Blog

  • Find the largest directories sorted by disk space

    Use the du command to list the directories that consume the most disk space. Replace $DIREC in the following command with a starting directory (e.g. / or /etc):

    # du -sh $DIREC/* | sort -r --human-numeric-sort | head -n10

    In the above command, the head -n10 option can be changed to list fewer or more results.

    Another example is given below.

    # du -sh /* | sort -r --human-numeric-sort | head -n10

  • Are all-numeric usernames allowed in AlmaLinux 8

    All-numeric login names are not supported in AlmaLinux and CentOS. Usernames that begin with a digit but also contain letters are not known to cause any issue; however, in CentOS 7 some system tools make varying assumptions about them.

    In AlmaLinux 8 and later releases, all-numeric usernames are not supported. For details, check the useradd man page; an excerpt is given below:

    Usernames may contain only lower and upper case letters, digits, underscores, or dashes. They can end with a dollar sign. Dashes are not allowed at the beginning of the username. Fully numeric usernames and usernames . or .. are also disallowed. It is not recommended to use usernames beginning with . character as their home directories will be hidden in the ls output. In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?

    In CentOS 7, user and group names consisting only of digits, while permitted by shadow-utils, are best avoided. OS tools such as getent, setfacl, and chown cannot reliably recognize all-numeric login names. If you still want to create all-numeric usernames, shadow-utils requires the SHADOW_ALLOW_ALL_NUMERIC_USER environment variable to be set to any value before useradd will create them.

    POSIX does not forbid all-numeric user names, but they can introduce certain issues. Some programs manipulate only a string or only an integer, but CLI tools receive their input as strings and have to decide whether 3001 should be treated as a string username or as the integer UID 3001.
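
    As an added example (not from the original post), the following POSIX sh function applies the useradd rules quoted above to a proposed login name before an account is created: the character class and optional trailing dollar sign, no leading dash, not . or .., and not fully numeric. The function name and the messages are mine.

```sh
#!/bin/sh
# Validate a login name against the useradd(8) rules quoted above.
# Returns 0 if acceptable, 1 otherwise; reasons go to stderr.
valid_username() {
    name=$1
    # Regular expression from the useradd man page excerpt
    re='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?$'

    if [ -z "$name" ]; then
        echo "rejected: empty name" >&2; return 1
    fi
    case $name in
        *[!0-9]*) ;;        # contains a non-digit, so not all-numeric
        *) # e.g. 3001: getent/chown/setfacl cannot tell it apart from UID 3001
           echo "rejected: '$name' is fully numeric and ambiguous with a UID" >&2
           return 1 ;;
    esac
    case $name in
        .|..) echo "rejected: '$name' is a reserved directory name" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$name" | grep -Eq "$re"; then
        echo "rejected: '$name' has disallowed characters or a leading dash" >&2
        return 1
    fi
    case $name in
        .*) echo "warning: '$name' starts with '.'; its home dir is hidden in ls" >&2 ;;
    esac
    return 0
}
```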


  • How to disable delayed ACKs

    TCP throughput (for example SCP) from a remote host is slow. A packet trace shows that the CentOS server waits up to 40ms before sending an ACK.

    In CentOS releases before 7.2, delayed ACKs can only be reduced, not eliminated. From CentOS 7.2, quickack is tunable on a per-route basis: when quickack is enabled on a route, the kernel disables delayed ACKs for traffic on that route. Enable it by running ip route change with the route definitions shown by ip route show, appending quickack 1.

    # ip route show
    default via 192.168.1.254 dev ens1 proto static metric 100
    192.168.1.0/24 dev ens1 proto kernel scope link src 192.168.1.112 metric 100

    # ip route change default via 192.168.1.254 dev ens1 proto static metric 100 quickack 1

    # ip route change 192.168.1.0/24 dev ens1 proto kernel scope link src 192.168.1.112 metric 100 quickack 1

    # ip route show
    default via 192.168.1.254 dev ens1 proto static metric 100 quickack 1
    192.168.1.0/24 dev ens1 proto kernel scope link src 192.168.1.112 metric 100 quickack 1
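
    As an added helper (not part of the original post), the POSIX sh function below turns the output of ip route show into the matching ip route change ... quickack 1 commands, one per route, skipping routes that already carry quickack, so the change can be applied to every route without retyping each definition. The function name is mine; review the generated commands before running them as root.

```sh
#!/bin/sh
# Read "ip route show" output on stdin and print one
# "ip route change ... quickack 1" command per route that lacks it.
# The route specification is reused verbatim because "ip route change"
# must match the existing route exactly.
quickack_commands() {
    while IFS= read -r route; do
        [ -n "$route" ] || continue
        case " $route " in
            *" quickack "*) continue ;;   # already tuned, nothing to do
        esac
        printf 'ip route change %s quickack 1\n' "$route"
    done
}

# Typical use (as root): ip route show | quickack_commands | sh
```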

  • How to check if FANOTIFY is enabled in Kernel

    You can verify whether FANOTIFY is enabled in the running kernel with the following command:

    # grep FANOTIFY /boot/config-$(uname -r)
    CONFIG_FANOTIFY=y
    CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

    FANOTIFY is built into the kernel, so no additional module needs to be loaded. It is enabled by default in CentOS 7, CentOS 8, and AlmaLinux 8.

  • How to calculate free space in thin pool LV

    You can calculate the free space in a thin pool LV from the output of the following command:

    # dmsetup status
    [... ]
    vg1-poolB-tpool: 0 45135824 thin-pool 1 4773/178944 90879/206109 - rw discard_passdown queue_if_no_space - 1024

    In the above output, 206109 is the total number of extents and 90879 the number of free extents. Next, find the chunk size as follows:

    # lvs -o chunk_size vg1/poolB
    Chunk
    64.00k

    The total free space is therefore 90879 × 64.00k = 5,816,256k.

  • How many simultaneous VNC sessions can run on a Linux server

    VNC is one of the most common methods for multiple users to access a server remotely at the same time. VNC is usually configured as a system service that is always on, serving a GUI session to one or more users simultaneously. There is no hard limit on the number of VNC sessions on a Linux server; the constraint is the amount of server resources that can be used effectively.

    Simultaneous VNC sessions are limited by three primary server resources: CPU, RAM, and bandwidth. In a VNC user session, software-based rendering draws the Graphical User Interface (GUI) into a video frame buffer that is then used for the remote connection.

    As such, a VNC session typically consumes more CPU than a local console. RAM and bandwidth are affected in the same way, as the VNC session uses system RAM for its video frame buffer instead of video RAM.

    VNC sessions also strain network bandwidth, as VNC uses video compression techniques for the desktop display, which is less efficient. Note that playing videos or running graphics or video editors in a VNC session increases resource utilization further.

    Generally, allocate 1 CPU core, 4GB RAM, and 10Mbps of network bandwidth per VNC session. For 8 VNC users, an 8-core CPU, 32GB RAM, and a 300Mbps network connection are recommended.

    If the VNC server has limited hardware resources and serves multiple users, the following mitigation strategies help:

    • Instead of GNOME sessions, use minimal X sessions to reduce the VNC server load.
    • Reduce the screen geometry with the geometry option, for example geometry=800x600.
    • Enable QoS (Quality of Service) to prioritize VNC traffic over regular user traffic.
    • Limit VNC sessions to single tasks instead of running multiple processes simultaneously.

  • How to start failed VNC service

    • The VNC server is configured on a Linux machine, but the service status is shown as failed.

    systemctl status vncserver@:1.service
    ● vncserver@:1.service - Remote desktop service (VNC)
    Loaded: loaded (/etc/systemd/system/vncserver@:1.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Mon 2021-09-01 11:30:03 +04; 11s ago
    Process: 13739 ExecStart=/usr/sbin/runuser -l vncuser -c /usr/bin/vncserver %i (code=exited, status=1/FAILURE)
    Process: 13739 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill %i > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
    Main PID: 1231 (code=exited, status=0/SUCCESS)

    • The main reason for a failed VNC server service is that the X1 lock file (/tmp/.X1-lock) and socket (/tmp/.X11-unix/X1) of a previous session are still present. Remove the files to start the VNC session:

    rm /tmp/.X11-unix/X1 /tmp/.X1-lock

    • Start the VNC server service as follows:

    systemctl start vncserver@:<display>.service

    • The root cause of this error is that the /tmp/.X* files are the VNC session's lock and socket files, and deliberately killing the session does not remove them. As a result, the user cannot start a VNC session on the same display again. The first solution is to remove these stale files.
    • Remove all stale files for unused displays under these locations:

    /tmp/.X11-unix/
    X2 X3 X4 X5

    /tmp/.X*
    .X0-lock .X11-unix/ .X1-lock .X2-lock .X3-lock .X4-lock
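
    As an added example (not from the original post), this POSIX sh function performs the cleanup above defensively: before deleting /tmp/.X<N>-lock and /tmp/.X11-unix/X<N> it reads the PID recorded in the lock file and refuses to remove files that a running X server still owns, so a live display on the same host is never broken. The function name and the optional directory argument (for testing outside /tmp) are mine.

```sh
#!/bin/sh
# Remove the lock file and socket of X display N only when no running
# process owns them. The X lock file holds the PID of the X server that
# created it, so a live PID means the display is genuinely in use.
# Usage: clean_stale_x_display N [TMPDIR]   (TMPDIR defaults to /tmp)
# Returns 0 when the files were removed or absent, 1 when they are in use.
clean_stale_x_display() {
    display=$1
    tmp=${2:-/tmp}
    lock=$tmp/.X${display}-lock
    sock=$tmp/.X11-unix/X${display}
    if [ -f "$lock" ]; then
        pid=$(tr -d '[:space:]' < "$lock")
        case $pid in
            ''|*[!0-9]*) ;;    # unreadable PID: treat the lock as stale
            *) if kill -0 "$pid" 2>/dev/null; then
                   echo "display :$display is held by running PID $pid; leaving it" >&2
                   return 1
               fi ;;
        esac
    fi
    rm -f "$lock" "$sock"
    echo "removed stale files for display :$display" >&2
    return 0
}
```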

  • How to restrict normal user to run only limited set of commands

    • Normal users in Linux are usually allowed to execute any command in /bin and /usr/local/bin. Follow the steps below to remove that permission and restrict a user to a specific set of commands.
    • Enter the following command to create a restricted shell (a copy of bash invoked under the name rbash runs in restricted mode):

    cp /bin/bash /bin/rbash

    • Set the restricted shell as the login shell when adding the target user:

    useradd -s /bin/rbash user-restrict

    • For users already present on the machine:

    usermod -s /bin/rbash user-restrict

    • In this way, the user user-restrict is confined to the restricted shell and cannot cd outside the $HOME directory /home/user-restrict or run commands by their path.
    • Create a directory under /home/user-restrict as follows:

    mkdir /home/user-restrict/directory

    • At this point, the user user-restrict can still run every command found through the PATH variable set in /home/user-restrict/.bash_profile. Change the file as follows:

    cat /home/user-restrict/.bash_profile
    # .bash_profile
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
    # User specific environment and startup programs
    readonly PATH=$HOME/directory
    export PATH

    • Now, when user-restrict logs in, he or she will not be able to run even simple commands.
    • Create symlinks in /home/user-restrict/directory to the commands that user-restrict is allowed to execute:

    ln -s /bin/date /home/user-restrict/directory/
    ln -s /bin/ls /home/user-restrict/directory/
    ll /home/user-restrict/directory/
    total 8
    lrwxrwxrwx 1 root root 10 Aug 17 18:00 date -> /bin/date
    lrwxrwxrwx 1 root root 10 Aug 17 18:00 ls -> /bin/ls

    • Log out and log in again as user-restrict, then execute the following commands:

    [user-restrict@example ~]$ date
    Sun Aug 17 20:00:00 IST 2021
    [user-restrict@example ~]$ ls
    filea fileb filec filed directory
    [user-restrict@example ~]$ tail
    -rbash: tail: command not found

    • To prevent user-restrict from modifying their .bash_profile:

    chattr +i /home/user-restrict/.bash_profile

    • The above command makes .bash_profile immutable. Only root can remove the immutable flag from the file:

    chattr -i /home/user-restrict/.bash_profile
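
    As an added example (not from the original post), this POSIX sh function audits an account confined as described above: it checks that .bash_profile pins PATH read-only to the command directory and that every entry in that directory is a symlink to one of the allowed binaries, since any other entry is a way out of the restriction. The function name, argument layout and messages are mine; GNU readlink -f is assumed.

```sh
#!/bin/sh
# Audit an rbash-confined account.
# Usage: audit_rbash_user HOME_DIR CMD_SUBDIR ALLOWED_BINARY...
# Returns 0 when no problems were found, otherwise the number of problems.
audit_rbash_user() {
    home=$1 sub=$2
    shift 2
    profile=$home/.bash_profile
    cmddir=$home/$sub
    problems=0
    # Canonicalize the allow list so /bin/ls and /usr/bin/ls compare equal
    allowed=" "
    for bin in "$@"; do
        allowed="$allowed$(readlink -f "$bin") "
    done
    # 1. PATH must be set read-only to the command directory (exact line)
    if ! grep -qxF "readonly PATH=\$HOME/$sub" "$profile" 2>/dev/null; then
        echo "PATH is not pinned read-only to \$HOME/$sub in $profile"
        problems=$((problems + 1))
    fi
    # 2. Every entry (dotfiles included) must be a symlink to an allowed binary
    for entry in "$cmddir"/* "$cmddir"/.*; do
        case $entry in */.|*/..) continue ;; esac     # skip . and ..
        [ -e "$entry" ] || [ -L "$entry" ] || continue  # unmatched glob
        if [ ! -L "$entry" ]; then
            echo "$entry is not a symlink"
            problems=$((problems + 1))
            continue
        fi
        target=$(readlink -f "$entry")
        case $allowed in
            *" $target "*) ;;
            *) echo "$entry -> $target is not an allowed binary"
               problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}
```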

  • How to configure VNC server in AlmaLinux 8.3

    • Install the required VNC server packages on AlmaLinux 8.3 as follows:

    yum -y install tigervnc-server tigervnc

    • The default configuration files for tigervnc-server are located in /etc/tigervnc. This directory contains the following files:

    vncserver.users
    vncserver-config-mandatory
    vncserver-config-defaults

    • Map each user to a display by adding a line of the form :x=user to the /etc/tigervnc/vncserver.users file:

    :1=vnc-user1
    :2=vnc-users2

    • Configure one VNC session per user, as AlmaLinux 8.3 only supports one unique user per GUI session per machine.
    • Now edit the vncserver-config-defaults file to configure the Xvnc parameters. The values in this file apply to every user unless the user has their own configuration file in $HOME/.vnc/config. The same options, with different values, can be set in the vncserver-config-mandatory file, which overrides the default configuration and has higher priority. The format of the configuration file is option=value.

    session=gnome
    #securitytypes=vncauth,tlsvnc
    #desktop=myserver
    #geometry=1900x1100
    #localhost
    #alwaysshared

    • Make sure the parameter session=gnome above matches the name of the session desktop file in the /usr/share/xsessions directory (case-sensitive).
    • Run the following command to set the VNC password. It must be run by the user who will start and use the VNC server, while logged in as that user and not as root:

    vncpasswd

    • As root, enable and start the TigerVNC service as follows:

    # systemctl enable vncserver@:$x.service
    # systemctl start vncserver@:$x.service

    • In the above commands, replace the variable $x with the display number configured in /etc/tigervnc/vncserver.users, for example:

    systemctl enable vncserver@:1.service --now

    • Open the default VNC port 5901 (display :1) in the firewall as follows:

    firewall-cmd --permanent --zone=public --add-port 5901/tcp

    • Reload the firewall:

    firewall-cmd --reload
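
    As an added example (not from the original post), the POSIX sh function below parses a vncserver.users file as configured above and prints, for each display, the user and the TCP port to open (5900 plus the display number, so :1 is 5901), while reporting malformed lines and users mapped to more than one display. The function name is mine.

```sh
#!/bin/sh
# Parse /etc/tigervnc/vncserver.users (":N=user" per line) and print
# "display user tcp-port" for each mapping. Problems go to stderr and
# make the function return 1.
# Usage: vnc_users_to_ports FILE
vnc_users_to_ports() {
    file=$1
    seen=" "
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                      # blank or comment
            :[0-9]*=*) ;;
            *) echo "malformed line: $line" >&2; rc=1; continue ;;
        esac
        disp=${line#:}; disp=${disp%%=*}
        user=${line#*=}
        case $disp in
            *[!0-9]*) echo "malformed display in: $line" >&2; rc=1; continue ;;
        esac
        case $user in
            ''|*[[:space:]=]*) echo "malformed user in: $line" >&2; rc=1; continue ;;
        esac
        case $seen in
            *" $user "*) echo "$user is mapped to more than one display" >&2; rc=1 ;;
        esac
        seen="$seen$user "
        # Strip leading zeros so ":08" is display 8, not an octal constant
        disp=${disp#"${disp%%[!0]*}"}
        [ -n "$disp" ] || disp=0
        echo "$disp $user $((5900 + $disp))"
    done < "$file"
    return $rc
}
```

    The third column is the value to pass to firewall-cmd --permanent --zone=public --add-port PORT/tcp for each configured display.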

  • How to set interface to promiscuous mode permanently

    • You can use a NetworkManager dispatcher script to apply promiscuous mode to one or more interfaces when they come online. Create the script file and make it executable:

    touch /etc/NetworkManager/dispatcher.d/30-promisc
    chmod +x /etc/NetworkManager/dispatcher.d/30-promisc

    • Add the following script to the 30-promisc file. NetworkManager passes the interface name as $1 and the action as $2:

    #!/bin/bash
    if [ "$1" == "eth0" ] && [ "$2" == "up" ]; then
        ip link set dev "$1" promisc on
    fi

    • With the legacy network initscripts, you can instead add the code to /sbin/ifup-local, creating the file if it does not exist:

    #!/bin/bash
    if [ "$1" == "eth0" ]; then
        /usr/sbin/ip link set dev "$1" promisc on
    fi

  • How to apply ethtool settings to an interface using a NetworkManager dispatcher script

    In the same way as above, you can use a NetworkManager dispatcher script to apply ethtool settings.

    • Create the script file and make it executable:

    touch /etc/NetworkManager/dispatcher.d/30-ethtool
    chmod +x /etc/NetworkManager/dispatcher.d/30-ethtool

    • To apply settings to a single network interface:

    #!/bin/bash
    if [ "$1" == "eth1" ] && [ "$2" == "up" ]; then
        ethtool -K "$1" lro off rx on gro off
    fi

    • For multiple interfaces:

    #!/bin/bash
    if [ "$2" == "up" ] && { [ "$1" == "eth1" ] || [ "$1" == "eth0" ]; }; then
        ethtool -K "$1" lro off rx off gro off
    fi

    • For bonding interface:

    #!/bin/bash
    if [ "$1" == "bond0" ] && [ "$2" == "up" ]; then
        # Apply the settings to the bond and to each slave interface
        for INTERFACE in bond0 eth1 eth0; do
            ethtool -K "$INTERFACE" lro off rx off gro off
        done
    fi