This page is for those preparing for the Red Hat Certified Engineer (RHCE) exam. The information here along with the downloadable VirtualBox virtual machines will help students ready themselves for the exam through practice. No hints are given to what’s on the exam.
IMPORTANT POINTS:
- This preparation guide follows on from the RHCSA guide available here. Please follow through on that first as it deals with the VM environment and other matters that this guide requires.
- Make sure to add a second and third (total of three) Ethernet interfaces to the “server” virtual machine. This is used for network interface “teaming”.
TIP: Time yourself to complete the process and try it the next day to see how you retain information and improve your performance. Import the virtual machines and then clone them before you try it out. That way, you can always revert back and try again.
There are two virtual machines to download; the server and the client. The following shows required settings, credentials and IP addresses. The IP addresses may need to be adjusted for your environment. The server virtual machine has two names, “server.agix.local” and “ipa.agix.local”, that must resolve to its IP address. The client’s name is “client.agix.local” and it must resolve to its IP address. You will need to either configure a DNS resolver for this or edit the “hosts” files on your workstation, the server and the client.
Downloads:
Download the client VirtualBox machine.
Download the server VirtualBox machine.
Important environmental settings:
Network settings:
DNS server: 10.0.0.7 (adjust for your environment)
Gateway: 10.0.0.7 (adjust for your environment)
DNS/host and IP settings (note: DNS must resolve properly for LDAP/Kerberos services to work):
server.agix.local -> 10.0.0.99/24
ipa.agix.local -> 10.0.0.99/24
client.agix.local -> 10.0.0.98/24
Credentials:
Server and client root login: root/redhat
LDAP test user login: ldap1/ldap1
Samba test login: samba/samba
LDAP/IPA server administrative web-portal login: admin/Redh@t01!!
Server Objectives:
Complete these objectives on the server virtual machine. The items in strikethrough have been completed in the previous tasks (RHCSA):
- (Completed in RHCSA) Using the first Ethernet interface, bring up the network with the static IP address of “10.0.0.99/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
- (Completed in RHCSA) Set the hostname to “ipa.agix.local”.
- Prepare and export LVM storage via iSCSI to the client virtual machine. The server’s block device is “/dev/sdc”.
- Teaming and Bridging:
- Configure network interface teaming in “activebackup” mode using the second and third Ethernet interfaces.
- Ensure bridging on the teamed connection with IP address “10.10.10.99/24”.
- Configure the server to relay email from the localhost only to a fictitious remote mail relay at address “remote.example.com”. Relayed emails will have an origin of “server.example.com”.
- Configure DNS caching services for the localnet “10.0.0.0/24”.
- Create and export “/sharenfs” to the localnet “10.0.0.0/24” and require Kerberos authentication using “krb5p”. Ensure SELinux labelling is exported too.
- Create and share “/sharesmb” to the groups “smb-ro” and “smb-rw”. Members of “smb-ro” should have read-only access while members of “smb-rw” should have read/write access. Create two users, “sam” and “kym”: “sam” should be in the “smb-rw” group while “kym” should be in the “smb-ro” group. Ensure “kym” and “sam” can’t log in to the Linux system other than to Samba. The share must be accessible only from the localnet “10.0.0.0/24”.
- Install and secure Mariadb and permit the user “bobby” with the password “redhat” to access the newly created database “mydb” from the client virtual machine.
Client Objectives:
Complete these objectives on the client virtual machine. The items in strikethrough have been completed in the previous tasks (RHCSA):
- (Completed in RHCSA) Bring up the network with the correct IP address of “10.0.0.98/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
- (Completed in RHCSA) Set the hostname to “client.agix.local”.
- Format and mount the server’s iSCSI storage on the client as “/mnt/iscsi”.
- Ensure the client accepts traffic from the “10.2.2.0/24” network in the “dmz” zone.
- Ensure the client logs IPv4 traffic from the “10.2.2.0/24” network relating to the “http” service at a rate of 5 entries per minute in the “dmz” zone.
- Configure Apache to listen on port 802/tcp for “http” traffic.
- Configure Apache to listen on port 4432/tcp for “https” traffic and serve the Python program located at “https://agix.com.au/pub/rhcsa/hw.wsgi”. Importantly, do not put the program in the document root but rather use an appropriate alias.
- Mount the NFS export “server.agix.local:/exportnfs” locally as “/mnt/exportnfs” ensuring Kerberos is in use. Ensure the mount exists after a reboot. Test with the ldap user “ldap1”.
- Mount the CIFS share “//server.agix.local/sharesmb” locally as “/mnt/sharesmb” ensuring both “kym” and “sam” have appropriate access. Ensure the mount exists after a reboot (mounted as the “kym” user on boot).
- Ensure you can access the “mydb” on the server as the user “bobby”.
- Create a shell script that summarises all local users’ disk space and presents a total at the bottom. Include only users with a UID at or over 500 and the root user.
Solutions
The remainder of this page demonstrates how to complete the process step by step. Don’t use it unless you get stuck.
Server solution
1. Prepare the network.
nmcli con up enp0s3
nmcli con mod enp0s3 autoconnect yes
nmcli con mod enp0s3 ipv4.addresses 10.0.0.99/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con mod enp0s3 ipv4.method manual
nmcli con reload
ip addr
# If the IP settings don't apply, try:
ifdown enp0s3
ifup enp0s3
2. Set the hostname.
hostnamectl set-hostname ipa.agix.local
3. Set up the iSCSI storage (where the storage is located on the server):
TIP: Expand the disk to the required size (-L) or to the appropriate count of “physical extents” (-l).
lsblk
fdisk /dev/sdc    # create a single partition, /dev/sdc1
pvcreate /dev/sdc1
vgcreate iscsi /dev/sdc1
pvdisplay /dev/sdc1
# lvcreate takes a plain extent count or percentage; the "+" prefix is only for lvextend.
lvcreate -l 100%FREE -n istorage iscsi /dev/sdc1
3.1. Set up an iSCSI target (server side storage):
yum install targetcli
systemctl restart target
systemctl enable target
targetcli
> cd backstores/
> block/ create block1 /dev/iscsi/istorage
> cd /iscsi
> create iqn.2019-06.com.example:server1
> cd iqn.2019-06.com.example:server1/tpg1/
> acls/ create iqn.2019-06.com.example:desktop1
> luns/ create /backstores/block/block1
> portals/ delete 0.0.0.0 ip_port=3260
> portals/ create 10.0.0.99 ip_port=3260
3.2 Allow iSCSI through the firewall:
firewall-cmd --add-port 3260/tcp --permanent
firewall-cmd --reload
4. Configure network interface teaming:
ip link
# Configure teaming with enp0s8 and enp0s9.
nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name": "activebackup"}}'
nmcli con add type team-slave con-name team0-port1 ifname enp0s8 master team0
nmcli con add type team-slave con-name team0-port2 ifname enp0s9 master team0
ifdown team0; ifup team0
ip addr
# Verify the state of the team:
teamdctl team0 state
TIP: The above JSON looks like this:
{
    "runner": {
        "name": "activebackup"
    }
}
4.1 Configure bridging on the team0 interface. Use the IP address “10.10.10.99/24” with appropriate DNS settings.
# Disable the team0 connection:
nmcli dev dis team0
# From here on we can't use NetworkManager.
systemctl stop NetworkManager
systemctl disable NetworkManager
# The ifcfg files below live in "/etc/sysconfig/network-scripts/".
# Remove all IP settings from "ifcfg-team0-port1" and "ifcfg-team0-port2".
# Add the following to "ifcfg-team0":
BRIDGE=brteam0
# Create and add the following to "ifcfg-brteam0":
NAME=brteam0
DEVICE=brteam0
TYPE=Bridge
IPADDR0=10.10.10.99
PREFIX=24
DNS1=10.0.0.7
systemctl restart network
reboot
5. Configure the server to relay email from the localhost to a fictitious remote mail relay at address “server.example.com”.
yum install postfix
systemctl enable postfix
# Set the following 6 items in "/etc/postfix/main.cf" (the parameter is "inet_interfaces", plural):
relayhost = [server.example.com]
inet_interfaces = loopback-only
mynetworks = 127.0.0.1/8, [::1]/128
local_transport = error: No local delivery.
myorigin = server.agix.local
mydestination =
systemctl restart postfix
# No firewall change is required as we don't accept inbound SMTP traffic.
6. Configure DNS caching services for the localnet “10.0.0.0/24”.
yum install unbound
systemctl enable unbound
# Set the following items in "/etc/unbound/unbound.conf": the first three go in the
# "server:" section, the forwarder in a "forward-zone:" section (the key is "forward-addr").
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/24 allow
    domain-insecure: example.com
forward-zone:
    name: "."
    forward-addr: 10.0.0.7
systemctl restart unbound
firewall-cmd --add-service dns --permanent
firewall-cmd --reload
7. Export “/sharenfs” to the localnet “10.0.0.0/24” and require Kerberos authentication using “krb5p”. Ensure SELinux labelling is exported too.
(Note that CentOS and RHEL use different package names.)
systemctl enable nfs
systemctl enable nfs-server
systemctl enable nfs-secure
mkdir /exportnfs
# Add the following to "/etc/exports":
/exportnfs 10.0.0.0/24(rw,sec=krb5p,sync)
exportfs -r
# sec=krb5p only works if the server already holds an nfs/ service keytab in /etc/krb5.keytab.
# In "/etc/sysconfig/nfs" set RPCNFSDARGS="-V 4.2"; NFSv4.2 is what carries the SELinux labels.
systemctl restart nfs
systemctl restart nfs-server
systemctl restart nfs-secure
firewall-cmd --add-service nfs --permanent
firewall-cmd --add-service rpc-bind --permanent
firewall-cmd --reload
8. Share “/sharesmb” only to the users “kym” (read only) and “sam” (read/write). Ensure “kym” and “sam” can’t log in to the Linux system other than to Samba. Accessible only from the localnet “10.0.0.0/24”.
yum install samba
mkdir /sharesmb
chmod 2777 /sharesmb
# Samba shares need the samba_share_t context (samba_var_t is for Samba's own state files).
semanage fcontext -a -t samba_share_t "/sharesmb(/.*)?"
restorecon -Rv /sharesmb
groupadd smb-ro    # for read-only access
groupadd smb-rw    # for read/write access
useradd -s /sbin/nologin -G smb-ro kym
useradd -s /sbin/nologin -G smb-rw sam
smbpasswd -a sam   # password is redhat
smbpasswd -a kym   # password is redhat
# Add the following to the bottom of the "/etc/samba/smb.conf" file:
[sharesmb]
comment = share for rhce
path = /sharesmb
browseable = yes
writeable = no
write list = @smb-rw
valid users = @smb-ro, @smb-rw
hosts allow = 10.0.0.
systemctl enable smb
systemctl restart smb
firewall-cmd --add-service samba --permanent
firewall-cmd --reload
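As an added self-check (my code, not from the original page or its VMs), the script below lints the /etc/exports, smb.conf, main.cf and unbound.conf fragments from steps 5 to 8 against the security-relevant settings those objectives require: krb5p and the 10.0.0.0/24 restriction on the export, read-only default plus hosts allow on the Samba share, loopback-only Postfix with no local delivery, and recursion offered only to the local net. Each check takes a file path so it can run on constructed copies; the file names under the directory given to lint_server_configs are my assumption.

```shell
#!/bin/bash
# Added example: offline lint of the server config fragments written above.
# Pass a directory containing exports, smb.conf, main.cf and unbound.conf
# (on the real server: /etc/exports, /etc/samba/smb.conf, /etc/postfix/main.cf,
# /etc/unbound/unbound.conf). Every check returns 0 on pass, 1 on fail.

# /etc/exports: the export must be limited to 10.0.0.0/24 and demand sec=krb5p.
check_exports() {
    grep -Eq '^/[^[:space:]]+[[:space:]]+10\.0\.0\.0/24\((.*,)?sec=krb5p(,.*)?\)' "$1"
}

# smb.conf: [sharesmb] is read-only by default, only @smb-rw may write, and
# only the 10.0.0. network may connect. Whitespace is stripped first so that
# "write list = @smb-rw" and "writelist=@smb-rw" compare equal.
check_smb() {
    share=$(sed -n '/^\[sharesmb\]/,/^\[/p' "$1" | tr -d ' \t')
    printf '%s\n' "$share" | grep -Eiq '^writeable=no$' &&
    printf '%s\n' "$share" | grep -Eiq '^writelist=@smb-rw$' &&
    printf '%s\n' "$share" | grep -Eiq '^(hostsallow|allowhosts)=10\.0\.0\.$'
}

# main.cf: listen on loopback only, have a relay host, deliver nothing locally.
check_postfix() {
    grep -Eq '^inet_interfaces[[:space:]]*=[[:space:]]*loopback-only[[:space:]]*$' "$1" &&
    grep -Eq '^relayhost[[:space:]]*=[[:space:]]*\[?[^[:space:]]' "$1" &&
    grep -Eq '^mydestination[[:space:]]*=[[:space:]]*$' "$1"
}

# unbound.conf: recursion is allowed for 10.0.0.0/24 and not opened to the world.
check_unbound() {
    grep -Eq '^[[:space:]]*access-control:[[:space:]]*10\.0\.0\.0/24[[:space:]]+allow' "$1" &&
    ! grep -Eq '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' "$1"
}

# Run all four checks against one directory; prints PASS/FAIL per check and
# returns non-zero if any of them failed.
lint_server_configs() {
    dir=$1; rc=0
    for c in "check_exports $dir/exports" "check_smb $dir/smb.conf" \
             "check_postfix $dir/main.cf" "check_unbound $dir/unbound.conf"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; rc=1; fi
    done
    return $rc
}
```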
9. Install and secure Mariadb and permit the user “bobby” to access the newly created database “mydb” from the client virtual machine.
yum install mariadb mariadb-server
systemctl enable mariadb
systemctl restart mariadb
firewall-cmd --add-service mysql --permanent
firewall-cmd --reload
mysql_secure_installation
# current password = <none>
# set the root password = yes, redhat
# remove anonymous users = yes
# disable remote root = yes
# remove test database = yes
# reload privileges = yes
mysql -u root -p
> CREATE DATABASE mydb;
> -- CLIENT_HOST is a placeholder for the client's host name or address; the original value was lost in extraction.
> GRANT select, update, insert ON mydb.* TO 'bobby'@'CLIENT_HOST' IDENTIFIED BY "redhat";
> flush privileges;
> quit;
Client solution
1. Prepare the network.
nmcli con up enp0s3
nmcli con mod enp0s3 autoconnect yes
nmcli con mod enp0s3 ipv4.addresses 10.0.0.98/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con mod enp0s3 ipv4.method manual
nmcli con reload
ip addr
2. Set the hostname:
hostnamectl set-hostname client.agix.local
3. Discover and mount the remote iSCSI resource (tip: use “man iscsiadm” for examples):
# Correct the client IQN in "/etc/iscsi/initiatorname.iscsi" (it must match the ACL created on the server):
InitiatorName=iqn.2019-06.com.example:desktop1
systemctl enable iscsid
systemctl restart iscsid
# Discover and log in to the target; the server's portal is 10.0.0.99:
iscsiadm --mode discoverydb --type sendtargets --portal 10.0.0.99 --discover
iscsiadm --mode node --targetname iqn.2019-06.com.example:server1 --portal 10.0.0.99:3260 --login
3.1 Partition, format and mount the iSCSI resource:
lsblk
fdisk /dev/sdd    # create a single partition, /dev/sdd1
mkfs.xfs /dev/sdd1
mkdir /mnt/iscsi
# Test it.
mount /dev/sdd1 /mnt/iscsi
# Add the following to "/etc/fstab" (a UUID= from blkid is more robust than /dev/sdd1, which can change between boots):
/dev/sdd1 /mnt/iscsi xfs defaults,_netdev 0 0
4. Ensure the client forwards traffic from the “10.2.2.0/24” network to the “dmz” zone and allows only the services “http, https, ssh and time” on that zone.
firewall-cmd --add-source 10.2.2.0/24 --zone=dmz --permanent
firewall-cmd --add-service http --zone=dmz --permanent
firewall-cmd --add-service https --zone=dmz --permanent
firewall-cmd --add-service ssh --zone=dmz --permanent
firewall-cmd --add-service ntp --zone=dmz --permanent
firewall-cmd --reload
5. Ensure the client logs IPv4 traffic from the “10.2.2.0/24” network relating to the “http” service at a rate of 5 entries per second in the “dmz” zone. (tip: use “man firewalld.richlanguage” for examples):
# The objective is to log the "http" traffic, so the rule needs a "log" clause with the limit attached to it:
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.2.2.0/24 service name=http log prefix="dmz-http" level=info limit value="5/s" accept' --zone=dmz --permanent
firewall-cmd --reload
6. Configure Apache to listen on port 802/tcp for “http” traffic:
# Open "/etc/httpd/conf/httpd.conf" and change "Listen 80" to "Listen 802".
# Add the SELinux port rule (the type is http_port_t):
semanage port -a -t http_port_t -p tcp 802
# Allow through the firewall:
firewall-cmd --add-port 802/tcp --permanent
firewall-cmd --reload
7. Configure Apache to listen on port 4432/tcp for “https” traffic and serve the application (linked above) in a non-document root:
# Install mod_ssl first; it creates "/etc/httpd/conf.d/ssl.conf".
yum install mod_wsgi mod_ssl
# Open "/etc/httpd/conf.d/ssl.conf" and:
# - change "Listen 443 https" to "Listen 4432 https";
# - change "<VirtualHost _default_:443>" to "<VirtualHost _default_:4432>";
# - add the line "WSGIScriptAlias / /var/www/scripts/hw.wsgi" inside that VirtualHost section.
# Create the directory "/var/www/scripts" and copy the script into that location:
mkdir /var/www/scripts
cd /var/www/scripts ; wget https://agix.com.au/pub/rhcsa/hw.wsgi
chown apache.apache -R /var/www/scripts
chmod 755 /var/www/scripts/hw.wsgi
# Add the SELinux port rule (the type is http_port_t):
semanage port -a -t http_port_t -p tcp 4432
# Restart Apache:
systemctl enable httpd
systemctl restart httpd
# Allow through the firewall:
firewall-cmd --add-port 4432/tcp --permanent
firewall-cmd --reload
8. Mount the NFS share securely with Kerberos:
yum install krb5-workstation nfs-utils
# Add the following to the "/etc/fstab" file:
server.agix.local:/exportnfs /mnt/exportnfs nfs sec=krb5p,v4.2,_netdev 0 0
# Test it before a reboot:
mount /mnt/exportnfs
9. Mount the Samba share with appropriate restrictions:
yum install cifs-utils samba-client
mkdir /mnt/sharesmb
# Put the following into "/root/creds":
domain=redhat
username=kym
password=redhat
chmod 600 /root/creds
# Add the following to "/etc/fstab":
//server.agix.local/sharesmb /mnt/sharesmb cifs sec=ntlmssp,multiuser,credentials=/root/creds 0 0
9.1 Test the above using the “cifscreds” utility:
# As 'root' on the client virtual machine:
mount /mnt/sharesmb
# Create "kym" and switch to it:
useradd kym
su - kym
cifscreds add server.agix.local
ls /mnt/sharesmb
# Expect read-only (the touch should fail).
touch /mnt/sharesmb/testFile
exit    # back to root
# Create "sam" and switch to it:
useradd sam
su - sam
cifscreds add server.agix.local
ls /mnt/sharesmb
# Expect read-write.
touch /mnt/sharesmb/testFile
exit
10. Access the “mydb” database on the server with the credentials “bobby/redhat”:
yum install mariadb
mysql -u bobby -p -h server.agix.local
Enter password: <redhat>
> show databases;
> quit;
11. Create a script according to the requirements:
#!/bin/bash
# Get a summary of disk space usage by users (du -s reports 1K blocks).
# Set the size sum variable to zero.
COUNT=0
# Read each passwd entry directly: name, UID, comment/name and home directory.
while IFS=: read -r MY_USER _ THIS_UID _ THIS_NAME THIS_HOME _
do
    if [ "$THIS_UID" -ge 500 ] || [ "$THIS_UID" -eq 0 ]
    then
        # Skip "/" and homes that don't exist, otherwise du fails and the sum breaks.
        if [ "$THIS_HOME" != "/" ] && [ -d "$THIS_HOME" ]
        then
            # Get the size of the space used in this user's home.
            THIS_DU=$(du -s "$THIS_HOME" | cut -f1)
            if [ "$THIS_NAME" = "" ]
            then
                THIS_NAME=$MY_USER
            fi
            # Present the details with nice case formatting (GNU sed \u capitalises each word).
            echo "${THIS_NAME}: ${THIS_DU}" | tr '[:upper:]' '[:lower:]' | sed 's/\b./\u\0/g'
            # Add up the total.
            COUNT=$((COUNT + THIS_DU))
        fi
    fi
done < /etc/passwd
echo "----------------"
echo "Total space used: ${COUNT}"