Labs Flashcards
serverb is relocated to Jamaica. Update the time zone and view the recorded log events.
tzselect
sudo timedatectl set-timezone America/Jamaica
journalctl --since 06:49:00 --until 07:19:00
Configure rsyslog to write the Logging test authpriv.alert message to the /var/log/auth-errors file.
echo "authpriv.alert /var/log/auth-errors" >> /etc/rsyslog.d/auth-errors.conf
sudo systemctl restart rsyslog
logger -p authpriv.alert "Logging test authpriv.alert"
sudo tail /var/log/auth-errors
On serverb, synchronize /etc directory from servera to the /configsync directory.
rsync -av root@servera:/etc /configsync
Create a configfile-backup-servera.tar.gz archive with the /configsync directory contents.
tar -czf configfile-backup-servera.tar.gz /configsync
Securely copy /root/configfile-backup-servera.tar.gz from serverb to the /home/student directory on workstation.
sftp student@workstation
put configfile-backup-servera.tar.gz
bye
Extract the content of configfile-backup-servera.tar.gz to /tmp/savedconfig/
mkdir /tmp/savedconfig && cd $_
tar -xzf ~/configfile-backup-servera.tar.gz
Change the current tuning profile for serverb to balanced. List the information for the balanced tuning profile when it is the current tuning profile.
dnf list tuned
dnf install -y tuned
sudo tuned-adm list
sudo tuned-adm profile balanced
sudo tuned-adm profile_info
Two processes on serverb are consuming a high percentage of CPU usage. Adjust each process’s nice level to 10.
ps aux --sort=pcpu
ps -o pid,pcpu,nice,comm
sudo renice -n 10 1079 1095
Open http://serverb/lab.html web page. You see an error message. Research and identify the SELinux issue that prevents Apache from serving web content.
less /var/log/messages
sealert -l 35c9e452-2552-4ca3-8217-493b72ba6d0b
ausearch -m AVC -ts recent
Display the SELinux context of the new HTTP document directory and the original HTTP document directory. Resolve the SELinux issue that prevents the Apache server from serving web content.
ls -dZ /lab-content /var/www/html
semanage fcontext -a -t httpd_sys_content_t '/lab-content(/.*)?'
restorecon -R /lab-content/
serverb has several unused disks. On the first one, create a GPT partition label and a 2 GB GPT partition named backup.
Configure the backup partition to host an XFS file system.
lsblk
parted /dev/vdb mklabel gpt
parted /dev/vdb mkpart backup 1028s 2GB
mkfs.xfs /dev/vdb1
udevadm settle
Initialize the two 512 MB partitions as swap spaces, and configure them to activate at boot. Set the swap space on the swap2 partition to be preferred over the other.
mkswap /dev/vdb2
mkswap /dev/vdb3
swapon /dev/vdb2
swapon /dev/vdb3
UUID=87976166-4697-47b7-86d1-73a02f0fc803 swap swap pri=10 0 0
UUID=4d9b847b-98e0-4d4e-9ef7-dfaaf736b942 swap swap pri=20 0 0
systemctl daemon-reload
swapon -a
swapon --show
Create a 512 MiB partition on the /dev/vdb disk. Initialize this partition as a physical volume, and extend the serverb_01_vg volume group to use this partition.
parted /dev/vdb unit MiB print
parted /dev/vdb mkpart primary 514MiB 1026MiB
udevadm settle
pvcreate /dev/vdb2
vgextend serverb_01_vg /dev/vdb2
lvextend -L 768M /dev/serverb_01_vg/serverb_01_lv
xfs_growfs /storage/data1
Create serverb_02_lv LV with 128 MiB. Create the XFS file system on the newly created volume. Mount the newly created logical volume on the /storage/data2 directory.
lvcreate -n serverb_02_lv -L 128M serverb_01_vg
mkfs -t xfs /dev/serverb_01_vg/serverb_02_lv
mkdir /storage/data2
/etc/fstab: /dev/serverb_01_vg/serverb_02_lv /storage/data2 xfs defaults 0 0
systemctl daemon-reload
mount /storage/data2
df -h /storage/data1
lvdisplay /dev/serverb_01_vg/serverb_01_lv
Configure an automounter indirect map on servera with exports from serverb. Create an indirect map with files that are named /etc/auto.master.d/shares.autofs for the master map and /etc/auto.shares for the mapping file. Use the /remote directory as the main mount point on servera.
/remote /etc/auto.shares
* -rw,sync,fstype=nfs4 serverb.lab.example.com:/shares/&
systemctl enable --now autofs
Change the default systemd target on the serverb machine for the system to automatically start a graphical interface when it boots.
systemctl set-default graphical.target
Log in to the serverb machine to determine what is preventing access to the web servers.
systemctl status httpd.service
sudo sealert -a /var/log/audit/audit.log
Configure SELinux and FirewallD to allow the httpd service to listen on the 1001/TCP port.
sudo semanage port -l | grep 'http'
sudo semanage port -a -t http_port_t -p tcp 1001
sudo systemctl enable --now httpd
sudo firewall-cmd --permanent --zone=public --add-port=1001/tcp
sudo firewall-cmd --reload
Install podman and skopeo
sudo dnf install container-tools
registry.lab.example.com stores the rhel8/mariadb-103 image with several tags.
- Use podsvc user to list available tags
- Note the tag with lowest version number.
- Use admin and redhat321 to authenticate to the registry.
- Use /tmp/registries.conf as a template for the registry configuration.
ssh podsvc@serverb
mkdir -p ~/.config/containers/
cp /tmp/registries.conf ~/.config/containers/
podman login registry.lab.example.com
skopeo inspect docker://registry.lab.example.com/rhel8/mariadb-103
- Create dir /home/podsvc/db_data
- Configure it so containers have read/write access.
- Create the inventorydb detached container.
* Use the rhel8/mariadb-103 image,
* Use the tag with the lowest version number
* Map port 3306 in the container to port 13306 on the host.
* Mount /home/podsvc/db_data on the host as /var/lib/mysql/data in the container.
podman run -d --name db_01 -p 13306:3306 \
  -e MYSQL_USER=operator1 \
  -e MYSQL_PASSWORD=redhat \
  -e MYSQL_DATABASE=inventory \
  -e MYSQL_ROOT_PASSWORD=redhat \
  registry.lab.example.com/rhel8/mariadb-103:1-86
mkdir /home/podsvc/db_data
podman exec -it db_01 cat /etc/passwd
podman stop db_01
podman rm db_01
podman unshare chown 27:27 /home/podsvc/db_data
podman run -d --name inventorydb -p 13306:3306 \
  -e MYSQL_USER=operator1 \
  -e MYSQL_PASSWORD=redhat \
  -e MYSQL_DATABASE=inventory \
  -e MYSQL_ROOT_PASSWORD=redhat \
  -v /home/podsvc/db_data:/var/lib/mysql/data:Z \
  registry.lab.example.com/rhel8/mariadb-103:1-86
~/containers-review/testdb.sh
Configure systemd so that inventorydb container starts automatically when the system boots.
mkdir -p ~/.config/systemd/user/
cd ~/.config/systemd/user/
podman generate systemd --name inventorydb --files --new
podman stop inventorydb
podman rm inventorydb
systemctl --user daemon-reload
systemctl --user enable --now container-inventorydb.service
loginctl enable-linger
Identify the UUID for /dev/vdb1, and mount it manually using its UUID on /mnt/freespace.
lsblk -fp /dev/vdb
mkdir /mnt/freespace
mount UUID="44bfb7c8-970c-4d0b-b53d-90ae31cb27ca" /mnt/freespace
Generate a disk usage report for the /usr/share directory. Save the result in the /mnt/freespace/results.txt file.
du /usr/share > /mnt/freespace/results.txt
Locate all the files that match the rsyslog.conf keyword, and store the result in the /mnt/freespace/search1.txt file.
updatedb
locate rsyslog.conf > /mnt/freespace/search1.txt
Store in the /mnt/freespace/search2.txt file the search result of all files in the /usr/share directory that are greater than 50 MB and less than 100 MB.
find /usr/share -size +50M -size -100M > /mnt/freespace/search2.txt
On serverb, configure a software repository to obtain updates. Name the repository errata and configure the repository in the /etc/yum.repos.d/errata.repo file. Configure the errata.repo file to use the http://content.example.com/rhel9.0/x86_64/rhcsa-practice/errata repository. Do not verify GPG signatures.
vi /etc/yum.repos.d/errata.repo
[errata]
name=Red Hat Updates
baseurl=http://content.example.com/rhel9.0/x86_64/rhcsa-practice/errata
enabled=1
gpgcheck=0
Create a connection with a static network configuration by using the settings in the table.
~~~
Connection name: lab
Interface name: enX
MAC address: 52:54:00:00:fa:0b
IP address: 172.25.250.11/24
Gateway address: 172.25.250.254
DNS address: 172.25.250.254
~~~
ip link
nmcli con add con-name lab ifname eth0 type ethernet ipv4.method manual ipv4.dns 172.25.250.254 ipv4.addresses 172.25.250.11/24 ipv4.gateway 172.25.250.254
Configure the new connection to start automatically. Other connections should not start automatically.
nmcli con mod "lab" connection.autoconnect yes
nmcli con mod "System eth0" connection.autoconnect no
Modify the new connection to use also the 10.0.1.1/24 IP address.
nmcli con mod "lab" +ipv4.addresses 10.0.1.1/24
Configure the hosts file so that you can reference the 10.0.1.1 IP address with the private name.
echo "10.0.1.1 private" >> /etc/hosts
Generate keys for ssh login
ssh-keygen
Send the public key of the SSH key pair to the production1 user on the serverb machine.
ssh-copy-id production1@serverb
Configure the sshd service on serverb to prevent users from logging in as the root user.
vi /etc/ssh/sshd_config
PermitRootLogin no
systemctl reload sshd.service
Configure the sshd service on serverb to allow users to authenticate with SSH keys only, rather than with their passwords.
vi /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
systemctl reload sshd.service
Create a /home/techdocs directory and set permissions on it. On the /home/techdocs directory, configure setgid; read, write, and execute permissions for the owner/user and group; and no permissions for other users.
chmod 2770 /home/techdocs
chmod g+s,u=rwx,g=rwx,o= /home/techdocs
Modify the /etc/login.defs file to adjust the default umask for login shells. Normal users should have a umask setting that allows the user and group to create, write, and execute files and directories, and prevents other users from viewing, modifying, or executing new files and directories.
vi /etc/login.defs
UMASK 007
On serverb machine, ensure that newly created users must change their passwords every 30 days.
vi /etc/login.defs
PASS_MAX_DAYS 30
Create consultant1 user with the consultants group as supplementary group.
useradd -G consultants consultant1
Set the consultant1 account to expire in 90 days from the current day.
date -d "+90 days" +%F
chage -E 2022-06-08 consultant1
Change the password policy for user consultant2 to require a new password every 15 days.
chage -M 15 consultant2
Force user consultant1 to change its password on the first login.
chage -d 0 consultant1
NFS mount fedora:/shares/public to /public persistently
fedora:/shares/public /public nfs rw,sync 0 0