How to install Docker EE in RHEL7

We will see how to install Docker EE on RHEL 7 in this post. Our blog also has other posts covering Docker installation on Linux.

Docker is a container virtualization technology that makes deploying an application more efficient.

We have two options to install Docker EE on Red Hat Linux.

  1. Yum repository: Create/enable a yum repository and install from it. This is the recommended way to install/upgrade a package in Linux.
  2. RPM: Download the package and install it manually. This is useful when the system doesn’t have internet access.

Requirements:

RHEL 7.1 or higher operating system.

overlay2 or device-mapper storage driver (direct-lvm mode for production environments).

Yum repository.

Disable SELinux on IBM Power Systems before install/upgrade.

Enabling YUM Repository for Docker EE Installation:

Browse to “https://store.docker.com/my-content” and log in. You should at least be registered for the trial.

Once logged in, click “Setup” to get the URL to enable the repository.

Copy the URL from “Copy and paste this URL to download your Edition:” and save it for later use.

You will use this URL to create the variable called “DOCKERURL”.

Use the below command to remove any existing Docker repo.

[root@localhost ~]# rm /etc/yum.repos.d/docker*.repo

Save the copied URL in the environment variable DOCKERURL. Replace “<DOCKER-EE-URL>” in the below command with your URL.

[root@localhost ~]# export DOCKERURL="<DOCKER-EE-URL>"

Then store the value of DOCKERURL in the yum variable file /etc/yum/vars/dockerurl:

[root@localhost ~]# sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'

Now store the OS version in /etc/yum/vars/dockerosversion:

[root@localhost ~]# sh -c 'echo "7.3" > /etc/yum/vars/dockerosversion'

Then install the required packages yum-utils, device-mapper-persistent-data and lvm2

[root@localhost ~]# yum -y install yum-utils device-mapper-persistent-data lvm2

Now enable the RHEL extras repository. This ensures access to container-selinux, a package required by “Docker-EE”. The below command is used on all architectures except IBM Power Systems.

[root@localhost ~]# yum-config-manager --enable rhel-7-server-extras-rpms
Loaded plugins: product-id

For IBM Power Systems use the below commands:

[root@localhost ~]# yum-config-manager --enable extras
[root@localhost ~]# subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms
[root@localhost ~]# yum makecache fast
[root@localhost ~]# yum -y install container-selinux

Add the Docker EE repository using below command.

[root@localhost ~]# yum-config-manager --add-repo "$DOCKERURL/rhel/docker-ee.repo"

Installing Docker EE in RedHat Linux:

Now install Docker EE from the Docker repository by executing the below command.

[root@localhost ~]# yum install docker-ee

Note: If the above command fails on the “container-selinux” dependency, install container-selinux first. The below two packages are dependencies of container-selinux:

policycoreutils.2.5-11.el7

policycoreutils-python (This will be available in your OS packages list)

Now try again to install docker-ee using yum.

Start Docker using systemctl.

[root@localhost ~]# systemctl start docker

Now we have completed the docker-ee installation.

To verify that Docker EE is installed correctly, run the hello-world image. This downloads a test image, runs it in a container, and prints an informational message.

[root@localhost ~]# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
9bb5a5d4561a: Pull complete
Digest: sha256:f5233545e43561214ca4891fd1157e1c3c563316ed8e237750d59bde73361e77
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/

For more examples and ideas, visit:
https://docs.docker.com/engine/userguide/

So, finally we have completed the Docker installation.

Reference: docs.docker.com

List of tools in Kali Linux

Kali Linux has more than 500 tools. Below are the categories of available tools, with the number of tools in each.

List of tools in Kali Linux:
  1. Exploitation tools (21)
  2. Forensics (23)
  3. Hardware hacking (6)
  4. Information Gathering (69)
  5. Maintaining Access (18)
  6. Password Attacks (41)
  7. Reporting Tools (10)
  8. Reverse Engineering (11)
  9. Sniffing/ Spoofing (32)
  10. Stress testing (14)
  11. Uncategorized (10)
  12. Vulnerability Analysis (29)
  13. Web Applications (44)
  14. Wireless Attacks (53)

We will look briefly at these categorized tools in future posts.

Thanks for your support. Comments are always welcome, so that we can provide you a better experience in learning technologies.

Reference: Kali Docs

VNC installation in rhel7

We will see how to install VNC on RHEL 7 in this post.

VNC helps us share the desktop with a GUI; for that, the VNC server/client should be installed on both machines.

Before installing VNC, we should install GNOME on RHEL 7.

Installing VNC Server:

Use yum to install the VNC server. Yum should already be configured on your server.

[root@localhost ~]# yum -y install vnc*

Configuring VNC Server in RHEL7:

To configure the port and user, copy vncserver@.service from /lib/systemd/system/ to /etc/systemd/system/.

5900 is the default listening port.

[root@localhost ~]# cp /lib/systemd/system/vncserver@.service /etc/systemd/system/

Now open the /etc/systemd/system/vncserver@.service file in the vi editor, locate <USER>, and replace it with the username you are going to use for remote access.

[root@localhost ~]# vi /etc/systemd/system/vncserver\@.service

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Updated:

[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/sbin/runuser -l root -c "/usr/bin/vncserver %i"
PIDFile=/root/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Now open the port in the firewall to allow VNC access, using firewalld.

[root@localhost ~]# firewall-cmd --permanent --add-port=5900/tcp
success
[root@localhost ~]# firewall-cmd --reload
success

Then start the VNC server.

[root@localhost ~]# vncserver

It will now prompt you to set the password for accessing the desktop.

You will require a password to access your desktops.
Password:
Verify:
xauth: file /root/.Xauthority does not exist

New 'localhost.localdomain:1 (root)' desktop is localhost.localdomain:1

Creating default startup script /root/.vnc/xstartup
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/localhost.localdomain:1.log

Now reload the systemd daemon.

[root@localhost ~]# systemctl daemon-reload

Then start the service and enable it permanently using the below commands. vncserver@.service is a template unit, so the display number (:1 in the output above) is given as the instance name.

[root@localhost ~]# systemctl start vncserver@:1.service

[root@localhost ~]# systemctl enable vncserver@:1.service

Finally, we have completed all the configuration on the Linux machine. To check it, open a VNC client on a Windows machine and connect using the Linux machine's IP address and port number:

192.168.1.104:5900

It will prompt for the password; provide the password to access the Linux machine.

Reference: itzgeek

Logrotate in Linux

We will see how to configure/use logrotate in Linux to compress, move, delete or mail log files at periodic intervals. Doing this keeps the filesystem from filling up.

Setting up and managing logrotate in Linux:

In a Linux/Unix environment, /var/log is the most important directory, and it keeps a log of all activities.

System administrators use the logs to analyze any issues.

/var/log keeps lots of log files; here is the list.

[root@localhost ~]# ls /var/log
anaconda boot.log cron dmesg.old lastlog messages rhsm spooler tuned wtmp
audit btmp dmesg firewalld maillog ppp secure tallylog vmware-vmsvc.log

Installing logrotate:

Here I am going to use the yum package manager to install the logrotate.

[root@localhost ~]# yum install logrotate
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Package logrotate-3.8.6-12.el7.x86_64 already installed and latest version
Nothing to do

Looks like the package is already installed on my machine.

/etc/logrotate.conf is the main configuration file, which contains all the log rotation configuration. The line “include /etc/logrotate.d” in it should be uncommented.

We have plenty of options in logrotate; some of them are used below.

We will create the /etc/logrotate.d/apache2.conf file and insert the below content.

/var/log/apache/* {
weekly
rotate 5
size 25M
compress
delaycompress
}

daily, weekly, monthly: The tool rotates the logs at this interval.

rotate 5: Keeps only 5 rotated files; older files are removed.

size 25M: The minimum size a log file must reach before it is rotated.

compress & delaycompress: compress compresses the rotated logs with gzip; delaycompress postpones compressing the most recently rotated log until the next rotation cycle.
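
To see what rotate 5, size, compress and delaycompress do to the files on disk, here is a small shell simulation of rotation cycles. It is an added example, not logrotate's code and not from the original post; the file name access.log, the byte threshold and the function names are assumptions, and the weekly schedule is not modelled.

```shell
#!/bin/sh
# Simulation of logrotate cycles for: rotate <keep>, size <bytes>,
# compress, delaycompress. Illustration only, not logrotate's own code.

# needs_rotation <logfile> <min-bytes>: true once the log has outgrown "size".
needs_rotation() {
    [ -f "$1" ] || return 1
    size=$(($(wc -c < "$1")))
    [ "$size" -gt "$2" ]
}

# rotate_once <logfile> <keep>: perform one rotation.
rotate_once() {
    log=$1
    keep=$2
    rm -f "$log.$keep" "$log.$keep.gz"      # oldest generation falls off
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        next=$((i + 1))
        if [ -f "$log.$i.gz" ]; then
            mv "$log.$i.gz" "$log.$next.gz"
        elif [ -f "$log.$i" ]; then
            # delaycompress: the log rotated last cycle is compressed only now
            mv "$log.$i" "$log.$next"
            gzip -f "$log.$next"
        fi
        i=$((i - 1))
    done
    mv "$log" "$log.1"                      # newest rotated log stays uncompressed
    : > "$log"                              # fresh empty log for the application
}

# simulate <cycles> <keep> <min-bytes>: write one constructed line per cycle,
# rotate when the size threshold is exceeded, print the resulting file names.
simulate() {
    dir=$(mktemp -d) || return 1
    log="$dir/access.log"
    c=1
    while [ "$c" -le "$1" ]; do
        printf 'constructed log line for cycle %s\n' "$c" >> "$log"
        if needs_rotation "$log" "$3"; then
            rotate_once "$log" "$2"
        fi
        c=$((c + 1))
    done
    files=$(cd "$dir" && LC_ALL=C ls | tr '\n' ' ')
    rm -rf "$dir"
    echo "${files% }"
}

# Eight cycles, keep 5 generations, rotate once the log exceeds 10 bytes.
simulate 8 5 10
```

After eight rotations only five old generations remain, and access.log.1 is the only one not yet gzipped.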

Now we will do a test using the below command; the -d option runs logrotate in debug mode, so nothing is actually rotated.

[root@localhost ~]# logrotate -d /etc/logrotate.d/apache2.conf

 

 

Reference: Tecmint

RedHat Enterprise Linux 7 Installation

We will start learning Red Hat Enterprise Linux 7 installation in this post.

RHEL 7 has many new features and some small differences in installation compared to older versions, where we gave inputs like hostname, timezone, package selection, network configuration, kdump configuration, etc. on successive screens. In RHEL 7 we can provide those details on a single screen. Everything else remains the same.

Boot the machine using the RHEL 7 media and you will get the boot screen.

Now select “Install Red Hat Enterprise Linux 7.3” to begin the installation.

First, you will get a screen asking you to select the system language and keyboard layout.

Next you will get a screen where you provide all the information needed to install the operating system.

On this screen, you can provide all the information such as software selection, partitioning (in the “Installation destination” tab), time zone, etc.

Now we will edit some of the configuration based on our requirements.

First, edit the time zone and select Asia/Kolkata.

You can select the time zone in two ways: by clicking on India on the map, or by selecting Asia and Kolkata in the drop-down lists.

Then click the Done button, shown in the upper-left corner of the screen, to complete this part.

Likewise, we should click Done for each and every part.

Now click on the “Software selection” tab to select packages.

We will continue with the default, which is “minimal installation”.

Based on the selected package group, it will install the required packages.

Next, click on “Installation destination” to create partitions.

We have two options at this stage: “Automatically configure partitions” and “I will configure partitioning”.

If you select the first option, it will create the partitions automatically with LVM; if you select the second option, we need to provide the partition details manually.

Here let us see how to create manual partitions.

Once you select the second option, you will get a screen asking for the partition type: Standard, LVM, etc.

Select Standard to create a normal partition,

and click Done to go to the next screen of partition creation.

It will ask for the mount point and size. The below filesystems are compulsory when doing manual partitioning.

  1. boot – Contains bootloader and partition information
  2. / (root)
  3. swap – Virtual memory

As above, we will create the three mandatory partitions to continue the installation,

and click Done to go back to the main screen.

It will ask for our confirmation to write the partition changes to the disk. Click “Accept Changes”.

Now click “Begin Installation” to start the package installation.

On the package installation screen, we can see that the root password has not been set yet. So click on “Root Password”, set the root password, and click Done.

See the screen after the root password has been assigned.

Once the installation completes, it will ask for a reboot. Click the “Reboot” button to complete the installation.

We completed the RHEL 7 installation successfully.

How to boot with an old kernel version in RHEL7

In this post, we will see how to boot with an old kernel version in RHEL 7, for when the updated kernel is not suitable for your application or the OS is not booting.

There might be a requirement to upgrade the operating system or the kernel version alone on Linux/Unix machines.

In such cases, we might face issues with the upgraded kernel version. To fix that, follow the below steps.

By default, the /etc/default/grub file has an entry GRUB_DEFAULT=saved.

[root@localhost ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

This entry instructs the system which kernel will be used to load the operating system by checking the saved_entry in the grubenv file, which is in /boot/grub2/grubenv.

[root@localhost ~]# cat /boot/grub2/grubenv
# GRUB Environment Block
saved_entry=0
#########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################[root@localhost ~]#

So we can set the default kernel by editing the /boot/grub2/grubenv file or by using the grub2-set-default command.

To do this, first select the old kernel on the GRUB splash screen to boot the operating system.

Then use the grub2-set-default command to change the default kernel.

Before changing it, remember that the most recently updated kernel is always on top, and the numeric value “0” refers to this kernel in the command.

The old one comes next, so the numeric value “1” refers to the old kernel. The numbering starts from 0.

The /boot/grub2/grub.cfg file contains the kernel and initramfs image details.

The below command shows the list of kernels installed on this machine.

[root@localhost ~]# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
Red Hat Enterprise Linux Server (3.10.0-693.17.1.el7.x86_64) 7.3 (Maipo)
Red Hat Enterprise Linux Server (3.10.0-514.el7.x86_64) 7.3 (Maipo)
Red Hat Enterprise Linux Server (0-rescue-ffc8e857b7b84166b88e7b0522c168a4) 7.3 (Maipo)

By default, saved_entry will be the latest one, which you updated.

The below command changes the default kernel to the old one, so that the operating system boots without any issue.

[root@localhost ~]# grub2-set-default 1

Now check the /boot/grub2/grubenv file again to verify the default kernel.

[root@localhost ~]# cat /boot/grub2/grubenv | grep saved
saved_entry=1

Now you can see in the above output that the old kernel is set as the default.

Now rebuild the /boot/grub2/grub.cfg file using the grub2-mkconfig -o command.

Use the below command in BIOS based machines:

[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-693.17.1.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-693.17.1.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-ffc8e857b7b84166b88e7b0522c168a4
Found initrd image: /boot/initramfs-0-rescue-ffc8e857b7b84166b88e7b0522c168a4.img
done

Use below command for UEFI based machines:

[root@localhost ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Finally, restart the machine and check whether the machine boots using the old kernel.
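
Counting menu entries by hand is error-prone, and the index changes whenever kernels are added or removed. The following added example (not part of the original post) resolves the index for grub2-set-default from a kernel version and shows what a saved_entry value boots; the function names are hypothetical and the sample grub.cfg is constructed from the entry titles listed above.

```shell
#!/bin/sh
# Constructed stand-in for /boot/grub2/grub.cfg; titles match the listing above.
sample_grub_cfg() {
cat <<'EOF'
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Red Hat Enterprise Linux Server (3.10.0-693.17.1.el7.x86_64) 7.3 (Maipo)' --class red --class gnu-linux {
	linux16 /vmlinuz-3.10.0-693.17.1.el7.x86_64 ro crashkernel=auto rhgb quiet
}
menuentry 'Red Hat Enterprise Linux Server (3.10.0-514.el7.x86_64) 7.3 (Maipo)' --class red --class gnu-linux {
	linux16 /vmlinuz-3.10.0-514.el7.x86_64 ro crashkernel=auto rhgb quiet
}
menuentry 'Red Hat Enterprise Linux Server (0-rescue-ffc8e857b7b84166b88e7b0522c168a4) 7.3 (Maipo)' --class red {
	linux16 /vmlinuz-0-rescue-ffc8e857b7b84166b88e7b0522c168a4 ro crashkernel=auto rhgb quiet
}
EOF
}

# grub_entries: print "<index> <title>" for every menuentry (grub.cfg on stdin).
grub_entries() {
    awk -F\' 'BEGIN { n = 0 } $1 == "menuentry " { printf "%d %s\n", n, $2; n++ }'
}

# grub_index_for <kernel-version>: print the menu index of that kernel
# (grub.cfg on stdin); non-zero exit status when no entry matches.
grub_index_for() {
    awk -F\' -v ver="$1" '
        BEGIN { n = 0 }
        $1 == "menuentry " {
            if (index($2, "(" ver ")")) { print n; found = 1; exit }
            n++
        }
        END { exit (found ? 0 : 1) }'
}

# saved_entry_of: extract the saved_entry value from grubenv text on stdin.
saved_entry_of() {
    sed -n 's/^saved_entry=//p'
}

# booted_title <saved_entry>: title that value selects (grub.cfg on stdin).
# saved_entry may hold an index or a menu title, so both are handled.
booted_title() {
    case $1 in
        ''|*[!0-9]*) printf '%s\n' "$1" ;;
        *) grub_entries | sed -n "s/^$1 //p" ;;
    esac
}

# Resolve the index for the old kernel instead of assuming it is 1.
idx=$(sample_grub_cfg | grub_index_for 3.10.0-514.el7.x86_64)
echo "grub2-set-default $idx"
echo "would boot: $(sample_grub_cfg | booted_title "$idx")"
```

On a real machine the same functions read /etc/grub2.cfg and /boot/grub2/grubenv on standard input.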

Reference: Red Hat Document

Limiting CPU and Memory usage to users/groups(CGroups)

In this post we are going to see how to limit CPU and memory usage for users/groups.

In large environments, a single system may be accessed by more than one user at a time, so users can consume resources heavily.

For our exercise we are going to use the RHEL 7 operating system.

CGroups help us limit resources per group of users.

We have the below users already created for practice.

[root@server ~]# grep home /etc/passwd
lbcuser1:x:1005:1007::/home/lbcuser1:/bin/bash
lbcuser2:x:1006:1008::/home/lbcuser2:/bin/bash
lbcuser3:x:1007:1009::/home/lbcuser3:/bin/bash
lbcuser:x:1008:1011::/home/lbcuser:/bin/bash

Users are assigned to below mentioned groups.

Groups:    lbcgroup, finance, admin

[root@server ~]# grep "lbcuser" /etc/group
finance:x:1003:lbcuser2
lbcgroup:x:1010:lbcuser1,lbcuser
admin:x:1012:lbcuser3

To work on this, the libcgroup package should be installed. We will use /etc/cgconfig.conf and /etc/cgrules.conf to apply rules to the users to limit their resource use.

Follow the below steps to apply rules per group:

[root@server ~]# vi /etc/cgconfig.conf
mount {
 cpu = /cgroup/cpu_and_mem;
 cpuacct = /cgroup/cpu_and_mem;
 memory = /cgroup/cpu_and_mem;
}

group finance {
 cpu {
 cpu.shares="250";
 }
 cpuacct {
 cpuacct.usage="0";
 }
 memory {
 memory.limit_in_bytes="1G";
 memory.memsw.limit_in_bytes="2G";
 }
}

group lbcgroup {
 cpu {
 cpu.shares="250";
 }
 cpuacct {
 cpuacct.usage="0";
 }
 memory {
 memory.limit_in_bytes="1G";
 memory.memsw.limit_in_bytes="2G";
 }
}

group admin {
 cpu {
 cpu.shares="500";
 }
 cpuacct {
 cpuacct.usage="0";
 }
 memory {
 memory.limit_in_bytes="1G";
 memory.memsw.limit_in_bytes="2G";
 }
}

When the server starts, the above configuration file mounts the cpu, cpuacct and memory subsystems on a single cpu_and_mem cgroup hierarchy.

CPU:

The cpu.shares parameter assigns the share of CPU resources available to the processes of each group. Assigning the values 250, 250 and 500 to the finance, lbcgroup and admin groups splits the CPU resources in a 1:1:2 ratio. If only one process is running, it doesn’t matter which cgroup it falls in. The CPU limitation applies only when more than one process is running.

cpuacct:

cpuacct.usage="0" resets the CPU usage recorded in the cpuacct.usage and cpuacct.usage_percpu files. These files contain the total CPU time used by all the processes.

Memory:

memory.limit_in_bytes="1G" sets how much memory a cgroup is allowed to use.

memory.memsw.limit_in_bytes="2G" sets how much memory plus swap space a cgroup is allowed to use.

cgrulesengd:

Start this daemon using below command:

[root@server ~]# systemctl start cgred

This daemon moves processes into specific cgroups; for that we need to configure /etc/cgrules.conf like below.

[root@server ~]# vi /etc/cgrules.conf
# /etc/cgrules.conf
#The format of this file is described in cgrules.conf(5)
#manual page.

@finance  cpu,memory finance
@lbcgroup cpu,memory lbcgroup
@admin    cpu        admin

As above, we assign rules to groups.

Here, a process is moved to a cgroup based on which user started it and which group that user belongs to.

For example, a process started by the lbcuser1 user gets its limits from the lbcgroup cgroup, and it is added to the /cgroup/cpu_and_mem/lbcgroup/tasks file.

cgconfig:

Start this service to create the cgroup hierarchy and set the required parameters in all cgroups.

[root@server ~]# systemctl start cgconfig

To make all changes persistent across reboots, configure both services (cgred, cgconfig) to start by default.

[root@server ~]# systemctl enable cgred

[root@server ~]# systemctl enable cgconfig
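
The following added example (not from the original post or from the cgroup tools themselves) reads the cgconfig.conf and cgrules.conf content shown above to work out each group's CPU share when all three groups are busy and nothing else competes, and which rule a given user's processes match. The function names and the guest user are assumptions; the group sections are condensed from the file above.

```shell
#!/bin/sh
# Group sections condensed from the cgconfig.conf above (mount section omitted).
page_cgconfig() {
cat <<'EOF'
group finance {
 cpu { cpu.shares="250"; }
 memory { memory.limit_in_bytes="1G"; memory.memsw.limit_in_bytes="2G"; }
}
group lbcgroup {
 cpu { cpu.shares="250"; }
 memory { memory.limit_in_bytes="1G"; memory.memsw.limit_in_bytes="2G"; }
}
group admin {
 cpu { cpu.shares="500"; }
 memory { memory.limit_in_bytes="1G"; memory.memsw.limit_in_bytes="2G"; }
}
EOF
}

# Rules copied from the cgrules.conf above.
page_cgrules() {
cat <<'EOF'
# /etc/cgrules.conf
@finance  cpu,memory finance
@lbcgroup cpu,memory lbcgroup
@admin    cpu        admin
EOF
}

# cpu_share_pct: print "<group> <cpu.shares> <percent>" per group, where
# percent is that group's slice when every listed group is competing for CPU.
cpu_share_pct() {
    awk '
        $1 == "group"  { g = $2; order[++n] = g }
        /cpu\.shares/  { v = $0; gsub(/[^0-9]/, "", v); shares[g] = v + 0; total += v }
        END {
            if (total == 0) exit 1
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", order[i], shares[order[i]], int(shares[order[i]] * 100 / total)
        }'
}

# cgroup_for <user> <comma-separated groups>: print "<controllers> <destination>"
# of the first matching rule (cgrules.conf on stdin). Exit status 1 means no
# rule matched, so the process is not moved into any of these cgroups.
cgroup_for() {
    awk -v user="$1" -v groups="$2" '
        BEGIN { k = split(groups, gl, ","); for (i = 1; i <= k; i++) member[gl[i]] = 1 }
        /^[ \t]*#/ || NF < 3 { next }
        {
            who = $1
            sub(/:.*/, "", who)     # drop an optional ":process" suffix
            if (who == "*" || who == user ||
                (substr(who, 1, 1) == "@" && (substr(who, 2) in member))) {
                print $2, $3
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

page_cgconfig | cpu_share_pct
# Users and groups from the /etc/group listing above; guest is constructed.
for ug in lbcuser1:lbcgroup lbcuser2:finance lbcuser3:admin guest:users; do
    u=${ug%%:*}
    g=${ug#*:}
    if dest=$(page_cgrules | cgroup_for "$u" "$g"); then
        echo "$u -> $dest"
    else
        echo "$u -> no rule matched"
    fi
done
```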

 

Reference: Red Hat official documentation

How to install Graphical user Interface/GUI on RedHat 7 Linux

In this post we are going to see how to install a graphical user interface (GUI) on Red Hat Linux.

We have 7 runlevels in Red Hat, and of those, runlevel 5 is used for the GUI.

Use the below command to change from the current runlevel to the GUI (before changing to graphical mode, make sure the GNOME package is installed):

[root@server ~]# init 5

To set GUI as default runlevel, use the below command and reboot the machine.

[root@server ~]# systemctl set-default graphical.target

If the runlevel switches to the GUI without any error, then the package is already installed on your machine.

If you receive an error, then you should install the GNOME package.

Let’s see how to install the GUI in Red Hat 7.

We will use the yum package manager to install the GUI.

We have two types of repository: online and local. First decide which repository you are going to use to install the GNOME package.

If your machine is connected to the internet, register with the Red Hat repository using the below commands.

[root@server ~]# subscription-manager register
[root@server ~]# subscription-manager refresh
[root@server ~]# subscription-manager attach --auto

To use a local repository, make sure it is already configured on your machine.

Use the below command to check the group name for GNOME installation.

[root@server ~]# yum grouplist
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There is no installed groups file.
Maybe run: yum groups mark convert (see man yum)
Available Environment Groups:
 Minimal Install
 Infrastructure Server
 File and Print Server
 Basic Web Server
 Virtualization Host
 Server with GUI
Available Groups:
 Compatibility Libraries
 Console Internet Tools
 Development Tools
 Graphical Administration Tools
 Legacy UNIX Compatibility
 Scientific Support
 Security Tools
 Smart Card Support
 System Administration Tools
 System Management
Done

We should install “Server with GUI” using yum like below.

[root@server ~]# yum -y groupinstall "Server with GUI"

Now the GUI is successfully installed on our machine. Try to switch using the “init 5” command.

Thanks for reading this post.

Reference: Red Hat Discussion

Permission handling in Linux

In this post (Permission handling in Linux) we are going to see how to set permissions for files and directories in Linux/Unix.

Before setting/unsetting permissions, we should check the existing permissions of a file using the ll <filename> command like below.

[root@server ~]# ll abu
-rwxrwxrwx. 1 abu root 113 Dec 11 20:22 abu

We can assign permissions for the below categories, and the same are displayed when executing the ll or ls -l command.

User:    u

Group:  g

Others:  o

Numeric values used for changing/identifying the permissions:

Read:       4, r

Write:      2, w

Execute:  1, x

Command used for changing file permissions:

# chmod 655 <filename>

Example:

Command to set permission:

We are going to change the permission of the file abu from 777 to 755 using the below command. 755 gives full permission to the user, and read and execute to group and others.

[root@server ~]# chmod 755 abu
[root@server ~]# ll abu
-rwxr-xr-x. 1 abu root 113 Dec 11 20:22 abu

We can also set the permissions using characters like below.

Read:        r

Write:       w

Execute:  x

Example:

Command to set permission using characters:

In the below example we are going to add execute permission for others alone.

[root@server ~]# ll abu1
-rwxr-xr--. 1 root abu 0 Dec 11 20:17 abu1
[root@server ~]# chmod o+x abu1
[root@server ~]# ll abu1
-rwxr-xr-x. 1 root abu 0 Dec 11 20:17 abu1

Changing ownership of a file or directory:

# chown user:group <filename>

Example:

In the below example we are going to change the owner of the lbc directory to lbcuser. The user has been created already.

Note: The existing owner and group are root.

Before changing ownership:

[root@server ~]# mkdir lbc
[root@server ~]# ll | grep lbc
drwxr-xr-x. 2 root root 6 Dec 16 20:33 lbc

After changing ownership:

[root@server ~]# chown lbcuser lbc
[root@server ~]# ll | grep lbc
drwxr-xr-x. 2 lbcuser root 6 Dec 16 20:33 lbc

The chown command can change the group as well, like below.

We are going to change the group to finance.

[root@server ~]# chown :finance lbc
[root@server ~]# ll | grep lbc
drwxr-xr-x. 2 lbcuser finance 6 Dec 16 20:33 lbc

We can change the group alone using the chgrp command:

[root@server ~]# mkdir lbc1
[root@server ~]# chgrp finance lbc1
[root@server ~]# ll | grep lbc1
drwxr-xr-x. 2 root finance 6 Dec 16 20:47 lbc1

Reference: RedHat Document

ACL in RHEL7/Cent OS 7

In this post we are going to see how to secure files and directories using ACL in RHEL 7/CentOS 7.

As a first step, we need to check kernel support for ACL using the below command.

[root@server ~]# grep -i acl /boot/config*
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y

The above output says that this kernel supports ACL, since we can see the options marked yes (POSIX_ACL=y).

If it is set to N, then we need to rebuild the kernel.

Next we need to install the packages.

Required packages for ACL:

acl

nfs4-acl-tools

libacl

Now install all the above three packages using yum:

[root@server ~]# yum -y install nfs4-acl* acl libacl

We will assign read, write and execute permissions to files and directories using ACL, using the characters ugo/rwx in the commands for the respective permissions.

Now we will see an example which will help us understand clearly.

Create three users and one group like below.

[root@server ~]# useradd lbcuser1
[root@server ~]# useradd lbcuser2
[root@server ~]# useradd lbcuser3
[root@server ~]# groupadd lbcgroup
[root@server ~]# passwd lbcuser1
Changing password for user lbcuser1.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.

In the above output, a password has been set only for lbcuser1. In the same way, set passwords for the other two users.

Now add the lbcgroup group as a secondary group for the lbcuser1 and lbcuser2 users.

[root@server ~]# usermod -aG lbcgroup lbcuser1
[root@server ~]# usermod -aG lbcgroup lbcuser2

Create a directory and a file inside of that directory to assign and check permissions using acl.

[root@server ~]# mkdir /tmp/data
[root@server ~]# touch /tmp/data/testfile.txt

Now change the group of the file to lbcgroup like below.

[root@server ~]# chown :lbcgroup /tmp/data/testfile.txt
[root@server ~]# ll /tmp/data/testfile.txt
-rw-r--r--. 1 root lbcgroup 0 Dec 15 21:14 /tmp/data/testfile.txt

Set the permission 770 on testfile.txt using the chmod command.

Now we can log in as lbcuser1 and lbcuser2 and try to insert content into testfile.txt.

Both users are able to insert content into the file, because both users' group and the file's group are the same (lbcgroup).

[root@server ~]# su lbcuser1
[lbcuser1@server root]$ echo "My name is lbcuser1..." > /tmp/data/testfile.txt
[lbcuser1@server root]$ exit
exit
[root@server ~]# su lbcuser2
[lbcuser2@server root]$ echo "My name is lbcuser2..." > /tmp/data/testfile.txt
[lbcuser2@server root]$ exit
exit
[root@server ~]#

Now we will try to insert content as lbcuser3. It gives an error, since lbcuser3 is neither the owner of the file nor a member of lbcgroup.

[root@server ~]# su lbcuser3
[lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt
bash: /tmp/data/testfile.txt: Permission denied

So now we will grant read and write permission using ACL, without adding lbcuser3 to lbcgroup, and try again to insert content into the file.

[root@server ~]# setfacl -R -m u:lbcuser3:rw /tmp/data/testfile.txt
[root@server ~]# su lbcuser3
[lbcuser3@server root]$ echo "My name is lbcuser3..." > /tmp/data/testfile.txt
[lbcuser3@server root]$ cat /tmp/data/testfile.txt
My name is lbcuser3...

Since we used a single > symbol to redirect the echo command output into the file, it shows only our last content, which is “My name is lbcuser3…”

To set permission for a group, use g in the above command where we used u, and the group name where we gave the username, like below.

[root@server ~]# setfacl -R -m g:lbcgroup:rw /tmp/data/testfile.txt

To check the existing ACL permission of a file use getfacl command.

[root@server ~]# getfacl /tmp/data/testfile.txt
getfacl: Removing leading '/' from absolute path names
# file: tmp/data/testfile.txt
# owner: root
# group: lbcgroup
user::rwx
user:lbcuser3:rw-
group::rwx
mask::rwx
other::---

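In the same way as for a file, we can set permissions on a directory as well.

Command to set permission for directory:

The below command sets read permission alone, as a default ACL entry, for other users who are not the owner/group of the directory. Default entries are inherited by files and directories created inside it afterwards.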

[root@server ~]# setfacl -m d:o:r /tmp/data
[root@server ~]# getfacl /tmp/data
getfacl: Removing leading '/' from absolute path names
# file: tmp/data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r--
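
The getfacl output above contains a mask entry that the post does not walk through. The following added example (not part of the original post) applies the POSIX ACL access check to getfacl text: owner, then named user, then groups, then other (the same user/group/other classes as in the permissions post), with named and group entries limited by the mask. The function names and the guest user are assumptions, and the second sample is constructed by narrowing the mask, as chmod 740 would do on this file.

```shell
#!/bin/sh
# getfacl output for testfile.txt as shown above (mask::rwx).
page_acl() {
cat <<'EOF'
# file: tmp/data/testfile.txt
# owner: root
# group: lbcgroup
user::rwx
user:lbcuser3:rw-
group::rwx
mask::rwx
other::---
EOF
}

# Constructed variant: same entries, mask narrowed to read-only.
tight_acl() {
    page_acl | sed 's/^mask::rwx$/mask::r--/'
}

# acl_check <user> <comma-separated groups> <wanted perms, e.g. rw>
# Reads getfacl text on stdin, prints "allow (<class>)" or "deny (<class>)".
acl_check() {
    awk -v user="$1" -v groups="$2" -v want="$3" '
    # has(perms, need): 1 when every letter of need appears in perms
    function has(perms, need,    i) {
        for (i = 1; i <= length(need); i++)
            if (index(perms, substr(need, i, 1)) == 0) return 0
        return 1
    }
    # masked(perms): perms limited to the bits the mask entry allows
    function masked(perms,    i, c, out) {
        if (!have_mask) return perms
        out = ""
        for (i = 1; i <= length(perms); i++) {
            c = substr(perms, i, 1)
            if (c != "-" && index(mask, c) > 0) out = out c
        }
        return out
    }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || /^default:/ || NF == 0 { next }
    {
        split($1, f, ":")
        if (f[1] == "user" && f[2] == "")       uperm = f[3]
        else if (f[1] == "user")                nuser[f[2]] = f[3]
        else if (f[1] == "group" && f[2] == "") gperm = f[3]
        else if (f[1] == "group")               ngroup[f[2]] = f[3]
        else if (f[1] == "mask")                { mask = f[3]; have_mask = 1 }
        else if (f[1] == "other")               operm = f[3]
    }
    END {
        if (user == owner)      { ok = has(uperm, want); cls = "owner" }
        else if (user in nuser) { ok = has(masked(nuser[user]), want); cls = "named user" }
        else {
            k = split(groups, gl, ","); hit = 0; ok = 0
            for (i = 1; i <= k; i++) {
                if (gl[i] == ogroup) { hit = 1; if (has(masked(gperm), want)) ok = 1 }
                if (gl[i] in ngroup) { hit = 1; if (has(masked(ngroup[gl[i]]), want)) ok = 1 }
            }
            if (hit) cls = "group"
            else { ok = has(operm, want); cls = "other" }
        }
        verdict = ok ? "allow" : "deny"
        print verdict " (" cls ")"
    }'
}

# Who may read and write the file, under the page's mask and the narrowed one.
for who in root: lbcuser1:lbcgroup lbcuser3: guest:users; do
    u=${who%%:*}
    g=${who#*:}
    printf '%-9s mask rwx: %-20s mask r--: %s\n' "$u" \
        "$(page_acl | acl_check "$u" "$g" rw)" \
        "$(tight_acl | acl_check "$u" "$g" rw)"
done
```

With the narrowed mask, lbcuser3 and the members of lbcgroup lose write access even though their own entries still list it; the owner entry is not subject to the mask.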