SELinux adds an extra layer of security to the resources in the system. It provides MAC (mandatory access control), in contrast to DAC (discretionary access control). Before we dive into setting the SELinux mode, let us look at the different SELinux modes of operation and how they work. SELinux can operate in any of 3 modes :
1. Enforcing : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive : Actions contrary to the policy are only logged in the audit log.
3. Disabled : The SELinux is disabled entirely.
SELinux configuration file /etc/selinux/config :
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Toggling SELinux modes (Temporarily)
To switch between the SELinux modes temporarily we can use the setenforce command as shown below :
# setenforce [ Enforcing | Permissive | 1 | 0 ]
0 –> Permissive
1 –> Enforcing
Verify the current mode of SELinux :
# getenforce
Enforcing
or we can also use the sestatus command to get a detailed status :
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux      --> virtual FS similar to /proc
Current mode:                   enforcing     --> current mode of operation
Mode from config file:          permissive    --> mode set in the /etc/sysconfig/selinux file.
Policy version:                 24
Policy from config file:        targeted
Toggling SELinux modes (Permanently) [reboot required]
SELinux mode can be set permanently using either of the below methods :
1. editing /etc/selinux/config file
2. editing kernel boot options
1. editing /etc/selinux/config file
To set SELinux to permissive, set the below line in the file /etc/selinux/config :
# vi /etc/selinux/config
....
SELINUX=permissive
...
Similarly, the mode can be set to enforcing or disabled by changing the value on the same line.
2. editing kernel boot options
Edit the kernel boot line and append enforcing=0 to the kernel boot options. For example:
title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet enforcing=0
        initrd /initrd-2.6.9-42.ELsmp.img
Reboot the server.
# shutdown -r now
Forcing reboot on changing mode
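We can make a reboot mandatory for changing the SELinux mode by turning on the secure_mode_policyload boolean. Once it is on, the mode can no longer be switched at runtime :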
# setsebool secure_mode_policyload on
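The sestatus output above shows the running mode (enforcing) differing from the mode in the config file (permissive), and the two permanent methods both change what the next boot will do. The following added example, which is not part of the original post, reports that kind of drift; the function names are hypothetical, the sample config is constructed, and the precedence of the enforcing= boot option over the config file is stated as an assumption in the code.

```shell
#!/bin/sh
# Added example (not from the original page): report whether the running
# SELinux mode will survive a reboot. Function names are hypothetical.

# Print the SELINUX= value of a config file in lower case. Comment lines and
# the SELINUXTYPE= line do not match the pattern.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/selinux/config}" | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print the mode expected after the next boot.
# $1: config file, $2: kernel command line (contents of /proc/cmdline).
# Assumption: enforcing=0|1 on the command line takes precedence over the
# config file, except that SELINUX=disabled still leaves SELinux off.
selinux_boot_mode() {
    cfg=$(selinux_config_mode "$1")
    override=$(printf '%s\n' "$2" | tr ' ' '\n' |
        sed -n 's/^enforcing=\([01]\)$/\1/p' | tail -n 1)
    if [ "$cfg" = "disabled" ] || [ -z "$override" ]; then
        echo "$cfg"
    elif [ "$override" = "0" ]; then
        echo "permissive"
    else
        echo "enforcing"
    fi
}

# Compare the runtime mode (as printed by getenforce) with the boot-time mode.
# $1: runtime mode, $2: config file, $3: kernel command line.
selinux_audit() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    boot=$(selinux_boot_mode "$2" "$3")
    if [ -z "$boot" ]; then
        echo "unknown: no SELINUX= line found"
    elif [ "$runtime" != "$boot" ]; then
        echo "drift: running=$runtime, after reboot=$boot"
    elif [ "$runtime" = "enforcing" ]; then
        echo "ok: enforcing now and after reboot"
    else
        echo "weak: $runtime now and after reboot"
    fi
}

# Constructed sample mirroring the sestatus output above: the system runs in
# enforcing mode (setenforce 1) but the config file still says permissive.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values:
SELINUX=permissive
SELINUXTYPE=targeted
EOF
selinux_audit Enforcing "$sample" "ro root=LABEL=/ rhgb quiet"
rm -f "$sample"

# On a live system:
#   selinux_audit "$(getenforce)" /etc/selinux/config "$(cat /proc/cmdline)"
```

A "drift" result means a setenforce change, or a config edit that has not been rebooted into, is still pending; a "weak" result means the system is not enforcing policy now and will not after reboot either.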
File access control lists (FACLs), or simply ACLs, are lists of additional users/groups and their permissions on a file. Although the default file permissions do their job perfectly, they do not allow you to give permissions to more than one user or one group on the same file.
How to know when a file has ACL attached to it
The ls -l command produces output as shown below. Note the + sign at the end of the permissions. This confirms that the file has an ACL attached to it.
# ls -l
-rw-r--r-+ 1 root root 0 Sep 19 14:41 file
To display detailed ACL information for a file, use the getfacl command. If you look carefully, the users sam and john have some extra permissions. The default user/group permissions are specified using “user::permission” and “group::
# getfacl /tmp/test
# file: test
# owner: root
# group: root
user::rw-
user:john:rw-
user:sam:rwx
group::r--
mask::rwx
other:---
In contrast, if you check the ACLs on a file with “no ACLs”, the additional “user:” lines and the “mask” line will not be shown and only the standard file permissions will be shown :
# getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--
Creating and Managing FACLs
The setfacl command is used to set an ACL on the given file. To give rw access to user john on the file /tmp/test :
# setfacl -m u:john:rw /tmp/test
The -m option tells setfacl to modify ACLs on the file(s) mentioned in command line. Instead of user john we can have a group to have a specific permission on the file :
# setfacl -m g:accounts:rw /tmp/test
FACLs for multiple users and groups can also be set with a single command :
# setfacl -m u:john:rw,g:accounts:rwx /tmp/test
By setting a default ACL, you determine the permissions that will be set for all new items created in the directory. The permissions of existing files and subdirectories remain the same.
To create a default FACL on a directory :
# setfacl -m default:u:john:rw /accounts
Notice the default permissions in the getfacl command :
# getfacl accounts/
# file: accounts/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:john:rw-
default:group::r-x
default:mask::rwx
default:other::r-x
To remove ACLs, use the setfacl command with -x option :
# setfacl -x u:john /tmp/test
The above command removes the ACL for the user john on the file /tmp/test. The ACLs for other users/groups, if any, remain unaffected. To remove all ACLs associated with a file, use the -b option with setfacl :
# setfacl -b /tmp/test
Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is :
# chage [options] user_name
– When you run the chage command, the currently set options are displayed as well.
# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default
        Minimum Password Age :
        Maximum Password Age :
        Last Password Change (YYYY-MM-DD) [2016-08-23]:
        Password Expiration Warning :
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
Password expiration information is stored in /etc/shadow file.
# grep oracle /etc/shadow
oracle:$6$H28sLVDL$iNvp/AvbMeqqrslH2bfmTxJpE6.mO8UNzlIXGB3sp87jZP9dW1DxeoLf2QXR7hkLkomuXbtgO1zPKUEYRY8YI1:15284:14:30:7:::
As shown above, the oracle user has a minimum password age of 14 and a maximum password age of 30. This means the user must wait 14 days after a password change before changing it again, and must change the password within 30 days of the last change. The user is also warned to change the password 7 days before the password expiry date.
A number of options are available in the chage command. To list aging information :
# chage -l geek
Last password change                                    : Sep 18, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0 :
# chage -d 0 geek
The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:
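# authconfig --test | grep hashing
 password hashing algorithm is sha512
To change the algorithm, use the --passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option. The command below only illustrates the syntax; descrypt, bigcrypt and md5 are legacy algorithms, and sha512 (the value reported above) is the stronger choice.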
# authconfig --passalgo=md5 --update
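The /etc/shadow fields and the hashing algorithm discussed above can both be read back from a shadow entry. The following added example, which is not part of the original post, decodes the aging fields into dates and reports the hash scheme from the prefix of the password field; the function names are hypothetical, and the sample lines are constructed from the field values shown on this page with the hashes replaced by placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): decode the aging fields of an
# /etc/shadow entry. Function names are hypothetical.

# Convert days since 1970-01-01 into YYYY-MM-DD with integer arithmetic only
# (valid for non-negative day counts, which is all /etc/shadow stores).
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2 ? 1 : 0) ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# $1: one shadow line (name:hash:lastchg:min:max:warn:inactive:expire:reserved).
# Prints key=value lines describing the hash scheme and the aging dates.
shadow_aging() {
    IFS=: read -r name hash lastchg min max warn _rest <<EOF
$1
EOF
    case $hash in
        '$6$'*) algo=sha512 ;;
        '$5$'*) algo=sha256 ;;
        '$1$'*) algo=md5 ;;
        '!'*|'*'*|'') algo=locked-or-empty ;;
        *) algo=other ;;
    esac
    echo "user=$name"
    echo "hash=$algo"
    if [ -z "$lastchg" ]; then
        echo "aging=disabled"
        return 0
    fi
    if [ "$lastchg" -eq 0 ]; then
        # This is the state left by "chage -d 0".
        echo "expires=next-login"
        return 0
    fi
    echo "last_change=$(days_to_date "$lastchg")"
    if [ -n "$min" ] && [ "$min" -gt 0 ]; then
        echo "earliest_change=$(days_to_date $(( lastchg + min )))"
    fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "expires=never"
    else
        echo "expires=$(days_to_date $(( lastchg + max )))"
        if [ -n "$warn" ] && [ "$warn" -gt 0 ]; then
            echo "warn_from=$(days_to_date $(( lastchg + max - warn )))"
        fi
    fi
    return 0
}

# Constructed sample lines: aging fields as on this page, hashes replaced
# by the placeholder $6$SALT$HASH.
while IFS= read -r line; do
    shadow_aging "$line"
    echo
done <<'EOF'
oracle:$6$SALT$HASH:15284:14:30:7:::
geek:$6$SALT$HASH:17062:0:99999:7:::
EOF
```

Entries whose hash field reports md5 or other after a policy change to sha512 are accounts whose password has not been reset since; the algorithm setting only affects passwords set afterwards.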
/etc/login.defs file provides default user account settings. Default values include:
- Location of user mailboxes
- Password aging controls
- Values for automatic UID selection
- Values for automatic GID selection
- User home directory creation options
- Encryption method used to encrypt passwords
Sample /etc/login.defs file :
# cat /etc/login.defs
.....
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
......
GID_MIN         1000
GID_MAX         60000
.....
UID_MIN         1000
UID_MAX         60000
– Use the groupadd command to add a new group :
# groupadd [options] group_name
– Use the groupmod command to modify an existing group :
# groupmod [options] group_name
– Use groupdel to delete the group. You can remove a group even if there are users in the group. But you can not remove the primary group of an existing user. You must remove the user before removing the group.
# groupdel group_name
– Use the gpasswd command to administer the groups :
# gpasswd [options] group_name
For example : to add user test in group student –
# gpasswd -a test student
The groups command displays the groups the user belongs to. For example, the user oracle shown below belongs to multiple groups, which can be displayed using the groups command :
# groups oracle
oracle : oinstall dba asm asmdba oper
# grep oracle /etc/group
oinstall:x:5004:oracle
dba:x:5005:oracle
asm:x:5006:oracle
asmdba:x:5007:oracle
oper:x:5008:oracle
The newgrp command executes a new shell and changes a user’s real group information. For example,
Before executing newgrp command
$ id
uid=5004(oracle) gid=5004(oinstall) groups=5004(oinstall),5005(dba) ...
$ ps
   PID TTY          TIME CMD
106591 pts/0    00:00:00 bash
106672 pts/0    00:00:00 ps
After executing newgrp command
$ newgrp dba
Note the gid for the user has changed to that of the dba group :
$ id
uid=5004(oracle) gid=5005(dba) groups=5005(dba),5004(oinstall) ...
Also note that a new shell has been executed.
$ ps
   PID TTY          TIME CMD
106591 pts/0    00:00:00 bash
106231 pts/0    00:00:00 bash
106672 pts/0    00:00:00 ps
Adding a user account
Use the useradd command to add new user :
# useradd [options] [username]
The default settings for a new user can be viewed and modified using the -D option :
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
For example, to change the default user shell for new user to /bin/ksh :
# useradd -D -s /bin/ksh
To simply add a user with all default options :
# useradd user01
To add user with uid 1099, comment “new user” and default shell as /bin/ksh :
# useradd -u 1099 -c "new user" -s /bin/ksh user01
Check new user’s entry in /etc/passwd file :
# grep user01 /etc/passwd
user01:x:1099:1099:new user:/home/user01:/bin/ksh
To modify existing user (e.g. changing the comment) :
# usermod -c "modified user" user01
To assign the password to new user:
# passwd user01
Changing password for user user01.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
View the /etc/shadow file :
# grep user01 /etc/shadow
user01:$6$dox84xyJ$89DdMcxSlI9OHxUCyY1ryaFsmG6MSEwbmSbZXJoFY.tHgdEEeQQgQjDV0dD8jEiHusrUjj3p8gtMTKR4sXXN5.:17058:0:45:7:::
To delete the user :
# userdel user01
You can create a user with the nologin shell for running services such as SMTP, FTP etc. A user without a login shell cannot log in to a system and therefore cannot run any command on the system interactively. Processes can still run as that user, however.
To add new user “test” with shell nologin :
# useradd -s /sbin/nologin test
Make sure the nologin shell is present in the /etc/shells file :
# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
RHEL 7 has 3 command-line utilities to configure the system date and time: date, hwclock and timedatectl.
Use the date command to display or set the system date and time. Run the date command with no arguments to display the current date and time:
# date
Mon Sep 12 19:41:40 IST 2016
The date command provides a variety of output formatting options. You can also display a time and date in the future or past. A few examples are given below.
1. Display day of the week :
# date +%A
Monday
2. Display date one year from now :
# date -d "1 year"
Mon Sep 12 19:47:49 IST 2017
3. Display 1 month past date :
# date -d "1 month ago"
Mon Aug 12 19:49:07 IST 2016
Use the following syntax to change the current date. Replace YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month.
# date +%D -s [YYYY-MM-DD]
Use the following syntax to change the current time. Replace HH with a two-digit hour, MM with a two-digit minute, and SS with a two-digit second. Include either AM or PM. Include the -u option if your system clock is set to use UTC.
# date +%T%p -s [HH:MM:SS]AM|PM -u
Use the hwclock command to query and set the hardware clock, also known as the RTC (real-time clock). This clock runs independently of any control program running in the CPU and even when the machine is powered off. The hwclock command allows you to:
- Display the current time
- Set the hardware clock to a specified time
- Set the system time from the hardware clock (hwclock -s)
- Set the hardware clock to the current system time (hwclock -w)
– The timedatectl utility is part of the systemd system and service manager.
– To display local, universal, and RTC time and time zone, NTP configuration, and DST information:
# timedatectl
      Local time: Tue 2016-09-13 20:30:26 IST
  Universal time: Tue 2016-09-13 15:00:26 UTC
        RTC time: Tue 2016-09-13 15:00:26
       Time zone: Asia/Kolkata (IST, +0530)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
– Use the following syntax to change the date and time:
# timedatectl set-time [YYYY-MM-DD]
# timedatectl set-time [HH:MM:SS]
– Use the following syntax to change the time zone:
# timedatectl set-timezone [time_zone]
– To list available time zones :
# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
– To enable clock synchronization over NTP:
# timedatectl set-ntp yes
NTP provides a method of verifying and correcting your computer’s time by synchronizing it with another system.
To install NTP :
# yum install ntp
By default, there are four public server entries in the NTP configuration file, /etc/ntp.conf, which are specified by the server directive.
# grep server /etc/ntp.conf
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
server 3.rhel.pool.ntp.org
Instead of using a predefined public server, you can specify a local reference server in the /etc/ntp.conf file. For example:
# vi /etc/ntp.conf
server 192.0.2.1
Another directive in the configuration file is driftfile. The default setting is as follows:
This drift file contains one value used to adjust the system clock frequency after every system or service start.
The ntpd program is the user space daemon that synchronizes the system clock with remote NTP time servers or local reference clocks. The daemon reads the configuration file at system start or when the service is restarted. You also need to open UDP port 123 in the firewall for NTP packets. After editing the /etc/ntp.conf file, use the systemctl command to start the NTP daemon:
# systemctl start ntpd
Use the following command to ensure the NTP daemon starts at boot time:
# systemctl enable ntpd
Other NTP utilities
Use the ntpq command to query the NTP daemon operations and to determine performance. Use the -p option (or peers command) to display a list of peers known to the server as well as a summary of their state. For example:
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.0.2       192.168.2.11     2 u  911 1024  377    1.274    0.147   0.355
+10.10.0.3       192.168.2.11     2 u 1026 1024  377    1.161    0.073   0.852
The * indicates your system is synchronized with the 10.10.0.2 server. Use the ntpstat command to show network time synchronization status.
# ntpstat
synchronised to NTP server (10.10.0.2) at stratum 3
   time correct to within 31 ms
   polling server every 1024 s
Configuring NTP using chrony
Chrony is a suite of utilities that provides another implementation of NTP. Chrony is designed for mobile systems and virtual machines that are often powered down or disconnected from the network. Systems that are not permanently connected to a network take a relatively long time to adjust their system clocks with the NTP daemon, ntpd.
Chrony consists of chronyd, a daemon that runs in user space, and chronyc, a command-line program for making adjustments to chronyd. The chronyd daemon makes adjustments to the system clock that is running in the kernel. It uses NTP to synchronize with another system when network access is available. When network access is not available, chronyd uses the last calculated drift stored in the drift file to synchronize the system time.
For more information on chrony (installation, configuration, troubleshooting), refer to the below post :
CentOS / RHEL 7 : Tips on Troubleshooting NTP / chrony Issues
Previous versions of Oracle Linux use init scripts located in the /etc/rc.d/init.d directory to start and stop services. In RHEL 7, these init scripts have been replaced with systemd service units. Service units have a .service extension. Use the systemctl command to list all loaded service units:
# systemctl list-units --type service --all
UNIT                   LOAD   ACTIVE SUB     DESCRIPTION
auditd.service         loaded active running Security Auditing Service
avahi-daemon.service   loaded active running Avahi mDNS/DNS-SD Stack
.....
LOAD – service load state
ACTIVE, SUB – high-level (ACTIVE) and low-level (SUB) unit activation state
DESCRIPTION – description of the service unit.
Omit the --all option to list only the active service units. Use the list-unit-files command to see which service units are enabled:
# systemctl list-unit-files --type service
Displaying status of the services
systemd service units correspond to system services. Use the following command to display detailed information about a service unit. This example displays information about the sshd service unit.
# systemctl status sshd
The following information is available for the specified service unit:
Loaded: If the service is loaded, the absolute path to the service unit file, and if the service unit is enabled
Active: If the service unit is running and a timestamp
Main PID: The Process ID of the corresponding system service and the service name
Status: Additional information about the corresponding system service
Process: Additional information about related processes
CGroup: Additional information about related Control Groups
To check whether a service is running (active) or not running (inactive):
# systemctl is-active sshd
active
To check whether a service is enabled:
# systemctl is-enabled sshd
enabled
Starting and Stopping Services
In previous versions of RHEL, the service utility is used to stop and start services. In RHEL 7, the systemctl utility provides an equivalent set of subcommands. The table below shows a comparison of the service utility with systemctl.
|service Utility||systemctl Utility||Description|
|service name start||systemctl start name||Starts a service|
|service name stop||systemctl stop name||Stops a service|
|service name restart||systemctl restart name||Restarts a service|
|service name condrestart||systemctl try-restart name||Restarts a service only if it is running|
|service name reload||systemctl reload name||Reloads a configuration|
|service name status||systemctl status name||Checks whether a service is running|
|service --status-all||systemctl list-units --type service --all||Displays the status of all services|
Enabling and disabling services
In previous versions of RHEL, the chkconfig utility is used to enable and disable services. In RHEL 7, the systemctl utility provides an equivalent set of subcommands. The table below shows a comparison of the chkconfig utility with systemctl.
|chkconfig Utility||systemctl Utility||Description|
|chkconfig name on||systemctl enable name||Enables a service|
|chkconfig name off||systemctl disable name||Disables a service|
|chkconfig --list name||systemctl status name, systemctl is-enabled name||Checks whether a service is enabled|
|chkconfig --list||systemctl list-unit-files --type service||Lists all services and checks whether they are enabled|
In some cases you may want to extract the initramfs image file to check its built-in contents. This post provides steps to extract initramfs image files for RHEL 7. Unlike previous versions, on RHEL 7 using the cpio command on the initramfs image file will not extract all files (or will give some error). For example:
# ls -la /boot/initramfs-$(uname -r).img
-rw------- 1 root root 19602671 Feb 4 2016 /boot/initramfs-3.10.0-229.el7.x86_64.img
# file initramfs-3.10.0-229.el7.x86_64.img
initramfs-3.10.0-229.el7.x86_64.img: gzip compressed data, from Unix, last modified: Thu Feb 4 16:02:04 2016, max compression
# gzip -dc initramfs-3.10.0-229.el7.x86_64.img | cpio -id --- will not extract all files or will give some error
To extract it on RHEL7, use skipcpio:
1. Copy the initramfs image file to some directory.
# mkdir /tmp/initramfs
# cp /boot/initramfs-3.10.0-229.el7.x86_64.img /tmp/initramfs/
2. Extract the contents using the /usr/lib/dracut/skipcpio command :
# cd /tmp/initramfs
# /usr/lib/dracut/skipcpio initramfs-3.10.0-229.el7.x86_64.img | zcat | cpio -ivd
.
var
var/lock
var/run
lib
where skipcpio is the built-in tool from dracut.
Listing the content of initramfs image
To only list the contents of an initramfs image file, you can run lsinitrd:
# lsinitrd /boot/initramfs-3.10.0-229.el7.x86_64.img | more
Image: /boot/initramfs-3.10.0-229.el7.x86_64.img: 19M
========================================================================
Version: dracut-033-359.el7
Arguments: -f
dracut modules:
bash
nss-softokn
i18n
network
ifcfg
drm
plymouth
dm
kernel-modules
lvm
resume
rootfs-block
terminfo
udev-rules
biosdevname
systemd
usrmount
base
fs-lib
shutdown
========================================================================
drwxr-xr-x  12 root     root            0 May 23 10:27 .
crw-r--r--   1 root     root       5,   1 May 23 10:27 dev/console
crw-r--r--   1 root     root       1,  11 May 23 10:27 dev/kmsg
crw-r--r--   1 root     root       1,   3 May 23 10:27 dev/null
For a new installation of RHEL 7, the GUI does not come with the default installation. If you do not click on the “Software Selection” link and pick “Server with GUI”, there will be no GUI after reboot; only the “Base Environment” will be installed.
To enable GUI after system installation, you can use following method.
Installing the environment group “Server with GUI”
1. Check the available environment groups :
# yum grouplist
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There is no installed groups file.
Maybe run: yum groups mark convert (see man yum)
Available Environment Groups:
   Minimal Install
   Infrastructure Server
   File and Print Server
   Basic Web Server
   Virtualization Host
   Server with GUI
Available Groups:
   Compatibility Libraries
   Console Internet Tools
   Development Tools
   Graphical Administration Tools
   Legacy UNIX Compatibility
   Scientific Support
   Security Tools
   Smart Card Support
   System Administration Tools
   System Management
Done
2. Execute the following to install the environments for GUI.
# yum groupinstall "Server with GUI"
.......
Transaction Summary
====================================================
Install 199 Packages (+464 Dependent packages)
Upgrade ( 8 Dependent packages)
Total download size: 523 M
Is this ok [y/d/N]:
The above installs the GUI on RHEL 7, which by default is installed in text mode.
3. Enable GUI on system start up. In RHEL 7, systemd uses ‘targets’ instead of runlevels. The file /etc/inittab is no longer used to change run levels. Issue the following command to enable the GUI on system start.
To set a default target :
# systemctl set-default graphical.target
To change the current target to graphical without reboot :
# systemctl start graphical.target
Verify the default target :
# systemctl get-default
graphical.target
4. Reboot the machine to verify that it boots into GUI directly.
# systemctl reboot
Installing core GNOME packages
“Server with GUI” installs the default GUI, which is GNOME. In case you want to install only the core GNOME packages, use :
# yum groupinstall 'X Window System' 'GNOME'
....
Transaction Summary
===========================================================
Install 104 Packages (+427 Dependent packages)
Upgrade ( 8 Dependent packages)
Total download size: 318 M
Is this ok [y/d/N]:
There are various ways you can configure an IP address in RHEL 7. The post discusses the use of network interface configuration files to configure the IP address. Each physical network device has an associated network interface configuration file. Network interface configuration files are located in the /etc/sysconfig/network-scripts directory.
1. Use the ip addr command to display your available network interfaces.
# ip addr
1: lo: [LOOPBACK,UP,LOWER_UP] mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:23:2f:bc brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.104/24 brd 192.168.43.255 scope global dynamic eth0
       valid_lft 2792sec preferred_lft 2792sec
    inet6 2405:204:10a:6c1:250:56ff:fe23:2fbc/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe23:2fbc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d5:6e:a6 brd ff:ff:ff:ff:ff:ff
Note that you have 3 interfaces: the Ethernet interfaces (eth0, eth1) and the loopback interface (lo). If your interface names are something like eno16777736, refer to this post to change the interface naming to eth0 and eth1.
2. cd into the /etc/sysconfig/network-scripts directory which holds the network interface configuration files.
# cd /etc/sysconfig/network-scripts
Here you will find the network configuration file for the eth1 interface, i.e. ifcfg-eth1. If it is not already present, you can copy the interface configuration file of interface eth0.
3. We want to assign IP address 192.168.1.30 to the interface eth1. Edit the configuration file for the interface and change the parameters as shown below :
# vi ifcfg-eth1
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="no"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="eno16777736"
UUID="7fe712d2-5e3a-4f68-b34b-4b3f6c787a56"
ONBOOT="yes"
IPADDR0="192.168.1.30"
PREFIX0="24"
HWADDR="00:0C:29:D5:6E:9C"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
4. Edit the /etc/hosts file to add the entry for the new IP address :
# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.30 geeklab
5. Restart the network services :
# systemctl restart network
# ip addr
1: lo: [LOOPBACK,UP,LOWER_UP] mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:23:2f:bc brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.104/24 brd 192.168.43.255 scope global dynamic eth0
       valid_lft 2538sec preferred_lft 2538sec
    inet6 2405:204:10a:6c1:250:56ff:fe23:2fbc/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe23:2fbc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d5:6e:a6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.30/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fed5:6ea6/64 scope link
       valid_lft forever preferred_lft forever
Using network interface control scripts to stop/start a specific network interface
The network interface control scripts are ifup and ifdown. Use the ifdown command to stop the interface (eth1 in this example). Verify the status of the interface using the “ip addr” command (the IP address should have disappeared):
# ifdown eth1
# ip a
1: lo: [LOOPBACK,UP,LOWER_UP] mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:23:2f:bc brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.104/24 brd 192.168.43.255 scope global dynamic eth0
       valid_lft 2751sec preferred_lft 2751sec
    inet6 2405:204:10a:6c1:250:56ff:fe23:2fbc/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe23:2fbc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d5:6e:a6 brd ff:ff:ff:ff:ff:ff
Use the ifup command to start the interface again :
# ifup eth1
# ip addr
1: lo: [LOOPBACK,UP,LOWER_UP] mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:23:2f:bc brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.104/24 brd 192.168.43.255 scope global dynamic eth0
       valid_lft 2720sec preferred_lft 2720sec
    inet6 2405:204:10a:6c1:250:56ff:fe23:2fbc/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe23:2fbc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d5:6e:a6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.30/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fed5:6ea6/64 scope link
       valid_lft forever preferred_lft forever