What's New in Centos 8
- Since CentOS 7.5 the web console, cockpit has been available
- View Performance: Real-time performance data
- Manage users: Create users and groups
- Read logs: Access and filter log files
When a socket unit starts the port used by the service is held open by systemd.When users connect to the service it is started. When service is no longer needed the service shuts down and systemd maintains the socket.
sudo systemctl enable --now cockpit.socket sudo ss -ntlp sudo systemctl status cockpit.socket sudo systemctl status cockpit.service http://ip:9090
yum list cockpit* yum info cockpit-dashboard
Released with the Linux kernel 3.13 in January 2014 nftables can be used as a replacement for netfilter modules used previously.the Command nft is used to natively manage the rules and combines management if IPv4, IPv6, ARP and Bridge filters
Nftables is without Default Tables
Unlike netfilter modules and the associated iptables command, nftables does not have any predefined tables. These all need to be defined.By default in CentOS 8 this is handled by firewalld.
systemctl disable --now firewalld reboot nft list tables nft list tables ip systemctl enable --now firewalld nft list tables nft list tables ip nft list table ip filter
Tables and Chains are the basis of firewall rules. Disabling firewalld and rebooting the system will allow us to build everything from scratch. Using inet as the family we can work with both IPv4 and IPv6
systemctl disable --now firewalld; reboot nft list tables nft add table inet filter nft add chain inet filter INPUT { type filter hook input priority 0; policy accept;} nft list table inet filter nft list ruleset
- filter
route nat
- prerouting
input forward output postrouting ingress
If we need inbound SSH connection to the system a basic firewall is not that different to one we would build with iptables but working with both IPv4 and IPv6
nft add rule inet filter INPUT iif lo accept nft add rule inet filter INPUT ct state established, related accept nft add rule net filter INPUT tcp dport 22 accept nft add rule net filter INPUT counter drop
We can list the complete ruleset and redirect to a file. We can then flush the table, clearing all associated chains and delete the table. Reestablishing rules by reading the file back with the option -f
nft list ruleset > /root/myrules nft flush table inet filter nft delete table inet filter nft -f /root/myrules nft list ruleset / etc/sysconfig/nftables.conf nft flush table inet filter nft delete table inet filter systemctl enable --now nftables
NFS versions
The NFS server and client are installed using the nfs-utils package as it was in CentOS 7. A default install will disable NFSv2 and enable NFSv3 and above. Disabling NFSv3 makes the system more firewall friendly. only needing TCP port 2049 to be opened
configuring NFS in CentOS 8
We can either edit the new /etc/nfs.conf file or make use of the equally new nfsconf command line utility
yum install nfs-utils systemctl enable --now nfs-server.service ss -tl ss -tnl ss -4 -tnl systemctl mask --now rpc-statd rpcbind.service rpcbind.socket
nfsconf --set nfsd vers4 y nfsconf --set nfsd tcp y nfsconf --set nfsd udp n nfsconf --set nfsd vers3 n
Allowing Access through Firewalld
On the NFS server we can allow inbound TCP port 2049 by making use of the nfs service xml file.
firewall-cmd --add=service=nfs firewall-cmd --runtime-to-permanent
mkdir /share find /usr/shar/doc -name "*.txt" -exec cp {} /share ; vim /etc/exports /share *(rw)
exportfs -rav exportfs -v firewall-cmd --list-all firewall-cmd --add-service=nfs --permanent
yum list nfs-utils
mount bog:/share /mnt lst /mnt
SELinux support for NFS continues and there are many customizations that can be made to SELinux polcies to better enable NFS in the way you need. The first step is to make sure you have the MAN pages installed
MAN pages for SELinux types can be installed using the command sepolicy
yum provides "*/sepolicy" yum install policycoreutils-devel sepolicy manpage -d nfsd_t -p /usr/share/man/man8 mandb apropos _selinux
Managing volumes with Stratis allows you to create thinly provisioned volumes file systems with a single command whilst utilizing existing dev-mapper and XFS technology
yum install stratisd stratis-cli systemctl enable --now stratisd
Stratis pools aggregate storage space and represent volume groups and thin pools in DM management. The sub-command add-data is used to extend the size of an existing pool
stratis pool create pool1 /dev/sdb stratis pool add-data pool1 /dev/sdc stratis pool list blockdev
lsblk wipefs --all /dev/sdb wipefs --all /dev/sdc ps -fp $(pgrep stratis) stratis daemon version stratis pool create pool1 /dev/sdb stratis pool stratis pool add-data pool1 /dev/sdc stratis blockdev stratis filesystem
Stratis volumes are thinly provisioned and as such we do not set the size. They are assigned more space than is available. Ensure that the mount option in the /etc/fstab is used to ensure the service is running before the mount is attempted.
stratis filesystem create pool1 fs1 mount /stratis/pool1/fs1 /data x-systemd.requires=stratisd.service
vim /etc/fstab
/stratis/pool1/fs1 /data xfs defaults,x-systemd.requires=stratisd.service 0 0
mount -a mount -t XFS find /usr/share/doc/ -name '*.html' -exec cp {} /data ; df -h /data
Snapshots are point in time copies of a file system and can be used as a method of rolling back changes on a simple online backup agent.
stratis filesystem snapshot pool1 fs1 snap1
mount /stratis/pool1/snap1 /backup rm -f /data* umount /data umount /backup vim /etc/fstab stratis filesystem destroy pool1 fs1
The Virtoal Data Optimizer became available with CentOS 7.5 and allows for compression and deduplication of data by Linux Kernel modules
You will probably find that these items are installed on most CentOS 8 deployments. You will need a disk larger than 4 GB to use as a VDO device
yum install vdo kmod-kvdo systemd enable --now vdo.service
We create a logical size for the volume as it is this size that is used by the file system without knowkedge of the gains from optimization
modprobe kvdo vdo create --name=vdo1 --device=/dev/sdb --vdoLogicalSize=20G vdo status --name=vdo1 | grep -E '(Dedup|Compression)' mkfs.xfs -K /dev/mapper/vdo1 mkfs.xfs -K /dev/mapper/vdo2
When mounting VDO devices from the /etc/fstab file ,don't overlook the mount option. We can view device usage to mointor actual space left.
x-systemd.requires=vdo.service vdostats --human-readable vim /etc/fstab /dev/mapper/vdo1 /data xfs defaults,x-systemd.requires=vdo.service 0 0 mount -a ls -lh /boot
for i in {1..100}; do echo $i; done for i in {1..100}; do cp /boot/vmlinuz-4.18.0-193.6.3.el8_2.x86_64 /data/$i; done du -sh /data vdostats --human-readable
The vdoLogicalSize is the size of the thinly provisioned device presented to the system. Red Hat recommends a 10:1 ratio for filesystems hosting virtual machines and a 3:1 ratio for object stores such as ceph. We can increase but not reduce the logical size.
vdo growLogical --name=vdo1 --vdoLogicalSize=40G xfs_growfs /data df -h /data vdo status --name=vdo1 | grep 'Logical size'
Compression adn deduplication can be independently enabled and disabled. Both are enabled by default
vdo disableDeduplication --name=vdo1 vdo enableDeduplication --name=vdo1
Linux Kernel 4.18 ping 127.1 ping 1.1