Sam Doran

My little corner of the Internet

Red Hat 7

I have used Red Hat professionally since my first job as a System Administrator back in 2010[1]. I started out on Red Hat Enterprise Linux 5, which was a solid OS but a huge pain for development since its packages were outdated. Building and using modern tools on RHEL 5 was not fun.

While I was supporting RHEL 5, RHEL 6 was released. It was a step in the right direction but still lagged behind its main competitor in the server space, Ubuntu 12.04 LTS, in terms of modern Linux features. RHEL 6 still felt behind the times and moving too slowly, too conservatively. Conservatism is an admirable trait in a server operating system, but RHEL always felt conservative to a fault.

Since 2013, all the production servers I have deployed (including the one that runs this site) run CentOS 6. I have been happy with CentOS 6 but it has always felt like a stepping stone release: solid, much newer packages, but still uses an older kernel and upstart with some sysv sprinkled in. I have anxiously awaited the release of RHEL 7 which I knew would further modernize the OS and bring systemd to handle services.

Ironically, when RHEL 7 was released last year, I was overwhelmed by the number of fundamental changes, changes I have been wishing for since my RHEL 5 days[2]. systemd replaced upstart, firewalld now manages the firewall, XFS is the new default filesystem, GRUB 2 is the default bootloader on 64-bit systems, and the tools for doing basic network configuration have changed. I’ve been looking at it seriously the last few days and this is my overview of how to get acclimated to RHEL 7 if you have lots of experience with Red Hat or CentOS.

CentOS Release Naming Scheme

This is CentOS specific, but the version numbering has changed. This threw me off a bit until I found the explanation:

CentOS 7.0-1406 introduces a new numbering scheme that we want to further develop into the life of CentOS-7. The 0 component maps to the upstream release, whose code this release is built from. The 1406 component indicates the monthstamp of the code included in the release (in this case, June 2014).

Managing Services

systemd brings a lot more to the table than just better management of services: it also completely replaces the concept of runlevels and handles reboot and shutdown[3]. A welcome default setting in RHEL 7 is that single user mode now requires the root password[4]. Previous versions defaulted to /sbin/sushell, which gives root access without authentication.

One caveat: to actually protect single user mode you also need to password protect GRUB 2, since anyone at the console can edit a boot entry and have GRUB 2 execute any command, such as /bin/sh. Always password protect both the bootloader and single user mode; with the latter now protected by default, that is one less thing to configure.
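The check I would run here, added as an example that is not from the original post: a script that audits the two protections this paragraph describes, the sulogin call in the single user units from footnote 4 and a GRUB 2 superuser password. The unit file contents, the grub.cfg fragments and the placeholder hash are constructed for the example, and paths are passed as arguments so it runs against those copies.

```shell
# Added example (not from the original post): check that a RHEL 7 host's single
# user targets still require the root password and that GRUB 2 has a superuser
# password, since without both a console user can boot into a root shell.
set -eu

# Constructed stand-ins for the unit files in the post's footnote 4 and for
# /boot/grub2/grub.cfg with a password line added via /etc/grub.d/40_custom.
TMP="$(mktemp -d)"
for u in console-shell rescue emergency; do
    printf '[Service]\nExecStart=-/bin/sh -c "/sbin/sulogin; /bin/systemctl --fail --no-block default"\n' \
        > "$TMP/$u.service"
done
# A unit edited to drop straight into a root shell, the old sushell behaviour.
printf '[Service]\nExecStart=-/sbin/sushell\n' > "$TMP/weak.service"
printf 'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDERHASH\n' \
    > "$TMP/grub.cfg"
printf 'set timeout=5\n' > "$TMP/grub-nopass.cfg"

# 0 if every unit given starts sulogin (root password required), 1 otherwise.
units_require_sulogin() {
    for unit in "$@"; do
        grep -q '^ExecStart=.*sulogin' "$unit" || return 1
    done
}

# 0 if grub.cfg names a superuser and carries a literal pbkdf2 hash for one.
# Assumption: the hash is inline (40_custom); a hash sourced from user.cfg by
# grub2-setpassword on later RHEL 7 releases is not seen by this check.
grub_password_set() {
    grep -q '^[[:space:]]*set superusers=' "$1" &&
    grep -q '^[[:space:]]*password_pbkdf2 [^ ]* grub\.pbkdf2\.' "$1"
}

# Print a summary; exit 0 only when both protections are present.
# Arguments: grub.cfg, then the console-shell, rescue and emergency units.
boot_protection_report() {
    ok=0
    units_require_sulogin "$2" "$3" "$4" && echo "single user mode: sulogin" \
        || { echo "single user mode: UNPROTECTED"; ok=1; }
    grub_password_set "$1" && echo "grub2: superuser password set" \
        || { echo "grub2: NO PASSWORD"; ok=1; }
    return $ok
}

boot_protection_report "$TMP/grub.cfg" "$TMP/console-shell.service" \
    "$TMP/rescue.service" "$TMP/emergency.service"
```

On a real host point the arguments at /boot/grub2/grub.cfg and the units under /usr/lib/systemd/system/.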

While the overview and documentation of systemd are great, here are the things I do most often and how to do them with systemd:

Show all services:

systemctl list-units | grep service

Show all enabled service units:

systemctl list-unit-files -t service | grep enabled

Disable service units:

systemctl disable [unit file name]

Stop/start service units:

systemctl stop [unit file name]
systemctl start [unit file name]
systemctl restart [unit file name]
systemctl reload [unit file name]

Networking

Two major things have changed regarding networking in RHEL 7: interface naming and the removal of some very common tools such as ifconfig and netstat.

Regarding interface names, the ethX scheme is gone in favor of a more consistent naming scheme. The interface names look a bit funny at first, but they are a welcome change once you understand the logic. Also, anyone who has ever written custom udev rules so interfaces are named consistently will love the new system. Interface config files are still stored in /etc/sysconfig/network-scripts and have a familiar syntax. You can change the name of the interface by changing the NAME= parameter in the appropriate configuration file, then restarting the network service (systemctl restart network).

The following commands have been removed in favor of different (not necessarily new) tools to perform the same function: ifconfig, netstat, route. These can be installed by running yum install net-tools, but it’s a good idea to get used to the new tools instead of hanging on to the old ones.

Here is how to perform familiar tasks with the “new” tools:

List interfaces (old ifconfig -a):

ip link show

Disable/enable an interface:

ip link set ens160 down
ip link set ens160 up

Show ip addresses (old ifconfig):

ip addr show

Add address to an interface:

# include the prefix length, otherwise the address is added as a /32
ip addr add 192.168.0.19/24 dev ens160

Show routing table (old route -n or netstat -rn):

ip route show

The global default gateway is stored in /etc/sysconfig/network. Add the following line to create a default gateway:

GATEWAY=192.168.0.1

Show all listening ports (old netstat -an):

ss -ln

There is also a new command for setting the hostname: hostnamectl. The “static” hostname is now stored in /etc/hostname instead of /etc/sysconfig/network. The “transient” hostname is akin to using the hostname command (which still exists). hostnamectl also has settings for use by graphical desktop environments, which I won’t go over.

Show the hostname:

hostnamectl status

Set the transient and static hostname:

hostnamectl set-hostname [fqdn]

Firewall

Probably the biggest change in RHEL 7 is the replacement of the iptables service with firewalld and system-config-firewall with firewall-cmd. It still uses iptables under the hood, but how the rules are stored and how you interact with the firewall are quite different. Plus, firewalld is zone-based, a powerful feature that can be a bit of a hurdle to get over if you . Look at the XML config files in /usr/lib/firewalld to get a better understanding of the defaults.

I’m not going to do a full overview of firewalld here. The official documentation is excellent. This is my short list of commands to get up and running if you’re accustomed to working with iptables and looking at /etc/sysconfig/iptables.

Here are some key concepts to know:

  • An interface must be added to a zone before the firewall rules have any effect.
  • Rules added with --permanent get written to config files in /etc/firewalld and do not take effect until the firewall is reloaded with firewall-cmd --reload. Rules added without --permanent are runtime only: they apply immediately but are lost on reload or reboot, so run a rule both with and without --permanent when it has to persist.
  • To show all the current rules, iptables -vnL is still your friend.
  • There is a rich rules syntax for specifying source and destination address, among other things.

Show firewall status:

firewall-cmd --state
# OR
systemctl status firewalld

Show all zones:

firewall-cmd --get-zones

Show default zone:

firewall-cmd --get-default-zone

Set default zone:

firewall-cmd --set-default-zone [zone]

Add an interface to a zone:

# With no --zone options, adds to the default zone
firewall-cmd --add-interface=ens160

# Specify the --zone option to add to a zone other than the default
firewall-cmd --add-interface=ens160 --zone=home

Show active zones and their interfaces:

firewall-cmd --get-active-zones

Show all settings of a zone, including member interfaces and open ports/services:

firewall-cmd --zone=public --list-all

Only allow access to SSH from a certain subnet (the rich rule alone is not enough on a zone that already enables the ssh service, such as the default public zone, so remove that service first):

firewall-cmd --remove-service=ssh
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 service name=ssh accept'

Only allow access to a range of UDP ports from a certain subnet:

firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 port port=5060-5062 protocol=udp accept'
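As an added example that is not part of the original post, here is the check I would run after applying rich rules like the two above: a script that reads a firewalld zone file in the format used under /usr/lib/firewalld and reports whether ssh is still open to every source or only to the rich-rule sources. The zone XML, the temp paths and the function names are constructed for the example.

```shell
# Added example (not from the original post): audit a firewalld zone file and
# say whether ssh is reachable from every source (a zone-level
# <service name="ssh"/>) or only from rich-rule sources. The "only allow" rich
# rule does not by itself remove the zone's own ssh service.
set -eu

# Constructed zone files: "public" keeps the default ssh service and has the
# post's rich rule added; "restricted" has the zone-level ssh service removed.
TMP="$(mktemp -d)"
cat > "$TMP/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="10.0.0.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
EOF
# Drop only the zone-level ssh service, not the one inside the rich rule.
sed '/<rule/,/<\/rule>/!{/<service name="ssh"\/>/d;}' "$TMP/public.xml" > "$TMP/restricted.xml"

# Services enabled for the whole zone (ignores <service> tags inside <rule>).
zone_services() {
    sed -n '/<rule/,/<\/rule>/d; s/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Source addresses that rich rules accept ssh from, one per line.
ssh_rich_sources() {
    awk '/<rule/ { inrule = 1; src = ""; svc = 0; acc = 0 }
         inrule && /<source address=/ { match($0, /address="[^"]*"/)
                                        src = substr($0, RSTART + 9, RLENGTH - 10) }
         inrule && /<service name="ssh"/ { svc = 1 }
         inrule && /<accept/ { acc = 1 }
         /<\/rule>/ { if (svc && acc && src != "") print src; inrule = 0 }' "$1"
}

# 0 when ssh is open to every source, 1 when only rich-rule sources reach it.
ssh_open_to_all() { zone_services "$1" | grep -qx ssh; }

ssh_exposure() {
    if ssh_open_to_all "$1"; then echo "ssh: open to ALL sources (firewall-cmd --remove-service=ssh)"
    else echo "ssh: limited to $(ssh_rich_sources "$1" | paste -s -d ' ' -)"; fi
}
ssh_exposure "$TMP/public.xml"; ssh_exposure "$TMP/restricted.xml"
```

Point it at /etc/firewalld/zones/public.xml after a --permanent change to confirm what will survive a reload.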

  1. Seems like I’ve been at this longer. A lot has changed in five short years.

  2. Insert “Be careful what you wish for” lesson here.

  3. shutdown, poweroff, and reboot are now symlinks that point to /bin/systemctl.

  4. Look in /lib/systemd/system/ at console-shell.service, emergency.service, and rescue.service. They all call /sbin/sulogin.