RHCE7 Exam Review

Lab:
2 VMs (serverX – desktopX)
3 NICs each (one public, two internal connecting both: serverX & desktopX)
Different users (Otis, ?, ?, ?)

PRE
a. Create yum.repo on both serverX & desktopX
b. Autocompletion on CentOS (yum install bash-completion)
c. Install firewall, system-config*, targetd/targetcli, httpd, nfs, nfs-kerb, smb, mariadb, postfix
d. Start X in serverX and desktopX: init 5 OR # vim /etc/inittab OR # systemctl set-default graphical.target
e. Enable sshd in firewall

EXAM
1. Set SELinux to enforcing
2. Create team0 (activebackup) with eth1 and eth2
   a. Configure IPv4 on both interfaces
3. IPv6 on public (ping between server and client = gw?)
4. Install Firewall manager and configure
   a. Rule to drop myl33t.com
   b. Port forwarding from a local port to another port
5. Create file /usr/sbin/qset and chmod +x (ps -A)
6. iSCSI 3TB from local LVM
   a. Create partition on extra space of sda (3.1TB pv, vg, lv -> partprobe) > targetcli
   b. Mount it on desktopX
7. 1 virtual website (default & name www.example.com)
8. 1 virtual website (name server1.example.com) – user Otis with permissions at /var/www/server1
9. 1 website (???) certificates SSL???
10. 1 website (???)
11. 1 website Group Managed Content
12. Postfix (forwarder/relay and permit mail from source ??)
13. NFS share …
14. NFS + Kerberos
15. SMB (ACL (setfacl), semanage, restorecon) > CIFS > mount permissions for users
16. SMB (???) …
17. MariaDB create DB & restore DB from backup, create user and grant ALTER on DB?
18. MariaDB query an attribute by a given ID and DB (the DB might not be accessible/visible)
19. Script (I=kernel > O=user; I=user > O=kernel; I=null > O=echo Please type k o u)
20. Kerberos setup KDC admin
21. Configure client Kerberos auth

Legend: "# command" = command to run; "filename" = file to edit; the lines under it = text to put in the file.

PRE
a. Create yum.repo on both serverX & desktopX
# vim /etc/yum.repos.d/rhel.repo
rhel.repo
[rhel]
name=rhel
mirrorlist=URL provided on exam
gpgcheck=0
enabled=1
# yum upgrade
   (gpgcheck=0 is only acceptable because the exam repo is local and unsigned; on a real system keep gpgcheck=1 and import the vendor key, otherwise yum installs whatever the mirror serves.)

b. Autocompletion (only for CentOS lab, not exam)
# yum install bash-completion

c. Install:
   a. ServerX: firewall, system-config*, targetd & targetcli, httpd, nfs, krb5, smb, mariadb, postfix
# yum install system-config-firewall targetd targetcli httpd mod_ssl samba samba-client cifs-utils nfs-utils nfs4-acl-tools mariadb-server postfix
   b. DesktopX:
# yum install samba-client cifs-utils nfs-utils

d. Start X:
# systemctl set-default graphical.target
or
# init 5

e. Enable sshd in firewall
# firewall-cmd --permanent --add-service=ssh

EXAM
1. Set SELinux to enforcing
# vim /etc/sysconfig/selinux
/etc/sysconfig/selinux
SELINUX=enforcing
# sestatus
# getenforce
   (The file is only read at boot: the running mode must also be switched with setenforce, or the box rebooted, and getenforce must say Enforcing before moving on.)

2. Create team0 (activebackup) with eth1 and eth2.
   (nmcli dev connect eno16777736 – just to bring an interface up if needed)
   a. On serverX:
# locate teamd | grep 3
/usr/share/doc/teamd-1.17/example_ifcfgs/3/ifcfg-team_test0
# cat /usr/share/doc/teamd-1.17/example_ifcfgs/3/ifcfg-team_test0 | grep -i config
… '{"runner": {"name": "activebackup"} …
Take the config and use it when creating the team interface:
# nmcli connection add type team con-name team0 ifname team0 config '{"runner": {"name": "activebackup"}}'
# nmcli connection modify team0 ipv4.addresses 172.16.4.10/24 ipv4.method static
# nmcli connection add type team-slave con-name team0-eth1 ifname eth1 master team0
# nmcli connection add type team-slave con-name team0-eth2 ifname eth2 master team0
# nmcli connection up team0
   b. On desktopX (same commands, changing the IP):
# nmcli connection add type team con-name team0 ifname team0 config '{"runner": {"name": "activebackup"}}'
# nmcli connection modify team0 ipv4.addresses 172.16.4.11/24 ipv4.method static
# nmcli connection add type team-slave con-name team0-eth1 ifname eth1 master team0
# nmcli connection add type team-slave con-name team0-eth2 ifname eth2 master team0
# nmcli connection up team0

3. IPv6 on public (ping between server and client = gw?)
   a. Gateway is fddb:fe2a:ab1e::c0a8:fe/64 (router)
   b. Configure IPv6 static, with gw:
# nmcli connection modify eth0 ipv6.addresses fddb:fe2a:ab1e::c0a8:2/64 ipv6.gateway fddb:fe2a:ab1e::c0a8:fe ipv6.method static
4. Install Firewall manager and configure on serverX.
   a. Rule to drop myl33t.com (i.e. 10.0.10.10/24)
   b. Port forwarding from a local port to another port
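Added example, not from the original notes: the same task 4 done with firewall-cmd instead of the graphical manager, so the rules can be reviewed and re-applied. The notes only guess that myl33t.com is 10.0.10.10/24 and give no ports, so the network, the forwarded port (5423 -> 80 on serverX itself) and the "public" zone are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: firewalld for exam task 4 on
# serverX, done with firewall-cmd instead of the graphical manager so it can be
# reviewed and re-run. Assumptions (not stated in the notes): myl33t.com is
# 10.0.10.10/24 as the note guesses, the forward is TCP 5423 -> 80 on serverX
# itself, and everything lives in the default "public" zone.
set -u

ZONE=public
BLOCK_CIDR=10.0.10.10/24   # assumed network behind myl33t.com
FWD_PORT=5423              # assumed port clients connect to
FWD_TO=80                  # assumed destination port (httpd on this host)

# Reject anything that is not a dotted-quad IPv4 network in CIDR form before it
# reaches firewall-cmd; a typo here would otherwise end up as a permanent rule
# that matches nothing while looking correct in --list-rich-rules.
valid_cidr4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        $5 !~ /^[0-9]+$/ || $5 > 32 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Rich rule that silently discards traffic from the blocked network. "drop"
# rather than "reject": the sender gets no ICMP answer to learn from.
drop_rule() {
    printf 'rule family="ipv4" source address="%s" drop' "$1"
}

# --add-forward-port argument for a local port-to-port redirect. Without
# toaddr= the packet stays on this host, so no masquerade is needed; forwarding
# to another machine would need toaddr=<ip> and --add-masquerade as well.
forward_spec() {
    printf 'port=%s:proto=tcp:toport=%s' "$1" "$2"
}

apply() {
    valid_cidr4 "$BLOCK_CIDR" || { echo "refusing bad CIDR: $BLOCK_CIDR" >&2; return 1; }
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(drop_rule "$BLOCK_CIDR")"
    firewall-cmd --permanent --zone="$ZONE" --add-forward-port="$(forward_spec "$FWD_PORT" "$FWD_TO")"
    firewall-cmd --reload
    # Check the running configuration, not only what --permanent wrote to disk.
    firewall-cmd --zone="$ZONE" --list-rich-rules
    firewall-cmd --zone="$ZONE" --list-forward-ports
}

# Usage on serverX: sh fw-task4.sh apply
# Run without arguments the script only defines the helpers above.
case "${1:-}" in
    apply) apply ;;
esac
```

The two --list commands at the end are the check: --permanent rules are only written to disk, and nothing protects the host until --reload has loaded them.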
6. iSCSI 3TB from local LVM
   a. Create partition on extra space of sda (3.1TB pv, vg, lv -> partprobe) > targetcli
# yum install targetd targetcli
# systemctl start target && systemctl enable target
   (target.service is what restores /etc/target/saveconfig.json at boot; targetd is a separate remote-management daemon and is not what this task needs.)
# fdisk /dev/sda
n
p
default -> 3
default sector
+3G
t
3
8e
w
# partprobe
# pvcreate /dev/sda3
# vgcreate vg-iscsi /dev/sda3
# lvcreate -n Shared_Data -L 2.6G vg-iscsi
# targetcli
/> backstores/block create name=serverX.disk1 dev=/dev/vg-iscsi/Shared_Data
/> saveconfig
/> exit
   (Still missing at this point: the iscsi target itself, its LUN, an ACL for the initiator and the portal; without an ACL no initiator can log in.)
   b. Mount it on desktopX
# yum provides iscsiadm
   (the package is iscsi-initiator-utils)
/etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2016-06.com.example:desktop
/etc/fstab
UUID=a579e7c8-094d-4feb-896b-796293cbf970 /data xfs _netdev 0 2
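Added example, not from the original notes: the rest of task 6, from the backstore created above to the mounted disk on desktopX. The backstore name and the initiator name are the ones in the notes; the target IQN (iqn.2016-06.com.example:serverx), the portal address (the team0 address 172.16.4.10 from task 2) and the mount point /data are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: finish the iSCSI target of exam
# task 6 (the notes stop after creating the backstore) and attach it on
# desktopX. From the notes: backstore serverX.disk1 on /dev/vg-iscsi/Shared_Data
# and the initiator name iqn.2016-06.com.example:desktop. Assumptions: target
# IQN iqn.2016-06.com.example:serverx, portal on the team0 address 172.16.4.10,
# and mount point /data on desktopX.
set -u

BACKSTORE=serverX.disk1
DEVICE=/dev/vg-iscsi/Shared_Data
TARGET_IQN=iqn.2016-06.com.example:serverx      # assumed
INITIATOR_IQN=iqn.2016-06.com.example:desktop   # from /etc/iscsi/initiatorname.iscsi in the notes
PORTAL_IP=172.16.4.10                           # assumed: internal team0 address, not 0.0.0.0
MOUNT_POINT=/data

# One targetcli command per line. The ACL limits logins to the one initiator
# IQN and the portal is bound to the internal address, so the LUN is neither
# reachable on the public NIC nor mountable by any other host that can talk to
# port 3260. (No CHAP is configured; an IQN is not a secret, so on a network
# that untrusted hosts can reach, add CHAP on top of this.)
targetcli_batch() {
    cat <<EOF
/backstores/block create name=$BACKSTORE dev=$DEVICE
/iscsi create $TARGET_IQN
/iscsi/$TARGET_IQN/tpg1/portals delete 0.0.0.0 3260
/iscsi/$TARGET_IQN/tpg1/luns create /backstores/block/$BACKSTORE
/iscsi/$TARGET_IQN/tpg1/acls create $INITIATOR_IQN
/iscsi/$TARGET_IQN/tpg1/portals create $PORTAL_IP 3260
saveconfig
EOF
}

# fstab entry for desktopX: _netdev delays the mount until the network (and
# therefore the iSCSI session) is up, and UUID= does not depend on the device
# getting the same /dev/sdX name on every boot.
fstab_line() {   # $1 = filesystem UUID
    printf 'UUID=%s %s xfs _netdev 0 2\n' "$1" "$MOUNT_POINT"
}

# Run on serverX (as root).
apply_target() {
    targetcli_batch | while read -r line; do
        case $line in
            # newer targetcli adds a 0.0.0.0:3260 portal on "/iscsi create";
            # removing it keeps the target off every other interface, and the
            # delete is harmless where no such portal exists
            */portals\ delete*) targetcli $line 2>/dev/null || true ;;
            *) targetcli $line || { echo "targetcli failed: $line" >&2; exit 1; } ;;
        esac
    done || return 1
    firewall-cmd --permanent --add-port=3260/tcp && firewall-cmd --reload
    systemctl enable target && systemctl start target   # target.service restores saveconfig.json at boot
}

# Run on desktopX (as root).
apply_initiator() {
    yum -y install iscsi-initiator-utils
    printf 'InitiatorName=%s\n' "$INITIATOR_IQN" > /etc/iscsi/initiatorname.iscsi
    systemctl enable iscsid && systemctl restart iscsid      # pick up the initiator name
    iscsiadm -m discovery -t sendtargets -p "$PORTAL_IP"
    iscsiadm -m node -T "$TARGET_IQN" -p "$PORTAL_IP" --login
    # Resolve the disk through by-path so only the LUN from this target can be
    # formatted, never whatever /dev/sdb happens to be today.
    set -- /dev/disk/by-path/*"$TARGET_IQN"*-lun-0
    [ $# -eq 1 ] && [ -e "$1" ] || { echo "expected exactly one LUN path, got: $*" >&2; return 1; }
    dev=$(readlink -f "$1")
    mkfs.xfs "$dev"
    uuid=$(blkid -s UUID -o value "$dev")
    mkdir -p "$MOUNT_POINT"
    fstab_line "$uuid" >> /etc/fstab
    mount "$MOUNT_POINT" && df -h "$MOUNT_POINT"
}

# Usage: sh iscsi-task6.sh target      (on serverX)
#        sh iscsi-task6.sh initiator   (on desktopX)
case "${1:-}" in
    target)    apply_target ;;
    initiator) apply_initiator ;;
esac
```

After the initiator side, `iscsiadm -m session` on desktopX and `targetcli ls` on serverX show the session; `mount -a` after a reboot is the check that the _netdev entry actually works.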
7. 1 virtual website (default & name www.example.com)
# yum install httpd mod_ssl
# systemctl enable httpd.service && systemctl start httpd.service
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# wget -O /var/www/html/index.html http://url_exam
# semanage fcontext --list | grep httpd
# semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'
# restorecon -Rv /var/www/html/
   (chcon -t would only last until the next relabel; semanage + restorecon is the persistent way.)
# vim /etc/httpd/conf.d/00-default-vhost.conf
/etc/httpd/conf.d/00-default-vhost.conf
<VirtualHost _default_:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
    CustomLog "logs/default-vhost.log" combined
</VirtualHost>
<Directory /var/www/html>
    Require all granted
</Directory>

8. 1 virtual website (name server1.example.com) – user Otis with permissions at /var/www/server1
# cp /etc/httpd/conf.d/00-default-vhost.conf /etc/httpd/conf.d/01-serverx-vhost.conf
# wget -O /var/www/serverx/index.html http://url_exam
# man semanage-fcontext
# semanage fcontext --list | grep httpd
# semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'
# restorecon -Rv /var/www/serverx
# setfacl -R -m u:Otis:rwX /var/www/serverx
   (That covers existing files only; a default ACL, setfacl -d on the directory, is also needed if files Otis creates later must stay writable for him.)
# vim /etc/httpd/conf.d/01-serverx-vhost.conf
/etc/httpd/conf.d/01-serverx-vhost.conf
<VirtualHost *:80>
    ServerName serverx.example.com
    DocumentRoot /var/www/serverx
    CustomLog "logs/serverx-vhost.log" combined
</VirtualHost>
<Directory /var/www/serverx>
    Require all granted
</Directory>

9. 1 website (???) users home folders??? (check!!!) – basic auth on a directory:
# useradd test
# htpasswd -c /etc/httpd/htpasswd test
# vim /etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd.conf
<Directory "/var/www/html/secret">
    AuthType Basic
    AuthName "Secret Content"
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
</Directory>
   (-c creates the file and must not be used again for the second user. Basic auth sends the password in clear text on every request, so this only makes sense on the HTTPS vhost from 10.)

10. SSL, PHP and CGI
   a. SSL/TLS
# yum install crypto-utils mod_ssl
# genkey alf.home   # follow the UI
# vim /etc/httpd/conf.d/ssl.conf
Modify the cert name generated:
/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/alf.home.crt
SSLCertificateKeyFile /etc/pki/tls/private/alf.home.key
   (genkey writes the certificate to /etc/pki/tls/certs and the private key to /etc/pki/tls/private; pointing SSLCertificateKeyFile at the .crt makes httpd refuse to start. The key stays root-owned and 0600.)
   b. PHP or CGI app
# yum install php
# systemctl restart httpd
# vim /var/www/cgi-bin/test.php
/var/www/cgi-bin/test.php
#!/usr/bin/php-cgi
<?php
phpinfo();
?>
   (A file under cgi-bin is run as a CGI program, hence the shebang and the +x; a .php file in the DocumentRoot is handled by mod_php without either.)
# chown apache:apache test.php
# chmod +x test.php
# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/cgi-bin(/.*)?'
# restorecon -Rv /var/www
# systemctl restart httpd
Check in Firefox: localhost/cgi-bin/test.php
   (phpinfo() prints versions, paths and environment variables; delete the test file once the check passes.)

11. Group Managed Content

12. Postfix (forwarder/relay and permit mail from source ??)
# yum install postfix
# systemctl start postfix && systemctl enable postfix
# firewall-cmd --permanent --add-service=smtp
# vim /etc/postfix/main.cf
/etc/postfix/main.cf
mydomain = example.com
myhostname = serverx.example.com
myorigin = $myhostname
inet_interfaces = $myhostname, localhost
relayhost = [destination.example.com]
   (Once inet_interfaces listens on the host address, mynetworks decides who may relay; leave it restricted to the subnets the task names, or the box is an open relay.)

13. NFS share on serverX:
# systemctl start nfs-server && systemctl enable nfs-server
# systemctl start rpcbind && systemctl enable rpcbind
# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --permanent --add-service=rpc-bind
# firewall-cmd --reload
# mkdir /nfsshare
# chown nfsnobody /nfsshare
# echo '/nfsshare desktopX(rw)' >> /etc/exports
# exportfs -avr
# showmount -e localhost
   (exportfs warns when neither sync nor async is given; add sync. Keep the default root_squash: with no_root_squash, root on desktopX is root on the export.)

14. NFS + Kerberos: give permissions to user ldapX on shared file testfile.txt. On server:
# echo "Hello World" > /securenfs/testfile.txt
# chcon -t public_content_t /securenfs/testfile.txt
# chown ldapuserx:ldapuserx /securenfs/testfile.txt
# chmod 644 /securenfs/testfile.txt
Test from the client:
# ssh ldapuserx@desktopx
# echo "I can write" >> /mnt/securenfs/testfile.txt
# cat /mnt/securenfs/testfile.txt

15. SMB (ACL (setfacl), semanage, restorecon) > CIFS > mount permissions for users
# yum install samba samba-client
# mkdir /sharedpath
# semanage fcontext -a -t samba_share_t '/sharedpath(/.*)?'
# restorecon -vvFR /sharedpath
   public_content_t (read only)
   public_content_rw_t (read and write); for this the boolean smbd_anon_write must be enabled

17. MariaDB: create user and grant ALTER on a DB. On server:
MariaDB> show databases;
MariaDB> use db_to_use;
MariaDB> create user 'pruebas'@'localhost' identified by 'redhat';
MariaDB> grant alter on db_to_use.* to 'pruebas'@'localhost';
   (db_to_use.* = every table in that DB; db_to_use.table limits it to one table; *.* would be every DB and is more than the task asks for.)

18. MariaDB: query an attribute by a given ID and DB (the DB might not be accessible/visible)
# ls /var/lib/mysql/
   (every directory there is a database, even one that "show databases" hides from the current user)
# mysql -u root -p   (or the user with permissions)
MariaDB> show databases;
MariaDB> use db_to_use;
MariaDB> show tables;
MariaDB> select user,password from mysql.user;
MariaDB> select host,user,password,select_priv,create_priv from mysql.user where host = '127.0.0.1';
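Added example, not from the original notes: a check for the /etc/exports written in task 13 above. It reads an exports file and reports the settings that hand out more than "desktopX(rw)" does (a "*" or missing client, no_root_squash, insecure) plus the missing sync/async that makes exportfs warn. The sample file is constructed for the example; the paths in it other than /nfsshare are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: check /etc/exports from task 13
# for options that hand out more than the task asked for. The export in the
# notes is "/nfsshare desktopX(rw)"; the sample file below is constructed and
# adds the mistakes this check is meant to catch.
set -u

# Print one finding per line; silent when nothing is wrong.
# Flags: a client of "*" (or no client at all, which exportfs treats as "*"),
# no_root_squash (remote root becomes local root on the export), insecure
# (accepts mounts from unprivileged source ports) and a missing explicit
# sync/async (exportfs warns because the default changed between versions).
exports_lint() {   # $1 = path to an exports file
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            path = $1
            if (NF == 1) { printf "%s: no client given, exported to everyone\n", path; next }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                k = index($i, "(")
                if (k) { client = substr($i, 1, k - 1); opts = substr($i, k + 1); sub(/\)$/, "", opts) }
                if (client == "*" || client == "")
                    printf "%s: exported to every host\n", path
                n = split(opts, o, ",")
                seen_sync = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") printf "%s: no_root_squash for %s\n", path, client
                    if (o[j] == "insecure")       printf "%s: insecure (unprivileged ports) for %s\n", path, client
                    if (o[j] == "sync" || o[j] == "async") seen_sync = 1
                }
                if (!seen_sync) printf "%s: no sync/async given for %s (exportfs will warn, default is sync)\n", path, client
            }
        }' "$1"
}

# Constructed sample: the export from the notes (with sync added) and three
# lines with the mistakes the check should flag.
write_sample() {   # $1 = destination path
    cat > "$1" <<'EOF'
# exam export from the notes, plus a sync option so exportfs does not warn
/nfsshare   desktopX(rw,sync)
# mistakes the check should flag
/securenfs  *(rw,sync,no_root_squash)
/backup     (ro,insecure)
/scratch    172.16.4.0/24(rw)
EOF
}

# Usage: sh exports-lint.sh /etc/exports   (exit status is awk's, findings on stdout)
if [ $# -gt 0 ]; then exports_lint "$1"; fi
```

Run it before `exportfs -avr`; an empty result means the file only exports to named clients with root squashed.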
19. Script (I=kernel > O=user; I=user > O=kernel; I=null > O=echo Please type k o u)
# touch /tmp/script.sh
# chmod +x /tmp/script.sh
# vim /tmp/script.sh
/tmp/script.sh
#!/bin/bash
case "$1" in
    kernel)
        echo user
        ;;
    user)
        echo k
        ;;
    *)
        echo "Please type ./script.sh kernel/user"
        exit 1   # non-zero so a caller can tell the usage error from a real answer
        ;;
esac

20. Kerberos setup KDC admin (not an exam question, but preparing the server for authenticating!!)
Configure:
# vim /etc/hosts
/etc/hosts
192.168.50.11 client-a.alf.home client-a
10.31.244.138 server-a.alf.home server-a
   (set kernel.hostname / kernel.domainname in /etc/sysctl.conf and run sysctl -p, as for the client in 21)
# yum install -y krb5-server
# vim /var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kadm5.acl
*/admin@LAB.LOCAL *
   (this grants every principal with an /admin instance full rights over the realm; only create /admin principals for realm administrators)
# vim /var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/kdc.conf
…
[realms]
 LAB.LOCAL = {
  …
 }
Create the database Kerberos uses for storing all principals:
# kdb5_util create -s -r LAB.LOCAL
   (-s writes the master-key stash file so krb5kdc can start unattended; it protects the whole realm and must stay root-only)
# systemctl start krb5kdc kadmin
# systemctl enable krb5kdc kadmin
# systemctl status krb5kdc
# systemctl status kadmin
# firewall-cmd --permanent --add-service=kerberos
## firewall rule for remote access to kadmin:
# firewall-cmd --permanent --add-port=749/tcp
# firewall-cmd --reload
# kadmin.local
kadmin.local: listprincs
kadmin.local: addprinc root/admin@LAB.LOCAL
- Set password: ….

21. Configure client Kerberos auth, on clientA:
# vim /etc/hosts
/etc/hosts
10.31.244.140 clientA.lab.local clientA
10.31.244.138 serverA.lab.local serverA
# domainname
# vim /etc/sysctl.conf
/etc/sysctl.conf
kernel.hostname = clientA.lab.local
kernel.domainname = lab.local
# sysctl -p
# yum search krb5
# yum install -y krb5-workstation pam_krb5.x86_64
# vim /etc/krb5.conf
/etc/krb5.conf
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = LAB.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LAB.LOCAL = {
  kdc = serverA.lab.local
  admin_server = serverA.lab.local
 }

[domain_realm]
 .lab.local = LAB.LOCAL
 lab.local = LAB.LOCAL
   (realm names are case-sensitive: "LAB.local" here would map the domain to a realm that does not exist and every ticket request would fail)
# authconfig-tui (specify the KDC servers and the realm in CAPITAL letters)
# useradd test
# kadmin
kadmin: addprinc test
kadmin: exit
# ssh test@serverA.lab.local
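Added example, not from the original notes: a check for the client krb5.conf from task 21. Realm names are case-sensitive, so a [domain_realm] entry like ".lab.local = LAB.local" points at a realm that is not defined and kinit fails with "Cannot find KDC for realm". The script parses the file and reports mappings and a default_realm that name no realm from [realms], plus realms that are not upper-case. The sample configs are constructed from the task 21 file; the paths are temporary.

```shell
#!/bin/sh
# Added example, not from the original notes: a sanity check for the client
# /etc/krb5.conf from task 21. Kerberos realm names are case-sensitive, so a
# [domain_realm] entry such as ".lab.local = LAB.local" maps the domain to a
# realm that does not exist and every ticket request fails with "Cannot find
# KDC for realm". The checker parses the file and reports mappings that do not
# name a realm defined in [realms], realms that are not upper-case, and a
# default_realm that is not defined. Sample contents below are constructed.
set -u

# Print one finding per line; prints nothing when the file is consistent.
krb5_lint() {   # $1 = path to krb5.conf
    awk '
        /^[ \t]*#/ || /^[ \t]*;/ || /^[ \t]*$/ { next }
        /^[ \t]*\[[A-Za-z_]+\][ \t]*$/ {
            section = $0; sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section); next
        }
        section == "realms" && index($0, "{") {
            r = $1; defined[r] = 1
            if (r != toupper(r)) printf "realm %s is not upper-case\n", r
            next
        }
        section == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); def = kv[2]; next
        }
        section == "domain_realm" && /=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            map[kv[1]] = kv[2]; next
        }
        END {
            if (def != "" && !(def in defined))
                printf "default_realm %s has no [realms] entry\n", def
            for (d in map)
                if (!(map[d] in defined))
                    printf "domain_realm %s -> %s: realm not defined (case matters)\n", d, map[d]
        }' "$1"
}

# Constructed sample: the task 21 client file, with the realm used in
# [domain_realm] taken from $2 so both the broken and the fixed variant can be
# produced.
write_sample() {   # $1 = destination path, $2 = realm string for [domain_realm]
    cat > "$1" <<EOF
[libdefaults]
 default_realm = LAB.LOCAL
 dns_lookup_realm = false

[realms]
 LAB.LOCAL = {
  kdc = serverA.lab.local
  admin_server = serverA.lab.local
 }

[domain_realm]
 .lab.local = $2
 lab.local = $2
EOF
}

# Usage: sh krb5-lint.sh /etc/krb5.conf   (no output = nothing found)
if [ $# -gt 0 ]; then krb5_lint "$1"; fi
```

Run it on the client before authconfig-tui; once it is silent, `kinit test` followed by `klist` is the end-to-end check that the realm, the KDC and the hosts entries agree.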