User:Tom/RHCE EX300

From RoggeWiki

Revision as of 14:56, 28 April 2016

RHCSA & RHCE Red Hat Enterprise Linux 7: Training and Exam Preparation Guide (EX200 and EX300), third edition, March 2015, by Asghar Ghori

RHCE

Chapter 14 Writing Shell Scripts

nl       Number lines of files
bash -x  Run a script with command tracing (debugging)
Command line arguments: $0 $1 $# $* $$ (script name, first argument, number of arguments, all arguments, PID of the script). Use ${10} for arguments above 9.
shift    Move the positional arguments down by one ($2 becomes $1, $1 is dropped)

echo -e  Enables interpretation of backslash escapes (printf is the portable alternative)
read Var Read a line of user input from the keyboard into Var
$?       Exit code of the last command (0 = success, anything else = failure)

test     Test conditions (man test), e.g. test int1 -eq int2; [ ... ] is the same command
if condition; then action; else action; fi
if condition; then action; elif condition; then action; else action; fi
for var in list; do ...; done
while condition; do ...; done
until condition; do ...; done
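The constructs listed above put together in one small script, as an added example (not taken from the book or the wiki): positional arguments with $# and shift, test(1) with if/elif/else, for/while/until loops, read for keyboard input and exit codes that carry a result back to the caller. Function names and paths are made up for the illustration; run it as sh check_files.sh FILE... or trace it with bash -x.

```shell
#!/bin/sh
# Added example for Chapter 14: argument handling, tests, loops, read and exit codes.
# Hypothetical script; run as: sh check_files.sh FILE...  (or: bash -x check_files.sh FILE...)

# Classify one path with test(1) and if/elif/else. Returns 0 only for a readable file.
classify_path() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: missing"
        return 2
    elif [ -d "$path" ]; then
        echo "$path: directory"
        return 1
    elif [ -r "$path" ]; then
        echo "$path: readable file"
        return 0
    else
        echo "$path: unreadable"
        return 1
    fi
}

# Print each argument with its position: for ... in "$@" and $# (no ${10} problem here).
list_args() {
    i=0
    for arg in "$@"; do
        i=$((i + 1))
        printf '%d/%d: %s\n' "$i" "$#" "$arg"
    done
}

# Walk the arguments with while/shift; the exit status is the number of problems found,
# so the caller can inspect $? (capped at 255, the largest exit code a shell can return).
check_all() {
    total=$#
    failed=0
    while [ $# -gt 0 ]; do
        classify_path "$1" || failed=$((failed + 1))
        shift
    done
    echo "checked $total path(s), $failed problem(s)"
    [ $failed -lt 255 ] || failed=255
    return $failed
}

# Ask for confirmation with read; accept only y or Y (case is the shell's switch statement).
confirm() {
    printf 'Proceed? [y/N] '
    read answer
    case $answer in
        y|Y) return 0 ;;
        *)   return 1 ;;
    esac
}

# Retry COMMAND until it succeeds or TRIES attempts are used up: until/do/done.
retry_until() {
    tries=$1
    shift
    n=0
    until "$@"; do
        n=$((n + 1))
        if [ "$n" -ge "$tries" ]; then
            echo "gave up after $n attempt(s)"
            return 1
        fi
    done
    return 0
}

# Typical main section of the script: only runs when arguments were given.
if [ $# -gt 0 ]; then
    list_args "$@"
    check_all "$@"
    echo "exit code of check_all: $?"
fi
```

The exit code of check_all is the piece most scripts get wrong: a script that always ends with an echo returns 0 regardless of what happened, so callers (cron, systemd, another script) cannot tell success from failure.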

Chapter 15 Configuring Bonding, Teaming, IPv6 and Routing

Link Aggregation

Link aggregation is the term for combining two or more physical or virtual Ethernet network interfaces so that they function as a single network pipe. RHEL7 supports two link aggregation methods, referred to as bonding and teaming.

Interface Bonding

Interface bonding provides the ability to bind two or more network interfaces together into a single logical bonded channel that acts as the master for all slave interfaces added to it. Support for bonding is integrated entirely into the kernel as a loadable module called bonding.

Interface Teaming

Interface teaming is introduced in RHEL7 as an additional choice for implementing enhanced throughput and fault tolerance at the network interface level. Teaming is a new implementation and handles the flow of network packets faster than bonding does. Unlike bonding, which is accomplished purely in kernel space and provides no user control over its operation, teaming only requires the essential code in the kernel; the rest is implemented by the teamd daemon, which gives users the ability to control it with the teamdctl command.

modprobe bonding       Add and remove modules from the kernel
modinfo bonding        Show information about a kernel module
uuidgen                Generate a UUID (for the UUID= line of an ifcfg file)
systemctl status NetworkManager
nmcli dev status
nmcli con add type bond con-name bond0 ifname bond0 mode balance-rr ip4 192.168.122.112/24 gw4 192.168.122.1
                       (give the prefix length: nmcli treats an address without one as a /32)
nmcli con add type bond-slave ifname eth1 master bond0
nmcli con up bond0
nmcli con show
nmtui                  If NetworkManager is active
yum install teamd      Teaming software
modprobe team
modinfo team
nmcli con add type team con-name team0 ifname team0 ip4 192.168.122.122/24 gw4 192.168.122.1
nmcli con add type team-slave con-name eth4 ifname eth4 master team0
nmtui
nm-connection-editor   Graphical network administration tool, including bonding and teaming
teamd
teamdctl               e.g. teamdctl team0 state
teamnl

IPv6: 128-bit addresses, e.g. 1204:bab1:21d1:bb43:23a1:9bde:87df:bac9
Both IPv4 and IPv6 addresses can be assigned to one adapter.
ping6
RIP    Routing Information Protocol
OSPF   Open Shortest Path First
ip route, route, netstat -rn      Show the routing table
ip route add
ip route del
Files
/etc/sysconfig/network-scripts/ifcfg-bond0
                              /ifcfg-eth2
                              /ifcfg-eth3
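The ifcfg files behind the bond commands above, as an added example (not the book's or the wiki's own material): a script that writes the master file ifcfg-bond0 and one slave file per interface into a directory you name, and a check that every slave's MASTER= points at an existing master file. Addresses, interface names and the mode are hypothetical. On a real host the directory is /etc/sysconfig/network-scripts, followed by nmcli con reload and nmcli con up bond0.

```shell
#!/bin/sh
# Added example for Chapter 15: hand-written ifcfg files for a bond and its slaves.
# Usage: make_bond DIR BOND MODE IPADDR PREFIX GATEWAY SLAVE...
# DIR is /etc/sysconfig/network-scripts on a real host; a temp directory for a dry run.

# write_bond_master DIR BOND MODE IPADDR PREFIX GATEWAY: the master ifcfg file.
write_bond_master() {
    dir=$1 bond=$2 mode=$3 ip=$4 prefix=$5 gw=$6
    cat > "$dir/ifcfg-$bond" <<EOF
DEVICE=$bond
NAME=$bond
TYPE=Bond
BONDING_MASTER=yes
BONDING_OPTS="mode=$mode miimon=100"
BOOTPROTO=none
IPADDR=$ip
PREFIX=$prefix
GATEWAY=$gw
ONBOOT=yes
EOF
}

# write_bond_slave DIR BOND IFACE: a slave carries no address of its own, only MASTER/SLAVE.
write_bond_slave() {
    dir=$1 bond=$2 iface=$3
    cat > "$dir/ifcfg-$iface" <<EOF
DEVICE=$iface
NAME=$bond-slave-$iface
TYPE=Ethernet
MASTER=$bond
SLAVE=yes
BOOTPROTO=none
ONBOOT=yes
EOF
}

# make_bond DIR BOND MODE IPADDR PREFIX GATEWAY SLAVE...: master first, then each slave.
make_bond() {
    dir=$1 bond=$2 mode=$3 ip=$4 prefix=$5 gw=$6
    shift 6
    write_bond_master "$dir" "$bond" "$mode" "$ip" "$prefix" "$gw"
    for iface in "$@"; do
        write_bond_slave "$dir" "$bond" "$iface"
    done
}

# check_bond DIR: print "slave -> master" for every slave file; fail if a MASTER= value
# has no ifcfg file of its own (the slave would never come up).
check_bond() {
    dir=$1
    rc=0
    for f in "$dir"/ifcfg-*; do
        master=$(sed -n 's/^MASTER=//p' "$f")
        [ -n "$master" ] || continue
        if [ -f "$dir/ifcfg-$master" ]; then
            echo "$(basename "$f") -> $master"
        else
            echo "$(basename "$f"): master $master has no ifcfg file" >&2
            rc=1
        fi
    done
    return $rc
}
```

After writing the files on a real host, nmcli con reload makes NetworkManager re-read them and cat /proc/net/bonding/bond0 shows which slave is active and the link state of each.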

Chapter 16 Synchronizing Time with NTP

ntpd uses UDP on well-known port 123.
NTP roles: primary NTP server, secondary NTP server, NTP peer, NTP client.
An NTP client can be configured as a polling, broadcast, multicast or manycast client.
Packages ntp and ntpdate
Commands ntpdate, ntpq, ntpd and ntpstat.
NTP configuration file /etc/ntp.conf.
Key directives driftfile, logfile, restrict, server, peer, broadcast, crypto, includefile, keys. See man ntp.conf.
firewall-cmd --permanent --add-service=ntp; firewall-cmd --reload
Package system-config-date for the system-config-date tool.
The output of ntpq -p is important: the peer marked * in the first column is the selected sync source, + marks acceptable candidates, and reach 377 (octal) means the last eight polls all succeeded.
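Reading ntpq -p mechanically, as an added example (not from the book or the wiki): a function that takes the command's output and reports whether the host is synchronized, degraded (system peer not reached on every poll), or drifting (offset beyond a threshold you choose). The sample output is constructed, with hypothetical server names; on a real host feed it "$(ntpq -p)". This matters beyond the exam: Kerberos (Chapter 17) rejects tickets when clocks differ by more than five minutes, and log correlation during incident response depends on every host agreeing on the time.

```shell
#!/bin/sh
# Added example for Chapter 16: judge NTP health from `ntpq -p` output.
# Healthy = one peer selected as system peer ('*'), reach 377, small offset.
# SAMPLE_NTPQ is constructed, not captured from a real server.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.com 192.0.2.10       2 u   45   64  377    0.512   -0.123   0.045
+ntp2.example.com 198.51.100.7     2 u   12   64  377    1.210    0.320   0.110
 ntp3.example.com .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_sync_state TEXT [MAX_OFFSET_MS]
# Prints one line and returns: 0 SYNCED, 1 UNSYNCED (no '*' peer), 2 DEGRADED (reach != 377),
# 3 DRIFTING (|offset| above MAX_OFFSET_MS, default 100 ms).
ntp_sync_state() {
    text=$1 max_off=${2:-100}
    printf '%s\n' "$text" | awk -v max="$max_off" '
        NR <= 2 { next }                       # skip the two header lines
        substr($0, 1, 1) == "*" {              # column 1: tally code, * = system peer
            peer = substr($1, 2); reach = $7; off = $9
            found = 1
            if (reach != "377") { print "DEGRADED " peer " reach=" reach; exit 2 }
            if (off < 0) off = -off
            if (off > max) { print "DRIFTING " peer " offset=" $9; exit 3 }
            print "SYNCED " peer " offset=" $9; exit 0
        }
        END { if (!found) { print "UNSYNCED no system peer selected"; exit 1 } }'
}

# Example run (hypothetical host): ntp_sync_state "$(ntpq -p)" 50
```

A freshly started ntpd shows reach climbing 1, 3, 7, 17, 37, 77, 177, 377 over the first eight polls, so a DEGRADED result right after a restart is expected; one that persists means the server is unreachable or filtered (check the ntp service in firewalld and restrict lines in /etc/ntp.conf).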

Chapter 17 Working with Firewalld and Kerberos

Firewall
firewall-cmd      --state, --get-default-zone, --get-active-zones, --get-zones, --list-all, --list-all-zones
                  --list-all --zone=public
                  --new-zone=testzone --permanent, --delete-zone=testzone --permanent
                  --get-services
                  --list-services
                  --query-service
                  --list-ports --add-port --remove-port --query-port --permanent --zone
                  --list-rich-rules --add-rich-rule --remove-rich-rule --query-rich-rule --permanent --zone
                  --add-masquerade --remove-masquerade --query-masquerade --permanent --zone
                  --list-forward-ports --add-forward-port --remove-forward-port --query-forward-port --permanent --zone
                  Without --permanent a change applies to the running firewall only and is lost on --reload; with --permanent it is saved but takes effect only after --reload.
firewall-config   Firewalld GUI configuration tool
/etc/firewalld/                   firewalld.conf plus administrator-defined zones, services and icmptypes
/etc/firewalld/zones/             User-defined zone files; these override the system copies
/usr/lib/firewalld/zones/         System-defined zone files shipped by the package; do not edit, copy to /etc/firewalld/zones/ instead
Kerberos
  • Authentication: The process of verifying the identity of a user or service.
  • Authentication Service (AS): A service that runs on the Key Distribution Center (KDC) server to authenticate clients and issue initial tickets (TGTs).
  • Client: A user or service (such as NFS or Samba) that requests the issuance of tickets to use network services.
  • Credentials: A ticket along with the relevant encryption (session) key.
  • Principal: A verified client (user or service) that is recorded in the KDC database and to which the KDC can assign tickets.
  • Realm: The administrative territory of a KDC, with one or more KDCs and several principals.
  • Service Host: A system that runs a kerberized service that clients can use.
  • Session key: A short-lived symmetric key, carried inside tickets, that is used to secure communication among clients, KDCs and service hosts.
  • Service Ticket: An encrypted ticket used to authenticate a user to a specific network service. It is issued by the TGS after validating the user's TGT and it contains a session key, the principal name, an expiration time and more.
  • Ticket Granting Service (TGS): A service that runs on the KDC to generate and issue service tickets to clients.
  • Ticket Granting Ticket (TGT): The initial encrypted ticket that identifies the client to the TGS when requesting service tickets. It is issued by the AS after validating the client's presence in the KDC database.
Packages krb5-server (KDC) and krb5-workstation (client tools)
Commands kinit, kdestroy, klist, kpasswd, kadmin, kadmin.local
Kerberos tolerates at most 5 minutes of clock skew by default, so NTP (Chapter 16) must work on clients, service hosts and KDCs.

Chapter 18 Tuning Kernel Parameters, Reporting System Usage and Logging Remotely

sysctl -a, sysctl -p
/proc/cmdline
/proc/sys
echo 18 >/proc/sys/...                 Change a parameter at runtime only (lost at reboot)
/etc/sysctl.conf                       Persistent settings, read by sysctl -p
/usr/lib/sysctl.d/00-system.conf       Vendor defaults; put local overrides in /etc/sysctl.d/*.conf and apply them with sysctl --system
/boot/grub2/grub.cfg
/proc/cmdline                          Boot-time parameters aka command-line options
df, vmstat, top
Package sysstat: cifsiostat, iostat, mpstat, nfsiostat, pidstat, sa1, sa2, sadc, sadf, sar
/etc/sysconfig/sysstat
/etc/sysconfig/sysstat.ioconf
Package dstat: dstat (a separate package, not part of sysstat)
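Checking a host's kernel parameters against a baseline, as an added example (not from the book or the wiki): sysctl_drift compares a sysctl -a snapshot with a list of expected values and prints every mismatch, and sysctl_fix_fragment turns the mismatches into the key = value lines for an /etc/sysctl.d fragment. The baseline values are common hardening choices for a host that is not a router and are this example's assumptions, as is the file name 99-hardening.conf; SNAPSHOT is constructed, not captured. On a real host pass "$(sysctl -a 2>/dev/null)" instead.

```shell
#!/bin/sh
# Added example for Chapter 18: compare `sysctl -a` output with a baseline and
# generate the /etc/sysctl.d fragment that corrects the drift.
# BASELINE = expected values (assumed hardening choices); SNAPSHOT = constructed sample.

BASELINE='net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
kernel.randomize_va_space=2
kernel.kptr_restrict=1'

# Constructed `sysctl -a` excerpt: three values deviate from the baseline.
SNAPSHOT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 0
kernel.hostname = server1'

# sysctl_drift SNAPSHOT BASELINE
# Prints one line per mismatch ("key current=X expected=Y" or "key unset expected=Y");
# returns 0 when everything matches, 1 when anything drifted.
sysctl_drift() {
    snap=$1 base=$2
    drift=$(printf '%s\n' "$base" | while IFS='=' read -r key want; do
        # sysctl -a prints "key = value"; pick the value for this key only
        have=$(printf '%s\n' "$snap" | awk -F' = ' -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            echo "$key unset expected=$want"
        elif [ "$have" != "$want" ]; then
            echo "$key current=$have expected=$want"
        fi
    done)
    [ -n "$drift" ] || return 0
    printf '%s\n' "$drift"
    return 1
}

# sysctl_fix_fragment SNAPSHOT BASELINE
# Prints "key = expected" for every drifted key: save as /etc/sysctl.d/99-hardening.conf
# (hypothetical name) and apply with `sysctl -p /etc/sysctl.d/99-hardening.conf` or `sysctl --system`.
sysctl_fix_fragment() {
    sysctl_drift "$1" "$2" | awk '{ split($0, a, " "); sub(/^expected=/, "", a[3]); print a[1] " = " a[3] }'
}
```

Writing the fragment to /etc/sysctl.d rather than editing /etc/sysctl.conf keeps the local policy separate from the vendor defaults in /usr/lib/sysctl.d, and files are applied in lexical order, so a 99- prefix guarantees the override wins.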

Chapter 19 Sharing Block Storage with iSCSI

targetcli     for target administration, package targetcli
targetcli     saveconfig
iscsiadm      for initiator administration, package iscsi-initiator-utils
iscsiadm      -m discovery -t st -p 192.168.122.102    Locate available targets
iscsiadm      -m node -T iqn.2016-01.roggeware.nl.server2:iscsidisk1 -p 192.168.122.102 -l         Login (-l) to target (-T) in node mode (-m) at portal (-p)
iscsiadm      -m session 
systemctl enable iscsid
/etc/iscsi/iscsid.conf           Initiator settings (including CHAP credentials)
/etc/iscsi/initiatorname.iscsi   IQN of this initiator
/var/lib/iscsi/

Chapter 20 Sharing File Storage with NFS

yum install nfs-utils
getsebool -a|grep nfs_export
setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1
firewall-cmd --permanent --add-service=nfs        (--reload discards runtime-only changes, so use --permanent; NFSv3 clients also need the rpc-bind and mountd services)
firewall-cmd --reload
firewall-cmd --list-services
systemctl enable rpcbind nfs-server
/etc/exports          /common server2.example.com(rw,no_root_squash)     
/etc/fstab            server1.example.com:/common     /nfsrhcemnt   nfs _netdev,rw 0 0
/var/lib/nfs/etab
/etc/sysconfig/nfs

exportfs -avr
exportfs -u server2.example.com:/common
man exports
nfsstat
nfsiostat
mountstats
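The export line above, /common server2.example.com(rw,no_root_squash), is the one to think twice about: with no_root_squash, root on the client is root on the exported tree, so a compromised client can plant a setuid binary the server will honour. As an added example (not from the book or the wiki), an audit of an /etc/exports file for that option, for wildcard or empty client lists and for insecure; EXPORTS is constructed and the host names are hypothetical. On a real host run exports_audit "$(cat /etc/exports)" and compare with the effective exports in /var/lib/nfs/etab.

```shell
#!/bin/sh
# Added example for Chapter 20: audit /etc/exports for risky options.
# EXPORTS is a constructed sample, not a real host's file.

EXPORTS='/common server2.example.com(rw,no_root_squash)
/pub *(ro,sync)
/data 192.168.122.0/24(rw,sync,root_squash)
/home *.example.com(rw,insecure)
/scratch 192.168.122.102(rw,sync) server3.example.com(ro)
/open'

# exports_audit TEXT
# Prints one finding per line as "PATH CLIENT FINDING"; returns 0 if clean, 1 otherwise.
# Checks: no client list or "*" (exported to every host), "*.domain" wildcards,
# no_root_squash (client root keeps uid 0), insecure (source ports above 1023 allowed),
# and the rw + no_root_squash combination that allows planting setuid binaries.
exports_audit() {
    findings=$(printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            path = $1
            if (NF == 1) { print path " (none) world-exported: no client list means every host"; next }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {   # split "host(opt,opt)" into host and opts
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "(any)"
                if (client == "(any)" || client == "*") print path " " client " world-exported"
                else if (client ~ /^\*\./) print path " " client " domain-wildcard client"
                if (opts ~ /(^|,)no_root_squash(,|$)/) print path " " client " no_root_squash"
                if (opts ~ /(^|,)insecure(,|$)/) print path " " client " insecure ports allowed"
                if (opts ~ /(^|,)rw(,|$)/ && opts ~ /(^|,)no_root_squash(,|$)/)
                    print path " " client " rw+no_root_squash: remote root can plant setuid binaries"
            }
        }')
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}
```

If an export really needs root access from one trusted host (kickstart trees, some backup schemes), keep no_root_squash limited to that host's address, keep the export ro where possible, and mount it on the client with nosuid so setuid bits on the server side do nothing there.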

Chapter 21 Sharing File Storage with Samba

Server Message Block (SMB), whose SMB1 dialect became known as the Common Internet File System (CIFS). The Samba daemon smbd listens on TCP port 445 (and on 139 for NetBIOS sessions).

Samba Commands
mount            Mounts a Samba share. Adds an entry to /etc/mtab
mount.cifs       Mounts a Samba share on the client.
pdbedit          Maintains a local user database in /var/lib/samba/private/smbpasswd on the server.
smbclient        Connects to a Samba share to perform FTP-like operations.
smbpasswd        Changes Samba user passwords.
testparm         Tests the syntax of smb.conf.
umount
smbclient -L server1 -U user10            List the shares offered by server1
smbclient //server1/common -U user10      Connect to the share
Samba Configuration and functional files
/etc/samba/smb.conf                Samba server configuration file.
/etc/samba/smbusers                Maintains Samba and Linux user mappings.
/etc/sysconfig/samba               Contains directives used at Samba startup.
/var/lib/samba/private/smbpasswd   Maintains Samba user passwords. 
/var/log/samba                     Directory location for Samba logs.
Samba Software Packages
samba            Provides the Samba server support.
samba-client     Includes utilities for performing various operations on server and client.
samba-common     Provides Samba man pages, commands and configuration files.
samba-libs       Contains library routines used by Samba server and client.
cifs-utils       Client-side utilities for mounting and managing CIFS shares.
SELinux Requirements for Samba Operation

....

Chapter 22 Hosting Websites with Apache

Apache Commands

apachectl     Starts, stops and checks status of the httpd process. Systemctl may also be used.
htpasswd      Create and updates files to store usernames and passwords for basic authentication of Apache users.
httpd         Server program for the Apache web service.
              -t         verify the configuration files (syntax only)
              -S         dump the parsed virtual host settings (same as -t -D DUMP_VHOSTS)

Apache Configuration Files

/etc/httpd                Default directory for all configuration files.
/run/httpd                Runtime information.
/usr/lib64/httpd/modules  Additional Apache modules.
/var/log/httpd            Apache logfiles.
/usr/share/doc/httpd-2.4.6  


Apache Software Packages

httpd
httpd-manual              html pages in /usr/share/httpd/manual accessible with links or elinks.
httpd-tools
Configuring Apache Web Servers
system-config-selinux              SELinux configuration tool
getsebool -a|grep httpd
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
firewall-cmd --permanent --add-port=8900/tcp        For a non-standard port, also allow it in SELinux:
semanage port -a -t http_port_t -p tcp 8900         otherwise httpd cannot bind to it (semanage port -l | grep http_port_t lists the allowed ports)
semanage fcontext -a -t httpd_sys_content_t "/var/vhost2(/.*)?"
restorecon -Rv /var/vhost2
elinks http://localhost
Understanding and Configuring Apache Web Servers over SSL/TLS
CA  Certificate Authority.
CSR Certificate Signing Request.
Software Packages mod_ssl and openssl.
Files
/etc/httpd/conf.d/ssl.conf    Installed by package mod_ssl.

Sending and Receiving Electronic Mail

MUA Mail User Agent. 
MSA Mail Submission Agent.
MTA Mail transport Agent.
MDA Mail Delivery Agent
POP Post Office Protocol.
IMAP Internet Message Access Protocol.
Postfix Commands
alternatives         Displays and sets the default MTA.
                     --set mta /usr/sbin/sendmail.postfix
                     --display mta
mail/mailx           Sends and receives email.
postalias/newaliases Processes the alias database (/etc/aliases by default).
postconf             Displays and modifies the Postfix configuration stored in main.cf (postconf -n shows the non-default settings).
postfix              Controls the Postfix services: start, stop, status, reload, and check (verifies the configuration and directory permissions).
postmap              Processes and converts lookup tables (e.g. /etc/postfix/transport) into Postfix-compatible databases.
postqueue/mailq      Lists and controls the Postfix queue.
Files
/etc/aliases
/etc/postfix
/var/lib/postfix
/var/log/maillog
/var/spool/postfix
/var/spool/mail

Configuring DNS

Determining the IP address of a hostname is referred to as forward name resolution (or simply name resolution); determining the hostname associated with an IP address is referred to as reverse name resolution.

DNS Name Space and Domains

The DNS name space is a hierarchical organization of all the domains on the internet. The root of the name space is represented by a dot. The hierarchy right below the root consists of top-level domains (TLDs), which are either generic, such as .com, .net, .org and .gov (gTLDs), or specific to a two-letter country code, such as .ca and .uk (ccTLDs). Sub-domains fall under domains and are separated by a dot.

BIND Software Packages and Service Daemon
bind        Provides software to configure a DNS server.
bind-libs   Contains library files for bind and bind-utils packages.
bind-utils  Comprises resolver tools, such as dig, host and nslookup.

The named daemon listens on well-known port 53 and supports both TCP and UDP. See /usr/share/doc/bind for example named configuration files.

DNS Commands
systemctl enable named
systemctl start named
named-checkconf
DNS related files
/etc/named.conf
/usr/share/doc/bind
/var/log/messages
/etc/named.rfc1912.zones       Localhost and reverse zones, included from /etc/named.conf
/var/named/                    Zone files
SeLinux requirements
ps -eZ |grep named shows domain type named_t.
semanage port -l|grep dns
getsebool -a |grep ^named

Managing MariaDB

Packages
mariadb
mariadb-libs
mariadb-server
Configuration files
/etc/my.cnf        Global defaults.
/etc/my.cnf.d/     Directory for configuration files.
/var/log/mariadb/mariadb.log
SELinux requirements

By default the mysqld daemon runs confined in its own domain with domain-type mysqld_t.

ps -eZ|grep mysqld    --> system_u:system_r:mysqld_t:s0    5245 ?        00:06:00 mysqld

The SELinux file type of the mysqld daemon binary is mysqld_exec_t, of the configuration files in /etc/my.cnf.d mysqld_etc_t, of the database files in /var/lib/mysql mysqld_db_t and of the log files in /var/log/mariadb mysqld_log_t, as the listing below shows.

ll -dZ /usr/libexec/mysqld /etc/my.cnf.d /var/lib/mysql    /var/log/mariadb
drwxr-xr-x. root  root  system_u:object_r:mysqld_etc_t:s0  /etc/my.cnf.d
-rwxr-xr-x. root  root  system_u:object_r:mysqld_exec_t:s0 /usr/libexec/mysqld
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0   /var/lib/mysql
drwxr-x---. mysql mysql system_u:object_r:mysqld_log_t:s0  /var/log/mariadb
semanage port -l|grep mysql
mysqld_port_t                  tcp      1186, 3306, 63132-63164
getsebool -a|grep mysql
mysql_connect_any --> off
selinuxuser_mysql_connect_enabled --> off