RHCE practice questions and solutions

Preparing the Environment

yum-config-manager --add-repo=ADDREPO
vim /etc/yum.conf
# 1 = on, 0 = off
gpgcheck=0

  Adds the specified repository and turns off package signature checking.

Questions and answers

1. Configure SELinux

Question overview:
  Make sure SELinux is running in enforcing mode on both virtual machines.

vim /etc/selinux/config
SELINUX=enforcing
setenforce 1    # usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

2. Configure SSH access

Question overview:
Configure SSH access to meet the following requirements:

  • Users can reach both of your virtual machines over SSH from clients in the example.com domain;
  • Clients in the my133t.org domain cannot reach either of your virtual machines over SSH.
vim /etc/ssh/sshd_config
DenyUsers *@*.my133t.org *@172.25.0.*

  You can also restrict this with firewall rules, which are covered later.

3. Customize the user environment (alias)

Question overview:
  On system1 and system2, create a custom command named qstat that runs the following command: /bin/ps -Ao pid,tt,user,fname,rsz;
  The command must be available to all system users.

vim /etc/profile
alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'
source /etc/profile

4. Configure firewall port forwarding

Question overview:
  Configure port forwarding on system1 as follows:

  • For clients in the 172.25.0.0/24 network, connections to local port 5423 on server0 are forwarded to port 80;
  • This setting must be permanent.
firewall-cmd --set-default-zone=trusted    # set trusted as the default zone
firewall-cmd --permanent --add-source=172.25.0.0/24 --zone=block    # the firewall rejects access from my133t.org
firewall-cmd --permanent --zone=trusted --add-forward-port=port=5423:proto=tcp:toport=80

5. Configure link aggregation

Question overview:
  Configure a link named team0 between system1.example.com and system2.example.com that uses the interfaces eth1 and eth2:

  • The link keeps working when one interface fails;
  • On system1 the link uses the address 172.24.4.30/255.255.255.0;
  • On system2 the link uses the address 172.24.4.40/255.255.255.0;
  • The link remains up after a system reboot.
nmcli connection add type team con-name team0 ifname team0 connection.autoconnect yes config '{"runner":{"name":"activebackup"}}'
nmcli connection add type team-slave con-name eth1 ifname eth1 connection.autoconnect yes master team0
nmcli connection add type team-slave con-name eth2 ifname eth2 connection.autoconnect yes master team0
nmcli connection modify team0 ipv4.method manual ipv4.address "172.24.4.30/24" connection.autoconnect yes  
nmcli connection up team0
teamdctl team0 state 

  After the interface comes up, test whether the new IP can communicate; if it cannot, restart the network service with systemctl restart network and test again.

6. Configure IPv6 addresses

Question overview:
  Configure the eth0 interface on your test systems with the following IPv6 addresses:

  • The address on system1 should be 2003:ac18::305/64;
  • The address on system2 should be 2003:ac18::306/64;
  • Both systems must be able to communicate with systems in the 2003:ac18/64 network;
  • The addresses must still be in effect after a restart;
  • Both systems must keep their current IPv4 addresses and remain able to communicate.
nmcli connection modify eth0 ipv6.method manual ipv6.address "2003:ac18::305/64"
nmcli connection up eth0

  Test with ping, as described above.

7. Configure a local mail server

Question overview:
  Configure the mail service on system1 to meet the following requirements:

  • The system does not accept mail sent from external sources;
  • Any mail sent locally on these systems is automatically routed to smtp0.example.com;
  • Mail sent from these systems shows system1.example.com as its origin;
      You can test your configuration by sending mail to the local user student on system1; the student user on system2.example.com will receive this mail.
:Edit the configuration file
vim /etc/postfix/main.cf
# automatic relay routing
relayhost = smtp0.example.com
# listen on the loopback interface only
inet_interfaces = loopback-only
# origin shown on outgoing mail
myorigin = system1.example.com
mynetworks = 127.0.0.0/8 [::1]/128
local_transport = error:local

:Start the service
systemctl restart postfix
systemctl enable postfix

:Test
echo 'test' | mail -s 'Test1' student

  If the firewall's default zone is not trusted, you need to allow access to the smtp service.

8. Share a directory over SMB

Question overview:
  Share the /common directory over SMB on system1:

  • Your SMB server must be a member of the STAFF workgroup;
  • The share name must be common;
  • Only clients in the example.com domain can access the common share;
  • common must be browseable;
  • The user harry must be able to read the contents of the share; if needed, the password to verify with is migwhisk.
:Install and basic setup
yum -y install samba
mkdir /common
setsebool -P samba_export_all_rw=on
smbpasswd -a harry

:Edit the configuration file
vim /etc/samba/smb.conf
[global]
    workgroup = STAFF
[common]
    path = /common
    hosts allow = 172.24.0.0/24
    browseable = yes

:Restart and enable at boot
systemctl restart smb nmb
systemctl enable smb nmb

9. Configure a multiuser Samba mount

Question overview:
  Share the /devops directory over SMB on system1 and meet the following requirements:

  • The share name is devops;
  • The devops share can only be used by clients in the example.com domain;
  • The devops share must be browseable;
  • The user kenji must be able to access this share read-only; the access password is atenorth;
  • The user chihiro must be able to access this share read-write; the access password is atenorth;
  • The share is permanently mounted on system2.example.com at /mnt/dev with kenji as the authenticating user; any user can temporarily obtain write permission by authenticating as chihiro.
:Basic preparation
mkdir /devops
smbpasswd -a kenji
smbpasswd -a chihiro
setfacl -m u:chihiro:rwx /devops

:Edit the configuration file
vim /etc/samba/smb.conf
[devops]
    path = /devops
    hosts allow = 172.24.0.0/24
    write list = chihiro

:Restart the service
systemctl restart smb nmb

:On system2
:Prepare the environment
yum -y install samba-client cifs-utils
smbclient -L system1.example.com -U chihiro
mkdir /mnt/dev

:Edit the configuration file
vim /etc/fstab
//system1.example.com/devops /mnt/dev cifs defaults,multiuser,username=kenji,password=atenorth,sec=ntlmssp,_netdev 0 0

:Mount
mount -a

:Verify the temporary permission
su - other
cifscreds add -u chihiro system1.example.com
touch /mnt/dev/1.txt
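
The fstab entry above keeps kenji's password in /etc/fstab, which every local user can read; mount.cifs also accepts credentials=FILE. The following is an added example, not part of the original page, that moves the inline username and password into a root-only credentials file. The function name and the file paths are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): replace username=/password= in
# a cifs fstab entry with credentials=FILE, where FILE is readable by root only.
# Assumes the password contains no comma, space or backslash.
move_cifs_password() (
    fstab=$1 cred=$2
    # Option field of the first cifs entry that carries an inline password.
    opts=$(awk '$3 == "cifs" && $4 ~ /(^|,)password=/ {print $4; exit}' "$fstab")
    [ -n "$opts" ] || exit 1                 # nothing to rewrite
    user= pass= keep=
    set -f; IFS=,                            # split on commas, no globbing
    for o in $opts; do
        case $o in
            username=*) user=${o#username=} ;;
            password=*) pass=${o#password=} ;;
            *)          keep=${keep:+$keep,}$o ;;
        esac
    done
    unset IFS; set +f
    umask 077                                # create the secret file private
    printf 'username=%s\npassword=%s\n' "$user" "$pass" >"$cred"
    chmod 600 "$cred"                        # also fixes a pre-existing file
    new=${keep:+$keep,}credentials=$cred
    tmp=$(mktemp) || exit 2
    awk -v old="$opts" -v new="$new" \
        '$3 == "cifs" && $4 == old && !seen {$4 = new; seen = 1} {print}' \
        "$fstab" >"$tmp"
    cat "$tmp" >"$fstab"                     # keep fstab's own mode and owner
    rm -f "$tmp"
)

# Constructed demo on a scratch copy of the entry shown above.
demo() {
    d=$(mktemp -d) || return 0
    echo '//system1.example.com/devops /mnt/dev cifs defaults,multiuser,username=kenji,password=atenorth,sec=ntlmssp,_netdev 0 0' >"$d/fstab"
    move_cifs_password "$d/fstab" "$d/smb.cred" && cat "$d/fstab"
    rm -rf "$d"
}
demo
```

On a real system the call would be move_cifs_password /etc/fstab /root/smb.cred (a hypothetical path), followed by mount -a to confirm the share still mounts.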

10. Configure the NFS share service

Question overview:
  Configure the NFS service on system1 as follows:

  • Share the /public directory read-only, accessible only to systems in the example.com domain;
  • Share the /protected directory read-write, accessible to systems in the example.com domain;
  • Access to /protected must be secured with Kerberos; you can use the key provided at the following URL: http://classroom.example.com/pub/keytabs/system1.keytab;
  • The /protected directory should contain a subdirectory named project owned by ldapuser0;
  • The user ldapuser0 can access /protected/project read-write.
:Prepare the environment
mkdir -p /public /protected/project
chown ldapuser0 /protected/project
wget -O /etc/krb5.keytab http://classroom/pub/keytabs/system1.keytab

:Edit the configuration
vim /etc/exports
/public 172.24.4.0/24(ro)
/protected 172.24.4.0/24(rw,sec=krb5p)

:Start the services and enable them at boot
systemctl start nfs-secure-server nfs-server
systemctl enable nfs-secure-server nfs-server

11. Mount the NFS shares

Question overview:
  Mount the shares from system1.example.com on system2 and meet the following requirements:

  • /public is mounted at /mnt/nfsmount;
  • /protected is mounted at /mnt/nfssecure in a secure manner; key download URL: http://classroom.example.com/pub/keytabs/system2.keytab;
  • The user ldapuser0 can create files in /mnt/nfssecure/project;
  • These file systems are mounted automatically at system startup.
:Prepare the environment
mkdir -p /mnt/nfsmount /mnt/nfssecure
wget -O /etc/krb5.keytab http://classroom/pub/keytabs/system2.keytab
systemctl start nfs-secure
systemctl enable nfs-secure
showmount -e system1.example.com

:Edit the configuration file
vim /etc/fstab
system1.example.com:/public /mnt/nfsmount nfs _netdev 0 0
system1.example.com:/protected /mnt/nfssecure nfs sec=krb5p,_netdev 0 0

:Mount
mount -a

12. Implement a web server

Question overview:
  Configure a web server for the site http://system1.example.com:

  • Download the home page file from http://classroom.example.com/pub/materials/station.html and rename it index.html;
  • Copy index.html to the DocumentRoot directory of your web server;
  • Do not make any changes to the contents of index.html;
  • Clients in the example.com domain can access this web service;
  • Clients in the my133t.org domain are denied access to this web service.
:Install Apache
yum -y install httpd
:Edit the configuration file
vim /etc/httpd/conf.d/rhce.conf
<VirtualHost *:80>
    ServerName system1.example.com
    DocumentRoot /var/www/html
</VirtualHost>
:Download the web page
wget -O /var/www/html/index.html http://classroom.example.com/pub/materials/station.html
:Restart Apache and enable it at boot
systemctl restart httpd
systemctl enable httpd

13. Configure a secure web service

Question overview:
  Configure TLS encryption for the site http://server0.example.com:

  • The signed certificate is obtained from http://classroom.example.com/pub/tls/certs/system1.crt;
  • The key for the certificate is obtained from http://classroom.example.com/pub/tls/private/system1.key;
  • The certificate authority information is obtained from http://classroom.example.com/pub/example-ca.crt.
:Install the required authentication module
yum -y install mod_ssl

:Download the required files
cd /etc/pki/tls/certs/
wget http://classroom.example.com/pub/example-ca.crt
wget http://classroom.example.com/pub/tls/certs/system1.crt
cd /etc/pki/tls/private/
wget http://classroom.example.com/pub/tls/private/system1.key

:Edit the configuration file
vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    ServerName system1.example.com:443
    SSLCertificateFile          /etc/pki/tls/certs/system1.crt
    SSLCertificateKeyFile       /etc/pki/tls/private/system1.key
    SSLCACertificateFile        /etc/pki/tls/certs/example-ca.crt
</VirtualHost>

:Restart Apache
systemctl restart httpd

14. Configure a virtual host

Question overview:
  Extend your web server on system1 by creating a virtual host for the site http://www0.example.com, then perform the following steps:

  • Set DocumentRoot to /var/www/virtual;
  • Download the file from http://classroom.example.com/pub/materials/www.html and rename it index.html;
  • Do not make any changes to the contents of index.html;
  • Put index.html in the DocumentRoot directory of the virtual host;
  • Ensure that the student user can create files in the /var/www/virtual directory;
:Prepare the environment
mkdir /var/www/virtual
setfacl -m u:student:rwx /var/www/virtual
wget -O /var/www/virtual/index.html http://classroom.example.com/pub/materials/www.html

:Edit the configuration file
vim /etc/httpd/conf.d/rhce.conf
<VirtualHost *:80>
    ServerName www0.example.com
    DocumentRoot /var/www/virtual
</VirtualHost>

:Restart Apache
systemctl restart httpd

15. Configure web content access

Question overview:
  Create a directory named private under the DocumentRoot of your web server on system1, as follows:

  • Download a copy of the file from http://classroom.example.com/pub/materails/private.html into this directory and name it index.html;
  • Do not make any changes to the contents of this file;
  • From server0, anyone can browse the contents of private, but the contents of this directory cannot be accessed from other systems.
:Prepare the environment
mkdir /var/www/html/private
wget -O /var/www/html/private/index.html http://classroom.example.com/pub/materails/private.html

:Edit the configuration
vim /etc/httpd/conf.d/rhce.conf
<Directory /var/www/html/private>
    Require ip 127.0.0.1
</Directory>

16. Dynamic web content

Question overview:
  Configure system1 to serve dynamic web content as follows:

  • The dynamic content is served by a virtual host named webapp0.example.com;
  • The virtual host listens on port 8909;
    - Download a script from http://classroom.example.com/pub/materials/webinfo.wsgi and put it in an appropriate place; do not modify the contents of this file under any circumstances;
  • Clients that access http://webapp0.example.com:8909 receive a dynamically generated web page;
  • http://webapp0.example.com:8909 must be accessible to all systems in the example.com domain.
:Install the required module
yum -y install mod_wsgi

:Prepare the environment
cd /var/www/html
wget http://classroom.example.com/pub/materials/webinfo.wsgi
semanage port -a -t http_port_t -p tcp 8909

:Edit the configuration
vim /etc/httpd/conf.d/rhce.conf
# httpd only accepts connections on ports named in a Listen directive
Listen 8909
<VirtualHost *:8909>
    ServerName webapp0.example.com:8909
    DocumentRoot /var/www/html
    WSGIScriptAlias / /var/www/html/webinfo.wsgi
</VirtualHost>

:Restart Apache
systemctl restart httpd

17. Create a script

Question overview:
  Create a script named /root/foo.sh on system1 that behaves as follows:

  • When run as /root/foo.sh redhat, the output is Fedora;
  • When run as /root/foo.sh fedora, the output is RedHat;
  • With no argument, or with an argument that is neither redhat nor fedora, it prints the following error message: /root/foo.sh redhat | fedora.
vim /root/foo.sh
#!/bin/bash
if [ "$1" = "redhat" ] ; then
    echo "fedora"
elif [ "$1" = "fedora" ] ; then
    echo "redhat"
else
    echo "/root/foo.sh redhat|fedora" 
fi

chmod +x /root/foo.sh

18. Create a script that adds users

Question overview:
  On system1, create a script named /root/batchusers that creates local users on system1, taking the user names from a file that contains them, and that meets the following requirements:

  • The script takes one argument, a file that contains a list of user names;
  • If no argument is given, the script should print the message Usage: /root/batchusers, then exit and return the corresponding value;
  • If the given file name does not exist, the script should print the message Input file not found, then exit and return the corresponding value;
  • The created users have /bin/false as their login shell; the script does not need to set a password for the users;
  • You can get a list of user names for testing from the following URL: http://classroom.example.com/pub/materials/userlist.
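vim /root/batchusers
#!/bin/bash
# No argument: print the usage message and exit with status 1
if [ $# -eq 0 ] ; then
    echo "Usage: /root/batchusers <userfile>"
    exit 1
fi
# The named file does not exist: report it and exit with status 2
if [ ! -f "$1" ] ; then
    echo "Input file not found"
    exit 2
fi
# Create one user per name in the file, with /bin/false as the login shell
for name in $(cat "$1")
do
    useradd -s /bin/false "$name"
done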

chmod +x /root/batchusers
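
A stricter variant of the script above, as an added example that is not part of the original page: it reads the list line by line, refuses anything that is not a plain account name (so a line can never reach useradd as an option or as several words), and skips accounts that already exist. The DRY_RUN variable, exit code 3 and the name pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's script): batchusers with input validation.
LC_ALL=C; export LC_ALL        # make the a-z ranges below byte-exact

# Accept only conservative account names: first character a lowercase letter
# or underscore, then lowercase letters, digits, "_" or "-", 32 chars at most.
valid_username() {
    case $1 in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# batchusers FILE: same messages and exit codes as the page's script, plus
# exit code 3 (an assumption of this example) when any line was rejected.
batchusers() {
    [ $# -ge 1 ] || { echo "Usage: /root/batchusers <userfile>"; return 1; }
    [ -f "$1" ] || { echo "Input file not found"; return 2; }
    rejected=0
    # Read whole lines, so a line never splits into several words or globs.
    while IFS= read -r name || [ -n "$name" ]; do
        name=$(printf '%s' "$name" | tr -d '\r')    # tolerate CRLF lists
        [ -n "$name" ] || continue
        if ! valid_username "$name"; then
            echo "skip invalid: $name" >&2; rejected=1
        elif id -u "$name" >/dev/null 2>&1; then
            echo "skip existing: $name" >&2
        elif [ "${DRY_RUN:-0}" = 1 ]; then
            echo "useradd -s /bin/false -- $name"
        else
            useradd -s /bin/false -- "$name"
        fi
    done <"$1"
    [ "$rejected" -eq 0 ] || return 3
}

# Constructed sample list; DRY_RUN=1 only prints what would be run.
demo() {
    list=$(mktemp) || return 0
    printf 'rhce_alice\n\nroot\n-o\ntwo words\nrhce_carol' >"$list"
    DRY_RUN=1 batchusers "$list" || echo "exit status $?"
    rm -f "$list"
}
demo
```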

19. Configure the iSCSI server

Question overview:
  Configure server0 to provide an iSCSI service with a disk named iqn.2016-02.com.example:server0, meeting the following requirements:

  • The service port is 3260;
  • It uses a backing store named iscsi_store with a size of 3GiB;
  • The service can only be accessed by system2.example.com.
:Prepare disk space
fdisk /dev/vda
Command (m for help): n
Partition number (1-128, default 1): First sector (34-20971486, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-20971486, default 20971486): +3G 
Command (m for help): w 

partprobe /dev/vda

:Install and configure iSCSI
yum -y install targetcli
targetcli
/> backstores/block create block1  /dev/vda1
/> /iscsi create iqn.2016-02.com.example:system1
/> /iscsi/iqn.2016-02.com.example:system1/tpg1/acls create iqn.2016-02.com.example:system2
/> /iscsi/iqn.2016-02.com.example:system1/tpg1/luns create /backstores/block/block1
/> /iscsi/iqn.2016-02.com.example:system1/tpg1/portals create 172.24.4.30 3260
/> saveconfig
/> exit

:Restart and enable at boot
systemctl restart target 
systemctl enable target 

20. Configure the iSCSI client

Question overview:
  Configure system2 so that it can connect to iqn.2016-02.com.example:system1 provided on system1, meeting the following requirements:

  • The iSCSI device is loaded automatically during system startup;
  • The iSCSI block device contains a 2100MiB partition, formatted with an ext4 file system and mounted on /mnt/data, and it is mounted automatically during system startup.
:Install the iSCSI client
yum -y install iscsi-initiator-utils

:Set the local iSCSI IQN name
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2016-02.com.example:system2

:Restart the service
systemctl restart iscsid
systemctl enable iscsid

:Discover and connect the disk
iscsiadm -m discovery -t st -p system1
iscsiadm -m node -L all

:Partition
lsblk    # view the new disk
fdisk /dev/sda
 Command (m for help): n
Partition number (1-128, default 1): First sector (34-20971486, default 2048):
Last sector, +sectors or +size{K,M,G,T,P} (2048-20971486, default 20971486): +2100M  
Command (m for help): w 

partprobe /dev/sda
mkfs.ext4 /dev/sda1 

:Mount setup
mkdir /mnt/data

vim /etc/fstab
/dev/sda1 /mnt/data ext4 defaults,_netdev 0 0
mount -a

21. Configure a database

Question overview:
  Create a MariaDB database named Contacts on system1 that meets the following conditions: the database should contain the contents of a database copy, and the URL of the copied file is http://classroom.example.com/pub/materials/users.sql:

  • The database can only be accessed from localhost;
  • Apart from the root user, the database can only be queried by the user Raikon, whose password is atenorth; the root user's password is atenorth, and blank passwords are not allowed.
:Install, configure and start MariaDB
yum -y install mariadb mariadb-server
vim /etc/my.cnf
[mysqld]
skip-networking

systemctl restart mariadb
systemctl enable mariadb

:Basic database operations
wget http://classroom.example.com/pub/materials/users.sql
mysqladmin -u root password 'atenorth'
mysql -u root -patenorth

CREATE DATABASE Contacts;
USE Contacts;
SOURCE /root/users.sql
GRANT select ON Contacts.* to Raikon@localhost IDENTIFIED BY 'atenorth';
DELETE FROM mysql.user WHERE Password='';
-- direct edits to mysql.user take effect only after the grant tables are reloaded
FLUSH PRIVILEGES;

22. Database queries

Question overview:
  Use the Contacts database on system1 and answer the following questions with the corresponding SQL queries:

  • What is the name of the person whose password is solicitous?
  • How many people are named Barbara and live in Sunnyvale?
SELECT name FROM base WHERE password='solicitous';
SELECT count(*) FROM base,location WHERE base.name='Barbara' AND location.city='Sunnyvale' AND base.id=location.id ;

Origin www.cnblogs.com/Cherry-Linux/p/11067938.html