Some notes on the EX300 exam.
Teaming is new in RHEL 7.
yum install teamd
nmcli connection add type team con-name team0
nmcli con add type team-slave ifname enp2s0 master team0
nmcli con add type team-slave ifname enp3s0 master team0
nmcli c up team-slave-enp2s0
nmcli c up team-slave-enp3s0
nmcli c up team0
teamdctl nm-team state setup: runner: roundrobin ports: enp3s0 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up down count: 0 enp2s0 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up down count: 0
teamnl nm-team ports 4: enp3s0: up 1000Mbit FD 3: enp2s0: up 1000Mbit FD
nmcli con mod team0 team.config '{ "runner": {"name": "loadbalance"}}'
Runners
In addition, the following link-watchers are available:
There are no restrictions in the code to prevent a particular link-watcher from being used with a particular runner; however, when using the lacp runner, ethtool is the only recommended link-watcher.
nmcli con add type bond con-name bond0 ifname bond0 mode active-backup
nmcli con add type bond-slave ifname enp2s0 master bond0
nmcli con up bond-slave-enp2s0
nmcli con up bond-slave-enp3s0
nmcli con up bond0
nmcli con mod bond0 +bond.options mii=100
nmcli con mod bond0 +bond.options mode=802.3ad
cat /proc/net/bonding/bond0 Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) Bonding Mode: load balancing (round-robin) MII Status: up MII Polling Interval (ms): 100 Up Delay (ms): 0 Down Delay (ms): 0 Slave Interface: enp2s0 MII Status: up Speed: 1000 Mbps Duplex: full Link Failure Count: 1 Permanent HW addr: 00:0d:b9:33:90:75 Slave queue ID: 0 Slave Interface: enp3s0 MII Status: up Speed: 1000 Mbps Duplex: full Link Failure Count: 1 Permanent HW addr: 00:0d:b9:33:90:76 Slave queue ID: 0
nmcli c edit enp1s0 nmcli> set ipv6.addresses 2001:470:xxxx:xxxx::10/64 nmcli> set ipv6.gateway 2001:470:xxxx:xxxx::1 nmcli> save nmcli> quit nmcli c up enp1s0
ping6
traceroute6
host -t AAAA <ipv6 hostname>
ip -6 r
ip neigh
nmap -6 <ipv6 address>
ip6tables -nvL
telnet towel.blinkenlights.nl
telnet towel.blinkenlights.nl 666
ip -r
set ipv4.routes 1.2.3.4/24 1.2.3.1
remove ipv4.routes 1.2.3.4/24 1.2.3.1
/etc/sysconfig/network-scripts
You can also disable NetworkManager and create the config yourself.
firewall-cmd --get-active-zones
firewall-cmd --get-default-zone
firewall-cmd --zone public --list-all
--permanent
--permanent
firewall-cmd --reload
firewall-cmd --permanent --zone internal --add-service ssh
--remove-service
firewall-cmd --permanent --zone internal --add-source 1.2.3.4/24
--remove-source
/etc/firewalld/services/
, find examples in: /usr/lib/firewalld/services/
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=2222
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5001 -j ACCEPT
firewall-cmd --direct --get-all-rules
echo 1 >/proc/sys/net/ipv4/ip_forward
/etc/sysctl.d/<name>.conf
Then run sysctl -p
sysctl -a
yum -y install krb5-workstation pam_krb5
/etc/krb5.conf
file:
kadmin -p root/admin
kadmin: addprinc -randkey host/test1.example.com
kadmin: addprinc -randkey host/test2.example.com
kadmin: addprinc -randkey host/test3.example.com
kadmin: ktadd host/test1.example.com
kadmin: ktadd host/test2.example.com
kadmin: ktadd host/test3.example.com
kinit benst
Initiator
yum install iscsi-initiator-utils
/etc/iscsi/initiatorname.iscsi
and set the InitiatorName. For example:
InitiatorName=iqn.2016-04.nl.polaire:test4
/etc/iscsi/iscsid.conf
and change username and password:
node.session.auth.authmethod = CHAP
node.session.auth.username = <username>
node.session.auth.password = <password>
systemctl start iscsi
iscsiadm --mode discovery --type sendtargets --portal 1.2.3.4
iscsiadm --mode node --targetname iqn.2000-01.nl.polaire:rackstation.target-Test --portal 1.2.3.4 --login
lsblk --scsi NAME HCTL TYPE VENDOR MODEL REV TRAN sda 1:0:0:0 disk ATA KINGSTON SMS200S BBF0 sata sdc 7:0:0:0 disk SYNOLOGY IBLOCK 4.0 iscsi
mkfs.xfs /dev/sdc mkdir /data mount /dev/sdc /data echo "UUID=`blkid -s UUID -o value /dev/sdc` /data xfs _netdev 0 0" >>/etc/fstab umount /data mount -a # test reboot
iscsiadm -m discoverydb -P1
iscsiadm -m node -p 172.16.10.39 --op=delete
/etc/fstab
, run systemctl daemon-reload
Target
yum install -y targetcli
Enable service (start at boot): systemctl enable target
targetcli /> backstores/fileio/ create shareddata /opt/iscsi.img 1G Created fileio shareddata with size 1073741824 /> iscsi/ create iqn.2016-04.nl.polaire:target1 Created target iqn.2016-04.nl.polaire:target1. Created TPG 1. Global pref auto_add_default_portal=true Created default portal listening on all IPs (0.0.0.0), port 3260.
cd
into that directory and create a portal if it has not been created yet:
targetcli /> cd iscsi/iqn.2014-08.com.example:t1/tpg1 /> portals/ create
targetcli /iscsi/iqn.20...laire:target1> luns/ create /backstores/fileio/shareddata
acls/ create iqn.2016-04.nl.polaire:test4
/iscsi/iqn.20...ample:t1/tpg1> cd acls/iqn.2016-04.nl.polaire:test4/ /iscsi/iqn.20...xample:client> set auth userid=username Parameter userid is now 'username'. /iscsi/iqn.20...xample:client> set auth password=pwd
/etc/target/saveconfig.json
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload
yum
, rpm
ls -lZ
restorecon
semanage
auditd
yum install policycoreutils-python
semanage port -l | grep ssh
semanage port -m -t ssh_port_t -p tcp 4321
systemctl enable <servicename>
systemctl start, systemctl stop, systemctl restart, systemctl enable, systemctl reenable, systemctl status
/etc/systemd/system
HTTP/HTTPS
yum install httpd
systemctl enable httpd
mkdir /var/www/html/virta
index.html
:echo " <html> <head><title>virta virtual host</title></head> <body> This is virtual host -virta- </body> </html> " > /var/www/html/virta/index.html
restorecon -Rv /var/www/html/
/etc/httpd/conf.d/1-virta.conf
. You can find examples in /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
:<VirtualHost *:80> ServerAdmin ben@polaire.nl DocumentRoot "/var/www/html/virta/" ServerName virta.polaire.nl ServerAlias www.virta.polaire.nl ErrorLog "/var/log/httpd/virta-error_log" CustomLog "/var/log/httpd/virta-access_log" common </VirtualHost>
/etc/hosts
file.
apachectl configtest
systemctl start httpd
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --reload
httpd -D DUMP_VHOSTS
elinks
on local host.
mkdir /var/www/html/virta/private
echo "This is private" >/var/www/html/virta/private/index.html
<Directory "/var/www/html/virta/private"> AllowOverride None Options None Require host test.polaire.nl localhost </Directory>
<Directory "/var/www/html/virta/private/"> AuthType Basic AuthName "Password protected" AuthUserFile /etc/httpd/conf/passwd Require user testuser </Directory>
htpasswd -c /etc/httpd/conf/passwd testuser
chmod 600 /etc/httpd/conf/passwd chown apache:apache /etc/httpd/conf/passwd
/var/www/cgi-bin
.<Directory "/usr/local/cgi-bin/"> Options +ExecCGI AddHandler cgi-script .cgi </Directory>
#!/bin/bash echo "Content-type: text/html" date echo echo "Testing CGI scripts..."
AuthType Basic AuthName "Group test" AuthGroupFile /etc/httpd/conf/group AuthUserFile /etc/httpd/conf/passwd Require group usergroup
/etc/httpd/conf/group
:usergroup: user1 user2
/etc/httpd/conf/passwd
: htpasswd -c /etc/httpd/conf/passwd user1 htpasswd /etc/httpd/conf/passwd user2
yum install crypto-utils mod_ssl lynx haveged
systemctl start haveged systemctl enable haveged
--test
to omit the slow process of generating random data):
genkey server.domain.tld
/etc/httpd/conf.d/ssl.conf
: SSLCertificateFile /etc/pki/tls/certs/test.polaire.nl.crt SSLCertificateKeyFile /etc/pki/tls/private/test.polaire.nl.key ServerName test.polaire.nl:443
ssl.conf
apachectl configtest
systemctl restart httpd
DNS
yum install unbound
/etc/unbound/unbound.conf
:interface: 0.0.0.0 interface: ::0 do-ip4: yes do-ip6: yes do-udp: yes use-syslog: yes hide-identity: yes hide-version: yes #val-permissive-mode: yes # Might be needed if upstream doesn't support DNSSEC access-control: 0.0.0.0/0 allow access-control: ::0/0 allow domain-insecure: "your-domain.tld"
/etc/unbound/conf.d/forward.conf
: forward-zone: name: "." forward-addr: 1.2.3.4 forward-addr: 1.2.3.5
unbound-checkconf /etc/unbound/unbound.conf
systemctl start unbound.service
systemctl enable unbound.service
host
or dig
command. Check journalctl
NFS
yum groupinstall file-server
firewall-cmd --permanent --add-service=nfs firewall-cmd --reload
systemctl enable rpcbind nfs-server systemctl start rpcbind nfs-server
mkdir -p /home/share1 chmod 0777 /home/share1 mkdir -p /home/share2 chmod 0777 /home/share2
semanage fcontext -a -t public_content_rw_t "/home/share1(/.*)?" semanage fcontext -a -t public_content_rw_t "/home/share2(/.*)?" restorecon -Rv /home/share1 restorecon -Rv /home/share2
/etc/exports
:/home/share1 test1.yourdomain.tld(rw,no_root_squash) /home/share2 test2.yourdomain.tld(rw,no_root_squash)
exportfs -avr # systemctl restart nfs-server
firewall-cmd --add-service=mountd --permanent firewall-cmd --add-service=rpc-bind --permanent firewall-cmd --reload
yum install nfs-utils showmount -e nfs.yourdomain.tld mount -t nfs nfs.yourdomain.tld:/home/share1 /mnt
chmod 0770 /home/Shared # no sticky or setgid bit. All group users can add to and delete from the folder and can read and but not write to each others files. chmod 1770 /home/Shared # sticky bit Same as above but only the owner of the file can delete it. chmod 2770 /home/Shared # setgid bit All group users can add to and delete from the folder and can read and write to each other's files: chmod 3770 /home/Shared # sticky and setgid bit As above, except only the owner of the file can delete it
/etc/exports
./shared client(rw,no_root_squash)
exportfs -avr systemctl restart nfs-server
yum install krb5-server krb5-workstation pam_krb5 yum install haveged (for entropy) systemctl start haveged systemctl enable haveged vi /var/kerberos/krb5kdc/kdc.conf # replace EXAMPLE.COM with your own realm # uncomment master_key_type = aes256-cts line # and paste the following line in the [realms] stanza: # default_principal_flags = +preauth vi /etc/krb5.conf # uncomment all the lines, replace EXAMPLE.COM with your own realm # example.com with your own domain name, and kerberos.example.com # with your own KDC server name (here kbserver.example.com). vi /var/kerberos/krb5kdc/kadm5.acl # replace EXAMPLE.COM with your own realm. # Create Kerberos database kdb5_util create -s -r YOURDOMAIN.TLD # Start and activate Kerberos systemctl start krb5kdc kadmin systemctl enable krb5kdc kadmin # Add users useradd test1 useradd test2 # Start Kerberos admin kadmin.local # Create admin principal kadmin.local: addprinc root/admin # Create user principals kadmin.local: addprinc test1 kadmin.local: addprinc test2 # Add KDC hostname kadmin.local: addprinc -randkey host/kbserver.yourdomain.tld # Create local copy /etc/krb5.keytab file: kadmin.local: ktadd host/kbserver.yourdomain.tld kadmin.local: quit # Open firewall firewall-cmd --permanent --zone public --add-service kerberos firewall-cmd --reload # Test su - test1 kinit klist
yum groupinstall file-server firewall-cmd --permanent --add-service=nfs firewall-cmd --permanent --add-service=mountd firewall-cmd --permanent --add-service=rpc-bind firewall-cmd --reload # Activate and start NFS server systemctl enable rpcbind nfs-server systemctl start rpcbind nfs-server # Create a shared directory mkdir -p /home/share chmod 0777 /home/share yum install policycoreutils-python # provides the semanage command semanage fcontext -a -t public_content_rw_t "/home/share(/.*)?" restorecon -Rv /home/share echo "/home/share client.example.com(rw,no_root_squash)" >> /etc/exports exportfs -avr showmount -e localhost
yum install nfs-utils showmount -e nfsserver.yourdomain.tld mount -t nfs nfsserver.yourdomain.tld:/home/share /mnt
# Install on both NFS server and client: yum install krb5-workstation pam_krb5 # Copy the /etc/krb5.conf file from the KDC server to NFS client and server. # Add the principals (on the KDC) kadmin kadmin: addprinc -randkey nfs/nfserver.yourdomain.tld kadmin: addprinc -randkey nfs/nfsclient.yourdomain.tld kadmin: ktadd nfs/nfsserver.yourdomain.tld kadmin: ktadd nfs/nfsclient.yourdomain.tld kadmin: quit # Add sec=krb5 to exports on NFS server /home/share nfsclient.yourdomain.tld(rw,no_root_squash,sec=krb5) # Activate and start NFS on the server (RHEL 7.0 only) systemctl enable nfs-secure-server && systemctl start nfs-secure-server # Copy /etc/krb5.keytab from KDC to client. # Activate and start NFS on the client: # RHEL 7.0 # systemctl enable nfs-secure && systemctl start nfs-secure # RHEL >= 7.1 # systemctl enable nfs-client.target && systemctl start nfs-client.target # Mount the remote directory: mount -t nfs4 -o sec=krb5 nfsserver.yourdomain.tld:/home/tools /mnt
SMB
yum groupinstall "File and Print Server"
mkdir /opt/smbdata
chown testuser.users /opt/smbdata chmod 775 /opt/smbdata
semanage fcontext -a -t samba_share_t "/opt/smbdata(/.*)?" restorecon -Rv /opt/smbdata
/etc/samba/smb.conf
workgroup
.[data] comment = Data path = /opt/smbdata browseable = yes writeable = yes hosts allow = 10.1.2. valid users = testuser
testparm
.smb
, nmb
and winbind
useradd -s /sbin/nologin testuser
smbpasswd -a testuser
smbclient //localhost/shared -U testuser
yum install cifs-utils samba-client
smbclient -L <server> -U <username> smbclient //server/data -U <username>
cifscreds
to log in to a multiuser mount.
/root/smb-creds
username=user01 password=... (this file holds a cleartext password, so keep it readable by root only)
mount -t cifs -o multiuser,credentials=/root/smb-creds //test6/data /mnt
cifscreds
//test6/data /mnt cifs multiuser,credentials=/root/smb-creds 0 0
SMTP
/etc/postfix/main.cf
, restart postfix.
man 5 postconf
SSH
NTP