Systemctl and Systemd on CentOS 7

Introduction to Systemd

Systemd is a system and service manager for Linux operating systems and is the new standard on CentOS 7, RHEL 7, Fedora and ArchLinux. Most Linux distros seem to be moving towards adopting Systemd as the standard and replacing the old init.d. By design it’s backwards compatible with SysVinit scripts, and it introduces new features such as on-demand activation of processes, parallel startup of system services at boot, and support for system state snapshots. systemctl is the core tool used to manage Systemd services and units.

Systemd introduces a new concept called systemd units. These units are represented by unit configuration files located in the following directories:

/usr/lib/systemd/system/
/run/systemd/system/
/etc/systemd/system/

Each of these folders contains different Systemd units. For example, the first one contains units distributed by RPMs, like sshd, while the last one contains units created and managed by the system administrator, i.e. Network Manager.

Manage Services

The main purpose of any init system is to manage services and initialize services post kernel boot. systemctl is quite simple to use here and uses regular start, stop, status commands. The full syntax to start a service would be:

systemctl start name.service

systemctl is smart enough to determine what kind of application we’re dealing with, so this should suffice:

systemctl start name

The same applies for stop and restart commands as well.

Listing Services

The following command will list all the currently loaded service units:

systemctl list-units --type service

List all installed service units and determine their state (ENABLED/DISABLED):

systemctl list-unit-files --type service

Enable, Disable, Mask Services

Enabling a service means that it will start automatically upon next system reboot. Running the enable command will create the necessary symlink from the /usr/lib/systemd/system/ folder to the /etc/systemd/system/ one. For example, enabling nginx will have the following output:

[root@web01 ~]# systemctl enable nginx.service
ln -s '/usr/lib/systemd/system/nginx.service' '/etc/systemd/system/multi-user.target.wants/nginx.service'

In order to disable nginx so that it doesn’t start at boot time:

[root@web01 ~]# systemctl disable nginx.service
rm '/etc/systemd/system/multi-user.target.wants/nginx.service'

which will remove the symlink. We can even mask a service, which prevents it from being started by any other service, by running:

[root@web01 ~]# systemctl mask nginx.service
ln -s '/dev/null' '/etc/systemd/system/nginx.service'

which will create a symlink from /etc/systemd/system/nginx.service to /dev/null.
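The symlinks described above can also be read back to tell what state a unit is in, for instance on the mounted disk image of a machine under investigation. This is an added example, not part of the original guide; the function names are hypothetical, and it only looks at the mask link and at *.wants/ links (other link types systemd may create are ignored).

```sh
#!/bin/sh
# Classify a unit from the symlinks that enable/mask create.
# $1 = root of the tree to inspect ("" for the live system, or the mount
#      point of a disk image); $2 = unit name, e.g. nginx.service
unit_link_state() {
    etc="$1/etc/systemd/system"
    unit=$2
    # mask: /etc/systemd/system/<unit> is itself a symlink to /dev/null
    if [ -L "$etc/$unit" ] && [ "$(readlink "$etc/$unit")" = /dev/null ]; then
        echo masked
        return 0
    fi
    # enable: a symlink named <unit> sits in a *.wants/ directory
    for link in "$etc"/*.wants/"$unit"; do
        if [ -L "$link" ]; then
            echo enabled
            return 0
        fi
    done
    echo disabled
}

# Constructed sample tree reproducing the three nginx states shown above.
demo_unit_states() {
    root=$(mktemp -d)
    wants="$root/etc/systemd/system/multi-user.target.wants"
    mkdir -p "$wants"
    echo "fresh:  $(unit_link_state "$root" nginx.service)"
    ln -s /usr/lib/systemd/system/nginx.service "$wants/nginx.service"
    echo "enable: $(unit_link_state "$root" nginx.service)"
    ln -s /dev/null "$root/etc/systemd/system/nginx.service"
    echo "mask:   $(unit_link_state "$root" nginx.service)"
    rm -rf "$root"
}

demo_unit_states
```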

Power Management

systemctl is able to manage the machine’s state as well which means that you can reboot, shutdown, power-off, suspend, hibernate and so on:

  • systemctl reboot – Reboot the system
  • systemctl poweroff – Power-off the system
  • systemctl suspend – Suspend the system
  • systemctl hibernate – Put the system into hibernation

Conclusions

systemctl allows you to fully control your systemd instance. It’s a really powerful tool and this is just a basic guide to what you can achieve using it.

More details about systemd and systemctl can be found here.

Create a Large File on Linux

How to create a large file on Linux, Unix or BSD OS from command line?

There are several commands that can help you create a large file on Linux OS but the most used are dd and fallocate.

First of all we’ll need to check and make sure that we have enough disk space for creating this file. df -h will help us here and the output should be similar to this:

[root@web ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 30G 2.8G 26G 10% /

1. fallocate

fallocate is used to preallocate blocks to a file. This is much faster than creating a file by filling it with zeros, which means that dd or truncate are way slower than fallocate. The syntax is quite simple and straightforward, fallocate -l SIZE PATH/NAME:

[root@web ~]# fallocate -l 1G 1GB_file.img
[root@web ~]# ls -lah 1GB_file.img
-rw-r--r-- 1 root root 1.0G Feb 17 14:11 1GB_file.img

This will create a file called 1GB_file.img that is 1GB in size.

Other examples:

  • fallocate -l 100M 100M_file.img – This will create a 100MB file
  • fallocate -l 50M 50M_file.img – This will create a 50MB file

2. dd

dd is a utility that can be used to convert and copy files. The syntax is quite simple, and dd if=/PATH/INPUT of=/PATH/OUTPUT should do it. On Linux, special device files (such as /dev/zero and /dev/random) show up as regular files, which means dd can also read and/or write from/to them. The following command will create a 1GB file:

[root@web ~]# dd if=/dev/zero of=1G.bin bs=1G count=1
1+0 records in
1+0 records out
1073741824 bytes (1.1 GB) copied, 26.838 s, 40.0 MB/s

http://linux.die.net/man/1/dd

    Fix GHOST: glibc vulnerability CVE-2015-0235

    Red Hat Product Security released on January 27, 2015 details about a critical vulnerability that affects glibc and which is known as GHOST. This vulnerability was assigned CVE-2015-0235 and is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library – hence the name GetHOST.

    Fortunately the fix is easy: it just involves running a yum update on the system. For CentOS, RHEL or Fedora we can check the RPM version installed using:

    rpm -q glibc

    In order to fix this glibc vulnerability you’ll need to simply:

    yum update glibc

    and reboot the system. If it’s not possible to reboot the system we can also restart all the services that use glibc. In order to determine which services need to be restarted we can run this command:

    lsof +c 15 | grep libc- | awk '{print $1}' | sort -u

    The output should be something similar to this:

    [root@CentOS ~]# lsof +c 15 | grep libc- | awk '{print $1}' | sort -u
    agetty
    auditd
    avahi-daemon
    awk
    bash
    crond
    dbus-daemon
    gdbus
    gmain
    grep
    in:imjournal
    iprdump
    iprinit
    iprupdate
    JS
    lsof
    master
    mysqld
    mysqld_safe
    NetworkManager
    nginx
    php-fpm
    pickup
    polkitd
    qmgr
    rs:main
    rsyslogd
    runaway-killer-
    sort
    sshd
    systemd
    systemd-journal
    systemd-logind
    systemd-udevd
    tuned

    We can restart the public-facing services to temporarily fix this for certain services, but the best way to go would be to reboot the machine.
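The lsof command above lists every process that has libc open. After yum update glibc replaces the library file, a process started earlier keeps the old copy mapped and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps, which narrows the list to what actually still needs a restart. This is an added example, not part of the original article; the function names are hypothetical and the sample maps lines are constructed.

```sh
#!/bin/sh
# Reads /proc/<pid>/maps-format text (file argument or stdin) and succeeds
# if a libc mapping points at a file that no longer exists on disk, i.e.
# the process is still running the pre-update copy of the library.
has_stale_libc() {
    grep -Eq '/libc-[0-9.]+\.so \(deleted\)$' "$@"
}

# Print "<pid> <command>" for each running process that needs a restart.
list_stale_libc_procs() {
    for maps in /proc/[0-9]*/maps; do
        if has_stale_libc "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            pid=${pid%/maps}
            echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed maps lines: a daemon started before "yum update glibc" ...
sample_maps_before_restart() {
    cat <<'EOF'
00400000-004b8000 r-xp 00000000 fd:01 131094 /usr/sbin/nginx
7f3a5c000000-7f3a5c1b6000 r-xp 00000000 fd:01 393226 /usr/lib64/libc-2.17.so (deleted)
EOF
}

# ... and the same daemon after it has been restarted.
sample_maps_after_restart() {
    cat <<'EOF'
00400000-004b8000 r-xp 00000000 fd:01 131094 /usr/sbin/nginx
7f91e4000000-7f91e41b7000 r-xp 00000000 fd:01 393301 /usr/lib64/libc-2.17.so
EOF
}

# Summarise one maps listing read from stdin.
restart_verdict() {
    if has_stale_libc; then echo "restart needed"; else echo "up to date"; fi
}

sample_maps_before_restart | restart_verdict
sample_maps_after_restart | restart_verdict
```

Run list_stale_libc_procs as root after the update; an empty result means no running process is left on the old library.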

    Once that’s done we can check the version again and make sure we’re safe:

    [root@CentOS ~]# rpm -qa | grep glibc
    glibc-2.17-55.el7_0.5.x86_64
    glibc-common-2.17-55.el7_0.5.x86_64

    https://access.redhat.com – CVE-2015-0235

    Disable SELinux on CentOS 7

    How to disable SELinux on CentOS 7 or most Linux operating systems?

    SELinux stands for Security-Enhanced Linux and is a Linux kernel security module that provides a mechanism for supporting access control security policies. If you’ve recently installed CentOS 7 (this works for CentOS 4, 5 and 6 as well) and you don’t want to use SELinux, the easiest way would be to disable it first and then make sure it won’t start upon reboot.

    We can verify the status using sestatus which should return enabled along with some variables or disabled if it’s already turned off:


    [root@server ~]# sestatus
    SELinux status: disabled

    In order to disable it for the time being, until the machine is rebooted we can simply use the setenforce command:


    [root@server ~]# setenforce
    usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

    Simply running setenforce Permissive from shell as root:

    [root@server ~]# setenforce Permissive

    OR:

    [root@server ~]# setenforce 0

    should do the trick, but we also need to make the change permanent. In order to do this we’ll simply edit SELinux’s configuration file, located under /etc/sysconfig/selinux, and alter the SELINUX variable to disabled:

    [root@server ~]# vi /etc/sysconfig/selinux

    After saving the file and exiting the editor, SELinux should be off and it shouldn’t interfere unless you enable it again. It is recommended that we reboot the machine after changing SELinux between modes. If you plan to install cPanel/WHM on the machine this is a mandatory step: cPanel/WHM doesn’t work with SELinux set to Enforcing (1).

    Please note that if we disable SELinux on CentOS 7 it doesn’t mean the machine will be less protected, however the OS will be more permissive. For example, a user would be able to set 777 permissions on sensitive files like SSH keys, which means that other users will be able to see them.
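On CentOS 7 /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so a scripted edit that replaces the file (sed -i without --follow-symlinks, for instance) leaves the real configuration untouched. The following added example, not part of the original guide, changes only the SELINUX= line and writes through the symlink; the function names are hypothetical, the config tree is a constructed copy, and it accepts any of the three modes rather than just disabled.

```sh
#!/bin/sh
# Print the mode configured for the next boot.
selinux_config_mode() {
    # ^SELINUX= cannot match the SELINUXTYPE= line
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Set SELINUX=<mode> in config file $1 without replacing a symlink.
set_selinux_config_mode() {
    cfg=$1
    mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    if ! grep -q '^SELINUX=' "$cfg"; then
        echo "no SELINUX= line in $cfg" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Write the edited copy back through the path: the redirection follows
    # the symlink and keeps the target's inode, owner and mode.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed copy of the layout: sysconfig/selinux -> ../selinux/config
demo_selinux_config() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux" "$root/etc/sysconfig"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$root/etc/selinux/config"
    ln -s ../selinux/config "$root/etc/sysconfig/selinux"
    set_selinux_config_mode "$root/etc/sysconfig/selinux" disabled
    echo "configured mode: $(selinux_config_mode "$root/etc/selinux/config")"
    [ -L "$root/etc/sysconfig/selinux" ] && echo "symlink intact"
    rm -rf "$root"
}

demo_selinux_config
```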

    Read more about SELinux:

    SELinux on Wikipedia
    HowTos SELinux

    How To Add swap on CentOS 7

    What is swap?

    Swap space on Linux is an area on the machine’s hard drive where the operating system will write data that cannot be held in the memory. Swap is usually used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. Swap space is located on the hard drives, which have a slower access time than physical memory. Due to these factors, relying on swap all the times isn’t recommended and it should be limited.

    Pre-flight checks

    After installing the OS (in this case CentOS 7) we’ll need to log in to the machine from the console or over SSH. Before doing anything we should check a few things to make sure we have enough room for swap and that swap isn’t already enabled. This can be done using the swapon utility with the -s flag, which prints the status:

    [root@web ~]# swapon -s

    If this returns no output then it means we don’t have swap. Next we’ll check RAM usage using the free utility and the -m parameter:

    [root@web ~]# free -mo
    total used free shared buffers cached
    Mem: 994 851 142 6 39 218
    Swap: 0 0 1023

    Since swap will be written to the disk we’ll need to check that we have enough disk space available. In order to do so, df with the -h parameter (human-friendly output format) will be used:

    [root@web ~]# df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/vda1 30G 2.7G 26G 10% /
    devtmpfs 490M 0 490M 0% /dev
    tmpfs 498M 0 498M 0% /dev/shm
    tmpfs 498M 6.5M 491M 2% /run
    tmpfs 498M 0 498M 0% /sys/fs/cgroup

    We have plenty of disk space for this task, so we can proceed to the next step.

    How to enable swap on CentOS 7

    We’ll create a 1GB swap file called swap in the / location. In order to do this we’ll use fallocate:

    fallocate -l 1G /swap

    The swap file should be created almost instantly and you should see the command prompt again. We can check that the swap file was created using ls:

    [root@web ~]# ls -lh /swap
    -rw------- 1 root root 1.0G Jan 18 03:22 /swap

    Before proceeding we’ll need to secure it, making sure that only root can read and write it, by using chmod:

    chmod 600 /swap

    We have the file that will be used as swap and we’ll need to instruct the operating system to use it. In order to do so we’ll use mkswap which should return something similar to this:

    [root@web ~]# mkswap /swap
    Setting up swapspace version 1, size = 1048572 KiB
    no label, UUID=df691846-69f2-4157-86a6-4002cadef825

    We now have a swap space and we can enable it using swapon:

    swapon /swap

    swapon -s should reflect this change, along with free -m:

    [root@web ~]# swapon -s
    Filename Type Size Used Priority
    /swap file 1048572 0 -1
    [root@web ~]# free -m
    total used free shared buffers cached
    Mem: 994 851 142 6 40 219
    -/+ buffers/cache: 592 401
    Swap: 1023 0 1023

    This means that we have successfully enabled swap on the machine, however we’ll need to make sure it starts on reboot. In order to do so we’ll edit /etc/fstab using our favorite editor (vi in this case):

    vi /etc/fstab

    and add the following line:

    /swap swap swap sw 0 0

    We have successfully enabled swap on CentOS 7 which should start on reboot.
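The steps of this section collected into one script, as an added example that is not part of the original guide. It creates the file under umask 077 so that it is private from the moment it exists, checks owner and mode before the file is used as swap, and adds the fstab line only once; the function names are hypothetical and the fstab used in the demo is constructed.

```sh
#!/bin/sh
# Create the swap file with mode 600 from the start: with umask 077 set in
# the subshell it is never group- or world-readable, even briefly.
# fallocate follows the guide; if swapon rejects a preallocated file on the
# filesystem in use, fill the file with dd from /dev/zero instead.
create_swapfile() {    # $1 = path, $2 = size, e.g. 1G
    if [ -e "$1" ]; then
        echo "$1 already exists" >&2
        return 1
    fi
    ( umask 077 && fallocate -l "$2" "$1" )
}

# Succeed only if the file is owned by root (uid 0) with mode 600.
swapfile_perms_ok() {
    [ "$(stat -c '%u %a' "$1" 2>/dev/null)" = "0 600" ]
}

# Append the guide's fstab line unless the path is already listed as swap.
add_fstab_swap() {     # $1 = fstab file, $2 = swap file path
    if awk -v p="$2" '$1 == p && $3 == "swap" { f = 1 } END { exit !f }' "$1"; then
        return 0
    fi
    printf '%s swap swap sw 0 0\n' "$2" >> "$1"
}

# The whole procedure from this section; run as root.
enable_swapfile() {    # $1 = path, $2 = size
    create_swapfile "$1" "$2" && swapfile_perms_ok "$1" &&
        mkswap "$1" && swapon "$1" && add_fstab_swap /etc/fstab "$1"
}

# Constructed fstab: adding the entry twice still leaves one swap line.
demo_fstab() {
    f=$(mktemp)
    echo '/dev/vda1 / xfs defaults 0 0' > "$f"
    add_fstab_swap "$f" /swap
    add_fstab_swap "$f" /swap
    grep -c ' swap ' "$f"
    rm -f "$f"
}

demo_fstab
```

To repeat the guide's setup, call enable_swapfile /swap 1G as root.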