Red Hat Certified Engineer Exam Preparation Session, RHEL 7
Md. Shah Alam (Shohag), CCNP (Route) | CCNA Security | CCNA R&S | RHCE | RHCSA on RHEL-7
Cell: +880 1914486186
Sr. Systems Specialist MetroNet Bangladesh Ltd.
Configure Repository
Create a repository on system1 and system2. You can use this URL for your repository: http://classroom.example.com/content/rhel7.0/x86_64/dvd
Answer:
# cd /etc/yum.repos.d
[List the directory with "ls" and delete any previous repo file]
# vim yum.repo    [The file name is user-defined, but it must end in .repo]
[rhce]
name=repo for rhce exam
baseurl=http://classroom.example.com/pub/x86_64/server
enabled=1
gpgcheck=0
[Save & Exit. gpgcheck=0 disables package signature verification, so use it only with the trusted classroom repository]
# yum update -y
Configure SELinux
Configure System-1 and System-2 so that SELinux runs in Enforcing mode.
Answer:
# vim /etc/selinux/config
SELINUX=enforcing    (Be careful with this change: a typo in this value can stop the system from booting)
[Save and Exit]
# reboot
[You can check this with the "getenforce" command]
# getenforce
Enforcing
SSH Configuration
Configure SSH access on both hosts (System-1 and System-2) as follows: clients within rny22ilt.org should not have access to ssh on your hosts.
Answer:
# yum install openssh-server -y
# systemctl enable sshd
# systemctl start sshd
# firewall-cmd --permanent --add-service=ssh
# firewall-cmd --reload
# systemctl restart sshd.service
-------------------- (SSH service access control for rny22ilt.org) --------------------
# firewall-config
[After executing this command a graphical window appears; the rest of the task can be done graphically]
To check the firewall rules, execute the command below:
# firewall-cmd --list-all

Configure Port Forwarding
Configure system1 to forward traffic incoming on port 80/tcp from the source network 172.25.11.0/24 (172.25.11.0 / 255.255.255.0) to port 5243/tcp.
Answer:
# firewall-config
Customize User Environment
Create a command called "qstat" on both systems (System-1 and System-2). It should execute the following:
(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
Answer:
# vim /etc/bashrc
[Go to the bottom of the file and write]
qstat () {
    ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
}
[save and exit]
# source /etc/bashrc
[Type the command below to check]
# qstat
Configure IP Address (IPv6)
Configure the eth0 interface with a static IPv6 address on both systems so that they can communicate within the network.
System-1: 2001:123::1/64
System-2: 2001:123::2/64
Both systems are able to communicate within the network 2001:123::/64.
Both systems should keep their current IPv4 address, and the change should be permanent even after a reboot.
Answer: [for System-1]
# nmcli connection modify eth0 ipv6.address '2001:123::1/64' connection.autoconnect yes ipv6.method manual
# nmcli connection up eth0
# ping6 2001:123::1
[The same configuration applies on System-2; only the IPv6 address changes]
[To check the configuration, ping each other]
Link Aggregation
Configure system-1 and system-2 with eth0 and eth1 in a team that watches for link changes and selects one active port for data transfers.
System-1 IP address: 192.168.X.10/24 and System-2 IP address: 192.168.X.11/24
Answer:
# lab teambridge setup    (Not in the exam; only for the lab environment)
# nmcli connection show    (To show the connections)
# nmcli connection add con-name team0 type team ifname team0 config '{"runner":{"name":"activebackup"}}'
# nmcli connection add con-name team0-p1 type team-slave ifname eno1 master team0
# nmcli connection add con-name team0-p2 type team-slave ifname eno2 master team0
[eno1 and eno2 are the port names in the lab; use the interface names given in the question]
# nmcli connection modify team0 ipv4.address 192.168.X.10/24 ipv4.method manual connection.autoconnect yes
# nmcli connection up team0
# nmcli connection up team0-p1
# nmcli connection up team0-p2
# teamdctl team0 state
[Ping each other to check the task]
SMTP Configuration
Configure the SMTP mail service on both systems so that it relays mail only from the local system through smtpX.example.com; all outgoing mail must have example.com as its sender domain. Ensure that mail is not stored locally. Verify that the mail server works by sending mail to the [email protected] user.
Solution:
# yum install postfix -y
# cd /etc/postfix
# vim main.cf    [Show line numbers with the ":set nu" command]
line 75:  myhostname = serverX.example.com
line 84:  mydomain = example.com
line 101: myorigin = $mydomain
line 119: inet_interfaces = localhost
line 168: mydestination =
line 269: mynetworks = 127.0.0.0/8
line 323: relayhost = [smtpX.example.com]
local_transport = error: Disable by Admin.    [Write this line manually at the end of the file]
[In the lab environment, run "lab smtp-nullclient setup" on the client side to receive the mail]
# firewall-cmd --permanent --add-service=smtp
# firewall-cmd --reload
# systemctl enable postfix
# systemctl start postfix
To send mail:
# mail -v [email protected]
Subject: Test mail
Just for test.
.
EOT
To check the mail, just type the "mail" command on the recipient side. [Real time]
In the exam, two links are provided below the question for checking the mail.

SMTP Configuration (server)
Your server system should accept new mail over SMTP from 172.25.X.0/24. All messages not addressed to running on desktop.example.com.
Solution:
# yum install postfix -y
# cd /etc/postfix
# vim main.cf    [Show line numbers with the ":set nu" command]
line 75:  myhostname = serverX.example.com
line 84:  mydomain = example.com
line 101: myorigin = $mydomain
line 119: inet_interfaces = all
line 168: mydestination = $myhostname, localhost.$mydomain, localhost
line 269: mynetworks = 172.25.X.0/24, 127.0.0.0/8
line 323: relayhost = [smtpX.example.com]
local_transport = error: Disable by Admin.    [Write this line manually]
[In the lab environment, run "lab smtp-nullclient setup" on the client side to receive the mail]
# firewall-cmd --permanent --add-service=smtp
# firewall-cmd --reload
# systemctl enable postfix
# systemctl start postfix
To send mail:
# mail -v [email protected]
Subject: Test mail
Just for test.
.
EOT
To check the mail, just type the "mail" command on the recipient side. [Real time]
In the exam, two links are provided below the question for checking the mail.
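Before restarting postfix it is worth confirming that main.cf really has the shape the two tasks above ask for: the null client must not listen on the network or keep local mailboxes, and the LAN server must trust 172.25.X.0/24 without turning into an open relay. The script below is an added example, not part of the original slides. It reads parameters the way postfix does (the last assignment wins; continuation lines are not handled), and the sample files produced by write_sample_main_cf are constructed for this example using the lab's host and network names.

```shell
#!/bin/sh
# Added example (not from the slides): audit a postfix main.cf for the
# null-client and LAN-server shapes. postfix_setting mimics postconf -h
# for a plain key = value file.

# Print the effective value of parameter $2 in main.cf $1 (empty if unset).
postfix_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# Null client: loopback only, no local delivery, everything to relayhost.
# Prints the first problem found and returns 1.
check_null_client() {
    f=$1
    [ "$(postfix_setting "$f" inet_interfaces)" = "localhost" ] \
        || { echo "inet_interfaces must be localhost"; return 1; }
    [ -z "$(postfix_setting "$f" mydestination)" ] \
        || { echo "mydestination must be empty (no local delivery)"; return 1; }
    [ -n "$(postfix_setting "$f" relayhost)" ] \
        || { echo "relayhost is not set"; return 1; }
    case "$(postfix_setting "$f" local_transport)" in
        error:*) ;;
        *) echo "local_transport should be an error: transport"; return 1 ;;
    esac
    echo "null client OK"
}

# LAN server: must trust network $2, but an empty mynetworks or a
# 0.0.0.0/0 entry would relay for the whole Internet.
check_lan_server() {
    f=$1; lan=$2; found=0
    [ "$(postfix_setting "$f" inet_interfaces)" = "all" ] \
        || { echo "inet_interfaces must be all"; return 1; }
    nets=$(postfix_setting "$f" mynetworks | tr ',' ' ')
    [ -n "$nets" ] || { echo "mynetworks is empty"; return 1; }
    for n in $nets; do
        [ "$n" = "$lan" ] && found=1
        [ "$n" = "0.0.0.0/0" ] && { echo "mynetworks trusts 0.0.0.0/0: open relay"; return 1; }
    done
    [ "$found" -eq 1 ] || { echo "mynetworks does not include $lan"; return 1; }
    case "$(postfix_setting "$f" mydestination)" in
        *'$myhostname'*) ;;
        *) echo "mydestination should list \$myhostname"; return 1 ;;
    esac
    echo "LAN server OK"
}

# Constructed sample main.cf: $1 = null | server | open, $2 = output path.
write_sample_main_cf() {
    {
        echo "# constructed sample ($1)"
        echo "myhostname = serverX.example.com"
        echo "mydomain = example.com"
        echo "myorigin = \$mydomain"
        echo "relayhost = [smtpX.example.com]"
        echo "local_transport = error: Disable by Admin."
        case "$1" in
            null)
                echo "inet_interfaces = localhost"
                echo "mydestination ="
                echo "mynetworks = 127.0.0.0/8" ;;
            server)
                echo "inet_interfaces = all"
                echo "mydestination = \$myhostname, localhost.\$mydomain, localhost"
                echo "mynetworks = 172.25.11.0/24, 127.0.0.0/8" ;;
            open)
                echo "inet_interfaces = all"
                echo "mydestination = \$myhostname, localhost.\$mydomain, localhost"
                echo "mynetworks = 0.0.0.0/0" ;;
        esac
    } > "$2"
}
```

On a real host, run `check_null_client /etc/postfix/main.cf` or `check_lan_server /etc/postfix/main.cf 172.25.X.0/24` after editing and before `systemctl restart postfix`; the "open" sample shows the misconfiguration the check is there to catch.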
NFS Server Configuration
1. Share the /nfsshare directory with example.com domain clients only; the share must be writable.
2. Share /nfssecure/protected with krb5p security enabled to secure access to the NFS share. Keytab URL: http://classroom.example.com/pub/keytabs/serverX.keytab
3. Create a directory named protected under /nfssecure. The exported directory should have read/write access from all subdomains of example.com. Ensure that the directory /nfssecure/protected is owned by the user harry with read/write permissions.
4. Mount both directories on desktopX.example.com.
[In the exam there is no need to create any user for NFS; the user name is provided]
Requirements:
# lab nfskrb5 setup    [For the lab environment only]
In the exam, three packages have to be installed for this configuration:
1. sssd
2. authconfig-gtk
3. krb5-workstation
NFS Server Configuration
Answer (Normal Share):
# mkdir /nfsshare
# vim /etc/exports
/nfsshare 172.25.X.0/24(rw)
# exportfs -ra
# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --reload
# systemctl enable nfs-server.service
# systemctl start nfs-server.service
# showmount -e 172.25.X.X    [To show the shared directories]
Common Mistakes:
1. Network address entry in the exports file with proper permissions (no space between the client and its options: "client (rw)" exports read-only to everyone).
2. Execute the "exportfs -ra" command.
3. Allow in the firewall.
4. Enable and start the proper service.

NFS Mount (Normal Share)
# yum install nfs-utils -y
[Create the mount point where they want it]
# mkdir /public
# vim /etc/fstab
serverX.example.com:/nfsshare /public nfs defaults 0 0
[Save & Exit]
# mount -a
# df -h    [To show the mounted directories]
Common Mistakes:
1. Source directory entry in fstab.
NFS Server Configuration
Answer (Secure Share):
# mkdir -p /nfssecure/protected
# vim /etc/exports
/nfssecure/protected 172.25.X.0/24(sec=krb5p,rw)
# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/serverX.keytab
# exportfs -ra
# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --reload
# systemctl enable nfs-secure-server.service
# systemctl start nfs-secure-server.service
# showmount -e 172.25.X.X    [To show the shared directories]
Common Mistakes:
1. Network address entry in the exports file with proper permissions.
2. Execute the "exportfs -ra" command.
3. Download the keytab properly.
4. Allow in the firewall.
5. Enable and start the proper service.
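The "Common Mistakes" lists above both start with the /etc/exports entry, and the classic error is a stray space between the client and its options, which exports the directory to the world. The script below is an added example, not part of the original slides: it parses /etc/exports with the syntax exportfs uses (`/path client(opt,opt) client(opt,opt)`), answers whether a given client has a given option, and flags exports that are wider than the two tasks ask for. The sample file written by write_sample_exports is constructed for this example with the lab's network; the /nfssecure prefix check is specific to the secure-share task above.

```shell
#!/bin/sh
# Added example (not from the slides): audit /etc/exports entries.

# List "client|options" pairs for exported path $2 in file $1, one per
# line. A field without parentheses is a client with default options; a
# bare "(opts)" field (client omitted because of a space) applies to all.
exports_entries() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == want {
            for (i = 2; i <= NF; i++) {
                n = index($i, "(")
                if (n == 0) print $i "|"
                else print substr($i, 1, n - 1) "|" substr($i, n + 1, length($i) - n - 1)
            }
        }' "$1"
}

# Does the export of path $2 to client $3 carry option $4 (rw, sec=krb5p, ...)?
exports_has_option() {
    exports_entries "$1" "$2" | awk -F'|' -v c="$3" -v o="$4" '
        $1 == c { n = split($2, opts, ","); for (i = 1; i <= n; i++) if (opts[i] == o) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print one line per risky entry in exports file $1; return 1 if any.
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF == 1 { print $1 ": no client listed (exported world-wide)"; bad = 1; next }
        {
            for (i = 2; i <= NF; i++) {
                split($i, p, "(")
                if (p[1] == "*" || p[1] == "")
                    { print $1 ": exported to everyone (" $i ")"; bad = 1 }
                if ($i ~ /no_root_squash/)
                    { print $1 ": no_root_squash lets a remote root act as root here"; bad = 1 }
                if ($i ~ /insecure/)
                    { print $1 ": insecure accepts requests from non-privileged ports"; bad = 1 }
                if ($1 ~ /^\/nfssecure/ && $i !~ /sec=krb5/)
                    { print $1 ": secure share exported without sec=krb5*"; bad = 1 }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample: the two exam entries plus two mistakes to be flagged.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample exports file
/nfsshare 172.25.11.0/24(rw)
/nfssecure/protected 172.25.11.0/24(sec=krb5p,rw)
/tmp/leak *(rw,no_root_squash)
/srv/oops 172.25.11.0/24 (rw)
EOF
}
```

Run `audit_exports /etc/exports` before `exportfs -ra`; the /srv/oops line in the sample is the "space before the parentheses" mistake and is reported as exported to everyone.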
NFS Mount (Secure Share)
# yum install nfs-utils -y
[Create the mount point where they want it]
# mkdir -p /secure/protected
# vim /etc/fstab
serverX.example.com:/nfssecure/protected /secure/protected nfs sec=krb5p,defaults 0 0
# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab
# systemctl enable nfs-secure.service
# systemctl start nfs-secure.service
# mount -a
# df -h    [To show the mounted directories]
Common Mistakes:
1. Source directory and mounting method entry in fstab.
2. krb5 keytab file download mismatch.
3. Enable the proper service.
Shared Directory Ownership
We can do it in two different ways:
1. Give ownership of the directory to the mentioned user:
# chown harry /secure
2. ACL (preferable):
# setfacl -m u:harry:rwx /secure
# getfacl /secure    [To check the ACL]
Samba Configure (Single User)
Share the /sambadir directory via SMB on serverX:
1. Your samba server must be a member of the TESTGROUP workgroup.
2. The share name must be data.
3. The data share must be available to content.com domain clients only.
4. The data share must be browseable.
5. Susan must have read access to the share, authenticating with the same password if necessary.
Answer:
# yum install samba -y
# yum install samba-client -y
# mkdir /sambadir
[Apply the SELinux context to the directory; "man semanage-fcontext" shows the syntax]
# semanage fcontext -a -t samba_share_t "/sambadir(/.*)?"
# restorecon -R -v /sambadir
# ls -ldZ /sambadir    [To check the context]
[Create the smb user with an smb password]
# useradd -s /sbin/nologin susan
# smbpasswd -a susan
# vim /etc/samba/smb.conf
[in the [global] section]
workgroup = TESTGROUP
hosts allow = 172.25.0.
[data]
path = /sambadir
valid users = susan
# testparm -s
# systemctl enable smb nmb
# systemctl start smb nmb
# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload
Samba Configure (Multi User)
Share the /opstack directory via SMB on serverX:
1. The share name must be cluster.
2. The user frankenstain has read and write access to the /opstack SMB share.
3. The user martin has read access to the /opstack SMB share.
4. Both users should have the SMB password "SaniTago".
5. The samba server must be a member of the TESTGROUP workgroup.
Answer:
# yum install samba -y
# yum install samba-client -y
# mkdir /opstack
[Apply the SELinux context to the directory; "man semanage-fcontext" shows the syntax]
# semanage fcontext -a -t samba_share_t "/opstack(/.*)?"
# restorecon -R -v /opstack
# ls -ldZ /opstack    [To check the context]
[Create the smb users with smb passwords]
# useradd -s /sbin/nologin frankenstain
# smbpasswd -a frankenstain
# useradd -s /sbin/nologin martin
# smbpasswd -a martin
# vim /etc/samba/smb.conf
[in the [global] section]
workgroup = TESTGROUP
hosts allow = 172.25.0.
[cluster]
path = /opstack
valid users = frankenstain, martin
write list = frankenstain
# testparm -s
# systemctl enable smb nmb
# systemctl start smb nmb
# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload

Samba Test
# smbclient //serverX.example.com/data -U susan
# smbclient //serverX.example.com/cluster -U frankenstain
# smbclient //serverX.example.com/cluster -U martin
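testparm -s only checks that smb.conf parses; it does not tell you whether the share grants exactly what the task asked for (valid users set, the write list limited to frankenstain, a hosts allow in force, no guest access). The script below is an added example, not from the slides: a small INI reader for smb.conf that compares parameter names the way samba does (case-insensitive, spaces ignored, so "hosts allow" and "hostsallow" are the same) and an audit of one share. The sample file written by write_sample_smb_conf is constructed for this example; its [scratch] share exists only to show what the audit reports.

```shell
#!/bin/sh
# Added example (not from the slides): read and audit smb.conf shares.

# Print the value of parameter $3 in section $2 of smb.conf $1 (empty if
# absent). '#' and ';' lines are comments; the last assignment wins.
smb_get() {
    awk -v sec="$2" -v key="$3" '
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        BEGIN { key = norm(key) }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == sec {
            eq = index($0, "=")
            if (eq && norm(substr($0, 1, eq - 1)) == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# Is name $1 present in the comma/space separated samba list $2?
in_list() {
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Audit share $2 in smb.conf $1: prints one line per finding, returns 1
# if any. Checks: valid users present, write list within valid users,
# hosts allow set on the share or in [global], no guest access.
smb_share_audit() {
    f=$1; share=$2; bad=0
    valid=$(smb_get "$f" "$share" "valid users")
    [ -n "$valid" ] || { echo "$share: no 'valid users' (any samba account may connect)"; bad=1; }
    for w in $(smb_get "$f" "$share" "write list" | tr ',' ' '); do
        in_list "$w" "$valid" || { echo "$share: write list user $w is not in valid users"; bad=1; }
    done
    allow=$(smb_get "$f" "$share" "hosts allow")
    [ -n "$allow" ] || allow=$(smb_get "$f" global "hosts allow")
    [ -n "$allow" ] || { echo "$share: no 'hosts allow' on the share or in [global]"; bad=1; }
    for k in "guest ok" "public"; do
        case "$(smb_get "$f" "$share" "$k" | tr 'A-Z' 'a-z')" in
            yes|true|1) echo "$share: '$k' is enabled (unauthenticated access)"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample smb.conf: the exam's [cluster] share plus a bad one.
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
# constructed sample smb.conf
[global]
    workgroup = TESTGROUP
    hosts allow = 172.25.0.
[cluster]
    path = /opstack
    valid users = frankenstain, martin
    write list = frankenstain
[scratch]
    path = /tmp/scratch
    guest ok = yes
    write list = nobody
EOF
}
```

On the server, `smb_share_audit /etc/samba/smb.conf cluster` should print nothing and return 0 after the edit above; a non-empty report means the share is wider than the task asked for.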
Samba Mount (Multi User)
1. Mount the samba share /opstack permanently at /mnt/smbspace on the desktop as a multiuser mount.
2. The samba share should be mounted with the credentials of frankenstain.
Answer:
# yum install samba-client -y
# yum install cifs-utils -y
# mkdir -p /mnt/smbspace
# vim /root/pass.txt
username=frankenstain
password=SaniTago
[The file holds the password in clear text; restrict it to root, e.g. chmod 600 /root/pass.txt]
# vim /etc/fstab
//serverX.example.com/cluster /mnt/smbspace cifs credentials=/root/pass.txt,multiuser,sec=ntlmssp 0 0
# mount -a
# df -h
Webserver Configuration
Implement a webserver for the site http://serverX.example.com. Download the page from http://classroom.example.com/pub/rhce/rhce.html, rename the file to index.html and copy it into the document root. Do not modify the content of index.html. Clients within rny22ilt.org should not be able to access the webserver on your systems.
Answer:
# yum install httpd -y
# cd /var/www/html
# wget http://classroom.example.com/pub/rhce/rhce.html
# mv rhce.html index.html
# firewall-cmd --permanent --add-service=http
# firewall-cmd --reload
# systemctl enable httpd.service
# systemctl start httpd.service
# curl http://serverX.example.com
Virtual Hosting
Set up a virtual host with an alternate document root. Extend your web server to include a virtual host for the site http://wwwX.example.com. Set the document root to /usr/local/vhosts. Download http://classroom.example.com/pub/rhce/vhost.html, rename it to index.html and place it in the document root of the virtual host. Note: the other websites configured on your server must still be accessible.
Answer:
# mkdir -p /usr/local/vhosts
[Apply the SELinux context to the directory; "man semanage-fcontext" shows the syntax]
# semanage fcontext -a -t httpd_sys_content_t "/usr/local/vhosts(/.*)?"
# restorecon -R -v /usr/local/vhosts
# ls -ldZ /usr/local/vhosts    [To check the context]
# cd /usr/local/vhosts
# wget http://classroom.example.com/pub/rhce/www.html
# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/
# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName serverX.example.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/usr/local/vhosts"
    ServerName wwwX.example.com
    <Directory "/usr/local/vhosts">
        Require all granted
    </Directory>
</VirtualHost>
[The <Directory> block: copy these four lines from the /var/www/html block in /etc/httpd/conf/httpd.conf, paste them below the vhost configuration and change the path]
# httpd -t    [To check the configuration file for syntax errors]
# systemctl restart httpd.service
[Open wwwX.example.com in a browser to test the virtual host]
Restricted Webpage
Implement the website http://serverX.content.com/owndir. Create a directory named "owndir" under the document root of the webserver. Download http://station.networkO.content.com/pub/rhce/restrict.html and rename the file to index.html. The content of owndir should be visible to everyone browsing from your local system but must not be accessible from any other location.
Answer:
# mkdir -p /var/www/html/owndir
[Apply the SELinux context to the directory; "man semanage-fcontext" shows the syntax]
# semanage fcontext -a -t httpd_sys_content_t "/var/www/html/owndir(/.*)?"
# restorecon -R -v /var/www/html/owndir
# cd /var/www/html/owndir
# wget http://classroom.example.com/pub/rhce/secure.html
# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html/owndir">
    Require host serverX.example.com
</Directory>
# httpd -t
# systemctl restart httpd.service
Secured Webserver
Configure the website https://serverX.content.com with TLS (SSLCertificate files):
1. TLS certificate: http://classroom.example.com/pub/tls/certs/webappX.crt
2. TLS private key: http://classroom.example.com/pub/tls/private/webappX.key
3. TLS CA certificate: http://classroom.example.com/pub/example-ca.crt
Answer:
# yum install mod_ssl -y
# cd /etc/pki/tls/certs
# wget http://classroom.example.com/pub/tls/certs/webappX.crt http://classroom.example.com/pub/example-ca.crt
# cd /etc/pki/tls/private
# wget http://classroom.example.com/pub/tls/private/webappX.key
All .crt files are downloaded under certs and the .key file under the private directory.
# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    ServerName serverX.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/webappX.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>
# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload
# httpd -t
# systemctl restart httpd.service
Dynamic Webserver Configuration (WSGI)
Configure the website http://serverX.example.com:8961 on system1 with the document root /srv/webapp. The site should execute webapp.wsgi.
Answer:
[lab webapp setup]
# yum install mod_wsgi -y
# mkdir -p /srv/webapp
[Apply the SELinux context to the directory; "man semanage-fcontext" shows the syntax]
# semanage fcontext -a -t httpd_sys_content_t "/srv/webapp(/.*)?"
# restorecon -R -v /srv/webapp
# cp /home/student/webapp.wsgi /srv/webapp/
# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    ServerName webappX.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/webappX.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
    WSGIScriptAlias / /srv/webapp/webapp.wsgi
    <Directory "/srv/webapp">
        Require all granted
    </Directory>
</VirtualHost>
Webserver Logical Port Change
Run your https webserver on port 8989/tcp.
Answer:
# semanage port -l | grep http
# semanage port -a -t http_port_t -p tcp 8989
# firewall-cmd --permanent --add-port=8989/tcp
# firewall-cmd --reload
# vim /etc/httpd/conf.d/ssl.conf
Listen 8989 https
<VirtualHost _default_:8989>
    ServerName webappX.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/webappX.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>
# systemctl restart httpd.service
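The three ssl.conf fragments above all use `SSLProtocol all -SSLv2 -SSLv3`, which passes the exam but still leaves TLS 1.0 and 1.1 enabled, and `HIGH:MEDIUM` admits the MEDIUM group, which on the OpenSSL 1.0.x shipped with RHEL 7 includes RC4. The script below is an added example, not part of the slides: it resolves an SSLProtocol line the way mod_ssl does (tokens are added or removed left to right, `all` expands to every protocol the build knows) and reports what a fragment actually enables. Assumption, stated in the code: `all` is taken to be SSLv3 TLSv1 TLSv1.1 TLSv1.2, the set of the httpd 2.4.6 build named by the cp path above; newer builds add TLSv1.3. The sample fragments written by write_sample_ssl_conf are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): resolve SSLProtocol and audit an
# ssl.conf fragment for weak protocol and cipher settings.

# Assumption: what "all" expands to for httpd 2.4.6 / OpenSSL 1.0.x on
# RHEL 7 (SSLv2 is not compiled in). Adjust for other builds.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Print the protocols an SSLProtocol argument string enables, space
# separated, in ALL_PROTOCOLS order. "name"/"+name" adds, "-name" removes.
ssl_effective_protocols() {
    enabled=" "
    for tok in $1; do
        case "$tok" in
            -all)      enabled=" " ;;
            all|+all)  enabled=" $ALL_PROTOCOLS " ;;
            -*)        name=${tok#-}; new=" "
                       for p in $enabled; do [ "$p" = "$name" ] || new="$new$p "; done
                       enabled=$new ;;
            *)         name=${tok#+}
                       case "$enabled" in *" $name "*) ;; *) enabled="$enabled$name " ;; esac ;;
        esac
    done
    out=""
    for p in $ALL_PROTOCOLS; do
        case "$enabled" in *" $p "*) out="$out$p " ;; esac
    done
    printf '%s\n' "${out% }"
}

# Audit file $1: one line per finding, return 1 if any. Flags SSLv2/SSLv3
# and TLS 1.0/1.1 left enabled, a cipher string that does not exclude
# anonymous suites, and one that admits the MEDIUM group.
ssl_conf_audit() {
    bad=0
    protos=$(awk 'tolower($1) == "sslprotocol" { $1 = ""; line = $0 } END { print line }' "$1")
    for p in $(ssl_effective_protocols "$protos"); do
        case "$p" in
            SSLv2|SSLv3)   echo "$p enabled: broken protocol"; bad=1 ;;
            TLSv1|TLSv1.1) echo "$p enabled: deprecated, prefer TLSv1.2 only"; bad=1 ;;
        esac
    done
    ciphers=$(awk 'tolower($1) == "sslciphersuite" { c = $2 } END { print c }' "$1")
    case ":$ciphers:" in
        *":!aNULL:"*) ;;
        *) echo "SSLCipherSuite does not exclude anonymous (aNULL) suites"; bad=1 ;;
    esac
    case ":$ciphers:" in
        *":MEDIUM:"*) echo "SSLCipherSuite admits MEDIUM suites (RC4 on OpenSSL 1.0.x)"; bad=1 ;;
    esac
    [ "$bad" -eq 0 ]
}

# Constructed sample: $1 = page (the slides' settings) | hardened, $2 = path.
write_sample_ssl_conf() {
    {
        echo "<VirtualHost _default_:443>"
        echo "    ServerName serverX.example.com"
        echo "    SSLEngine on"
        if [ "$1" = page ]; then
            echo "    SSLProtocol all -SSLv2 -SSLv3"
            echo "    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5"
        else
            echo "    SSLProtocol -all +TLSv1.2"
            echo "    SSLCipherSuite HIGH:!aNULL:!MD5"
        fi
        echo "    SSLCertificateFile /etc/pki/tls/certs/webappX.crt"
        echo "</VirtualHost>"
    } > "$2"
}
```

`ssl_conf_audit /etc/httpd/conf.d/ssl.conf` on the exam configuration reports TLSv1, TLSv1.1 and MEDIUM; the hardened sample (`-all +TLSv1.2`, `HIGH:!aNULL:!MD5`) passes clean.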
Script # 01
Create a script on serverX called /root/random with the following details:
1. When run as /root/random foo, it should print "bar".
2. When run as /root/random bar, it should print "foo".
3. When run with any other argument or without an argument, it should print the message "Type foo or bar".
Answer:
# vim /root/random
#!/bin/bash
case "$1" in
    foo) echo "bar" ;;
    bar) echo "foo" ;;
    *)   echo "Type foo or bar" ;;
esac
# chmod +x /root/random
# /root/random foo    [To check the script]
# /root/random bar    [To check the script]

Script # 02
Create a script on serverX called /root/createusers with the following details:
1. When run as /root/createusers testfile, it should add all the users from the downloaded file (http://serverX.example.com/testfile). All users should have the login shell /bin/false; no password is required.
2. When the script is run with any other argument, it should print the message "Input File Not Found".
3. When run without any argument, it should display "Usage: /root/createusers".
NOTE: If the users are added, there is no need to delete them.
[For the lab environment, create a file with user names; the file name should be testfile]
Answer:
# vim testfile    [Write the user name list; only for the lab]
# vim /root/createusers
#!/bin/bash
# testfile: add every name listed in the file; no argument: usage;
# anything else: the input file was not found.
case "$1" in
    testfile)
        for user in $(cat "$1"); do
            echo "Adding user: $user"
            useradd -s /bin/false "$user"
        done ;;
    "") echo "Usage: /root/createusers" ;;
    *)  echo "Input File Not Found" ;;
esac
# chmod +x /root/createusers
# /root/createusers testfile    [To check the script]
# /root/createusers    [Enter; to check the script]
# /root/createusers [wrong value]    [To check the script]
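The exam answer above feeds each line of testfile straight to useradd, so whoever can write that file decides what useradd is called with. The script below is an added example, not the author's answer: it keeps the three behaviours the task asks for (add users, "Input File Not Found", usage message) but accepts any readable file rather than only the literal name testfile, ignores blank and comment lines, and validates each name against the conventional login-name pattern before useradd sees it, so a line such as "-o" cannot become an option. The USERADD variable is a constructed hook that lets the script run in a dry-run mode without root; all other names are the task's own.

```shell
#!/bin/bash
# Added example (not the slides' answer): a hardened /root/createusers.
# USERADD may be overridden (e.g. USERADD=echo) for a dry run.
USERADD=${USERADD:-useradd}

# Accept only a conventional Linux login name: lower-case letter or
# underscore first, then up to 31 of [a-z0-9_-]; never an option-looking
# token.
valid_username() {
    case "$1" in
        -*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Add every user named in file $1 (one per line; blank lines and '#'
# comments ignored). Prints each name that was added and returns 1 if
# any line was rejected or useradd failed.
add_users_from_file() {
    file=$1
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%#*}                                  # strip comments
        name=$(printf '%s' "$name" | tr -d '[:space:]')   # and whitespace
        [ -z "$name" ] && continue
        if ! valid_username "$name"; then
            printf 'Skipping invalid name: %s\n' "$name" >&2
            rejected=$((rejected + 1))
            continue
        fi
        if "$USERADD" -s /bin/false "$name"; then
            printf '%s\n' "$name"
        else
            printf 'useradd failed for %s\n' "$name" >&2
            rejected=$((rejected + 1))
        fi
    done < "$file"
    [ "$rejected" -eq 0 ]
}

# Entry point: usage (status 2), missing file (status 1), otherwise add.
createusers() {
    if [ $# -eq 0 ]; then
        echo "Usage: /root/createusers <file>"
        return 2
    fi
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "Input File Not Found"
        return 1
    fi
    add_users_from_file "$1"
}

# Run as a command when arguments are given; when sourced, only the
# functions are defined.
if [ $# -gt 0 ]; then
    createusers "$@"
fi
```

A dry run on a test list is `USERADD=echo ./createusers testfile`; with the real useradd the script must be run as root, exactly as the exam version.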
iSCSI (Target) Configuration
Create a new 3GB LVM target on your serverX.example.com. The block device name should be data. The server should export an iSCSI disk called iqn.2014-10.com.example:serverX. The LVM name should be /dev/iscsivg/iscsilv.
Answer:
# fdisk -l
# fdisk /dev/vdb    [Create a 3300MB partition for LVM]
# partprobe
# pvcreate /dev/vdb1
# vgcreate iscsivg /dev/vdb1
# lvcreate -L 3072M -n iscsilv iscsivg
# lvdisplay    [To display the path]
# yum install targetcli -y
# systemctl enable target
# systemctl start target
# targetcli
/> backstores/block create data /dev/iscsivg/iscsilv
/> iscsi/ create iqn.2014-10.com.example:serverX
/> iscsi/iqn.2014-10.com.example:serverX/tpg1/acls create iqn.2014-10.com.example:desktopX
/> iscsi/iqn.2014-10.com.example:serverX/tpg1/luns create /backstores/block/data
/> iscsi/iqn.2014-10.com.example:serverX/tpg1/portals create 172.25.1.11
/> ls
/> saveconfig
/> exit
# firewall-cmd --permanent --add-port=3260/tcp
# firewall-cmd --reload
iSCSI (Initiator) Configuration
serverX.example.com provides an iSCSI target called iqn.2014-10.com.example:serverX on port 3260/tcp. Connect the disk to the client and configure a filesystem with the following requirements:
1. Create a 3GB partition on the iSCSI block device and format it as ext3.
2. Mount the volume under /mnt/initiator at system boot time.
3. The file system should contain a copy of http://classroom.example.com/pub/iscsi.txt.
4. The file should be owned by root with 0644 permissions.
Answer:
# yum install iscsi-initiator-utils -y
# vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-10.com.example:desktopX
# systemctl enable iscsi
# systemctl start iscsi
# iscsiadm --mode discovery --type sendtargets --portal 172.25.X.X --discover
# iscsiadm --mode node --targetname iqn.2014-10.com.example:serverX --portal 172.25.X.X:3260 --login
[For the two commands above, see the man page: "man iscsiadm"]
# fdisk -l
# fdisk /dev/sda    [Create a 3GB partition]
# partprobe
# mkfs.ext3 /dev/sda1
# blkid /dev/sda1    [To show the UUID of /dev/sda1]
# mkdir /mnt/initiator
# vim /etc/fstab
UUID=c9213938-6753-4001-b939-4b5720c8ec5e /mnt/initiator ext3 _netdev 0 0
# mount -a
# cd /mnt/initiator
# wget http://classroom.example.com/pub/iscsi.txt
# chown root iscsi.txt
# chmod 0644 iscsi.txt
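The NFS, Samba and iSCSI tasks all end with an /etc/fstab line, and each has its own way to go wrong: the secure NFS mount must carry sec=krb5p, the cifs mount must keep its password in a credentials file that only root can read (never password= in fstab, which is world-readable), and the iSCSI filesystem must carry _netdev so that the mount waits for the network at boot. The script below is an added example, not part of the slides: it checks an fstab for exactly those three points before `mount -a`. The sample fstab and credentials file are constructed for this example from the entries used above; the mount point that lives on the iSCSI disk is passed in, because fstab itself does not say which block devices are remote.

```shell
#!/bin/sh
# Added example (not from the slides): audit fstab entries for the NFS,
# cifs and iSCSI mounts configured in this session.

# Does comma-separated option string $1 contain option $2?
fstab_has_opt() {
    for o in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$o" = "$2" ] && return 0
    done
    return 1
}

# Permission bits of a file as "-rw-------" text (portable, unlike stat -c).
file_mode() { ls -ld "$1" | cut -c1-10; }

# Audit fstab $1; $2 is the mount point that sits on the iSCSI disk.
# Prints one line per finding and returns 1 if anything was found.
audit_fstab() {
    bad=0
    while read -r src mnt fstype opts rest; do
        case "$src" in ''|\#*) continue ;; esac
        if [ "$mnt" = "$2" ] && ! fstab_has_opt "$opts" _netdev; then
            echo "$mnt: network block device mounted without _netdev"; bad=1
        fi
        case "$fstype" in
            nfs|nfs4)
                case "$src" in
                    *:/nfssecure*)
                        fstab_has_opt "$opts" sec=krb5p \
                            || { echo "$mnt: secure NFS export mounted without sec=krb5p"; bad=1; } ;;
                esac ;;
            cifs)
                case ",$opts," in
                    *,password=*) echo "$mnt: password= in fstab is readable by every user"; bad=1 ;;
                esac
                cred=$(printf '%s' "$opts" | tr ',' '\n' | sed -n 's/^credentials=//p')
                if [ -z "$cred" ]; then
                    echo "$mnt: cifs entry has no credentials= file"; bad=1
                elif [ ! -f "$cred" ]; then
                    echo "$mnt: credentials file $cred does not exist"; bad=1
                elif [ "$(file_mode "$cred")" != "-rw-------" ]; then
                    echo "$mnt: $cred should be mode 0600 (is $(file_mode "$cred"))"; bad=1
                fi ;;
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample fstab: $1 = output path, $2 = cifs credentials file.
write_sample_fstab() {
    cat > "$1" <<EOF
# constructed sample fstab
UUID=c9213938-6753-4001-b939-4b5720c8ec5e /mnt/initiator ext3 _netdev 0 0
serverX.example.com:/nfsshare /public nfs defaults 0 0
serverX.example.com:/nfssecure/protected /secure/protected nfs sec=krb5p,defaults 0 0
//serverX.example.com/cluster /mnt/smbspace cifs credentials=$2,multiuser,sec=ntlmssp 0 0
EOF
}
```

On the desktop, `audit_fstab /etc/fstab /mnt/initiator` prints nothing when the entries above are correct and /root/pass.txt is mode 0600.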
MariaDB # 1
Restore a database on serverX from the URL http://classroom.content.com/pub/rhce/backup.mdb
1. The database name should be Contacts.
2. It should be accessible only within localhost. [Most important]
3. Set the password for the root user to "Postroll".
4. Other than the root user, the user andrew should be able to read, write, update and delete in the above database. [andrew is a local user]
5. The user should authenticate with the password "Postroll".
Answer:
# yum groupinstall mariadb -y
# yum groupinstall mariadb-client -y
# systemctl enable mariadb.service
# systemctl start mariadb.service
# mysql_secure_installation    [Enter / Y / New password: Postroll / Y / Y / Y / Y]
Database create command:
# mysql -u root -p
MariaDB [(none)]> create database Contacts;
MariaDB [(none)]> exit
Database backup (restore):
# wget http://content.example.com/courses/rhce/rhel7.0/materials/mariadb/mariadb.dump
# mysql -u root -p Contacts < mariadb.dump
Enter password: Postroll
Only for checking:
# mysql -u root -p
Enter password: [******]
MariaDB [(none)]> show databases;
MariaDB [(none)]> use Contacts;
MariaDB [Contacts]> show tables;
MariaDB [Contacts]> exit
User create:
# mysql -u root -p
Enter password: [******]
MariaDB [(none)]> create user andrew@localhost identified by 'Postroll';
MariaDB [(none)]> grant select on Contacts.* to andrew@localhost;
MariaDB [(none)]> create user steve@'%' identified by 'Postroll';
MariaDB [(none)]> grant insert,update,delete on Contacts.* to steve@'%';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
# mysql -u steve -p
MariaDB [(none)]> use Contacts;
# firewall-cmd --permanent --add-service=mysql
# firewall-cmd --reload
# vim /etc/my.cnf
[mysqld]
skip-networking=1
# systemctl restart mariadb.service
If the question says it should be accessible only within localhost, this file must be edited.