Systemctl and Systemd on CentOS 7

Introduction to Systemd

Systemd is a system and service manager for Linux operating systems and the new standard for CentOS 7, RHEL 7, Fedora and Arch Linux. Most Linux distros seem to be moving towards adopting Systemd as their standard and replacing the old init.d. By design it is backwards compatible with SysVinit scripts, and it introduces new features like on-demand activation of processes, parallel startup of system services upon boot and even support for system state snapshots. systemctl is the core tool used to manage Systemd services and units.

Systemd introduces a new concept called systemd units. These units are represented by unit configuration files located in following directories:

/usr/lib/systemd/system/
/run/systemd/system/
/etc/systemd/system/

Each of these folders contains different Systemd units. For example, the first one contains units distributed by RPMs, like sshd, while the last one contains units created and managed by the system administrator, e.g. NetworkManager.

Manage Services

The main purpose of any init system is to initialize and manage services once the kernel has booted. systemctl is quite simple to use here and relies on the usual start, stop and status commands. The full syntax to start a service is:

systemctl start name.service

systemctl is smart enough to determine what kind of unit we're dealing with, so this should suffice:

systemctl start name

The same applies for stop and restart commands as well.

Listing Services

The following command will list all the currently loaded service units:

systemctl list-units --type service

List all installed service units and determine their state (enabled/disabled):

systemctl list-unit-files --type service

Enable, Disable, Mask Services

Enabling a service means that it will start automatically upon the next system reboot. Running the enable command creates the necessary symlink in /etc/systemd/system/ pointing at the unit file in /usr/lib/systemd/system/. For example, enabling nginx will have the following output:

[root@web01 ~]# systemctl enable nginx.service
ln -s '/usr/lib/systemd/system/nginx.service' '/etc/systemd/system/multi-user.target.wants/nginx.service'

To disable nginx so that it does not start at boot time:

[root@web01 ~]# systemctl disable nginx.service
rm '/etc/systemd/system/multi-user.target.wants/nginx.service'

which will remove the symlink. We can also mask a service, which prevents it from being started at all, even by other services, by running:

[root@web01 ~]# systemctl mask nginx.service
ln -s '/dev/null' '/etc/systemd/system/nginx.service'

which creates a symlink from /etc/systemd/system/nginx.service to /dev/null.
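As an added example (not from the original post), the following shell functions read the symlink layout that enable, disable and mask create, so a unit's state can be audited without calling systemctl, for instance when checking that nobody has quietly masked auditd on a host. The directory argument is an assumption so the functions can be run against a copied tree.

```shell
#!/bin/sh
# Added example: derive a unit's state from the on-disk layout that
# "systemctl enable|disable|mask" produces (see the ln/rm output above).
#   masked   : ETC_DIR/NAME.service is a symlink to /dev/null
#   enabled  : some ETC_DIR/*.wants/NAME.service symlink exists
#   disabled : neither
# ETC_DIR defaults to /etc/systemd/system; the parameter exists for testing on a copy.

# unit_state NAME.service [ETC_DIR] -> prints masked | enabled | disabled
unit_state() {
  local unit etc link
  unit=$1 etc=${2:-/etc/systemd/system}
  if [ -L "$etc/$unit" ] && [ "$(readlink "$etc/$unit")" = /dev/null ]; then
    echo masked
    return 0
  fi
  for link in "$etc"/*.wants/"$unit"; do
    # the glob stays literal when nothing matches, so -L is what decides
    [ -L "$link" ] && { echo enabled; return 0; }
  done
  echo disabled
}

# audit_masked_units [ETC_DIR] -> one line per unit masked in ETC_DIR
audit_masked_units() {
  local etc f
  etc=${1:-/etc/systemd/system}
  for f in "$etc"/*; do
    [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ] && basename "$f"
  done
  return 0
}
```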

Power Management

systemctl is able to manage the machine’s state as well which means that you can reboot, shutdown, power-off, suspend, hibernate and so on:

  • systemctl reboot – Reboot the system
  • systemctl poweroff – Power-off the system
  • systemctl suspend – Suspend the system
  • systemctl hibernate – Put the system into hibernation

Conclusions

systemctl gives you full control over your systemd instance. It is a really powerful tool and this is just a basic guide to what you can achieve with it.

More details about systemd and systemctl can be found here.

.htaccess examples

A .htaccess file is a configuration file supported by several web servers (including Apache) that allows for decentralized, per-directory management of web server configuration. .htaccess supports quite a few modifications and is quite flexible and customizable. The original purpose of .htaccess was to allow directory access control (requiring a password to access the content). Its functionality nowadays goes far beyond access control, since the .htaccess file can override many other configuration settings such as content type, character set, handlers and so on. The most common uses of .htaccess are the following:

  • Authorization, authentication
  • Blocking, allowing access
  • Rewriting URLs
  • Enable, disable Webserver options
  • Cache Control
  • MIME types

Here are a few .htaccess examples to achieve certain functionality.

Deny all traffic to the site

Deny from all

Deny all traffic and allow only one IP address

Order deny,allow
Deny from all
Allow from 1.2.3.4

where 1.2.3.4 is the IP address that you want to permit access from.

This can go even further and redirect all other visitors to a different page while only your IP address (1.2.3.4) can access the site:

ErrorDocument 403 http://www.google.com/
Order deny,allow
Deny from all
Allow from 1.2.3.4
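The two snippets above only work because of the Order line: with deny,allow the Allow directives win, with allow,deny the Deny wins and "Deny from all" locks everyone out, including 1.2.3.4. Here is an added example (not from the page) that models that evaluation in shell so the two orders can be compared for a client IP; it is a model of Apache 2.2's access rules, not Apache itself, and only handles plain IPs and the keyword all.

```shell
#!/bin/sh
# Added example: model of Apache 2.2 "Order" semantics (mod_access_compat on 2.4).
#   deny,allow : Deny rules are evaluated first, then Allow; unmatched requests are allowed.
#   allow,deny : Allow rules are evaluated first, then Deny; unmatched requests are denied.
# Lists are space-separated IPs or the keyword "all". No CIDR or hostnames (assumption).

# _matches LIST IP -> status 0 if LIST covers IP
_matches() {
  local entry
  for entry in $1; do
    [ "$entry" = all ] && return 0
    [ "$entry" = "$2" ] && return 0
  done
  return 1
}

# access_decision ORDER ALLOW_LIST DENY_LIST CLIENT_IP -> prints ALLOW or DENY
access_decision() {
  local order allow deny ip result
  order=$1 allow=$2 deny=$3 ip=$4
  case "$order" in
    deny,allow)
      result=ALLOW                              # default when nothing matches
      _matches "$deny"  "$ip" && result=DENY    # Deny evaluated first ...
      _matches "$allow" "$ip" && result=ALLOW   # ... and Allow overrides it
      ;;
    allow,deny)
      result=DENY                               # default when nothing matches
      _matches "$allow" "$ip" && result=ALLOW   # Allow evaluated first ...
      _matches "$deny"  "$ip" && result=DENY    # ... and Deny overrides it
      ;;
    *) echo "unknown Order: $order" >&2; return 2 ;;
  esac
  echo "$result"
}
```

On Apache 2.4 these directives require mod_access_compat; the native equivalent of the snippet is Require ip 1.2.3.4.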

Redirect one file to a new one

Redirect 301 /old/file.html /new/file.html

Redirect an entire directory

RedirectMatch 301 /folder(.*) /$1

Redirect all traffic to www

This is quite handy if you want to keep your traffic and links on www:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{HTTP_HOST} !^www\.hostingstuff\.net$ [NC]
RewriteRule ^(.*)$ http://www.hostingstuff.net/$1 [R=301,L]

Set up custom error documents based on the HTTP response code

The syntax is quite simple and straightforward:

ErrorDocument RESPONSE_CODE PAGE

Here are a few .htaccess examples for the 403, 404 and 500 error codes:

ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html

Enable directory listing and fancy indexing, and declare the DirectoryIndex

Options +Indexes
IndexOptions +FancyIndexing
DirectoryIndex index.html index.php

Disable directory listing

Options -Indexes
Create a Large File on Linux

How to create a large file on Linux, Unix or BSD from the command line?

There are several commands that can help you create a large file on Linux, but the most used are dd and fallocate.

First of all we'll need to check and make sure that we have enough disk space for creating this file. df -h will help us here and the output should be similar to this:

[root@web ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 30G 2.8G 26G 10% /

1. fallocate

fallocate is used to preallocate blocks to a file. This is much faster than creating a file by filling it with zeros, which means that dd or truncate are way slower than fallocate. The syntax is quite simple and straightforward: fallocate -l SIZE PATH/NAME:

[root@web ~]# fallocate -l 1G 1GB_file.img
[root@web ~]# ls -lah 1GB_file.img
-rw-r--r-- 1 root root 1.0G Feb 17 14:11 1GB_file.img

This will create a file called 1GB_file.img, 1 GB in size.

Other examples:

  • fallocate -l 100M 100M_file.img – This will create a 100 MB file
  • fallocate -l 50M 50M_file.img – This will create a 50 MB file

2. dd

dd is a utility that can be used to convert and copy files. The syntax is quite simple, and dd if=/PATH/INPUT of=/PATH/OUTPUT should do it. On Linux special device files (such as /dev/zero and /dev/random) show up as regular files, which means dd can also read from and/or write to them. The following command will create a 1 GB file:

[root@web ~]# dd if=/dev/zero of=1G.bin bs=1G count=1
1+0 records in
1+0 records out
1073741824 bytes (1.1 GB) copied, 26.838 s, 40.0 MB/s

http://linux.die.net/man/1/dd
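Putting the df check, fallocate and the dd fallback together, as an added example (not the page's own commands): a function that refuses to fill the disk, preallocates with fallocate where the filesystem supports it, falls back to dd with 1 MiB blocks otherwise, and verifies the final size. The K/M/G suffix parsing is my own and uses powers of 1024.

```shell
#!/bin/sh
# Added example: create a file of a given size safely.
#  - refuse if the target filesystem lacks the free space (the df check done by hand above)
#  - prefer fallocate (instant preallocation), fall back to dd from /dev/zero
#  - verify the resulting size before trusting the file
# Sizes take an optional upper-case K/M/G suffix, read as powers of 1024 (my convention).

# size_to_bytes SIZE -> prints the byte count (1G -> 1073741824)
size_to_bytes() {
  case "$1" in
    *K) echo $(( ${1%K} * 1024 )) ;;
    *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
    *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
    *)  echo "$1" ;;
  esac
}

# free_bytes DIR -> bytes available on the filesystem holding DIR (portable df -kP output)
free_bytes() {
  local kb
  kb=$(df -kP "$1" | awk 'NR == 2 { print $4 }')
  echo $(( kb * 1024 ))
}

# make_large_file SIZE PATH -> creates PATH of exactly SIZE bytes; non-zero status on failure
make_large_file() {
  local size path dir rem
  size=$(size_to_bytes "$1") path=$2 dir=$(dirname "$2")
  if [ "$(free_bytes "$dir")" -lt "$size" ]; then
    echo "not enough free space in $dir for $size bytes" >&2
    return 1
  fi
  # fallocate is fastest but fails on filesystems without preallocation support
  if ! command -v fallocate >/dev/null 2>&1 || ! fallocate -l "$size" "$path" 2>/dev/null; then
    # dd fallback with 1 MiB blocks: the page's bs=1G buffers a whole gigabyte in memory,
    # small blocks keep memory usage flat however large the file is
    dd if=/dev/zero of="$path" bs=1048576 count=$(( size / 1048576 )) 2>/dev/null || return 1
    rem=$(( size % 1048576 ))
    if [ "$rem" -gt 0 ]; then   # sizes that are not a whole number of MiB
      dd if=/dev/zero bs="$rem" count=1 2>/dev/null >> "$path" || return 1
    fi
  fi
  [ "$(wc -c < "$path" | tr -d ' ')" -eq "$size" ]
}
```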
Fix GHOST: glibc vulnerability CVE-2015-0235

Red Hat Product Security released on January 27, 2015 details about a critical vulnerability that affects glibc and is known as GHOST. This vulnerability was assigned CVE-2015-0235 and is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library – hence the name GetHOST.

Fortunately the fix is easy: it just involves running a yum update on the system. For CentOS, RHEL or Fedora we can check the installed RPM version using:

rpm -q glibc

In order to fix this glibc vulnerability you simply need to run:

yum update glibc

and reboot the system. If it's not possible to reboot the system we can also restart all the services that use glibc. In order to determine which services need to be restarted we can run this command:

lsof +c 15 | grep libc- | awk '{print $1}' | sort -u

The output should be something similar to this:

[root@CentOS ~]# lsof +c 15 | grep libc- | awk '{print $1}' | sort -u
agetty
auditd
avahi-daemon
awk
bash
crond
dbus-daemon
gdbus
gmain
grep
in:imjournal
iprdump
iprinit
iprupdate
JS
lsof
master
mysqld
mysqld_safe
NetworkManager
nginx
php-fpm
pickup
polkitd
qmgr
rs:main
rsyslogd
runaway-killer-
sort
sshd
systemd
systemd-journal
systemd-logind
systemd-udevd
tuned

We can restart the public facing services to temporarily fix this for certain services, but the best way to go would be rebooting the machine.
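The lsof pipeline above lists every process that has a glibc file open, including the grep, awk and sort of the pipeline itself. As an added example (not from the original post), the functions below instead walk /proc/*/maps and report only the processes still mapping a libc file that the update has since replaced on disk, which the kernel marks as "(deleted)"; those are the ones that still run the vulnerable code. The PROC_ROOT parameter is an assumption that lets the check run against a copied tree.

```shell
#!/bin/sh
# Added example: find processes that still run the OLD glibc after "yum update glibc".
# When the RPM replaces /usr/lib64/libc-2.17.so, already-running processes keep the old
# file mapped and /proc/PID/maps shows that mapping with a "(deleted)" suffix.
# PROC_ROOT defaults to /proc; the parameter exists so the functions can be tested on a copy.

# deleted_lib_users LIBPATTERN [PROC_ROOT] -> prints "PID COMM" per affected process
deleted_lib_users() {
  local lib root maps dir
  lib=$1 root=${2:-/proc}
  for maps in "$root"/[0-9]*/maps; do
    dir=$(dirname "$maps")
    # read errors (e.g. ptrace restrictions on other users' processes) are silenced
    if grep -q "$lib.*(deleted)" "$maps" 2>/dev/null; then
      echo "$(basename "$dir") $(cat "$dir/comm" 2>/dev/null || echo '?')"
    fi
  done
}

# restart_candidates [PROC_ROOT] -> unique command names still mapping a replaced libc;
# same shape as the lsof pipeline above, minus the grep/awk/sort false positives.
# 'libc-' matches the CentOS 7 file name libc-2.17.so (newer glibc ships libc.so.6).
restart_candidates() {
  deleted_lib_users 'libc-' "$1" | awk '{ print $2 }' | sort -u
}
```

Run as root, since unprivileged users can read only their own processes' maps.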

Once that's done we can check the version again and make sure we're safe:

[root@CentOS ~]# rpm -qa | grep glibc
glibc-2.17-55.el7_0.5.x86_64
glibc-common-2.17-55.el7_0.5.x86_64

https://access.redhat.com – CVE-2015-0235

Disable SELinux on CentOS 7

How to disable SELinux on CentOS 7 or most Linux operating systems?

SELinux stands for Security-Enhanced Linux and is a Linux kernel security module that provides a mechanism for supporting access control security policies. If you've recently installed your CentOS 7 (this works for CentOS 4, 5 and 6 as well) and you don't want to use SELinux, the easiest way is to disable it first and then make sure it won't start upon reboot.

We can verify the status using sestatus, which should return enabled along with some variables, or disabled if it's already turned off:

[root@server ~]# sestatus
SELinux status: disabled

To disable it for the time being, until the machine is rebooted, we can simply use the setenforce command:

[root@server ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

Simply running setenforce Permissive from the shell as root:

[root@server ~]# setenforce Permissive

OR:

[root@server ~]# setenforce 0

should do the trick, but we also need to make sure the change is permanent. To do this we simply edit SELinux's configuration file located at /etc/sysconfig/selinux and set the SELINUX variable to disabled:

[root@server ~]# vi /etc/sysconfig/selinux

After saving the file and exiting the editor SELinux should be off and it shouldn't interfere unless you enable it again. It is recommended that we reboot the machine after switching SELinux between modes. If you plan to install cPanel/WHM on the machine this is a mandatory step: cPanel/WHM doesn't work on a machine with SELinux set to Enforcing (1).

Please note that disabling SELinux on CentOS 7 doesn't mean the machine will be less protected; however, the OS will be more permissive. For example a user would be able to set 777 permissions on sensitive files like SSH keys, which means that other users will be able to see them.
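Editing /etc/sysconfig/selinux by hand is where a typo such as SELINUX=disable (missing the final d) leaves the machine in an unintended mode at the next boot. As an added example (not the page's own procedure), the functions below validate the value, change only the active SELINUX= line, keep a backup and re-read the result; they also report the runtime mode from /sys/fs/selinux, which is what setenforce changes. The FILE parameter is an assumption so the edit can be tested on a copy.

```shell
#!/bin/sh
# Added example: read and change the persistent SELinux mode safely.
# Assumes the CentOS layout the page describes: /etc/sysconfig/selinux (a link to
# /etc/selinux/config) holding an uncommented "SELINUX=enforcing|permissive|disabled" line.

# selinux_config_mode [FILE] -> prints the persistent mode, ignoring comment lines
selinux_config_mode() {
  sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/sysconfig/selinux}" | tail -n 1
}

# selinux_runtime_mode -> Enforcing | Permissive | Disabled (the value setenforce acts on)
selinux_runtime_mode() {
  if [ -r /sys/fs/selinux/enforce ]; then
    [ "$(cat /sys/fs/selinux/enforce)" = 1 ] && echo Enforcing || echo Permissive
  else
    echo Disabled   # selinuxfs not mounted: SELinux is off in this boot
  fi
}

# set_selinux_config_mode MODE [FILE] -> rewrites only the active SELINUX= line,
# keeps FILE.bak, refuses any value other than the three SELinux accepts
set_selinux_config_mode() {
  local mode file
  mode=$1 file=${2:-/etc/sysconfig/selinux}
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) echo "invalid mode: $mode" >&2; return 1 ;;
  esac
  if ! grep -q '^[[:space:]]*SELINUX=' "$file"; then
    echo "no SELINUX= line in $file" >&2
    return 1
  fi
  cp -p "$file" "$file.bak" || return 1
  # write to a temp file then rename, so a failed sed never leaves a half-written config
  sed "s/^\([[:space:]]*SELINUX=\).*/\1$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
  # switching to or from disabled only takes effect after a reboot
  [ "$(selinux_config_mode "$file")" = "$mode" ]
}
```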

Read more about SELinux:

SELinux on Wikipedia
HowTos SELinux