ClouDIY: Bootstrapping Linux Servers – Part 2

Advanced tools and services for Linux system administration (based on RH134)


1. Shell Scripting Basics

Shell scripts allow you to automate tasks such as backups, user setup, or software installation. They're simply text files containing a sequence of shell commands.

#!/bin/bash
echo "Welcome"
whoami

Explanation: The first line tells Linux to use the Bash shell. echo displays text, and whoami prints the current user.

Tip: To run the script, first make it executable:

chmod +x script.sh
./script.sh

Loops and Conditions

Scripts often need to make decisions or repeat actions. You can do this using if statements and loops.

If statement: Checks if a file exists before taking action:

if [ -f "/etc/passwd" ]; then
  echo "File exists"
fi

For loop: Repeats a command for each item in a list:

for i in 1 2 3
do
  echo $i
done

This loop prints the numbers 1 to 3, one per line.

grep, awk, cut

Linux admins often need to extract and analyze parts of files. Tools like grep, awk, and cut help with that.

Examples:

grep "httpd" /var/log/messages      # Find lines containing 'httpd'
awk '{print $1}' file.txt           # Print the first word (column) of each line
cut -d":" -f1 /etc/passwd           # Show only the usernames from passwd file

These tools are powerful when dealing with logs, config files, or output from other commands.
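An added example, not from the original post, that ties the pieces above together: a script that uses if, for, grep, awk and cut to audit a passwd-style file for accounts that can log in and for any UID 0 account besides root. The sample passwd data and the function names are constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): audit a passwd-style file with
# if/for, grep, awk and cut. The sample data below is constructed for the demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:1001:Backup:/var/backup:/bin/sh
svc:x:1002:1002:Service:/srv/svc:/bin/false'

# Print the usernames of accounts whose login shell is not nologin/false.
login_users() {
  grep -v -E ':(/sbin/nologin|/usr/sbin/nologin|/bin/false)$' "$1" | cut -d: -f1
}

# Print the usernames of every account with UID 0 other than root.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# Run the audit on a file; return 1 if an extra UID 0 account exists.
audit_passwd() {
  file="$1"
  if [ ! -f "$file" ]; then
    echo "No such file: $file" >&2
    return 2
  fi
  echo "Accounts that can log in:"
  for u in $(login_users "$file"); do
    echo "  $u"
  done
  extra="$(extra_uid0 "$file")"
  if [ -n "$extra" ]; then
    echo "WARNING: additional UID 0 account(s): $extra"
    return 1
  fi
  return 0
}

# Demo: write the constructed sample to a temp file and audit it.
tmp="$(mktemp)"
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
if audit_passwd "$tmp"; then
  echo "audit passed"
else
  echo "audit flagged problems"
fi
rm -f "$tmp"
```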

2. Scheduling Tasks

Automating tasks like backups, updates, or cleanup scripts is essential for server management. Linux provides two main tools for this:

  • cron – for tasks that repeat on a schedule (daily, weekly, etc.)
  • at – for tasks that run once at a specific time

Example: Run a backup script every day at 2 AM using cron:

crontab -e
0 2 * * * /scripts/backup.sh

This means:

  • 0 → Minute (0th minute)
  • 2 → Hour (2 AM)
  • * * * → Every day, every month, every day of the week

So this job runs daily at 2:00 AM.

To check your scheduled jobs, run:

crontab -l

For a one-time task, use the at command. Example:

echo "/scripts/update.sh" | at 10:30

This schedules update.sh to run at 10:30 AM once.

Note: The at command may need to be installed on some systems (dnf install at), and the atd service must be running for queued jobs to execute.
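As an added example (not the post's own script), here is the kind of backup.sh the cron entry above would call, written for unattended use: it sets an explicit PATH because cron starts with a minimal one, takes a lock so overlapping runs cannot collide, and returns distinct exit codes. The /scripts/backup.sh path is the post's; the function names and the temporary demo directories are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): a backup script written to be
# safe when run unattended from cron. Function names and paths are assumptions.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin  # cron gives a minimal PATH

# Create $dest/backup-YYYYmmdd-HHMMSS.tar.gz from $src; print the archive path.
# Uses a lock directory (atomic mkdir) so overlapping cron runs do not collide.
run_backup() {
  src="$1"
  dest="$2"
  lock="$dest/.backup.lock"
  [ -d "$src" ] || { echo "source $src missing" >&2; return 2; }
  mkdir -p "$dest" || return 2
  if ! mkdir "$lock" 2>/dev/null; then
    echo "another backup is still running (lock: $lock)" >&2
    return 3
  fi
  archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  # -C so the archive holds relative paths, not the absolute source path
  if tar -czf "$archive" -C "$src" .; then
    rmdir "$lock"
    echo "$archive"
    return 0
  fi
  rm -f "$archive"
  rmdir "$lock"
  echo "tar failed for $src" >&2
  return 1
}

# Count the regular files stored in an archive (used to verify a backup).
archive_file_count() {
  tar -tzf "$1" | grep -c -v '/$'
}

# Demo on constructed temporary directories; in production the cron entry
# 0 2 * * * /scripts/backup.sh would call run_backup with the real paths.
demo_src="$(mktemp -d)"
printf 'hello\n' > "$demo_src/a.txt"
printf 'world\n' > "$demo_src/b.txt"
demo_dest="$(mktemp -d)"
if out="$(run_backup "$demo_src" "$demo_dest")"; then
  echo "backup written: $out ($(archive_file_count "$out") files)"
fi
rm -rf "$demo_src" "$demo_dest"
```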

3. System Tuning with tuned

tuned is a powerful tool for optimizing system performance based on specific workloads. It comes with pre-defined tuning profiles designed for different scenarios like servers, desktops, or virtual machines.

Why use it? Instead of manually adjusting system parameters (CPU, disk, network), tuned applies a set of optimized settings tailored to your use case — improving performance or power efficiency with one command.

Example: Maximize throughput (e.g., for servers handling heavy I/O):

tuned-adm profile throughput-performance

Scenario: Running on a virtual machine?

Apply a profile optimized for virtual guests:

tuned-adm profile virtual-guest

To see available profiles:

tuned-adm list

To check which profile is currently active:

tuned-adm active

This makes tuning your Linux system fast, simple, and effective — no deep kernel tweaks required.

4. Process Priority: nice & renice

Linux lets you control how much CPU time a process gets using nice and renice. This is helpful when you want to make sure critical tasks run smoothly without being slowed down by less important ones.

nice sets the priority *when starting* a new process. Lower values mean higher priority (range: -20 to 19). Regular users can only set positive nice values (lower priority).

Example: Run a script with lower priority to reduce its impact on system performance:

nice -n 10 script.sh

renice changes the priority of a process that is already running, using its process ID (PID).

Example: Change the priority of process ID 1234 by setting its nice value to 5 (a lower priority than the default of 0):

renice -n 5 -p 1234

Use case: If a background process is slowing down your system, use renice to lower its priority and free up CPU for more important tasks.

5. Access Control Lists (ACL)

ACLs let you set more flexible file permissions than the traditional owner-group-other model in Linux. With ACL, you can give different users specific access to individual files or directories — even if they’re not the owner or in the group.

Example: Give user john read and write access to /data/file.txt:

setfacl -m u:john:rw /data/file.txt

This command means:

  • -m: modify ACL
  • u:john:rw: give user 'john' read and write permissions

To check current ACL settings on a file:

getfacl /data/file.txt

When to use ACL: Useful in shared environments where you need to grant access to multiple users without changing the file's group or ownership.

6. SELinux Overview

SELinux (Security-Enhanced Linux) adds a powerful security layer that controls how processes interact with files, ports, and other resources. It enforces strict access controls and limits the damage from vulnerabilities or misconfigurations.

Checking SELinux Status

Use these commands to find out if SELinux is running and in what mode:

getenforce    # Returns: Enforcing, Permissive, or Disabled
sestatus      # Gives detailed SELinux status and config

Changing SELinux Modes Temporarily

You can temporarily change the SELinux mode (it resets on reboot):

setenforce 0  # Switch to Permissive mode (logs violations but doesn't block)
setenforce 1  # Switch to Enforcing mode (actively blocks unauthorized actions)

When to Change SELinux Mode

  • Enforcing: Recommended for production. Strictly enforces policies.
  • Permissive: Useful for troubleshooting – logs alerts but allows actions.
  • Disabled: Not recommended unless absolutely necessary (configured in /etc/selinux/config).

Tip: If you're seeing unexpected access denials, try Permissive mode briefly to diagnose the issue.

7. Managing Storage with LVM (Logical Volume Manager)

LVM helps you manage disk storage more flexibly than traditional partitioning. It allows you to create, resize, and organize storage volumes dynamically without worrying about fixed partitions.

Basic LVM Workflow

Here’s how to create a logical volume step-by-step:

# Initialize a physical disk for LVM usage
pvcreate /dev/sdb

# Create a volume group named 'datavg' using the physical disk
vgcreate datavg /dev/sdb

# Create a logical volume 'datalv' of size 5GB within 'datavg'
lvcreate -L 5G -n datalv datavg

# Format the logical volume with the XFS filesystem (common for Linux)
mkfs.xfs /dev/datavg/datalv

Explanation:

  • pvcreate: Prepares a physical disk or partition for LVM.
  • vgcreate: Groups one or more physical volumes into a volume group.
  • lvcreate: Creates a logical volume inside the volume group.
  • mkfs.xfs: Formats the logical volume with a filesystem so it can store files.

Logical volumes can later be resized or moved without unmounting the filesystem, making LVM ideal for growing or changing storage needs.

8. Mounting File Systems via NFS (Network File System)

NFS allows you to share directories and files over a network, letting multiple systems access the same files as if they were local. This is great for centralized storage or sharing data between servers.

How to Mount an NFS Share

Use the mount command to connect a remote NFS share to a local directory:

mount 192.168.1.5:/share /mnt/share

Explanation:

  • 192.168.1.5:/share — The remote NFS server IP address and the exported directory.
  • /mnt/share — The local directory where the remote share will be accessible.

Before mounting, ensure the NFS client utilities are installed on your system and the remote server is exporting the share properly.

Once mounted, you can access files in /mnt/share as if they were on your local disk.

9. Samba for Windows File Sharing

Samba lets Linux machines share files and printers with Windows systems over a network. It makes your Linux server act like a Windows file server.

How to Get Started

  • Install Samba packages on your Linux system.
  • Edit the main Samba configuration file /etc/samba/smb.conf to define what folders to share and set access permissions.
  • Start and enable the Samba service to run automatically on boot:
    systemctl enable --now smb

Quick Tips:

  • Make sure your firewall allows Samba traffic.
  • Test connectivity from Windows by accessing \\your-linux-server-ip\shared-folder
  • Use Samba users to control who can access the shared folders.

10. Boot Process Management

The boot process determines how your Linux system starts up and which services run. systemd uses targets to define the system state after boot.

Common Targets

  • graphical.target – Full graphical desktop environment (for desktops).
  • multi-user.target – Text-based multi-user mode without a graphical interface (common for servers).
  • rescue.target – Rescue mode for system recovery.

Check Current Default Target

This command shows what mode your system boots into by default:

systemctl get-default

Change Default Target

To change the default boot target (for example, to switch to multi-user mode without GUI):

systemctl set-default multi-user.target

Why Manage Boot Targets?

  • Optimize server performance by booting without unnecessary graphical services.
  • Use rescue mode to fix system problems when normal boot fails.
  • Customize startup to match your system’s role and requirements.

11. Recovering from Boot Issues

Sometimes your system may fail to boot properly due to configuration errors, such as a faulty /etc/fstab entry that prevents filesystems from mounting.

What to Do?

You can use GRUB, the bootloader, to edit kernel parameters and boot into special modes that help fix these problems:

  • Emergency mode: Boots into a minimal environment with root access, but most services are stopped. Use this for urgent repairs.
  • Rescue mode: Similar to emergency mode but with more services running, allowing for easier troubleshooting.

How to Access These Modes

  1. When the GRUB menu appears at boot, press e to edit the boot entry.
  2. Find the line starting with linux or linux16 (the kernel boot line).
  3. Add emergency or rescue at the end of this line.
  4. Press Ctrl + X or F10 to boot with these options.

Fixing Issues

Once in emergency or rescue mode, you’ll get a root shell where you can edit files, such as correcting /etc/fstab, to resolve boot problems.

After fixing the issue, reboot the system normally with:

reboot

12. Managing Firewalls

A firewall controls network traffic coming in and out of your server, helping protect it from unauthorized access.

Using firewalld

firewalld is a dynamic firewall manager commonly used on many Linux systems. It organizes rules into services, making it easier to allow or block common network traffic.

Allowing Services

For example, to allow web traffic on port 80 (HTTP), you can add the http service permanently:

firewall-cmd --add-service=http --permanent

The --permanent flag saves the rule so it stays after a reboot.

Reloading Firewall

After adding or changing rules, reload the firewall for changes to take effect immediately:

firewall-cmd --reload

Check Current Settings

To see which services and ports are currently allowed:

firewall-cmd --list-all

Managing your firewall properly helps keep your server safe while allowing necessary network access.

13. Working with Containers (podman)

Containers let you run applications in isolated environments, making deployment and management easier and more consistent.

What is Podman?

Podman is a popular tool to manage containers on Linux. It's similar to Docker but doesn’t require a background daemon, offering more security and simplicity.

Installing Podman

To install Podman on your system, run:

dnf install podman -y

Running a Container

Start a container running the Apache web server and map port 80 inside the container to port 8080 on your server:

podman run -dt -p 8080:80 docker.io/httpd

Flags explained:

  • -d: Run container in background (detached mode)
  • -t: Allocate a pseudo-TTY (for interactive processes)
  • -p 8080:80: Map host port 8080 to container port 80

Listing Running Containers

To see containers currently running:

podman ps

Tip:

If you’re used to Docker commands, you can alias docker to podman for easier use:

alias docker=podman

This makes managing containers straightforward, even if you're new to containerization.

Wrap-Up

This part covered more advanced and real-world aspects of Linux system management.
