本篇主要以RHCE練習題為線索,介紹其中涉及的知識點。
紅色引用的字為題目要求(不是正式題目,難度略低於正式題目)
In serverX or desktopX
1. (lab teambridge setup[in serverX])Configure Link Aggregation in
serverX with config “activebackup” ip “192.168.0.11” gw
“192.168.0.254”.
lab teambridge setup
[root@server0 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 52:54:00:00:00:0b brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 52:54:00:00:00:0e brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 52:54:00:00:00:0f brd ff:ff:ff:ff:ff:ff
6: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether da:da:11:ca:26:07 brd ff:ff:ff:ff:ff:ff
8: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether ca:2a:c4:8c:f1:ce brd ff:ff:ff:ff:ff:ff
添加類型為team的網卡:
- [root@server0 ~]# nmcli connection add con-name team0 ifname team0 type team config ‘{“runner”:{“name”:”activebackup”}}’
Connection ‘team0’ (fcc3dcd2-ecfe-429a-9056-4a4115f48e7a) successfully added.
修改該網卡的配置:
- [root@server0 ~]# nmcli connection modify “team0” ipv4.addresses “192.168.0.11/24 192.168.0.254” ipv4.method manual
分配兩張網卡,作為子端口:
- [root@server0 ~]# nmcli connection add con-name team0-port1 ifname eno1 type team-slave master team0
- [root@server0 ~]# nmcli connection add con-name team0-port2 ifname eno2 type team-slave master team0
- 檢查狀態:
[root@server0 ~]# teamdctl team0 state
setup:
runner: activebackup
ports:
eno1
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
eno2
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
runner:
active port: eno1
- ip -a
……..
6: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master team0 state UP qlen 1000
link/ether ca:0f:d9:cb:e7:7b brd ff:ff:ff:ff:ff:ff
8: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master team0 state UP qlen 1000
link/ether ca:0f:d9:cb:e7:7b brd ff:ff:ff:ff:ff:ff
15: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether ca:0f:d9:cb:e7:7b brd ff:ff:ff:ff:ff:ff
inet 192.168.0.11/24 brd 192.168.0.255 scope global team0
valid_lft forever preferred_lft forever
inet6 fe80::400b:2dff:fe43:bdde/64 scope link
valid_lft forever preferred_lft forever
[root@server0 ~]# nmcli connection show
測試:
[root@server0 ~]# nmcli connection show
NAME UUID TYPE DEVICE
System eth0 5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03 802-3-ethernet eth0
team0-port2 5cce5b22-6da3-4063-b637-b22df585525d 802-3-ethernet eno2
team0-port1 c4e4faf7-49c6-4ff1-b14a-9d803bf1e3ed 802-3-ethernet eno1
team0 96c7eec8-4265-4e32-a378-cdf17a429f83 team team0
[root@server0 ~]# ping -I team0 192.168.0.254
PING 192.168.0.254 (192.168.0.254) from 192.168.0.11 team0: 56(84) bytes of data.
64 bytes from 192.168.0.254: icmp_seq=1 ttl=64 time=0.317 ms
64 bytes from 192.168.0.254: icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from 192.168.0.254: icmp_seq=3 ttl=64 time=0.047 ms
64 bytes from 192.168.0.254: icmp_seq=4 ttl=64 time=0.047 ms
^C
— 192.168.0.254 ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.046/0.114/0.317/0.117 ms
2. Managing DNS forward requires from anywhere to “classroom.example.com”
in serverX.
3. (lab smtp-nullclient setup[in serverX & desktopX])Configure a local
mail server as a null client(serverX) that forwards all messages to a
central server(desktopX) for delivery.
4. Configure a iSCSI target server(serverX) with ACL-validated access:
you should create a new 1G target on serverX. This target should be
called “iqn.2014-10.com.example:serverX”. And it should only be
available to client with a initiatorname of “iqn.2014-
10.com.example:desktopX”.In desktopX you should mount it in
“/mnt/iscsi”.
服務端配置:
安裝軟件
- yum search targetcli
- yum install targetcli -y
先按照要求分區(注意千萬不要格式化)
- [root@server0 ~]# fdisk /dev/vdb
- [root@server0 ~]# partprobe
[root@server0 ~]# fdisk -l
配置ISCSI服務端:
- [root@server0 ~]# targetcli
/> backstores/block create disk1 /dev/vdb
/> iscsi/ create iqn.2014-10.com.example:server0
/> iscsi/iqn.2014-10.com.example:server0/tpg1/luns create /backstores/block/disk1
iscsi/iqn.2014-10.com.example:server0/tpg1/acls create iqn.2014-10.com.example:desktop0 (這里客戶端的地址)
/> iscsi/iqn.2014-10.com.example:server0/tpg1/portals create 172.25.0.11
/> saveconfig
開啟防火牆
- [root@server0 ~]# firewall-cmd –permanent –add-port=3260/tcp
success
[root@server0 ~]# firewall-cmd –reload
success
客戶端配置:
- [root@desktop0 ~]# vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-10.com.example:desktop0 (這里是客戶端的地址)
安裝客戶端,並設置開機啟動:
- [root@desktop0 ~]# yum install iscsi-initiator-utils.x86_64 -y
- [root@desktop0 ~]# systemctl enable iscsi iscsid
- [root@desktop0 ~]# systemctl start iscsi iscsid
主動發現服務端:(如果記不得參數, 可以man iscsiadm 里面有example)
- [root@desktop0 ~]# iscsiadm –mode discoverydb –type sendtargets –portal 172.25.0.11 –discover
登陸
- [root@desktop0 ~]# iscsiadm –mode node –targetname iqn.2014-10.com.example:server0 –portal 172.25.0.11:3260 –login
Logging in to [iface: default, target: iqn.2014-10.com.example:server0, portal: 172.25.0.11,3260] (multiple)
Login to [iface: default, target: iqn.2014-10.com.example:server0, portal: 172.25.0.11,3260] successful.
[root@desktop0 ~]#
測試發現多了一塊sda設備:
- [root@desktop0 ~]# ll /dev/sd*
brw-rw—-. 1 root disk 8, 0 Aug 3 11:31 /dev/sda
分區、格式化、開機自動掛載:
- fdisk /d/dev/sda1
- [root@desktop0 ~]# mkdir /mnt/iscsi
- [root@desktop0 ~]# vim /etc/fstab (這個配置_netdev千萬要寫對)
/dev/sda1 /mnt/iscsi xfs _netdev 0 0
- [root@desktop0 ~]# mount -a
- [root@desktop0 ~]# df -h
(ISCSI貌似有個bug,client端配置完成后重啟會卡住,所以必須手動斷電,再重開)
5. Share directory “/nornfs” with NFS and on serverX and mount it on
desktopX in “/mnt/nfs”, User in desktopX should have only read
permission on it. Make sure it mounted at startup time.
服務端:
首先修改NFS版本號:
- vim /etc/sysconfig/nfs
修改其中的 RHCNFSDARGS=”-V 4.2”
首先建立一個單獨的分區,然后掛載到制定的目錄下(這個就是之后NFS共享目錄了)
- fdisk /dev/vdb
- partprobe
- mkfs.xfs /dev/vdb2
- vim /etc/fstab
- mount -a
- df -h
安裝文件/設置啟動
- yum search nfs
- yum install nfs-utils.x86_64 -y
- systemctl enable nfs-server.service
- systemctl start nfs-server.service
修改主配置
- vim /etc/exports
/nornfs 172.25.0.10/24(ro,sync)
- exportfs -r
配置防火牆:
- firewall-cmd –permanent –add-service=nfs
- firewall-cmd –permanent –add-service=rpc-bind
- firewall-cmd –permanent –add-service=mountd
- firewall-cmd –reload
在本機測試:
- showmount -e
客戶端:
測試連接NFS服務器:
- showmount -e 172.25.0.11
- systemctl enable nfs
- systemctl enable nfs.service
創建目錄,設置開機掛載:
- mkdir /mnt/nfs
- mount 172.25.0.11:/nornfs /mnt/nfs/
- df -h
- vim /etc/fstab
172.25.0.11:/nornfs /mnt/nfs nfs defaults 0 0
- mount -a
- reboot
6. (lab storageshares setup[in serverX & desktopX])Share directory
“/krbnfs” with NFS and Kerberos on serverX and mount it on desktopX in
“/mnt/nfsspace”.User in desktopX should have full permission on it.
Make sure it mounted at startup time.
服務端:
下載證書:
- wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
創建對應的目錄並在server0上設置自動掛載:
- mkdir /krbnfs
- vim /etc/fstab
- mount -a
設置nfs配置文件:
- vim /etc/exports
/krbnfs 172.25.0.0/24(rw,sec=krb5p)
- exportfs -r
啟動服務:
- systemctl enable nfs-secure-server.service (這里和Client不一樣,要注意)
- systemctl start nfs-secure-server.service
- firewall-cmd –permanent –add-service=nfs
- firewall-cmd –permanent –add-service=rpc-bind
- firewall-cmd –permanent –add-service=mountd
- firewall-cmd –reload
登陸ldap:
- ssh ldapuser0@desktop0.example.com
客戶端
下載證書:
- wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
啟動服務
- systemctl enable nfs-secure.service (這里和server不一樣,要注意)
- systemctl start nfs-secure.service
設置開機自動掛載:
- vim /etc/fstab
172.25.0.11:/krbnfs /mnt/nfsspace nfs defaults,v4.2,sec=krb5p 0 0
- mount -a
登陸ldap:
- ssh ldapuser0@desktop0.example.com
7. Share a directory “/smbshare” with SMB and it can only mounted on
desktopX in “/mnt/smb”, members of the group “share” has full
permission on the share. Others only have the read permission.Create a
Samba-only user natasha and harry with password “redhat”.Configure
multiuser config in desktopX with user harry. root in desktopX should
have only read permission in it . natasha in desktopX should have full
permission in it.
服務端配置:
安裝需要的軟件:
- yum install samba.x86_64 samba-client.x86_64 -y
設置啟動,開啟兩個服務:(這里不要忘了nmb服務)
- systemctl enable smb nmb
- systemctl start smb nmb
設置防火牆:
- firewall-cmd –permanent –add-service=samba
- firewall-cmd –reload
設置samba用戶組及其用戶,並設置其samba密碼:
- groupadd share
- useradd -G share -s /sbin/nologin natasha
- useradd -G share -s /sbin/nologin harry
- smbpasswd -a natasha
- smbpasswd -a harry
按題目要求創建目錄,並且修改該目錄的安全上下文以及目錄權限:
- mkdir /smbshare
- chown .share /smbshare/
- chmod 775 /smbshare/
- semanage fcontext -a -t samba_share_t ‘/smbshare(/.*)?‘ (如果記不得安全上下文的類型,可以在samba主配置文件/etc/samba/smb.conf中找到)
- restorecon -vvRF /smb1share/
- ll -dZ /smb1share/
修改主配置文件/etc/samba/smb.conf:
[smb]
comment = SMB share
path = /smbshare
browseable = yes
guest ok = no
writeable = yes
write list = @share
read list = root
read list 指定只能讀取該共享資源的用戶和組
write list 指定能讀取和寫該共享資源的用戶和組
另外可能還會遇到限制特定域/IP段訪問samba的情況,在[grobal]中和自定義的模塊中,加入
有如下幾種格式:(這里根據題目要求)
hosts allow =172.25.0.0/24
hosts allow =172.25.0. (不要忘記最后的點)
hosts allow = .example.com (不要忘記前面的點)
hosts allow =172.25.0.1
即可 (推薦在自己定義的模塊中填寫,這樣配置更靈活)
配置好之后,可以用命令檢查一下配置是否正確:
- testparm
重啟服務:
- systemctl restart smb nmb
可以先在本地測試一下:
- smbclient -L //172.25.0.11/smb -U natasha
- smbclient //172.25.0.11/smb -U natasha
- smbclient //172.25.0.11/smb
客戶端配置:
測試samba客戶端:
在配置cifs之前,可以先測試一下samba是否可用:
先安裝samba客戶端:
- yum install samba-client.x86_64 -y
- smbclient -L //172.25.0.11/smb -U natasha
- smbclient //172.25.0.11/smb -U harry
- smbclient //172.25.0.11/smb
配置cifs
安裝需要的軟件:
- yum install cifs-utils.x86_64 -y
創建掛載點,並自動掛載目錄:
- mkdir /mnt/smbspace
可以先用mount測試一下,是否能夠成功掛載:
- mount -t cifs //172.25.0.11/smb /mnt/smbspace/ -o username=harry
- df -h
- 設置samba用戶的密碼文件/root/smb.pass:
username=harry
password=redhat
- 編輯配置文件,添加如下(這里的配置如果不會寫的話, 可以man mount.cifs ,里面都有參數的介紹):
- vim /etc/fstab
//172.25.0.11/smb /mnt/smbspace cifs defaults,credentials=/root/smb.pass,multiuser,sec=ntlmssp 0 0
- df -h (再查看一下)
最后兩台機器都重啟一下,先重啟server,再desktop
配置客戶端cifs的時候有個坑:
不論是
- mount -t cifs //172.25.0.11/smb /mnt/smbspace/ -o username=harry
還是修改/etc/fstab,
填寫遠程samba服務端的地址時(紅色字體) //172.25.0.11/smb, 一定不是路徑 !!! 而是/etc/samba/smb.conf中samba的名稱,而不是path:
如果按照上圖的配置, 在客戶端這樣掛載:
- mount -t cifs //172.25.0.11/smbshare /mnt/smbspace/ -o username=natasha
你就會得到這樣的錯誤:
Retrying with upper case share name
mount error(6): No such device or address
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
8. Configure MariaDB with a database named “inventory” in
“http://classroom.example.com/pub/materials/mariadb/inventory.dump”.Co
nfig password “redhat” for root.
下載文件:
- wget http://classroom.example.com/pub/materials/mariadb/inventory.dump
安裝文件
- yum groupinstall mariadb -y
配置啟動:
- systemctl enable mariadb.service
- systemctl start mariadb.service
設置安全性
- mysql_secure_installation
按照要求進行設置即可
然后創建數據庫inventory
- mysql -u root -p
MariaDB [(none)]> Create database inventory;
Query OK, 1 row affected (0.00 sec)MariaDB [(none)]> exit
Bye
導入數據:
- [root@server0 ~]# mysql -u root -p inventory < inventory.dump
Enter password:
查詢一下:
MariaDB [inventory]> show tables;
+———————+
| Tables_in_inventory |
+———————+
| category |
| manufacturer |
| product |
+———————+
3 rows in set (0.00 sec)
(未完待續)
文章來源:
http://www.attacker2001.com/
雲襲2001's blog
一個不努力的菜鳥