Linux RHCE Preparation

1. Start classroom-rh254
2. Set environment: yum install ./examrhce-0.0.1-l.el7.x86_64.rpm -y
3. Start server-rh254
4. Set lab environment: lab examrhce setup
5. Start desktop-rh254
6. Set lab environment: lab examrhce setup
7. Check result: lab examrhcsa grade

1. Set SELinux
A. Change config file: vim /etc/sysconfig/selinux
B. Temporarily set SELinux: setenforce 1
C. Check SELinux: getenforce
If SELinux was previously disabled, you need to reboot to switch to enforcing.

2. SSH Access Setting
A. Disable the firewall for RHEL 6
i. systemctl mask iptables
ii. systemctl mask ip6tables
iii. systemctl mask ebtables.service
B. Start the firewall for RHEL 7
i. systemctl enable firewalld
ii. systemctl start firewalld
C. Set firewall rule
i. Allow ssh: firewall-cmd --permanent --add-service=ssh
ii. Block subnet for ssh: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.17.10.0/24 service name=ssh reject'
D. Reload firewall: firewall-cmd --reload
E. Check firewall rules: firewall-cmd --list-all
F. Repeat the same operation on desktop-rh254

3. Set IPv6 Address
A. Set IPv6: nm-connection-editor
B. Edit eth0 IPv6 Setting
C. Input the Addresses information 
i. IP Address
ii. Mask: 64
D. Restart the network adaptor
i. nmcli connection reload
ii. nmcli connection down eth0
iii. nmcli connection up eth0
E. Check setting: ifconfig
F. Repeat the same operation on desktop-rh254
G. Check connection: ping6 <server-rh254 ipv6 address>

4. Config network team
A. Config network: nm-connection-editor
B. Create team network: team0
C. Set connection name: team0
D. General: choose both options
E. Change IPv4 Settings with IP address / Netmask / Gateway
F. Change Team Setting with Add two connections
First connection
i. Connection name: team0-port1
ii. Ethernet: choose eth1
iii. General: choose two options
Second connection
i. Connection name: team0-port2
ii. Ethernet: choose eth2
iii. General: choose two options
G. JSON config: {"runner":{"name":"activebackup"}}
H. Load the config: 
i. nmcli connection reload
ii. nmcli connection down team0
iii. nmcli connection up team0
I. Check team status: teamdctl team0 state
J. Verify the network: Ping gateway
K. Repeat the same operation on desktop-rh254

Command method on server0
A. Change to root: su -
B. Check the network adaptor: ip link
C. Create team: nmcli con add type team con-name team0 ifname team0 config '{"runner":{"name":"activebackup"}}'
D. Set IP address: 
i. nmcli con mod team0 ipv4.method manual
ii. nmcli con mod team0 ipv4.addresses '192.168.0.101/24'
E. Add network adaptor to team
i. nmcli con add type team-slave con-name team0-port1 ifname eth1 master team0
ii. nmcli con add type team-slave con-name team0-port2 ifname eth2 master team0
F. Verify the team: teamdctl team0 state

5. User-defined command
A. Change config file: vim /etc/bashrc
Add the following item at the bottom of the file:
alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'
B. Open new terminal
C. Check command: which qstat
D. Verify command: qstat
E. Repeat the same operation on desktop-rh254

6. Config email service
A. Install package: yum install postfix
B. Start service
i. systemctl enable postfix
ii. systemctl start postfix
C. Edit postfix config file
i. postconf -e "inet_interfaces = loopback-only"
ii. postconf -e "myorigin = example.com"
iii. postconf -e "relayhost = [classroom.example.com]"
iv. postconf -e "mydestination = "
v. postconf -e "local_transport = error: local delivery disabled"
vi. postconf -e "mynetworks = 127.0.0.0/8, [::1]/128"
D. Restart service: systemctl restart postfix
E. Verify the setting: 
i. send email command:
mail -s "server0 null client" student@classroom.example.com
null client test
.
ii. check email command: mailq
G. Check email on classroom server: /var/mail/student
H. Repeat the operation in desktop-rh254
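
Added example (not part of the original course notes): a check that compares "postconf -n" output with the six null-client settings from step C and reports any drift. The function name check_null_client and the sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example: verify the null-client settings from step C.
# Usage on a real host: postconf -n | check_null_client
check_null_client() {
    awk '
    BEGIN {
        want["inet_interfaces"] = "loopback-only"
        want["myorigin"]        = "example.com"
        want["relayhost"]       = "[classroom.example.com]"
        want["mydestination"]   = ""
        want["local_transport"] = "error: local delivery disabled"
        want["mynetworks"]      = "127.0.0.0/8, [::1]/128"
        n = split("inet_interfaces myorigin relayhost mydestination local_transport mynetworks", keys, " ")
    }
    {
        # Split "name = value" on the first "=" and trim both sides
        p = index($0, "=")
        if (p == 0) next
        k = substr($0, 1, p - 1); v = substr($0, p + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        seen[k] = v
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = keys[i]
            if (!(k in seen)) {
                printf "%s: not set (expected \"%s\")\n", k, want[k]; bad = 1
            } else if (seen[k] != want[k]) {
                printf "%s: \"%s\" (expected \"%s\")\n", k, seen[k], want[k]; bad = 1
            }
        }
        exit bad
    }' "$@"
}

# Constructed sample: listens on all interfaces, local_transport missing
sample=$(mktemp)
cat > "$sample" <<'EOF'
inet_interfaces = all
myorigin = example.com
relayhost = [classroom.example.com]
mydestination =
mynetworks = 127.0.0.0/8, [::1]/128
EOF
check_null_client "$sample" || echo "null-client settings have drifted"
rm -f "$sample"
```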

7. Port Forward on server0
A. Create firewall rule: 
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.0.0/24 forward-port port=5423 protocol=tcp to-port=80'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.0.0/24 forward-port port=5423 protocol=udp to-port=80'
B. Reload firewall service: firewall-cmd --reload

8. Samba Share folder on server0
A. Install Samba package: yum install samba samba-client 
B. Create folder: mkdir /common
C. Create user
useradd -s /sbin/nologin rob
useradd -s /sbin/nologin brian
D. Add user into Samba
smbpasswd -a rob
smbpasswd -a brian
E. Change privilege of folder
chgrp brian /common
chmod 2775 /common
F. Change selinux of folder: semanage fcontext -a -t samba_share_t '/common(/.*)?'
G. Refresh the folder: restorecon -vFR /common/
H. Change the samba config file
vim /etc/samba/smb.conf
i. Change content from
workgroup = MYGROUP
to
workgroup = STAFF
ii. Make sure: security = user
iii. Add the following content at the bottom of the file
[common]
                path = /common
                write list = brian
                browseable = yes
                hosts allow = 172.25.0.
I. Start the service
systemctl enable smb nmb
systemctl start smb nmb
J. Change firewall for samba:
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
K. Restart the service
systemctl restart smb nmb

9. SMB Client Multiuser Mount on desktop0
A. Install package: yum install cifs-utils
B. Create folder: mkdir /mnt/multiuser
C. Create config file
echo 'username=brian' > /root/smb-multiuser.txt
echo 'password=redhat' >> /root/smb-multiuser.txt
D. Modify the file /etc/fstab
//server0/common /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
E. Verify: mount -a
F. Create user
useradd -s /sbin/nologin rob
useradd -s /sbin/nologin brian
G. Set brian user
su - brian
cifscreds add server0
<input passwd>
H. Verify the user to create file and read file
I. Set rob user
su - rob
cifscreds add server0
<input passwd>
J. Verify the user can only read files

10. NFS Config on server0
A. Install package: yum install nfs-utils
B. Start service
systemctl enable nfs-server
systemctl start nfs-server
C. Create folder: mkdir /public
D. Change privilege: chown nfsnobody /public
E. Change the file: vim /etc/exports
Add following content:
/public        *.example.com(ro)
F. Export the folder: exportfs -r
G. Check the export: exportfs
H. Change the firewall rule: 
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
I. Download private key: wget -O /etc/krb5.keytab <link>
J. Change nfs config file: vim /etc/sysconfig/nfs
Change from 
RPCNFSDARGS=""
to
RPCNFSDARGS="-V 4.2"
K. Start nfs security service
systemctl enable nfs-secure-server.service
systemctl start nfs-secure-server.service
L. Create folder: mkdir /protected/project -p
M. Change privilege: chown ldapuser0:ldapuser0 /protected/project
N. Change nfs config file: vim /etc/exports
Add following content:
/protected    *.example.com(rw,sec=krb5p)
O. Export the folder: exportfs -r
P. Check the export: exportfs
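
Added example (not part of the original course notes): an audit of an exports file that flags read-write exports without a Kerberos sec= option and any use of no_root_squash, the two things that separate /protected from a weaker export. The function name audit_exports, the rules and the sample file are assumptions of this example; backslash-continued lines are not handled.

```bash
#!/bin/sh
# Added example: report risky entries in an exports file.
# Output: one line per finding, "<path> <client> <reason>".
audit_exports() {
    awk '
    /^[ \t]*#/ { next }     # comment line
    NF == 0    { next }     # blank line
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # "host (rw)" with a space: the options apply to every client
            if (client == "") client = "<anyone>"
            rw = 0; nrs = 0; sec = ""
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nrs = 1
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            }
            # rw needs sec= made up of krb5 flavors only (no sys or none)
            if (rw && (sec == "" || (":" sec ":") ~ /:(sys|none):/))
                print path, client, "rw-without-krb5"
            if (nrs) print path, client, "no_root_squash"
        }
    }' "$@"
}

# Constructed sample: the two exports from this section plus two weak ones
sample=$(mktemp)
cat > "$sample" <<'EOF'
/public        *.example.com(ro)
/protected    *.example.com(rw,sec=krb5p)
/scratch      *.example.com(rw)
/data         desktop0.example.com (rw,no_root_squash)
EOF
audit_exports "$sample"
rm -f "$sample"
```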

12. NFS Config on desktop0
A. Create folder: mkdir /mnt/nfsmount
B. Change file: vim /etc/fstab
Add following content
server0.example.com:/public /mnt/nfsmount nfs defaults 0 0
C. Get certificate: wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
D. Start service
systemctl enable nfs-secure
systemctl start nfs-secure
E. Create folder: mkdir /mnt/nfssecure
F. Change file: vim /etc/fstab
Add following content
server0.example.com:/protected /mnt/nfssecure nfs defaults,sec=krb5p 0 0
G. Verify mount: mount -a
H. Verify ldapuser0 to create file in /mnt/nfssecure/project folder

13. Web service
A. Install package: yum install httpd 
B. Change firewall rule
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
C. Create vhost config file: vim /etc/httpd/conf.d/vhost-server0.conf
Add following content:
<VirtualHost *:80>
        ServerName server0.example.com
        DocumentRoot "/var/www/html"
        CustomLog "logs/server0_vhost_log" combined
        <Directory "/var/www/html">
                <RequireAll>
                        Require all granted
                        Require not host .my133t.com
                </RequireAll>
        </Directory>
</VirtualHost>
D. Download file: wget -O /var/www/html/index.html http://classroom.example.com/materials/station.html
E. Start service
systemctl enable httpd
systemctl start httpd
F. Check port status: lsof -i:80 -n
G. Use browser to visit the website http://server0.example.com

14. Config SSL for Web Service
A. Install package: yum install mod_ssl 
B. Change firewall rule: 
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
C. Download the certificates
wget -O /etc/pki/tls/certs/server0.crt http://classroom.example.com/pub/tls/certs/server0.crt
wget -O /etc/pki/tls/private/server0.key http://classroom.example.com/pub/tls/private/server0.key
wget -O /etc/pki/tls/certs/example-ca.crt http://classroom.example.com/pub/example-ca.crt
D. Change SSL config file: vim /etc/httpd/conf.d/ssl.conf
i. Add following content below <VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName server0.example.com
ii. Change from
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
to
SSLCertificateFile /etc/pki/tls/certs/server0.crt
iii. Change from
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
to
SSLCertificateKeyFile /etc/pki/tls/private/server0.key
iv. Change from
#SSLCACertificateFile /etc/pki/tls/ca-bundle.crt
to
SSLCACertificateFile /etc/pki/tls/certs/example-ca.crt
v. Add visit control before </VirtualHost>
        <Directory "/var/www/html">
                <RequireAll>
                        Require all granted
                        Require not host .my133t.com
                </RequireAll>
        </Directory>
E. Use browser to visit the website https://server0.example.com

15. Virtual Host Config on server0
A. Install package: yum install httpd
B. Start service
systemctl enable httpd
systemctl start httpd
C. Change firewall rule: 
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
D. Create virtual host config file: vim /etc/httpd/conf.d/vhost-www0.conf
Add following content
<VirtualHost *:80>
        ServerName www0.example.com
        DocumentRoot "/var/www/virtual"
        CustomLog "logs/www0_virtual_log" combined
        <Directory "/var/www/virtual">
                Require all granted               
        </Directory>
</VirtualHost>
E. Create folder: mkdir -p /var/www/virtual
F. Download homepage: wget -O /var/www/virtual/index.html http://classroom.example.com/materials/www.html
G. Change SELinux context
semanage fcontext -a -t 'httpd_sys_content_t' '/var/www/virtual(/.*)?'
restorecon -vFR /var/www/virtual
H. Verify selinux: ls -ldZ /var/www/virtual
I. Create user: useradd floyd
J. Set file privilege: setfacl -m user:floyd:rwx /var/www/virtual/
K. Restart service: systemctl restart httpd

16. Add Access Control on Virtual Host on server0
A. Create folder: mkdir /var/www/virtual/private
B. Download homepage: wget -O /var/www/virtual/private/index.html http://classroom.example.com/materials/private.html
C. Change virtual host config file: vim /etc/httpd/conf.d/vhost-www0.conf
Change from
<VirtualHost *:80>
        ServerName www0.example.com
        DocumentRoot "/var/www/virtual"
        CustomLog "logs/www0_virtual_log" combined
        <Directory "/var/www/virtual">
                        Require all granted
        </Directory>
</VirtualHost>
to
<VirtualHost *:80>
        ServerName www0.example.com
        DocumentRoot "/var/www/virtual"
        CustomLog "logs/www0_virtual_log" combined
        <Directory "/var/www/virtual">
                        Require all granted
        </Directory>
        <Directory "/var/www/virtual/private"> 
                Require all denied
                Require local
        </Directory>
</VirtualHost>
D. Restart httpd: systemctl restart httpd
E. Use IE to visit the link http://www0.example.com/private

17. Dynamic Web Context
A. Install package: yum install mod_wsgi 
B. Create folder: mkdir -p /var/www/webapp
C. Download material: wget -O /var/www/webapp/webinfo.wsgi http://classroom.example.com/materials/webinfo.wsgi
D. Set selinux:
i. semanage fcontext -a -t 'httpd_sys_content_t' '/var/www/webapp(/.*)?'
ii. semanage port -a -t 'http_port_t' -p tcp 8908
iii. restorecon -vFR /var/www/webapp
E. Create virtual host config file: vim /etc/httpd/conf.d/vhost-webapp0.conf
Add following content
Listen 8908
<VirtualHost *:8908>
        ServerName webapp0.example.com
        DocumentRoot "/var/www/webapp"
        CustomLog "logs/webapp0_vhost_log" combined
        <Directory "/var/www/webapp">
                        Require all granted
        </Directory>
        
        WSGIScriptAlias / /var/www/webapp/webinfo.wsgi
        
</VirtualHost>
F. Restart service: systemctl restart httpd
G. Change Firewall Rule: 
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 port port=8908 protocol=tcp accept'
firewall-cmd --reload
H. Use IE to visit the html

18. Create Script
A. Create script with following content: vim /root/foo.sh
#!/bin/bash

# Print the opposite keyword, or a usage message for any other argument
case "$1" in
        redhat)
                echo "fedora"
                ;;
        fedora)
                echo "redhat"
                ;;
        *)
                echo "/root/foo.sh redhat|fedora"
                ;;
esac
B. Change privilege: chmod 755 /root/foo.sh

19. Create Script
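A. Create script with following content: vim /root/batchusers
#!/bin/bash

# Create one account (login shell /bin/false) per line of the given user file
if [ $# -eq 1 ]; then
        if [ -f "$1" ]; then
                # -r keeps backslashes literal; the quotes prevent word splitting
                while read -r username; do
                    useradd -s /bin/false "$username" &>/dev/null
                done < "$1"
        else
                echo "Input file not found"
                exit 1
        fi
else
        echo "Usage: /root/batchusers userfile"
        exit 2
fi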
B. Change privilege: chmod 755 /root/batchusers
C. Download file: wget -O /root/userlist http://classroom.example.com/materials/userlist
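
Added example (not part of the original course notes): a dry run for the batchusers script that validates every line of the user list before anything reaches useradd, since the list is downloaded and each line becomes a command argument. The functions valid_username and plan_batch, the name rule and the sample list are assumptions of this example; it prints the commands instead of running them.

```bash
#!/bin/sh
# Added example: validate user-list lines before passing them to useradd.
LC_ALL=C; export LC_ALL   # make the a-z ranges below ASCII-only

# Assumed rule: starts with a lowercase letter or underscore, then lowercase
# letters, digits, underscores or hyphens, at most 32 characters.
valid_username() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    case $name in
        [!a-z_]*)      return 1 ;;   # leading '-', digit, uppercase, ...
        *[!a-z0-9_-]*) return 1 ;;   # spaces, colons, slashes, ...
    esac
    return 0
}

# Print the useradd command for each accepted line and report rejected
# lines on stderr. Returns 1 if any line was rejected.
plan_batch() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if valid_username "$line"; then
            printf 'useradd -s /bin/false %s\n' "$line"
        else
            printf 'REJECT: %s\n' "$line" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# Constructed sample list with two lines that must not reach useradd
sample=$(mktemp)
printf '%s\n' 'alice' '-badname' 'two words' 'bob_2' > "$sample"
plan_batch "$sample" || echo "some lines were rejected" >&2
rm -f "$sample"
```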

20. Config iSCSI Service on server0
A. Install package: yum install targetcli
B. Start Service:
systemctl enable target
systemctl start target
C. Change firewall rule: 
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload
D. Create disk: fdisk /dev/sdb --> p --> n --> p --> enter --> +4G --> t --> 8e --> p --> w
E. Check disk: ll /dev/sdb*
F. Create pv: pvcreate /dev/sdb1
G. Create vg: vgcreate iSCSI_vg /dev/sdb1
H. Create lv: lvcreate -n iscsi_store -L 3G iSCSI_vg
I. Create iSCSI: run targetcli, then enter the following commands in order
i. cd /iscsi
ii. create iqn.2014-11.com.example:server0
iii. iqn.2014-11.com.example:server0/tpg1/portals create 172.25.0.11 3260
iv. cd /
v. backstores/block create name=server0.iscsi_store dev=/dev/iSCSI_vg/iscsi_store
vi. iscsi/iqn.2014-11.com.example:server0/tpg1/luns create /backstores/block/server0.iscsi_store
vii. iscsi/iqn.2014-11.com.example:server0/tpg1/acls create iqn.2014-11.com.example:desktop0
viii. iscsi/iqn.2014-11.com.example:server0/tpg1/ set attribute authentication=0
ix. iscsi/iqn.2014-11.com.example:server0/tpg1/ set attribute generate_node_acls=0
x. saveconfig
xi. exit
J. Verify setting: targetcli --> ls

21. Config iSCSI client on desktop0
A. Install package: yum install iscsi-initiator-utils
B. Change config file: vim /etc/iscsi/initiatorname.iscsi
Clear the file and add the following content:
InitiatorName=iqn.2014-11.com.example:desktop0
C. Start service
systemctl enable iscsi
systemctl start iscsi
D. Find iscsi disk
i. iscsiadm -m discovery -t st -p 172.25.0.11
ii. iscsiadm -m node -l
E. Check iscsi disk: lsblk
F. Create partition: fdisk /dev/sdc --> p --> n --> p --> enter --> enter --> +2100M --> p --> w
G. Format the disk: mkfs.ext4 /dev/sdc1
H. Check uuid: blkid
I. Create folder: mkdir /mnt/data
J. Change fstab: vim /etc/fstab
Add following content:
<UUID> /mnt/data ext4 defaults,_netdev 0 0
K. Check: mount -a

22. MariaDB Config
A. Install Package: yum groupinstall mariadb mariadb-client
B. Start service
systemctl enable mariadb
systemctl start mariadb
C. Run secure script: mysql_secure_installation
i. Set password for root
ii. Disable remote login
E. Log in to database: mysql -u root -p (enter the password at the prompt)
F. Create database: create database legacy;
G. Go into database: use legacy;
H. Recover database: source /root/mariadb.dump
I. Check database: show tables;
J. Create accounts
i. grant select on legacy.* to mary@'localhost' identified by 'mary_password';
ii. grant select,insert,update,delete on legacy.* to legacy@'localhost' identified by 'legacy_password';
iii. grant select on legacy.* to report@'localhost' identified by 'report_password';
iv. flush privileges;

23. MariaDB query
A. Log in to mysql: mysql -u root -p (enter the password at the prompt)
B. Select db: use legacy;
C. Query: 
select sum(stock)
from product, category
where product.id_category=category.id
and category.name='Server';

Comments

  1. Hej

    Thank you for this helpful info. But are these the original tasks from the exam, or only to use for preparation?
    thx
    greets uwe

  2. I learned the course from http://edu.51cto.com/course/course_id-3053.html
    The blog is my course notes. I am not sure whether it really comes from the exam since I never took it.

  3. Very useful information, thank you, but how can I get the lab setup environment?

  4. The lab setup environment download links are showing as password protected; I am not able to download.

    1. If you want the lab environment, you need to purchase it. The blog is my notes from when I learned the course.