Table of Contents for
Linux Bible, 9th Edition


Linux Bible, 9th Edition, by Christopher Negus. Published by John Wiley & Sons, 2015.
  1. Cover Page
  2. Title Page
  3. Copyright
  4. Dedication
  5. About the Author
  6. About the Technical Editor
  7. Credits
  8. Acknowledgments
  9. Contents at a Glance
  10. Contents
  11. Introduction
  12. Part I: Getting Started
  13. Chapter 1: Starting with Linux
  14. Chapter 2: Creating the Perfect Linux Desktop
  15. Part II: Becoming a Linux Power User
  16. Chapter 3: Using the Shell
  17. Chapter 4: Moving around the Filesystem
  18. Chapter 5: Working with Text Files
  19. Chapter 6: Managing Running Processes
  20. Chapter 7: Writing Simple Shell Scripts
  21. Part III: Becoming a Linux System Administrator
  22. Chapter 8: Learning System Administration
  23. Chapter 9: Installing Linux
  24. Chapter 10: Getting and Managing Software
  25. Chapter 11: Managing User Accounts
  26. Chapter 12: Managing Disks and Filesystems
  27. Part IV: Becoming a Linux Server Administrator
  28. Chapter 13: Understanding Server Administration
  29. Chapter 14: Administering Networking
  30. Chapter 15: Starting and Stopping Services
  31. Chapter 16: Configuring a Print Server
  32. Chapter 17: Configuring a Web Server
  33. Chapter 18: Configuring an FTP Server
  34. Chapter 19: Configuring a Windows File Sharing (Samba) Server
  35. Chapter 20: Configuring an NFS File Server
  36. Chapter 21: Troubleshooting Linux
  37. Part V: Learning Linux Security Techniques
  38. Chapter 22: Understanding Basic Linux Security
  39. Chapter 23: Understanding Advanced Linux Security
  40. Chapter 24: Enhancing Linux Security with SELinux
  41. Chapter 25: Securing Linux on a Network
  42. Part VI: Extending Linux into the Cloud
  43. Chapter 26: Using Linux for Cloud Computing
  44. Chapter 27: Deploying Linux to the Cloud
  45. Part VII: Appendixes
  46. Appendix A: Media
  47. Appendix B: Exercise Answers
  48. Index
  49. Linux® Bible, Ninth Edition


Exercise Answers

This appendix provides answers to each of the chapter exercises. There are many ways to accomplish tasks in Linux. The answers provided here are suggestions.

Some of the exercises require that you modify system files that could change the basic functioning of your system, or even make it unbootable. Therefore, I recommend that you do the exercises on a Linux system that you are free to modify and erase if something should go wrong.

Chapter 2: Creating the Perfect Linux Desktop

The following section details some ways these tasks can be completed on both the GNOME 2 and GNOME 3 desktops.

  1. To get started, you need a Linux system in front of you to do the procedures in this book. An installed system is preferable so you don't lose your changes when you reboot. To start out, you can use a Fedora Live CD (or installed system), an Ubuntu installed system, or a Red Hat Enterprise Linux installed system. Here are your choices:
    • Fedora Live CD (GNOME 3)—Get a Fedora Live CD as described in Appendix A. Run it live, as described in the “Starting with the Fedora GNOME Desktop Live CD” section of Chapter 2, or install it and run it from hard disk as described in Chapter 9, “Installing Linux.”
    • Ubuntu (GNOME 3)—Install Ubuntu, and install the GNOME Shell software as described in the beginning of Chapter 2.
    • Red Hat Enterprise Linux 7 (GNOME 3)—Install Red Hat Enterprise Linux 7 as described in Chapter 9.
    • Red Hat Enterprise Linux 6 or earlier (GNOME 2)—Install Red Hat Enterprise Linux 6 as described in Chapter 9.
  2. To launch the Firefox web browser and go to the GNOME home page (http://gnome.org), there are some easy steps to take. If your networking is not working, refer to Chapter 14, “Administering Networking,” for help connecting to wired and wireless networks.
    • For GNOME 3, you can press the Windows key to get to the Overview screen. Then type Firefox to highlight just the Firefox Web Browser icon. Press Enter to launch it. Type http://gnome.org in the location box, and press Enter.
    • For GNOME 2, select the Firefox icon from the top menu bar. Type http://gnome.org in the location box, and press Enter.
  3. To pick a background you like from the GNOME art site (http://gnome-look.org), download it to your Pictures folder, and select it as your current background on both GNOME 2 and GNOME 3 systems, do the following:
    1. Type http://gnome-look.org/ in the Firefox location box, and press Enter.
    2. Find a background you like and select it, and then click zoom to display it.
    3. Right-click the image, and select Set as Desktop Background.
    4. From the pop-up that appears, select the position and color of the background image.
    5. Select the Set Desktop Background button. The image is used as your desktop background, and the image is copied to the file Firefox_wallpaper.png in your home directory.
  4. To start a Nautilus File Manager window and move it to the second workspace on your desktop, do the following:
    • For GNOME 3:
      1. Press the Windows key.
      2. Grab the Files icon from the Dash (left side) and drag it onto an unused workspace on the right side. A new instance of Nautilus starts in that workspace.
    • For GNOME 2:
      1. Open the Home folder from the GNOME 2 desktop (double-click).
      2. Right-click in the Nautilus title bar that appears, and select either Move to Workspace Right or Move to Another Workspace (you can select which workspace you want from the list).
  5. To find the image you downloaded to use as your desktop background and open it in any image viewer, first go to your Home folder.

    The image should appear in that folder when you open Nautilus. Simply double-click the Firefox_wallpaper.png icon to open the image in the default image viewer. If you have multiple image viewers on your system, right-click the icon and select the application you want to use to open it.

  6. Moving back and forth between the workspace with Firefox on it and the one with the Nautilus file manager is fairly straightforward.

    If you did the previous exercises properly, Nautilus and Firefox should be in different workspaces. Here's how you can move between those workspaces in GNOME 3 and GNOME 2:

    • In GNOME 3, press the Windows key, and double-click the workspace you want in the right column. As an alternative, you can go directly to the application you want by pressing Alt+Tab and pressing Tab again to highlight the application you want to open.
    • In GNOME 2, select the workspace you want with your mouse by clicking the small representation of the workspace in the right side of the lower panel. If you happen to have Desktop Effects enabled (System ➪ Preferences ➪ Desktop Effects ➪ Compiz), try pressing Ctrl+Alt+right arrow (or left arrow) to spin to the next workspace.
  7. To open a list of applications installed on your system and select an image viewer to open from that list using as few clicks or keystrokes as possible, do the following:
    • In GNOME 3, move the mouse to the upper-left corner of the screen to get to the Overview screen. Select Applications, select Graphics from the right column, and then select Image Viewer.
    • In GNOME 2, select Applications ➪ Graphics ➪ Image Viewer to open an image viewer window on the desktop.
  8. To change the view of the windows on your current workspace to smaller views of those windows you can step through, do the following:
    • In GNOME 3, with multiple windows open on multiple workspaces, press and hold the Alt+Tab keys. While continuing to hold the Alt key, press Tab until you highlight the application you want. Release the Alt key to select it. (Notice that applications that are not on the current workspace are to the right of a line dividing the icons.)
    • In GNOME 2, with multiple windows open on multiple workspaces, press and hold the Ctrl+Alt+Tab keys. While continuing to hold the Ctrl+Alt keys, press Tab until you have highlighted the application you want. Release the Ctrl and Alt keys to select it.
  9. To launch a music player from your desktop using only the keyboard, do the following:
    • In GNOME 3:
      1. Press the Windows key to go to the Overview screen.
      2. Type Rhyth (until the icon appears and is highlighted), and press Enter. (In Ubuntu, if you don't have Rhythmbox installed, type Bansh to open the Banshee Media Player.)
    • In GNOME 2:

      Press Alt+F2. From the Run Application box that appears, type rhythmbox and press Enter.

  10. To take a picture of your desktop using only keystrokes, press the Print Screen key to take a screenshot of your entire desktop in both GNOME 3 and GNOME 2. Press Alt+Print Screen to take a screenshot of just the current window. In both cases, the images are saved to the Pictures folder in your home folder.

Chapter 3: Using the Shell

  1. To switch virtual consoles and return to the desktop:
    1. Hold Ctrl+Alt and press F2 (Ctrl+Alt+F2). A text-based console should appear.
    2. Type your username (press Enter) and password (press Enter).
    3. Type a few commands, such as id, pwd, and ls.
    4. Type exit to exit the shell and return to the login prompt.
    5. Press Ctrl+Alt+F1 to return to the virtual console that holds your desktop. (On different Linux systems, the desktop may be on different virtual consoles. Ctrl+Alt+F7 is another common place to find it.)
  2. For your Terminal window, to make the font red and the background yellow:
    1. From the GNOME desktop, select Applications ➪ System Tools ➪ Terminal to open a Terminal window.
    2. From the Terminal window, select Edit ➪ Profiles.
    3. With Default highlighted from the Profiles window, select Edit.
    4. Select the Colors Tab and deselect the Use colors from system theme box.
    5. Select the box next to Text Color, click the color red you want from the color wheel, and click OK.
    6. Select the box next to Background Color, click the color yellow you want from the color wheel, and click OK.
    7. Click Close on each window to go back to the Terminal window with the new colors.
    8. Go back and reselect the Use colors from system theme box to go back to the default Terminal colors.
  3. To find the mount command and tracepath man page:
    • Run type mount to see that the mount command's location is /bin/mount.
    • Run locate tracepath to see that the tracepath man page is at /usr/share/man/man8/tracepath.8.gz.
  4. To run, recall, and change these commands as described:
    $ cat /etc/passwd
    $ ls $HOME
    $ date
    1. Press the up arrow until you see the cat /etc/passwd command. If your cursor is not already at the end of the line, press Ctrl+E to get there. Backspace over the word passwd, type the word group, and press Enter.
    2. Type man ls and find the option to list by time (-t). Press the up arrow until you see the ls $HOME command. Use the left arrow key or Alt+B to position your cursor to the left of $HOME. Type -t, so the line appears as ls -t $HOME. Press Enter to run the command.
    3. Type man date to view the date man page. Use the up arrow to recall the date command and add the format indicator you found. A single %D format indicator gets the results you need:
      $ date +%D
      12/08/11
  5. Use tab completion to type basename /usr/share/doc/. Type basen<Tab> /u<Tab>sh<Tab>do<Tab> to get basename /usr/share/doc/.
  6. Pipe /etc/services to the less command: $ cat /etc/services | less.
  7. Make output from the date command appear in this format: Today is Thursday, December 10, 2015.
    $ echo "Today is $(date +'%A, %B %d, %Y')"
  8. View variables to find your current hostname, username, shell, and home directories.
    $ echo $HOSTNAME
    $ echo $USERNAME
    $ echo $SHELL
    $ echo $HOME
  9. To add a permanent mypass alias that displays the contents of the /etc/passwd file:
    1. Type nano $HOME/.bashrc.
    2. Move the cursor to an open line at the bottom of the page (press Enter to open a new line if needed).
    3. On its own line, type alias m="cat /etc/passwd".
    4. Type Ctrl+O to save and Ctrl+X to exit the file.
    5. Type source $HOME/.bashrc.
    6. Type alias m to make sure the alias was set properly: alias m='cat /etc/passwd'.
    7. Type m (the /etc/passwd file displays on the screen).
  10. To display the man page for the mount system call, use the man -k command to find man pages that include the word mount (using the ^ ensures that only commands beginning with the word mount are displayed). Then use the man command with the correct section number (2) to get the proper mount man page:
    $ man -k ^mount
    mount               (2)  - mount file system
    mount               (8)  - mount a filesystem
    mountpoint          (1)  - see if a directory is a mountpoint
    mountstats          (8)  - Displays NFS client per-mount statistics
    $ man 2 mount
    MOUNT(2)      Linux Programmer's Manual             MOUNT(2)
    NAME
          mount - mount file system
    SYNOPSIS
          #include <sys/mount.h>
    .
    .
    .

Chapter 4: Moving around the Filesystem

  1. Create the projects directory, create nine empty files (house1 to house9), and list just those files.
    $ mkdir $HOME/projects/
    $ touch $HOME/projects/house{1..9}
    $ ls $HOME/projects/house{1..9}
  2. Make the $HOME/projects/houses/doors/ directory path, and create some empty files in that path.
    $ cd
    $ mkdir projects/houses
    $ touch $HOME/projects/houses/bungalow.txt
    $ mkdir $HOME/projects/houses/doors/
    $ touch $HOME/projects/houses/doors/bifold.txt
    $ mkdir -p $HOME/projects/outdoors/vegetation/
    $ touch projects/outdoors/vegetation/landscape.txt
  3. Copy the files house1 and house5 to the $HOME/projects/houses/ directory.
    $ cp $HOME/projects/house[15] $HOME/projects/houses
  4. Recursively copy the /usr/share/doc/initscripts* directory to the $HOME/projects/ directory.
    $ cp -ra /usr/share/doc/initscripts*/ $HOME/projects/
  5. Recursively list the contents of the $HOME/projects/ directory. Pipe the output to the less command so you can page through the output.
    $ ls -lR $HOME/projects/ | less
  6. Remove the files house6, house7, and house8 without being prompted.
    $ rm -f $HOME/projects/house[678]
  7. Move house3 and house4 to the $HOME/projects/houses/doors directory.
    $ mv projects/house{3,4} projects/houses/doors/
  8. Remove the $HOME/projects/houses/doors directory and its contents.
    $ rm -rf projects/houses/doors/
  9. Change the permissions on the $HOME/projects/house2 file so it can be read and written to by the user who owns the file, only read by the group, and have no permission for others.
    $ chmod 640 $HOME/projects/house2
  10. Recursively change the permissions of the $HOME/projects/ directory so that nobody has write permission to any files or directory beneath that point in the file system.
    $ chmod -R a-w $HOME/projects/
    $ ls -lR /home/joe/projects/
    /home/joe/projects/:
    total 12
    -r--r--r--. 1 joe joe    0 Jan 16 06:49 house1
    -r--r-----. 1 joe joe    0 Jan 16 06:49 house2
    -r--r--r--. 1 joe joe    0 Jan 16 06:49 house5
    -r--r--r--. 1 joe joe    0 Jan 16 06:49 house9
    dr-xr-xr-x. 2 joe joe 4096 Jan 16 06:57 houses
    dr-xr-xr-x. 2 joe joe 4096 Jul  1  2014 initscripts-9.03.40
    dr-xr-xr-x. 3 joe joe 4096 Jan 16 06:53 outdoors

Chapter 5: Working with Text Files

  1. Follow these steps to create the /tmp/services file, and then edit it so that “WorldWideWeb” appears as “World Wide Web”.
    $ cp /etc/services /tmp
    $ vi /tmp/services
    /WorldWideWeb<Enter>
    cwWorld Wide Web<Esc>

    The next two lines show the before and after.

    http         80/tcp     www www-http    # WorldWideWeb HTTP
    http         80/tcp     www www-http    # World Wide Web HTTP
  2. One way to move the paragraph in your /tmp/services file is to search for the first line of the paragraph, delete five lines (5dd), go to the end of the file (G), and put in the text (p):
    $ vi /tmp/services
    /Note that it is<Enter>
    5dd
    G
    p
  3. To use ex mode to search for every occurrence of the term tcp (case sensitive) in your /tmp/services file and change it to WHATEVER, you can type the following:
    $ vi /tmp/services
    :g/tcp/s//WHATEVER/g<Enter>
  4. To search the /etc directory for every file named passwd and redirect errors from your search to /dev/null, you can type the following:
    $ find /etc -name passwd 2> /dev/null
  5. Create a directory in your home directory called TEST. Create files in that directory named one, two, and three that have full read/write/execute permissions on for everyone (user, group, and other). Construct a find command that would find those files and any other files that have write permission open to “others” from your home directory and below.
    $ mkdir $HOME/TEST
    $ touch $HOME/TEST/{one,two,three}
    $ chmod 777 $HOME/TEST/{one,two,three}
    $ find $HOME -perm -002 -type f -ls
    148120 0 -rwxrwxrwx 1 chris chris 0 Jan 1 08:56 /home/chris/TEST/two
    148918 0 -rwxrwxrwx 1 chris chris 0 Jan 1 08:56 /home/chris/TEST/three
    147306 0 -rwxrwxrwx 1 chris chris 0 Jan 1 08:56 /home/chris/TEST/one
  6. Find files under the /usr/share/doc directory that have not been modified in more than 300 days.
    $ find /usr/share/doc -mtime +300
  7. Create a /tmp/FILES directory. Find all files under the /usr/share directory that are more than 5MB and less than 10MB and copy them to the /tmp/FILES directory.
    $ mkdir /tmp/FILES
    $ find /usr/share -size +5M -size -10M -exec cp {} /tmp/FILES \;
    $ du -sh /tmp/FILES/*
    7.0M   /tmp/FILES/cangjie5.db
    5.4M   /tmp/FILES/cangjie-big.db
    8.3M   /tmp/FILES/icon-theme.cache
  8. Find every file in the /tmp/FILES directory and make a backup copy of each file in the same directory. Use each file's existing name and just append .mybackup to create each backup file.
    $ find /tmp/FILES/ -type f -exec cp {} {}.mybackup \;
  9. Install the kernel-doc package in Fedora or Red Hat Enterprise Linux. Using grep, search inside the files contained in the /usr/share/doc/kernel-doc* directory for the term e1000 (case insensitive) and list the names of the files that contain that term.

    NOTE: The kernel-doc package was dropped for Fedora 21. To complete this exercise for Fedora 21, install kernel-core and use the /usr/share/kcbench-data/linux-*/Documentation directory instead of /usr/share/doc/kernel-doc*.

    # yum install kernel-doc
    $ cd /usr/share/doc/kernel-doc*
    $ grep -rli e1000 .
    ./Documentation/powerpc/booting-without-of.txt
    ./Documentation/networking/e100.txt
    ...
  10. Search for the e1000 term again in the same location, but this time list every line that contains the term and highlight the term in color.
    $ cd /usr/share/doc/kernel-doc-*
    $ grep -ri --color e1000 .
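An added shell example (not from the book) that packages the find check from exercise 5 above into reusable functions and goes one step further than the exercise: it also reports world-writable directories that lack the sticky bit, which the -type f filter would miss. The function names and the sample tree (built in a temporary directory) are constructed for this example.

```shell
# Audit helpers for the "write permission open to others" exercise.
# world_writable_files: regular files whose "other" bits include write (-perm -002).
# world_writable_dirs_nosticky: directories anyone can write to that do NOT have
# the sticky bit, so any user could delete or rename other users' files there
# (unlike /tmp, which is 1777).

world_writable_files() {
    # $1: directory to scan. -xdev keeps the scan on one filesystem;
    # errors (unreadable subtrees) are discarded, as in the exercise.
    find "$1" -xdev -type f -perm -002 2>/dev/null
}

world_writable_dirs_nosticky() {
    # Same scan for directories, excluding sticky (1000) ones.
    find "$1" -xdev -type d -perm -002 ! -perm -1000 2>/dev/null
}

make_demo_tree() {
    # Constructed sample tree mirroring the exercise's TEST directory,
    # plus one private file and two directories to show the sticky-bit case.
    root=$(mktemp -d)
    mkdir "$root/TEST" "$root/drop" "$root/shared"
    touch "$root/TEST/one" "$root/TEST/two" "$root/TEST/three" "$root/private"
    chmod 777 "$root/TEST/one" "$root/TEST/two" "$root/TEST/three"
    chmod 640 "$root/private"      # readable by group only; not reported
    chmod 777 "$root/drop"         # world-writable, no sticky bit: reported
    chmod 1777 "$root/shared"      # world-writable but sticky (like /tmp): not reported
    printf '%s\n' "$root"
}

demo_counts() {
    # Builds the sample tree, runs both audits, cleans up, and returns
    # "<files> <dirs>" so the result can be checked rather than just printed.
    root=$(make_demo_tree)
    f=$(world_writable_files "$root" | wc -l | tr -d ' ')
    d=$(world_writable_dirs_nosticky "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$f $d"
}

demo_counts   # prints "3 1": three 777 files in TEST, one non-sticky 777 directory
```

Run the same two find commands against $HOME or /var to audit a real tree; on a shared system the non-sticky world-writable directories are the ones to fix first.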

Chapter 6: Managing Running Processes

  1. To list all processes running on your system with a full set of columns, while piping the output to less, type the following:
    $ ps -ef | less
  2. To list all processes running on the system and sort those processes by the name of the user running each process, type the following:
    $ ps -ef --sort=user | less
  3. To list all processes running on the system with the column names process ID, user name, group name, nice value, virtual memory size, resident memory size, and command, type the following:
    $ ps -eo 'pid,user,group,nice,vsz,rss,comm' | less
      PID USER     GROUP     NI    VSZ  RSS COMMAND
        1 root     root       0  19324 1236 init
        2 root     root       0      0    0 kthreadd
        3 root     root       -      0    0 migration/0
        4 root     root       0      0    0 ksoftirqd/0
  4. To run the top command and then go back and forth between sorting by CPU usage and memory consumption, type the following:
    $ top
    P
    M
    P
    M
  5. To start the gedit process from your desktop and use the System Monitor window to kill that process, type the following:
    $ gedit &

    Next, in GNOME 2 select Applications ➪ System Tools ➪ System Monitor, or in GNOME 3 type System Monitor from the Activities screen and press Enter. Find the gedit process on the Processes tab (you can sort alphabetically to make it easier by clicking the Process Name heading). Right-click the gedit command, and then select either End Process or Kill Process; the gedit window on your screen should disappear.

  6. To run the gedit process and use the kill command to send a signal to pause (stop) that process, type the following:
    $ gedit &
    [1] 21532
    $ kill -SIGSTOP 21532
  7. To use the killall command to tell the gedit command (paused in the previous exercise) to continue working, do the following:
    $ killall -SIGCONT gedit

    Make sure the text you typed after gedit was paused now appears in the window.

  8. To install the xeyes command, run it about 20 times in the background, and run killall to kill all 20 xeyes processes at once, type the following:
    # yum install xorg-x11-apps
    $ xeyes &
    $ xeyes &
    ...
    $ killall xeyes

    Remember, you need to be the root user to install the package. After that, remember to repeat the xeyes command 20 times. Spread the windows around on your screen, and move the mouse for fun to watch the eyes move. All the xeyes windows should disappear at once when you type killall xeyes.

  9. As a regular user, run the gedit command so it starts with a nice value of 5.
    $ nice -n 5 gedit &
    [1] 21578
  10. To use the renice command to change the nice value of the gedit command you just started to 7, type the following:
    $ renice -n 7 21578
    21578: old priority 0, new priority 7

    Use any command you like to verify that the current nice value for the gedit command is now set to 7. For example, you could type this:

    $ ps -eo 'pid,user,nice,comm' | grep gedit
    21578 chris     7 gedit
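An added shell example (not from the book) that scripts exercises 6 and 7 above: it starts a background job, pauses it with SIGSTOP, resumes it with SIGCONT, and checks the process state after each step. Using $! for the PID avoids signalling the wrong process, and the job is a sleep command rather than gedit so it runs without a desktop; proc_state and pause_resume_demo are names chosen for this example.

```shell
# Pause and resume a background job, verifying its scheduler state each time.
# State letters: S = sleeping, T = stopped by a signal, R = running.

proc_state() {
    # Returns the one-letter state for PID $1.
    # Prefers /proc on Linux; falls back to ps where /proc is absent.
    pid="$1"
    if [ -r "/proc/$pid/stat" ]; then
        # /proc/<pid>/stat looks like "1234 (sleep) S 1 ...". The command name
        # in parentheses may contain spaces, so strip through the last ')' first.
        sed 's/.*) //' "/proc/$pid/stat" | cut -d' ' -f1
    else
        ps -o stat= -p "$pid" | cut -c1
    fi
}

pause_resume_demo() {
    sleep 60 &
    pid=$!                 # the PID the shell actually started, not one typed by hand
    kill -STOP "$pid"      # same as kill -SIGSTOP <pid> in the exercise
    sleep 1
    s1=$(proc_state "$pid")   # expected T (stopped)
    kill -CONT "$pid"      # same effect as killall -SIGCONT for this one PID
    sleep 1
    s2=$(proc_state "$pid")   # expected S (back to sleeping)
    kill -TERM "$pid"      # clean up the job
    wait "$pid" 2>/dev/null || true
    echo "$s1 $s2"
}

pause_resume_demo   # prints "T S"
```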

Chapter 7: Writing Simple Shell Scripts

  1. Here's an example of how to create a script in your $HOME/bin directory called myownscript. When the script runs, it should output information that looks as follows:
    Today is Sat Dec 10 15:45:04 EDT 2016.
    You are in /home/joe and your host is abc.example.com.

    The following steps show one way to create the script named myownscript:

    1. If it doesn't already exist, create a bin directory:
      $ mkdir $HOME/bin
    2. Using any text editor, create a script called $HOME/bin/myownscript that contains the following:
      #!/bin/bash
      # myownscript
      # List some information about your current system
      echo "Today is $(date)."
      echo "You are in $(pwd) and your host is $(hostname)."
    3. Make the script executable:
      $ chmod 755 $HOME/bin/myownscript
  2. To create a script that reads in three positional parameters from the command line, assigns those parameters to variables named ONE, TWO, and THREE, respectively, and then outputs that information in the specified format, do the following:
    1. Replace X with the number of parameters and Y with all parameters entered. Then replace A with the contents of variable ONE, B with variable TWO, and C with variable THREE.

      Here is an example of what that script could contain:

      #!/bin/bash
      # myposition
      # Assign the first three positional parameters to named variables
      ONE=$1
      TWO=$2
      THREE=$3
      echo "There are $# parameters that include: $@"
      echo "The first is $ONE, the second is $TWO, the third is $THREE."
    2. To create a script called $HOME/bin/myposition and make the script executable, type this:
      $ chmod 755 $HOME/bin/myposition
    3. To test it, run it with some command-line arguments, as in the following:
      $ myposition Where Is My Hat Buddy?
      There are 5 parameters that include: Where Is My Hat Buddy?
      The first is Where, the second is Is, the third is My.
  3. To create the script described, do the following:
    1. To create a file called $HOME/bin/myhome and make it executable, type this:
      $ touch $HOME/bin/myhome
      $ chmod 755 $HOME/bin/myhome
    2. Here's what the script myhome might look like:
      #!/bin/bash
      # myhome
      # Prompt for two answers and echo them back
      read -p "What street did you grow up on? " mystreet
      read -p "What town did you grow up in? " mytown
      echo "The street I grew up on was $mystreet and the town was $mytown."
    3. Run the script to check that it works. The following example shows what input and output for the script could look like:
      $ myhome
      What street did you grow up on? Harrison
      What town did you grow up in? Princeton
      The street I grew up on was Harrison and the town was Princeton.
  4. To create the required script, do the following:
    1. Using any text editor, create a script called $HOME/bin/myos and make the script executable:
      $ touch $HOME/bin/myos
      $ chmod 755 $HOME/bin/myos
    2. The script could contain the following:
      #!/bin/bash
      # myos
      # Quoting "$opsys" keeps the test valid even if the user just presses Enter
      read -p "What is your favorite operating system, Mac, Windows or Linux? " opsys
      if [ "$opsys" = Mac ] ; then
        echo "Mac is nice, but not tough enough for me."
      elif [ "$opsys" = Windows ] ; then
        echo "I used Windows once. What is that blue screen for?"
      elif [ "$opsys" = Linux ] ; then
        echo "Great Choice!"
      else
        echo "Is $opsys an operating system?"
      fi
  5. To create a script named $HOME/bin/animals that runs the words moose, cow, goose, and sow through a for loop and have each of those words appended to the end of the line, “I have a...,” do the following:
    1. Make the script executable:
      $ touch $HOME/bin/animals
      $ chmod 755 $HOME/bin/animals
    2. The script could contain the following:
      #!/bin/bash
      # animals
      for ANIMALS in moose cow goose sow ; do
        echo "I have a $ANIMALS"
      done
    3. When you run the script, the output should look as follows:
      $ animals
      I have a moose
      I have a cow
      I have a goose
      I have a sow

Chapter 8: Learning System Administration

  1. You can open the Date & Time window from a GNOME desktop in RHEL or Fedora by doing one of the following:
    • If it isn't already installed, install the system-config-date package (yum install system-config-date).
    • Open a Terminal window and type system-config-date. If you do that as a regular user, you are prompted for the root password.
    • From a GNOME 2.X desktop, select System ➪ Administration ➪ Date & Time.
    • From a GNOME 3 desktop, select Activities and type System-Config-Date. When the Date & Time window opens, select the Time Zone tab to check your time zone.
  2. To use System Monitor to sort all processes running on your system by username, type System Monitor from the Activities screen and press Enter. Click the settings button (icon with three lines), click All Processes, and click the User column. This sorts the processes by user name. Scroll down to see the processes.
  3. To find all files under the /var/spool directory that are owned by users other than root and do a long listing of them, type the following (I recommend becoming root to find files that might be closed off to other users):
    $ su -
    Password: *********
    # find /var/spool -not -user root -ls | less
  4. To become root user and create an empty or plain text file named /mnt/test.txt, type the following:
    $ su -
    Password: *********
    # touch /mnt/test.txt
    # ls -l /mnt/test.txt
    -rw-r--r--. 1 root root 0 Jan  9 21:51 /mnt/test.txt
  5. To become root and edit the /etc/sudoers file to allow your regular user account (for example, bill) to have full root privilege via the sudo command, do the following:
    $ su -
    Password: *********
    # visudo
    o
    bill      ALL=(ALL)     ALL
    Esc ZZ

    Because visudo opens the /etc/sudoers file in vi, the example types o to open a line, and then types in the line to allow bill to have full root privilege. After the line is typed, press ESC to return to command mode and type ZZ to write and quit.

  6. To use the sudo command to create a file called /mnt/test2.txt and verify that the file is there and owned by the root user, type the following:
    [bill]$ sudo touch /mnt/test2.txt
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    [sudo] password for bill:
    *********
    [bill]$ ls -l /mnt/test2.txt
    -rw-r--r--. 1 root root 0 Jan   9 23:37 /mnt/test2.txt
  7. Do the following to mount and unmount a USB drive and watch the system journal during this process:
    1. Run the journalctl -f command as root in a Terminal window and watch the output from here for the next few steps.
      # journalctl -f
      Jan 25 16:07:59 host2 kernel: usb 1-1.1: new high-speed USB device
          number 16 using ehci-pci
      Jan 25 16:07:59 host2 kernel: usb 1-1.1: New USB device found,
          idVendor=0ea0, idProduct=2168
      Jan 25 16:07:59 host2 kernel: usb 1-1.1: New USB device strings:
          Mfr=1, Product=2, SerialNumber=3
      Jan 25 16:07:59 host2 kernel: usb 1-1.1: Product: Flash Disk
      Jan 25 16:07:59 host2 kernel: usb 1-1.1: Manufacturer: USB
      ...
      Jan 25 16:08:01 host2 kernel: sd 18:0:0:0: [sdb] Write Protect is off
      Jan 25 16:08:01 host2 kernel: sd 18:0:0:0: [sdb]
          Assuming drive cache: write through
      Jan 25 16:08:01 host2 kernel:  sdb: sdb1
      Jan 25 16:08:01 host2 kernel: sd 18:0:0:0: [sdb]
          Attached SCSI removable disk
    2. Plug in a USB storage drive, which should mount a filesystem from that drive automatically. If it does not, run the following commands in a second terminal (as root) to create a mount point directory and mount the device:
      # mkdir /mnt/test
      # mount /dev/sdb1 /mnt/test
    3. Unmount the device and unplug the USB drive:
      # umount /dev/sdb1
  8. To see what USB devices are connected to your computer, type the following:
    $ lsusb
  9. To load the bttv module, list the modules that were loaded, and unload it, type the following:
    # modprobe -a bttv
    # lsmod | grep bttv
    bttv                   124516  0
    v4l2_common             10572  1 bttv
    videobuf_dma_sg          9814  1 bttv
    videobuf_core           20076  2 bttv,videobuf_dma_sg
    btcx_risc                4416  1 bttv
    rc_core                 19686  7 ir_lirc_codec,ir_sony_decoder,
         ir_jvc_decoder,ir_rc6_decoder
    tveeprom                14042  1 bttv
    videodev                76244  3 bttv,v4l2_common,uvcvideo
    i2c_algo_bit             5728  2 bttv,i915
    i2c_core                31274  9 bttv,v4l2_common,tveeprom,videodev,
         i2c_i801,i915,drm_kms_helper

    Notice that other modules (v4l2_common, videodev, and others) were loaded when you loaded bttv with modprobe -a.

  10. Type the following to remove the bttv module along with any other modules that were loaded with it. Notice that they were all gone after running modprobe -r.
    # modprobe -r bttv
    # lsmod | grep bttv

Chapter 9: Installing Linux

  1. To install a Fedora system from Fedora live media, follow the instructions in the “Installing Fedora from Live Media” section. In general, those steps include:
    1. Booting the Live media.
    2. Selecting to install to hard drive when the system boots up.
    3. Adding information from the summary page about your language, storage, hostname, time zone, root password, and other items needed to initially configure your system.
    4. Rebooting your computer, removing the Live medium, so the newly installed system boots from hard disk.
  2. To update the packages, after the Fedora Live media installation is complete, do the following:
    1. Reboot the computer and fill in the first boot questions as prompted.
    2. Using a wired or wireless connection, make sure you have a connection to the Internet. Refer to Chapter 14, “Administering Networking,” if you have trouble getting your networking connection to work properly. Open a shell as the root user and type yum update.
    3. When prompted, type y to accept the list of packages displayed. The system begins downloading and installing the packages.
  3. To run the RHEL installation in text mode, do the following:
    1. Boot the RHEL DVD.
    2. When you see the boot menu, highlight one of the installation boot entries and press Tab. Move the cursor to the end of the kernel line and add the word text (the text-mode boot option) at the end of that line. Press Enter to start the installer.
    3. Try out the rest of the installation in text mode.
  4. To set the disk partitioning as described in Question 4 for a Red Hat Enterprise Linux DVD installation, do the following:

    CAUTION

    This procedure ultimately deletes all content on your hard disk. If you want to just use this exercise to practice partitioning, you can reboot your computer before clicking Next at the very end of this procedure without harming your hard disk. After you go forward and partition your disk, assume that all data has been deleted.

    1. On a computer you can erase with at least 10GB of disk space, insert a RHEL installation DVD, reboot, and begin stepping through the installation screens.
    2. When you get to the Installation Summary screen, select Installation Destination.
    3. From the Installation Destination screen, select the device to use for the installation (probably sda if you have a single hard disk that you can completely erase or vda for a virtual install).
    4. Select the “I will configure partitioning” button.
    5. Select Done to get to the Manual Partitioning screen.
    6. If the existing disk space is already consumed, you need to delete the partitions before proceeding.
    7. Click the plus (+) button at the bottom of the screen. Then add each of the following mount points:
      /boot - 400M
      / - 3G
      /var - 2G
      /home - 2G
    8. Select Done. You should see a summary of changes.
    9. If the changes look acceptable, select Accept Changes. If you are just practicing and don't actually want to change your partitions, select Cancel & Return to Custom Partitioning. Then simply exit the installer.

Chapter 10: Getting and Managing Software

  1. To search the YUM repository for the package that provides the mogrify command, type the following:
    # yum provides mogrify
  2. To display information about the package that provides the mogrify command and determine what that package's home page (URL) is, type the following:
    # yum info ImageMagick

    You will see that the URL to the home page for ImageMagick is http://www.imagemagick.org.

  3. To install the package containing the mogrify command, type the following:
    # yum install ImageMagick
  4. To list all the documentation files contained in the package that provides the mogrify command, type the following:
    # rpm -qd ImageMagick
    ...
    /usr/share/doc/ImageMagick/README.txt
    ...
    /usr/share/man/man1/identify.1.gz
    /usr/share/man/man1/import.1.gz
    /usr/share/man/man1/mogrify.1.gz
  5. To look through the change log of the package that provides the mogrify command, type the following:
    # rpm -q --changelog ImageMagick | less
  6. To delete the mogrify command from your system and verify its package against the RPM database to see that the command is indeed missing, type the following:
    # type mogrify
    mogrify is /usr/bin/mogrify
    # rm /usr/bin/mogrify
    rm: remove regular file '/usr/bin/mogrify'? y
    # rpm -V ImageMagick
    missing   /usr/bin/mogrify
  7. To reinstall the package that provides the mogrify command and make sure the entire package is intact again, type the following:
    # yum reinstall ImageMagick
    # rpm -V ImageMagick
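    An added example, not from the book: rpm -V prints one line per file that differs from what the RPM database recorded, but a locally edited config file and a replaced binary look much the same in that output. The filter below reads rpm -V text on stdin and labels each line so the entries worth investigating stand out. It assumes only awk; the lines in SAMPLE_VERIFY are constructed.

```sh
#!/bin/sh
# Added example (not part of the book). Triage "rpm -V" output: a changed
# config file is expected, a changed binary is not. Assumes awk only.

# Constructed sample of rpm -V output (not captured from a real system).
SAMPLE_VERIFY='S.5....T.  c /etc/ImageMagick/policy.xml
S.5....T.    /usr/bin/mogrify
.M.......    /usr/bin/identify
missing     /usr/share/man/man1/mogrify.1.gz
.......T.    /usr/lib64/libMagickCore.so'

# Usage: rpm -V ImageMagick | rpm_verify_triage      (or: rpm -Va | rpm_verify_triage)
rpm_verify_triage() {
    awk '
        # Flag positions: S size, M mode, 5 digest, D device, L link, U user,
        # G group, T mtime, P capabilities; "." means unchanged. An optional
        # attribute column (c config, d doc, g ghost, ...) precedes the path.
        $1 == "missing" { print "MISSING  " $NF; next }
        length($1) == 9 {
            flags = $1; attr = (NF == 3) ? $2 : ""; path = $NF
            # Mode/owner/group changes matter even on config files.
            if (flags ~ /[MUG]/)                { print "PERMS    " path " (" flags ")"; next }
            # Content changes on anything that is not a config file.
            if (flags ~ /[S5L]/ && attr != "c") { print "TAMPERED " path " (" flags ")"; next }
            if (attr == "c")                    { print "CONFIG   " path " (" flags ")"; next }
            print "INFO     " path " (" flags ")"
        }'
}

# Demo on the constructed sample: mogrify is the one TAMPERED entry.
printf '%s\n' "$SAMPLE_VERIFY" | rpm_verify_triage
```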
  8. To download the package that provides the mogrify command to your current directory, type the following:
    # yumdownloader ImageMagick
    ImageMagick-6.8.8.10-5.fc21.x86_64.rpm
  9. To display general information about the package you just downloaded by querying the package's RPM file in the current directory, type the following:
    # rpm -qip ImageMagick-6.8.8.10-5.fc21.x86_64.rpm
    Name        : ImageMagick
    Version     : 6.8.8.10
    Release     : 5.fc21
    Architecture: x86_64
    ...
  10. To remove the package containing the mogrify command from your system, type the following:
    # yum remove ImageMagick

Chapter 11: Managing User Accounts

For questions that involve adding and removing user accounts, you can use the Users window, the User Manager window, or command-line tools such as useradd and usermod. The point is to make sure that you get the correct results shown in the answers that follow, not necessarily do it exactly the same way I did. There are multiple ways you can achieve the same results. The answers here show how to complete the exercises from the command line. (Become root user when you see a # prompt.)

  1. To add a local user account to your Linux system that has a username of jbaxter and a full name of John Baxter, that uses /bin/sh as its default shell, and that is the next available UID (yours may differ from the one shown here), type the following. You can use the grep command to check the new user account. Then set the password for jbaxter to: My1N1te0ut!
    # useradd -c "John Baxter" -s /bin/sh jbaxter
    # grep jbaxter /etc/passwd
    jbaxter:x:1001:1001:John Baxter:/home/jbaxter:/bin/sh
    # passwd jbaxter
    Changing password for user jbaxter
    New password: My1N1te0ut!
    Retype new password: My1N1te0ut!
    passwd: all authentication tokens updated successfully
  2. To create a group account named testing that uses group ID 315, type the following:
    # groupadd -g 315 testing
    # grep testing /etc/group
    testing:x:315:
  3. To add jbaxter to the testing group and the bin group, type the following:
    # usermod -aG testing,bin jbaxter
    # grep jbaxter /etc/group
    bin:x:1:bin,daemon,jbaxter
    jbaxter:x:1001:
    testing:x:315:jbaxter
  4. To become jbaxter, temporarily make the testing group jbaxter's default group, and then run touch /home/jbaxter/file.txt (so that the testing group is assigned as the file's group), do the following:
    $ su - jbaxter
    Password: My1N1te0ut!
    sh-4.2$ newgrp testing
    sh-4.2$ touch /home/jbaxter/file.txt
    sh-4.2$ ls -l /home/jbaxter/file.txt
    -rw-rw-r--. 1 jbaxter testing 0 Jan 25 06:42 /home/jbaxter/file.txt
    sh-4.2$ exit ; exit
  5. Note what user ID has been assigned to jbaxter, and then delete the user account without deleting the home directory assigned to jbaxter:
    # userdel jbaxter
  6. Use the following command to find any files in the /home directory (and any subdirectories) that are assigned to the user ID that recently belonged to the user named jbaxter (when I did it, the UID/GID were both 1001; yours may differ). Notice that the username jbaxter is no longer assigned on the system, so any files that user created are listed as belonging to UID 1001 and GID 1001, except for a couple of files that were assigned to the testing group, because of the newgrp command run earlier:
    # find /home -uid 1001 -ls
    262184  4 drwx------ 4 1001  1001  4096 Jan 25 08:00 /home/jbaxter
    262193  4 -rw-r--r-- 1 1001  1001   176 Jan 27  2011 /home/jbaxter/.bash_profile
    262196  4 -rw------- 1 1001  testing 93 Jan 25 08:00 /home/jbaxter/.bash_history
    262194  0 -rw-rw-r-- 1 1001  testing  0 Jan 25 07:59 /home/jbaxter/file.txt
    ...
  7. Run these commands to copy the /etc/services file to the /etc/skel/ directory; then add a new user to the system named mjones, with a full name of Mary Jones and a home directory of /home/maryjones. List her home directory to make sure the services file is there.
    # cp /etc/services /etc/skel/
    # useradd -d /home/maryjones -c "Mary Jones" mjones
    # ls -l /home/maryjones
    total 628
    -rw-r--r--. 1 mjones mjones 640999 Jan 25 06:27 services
  8. Run the following command to find all files under the /home directory that belong to mjones. If you did the exercises in order, notice that after you deleted the user with the highest user ID and group ID, those numbers were assigned to mjones. As a result, any files left on the system by jbaxter now belong to mjones. (For this reason, you should remove or change ownership of files left behind when you delete a user.)
    # find /home -user mjones -ls
    262184 4 drwx------ 4 mjones mjones 4096 Jan 25 08:00 /home/jbaxter
    262193 4 -rw-r--r-- 1 mjones mjones 176 Jan 27 2011 /home/jbaxter/.bash_profile
    262189 4 -rw-r--r-- 1 mjones mjones 18 Jan 27 2011 /home/jbaxter/.bash_logout
    262194 0 -rw-rw-r-- 1 mjones testing 0 Jan 25 07:59 /home/jbaxter/file.txt
    262188 4 -rw-r--r-- 1 mjones mjones 124 Jan 27 2011 /home/jbaxter/.bashrc
    262197 4 drwx------ 4 mjones mjones 4096 Jan 25 08:27 /home/maryjones
    262207 4 -rw-r--r-- 1 mjones mjones 176 Jan 27 2011 /home/maryjones/.bash_profile
    262202 4 -rw-r--r-- 1 mjones mjones 18 Jan 27 2011 /home/maryjones/.bash_logout
    262206 628 -rw-r--r-- 1 mjones mjones 640999 Jan 25 08:27 /home/maryjones/services
    262201 4 -rw-r--r-- 1 mjones mjones 124 Jan 27 2011 /home/maryjones/.bashrc
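    An added example, not from the book, for the UID-reuse problem shown in answers 6 and 8: after userdel, any file still owned by the old numeric UID is silently inherited by the next account that receives that UID. The functions below list entries under a directory tree whose owner UID maps to no account, so an offboarding script can reassign or remove them before the UID is handed out again. They assume GNU find (for -printf) and awk; the second argument names an alternative passwd file, which the demo uses so it runs without root.

```sh
#!/bin/sh
# Added example (not part of the book). Find files whose numeric owner no
# longer appears in the passwd file. Assumes GNU find and awk.

# Print "uid path" for every entry under $1 whose owner UID is absent from the
# passwd file $2 (default /etc/passwd).
orphaned_files() {
    find "$1" -printf '%U %p\n' | awk -v pw="${2:-/etc/passwd}" '
        BEGIN {
            # Collect every UID (third colon-separated field) in the passwd file.
            while ((getline line < pw) > 0) { split(line, f, ":"); known[f[3]] = 1 }
            close(pw)
        }
        # Keep the UID, then strip it from the record so paths with spaces survive.
        !($1 in known) { uid = $1; sub(/^[^ ]+ /, ""); print uid, $0 }'
}

# Succeed (exit 0) only when nothing under $1 is orphaned; a natural
# post-userdel check in an offboarding script.
no_orphans() {
    [ -z "$(orphaned_files "$1" "$2")" ]
}

# Demo on a constructed tree. A passwd file listing only UID 12345 makes the
# current user's files look orphaned; adding the current UID clears them.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/jbaxter"
: > "$demo_dir/jbaxter/file.txt"
printf 'svc:x:12345:12345:Service:/var/lib/svc:/sbin/nologin\n' > "$demo_dir/passwd"
orphaned_files "$demo_dir/jbaxter" "$demo_dir/passwd"          # lists both entries
printf 'me:x:%s:%s:Me:/home/me:/bin/sh\n' "$(id -u)" "$(id -g)" >> "$demo_dir/passwd"
orphaned_files "$demo_dir/jbaxter" "$demo_dir/passwd"          # prints nothing
rm -rf "$demo_dir"
```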
  9. As the user mjones, you can use the following to create a file called /tmp/maryfile.txt and use ACLs to assign the bin user read/write permission and the lp group read/write permission to that file.
    [mjones]$ touch /tmp/maryfile.txt
    [mjones]$ setfacl -m u:bin:rw /tmp/maryfile.txt
    [mjones]$ setfacl -m g:lp:rw /tmp/maryfile.txt
    [mjones]$ getfacl /tmp/maryfile.txt
    # file: tmp/maryfile.txt
    # owner: mjones
    # group: mjones
    user::rw-
    user:bin:rw-
    group::rw-
    group:lp:rw-
    mask::rw-
    other::r--
  10. Run this set of commands (as mjones) to create a directory named /tmp/mydir and use ACLs to assign default permissions to it so that the adm user has read/write/execute permission to that directory and any files or directories created in it. Test that it worked by creating the /tmp/mydir/testing/ directory and /tmp/mydir/newfile.txt.
    [mjones]$ mkdir /tmp/mydir
    [mjones]$ setfacl -m d:u:adm:rwx /tmp/mydir
    [mjones]$ getfacl /tmp/mydir
    # file: tmp/mydir
    # owner: mjones
    # group: mjones
    user::rwx
    group::rwx
    other::r-x
    default:user::rwx
    default:user:adm:rwx
    default:group::rwx
    default:mask::rwx
    default:other::r-x
    [mjones]$ mkdir /tmp/mydir/testing
    [mjones]$ touch /tmp/mydir/newfile.txt
    [mjones]$ getfacl /tmp/mydir/testing/
    # file: tmp/mydir/testing/
    # owner: mjones
    # group: mjones
    user::rwx
    user:adm:rwx
    group::rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:adm:rwx
    default:group::rwx
    default:mask::rwx
    default:other::r-x
    [mjones]$ getfacl /tmp/mydir/newfile.txt
    # file: tmp/mydir/newfile.txt
    # owner: mjones
    # group: mjones
    user::rw-
    user:adm:rwx       #effective:rw-
    group::rwx         #effective:rw-
    mask::rw-
    other::r--

    Notice that the adm user effectively has only rw- permission. To remedy that, you need to expand the permissions of the mask. One way to do that is with the chmod command, as follows:

    [mjones]$ chmod 775 /tmp/mydir/newfile.txt
    [mjones]$ getfacl /tmp/mydir/newfile.txt
    # file: tmp/mydir/newfile.txt
    # owner: mjones
    # group: mjones
    user::rwx
    user:adm:rwx
    group::rwx
    mask::rwx
    other::r-x
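    An added example, not from the book, for the mask behaviour shown in answer 10: getfacl marks an entry with #effective: when the mask cuts it down, and on a file that carries an ACL the group bits given to chmod rewrite that mask rather than the owning group's entry. The filter below reads getfacl output on stdin and prints the rights each named-user, named-group and owning-group entry actually grants once the mask is applied. It assumes only awk; the sample is the newfile.txt listing from the answer above.

```sh
#!/bin/sh
# Added example (not part of the book). Compute the effective rights of ACL
# entries under the mask, as getfacl reports in its "#effective:" column.

# The newfile.txt listing from the answer above, before chmod 775.
SAMPLE_ACL='# file: tmp/mydir/newfile.txt
# owner: mjones
# group: mjones
user::rw-
user:adm:rwx       #effective:rw-
group::rwx         #effective:rw-
mask::rw-
other::r--'

# Usage: getfacl FILE | acl_effective
acl_effective() {
    awk '
        # A right survives only if both the entry and the mask grant it.
        function apply_mask(perm, m,   i, ch, out) {
            out = ""
            for (i = 1; i <= 3; i++) {
                ch = substr(perm, i, 1)
                out = out ((ch != "-" && ch == substr(m, i, 1)) ? ch : "-")
            }
            return out
        }
        /^#/ || /^$/ || /^default:/ { next }   # comments, blanks, default entries
        { sub(/[ \t]*#.*$/, ""); split($0, f, ":") }   # drop "#effective" notes
        f[1] == "mask" { mask = f[3]; next }
        # Owner (user::), other:: and the mask itself are never masked; named
        # users, named groups and the owning group (group::) are.
        (f[1] == "user" && f[2] != "") || f[1] == "group" { n++; entry[n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(entry[i], f, ":")
                eff = (mask == "") ? f[3] : apply_mask(f[3], mask)
                note = (eff == f[3]) ? "" : "  (limited by mask " mask ")"
                printf "%s:%s:%s effective=%s%s\n", f[1], f[2], f[3], eff, note
            }
        }'
}

# Demo: both masked entries come out as rw- until the mask is widened.
printf '%s\n' "$SAMPLE_ACL" | acl_effective
```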

Chapter 12: Managing Disks and Filesystems

  1. To determine the device name of a USB flash drive that you want to insert into your computer, type the following and insert the USB flash drive (press Ctrl+C after you have seen the appropriate messages).
    # tail -f /var/log/messages
    kernel: [sdb] 15667200 512-byte logical blocks: (8.02 GB/7.47 GiB)
    Feb 11 21:55:59 cnegus kernel: sd 7:0:0:0: [sdb] Write Protect is off
    Feb 11 21:55:59 cnegus kernel: [sdb] Assuming drive cache: write through
    Feb 11 21:55:59 cnegus kernel: [sdb] Assuming drive cache: write through
  2. To list partitions on the USB flash drive on a RHEL 6 system, type the following:
    # fdisk -c -u -l /dev/sdb

    To list partitions on a RHEL 7 or Fedora system, type the following:

    # fdisk -l /dev/sdb
  3. To delete partitions on the USB flash drive, assuming device /dev/sdb, do the following:
    # fdisk /dev/sdb
    Command (m for help): d
    Partition number (1-6): 6
    Command (m for help): d
    Partition number (1-5): 5
    Command (m for help): d
    Partition number (1-5): 4
    Command (m for help): d
    Partition number (1-4): 3
    Command (m for help): d
    Partition number (1-4): 2
    Command (m for help): d
    Selected partition 1
    Command (m for help): w
    # partprobe /dev/sdb
  4. To add a 100MB Linux partition, 200MB swap partition, and 500MB LVM partition to the USB flash drive, type the following:
    # fdisk /dev/sdb
    
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 1
    First sector (2048-15667199, default 2048): <ENTER>
    Last sector, +sectors or +size{K,M,G} (default 15667199): +100M
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 2
    First sector (616448-8342527, default 616448): <ENTER>
    Last sector, +sectors or +size{K,M,G} (default 15667199): +200M
    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    p
    Partition number (1-4): 3
    First sector (616448-15667199, default 616448): <ENTER>
    Using default value 616448
    Last sector, +sectors or +size{K,M,G} (default 15667199): +500M
    Command (m for help): t
    Partition number (1-4): 2
    Hex code (type L to list codes): 82
    Changed system type of partition 2 to 82 (Linux swap / Solaris)
    Command (m for help): t
    Partition number (1-4): 3
    Hex code (type L to list codes): 8e
    Changed system type of partition 3 to 8e (Linux LVM)
    Command (m for help): w
    # partprobe /dev/sdb
    # grep sdb /proc/partitions
       8       16    7833600 sdb
       8       17     102400 sdb1
       8       18     204800 sdb2
       8       19     512000 sdb3
  5. To put an ext3 filesystem on the Linux partition, type the following:
    # mkfs -t ext3 /dev/sdb1
  6. To create a mount point called /mnt/mypart and mount the Linux partition on it temporarily, do the following:
    # mkdir /mnt/mypart
    # mount -t ext3 /dev/sdb1 /mnt/mypart
  7. To enable the swap partition and turn it on so additional swap space is immediately available, type the following:
    # mkswap /dev/sdb2
    # swapon /dev/sdb2
  8. To create a volume group called abc from the LVM partition, create a 200MB logical volume from that group called data, create a VFAT filesystem on it, temporarily mount the logical volume on a new directory named /mnt/test, and then check that it was successfully mounted, type the following:
    # pvcreate /dev/sdb3
    # vgcreate abc /dev/sdb3
    # lvcreate -n data -L 200M abc
    # mkfs -t vfat /dev/mapper/abc-data
    # mkdir /mnt/test
    # mount /dev/mapper/abc-data /mnt/test
  9. To grow the logical volume from 200MB to 300MB, type the following. (Note that resize2fs grows only ext2, ext3, and ext4 filesystems; it will not resize the VFAT filesystem created in the previous answer, so the second command applies only when the volume carries an ext filesystem.)
    # lvextend -L +100M /dev/mapper/abc-data
    # resize2fs -p /dev/mapper/abc-data
  10. To safely remove the USB flash drive from the computer, do the following:
    # umount /dev/sdb1
    # swapoff /dev/sdb2
    # umount /mnt/test
    # lvremove /dev/mapper/abc-data
    # vgremove abc
    # pvremove /dev/sdb3

    You can now safely remove the USB flash drive from the computer.

Chapter 13: Understanding Server Administration

  1. To log in to any account on another computer using the ssh command, type the following, and then enter the password when prompted:
    $ ssh joe@localhost
    joe@localhost's password:
    *********
    [joe]$
  2. To display the contents of a remote /etc/system-release file and have its contents displayed on the local system using remote execution with the ssh command, do the following:
    $ ssh joe@localhost "cat /etc/system-release"
    joe@localhost's password: *********
    Fedora release 21 (Twenty One)
  3. To use X11 forwarding to display a gedit window on your local system and then save a file on the remote home directory, do the following:
    $ ssh -X joe@localhost "gedit newfile"
    joe@localhost's password: ********
    $ ssh joe@localhost "cat newfile"
    joe@localhost's password: ********
    This is text from the file I saved in joe's remote home directory
  4. To recursively copy all the files from the /usr/share/selinux directory on a remote system to the /tmp directory on your local system in such a way that all the modification times on the files are updated to the time on the local system when they are copied, do the following:
    $ scp -r joe@localhost:/usr/share/selinux /tmp
    joe@localhost's password: ********
    irc.pp.bz2                          100% 9673     9.5KB/s  00:00
    dcc.pp.bz2                          100%   15KB  15.2KB/s  00:01
    $ ls -l /tmp/selinux | head
    total 20
    drwxr-xr-x. 3 root root  4096 Apr 18 05:52 devel
    drwxr-xr-x. 2 root root  4096 Apr 18 05:52 packages
    drwxr-xr-x. 2 root root 12288 Apr 18 05:52 targeted
  5. To recursively copy all the files from the /usr/share/logwatch directory on a remote system to the /tmp directory on your local system in such a way that all the modification times on the files from the remote system are maintained on the local system, try this:
    $ rsync -av joe@localhost:/usr/share/logwatch /tmp
    joe@localhost's password: ********
    receiving incremental file list
    logwatch/
    logwatch/default.conf/
    logwatch/default.conf/logwatch.conf
    $ ls -l /tmp/logwatch | head
    total 16
    drwxr-xr-x. 5 root root 4096 Apr 19  2011 default.conf
    drwxr-xr-x. 4 root root 4096 Feb 28  2011 dist.conf
    drwxr-xr-x. 2 root root 4096 Apr 19  2011 lib
  6. To create a public/private key pair to use for SSH communications (no passphrase on the key), copy the public key file to a remote user's account with ssh-copy-id, and use key-based authentication to log in to that user account without having to enter a password, use the following code:
    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/joe/.ssh/id_rsa): ENTER
    /home/joe/.ssh/id_rsa already exists.
    Enter passphrase (empty for no passphrase): ENTER
    Enter same passphrase again: ENTER
    Your identification has been saved in /home/joe/.ssh/id_rsa.
    Your public key has been saved in /home/joe/.ssh/id_rsa.pub.
    The key fingerprint is:
    58:ab:c1:95:b6:10:7a:aa:7c:c5:ab:bd:f3:4f:89:1e joe@cnegus.csb
    The key's randomart image is:
    $ ssh-copy-id -i ~/.ssh/id_rsa.pub joe@localhost
    joe@localhost's password: ********
    Now try logging into the machine, with "ssh 'joe@localhost'",
    and check in:
    .ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.
    $ ssh joe@localhost
    $ cat .ssh/authorized_keys
  7. To create an entry in /etc/rsyslog.conf that stores all authentication messages at the info level and higher into a file named /var/log/myauth, do the following. Watch from one terminal as the data comes in.
    # vim /etc/rsyslog.conf
    authpriv.info                            /var/log/myauth
    # service rsyslog restart
         or
    # systemctl restart rsyslog.service
    <Terminal 1>
    # tail -f /var/log/myauth

    <Terminal 2>
    $ ssh joe@localhost
    joe@localhost's password:
    Permission denied, try again

    <Terminal 1> then shows the failed attempt:
    Apr 18 06:19:34 abc unix_chkpwd[30631]
    Apr 18 06:19:34 abc sshd[30631]: pam_unix(sshd:auth): authentication failure; logname= uid=501 euid=501 tty=ssh ruser= rhost=localhost user=joe
    Apr 18 06:19:34 abc sshd[30631]: Failed password for joe from 127.0.0.1 port 5564 ssh2
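    An added example, not from the book: once authpriv messages are collected in /var/log/myauth, the function below summarises sshd "Failed password" lines per source address and reports the sources that reached a threshold, which is the usual first cut at spotting password guessing in that file. It assumes awk and sort; SAMPLE_LOG is constructed for the demo, with its first line taken from the transcript above.

```sh
#!/bin/sh
# Added example (not part of the book). Summarise sshd authentication failures
# from an rsyslog authpriv file such as /var/log/myauth. Assumes awk and sort.

# Constructed sample; only the first line comes from the book's transcript.
SAMPLE_LOG='Apr 18 06:19:34 abc sshd[30631]: Failed password for joe from 127.0.0.1 port 5564 ssh2
Apr 18 06:21:02 abc sshd[30702]: Failed password for invalid user admin from 10.0.0.5 port 41122 ssh2
Apr 18 06:21:05 abc sshd[30704]: Failed password for invalid user test from 10.0.0.5 port 41130 ssh2
Apr 18 06:21:09 abc sshd[30706]: Failed password for root from 10.0.0.5 port 41137 ssh2
Apr 18 06:21:12 abc sshd[30708]: Failed password for root from 10.0.0.5 port 41141 ssh2
Apr 18 06:22:40 abc sshd[30730]: Accepted publickey for joe from 127.0.0.1 port 5570 ssh2'

# Usage: ssh_failed_logins [threshold] < /var/log/myauth
# Prints "source count user1,user2,..." for each source with at least
# threshold failures (default 3), highest count first.
ssh_failed_logins() {
    awk -v limit="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                # Both "for joe from" and "for invalid user admin from" occur.
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") src = $(i+1)
            }
            if (src == "") next
            fails[src]++
            # Record each user name once per source, in first-seen order.
            if (!((src, user) in seen)) {
                seen[src, user] = 1
                names[src] = names[src] (names[src] == "" ? "" : ",") user
            }
        }
        END {
            for (s in fails)
                if (fails[s] >= limit) printf "%s %d %s\n", s, fails[s], names[s]
        }' | sort -k2,2nr
}

# Demo on the constructed sample: 10.0.0.5 (4 failures, three user names)
# crosses the default threshold; joe's single mistype on 127.0.0.1 does not.
printf '%s\n' "$SAMPLE_LOG" | ssh_failed_logins
```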
  8. To determine the largest directory structures under /usr/share, sort them from largest to smallest, and list the top 10 of those directories in terms of size using the du command, type the following:
    $ du -s /usr/share/* | sort -rn | head
    
    527800 /usr/share/locale
    277108 /usr/share/fonts
    265772 /usr/share/icons
    253844 /usr/share/doc
    ...
  9. To show the space that is used and available from all the filesystems currently attached to the local system, but exclude any tmpfs or devtmpfs filesystems by using the df command, type the following:
    $ df -h -x tmpfs -x devtmpfs
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/sda4        20G  4.2G 16G    22% /
  10. To find any files in the /usr directory that are more than 10MB in size, do the following:
    $ find /usr -size +10M
    /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/rt.jar
    /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.3/jre/lib/rt.jar
    /usr/lib/llvm/libLLVM-2.9.so
    /usr/lib/flash-plugin/libflashplayer.so

Chapter 14: Administering Networking

  1. To use the desktop to check that NetworkManager has successfully started your network interface (wired or wireless), do the following:

    Left-click the NetworkManager icon in your top panel. Any active wired or wireless network connections should be highlighted in bold.

    If it has not connected to the network, select from the list of wired or wireless networks available, and then enter the username and password, if prompted, to start an active connection.

  2. To run a command to check the active network interfaces available on your computer, type:
    $ ifconfig
    or
    $ ip addr show
  3. Try to contact google.com from the command line in a way that ensures that DNS is working properly:
    $ ping google.com
    Ctrl-C
  4. To run a command to check the routes being used to communicate outside your local network, type:
    $ route
  5. To trace the route being taken to connect to google.com, use the traceroute command:
    $ traceroute google.com
  6. To turn off and disable NetworkManager and start the network service, do the following:

    From an RHEL 6 system, type:

    # service NetworkManager stop
    # service network restart
    # chkconfig NetworkManager off
    # chkconfig network on

    For RHEL 7 or newer Fedora systems, type:

    # systemctl stop NetworkManager.service
    # systemctl disable NetworkManager.service
    # service network restart
    # chkconfig network on
  7. To create a host entry that allows you to communicate with your local host system using the name myownhost, do the following: Edit the /etc/hosts file (vi /etc/hosts) and add myownhost to the end of the localhost entry so it appears as follows (then ping myownhost to see if it worked):
    127.0.0.1              localhost.localdomain localhost myownhost
    # ping myownhost
    Ctrl+C
  8. To add the public Google DNS server (IP address 8.8.8.8) as the last in your list of DNS servers, take the following action: Make a copy of your resolv.conf file before proceeding (then copy it back after the procedure is done):
    # cp /etc/resolv.conf $HOME

    If you are using the NetworkManager service, left-click the NetworkManager icon and select Network Settings. Select the IPv4 Settings. Then select the Method box and choose Automatic (DHCP) addresses only and fill in 8.8.8.8 in the DNS servers box (along with any other DNS servers you need). If that doesn't work, try one of the DNS servers listed in the resolv.conf file you just copied to your home directory.

    Or, if you are using the network service, edit the /etc/resolv.conf file directly, so the file includes at least the following line:

    nameserver 8.8.8.8

    In either case, use the dig command to check that the DNS server was able to resolve an address:

    # dig google.com
    ...
    google.com.     91941   IN     NS     ns3.google.com.
    ;; Query time: 0 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon Apr 30 13:57:44 2012
    ;; MSG SIZE rcvd: 276
  9. To create a custom route that directs traffic destined for the 192.168.99.0/255.255.255.0 network to some IP address on your local network, such as 192.168.0.5 (first ensuring that the 192.168.99.0 network is not being used at your location), do the following:

    Determine the name of your network interface. For RHEL, your first network interface is probably eth0. In that case, as root run the following commands:

    # cd /etc/sysconfig/network-scripts
    # vi route-eth0

    Add the following lines to that file:

    ADDRESS0=192.168.99.0
    NETMASK0=255.255.255.0
    GATEWAY0=192.168.0.5

    Restart networking and run route to see that the route is active:

    # service network restart
    # route
    Destination  Gateway       Genmask       Flags Metric Ref Use Iface
    default      192.168.0.1   0.0.0.0       UG     0      0     0 eth0
    192.168.0.0  *             255.255.255.0 U      1      0     0 eth0
    192.168.99.0 192.168.0.5   255.255.255.0 UG     0      0     0 eth0

    To check to see if your system has been configured to allow IPv4 packets to be routed between network interfaces on your system, type the following:

    # cat /proc/sys/net/ipv4/ip_forward
    0

    A 0 shows that IPv4 packet forwarding is disabled; a 1 shows it is enabled.

Chapter 15: Starting and Stopping Services

  1. To determine which initialization daemon your server is currently using, consider the following:
    • You have Upstart if your Linux server runs one of the following distributions: RHEL version 6, Fedora versions 9 through 14, Ubuntu versions 6-14.10, or openSUSE versions 11.3–12.1, and the strings command shows the Upstart init process in use as demonstrated in the following example:
      $ strings /sbin/init | grep -i upstart
      upstart-devel@lists.ubuntu.com
      UPSTART_CONFDIR
      UPSTART_NO_SESSIONS
      ...
    • You have the systemd daemon if your Linux server runs Fedora version 15 or greater, RHEL 7, Ubuntu 15.04 or OpenSUSE 12.02 or greater. In some cases, PID 1 is the systemd process. In earlier cases, PID 1 is the init daemon. To tell if it is a systemd init daemon, you can run the following strings command to show systemd in use:
      # strings /sbin/init | grep -i systemd
      systemd.unit=
      systemd.log_target=
      systemd.log_level=
      ...
    • Most likely, you have the SysVinit or BSD init daemon if your init daemon is not the Upstart init daemon or systemd. But double-check at http://wikipedia.org/wiki/Init.
  2. The tools you use to manage services depend primarily on which initialization system is in use. Try to run the initctl, systemctl, and service commands to determine the type of initialization script in use for the ssh service on your system:
    • A positive result, shown here, means the sshd has been converted to Upstart:
      # initctl status ssh
      ssh start/running, process 2390
    • For systemd, a positive result, shown here, means the sshd has been converted to systemd:
      # systemctl status sshd.service
      sshd.service - OpenSSH server daemon
        Loaded: loaded (/lib/systemd/system/sshd.service; enabled)
        Active: active (running) since Mon, 30 Apr 2015 12:35:20...
    • If you don't see positive results for the preceding tests, try the following command for the SysVinit init daemon. A positive result here, along with negative results for the preceding tests, means sshd is still using the SysVinit daemon.
      # service ssh status
      sshd (pid 2390) is running...
  3. To determine your server's previous and current runlevel, use the runlevel command. It still works on all init daemons:
    $ runlevel
    N 3
  4. To change the default runlevel or target unit on your Linux server, you can do one of the following (depending upon your server's init daemon):
    • For SysVinit, edit the file /etc/inittab and change the # in the line id:#:initdefault: to either 2, 3, 4, or 5.
    • For Upstart daemon, edit the file /etc/inittab and change the # in the line id:#:initdefault: to either 2, 3, 4, or 5.
    • For systemd, change the default.target symbolic link to the desired runlevel#.target, where # is either 2, 3, 4, or 5. The following shows you how to change the symbolic link for the target unit to runlevel3.target.
      # ln -sf /lib/systemd/system/runlevel3.target \
             /etc/systemd/system/default.target
      /lib/systemd/system/runlevel3.target
  5. To list out services running (or active) on your server, you need to use different commands, depending upon the initialization daemon you are using.
    • For SysVinit, use the service command as shown in this example:
      # service --status-all | grep running... | sort
      anacron (pid 2162) is running...
      atd (pid 2172) is running...
      ...
    • For Upstart, use the initctl command. However, also be sure to use the service command, because not all services may have been ported to Upstart:
      # initctl list | grep start/running
      tty (/dev/tty3) start/running, process 1163
      ...
      # service --status-all | grep running
      abrtd (pid  1118) is running...
      ...
    • For systemd, use the systemctl command, as follows:
      # systemctl list-unit-files --type=service | grep -v disabled
      UNIT FILE                         STATE
      abrt-ccpp.service                 enabled
      abrt-oops.service                 enabled
      ...
  6. To list out the running (or active) services on your Linux server, use the appropriate command(s) determined in Answer 5 for the initialization daemon your server is using.
  7. For each initialization daemon, the following command(s) show a particular service's current status:
    • For SysVinit, the service service_name status command is used.
    • For Upstart, the initctl status service_name command is used.
    • For systemd, the systemctl status service_name command is used.
  8. To show the status of the cups daemon on your Linux server, use the following:
    • For SysVinit:
      # service cups status
      cupsd (pid 8236) is running...
    • For Upstart:
      # initctl status cups
      cups start/running, process 2390
    • Remember that if a service has not yet been ported to Upstart, you need to use the service command instead of initctl.
    • For systemd:
      # systemctl status cups.service
      cups.service - CUPS Printing Service
           Loaded: loaded (/lib/systemd/system/cups.service; enabled)
           Active: active (running) since Tue, 01 May 2015 04:43:5...
        Main PID: 17003 (cupsd)
           CGroup: name=systemd:/system/cups.service
                    17003 /usr/sbin/cupsd -f
  9. To attempt to restart the cups daemon on your Linux server, use the following:
    • For SysVinit:
      # service cups restart
      Stopping cups:       [  OK  ]
      Starting cups:       [  OK  ]
    • For Upstart:
      # initctl restart cups
      cups start/running, process 2490
    • Remember that if a service has not yet been ported to Upstart, you need to use the service command instead of initctl.
    • For systemd:
      # systemctl restart cups.service
  10. To attempt to reload the cups daemon on your Linux server, use the following:
    • For SysVinit:
      # service cups reload
      Reloading cups:           [  OK  ]
    • For Upstart:
      # initctl reload cups
    • Remember that if a service has not yet been ported to Upstart, you need to use the service command instead of initctl.
    • For systemd, this is a trick question. You cannot reload the cups daemon on a systemd Linux server!
      # systemctl reload cups.service
      Failed to issue method call: Job type reload is
        not applicable for unit cups.service.

Chapter 16: Configuring a Print Server

  1. To use the Print Settings window to add a new printer called myprinter to your system (generic PostScript printer, connected to a port), do the following from Fedora 21:
    1. Install the system-config-printer package:
      # yum install system-config-printer
    2. From the GNOME 3 desktop, select Print Settings from the Activities screen.
    3. Unlock the interface and enter the root password.
    4. Select the Add button.
    5. Select an LPT or other port as the device and click Forward.
    6. For the driver, choose Generic and click Forward; then choose PostScript and click Forward.
    7. Click Forward to skip any installable options, if needed.
    8. For the printer name, call it myprinter, give it any Description and Location you like, and click Apply.
    9. Click Cancel to not print a test page. The printer should appear in the Print Settings window.
  2. To use the lpc command to see the status of all your printers, type the following:
    # lpc status
    myprinter:
      queuing is enabled
      printing is enabled
      no entries
      daemon present
  3. To use the lpr command to print the /etc/hosts file, type the following:
    $ lpr /etc/hosts -P myprinter
  4. To check the print queue for that printer, type the following:
    # lpq -P myprinter
    myprinter is not ready
    Rank    Owner  Job      File(s)           Total Size
    1st     root   655      hosts             1024 bytes
  5. To remove the print job from the queue (cancel it), type the following.
    # lprm -P myprinter
  6. To use the printing window to set the basic server setting that publishes your printers so other systems on your local network can print to your printers, do the following:
    1. On a GNOME 3 desktop, from the Activities screen, type Print Settings and press Enter.
    2. Select Server → Settings and type the root password if prompted.
    3. Click the check box next to Publish shared printers connected to this system, and click OK.
  7. To allow remote administration of your system from a web browser, follow these steps:
    1. On a GNOME 3 desktop, from the Activities screen, type Print Settings and press Enter.
    2. Select Server → Settings and type the root password if prompted.
    3. Click the check box next to Allow remote administration, and click OK.
  8. To demonstrate that you can do remote administration of your system from a web browser on another system, do the following:
    1. In the location box from a browser window from another computer on your network, type the following replacing hostname with the name or IP address of the system running your print service: http://hostname:631.
    2. Type root as the user and the root password, when prompted. The CUPS home page should appear from that system.
  9. To use the netstat command to see which addresses the cupsd daemon is listening on, type the following:
    # netstat -tupln | grep 631
    tcp   0    0 0.0.0.0:631      0.0.0.0:*     LISTEN     6492/cupsd
  10. To delete the myprinter printer entry from your system, do the following:
    1. Click the Unlock button and type the root password when prompted.
    2. From the Print Settings window, right-click the myprinter icon and select Delete.
    3. When prompted, select Delete again.

Chapter 17: Configuring a Web Server

  1. To install all the packages associated with the Web Server group on a Fedora system, do the following:
    # yum groupinstall "Web Server"
  2. To create a file called index.html in the directory assigned to DocumentRoot in the main Apache configuration file (with the words My Own Web Server inside), do the following:
    1. Determine the location of DocumentRoot:
      # grep ^DocumentRoot /etc/httpd/conf/httpd.conf
      DocumentRoot "/var/www/html"
    2. Echo the words “My Own Web Server” into the index.html file located in DocumentRoot:
      # echo "My Own Web Server" > /var/www/html/index.html
  3. To start the Apache web server and set it to start up automatically at boot time, then check that it is available from a web browser on your local host, do the following (you should see the words “My Own Web Server” displayed if it is working properly):

    The httpd service is started and enabled differently on different Linux systems. In recent Fedora or RHEL 7 or later, type the following:

    # systemctl start httpd.service
    # systemctl enable httpd.service

    In RHEL 6 or earlier, type:

    # service httpd start
    # chkconfig httpd on
  4. To use the netstat command to see which ports the httpd server is listening on, type the following:
    # netstat -tupln | grep httpd
    tcp6     0   0 :::80      :::*    LISTEN   2496/httpd
    tcp6     0   0 :::443     :::*    LISTEN   2496/httpd
  5. Try to connect to your Apache web server from a web browser that is outside the local system. If it fails, correct any problems you encounter by investigating the firewall, SELinux, and other security features.

    If you don't have DNS set up yet, use the IP address of the server to view your Apache server from a remote web browser, such as http://192.168.0.1. If you are not able to connect, retry connecting to the server from your browser after performing each of the following steps on the system running the Apache server:

    # iptables -F
    # setenforce 0
    # chmod 644 /var/www/html/index.html

    The iptables -F command flushes the firewall rules temporarily. If connecting to the web server succeeds after that, you need to add new firewall rules to open tcp ports 80 and 443 on the server. On a system using the firewalld service, do this by clicking the check box next to those ports on the Firewall window. For systems running the iptables service, add the following rules before the last DROP or REJECT rule.

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

    The setenforce 0 command puts SELinux in permissive mode temporarily. If connecting to the web server succeeds after that, you need to correct SELinux file context and/or Boolean issues (probably file context in this case). The following should work:

    # chcon --reference=/var/www/html /var/www/html/index.html

    If the chmod command works, it means that the apache user and group did not have read permission to the file. You should be able to leave the new permissions as they are.

  6. To use the openssl or similar command to create your own private RSA key and self-signed SSL certificate, do the following:
    # yum install openssl
    # cd /etc/pki/tls/private
    # openssl genrsa -out server.key 1024
    # chmod 600 server.key
    # cd /etc/pki/tls/certs
    # openssl req -new -x509 -nodes -sha1 -days 365 \
       -key /etc/pki/tls/private/server.key \
       -out server.crt
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: NJ
    Locality Name (eg, city) []: Princeton
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:TEST USE ONLY
    Organizational Unit Name (eg, section) []:TEST USE ONLY
    Common Name (eg, YOUR name) []:secure.example.org
    Email Address []:dom@example.org

    You should now have a /etc/pki/tls/private/server.key key file and a /etc/pki/tls/certs/server.crt certificate file.
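
    The following shell script is an added example, not from the book: it carries out the key and certificate steps above in a scratch directory and then checks the result the way an administrator should before pointing Apache at it, confirming that the certificate's modulus matches the key, that the certificate is self-signed (issuer equals subject), and that the private key is mode 600. It uses a 2048-bit key and SHA-256 rather than the 1024-bit/SHA-1 values in the transcript, since current browsers no longer accept the weaker pair; the directory layout under the path you pass in and the -subj field values are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the book): create an RSA key and a self-signed
# certificate in a scratch directory, then verify them. The private/ and
# certs/ layout mirrors /etc/pki/tls but lives under the path passed in;
# the subject fields are placeholders.

make_selfsigned() {
    dir="$1"   # scratch directory, e.g. from mktemp -d (assumed)
    cn="$2"    # Common Name, e.g. secure.example.org
    mkdir -p "$dir/private" "$dir/certs"
    # 2048-bit RSA and SHA-256 rather than the 1024-bit/SHA-1 values shown
    # in the transcript; current browsers reject the weaker pair.
    openssl genrsa -out "$dir/private/server.key" 2048 2>/dev/null
    chmod 600 "$dir/private/server.key"
    # -subj answers the interactive prompts from the transcript in one go.
    openssl req -new -x509 -nodes -sha256 -days 365 \
        -key "$dir/private/server.key" \
        -subj "/C=US/ST=NJ/L=Princeton/O=TEST USE ONLY/CN=$cn" \
        -out "$dir/certs/server.crt" 2>/dev/null
}

# Return 0 only when the key and certificate belong together, the
# certificate is self-signed, and the key is readable by its owner alone.
verify_selfsigned() {
    key="$1/private/server.key"
    crt="$1/certs/server.crt"
    # The RSA modulus must be identical in the key and the certificate.
    kmod=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    # Self-signed means the issuer name equals the subject name.
    subj=$(openssl x509 -noout -subject -in "$crt" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer  -in "$crt" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || return 1
    # The key file must not be readable by group or others.
    [ "$(stat -c '%a' "$key")" = "600" ] || return 1
    return 0
}

# Print the certificate's Common Name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/certs/server.crt" |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# Usage:
#   d=$(mktemp -d); make_selfsigned "$d" secure.example.org
#   verify_selfsigned "$d" && echo "key and certificate check out: $(cert_cn "$d")"
```

    The modulus comparison is the same check you would run after copying a key and certificate from another host: a certificate that does not match the key in SSLCertificateKeyFile makes httpd refuse to start, and the error message rarely says why.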

  7. To configure your Apache web server to use your key and self-signed certificate to serve secure (HTTPS) content, do the following:
    1. Edit the /etc/httpd/conf.d/ssl.conf file to change the key and certificate locations to use the ones you just created:
      SSLCertificateFile /etc/pki/tls/certs/server.crt
      SSLCertificateKeyFile /etc/pki/tls/private/server.key
    2. Restart the httpd service:
      # systemctl restart httpd.service
  8. To use a web browser to create an HTTPS connection to your web server and view the contents of the certificate you created, do the following:

    From the system running the Apache server, type https://localhost in the browser's location box. You should see a message that reads, “This Connection is Untrusted.” To complete the connection, do the following:

    1. Click I Understand the Risks.
    2. Click Add Exception.
    3. Click Get Certificate.
    4. Click Confirm Security Exception.
  9. To create a file named /etc/httpd/conf.d/example.org.conf, which turns on name-based virtual hosting and creates a virtual host that 1) listens on port 80 on all interfaces, 2) has a server administrator of joe@example.org, 3) has a server name of joe.example.org, 4) has a DocumentRoot of /var/www/html/joe.example.org, and 5) has a DirectoryIndex that includes at least index.html, and create an index.html file in DocumentRoot that contains the words “Welcome to the House of Joe” inside, do the following:

    Create an example.org.conf file that looks like the following:

    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerAdmin      joe@example.org
        ServerName       joe.example.org
        ServerAlias      web.example.org
        DocumentRoot     /var/www/html/joe.example.org/
        DirectoryIndex   index.html
    </VirtualHost>

    This is how you could create the text to go into the index.html file:

    # echo "Welcome to the House of Joe" > /var/www/html/joe.example.org/index.html
  10. To add the text joe.example.org to the end of the localhost entry in your /etc/hosts file on the machine that is running the web server, and check it by typing http://joe.example.org into the location box of your web browser to see “Welcome to the House of Joe” when the page is displayed, do the following:
    1. Reload the httpd.conf file modified in the previous exercise:
      # apachectl graceful
    2. Edit the /etc/hosts file with any text editor so the local host line appears as follows:
      127.0.0.1     localhost.localdomain localhost joe.example.org
    3. From a browser on the local system where httpd is running, you should be able to type http://joe.example.org into the location box to reach the Apache web server through name-based virtual hosting.

Chapter 18: Configuring an FTP Server

CAUTION

Don't do the tasks described here on a working, public FTP server, because these tasks will interfere with its operations. (You could, however, use these tasks to set up a new FTP server.)

  1. To determine which package provides the Very Secure FTP Daemon service, type the following as root:
    # yum search "Very Secure FTP"
    ...
    ================== N/S Matched: Very Secure FTP ==================
    vsftpd.i686 : Very Secure Ftp Daemon

    The search found the vsftpd package.

  2. To install the Very Secure FTP Daemon package on your system and search for the configuration files in that package, type the following:
    # yum install vsftpd
    # rpm -qc vsftpd | less
  3. To start the Very Secure FTP Daemon service and set it to start when the system boots, type the following on a Fedora or Red Hat Enterprise Linux 7 system:
    # systemctl start vsftpd.service
    # systemctl enable vsftpd.service

    On a Red Hat Enterprise Linux 6 system, type the following:

    # service vsftpd start
    # chkconfig vsftpd on
  4. On the system running your FTP server, type the following to create a file named test in the anonymous FTP directory that contains the words “Welcome to your vsftpd server”:
    # echo "Welcome to your vsftpd server" > /var/ftp/test
  5. To open the test file from the anonymous FTP home directory, using a web browser on the system running your FTP server, do the following: Start the Firefox web browser, type the following in the location box, and press Enter:
    ftp://localhost/test

    The text “Welcome to your vsftpd server” (the contents of the test file created in Exercise 4) should appear in the Firefox window.

  6. To access the test file in the anonymous FTP home directory, do the following. (If you cannot access the file, check that your firewall, SELinux, and TCP wrappers are configured to allow access to that file, as described here.)
    1. Type the following into the location box of a browser on a system on your network that can reach the FTP server (replace host with your system's fully qualified hostname or IP address):
      ftp://host/test

      If you cannot see the welcome message in your browser window, check what may be preventing access. To temporarily turn off your firewall (flush your iptables rules), type the following command as the root user from a shell on your FTP server system and then try to access the site again:

      # iptables -F
    2. To temporarily disable SELinux, type the following, and then try to access the site again:
      # setenforce 0
    3. To temporarily disable TCP wrappers, add the following to the beginning of the /etc/hosts.allow file (be sure to remove this line again when the test is done):
      ALL: ALL

After you have determined what is causing the file on your FTP server to be unavailable, go back to the “Securing Your FTP Server” section and go through the steps to determine what might be blocking access to your file. These are likely possibilities:

  • For iptables, make sure there is a rule opening TCP port 21 on the server.
  • For SELinux, make sure the file context is set to public_content_t.
  • For TCP wrappers, make sure that there is a vsftpd: ALL or similar line in the /etc/hosts.allow file. An entry such as this should be needed only if there is a line in the /etc/hosts.deny file that denies access to services that are not explicitly allowed.
  7. To configure your Very Secure FTP Daemon server to allow file uploads by anonymous users to a directory named in, do the following as root on your FTP server:
    1. Create the in directory as follows:
      # mkdir /var/ftp/in
      # chown ftp:ftp /var/ftp/in
      # chmod 770 /var/ftp/in
    2. Inside the /etc/vsftpd/vsftpd.conf file, make sure that the following variables are set:
      anonymous_enable=YES
      write_enable=YES
      anon_upload_enable=YES
    3. For Fedora 20 or RHEL 7, open the Firewall Configuration window and check the FTP box under services to open access to your FTP service. For earlier RHEL and Fedora systems, configure your iptables firewall to allow new requests on TCP port 21 by adding the following rule at some point before a final DROP or REJECT rule in your /etc/sysconfig/iptables file:
      -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    4. Configure your iptables firewall to do connection tracking by loading the appropriate module to the /etc/sysconfig/iptables-config file:
      IPTABLES_MODULES="nf_conntrack_ftp"
    5. For SELinux to allow uploading to the directory, first set file contexts properly:
      # semanage fcontext -a -t public_content_rw_t "/var/ftp/in(/.*)?"
      # restorecon -F -R -v /var/ftp/in
    6. Next, set the SELinux Boolean to allow uploading:
      # setsebool -P allow_ftpd_anon_write on
    7. Restart the vsftpd service (service vsftpd restart or systemctl restart vsftpd.service).
  8. To install the lftp FTP client (if you don't have a second Linux system, install lftp on the same host running the FTP server) and try to upload the /etc/hosts file to the incoming directory on the server, run the following commands as the root user:
    # yum install lftp
    # lftp localhost
    lftp localhost:/> cd in
    lftp localhost:/in> put /etc/hosts
    89 bytes transferred
    lftp localhost:/in> quit

    You won't be able to see that you copied the hosts file to the incoming directory. However, type the following from a shell on the host running the FTP server to make sure the hosts file is there:

    # ls /var/ftp/in
    hosts

    If you cannot upload the file, troubleshoot the problem as described in Exercise 7, recheck your vsftpd.conf settings, and review the ownership and permissions on the /var/ftp/in directory.

  9. Using any FTP client you choose, visit the /pub/linux/docs/man-pages directory on the ftp://kernel.org site and list the contents of that directory. Here's how to do that with the lftp client:
    # lftp ftp://kernel.org/pub/linux/docs/man-pages
    cd ok, cwd=/pub/linux/docs/man-pages
    lftp kernel.org:/pub/linux/docs/man-pages> ls
    drwxrwsr-x 2 536 536   24576 May 10 20:29 Archive
    -rw-rw-r-- 1 536 536 1135808 Feb 09 23:23 man-pages-3.34.tar.bz2
    -rw-rw-r-- 1 536 536 1674738 Feb 09 23:23 man-pages-3.34.tar.gz
    -rw-rw-r-- 1 536 536     543 Feb 09 23:23 man-pages-3.34.tar.sign
    ...
  10. Using any FTP client you choose, download the man-pages-3.78.tar.gz file from the kernel.org directory you just visited to the /tmp directory on your local system.
    # lftp ftp://kernel.org/pub/linux/docs/man-pages
    cd ok, cwd=/pub/linux/docs/man-pages
    lftp kernel.org:man-pages> get man-pages-3.78.tar.gz
    1739208 bytes transferred in 4 seconds (481.0K/s)
    lftp kernel.org:man-pages> quit

Chapter 19: Configuring a Windows File Sharing (Samba) Server

  1. To install the samba and samba-client packages, type the following as root from a shell on the local system:
    # yum install samba samba-client
  2. To start and enable the smb and nmb services, type the following as root from a shell on the local system:
    # systemctl enable smb.service
    # systemctl start smb.service
    # systemctl enable nmb.service
    # systemctl start nmb.service

    or

    # chkconfig smb on
    # service smb start
    # chkconfig nmb on
    # service nmb start
  3. To set the Samba server's workgroup to TESTGROUP, the netbios name to MYTEST, and the server string to Samba Test System, as root user in a text editor, open the /etc/samba/smb.conf file and change three lines so they appear as follows:
    workgroup = TESTGROUP
    netbios name = MYTEST
    server string = Samba Test System
  4. To add a Linux user named phil to your system and add a Linux password and Samba password for phil, type the following as root user from a shell (be sure to remember the passwords you set):
    # useradd phil
    # passwd phil
    New password: *******
    Retype new password: *******
    # smbpasswd -a phil
    New SMB password: *******
    Retype new SMB password: *******
    Added user phil.
  5. To set the [homes] section so that home directories are browseable (yes) and writable (yes), and that phil is the only valid user, open the /etc/samba/smb.conf file as root and change the [homes] section so it appears as follows:
    [homes]
            comment = Home Directories
            browseable = yes
            writable = yes
            valid users = phil
  6. To set SELinux Booleans that are necessary to make it so phil can access his home directory via a Samba client, type the following as root from a shell:
    # setsebool -P samba_enable_home_dirs on
  7. From the local system, use the smbclient command to verify that the homes share is available:
    # smbclient -L localhost
    Enter root's password:
    <ENTER>
    Anonymous login successful
    Domain=[DATAGROUP] OS=[Unix] Server=[Samba 4.1.15]
         Sharename       Type      Comment
         ---------       ----      -------
         homes           Disk      Home Directories
     ...
  8. To connect to the homes share from a Nautilus (file manager) window on the Samba server's local system for the user phil in a way that allows you to drag and drop files to that folder, do the following:
    1. Open the Nautilus window (select the files icon).
    2. Under the Network heading in the left pane, select Connect to Server.
    3. Type the Server address. For example, smb://localhost/phil/.
    4. When prompted, type phil as the username and enter phil's password.
    5. Open another Nautilus window and drop a file to phil's homes folder.
  9. To open up the firewall so anyone who has access to the server can access the Samba service (smbd and nmbd daemons), you can simply open the Firewall Configuration window and check the samba and samba-client check boxes. If your system is running basic iptables (and not the firewalld service), change the /etc/sysconfig/iptables file so the firewall appears like the following (the rules you add are the four -I lines for UDP ports 137 and 138 and TCP ports 139 and 445):
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -I INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
    -I INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
    -I INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
    -I INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    Then type the following for the firewall rules to be reloaded:

    # service iptables restart
  10. To open the homes share again as the user phil from another system on your network (Windows or Linux), and make sure you can drag and drop files to it, do the following:

    This step is really just repeating the Nautilus example described previously or accessing a Windows Explorer window and opening the share (by selecting Network, then the Samba server). The trick is to make sure the service has been made available through the Linux server security features.

    If you cannot access the Samba share, try disabling your firewall and then disabling SELinux. If the share is accessible when you turn off either of those services, go back and debug the problems with the service that is not working:

    # setenforce 0
    # service iptables stop

    When you have fixed the problem, set SELinux back to Enforcing mode and restart iptables:

    # setenforce 1
    # service iptables start

Chapter 20: Configuring an NFS File Server

  1. To install the packages needed to configure the NFS service on the Linux system you choose, type the following as root user at a shell (Fedora or RHEL):
    # yum install nfs-utils
  2. To list the documentation files that come in the package that provides the NFS server software, type the following:
    # rpm -qd nfs-utils
    /usr/share/doc/nfs-utils-1.2.5/ChangeLog
    ...
    /usr/share/man/man5/exports.5.gz
    /usr/share/man/man5/nfs.5.gz
    /usr/share/man/man5/nfsmount.conf.5.gz
    /usr/share/man/man7/nfsd.7.gz
    /usr/share/man/man8/blkmapd.8.gz
    /usr/share/man/man8/exportfs.8.gz
    ...
  3. To start and enable the NFS service, type the following as root user on the NFS server:
    # systemctl start nfs-server.service
    # systemctl enable nfs-server.service
  4. To check the status of the NFS service you just started on the NFS server, type the following as root user:
    # systemctl status nfs-server.service
  5. To share a directory /var/mystuff from your NFS server as available to everyone, read-only, and with the root user on the client having root access to the share, first create the mount directory as follows:
    # mkdir /var/mystuff

    Then create an entry in the /etc/exports file that is similar to the following:

    /var/mystuff    *(ro,no_root_squash,insecure)

    To make the share available, type the following:

    # exportfs -v -a
    exporting *:/var/mystuff
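
    The export written above combines a wildcard host with no_root_squash and insecure, which is the most permissive form an /etc/exports line can take, so it helps to see how such entries are spotted in a review. The following shell function is an added example, not part of the book: it reads /etc/exports-style text (the constructed sample below, whose first line is the export from this exercise) and prints one line per finding. It assumes the usual host(options) syntax with no space before the parenthesis.

```shell
#!/bin/sh
# Added example (not from the book): flag /etc/exports entries that widen
# exposure. The sample text is constructed; its first line is the export
# from this exercise.
EXPORTS_SAMPLE='/var/mystuff    *(ro,no_root_squash,insecure)
/srv/data       192.168.0.0/24(rw,sync,root_squash)
/srv/shared     *(rw)
# backups are pulled by one host only
/srv/backup     backup.example.org(rw,no_subtree_check)'

# Print "path host FINDING" for each finding:
#   ANY_HOST        exported to every client ("*")
#   NO_ROOT_SQUASH  a client's root keeps uid 0 on the share
#   INSECURE        requests accepted from unprivileged source ports
#   RW_ANY_HOST     writable and exported to every client
audit_exports() {
    set -f   # keep the shell from expanding a "*" host into file names
    printf '%s\n' "$1" | while read -r path specs; do
        case "$path" in ''|'#'*) continue ;; esac
        for spec in $specs; do   # several host(options) groups may follow a path
            host=${spec%%\(*}
            opts=${spec#*\(}
            opts=${opts%\)}
            [ "$host" = "$spec" ] && opts=""   # bare host, no option list
            if [ "$host" = "*" ]; then
                echo "$path $host ANY_HOST"
                case ",$opts," in *,rw,*) echo "$path $host RW_ANY_HOST" ;; esac
            fi
            case ",$opts," in *,no_root_squash,*) echo "$path $host NO_ROOT_SQUASH" ;; esac
            case ",$opts," in *,insecure,*) echo "$path $host INSECURE" ;; esac
        done
    done
    set +f
}

# Number of findings in an exports text.
finding_count() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Usage: audit_exports "$(cat /etc/exports)"
```

    For the sample, the /var/mystuff line produces three findings and /srv/shared two, while the two entries restricted to a subnet or a single host produce none. The read-only option in this exercise limits what a wildcard export can do, but no_root_squash and insecure still serve no purpose on a read-only share open to every client and are worth removing once the exercise is done.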
  6. To make sure the share you created is accessible to all hosts, first check that rpcbind is not blocked by TCP wrappers by adding the following entry to the beginning of the /etc/hosts.allow file:
    rpcbind: ALL

    To open the firewall in systems that use firewalld (RHEL 7 and recent Fedora systems), install the firewall-config package. Then run firewall-config and from the Firewall Configuration window that appears, make sure that nfs and rpc-bind are checked on for the Permanent firewall settings.

    To open the ports needed to allow clients to reach NFS through the iptables firewall (RHEL 6 and earlier Fedora systems without firewalld), you need to open at least TCP and UDP ports 111 (rpcbind), 20048 (mountd), and 2049 (nfs) by adding the following rules to the /etc/sysconfig/iptables file and starting the iptables service:

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 20048 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 20048 -j ACCEPT

    SELinux should be able to share NFS filesystems while in Enforcing mode without any changes to file contexts or Booleans. To make sure the share you created can be shared read-only, run the following command as root user on the NFS server:

    # setsebool -P nfs_export_all_ro on
  7. To view the shares available from the NFS server, assuming the NFS server is named nfsserver, type the following from the NFS client:
    # showmount -e nfsserver
    Export list for nfsserver:
    /var/mystuff  *
  8. To create a directory called /var/remote and temporarily mount the /var/mystuff directory from the NFS server (named nfsserver in this example) on that mount point, type the following as root user from the NFS client:
    # mkdir /var/remote
    # mount -t nfs nfsserver:/var/mystuff /var/remote
  9. To add an entry so that the same mount is done automatically when you reboot, first unmount /var/remote as follows:
    # umount /var/remote

    Then add an entry like the following to the /etc/fstab on the client system:

    /var/remote    nfsserver:/var/mystuff   nfs bg,ro 0 0

    To test that the share is configured properly, type the following on the NFS client as the root user:

    # mount -a
    # mount -t nfs
    nfsserver:/var/mystuff on /var/remote type nfs4
     (ro,vers=4,rsize=524288...
  10. To copy some files to the /var/mystuff directory, type the following on the NFS server:
    # cp /etc/hosts /etc/services /var/mystuff

    From the NFS client, to make sure you can see the files just added to that directory and to make sure you can't write files to that directory from the client, type the following:

    # ls /var/remote
    hosts   services
    # touch /var/remote/file1
    touch: cannot touch '/var/remote/file1': Read-only file system

Chapter 21: Troubleshooting Linux

  1. To go into Setup mode from the BIOS screen on your computer, do the following:
    1. Reboot your computer.
    2. Within a few seconds, you should see the BIOS screen, with an indication of which function key to press to go into Setup mode. (On my Dell workstation, it's the F2 function key.)
    3. The BIOS screen should appear. (If the system starts booting Linux, you didn't press the function key fast enough.)
  2. From the BIOS setup screen, do the following to determine whether your computer is 32-bit or 64-bit, whether it includes virtualization support, and whether your network interface card is capable of PXE booting.

    Your experience may be a bit different from mine, depending on your computer and Linux system. The BIOS setup screen is different for different computers. In general, however, you can use arrow keys and tab keys to move between different columns and press Enter to select an entry.

    • On my Dell workstation, under the System heading, I highlight Processor Info to see that mine is a 64-bit Technology computer. Look in the Processor Info, or similar, section on your computer to see the type of processor you have.
    • On my Dell workstation, under the Onboard Devices heading, I highlight Integrated NIC and press Enter. The Integrated NIC screen that appears to the right lets me choose to enable or disable the NIC (On or Off) or enable with PXE or RPL (if I intend to boot the computer over the network).
  3. To interrupt the boot process to get to the GRUB boot loader, do the following:
    1. Reboot the computer.
    2. Just after the BIOS screen disappears, when you see the countdown to booting the Linux system, press any key (perhaps the spacebar).
    3. The GRUB boot loader menu should appear, ready to allow you to select which operating system kernel to boot.
  4. To boot up your computer to runlevel 1 so you can do some system maintenance, get to the GRUB boot screen (as described in the previous exercise), and then do the following:
    1. Use the arrow keys to highlight the operating system and kernel you want to boot.
    2. Type e to see the entries needed to boot the operating system.
    3. Move your cursor to the line that includes the kernel. (It should include the word vmlinuz somewhere on the line.)
    4. Move the cursor to the end of that line, add a space, and then type the number 1 or init=/bin/bash.
    5. Follow the instructions to boot the new entry. You will probably either press Ctrl+X or press Enter; then when you see the next screen, type b.

      If it worked, your system should bypass the login prompt and boot up directly to a root user shell, where you can do administrative tasks without providing a password.

  5. To start up Red Hat Enterprise Linux (through RHEL 6.x) so you can confirm each service as it is started, do the following:
    1. Follow the previous two exercises, but instead of putting a 1 at the end of a kernel line, put the word confirm.
    2. When the boot process gets to the point where it is starting runlevel services, you are prompted to confirm (Y) or deny (N) each service, or continue (C) to simply start all the rest of the services.

    Note that this option is not available with the latest Fedora and Ubuntu releases.

  6. To look at the messages that were produced in the kernel ring buffer (which shows the activity of the kernel as it booted up), type the following from the shell after the system finishes booting:
    # dmesg | less

    Or on a system using systemd, type the following:

    # journalctl -k
  7. To run a trial yum update from Fedora or RHEL and exclude any kernel package that is available, type the following (when prompted, type N to not actually go through with the update, if updates are available):
    # yum update --exclude='kernel*'
  8. To check to see what processes are listening for incoming connections on your system, type the following:
    # netstat -tupln | less
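
    The netstat -tupln listing used here, and in the CUPS and Apache chapters, shows every listening socket, but only the ones bound to 0.0.0.0 or :: are reachable from other hosts; a daemon bound to 127.0.0.1 or ::1 is not exposed even if the port is open in the firewall. The following shell function is an added example (not from the book) that reduces a captured listing to those externally bound sockets with their port and program name. The listing it reads is constructed for the example, drawing on the cupsd and httpd lines shown in the earlier chapters.

```shell
#!/bin/sh
# Added example (not from the book): pick out the listeners bound to all
# interfaces from a saved "netstat -tupln" listing. The sample is
# constructed; the cupsd and httpd lines follow the earlier chapters.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      6492/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1201/master
tcp6       0      0 :::80                   :::*                    LISTEN      2496/httpd
tcp6       0      0 :::443                  :::*                    LISTEN      2496/httpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      6492/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           745/chronyd'

# Print "proto port program" for each socket bound to 0.0.0.0 or ::.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # Local Address is column 4; the port follows its last colon,
            # which also works for IPv6 forms such as :::80 and ::1:631.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::") {
                prog = $NF                 # PID/Program name is the last column
                sub(/^[0-9]+\//, "", prog) # drop the "PID/" prefix
                print $1, port, prog
            }
        }'
}

# Number of externally bound listeners in a listing.
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Usage: exposed_listeners "$(netstat -tupln 2>/dev/null)"
```

    On the sample, cupsd on 631, httpd on 80 and 443, and dhclient on UDP 68 are reported, while the mail and time daemons bound to loopback are not. Run against a real listing, the output is the list to compare with the firewall rules and with what the server is actually meant to offer.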
  9. To check to see what ports are open on your external network interface, do the following:

    If possible, run the nmap command from another Linux system on your network, replacing yourhost with the hostname or IP address of your system:

    # nmap yourhost
  10. To clear your system's page cache and watch the effect it has on your memory usage, do the following:
    1. Select Terminal from an application menu on your desktop (it is located on different menus for different systems).
    2. Run the top command (to watch processes currently running on your system), and then type a capital M to sort processes by those consuming the most memory.
    3. From the Terminal window, select File and Open Terminal to open a second Terminal window.
    4. From the second Terminal window, become root user (su -).
    5. While watching the Mem line (used column) in the first Terminal window, type the following from the second Terminal window:
      # echo 3 > /proc/sys/vm/drop_caches
    6. The used RES memory should go down significantly on the Mem line. The numbers in the RES column for each process should go down as well.

Chapter 22: Understanding Basic Linux Security

  1. To check log messages from the systemd journal for the NetworkManager.service, sshd.service, and auditd.service services, type the following:
    # journalctl -u NetworkManager.service
    ...
    # journalctl -u sshd.service
    ...
    # journalctl -u auditd.service
    ...
  2. User passwords are stored in the /etc/shadow file. To see its permissions, type ls -l /etc/shadow at the command line. (If no shadow file exists, you need to run pwconv.)

    The following are the appropriate settings:

    # ls -l /etc/shadow
    ----------. 1 root root 1049 Feb 10 09:45 /etc/shadow
  3. To determine your account's password aging and whether it will expire using a single command, type chage -l user_name. For example:
    # chage -l chris
  4. To start auditing writes to the /etc/shadow with the auditd daemon, type the following at the command line:
    # auditctl -w /etc/shadow -p w

    To check your audit settings, type in auditctl -l at the command line.

  5. To create a report from the auditd daemon on the /etc/shadow file, type ausearch -f /etc/shadow at the command line. To turn off the auditing on that file, type auditctl -W /etc/shadow -p w at the command line.
  6. To install the lemon package, damage the /usr/bin/lemon file, verify that the file has been tampered with, and remove the lemon package, type the following:
    # yum install -y lemon
    # cp /etc/services /usr/bin/lemon
    # rpm -V lemon
    S.5....T.    /usr/bin/lemon
    # yum erase lemon

    Compared with the original lemon file, the file size (S), the MD5 checksum (5), and the modification time (T) all differ. For Ubuntu, install the package with apt-get install lemon and type debsums lemon to check it.

  7. If you suspect that your system was attacked today and important binary files have been modified, you can find the modified files by typing find directory -mtime -1 at the command line for each of the directories /bin, /sbin, /usr/bin, and /usr/sbin (substituting each one for directory).
  8. To install and run chkrootkit to see if the malicious attack from the exercise above installed a rootkit, choose your distribution and do the following:
    1. To install on a Fedora or RHEL distribution, type yum install chkrootkit at the command line.
    2. To install on an Ubuntu or Debian-based distribution, type sudo apt-get install chkrootkit at the command line.
    3. To run the check, type chkrootkit at the command line and review the results.
  9. To find files anywhere in the system with the SetUID or SetGID permission set, type find / -perm /6000 at the command line.
  10. Install the aide package, run the aide command to initialize the aide database, copy the database to the correct location, and run the aide command to check whether any important files on your system have been modified.
    # yum install aide
    # aide -i
    # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    # aide -C

    To make the output more interesting, you could install the lemon package (described in an earlier exercise) before you run aide -i and modify it before running aide -C to see how a modified binary looks from aide.
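The rpm -V, find -mtime -1, and aide answers above all compare files with a known-good state. The following shell functions, added here as an illustration and not taken from the book or from aide, build a sha256sum baseline of a directory tree and report modified, missing, and added files; sha256sum, a POSIX awk, and paths without whitespace are assumed, and the tree the demo function builds is constructed.

```shell
#!/bin/sh
# Added example (not from the book): a minimal file-integrity baseline in the
# spirit of "aide -i" / "aide -C". It is not aide's database format. Assumes
# sha256sum, a POSIX awk, and paths without whitespace.

# make_baseline DIR BASELINE
# Record "digest  path" for every regular file under DIR, sorted by path.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# check_baseline DIR BASELINE
# Compare the tree with the baseline and print one line per difference:
#   MODIFIED path   digest changed (what "rpm -V" flags as 5 and usually S)
#   MISSING  path   in the baseline but gone from disk
#   ADDED    path   on disk but not in the baseline (e.g. a dropped binary)
# Prints nothing when everything matches.
check_baseline() {
    dir=$1; base=$2
    cur=$(mktemp) || return 2
    find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$cur"
    awk -v b="$base" '
        FILENAME == b { known[$2] = $1; next }       # first pass: baseline
        {
            seen[$2] = 1
            if (!($2 in known))        print "ADDED    " $2
            else if (known[$2] != $1)  print "MODIFIED " $2
        }
        END { for (p in known) if (!(p in seen)) print "MISSING  " p }
    ' "$base" "$cur" | sort
    rm -f "$cur"
}

# recently_changed DIR BASELINE
# The book's "find directory -mtime -1" lists anything touched in the last
# 24 hours; anchoring on the baseline file's own mtime lists exactly the files
# changed since the baseline was taken. mtime can be reset with touch, so this
# is a triage aid; the digest comparison above is the authoritative check.
recently_changed() {
    find "$1" -type f -newer "$2"
}

# demo: build a throwaway tree (constructed), take a baseline, tamper with it
# the way exercise 6 does to /usr/bin/lemon, and print the report.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bin"
    printf 'original\n' > "$d/bin/lemon"; printf 'keep\n' > "$d/bin/keep"
    make_baseline "$d/bin" "$d/base.sha256"
    printf 'tampered\n' > "$d/bin/lemon"      # like cp /etc/services /usr/bin/lemon
    rm "$d/bin/keep"; printf 'new\n' > "$d/bin/new"
    check_baseline "$d/bin" "$d/base.sha256" | sed "s|$d/bin/||"
    rm -rf "$d"
}
```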

Chapter 23: Understanding Advanced Linux Security

To do the first few exercises, you must have the gnupg2 package installed. This is not installed by default in Ubuntu, although it is for recent Fedora and RHEL releases.

  1. To encrypt a file using the gpg2 utility and a symmetric key, type the following command (the gpg2 utility asks for a passphrase to protect the symmetric key):
    $ gpg2 -c filename
  2. To generate a keypair using the gpg2 utility, type the following:
    $ gpg2 --gen-key

You must provide the following information:

  1. What kind of asymmetric key you want:
    • RSA and RSA (default)
    • DSA and Elgamal
    • DSA (sign only)
    • RSA (sign only)
  2. What key size (in number of bits) you want
  3. How many days, weeks, months, or years the key should be valid. (You can also request that the key be valid permanently.)
  4. Your real name, e-mail address, and a comment to create the User ID for the public key
  5. A passphrase for the private key
  3. To list out the keys you generated, type:
    $ gpg2 --list-keys
  4. To encrypt a file and add your digital signature using the gpg2 utility, do the following:
    1. You must have first generated a key ring (Exercise 2).
    2. After you have generated the key ring, type:
      $ gpg2 --output EncryptedSignedFile --sign FiletoEncryptSign
  5. To use the appropriate message digest utility to ensure that the downloaded file is not corrupted, do the following. (Remember that a message digest is also called a checksum.)
    1. Review the download website for the MD5 or SHA-1 file or number.
      • If it is a checksum number, go to the next step.
      • If it is a checksum file, download that file too and then use the cat command to display the checksum file's contents on your screen.
    2. If it is an MD5 checksum, type the following at the command line and compare the result to the MD5 checksum file or number on the website:
      $ md5sum FirstDownloadedFile
    3. If it is an SHA-1 hash, type the following at the command line and compare the result to the SHA-1 checksum file or number on the website:
      $ sha1sum FirstDownloadedFile
  6. To determine if the su command on your Linux system is PAM-aware, type:
    $ ldd $(which su) | grep pam
     libpam.so.0 => /lib64/libpam.so.0 (0x00007fac89d48000)
     libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007fac89b44000)

    If the su command on your Linux system is PAM-aware, you see a PAM library name listed when you issue the ldd command.

  7. To determine if the su command has a PAM configuration file, type:
    $ ls /etc/pam.d/su

    If the file exists, type the following at the command line to display its contents. The PAM contexts it uses are any of the following: auth, account, password, session.

    $ cat /etc/pam.d/su
  8. To list out the various PAM modules on your Fedora or RHEL system, type:
    $ ls /lib/security/pam*.so

    To list out the various PAM modules on your Ubuntu Linux system, type the following (the pattern is quoted so that find, not the shell, expands it):

    $ sudo find / -name 'pam*.so'
  9. To find the PAM “other” configuration file on your system, type ls /etc/pam.d/other at the command line. An “other” configuration file that enforces Implicit Deny should look similar to the following code:
    $ cat /etc/pam.d/other
    #%PAM-1.0
    auth     required       pam_deny.so
    account  required       pam_deny.so
    password required       pam_deny.so
    session  required       pam_deny.so
  10. To find the PAM limits configuration file, type:
    $ ls /etc/security/limits.conf

    Display the file's contents by typing the following:

    $ cat /etc/security/limits.conf

    Settings in this file to prevent a fork bomb look like the following:

    @staff      hard    nproc          50
    @staff      hard    maxlogins       1
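Exercise 5 above leaves you to compare digests by eye, which is exactly where a transposed character slips through. The following shell function, added here as an illustration and not from the book, verifies a downloaded file against either a bare digest copied from the site or a downloaded checksum file, choosing md5sum, sha1sum, or sha256sum from the digest's length; the coreutils digest tools and a POSIX awk are assumed, and the names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the book): verify a downloaded file against the
# digest a project publishes, covering both forms exercise 5 describes:
# a bare checksum string copied from the web page, or a checksum file
# (md5sum/sha1sum/sha256sum format, possibly listing many files).
# Assumes the coreutils *sum tools and a POSIX awk.

# digest_tool DIGEST -> name of the tool whose output has that hex length
digest_tool() {
    case ${#1} in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# verify_download FILE REFERENCE
# REFERENCE is either the digest itself or the path of a checksum file.
# Returns 0 on match, 1 on mismatch, 2 when it cannot decide.
verify_download() {
    file=$1; ref=$2; name=$(basename "$file")
    if [ -f "$ref" ]; then
        # Pick the line for this file name; a leading "*" marks binary mode.
        expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$ref")
        if [ -z "$expected" ]; then
            echo "verify_download: no entry for $name in $ref" >&2
            return 2
        fi
    else
        expected=$ref
    fi
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')   # sites vary in case
    tool=$(digest_tool "$expected") || {
        echo "verify_download: unrecognised digest length ${#expected}" >&2
        return 2
    }
    actual=$("$tool" "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $name ($tool)"
    else
        echo "FAIL $name ($tool): expected $expected, got $actual" >&2
        return 1
    fi
}

# Usage with the book's names (constructed placeholder digest):
#   verify_download FirstDownloadedFile 0123456789abcdef0123456789abcdef
# or with a checksum file downloaded alongside the image:
#   verify_download FirstDownloadedFile SHA1SUMS
```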

Chapter 24: Enhancing Linux Security with SELinux

  1. To set your system into the permissive mode for SELinux, type setenforce permissive at the command line. It would also be acceptable to type setenforce 0 at the command line.
  2. To set your system into the enforcing operating mode for SELinux without changing the SELinux primary configuration file, use caution: it is best not to run this command on your system for an exercise until you are ready for SELinux to be enforced. Type setenforce enforcing at the command line. It would also be acceptable to type setenforce 1 at the command line.
  3. To find and view the permanent SELinux policy type (set at boot time), go to the main SELinux configuration file, /etc/selinux/config. To view it, type cat /etc/selinux/config | grep SELINUX= at the command line. To be sure how it is currently set, type the getenforce command.
  4. To list the /etc/hosts file security context and identify the different security context attributes, type ls -Z /etc/hosts at the command line:
    $ ls -Z /etc/hosts
    -rw-r--r--. root root system_u:object_r:net_conf_t:s0   /etc/hosts
    1. The file's user context is system_u, indicating a system file.
    2. The file's role is object_r, indicating an object in the file system (a text file, in this case).
    3. The file's type is net_conf_t, because the file is a network configuration file.
    4. The file's sensitivity level is s0, indicating the lowest security level. (This number may be listed in a range of numbers from s0-s3.)
    5. The file's category level starts with a c and ends with a number. It may be listed in a range of numbers, such as c0-c102. This is not required except in highly secure environments and is not set here.
  5. To create a file called test.html and assign its type as httpd_sys_content_t, type the following:
    $ touch test.html
    $ chcon -t httpd_sys_content_t test.html
    $ ls -Z test.html
    -rw-rw-r--. chris chris unconfined_u:object_r:httpd_sys_content_t:s0 test.html
  6. To list a current process's security context and identify the different security context attributes, type this at the command line:
    $ ps -efZ | grep crond
    system_u:system_r:crond_t:s0-s0:c0.c1023 root 665 1 0 Sep18 ? 00:00:00 /usr/sbin/crond -n
    1. The process's user context is system_u, indicating a system process.
    2. The process's role is system_r, indicating a system role.
    3. The process's type or domain is crond_t.
    4. The process's sensitivity level starts s0-s0, indicating that it is not highly sensitive. (It is secure by normal Linux standards, however, because the process is run as the root user.)
    5. The process's category level is c0.c1023, with the c0 indicating that the category is also not highly secure from an SELinux standpoint.
  7. To create an /etc/test.txt file, change its file context to user_tmp_t, restore it to its proper context (the default context for the /etc directory), and remove the file, type the following:
    # touch /etc/test.txt
    # ls -Z /etc/test.txt
    -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/test.txt
    # chcon -t user_tmp_t /etc/test.txt
    # ls -Z /etc/test.txt
    -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /etc/test.txt
    # restorecon /etc/test.txt
    # ls -Z /etc/test.txt
    -rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/test.txt
    # rm /etc/test.txt
    rm: remove regular empty file '/etc/test.txt'? y
  8. To determine what Boolean allows users to access their home directories via FTP and turn that Boolean on permanently, type the following commands:
    # getsebool -a | grep ftp
    ftp_home_dir --> off
    ftpd_anon_write --> off
    ...
    # setsebool -P ftp_home_dir=on
    # getsebool ftp_home_dir
    ftp_home_dir --> on
  9. To list all SELinux policy modules on your system, along with their version numbers, type semodule -l.

    NOTE

    If you chose ls /etc/selinux/targeted/modules/active/modules/*.pp as your answer to Question 9, that is okay, but this command doesn't give you the version numbers of the policy modules. Only semodule -l gives the version numbers.

  10. To prepare your system to run a vsftpd FTP server protected by SELinux, then log in as a regular user (chris in this example) and try to copy a file (which should cause an AVC denial), type the following:
    # getenforce
    Enforcing
    # yum install vsftpd lftp rsyslog setroubleshoot-server
    # systemctl start syslog
    # systemctl start vsftpd
    # semodule -DB
    # getsebool ftp_home_dir
    ftp_home_dir --> off
    # lftp -u chris localhost
    Password: ********
    lftp chris@localhost:~> put /etc/services
    put: Access failed: 553 Could not create file. (services)
    lftp chris@localhost:~> quit

    To view information about the denial, and change the Boolean to allow FTP access, do the following:

    # ausearch -m avc
    type=AVC msg=audit(1411217594.188:70555): avc: denied { create } for
        pid=25470 comm="vsftpd" name="services"
        scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
        tcontext=system_u:object_r:user_home_t:s0 tclass=file
    # journalctl | grep "SELinux is preventing"
    Sep 20 08:53:18 fedora20 setroubleshoot: SELinux is preventing /usr/
        sbin/vsftpd from create access on the file services. For
        complete SELinux messages. run
        sealert -l 2ad99cba-13d8-4bb1-8d74-bbfc31b68f8b
    # sealert -l 2ad99cba-13d8-4bb1-8d74-bbfc31b68f8b
    SELinux is preventing /usr/sbin/vsftpd from create access on the file
        gshadow.
        *** Plugin catchall_boolean (47.5 confidence) suggests *********
        If you want to determine whether ftpd can read and write files
        in user home directories.
        Then you must tell SELinux about this by enabling
        the 'ftp_home_dir' boolean.
        You can read 'user_selinux' man page for more details.
        Do  setsebool -P ftp_home_dir 1
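The ausearch -m avc output above is a single record; on a busy server you get hundreds. The following shell function, added here as an illustration and not from the book, summarises AVC records by source domain, target type, class, and permission, and tags denials that were only logged because the system was in permissive mode, so you can see what repeats before deciding whether a Boolean (setsebool), a context fix (restorecon), or something malicious explains it. It assumes one record per line as ausearch prints them (the book wraps its lines for print) and a POSIX awk; the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the book): summarise AVC denials from "ausearch -m avc"
# or /var/log/audit/audit.log by source domain, target type, class and
# permission. Assumes one record per line, as ausearch prints them, and a POSIX awk.

# Constructed sample records; the last is from a system in permissive mode.
SAMPLE_AVC='type=AVC msg=audit(1411217594.188:70555): avc:  denied  { create } for  pid=25470 comm="vsftpd" name="services" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1411217601.002:70556): avc:  denied  { create } for  pid=25470 comm="vsftpd" name="passwd" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1411217650.314:70590): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# summarize_avc < records
# Output: "<count> <source type> -> <target type>:<class> <perms> (<comm>)",
# most frequent first; denials recorded in permissive mode are tagged because
# they were logged but not enforced.
summarize_avc() {
    awk '
    # value of " name=..." in a record, quotes stripped; "?" if absent
    function field(line, name,    s) {
        s = line
        if (!sub(".*[ \t]" name "=", "", s)) return "?"
        sub(/[ \t].*/, "", s); gsub(/"/, "", s)
        return s
    }
    # third component of user:role:type[:level] is the type (domain)
    function ctxtype(ctx,    a, n) { n = split(ctx, a, ":"); return n >= 3 ? a[3] : ctx }
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        key = ctxtype(field($0, "scontext")) " -> " ctxtype(field($0, "tcontext"))
        key = key ":" field($0, "tclass") " " perms " (" field($0, "comm") ")"
        if (field($0, "permissive") == "1") key = key " [permissive]"
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# printf '%s\n' "$SAMPLE_AVC" | summarize_avc
# prints:
#   2 ftpd_t -> user_home_t:file create (vsftpd)
#   1 httpd_t -> user_home_t:file read (httpd) [permissive]
```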

Chapter 25: Securing Linux on a Network

  1. To install the Network Mapper (aka nmap) utility on your local Linux system:
    1. On Fedora or RHEL, type yum install nmap at the command line.
    2. On Ubuntu, nmap may come pre-installed. If not, type sudo apt-get install nmap at the command line.
  2. To run a TCP Connect scan on your local loopback address, type nmap -sT 127.0.0.1 at the command line. The ports you have running on your Linux server will vary. However, they may look similar to the following:
    # nmap -sT 127.0.0.1
    ...
    PORT    STATE SERVICE
    25/tcp  open  smtp
    631/tcp open  ipp
  3. To run a UDP Connect scan on your Linux system from a remote system:
    1. Determine your Linux server's IP address by typing ifconfig at the command line. The output will look similar to the following; your system's IP address follows “inet addr:” in the ifconfig command's output.
      # ifconfig
      ...
      p2p1  Link encap:Ethernet  HWaddr 08:00:27:E5:89:5A
            inet addr:10.140.67.23
    2. From a remote Linux system, type nmap -sU IP_address at the command line, using the IP address you obtained above. For example:
      # nmap -sU 10.140.67.23
  4. To check whether the ssh daemon on your Linux system uses TCP Wrapper support, type ldd /usr/sbin/sshd | grep libwrap at the command line. The output will look similar to the following if it does use TCP Wrapper support. If it does not, there will be no output.
    $ ldd /usr/sbin/sshd | grep libwrap
    libwrap.so.0 => /lib/libwrap.so.0 (0x0012f000)
  5. To allow access to the ssh tools on your Linux system from a designated remote system and deny all other access using TCP Wrappers, you need to modify both the /etc/hosts.allow file and the /etc/hosts.deny file. The modifications will look similar to the following:
    # cat /etc/hosts.allow
    ...
    sshd: 10.140.67.32
    #
    # cat /etc/hosts.deny
    #...
    ALL: ALL
  6. To determine your Linux system's current netfilter/iptables firewall policies and rules, type iptables -vnL at the command line.
  7. To flush your Linux system's current firewall rules, type iptables -F at the command line. To restore the firewall's rules on older Fedora systems or RHEL 6 systems, type iptables-restore < /etc/sysconfig/iptables. On a RHEL 7 or recent Fedora system, type systemctl restart firewalld.service to reinstate your system's permanent firewall rules.
  8. This is a trick question! You cannot set a Linux system's firewall policy to reject. You can set it to drop, but not reject. To set your Linux system's firewall filter table for the input chain to a policy of DROP, type iptables -P INPUT DROP at the command line.
  9. To change your Linux system firewall's filter table policy back to accept for the input chain, type iptables -P INPUT ACCEPT at the command line. To add a rule to drop all network packets from the IP address, 10.140.67.23, type iptables -A INPUT -s 10.140.67.23 -j DROP at the command line.
  10. To remove the rule you added above, without flushing or restoring your Linux system firewall's rules, type iptables -D INPUT 1 at the command line. This is assuming that the rule you added above is rule 1. If not, change the 1 to the appropriate rule number in your iptables command.
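Exercise 10 above assumes that the DROP rule you added is rule 1 in the INPUT chain, which is rarely true on a host that already has a ruleset. The following shell functions, added here as an illustration and not from the book, read the chain as iptables -S INPUT prints it and find the rule's real number before deleting it; the iptables -S output format is assumed, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example (not from the book): exercise 10 assumes the DROP rule you added
# is rule 1 in INPUT. These helpers read the chain as "iptables -S INPUT" prints
# it and work out the rule's real position, so "iptables -D INPUT N" removes the
# rule you meant. Assumes the iptables -S format: a "-P INPUT <policy>" line,
# then one "-A INPUT ..." line per rule in chain order.

# Constructed sample of "iptables -S INPUT" on a host with a few rules already.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.140.67.23/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# drop_rule_number ADDRESS < rules
# Prints the 1-based position of the first "-A INPUT -s ADDRESS -j DROP" rule
# and returns 0; prints nothing and returns 1 if there is none. iptables
# shows a bare host address as ADDRESS/32, so both spellings are accepted.
drop_rule_number() {
    awk -v want="$1" '
        BEGIN { sub(/\/32$/, "", want) }
        /^-A INPUT / {
            n++                                   # -A lines are numbered from 1
            src = ""; tgt = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            sub(/\/32$/, "", src)
            if (src == want && tgt == "DROP") { print n; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# remove_drop_rule ADDRESS
# Looks the rule up by content and deletes it by number (needs root). Note that
# iptables -D also accepts the rule specification itself
# ("iptables -D INPUT -s ADDRESS -j DROP"), which avoids the numbering question;
# the numeric form is used here because it is what exercise 10 asks for.
remove_drop_rule() {
    n=$(iptables -S INPUT | drop_rule_number "$1") || {
        echo "no DROP rule for $1 in INPUT" >&2
        return 1
    }
    iptables -D INPUT "$n"
}

# With the sample above, the DROP rule is rule 3, not rule 1:
#   printf '%s\n' "$SAMPLE_RULES" | drop_rule_number 10.140.67.23    # prints 3
```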

Chapter 26: Using Linux for Cloud Computing

  1. To check your computer to see if it can support KVM virtualization, type the following:
    # cat /proc/cpuinfo | grep --color -E "vmx|svm|lm"
    flags  : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
    cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe
    syscall
    nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good
    xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor
    ds_cpl vmx smx es...
    ...

    The CPU must support either vmx or svm. The lm indicates that it is a 64-bit computer.

  2. To install a Linux system along with the packages needed to use it as a KVM host and to run the Virtual Machine Manager application, do the following:
    1. Get a live or installation image from a Linux site (such as getfedora.org), and burn it to a DVD (or otherwise make it available to install).
    2. Boot the installation image, and select to install it to a hard disk.
    3. For a Fedora Workstation, after the install is complete and you have rebooted, install the following package (for different Linux distributions, you might need to install a package that provides libvirtd as well):
      # yum install virt-manager libvirt-daemon-config-network
  3. To make sure that the sshd and libvirtd services are running on the system, type the following:
    # systemctl start sshd.service
    # systemctl enable sshd.service
    # systemctl start libvirtd.service
    # systemctl enable libvirtd.service
  4. Get a Linux installation ISO image that is compatible with your hypervisor, and copy it to the default directory used by Virtual Machine Manager to store images. For example, if the Fedora Workstation DVD is in the current directory, you can type the following:
    # cp Fedora-Live-Workstation-x86_64-21-5.iso /var/lib/libvirt/images/
  5. To check the settings on the default network bridge (virbr0), type the following:
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    virbr0          8000.000000000000       yes
    # ip addr show virbr0
    4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
         noqueue state UP group default
        link/ether de:21:23:0e:2b:c1 brd ff:ff:ff:ff:ff:ff
        inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
           valid_lft forever preferred_lft forever
  6. To install a virtual machine using the ISO image you copied earlier, do the following.
    1. Type this command:
      # virt-manager &
    2. Select File, and then select New Virtual Machine.
    3. Select Local install media, and click Forward.
    4. Select Browse, choose the live or install ISO, click Choose Volume, and click Forward.
    5. Select memory and CPUs, and click Forward.
    6. Select the size of disk you want to use, and click Forward.
    7. Select “Virtual network default: NAT” (it may already be selected).
    8. If it all looks okay, click Finish.
    9. Follow the installation process indicated by the installation ISO.
  7. To make sure you can log in to and use the virtual machine, do the following:
    1. Double-click the entry for the new virtual machine.
    2. When the viewer window appears, log in as you would normally.
  8. To check that your virtual machine can connect to the Internet or other network outside the hypervisor, do one of the following:
    • Open a web browser and try to connect to a website on the Internet.
    • Open a Terminal window, type ping redhat.com, and then press Ctrl+C to exit.
  9. Stop the virtual machine so it is no longer running.
    1. Right-click the entry for the VM in the virt-manager window.
    2. Select Shut Down, and then select Shut down again.
    3. If the VM doesn't shut down immediately, you can select Force Off instead, but that is like pulling the plug out and risks data loss.
  10. Start the virtual machine again so it is running and available.

    Right-click the virtual machine entry, and select Run.