RHCE7
Part 2: the RHCE section
Information on the two systems you will use in the exam:
system1.group8.example.com:
system2.group8.example.com:
root password: redhat
IP addresses are assigned by DHCP; the addresses are:
system1.group8.example.com 172.24.8.11/24
system2.group8.example.com 172.24.8.12/24
DNS domain: group8.example.com. Unless a requirement says otherwise, every network service you are asked to configure must be reachable by systems in this domain.
server.group8.example.com is the server for group8.example.com that system1 and system2 rely on; it hosts the YUM repository, the test files and the keytabs referenced below.
YUM repository URL: http://server.group8.example.com/yum
The firewall is enabled by default; you may turn it off when you consider it appropriate. Other firewall settings may appear in individual requirements.
An external network, my133t.org (172.13.8.0/24), is used in the firewall and web-access requirements.
Question 1: SELinux
Put SELinux into enforcing mode on system1 and system2:
The setting must still be in effect after the system reboots.
Steps:
# switch to enforcing immediately (setenforce)
# make it persistent by setting SELINUX=enforcing in /etc/selinux/config
# check with getenforce, and again after a reboot
Question 2: configure the firewall
Configure the firewall on system1 and system2 so that:
systems in group8.example.com can reach system1 and system2 over ssh
systems in my133t.org are denied ssh access to system1 and system2
my133t.org is the network 172.13.8.0/24
Method 1: command line
systemctl mask iptables    # mask iptables so it can never be started alongside firewalld
systemctl mask ip6tables   # same for ip6tables
systemctl enable firewalld # firewalld starts at boot
systemctl start firewalld  # start firewalld now
firewall-cmd --permanent --add-service=ssh  # allow ssh in the default zone (reachable from group8.example.com)
# deny ssh from my133t.org: add a permanent rich rule with family ipv4, source address 172.13.8.0/24, service name ssh and action reject
# reload the permanent configuration (firewall-cmd --reload) and verify with firewall-cmd --list-all
Method 2: use the firewall-config graphical tool
Question 3: customize the user environment
Create a command named qstat on system1 and system2 that runs:
/bin/ps -Ao pid,tt,user,fname,rsz
The command must work for all users on the system.
vim /etc/bashrc  # system-wide bash startup file, read by every user's shell
alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'
. /etc/bashrc    # re-read it in the current shell
# verify: run qstat as root and as a normal user
Question 4: configure port forwarding
On system1, configure port forwarding so that traffic from 172.24.8.0/24 to port 5423 on system1 is forwarded to port 80.
This setting must be permanent.
Method 1: command line
# forward TCP 5423 to 80 for the source network
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.24.8.0/24 forward-port port=5423 protocol=tcp to-port=80'
# the same for UDP 5423 to 80
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.24.8.0/24 forward-port port=5423 protocol=udp to-port=80'
# reload the permanent rules (firewall-cmd --reload)
# verify (firewall-cmd --list-rich-rules)
Method 2: graphical tool
Run firewall-config and add the same forward-port rich rule in the permanent configuration.
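Questions 1, 2 and 4 are all firewalld and SELinux changes that must survive a reboot. The script below is an added example of mine, not code from the original page: the rich rules are built by small pure helpers so they can be inspected before being handed to firewall-cmd, and the SELinux config edit takes the file path as a parameter so it can be tried on a copy. It assumes the values from the page (172.24.8.0/24, 172.13.8.0/24, ports 5423 and 80) and that firewalld is the active firewall; nothing is applied unless it is run as root with --apply.

```shell
#!/bin/bash
# Added example: SELinux enforcing + firewalld rules for RHCE questions 1, 2 and 4.
# Pure helpers build the strings; apply_* functions run the real commands.

# Set SELINUX=enforcing in a selinux config file given as $1 (default: /etc/selinux/config).
selinux_set_enforcing_config() {
    local cfg=${1:-/etc/selinux/config}
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' "$cfg"
    grep -q '^SELINUX=enforcing$' "$cfg"   # fails if the file had no SELINUX= line at all
}

# Rich rule for the ssh service from one source network: ssh_rich_rule 172.13.8.0/24 reject
ssh_rich_rule() {
    local cidr=$1 action=$2
    printf 'rule family=ipv4 source address=%s service name=ssh %s' "$cidr" "$action"
}

# Rich rule forwarding port $3 to port $4 for protocol $2, for packets from network $1
forward_rich_rule() {
    local cidr=$1 proto=$2 port=$3 to=$4
    printf 'rule family=ipv4 source address=%s forward-port port=%s protocol=%s to-port=%s' \
        "$cidr" "$port" "$proto" "$to"
}

apply_selinux() {
    setenforce 1                  # effective now
    selinux_set_enforcing_config  # effective after reboot
    getenforce
}

apply_firewall() {
    systemctl mask iptables ip6tables
    systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --permanent --add-service=ssh
    # firewalld evaluates rich rules before the zone's service list, and reject/drop
    # rich rules before accept ones, so this rule wins over the ssh service allow above.
    firewall-cmd --permanent --add-rich-rule="$(ssh_rich_rule 172.13.8.0/24 reject)"
    # question 4: 5423 -> 80 on this host; no masquerade is needed because the
    # destination is the local machine, not another host.
    for proto in tcp udp; do
        firewall-cmd --permanent --add-rich-rule="$(forward_rich_rule 172.24.8.0/24 "$proto" 5423 80)"
    done
    firewall-cmd --reload
    firewall-cmd --list-all
}

if [ "${1:-}" = "--apply" ]; then
    apply_selinux
    apply_firewall
fi
```

Run it as root with --apply on each system; without the flag it only defines the functions, which is how the rule strings can be checked first (`ssh_rich_rule 172.13.8.0/24 reject`). Using reject rather than drop means clients in my133t.org get an immediate refusal instead of a hanging connection, which is what the question's "denied" wording asks for.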
Question 5: configure link aggregation (teaming)
Configure a link between system1 and system2 over eth1 and eth2 that:
keeps working when one of the interfaces fails
uses the address 172.16.3.40/255.255.255.0 on system1
uses the address 172.16.3.45/255.255.255.0 on system2
is still up after the systems reboot
1) Create the team interface team0 with the activebackup runner
(activebackup means hot standby, loadbalance means load balancing):
nmcli connection add type team con-name team0 ifname team0 config '{"runner":{"name":"activebackup"}}'
2) Give team0 its IP address with the manual method:
nmcli connection modify team0 ipv4.addresses 172.16.3.40/24 ipv4.method manual
3) Add the two NICs to team0 (eth1 and eth2 in the exam; ens33 and ens37 in the author's lab):
nmcli connection add type team-slave con-name team0-port1 ifname eth1 master team0
nmcli connection add type team-slave con-name team0-port2 ifname eth2 master team0
4) Bring up the port connections and then the team:
nmcli connection up team0-port1
nmcli connection up team0-port2
nmcli connection up team0
5) Verify:
# team0 and both ports should show as connected
nmcli device status
# also confirm the address is on team0 and that it survives taking one port down
6) Repeat on system2 with 172.16.3.45/24.
Note: team0-port1, team0-port2 and team0 must all be up before the link is actually highly available.
The author planned to try switching the team to the loadbalance runner later.
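The teaming steps above are one procedure, so here is the whole thing as one function, as an added example of mine rather than the page's own commands. The JSON for the runner is produced by a pure helper that only accepts the two runners the page discusses, which makes the "switch to loadbalance later" experiment a one-word change and catches a typo before nmcli passes it to teamd. It assumes the interface and address values from the page and needs root plus NetworkManager to apply.

```shell
#!/bin/bash
# Added example: build and apply a NetworkManager team with nmcli (RHCE question 5).
# team_runner_config is a pure helper; team_setup runs nmcli and needs root.

# Print the teamd JSON for a runner name; only the two runners the page
# mentions are accepted, so a typo fails here instead of inside teamd.
team_runner_config() {
    case "$1" in
        activebackup|loadbalance) printf '{"runner":{"name":"%s"}}' "$1" ;;
        *) echo "unsupported runner: $1" >&2; return 1 ;;
    esac
}

# team_setup <team name> <ip/prefix> <runner> <nic>...
team_setup() {
    local team=$1 addr=$2 runner=$3 cfg n=0 nic
    shift 3
    cfg=$(team_runner_config "$runner") || return 1
    nmcli connection add type team con-name "$team" ifname "$team" config "$cfg"
    nmcli connection modify "$team" ipv4.addresses "$addr" ipv4.method manual \
        connection.autoconnect yes
    for nic in "$@"; do
        n=$((n + 1))
        nmcli connection add type team-slave con-name "$team-port$n" ifname "$nic" master "$team"
        nmcli connection up "$team-port$n"   # every port must be up for failover to work
    done
    nmcli connection up "$team"
}

# Show the device list and which port is active; after "ip link set eth1 down"
# the other port should take over and the address on team0 must still answer pings.
team_check() {
    nmcli device status
    teamdctl "$1" state
}

# Usage on system1 (system2 uses 172.16.3.45/24 with the same runner):
if [ "${1:-}" = "--apply" ]; then
    team_setup team0 172.16.3.40/24 activebackup eth1 eth2
    team_check team0
fi
```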
Question 6: configure IPv6 addresses
Configure eth0 on system1 and system2 with the following IPv6 addresses:
the address on system1 should be 2003:ac18::305/64
the address on system2 should be 2003:ac18::30a/64
both systems must be able to communicate with systems in 2003:ac18::/64
the addresses must persist across reboot
both systems must keep their current IPv4 addresses and remain able to communicate over them
Method 1: nmcli
nmcli connection modify eth0 ipv6.addresses 2003:ac18::305/64 ipv6.method manual connection.autoconnect yes  # set the IPv6 address (use 2003:ac18::30a/64 on system2)
nmcli connection up eth0  # re-activate the connection
ifconfig  # check that the IPv6 address is on eth0 and the IPv4 address is unchanged
ping6 2003:ac18::305  # ping system1's IPv6 address
ping6 2003:ac18::30a  # ping system2's IPv6 address
Method 2: nm-connection-editor (graphical), then
nmcli con reload     # re-read the connection files
nmcli con down eth0  # deactivate
nmcli con up eth0    # activate again
ping6 2003:ac18::305  # ping system1's IPv6 address
ping6 2003:ac18::30a  # ping system2's IPv6 address
Question 7: configure a local mail service
Configure the mail service on system1 and system2 so that:
these systems do not accept mail from outside
any mail sent locally is automatically routed to mail.group8.example.com
mail sent from these systems appears to come from server.group8.example.com
mail sent to the local user dave (the rest of this requirement is cut off in the source)
You can check your work by viewing the URL:
http://server.group8.example.com/pub/received_mail/8
1) Install and enable postfix
yum install postfix -y    # CentOS 6; on CentOS 7 it is already installed, check with rpm -q postfix
systemctl enable postfix  # on CentOS 7 check with systemctl is-enabled postfix.service
2) Edit the configuration
vim /etc/postfix/main.cf
# parameters that already have the needed default value can be left alone
# set the origin domain (myorigin) to server.group8.example.com so outgoing mail appears to come from it
# set the relay host (relayhost) to mail.group8.example.com; postconf -e can set it as well
# the remaining lines the author changed are cut off in the source; the defaults need not be added
3) Restart and check
systemctl restart postfix
postconf   # shows the effective settings (postconf -n shows only the ones that differ from the defaults)
4) Send a test mail
mail -s 'test' dave   # dave is the recipient named in the question
erwerwr
.
EOT
curl http://server.group8.example.com/pub/received_mail/8   # try a few times; the mail should appear
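The null-client configuration that satisfies the first three requirements is short enough to keep in a function and push into main.cf with postconf -e, which is what this added example does; it is my script, not the page's. Two assumptions are mine: the cut-off requirement about dave is read the usual way, that mail addressed to local users is relayed rather than delivered locally (so mydestination is emptied), and postfix listens on the loopback interface only, which is the simplest way to refuse outside mail. Applying needs root and postfix installed.

```shell
#!/bin/bash
# Added example: null-client postfix settings for RHCE question 7 (system1 and system2).
# postfix_settings prints the parameters; postfix_apply writes them with postconf -e.

# One "parameter = value" line per setting. Assumptions (not in the page):
# mail for local users such as dave is relayed too (mydestination left empty),
# and postfix listens on the loopback interface only.
postfix_settings() {
    cat <<'EOF'
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
mydestination =
myorigin = server.group8.example.com
relayhost = [mail.group8.example.com]
EOF
}

# Value of one parameter from postfix_settings, for checks
postfix_setting() {
    postfix_settings | sed -n "s/^$1 = //p"
}

postfix_apply() {
    local line
    postfix_settings | while IFS= read -r line; do
        postconf -e "$line"        # edits /etc/postfix/main.cf in place
    done
    postfix check                  # syntax and permission check before restarting
    systemctl enable postfix
    systemctl restart postfix
    postconf -n | grep -E '^(inet_interfaces|mydestination|myorigin|relayhost) '
}

# Send a test mail and watch the local queue; the mail should leave
# through the relay and then show up under /pub/received_mail/8 on server.
postfix_test() {
    echo "test body" | mail -s "relay test" dave
    mailq
    tail -n 5 /var/log/maillog
}

if [ "${1:-}" = "--apply" ]; then
    postfix_apply
    postfix_test
fi
```

The square brackets around the relay host stop postfix from doing an MX lookup for mail.group8.example.com and make it connect to that host directly; without them a missing MX record for the relay would make delivery fail.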
Question 8: configure an SMB share
Configure SMB on system1 to share the directory /common:
the server must be a member of the STAFF workgroup
the share name must be common
only clients in group8.example.com may access common
the share common must be browseable
user andy must have read access to the share, authenticating with the password redhat
1) Install and start the services
yum -y install samba samba-client   # package names are cut off in the source
# start and check
systemctl start smb nmb
systemctl status smb nmb
# enable at boot and check
systemctl enable smb nmb
systemctl is-enabled smb nmb
2) Firewall policy
firewall-cmd --permanent --add-service=samba   # the samba service covers 137/udp, 138/udp, 139/tcp and 445/tcp
firewall-cmd --reload
firewall-cmd --list-all
3) Create the shared directory
mkdir /common
4) Set the directory permissions
# give andy access to /common with an ACL (the page grants rwx; read access is all the question asks for)
setfacl -m u:andy:rwx /common
5) SELinux: label /common with the samba_share_t type
6) Samba user
# create the local user andy
useradd andy
# add andy to the samba password database
smbpasswd -a andy
# enter the password
redhat
# enter it again
redhat
6) Configure samba
vim /etc/samba/smb.conf   # CentOS 7 ships a short default file
workgroup = STAFF         # change the workgroup as the question requires; not optional
[common]                  # the share section; not optional
path = /common            # not optional
comment = redhat
hosts allow = 172.24.8.   # only the group8.example.com network; not optional
write list =              # not optional; the value is cut off in the source (the put test below succeeding suggests andy was listed)
# one more required line is cut off in the source
7) Verify
smbclient -L 172.24.8.11   # the share common is listed: success
touch /root/{a,b}
touch /common/{c,d}
smbclient //172.24.8.11/common -Uandy%redhat   # login succeeds
smb: \> get c   # download succeeds
smb: \> put a   # upload succeeds
smb: \> exit
Question 9: configure a multi-user SMB mount
Share the directory /devops on system1 over SMB and mount it on system2:
the share name must be devops
the share devops is only available to clients in group8.example.com
the share devops must be browseable
user silene has read access to the share, password redhat
user akira has read/write access to the share, password redhat
the share must be mounted permanently on system2.group8.example.com at /mnt/dev
the mount is multi-user: silene has read access, akira has write access
1) Create the directory
mkdir /devops
2) SELinux
label /devops with the samba_share_t type
3) Set the directory permissions
# ACLs: silene read, akira read/write
setfacl -m u:silene:rx /devops
setfacl -m u:akira:rwx /devops
4) Samba users (create the local users first if they do not exist)
# silene
smbpasswd -a silene
# enter the password
redhat
# enter it again
redhat
# akira
smbpasswd -a akira
# enter the password
redhat
# enter it again
redhat
5) Configure samba
vim /etc/samba/smb.conf   # CentOS 7
workgroup = STAFF         # as required by question 8; not optional
[devops]                  # not optional
path = /devops            # not optional
comment = redhat
hosts allow = 172.24.8.   # not optional
write list = akira        # not optional; silene stays read-only
# browseable defaults to yes
6) Restart the services (systemctl restart smb nmb)
7) Verify
smbclient -L 172.24.8.11   # the share devops is listed
touch /root/{a,b}
touch /devops/{c,d}
smbclient //172.24.8.11/devops -Uakira%redhat
smb: \> get c   # succeeds
smb: \> put a   # succeeds
smb: \> exit
smbclient //172.24.8.11/devops -Usilene%redhat
smb: \> put b   # fails: silene is read-only
smb: \> exit
On system2:
Install the packages and prepare the mount point
# the CIFS mount helper and cifscreds (package name cut off in the source)
yum -y install cifs-utils
yum -y install samba-client   # for smbclient, used to test
# mount point
mkdir /mnt/dev
Multi-user mount
# credentials file with the user silene for fstab
echo 'username=silene' >/root/smb-multiuser.txt
# silene's password for fstab (the source says brian here, but the file holds silene's credentials; keep it root-only with chmod 600)
echo 'password=redhat' >>/root/smb-multiuser.txt
# the fstab entry
vim /etc/fstab
//172.24.8.11/devops /mnt/dev cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
or
//172.24.8.11/devops /mnt/dev cifs defaults,multiuser,username=silene,password=redhat,sec=ntlmssp 0 0
# mount everything listed in fstab
mount -a
3) Switch user and add credentials
su - akira
# add akira's own credentials for the server to the kernel keyring
cifscreds add 172.24.8.11
# enter the password
redhat
echo "Multiuser" >/mnt/dev/akira   # written successfully
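Questions 8 and 9 share almost every step (packages, SELinux label, samba passwords, firewall, one smb.conf edit), so this added example of mine does both shares in one script; it is not the page's code. The smb.conf writer takes the file path so it can be tried on a copy, and the apply functions need root. Two details are my assumptions: the common share lists andy as a writer, because the page's put test succeeds, and a browseable share is spelled out explicitly rather than relying on the default.

```shell
#!/bin/bash
# Added example: samba shares for RHCE questions 8 and 9 and the multiuser mount on system2.
# smb_write_config edits an smb.conf given as $1; smb_server_apply and smb_client_apply
# run the real commands and need root.

# Set the workgroup and append the two share definitions.
smb_write_config() {
    local conf=$1
    sed -i 's/^[[:space:]]*workgroup = .*/    workgroup = STAFF/' "$conf"
    cat >>"$conf" <<'EOF'

[common]
    comment = common share (question 8)
    path = /common
    hosts allow = 172.24.8.
    browseable = yes
    read only = yes
    write list = andy

[devops]
    comment = devops share (question 9)
    path = /devops
    hosts allow = 172.24.8.
    browseable = yes
    read only = yes
    write list = akira
EOF
}

# Set a samba password non-interactively (-s reads both prompts from stdin)
smb_set_password() {
    id "$1" >/dev/null 2>&1 || useradd -s /sbin/nologin "$1"
    printf '%s\n%s\n' "$2" "$2" | smbpasswd -s -a "$1"
}

smb_server_apply() {
    yum -y install samba samba-client
    mkdir -p /common /devops
    semanage fcontext -a -t samba_share_t '/common(/.*)?'
    semanage fcontext -a -t samba_share_t '/devops(/.*)?'
    restorecon -Rv /common /devops
    setfacl -m u:andy:rwx /common
    setfacl -m u:silene:rx /devops
    setfacl -m u:akira:rwx /devops
    for u in andy silene akira; do smb_set_password "$u" redhat; done
    smb_write_config /etc/samba/smb.conf
    testparm -s >/dev/null            # refuse to restart on a broken config
    firewall-cmd --permanent --add-service=samba
    firewall-cmd --reload
    systemctl enable smb nmb
    systemctl restart smb nmb
}

# fstab line for the multiuser mount; the credentials live in a root-only file
smb_fstab_line() {
    printf '//172.24.8.11/devops /mnt/dev cifs credentials=%s,multiuser,sec=ntlmssp,_netdev 0 0' "$1"
}

smb_client_apply() {
    yum -y install cifs-utils samba-client
    mkdir -p /mnt/dev
    printf 'username=silene\npassword=redhat\n' >/root/smb-multiuser.txt
    chmod 600 /root/smb-multiuser.txt      # the password must not be world-readable
    smb_fstab_line /root/smb-multiuser.txt >>/etc/fstab
    mount -a
    # akira then runs: cifscreds add 172.24.8.11   (password redhat) and can write to /mnt/dev
}

case "${1:-}" in
    --server) smb_server_apply ;;
    --client) smb_client_apply ;;
esac
```

With multiuser, the credentials in fstab only establish the initial session as silene; each user who wants their own rights adds their password with cifscreds, and the kernel then opens a separate SMB session for that uid, which is why akira can write while silene cannot.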
Question 10: configure an NFS service
Configure NFS on system1 with the following requirements:
share /public read-only to clients in group8.example.com
share /protected read/write to clients in group8.example.com, secured with Kerberos; the keytab is at the URL
http://server.group8.example.com/pub/keytabs/system1.keytab
the directory /protected must contain a subdirectory named project owned by the user andres
user andres can write to /protected/project
yum install nfs-utils   # already installed in the exam environment; skip
systemctl start nfs-server
systemctl enable nfs-server   # start at boot
firewall-cmd --permanent --add-service=nfs       # 2049/tcp, enough for NFSv4 clients
firewall-cmd --permanent --add-service=rpc-bind  # portmapper, needed by NFSv3 clients
firewall-cmd --permanent --add-service=mountd    # mountd, needed by NFSv3 clients
firewall-cmd --reload
firewall-cmd --list-all   # verify
mkdir /public
mkdir -p /protected/project
chown andres /protected/project   # andres owns the project directory
chmod 770 /protected/project
# SELinux: /public is labelled public_content_t (the author's remark asking why this label is used is cut off in the source;
# chcon is lost on a relabel, semanage fcontext plus restorecon makes it permanent)
chcon -R -t public_content_t /public/
# fetch the server's Kerberos keytab
wget -O /etc/krb5.keytab http://server.group8.example.com/pub/keytabs/system1.keytab
# exports
vim /etc/exports
/public *.group8.example.com(ro)               # /public read-only
/protected *.group8.example.com(rw,sec=krb5p)  # /protected read/write, Kerberos with privacy
vim /etc/sysconfig/nfs
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
RPCNFSDARGS="-V 4.2"   # enable NFS version 4.2
systemctl restart nfs-server nfs-secure-server
systemctl enable nfs-secure-server   # needed for the Kerberos export
exportfs -r   # re-export everything in /etc/exports
exportfs      # list the exports
Question 11: mount the NFS shares
Mount the NFS shares from system1.group8.example.com on system2 with these requirements:
/public is mounted at /mnt/nfsmount
/protected is mounted at /mnt/nfssecure, secured with Kerberos; the keytab is at the URL
http://server.group8.example.com/pub/keytabs/system2.keytab
user andres can create files in /mnt/nfssecure/project
the mounts must persist across reboot
SYSTEM2:
mkdir /mnt/nfsmount /mnt/nfssecure   # mount points
wget -O /etc/krb5.keytab http://server.group8.example.com/pub/keytabs/system2.keytab
# fstab entries
vim /etc/fstab
172.24.8.11:/public /mnt/nfsmount nfs defaults 0 0
172.24.8.11:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0
systemctl start nfs-secure   # also enable it so the Kerberos mount works after a reboot
mount -a
Verify:
su - andres
kinit        # obtain a Kerberos ticket for andres
klist
cd /mnt/nfssecure/project
touch hello  # succeeds
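Questions 10 and 11 are the two halves of one Kerberos-secured NFS setup, so this added example of mine (not the page's script) does the server and the client side with shared helpers. The functions that write files take the path as a parameter so they can be run against temporary copies; the apply functions need root, the keytabs on server.group8.example.com and the paths from the page.

```shell
#!/bin/bash
# Added example: NFS server (question 10) and Kerberos client mount (question 11).
# File-writing helpers take a path so they can be exercised on temporary copies.

# Export table: /public read-only, /protected read-write with krb5p
# (Kerberos authentication plus integrity and encryption of the NFS traffic)
nfs_exports_write() {
    cat >"$1" <<'EOF'
/public *.group8.example.com(ro)
/protected *.group8.example.com(rw,sec=krb5p)
EOF
}

# Turn on NFS 4.2 in /etc/sysconfig/nfs (or a copy), replacing a commented or existing line
nfs_set_v42() {
    if grep -Eq '^#?RPCNFSDARGS=' "$1"; then
        sed -i -E 's/^#?RPCNFSDARGS=.*/RPCNFSDARGS="-V 4.2"/' "$1"
    else
        echo 'RPCNFSDARGS="-V 4.2"' >>"$1"
    fi
}

# fstab lines for system2
nfs_fstab_lines() {
    printf '%s\n' \
        '172.24.8.11:/public /mnt/nfsmount nfs defaults 0 0' \
        '172.24.8.11:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0'
}

nfs_server_apply() {
    mkdir -p /public /protected/project
    chown andres /protected/project
    chmod 770 /protected/project
    # persistent label (chcon alone is lost on a relabel)
    semanage fcontext -a -t public_content_t '/public(/.*)?'
    restorecon -R /public
    # the keytab is the server's Kerberos identity; keep it root-only
    wget -q -O /etc/krb5.keytab http://server.group8.example.com/pub/keytabs/system1.keytab
    chmod 600 /etc/krb5.keytab
    nfs_exports_write /etc/exports
    nfs_set_v42 /etc/sysconfig/nfs
    for s in nfs rpc-bind mountd; do firewall-cmd --permanent --add-service=$s; done
    firewall-cmd --reload
    systemctl enable nfs-server nfs-secure-server
    systemctl restart nfs-server nfs-secure-server
    exportfs -r && exportfs -v
}

nfs_client_apply() {
    mkdir -p /mnt/nfsmount /mnt/nfssecure
    wget -q -O /etc/krb5.keytab http://server.group8.example.com/pub/keytabs/system2.keytab
    chmod 600 /etc/krb5.keytab
    nfs_fstab_lines >>/etc/fstab
    systemctl enable nfs-secure
    systemctl start nfs-secure
    mount -a && df -h /mnt/nfsmount /mnt/nfssecure
    # verify as andres: kinit, then touch /mnt/nfssecure/project/hello
}

case "${1:-}" in
    --server) nfs_server_apply ;;
    --client) nfs_client_apply ;;
esac
```

The sec=krb5p export is the only thing that makes "secured with Kerberos" true: with plain sec=sys the server trusts whatever uid the client sends, so the chown to andres would protect nothing against a client that can pick its own uid.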
Question 12: implement a web server
Configure a web server on system1 that serves http://system1.group8.example.com/:
download http://server.group8.example.com/pub/system1.html and rename it index.html
copy index.html into the DocumentRoot of the web server without modifying it
clients in group8.example.com can access the web server
clients in my133t.org are denied access to the web server
1) Install and enable httpd
yum install httpd
systemctl enable httpd   # start at boot
systemctl start httpd
2) Firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --reload   # apply
3) Configure httpd
# use the shipped virtual-host example as a template
cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/vhosts.conf
vim /etc/httpd/conf.d/vhosts.conf   # keep a single VirtualHost
<VirtualHost *:80>
    ServerName system1.group8.example.com
    DocumentRoot /var/www/html
</VirtualHost>
wget -O /var/www/html/index.html http://server.group8.example.com/pub/system1.html
systemctl restart httpd   # reload the configuration
On SYSTEM2:
curl system1.group8.example.com
Site:system1.group8.example.com   # expected output
# SELinux context of the DocumentRoot (ls -Zd /var/www/html)
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
Question 13: configure a secure web server
Configure TLS encryption for the web site http://system1.group8.example.com:
a signed certificate is available at http://server.group8.example.com/pub/tls/certs/system1.crt
the certificate's private key is at http://server.group8.example.com/pub/tls/private/system1.key
the CA certificate that signed it is at http://server.group8.example.com/pub/tls/certs/ssl-ca.crt
1) Install
yum -y install httpd mod_ssl
2) Firewall
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
3) Download the certificate files
wget -O /etc/pki/tls/certs/system1.crt http://server.group8.example.com/pub/tls/certs/system1.crt
wget -O /etc/pki/tls/private/system1.key http://server.group8.example.com/pub/tls/private/system1.key
wget -O /etc/pki/tls/certs/ssl-ca.crt http://server.group8.example.com/pub/tls/certs/ssl-ca.crt
4) Configure https
cat /etc/httpd/conf.d/ssl.conf | grep -v "^#.*"   # list the active SSL directives
Copy these lines as a template and edit them:
vim /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:443>
    ServerName system1.group8.example.com:443
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/system1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/system1.key
    SSLCACertificateFile /etc/pki/tls/certs/ssl-ca.crt
</VirtualHost>
systemctl restart httpd
5) Test
On SYSTEM2:
curl -k https://system1.group8.example.com   # -k skips verification; curl --cacert ssl-ca.crt checks the chain properly
Site:system1.group8.example.com   # expected output
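Questions 12 and 13 end up in the same vhosts.conf, and the my133t.org denial from question 12 is not shown in the page's config, so this added example of mine (not the page's file) writes both virtual hosts from one function and adds the two checks I would always run before restarting httpd with new certificate material: that the CA actually signed the certificate and that the key matches it. It assumes the file paths from the page; the writer takes the target path so it can be tried on a copy, and http_apply needs root.

```shell
#!/bin/bash
# Added example: the two system1 virtual hosts (questions 12 and 13) written by a function,
# plus certificate checks worth running before httpd is restarted.

http_vhosts_write() {
    cat >"$1" <<'EOF'
<VirtualHost *:80>
    ServerName system1.group8.example.com
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        <RequireAll>
            Require all granted
            Require not ip 172.13.8.0/24
        </RequireAll>
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName system1.group8.example.com:443
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/pki/tls/certs/system1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/system1.key
    SSLCACertificateFile /etc/pki/tls/certs/ssl-ca.crt
    <Directory "/var/www/html">
        <RequireAll>
            Require all granted
            Require not ip 172.13.8.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
EOF
}

# Fetch the certificate material; the key must be readable by root only.
tls_fetch() {
    local base=http://server.group8.example.com/pub/tls
    wget -q -O /etc/pki/tls/certs/system1.crt   $base/certs/system1.crt
    wget -q -O /etc/pki/tls/private/system1.key $base/private/system1.key
    wget -q -O /etc/pki/tls/certs/ssl-ca.crt    $base/certs/ssl-ca.crt
    chmod 600 /etc/pki/tls/private/system1.key
}

# Check that the CA really signed the cert and that the key belongs to it,
# instead of finding out from a "key/cert mismatch" error at httpd start.
tls_verify() {
    openssl verify -CAfile /etc/pki/tls/certs/ssl-ca.crt /etc/pki/tls/certs/system1.crt || return 1
    local c k
    c=$(openssl x509 -noout -modulus -in /etc/pki/tls/certs/system1.crt | sha256sum)
    k=$(openssl rsa  -noout -modulus -in /etc/pki/tls/private/system1.key | sha256sum)
    [ "$c" = "$k" ]
}

http_apply() {
    yum -y install httpd mod_ssl
    for s in http https; do firewall-cmd --permanent --add-service=$s; done
    firewall-cmd --reload
    wget -q -O /var/www/html/index.html http://server.group8.example.com/pub/system1.html
    tls_fetch && tls_verify
    http_vhosts_write /etc/httpd/conf.d/vhosts.conf
    apachectl configtest          # syntax check first; a bad file would take the site down
    systemctl enable httpd
    systemctl restart httpd
    # from system2: curl http://system1.group8.example.com
    #               curl --cacert /path/to/ssl-ca.crt https://system1.group8.example.com
}

if [ "${1:-}" = "--apply" ]; then http_apply; fi
```

The RequireAll block is the httpd 2.4 way to combine "everyone may read" with "except this network"; a bare Require not ip on its own is rejected by httpd, which is a common reason the my133t.org requirement ends up unimplemented.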
Question 14: configure virtual hosts
Extend the web server on system1 with a virtual host for the site http://www8.group8.example.com:
set the DocumentRoot to /var/www/virtual
download http://server.group8.example.com/pub/www8.html, rename it index.html and place it in the DocumentRoot without modifying it
user andy must be able to create files in /var/www/virtual
http://system1.group8.example.com must remain accessible; server.group8.example.com already provides DNS for www8.group8.example.com
1) Install and open the firewall (already done in question 12)
yum install httpd
systemctl enable httpd   # start at boot
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
2) Prepare the directory and the page of the virtual site
mkdir -p /var/www/virtual   # the DocumentRoot
wget -O /var/www/virtual/index.html http://server.group8.example.com/pub/www8.html
3) SELinux
A directory created under /var/www inherits the httpd_sys_content_t type, so nothing more is needed;
alternatively, set the context explicitly:
semanage fcontext -a -t httpd_sys_content_t '/var/www/virtual(/.*)?'
restorecon -R /var/www/virtual
4) Access for andy
id andy   # create the user if it does not exist
setfacl -m u:andy:rwx /var/www/virtual   # ACL so andy can create files
5) Configure the virtual host
vim /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:80>
    ServerName www8.group8.example.com
    DocumentRoot /var/www/virtual
    <Directory "/var/www/virtual">
        Require all granted
    </Directory>
</VirtualHost>
systemctl restart httpd
6) Test
On SYSTEM2:
curl www8.group8.example.com
Site:www8.group8.example.com   # expected output
Question 15: configure web content access control
Create a directory named private under the DocumentRoot of the web server on system1:
download http://server.group8.example.com/pub/private.html, rename it index.html and place it in private
do not modify the content of this file
on system1, the directory private under the DocumentRoot /var/www/virtual/ must be accessible only from system1 itself and denied to every other host
1) Prepare the directory
mkdir -p /var/www/virtual/private
wget -O /var/www/virtual/private/index.html http://server.group8.example.com/pub/private.html
2) Edit the httpd configuration
vim /etc/httpd/conf.d/vhosts.conf   # inside the www8 virtual host
<VirtualHost *:80>
    ServerName www8.group8.example.com
    DocumentRoot /var/www/virtual
    <Directory "/var/www/virtual">
        Require all granted
    </Directory>
    <Directory "/var/www/virtual/private">
        # the directive the author used is cut off in the source; Require local admits
        # only requests that originate from this host, which matches the tests below
        Require local
    </Directory>
</VirtualHost>
3) systemctl restart httpd
4) Test
On SYSTEM1:
curl http://www8.group8.example.com/private/
This a private file,only for local access!
On SYSTEM2 (the source says SYSTEM1 again here, but this is the remote test):
curl http://www8.group8.example.com/private/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /private/
on this server.</p>
</body></html>
Question 16: deploy a dynamic web application
Configure a web application on system1 with these requirements:
the virtual host is wsgi.group8.example.com
it listens on port 8909
download the application from http://server.group8.example.com/pub/webinfo.wsgi and do not modify it
http://wsgi.group8.example.com:8909/ returns a dynamically generated web page
it must be accessible from group8.example.com
1) Install
yum -y install mod_wsgi   # the WSGI module for httpd (the package name is cut off in the source)
systemctl is-enabled httpd || systemctl enable httpd   # httpd is already enabled from the earlier questions
2) Prepare the application
mkdir -p /var/www/wsgi.group8
wget -O /var/www/wsgi.group8/webinfo.wsgi http://server.group8.example.com/pub/webinfo.wsgi   # do not modify
3) SELinux
semanage port -a -t http_port_t -p tcp 8909   # allow httpd to bind the non-standard port
chcon -t httpd_sys_content_t /var/www/wsgi.group8   # already the default label under /var/www; may be skipped
4) Firewall
firewall-cmd --permanent --add-port=8909/tcp
firewall-cmd --reload
5) Configure httpd
vim /etc/httpd/conf.d/vhosts.conf
Listen 8909
<VirtualHost *:8909>
    ServerName wsgi.group8.example.com
    WSGIScriptAlias / /var/www/wsgi.group8/webinfo.wsgi
</VirtualHost>
systemctl restart httpd   # reload the configuration
6) Test
On SYSTEM1:
curl wsgi.group8.example.com:8909
This Dynamic WSGI Page Was Generated at:   # expected output, followed by the current time
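Questions 14, 15 and 16 all edit the same vhosts file, so this added example of mine (not the page's configuration) writes the www8 host with its private directory and the port-8909 WSGI host from one function into a separate conf.d file, which leaves the question 12 and 13 file untouched. The directive for the private directory is my assumption, since the page's own line is cut off: Require local admits only requests that originate from the server itself, which is exactly what the page's two curl tests show. The apply function needs root.

```shell
#!/bin/bash
# Added example: the www8 virtual host with its private directory (questions 14 and 15)
# and the WSGI host on port 8909 (question 16).

www8_vhosts_write() {
    cat >"$1" <<'EOF'
<VirtualHost *:80>
    ServerName www8.group8.example.com
    DocumentRoot /var/www/virtual
    <Directory "/var/www/virtual">
        Require all granted
    </Directory>
    <Directory "/var/www/virtual/private">
        Require local
    </Directory>
</VirtualHost>

Listen 8909
<VirtualHost *:8909>
    ServerName wsgi.group8.example.com
    WSGIScriptAlias / /var/www/wsgi.group8/webinfo.wsgi
    <Directory "/var/www/wsgi.group8">
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Label the port for httpd; -a fails if the port is already recorded, so fall back to -m.
selinux_allow_http_port() {
    semanage port -a -t http_port_t -p tcp "$1" 2>/dev/null || semanage port -m -t http_port_t -p tcp "$1"
}

www8_apply() {
    yum -y install mod_wsgi
    mkdir -p /var/www/virtual/private /var/www/wsgi.group8
    wget -q -O /var/www/virtual/index.html         http://server.group8.example.com/pub/www8.html
    wget -q -O /var/www/virtual/private/index.html http://server.group8.example.com/pub/private.html
    wget -q -O /var/www/wsgi.group8/webinfo.wsgi   http://server.group8.example.com/pub/webinfo.wsgi
    restorecon -Rv /var/www              # everything under /var/www gets httpd_sys_content_t
    id andy >/dev/null 2>&1 || useradd andy
    setfacl -m u:andy:rwx /var/www/virtual
    selinux_allow_http_port 8909
    firewall-cmd --permanent --add-port=8909/tcp
    firewall-cmd --reload
    www8_vhosts_write /etc/httpd/conf.d/www8-vhosts.conf
    apachectl configtest
    systemctl restart httpd
    # expected: curl http://www8.group8.example.com/private/ returns the page on system1 and 403 elsewhere;
    #           curl http://wsgi.group8.example.com:8909/ returns the generated page
}

if [ "${1:-}" = "--apply" ]; then www8_apply; fi
```

Keeping Listen 8909 in the same file as the 8909 virtual host matters: without the Listen line httpd never binds the port and the SELinux and firewall work above has nothing to protect.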
Question 17: create a script
Create a script named /root/foo.sh on system1 that:
prints fedora when run as /root/foo.sh redhat
prints redhat when run as /root/foo.sh fedora
prints the usage message /root/foo.sh redhat | fedora to standard error when run with no argument or with any other argument
On SYSTEM1:
vim /root/foo.sh
#!/bin/bash
if [ "$1" = "redhat" ]; then    # argument redhat
    echo fedora
elif [ "$1" = "fedora" ]; then  # argument fedora
    echo redhat
else                            # anything else, including no argument
    echo "/root/foo.sh redhat | fedora" >&2   # usage goes to stderr
    exit 1                                    # the source does not state an exit status; 1 is conventional
fi
chmod 777 /root/foo.sh   # only the execute bit matters; chmod +x is enough
Test:
[root@system1 ~]# /root/foo.sh redhat
fedora
[root@system1 ~]# /root/foo.sh fedora
redhat
[root@system1 ~]# /root/foo.sh > /dev/null
/root/foo.sh redhat | fedora   # still shown because it goes to stderr, not stdout
Question 18: create a script that adds users
Create a script named /root/batchusers on system1 that creates local users on system1:
the script takes one argument, a file containing the list of user names
if no argument is given it prints "Usage: /root/batchusers userfile" and exits with a non-zero status
if the file does not exist it prints "Input file not found" and exits with a non-zero status
the login shell of the created users is /bin/false
the script does not need to set a password
a test user list is available at http://server.group8.example.com/pub/userlist
# write the script (the source names the file batchusers.sh, but the tests below call /root/batchusers)
vim /root/batchusers
#!/bin/bash
if [ $# -ne 1 ]; then echo "Usage: /root/batchusers userfile"; exit 1; fi
if [ ! -f "$1" ]; then echo "Input file not found"; exit 2; fi
for username in $(cat "$1"); do
    useradd -s /bin/false "$username"   # no password is required; the source's "echo redhat | passwd --stdin" line is optional
done
chmod +x /root/batchusers   # make it executable
wget -O /root/userlist http://server.group8.example.com/pub/userlist   # the test list
# test
/root/batchusers
Usage: /root/batchusers userfile
/root/batchusers haha
Input file not found
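A version of /root/batchusers with the argument handling split into testable functions, as an added example of mine rather than the page's script. It adds two things the exam script does not bother with: blank and comment lines in the list are skipped, and a user that already exists is reported instead of useradd failing half-way through the list. The exit codes 1 (usage) and 2 (missing file) are my choice; the page only says the status must be non-zero.

```shell
#!/bin/bash
# Added example: /root/batchusers with the checks the question asks for, plus list
# hygiene and an "already exists" check. Functions return instead of exiting so the
# argument handling can be tested without creating users.

# Print the usable user names from a list file, one per line:
# blank lines and '#' comment lines are dropped, surrounding whitespace and CRs removed.
batchusers_parse() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | sed -E 's/[[:space:]]+//g'
}

# Create one user with /bin/false as shell; existing users are left untouched.
batchusers_add() {
    if id "$1" >/dev/null 2>&1; then
        echo "user $1 already exists, skipping"
        return 0
    fi
    useradd -s /bin/false "$1"   # no password is set, so the account cannot log in interactively
}

# Argument handling exactly as the question requires.
batchusers_main() {
    if [ $# -ne 1 ]; then
        echo "Usage: /root/batchusers userfile"
        return 1
    fi
    if [ ! -f "$1" ]; then
        echo "Input file not found"
        return 2
    fi
    local u
    for u in $(batchusers_parse "$1"); do
        batchusers_add "$u"
    done
}

# Run only when installed and invoked as /root/batchusers; under any other
# name the file just defines the functions.
case "$(basename -- "$0")" in
    batchusers) batchusers_main "$@"; exit $? ;;
esac
```

Install it with `cp batchusers /root/batchusers && chmod +x /root/batchusers`; the page's three manual tests then behave as shown, and a list with Windows line endings no longer produces user names with a trailing carriage return.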
Question 19: configure an iSCSI target
Configure system1 as an iSCSI target with the IQN iqn.2014-08.com.example.group8:system1 so that:
1) it serves on port 3260
2) it uses an LVM logical volume named iscsi_store of 3G as the backing store
3) only system2.group8.example.com can access it
On SYSTEM1:
yum install targetcli
systemctl start target    # start the target service
systemctl enable target   # start at boot
# open 3260/tcp for system2 only
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address=172.24.8.12 port port=3260 protocol=tcp accept'
firewall-cmd --reload
firewall-cmd --list-all
fdisk /dev/sda   # create a new partition on /dev/sda (here /dev/sda3)
# size +5G
# type 8e (Linux LVM)
partprobe        # re-read the partition table
pvcreate /dev/sda3        # physical volume
vgcreate vg0 /dev/sda3    # volume group
lvcreate -L 3G -n iscsi_store vg0   # create iscsi_store with the required size
targetcli   # configure the iSCSI target interactively
# define a block backstore on the logical volume
/> backstores/block create name=iscsi_store dev=/dev/vg0/iscsi_store
/> cd iscsi
# create the iSCSI target with the required IQN
/iscsi> create iqn.2014-08.com.example.group8:system1
/iscsi> cd iqn.2014-08.com.example.group8:system1/
/iscsi/iqn.20...roup8:system1> cd tpg1/
# map the backstore as a LUN of the target
/iscsi/iqn.20...:system1/tpg1> luns/ create /backstores/block/iscsi_store
# the ACL names the only initiator allowed in: system2's IQN
/iscsi/iqn.20...:system1/tpg1> acls/ create iqn.2014-08.com.example.group8:system2
# the portal: the address (and default port 3260) the target listens on
/iscsi/iqn.20...:system1/tpg1> portals/ create 172.24.8.11
# the IQN in the ACL must match the InitiatorName configured on the client; the target does not assign it
/iscsi/iqn.20...:system1/tpg1> set attribute generate_node_acls=0
/iscsi/iqn.20...:system1/tpg1> cd /
/> saveconfig
/> exit
Question 20: configure an iSCSI initiator
Configure system2 to access the iSCSI target iqn.2014-08.com.example.group8:system1 on system1 so that:
1) the iSCSI target is logged in automatically at boot
2) the iSCSI block device contains a 2100 MiB partition with an ext4 filesystem
3) it is mounted persistently at /mnt/data
1) Install
yum -y install iscsi-initiator-utils
2) Enable the service at boot and start it now
systemctl start iscsi
systemctl enable iscsi
3) Set the initiator name
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-08.com.example.group8:system2   # must match the ACL on the target
4) Discover the target
iscsiadm -m discovery -t st -p 172.24.8.11
172.24.8.11:3260,1 iqn.2014-08.com.example.group8:system1
5) Log in to the target
iscsiadm -m node -l
# check with lsblk: a new 3G disk appears
lsblk
sdb    3G
6) Partition and format
fdisk /dev/sdb
+2100M
mkfs.ext4 /dev/sdb1
blkid /dev/sdb1
/dev/sdb1: UUID="4e4dda09-6bca-4f9d-9477-843c110d856d" TYPE="ext4"
Create the mount point
mkdir /mnt/data
7) Mount persistently
vim /etc/fstab
UUID=4e4dda09-6bca-4f9d-9477-843c110d856d /mnt/data ext4 _netdev 0 0   # _netdev: wait for the network (and the iSCSI login) before mounting
mount -a
8) Remove the iSCSI client configuration (not needed in the exam)
umount /mnt/data
iscsiadm -m node -u          # log out
iscsiadm -m node -o delete   # delete the node record
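The target (question 19) and initiator (question 20) steps can be done without the interactive targetcli and fdisk sessions, which is what this added example of mine does; it is not the page's own command list. It assumes the LVM volume /dev/vg0/iscsi_store already exists as on the page and that the new disk appears as /dev/sdb, and it uses parted instead of fdisk only because parted takes its input on the command line. Both apply functions need root.

```shell
#!/bin/bash
# Added example: the iSCSI target on system1 (question 19) and the initiator on system2
# (question 20), driven by targetcli's and iscsiadm's non-interactive forms.

IQN_TARGET=iqn.2014-08.com.example.group8:system1
IQN_INIT=iqn.2014-08.com.example.group8:system2
TARGET_IP=172.24.8.11
INIT_IP=172.24.8.12

# Only system2's address may reach 3260/tcp. Together with the IQN ACL this is the
# whole access control, because no CHAP secret is configured: an IQN is just a
# string any client can claim, so the firewall rule is doing real work here.
target_fw_rule() {
    printf 'rule family=ipv4 source address=%s port port=3260 protocol=tcp accept' "$1"
}

target_apply() {
    yum -y install targetcli
    systemctl enable target && systemctl start target
    firewall-cmd --permanent --add-rich-rule="$(target_fw_rule $INIT_IP)"
    firewall-cmd --reload
    local tpg=/iscsi/$IQN_TARGET/tpg1
    targetcli /backstores/block create name=iscsi_store dev=/dev/vg0/iscsi_store
    targetcli /iscsi create "$IQN_TARGET"
    targetcli "$tpg/luns" create /backstores/block/iscsi_store
    targetcli "$tpg/acls" create "$IQN_INIT"
    targetcli "$tpg/portals" delete 0.0.0.0 3260 2>/dev/null   # drop the wildcard portal if one was created
    targetcli "$tpg/portals" create "$TARGET_IP"
    targetcli "$tpg" set attribute generate_node_acls=0         # the ACL list is authoritative
    targetcli saveconfig
    targetcli ls
}

# fstab entry keyed by UUID; _netdev delays the mount until the network and the
# iSCSI login are up, otherwise boot stalls on a disk that is not there yet.
iscsi_fstab_line() {
    printf 'UUID=%s /mnt/data ext4 _netdev 0 0' "$1"
}

initiator_apply() {
    yum -y install iscsi-initiator-utils
    echo "InitiatorName=$IQN_INIT" >/etc/iscsi/initiatorname.iscsi
    systemctl enable iscsi iscsid && systemctl restart iscsid
    iscsiadm -m discovery -t st -p "$TARGET_IP"
    iscsiadm -m node -T "$IQN_TARGET" -p "$TARGET_IP" -l
    # a 2100 MiB partition, then the filesystem
    parted -s /dev/sdb mklabel msdos mkpart primary ext4 1MiB 2101MiB
    mkfs.ext4 /dev/sdb1
    local uuid
    uuid=$(blkid -s UUID -o value /dev/sdb1)
    mkdir -p /mnt/data
    iscsi_fstab_line "$uuid" >>/etc/fstab
    mount -a && df -h /mnt/data
}

case "${1:-}" in
    --target) target_apply ;;
    --initiator) initiator_apply ;;
esac
```

Logging in with -T and -p rather than a bare `iscsiadm -m node -l` keeps the script from attaching every target the node database has ever discovered, which is the kind of surprise that shows up after a discovery against the wrong portal.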
Question 21: configure a database
Create a MariaDB database named Contacts on system1 with these requirements:
1) the database contains the contents of http://server.group8.example.com/pub/users.mdb and is accessible only from localhost
2) besides root, only the user Mary can query the database, with the password redhat
3) the root password of the database is redhat
1) Install and start
yum -y install mariadb-server
systemctl enable mariadb
systemctl start mariadb
2) Firewall
firewall-cmd --permanent --add-service=mysql   # the database only has to be reachable from localhost, so opening 3306/tcp is not required; leaving it closed is the safer choice
3) Initial security setup
mysql_secure_installation   # sets the root password (redhat)
...
Disallow root login remotely? [Y/n] y   # root may only log in locally
4) Restore the database
wget -O /root/users.mdb http://server.group8.example.com/pub/users.mdb
mysql -predhat   # log in as root
MariaDB [(none)]> create database Contacts;   # create the Contacts database
MariaDB [(none)]> use Contacts;   # switch to Contacts
MariaDB [Contacts]> source /root/users.mdb   # import the dump
MariaDB [Contacts]> show tables;   # list the tables
Set the access rights
MariaDB [Contacts]> grant select on Contacts.* to Mary@localhost identified by 'redhat';   # @localhost limits Mary to local connections
Question 22: database queries
Use the Contacts database on system1 and SQL queries to answer the following:
1) the name of the user whose password is fadora
2) the users whose first name is John and whose location is Santa Clara
Query 1:
MariaDB [Contacts]> select * from u_name right join u_passwd on u_name.userid=u_passwd.uid where password='fadora';
Query 2:
MariaDB [Contacts]> select * from u_name right join u_loc on u_name.userid=u_loc.uid where firstname='John' and location='Santa Clara';
or, as an implicit inner join, which gives the same rows here because the where clause requires a matching name:
MariaDB [Contacts]> select * from u_name,u_loc where u_name.userid=u_loc.uid and firstname='John' and location='Santa Clara';
Source: https://www.cnblogs.com/Yuopen/p/9360641.html