RHCE Preparation Guide (RHEL7)

This page is for those preparing for the Red Hat Certified Engineer (RHCE) exam. The information here along with the downloadable VirtualBox virtual machines will help students ready themselves for the exam through practice. No hints are given to what’s on the exam.

IMPORTANT POINTS:

  • This preparation guide follows on from the RHCSA guide available here. Please follow through on that first as it deals with the VM environment and other matters that this guide requires.
  • Make sure to add a second and third (total of three) Ethernet interfaces to the “server” virtual machine. This is used for network interface “teaming”.

TIP: Time yourself to complete the process and try it the next day to see how you retain information and improve your performance. Import the virtual machines and then clone them before you try it out. That way, you can always revert back and try again.

There are two virtual machines to download; the server and the client. The following shows required settings, credentials and IP addresses. The IP addresses may need to be adjusted for your environment. The server virtual machine has two names; “server.agix.local” and “ipa.agix.local” that must resolve to its IP address. The client’s name is “client.agix.local” and it must resolve to its IP address. You will need to either configure a DNS resolver for this or edit the “hosts” files on your workstation, the server and the client.

Downloads:

Download the client VirtualBox virtual machine.
Download the server VirtualBox virtual machine.

Important environmental settings:

Network settings:
DNS server: 10.0.0.7 (adjust for your environment)
Gateway: 10.0.0.7 (adjust for your environment)

DNS/host and IP settings: 
Note: DNS must resolve properly for LDAP/Kerberos services to work.
server.agix.local -> 10.0.0.99/24 
ipa.agix.local -> 10.0.0.99/24 
client.agix.local -> 10.0.0.98/24

Credentials:
Server and Client root login: root/redhat
Ldap test user login: ldap1/ldap1
Samba test login: samba/samba
Ldap/IPA server administrative web-portal login: admin/[email protected]!!

Server Objectives:

Complete these objectives on the server virtual machine. The items in strikethrough have been completed in the previous tasks (RHCSA):

  1. Using the first Ethernet interface, bring up the network with the static IP address of “10.0.0.99/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
  2. Set the hostname to “ipa.agix.local”.
  3. Prepare and export LVM storage via iSCSI to the client virtual machine. The server’s block device is “/dev/sdc”.
  4. Teaming and Bridging:
    1. Configure network interface teaming in “activebackup” mode using the second and third Ethernet interfaces.
    2. Ensure bridging on the teamed connection with IP address “10.10.10.99/24”.
  5. Configure the server to relay email from the localhost only to a fictitious remote mail relay at address “remote.example.com”. Relayed emails will have an origin of “server.example.com”.
  6. Configure DNS caching services for the localnet “10.0.0.0/24”.
  7. Create and export “/sharenfs” to the localnet “10.0.0.0/24” and require Kerberos authentication using “krb5p”. Ensure SELinux labelling is exported too.
  8. Create and share “/sharesmb” to the groups “smb-ro” and “smb-rw”. Members of “smb-ro” should have read-only access while members of “smb-rw” should have read/write access. Create two users; “sam” and “kym”. “sam” should be in the “smb-rw” group while “kym” should be in the “smb-ro” group. Ensure “kym” and “sam” can’t log in to the Linux system other than to Samba. Accessible only from the localnet “10.0.0.0/24”.
  9. Install and secure Mariadb and permit the user “bobby” with the password “redhat” to access the newly created database “mydb” from the client virtual machine.

Client Objectives:

Complete these objectives on the client virtual machine. The items in strikethrough have been completed in the previous tasks (RHCSA):

  1. Bring up the network with the correct IP address of “10.0.0.98/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
  2. Set the hostname to “client.agix.local”.
  3. Format and mount the server’s iSCSI storage on the client as “/mnt/iscsi”.
  4. Ensure the client accepts traffic from the “10.2.2.0/24” network in the “dmz” zone.
  5. Ensure the client logs IPv4 traffic from the “10.2.2.0/24” network relating to the “http” service at a rate of 5 entries per minute in the “dmz” zone.
  6. Configure Apache to listen on port 802/tcp for “http” traffic.
  7. Configure Apache to listen on port 4432/tcp for “https” traffic and serve the Python program located here “https://agix.com.au/pub/rhcsa/hw.wsgi”. Importantly, do not put the program in the document root but rather use an appropriate alias.
  8. Mount the NFS export “server.agix.local:/exportnfs” locally as “/mnt/exportnfs” ensuring Kerberos is in use. Ensure the mount exists after a reboot. Test with the ldap user “ldap1”.
  9. Mount the CIFS share “//server.agix.local/sharesmb” locally as “/mnt/sharesmb” ensuring both “kym” and “sam” have appropriate access. Ensure the mount exists after a reboot (mounted as the “kym” user on boot).
  10. Ensure you can access the “mydb” on the server as the user “bobby”.
  11. Create a shell script that summarises all local users’ disk space and presents a total at the bottom. Include only users with a UID at or over 500 and the root user.

Solutions

The remainder of this page demonstrates how to solve the process step-by-step. Don’t use it unless you get stuck.

Server solution

1. Prepare the network.

nmcli con up enp0s3
nmcli con mod enp0s3 autoconnect yes
nmcli con mod enp0s3 ipv4.addresses 10.0.0.99/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con mod enp0s3 ipv4.method manual
nmcli con reload 
ip addr

# If the ip settings don't apply, try:
ifdown enp0s3
ifup enp0s3

2. Set the hostname.

hostnamectl set-hostname ipa.agix.local

3. Set up the iSCSI storage (where the storage is located on the server):

TIP: Expand the disk to the required size (-L) or to the appropriate count of “physical extents” (-l).

lsblk
fdisk /dev/sdc          # create one partition, type 8e (Linux LVM)
pvcreate /dev/sdc1
vgcreate iscsi /dev/sdc1
pvdisplay /dev/sdc1
lvcreate -n istorage -l 100%FREE iscsi

3.1. Set up an iSCSI target (server side storage):

yum install targetcli
systemctl restart target
systemctl enable target

targetcli
> cd backstores/
> block/ create block1 /dev/iscsi/istorage

> cd /iscsi
>  create iqn.2019-06.com.example:server1

>  cd iqn.2019-06.com.example:server1/tpg1/

>    acls/ create iqn.2019-06.com.example:desktop1
>      luns/ create /backstores/block/block1
>      portals/ delete ip_address=0.0.0.0 ip_port=3260
>      portals/ create 10.0.0.99 ip_port=3260
> saveconfig
> exit

3.2 Allow iSCSI through the firewall:

firewall-cmd --add-port 3260/tcp --permanent
firewall-cmd --reload

4. Configure network interface teaming:

ip link

# Configure teaming with enp0s8 and enp0s9.
nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name": "activebackup"}}'
nmcli con add type team-slave con-name team0-port1 ifname enp0s8 master team0
nmcli con add type team-slave con-name team0-port2 ifname enp0s9 master team0
ifdown team0; ifup team0
ip addr

# Verify the state of the team:
teamdctl team0 state

TIP: The above JSON looks like this:

{
  "runner": {
    "name": "activebackup"
  }
}

4.1 Configure bridging on the team0 interface. Use the IP address “10.10.10.99/24” with appropriate DNS settings.

# Disable the team0 connection: 
nmcli dev dis team0

# From here on we can't use NetworkManager.
systemctl stop NetworkManager
systemctl disable NetworkManager

# Remove all IP settings from "ifcfg-team0-port1" and "ifcfg-team0-port2". 

# Add the following to "ifcfg-team0":
BRIDGE=brteam0

# Create and add the following to "ifcfg-brteam0":
NAME=brteam0
DEVICE=brteam0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none
IPADDR=10.10.10.99
PREFIX=24
DNS1=10.0.0.7

systemctl restart network
reboot

# Verify after the reboot: the bridge carries the address and team0 is its port.
ip addr show brteam0
bridge link

5. Configure the server to relay email from the localhost only to the fictitious remote mail relay “remote.example.com”, with an origin of “server.example.com”.

yum install postfix
systemctl enable postfix

# Set the following 6 items in "/etc/postfix/main.cf":
relayhost = [remote.example.com]
inet_interfaces = loopback-only
mynetworks = 127.0.0.1/8, [::1]/128
local_transport = error: No local delivery.
myorigin = server.example.com
mydestination = 

systemctl restart postfix

# Review the effective (non-default) settings and check the configuration:
postconf -n
postfix check

# No firewall change is required as we don't accept inbound SMTP traffic.
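Added example (not from the original guide): the shell functions below read a main.cf and flag settings that would make the host relay for more than the local machine: an inet_interfaces other than loopback-only, mynetworks entries outside loopback, or a missing relayhost. Two constructed main.cf files, one matching the six settings above and one resembling a stock listen-everywhere configuration, are written to temporary files so the audit runs offline. pf_get and audit_relay_config are names chosen for this example; pf_get assumes one key = value per line (no continuation lines), which is what the settings above look like. On a live system, postconf -n reports the same effective values.

```shell
#!/bin/bash
# Added example, not from the original guide: audit a Postfix main.cf for the
# localhost-only relay posture configured above. pf_get and audit_relay_config
# are names chosen for this example; pf_get assumes one "key = value" per line.

# pf_get FILE KEY: effective value of KEY (the last assignment wins, as in
# "postconf -n"); prints an empty string when the key is not set.
pf_get() {
    awk -F'=' -v key="$2" '
        $0 !~ /^[ \t]*#/ && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            sub(/^[^=]*=[ \t]*/, ""); val = $0
        }
        END { print val }' "$1"
}

# audit_relay_config FILE: print findings; return 0 only when the SMTP listener
# is loopback-only, mynetworks trusts loopback alone and a relayhost is set.
audit_relay_config() {
    local cf="$1" rc=0 relayhost inet mynetworks net
    relayhost=$(pf_get "$cf" relayhost)
    inet=$(pf_get "$cf" inet_interfaces)
    mynetworks=$(pf_get "$cf" mynetworks)

    if [ -z "$relayhost" ]; then
        echo "FAIL: relayhost is not set; mail would be delivered directly"; rc=1
    fi
    # An unset inet_interfaces means "all": the listener is reachable from the network.
    if [ "$inet" != "loopback-only" ] && [ "$inet" != "localhost" ]; then
        echo "FAIL: inet_interfaces is '${inet:-all}'; SMTP is reachable from the network"; rc=1
    fi
    # An unset mynetworks falls back to mynetworks_style, which trusts the local subnet in Postfix 2.x.
    if [ -z "$mynetworks" ]; then
        echo "FAIL: mynetworks is unset; the local subnet would be trusted"; rc=1
    fi
    for net in $(printf '%s' "$mynetworks" | tr ',' ' '); do
        case "$net" in
            127.*|\[::1\]*) ;;
            *) echo "FAIL: mynetworks trusts non-loopback range '$net'"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: relays for localhost only, via $relayhost"
    return "$rc"
}

# Constructed sample files so the audit runs offline.
GOOD_CF=$(mktemp)
cat >"$GOOD_CF" <<'EOF'
# the six settings from the step above
relayhost = [remote.example.com]
inet_interfaces = loopback-only
mynetworks = 127.0.0.1/8, [::1]/128
local_transport = error: No local delivery.
myorigin = server.example.com
mydestination =
EOF

BAD_CF=$(mktemp)
cat >"$BAD_CF" <<'EOF'
# listens on every interface and trusts the LAN: relays for all of 10.0.0.0/24
inet_interfaces = all
mynetworks = 127.0.0.0/8, 10.0.0.0/24
EOF

echo "== main.cf from the step above =="; audit_relay_config "$GOOD_CF"
echo "== listen-everywhere main.cf ==";  audit_relay_config "$BAD_CF" || true
```

The second file is what a default install looks like once inet_interfaces is widened: nothing in it is exotic, which is why the check is worth scripting rather than eyeballing.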

6. Configure DNS caching services for the localnet “10.0.0.0/24”.

yum install unbound
systemctl enable unbound

# Set the following 4 items in "/etc/unbound/unbound.conf" (the first three belong in the "server:" section; "forward-zone:" is its own top-level clause):
interface: 0.0.0.0
access-control: 10.0.0.0/24 allow
domain-insecure: example.com

forward-zone:
    name: "."
    forward-addr: 10.0.0.7

# Check the syntax before restarting:
unbound-checkconf

systemctl restart unbound

firewall-cmd --add-service dns --permanent
firewall-cmd --reload

7. Export “/sharenfs” to the localnet “10.0.0.0/24” and require Kerberos authentication using “krb5p”. Ensure SELinux labelling is exported too.

(Note that CentOS and RHEL use different package names.)

# "krb5p" needs an "nfs/ipa.agix.local" service principal in "/etc/krb5.keytab" on this server (issued by the IPA server, ipa.agix.local).

systemctl enable nfs
systemctl enable nfs-server
systemctl enable nfs-secure

mkdir /exportnfs

# Add the following to "/etc/exports":
/exportnfs 10.0.0.0/24(rw,sec=krb5p,sync)

exportfs -r
exportfs -v

# Set the following in "/etc/sysconfig/nfs" so that NFSv4.2 (required for exporting SELinux labels) is offered:
RPCNFSDARGS="-V 4.2"

systemctl restart nfs
systemctl restart nfs-server
systemctl restart nfs-secure

firewall-cmd --add-service nfs --permanent
firewall-cmd --add-service rpc-bind --permanent
firewall-cmd --reload

8. Share “/sharesmb” only to the users “kym” (read only, via the group “smb-ro”) and “sam” (read/write, via the group “smb-rw”). Ensure “kym” and “sam” can’t log in to the Linux system other than to Samba. Accessible only from the localnet “10.0.0.0/24”.

yum install samba

groupadd smb-ro # for read-only access
groupadd smb-rw # for read/write access

useradd -s /sbin/nologin -G smb-ro kym
useradd -s /sbin/nologin -G smb-rw sam

# Group-owned by the read/write group with setgid so new files inherit it; everyone else (smb-ro included) is read-only at the filesystem level too.
mkdir /sharesmb
chgrp smb-rw /sharesmb
chmod 2775 /sharesmb
semanage fcontext -a -t samba_share_t "/sharesmb(/.*)?"
restorecon -Rv /sharesmb

smbpasswd -a sam # password is redhat
smbpasswd -a kym # password is redhat 

# Add the following to the bottom of the "/etc/samba/smb.conf" file. "read only = yes" together with a "write list" leaves smb-ro read-only; "writeable = yes" would let both groups write:
[sharesmb]
   comment = share for rhce
   path = /sharesmb
   browseable = yes
   read only = yes
   write list = @smb-rw
   valid users = @smb-ro, @smb-rw
   hosts allow = 10.0.0.

# Check the configuration, then start the service:
testparm -s
systemctl enable smb
systemctl restart smb

firewall-cmd --add-service samba --permanent
firewall-cmd --reload
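As an added illustration (not from the original guide), the shell functions below work out the access a user ends up with under a share stanza by following the smb.conf(5) rules for valid users, read only/writeable, write list and read list, with @group entries resolved against a group list the caller supplies. They run against two constructed stanzas: one with writeable = yes next to a write list, which gives the smb-ro user write access as well, and the corrected read only = yes form. The function names, the temporary files and the group memberships are assumptions made for this example; it does not model every smb.conf option (invalid users, force user and friends), and on the real server the share is verified with testparm and by connecting as each user.

```shell
#!/bin/bash
# Added example, not from the original guide: evaluate the access Samba grants a
# user on a share by following the smb.conf(5) rules for "valid users",
# "read only"/"writeable", "write list" and "read list". Function names, the
# temporary files and the group memberships below are assumptions for the example.

# smb_param FILE SHARE KEY: value of KEY inside the [SHARE] stanza (empty if unset).
smb_param() {
    awk -F'=' -v share="$2" -v key="$3" '
        /^[ \t]*\[/ { in_share = ($0 ~ ("^[ \t]*\\[" share "\\]")); next }
        in_share && $0 !~ /^[ \t]*[#;]/ {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        }
        END { print val }' "$1"
}

# in_list USER "GROUP ..." "LIST": succeed when USER, or one of the user's
# GROUPs (written "@group" in smb.conf), appears in the comma/space separated LIST.
in_list() {
    local user="$1" groups="$2" entry g
    for entry in $(printf '%s' "$3" | tr ',' ' '); do
        case "$entry" in
            @*) for g in $groups; do [ "$g" = "${entry#@}" ] && return 0; done ;;
            *)  [ "$entry" = "$user" ] && return 0 ;;
        esac
    done
    return 1
}

# share_access FILE SHARE USER "GROUP ...": print none, read or write.
share_access() {
    local conf="$1" share="$2" user="$3" groups="$4"
    local valid ro writeable wl rl
    valid=$(smb_param "$conf" "$share" "valid users")
    # A non-empty "valid users" list is an allow-list; everyone else is refused.
    if [ -n "$valid" ] && ! in_list "$user" "$groups" "$valid"; then
        echo none; return
    fi
    wl=$(smb_param "$conf" "$share" "write list")
    rl=$(smb_param "$conf" "$share" "read list")
    # "write list" wins over "read list" and over the share default.
    if in_list "$user" "$groups" "$wl"; then echo write; return; fi
    if in_list "$user" "$groups" "$rl"; then echo read; return; fi
    # Otherwise the share default applies: read-only unless writeable = yes or read only = no.
    ro=$(smb_param "$conf" "$share" "read only")
    writeable=$(smb_param "$conf" "$share" "writeable")
    [ -n "$writeable" ] || writeable=$(smb_param "$conf" "$share" "writable")
    if [ "$writeable" = "yes" ] || [ "$ro" = "no" ]; then echo write; else echo read; fi
}

# Constructed stanzas: the loose form with "writeable = yes" next to a
# "write list", and the corrected form that keeps the share read-only by default.
LOOSE_CONF=$(mktemp)
cat >"$LOOSE_CONF" <<'EOF'
[global]
   workgroup = SAMBA
[sharesmb]
   path = /sharesmb
   writeable = yes
   write list = @smb-rw
   valid users = @smb-ro, @smb-rw
EOF

STRICT_CONF=$(mktemp)
cat >"$STRICT_CONF" <<'EOF'
[sharesmb]
   path = /sharesmb
   read only = yes
   write list = @smb-rw
   valid users = @smb-ro, @smb-rw
EOF

# report FILE LABEL: access for kym (smb-ro), sam (smb-rw) and an unrelated user.
report() {
    printf '%-14s kym=%s sam=%s ldap1=%s\n' "$2" \
        "$(share_access "$1" sharesmb kym smb-ro)" \
        "$(share_access "$1" sharesmb sam smb-rw)" \
        "$(share_access "$1" sharesmb ldap1 users)"
}
report "$LOOSE_CONF"  "writeable=yes"   # kym=write sam=write ldap1=none
report "$STRICT_CONF" "read only=yes"   # kym=read sam=write ldap1=none
```

The point the two reports make: a write list never takes access away from anyone, it only grants it, so the share default has to be read-only for the smb-ro group to end up read-only.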

9. Install and secure Mariadb and permit the user “bobby” (password “redhat”) to access the newly created database “mydb” from the client virtual machine.

yum install mariadb mariadb-server

systemctl enable mariadb
systemctl restart mariadb

firewall-cmd --add-service mysql --permanent
firewall-cmd --reload

mysql_secure_installation
# current password = <none>
# set the root password = yes, redhat
# remove anonymous users = yes
# disable remote root = yes
# remove test database = yes
# reload privileges = yes

mysql -u root -p
> CREATE DATABASE mydb;
> -- 10.0.0.98 is the client virtual machine's address (see the settings above).
> GRANT SELECT, UPDATE, INSERT ON mydb.* TO 'bobby'@'10.0.0.98' IDENTIFIED BY 'redhat';
> FLUSH PRIVILEGES;
> quit;

Client solution

1. Prepare the network.

nmcli con up enp0s3
nmcli con mod enp0s3 autoconnect yes
nmcli con mod enp0s3 ipv4.addresses 10.0.0.98/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con mod enp0s3 ipv4.method manual
nmcli con reload 
ip addr

2. Set the hostname:

hostnamectl set-hostname client.agix.local

3. Discover and mount the remote iSCSI resource (tip: use “man iscsiadm” for examples):

yum install iscsi-initiator-utils

# Set the client IQN in "/etc/iscsi/initiatorname.iscsi" to match the ACL created on the server:
InitiatorName=iqn.2019-06.com.example:desktop1

systemctl enable iscsid
systemctl restart iscsid

# Discover the target on the server (10.0.0.99) and log in:
iscsiadm --mode discoverydb --type sendtargets --portal 10.0.0.99 --discover
iscsiadm --mode node --targetname iqn.2019-06.com.example:server1 --portal 10.0.0.99:3260 --login

# Log back in to the target automatically at boot:
systemctl enable iscsi

3.1 Partition, format and mount the iSCSI resource as "/mnt/iscsi":

lsblk
fdisk /dev/sdd
mkfs.xfs /dev/sdd1
mkdir /mnt/iscsi

# Test it.
mount /dev/sdd1 /mnt/iscsi

# Add the following to "/etc/fstab" ("_netdev" delays the mount until the network and the iSCSI session are up):
/dev/sdd1 /mnt/iscsi xfs defaults,_netdev 0 0

4. Assign traffic from the “10.2.2.0/24” network to the “dmz” zone and allow only the services “http, https, ssh and time (ntp)” in that zone.

firewall-cmd --add-source 10.2.2.0/24 --zone=dmz --permanent
firewall-cmd --add-service http --zone=dmz --permanent
firewall-cmd --add-service https --zone=dmz --permanent
firewall-cmd --add-service ssh --zone=dmz --permanent
firewall-cmd --add-service ntp --zone=dmz --permanent
firewall-cmd --reload

5. Ensure the client logs IPv4 traffic from the “10.2.2.0/24” network relating to the “http” service at a rate of 5 entries per second in the “dmz” zone (tip: use “man firewalld.richlanguage” for examples):

# The "log" element carries the rate limit; "accept" still admits the traffic.
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.2.2.0/24 service name=http log prefix="dmz-http" level=info limit value="5/s" accept' --zone=dmz --permanent
firewall-cmd --reload

6. Configure Apache to listen on port 802/tcp for “http” traffic:

yum install httpd

# Open "/etc/httpd/conf/httpd.conf" and:
 - change "Listen 80" to "Listen 802". 

# Add the SELinux port rule: 
semanage port -a -t http_port_t -p tcp 802 

# Allow through the firewall: 
firewall-cmd --add-port 802/tcp --permanent
firewall-cmd --reload

systemctl enable httpd
systemctl restart httpd

7. Configure Apache to listen on port 4432/tcp for “https” traffic and serve the application (linked above) from outside the document root:

yum install mod_wsgi mod_ssl 

# Open "/etc/httpd/conf.d/ssl.conf" and:
 - change "Listen 443 https" to "Listen 4432 https". 
 - change "<VirtualHost _default_:443>" to "<VirtualHost _default_:4432>" so the SSL virtual host answers on the new port. 
 - add the line "WSGIScriptAlias / /var/www/scripts/hw.wsgi" inside that "<VirtualHost>" section. 

# Create the directory "/var/www/scripts" and copy the script into that location: 
mkdir /var/www/scripts 
cd /var/www/scripts ; wget https://www.agix.com.au/pub/rhcsa/hw.wsgi 
chown -R apache:apache /var/www/scripts 
chmod 755 /var/www/scripts/hw.wsgi 
restorecon -Rv /var/www/scripts 

# Add the SELinux port rule: 
semanage port -a -t http_port_t -p tcp 4432 

# Restart Apache: 
systemctl enable httpd 
systemctl restart httpd 

# Allow through the firewall: 
firewall-cmd --add-port 4432/tcp --permanent 
firewall-cmd --reload

8. Mount the NFS share securely with Kerberos:

yum install krb5-workstation nfs-utils
mkdir /mnt/exportnfs

# "krb5p" needs an "nfs/client.agix.local" principal in "/etc/krb5.keytab" and rpc.gssd running:
systemctl enable nfs-secure
systemctl start nfs-secure

# Add the following to the "/etc/fstab" file:
server.agix.local:/exportnfs /mnt/exportnfs nfs sec=krb5p,v4.2,_netdev 0 0

# Test it before a reboot, then as "ldap1" (who needs a Kerberos ticket from "kinit" to read the export):
mount /mnt/exportnfs
su - ldap1 -c 'kinit && ls /mnt/exportnfs'

9. Mount the Samba share with appropriate restrictions:

yum install cifs-utils samba-client
mkdir /mnt/sharesmb

# Put the following into "/root/creds":
domain=redhat
username=kym
password=redhat

chmod 600 /root/creds

# Add the following to "/etc/fstab" ("_netdev" waits for the network; "multiuser" lets each user present their own credentials with cifscreds):
//server.agix.local/sharesmb /mnt/sharesmb cifs sec=ntlmssp,multiuser,credentials=/root/creds,_netdev 0 0

9.1 Test the above using the “cifscreds” utility:

# As 'root' on the client virtual machine:
mount /mnt/sharesmb

# Create "kym" and switch to it:
useradd kym
su - kym
cifscreds add server.agix.local
ls /mnt/sharesmb
# Expect read-only.
touch /mnt/sharesmb/testFile

# Create "sam" and switch to it: 
useradd sam
su - sam
cifscreds add server.agix.local 
ls /mnt/sharesmb
# Expect read-write.
touch /mnt/sharesmb/testFile

10. Access the “mydb” database on the server with the credentials “bobby/redhat”:

yum install mariadb
mysql -u bobby -p -h server.agix.local
Enter password: redhat
> SHOW DATABASES;
> quit;

11. Create a script according to the requirements:

#!/bin/bash

# Summarise home-directory disk usage for the root user and every local user
# with a UID at or above 500, then print a total.

# Running sum of the per-user sizes (in 1 KiB blocks, as "du -s" reports them).
COUNT=0

# Read /etc/passwd field by field: login, password, UID, GID, comment, home, shell.
while IFS=: read -r LOGIN _ THIS_UID _ THIS_NAME THIS_HOME _
do
        # Keep root and regular users only.
        if [ "$THIS_UID" -ge 500 ] || [ "$THIS_UID" -eq 0 ]
        then
                # Skip accounts whose home is the filesystem root or does not exist.
                if [ "$THIS_HOME" != "/" ] && [ -d "$THIS_HOME" ]
                then
                        # Space used under this user's home, in 1 KiB blocks.
                        THIS_DU=$(du -s "$THIS_HOME" 2>/dev/null | cut -f1)

                        # Fall back to the login name when the comment field is empty.
                        [ -z "$THIS_NAME" ] && THIS_NAME=$LOGIN

                        # Present the details with each word capitalised.
                        echo "${THIS_NAME}: ${THIS_DU}" | tr '[:upper:]' '[:lower:]' | sed 's/\b./\u&/g'

                        # Add to the running total.
                        COUNT=$((COUNT + THIS_DU))
                fi
        fi
done < /etc/passwd

echo "----------------"
echo "Total space used: ${COUNT}"