Posts

LINUX – nmcli command examples (cheatsheet), compare nm-settings with if-cfg file

nmcli examples. nmcli cheatsheet in CentOS/RHEL 7/8. nmcli command exmaples. nmcli con reload. nmcli help. add ethernet connection using nmcli. nmclic command examples cheatsheet in linux. add bond connection using nmcli in linux. add and configure network teaming using nmcli. nmcli command cheatsheet. configure networkmanager using nmcli. nmcli examples. nmclic command examples cheatsheet. exit an existing connection with nmcli. nmcli command examples. nmcli enable dhcp. man nmcli examples. nmcli rename connection. nmcli remove static ipv4 address. nmcle cheat sheet. nmcli remove dns

Understanding nmcli

  • nmcli is a command-line tool for controlling NetworkManager and reporting network status.
  • It can be utilised as a replacement for nm-applet or other graphical clients. nmcli is used to create, display, edit, delete, activate, and deactivate network connections, as well as control and display network device status.
  • Connections are stored in configuration files
  • The NetworkManager service must be running to manage these files
ALSO READ:

16 ip command examples to configure network interfaces (cheatsheet)

Compare nm-settings with ifcfg-* directives (IPv4)

nmcli con mod ifcfg-* file Effect
ipv4.method manual BOOTPROTO=none IPv4 address configured statically
ipv4.method auto BOOTPROTO=dhcp Will look for configuration settings from a DHCPv4 server
ipv4.address "192.168.0.10/24" IPADDR=192.168.0.10
PREFIX=24		 Set static IPv4 address, network prefix
ipv4.gateway 192.168.0.1 GATEWAY=192.168.0.1 Set IPv4 Gateway
ipv4.dns 8.8.8.8 DNS1=8.8.8.8 Modify /etc/resolv.conf to use this nameserver
ipv4.dns-search example.com DOMAIN=example.com Modify /etc/resolv.conf to use this domain in the search directive
ipv4.ignore-auto-dns true PEERDNS=no Ignore DNS Server information from the DHCP Server
connection.autoconnect yes ONBOOT=yes Automatically activate this connection on boot
connection.id eth0 NAME=eth0 The name of this connection
connection.interface-name eth0 DEVICE=eth0 The connection is bound to the network interface with this name
802-3-ethernet.mac-address 08:00:27:4b:7a:80 HWADDR=08:00:27:4b:7a:80 The connection is bound to the network interface with this MAC Address
ipv4.never-default no DEFROUTE=yes Never use provided interface’s gateway as default gateway

Compare nm-settings with ifcfg-* directives (IPv6)

nmcli con mod ifcfg-* file Effect
ipv6.method manual IPV6_AUTOCONF=no IPv6 is configured statically
ipv6.method auto IPV6_AUTOCONF=yes Will configure network settings using SLAAC from router advertisements.
ipv6.method dhcp IPV6_AUTOCONF=no
DHCPV6C=yes		 Will configure network settings by using DHCPv6, but not SLAAC
ipv6 . addresses
"2001:db8::a/64 2001:db8::1"		 IPV6ADDR=2001:db8::a/64
IPV6_DEFAULTGW=2001:db8::1		 Sets static IPv6 Address and Gateway
ipv6.dns . . . DNS0=. . . Modify /etc/resolv.conf to use this nameserver
ipv6.dns-search example.com DOMAIN=example.com Modify /etc/resolv.conf to use to use this domain in the search directive
ipv6.ignore-auto-dns true IPV6_PEERDNS=no Ignore DNS server information from the DHCP server
connection.autoconnect yes ONBOOT=YES Automatically activates the connection at boot
connection.id eth0 NAME=eth0 The name of this connection
connection.interface-name eth0 DEVICE=eth0 The connection is bound to this network interface with this name
802-3-ethernet.mac-address . . . HWADDR=. . . The connection is bound to the network interface with this MAC Address

Brief list of nmcli commands syntax

Command Purpose
nmcli dev status Show the Network Manager status of all network interfaces
nmcli con show List all connections
nmcli con show name List the current settings for the connection name
nmcli con add con-name name .. Add a new connection named name
nmcli con mod name .. Modify the connection name
nmcli con reload Tell networkManager to reread the configuration files (useful after they have been edited by hand)
nmcli con up name Activate the connection name
nmcli dev dis dev Deactivate and disconnect the current connection on the network interface dev
nmcli con del name Delete the connection name and its configuration file

nmcli command examples (cheatsheet)

Below are some of the chosen nmcli command examples

1. Check if NetworkManager is running

You can use below command to check if NetworkManager is running or not

To get a general status

2. List all the available device

To view and list all the available devices on your Linux system

3. List all the available connections

To list all the available connections

4. List all the configuration of interface

To view all the configured values (default and custom) of an interface

Advertisement

5. Check physical network device status

Now the status of all the connection network devices

6. Change hostname using nmcli

You can ideally change hostname using hostnamectl command, but you can also update hostname using nmcli

To get the current hostname

Next to update the hostname

Verify the same

7. Create a new ethernet connection and assign static IP Address

In this example nmcli configures the eth2 interface statically, using the IPv4 address and network prefix 10.10.10.4/24 and default gateway 10.10.10.1, but still auto connects at
startup and saves its configuration into /etc/sysconfig/network-scripts/ifcfg-eth2 file.

8. Create a new ethernet connection and assign DHCP IP Address

The following command will add a new connection for the interface eth2, which will get IPv4 networking information using DHCP and will autoconnect on startup. The configuration will be
saved in /etc/sysconfig/network-scripts/ifcfg-eth2 because the con-name is eth2

We can verify the same in the mapped interface configuration file

Advertisement

9. Create and configure bond connection (active-backup) with two slave interface

You can create bond connection with multiple slave interface using nmcli.

HINT:

There are 6 types of bonding mode 802.3ad/balance-alb/balance-tlb/broadcast/active-backup/balance-rr/balance-xor

Delete any configuration file which exists for slave interface

Add bond interface using nmcli. This command adds a master bond connection, naming the bonding interface mybond0 and using active-backup mode. I have given some dummy values for MII, UPDELAY and DOWNDELAY. If you wish to add primary interface using “primary=<ifname>

Similarly for round-robin bonding you can use bond.options as “downdelay=5,miimon=100,mode=balance-rr,updelay=10

Next add the slaves for mybond0 using nmcli. This command binds first slave to eth1 interface

This command binds slave 2 to eth2 interface

List the active connections. So we have our bond and slave interface with us.

Advertisement

Here I am setting static IP Address, NetMask, Gateway, DNS and DNS Search to mybond0 using nmcli

NOTE:

To use DHCP IP, use ipv4.method auto and do not provide any IP Address related details in the above command

Verify your mybond0 configuration file

refresh/reload the network configuration change for mybond0

Verify the bond IP Address

Verify the list of available connection

10. Create and configure Network Bridge

I have written another article with detailed steps to create and configure network bridge using nmcli and nmtui separately on RHEL/CentOS 7 and 8 Linux.

11. Create and configure Network Teaming

I have written another article with detailed steps to create and configure NIC teaming with two slaves using nmcli validated on RHEL/CentOS 7/8 Linux

12. Reload connection using nmcli (restart)

Reload all connection files from disk. NetworkManager does not monitor changes to connection files by default. So you need to use this command in order to tell NetworkManager to re-read the connection profiles from disk when a change was made to them.

Advertisement

13. Interactively add/edit a connection

You can use nmcli con edit to Edit an existing connection or add a new one, using an interactive editor. In the below example we will edit eth1’s IP Address

Now verify your changes in eth1’s configuration file

14. Change ethernet connection BOOTPROTO from DHCP to Static

Now to change ethernet connection BOOTPROTO from DHCP to static using nmcli, we must modify ipv4.method directive to use manual

Now verify the network configuration file for eth2

15. Change ethernet connection BOOTPROTO from Static to DHCP

Similarly to change ethernet connection BOOTPROTO from static to DHCP using nmcli, we must modify ipv4.method directive to use auto

Now verify the eth2 network configuration file

As you see we still have IPADDR and other variables from previous command but they are considered null, because you can see my DHCP has assigned 10.10.10.5 to eth2

Advertisement

16. Change ONBOOT directive using nmcli

By default ONBOOT is yes in the interface configuration file. So to disable ONBOOT we must modify connection.autoconnect directive using nmcli

Verify the ONBOOT value before changing this directive

Change ONBOOT directive, disable ONBOOT using nmcli

Re-verify the ONBOOT directive for eth2

17. Change DEFROUTE directive (Never use this network for default route)

By default any gateway we add for any ethernet connection will also be considered as default gateway, to turn off this directive use ipv4.never-default with nmcli

Before we make any change verify DEFROUTE directive in the eth2 configuration file

So by default this directive is ON, we will disable the default gateway option for eth2. To turn off this directive we must select ipv4.never-default as “yes

Next verify the DEFROUTE directive for eth2

Advertisement

18. Disable IPv6 Address for ethernet connection (IPV6INIT)

By default both IPv4 and IPv6 connection type (IPV6INIT) is enabled for any ethernet connection type. To only use IPv4 and disable IPv6 using nmcli

Verify the existing status of IPv6 connection type for eth2

So this is enabled, we will disable IPv6 connection type using ipv6.method directive with nmcli

HINT:

Supported input arguments for ipv6.method are ignore, auto, dhcp, link-local, manual, shared. You can use the same options to enable/disable IPv4 using ipv4.method

Now re-verify the IPV6INIT directive from eth2 config file

19. Change “Automatically Connect” Directive

By default any ethernet connection will be allowed to automatically connect, you can modify this using

20. Add or Modify DNS to existing connection

You can use ipv4.dns to add DNS server to an new connection or modify any existing connection using nmcli.
Currently there are no DNS server IP provided for eth1

Next modify connection to add DNS Server IP Address

Verify the eth1 config file

21. Append single/multiple DNS Server to connection

Use + prefix with ipv4.dns to append new DNS IP Addresses to an existing connection using nmcli. In the previous example we added 8.8.8.8 as my DNS server for eth1. Now we will append 8.2.2.2 to the same connection

Verify the eth1 configuration file

HINT:

You can also append single or multiple values from other multi-value (container) properties like ipv4.dns, ipv4.addresses, bond.options, etc

22. Remove single/multiple DNS Server from connection

As it is understood, with + we append so with – we remove single/multiple entries of DNS Server from the interface connection using nmcli.

Verify the eth1 configuration file

HINT:

You can also remove single or multiple values from other multi-value (container) properties like ipv4.dns, ipv4.addresses, bond.options, etc

23. Display selected fields with values of connection

You can list all the configured values of a connection using “nmcli con show <ifname>” but that gives you a long list of details, you can actually also get selected value of the provided directive of an individual connection

To get the IPv4 Address of eth1

You can use -g to print values from specific fields using nmcli

But here as you see we do not get a field to value mapping. You can use -f to specify what fields (column names) should be printed using nmcli. Valid field names differ for specific commands. List available fields by providing an invalid value to the --fields option.

HINT:

You can choose these fields: ipv4.method,ipv4.dns,ipv4.dns-search,ipv4.dns-options,ipv4.dns-priority,ipv4.addresses,ipv4.gateway,ipv4.routes,ipv4.route-metric,ipv4.route-table,ipv4.ignore-auto-routes,ipv4.ignore-auto-dns,ipv4.dhcp-client-id,ipv4.dhcp-timeout,ipv4.dhcp-send-hostname,ipv4.dhcp-hostname,ipv4.dhcp-fqdn,ipv4.never-default,ipv4.may-fail,ipv4.dad-timeout

24. Monitor connection and device activity

Using nmcli monitor you can observe NetworkManager activity. Watches for changes in connectivity state, devices or connection profiles. Here in this example we will execute nmcli monitor for eth1 in one terminal, and on the other terminal we will make some modification to eth1 connection

As you see, after the modification, the monitor command gives below output

25. Activate a connection

Just opposite to what we used above, we will use nmcli con up

Verify the list of available connection

26. De-activate a connection

Deactivate a connection from a device without preventing the device from further auto-activation using nmcli con down <ifname>. Multiple connections can be passed to the command.

Verify the list of active connections

NOTE:

If you are connected to your server using this interface then your connection would close once the connection is de-activated

27. Delete connection

lastly in nmcli command examples, you can delete all type of available connection using “nmcli con del <ifname>

Lastly I hope the steps from the article with nmcli command examples (cheatsheet) on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

References:

golinuxcloud.com
man page nmcli
man page nmcli-examples

/by

CentOS – Installer just goes black screen on Centos8

Problem: During installation of CentOS the installer screen goes black. The terminal multiplexer is running in virtual console 1. To switch from the graphical installation environment to tmux, press Ctrl+Alt+F1. To go back to the main installation interface which runs in virtual console 6, press Ctrl+Alt+F6. Available tmux Windows Shortcut Contents Ctrl+b 1 Main installation […]

Read more
/by

How to force fsck at every boot in Linux

  1. In /etc/init.d/checkfs.sh is the line if [ -f /forcefsck ] || grep -s -w -i "forcefsck" /proc/cmdline, so providing forcefsck on the kernel command line or generating a /forcefsck file on shutdown should cause an fsck on the next reboot.

    To prevent manual fsck runs, ask fsck to try to automatically fix errors with the -y option by uncommenting and changing no to yes in the following /etc/default/rcS entry, after the edit it should look like:

  1. One option (forcefsck or FSCKFIX) does not imply the other.
  1. according to manpages -c argument for tune2fs counts number of instances of mounts for a partition. Hence, 1 forces to check the fs after every mounting instance. (http://man7.org/linux/man-pages/man8/tune2fs.8.html)

Read more

/by

LINUX – Network Throughput Tuning

General Approach

To check what setting your system is using, use ‘sysctl name’ (e.g.: ‘sysctl net.ipv4.tcp_rmem’). To change a setting use ‘sysctl -w’. To make the setting permanent add the setting to the file ‘sysctl.conf’.

More Reading:

fasterdata.es.net

/by

CentOS – How do I safely delete old kernel versions ?

package-cleanup:

Using package-cleanup command which is a part of yum-utils package we can uninstall any number of old kernels automatically. As an example using --oldkernels --count=2 option with package-cleanup command the command will remove all unused kernel while keeping last three most recent kernel versions installed.

yum:

list installed kernels

remove kernels no longer needed; listed above

automated:

By default CentOS will keep last 5 kernels installed on your system. This behavior is defined by installonly_limit=5 line within /etc/yum.conf file. Update the /etc/yum.conf configuration file appropriately to keep desired number of old kernels on your system after update. The minimum value to be set is 2.

Example of /etc/yum.conf configuration file to keep only last two kernel versions:

read more: linuxconfig.org

/by

CentOS – NIC Teaming with LACP

A Comparison of Features in Bonding and Team

Feature Bonding Team
broadcast Tx policy Yes Yes
round-robin Tx policy Yes Yes
active-backup Tx policy Yes Yes
LACP (802.3ad) support Yes (active only) Yes
Hash-based Tx policy Yes Yes
User can set hash function No Yes
Tx load-balancing support (TLB) Yes Yes
LACP hash port select Yes Yes
load-balancing for LACP support No Yes
Ethtool link monitoring Yes Yes
ARP link monitoring Yes Yes
NS/NA (IPv6) link monitoring No Yes
ports up/down delays Yes Yes
port priorities and stickiness (“primary” option enhancement) No Yes
separate per-port link monitoring setup No Yes
multiple link monitoring setup Limited Yes
lockless Tx/Rx path No (rwlock) Yes (RCU)
VLAN support Yes Yes
user-space runtime control Limited Full
Logic in user-space No Yes
Extensibility Hard Easy
Modular design No Yes
Performance overhead Low Very Low
D-Bus interface No Yes
multiple device stacking Yes Yes
zero config using LLDP No (in planning)
NetworkManager support Yes Yes

Read More: RHEL

Config Snippets:

  • CentOS 7
  • No NetworkManager

NEXUS vPC Switch A:

NEXUS vPC Switch B:

CentOS 7 Server – Config: nas-a:

CentOS 7 Server – Config: nas-a:

CentOS 7 Server – Show Commands:

/by

Linux – iproute2 Cheat Sheet

Overview

iproute2 is the Linux networking toolkit that replaced net-tools (ifconfig, route, arp etc.)

Old style network utilities like ifconfig and route are still there just for backwards compatibility
and do not provide access to new features like policy-based routing or network namespaces.

Note that iproute2 has been a standard Linux tool since the early 2000’s. It’s included in
every distro by default, or at least available from the repos (OpenWRT is one of the cases).

iproute2 was originally written by Alex Kuznetsov and is now maintained by Stephen Hemminger.

This document aims to provide comprehensive but easy to use documentation for the ip command
included in iproute2 package. There are more, such as ss (netstat replacement, fairly straightforward),
tc (QoS management), but documenting them in this style, especially tc, would be a separate big project.

Instead of listing commands and describing what they do, it uses a task-centered approach and gives commands
for tasks that network administrators need to do. It was once called a “cheatsheet”
for this reason, but has long outgrown the size and scope of a cheat sheet for the most common tasks.

Contributions are always welcome, you can find the “source code” at
github.com/dmbaturin/iproute2-cheatsheet.

This document is provided “as is”, without any warranty. The authors are not liable for any
damage related to using it.

General notes

All commands that change any settings (that is, not just display them) require root privileges.

There are configuration files in /etc/iproute2, mainly for assinging symbolic names to network
stack entities such as routing tables. Those files are re-read every time you run the ip command and you don’t need
to do anything to apply the changes.

Typographic conventions

Metasyntactic variables are written in shell-style syntax, ${something}. Optional command parts are in
square brackets.

Table of contents


    Address management

    In this section ${address} value should be a host address in dotted decimal format, and
    ${mask} can be either a dotted decimal subnet mask or a prefix length.
    That is, both 192.0.2.10/24 and 192.0.2.10/255.255.255.0 are equally acceptable.

    If you are not sure if something is a correct host address, use ipcalc or similar
    program to check.

    Show all addresses

    All show commands can be used with -4 or -6 options to show only IPv4 or IPv6 addresses.

    Show addresses for a single interface

    Examples:

    Show addresses only for running interfaces

    Show only static or dynamic IPv6 addresses

    Show only statically configured addresses:

    Show only addresses learnt via autoconfiguration:

    Add an address to an interface

    Examples:

    You can add as many addresses as you want.

    If you add more than one address, your machine will accept packets for
    all of them. The first address you added will be used as source address for
    outgoing traffic by default, it’s referred to as primary address.

    All additional addresses you set will become secondary addresses.

    Add an address with human-readable description

    Examples:

    A label must start with the interface name followed by a colon due to some backwards compatibility issues,
    otherwise you’ll get an error.
    Keep the label shorter than sixteen characters, or else you’ll get this error:

    Notes

    For IPv6 addresses this command has no effect (address will be added, but without a label).

    Delete an address

    Examples:

    Interface name is required. Linux does allow the same address to be configured on multiple interfaces
    and it has valid use cases.

    Remove all addresses from an interface

    Examples:

    By default this command removes both IPv4 and IPv6 addresses. If you want to remove only
    IPv4 or IPv6 addresses, use “ip -4 address flush” or “ip -6 address flush”.

    Notes

    There is no way to swap primary and secondary addresses or explicitly set the new primary address. Try to always set the primary address first.

    However, if the sysctl variable net.ipv4.conf.${interface}.promote_secondaries is set to 1, when you delete the primary address,
    the first secondary address will become the new primary.

    Note that net.ipv4.conf.default.promote_secondaries=1 is not the universal default setting in all Linux distributions,
    so check yours before trying it. If it’s set to 0, then when you delete the primary address, all addresses will be removed
    from the interface.

    Secondary IPv6 addresses are always promoted to primary if the primary address is deleted so you don’t need to worry about sysctl settings.

    Neighbor (ARP and NDP) table management

    For ladies and gentlemen who prefer the British spelling, this command family supports the “neighbour” spelling too.

    View neighbor tables

    All “show” commands support -4 and -6 options to view only IPv4 (ARP) or IPv6 (NDP) neighbors. By default
    all neighbors are displayed.

    View neighbors for single interface

    Examples:

    Flush table for an interface

    Examples:

    Add a neighbor table entry

    Examples:

    One of the use cases for it is to add static entry for an interface with disabled ARP to
    restrict interface usage only by hosts with specific MAC addresses.

    Delete a neighbor table entry

    Examples:

    Allows to delete a static entry, or get rid of an automatically learnt entry without flushing the table.

    Link management

    Link is another term for a for network interface. Commands from the “ip link” family perform operations
    that are common for all interface types, like viewing link information or changing the MTU.

    Historically “ip link” commands could create all types of interfaces, except for tunnels (IPIP, GRE etc.), L2TPv3, and VXLAN
    interfaces that have their own commands. In newer iproute2 versions (since at least 3.16) they can create interfaces of all
    types except L2TPv3, though using special command families for some of them is more convenient.

    Note that interface name you set with “name ${name}” parameter of “ip link add” and “ip link set”
    commands may be arbitrary, and may even contain unicode characters. However, it’s better to stick with
    ASCII because other programs may not handle unicode correctly.

    Also note that other programs, such as iptables, may have their own link name format and length
    restrictions, so it’s better to use short alphanumeric names, and provide additional information in
    link aliases.

    Show information about all links

    These commands are equivalent and can be used with the same arguments.

    Show information about specific link

    Examples:

    The word “dev” may be omitted.

    Bring a link up or down

    Examples:

    Note: virtual links described below, like VLANs and bridges
    are in down state immediately after creation. You need to bring them up to start using them.

    Set human-readable link description

    Examples:

    Link aliases show up in “ip link show” output, like:

    Rename an interface

    Examples:

    Note that you can’t rename an active interface. You need to bring it down
    before doing it.

    Change link layer address (usually MAC address)

    Link layer address is a pretty broad concept. The most known
    example is MAC address for ethernet devices. To change MAC
    address you would need something like:

    Change link MTU

    Examples:

    MTU stands for “Maximum Transmission Unit”, the maximum size
    of a frame an interface can transmit at once.

    Apart from reducing fragmentation in tunnels like
    in example above, this is also used to increase performance of
    gigabit ethernet links that support so called “jumbo frames”
    (frames up to 9000 bytes large). If all your equipment
    supports gigabit ethernet, you may want to do something like

    Note that you may need to configure it on your L2 switches too,
    some of them have it disabled by default.

    Delete a link

    Obviously, only virtual links like VLANs or bridges can be deleted.

    Enable or disable multicast on an interface

    Unless you really understand what you are doing, better not to touch this.

    Enable or disable ARP on an interface

    One may want to disable ARP to enforce a security policy and allow only specific MACs
    to communicate with the interface. In this case neighbor table entries for whitelisted MACs
    should be created manually (see neighbor table management
    section), or nothing will be able to communicate with that interface.

    In most cases it’s better to configure MAC policy on an access layer switch though.
    Do not change this flag unless you are sure what you are going to do and why.

    Create a VLAN interface

    Examples:

    The only type of VLAN supported in Linux is IEEE 802.1q VLAN, legacy implementations like ISL
    are not supported.

    Once you create a VLAN interface, all frames tagged with ${tag} you specified in id option
    received by ${parent interface} will be processed by that VLAN interface.

    eth0.100 name format is traditional, but not required, you can name the interface as you want,
    just like with other interface types.

    VLANs can be created over bridge, bonding and other interfaces capable of processing ethernet frames too.

    Create a QinQ interface (VLAN stacking)

    Example:

    VLAN stacking (aka 802.1ad QinQ) is a way to transmit VLAN tagged traffic over another VLAN. The common use case
    for it is like this: suppose you are a service provider and you have a customer who wants to use your network
    infrastructure to connect parts of their network to each other. They use multiple VLANs in their network, so
    an ordinary rented VLAN is not an option. With QinQ you can add a second tag to the customer traffic when it enters your network
    and remove that tag when it exits, so there are no conflicts and you don’t need to waste VLAN numbers.

    The service tag is the VLAN tag the provider uses to carry client traffic through their network. The client tag
    is the tag set by the customer.

    Note that link MTU for the client VLAN interface is not adjusted automatically, you need to take care
    of it yourself and either decrease the client interface MTU by at least 4 bytes, or increase the parent MTU accordingly.

    Standards-compliant QinQ is available since Linux 3.10.

    Create pseudo-ethernet (aka macvlan) interface

    Examples:

    You can think of macvlan interfaces as additional virtual MAC addresses on the parent interface.
    They look like normal ethernet interfaces from user point of view, and handle all traffic for
    MAC address they are assigned with received by their parent interface.

    This is commonly used for testing, or for using several instances of a service identified by
    MAC when only one physical interface is available.

    They also can be used just for IP address separation instead of assigning multiple addresses
    to the same physical interface, especially if some service can’t operate on a secondary address properly.

    Create a dummy interface

    Examples:

    Dummy interfaces work pretty much like loopback interfaces, just there can be as many
    of them as you want.

    The first purpose of them is for communication of programs inside the host.

    The second purpose exploits the fact they are always up (unless administratively taken down).
    This is often used to assign service addresses to them on routers with more than one physical
    interface. As long as the traffic to the address assigned to a loopback or dummy interface
    is routed to the machine that owns it, you can access it through any of its interfaces.

    Create a bridge interface

    Examples:

    Bridge interfaces are virtual ethernet switches. They can be used to relay traffic
    transparently between ethernet interfaces, and, increasingly common, as ethernet switches
    for virtual machines running inside hypervisors.

    You can assign an IP address to a bridge and it will be visible from all bridge ports.

    If this command fails, check if “bridge” module is loaded.

    Add an interface to bridge

    Examples:

    Interface you added to a bridge becomes a virtual switch port. It operates only on datalink
    layer and ceases all network layer operation.

    Remove interface from bridge

    Examples:

    Create a bonding interface

    Examples:

    Note: This is not enough to configure bonding (link aggregation)
    in any meaningful way. You need to set up bonding parameters according to your situation.
    This is far beyond the cheat sheet scope, so consult the documentation.

    Interfaces are added to the bond group the same way to bridge group, just note that you can’t
    add it until you take it down.

    Create an intermediate functional block interface

    Example:

    Intermediate functional block devices are used for traffic redirection and mirroring
    in conjunction with tc. This is also far beyond the scope of this document, consult tc
    documentation.

    Create a pair of virtual ethernet devices

    Virtual ethernet (veth) devices always come in pairs and work as a bidirectional pipe,
    whatever comes into one of them, comes out of another. They are used in conjunction with
    system partitioning features such as network namespaces and containers (OpenVZ and LXC)
    for connecting one partition to another.

    Examples:

    Note: virtual ethernet devices are created in UP state, no need to
    bring them up manually after creation.

    Link group management

    Link groups are similar to port ranges found in managed switches. You can add network
    interfaces to a numbered group and perform operations on all the interfaces from that group
    at once.

    Links not assigned to any group belong to group 0 aka “default”.

    Add an interface to a group

    Examples:

    Remove an interface from a group

    This can be done by assigning it to the default group.

    Examples:

    Assign a symbolic name to a group

    Group names are stored in /etc/iproute2/group file. Symbolic name “default”
    for group 0 comes exactly from there. You can add your own, one per line,
    following the same “${number} ${name}” format. You can have up to 255 named groups.

    Once you configured a group name, number and name can be used interchangeably
    in ip commands.

    Example:

    After that you can use that name in all operations, like in

    Perform an operation on a group

    Examples:

    View information about links from specific group

    Use usual information viewing command with “group ${group}” modifier.

    Examples:

    Tun and Tap devices

    Tun and tap devices allow userspace programs to emulate a network
    device. When the userspace program opens them they get a file
    descriptor. Packets routed by the kernel networking stack to the
    device are read from the file descriptor, data the userspace
    program writes to the file descriptor are injected as local
    outgoing packets into the networking stack. The difference between
    the two is:

    • tap sends and receives raw Ethernet frames.
    • tun sends and receives raw IP packets.

    There are two types of tun/tap devices: persistent and transient.
    Transient tun/tap devices are created by userspace programs when they open a special device, and are destroyed
    automatically when the associated file descriptor is closed.
    The commands listed here manipulate persistent devices.

    View tun/tap devices

    Note: this command can be abbreviated to “ip tuntap”.

    This command is the only way to find out if some device is in tun or tap mode.

    Add an tun/tap device useable by the root user

    Examples:

    Add an tun/tap device usable by an ordinary user

    Example:

    Add an tun/tap device using an alternate packet format

    Add meta information to each packet received over the file
    descriptor. Very few programs expect this information, and
    including it when it isn’t expected will break things.

    Example:

    Add an tun/tap ignoring flow control

    Normally packets sent to a tun/tap device travel in the same way
    as packets sent to any other device: they are put on a queue handled by the
    traffic control engine (which is configured by the tc command).
    This can be bypassed, thus disabling the traffic control engine
    for this tun/tap device.

    Example:

    Delete tun/tap device

    Examples:

    Note: you must specify the mode. The mode is not displayed in “ip link show”, so
    if you don’t know if it’s TUN or TAP, consult the output of “ip tuntap show”.

    Tunnel management

    Tunnels are “network wormholes” that look like normal interfaces,
    but packets sent through them are encapsulated into another protocol
    and sent to the other side of tunnel through multiple hosts, then
    decapsulated and processed in usual way, so you can pretend two
    machines have direct connectivity, while they in fact do not.

    This is often used for virtual private networks (in conjunction with
    encrypted transport protocols like IPsec), or connecting networks
    that use some protocol via an intermediate network that does not use it
    (e.g. IPv6 networks separated by an IPv4-only segment).

    Note: tunnels on their own offer zero security.
    They are as secure as their underlying network. So if you need
    security, use them over an encrypted transport, e.g. IPsec.

    Linux currently supports IPIP (IPv4 in IPv4), SIT (IPv6 in IPv4),
    IP6IP6 (IPv6 in IPv6), IPIP6 (IPv4 in IPv6), GRE (virtually anything
    in anything), and, in very recent versions, VTI (IPv4 in IPsec).

    Note that tunnels are created in DOWN state, you need to bring them up.

    In this section ${local endpoint address} and ${remote endpoint address}
    refer to addresses assigned to physical interfaces of endpoint. ${address}
    refers to the address assigned to tunnel interface.

    Create an IPIP tunnel

    Examples:

    Create a SIT tunnel

    Examples:

    This type of tunnels is commonly used to provide an IPv4-connected network with
    IPv6 connectivity. There are so called “tunnel brokers” that provide it to everyone interested,
    e.g. Hurricane Electric tunnelbroker.net.

    Create an IPIP6 tunnel

    Examples:

    This type of tunnels will be widely used when transit operators phase IPv4 out (i.e. not any soon).

    Create an IP6IP6 tunnel

    Examples:

    Just like IPIP6 these ones aren’t going to be generally useful any soon.

    Create a gretap (ethernet over GRE) device

    Examples:

    This type of tunnels encapsulates ethernet frames into IPv4 packets.

    Recent kernel and iproute2 versions also support gretap over IPv6, you need to replace the mode with “ip6gretap”
    to create an IPv6-based link.

    This probably should have been in “Links management” section, but as it involves encapsulation, it’s here.
    Tunnel interface created this way looks like an L2 link, and it can be added to a bridge group. This is used
    to connect L2 segments via a routed network.

    Create a GRE tunnel

    Examples:

    GRE can encapsulate both IPv4 and IPv6 at the same time. However, by default it uses IPv4 for transport,
    for GRE over IPv6 there is a separate tunnel mode, “ip6gre”.

    Create multiple GRE tunnels to the same endpoint

    Examples:

    Keyed tunnels can be used at the same time to unkeyed too. Key may be in dotted decimal IPv4-like format.

    Note that key does not add any security to the tunnel. It’s just an identifier used to distinguish one tunnel from another.

    Create a point-to-multipoint GRE tunnel

    Examples:

    Note the absence of ${remote endpoint address}. This is the same to what is called “mode gre multipoint” in Cisco IOS.

    In the absence of remote endpoint address the key is the only way to identify the tunnel traffic, so ${key value} is required.

    This type of tunnels allows you to communicate with multiple endpoints by using the same tunnel interface. It’s commonly used in
    complex VPN setups with multiple endpoints communicating to one another (in Cisco terminology, “dynamic multipoint VPN”).

    As there is no explicit remote endpoint address, obviously it is not enough to just create a tunnel. Your system needs to know
    where the other endpoints are.

    In real life NHRP (Next Hop Resolution Protocol) is used for it. For testing you can add peers manually (given remote endpoint
    uses 203.0.113.6 address on its physical interface and 10.0.0.2 on the tunnel):

    You will have to do it on the remote endpoint too, like:

    Note that link-layer address and neighbor address are both IP addresses, so they are on the same OSI layer.
    This one of the cases where link-layer address concept gets interesting.

    Create a GRE tunnel over IPv6

    Recent kernel and iproute2 versions support GRE over IPv6. Point-to-point with no key:

    It should support all options and features supported by the IPv4 GRE described above.

    Delete a tunnel

    Examples:

    Note that in older iproute2 versions this command did not support the full “delete” word, only “del”.
    Recent versions allow both full and abbreviated forms (tested in iproute2-ss131122).

    Modify a tunnel

    Examples:

    Note: Apparently you can’t add a key to previously unkeyed tunnel.
    Not sure if it’s a bug or a feature. Also, you can’t change tunnel mode on the fly,
    for obvious reasons.

    View tunnel information

    Examples:

    L2TPv3 pseudowire management

    L2TPv3 is a tunneling
    protocol commonly used for L2 pseudowires.

    In many distros L2TPv3 is compiled as a module, and may not be loaded by default.
    If you get a “RTNETLINK answers: No such file or directory” and “Error talking to the kernel” message
    to any “ip l2tp” command, this is likely the case. Load l2tp_netlink and
    l2tp_eth modules. If you want to use L2TPv3 over IP rather than UDP, also load
    l2tp_ip.

    Compared to other tunneling protocol implementations in Linux, L2TPv3 terminology is somewhat
    reversed. You create a tunnel, and then bind sessions to it. You can bind
    multiple sessions with different identifiers to the same tunnel. Virtual network interfaces
    (by default named l2tpethX) are associated with sessions.

    Note: Linux kernel implements only handling of data frames, so you can create
    only unmanaged tunnels with iproute2, with all settings configured manually on both sides.
    If you want to use L2TP for remote access VPN or something else other than fixed
    pseudowire, you need a userspace daemon to handle it. This is outside of this document scope.

    Create an L2TPv3 tunnel over UDP

    Examples:

    Note: Tunnel identifiers and other settings on both endpoints must match.

    Create an L2TPv3 tunnel over IP

    L2TPv3 encapsulated directly into IP offers less overhead,
    bug generally is unable to pass through NAT.

    Create an L2TPv3 session

    Examples:

    Notes: tunnel_id value must match a value of previously created tunnel.
    Session identifiers on both endpoints must match.

    Once you create a tunnel and a session, l2tpethX interface will appear, in down state. Change the state
    to up and bridge it with another interface or assign an address.

    Delete an L2TPv3 session

    Examples

    Delete an L2TPv3 tunnel

    Examples

    Note: You need to delete all sessions associated
    with a tunnel before deleting it.

    View L2TPv3 tunnel information

    Examples:

    View L2TPv3 session information

    Examples:

    VXLAN management

    VXLAN is a layer 2 tunneling protocol that is commonly used in conjunction with
    virtualization systems such as KVM to connect virtual machines running on different
    hypervisor nodes to each other and to outside world.

    Unlike GRE or L2TPv3 that are point to point, VXLAN replicates some properties of
    multiple access switched networks by using IP multicast. Also it supports virtual network
    separation by transmitting a network identifier along with the frame.

    The downside is that you will need to use a multicast routing protocol, typically PIM-SM,
    to get it to work over routed networks.

    The underlying encapsulation protocol for VXLAN is UDP.

    Create unicast VXLAN link

    Example:

    Note: id options means VXLAN Network Identifier (VNI).

    Create multicast VXLAN link

    Example:

    After that you need to bring the link up and either bridge it with
    another interface or assign an address.

    Route management

    For IPv4 routes, you can use either a prefix length or a dotted decimal subnet mask.
    That is, both 192.0.2.0/24 and 192.0.2.0/255.255.255.0 are equally acceptable.

    Note: as per the section below, if you set up a static route,
    and it becomes unreachable because a link goes down, it will be removed and
    will never get back on its own. You may not have noticed this behaviour
    because in many cases additional software (e.g. NetworkManager or rp-pppoe)
    takes care of restoring the routes when links go up and down.

    If you are going to use your Linux machine as a router, consider installing
    a routing protocol suite such as Quagga
    or BIRD. They keep track of interface status
    and restore routes when a link goes up after going down. Of course they also allow you
    to use dynamic routing protocols such as OSPF and BGP.

    Connected routes

    Some routes appear in the system without explicit configuration (against your will).

    Once you assign an address to an interface, the system calculates its network address
    and creates a route to it (this is why the subnet mask is required). These routes are
    called connected routes.

    For example, if you assign 203.0.113.25/24 to eth0, a connected route to 203.0.113.0/24 network
    will be created and the system will know that hosts from that network can be reached
    directly.

    When an interface goes down, connected routes associated with it are removed.
    This is used for inaccessible gateway detection so routes through gateways that
    went inaccessible are removed. Same mechanism prevents you from creating
    routes through inaccessible gateways.

    View all routes

    You can use -4 and -6 options to view only IPv4 or IPv6 routes.
    If no options given, IPv4 routes are displayed. To view IPv6 routes, use:

    View routes to a network and all its subnets

    For example, if you use 192.168.0.0/24 subnet in your network
    and it’s broken into 192.168.0.0/25 and 192.168.0.128/25, you can see
    all those routes with:

    Note: the word “to” in this and other show commands is optional.

    View routes to a network and all supernets

    If you want to view routes to 192.168.0.0/24 and all larger subnets,
    use:

    As routers prefer more specific routes to less specific,
    this is often useful for debugging in situations when traffic to specific
    subnet is sent the wrong way because a route to it is missing
    but routes to larger subnets exist.

    View routes to exact subnet

    If you want to see the routes to 192.168.0.0/24, but not to,
    say 192.168.0.0/25 and 192.168.0.0/16, you can use:

    View only the route actually used by the kernel

    Example:

    Note that in complex routing scenarios like multipath routing,
    the result may be “correct but not complete”, as it always shows
    one route that will be used first. In most situations it’s not
    a problem, but never forget to look at the corresponding “show” command
    output too.

    View route cache (pre 3.6 kernels only)

    Until the version 3.6, Linux used
    route caching. In older kernels, this command displays the contents
    of the route cache. It can be used with modifiers
    described above. In newer kernels it does nothing.

    Add a route via gateway

    Examples:

    Add a route via interface

    Example:

    Interface routes are commonly used with point-to-point interfaces
    like PPP tunnels where next hop address is not required.

    Change or replace a route

    You may use “change” command to change parameters of existing routes.
    “Replace” command can be used to modify existing route or add new one if
    it doesn’t exist. Examples:

    Delete a route

    Examples:

    Default route

    There is a shortcut to add default route.

    These are equivalent to:

    With IPv6 routes it also works and is equivalent to ::/0

    Blackhole routes

    Examples:

    Traffic to destinations that match a blackhole route is silently discarded.

    Blackhole routes have dual purpose. First one is straightforward, to discard traffic
    sent to unwanted destinations, e.g. known malicious hosts.

    The second one is less obvious and uses the “longest match rule” as per RFC1812.
    In some cases you may want the router to think it has a route to a larger subnet,
    while you are not using it as a whole,
    e.g. when advertising the whole subnet via dynamic routing protocols. Large subnets
    are commonly broken into smaller parts, so if your subnet is 192.0.2.0/24, and you
    have assigned 192.0.2.1/25 and 192.0.2.129/25 to your interfaces, your system creates connected
    routes to the /25’s, but not the whole /24, and routing daemons may not want to
    advertise /24 because you have no route to that exact subnet. The solution is to setup
    a blackhole route to 192.0.2.0/24. Because routes to smaller subnets are preferred
    over larger subnets, it will not affect actual routing, but will convince routing
    daemons there’s a route to the supernet.

    Other special routes

    These routes make the system discard packets and reply with an ICMP error message to the sender.

    unreachable
    Sends ICMP “host unreachable”.
    prohibit
    Sends ICMP “administratively prohibited”.
    throw
    Sends “net unreachable”.

    Unlike blackhole routes, these can’t be recommended for stopping unwanted traffic (e.g. DDoS)
    because they generate a reply packet for every discarded packet and thus create even greater traffic flow.
    They can be good for implementing internal access policies, but consider firewall for this purpose first.

    “Throw” routes may be used for implementing policy-based routing, in non-default tables they
    stop current table lookup, but don’t send ICMP error messages.

    Routes with different metric

    Examples:

    If there are several routes to the same network with different metric value,
    the one with the lowest metric will be preferred.

    Important part of this concept is that when an interface goes down, routes
    that would be rendered useless by this event disappear from the routing table (see the Connected Routes section), and
    the system will fall back to higher metric routes.

    This feature is commonly used to implement backup connections to important destinations.

    Multipath routing

    Multipath routes make the system balance packets across several links according to the weight (higher weight is preferred, so
    gateway/interface with weight of 2 will get roughly two times more traffic than another one with weight of 1). You can have as many gateways
    as you want and mix gateway and interface routes, like:

    Warning: the downside of this type of balancing is that packets are not guaranteed to be sent back
    through the same link they came in. This is called “asymmetric routing”. For routers that simply forward packets and don’t
    do any local traffic processing such as NAT, this is usually normal, and in some cases even unavoidable.

    If your system does anything but forwarding packets between interfaces, this may cause problems with incoming connections
    and some measures should be taken to prevent it.

    Policy-based routing

    Policy-based routing (PBR) in Linux is designed the following way:
    first you create custom routing tables, then you create rules to tell
    the kernel it should use those tables instead of the default table for specific traffic.

    Some tables are predefined:

    local (table 255)
    Contains control routes local and broadcast addresses.
    main (table 254)
    Contains all non-PBR routes. If you don’t specify the table when adding a route, it goes here.
    default (table 253)
    Reserved for post processing, normally unused.

    User-defined tables are created automatically when you add the first route to them.

    Create a policy route

    Examples:

    Notes: You can use any route options described in “Route management” section
    in policy routes too, the only difference is the “table ${table id/name}” part at the end.

    Numeric table identifiers and names can be used interchangeably. To create your own symbolic
    names, edit /etc/iproute2/rt_tables config file.

    “delete”, “change”, “replace”, or any other route actions work with any table too.

    “ip route … table main” or “ip route … table 254” would have exact same effect to
    commands without a table part.

    View policy routes

    Examples:

    Note: in this case you need the “show” word, the shorthand like “ip route table 120”
    do not work because the command would be ambiguous.

    General rule syntax

    Traffic that matches the ${options} (described below) will be routed
    according to the table with specified name/id instead of the “main”/254 table if “lookup” action is used.

    “blackhole”, “prohibit”, and “unreachable” actions that work the same way to route types with same names.
    In most of examples we will use “lookup” action as the most common.

    For IPv6 rules, use “ip -6”, the rest of the syntax is the same.

    “table ${table id or name}” can be used as alias to “lookup ${table id or name}”.

    Create a rule to match a source network

    Examples:

    Notes: “all” can be used as shorthand to 0.0.0.0/0 or ::/0

    Create a rule to match a destination network

    Examples:

    Create a rule to match a ToS field value

    Examples:

    Create a rule to match a firewall mark value

    Examples:

    Note: See iptables documentation to find out how to set the mark.

    Create a rule to match inbound interface

    Examples:

    Rule with “iif lo” (loopback) will match locally generated traffic.

    Create a rule to match outbound interface

    Examples:

    Note: this works only for locally generated traffic.

    Set rule priority

    Examples:

    Note: As rules are traversed from the lowest to the highest
    priority and processing stops at first match, you need to put more specific rules
    before less specific. The above example demonstrates rules for 192.0.2.0/24 and its
    subnet 192.0.2.0/25. If the priorities were reversed and the rule for /25 was placed
    after the rule for /24, it would never be reached.

    Show all rules

    Delete a rule

    Examples:

    Notes: You can copy/paste from the output of “ip rule show”/”ip -6 rule show”.

    Delete all rules

    Notes: this operation is highly disruptive. Even if you have not
    configured any rules, “from all lookup main” rules are initialized by default. On an unconfigured
    machine you can see this:

    The “from all lookup local” rule is special and cannot be deleted. The “from all lookup main” is not,
    there may be valid reasons not to have it, e.g. if you want to route only traffic you created explicit
    rules for. As a side effect, if you do “ip rule flush”, this rule will be deleted, which will make the
    system stop routing any traffic until you restore your rules.

    Network namespace management

    Network namespaces are isolated network stack instances within a single machine. They can be used
    for security domain separation, managing traffic flows between virtual machines and so on.

    Every namespace is a complete copy of the networking stack with its own interfaces, addresses,
    routes etc. You can run processes inside a namespace and bridge namespaces to physical interfaces.

    Create a namespace

    Examples:

    List existing namespaces

    Delete a namespace

    Examples:

    Run a process inside a namespace

    Examples:

    Note: assigning a process to a non-default namespace requires
    root privileges.

    You can run any processes inside a namespace, in particular you can run “ip”
    itself, commands like in this “ip netns exec foo ip link list” in this section
    are not a special syntax but simply executing another copy of “ip” in a namespace.
    You can run an interactive shell inside a namespace as well.

    List all processes assigned to a namespace

    The output will be a list of PIDs.

    Identify process’ primary namespace

    Examples:

    Assign network interface to a namespace

    Examples:

    Note: once you assign an interface to a namespace, it disappears
    from the default namespace and you will have to perform all operations with it via
    “ip netns exec ${netspace name}”, as in “ip netns exec ${netspace name} ip link set dev dummy0 down”.

    Moreover, when you move an interface to another namespace, it loses all existing configuration
    such as IP addresses configured on it and goes to DOWN state. You need to bring it back up and
    reconfigure.

    If you specify a PID instead of a namespace name, the interface gets assigned to the primary
    namespace of the process with that PID. This way you can reassign an interface back to default
    namespace with e.g. “ip netns exec ${namespace name} ip link set dev ${intf} netns 1”
    (since init or another process with PID 1 is pretty much guaranteed to be in default namespace).

    Connect one namespace to another

    This can be done by creating two veth links and assigning them two different namespaces.
    Suppose you want to connect namespace “foo” to the default namespace.

    Create a pair of veth devices:

    Move veth2 to namespace foo:

    Bring veth2 and add an address in “foo” namespace:

    Add an address to veth1, which stays in the default namespace:

    Now you can ping 10.1.1.1 which if in foo namespace, and setup routes to
    subnets configured in other interfaces of that namespace.

    If you want switching instead of routing, you can bridge those veth
    interfaces with other interfaces in corresponding namespaces. Same technique
    can be used to connect namespaces to physical networks.

    Monitor network namespace subsystem events

    Displays events such as creation and deletion of namespaces when they occur.

    Multicast management

    Multicast is mostly handled by applications and routing daemons, so there is not much
    you can and should do manually here. Multicast-related ip commands are mostly useful for debug.

    View multicast groups

    Example:

    Add a link-layer multicast address

    You cannot join an IP multicast group manually, but you can add a multicast MAC
    address (even though it’s rarely needed).

    Example:

    View multicast routes

    Multicast routes cannot be added manually, so this command can only show
    multicast routes installed by a routing daemon. It supports the same modifiers to
    unicast route viewing commands (iif, table, from etc.).

    Network event monitoring

    You can monitor certain network events with iproute2, such as changes in network configuration,
    routing tables, and ARP/NDP tables.

    Monitor all events

    You may either call the command without parameters or explicitly specify “all”.

    Monitor specific events

    Event type can be:

    link
    Link state: interfaces going up and down, virtual interfaces getting created or
    destroyed etc.
    address
    Link address changes.
    route
    Routing table changes.
    mroute
    Multicast routing changes.
    neigh
    Changes in neighbor (ARP and NDP) tables.

    When there are distinct IPv4 and IPv6 subsystems, the usual “-4” and “-6” options
    allow you to display events only for specified protocol. As in:

    Read a log file produced by rtmon

    iproute2 includes a program called “rtmon” that serves essentially the same purpose,
    but writes events to a binary log file instead of displaying them. “ip monitor” command
    allows you to read files created by the program”.

    rtmon syntax is similar to that of “ip monitor”, except event type is limited to
    link, address, route, and all; and address family is specified in “-family” option.

    netconf (sysctl configuration viewing)

    View sysctl configuration for all interfaces

    View sysctl configuration for specific interface

    Examples:

    Contributors:

    Content

    Nicolas Dichtel
    Netconf section
    Russel Stuart
    TUN/TAP section
    Phil Huang
    Unicast VXLAN
    Haishan
    dstport option for VXLAN commands
    Emil Pederson
    promote_secondaries suggestion.
    Nick B.
    tuntap device deletion command correction

    Grammar, style, typo fixes

    Trick van Staveren,
    powyginanachochla,
    Nathan Handler,
    Bhaskar Sarma Upadhyayula,
    Geert Stappers,
    Alex White-Robinson,
    Achilleas Pipinellis,
    fauxm,
    fgtham,
    eri.

    Design

    elico,
    alex-eri.

    Copyright © Daniil Baturin <daniil at baturin dot org>
    2013, 2015, 2017.
    Creative Commons License
    Last modified: 2017 Nov 23.

    © 2018 GitHub, Inc.
    Terms
    Privacy
    Security
    Status
    Help
    Contact GitHub
    API
    Training
    Shop
    Blog
    About
    Press h to open a hovercard with more details.

    /by

    Linux – Permissions

     

    In order to update and change file permissions, you can use the chmod command. The format of the command is as follows:

    for each action

     

    Changing Permissions
    VALUE MEANING
    rwx+ugo No restrictions on permissions.
    u+rwx,go+rx,go-x The file’s owner may read, write, and execute the file. All others may read and execute the file.
    u+rwx,og-rwx The file’s owner may read, write, and execute the file. Nobody else has any rights.
    ugo+rw,ugo-x All users may read and write the file.
    u+rw,u-x,go+r,go-wx The owner may read and write a file, while all others may only read the file.
    u+rw,u-x,go-rwx The owner may read and write a file. All others have no rights.
    /by

    How to Disable or Enable Disk Write Caching in Linux

    ATA-Based Disks

    1. Check out whether disk caching is enabled on your disk or not:
    1. To disable write caching, you need to edit hdparm.conf using your favorite editor (e.g. gedit, vi).
    1. After making the changes, restart the server/computer and check out the write caching status again to make sure it’s disabled.
      If in case hdparm.conf does not exist in /etc folder, an alternative approach is to use the command below.
    1. To know more about “hdparm”, invoke the manual by typing the following command.

    SCSI-Based Disks

    1. Check out whether disk caching is enabled on your disk or not:
    1. Sending an SCSI inquiry command using “sdparm”.
    1. Getting all the parameters for the Caching Mode Page. Refer to the details of this mode page from the SCSI Interface Specification.
    1. Setting write caching or disk caching to enable by running below command.
    1. To get the WCE current value:
    1. To set the WCE current value (WCE=1)
    1. To set the WCE current and saved values (WCE=1)
    1. To clear (disable) the WCE current value (WCE=0)
    1. To clear (disable) the WCE current and saved values (WCE=0)
    1. To know more about “sdparm”, invoke the manual by typing the following command.
    /by