{{tag>[rhel7 certification]}}
=====RHCE7 EX300 objectives (20160323)=====
Some notes on the EX300 exam.
* Source: [[https://www.redhat.com/en/services/training/ex300-red-hat-certified-engineer-rhce-exam]]
==== - System configuration and management====
=== - Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems===
* Start with two systems, each having at least two network interfaces.
* [[https://access.redhat.com/solutions/202583|Bonding is not supported with cross cables or direct links]]. If an interface is administratively disabled in such a setup, the PHY may still keep electrical link with the peer, so the link watcher never sees the port go down, failover does not happen and the bond stops passing traffic. Test failover with a switch between the two systems.
==Teaming==
Teaming is new in RHEL 7.
* First, install the team daemon if it is not installed yet:<code>yum install teamd</code>
* Create a new team interface (without ''ifname'' NetworkManager names the device ''nm-team'', which is the name used by ''teamdctl'' and ''teamnl'' below):<code>nmcli connection add type team con-name team0</code>
* Add interfaces (ports) to the team:<code>nmcli con add type team-slave ifname enp2s0 master team0
nmcli con add type team-slave ifname enp3s0 master team0</code>
* Bring the interfaces up (first the ports, then the master):<code>nmcli c up team-slave-enp2s0
nmcli c up team-slave-enp3s0
nmcli c up team0</code>
* Team status; every port should show ''link: up'' and a ''down count'' that stays at 0 while the links are stable:<code>teamdctl nm-team state
setup:
  runner: roundrobin
ports:
  enp3s0
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  enp2s0
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0</code>
* Team port status:<code>teamnl nm-team ports
 4: enp3s0: up 1000Mbit FD
 3: enp2s0: up 1000Mbit FD</code>
* Modify the runner type (the config is JSON; re-activate the connection afterwards with ''nmcli c up team0''):<code>nmcli con mod team0 team.config '{ "runner": {"name": "loadbalance"}}'</code>
**Runners**
* **broadcast** (data is transmitted over all ports)
* **round-robin** (data is transmitted over all ports in turn)
* **active-backup** (one port or link is used while others are kept as a backup)
* **loadbalance** (with active Tx load balancing and BPF-based Tx port selectors)
* **lacp** (implements the 802.3ad Link Aggregation Control Protocol)
In addition, the following link-watchers are available:
* **ethtool** (Libteam lib uses ethtool to watch for link state changes). This is the default if no other link-watcher is specified in the configuration file.
* **arp_ping** (The arp_ping utility is used to monitor the presence of a far-end hardware address using ARP packets.)
* **nsna_ping** (Neighbor Advertisements and Neighbor Solicitation from the IPv6 Neighbor Discovery protocol are used to monitor the presence of a neighbor's interface)
There are no restrictions in the code to prevent a particular link-watcher from being used with a particular runner, however when using the lacp runner, ethtool is the only recommended link-watcher.
==Bonding==
* Create a bond:<code>nmcli con add type bond con-name bond0 ifname bond0 mode active-backup</code>
* Add the slaves:<code>nmcli con add type bond-slave ifname enp2s0 master bond0
nmcli con add type bond-slave ifname enp3s0 master bond0</code>
* Bring up the slaves and then the bond0 interface:<code>nmcli con up bond-slave-enp2s0
nmcli con up bond-slave-enp3s0
nmcli con up bond0</code>
* Change bond options. The link-monitoring interval option is ''miimon'' (milliseconds), not ''mii''. ''802.3ad'' only aggregates when the switch ports are configured for LACP. Re-activate the connection afterwards with ''nmcli con up bond0'':<code>nmcli con mod bond0 +bond.options miimon=100
nmcli con mod bond0 +bond.options mode=802.3ad</code>
* Show the bond status (example output from a round-robin bond). Check that the mode is the one you set and that every slave reports ''MII Status: up''; pull a cable to see ''Link Failure Count'' increase and, for active-backup, the active slave change:<code>cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: enp2s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:0d:b9:33:90:75
Slave queue ID: 0

Slave Interface: enp3s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:0d:b9:33:90:76
Slave queue ID: 0</code>
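Added example, not from the page: a health check that parses the ''/proc/net/bonding'' format shown above and reports every slave's MII state and link-failure count, so a monitoring job can alert when a slave is down or has flapped. The status text is constructed for the example (an active-backup bond with one slave down), not captured from a real host; on a live system feed the real file to the functions as the comments show.

```shell
#!/usr/bin/env bash
# Added example: parse the bonding status format of /proc/net/bonding/<bond>.
# SAMPLE_BOND is constructed for this example (an active-backup bond with one
# slave down); it is not output captured from a real host.
SAMPLE_BOND='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: enp2s0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: enp2s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0d:b9:33:90:75
Slave queue ID: 0

Slave Interface: enp3s0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:0d:b9:33:90:76
Slave queue ID: 0'

# bond_summary: read a bonding status file on stdin and print one line per
# slave: "<iface> <mii-status> <link-failure-count>". The first "MII Status"
# line belongs to the bond itself and is skipped because no slave is set yet.
bond_summary() {
    awk -F': ' '
        /^Slave Interface:/    { iface = $2; next }
        /^MII Status:/         { if (iface != "") status = $2; next }
        /^Link Failure Count:/ { if (iface != "") { print iface, status, $2; iface = "" } }
    '
}

# bond_degraded: succeed (exit 0) when at least one slave is not "up" or has a
# non-zero failure count; fail (exit 1) when every slave is clean.
bond_degraded() {
    bond_summary | awk '$2 != "up" || $3 > 0 { bad = 1 } END { exit bad ? 0 : 1 }'
}

# Stand-alone run on the constructed sample. On a real host use:
#   bond_summary  < /proc/net/bonding/bond0
#   bond_degraded < /proc/net/bonding/bond0 && logger -t bondcheck "bond0 degraded"
printf '%s\n' "$SAMPLE_BOND" | bond_summary
if printf '%s\n' "$SAMPLE_BOND" | bond_degraded; then
    echo "bond degraded: a slave is down or has recorded link failures"
fi
```

A failure count above zero on a slave that is currently up is still worth an alert: it means the link flapped since boot, which on a bond over a direct cable (see the Red Hat note above) may never show up as a down state at all.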
=== - Configure IPv6 addresses and perform basic IPv6 troubleshooting===
* Add a static IPv6 address and gateway with the nmcli editor, then re-activate the connection:<code>nmcli c edit enp1s0
nmcli> set ipv6.addresses 2001:470:xxxx:xxxx::10/64
nmcli> set ipv6.gateway 2001:470:xxxx:xxxx::1
nmcli> save
nmcli> quit
nmcli c up enp1s0</code>
* Troubleshoot with:
* Ping: ''ping6''
* Traceroute: ''traceroute6''
* Resolve hostnames: ''host -t AAAA ''
* Show routes: ''ip -6 r''
* Show neighbours: ''ip neigh''
* Portscan: ''nmap -6 ''
* Show firewall rules: ''ip6tables -nvL''
* Telnet test, Star Wars: ''telnet towel.blinkenlights.nl''
* Telnet test, BOFH excuse server: ''telnet towel.blinkenlights.nl 666''
=== - Route IP traffic and create static routes===
* Show routes: ''ip route'' (IPv6: ''ip -6 route'').
* Add a static route. The value is the destination network in CIDR form followed by the gateway, here the 10.20.30.0/24 network via 1.2.3.1; the gateway must be on a directly connected network:<code>nmcli con edit enp1s0
nmcli> set ipv4.routes 10.20.30.0/24 1.2.3.1
nmcli> save
nmcli> quit
nmcli c up enp1s0</code>
* Remove the static route again in the same editor with ''remove ipv4.routes 10.20.30.0/24 1.2.3.1'', then save and re-activate.
* nmcli saves the configuration in ''/etc/sysconfig/network-scripts'' (static routes end up in ''route-enp1s0''). You can also disable NetworkManager and write those files yourself. Check the result with ''ip route'' either way.
=== - Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)===
* List current active zones: ''firewall-cmd %%--%%get-active-zones''
* List default zone: ''firewall-cmd %%--%%get-default-zone''
* List all information in zone: ''firewall-cmd %%--%%zone public %%--%%list-all''
* To Make rules permanent, use: ''%%--%%permanent''
* Reload after using ''%%--%%permanent'': ''firewall-cmd %%--%%reload''
* Allow a service in a zone (this opens the ports listed in the service's XML file):<code>firewall-cmd --permanent --zone internal --add-service ssh</code>
* Remove it again with ''%%--%%remove-service''. A bare port instead of a service is opened with ''%%--%%add-port=<port>/<protocol>'' and closed with ''%%--%%remove-port''.
* Add a source to zone: ''firewall-cmd %%--%%permanent %%--%%zone internal %%--%%add-source 1.2.3.4/24''
* Instead of adding a source, remove it with: ''%%--%%remove-source''
* Add new service XML files to ''/etc/firewalld/services/'', find examples in: ''/usr/lib/firewalld/services/''.
* Add masquerading (source NAT for traffic leaving through the zone's interface; firewalld turns on IP forwarding itself when masquerading is enabled):<code>firewall-cmd --permanent --zone=external --add-masquerade</code>
* Port forwarding. This example redirects port 22 to 2222 on the same host; forwarding to another host needs ''toaddr='' and masquerading in the same zone. Verify forwarding in the kernel with ''sysctl net.ipv4.ip_forward'':<code>firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=2222</code>
* Direct rule example (raw iptables syntax, evaluated before the zone rules; use it only for what zones and rich rules cannot express):<code>firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5001 -j ACCEPT</code>
* List all direct rules: ''firewall-cmd %%--%%direct %%--%%get-all-rules''
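Added example, not from the page: a script that puts the pieces above together for a two-interface router, including the rich rules the exam objective asks for but the bullets above do not show. ssh from the LAN is accepted and logged at a limited rate, one misbehaving LAN host is dropped, and the external zone does masquerading plus a port forward to an internal host. The interface names, the 10.1.2.0/24 LAN, the 10.1.2.10 forward target and the 10.1.2.99 blocked host are placeholders. When it is not run as root, or ''firewall-cmd'' is missing, it only prints the commands it would run (''DRY_RUN=1'').

```shell
#!/usr/bin/env bash
# Added example: zone-based firewalld policy with rich rules, NAT and a port
# forward. All addresses and interface names are placeholders.
LAN_IF=enp2s0
WAN_IF=enp3s0
LAN_NET=10.1.2.0/24
BAD_HOST=10.1.2.99     # a LAN host we want to cut off completely
SSH_TARGET=10.1.2.10   # internal host reachable via WAN port 2222

# Run for real only as root with firewall-cmd present; otherwise print only.
if [ -z "${DRY_RUN:-}" ]; then
    if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        DRY_RUN=0
    else
        DRY_RUN=1
    fi
fi

# fw: wrapper so every invocation is visible (and testable) in dry-run mode.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

apply_policy() {
    # Bind the interfaces to zones; permanent so it survives --reload.
    fw --permanent --zone=internal --change-interface="$LAN_IF"
    fw --permanent --zone=external --change-interface="$WAN_IF"

    # Rich rules are evaluated log -> deny -> allow, so the drop for BAD_HOST
    # wins over the accept for the whole LAN. The log entry is rate limited
    # to 3 per minute so a scan cannot fill the journal.
    fw --permanent --zone=internal --add-rich-rule="rule family=\"ipv4\" source address=\"$BAD_HOST\" drop"
    fw --permanent --zone=internal --add-rich-rule="rule family=\"ipv4\" source address=\"$LAN_NET\" service name=\"ssh\" log prefix=\"ssh-in \" level=\"info\" limit value=\"3/m\" accept"

    # External zone: source NAT for the LAN (this also turns on IP forwarding)
    # and a DNAT of WAN port 2222 to ssh on an internal host. toaddr needs
    # masquerading in the same zone.
    fw --permanent --zone=external --add-masquerade
    fw --permanent --zone=external --add-forward-port="port=2222:proto=tcp:toport=22:toaddr=$SSH_TARGET"

    fw --reload
}

# verify_policy: show the runtime result of what was just loaded.
verify_policy() {
    fw --zone=internal --list-rich-rules
    fw --zone=external --list-forward-ports
    fw --zone=external --query-masquerade
}

apply_policy
verify_policy
```

Everything is written with ''%%--%%permanent'' and activated by a single ''%%--%%reload'', so a typo in one rule does not leave the runtime firewall half-configured; check the rich rules afterwards with ''firewall-cmd %%--%%zone=internal %%--%%list-rich-rules'' and look for the ''ssh-in'' prefix in ''journalctl -k'' when a LAN host connects.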
=== - Use /proc/sys and sysctl to modify and set kernel runtime parameters===
* Change a variable temporarily (lost at reboot): ''sysctl -w net.ipv4.ip_forward=1'' or ''echo 1 >/proc/sys/net/ipv4/ip_forward''
* Make it permanent in a file under ''/etc/sysctl.d/'' with a ''.conf'' suffix (one ''key = value'' per line). ''sysctl -p'' without a file name only reads ''/etc/sysctl.conf''; load all drop-in files with ''sysctl %%--%%system'', or a single one with ''sysctl -p <file>''.
* Read all variables with sysctl: ''sysctl -a''; check a single one with ''sysctl net.ipv4.ip_forward''.
=== - Configure a system to authenticate using Kerberos===
* Install the required packages:<code>yum -y install krb5-workstation pam_krb5</code>
* Edit the ''/etc/krb5.conf'' file:
* Uncomment all lines.
* Replace all example domain names and realms.
* Change the example ''kdc'' and ''admin_server'' entries.
* Alternatively let authconfig write ''/etc/krb5.conf'' and the PAM stack in one go; this is the step that actually makes logins authenticate against the KDC:<code>authconfig --enablekrb5 --krb5kdc=kbserver.example.com --krb5adminserver=kbserver.example.com --krb5realm=EXAMPLE.COM --update</code>
* Add a host principal per client and put its key in that client's ''/etc/krb5.keytab''. ''ktadd'' writes to the keytab of the machine ''kadmin'' runs on, so run it on the client itself (repeat on test2 and test3), or use ''ktadd -k <file>'' and copy the file with ''scp'' (mode 0600, owner root). Never collect several hosts' keys in one keytab: whoever reads it can impersonate all of them:<code>kadmin -p root/admin
kadmin: addprinc -randkey host/test1.example.com
kadmin: addprinc -randkey host/test2.example.com
kadmin: addprinc -randkey host/test3.example.com
kadmin: ktadd host/test1.example.com</code>
* Retrieve a ticket and check it with ''klist'' (it must show a ''krbtgt/EXAMPLE.COM@EXAMPLE.COM'' ticket):<code>kinit benst</code>
=== - Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target===
**Initiator**
* Configure the system as client (initiator), install the required packages:<code>yum install iscsi-initiator-utils</code>
* Edit ''/etc/iscsi/initiatorname.iscsi'' and set the InitiatorName; the target's ACL must list exactly this name:<code>InitiatorName=iqn.2016-04.nl.polaire:test4</code>
* Edit ''/etc/iscsi/iscsid.conf'' and set the CHAP user name and password the target expects. The file holds the password in clear text, so keep it root-only (mode 0600):<code>node.session.auth.authmethod = CHAP
node.session.auth.username =
node.session.auth.password =</code>
* Start the iSCSI service (enable it too, so the session is restored at boot):<code>systemctl start iscsi</code>
* Discover targets:<code>iscsiadm --mode discovery --type sendtargets --portal 1.2.3.4</code>
* Log in on the target:<code>iscsiadm --mode node --targetname iqn.2000-01.nl.polaire:rackstation.target-Test --portal 1.2.3.4 --login</code>
* You now have access to the block device (''TRAN'' shows ''iscsi''):<code>lsblk --scsi
NAME HCTL       TYPE VENDOR   MODEL            REV  TRAN
sda  1:0:0:0    disk ATA      KINGSTON SMS200S BBF0 sata
sdc  7:0:0:0    disk SYNOLOGY IBLOCK           4.0  iscsi</code>
* You can now create a file system (or use LVM first) and mount it at boot. Mount by UUID, not by ''/dev/sdX'' (the letter can change between boots), and use ''_netdev'' so systemd waits for the network and the iscsi service before mounting:<code>mkfs.xfs /dev/sdc
mkdir /data
mount /dev/sdc /data
echo "UUID=`blkid -s UUID -o value /dev/sdc` /data xfs _netdev 0 0" >>/etc/fstab
umount /data
mount -a
# test reboot</code>
* Show discovered nodes: ''iscsiadm -m discoverydb -P1''; active sessions: ''iscsiadm -m session''.
* If you need to delete a node:<code>iscsiadm -m node -p 172.16.10.39 --op=delete</code>
* If systemd unmounts a new volume after you alter ''/etc/fstab'', run ''systemctl daemon-reload''.
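Added example, not from the page: a check for the boot-time failure mode just described. A block device that arrives over iSCSI but is listed in ''/etc/fstab'' without ''_netdev'' is mounted before the network is up and drops the boot into emergency mode. ''fstab_missing_netdev'' takes the UUIDs of iSCSI-backed file systems as arguments and prints the fstab entries among them that lack the option; ''iscsi_uuids'' collects those UUIDs on a live initiator from ''lsblk'' and ''blkid'' (whole-disk file systems only, as in the ''mkfs.xfs /dev/sdc'' step above; partitions and LVM are not followed). The fstab text is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: find fstab entries for iSCSI-backed file systems that lack
# the _netdev option. SAMPLE_FSTAB is constructed for the example.
SAMPLE_FSTAB='#
# /etc/fstab (constructed sample)
#
UUID=1111-aaaa                  /       xfs   defaults                               0 0
UUID=2222-bbbb                  /data   xfs   _netdev                                0 0
UUID=3333-cccc                  /data2  xfs   defaults                               0 0
//test6/data                    /mnt    cifs  multiuser,credentials=/root/smb-creds  0 0
nfs.yourdomain.tld:/home/share1 /share  nfs   defaults                               0 0'

# iscsi_uuids: on a live initiator, print the file-system UUID of every
# whole-disk device whose transport is iscsi (lsblk -S lists SCSI devices).
iscsi_uuids() {
    lsblk -S -n -o NAME,TRAN | awk '$2 == "iscsi" { print "/dev/" $1 }' |
        while read -r dev; do
            blkid -s UUID -o value "$dev"
        done
}

# fstab_missing_netdev UUID...: read an fstab on stdin and print
# "<spec> <mountpoint>" for every entry whose UUID is in the argument list
# and whose mount options do not contain _netdev. Comment lines and short
# lines are skipped. Exits 1 when at least one entry was reported, so the
# function can gate a deployment step.
fstab_missing_netdev() {
    awk -v uuids="$*" '
        BEGIN {
            n = split(uuids, u, " ")
            for (i = 1; i <= n; i++) net["UUID=" u[i]] = 1
        }
        /^[ \t]*#/ || NF < 4 { next }
        ($1 in net) && $4 !~ /(^|,)_netdev(,|$)/ { print $1, $2; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Stand-alone run on the constructed sample: 3333-cccc is reported, 2222-bbbb
# already has _netdev. On a live host:
#   fstab_missing_netd$(iscsi_uuids) < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | fstab_missing_netdev 2222-bbbb 3333-cccc
```

NFS and CIFS entries are not checked: systemd already knows those are network file systems, the problem is specific to block devices whose network origin fstab cannot show.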
**Target**
* Install targetcli and enable the target service (it restores the saved configuration at boot):<code>yum install -y targetcli
systemctl enable target</code>
* Create a file-backed store and the target:<code>targetcli
/> backstores/fileio/ create shareddata /opt/iscsi.img 1G
Created fileio shareddata with size 1073741824
/> iscsi/ create iqn.2016-04.nl.polaire:target1
Created target iqn.2016-04.nl.polaire:target1.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.</code>
* The default portal listens on every address. On a multi-homed server delete it and create one bound to the storage-network address (10.1.2.5 is a placeholder) so the target is not reachable from other networks; ''cd'' into the TPG and create the portal there if none exists yet:<code>targetcli
/> cd iscsi/iqn.2016-04.nl.polaire:target1/tpg1
/iscsi/iqn.20...target1/tpg1> portals/ create 10.1.2.5</code>
* Create a LUN from the backstore:<code>/iscsi/iqn.20...target1/tpg1> luns/ create /backstores/fileio/shareddata</code>
* Create an ACL for the initiator name configured in the client's ''initiatorname.iscsi'':<code>/iscsi/iqn.20...target1/tpg1> acls/ create iqn.2016-04.nl.polaire:test4</code>
* Set the CHAP credentials for that initiator (they must match ''node.session.auth.username'' and ''password'' in the client's ''iscsid.conf''):<code>/iscsi/iqn.20...target1/tpg1> cd acls/iqn.2016-04.nl.polaire:test4/
/iscsi/iqn.20...laire:test4> set auth userid=username
Parameter userid is now 'username'.
/iscsi/iqn.20...laire:test4> set auth password=pwd</code>
* The config is saved in ''/etc/target/saveconfig.json'' (''saveconfig'' at the targetcli prompt; targetcli also saves when you ''exit'').
* Open the firewall port:<code>firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload</code>
=== - Produce and deliver reports on system utilization (processor, memory, disk, and network)===
* top, sar, vmstat, iostat, tcpdump...
=== - Use shell scripting to automate system maintenance tasks===
* bash scripting...
==== - Network services====
=== - Install the packages needed to provide the service===
* ''yum'', ''rpm''
=== - Configure SELinux to support the service===
* ''ls -lZ''
* ''restorecon''
* ''semanage''
* ''auditd''
=== - Use SELinux port labeling to allow services to use non-standard ports===
* Install the tools:<code>yum install policycoreutils-python</code>
* List the ports a type already owns:<code>semanage port -l | grep ssh</code>
* Label a new port with ''-a''. Use ''-m'' only when the port is already labelled with another type: ''-m'' fails for an undefined port and ''-a'' fails for an already defined one. Then set ''Port 4321'' in ''/etc/ssh/sshd_config'', open the port in the firewall and restart sshd:<code>semanage port -a -t ssh_port_t -p tcp 4321</code>
=== - Configure the service to start when the system is booted===
* Enable a service to start at boot:<code>systemctl enable <unit></code>
=== - Configure host-based and user-based security for the service===
* Host-based: ''Require host'' / ''Require ip'' in httpd (below), the client list in ''/etc/exports'' for NFS, ''hosts allow'' in ''smb.conf'', firewalld zones with ''%%--%%add-source'' and rich rules, and ''/etc/hosts.allow'' / ''/etc/hosts.deny'' (TCP wrappers) for daemons such as sshd.
* User-based: ''Require user'' / ''Require group'' with ''htpasswd'' files in httpd (below), ''valid users'' in ''smb.conf'', ''AllowUsers'' / ''AllowGroups'' in ''sshd_config'', and Kerberos-secured NFS with ''sec=krb5''.
//HTTP/HTTPS//
=== - Configure a virtual host===
* Install httpd:<code>yum install httpd</code>
* Enable the service:<code>systemctl enable httpd</code>
* Create a directory for the virtual host files:<code>mkdir /var/www/html/virta</code>
* Create an ''index.html'':<code>echo "<html><body>
<h1>virta virtual host</h1>
This is virtual host -virta-
</body></html>" > /var/www/html/virta/index.html</code>
* Restore SELinux labels if needed (files created under ''/var/www/html'' get ''httpd_sys_content_t'' automatically; files moved there from elsewhere keep their old label):<code>restorecon -Rv /var/www/html/</code>
* Create the virtual host config in ''/etc/httpd/conf.d/1-virta.conf''. Files in ''conf.d'' are read in alphabetical order and the first ''VirtualHost'' for an address becomes the default, which is why the file name starts with a number. You can find examples in ''/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf'':<code><VirtualHost *:80>
    ServerAdmin ben@polaire.nl
    DocumentRoot "/var/www/html/virta/"
    ServerName virta.polaire.nl
    ServerAlias www.virta.polaire.nl
    ErrorLog "/var/log/httpd/virta-error_log"
    CustomLog "/var/log/httpd/virta-access_log" common
</VirtualHost></code>
* Add the virta host name in DNS, or for this test in the ''/etc/hosts'' file (on the client you test from as well).
* Test the config:<code>apachectl configtest</code>
* Start httpd:<code>systemctl start httpd</code>
* Open the firewall port:<code>firewall-cmd --permanent --zone public --add-service http
firewall-cmd --reload</code>
* Show all configured virtual hosts and which one is the default:<code>httpd -D DUMP_VHOSTS</code>
* Test with ''elinks'' on the local host (''elinks http://virta.polaire.nl/'').
=== - Configure private directories===
* Create a private directory:<code>mkdir /var/www/html/virta/private</code>
* Create a test file:<code>echo "This is private" >/var/www/html/virta/private/index.html</code>
* For host-based access control add a ''Directory'' block to the virtual host config. ''Require host'' depends on a reverse DNS lookup of the client address; ''Require ip'' with an address or network is more robust:<code><Directory "/var/www/html/virta/private">
    AllowOverride None
    Options None
    Require host test.polaire.nl localhost
</Directory></code>
* For user-based authentication use this instead. Basic auth sends the password in clear text, so only use it over HTTPS (see the TLS section):<code><Directory "/var/www/html/virta/private">
    AuthType Basic
    AuthName "Password protected"
    AuthUserFile /etc/httpd/conf/passwd
    Require user testuser
</Directory></code>
* Save the user and password (''-c'' creates the file; leave it out when adding further users or the file is overwritten):<code>htpasswd -c /etc/httpd/conf/passwd testuser</code>
* Restrict the rights: root keeps ownership and the ''apache'' group gets read access only, so a compromised httpd cannot modify the password file:<code>chown root:apache /etc/httpd/conf/passwd
chmod 640 /etc/httpd/conf/passwd</code>
* Restart httpd and test: a wrong password must give ''401'', a host outside the list ''403''.
=== - Deploy a basic CGI application===
* The simple method is to put an executable Perl or shell script in ''/var/www/cgi-bin'' (aliased to ''/cgi-bin/'' and labelled ''httpd_sys_script_exec_t'' by default).
* Or keep a script inside the vhost and enable CGI for that directory (the path is an example). A script outside ''/var/www/cgi-bin'' also needs the ''httpd_sys_script_exec_t'' SELinux label:<code><Directory "/var/www/html/virta/cgi">
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory></code>
* Bash script (''chmod 755''). The headers come first and are separated from the body by an empty line; anything printed before that empty line is treated as a header, which is why ''date'' has to come after the bare ''echo'':<code>#!/bin/bash
echo "Content-type: text/html"
echo
echo "Testing CGI scripts..."
date</code>
=== - Configure group-managed content===
* Configure the directory directive. Members authenticate with their own password from ''AuthUserFile''; ''AuthGroupFile'' only decides who is allowed:<code><Directory "/var/www/html/virta/private">
    AuthType Basic
    AuthName "Group test"
    AuthGroupFile /etc/httpd/conf/group
    AuthUserFile /etc/httpd/conf/passwd
    Require group usergroup
</Directory></code>
* Create the group file ''/etc/httpd/conf/group'' (one line per group, members separated by spaces):<code>usergroup: user1 user2</code>
* Create the password file ''/etc/httpd/conf/passwd'' (''-c'' only for the first user):<code>htpasswd -c /etc/httpd/conf/passwd user1
htpasswd /etc/httpd/conf/passwd user2</code>
* Give both files the same ''root:apache'' ownership and mode 640 as in the previous section.
=== - Configure TLS security===
* Have the httpd server running.
* Install the required packages (''haveged'' speeds up key generation on a VM with little entropy):<code>yum install crypto-utils mod_ssl lynx haveged</code>
* Start and enable haveged:<code>systemctl start haveged
systemctl enable haveged</code>
* Run genkey for the host name clients will use. ''%%--%%test'' skips the slow random-data step and is only for lab use. The key is written to ''/etc/pki/tls/private/'' and the (self-signed) certificate to ''/etc/pki/tls/certs/'':<code>genkey test.polaire.nl</code>
* Edit ''/etc/httpd/conf.d/ssl.conf'' and point the default SSL virtual host at the new files. While there, make sure ''SSLProtocol'' excludes SSLv2 and SSLv3 (''all -SSLv2 -SSLv3''):<code>SSLCertificateFile /etc/pki/tls/certs/test.polaire.nl.crt
SSLCertificateKeyFile /etc/pki/tls/private/test.polaire.nl.key
ServerName test.polaire.nl:443</code>
* For more than one HTTPS site create a new ''VirtualHost'' on port 443 per site, using the block in ''ssl.conf'' as the template; each needs its own certificate (or a SAN/wildcard certificate).
* Check the config and restart Apache:<code>apachectl configtest
systemctl restart httpd</code>
* Open the ''https'' service (port 443) in the firewall.
* Test with ''lynx https://test.polaire.nl/''; a self-signed certificate gives a warning that you have to accept.
//DNS//
=== - Configure a caching-only name server===
* Install unbound:<code>yum install unbound</code>
* Configure unbound in the ''server:'' section of ''/etc/unbound/unbound.conf''. Restrict ''access-control'' to the networks that may use this resolver: unbound refuses everything else by default, and a resolver that answers recursive queries for the whole internet (''0.0.0.0/0 allow'') is an open resolver that gets abused for DNS amplification attacks. Allow-all is acceptable only on a throw-away lab host that nothing else can reach. The 10.1.2.0/24 network below is a placeholder for your client network:<code>interface: 0.0.0.0
interface: ::0
do-ip4: yes
do-ip6: yes
do-udp: yes
use-syslog: yes
hide-identity: yes
hide-version: yes
#val-permissive-mode: yes # only if the upstream forwarders do not support DNSSEC
access-control: 10.1.2.0/24 allow
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
domain-insecure: "your-domain.tld" # skip DNSSEC validation for an unsigned internal zone</code>
* Create a forward zone (for all names) in ''/etc/unbound/conf.d/forward.conf'' with the upstream resolvers you are told to use:<code>forward-zone:
    name: "."
    forward-addr: 1.2.3.4
    forward-addr: 1.2.3.5</code>
* Check the config: ''unbound-checkconf /etc/unbound/unbound.conf''.
* Enable and start the service:<code>systemctl start unbound.service
systemctl enable unbound.service</code>
* Open the firewall for the ''dns'' service (53 udp and tcp; TCP is needed for large answers and DNSSEC).
* Test from a client with ''dig @<server> www.redhat.com'' and confirm that a client outside the allowed networks gets ''REFUSED''.
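Added example, not from the page: an audit of ''unbound.conf'' for the open-resolver mistake discussed above. It prints every ''access-control'' line that allows recursion from the entire IPv4 or IPv6 address space; run it against the real file before exposing a resolver. The two configuration snippets are constructed for the example, one with the lab-style allow-all lines and one restricted to a placeholder client network.

```shell
#!/usr/bin/env bash
# Added example: flag unbound access-control lines that make the resolver
# answer recursive queries for the whole internet. Both configs below are
# constructed for the example; they are not files from a real host.
SAMPLE_UNBOUND='server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    #access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow_snoop'

FIXED_UNBOUND='server:
    interface: 10.1.2.53
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 10.1.2.0/24 allow
    access-control: 127.0.0.0/8 allow_snoop'

# unbound_open_acls: read unbound.conf on stdin, print "<prefix> <action>" for
# each uncommented access-control line whose action starts with "allow"
# (allow, allow_snoop) and whose prefix covers the whole address space.
unbound_open_acls() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "access-control:" && $3 ~ /^allow/ &&
        ($2 == "0.0.0.0/0" || $2 == "::0/0" || $2 == "::/0") { print $2, $3 }
    '
}

# unbound_is_open: succeed when the config on stdin has at least one open ACL.
unbound_is_open() {
    [ -n "$(unbound_open_acls)" ]
}

# Stand-alone run. On a live host: unbound_is_open < /etc/unbound/unbound.conf
for cfg in "$SAMPLE_UNBOUND" "$FIXED_UNBOUND"; do
    if printf '%s\n' "$cfg" | unbound_is_open; then
        echo "OPEN RESOLVER: $(printf '%s\n' "$cfg" | unbound_open_acls | tr '\n' ';')"
    else
        echo "ok: no allow-all access-control"
    fi
done
```

The fixed variant keeps explicit ''refuse'' lines for the all-zero prefixes, which is redundant with unbound's default but documents the intent for the next person editing the file. An ''interface: 0.0.0.0'' by itself is not the problem; binding to all addresses is fine as long as the ACL is right, and the audit deliberately does not flag it.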
=== - Troubleshoot DNS client issues===
* Use ''host'' or ''dig''. ''dig @server name'' tests one specific server and shows the status: ''REFUSED'' points at an access-control problem, ''SERVFAIL'' often at a DNSSEC validation failure. Check ''/etc/resolv.conf'' on the client, the firewall on the server and ''journalctl -u unbound''.
//NFS//
=== - Provide network shares to specific clients===
* Install the packages:<code>yum groupinstall file-server</code>
* Open the firewall:<code>firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload</code>
* Configure the services to start at boot and start them:<code>systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server</code>
* Create the shared directories. 0777 is the quick lab setting; for anything real use a group-owned directory as in the collaboration section below:<code>mkdir -p /home/share1
chmod 0777 /home/share1
mkdir -p /home/share2
chmod 0777 /home/share2</code>
* Set the SELinux contexts:<code>semanage fcontext -a -t public_content_rw_t "/home/share1(/.*)?"
semanage fcontext -a -t public_content_rw_t "/home/share2(/.*)?"
restorecon -Rv /home/share1
restorecon -Rv /home/share2</code>
* Create the shares in ''/etc/exports'', one line per export with the allowed client(s) and options. ''root_squash'' is the default and maps root on the client to ''nfsnobody''; ''no_root_squash'' gives the client's root full root rights on the export, so only use it when a client really needs it:<code>/home/share1 test1.yourdomain.tld(rw,no_root_squash)
/home/share2 test2.yourdomain.tld(rw,no_root_squash)</code>
* Export the file systems (''-r'' re-reads ''/etc/exports'', so no restart is needed):<code>exportfs -avr
# or: systemctl restart nfs-server</code>
* For ''showmount'' (and NFSv3 mounts) to work, open the additional ports:<code>firewall-cmd --add-service=mountd --permanent
firewall-cmd --add-service=rpc-bind --permanent
firewall-cmd --reload</code>
* Configure the client:<code>yum install nfs-utils
showmount -e nfs.yourdomain.tld
mount -t nfs nfs.yourdomain.tld:/home/share1 /mnt</code>
=== - Provide network shares suitable for group collaboration===
* Create an NFS server (as above).
* Create a shared directory.
* Create a group and add the collaborating users to it.
* Assign the group to the shared directory (''chgrp'').
* Set permissions on the directory. What members can do with each other's files also depends on the umask they create files with: the default umask 022 gives 644 files that other members can read but not write, whatever the directory mode. Set ''umask 002'' for the group (or a default ACL on the directory) when members must edit each other's files.<code>chmod 0770 /home/Shared # no sticky or setgid bit
# All group members can create and delete files in the directory; new files get the creator's primary group.
chmod 1770 /home/Shared # sticky bit
# As above, but only the owner of a file (or root) can delete or rename it.
chmod 2770 /home/Shared # setgid bit
# All group members can create and delete files; new files inherit the directory's group, so they are
# readable by the group (and writable too with umask 002).
chmod 3770 /home/Shared # sticky and setgid bit
# As above, except only the owner of a file can delete it.</code>
* Create ''/etc/exports'' (add ''no_root_squash'' only if the client's root really needs it):<code>/home/Shared client(rw)</code>
* Export the directory:<code>exportfs -avr
systemctl restart nfs-server</code>
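Added example, not from the page: a demonstration of what the setgid bit and the umask do to files created in a collaboration directory, runnable as a normal user in a temporary directory. It creates a directory with the given mode, creates a file in it under the given umask and reports the directory mode, the file mode and whether the file inherited the directory's group. The directory's group here is the caller's own primary group (the example cannot ''chgrp'' to a group it is not a member of); on the server you would ''chgrp'' it to the collaboration group.

```shell
#!/usr/bin/env bash
# Added example: show the effect of the setgid bit and the umask on files
# created in a shared directory. Runs unprivileged in a temporary directory.

# collab_dir_demo MODE UMASK: print "<dir-mode> <file-mode> <group-inherited>"
# for a file created under UMASK inside a fresh directory chmod'ed to MODE.
collab_dir_demo() {
    local mode=$1 um=$2 dir file dmode fmode dgid fgid inherited
    dir=$(mktemp -d) || return 1
    chmod "$mode" "$dir"
    file=$dir/report.txt
    # Create the file in a subshell so the umask change does not leak out.
    ( umask "$um" && : > "$file" )
    dmode=$(stat -c %a "$dir")
    fmode=$(stat -c %a "$file")
    dgid=$(stat -c %g "$dir")
    fgid=$(stat -c %g "$file")
    inherited=no
    [ "$dgid" = "$fgid" ] && inherited=yes
    rm -rf "$dir"
    echo "$dmode $fmode $inherited"
}

# Stand-alone run: the same setgid directory with the default umask 022 gives
# group-readable files (644), with umask 002 group-writable ones (664).
echo "setgid dir, umask 022: $(collab_dir_demo 2770 022)"
echo "setgid dir, umask 002: $(collab_dir_demo 2770 002)"
echo "plain dir,  umask 077: $(collab_dir_demo 0770 077)"
```

The directory mode alone never makes members' files writable for each other; the 664 result only appears with umask 002, which is why a collaboration share usually comes with a umask setting in the users' profile or a default ACL (''setfacl -d -m g::rwx'') on the directory. The sticky bit cannot be shown with a single user; with two members, the second one gets "Operation not permitted" when deleting the first one's file.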
=== - Use Kerberos to control access to NFS network shares===
* Configure working NTP (ntpd or chrony) and DNS on all hosts first: Kerberos rejects tickets when clocks differ by more than five minutes, and the principal names below must match forward and reverse DNS.
* Install the Kerberos KDC:<code>yum install krb5-server krb5-workstation pam_krb5
yum install haveged    # for entropy when creating the database
systemctl start haveged
systemctl enable haveged</code>
* Edit the KDC configuration:<code>vi /var/kerberos/krb5kdc/kdc.conf   # replace EXAMPLE.COM with your own realm,
                                    # uncomment the master_key_type = aes256-cts line
                                    # and add to the [realms] stanza:
                                    # default_principal_flags = +preauth
vi /etc/krb5.conf                   # uncomment all lines, replace EXAMPLE.COM with your own realm,
                                    # example.com with your own domain name and kerberos.example.com
                                    # with your own KDC server name (here kbserver.yourdomain.tld)
vi /var/kerberos/krb5kdc/kadm5.acl  # replace EXAMPLE.COM with your own realm</code>
* Create the Kerberos database (''-s'' writes a stash file so the KDC can start without the master password being typed; it is as sensitive as the database itself):<code>kdb5_util create -s -r YOURDOMAIN.TLD</code>
* Start and enable the KDC and the admin server:<code>systemctl start krb5kdc kadmin
systemctl enable krb5kdc kadmin</code>
* Add local users and their principals, an admin principal, and the KDC's own host principal:<code>useradd test1
useradd test2
kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: addprinc test1
kadmin.local: addprinc test2
kadmin.local: addprinc -randkey host/kbserver.yourdomain.tld
kadmin.local: ktadd host/kbserver.yourdomain.tld
kadmin.local: quit</code>
* Open the firewall (''kerberos'' is 88 tcp/udp; add the ''kadmin'' service, 749, only if you run ''kadmin'' from other hosts):<code>firewall-cmd --permanent --zone public --add-service kerberos
firewall-cmd --reload</code>
* Test:<code>su - test1
kinit
klist</code>
* Set up an NFS server:<code>yum groupinstall file-server
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload
# Activate and start the NFS server
systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server
# Create a shared directory
mkdir -p /home/share
chmod 0777 /home/share
yum install policycoreutils-python   # provides the semanage command
semanage fcontext -a -t public_content_rw_t "/home/share(/.*)?"
restorecon -Rv /home/share
echo "/home/share nfsclient.yourdomain.tld(rw,no_root_squash)" >> /etc/exports
exportfs -avr
showmount -e localhost</code>
* Configure the NFS client:<code>yum install nfs-utils
showmount -e nfsserver.yourdomain.tld
mount -t nfs nfsserver.yourdomain.tld:/home/share /mnt</code>
* Configure the NFS server and the NFS client as Kerberos clients. Install on both:<code>yum install krb5-workstation pam_krb5</code>
* Copy ''/etc/krb5.conf'' from the KDC to the NFS client and server.
* On the KDC, add an ''nfs/'' principal for each host. Write each host's key into its own keytab file and copy only that file to that host as ''/etc/krb5.keytab'' (mode 0600, owner root). Do not copy the KDC's own ''/etc/krb5.keytab'' around: every key in it lets its holder impersonate that host:<code>kadmin
kadmin: addprinc -randkey nfs/nfsserver.yourdomain.tld
kadmin: addprinc -randkey nfs/nfsclient.yourdomain.tld
kadmin: ktadd -k /root/nfsserver.keytab nfs/nfsserver.yourdomain.tld
kadmin: ktadd -k /root/nfsclient.keytab nfs/nfsclient.yourdomain.tld
kadmin: quit
scp /root/nfsserver.keytab nfsserver.yourdomain.tld:/etc/krb5.keytab
scp /root/nfsclient.keytab nfsclient.yourdomain.tld:/etc/krb5.keytab</code>
* On the NFS server, require Kerberos in the export (''sec=krb5'' authenticates the client, ''krb5i'' also protects integrity and ''krb5p'' encrypts the traffic):<code>/home/share nfsclient.yourdomain.tld(rw,no_root_squash,sec=krb5)</code>
* Activate and start secure NFS on the server (RHEL 7.0 only; from 7.1 on ''nfs-server'' handles this itself):<code>systemctl enable nfs-secure-server && systemctl start nfs-secure-server</code>
* Activate and start secure NFS on the client:<code># RHEL 7.0
systemctl enable nfs-secure && systemctl start nfs-secure
# RHEL >= 7.1
systemctl enable nfs-client.target && systemctl start nfs-client.target</code>
* Mount the remote directory (the host names must resolve to the names used in the ''nfs/'' principals):<code>mount -t nfs4 -o sec=krb5 nfsserver.yourdomain.tld:/home/share /mnt</code>
//SMB//
=== - Provide network shares to specific clients===
* Install the packages:<code>yum groupinstall "File and Print Server"</code>
* Create the directory:<code>mkdir /opt/smbdata</code>
* Set the rights:<code>chown testuser:users /opt/smbdata
chmod 775 /opt/smbdata</code>
* Set the SELinux context (''samba_share_t'' lets smbd read and write the tree):<code>semanage fcontext -a -t samba_share_t "/opt/smbdata(/.*)?"
restorecon -Rv /opt/smbdata</code>
* Edit ''/etc/samba/smb.conf'':
* Change ''workgroup''.
* Add the share. ''hosts allow'' limits it to the 10.1.2.0/24 network (a trailing dot means the whole network) and ''valid users'' limits it to the named Samba users; both are checked:<code>[data]
comment = Data
path = /opt/smbdata
browseable = yes
writeable = yes
hosts allow = 10.1.2.
valid users = testuser</code>
* Test the config with ''testparm''.
* Enable and start ''smb'' and ''nmb'' (''winbind'' is only needed when the server joins a domain).
* Create the user. The Samba password is separate from the Unix password, and ''/sbin/nologin'' keeps the account from logging in over ssh:<code>useradd -s /sbin/nologin testuser
smbpasswd -a testuser</code>
* Open the firewall for the ''samba'' service.
* Test locally:<code>smbclient //localhost/data -U testuser</code>
* On the client install the required packages:<code>yum install cifs-utils samba-client</code>
* Test the connection (list the shares, then connect to one):<code>smbclient -L server -U testuser
smbclient //server/data -U testuser</code>
=== - Provide network shares suitable for group collaboration===
* Without Kerberos you can use a multiuser mount: root mounts the share once with a low-privilege account, and each user then adds their own credentials with ''cifscreds'', so that file access on the server happens as that user.
* Create a credentials file ''/root/smb-creds'' and make it root-only (''chmod 600''), because it holds a clear-text password:<code>username=user01
password=...</code>
* Test with:<code>mount -t cifs -o multiuser,credentials=/root/smb-creds //test6/data /mnt</code>
* Switch to another user and store that user's credentials for the server with ''cifscreds add -u <user> test6''; without this the user only gets the mount account's access.
* Test whether you can read and write files as that user.
* Mount in fstab:<code>//test6/data /mnt cifs multiuser,credentials=/root/smb-creds 0 0</code>
//SMTP//
=== - Configure a system to forward all email to a central mail server===
* Edit ''/etc/postfix/main.cf'': set ''relayhost'' to the central mail server, keep ''inet_interfaces'' on ''loopback-only'' so this host relays only its own mail, and empty ''mydestination'' so that nothing is delivered locally. Check with ''postfix check'' and restart postfix.
* Check the options in ''man 5 postconf''; ''postconf -n'' shows the settings that differ from the defaults.
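Added example, not from the page: a minimal ''/etc/postfix/main.cf'' for a host that forwards everything to a central mail server (''mail.yourdomain.tld'' is a placeholder). Postfix does not accept comments at the end of a setting line, so each comment is on its own line.

```ini
# Where all mail goes. The brackets skip the MX lookup and connect to that host.
relayhost = [mail.yourdomain.tld]
# Only accept submissions from this host itself (not a relay for the network).
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
# Stamp outgoing mail with the domain rather than the host name.
myorigin = $mydomain
# Deliver nothing locally: mail for root@thishost is forwarded as well.
mydestination =
local_transport = error:local delivery is disabled
```

After editing run ''postfix check'' and ''systemctl restart postfix'', send a test with ''echo test | mail -s test someone@yourdomain.tld'' and watch ''postqueue -p'' and ''journalctl -u postfix''. If the message sits in the queue with a relay-access-denied error, the central server's ''mynetworks'' (or its SASL setup) has to admit this host.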
//SSH//
=== - Configure key-based authentication===
=== - Configure additional options described in documentation===
//NTP//
=== - Synchronize time using other NTP peers===
==== - Database services====
=== - Install and configure MariaDB===
=== - Backup and restore a database===
=== - Create a simple database schema===
=== - Perform simple SQL queries against a database===