Photon OS is an open-source Linux distribution designed by VMware to run containerized workloads. It is optimised to run on several cloud platforms such as vSphere, Microsoft Azure, Google Compute Engine, Amazon Elastic Compute Cloud etc, offering a small but still secure platform to run containerized workloads.

It ships with only the tools required to run containers. This matters because it reduces the attack surface and leaves out unnecessary libraries and packages that would increase its size. It also boots quickly and uses few resources, which is ideal for a containerized environment.

Photon OS follows the Kernel Self-Protection Project (KSPP) recommendations, so the kernel is secure by default, and all packages are built with hardened security flags. To improve security further, Photon OS also includes SELinux and AppArmor to safeguard against malicious activity on the system.

OSTree is a powerful tool designed to handle bootable, unchangeable, and versioned filesystem trees. Unlike traditional package managers such as rpm or dpkg, which handle package installation, removal, and configuration, OSTree doesn’t have file-level awareness. However, when combined with rpm functionality, OSTree transforms into RPM-OSTree, a system capable of replicating filetrees while also being aware of packages. This integration allows for a comprehensive filetree replication system that incorporates package management capabilities.

Photon OS also supports traditional package management: it includes a yum-compatible, package-based lifecycle management system known as tdnf. This gives users the flexibility to select the tools that work best in their setup.

With all the above features and benefits, Photon OS is a common choice for DevOps and any other area where cloud-native applications exist.

In our previous guide, we learned how to deploy a Kubernetes cluster using VMware Photon OS. Today we will focus on how to administer or manage Photon OS from the command-line interface (CLI). This guide covers basic tasks such as managing packages, controlling services with systemd and configuring networking.

1. Manage Photon OS Packages

Photon OS repositories contain several packages. To view the packages that appear in the Photon OS repositories check the GitHub website. To view the version of the package, select the package and click on the .spec file.


a. Using sudo on Photon OS

Another important tool when logging in to Photon OS and managing packages is sudo. Normally, Photon allows root login, so users can execute commands without sudo. On the minimal version, sudo is not present and you need to install it before you can use it.

Use the command:

tdnf install sudo

b. Checking Signatures on Photon OS

To enhance security, the packages on Photon OS are signed using GPG signatures. This uses keyed-hash authentication such as the SHA1 algorithm, RSA Data Security and MD5.

Signature verification happens automatically when packages are installed or updated using the default package manager, tdnf.

By default, gpgcheck is set to 1 in the tdnf config file. Verify with the command:

$ cat /etc/tdnf/tdnf.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=0
repodir=/etc/yum.repos.d
cachedir=/var/cache/tdnf

To view the installed signing keys, use the command:

$ rpm -qa gpg-pubkey*
gpg-pubkey-66fd4949-4803fe57
gpg-pubkey-8a6a826d-596882ca

You can view detailed information of the key:

$ rpm -qi gpg-pubkey-66fd4949-4803fe57
Name        : gpg-pubkey
Version     : 66fd4949
Release     : 4803fe57
Architecture: (none)
Install Date: Wed 10 May 2023 10:34:00 AM UTC
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Tue 15 Apr 2008 01:01:11 AM UTC
Build Host  : localhost
Packager    : VMware, Inc. -- Linux Packaging Key -- <[email protected]>
Summary     : VMware, Inc. -- Linux Packaging Key -- <[email protected]> public key
Description :

c. Photon OS Package Repositories

Photon OS includes yum-compatible repositories by default. To view the repositories, use the command:

$ ls -l /etc/yum.repos.d/
total 24
-rw-r--r-- 1 root root 313 Apr 24 20:29 photon-debuginfo.repo
-rw-r--r-- 1 root root 238 Apr 24 20:29 photon-iso.repo
-rw-r--r-- 1 root root 299 Apr 24 20:29 photon-release.repo
-rw-r--r-- 1 root root 303 Apr 24 20:29 photon.repo
-rw-r--r-- 1 root root 331 Apr 24 20:29 photon-srpms.repo
-rw-r--r-- 1 root root 307 Apr 24 20:29 photon-updates.repo

Below is a breakdown of the repositories:

  • photon-iso.repo has the packages for Photon OS loaded during the installation.
  • photon.repo has the packages built for a given release.
  • photon-updates.repo has the latest versions of the rpms for a particular Photon release.
  • photon-debuginfo.repo has the debuginfo rpms that can be installed to investigate issues or coredumps. It is disabled by default.
  • photon-release.repo contains the rpms snapped at the major release time. It is disabled by default.
  • photon-srpms.repo contains the source rpms for a particular Photon release. It is disabled by default.

d. Manage packages with tdnf

The default package manager for Photon OS is tdnf. This is a C implementation of DNF without the Python dependencies. This package manager is available in both the minimal and full Photon OS versions.

To view the available repositories, you can use:

$ tdnf repolist
repo id             repo name                                status   
photon-updates      VMware Photon Linux 5.0 (x86_64) Updates enabled  

The local cache is stored at /var/cache/tdnf/photon. Clearing it is a simple first step when troubleshooting errors or slow tdnf performance.

To clear that, use:

$ sudo tdnf clean all
cleaning photon-updates: metadata dbcache packages keys expire-cache
cleaning photon-iso: metadata dbcache packages keys expire-cache
cleaning photon-debuginfo: metadata dbcache packages keys expire-cache
cleaning photon-srpms: metadata dbcache packages keys expire-cache
cleaning photon-release: metadata dbcache packages keys expire-cache
cleaning photon: metadata dbcache packages keys expire-cache
Done.

New repositories on Photon OS are added to /etc/yum.repos.d/:

$ ls  /etc/yum.repos.d/
photon-debuginfo.repo  photon-release.repo  photon-srpms.repo
photon-iso.repo        photon.repo          photon-updates.repo

You can view the syntax of a repo file, for example photon-release.repo:

$ cat /etc/yum.repos.d/photon-release.repo
[photon-release]
name=VMware Photon Linux $releasever ($basearch)
baseurl=https://packages.vmware.com/photon/$releasever/photon_release_$releasever_$basearch
gpgkey=file:///etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY file:///etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY-4096
gpgcheck=1
enabled=0
skip_if_unavailable=1

To demonstrate how to add a new repo, we will use the sample command below to add the Kopia YUM repo:

cat <<EOF | sudo tee /etc/yum.repos.d/kopia.repo
[Kopia]
name=Kopia
baseurl=http://packages.kopia.io/rpm/stable/\$basearch/
gpgcheck=1
enabled=1
gpgkey=https://kopia.io/signing-key
EOF

Once added, import the key:

sudo rpm --import https://kopia.io/signing-key

Update the package index:

$ sudo tdnf makecache
Refreshing metadata for: 'VMware Photon Linux 5.0 (x86_64) Updates'
Refreshing metadata for: 'Kopia'        240884 100%
Metadata cache created.                   3181 100%
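
After adding a third-party repo like the one above, it is worth checking every file in /etc/yum.repos.d/ for settings that weaken package verification. The script below is an added example, not part of the original guide or of Photon OS: audit_repos and make_sample_repos are hypothetical helper names, the two local repos are constructed sample input, and a section is treated as in scope unless it explicitly sets enabled=0.

```shell
# audit_repos DIR: report repo sections that weaken package verification.
# Only sections with an explicit enabled=0 are skipped (this script's assumption).
audit_repos() {
    dir=${1:-/etc/yum.repos.d}
    set -- "$dir"/*.repo
    [ -e "$1" ] || return 0                      # no repo files to check
    findings=$(awk '
        function flush() {
            if (sec == "" || val["enabled"] == "0") return
            if (val["gpgcheck"] != "1") print file ": [" sec "] gpgcheck is not 1"
            if (val["baseurl"] ~ /^http:/) print file ": [" sec "] baseurl uses plain HTTP"
            if (val["gpgkey"] ~ /(^|[ \t])http:/) print file ": [" sec "] gpgkey uses plain HTTP"
        }
        FNR == 1 { flush(); sec = ""; file = FILENAME }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        /^\[/ { flush(); sec = $0; sub(/^\[/, "", sec); sub(/\].*/, "", sec)
                split("", val); next }           # new section: reset its keys
        { i = index($0, "="); if (!i) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v); val[k] = v }
        END { flush() }' "$@")
    [ -z "$findings" ] && return 0
    printf "%s\n" "$findings"
    return 1
}

# Constructed sample input: the Kopia repo file from this guide plus two
# hypothetical local repos (one unsigned, one unsigned but disabled).
make_sample_repos() {
    cat > "$1/kopia.repo" <<'EOF'
[Kopia]
name=Kopia
baseurl=http://packages.kopia.io/rpm/stable/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://kopia.io/signing-key
EOF
    cat > "$1/local.repo" <<'EOF'
[local-test]
baseurl=https://repo.example.invalid/rpms
gpgcheck=0
enabled=1
[local-off]
baseurl=http://repo.example.invalid/off
gpgcheck=0
enabled=0
EOF
}
```

On a Photon OS host, source the file and run audit_repos /etc/yum.repos.d; a non-zero exit status means at least one section was flagged.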

Now there are several methods to install packages from the CLI using tdnf. These are:

  • Using a Repo

You can use a repository to install a package on Photon OS. For example:

sudo tdnf install kopia

  • Using a URL

It is possible to install an RPM package on Photon OS directly. All you need to do is provide the URL to the RPM file:

sudo tdnf install <URL-to-RPM-file>

For example:

sudo tdnf install https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/RPMS/mongodb-org-mongos-6.0.6-1.el9.x86_64.rpm

  • Using RPM file

You can also download and install a package using an RPM file. For example:

wget https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/RPMS/mongodb-org-mongos-6.0.6-1.el9.x86_64.rpm

Now install the package:

sudo tdnf install ./mongodb-org-mongos-6.0.6-1.el9.x86_64.rpm


e. Update/Upgrade Photon OS

To update or upgrade the Photon OS system use the command:

sudo tdnf update

The command will check, download and install all the available system and package updates.


You can automate the update process using the tdnf-automatic command. It is an alternative to tdnf upgrade/tdnf update with added features, intended to be executed as a cron job.

The command is controlled by a config file located at /etc/tdnf/automatic.conf. The tool synchronizes package metadata, checks for available updates and writes the result to standard output.

To learn how to customize /etc/tdnf/automatic.conf, use the help command:

$ sudo tdnf-automatic help
tdnf-automatic - started at Thu Jun 15 10:28:28 AM UTC 2023...


tdnf-automatic help:
tdnf-automatic [{-c|--conf config-file}(optional)] [{-i|--install}] [{-n|--notify}] [{-h|--help}] [{-v|--version}]

-c, --conf	tdnf-automatic configuration file (Optional argument)
-i, --install	Override automatic.conf apply_updates and install updates
-n, --notify	Show available updates
-h, --help	Show this help message
-v, --version	Show tdnf-automatic version information


tdnf-automatic - completed with exit status 22 at Thu Jun 15 10:28:28 AM UTC 2023..

If not available, install it:

sudo tdnf install tdnf-automatic

To view the available updates, run:

$ sudo tdnf-automatic -n
tdnf-automatic - started at Thu Jun 15 10:30:07 AM UTC 2023...

RefreshCache success...
RefreshCache success...

The following updates are available on - photon-lab:
glibc-libs-2.36-5.ph5
coreutils-selinux-9.1-5.ph5
xmlsec1-1.2.37-2.ph5
vim-9.0.1532-1.ph5
systemd-udev-253-4.ph5
systemd-rpm-macros-253-4.ph5
.....
tdnf-automatic - completed with exit status 0 at Thu Jun 15 10:30:09 AM UTC 2023...

You can install the updates:

sudo tdnf-automatic -i

2. Manage Services with Systemd on Photon OS

On Photon OS, services are managed by systemd. For that reason, you are able to manage services using the systemctl command and not the deprecated commands of init.d.

To view the services, use the command:

systemctl

View the statuses:

systemctl --all

To view the unit files, use the command:

systemctl list-unit-files

You can filter the required services using the grep command. For example:

$ systemctl list-unit-files | grep ssh
sshd.service                           enabled         enabled
sshd@.service                          static          -
sshd.socket                            enabled         enabled

Now you can start, enable and stop the services using the systemctl command. For example:

##To start SSH
sudo systemctl start sshd

##To Enable SSH
sudo systemctl enable sshd

##To Stop SSH
sudo systemctl stop sshd

##Check status
systemctl status sshd

3. Manage Networks on Photon OS

You can manage networking with the systemd components systemd-networkd, systemd-resolved, and networkctl.

To view the status of the service use:

$ systemctl status systemd-networkd
 systemd-networkd.service - Network Configuration
     Loaded: loaded (/usr/lib/systemd/system/systemd-networkd.service; enabled; preset: enabl>
     Active: active (running) since Thu 2023-06-15 09:28:10 UTC; 1h 18min ago
TriggeredBy: ● systemd-networkd.socket
       Docs: man:systemd-networkd.service(8)
   Main PID: 522 (systemd-network)
     Status: "Processing requests..."
      Tasks: 1 (limit: 4624)
     Memory: 3.0M
        CPU: 24ms
     CGroup: /system.slice/systemd-networkd.service
             └─522 /usr/lib/systemd/systemd-networkd

Now to configure the network on Photon OS, you need to edit the systemd-networkd files at /etc/systemd/network and /usr/lib/systemd/network.

For example:

$ ls /etc/systemd/network/
50-static-en.network

For this guide, we have the file as 50-static-en.network. Now you can modify the file as desired.

sudo vim /etc/systemd/network/50-static-en.network

For example to configure DHCP:

[Match]
Name=e*

[Network]
DHCP=yes

For Static IP:

[Match]
Name=eth0

[Network]
IPv6AcceptRA=no
Address=192.168.200.61/24
DNS=8.8.8.8
Gateway=192.168.200.1

Once the changes have been made, ensure the file is owned by systemd-network:

sudo chown systemd-network:systemd-network  /etc/systemd/network/50-static-en.network

Verify that the file is present alongside the other systemd network files:

$ sudo updatedb
$ locate systemd/network
/etc/systemd/network
/etc/systemd/network/50-static-en.network
/etc/systemd/networkd.conf
/run/systemd/network
/usr/lib/systemd/network
/usr/lib/systemd/network/80-6rd-tunnel.network
/usr/lib/systemd/network/80-container-host0.network
/usr/lib/systemd/network/80-container-vb.network
/usr/lib/systemd/network/80-container-ve.network
/usr/lib/systemd/network/80-container-vz.network
/usr/lib/systemd/network/80-ethernet.network.example
/usr/lib/systemd/network/80-vm-vt.network
/usr/lib/systemd/network/80-wifi-adhoc.network
/usr/lib/systemd/network/80-wifi-ap.network.example
/usr/lib/systemd/network/80-wifi-station.network.example
/usr/lib/systemd/network/99-default.link

To apply the changes, restart the service:

sudo systemctl restart systemd-networkd

Now check the IP address:

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.61  netmask 255.255.255.0  broadcast 192.168.200.255
        inet6 fe80::cc85:4cff:fe74:cde6  prefixlen 64  scopeid 0x20<link>
        ether ce:85:4c:74:cd:e6  txqueuelen 1000  (Ethernet)
        RX packets 10603  bytes 95291495 (90.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8695  bytes 766871 (748.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
....

4. Manage SELinux and Firewall on Photon OS

You can improve security on your Photon OS using SELinux or firewall settings. To be able to enable SELinux, you need to ensure that the required default policy and dependencies are installed:

sudo tdnf install -y selinux-policy

Once installed, you can set SELinux in enforcing mode using two methods. The first one is a temporary setting:

sudo setenforce 1

To make a permanent setting, you need to modify the below file as shown:

$ sudo vim /etc/selinux/config
SELINUX=enforcing
enforcing=1

Save the file and reboot the system.

You can then load customized policies to SELinux. First, install the required packages:

sudo  tdnf install -y selinux-policy-devel semodule-utils make

Create the config file:

$ vim getty_local.te
policy_module(getty_local, 1.0)

gen_require(`
    type getty_t;
')

allow getty_t self:capability sys_admin;

Compile it:

make -f /usr/share/selinux/devel/Makefile getty_local.pp

Now load the policy with priority 200.

sudo semodule -i getty_local.pp -X 200

You can view all the loaded modules:

sudo semodule -lfull

You can manage firewall rules on Photon OS using iptables:

sudo tdnf install iptables

If the iptables command is not found, add /usr/sbin to the PATH in the profile:

echo "export PATH=\$PATH:/usr/sbin" | sudo tee -a /etc/profile
source /etc/profile

Now you can allow the desired traffic, for example ICMP echo requests and TCP ports 2379 to 2380:

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 2379:2380 -j ACCEPT

Save the rules:

sudo iptables-save | sudo tee /etc/systemd/scripts/ip4save > /dev/null

5. Manage Storage on Photon OS

Managing storage on Photon OS is similar to other Linux distributions. Check the disk usage:

$ df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        4.0M     0  4.0M   0% /dev
tmpfs           1.9G     0  1.9G   0% /dev/shm
tmpfs           777M  8.7M  768M   2% /run
/dev/sda3        40G  931M   37G   3% /
tmpfs           1.9G     0  1.9G   0% /tmp
/dev/sda2        10M  2.2M  7.9M  22% /boot/efi
tmpfs           389M     0  389M   0% /run/user/1000

View the attached disks:

$ lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda      8:0    0    40G  0 disk 
├─sda1   8:1    0     4M  0 part 
├─sda2   8:2    0    10M  0 part /boot/efi
└─sda3   8:3    0    40G  0 part /
sr0     11:0    1 537.5M  0 rom  

To partition a disk, use parted, installed with the command:

sudo tdnf install parted

Once installed, perform disk partitioning:

sudo parted /dev/sdx

Where /dev/sdx is the exact name of the disk.

Verdict

That marks the end of this detailed guide on how to administer and manage Photon OS from the command-line interface (CLI). This guide has covered only the basic administration tasks; there are many more, so feel free to explore.
