IT training RH134 RHEL7


Red Hat System Administration II Student Workbook
RH134-RHEL7-en-1-20140610, MAN-RH134SKE-R2
Comprehensive, hands-on training that solves real world problems

Red Hat Enterprise Linux RH134 - Red Hat System Administration II, Edition 1
Authors: Wander Boessenkool, Bruce Wolfe, Scott McBrien, George Hacker, Chen Chang
Editor: Steven Bonneville
Contributors: Rob Locke, Bowe Strickland, Forrest Taylor, Rudolf Kastl
Reviewers: Michael Phillips, Lars Bohnsack, Michael Bashford, Clint Tinsley

Copyright © 2014 Red Hat, Inc. The contents of this course and all its modules and related materials, including handouts to audience members, are Copyright © 2014 Red Hat, Inc. No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Red Hat, Inc. This instructional program, including all material provided herein, is supplied without any guarantees from Red Hat, Inc. Red Hat, Inc. assumes no liability for damages or legal action arising from the use or misuse of contents or details contained herein. If you believe Red Hat training materials are being used, copied, or otherwise improperly distributed please e-mail training@redhat.com or phone toll-free (USA) +1 (866) 626-2994 or +1 (919) 754-3700.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, Hibernate, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Java® is a registered trademark of Oracle and/or its affiliates. XFS® is a registered trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries, and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. All other trademarks are the property of their respective owners.

Chapter: Comprehensive Review of System Administration II

• Repair boot loader problems.
• Chapter 14, Limiting Network Communication with firewalld: configure a basic firewall using firewalld, firewall-config, and firewall-cmd.

References
Get information on more classes available from Red Hat at www.redhat.com/training/

Lab: Comprehensive Review of System Administration II

Task scenario
In this lab, you will configure a system using the skills taught in this course.

Resources:
  Files: http://serverX.example.com/logfile
  Machines: serverX and desktopX

Outcomes: Two systems configured according to the specified requirements that follow.

Before you begin
• Reset your serverX system.
• Log into and set up your serverX system:
    [student@serverX ~]$ lab sa2-review setup
• Reset your desktopX system.

You have been tasked with configuring a new system for your company: desktopX. The system should be configured according to the following requirements.

• The system should authenticate users using LDAP and Kerberos using the following settings:
    Name                    Value
    LDAP server             classroom.example.com
    Search Base             dc=example,dc=com
    Use TLS                 Yes
    TLS CA Cert             http://classroom.example.com/pub/example-ca.crt
    Kerberos Realm          EXAMPLE.COM
    Kerberos KDC            classroom.example.com
    Kerberos Admin Server   classroom.example.com
  For testing purposes, you can use the user ldapuserX, with the password kerberos.
• Home directories for your LDAP users should be automatically mounted on access. These home directories are served from the NFS share classroom.example.com:/home/guests.
• serverX exports a CIFS share called westeros. This share should be mounted automatically at boot on the mount point /mnt/westeros. To mount this share, you will need to use the username tyrion with the password slapjoffreyslap. This password should not be stored anywhere an unprivileged user can read it.
• serverX exports an NFSv4 share called /essos. This share needs to be mounted read-write at boot on /mnt/essos using Kerberos authentication, encryption, and integrity checking. A keytab for your system can be downloaded from http://classroom.example.com/pub/keytabs/desktopX.keytab.
• Configure a new 512 MiB logical volume called arya in a new GiB volume group called stark. This new logical volume should be formatted with an XFS file system, and mounted persistently on /mnt/underfoot.
• Your system should be outfitted with a new 512 MiB swap partition, automatically activated at boot.
• Create a new group called kings, and four new users belonging to that group: stannis, joffrey, renly, and robb.
• Create a new directory /ironthrone, owned by root:root with permissions 700. Configure this directory so that users in the kings group have both read and write privileges on it, with the exception of the user joffrey, who should only be granted read privileges. These restrictions should also apply to all new files and directories created under the /ironthrone directory.
• Install the httpd and mod_ssl packages, then enable and start the httpd.service service.
• Open up port 12345/tcp in the default zone for the firewall running on your system.
• Create a new directory called /docroot. Make sure that the SELinux context for this directory is set to public_content_t, and that this context will survive a relabel operation.
• http://serverX.example.com/logfile contains the logs for a recent project. Download this file, then extract all lines ending in ERROR or FAIL to the file /home/student/errors.txt. All lines should be kept in the order in which they appear in the log file.
• Your system should have a new directory used to store temporary files named /run/veryveryvolatile. Whenever systemd-tmpfiles --clean is run, any file older than seconds should be deleted from that directory. This directory should have permissions 1777, and be owned by root:root.
• All changes must survive a reboot.

When you are done configuring your system, you can test your work by rebooting your desktopX machine and running the following command:
    [student@desktopX ~]$ lab sa2-review grade

Solution

In this lab, you will configure a system using the skills taught in this course.

Resources:
  Files: http://serverX.example.com/logfile
  Machines: serverX and desktopX

Outcomes: Two systems configured according to the specified requirements that follow.

Before you begin
• Reset your serverX system.
• Log into and set up your serverX system:
    [student@serverX ~]$ lab sa2-review setup
• Reset your desktopX system.

You have been tasked with configuring a new system for your company: desktopX. The system should be configured according to the following requirements.

1. The system should authenticate users using LDAP and Kerberos using the following settings:
    Name                    Value
    LDAP server             classroom.example.com
    Search Base             dc=example,dc=com
    Use TLS                 Yes
    TLS CA Cert             http://classroom.example.com/pub/example-ca.crt
    Kerberos Realm          EXAMPLE.COM
    Kerberos KDC            classroom.example.com
    Kerberos Admin Server   classroom.example.com
  For testing purposes, you can use the user ldapuserX, with the password kerberos.

  Install the authconfig-gtk and sssd packages:
    [student@desktopX ~]$ sudo yum install authconfig-gtk sssd
  Run authconfig-gtk, and enter the information provided. Do not forget to uncheck the "Use DNS to locate KDCs for realms" option.
    [student@desktopX ~]$ sudo authconfig-gtk

2. Home directories for your LDAP users should be automatically mounted on access. These home directories are served from the NFS share classroom.example.com:/home/guests.

  Install the autofs package:
    [student@desktopX ~]$ sudo yum install autofs
  Create a new file called /etc/auto.master.d/guests.autofs with the following contents:
    /home/guests  /etc/auto.guests
  Create a new file called /etc/auto.guests with the following contents:
    *  -rw,sync  classroom.example.com:/home/guests/&
  Start and enable the autofs.service service:
    [student@desktopX ~]$ sudo systemctl enable autofs.service
    [student@desktopX ~]$ sudo systemctl start autofs.service

3. serverX exports a CIFS share called westeros. This share should be mounted automatically at boot on the mount point /mnt/westeros. To mount this share, you will need to use the username tyrion with the password slapjoffreyslap. This password should not be stored anywhere an unprivileged user can read it.

  Install the cifs-utils package:
    [student@desktopX ~]$ sudo yum install cifs-utils
  Create the mount point:
    [student@desktopX ~]$ sudo mkdir -p /mnt/westeros
  Create a credentials file named /root/tyrion.creds with the following content, then set the permissions on that file to 0600:
    username=tyrion
    password=slapjoffreyslap
    [student@desktopX ~]$ sudo chmod 0600 /root/tyrion.creds
  Add the following line to /etc/fstab:
    //serverX.example.com/westeros  /mnt/westeros  cifs  creds=/root/tyrion.creds  0 0
  Mount all file systems, and inspect the mounted file system:
    [student@desktopX ~]$ sudo mount -a
    [student@desktopX ~]$ cat /mnt/westeros/README.txt

4. serverX exports an NFSv4 share called /essos. This share needs to be mounted read-write at boot on /mnt/essos using Kerberos authentication, encryption, and integrity checking. A keytab for your system can be downloaded from http://classroom.example.com/pub/keytabs/desktopX.keytab.

  Create the mount point:
    [student@desktopX ~]$ sudo mkdir -p /mnt/essos
  Download the keytab for your system:
    [student@desktopX ~]$ sudo wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab
  Add the following line to /etc/fstab:
    serverX.example.com:/essos  /mnt/essos  nfs  sec=krb5p,rw  0 0
  Start and enable the nfs-secure.service service:
    [student@desktopX ~]$ sudo systemctl enable nfs-secure.service
    [student@desktopX ~]$ sudo systemctl start nfs-secure.service
  Mount all file systems:
    [student@desktopX ~]$ sudo mount -a

5. Configure a new 512 MiB logical volume called arya in a new GiB volume group called stark. This new logical volume should be formatted with an XFS file system, and mounted persistently on /mnt/underfoot.

  Create a GiB partition on your secondary disk:
    [student@desktopX ~]$ sudo fdisk /dev/vdb
    Welcome to fdisk (util-linux 2.23).

    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.

    Device does not contain a recognized partition table
    Building a new DOS disklabel with disk identifier 0xcade6cae.

    Command (m for help): n
    Partition type:
       p   primary (0 primary, 0 extended, 4 free)
       e   extended
    Select (default p): p
    Partition number (1-4, default 1): Enter
    First sector (2048-20971519, default 2048): Enter
    Using default value 2048
    Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +2G
    Partition 1 of type Linux and of size 2 GiB is set

    Command (m for help): t
    Selected partition 1
    Hex code (type L to list all codes): 8e
    Changed type of partition 'Linux' to 'Linux LVM'

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.
    Syncing disks.
  Turn the new partition into a physical volume:
    [student@desktopX ~]$ sudo pvcreate /dev/vdb1
  Build a new volume group using the new physical volume:
    [student@desktopX ~]$ sudo vgcreate stark /dev/vdb1
  Create a new 512 MiB logical volume (LV) in the new volume group:
    [student@desktopX ~]$ sudo lvcreate -n arya -L 512M stark
  Format the new LV with an XFS file system:
    [student@desktopX ~]$ sudo mkfs -t xfs /dev/stark/arya
  Create the mount point:
    [student@desktopX ~]$ sudo mkdir -p /mnt/underfoot
  Add the following line to /etc/fstab:
    /dev/stark/arya  /mnt/underfoot  xfs  defaults  0 0
  Mount all file systems:
    [student@desktopX ~]$ sudo mount -a

6. Your system should be outfitted with a new 512 MiB swap partition, automatically activated at boot.

  Create a new 512 MiB partition on your secondary disk and set the partition type to 82:
    [student@desktopX ~]$ sudo fdisk /dev/vdb
    Welcome to fdisk (util-linux 2.23).

    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.

    Command (m for help): n
    Partition type:
       p   primary (1 primary, 0 extended, 3 free)
       e   extended
    Select (default p): p
    Partition number (2-4, default 2): Enter
    First sector (4196352-20971519, default 4196352): Enter
    Using default value 4196352
    Last sector, +sectors or +size{K,M,G} (4196352-20971519, default 20971519): +512M
    Partition 2 of type Linux and of size 512 MiB is set

    Command (m for help): t
    Partition number (1,2, default 2): Enter
    Hex code (type L to list all codes): 82
    Changed type of partition 'Linux' to 'Linux swap / Solaris'

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
    The kernel still uses the old table. The new table will be used at
    the next reboot or after you run partprobe(8) or kpartx(8)
    Syncing disks.
    [student@desktopX ~]$ sudo partprobe
  Format the new partition as swap:
    [student@desktopX ~]$ sudo mkswap /dev/vdb2
  Retrieve the UUID for your new swap partition:
    [student@desktopX ~]$ sudo blkid /dev/vdb2
  Add the following line to /etc/fstab; make sure to use the UUID you found in the previous step:
    UUID="xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx"  swap  swap  defaults  0 0
  Activate all swaps:
    [student@desktopX ~]$ sudo swapon -a

7. Create a new group called kings, and four new users belonging to that group: stannis, joffrey, renly, and robb.

  Create the kings group:
    [student@desktopX ~]$ sudo groupadd kings
  Create the four users, and add them to the kings group:
    [student@desktopX ~]$ for NEWUSER in stannis joffrey renly robb; do
    > sudo useradd -G kings ${NEWUSER}
    > done

8. Create a new directory /ironthrone, owned by root:root with permissions 0700. Configure this directory so that users in the kings group have both read and write privileges on it, with the exception of the user joffrey, who should only be granted read privileges. These restrictions should also apply to all new files and directories created under the /ironthrone directory.

  Create the directory with the correct permissions:
    [student@desktopX ~]$ sudo mkdir -m 0700 /ironthrone
  Add an ACL on /ironthrone granting users in the kings group read and write privileges. Do not forget to add execute permissions as well, since this is a directory:
    [student@desktopX ~]$ sudo setfacl -m g:kings:rwX /ironthrone
  Add an ACL for the user joffrey, with only read and execute permissions:
    [student@desktopX ~]$ sudo setfacl -m u:joffrey:r-x /ironthrone
  Add the two previous ACLs as default ACLs as well:
    [student@desktopX ~]$ sudo setfacl -m d:g:kings:rwx /ironthrone
    [student@desktopX ~]$ sudo setfacl -m d:u:joffrey:r-x /ironthrone

9. Install the httpd and mod_ssl packages, then enable and start the httpd.service service.

  Install the httpd and mod_ssl packages:
    [student@desktopX ~]$ sudo yum install httpd mod_ssl
  Start and enable the httpd.service service:
    [student@desktopX ~]$ sudo systemctl start httpd.service
    [student@desktopX ~]$ sudo systemctl enable httpd.service

10. Open up port 12345/tcp in the default zone for the firewall running on your system.

  Open port 12345/tcp in the permanent configuration of the default zone for your firewall:
    [student@desktopX ~]$ sudo firewall-cmd --permanent --add-port=12345/tcp
  Reload your firewall to activate your changes:
    [student@desktopX ~]$ sudo firewall-cmd --reload

11. Create a new directory called /docroot. Make sure that the SELinux context for this directory is set to public_content_t, and that this context will survive a relabel operation.

  Create the /docroot directory:
    [student@desktopX ~]$ sudo mkdir /docroot
  Add a new default file context for the /docroot directory and all its descendants:
    [student@desktopX ~]$ sudo semanage fcontext -a -t public_content_t '/docroot(/.*)?'
  Relabel the /docroot directory:
    [student@desktopX ~]$ sudo restorecon -RvF /docroot

12. http://serverX.example.com/logfile contains the logs for a recent project. Download this file, then extract all lines ending in ERROR or FAIL to the file /home/student/errors.txt. All lines should be kept in the order in which they appear in the log file.

  Download the log file:
    [student@desktopX ~]$ wget http://serverX.example.com/logfile
  Extract every line that ends in either ERROR or FAIL into the file /home/student/errors.txt, while keeping the line order intact:
    [student@desktopX ~]$ grep -e 'ERROR$' -e 'FAIL$' logfile > /home/student/errors.txt

13. Your system should have a new directory used to store temporary files named /run/veryveryvolatile. Whenever systemd-tmpfiles --clean is run, any file older than seconds should be deleted from that directory. This directory should have permissions 1777, and be owned by root:root.

  Create a new file called /etc/tmpfiles.d/veryveryvolatile.conf with the following content:
    d  /run/veryveryvolatile  1777  root  root  s
  Have systemd-tmpfiles create the directory:
    [student@desktopX ~]$ sudo systemd-tmpfiles --create

14. Verify your work by rebooting your desktopX machine and running the following command on your desktopX system:
    [student@desktopX ~]$ lab sa2-review grade
  If any requirement comes up as "FAIL", revisit that requirement, and then reboot and grade again.

Summary

Red Hat System Administration II Comprehensive Review
• Review chapters to validate knowledge level.
• Review practice exercises to validate skill level.
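As an added example, not part of the Red Hat workbook, here is a small audit script for the access-control pieces of this lab: it confirms that the CIFS credentials file is unreadable to unprivileged users, that the fstab entries carry the required options (Kerberos krb5p on /mnt/essos, a creds= file rather than an inline password on /mnt/westeros), and that the tmpfiles.d rule creates /run/veryveryvolatile as 1777 root:root. Every function takes a file path, so it can be run against the live files or against constructed copies; the function names and the --live flag are this example's own assumptions.

```shell
#!/bin/bash
# Audit helpers for the desktopX lab (added example, not Red Hat's code).
# Each function returns 0 when the requirement is met and prints the
# first problem it finds otherwise.

# The CIFS credentials file must not be readable by unprivileged users
# (mode 0600) and must carry both username= and password= lines.
check_creds_file() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c %a "$file")
    [ "$mode" = "600" ] || { echo "$file: mode $mode, expected 0600"; return 1; }
    grep -q '^username=' "$file" || { echo "$file: no username= line"; return 1; }
    grep -q '^password=' "$file" || { echo "$file: no password= line"; return 1; }
    return 0
}

# Find the non-comment fstab entry for a mount point and confirm its
# filesystem type and that every expected mount option is present.
# Usage: check_fstab_entry FSTAB MOUNTPOINT FSTYPE [OPTION...]
check_fstab_entry() {
    fstab=$1; mnt=$2; fstype=$3; shift 3
    line=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print; exit }' "$fstab")
    [ -n "$line" ] || { echo "$mnt: no fstab entry"; return 1; }
    actual_type=$(printf '%s\n' "$line" | awk '{ print $3 }')
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    [ "$actual_type" = "$fstype" ] || { echo "$mnt: type $actual_type, expected $fstype"; return 1; }
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mnt: missing mount option $want"; return 1 ;;
        esac
    done
    return 0
}

# The tmpfiles.d "d" rule for the directory must request mode 1777
# (sticky, world-writable) and owner root:root.  The age field is not
# checked here because the lab text does not fix its value.
check_tmpfiles_rule() {
    conf=$1; dir=$2
    awk -v d="$dir" '
        $1 == "d" && $2 == d {
            found = 1
            if ($3 == "1777" && $4 == "root" && $5 == "root") ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }' "$conf"
}

# Run every check against the live system paths used in the lab.
# Needs root to read /root/tyrion.creds.
audit_desktopx() {
    rc=0
    check_creds_file /root/tyrion.creds || rc=1
    check_fstab_entry /etc/fstab /mnt/westeros cifs creds=/root/tyrion.creds || rc=1
    check_fstab_entry /etc/fstab /mnt/essos nfs sec=krb5p rw || rc=1
    check_fstab_entry /etc/fstab /mnt/underfoot xfs defaults || rc=1
    check_tmpfiles_rule /etc/tmpfiles.d/veryveryvolatile.conf /run/veryveryvolatile || rc=1
    return $rc
}

# Only touch the live system when explicitly asked: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_desktopx
fi
```

Run as root with --live after step 14; a non-zero exit means at least one hardening requirement is not in place.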
