rhce7_objectives

RHCE7 EX300 objectives (20160323)

[rhel7, certification]

RHCE7 EX300 objectives (20160323)

Some notes on the EX300 exam.

Source: https://www.redhat.com/en/services/training/ex300-red-hat-certified-engineer-rhce-exam

- System configuration and management

- Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems

Start with two systems, having at least two networkinterfaces.
Bonding is not supported with cross cables, or direct links. If an interface is administratively disabled in such a configuration, the PHY may still maintain electrical connectivity to the peer and failover will not work as expected, leading to a lack of bond communication.

Teaming

Teaming is new in RHEL 7.

First, install the team daemon, if it has not been installed yet:
```
yum install teamd
```

Create a new team interface:

nmcli connection add type team con-name team0

Add interfaces to the team:

nmcli con add type team-slave ifname enp2s0 master team0
nmcli con add type team-slave ifname enp3s0 master team0

Bring interfaces up (first the ports, then master):

nmcli c up team-slave-enp2s0
nmcli c up team-slave-enp3s0
nmcli c up team0

Team status:

teamdctl nm-team state
setup:
  runner: roundrobin
ports:
  enp3s0
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  enp2s0
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0

Team port status:

teamnl nm-team ports
 4: enp3s0: up 1000Mbit FD 
 3: enp2s0: up 1000Mbit FD

Modify the runner type:

nmcli con mod team0 team.config '{ "runner": {"name": "loadbalance"}}'

Runners

broadcast (data is transmitted over all ports)
round-robin (data is transmitted over all ports in turn)
active-backup (one port or link is used while others are kept as a backup)
loadbalance (with active Tx load balancing and BPF-based Tx port selectors)
lacp (implements the 802.3ad Link Aggregation Control Protocol)

In addition, the following link-watchers are available:

ethtool (Libteam lib uses ethtool to watch for link state changes). This is the default if no other link-watcher is specified in the configuration file.
arp_ping (The arp_ping utility is used to monitor the presence of a far-end hardware address using ARP packets.)
nsna_ping (Neighbor Advertisements and Neighbor Solicitation from the IPv6 Neighbor Discovery protocol are used to monitor the presence of a neighbor's interface)

There are no restrictions in the code to prevent a particular link-watcher from being used with a particular runner, however when using the lacp runner, ethtool is the only recommended link-watcher.

Bonding

Create a bond:

nmcli con add type bond con-name bond0 ifname bond0 mode active-backup

Add slaves:

nmcli con add type bond-slave ifname enp2s0 master bond0

Bring up slaves and then the bond0 interface:

nmcli con up bond-slave-enp2s0
nmcli con up bond-slave-enp3s0
nmcli con up bond0

Change bond options:

nmcli con mod bond0 +bond.options mii=100
nmcli con mod bond0 +bond.options mode=802.3ad

Show bond statistics:

cat /proc/net/bonding/bond0 
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: enp2s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:0d:b9:33:90:75
Slave queue ID: 0

Slave Interface: enp3s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:0d:b9:33:90:76
Slave queue ID: 0

- Configure IPv6 addresses and perform basic IPv6 troubleshooting

Add static IPv6 address:

nmcli c edit enp1s0
nmcli> set ipv6.addresses 2001:470:xxxx:xxxx::10/64
nmcli> set ipv6.gateway 2001:470:xxxx:xxxx::1
nmcli> save
nmcli> quit
nmcli c up enp1s0

Troubleshoot with:
- Ping: ping6
- Traceroute: traceroute6
- Resolve hostnames: host -t AAAA <ipv6 hostname>
- Show routes: ip -6 r
- Show neighbours: ip neigh
- Portscan: nmap -6 <ipv6 address>
- Show firewall rules: ip6tables -nvL
- Telnet test, Star Wars: telnet towel.blinkenlights.nl
- Telnet test, BOFH excuse server: telnet towel.blinkenlights.nl 666

- Route IP traffic and create static routes

Show routes: ip -r
Add static route: nmcli edit connection → set ipv4.routes 1.2.3.4/24 1.2.3.1
Remove static route: nmcli edit connection → remove ipv4.routes 1.2.3.4/24 1.2.3.1
NMcli saves config in /etc/sysconfig/network-scripts. You can also disable NetworkManager and create the config yourself.

- Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)

List current active zones: firewall-cmd --get-active-zones
List default zone: firewall-cmd --get-default-zone
List all information in zone: firewall-cmd --zone public --list-all
To Make rules permanent, use: --permanent
Reload after using --permanent: firewall-cmd --reload

Open port: firewall-cmd --permanent --zone internal --add-service ssh
Instead of opening a port/service, remove a service with: --remove-service

Add a source to zone: firewall-cmd --permanent --zone internal --add-source 1.2.3.4/24
Instead of adding a source, remove it with: --remove-source

Add new service XML files to /etc/firewalld/services/, find examples in: /usr/lib/firewalld/services/.

Add masquerading: firewall-cmd --permanent --zone=external --add-masquerade
Port forwarding (check if forwarding is enabled in kernel): firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=2222

Direct rule example:firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5001 -j ACCEPT
List all direct rules: firewall-cmd --direct --get-all-rules

- Use /proc/sys and sysctl to modify and set kernel runtime parameters

Change variable temporary: echo 1 >/proc/sys/net/ipv4/ip_forward
Make it permanent, edit /etc/sysctl.d/<name>.conf. And run sysctl -p
Read all variables with sysctl: sysctl -a

- Configure a system to authenticate using Kerberos

Install the required packages:

yum -y install krb5-workstation pam_krb5

Edit the /etc/krb5.conf file:
- Uncomment all lines.
- Replace al example domain names and realms.
- Change example kdc and admin_server.

Add principals on KDC:

kadmin -p root/admin
kadmin:  addprinc -randkey host/test1.example.com
kadmin:  addprinc -randkey host/test2.example.com
kadmin:  addprinc -randkey host/test3.example.com

kadmin:  ktadd host/test1.example.com
kadmin:  ktadd host/test2.example.com
kadmin:  ktadd host/test3.example.com

Retrieve ticket:
```
kinit benst
```

- Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target

Initiator

Configure system as client (initiator), install the required packages:
```
 yum install iscsi-initiator-utils
```
Edit /etc/iscsi/initiatorname.iscsi and set the InitiatorName. For example:
```
InitiatorName=iqn.2016-04.nl.polaire:test4
```

Edit /etc/iscsi/iscsid.conf and change username an password:

node.session.auth.authmethod = CHAP
node.session.auth.username = <username>
node.session.auth.password = <password>

Start the iSCSI service:
```
systemctl start iscsi
```

Discover targets:

iscsiadm --mode discovery --type sendtargets --portal 1.2.3.4

iscsiadm --mode node --targetname iqn.2000-01.nl.polaire:rackstation.target-Test --portal 1.2.3.4 --login

You have now access to the block device:

lsblk --scsi
NAME HCTL       TYPE VENDOR   MODEL             REV TRAN
sda  1:0:0:0    disk ATA      KINGSTON SMS200S BBF0 sata
sdc  7:0:0:0    disk SYNOLOGY IBLOCK           4.0  iscsi

You can now create a file system (or use LVM first) and mount it at boot.

Create file system and mount at boot:

mkfs.xfs /dev/sdc
mkdir /data
mount /dev/sdc /data
echo "UUID=`blkid -s UUID -o value /dev/sdc` /data xfs _netdev 0 0" >>/etc/fstab

umount /data
mount -a

# test reboot

Show nodes:
```
iscsiadm -m discoverydb -P1
```

If you need to delete a node:

iscsiadm -m node -p 172.16.10.39 --op=delete

If you have the problem that systemd unmounts a new volume after altering /etc/fstab, run systemctl daemon-reload.

Target

Install targetcli:

yum install -y targetcli</code.
  * Enable service (start at boot):<code>systemctl enable target

Create file backed store:

targetcli
/> backstores/fileio/ create shareddata /opt/iscsi.img 1G
Created fileio shareddata with size 1073741824
/> iscsi/ create iqn.2016-04.nl.polaire:target1
Created target iqn.2016-04.nl.polaire:target1.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.

You can cd into that directory and create a portal if it has not been created yet:
```
targetcli
/> cd iscsi/iqn.2014-08.com.example:t1/tpg1
/> portals/ create
```

Create a LUN:

targetcli
/iscsi/iqn.20...laire:target1> luns/ create /backstores/fileio/shareddata

Create ACL:

acls/ create iqn.2016-04.nl.polaire:test4

Set password:

/iscsi/iqn.20...ample:t1/tpg1> cd acls/iqn.2016-04.nl.polaire:test4/
/iscsi/iqn.20...xample:client> set auth userid=username
Parameter userid is now 'username'.
/iscsi/iqn.20...xample:client> set auth password=pwd

Config is saved in /etc/target/saveconfig.json

Open firewall port:

firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload

- Produce and deliver reports on system utilization (processor, memory, disk, and network)

top, sar, vmstat, iostat, tcpdump…

- Use shell scripting to automate system maintenance tasks

bash scripting…

- Network services

- Install the packages needed to provide the service

yum, rpm

- Configure SELinux to support the service

ls -lZ
restorecon
semanage
auditd

- Use SELinux port labeling to allow services to use non-standard ports

Install tools:
```
yum install policycoreutils-python
```
List ports:
```
semanage port -l | grep ssh
```

Modify port setting:

semanage port -m -t ssh_port_t -p tcp 4321

- Configure the service to start when the system is booted

Enable server to start at boot:
```
systemctl enable <servicename>
```

- Configure the service for basic operation

systemctl start
systemctl stop
systemctl restart
systemctl enable
systemctl reeanble
systemctl status

Add custom services in: /etc/systemd/system.

- Configure host-based and user-based security for the service

HTTP/HTTPS

- Configure a virtual host

Install httpd:
```
yum install httpd
```
Enable service:
```
systemctl enable httpd
```
Create a directory for the virtual host files:
```
mkdir /var/www/html/virta
```

Create a index.html:

echo "
<html>
<head><title>virta virtual host</title></head>
<body>
This is virtual host -virta-
</body>
</html>
" > /var/www/html/virta/index.html

Restore SELinux labels if needed:
```
restorecon -Rv /var/www/html/
```

Create the virtual host config in, config is read alphabetically/etc/httpd/conf.d/1-virta.conf. You can find examples in /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf:

<VirtualHost *:80>
    ServerAdmin ben@polaire.nl
    DocumentRoot "/var/www/html/virta/"
    ServerName virta.polaire.nl
    ServerAlias www.virta.polaire.nl
    ErrorLog "/var/log/httpd/virta-error_log"
    CustomLog "/var/log/httpd/virta-access_log" common
</VirtualHost>

You van add the virta hostname in DNS, or for this test in the /etc/hosts file.
Test config:
```
apachectl configtest
```
Start httpd:
```
systemctl start httpd
```

Open firewall port:

firewall-cmd --permanent --zone public --add-service http
firewall-cmd --reload

Show all running virtual hosts:
```
httpd -D DUMP_VHOSTS
```
Test with elinks on local host.

- Configure private directories

Create a private directory:
```
mkdir /var/www/html/virta/private
```

Create a test file:

echo "This is private" >/var/www/html/virta/private/index.html

Add the config below for host based authentication:

<Directory "/var/www/html/virta/private">
AllowOverride None
Options None
Require host test.polaire.nl localhost
</Directory>

For user based authentication, create the following config:

<Directory "/var/www/html/virta/private/">
AuthType Basic
AuthName "Password protected"
AuthUserFile /etc/httpd/conf/passwd
Require user testuser
</Directory>

Save the user and password:

htpasswd -c /etc/httpd/conf/passwd testuser

Modify rights:

chmod 600 /etc/httpd/conf/passwd
chown apache:apache /etc/httpd/conf/passwd

- Deploy a basic CGI application

Simple method is to put an executable perl script in: /var/www/cgi-bin.

Or create a bash script and configure the vhost:

<Directory "/usr/local/cgi-bin/">
    Options +ExecCGI
    AddHandler cgi-script .cgi
  </Directory>

Bash script:

#!/bin/bash
echo "Content-type: text/html"
date
echo
echo "Testing CGI scripts..."

- Configure group-managed content

Configure the directory directive:

AuthType Basic
AuthName "Group test"
AuthGroupFile /etc/httpd/conf/group
AuthUserFile /etc/httpd/conf/passwd
Require group usergroup

Create the group file /etc/httpd/conf/group:
```
usergroup: user1 user2
```

Create the password file /etc/httpd/conf/passwd:

htpasswd -c /etc/httpd/conf/passwd user1
htpasswd /etc/httpd/conf/passwd user2

- Configure TLS security

Have the httpd server running.
Install the required packages (haveged for speeding up key generation):
```
yum install crypto-utils mod_ssl lynx haveged
```

Start and enable haveged:

systemctl start haveged
systemctl enable haveged

Run genkey (use --test to omit the slow process of generating random data) :
```
genkey server.domain.tld
```

Edit: /etc/httpd/conf.d/ssl.conf:

SSLCertificateFile /etc/pki/tls/certs/test.polaire.nl.crt
SSLCertificateKeyFile /etc/pki/tls/private/test.polaire.nl.key
ServerName test.polaire.nl:443

Create a new virtual host for HTTPS, see example in ssl.conf.

Check config and restart Apache:

apachectl configtest
systemctl restart httpd:

Open firewall https port 443.
Test with lynx

DNS

- Configure a caching-only name server

Install unbound:
```
yum install unbound
```

Configure unbound, edit /etc/unbound/unbound.conf:

        interface: 0.0.0.0
        interface: ::0

        do-ip4: yes
        do-ip6: yes

        do-udp: yes

        use-syslog: yes
        
        hide-identity: yes
        hide-version: yes
 
        #val-permissive-mode: yes # Might be needed if upstream doesn't support DNSSEC

        access-control: 0.0.0.0/0 allow
        access-control: ::0/0 allow
        
        domain-insecure: "your-domain.tld"

Create a forward zone (for all zones) /etc/unbound/conf.d/forward.conf:

forward-zone:
        name: "."
        forward-addr: 1.2.3.4
        forward-addr: 1.2.3.5

Check config: unbound-checkconf /etc/unbound/unbound.conf.

Enable and start the service:

systemctl start unbound.service
systemctl enable unbound.service

Open firewall ports (53 udp).

- Troubleshoot DNS client issues

Use the host or dig command. Check journalctl.

NFS

- Provide network shares to specific clients

Install packages:
```
yum groupinstall file-server
```

Open firewall:

firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload

Start services and configure to start at boot:

systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server

Create shared directory:

mkdir -p /home/share1
chmod 0777 /home/share1
mkdir -p /home/share2
chmod 0777 /home/share2

Set SELinux contexts:

semanage fcontext -a -t public_content_rw_t "/home/share1(/.*)?"
semanage fcontext -a -t public_content_rw_t "/home/share2(/.*)?"
restorecon -Rv /home/share1
restorecon -Rv /home/share2

Create shares, edit /etc/exports:

/home/share1 test1.yourdomain.tld(rw,no_root_squash)
/home/share2 test2.yourdomain.tld(rw,no_root_squash)

Export the filesystems:

exportfs -avr
# systemctl restart nfs-server

For showmount to work, open firewall for additional ports:

firewall-cmd --add-service=mountd --permanent
firewall-cmd --add-service=rpc-bind --permanent
firewall-cmd --reload

Configure the client:

yum install nfs-utils
showmount -e nfs.yourdomain.tld
mount -t nfs nfs.yourdomain.tld:/home/share1 /mnt

- Provide network shares suitable for group collaboration

Create an NFS server.
Create a shared directory.
Create a group.
Assign group to shared directory.

Set permissions to directory.

chmod 0770 /home/Shared # no sticky or setgid bit.
All group users can add to and delete from the folder and can read and but not write to each others files.

chmod 1770 /home/Shared # sticky bit
Same as above but only the owner of the file can delete it.

chmod 2770 /home/Shared # setgid bit
All group users can add to and delete from the folder and can read and write to each other's files:

chmod 3770 /home/Shared # sticky and setgid bit
As above, except only the owner of the file can delete it

Create /etc/exports.
```
/shared client(rw,no_root_squash)
```

Export the directory:

exportfs -avr
systemctl restart nfs-server

- Use Kerberos to control access to NFS network shares

Configure working NTP (NTPd or Chrony) and DNS.

Install Kerberos KDC:

yum install krb5-server krb5-workstation pam_krb5
yum install haveged (for entropy)
systemctl start haveged
systemctl enable haveged

vi /var/kerberos/krb5kdc/kdc.conf  # replace EXAMPLE.COM with your own realm
                                   # uncomment master_key_type = aes256-cts line
                                   # and paste the following line in the [realms] stanza:
                                   # default_principal_flags = +preauth

vi /etc/krb5.conf                  # uncomment all the lines, replace EXAMPLE.COM with your own realm
                                   # example.com with your own domain name, and kerberos.example.com
                                   # with your own KDC server name (here kbserver.example.com).

vi /var/kerberos/krb5kdc/kadm5.acl # replace EXAMPLE.COM with your own realm.


# Create Kerberos database
kdb5_util create -s -r YOURDOMAIN.TLD

# Start and activate Kerberos
systemctl start krb5kdc kadmin
systemctl enable krb5kdc kadmin

# Add users
useradd test1
useradd test2

# Start Kerberos admin
kadmin.local

# Create admin principal
kadmin.local:   addprinc root/admin

# Create user principals
kadmin.local:   addprinc test1
kadmin.local:   addprinc test2

# Add KDC hostname
kadmin.local:   addprinc -randkey host/kbserver.yourdomain.tld

# Create local copy /etc/krb5.keytab file:
kadmin.local:  ktadd host/kbserver.yourdomain.tld

kadmin.local:  quit


# Open firewall
firewall-cmd --permanent --zone public --add-service kerberos
firewall-cmd --reload

# Test
su - test1
kinit
klist

Setup an NFS server:

yum groupinstall file-server
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd 
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload

# Activate and start NFS server
systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server

# Create a shared directory
mkdir -p /home/share
chmod 0777 /home/share
yum install policycoreutils-python # provides the semanage command
semanage fcontext -a -t public_content_rw_t "/home/share(/.*)?"
restorecon -Rv /home/share
echo "/home/share client.example.com(rw,no_root_squash)" >> /etc/exports
exportfs -avr
showmount -e localhost

Configure the NFS client:

yum install nfs-utils
showmount -e nfsserver.yourdomain.tld
mount -t nfs nfsserver.yourdomain.tld:/home/share /mnt

Configure the NFS server and NFS client as kerberos client.

# Install on both NFS server and client:
yum install krb5-workstation pam_krb5

# Copy the /etc/krb5.conf file from the KDC server to NFS client and server.

# Add the principals (on the KDC)
kadmin
kadmin:  addprinc -randkey nfs/nfserver.yourdomain.tld
kadmin:  addprinc -randkey nfs/nfsclient.yourdomain.tld
kadmin:  ktadd nfs/nfsserver.yourdomain.tld
kadmin:  ktadd nfs/nfsclient.yourdomain.tld
kadmin:  quit

# Add sec=krb5 to exports on NFS server
/home/share nfsclient.yourdomain.tld(rw,no_root_squash,sec=krb5)

# Activate and start NFS on the server (RHEL 7.0 only)
systemctl enable nfs-secure-server && systemctl start nfs-secure-server

# Copy /etc/krb5.keytab from KDC to client.

# Activate and start NFS on the client: 
# RHEL 7.0
# systemctl enable nfs-secure && systemctl start nfs-secure

# RHEL >= 7.1
# systemctl enable nfs-client.target && systemctl start nfs-client.target

# Mount the remote directory:
mount -t nfs4 -o sec=krb5 nfsserver.yourdomain.tld:/home/tools /mnt

SMB

- Provide network shares to specific clients

Install packages:

yum groupinstall "File and Print Server"

Create directory:
```
mkdir /opt/smbdata
```

Set rights:

chown testuser.users /opt/smbdata
chmod 775 /opt/smbdata

Set SELinux context:

semanage fcontext -a -t samba_share_t "/opt/smbdata(/.*)?"
restorecon -Rv /opt/smbdata

Edit /etc/samba/smb.conf

Change workgroup.

Add share:

[data]
        comment = Data
        path = /opt/smbdata
        browseable = yes
        writeable = yes
        hosts allow = 10.1.2.
        valid users = testuser

Test config with: testparm.
Enable and start smb, nmb and winbind.

Create user:

useradd -s /sbin/nologin testuser
smbpasswd -a testuser

Open firewall for CIFS (samba) traffic.

Test:

smbclient //localhost/shared -U testuser

On the client install the required packages:
```
yum install cifs-utils samba-client
```

Test connection:

smbclient -L <server> -U <username>
smbclient //server/data -U <username>

- Provide network shares suitable for group collaboration

Without using Kerberos, you could use a multiuser mount. You can then use cifscreds to login to a multiuser mount.
Create a credentials file /root/smb-creds:
```
username=user01
password=...
```

Test with:

mount -t cifs -o multiuser,credentials=/root/smb-creds //test6/data /mnt

Switch to other user and use cifscreds
Test if you can r/w files.

Mount in fstab:

//test6/data /mnt cifs multiuser,credentials=/root/smb-creds 0 0

Table of Contents

RHCE7 EX300 objectives (20160323)

- System configuration and management

- Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems

Teaming

Bonding

- Configure IPv6 addresses and perform basic IPv6 troubleshooting

- Route IP traffic and create static routes

- Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)

- Use /proc/sys and sysctl to modify and set kernel runtime parameters

- Configure a system to authenticate using Kerberos

- Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target

- Produce and deliver reports on system utilization (processor, memory, disk, and network)

- Use shell scripting to automate system maintenance tasks

- Network services

- Install the packages needed to provide the service

- Configure SELinux to support the service

- Use SELinux port labeling to allow services to use non-standard ports

- Configure the service to start when the system is booted

- Configure the service for basic operation

- Configure host-based and user-based security for the service

- Configure a virtual host

- Configure private directories

- Deploy a basic CGI application

- Configure group-managed content

- Configure TLS security

- Configure a caching-only name server

- Troubleshoot DNS client issues

- Provide network shares to specific clients

- Provide network shares suitable for group collaboration

- Use Kerberos to control access to NFS network shares

- Provide network shares to specific clients

- Provide network shares suitable for group collaboration

- Configure a system to forward all email to a central mail server

- Configure key-based authentication

- Configure additional options described in documentation

- Synchronize time using other NTP peers

- Database services

- Install and configure MariaDB

- Backup and restore a database

- Create a simple database schema

- Perform simple SQL queries against a database