This is Rakesh, and once again, I am here with another deep, honest, and real-world learning related to Kubernetes. Today’s topic is Kubernetes Deployment Strategy.

I want you to read this documentation slowly, like personal notes written in a notebook. This is not copied content, not interview-only material, and not something you just skim. This is written so that you feel how deployment actually happens inside a company, why certain decisions are taken, and how Kubernetes behaves behind the scenes.

My goal is simple: after reading this, you should be able to explain deployment strategies confidently to anyone, and also implement them practically.

Let us first understand what we really mean by the term deployment strategy.

In real life, deployment strategy is not a Kubernetes keyword first. It is a business and engineering problem. Whenever a company is running an application that users are actively using, the company cannot just stop everything and start again. Users may be making payments, booking tickets, logging in, or consuming services. Even a few seconds of downtime can break user trust, create financial loss, or damage reputation.

So whenever a company says, “We want to upgrade our application from an old version to a new version,” the next question is never how to deploy, but always how to deploy safely.

That safe and planned way of upgrading an application from one version to another is called a deployment strategy.

In very simple language: Deployment strategy means the method we choose to replace the old running application with a new version, without breaking the system.

Kubernetes comes into the picture as the system that executes this plan for us.

Now comes one of the most important truths that every Kubernetes learner must clearly understand.

As per official Kubernetes documentation, Kubernetes supports only two deployment strategies by default:

Recreate and RollingUpdate.

That’s it. Nothing more.

Many people believe that Blue-Green and Canary are also default Kubernetes deployment strategies, but that belief is incomplete and slightly incorrect. Blue-Green and Canary are deployment patterns, not native strategies. Kubernetes does not give you a direct field called type: BlueGreen. Instead, Kubernetes gives you building blocks like Deployments, Services, labels, selectors, and controllers. Using these building blocks, engineers design advanced patterns like Blue-Green and Canary.

These patterns exist because the default strategies have real limitations, especially in production environments.

So to truly understand Blue-Green, we must start from the beginning — from the simplest strategy.

1. Let us start with the Recreate Deployment Strategy.

Recreate is the most basic and straightforward strategy. Its behavior is very simple. When a new version of the application needs to be deployed, Kubernetes first terminates all existing Pods of the application. Only after all old Pods are terminated does Kubernetes start creating new Pods with the updated version.

This means there is a clear gap between stopping the old application and starting the new one.

That gap is called downtime.

Downtime is not an accidental side effect here. Downtime is the natural and unavoidable result of how Recreate works.

Now let us imagine a real company scenario.

Suppose there is a payment-related company. The application is already running smoothly. The frontend is serving users, the backend is connected to the database, APIs are responding correctly, and users are happily making transactions. Behind the scenes, Kubernetes is managing Deployments, Services, Secrets, ConfigMaps, and storage. Everything is stable.

Now the manager comes to the tech team and says: “Can we upgrade the frontend UI to a newer version?”

If the DevOps team uses the Recreate strategy, Kubernetes will first stop all existing frontend Pods. During this time, the Service has no Pods to send traffic to. Users will see errors, blank pages, or timeouts. Only after the new Pods start and become ready will the application be available again.

So even if the downtime is small, downtime will definitely happen.

This is why the Recreate strategy is not trusted for production user-facing applications.

Now, let us make this learning REAL — Practical part for each deployment strategy

Till now, we understood the why and what. Now we will move to the how. This section is written so that you can sit in front of a laptop and actually do it, not just imagine it.

I will explain the practical part slowly, and assuming you have enough learning of Kubernetes, honestly, not rushing.

Practical: Recreate Deployment Strategy

First, we intentionally use Recreate so that you personally observe why it is risky.

Create a simple Deployment using nginx. This will act as our frontend application.

# vim recreate_deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: recreate-deployment
  labels:
    policy: recreate
spec:
  replicas: 10
  selector:
    matchLabels:
      app: recreate 
  template:
    metadata:
      labels: 
        app: recreate
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

kubectl create -f recreate_deployment.yml -n strategy

Note: For my safe practice purposes, I am using a namespace, so all resources are kept aligned in one location.

Now create a NodePort service for this deployment, so users can request publicly to the application using the service.

# vim recreate_Service.yml

apiVersion: v1
kind: Service
metadata:
  name: recreate-service
spec:
  type: NodePort
  selector:
    app: recreate
  ports:
    - port: 80
      # By default and for convenience, the `targetPort` is set to
      # the same value as the `port` field.
      targetPort: 80
      # Optional field
      # By default and for convenience, the Kubernetes control plane
      # will allocate a port from a range (default: 30000-32767)
      nodePort: 30007

Now create both resources.

# kubectl create -f recreate_Service.yml -n strategy

Apply both manifests and access the application.

At this stage, everything works normally.

Now we are going to update the pre-exist Deployment image to other version ex:nginx:1.25 and apply it again. You can edit existing running deployment using following method:

1. Direct EDIT method kubectl edit deployment

2. Using kubectl patch

3. Using kubectl set image

4. Edit deployment and apply changes using kubectl create -f

kubectl set image deployment/recreate-deployment nginx=nginx:1.25.0 -n strategy

You will observe that all pods 100 % get down first, and new pods spin out after a few seconds. This is called downtime, and this is an issue.

Later, check again and see there are all the new pods are running. Which means there are two ReplicaSet is available for this deployment with two versions. One for the old version nginx:1.14.2 and second one for new version nginx:1.25.0 . This process of being updated with a newer version is called rolling update, even this is for Recreate strategy.

kubectl get pods -n strategy

Check ReplicaSet status.

kubectl get all -n strategy

See, there is a deployment running two ReplicaSet with different versions.

Conclusion of the Recreate Deployment Strategy

So, the Recreate strategy still has its place. It is useful for proof-of-concept environments, internal testing, development setups, and batch-style workloads where downtime does not matter. But for real production systems, Recreate is almost never acceptable.

This limitation of Recreate naturally led engineers to ask a better question:

“Can we update the application without stopping everything at once?”

That question gave rise to the RollingUpdate strategy.

2. RollingUpdate is the default strategy in Kubernetes, and it is much smarter than Recreate.

Instead of stopping all Pods together, RollingUpdate replaces Pods gradually. Some old Pods continue running while new Pods are being created. This way, the application usually remains available during the update process. Between updating the pods version, it takes some time to get back ready to serve the application publicly. Read this for more Pods Termination Behavior .

vim rolling_update_deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rolling-update-deployment
  labels:
    app: nginx
spec:
  replicas: 10
  selector:
    matchLabels:
      app: rolling-update
  strategy:
   type: RollingUpdate
   rollingUpdate:
     maxUnavailable: 0           # High Availability 
     maxSurge: 2                  # Two extra pods will create in advance
  template:
    metadata:
      labels:
        app: rolling-update
    spec:
      terminationGracePeriodSeconds: 10 # extra long grace period
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80

And expose the deployment with a service NodePort.

vim rolling_update_service.yml

# vim recreate_Service.yml

apiVersion: v1
kind: Service
metadata:
  name: rolling-update-service
spec:
  type: NodePort
  selector:
    app: rolling-update
  ports:
    - port: 80
      # By default and for convenience, the `targetPort` is set to
      # the same value as the `port` field.
      targetPort: 80
      # Optional field
      # By default and for convenience, the Kubernetes control plane
      # will allocate a port from a range (default: 30000-32767)
      nodePort: 30010

Now create resources using commands.

kubectl create -f rolling_update_deployment.yml -n strategy
kubectl create -f rolling_update_deployment.yml -n strategy
kubectl get all -n strategy

Now change the version of deployment pods.

From old to new version and apply changes to the existing deployment.

kubectl set image deployment/rolling-update-deployment nginx=nginx:1.25.0 -n strategy

At first glance, the RollingUpdate strategy seems ideal. It offers no downtime, a smooth transition, and a controlled rollout. With maxSurge: 2, two extra pods are created first, and then old pods are deleted until all pods are updated to the new version. What else do we need?

Right ????

While the RollingUpdate strategy ensures high availability, the issue is not just about availability. The real problem is that, for a brief moment, the application runs two versions simultaneously. This means some users might be using the older version while others are on the newer version. This can lead to compatibility issues between the backend and frontend, causing potential disconnects. Therefore, this approach may not be entirely reliable for production-level work.

Running two versions at the same time, even for a few seconds, can be risky. Downtime, no matter how brief, can impact a company in terms of money, time, and trust.

Now let us go back to the real-world company example.

Suppose the frontend version v1 is fully compatible with the backend APIs and database. Everything works fine. Now a new frontend version v2 is built. The UI is improved, performance is enhanced, but v2 expects some new API responses or slightly different behavior from the backend.

During a RollingUpdate, both frontend v1 and frontend v2 are running together. Some users hit v1 and everything works. Some users hit v2, and suddenly they see errors because the backend does not yet support those expectations.

This creates an inconsistent user experience.

It is very important to understand that Kubernetes is not wrong here. Kubernetes is doing exactly what RollingUpdate promises. The real problem is that RollingUpdate allows mixed-version traffic.

RollingUpdate cannot guarantee that all users will see only one version at a time.

And for some businesses, especially high-risk systems like payments, banking, authentication, or compliance-heavy applications, this risk is unacceptable.

That is why companies needed something even safer.

3. This is where the Blue-Green Deployment pattern comes into the picture.

Blue-Green deployment is not about replacing Pods. It is about switching traffic.

The idea is very simple but extremely powerful.

Instead of upgrading the running application directly, the company runs two environments side by side.

The Blue environment represents the current live application that users are using.

The Green environment represents the new version of the application. It is fully deployed, fully tested, and fully ready — but hidden from users.

Only one environment receives traffic at a time.

When the company is confident that the Green version is stable, traffic is switched from Blue to Green in one clean step.

No gradual replacement. No mixed versions. No confusion.

If something goes wrong, traffic can be switched back to Blue immediately.

This is why companies love Blue-Green deployment.

In real companies, this traffic switch is usually done using a Kubernetes Service or an Ingress controller. The Service selector is updated to point to the new version. The Pods themselves are not restarted or modified during the switch. Only traffic routing changes.

This makes rollback extremely fast and safe.

For this practical, we have to create two deployments and one service.

So in this scenario, the service will serve the public client requests to that deployment that has matching labels with service labels.

vim blue-green-deployment.yml

# -------------------------------
# BLUE DEPLOYMENT
# -------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: blue-deploy
spec:
  replicas: 4
  selector:
    matchLabels:
      env: blue
  template:
    metadata:
      labels:
        env: blue
    spec:
      containers:
      - name: app
        image: nginx:1.25
        ports:
        - containerPort: 80

---
# -------------------------------
# BLUE SERVICE
# -------------------------------
apiVersion: v1
kind: Service
metadata:
  name: strategy-svc
spec:
  selector:
    env: blue
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP

## This service will pick blue deployment pods,  because of selector env: blue
---
# -------------------------------
# GREEN DEPLOYMENT
# -------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: green-deploy
spec:
  replicas: 4
  selector:
    matchLabels:
      env: green
  template:
    metadata:
      labels:
        env: green
    spec:
      containers:
      - name: app
        image: nginx:1.25
        ports:
        - containerPort: 80

kubectl create -f blue-green-deployment.yml -n strategy

kubectl get pods  --show-labels -n strategy

Two deployments are ready, but serving the public request by only one at a time, which has matching service labels.

kubectl get svc -n strategy
kubectl describe svc/strategy-svc -n strategy

Deployment blue-deploy has labels = env: blue

Deployment green-deploy has labels = env: blue

Current Service strategy-svc has labels = env: blue

Which means deployment blue-deploy is currently serving the service, because its pod has matching labels with the service.

Recently company has changed their mind and wants to move on new version. So only a patch change will divert the service request to the new deployment.

kubectl patch service strategy-svc \
  -p '{"spec":{"selector":{"env":"green"}}}' -n strategy

This patch has changed the traffic from env: blue deployment pods

to newer deployment pods env: green

Check with the service description. Look into the labels. Now it’s changed to env:green.

kubectl describe svc/strategy-svc -n strategy

Although In the background, both deployment is running, but deployment that has labels env: blue is now serving the service to public.

If company decide to go back with previous version. company need to change only service labels.

 kubectl patch service strategy-svc \
  -p '{"spec":{"selector":{"env":"blue"}}}' -n strategy

However, Blue-Green is not magic. It does not fix bad database design or incompatible APIs. Companies still need backwards-compatible database migrations and well-designed APIs. Blue-Green simply ensures that users are never exposed to two application versions at the same time.

Now come to Canary deployment strategy and see what special in this.

4. Canary Deployment Strategy

Let us first come back to the real-world problem.

A company is running an application that users are actively using. Everything is stable. Payments are working, logins are fine, APIs are responding, dashboards look green. Now the company wants to release a new version.

At this point, the company already knows about RollingUpdate and Blue-Green.

RollingUpdate is good, but it allows mixed versions to serve traffic at the same time.

Blue-Green is safer, but it switches 100% of users to the new version at once.

Now imagine this situation.

The company is not fully confident about the new version. So

• A new feature is introduced

• A new UI flow is added

• A new algorithm is used

• A performance optimization is done

The code has passed testing, but still the team is not comfortable exposing all users to it at once.

So the real question becomes:

“What if we expose the new version to only a small set of users, observe it in production, and then decide?”

That thinking is the birth of Canary Deployment.

The term Canary comes from an old practice in coal mines.

Miners used to carry a canary bird with them. If the air was toxic, the canary would show signs first, warning the miners before humans were affected.

In software terms, the new version of the application is the canary.

It is exposed to danger first, while the majority of users stay safe on the stable version.

Now let us define Canary deployment in very simple, honest language.

Canary deployment means:

Releasing a new version of the application to a small percentage of users, monitoring its behaviour in real production conditions, and gradually increasing traffic only if everything looks healthy.

Unlike Blue-Green, Canary is not about instant switching.

Unlike RollingUpdate, Canary is not about replacing Pods.

Canary is about risk control.

Now it is very important to understand one thing clearly.

Just like RollingUpdate, Canary is not a default Kubernetes deployment strategy.

Kubernetes does not have a type: Canary field.

Canary is a deployment pattern built using Kubernetes primitives such as:

• Deployments

• Labels

• Services

• Ingress or traffic controllers

Kubernetes gives you the tools. Canary gives you the idea. Canary deployment is usually done gradually.

First, only a very small percentage of traffic goes to the new version.

So engineers observe the application and environment calmly:

• Checking the Error rates

• Checking the Latency

• Check the service Logs

• Read User complaints

If everything looks good, traffic is increased slowly.

If anything looks wrong, Canary is stopped immediately, and users continue using the stable version.

This gives teams confidence with control.

It is also important to understand that Canary deployment is more complex than RollingUpdate and Blue-Green.

It requires or we can say depended on:

• Better monitoring

• Clear rollback strategy

• Discipline in release management

That is why small teams may avoid Canary initially, while mature teams adopt it as they scale.

Companies choose Canary when they feel in control and confident in the application.If you truly understand Canary deployment at this theoretical level, you are already thinking like a production engineer, not just a Kubernetes learner.

Now it’s time for Canary Deployment practical learning.

The company is running a website application named “chatbot“, for this, there is a deployment is running in the production with this specification yaml.

vim pre-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pre-deployment
  labels:
    app: nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      env: prod
      version: v1
  template:
    metadata:
      labels:
        env: prod
        version: v1
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

In the deployment we have 4 replicas and using nginx image.

labels you can see :

env: prod

version: v1

Now application deployment is exposed using the service (ex: nodePort in our practice).

100% service request came to deployment that has both matching labels.

apiVersion: v1
kind: Service
metadata:
  name: pre-svc
spec:
  type: NodePort
  selector:
    env: prod
    version: v1
  ports:
  - port: 80
    targetPort: 80
    nodePort: 31745

Now as a client request to application using service request.

curl http://node-public-ip:31745

You will receive a response from the 4 replica deployment of nginx pods.

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Image explained

Now Canary comes in game

Create one more deployment yaml.

vim canary-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: canary-deployment
  labels:
    app: httpd
spec:
  replicas: 2
  selector:
    matchLabels:
      env: prod
      version: v2
  template:
    metadata:
      labels:
        env: prod
        version: v2
    spec:
      containers:
      - name: httpd
        image: httpd
        ports:
        - containerPort: 80

kubectl create -f canary-deployment.yml

This is new deployment that has 2 replicas and two labels env: prod & version: v2 and using image httpd.

Now we will see the magic of canary strategy.

Instead of fully traffic conversion, we provide a small amount of service.

for this edit the existing service and remove one label version: v2

kubectl edit svc/pre-svc

  ports:
  - nodePort: 31745
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    env: prod

So this time service is controlling and sending client requests to those deployment pods that has labels

env: prod.

and we know both deployment has label env: prod.

One deployment pre-deployment has 4 replicas

New deployment canary-deployment has 2 replicas.

So total there are 6 pods replicas, which in total request client requests via service.

kubectl get deployment --show-labels
NAME                  READY   UP-TO-DATE   AVAILABLE   AGE   LABELS
canary-deployment     4/4     4            4           53m   app=nginx,name=canary-deployment
strategy-deployment   2/2     2            2           46m   app=httpd,name=strategy-deployment

kubectl get pods --show-labels 
NAME                                   READY   STATUS    RESTARTS   AGE   LABELS
canary-deployment-688c4f4d54-ftdt8     1/1     Running   0          53m   env=prod,pod-template-hash=688c4f4d54,version=v1
canary-deployment-688c4f4d54-lzfnz     1/1     Running   0          53m   env=prod,pod-template-hash=688c4f4d54,version=v1
canary-deployment-688c4f4d54-rz4dh     1/1     Running   0          53m   env=prod,pod-template-hash=688c4f4d54,version=v1
canary-deployment-688c4f4d54-zsgjn     1/1     Running   0          53m   env=prod,pod-template-hash=688c4f4d54,version=v1
strategy-deployment-5474844f99-66dc5   1/1     Running   0          46m   env=prod,pod-template-hash=5474844f99,version=v2
strategy-deployment-5474844f99-qhsb6   1/1     Running   0          46m   env=prod,pod-template-hash=5474844f99,version=v2

curl http://cluster-pub-ip:31745

Make it refresh again and again.
some time nginx image respond and some time httpd image

Refresh two three times, because nginx image deployment (older version deployment) has more replicas=4 as compare to newer version deployment replicas=2.

which mean clients are using newer version of application at the same time but for asmall percentage.

if company found application newer version good, then they can increase the deployment replicas, so percentage share will increase for client requests. and later we can remove the older version deployment pods.

.

Thank you

~Rakesh Kumar Jangid

So, how was your experience with this blog post? If you want to read more about Kubernetes and DevOps, we have awesome posts and projects on this website.

Practice Kubernetes GitOps project: https://projectwala.site/real-world-production-ready-gitops-project-for-devops-practitioners

Read other Kubernetes blogs: Kubernetes-Series

Read Linux blogs: https://projectwala.site/series/linux-series

Read Ansible blogs: Ansible-Series

Learn from DevOps Practice: DevOps

Read Docker Container: Docker-Series

This project is designed to take you deep inside the core of DevOps practices. We will not just run commands — we will understand why things work the way they do in real production environments.
By the end of this project, you won’t be the same person. You’ll gain real-world, production-level insights that most beginners miss.

Tech Stack Used

In this project, we will work with the following tools and technologies:

• Linux

• LAMP Server (WordPress)

• Docker + Kind (to create a mini Kubernetes practice cluster)

• Kubernetes (for microservices-based application deployment)

• Kubernetes Dashboard (for pod-level monitoring)

• HPA (For Pod Auto-Scale as per matrix Data)

• ArgoCD (GitOps tool to tightly sync Git & GitHub for continuous deployment)

• Helm (your special package manager for Kubernetes)

• AWS EC2 (for Project Infra, t2.large instance)

• Git & GitHub

Core Skills You Should Have

Before starting this project, you should be comfortable with:

• Basic Linux commands

• Git & GitHub (basic usage)

• Docker and Kubernetes fundamentals

• AWS EC2 instance creation

• Basic Linux web server knowledge

Don’t worry — you don’t need to be an expert.
If your basics are clear, this project will sharpen your mindset and confidence.

Let’s Get Started

I am using aws cloud for project infrastructure. So we will use
OS: Ubuntu 22.04
Configuration: T2.Large (Because we have to do lots of work here- so need more power)
Storage Volume: 24 GB Minimum

Step-1: Create AWS T2.Large Instance

We will use direct aws console to access terminal

Install some required packages tool tech

apt-get update
apt install -y vim git docker.io 
systemctl enable --now docker

Step-2: Now we have to install KIND so we can create k8s mini cluster. So for this we have to create some script. and then run the script after give the execute permission.

# vim install_kind.sh

#!/bin/bash
# For AMD64 / x86_64
[ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
chmod +x ./kind
sudo cp ./kind /usr/local/bin/kind
rm -rf kind

chmod +x install_kind.sh
bash install_kind.sh

In Ubuntu Install Docker

apt-get update
apt install docker.io
systemctl enable --now docker
systemctl status docker
docker ps -a

In Fedora Based System Install Docker

sudo dnf remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-engine

sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

sudo systemctl enable --now docker
sudo docker ps -a

Your Docker is installed successfully. However, to access the Kubernetes cluster, you need a command-line tool, which is "kubectl."

Step-3: Install kubectl command in KIND cluster.

# vim install_kubectl.sh
#!/bin/bash

# Variables
VERSION="v1.30.0"
URL="https://dl.k8s.io/release/${VERSION}/bin/linux/amd64/kubectl"
INSTALL_DIR="/usr/local/bin"

# Download and install kubectl
curl -LO "$URL"
chmod +x kubectl
sudo mv kubectl $INSTALL_DIR/
kubectl version --client

# Clean up
rm -f kubectl

echo "kubectl installation complete."

chmod +x install_kubectl.sh
bash install_kubectl.sh

Step-4: Install the KIND cluster, so we have to create a KIND config file, that specify the core specification details regarding your KIND cluster nodes.

# vim config.yml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4

nodes:
- role: control-plane
  image: kindest/node:v1.30.0
- role: worker
  image: kindest/node:v1.30.0
- role: worker
  image: kindest/node:v1.30.0

Create the KIND cluster with specifying config.yml file for reference

kind create cluster --config=config.yml

and you will get screen like this.

Your KIND kubernetes cluster is working or not, let him check

kubectl get no -o wide

Step-5: The GitHUB Repository Server

Over this KIND cluster, your application will deploy. But what about the project application files? As you know, we are working on a LAMP WordPress application, and we have a dedicated GitHub repository server for this, where you will get all the required files and folders. Because this is a GitOps project, GitHub is the core artifact server.

Go to this link: devrakaops/projectwala

This is the huge repository where some of my core learning DevOps project are kept, this project is one of them.

In this repository the related files and folder for this project are kept here only.

Go to this link: projectwala/Basic-Level/Project-2 at main · devrakaops/projectwala

The Kubernetes folder has all the YAML for our project, which we will use.

Step-6. Installing Argo CD

We have multiple options to install ArgoCD

1. Using Helm install ArgoCD

   To install ArgoCD using helm, you have to first install helm package manager in your kubernetes cluster itself and after then need to install using dedicated yaml file. I am here providing you a link:

2. Using Direct command install ArgoCD

   To install argocd using direct command line method follow the commands

   Create a namespace for Argo CD:

    kubectl create namespace argocd
   

   Apply the Argo CD manifest:

    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
   

   Check services in Argo CD namespace:

    kubectl get svc -n argocd
   

   Expose Argo CD server using NodePort:

    kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "NodePort"}}'
   

   Forward ports to access Argo CD server:

    kubectl port-forward -n argocd service/argocd-server 443:443 &
   

Access the ArgoCD cluster using public IP of your AWS instance with dedicated 443 port. This is not fix that only use 443 port. You can use any random port, because we are using port forward so request will come at the end of the service port

• Don’t forgot to open 443 ports in your AWS security group inbound rule

In starting you will see the unsecure page warning

But click on “Continue to 13.201.28.87 (unsafe)“ link. And you will get the actual ArgoCD UI Page.

You can cross-check in Kubernetes cluster as well.

Now it’s time to access the ArgoCD, you required username and password:

The username is "admin," but the password can only be obtained by decoding a secret using the base64 algorithm.

Run this command to Retrieve Argo CD admin password:

kubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo

jr20RBeyfzwvB1mW

Paste the password to the UI dashboard
Username: admin
Password: jr20RBeyfzwvB1mW

This is simple interface of ArgoCD dashboard.

Step-7: Setup the application in ArgoCD

Click on +New APP Icon and click on EDIT AS YAML icon, just left top side, so paste the code below

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: myapp
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  source:
    path: Basic-Level/Project-2/Kubernetes
    repoURL: https://github.com/devrakaops/projectwala.git
    targetRevision: main
  sources: []
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      enabled: true

Save this and click on CREATE .

Your application is running, and within 5 seconds, it will sync with your GitHub application directory YAML in the Kubernetes folder.

Just click on this.
And you will see the magic of GitOps.

All kubernetes YAML is showing in tree wise structure. all are healthy and working properly.

Either make changes on GitHub repository folder or direct change here will impact the resource.

If you will check at the kubernetes cluster using

kubectl get all -n default

Which means ArgoCD is working properly.

Now its time to expose the WordPress deployment using port forwarding.

kubectl port-forward  svc/wordpress -p 8080:80 --address=0.0.0.0 &

I have used 8080 for mapping, that is mapped inside with port 80 and accessable from everywhere.

Now you can access your wordpress application on port 8080 specify with your public IP of AWS instance. As i told you earlier that this is not fix that only expose application on 8080. You can use any random open port that is not using currently, means shold be free. so don’t forgot to open 8080 port in AWS instances securit groups inbound rule.

Fill the WordPress details.

And now take login with login credentials.

Setup for LAMP WordPress theme or customize your application.

Finally you will get the application at the end.

Step-8: Install Kubernetes Dashboard for pod level monitoring

• Deploy Kubernetes dashboard:

    kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
  

• Create a token for dashboard access:

    kubectl -n kubernetes-dashboard create token admin-user
  

So create a service role “admin-user“ and make him binding with service account so we can access the kubernetes-dashboard using the token of service account

# vim dashboard_admin.yml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Make port mapping for kubernetes-dashboard, so you can access the dashboard. So first check the service for the kubernetes-dashboard.

kubectl get svc -n kubernetes-dashboard

You will see kubernetes-dashboard service is a Cluster-IP Service that is only accessable on port 443 inside the cluster only, not from outside.

So lets have a port mapping to access the kubernetes-dashboard via the service. so 9090 port is opening here to access kubernetes-dashboard that is mapped with port 443 inside.

kubectl port-forward  svc/kubernetes-dashboard -n kubernetes-dashboard -p 9090:443 --address=0.0.0.0 &

Access the dashboard on port 9090

You can see that the Kubernetes Dashboard is accessible only when we provide a token.
This is because Kubernetes follows a security-first approach by default.

Now, let’s understand this in easy language.

Kubernetes Dashboard is nothing but a pod running inside the Kubernetes cluster, right?
But Kubernetes does not allow any pod or user to access cluster information by default.

So if we try to open the dashboard without permission, Kubernetes will block the access.

That’s why we need to create a ServiceAccount.

A ServiceAccount tells Kubernetes:

“This dashboard pod is trusted, and it is allowed to view cluster resources.”

Using this ServiceAccount, Kubernetes generates a token.
When we log in to the dashboard using this token, Kubernetes verifies the permissions and then allows access.

So in this step, we are creating a Service Account (and assigning proper role) so the Kubernetes Dashboard can securely access the cluster resources.

kubectl create -f dashboard_admin.yml

If you check you will see a service account named “admin-user“

kubectl get sa -n kubernetes-dashboard

Now create the token and paste it to token section in dashboard UI.

kubectl -n kubernetes-dashboard create token admin-user

You will get something like this

eyJhbGciOiJSUzI1NiIsImtpZCI6Ik8wRnE3NDRTcXVHUHdsMHB3eUw1bmRNX3lwUDZjNWlkYUJ4aThNM01KQkkifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzY5NTI4NzE5LCJpYXQiOjE3Njk1MjUxMTksImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiNThhYzI5ZDYtZGQxNi00YjA4LTg4ZGYtYTAxM2IyZmNkOWVjIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiYWE1M2MyYzctNmU4Ni00ZTY3LThkYmItYTI1MmE1ZTAzOTA0In19LCJuYmYiOjE3Njk1MjUxMTksInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.HPJbXiKqjUBXQxYV47F2_kQ1fcgkHitAqRBdqmVQqn4tyDP2zQOAjPuqJWYDKu8t75KjjkmPu8bmOrznuEFJq3d42tyzPa62dSx8CuMpSa_GJ2h9SqwjpYJ46-PtdBy4kczEn4fidvMRLhI1wDYn8ne16if2YZqL--mYpAUR1LG2IEikidTDpFwZY5FkW8Am09SMIESV4u_JfrwxpTgJvB_9l1iXNCNXApujYnBEWEjcc479heqmzwdvQy6pBUq3sn5KgfenzbjhLzJZUI6nwIeKOOS3j_UUcyYsIrDxUwtkbzjQ0VLKZkMmcOVrV41tzdEIcIkRqbX6oLIlV-asQQ

You will get the complete resources namespace vise

Change the namespace and you can access the related resources of namespace.

There are many possibilities in this project:

• We can add monitoring pods for metrics and log-based monitoring using Prometheus, Grafana, Loki, and exporters.

• We can set up Kubernetes pod autoscaling and more.

Step 9: Set up Pod Autoscaler for load-based deployment management

To setup a Pod AutoScaller, we required official yaml. See the link: HorizontalPodAutoscaler Walkthrough | Kubernetes

Create a HPA YAML and customize it. I have created the complete yaml for you.
SO simply Copy-Paste and create the resource.

---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
spec:
  behavior:
    scaleDown:
     stabilizationWindowSeconds: 300
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: wordpress
  minReplicas: 1
  maxReplicas: 5
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50

If you see carefully HPA is waiting for matrix, so HPA over it can work.
If we dont have HPA, this wont work at all. so just check matrix-server is running or not.

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

Just edit one thing

kubectl edit deployment metrics-server -n kube-system

Add this arg flag “--kubelet-insecure-tls“ in “container.args“

spec:
      containers:
      - args:
        - --kubelet-insecure-tls
        - --cert-dir=/tmp
        - --secure-port=10250
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --metric-resolution=15s

Now check again the HPA status

kubectl get hpa

NAME         REFERENCE              TARGETS       MINPODS   MAXPODS   REPLICAS   AGE
php-apache   Deployment/wordpress   cpu: 0%/50%   1         5         1          6m40s

So that was the project practical documentation! I hope you gain some real-world insights into DevOps tools and technologies and get hands-on experience with a real-world project!

Don't forget to share this with your colleagues, friends, and your group!
See you soon in the next amazing project!

Thank you,
Rakesh Kumar Jangid.

If you are learning DevOps, you may be asking yourself:

👉 “I already know Bash scripting. Do I really need Python? Can’t I do the same work with Bash?”

This is a common question, and the truth is:

• No, you don’t always need Python – Bash can handle many tasks.

• But Python makes automation easier, smarter, and more powerful, especially when tasks grow bigger.

Let’s go step by step to understand this in simple terms.

What is Bash?

Bash (Bourne Again Shell) is a command-line shell used in Linux and Unix systems.

You can use Bash to:

• Run Linux commands (ls, pwd, cat, etc.)

• Automate small tasks like backups or log cleanups

• Write simple scripts using loops and conditions

Example – Bash script to process log files

#!/bin/bash
for file in *.log; do
  echo "Processing $file"
done

Use Case of Bash in DevOps

• Copying files to servers

• Running cron jobs (daily/weekly tasks)

• Checking disk space with df -h

• Quick one-liners to fix issues

Bash is simple, fast, and already installed in every Linux machine. That’s why DevOps engineers love it for day-to-day operations.

What is Python?

Python is a general-purpose programming language. Unlike Bash, it is not limited to Linux commands.

You can use Python for:

• Automating bigger tasks

• Working with APIs and JSON data

• System monitoring (CPU, memory, disk)

• Cloud automation (AWS, GCP, Azure)

• Container & Kubernetes automation

Example – Python script to check CPU usage

import psutil
print("CPU Usage:", psutil.cpu_percent(), "%")

Use Case of Python in DevOps

• Writing monitoring scripts (CPU, memory, services)

• Managing servers across multiple clouds

• Automating Docker builds and Kubernetes deployments

• Parsing and analyzing log files

• Creating CI/CD automation scripts in Jenkins or GitHub Actions

Key Differences (Simple View)

When to Use Bash?

Choose Bash when your task is:

• Small and simple

• Only needs Linux commands

• Example:

  • Move files between folders

  • Clean old log files

  • Create a cron job to take backups

When to Use Python?

Choose Python when your task is:

• Large and complex

• Needs cloud or DevOps tool integration

• Example:

  • Monitor CPU, memory, and disk across servers

  • Automate AWS tasks (EC2, S3, Lambda)

  • Interact with Kubernetes clusters

  • Write a deployment script in CI/CD pipeline

Final Thought

“If your task is small, Bash is enough. But if your task is big, needs more features, or involves DevOps tools, Python is the better choice.”

Both Bash and Python are important for a DevOps engineer.

• Start with Bash for Linux basics and small automations.

• Learn Python to build scalable and smarter projects.

Conclusion

As a beginner in DevOps:

1. Don’t skip Bash — it is your day-to-day companion for Linux tasks.

2. But also learn Python — because it gives you power, libraries, and the ability to work with modern DevOps tools.

With Bash, you can start. With Python, you can grow.

In this series, we are here with a Python project from our Beginner-Level Project Ideas.

If you’re just starting your DevOps journey and want to understand how Python can be used for automation, system interaction, and command execution, this project is a perfect starting point.

We’ll build a Python-based mini shell that allows you to run Linux commands directly from a Python script. This simple project demonstrates how Python can interact with the underlying operating system—a core skill for any DevOps engineer.

🔹 Use Case – Why This Project?

In DevOps, engineers often work extensively with the Linux command line for tasks such as:

• Checking system health

• Navigating directories

• Running deployment or monitoring commands

Instead of typing directly into the terminal, Python can act as a wrapper around the shell, executing commands programmatically.

This project helps you:

• Understand how Python executes shell commands.

• Build a foundation for automation scripts.

• Think about extending it into advanced DevOps tools (like deployment scripts, monitoring dashboards, or log analyzers).

🔹 The Code – Python Mini Shell

Here’s the complete Python script:

import subprocess

command = ""
while command != "exit":
    command = input("bash:# ")
    if command == "exit":
        break
    result = subprocess.getoutput(command)
    print(result)

✅ How It Works

• import subprocess → Imports the Python module that interacts with system commands.

• input("bash:# ") → Gives the user a shell-like prompt.

• Exit condition → Typing exit will end the program.

• subprocess.getoutput(command) → Executes the entered command and returns the output.

• print(result) → Displays the result of the command.

🔹 Example Run

Here’s what it looks like when you run the script:

bash:# ls
file1.txt file2.py
bash:# pwd
/home/devops
bash:# exit

Simple, yet powerful 🚀

🔹 Tools Required to Get Started

You don’t need a complicated setup to try this project. Just:

• Python 3 installed on your machine

• VS Code (or any text editor of your choice)

• Linux Environment (Ubuntu, CentOS, or WSL if you’re on Windows)

👉 That’s it! Open VS Code, paste the code, and run it from your terminal.

🔹 Conclusion

This project may look small, but it teaches an important DevOps concept: using Python to interact with the system.

As you move forward, you can enhance this project by adding:

• Error handling for invalid commands

• Logging output into files

• Restricting certain commands for security

• Integrating with tools like Docker or Kubernetes

This is just the beginning of using Python for DevOps automation—and in the upcoming articles of this series, we’ll explore more exciting beginner and intermediate project ideas.

Stay tuned for the next project in the Python in DevOps Series! 🎯

Python is simple, human-readable, and comes with thousands of ready-to-use libraries. For DevOps folks, it’s like having a Swiss Army knife that can help with almost everything — from writing small scripts to building full-fledged automation systems.

Why Python Matters in DevOps

1. Easy to Learn & Use

   • Python’s syntax is clean and easy to read. You don’t have to be a hardcore programmer to write useful Python scripts.

2. Great for Automation

   • Whether it’s automating server setup, cleaning logs, or managing cloud resources, Python scripts save hours of manual work.

3. Huge Library Support

   • Libraries like boto3 (for AWS), paramiko (for SSH), and docker-py (for Docker) make DevOps tasks very smooth.

4. Cross-Platform

   • Python runs everywhere — Linux, Windows, Mac — so you don’t have to worry about compatibility.

5. Integration Power

   • Almost every DevOps tool (Jenkins, Ansible, Kubernetes, AWS, etc.) has Python support or APIs that can be called using Python.

Final Thought

If you’re starting your DevOps journey, Python is not optional anymore — it’s a must-have skill. Think of it as your magic wand that makes your life easier, reduces repetitive manual work, and lets you focus on solving bigger challenges.

So in the next parts of this series, we’ll dive into real examples and projects where Python shines in DevOps. Get ready, because this is going to be fun, practical, and super useful!

In this blog we are going to create a GitLab project, that will showcase the skillset regarding GitLab tool.

Create a Group and a project within

Open your GitLab account and follow these steps one by one. I will guide you if you are starting from basic, so you have to create a group, for this directly go to GitLab account and click on “New group“ button, there you will see two ways to create group, but you need to create a group by click on “Create Group“ . Give him a name and done, you have successfully created a group. In GitLab, your group is like user account in GitHub, ex: GitHub-username

Now in this group, you have to create project by pressing “New Project“ button exact same way of group creation. This is like repository in your GitHub account.

Push your application data to project

As a developer you need to push all the project code from your system to GitLab project using Git Tool.

Here i have pushed all the project code in master branch.

Link: https://gitlab.com/devrakaops1/java-todo-app-cicd/-/tree/master?ref_type=heads

Add a Runner

now this time your next work is to create a EC2-Instance that we can use as a GitLab custom Runner to run our project.

Step-1: Go to your AWS account and create an ec2-instance with t2.medium and rhel-9 OS

Step-2: Take SSH to the instance and run provided commands to make them GitLab Runner

Now run commands to became GitLab Runner

Go to settings > CICD > Runners > Create Project Runner

And click on “Create Runner“

Now select your OS “RedHat Linux“ in my case.
Now you have to run some commands but GitLab Runner must be installed before you can register a runner. For this run below commands by clicking in link “How do I install GitLab Runner?“

Select your architecture of system, run the following commands.

But don’t forgot to run command “yum update“. This will save your time and to lots of confusions.

And then following command.

 gitlab-runner register --url https://gitlab.com --token glrt-oxwG1lduWEnIh3DJiwHCqm86MQpwOjE3ZmVkeQp0OjMKdTpobDhpbRg.01.1j0181m9p

Now check your runner is working and active

make sure you have turn off GitLab default runner

Now your runner is active and in working state. Later you can mention this runner using mentioning tags “dev“ in main CICD file .gitlab-ci.yml

Add Docker Credentials Variables

To add variable in GitLab, go to settings > CICD > Variables > add variable

We have to create two variable:

DOCKERHUB_NAME = ********
DOCKERHUB_PASS = *****************************

Now its time to create CICD file. Name should be “.gitlab-ci.yml“

Create a GitLab CICD file

stages:
        - build
        - test
        - push_to_dockerhub
        - deploy
variables:
        NAME: "Rakesh"
        CITY: "Jaipur"

build_job:
        stage: build
        script:
                - echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"
                - docker build -t todo-app:latest .
        tags:
                - dev

test_job:
        stage: test
        script:
                - echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"
                - docker image ls
        tags:
                - dev

push_job:
        stage: push_to_dockerhub
        before_script: 
                - docker login -u $DOCKERHUB_NAME -p $DOCKERHUB_PASS  
        script:
                - echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"              
                - docker image tag todo-app:latest      $DOCKERHUB_NAME/todo:latest
                - docker push $DOCKERHUB_NAME/todo:latest
        tags:
                - dev

deploy_job:
        stage: deploy
        script:
                - echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"
                - docker compose up -d
                - echo "Working Successful"
        tags:
                - dev

Install Docker in Ec2 Instance

Install docker: https://docs.docker.com/engine/install/centos/

systemctl enable --now docker

Configuration Work

yum install -y git
echo "gitlab-runner  ALL=(ALL)   NOPASSWD:ALL" > /etc/sudoers.d/gitlab-runner

Check the CICD pipeline

When you pushes the code to the repository server in master branch, automatically cicd pipeline will trigger.

Go to build > pipeline >

If you want to see on instance, there is docker container is running on port 8000.

So we have to add 8000 inbound port to the AWS EC2-Instances security group

Access the application

Because we have deployed application on ec2-instance so will see the output using instances public IP with appending 8000 port on web browser.

Notification Alerts

GitLab normally provides alert notification service

Output Logs

• Build_job

    Running with gitlab-runner 18.3.0 (9ba718cd)
      on gitlab-runner1 jHBjwSbnw, system ID: s_5da8ab1e406d
    Preparing the "shell" executor
    00:00
    Using Shell (bash) executor...
    Preparing environment
    00:00
    Running on ip-172-31-95-28.ec2.internal...
    Getting source from Git repository
    00:01
    Gitaly correlation ID: 089ad318cb6440518c7c06d9f9afc0ee
    Fetching changes with git depth set to 20...
    Reinitialized existing Git repository in /builds/jHBjwSbnw/0/devrakaops1/java-todo-app-cicd/.git/
    Checking out 65f03dd9 as detached HEAD (ref is master)...
    Skipping Git submodules setup
    Executing "step_script" stage of the job script
    00:08
    $ echo "Hello my name is $NAME and i lived in $CITY"
    Hello my name is Rakesh and i lived in Jaipur
    $ echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"
    build is working in master branch
    $ echo pwd
    pwd
    $ echo whoami
    whoami
    $ echo ls -al
    ls -al
    $ docker build -t todo-app:latest .
    #0 building with "default" instance using docker driver
    #1 [internal] load build definition from Dockerfile
    #1 transferring dockerfile: 297B done
    #1 DONE 0.0s
    #2 [auth] library/node:pull token for registry-1.docker.io
    #2 DONE 0.0s
    #3 [internal] load metadata for docker.io/library/node:12.2.0-alpine
    #3 DONE 0.2s
    #4 [internal] load .dockerignore
    #4 transferring context: 2B done
    #4 DONE 0.0s
    #5 [1/5] FROM docker.io/library/node:12.2.0-alpine@sha256:2ab3d9a1bac67c9b4202b774664adaa94d2f1e426d8d28e07bf8979df61c8694
    #5 DONE 0.0s
    #6 [internal] load build context
    #6 transferring context: 15.71kB done
    #6 DONE 0.0s
    #7 [2/5] WORKDIR /node
    #7 CACHED
    #8 [3/5] COPY . .
    #8 DONE 0.0s
    #9 [4/5] RUN npm install
    #9 0.710 npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
    #9 5.604 
    #9 5.604 > ejs@2.7.4 postinstall /node/node_modules/ejs
    #9 5.604 > node ./postinstall.js
    #9 5.604 
    #9 5.653 Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)
    #9 5.653 
    #9 5.909 npm WARN my-todolist@0.1.0 No repository field.
    #9 5.910 npm WARN my-todolist@0.1.0 No license field.
    #9 5.910 
    #9 5.913 added 291 packages from 653 contributors and audited 291 packages in 5.249s
    #9 5.914 found 33 vulnerabilities (10 low, 3 moderate, 16 high, 4 critical)
    #9 5.914   run `npm audit fix` to fix them, or `npm audit` for details
    #9 DONE 6.1s
    #10 [5/5] RUN npm run test
    #10 0.428 
    #10 0.428 > my-todolist@0.1.0 test /node
    #10 0.428 > mocha --recursive --exit
    #10 0.428 
    #10 0.624 
    #10 0.625 
    #10 0.627   Simple Calculations
    #10 0.628 This part executes once before all tests
    #10 0.628     Test1
    #10 0.628 executes before every test
    #10 0.629       ✓ Is returning 5 when adding 2 + 3
    #10 0.629 executes before every test
    #10 0.630       ✓ Is returning 6 when multiplying 2 * 3
    #10 0.630     Test2
    #10 0.630 executes before every test
    #10 0.630       ✓ Is returning 4 when adding 2 + 3
    #10 0.630 executes before every test
    #10 0.630       ✓ Is returning 8 when multiplying 2 * 4
    #10 0.631 This part executes once after all tests
    #10 0.631 
    #10 0.631 
    #10 0.631   4 passing (7ms)
    #10 0.631 
    #10 DONE 0.6s
    #11 exporting to image
    #11 exporting layers
    #11 exporting layers 1.1s done
    #11 writing image sha256:c210dbc115207b92008265a12fe9e3059e2b259a59627ce44805f917bb2c49dd done
    #11 naming to docker.io/library/todo-app:latest done
    #11 DONE 1.1s
    Cleaning up project directory and file based variables
    00:00
    Job succeeded
  

• test_job

    Running with gitlab-runner 18.3.0 (9ba718cd)
      on gitlab-runner1 jHBjwSbnw, system ID: s_5da8ab1e406d
    Preparing the "shell" executor
    00:00
    Using Shell (bash) executor...
    Preparing environment
    00:00
    Running on ip-172-31-95-28.ec2.internal...
    Getting source from Git repository
    00:01
    Gitaly correlation ID: 14a70c8d29bf4a60bb71afd99d959466
    Fetching changes with git depth set to 20...
    Reinitialized existing Git repository in /builds/jHBjwSbnw/0/devrakaops1/java-todo-app-cicd/.git/
    Checking out 65f03dd9 as detached HEAD (ref is master)...
    Skipping Git submodules setup
    Executing "step_script" stage of the job script
    00:00
    $ echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"
    test is working in master branch
    $ docker image ls
    REPOSITORY         TAG       IMAGE ID       CREATED         SIZE
    todo-app           latest    c210dbc11520   5 seconds ago   104MB
    [MASKED]/todo   latest    5970356deaa0   3 minutes ago   104MB
    Cleaning up project directory and file based variables
    00:00
    Job succeeded
  

• push_to_dockerhub_job

    Running with gitlab-runner 18.3.0 (9ba718cd)
      on gitlab-runner1 jHBjwSbnw, system ID: s_5da8ab1e406d
    Preparing the "shell" executor
    00:00
    Using Shell (bash) executor...
    Preparing environment
    00:00
    Running on ip-172-31-95-28.ec2.internal...
    Getting source from Git repository
    00:01
    Gitaly correlation ID: 4cfb3d55ef244d9dad1a96d22cdd7691
    Fetching changes with git depth set to 20...
    Reinitialized existing Git repository in /builds/jHBjwSbnw/0/devrakaops1/java-todo-app-cicd/.git/
    Checking out 65f03dd9 as detached HEAD (ref is master)...
    Skipping Git submodules setup
    Executing "step_script" stage of the job script
    00:04
    $ echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"
    push_to_dockerhub is working in master branch
    $ docker login -u $DOCKERHUB_NAME -p $DOCKERHUB_PASS
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    Login Succeeded
    $ docker image tag todo-app:latest      $DOCKERHUB_NAME/todo:latest
    $ docker push $DOCKERHUB_NAME/todo:latest
    The push refers to repository [docker.io/[MASKED]/todo]
    b4a20abeed57: Preparing
    b5a342a444fe: Preparing
    2630b0641421: Preparing
    48568d6a9c95: Preparing
    917da41f96aa: Preparing
    7d6e2801765d: Preparing
    f1b5933fe4b5: Preparing
    7d6e2801765d: Waiting
    f1b5933fe4b5: Waiting
    48568d6a9c95: Layer already exists
    917da41f96aa: Layer already exists
    7d6e2801765d: Layer already exists
    f1b5933fe4b5: Layer already exists
    b4a20abeed57: Pushed
    2630b0641421: Pushed
    b5a342a444fe: Pushed
    latest: digest: sha256:c289ae82475448c92ba2db4d00584f9664fdc9bc300208a44dbc7c878c6623c0 size: 1785
    Cleaning up project directory and file based variables
    00:01
    Job succeeded
  

• deploy_job

    Running with gitlab-runner 18.3.0 (9ba718cd)
      on gitlab-runner1 jHBjwSbnw, system ID: s_5da8ab1e406d
    Preparing the "shell" executor
    00:00
    Using Shell (bash) executor...
    Preparing environment
    00:00
    Running on ip-172-31-95-28.ec2.internal...
    Getting source from Git repository
    00:01
    Gitaly correlation ID: 45752bebf3ae4b6582bb25bdff2e7ac4
    Fetching changes with git depth set to 20...
    Reinitialized existing Git repository in /builds/jHBjwSbnw/0/devrakaops1/java-todo-app-cicd/.git/
    Checking out 65f03dd9 as detached HEAD (ref is master)...
    Skipping Git submodules setup
    Executing "step_script" stage of the job script
    00:01
    $ echo "$CI_JOB_STAGE is working in $CI_COMMIT_BRANCH branch"
    deploy is working in master branch
    $ docker compose up -d
    time="2025-08-22T15:30:00Z" level=warning msg="/builds/jHBjwSbnw/0/devrakaops1/java-todo-app-cicd/docker-compose.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion"
     Network java-todo-app-cicd_default  Creating
     Network java-todo-app-cicd_default  Created
     Container java-todo-app-cicd-web-1  Creating
     Container java-todo-app-cicd-web-1  Created
     Container java-todo-app-cicd-web-1  Starting
     Container java-todo-app-cicd-web-1  Started
    $ echo "Working Successful"
    Working Successful
    Cleaning up project directory and file based variables
    00:00
    Job succeeded
  

Thank you

GitLab repo: https://gitlab.com/devrakaops1/java-todo-app-cicd/-/tree/master?ref_type=heads

Linkedin: https://www.linkedin.com/in/rakeshkumarjangid/

You know how it feels when you forget your Linux password and suddenly can’t do anything on your own machine? It's super frustrating, especially when you’re locked out of something important. Whether you’re using Fedora, Ubuntu, or any other Linux distro, you need that admin access to keep things running smoothly—installing software, updating the system, all that stuff. Without it, you’re just stuck.

But here’s the good news: Linux has a safety net. You can actually reset or break the password and get back in control. It might sound a bit intimidating at first, but trust me, with a little guidance, it’s totally doable.

So, imagine this: you’re the system admin, and suddenly you can’t remember your root password. It’s one of those moments where everything grinds to a halt because, without that password, you’re locked out of doing just about anything important on your system. Maybe you were in the middle of something critical, and now you’re stuck. But don’t worry—Linux has got your back.

Resetting the Root Password from the Boot Loader

If you ever find yourself in this situation, knowing how to reset a lost root password is a skill every system admin needs. If you’re already logged in with sudo access or as root, it’s no big deal. But if you’re not logged in, things get a bit trickier.

You’ve got a few options here. Some might suggest booting from a Live CD, mounting your root file system, and then editing /etc/shadow to fix the problem. But let’s face it, not everyone wants to fiddle with external media. So, let’s explore a method that doesn’t require any of that.

On older Red Hat systems, you could just boot into runlevel 1 to get a root prompt. In the newer versions, like Red Hat Enterprise Linux 8 and beyond, it’s a bit different. You’ll need to use either the rescue or emergency targets, but here’s the catch—they still require the root password. If your system was deployed from a Red Hat cloud image, you might not have a rescue kernel in your boot menu, but your default kernel has a trick up its sleeve—it lets you enter maintenance mode without needing the root password.

How to Do It:

Approach-1

1. Reboot Your System: Start by rebooting your machine.

   Interrupt the Boot: When the boot-loader countdown starts, hit any key (except Enter) to stop it.

   You will see kernel images here, select "rescue" kernel image. use ↑ & ↓ arrow key to change the selection.

2. 

   Select the Rescue Kernel: Use the arrow keys to move the cursor to the entry with the word "rescue" in its name.

3. Edit the Boot Parameters: Press e to edit the selected entry.

4. Modify the Kernel Command Line: Find the line that begins with linux and append rd.break at the end after entering a single space. This tells the system to pause just before handing control from the initramfs to the actual system.

   

   

5. Boot with the Changes: Press Ctrl+x to boot with the modified parameters.

6. Maintenance Mode: When prompted, press Enter to enter maintenance mode.

   

7. Remount the File System: Run this command to remount the root file system as read/write:

    switch_root:/# mount -o remount,rw /sysroot
   

8. Enter a Chroot Jail: This makes /sysroot the root of your file-system tree:

    switch_root:/# chroot /sysroot
   

9. Reset the Password: Set a new root password with this command:

    sh-5.1# passwd root
    Changing password for user root.
    New password: **********
    Retype new password: **********
    passwd: all authentication tokens updated successfully.
   

10. Ensure Files Get Relabeled: This step is crucial to avoid SELinux issues later. Run:

    sh-5.1# touch /.autorelabel
    

11. Exit and Reboot: Type exit twice—once to leave the chroot jail and once to exit the initramfs shell. The system will continue booting, perform a full SELinux relabel, and then reboot again. It will take some time to restart, so login now with new password for the root user.

    sh-5.1# exit
    switch_root:/# exit
    

Approach-2

1. Reboot Your System: Start by rebooting your machine.

   Interrupt the Boot: When the boot-loader countdown starts, hit any key (except Enter) to stop it.

   You will see kernel images here, select "rescue" kernel image. use ↑ & ↓ arrow key to change the selection.

2. 

   Select the Rescue Kernel: Use the arrow keys to move the cursor to the entry with the word "rescue" in its name.

3. Edit the Boot Parameters: Press e to edit the selected entry.

4. Modify the Kernel Command Line: Find the line that begins with linux and append rw init=/bin/bash at the end after entering a single space. This tells the system to pause just before handing control from the initramfs to the actual system.

   

5. Boot with the Changes: Press Ctrl+x to boot with the modified parameters.

6. Maintenance Mode: When prompted, press Enter to enter maintenance mode.

    bash# passwd root
    Changing password for user root.
    New password: **********
    Retype new password: **********
    passwd: all authentication tokens updated successfully.
   

7. Ensure Files Get Relabeled: This step is crucial to avoid SELinux issues later.

    bash# touch /.autorelabel
   

8. Exit and Reboot: Type /sbin/reboot -f and hit enter. Now the system will continue booting, perform a full SELinux relabel, and then reboot again. It will take some time to restart, so login now with new password for the root user.

    bash# /sbin/reboot -f
   

And that’s it! You’re back in business with a new root password, and you didn’t even need to mess around with external media. Whether you’re troubleshooting or just making sure you’re prepared for a rainy day, knowing this trick can save you a lot of headaches.

What is a Network & Networking?

A network is a collection of computing devices (Ex:- Mobile, Computers, IoT Devices, Servers) connected via a communication medium (Wired, Wireless) to exchange information and resources while networking is the practice of creating, maintaining, securing, and troubleshooting this network.

How does a computer network work?

A computer network is a system that allows multiple computing devices (known as nodes) to connect and communicate with each other. This communication is facilitated through various mediums such as wires, optical fibers, or wireless links.

The basic building blocks of a computer network are nodes and links. A node can be a device for data communication like a modem, router, or a data terminal like a computer. Links in computer networks can be defined as wires or cables or free space of wireless networks.

Each device in a network has a unique IP Address that helps in identifying the device. Protocols, which are sets of rules, help in sending and receiving data via the links that allow computer networks to communicate. We will talk about IP address and stuff later.

What are two types of computer network architecture?

There are two main types:

1. Client-server architecture: Here, some nodes (servers) provide resources to other nodes (clients). Clients can talk to each other but don’t share resources.

2. Peer-to-Peer (P2P) architecture: Here, all computers have the same powers. There’s no central server. Each device can act as a client or server and share resources with the network.

What is network topology?

Network Topology is like a blueprint of a network. It shows how different devices such as computers, routers, and servers are connected to each other.

Here are the different types of network topologies:

1. Point-to-Point Topology: This is the simplest form where two devices are directly connected. It’s like a direct phone call between two people. For example, a satellite dish receiving a signal from a satellite is a point-to-point connection.

2. Mesh Topology: In this type, every device is connected to every other device. It’s like a group where everyone is friends with everyone else. This is often used in wireless networks where each device can communicate with every other device directly.

3. Star Topology: Here, all devices are connected to a central hub. It’s like a wheel where the hub is the center and the devices are the spokes. This is commonly used in home networks where all devices connect to a central router.

4. Bus Topology: All devices are connected through a single cable, known as the backbone. It’s like a bus route where all stops (devices) are located along the route. This was commonly used in old Ethernet networks.

5. Ring Topology: Devices are connected in a circle, and data moves in one direction from one device to another. It’s like a circular conveyor belt where packages (data) can hop on at one station and hop off at another. This is used in some types of office networks.

6. Tree Topology: This is a combination of star and bus topologies and looks like a tree with branches. This is often used in wide area networks (WANs) that span large distances, like a network of a large company with many branches.

7. Hybrid Topology: This is a combination of two or more different types of topologies. This is often used in large businesses where different departments have different needs.

What are the types of enterprise computer networks?

Computer networks can vary in size and complexity:

• Personal Area Network (PAN): A network that connects devices over a very short distance, often within a range of 10 meters. For example, a smartphone connected to a wearable device.

• Local Area Network (LAN): A network that connects devices over a short distance, such as within a building or a campus.

• Metropolitan Area Network (MAN): A network that covers a larger geographic area, such as a city.

• Wide Area Network (WAN): A network that covers a large geographic area, such as a country or the entire world. The Internet is an example of a WAN.

• Service provider networks: An Internet Service Provider (ISP) is an example of a service provider network. ISPs are organizations that provide services for accessing, using, managing, or participating in the Internet. They can be organized in various forms, such as commercial, community-owned, non-profit, or privately owned. ISPs provide internet access, internet transit, domain name registration, web hosting, and colocation.

• Cloud networks: A Virtual Private Cloud (VPC) is an example of a cloud network. A VPC is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can specify an IP address range for the VPC, add subnets, add gateways, and associate security groups. A subnet is a range of IP addresses in your VPC. Amazon VPC lets you define and launch AWS resources in a virtual network that you control. You can customize your VPC by choosing your own IP address range, creating subnets, and configuring route tables, and secure and monitor your connections with security groups and firewalls.

The main components of a computer network

Computer network components are the major parts that are needed to install a network according to network topology architectural setup. The design of a network for any organization is indeed influenced by the choice of network components and network topologies. These components are crucial in the design of a computer network architecture as they dictate the layout, communication protocols, and connectivity patterns of network systems.

1. NIC (Network Interface Card):

This is a piece of hardware that connects a computer to a network. It can handle data transfer rates from 10 to 1000 Mb/s. There are two types:

• Wired NIC: This is inside the computer’s motherboard and uses cables to transfer data.

• Wireless NIC: This has an antenna for wireless connections. For example, laptops have wireless NICs.

2. HUB:

• A Hub is a connector that connects wires coming from different sides.

• It operates only on the physical layer (Layer 1) of the OSI model.

• It is also known as a repeater as it transmits signals to every port except the port from where the signal is received.

• Hubs are not intelligent in communication and processing information for the 2nd and 3rd layer.

3. Switch:

• A Switch is a point-to-point communication device that operates on both the physical and data link layers (Layer 1 and Layer 2) of the OSI model.

• It can inspect data packets as they are received, determine the source and destination device of each packet, and forward them appropriately.

• By delivering messages only to the connected device intended, a network switch conserves network bandwidth and offers generally better performance than a hub.

4. Router:

• A Router is a device that forwards data packets between computer networks, creating an overlay internetwork. It operates on the third layer (Network Layer) of the OSI model.

• Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols such as ICMP to communicate with each other and configure the best route between any two hosts.

• Unlike access points and modems, routers have the ability to connect two or more logical subnets, which do not necessarily map one-to-one to the physical interfaces of the router.

5. Access Point:

• An Access Point, on the other hand, is a device that allows wireless devices to connect to a network. It serves as a central transmitter and receiver of wireless radio signals.

• Access points are used for extending the wireless coverage of an existing network and for increasing the number of users that can connect to it. Unlike a router, it does not handle traffic routing across multiple networks.

6. Modem:

• A Modem is a device that connects your home, usually through a coax cable connection, to your Internet Service Provider (ISP), like Jio, Airtel, Idea, or others.

• The modem takes signals from your ISP and translates them into signals your local devices can use, and vice versa. Unlike routers and access points, modems do not manage network traffic - they simply provide a pathway for it.

7. Cables and Connectors:

These are used for transmitting signals. The three types of cables used are twisted pair cable, coaxial cable, and fiber-optic cables.

The Logical Terminology of Networking

1. IP Address

   Any digital device that is connected to the internet is assigned an address known as an IP address, which can be obtained in two ways: statically or dynamically. An IP (Internet Protocol) address is a unique numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. It’s like a house address in the digital world for your system, allowing computers to send and receive information over the internet.

    C:\Users\RakaModify-PC> ipconfig
   

1. Versions Types of IP addresses:

• IPv4: This is the most commonly used version. An IPv4 address consists of four numbers separated by dots, each ranging from 0 to 255. For example, 192.168.1.1. Each number can be represented by a group of 8-digit binary digits, making the whole IPv4 binary address represented by 32-bits of binary digits.

• IPv6: This version was introduced to deal with the exhaustion of IPv4 addresses. An IPv6 address is longer and can generate a vast number of unique IP addresses. It uses 128 bits for the IP address, which was standardized in 1998.

1. Static or dynamic IP:

• Static: These are permanent IP addresses typically assigned manually by an administrator. They are fixed or permanent and do not change over time.

• Dynamic: These are temporary and are assigned each time on lease, and a device accesses the Internet through DHCP (Dynamic Host Configuration Protocol) server. Your internet activity goes through your service provider, and they route it back to you, using your IP address. Your IP address can change, for example, turning your router on or off can change your IP Address.

1. Private IP (Virtual IP) vs. public IP (Real IP)

   • Private IP Address: This is the IP address that is used to communicate within the same network. It is assigned by the router to each device on the network. Private IP addresses are more secure as they can only be traced within the local network and are not visible online.

   • Public IP Address: This is the IP address that is used to communicate outside the network. It is assigned by the Internet Service Provider (ISP). Public IP addresses can be traced back to the ISP, revealing the geographical location. They are visible online and are unique on the internet.

1. Logical Address VS Physical Address

   • Physical Address: This is also known as the MAC (Media Access Control) address or link address. It is the address of a node as defined by its LAN or WAN. It’s used by the data link layer and is the lowest level of addresses. Physical addresses are unique to each device and are used to identify devices in the same network. However, they can only be used in local networks and not between different networks.

   • Logical Address: Also referred to as IP (Internet Protocol) address, it is used in the Network layer. This address facilitates universal communication that is not dependent on the underlying physical networks. There are two types of IP addresses – IPv4 and IPv6. Logical addresses provide a layer of abstraction that allows processes to access memory without knowing the physical memory location.

6. What is MAC (Physical Address, Hardware Address) & NIC (LAN Card, Network Adapter)

• NIC (Network Interface Card): It’s a hardware component, also known as a LAN card or network adapter, that enables a computer to connect to a network. Each NIC is assigned an IP address when connected to a network, allowing the system to be identified and communicate with other systems on the network.

• MAC (Media Access Control) Address: This is a unique 48-bit hardware number embedded & assigned to a NIC by the manufacturer. It’s used for network communication within a network segment. Unlike an IP address, which can change based on network assignment, a MAC address is a unique, physical address embedded into the device. It helps in uniquely identifying a system in the world.

  💡

  In windows try this command to see MAC address: ipconfig /all

    C:\Users\Rakesh-PC>  ipconfig /all
  

1. ISP (Internet Service Provider)

   ISP, or Internet Service Provider, is a company that gives people access to the internet. Customers pay a fee to the ISP, which can change based on how much data they use or the data plan they choose. ISPs are also called Internet Access Providers or online service providers. If you want to connect to the internet, you need an ISP. Ex: Idea, Airtel, Jio etc.

2. DNS Server(Domain Name Server)

   The Domain Name System (DNS) is like the phonebook of the Internet. When users type domain names such as ‘google.com’ or ‘nytimes.com’ into web browsers, DNS is responsible for finding the correct IP address for those sites. DNS servers are machines dedicated to answering DNS queries.

8. NAT (Network Address Translator) & How NAT work?

• NAT, which stands for Network Address Translation, is like a translator for internet addresses. It allows multiple devices on a local network (like the devices connected to your home Wi-Fi) to connect to the internet using just one public IP address. When a device on your network wants to access the internet, NAT changes the device’s private IP address to a public one. This is because private IP addresses can’t be used on the internet.

• When the internet sends data back, NAT changes the public IP address back to the private one. This way, all devices on your network can share the same public IP address but still have their own unique private addresses inside the network. This process is crucial for keeping your network secure and efficient.

1. Client Machine & Server Machine

• A client machine is like a regular computer that we use every day, such as a smartphone or a laptop. It’s designed for simple tasks and has basic hardware and software.

• A server machine, on the other hand, is a more powerful version of a client machine. It has high-end hardware and software configurations. Its main job is to provide services like web hosting (HTTP), secure shell access (SSH), database management, and storage to client machines over a network.

  💡

  A machine can be a client or a server. A client machine uses services, and a server machine provides services.

IP Address Classification & Subnetting through Netmasking.

Classes of IPv4

IPv4 addresses are divided into five classes: A, B, C, D, and E. Each class has a range of IP addresses and is used for different types of networks:

• Class A: This class is used for very large networks, such as multinational corporations. The IP addresses in Class A range from 1.0.0.0 to 126.0.0.0. The first octet (the first set of numbers before the dot) is used for the network ID, and the remaining three octets are used for the host ID. This means there can be 126 networks (2^7 - 2) and 16,777,214 hosts (2^24 - 2) in each network. 127.0.0.1 is save reserved for self localhost address.

• Class B: This class is used for medium-sized networks, like large universities. The IP addresses in Class B range from 128.0.0.0 to 191.255.0.0. The first two octets are used for the network ID, and the remaining two octets are used for the host ID. This allows for 16,384 networks (2^14) and 65,534 hosts (2^16 - 2) in each network.

• Class C: This class is used for small networks, like small businesses. The IP addresses in Class C range from 192.0.0.0 to 223.255.255.0. The first three octets are used for the network ID, and the last octet is used for the host ID. This allows for 2,097,152 networks (2^21) and 254 hosts (2^8 - 2) in each network.

• Class D and E: These classes are reserved for special uses, such as multicasting and research.

What is Subnetting/Netmasking?

Subnetting is a method for dividing a network into smaller, more manageable pieces. This is done by taking bits from the host portion of the IP address and using them to create a subnet. A subnet mask is used to determine which part of the IP address is the network section and which part is the host section.

For example, consider an IP address of 192.168.1.0 with a subnet mask of 255.255.255.0. The 255 in the subnet mask tells us that the corresponding octet in the IP address is all part of the network address. So in this case, 192.168.1 is the network address, and the last part (represented by 0) is left for hosts on that network.

Importance of Subnetting/Netmasking

• Subnetting is important for several reasons:

• Efficiency: It allows for more efficient use of IP addresses. By dividing a network into subnets, you can ensure that IP addresses are not wasted.

• Performance: Subnetting can reduce network congestion. By confining network traffic to a single subnet, you can prevent that traffic from affecting other subnets.

• Security: Subnetting can improve network security. By isolating different parts of the network into different subnets, you can limit the impact of a security breach. If one subnet is compromised, the others remain secure.

Case Study: To Understand Network & Netmask

TechCo is a small company that is divided into five key departments: HR, Tech, Accounts, Sales, and Others. Each department is equipped with a different number of computers to meet its specific needs. The HR department has 5 computers, Accounts has 15, Tech has 60, Sales has 30, and Others has 11.

To ensure smooth inter-departmental communication, TechCo purchased a “Type-C” network range. The challenge was to divide this network range efficiently among the five departments, a process known as subnetting. The goal was to provide each department with enough network addresses for its computers, while minimizing the number of unused addresses.

This case study will explore how TechCo successfully implemented subnetting to optimize its network division across the five departments in a simple and understandable manner.

Answer: TechCo, a small company, is divided into five sub-departments: HR, Tech, Accounts, Sales, and Others. Each department has a different number of computers: HR has 5, Accounts has 15, Tech has 60, Sales has 30, and Others has 11.

To establish an efficient network among these departments, TechCo purchased a Type-C network with a range of 192.168.25.0 - 192.168.25.255 and divided it into subnets. The division of the network among the departments is as follows:

• The Network Address is the first IP in the range, which is 192.168.25.0.

• The Broadcast Address is the last IP in the range, which is 192.168.25.255.

• The Self Loop Localhost Address is the IP range, which is 127.0.0.1

This case study demonstrates how TechCo efficiently divided its network among its departments, ensuring optimal use of resources.

What is TCP/IP Networking Model

The TCP/IP network model is a simplified, four-layered set of communication protocols that describes how data communications are packetized, addressed, transmitted, routed, and received between computers over a network. Here’s a detailed explanation of each layer:

1. Application Layer: Each application has specifications for communication so that clients and servers can communicate across platforms. Common protocols include SSH, HTTPS (secure web), FTP (file sharing), and SMTP (electronic mail delivery).

2. Transport Layer: This layer uses TCP and UDP as transport protocols. TCP is a reliable connection-oriented communication, while UDP is a connectionless datagram protocol. Application protocols can use either TCP or UDP ports. When a packet is sent on the network, the combination of the service port and IP address forms a socket. Each packet has a source socket and a destination socket. This information can be used when monitoring and filtering network traffic.

3. Internet Layer: The Internet, or network layer, carries data from the source host to the destination host. The IPv4 and IPv6 protocols are Internet layer protocols. Each host has an IP address and a prefix to determine network addresses. Routers are used to connect networks.

4. Link Layer: The link, or media access, layer provides the connection to physical media. The most common types of networks are wired Ethernet (802.3) and wireless Wi-Fi (802.11). Each physical device has a Media Access Control (MAC) address, also known as a hardware address, to identify the destination of packets on the local network segment.

   

What is Ports & Sockets

• Port = Running service address on the server

• IP Address = Your system's logical address on the internet

• Socket = IP address + Service Port

Why Sockets is important and useful?

• In a multitasking system, multiple services can run concurrently. Each device on the internet is identified by an IP address, which can be either static or dynamic. On a system level, while all services share the same IP address, they run individually on specific ports. For instance, in a network, your system might be assigned an IP address like 192.168.10.25/24. On this system, multiple servers could be running concurrently, each on its own port. Examples include a database server on port 3306, SSH on port 22, a web server on ports 443 and 80, and NFS on port 2049.

• A socket is one endpoint of a two-way communication link between two programs running on the network. When user “A” wants to send data to user “B” at a different location, the data is broken down into smaller data packets. These packets follow the TCP/IP protocol for transmission. Each packet contains data and the destination socket information (IP address and port number). The socket itself is an interface for sending and receiving data.

# vim /etc/services  -------? Showing all ports
# netstat -tulpn     --------? Showing open running service port

• A socket is the combination of an IP address and a port number. When a packet is sent on the network, it has a source socket and a destination socket. The socket helps in identifying the source and destination of the packet, which is crucial for routing and delivering the packet correctly. This concept is used in the transport layer of the TCP/IP model for monitoring and filtering network traffic

NetworkManager & Configuration Setup

1. What is NetworkManager? NetworkManager is a service that monitors and manages a system’s network settings. It is designed to simplify and automate the control of network connections.

    # systemctl status NetworkManager.service
   

2. Purpose of NetworkManager: The purpose of NetworkManager is to keep track of network devices and connections, and to ensure that network access is available when needed and not used when not needed.

3. Interaction with NetworkManager: Users can interact with the NetworkManager service via the command line (nmcli) or with graphical tools (nmtui). In the GNOME graphical environment, a Notification Area applet displays network configuration and status information that is received from the NetworkManager daemon.

   

4. Configuration Files: The configuration files for the service are stored in the /etc/NetworkManager/system-connections/ directory.

5. Network Devices and Connections: A network device is a physical or virtual network interface that provides for network traffic. A connection is a collection of related configuration settings for a single network device, also known as a network profile. Each connection must have a unique name or ID, which can match the device name that it configures.

6. Multiple Connection Configurations: A single device can have multiple connection configurations and switch between them, but only one connection can be active per device. For example, a laptop wireless device might configure a fixed IP address for use at a secure work site in one connection, but might configure a second connection with an automated address and a virtual private network (VPN) to access the same company network from home.

7. Changes in Red Hat Enterprise Linux 8: Starting in Red Hat Enterprise Linux 8, ifcfg format configuration files and the /etc/sysconfig/network-scripts/ directory are deprecated. NetworkManager now uses an INI-style key file format, which is a key-value pair structure to organize properties. NetworkManager stores network profiles in the /etc/NetworkManager/system-connections/ directory. For compatibility with earlier versions, ifcfg format connections in the /etc/sysconfig/network-scripts/ directory are still recognized and loaded.

8. How to View Network Information?

    # nmcli connection show
    # nmcli connection show <connection-name>
    # nmcli connection show --active
    # nmcli device show
    # nmcli device show <device-name>
    # nmcli device status
   

9. How to Add a Network Connection?

   • Uses Manual Connection build (Not autoconnect on startup)

       # nmcli con add con-name test type ethernet ifname ens160 \
       ipv4.addresses 192.168.199.130/24 ipv4.dns 8.8.8.8 \
       ipv4.gateway 192.168.199.254 connection.autoconnect yes ipv4.method manual
     

   • connection uses a DHCP service and has the device autoconnect on startup.

       # nmcli con add con-name dynamo type ethernet \
       ifname ens160 connection.autoconnect yes ipv4.method auto/dhcp
     

10. How to Modify an existing Network Connections?

    • Modify through Command Line interface

        # nmcli con mod test ipv4.addresses 192.0.2.2/24 \
        ipv4.gateway 192.0.2.254 connection.autoconnect yes
      

    • Modify through direct profile configuration file

        # vim /etc/NetworkManager/system-connections/test.nmconnection
        # systemctl restart NetworkManager
      

      💡

      Some settings can have multiple values. A specific value can be added to the list or deleted from the connection settings by adding a plus (+) or minus (-) symbol to the start of the setting name. If a plus or minus is not included, then the specified value replaces the setting's current list. The following example adds the 8.8.4.4 DNS server to the test connection.

        # nmcli con mod test +ipv4.dns 8.8.4.4
      

11. How to work with connection profiles?

    # nmcli connection show
    # nmcli connection up <connection-name>
    # nmcli connection down <connection-name>
    # nmcli device disconnect <device-IF-name>
    # nmcli connection reload <connection-name>
    

12. How to delete an Network Connection?

    # nmcli con del <connection-name>
    

Useful Network Management Commands

1. ip: This command provides information about every network interface. The correct usage is:

    ip a
    ip addr
   

2. tracepath: This command is used to find network delays. It does not require root privileges. The correct usage is:

    tracepath www.example.com
   

3. ss: This command is a replacement for the netstat command. It fetches information directly from the kernel userspace. The correct usage is:

    ss
   

4. host: This command shows the IP address for a hostname and the domain name for an IP address. It is also used for DNS lookups. The correct usage is:

    host -t A www.example.com
   

5. hostname: This command is used to view and set the system’s hostname. The correct usage is:

    hostname
   

6. curl and wget: These commands are used to download files from the internet using the command line interface (CLI). The correct usage is:

    curl -O https://example.com/path/to/file
    wget https://example.com/path/to/file
   

7. mtr: This command combines traceroute and ping commands. It regularly shows information related to the packets transferred using the ping time of all hops. The correct usage is:

    mtr www.example.com
   

8. whois: This command fetches all website-related information. The correct usage is:

    whois www.example.com
   

9. tcpdump: This command is widely used in network analysis. It analyses the traffic passing from the network interface and displays it. The correct usage is:

    tcpdump -i eth0
   

10. tracepath: This command traces the path that packets take from your computer to the destination address. The correct usage is:

    tracepath www.example.com
    

11. tracepath6: This command is similar to tracepath, but it is used for IPv6 addresses. The correct usage is:

    tracepath6 2001:db8:0:2::451
    

12. dig: This command is used to query DNS name servers for information about host addresses, mail exchanges, name servers, and related information. The correct usage is:

    dig www.example.com
    

13. getent hosts: This command retrieves entries from the specified administrative database. The correct usage is:

    getent hosts www.example.com
    

14. ss -tulpn: This command is used to dump socket statistics and displays listening sockets. The correct usage is:

    ss -tulpn
    

15. ss -ta: This command displays all non-listening sockets (that’s established connections). The correct usage is:

    ss -ta
    

16. ss -lt: This command displays only listening sockets. The correct usage is:

    ss -lt
    

17. ip -br addr: This command displays brief information about the IP addresses of all network interfaces. The correct usage is:

    ip -br addr
    

18. netstat -tulpn: This command displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The correct usage is:

    netstat -tulpn
    

19. ip route: This command displays the IP routing table. The correct usage is:

    ip route
    

20. ip -6 route: This command displays the IPv6 routing table. The correct usage is:

    ip -6 route
    

21. ping: This command sends ICMP ECHO_REQUEST packets to network hosts. The correct usage is:

    ping www.example.com
    

22. ping6: This command is similar to ping, but it is used for IPv6 addresses. The correct usage is:

    ping6 ::1
    

23. ping -c3 192.0.2.254: This command sends exactly 3 ICMP ECHO_REQUEST packets to the host with the IP address 192.0.2.254. The correct usage is:

    ping -c3 192.0.2.254
    

24. ping6 2001:db8:0:1::1: This command sends ICMP ECHO_REQUEST packets to the IPv6 address 2001:db8:0:1::1. The correct usage is:

    ping6 2001:db8:0:1::1
    

25. whois: This command is used to retrieve domain name information from WHOIS servers. The correct usage is:

    whois example.com
    

26. nslookup: This command is used to query Internet domain name servers. The correct usage is:

    nslookup www.example.com
    

27. ifconfig: This command is used to display or configure a network interface. The correct usage is:

    ifconfig
    

Reference Links:

• https://aws.amazon.com/what-is/computer-networking/

Introductions & Importance

In a Linux server, services and daemons are like the unsung heroes working behind the scenes to ensure everything runs smoothly. They are essentially programs that run in the background, performing various tasks necessary for the system to function properly.

Here are some examples:

1. Web Server (e.g., Apache or Nginx): This service is responsible for serving web pages. When you type a URL into your browser, the request goes to the web server, which then sends back the requested page. Without this service, your website wouldn’t be accessible to users.

1. NTP Server (Network Time Protocol): This daemon synchronizes the system’s clock with global time servers. Accurate timekeeping is crucial for many server tasks and processes. For example, it helps in scheduling tasks, logging events accurately, and ensuring secure communication.

1. SSH Server: This service allows secure remote access to the server. Administrators use SSH to log in and manage the server from any location. Without the SSH service, remote management would be much more difficult and less secure.

Imagine a busy airport - the services and daemons are like the air traffic control, baggage handling, and maintenance crews. You might not see them, but without them, planes wouldn’t be able to land or take off safely, passengers wouldn’t get their luggage, and the whole operation would come to a standstill.

So, in a nutshell, services and daemons are vital for the continuous and correct operation of a Linux server. They handle essential tasks and enable the server to perform its intended functions seamlessly. So now important question is what is Daemons and Service in Linux.

What is daemon(s)

In Linux, a daemon is a background process that operates autonomously, performing tasks without user intervention. They are utility programs that run silently in the background to monitor and take care of certain subsystems to ensure that the operating system runs properly. Almost all daemons have names that end with the letter “d”. For example, httpd is the daemon that handles the Apache server, and sshd handles SSH remote access connections.

Daemons are important in a Linux OS server for several reasons:

1. Handling Network Requests: Daemons enable your system to correctly respond to network requests by associating each request with a compatible network port.

2. Executing Scheduled System Tasks: Daemons make it possible to run or execute scheduled system tasks. The daemon responsible for this specific task is called cron.

3. Monitoring System Performance: Daemons also offer a priceless contribution in monitoring the performance of your system.

4. Managing Essential Services: They act as the backbone of many essential computing services, operating silently and efficiently. From managing system logs with the syslogd daemon to handling mail services with the postfix daemon, these background processes are integral to the functionality and efficiency of our systems.

Now, let’s understand the difference between a Process, a Daemon, and a Service:

• A Process is a running instance of executing program code. At a particular instant of time, it can be either running, sleeping, or zombie (completed process, but waiting for its parent process to pick up the return value).

• A Daemon is a specific type of process that runs in the background and is not interactive. They have no controlling terminal. They perform certain actions at predefined times or in response to certain events. In Unix-like systems, the names of daemons end in ‘d’.

• A Service is a program that responds to requests from other programs over some inter-process communication mechanism (usually over a network). A service doesn’t have to be a daemon, but usually is. A user application with a GUI could have a service built into it. For example, a file-sharing application. In Windows, daemons are called services. In essence, daemons are the silent heroes of computing, managing tasks and services that ensure our systems run smoothly. They are effectively invisible but essential.

What is systemd?

systemd is also a daemon. It is a system and service manager for Linux operating systems. It is designed to be backward compatible with SysV init scripts and provides several features such as

• parallel startup of system services at boot time,

• on-demand activation of daemons,

• dependency-based service control logic.

Its primary component is a “system and service manager” – an init system used to bootstrap user space and manage user processes. It also provides replacements for various daemons and utilities, including device management, login management, network connection management, and event logging.

# pstree | less

What are Service Units?

In RHEL Linux, systemd uses something called “units” to manage different types of tasks. Here are the three types of units mentioned:

1. Service Units (.service): Service units have a .service extension and represent system services. You can use service units to start frequently accessed daemons, such as a web server.

2. Socket Units (.socket): These are like the telephone operators of your system. They monitor communication points (sockets) between different processes. If a process wants to talk to another (connects to the socket), systemd starts the service (like a worker) needed for that communication.

3. Path Units (.path): These are like the watchmen of your system. They keep an eye on specific locations in your filesystem. If they notice a change (like a new file being added), they can start a service.

4. Daemons (.d): daemons are indeed a part of system units. In the context of systemd, a daemon is often associated with a service unit. When a service unit is started, it usually initiates a daemon. A daemon is a type of program that runs in the background, waiting for events to occur and offering services. A good example is a web server daemon, which waits for a request to come in, and then responds to that request.

To manage these units, you use the systemctl command. It’s like the manager of all these workers, operators, and watchmen. You can use it to start, stop, restart, and check the status of these units. Display available unit types with the systemctl -t help command

# systemctl -t help

Available unit types:
service
mount
swap
socket
target
device
automount
timer
path
slice
scope

How to Manage Daemons

To manage daemons in Linux, you can use the systemctl command. Here are some common operations you can perform:

• Check the STATUS of Service and START, STOP, RESTART, RELOAD, ENABLE, DISABLE, MASK, UNMASK a service:

# systemctl status  <SERVICE-NAME>
# systemctl start   <SERVICE-NAME>
# systemctl stop    <SERVICE-NAME>
# systemctl restart <SERVICE-NAME>
# systemctl reload  <SERVICE-NAME>
# systemctl enable  <SERVICE-NAME>
# systemctl disable <SERVICE-NAME>
# systemctl mask    <SERVICE-NAME>
# systemctl unmask  <SERVICE-NAME>

These commands are used to manage services (or daemons) in Linux using systemd. Here’s what each command does:

• systemctl status <SERVICE-NAME>: This command displays the current status of a service. It shows whether the service is running, stopped, or in any other state.

• systemctl start <SERVICE-NAME>: This command starts a service. If the service is already running, it does nothing.

• systemctl stop <SERVICE-NAME>: This command stops a running service.

• systemctl restart <SERVICE-NAME>: This command first stops and then starts a service. It’s useful when you’ve made configuration changes that need to be picked up by the service.

• systemctl reload <SERVICE-NAME>: This command asks a service to reload its configuration. Not all services support this, but for those that do, it’s a way to pick up configuration changes without the disruption of stopping and starting the service.

• systemctl enable <SERVICE-NAME>: This command enables a service to start at boot time.

• systemctl disable <SERVICE-NAME>: This command disables a service from starting at boot time.

• systemctl mask <SERVICE-NAME>: This command completely disables a service - it cannot be started manually or at boot time.

• systemctl unmask <SERVICE-NAME>: This command removes the mask, allowing a service to be started manually or at boot time. It’s used when you want to re-enable a service that was previously masked.

Difference between "restart VS reload" & "mask VS unmask" the services in rhel Linux.

RESTART

When you restart a service, it first stops the current running instance of the service. The system sends a SIGTERM (A polite way to stop a process) signal to the service to terminate it. If the service does not stop within a certain time frame, a SIGKILL (A forceful way to stop the process) signal is sent to force the termination. After the service is stopped, it is then started again, hence the term “restart”. Each running process on a system is assigned a unique process ID (PID). When the service is stopped, it no longer has a PID. Then, the service starts again and is assigned a new PID. If any changes have been made to the service’s configuration files, these are read and applied when the service starts again. For example:

# systemctl restart httpd

RELOAD

On the other hand, reload tells the running service to check its configuration files again and apply any changes without actually stopping and starting the service. When you reload a service, the system sends a SIGHUP (Reload process configurations files) signal to the service. This signal instructs the service to reload its configuration files while continuing to run. This allows the service to apply any changes made in its configuration files without interrupting its operation. For example:

# systemctl reload httpd

MASK

Masking a service means to link it to /dev/null, making it impossible to start the service. This is used when you don’t want a certain service to run at all, even if another service tries to start it.

• let’s consider a case study involving the firewalld and iptables services in CentOS/RHEL, which is a common scenario in real-world Linux system administration.

• CentOS/RHEL 7 has both firewalld and iptables services for firewall management. However, it is recommended to use only one at a time to prevent conflicts. Let’s say you decide to use firewalld and want to prevent iptables from running even accidentally. Here’s how you can do it:

• Mask the iptables service:

    # systemctl mask iptables
  

  This command prevents the iptables service from being started, even by other services. Now Check the status of the iptables service:

     # systemctl status iptables
  

  You should see a message indicating that the service is masked. Now, suppose you later decide that you want to use iptables instead of firewalld. Here’s how you can unmask the iptables service:

UNMASK

Unmasking a service undoes the masking. If you’ve previously masked a service but now you want it to be able to start, you would unmask it.

• Unmask the iptables service:

    # systemctl unmask iptables
  

• This command removes the mask from the iptables service, allowing it to be started.Check the status of the iptables service:

•   # systemctl status iptables
  

  You should see a message indicating that the service is loaded and inactive (dead), meaning it can now be started.

This case study illustrates how the mask and unmask commands can be used to control which services are allowed to run on a CentOS/RHEL system, providing a powerful tool for system administrators. It’s important to note that while this example uses firewalld and iptables, the same principles apply to any services managed by systemd.

Details in "systemctl status SERVICE"

# systemctl status sshd
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-02-15 10:47:44 IST; 2h 55min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 5746 (sshd)
      Tasks: 1 (limit: 22833)
     Memory: 1.7M
        CPU: 17ms
     CGroup: /system.slice/sshd.service
             └─5746 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Feb 15 10:47:43 server1.example.com systemd[1]: Starting OpenSSH server daemon...
Feb 15 10:47:44 server1.example.com sshd[5746]: Server listening on 0.0.0.0 port 22.
Feb 15 10:47:44 server1.example.com sshd[5746]: Server listening on :: port 22.
Feb 15 10:47:44 server1.example.com systemd[1]: Started OpenSSH server daemon.

The systemctl status SERVICE command provides a detailed report about the specified service. Here’s what each line in the output means:

• ● sshd.service - OpenSSH server daemon: This line shows the name of the service and a brief description of it.

• Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled): This line shows the path to the service’s unit file, whether the service is enabled to start at boot, and the vendor preset status.

• Active: active (running) since Thu 2024-02-15 10:47:44 IST; 2h 55min ago: This line shows the current state of the service, when it entered this state, and how long it has been in this state.

• Docs: man:sshd(8) man:sshd_config(5): This line provides references to the man pages related to the service.

• Main PID: 5746 (sshd): This line shows the main Process ID (PID) for the service.

• Tasks: 1 (limit: 22833): This line shows the current number of tasks or threads the service is running and the limit set on them.

• Memory: 1.7M: This line shows the current memory consumption of the service.

• CPU: 17ms: This line shows the CPU time consumed by the service.

• CGroup: /system.slice/sshd.service └─5746 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups": This line shows the control group hierarchy of the service and the commands being run under this service.

• log entries from the service: The lines starting with the date (e.g., Feb 15 10:47:43 server1.example.com systemd[1]: Starting OpenSSH server daemon...) are log entries from the service. They provide a chronological account of what the service has been doing. In this case, it shows when the OpenSSH server daemon started and that it’s listening on ports 22 for both IPv4 and IPv6.

Other Important "systemd management" command

Here are some important systemctl commands and their uses:

1. Change the default system target (run-level): This command is used to change the default system target (run-level).

# systemctl set-default [target]

# systemctl set-default graphical.target
# systemctl isolate graphical.target
# systemctl set-default multi-user.target
# systemctl isolate multi-user.target

1. List all installed unit files and their states: This command is used to list all installed unit files and their states.

    # systemctl list-unit-files
    # systemctl list-unit-files -
   

2. List the dependencies of a specific unit: This command is used to list the dependencies of a specific unit.

    # systemctl list-dependencies [unit]
   

3. List all active sockets: This command is used to list all active sockets.

    # systemctl list-sockets
   

4. List all active systemd jobs: This command is used to list all active systemd jobs.

    # systemctl list-jobs
   

Show the status of all loaded and active systemd units: This command is used to show the status of all loaded and active systemd units.

# systemctl list-units

Interview Questions & Answers Related to "systemd management"

1. What is systemd?

   Answer: Systemd is a system and service manager for Linux operating systems. It initializes and manages/maintains system processes after the Linux kernel has booted up.

2. What is the role of a service in a systemd context?

   Answer: A service is a program that runs as a background process. In a systemd context, services are defined by service unit files, and systemd starts them and manages their state according to these files.

3. How do you check the status of a service using systemd?

   Answer: You can check the status of a service using the command systemctl status service_name.

4. How do you start, stop, or restart a service?

   Answer: You can use the commands systemctl start service_name, systemctl stop service_name, and systemctl restart service_name respectively.

5. How do you enable or disable a service to start at boot?

   Answer: You can use the commands systemctl enable service_name and systemctl disable service_name respectively.

6. What is a unit file in systemd?

   Answer: A unit file is a configuration file that defines the properties of system resources managed by systemd, such as services, sockets, devices, etc.

7. What is the difference between systemctl reload and systemctl restart?

   Answer: systemctl reload only reloads the configuration file of the service, while systemctl restart will stop and then start the service again.

8. What is a socket in systemd?

   Answer: A socket is a special file used for inter-process communication, which can also be managed by systemd. Socket units in systemd have a .socket extension.

9. What is the target in systemd and how is it used?

   Answer: A target is a unit that groups together other units, similar to how runlevels group services in SysVinit. They are used to create a system state or mode defined by the services they group.

10. How do you list all active (running) services in systemd?

    Answer: You can use the command systemctl --type=service --state=running.

11. What is journald in the context of systemd?

    Answer: journald is a part of systemd that provides a centralized management of system logs.

12. How do you see the log of a particular service using systemd?

    Answer: You can use the command journalctl -u service_name.

13. What is the cgroup in systemd?

    Answer: Cgroup is a Linux kernel feature to limit, police and account the resource usage for a set of processes. In systemd, it’s used to track the processes that systemd starts.

14. How do you mask a service in systemd?

    Answer: You can use the command systemctl mask service_name. Masking a service makes it impossible to start it.

15. What is the difference between systemctl mask and systemctl disable?

    Answer: systemctl disable prevents the service from starting at boot, but allows manual starting, while systemctl mask prevents the service from starting altogether, both at boot and manually.

16. What is systemctl daemon-reload used for?

    Answer: systemctl daemon-reload is used to reload the systemd manager configuration. This includes reloading all unit files and recreating the entire dependency tree. This is typically done after creating or modifying a unit file.

17. How do you check which version of systemd you are running?

    Answer: You can use the command systemctl --version.

18. Question: What is a daemon in the context of operating systems?

    Answer: A daemon is a type of program on Unix-like operating systems that runs silently without users direct interactions in the background, rather than under the direct control of a user, waiting to be activated by the occurrence of a specific event or condition.

19. Question: How does a service differ from a daemon?

    Answer: A service is a program or a set of programs that perform system-level operations in an operating system. A daemon is a type of service that runs in the background and is not directly interacted with by the user.

20. Question: What is the role of systemd in managing services and daemons? Answer: systemd is a system and service manager for Linux operating systems. It initializes and manages/maintains/tracks system services and daemons, both during startup and while the system is running.

21. Question: Explain the difference between service and systemctl commands.

    Answer: Both service and systemctl are used to interact with system services. However, service is a more legacy command and is being replaced by systemctl, which provides more detailed status information and is more consistent in its syntax.

22. Question: How can you enable or disable a service to start on boot? Answer: You can use systemctl enable serviceName to have a service start at boot, and systemctl disable serviceName to prevent a service from starting at boot.

23. Question: How would you check the status of a service in Windows? Answer: In Windows, you can check the status of a service through the Services management console (services.msc), or by using the sc query command in the command prompt.

24. Question: How can you create a custom service in Linux?

    Answer: In Linux, you can create a custom service by writing a service unit file and placing it in the /etc/systemd/system directory. The unit file will specify how the service should start, stop, and otherwise operate.

25. Question: What are the potential security implications of running a service/daemon as root?

    Answer: Running a daemon as root can be a security risk because if the daemon is compromised, it could give an attacker full control over the system. It’s generally recommended to run daemons under non-privileged user accounts when possible.

26. Question: How does systemd handle dependencies between services? Answer: systemd handles dependencies through a directive in the service unit file called After or Before, which ensures that one service starts after or before another. It also uses Wants or Requires to specify if a service should continue running if its dependencies fail.

27. Question: What is the role of the journalctl command in relation to services and daemons?

    Answer: journalctl is used to query and display messages from the systemd journal, which includes logs from services and daemons.

28. Question: How can you configure a service to automatically restart if it crashes?

    Answer: In the service’s unit file, you can set the Restart directive to always or on-failure to have systemd automatically restart the service if it crashes.

Understand the process & How it works?.

1. Process: A process is like a task your computer is performing. It’s an instance of a program that’s currently running. When a process is created. For example, when you create an executable program and run this program, It becomes a process when it running.

   Inside a process, some imp. key things are available :

   • PID: "Process ID"

   • PPID: "Parent Process ID"

   • Owner: "User of the process, who runs this?"

   • Executable Program: "How does this program work?"

   • Memory Time: "Memory time is taken by the process"

   • CPU Time: "CPU time is taken by the process"

   • Security Context: "Linux Security Context"

2. Life Cycle of Process

Let's understand the process...

1. Program to Process: A program is a set of instructions that are loaded into memory. When these instructions are executed, the program becomes a process. Each process has a unique process ID (PID) for tracking and security purposes.

2. Creating a Child Process: A parent process can create a child process through a mechanism known as “forking”. In this process, the parent duplicates its own address space to create a new process structure for the child. The child process inherits various attributes from the parent, such as security identities, file descriptors, resource privileges, environment variables, and program code.

3. Execution of Child Process: Once created, the child process can execute its own program code. During this time, the parent process usually sleeps, setting a wait request to be signaled when the child completes.

4. Zombie Process: A zombie process, also known as a defunct process, is a peculiar state in which a process has completed its execution (via the exit system call), but its entry still lingers in the process table. Essentially, it’s a process that has finished its job but hasn’t been properly cleaned up by its parent process.

Example: Let’s consider a real-world example. Imagine you’re a chef (parent process) in a restaurant. You get an order (program) to prepare a dish. You start preparing the dish (process). Now, you need to chop some vegetables, so you ask your assistant (child process) to do it. You wait (sleep) until your assistant finishes chopping (child process execution). Once the assistant is done, they inform you and go on to their next task (child process exits, leaving a zombie). You then continue preparing the dish (the parent process continues execution after cleaning up the zombie). and server the order (process completed)

What is the Background & Foreground Process ??

1. Foreground Process:

   • A foreground process is one that requires user interaction. When a process runs directly in the terminal shell, it occupies the terminal session, and you interact with it directly.

   • For example, if you execute a command that performs a task and waits for your input or displays output in the terminal, it is a foreground process.

   • While a foreground process is running, you cannot use the terminal for other commands until the process completes or you interrupt it.

2. Background Process:

   • A background process operates independently of user interaction. It runs behind the scenes, allowing you to continue using the terminal for other tasks.

   • When you start a process in the background, it doesn’t hold the terminal session hostage. You can execute other commands or even disconnect from an SSH session without affecting the background process.

   • Background processes are useful for long-running tasks, such as monitoring events or performing lengthy computations.

# jobs

jobs command is used to check whether your process is running background or not. if there are any such processes it look like:-

# jobs

[1]+  Stopped                 sleep 100
[2]   Running                 sleep 100 &
[3]-  Running                 firefox &

# sleep &

Suppose you run a command Ex: Firefox on the foreground, first you have to stop this (ctrl +z) and then run this process in the background (bg %job_id) again to see jobs id using jobs command

[root@web ~]# firefox
^Z
[1]+  Stopped                 firefox
[root@web ~]# jobs
[1]+  Stopped                 firefox
[root@web ~]# bg %1
[1]+ firefox &
[root@web ~]# jobs
[1]+  Running                 firefox &
[root@web ~]#

Let's assume, I am running this command: firefox

What is Process States ??

In a multitasking operating system, each CPU (or CPU core) can be working on one process at a time. As a process runs, its immediate requirements for CPU time and resource allocation change. Processes are assigned a state, which changes as circumstances dictate. A process, during its lifecycle, goes through several stages. These stages or states are:

1. New: The process is about to be created but not yet created.

2. Ready: After the creation of a process, the process enters the ready state i.e., the process is loaded into the main memory and is waiting to get the CPU time for its execution.

3. Running: The process is chosen from the ready queue by the CPU for execution.

4. Sleeping or Wait: Whenever the process requests access to I/O or needs input from the user or needs access to a critical region, it enters the blocked or waiting state.

5. Terminated or Stopped: The process is killed, and the resources allocated to the process are released or deallocated.

Process State Transitions

A process can move between different states in an operating system based on its execution status and resource availability. Here are some examples of how a process can move between different states:

• New to Ready: When a process is created, it is in a new state. It moves to the ready state when the operating system has allocated resources to it and it is ready to be executed.

• Ready to Running: When the CPU becomes available, the operating system selects a process from the ready queue depending on various scheduling algorithms and moves it to the running state.

• Running to Waiting: If a process requests access to I/O or needs input from the user or needs access to a critical region, it enters the blocked or waits state.

• Waiting to Ready: Once the I/O operation is completed the process goes to the ready state.

• Running to Stopped: If a process has completed execution, it moves to the terminated/stopped state.

Mainly we need to understand the following 5 types of processes.

Importance of Process States

We have substantial reasons to understand process states, especially if we are overseeing an application as a monitoring authority.

1. Performance Analysis: It helps us figure out if our computer is running smoothly or if something is slowing it down.

2. Resource Management: It shows us how our computer’s resources (like memory and processing power) are being used.

3. System Troubleshooting: If our computer is having problems, understanding process states can help us find out what’s going wrong.

4. Process Optimization: We can make changes to improve how efficiently our computer runs.

5. Predicting System Behavior: It can give us an idea of how our computer might behave under different conditions.

ps: Reports a snapshot of the current processes on current shell terminal.

# ps
    PID TTY          TIME CMD
  37078 pts/0    00:00:00 bash
  40340 pts/0    00:00:00 ps

ps -aux: Shows all processes for all users.

# ps -aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.6 181792 11992 ?        Ss   Feb08   0:18 /usr/lib/systemd/systemd rhgb --switched-root --system --deserialize 31
root           2  0.0  0.0      0     0 ?        S    Feb08   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   Feb08   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   Feb08   0:00 [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I<   Feb08   0:00 [netns]

ps lax: Provides a very detailed and technical information about tasks.

# ps lax
F   UID     PID    PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0       1       0  20   0 181792 11992 ep_pol Ss   ?          0:18 /usr/lib/systemd/systemd rhgb --switched-root --system --deserialize 31
1     0       2       0  20   0      0     0 kthrea S    ?          0:00 [kthreadd]
1     0       3       2   0 -20      0     0 rescue I<   ?          0:00 [rcu_gp]

uptime: Shows the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.

# uptime
19:29:13 up 1 day, 19:50,  5 users,  load average: 0.01, 0.02, 0.05

To calculate the load average of the system we have to require two values.

1. load average (One minutes, Five Minutes, Fifteen Minutes), which you can get from command "uptime"

2. Number of CPU, which you can get from command "lscpu"

Calculation Formula: Load Average / Number of CPU

top: Provides a dynamic real-time view of the running system. It can display system summary information and a list of processes currently being managed by the kernel.

# top

top is a dynamic real-time process monitoring tool with lots of options, where ps is a static process monitoring tool at a certain time only.

# htop

Remember to use man <command> (replace <command> with the command name) to get more details about each command and its options.

# man top
# man ps

Important keyboard options with top command

Here are the uses of each option in the top command, each in a separate row:

# top

What is Process Signals, How Signals Works ??

Process signaling is a method used in operating systems to communicate between processes. It’s like a notification system where one process sends a signal, and another process receives it.

Here are some uses of process signaling:

1. Interrupt a Process: If a process is running, a signal can be sent to stop it immediately.

2. Resume a Process: A stopped process can be resumed using a signal.

3. Terminate a Process: If a process needs to be ended, a signal can be sent to terminate it.

4. Handle Errors: If a process encounters an error, it can send a signal to indicate that something went wrong.

Fundamental process management signals

1. Scenario: You want to stop a program nicely (Not forcefully).

   • Question: What signal do you use to ask a program to stop, but let it finish up important tasks first?

   • Answer: Use the SIGTERM signal.

# pgrep firefox
# pgrep httpd
# pgrep mysql
# ps -aux | grep -e firefox -e httpd -e mysql -e username
# top

# kill -l
# kill -15 <process-id>
# kill -SIGTERM <process-id>

1. Scenario: You need to stop a program right away because it’s causing problems.

   • Question: What signal do you use to force a program to stop immediately?

   • Answer: Use the SIGKILL signal.

# kill -l
# kill -9 <process-id>
# kill -SIGKILL <process-id>

1. Scenario: You want to pause a program for a while.

   • Question: What signal do you use to pause a program and then start it again later?

   • Answer: Use the SIGTSTP signal to pause and the SIGCOUNT signal to start again.

# kill -l
# kill -20 <process-id>
# kill -18 <process-id>
# kill -SIGTSTP <process-id>
# kill -SIGCOUNT <process-id>

1. Scenario: You want a program to read its configuration settings again without stopping it.

   • Question: What signal do you use to ask a program to read its settings again?

   • Answer: Use the SIGKILL signal.

# kill -l
# kill -1 <process-id>
# kill -SIGHUP <process-id>

1. Scenario: You want to prevent an anonymous user from using the shell immediately.

   • Question: What steps or measures can you take to quickly disable shell access for an anonymous user?

   • Answer: Using SIGKILL signal

# kill -l
# kill -9 <process-id>
# kill -SIGKILL <process-id>

Here are some real-world scenarios where you can use the pkill command effectively:

# pkill --help

• Use kill when you know the PID.

• Use pkill when you want to terminate processes by their names and patterns.

What is Process Priority, How to Modify Processes Priority??

# ps lax

Process Priority is a characteristic of a process that determines how much CPU time it is allocated for execution. The NI column displays the niceness of processes, indicating their priority.It’s important because it helps the operating system manage resources efficiently. If all processes were given equal priority, a long-running or resource-intensive process could monopolize the CPU, causing other processes to slow down or even halt. By assigning different priorities, the operating system can ensure that important processes get the resources they need, while less important processes are made to wait.

The nicevalue is a way to influence process priority in Unix-like operating systems. It’s a value that can be assigned to a process to either increase or decrease its priority. The nice value ranges from -20 (highest priority) to +19 (lowest priority). By default, the Nice value is zero, which gives the process a neutral priority.

• The nice command in Unix-like systems is used to start a process with a certain nice value.

• while the renice command is used to change the nice value of an already running process.

• The lower the nice value (i.e., more negative), the higher the priority of the process.

• The higher nice value (i.e., more positive) gives the process a lower priority.

So, the Nice and renice values are directly connected with process priority because they are tools that allow users to influence the scheduling priority of processes. This can be useful in a variety of situations, such as ensuring that a critical process gets the CPU time it needs or preventing a resource-intensive process from monopolizing the CPU.

What is NICE & RENICE value in the process Priority?

In Linux, the nice and renice commands are used to influence the scheduling priority of processes. Here’s a simple explanation:

• nice: This command is used when you’re starting a new process and you want to set its priority. The nice value can range from -20 (highest priority) to 19 (lowest priority).

# nice -n 10 command
# nice -n -20 firefox
# nice -n 1 command

Above command will start the command with a nice value of 10, -20, 1 , which is lower & Higher priority.

• renice: This command is used when you want to change the priority of an already running process. For example, if you have a process with process ID (PID) 15784 and you want to lower its priority, you can use the renice command like this:

# renice -n 15 -p 15784
# renice -n -19 -p 45125

This will change the nice value of the process with PID 15784, 45125 to 15, -19 which is a lower & higher nice priority.

Thank you!

Step 1 (Pre-Setup requirements)

Before You Begin:

1. Make sure you have the ‘sudo’ access on your Linux server. You’ll need it because this guide uses commands that need Administrative permissions.

2. Your server needs to be able to connect to the internet. This is necessary to download the Prometheus software. So ping 8.8.8.8 to check connectivity.

3. Don’t forget to adjust your firewall settings. You need to allow access to port 9090 on your server to use Prometheus.

4. Yum client repository should be configured properly.

Step 2 (Setup Prometheus)

Step 2.1: Update the yum package repositories.

$ sudo yum update -y

Step 2.2: Go to the official Prometheus downloads page and get the latest download link for the Linux binary.

Step 2.3: Retrieve the source code using wget, decompress the tar file, and rename the resulting directory to ‘prometheus-files’. For this create a new directory ‘prometheus-files’

$ sudo  wget https://github.com/prometheus/prometheus/releases/download/v2.49.1/prometheus-2.49.1.linux-amd64.tar.gz
$ sudo tar -xvf prometheus-2.49.1.linux-amd64.tar.gz
$ sudo mkdir prometheus-files
$ sudo mv prometheus-2.49.1.linux-amd64  prometheus-files/

Step 3 (User Creation And Ownership Change)

Step 3.1: Create a Prometheus user, establish the necessary directories, and assign ownership of these directories to the Prometheus user.

$ sudo useradd prometheus --no-create-home -s /bin/false 
$ sudo mkdir /etc/prometheus
$ sudo mkdir /var/lib/prometheus
$ sudo chown prometheus:prometheus /etc/prometheus
$ sudo chown prometheus:prometheus /var/lib/prometheus

Step 3.2: Take the ‘prometheus’ and ‘promtool’ files from the ‘prometheus-files’ folder. Put them in the ‘/usr/local/bin’ folder. Then, make sure they belong to the ‘prometheus’ user. so change the ownership to prometheus user

$ sudo cp prometheus-files/prometheus /usr/local/bin/
$ sudo cp prometheus-files/promtool /usr/local/bin/
$ sudo chown prometheus:prometheus /usr/local/bin/prometheus
$ sudo chown prometheus:prometheus /usr/local/bin/promtool

Step 3.3: Move the consoles and console_libraries directories from prometheus-files to /etc/prometheus folder and change the ownership to prometheus user.

$ sudo cp -r prometheus-files/consoles /etc/prometheus
$ sudo cp -r prometheus-files/console_libraries /etc/prometheus
$ sudo chown -R prometheus:prometheus /etc/prometheus/consoles
$ sudo chown -R prometheus:prometheus /etc/prometheus/console_libraries

Step 4 (Prometheus Configuration Process)

All the prometheus configurations should be present in /etc/prometheus/ prometheus.yml file.

Step 4.1: Create the prometheus.yml file & Copy the following contents to the prometheus.yml file.

$ sudo vi /etc/prometheus/prometheus.yml

global:
  scrape_interval: 10s

scrape_configs:
  - job_name: 'prometheus'
    scrape_interval: 5s
    static_configs:
      - targets: ['localhost:9090']

$ sudo firewall-cmd --permanent-port=9090/tcp
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all

Step 4.2: Change the ownership of the file to prometheus user.

$ sudo chown prometheus:prometheus /etc/prometheus/prometheus.yml

Step 4.3: Create a prometheus service file & Copy the following content to the file, for Setup Prometheus Service File.

$ sudo vi /etc/systemd/system/prometheus.service

[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus \
    --config.file /etc/prometheus/prometheus.yml \
    --storage.tsdb.path /var/lib/prometheus/ \
    --web.console.templates=/etc/prometheus/consoles \
    --web.console.libraries=/etc/prometheus/console_libraries

[Install]
WantedBy=multi-user.target

Step 4.4: Reload the systemd service to register the prometheus service and start the prometheus service.

$ sudo systemctl daemon-reload
$ sudo systemctl start prometheus

Check the prometheus service status using the following command.

$ sudo systemctl status prometheus

The status should show the active state as shown below.

Step 5 (Access Prometheus Web UI)

Now you will be able to access the prometheus UI on 9090 port of the prometheus server.

http://<Instance-IP>:9090/graph

You can see the following UI as shown below. Lots of Congratulations !!!!

Now search "process_cpu_seconds_total" in search bar, choose option Graph and press Execute .

This is graphical representation for "process_cpu_seconds_total" of your instance.

Step 6 (What Next.....?)

Step 6.1: Well At this point, we’ve set up the Prometheus server. But to start collecting data, we need to specify where to get it from. This is done by registering a ‘target’ in the prometheus.yml file.

1. A ‘target’ is essentially a source system from which Prometheus can collect metrics. If you have multiple systems (like ten servers) that you want to monitor, you would list the IP addresses of these servers as targets in the Prometheus configuration.

2. However, before Prometheus can collect any data, each server needs to have a program called ‘Node Exporter’ installed. This program collects system metrics and makes them available for Prometheus to scrape.

In simpler terms, think of it like this: Prometheus is a data collector, the ‘targets’ are the places it collects data from, and ‘Node Exporter’ is the tool that gathers the data and puts it in a place where Prometheus can find it.

Step 6.2: How to do practically ?

Here are the practical steps to get data from 10 servers using Prometheus and Node Exporter:

1. Install Node Exporter on Each Server: Node Exporter is a program that collects system metrics and makes them available for Prometheus to scrape. You need to install Node Exporter on each of the 10 servers that you want to monitor.

Node Exporter is like a reporter for your server. It collects information about your server’s performance, such as how much memory it’s using, how much data it’s reading and writing to the disk, and how much work the CPU is doing. It then makes this information available in a format that Prometheus, a monitoring tool, can understand. This allows you to keep track of your server’s health and performance over time.

1. Configure Prometheus to Monitor These Servers: After installing Node Exporter, you need to tell Prometheus to scrape metrics from these servers. This is done by adding the IP addresses of these servers as targets in the prometheus.yml configuration file.

Here’s an example of what the configuration might look like:

$ sudo vim /etc/prometheus/prometheus.yml

scrape_configs:
  - job_name: 'node'
    static_configs:
      - targets: ['<server-1-ip>:9100', '<server-2-ip>:9100', ..., '<server-10-ip>:9100']

Replace <server-1-ip>, <server-2-ip>, …, <server-10-ip> with the actual IP addresses of your servers.

1. Start Prometheus: Finally, start the Prometheus server. It will now begin collecting metrics from the specified targets at regular intervals.

References:

• https://prometheus.io/docs/visualization/grafana/

• https://mobaxterm.mobatek.net/download.html

What is DNS?

The Domain Name System (DNS) is a critical component of the Internet infrastructure that translates user-friendly domain names into numerical IP addresses. It’s often compared to a phone book for the Internet.

Here’s why DNS is important:

1. User-friendly: It allows users to interact with devices on the Internet using easy-to-remember domain names instead of having to remember long strings of numbers.

2. Smooth operation: DNS ensures the Internet works smoothly, loading the content we ask for quickly and efficiently.

3. Connectivity: If a DNS is not responding, you won’t be able to connect to other websites on the Internet.

For example, when you type www.google.com into your web browser, the browser sends a request to the DNS server. The DNS server finds the corresponding IP address (like 192.168.1.1 or 74.125.68.102), and then connects it with the hosting server, allowing the webpage to be displayed on your browser. Without DNS, you would have to type in the numerical IP address directly to access the website.

• What is the difference between IP & DNS?

The Domain Name System (DNS) and IP addresses are both crucial components of the internet, but they serve different functions:

• IP Address: An IP (Internet Protocol) address is a unique numerical identifier assigned to every device connected to a network. It’s like a phone number for your computer or any device connected to a network. There are two main types of IP addresses: IPv4 (e.g., 192.168.1.1) and IPv6 (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334). Just like how you dial a phone number to call someone, devices use IP addresses to reach each other.

• DNS: The Domain Name System (DNS) is like your phone’s contact list but for websites. Instead of remembering all the numbers, you just need to know the name. When you want to use Google, you type the domain name (google.com) in your web browser, not the numeric IP address of the server hosting Google. The main purpose of DNS is to translate human-friendly domain names like “google.com” into the machine-readable IP addresses.

In summary, the main difference between IP addresses and DNS is that an IP address is a unique numerical identifier assigned to every device connected to a network, while DNS (Domain Name System) translates human-friendly domain names into IP addresses. DNS and IP addresses work together to connect you to websites. Think of it as using your contact list to dial a friend’s phone number.

DNS Architecture (How does DNS work?)

The Domain Name System (DNS) works in a series of steps:

1. User Request: When you type a URL like www.example.com into your web browser, a DNS query is initiated.

2. Contacting ISP DNS Recursor: The query first reaches the DNS recursor, a server designed to receive queries from client machines. This server can be thought of as a librarian who is asked to find a particular book in a library. For example "JIO, AIRTEL, IDEA", from which your computer is getting an internet connection to connect with the INTERNET.

   When your computer connects to the internet through an Internet Service Provider (ISP) like JIO, it typically uses the DNS servers provided by the ISP. These servers act as DNS recursors.

   A DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. The recursor is responsible for making additional requests in order to satisfy the client’s DNS query.

3. Querying the Root Nameserver: The recursor then queries a root nameserver, which can be thought of as an index in a library that points to different racks of books. It serves as a reference to other more specific locations.

4. Accessing the TLD Nameserver: The next step is to access the Top Level Domain (TLD) nameserver. This server can be thought of as a specific rack of books in a library. For www.example.com, the TLD is .com.

5. Reaching the Authoritative Nameserver: Finally, the query reaches the authoritative nameserver, which can be thought of as a dictionary on a rack of books. This server provides the final translation of the domain name into its corresponding IP address. For example GoDaddy, BigRock, Namecheap, and BlueHost etc. are examples of Authoritative Nameservers.

6. Retrieving the IP Address: The IP address is then returned to the DNS recursor, which in turn sends it back to your computer.

7. Connecting to the Website: Your computer uses this IP address to connect to the website, and the website content is returned to your browser.

This entire process happens behind the scenes and requires no interaction from the user apart from the initial request. It’s a complex but essential system that allows us to navigate the internet using easy-to-remember domain names instead of numerical IP addresses.

Understanding Recursive and Iterative Queries in DNS Resolution

• Recursive Query

When you enter a URL (like www.rakamodify.online) in your web browser, the browser sends a request to the Internet Service Provider’s (ISP) DNS server to resolve the domain name into an IP address. This is known as a recursive query. The ISP’s DNS server is responsible for providing a definitive answer, either the IP address or an error message.

• Iterative Query

If the ISP’s DNS server doesn’t know the IP address for the domain, it will perform an iterative query to find it. This involves the following steps:

1. The ISP’s DNS server queries a Root DNS server. The Root DNS server doesn’t know the IP address, but it knows where to find the DNS server for top-level domains (TLDs) like .com, .online, .org, etc.

2. The ISP’s DNS server then queries the TLD DNS server. The TLD DNS server doesn’t know the IP address, but it knows where to find the DNS server for the specific domain (like rakamodify.online).

3. Finally, the ISP’s DNS server queries the Authoritative DNS server (which could be hosted by providers like Namecheap, BigRock, Bluehost, GoDaddy, etc.). The Authoritative DNS server knows the IP address for the specific domain and returns it to the ISP’s DNS server.

• Non-Recursive Query

A Non-Recursive query in DNS is a type of query where the DNS resolver already knows the answer. It either immediately returns a DNS record because it already stores it in local cache, or queries a DNS Name Server which is authoritative for the record, meaning it definitely holds the correct IP for that hostname.

This process of the ISP’s DNS server querying the Root DNS server, TLD DNS server, and Authoritative DNS server to find the IP address for a domain is known as an iterative query. The ISP’s DNS server does the “hard work” of finding the IP address, hence the term “recursive resolver”.

Once the IP address is found, the ISP’s DNS server returns it to your web browser, which can then request the webpage from the web server at that IP address.

How to configure a DNS server?

We’re utilizing a Cloud Service for our setup, which includes two instances. The first instance is a web server, and the second one is a DNS server.

Here’s a brief overview of the configuration:

Now, let’s dive into the configuration of each instance.

1. WB-SERVER (On your web-server instance)

Follow these article links for web-server setup:

• For Dynamic MySQL + WordPress Setup:-

https://www.rakamodify.online/deploy-wordpress-mariadb-php-apache-web-server-on-rhel9-with-easy-steps

• For Dynamic Web Setup on Kubernetes Cluster:-

https://www.rakamodify.online/session-1

• For a simple static web setup

# yum install -y httpd
# firewall-cmd --permaanent-add --port=80/tcp
# firewall-cmd --reload
# systemctl enable --now httpd
# echo "Congratulations! web service is running." > /var/www/html/index.html
# systemctl restart httpd

# curl http://localhost
Congratulations! web service is running.

1. DNS-SERVER (On your dns-server instance)

# yum install -y bind bind-utils
# systemctl enable --now named
# firewall-cmd --permanent-add-port=53/udp
# firewall-cmd --reload

• Configuration in /etc/named.conf

[root@dns ~]# vim /etc/named.conf
options {
        directory "/var/named";
        recursion no;
};
zone "rakamodify.online" IN {
        type master;
        file "test";
};

• Entry of DNS targets in /var/named/test

# cp -p /var/named/named.empty /var/named/test
# vim /var/named/test

$TTL 1M
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum

rakamodify.online.             IN      NS          ns1.rakamodify.online.
rakamodify.online.             IN      NS          ns2.rakamodify.online.
ns1                            IN      A           72.46.25.41
ns2                            IN      A           72.46.25.41
rakamodify.online.             IN      A           72.46.86.21
photos                         IN      A           72.46.86.21
www                            IN      CNAME       rakamodify.online.

• Open your Domain Name registrar account and change the nameserver and child nameserver entry.

• Change nameserver to custom DNS

• And make the following entry:

ns1.rakamodify.online

ns2.rakamodify.online

• Now add the IPv4 address for the newly added namespace for redirection.

Now how this entire setup will work:-

Wait for some time to update DNS cache with updated configuration. Then check your Domain - IP name resolution with networking command # nslookup

Check locally on your DNS Instance Server

# nslookup rakamodify.online localhost
# nslookup www.rakamodify.online localhost
# nslookup www.rakamodify.online 8.8.8.8
# nslookup www.rakamodify.online 8.8.4.4

And output should be like this

Server:         localhost
Address:        ::1#53

Name:   rakamodify.online
Address: 72.46.86.21

Congratulations

Introduction:

MySQL is like a big, digital filing cabinet where you can store, organize, and retrieve your data. It’s important because it’s fast, reliable, and easy to use. It’s different from other databases because it’s open-source, which means anyone can use or modify it for free. It uses a language called SQL to manage the data, which is widely used and powerful. It’s like the grammar rules for talking to the database. MySQL is also good at handling lots of data and can be used by big websites or apps. It’s a popular choice for web development because it can work well with various programming languages and tools. It’s also part of the popular LAMP stack for web development, which stands for Linux, Apache, MySQL, and PHP.

MySQL is a popular open-source relational database management system (RDBMS). Here’s what it does:

• Organizes and manages data: MySQL organizes data into tables, rows, and columns, which can be related to each other. This structure allows for efficient data management and retrieval.

• Relational database: Unlike other types of databases, MySQL is a relational database. This means it stores data in separate tables rather than putting all the data in one big storeroom. This makes it easier to maintain and access specific data.

• SQL: The “SQL” in MySQL stands for “Structured Query Language”, which is a standardized language used to access databases. Depending on your programming environment, you might enter SQL directly or use a language-specific API that hides the SQL syntax.

• Open source: Being open source means anyone can use and modify MySQL software for free. This has led to its widespread popularity and use in many applications, from small-scale projects to large-scale websites and enterprise-level solutions.

• A popular choice for developers: MySQL consistently ranks as the most popular database for developers. It supports various programming languages and platforms, and offers high performance, reliability, scalability, security, and flexibility.

In short, MySQL is a powerful tool for managing and manipulating structured data, making it a key component in many web applications and services. It’s different from other databases because of its open-source nature, its use of SQL, and its strong performance and reliability characteristics.

Overview database common understanding:

1. Why not use storage volume, instead of database?

   While storage devices like hard drives, SSDs, and memory cards can store data, databases offer several advantages that make them more suitable for storing application data.

   Storage Volumes are like a big box where you can put anything, but if you need to find something specific quickly, it can be difficult and time-consuming. They are great for storing things like photos, videos, or documents, but not so good when you need to find, update, or analyze specific pieces of data quickly.

   On the other hand, Databases are like a well-organized filing cabinet with labels and categories, making it easy to find, update, or analyze specific data. They are designed to handle complex operations on data, like finding all customers who bought a specific product last month.

   Here are some reasons why we use databases instead of storage volumes for applications:

   • Speed: Databases are designed to handle complex queries, which allows applications to retrieve and update data much faster than they could if the data were stored in a storage volume.

   • Concurrent Access: Databases allow multiple users or applications to access and modify data at the same time without conflicts. This is crucial for applications where many users need to access and update data simultaneously.

   • Data Integrity: Databases have built-in mechanisms to ensure data integrity. They can enforce rules to prevent duplicate, missing, or incorrect data. This helps maintain the accuracy and consistency of data.

   • Security: Databases provide robust security features, including access control and encryption, to protect sensitive data from unauthorized access or modification.

   • Scalability: Databases can handle large amounts of data and can be scaled up or down to meet the needs of the application.

2. What is a database? A database is an organized collection of structured information, or data, typically stored electronically in a computer system.

   Databases help us store information in such a way that we can easily manipulate it. Each row in a table is called a record, and each cell is a field.

3. Uses of a database in an application: Databases are used in applications for storing, retrieving, and managing data. They are essential for data management, integration, privacy, collaboration, analysis, and reporting.

4. Types of Databases: There are several types of databases, including:

   • Relational databases

   • Non-relational (NoSQL) databases

   • Object-oriented databases

   • Centralized databases

   • Distributed databases

   • Cloud databases.

5. Why different types of databases are made and their purpose: Different types of databases are designed to meet specific requirements and to handle different types of data. For example, relational databases are best for structured data and complex queries, while non-relational databases are more flexible and can handle unstructured data.

6. What is a relational database? A relational database organizes data into tables (rows and columns), which can be joined together via a primary key or a foreign key. These unique identifiers demonstrate the different relationships that exist between tables.

7. What is a non-relational database? A non-relational database, also known as a NoSQL database, stores data in a non-tabular form, and tends to be more flexible than the traditional, SQL-based, relational database structures. It does not follow the relational model provided by traditional relational database management systems.

8. What is a database language? Database languages are a type of programming language used to define and manipulate a database. They are classified into four types: Data Definition Language (DDL), Data Manipulation Language (DML), Data Control Language (DCL), and Transaction Control Language (TCL).

9. Why are Databases Important? Databases are crucial for many reasons. They allow us to store, retrieve, and manipulate data in an efficient manner. They help in organizing data, ensuring data integrity, and providing a high level of data security.

10. What are the Uses of Databases? Databases are used in various ways. They are used for storing data, searching for specific information within the data, allowing multiple people to look at and change the data at the same time, managing who is allowed to see the data and who can change it, and managing rules about the data.

11. What is a Cloud Database? A cloud database is a database service built and accessed through a cloud computing platform. It serves many of the same functions as a traditional database with the added flexibility of cloud computing.

12. Why Use a Cloud Database? Cloud databases provide flexibility, reliability, security, affordability, and more. They can rapidly adapt to changing workloads and demands without increasing the workload of already overburdened teams.

Now we have learnt enough understandingn

1. Install & Configure MySQL in Linux

Note: Make sure you have

• Proper Internet connection and connectivity for package installation.

• Yum client configure at /etc/yum.repos.d

• Install MySQL package in Linux Rhel-9

# yum install -y mysql-server

• Restart and enable the mysqld.service

# systemctl enable --now mysqld.service
# systemctl status mysqld

• Run mysql_secure_installation script, that is typically run after installing MySQL to ensure a more secure default setup.

# mysql_secure_installation

The simplified explanation of mysql_secure_installation:

1. Sets root password: If there’s no existing password for the MySQL root user, it prompts you to set one.

2. Removes anonymous users: MySQL includes an anonymous user account by default. This script removes such accounts.

3. Disables remote root login: It prevents root accounts from being accessed from outside the local host.

4. Removes test database: MySQL includes a test database by default. This script removes this database.

5. Reloads privilege tables: Finally, it reloads the privilege tables to make sure all changes take effect immediately.

• Login to MySQL with default user root and newly set password through mysql_secure_installation script.

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.32 Source distribution

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

• Create a new file ~/.my.cnf on your home directory and write some lines

# vim ~/.my.cnf

[client]
user=rakamodify
password=password

:wq!

Now you can log in MySQL without entering username and password.

# mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.32 Source distribution
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>

1. Submit SQL query for MySQL database interaction

• Create a new Database.

mysql> CREATE DATABASE wordpress;
mysql> SHOW DATABASES;

• Show newly created database Tables (If exists).

mysql> USE wordpress;
mysql> CREATE TABLE table1 (
    id INT AUTO_INCREMENT,
    name VARCHAR(100),
    email VARCHAR(100),
    PRIMARY KEY(id)
);

mysql> CREATE TABLE table2 (
    id INT AUTO_INCREMENT,
    post_title VARCHAR(200),
    post_content TEXT,
    PRIMARY KEY(id)
);

• Enter some records in data row/fields

mysql> INSERT INTO table1 (name, email) VALUES ('John Doe', 'john@example.com'), ('Jane Doe', 'jane@example.com');
mysql> INSERT INTO table2 (post_title, post_content) VALUES ('First Post', 'This is the content of the first post'), ('Second Post', 'This is the content of the second post');

• Describe Tables to see tables columns/attributes.

mysql> SHOW tables;
+---------------------+
| Tables_in_wordpress |
+---------------------+
| table1              |
| table2              |
+---------------------+
2 rows in set (0.00 sec)


mysql> DESCRIBE table1;
+-------+--------------+------+-----+---------+----------------+
| Field | Type         | Null | Key | Default | Extra          |
+-------+--------------+------+-----+---------+----------------+
| id    | int          | NO   | PRI | NULL    | auto_increment |
| name  | varchar(100) | YES  |     | NULL    |                |
| email | varchar(100) | YES  |     | NULL    |                |
+-------+--------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

• Show tables record.

mysql> 
mysql> SELECT * FROM table1;
+----+----------+------------------+
| id | name     | email            |
+----+----------+------------------+
|  1 | John Doe | john@example.com |
|  2 | Jane Doe | jane@example.com |
+----+----------+------------------+
2 rows in set (0.00 sec)

mysql> SELECT * FROM table2;
+----+-------------+----------------------------------------+
| id | post_title  | post_content                           |
+----+-------------+----------------------------------------+
|  1 | First Post  | This is the content of the first post  |
|  2 | Second Post | This is the content of the second post |
+----+-------------+----------------------------------------+
2 rows in set (0.00 sec)

• Create a new user for security.

mysql> CREATE USER 'username'@'host' IDENTIFIED WITH authentication_plugin BY 'password';
mysql> CREATE USER 'sammy'@'localhost' IDENTIFIED BY 'password';
mysql> CREATE USER 'sammy'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

• Alter/Edit Modification of user creation.

mysql> ALTER USER 'sammy'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

*Imp: about creating a newMySQL user.

Creating a new user for a MySQL database is important for several reasons:

1. Security: Each user in MySQL has a set of permissions that determine what actions they can perform. By creating a new user, you can limit their permissions, reducing the risk of unauthorized access or changes to your database.

2. Access Control: You can grant different users different levels of access to your databases. For example, you might have a user that can only read data from a database, but not modify it.

3. Accountability: By having separate users, you can track who is making changes to your database. This can be useful for auditing purposes.

4. Resource Management: MySQL allows you to set resource limits on a per-user basis. This can help prevent a single user from consuming too many resources.

Remember, it’s always a good practice to follow the principle of least privilege, i.e., users should be given the minimum levels of access necessary to perform their tasks. This helps to maintain the integrity and security of your database.

• Grant privileges on a database for newly created user.

mysql> GRANT PRIVILEGE ON database.table(s) TO 'username'@'host';
mysql> GRANT CREATE, ALTER, DROP, INSERT, UPDATE, DELETE, SELECT, REFERENCES, RELOAD on *.* TO 'sammy'@'localhost' WITH GRANT OPTION;   
mysql> GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' WITH GRANT OPTION;

• Refresh the MySQL changes immediately.

mysql> FLUSH PRIVILEGES;

1. Database Backup & Restore safely

• To backup a MySQL database

  💡

  First, exit the MySQL command shell. Then, execute the following command in the Linux terminal.

# mysqldump -u username -p database-name > /var/lib/mysql/mysql_backup.sql
Enter Password:

Please replace [username], [password], [database_name], and [filename] with your MySQL username, password, the name of the database you want to backup, and the name you want for the backup file, respectively.

Remember, there is no space between -p and your password. If your password contains special characters, you might need to put it in quotes. Also, make sure you have the necessary permissions to perform the backup.

• Restore backup of MySQL database

# mysql -u username -p database-name < /var/lib/mysql/mysql_backup.sql
Enter Password:

Important questions

1. Q: What is SQL?

   A: SQL stands for Structured Query Language. It’s a standard language for managing and manipulating databases.

2. Q: What is a primary key?

   A: A primary key is a unique identifier for a record in a database table. No two records in a table can have the same primary key value.

3. Q: What is a foreign key?

   A: A foreign key is a column or set of columns in a table that is used to establish a link between the data in two tables.

4. Q: What is a database schema?

   A: A database schema is the structure of a database system, described in a formal language supported by the database management system.

5. Q: What is a database transaction?

   A: A database transaction is a unit of work that is performed against a database. It’s the propagation of one or more changes to the database.

6. Q: What is database normalization?

   A: Database normalization is the process of organizing data in a database in the most efficient way possible. It involves dividing a database into two or more tables and defining relationships between the tables.

7. Q: What is a data model?

   A: A data model is a conceptual representation of data structures required for a database and is used as a blueprint for designing databases.

8. Q: What is a query? A:

   A query is a request for data or information from a database table or combination of tables.

9. Q: What is a database view?

   A: A database view is a searchable object in a database that is defined by a query.

10. Q: What is a database index?

    A: A database index is a data structure that improves the speed of data retrieval operations on a database table.

11. Q: What is a stored procedure?

    A: A stored procedure is a prepared SQL code that you can save, so the code can be reused over and over again.

12. Q: What is a trigger in a database?

    A: A trigger is a stored procedure in a database that automatically reacts to an event like insertions, updates, or deletions.

13. Q: What is a cursor in a database?

    A: A cursor in a database is a control structure that enables traversal over the records in a database.

14. Q: What is a database constraint?

    A: A database constraint is a rule that is applied to a field or set of fields in a table, which limits the data that can be stored in fields.

15. Q: What is a database join?

    A: A database join is a method of combining rows from two or more tables based on a related column between them.

16. Q: What is a database lock? A: A database lock is a mechanism used by DBMS to control read/write access to a database or to a portion of it.

17. Q: What is a database transaction log?

    A: A database transaction log is a history of all actions executed by a database management system to ensure data integrity and to facilitate data recovery.

18. Q: What is a database shard?

    A: A database shard is a horizontal partition of data in a database, where each shard is held on a separate database server instance.

19. Q: What is a database replica?

    A: A database replica is a copy of a database on a different server or on the same server as the primary database.

20. Q: What is a database rollback? A: A database rollback is an operation which returns the database to some previous state.

21. Q: What is a database commit?

    A: A database commit is an operation that gives a green signal to the database management system to finalize the changes, and after this operation, no change can be reverted back.

22. Q: What is a database deadlock?

    A: A database deadlock is a situation where two transactions wait for each other to give up locks.

23. Q: What is a database backup?

    A: A database backup is a copy of the data from a database that can be used to reconstruct data.

24. Q: What is a database recovery?

    A: Database recovery is the process of restoring the database back to the correct state at a given point of time in case of a failure.

25. Q: What is a database schema?

    A: A database schema is the skeleton structure that represents the logical view of the entire database.

26. Q: What is a database cluster?

    A: A database cluster is a group of databases that work together to maintain high availability and data redundancy.

27. Q: What is AWS?

    A: AWS stands for Amazon Web Services. It’s a platform by Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments.

28. Q: What is cloud computing?

    A: Cloud computing is the delivery of computing services over the internet (“the cloud”) including servers, storage, databases, networking, software, analytics, and intelligence.

29. Q: What is a cloud database?

    A: A cloud database is a database service built and accessed through a cloud platform. It serves many of the same functions as a traditional database with the added flexibility of cloud computing.

30. Q: What is the importance of cloud databases?

    A: Cloud databases provide scalability, high availability, multi-regional distribution, and disaster recovery capabilities. They can be accessed from anywhere in the world, at any time, making data management more convenient.

31. Q: What is AWS RDS?

    A: Amazon RDS (Relational Database Service) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud.

32. Q: What is a database backup?

    A: A database backup is a copy of the data from a database that can be used to reconstruct data.

33. Q: What is the importance of database backup?

    A: Database backups are crucial for protecting data against loss due to hardware failures, user errors, and natural disasters. They allow you to restore your data and continue business operations.

34. Q: What is database restore?

    A: Database restore is the process of bringing back a database from a backup to its original place or to a new place.

35. Q: How does AWS handle database backup and restore?

    A: AWS provides services like Amazon RDS which automatically backs up your data and allows you to perform a point-in-time restore.

36. Q: What is AWS S3?

    A: Amazon S3 (Simple Storage Service) is an object storage service that offers industry-leading scalability, data availability, security, and performance.

37. Q: How is AWS S3 used in database backup?

    A: Amazon S3 is often used to store database backups in a secure and scalable environment. Database backup files can be moved to S3 and restored when needed.

38. Q: What is AWS DynamoDB?

    A: Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale.

39. Q: What is the difference between SQL and NoSQL databases?

    A: SQL databases are primarily called as Relational Databases (RDBMS), whereas NoSQL database are primarily called as non-relational or distributed databases.

40. Q: What is AWS EC2?

    A: Amazon EC2 (Elastic Compute Cloud) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

41. Q: What is the role of AWS EC2 in database hosting?

    A: Amazon EC2 instances can be used to host databases. The service provides flexible, resizable capacity in the AWS Cloud which can be used to install and run any third-party database software.

42. Q: What is AWS Lambda?

    A: AWS Lambda is a serverless compute service that lets you run your code without provisioning or managing servers.

43. Q: How does AWS Lambda interact with databases?

    A: AWS Lambda can interact with databases by executing SQL statements, reading and writing data, and performing other database operations in response to events.

44. Q: What is the importance of AWS in database management?

    A: AWS provides a broad and deep set of database services that provide innovative and scalable solutions for database management. These services are fully managed, relieving the burden of server maintenance and setup.

45. Q: What is database migration?

    A: Database migration is the process of moving your data from one database to another.

46. Q: What is AWS DMS?

    A: AWS DMS (Database Migration Service) helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database.

1. Question-1: What does theGRANT statement do in MySQL?

   Answer-1: The GRANT statement in MySQL is used to give privileges to a user account. It allows the database administrator to define the kinds of operations that a user can perform.

2. Question-2: Can you explain what each of the permissions in theGRANT statement (CREATE, ALTER, DROP, INSERT, UPDATE, DELETE, SELECT, REFERENCES, RELOAD) allows a user to do?

   Answer-2: The permissions in the GRANT statement allow a user to perform various operations:

   • CREATE: Allows the user to create databases and tables.

   • ALTER: Allows the user to modify existing databases and tables.

   • DROP: Allows the user to delete databases, tables, and views.

   • INSERT: Allows the user to insert data into tables.

   • UPDATE: Allows the user to update existing data in tables.

   • DELETE: Allows the user to delete data from tables.

   • SELECT: Allows the user to read data using the SELECT statement.

   • REFERENCES: Allows the user to create a foreign key constraint.

   • RELOAD: Allows the user to reload the server settings and flush the server logs.

3. Question-3: In the query, what does*.* represent?

   Answer-3: In a MySQL query, *.* represents all databases and all tables within those databases. It’s a wildcard notation where the first * stands for all databases and the second * stands for all tables.

4. Question-4: What does theWITH GRANT OPTION clause do in a GRANT statement?

   Answer-4: The WITH GRANT OPTION clause in a GRANT statement allows the user to grant any privileges they have to other users. It’s a way to delegate authority within the database system.

5. Question-5: Why might you want to create a new user in MySQL, like ‘sammy’ in the given query?

   Answer-5: Creating a new user in MySQL, like ‘sammy’, allows you to control access to your databases. Each user can be given specific privileges, ensuring they can only perform the actions necessary for their role. This helps maintain the security and integrity of your databases.

6. Question-6: What are some potential security implications of granting a user too many permissions in MySQL?

   Answer-6: Granting a user too many permissions in MySQL can lead to several security issues. The user could accidentally or maliciously modify or delete important data. They could also potentially access sensitive information. It’s best to follow the principle of least privilege, granting only the permissions necessary for the user’s role.

7. Question-7: How would you modify the permissions of an existing user in MySQL?

   Answer-7: To modify the permissions of an existing user in MySQL, you can use the GRANT statement to add new permissions and the REVOKE statement to remove permissions. After modifying permissions, you should use the FLUSH PRIVILEGES command to ensure the changes take effect immediately.

8. Question-8: How can you revoke permissions from a user in MySQL?

   Answer-8: You can revoke permissions from a user in MySQL using the REVOKE statement, followed by the privileges you want to remove, and then the FROM keyword followed by the username. For example, REVOKE SELECT, INSERT ON database.table FROM 'username'@'localhost';.

9. Question-9: Can you explain the principle of least privilege and why it’s important in the context of database access control?

   Answer-9: The principle of least privilege is a computer security concept in which a user is given the minimum levels of access necessary to complete their job functions. In the context of database access control, this principle helps to protect data from accidental or malicious modification, deletion, or exposure.

10. Question-10:What happens if you change your hostname, then can you access your MySQL database?

    Answer: Changing the hostname of your machine does not directly affect your ability to access your MySQL database. However, if your MySQL users or permissions are set up to only allow connections from a specific hostname, you may need to update these settings. Also, any applications that connect to MySQL using the old hostname will need to be updated.

11. Question-11 : How to give single table’s authority permission on a database for a user?

    Answer: You can grant specific table permissions to a user in MySQL using the GRANT command. Here’s an example:

    GRANT SELECT, INSERT, UPDATE ON database_name.table_name TO 'username'@'localhost';
    

    Note:- This command gives SELECT, INSERT, and UPDATE permissions on table_name in database_name to the user username connecting from localhost.

12. Question-13: What is the MySQL configuration file?

    Answer: The MySQL configuration file is a setup file for MySQL server. It’s named my.cnf on Unix-based systems and my.ini on Windows. This file is used to configure various server settings like the number of concurrent connections, table cache size, memory settings, and more.

13. Question-14: Can you access MySQL from another machine on LAN?

    Answer: Yes, you can access MySQL from another machine on the same Local Area Network (LAN), provided that the MySQL server is configured to accept network connections and the necessary firewall rules allow it. The user must also have the necessary permissions to connect from the client machine’s IP address.

14. Question-15: Can you access MySQL database on a different port like 3307?

    Answer: Yes, you can access a MySQL database on a different port like 3307. By default, MySQL listens on port 3306, but this can be changed in the MySQL configuration file. When connecting, you would specify the port number along with the hostname, like mysql -h hostname -P 3307 -u username -p.

References Links:

• How to create a new user in MySQL and grants permission:https://www.digitalocean.com/community/tutorials/how-to-create-a-new-user-and-grant-permissions-in-mysql

• Learn MySQL SQL query:-https://www.w3schools.com/MySQL/default.asp

Pre-Setup:

I am assuming that you have

• Configured the yum client and EPEL repository on the machine.

• Hostname

• Proper Network Internet connection for package installation

1. Install Apache Web Server

• httpd packages for the web-server

# yum install -y httpd

• Restart the httpd.service and enable it

# systemctl enable --now httpd

• Add http & https package in the firewall & reload the firewall service

# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --permannet --add-port=443/tcp
# firewall-cmd --reload
# firewall-cmd --list-all

• check the selinux label object_r:httpd_sys_content_t on /var/www/html/

# ls -lZ /var/www/html
-rw-r--r--.  1 root root unconfined_u:object_r:httpd_sys_content_t:s0      405 Feb  6  2020 index.html

• Check the HTTP web server page on the browser

Congratulations!

your apache web server is working perfectly. Let's Move further for MySQL + WordPress configuration.

1. Install MariaDB/MySQL and WordPress

• For this first, we have to set setup the "REMI" repository client on the yum repository for PHP packages.

# cat /etc/os-release

[root@mh1 conf]# cat /etc/os-release


NAME="Red Hat Enterprise Linux"
VERSION="9.1 (Plow)"
REDHAT_SUPPORT_PRODUCT_VERSION="9.1"

• Setup REMI repository for RHEL 9.1

# dnf install https://repo.extreme-ix.org/remi/enterprise/remi-release-9.rpm
# yum repolist all

• Install PHP packages (php, php-mysqlnd, php-pdo, php-gd, php-mbstring)

# yum install php php-mysqlnd php-pdo php-gd php-mbstring

• Install MySQL/MariaDB & Restart the service

# yum install -y mariadb-server mariadb
# yum enable --now mariadb.service

• Fresh configure your MariaDB

#  mariadb-secure-installation

• Get into MariaDB using new login

# mysql -u root -p
password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 10.5.22-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

# vim ~/.my.cnf
[clients]
username=root
password=password

:wq!

Now you don't need to use -u & -p option to work with the MariaDB database.

# mysql

• Create a new database, user and grant permission on the database.

# mysql

MariaDB [(none)]> CREATE DATABASE wordpress;
MariaDB [(none)]> CREATE USER 'admin'@'localhost' IDENTIFIED BY 'password';     
MariaDB [(none)]> GRANT ALL PRIVILEGES ON wordpress.* TO 'admin'@'localhost' WITH GRANT OPTION;
MariaDB [(none)]> FLUSH PRIVILIGES;

1. Install WordPress and configuration

• Go to wordpress.org and download the latest WordPress suit package using wget.

# cd /var/www/html/
# wget https://wordpress.org/latest.zip
# unzip latest.zip
# rm -rf latest.zip

• Configure /var/www/html/wordpress/wp-config-sample.php or wp-config.php configuration file

# vim /var/www/html/wordpress/wp-config-sample.php


// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'admin' );

/** Database password */
define( 'DB_PASSWORD', 'password' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

• Open /etc/httpd/conf/httpd.conf file for above configuration.

# vim /etc/httpd/conf/httpd.conf

Listen 80
User apache
Group apache
ServerAdmin admin@localhost
DocumentRoot "/var/www/html/wordpress"

• Change user:group ownership to apache user on DocumentRoot directory

# chown -R apache:apache /var/www/html/wordpress
# ls -lZ /var/www/html/wordpress

[root@mh1 conf]# ls -lZ /var/www/html/wordpress/
total 228
-rw-r--r--.  1 apache apache unconfined_u:object_r:httpd_sys_content_t:s0      405 Feb  6  2020 filename.extention

• Restart the httpd.service, mariadb.service one more time to update with new changes.

# systemctl restart httpd.service  mariadb.service
# systemctl enable httpd.service mariadb.service

• Open your browser and paste this address: http://machine-ip .

• Fill your information and login WordPress Page.

  

Lots of Congratulations!

Hello everyone, In this article, we’re going to explore the complete landscape of Logical Volume Management (LVM), from the basics to the advanced concepts. We’ll journey from the very beginning to the end, ensuring a comprehensive understanding of LVM. The topics we’ll cover throughout this article are listed below. So, let’s dive in and learn together.

1. Introduction to LVM

   • Definition of LVM

   • Why LVM is popular?

2. LVM Architecture & their components

   • How LVM works

3. Practical Guide ( Working with LVM )

   • Creating a Physical Volume (PV)

   • Creating a Volume Group (VG)

   • Creating a Logical Volume (LV)

   • File system formation

   • Access LVM partition through mount access point

   • Resizing LVM options: lvreduce and lvextend

   • Taking a snapshot of LVM and its uses

   • Restoring from a snapshot state

   • How to remove active PV from the LVM

1. Introduction to LVM

• Definition of LVM

LVM is like a magic box for managing storage on your computer. Imagine you have several small boxes (these are your physical storage devices like hard drives). Each box can hold a certain amount of stuff (data). But it’s hard to keep track of what’s in each box and moving stuff around if you need more space in one box is a hassle.

This is where LVM comes in. It allows you to put all these small boxes into one big box (this is called a Volume Group). Now, instead of seeing several small boxes, you see one big box. The best part is, you can create smaller, flexible partitions inside this big box (these are called Logical Volumes). You can name these partitions anything you like, such as “photos”, “documents”, etc.

The beauty of LVM is that these partitions are flexible. If you find that your “photos” partition is running out of space, you can easily make it bigger by taking some space from another partition. You can do all this while your computer is running, without needing to stop and restart it.

Let’s take an example. Suppose you have two hard drives of 500GB each. Without LVM, if you have partitioned one drive to hold 300GB of movies and it’s running out of space, you’d have to manually move some movies to the other drive. With LVM, you can simply add more space to your “movies” partition from the unused space of the second drive, all without moving any files around.

• Why LVM is popular then, traditional disks partitions schemes?

Logical Volume Management (LVM) is a method of allocating space on mass-storage devices that is more flexible than conventional partitioning schemes. In particular, an LVM system can:

• Resize disk partitions: With traditional disk partitions, resizing is a complex task and sometimes not possible without data loss. However, LVM allows you to resize disk partitions easily and without data loss.

• Manage storage more effectively: LVM allows you to create a logical volume that spans multiple physical disks. This is useful when you need more storage than a single disk can provide.

• Snapshot capability: LVM provides snapshot capability. You can create a temporary copy of a logical volume and use it for backups. This is not possible with traditional disk partitions.

• Dynamic allocation of storage: With LVM, you can allocate additional storage to a logical volume on the fly as your needs grow, without any downtime.

Let’s say you have a 500GB hard drive with a single partition that is running out of space. You add a new 500GB hard drive to your system. With traditional partitions, you would have to create a new partition on the new drive and then figure out how to distribute your data between the two partitions.

With LVM, you can add the new drive to a volume group, extend the logical volume to include the new drive, and then resize the file system, all without any downtime or data loss. The operating system sees this as one large 1TB drive, and you don’t have to worry about managing multiple partitions.

In short, while traditional disk partitions still have their uses, LVM provides a more flexible and powerful way to manage disk space. It’s particularly useful in enterprise environments where storage needs can change rapidly and downtime is costly.

1. LVM Architecture & their components

• How LVM architecture are working?

In LVM (Logical Volume Management) architecture, data is stored in a layered manner:

1. Physical Volumes (PVs): Data is first stored on physical storage devices, such as hard disks or SSDs. These devices, or specific partitions on these devices, are designated as PVs.

2. Volume Group (VG): The PVs are then grouped together to form a VG. The VG acts as a single large storage pool, combining the capacities of all the PVs it contains. Data isn’t directly stored on the VG, but the VG keeps track of which parts of the PVs are allocated to which LVs.

3. Logical Volumes (LVs): Within the VG, you create LVs. These LVs are where your data is actually stored. You can think of an LV as a ‘virtual partition’. It’s given a portion of the total VG space and can be formatted with a file system (like ext4 or XFS) where you can store your files and directories.

This layered approach allows for flexibility. For example, if an LV is running out of space, you can add a new PV to the VG and then extend the LV to use this additional space. Similarly, if you have unused space in your VG, you can create new LVs to utilize it. This is how data is stored and managed in LVM architecture.

Below image of LVM architecture :-

Practical Guide (Working with LVM)

• Crating a Physical Volume (PV)

I have three disks partition sda, sdb, sdc with 100 GB storage each for this practical.

1. List the block devices: You can use the lsblk command to list all block devices, which should now include your new disks sda, sdb, and sdc.

$ lsblk

The output look something like this:

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda      8:0    0   100G  0 disk 
sdb      8:16   0   100G  0 disk 
sdc      8:32   0   100G  0 disk

1. Check the file system disk space usage: You can use the df -h command to check the file system disk space usage.

$ df -h

1. Create a Physical Volume (PV): You can use the pvcreate command to create a new physical volume on each of your new disks.

Create Persistent volume with three individual disks /dev/sda, /dev/sdb, /dev/sdc

$ sudo pvcreate /dev/sda
$ sudo pvcreate /dev/sdb
$ sudo pvcreate /dev/sdc

1. List the Physical Volumes: You can use the pvs or pvdisplay command for long detailed output to list all physical volumes.

$ sudo pvs
$ sudo pvdisplay

The output might look something like this:

  PV         VG        Fmt  Attr PSize   PFree
  /dev/sda            lvm2 ---  100.00g 100.00g
  /dev/sdb            lvm2 ---  100.00g 100.00g
  /dev/sdc            lvm2 ---  100.00g 100.00g

• Creating a Volume Group (VG)

Now you have to create a volume group (VG) named vg_vol from these physical volumes (PVs): That is actually a combined volume space that have PV's space behind in reality.

1. Create a Volume Group (VG): You can use the vgcreate command to create a new volume group. Here’s how you can do it:

$ sudo vgcreate -s 2M vg_vol /dev/sda /dev/sdb /dev/sdc
Volume group "vg_vol" successfully created

This command creates a new volume group named vg_vol using the physical volumes /dev/sda, /dev/sdb, and /dev/sdc, and each Physical Extent size will be 2MB each block.

1. List the Volume Groups: You can use the vgs or vgdisplay command for long detailed output to list all volume groups.

$ sudo vgs

VG     #PV #LV #SN Attr   VSize   VFree
vg_vol   3   0   0 wz--n- 300.00g 300.00g

$ sudo vgdisplay  
--- Volume group ---
  VG Name               vg_vol
  System ID             
  Format                lvm2
  Metadata Areas        2
  Metadata Sequence No  1
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                2
  Act PV                2
  VG Size               <300 GiB
  PE Size               2.00 MiB
  Total PE              153600
  Alloc PE / Size       0 / 0   
  Free  PE / Size       153600 / <4.00 GiB
  VG UUID               vQqtJ2-cMLU-hHc2-AU1e-Uw1R-alWb-nOtxBi

This shows that the volume group vg_vol has been successfully created with 3 physical volumes, and it has a size of 300GB with 300GB free.

• Creating a Logical Volume (LV)

Now you can create logical volumes (LVs) named lv_vol1, lv_vol2, and lv_vol3 from the volume group (VG) vg_vol:

1. Create Logical Volumes (LVs): You can use the lvcreate command to create new logical volumes. Here’s how you can do it:

NOTE: In the lvcreate command in Linux, -L and -l options are used to specify the size of the logical volume:

• -L option: This is used to specify the size in units such as kilobytes (K), megabytes (M), gigabytes (G), terabytes (T), etc. For example, -L 10G would create a logical volume of 10 gigabytes.

• -l option: This is used to specify the size in extents. An extent is a block of space in the volume group. The size of an extent is defined when the volume group is created. For example, -l 100%FREE would use 100% of the free space in the volume group.

So, the basic difference is that -L specifies the size in units of bytes, while -l specifies the size in extents.

$ sudo lvcreate -n lv_vol1 -L 50G vg_vol
$ sudo lvcreate -n lv_vol2 -L 50G vg_vol
$ sudo lvcreate -n lv_vol3 -L 50G vg_vol

Logical volume "lv_vol" created.

Or you can do this. (Both option will create same amount of LV partition)

EX: Here 1 Physical Extent is 2 MB, then (1024 * 50)/2 = 25600 Physical Extent

$ sudo lvcreate -n lv_vol1 -l 25600 vg_vol
$ sudo lvcreate -n lv_vol2 -L 25600 vg_vol
$ sudo lvcreate -n lv_vol3 -L 25600 vg_vol

Logical volume "lv_vol" created.

These commands create three new logical volumes named lv_vol1, lv_vol2, and lv_vol3 each with a size of 50GB in the volume group vg_vol.

1. List the Logical Volumes: You can use the lvs or lvdisplay command for detailed output to list all logical volumes.

$ sudo lvs

  LV     VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  lv_vol1 vg_vol -wi-a-----  50.00g                                                    
  lv_vol2 vg_vol -wi-a-----  50.00g                                                    
  lv_vol3 vg_vol -wi-a-----  50.00g

$ sudo lvdisplay /dev/vg_vol/lv_vol1

  LV Path                /dev/vg_vol/lv_vol1
  LV Name                lv_vol1
  VG Name                vg_vol
  LV UUID                rdEpAG-7egK-08e4-SSWJ-1Ywx-hVvD-XbFlp0
  LV Write Access        read/write
  LV Creation host, time mh1.example.com, 2024-01-17 20:16:19 +0530
  LV Status              available
  # open                 0
  LV Size                50.00 GiB
  Current LE             25600
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:2

This shows that the logical volumes lv_vol1, lv_vol2, and lv_vol3 have been successfully created in the volume group vg_vol each with a size of 50GB.

• File system formation

Now you can create ext4 file systems on these logical volumes (LVs) and check their details:

1. Create ext4 File Systems: You can use the mkfs.ext4 command to create an ext4 file system on each of your logical volumes.

$ sudo mkfs.ext4 /dev/vg_vol/lv_vol1
$ sudo mkfs.ext4 /dev/vg_vol/lv_vol2
$ sudo mkfs.ext4 /dev/vg_vol/lv_vol3

1. List the Block Devices: You can use the lsblk command to list all block devices.

$ lsblk

The output might look something like this:

NAME           MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda              8:0    0   100G  0 disk 
sdb              8:16   0   100G  0 disk 
sdc              8:32   0   100G  0 disk 
└─vg_vol       253:0    0   300G  0 lvm  
  ├─lv_vol1    253:1    0    50G  0 lvm  
  ├─lv_vol2    253:2    0    50G  0 lvm  
  └─lv_vol3    253:3    0    50G  0 lvm

1. Print Block Device Attributes: You can use the blkid command to print the block device attributes.

$ sudo blkid

/dev/sda: UUID="3ef4-gh7j" TYPE="ext4"
/dev/sdb: UUID="4gh5-jk8l" TYPE="ext4"
/dev/sdc: UUID="5hj6-kl9m" TYPE="ext4"
/dev/vg_vol/lv_vol1: UUID="6jk73ekl9f4-gh7j-lm0n3ekl9f4-gh7j-" TYPE="ext4"
/dev/vg_vol/lv_vol2: UUID="7kl8kl9-mn3ef4-gh7j03ekl9f4-gh7j-o" TYPE="ext4"
/dev/vg_vol/lv_vol3: UUID="8lkl3ekl9f4-gh7j-93ef4-gh7jm9-no0p" TYPE="ext4"

1. Check the File System Disk Space Usage: You can use the df -hT command to check the file system disk space usage.

$ df -hT

Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/sda       ext4      100G  10G   90G  10% /
/dev/sdb       ext4      100G  20G   80G  20% /mnt/data1
/dev/sdc       ext4      100G  30G   70G  30% /mnt/data2
/dev/vg_vol/lv_vol1 ext4 50G   5G    45G  10% /mnt/lv1
/dev/vg_vol/lv_vol2 ext4 50G   10G   40G  20% /mnt/lv2
/dev/vg_vol/lv_vol3 ext4 50G   15G   35G  30% /mnt/lv3

• Access LVM partition through mount access point

We are going to create three mount points, namely lv-mount1, lv-mount2, and lv-mount3, in the /mnt location. After that, we will mount the logical volumes to these mount points. Finally, we will make entries in the fstab file for these mounts.

# Create mount points
$ mkdir /mnt/lv_mount1
$ mkdir /mnt/lv_mount2
$ mkdir /mnt/lv_mount3

# Mount the logical volumes
$ mount /dev/vg_vol/lv_vol1 /mnt/lv_mount1
$ mount /dev/vg_vol/lv_vol2 /mnt/lv_mount2
$ mount /dev/vg_vol/lv_vol3 /mnt/lv_mount3

# Make fstab entries for permanent after boot
$ echo "/dev/vg_vol/lv_vol1 /mnt/lv_mount1 ext4 defaults 0 0" >> /etc/fstab
$ echo "/dev/vg_vol/lv_vol2 /mnt/lv_mount2 ext4 defaults 0 0" >> /etc/fstab
$ echo "/dev/vg_vol/lv_vol3 /mnt/lv_mount3 ext4 defaults 0 0" >> /etc/fstab

And here is the output of the /etc/fstab file after the above operations:

$ sudo vim /etc/fstab

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/sda        /               ext4    defaults        0       0
/dev/sdb        /mnt/data1      ext4    defaults        0       0
/dev/sdc        /mnt/data2      ext4    defaults        0       0
/dev/vg_vol/lv_vol1       /mnt/lv_mount1     ext4   defaults    0 0
/dev/vg_vol/lv_vol2       /mnt/lv_mount2     ext4   defaults    0 0
/dev/vg_vol/lv_vol3       /mnt/lv_mount3     ext4   defaults    0 0

$ sudo cp -arvf /var/* /mnt/lv_mount1/
$ sudo cp -arvf /boot/* /mnt/lv_mount1/

Check size of lv disk partition.

$ sudo du -h /mnt/lv_mount

.
. .
. . .
. . . . 
4096M    /mnt/lv-mount1/

• Resizing LVM options: lvreduce and lvextend

You can use the lvreduce and lvextend commands to resize LVM partitions:

1. Reducing the size of an LVM partition (lvreduce):

Before reducing the size of a logical volume, it’s important to ensure that the file system within the volume can also be reduced. For an ext4 file system, you can use the resize2fs command:

On the other hand, resize2fs is a tool that knows how to safely shrink an ext4 file system. It will move any data residing on the blocks that are being removed to other parts of the file system.

# Unmount the logical volume
$ umount /mnt/lv-mount1

# Check the file system before resizing
$ e2fsck -f /dev/vg_vol/lv_vol1

e2fsck 1.46.5 (30-Dec-2021)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vgvol/lvvol2: 11/360448 files (0.0% non-contiguous), 44646/1441792 blocks

#Resize the file system
$ resize2fs /dev/vg_vol/lv_vol1 40G

#Reduce the size of the logical volume
$ lvreduce -L 40G /dev/vg_vol/lv_vol1

WARNING: Reducing active logical volume to 40.00 GiB.
THIS MAY DESTROY YOUR DATA (filesystem etc.)
Do you really want to reduce vg_vol/lv_vol2? [y/n]: y
Size of logical volume vg_vol/lv_vol2 changed from 5.50 GiB (282516 extents) to 200.00 MiB (100 extents).
Device vg_vol-lv_vol2-real (253:4) is used by another device.
Problem reactivating logical volume vg_vol/lv_vol2.
Logical volume vg_vol/lv_vol successfully resized.

#Remount the logical volume
$ mount /dev/vg_vol/lv_vol1 /mnt/lv-mount1

$ lsblk

NAME           MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda              8:0    0   100G  0 disk 
sdb              8:16   0   100G  0 disk 
sdc              8:32   0   100G  0 disk 
└─vg_vol       253:0    0   300G  0 lvm  
  ├─lv_vol1    253:1    0    10G  0 lvm  
  ├─lv_vol2    253:2    0    50G  0 lvm  /mnt/lv_mount2
  └─lv_vol3    253:3    0    50G  0 lvm  /mnt/lv_mount3

In this example, the size of lv_vol1 is reduced to 40GB and remaining size of lvm is 10G.

1. Increasing the size of an LVM partition (lvextend):

# Extend the size of the logical volume 
$ sudo lvextend -L +10G /dev/vg_vol/lv_vol1
$ sudo lvextend -r -L +10G /dev/vg_vol/lv_vol1 #(-r option do resize at same time)

# Resize the file system
$ resize2fs /dev/vg_vol/lv_vol1   #(No use when you use -r option with lvextend)

In this example, the size of lv_vol1 is increased by 10GB.

$ lsblk

NAME           MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda              8:0    0   100G  0 disk 
sdb              8:16   0   100G  0 disk 
sdc              8:32   0   100G  0 disk 
└─vg_vol       253:0    0   300G  0 lvm  
  ├─lv_vol1    253:1    0    20G  0 lvm  
  ├─lv_vol2    253:2    0    50G  0 lvm  /mnt/lv_mount2
  └─lv_vol3    253:3    0    50G  0 lvm  /mnt/lv_mount3

2. Increasing the size of an VG pool (vgextend):

   Extending a Volume Group (VG) in LVM means adding more disks to give extra storage space to VG group. This allows you to handle more data without shutting down your system. It makes it easier to manage your storage and keeps everything running smoothly as your needs grow.

   to extend the VG, we have to require some newly created PV disks. For example we have one more disk “/dev/sdd“, so add this PV into vg_vol

    $ vgextend vg_vol /dev/sdd
    Volume group "vg_vol" successfully extended
   

• Taking a snapshot of LVM and its uses

1. Create a logical volume named origin from the volume group vg001:

   💡

   Create a snap, when you create lvm

    $ sudo lvcreate -n lv_vol1 -L 50G vg_vol
    $ sudo lvcreate --size 1G --name lv_vol1_snap --snapshot /dev/vg_vol/lv_vol1   
   
    Logical volume "lv_vol1_snap" created.
   

2. Create a snapshot logical volume named snap of /dev/vg_vol/lv_vol1 that is 1GB in size:

    #lvcreate --size 1G M --name snap --snapshot /dev/vg_vol/lv_vol1
   
    $ Logical volume "snap" created.
   

    $ lsblk
   
    NAME           MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
    sda              8:0    0   100G  0 disk 
    sdb              8:16   0   100G  0 disk 
    sdc              8:32   0   100G  0 disk 
    └─vg_vol       253:0    0   300G  0 lvm  
      ├─lv_vol1    253:1    0    20G  0 lvm  
      ├─lv_vol1_snap    254:1    0    20G  0 lvm
      ├─lv_vol2    253:2    0    50G  0 lvm  /mnt/lv_mount2
      └─lv_vol3    253:3    0    50G  0 lvm  /mnt/lv_mount3
   

   💡

   You can also use the -L argument instead of using --size, -n instead of using --name, and -s instead of using --snapshot to create a snapshot. You can check snapshot in /etc/lvm/archive/ location.

    $ cd /etc/lvm/archive/
    $ ls -al
   
    total 60
    drwx------. 2 root root 4096 Jan 17 17:28 .
    drwxr-xr-x. 7 root root  115 Jan 17 13:02 ..
    -rw-------. 1 root root 1887 Jan 17 12:26 vg_vol_snap_00000-733987744.vg
    -rw-------. 1 root root 2484 Jan 17 12:34 vg_vol_snap_00001-1752724781.vg
    -rw-------. 1 root root 3074 Jan 17 12:37 vg_vol_snap_00002-1278740074.vg
    -rw-------. 1 root root 3239 Jan 17 12:52 vg_vol_snap_00003-1110221396.vg
    -rw-------. 1 root root 3552 Jan 17 12:52 vg_vol_snap_00004-786463575.vg
    -rw-------. 1 root root 4308 Jan 17 12:53 vg_vol_snap_00005-1268100483.vg
    -rw-------. 1 root root 3532 Jan 17 12:53 vg_vol_snap_00006-1388604217.vg
    -rw-------. 1 root root 3550 Jan 17 12:54 vg_vol_snap_00007-730868741.vg
    -rw-------. 1 root root 3284 Jan 17 13:04 vg_vol_snap_00008-316161094.vg
    -rw-------. 1 root root 3688 Jan 17 13:04 vg_vol_snap_00009-1832259422.vg
    -rw-------. 1 root root 3661 Jan 17 17:28 vg_vol_snap_00010-1424043212.vg
   

3. How to remove active PV from the LVM

   At times in a production environment, you may encounter issues with an active PV (Physical Volume). When this happens, the solution is often to replace it with a new disk. However, as an administrator, you must consider the data stored on the PV. So, what’s the correct approach?

   1. Move the data from the removable PV to another available PV.

      For example we are removing a PV named “/dev/sdb“

       $ pvmove /dev/sdb /dev/sda
         /dev/sdb: Moved: 0.39%
         /dev/sdb: Moved: 100.00%
      

   2. Reduce the VG (Volume Group) size.

       $ vgreduce vg_vol /dev/sdb
         Removed "/dev/sdb" from volume group "vg_vol"
      

   3. Safely remove the PV from the Volume Group.

       $ pvremove /dev/sdb
         Labels on physical volume "/dev/sdb" successfully wiped.
      

Definition:

MySQL is a widely used open-source relational database management system (RDBMS) that uses Structured Query Language (SQL), the most popular language for adding, accessing, and managing content in a database. It’s known for its quick processing, proven reliability, ease and flexibility of use.

Ansible, on the other hand, is an open-source software provisioning, configuration management, and application-deployment tool. It provides large productivity gains to a wide variety of automation challenges, including setting up databases.

When it comes to automating MySQL database setup and management, Ansible shines in several ways:

1. Simplicity: Ansible uses a simple syntax written in YAML called playbooks. These playbooks are easy to write, read, and understand, even for those not familiar with the Ansible tool.

2. Efficiency: Ansible allows you to automate the process of setting up and configuring MySQL databases, which can be a time-consuming and error-prone task if done manually.

3. Consistency: By using Ansible, you ensure that your MySQL databases are set up and configured consistently across all your environments.

4. Scalability: Ansible can easily scale to manage many databases, making it a great choice for large-scale deployments.

The combination of MySQL and Ansible provides a powerful toolset for managing databases efficiently and consistently. Whether you’re a database administrator looking to automate routine tasks or a developer wanting to ensure consistent database setup across multiple environments, Ansible and MySQL can make your life much easier. So lets create ansible playbook for configuring and automating MySQL database on your host machine.

Create an ansible playbook for configure MySQL database on localhost.

[ansible@master ~]$ vim mysql.yml

---
- name: Configure MySQL database using Ansible automation
  hosts: localhost
  vars:
    db_username: ram
    db_name: wordpress
    mysql_root_password: password
  tasks:
    - name: Install pip3
      ansible.builtin.yum:
        name: python3-pip
        state: present
        update_cache: yes

    - name: Install Python MySQL module
      ansible.builtin.pip:
        name: PyMySQL
        state: present

    - name: Install MySQL
      ansible.builtin.yum:
        name: mysql
        state: latest
      notify: restart mysqld

    - name: Create database user with password and all database privileges and 'WITH GRANT OPTION'
      community.mysql.mysql_user:
        name: "{{ db_username }}"
        password: "{{ mysql_root_password }}"
        priv: '*.*:ALL,GRANT'
        state: present

    - name: Create a new database "{{ db_name }}"
      community.mysql.mysql_db:
        login_user: "{{ db_username }}"
        login_password: "{{ mysql_root_password }}"
        name: "{{ db_name }}"
        state: present

    - name: Add sample database to the database
      copy:
        src: ./dump.sql
        dest: /tmp/dump.sql

    - name: insert sample database into database
      community.mysql.mysql_db:
        name: "{{ db_name }}"
        state: import
        target: /tmp/dump.sql
        login_user: "{{ db_username }}"
        login_password: "{{ mysql_root_password }}"

  handlers:
    - name: restart mysqld
      ansible.builtin.service:
        name: mysqld
        state: restarted
        enabled: yes

Create a new table for the newly created database and insert some records.

[ansible@master ~]$ vim dump.sql

CREATE TABLE IF NOT EXISTS test (
  message varchar(255) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

INSERT INTO test(message) VALUES('Ansible To Do List');
INSERT INTO test(message) VALUES('Get ready');
INSERT INTO test(message) VALUES('Ansible is fun');
INSERT INTO test(message) VALUES('Learn Ansible');
INSERT INTO test(message) VALUES('Setup Ansible');
INSERT INTO test(message) VALUES('Test Ansible setup');

Let's check whether our MySQL Database is configured correctly or not. This is the output result.

[ansible@master ~]$ mysql -u ram -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.32 Source distribution

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wordpress          |
+--------------------+
5 rows in set (0.00 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------+
| Tables_in_wordpress |
+---------------------+
| test                |
+---------------------+
1 row in set (0.00 sec)

mysql> describe test
    -> ;
+---------+--------------+------+-----+---------+-------+
| Field   | Type         | Null | Key | Default | Extra |
+---------+--------------+------+-----+---------+-------+
| message | varchar(255) | NO   |     | NULL    |       |
+---------+--------------+------+-----+---------+-------+
1 row in set (0.00 sec)

mysql> select * from test;
+--------------------+
| message            |
+--------------------+
| Ansible To Do List |
| Get ready          |
| Ansible is fun     |
| Learn Ansible      |
| Setup Ansible      |
| Test Ansible setup |
+--------------------+
6 rows in set (0.00 sec)

mysql>

In-Short Description about playbook

Let's understand this playbook in the description step by step. This Ansible playbook is designed to configure a MySQL database on localhost. Here’s a breakdown of what each part does:

1. Variables: The playbook defines three variables: db_username, db_name, and mysql_root_password. These are used later in the playbook to set up the MySQL database.

2. Tasks: The playbook then performs a series of tasks:

   • Install pip3: This task installs pip3, a package manager for Python, using the ansible.builtin.yum module.

   • Install Python MySQL module: This task uses pip3 to install the PyMySQL module, which is a Python interface for MySQL.

   • Install MySQL: This task installs the latest version of MySQL using the ansible.builtin.yum module. If the installation is successful, it triggers a handler to restart the MySQL service.

   • Create database user: This task creates a new MySQL user with the username and password specified by the db_username and mysql_root_password variables. The user is granted all privileges on all databases.

   • Create a new database: This task creates a new MySQL database with the name specified by the db_name variable.

   • Add sample database to the database: This task copies a sample database file (dump.sql) to the /tmp directory on the target host.

   • Insert sample database into database: This task imports the sample database into the newly created database.

3. Handlers: The playbook includes a handler to restart the MySQL service. This handler is triggered if the MySQL installation task is successful.

This playbook provides a comprehensive example of how to automate the process of setting up a MySQL database using Ansible. It demonstrates the use of variables, tasks, and handlers in an Ansible playbook. It also shows how to use different Ansible modules to perform tasks such as installing packages, creating users and databases, and importing data.

If any issues are found in this code, please comment, so we can fix them as soon as possible. Thank you.

#Ansible #MySQL #DatabaseConfiguration #DevOps #Automation #InfrastructureAsCode #IAC #Playbook #RelationalDatabase #RDBMS #ConfigurationManagement #ITAutomation #CloudComputing #OpenSource #Tech

Beginner Level:

1. Setup a Web Server: Use Ansible to automate the setup of a web server, like Apache or Nginx. This includes installing the necessary packages, starting the service, and ensuring it runs at startup.

2. Software configuration: Use Ansible to automate software package automation

3. User Management: Write an Ansible playbook to create, delete, and manage users on a Linux system. This can include setting up SSH keys for remote login.

4. Automate Package Updates: Write a playbook to automate the process of updating all packages on your system.

5. Setup a Database Server: Use Ansible to automate the setup of a database server, like MySQL or PostgreSQL.

6. Automate System Updates: Write a playbook to automate system updates on all your managed nodes.

7. Setup VSFTP Server: Use Ansible to automate the VSFTP file server for cross-system files transfer.

8. Setup a File Server: Use Ansible to set up a file server, like Samba or NFS.

9. Setup a DNS Server: Use Ansible to automate the setup of a DNS server, like BIND.

10. Automate System Audits: Write a playbook to automate system audits and generate reports.

11. Setup a Mail Server: Use Ansible to set up a mail server, like Postfix.

Intermediate Level:

1. Multi-tier Application Deployment: Use Ansible to deploy a multi-tier application. This could be a simple web application with a separate database server.

2. Automate Security Updates: Write a playbook to automate the process of updating your system packages for security patches.

3. Automate Network Configuration: Use Ansible to automate the configuration of network devices.

4. DevOps Exercises: Contribute to open-source projects that use Ansible, such as the DevOps Exercises project.

5. Automate Database Backups: Write a playbook to automate database backups.

6. Automate Log Rotation: Use Ansible to automate log rotation on your servers.

7. Automate SSL Certificate Renewals: Write a playbook to automate SSL certificate renewals.

8. Automate System Monitoring: Use Ansible to automate the setup of system monitoring tools, like Nagios.

9. Automate Firewall Configuration: Write a playbook to automate firewall configuration.

Expert Level:

1. Continuous Integration/Continuous Deployment (CI/CD) Pipeline: Use Ansible in a CI/CD pipeline to automate the testing and deployment of code.

2. Infrastructure Monitoring: Integrate Ansible with monitoring tools like Nagios or Prometheus to automate the setup and configuration of infrastructure monitoring.

3. AWX Project: Contribute to the AWX project, which provides a web-based user interface, REST API, and task engine built on top of Ansible.

4. Kubespray: Contribute to the Kubespray project, which uses Ansible to deploy a production-ready Kubernetes cluster.

5. Automate Multi-Cloud Deployments: Use Ansible to automate deployments across multiple cloud providers.

6. Automate Big Data Deployments: Write a playbook to automate the deployment of big data tools, like Hadoop.

7. Automate Machine Learning Workflows: Use Ansible to automate machine learning workflows.

8. Automate Microservices Deployments: Write a playbook to automate the deployment of microservices.

9. Automate Zero Downtime Deployments: Use Ansible to automate zero downtime deployments.

References:

• https://faun.pub/mini-project-simple-automation-using-ansible-3b0ee607a693

• https://www.libhunt.com/topic/ansible

• https://thomascfoulds.com/2021/09/29/25-tips-for-using-ansible-in-large-projects.html

Note: Write your managed host's IP address and their hostnames in the ./hosts-ip.yml file and don't forget to include it in your playbook.

vim ./hosts-ip.yml 
hosts-entries:   
  - ip: 192.168.10.1     
    hostname: mh1.example.com
  - ip: 192.168.10.2
    hostname: mh2.example.com  
  - ip: 192.168.10.3
    hostname: mh3.example.com

Make sure to create an inventory file in the same place where your ansible.cfg is located, and don't forget to include it in your playbook.

vim ./inventory

[stage]
mh1.example.com

[test]
mh2.example.com

[prod]
mh3.example.com

This is your ansible configuration playbook

---
- name: Install Ansible from scratch
  hosts: cn.example.com
  become: yes
  become_user: root
  gather_facts: yes
  vars:
    username: admin
    password: password
    inventory_file: path/to/inventory/file
  vars_files:
    - ./hosts-ip.yml
  tasks:
    - name: "Yum repository configuration on server"
      ansible.builtin.yum_repository:
        name: "{{ item.name }}"
        description: YUM repo
        file: external
        baseurl: "{{ item.baseurl }}"
        gpgcheck: 0
        enabled: 1
      loop:
        - { name: online_one, baseurl: "https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/" }
        - { name: online_two, baseurl: "https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/" }
      when: ansible_facts.distribution in ['RedHat','Fedora'] and ansible_facts.distribution_major_version | int >= 9

    - name: "Setup EPEL REPOSITORY"
      ansible.builtin.dnf:
        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
        state: present
      when: ansible_facts.distribution in ['RedHat','Fedora'] and ansible_facts.distribution_major_version | int >= 9

    - name: "Install ansible in the machine"
      ansible.builtin.dnf:
        name: ansible
        state: latest
      register: output

    - name: show the result
      debug:
        var: output

    - name: "create ip hostname entry in /etc/hosts file of control-node machine"
      blockinfile:
        path: /etc/hosts
        lineinfile: "{{ item.ip }}  {{ item.hostname }}"
        state: present
      loop: "{{ hosts-entries }}"

    - name: "create a user {{ username }}"
      user:
        name:  "{{ username }}"
        state: present
        password: "{{ password | password_hash('sha512') }}"

    - name: Enable PermitRootLogin, PubkeyAuthentication, and PasswordAuthentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        backup: yes
      loop:
        - { regexp: '^#?PermitRootLogin', line: 'PermitRootLogin yes' }
        - { regexp: '^#?PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
        - { regexp: '^#?PasswordAuthentication', line: 'PasswordAuthentication yes' }
      notify: restart sshd service

    - name: "create ansible directory in {{ username }} home directory"
      file:
        path: "/home/{{ username }}/.ansible"
        state: directory

    - name: "Create ansible.cfg file in {{ username }} home directory under .ansible directory"
      file:
        path: "/home/{{ username }}/.ansible/{{ item }}"
        state: touch
      loop:
        - ansible.cfg
        - inventory

    - name: "Insert details in ansible.cfg file"
      blockinfile:
        path: "/home/{{ username }}/.ansible/ansible.cfg"
        block: |
          [defaults]
          inventory = "/home/{{ username }}/.ansible/inventory"
          remote_user = "{{ remote_user }}"
          ask_pass = false

          [privilege_escalation]
          become = true
          become_method = sudo
          become_user = root
          become_ask_pass = false

    - name: "create inventory file"
      ansible.builtin.copy:
        src: "{{ inventory_file }}"
        dest: "/home/{{ username }}/.ansible/inventory"
  handlers:
    - name: restart sshd service
      service:
        name: sshd
        state: restarted



- name: Install Ansible from scratch
  hosts: stage
  become: yes
  vars:
    username: ansible
  become_user: root
  gather_facts: yes
  tasks:
    - name: "Configure ssh to make password-less connection between machines"
      ansible.posix.authorized_key:
        user: '{{ username }}'
        state: present
        key: "{{ lookup('file', '/home/{{ username }}/.ssh/id_rsa.pub') }}"
      notify: restart sshd service
      register: connection-output

    - name: show the connection output
      debug:
        var: connection-output 

  handlers:
    - name: restart sshd service
      service:
        name: sshd
        state: restarted

Description of this playbook in short

This Ansible playbook is designed to set up Ansible on a managed host. Here’s a simplified explanation of what each part does:

1. Yum repository configuration on server: This task sets up the Yum repositories on the server. It uses a loop to add two repositories, one for AppStream and one for BaseOS. This task only runs if the server’s operating system is RedHat or Fedora and the major version is 9 or above.

2. Setup EPEL REPOSITORY: This task installs the EPEL repository on the server. This task also only runs if the server’s operating system is RedHat or Fedora and the major version is 9 or above.

3. Install ansible in the machine: This task installs the latest version of Ansible on the server.

4. Show the result: This task displays the result of the Ansible installation.

5. Create IP hostname entry in /etc/hosts file of control-node machine: This task adds entries to the /etc/hosts file on the control node machine. The entries are defined in the hosts-entries variable.

6. Create a user: This task creates a new user on the server. The username and password are defined in the username and password variables.

7. Enable PermitRootLogin, PubkeyAuthentication, and PasswordAuthentication: This task modifies the SSH configuration to enable root login, public key authentication, and password authentication.

8. Configure ssh to make password-less connection between machines: This task sets up SSH keys for the new user to allow password-less connections between machines.

9. Create ansible directory in user home directory: This task creates a new directory for Ansible in the home directory of the new user.

10. Create ansible.cfg file in user home directory under .ansible directory: This task creates an Ansible configuration file and an inventory file in the new Ansible directory.

11. Insert details in ansible.cfg file: This task adds configuration details to the Ansible configuration file.

12. Create inventory file: This task copies an inventory file to the new Ansible directory.

As we reach the end of this journey, remember that technology is not just about understanding the new, but about transforming the old. It’s about taking the world as we know it and daring to envision it better. Here at rakamodify.online, we don’t just write about technology, we live it. We breathe it. And we share that passion with you, our readers.

So, keep exploring, keep innovating, and keep modifying. The future is a blank canvas, teeming with possibilities. And with every line of code, every circuit built, and every system debugged, you’re painting your masterpiece.

Thank you for joining us on this journey. Until next time, keep modifying your world, one byte at a time. 😊

#Technology #Innovation #Coding #Blogging #Learning #Inspiration #RakaModify #Ansible #DevOps #Automation #ConfigurationManagement #InfrastructureAsCode #AnsiblePlaybook #OpenSource #CloudComputing #ITAutomation #Tech

Introduction:

In the dynamic landscape of corporate infrastructure, maintaining robust security measures while managing user access becomes pivotal. This article navigates through the process of establishing a secure Linux-based server system in the midst of organizational restructuring, focusing on user and group management and stringent password policy implementation.

Understanding the Scenario:

As an IT administrator at GlobalTech Inc., overseeing a Linux-based server system, the recent restructuring necessitates the creation of new departments and user accounts. The primary objective is to fortify the security posture by setting up user accounts and groups effectively, limiting superuser access, enforcing strict directory access controls, and implementing stringent password policies.

1. User and Group Setup:

Creating user accounts and groups for the newly formed departments – R&D, Marketing, and Customer Support – is the initial step. This involves generating user accounts for each department and assigning appropriate privileges, facilitating streamlined access control by associating users with their respective departmental groups.

• Creating User Account:

# Create users for each department
sudo useradd RnDUser
sudo useradd MarketingUser
sudo useradd CustomerSupportUser
sudo groupadd RnDUserGroup
sudo groupadd MarketingUserGroup
sudo groupadd CustomerSupportUserGroup
sudo cat /etc/passwd
sudo cat /etc/group

• Creating Group Account (Assigning Users to Groups)

# Assign users to their respective departmental groups
sudo usermod -aG RnDUserGroup RnDUser
sudo usermod -aG MarketingUserGroup MarketingUser
sudo usermod -aG CustomerSupportUserGroup CustomerSupportUser

sudo cat /etc/group | grep -e RnDUserGroup -e MarketingUserGroup -e CustomerSupportUserGroup

1. Superuser Access and Privileges:

Limiting superuser access is crucial for maintaining system integrity. Configuring sudo access for department heads empowers them to perform essential administrative tasks without full root access. Educating users on responsible elevated privileges usage ensures the importance of limited access and minimizes potential risks.

• Configuring Sudo Access:

  Edit sudoers file using visudo (sudo visudo) and add lines for department heads:

RnDUser ALL=(ALL) /path/to/RnD_commands
MarketingUser ALL=(ALL) /path/to/Marketing_commands
CustomerSupportUser ALL=(ALL) /path/to/CustomerSupport_commands

1. Directory Access Control:

• Creating Directories:

# Create directories for each department
sudo mkdir /RnD_Data
sudo mkdir /Marketing_Content
sudo mkdir /CustomerSupport_Reports

• Setting Directory Permissions:

# Set permissions to restrict access
sudo chown -R :RnDUserGroup /RnD_Data
sudo chmod -R 770 /RnD_Data

sudo chown -R :MarketingUserGroup /Marketing_Content
sudo chmod -R 770 /Marketing_Content

sudo chown -R :CustomerSupportUserGroup /CustomerSupport_Reports
sudo chmod -R 770 /CustomerSupport_Reports

Establishing restricted access to department-specific directories – 'R&D_Data', 'Marketing_Content', and 'CustomerSupport_Reports' – is imperative for data security. Setting permissions ensures that members within each department possess full access while restricting users from other departments to read-only or no access, fortifying data confidentiality.

1. Password Policy Implementation:

Implementing stringent password policies across the network adds an additional layer of security. Enforcing complexity, length, and expiration rules for all user accounts enhances system resilience. Regularly prompting users to update passwords aligns with policy compliance and reinforces security measures.

• **Password Policy Implementation (**Enforcing Password Policies):

# Open the login.defs file in a text editor (such as nano or vi)
sudo nano /etc/login.defs

Within the '/etc/login.defs' file, locate or add the following lines and adjust the values to meet your desired password policy:

# Set password complexity rules (example values)
PASS_MAX_DAYS   90  # Maximum password age
PASS_MIN_DAYS   7   # Minimum password age
PASS_MIN_LEN    10  # Minimum password length
FAIL_DELAY      3    # Delay in seconds after a failed login attempt
FAILLOG_ENAB    yes  # Enable recording of failed login attempts
LOGIN_RETRIES   3    # Maximum number of login retries before account is locked
UID_MIN         1000 # Minimum value for user IDs (UIDs)
UID_MAX         60000 # Maximum value for user IDs (UIDs)
GID_MIN         1000 # Minimum value for group IDs (GIDs)
GID_MAX         60000 # Maximum value for group IDs (GIDs)
ENV_PATH        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
UMASK           077  # Default umask value for new files
CREATE_HOME     yes  # Create home directories for new users by default

1. Different scenarios along with the corresponding chage command options and their explanations:

• Scenario 1: Setting Maximum Password Age

  Scenario: You want to ensure that user accounts require password changes every 90 days.

  Command:

sudo chage -l RnDUser
sudo chage RnDUser

sudo chage -M 90 username

Explanation: This command sets the maximum password age (-M) for the specified user (username) to 90 days. Users will be prompted to change their passwords after 90 days for security reasons.

• Scenario 2: Specifying Password Expiry Date

  Scenario: You need to set a specific date (e.g., December 31, 2024) for a user's password to expire.

  Command:

sudo chage -E "2024-12-31" username

Explanation: Using the -E flag allows setting the exact password expiration date for the specified user (username). After the specified date, the user will be prompted to change their password upon login.

• Scenario 3: Setting Minimum Days Between Password Changes

  Scenario: Ensure users cannot change their passwords too frequently by setting a minimum of 7 days between password changes.

  Command:

sudo chage -m 7 username

Explanation: This command sets the minimum number of days (-m) required between password changes for the user (username). Users will need to wait at least 7 days before changing their passwords again.

• Scenario 4: Account Inactivity and Disabling

  Scenario: Automatically disable a user account after 30 days of inactivity.

  Command:

sudo chage -I 30 username

Explanation: Using -I specifies the number of days of inactivity (30 in this case) after which the account will be automatically disabled if the user doesn't log in within that period.

• Scenario 5: Disabling Password Expiration

  Scenario: Temporarily disable password expiration for a user account.

  Command:

sudo chage -M -1 username

Explanation: Setting the maximum password age (-M) to -1 effectively disables password expiration for the specified user (username). They won't be prompted to change their password based on age.

• Scenario 6: Forcing Password Change on Next Login

  Scenario: Require a user to change their password immediately upon next login.

  Command:

sudo chage -d 0 username

Explanation: Using -d with a value of 0 forces the user to change their password during the next login attempt by setting the number of days since the epoch to 0.

sudo man useradd

1. /etc/passwd: Contains user account information like usernames, user IDs (UIDs), group IDs (GIDs), home directories, and default shells.

2. /etc/shadow: Stores encrypted user passwords and password aging details, providing enhanced security by safeguarding password hashes.

3. /etc/group: Lists all system groups, associating users with their respective groups, along with group IDs (GIDs) and membership details.

4. /etc/sudoers: Manages user privileges, determining who can execute commands as root or other users with elevated permissions using sudo.

5. /etc/login.defs: Defines system-wide defaults for user accounts and password policies, specifying aging parameters and other policies.

6. /etc/security/pwquality.conf: Configures password quality requirements like complexity, length, and expiration, affecting password creation and modification rules.

7. /etc/pam.d/: Contains Pluggable Authentication Module configuration files for various services, allowing flexible authentication policies.

8. /etc/default/useradd: Specifies default values for creating new user accounts, setting parameters for home directories, shells, etc.

9. /etc/default/userdel: Defines default behaviors for deleting user accounts, deciding whether to remove home directories or mail spools.

10. /etc/default/usermod: Sets default behaviors and options for modifying existing user accounts, facilitating changes to user attributes.

Conclusion:

In the ever-evolving corporate landscape, the stability and security of Linux-based server systems remain paramount. By effectively managing user accounts and groups, limiting superuser access, implementing stringent directory access controls, and enforcing robust password policies, GlobalTech Inc. fortifies its defenses against potential threats while fostering a secure environment for critical data and operations.

1. Definition and Use Case of VSFTP?

• FTP (File Transfer Protocol)

FTP stands for File Transfer Protocol. It's like a highway system that allows you to move files between your computer and a server on the internet. It's been around for a long time and is one of the earliest ways to share files between computers.

• VSFTP (Very Secure FTP)

VSFTP is a specific type of FTP server software. Think of it as a super safe and organized garage where you can store and exchange files with others securely. It's known for being very secure, hence the name, and it's efficient at managing files for sharing.

• Uses and Practical Example:

Imagine you're a photographer, and you need to send high-resolution images to your clients. Using VSFTP, you set up a secure space on your website where each client has their own folder. When a client needs their pictures, they log in securely and access only their folder to download the images. It's like having a locked drawer in a file cabinet where each client can access only their documents.

VSFTP ensures that only authorized users can access these folders, and it's really fast at transferring large image files without losing any quality. Plus, it keeps everything organized and separate for each client, just like how you'd organize folders for different clients in your workspace.

In essence, FTP and VSFTP are like the trusted and secure delivery systems for files on the internet. They allow you to share, access, and manage files between computers or users in a structured and secure way, making them essential tools for businesses and individuals who need to exchange files regularly.

1. Write an Ansible playbook for VSFTP server

[ansible@cn ~]$ vim ucredent.yml

groupname: sftpusers
username: thift
password: thift

:wq!

[ansible@cn ~]$ vim sftp.yml

---
- name: Configure SFTP on the {{ hosts }} server
  hosts: stage
  vars_files:
    - ./ucredent.yml  
  tasks:
    - name: "Yum repository configuration on {{ hosts }} server"
      ansible.builtin.yum_repository:
        name: "{{ item.name }}"
        description: YUM repo
        file: external
        baseurl: "{{ item.baseurl }}"
        gpgcheck: 0
        enabled: 1
      loop:
        - { name: online_one, baseurl: "https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/" }
        - { name: online_two, baseurl: "https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/" }
      when: ansible_facts.distribution in ['RedHat','Fedora'] and ansible_facts.distribution_major_version | int >= 9


    - name: Install Packages
      yum:
        name: "{{ item }}"
        state: latest
      loop:
        - vsftpd
        - openssh-server
        - openssh-clients
      notify: restart sshd service

    - name: groupadd "{{ groupname }}"
      group:
        name: "{{ groupname }}"
        state: present

    - name: useradd "{{ username }}"
      user:
        name: "{{ username }}"
        state: present
        password: "{{ password | password_hash('sha512') }}"
        shell: /sbin/nologin
        groups: "{{ groupname }}"
        append: yes

    - name: Create Directory "/var/sftp"
      file:
        path: /var/sftp/
        group: "{{ groupname }}"
        state: directory

    - name: Create Directory "/var/sftp/upload"
      file:
        path: /var/sftp/upload
        owner: "{{ username }}"
        group: "{{ groupname }}"
        state: directory
        mode: u=rwx,g=rx,o-rwx

    - name: Change sshd configuration file content
      blockinfile:
        path: /etc/ssh/sshd_config
        block: |
         Match User {{ username }}
         ForceCommand internal-sftp
         PasswordAuthentication yes
         ChrootDirectory /var/sftp
         AllowTcpForwarding no
         X11Forwarding no
      notify: restart sshd service

  handlers:
    - name: restart sshd service
      service:
        name: "{{ item }}"
        state: restarted
      loop:
        - vsftpd
        - sshd

1. Let's break & understand this playbook step by step

• Task 1: Setting up Yum Repositories

• What it Does: Configures locations where the system can find software packages.

• Comparison: Imagine making a list of shops and their addresses where you can buy specific items.

• Details: This task specifies two locations (repositories) where the server can get software packages required for the VSFTP setup. It checks if the server is running RedHat or Fedora version 9 or higher and configures repository URLs accordingly.

• Task 2: Installing Necessary Software

• What it Does: Installs required software packages onto the system.

• Comparison: Think of this as getting the tools and materials needed for building a specific project.

• Details: This task installs three software packages - VSFTP (for file transfer), OpenSSH server (for secure connections), and OpenSSH clients (for interacting with SSH server) using the Yum package manager.

• Task 3: Creating a User Group

• What it Does: Establishes a group for users with shared permissions.

• Comparison: Like creating a club or a group where people with similar interests can gather.

• Details: It creates a user group, enabling multiple users to have similar access permissions and settings within the VSFTP server environment.

• Task 4: Adding a User to the Group

• What it Does: Creates a new user and assigns them to the previously established group.

• Comparison: Similar to giving someone membership to a club or a group.

• Details: This task adds a specific user to the previously created group, providing them access to the file-sharing capabilities within the VSFTP server.

• Task 5: Setting Up Storage Directories

• What it Does: Creates specific folders (directories) for storing and uploading files.

• Comparison: Like setting up different rooms or spaces for various purposes in a building.

• Details: It establishes two directories within the server - one for general storage (/var/sftp/) and another for file uploads (/var/sftp/upload). It assigns ownership and permissions to ensure the user and group have appropriate access rights.

• Task 6: Configuring Server Settings

• What it Does: Alters the server's configuration for secure file transfer.

• Comparison: Adjusting rules or settings in a building to ensure safety and organization.

• Details: This task modifies the server's SSH configuration file to enforce secure file transfer settings for a specific user. It restricts the user to use only the internal-sftp method, enhances password authentication, and sets a specific directory for their access.

• Final Action: Restarting Services

• What it Does: Restarts essential services to apply changes made by the playbook.

• Comparison: Similar to turning off and then on again to make sure all changes take effect.

• Details: It restarts the VSFTP and SSHD (SSH server) services to apply all the configurations and settings implemented by the playbook.

Each task contributes to setting up a secure and functional VSFTP server, ensuring the right software is installed, users are added with appropriate permissions, directories are created for storage, and the server is configured for safe file sharing.

1. How to Access FTP Service from a Remote Machine

To access an FTP service from a remote machine, you typically use an FTP client. Here's a general step-by-step guide:

• Install an FTP Client: First, ensure you have an FTP client installed on your remote machine. Popular FTP clients include FileZilla, WinSCP, MobaXterm (for Windows), Cyberduck (for macOS), or the command-line FTP client. Here on the window machine, I am using MobaXterm & FileZilla.

• MobaXterm (Command Line Interface)

You can see upload directory here.

Basic Commands to use VSFTP command line:

• ls or dir: Lists files and directories on the remote server.

• get <filename>: Downloads a file from the remote server.

• put <filename>: Uploads a file to the remote server.

• cd <directory>: Changes the current directory on the remote server.

• mkdir <directory>: Creates a directory on the remote server.

• delete <filename>: Deletes a file on the remote server.

• bye or exit: Quits the FTP session and disconnects from the server.

• FlleZilla (Graphically | Drop your file here)

Thank you for your time.

if any issue occurs in this article setup, commands, theory, or definition. Please send a comment in the comment box.