New features:
- Using cockpit web interface
- Using enhanced firewall: nftables
- Managing NFSv4 with nfsconf
- Layered storage management with stratis
- Data de-duplication and compression with VDO (virtual data optimizer)
The resources feel quite scattered; what I don't know, I simply don't know 😢. RedHat provides lab interactive learning exercises:
Openshift lab interactive exercise:
Fast Ping Test
This is the new shorthand format:
```sh
# last decimal represents 24 bits
```
Cockpit Web Console
Available since CentOS 7.5. It is essentially a simplified desktop: you can check logs, create accounts, monitor the network, start services, and so on.
```sh
# install
```
Set the root password (the vagrant user is privileged); run:
```sh
sudo passwd root
```
I have port forwarding for 9090, so I can view the cockpit UI at localhost:9090 and log in as root with the password I set. After login, cockpit.service is active:
```sh
systemctl status cockpit.service
```
There is a terminal in the web UI; you can work with it just like a normal SSH terminal.
The dashboard plugin:
```sh
# see plugins
```
With the cockpit dashboard plugin installed, you can connect to remote machines (with cockpit installed and cockpit.socket running); the dashboard acts like a control plane.
Other plugins, such as cockpit-machines, are used to manage virtual guests.
Enhancing Firewall
RedHat 8: Getting started with nftables
nftables is the designated successor to the iptables, ip6tables, arptables, and ebtables tools. Stick to one tool rather than mixing them; the firewalld command can be replaced by nftables.
NFTables
nft is the default kernel firewall in CentOS 8: a single command for IPv4, IPv6, ARP, and bridge filters. nftables does not have any predefined tables; tables are created by firewalld or by our own scripts.
First `yum install nftables` (run as sudo or root). Stop and disable firewalld:
```sh
systemctl disable --now firewalld
```
Now start and enable firewalld again; since firewalld on CentOS 8 uses nftables as its backend, the tables will be created by it:
```sh
systemctl enable --now firewalld
```
Some common commands:
```sh
# list all tables
```
Let's see the demo code to build nftables:
- create chains
- create rules
```sh
# disable firewalld
```
Add SSH inbound to our system by setting rules:
```sh
# add rule to inet filter table INPUT chain
```
Persisting nftables rules
```sh
# store rules
```
Using the systemd service unit:
```sh
# the systemd service unit for nftables uses /etc/sysconfig/nftables.conf
```
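As an added example (not from the original notes or RedHat's lab), the following shell function emits a complete ruleset of the kind built above: the inet filter table, input/forward/output chains, and an input chain that accepts only SSH with a default drop policy. It is written in nft's native file syntax so it can be saved straight to /etc/sysconfig/nftables.conf for the systemd unit; the port argument is an assumption (default 22).

```shell
#!/bin/sh
# Added example: print an nftables ruleset that only allows SSH inbound.
# The optional first argument is the SSH port (assumed; defaults to 22).
nft_ruleset() {
  port="${1:-22}"
  cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport ${port} accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Usage on the host (needs root and the nftables package):
#   nft_ruleset > /etc/sysconfig/nftables.conf
#   nft -c -f /etc/sysconfig/nftables.conf   # syntax check only, loads nothing
#   nft -f /etc/sysconfig/nftables.conf      # load it now
#   systemctl enable --now nftables          # reload it at boot
```

Check the ruleset with `nft -c -f` before loading it over an SSH session, since a mistake in the input chain can lock you out.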
NFSv4
CentOS 8 uses NFSv4.2 as the NFS server. The new tool nfsconf writes to /etc/nfs.conf.
Topics: enable and use NFSv4 only, manage inbound TCP connections using the firewall, and configure SELinux for NFS.
Install the nfs package on both server and clients:
```sh
yum install -y nfs-utils
```
By default NFSv2 is disabled and NFSv3 and above are enabled; we will disable NFSv3 and use NFSv4 only, with only TCP port 2049 open. Seen this way, the NFS in my previous project used the default settings, and was not secure.
We can edit /etc/nfs.conf or use nfsconf commands:
```sh
nfsconf --set nfsd vers4 y
```
Start the nfs server daemon:
```sh
systemctl enable --now nfs-server.service
```
Check which ports are open:
```sh
ss -tlp -4
```
We don't need sunrpc with NFSv4, so mask both the service and the socket:
```sh
systemctl mask --now rpc-statd rpcbind.service rpcbind.socket
```
Then only the nfs and mountd ports remain, and only the nfs port needs a firewalld setting:
```sh
ss -tl -4
```
Let's create some shared files:
```sh
mkdir /share
```
Go and edit the /etc/exports file:
```sh
# Here only rw, in my previous work, we use (rw,insecure,async,no_root_squash)
```
Configure the firewall:
```sh
firewall-cmd --add-service=nfs --permanent
```
Then go to the client and mount the /share folder.
Later it covers SELinux support for NFS, which I don't need for now and didn't fully understand.
Storage Management Stratis
Stratis resources:
The explanation in the video is better than RedHat's exercise; for mounting it uses /etc/fstab persistent configuration.
When creating the filesystem, the author chooses xfs, so what is the difference compared to ext4?
Virtual Data Optimizer
VDO provides block-level deduplication, compression, and thin provisioning to save space.
Example use case: to reduce operational and storage costs in data centers, we use the deduplication and compression features of VDO to decrease the footprint of data.