rhce7_objectives
RHCE7 EX300 objectives (20160323)
Some notes on the EX300 exam.
- System configuration and management
- Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems
- Start with two systems that have at least two network interfaces each.
- Bonding over crossover cables or other direct links is not supported: when an interface on one side is administratively disabled, its PHY may keep the link electrically up, so the link monitor on the other side never sees a failure, the bond does not fail over, and communication over the bond is lost.
Teaming
Teaming is new in RHEL 7.
- First, install the team daemon, if it has not been installed yet:
yum install teamd
- Create a new team interface (no ifname is given, so NetworkManager names the device nm-team, which is the name used with teamdctl and teamnl below):
nmcli connection add type team con-name team0
- Add interfaces to the team:
nmcli con add type team-slave ifname enp2s0 master team0
nmcli con add type team-slave ifname enp3s0 master team0
- Bring interfaces up (first the ports, then master):
nmcli c up team-slave-enp2s0
nmcli c up team-slave-enp3s0
nmcli c up team0
- Team status:
teamdctl nm-team state
setup:
  runner: roundrobin
ports:
  enp3s0
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  enp2s0
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
- Team port status:
teamnl nm-team ports
 4: enp3s0: up 1000Mbit FD
 3: enp2s0: up 1000Mbit FD
- Modify the runner type:
nmcli con mod team0 team.config '{ "runner": {"name": "loadbalance"}}'
Runners
- broadcast (data is transmitted over all ports)
- round-robin (data is transmitted over all ports in turn)
- active-backup (one port or link is used while others are kept as a backup)
- loadbalance (with active Tx load balancing and BPF-based Tx port selectors)
- lacp (implements the 802.3ad Link Aggregation Control Protocol)
In addition, the following link-watchers are available:
- ethtool (Libteam lib uses ethtool to watch for link state changes). This is the default if no other link-watcher is specified in the configuration file.
- arp_ping (The arp_ping utility is used to monitor the presence of a far-end hardware address using ARP packets.)
- nsna_ping (Neighbor Advertisements and Neighbor Solicitation from the IPv6 Neighbor Discovery protocol are used to monitor the presence of a neighbor's interface)
There are no restrictions in the code to prevent a particular link-watcher from being used with a particular runner, however when using the lacp runner, ethtool is the only recommended link-watcher.
Bonding
- Create a bond:
nmcli con add type bond con-name bond0 ifname bond0 mode active-backup
- Add slaves (one slave connection per port; both are brought up below):
nmcli con add type bond-slave ifname enp2s0 master bond0
nmcli con add type bond-slave ifname enp3s0 master bond0
- Bring up slaves and then the bond0 interface:
nmcli con up bond-slave-enp2s0
nmcli con up bond-slave-enp3s0
nmcli con up bond0
- Change bond options (the link-monitor interval option is miimon, not mii; re-activate the connection with nmcli con up bond0 afterwards for the change to take effect):
nmcli con mod bond0 +bond.options miimon=100
nmcli con mod bond0 +bond.options mode=802.3ad
- Show bond statistics:
cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: enp2s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:0d:b9:33:90:75
Slave queue ID: 0

Slave Interface: enp3s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:0d:b9:33:90:76
Slave queue ID: 0
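- Added example, not part of these notes: a health check that parses the /proc/net/bonding text shown above and flags every slave that is not up and full duplex, returning non-zero so it can run from cron or a monitoring agent. The sample status text, interface names and MAC addresses in sample_bond_status are constructed for the demo; on a real host call bond_health /proc/net/bonding/bond0.

```bash
#!/bin/bash
# Added example, not from the RHCE notes: health check for a bonded interface.
# bond_health parses /proc/net/bonding/<bond> (the text cat shows above) and
# prints one line per slave. It returns 0 only when every slave is up and
# full duplex, so it can be used from cron or a monitoring agent.
bond_health() {
    local file="${1:-/proc/net/bonding/bond0}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        /^Bonding Mode:/        { sub(/^Bonding Mode: /, ""); mode = $0 }
        /^Slave Interface:/     { slave = $3; order[++n] = slave }
        # the first "MII Status:" line belongs to the bond itself and is
        # skipped because no slave has been seen yet
        /^MII Status:/ && slave { status[slave] = $3 }
        /^Speed:/ && slave      { speed[slave]  = $2 }
        /^Duplex:/ && slave     { duplex[slave] = $2 }
        /^Link Failure Count:/ && slave { fails[slave] = $4 }
        END {
            printf "mode: %s slaves: %d\n", mode, n
            bad = 0
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (status[s] == "up" && duplex[s] == "full")
                    printf "OK  %s speed=%s failures=%s\n", s, speed[s], fails[s]
                else {
                    printf "BAD %s status=%s duplex=%s failures=%s\n", s, status[s], duplex[s], fails[s]
                    bad++
                }
            }
            exit (bad > 0)
        }' "$file"
}

# Constructed sample (assumed names and MACs): an active-backup bond whose
# second slave has lost link three times and is currently down.
sample_bond_status() {
    cat <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: enp2s0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: enp2s0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0d:b9:33:90:75
Slave queue ID: 0

Slave Interface: enp3s0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:0d:b9:33:90:76
Slave queue ID: 0
EOF
}

# "bash bond_health.sh --demo" runs the check against the sample; on a real
# host call bond_health /proc/net/bonding/bond0 instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_bond_status >"$tmp"
    bond_health "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

The check deliberately looks at the per-slave MII status and not at the bond's own line: with active-backup the bond itself stays up while one port is dead, which is exactly the degraded state you want to hear about before the second port fails.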
- Configure IPv6 addresses and perform basic IPv6 troubleshooting
- Add a static IPv6 address (when you set an address the editor offers to switch ipv6.method to manual; accept that, or set it yourself):
nmcli c edit enp1s0
nmcli> set ipv6.addresses 2001:470:xxxx:xxxx::10/64
nmcli> set ipv6.gateway 2001:470:xxxx:xxxx::1
nmcli> save
nmcli> quit
nmcli c up enp1s0
- Troubleshoot with:
- Ping:
ping6
- Traceroute:
traceroute6
- Resolve hostnames:
host -t AAAA <ipv6 hostname>
- Show routes:
ip -6 r
- Show neighbours:
ip neigh
- Portscan:
nmap -6 <ipv6 address>
- Show firewall rules:
ip6tables -nvL
- Telnet test, Star Wars:
telnet towel.blinkenlights.nl
- Telnet test, BOFH excuse server:
telnet towel.blinkenlights.nl 666
- Route IP traffic and create static routes
- Show routes:
ip route   # ip -6 route for IPv6
- Add a static route (network/prefix followed by the next hop) in nmcli con edit <connection>, then save and re-activate the connection:
set ipv4.routes 1.2.3.0/24 1.2.3.1
- Remove a static route in the same editor:
remove ipv4.routes 1.2.3.0/24 1.2.3.1
- nmcli saves the configuration in /etc/sysconfig/network-scripts (ifcfg-* and route-* files). You can also disable NetworkManager and write those files yourself.
- Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)
- List current active zones:
firewall-cmd --get-active-zones
- List default zone:
firewall-cmd --get-default-zone
- List all information in zone:
firewall-cmd --zone public --list-all
- To make a rule permanent, add --permanent. A permanent rule is only written to /etc/firewalld and takes effect after a reload (or run the same command once more without --permanent to change the running configuration as well):
firewall-cmd --reload
- Allow a service (here ssh) in a zone; for a port without a service definition use --add-port=<port>/<protocol> instead:
firewall-cmd --permanent --zone internal --add-service ssh
- Remove it again with --remove-service (or --remove-port).
- Add a source to zone:
firewall-cmd --permanent --zone internal --add-source 1.2.3.4/24
- Instead of adding a source, remove it with:
--remove-source
- Add new service XML files to /etc/firewalld/services/; examples are in /usr/lib/firewalld/services/.
- Add masquerading:
firewall-cmd --permanent --zone=external --add-masquerade
- Port forwarding. Redirecting to a local port, as below (22 to 2222), needs nothing else; forwarding to another host with toaddr= also requires masquerading on the zone and net.ipv4.ip_forward=1 in the kernel (check with sysctl net.ipv4.ip_forward):
firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=2222
- Direct rule example:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5001 -j ACCEPT
- List all direct rules:
firewall-cmd --direct --get-all-rules
- Use /proc/sys and sysctl to modify and set kernel runtime parameters
- Change a parameter temporarily (lost at reboot):
echo 1 >/proc/sys/net/ipv4/ip_forward
- To make it permanent, put key = value lines in /etc/sysctl.d/<name>.conf and load them with sysctl -p /etc/sysctl.d/<name>.conf (a bare sysctl -p reads only /etc/sysctl.conf; sysctl --system loads every file in the usual order).
- Read all variables with sysctl:
sysctl -a
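- Added example, not part of these notes: sysctl -p only loads a file, it does not tell you whether the running kernel still matches it (a later file in /etc/sysctl.d, a tuned profile or a stray echo into /proc/sys can all change a value). The function below compares every key = value line of a sysctl.d file with the live value under /proc/sys and reports drift and missing keys; it also answers the "is ip_forward really on" question raised by the firewalld port-forwarding step above. The fixture tree, file names and values in make_fixture are constructed for the demo; on a real host call sysctl_audit /etc/sysctl.d/<name>.conf.

```bash
#!/bin/bash
# Added example, not from the RHCE notes: audit a sysctl.d file against the
# running kernel. sysctl -p only loads a file; it does not tell you whether a
# later file in /etc/sysctl.d, a tuned profile or a hand-typed echo has since
# changed the value. sysctl_audit <conf> [root] reads every "key = value" line
# of <conf> and compares it with <root>/proc/sys/<key with dots as slashes>.
# root defaults to / ; a copied or constructed tree can be passed for testing.
# Returns 0 only when every key exists and matches.
sysctl_audit() {
    local conf="$1" root="${2:-/}" drift=0 key val path cur
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$key" ] || continue
        # a key whose last component itself contains a dot (a VLAN device
        # such as enp2s0.100) would need the sysctl(8) slash form; not handled
        path="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (no %s)\n' "$key" "$path"
            drift=$((drift + 1))
            continue
        fi
        # /proc/sys separates multi-value entries with tabs, sysctl.conf with
        # spaces: normalise whitespace before comparing
        cur=$(tr -s '[:space:]' ' ' <"$path" | sed 's/ $//')
        if [ "$cur" = "$val" ]; then
            printf 'OK      %s = %s\n' "$key" "$cur"
        else
            printf 'DRIFT   %s: file=%s kernel=%s\n' "$key" "$val" "$cur"
            drift=$((drift + 1))
        fi
    done <<EOF
$(sed 's/^[[:space:]]*[#;].*$//' "$conf" | grep -v '^[[:space:]]*$')
EOF
    [ "$drift" -eq 0 ]
}

# Constructed fixture (all paths and values assumed): a fake /proc/sys tree
# and a sysctl.d file whose ip_forward line was written but never loaded.
make_fixture() {
    local root="$1"
    mkdir -p "$root/proc/sys/net/ipv4/conf/all" "$root/proc/sys/kernel" "$root/etc/sysctl.d"
    printf '0\n' >"$root/proc/sys/net/ipv4/ip_forward"
    printf '1\n' >"$root/proc/sys/net/ipv4/conf/all/rp_filter"
    printf '4\t4\t1\t7\n' >"$root/proc/sys/kernel/printk"
    cat >"$root/etc/sysctl.d/99-local.conf" <<'EOF'
# needed for firewalld masquerading and forward-port with toaddr=
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
kernel.printk = 4 4 1 7
; this key does not exist in the fixture tree
net.ipv4.conf.all.accept_redirects = 0
EOF
}

# "bash sysctl_audit.sh --demo" runs against the fixture; on a real host use
# sysctl_audit /etc/sysctl.d/99-local.conf
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_fixture "$root"
    sysctl_audit "$root/etc/sysctl.d/99-local.conf" "$root"
    rc=$?
    rm -rf "$root"
    exit "$rc"
fi
```

A DRIFT line for net.ipv4.ip_forward is the usual symptom of editing the file and forgetting sysctl -p; a MISSING line means the file names a key the running kernel does not have, which sysctl -p only reports as an error scrolling past at boot.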
- Configure a system to authenticate using Kerberos
- Install the required packages:
yum -y install krb5-workstation pam_krb5
- Edit the /etc/krb5.conf file:
- Uncomment all lines.
- Replace all example domain names and realms.
- Change the example kdc and admin_server to your KDC.
- Add principals on the KDC. ktadd writes the key into /etc/krb5.keytab on the host where kadmin is running, so run the ktadd for each host on that host (or use ktadd -k <file> and copy the file to the host over a secure channel):
kadmin -p root/admin
kadmin: addprinc -randkey host/test1.example.com
kadmin: addprinc -randkey host/test2.example.com
kadmin: addprinc -randkey host/test3.example.com
kadmin: ktadd host/test1.example.com
kadmin: ktadd host/test2.example.com
kadmin: ktadd host/test3.example.com
- Retrieve ticket:
kinit benst
- Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target
Initiator
- Configure system as client (initiator), install the required packages:
yum install iscsi-initiator-utils
- Edit /etc/iscsi/initiatorname.iscsi and set the InitiatorName, for example:
InitiatorName=iqn.2016-04.nl.polaire:test4
- If the target requires CHAP, edit /etc/iscsi/iscsid.conf and set the method, username and password:
node.session.auth.authmethod = CHAP
node.session.auth.username = <username>
node.session.auth.password = <password>
- Start the iSCSI service (enable it as well, so that recorded nodes are logged in again at boot):
systemctl start iscsi
- Discover targets:
iscsiadm --mode discovery --type sendtargets --portal 1.2.3.4
- Log in on target:
iscsiadm --mode node --targetname iqn.2000-01.nl.polaire:rackstation.target-Test --portal 1.2.3.4 --login
- You have now access to the block device:
lsblk --scsi
NAME HCTL       TYPE VENDOR   MODEL            REV  TRAN
sda  1:0:0:0    disk ATA      KINGSTON SMS200S BBF0 sata
sdc  7:0:0:0    disk SYNOLOGY IBLOCK           4.0  iscsi
- You can now create a file system (or use LVM first) and mount it at boot.
- Create a file system and mount it at boot. Use the UUID, because the sdX name can change between boots, and _netdev, which delays the mount until the network and the iSCSI login are up (without it the boot hangs waiting for the device):
mkfs.xfs /dev/sdc
mkdir /data
mount /dev/sdc /data
echo "UUID=`blkid -s UUID -o value /dev/sdc` /data xfs _netdev 0 0" >>/etc/fstab
umount /data
mount -a   # test, then reboot to verify
- Show nodes:
iscsiadm -m discoverydb -P1
- If you need to delete a node:
iscsiadm -m node -p 172.16.10.39 --op=delete
- If systemd unmounts a newly added volume after you edit /etc/fstab, run systemctl daemon-reload so that the generated mount units match the file.
Target
- Install targetcli:
yum install -y targetcli
- Enable the service, so that the saved configuration is restored at boot:
systemctl enable target
- Create file backed store:
targetcli
/> backstores/fileio/ create shareddata /opt/iscsi.img 1G
Created fileio shareddata with size 1073741824
/> iscsi/ create iqn.2016-04.nl.polaire:target1
Created target iqn.2016-04.nl.polaire:target1.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
- The default portal listens on every address; for anything beyond a lab, create the portal with the storage-network address instead (portals/ create <ip>). If no default portal was created (auto_add_default_portal=false), cd into the target's TPG and create one:
/> cd iscsi/iqn.2016-04.nl.polaire:target1/tpg1
/iscsi/iqn.20...laire:target1> portals/ create
- Create a LUN:
targetcli /iscsi/iqn.20...laire:target1> luns/ create /backstores/fileio/shareddata
- Create ACL:
acls/ create iqn.2016-04.nl.polaire:test4
- Set the CHAP credentials for that ACL (they must match node.session.auth.* in iscsid.conf on the initiator):
/iscsi/iqn.20...ample:t1/tpg1> cd acls/iqn.2016-04.nl.polaire:test4/
/iscsi/iqn.20...xample:client> set auth userid=username
Parameter userid is now 'username'.
/iscsi/iqn.20...xample:client> set auth password=pwd
- The configuration is saved in /etc/target/saveconfig.json (targetcli writes it when you exit, or on saveconfig) and the target service restores it at boot.
- Open firewall port:
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload
- Produce and deliver reports on system utilization (processor, memory, disk, and network)
- top, sar, vmstat, iostat, tcpdump…
- Use shell scripting to automate system maintenance tasks
- bash scripting…
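- Added example, not part of these notes, serving both objectives above: a small utilisation report that needs nothing but /proc, the kind of script to schedule from cron when sar is not collecting. It reports CPU count, 1-minute load, memory available and per-interface byte counters, and exits non-zero when a threshold is crossed. The thresholds (load above the CPU count, less than 10% of memory available) are assumptions, and everything in make_proc_fixture is constructed data; on a real host call sys_report with no argument.

```bash
#!/bin/bash
# Added example, not from the RHCE notes: a small utilisation report built
# only from /proc, the kind of script to schedule from cron when sar is not
# collecting. sys_report [procdir] reads cpuinfo, loadavg, meminfo and
# net/dev below procdir (default /proc) so the parsing can be tested on a
# constructed tree. The thresholds are assumptions: WARN when the 1-minute
# load exceeds the CPU count or less than 10% of memory is available.
# Returns 1 when anything was flagged, 0 otherwise.
sys_report() {
    local proc="${1:-/proc}" cpus load1 total avail pct warn=0
    cpus=$(grep -c '^processor' "$proc/cpuinfo")
    load1=$(cut -d' ' -f1 "$proc/loadavg")
    total=$(awk '/^MemTotal:/ { print $2 }' "$proc/meminfo")
    # MemAvailable is the figure that matters; on a kernel without it
    # (pre-3.14 without the RHEL backport) approximate with free+buffers+cached
    avail=$(awk '/^MemAvailable:/ { a = $2 }
                 /^MemFree:|^Buffers:|^Cached:/ { f += $2 }
                 END { print (a ? a : f) }' "$proc/meminfo")
    pct=$((avail * 100 / total))
    printf 'cpus=%s load1=%s\n' "$cpus" "$load1"
    printf 'mem_total_kb=%s mem_available_kb=%s available_pct=%s\n' "$total" "$avail" "$pct"
    # /proc/net/dev: skip the two header lines, split the "iface:" prefix off;
    # field 2 is received bytes, field 10 transmitted bytes
    sed '1,2d; s/^ *//; s/:/ /' "$proc/net/dev" |
        awk '{ printf "net %s rx_bytes=%s tx_bytes=%s\n", $1, $2, $10 }'
    # the shell only does integer arithmetic, so compare the load in awk
    if awk -v l="$load1" -v c="$cpus" 'BEGIN { exit !(l > c) }'; then
        printf 'WARN load1 %s exceeds cpu count %s\n' "$load1" "$cpus"
        warn=1
    fi
    if [ "$pct" -lt 10 ]; then
        printf 'WARN only %s%% of memory available\n' "$pct"
        warn=1
    fi
    return "$warn"
}

# Constructed fixture (all numbers assumed): two CPUs, an overloaded box that
# is also nearly out of memory.
make_proc_fixture() {
    local p="$1"
    mkdir -p "$p/net"
    printf 'processor\t: 0\nmodel name\t: x\nprocessor\t: 1\nmodel name\t: x\n' >"$p/cpuinfo"
    printf '3.52 2.10 1.05 1/213 4242\n' >"$p/loadavg"
    printf 'MemTotal:        4048384 kB\nMemFree:          120000 kB\nMemAvailable:     300000 kB\nBuffers:           40000 kB\nCached:           200000 kB\n' >"$p/meminfo"
    cat >"$p/net/dev" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456    1000    0    0    0     0          0         0   123456    1000    0    0    0     0       0          0
enp2s0: 98765432  654321    0    0    0     0          0       123  4567890   34567    0    0    0     0       0          0
EOF
}

# "bash sys_report.sh --demo" prints the report for the fixture; on a real
# host just call sys_report.
if [ "${1:-}" = "--demo" ]; then
    p=$(mktemp -d)
    make_proc_fixture "$p"
    sys_report "$p"
    rc=$?
    rm -rf "$p"
    exit "$rc"
fi
```

The byte counters are cumulative since boot; a cron job that stores the previous run's output and diffs it gives per-interval throughput, which is what you actually compare against sar -n DEV.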
- Network services
- Install the packages needed to provide the service
yum, rpm
- Configure SELinux to support the service
ls -lZ, restorecon, semanage; check the audit log (auditd) for AVC denials
- Use SELinux port labeling to allow services to use non-standard ports
- Install tools:
yum install policycoreutils-python
- List ports:
semanage port -l | grep ssh
- Label the new port (use -a for a port that has no label yet; -m modifies a port that already carries another label, and fails for an unlabeled one):
semanage port -a -t ssh_port_t -p tcp 4321
- Configure the service to start when the system is booted
- Enable server to start at boot:
systemctl enable <servicename>
- Configure the service for basic operation
systemctl start <servicename>
systemctl stop <servicename>
systemctl restart <servicename>
systemctl enable <servicename>
systemctl reenable <servicename>
systemctl status <servicename>
- Add custom unit files in /etc/systemd/system (run systemctl daemon-reload afterwards).
- Configure host-based and user-based security for the service
- This is service specific; see the httpd Require host and Require user directives, the client list in /etc/exports, and hosts allow / valid users in smb.conf below.
HTTP/HTTPS
- Configure a virtual host
- Install httpd:
yum install httpd
- Enable service:
systemctl enable httpd
- Create a directory for the virtual host files:
mkdir /var/www/html/virta
- Create an index.html:
echo "<html><head><title>virta virtual host</title></head><body>This is virtual host -virta-</body></html>" >/var/www/html/virta/index.html
- Restore SELinux labels if needed:
restorecon -Rv /var/www/html/
- Create the virtual host config in /etc/httpd/conf.d/1-virta.conf (files in conf.d are read in alphabetical order, and the first name-based vhost is the default for requests that match no ServerName). An example is in /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf:
<VirtualHost *:80>
    ServerAdmin ben@polaire.nl
    DocumentRoot "/var/www/html/virta/"
    ServerName virta.polaire.nl
    ServerAlias www.virta.polaire.nl
    ErrorLog "/var/log/httpd/virta-error_log"
    CustomLog "/var/log/httpd/virta-access_log" common
</VirtualHost>
- You can add the virta hostname in DNS, or for this test in the /etc/hosts file.
- Test config:
apachectl configtest
- Start httpd:
systemctl start httpd
- Open firewall port:
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --reload
- Show all running virtual hosts:
httpd -D DUMP_VHOSTS
- Test with
elinks
on local host.
- Configure private directories
- Create a private directory:
mkdir /var/www/html/virta/private
- Create a test file:
echo "This is private" >/var/www/html/virta/private/index.html
- Add the config below for host-based access control (Require host does a reverse and a forward DNS lookup on every request; Require ip <network> or Require local avoids that):
<Directory "/var/www/html/virta/private">
    AllowOverride None
    Options None
    Require host test.polaire.nl localhost
</Directory>
- For user-based authentication, create the following config (Basic auth sends the password in the clear, so put this behind the HTTPS vhost):
<Directory "/var/www/html/virta/private/">
    AuthType Basic
    AuthName "Password protected"
    AuthUserFile /etc/httpd/conf/passwd
    Require user testuser
</Directory>
- Save the user and password:
htpasswd -c /etc/httpd/conf/passwd testuser
- Modify rights:
chmod 600 /etc/httpd/conf/passwd
chown apache:apache /etc/httpd/conf/passwd
- Deploy a basic CGI application
- Simplest method: put an executable Perl script in /var/www/cgi-bin, which the default config already maps with ScriptAlias.
- Or use your own directory and configure the vhost. The directory must also be mapped into the URL space (ScriptAlias), the script must be executable, and the directory needs the httpd_sys_script_exec_t SELinux label or the script will not run:
<Directory "/usr/local/cgi-bin/">
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
- Bash script. Everything up to the first blank line is parsed as headers, so the empty echo has to come directly after the Content-type line and the date after it:
#!/bin/bash
echo "Content-type: text/html"
echo
date
echo "Testing CGI scripts..."
- Configure group-managed content
- Configure the Directory directive:
<Directory "/var/www/html/virta/private/">
    AuthType Basic
    AuthName "Group test"
    AuthGroupFile /etc/httpd/conf/group
    AuthUserFile /etc/httpd/conf/passwd
    Require group usergroup
</Directory>
- Create the group file /etc/httpd/conf/group:
usergroup: user1 user2
- Create the password file /etc/httpd/conf/passwd:
htpasswd -c /etc/httpd/conf/passwd user1
htpasswd /etc/httpd/conf/passwd user2
- Configure TLS security
- Have the httpd server running.
- Install the required packages (haveged only speeds up key generation on a VM with little entropy):
yum install crypto-utils mod_ssl lynx haveged
- Start and enable haveged:
systemctl start haveged
systemctl enable haveged
- Run genkey. --test skips the slow random-data step; use it only in a lab, a real key needs proper entropy. The key it writes under /etc/pki/tls/private must stay readable by root only:
genkey server.domain.tld
- Edit /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /etc/pki/t ls/certs/test.polaire.nl.crt
SSLCertificateKeyFile /etc/pki/tls/private/test.polaire.nl.key
ServerName test.polaire.nl:443
- Create a new virtual host for HTTPS (port 443); see the example in ssl.conf.
- Check the config and restart Apache:
apachectl configtest
systemctl restart httpd
- Open firewall https port 443.
- Test with lynx
DNS
- Configure a caching-only name server
- Install unbound:
yum install unbound
- Configure unbound, edit /etc/unbound/unbound.conf (all of these belong in the server: clause). The access-control lines below allow recursion from anywhere; on a server reachable from the internet restrict them to your own networks, otherwise you run an open resolver that can be used for amplification attacks:
interface: 0.0.0.0
interface: ::0
do-ip4: yes
do-ip6: yes
do-udp: yes
use-syslog: yes
hide-identity: yes
hide-version: yes
#val-permissive-mode: yes   # might be needed if the upstream does not support DNSSEC
access-control: 0.0.0.0/0 allow
access-control: ::0/0 allow
domain-insecure: "your-domain.tld"
- Create a forward zone for everything in /etc/unbound/conf.d/forward.conf:
forward-zone:
    name: "."
    forward-addr: 1.2.3.4
    forward-addr: 1.2.3.5
- Check config:
unbound-checkconf /etc/unbound/unbound.conf
- Start and enable the service:
systemctl start unbound.service
systemctl enable unbound.service
- Open the firewall for DNS (53/udp and 53/tcp; the firewalld dns service covers both).
- Troubleshoot DNS client issues
- Use the host or dig command, and check the journal (journalctl).
NFS
- Provide network shares to specific clients
- Install packages:
yum groupinstall file-server
- Open firewall:
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
- Start services and configure them to start at boot:
systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server
- Create the shared directories:
mkdir -p /home/share1
chmod 0777 /home/share1
mkdir -p /home/share2
chmod 0777 /home/share2
- Set SELinux contexts:
semanage fcontext -a -t public_content_rw_t "/home/share1(/.*)?"
semanage fcontext -a -t public_content_rw_t "/home/share2(/.*)?"
restorecon -Rv /home/share1
restorecon -Rv /home/share2
- Create the shares in /etc/exports. The client must be followed directly by its options: a space before the parenthesis exports the directory to every host. no_root_squash lets root on the client act as root on the share, so use it only where that is intended:
/home/share1 test1.yourdomain.tld(rw,no_root_squash)
/home/share2 test2.yourdomain.tld(rw,no_root_squash)
- Export the filesystems (re-exports everything in /etc/exports without a restart):
exportfs -avr   # or: systemctl restart nfs-server
- For showmount to work, open the firewall for the additional ports:
firewall-cmd --add-service=mountd --permanent
firewall-cmd --add-service=rpc-bind --permanent
firewall-cmd --reload
- Configure the client:
yum install nfs-utils
showmount -e nfs.yourdomain.tld
mount -t nfs nfs.yourdomain.tld:/home/share1 /mnt
- Provide network shares suitable for group collaboration
- Create an NFS server.
- Create a shared directory.
- Create a group.
- Assign group to shared directory.
- Set permissions to directory.
chmod 0770 /home/Shared   # no sticky or setgid bit: every group member can add files and delete any file; new files get the creator's primary group, so with the default umask 0022 members can read but not write each other's files
chmod 1770 /home/Shared   # sticky bit: as above, but only the owner of a file (or the directory owner) can delete it
chmod 2770 /home/Shared   # setgid bit: new files and subdirectories inherit the directory's group; with a umask of 0002 (or a default ACL) group members can then also write each other's files
chmod 3770 /home/Shared   # sticky and setgid bits: as above, except only the owner can delete a file
- Create /etc/exports (root_squash, the default, is normally what you want for a collaboration share; no_root_squash is shown here only because the notes use it throughout):
/home/Shared client(rw,no_root_squash)
- Export the directory:
exportfs -avr   # or: systemctl restart nfs-server
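- Added example, not part of these notes: a lint for /etc/exports to run before exportfs -avr. It warns about the things that silently widen access: a wildcard or missing client, no_root_squash (root on the client is root on the share), insecure, and the classic "host (options)" mistake, where the space makes the options apply to a second, implicit * client (documented in exports(5)). The sample exports file is constructed; the host names follow the ones used in these notes.

```bash
#!/bin/bash
# Added example, not from the RHCE notes: lint /etc/exports before running
# exportfs. exports_lint [file] warns about the things that silently widen
# access: a wildcard or missing client, no_root_squash (root on the client is
# root on the share), insecure (unprivileged source ports), and the classic
# "host (options)" mistake, where the space makes the options apply to a
# second, implicit "*" client (see exports(5)). Returns 0 when clean.
exports_lint() {
    local file="${1:-/etc/exports}" findings=0 dir rest tok client opts
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    set -f    # a token like "*(ro)" must not be glob-expanded below
    while read -r dir rest; do
        case "$dir" in ''|\#*) continue ;; esac
        if [ -z "$rest" ]; then
            printf 'WARN %s: no client given, exported to every host\n' "$dir"
            findings=$((findings + 1))
            continue
        fi
        for tok in $rest; do
            case "$tok" in
                \(*)
                    printf 'WARN %s %s: space before options exports "%s" to every host\n' "$dir" "$tok" "$tok"
                    findings=$((findings + 1))
                    continue ;;
                *\(*) client=${tok%%\(*}; opts=${tok#*\(}; opts=${opts%\)} ;;
                *)    client=$tok; opts='' ;;
            esac
            case "$client" in
                ''|*\**)
                    printf 'WARN %s %s: wildcard client\n' "$dir" "$client"
                    findings=$((findings + 1))
                    continue ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    printf 'WARN %s %s: no_root_squash (remote root is root on this export)\n' "$dir" "$client"
                    findings=$((findings + 1))
                    continue ;;
                *,insecure,*)
                    printf 'WARN %s %s: insecure (clients may use unprivileged source ports)\n' "$dir" "$client"
                    findings=$((findings + 1))
                    continue ;;
            esac
            printf 'OK   %s %s %s\n' "$dir" "$client" "${opts:-(default options)}"
        done
    done <"$file"
    set +f
    [ "$findings" -eq 0 ]
}

# Constructed sample exports file; the host names follow the ones used in
# these notes.
sample_exports() {
    cat <<'EOF'
# constructed sample
/home/share1 test1.yourdomain.tld(rw,no_root_squash)
/home/share2 10.1.2.0/24(rw,sync,root_squash)
/home/share3 *(ro)
/home/share4 test4.yourdomain.tld (rw)
/home/share5 nfsclient.yourdomain.tld(rw,sec=krb5p)
EOF
}

# "bash exports_lint.sh --demo" lints the sample; on a server run
# exports_lint /etc/exports before exportfs -avr.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_exports >"$tmp"
    exports_lint "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

The share4 line shows why the lint exists: exportfs accepts it without complaint, test4 gets the default read-only export, and every other host on the network gets read-write.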
- Use Kerberos to control access to NFS network shares
- Configure working NTP (NTPd or Chrony) and DNS.
- Install Kerberos KDC:
yum install krb5-server krb5-workstation pam_krb5
yum install haveged   # for entropy
systemctl start haveged
systemctl enable haveged
vi /var/kerberos/krb5kdc/kdc.conf
# replace EXAMPLE.COM with your own realm
# uncomment the master_key_type = aes256-cts line
# and add the following line to the [realms] stanza:
# default_principal_flags = +preauth
vi /etc/krb5.conf
# uncomment all the lines, replace EXAMPLE.COM with your own realm,
# example.com with your own domain name, and kerberos.example.com
# with your own KDC server name (here kbserver.yourdomain.tld)
vi /var/kerberos/krb5kdc/kadm5.acl
# replace EXAMPLE.COM with your own realm
# Create the Kerberos database
kdb5_util create -s -r YOURDOMAIN.TLD
# Start and enable the KDC and kadmin
systemctl start krb5kdc kadmin
systemctl enable krb5kdc kadmin
# Add local users
useradd test1
useradd test2
# Start the Kerberos admin shell
kadmin.local
# Create the admin principal
kadmin.local: addprinc root/admin
# Create user principals
kadmin.local: addprinc test1
kadmin.local: addprinc test2
# Add the KDC host principal
kadmin.local: addprinc -randkey host/kbserver.yourdomain.tld
# Store its key in the local /etc/krb5.keytab
kadmin.local: ktadd host/kbserver.yourdomain.tld
kadmin.local: quit
# Open the firewall (kerberos is 88; kadmin from other hosts also needs the kadmin service, 749/tcp)
firewall-cmd --permanent --zone public --add-service kerberos
firewall-cmd --reload
# Test
su - test1
kinit
klist
- Setup an NFS server:
yum groupinstall file-server
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload
# Activate and start the NFS server
systemctl enable rpcbind nfs-server
systemctl start rpcbind nfs-server
# Create a shared directory
mkdir -p /home/share
chmod 0777 /home/share
yum install policycoreutils-python   # provides the semanage command
semanage fcontext -a -t public_content_rw_t "/home/share(/.*)?"
restorecon -Rv /home/share
echo "/home/share nfsclient.yourdomain.tld(rw,no_root_squash)" >> /etc/exports
exportfs -avr
showmount -e localhost
- Configure the NFS client:
yum install nfs-utils
showmount -e nfsserver.yourdomain.tld
mount -t nfs nfsserver.yourdomain.tld:/home/share /mnt
- Configure the NFS server and NFS client as kerberos client.
# Install on both the NFS server and the client:
yum install krb5-workstation pam_krb5
# Copy /etc/krb5.conf from the KDC to the NFS client and server.
# Add the principals (on the KDC):
kadmin
kadmin: addprinc -randkey nfs/nfsserver.yourdomain.tld
kadmin: addprinc -randkey nfs/nfsclient.yourdomain.tld
kadmin: quit
# Each host needs only its own nfs/ key in /etc/krb5.keytab. Run kadmin with
# ktadd on that host (it writes the local keytab), or on the KDC use
# ktadd -k <file> per principal and copy each file to its host over a secure
# channel. Do not hand the KDC's own /etc/krb5.keytab to the clients.
# On the NFS server:
kadmin: ktadd nfs/nfsserver.yourdomain.tld
# On the NFS client:
kadmin: ktadd nfs/nfsclient.yourdomain.tld
# Add sec=krb5 to the export on the NFS server and re-export (exportfs -avr).
# sec=krb5 only authenticates; krb5i adds integrity protection, krb5p also encrypts the traffic.
/home/share nfsclient.yourdomain.tld(rw,no_root_squash,sec=krb5)
# Activate and start secure NFS on the server (RHEL 7.0 only)
systemctl enable nfs-secure-server && systemctl start nfs-secure-server
# Activate and start NFS on the client:
# RHEL 7.0
systemctl enable nfs-secure && systemctl start nfs-secure
# RHEL >= 7.1
systemctl enable nfs-client.target && systemctl start nfs-client.target
# Mount the remote directory:
mount -t nfs4 -o sec=krb5 nfsserver.yourdomain.tld:/home/share /mnt
SMB
- Provide network shares to specific clients
- Install packages:
yum groupinstall "File and Print Server"
- Create directory:
mkdir /opt/smbdata
- Set rights (testuser must already exist; see the useradd step below):
chown testuser.users /opt/smbdata
chmod 775 /opt/smbdata
- Set SELinux context:
semanage fcontext -a -t samba_share_t "/opt/smbdata(/.*)?"
restorecon -Rv /opt/smbdata
- Edit /etc/samba/smb.conf: change workgroup and add the share. hosts allow restricts by source network and valid users by account; both have to be satisfied:
[data]
    comment = Data
    path = /opt/smbdata
    browseable = yes
    writeable = yes
    hosts allow = 10.1.2.
    valid users = testuser
- Test the config with testparm.
- Enable and start smb, nmb and winbind.
- Create the user (a local account without a login shell; the Samba password is stored separately from the Linux password):
useradd -s /sbin/nologin testuser
smbpasswd -a testuser
- Open firewall for CIFS (samba) traffic.
- Test:
smbclient //localhost/data -U testuser
- On the client install the required packages:
yum install cifs-utils samba-client
- Test connection:
smbclient -L <server> -U <username>
smbclient //server/data -U <username>
- Provide network shares suitable for group collaboration
- Without Kerberos you can use a multiuser mount: root mounts the share with one set of credentials, and each user then adds their own with cifscreds, so that their file access happens in their own SMB session.
- Create a credentials file /root/smb-creds (it holds a clear-text password, so keep it owned by root with mode 600):
username=user01
password=...
- Test with:
mount -t cifs -o multiuser,credentials=/root/smb-creds //test6/data /mnt
- Switch to another user and run cifscreds add <server>, which prompts for that user's SMB password.
- Test whether you can read and write files.
- Mount in fstab:
//test6/data /mnt cifs multiuser,credentials=/root/smb-creds 0 0
SMTP
- Configure a system to forward all email to a central mail server
- Edit /etc/postfix/main.cf and point relayhost at the central mail server (write the name in square brackets to skip the MX lookup), then restart postfix. Check the options with man 5 postconf.
SSH
- Configure key-based authentication
- Configure additional options described in documentation
NTP
- Synchronize time using other NTP peers
- Database services
- Install and configure MariaDB
- Backup and restore a database
- Create a simple database schema
- Perform simple SQL queries against a database
rhce7_objectives.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1