Admin guidelines for user quotas

Disk quotas on xfs are supported, and all EL7 and above systems in the company use xfs. No limits are planned for ext4 filesystems at this time.

Report on entire filesystem quotas

$ sudo xfs_quota -xc 'report -h' /home
User quota on /home (/dev/mapper/bf-home)
                        Blocks
User ID      Used   Soft   Hard Warn/Grace
---------- ---------------------------------
root            0  1000M   1.3G  00 [------]
svcacct1     192K  1000M   1.3G  00 [------]
jdoe1           0  1000M   1.3G  00 [------]
bgstack15   98.2M  1000M   1.3G  00 [------]

# sudo du -xBM --max-depth 1 /home | sort -n | tail
1M      /home/testuser
2M      /home/wharvey
53M     /home/jsmith
179M    /home/bgstack15
261M    /home/svcacct2
14489M  /home/jdoe1
14986M  /home
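
One way to turn the report above into a routine check (added example, not from the original post): the function reads xfs_quota report -h output on stdin and lists users at or above a given percentage of their soft block limit. The function name, the sample values and the treatment of a bare number as bytes are assumptions.

```sh
#!/bin/sh
# Constructed sample in the layout of the report above (values are made up).
SAMPLE_REPORT='User quota on /home (/dev/mapper/bf-home)
                        Blocks
User ID      Used   Soft   Hard Warn/Grace
---------- ---------------------------------
root            0  1000M   1.3G  00 [------]
svcacct1     192K  1000M   1.3G  00 [------]
jdoe1        950M  1000M   1.3G  00 [------]
bgstack15   98.2M  1000M   1.3G  00 [------]
testuser      40M      0      0  00 [------]'

# quota_near_limit PCT   (hypothetical helper, default PCT is 80)
# Prints "user used soft percent" for every user at or above PCT% of the
# soft block limit.
quota_near_limit() {
    awk -v pct="${1:-80}" '
        # Human-readable size (0, 192K, 98.2M, 1.3G) to KiB.
        function kib(s,   u, n) {
            u = substr(s, length(s)); n = s + 0
            if (u == "K") return n
            if (u == "M") return n * 1024
            if (u == "G") return n * 1024 * 1024
            if (u == "T") return n * 1024 * 1024 * 1024
            return n / 1024     # no suffix: assumed bytes (covers bare "0")
        }
        # Data rows only: a user name followed by size columns.
        NF >= 5 && $2 ~ /^[0-9.]+[KMGT]?$/ && $3 ~ /^[0-9.]+[KMGT]?$/ {
            used = kib($2); soft = kib($3)
            if (soft == 0) next     # soft shown as 0: nothing to compare against
            if (used * 100 >= soft * pct)
                printf "%s %s %s %d\n", $1, $2, $3, int(used * 100 / soft)
        }
    '
}

# Demo on the constructed sample. On a real host:
#   sudo xfs_quota -xc "report -h" /home | quota_near_limit 90
printf '%s\n' "$SAMPLE_REPORT" | quota_near_limit 80
```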

Changing quotas

After a Linux engineer approves, a user quota may be changed.

Change the default quota

The default quota affects all users. Do not use this one!

sudo xfs_quota -x -c 'limit bsoft=250m bhard=300m -d' /home

Change a user quota

sudo xfs_quota -xc 'limit bsoft=1000m bhard=1200m jdoe1' /home

Remove a user quota

Setting to zero will return a user back to the default quota. The documentation states this makes an unlimited quota, but the documentation is incorrect (original research).

sudo xfs_quota -xc 'limit bsoft=0 bhard=0 jdoe1' /home

Policy for user quotas for home directories for Linux

Policy

The default storage limit for users on the /home filesystem is 250MB. If all of your allocated space is used, you cannot grow files or make new ones in your home directory. Using the entire disk quota can cause your application to display an error.

This limitation exists to reinforce the company’s Data Retention Policy and allocate disk space fairly. Users should not store large files in the home directories. The home directories are designed for incidental storage for OS user files, and work files being used before moving them to a final location.

FAQs

How do I request more space?

Open a help ticket to the IT queue. The Linux team will review your request and work with you on the requirements. Be advised that exceptions to the main policy are very rare, because /home exists for work-related files which are primarily stored elsewhere. Storage of personal files and large work files in /home is not supported and is not a valid use case for an exception.

How do I check my disk usage and clean up files?

You can view information about your home directory and how much space you are currently using.

Command                                            Explanation
-------------------------------------------------  -----------
du -hs * | sort -h                                 Show all files and directories in the current directory, and sort by size
du -xBM --max-depth 3 /home/jdoe | sort -n | tail  Show the largest 10 files and directories in /home/jdoe, drilling down to a max of 3 subdirectories
ls -al                                             List all files and directories in the current directory
rm -i FILE1 FILE2 FILE3                            Delete files named FILE1, FILE2, and FILE3.
rmdir foobar                                       Remove an empty directory named foobar

References

Similar guidelines for other organizations include

Access vm in libvirt/qemu/kvm on serial console from hypervisor

You can access the serial port console of a virtual machine running in qemu, if you have configured the guest kernel correctly.

Configure the guest

# add serial console
sed -i -r -e '/^GRUB_CMDLINE_LINUX=/{s/(\s*)\"$/ console=ttyS0 console=tty1\"/;}' /etc/default/grub
grub2-mkconfig > /boot/grub2/grub.cfg

I have these steps in my kickstart %post scriptlet, so all my VMs get this setting. These steps modify the grub defaults to tell the kernel to open a console on the first serial port (ttyS0) and also on the regular virtual terminal tty1. It is important to specify both, so that the SPICE client sees tty1 and virsh on the command line can reach the serial console.

Accessing the guest from the hypervisor

sudo virsh console $GUESTNAME

Once the guest OS has booted, just run this command and you’re connected to the serial console. You have to log in like a true console session, and then you’re in!

LibreOffice is not using my gtk theme

LibreOffice was not using my gtk theme (on my devuan netinst, fluxbox, with xfce4-settings-manager, chtheme, and manually written .config/gtk-3.0/settings.ini).

[Screenshot: No theming for Writer]

Turns out you simply need to install an additional package:

sudo apt-get install libreoffice-gtk3
[Screenshot: Writer with gtk3 theme applied]

Devuan also has a libreoffice-gtk2 package, which I didn’t try.
I haven’t tried a Fedora minimal/net install with Fluxbox and LibreOffice, so I don’t know if the libreoffice-gtk3 rpm is necessary there, but it’s in the repos.

sudo dnf install libreoffice-gtk3

I was impressed by this behavior. Just install an extra .so file, and boom, LibreOffice integrates with your desktop theme. LibreOffice is some great stuff!

References

Ripped off from How to change themes [closed] – Ask LibreOffice

Roll back aborted dnf update, 2019 edition

I had to fix an aborted dnf update. My previous post on this topic

sudo dnf remove $( sudo dnf list installed --showduplicates $( sudo dnf list installed --showduplicates | sort | uniq -w35 -D | awk '/^[a-zA-Z]/{print $1}' | sort | uniq | grep -vE 'kernel|saned' ) | awk '$0 !~ /Packages/{split($1,b,".");if($2 > a[b[1]]){a[b[1]]=$2"."b[2]}} END {for (key in a) {print key"-"a[key]} }' )

Walkthrough of the commands

sudo dnf list installed --showduplicates | sort | uniq -w35 -D | awk '/^[a-zA-Z]/{print $1}' | sort | uniq | grep -vE 'kernel|saned'

Show all installed packages, and then show only the duplicates (up to the first 35 characters; having to take a guess here), and remove any saned and kernel packages. I don’t know why I had to exclude saned: Perhaps I wanted both x86_64 and i386 packages for saned.

sudo dnf list installed --showduplicates $ABOVEVALUES | awk '$0 !~ /Packages/{split($1,b,".");if($2 > a[b[1]]){a[b[1]]=$2"."b[2]}} END {for (key in a) {print key"-"a[key]} }'

List the packages from the previous statement, including duplicates, and then use awk to find the highest version number of each named package and store it in an array. The END block then prints the whole array, which now holds only the exact name and version (NEVRA, partially) of what to remove.
This whole process is here to roll back the partially-updated changes.

sudo dnf remove $ABOVEVALUES

And now remove those packages. This should reset, so that we can then perform a regular upgrade at some later point.
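
The selection step above compares versions with awk's > operator, which is a string comparison here, so 1.9 ranks above 1.10. The added example below (not from the original post) runs the post's awk and a sort -V variant over a constructed package list so the removal list can be reviewed before it reaches dnf remove; libfoo, the versions and the function names are made up, and sort -V only approximates RPM version ordering.

```sh
#!/bin/sh
# Constructed sample of `dnf list installed --showduplicates` output
# (package libfoo and all versions are made up for illustration).
SAMPLE_LIST='Installed Packages
bash.x86_64          4.4.23-5.fc29    @anaconda
bash.x86_64          4.4.23-6.fc29    @updates
libfoo.x86_64        1.9-1.fc29       @fedora
libfoo.x86_64        1.10-1.fc29      @updates
vim-minimal.x86_64   8.1.450-1.fc29   @anaconda'

# The selection awk from the post, unchanged: ">" compares strings here.
post_pick() {
    awk '$0 !~ /Packages/{split($1,b,".");if($2 > a[b[1]]){a[b[1]]=$2"."b[2]}} END {for (key in a) {print key"-"a[key]} }' |
    LC_ALL=C sort
}

# Hypothetical variant: order versions with sort -V and print only the
# highest version of each name.arch that is installed more than once.
newest_duplicates() {
    awk 'NF == 3 && $1 ~ /\./ { print $1, $2 }' |
    LC_ALL=C sort -t ' ' -k1,1 -k2,2V |
    awk '
        function emit(na, ver,   i) {
            i = match(na, /\.[^.]+$/)           # split name from .arch
            print substr(na, 1, i - 1) "-" ver substr(na, i)
        }
        $1 != prev { if (n > 1) emit(prev, last); prev = $1; n = 0 }
        { n++; last = $2 }
        END { if (n > 1) emit(prev, last) }
    '
}

# Dry run: print both candidate lists; nothing is removed.
echo "post awk:"; printf '%s\n' "$SAMPLE_LIST" | post_pick
echo "sort -V:";  printf '%s\n' "$SAMPLE_LIST" | newest_duplicates
```

On the sample, the post's awk selects libfoo-1.9-1.fc29.x86_64 while the sort -V variant selects libfoo-1.10-1.fc29.x86_64.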

References

  1. awk array in END https://unix.stackexchange.com/questions/183279/how-to-view-all-the-content-in-an-awk-array/183280#183280
  2. Prior use of associative arrays in awk https://bgstack15.wordpress.com/2017/04/11/remove-only-certain-duplicate-lines-with-awk/
  3. Prior use of dnf --showduplicates, but that didn’t work this time https://bgstack15.wordpress.com/2018/04/03/fedora-remove-duplicate-packages-from-partially-completed-dnf-update/
  4. Discussion on NEVRA https://slashterix.wordpress.com/2016/08/06/rpm-version-comparison/

Notes for PowerShell credentials

Here are some dirty ways to store user credentials in PowerShell.

Get-Credential | Export-Clixml C:\path\to\output\file.xml

The same user, on the same machine, that generates that file can retrieve the contents with

$credential = Import-Clixml C:\path\to\output\file.xml

References

https://blogs.technet.microsoft.com/robcost/2008/05/01/powershell-tip-storing-and-using-password-credentials/
https://bgstack15.wordpress.com/2019/04/15/install-powershell-and-powercli-on-centos-7-linux/

Assigning permissions for Linux service account to add machines to AD

Create service account.

On the domain where the machines will be joined:
Open Active Directory Users and Computers. Enable Advanced Features on the “View” menu.

View the properties of the entire domain.

Select the Security tab, and select Advanced.

  • For this object and all descendant objects: Grant Create/Delete Computer objects
  • For descendant computer objects: Grant Reset password
  • For descendant computer objects: Read/write account restrictions
  • For descendant computer objects: Write all properties, Write all validated writes