This course lays the foundation for secure user and group administration and develops the skills administrators need to use available storage solutions efficiently and securely. It is the first of a two-part series that takes a computer professional with no Linux background to fully capable Linux administrator. Red Hat designed the course to benefit its customers, but every company and infrastructure is unique, so actual results and benefits may vary.

After attending this course, you should be able to perform essential Linux administration tasks, including installation, establishing network connectivity, managing physical storage, and basic security administration.
Intended audience: Windows system administrators or candidates with minimal experience with Red Hat Enterprise Linux.

Virtualization Administration Guide

Contents:

Shared storage example: NFS for a simple migration
Live KVM migration with virsh
Migrating with virt-manager
Remote management of guests
Remote management with SSH
Transport modes
Overcommitting with KVM
Advanced virtualization administration
Control Groups (cgroups)
Hugepage support
Miscellaneous administration tasks
Automatically starting guests
Using qemu-img
Verifying virtualization extensions
Setting KVM processor affinities
Generating a new unique MAC address
Improving guest response time
Configuring a VNC Server
Gracefully shutting down guests
Virtual machine timer management with libvirt
Storage concepts
Storage pools
Storage pools
Creating storage pools
Dedicated storage device-based storage pools
Partition-based storage pools
Directory-based storage pools
LVM-based storage pools
NFS-based storage pools
Volumes
Creating volumes
Cloning volumes
Adding storage devices to guests
Adding file based storage to a guest
Adding hard drives and other block devices to a guest
Deleting and removing volumes
Enabling NPIV on the switch
The Virtual Host Metrics Daemon (vhostmd)
Installing vhostmd on the host
Configuration of vhostmd
Starting and stopping the daemon
Verifying that vhostmd is working from the host
Configuring guests to see the metrics
Using vm-dump-metrics in Red Hat Enterprise Linux guests to verify operation
Managing guests with virsh
Attaching and updating a device with virsh
Connecting to the hypervisor
Creating a virtual machine XML dump (configuration file)
Suspending, resuming, saving and restoring a guest
Shutting down, rebooting and force-shutdown of a guest
Retrieving guest information
Retrieving host information
Storage pool information
Displaying per-guest information
Managing virtual networks
Migrating guests with virsh
Guest CPU model configuration
Learning about the host CPU model
Determining a compatible CPU model to suit a pool of hosts
Configuring the guest CPU model
Managing guests with the Virtual Machine Manager (virt-manager)
Starting virt-manager
The Virtual Machine Manager main window
The virtual hardware details window
Virtual Machine graphical console
Adding a remote connection
Displaying guest details
Performance monitoring
Displaying CPU usage
Guest
The guestfish shell
Viewing file systems with guestfish
Modifying files with guestfish
Other actions with guestfish
Shell scripting with guestfish
Augeas and libguestfs scripting
Other commands
Running virt-rescue
Running virt-df
Expanding a disk image
Running virt-inspector
Using virt-win-reg
Interaction with the API via a C program
Where to find further documentation
Virtual Networking
Virtual network switches
Network Address Translation
Other virtual network switch routing types
The default configuration
Examples of common scenarios
Routed mode
NAT mode
Isolated mode
Managing a virtual network
Creating a virtual network
Attaching virtual network to host
Creating custom libvirt scripts
Using XML configuration files with virsh
Basic options
Disk options
Display options
Network options
Device options
Expert options
Help and information options
Miscellaneous options
Troubleshooting
Debugging and troubleshooting tools
Troubleshooting with serial consoles
Virtualization log files
Loop device errors
KVM networking performance
Additional resources
Online resources
Installed documentation
Revision History
Index

Preface

1. Document Conventions

This manual uses several conventions to highlight certain words and phrases and draw attention to specific pieces of information. Where the intended typefaces are not installed, alternative but equivalent typefaces are displayed.

Typographic Conventions

Four typographic conventions are used to call attention to specific words and phrases.
These conventions, and the circumstances they apply to, are as follows.

Mono-spaced Bold

Used to highlight system input, including shell commands, file names and paths. Also used to highlight keycaps and key combinations. An example of this style would include a file name, a shell command and a keycap, all presented in mono-spaced bold and all distinguishable by context. Key combinations can be distinguished from keycaps by the hyphen connecting each part of a key combination. For example: Press Enter to execute the command. This highlights the particular keycap to press; a key combination is shown as a set of keycaps joined by hyphens, all pressed simultaneously.

If source code is discussed, class names, methods, functions, variable names and returned values mentioned within a paragraph are presented as above, in mono-spaced bold. For example: File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.

Proportional Bold

This denotes words or phrases encountered on a system, including application names; dialog box text; labeled buttons; check-box and radio button labels; menu titles and sub-menu titles.
For example: In the Buttons tab, click the Left-handed mouse check box and click Close to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand). To insert a special character into a gedit file, choose Applications > Accessories > Character Map from the main menu bar. Next, choose Search > Find from the Character Map menu bar, type the name of the character in the Search field and click Next. The character you sought is highlighted in the Character Table. Double-click the highlighted character to place it in the Text to copy field and then click the Copy button. Now switch back to your document and choose Edit > Paste from the gedit menu bar.

The above text includes application names; system-wide menu names and items; application-specific menu names; and buttons and text found within a GUI interface, all presented in proportional bold and all distinguishable by context.

Mono-spaced Bold Italic or Proportional Bold Italic

Whether mono-spaced bold or proportional bold, the addition of italics indicates replaceable or variable text.
Italics denotes text you do not input literally or displayed text that changes depending on circumstance. For example: To connect to a remote machine using ssh, type ssh username@domain.name at a shell prompt. If the remote machine is example. The mount -o remount file-system command remounts the named file system. To see the version of a currently installed package, use the rpm -q package command. It will return a result as follows: package-version-release.

Note the words in bold italics above: username, domain.name, file-system, package, version and release. Each word is a placeholder, either for text you enter when issuing a command or for text displayed by the system.

Aside from standard usage for presenting the title of a work, italics denotes the first use of a new and important term. For example: Publican is a DocBook publishing system.
Pull-quote Conventions

Terminal output and source code listings are set off visually from the surrounding text. Output sent to a terminal is set in mono-spaced roman; source-code listings are also set in mono-spaced roman but add syntax highlighting.

Notes and Warnings

Finally, three visual styles draw attention to information that might otherwise be overlooked.

Note: Notes are tips, shortcuts or alternative approaches to the task at hand. Ignoring a note should have no negative consequences, but you might miss out on a trick that makes your life easier.

Important: Important boxes detail things that are easily missed: configuration changes that only apply to the current session, or services that need restarting before an update will apply. Ignoring a box labeled 'Important' will not cause data loss but may cause irritation and frustration.

2. Getting Help and Giving Feedback

Through the customer portal, you can: search or browse through a knowledgebase of technical support articles about Red Hat products;
access other product documentation.

Red Hat also hosts a large number of electronic mailing lists for discussion of Red Hat software and technology. Click on the name of any mailing list to subscribe to that list or to access the list archives.

If you find a typographical error in this manual, or if you have thought of a way to make this manual better, we would love to hear from you!
If you have found an error, please include the section number and some of the surrounding text so we can find it easily.

Server best practices

The following tasks and tips can help you secure your Red Hat Enterprise Linux host and keep it reliable.

Run SELinux in enforcing mode. Set SELinux to enforcing mode with the setenforce command.

Add only the minimum number of user accounts needed for platform management on the server, and remove unnecessary user accounts.
Avoid running any unessential applications on your host. Applications running on the host may impact virtual machine performance and can affect server stability, and any application that crashes the server also takes down every virtual machine running on it.

Use a central location for virtual machine installations and images. If you use a directory other than the default for your virtual machine images, add the directory to your SELinux policy and relabel it before starting the installation.
Shareable network storage as the central location is highly recommended.

Security for virtualization

When deploying virtualization technologies, you must ensure that the host cannot be compromised. The host is a Red Hat Enterprise Linux system that manages the system, devices, memory and networks as well as all virtualized guests. If the host is insecure, every guest on it is vulnerable. There are several ways to enhance security on systems using virtualization. You or your organization should create a deployment plan that contains the operating specifications, specifies which services are needed on your virtualized guests and host servers, and states what support is required for those services.
Here are a few security issues to consider while developing a deployment plan:

Run only necessary services on hosts. The fewer processes and services running on the host, the higher the level of security and performance.

Enable SELinux on the hypervisor. See the SELinux and virtualization section below for details.

Use a firewall to restrict traffic to the host. A firewall with default-reject rules helps secure the host from attacks. It is also important to limit network-facing services.
Do not allow normal users to access the host. The host is privileged, and granting access to unprivileged accounts may compromise the level of security.

Storage security issues

Administrators of virtualized guests can, in certain circumstances, change the partitions the host boots from. To prevent this, administrators should follow these recommendations:

The host should not use disk labels to identify file systems in the fstab file, in the initrd, or on the kernel command line. If less privileged users, especially virtualized guests, have write access to whole partitions or LVM volumes, they can write a file system carrying the same label as one of the host's own file systems, and the host may then mount the guest-controlled device instead of its own at boot.
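As an added example (not part of the guide), a small audit script for the recommendation above: it flags fstab entries and a root= kernel argument that identify a device by disk label rather than by device path. The fstab text and kernel command line in the test are constructed; in live mode the script reads the standard /etc/fstab and /proc/cmdline.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit a host for label-based
# device references. A guest with write access to a whole partition or LVM
# volume can create a file system with the same label as the host's, so the
# host should reference its file systems by device path instead.

# Print every fstab entry (read from stdin) whose device field is LABEL=...
# Returns 1 if any such entry exists, 0 otherwise.
find_label_mounts() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blank lines
        $1 ~ /^LABEL=/ { print; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Check a kernel command line (the content of /proc/cmdline) for a root
# device identified by label. Returns 1 if root=LABEL=... is present.
root_uses_label() {
    for word in $1; do
        case "$word" in
            root=LABEL=*) return 1 ;;
        esac
    done
    return 0
}

# Live use: ./audit.sh --live  (reads the real files; no root needed)
if [ "${1:-}" = "--live" ]; then
    find_label_mounts < /etc/fstab || echo "fstab: label-based mounts found (listed above)"
    root_uses_label "$(cat /proc/cmdline)" || echo "kernel command line: root device identified by label"
fi
```

Both checks return a non-zero status when they find something, so they can gate a configuration-management run or a pre-deployment check.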
SELinux and virtualization

SELinux limits an attacker's abilities and works to prevent many common security exploits such as buffer overflow attacks and privilege escalation. The following procedure creates an LVM logical volume for guest images and labels it for libvirt; the same instructions also work for hard drive partitions.

Procedure: Creating and mounting a logical volume on a virtualized guest with SELinux enabled

1. Create a logical volume. This example creates a 5 gigabyte logical volume named NewVolumeName on the volume group named volumegroup.
2. Format the NewVolumeName logical volume with a file system that supports extended attributes, such as ext3.
3. Create a new directory for mounting the new logical volume. This directory can be anywhere on your file system.
4. Mount the logical volume on that directory.
5. Set the correct SELinux type for the libvirt image location.
6. Test the new attributes: create a new file on the file system using the touch command and check that it carries the libvirt image type.
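The procedure above as a script, added here as an example and not a listing from the guide. It also covers the earlier advice to relabel any non-default image directory before installing guests. The volume group, logical volume name and size come from the guide's text; the mount point /virtstorage and the virt_image_t type (the standard libvirt image label) are assumptions. The provisioning function runs real LVM, SELinux and mount commands and needs root; the two helpers it relies on are pure and are what the test exercises.

```shell
#!/bin/sh
# Added example (not the guide's own listing): create, format, mount and
# label an LVM volume for guest images, then verify the label the way the
# guide suggests (touch a file, inspect it with ls -Z).

# Build the file-context regex that semanage fcontext expects for a whole
# directory tree. A trailing slash is stripped so "/virtstorage/" and
# "/virtstorage" produce the same pattern.
fcontext_pattern() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$dir"
}

# Extract the SELinux type from one line of `ls -Z` output, for example
#   -rw-r--r--. root root unconfined_u:object_r:virt_image_t:s0 newfile
# The context is the field whose second component is the object role.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, p, ":") >= 3 && p[2] == "object_r") { print p[3]; exit }
    }'
}

# The guide's six steps. Args: volume group, logical volume name, mount point.
# Assumption: run as root on a host where the volume group already exists.
provision_virt_volume() {
    vg=$1; lv=$2; mnt=$3
    lvcreate -n "$lv" -L 5G "$vg"                          # step 1: 5 GB logical volume
    mke2fs -j "/dev/$vg/$lv"                               # step 2: ext3, supports the xattrs labels need
    mkdir -p "$mnt"                                        # step 3: mount point
    mount "/dev/$vg/$lv" "$mnt"                            # step 4
    semanage fcontext -a -t virt_image_t "$(fcontext_pattern "$mnt")"   # step 5: persistent rule
    restorecon -R -v "$mnt"                                #         apply it to what is there now
    touch "$mnt/newfile"                                   # step 6: new files must inherit the type
    t=$(selinux_type_of "$(ls -Z "$mnt/newfile")")
    [ "$t" = "virt_image_t" ] || { echo "label check failed: got '$t'" >&2; return 1; }
    rm -f "$mnt/newfile"
}

# Live use (root): provision_virt_volume volumegroup NewVolumeName /virtstorage
```

The semanage rule is what makes the label survive a full relabel; restorecon alone would be undone the next time the policy is applied to the file system.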
When you deploy system changes or add devices, you must update your SELinux policy accordingly. To configure an LVM volume for a guest, you must modify the SELinux context for the respective underlying block device and volume group.

SELinux booleans for virtualization

Several SELinux booleans control what the virtualization domain may do; enable only the ones your guests actually need:

Allow virt to read FUSE files: virt_use_fusefs
Allow virt to manage NFS files: virt_use_nfs
Allow virt to manage CIFS files: virt_use_samba
Allow sanlock to manage virt lib files: virt_use_sanlock
Allow virt to manage device configuration (PCI): virt_use_sysfs
Allow virtual machines to interact with the X server: virt_use_xserver
Allow virt to use USB devices: virt_use_usb

Virtualization firewall information

Various ports are used for communication between virtualized guests and management utilities.
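An added example, not from the guide, that ties together two of the host-hardening points above: putting SELinux into enforcing mode now and across reboots, and auditing which of the virtualization booleans are switched on so that each can be justified. It assumes the standard /etc/selinux/config file and the RHEL 6 boolean names listed above; the config file and getsebool output in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): enforce SELinux persistently
# and report which virtualization booleans are enabled.

# The booleans the guide lists for the virtualization domain.
VIRT_BOOLEANS="virt_use_fusefs virt_use_nfs virt_use_samba virt_use_sanlock virt_use_sysfs virt_use_xserver virt_use_usb"

# Rewrite the SELINUX= line of a selinux config file to "enforcing".
# Argument: the file path. Every other line is left untouched, which is
# why this is a targeted sed rather than a rewrite of the whole file.
set_config_enforcing() {
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' "$1"
}

# Read the SELINUX= value from a config file (SELINUXTYPE= does not match).
config_mode() {
    sed -n 's/^SELINUX=//p' "$1" | tail -n 1
}

# Read `getsebool -a` output ("name --> on|off") on stdin and print each of
# the virtualization booleans that is on, so a reviewer can ask whether it
# is really needed.
enabled_virt_booleans() {
    awk -v names="$VIRT_BOOLEANS" '
        BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($1 in w) && $NF == "on" { print $1 }
    '
}

# Live use (root): enforce now, make it survive a reboot, then review what
# the virtualization domain has been granted. setenforce alone is lost at
# the next boot, which is the mistake this function exists to avoid.
enforce_host() {
    setenforce 1
    set_config_enforcing /etc/selinux/config
    echo "virtualization booleans currently on:"
    getsebool -a | enabled_virt_booleans
    # Grant only what a guest needs, persistently, e.g. for images on NFS:
    #   setsebool -P virt_use_nfs on
}
```

Run enforce_host after the guests' storage needs are known; switching a boolean on later is a one-line change, while a boolean that was never needed is an unnecessary hole in the policy.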
Guest network services: any network service on a virtualized guest must have the applicable ports open on the guest to allow external access. If a network service on a guest is firewalled it will be inaccessible, so always verify the guest's network configuration first.

ICMP requests must be accepted. ICMP packets are used for network testing, and you cannot ping guests if ICMP packets are blocked.

Port 22 should be open for SSH access and for the initial installation.

Port 80, or an alternative port depending on the security settings of the RHEV Manager, is used by the vdsm-reg service to communicate information about the host.

A range of ports is used for migrations with KVM; a migration may use any port in this range, depending on the number of concurrent migrations occurring.

IP forwarding (enabled through the kernel's net. sysctl variable) also affects guest networking.
Note that installing libvirt enables this variable, so it is on once the virtualization packages are installed unless it was manually disabled. Enabling IP forwarding is not required for physical bridge devices: when a guest is connected through a physical bridge, its traffic is switched at layer 2 and does not need IP-level configuration such as IP forwarding.

The main reasons for integrating SELinux with virtualization (sVirt) are to improve security and to harden the system against bugs in the hypervisor that might be used as an attack vector aimed at the host or at another virtualized guest.
sVirt

This chapter describes how sVirt integrates with virtualization technologies in Red Hat Enterprise Linux 6.

Non-virtualized environments: in a non-virtualized environment, hosts are physically separated from each other, and each host is a self-contained environment consisting of services such as a web server or a DNS server. These services talk directly to their own user space, host kernel and physical host, offering their services directly to the network. The following image represents a non-virtualized environment.

Virtualized environments: in a virtualized environment, several operating systems run on a single host kernel and physical host. The following image represents a virtualized environment.

Security and Virtualization

When services are not virtualized, machines are physically separated, and any exploit is usually contained to the affected machine, with the obvious exception of network attacks. When services are grouped together in a virtualized environment, extra vulnerabilities emerge. If there is a security flaw in the hypervisor that can be exploited by a guest instance, that guest may be able to attack not only the host but also the other guests running on that host.
Such attacks can extend beyond the guest instance and expose other guests. sVirt exists to isolate guests and limit their ability to launch further attacks if they are exploited: with sVirt in place, as the following image shows, an attack cannot break out of the virtualized guest and extend to another guest instance.

The sVirt framework allows guests and their resources to be uniquely labeled. Once labeled, rules can be applied that reject access between different guests. Under typical use, you should not even notice that sVirt is working in the background.

sVirt labeling

This section describes the labeling features of sVirt. When sVirt is in use, each virtualized guest process is labeled and runs with a dynamically generated MCS level (a pair of categories), so each process is isolated from the other VMs, which run with different levels. The guest's disk images are automatically labeled to match the process that owns them. On the order of half a million distinct labels are supported.