This page is for those preparing for the Red Hat Certified System Administrator (RHCSA) exam. The information here, along with the downloadable VirtualBox virtual machines, will help students ready themselves for the exam through practice. No hints are given about what's on the exam.
IMPORTANT POINTS:
- The RHCE guide (available here) follows on from this preparation guide. Work through this guide first, as it covers the VM environment and other matters the RHCE guide requires.
TIP: Time yourself to complete the process and try it the next day to see how you retain information and improve your performance. Import the virtual machines and then clone them before you try it out. That way, you can always revert back and try again.
There are two virtual machines to download: the server and the client. The following shows the required settings, credentials and IP addresses. The IP addresses may need to be adjusted for your environment. The server virtual machine has two names, “server.agix.local” and “ipa.agix.local”, that must resolve to its IP address. The client’s name is “client.agix.local” and it must resolve to its IP address. You will need to either configure a DNS resolver for this or edit the “hosts” files on your workstation, the server and the client.
Downloads:
Download the client VirtualBox virtual machine.
Download the server VirtualBox virtual machine.
Important environmental settings:
Network settings:
- DNS server: 10.0.0.7 (adjust for your environment)
- Gateway: 10.0.0.7 (adjust for your environment)
DNS/host and IP settings (note: DNS must resolve properly for the LDAP/Kerberos services to work):
- server.agix.local -> 10.0.0.99/24
- ipa.agix.local -> 10.0.0.99/24
- client.agix.local -> 10.0.0.98/24
Credentials:
- Server and client root login: root/redhat
- LDAP test user login: ldap1/ldap1
- Samba test login: samba/samba
- LDAP/IPA server administrative web-portal login: admin/Redh@t01!!
Server Objectives:
Complete these objectives on the server virtual machine.
- Bring up the network with the static IP address of “10.0.0.99/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
- Configure the firewall to allow access to http, https, NFS, rpcbind and samba.
- Set the “systemctl” default target to “multi-user” persistently. Change into the new default.
- Set the hostname to “ipa.agix.local”.
- Set the timezone to your local timezone.
- Correct the error (it’s there) in the “/etc/exports” file. The client will use these exported resources later in this exercise.
- Verify and start the “ipa” service to enable LDAP and Kerberos services.
- Log into “https://ipa.agix.local” as “ldap1/ldap1” and reset the “ldap1” password. This new password will be used later in the client solution.
Client Objectives:
Complete these objectives on the client virtual machine.
- Bring up the network with the correct IP address of “10.0.0.98/24”, gateway of “10.0.0.7” and DNS server of “10.0.0.7”.
- Set the hostname to “client.agix.local”.
- Set the timezone to be yours.
- Add the YUM repository located at “http://server.agix.local/repo”. Verify the existence of the new repository.
- Extend the “centos-root” LV by “8G” and the “centos-swap” LV by “1020MB”. Tip: the two additional hard disks are these sizes. Make sure the new swap and root space are fully utilized.
- Execute “/root/password.sh” and reboot the system. Boot the system and reset the root password using the Grub2 boot options.
- Join the “client.agix.local” host to the LDAP/Kerberos (FreeIPA) system hosted at “ipa.agix.local” with a Base DN of “dc=agix,dc=local”, a Realm of “AGIX.LOCAL”, and a KDC and Admin server of “ipa.agix.local”. Tip: use “authconfig-gtk”.
- Test that you can see details of the “ldap1” LDAP user.
- Create a local group called “mygroup”. Create a local user called “redhat” and make that user a member of the “mygroup” group.
- Create the directory “/opt/mydir” and ensure that only the “mygroup” group can access it, but not the “redhat” user. Make sure future files and directories in this directory inherit these permissions.
- Install Apache, set it to start on boot and ensure that the “redhat” user can publish a web page from “http://client.agix.local/~redhat/”. Modify the firewall to allow remote access to the “client.agix.local” host on port 80.
- Mount the “server.agix.local:/webdocs” NFS export as “/mnt/webdocs” on the client. Set it to mount on boot.
- Configure Apache to use the new web directory of “/mnt/webdocs” rather than the default location.
- Ensure the “ldap1” user’s home directory mounts automatically on login via NFS (using autofs with Kerberos/krb5p), where “server.agix.local:/home/” is the source of the users’ home directories.
- Using autofs, mount the “shares” CIFS share shared on “server.agix.local” to “/cifs/public” on the client using the “samba” user on the “REDHAT” domain/workgroup.
Solutions
The remainder of this page walks through the solution to each objective step by step. Don’t use it unless you get stuck.
Server solution
1. Prepare the network.
nmcli con mod enp0s3 autoconnect yes
nmcli con mod enp0s3 ipv4.method manual ipv4.addresses 10.0.0.99/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con up enp0s3        # re-activate the connection so the modified settings take effect
ip addr
# If the IP settings don't apply, try:
ifdown enp0s3
ifup enp0s3
Verify the settings in the configuration file.
cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
2. Configure the firewall.
firewall-cmd --list-services
firewall-cmd --add-service nfs --permanent
firewall-cmd --add-service rpc-bind --permanent
firewall-cmd --add-service samba --permanent
firewall-cmd --add-service http --permanent
firewall-cmd --add-service https --permanent
firewall-cmd --reload
firewall-cmd --list-services    # confirm the services are now listed
3. Set and make active the “multi-user” target.
systemctl get-default
systemctl set-default multi-user.target
systemctl isolate multi-user.target
4. Set the hostname.
hostnamectl set-hostname ipa.agix.local    # the name required by objective 4; server.agix.local resolves to the same host
5. Set the timezone.
timedatectl set-timezone Australia/Darwin    # use "timedatectl list-timezones" to find your own zone
ls -l /etc/localtime
6. Correct the “/etc/exports” file.
vi /etc/exports
Change "/home *(rw,sync,krb5p)" to "/home *(rw,sync,sec=krb5p)".
exportfs -ra
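The slip in step 6 (a Kerberos flavour written as a bare option instead of “sec=…”) is easy to miss by eye. The following shell function, added here as an example and not part of the original guide, scans an exports file for it; it skips comments and blank lines, handles several clients per line and ignores any “sec=” options that are already correct.

```bash
#!/bin/sh
# Added example: report /etc/exports entries that name a security flavour
# (sys, krb5, krb5i, krb5p) as a bare option instead of "sec=<flavour>".
# Usage: check_exports_sec [exports-file]   (defaults to /etc/exports)
# Prints one "BAD ..." line per faulty client entry; returns 1 if any were found.
check_exports_sec() {
    local file="${1:-/etc/exports}" rc=0 line path client opts opt
    set -f   # no pathname expansion: export lines contain "*" wildcards
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                  # strip comments
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac   # skip blank lines
        set -- $line                                        # path, then client(options) words
        path="$1"; shift
        for client in "$@"; do
            case "$client" in *\(*\)) ;; *) continue ;; esac    # client without an option list
            opts="${client#*\(}"; opts="${opts%\)}"
            for opt in $(printf '%s' "$opts" | tr ',' ' '); do
                case "$opt" in
                    sys|krb5|krb5i|krb5p)
                        printf 'BAD %s %s: "%s" should be "sec=%s"\n' "$path" "$client" "$opt" "$opt"
                        rc=1 ;;
                esac
            done
        done
    done < "$file"
    set +f
    return "$rc"
}
```

Run it before “exportfs -ra”; a clean file produces no output and a zero exit status.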
7. Verify the IPA service is running and restart it if necessary. You may need to reboot before this stage.
systemctl status ipa
systemctl restart ipa
8. The server is configured. Log into “https://server.agix.local” as “ldap1/ldap1” and change the password to something you’ll remember. You need to use it later in the client-side setup.
Client Solution
1. Prepare the network:
nmcli con mod enp0s3 autoconnect yes
nmcli con mod enp0s3 ipv4.method manual ipv4.addresses 10.0.0.98/24 ipv4.gateway 10.0.0.7 ipv4.dns 10.0.0.7
nmcli con up enp0s3        # re-activate the connection so the modified settings take effect
ip addr
Verify the settings in the configuration file.
cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
2. Set the hostname:
hostnamectl set-hostname client.agix.local
3. Set the timezone:
timedatectl set-timezone Australia/Darwin    # use "timedatectl list-timezones" to find your own zone
ls -l /etc/localtime
4. Add the new YUM repository:
yum install yum-utils                                        # provides yum-config-manager
yum-config-manager --add-repo=http://server.agix.local/repo/
yum repolist                                                  # verify the new repository is listed
5. Add the disks to LVM, then extend the “swap” LV by 1020M and the “root” LV by 8G.
lsblk                                   # take note of the new disk names (sdb and sdc below)
fdisk /dev/sdb                          # create a new partition of type 8e (Linux LVM)
fdisk /dev/sdc                          # create a new partition of type 8e (Linux LVM)
pvcreate /dev/sdb1 /dev/sdc1
vgextend centos /dev/sdb1 /dev/sdc1
pvs                                     # take note
lvs                                     # take note
lvextend -L +1020M /dev/mapper/centos-swap
lvextend -L +8G /dev/mapper/centos-root
# If lvextend reports insufficient free space (PV metadata takes a little of each disk),
# extend the second LV with "-l +100%FREE" so the remaining space is fully used.
xfs_growfs /                            # grow the root filesystem into the new space
swapoff -a
mkswap /dev/mapper/centos-swap          # rewrite the swap signature for the new size
swapon -a
lvs                                     # confirm both LVs grew
6. Execute the password script and reboot.
/root/password.sh
reboot
Reset the root password on boot.
Interrupt the boot process at the grub2 menu and select the latest boot entry. Press “e” and move to the line starting with “linux16”. Press “control+e” to go to the end of that line and append “ rd.break”. Press “control+x” to boot with the temporary setting. In the emergency shell that appears:
mount -o remount,rw /sysroot    # /sysroot is mounted read-only at this point
chroot /sysroot
passwd                          # set the new root password
touch /.autorelabel             # /etc/shadow was rewritten; relabel SELinux contexts on the next boot
exit                            # leave the chroot
exit                            # leave the emergency shell; the boot continues
7. Configure LDAP and Kerberos client-side services.
yum install authconfig-gtk
authconfig-gtk
TAB “Advanced”: tick “Create home directories on the first login”
TAB “Identity & Authentication”:
  User account database: IPAv2
  IPA Domain: agix.local
  IPA Realm: AGIX.LOCAL
  IPA Server: ipa.agix.local
  Click “Join Domain” (you will be prompted for the IPA admin credentials)
8. Verify LDAP and Kerberos services.
id ldap1
kinit ldap1        # use the password you set for ldap1 in the server solution
klist
9. Create the “mygroup” group and the “redhat” user and make the new user a part of the new group.
groupadd mygroup
useradd -G mygroup redhat
groups redhat
10. Use setfacl to allow a group access to a directory but deny one user who is a member of that group.
mkdir /opt/mydir
chown nobody:nobody /opt/mydir
chmod 770 /opt/mydir                      # keep "other" out; the ACLs below handle the group and the user
setfacl -m g:mygroup:rwx /opt/mydir
setfacl -m u:redhat:--- /opt/mydir        # a named-user entry is matched before group entries, so redhat is denied
setfacl -d -m g:mygroup:rwx /opt/mydir    # default entries are inherited by new files and subdirectories
setfacl -d -m u:redhat:--- /opt/mydir
getfacl /opt/mydir                        # verify; also check that "mask::" is rwx, or the group entry is cut down
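A common way to get step 10 subtly wrong is an ACL mask that silently reduces the named group entry (getfacl shows this as “#effective:”). The following shell functions, added here as an example and not part of the original guide, read “getfacl -p /opt/mydir” output (from a file, or captured live when no file is given), compute the effective rights of each entry through the mask, and confirm the access and default entries match the objective.

```bash
#!/bin/sh
# Added example: verify the /opt/mydir ACL from getfacl output.
# Named user/group entries are limited by the mask; owner and "other" are not.

# effective_perms PERMS MASK -> prints PERMS restricted by MASK, e.g. rwx & r-x = r-x
effective_perms() {
    local p="$1" m="$2" out="" c
    for c in r w x; do
        case "$p" in *"$c"*) case "$m" in *"$c"*) out="$out$c"; continue ;; esac ;; esac
        out="$out-"
    done
    printf '%s' "$out"
}

# acl_effective FILE ENTRY -> effective rights of ENTRY (e.g. group:mygroup,
# default:user:redhat, other:) in FILE, or "missing" if there is no such entry
acl_effective() {
    local file="$1" entry="$2" perms mask prefix=""
    case "$entry" in default:*) prefix="default:" ;; esac
    perms=$(sed -n "s/^$entry:\([rwx-]*\)\$/\1/p" "$file")
    mask=$(sed -n "s/^${prefix}mask::\([rwx-]*\)\$/\1/p" "$file")
    [ -n "$perms" ] || { printf 'missing'; return 0; }
    case "$entry" in
        user:?*|group:?*|default:user:?*|default:group:?*)
            perms=$(effective_perms "$perms" "${mask:-rwx}") ;;   # mask applies to named entries only
    esac
    printf '%s' "$perms"
}

# check_mydir_acl [FILE] -> 0 if every required entry has the expected effective rights
check_mydir_acl() {
    local file="${1:-}" rc=0 pair entry want got
    [ -n "$file" ] || { file=$(mktemp); getfacl -p /opt/mydir > "$file"; }
    for pair in group:mygroup=rwx user:redhat=--- other:=--- \
                default:group:mygroup=rwx default:user:redhat=--- default:other:=---; do
        entry="${pair%=*}"; want="${pair#*=}"
        got=$(acl_effective "$file" "$entry")
        [ "$got" = "$want" ] || { printf 'FAIL %s: effective=%s want=%s\n' "$entry" "$got" "$want"; rc=1; }
    done
    return "$rc"
}
```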
11. Install Apache and ensure it starts on boot. Make sure the “redhat” user can host their own website at “http://client.agix.local/~redhat/”.
yum install httpd
vi /etc/httpd/conf.d/userdir.conf
  Change "UserDir disabled" to "UserDir public_html"
systemctl enable httpd
systemctl restart httpd
firewall-cmd --add-service http --permanent   # without --permanent the change is lost on --reload
firewall-cmd --reload
firewall-cmd --list-services
chmod o+x /home/redhat                        # Apache must be able to traverse the home directory
setsebool -P httpd_enable_homedirs on         # SELinux: allow httpd to read user home directories
su - redhat
mkdir ~/public_html
echo "redhat website" > ~/public_html/index.html
exit
curl http://client.agix.local/~redhat/        # verify
12. Mount “server.agix.local:/webdocs” as “/mnt/webdocs” on the “client.agix.local” host and ensure it happens at boot time.
mkdir /mnt/webdocs
vi /etc/fstab
  Add: server.agix.local:/webdocs  /mnt/webdocs  nfs  defaults,_netdev  0 0
setsebool -P httpd_use_nfs on    # SELinux: allow httpd to serve content from NFS
mount /mnt/webdocs               # mounts via the new fstab entry, which also proves the entry is valid
13. Set the new web directory for Apache.
mkdir -p /mnt/webdocs/html
ls -ldZ /var/www/html                       # reference context: httpd_sys_content_t
# The fcontext rule only matters if the web directory is on local storage; an NFS mount
# keeps the NFS context, which the httpd_use_nfs boolean from step 12 allows.
semanage fcontext -a -t httpd_sys_content_t "/mnt/webdocs(/.*)?"
restorecon -Rv /mnt/webdocs
ls -ldZ /mnt/webdocs
vi /etc/httpd/conf/httpd.conf
  Change all occurrences of "/var/www/" to "/mnt/webdocs/" (DocumentRoot and the matching <Directory> blocks).
  In vi: :%s#/var/www#/mnt/webdocs#g
systemctl restart httpd
14. Configure autofs to mount the “ldap1” user’s home directory on login using krb5p.
yum install autofs nfs-utils
vi /etc/auto.master.d/home.autofs
  Add: /home /etc/auto.home
vi /etc/auto.home
  Add: * -rw,sec=krb5p server.agix.local:/home/&
systemctl enable autofs
systemctl restart autofs
# Notes: sec=krb5p relies on the host keytab created when the client joined IPA (step 7)
# and on rpc.gssd running (the nfs-secure service on RHEL 7). An indirect map on /home
# takes over the whole directory, so local home directories such as /home/redhat are
# hidden while this map is active; bear that in mind when re-testing step 11.
su - ldap1                                   # verify: the home directory mounts on login
exit
15. Configure autofs to mount the “shares” CIFS share on “server.agix.local” locally as “/cifs/public” as the “samba” user.
yum install cifs-utils
mkdir /cifs
vi /etc/auto.master.d/cifs.autofs
  Add: /cifs /etc/auto.cifs
vi /etc/auto.cifs
  Add: public -fstype=cifs,credentials=/etc/cifs.creds ://server.agix.local/shares
vi /etc/cifs.creds
  username=samba
  password=samba
  domain=REDHAT
chmod 600 /etc/cifs.creds        # the file holds a password; keep it readable by root only
systemctl restart autofs
ls /cifs/public
Verify your work; you’re done.