final study Flashcards
Launch a rootless container and configure it to auto-start via systemd as a regular user!
mkdir ~/.config/systemd/user -p
podman run -dt --name rootless-container ubi8
podman generate systemd --new --name rootless-container > ~/.config/systemd/user/rootless-container.service
podman stop rootless-container
podman rm rootless-container
systemctl --user daemon-reload
systemctl --user --now enable rootless-container
add a non-standard network port 8010 to the SELinux policy database for the httpd service
semanage port -at http_port_t -p tcp 8010
semanage port -l
configure nfs
Server:
mkdir /dir1
chmod 777 /dir1
vi /etc/exports
exportfs -a
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
systemctl restart nfs-server
Client
mkdir /dir2
chmod 777 /dir2
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
systemctl restart nfs-server
mount
fstab:
server1:/dir1 /dir2 nfs _netdev 0 0
On rhcsa3, create directory /var/dir1 with full permissions
for everyone. Disallow non-owners to remove files.
chmod 1777 /var/dir1
[root@dr-test1 /]# ls -ld /var/dir1/
drwxrwxrwt. 2 root root 6 Feb 6 10:51 /var/dir1/
install module postgresql version 9.6
dnf module install postgresql:9.6
On rhcsa3, set SELinux type shadow_t on a new file
testfile1 in /usr and ensure that the context is not affected by a
SELinux relabeling
semanage fcontext -a -t shadow_t "/var/testfile1(/.*)?"
restorecon -R -v /var/testfile1
ls -lZ testfile1
On rhcsa3, launch a named container as user60 with host
port 10000 mapped to container port 80. Employ the latest version of
the ubi7 image. Configure a systemd service to auto-start the
container without the need for user60 to log in. Validate port mapping
using an appropriate podman subcommand
mkdir ~/.config/systemd/user -p
podman run -dp 10000:8000 --name daniel-container ubi7
podman generate systemd --new --name daniel-container > ~/.config/systemd/user/daniel-container.service
podman stop daniel-container
podman rm daniel-container
systemctl --user daemon-reload
systemctl --user --now enable daniel-container
On rhcsa3, launch another named container as user60 with
/host_data01 mapped to /container_data01, one variable
ENVIRON=Exam, and host port 1050 mapped to container port
1050. Use the latest version of the ubi8 image. Configure a separate
systemd service to auto-start the container without the need for
user60 to log in. Create a file under the shared directory and validate
data persistence. Verify port mapping and variable settings using
appropriate podman subcommands
sudo podman run -dp 1050:1050 -it -e ENVIRON="Exam" -v /host_data01:/container_data01:Z --name daniel-container3 ubi8
Synchronize the entire /etc directory on rhcsa5 to
/var/tmp/etc on rhcsa6. Use in-transit compression. Capture the
output and any errors in the /var/tmp/etc.transfer file on rhcsa5
during the synchronization process
rsync -avz /etc test1:/var/tmp/etc 2> /var/tmp/etc.transfer
On rhcsa6, list all files that are part of the “setup” package,
and use regular expressions and I/O redirection to send the output
lines containing “hosts” to /var/tmp/setup.pkg
rpm -ql setup | grep hosts > /var/tmp/setup.pkg
On rhcsa5, configure journald to store messages
permanently under /var/log/journal and fall back to memory-only
option if /var/log/journal directory does not exist or has
permission/access issues.
mkdir /var/log/journal
systemctl restart systemd-journald
debug selinux
semanage port -l | grep http
semanage port -a -t http_port_t -p tcp 83
systemctl start httpd
wget localhost:82/index.html
sealert -l "*"
matchpathcon /var/www/html /var/test_www/html
semanage fcontext -a -e /var/www /var/test_www
restorecon -Rv /var/
ssh banner
vi /etc/ssh/banner
edit /etc/ssh/sshd_config: on the Banner line, place the path /etc/ssh/banner
restart sshd
Configuring the system to only leave 3 days of logs
editing /etc/logrotate.conf,
daily
rotate 3
Creating a bot user named privacy that keeps its files only
visible to itself by default
adduser privacy
su - privacy
echo "umask 0077" >> .bashrc