Category: Knowledgebase

Linux, Windows, Virtualization based technical articles, reviews, and How-TOs.

How to distinguish between LHR and FHR nvidia graphic card?

After NVIDIA released their Ti range of consumer graphics cards, there were many misunderstandings about the difference between Lite Hash Rate (LHR) and Full Hash Rate (FHR) graphics cards.

RTX 3060, RTX 3060 Ti, 3070 Ti, and 3080 Ti graphic cards are LHR since NVIDIA released them. It is important to note that RTX 3090 is an FHR card, whereas RTX 3060 Ti, RTX 3080, and RTX 3080 are potentially FHR.

Some tech news outlets reported that miners could turn LHR-based RTX 3060 cards to FHR with leaked NVIDIA drivers.

MODEL          TYPE
RTX 3090       Only Full Hash Rate
RTX 3080 Ti    Only Lite Hash Rate
RTX 3080       Full Hash Rate or Lite Hash Rate after late May 2021
RTX 3070 Ti    Only Lite Hash Rate
RTX 3070       Full Hash Rate or Lite Hash Rate after late May 2021
RTX 3060 Ti    Full Hash Rate or Lite Hash Rate after late May 2021

If you buy a graphics card released after July 2021, it is most likely an LHR model. In fact, all NVIDIA cards sold after July 2021 are LHR models.

You can spot LHR cards by looking at their retail box. You should be able to find LHR printed on the retail package. It was mandatory by NVIDIA for all OEMs to put LHR identification on all graphics card retail boxes.

The best way to make sure you are not getting an LHR card is to ask a retailer/supplier before you buy. Give them the model number you want to buy, and they will tell you precisely if the card is LHR or FHR.

Devices have inconsistent logical block sizes while adding VDO device

  • While extending VG on SD or VDO devices, you may get an error:

# vgextend vg1 /dev/mapper/vdo2
Devices have inconsistent logical block sizes (512 and 4096).

  • In the above output, vgextend fails due to inconsistent block size of physical volume on disk drives.
  • To resolve this issue, enable allow_mixed_block_sizes in lvm.conf to allow the same VG to have two PV of varying block sizes. The default value of allow_mixed_block_sizes is 0, which is disabled by default.

# cat /etc/lvm/lvm.conf | grep -i "allow_mixed_block_sizes" | grep -v "#"
allow_mixed_block_sizes =1

  • You can verify the block size of the SD or VDO disk using the following command:

# parted /dev/sdb u s p

Note: The default logical block size of the VDO device is 4096K (8 sectors).

VNC session freezes for a few seconds

VNC hangs because of an increased number of VNC sessions, initiated by sshd, that remain in the closing state.

# loginctl list-sessions --no-pager | wc -l
49290

A session would be in a closing state if a process within the session stayed alive after the session was closed.

# loginctl session-status 45098
45098 - root (0)
Since: Fri 2021-09-04 13:20:15 CET; 1 months 0 days ago
Leader: 1278
Remote: vnc.seimaxim.com
Service: sshd; type tty; class user
State: closing
Unit: session-45098.scope

The root cause is that two sshd daemons are running on the server. This causes logind to not terminate the session gracefully. To resolve this issue, reboot the server.

  • You should run only one sshd daemon on the server.

# ps axu | grep -i "sbin/sshd"

  • Run the following command and check the output. This will disable the sshd-quest.service.

# systemctl stop sshd-quest.service
# systemctl disable sshd-quest.service

  • Keep running the sshd.service as provisioned in the Linux OS.

# systemctl start sshd.service
# systemctl enable sshd.service

How to create SFTP shared folder so multiple restricted and chroot Jailed users can access the same folder

You need to migrate a Windows-based SFTP server to the RHEL platform to save cost and make it easier to manage.

To build an environment similar to the one I have on Windows, I need to create three types of user accounts. A chroot-jailed account cannot get out of its home directory, which ensures no other users are affected, and that makes sharing a bit challenging.

Based on my requirement,

  1. Users should be restricted to their directories and not see OS directories, ensuring no other users are affected. 
  2. Some users will have FULL access to other user’s home directories.
  3. Some users will have read-only access to some other user’s fully shared directories.

There will be other solutions to fix this problem, but I am doing the easiest way I can think of.

I am going to discuss three scenarios.

Scenario #1: Create three SFTP jailed Chroot accounts, but one account should access the files of the other two accounts’ home directory.

I have created a folder structure as shown in the table below. You can see that the third account's home directory is one level up from the other two accounts.

Users       Home directories
User01      /data/accounts/user01
User02      /data/accounts/user02
accounts    /data/accounts

Create the directories

mkdir -p /data/accounts/user01/internal ; mkdir -p /data/accounts/user02/internal

Make the landing directories home directories.

Create the logins and directories. You can also amend /etc/passwd if you have already created the user accounts without home directories.

useradd  -d /data/accounts/user01 -s /sbin/nologin user01 ; useradd  -d /data/accounts/user02 -s /sbin/nologin user02

Make sure you have set the password of your accounts

passwd <userName>

Add your accounts to the group named sftpusers

groupadd sftpusers 
usermod -aG sftpusers user01
usermod -aG sftpusers user02

Set up the appropriate permissions

chown user01:sftpusers /data/accounts/user01/internal ; chmod -R 755 /data/accounts/user01/internal
chown user02:sftpusers /data/accounts/user02/internal ; chmod -R 755 /data/accounts/user02/internal

Edit the sshd_config file

Edit the /etc/ssh/sshd_config and add the following lines.

Configure /etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# BEGIN SFTP-Server sftpusers block

Match Group sftpusers
ChrootDirectory  %h
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no

#End group sftpusers configuration

Restart the SSHD service

systemctl restart sshd

You have configured user01 and user02, and you can log in and upload files.
Let’s start with our third account, named “accounts”. This account should have FULL access to the user01/user02 files.

Configure your third user account

useradd  -d /data/accounts -s /sbin/nologin accounts ; mkdir -p  /data/accounts/

Make accounts a member of group sftpusers

usermod -aG sftpusers accounts

Make sure you give good permissions to the home directories of user01/user02

chown user01:sftpusers /data/accounts/user01/internal ; chmod -R 775 /data/accounts/user01/internal
chown user02:sftpusers /data/accounts/user02/internal ; chmod -R 775 /data/accounts/user02/internal

change the /etc/ssh/sshd_config to add the user accounts

# BEGIN SFTP-Server "accounts" block

Match user accounts
ChrootDirectory  /data/accounts
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no
#END SFTP-Server accounts block

Restart the SSHD service.

systemctl restart sshd

TESTING & Diagnostic Steps

You can test your login by doing: sftp user05@localhost
Check /var/log/secure for any errors with permissions and sftp.

sftp and/or scp may fail at connection time if your shell initialization (.profile, .bashrc, .cshrc, etc.) produces output for non-interactive sessions. This output confuses the sftp/scp client. You can verify whether your shell is doing this by executing:

ssh <yourhost> /usr/bin/true

Scenario #2: One folder is shared by multiple chroot jailed accounts

Users     Home directories
User03    /dpt/files
User04    /dpt/files

As shown above, both chroot jailed users have shared folders, so we will create the users and configure them.

mkdir -p /dpt/files/internal
useradd  -d /dpt/files -s /sbin/nologin user03
useradd  -d /dpt/files -s /sbin/nologin user04

Create the group grp-shared and add your accounts to the newly created group.

groupadd grp-shared
usermod -aG grp-shared user03 ; usermod -aG grp-shared user04

Check that your users have the desired group.

groups user03

Make sure you give good permissions to the shared directory

chgrp  grp-shared /dpt/files/internal ; chmod -R 775 /dpt/files/internal

change the /etc/ssh/sshd_config to add your group grp-shared in the sshd configuration

#BEGIN SFTP-Server grp-shared block

Match Group grp-shared
ChrootDirectory  /dpt/files
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes
#END SFTP-Server grp-shared block

Restart the SSHD service.

systemctl restart sshd

Scenario #3: A single folder is shared by multiple chroot jailed accounts, but one user has read-only access to that shared folder

Users     Home directories
user03    /dpt/files
user04    /dpt/files
user05    /dpt/files (READ-ONLY ACCESS)

Here I will show you the configuration for the third user, which has READ-ONLY access to the shared folder from the scenario discussed above.

useradd   -s /sbin/nologin user05
passwd user05

You can leave the user's default home directory as /home/user05 and, in the sshd_config file, set the chroot directory to /dpt/files.

Match User user05
ChrootDirectory /dpt/files
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

Restart the SSHD service.

systemctl restart sshd

How to setup VNC server as user in AlmaLinux 8 & CentOS 8

  • For setting up a VNC server as a Linux user, you must complete all the following steps as the same user. You must ssh to the server as the intended user and must not sudo or su – .
  • The following steps can be used to configure the Xvnc server in Alma Linux 8.
  • Copy /usr/lib/systemd/user/vncserver@.service to ~/.config/systemd/user/ as follows:

$ mkdir -p ~/.config/systemd/user
$ cp /usr/lib/systemd/user/vncserver@.service ~/.config/systemd/user/

  • After copying the file, reload the user’s systemd configuration as follows:

$ systemctl --user daemon-reload

  • Use vncpasswd command to setup password for the root user as follows:

$ vncpasswd

  • Enable vncserver service and allow it to run at boot time as follows:

$ systemctl --user enable vncserver@:<display>.service --now

  • You must not use displays 0 and 1 and only use between 2 and 99.
  • As the final step, enable lingering as follows:

$ loginctl enable-linger

VNC error – Could not connect to session bus:Failed to connect

  • Your VNC session may give an error as shown below:

Could not connect to session bus:Failed to connect to socket /tmp/dbus-xxxxxx:Connection refused

  • The root cause of this error is that the session bus gets multiple dbus-daemon modules in the default path set for the user.
  • A path for /root/anaconda3/bin was exported and set as the default path for a user.
    Delete the path /root/anaconda3/bin from the default PATH. If the session bus error is faced by a single user, the anaconda path needs to be removed from the two files mentioned below:

~/.bash_profile and ~/.bashrc

  • If a session bus error is generated for system-wide users, the anaconda path needs to be removed from  the following files:

/etc/bashrc and /etc/profile

  • To reproduce this error, connect vnc viewer to vnc server, the window will pop up showing the following error:

Could not connect to session bus:Failed to connect to socket /tmp/dbus-xxxxxx:Connection refused

How to login into VNC without a password

You can remove all types of authentication by configuring the VNC server. As the user, start a VNC session and pass the “-SecurityTypes None” option when starting the VNC server, as below:

#vncserver :X -SecurityTypes None

In the above command, X is the display number at which the vnc session should start.

The “-SecurityTypes None” option can be added to the VNC service file by passing it on the ExecStart= line. In this way, users do not need to enter this option every time they start a VNC session with vncserver.

ExecStart=/usr/sbin/runuser -l startvnc -c "/usr/bin/vncserver %i -SecurityTypes None"

How to change the color of the default black Font Awesome icons

  • You can add the color to the HTML element as follows:

<i class="fa fa-car" style="color:#DDDDDD;"><!-- icon --></i>

  • You can also change the size of the icon as follows:

<i class="fa fa-car fa-lg" style="color:#DDDDDD;"><!-- icon --></i>

<i class="fa fa-car fa-4x" style="color:#DDDDDD;"><!-- icon --></i>

  • You can also make site-wide changes with CSS as follows:

.fa {
color: black;
}
.fa-car {
color: red;
}
.fa-bus {
color: green;
}

How to disable bash shell history

You can use two methods to disable saving shell history in bash.

Method 1:

  • Add the following line at the end of /etc/profile or make a new file in /etc/profile.d/ with .sh extension.

unset HISTFILE

  • With the above option, the user’s bash shell will not save history unless the user manually configures the HISTFILE variable.

Method 2:

  • Add the following line in either /etc/profile or make a new file under /etc/profile.d/ with the .sh extension to implement the second method.

set +o history

  • Users will still be able to auto-save shell history by manually setting the HISTFILE variable.
  • It is possible to make it difficult for users to get their bash processes to auto-save commands in shell history. Follow these steps:
  • Set unset HISTFILE or set +o history as described in the above steps. Take ownership of the ~/.bashrc and ~/.bash_profile files in all users’ $HOME directories.

chown root:root ~albert/.bashrc ~albert/.bash_profile

  • Make the files immutable in all users $HOME directories as follows:

chattr +i ~albert/.bashrc ~albert/.bash_profile

error “Cannot allocate memory” while executing commands

  • You should increase /proc/sys/kernel/pid_max sysctl. Otherwise, execute the following command to check which app is forking multiple threads.

#ps -eLF

  • The error “Cannot allocate memory” indicates that the system is running out of PIDs (process IDs). In other words, the number of threads/processes present on the system has reached the maximum limit, which is set by the /proc/sys/kernel/pid_max sysctl.
  • You can check the value of pid_max on the system as follows:

#cat /proc/sys/kernel/pid_max
40000

  • To set the value of pid_max, execute the following command as root.

sysctl -w kernel.pid_max=32768
kernel.pid_max = 32768

  • The value can only be extended up to a theoretical maximum of 32768 for 32 bit systems or 4194304 for 64 bit.

How to configure system wide proxy for all users shells and yum

  • The http_proxy environment variable is used to specify proxy settings for wget and curl. To find the proxy server already set on a Linux machine, use the following command:

echo $http_proxy

  • To set http_proxy without username and password:

export http_proxy=http://SERVER-NAME:PORT/

  • To set http_proxy with username and password:

export http_proxy=http://USER-NAME:PASSWORD@SERVER-NAME:PORT/

  • To set http_proxy with username, password, and domain:

export http_proxy=http://DOMAIN\\USERNAME-NAME:PASSWORD@SERVER-NAME:PORT/

  • In the above command, make sure the literal backslash is doubled.
  • When the username or password uses the @ symbol, add a backslash (\) before the @ as follows:

export http_proxy=http://DOMAIN\\USER-NAME\@ME:PASSWORD@SERVER-NAME:PORT

  • To make the proxy server settings permanent:

echo "http_proxy=http://proxy.seimaxim.com:3000/" >> /etc/environment

  • To set yum proxy, add/modify the following lines to yum.conf.

proxy=http://proxy.example.com:3000
proxy_username=yum-username
proxy_password=hjytr

  • To make proxy server settings permanent for bash and sh user, create a new file /etc/profile.d/http_proxy.sh and run the following command.

echo "export http_proxy=http://proxy.seimaxim.com:3000/" > /etc/profile.d/http_proxy.sh

  • To make proxy server settings permanent for csh and tcsh users, create a new file /etc/profile.d/http_proxy.csh by running the following command.

echo "setenv http_proxy http://proxy.seimaxim.com:3000/" > /etc/profile.d/http_proxy.csh

If you are trying to configure a proxy for chrome or firefox, you need to go through its user guide.

How to log all bash history commands to syslog

shopt is a bash built-in command; its syslog_history option enables bash history to be written to /var/log/messages.

shopt -s syslog_history

If you want to unset it, run the following command.

shopt -u syslog_history

In order for these audit activities to persist in all bash sessions, append the following to the bottom of /etc/bashrc file.

shopt -s syslog_history
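
Once history is going to syslog, the records can be searched for the commands that turn recording back off. The script below is an added example, not part of the original article; it assumes bash writes each record as HISTORY: PID=<pid> UID=<uid> <command>, and the sample log lines (host, PIDs, commands) are constructed.

```shell
#!/bin/sh
# Added example: find bash syslog_history records whose command stops history
# from being recorded. Assumed record format (after the syslog prefix):
#   HISTORY: PID=<pid> UID=<uid> <command>

# Constructed sample in /var/log/messages style.
SAMPLE_LOG='Oct  4 10:01:12 web01 -bash: HISTORY: PID=4021 UID=1000 ls -l /var/www
Oct  4 10:01:30 web01 -bash: HISTORY: PID=4021 UID=1000 unset HISTFILE
Oct  4 10:02:05 web01 sshd[911]: Accepted publickey for albert from 192.0.2.10 port 50222 ssh2
Oct  4 10:03:44 web01 bash: HISTORY: PID=4188 UID=0 shopt -u syslog_history
Oct  4 10:04:02 web01 -bash: HISTORY: PID=4021 UID=1000 cat notes.txt; set +o history'

# Print "uid<TAB>pid<TAB>command" for every HISTORY record read from stdin.
parse_history() {
    awk '
    {
        start = index($0, "HISTORY: PID=")
        if (start == 0) next                      # not a history record
        rest = substr($0, start + 9)              # "PID=4021 UID=1000 ls -l"
        n = split(rest, f, " ")
        if (n < 3 || f[1] !~ /^PID=[0-9]+$/ || f[2] !~ /^UID=[0-9]+$/) next
        cmd = substr(rest, length(f[1]) + length(f[2]) + 3)
        printf "%s\t%s\t%s\n", substr(f[2], 5), substr(f[1], 5), cmd
    }'
}

# Keep only records that unset HISTFILE, run "set +o history", or turn
# syslog_history off (the three settings this page describes).
flag_history_tampering() {
    parse_history | awk -F '\t' '
        $3 ~ /(^|[;&| ])unset +HISTFILE/ ||
        $3 ~ /(^|[;&| ])set +[+]o +history/ ||
        $3 ~ /(^|[;&| ])shopt +-u +syslog_history/ {
            printf "uid=%s pid=%s cmd=%s\n", $1, $2, $3
        }'
}

# Summarise flagged records per UID, one "uid count" pair per line.
flagged_per_uid() {
    flag_history_tampering | awk '{ sub(/^uid=/, "", $1); n[$1]++ }
        END { for (u in n) print u, n[u] }' | sort -n
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_history_tampering
```

On a real host, feed it the log instead of the sample, for example: flag_history_tampering < /var/log/messages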

How to setup CA Certificate authority with OpenSSH in CentOS 7

  • You should first create CA keys on the certificate authority ca server as root:

ssh-keygen -f ca_server

  • Check with ls to see if files are created in the current working directory. Following files will be present.

ca_server ca_server.pub

  • Sign the host key of the ca server itself.

ssh-keygen -s ca_server -I host_auth_server -h -n ca_server.seimaxim.com -V +52w /etc/ssh/ssh_host_rsa_key.pub

Signed host key /etc/ssh/ssh_host_rsa_key-cert.pub: id "host_auth_server" serial 0 for ca_server.example.com valid from 2021-01-01T12:00:00 to 2022-01-01T12:00:00

  • In the next step, use scp to copy the host key from the ssh server to ca server as follows:

scp root@sshserver.seimaxim.com:/etc/ssh/ssh_host_rsa_key.pub .

  • On the ca server, using the same method as above, create a certificate from the ssh_host_rsa_key.pub file copied from the ssh server.

ssh-keygen -s ca_server -I host_sshserver -h -n sshserver.seimaxim.com -V +52w ssh_host_rsa_key.pub

  • Copy the generated ca certificate file to ssh server with scp as follows:

scp ssh_host_rsa_key-cert.pub root@sshserver.seimaxim.com:/etc/ssh/

  • Now on both the ca server and the ssh server, add the following line to the /etc/ssh/sshd_config file.

HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

  • Reload ssh

systemctl reload sshd

  • Repeat all steps in bold text above on all ssh servers to which the clients want to connect.
  • Confirm certificate of ssh server from the ssh client system.

cat ca_server.pub

  • The output of the above command should be:

ssh-rsa
CVBGHNB3NzaC1yc2EAAAADAQABAAJKJKJKJJJJJJUKJHJhcNeRD3dKh0L1opw4/LQJcUPfRj07E3ambJfK+G4gfrKZ/ju0nanbq+XViNA4cpTIJq6xVk1uVvnQVOi09p4SIyqffahO9S+GxGj8apv7GkailNyYvoMYordMbIx8UVxtcTR5AMAXJM6GdIyRkKxZm1r9tsVPraaMOsKc++8isjJilwiQAhxdWVqvojPmXWE6V1R4E0wNgiHOZ+Wc72nfHh0oivZC4/i3JuZVH7kIDb+ugbsL8zFfauDevuxWeJVWn8r8SduMUVTMCzlqZKlhWb4SNCfv4j7DolKZ+KcQLbAfwybVr3Jy5d
root@ca_server

  • On the ssh client, edit the ~/.ssh/known_hosts file. Delete all data from this file and add the following entry, as a single line, that specifies the public key used to check the certificate that the ssh server will present to the ssh client during login.

@cert-authority *.seimaxim.com ssh-rsa
CVBGHNB3NzaC1yc2EAAAADAQABAAJKJKJKJJJJJJUKJHJhcNeRD3dKh0L1opw4/LQJcUPfRj07E3ambJfK+G4gfrKZ/ju0nanbq+XViNA4cpTIJq6xVk1uVvnQVOi09p4SIyqffahO9S+GxGj8apv7GkailNyYvoMYordMbIx8UVxtcTR5AMAXJM6GdIyRkKxZm1r9tsVPraaMOsKc++8isjJilwiQAhxdWVqvojPmXWE6V1R4E0wNgiHOZ+Wc72nfHh0oivZC4/i3JuZVH7kIDb+ugbsL8zFfauDevuxWeJVWn8r8SduMUVTMCzlqZKlhWb4SNCfv4j7DolKZ+KcQLbAfwybVr3Jy5d
root@ca_server

  • The client machine will not ask about trusting the remote host when connecting to the ssh server for the first time using its FQDN. The main reason is that the ssh server presents its host certificate, signed by the certificate authority ca server, and the ssh client verifies that the certificate is legitimate against the entry in its known_hosts file.
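
Before installing a signed host certificate, it is worth confirming what the -h, -n and -V options above actually produced. The check below is an added example, not part of the original article; it reads the text printed by ssh-keygen -L -f <certificate>, and the sample listing (fingerprints included) is constructed.

```shell
#!/bin/sh
# Added example: validate the fields of a host certificate as printed by
#   ssh-keygen -L -f ssh_host_rsa_key-cert.pub
# Prints one finding per problem; prints nothing when the certificate is usable.

# usage: ssh-keygen -L -f CERT | check_host_cert FQDN NOW
#   FQDN  name clients use to connect (must be listed under Principals)
#   NOW   timestamp as YYYY-MM-DDTHH:MM:SS, e.g. $(date +%Y-%m-%dT%H:%M:%S)
check_host_cert() {
    awk -v want="$1" -v now="$2" '
    /^[ \t]*Type:/       { if ($0 ~ / host certificate[ \t]*$/) is_host = 1 }
    /^[ \t]*Valid:/      { if ($2 == "forever") forever = 1
                           else if ($2 == "from" && $4 == "to") { from = $3; to = $5 } }
    /^[ \t]*Principals:/ { in_list = 1; next }
    /^[ \t]*(Critical Options|Extensions):/ { in_list = 0 }
    in_list && $1 == want { listed = 1 }
    END {
        if (!is_host) print "NOT-A-HOST-CERTIFICATE (signed without -h)"
        if (!listed)  print "PRINCIPAL-NOT-LISTED " want
        # Timestamps in this fixed format compare correctly as strings.
        if (!forever && (from == "" || ((now "") < (from "")) || ((now "") > (to ""))))
            print "OUTSIDE-VALIDITY " from " " to
    }'
}

# Constructed listing for a certificate signed as in the steps above.
GOOD_CERT='ssh_host_rsa_key-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT SHA256:CONSTRUCTED-HOST-KEY-FINGERPRINT
        Signing CA: RSA SHA256:CONSTRUCTED-CA-FINGERPRINT
        Key ID: "host_sshserver"
        Serial: 0
        Valid: from 2021-01-01T12:00:00 to 2022-01-01T12:00:00
        Principals: 
                sshserver.seimaxim.com
        Critical Options: (none)
        Extensions: (none)'

# Constructed faulty variant: -h omitted and a short host name passed to -n.
BAD_CERT=$(printf '%s\n' "$GOOD_CERT" |
    sed 's/ host certificate/ user certificate/; s/sshserver\.seimaxim\.com/sshserver/')

# Stand-alone run: the faulty certificate checked after its 52 weeks are over.
printf '%s\n' "$BAD_CERT" | check_host_cert sshserver.seimaxim.com 2022-03-01T00:00:00
```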

How to set certificate authority CA for the user account

  • On the ca_server, create new keys to sign user certificates as follows:

ssh-keygen -f ca_users

  • Configure ca_server to accept logins with user certification. Use scp to copy the public key to each of ssh servers that will validate the authenticity of the user.

scp ca_users.pub root@sshserver.example.com:/etc/ssh/

  • Add below line to /etc/ssh/sshd_config file on ssh server. This should be added after HostCertificate key as follows:

TrustedUserCAKeys /etc/ssh/ca_users.pub

  • Restart sshd server with systemctl restart sshd
  • Copy client key to the ca_server as follows:

scp <username>@client.seimaxim.com:~/.ssh/id_rsa.pub .

ssh-keygen -s ca_users -I <user_username> -n <username> -V +52w id_rsa.pub

  • On ca server, id_rsa-cert.pub file will be generated that needs to be copied back to the client machine.

scp id_rsa-cert.pub username@client.seimaxim.com:/home/username/.ssh/

  • At this stage, if you log in to ssh server from the client machine, it should not require authentication, even if a login has not been done before to this ssh server as this user.

Bash Shell Scripting Cheat Sheet for Linux

Bash is by default installed on most Linux distributions like Alma Linux, CentOS, Kali, and Ubuntu. The following cheat sheet outlines some important features of bash scripting.

Bash Script Header

#!/usr/bin/env bash
echo "Hello World"

Variables

#!/usr/bin/env bash
MSG="Hello World"
echo "$MSG Albert" # Hello World Albert
echo '$MSG Albert' # $MSG Albert

Strings

MSG="hello world"

Replace

echo ${MSG/w/W} # hello World
echo ${MSG//[a-zA-Z]/X} # XXXXX XXXXX

Uppercase

echo ${MSG^} # Hello world
echo ${MSG^^} # HELLO WORLD
MSG="HELLO WORLD"
echo ${MSG,} # hELLO WORLD
echo ${MSG,,} # hello world

Substring

MSG="hello world"
echo ${MSG:0:5} # hello
echo ${MSG%world} # hello
echo ${MSG#hello} # world

Alternative

echo ${MSG:-val} # hello world
echo ${FOO:-val} # val

Collections

Arrays

names=('Ben' 'Bolt' 'Bob')
names+=('Soto') # Appends element
unset names[3] # Removes element

echo ${names[0]} # Ben
echo ${names[@]} # Ben Bolt Bob
echo ${#names[@]} # 3

Maps

declare -A score
score[X]="1"
score[Y]="2"
score[Z]="3"
unset score[X] # Delete X entry

echo ${!score[@]} # Y Z (key order is not guaranteed)
echo ${score[@]} # 2 3 (same order as the keys)
echo ${#score[@]} # 2

Functions

helloworld() {
echo "Number of arguments $#" # 2
echo "Hello World $1 from $2" # Hello World Ben from Bash
}
helloworld "Ben" "Bash"

helloworld() {
echo 'My return string!'
}
msg=$(helloworld)
echo $msg

Conditionals

if [[ $b -gt 4 ]]; then
echo "$b is greater than 4"
elif [[ $b -lt 4 ]]; then
echo "$b less than 4"
else
echo "$b is equal 4"
fi

Numeric Conditions

[[ NUM -eq NUM ]] Equal
[[ NUM -ne NUM ]] Not equal
[[ NUM -lt NUM ]] Less than
[[ NUM -le NUM ]] Less than or equal to
[[ NUM -gt NUM ]] Greater than
[[ NUM -ge NUM ]] Greater than or equal to

String Conditions

[[ STRING == STRING ]] Equal
[[ STRING != STRING ]] Not equal
[[ -z STRING ]] Empty string
[[ -n STRING ]] Not empty string
[[ STRING =~ STRING ]] Regular expression match

File Conditions

[[ -f FILE ]] Is a file

[[ -d FILE ]] Is a directory

[[ -e FILE ]] Exists

[[ -r -w -x FILE ]] Is readable, Writable, executable

[[ -h FILE ]] Is symbolic link

Boolean conditions

[[ ! EXPR ]] Not
[[ BOOL && BOOL ]] And
[[ BOOL || BOOL ]] Or

Loops

For

for ((i = 0 ; i < 10 ; i++)); do
echo "Hello World $i"
done

for i in {1..5}; do
echo "Hello World $i"
done

While

x=1;
while [ $x -le 5 ]; do
echo "Hello World"
x=$((x + 1)) # advance the counter so the loop ends
done

Files

for i in /tmp/*.txt; do
echo $i
done
cat /tmp/hello.txt | while read line; do
echo $line
done

Print Output

printf "\n\n@ Writing @\n"

Read Input

echo -n "Type answer: "
read ans
echo $ans

How to set up sftp so that user cannot get out of their home directory

This guide deals with how to set up sftp so that users are restricted to their home directory, while other users on the server are not affected.

  • To allow chroot only for specific users, use the Match keyword in /etc/ssh/sshd_config file.
  • Comment the original Subsystem entry in sshd_config file as follows:

#Subsystem sftp /usr/libexec/openssh/sftp-server

  • Add the following Subsystem entry as follows:

Subsystem sftp internal-sftp

  • Type following at the end of /etc/ssh/sshd_config file and save it.

Match Group sftponly
ChrootDirectory /chroots/%u
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no

  • Add a new group for sftp users. Users in this group will be limited to their chrooted environment. These users will not have access to ssh/scp.

groupadd sftponly

  • Create accounts of sftp-chrooted-users. The home directory /home-sftp is relative to the chroot directory.
  • If the user already exists on the server then run:

usermod -g sftponly -s /bin/false user

  • In case the user does not exist on the server then create a new user as follows:

useradd -d /home-sftp -M -g sftponly -s /bin/false user

  • For a newly created user account, set the password as follows:

passwd user

  • Make the chroot environment of the user and configure directory permissions while making sure the path is owned and writable by root only.

mkdir -p /chroots/user ; chmod -R 755 /chroots/user

  • In the above case, /chroots/user becomes the base root / when the user is logged in to the server. If this is not the case then run the following command for chroot sftp setup.

chown root:root /chroots/user

  • Make the user’s actual home directory under ChrootDirectory and chown it to the user and group created above.

mkdir /chroots/user/home-sftp ; chown user:sftponly /chroots/user/home-sftp

  • The permission of /chroots/user/home-sftp should be 0755.
  • For setting the time zone of the host server in a chrooted environment, run the following command.

mkdir /chroots/user/etc/; cp /usr/share/zoneinfo/Asia/Singapore /chroots/user/etc/localtime

  • Restart sshd or reboot server.

systemctl restart sshd
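
sshd rejects the session when any component of the ChrootDirectory path is not a root-owned directory or is writable by group or others, which is the usual way the permissions in this procedure, and in the shared-folder scenarios earlier on this page, go wrong. The check below is an added example, not part of the original article; it assumes GNU stat, and the listing it runs on at the end is constructed.

```shell
#!/bin/sh
# Added example: check a ChrootDirectory path against the sshd_config(5) rule
# that every component is a root-owned directory not writable by group or others.

# Print each component of an absolute path, from / down to the path itself.
path_components() {
    case $1 in /*) ;; *) echo "path must be absolute: $1" >&2; return 2 ;; esac
    p=$1
    list=$p
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        list="$p
$list"
    done
    printf '%s\n' "$list"
}

# Read "uid octal-mode perms name" lines, as printed by
#   stat -L -c '%u %a %A %n'   (GNU stat, assumed)
# and print one finding for every violation.
check_stat_lines() {
    while read -r uid mode perms name; do
        case $perms in
            d*) ;;
            *)  printf 'NOT-A-DIRECTORY %s\n' "$name" ;;
        esac
        [ "$uid" = 0 ] || printf 'NOT-ROOT-OWNED %s (uid %s)\n' "$name" "$uid"
        # 022 = group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'GROUP-OR-OTHER-WRITABLE %s (mode %s)\n' "$name" "$mode"
        fi
    done
}

# Audit a real path on this host, e.g. audit_chroot /chroots/user
# Prints nothing when every component passes.
audit_chroot() {
    path_components "$1" | while IFS= read -r comp; do
        stat -L -c '%u %a %A %n' "$comp"
    done | check_stat_lines
}

# Constructed listing: chmod 775 applied to the chroot itself instead of the
# writable sub-directory, and a chroot owned by the jailed user.
SAMPLE_STAT='0 555 dr-xr-xr-x /
0 755 drwxr-xr-x /dpt
0 775 drwxrwxr-x /dpt/files
0 755 drwxr-xr-x /chroots
1001 755 drwxr-xr-x /chroots/user'

# Stand-alone run over the constructed listing.
printf '%s\n' "$SAMPLE_STAT" | check_stat_lines
```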

How to install Nvidia drivers on Kali linux

  • First, update Kali Linux based server as follows:

sudo apt update
sudo apt -y full-upgrade

  • Reboot server as follows:

reboot

  • Find out which video card is installed in the Kali Linux server and verify that it is using the nouveau open-source driver.

lspci | grep -i vga

  • You will get the following output:

00:02.0 VGA compatible controller: NVIDIA Corporation GP106 [GeForce GTX 1060 6GB] (rev a1)

  • To get information about the drivers installed, use the lspci command, replacing 00:02.0 with your number from the previous output.

lspci -s 00:02.0 -v
...
Kernel driver in use: nouveau
Kernel modules: nouveau

  • Now install the NVIDIA driver and CUDA toolkit with the following command:

sudo apt install nvidia-driver nvidia-cuda-toolkit

  • You can now verify that your system is using Nvidia drivers instead of nouveau.

lspci -s 00:02.0 -v
...
Kernel driver in use: nvidia
Kernel modules: nvidia

sudo apt install hashcat
hashcat -b | uniq

Inode attributes set with lsattr are not copied to other filesystems

Some of the common tools like cp/rsync do not support copying of inode attributes, so it is not possible to copy these attributes across or even on the same filesystems.

These are inode flags (attributes) and not the regular attributes.

Some Linux filesystems support inode flags, attributes that modify the semantics of files and directories. These flags can be modified and retrieved using ioctl operations. The lsattr and chattr shell commands provide interfaces to these operations, allowing a user to view and modify the inode flags associated with a file.

Inode flags are a nonstandard Linux extension and may be implemented if desired within a filesystem and in a non-uniform way.

SSH connection fails with messages “no hostkey alg”

  • Getting the following ssh debug output:

debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg

  • On CentOS 6, generate ECDSA hostkeys with correct permissions:

ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C '' -N ''
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 640 /etc/ssh/ssh_host_ecdsa_key.pub
restorecon /etc/ssh/ssh_host_ecdsa_key.pub

  • To allow ssh clients to accept ECDSA hostkeys, add the following in /etc/ssh/sshd_config file on the ssh server.

Host fips-seimaxim-hostname
Hostkeyalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

Linux Cheat Sheet – AlmaLinux 8, CentOS 8, CentOS 7, CentOS 6, CentOS 5

Basic system commands

Task: commands in release order (CentOS 5, CentOS 6, CentOS 7, AlmaLinux 8/CentOS 8)
Graphical configuration tools: system-config-*; gnome-control-center
Text-based configuration tools: system-config-*-tui
Configure printer: system-config-printer; gnome-control-center
Configure network: system-config-network; nmcli; nmtui; nm-connection-editor; nmcli; nmtui; nm-connection-editor; gnome-control-center
Configure system language: system-config-language; localectl; localectl; gnome-control-center
Configure time and date: system-config-date; date; timedatectl; date; timedatectl; date; gnome-control-center
Synchronize time and date: ntpdate; /etc/ntp.conf; timedatectl; /etc/chrony.conf; ntpdate; timedatectl; date; /etc/chrony.conf; chronyc
Configure keyboard: system-config-keyboard; localectl; localectl; gnome-control-center
Configure SSH: /etc/ssh/ssh_config; /etc/ssh/sshd_config; ~/.ssh/config; ssh-keygen

Server basic info

Task: commands in release order (CentOS 5, CentOS 6, CentOS 7, AlmaLinux 8/CentOS 8)
View version information: hostnamectl; rpm -qa centos-release; cat /etc/os-release or cat /etc/centos-release
View system profile: sosreport; dmidecode; hwbrowser; sosreport; dmidecode; lstopo; lscpu; sosreport; dmidecode; lstopo; lscpu; cat /proc/cpuinfo; lshw

Boot & kernel

Task: commands in release order (CentOS 5, CentOS 6, CentOS 7, AlmaLinux 8/CentOS 8)
Single user/rescue mode: append 1 or s or init=/bin/bash to kernel cmdline; append 1 or s or rd.break or init=/bin/bash to kernel cmdline
Shut down system: shutdown
Power off system: poweroff; poweroff; systemctl poweroff
Halt system: halt; halt; systemctl halt
Reboot system: reboot; reboot; systemctl reboot
Configure default run level/target: /etc/inittab; systemctl set-default
Configure GRUB bootloader: /boot/grub/grub.conf; /etc/default/grub; grub2-mkconfig; grub-set-default
Configure kernel module: modprobe
View hardware configured: hwbrowser; lshw (in EPEL); lshw
Configure hardware device: udev
View kernel parameters: sysctl -a; cat /proc/cmdline
Load kernel module: modprobe
Remove kernel module: modprobe -r
View kernel version: rpm -q kernel; uname -r

Software installation

Task: commands in release order (CentOS 5, CentOS 6, CentOS 7, AlmaLinux 8/CentOS 8)
Install software: yum install; yum groupinstall; yum install; yum group install
View software info: yum info; yum groupinfo; yum info; yum group info
Update software: yum update
Upgrade software: yum upgrade
Configure software repository: subscription-manager repos; /etc/yum.repos.d/*.repo
Find package owning file: rpm -qf filename; yum provides filename-glob
View software version: rpm -q packagename; yum list installed packagename; rpm -q packagename
View installed software: rpm -qa; yum list installed
Install a module: yum module install module_name
View info on a module: yum module info module_name
View a module’s streams: yum module info module_name
Change module streams: yum module remove module_name:stream; yum module reset module:stream; yum module install module:new_stream
List available modules: yum module list

SERVER services

TaskCentOS5CentOS6CentOS7AlmaLinux8/CentOS8
List all services

chkconfig –list

ls /etc/init.d/

systemctl -at service
ls /etc/systemd/system/*.service
ls /usr/lib/systemd/system/*.service
systemctl list-units -at service
find /etc/systemd/ /usr/lib/systemd/ /run/systemd/ -name *.service”
List running servicesservice –status-allsystemctl -t service –state=active
Start/stop serviceservice name start
service name stop
systemctl start name.service
systemctl stop name.service
Enable/disable servicechkconfig name on
chkconfig name off
systemctl enable name.service
systemctl disable name.service
View service statusservice name statussystemctl status name.service
Check if service is enabledchkconfig name –listsystemctl is-enabled name
Create new service file or modify configurationchkconfig –addsystemctl daemon-reload
/etc/systemd/system/*.service
View run level/targetrunlevel
who -r
systemctl get-default
who -r
Change run level/target/etc/inittab
init run_level

systemctl isolate name.target

systemctl set-default

Configure logging/etc/syslog.conf/etc/rsyslog.conf/etc/rsyslog.conf
/etc/rsyslog.d/*.conf
/var/log/journal
systemd-journald.service
View logs/var/log/var/log
journalctl
Configure system auditadd audit=1 to kernel cmdline
auditctl
/etc/audit/auditd.conf
/etc/audit/audit.rules
authconfig
/etc/pam.d/system-auth
pam_tty_audit kernel module

add audit=1 to kernel cmdline

auditctl
/etc/audit/auditd.conf
/etc/audit/audit.rules
authconfig
/etc/pam.d/system-auth
tlog

View audit outputaureport
/var/log/faillog
Schedule/batch taskscron
at
batch
cron
at
batch
systemd-run --on-calendar
Find file by namelocate
Find file by characteristicfind
Create archivetar
cpio
zip
xz

User operations

TaskCentOS5CentOS6CentOS7AlmaLinux8/CentOS8
Graphical user managementsystem-config-usersgnome-control-center
Create user accountuseradd
Delete user accountuserdel
View/change user account detailsusermod
/etc/passwd
vipw
id
Create user groupgroupadd
Delete user groupgroupdel
Change group detailsgroupmod
/etc/group
Change user passwordpasswd
Change user permissionsusermod
visudo
Change group permissionsgroupmod
visudo
Change password policychage
View user sessionsw

Volumes, File systems, Storage

TaskCentOS5CentOS6CentOS7AlmaLinux8/CentOS8
Default file systemext3ext4xfs
Create/modify disk partitions

fdisk

parted

fdisk
gdiskparted
ssm create
parted
fdisk
gdisk
ssm create
Format disk partitionmkfs.filesystem_type (ext4, xfs)
mkswap
mkfs.filesystem_type (ext4, xfs)
mkswap
ssm create
Defragment disk spacecopy data to new file system
fsck (look for ‘non-contiguous inodes’)
copy data to new file system
fsck (look for ‘non-contiguous inodes’)
xfs_fsr
Mount storage

mount

/etc/fstab

mount

/etc/fstab
ssm mount

Mount and activate swap

/etc/fstab

swapon -a

Configure static mounts/etc/fstab
View free disk spacedf
View logical volume infolvdisplay
lvs
vgdisplay
vgs
pvdisplay
pvs
Create physical volumepvcreatepvcreate
ssm create (if backend is lvm)
Create volume groupvgcreatevgcreate
ssm create (if backend is lvm)
Create logical volumelvcreatelvcreate
ssm create (if backend is lvm)
Enlarge volumes formatted with default file systemvgextend
lvextend
resize2fs
vgextend
lvextend
xfs_growfs
ssm resize
Shrink volumes formatted with default file systemresize2fs
lvreduce
vgreduce
XFS cannot currently be shrunk; copy desired data to a smaller file system.
Check/repair file systemfsckfsck
ssm check
View NFS shareshowmount -e
mount
Configure NFS share/etc/exports
service nfs reload
/etc/exports
systemctl reload nfs.service
Configure on-demand auto-mounts/etc/auto.master.d/*.autofs
/etc/auto.*
Change file permissionschmod
chown
chgrp
umask (future file creation)
Change file attributeschattr
Change access control listsetfacl

Networking & routing

TaskCentOS5CentOS6CentOS7AlmaLinux8/CentOS8
Configure name resolution/etc/hosts
/etc/resolv.conf
/etc/hosts
/etc/resolv.conf
nmcli con mod
Configure hostname/etc/sysconfig/networkhostnamectl
/etc/hostname
nmtui
View network interface info

ip addr

ifconfig
brctl

ip addr
nmcli dev show
teamdctl
brctl
bridge
Configure network interface/etc/sysconfig/network-scripts/ifcfg-*/etc/sysconfig/network-scripts/ifcfg-*
nmcli con [add|mod|edit]
nmtui
nm-connection-editor
View routesip route
Configure routesip route add
system-config-network
/etc/sysconfig/route-iface
ip route add
nmcli
nmtui
nm-connection-editor
/etc/sysconfig/route-iface
Configure firewalliptables and ip6tables
/etc/sysconfig/ip*tables
iptables and ip6tables
/etc/sysconfig/ip*tables
system-config-firewall
firewall-cmd
firewall-config
firewall-cmd
firewall-config
nftables
View ports/socketsss
lsof
netstat
ss
lsof
netstat
ss
lsof
netstat
pcp-dstat --socket

Security management

TaskCentOS5CentOS6CentOS7AlmaLinux8/CentOS8
Configure system security/etc/selinux/config
chcon
restorecon
semanage
setsebool
system-config-selinux
Report on system securitysealert
LDAP, SSSD, Kerberosauthconfig
authconfig-tui
authconfig-gtk
authselect
Network usersgetent

Process management

TaskCentOS5CentOS6CentOS7AlmaLinux8/CentOS8
Trace system callsstrace
Trace library callsltrace
Change process prioritynice
renice
Change process run locationtaskset
Kill a process

kill

pkill

killall

View system usagetop
ps
sar
iostat
netstat
vmstat
mpstat
numastat
top
ps
sar
iostat
netstat
ss
vmstat
mpstat
numastat
tuna
top
ps
sar
iostat
ss
vmstat
mpstat
numastat
tuna
pcp atop
top
ps
sar
iostat
ss
vmstat
mpstat
numastat
tuna
View disk usagedfdf
iostat
pcp-dstat
pmiostat
df
iostat

NFS server configuration file in AlmaLinux 8, CentOS

The new configuration file for NFS server setup in AlmaLinux 8 is /etc/nfs.conf. /etc/sysconfig/nfs is deprecated and replaced by /etc/nfs.conf.

# cat /etc/nfs.conf
#
# This is a general configuration for the
# NFS daemons and tools
#
[general]
# pipefs-directory=/var/lib/nfs/rpc_pipefs
#
[exportfs]
# debug=0
#
[gssd]
# use-memcache=0
# use-machine-creds=1
use-gss-proxy = yes
# avoid-dns=1
# limit-to-legacy-enctypes=0
# context-timeout=0
# rpc-timeout=5
# keytab-file=/etc/krb5.keytab
# cred-cache-directory=
# preferred-realm=
#
[lockd]
# port=0
# udp-port=0
#
[mountd]
# debug=0
# manage_gids=n
# descriptors=0
# port=0
# threads=1
# reverse-lookup=n
# state-directory-path=/var/lib/nfs
# ha-callout=
#
[nfsdcltrack]
# debug=0
# storagedir=/var/lib/nfs/nfsdcltrack
#
[nfsd]
# debug=0
# threads=8
# host=
# port=0

# grace-time=90
# lease-time=90
# tcp=y
# vers2=n
# vers3=y
# vers4=y
# vers4.0=y
# vers4.1=y
# vers4.2=y
# rdma=n
#
[statd]
# debug=0
# port=0
# outgoing-port=0
# name=
# state-directory-path=/var/lib/nfs/statd
# ha-callout=
#
[sm-notify]
# debug=0
# retry-time=900
# outgoing-port=
# outgoing-addr=
# lift-grace=y

How to set up password-less SSH between Windows Clients and CentOS, AlmaLinux servers

Method 1: Create pub/private keys on Windows Clients and copy the public key to Linux Server

  • On a Windows machine, open Putty Key Generator. Click Generate to create public and private keys (set passphrase if preferred).
  • Copy the content of the public key, and paste it to the ~/.ssh/authorized_keys file on AlmaLinux/CentOS ssh server.
  • Confirm that the file permission is 644.
  • Again on Putty Key Generator, click Save private key.
  • Next, name the key file and save it as .ppk.
  • Save the public key in .txt format.
  • Open putty configuration box.
  • Select Connection > SSH > Auth.
  • Click Browse and select the saved .ppk key file in the Private key file for authentication.
  • Select Session in the putty configuration box.
  • Enter hostname in HostName, and enter preferred session name in Saved Sessions, click Save.
  • Select the saved session name, click Load, then click Open.
  • An SSH session is opened without a password requirement (only prompting to enter passphrase if set in step 1).

Method 2: Create pub/private keys on Linux Server and copy the private key to Windows Client

  • Establish ssh connection to the AlmaLinux ssh server from the Windows ssh client through putty using a password.
  • On the terminal of the AlmaLinux ssh server, run the following commands to create public/private keys and append the public key to the authorized keys file:

ssh-keygen -t rsa
cat .ssh/id_rsa.pub >> .ssh/authorized_keys

  • Copy the content of the private key, .ssh/id_rsa, to text editor/notepad on Windows.
  • Save the copied text as a .pem file with Encoding set to “ANSI”.
  • On Windows, open Putty Key Generator. Click Load, and select the saved .pem file from the above step.
  • Opening the .pem file automatically converts it to ppk (private key) format. (If a passphrase was set when generating the key pair, you are prompted for it here; enter the passphrase and click OK.)
  • A message confirming the import was successful is displayed. Click OK.
  • Click Save private key.
  • Save the key file in .ppk format by clicking Save.
  • Open putty configuration box.
  • Select Connection > SSH > Auth.
  • Click Browse and select the saved .ppk key file in the Private key file for authentication.
  • Select Session in the putty configuration box.
  • Enter hostname in HostName, and enter preferred session name in Saved Sessions, click Save.
  • Select the saved session name, click Load, then click Open.
  • SSH session is opened without password (prompted to enter passphrase if passphrase was set).
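
The server-side step both methods share (getting the public key into ~/.ssh/authorized_keys with permissions sshd accepts), as an added shell example that is not part of the original article. The helper names and the sample key are constructed for illustration; the script sets 700/600, which is tighter than the 644 mentioned above, and rejects the multi-line file written by PuTTYgen's "Save public key" button, which authorized_keys does not accept.

```shell
#!/bin/sh
# Added example: install_pubkey and strict_modes_ok are hypothetical helper
# names, not part of OpenSSH or PuTTY.

# install_pubkey KEY_LINE [HOME_DIR]
# Appends one OpenSSH-format public key to HOME_DIR/.ssh/authorized_keys.
# Returns 0 if the key is installed (or already present), 1 if input is rejected.
install_pubkey() {
    local key_line="$1"
    local home_dir="${2:-$HOME}"
    local auth="$home_dir/.ssh/authorized_keys"
    local pat='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'

    # Exactly one line of the form "<type> <base64> [comment]". This rejects
    # private keys and the multi-line "---- BEGIN SSH2 PUBLIC KEY ----" file.
    if [ $(printf '%s\n' "$key_line" | wc -l) -ne 1 ] ||
       ! printf '%s\n' "$key_line" | grep -Eq "$pat"; then
        echo "rejected: not a single OpenSSH public key line" >&2
        return 1
    fi

    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh"
    touch "$auth" && chmod 600 "$auth"

    # Idempotent: match on "<type> <base64>" so a changed comment adds no duplicate.
    if ! grep -Fq -- "$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)" "$auth"; then
        printf '%s\n' "$key_line" >> "$auth"
    fi
}

# strict_modes_ok PATH
# Succeeds when PATH is not writable by group or others, the condition sshd's
# StrictModes checks on the home directory, ~/.ssh and authorized_keys.
strict_modes_ok() {
    case $(ls -ld "$1" | cut -c6,9) in
        --) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample key (not a real key), installed into a scratch directory.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal00000000000 user@windows-client'
install_pubkey "$demo_key" "$demo_home" &&
    strict_modes_ok "$demo_home/.ssh/authorized_keys" &&
    echo "key installed with safe permissions in $demo_home/.ssh"
```

On the server, pass the single line shown in PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box as the first argument and omit the second to target the current user's home directory.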

How to set default Java version with alternatives tool in AlmaLinux

  • When different Java versions are installed on a Linux server, use the alternatives tool to set the default Java version as follows:

alternatives --config java
There are 2 program that provides 'java'.
Selection Command
-----------------------------------------------
*+ 1 java-1.9.0-openjdk.x86_64 (/usr/lib/jvm/java-1.9.0-openjdk-1.9.0.292.b10-1.el8_4.x86_64/jre/bin/java)
2 java-12-openjdk.x86_64 (/usr/lib/jvm/java-12-openjdk-11.0.11.0.9-2.el8_4.x86_64/bin/java)

Enter to keep the current selection[+], or type selection number: 2

  • Type 1 or 2 to select the default Java for the OS. Note that this command can be run only as root. If it is run as a regular user, the following error is returned:

failed to create /var/lib/alternatives/java.new: Permission denied

How to create local repository distributed through apache on AlmaLinux 8 using DVD ISO

Repo creation via ISO DVD image that can be used by the local server only

  • Mount the AlmaLinux DVD ISO file to /mnt/iso as the yum destination.

mkdir -p /mnt/iso

mount -o loop AlmaLinux-dvd.iso /mnt/iso

  • If you are using cdrom/dvdrom, insert cd/dvd and mount it to /mnt/iso as the yum destination.

mkdir -p /mnt/iso

mount -o loop -t iso9660 /dev/sr0 /mnt/iso

  • Create a yum repo file on the server in destination /etc/yum.repos.d/dvd.repo

vi /etc/yum.repos.d/BaseOS.repo
[BaseOS]
name=AlmaLinux 8.0 BaseOS
baseurl=file:///mnt/iso/BaseOS/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-release

vi /etc/yum.repos.d/AppStream.repo
[AppStream]
name=AlmaLinux 8.0 AppStream
baseurl=file:///mnt/iso/AppStream/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-release

Apache (httpd) based yum repository, which can be used by the local server and network servers

  • Mount the AlmaLinux 8/CentOS 8 DVD as follows:

mount -o loop almaLinux8-dvd.iso /mnt

  • Copy all data to /var/www/html/ or to a local directory:

shopt -s dotglob

cp -avRpf /mnt/* /var/www/html/

  • Create .repo files for clients as follows:

cat /etc/yum.repos.d/BaseOS.repo
[BaseOS]
name=AlmaLinux 8.0 BaseOS
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-release
baseurl=http://<Server-IP>/BaseOS/

cat /etc/yum.repos.d/AppStream.repo
[AppStream]
name=AlmaLinux 8.0 AppStream
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-release
baseurl=http://<Server-IP>/AppStream/

  • Clean existing yum/dnf cache and update repository lists on client servers as follows:

dnf clean all
rm -rf /var/cache/yum/*
dnf makecache
dnf repolist

Unable to connect via SSH to other hosts in VMware running AlmaLinux 8

If you SSH to other hosts from a VM running under VMware Workstation, you may get the following error:

packet_write_wait: Connection to x.x.x.x port 22: Broken pipe

  • To resolve this issue, use bridged networking instead of NAT in VMware Workstation. If you still want to keep NAT networking, add the following to your ~/.ssh/config file:

Host *
IPQoS=throughput

The above issue is caused by a change in OpenSSH 7.8.

How to configure multiple instances of Apache HTTPD on the same server in AlmaLinux?

  • You need to copy instance specific configuration file located at /usr/share/doc/httpd/instance.conf to /etc/httpd/conf/newinstance.conf

cp /usr/share/doc/httpd/instance.conf /etc/httpd/conf/newinstance.conf

  • Use the Listen option to change the port to run simultaneously with other httpd.service as below:

Listen 81

  • This configuration will be the default when running httpd@newinstance.service

systemctl start httpd@newinstance.service

  • Some changes expected from the default are:
  1. The default log files names are prefixed with the newinstance name.
  2. DefaultRuntimeDir and PidFile are renamed to newinstance.
  3. conf.modules.d is included but /etc/httpd/conf.d is not included by default.

You can make an httpd@.service instance reload whenever httpd.service is reloaded. For example, logrotate reloads only httpd.service when logs are rotated. To propagate that reload to the instance, create a drop-in file for the instance as below:

[Unit]
ReloadPropagatedFrom=httpd.service

Drop in GPU usage for GPU intensive application

  • To resolve this issue, replace DPMS with HardDPMS in the “OutputClass” section of Xorg configuration file [/etc/X11/xorg.conf.d/] as shown below:

Option "DPMS" "false"

  • Change above to:

Option "HardDPMS" "false"

  • If no DPMS options are set in the [/etc/X11/xorg.conf.d/] file, then append this option as follows:

Section "OutputClass"
Identifier "nvidia"
MatchDriver "nvidia-drm"
Driver "nvidia"
Option "AllowEmptyInitialConfiguration"
Option "PrimaryGPU" "yes"
Option "SLI" "Auto"
Option "BaseMosaic" "on"
Option "HardDPMS" "false"
EndSection

  • Reboot server.


GPU devices have wrong SELinux context after reboot in CentOS

GPU devices show the wrong SELinux context after the server restarts and cannot be used without restoring the context with restorecon.

ls -Z /dev/nvi*
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia1
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia2
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia3
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia4
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia5
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia6
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia7
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidiactl
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia-modeset
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia-uvm
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia-uvm-tools

The right context is set after running restorecon.

$ ls -Z /dev/nvi*
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia1
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia2
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia3
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia4
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia5
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia6
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia7
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidiactl
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia-modeset
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia-uvm
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia-uvm-tools

  • To resolve this issue, you should check for missing files, as shown below.

/lib/udev/rules.d/60-nvidia-drm.rules
/lib/udev/rules.d/60-nvidia-uvm.rules

These files are present in NVIDIA CUDA drivers.
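
A check that can run after each reboot to list the devices that came up with the wrong label, as an added shell example that is not part of the original article. The function names are hypothetical; the sample input reuses three lines from the listing above plus one constructed line in the shorter "context path" layout that newer ls versions print.

```shell
#!/bin/sh
# Added example: mislabeled_devices and sample_ls_z are hypothetical names.

# mislabeled_devices [WANTED_TYPE]
# Reads `ls -Z` output on stdin and prints "<device> <actual type>" for every
# entry whose SELinux type differs from WANTED_TYPE.
mislabeled_devices() {
    awk -v want="${1:-xserver_misc_device_t}" '
    {
        ctx = ""
        # The context is the field shaped user:role:type:level. Its column
        # differs between ls versions, so search for it instead of counting.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
        if (ctx == "") next          # not an ls -Z entry (e.g. an error line)
        split(ctx, part, ":")
        if (part[3] != want) print $NF, part[3]
    }'
}

# Sample input: three lines from the article's listing and one constructed
# line in the shorter layout.
sample_ls_z() {
    cat <<'EOF'
crw-rw-rw-. root root system_u:object_r:xserver_misc_device_t:s0 /dev/nvidia0
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia2
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/nvidia-uvm
system_u:object_r:device_t:s0 /dev/nvidia-uvm-tools
EOF
}

# On a live host: ls -Z /dev/nvi* | mislabeled_devices
sample_ls_z | mislabeled_devices
```

An empty result means every device already carries xserver_misc_device_t; any line printed names a device that still needs restorecon and points to the udev rules not having been applied at boot.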

GPU in VMware does not work with PCI passthrough

The GPU in your host server will not work with PCI passthrough. Virtual machines will be unable to use a hypervisor GPU configured for PCI passthrough.

For GPU to work with PCI passthrough, it should be explicitly designed for this purpose, such as AMD MxGPU or NVIDIA Grid devices.

The main reason is that the specific usage described above violates the architecture design principle where two BIOSs can claim a single device.

Another important point is that GPU sharing is not possible between the hypervisor itself and VMs.