Ben Stienstra

Linux, Unix, network, radio and more...


RHCE7 EX300 objectives (20160323)

1 System configuration and management

  • Start with two systems, each having at least two network interfaces.
  • Bonding is not supported with cross cables, or direct links. If an interface is administratively disabled in such a configuration, the PHY may still maintain electrical connectivity to the peer and failover will not work as expected, leading to a lack of bond communication.

Teaming is new in RHEL 7.

  • First, install the team daemon, if it has not been installed yet:
    yum install teamd
  • Create a new team interface:
    nmcli connection add type team con-name team0
  • Add interfaces to the team:
    nmcli con add type team-slave ifname enp2s0 master team0
    nmcli con add type team-slave ifname enp3s0 master team0
  • Bring interfaces up (first the ports, then master):
    nmcli c up team-slave-enp2s0
    nmcli c up team-slave-enp3s0
    nmcli c up team0
  • Team status:
    teamdctl nm-team state
      runner: roundrobin
        link watches:
          link summary: up
            name: ethtool
            link: up
            down count: 0
        link watches:
          link summary: up
            name: ethtool
            link: up
            down count: 0
  • Team port status:
    teamnl nm-team ports
     4: enp3s0: up 1000Mbit FD 
     3: enp2s0: up 1000Mbit FD
  • Modify the runner type:
    nmcli con mod team0 team.config '{ "runner": {"name": "loadbalance"}}'

The following runners are available:

  • broadcast (data is transmitted over all ports)
  • round-robin (data is transmitted over all ports in turn)
  • active-backup (one port or link is used while others are kept as a backup)
  • loadbalance (with active Tx load balancing and BPF-based Tx port selectors)
  • lacp (implements the 802.3ad Link Aggregation Control Protocol)

In addition, the following link-watchers are available:

  • ethtool (Libteam lib uses ethtool to watch for link state changes). This is the default if no other link-watcher is specified in the configuration file.
  • arp_ping (The arp_ping utility is used to monitor the presence of a far-end hardware address using ARP packets.)
  • nsna_ping (Neighbor Advertisements and Neighbor Solicitation from the IPv6 Neighbor Discovery protocol are used to monitor the presence of a neighbor's interface)

There are no restrictions in the code to prevent a particular link-watcher from being used with a particular runner, however when using the lacp runner, ethtool is the only recommended link-watcher.

  • Create a bond:
    nmcli con add type bond con-name bond0 ifname bond0 mode active-backup
  • Add slaves:
    nmcli con add type bond-slave ifname enp2s0 master bond0
    nmcli con add type bond-slave ifname enp3s0 master bond0
  • Bring up slaves and then the bond0 interface:
    nmcli con up bond-slave-enp2s0
    nmcli con up bond-slave-enp3s0
    nmcli con up bond0
  • Change bond options (miimon is the MII link monitoring interval in milliseconds):
    nmcli con mod bond0 +bond.options miimon=100
    nmcli con mod bond0 +bond.options mode=802.3ad
  • Show bond statistics:
    cat /proc/net/bonding/bond0
    Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
    Bonding Mode: load balancing (round-robin)
    MII Status: up
    MII Polling Interval (ms): 100
    Up Delay (ms): 0
    Down Delay (ms): 0
    Slave Interface: enp2s0
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 1
    Permanent HW addr: 00:0d:b9:33:90:75
    Slave queue ID: 0
    Slave Interface: enp3s0
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 1
    Permanent HW addr: 00:0d:b9:33:90:76
    Slave queue ID: 0
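As an added example (not part of the original notes), a shell check that parses the /proc/net/bonding/<bond> report shown above and flags slaves that have lost link; the bond keeps forwarding on one live slave, so the only sign that redundancy is gone is this report. The sample report is constructed in the page's format with one slave deliberately down.

```shell
#!/bin/bash
# Added example: parse a bonding status report (the layout of
# /proc/net/bonding/<bond> shown above is assumed) and report slave health.

# Constructed sample in the page's format; enp3s0 is deliberately down.
SAMPLE_BOND=$(cat <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: enp2s0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: enp2s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:0d:b9:33:90:75
Slave queue ID: 0

Slave Interface: enp3s0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:0d:b9:33:90:76
Slave queue ID: 0
EOF
)

# bond_report: read a bonding report on stdin and print one line per slave:
#   <iface> <mii status> <link failure count>
# Lines before the first "Slave Interface:" describe the bond itself and are skipped.
bond_report() {
    awk -F': ' '
        /^Slave Interface:/ { slave = $2; next }
        slave != "" && /^MII Status:/ { status[slave] = $2 }
        slave != "" && /^Link Failure Count:/ { fails[slave] = $2; order[++n] = slave }
        END { for (i = 1; i <= n; i++) print order[i], status[order[i]], fails[order[i]] }
    '
}

# bond_down_slaves: names of slaves whose MII status is anything but "up".
bond_down_slaves() {
    bond_report | awk '$2 != "up" { print $1 }'
}

# bond_healthy: succeed only if every slave is up, i.e. the bond still has redundancy.
bond_healthy() {
    [ -z "$(bond_down_slaves)" ]
}

# On a live system: bond_healthy < /proc/net/bonding/bond0 || echo "bond0 lost redundancy"
```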

1.2 Configure IPv6 addresses and perform basic IPv6 troubleshooting

  • Add static IPv6 address:
    nmcli c edit enp1s0
    nmcli> set ipv6.addresses 2001:470:xxxx:xxxx::10/64
    nmcli> set ipv6.gateway 2001:470:xxxx:xxxx::1
    nmcli> save
    nmcli> quit
    nmcli c up enp1s0
  • Troubleshoot with:
    • Ping: ping6
    • Traceroute: traceroute6
    • Resolve hostnames: host -t AAAA <ipv6 hostname>
    • Show routes: ip -6 r
    • Show neighbours: ip neigh
    • Portscan: nmap -6 <ipv6 address>
    • Show firewall rules: ip6tables -nvL
    • Telnet test, Star Wars: telnet
    • Telnet test, BOFH excuse server: telnet 666

1.3 Route IP traffic and create static routes

  • Show routes: ip r (short for ip route show)
  • Add static route: nmcli con edit <connection> → set ipv4.routes
  • Remove static route: nmcli con edit <connection> → remove ipv4.routes
  • nmcli saves the configuration in /etc/sysconfig/network-scripts/. You can also disable NetworkManager and write the ifcfg and route files yourself.

1.4 Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)

  • List current active zones: firewall-cmd --get-active-zones
  • List default zone: firewall-cmd --get-default-zone
  • List all information in zone: firewall-cmd --zone public --list-all
  • To make rules permanent, add: --permanent
  • Reload after using --permanent: firewall-cmd --reload
  • Open port: firewall-cmd --permanent --zone internal --add-service ssh
  • Instead of opening a port/service, remove a service with: --remove-service
  • Add a source to zone: firewall-cmd --permanent --zone internal --add-source
  • Instead of adding a source, remove it with: --remove-source
  • Add new service XML files to /etc/firewalld/services/, find examples in: /usr/lib/firewalld/services/.
  • Add masquerading: firewall-cmd --permanent --zone=external --add-masquerade
  • Port forwarding (check if forwarding is enabled in kernel): firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=2222
  • Direct rule example: firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5001 -j ACCEPT
  • List all direct rules: firewall-cmd --direct --get-all-rules

1.5 Use /proc/sys and sysctl to modify and set kernel runtime parameters

  • Change a variable temporarily: echo 1 >/proc/sys/net/ipv4/ip_forward (or sysctl -w net.ipv4.ip_forward=1)
  • Make it permanent: edit /etc/sysctl.d/<name>.conf and load it with sysctl -p /etc/sysctl.d/<name>.conf (sysctl -p without a file only reads /etc/sysctl.conf; sysctl --system loads all of them).
  • Read all variables with sysctl: sysctl -a
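The two ways of setting a parameter above can silently disagree: a value written to /proc/sys but never persisted is lost at reboot, and a value persisted but never loaded is not in effect. As an added example (not from the original notes), this shell function compares a sysctl.d-style file with the running kernel; the /proc/sys root is a parameter (an assumption made here) so it can be exercised against a constructed tree.

```shell
#!/bin/bash
# Added example: detect drift between a persisted sysctl file and /proc/sys.

# normalize: collapse and trim whitespace so "32768   60999" equals "32768 60999".
normalize() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//'
}

# sysctl_drift CONF [PROCROOT]
#   Prints one line per mismatch: "<key> persisted=<file value> running=<kernel value>"
#   (running=missing when the kernel does not expose the key). Prints nothing when
#   the file and the running kernel agree. PROCROOT defaults to the real /proc/sys.
sysctl_drift() {
    conf=$1
    procroot=${2:-/proc/sys}
    # Drop comments (# or ;) and blank lines, then split each "key = value" line.
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key want; do
        key=$(normalize "$key")
        want=$(normalize "$want")
        # sysctl accepts net.ipv4.ip_forward and net/ipv4/ip_forward alike.
        path="$procroot/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf '%s persisted=%s running=missing\n' "$key" "$want"
        else
            have=$(normalize "$(cat "$path")")
            [ "$have" = "$want" ] || printf '%s persisted=%s running=%s\n' "$key" "$want" "$have"
        fi
    done
}

# sysctl_consistent CONF [PROCROOT]: succeed only when there is no drift.
sysctl_consistent() {
    [ -z "$(sysctl_drift "$1" "$2")" ]
}

# On a live system: sysctl_drift /etc/sysctl.d/99-local.conf
```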

1.6 Configure a system to authenticate using Kerberos

  • Install the required packages:
    yum -y install krb5-workstation pam_krb5
  • Edit the /etc/krb5.conf file:
    • Uncomment all lines.
    • Replace all example domain names and realms.
    • Change example kdc and admin_server.
  • Add principals on KDC:
    kadmin -p root/admin
    kadmin:  addprinc -randkey host/
    kadmin:  addprinc -randkey host/
    kadmin:  addprinc -randkey host/
    kadmin:  ktadd host/
    kadmin:  ktadd host/
    kadmin:  ktadd host/
  • Retrieve ticket:
    kinit benst

1.7 Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target


  • Configure system as client (initiator), install the required packages:
     yum install iscsi-initiator-utils
  • Edit /etc/iscsi/initiatorname.iscsi and set the InitiatorName. For example:
  • Edit /etc/iscsi/iscsid.conf and change username and password:
    node.session.auth.authmethod = CHAP
    node.session.auth.username = <username>
    node.session.auth.password = <password>
  • Start the iSCSI service:
    systemctl start iscsi
  • Discover targets:
    iscsiadm --mode discovery --type sendtargets --portal
  • Log in on target:
    iscsiadm --mode node --targetname --portal --login
  • You now have access to the block device:
    lsblk --scsi
    NAME HCTL       TYPE VENDOR   MODEL             REV TRAN
    sda  1:0:0:0    disk ATA      KINGSTON SMS200S BBF0 sata
    sdc  7:0:0:0    disk SYNOLOGY IBLOCK           4.0  iscsi
  • You can now create a file system (or use LVM first) and mount it at boot.
    • Create file system and mount at boot:
      mkfs.xfs /dev/sdc
      mkdir /data
      mount /dev/sdc /data
      echo "UUID=`blkid -s UUID -o value /dev/sdc` /data xfs _netdev 0 0" >>/etc/fstab
      umount /data
      mount -a
      # test reboot
  • Show nodes:
    iscsiadm -m discoverydb -P1
  • If you need to delete a node:
    iscsiadm -m node -p --op=delete
  • If you have the problem that systemd unmounts a new volume after altering /etc/fstab, run systemctl daemon-reload.


  • Install targetcli:
    yum install -y targetcli
  • Enable service (start at boot):
    systemctl enable target
  • Create file backed store:
    /> backstores/fileio/ create shareddata /opt/iscsi.img 1G
    Created fileio shareddata with size 1073741824
    /> iscsi/ create
    Created target
    Created TPG 1.
    Global pref auto_add_default_portal=true
    Created default portal listening on all IPs (, port 3260.
  • You can cd into that directory and create a portal if it has not been created yet:
    /> cd iscsi/
    /> portals/ create
  • Create a LUN:
    /iscsi/iqn.20...laire:target1> luns/ create /backstores/fileio/shareddata
  • Create ACL:
    acls/ create
  • Set password:
    /iscsi/iqn.20...ample:t1/tpg1> cd acls/
    /iscsi/iqn.20...xample:client> set auth userid=username
    Parameter userid is now 'username'.
    /iscsi/iqn.20...xample:client> set auth password=pwd
  • Config is saved in /etc/target/saveconfig.json
  • Open firewall port:
    firewall-cmd --permanent --add-port=3260/tcp
    firewall-cmd --reload

1.8 Produce and deliver reports on system utilization (processor, memory, disk, and network)

  • top, sar, vmstat, iostat, tcpdump…

1.9 Use shell scripting to automate system maintenance tasks

  • bash scripting…

2 Network services

2.1 Install the packages needed to provide the service

  • yum, rpm

2.2 Configure SELinux to support the service

  • ls -lZ
  • restorecon
  • semanage
  • auditd

2.3 Use SELinux port labeling to allow services to use non-standard ports

  • Install tools:
    yum install policycoreutils-python
  • List ports:
    semanage port -l | grep ssh
  • Add a port label (use -m instead of -a to modify a port that already has a label):
    semanage port -a -t ssh_port_t -p tcp 4321

2.4 Configure the service to start when the system is booted

  • Enable a service to start at boot:
    systemctl enable <servicename>

2.5 Configure the service for basic operation

  • systemctl start
    systemctl stop
    systemctl restart
    systemctl enable
    systemctl reenable
    systemctl status
  • Add custom services in: /etc/systemd/system.

2.6 Configure host-based and user-based security for the service

  • ?


2.7 Configure a virtual host

  • Install httpd:
    yum install httpd
  • Enable service:
    systemctl enable httpd
  • Create a directory for the virtual host files:
    mkdir /var/www/html/virta
  • Create a index.html:
    echo "
    <head><title>virta virtual host</title></head>
    This is virtual host -virta-
    " > /var/www/html/virta/index.html
  • Restore SELinux labels if needed:
    restorecon -Rv /var/www/html/
  • Create the virtual host config in /etc/httpd/conf.d/1-virta.conf (files in conf.d are read in alphabetical order). You can find an example in /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf:
    <VirtualHost *:80>
        ServerName virta
        DocumentRoot "/var/www/html/virta/"
        ErrorLog "/var/log/httpd/virta-error_log"
        CustomLog "/var/log/httpd/virta-access_log" common
    </VirtualHost>
  • You can add the virta hostname in DNS, or for this test in the /etc/hosts file.
  • Test config:
    apachectl configtest
  • Start httpd:
    systemctl start httpd
  • Open firewall port:
    firewall-cmd --permanent --zone public --add-service http
    firewall-cmd --reload
  • Show all running virtual hosts:
    httpd -D DUMP_VHOSTS
  • Test with elinks on local host.

2.8 Configure private directories

  • Create a private directory:
    mkdir /var/www/html/virta/private
  • Create a test file:
    echo "This is private" >/var/www/html/virta/private/index.html
  • Add the config below for host based authentication:
    <Directory "/var/www/html/virta/private">
        AllowOverride None
        Options None
        Require host localhost
    </Directory>
  • For user based authentication, create the following config:
    <Directory "/var/www/html/virta/private/">
        AuthType Basic
        AuthName "Password protected"
        AuthUserFile /etc/httpd/conf/passwd
        Require user testuser
    </Directory>
  • Save the user and password:
    htpasswd -c /etc/httpd/conf/passwd testuser
  • Modify rights:
    chmod 600 /etc/httpd/conf/passwd
    chown apache:apache /etc/httpd/conf/passwd

2.9 Deploy a basic CGI application

  • Simple method is to put an executable perl script in: /var/www/cgi-bin.
  • Or create a bash script and configure the vhost (a ScriptAlias or Alias is still needed to map a URL to the directory):
    <Directory "/usr/local/cgi-bin/">
        Options +ExecCGI
        AddHandler cgi-script .cgi
    </Directory>
  • Bash script (CGI requires an empty line between the headers and the body):
    #!/bin/bash
    echo "Content-type: text/html"
    echo ""
    echo "Testing CGI scripts..."

2.10 Configure group-managed content

  • Configure the directory directive:
    AuthType Basic
    AuthName "Group test"
    AuthGroupFile /etc/httpd/conf/group
    AuthUserFile /etc/httpd/conf/passwd
    Require group usergroup
  • Create the group file /etc/httpd/conf/group:
    usergroup: user1 user2
  • Create the password file /etc/httpd/conf/passwd:
    htpasswd -c /etc/httpd/conf/passwd user1
    htpasswd /etc/httpd/conf/passwd user2

2.11 Configure TLS security

  • Have the httpd server running.
  • Install the required packages (haveged for speeding up key generation):
    yum install crypto-utils mod_ssl lynx haveged
  • Start and enable haveged:
    systemctl start haveged
    systemctl enable haveged
  • Run genkey (use --test to omit the slow process of generating random data):
    genkey server.domain.tld
  • Edit: /etc/httpd/conf.d/ssl.conf:
    SSLCertificateFile /etc/pki/tls/certs/
    SSLCertificateKeyFile /etc/pki/tls/private/
  • Create a new virtual host for HTTPS, see example in ssl.conf.
  • Check config and restart Apache:
    apachectl configtest
    systemctl restart httpd
  • Open firewall https port 443.
  • Test with lynx.


2.12 Configure a caching-only name server

  • Install unbound:
    yum install unbound
  • Configure unbound, edit /etc/unbound/unbound.conf:
            interface: ::0
            do-ip4: yes
            do-ip6: yes
            do-udp: yes
            use-syslog: yes
            hide-identity: yes
            hide-version: yes
            #val-permissive-mode: yes # Might be needed if upstream doesn't support DNSSEC
            access-control: allow
            access-control: ::0/0 allow
            domain-insecure: "your-domain.tld"
  • Create a forward zone (for all zones) in /etc/unbound/conf.d/forward.conf; replace the placeholder with your upstream resolver:
            forward-zone:
                name: "."
                forward-addr: <upstream resolver IP>
  • Check config: unbound-checkconf /etc/unbound/unbound.conf.
  • Enable and start the service:
    systemctl start unbound.service
    systemctl enable unbound.service
  • Open firewall ports (53 udp).

2.13 Troubleshoot DNS client issues

  • Use the host or dig command. Check journalctl.


2.14 Provide network shares to specific clients

  • Install packages:
    yum groupinstall file-server
  • Open firewall:
    firewall-cmd --permanent --add-service=nfs
    firewall-cmd --reload
  • Start services and configure to start at boot:
    systemctl enable rpcbind nfs-server
    systemctl start rpcbind nfs-server
  • Create shared directory:
    mkdir -p /home/share1
    chmod 0777 /home/share1
    mkdir -p /home/share2
    chmod 0777 /home/share2
  • Set SELinux contexts:
    semanage fcontext -a -t public_content_rw_t "/home/share1(/.*)?"
    semanage fcontext -a -t public_content_rw_t "/home/share2(/.*)?"
    restorecon -Rv /home/share1
    restorecon -Rv /home/share2
  • Create shares, edit /etc/exports:
    /home/share1 test1.yourdomain.tld(rw,no_root_squash)
    /home/share2 test2.yourdomain.tld(rw,no_root_squash)
  • Export the filesystems:
    exportfs -avr
    # systemctl restart nfs-server
  • For showmount to work, open firewall for additional ports:
    firewall-cmd --add-service=mountd --permanent
    firewall-cmd --add-service=rpc-bind --permanent
    firewall-cmd --reload
  • Configure the client:
    yum install nfs-utils
    showmount -e nfs.yourdomain.tld
    mount -t nfs nfs.yourdomain.tld:/home/share1 /mnt

2.15 Provide network shares suitable for group collaboration

  • Create an NFS server.
  • Create a shared directory.
  • Create a group.
  • Assign group to shared directory.
  • Set permissions to directory.
    chmod 0770 /home/Shared # no sticky or setgid bit.
    All group users can add to and delete from the folder and can read but not write each other's files.
    chmod 1770 /home/Shared # sticky bit
    Same as above but only the owner of the file can delete it.
    chmod 2770 /home/Shared # setgid bit
    All group users can add to and delete from the folder and can read and write each other's files.
    chmod 3770 /home/Shared # sticky and setgid bit
    As above, except only the owner of the file can delete it
  • Create /etc/exports.
    /shared client(rw,no_root_squash)
  • Export the directory:
    exportfs -avr
    systemctl restart nfs-server

2.16 Use Kerberos to control access to NFS network shares

  • Configure working NTP (ntpd or chrony) and DNS.
  • Install Kerberos KDC:
    yum install krb5-server krb5-workstation pam_krb5
    yum install haveged (for entropy)
    systemctl start haveged
    systemctl enable haveged
    vi /var/kerberos/krb5kdc/kdc.conf  # replace EXAMPLE.COM with your own realm
                                       # uncomment master_key_type = aes256-cts line
                                       # and paste the following line in the [realms] stanza:
                                       # default_principal_flags = +preauth
    vi /etc/krb5.conf                  # uncomment all the lines, replace EXAMPLE.COM with your own realm
                                       # with your own domain name, and
                                       # with your own KDC server name (here
    vi /var/kerberos/krb5kdc/kadm5.acl # replace EXAMPLE.COM with your own realm.
    # Create Kerberos database
    kdb5_util create -s -r YOURDOMAIN.TLD
    # Start and activate Kerberos
    systemctl start krb5kdc kadmin
    systemctl enable krb5kdc kadmin
    # Add users
    useradd test1
    useradd test2
    # Start Kerberos admin
    kadmin.local
    # Create admin principal
    kadmin.local:   addprinc root/admin
    # Create user principals
    kadmin.local:   addprinc test1
    kadmin.local:   addprinc test2
    # Add KDC hostname
    kadmin.local:   addprinc -randkey host/kbserver.yourdomain.tld
    # Create local copy /etc/krb5.keytab file:
    kadmin.local:  ktadd host/kbserver.yourdomain.tld
    kadmin.local:  quit
    # Open firewall
    firewall-cmd --permanent --zone public --add-service kerberos
    firewall-cmd --reload
    # Test
    su - test1
  • Setup an NFS server:
    yum groupinstall file-server
    firewall-cmd --permanent --add-service=nfs
    firewall-cmd --permanent --add-service=mountd 
    firewall-cmd --permanent --add-service=rpc-bind
    firewall-cmd --reload
    # Activate and start NFS server
    systemctl enable rpcbind nfs-server
    systemctl start rpcbind nfs-server
    # Create a shared directory
    mkdir -p /home/share
    chmod 0777 /home/share
    yum install policycoreutils-python # provides the semanage command
    semanage fcontext -a -t public_content_rw_t "/home/share(/.*)?"
    restorecon -Rv /home/share
    echo "/home/share nfsclient.yourdomain.tld(rw,no_root_squash)" >> /etc/exports
    exportfs -avr
    showmount -e localhost
  • Configure the NFS client:
    yum install nfs-utils
    showmount -e nfsserver.yourdomain.tld
    mount -t nfs nfsserver.yourdomain.tld:/home/share /mnt
  • Configure the NFS server and NFS client as Kerberos clients.
    # Install on both NFS server and client:
    yum install krb5-workstation pam_krb5
    # Copy the /etc/krb5.conf file from the KDC server to NFS client and server.
    # Add the principals (on the KDC)
    kadmin:  addprinc -randkey nfs/nfsserver.yourdomain.tld
    kadmin:  addprinc -randkey nfs/nfsclient.yourdomain.tld
    kadmin:  ktadd nfs/nfsserver.yourdomain.tld
    kadmin:  ktadd nfs/nfsclient.yourdomain.tld
    kadmin:  quit
    # Add sec=krb5 to exports on NFS server
    /home/share nfsclient.yourdomain.tld(rw,no_root_squash,sec=krb5)
    # Activate and start NFS on the server (RHEL 7.0 only)
    systemctl enable nfs-secure-server && systemctl start nfs-secure-server
    # Copy /etc/krb5.keytab from KDC to client.
    # Activate and start NFS on the client: 
    # RHEL 7.0
    # systemctl enable nfs-secure && systemctl start nfs-secure
    # RHEL >= 7.1
    # systemctl enable && systemctl start
    # Mount the remote directory:
    mount -t nfs4 -o sec=krb5 nfsserver.yourdomain.tld:/home/share /mnt


2.17 Provide network shares to specific clients

  • Install packages:
    yum groupinstall "File and Print Server"
  • Create directory:
    mkdir /opt/smbdata
  • Set rights:
    chown testuser.users /opt/smbdata
    chmod 775 /opt/smbdata
  • Set SELinux context:
    semanage fcontext -a -t samba_share_t "/opt/smbdata(/.*)?"
    restorecon -Rv /opt/smbdata
  • Edit /etc/samba/smb.conf
    • Change workgroup.
    • Add share:
              [data]
              comment = Data
              path = /opt/smbdata
              browseable = yes
              writeable = yes
              hosts allow = 10.1.2.
              valid users = testuser
  • Test config with: testparm.
  • Enable and start smb, nmb and winbind.
  • Create user:
    useradd -s /sbin/nologin testuser
    smbpasswd -a testuser
  • Open firewall for CIFS (samba) traffic.
  • Test:
    smbclient //localhost/data -U testuser
  • On the client install the required packages:
    yum install cifs-utils samba-client
  • Test connection:
    smbclient -L <server> -U <username>
    smbclient //server/data -U <username>

2.18 Provide network shares suitable for group collaboration

  • Without using Kerberos, you could use a multiuser mount. You can then use cifscreds to log in to a multiuser mount.
  • Create a credentials file /root/smb-creds (mount.cifs format, one key per line):
    username=<username>
    password=<password>
  • Test with:
    mount -t cifs -o multiuser,credentials=/root/smb-creds //test6/data /mnt
  • Switch to another user and run cifscreds add <server> to supply that user's credentials.
  • Test if you can r/w files.
  • Mount in fstab:
    //test6/data /mnt cifs multiuser,credentials=/root/smb-creds 0 0


2.19 Configure a system to forward all email to a central mail server

  • Edit the postfix configuration in /etc/postfix/ (the relayhost setting points at the central mail server) and restart postfix.
  • Check options with man 5 postconf.


2.20 Configure key-based authentication

2.21 Configure additional options described in documentation


2.22 Synchronize time using other NTP peers

3 Database services

3.1 Install and configure MariaDB

3.2 Backup and restore a database

3.3 Create a simple database schema

3.4 Perform simple SQL queries against a database

rhce7_objectives.txt · Last modified: 2016/05/17 13:44 by admin