Chapter 1. Getting started with system administration

The following sections provide an overview of basic administration tasks on the installed system.

Note

Some of the following basic administration tasks, such as registering the system, are usually performed during the installation process, but they do not have to be. The sections that cover such tasks also summarize how you can achieve the same goals during the installation.

For information on Red Hat Enterprise Linux installation, see Performing a standard RHEL installation.

Although you can perform all post-installation tasks through the command line, you can also use the RHEL 8 web console to perform some of them.

1.1. Configuring system settings in the web console

The following sections guide you on how to configure basic system settings in the web console, and thus be able to:

  • Restart or shut down the system in the web console.
  • Change a system host name.
  • Join the system to a domain.
  • Configure time and time zones.
  • Change a performance profile.

1.1.1. What the RHEL 8 web console is and which tasks it can be used for

The RHEL 8 web console is an interactive server administration interface. It interacts directly with the operating system from a real Linux session in a browser.

The web console enables you to perform these tasks:

  • Monitoring basic system features, such as hardware information, time configuration, performance profiles, connection to the realm domain
  • Inspecting system log files
  • Managing network interfaces and configuring the firewall
  • Handling docker images
  • Managing virtual machines
  • Managing user accounts
  • Monitoring and configuring system services
  • Creating diagnostic reports
  • Setting kernel dump configuration
  • Managing packages
  • Configuring SELinux
  • Updating software
  • Managing system subscriptions
  • Accessing the terminal

For more information on installing and using the RHEL 8 web console, see Managing systems using the RHEL 8 web console.

1.1.2. Using the web console to restart the system

This procedure uses the web console to restart a RHEL system that the web console is attached to.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. Click the Restart button.


  4. If any users are logged into the system, write a reason for the restart in the Restart dialog box.
  5. Optional: In the Delay drop down list, select a time interval.


  6. Click Restart.

1.1.3. Using the web console to shut down the system

This procedure uses the web console to shut down a RHEL system that the web console is attached to.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. In the Restart drop down list, select Shut Down.


  4. If any users are logged in to the system, write a reason for the shutdown in the Shut Down dialog box.
  5. Optional: In the Delay drop down list, select a time interval.
  6. Click Shut Down.

1.1.4. Configuring the host name in the web console

You can use the web console to configure different forms of the host name on the system that the web console is attached to.

1.1.4.1. Host name

The host name identifies the system. By default, the host name is set to localhost, but you can change it.

A host name consists of two parts:

Host name
It is a unique name which identifies a system.
Domain
Add the domain as a suffix behind the host name when using a system in a network and when using names instead of just IP addresses.

A host name with an attached domain name is called a fully qualified domain name (FQDN). For example: mymachine.example.com.

Host names are stored in the /etc/hostname file.

1.1.4.2. Pretty host name in the web console

You can configure a pretty host name in the RHEL web console. The pretty host name is a host name with capital letters, spaces, and so on.

The pretty host name is displayed in the web console, but it does not have to correspond with the host name.

Example 1.1. Host name formats in the web console

Pretty host name
My Machine
Host name
mymachine
Real host name - fully qualified domain name (FQDN)
mymachine.idm.company.com

1.1.4.3. Setting the host name using the web console

This procedure sets the real host name or the pretty host name in the web console.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. Click edit next to the current host name.


  4. In the Change Host Name dialog box, enter the host name in the Pretty Host Name field.
  5. The Real Host Name field attaches a domain name to the pretty name.

    You can change the real host name manually if it does not correspond with the pretty host name.

  6. Click Change.


Verification steps

  1. Log out from the web console.
  2. Reopen the web console by entering an address with the new host name in the address bar of your browser.


1.1.5. Joining a RHEL 8 system to an IdM domain using the web console

This procedure uses the web console to join the Red Hat Enterprise Linux 8 system to the Identity Management (IdM) domain.

Prerequisites

  • The IdM domain is running and reachable from the client you want to join.
  • You have the IdM domain administrator credentials.

Procedure

  1. Log in to the RHEL web console.

    For details, see Logging in to the web console.

  2. Open the System tab.
  3. Click Join Domain.


  4. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
  5. In the Authentication drop down list, select whether you want to use a password or a one-time password for authentication.


  6. In the Domain Administrator Name field, enter the user name of the IdM administration account.
  7. In the password field, add the password or one-time password according to what you selected in the Authentication drop down list earlier.
  8. Click Join.


Verification steps

  1. If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
  2. To verify that the user is a member of the domain, click the Terminal page and type the id command:

    $ id
    euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

1.1.6. Using the web console for configuring time settings

This procedure sets a time zone and synchronizes the system time with a Network Time Protocol (NTP) server.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click the current system time in Overview.


  3. In the Change System Time dialog box, change the time zone if necessary.
  4. In the Set Time drop down menu, select one of the following:

    Manually
    Use this option if you need to set the time manually, without an NTP server.
    Automatically using NTP server
    This is the default option, which synchronizes time automatically with the preset NTP servers.
    Automatically using specific NTP servers
    Use this option only if you need to synchronize the system with a specific NTP server. Specify the DNS name or the IP address of the server.
  5. Click Change.


Verification steps

  • Check the system time displayed in the System tab.

1.1.7. Optimizing the system performance using the web console

In the web console, you can set a performance profile to optimize the performance of the system for a selected task.

1.1.7.1. Performance tuning options in the web console

Red Hat Enterprise Linux 8 provides several performance profiles that optimize the system for the following tasks:

  • Systems using the desktop
  • Throughput performance
  • Latency performance
  • Network performance
  • Low power consumption
  • Virtual machines

The tuned service optimizes system options to match the selected profile.

In the web console, you can set which performance profile your system uses.

Additional resources

1.1.7.2. Setting a performance profile in the web console

This procedure uses the web console to optimize the system performance for a selected task.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. In the Performance Profile field, click the current performance profile.


  4. In the Change Performance Profile dialog box, change the profile if necessary.
  5. Click Change Profile.


Verification steps

  • The Overview tab now shows the selected performance profile.

1.1.8. Disabling SMT to prevent CPU security issues

This section describes how to disable Simultaneous Multithreading (SMT) to protect against attacks that misuse CPU SMT. Disabling SMT can mitigate security vulnerabilities such as L1TF or MDS.

Important

Disabling SMT might lower the system performance.

Prerequisites

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click System.
  3. In the Hardware item, click the hardware information.


  4. In the CPU Security item, click Mitigations.

    If this link is not present, it means that your system does not support SMT, and therefore is not vulnerable.

  5. In the CPU Security Toggles, switch on the Disable simultaneous multithreading (nosmt) option.


  6. Click on the Save and reboot button.

After the system restart, the CPU no longer uses SMT.
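
To confirm the result from a terminal after the reboot, you can read the kernel's sysfs interface directly. The following script is an added example, not part of the original procedure; it assumes the standard `smt/control` and `vulnerabilities/*` files under /sys/devices/system/cpu, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether SMT is off and which CPU vulnerability
# entries still describe themselves as exposed through SMT.
# Assumption: the kernel exposes smt/control and vulnerabilities/* under
# /sys/devices/system/cpu. Function names are hypothetical.

CPU_SYSFS=/sys/devices/system/cpu

# smt_status [DIR] -> prints disabled | enabled | unsupported | unknown
smt_status() {
    smt_dir=${1:-$CPU_SYSFS}
    if [ ! -r "$smt_dir/smt/control" ]; then
        echo unknown                 # kernel without the SMT control file
        return 0
    fi
    case $(cat "$smt_dir/smt/control") in
        off|forceoff)                echo disabled ;;
        on)                          echo enabled ;;
        notsupported|notimplemented) echo unsupported ;;
        *)                           echo unknown ;;
    esac
}

# smt_exposed_vulns [DIR] -> prints one name per line for every entry whose
# status text contains "SMT vulnerable" (for example l1tf or mds)
smt_exposed_vulns() {
    vuln_dir=${1:-$CPU_SYSFS}/vulnerabilities
    for vuln_file in "$vuln_dir"/*; do
        [ -r "$vuln_file" ] || continue
        if grep -q 'SMT vulnerable' "$vuln_file"; then
            echo "${vuln_file##*/}"
        fi
    done
}

# smt_hardened [DIR] -> exit status 0 only if SMT is not in use and no
# vulnerability entry reports SMT exposure
smt_hardened() {
    case $(smt_status "$1") in
        disabled|unsupported) ;;
        *) return 1 ;;
    esac
    [ -z "$(smt_exposed_vulns "$1")" ]
}

# Report for the running system.
echo "SMT state: $(smt_status)"
for name in $(smt_exposed_vulns); do
    echo "still reported as SMT vulnerable: $name"
done
```

A state of `disabled` with no remaining "SMT vulnerable" entries matches the outcome the procedure describes.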

Additional resources

For more details on security attacks that you can prevent by disabling SMT, see:

1.2. Getting started with RHEL System Roles

This section explains what RHEL System Roles are. Additionally, it describes how to apply a particular role through an Ansible playbook to perform various system administration tasks.

1.2.1. Introduction to RHEL System Roles

RHEL System Roles is a collection of Ansible roles and modules. RHEL System Roles provide a configuration interface to remotely manage multiple RHEL systems. The interface enables managing system configurations across multiple versions of RHEL, as well as adopting new major releases.

On Red Hat Enterprise Linux 8, the interface currently consists of the following roles:

  • kdump
  • network
  • selinux
  • storage
  • timesync

All these roles are provided by the rhel-system-roles package available in the AppStream repository.

Additional resources

1.2.2. Applying a role

The following procedure describes how to apply a particular role.

Prerequisites

  • The rhel-system-roles package is installed on the system that you want to use as a control node:

    # yum install rhel-system-roles
  • The Ansible Engine repository is enabled, and the ansible package is installed on the system that you want to use as a control node. You need the ansible package to run playbooks that use RHEL System Roles.

    • If you do not have a Red Hat Ansible Engine Subscription, you can use a limited supported version of Red Hat Ansible Engine provided with your Red Hat Enterprise Linux subscription. In this case, follow these steps:

      1. Enable the RHEL Ansible Engine repository:

        # subscription-manager refresh
        # subscription-manager repos --enable ansible-2-for-rhel-8-x86_64-rpms
      2. Install Ansible Engine:

        # yum install ansible
    • If you have a Red Hat Ansible Engine Subscription, follow the procedure described in How do I Download and Install Red Hat Ansible Engine?.
  • You are able to create an Ansible playbook.

    Playbooks represent Ansible’s configuration, deployment, and orchestration language. By using playbooks, you can declare and manage configurations of remote machines, deploy multiple remote machines or orchestrate steps of any manual ordered process.

    A playbook is a list of one or more plays. Every play can include Ansible variables, tasks, or roles.

    Playbooks are human-readable, and they are expressed in the YAML format.

    For more information about playbooks, see Ansible documentation.

Procedure

  1. Create an Ansible playbook including the required role.

    The following example shows how to use roles through the roles: option for a given play:

    ---
    - hosts: webservers
      roles:
         - rhel-system-roles.network
         - rhel-system-roles.timesync

    For more information on using roles in playbooks, see Ansible documentation.

    See Ansible examples for example playbooks.

    Note

    Every role includes a README file, which documents how to use the role and its supported parameter values. You can also find an example playbook for a particular role under the documentation directory of the role. This documentation directory is provided by default with the rhel-system-roles package, and can be found in the following location:

    /usr/share/doc/rhel-system-roles/SUBSYSTEM/

    Replace SUBSYSTEM with the name of the required role, such as selinux, kdump, network, timesync, or storage.

  2. Execute the playbook on targeted hosts by running the ansible-playbook command:

    # ansible-playbook -i name.of.the.inventory name.of.the.playbook

    An inventory is a list of systems against which Ansible works. For more information on how to create an inventory, and how to work with it, see Ansible documentation.

    If you do not have an inventory, you can create it at the time of running ansible-playbook:

    If you have only one targeted host against which you want to run the playbook, use:

    # ansible-playbook -i host1, name.of.the.playbook

    If you have multiple targeted hosts against which you want to run the playbook, use:

    # ansible-playbook -i host1,host2,....,hostn name.of.the.playbook

Additional resources

  • For more detailed information on using the ansible-playbook command, see the ansible-playbook man page.

1.2.3. Additional resources

1.3. Changing basic environment settings

Configuration of basic environment settings is a part of the installation process. The following sections describe how to change them later. The basic configuration of the environment includes:

  • Date and time
  • System locales
  • Keyboard layout
  • Language

1.3.1. Configuring the date and time

Accurate timekeeping is important for a number of reasons. In Red Hat Enterprise Linux, timekeeping is ensured by the NTP protocol, which is implemented by a daemon running in user space. The user-space daemon updates the system clock running in the kernel. The system clock can keep time by using various clock sources.

Red Hat Enterprise Linux 8 uses the chronyd daemon to implement NTP. chronyd is available from the chrony package. For more information, see Using the chrony suite to configure NTP.

1.3.1.1. Displaying the current date and time

To display the current date and time, use either of these steps.

Procedure

  1. Enter the date command:

    $ date
    Mon Mar 30 16:02:59 CEST 2020
  2. To see more details, use the timedatectl command:

    $ timedatectl
                   Local time: Mon 2020-03-30 16:04:42 CEST
               Universal time: Mon 2020-03-30 14:04:42 UTC
                     RTC time: Mon 2020-03-30 14:04:41
                    Time zone: Europe/Prague (CEST, +0200)
    System clock synchronized: yes
                  NTP service: active
              RTC in local TZ: no

Additional resources

  • For more information, see the date(1) and timedatectl(1) man pages.

1.3.1.2. Additional resources

1.3.2. Configuring the system locale

System-wide locale settings are stored in the /etc/locale.conf file, which is read at early boot by the systemd daemon. Every service or user inherits the locale settings configured in /etc/locale.conf, unless individual programs or individual users override them.

This section describes how to manage system locale.

Procedure

  1. To list available system locale settings:

    $ localectl list-locales
    C.utf8
    aa_DJ
    aa_DJ.iso88591
    aa_DJ.utf8
    ...
  2. To display the current status of the system locales settings:

    $ localectl status
  3. To set or change the default system locale settings, use the localectl set-locale sub-command as the root user. For example:

    # localectl set-locale LANG=en_US.utf8

Additional resources

  • For more information, see the localectl(1), locale(7), and locale.conf(5) man pages.

1.3.3. Configuring the keyboard layout

The keyboard layout settings control the layout used on the text console and graphical user interfaces.

Procedure

  1. To list available keymaps:

    $ localectl list-keymaps
    ANSI-dvorak
    al
    al-plisi
    amiga-de
    amiga-us
    ...
  2. To display the current status of keymaps settings:

    $ localectl status
    ...
    VC Keymap: us
    ...
  3. To set or change the default system keymap, use the localectl set-keymap sub-command as the root user. For example:

    # localectl set-keymap us

Additional resources

  • For more information, see the localectl(1), locale(7), and locale.conf(5) man pages.

1.3.4. Changing the language using desktop GUI

This section describes how to change the system language using the desktop GUI.

Prerequisites

  • Required language packages are installed on your system

Procedure

  1. Open the GNOME Control Center from the System menu by clicking on its icon.


  2. In the GNOME Control Center, choose Region & Language from the left vertical bar.
  3. Click the Language menu.


  4. Select the required region and language from the menu.


    If your region and language are not listed, scroll down, and click More to select from available regions and languages.


  5. Click Done.
  6. Click Restart for changes to take effect.


Note

Some applications do not support certain languages. The text of an application that cannot be translated into the selected language remains in US English.

Additional resources

  • For more information on how to launch the GNOME Control Center, see approaches described in Launching applications.

1.3.5. Additional resources

1.4. Configuring and managing network access

This section describes different options on how to add Ethernet connections in Red Hat Enterprise Linux.

1.4.1. Configuring the network and host name in the graphical installation mode

Follow the steps in this procedure to configure your network and host name.

Procedure

  1. From the Installation Summary window, click Network and Host Name.
  2. From the list in the left-hand pane, select an interface. The details are displayed in the right-hand pane.
  3. Toggle the ON/OFF switch to enable or disable the selected interface.

    Note

    The installation program automatically detects locally accessible interfaces, and you cannot add or remove them manually.

  4. Click + to add a virtual network interface, which can be either: Team, Bond, Bridge, or VLAN.
  5. Click - to remove a virtual interface.
  6. Click Configure to change settings such as IP addresses, DNS servers, or routing configuration for an existing interface (both virtual and physical).
  7. Type a host name for your system in the Host Name field.

    Note
    • There are several types of network device naming standards used to identify network devices with persistent names, for example, em1 and wl3sp0. For information about these standards, see the Configuring and managing networking document.
    • The host name can be either a fully-qualified domain name (FQDN) in the format hostname.domainname, or a short host name with no domain name. Many networks have a Dynamic Host Configuration Protocol (DHCP) service that automatically supplies connected systems with a domain name. To allow the DHCP service to assign the domain name to this machine, specify only the short host name. The value localhost.localdomain means that no specific static host name for the target system is configured, and the actual host name of the installed system is configured during the processing of the network configuration, for example, by NetworkManager using DHCP or DNS.
  8. Click Apply to apply the host name to the environment.

Additional resources and information

  • For details about configuring network settings and the host name when using a Kickstart file, see the corresponding appendix in Performing an advanced RHEL installation.
  • If you install Red Hat Enterprise Linux using the text mode of the Anaconda installation program, use the Network settings option to configure the network.

1.4.2. Adding a static Ethernet connection using nmcli

This procedure describes adding an Ethernet connection with the following settings:

  • A static IPv4 address - 192.0.2.1 with a /24 subnet mask
  • A static IPv6 address - 2001:db8:1::1 with a /64 subnet mask
  • An IPv4 default gateway - 192.0.2.254
  • An IPv6 default gateway - 2001:db8:1::fffe
  • An IPv4 DNS server - 192.0.2.200
  • An IPv6 DNS server - 2001:db8:1::ffbb
  • A DNS search domain - example.com

Procedure

  1. Add a new NetworkManager connection profile for the Ethernet connection:

    # nmcli connection add con-name Example-Connection ifname enp7s0 type ethernet ipv4.addresses 192.0.2.1/24

    The further steps modify the Example-Connection connection profile you created.

  2. Set the IPv6 address:

    # nmcli connection modify Example-Connection ipv6.addresses 2001:db8:1::1/64
  3. Set the IPv4 and IPv6 connection method to manual:

    # nmcli connection modify Example-Connection ipv4.method manual
    # nmcli connection modify Example-Connection ipv6.method manual
  4. Set the IPv4 and IPv6 default gateways:

    # nmcli connection modify Example-Connection ipv4.gateway 192.0.2.254
    # nmcli connection modify Example-Connection ipv6.gateway 2001:db8:1::fffe
  5. Set the IPv4 and IPv6 DNS server addresses:

    # nmcli connection modify Example-Connection ipv4.dns "192.0.2.200"
    # nmcli connection modify Example-Connection ipv6.dns "2001:db8:1::ffbb"

    To set multiple DNS servers, specify them space-separated and enclosed in quotes.

  6. Set the DNS search domain for the IPv4 and IPv6 connection:

    # nmcli connection modify Example-Connection ipv4.dns-search example.com
    # nmcli connection modify Example-Connection ipv6.dns-search example.com
  7. Activate the connection profile:

    # nmcli connection up Example-Connection
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/13)

Verification steps

  1. Display the status of the devices and connections:

    # nmcli device status
    DEVICE      TYPE      STATE      CONNECTION
    enp7s0      ethernet  connected  Example-Connection
  2. To display all settings of the connection profile:

    # nmcli connection show Example-Connection
    connection.id:              Example-Connection
    connection.uuid:            b6cdfa1c-e4ad-46e5-af8b-a75f06b79f76
    connection.stable-id:       --
    connection.type:            802-3-ethernet
    connection.interface-name:  enp7s0
    ...
  3. Use the ping utility to verify that this host can send packets to other hosts.

    • Ping an IP address in the same subnet.

      For IPv4:

      # ping 192.0.2.3

      For IPv6:

      # ping 2001:db8:2::1

      If the command fails, verify the IP and subnet settings.

    • Ping an IP address in a remote subnet.

      For IPv4:

      # ping 198.162.3.1

      For IPv6:

      # ping 2001:db8:2::1
      • If the command fails, ping the default gateway to verify settings.

        For IPv4:

        # ping 192.0.2.254

        For IPv6:

        # ping 2001:db8:1::fffe
  4. Use the host utility to verify that name resolution works. For example:

    # host client.example.com

    If the command returns any error, such as connection timed out or no servers could be reached, verify your DNS settings.
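
A scripted form of verification step 2, as an added example that is not part of the original procedure: it compares a saved profile with the values listed at the start of this section. The function names and the profile.txt file name are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original procedure): compare a NetworkManager
# profile with the values the procedure sets. Function names are hypothetical.
# Input: a file of "property:value" lines, for example from
#   nmcli -t -f ipv4,ipv6 connection show Example-Connection > profile.txt
# Values may carry nmcli's '\:' escaping of colons (as in --get-values
# output); both the escaped and the plain form are accepted.

# Expected values from the procedure, as property=value.
expected_settings() {
    cat <<'EOF'
ipv4.method=manual
ipv4.addresses=192.0.2.1/24
ipv4.gateway=192.0.2.254
ipv4.dns=192.0.2.200
ipv4.dns-search=example.com
ipv6.method=manual
ipv6.addresses=2001:db8:1::1/64
ipv6.gateway=2001:db8:1::fffe
ipv6.dns=2001:db8:1::ffbb
ipv6.dns-search=example.com
EOF
}

# Constructed sample input: the IPv4 DNS server was changed by hand and the
# IPv6 gateway is missing. IPv6 values are written with '\:' escaping.
constructed_sample() {
    cat <<'EOF'
ipv4.method:manual
ipv4.addresses:192.0.2.1/24
ipv4.gateway:192.0.2.254
ipv4.dns:192.0.2.53
ipv4.dns-search:example.com
ipv6.method:manual
ipv6.addresses:2001\:db8\:1\:\:1/64
ipv6.dns:2001\:db8\:1\:\:ffbb
ipv6.dns-search:example.com
EOF
}

# get_value FILE PROPERTY -> prints the value with '\:' unescaped;
# exit status 1 if the property is absent
get_value() {
    awk -v prefix="$2:" '
        index($0, prefix) == 1 {
            value = substr($0, length(prefix) + 1)
            gsub(/\\:/, ":", value)
            print value
            found = 1
            exit
        }
        END { exit !found }
    ' "$1"
}

# check_profile FILE -> prints one MISMATCH line per differing property;
# exit status 0 only if every expected property matches
check_profile() {
    profile_file=$1
    mismatches=0
    while IFS='=' read -r property want; do
        got=$(get_value "$profile_file" "$property") || got='<not set>'
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $property: expected '$want', found '$got'"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$(expected_settings)
EOF
    [ "$mismatches" -eq 0 ]
}

if [ -n "${1:-}" ]; then
    check_profile "$1" && echo "profile matches the procedure"
else
    # No file given: run against the constructed sample.
    demo_file=$(mktemp)
    constructed_sample > "$demo_file"
    check_profile "$demo_file" || echo "constructed sample differs from the procedure"
    rm -f "$demo_file"
fi
```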

Troubleshooting steps

  1. If the connection fails or if the network interface switches between an up and down status:

    • Make sure that the network cable is plugged in to the host and a switch.
    • Check whether the link failure exists only on this host or also on other hosts connected to the same switch the server is connected to.
    • Verify that the network cable and the network interface are working as expected. Perform hardware diagnosis steps and replace defective cables and network interface cards.

Additional resources

  • See the nm-settings(5) man page for more information on connection profile properties and their settings.
  • For further details about the nmcli utility, see the nmcli(1) man page.
  • If the configuration on the disk does not match the configuration on the device, starting or restarting NetworkManager creates an in-memory connection that reflects the configuration of the device. For further details and how to avoid this problem, see NetworkManager duplicates a connection after restart of NetworkManager service.

1.4.3. Adding a connection profile using nmtui

The nmtui application provides a text user interface to NetworkManager. This procedure describes how to add a new connection profile.

Prerequisites

  • The NetworkManager-tui package is installed.

Procedure

  1. Start the NetworkManager text user interface utility:

    # nmtui
  2. Select the Edit a connection menu entry, and press Enter.
  3. Select the Add button, and press Enter.
  4. Select Ethernet, and press Enter.
  5. Fill the fields with the connection details.

  6. Select OK to save the changes.
  7. Select Back to return to the main menu.
  8. Select Activate a connection, and press Enter.
  9. Select the new connection entry, and press Enter to activate the connection.
  10. Select Back to return to the main menu.
  11. Select Quit.

Verification steps

  1. Display the status of the devices and connections:

    # nmcli device status
    DEVICE      TYPE      STATE      CONNECTION
    enp7s0      ethernet  connected  Example-Connection
  2. To display all settings of the connection profile:

    # nmcli connection show Example-Connection
    connection.id:              Example-Connection
    connection.uuid:            b6cdfa1c-e4ad-46e5-af8b-a75f06b79f76
    connection.stable-id:       --
    connection.type:            802-3-ethernet
    connection.interface-name:  enp7s0
    ...

Additional resources

1.4.4. Managing networking in the RHEL 8 web console

In the web console, the Networking menu enables you to:

  • Display currently received and sent packets
  • Display the most important characteristics of available network interfaces
  • Display the content of the networking logs
  • Add various types of network interfaces (bond, team, bridge, VLAN)

Figure 1.1. Managing Networking in the RHEL 8 web console


1.4.5. Managing networking using RHEL System Roles

You can configure the networking connections on multiple target machines using the network role.

The network role allows you to configure the following types of interfaces:

  • Ethernet
  • Bridge
  • Bonded
  • VLAN
  • MacVLAN
  • Infiniband

The required networking connections for each host are provided as a list within the network_connections variable.

Warning

The network role updates or creates all connection profiles on the target system exactly as specified in the network_connections variable. Therefore, the network role removes options from the specified profiles if the options are only present on the system but not in the network_connections variable.

The following example shows how to apply the network role to ensure that an Ethernet connection with the required parameters exists:

Example 1.2. An example playbook applying the network role to set up an Ethernet connection with the required parameters

# SPDX-License-Identifier: BSD-3-Clause
---
- hosts: network-test
  vars:
    network_connections:

      # Create one ethernet profile and activate it.
      # The profile uses automatic IP addressing
      # and is tied to the interface by MAC address.
      - name: prod1
        state: up
        type: ethernet
        autoconnect: yes
        mac: "00:00:5e:00:53:00"
        mtu: 1450

  roles:
    - rhel-system-roles.network

For more information on applying a system role, see What RHEL System Roles are and which tasks they can be used for.

1.4.6. Additional resources

1.5. Registering the system and managing subscriptions

Subscriptions cover products installed on Red Hat Enterprise Linux, including the operating system itself.

You can use a subscription to Red Hat Content Delivery Network to track:

  • Registered systems
  • Products installed on your systems
  • Subscriptions attached to the installed products

1.5.1. Registering the system after the installation

Use the following procedure to register your system if you have not registered it during the installation process already.

Prerequisites

Procedure

  1. Register and automatically subscribe your system in one step:

    # subscription-manager register --username <username> --password <password> --auto-attach
    Registering to: subscription.rhsm.redhat.com:443/subscription
    The system has been registered with ID: 37to907c-ece6-49ea-9174-20b87ajk9ee7
    The registered system name is: client1.idm.example.com
    Installed Product Current Status:
    Product Name: Red Hat Enterprise Linux for x86_64
    Status:       Subscribed

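    If you omit the --username and --password options, the command prompts you to enter your Red Hat Customer Portal user name and password. Entering the password at the prompt keeps it out of the shell history and the process list.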

    If the registration process fails, you can register your system with a specific pool. For guidance on how to do it, proceed with the following steps:

    1. Determine the pool ID of a subscription that you require:

      # subscription-manager list --available

      This command displays all available subscriptions for your Red Hat account. For every subscription, various characteristics are displayed, including the pool ID.

    2. Attach the appropriate subscription to your system by replacing pool_id with the pool ID determined in the previous step:

      # subscription-manager attach --pool=pool_id

Additional resources

1.5.2. Registering subscriptions with credentials in the web console

Use the following steps to register a newly installed Red Hat Enterprise Linux using the RHEL 8 web console.

Prerequisites

  • A valid user account on the Red Hat Customer Portal.

    See the Create a Red Hat Login page.

  • Active subscription for your RHEL system.

Procedure

  1. Type subscription in the search field and press the Enter key.


    Alternatively, you can log in to the RHEL 8 web console. For details, see Logging in to the web console.

  2. In the polkit authentication dialog for privileged tasks, add the password belonging to the user name displayed in the dialog.


  3. Click Authenticate.
  4. In the Subscriptions dialog box, click Register.


  5. Enter your Customer Portal credentials.


  6. Enter the name of your organization.

    If you have more than one account on the Red Hat Customer Portal, you have to add the organization name or organization ID. To get the org ID, go to your Red Hat contact point.

  7. Click the Register button.

At this point, your Red Hat Enterprise Linux 8 system has been successfully registered.

1.5.3. Registering a system using Red Hat account on GNOME

Follow the steps in this procedure to enroll your system with your Red Hat account.

Procedure

  1. Go to the system menu, which is accessible from the top-right screen corner and click the Settings icon.
  2. In the Details → About section, click Register.
  3. Select Registration Server.
  4. If you are not using the Red Hat server, enter the server address in the URL field.
  5. In the Registration Type menu, select Red Hat Account.
  6. Under Registration Details:

    • Enter your Red Hat account user name in the Login field.
    • Enter your Red Hat account password in the Password field.
    • Enter the name of your organization in the Organization field.
  7. Click Register.

1.5.4. Registering a system using an activation key on GNOME

Follow the steps in this procedure to register your system with an activation key. You can get the activation key from your organization administrator.

Prerequisites

  • Activation key or keys.

    See the Activation Keys page for creating new activation keys.

Procedure

  1. Go to the system menu, which is accessible from the top-right screen corner and click the Settings icon.
  2. In the Details → About section, click Register.
  3. Select Registration Server.
  4. Enter the URL of the customized server, if you are not using the Red Hat server.
  5. In the Registration Type menu, select Activation Keys.
  6. Under Registration Details:

    • Enter Activation Keys.

      Separate multiple keys by a comma (,).

    • Enter the name or ID of your organization in the Organization field.
  7. Click Register.

1.6. Making systemd services start at boot time

Systemd is a system and service manager for Linux operating systems that introduces the concept of systemd units.

This section provides information on how to ensure that a service is enabled or disabled at boot time. It also explains how to manage the services through the web console.

1.6.1. Enabling or disabling the services using the CLI

You can determine which services are enabled or disabled at boot time already during the installation process. You can also enable or disable a service on an installed operating system.

This section describes the steps for enabling or disabling those services on an already installed operating system:

Prerequisites

  • You must have root access to the system.

Procedure

  1. To enable a service, use the enable option:

    # systemctl enable service_name

    Replace service_name with the service you want to enable.

    You can also enable and start a service in a single command:

    # systemctl enable --now service_name
  2. To disable a service, use the disable option:

    # systemctl disable service_name

    Replace service_name with the service you want to disable.

Warning

You cannot enable a service that has been previously masked. You have to unmask it first:

# systemctl unmask service_name

1.6.2. Managing services in the RHEL 8 web console

This section describes how you can also enable or disable a service using the web console. You can manage systemd targets, services, sockets, timers, and paths. You can also check the service status, start or stop services, enable or disable them.

Prerequisites

  • You must have root access to the system.

Procedure

  1. Open https://localhost:9090/ in a web browser of your preference.
  2. Log in to the web console with your root credentials on the system.
  3. To display the web console panel, click the Host icon, which is in the upper-left corner of the window.

  4. On the menu, click Services.

    You can manage systemd targets, services, sockets, timers, and paths.

  5. For example, to manage the service NFS client services:

    1. Click Targets.
    2. Select the service NFS client services.
    3. To enable or disable the service, click the Toggle button.
    4. To stop the service, click the button and choose the option 'Stop'.

1.7. Configuring system security

Computer security is the protection of computer systems and their hardware, software, information, and services from theft, damage, disruption, and misdirection. Ensuring computer security is an essential task, in particular in enterprises that process sensitive data and handle business transactions.

This section covers only the basic security features that you can configure after installation of the operating system. For detailed information on securing Red Hat Enterprise Linux, see the Security section in Product Documentation for Red Hat Enterprise Linux 8.

1.7.1. Enhancing system security with a firewall

A firewall is a network security system that monitors and controls incoming and outgoing network traffic according to configured security rules. A firewall typically establishes a barrier between a trusted secure internal network and another outside network.

The firewalld service, which provides a firewall in Red Hat Enterprise Linux, is automatically enabled during installation.

1.7.1.1. Enabling the firewalld service

To enable the firewalld service, follow this procedure.

Procedure

  1. Display the current status of firewalld:

    $ systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
       Active: inactive (dead)
    ...
  2. If firewalld is not enabled and running, switch to the root user, start the firewalld service, and enable it to start automatically after the system restarts:

    # systemctl enable --now firewalld

Verification steps

  1. Check that firewalld is running and enabled:

    $ systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running)
    ...

Additional resources

  • For more information, see the firewalld(1) man page.
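
The decisions made in sections 1.6.1 and 1.7.1.1 can be scripted. The following is an added example, not part of the Red Hat documentation: it reads `systemctl status` output, extracts the enablement and activity states, and prints the command the procedures call for, including the unmask step required for masked units. The function names and the masked sample are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): derive the next
# systemctl action for a unit from the text printed by `systemctl status`.

# Read `systemctl status UNIT` output on stdin and print
# "<enablement> <activity>", for example "disabled inactive".
# Fields that cannot be found are reported as "unknown".
unit_state() {
    awk '
        $1 == "Loaded:" {
            if ($2 == "masked") {
                enabled = "masked"
            } else if (split($0, part, ";") >= 2) {
                # The second ";"-separated field is the enablement state.
                enabled = part[2]
                gsub(/[ \t)]/, "", enabled)
            }
        }
        $1 == "Active:" { active = $2 }
        END {
            if (enabled == "") enabled = "unknown"
            if (active == "") active = "unknown"
            print enabled, active
        }
    '
}

# Print the command to run, given UNIT ENABLEMENT ACTIVITY.
next_step() {
    case "$2/$3" in
        masked/*)        echo "systemctl unmask $1 && systemctl enable --now $1" ;;
        enabled/active)  echo "none" ;;
        enabled/*)       echo "systemctl start $1" ;;
        disabled/active) echo "systemctl enable $1" ;;
        disabled/*)      echo "systemctl enable --now $1" ;;
        *)               echo "review: systemctl status $1" ;;
    esac
}

# Status text on stdin, unit name as $1: print the recommended command.
check_unit() {
    state=$(unit_state)
    next_step "$1" "${state% *}" "${state#* }"
}

# Constructed samples: the first mirrors the output shown in section 1.7.1.1,
# the second is a made-up masked unit.
sample_disabled='● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)'
sample_masked='● firewalld.service
   Loaded: masked (Reason: Unit firewalld.service is masked.)
   Active: inactive (dead)'

printf '%s\n' "$sample_disabled" | check_unit firewalld
printf '%s\n' "$sample_masked"   | check_unit firewalld
# On a live system: systemctl status firewalld | check_unit firewalld
```
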

1.7.1.2. Managing firewall in the RHEL 8 web console

To configure the firewalld service in the web console, navigate to Networking → Firewall.

By default, the firewalld service is enabled.

Procedure

  1. To enable or disable firewalld in the web console, switch the Firewall toggle button.

Note

Additionally, you can define more fine-grained access through the firewall to a service using the Add services… button.

1.7.2. Managing basic SELinux settings

Security-Enhanced Linux (SELinux) is an additional layer of system security that determines which processes can access which files, directories, and ports. These permissions are defined in SELinux policies. A policy is a set of rules that guide the SELinux security engine.

1.7.2.1. SELinux states and modes

SELinux has two possible states:

  • Disabled
  • Enabled

When SELinux is enabled, it runs in one of the following modes:

  • Enforcing
  • Permissive

In enforcing mode, SELinux enforces the loaded policies. SELinux denies access based on SELinux policy rules and enables only the interactions that are explicitly allowed. Enforcing mode is the safest SELinux mode and is the default mode after installation.

In permissive mode, SELinux does not enforce the loaded policies. SELinux does not deny access, but reports actions that break the rules to the /var/log/audit/audit.log log. Permissive mode is the default mode during installation. Permissive mode is also useful in some specific cases, for example when troubleshooting problems.

1.7.2.2. Ensuring the required state of SELinux

By default, SELinux operates in enforcing mode. However, in specific scenarios, you can set SELinux to permissive mode or even disable it.

Important

Red Hat recommends keeping your system in enforcing mode. For debugging purposes, you can set SELinux to permissive mode.

Follow this procedure to change the state and mode of SELinux on your system.

Procedure

  1. Display the current SELinux mode:

    $ getenforce
  2. To temporarily set SELinux:

    1. To Enforcing mode:

      # setenforce Enforcing
    2. To Permissive mode:

      # setenforce Permissive
      Note

      After reboot, SELinux mode is set to the value specified in the /etc/selinux/config configuration file.

  3. To set SELinux mode to persist across reboots, modify the SELINUX variable in the /etc/selinux/config configuration file.

    For example, to switch SELinux to enforcing mode:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    ...
    Warning

    Disabling SELinux reduces your system security. Avoid disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file because this can result in memory leaks and race conditions causing kernel panics. Instead, disable SELinux by adding the selinux=0 parameter to the kernel command line as described in Changing SELinux modes at boot time.
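
Because setenforce changes only the running mode while /etc/selinux/config decides the mode after reboot, the two can disagree. The following added example, which is not part of the Red Hat documentation, compares them and flags the SELINUX=disabled setting the warning above advises against. The function names, the result labels, and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): compare the persistent
# SELinux setting with the runtime mode reported by getenforce.

# Print the lower-cased value of SELINUX= from the given config file.
# Comment lines and SELINUXTYPE= are skipped. If the variable is assigned
# more than once, the last assignment is reported (an assumption of this
# example). Returns non-zero when no SELINUX= line is found.
selinux_config_mode() {
    awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1
            gsub(/[ \t]/, "", key)
            if (key == "SELINUX") {
                mode = tolower($2)
                gsub(/[ \t\r]/, "", mode)
            }
        }
        END {
            if (mode == "") exit 1
            print mode
        }
    ' "$1"
}

# Classify CONFIG_MODE against RUNTIME_MODE (the word printed by getenforce).
#   ok                       enforcing now and after reboot
#   permissive-until-reboot  setenforce Permissive was used; reboot restores enforcing
#   permissive-after-reboot  the config file itself selects permissive mode
#   disabled-in-config       SELINUX=disabled is set in the config file
#   disabled-at-boot         config says enforcing, but SELinux is off at runtime
#                            (for example, selinux=0 on the kernel command line)
selinux_assess() {
    runtime=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$1/$runtime" in
        disabled/*)           echo "disabled-in-config" ;;
        permissive/*)         echo "permissive-after-reboot" ;;
        enforcing/enforcing)  echo "ok" ;;
        enforcing/permissive) echo "permissive-until-reboot" ;;
        enforcing/disabled)   echo "disabled-at-boot" ;;
        *)                    echo "unknown" ;;
    esac
}

# Constructed sample of /etc/selinux/config.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
# This file controls the state of SELinux on the system.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

configured=$(selinux_config_mode "$demo_config")
selinux_assess "$configured" Permissive
rm -f "$demo_config"

# On a live system:
#   selinux_assess "$(selinux_config_mode /etc/selinux/config)" "$(getenforce)"
```
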

1.7.2.3. Switching SELinux modes in the RHEL 8 web console

You can set SELinux mode through the RHEL 8 web console in the SELinux menu item.

By default, SELinux enforcing policy in the web console is on, and SELinux operates in enforcing mode. By turning it off, you switch SELinux to permissive mode. Note that this selection is automatically reverted on the next boot to the configuration defined in the /etc/sysconfig/selinux file.

Procedure

  1. In the web console, use the Enforce policy toggle button in the SELinux menu item to turn SELinux enforcing policy on or off.

1.8. Getting started with managing user accounts

Red Hat Enterprise Linux is a multi-user operating system, which enables multiple users on different computers to access a single system installed on one machine.

Every user operates under its own account, and managing user accounts thus represents a core element of Red Hat Enterprise Linux system administration.

1.8.1. Overview of user accounts and groups

This section provides an overview of user accounts and groups. The following are the different types of user accounts:

  • Normal user accounts:

    Normal accounts are created for users of a particular system. Such accounts can be added, removed, and modified during normal system administration.

  • System user accounts

    System user accounts represent a particular application's identifier on a system. Such accounts are generally added or manipulated only at software installation time, and they are not modified later.

    Warning

    System accounts are presumed to be available locally on a system. If these accounts are configured and provided remotely, such as in the instance of an LDAP configuration, system breakage and service start failures can occur.

    For system accounts, user IDs below 1000 are reserved. For normal accounts, you can use IDs starting at 1000. However, the recommended practice is to assign IDs starting at 5000.

  • Group

    A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.
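
The UID ranges given above can be checked against existing accounts. The following added example, which is not part of the Red Hat documentation, classifies passwd-format entries by those ranges and finds the lowest free UID at or above the recommended start of 5000. The function names, class labels, sample accounts, and the new.user name are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): apply the UID ranges
# described above to passwd-format data.

# Print "<name> <uid> <class>" for every account in a passwd-format file.
#   system      UID below 1000 (reserved for system accounts)
#   normal-low  UID 1000-4999 (valid, but below the recommended start of 5000)
#   normal      UID 5000 and above
# UID 65534 (the "nobody" account on RHEL 8) is reported as system; that
# exception is knowledge added by this example, not stated on the page.
classify_accounts() {
    awk -F: '
        NF < 3 { next }
        $3 !~ /^[0-9]+$/ { print $1, $3, "invalid-uid"; next }
        {
            uid = $3 + 0
            if (uid < 1000 || uid == 65534) class = "system"
            else if (uid < 5000)            class = "normal-low"
            else                            class = "normal"
            print $1, uid, class
        }
    ' "$1"
}

# Print the lowest unused UID at or above 5000, for use with `useradd -u`.
next_recommended_uid() {
    awk -F: '
        $3 ~ /^[0-9]+$/ { used[$3 + 0] = 1 }
        END {
            uid = 5000
            while ((uid in used) || uid == 65534) uid++
            print uid
        }
    ' "$1"
}

# Constructed sample in /etc/passwd format.
sample_passwd=$(mktemp)
trap 'rm -f "$sample_passwd"' EXIT
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chrony:x:992:988::/var/lib/chrony:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
example.user:x:1000:1000::/home/example.user:/bin/bash
backup.admin:x:5000:5000::/home/backup.admin:/bin/bash
EOF

classify_accounts "$sample_passwd"
echo "useradd -u $(next_recommended_uid "$sample_passwd") new.user"
# On a live system, pass /etc/passwd instead of the sample file.
```
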

1.8.2. Managing accounts and groups using command-line tools

This section describes basic command-line tools to manage user accounts and groups.

  • To display user and group IDs:

    $ id
    uid=1000(example.user) gid=1000(example.user) groups=1000(example.user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  • To create a new user account:

    # useradd example.user
  • To assign a new password to a user account belonging to example.user:

    # passwd example.user
  • To add a user to a group:

    # usermod -a -G example.group example.user

Additional resources

  • The useradd(8), passwd(1), and usermod(8) man pages.

1.8.3. System user accounts managed in the web console

With user accounts displayed in the RHEL web console, you can:

  • Authenticate users when accessing the system.
  • Set their access rights to the system.

The RHEL web console displays all user accounts located in the system. Therefore, you can see at least one user account just after the first login to the web console.

After logging into the RHEL web console, you can perform the following operations:

  • Create new user accounts.
  • Change their parameters.
  • Lock accounts.
  • Terminate user sessions.

1.8.4. Adding new accounts using the web console

Use the following steps for adding user accounts to the system and setting administration rights to the accounts through the RHEL web console.

Procedure

  1. Log in to the RHEL web console.
  2. Click Accounts.
  3. Click Create New Account.

  4. In the Full Name field, enter the full name of the user.

    The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.

  5. In the Password/Confirm fields, enter the password and retype it to verify that it is correct. The color bar below the fields shows the security level of the entered password; the web console does not allow you to create a user with a weak password.

  6. Click Create to save the settings and close the dialog box.
  7. Select the newly created account.
  8. Select Server Administrator in the Roles item.

Now you can see the new account in the Accounts settings and you can use the credentials to connect to the system.

1.9. Dumping a crashed kernel for later analysis

To analyze why a system crashed, you can use the kdump service to save the contents of the system’s memory for later analysis.

This section provides a brief introduction to kdump, and information about configuring kdump using the RHEL web console or using the corresponding RHEL system role.

1.9.1. What is kdump

kdump is a service providing a crash dumping mechanism. The service enables you to save the contents of the system’s memory for later analysis. kdump uses the kexec system call to boot into the second kernel (a capture kernel) without rebooting, and then captures the contents of the crashed kernel’s memory (a crash dump or a vmcore) and saves it. The second kernel resides in a reserved part of the system memory.

Important

A kernel crash dump can be the only information available in the event of a system failure (a critical bug). Therefore, ensuring that kdump is operational is important in mission-critical environments. Red Hat advises that system administrators regularly update and test kexec-tools in their normal kernel update cycle. This is especially important when new kernel features are implemented.

1.9.2. Configuring kdump memory usage and target location in web console

The procedure below shows you how to use the Kernel Dump tab in the Red Hat Enterprise Linux web console interface to configure the amount of memory that is reserved for the kdump kernel. The procedure also describes how to specify the target location of the vmcore dump file and how to test your configuration.

Procedure

  1. Open the Kernel Dump tab and start the kdump service.
  2. Configure the kdump memory usage through the command line.
  3. Click the link next to the Crash dump location option.

  4. Select the Local Filesystem option from the drop-down and specify the directory you want to save the dump in.

    • Alternatively, select the Remote over SSH option from the drop-down to send the vmcore to a remote machine using the SSH protocol.

      Fill the Server, ssh key, and Directory fields with the remote machine address, ssh key location, and a target directory.

    • Another choice is to select the Remote over NFS option from the drop-down and fill the Mount field to send the vmcore to a remote machine using the NFS protocol.

      Note

      Tick the Compression check box to reduce the size of the vmcore file.

  5. Test your configuration by crashing the kernel.

    Warning

    This step disrupts execution of the kernel and results in a system crash and loss of data.

1.9.3. Configuring kdump using RHEL System Roles

RHEL System Roles is a collection of Ansible roles and modules that provide a consistent configuration interface to remotely manage multiple RHEL systems. The kdump role enables you to set basic kernel dump parameters on multiple systems.

Warning

The kdump role replaces the kdump configuration of the managed hosts entirely by replacing the /etc/kdump.conf file. Additionally, if the kdump role is applied, all previous kdump settings are also replaced, even if they are not specified by the role variables, by replacing the /etc/sysconfig/kdump file.

The following example playbook shows how to apply the kdump system role to set the location of the crash dump files:

---
- hosts: kdump-test
  vars:
    kdump_path: /var/crash
  roles:
    - rhel-system-roles.kdump

1.10. Recovering and restoring a system

To recover and restore a system using an existing backup, Red Hat Enterprise Linux provides the Relax-and-Recover (ReaR) utility.

You can use the utility as a disaster recovery solution and also for system migration.

The utility enables you to perform the following tasks:

  • Produce a bootable image and restore the system from an existing backup, using the image.
  • Replicate the original storage layout.
  • Restore user and system files.
  • Restore the system to different hardware.

Additionally, for disaster recovery, you can also integrate certain backup software with ReaR.

Setting up ReaR involves the following high-level steps:

  1. Install ReaR.
  2. Create rescue system.
  3. Modify ReaR configuration file, to add backup method details.
  4. Generate backup files.

1.10.1. Setting up ReaR

Use the following steps to install the packages for using the Relax-and-Recover (ReaR) utility, create a rescue system, configure and generate a backup.

Prerequisites

  • Necessary configurations as per the backup restore plan are ready.

    Note that you can use the NETFS backup method, a fully-integrated and built-in method with ReaR.

Procedure

  1. Install ReaR, the genisoimage pre-mastering program, and the syslinux package providing a suite of boot loaders:

    # yum install rear genisoimage syslinux
  2. Create a rescue system:

    # rear mkrescue
  3. Modify the ReaR configuration file in an editor of your choice, for example:

    # vi /etc/rear/local.conf
  4. Add the backup setting details to /etc/rear/local.conf. For example, in the case of the NETFS backup method, add the following lines:

    BACKUP=NETFS
    BACKUP_URL=backup.location

    Replace backup.location with the URL of your backup location.

  5. To configure ReaR to keep the previous backup archives when the new ones are created, also add the following line to the configuration file:

    NETFS_KEEP_OLD_BACKUP_COPY=y
  6. To make the backups incremental, meaning that only the changed files are backed up on each run, add the following line:

    BACKUP_TYPE=incremental
  7. Take a backup as per the restore plan.

1.11. Troubleshooting problems using log files

Log files contain messages about the system, including the kernel, services, and applications running on it. These contain information that helps troubleshoot issues or monitor system functions. The logging system in Red Hat Enterprise Linux is based on the built-in syslog protocol. Particular programs use this system to record events and organize them into log files, which are useful when auditing the operating system and troubleshooting various problems.

1.11.1. Services handling syslog messages

The following two services handle syslog messages:

  • The systemd-journald daemon
  • The Rsyslog service

The systemd-journald daemon collects messages from various sources and forwards them to Rsyslog for further processing. The systemd-journald daemon collects messages from the following sources:

  • Kernel
  • Early stages of the boot process
  • Standard and error output of daemons as they start up and run
  • Syslog

The Rsyslog service sorts the syslog messages by type and priority and writes them to the files in the /var/log directory. The /var/log directory persistently stores the log messages.

1.11.2. Subdirectories storing syslog messages

The following subdirectories under the /var/log directory store syslog messages.

  • /var/log/messages - all syslog messages except the following
  • /var/log/secure - security and authentication-related messages and errors
  • /var/log/maillog - mail server-related messages and errors
  • /var/log/cron - log files related to periodically executed tasks
  • /var/log/boot.log - log files related to system startup

1.11.3. Inspecting log files using the web console

Follow the steps in this procedure to inspect the log files using the web console.

Procedure

  1. Log into the Red Hat Enterprise Linux 8 web console.

    For details, see Logging in to the web console.

  2. Click Logs.

Figure 1.2. Inspecting the log files in the RHEL 8 web console

1.11.4. Viewing logs using the command line

The Journal is a component of systemd that helps to view and manage log files. It addresses problems connected with traditional logging, is closely integrated with the rest of the system, and supports various logging technologies and access management for the log files.

You can use the journalctl command to view messages in the system journal using the command line, for example:

$ journalctl -b | grep kvm
May 15 11:31:41 localhost.localdomain kernel: kvm-clock: Using msrs 4b564d01 and 4b564d00
May 15 11:31:41 localhost.localdomain kernel: kvm-clock: cpu 0, msr 76401001, primary cpu clock
...

Table 1.1. Viewing system information

| Command | Description |
|---|---|
| journalctl | Shows all collected journal entries. |
| journalctl FILEPATH | Shows logs related to a specific file. For example, the journalctl /dev/sda command displays logs related to the /dev/sda file system. |
| journalctl -b | Shows logs for the current boot. |
| journalctl -k -b -1 | Shows kernel logs for the current boot. |

Table 1.2. Viewing information on specific services

| Command | Description |
|---|---|
| journalctl -b _SYSTEMD_UNIT=foo | Filters log to see ones matching the "foo" systemd service. |
| journalctl -b _SYSTEMD_UNIT=foo _PID=number | Combines matches. For example, this command shows logs for systemd-units that match foo and the PID number. |
| journalctl -b _SYSTEMD_UNIT=foo _PID=number + _SYSTEMD_UNIT=foo1 | The separator “+” combines two expressions in a logical OR. For example, this command shows all messages from the foo service process with the PID plus all messages from the foo1 service (from any of its processes). |
| journalctl -b _SYSTEMD_UNIT=foo _SYSTEMD_UNIT=foo1 | This command shows all entries matching either expression, referring to the same field. Here, this command shows logs matching a systemd-unit foo or a systemd-unit foo1. |

Table 1.3. Viewing logs related to specific boots

| Command | Description |
|---|---|
| journalctl --list-boots | Shows a tabular list of boot numbers, their IDs, and the timestamps of the first and last message pertaining to the boot. You can use the ID in the next command to view detailed information. |
| journalctl --boot=ID _SYSTEMD_UNIT=foo | Shows information about the specified boot ID. |

1.12. Accessing the Red Hat support

This section describes how to effectively troubleshoot your problems using Red Hat support and sosreport.

To obtain support from Red Hat, use the Red Hat Customer Portal, which provides access to everything available with your subscription.

1.12.1. Obtaining Red Hat Support through Red Hat Customer Portal

The following section describes how to use the Red Hat Customer Portal to get help.

Prerequisites

  • A valid user account on the Red Hat Customer Portal. See Create a Red Hat Login.
  • An active subscription for the RHEL system.

Procedure

  1. Access Red Hat support:

    1. Open a new support case.
    2. Initiate a live chat with a Red Hat expert.
    3. Contact a Red Hat expert by making a call or sending an email.

1.12.2. Troubleshooting problems using sosreport

The sosreport command collects configuration details, system information and diagnostic information from a Red Hat Enterprise Linux system.

The following section describes how to use the sosreport command to produce reports for your support cases.

Prerequisites

  • A valid user account on the Red Hat Customer Portal. See Create a Red Hat Login.
  • An active subscription for the RHEL system.
  • A support-case number.

Procedure

  1. Install the sos package:

    # yum install sos
    Note

    The default minimal installation of Red Hat Enterprise Linux does not include the sos package, which provides the sosreport command.

  2. Generate a report:

    # sosreport
  3. Attach the report to your support case.

    See the How can I attach a file to a Red Hat support case? Red Hat Knowledgebase article for more information.

    Note that when attaching the report, you are prompted to enter the number of the relevant support case.
