Configuring your boot environment
by Uday R. Sawant, William Leemans, Jonathan Hobson, Oliver Pelz
Linux: Powerful Server Administration
- Linux: Powerful Server Administration
- Table of Contents
- Linux: Powerful Server Administration
- Linux: Powerful Server Administration
- Credits
- Preface
- 1. Module 1
- 1. Managing Users and Groups
- 2. Networking
- Introduction
- Connecting to a network with a static IP
- Installing the DHCP server
- Installing the DNS server
- Hiding behind the proxy with squid
- Being on time with NTP
- Discussing load balancing with HAProxy
- Tuning the TCP stack
- Troubleshooting network connectivity
- Securing remote access with OpenVPN
- Securing a network with uncomplicated firewall
- Securing against brute force attacks
- Discussing Ubuntu security best practices
- 3. Working with Web Servers
- Introduction
- Installing and configuring the Apache web server
- Serving dynamic contents with PHP
- Hosting multiple websites with a virtual domain
- Securing web traffic with HTTPS
- Installing Nginx with PHP_FPM
- Setting Nginx as a reverse proxy
- Load balancing with Nginx
- Setting HTTPs on Nginx
- Benchmarking and performance tuning of Apache
- Securing the web server
- Troubleshooting the web server
- 4. Working with Mail Servers
- 5. Handling Databases
- Introduction
- Installing relational databases with MySQL
- Storing and retrieving data with MySQL
- Importing and exporting bulk data
- Adding users and assigning access rights
- Installing web access for MySQL
- Setting backups
- Optimizing MySQL performance – queries
- Optimizing MySQL performance – configuration
- Creating MySQL replicas for scaling and high availability
- Troubleshooting MySQL
- Installing MongoDB
- Storing and retrieving data with MongoDB
- 6. Network Storage
- 7. Cloud Computing
- 8. Working with Containers
- Introduction
- Installing LXD, the Linux container daemon
- Deploying your first container with LXD
- Managing LXD containers
- Managing LXD containers – advanced options
- Setting resource limits on LXD containers
- Networking with LXD
- Installing Docker
- Starting and managing Docker containers
- Creating images with a Dockerfile
- Understanding Docker volumes
- Deploying WordPress using a Docker network
- Monitoring Docker containers
- Securing Docker containers
- 9. Streaming with Ampache
- 10. Communication Server with XMPP
- 11. Git Hosting
- Introduction
- Installing Git
- Creating a local repository with Git CLI
- Storing file revisions with Git commit
- Synchronizing the repository with a remote server
- Receiving updates with Git pull
- Creating repository clones
- Installing GitLab, your own Git hosting
- Adding users to the GitLab server
- Creating a repository with GitLab
- Automating common tasks with Git hooks
- 12. Collaboration Tools
- 13. Performance Monitoring
- 14. Centralized Authentication Service
- 2. Module 2
- 1. Installing CentOS
- Introduction
- Downloading CentOS and confirming the checksum on Windows or OS X
- Creating USB installation media on Windows or OS X
- Performing an installation of CentOS using the graphical installer
- Running a netinstall over HTTP
- Installing CentOS 7 using a kickstart file
- Getting started and customising the boot loader
- Troubleshooting the system in rescue mode
- Updating the installation and enhancing the minimal install with additional administration and development tools
- 2. Configuring the System
- Introduction
- Navigating text files with less
- Introduction to Vim
- Speaking the right language
- Synchronizing the system clock with NTP and the chrony suite
- Setting your hostname and resolving the network
- Building a static network connection
- Becoming a superuser
- Customizing your system banners and messages
- Priming the kernel
- 3. Managing the System
- Introduction
- Knowing and managing your background services
- Troubleshooting background services
- Tracking system resources with journald
- Configuring journald to make it persistent
- Managing users and their groups
- Scheduling tasks with cron
- Synchronizing files and doing more with rsync
- Maintaining backups and taking snapshots
- Monitoring important server infrastructure
- Taking control with GIT and Subversion
- 4. Managing Packages with YUM
- 5. Administering the Filesystem
- 6. Providing Security
- 7. Building a Network
- 8. Working with FTP
- 9. Working with Domains
- 10. Working with Databases
- 11. Providing Mail Services
- 12. Providing Web Services
- 13. Operating System-Level Virtualization
- 14. Working with SELinux
- 15. Monitoring IT Infrastructure
- 1. Installing CentOS
- 3. Module 3
- 1. Working with KVM Guests
- 2. Deploying RHEL "En Masse"
- 3. Configuring Your Network
- 4. Configuring Your New System
- 5. Using SELinux
- 6. Orchestrating with Ansible
- 7. Puppet Configuration Management
- 8. Yum and Repositories
- 9. Securing RHEL 7
- 10. Monitoring and Performance Tuning
- Bibliography
- Index
GRUB2 is the default boot loader for RHEL 7. By default, it doesn't use any fancy configuration options, but it is wise to at least secure your grub boot loader.
There are many advantages to having your grub and boot environment output to serial console in an enterprise environment. Many vendors integrate virtual serial ports in their remote control systems, as does KVM. This allows you to connect to the serial port and easily grab whatever is displayed in a text editor.
Setting a password on the GRUB2 boot loader mitigates possible hacking attempts on your system when you have physical access to the server or console. Perform the following steps for this recipe:
- First, edit
/etc/sysconfig/grubwith your favorite editor. - Now, modify the
GRUB_TERMINAL_OUTPUTline to include both console and serial access by executing the following command line:GRUB_TERMINAL_OUTPUT="console serial"
- Add the
GRUB_SERIAL_COMMANDentry, as follows:GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no –stop=1"
- Now, save the file.
- Create the
/etc/grub.d/01_usersfile with the following contents:cat << EOF set superusers="root" password root SuperSecretPassword EOF
- Next, update your
grubconfiguration by running the following commands:~]# grub2-mkconfig -o /boot/grub2/grub.cfg Generating grub configuration file ... Found linux image: /boot/vmlinuz-3.10.0-229.4.2.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-229.4.2.el7.x86_64.img Found linux image: /boot/vmlinuz-3.10.0-229.1.2.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-229.1.2.el7.x86_64.img Found linux image: /boot/vmlinuz-0-rescue-fe045089e49942cb97db675892395bc8 Found initrd image: /boot/initramfs-0-rescue-fe045089e49942cb97db675892395bc8.img done ~]#
The behavior of grub2-mkconfig is defined by the directives of the files in /etc/grub.d. These files, based on the configuration in /etc/sysconfig/grub, autogenerate all the menu entries in the grub.cfg file. You can modify its behavior by adding files with bash code in this directory.
For instance, you could add a script that would add a menu entry to boot from the CD/DVD ROM drive.
The user root, which is added to /etc/grub.d/01_users, is the only one allowed to edit menu entries from the console, mitigating the weakness in GRUB to force rescue mode by adding 1 or rescue at the end of the kernel line.
The grub2-mkconfig command is specific for BIOS-based systems. In order to do the same on UEFI systems, modify the command as follows:
~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
In order to access the GRUB terminal over the same serial connection, you need to specify an additional kernel option: console=ttyS0,9600n8.
You can either modify the kernel lines in /boot/grub2/grub.cfg (or /boot/efi/EFI/redhat/grub.cfg manually, but you do risk losing the change when your kernel is updated), or manually regenerate the file using grub2-mkconfig.
It's best to add it to the GRUB_CMDLINE_LINUX directive in /etc/sysconfig/grub and regenerate your grub.cfg file.
Passwords for GRUB users can be encrypted using the grub2-mkpasswd-pbkdf2 command, as follows:
~]# grub2-mkpasswd-pbkdf2 Enter password: Reenter password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.C208DD5E318B1D6477C4E51035649C197411259C214D0B83E3E83753AD58F7676B62CDF48E31AF0E739844A5CF9A95F76AF5008AF340336DB50ECA23906ECC13.9D20A66F0CADA12AA617B293B5BBF7AAD44423ECA513F302FEBF5CB92A0DC54436E16D7CD6E09685323084A27462C2A981054D52F452F5C2F71FBACD2C31AEFA ~]#
Then, you can substitute the clear text password in /etc/grub.d/01_users with the generated hash. Here's an example:
password root grub.pbkdf2.sha512.10000.C208DD5E318B1D6477C4E51035649C197411259C214D0B83E3E83753AD58F7676B62CDF48E31AF0E739844A5CF9A95F76AF5008AF340336DB50ECA23906ECC13.9D20A66F0CADA12AA617B293B5BBF7AAD44423ECA513F302FEBF5CB92A0DC54436E16D7CD6E09685323084A27462C2A981054D52F452F5C2F71FBACD2C31AEFA
All the entries that are automatically generated are bootable but not editable from the console, unless you know the user and password. If you have custom menu entries and want to protect them in a similar way, add --unrestricted to the menu entry definition before the accolades. Here's an example:
menuentry 'My custom grub boot entry' <options> --unrestricted {For more information about working with the GRUB2 boot loader, go to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Working_with_the_GRUB_2_Boot_Loader.html.
-
No Comment