EX300 redhat exam prep cheat sheet

EX300 Red Hat Certified Engineer Exam Review Working in progress

Test taking strategy  Spend 10 mins to go through all the questions before diving into any task. Understand task dependencies. Complete low hanging fruits first. For every task, must validate the work by: Use validation commands Connecting to the service from desktop  machine. su  to the user to test

acl  or permission settings.

0. The bible  man -k . | grep {keyword} grep -r {keyword} /usr/share/docs

1. systemctl  and boot process List all targets systemctl list-units --type=target --all

View default target and change default systemctl get-default systemctl set-default multi-user.target

 Alternatively, one can append systemd.unit=single-user.target  to kernel command line in boot menu. Temporarily switching target systemctl isolate multi-user.target

Recover root password  Append

rd.break

 to the line that starts with

linux16

. Press

control + X

 to boot.

 mount -o remount,rw /sysroot chroot /sysroot passwd root touch /.autorelabel exit exit

Debug boot issues Boot into rescue target or emergency target by appending the following to kernel command line systemd.unit=rescue.target # Or systemd.unit=emergency.target # List all jobs running at boot time systemctl list-jobs

2.

nmcli

 for IPv4, IPv6, Teaming

Check current network setup nmcli dev status nmcli con show  ip a ip link

 Adding static connection to interface

eth0

nmcli con add con-name my-con-eth0 ifname eth0 type ethernet \  

ip4 192.168.100.100/24 gw4 192.168.100.1 \

 

ip4 1.2.3.4 \ ip6 abbe::cafe

nmclo con mod my-con-eth0 +ipv4.addresses "10.7.1.2/24" nmcli con mod my-con-eth0 ipv4.dns "8.8.8.8 8.8.4.4" nmcli con mod my-con-eth0 +ipv4.dns 1.2.3.4

nmcli con mod my-con-eth0 ipv6.dns "2001:4860:4860::8888 2001:4860:4860::8 844" nmcli con mod my-con-eth0 ipv4.method manual nmcli -p con show my-con-eth0 nmcli con reload Validate cat /etc/sysconfig/network-scripts/ifcfg-my-con-eth0

Teaming nmcli con add type team con-name team0 ifname team0 config '{"runner": {"n ame" : "roundrobin"}}' nmcli con mod team0 ipv4.addresses "192.168.0.5/24" nmcli con mod team0 ipv4.method manual nmcli con add type team-slave con-name team0-port1 ifname eno1 master team  0 nmcli con add type team-slave con-name team0-port2 ifname eno2 master team  0 Validate teamdctl team0 state  Available runner types: boardcast , roundrobin , activebackup , loadbalance , lacp

Bridging Grading checks nmcli dev | grep team0 teamdctl team0 port present eno1 teamdctl team0 port present eno2 teamdctl team0 state | grep runner brctl show | grep team0 | grep brteam0

Bridging nmcli con add type bridge con-name br1 ifname br1

nmcli con mod br1 ipv4.addresses "192.168.0.10024" nmcli con mod br1 ipv4.method manual

nmcli con add type bridge-slave con-name br1-port0 ifname eno1 master br1 brctl show 

3. hostnamectl , ntp hostnamectl set-hostname demo.example.com  cat /etc/hostname

timedatectl set-ntp true timedatectl set-timezone Asia/Singapore echo "server classroom.example.com iburst" > /etc/chrony.conf systemctl restart chronyd chronyc sources -v

Validate NTP sync is working timedatectl ... NTP synchronized: yes ...

# or checking chronyc sources chronyc sources -v

4. firewall-cmd On-the-field tips

 Always do firewall-cmd --permanent ...  then firewall-cmd --reload man firewalld.richlanguage

firewall-cmd --permanent --add-service http --add-service https firewall-cmd --reload

firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address= 172.25.1.10/32 service name="http" log level=notice prefix="NEW HTTP" limi

t = value="3/s" accept'

firewall-cmd --permanent --zone=work --add-source 172.16.100.0/24

masquerade firewall-cmd --permanent --zone={ZONE} --add-masquerade firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address= 192.168.0.0/24 masquerade'

port-forwarding # simple firewall-cmd --permanent --zone=public --add-forward-port 'port=513:proto= tcp:toport=132:toaddr=192.168.0.254' # using rich rule firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address= 172.25.X.10/32 forward-port port=443 protocol=tcp to-port=22'

reject traffic firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.0.10/24 port=22 reject'

5. selinux seinfo -t | grep {keyword} semange fcontext -a -t samba_share_t '/sambashare(/.*)?' restorecon -vvRf /sambashare semanage port

-l | grep http

semanage port --add --proto tcp --type http_port_t 8081 semenage port --delete --proto tcp --type http_port_t 443

6. Postfix SMTP null client yum install postfix postconf -e "relayhost=[smtp1.example.com]"

postconf -e "inet_interfaces=loopback-only" postconf -e "mydestination=" postconf -e "local_transport=error: disabled" postconf -e "mynetworks=127.0.0.1/8 [::1]/128" systemctl restart postfix

 Attempt to send an email using Red Hat suggests

mail

mutt

 but it did not work for me.

 mutt -s "some subject" foo@example.com < body.txt tail -f /var/log/mailog # Login to imaps to verify email was recevied, double check sender domain  mutt -f imaps://student:password@imap.example.com 

7. iscsi This section assumes candidate is familiar with block device commands, e.g. blkid

,

fdisk

lsblk

,

, etc.. Often candidate is asked to create a block level disk to use as a

backstore for a LUN. IQN - iqn.YYYY-MM.com.reversed.domain[:optional_string]

Server side

systemctl enable target.service systemctl start target.service /iscsi create "iqn.2015-01.com.example:server0" # Must use IP address here for portal /iscsi/iqn.2015-01.com.example:server0/tpg1/portals create 172.25.0.11 [$p ort] /backstores/block create name=disk1 dev=/dev/vdb1 /iscsi/iqn.2015-01.com.example:server0/tpg1/luns create /backstores/block/ disk1 /iscsi/iqn.2015-01.com.example:server0/tpg1/acls create iqn.2015-01.com.ex ample:desktop0 /iscsi/iqn.2015-01.com.example:server0/tpg1 set attribute generate_node_ac ls=1 /iscsi/iqn.2015-01.com.example:server0/tpg1 set attribute authentication=0 # Open firewall

firewall-cmd --permanent --add-port 3260/tcp

Client

yum install iscsi-initiator-utils systemctl enable iscsi.service systemctl start iscsi.service iscsiadm -m discovery -t st -p "server1.example.com:3260" # Configuration is generated # cat /var/lib/iscsi/nodes/[iqnname]/default iscsiadm -m node -T "iqn.2018-04.com.example:server1" -l iscsiadm -m node -P [1|2|3] fdisk /dev/vda  mkfs -x xfs /dev/vda1 echo "UUID=123-123-123 /iscsidisk xfs _netdev 0 2"  mount -a

Remove iscsi umount /iscsidisk iscsiadm -m node -T "iqn.2018-04.com.example:server1" -u iscsiadm -m node -T "iqn.2018-04.com.example:server1" -o delete ls -lah /var/lib/iscsi/nodes

8. NFS You should be able to set up NFS server exporting non-secure and secure (krb5) directory. You may need to enrol to LDAP server. Don’t forget tool such as authconfig-gtk  and krb5-workstation

systemctl enable nfs-server systemctl start nfs-server echo "/myshare desktop0(rw)" >> /etc/exports echo "/public 172.16.0.0/16(ro) *.example.com(ro,no_root_squash)" >> /etc/ exports exportfs -r firewall-cmd --permanent --add-service nfs firewall-cmd --reload

 mount serverX:/myshare /mnt/nfsexport

Protected NFS server # Download and verify keytab is valid  wget -O /etc/krb5.keytab http: //classroom.example.com/serverX.ke ytab klist -k /etc/krb5.keytab

# Start nfs-secure-server systemctl enable nfs-secure-server ^enable^start

 mkdir /secureexport echo '/securedexport *.example.com(sec=krb5p,rw)' >>/etc/exports exportfs -r exportfs -v

To enable SElinux labels, make sure the following exists in /etc/sysconfig/nfs RPCNFSDARGS="-V 4.2"

desktop  wget -O /etc/krb5.keytab http: //classroom.example.com/desktopX.k eytab systemctl enable nfs-secure systemctl start nfs-secure  mount -t nfs4 -o sec=krb5p ser verX:/securedexport /mnt/securedex port

# Mount permanently echo "server1:/secureexport /mnt/secureexport nfs defaults,v4.2,sec=krb5p, rw 0.0" >> /etc/fstab  mount -a

9. Samba You should be able to set up a shared folder in serverX via samba; accessible to groups mngt  and employees . Users in group mngt  should have write access.

server yum install samba -y  mkdir -p /sambashare

chmod -R 2775 /sambashare semanage fcontext -a -t samba_share_t '/sambashare(/.*)?' restorecon -vvFR /sambashare useradd -s /sbin/nologin brian smbpasswd -a brian # List samba user pdbedit -L

desktop yum install samba-client cifs-utils -y smbclient -L server -U brian # Test login credential  mkdir -p /mnt/brian # Mount single user echo "//server/smbshare /mnt/brian cifs credentials=/etc/secure/brian.logi n 0 0" >> /etc/fstab # Mount multi-user echo "//server/smbshare /mnt/share cifs credentials=/root/cred.txt",multiu ser,sec=ntlmssp 0 0" >> /etc/fstab  mount -a

Test multi-user samba on desktop

su - rob cifscreds add server1

10.

unbound

/etc/unbound/conf.d/forwarder.conf

server: interface: 0.0.0.0 interface: ::0 access-control: 172.25.1.0/24 allow  domain-insecure: "example.com" forward-zone: name: . forward-addr: 172.25.254.254

yum install unbound -y systemctl enable unbound systemctl start unbound firewall-cmd --permanent --add-service dns firewall-cmd --reload

11.

httpd

yum install httpd mod_ssl mod_php php-mysql mod_wsgi -y semanage port -a -p tcp -t http_port_t 444 semanage fcontext -a -t public_content_t '/custom/webroot(/.*)?' restorecon -RFv '/custom/webroot'

Sample virtualhost config with SSL ServerName webapp1.example.com  ServerAlias webapp1 SSLEngine On SSLProtocol -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 SSLHonorCipherOrder On  

SSLCertificateFile '/etc/pki/tls/certs/webapp1.crt'

 

SSLCertificateKeyFile '/etc/pki/tls/private/webapp1.key'

 

SSLCertificateChainFile '/etc/pki/tls/certs/ca-example.crt' DocumentRoot /srv/webapp1/www 

Require grant alll

For python web app  WSGIScriptAlias /myapp/ /srv/myapp/www/myapp.py

Validate curl -cacert -vvv example-ca.crt https://webapp1.example.com:444

12. BASH scripting Special variables available in bash script $#   Number of arg $*  all args as one word $@  all args as an array

if [ "@#" -eq 0 ]; then  

echo "Some error message"

 

exit 1;

fi

switch-case

case "$1" in   start)  

do-foo ;;

  reload|restart)  

do-bar

 

exit 0 ;; *)

 

do-default-action ;;

esac

Text manipulation cat /etc/passwd | cut -d: -f1 cat /etc/passwd | awk -F: '{print $1}'

 Appendix A: Command cheatsheet selinux semanage fcontext -t # List all current rules seinfo -t

# List all available context

seinfo -u

# List all context users

seinfo -r

# List all context roles

# panic mode with selinux audit2allow -m mypolicy < /var/log/audit/audit.log semodule -i mypolicy.pp

 Appendix B: Gap-filling labs SMB Create SMB share smbshare  on serverX using mycompany workgroup member of group marketing  have rw permission. all users not in marketing  group have read-only permission. User brian  is part of marketing team and password is redhat . User rob  has password redhat .

NFS Configure the NFS server on serverX to meet the following requirements: Share the newly created /krbnfs directory on serverX with krb5p security.  Allow read and write access on the share from the desktopX system. SELinux labels are exported. Preconfigured krb5 keytabs for the serverX  and desktopX  systems are available at: http://classroom.example.com/pub/keytabs/serverX.keytab. http://classroom.example.com/pub/keytabs/desktopX.keytab.

 Allow access to the NFS service through the firewall.

Mock exam Q19: Client within my133t.org  should not have access to ssh on your systems. Q20: Configure port forwarding in your machine system1 such that forward all incoming

connection on port 5909/tcp  on the firewall to port 80/tcp  of the machine with the 172.26.1.0/24

Q21: Create a script name makeusers in /root  directory when an argument file.txt

pass in front of this script then users listed in this file created with /bin/false sheel. When file

name is different then error shows file not found if file is not pass an argument then error shows please write command again . content of file.txt alice bob sheldon