一、环境模拟
- * server0.example.com :172.25.0.11
- * desktop0.example.com :172.25.0.10
- * 子网掩码为:255.255.255.0
- * 默认网关为:172.25.0.254
- 考试中使用的 Red Hat Enterprise Linux 操作系统版本对应的
- 分发包可以通过YUM在下面的链接中找到:http://classroom.example.com/content/rhel7.0/x86_64/dvd
- 确保您的两台虚拟机的 SELinux 处于强制启用模式
解题:
[root@server0 ~]# vim /etc/yum.repos.d/classroom.example.com_content_rhel7.0_x86_64_dvd.repo 在尾部添加: gpgcheck=0 [root@server0 ~]# yum clean all [root@server0 ~]# yum makecache 两台机器先配置SELINUX: [root@server0 ~]# vim /etc/selinux/config 修改: SELINUX=enforcing [root@server0 ~]# setenforce 1 两台机配置chronyd: 添加: [root@desktop0 ~]# vim /etc/chrony.conf server classroom.example.com iburst [root@desktop0 ~]# systemctl enable chronyd [root@desktop0 ~]# systemctl restart chronyd [root@desktop0 ~]# chronyc sources -v 将网卡全部设置为静态: [root@server0 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 BOOTPROTO=static ONBOOT=yes TYPE=Ethernet NAME=eth0 IPADDR1=172.25.0.11 PREFIX=24 GATEWAY=172.25.0.254 DNS1=172.25.254.254 DEVICE=eth0 BOOTPROTO=static ONBOOT=yes TYPE=Ethernet NAME=eth0 IPADDR1=172.25.0.10 PREFIX=24 GATEWAY=172.25.0.254 DNS1=172.25.254.254
二、配置SSH
- 用户能够从域 example.com 内的客户端 SSH 远程访问您的两个虚拟机系统;
- 在域 my133t.org 内的客户端不能访问您的两个虚拟机系统
解题:
在两台机器执行:
server0: [root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept [root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.24.0.0/24" service name="ssh" reject" [root@server0 ~]# firewall-cmd --reload
desktop0: [root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept" [root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.24.0.0/24" service name="ssh" reject" [root@desktop0 ~]# firewall-cmd --reload
三、配置端口转发
- 在 172.25.0.0/24 网络中的系统,访问 server0 的本地端口 9394 将被转发到本地端口 443 ;
- 此设置必须永久有效。
解题:
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" forward-port to-port="443" protocol="tcp" port="9394" accept" [root@server0 ~]# firewall-cmd --reload
四、配置链路聚合
- 在 server0.example.com 和 desktop0.example.com 之间按以下要求配置一个链路 team1 :
- 此链路使用接口 eth1和 eth2;
- 此链路在一个接口失效时仍然能工作;
- 此链路在 server0 使用下面的地址 :172.26.20.10/255.255.255.0 ;
- 此链路在 desktop0 使用下面的地址 :172.26.20.20/255.255.255.0 ;
- 此链路在系统重启之后依然保持正常状态。
解题:
server: [root@server0 ~]# nmcli connection add con-name team1 type team ifname team1 config '{"runner": {"name": "activebackup"}}' [root@server0 ~]# nmcli connection modify team1 ipv4.addresses "172.26.20.10/24" ipv4.method manual connection.autoconnect yes [root@server0 ~]# nmcli connection add con-name team1-slave1 ifname eth1 type team-slave master team1 [root@server0 ~]# nmcli connection add con-name team1-slave2 ifname eth2 type team-slave master team1 [root@server0 ~]# nmcli connection reload [root@server0 ~]# nmcli connection up team1 [root@server0 ~]# nmcli connection up team1-slave1 [root@server0 ~]# nmcli connection up team1-slave2 [root@server0 ~]# teamdctl team1 state setup: runner: activebackup ports: eth2 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up eth1 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up runner: active port: eth1 [root@server0 ~]# desktop: [root@desktop0 ~]# nmcli connection add con-name team1 type team ifname team1 config '{"runner": {"name": "activebackup"}}' [root@desktop0 ~]# nmcli connection modify team1 ipv4.addresses "172.26.20.20/24" ipv4.method manual connection.autoconnect yes [root@desktop0 ~]# nmcli connection add con-name team1-slave2 ifname eth2 type team-slave master team1 [root@desktop0 ~]# nmcli connection add con-name team1-slave2 ifname eth2 type team-slave master team1 [root@desktop0 ~]# nmcli connection add con-name team1-slave1 ifname eth1 type team-slave master team1 [root@desktop0 ~]# nmcli connection reload [root@desktop0 ~]# nmcli connection up team1 Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/13) [root@desktop0 ~]# nmcli connection up team1 [root@desktop0 ~]# nmcli connection up team1-slave1 [root@desktop0 ~]# nmcli connection up team1-slave2 [root@desktop0 ~]# [root@desktop0 ~]# teamdctl team1 state setup: runner: activebackup ports: eth1 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up eth2 link watches: link summary: up instance[link_watch_0]: name: ethtool link: up runner: active port: eth1
五、配置ipv6
- 在您的两个考试系统上配置接口 eth0 使用下列 IPv6 地址:
- server0 上的地址应该是 2019:ce11::1748/64 ;
- desktop0 上的地址应该是 2019:ce11::1757/64 ;
- 两个系统必须能与网络 2019:ce11/64 内的系统通信;
- 地址必须在重启系统后依旧生效;
- 两个系统必须保持当前的 IPv4 地址并仍然能够通信。
解题:
server: [root@server0 ~]# nmcli connection modify eth0 ipv6.addresses "2019:ce11::1748/64" ipv6.method manual connection.autoconnect yes [root@server0 ~]# nmcli connection reload [root@server0 ~]# service network restart [root@server0 ~]# nmcli connection reload [root@server0 ~]# nmcli connection up team1 (配置完成ipv6需要重启链路聚合) [root@server0 ~]# nmcli connection up team1-slave1 [root@server0 ~]# nmcli connection up team1-slave2 desktop: [root@desktop0 ~]# nmcli connection modify eth0 ipv6.addresses "2019:ce11::1757/64" ipv6.method manual connection.autoconnect yes [root@desktop0 ~]# nmcli connection reload [root@desktop0 ~]# service network restart [root@desktop0 ~]# nmcli connection up team1 (配置完成ipv6需要重启链路聚合) [root@desktop0 ~]# nmcli connection up team1-slave1 [root@desktop0 ~]# nmcli connection up team1-slave2
六、配置邮件服务
- 在系统 server0 和 desktop0 上配置邮件服务,满足以下要求:
- 这些系统不接收外部发送来的邮件;
- 在这些系统上本地发送的任何邮件都会自动路由到 smtp0.example.com ;
- 从这些系统上发送的邮件显示来自于 desktop0.example.com ;
- 您可以通过在 server0.example.com 发送邮件到本地用户 student 来测试您的配置,并将系统 desktop0.example.com 配置为后端邮件服务器,确保可接收并投递来自 server0 的邮件。
解题:
server: [root@server0 ~]# systemctl enable postfix [root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="stmp" accept" success [root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port="25" protocol="tcp" accept" success [root@server0 ~]# firewall-cmd --reload success [root@server0 ~]# [root@server0 ~]# postconf -e 'inet_interfaces=loopback-only' [root@server0 ~]# postconf -e 'relayhost=[smtp0.example.com]' [root@server0 ~]# postconf -e 'mydestination=' [root@server0 ~]# postconf -e 'myorigin=desktop0.example.com' [root@server0 ~]# systemctl restart postfix.service desktop: [root@desktop0 ~]# systemctl enable postfix [root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="stmp" accept" [root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port="25" protocol="tcp" accept" [root@desktop0 ~]# firewall-cmd --reload [root@desktop0 ~]# postconf -e 'inet_interfaces=loopback-only' [root@desktop0 ~]# postconf -e 'relayhost=[smtp0.example.com]' [root@desktop0 ~]# postconf -e 'mydestination=' [root@desktop0 ~]# postconf -e 'myorigin=desktop0.example.com' [root@desktop0 ~]# systemctl restart postfix.service [root@desktop0 ~]# echo 'hello'|mail -s testmail student
七、SMB
- 在 server0 通过 SMB 共享 /exam_share 目录:
- 您的 SMB 服务器必须是 WORKSTAFF 工作组的一个成员;
- 共享名必须为 exam share ;
- 只有 example.com 域内的客户端可以访问 exam_share 共享;
- exam_share 必须是可以浏览的;
- 用户 harris 必须能够读取共享中的内容,如果需要的话,验证的密码是 123456。
解题:
server: [root@server0 ~]# yum install samba samba-client -y [root@server0 ~]# systemctl enable nmb smb [root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="samba" accept" success [root@server0 ~]# firewall-cmd --reload [root@server0 ~]# mkdir /exam_share -p [root@server0 ~]# semanage fcontext -a -t 'samba_share_t' '/exam_share(/.*)?' [root@server0 ~]# restorecon -Rv /exam_share/ restorecon reset /exam_share context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0 [root@server0 ~]# [root@server0 ~]# smbpasswd -a harris [root@server0 ~]# vim /etc/samba/smb.conf workgroup = WORKSTAFF [exam_share] path = /exam_share browseable = yes desktop: [root@desktop0 ~]# yum install samba-client -y [root@desktop0 ~]# smbclient //172.25.0.11/exam_share -U harris Enter harris's password: Domain=[WORKSTAFF] OS=[Unix] Server=[Samba 4.1.1] smb: \> ls
八、SMB多用户挂载
- 在 server0 通过 SMB 共享目录 /exam_devops,并满足以下要求:
- 共享名为 exam devops ;
- 共享目录 exam_devops 只能被 example.com 域中的客户端使用;
- 共享目录 exam_devops 必须可以被浏览;
- 用户 johnson 必须能以读的方式访问此共享,该问密码是 exam@1748 ;
- 用户 kristina 必须能以读写的方式访问此共享,访问密码是 exam@1748 ;
- 此共享永久挂载在 desktop0.example.com 上的/mnt/exam_devops 目录,并使用用户 johnson 作为认证。任何用户可以通过用户 kristina 来临时获取写的权限。
解题:
[root@server0 ~]# semanage fcontext -a -t 'samba_share_t' '/exam_devops(/.*)?' [root@server0 ~]# restorecon -Rv /exam_devops/ [root@server0 ~]# [root@server0 ~]# setfacl -Rm u:kristina:rwX /exam_devops [root@server0 ~]# vim /etc/samba/smb.conf [exam_devops] path = /exam_devops browseable = yes write list = kristina [root@server0 ~]# systemctl restart nmb smb [root@server0 ~]# smbpasswd -a kristina [root@server0 ~]# smbpasswd -a johnson desktop: [root@desktop0 ~]# yum install cifs-utils -y [root@desktop0 ~]# mkdir -p /mnt/exam_devops [root@desktop0 ~]# vim /etc/fstab //172.25.0.11/exam_devops /mnt/exam_devops cifs defaults,multiuser,username=johnson,password=exam@1748,sec=ntlmssp 0 0 [root@desktop0 ~]# mount -av / : ignored /mnt/iscsi_storage : already mounted /mnt/exam_devops : already mounted [root@desktop0 ~]# su student [student@desktop0 exam_devops]$ ls ls: reading directory .: Permission denied [student@desktop0 exam_devops]$ cifscreds add 172.25.0.11 -u kristina [student@desktop0 exam_devops]$ touch xx [student@desktop0 exam_devops]$ ll total 0 -rw-r--r--. 1 1004 1004 0 Nov 14 07:54 test01 -rw-r--r--. 1 1004 1004 0 Nov 14 08:12 xx
九、NFS
- 在 server0 配置 NFS 服务,要求如下:
- 以只读的方式共享目录 /nfspublic ,只能被 example.com 域中的系统访问;
- 以读写的方式共享目录 /nfsprotected ,只能被 example.com 域中的系统访问;
- 访问 /nfsprotected 需要通过 Kerberos 安全加密,您可以使用下面 URL 提供的密钥:http://classroom.example.com/pub/keytabs/server0.keytab ;
- 目录 /nfsprotected 应该包含名为 nfsproject 拥有人为 ldapuser0 的子目录;
- 用户 ldapuser0 能以读写方式访问 /nfsprotected/nfsproject 。
解题:
[root@server0 ~]# yum install nfs-utils -y [root@server0 ~]# firewall-cmd --permanent --add-service=nfs success [root@server0 ~]# firewall-cmd --permanent --add-service=mountd success [root@server0 ~]# firewall-cmd --permanent --add-service=rpc-bind [root@server0 ~]# firewall-cmd --reload [root@server0 ~]# systemctl enable nfs-server.service nfs-secure-server.service [root@server0 ~]# vim /etc/sysconfig/nfs RPCNFSDARGS="-V 4.2" [root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab [root@server0 ~]# systemctl restart nfs-secure-server.service [root@server0 ~]# systemctl restart nfs-server.service [root@server0 ~]# mkdir -p /nfspublic [root@server0 ~]# mkdir -p /nfsprotected/nfsproject [root@server0 ~]# useradd ldapuser0 [root@server0 ~]# chown -R ldapuser0 /nfsprotected/nfsproject [root@server0 ~]# ls -ldZ /nfsprotected/nfsproject/ drwxr-xr-x. ldapuser0 root unconfined_u:object_r:default_t:s0 /nfsprotected/nfsproject/ [root@server0 ~]# [root@server0 ~]# semanage fcontext -a -t 'public_content_t' '/nfsprotected(/.*)?' [root@server0 ~]# restorecon -Rv /nfsprotected/ restorecon reset /nfsprotected context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:public_content_t:s0 restorecon reset /nfsprotected/nfsproject context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:public_content_t:s0 [root@server0 ~]# systemctl restart nfs-server.service [root@server0 ~]# systemctl restart nfs-secure-server.service [root@server0 ~]# [root@server0 ~]# vim /etc/exports /nfspublic 172.25.0.0/24(ro,sync) /nfsprotected 172.25.0.0/24(rw,sec=krb5p,sync) [root@server0 ~]# [root@server0 ~]# exportfs -avr exporting 172.25.0.0/24:/nfsprotected exporting 172.25.0.0/24:/nfspublic [root@server0 ~]#
十、NFS挂载
- 在 desktop0 上挂载一个来自 server0.example.com 的共享,并符合下列要求:
- /nfspublic 挂载在下面的目录上 /mnt/nfsmount ;
- /nfsprotected 挂载在下面的目录上 /mnt/nfssecure 并使用安全的方式,密钥下载 URL:http://classroom.example.com/pub/keytabs/desktop0.keytab
- 用户 ldapuser0 能够在/mnt/nfssecure/nfsproject 上创建文件;
- 这些文件系统在系统启动时自动挂载。
解题:
[root@desktop0 ~]# mkdir -p /mnt/nfsmount [root@desktop0 ~]# mkdir -p /mnt/nfssecure root@desktop0 ~]# showmount -e 172.25.0.11 Export list for 172.25.0.11: /nfsprotected 172.25.0.0/24 /nfspublic 172.25.0.0/24 [root@desktop0 ~]# [root@desktop0 ~]# vim /etc/fstab 172.25.0.11:/nfspublic /mnt/nfsmount nfs defaults 0 0 [root@desktop0 ~]# mount -av /mnt/nfsmount : successfully mounted [root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab [root@desktop0 ~]# systemctl enable nfs-secure [root@desktop0 ~]# systemctl restart nfs-secure [root@desktop0 ~]# vim /etc/fstab 172.25.0.11:/nfsprotected /mnt/nfssecure nfs defaults,vers=4.2,sec=krb5p,sync 0 0 (执行 lab nfskrb5 setup,开启ldap和keyboard服务可以挂载,考试时是在设置好这个环境的基础上进行) [root@desktop0 ~]# mount -av / : ignored /mnt/iscsi_storage : already mounted /mnt/exam_devops : already mounted /mnt/nfsmount : already mounted [root@desktop0 ~]#
十一、配置web服务器
- 为 http://server0.example.com 配置 Web 服务器:
- 从 URL 地址 http://classroom.example.com/pub/materials/station.html 下载一个主页文件,并将该文件重命名为 index.html (此处请新建文件);
- 将文件 index.html 拷贝到您的 Web 服务器的 DocumentRoot 目录下;
- 不要对文件 index.html 的内容进行任何修改。
解题:
[root@server0 ~]# yum install http\* -y [root@server0 ~]# systemctl enable httpd.service [root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="http" accept" [root@server0 ~]# firewall-cmd --reload [root@server0 ~]# cd /etc/httpd/conf.d/ [root@server0 conf.d]# cat 1.conf <VirtualHost *:80> ServerName server0.example.com DocumentRoot /var/www/html </VirtualHost> <Directory "/var/www/html"> AllowOverride None Require all granted </Directory> [root@server0 conf.d]# [root@server0 conf.d]# wget -O /var/www/html/index.html http://classroom.example.com/pub/materials/station.html (notfund表示系统环境没有该文件) 建立测试: [root@server0 conf.d]# systemctl restart httpd.service [root@server0 conf.d]# echo "test01">/var/www/html/index.html [root@server0 conf.d]# curl http://server0.example.com test01 [root@server0 conf.d]#
十二、WebTLS加密
- 为站点 http://server0.example.com 配置 TLS 加密:
- 一个已签名证书从 http://classroom.example.com/pub/tls/certs/server0.crt 获取;
- 此证书的密钥从 http://classroom.example.com/pub/tls/private/server0.key 获取;
- 此证书的签名授权信息从 http://classroom.example.com/pub/example-ca.crt 获取。
解题:
[root@server0 conf.d]# yum install mod_ssl -y [root@server0 conf.d]# firewall-cmd --permanent --add-rich-rule " rule family="ipv4" source address="172.25.0.0/24" service name="https" accept" success [root@server0 conf.d]# firewall-cmd --reload [root@server0 conf.d]# cp -a 1.conf 2.conf [root@server0 conf.d]# cat 2.conf <VirtualHost *:443> ServerName server0.example.com DocumentRoot /var/www/html SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 SSLCertificateFile /etc/pki/tls/certs/server0.crt SSLCertificateKeyFile /etc/pki/tls/private/server0.key SSLCACertificateFile /etc/pki/tls/certs/example-ca.crt </VirtualHost> <Directory "/var/www/html"> AllowOverride None Require all granted </Directory> [root@server0 conf.d]# [root@server0 conf.d]# wget -O /etc/pki/tls/certs/server0.crt http://classroom.example.com/pub/tls/certs/server0.crt [root@server0 conf.d]# wget -O /etc/pki/tls/private/server0.key http://classroom.example.com/pub/tls/private/server0.key [root@server0 conf.d]# wget -O /etc/pki/tls/certs/example-ca.crt http://classroom.example.com/pub/example- [root@server0 conf.d]# systemctl restart httpd.service [root@server0 conf.d]# curl -k https://server0.example.com test01 [root@server0 conf.d]#
十三、配置虚拟主机
- 在 server0 上扩展您的 web 服务器,为站点 http://www0.example.com 创建一个虚拟主机,然后执行下述步骤:
- 设置 DocumentRoot 为/var/www/website ;
- 从 http://classroom.example.com/pub/materials/www.html 下载文件并重命名为index.html (此处请新建文件);
- 不要对文件 index.html 的内容进行任何修改;
- 将文件 index.html 放到虚拟主机的 DocumentRoot 目录下 ;
- 确保 harris 用户能够在 /var/www/website 目录下创建文件;
- 从 server0 上,任何人都可以浏览 website 的内容,但是从其他系统不能访问这个目录的内容。
- 注意:原始站点 http://server0.example.com 必须仍然能够访问,名称服务器 example.com 提供对主机名 www0.example.com 的域名解析。
解题:
[root@server0 conf.d]# mkdir -p /var/www/website [root@server0 conf.d]# wget -O /var/www/website/index.html http://classroom.example.com/pub/materials/www.html [root@server0 conf.d]# cat 3.conf <VirtualHost *:80> ServerName www0.example.com DocumentRoot /var/www/website </VirtualHost> <Directory "/var/www/website"> AllowOverride None Require all denied Require local </Directory> [root@server0 conf.d]# 创建测试: [root@server0 conf.d]# echo "test03" > /var/www/website/index.html [root@server0 conf.d]# setfacl -Rm u:harris:rwX /var/www/website/ [root@server0 conf.d]# systemctl restart httpd.service [root@server0 conf.d]# curl http://www0.example.com test03 [root@server0 conf.d]#
十四、web动态页面
- 在 server0 上配置提供动态 Web 内容,要求如下:
- 动态内容由名为 webapp0.example.com 的虚拟主机提供
- 虚拟主机侦听在端口 8998 ;
- 从 http://classroom.example.com/pub/materials/webinfo.wsgi 下载一个脚本,然后放在适当的位置,无论如何不要修改此文件的内容(文件此前已提供);
- 客户端访问 http://webapp0.example.com:8998 可接收到动态生成的 Web 页;
- 此 http://webapp0.example.com:8998 必须能被 example.com 域内的所有系统访问。
解题:
[root@server0 conf.d]# yum install -y mod_wsgi [root@server0 conf.d]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port="8998" protocol="tcp" accept" success [root@server0 conf.d]# firewall-cmd --reload success [root@server0 conf.d]# [root@server0 conf.d]# wget -O /var/www/html/webinfo.wsgi http://classroom.example.com/pub/materials/webinfo.wsgi 自行上传测试页面 [root@server0 conf.d]# semanage port -a -t http_port_t -p tcp 8998 [root@server0 conf.d]# systemctl restart httpd.service [root@server0 conf.d]# curl http://server0.example.com:8998 UNIX EPOCH time is now: 1573692142.7 [root@desktop0 ~]# curl http://server0.example.com:8998 UNIX EPOCH time is now: 1573692148.15 [root@desktop0 ~]#
十五、编写shell脚本case
方法一: [root@server0 ~]# touch foo.sh [root@server0 ~]# chmod 755 foo.sh #!/bin/bash if [ $# -eq 1 ]; then if [ $1 == "redhat" ]; then echo "fedora" exit 1 elif [ $1 == "fedora" ]; then echo "redhat" else echo "/root/foo.sh redhat|fedora" fi else echo "/root/foo.sh redhat|fedora" fi 方法二: #!/bin/bash case $1 in redhat) echo "fedora" ;; fedora) echo "redhat" ;; *) echo "/root/foo.sh redhat|fedora" esac
十六、编写shell脚本创建用户
[root@server0 ~]# touch batchusers [root@server0 ~]# chmod 755 batchusers [root@server0 ~]# touch userlist [root@server0 ~]# echo user01 >userlist #!/bin/bash if [ $# -eq 1 ]; then if [ -f "$1" ]; then username=$( cat /root/userlist ) for uname in $username do useradd -s /bin/false $uname &>/dev/null done else echo "Input file not found" fi else echo "Usage: /root/batchusers userfile" fi
十七、ISCSI服务器
- 配置 server0 提供一个 iSCSI 服务,目标段名为 iqn.2019-11.com.example:server0 ,并符合下列要求:
- 服务端口为 3260 ;
- 使用 iscsi_storage 作其后端卷,其大小为 2 GiB ;
- 此服务只能被 desktop0.example.com 访问。
解题:
server: [root@server0 ~]# yum install targetcli -y [root@server0 ~]# systemctl enable target [root@server0 ~]# systemctl restart target [root@server0 ~]# partprobe [root@server0 ~]# pvcreate /dev/vdb1 Physical volume "/dev/vdb1" successfully created [root@server0 ~]# vgcreate iscsi_vg /dev/vdb1 Volume group "iscsi_vg" successfully created [root@server0 ~]# lvcreate -n iscsi_storage -l 100%VG iscsi_vg Logical volume "iscsi_storage" created [root@server0 ~]# [root@server0 ~]# partprobe [root@server0 ~]# targetcli /> ls o- / .................................................................. [...] o- backstores ....................................................... [...] | o- block ........................................... [Storage Objects: 1] | | o- iscsi_storage [/dev/iscsi_vg/iscsi_storage (2.0GiB) write-thru activated] | o- fileio .......................................... [Storage Objects: 0] | o- pscsi ........................................... [Storage Objects: 0] | o- ramdisk ......................................... [Storage Objects: 0] o- iscsi ..................................................... [Targets: 1] | o- iqn.2019-11.com.example:desktop0 ............................ [TPGs: 1] | o- tpg1 ........................................ [no-gen-acls, no-auth] | o- acls ................................................... [ACLs: 1] | | o- iqn.2019-11.com.example:server0 ............... [Mapped LUNs: 1] | | o- mapped_lun0 .................. [lun0 block/iscsi_storage (rw)] | o- luns ................................................... [LUNs: 1] | | o- lun0 ....... [block/iscsi_storage (/dev/iscsi_vg/iscsi_storage)] | o- portals ............................................. [Portals: 1] | o- 172.25.0.11:3260 .......................................... [OK] o- loopback .................................................. [Targets: 0] /> /iscsi/iqn.20...:server0/tpg1> set attribute authentication=0 Parameter authentication is now '0'. /iscsi/iqn.20...:server0/tpg1> set attribute generate_node_acls=0 /> saveconfig [root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port=3260 protocol="tcp" accept " success [root@server0 ~]# firewall-cmd --reload success
十八、ISCSI客户端
- 配置 desktop0 使其能连接 server0 上提供的 iqn.2019-11.com.example:server0 ,并符合以下要求:
- 发起端名为 iqn.2019-11.com.example:server0 ;
- iSCSI 设备在系统启动的期间自动加载;
- 块设备 iSCSI 上包含一个大小为 1600 MiB 的分区,并格式化为 ext4 文件系统;
- 此分区挂载在 /mnt/iscsi_storage 上,同时在系统启动的期间自动挂载。
解题:
desktop: [root@desktop0 ~]# systemctl enable iscsi iscsid [root@desktop0 ~]# vim /etc/iscsi/initiatorname.iscsi InitiatorName=iqn.2019-11.com.example:desktop0 [root@desktop0 ~]# systemctl restart iscsi iscsid [root@desktop0 ~]# iscsiadm -m discovery -t st -p 172.25.0.11 172.25.0.11:3260,1 iqn.2019-11.com.example:server0 [root@desktop0 ~]# [root@desktop0 ~]# iscsiadm -m node -l Logging in to [iface: default, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260] (multiple) Login to [iface: default, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260] successful. [root@desktop0 ~]# [root@desktop0 ~]# fdisk /dev/sda [root@desktop0 ~]# partprobe [root@desktop0 ~]# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 2G 0 disk └─sda1 8:1 0 1.6G 0 part vda 253:0 0 10G 0 disk └─vda1 253:1 0 10G 0 part / vdb 253:16 0 [root@desktop0 ~]# mkdir -p /mnt/iscsi_storage [root@desktop0 ~]# blkid /dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs" /dev/sda1: UUID="2689c309-c6c7-4785-8939-d8ac83e0d40c" TYPE="ext4" [root@desktop0 ~]# vim /etc/fstab UUID="2689c309-c6c7-4785-8939-d8ac83e0d40c" /mnt/iscsi_storage ext4 defaults,_netdev 0 0 [root@desktop0 ~]# mount -av / : ignored mount: /mnt/iscsi_storage does not contain SELinux labels. ...... /mnt/iscsi_storage : successfully mounted 第一次需重启验证(严格按照下列顺序): [root@desktop0 ~]# iscsiadm -m node -u Logging out of session [sid: 1, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260] Logout of [sid: 1, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260] successful. [root@desktop0 ~]# [root@desktop0 ~]# shutdown -h 0 [root@server0 ~]# reboot 开启client验证: [root@desktop0 ~]# df -lh Filesystem Size Used Avail Use% Mounted on /dev/vda1 10G 3.1G 7.0G 31% / devtmpfs 906M 0 906M 0% /dev tmpfs 921M 80K 921M 1% /dev/shm tmpfs 921M 17M 904M 2% /run tmpfs 921M 0 921M 0% /sys/fs/cgroup /dev/sda1 1.6G 4.7M 1.5G 1% /mnt/iscsi_storage [root@desktop0 ~]#
十九、mariadb安装与配置
- 在 server0 上创建一个 MariaDB 数据库,名为 Inventory,并符合以下条件:
- 数据库应该包含来自数据库复制的内容,复制文件的 URL 为:http://classroom.example.com/pub/materials/maradb.dump ;
- 数据库只能被 localhost 访问;
- 除了 root 用户,此数据库只能被用户 Lampard 查询,此用户密码为 123456 ;
- root 用户的密码为 123456 ,同时不允许空密码登陆。
[root@server0 ~]# yum groupinstall mariadb mariadb-client -y [root@server0 ~]# wget http://classroom.example.com/pub/materials/maradb.dump [root@server0 ~]# systemctl enable mariadb [root@server0 ~]# systemctl restart mariadb [root@server0 ~]# mysql_secure_installation Set root password? [Y/n] y New password: Re-enter new password: Remove anonymous users? [Y/n] y ... Success! Disallow root login remotely? [Y/n] y ... Success! Remove test database and access to it? [Y/n] y Reload privilege tables now? [Y/n] y ... Success! [root@server0 ~]# [root@server0 ~]# mysql -uroot -p123456 MariaDB [(none)]> create database Inventory; MariaDB [Inventory]> grant select on Inventory.* to 'Lampard'@'localhost' identified by '123456'; Query OK, 0 rows affected (0.00 sec) MariaDB [Inventory]> flush privileges; Query OK, 0 rows affected (0.00 sec) [root@server0 ~]# vim /etc/my.cnf skip-networking=1 S[root@server0 ~]# systemctl restart mariadb [root@server0 ~]#
二十、数据库查询
(略)
https://www.cnblogs.com/tanshouke/p/12187419.html
注:原创帖,转载注明出处
上一篇:RHCSA考试:https://www.cnblogs.com/tanshouke/p/12186366.html