RHCE NTP

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

http://www.certdepot.net/rhel7-use-selinux-port-labelling/

  • Synchronize time using other NTP peers

Install packages: yum install ntp, systemctl start ntpd

Configure SELinux: Should be configured out of the box; ps -e --context | grep ntp

SELinux Port labeling: Use the semanage tool to see the existing ports to be used:

semanage port -l | grep ntp

To use a different port, you’ll need to make sure the target port isn’t already reserved

sepolicy network -p [port number]

If unreserved, then assign it.

semanage port -a -t ntp_port_t -p udp 60123
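An added example, not from the original post: a parser over `semanage port -l` output that reports which SELinux types already cover a port before you label it. The sample listing is constructed, and `port_types` and `label_plan` are hypothetical helper names.

```bash
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-61000
ephemeral_port_t               udp      32768-61000
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ntp_port_t                     udp      123
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767'

# port_types PROTO PORT (hypothetical helper): read a listing on stdin and
# print every type whose port list or range covers PROTO/PORT.
port_types() {
    awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            list = $0
            sub(/^[^ ]+ +[^ ]+ +/, "", list)       # keep only the port column
            n = split(list, parts, /, */)
            for (i = 1; i <= n; i++) {
                lo = hi = parts[i]
                if (split(parts[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; break }
            }
        }'
}

# label_plan TYPE PROTO PORT (hypothetical helper): print the semanage command
# to run, or say why not. The generic range types below are treated as "free"
# (an assumption of this example).
label_plan() {
    owners=$(port_types "$2" "$3" |
        grep -v -E '^(unreserved|reserved|hi_reserved|ephemeral)_port_t$' || true)
    case "$owners" in
        "")   echo "semanage port -a -t $1 -p $2 $3" ;;
        "$1") echo "already labelled $1" ;;
        *)    echo "conflict: $2/$3 belongs to $(echo $owners | tr ' ' ',')" ;;
    esac
}

# On a live system: semanage port -l | label_plan ntp_port_t udp 60123
printf '%s\n' "$SAMPLE_PORTS" | label_plan ntp_port_t udp 60123
```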

Configure to start when booted: systemctl enable ntpd

Configure for basic operation: Works by default; run ntpq -p to review the output.

Configure host-based and user-based security for the service:

Synchronize time using other NTP peers: Start ntpd; systemctl start ntpd. This will start the sync process. If you need to initially set your hardware clock, you can use ntpdate [servername] to manually set the date and time but ntpd can’t be running. So stop ntpd (systemctl stop ntpd), run ntpdate [servername] to sync, and then start ntpd back up (systemctl start ntpd).


RHCE SSH

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Configure key-based authentication
  • Configure additional options described in documentation

Install: yum install openssh-server (technically it’s already in place but to satisfy the listing above). You’ll need to add it to the firewall if it’s not there already: firewall-cmd --permanent --add-service=ssh; firewall-cmd --reload

Configure SELinux to support: Should already be there

Use SELinux Port labeling: See NTP. You’ll need to change the Port directive in /etc/ssh/sshd_config if you use a different port.

Configure the service to start: systemctl enable sshd

Configure the service for basic operation: again, already started.

Configure host-based and user-based security for the service:

http://www.certdepot.net/rhel7-configure-ssh-key-based-authentication/

Configure key-based authentication: Simple enough. In your home directory, create a .ssh directory and chmod it 700. Run ssh-keygen -t rsa and hit enter through the prompts. On the second machine, create a .ssh directory, also chmod 700, and copy the id_rsa.pub file from server 1 to server 2 as .ssh/authorized_keys
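An added example, not from the original post: a permission check for the files created in the key-based authentication steps, since lax modes are a common reason a correctly copied key is silently ignored. `check_ssh_perms` is a hypothetical helper; it checks modes only, not ownership.

```bash
#!/bin/sh
# check_ssh_perms HOME_DIR (hypothetical helper): print one line per finding and
# return non-zero if any path would make key-based login fail.
check_ssh_perms() {
    bad=0
    # Server side: with StrictModes (the sshd default) the key file is ignored
    # when the home directory, .ssh or authorized_keys is group/world-writable.
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?)
                echo "writable by group/other ($mode): $p"; bad=1 ;;
        esac
    done
    # Client side: ssh refuses a private key that group or others can access.
    key="$1/.ssh/id_rsa"
    if [ -e "$key" ]; then
        mode=$(ls -ld "$key" | cut -c1-10)
        case "$mode" in
            ????------) ;;
            *) echo "private key open to group/other ($mode): $key"; bad=1 ;;
        esac
    fi
    return "$bad"
}

# Demo on a constructed throwaway home directory with a deliberately lax .ssh.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && chmod 775 "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys" && chmod 600 "$demo_home/.ssh/authorized_keys"
check_ssh_perms "$demo_home" || echo "fix with: chmod 700 .ssh; chmod 600 .ssh/authorized_keys"
rm -rf "$demo_home"
```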

Configure additional options: Edit the /etc/ssh/sshd_config file. The file itself is pretty clearly documented. Commented out commands show the default option. Restart the service after changes (systemctl restart sshd).


RHCE SMTP

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

http://www.certdepot.net/rhel7-configure-system-forward-email-central-mail-server/

  • Configure a system to forward all email to a central mail server

Assuming Postfix here vs sendmail (especially with the above article).

Install: yum install postfix

SELinux: Again, with the yum install, the selinux part is already configured.

SELinux Port: See ntp

Configure to start: systemctl enable postfix; systemctl restart postfix;

Configure the service for basic operation: This may be the first block below (the myhostname to mydestination).

Configure host-based and user-based security for the service:

Configure a system to forward all email to a central mail server:

Here we don’t know if there is a central mail server already or if one will be provided. Assuming “send mail to the following IP address or server”

In /etc/postfix/main.cf uncomment/change the following lines:

myhostname = server.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = loopback-only
mydestination =
relayhost = 192.168.1.1

The first parts are to configure your system. Blank mydestination and set relayhost. This will forward mail to the relayhost.


RHCE SMB

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-Samba-Configuration_examples.html#sect-Managing_Confined_Services-Configuration_examples-Sharing_directories_you_create

http://www.certdepot.net/rhel7-provide-smb-network-shares/

Install is a bit more involved, at least for the testing part: yum groupinstall "file-server", plus samba-client and samba-winbind

firewall-cmd --permanent --add-service=samba

systemctl enable smb

systemctl enable nmb

systemctl enable winbind

systemctl start smb

systemctl start nmb

systemctl start winbind

Setting it up is easy enough. In /etc/samba/smb.conf:

Uncomment ‘netbios name’
Update interfaces with interfaces on system

Everything should already be set.

Add a new shared entry at the end

[shared]
comment =
browseable = yes
path = /shared
valid users = your user
writable = yes

Done

Make the directory and set it 777 (mkdir /shared, chmod 777 /shared, touch /shared/test)

The selinux part is as always the harder part.

If semanage not there, install setroubleshoot-server

semanage fcontext --list | grep samba gives you some. Set up samba_share_t for the new shared filesystem

semanage fcontext -a -t samba_share_t "/shared(/.*)?"
restorecon -R /shared

And add the user to the password file.

smbpasswd -a your user. It’ll ask for your new password.

Use smbclient to access the share: smbclient //localhost/shared -U user%password

Group access is similar but a few extra options are needed for management

valid users = @group
create mode = 0660
directory mode = 0770

Change the group for /shared to group (chgrp group /shared)


RHCE NFS

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration
  • Use Kerberos to control access to NFS network shares

Install: yum groupinstall "file-server"

firewall-cmd --permanent --add-service=nfs

firewall-cmd --reload

systemctl enable rpcbind
systemctl enable nfs-server
systemctl enable nfs-lock
systemctl enable nfs-idmap

mkdir -p /home/tools; mkdir -p /home/guests; chmod 777 /home/tools; chmod 777 /home/guests

In the /etc/exports file, add the two file systems to be shared

/home/tools client1(rw,no_root_squash)
/home/guests client2(rw,no_root_squash)

exportfs -avr

systemctl restart nfs-server
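An added example, not from the original post: an audit of exports(5) entries that lists every client spec using no_root_squash or open to any host, so the exports above can be reviewed before they go live. The sample text is constructed (the post's two entries plus two contrast lines) and `audit_exports` is a hypothetical helper.

```bash
#!/bin/sh
# Constructed /etc/exports text: the two entries from the post plus two
# contrast lines (not taken from a real server).
SAMPLE_EXPORTS='/home/tools client1(rw,no_root_squash)
/home/guests client2(rw,no_root_squash)
# comment lines and blank lines are skipped
/srv/pub *(ro)
/srv/data client3(rw,root_squash) 192.168.1.0/24(ro)'

# audit_exports (hypothetical helper): read exports(5) text on stdin and print
# "path client finding" for every client spec worth a second look.
# Assumes no quoted paths and no backslash line continuations.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break               # trailing comment
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                if (client == "") client = "*"     # "(opts)" alone means any host
                # root on the client keeps uid 0 on the exported files
                if (("," opts ",") ~ /,no_root_squash,/) print $1, client, "no_root_squash"
                # any host that can reach the server may mount the export
                if (client == "*") print $1, client, "any-host"
            }
        }'
}

# On a live server: audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```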

As always, selinux adds complexity to a simple task 🙂

You’ll need to change the context of the two file systems and set up the boolean values

semanage fcontext -a -t public_content_rw_t "/home/tools(/.*)?"
semanage fcontext -a -t public_content_rw_t "/home/guests(/.*)?"

semanage boolean -l | grep nfs

The last three need to be set on (last two should already be on)

setsebool -P use_nfs_home_dirs on

On the client side, install the nfs-utils package and then use

mount -t nfs server:/home/tools /mnt

To mount the share.

Group is the same, just create the group-owned directory and add SGID (2770) to the file system.


RHCE DNS

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Configure a caching-only name server
  • Troubleshoot DNS client issues

Edit /etc/named.conf

Change listen-on from 127.0.0.1 to any
Change allow-query to any
Change dnssec-validation to no

Save

Run named-checkconf

firewall-cmd --permanent --add-service=dns

firewall-cmd --reload

systemctl enable named

systemctl start named


RHCE HTTP/HTTPS

RHCE Objectives: Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Use SELinux port labeling to allow services to use non-standard ports
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
  • Configure a virtual host
  • Configure private directories
  • Deploy a basic CGI application
  • Configure group-managed content
  • Configure TLS security

Install: yum groupinstall "Web Server"

If no DNS, add IP and hostname in /etc/hosts

systemctl enable httpd

systemctl start httpd

firewall-cmd --permanent --add-service=http

firewall-cmd --reload

Virtual Hosts

Make a directory under /var/www/html for the new server

/etc/httpd/conf.d/vhosts.conf

<VirtualHost *:80>
    ServerAdmin
    DocumentRoot
    ServerName
    ErrorLog
    CustomLog
</VirtualHost>

apachectl configtest

apachectl restart or systemctl restart httpd

httpd -D DUMP_VHOSTS


RHCE Shell Scripting

RHCE Objectives: Use shell scripting to automate system maintenance tasks

This is far too simple and too broad a task to be able to address in a posting. In the chapter study guide, it uses “make a backup of files in /home” for the example.

Seriously, if you can’t script, you shouldn’t be here.


RHCE Performance

RHCE Objectives: Produce and deliver reports on system utilization (processor, memory, disk, and network).

This is a bit more flexible. You can use several tools to get processor, memory, disk, and network information such as

iostat – cpu and disk information
vmstat – procs, memory, swap, system, and cpu info
netstat – network statistics
mpstat – cpu

You do need to remember that the first line is stats since the system was booted.

You can also use dstat (use the -f flag), which displays info for cpus, disks, network, and memory. Plus you can send the output to a csv file for export into a spreadsheet.

sar is an old handy tool that also gives you the same stats, cpu, memory, swap, and network.

All three sets of tools can be used to generate reports depending on what report is of interest.

For an Excel spreadsheet, the output of dstat would likely be the easiest for reporting purposes.


RHCE iSCSI

RHCE Objectives: Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target

http://www.certdepot.net/rhel7-configure-iscsi-target-initiator-persistently/

Actually this page is pretty clear. I followed it and it worked just fine.

Create the image drives for use by clients:

yum install targetcli
targetcli

> cd /backstores/fileio
> create shareddata /opt/shareddata.img 100M
> cd /iscsi
> create iqn.2017-02.pri.internal:target
> cd iqn[tab]/tpg1/luns
> create /backstores/fileio/shareddata
> cd ../acls
> create iqn.2017-02.pri.internal:client
> cd iqn[tab]
> set auth userid=cschelin
> set auth password=password
> exit

systemctl enable target
systemctl start target
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload

On the client side:

yum install -y iscsi-initiator-utils
cd /etc/iscsi
vi initiatorname.iscsi
Change the iqn to iqn.2017-02.pri.internal:client
vi iscsid.conf
Uncomment and update the authmethod, username, and password
systemctl enable iscsi
systemctl start iscsi
iscsiadm --mode discovery --type sendtargets --portal 192.168.1.203
iscsiadm --mode node --targetname iqn.2017-02.pri.internal:target --portal 192.168.1.203 --login
mkfs.xfs /dev/sdb
blkid /dev/sdb (get uuid)
vi /etc/fstab
Add UUID pointing to mnt, xfs, _netdev 0 0
mount -a
