EX300 Red Hat Certified Engineer Exam Review (work in progress)
Test taking strategy
- Spend 10 mins going through all the questions before diving into any task.
- Understand task dependencies.
- Complete the low-hanging fruit first.
- For every task, validate the work by:
  - running validation commands,
  - connecting to the service from the desktop machine,
  - su-ing to the user to test ACL or permission settings.
0. The bible
man -k . | grep {keyword}
grep -r {keyword} /usr/share/doc
1. systemctl and boot process
# List all targets
systemctl list-units --type=target --all
# View the default target and change it
systemctl get-default
systemctl set-default multi-user.target
# Alternatively, append systemd.unit=rescue.target to the kernel command line in the boot menu
# (systemd has no single-user.target; rescue.target is its equivalent)
# Temporarily switch target
systemctl isolate multi-user.target
Recover root password
Append rd.break to the line that starts with linux16, press Ctrl+X to boot, then:
mount -o remount,rw /sysroot
chroot /sysroot
passwd root
touch /.autorelabel
exit
exit
Debug boot issues
# Boot into the rescue or emergency target by appending one of the following to the kernel command line
systemd.unit=rescue.target
systemd.unit=emergency.target
# List all jobs running at boot time
systemctl list-jobs
2. nmcli for IPv4, IPv6, teaming
Check current network setup
nmcli dev status
nmcli con show
ip a
ip link
Adding a static connection to interface eth0
nmcli con add con-name my-con-eth0 ifname eth0 type ethernet \
    ip4 192.168.100.100/24 gw4 192.168.100.1 \
    ip4 1.2.3.4 \
    ip6 abbe::cafe
nmcli con mod my-con-eth0 +ipv4.addresses "10.7.1.2/24"
nmcli con mod my-con-eth0 ipv4.dns "8.8.8.8 8.8.4.4"
nmcli con mod my-con-eth0 +ipv4.dns 1.2.3.4
nmcli con mod my-con-eth0 ipv6.dns "2001:4860:4860::8888 2001:4860:4860::8844"
nmcli con mod my-con-eth0 ipv4.method manual
nmcli -p con show my-con-eth0
nmcli con reload
# con reload only re-reads the ifcfg files; bring the connection up to apply the changes
nmcli con up my-con-eth0
Validate
cat /etc/sysconfig/network-scripts/ifcfg-my-con-eth0
Teaming
nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name": "roundrobin"}}'
nmcli con mod team0 ipv4.addresses "192.168.0.5/24"
nmcli con mod team0 ipv4.method manual
nmcli con add type team-slave con-name team0-port1 ifname eno1 master team0
nmcli con add type team-slave con-name team0-port2 ifname eno2 master team0
Validate
teamdctl team0 state
Available runner types: broadcast, roundrobin, activebackup, loadbalance, lacp
Grading checks (team0, plus a bridge brteam0 on top of the team)
nmcli dev | grep team0
teamdctl team0 port present eno1
teamdctl team0 port present eno2
teamdctl team0 state | grep runner
brctl show | grep team0 | grep brteam0
Bridging
nmcli con add type bridge con-name br1 ifname br1
nmcli con mod br1 ipv4.addresses "192.168.0.100/24"
nmcli con mod br1 ipv4.method manual
nmcli con add type bridge-slave con-name br1-port0 ifname eno1 master br1
brctl show
3. hostnamectl, ntp
hostnamectl set-hostname demo.example.com
cat /etc/hostname
timedatectl set-ntp true
timedatectl set-timezone Asia/Singapore
# > replaces the whole chrony.conf; use >> to keep the distro defaults
echo "server classroom.example.com iburst" > /etc/chrony.conf
systemctl restart chronyd
chronyc sources -v
Validate NTP sync is working
timedatectl
...
NTP synchronized: yes
...
# or check the chrony sources
chronyc sources -v
4. firewall-cmd
On-the-field tips: always do firewall-cmd --permanent ... and then firewall-cmd --reload.
man firewalld.richlanguage
firewall-cmd --permanent --add-service http --add-service https
firewall-cmd --reload
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.1.10/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/s" accept'
firewall-cmd --permanent --zone=work --add-source 172.16.100.0/24
masquerade
firewall-cmd --permanent --zone={ZONE} --add-masquerade
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.0/24 masquerade'
port-forwarding
# simple (forwarding to another address with toaddr also needs masquerade enabled in the zone)
firewall-cmd --permanent --zone=public --add-forward-port 'port=513:proto=tcp:toport=132:toaddr=192.168.0.254'
# using a rich rule
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.X.10/32 forward-port port=443 protocol=tcp to-port=22'
reject traffic (a port element in a rich rule is written port port=N protocol=tcp|udp)
firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.0.10/24 port port=22 protocol=tcp reject'
5. selinux
seinfo -t | grep {keyword}
semanage fcontext -a -t samba_share_t '/sambashare(/.*)?'
# -F forces the relabel; lowercase -f would mean "read the file list from this file"
restorecon -vvRF /sambashare
semanage port -l | grep http
semanage port --add --proto tcp --type http_port_t 8081
# only locally added ports can be deleted; ports defined in the base policy (such as 443) cannot
semanage port --delete --proto tcp --type http_port_t 443
6. Postfix SMTP null client
yum install postfix
postconf -e "relayhost=[smtp1.example.com]"
postconf -e "inet_interfaces=loopback-only"
postconf -e "mydestination="
postconf -e "local_transport=error: disabled"
postconf -e "mynetworks=127.0.0.1/8 [::1]/128"
systemctl restart postfix
Attempt to send an email. Red Hat suggests mail or mutt, but it did not work for me.
mutt -s "some subject" [email protected] < body.txt
tail -f /var/log/maillog
# Login to imaps to verify the email was received; double check the sender domain
mutt -f imaps://student:[email protected]
7. iscsi
This section assumes the candidate is familiar with block device commands, e.g. blkid, fdisk, lsblk, etc. Often the candidate is asked to create a block-level disk to use as a backstore for a LUN.
IQN format: iqn.YYYY-MM.com.reversed.domain[:optional_string]
Server side
yum install targetcli
systemctl enable target.service
systemctl start target.service
# The following are typed at the targetcli prompt (run targetcli); the configuration is saved on exit or with saveconfig
/iscsi create "iqn.2015-01.com.example:server0"
# Must use an IP address here for the portal
/iscsi/iqn.2015-01.com.example:server0/tpg1/portals create 172.25.0.11 [$port]
/backstores/block create name=disk1 dev=/dev/vdb1
/iscsi/iqn.2015-01.com.example:server0/tpg1/luns create /backstores/block/disk1
/iscsi/iqn.2015-01.com.example:server0/tpg1/acls create iqn.2015-01.com.example:desktop0
# The next two lines let any initiator reaching the portal log in without CHAP: lab settings, not production ones
/iscsi/iqn.2015-01.com.example:server0/tpg1 set attribute generate_node_acls=1
/iscsi/iqn.2015-01.com.example:server0/tpg1 set attribute authentication=0
# Open firewall
firewall-cmd --permanent --add-port 3260/tcp
firewall-cmd --reload
Client
yum install iscsi-initiator-utils
# The initiator name in /etc/iscsi/initiatorname.iscsi must match the IQN allowed in the server's ACL
systemctl enable iscsi.service
systemctl start iscsi.service
iscsiadm -m discovery -t st -p "server1.example.com:3260"
# Configuration is generated under /var/lib/iscsi/nodes/[iqnname]/default
iscsiadm -m node -T "iqn.2018-04.com.example:server1" -l
iscsiadm -m node -P [1|2|3]
# Find the new iSCSI disk with lsblk before partitioning (the notes used /dev/vda, which on a virtio guest is usually the local root disk)
lsblk
fdisk /dev/sdX
mkfs -t xfs /dev/sdX1
echo "UUID=123-123-123 /iscsidisk xfs _netdev 0 2" >> /etc/fstab
mount -a
Remove iscsi
umount /iscsidisk
# also remove the /etc/fstab entry
iscsiadm -m node -T "iqn.2018-04.com.example:server1" -u
iscsiadm -m node -T "iqn.2018-04.com.example:server1" -o delete
ls -lah /var/lib/iscsi/nodes
8. NFS
You should be able to set up an NFS server exporting non-secure and secure (krb5) directories. You may need to enrol to an LDAP server. Don't forget tools such as authconfig-gtk and krb5-workstation.
systemctl enable nfs-server
systemctl start nfs-server
echo "/myshare desktop0(rw)" >> /etc/exports
echo "/public 172.16.0.0/16(ro) *.example.com(ro,no_root_squash)" >> /etc/exports
exportfs -r
firewall-cmd --permanent --add-service nfs
firewall-cmd --reload
# on the client
mount serverX:/myshare /mnt/nfsexport
Protected NFS server
# Download the keytab and verify it is valid
wget -O /etc/krb5.keytab http://classroom.example.com/serverX.keytab
klist -k /etc/krb5.keytab
# Start nfs-secure-server
systemctl enable nfs-secure-server
systemctl start nfs-secure-server
mkdir /securedexport
echo '/securedexport *.example.com(sec=krb5p,rw)' >> /etc/exports
exportfs -r
exportfs -v
To export SELinux labels, make sure the following exists in /etc/sysconfig/nfs (then restart nfs-server):
RPCNFSDARGS="-V 4.2"
desktop
wget -O /etc/krb5.keytab http://classroom.example.com/desktopX.keytab
systemctl enable nfs-secure
systemctl start nfs-secure
mount -t nfs4 -o sec=krb5p serverX:/securedexport /mnt/securedexport
# Mount permanently
echo "server1:/secureexport /mnt/secureexport nfs defaults,v4.2,sec=krb5p,rw 0 0" >> /etc/fstab
mount -a
9. Samba
You should be able to set up a shared folder on serverX via samba, accessible to groups mngt and employees. Users in group mngt should have write access.
server
yum install samba -y
mkdir -p /sambashare
chmod -R 2775 /sambashare
semanage fcontext -a -t samba_share_t '/sambashare(/.*)?'
restorecon -vvFR /sambashare
useradd -s /sbin/nologin brian
smbpasswd -a brian
# List samba users
pdbedit -L
# Define the share in /etc/samba/smb.conf, then: systemctl enable smb; systemctl start smb; firewall-cmd --permanent --add-service samba; firewall-cmd --reload
desktop
yum install samba-client cifs-utils -y
# Test login credential
smbclient -L server -U brian
mkdir -p /mnt/brian
# Mount single user
echo "//server/smbshare /mnt/brian cifs credentials=/etc/secure/brian.login 0 0" >> /etc/fstab
# Mount multi-user
echo "//server/smbshare /mnt/share cifs credentials=/root/cred.txt,multiuser,sec=ntlmssp 0 0" >> /etc/fstab
mount -a
Test multi-user samba on desktop
su - rob
cifscreds add server1
10. unbound
yum install unbound -y
/etc/unbound/conf.d/forwarder.conf
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 172.25.1.0/24 allow
    # domain-insecure turns off DNSSEC validation for that zone (lab only)
    domain-insecure: "example.com"
forward-zone:
    name: .
    forward-addr: 172.25.254.254
# Check the syntax before starting
unbound-checkconf
systemctl enable unbound
systemctl start unbound
firewall-cmd --permanent --add-service dns
firewall-cmd --reload
11. httpd
yum install httpd mod_ssl mod_php php-mysql mod_wsgi -y
semanage port -a -p tcp -t http_port_t 444
semanage fcontext -a -t public_content_t '/custom/webroot(/.*)?'
restorecon -RFv '/custom/webroot'
Sample virtualhost config with SSL (port 444 assumed from the semanage and curl lines; httpd also needs a matching Listen 444)
<VirtualHost *:444>
    ServerName webapp1.example.com
    ServerAlias webapp1
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder On
    SSLCertificateFile '/etc/pki/tls/certs/webapp1.crt'
    SSLCertificateKeyFile '/etc/pki/tls/private/webapp1.key'
    SSLCertificateChainFile '/etc/pki/tls/certs/ca-example.crt'
    DocumentRoot /srv/webapp1/www
    <Directory /srv/webapp1/www>
        Require all granted
    </Directory>
</VirtualHost>
For a python web app, add inside the VirtualHost:
WSGIScriptAlias /myapp/ /srv/myapp/www/myapp.py
Validate
curl --cacert example-ca.crt -vvv https://webapp1.example.com:444
12. BASH scripting
Special variables available in a bash script:
$#  number of args
$*  all args as one word
$@  all args as an array
if [ "$#" -eq 0 ]; then
    echo "Some error message"
    exit 1
fi
switch-case
case "$1" in
    start)
        do-foo ;;
    reload|restart)
        do-bar
        exit 0 ;;
    *)
        do-default-action ;;
esac
Text manipulation
cat /etc/passwd | cut -d: -f1
cat /etc/passwd | awk -F: '{print $1}'
Appendix A: Command cheatsheet
selinux
# List all current file context rules
semanage fcontext -l
# List all available types
seinfo -t
# List all SELinux users
seinfo -u
# List all SELinux roles
seinfo -r
# panic mode with selinux: build a module (-M) from the denials in the audit log and load it
# (-m only prints a .te to stdout; review mypolicy.te before loading, since it allows everything that was denied)
audit2allow -M mypolicy < /var/log/audit/audit.log
semodule -i mypolicy.pp
Appendix B: Gap-filling labs
SMB: Create SMB share smbshare on serverX using workgroup mycompany. Members of group marketing have rw permission; all users not in the marketing group have read-only permission. User brian is part of the marketing team and has password redhat. User rob has password redhat.
NFS: Configure the NFS server on serverX to meet the following requirements:
- Share the newly created /krbnfs directory on serverX with krb5p security.
- Allow read and write access on the share from the desktopX system.
- SELinux labels are exported.
- Preconfigured krb5 keytabs for the serverX and desktopX systems are available at http://classroom.example.com/pub/keytabs/serverX.keytab and http://classroom.example.com/pub/keytabs/desktopX.keytab.
- Allow access to the NFS service through the firewall.
Mock exam
Q19: Clients within my133t.org should not have access to ssh on your systems.
Q20: Configure port forwarding on your machine system1 such that all incoming connections on port 5909/tcp on the firewall are forwarded to port 80/tcp of the machine in 172.26.1.0/24.
Q21: Create a script named makeusers in the /root directory. When the argument file.txt is passed to this script, the users listed in that file are created with the /bin/false shell. When the file name is different, the error "file not found" is shown; if no file is passed as an argument, the error "please write command again" is shown. Content of file.txt: alice bob sheldon
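A script for Q21, put together from the $# check and the case form of section 12; this is an added example, not part of the original notes. It assumes that any existing, readable file is accepted (not only the name file.txt), that blank lines and lines starting with # are skipped, and that a user who already exists is reported without aborting the run.

```shell
#!/bin/bash
# /root/makeusers: create the users listed in a file (one per line) with /bin/false as shell.
# Assumptions (not stated in the exam text): blank and '#' lines are skipped, and a failed
# useradd (e.g. the user already exists) is reported on stderr while the run continues.

makeusers() {
    # $# is the argument count: no argument at all is the first error case
    if [ "$#" -eq 0 ]; then
        echo "please write command again" >&2
        return 1
    fi
    userfile="$1"
    # a name that is not a readable file is the second error case
    if [ ! -r "$userfile" ]; then
        echo "file not found" >&2
        return 1
    fi
    # read -r keeps backslashes; the || [ -n ] clause also handles a last line without newline
    while IFS= read -r user || [ -n "$user" ]; do
        case "$user" in
            ''|'#'*) continue ;;
        esac
        if useradd -s /bin/false "$user"; then
            echo "created $user"
        else
            echo "could not create $user" >&2
        fi
    done < "$userfile"
}

# Act as a command only when installed under the name makeusers; when this file is sourced
# or loaded under another name, only the function is defined.
case "${0##*/}" in
    makeusers) makeusers "$@" ;;
esac
```

Copy the file to /root/makeusers, chmod +x it, and run ./makeusers file.txt as root; the messages for the two error cases go to stderr.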