RHCE HTTP/HTTPS

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Configure a virtual host
  • Configure private directories
  • Deploy a basic CGI application
  • Configure group-managed content
  • Configure TLS security

Install: yum groupinstall "Web Server"

If no DNS, add IP and hostname in /etc/hosts

systemctl enable httpd

systemctl start httpd

firewall-cmd --permanent --add-service=http

firewall-cmd --reload

Virtual Hosts

Make a directory under /var/www/html for the new server

/etc/httpd/conf.d/vhosts.conf

VirtualHost *:80
ServerAdmin
DocumentRoot
ServerName
ErrorLog
CustomLog

apachectl configtest

apachectl restart or systemctl restart httpd

httpd -D DUMP_VHOSTS
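
The skeleton above filled in, as an added example that is not part of the original notes. The server name, the webmaster@ admin address and the log file names are assumptions; the directive list and the DocumentRoot location under /var/www/html follow the steps above.

```sh
#!/bin/sh
# Added example (not from the original post): render one VirtualHost block.
# Redirect the output into /etc/httpd/conf.d/vhosts.conf, then run
# apachectl configtest before restarting httpd.

# valid_server_name NAME -> 0 if NAME looks like a plain DNS host name.
# Rejecting everything else keeps whitespace, quotes, "<", ">" and "/"
# out of the generated config and out of the DocumentRoot path.
valid_server_name() {
    case $1 in
        ''|.*|*.|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# render_vhost NAME -> VirtualHost block on stdout, non-zero on a bad name.
# ServerAdmin is derived as webmaster@NAME (assumption for this example).
render_vhost() {
    valid_server_name "$1" || { echo "bad server name: $1" >&2; return 1; }
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@$1
    DocumentRoot /var/www/html/$1
    ServerName $1
    ErrorLog logs/$1-error_log
    CustomLog logs/$1-access_log combined
</VirtualHost>
EOF
}

# Constructed sample name; prints the block for inspection.
render_vhost www.example.com
```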

Posted in Computers | Tagged | Leave a comment

RHCE Shell Scripting

RHCE Objectives: Use shell scripting to automate system maintenance tasks

This is far too simple and too broad a task to be able to address in a posting. The chapter study guide uses “make a backup of files in /home” as the example.

Seriously, if you can’t script, you shouldn’t be here.


RHCE Performance

RHCE Objectives: Produce and deliver reports on system utilization (processor, memory, disk, and network).

This is a bit more flexible. You can use several tools to get processor, memory, disk, and network information such as

iostat – cpu and disk information
vmstat – procs, memory, swap, system, and cpu info
netstat – network statistics
mpstat – cpu

You do need to remember that the first line is stats since the system was booted.

You can also use dstat, which displays info for CPUs, disks, network, and memory (use the -f flag). Plus you can send the output to a CSV file for export into a spreadsheet.

sar is an old handy tool that also gives you the same stats, cpu, memory, swap, and network.

All three sets of tools can be used to generate reports depending on what report is of interest.

For reporting in an Excel spreadsheet, the output of dstat would likely be the easiest to use.


RHCE iSCSI

RHCE Objectives: Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target

http://www.certdepot.net/rhel7-configure-iscsi-target-initiator-persistently/

Actually this page is pretty clear. I followed it and it worked just fine.

Create the image drives for use by clients:

yum install targetcli
targetcli

> cd /backstores/fileio
> create shareddata /opt/shareddata.img 100M
> cd /iscsi
> create iqn.2017-02.pri.internal:target
> cd iqn[tab]/tpg1/luns
> create /backstores/fileio/shareddata
> cd ../acls
> create iqn.2017-02.pri.internal:client
> cd iqn[tab]
> set auth userid=cschelin
> set auth password=password
> exit

systemctl enable target
systemctl start target
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload

On the client side:

yum install -y iscsi-initiator-utils
cd /etc/iscsi
vi initiatorname.iscsi
Change the iqn to iqn.2017-02.pri.internal:client
vi iscsid.conf
Uncomment and update the authmethod, username, and password
systemctl enable iscsi
systemctl start iscsi
iscsiadm --mode discovery --type sendtargets --portal 192.168.1.203
iscsiadm --mode node --targetname iqn.2017-02.pri.internal:target --portal 192.168.1.203 --login
mkfs.xfs /dev/sdb
blkid /dev/sdb (get uuid)
vi /etc/fstab
Add UUID pointing to mnt, xfs (to match the mkfs.xfs above), _netdev 0 0
mount -a
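
The fstab step above, as an added example that is not part of the original post: it builds the entry from blkid output so the filesystem type matches what mkfs created, and checks an existing entry for the _netdev option. The blkid line and its UUID are constructed sample values, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). SAMPLE_BLKID is a constructed
# line in the format blkid prints for a formatted device.
SAMPLE_BLKID='/dev/sdb: UUID="3f1c2a9e-5b7d-4c1a-9e2f-0a1b2c3d4e5f" TYPE="xfs"'

# blkid_field LINE NAME -> value of NAME="..." in a blkid output line.
# The leading whitespace match keeps TYPE from matching PTTYPE.
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# fstab_entry BLKID_LINE MOUNTPOINT -> one fstab line with _netdev set, so
# the mount waits for the network (and the iSCSI login) at boot.
fstab_entry() {
    uuid=$(blkid_field "$1" UUID)
    fstype=$(blkid_field "$1" TYPE)
    if [ -z "$uuid" ] || [ -z "$fstype" ]; then
        echo "no UUID/TYPE in blkid output (filesystem not created yet?)" >&2
        return 1
    fi
    printf 'UUID=%s %s %s _netdev 0 0\n' "$uuid" "$2" "$fstype"
}

# fstab_entry_ok FSTAB_LINE BLKID_LINE -> 0 only if the type column matches
# the TYPE blkid reports and the options column contains _netdev.
fstab_entry_ok() {
    want=$(blkid_field "$2" TYPE)
    printf '%s\n' "$1" | awk -v t="$want" '
        { n = split($4, o, ","); net = 0
          for (i = 1; i <= n; i++) if (o[i] == "_netdev") net = 1
          exit !($3 == t && net) }'
}

fstab_entry "$SAMPLE_BLKID" /mnt
```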


RHCE Kerberos

RHCE Objectives: Configure a system to authenticate using Kerberos

* yum install krb5-workstation pam_krb5


RHCE sysctl and kernel

RHCE Objectives: Use /proc/sys and sysctl to modify and set kernel runtime parameters.

This is all pretty normal work. In RH6 you’d manually edit the /etc/sysctl.conf file to make changes and run sysctl -p to reload the changes or reboot of course. Running sysctl -a shows all the variables (also located in /proc/sys in various subdirectories such as ‘kernel’, hint hint).

RH7 will let you modify the same sysctl.conf file but per the comments, will accept changes in /usr/lib/sysctl.d/00-system.conf (location of default settings) or /etc/sysctl.d/name.conf (such as 00-kernel.conf for kernel settings). The files are numbered similar to the rc.3 files where 00 is the first loaded file and 99 is the last loaded file. This assumes a reason for loading settings in some order.
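
The load order described above decides which file's value is in effect when two files set the same key. The following is an added example, not from the original post, using a simplified model of the ordering: files apply in lexical order of file name across the directories, the last assignment wins, and a file in an earlier-listed directory replaces a same-named file in a later one. The file names and values in the sample tree are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): find which sysctl.d file wins.

# effective_sysctl KEY DIR... ; list DIRs highest precedence first (/etc first).
# Prints "value<TAB>file" for the assignment that takes effect, or nothing.
effective_sysctl() {
    key=$1; shift
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done | awk -F'\t' '!seen[$1]++' | LC_ALL=C sort | cut -f2 |
    while IFS= read -r path; do
        awk -v k="$key" -v p="$path" '
            /^[ \t]*([#;]|$)/ { next }      # skip comments and blank lines
            {
                i = index($0, "="); if (i == 0) next
                name = substr($0, 1, i - 1); val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (name == k) print val "\t" p
            }' "$path"
    done | tail -n 1
}

# Constructed sample tree standing in for /etc/sysctl.d and /usr/lib/sysctl.d.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr"
    printf '# defaults\nnet.ipv4.ip_forward = 0\n' > "$root/usr/00-system.conf"
    printf 'net.ipv4.ip_forward = 0\n' > "$root/etc/10-hardening.conf"
    printf 'net.ipv4.ip_forward=1\n'   > "$root/etc/90-router.conf"
    printf 'kernel.sysrq = 1\n'        > "$root/usr/50-default.conf"
    printf 'kernel.sysrq = 0\n'        > "$root/etc/50-default.conf"
    echo "$root"
}

root=$(make_sample_tree)
effective_sysctl net.ipv4.ip_forward "$root/etc" "$root/usr"
effective_sysctl kernel.sysrq "$root/etc" "$root/usr"
rm -rf "$root"
```

In the sample tree the 10-hardening.conf setting is silently overridden by 90-router.conf, which is the case worth checking for after adding a hardening file with a low number.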


RHCE Use firewalld

RHCE Objective: Use firewalld and associated mechanisms such as rich rules, zones, and custom rules, to implement packet filtering and configure network address translation (NAT).

http://www.certdepot.net/rhel7-get-started-firewalld/

This is clearly necessary to pass the exam so we’ll just have to dig in. In my current shop, we don’t have firewalls on servers and depend on external firewall and zone management.

Status:

Standard command to check firewalld: systemctl status firewalld

If you have a multi-homed environment, you’ll need to set up net.ipv4.ip_forward=1 in /etc/sysctl.conf

Zones:

With a bastion host (for example), you’ll have a public facing interface and an interface that you as an admin can log in to. You can use the default (or public) zone or create a new zone for admin traffic (management zone).


RHCE Route IP Traffic

RHCE Objective: Route IP traffic and create static routes

In most cases, you’ll use routing when you have a multi-homed system: a server with an interface on one network and one or more interfaces on a different network. You’d do this for bastion hosts (public interface, private interface), for example, or if you want to keep maintenance traffic like backups or general admin access away from the production traffic.

Under RH6 route information was located in /etc/sysconfig/network-scripts/route-interface. You can set up default and static routes and reload the interface (ifdown/ifup), reload the network (service network restart), or just reboot the system (depending on the system not a bad idea, to ensure the routes are configured and will come back after a boot).

default via 10.105.12.254

You can also add routes on the command line using the route command: route add -net 10.100.0.0/16 gw 10.105.12.254 dev eth1. Of course if you want to maintain this info, you’ll need to add it to the file(s) as noted above. Note that in the file you use ‘via’, but on the command line you’d use ‘gw’.

10.100.0.0/16 via 10.105.12.254 dev eth1

The ip command has been available for some years now and ip route add and ip route del are the new ways of managing routes. The command line is similar but not exactly the same.

ip route add 10.100.0.0/16 via 10.105.12.254 dev eth1

Note there is no -net option. By adding the CIDR of /16, you’re telling ip that it’s a network vs a single host (/32).

NetworkManager

One of the issues with RH7 is the new tools such as NetworkManager. For a workstation, especially a wireless user, using NetworkManager is helpful. It offers a simple method of managing network interfaces. But you should not be using NetworkManager in a server environment.


RHCE Configure IPv6

RHCE Objectives: Configure IPv6 addresses and perform basic IPv6 troubleshooting.

Configuring IPv6 on Red Hat 7 is very similar to configuration on Red Hat 6.

Files are located in: /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-interface

The definitions for IPv6-specific settings are located in /usr/share/doc/initscripts-*/sysconfig.txt

network

The IPV6INIT command is not used in RHEL7 but configured in the individual interface files below. Other IPV6 commands can be set in the network file and are superseded by the same commands in the interface files.

* IPv6 Default Gateway – IPV6_DEFAULTGW="3ff3:ffff:1234:5678::1"

ifcfg-interface

In the /etc/sysconfig/network-scripts directory are located the interface configuration files. See the txt file above for lots of information but in general the following configuration options are needed when activating IPv6. Some commands like IPV6_DEFAULTGW can be set here if not set in the above network file.

* Initialize IPv6 – IPV6INIT="yes"
* Static IPv6 IP – IPV6ADDR=address/prefix length
** IPV6ADDR="3ffe:ffff:0:5::1/128" (/64 is default)
* DHCP IPv6 – DHCPV6C="yes|no"
* Default IPv6 Gateway – IPV6_DEFAULTGW="3ff3:ffff:1234:5678::1"


RHCE Network Teaming/Bonding

RHCE Objective: Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems.

http://rhelblog.redhat.com/2014/06/23/team-driver/

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Network_Teaming.html

Teaming and Bonding are the same as far as technical discussions at this level are concerned. Bonding is kernel level work where teaming is user space. This lets you be more flexible with the configurations.

Bonding is pretty simple.

Set up a /etc/sysconfig/network-scripts/ifcfg-bond0 file. In the interface files you will be bonding to it, remove the IPADDR line and move it to the bond0 file (only one IP). Then add a SLAVE=yes and MASTER=bond0 to the two or more interface files that the bond0 interface will consist of.
