart the ntpd service :
# service ntpd start
Question: How to disable BASH shell history, so that it does not save users shell history?
Add a line like the following to the end of
This will make each user’s bash shell to skip saving history files unless the users manually configure the HISTFILE variable.
There is no practical way to completely prevent users from saving their own bash shell history. Users can still get auto-saved shell history by manually declaring the HISTFILE variable. A user could add the following to their
To make it harder for users to get their bash processes to auto-save command history, take the following steps.
1. Add unset HISTFILE to global config as originally described here in the start of the post.
2. As root, take ownership of the
# chown root:root ~bob/.bashrc ~bob/.bash_profile
As root, make those same files (in EVERY user’s homedir) immutable, e.g.:
# chattr +i ~bob/.bashrc ~bob/.bash_profile
Note that performing these steps will not prevent a user from manually declaring the HISTFILE variable from the command-line each time they start a bash process. So if someone declares a variable HISTFILE, he can still be able to save the command history to a file.
As Per the ip man page, there are three route types which will drop traffic in specific ways:
unreachable – these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated. The local senders get an EHOSTUNREACH error.
blackhole – these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error.
prohibit – these destinations are unreachable. Packets are discarded and the ICMP message communication administratively prohibited is generated. The local senders get an EACCES error.
The null route or the blackhole route can be addded with the help of ip command using the blackhole route type. In the example here, we silently drop any packets destined for the 10.192.168.0/24 network:
# ip route add blackhole 10.192.168.0/24
The post describes how to setup kdump on SuSE Linux Enterprise System (SLES) 10 and 11 to capture core dumps from Kernel panics and crashes. Kdump (kernel dump) provides a memory dump into a file named vmcore when the kernel has critical issue. Vmcore is often required to investigate the issue. The crash dump is captured from the context of a freshly-booted kernel, not from the context of the crashed kernel. Kdump uses kexec to boot into a second kernel whenever the system crashes. Kexec is a fast-boot mechanism which allows rebooting a new Linux kernel from the context of a running kernel without going through any firmware or warm start.
Steps to Follow
Since Version SLES 10, Suse uses kdump as the default crash dump capturing method. The kernel core dumps are stored under “/var”, so you need to take care that the partition “/var” has enough space to store this information, at least the slightly bigger than the physical amount of systems memory. As the system try to store up to 5 core dumps the disk space should be optimal be able to save all this information.
1. Install necessary packages
You need to install the packages “kdump” and “kexec-tools” which match the Service Pack of your installed product. The easiest Way is to use the YaST application to install this package. Start the command “yast2” from the console with the command:
# yast2 -i kdump # yast2 -i kexec-tools
This will install the necessary packages or you may use the graphical system installer YaST to install the appropriate packages.
2. Configure Kdump to capture the dump
First of all, you need to reserve memory to the capture kernel. This will pass to the system’s kernel at the boot command line. SuSE recommended the following settings for x86 and x86_64 architecture: [email protected]
To change this you can start YaST, under System, select Boot Loader. On the tab Section Management, select the default section and press Edit. Add the settings to the field labeled Other Kernel Parameters, then press Ok and Finish to save the settings.
Next, you need to activate Kdump to startup a system boot by
# chkconfig kdump on
Finally, you need to restart the system to active the changes of the kernel command line. Some more information on the configuration of Kdump can be found in “/usr/share/doc/packages/kexec-tools/README.SUSE”
In later versions of SLES there is also a module (yast2-kdump-*.rpm) for the YaST2, which assist you in configuring and activating kdump on your system. Simply run
# yast2 kdump
3. Checking the configuration
To make sure that the configuration is working, you can test this by using the magic SysRq feature of the kernel.
First you need to enable it with the following command:
# echo 1 > /proc/sys/kerne/sysrq
Next you should sync the data of your hard disks to minimize the risk of lost data by
# echo s > /proc/sysrq-trigger
and finally you can force the system to “crash” by
# echo c > /proc/sysrq-trigger
The system will save crash dump data. This will take some time depending on the amount of memory of your system and the speed of the device the dump is written to. After the dump is finished the system will reboot back to the normal service. You should find the core dump in the directory
CentOS / RHEL 6 : How to configure kdump
CentOS / RHEL 7 : How to configure kdump
1. Backup the configuration files using authconfig utility. The general syntax for the command is :
# authconfig --savebackup=[name]
For example :
# authconfig --savebackup=config_backup
2. Backup’s are saved at following location:
# ll /var/lib/authconfig/backup-config_backup/ total 80 -rw-r--r-- 1 root root 401 Oct 28 00:18 authconfig -rw-r--r-- 1 root root 1 Oct 28 00:18 cacheenabled.conf -rw-r--r-- 1 root root 830 Oct 28 00:18 fingerprint-auth-ac -rw-r--r-- 1 root root 512 Oct 28 00:18 krb5.conf -rw-r--r-- 1 root root 2293 Oct 28 00:18 libuser.conf -rw-r--r-- 1 root root 1816 Oct 28 00:18 login.defs -rw-r--r-- 1 root root 67 Oct 28 00:18 network -rw-r--r-- 1 root root 4290 Oct 28 00:18 nslcd.conf -rw-r--r-- 1 root root 1722 Oct 28 00:18 nsswitch.conf -rw-r--r-- 1 root root 464 Oct 28 00:18 openldap.conf -rw-r--r-- 1 root root 8857 Oct 28 00:18 pam_ldap.conf -rw-r--r-- 1 root root 1174 Oct 28 00:18 password-auth-ac -rw-r--r-- 1 root root 882 Oct 28 00:18 smartcard-auth-ac -rw-r--r-- 1 root root 844 Oct 28 00:18 smb.conf -rw-r--r-- 1 root root 416 Oct 28 00:18 sssd.conf -rw-r--r-- 1 root root 1174 Oct 28 00:18 system-auth-ac -rw-r--r-- 1 root root 585 Oct 28 00:18 yp.conf
3. Configurations can be restored using the following command:
# authconfig --restorebackup=[name]
In our example case :
# authconfig --restorebackup=config_backup
By default, RHEL 7 uses the FirewallD service to provide network security. FirewallD must be stopped and disabled when using the iptables service:
# systemctl stop firewalld.service # systemctl disable firewalld.service
# systemctl enable iptables.service # systemctl start iptables.service
The iptables service is now provided by a separate package called
# yum info iptables-services Name : iptables-services Arch : x86_64 Version : 1.4.21 Release : 13.el7 Size : 23 k Repo : installed From repo : anaconda Summary : iptables and ip6tables services for iptables URL : http://www.netfilter.org/ License : GPLv2 Description : iptables services for IPv4 and IPv6 : : This package provides the services iptables and ip6tables that have been split : out of the base package since they are not active by default anymore.
The iptables-services package may need to be installed 1st:
# systemctl -a|grep iptables ● iptables.service not-found inactive dead iptables.service
Stop and disable the firewalld service first.
# systemctl stop firewalld.service # systemctl disable firewalld.service Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
If you try to enable the iptables service, it would fail.
# systemctl enable iptables.service Failed to execute operation: No such file or directory
Install the iptables-services package.
# yum install iptables-services -y
Enable the iptables service :
# systemctl enable iptables.service Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Start the iptables service :
# systemctl start iptables.service #
When trying to start/enable the iptables daemon you receive the errors:
# systemctl enable iptables Failed to issue method call: Access denied
# systemctl start iptables Failed to start iptables.service: Unit iptables.service failed to load: No such file or directory.
Starting with RHEL 7, firewalld is introduced and by default the iptables package is not installed on the system. This is done to avoid conflict in running both iptables and firewalld.
Make sure you have the
The package “iptables-services” needs to be installed before you are able to start the service.
# yum install iptables-services
One of the extensively used command in UNIX world is the history command. Every flavor of UNIX has the history command. The bash shell stores a history of commands entered, which can be used to repeat commands by using the history command. By default, it’ll show the previous 1000 commands that were used.
Here’s a sample output of the command history:
# history 1 uname -a 2 clear 3 ssh [email protected] 4 exit 5 ls 6 clear 7 echo "Hello" ........
The bash history mechanism supports a variety of advanced ways of retrieving commands from the history list. Below are some of the ways to use the bash history command :
1. Listing last n commands used
By default, history command shows the last 1000 commands used. If you want to list only last few commands fired by the user use “history n”. For example, to display last 5 commands fired :
# history 5 504 uname -a 505 who am i 506 date 507 echo "Hi" 508 history 5
2. Repeating last command
To repeat the last command executed :
# echo "I am history" I am history # !! echo "I am history" I am history
3. Repeat last command starting with some character
!char = repeats last command that started with char. For example :
# !uname uname -a Linux geeklab 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
4. Repeat last command by its number
!num = repeats a command by its number in history output. For example :
# !1010 ls -lrth total 197M -rw-r--r-- 1 root root 512K May 25 2015 file1 drwxr-xr-x 2 root root 4.0K Jun 1 2016 dir1
5. Repeat last command that contains some character
!?command = repeats last command that contains (as opposed to started with [!char]) command. Example :
# echo "I am legend" I am legend # !?legend echo "I am legend" I am legend
6. Repeat the nth last command
!-n = repeats a command entered n commands back
# !-3 uname -a Linux VMAX3Linux 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
7. Searching for a command in history and executing it
Ctrl-r = search for a command in command history and execute it once you find a match.
# (reverse-i-search)`uname': uname -a
Question: Is it possible to limit yum so that it lists or installs only security updates? How to patch the system only with security errata ?
Install the yum-security plugin
It is now possible to limit yum to install only security updates (as opposed to bug fixes or enhancements) by installing the yum-security plugin. Contrary to RHEL 7, in RHEL 6 the yum-security plugin is not part of yum. So to install the plugin use :
# yum install yum-plugin-security
listing available erratas
To list all available erratas without installing them, run:
# yum updateinfo list available
Listing available security updates
To list all available security updates without installing them, run:
# yum updateinfo list security all # yum updateinfo list sec
To list all available security updates with verbose descriptions of the issues they apply to:
# yum info-sec
Listing currently installed security updates
To get a list of the currently installed security updates this command can be used:
# yum updateinfo list security installed
Installing available security updates
Run the following command to download and apply all available security updates :
# yum -y update --security
To only install the packages that have a security errata use
# yum update-minimal --security -y
For more commands consult the manual pages of yum-security with
# man yum-security
Watch command is a really neat tool and comes in handy in many situations. The watch command can be used to monitor any file or script periodically. It runs every 2 seconds by default and it will run until interrupted.
# watch -h Usage: watch [-dhntv] [--differences[=cumulative]] [--help] [--interval=
] [--no-title] [--version] -d, --differences[=cumulative] highlight changes between updates (cumulative means highlighting is cumulative) -h, --help print a summary of the options -n, --interval= seconds to wait between updates -v, --version print the version number -t, --no-title turns off showing the header
The basic syntax of watch command is :
# watch [-n seconds] [-d] [command]
-dflag will highlight the differences between successive updates. -nflag is to specify the interval. The default value is 2 seconds.
Here’s a sample output:
# watch -n 10 -d ls -lt Every 10.0s: ls -lt Tue Feb 14 12:27:43 2017 total 0 -rw-r--r-- 1 root root 0 Feb 14 12:27 new_file_just_created -rw-r--r-- 1 root root 0 Feb 14 10:46 file1 -rw-r--r-- 1 root root 0 Feb 14 10:46 file2 -rw-r--r-- 1 root root 0 Feb 14 10:46 file3
Every 10.0s : is the time interval to run the watch command. i.e. 10 seconds. ls -lt : is the command to be executed every 10 seconds. Tue Feb 14 12:27:43 2017 : is the current date and time.
Example 1 : Monitoring a dynamically changing file like /proc/meminfo
There is a way to monitor any file on the system with the command watch.
# watch -n 10 -d cat /proc/meminfo
would produce an output of the meminfo status every 10 seconds on the screen and will highlight if any changes.
Example 2 : look for the change in the content of a directory
Another excellent use of the watch command is to keep an eye on the contents of the directory and see if any new file is getting added or removed.
# watch -d ls -lt
Example 3 : Removing the title/header from the output.
In case you do not want to print the header in the output of watch command, you can use the
-t-d ls -lt total 0 -rw-r--r-- 1 root root 0 Feb 14 10:47 new_file_just_created -rw-r--r-- 1 root root 0 Feb 14 10:46 file1 -rw-r--r-- 1 root root 0 Feb 14 10:46 file2 -rw-r--r-- 1 root root 0 Feb 14 10:46 file3
Example 4 : Highlighting cumulative difference
In case you want to highlight the cumulative difference in the output, you can use the
The output after adding a new file – new_file1 :
The output after adding another new file – new_file2 :