RHCE exam summary (continuously updated)

Keywords: Operation & Maintenance firewall vim yum SELinux

Environmental preparation

1. Configure YUM software warehouse

server and desktop machine do the same operation!!!!
 
# // server:
$ vim /etc/yum.repos.d/base.repo
[rhce]
name = EX300
gpgcheck = 0
baseurl = http://classroom.example.com/content/rhel7.0/x86_64/dvd/

### Clear the previous software warehouse cache
$ yum clean all
### Refresh software warehouse
$ yum repolist

### Copy to desktop
$ scp /etc/yum.repos.d/base.repo root@172.25.0.10:/etc/yum.repos.d/

Start answering questions

1. Configure SELinux

SELinux for virtual machine server and desktop must be running in Enforcing mode.
 
$ vim /etc/selinux/config 
$ grep -v ^# /etc/selinux/config 
SELINUX=enforcing
SELINUXTYPE=targeted
### Modify the current mode to enforce  
$ setenforcing 1
$ sestatus
...
Current mode:                   enforcing
Mode from config file:          enforcing
...

2. Configure ssh access

Configure SSH access as follows
Users can remotely access your two virtual machine systems through SSH from clients within domain example.com
Clients in the domain my133t.org cannot access your two virtual machines
#//server
### Check if the firewall is on
$ systemctl status firewalld.service
...
Active : active (running)
...
$ firewall-cmd --permanent --add-service=ssh
$ firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.10.0/24 service name=ssh reject'
$ firewall-cmd --reload
### inspect
$ firewall-cmd --list-all

#//desktop does the same thing

3. Custom user environment

Create custom command on system server0 and desktop0 for qstat this definition command will execute the following command:
/bin/ps -Ao pid,tt,user,fname,rsz
This command is valid for all users in the system.
 
#//server
$ echo "alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'" >> /etc/bashrc
$ source /etc/bashrc 
### Check it out.
$ qstat

#//desktop does the same thing

4. Configure port forwarding

Configure port forwarding on system server0 as follows:
In the 172.25.0.0/24 network, the local port 5423 accessing server0 will be forwarded to 80
This setting must be permanent.
#//server
$ firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 forward-port port=5423 protocol=tcp to-prot=80'
$ firewall-cmd --reload
### inspect
firewall-cmd --list-all
Or execute
#//server
$ firewall-cmd --permanent --add-forward-port=port=5423:proto=tcp:toport=80
$ firewall-cmd --reload
### inspect
$ firewall-cmd --list-forward-ports 

5, Configure link aggregation

Configure a link between server0.example.com and desktop0.example.com as follows:
This link uses interfaces eth1 and eth2
This link still works when an interface fails
This link server0 uses the following address 172.16.1.65 / 255.255.255.0
This link desktop0 uses the following address 172.16.1.75 / 255.255.255.0
This link remains normal after the system restarts.
If you are not familiar with commands, you can use the help file. Skip help if familiar.
-----help --- split line--------
$man nmcli examples
$man team. Conf -- > here are two core help
"Runner": {"name": "activebackup"} -- > use this help
$cat / usr / share / Doc / team-1.9/example \ ifcfgs / ifcfgs-team \ Test0 -- > see here, too
-----help --- split line--------
#//server
$ nmcli connection add type team con-name Team0 ifname team0 config '{"runner":  {"name":"activebackup"}}'
--->Note single and double quotes
### inspect
$ ip a s
...
$ nmcli connection add type team-slave con-name Team0-port1 ifname eth1 master team0 
$ nmcli connection add type team-slave con-name Team0-port2 ifname eth2 master team0 
$ nmcli connection modify Team0 ipv4.addresses '172.16.1.65/24' ipv4.method manual 
$ nmcli connection reload 
$ nmcli connection up Team0 
### Verification
$ teamdctl team0 state
#//desktop -- do the same
Note ip address: nmcli connection modify team0 ipv4.addresses' 172.16.1.75/24 'ipv4.method manual

6. Configure IPv6 address

Configure the interface eth0 on your test system to use the following IPv6 address:
The address on server0 should be 2014:ac18::a/64
The address on desktop0 should be 2014:ac18::b/64
The two systems must be able to communicate with the system in network 2014:ac18/64
Address must be valid after restart
Both systems must maintain the current IPv4 address and be able to communicate.
#//server
$ nmcli connection modify 'System eth0' ipv6.addresses '2014:ac18::a/64' ipv6.method manual 
$ nmcli connection reload 
### activation
$ nmcli connection up 'System eth0'

#//server
### Verification 
$ ping 172.25.0.10
#//desktop 
$ nmcli connection modify 'System eth0' ipv6.addresses '2014:ac18::b/64' ipv6.method manual 
$ nmcli connection reload 
### activation
$ nmcli connection up 'System eth0'

#//desktop
### Verification 
$ ping6 2014:ac18::a

7. Configure local mail service

Configure mail service on system server0 and desktop0 to meet the following requirements:
These systems do not receive messages sent from outside
Any messages sent on these systems are automatically routed to classroom.example.com
Messages sent from these systems appear to be from example.com
You can test your configuration by sending an email to the local user hal. The system classroom.example.com has configured to send this user's email to the following URL:
http://classroom.example.com/cgi-bin/recevied_mail
### To view the question requirements, one is to do email forwarding, the other is to do email alias
#//server
$ cd /etc/postfix/
$ cp -a main.cf{,.bak} 

//Modify the configuration file / etc/postfix/main.cf to modify the following lines:
$ vim /etc/postfix/main.cf
83 mydomain = example.com                      --->field
99 myorigin = $mydomain                        --->Configure mail source domain
164 mydestination = ""                         --->Configure mail destinations
316 relayhost = [classroom.example.com]       --->Configure mail routing host

$ systemctl restart postfix.service 

### test
$ echo "$HOSTNAME" |mail -s "nullclient" hal@classroom.example.com 
$ mailq 
Mail queue is empty --->No, it's a success
#//desktop
$ scp /etc/postfix/main.cf root@desktop0:/etc/postfix/
--->yes,Then input root Password

### test
$ echo "$HOSTNAME" |mail -s "nullclient" hal@classroom.example.com 
$ mailq 

8. Share directory through SMB

Configure SMB service on server0
Your SMB server must be a member of the STAFF Workgroup
Share / groupdir directory share name must be common
Only clients in the example.com domain can access the common share
common must be browsable
User barney must be able to read the content in the share, and if necessary, the password to be verified is flectrag
#//server
$ yum -y install samba samba-client 
$ systemctl enable smb nmb        --->Boot up

$ mkdir /groupdir 
$ setfacl -m u:barney:rx   /groupdir     --->Notice this is rx ,If written rw implement ls No permission will be prompted

$ chcon -t samba_share_t /groupdir        --->This and the next line can be found at/etc/samba/smb.conf Found in file SELINUX Location view of
$ setsebool -P samba_export_all_ro 1

$ cp -a /etc/samba/smb.conf{,.bak}        --->Backup is very important, add -a Copy the permission bit
$ vim /etc/samba/smb.conf
89    workgroup = STAFF 
95    hosts allow = 127.   172.25.0.     --->Domains allowed, 172.25.0. yes example.com All clients in the domain
321   [common]                           --->Shared name
322   path = /groupdir                   --->Shared directory
323   browseable = yes                   --->Browable

$ systemctl start smb nmb     --->start-up

$ smbpasswd -a barney 
New SMB password: [flectrag]
Retype new SMB password: [flectrag]
$ pdbedit -L
barney : 1001 :
###test
$ smbclient //server0.example.com/common -U barney
Enter barney's password: [flectrag]
Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls 
...
40913 blocks of size 262144. 28449 blocks available
smb: \> exit

9. Configure multi-user SMB mount

Share on server0 through SMB directory / data to meet the following requirements:
Share name is data
Shared directory data can only be used by clients in the example.com domain
Shared directory data must be browsable
The user manager must be able to access the share in a read mode, and the access password is flectrag
The user wolfery ne must be able to access this share in a read-write way, and the access password is flectrag
This share is permanently mounted in the / mnt/multi directory on desktop0.example.com, and uses the user manager as the authentication. Any user can obtain the write permission temporarily through the user wolfery ne.
#//server 
$ mkdir /data 
$ setfacl -m u:manager:rx /data 
$ setfacl -m u:wolferyne:rwx /data   --->Notice this is rwx ,Be sure to add. x Executive authority

$ chcon -t samba_share_t /data          --->This and the next line can be found at/etc/samba/smb.conf Found in file SELINUX Location view of
$ setsebool -P samba_export_all_rw 1 

$ cp -a /etc/samba/smb.conf{,.bak2}
$ vim /etc/samba/smb.conf 
324      [data]
325      path = /data 
326     public = yes 
327     writable = yes
328     write list = wolferyne 

$ smbpasswd -a manager              --->Set up smb User password
New SMB password: [flectrag]
Retype new SMB password: [flectrag]
$ smbpasswd -a wolferyne            --->Set up smb User password
New SMB password: [flectrag]
Retype new SMB password: [flectrag]

$ systemctl restart smb nmb 

//Add firewall policy
$ firewall-cmd --permanent --add-service=samba
$ firewall-cmd --reload
Client configuration
#//desktop 
$ yum -y install samba-client cifs-utils
$ mkdir /mnt/multi

--->Check the help of mount, execute man -k mount, and find mount.cifs to check the details
$VIM / root / mysmb -- > create credentials authentication file for smb
username=manager
password=flectrag

$VIM / etc / fstab -- > set boot auto mount
//server0.example.com/data    /mnt/multi     cifs     defaults,credentials=/root/mysmb,multiuser   0     0

$mount - a -- > reload everything in / etc/fstab
//Be sure to add the samba firewall policy on server0 first, or you will be prompted Unable to find suitable address
//Or prompt: connection to server0.example.com failed (error NT? Status? Host? Unreachable)
###test
$ su - wolferyne 
$ cifscreds add server0 
Password: [flectrag]
$ cd /mnt/multi/
$ touch a 
$ exit 

10. Configure services for NFS

To configure the NFS service on server0, the requirements are as follows:
Share directory as read-only / public can be accessed by the system in the example.com domain
Shared directory in read-write mode / protected can be accessed by the system in the example.com domain
Access to / protected requires Kerberos security encryption, and you can use the key provided by the following URL:
http://classroom.example.com/pub/keytabs/server0.keytab
Directory / protected should contain a subdirectory named restricted with owner ldapuser0
User ldapuser0 can access / protected/restricted in read-write mode
#//server 
$ wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab  
 --->Download to/etc/krb5.keytab Corresponding/etc/exports In configuration sec=krb5p
 ---> kerberos Time synchronization required $ system-config-date -—->$ chronyc sources -v 
 ---> Otherwise mount -a Will prompt for access denied.
 
$ mkdir /public 
$ chown nfsnobody /public 

$ vim /etc/exports 
/public  *.example.com(ro)   --->Share directories read-only /public Can be example.com System access in domain

$ mkdir -p /protected/restricted
$ chown nfsnobody /protected
$ chown ldapuser0 /protected/restricted  --->Catalog /protected/restricted Owner ldapuser0

$ vim /etc/exports 
/protected  *.example.com(rw,sync,sec=krb5p)  --->Share directories read and write /protected Can be example.com System access in domain
/public  *.example.com(ro)

$ exportfs -avr      --->Boot sharing

$ systemctl enable nfs-server nfs-secure-server 
$ systemctl start nfs-server nfs-secure-server 
--->If rpcbind This service does not start, nfs Service will fail to start, nfs-secure-server rely on /etc/krb5.keytab   

$ showmount -e       --->View sharing

#Add firewall
$ firewall-cmd --permanent --add-service=nfs 
$ firewall-cmd --permanent --add-service=mountd    --->adopt mountd Service (cannot be remote if it is not turned on showmount)
$ firewall-cmd --permanent --add-service=rpc-bind  --->adopt rpc Service (if not turned on, rpcinfo Can't scan)
$ firewall-cmd --reload

11. Mount an NFS share

Mount an NFS share from server0.example.com on desktop0, and meet the following requirements:
/public is mounted on the following directory / mnt/nfsmount
/protected is mounted on the following directory / mnt/nfssecure and used in a safe way. The key Download URL is as follows:
http://classroom.example.com/pub/keytabs/desktop0.keytab
User ldapuser0 can create files on / mnt/nfssecure/restricted
These file systems mount automatically when the system starts.
#//desktop 
$ wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
  --->Download to/etc/krb5.keytab Corresponding /etc/fstab In configuration sec=krb5p, nfs-secure rely on /etc/krb5.keytab 

$ systemctl enable nfs-secure
$ systemctl start nfs-secure

$ mkdir /mnt/nfsmount 
$ mkdir /mnt/nfssecure 

$ vim /etc/fstab 
server0.example.com:/public   /mnt/nfsmount  nfs   defaults    0  0
server0.example.com:/protected   /mnt/nfssecure  nfs   defaults,sec=krb5p    0  0
$ mount -a  --->take/etc/fstab All content reloads for

$ df -Th 
Filesystem                       Type  Size  Used  Avail    Use%  Mounted on 
server0.example.com:/public      nfs4  11G   3.4G  7.5G     31%   /mnt/nfsmount
server0.example.com:/protected   nfs4  11G   3.4G  7.5G     31%   /mnt/nfssecure

$ su - ldapuser0 
-bash-4.2$ kinit ldapuser0 
Password for ldapuser0@EXAMPLE.COM: [kerberos]
-bash-4.2$ klist 
...
-bash-4.2$ cd /mnt/nfssecure/restricted 
-bash-4.2$ touch a

12. Implement a Web server

Configure a site http://server0.example.com on server0 and perform the following steps:
Download the file from http://classroom.example.com/materials/station.html and rename the file to index.html do not modify the contents of this file
Copy the file index.html to the DocumentRoot directory of your web server
Clients from the example.com domain can access this web service
Client from my133t.org domain denied access to this web service
#//server
$ yum -y install httpd 
$ systemctl enable httpd
$ systemctl start httpd

$ wget -O /var/www/html/index.html http://classroom.example.com/materials/station.html
$ rpm -qd httpd          --->Find help
$ vim /etc/httpd/conf.d/site1.conf 
<VirtualHost _default_:80>
   ServerName server0.example.com    --->Set site name
   <Directory "/var/www/html">       --->/var/www/html Is the default. DocumentRoot Catalog
      <RequireAll>
         Require all granted 
         Require not ip 172.15.10.0/24
      </RequireAll>
   </Directory>
</VirtualHost>

$ systemctl restart httpd
//Add firewalld policy
$ firewall-cmd --permanent --add-service=http 
$ firewall-cmd --reload
###Test to desktop
Test mode 1
$ firefox http://server0.example.com& 
Test mode 2
$ yum -y install links 
$ links http://server0.example.com

13. Configure secure web services

Configure TLS encryption for the site http://server0.example.com
Get the signed certificate from http://classroom.example.com/pub/tls/certs/server0.crt
Get the key of this certificate from http://classroom.example.com/pub/tls/private/server0.key
Get the signature authorization information for this certificate from http://classroom.example.com/pub/example-ca.crt
#//server
$ yum -y install mod_ssl    --->After installation, it will generate /etc/httpd/conf.d/ssl.conf

$ wget -P /etc/pki/tls/certs/ http://classroom.example.com/pub/tls/certs/server0.crt
$ wget -P /etc/pki/tls/private/ http://classroom.example.com/pub/tls/private/server0.key 
$ wget -P /etc/pki/tls/certs/ http://classroom.example.com/pub/example-ca.crt 

$ vim /etc/httpd/conf.d/ssl.conf ---> :%s/localhost/server0/g ---use server0 replace localhost
100   SSLCertificateFile      /etc/pki/tls/certs/server0.crt 
107   SSLCertificateKeyFile   /etc/pki/tls/private/server0.key 

$ systemctl restart httpd 
//If firewalld is used, add a policy 
$ firewall-cmd --permanent --add-service=https
$ firewall-cmd --reload
#//desktop
test
$ firefox https://server0.example.com & 
--->Click the verification button to confirm

14. Configure virtual host

Expand your web server on server0, create a virtual host for the site http://www0.example.com, and then perform the following steps:
Set DocumentRoot to / var/www/virtual
Download the file from http://classroom.example.com/materials/www.html and rename it to index.html. Do not make any changes to the contents of index.html
Put the file index.html in the DocumentRoot directory of the virtual host
Make sure barney users can create files in / var/www/virtual directory
Note: the original site http://server0.example.com must still be accessible. The name server example.com provides domain name resolution for the host name www0.example.com.
#//server
$ mkdir /var/www/virtual 
$ setfacl -m u:barney:rwx  /var/www/virtual     --->ensure barney Users can /var/www/virtual Create file in directory

$ wget -O /var/www/virtual/index.html http://classroom.example.com/materials/www.html 

$ rpm -qd httpd --->Find help

$ vim /etc/httpd/conf.d/vhost-www0.conf 
<VirtualHost *:80>
   ServerName   www0.example.com 
   DocumentRoot /var/www/virtual 
</VirtualHost>

$ systemctl restart httpd
#//desktop
//test
$ firefox http://www0.example.com &

15. Configure access to web content

Create a directory named confidential under the DocumentRoot directory of the web server on your server0. The requirements are as follows:
Download a copy of the file from http://classroom.example.com/materials/private.html to this directory and rename it index.html
Do not make any changes to the contents of this file
From server0, anyone can browse the contents of confidential, but the contents of this directory cannot be accessed from other systems
#//server
$ mkdir /var/www/html/confidential 
$ cd /var/www/html/confidential 
$ wget -O index.html http://classroom.example.com/materials/private.html

//Edit the configuration file / etc/httpd/conf.d/site1.conf and add the following lines
<Directory "/var/www/html/confidential">
   Require local 
</Directory>

$ vim /etc/httpd/conf.d/site1.conf 
<VirtualHost _default_:80>
   ServerName server0.example.com    --->Set site name
   <Directory "/var/www/html">       --->/var/www/html Is the default. DocumentRoot Catalog
      <RequireAll>
         Require all granted 
         Require not ip 172.15.10.0/24
      </RequireAll>
   </Directory>
   <Directory "/var/www/html/confidential">
       Require local 
    </Directory>
</VirtualHost>

$ systemctl restart httpd.service
#//desktop
//test
$ firefox http://server0.example.com/confidential & 

 

16. Implementing dynamic web content

Dynamic web content is provided on server0. The requirements are as follows:
Dynamic content is provided by a virtual machine called transitional.example.com
Virtual machine listening on port 8989
Download a script from http://classroom.example.com/materials/script.wsgi and put it in the right place, never modify the contents of this file
Clients should receive dynamically generated web pages when visiting http://transitional.example.com: 8989 /
This http://transitional.example.com:8989/ must be accessible by all systems in the example.com domain
#//server
$ yum -y install mod_wsgi 

$ rpm -qd mod_wsgi  --->Query help
/usr/share/doc/mod_wsgi-3.4/LICENCE
/usr/share/doc/mod_wsgi-3.4/README

//Edit the configuration file / etc/httpd/conf.d/site2.conf 
$ vim /etc/httpd/conf.d/site2.conf 
Listen 8989
<VirtualHost *:8989>
   ServerName   transitive.example.com:8989
   WSGIScriptAlias  /     /var/www/cgi-bin/script.wsgi 
</VirtualHost>

$ wget -P /var/www/cgi-bin/ http://classroom.example.com/materials/script.wsgi 

$ semanage port -l |grep 80
...
http_port_t       tcp 80,81,443,488,8008,8009,8443,9000
...
$ semanage port -a -t http_port_t -p tcp 8989
$ systemctl restart httpd.service

### Add firewall policy
$ firewall-cmd --permanent --add-port=8989/tcp
$ firewall-cmd --reload 

### inspect
$ firefox http://transitive.example.com:8989/ & 

17. Create a script

Create a script named / root/script.sh on server0 to provide the following features:
When running / root/script.sh all, the output is none
When running / root/script.sh none, the output is all
When no parameter or parameter is all or none, its error output produces the following information:
/root/script.sh all|none
#//server
$ touch /root/script.sh 
$ chmod u+x /root/script.sh 
$ vim /root/script.sh 
#!/bin/bash 
#/root/script.sh 
case "$1" in 
      all)
      echo "none"
      ;;
      none)
      echo "all"
      ;;
      *)
      echo "/root/script.sh all|none"
      ;;
esac
### Verification
$ /root/script.sh all
none
$ /root/script.sh none
all 

18. Create a script to add users

Create a script named / root/makeusers on server0, which can create local users for system server0, and the user names of these users come from a file containing the user name list.
Meanwhile, the following requirements shall be met:
This script requires a parameter, which is the file containing the user list
If no parameters are provided, the script should give the following prompt: Usage: / root / makeusers < userfile > and exit with the corresponding value
If you provide a file name that does not exist, the script should give the following prompt, Iuput file not found, and then exit with the corresponding value
The user login shell created is / bin/false
This script does not need to set a password for the user
You can get the user list from the following URL for testing http://classroom.example.com/materials/ulist
#//server
$ touch /root/makeusers
$ chmod u+x /root/makeusers
//Method 1:
$ vim /root/makeusers
#!/bin/bash
#/root/makeusers
if [ $# -ne 1 ];then 
   echo 'Usage:/root/makeusers <userfile>'
   exit 1
elif [ ! -f "$1" ];then 
   echo 'Iuput file not found'
   exit 2
else 
   for USER in $(cat "$1");do 
      useradd -s /bin/false $USER 
   done 
fi
### Verification
$ wget http://classroom.example.com/materials/ulist
$ ./makeusers
$ ./makeusers ulist
$ tail -n 10 /etc/passwd |grep /bin/false
Method two:
$ vim /root/makeusers
#!/bin/bash
#/root/makeusers
if [ $# -eq 1 ];then 
   if [ -f "$1" ];then 
      while read username;do 
         useradd -s /bin/false $username &>/dev/null 
      done<$1
   else
      echo 'Iuput file not found'
   fi
else  
   echo 'Usage:/root/makeusers <userfile>'
fi

Posted by iamyespee on Sun, 09 Feb 2020 03:55:34 -0800