Here's how to set up VNC on Red Hat 7.5, combined with the Gnome desktop, Firefox and TigerVNC.
The goal is to install a Linux desktop, Firefox and TigerVNC on a system with just a base (minimal) Red Hat 7.5 install (without a desktop), and to set up the VNC service for 2 users, in this case for user root, and for user oracle. The VNC port to use for user root will be 5901, and it will be 5902 for user oracle.
Note: This procedure will also work on older RHEL 7 versions, like RHEL 7.2 through RHEL 7.4, with a few minor changes as there are a few differences between these RHEL releases. Please see below.
Install the GUI first (based on: https://access.redhat.com/solutions/5238):
# yum -y groupinstall "Server with GUI"
# yum install xterm xorg-x11-xinit
Install TigerVNC:
# yum -y install tigervnc tigervnc-server
There is no need to specifically install Firefox - it is installed as part of the GUI installation.
If you are not using RHEL 7.5, but an older version of RHEL 7, then please make sure to (at least) update the following packages to the latest available versions. These latest package versions are needed to make this work:
# yum -y update xterm xorg-x11-xinit tigervnc tigervnc-server
Start the GUI:
# systemctl set-default graphical.target
# systemctl start graphical.target
Configure VNC (based on https://access.redhat.com/solutions/966063):
Configure the VNC password for both root and user oracle (repeat for both users - log in as each user, and run the following command):
# vncpasswd
You will be asked if you would like to enter a view-only password. You may answer "n" for no.
Set up the VNC service on the system:
For user root:
# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
Edit the new file, and replace all entries of "<USER>" in the file with "root"; ensure the home directory of user root is also set to /root, not /home/root.
For user oracle:
# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:2.service
Edit the new file, and replace all entries of "<USER>" with "oracle".
Edit the xstartup user file in ~root/.vnc/xstartup and ~oracle/.vnc/xstartup. Replace the contents of the xstartup file with this:
#!/bin/sh
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
vncconfig -iconic &
dbus-launch --exit-with-session gnome-session &
Note here: Create the xstartup file, if it does not exist. And make sure to enable the execution bit on the xstartup file, by running:
# chmod +x xstartup
If necessary, if the firewall is in use, add the ports in the firewall.
First check if the firewall daemon is running right now, and enabled at boot time:
# systemctl status firewalld
If so, then add the ports used by VNC to the firewall configuration:
# firewall-cmd --permanent --zone=public --add-port 5901/tcp
# firewall-cmd --permanent --zone=public --add-port 5902/tcp
# firewall-cmd --reload
Run the following command as changes were made to systemd files:
# systemctl daemon-reload
Enable and start the TigerVNC service:
# systemctl enable vncserver@:1.service
# systemctl enable vncserver@:2.service
# systemctl start vncserver@:1.service
# systemctl start vncserver@:2.service
If, at this point, when starting either VNC service, you get an error about resources not being available, it may be that either VNC was already running, or that there are old VNC files in /tmp. In this case, first search for any running VNC processes:
# ps -ef | grep vnc
If any VNC processes are still running, then kill them, by using "kill -9". Then move over to the /tmp folder and clear out any old files used by VNC:
# cd /tmp
# rm -rf .X*
And then, try starting the VNC services again:
# systemctl start vncserver@:1.service
# systemctl start vncserver@:2.service
That should work. If so, then proceed with the next steps:
Check if the VNC services are listening on the ports 5901 and 5902:
# netstat -an | grep :590
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN
tcp6 0 0 :::5901 :::* LISTEN
tcp6 0 0 :::5902 :::* LISTEN
Now, it's time to test the VNC connections. A good way to test, without having to install a VNC client (usually requiring admin privileges on your Windows desktop), is to use the RealVNC VNC Viewer, from https://www.realvnc.com/en/connect/download/viewer/windows/. In the dropdown list on this website, make sure to select the "Standalone" version that applies to your operating system version. The regular EXE file on this site is a VNC viewer that requires admin privileges on Windows to install. This "standalone" VNC viewer can be used without having to install any software, and does not require admin-level access on Windows.
Open the screen for user root, by typing the following string, assuming the IP address of the server is 172.29.126.210:
172.29.126.210:5901
And for user oracle:
172.29.126.210:5902
And type the password provided earlier through the vncpasswd command.
That's it. You should be presented with desktop screens for both users root and oracle, and you should be able to run Firefox within those desktops.
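The unit-file edit described above can be scripted. The following is an added example, not part of the original post: it fills in the "<USER>" placeholder and handles the /root home directory case. The function names and the template excerpt are constructed for illustration; the real template is /lib/systemd/system/vncserver@.service.

```shell
#!/bin/sh
# Added example: fill in the <USER> placeholder of a vncserver@.service
# template. Function names and the template excerpt are constructed.

# Constructed excerpt in the style of the template; on a real system read
# /lib/systemd/system/vncserver@.service instead.
sample_template() {
    cat <<'EOF'
[Service]
Type=forking
ExecStart=/usr/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid
EOF
}

# render_vnc_unit USER HOME: template on stdin, finished unit on stdout.
# HOME is passed explicitly so that root ends up with /root, not /home/root.
render_vnc_unit() {
    user=$1
    home=$2
    # Refuse values that would break the sed expressions or the unit file.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name: $user" >&2; return 2 ;;
    esac
    case $home in
        /*) ;;
        *) echo "home directory must be absolute: $home" >&2; return 2 ;;
    esac
    case $home in
        *[!A-Za-z0-9_./-]*) echo "unsupported character in: $home" >&2; return 2 ;;
    esac
    # Replace the home path first, then every remaining placeholder.
    sed -e "s|/home/<USER>|$home|g" -e "s|<USER>|$user|g"
}

# Users from the post; output goes to stdout here instead of being written
# to /etc/systemd/system.
for entry in root:/root oracle:/home/oracle; do
    echo "--- unit for ${entry%%:*}"
    sample_template | render_vnc_unit "${entry%%:*}" "${entry#*:}"
done
```

On a real host the home directory can be looked up with "getent passwd USER | cut -d: -f6" before calling the function.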
How to install and configure Samba on CentOS 7 for file sharing on Windows
Here's how to set up a secure Samba share from a CentOS 7 (or RHEL 7) system, and share it with a Windows client.
First, install Samba:
# yum install samba samba-client samba-common
Add an exception to the firewall, if the firewall is active:
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload
Next, you'll need to know the workgroup the Windows system is configured in. By far, the easiest way to do this, is to open a command prompt on the Windows system, and run:
net config workstation
For the sake of this tutorial, we'll assume the workgroup is called WORKGROUP.
Make a copy of the Samba config file:
# cp /etc/samba/smb.conf /etc/samba/smb.conf.orig
Set up a secure file share. In the example below, the share will be located in /media/windows/share on the CentOS 7 system. Be sure to set the permissions in such a way that the user account used for the share (see below) indeed has access to this folder.
# mkdir -p /media/windows/share
# chmod -R 0755 /media/windows/share
# chown -R user:group /media/windows/share
Edit file /etc/samba/smb.conf and add:
[global]
workgroup = WORKGROUP
netbios name = centos
[Share]
comment = Shared Folder
path = /media/windows/share
valid users = user
browsable = yes
writable = yes
guest ok = no
read only = no
Set the SMB passwd for the user (this will be the username and password used to access the share from Windows):
# smbpasswd -a user
New SMB password:
Retype new SMB password:
Make sure everything is okay:
# testparm
Now enable and start Samba:
# systemctl enable smb.service
# systemctl enable nmb.service
# systemctl start smb.service
# systemctl start nmb.service
On the Windows host, in File Explorer type the IP address of the CentOS system, for example:
\\192.168.0.206
You will be asked for the username and password used when you ran the smbpasswd command.
And that should do it; you should now have a secured Samba share available on a Windows system.
Windows may cache any credentials that are used for the Samba share(s). When configuring the Samba share(s), it may be needed to have Windows "forget" these credentials. This can be easily achieved by running from a Command Prompt:
net use * /del
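The share above is restricted by "valid users" and "guest ok = no". As an added example (not part of the original post), the following check reads smb.conf text and reports every share that allows guest access or has no "valid users" list. The function names and the [scratch] share are constructed for illustration.

```shell
#!/bin/sh
# Added example: report smb.conf shares that allow guest access or lack a
# "valid users" list. Function names and sample data are constructed.

# Constructed input: the [Share] section from the post plus a weak [scratch].
sample_smb_conf() {
    cat <<'EOF'
[global]
workgroup = WORKGROUP
netbios name = centos
[Share]
path = /media/windows/share
valid users = user
guest ok = no
read only = no
[scratch]
path = /srv/scratch
public = yes
EOF
}

# audit_smb_shares: smb.conf on stdin, one finding per line on stdout.
# Share names are printed in lower case. Returns 1 when anything is reported.
audit_smb_shares() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function report() {
            if (share == "" || share == "global") return
            if (guest ~ /^(yes|true|1)$/) { print share ": guest access enabled"; bad = 1 }
            if (!users) { print share ": no valid users list"; bad = 1 }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            report()
            share = tolower(trim($0)); gsub(/^\[|\]$/, "", share)
            guest = gdefault; users = 0      # [global] values act as defaults
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]+/, "", key)          # whitespace in names is ignored
            val = tolower(trim(substr($0, eq + 1)))
            if (key == "guestok" || key == "public") {
                guest = val
                if (share == "global") gdefault = val
            }
            if (key == "validusers" && val != "") users = 1
        }
        END { report(); exit (bad ? 1 : 0) }
    '
}

sample_smb_conf | audit_smb_shares || echo "review the shares listed above"
```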
From time to time, there may be a need to run a tcpdump, to analyze the TCP traffic on a Red Hat system.
Now, there's a perfectly good description on how to do that on the Red Hat website at https://access.redhat.com/solutions/8787, so we won't be repeating that on this blog.
Just a few simple commands to get the tcpdump command going:
To start a tcpdump, for example on network interface em1, and dump the output to a file called /tmp/tcpdump.out, run:
# tcpdump -s 0 -i em1 -w /tmp/tcpdump.out -v
The "-v" option used in the example above shows the number of packets captured while the tcpdump command is running, and thus is very useful. Once you think you have gathered enough information, hit CTRL-C to stop the tcpdump. Be careful: running tcpdump can create quite a bit of output, especially if there's a lot of network traffic going on. This may fill up the file system where the tcpdump output file is located pretty quickly, so don't leave the tcpdump running for prolonged periods of time.
To review the contents of the tcpdump output, use the "-r" option:
# tcpdump -r /tmp/tcpdump.out
The "tcpdump -r" command will show you detailed information about the captured network packets.
Monitoring tools often use SNMP to query another system's information and status. For that to work on a Red Hat Enterprise Linux system, that system will have to have SNMP configured. And to allow a remote (monitoring) system to query SNMP information of a Red Hat Enterprise Linux system, one has to complete the following 3 items:
- Set up SNMP.
- Configure SNMP to use a non-public community name.
- Allow access through the firewall, if configured.
# yum -y install net-snmp net-snmp-utils
Next, start and enable (at boot time) the SNMP daemon to run on the system:
# systemctl enable snmpd
# systemctl start snmpd
Now you can test if you can query SNMP information -locally- on the system, by using the snmpwalk command:
# snmpwalk -v2c -c public localhost | head -5
The community string used above ("public") is a well-known SNMP community string, and this can be (and probably "is") utilized by hackers or other unfriendly people to obtain information about the system remotely, and as such, it's best practice to change the public community name into something a little bit different, preferably something that can't be guessed very easily. For the sake of this tutorial, we'll change it to "kermit".
Basically, you'll have to update this line in /etc/snmp/snmpd.conf from "public" to "kermit":
Before:
com2sec notConfigUser default public
After:
com2sec notConfigUser default kermit
Then, restart the SNMP daemon, so it picks up the changes to configuration file /etc/snmp/snmpd.conf:
# systemctl restart snmpd
Now test again with the snmpwalk command but this time by using the "kermit" community name:
# snmpwalk -v2c -c kermit localhost
That should give you quite a bit of output. If it doesn't, you've made a mistake, and you'll have to re-trace your steps.
The final step is to allow remote access. That will be needed if a remote system is being used to monitor the server, for example by a tool like Solarwinds. By default, remote access will be blocked by the firewall daemon on the system. To allow remote access, open up UDP port 161 on the client:
# firewall-cmd --zone=public --add-port=161/udp --permanent
# firewall-cmd --reload
Now log in to a remote system and run a similar snmpwalk command, but this time, specify the hostname of the server that you're querying (instead of "localhost"). For example, if the name of the host is "myserver", run:
# snmpwalk -v2c -c kermit myserver
And that's it. You can now remotely monitor a Linux server using SNMP, and you've secured it by changing the community name.
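A check for the community-name change described above, as an added example that is not part of the original post: it reads snmpd.conf text and reports access entries that still use a well-known community name. It goes one step beyond the post by also flagging entries whose source field is "default", which accepts queries from any host. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag snmpd.conf access entries that use a well-known
# community name or accept queries from any source. Names are constructed.

# Constructed sample in snmpd.conf syntax; on a real system feed
# /etc/snmp/snmpd.conf to the function instead.
sample_snmpd_conf() {
    cat <<'EOF'
# sec.name  source  community
com2sec notConfigUser  default       public
com2sec monitorUser    192.0.2.10    kermit
rocommunity private 192.0.2.0/24
EOF
}

# audit_snmp_communities: config on stdin; prints "LINE DIRECTIVE SOURCE FLAGS"
# per finding (the community itself is not echoed). Returns 1 on findings.
audit_snmp_communities() {
    awk '
        function report(dir, comm, src,    flags, lc, sep) {
            lc = tolower(comm); flags = ""
            if (lc == "public" || lc == "private") flags = "well-known-community"
            if (src == "default") {
                sep = (flags != "" ? "," : "")
                flags = flags sep "any-source"
            }
            if (flags != "") { print NR, dir, src, flags; bad = 1 }
        }
        $1 ~ /^#/ || NF == 0 { next }
        # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
        $1 == "com2sec" || $1 == "com2sec6" {
            i = 2
            if ($i == "-Cn") i += 2
            report($1, $(i + 2), $(i + 1))
        }
        # rocommunity/rwcommunity COMMUNITY [SOURCE ...]; no source means any
        $1 ~ /^r[ow]community6?$/ {
            report($1, $2, (NF >= 3 ? $3 : "default"))
        }
        END { exit (bad ? 1 : 0) }
    '
}

sample_snmpd_conf | audit_snmp_communities || echo "findings listed above"
```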
Red Hat provides you the opportunity to download a KVM guest image, that you can use within virt-manager to start immediately. This saves you the trouble and time of having to install the operating system.
However, the root password is not known, and so, it may be difficult to log in as root when using the KVM guest image provided by Red Hat.
Luckily, there is an easy solution to changing the root password on a KVM guest image.
Start by installing guestfish:
# yum -y install guestfish
Guestfish is a tool that can be used from the command line to access guest virtual machine file systems.
Next, update the image file as follows, assuming the image file is located in /var/lib/libvirt/images, and the image file is called "rhel7.5.beta1.qcow2", and you want to set the password to "PASSWORD":
# cd /var/lib/libvirt/images
# virt-customize -a rhel7.5.beta1.qcow2 --root-password password:PASSWORD
The top command is quite useful in Red Hat Enterprise Linux. This is a list of common keystrokes that can be used in top:
| Key | Purpose |
|---|---|
| ? or h | Help for interactive keystrokes. |
| l, t, m | Toggles for load, threads, and memory header lines. |
| 1 | Toggle showing individual CPUs or a summary for all CPUs in header. |
| s or d | Change the refresh (screen) rate, in decimal seconds (e.g., 0.5, 1, 5). |
| b | Toggle reverse highlighting for Running processes; default is bold only. |
| B | Enables use of bold in display, in the header, and for Running processes. |
| H | Toggle threads; show process summary or individual threads. |
| u, U | Filter for any user name (effective, real). |
| M | Sorts process listing by memory usage, in descending order. |
| P | Sorts process listing by processor utilization, in descending order. |
| k | Kill a process. When prompted, enter PID, then signal. |
| r | Renice a process. When prompted, enter PID, then nice_value. |
| W | Write (save) the current display configuration for use at the next top restart. |
| q | Quit. |
Processes
A process is a running instance of a launched, executable program. A process consists of:
- an address space of allocated memory,
- security properties including ownership credentials and privileges,
- one or more execution threads of program code, and
- the process state.
- local and global variables,
- a current scheduling context, and
- allocated system resources, such as file descriptors and network ports.
Through the fork routine, a child process inherits security identities, previous and current file descriptors, port and resource privileges, environment variables, and program code. A child process may then exec its own program code. Normally, a parent process sleeps while the child process runs, setting a request (wait) to be signaled when the child completes. Upon exit, the child process has already closed or discarded its resources and environment; the remainder is referred to as a zombie. The parent, signaled awake when the child exited, cleans the remaining structure, then continues with its own program code execution.
In a multitasking operating system, each CPU (or CPU core) can be working on one process at a single point in time. As a process runs, its immediate requirements for CPU time and resource allocation change. Processes are assigned a state, which changes as circumstances require.
The Linux process states are illustrated in the previous diagram and described in the following table.
| Name | Flag | Kernel-defined state name and description |
|---|---|---|
| Running | R | TASK_RUNNING: The process is either executing on a CPU or waiting to run. Process can be executing user routines or kernel routines (system calls), or be queued and ready when in the Running (or Runnable) state. |
| Sleeping | S | TASK_INTERRUPTIBLE: The process is waiting for some condition: a hardware request, system resource access, or signal. When an event or signal satisfies the condition, the process returns to Running. |
| | D | TASK_UNINTERRUPTIBLE: This process is also Sleeping, but unlike |
| | K | TASK_KILLABLE: Identical to the uninterruptible |
| Stopped | T | TASK_STOPPED: The process has been Stopped (suspended), usually by being signaled by a user or another process. The process can be continued (resumed) by another signal to return to Running. |
| | T | TASK_TRACED: A process that is being debugged is also temporarily Stopped and shares the same |
| Zombie | Z | EXIT_ZOMBIE: A child process signals its parent as it exits. All resources except for the process identity (PID) are released. |
| | X | EXIT_DEAD: When the parent cleans up (reaps) the remaining child process structure, the process is now released completely. This state will never be observed in process-listing utilities. |
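The state flags in the table above are what ps prints in its STAT column. As an added example (not part of the original post), the following function counts processes per flag and lists each zombie together with the parent that still has to reap it. The function names and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count processes per state flag and list zombies with the
# parent that still has to reap them. Names and sample data are constructed.

# Constructed sample in the column order of: ps -eo pid=,ppid=,stat=,comm=
sample_ps() {
    cat <<'EOF'
    1     0 Ss   systemd
  812     1 Ssl  rsyslogd
 2210     1 S    app-parent
 2215  2210 Z    app-worker <defunct>
 2216  2210 Z    app-worker <defunct>
 3001     2 D    kworker/u8:1
 3050  2950 T    vim
 3100  2950 R+   ps
EOF
}

# state_summary: ps lines on stdin. Prints FLAG=COUNT for the flags R S D T Z,
# then one line per zombie naming its parent.
state_summary() {
    awk '
        {
            flag = substr($3, 1, 1)      # first STAT character is the state
            count[flag]++
            name[$1] = $4
            if (flag == "Z") { nz++; zpid[nz] = $1; zppid[nz] = $2 }
        }
        END {
            n = split("R S D T Z", order, " ")
            for (k = 1; k <= n; k++)
                if (order[k] in count) printf "%s=%d\n", order[k], count[order[k]]
            for (k = 1; k <= nz; k++) {
                parent = (zppid[k] in name) ? name[zppid[k]] : "unknown"
                printf "zombie pid=%s parent=%s(%s)\n", zpid[k], zppid[k], parent
            }
        }
    '
}

sample_ps | state_summary
# Live system: ps -eo pid=,ppid=,stat=,comm= | state_summary
```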
How to tie a system to a specific update of Red Hat Enterprise Linux
Please see the following page: https://access.redhat.com/solutions/238533, if you need to update a Red Hat Enterprise Linux system, but need to ensure at the same time that the system isn't upgraded to a new minor release (e.g. from version 7.3 to version 7.4).
The trick is to use the "releasever" option with the yum command. For example, if you have a Red Hat Enterprise Linux system running version 7.3 (check with "cat /etc/redhat-release"), and you need to keep it at this version (e.g. for application specific reasons), then run the following command to only update the system packages relevant to version 7.3:
# yum --releasever=7.3 update
Once the update has been completed, check file /etc/redhat-release to ensure the system is still at version 7.3, and has not been upgraded to version 7.4.
And don't forget to reboot the system after doing updates. The following command will indicate if the system needs to be rebooted, to ensure that all installed updates are properly activated:
# needs-restarting -r
If the needs-restarting command is not available on your system, then please ensure to install RPM yum-utils:
# yum -y install yum-utils
The general procedure for resizing a swap space is as follows (assuming the swap space is set up as a logical volume within the root volume group called vg_root), for example to resize a swap space to 8 GB:
# swapoff -v /dev/mapper/vg_root-lv_swap
# lvm lvresize /dev/mapper/vg_root-lv_swap -L 8G
# mkswap /dev/mapper/vg_root-lv_swap
# swapon -va
There are 2 easy ways to read PDF files in Gnome (the default desktop for Red Hat Enterprise Linux): Use Firefox or Evince.
Evince is the Gnome document viewer, and can be easily opened as follows:
# evince /usr/share/doc/libtasn1-4.10/libtasn1.pdf
You can also use Firefox. Firefox has built-in PDF support. You can open it as follows:
# firefox /usr/share/doc/libtasn1-4.10/libtasn1.pdf


