RHCSA Preparation Guide (RHEL7)

This page is for those preparing for the Red Hat Certified System Administrator (RHCSA) exam. The information here along with the downloadable VirtualBox virtual machines will help students ready themselves for the exam through practice. No hints are given to what’s on the exam.

IMPORTANT POINTS:

  • This preparation guide is followed on by the RHCE guide available here. Please follow through on this first as it deals with the VM environment and other matters that this guide requires.

TIP: Time yourself to complete the process and try it the next day to see how you retain information and improve your performance. Import the virtual machines and then clone them before you try it out. That way, you can always revert back and try again.

There are two virtual machines to download; the server and the client. The following shows required settings, credentials and IP addresses. The IP addresses may need to be adjusted for your environment. The server virtual machine has two names; “server.agix.local” and “ipa.agix.local” that must resolve to it’s IP address. The client’s name is “client.agix.local” and it must resolve to it’s IP address. You will need to either configure a DNS resolver for this or edit your “host” files on your workstation, the server and the client.

Downloads:

Download the client VirtualHost machine.
Download the server VirtualHost machine.

Important environmental settings:

Network settings:
DNS server: 10.0.0.7 (adjust for your environment)
Gateway: 10.0.0.7 (adjust for your environment)

DNS/host and IP settings: 
Note: DNS must resolve properly for LDAP/Kerberos services to work.
server.agix.local -> 10.0.0.99/24 
ipa.agix.local -> 10.0.0.99/24 
client.agix.local -> 10.0.0.98/24

Credentials:
Server and Client root login: root/redhat
Ldap test user login: ldap1/ldap1
Samba test login: samba/samba
Ldap/IPA server administrative web-portal login: admin/[email protected]!!

Server Objectives:

Complete these objectives on the server virtual machine.

  1. Bring up the network with the static IP address of “10.0.0.99/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
  2. Configure the firewall to allow access to http, https, NFS, rpcbind and samba.
  3. Set the “systemctl” default target to “multi-user” persistently. Change into the new default.
  4. Set the hostname to “ipa.agix.local”.
  5. Set the timezone to your local timezone.
  6. Correct the error (it’s there) in the “/etc/exports” file. The client will use these exported resources later in this exercise.
  7. Verify and start the “ipa” service to enable LDAP and Kerberos services.
  8. Log into “https://ipa.agix.local” as “ldap1/ldap1” and reset the “ldap1” password. This new password will be used later in the client solution.

Client Objectives:

Complete theses objectives on the client virtual machine.

  1. Bring up the network with the correct IP address of “10.0.0.98/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
  2. Set the hostname to “client.agix.local”.
  3. Set the timezone to be yours.
  4. Add the YUM repository located at “http://server.agix.local/repo”. Verify the existence of the new repository.
  5. Extend “centos-root” LV by “8G” and “centos-swap” LV by “1020MB”. Tip, the two additional hard disks are these sizes. Make sure the new swap and root space are fully utilized.
  6. Execute “/root/password.sh” and reboot the system. Boot the system and reset the root password using the Grub2 boot options.
  7. Join the “client.agix.local” host to the LDAP/kerberos (FreeIPA) system hosted at “ipa.agix.local” with a Base DN of “dc=agix,dc=local”, a Realm of “AGIX.LOCAL”, KDC and Admin server of “ipa.agix.local”. Tip: use “authconfig-gtk”.
  8. Test that you can see details of the “ldap1” LDAP user.
  9. Create a local group called “mygroup”. Create a local user called “redhat” and make that user a member of the “mygroup” group.
  10. Create the directory “/opt/mydir” and ensuring that only the “mygroup” group can access it but not the “redhat” user. Make sure the future files and directories in this directory inherit these permissions.
  11. Install Apache, set it to start on boot and ensure that the “redhat” user can publish a web page from “http://client.agix.local/~redhat/”. Modify the firewall to allow remote access to the “client.agix.local” host on port 80.
  12. Mount the “server.agix.local:/webdocs” NFS export as “/mnt/webdocs” on the client. Set it to mount on boot.
  13. Configure Apache to use the new web directory of “/mnt/webdocs” rather than the default location.
  14. Ensure the “ldap1” user’s home directory mounts automatically (using autofs with kerberos/krb5p) on login via NFS where “server.agix.local:/home/” is the source of user’s home directories.
  15. Using autofs, mount the “shares” CIFS share shared on “server.agix.local” to “/cifs/public” on the client using the “samba” user on the “REDHAT” domain/workgroup.

Solutions

The remainder of this page demonstrates how to solve the process step-by-step. Don’t use it unless you get stuck.

Server solution

1. Prepare the network.

nmcli con up enp0s3
nmcli con mod enp0s3 autoconnect on
nmcli con mod enp0s3 ipv4.addresses 10.0.0.99/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con reload 
ip addr

# If the ip settings don't apply, try:
ifdown enp0s3
ifup enp0s3

Verify the settings in the configuration file.

cat /etc/sysconfig/network-scripts/ifcfg-enp0s3

2. Configure the firewall.

firewall-cmd —-list-services
firewall-cmd —-add-service nfs —-permanent
firewall-cmd —-add-service rpc-bind -—permanent
firewall-cmd —-add-service samba —-permanent
firewall-cmd —-add-service http —-permanent
firewall-cmd —-add-service https —-permanent
firewall-cmd —-reload

3. Set and make active the “multi-user” target.

systemctl get-default
systemctl set-default multi-user
systemctl isolate multi-user

4. Set the hostname.

hostnamectl set-hostname server.agix.local

5. Set the timezone.

timedatectl set-timezone Australia/Darwin
ls -l /etc/localtime

6. Correct the “/etc/exports” file.

Change "/home *(rw,sync,krb5p)" to "/home *(rw,sync,sec=krb5p)".
exportfs -ra

7. Verify the IPA service is running and restart it if necessary. You may need to reboot before this stage.

systemctl status ipa
systemctl restart ipa

8. The server is configured. Log into “https://server.agix.local” as “ldap1/ldap1” and change the password to something you’ll remember. You need to use it later in the client-side setup.

Client Solution

1. Prepare the network:

nmcli con up enp0s3
nmcli con mod enp0s3 autoconnect on
nmcli con mod enp0s3 ipv4.addresses 10.0.0.98/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con reload
ip addr

Verify the settings in the configuration file.

cat /etc/sysconfig/network-scripts/ifcfg-enp0s3

2. Set the hostname:

hostnamectl set-hostname client.agix.local

3. Set the timezone:

timedatectl set-timezone Australia/Darwin 
ls -l /etc/localtime

4. Add the new YUM repository:

yum-config-manager --add-repo=http://server.agix.local/repo/
yum list-repos

5. Add disks to LVM and extend the “swap” LV by 1020M and extend the “root” LV by 8G.

lsblk (take note)
fdisk /dev/sdb (create a new partition of type 8e)
fdisk /dev/sdc (create a new partition of type 8e)
pvcreate /dev/sdb1 /dev/sdc1
vgextend centos /dev/sdb1 /dev/sdc1
pvs (take note)
lvs (take note)
lvextend /dev/mapper/swap -L+1020M
lvextend /dev/mapper/root -L+8G
xfs_growfs /
swapoff -a
mkswap /dev/mapper/centos-swap
swapon -a

6. Execute the password script and reboot.

/root/password.sh
reboot

Reset the root password on boot.

Interrupt the boot process at the grub2 screen.
Navigate to the latest boot option.
Press “e” and navigate to the “linux16” line.
Press “control+e” to go to the end of the line.
Append “ rd.break”.
Press “control+x” to boot using the new temporary setting.
chroot /sysroot
mount -o remount rw /
passwd
touch /.autorelabel
exit
exit

7. Configure LDAP and Kerberos client-side services.

yum install authconfig-gtk

TAB: Advanced
   Create home directories on the first loign: Tick
TAB: Identity & Authentication
   User account database: IPAv2
   IPA Domain: agix.local
   IPA Realm: AGIX.LOCAL
   IPA Server: ipa.agix.local
"Join Domain"

8. Verify LDAP and Kerberos services.

id ldap1
kinit ldap1
klist

9. Create the “mygroup” group and the “redhat” user and make the new user a part of the new group.

groupadd mygroup
useradd redhat -G mygroup
groups redhat

10. Use setfacl to allow a group but deny a user who’s a member of that group to a directory.

mkdir /opt/mydir
chown nobody.nobody /opt/mydir
setfacl -m g:mygroup:rwx /opt/mydir
setfacl -m u:redhat:--- /opt/mydir

setfacl -d -m g:mygroup:rwx /opt/mydir 
setfacl -d -m u:redhat:--- /opt/mydi

11. Install Apache and ensure it starts on boot. Make sure the “redhat” user can host their own website at “http://client.agix.local/~agix/”.

firewall-cmd --list-services
firewall-cmd --add-service http
firewall-cmd --reload
yum install httpd
vi /etc/http/conf.d/userdir.conf
Change: "UserDir disabled" to "UserDir public_html"
systemctl enable httpd
systemctl restart httpd
chmod o+x /home/redhat
su - redhat
mkdir ~/public_html
echo "redhat website" > ~/public_html/index.html
exit

12. Mount “server.agix.local:/webdocs” as “/mnt/webdocs” on the “client.agix.local” host and ensure it happens at boot time.

mkdir /mnt/webdocs
vi /etc/fstab
Add: server.agix.local:/webdocs  /mnt/webdocs  nfs  defaults,_netdev  0 0
setsebool -P httpd_use_nfs on
mount /mnt/webdocs

13. Set the new web directory for Apache.

mkdir -p /opt/webdocs/html
ls -ldZ /var/www/html
semanage fcontext -a -t httpd_sys_content_t "/opt/webdocs(/.*)?"
restorecon -rv /opt/webdocs
ls -ldZ /opt/webdocs
vi /etc/https/conf/httpd.conf
Change all occurrences of "/var/www/" to "/opt/webdocs/".
Try regex: :%s/\/var\/www/\/opt\/webdocs/g
systemctl restart httpd

14. Configure autofs to mount the “ldap1” user’s home directory on login using krb5p.

vi /etc/users.autofs
Add: /home /etc/users.automount
vi /etc/user.automount
Add: * -rw,sec=krb5p server.agix.local:/home/&
systemctl restart autofs

15. Configure autofs to mount “server.agix.local/public” locally as “/cifs/public” as the “samba” user.

mkdir /cifs
vi /etc/users.master.d/cifs.autofs
Add: /cifs /etc/autofs.cifs
vi /etc/autofs.cifs
Add: public -fstype=cifs,credentials=/etc/cifs.cred ://server.agix.local/shares/&
vi /etc/cifs.creds
username=samba
password=samba
domain=REDHAT
systemctl restart autofs
ls /cifs/public

Verify your work, your done.