[CONFIDENTIAL: Instructor Only]: RHCE SAMPLE DEMO Created By A S M Kawsar Harun
System1: [Link] use as Server
System2: [Link] use as Client
Your systems need the following information:
IP Address:
[Link] : 172.24.X.10/24
[Link] : 172.24.X.11/24
Name Server : [Link]
Gateway : 172.24.X.254
Root password : roonkere
Your Domain : [Link]
Your Subnet : 172.24.X.0/[Link]
Repository : [Link]
1. Enable SELinux in enforcing mode
Do This on Both System1 and System2
[root@system ~]# getenforce
Permissive
[root@system ~]# vim /etc/sysconfig/selinux
Set
SELINUX=enforcing
[root@system ~]# setenforce 1
[root@system ~]# init 6
[root@system ~]# getenforce
Enforcing
2. Yum Client Configuration
[Link]
Do this on both System1 and System2
[root@ systemX ~]# cd /etc/[Link].d/
[root@ systemX ~]# rm -f * (remove the existing repo files)
[root@ systemX ~]# vim [Link]
[dvd]
name=Local dvd
baseurl=[Link]
enabled=1
gpgcheck=0
[root@ system1 ~]# yum clean all
[root@ system1 ~]# yum repolist all
3. SSH Configuration.
- Clients within [Link] should NOT have access to ssh on your systems
- Clients with domain [Link] should be able to access the systems
in that case [Link] has ([Link]/[Link])
Ans:
Do This on Both system1 and system2
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="[Link]/24" service name="ssh"
reject'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.24.X.0/24" service name="ssh"
accept'
# firewall-cmd --reload
4. Port forwarding.
Scenario 1:
- Configure system1 to forward traffic incoming on port 5243/tcp from source network 172.24.X.0/[Link] to
port 80/tcp
Ans:
Server side
[root@ system1 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.24.X.0/24
forward-port port=5243 protocol=tcp to-port=80'
[root@ system1 ~]# firewall-cmd --reload
[root@ system1 ~]# firewall-cmd --list-rich-rules
Scenario 2:
- Configure system1 to forward traffic incoming on port 5243/tcp to port 80/tcp, but only for system2.
Ans:
Server side
[root@ system1 ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source
address=172.24.X.11/32 forward-port port=5243 protocol=tcp to-port=80'
[root@ system1 ~]# firewall-cmd --reload
[root@ system1 ~]# firewall-cmd --list-rich-rules
Scenario 3:
- Configure system1 to forward traffic incoming on port 5243/tcp to host 172.24.X.254 on port 22/tcp, but only
for system2.
Ans:
Server side
[root@ system1 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address=172.24.X.11/32
forward-port port=5243 protocol=tcp to-port=22 to-addr="172.24.X.254"'
[root@ system1 ~]# firewall-cmd --permanent --zone=public --add-masquerade
[root@ system1 ~]# firewall-cmd --reload
[root@ system1 ~]# firewall-cmd --list-rich-rules
5. Configure FTP access on your systems:
- Clients within the [Link] domain should have anonymous FTP access to your machine.
- Clients outside [Link] should NOT have access to your FTP service .
[root@ system1 ~]# yum install vsftpd -y
[root@ system1 ~]# systemctl enable vsftpd
[root@ system1 ~]# systemctl start vsftpd
[root@ system1 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.24.X.0/24"
service name="ftp" accept'
[root@ system1 ~]# firewall-cmd --reload
[root@ system1 ~]# systemctl restart vsftpd
test from system2
[Link]
6. User Environment.
- Create a command called qstat on both system1 and system2. It should execute the following
command (ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)
- The command should be executable by all users.
Ans:
Do this for both system1 and system2
[root@ system1 ~]# vim /etc/profile
qstat() {
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
}
[root@ system1 ~]# vim /etc/bashrc
qstat() {
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
}
[Close the shell and re-open then type 'qstat' ]
7. IPv6 Connection.
- Configure eth0 with a static ipv6 addresses as follows.
- System1 = Fd00:ba5e:ba11:X::10/64
- system2 = Fd00:ba5e:ba11:X::20/64
- DG = Fd00:ba5e:ba11:X::fe
- The changes should be permanent even after the reboot
Ans :
System 1:
[root@ system1 ~]# nmcli connection show
[root@ system1 ~]# nmcli device status
[root@ system1 ~]# nmcli connection modify "System eth0" [Link] ' Fd00:ba5e:ba11:X::10/64
Fd00:ba5e:ba11:X::fe' [Link] manual
[root@ system1 ~]# nmcli connection up "System eth0"
System2:
[root@ system2 ~]# nmcli connection show
[root@ system2 ~]# nmcli device status
[root@ system2 ~]# nmcli connection modify "System eth0" [Link] ' Fd00:ba5e:ba11:X::20/64
Fd00:ba5e:ba11:X::fe' [Link] manual
[root@ system2 ~]# nmcli connection up "System eth0"
Now Test:
[root@ system2 ~]# ping6 Fd00:ba5e:ba11:X::fe
[root@ system1 ~]# ping6 Fd00:ba5e:ba11:X::fe
8. Link aggregation
- Configure a team interface on system1 and system2 that watches for link changes and selects an active port for data
transfers.
- System1 should have the address as 172.24.X.110/[Link]
- System2 should have the address as 172.24.X.220/[Link]
- your system has already two interfaces called eno1 and eno2 which should be used as the ports
- when you reboot eno2 must be running as active runner port.
[root@ system1 ~]# nmcli connection show
[root@ system1 ~]# nmcli device status
[root@ system1 ~]# ip link
eth0 eno1 eno2 lo
System1 Side:
[root@ system1 ~]# nmcli connection add autoconnect yes con-name team0 type team ifname team0 config '{"runner":
{"name": "activebackup"}}'
[root@ system1 ~]# nmcli connection modify team0 [Link] 172.24.X.110/24 [Link] manual
[root@ system1 ~]# nmcli connection show
NAME UUID TYPE DEVICE
System eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 802-3-ethernet eth0
Team0 e10a27c3-bd4a-431a-a284-50375a3c4717 team team0
[root@ system1 ~]# nmcli connection add autoconnect yes con-name team0-port1 type team-slave ifname eno1 master
team0 config '{"prio": -10, "sticky": true}'
[root@ system1 ~]# nmcli connection add autoconnect yes con-name team0-port2 type team-slave ifname eno2 master
team0 config '{"prio": 100}'
[root@ system1 ~]# nmcli connection up team0
[root@ system1 ~]# teamdctl team0 state
setup:
  runner: activebackup
ports:
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
  eth2
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
runner:
  active port: eth2
Client Side (System2):
[root@ system2 ~]# nmcli connection show
[root@ system2 ~]# nmcli device status
[root@ system2 ~]# ip link
[root@ system2 ~]# nmcli connection add autoconnect yes con-name team0 type team ifname team0 config '{"runner":
{"name": "activebackup"}}'
[root@ system2 ~]# nmcli connection modify team0 [Link] 172.24.X.220/24 [Link] manual
[root@ system2 ~]# nmcli connection show
[root@ system2 ~]# nmcli connection add autoconnect yes con-name team0-port1 type team-slave ifname eno1 master
team0 config '{"prio": -10, "sticky": true}'
[root@ system2 ~]# nmcli connection add autoconnect yes con-name team0-port2 type team-slave ifname eno2 master
team0 config '{"prio": 100}'
[root@ system2 ~]# nmcli connection up team0
[root@ system2 ~]# teamdctl team0 state
Now reboot & test
Server side:
[root@system1 ~]# ping -I team0 172.24.X.220
9. Configure an SMTP null client on system1 and system2 which
- relays mail only from the local system through [Link]
- gives all outgoing mail the sender domain [Link].
- has local transport disabled: when the system tries to mail the local system, postfix should give the message "error:
local delivery disabled".
- Verify the mail server is working by sending mail to the local user kaiser. Check the mail on both system1 and
system2 with the URL [Link]
System1
[root@ system1 ~]# systemctl restart [Link]
[root@ system1 ~]# systemctl enable [Link]
[root@ system1 ~]# vim /etc/postfix/[Link]
Line No 76 :
myhostname = [Link]
Line No 99 :
myorigin = [Link]
Line No 116:
inet_interfaces = loopback-only
Line No 164:
mydestination =
Line No 264:
mynetworks = [Link]/8
Line No 317:
relayhost = [Link] or [[Link]]
local_transport = error: local delivery disabled
Line No 426: mail_spool_directory= /var/spool/mail
[root@ system1 ~]# systemctl restart [Link]
[root@ system1 ~]# mail -s "Hii" kaiser@[Link]
From System1:netX
Hi
.
EOT
[root@ system1 ~]# scp /etc/postfix/[Link] root@[Link]:/etc/postfix/
System2
[root@ system2 ~]# systemctl restart [Link]
[root@ system2 ~]# systemctl enable [Link]
[root@ system2 ~]# vim /etc/postfix/[Link]
Line No 76 : myhostname = [Link]
[root@ system2 ~]# systemctl restart [Link]
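A null client is only safe if all four settings above actually take effect: Postfix must not listen on the network, must deliver nothing locally, must relay everything, and must trust only loopback. The following audit script is an added example (not part of the original demo) that checks a main.cf for exactly those settings. It assumes a simplified main.cf syntax (one "key = value" per line, comments ignored, last definition wins as in Postfix; "$variable" expansion and line continuations are not handled), and the two sample files it writes are constructed, with made-up host names such as system1.lab.example and smtp.lab.example.

```shell
#!/bin/sh
# Added example: audit a Postfix main.cf for the null-client settings required above.
# Assumption: simplified parser (one "key = value" per line, later definitions override).

# Print the effective value of a parameter ("" if unset or set empty).
pf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed if the parameter is defined at all (an empty value still counts as defined).
pf_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Print one line per finding; the return code is the number of findings (0 = compliant).
audit_null_client() {
    f=$1; n=0
    v=$(pf_get "$f" inet_interfaces)
    case "$v" in
        loopback-only|localhost|127.0.0.1) ;;
        *) echo "inet_interfaces=$v: a null client must not listen on the network"; n=$((n+1)) ;;
    esac
    v=$(pf_get "$f" mydestination)
    if ! pf_has "$f" mydestination; then
        echo "mydestination unset: Postfix would default to delivering localhost names locally"; n=$((n+1))
    elif [ -n "$v" ]; then
        echo "mydestination=$v: must be empty so nothing is delivered locally"; n=$((n+1))
    fi
    v=$(pf_get "$f" local_transport)
    case "$v" in
        error:*) ;;
        *) echo "local_transport=$v: expected 'error: local delivery disabled'"; n=$((n+1)) ;;
    esac
    v=$(pf_get "$f" relayhost)
    [ -n "$v" ] || { echo "relayhost unset: mail would be sent directly instead of relayed"; n=$((n+1)); }
    v=$(pf_get "$f" mynetworks)
    case "$v" in
        127.0.0.0/8|"127.0.0.0/8 [::1]/128"|"127.0.0.0/8, [::1]/128") ;;
        *) echo "mynetworks=$v: only the loopback network should be trusted"; n=$((n+1)) ;;
    esac
    return "$n"
}

# Constructed sample files (not real systems) to show the check against a good and a bad config.
SAMPLE_DIR=$(mktemp -d)
GOOD_CF=$SAMPLE_DIR/good-main.cf
BAD_CF=$SAMPLE_DIR/bad-main.cf
cat > "$GOOD_CF" <<'EOF'
# constructed null-client main.cf
myhostname = system1.lab.example
myorigin = lab.example
inet_interfaces = all
# the later definition wins, as it does in Postfix
inet_interfaces = loopback-only
mydestination =
mynetworks = 127.0.0.0/8
relayhost = [smtp.lab.example]
local_transport = error: local delivery disabled
EOF
cat > "$BAD_CF" <<'EOF'
# constructed default-style main.cf (not a null client)
myhostname = system1.lab.example
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 168.100.189.0/28, 127.0.0.0/8
EOF

echo "== $GOOD_CF"; audit_null_client "$GOOD_CF" && echo "compliant"
echo "== $BAD_CF";  audit_null_client "$BAD_CF"  || echo "findings: $?"
```

Run it against /etc/postfix/main.cf on system1 and system2 by calling `audit_null_client /etc/postfix/main.cf`; a non-zero return code means at least one of the null-client requirements is not met.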
10. NFS server
NFS Secure:
- Share the /nfssecure, enable krb5p security to secure access to the NFS share from URL
[Link]
- Create a directory named as protected under /nfssecure
- The exported directory should have read/write access from [Link] only.
- Ensure the directory /nfssecure/protected should be owned by the user harry with read/write permission.
System1 :
[root@ system1 ~]# firewall-cmd --permanent --add-service=nfs
[root@ system1 ~]# firewall-cmd --permanent --add-service=rpc-bind
[root@ system1 ~]# firewall-cmd --permanent --add-service=mountd
[root@ system1 ~]# firewall-cmd --reload
[root@ system1 ~]# mkdir /nfssecure/protected -p
[root@ system1 ~]# wget -O /etc/[Link] [Link]
[root@ system1 ~]# chown harry: /nfssecure/protected
[root@ system1 ~]# vim /etc/exports
/nfssecure [Link](rw,sync,sec=krb5p)
[root@ system1 ~]# exportfs -r
[root@ system1 ~]# exportfs
[root@ system1 ~]# vim /etc/sysconfig/nfs
Line 13: RPCNFSDARGS="-V 4.2"
[root@ system1 ~]# systemctl enable nfs-secure-server nfs-server
[root@ system1 ~]# systemctl restart nfs-secure-server nfs-server
[root@ system1 ~]# showmount -e 172.24.X.10
Export list for 172.24.X.10:
/nfssecure [Link]
NFS Secure Client: System2
- Mount the krb5p-secured share /nfssecure/protected on system2 beneath /mnt/protected, using the keytab
[Link]
- The user harry should be able to write files in the /secure/protected directory
# mkdir /mnt/protected
# wget -O /etc/[Link] [Link]
# systemctl start nfs-secure-server nfs-secure
# systemctl enable nfs-secure-server nfs-secure
# vim /etc/fstab
[Link]:/nfssecure/protected /secure/protected nfs sync,v4.2,sec=krb5p,_netdev 0 0
:wq
# df -hT
# mount | grep nfs
# ssh -X harry@localhost
password:
[harry@system2 ~]$ cd /secure/protected
[harry@system2 protected]$ touch one; mkdir two
[harry@system2 protected]$ ls
one two
11. SMB access.
SMB SHARE 1:
- Share the /sambadir directory via SMB on system1.
- Your SMB server must be a member of the STAFF workgroup.
- The share name must be data .
- The data share must be available to [Link] domain clients only.
- The data share must be browseable.
- Susan must have read access to the share, authenticating with the same password 'password' if necessary.
[root@ system1 ~]# yum install samba* -y
[root@ system1 ~]# systemctl start smb nmb
[root@ system1 ~]# systemctl enable smb nmb
[root@ system1 ~]# firewall-cmd --permanent --add-service=samba
[root@ system1 ~]# firewall-cmd --permanent --add-service=samba-client
[root@ system1 ~]# firewall-cmd --reload
[root@ system1 ~]# mkdir /sambadir
[root@ system1 ~]# semanage fcontext -a -t samba_share_t '/sambadir(/.*)?'
[root@ system1 ~]# restorecon -Rv /sambadir/
[root@ system1 ~]# ll -Zd /sambadir/
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /sambadir/
[root@ system1 ~]# useradd -s /sbin/nologin susan
[root@ system1 ~]# useradd -s /sbin/nologin martin
[root@ system1 ~]# useradd -s /sbin/nologin frankenstein
[root@ system1 ~]# smbpasswd -a susan
[root@ system1 ~]# smbpasswd -a frankenstein
[root@ system1 ~]# smbpasswd -a martin
[root@ system1 ~]# ll -d /sambadir/
[root@ system1 ~]# vim /etc/samba/[Link]
workgroup = STAFF
hosts allow = 127. .[Link] 172.24.X.
[data]
path=/sambadir
browseable=yes
valid users=susan
read list = susan
[root@ system1 ~]# systemctl restart smb nmb
[root@ system1 ~]# smbclient //172.24.X.10/data -U susan
Enter susan's password:
Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Wed Dec 16 10:12:30 2015
.. D 0 Wed Dec 16 10:12:30 2015
40913 blocks of size 262144. 27465 blocks available
smb: \> exit
SMB SHARE 2:
- Share /opstack with SMB share name must be cluster.
- The workgroup for cluster share must be cluster.
- The cluster share must be readable by the members of group tigers.
- The user frankenstein has read and write access to the /opstack SMB share.
- The user martin has read access to the /opstack SMB share. Both users should have the SMB password "SaniTago".
- The share must be browseable.
[root@ system1 ~]# mkdir /opstack
[root@ system1 ~]# ll -Zd /opstack/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /opstack/
[root@ system1 ~]# semanage fcontext -a -t samba_share_t '/opstack(/.*)?'
[root@ system1 ~]# restorecon -Rv /opstack/
[root@ system1 ~]# ll -lZd /opstack/
drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /opstack/
[root@ system1 ~]# chgrp tigers /opstack/
[root@ system1 ~]# chmod 2775 /opstack/
[root@ system1 ~]# vim /etc/samba/[Link]
workgroup = STAFF
hosts allow = 127. .[Link] 172.24.X.
[cluster]
workgroup = cluster
path = /opstack
browseable = yes
valid users = @tigers,martin
write list = frankenstein
[root@ ~]# systemctl restart [Link] [Link]
[root@ ~]# smbclient //172.24.X.10/cluster -U frankenstein
Enter frankenstein's password:
Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]
smb: \> mkdir test
. D 0 Wed Dec 16 10:32:03 2015
.. D 0 Wed Dec 16 10:32:03 2015
40913 blocks of size 262144. 27466 blocks available
smb: \> exit
[root@ ~]# smbclient //172.24.X.10/cluster -U martin
Enter martin's password:
Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Wed Dec 16 10:32:03 2015
.. D 0 Wed Dec 16 10:32:03 2015
40913 blocks of size 262144. 27466 blocks available
smb: \> exit
SAMBA Client :
12. Smb mount.
- mount the samba share /opstack permanently beneath /mnt/smbspace on system2 as a multiuser mount.
- the samba share should be mounted with the credentials of martin.
[root@system2 ~]# yum install cifs-utils* -y
[root@system2 ~]# mkdir /mnt/smbspace
[root@system2 ~]# vim /root/[Link]
username=martin
password=SaniTago
[root@system2 ~]# vim /etc/fstab
//172.24.X.10/cluster /mnt/smbspace cifs sec=ntlmssp,credentials=/root/[Link],multiuser,_netdev 0 0
[root@system2 ~]# mount -a
[root@system2 ~]# df -h
//172.24.X.10/cluster 10G 3.3G 6.8G 33% /mnt/smbspace
[root@system2 ~]# cd /mnt/smbspace/
[root@system2 smbspace]# touch [Link]
touch: cannot touch '[Link]': Read-only file system (martin's credentials give read access only)
[root@system2 ~]# useradd martin
[root@system2 ~]# useradd frankenstein
[root@system2 ~]# echo SaniTago | passwd --stdin martin
[root@system2 ~]# echo SaniTago | passwd --stdin frankenstein
[root@system2 ~]# su - frankenstein
[frankenstein@system2 ~]$ cd /mnt/smbspace
[frankenstein@system2 smbspace]$ cifscreds add 172.24.X.10
Password: (give frankenstein's SMB password from system1)
[frankenstein@system2 smbspace]$ touch [Link]
WEB SERVER
Normal :
- Implement a webserver for the site [Link]
- Download the webpage from [Link]
- Rename the downloaded file to [Link].
- Copy the file into the document root.
- Do not make any modification to the content of [Link].
- The webserver must be available to clients within the domain [Link]
- Clients within [Link] should NOT access the webserver on your systems
[root@system1 ~]# systemctl start httpd
[root@system1 ~]# systemctl enable httpd
[root@system1 ~]# firewall-cmd --permanent --add-service=http
[root@system1 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="[Link]/24"
service name="http" reject'
[root@system1 ~]# firewall-cmd --reload
[root@system1 ~]# cd /var/www/html/
[root@system1 html]# wget -O [Link] [Link]
[root@system1 html]# ls
[Link]
[root@system1 html]# systemctl restart [Link]
[root@system1 html]# vim /etc/httpd/conf.d/[Link]
<virtualhost [Link]>
servername [Link]
documentroot /var/www/html
</virtualhost>
[root@system1 html]# httpd -t
Syntax OK
[root@system1 html]# systemctl restart [Link]
[root@system1 html]# cd
[root@system1 ~]# yum install elinks* -y
[root@system1 ~]# elinks [Link]
this is server
TLS Web Page Hosting
Secured webserver
- Configure the website [Link] with TLS
- Set the documentroot to /myweb
- SSLCertificateFile [Link]
- SSLCertificateKeyFile [Link]
- SSL CA certificate file [Link]
- The default port should still be accessible
- Clients should be automatically redirected to the secured server.
[root@system1 ~]# vim /etc/httpd/conf.d/[Link]
<directory /myweb>
require all granted
</directory>
<virtualhost [Link]>
servername [Link]
documentroot /myweb
rewriteengine on
rewriterule ^(/.*)$ [Link] [redirect=301]
</virtualhost>
<virtualhost [Link]>
servername [Link]
documentroot /myweb
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/[Link]
SSLCertificateKeyFile /etc/pki/tls/private/[Link]
SSLCertificateChainFile /etc/pki/tls/certs/[Link]
</virtualhost>
[root@system1 ~]# cd /etc/pki/tls/certs/
[root@system1 certs]# wget [Link]
[root@system1 certs]# wget [Link]
[root@system1 certs]# cd /etc/pki/tls/private/
[root@system1 private]# wget [Link]
[root@system1 private]# chmod 600 [Link]
[root@system1 ~]# systemctl restart [Link]
[root@system1 ~]# firewall-cmd --permanent --add-service=https
[root@system1 ~]# firewall-cmd --reload
Secured WEB
- Implement a website for [Link]
- Create a directory named "owndir" under the document root of the webserver
- Download [Link]
- Rename the file to [Link]
- The content of owndir should be visible to everyone browsing from your local
system but should not be accessible from any other location
- User harry can edit the contents of the directory
[root@system1 ~]# cd /var/www/html/
[root@system1 html]# mkdir owndir
[root@system1 html]# cd owndir/
[root@system1 owndir]# wget -O [Link] [Link]
[root@system1 owndir]# ls
[Link]
[root@system1 owndir]# setfacl -Rm u:harry:rwX /var/www/html/owndir/
[root@system1 owndir]# setfacl -m d:u:harry:rwx /var/www/html/owndir/
[root@system1 owndir]# vim /etc/httpd/conf.d/[Link]
<directory /var/www/html/owndir>
require host [Link]
</directory>
[root@system1 ~]# systemctl restart [Link]
[root@system1 ~]# elinks [Link]
this is secured
client :
[root@system2 ~]# elinks [Link]
Forbidden
You don't have permission to access /owndir on this server.
Virtual hosting.
- Set up a virtual host with an alternate document root.
- Extend your web server to include a virtual host for the site [Link]
- Set the document root to /usr/local/vhost
- Download [Link]
- Rename it to [Link] and place it in the document root of the virtual host
- The domain [Link] ([Link]/[Link]) should not have access to the page.
- system2 should not have access to the page either.
[root@system1 ~]# mkdir /usr/local/vhost
[root@system1 ~]# cd /usr/local/vhost
[root@system1 vhost]# wget [Link]
[root@system1 vhost]# man semanage-fcontext
[root@system1 vhost]# semanage fcontext -a -t httpd_sys_content_t '/usr/local/vhost(/.*)?'
[root@system1 vhost]# restorecon -Rv /usr/local/vhost/
[root@system1 vhost]# ls
[root@system1 vhost]# mv [Link] [Link]
[root@system1 vhost]# ls
[Link]
[root@system1 vhost]# vim /etc/httpd/conf/[Link]
<directory /usr/local/vhost>
<requireall>
require not ip [Link]/24
require not host .[Link]
require not host [Link]
require all granted
</requireall>
</directory>
<virtualhost [Link]>
servername [Link]
documentroot /usr/local/vhost
</virtualhost>
[root@system1 ~]# systemctl restart [Link]
Dynamic Webpage configuration.
- Configure the website [Link] under the document root of your virtual server.
- The site should execute [Link]
- The page is already provided at [Link]
- The content of the script should not be modified.
[root@system1 ~]# yum install mod_wsgi -y
[root@system1 ~]# man semanage-port
[root@system1 ~]# semanage port -a -t http_port_t -p tcp 8951
[root@system1 ~]# firewall-cmd --permanent --add-port=8951/tcp
[root@system1 ~]# firewall-cmd --reload
[root@system1 ~]# cd /myweb
[root@system1 myweb]# wget [Link]
[root@system1 myweb]# vim /etc/httpd/conf.d/[Link]
listen 8951
<virtualhost [Link]>
servername [Link]
documentroot /myweb
WSGIScriptAlias / /myweb/[Link]
</virtualhost>
[root@system1 ~]# systemctl restart [Link]
18. Script 1
- Create a script on both systems called /root/random with the following details.
- When run as /root/random user, it should print kernel
- When run as /root/random kernel, it should print user
- When run with any other argument or without an argument,
it should print "/root/random user|kernel" to stderr
[root@ ~]# vim /root/random
#!/bin/bash
if [[ $1 == "user" ]]; then
echo "kernel"
elif [[ $1 == "kernel" ]]; then
echo "user"
else
>&2 echo "/root/random user|kernel"
fi
[root@ ~]# chmod a+x /root/random
[root@ ~]# /root/random user
kernel
[root@ ~]# /root/random kernel
user
[root@ ~]# /root/random
/root/random user|kernel
19. Script 2
- Create a script on system1 called /root/createusers
- When this script is called with the testfile argument, it should add all the users listed in the file
- Download the file from [Link]
- All users should have the login shell /bin/false; no password is required.
- When this script is called with a file that doesn't exist, it should print the
message Input File Not Found
- When this script is run without arguments or with any other arguments, it should display
Usage: /root/createusers <FILENAME>
- Note: If the users are added, there is no need to delete them.
[root@ ~]# wget [Link]
[root@ ~]# cat userlist
arun
john
david
[root@ ~]# vim /root/createusers
#!/bin/bash
if [[ -z $1 ]]; then
echo "Usage: /root/createusers <FILENAME>"
exit 1
elif [[ ! -e $1 ]]; then
echo "Input File Not Found"
exit 2
fi
# read the user names from the file and add each one with a non-login shell
user=$(cat "$1")
for RHCE in $user
do
useradd -s /sbin/false "$RHCE"
done
exit 0
[root@ ~]# chmod a+x /root/createusers
[root@ ~]# /root/createusers
Usage: /root/createusers <FILENAME>
[root@ ~]# /root/createusers 111
Input File Not Found
[root@system1 ~]# /root/createusers userlist
[root@system1 ~]# tail -n 3 /etc/passwd
arun:x:1004:1005::/home/arun:/sbin/false
john:x:1005:1006::/home/john:/sbin/false
david:x:1006:1007::/home/david:/sbin/false
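The script above trusts every line of the input file: a username containing spaces, a leading "-" or shell metacharacters goes straight to useradd as an argument, and re-running it on an existing list fails halfway through. The following hardened variant is an added example, not the demo's own answer; it validates each name against the default useradd pattern, skips comments, blanks, duplicates and already-existing accounts, uses /bin/false as the task text asks, and only dispatches into user creation when invoked as the installed /root/createusers (so the functions can be tested without root). USERADD is a hypothetical override that lets the useradd call be replaced for a dry run; the sample user list in the usage note is constructed.

```shell
#!/bin/sh
# Added example: hardened /root/createusers (not the original page's script).
# Assumption: USERADD may be overridden (e.g. with a shell function) for dry runs.
USERADD="${USERADD:-useradd}"

# Accept only names useradd accepts by default: letter or underscore, then up to
# 31 letters, digits, underscores or hyphens. Rejects spaces, ";" and leading "-".
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Print the valid, de-duplicated usernames from a file, one per line.
# Comments ("# ...") and blank lines are ignored; invalid names are reported on stderr.
read_userlist() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$line" ] && continue
        if valid_username "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping invalid username: %s\n' "$line" >&2
        fi
    done < "$1" | sort -u
}

# Behaves as the task requires (usage -> 1, missing file -> 2), then creates each
# validated user with /bin/false, skipping accounts that already exist (idempotent).
create_users() {
    if [ $# -ne 1 ]; then
        echo "Usage: /root/createusers <FILENAME>"
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "Input File Not Found"
        return 2
    fi
    read_userlist "$1" | while IFS= read -r u; do
        if id "$u" >/dev/null 2>&1; then
            echo "user $u already exists, skipping" >&2
            continue
        fi
        "$USERADD" -s /bin/false "$u"
    done
}

# Only run when installed and invoked as /root/createusers.
case "${0##*/}" in
    createusers) create_users "$@" ;;
esac
```

With a constructed list such as `labuser1`, a blank line, `labuser2 # lab account`, `bad user;x`, a repeated `labuser1` and `-flag`, `read_userlist` yields only `labuser1` and `labuser2`; the two malformed entries are reported on stderr instead of reaching useradd.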
MARIADB :
20. MariaDB Configuration
- Configure MariaDB on System1 securely with a database named Contacts.
- The database server should not have the test database or anonymous users.
- The database must be accessible locally only.
- The root password must be roonkere.
- Apart from root, only the user kaiser must be able to query the Contacts database.
- kaiser must be identified by roonkere.
Restore a database on system1 from the backup file
[Link]
[root@ ~]# yum groupinstall "MariaDB" "mariadb-client" -y
[root@ ~]# systemctl start mariadb
[root@ ~]# systemctl enable mariadb
[root@ ~]# vim /etc/[Link]
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/[Link]
skip-networking=1
[root@ ~]# mysql_secure_installation
Enter current password for root (enter for none): Enter
Set root password? [Y/n] Enter
New password: roonkere
Re-enter new password: roonkere
Remove anonymous users? [Y/n] Enter
Disallow root login remotely? [Y/n] Enter
Remove test database and access to it? [Y/n] Enter
Reload privilege tables now? [Y/n] Enter
[root@ ~]# mysql -p
Enter Password:
MariaDB [(none)]> create database Contacts;
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| contacts |
| mysql |
| performance_schema |
| test |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]> exit
Bye
[root@ ~]# wget [Link]
[root@ ~]# ls
[Link] [Link]
[root@ ~]# mysql -u root -p Contacts < [Link]
Enter password:
[root@ ~]# mysql -u root -p
Enter password:
MariaDB [(none)]> use Contacts
Database changed
MariaDB [Contacts]> show tables;
+--------------------+
| Tables_in_contacts |
+--------------------+
| category |
| manufacturer |
| product |
+--------------------+
3 rows in set (0.00 sec)
MariaDB [Contacts]> describe product;
+-----------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------------+--------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | varchar(100) | NO | | NULL | |
| price | double | NO | | NULL | |
| stock | int(11) | NO | | NULL | |
| id_category | int(11) | NO | | NULL | |
| id_manufacturer | int(11) | NO | | NULL | |
+-----------------+--------------+------+-----+---------+----------------+
6 rows in set (0.00 sec)
MariaDB [Contacts]> help grant
example:
CREATE USER 'jeffrey'@'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'@'localhost';
GRANT SELECT ON [Link] TO 'jeffrey'@'localhost';
GRANT USAGE ON *.* TO 'jeffrey'@'localhost' WITH MAX_QUERIES_PER_HOUR 90;
MariaDB [Contacts]> create user 'kaiser'@'localhost' identified by 'roonkere';
MariaDB [Contacts]> grant all on Contacts.* to 'kaiser'@'localhost';
MariaDB [Contacts]> flush privileges;
MariaDB [Contacts]> show grants for 'kaiser'@'localhost';
21. iSCSI Storage.
- Your system shares a 3GB LVM target on your [Link].
- The logical block name should be lvm
- The server should export an iSCSI disk called [Link]:system1
- This target should only be accessible to system2
[root@ ~]# yum install targetcli -y
[root@ ~]# systemctl start target
[root@ ~]# systemctl enable target
[root@ ~]# firewall-cmd --permanent --add-port=3260/tcp
[root@ ~]# firewall-cmd --reload
[ Note: First check whether any volume group has free space. If no VG is available, check for
unused hard disks. You may find /dev/vdb, which is completely free. This example continues with /dev/vdb. ]
# lsblk
# fdisk /dev/vdb [ create 3100MiB Partition ]
# partprobe /dev/vdb
# pvcreate /dev/vdb1
# vgcreate vg0 /dev/vdb1
# lvcreate -L 3G -n lv0 vg0
# lvs
LV VG Attr LSize Pool Origin Data%
lv0 vg0 -wi-ao 3.00g
# targetcli
/> cd /backstores/block
/backstores/block> create lvm /dev/vg0/lv0
/backstores/block> ls
o- block ................................................................. [Storage Objects: 1]
o- lvm .................................. [/dev/mapper/vg0-lvm(1.0GiB) write-back deactivated]
/backstores/block> cd /iscsi
/iscsi> create [Link]:system1
/iscsi> ls
o- iscsi .......................................................................... [Targets: 1]
o- [Link]:system1 ............................................ [TPGs: 1]
o- tpg1 ............................................................. [no-gen-acls, no-auth]
o- acls ........................................................................ [ACLs: 0]
o- luns ........................................................................ [LUNs: 0]
o- portals .................................................................. [Portals: 0]
/iscsi> cd /iscsi/[Link]:system1/tpg1/acls/
/iscsi/....acls> create [Link]:system2
/iscsi/...acls > ls
o- acls .............................................................................. [ACLs: 1]
o- [Link]:system2 ..................................... [Mapped LUNs: 0]
/iscsi/....acls> cd /iscsi/[Link]:system1/tpg1/luns/
/iscsi/....luns> create /backstores/block/lvm
/iscsi/....luns> ls
o- luns .............................................................................. [LUNs: 1]
o- lun0 .................................................. [block/lvm (/backstores/block/lvm)]
/iscsi/....luns> cd /iscsi/[Link]:system1/tpg1/portals/
/iscsi/...portals> create 172.24.X.10
Using default IP port 3260
/iscsi/...portals> cd /
/> ls
o- / ..................................................................................... [...]
o- backstores .......................................................................... [...]
| o- block .............................................................. [Storage Objects: 0]
| | o- lvm ................................ [/dev/mapper/vg0-lvm(1.0GiB) write-back activated]
| o- fileio ............................................................. [Storage Objects: 1]
| o- pscsi .............................................................. [Storage Objects: 0]
| o- ramdisk ............................................................ [Storage Objects: 0]
o- iscsi ........................................................................ [Targets: 1]
| o- [Link]:system1 .......................................... [TPGs: 1]
| o- tpg1 ........................................................... [no-gen-acls, no-auth]
| o- acls ...................................................................... [ACLs: 1]
| | o- [Link]:system2 ............................. [Mapped LUNs: 1]
| | o- mapped_lun0 .............................................. [lun0 block/lvm (rw)]
| o- luns ...................................................................... [LUNs: 1]
| | o- lun0 ............................................ [block/lvm (/dev/mapper/vg0-lvm)]
| o- portals ................................................................ [Portals: 0]
o- loopback ..................................................................... [Targets: 0]
/> exit
# systemctl restart target
Initiator (client)
# yum install iscsi-initiator-utils -y
# vim /etc/iscsi/[Link]
InitiatorName=[Link]:system2
:wq!
# systemctl enable iscsi
# systemctl start iscsi
# man iscsiadm
# iscsiadm --mode discoverydb --type sendtargets --portal 172.24.X.10 --discover
172.24.X.10:3260,1 [Link]:system1
# iscsiadm --mode node --targetname [Link]:system1 --portal 172.24.X.10:3260 --login
# lsblk
sda 8:0 0 3G 0 disk
vda 253:0 0 10G 0 disk
└─ vda1 253:1 0 10G 0 part /
vdb 253:16 0 10G 0 disk
# fdisk /dev/sda
# partprobe /dev/sda
# lsblk
sda 8:0 0 3G 0 disk
└─ sda1 8:1 0 1G 0 part
vda 253:0 0 10G 0 disk
└─ vda1 253:1 0 10G 0 part /
vdb 253:16 0 10G 0 disk
├─ vdb1 253:17 0 500M 0 part [SWAP]
├─ vdb2 253:18 0 1K 0 part
└─ vdb5 253:21 0 1G 0 part [SWAP]
# mkfs.ext4 /dev/sda1
# mkdir /mnt/disk1
# blkid
/dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs"
/dev/vdb1: UUID="7233d805-8459-44e5-9aaa-0a9f47942885" TYPE="swap"
/dev/vdb5: UUID="80348a74-e625-41f6-8ce7-c8785a868539" TYPE="swap"
/dev/sda1: UUID="61da859c-5773-45a1-949d-e2f63cd1b853" TYPE="ext4"
# vim /etc/fstab
UUID=61da859c-5773-45a1-949d-e2f63cd1b853 /mnt/disk1 ext4 _netdev 0 2
# mount -a
# df -h
# reboot
# df -h
# iscsiadm -m session -P 3