
NODEB-ASK

Setup an ip address for node2 virtual machine:

hostname: node2.lab.example.com

Password: TombigSmall

IP: 172.25.250.11/24

GW: 172.25.250.254

DNS: 172.25.250.254

00: First reset the root password of the node2 machine & set it as given in the instructions above:

ans: #reboot the vm. press ESC then select boot loader, press 'e' to enter grub mode.

then type: rd.break console=tty1 rw

Press Ctrl + x to start:

# chroot /sysroot/

# passwd root

give the password and re-type it.

# touch /.autorelabel

# exit

# exit to logout.

If /sysroot is mounted read-only, we can use this:

switch_root:/# mount -o remount,rw /sysroot/

switch_root:/# chroot /sysroot

FILE LABELING

All files, directories, devices ... have a security context/label associated with them. These contexts are stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non-SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.

The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux also has this capability. The restorecon/fixfiles commands are also available for relabeling files.

network connection:

# hostnamectl set-hostname node2.lab.example.com

# ifconfig to check your physical or virtual interface name: here is: enp1s0

# nmcli connection show

# nmcli connection add con-name lan1 ifname enp2s0 type ethernet ipv4.method manual ipv4.addresses 172.25.250.11/24 ipv4.gateway 172.25.250.254 ipv4.dns 172.25.250.254 autoconnect yes

# nmcli connection up lan1

or, we can create a new config file or modify existing config file

# vim /etc/sysconfig/network-scripts/ifcfg-lan1

01: SElinux Must be Running in Enable.

ans: # getenforce

# setenforce 1 or # setenforce 0 changes the SELinux mode at runtime only, so to make it persistent you should change the config file.

# vim /etc/selinux/config

SELINUX=enforcing

After changing the mode in the config file, reboot your system.

02: Yum repository configuration on node1 machine:

◾Packages are available at: url1= http://content.example.com/rhel8.0/x86_64/dvd/AppStream/

◾Packages are available at: url2= http://content.example.com/rhel8.0/x86_64/dvd/BaseOS/

ans: #vim /etc/yum.repos.d/appstream.repo

[appstream_any_name_you_can_assign_but_no_space_here]

name=any name or if specify any name in the exam

baseurl=http://content.example.com/rhel8.0/x86_64/dvd/BaseOS/

gpgcheck=0

Test: #yum clean all

#yum repolist all

## The BaseOS repo is configured the same way.

03: Set a recommended tuning profile for your system. (profile already available).

ans: # rpm -qa tuned [to check whether the package is installed]

# yum install tuned -y

# systemctl restart tuned.service

# systemctl enable tuned.service

# tuned-adm active [to see the active profile]

# tuned-adm list [check how many profiles are available]

# tuned-adm recommend [check which profile is recommended for your system]

# tuned-adm profile virtual-guest [set the profile]

04: Create a SWAP partition of 250 megabyte & make available at next reboot.

# fdisk /dev/vdb

Hex code (type L to list all codes): 82

Changed type of partition 'Linux' to 'Linux swap / Solaris'.

# lsblk

# fdisk -l

# partprobe [to update the partition table. If the partition shows in the # fdisk -l command but not in # lsblk, then we can use # partprobe or just reboot the system.]

# mkswap /dev/vdb1

# blkid

/dev/vdb1: UUID="b2337e16-691e-4a2a-92d1-35d5c1be3f18" TYPE="swap" PARTUUID="d8f3c21a-01"

# vim /etc/fstab

UUID="b2337e16-691e-4a2a-92d1-35d5c1be3f18" swap swap defaults 0 0

# swapon -av

verification: # swapon -s # free -h

05: Create the volume group with name myvolume with 8MiB P.E. and create the lvm name
mydatabase with the 100P.E. format this lvm with ext4 and create a directory /database & mount
this lvm permanently on /database.

ans: # fdisk /dev/vdb

Last sector, +sectors or +size{K,M,G,T,P} (514048-10485759, default 10485759): +850M

Hex code (type L to list all codes): 8e

Changed type of partition 'Linux' to 'Linux LVM'.


# lsblk

# fdisk -l

# pvcreate /dev/vdb2

Physical volume "/dev/vdb2" successfully created.

# pvdisplay or, # pvs

# vgcreate myvolume -s 8M /dev/vdb2

Volume group "myvolume" successfully created

# vgdisplay or, # vgs

# lvcreate -n mydatabase -l 100 myvolume

# lvdisplay or, lvs

# mkfs.ext4 /dev/myvolume/mydatabase

or, # mkfs.ext4 /dev/mapper/myvolume-mydatabase

# blkid

/dev/mapper/myvolume-mydatabase: UUID="a747660c-8d14-4943-a227-a1320a31e943" TYPE="ext4"

# vim /etc/fstab +

UUID="a747660c-8d14-4943-a227-a1320a31e943" /database ext4 defaults 0 0

# mkdir /database

# mount -av

06: Extend or Resize the LVM partition /dev/myvolume/mydatabase into 500 MiB from the
current size and mount the LVM /dev/myvolume/mydatabase to a mount point /database.

The extended partition size must be within approximately 450MiB to 550MiB.

ans: # lvresize -r -L 500M /dev/myvolume/mydatabase

# df -HT

07: You have been provided with a disk drive attached to your system /dev/vdX. Make use of it to
create a VDO. VDO device name is myvdo1 with a logical size of 100GiB & format this vdo storage
as xfs & create a mount point /vdostorage & mount it permanently.

Step 1: Install the VDO in RHEL 8:

# rpm -qa vdo kmod-kvdo

# yum install kmod-kvdo vdo

# systemctl restart vdo.service

# systemctl enable vdo.service


Step 2: Create a VDO Volume in RHEL 8:

# man vdo [to see the manual, simply copy an example]

# vdo create --name=vdo0 --device=/dev/sdb1 --vdoLogicalSize=10T

# lsblk

# vdo create --name=myvdo1 --device=/dev/vdb --vdoLogicalSize=100G

>> create -- This initiates the creation of the VDO volume.

>> --name=myvdo1 -- This gives the volume a label known as myvdo1.

>> --device=/dev/sdX -- The device option specifies the disk on which the volume will be created.

>> --vdoLogicalSize=100G -- This indicates the effective volume capacity to be used by the operating system, in this case, 100G.

# blkid

/dev/vdb: UUID="9a19fe3d-0000-442b-aea9-840be34f22bb" TYPE="vdo"


# lsblk

# fdisk /dev/mapper/myvdo1

# lsblk

# fdisk -l

# fdisk -l /dev/mapper/myvdo1

/dev/mapper/myvdo1-part1 256 26214399 26214144 100G 83 Linux

# mkfs.xfs /dev/mapper/myvdo1 -K -f

# blkid

/dev/mapper/myvdo1: UUID="5f4fbb6e-9f31-4b66-b6c3-c87df039db7f" TYPE="xfs"

/dev/vdb: UUID="9a19fe3d-0000-442b-aea9-840be34f22bb" TYPE="vdo"

# vim /etc/fstab

UUID="5f4fbb6e-9f31-4b66-b6c3-c87df039db7f" /vdostorage xfs defaults,x-systemd.requires=vdo.service 0 0

# mkdir /vdostorage

# mount -av

NOTE:

## Usually, when a filesystem is created, a trim operation is carried out on the device. This is undesirable in the case of VDO. When formatting with the mkfs command, use the -K option to instruct the command not to discard blocks during the creation of the filesystem.

# ls -l /dev/mapper/myvdo1 >> We can use the ls command as shown to investigate file permissions & ownership.

# vdostats --hu >> vdostats command to retrieve statistics on the size and the usage of the volume.

# vdostats --verbose /dev/mapper/myvdo1 | grep -B6 'saving percent'

>> The vdostats command can be used with the --verbose flag to retrieve more detailed information as shown.

08. Configure the rhcsa application so that when run as "pandora" it shows below message "Labla
lbal lahs ksbhs".

# vim /etc/bashrc

pandora ()

(echo "Labla lbal lahs ksbhs")

save & exit

# source /etc/bashrc

# pandora

Customize user environment:

- Create a command called starton on your server.

- It should be able to execute the following command (ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,comm).

# vim /etc/bashrc

starton ()

(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,comm)

# source /etc/bashrc >>reload file

# starton

NODE-A-ASK:

01: SElinux Must be Running in Enable.

ans: # getenforce

# setenforce 1 or # setenforce 0 changes the SELinux mode at runtime only, so to make it persistent you should change the config file.

# vim /etc/selinux/config

SELINUX=enforcing

After changing the mode in the config file, reboot your system.

02: Yum repository configuration on node1 machine:

◾Packages are available at: url1= http://content.example.com/rhel8.0/x86_64/dvd/AppStream/

◾Packages are available at: url2= http://content.example.com/rhel8.0/x86_64/dvd/BaseOS/

ans: #vim /etc/yum.repos.d/appstream.repo

[appstream_any_name_you_can_assign_but_no_space_here]

name=any name or if specify any name in the exam

baseurl=http://content.example.com/rhel8.0/x86_64/dvd/BaseOS/

gpgcheck=0

Test:

#yum clean all

#yum repolist all

## The BaseOS repo is configured the same way.
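
The repo files above set gpgcheck=0, so packages from them are installed without signature verification. As an added example (not part of the original notes), this script lists every repo section that does not explicitly enable gpgcheck; audit_repos and demo_audit are hypothetical names, the sample files are constructed, and the gpgkey path is an assumption (the usual Red Hat release key location).

```shell
#!/bin/sh
# Added example, not from the original notes.
# audit_repos DIR: print "file:section:finding" for every repo section that
# does not explicitly enable package signature checking.
audit_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function report() {
                if (section == "") return
                if (gpg == "") print file ":" section ":gpgcheck unset (inherits [main])"
                else if (gpg !~ /^(1|yes|true)$/) print file ":" section ":gpgcheck=" gpg
            }
            /^[ \t]*[#;]/ { next }                    # skip comment lines
            /^[ \t]*\[.*\][ \t]*$/ {                   # a new [section] starts
                report(); section = $0; gpg = ""
                gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
                next
            }
            /^[ \t]*gpgcheck[ \t]*=/ {
                gpg = tolower($0)
                sub(/^[^=]*=[ \t]*/, "", gpg); sub(/[ \t]+$/, "", gpg)
            }
            END { report() }
        ' "$f"
    done
}

# Constructed sample: the notes' repo (gpgcheck=0) beside a signed one.
demo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/appstream.repo" <<'EOF'
[appstream]
name=AppStream
baseurl=http://content.example.com/rhel8.0/x86_64/dvd/AppStream/
gpgcheck=0
EOF
    cat > "$d/baseos.repo" <<'EOF'
[baseos]
name=BaseOS
baseurl=http://content.example.com/rhel8.0/x86_64/dvd/BaseOS/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
    audit_repos "$d"
    rm -rf "$d"
}
demo_audit
```

On a real system the same function can be pointed at the live directory: audit_repos /etc/yum.repos.d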

03: Configure a cron job on Primary machine:

◾a. The user natasha must configure a cron job that runs daily at 14:23 local time & executes
/bin/echo "hi alex"

ans: The cronie package is already installed in the exam; if it isn't installed, you have to install it.

# yum install cronie

# systemctl enable crond

# systemctl start crond

crontab -eu natasha

23 14 * * * /bin/echo "hi alex"

verification: crontab -l -u natasha

◾b. The user harry must configure a cron job that runs daily every 3 minutes local time & executes /bin/echo I got RHCE certificate.

# crontab -e -u harry

*/3 * * * * /bin/echo "I got RHCE certificate."

# cd /var/spool/cron/

# cat natasha harry

04: Debug Selinux:

Fix the HTTP service: the page is not being served to the node2 machine at this link=http://172.25.250.10:2658

SELinux must be running in the Enforcing mode.

[Note: first install the HTTP service on the node1 machine & configure the main configuration file: /etc/httpd/conf/httpd.conf

Now set the Listen port to 2658. 2nd step: create a file named index.html in the Document Root /var/www/html & write "I got RHCE certificate." to it.]

ans:

# yum install httpd

# systemctl enable httpd

# systemctl restart httpd

# vim /etc/httpd/conf/httpd.conf

Listen 2658

# vim /var/www/html/index.html

I got RHCE certificate.

## This part is already done in the exam & the document root is also set.

## First check whether the service is running, # systemctl status httpd

or you can restart the service.

then it shows [ journalctl -xe ]

# journalctl -xe you can check the log.

# semanage port -l|grep http

Check the port is here or not.

# man semanage-port [see the example in the manual, simply copy it & change the port number:]

# semanage port -a -t http_port_t -p tcp 2658

# curl http://172.25.250.10:2658 [first check it from servera or nodea]

Then check it from serverb or nodeb; if the page can't be found, check the firewall.

# firewall-cmd --list-all

# firewall-cmd --permanent --add-service=http

# firewall-cmd --permanent --add-port=2658/tcp

# firewall-cmd --reload

# systemctl restart httpd

# curl http://172.25.250.10:2658
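
The semanage check above can be scripted. As an added example (not part of the original notes), this compares the Listen ports in an httpd config with a saved copy of `semanage port -l` output, including port ranges, and prints the ports that still need `semanage port -a -t http_port_t -p tcp PORT`. The function names and sample files are constructed for illustration, and only http_port_t is checked, the type the notes add the port to.

```shell
#!/bin/sh
# Added example, not from the original notes.
# port_in_type TYPE PROTO PORT: reads `semanage port -l` output on stdin and
# succeeds if PORT is listed for TYPE/PROTO, either singly or inside a range.
port_in_type() {
    awk -v t="$1" -v proto="$2" -v port="$3" '
        $1 == t && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)          # drop the list separator
                n = split(p, r, "-")              # "10001-10010" is a range
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# unlabeled_listen_ports HTTPD_CONF SEMANAGE_DUMP: print every Listen port in
# the httpd config that is not labelled http_port_t in the saved dump.
unlabeled_listen_ports() {
    awk 'tolower($1) == "listen" { p = $2; sub(/^.*:/, "", p); print p }' "$1" |
    while read -r port; do
        port_in_type http_port_t tcp "$port" < "$2" || echo "$port"
    done
}

# Constructed sample input (shortened `semanage port -l` output and httpd.conf).
demo_ports() {
    d=$(mktemp -d) || return 1
    cat > "$d/ports.txt" <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
    cat > "$d/httpd.conf" <<'EOF'
# Listen 8081
Listen 80
Listen 2658
EOF
    unlabeled_listen_ports "$d/httpd.conf" "$d/ports.txt"
    rm -rf "$d"
}
demo_ports
```

On the server itself, save the dump with semanage port -l > ports.txt and pass /etc/httpd/conf/httpd.conf as the first argument.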

05: Create the following users, groups, and group memberships:

Ans: A group named sysadmin

# cat /etc/group|grep sysadmin

# groupadd sysadmin

A user natasha who belongs to sysadmin as a secondary group.

# useradd natasha

# usermod -G sysadmin natasha

A user sarah who also belongs to sysadmin as a secondary group.

# useradd sarah

# usermod -G sysadmin sarah

A user harry who does not have access to an interactive shell on the system & who is not a member
of sysadmin.

# usermod -s /sbin/nologin harry

natasha, sarah & harry should all have the password of password.

# passwd sarah

# passwd harry

# passwd natasha

or # echo password | passwd --stdin natasha

06: Create a collaborative directory "/common/admin" with the following characteristics:

ans:

# mkdir /common/admin -p

Group ownership of "/common/admin/" is sysadmin.

# chgrp sysadmin /common/admin

The directory should be readable, writable & accessible to members of sysadmin, but not to any
other users. (It is understood that root has access to all files & directories on the system.)

Files created in "/common/admin/" automatically have group ownership set to the sysadmin.

# chmod 2770 /common/admin

or

# chmod o-rwx /common/admin/

# chmod g+s /common/admin/

verification: # getfacl /common/admin/

# ls -ld /common/admin

07: Copy the file "/etc/passwd" to "/var/tmp". Configure the permissions of "/var/tmp/passwd"
so that:

ans: #cp /etc/passwd /var/tmp

The file "/var/tmp/passwd" is owned by the root user.

The file "/var/tmp/passwd" belong to the group root.

The file "/var/tmp/passwd" should not be executable by anyone.

# getfacl /var/tmp/passwd

The user harry is able to read and write "/var/tmp/passwd". [ACL]

# setfacl -m u:harry:rw- /var/tmp/passwd

The user sarah can neither write nor read "/var/tmp/passwd". [Note that: all other
users (current or future) have the ability to read "/var/tmp/passwd".]

# setfacl -m u:sarah:--- /var/tmp/passwd

verification: #getfacl /var/tmp/passwd

08: Synchronize your system time with classroom.example.com, or configure NTP in your system so that it is an NTP client of 3.in.pool.ntp.org

ans: #yum install chrony -y

# vim /etc/chrony.conf

server classroom.example.com iburst

# systemctl restart chronyd

# systemctl enable chronyd

verification: # chronyc tracking

or # chronyc sources -v

09: Using automounter service to mount node2 machine /data directory.

The shared directory is /ourhome/nfsuser on node1 machine.

[Note that: first you configure node1 machine & share /ourhome/nfsuser directory with the .example.com domain clients only, share must be writable.]

ans:

SERVERA OR NODEA

# yum install nfs-utils -y [package is already installed]

# systemctl status nfs-server.service [start & enable]

# mkdir /ourhome/nfsuser -p

# cd /ourhome/nfsuser

# mkdir user1

# touch user.txt

# vim /etc/exports

/ourhome/nfsuser 172.25.250.0/24(rw,sync)

# systemctl restart nfs-server.service

or

# exportfs -avr

# showmount -e

# setfacl -m u:nobody:rwx /ourhome/nfsuser

# firewall-cmd --permanent --add-service=nfs

# firewall-cmd --permanent --add-service=mountd

# firewall-cmd --permanent --add-service=rpc-bind

# firewall-cmd --reload

SERVERB OR NODEB

# rpm -qa autofs

# yum install autofs -y

Edit the Master map file (/etc/auto.master.d):

First method: # vim /etc/auto.master.d/nfs.autofs

/data /etc/auto.master.d/user

# vim /etc/auto.master.d/user

remoteuser 172.25.250.10:/ourhome/nfsuser

Second method: # vim /etc/auto.master.d/nfs.autofs

/- /etc/auto.master.d/user

# vim /etc/auto.master.d/user

/data 172.25.250.10:/ourhome/nfsuser

Or /data -fstype=nfs,rw,sync 172.25.250.10:/ourhome/nfsuser

# systemctl restart autofs.service

# df -HT

NOTE: ##Direct map support

Direct maps in autofs provide a mechanism to automatically mount file systems at arbitrary
points in the file system hierarchy.

A direct map is denoted by a mount point of /- in the master map. Entries in a direct map
contain an absolute path name as a key (instead of the relative path names used in indirect maps).

##Multiple master map entries per autofs mount point

One thing that is frequently used but not yet mentioned is the handling of multiple master
map entries for the direct mount point /-. The map keys for each entry are merged and behave as
one map.

10: Create a backup.tar.(bz2 and gz) of /etc directory in /home location.

ans: # tar -cvjf /home/backup.tar.bz2 /etc

# file /home/backup.tar.bz2

# tar -cvzf /home/backup.tar.gz /etc

# file /home/backup.tar.gz

11: Deny cron jobs for user susan so that other users of this system are not affected.

ans: # vim /etc/cron.deny

susan

12: Find all files owned by user brain and put them into /root/brain.

ans:

# find / -user brain -exec cp -frvp {} /root/brain/ \;

13: Download a file word.dict from http://content.example.com & put it to "/root". Copy all the lines from /root/word.dict files that contains the word "mail" and put those lines in /root/sorted.dict

ans: # cd /root

# wget http://classroom.example.com/content/word.dict

or

# wget -O /root/word.dict http://classroom.example.com/content/word.dict

# grep mail word.dict > /root/sorted.dict
