Ben's notes

Linux, Unix, network, radio...

RHCE7 EX300 objectives (20160323)

- System configuration and management

  • Start with two systems, each having at least two network interfaces.
  • Bonding is not supported over crossover cables or other direct links. If an interface is administratively disabled in such a setup, the PHY may still keep the electrical link to the peer up, so link-state based failover does not trigger as expected and the bond stops communicating.

Teaming

Teaming is new in RHEL 7.

  • First, install the team daemon, if it has not been installed yet:
    yum install teamd
  • Create a new team interface:
    nmcli connection add type team con-name team0
  • Add interfaces to the team:
    nmcli con add type team-slave ifname enp2s0 master team0
    nmcli con add type team-slave ifname enp3s0 master team0
  • Bring interfaces up (first the ports, then master):
    nmcli c up team-slave-enp2s0
    nmcli c up team-slave-enp3s0
    nmcli c up team0
  • Team status:
    teamdctl nm-team state
    setup:
      runner: roundrobin
    ports:
      enp3s0
        link watches:
          link summary: up
          instance[link_watch_0]:
            name: ethtool
            link: up
            down count: 0
      enp2s0
        link watches:
          link summary: up
          instance[link_watch_0]:
            name: ethtool
            link: up
            down count: 0
  • Team port status:
    teamnl nm-team ports
     4: enp3s0: up 1000Mbit FD 
     3: enp2s0: up 1000Mbit FD
  • Modify the runner type (the change takes effect when the connection is re-activated with nmcli c up team0):
    nmcli con mod team0 team.config '{ "runner": {"name": "loadbalance"}}'

Runners

  • broadcast (data is transmitted over all ports)
  • round-robin (data is transmitted over all ports in turn)
  • active-backup (one port or link is used while others are kept as a backup)
  • loadbalance (with active Tx load balancing and BPF-based Tx port selectors)
  • lacp (implements the 802.3ad Link Aggregation Control Protocol)

In addition, the following link-watchers are available:

  • ethtool (Libteam lib uses ethtool to watch for link state changes). This is the default if no other link-watcher is specified in the configuration file.
  • arp_ping (The arp_ping utility is used to monitor the presence of a far-end hardware address using ARP packets.)
  • nsna_ping (Neighbor Advertisements and Neighbor Solicitation from the IPv6 Neighbor Discovery protocol are used to monitor the presence of a neighbor's interface)

There are no restrictions in the code to prevent a particular link-watcher from being used with a particular runner, however when using the lacp runner, ethtool is the only recommended link-watcher.

Bonding
  • Create a bond:
    nmcli con add type bond con-name bond0 ifname bond0 mode active-backup
  • Add slaves (one per physical interface):
    nmcli con add type bond-slave ifname enp2s0 master bond0
    nmcli con add type bond-slave ifname enp3s0 master bond0
  • Bring up slaves and then the bond0 interface:
    nmcli con up bond-slave-enp2s0
    nmcli con up bond-slave-enp3s0
    nmcli con up bond0
  • Change bond options (the link-monitoring interval option is called miimon, not mii; re-activate the connection afterwards with nmcli con up bond0):
    nmcli con mod bond0 +bond.options miimon=100
    nmcli con mod bond0 +bond.options mode=802.3ad
  • Show bond statistics:
    cat /proc/net/bonding/bond0 
    Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
    
    Bonding Mode: load balancing (round-robin)
    MII Status: up
    MII Polling Interval (ms): 100
    Up Delay (ms): 0
    Down Delay (ms): 0
    
    Slave Interface: enp2s0
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 1
    Permanent HW addr: 00:0d:b9:33:90:75
    Slave queue ID: 0
    
    Slave Interface: enp3s0
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 1
    Permanent HW addr: 00:0d:b9:33:90:76
    Slave queue ID: 0
    

- Configure IPv6 addresses and perform basic IPv6 troubleshooting

  • Add static IPv6 address:
    nmcli c edit enp1s0
    nmcli> set ipv6.addresses 2001:470:xxxx:xxxx::10/64
    nmcli> set ipv6.gateway 2001:470:xxxx:xxxx::1
    nmcli> save
    nmcli> quit
    nmcli c up enp1s0
  • Troubleshoot with:
    • Ping: ping6
    • Traceroute: traceroute6
    • Resolve hostnames: host -t AAAA <ipv6 hostname>
    • Show routes: ip -6 r
    • Show neighbours: ip neigh
    • Portscan: nmap -6 <ipv6 address>
    • Show firewall rules: ip6tables -nvL
    • Telnet test, Star Wars: telnet towel.blinkenlights.nl
    • Telnet test, BOFH excuse server: telnet towel.blinkenlights.nl 666

- Route IP traffic and create static routes

  • Show routes: ip r (short for ip route)
  • Add static route: nmcli con edit <connection> → set ipv4.routes 1.2.3.0/24 1.2.3.1 → save → quit (the first value is the destination network, the second the next hop)
  • Remove static route: nmcli con edit <connection> → remove ipv4.routes 1.2.3.0/24 1.2.3.1 → save → quit
  • nmcli saves the configuration in /etc/sysconfig/network-scripts (ifcfg-* and route-* files). You can also disable NetworkManager and write those files yourself.

- Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)

  • List current active zones: firewall-cmd --get-active-zones
  • List default zone: firewall-cmd --get-default-zone
  • List all information in zone: firewall-cmd --zone public --list-all
  • To make rules permanent, add --permanent (the change then only lands in the saved configuration and is not active until the next reload).
  • Reload after using --permanent: firewall-cmd --reload
  • Open a service in a zone: firewall-cmd --permanent --zone internal --add-service ssh (for a bare port use --add-port=2222/tcp)
  • Instead of opening a port/service, remove a service with: --remove-service
  • Add a source to zone: firewall-cmd --permanent --zone internal --add-source 1.2.3.4/24
  • Instead of adding a source, remove it with: --remove-source
  • Add new service XML files to /etc/firewalld/services/, find examples in: /usr/lib/firewalld/services/.
  • Add masquerading (source NAT for traffic leaving the zone): firewall-cmd --permanent --zone=external --add-masquerade
  • Port forwarding: firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=2222 (forwarding to another host with toaddr= additionally needs net.ipv4.ip_forward=1 and masquerading on the zone)
  • Direct rule example (direct rules are passed to iptables unchanged and bypass the zone logic, so keep them to a minimum): firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 5001 -j ACCEPT
  • List all direct rules: firewall-cmd --direct --get-all-rules

- Use /proc/sys and sysctl to modify and set kernel runtime parameters

  • Change a variable temporarily: echo 1 >/proc/sys/net/ipv4/ip_forward (or sysctl -w net.ipv4.ip_forward=1); it is lost at reboot.
  • Make it permanent: put net.ipv4.ip_forward = 1 in /etc/sysctl.d/<name>.conf and load it with sysctl -p /etc/sysctl.d/<name>.conf. Note that sysctl -p without a file name only reads /etc/sysctl.conf; sysctl --system loads all drop-in directories in order, later files overriding earlier ones.
  • Read all variables with sysctl: sysctl -a
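
The ordering rules are easy to get wrong in practice: sysctl --system processes the drop-in directories file by file in lexical order and /etc/sysctl.conf last, so a later file silently overrides an earlier one. The script below is an added example (not from the original page) that models that resolution for a directory of drop-ins plus a main file and checks the result against a small hardening baseline. The directory layout, file names, keys and baseline values are constructed for the example; the real command also reads /run/sysctl.d and /usr/lib/sysctl.d, which are left out here.

```bash
#!/bin/bash
# Added example (not from the page): work out which value a kernel parameter
# ends up with when several drop-in files set it, the way `sysctl --system`
# does. Simplified model: every <dropin_dir>/*.conf in lexical order, then
# <main_conf> (/etc/sysctl.conf) last; the last assignment wins. The real
# command also reads /run/sysctl.d, /usr/lib/sysctl.d and /usr/local/lib/sysctl.d,
# which are omitted. File names, keys and baseline values below are constructed.

# Print "key=value" lines from one sysctl file: strip comments and blanks,
# normalise "net/ipv4/ip_forward" to "net.ipv4.ip_forward" and drop the
# leading "-" that means "ignore errors for this key".
parse_sysctl_file() {
    awk '
        { sub(/[#;].*$/, "") }
        /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            sub(/^-/, "", key)
            gsub(/\//, ".", key)
            print key "=" val
        }' "$1"
}

# Effective key=value list after applying all files in sysctl --system order.
effective_sysctl() {
    dropin_dir=$1; main_conf=$2
    {
        for f in "$dropin_dir"/*.conf; do        # glob expansion is sorted
            [ -f "$f" ] && parse_sysctl_file "$f"
        done
        [ -f "$main_conf" ] && parse_sysctl_file "$main_conf"
    } | awk -F= '{ v[$1] = substr($0, index($0, "=") + 1) }
                 END { for (k in v) print k "=" v[k] }' | sort
}

# Value of one key, empty if it is set nowhere.
effective_value() {
    effective_sysctl "$1" "$2" |
        awk -F= -v k="$3" '$1 == k { print substr($0, index($0, "=") + 1) }'
}

# Compare the effective values with a small hardening baseline (constructed for
# this example); exit status 1 if anything is missing or different.
check_baseline() {
    effective=$(effective_sysctl "$1" "$2")
    rc=0
    for entry in net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 \
                 net.ipv4.conf.all.send_redirects=0 net.ipv4.tcp_syncookies=1; do
        key=${entry%%=*}; want=${entry#*=}
        got=$(printf '%s\n' "$effective" |
              awk -F= -v k="$key" '$1 == k { print substr($0, index($0, "=") + 1) }')
        if [ "$got" = "$want" ]; then
            printf 'ok       %s = %s\n' "$key" "$got"
        else
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Build a throw-away tree that mimics /etc/sysctl.d plus /etc/sysctl.conf and
# print its path. 50-router.conf enables forwarding (as for the firewalld NAT
# setup), 99-hardening.conf disables it again; 99 sorts after 50, so it wins.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/sysctl.d"
    cat > "$root/sysctl.d/50-router.conf" <<'EOF'
# constructed sample
net.ipv4.ip_forward = 1
net/ipv4/conf/all/rp_filter = 1
EOF
    cat > "$root/sysctl.d/99-hardening.conf" <<'EOF'
# constructed sample: a later drop-in overrides 50-router.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
-net.ipv4.tcp_syncookies = 1
EOF
    cat > "$root/sysctl.conf" <<'EOF'
# constructed sample: /etc/sysctl.conf is applied last of all
net.ipv4.conf.all.send_redirects = 0
EOF
    printf '%s\n' "$root"
}

demo=$(build_demo_tree)
echo "effective values:"
effective_sysctl "$demo/sysctl.d" "$demo/sysctl.conf"
echo "ip_forward resolves to: $(effective_value "$demo/sysctl.d" "$demo/sysctl.conf" net.ipv4.ip_forward)"
check_baseline "$demo/sysctl.d" "$demo/sysctl.conf"
rm -rf "$demo"
```

On a real host, point effective_sysctl at /etc/sysctl.d and /etc/sysctl.conf and compare the output with sysctl -a to spot a drop-in that never took effect because a later file overrode it.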

- Configure a system to authenticate using Kerberos

  • Install the required packages:
    yum -y install krb5-workstation pam_krb5
  • Edit the /etc/krb5.conf file:
    • Uncomment all lines.
    • Replace all example domain names and realms.
    • Change example kdc and admin_server.
  • Add principals on KDC:
    kadmin -p root/admin
    kadmin:  addprinc -randkey host/test1.example.com
    kadmin:  addprinc -randkey host/test2.example.com
    kadmin:  addprinc -randkey host/test3.example.com
    
    kadmin:  ktadd host/test1.example.com
    kadmin:  ktadd host/test2.example.com
    kadmin:  ktadd host/test3.example.com
  • Retrieve a ticket and check it:
    kinit benst
    klist

- Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target

Initiator

  • Configure system as client (initiator), install the required packages:
     yum install iscsi-initiator-utils
  • Edit /etc/iscsi/initiatorname.iscsi and set the InitiatorName. For example:
    InitiatorName=iqn.2016-04.nl.polaire:test4
  • Edit /etc/iscsi/iscsid.conf and set the CHAP username and password (these must match the credentials configured in the target's ACL):
    node.session.auth.authmethod = CHAP
    node.session.auth.username = <username>
    node.session.auth.password = <password>
  • Start the iSCSI service (and enable it, so that recorded nodes are logged in again at boot):
    systemctl enable iscsi
    systemctl start iscsi
  • Discover targets:
    iscsiadm --mode discovery --type sendtargets --portal 1.2.3.4
  • Log in on target:
    iscsiadm --mode node --targetname iqn.2000-01.nl.polaire:rackstation.target-Test --portal 1.2.3.4 --login
  • You now have access to the block device:
    lsblk --scsi
    NAME HCTL       TYPE VENDOR   MODEL             REV TRAN
    sda  1:0:0:0    disk ATA      KINGSTON SMS200S BBF0 sata
    sdc  7:0:0:0    disk SYNOLOGY IBLOCK           4.0  iscsi
  • You can now create a file system (or use LVM first) and mount it at boot.
    • Create file system and mount at boot:
      mkfs.xfs /dev/sdc
      mkdir /data
      mount /dev/sdc /data
      echo "UUID=`blkid -s UUID -o value /dev/sdc` /data xfs _netdev 0 0" >>/etc/fstab
      
      umount /data
      mount -a
      
      # test reboot
  • Show nodes:
    iscsiadm -m discoverydb -P1
  • If you need to delete a node:
    iscsiadm -m node -p 172.16.10.39 --op=delete
  • If you have the problem that systemd unmounts a new volume after altering /etc/fstab, run systemctl daemon-reload.

Target

  • Install targetcli:
    yum install -y targetcli
  • Enable service (start at boot):
    systemctl enable target
  • Create file backed store:
    targetcli
    /> backstores/fileio/ create shareddata /opt/iscsi.img 1G
    Created fileio shareddata with size 1073741824
    /> iscsi/ create iqn.2016-04.nl.polaire:target1
    Created target iqn.2016-04.nl.polaire:target1.
    Created TPG 1.
    Global pref auto_add_default_portal=true
    Created default portal listening on all IPs (0.0.0.0), port 3260.
  • If no portal was created automatically, cd into the TPG and create one (with no arguments it listens on all addresses; pass an IP address to restrict it):
    targetcli
    /> cd iscsi/iqn.2016-04.nl.polaire:target1/tpg1
    /iscsi/iqn.20...target1/tpg1> portals/ create
  • Create a LUN (inside the TPG):
    /iscsi/iqn.20...target1/tpg1> luns/ create /backstores/fileio/shareddata
  • Create an ACL for the initiator IQN from the client's /etc/iscsi/initiatorname.iscsi; only listed initiators may log in:
    /iscsi/iqn.20...target1/tpg1> acls/ create iqn.2016-04.nl.polaire:test4
  • Set the CHAP credentials for that initiator (they must match node.session.auth.username and node.session.auth.password in the client's iscsid.conf; afterwards verify from the client that a login without credentials is rejected):
    /iscsi/iqn.20...target1/tpg1> cd acls/iqn.2016-04.nl.polaire:test4/
    /iscsi/iqn.20...laire:test4> set auth userid=username
    Parameter userid is now 'username'.
    /iscsi/iqn.20...laire:test4> set auth password=pwd
  • Config is saved in /etc/target/saveconfig.json (targetcli saves on exit; saveconfig writes it explicitly).
  • Open firewall port:
    firewall-cmd --permanent --add-port=3260/tcp
    firewall-cmd --reload

- Produce and deliver reports on system utilization (processor, memory, disk, and network)

  • top, sar, vmstat, iostat, tcpdump…

- Use shell scripting to automate system maintenance tasks

  • bash scripting…

- Network services

- Install the packages needed to provide the service

  • yum, rpm

- Configure SELinux to support the service

  • ls -lZ
  • restorecon
  • semanage
  • auditd

- Use SELinux port labeling to allow services to use non-standard ports

  • Install tools:
    yum install policycoreutils-python
  • List ports:
    semanage port -l | grep ssh
  • Add a port to a type (use -a for a port that is not yet labelled; -m only modifies an existing record and fails otherwise):
    semanage port -a -t ssh_port_t -p tcp 4321

- Configure the service to start when the system is booted

  • Enable server to start at boot:
    systemctl enable <servicename>

- Configure the service for basic operation

  • systemctl start
    systemctl stop
    systemctl restart
    systemctl enable
    systemctl reenable
    systemctl status
  • Add custom services in: /etc/systemd/system.

- Configure host-based and user-based security for the service

  • ?

HTTP/HTTPS

- Configure a virtual host

  • Install httpd:
    yum install httpd
  • Enable service:
    systemctl enable httpd
  • Create a directory for the virtual host files:
    mkdir /var/www/html/virta
  • Create a index.html:
    echo "
    <html>
    <head><title>virta virtual host</title></head>
    <body>
    This is virtual host -virta-
    </body>
    </html>
    " > /var/www/html/virta/index.html
  • Restore SELinux labels if needed:
    restorecon -Rv /var/www/html/
  • Create the virtual host config in /etc/httpd/conf.d/1-virta.conf (files in conf.d are read in alphabetical order, and the first virtual host defined for an address:port is the default one). You can find examples in /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf:
    <VirtualHost *:80>
        ServerAdmin ben@polaire.nl
        DocumentRoot "/var/www/html/virta/"
        ServerName virta.polaire.nl
        ServerAlias www.virta.polaire.nl
        ErrorLog "/var/log/httpd/virta-error_log"
        CustomLog "/var/log/httpd/virta-access_log" common
    </VirtualHost>
  • You can add the virta hostname to DNS, or for this test to the /etc/hosts file.
  • Test config:
    apachectl configtest
  • Start httpd:
    systemctl start httpd
  • Open firewall port:
    firewall-cmd --permanent --zone public --add-service http
    firewall-cmd --reload
  • Show all running virtual hosts:
    httpd -D DUMP_VHOSTS
  • Test with elinks on local host.

- Configure private directories

  • Create a private directory:
    mkdir /var/www/html/virta/private
  • Create a test file:
    echo "This is private" >/var/www/html/virta/private/index.html
  • Add the config below for host based authentication:
    <Directory "/var/www/html/virta/private">
    AllowOverride None
    Options None
    Require host test.polaire.nl localhost
    </Directory>
  • For user based authentication, create the following config:
    <Directory "/var/www/html/virta/private/">
    AuthType Basic
    AuthName "Password protected"
    AuthUserFile /etc/httpd/conf/passwd
    Require user testuser
    </Directory>
  • Save the user and password (-c creates the file; omit it when adding further users, or the file is overwritten):
    htpasswd -c /etc/httpd/conf/passwd testuser
  • Restrict rights so that httpd can read the file but not modify it (it is outside the DocumentRoot, so it cannot be downloaded):
    chown root:apache /etc/httpd/conf/passwd
    chmod 640 /etc/httpd/conf/passwd

- Deploy a basic CGI application

  • Simplest method: put an executable Perl (or shell) script in /var/www/cgi-bin, which httpd.conf already maps with ScriptAlias and which carries the httpd_sys_script_exec_t SELinux label.
  • Or create a bash script in another directory and configure the vhost. The directory needs a URL mapping, CGI execution enabled, an access rule (httpd 2.4 denies everything outside /var/www by default) and the right SELinux label:
    ScriptAlias /cgi-bin/ "/usr/local/cgi-bin/"
    <Directory "/usr/local/cgi-bin/">
        Options +ExecCGI
        AddHandler cgi-script .cgi
        Require all granted
    </Directory>
    semanage fcontext -a -t httpd_sys_script_exec_t "/usr/local/cgi-bin(/.*)?"
    restorecon -Rv /usr/local/cgi-bin
  • Bash script (the blank line after the header is mandatory; anything printed before it is parsed as a header, so the date must come after it):
    #!/bin/bash
    echo "Content-type: text/html"
    echo
    date
    echo "Testing CGI scripts..."
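
As an added example that is not part of the original page, here is a CGI script for the /usr/local/cgi-bin directory configured above (hello.cgi is an assumed file name) that gets the header/body separation right and HTML-escapes the one request value it echoes, so a query such as ?name=<script> comes back as text rather than markup. The html_escape, query_param and render_page helper names are this example's own.

```bash
#!/bin/bash
# Added example (not from the page): a CGI script that does the two things the
# five-line test script above gets wrong or leaves out. The header block ends
# with a blank line before any body output, and everything taken from the
# request is HTML-escaped before it is echoed back, so a request such as
# ?name=<script> cannot inject markup (reflected XSS). Install as
# /usr/local/cgi-bin/hello.cgi (assumed path, matching the vhost config above)
# and make it executable; QUERY_STRING and GATEWAY_INTERFACE are set by httpd.

# HTML-escape stdin. Order matters: & first, otherwise the entities added for
# the other characters would be escaped a second time.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Print the URL-decoded value of parameter $1 from QUERY_STRING (first match).
# Splitting on & happens before decoding, so an encoded %26 inside a value
# cannot smuggle in a second parameter. ASCII-only decoding is assumed.
query_param() {
    printf '%s' "${QUERY_STRING:-}" | awk -v want="$1" '
        function hex2dec(h,   n, i) {
            n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return n
        }
        function urldecode(s,   out, i, c) {
            out = ""
            for (i = 1; i <= length(s); i++) {
                c = substr(s, i, 1)
                if (c == "+") c = " "
                else if (c == "%" && substr(s, i + 1, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                    c = sprintf("%c", hex2dec(substr(s, i + 1, 2))); i += 2
                }
                out = out c
            }
            return out
        }
        BEGIN { RS = "&" }
        {
            eq = index($0, "=")
            if (eq == 0) next
            if (urldecode(substr($0, 1, eq - 1)) == want) {
                print urldecode(substr($0, eq + 1)); exit
            }
        }'
}

# Emit the full CGI response. The untrusted value is only ever interpolated
# into output as data; it is never passed to eval or used as a command argument.
render_page() {
    name=$(query_param name)
    [ -n "$name" ] || name=world
    safe_name=$(printf '%s' "$name" | html_escape)
    printf 'Content-Type: text/html; charset=utf-8\n'
    printf 'X-Content-Type-Options: nosniff\n'
    printf '\n'                       # end of headers; body starts after this line
    printf '<html><body><p>Hello, %s!</p>\n' "$safe_name"
    printf '<p>Server time (UTC): %s</p></body></html>\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    render_page                       # running under httpd
elif [ "${1:-}" = "--demo" ]; then
    QUERY_STRING='name=Ben+%3Cscript%3E' render_page   # offline demo run
fi
```

Run it as ./hello.cgi --demo to see the escaped output without a web server; under httpd the same page is served at /cgi-bin/hello.cgi?name=Ben.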

- Configure group-managed content

  • Configure the directory directive:
    AuthType Basic
    AuthName "Group test"
    AuthGroupFile /etc/httpd/conf/group
    AuthUserFile /etc/httpd/conf/passwd
    Require group usergroup
  • Create the group file /etc/httpd/conf/group:
    usergroup: user1 user2
  • Create the password file /etc/httpd/conf/passwd:
    htpasswd -c /etc/httpd/conf/passwd user1
    htpasswd /etc/httpd/conf/passwd user2

- Configure TLS security

  • Have the httpd server running.
  • Install the required packages (haveged for speeding up key generation):
    yum install crypto-utils mod_ssl lynx haveged
  • Start and enable haveged:
    systemctl start haveged
    systemctl enable haveged
  • Run genkey (with --test it skips the slow random-data collection; use that for testing only). It writes the key and a self-signed certificate unless you let it send the CSR to a CA:
    genkey test.polaire.nl
  • Edit /etc/httpd/conf.d/ssl.conf (and check SSLProtocol and SSLCipherSuite in the same file: SSLv3 must be disabled and the cipher list should be reviewed):
    SSLCertificateFile /etc/pki/tls/certs/test.polaire.nl.crt
    SSLCertificateKeyFile /etc/pki/tls/private/test.polaire.nl.key
    ServerName test.polaire.nl:443
  • Create a new virtual host for HTTPS, see the example in ssl.conf.
  • Check config and restart Apache:
    apachectl configtest
    systemctl restart httpd
  • Open the firewall for https (port 443):
    firewall-cmd --permanent --zone public --add-service https
    firewall-cmd --reload
  • Test with lynx (a self-signed certificate will produce a warning).

DNS

- Configure a caching-only name server

  • Install unbound:
    yum install unbound
  • Configure unbound, edit /etc/unbound/unbound.conf:
            interface: 0.0.0.0
            interface: ::0
    
            do-ip4: yes
            do-ip6: yes
    
            do-udp: yes
    
            use-syslog: yes
            
            hide-identity: yes
            hide-version: yes
     
            #val-permissive-mode: yes # Might be needed if upstream doesn't support DNSSEC
    
            # 0.0.0.0/0 and ::0/0 make this an open resolver (usable for DNS
            # amplification); restrict access-control to your own networks unless
            # the host is firewalled off from the Internet.
            access-control: 0.0.0.0/0 allow
            access-control: ::0/0 allow
            
            domain-insecure: "your-domain.tld"
    
  • Create a forward zone (for all zones) /etc/unbound/conf.d/forward.conf:
    forward-zone:
            name: "."
            forward-addr: 1.2.3.4
            forward-addr: 1.2.3.5
  • Check config: unbound-checkconf /etc/unbound/unbound.conf.
  • Enable and start the service:
    systemctl start unbound.service
    systemctl enable unbound.service
  • Open the firewall for DNS (53 udp and tcp): firewall-cmd --permanent --add-service=dns, then firewall-cmd --reload.

- Troubleshoot DNS client issues

  • Use the host or dig command. Check journalctl.

NFS

- Provide network shares to specific clients

  • Install packages:
    yum groupinstall file-server
  • Open firewall:
    firewall-cmd --permanent --add-service=nfs
    firewall-cmd --reload
  • Start services and configure to start at boot:
    systemctl enable rpcbind nfs-server
    systemctl start rpcbind nfs-server
  • Create shared directory:
    mkdir -p /home/share1
    chmod 0777 /home/share1
    mkdir -p /home/share2
    chmod 0777 /home/share2
  • Set SELinux contexts:
    semanage fcontext -a -t public_content_rw_t "/home/share1(/.*)?"
    semanage fcontext -a -t public_content_rw_t "/home/share2(/.*)?"
    restorecon -Rv /home/share1
    restorecon -Rv /home/share2
  • Create shares, edit /etc/exports (no_root_squash lets root on the client act as root on the export; leave it out unless the client really needs it):
    /home/share1 test1.yourdomain.tld(rw,no_root_squash)
    /home/share2 test2.yourdomain.tld(rw,no_root_squash)
  • Export the filesystems:
    exportfs -avr
    # systemctl restart nfs-server
  • For showmount to work, open firewall for additional ports:
    firewall-cmd --add-service=mountd --permanent
    firewall-cmd --add-service=rpc-bind --permanent
    firewall-cmd --reload
  • Configure the client:
    yum install nfs-utils
    showmount -e nfs.yourdomain.tld
    mount -t nfs nfs.yourdomain.tld:/home/share1 /mnt

- Provide network shares suitable for group collaboration

  • Create an NFS server.
  • Create a shared directory.
  • Create a group.
  • Assign group to shared directory.
  • Set permissions to directory.
    chmod 0770 /home/Shared # no sticky or setgid bit
    All group users can add to and delete from the directory and can read but not write each other's files.

    chmod 1770 /home/Shared # sticky bit
    Same as above, but only the owner of a file can delete it.

    chmod 2770 /home/Shared # setgid bit
    New files inherit the directory's group, so (with umask 002) all group users can add to and delete from the directory and can read and write each other's files.

    chmod 3770 /home/Shared # sticky and setgid bit
    As above, except only the owner of a file can delete it.
  • Create /etc/exports:
    /home/Shared client(rw,no_root_squash)
  • Export the directory:
    exportfs -avr
    systemctl restart nfs-server

- Use Kerberos to control access to NFS network shares

  • Configure working NTP (NTPd or Chrony) and DNS.
  • Install Kerberos KDC:
    yum install krb5-server krb5-workstation pam_krb5
    yum install haveged (for entropy)
    systemctl start haveged
    systemctl enable haveged
    
    vi /var/kerberos/krb5kdc/kdc.conf  # replace EXAMPLE.COM with your own realm
                                       # uncomment master_key_type = aes256-cts line
                                       # and paste the following line in the [realms] stanza:
                                       # default_principal_flags = +preauth
    
    vi /etc/krb5.conf                  # uncomment all the lines, replace EXAMPLE.COM with your own realm
                                       # example.com with your own domain name, and kerberos.example.com
                                       # with your own KDC server name (here kbserver.example.com).
    
    vi /var/kerberos/krb5kdc/kadm5.acl # replace EXAMPLE.COM with your own realm.
    
    
    # Create Kerberos database
    kdb5_util create -s -r YOURDOMAIN.TLD
    
    # Start and activate Kerberos
    systemctl start krb5kdc kadmin
    systemctl enable krb5kdc kadmin
    
    # Add users
    useradd test1
    useradd test2
    
    # Start Kerberos admin
    kadmin.local
    
    # Create admin principal
    kadmin.local:   addprinc root/admin
    
    # Create user principals
    kadmin.local:   addprinc test1
    kadmin.local:   addprinc test2
    
    # Add KDC hostname
    kadmin.local:   addprinc -randkey host/kbserver.yourdomain.tld
    
    # Create local copy /etc/krb5.keytab file:
    kadmin.local:  ktadd host/kbserver.yourdomain.tld
    
    kadmin.local:  quit
    
    
    # Open firewall
    firewall-cmd --permanent --zone public --add-service kerberos
    firewall-cmd --reload
    
    # Test
    su - test1
    kinit
    klist
  • Setup an NFS server:
    yum groupinstall file-server
    firewall-cmd --permanent --add-service=nfs
    firewall-cmd --permanent --add-service=mountd 
    firewall-cmd --permanent --add-service=rpc-bind
    firewall-cmd --reload
    
    # Activate and start NFS server
    systemctl enable rpcbind nfs-server
    systemctl start rpcbind nfs-server
    
    # Create a shared directory
    mkdir -p /home/share
    chmod 0777 /home/share
    yum install policycoreutils-python # provides the semanage command
    semanage fcontext -a -t public_content_rw_t "/home/share(/.*)?"
    restorecon -Rv /home/share
    echo "/home/share nfsclient.yourdomain.tld(rw,no_root_squash)" >> /etc/exports
    exportfs -avr
    showmount -e localhost
  • Configure the NFS client:
    yum install nfs-utils
    showmount -e nfsserver.yourdomain.tld
    mount -t nfs nfsserver.yourdomain.tld:/home/share /mnt
  • Configure the NFS server and NFS client as kerberos client.
    # Install on both NFS server and client:
    yum install krb5-workstation pam_krb5
    
    # Copy the /etc/krb5.conf file from the KDC server to NFS client and server.
    
    # Add the principals (on the KDC). Write each host's keys to its own keytab
    # file with -k, so that no host ends up holding another host's key material:
    kadmin
    kadmin:  addprinc -randkey nfs/nfsserver.yourdomain.tld
    kadmin:  addprinc -randkey nfs/nfsclient.yourdomain.tld
    kadmin:  ktadd -k /root/nfsserver.keytab nfs/nfsserver.yourdomain.tld
    kadmin:  ktadd -k /root/nfsclient.keytab nfs/nfsclient.yourdomain.tld
    kadmin:  quit
    
    # Add sec=krb5 to exports on NFS server
    /home/share nfsclient.yourdomain.tld(rw,no_root_squash,sec=krb5)
    
    # Activate and start NFS on the server (RHEL 7.0 only)
    systemctl enable nfs-secure-server && systemctl start nfs-secure-server
    
    # Install the keytab holding nfs/nfsclient.yourdomain.tld on the client as
    # /etc/krb5.keytab (and the server's on the server), mode 600, root-owned.
    # Do not copy the KDC's own /etc/krb5.keytab: it holds keys for other principals.
    
    # Activate and start NFS on the client: 
    # RHEL 7.0
    # systemctl enable nfs-secure && systemctl start nfs-secure
    
    # RHEL >= 7.1
    # systemctl enable nfs-client.target && systemctl start nfs-client.target
    
    # Mount the remote directory (the user needs a ticket, see kinit/klist above):
    mount -t nfs4 -o sec=krb5 nfsserver.yourdomain.tld:/home/share /mnt
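
Every exports line on this page (the share1/share2 exports, the group-collaboration export and the Kerberos one) uses no_root_squash, and only the last adds sec=krb5. The script below is an added example, not part of the original notes, that audits an /etc/exports file for exactly those points: exports open to every host, no_root_squash, insecure, and the AUTH_SYS fallback that applies whenever sec= is missing or lists sys. The sample file it builds is constructed for the example, reusing the host names from this page.

```bash
#!/bin/bash
# Added example (not from the page): audit an /etc/exports file for the
# options that matter from a security point of view. Flags exports that are
# open to every host, the no_root_squash and insecure options, and any export
# that falls back to sec=sys (the default), where the server trusts the UID/GID
# the client sends instead of a Kerberos identity. Handles # comments and
# backslash continuation lines. The sample file below is constructed.

# Print one WARN line per finding; exit status 1 if there were any.
audit_exports() {
    awk '
        function has(opts, o) { return index("," opts ",", "," o ",") > 0 }
        function optval(opts, name,   n, i, a) {
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++)
                if (index(a[i], name "=") == 1) return substr(a[i], length(name) + 2)
            return ""
        }
        function warn(path, client, msg) {
            printf "WARN %s %s: %s\n", path, (client == "" ? "<everyone>" : client), msg
            count++
        }
        { sub(/#.*$/, "") }                                   # strip comments
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
        { line = buf $0; buf = "" }
        {
            sub(/^[[:space:]]+/, "", line)
            if (line ~ /^[[:space:]]*$/) next
            n = split(line, f, /[[:space:]]+/)
            path = f[1]
            if (n == 1) {                                     # "/path" alone = everyone
                warn(path, "", "no client list, exported to every host with default options")
                next
            }
            for (i = 2; i <= n; i++) {
                p = index(f[i], "(")
                client = p ? substr(f[i], 1, p - 1) : f[i]
                opts   = p ? substr(f[i], p + 1, length(f[i]) - p - 1) : ""
                if (client == "" || client == "*")
                    warn(path, client, "exported to every host")
                else if (client ~ /[*?]/)
                    warn(path, client, "wildcard client pattern")
                if (has(opts, "no_root_squash"))
                    warn(path, client, "no_root_squash: root on the client is root on this export")
                if (has(opts, "insecure"))
                    warn(path, client, "insecure: requests from unprivileged source ports accepted")
                sec = optval(opts, "sec")
                if (sec == "")
                    warn(path, client, "no sec= option, defaults to sec=sys (client-supplied UIDs trusted)")
                else if ((":" sec ":") ~ /:sys:/)
                    warn(path, client, "sec=" sec " still allows sys as a fallback")
            }
        }
        END { exit count > 0 ? 1 : 0 }' "$1"
}

# Number of WARN lines for the exports file given in $1.
count_findings() {
    audit_exports "$1" | grep -c '^WARN'
}

# Constructed sample /etc/exports using the host names from this page.
sample_exports() {
    cat <<'EOF'
# constructed sample /etc/exports
/home/share1 test1.yourdomain.tld(rw,no_root_squash)
/home/share2 test2.yourdomain.tld(rw,sec=krb5p)
/home/Shared *(rw,no_root_squash,insecure)
/srv/iso
/home/tools nfsclient.yourdomain.tld(rw,sec=krb5:sys) \
            backup.yourdomain.tld(ro,sec=krb5)
EOF
}

tmp=$(mktemp)
sample_exports > "$tmp"
audit_exports "$tmp"
echo "findings: $(count_findings "$tmp")"
rm -f "$tmp"
```

On the sample only /home/share2 and the backup host entry pass cleanly; run audit_exports /etc/exports on a real server after exportfs -avr to see what the current exports allow.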

SMB

- Provide network shares to specific clients

  • Install packages:
    yum groupinstall "File and Print Server"
  • Create directory:
    mkdir /opt/smbdata
  • Set rights:
    chown testuser:users /opt/smbdata
    chmod 775 /opt/smbdata
  • Set SELinux context:
    semanage fcontext -a -t samba_share_t "/opt/smbdata(/.*)?"
    restorecon -Rv /opt/smbdata
  • Edit /etc/samba/smb.conf
    • Change workgroup.
    • Add share:
      [data]
              comment = Data
              path = /opt/smbdata
              browseable = yes
              writeable = yes
              hosts allow = 10.1.2.
              valid users = testuser
  • Test config with: testparm.
  • Enable and start smb and nmb (winbind is only needed when the server joins a domain).
  • Create user:
    useradd -s /sbin/nologin testuser
    smbpasswd -a testuser
  • Open firewall for CIFS (samba) traffic.
  • Test (the share name is the section name from smb.conf, here data):
    smbclient //localhost/data -U testuser
  • On the client install the required packages:
    yum install cifs-utils samba-client
  • Test connection:
    smbclient -L <server> -U <username>
    smbclient //server/data -U <username>

- Provide network shares suitable for group collaboration

  • Without using Kerberos, you can use a multiuser mount: the mount is made with one set of credentials, and each user then adds their own credentials to it with cifscreds.
  • Create a credentials file /root/smb-creds and keep it readable by root only (chmod 600):
    username=user01
    password=...
  • Test with:
    mount -t cifs -o multiuser,credentials=/root/smb-creds //test6/data /mnt
  • Switch to other user and use cifscreds
  • Test if you can r/w files.
  • Mount in fstab:
    //test6/data /mnt cifs multiuser,credentials=/root/smb-creds 0 0

SMTP

- Configure a system to forward all email to a central mail server

  • Edit /etc/postfix/main.cf: set relayhost to the central server (e.g. relayhost = [mailhub.yourdomain.tld]) and keep inet_interfaces = localhost (the default) so the host does not accept mail from the network; then restart postfix.
  • Check options with man 5 postconf.

SSH

- Configure key-based authentication

- Configure additional options described in documentation

NTP

- Synchronize time using other NTP peers

- Database services

- Install and configure MariaDB

- Backup and restore a database

- Create a simple database schema

- Perform simple SQL queries against a database

rhce7_objectives.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1