RHCE Update

November 10, 2017 | Author: Mahbub Afzal Khan | Category: I Pv6, Web Server, Secure Shell, Technology, World Wide Web
Share Embed Donate


Short Description

upd...

Description

Red Hat Certified Engineer Exam Preparation Session RHEL 7 Md. Shah Alam (Shohag) CCNP (Route)|| CCNA Security || CCNA R&S || RHCE | | RHCSA on RHEL-7

Cell: +880 1914486186

Sr. Systems Specialist MetroNet Bangladesh Ltd.

Configure Repository 

Create repository for system1 and system2. You can use this URL for your repository: http://classroom.example.com/content/rhel7.0/x86_64/dvd

Answer: #cd /etc/yum.repos.d (Show with “ls” command and delete previous repo) #vim yum.repo [repo name is user define] [rhce] name=repo for rhce exam baseurl=http://classroom.example.com/pub/x86_64/server enabled=1 gpgcheck=0 [Save & Exit] # yum update -y

2

Configure SELinux 

Configure System-1 and System-2 that should be running in Enforcing mode.

Answer: # vim /etc/selinux/config SELINUX=enforcing (Be careful about this change) (Save and Exit) # reboot [You can check this with “getenforce” command] # getenforce

Enforcing

3

SSH Configuration

4



Configure SSH access on your both hosts (System-1 and System-2) as follows. Clients within rny22ilt.org should not have access to ssh on your hosts.



Answer:

# yum install openssh –y # systemctl enable sshd

# systemctl start sshd # firewall-cmd - - permanent - - add-service=ssh # firewall-cmd - - reload # systemctl restart sshd.service

--------------------(SSH service access control for rny22ilt.org)-----------------# firewall-config [After execute this command graphical window will appear, rest of the task you can do graphically]

For check the firewall list execute bellow command: # firewall-cmd - - list - - all

Configure Port Forwarding Configure system1 to forward traffic incoming on port 80/tcp from source network 172.25.11.0/24 or 172.25.11.0 / 255.255.255.0 to port on 5243/tcp

Answer: # firewall-config

5

Customize User Environment 

Create a command called “qstat” on both systems (System-1 and System2). It should be able to execute the followings.

(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm) Answer: # vim /etc/bashrc [ Go to bellow the file and write]

qstat ( ) { ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm } [save and exit]

# source /etc/bashrc [Type bellow command for check] # qstat

6

Configure IP Address (IPv6) 

Configure eth0 interface with static ipv6 address on both systems and able to communicate within the network. System-1: 2001:123::1/64 System-2: 2001:123::2/64

Both systems are able to communicate within the network 2001:123::/64

Both systems should be maintain the current IPv4 address and changes should be permanent even after the reboot. Answer: [for System-1] #nmcli connection modify eth0ipv6.address ‘2001:123::1/64’ connection.autoconnect yes ipv6.method manual

#nmcli connection up eth0 #ping6 2001:123::1 [Above configuration will also in system-2, only ipv6 address will be change] [For check the configuration ping each other]

7

Link Aggregation 

8

Configure syatem-1 and syatem-2 with eth0 and eth1 which watches for link changes. Selects an active port for data transfers.

System-1 IP address: 192.168.X.10/24 and System-2 IP address: 192.168.X.11/24

Answer: # lab teambridge setup (Not in exam only for lab environment) # nmcli connection show

(For show the connection)

# nmcli connection add con-name team0 type team ifname team0 config ‘{“runner”:{“name”:”activebackup”}}’ # nmcli connection add con-name team0-p1 type team-slave ifname eno1 mater team0 # nmcli connection add con-name team0-p2 type team-slave ifname eno2 master team0 # nmcli connection modify team0 ipv4.address 192.168.X.10/24 ipv4.method manual connection.autoconnect yes # nmcli connection up team0 # nmcli connection up team0-p1 # nmcli connection up team0-p2 # teamdctl team0 state [Ping each other for check the task]

SMTP Configuration

9

Configure SMTP mail service on both systems which relay the mail only from local system through smtpX.example.com, all outgoing mail have their sender domain as example.com. Ensure the mail should not store locally. Verify the mail server is working by sending mail to [email protected] user. Solution: # yum install postfix –y #cd /etc/postfix

# vim main.cf [set line number with “set nu” command] 75. myhostname = serverX.example.com 84. mydomain = example.com 101. myorigin = $mydomain 119. inet_interfaces = localhost 168. mydestination = 269. mynetworks = 127.0.0.0/8 323. relayhost = [smtpX.example.com] local_transport = error: Disable by Admin. [Write it manually] In lab environment you have to type #lab smtp-nullclient setup at client side for receive the mail

Continue



SMTP Configuration # firewall-cmd - - permanent - - add-service=smtp # firewall-cmd - - reload # systemct enable postfix

# systemctl start postfix For send mail: # mail –v [email protected] Subject: Test mail Just for test. . EOT For check the mail:

Just type “mail” command at recipient site. [Real Time] In exam time for check the mail, they will provide two links bellow the question.

10

SMTP Configuration

11

Your server system should accept new mail over smtp from the 172.25.X.0/24. All messages not addressed to running on desktop.example.com. Solution: # yum install postfix –y #cd /etc/postfix # vim main.cf [set line number with “set nu” command]

75. myhostname = serverX.example.com 84. mydomain = example.com 101. myorigin = $mydomain 119. inet_interfaces = all 168. mydestination = $myhostname, localhost.mydomain, localhost

269. mynetworks = 172.25.X.0/24, 127.0.0.0/8 323. relayhost = [smtpX.example.com] local_transport = error: Disable by Admin. [Write it manually] In lab environment you have to type #lab smtp null-client setup at client side for receive the mail



Continue

SMTP Configuration # firewall-cmd - - permanent - - add-service=smtp # firewall-cmd - - reload # systemct enable postfix

# systemctl start postfix For send mail: # mail –v [email protected] Subject: Test mail Just for test. . EOT For check the mail:

Just type “mail” command at recipient site. [Real Time] In exam time for check the mail, they will provide two links bellow the question.

12

NFS Server Configuration

13

1.

Share /nfsshare directory within the example.com domain clients only, share must be writable.

2.

Share /nfssecure/protected, enable krb5p security to secure access to the NFS share. Keytab URL http://classroom.example.com/pub/keytabs/serverX.keytab

3.

Create a directory named protected under /nfssecure. The exported directory should have read/write access from all subdomains of the example.com. Ensure the directory /nfssecure/protected should be owned by the user harry with read/write permissions.

4.

Mount both directory at desktopX.example.com.

[ At exam time no need to create any user for NFS, they will create and provide you the user name]

NFS Server Configuration Requirements: # lab nfskrb5 setup [For lab environment only]

In exam time, you have to download three packages for this configuration: 1.

sssd.

2.

Authconfig-gtk

3.

Krb5-workstation

14

NFS Server Configuration Answer: (Normal Share) # mkdir /nfsshare #vim

/etc/exports

/nfsshare #exportfs

Common Mistakes:

15

1. Domain address entry in exports file with proper permissions. 2. Execute “exportfs -ra” command. 3. Allow in firewall 4. Proper service enable and start.

172.25.X.0/24(rw)

-ra

# firewall-cmd - - permanent --add-service=nfs # firewall-cmd - - reload # systemctl enable nfs-server.service # systemctl start nfs-server.service # showmount –e 172.25.X.X [For show the share directory]

NFS Mount (Normal Share) Mount normal Share: # yum install nfs-utils -y

Common Mistakes:

[Create mount point, where they want]

1. Source directory entry in fstab.

# mkdir /public # vim

/etc/fstab

serverX.example.com:/nfsshare

/public nfs defaults 0

[Save & Exit] # mount -a # df -h

[ For show the mounted directory]

0

16

NFS Server Configuration

17

Answer: (Secure Share) # mkdir -p /nfssecure/protected #vim

/etc/exports

/nfssecure/protected

172.25.X.0/24(sec=krb5p,rw)

# wget –O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/serverX.keytab #exportfs

-ra

# firewall-cmd - - permanent --add-service=nfs # firewall-cmd --reload # systemctl enable nfs-secure-server.service

Common Mistakes:

1. Domain address entry in exports file with proper permissions. 2. Execute “exportfs -ra” command. 3. Key download properly. 4. Allow in firewall. 5. Proper service enable and start.

# systemctl start nfs-secure-server.service # showmount –e 172.25.X.X [For show the share directory]

NFS Mount (Secure Share) # yum install nfs-utils -y

[Create mount point, where they want] # mkdir -p /secure/protected

18

Common Mistakes:

1. Source directory and mounting method entry in fstab. 2. krb5 file download mismatch. 3. Enable proper service.

# vim /etc/fstab serverX.example.com: /nfssecure/protected

/secure/protected

nfs sec=krb5p,defaults

0

# wget –O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab # systemctl enable nfs-secure.service # systemctl start nfs-secure.service

# mount -a # df -h

[ For show the mounted directory]

0

Shared Directory Ownership We can do it two different way: 1.

Provide ownership on directory to mention user.

# chown harry 1.

/secure

ACL

# setfacl

-m u:harry:rwx

/secure

# getfacl /secure [For check the ACL]

Preferable

19

Samba Configure (Single User) Share the /sambadir directory via SMB serverX: 1.

Your samba server must be a member of the TESTGROUP workgroup.

2.

The share name must be data.

3.

The data share must be available to content.com domain clients only.

4.

The data share must be browseable.

5.

Susan must have the read access to the share, authenticating with the same password if necessary.

20

Samba Configure (Single User) # yum install samba

-y

# yum install samba-client # mkdir

21

-y

/sambadir

[Apply SELinux context on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t samba_share_t “/sambadir(/.*)?”

# restorecon -R –v /sambadir # ls

-ldZ /sambadir

[For check the context]

[Create smb user with smb password]

# useradd -s /sbin/nologin susan # smbpasswd -a susan

Samba Configure (Single User) # vim

/etc/samba/smb.conf

workgroup = TESTGROUP host allows = 172.25.0. [data] path = /sambadir valid users = susan # testparm -s # systemctl enable smb nmb # systemctl start smb nmb # firewall-cmd - - permanent --add-service=samba # firewall-cmd - - reload

22

Samba Configure (Multi User) Share the /opstack directory via SMB serverX: 1.

The share name must be cluster.

2.

The user frankenstain has readable, writeable access to the /opstack SMB share.

3.

The user martin has the read access to the /opstack SMB share.

4.

Both user should have the SMB password “SaniTago”

5.

The samba server must be a member of the TESTGROUP workgroup.

23

Samba Configure (Multi User) # yum install samba

-y

# yum install samba-client # mkdir

24

-y

/opstack

[Apply SELinux context on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t samba_share_t “/opstack(/.*)?”

# restorecon -R –v /opstack # ls

-ldZ /opstack

[For check the context]

[Create smb users with smb password]

# useradd -s /sbin/nologin frankenstain # smbpasswd -a frankenstain # useradd -s /sbin/nologin martin # smbpasswd -a martin

Samba Configure (Multi User) # vim /etc/samba/smb.conf workgroup = TESTGROUP host allows = 172.25.0. [cluster] path = /opstack valid users = frankenstain, martin write list = frankenstain # testparm -s # systemctl enable smb nmb # systemctl start smb nmb # firewall-cmd - - permanent --add-service=samba # firewall-cmd - - reload

25

Samba Test

# smbclient //serverX.example.com/data -U susan

# smbclient //serverX.example.com/cluster -U frankenstain # smbclient //serverX.example.com/cluster -U martin

26

Samba Mount (Multi User) 1.

Mount the samba share /opstack permanently at /mnt/smbspace on desktop as a multiuser mount.

2.

The Samba share should be mounted with the credentials of frankenstain.

27

Samba Mount (Multi User)

28

Answer: # yum install samba-client -y # yum install cifs-utils -y # mkdir -p /mnt/smbspace # vim /root/pass.txt username=frankenstain password=Sanitago # vim /etc/fstab //serverX.example.com/cluster # mount -a # df -h

/mnt/smbspace

cifs credentials=/root/pass.txt,multiuser,sec=ntlmssp 0

0

Webserver Configuration

29

Implement a webserver for the site http://serverX.example.com. Download the page from http://classroom.example.com/pub/rhce/rhce.html. Rename the file to the index.html. Copy the file into the document root. Do not modify the content of index.html. Clients within rny22ilt.org should not access the webserver on your systems. Answer: # yum install httpd -y # cd /var/www/html # wget http://classroom.example.com/pub/rhce/rhce.html # mv

rhce.html

index.html

# firewall-cmd - - permanent - - add-service=http # firewall-cmd - - reload # systemctl enable httpd.service # systemctl start httpd.service # curl http://serverX.example.com

Virtual Hosting

30

Setup a virtual host with an alternate document root. Extend your web to include a virtual for the site http://wwwX.example.com Set the document root as /usr/local/vhosts Download http://classroom.example.com/pub/rhce/vhost.htrnl - rename it as index.html place this document root of the virtual host Note: The other websites configures for your server must still accessible. Answer: # mkdir -p /usr/local/vhosts [Apply SELinux context on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t httpd_sys_content_t “/usr/local/vhosts(/.*)?” # restorecon -R –v /usr/local/vhosts # ls

-ldZ /usr/local/vhosts

[For check the context]

# cd /usr/local/vhosts #wget http://classroom.example.com/pub/rhce/www.html

Virtual Hosting # cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf # vim /etc/httpd/conf.d/ httpd-vhosts.conf DocumentRoot "/var/www/html" ServerName serverX.example.com

DocumentRoot "/usr/local/vhosts" ServerName wwwX.example.com

/etc/httpd/conf.d/

31

Virtual Hosting #vim /etc/httpd/conf/httpd.conf #vim httpd-vhosts.conf

Require all granted

Copy this four lines from httpd.conf file and paste bellow the vhosts configuration file

Require all granted # httpd -t [For check the syntax error in configuration file] # systemctl restart httpd.service [Write on browser wwwX.example.com for test the vhost server]

32

Restricted Webpage

33

Implement website for http://serverX.content.com/owndir. Create a directory named as "owndir" under the document root of webserver. Download http://station.networkO.content.com/pub/rhce/restrict.htrnl. Rename the file into index.html. The content of the owndir should be visible to everyone browsing from your local system but should not be accessible from other location. Answer: #mkdir -p /var/www/html/owndir [Apply SELinux contect on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t httpd_sys_content_t “/var/www/html/owndir(/.*)?” # restorecon -R –v /var/www/html/owndir #cd owndir #wget http://classroom.example.com/pub/rhce/secure.html

# vim /etc/httpd/conf/httpd.conf Require host serverX.example.com #httpd -t

#systemctl restart httpd.service

Secured Webserver Configure the website https://serverX.content.com with TLS SSLCertificate file. 1.

TLS Certificate:

http://classroom.example.com/pub/tls/certs/webappX.crt 2. TLS private key: http://classroom.example.com/pub/tls/private/webappX.key 3. TLS CA certificate:

http://classroom.example.com/pub/example-ca.crt

34

Secured Webserver

35

Answer: #yum install mod_ssl -y #cd /etc/pki/tls/certs wget http://classroom.example.com/pub/tls/certs/webappX.crt http://classroom.example.com/pub/example-ca.crt #cd /etc/pki/tls/private http://classroom.example.com/pub/tls/private/webappX.key

All .crt files will be download under certs and .key file will download under private directory.

Secured Webserver #vim /etc/httpd/conf.d/ssl.conf ServerName serverX.example.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5 SSLCertificateFile /etc/pki/tls/certs/webapp.crt SSLCertificateKeyFile /etc/pki/tls/private/webappX.key SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt #firewall-cmd - -permanent - -add- -service=https #firewall-cmd –reload #httpd -t #systemctl restart httpd.service

36

Dynamic Webserver Configuration (WSGI)

37

configure website http://serverX.example.com:8961 on systernl with the docurnentroot /srv/webapp Site should executes webapp.wsgi. Answer: [ lab webapp setup ] # yum install mod_wsgi -y #mkdir -p /srv/webapp [Apply SELinux contect on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t httpd_sys_content_t “/srv/webapp(/.*)?” # restorecon -R –v /srv/webapp # cp /home/student/webapp.wsgi /srv/webapp/

Dynamic Webserver Configuration (WSGI) #vim /etc/httpd/conf.d/ssl.conf ServerName webappX.example.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5 SSLCertificateFile /etc/pki/tls/certs/webapp.crt SSLCertificateKeyFile /etc/pki/tls/private/webappX.key SSLCertificateChainFile

/etc/pki/tls/certs/example-ca.crt

WSGIScriptAlias / /srv/webapp/webapp.wsgi Require all granted

38

Webserver Logical Port Change Run your https webserver through 8989/tcp port: Answer: # semanage port – l | grep http # semanage port –a –t http_port_t –p tcp 8989

# firewall-cmd - - permanent - - add-port=8989/tcp # firewall-cmd - - reload

39

Webserver Logical Port Change Listen 8989 https

ServerName webappX.example.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5 SSLCertificateFile /etc/pki/tls/certs/webapp.crt SSLCertificateKeyFile /etc/pki/tls/private/webappX.key

SSLCertificateChainFile # systemctl restart httpd.service

/etc/pki/tls/certs/example-ca.crt

40

Script # 01

41

Create a script on serverX called /root/random with following details: 1. When run as /root/random foo,should bring the output as “bar”. 2. When run as /root/random bar, should bring the output “foo”. 3. When run with any other argument or without argument, should appear the message Type foo or bar. Answer: # mkdir /root/random # vim /root/random/script #! /bin/bash case $@ in foo ) echo “bar”;; bar ) echo “foo”;; * ) echo “Type foo or bar”;; esac

# chmod +x /root/random/script # /root/random/script foo

[For check the script]

# /root/random/script bar

[For check the script]

Script # 02 Create a script on serverX called /root/createusers with following details:

42

1. When run as /root/createusers testfile, it should add all the users from the downloaded file.(http://serverX.example.com/testfile). All users should have the loginshell as /bin/false, password not required.

2. When this script is run with any other argument, it should print the message as “Input File Not Found”. 3. When run without any argument, it should display “Usage:/root/createusers”. NOTE: If the users are added, no need to delete.

[For lab environment, create a file with user name. File name should be testfile]

Script # 02 Answer: # vim testfile [Write user name list---Only for lab] # vim /root/createusers #! /bin/bash a=“” case $@ in

testfile) for user in $(cat $1); do echo “Adding users:”$user useradd -s /bin/false $user done;;

$a) echo “Usage: /root/createusers”;; *) echo “Input File Not Found”;; esac # chmod +x /root/createusers

# /root/createusers testfile

[For check the script]

# /root/createusers [Enter]

[For check the script]

# /root/createusers [Wrong Value] [For check the script]

43

iSCSI (Traget) Configuration 

44

Create a new 3GB LVM target on your serverX.example.com. The block device name should be data block. The server should export an iscsi disk called iqn.201410.com.example:serverX. LVM name should be /dev/iscsivg/iscsilv

Answer: # fdisk -l

#fdisk /dev/vdb [Create 3300MB LVM partition] # partprobe # pvcreate /dev/vdb # vgcreate iscsivg /dev/vdb1 # lvcreate -L 3072M -n iscsilv iscsivg # lvdisplay

[For display the path]

iSCSI (Traget) Configuration

45

# yum install targetcli -y # systemctl enable target # systemctl start target #targetcli /> backstores/block create data /dev/iscsivg/iscsilv /> iscsi/ create iqn.2014-10.com.example:serverX /> iscsi/ iqn.2014-06.com.example:server1/tpg1/acls create iqn.201410.com.example:desktop1 /> iscsi/ iqn.2014-10.com.example:server1/tpg1/lun create /backstores/block/data /> iscsi/ iqn.2014-06.com.example:server1/tpg1/portal create 172.25.1.11 />ls /> saveconfig #firewall-cmd - -permanent - -add-port=3260/tcp #firewall-cmd - -reload

iSCSI (Initiator) Configuration

46

The systemX.example.com provides an called iqn.2014-10.com.example:serverX With port 3260/tcp. Connect the disk with client and configure filesystem with the following requirements. 1.

Create 3GB partition on iSCSI block device and assign the file system as ext3.

2.

Mount the volume under /mnt/initiator at the system boot time.

3.

The file System should be contain the copy of http://classroom.example.com/pub/iscsi.txt

4.

The file should be owned by root with 0644 permissions.

iSCSI (Initiator) Configuration

47

Answer: #yum install iscsi-initiator-utils -y #vim /etc/iscsi/initiatorname.iscsi

InitiatorName= iqn.2014-10.com.example:desktopX # systemctl enable iscsi # systemctl start iscsi # iscsiadm --mode discovery --type sendtargets --portal 172.25.X.X –discover # iscsiadm --mode node --targetname iqn.2014-10.com.example:systemX --portal 172.25.X.X:3260 –login [For above two command you can get help from man page “man iscsiadm”]

iSCSI (Initiator) Configuration

48

# fdisk -l # fdisk /dev/sda [Create a 3GB partition] # partprobe # mkfs.ext3 /dev/sda1

# blkid /dev/sda1 [For show the /dev/sda1 UUID] # vim /etc/fstab UUID=c9213938-6753-4001-b939-4b5720c8ec5e

/mnt/initiator

# mount -a # mkdir /mnt/initiator

# cd /mnt/initiator # wget http://classroom.example.com/pub/iscsi.txt # chown root iscsi.txt # chmod 0644 iscsi.txt

ext3

_netdev

0

0

MariaDB # 1

49

Restore a database on serverX from the URL http://classroom.content.com/pub/rhce/backup.mdb 1. The database name should be Contacts. 2. It should be access only within the localhost.

Most important

3. Set a password for root user as "Postroll".

4. Other than the root user, the user andrew able to “read,write,update,delete” the query from the above mentioned database. [Andrew is a local user] 5. The user should be authenticated with the password as "Postroll".

MariaDB # 1

50

# yum groupinstall mariadb -y # yum groupinstall mariadb-client -y # systemctl enable mariadb.service # systemctl start mariadb.service

# mysql_secure_installation Enter/:Y/New Password:Postroll/Y/Y/Y/Y/ # mysql -u root –p MariaDB [(none)]> create database Contacts;

MariaDB [(none)]> exit

Database create command.

# wget http://content.example.com/courses/rhce/rhel7.0/materials/mariadb/mariadb.dump # mysql -u root -p Contacts < mariadb.dump Enter password: Postroll

Database Backup

MariaDB # 1

51

# mysql -u root -p Enter password: [ ******] MariaDB [(none)]> show databases; MariaDB [(none)]> use Contacts;

Only for Check.

MariaDB [inventory]> show tables;

MariaDB [inventory]> exit # mysql -u root –p Enter password: [ ******] MariaDB [(none)]> create user andrew@localhost identified by ‘Postroll';

MariaDB [(none)]> grant select on Contacts.* to andrew@localhost; MariaDB [(none)]> create user steve@'%’ identified by ‘Postroll'; MariaDB [(none)]> grant insert,update,delete on Contacts.* to steve@'%’; MariaDB [(none)]> flush privileges; MariaDB [(none)]> exit

User Create

MariaDB # 1 # mysql -u steve –p MariaDB [(none)]> use Contacts;

# firewall-cmd –permanent –add-service=mysql # firewall-cmd –reload #vim /etc/my.cnf [mysqld] skip-networking=1 #systemctl restart mariadb.service

If in question says, It should be access only within the localhost. Then must be edit this file.

52

View more...

Comments

Copyright ©2017 KUPDF Inc.
SUPPORT KUPDF