Chapter 1. Getting started with system administration

The following sections provide an overview of basic administration tasks on the installed system.

Note

Such tasks may include items that are usually done during the installation process but do not have to be, such as registering the system. The sections dealing with such tasks provide a brief summary of how to achieve this during the installation and links to related documentation.

For information on Red Hat Enterprise Linux installation, see Performing a standard RHEL installation.

Although you can perform all post-installation tasks through the command line, you can also use the RHEL 8 web console to perform some of them.

1.1. Configuring system settings in the web console

In this chapter, you will learn how to configure basic system settings in the web console and thus be able to:

  • Restart or shut down the system in the web console.
  • Change a system host name.
  • Join the system to a domain.
  • Configure time and time zones.
  • Change a performance profile.

1.1.1. What the RHEL 8 web console is and which tasks it can be used for

The RHEL 8 web console is an interactive server administration interface. It interacts directly with the operating system from a real Linux session in a browser.

The web console enables you to perform these tasks:

  • Monitoring basic system features, such as hardware information, time configuration, performance profiles, connection to the realm domain
  • Inspecting system log files
  • Managing network interfaces and configuring firewall
  • Handling docker images
  • Managing virtual machines
  • Managing user accounts
  • Monitoring and configuring system services
  • Creating diagnostic reports
  • Setting kernel dump configuration
  • Managing packages
  • Configuring SELinux
  • Updating software
  • Managing system subscriptions
  • Accessing the terminal

For more information on installing and using the RHEL 8 web console, see Managing systems using the RHEL 8 web console.

1.1.2. Using the web console to restart the system

The following procedure describes system restart executed in the web console.

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. Click the Restart button.
  4. If there are users logged into the system, write a reason for the restart in the Restart dialog box.
  5. In the Delay drop down list, select a time interval.

  6. Click Restart.

The system will restart according to your set parameters.

1.1.3. Using the web console to shut down the system

The following procedure describes system shutdown executed in the web console.

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. In the Restart drop down list, select Shut Down.

  4. If there are users logged in to the system, write a reason for the shutdown in the Shut Down dialog box.
  5. In the Delay drop down list, select a time interval.
  6. Click Shut Down.

The system will be turned off according to your selection.

1.1.4. Using the web console for setting a host name

The host name identifies the system. By default, the host name is set to localhost, but you can change it.

Host names consist of two parts:

  • Host name — It is a unique name which identifies a system.
  • Domain — If you want to use the machine in the network and use names instead of just IP addresses, you need to add the domain as a suffix behind the host name. For example: mymachine.example.com

You can also configure a pretty host name in the RHEL web console. The pretty host name allows you to enter a host name with capital letters, spaces, and so on. The pretty host name displays in the web console, but it does not have to correspond with the host name.

Example:

Pretty host name: My Machine

Host name: mymachine

Real host name (Fully qualified domain name): mymachine.idm.company.com

Host names are stored in the /etc/hostname file. However, you can set or change the host name in the web console.

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. Click edit next to the current host name.

  4. In the Change Host Name dialog box, enter the host name in the Pretty Host Name field.
  5. In the Real Host Name field, the pretty name will be compounded with a domain name.

    You can change the host name manually if it does not correspond with the pretty host name.

  6. Click Change.

Verification steps

  1. Log out from the web console.
  2. Reopen the web console by entering an address with the new host name in the address bar of your browser.

1.1.5. Joining the RHEL 8 system to the IdM domain using the web console

The following procedure describes joining the RHEL 8 system to the IdM domain.

Prerequisites

  • IdM domain running and reachable from the client you want to join.
  • IdM domain administrator credentials.

Procedure

  1. Log in to the RHEL web console.

    For details, see Logging in to the web console.

  2. Open the System tab.
  3. Click Join Domain.

  4. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
  5. In the Authentication drop down list, select whether you want to use a password or a one-time password for authentication.
  6. In the Domain Administrator Name field, enter the user name of the IdM administration account.
  7. In the password field, enter the password or one-time password, according to what you selected in the Authentication drop down list above.
  8. Click Join.

If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.

Warning

If you click the joined domain in the System screen, the system displays a warning dialog with information about leaving the domain. If you click Leave, the system will leave the domain.

1.1.6. Using the web console for configuring time settings

This section shows you how to set:

  • The correct time zone
  • Automatic time settings provided by an NTP server.
  • A specific NTP server.

Prerequisites

  • The web console must be installed and accessible.

    For details, see Installing the web console: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/getting-started-with-the-rhel-8-web-console_system-management-using-the-rhel-8-web-console#installing-the-web-console_getting-started-with-the-rhel-8-web-console

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click the current system time in Overview.

  3. In the Change System Time dialog box, change the time zone if necessary.
  4. In the Set Time drop down menu, select one option from:

    1. Manually
    2. Automatically using NTP server — This is a default option. If the time of the system is correct, leave it as it is.
    3. Automatically using specific NTP servers — Use this option only if you need to synchronize the system with a specific NTP server and add the DNS name or IP address of the server.
  5. Click Change.

The change is now available in the Overview tab.

1.1.7. Using the web console for selecting performance profiles

Red Hat Enterprise Linux 8 includes performance profiles optimizing:

  • Systems using Desktop
  • Latency performance
  • Network performance
  • Low power consumption
  • Virtual machines

The following procedure describes setting up performance profiles in the web console.

The RHEL 8 web console configures the tuned service.

For details about the tuned service, see Monitoring and managing system status and performance.

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click Overview.
  3. In the Performance Profile field, click the current performance profile.

  4. In the Change Performance Profile dialog box, change the profile if necessary.
  5. Click Change Profile.

The change is now available in the Overview tab.

1.1.8. Disabling SMT to prevent CPU security issues

This section helps you to disable Simultaneous Multi Threading (SMT) in case of attacks that misuse CPU SMT. Disabling SMT can mitigate security vulnerabilities, such as L1TF or MDS.

Important

Disabling SMT might lower the system performance.

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Click System.
  3. In the Hardware item, click the hardware information.

  4. In the CPU Security item, click Mitigations.

    If this link is not present, it means that your system does not support SMT, and therefore is not vulnerable.

  5. In the CPU Security Toggles, switch on the Disable simultaneous multithreading (nosmt) option.

  6. Click on the Save and reboot button.

After the system restart, the CPU no longer uses SMT.
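
A command-line check of the result of the procedure above, added here as an example and not part of the Red Hat documentation: it reads the kernel's SMT state, the nosmt boot option, and the L1TF and MDS status from sysfs. The SYSFS_CPU and CMDLINE_FILE overrides, the function names, and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm from the command line that SMT is off after the reboot.
# SYSFS_CPU and CMDLINE_FILE are overrides introduced for this example so the
# functions can also be pointed at a constructed directory tree.
SYSFS_CPU="${SYSFS_CPU:-/sys/devices/system/cpu}"
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"

# Print the kernel's SMT control state: on, off, forceoff, notsupported,
# notimplemented, or "unknown" when the file is missing.
smt_control() {
    if [ -r "$SYSFS_CPU/smt/control" ]; then
        cat "$SYSFS_CPU/smt/control"
    else
        echo unknown
    fi
}

# Succeed when sibling threads are currently online (smt/active reads 1).
smt_is_active() {
    [ -r "$SYSFS_CPU/smt/active" ] && [ "$(cat "$SYSFS_CPU/smt/active")" = "1" ]
}

# Succeed when the running kernel was booted with nosmt or nosmt=force.
booted_with_nosmt() {
    [ -r "$CMDLINE_FILE" ] || return 1
    tr ' ' '\n' < "$CMDLINE_FILE" | grep -Eq '^nosmt(=force)?$'
}

# Print the kernel's own assessment for one issue, for example l1tf or mds.
vuln_status() {
    if [ -r "$SYSFS_CPU/vulnerabilities/$1" ]; then
        cat "$SYSFS_CPU/vulnerabilities/$1"
    else
        echo "not reported by this kernel"
    fi
}

# Print a report. Return 0 when SMT is confirmed off, 1 when sibling threads
# are active, 2 when the state cannot be confirmed.
smt_report() {
    ctl=$(smt_control)
    echo "smt/control: $ctl"
    if booted_with_nosmt; then
        echo "boot option: nosmt present"
    else
        echo "boot option: nosmt absent"
    fi
    for v in l1tf mds; do
        echo "$v: $(vuln_status "$v")"
    done
    if smt_is_active; then
        echo "RESULT: SMT is active"
        return 1
    fi
    case "$ctl" in
        off|forceoff|notsupported) echo "RESULT: SMT is not in use"; return 0 ;;
        *) echo "RESULT: SMT state could not be confirmed"; return 2 ;;
    esac
}

# Build a constructed sysfs-like tree for offline runs (sample values, not
# captured from a real host). $1 = directory, $2 = control state, $3 = active flag.
make_sample_tree() {
    mkdir -p "$1/smt" "$1/vulnerabilities"
    echo "$2" > "$1/smt/control"
    echo "$3" > "$1/smt/active"
    if [ "$3" = "1" ]; then s="SMT vulnerable"; else s="SMT disabled"; fi
    echo "Mitigation: PTE Inversion; VMX: conditional cache flushes, $s" > "$1/vulnerabilities/l1tf"
    echo "Mitigation: Clear CPU buffers; $s" > "$1/vulnerabilities/mds"
}

# Report on the live host when the script is run directly.
smt_report || echo "SMT is not confirmed off; see the report above" >&2
```

A control state of notsupported corresponds to the case in step 4 where the Mitigations link is absent.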

Additional resources

For more details on security attacks that you can prevent by disabling SMT, see:

1.2. What RHEL System Roles are and which tasks they can be used for

1.2.1. Introduction to RHEL System Roles

Red Hat Enterprise Linux System Roles is a collection of Ansible roles and modules that provide a configuration interface to remotely manage multiple RHEL systems. The interface enables managing system configurations across multiple versions of RHEL, as well as adopting new major releases.

Red Hat Enterprise Linux System Roles were introduced with Red Hat Enterprise Linux 7.4. For more information, see the Red Hat Enterprise Linux (RHEL) System Roles Red Hat KnowledgeBase article.

On Red Hat Enterprise Linux 8, the interface currently consists of the following roles:

  • selinux
  • kdump
  • network
  • timesync
  • storage

All these roles are provided by the rhel-system-roles package available in the AppStream repository.

1.2.2. Applying a role

To apply a particular role, you need to fulfill the following prerequisites.

Prerequisites

  • The rhel-system-roles package has been installed on the system that you want to use as a control node:

    # yum install rhel-system-roles
  • The Ansible Engine repository has been enabled, and the ansible package has been installed on the system that you want to use as a control node. The ansible package is needed to run playbooks that use Red Hat Enterprise Linux System Roles.

    If you do not have a Red Hat Ansible Engine Subscription, you can use a limited supported version of Red Hat Ansible Engine provided with your Red Hat Enterprise Linux subscription. In this case, follow these steps:

    • Enable the RHEL Ansible Engine repository:

      # subscription-manager refresh
      # subscription-manager repos --enable ansible-2-for-rhel-8-x86_64-rpms
    • Install Ansible Engine:

      # yum install ansible

      If you have a Red Hat Ansible Engine Subscription, follow the procedure described in How do I Download and Install Red Hat Ansible Engine?.

  • You are able to create an Ansible playbook.

    Playbooks represent Ansible’s configuration, deployment, and orchestration language. By using playbooks, you can declare and manage configurations of remote machines, deploy multiple remote machines or orchestrate steps of any manual ordered process.

    A playbook is a list of one or more plays. Every play can include Ansible variables, tasks or roles.

    Playbooks are human-readable, and they are expressed in the YAML format.

    For more information about playbooks, see Ansible documentation.

To apply a particular role, use the following procedure.

Procedure

  1. Create an Ansible playbook including the required role.

    The classic way to use roles is via the roles: option for a given play, as shown in the example below:

    ---
    - hosts: webservers
      roles:
         - rhel-system-roles.network
         - rhel-system-roles.timesync

    For more information on using roles in playbooks, see Ansible documentation.

    See Ansible examples for example playbooks.

    Note

    Every role includes a README file, which documents how to use the role and supported parameter values. You can also find an example playbook for a particular role under the documentation directory of the role. Such documentation directory is provided by default with the rhel-system-roles package, and can be found in the following location:

    /usr/share/doc/rhel-system-roles-<version>/SUBSYSTEM/

    where SUBSYSTEM is the name of the subsystem that the individual role manages: selinux, kdump, network, or timesync.

  2. Execute the playbook on targeted hosts by running the ansible-playbook command:

    ansible-playbook -i <name of the inventory> <name of the playbook>

    An inventory is a list of systems against which Ansible works. For more information on how to create an inventory, and how to work with it, see Ansible documentation.

    If you have not created an inventory in advance, you can do so even at the time of running ansible-playbook:

    For cases with only one targeted host against which you want to run the playbook, use:

    ansible-playbook -i host1, <name of the playbook>

    For cases with multiple targeted hosts against which you want to run the playbook, use:

    ansible-playbook -i host1,host2,...,hostn <name of the playbook>

    For more detailed information on using the ansible-playbook command, see the ansible-playbook man page.

1.3. Basic configuration of environment

Basic configuration of environment includes:

  • Date and time
  • System locales
  • Keyboard layout
  • Language

1.3.1. Configuring the date and time

Accurate timekeeping is important for a number of reasons. In Red Hat Enterprise Linux, timekeeping is ensured by the NTP protocol, which is implemented by a daemon running in user space. The user space daemon updates the system clock running in the kernel. The system clock can keep time by using various clock sources.

Red Hat Enterprise Linux 8 uses the chronyd daemon to implement NTP. chronyd is available from the chrony package. For more information, see Using the chrony suite to configure NTP.

1.3.1.1. Displaying the current date and time

To display the current date and time, use either of these procedures.

Procedure

  • Run the date command:

    $ date

Procedure

  • Run the timedatectl command:

    $ timedatectl

Note

The timedatectl command provides more verbose output, including universal time, currently used time zone, the status of the Network Time Protocol (NTP) configuration, and some additional information.

1.3.1.2. Additional resources

1.3.2. Configuring the system locale

System-wide locale settings are stored in the /etc/locale.conf file, which is read at early boot by the systemd daemon. The locale settings configured in /etc/locale.conf are inherited by every service or user, unless individual programs or individual users override them.

Basic tasks to handle the system locales include:

  • Listing available system locale settings
  • Displaying the current status of the system locales settings
  • Setting or changing the default system locale settings

1.3.2.1. Listing available system locale settings

To list available system locale settings, use this procedure.

Procedure

  • Run the following command:

    $ localectl list-locales

1.3.2.2. Displaying the current status of the system locales settings

To display the current status of the system locales settings, use this procedure.

Procedure

  • Run the following command:

    $ localectl status

1.3.2.3. Setting or changing the default system locale settings

To set or change the default system locale settings, use this procedure.

Procedure

  • Run the following command as the root user:

    # localectl set-locale LANG=locale

1.3.3. Configuring the keyboard layout

The keyboard layout settings control the layout used on the text console and graphical user interfaces.

Basic tasks to handle the keyboard layout include:

  • Listing available keymaps
  • Displaying the current status of keymap settings
  • Setting or changing the default system keymap

1.3.3.1. Listing available keymaps

To list available keymaps, use this procedure.

Procedure

  • Run the following command:

    $ localectl list-keymaps

1.3.3.2. Displaying the current status of keymaps settings

To display the current status of keymaps settings, use this procedure.

Procedure

  • Run the following command:

    $ localectl status

1.3.3.3. Setting or changing the default system keymap

To set or change the default system keymap, use this procedure.

Procedure

  • Run the following command as the root user:

    # localectl set-keymap keymap

1.3.4. Changing the language using desktop GUI

This section describes how to change the system language using desktop GUI.

Prerequisites

  • Proper language packages are installed on your system

Procedure

  1. Open GNOME Control Center.

    For more information on how to launch this tool, see the approaches described in Launching applications.

    Note that you can also launch GNOME Control Center from the System menu by clicking its icon.

  2. In GNOME Control Center, choose Region & Language from the left vertical bar.
  3. Click the Language menu.

  4. Select the required region and language from the menu.

    If your region and language are not listed, scroll down, and click More to select from available regions and languages.

  5. Click Done.
  6. Click Restart for changes to take effect.

Note

Some applications do not support certain languages. The text of an application that cannot be translated into the selected language remains in US English.

1.3.5. Additional resources

Setting of these items is normally a part of the installation process. For more information, see Performing a standard RHEL installation.

1.4. Configuring and managing network access

This section describes different options for adding an Ethernet connection in RHEL.

1.4.1. Configuring the network and host name in the graphical installation mode

Follow the steps in this procedure to configure your network and host name.

Procedure

  1. From the Installation Summary window, click Network and Host Name.
  2. From the list in the left-hand pane, select an interface. The details are displayed in the right-hand pane.
  3. Toggle the ON/OFF switch to enable or disable the selected interface.

    Note

    Locally accessible interfaces are automatically detected by the installation program and cannot be manually added or deleted.

  4. Click + to add a virtual network interface, which can be either: Team, Bond, Bridge, or VLAN.
  5. Click - to remove a virtual interface.
  6. Click Configure to change settings such as IP addresses, DNS servers, or routing configuration for an existing interface (both virtual and physical).
  7. Type a host name for your system in the Host Name field.

    Note
    • There are several types of network device naming standards used to identify network devices with persistent names, for example, em1 and wl3sp0. For information about these standards, see the Configuring and managing networking document.
    • The host name can be either a fully-qualified domain name (FQDN) in the format hostname.domainname, or a short host name with no domain name. Many networks have a Dynamic Host Configuration Protocol (DHCP) service that automatically supplies connected systems with a domain name. To allow the DHCP service to assign the domain name to this machine, specify only the short host name. The value localhost.localdomain means that no specific static host name for the target system is configured, and the actual host name of the installed system is configured during the processing of the network configuration, for example, by NetworkManager using DHCP or DNS.
  8. Click Apply to apply the host name to the environment.

Additional resources and information

  • For details about configuring network settings and the host name when using a kickstart file, see the corresponding appendix in Performing an advanced RHEL installation.
  • If you install RHEL using the text mode of the Anaconda installation program, use the Network settings option to configure the network.

1.4.2. Adding a static Ethernet connection using nmcli

This procedure describes adding an Ethernet connection with the following settings:

  • A static IPv4 address - 192.0.2.1 with a /24 subnet mask
  • A static IPv6 address - 2001:db8::1 with a /32 subnet mask
  • An IPv4 default gateway - 192.0.2.254
  • An IPv6 default gateway - 2001:db8::fffe
  • An IPv4 DNS server - 192.0.2.200
  • An IPv6 DNS server - 2001:db8::ffbb
  • A DNS search domain - example.com

Procedure

  1. Add a new NetworkManager connection profile for the Ethernet connection:

    # nmcli connection add con-name Example-Connection ifname enp7s0 type ethernet ipv4.addresses 192.0.2.1/24

    The further steps modify the Example-Connection connection profile you created.

  2. Set the IPv6 address:

    # nmcli connection modify Example-Connection ipv6.addresses 2001:db8::1/32
  3. Set the IPv4 and IPv6 connection method to manual:

    # nmcli connection modify Example-Connection ipv4.method manual
    # nmcli connection modify Example-Connection ipv6.method manual
  4. Set the IPv4 and IPv6 default gateways:

    # nmcli connection modify Example-Connection ipv4.gateway 192.0.2.254
    # nmcli connection modify Example-Connection ipv6.gateway 2001:db8::fffe
  5. Set the IPv4 and IPv6 DNS server addresses:

    # nmcli connection modify Example-Connection ipv4.dns "192.0.2.200"
    # nmcli connection modify Example-Connection ipv6.dns "2001:db8::ffbb"

    To set multiple DNS servers, specify them space-separated and enclosed in quotes.

  6. Set the DNS search domain for the IPv4 and IPv6 connection:

    # nmcli connection modify Example-Connection ipv4.dns-search example.com
    # nmcli connection modify Example-Connection ipv6.dns-search example.com
  7. Activate the connection profile:

    # nmcli connection up Example-Connection
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/13)

Verification steps

  1. Display the status of the devices and connections:

    # nmcli device status
    DEVICE      TYPE      STATE      CONNECTION
    enp7s0      ethernet  connected  Example-Connection
  2. To display all settings of the connection profile:

    # nmcli connection show Example-Connection
    connection.id:              Example-Connection
    connection.uuid:            b6cdfa1c-e4ad-46e5-af8b-a75f06b79f76
    connection.stable-id:       --
    connection.type:            802-3-ethernet
    connection.interface-name:  enp7s0
    ...

Additional resources

  • See the nm-settings(5) man page for more information on connection profile properties and their settings.
  • For further details about the nmcli utility, see the nmcli(1) man page.

1.4.3. Adding a connection profile using nmtui

The nmtui application provides a text user interface to NetworkManager. This procedure describes how to add a new connection profile.

Prerequisites

  • The NetworkManager-tui package is installed.

Procedure

  1. Start the NetworkManager text user interface utility:

    # nmtui
  2. Select the Edit a connection menu entry, and press Enter.
  3. Select the Add button, and press Enter.
  4. Select Ethernet, and press Enter.
  5. Fill the fields with the connection details.

  6. Select OK to save the changes.
  7. Select Back to return to the main menu.
  8. Select Activate a connection, and press Enter.
  9. Select the new connection entry, and press Enter to activate the connection.
  10. Select Back to return to the main menu.
  11. Select Quit.

Verification steps

  1. Display the status of the devices and connections:

    # nmcli device status
    DEVICE      TYPE      STATE      CONNECTION
    enp7s0      ethernet  connected  Example-Connection
  2. To display all settings of the connection profile:

    # nmcli connection show Example-Connection
    connection.id:              Example-Connection
    connection.uuid:            b6cdfa1c-e4ad-46e5-af8b-a75f06b79f76
    connection.stable-id:       --
    connection.type:            802-3-ethernet
    connection.interface-name:  enp7s0
    ...

Additional resources

  • For further details about the nmtui application, see the nmtui(1) man page.

1.4.4. Managing networking in the RHEL 8 web console

In the web console, the Networking menu enables you:

  • To display currently received and sent packets
  • To display the most important characteristics of available network interfaces
  • To display content of the networking logs.
  • To add various types of network interfaces (bond, team, bridge, VLAN)

Figure 1.1. Managing Networking in the RHEL 8 web console

1.4.5. Managing networking using RHEL System Roles

You can configure the networking connections on multiple target machines using the network role.

The network role allows you to configure the following types of interfaces:

  • Ethernet
  • Bridge
  • Bonded
  • VLAN
  • MacVLAN
  • Infiniband

The required networking connections for each host are provided as a list within the network_connections variable.

Warning

The network role updates or creates all connection profiles on the target system exactly as specified in the network_connections variable. Therefore, the network role removes options from the specified profiles if the options are only present on the system but not in the network_connections variable.

The following example shows how to apply the network role to ensure that an Ethernet connection with the required parameters exists:

Example 1.1. An example playbook applying the network role to set up an Ethernet connection with the required parameters

# SPDX-License-Identifier: BSD-3-Clause
---
- hosts: network-test
  vars:
    network_connections:

      # Create one ethernet profile and activate it.
      # The profile uses automatic IP addressing
      # and is tied to the interface by MAC address.
      - name: prod1
        state: up
        type: ethernet
        autoconnect: yes
        mac: "00:00:5e:00:53:00"
        mtu: 1450

  roles:
    - rhel-system-roles.network

For more information on applying a system role, see What RHEL System Roles are and which tasks they can be used for.

1.4.6. Additional resources

1.5. Registering the system and managing subscriptions

The products installed on Red Hat Enterprise Linux, including the operating system itself, are covered by subscriptions.

A subscription to Red Hat Content Delivery Network is used to track:

  • Registered systems
  • Products installed on those systems
  • Subscriptions attached to those products

1.5.1. Registering the system after the installation

Your subscription can be registered during the installation process. For more information, see Performing a standard RHEL installation.

If you have not registered your system during the installation process, you can do it afterwards by applying the following procedure. Note that all commands in this procedure need to be performed as the root user.

Registering and subscribing your system

  1. Register your system:

    # subscription-manager register

    The command will prompt you to enter your Red Hat Customer Portal user name and password.

  2. Determine the pool ID of a subscription that you require:

    # subscription-manager list --available

    This command displays all available subscriptions for your Red Hat account. For every subscription, various characteristics are displayed, including the pool ID.

  3. Attach the appropriate subscription to your system by replacing pool_id with the pool ID determined in the previous step:

    # subscription-manager attach --pool=pool_id

1.5.2. Registering subscriptions with credentials in the web console

The following describes subscribing the newly installed Red Hat Enterprise Linux using the RHEL 8 web console.

Prerequisites

  • Valid user account in the Red Hat Customer Portal.

    See the Create a Red Hat Login page.

  • Active subscription for the RHEL system.

Procedure

  1. Type subscription in the search field and press the Enter key.

    Alternatively, you can log in to the RHEL 8 web console. For details, see Logging in to the web console.

  2. In the polkit authentication dialog for privileged tasks, enter the password belonging to the user name displayed in the dialog.
  3. Click Authenticate.
  4. In the Subscriptions dialog box, click Register.

  5. Enter your Customer Portal credentials.

  6. Enter the name of your organization.

    You need to add the organization name or organization ID, if you have more than one account in the Red Hat Customer Portal. To get the org ID, go to your Red Hat contact point.

  7. Click the Register button.

At this point, your RHEL 8 system has been successfully registered.

1.5.3. Registering a system using Red Hat account on GNOME

You can enroll your system with your Red Hat subscription so that your system can receive updates from Red Hat.

Procedure

  1. Go to the system menu, which is accessible from the top-right screen corner and click the Settings icon.
  2. In the Details → About section, click Register.
  3. Select Registration Server.
  4. If you are not using the Red Hat server, enter the server address in the URL field.
  5. In the Registration Type menu, select Red Hat Account.
  6. Under Registration Details:

    • Enter your Red Hat account user name in the Login field.
    • Enter your Red Hat account password in the Password field.
    • Enter the name of your organization in the Organization field.
  7. Click Register.

1.5.4. Registering a system using Activation Key on GNOME

You can register your system with the activation key using GNOME. You can get the activation key from your organization administrator.

Prerequisites

  • Activation key or keys.

    See the Activation Keys page for creating new activation keys.

Procedure

  1. Go to the system menu, which is accessible from the top-right screen corner and click the Settings icon.
  2. In the Details → About section, click Register.
  3. Select Registration Server.
  4. If you are not using the Red Hat server, enter the URL of the customized server.
  5. In the Registration Type menu, select Activation Keys.
  6. Under Registration Details:

    • Enter Activation Keys.

      Separate multiple keys by a comma (,).

    • Enter the name or ID of your organization in the Organization field.
  7. Click Register.

1.6. Installing software

This section provides information to guide you through the basics of software installation. It mentions the prerequisites that you need to fulfil to be able to install software, provides the basic information on software packaging and software repositories, and references the ways to perform basic tasks related to software installation.

1.6.1. Prerequisites for software installation

The Red Hat Content Delivery Network subscription service provides a mechanism to handle Red Hat software inventory and enables you to install additional software or update already installed packages. You can start installing software once you have registered your system and attached a subscription, as described in Section 1.5.1, “Registering the system after the installation”.

1.6.2. Introduction to the system of software packaging and software repositories

All software on a Red Hat Enterprise Linux system is divided into RPM packages, which are stored in particular repositories. When a system is subscribed to the Red Hat Content Delivery Network, a repository file is created in the /etc/yum.repos.d/ directory.

Use the yum utility to manage package operations:

  • Searching information about packages
  • Installing packages
  • Updating packages
  • Removing packages
  • Checking the list of currently available repositories
  • Adding or removing a repository
  • Enabling or disabling a repository

For information on basic tasks related to the installation of software, see Managing basic software-installation tasks with subscription manager and yum.

1.6.3. Managing basic software-installation tasks with subscription manager and yum

The most basic software-installation tasks that you might need after the operating system has been installed include:

  • Listing all available repositories:

    # subscription-manager repos --list
  • Listing all currently enabled repositories:

    yum repolist
  • Enabling or disabling a repository:

    # subscription-manager repos --enable repository
    # subscription-manager repos --disable repository
  • Searching for packages matching a specific string:

    yum search string
  • Installing a package:

    # yum install package_name
  • Updating all packages and their dependencies:

    # yum update
  • Updating a package:

    # yum update package_name
  • Uninstalling a package and any packages that depend on it:

    # yum remove package_name
  • Listing information on all installed and available packages:

    yum list all
  • Listing information on all installed packages:

    yum list installed

1.7. Making systemd services start at boot time

Systemd is a system and service manager for Linux operating systems that introduces the concept of systemd units.

This section provides information on how to ensure that a service is enabled or disabled at boot time. It also explains how to manage the services through the web console.

1.7.1. Enabling or disabling the services

You can determine which services are enabled or disabled at boot time already during the installation process, or you can enable or disable a service on an installed operating system.

To create the list of services enabled or disabled at boot time during the installation process, use the services option in your Kickstart file:

services [--disabled=list] [--enabled=list]

Note

The list of disabled services is processed before the list of enabled services. Therefore, if a service appears on both lists, it is enabled. The list of the services uses the comma-separated format. Do not include spaces in the list of services.

To enable or disable a service on an already installed operating system:

# systemctl enable service_name
# systemctl disable service_name

For further details on enabling and disabling services, see Section 3.2, “Managing system services”.

1.7.2. Managing services in the RHEL 8 web console

In the web console, select Services to manage systemd targets, services, sockets, timers, and paths. There you can check their status, start or stop them, and enable or disable them.

Figure 1.2. Managing services in the RHEL 8 web console

1.8. Enhancing system security with a firewall, SELinux, and SSH access

Computer security is the protection of computer systems from the theft or damage to their hardware, software, or information, as well as from disruption or misdirection of the services they provide. Ensuring computer security is therefore an essential task, and not only in enterprises that process sensitive data or handle business transactions.

Computer security includes a wide variety of features and tools. This section covers only the basic security features that you need to configure after you have installed the operating system. For detailed information on securing Red Hat Enterprise Linux, see the titles from the Security section in Product Documentation for Red Hat Enterprise Linux 8.

1.8.1. Ensuring the firewall is enabled and running

1.8.1.1. What a firewall is and how it enhances system security

A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network.

The firewall is provided by the firewalld service, which is automatically enabled during the installation. However, if you explicitly disabled the service, you can re-enable it, as described in Section 1.8.1.2, “Re-enabling the firewalld service”.

1.8.1.2. Re-enabling the firewalld service

If the firewalld service is disabled after the installation, Red Hat recommends that you consider re-enabling it.

To display the current status of firewalld even as a regular user:

systemctl status firewalld

If firewalld is not enabled and running, switch to the root user, and change its status:

# systemctl start firewalld
# systemctl enable firewalld

For detailed information on configuring and using the firewall, see Using and configuring firewalls.

1.8.1.3. Managing firewall in the RHEL 8 web console

In the web console, use the Firewall option under Networking to enable or disable the firewalld service.

By default, the firewalld service in the web console is enabled. To disable it, switch it off as shown below. Additionally, you can choose the services that you want to allow through the firewall.

Figure 1.3. Managing firewall in the RHEL 8 web console

1.8.2. SELinux and its modes

Security-Enhanced Linux (SELinux) is an additional layer of system security that determines which process can access which files, directories, and ports.

SELinux states

SELinux has two possible states:

  • Enabled
  • Disabled

When SELinux is disabled, only Discretionary Access Control (DAC) rules are used.

SELinux modes

When SELinux is enabled, it can run in one of the following modes:

  • Enforcing
  • Permissive

Enforcing mode means that SELinux policies are enforced. SELinux denies access based on SELinux policy rules, and permits only the interactions that are specifically allowed. Enforcing mode is the default mode after the installation and it is also the safest SELinux mode.

Permissive mode means that SELinux policies are not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Permissive mode is the default mode during the installation. Operating in permissive mode is also useful in some specific cases, for example if you require access to the Access Vector Cache (AVC) denials when troubleshooting problems.

For more information on SELinux, see Using SELinux.

1.8.3. Ensuring the required state of SELinux

By default, SELinux operates in permissive mode during the installation and in enforcing mode when the installation finishes.

However, in specific scenarios, you can set SELinux to permissive mode or even disable it on the installed operating system.

Important

Red Hat recommends keeping your system in enforcing mode. For debugging purposes, set SELinux to permissive mode.

To display the current SELinux mode, and to set the mode as required:

Ensuring the required state of SELinux

  1. Display the current SELinux mode in effect:

    getenforce
  2. If required, switch between SELinux modes:

    The switch can be either temporary or permanent. A temporary switch is not persistent across reboots, while a permanent switch is.

    • To temporarily switch to either enforcing or permissive mode:

      # setenforce Enforcing
      # setenforce Permissive
    • To permanently set SELinux mode, modify the SELINUX variable in the /etc/selinux/config configuration file.

      For example, to switch SELinux to enforcing mode:

      # This file controls the state of SELinux on the system.
      # SELINUX= can take one of these three values:
      #     enforcing - SELinux security policy is enforced.
      #     permissive - SELinux prints warnings instead of enforcing.
      #     disabled - No SELinux policy is loaded.
      SELINUX=enforcing

      Warning

      Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config file results in a process in which the kernel boots with SELinux enabled and switches to disabled mode later in the boot process. Because memory leaks and race conditions causing kernel panics can occur, prefer disabling SELinux by adding the selinux=0 parameter to the kernel command line, as described in Changing SELinux modes at boot time, if your scenario really requires completely disabling SELinux.

      For more information on permanent changes of SELinux modes, see Changing SELinux states and modes in the Using SELinux title.
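
The difference between a temporary and a permanent switch can be checked by comparing the mode in effect with the SELINUX value in the configuration file. The following script is an added example, not part of the Red Hat documentation; its function names and verdict words are its own, and it assumes that the first line starting with SELINUX= is the one that counts.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): detect a gap between the
# SELinux mode in effect and the persistent setting in /etc/selinux/config.

# Print the persistent mode from a config file. Assumption of this example:
# the first line that starts with "SELINUX=" is the one that counts.
configured_mode() {
    awk '
        /^SELINUX=/ {
            mode = tolower(substr($0, 9))   # text after "SELINUX="
            sub(/[ \t\r].*$/, "", mode)     # drop trailing blanks
            exit
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "${1:-/etc/selinux/config}"
}

# $1: mode in effect, as printed by getenforce; $2: config file (optional).
# Prints "<verdict> runtime=<mode> configured=<mode>" and always returns 0.
#   ok    - enforcing both now and in the persistent configuration
#   drift - the two differ, for example after a temporary setenforce switch
#   weak  - both agree on something other than enforcing
check_selinux_drift() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    persistent=$(configured_mode "${2:-/etc/selinux/config}")
    if [ "$runtime" != "$persistent" ]; then
        verdict=drift
    elif [ "$runtime" = enforcing ]; then
        verdict=ok
    else
        verdict=weak
    fi
    echo "$verdict runtime=$runtime configured=$persistent"
}

# Constructed sample: lines from the configuration file shown above plus a
# SELINUXTYPE line, written to a temporary file so that the demo does not
# read the real system configuration.
demo_selinux_drift() {
    cfg=$(mktemp)
    printf '%s\n' \
        '# This file controls the state of SELinux on the system.' \
        '#     disabled - No SELinux policy is loaded.' \
        'SELINUX=enforcing' \
        'SELINUXTYPE=targeted' > "$cfg"
    check_selinux_drift Enforcing "$cfg"    # as after a clean boot
    check_selinux_drift Permissive "$cfg"   # as after "setenforce Permissive"
    rm -f "$cfg"
}

demo_selinux_drift
# On a live system: check_selinux_drift "$(getenforce)"
```

A selinux=0 parameter on the kernel command line is not visible in the configuration file, so a "drift" verdict with runtime=disabled also warrants a look at the boot parameters.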

1.8.3.1. Switching SELinux modes in the RHEL 8 web console

In the web console, use the SELinux option to turn SELinux enforcing policy on or off.

By default, SELinux enforcing policy in the web console is on, and SELinux operates in enforcing mode. By turning it off, you can switch SELinux to permissive mode. Note that such deviation from the default configuration in the /etc/sysconfig/selinux file is automatically reverted on the next boot.

Figure 1.4. Managing SELinux in the RHEL 8 web console

1.8.4. Managing SELinux on multiple systems using RHEL System Roles and Ansible

You can manage various SELinux local customizations on multiple target machines using the selinux system role.

For more information on applying the selinux role to manage various local customizations, such as applying the restorecon command to portions of the file system tree, or managing file contexts, SELinux booleans, logins, or ports, see the Deploying the same SELinux configuration on multiple systems section.

1.8.5. Accessing system through SSH

The SSH protocol provides encrypted communications between two systems. SSH mitigates many security threats, such as interception of communication. It also prevents impersonation of a particular host because the SSH client and server use digital signatures to verify their identities.

For more information, see the Using secure communications between two systems with OpenSSH section.

1.9. Managing user accounts

Red Hat Enterprise Linux is a multi-user operating system, which enables multiple users on different computers to access a single system installed on one machine. Every user operates under their own account, and managing user accounts thus represents a core element of Red Hat Enterprise Linux system administration.

1.9.1. The basics of managing user accounts

Normal and System Accounts

Normal accounts are created for users of a particular system. Such accounts can be added, removed, and modified during normal system administration.

System accounts represent a particular application's identifier on a system. Such accounts are generally added or manipulated only at software installation time, and they are not modified later.

Warning

System accounts are presumed to be available locally on a system. If these accounts are configured and provided remotely, such as in the instance of an LDAP configuration, system breakage and service start failures can occur.

For system accounts, user IDs below 1000 are reserved. For normal accounts, you can use IDs starting at 1000. However, the recommended practice is to assign IDs starting at 5000. See Reserved user and group IDs for more information. The guidelines for assigning IDs can be found in the /etc/login.defs file:

# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

What groups are and which purposes they can be used for

A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.
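
Returning to the UID ranges from /etc/login.defs shown above: the following added example (not part of the Red Hat documentation) reads UID_MIN and UID_MAX from a login.defs file and classifies every entry of a passwd file against them. The function names, class labels, and sample accounts are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): classify accounts against
# the UID ranges defined in /etc/login.defs.

# Print the numeric value of KEY from a login.defs-style file, or DEFAULT
# when the key is absent. usage: login_def KEY DEFAULT [FILE]
login_def() {
    awk -v key="$1" -v def="$2" '
        $1 == key && $2 ~ /^[0-9]+$/ { val = $2 }
        END { print (val == "" ? def : val) }
    ' "${3:-/etc/login.defs}"
}

# Print "name uid class" for every entry of a passwd-format file.
#   system       - UID below UID_MIN (the reserved range)
#   normal       - UID_MIN up to UID_MAX
#   out-of-range - UID above UID_MAX
# usage: classify_accounts [PASSWD_FILE] [LOGIN_DEFS_FILE]
classify_accounts() {
    defs=${2:-/etc/login.defs}
    uid_min=$(login_def UID_MIN 1000 "$defs")
    uid_max=$(login_def UID_MAX 60000 "$defs")
    awk -F: -v min="$uid_min" -v max="$uid_max" '
        $3 !~ /^[0-9]+$/ { next }    # skip malformed lines
        {
            uid = $3 + 0
            if (uid < min + 0)       class = "system"
            else if (uid <= max + 0) class = "normal"
            else                     class = "out-of-range"
            print $1, uid, class
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data: the login.defs excerpt shown above and five
# made-up passwd entries, written to a temporary directory.
demo_classify_accounts() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '# Min/max values for automatic uid selection in useradd' \
        'UID_MIN                  1000' \
        'UID_MAX                 60000' \
        'SYS_UID_MIN               201' \
        'SYS_UID_MAX               999' > "$dir/login.defs"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'chrony:x:992:988::/var/lib/chrony:/sbin/nologin' \
        'alice:x:1000:1000:Alice Example:/home/alice:/bin/bash' \
        'bob:x:5001:5001:Bob Example:/home/bob:/bin/bash' \
        'nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin' \
        > "$dir/passwd"
    classify_accounts "$dir/passwd" "$dir/login.defs"
    rm -rf "$dir"
}

demo_classify_accounts
```

Run without arguments, classify_accounts reads /etc/passwd and /etc/login.defs; an interactive login that shows up as "system", or a service account that shows up as "normal", is worth reviewing.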

1.9.1.1. Basic command-line tools to manage user accounts and groups

The most basic tasks to manage user accounts and groups, and the appropriate command-line tools, include:

  • Displaying user and group IDs:

    id
  • Creating a new user account:

    # useradd [options] user_name
  • Assigning a new password to a user account belonging to username:

    # passwd user_name
  • Adding a user to a group:

    # usermod -a -G group_name user_name

For detailed information on managing users and groups, see Section 4.1, “Introduction to Users and Groups”.

1.9.2. System user accounts managed in the web console

With user accounts displayed in the RHEL 8 web console you can:

  • Authenticate users when accessing the system.
  • Set their access rights to the system.

The RHEL 8 web console displays all user accounts located in the system. Therefore, you can see at least one user account just after the first login to the web console.

Once you are logged in to the RHEL 8 web console, you can:

  • Create new user accounts.
  • Change their parameters.
  • Lock accounts.
  • Terminate the user session.

You can find the account management in the Accounts settings.

1.9.3. Adding new accounts in the web console

The following describes adding system user accounts in the RHEL 8 web console and setting administration rights to the accounts.

Procedure

  1. Log in to the RHEL web console.
  2. Click Accounts.
  3. Click Create New Account.
  4. In the Full Name field, enter the full name of the user.

    The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.

  5. In the Password/Confirm fields, enter the password and retype it to verify that you entered it correctly. The color bar placed below the fields shows you the security level of the entered password, which does not allow you to create a user with a weak password.

  6. Click Create to save the settings and close the dialog box.
  7. Select the newly created account.
  8. Select Server Administrator in the Roles item.

Now you can see the new account in the Accounts settings and you can use the credentials to connect to the system.

1.10. Dumping the crashed kernel using the kdump mechanism

This section provides an introduction to the kernel crash dump mechanism, also called kdump, and briefly explains what kdump is used for in Section 1.10.1, “What kdump is and which tasks it can be used for”.

Activation of the kdump service is a part of the installation process, as described in Performing a standard RHEL installation and Performing an advanced RHEL installation.

You can also use the web console to configure kdump. See Section 1.10.2, “Configuring kdump in the RHEL 8 web console” for more information.

1.10.1. What kdump is and which tasks it can be used for

In case of a system crash, you can use the kernel crash dump mechanism called kdump that enables you to save the content of the system’s memory for later analysis. The kdump mechanism relies on the kexec system call, which can be used to boot a Linux kernel from the context of another kernel, bypass BIOS, and preserve the contents of the first kernel’s memory that would otherwise be lost.

When a kernel crash occurs, kdump uses kexec to boot into a second kernel, a capture kernel, which resides in a reserved part of the system memory that is inaccessible to the first kernel. The second kernel captures the contents of the crashed kernel’s memory, a crash dump, and saves it.

For more detailed information about kdump, see Managing, monitoring and updating the kernel.

For installing and configuring kdump, see Installing and configuring kdump.

1.10.2. Configuring kdump in the RHEL 8 web console

In the web console, select Kernel dump configuration to verify:

  • the kdump status
  • the amount of memory reserved for kdump
  • the location of the crash dump files

Figure 1.5. Configuring kdump in the RHEL 8 web console

1.10.3. Configuring kdump using RHEL System Roles

You can configure kdump on multiple target machines using the kdump role.

Warning

The kdump role replaces the kdump configuration of the managed hosts entirely. If the kdump role is applied, all previous kdump settings are lost, even if they are not specified by the role variables. The /etc/sysconfig/kdump and /etc/kdump.conf configuration files are replaced.

The following example shows how to apply the kdump role to set the location of the crash dump files:

Example 1.2. An example playbook applying the kdump role for setting the location of kdump files

---
- hosts: kdump-test
  vars:
    kdump_path: /var/crash
  roles:
    - rhel-system-roles.kdump

For more information on applying the kdump role to manage various kdump configurations, see System roles documentation.

1.11. Performing system rescue and creating system backup with ReaR

When a software or hardware failure breaks the operating system, you need a mechanism to rescue the system. It is also useful to have the system backup saved. Red Hat recommends using the Relax-and-Recover (ReaR) tool to fulfil both these needs.

1.11.1. What ReaR is and which tasks it can be used for

ReaR is a disaster recovery and system migration utility which enables you to create the complete rescue system. By default, this rescue system restores only the storage layout and the boot loader, but not the actual user and system files.

Additionally, certain backup software enables you to integrate ReaR for disaster recovery.

ReaR enables you to perform the following tasks:

  • Booting a rescue system on the new hardware
  • Replicating the original storage layout
  • Restoring user and system files

1.11.2. Quickstart to installation and configuration of ReaR

To install ReaR, enter as the root user:

# yum install rear genisoimage syslinux

Use the settings in the /etc/rear/local.conf file to configure ReaR.

1.11.3. Quickstart to creation of the rescue system with ReaR

To create the rescue system, run the following command as the root user:

# rear mkrescue

1.11.4. Quickstart to configuration of ReaR with the backup software

ReaR contains a fully-integrated built-in, or internal, backup method called NETFS.

To make ReaR use its internal backup method, add these lines to the /etc/rear/local.conf file:

BACKUP=NETFS
BACKUP_URL=backup location

You can also configure ReaR to keep the previous backup archives when the new ones are created by adding the following line to /etc/rear/local.conf:

NETFS_KEEP_OLD_BACKUP_COPY=y

To make the backups incremental, meaning that only the changed files are backed up on each run, add this line to /etc/rear/local.conf:

BACKUP_TYPE=incremental

1.12. Using the log files to troubleshoot problems

When troubleshooting a problem, you can use the log files, which contain various information and messages about the operating system. The logging system in Red Hat Enterprise Linux is based on the built-in syslog protocol. Particular programs use this system to record events and organize them into log files, which are useful when auditing the operating system and troubleshooting various problems.

1.12.1. Services handling the syslog messages

The syslog messages are handled by two services:

  • The systemd-journald daemon
  • The rsyslog service

The systemd-journald daemon collects messages from various sources and forwards them to the rsyslog service for further processing. The sources from which the messages are collected are:

  • Kernel
  • Early stages of the boot process
  • Standard output and error of daemons as they start up and run
  • Syslog

The rsyslog service sorts the syslog messages by type and priority, and writes them to the files in the /var/log directory, where the logs are persistently stored.

1.12.2. Subdirectories storing the syslog messages

The syslog messages are stored in various subdirectories under the /var/log directory according to what kind of messages and logs they contain:

  • /var/log/messages - all syslog messages except those mentioned below
  • /var/log/secure - security and authentication-related messages and errors
  • /var/log/maillog - mail server-related messages and errors
  • /var/log/cron - log files related to periodically executed tasks
  • /var/log/boot.log - log files related to system startup
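
As an added example (not part of the Red Hat documentation), the following script summarizes failed SSH password logins per source address from a file in the /var/log/secure format. The sample log lines are constructed, the function names are hypothetical, and the script assumes the usual OpenSSH message form "Failed password for NAME from ADDR port N ssh2".

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): count failed SSH password
# logins per source address in a /var/log/secure-style file.

# usage: failed_ssh_by_source [LOGFILE] [MIN_FAILURES]
# Prints "count address" lines, highest count first.
# Assumed message form (OpenSSH):
#   ... sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2
# NAME is supplied by the remote client and may contain spaces, so the
# address is located by counting fields from the end of the line.
failed_ssh_by_source() {
    awk -v min="${2:-1}" '
        / sshd\[[0-9]+\]: Failed password for / &&
        NF >= 5 && $(NF - 4) == "from" && $(NF - 2) == "port" {
            count[$(NF - 3)]++
        }
        END {
            for (addr in count)
                if (count[addr] >= min + 0)
                    print count[addr], addr
        }
    ' "${1:-/var/log/secure}" | sort -k1,1nr -k2,2
}

# Constructed sample log; host, users, and addresses (documentation ranges)
# are made up for this example.
sample_secure_log() {
    printf '%s\n' \
        'Mar  3 10:15:01 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2' \
        'Mar  3 10:15:04 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 50124 ssh2' \
        'Mar  3 10:15:09 host1 sshd[2215]: Failed password for invalid user backup admin from 203.0.113.7 port 50130 ssh2' \
        'Mar  3 10:16:10 host1 sshd[2290]: Accepted password for alice from 198.51.100.20 port 41000 ssh2' \
        'Mar  3 10:17:00 host1 sshd[2301]: Failed password for alice from 198.51.100.20 port 41010 ssh2' \
        'Mar  3 10:18:00 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum update'
}

demo_failed_ssh() {
    log=$(mktemp)
    sample_secure_log > "$log"
    failed_ssh_by_source "$log"      # every source with at least one failure
    failed_ssh_by_source "$log" 3    # only sources with three or more
    rm -f "$log"
}

demo_failed_ssh
```

On a live system, run failed_ssh_by_source as root without arguments to read /var/log/secure.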

1.12.2.1. Managing the log files in the RHEL 8 web console

In the web console, use the Logs option if you want to inspect the log files.

Figure 1.6. Inspecting the log files in the RHEL 8 web console

1.13. Accessing Red Hat support

To obtain support from Red Hat, use the Red Hat Customer Portal, which provides access to everything available with your subscription.

This section describes:

1.13.1. Obtaining Red Hat Support through Red Hat Customer Portal

By using the Red Hat Customer Portal you can:

  • Open a new support case
  • Initiate a live chat with a Red Hat expert
  • Contact a Red Hat expert by making a call or sending an email

To access the Red Hat Customer Portal, go to https://access.redhat.com.

1.13.2. Using the SOS report to troubleshoot problems

The SOS report collects configuration details, system information and diagnostic information from a Red Hat Enterprise Linux system. Attach the report when you open a support case.

Note that the SOS report is provided in the sos package, which is not installed with the default minimal installation of Red Hat Enterprise Linux.

To install the sos package:

# yum install sos

To generate an SOS report:

# sosreport

To attach the sos report to your support case, see the Red Hat Knowledgebase article How can I attach a file to a Red Hat support case?. Note that you will be prompted to enter the number of the support case when attaching the sos report.

For more information on SOS report, see the Red Hat Knowledgebase article What is a sosreport and how to create one in Red Hat Enterprise Linux 4.6 and later?.