You are on page 1of 30

RHEL7 RHCE Exam objectives

System configuration and management

Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux
systems.

Configure IPv6 addresses and perform basic IPv6 troubleshooting.

Route IP traffic and create static routes.

Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering
and configure network address translation (NAT).

Use /proc/sys and sysctl to modify and set kernel runtime parameters.

Configure a system to authenticate using Kerberos.

Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target.

Produce and deliver reports on system utilization (processor, memory, disk, and network).

Use shell scripting to automate system maintenance tasks.

Network Services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the
following objectives for each of the network services listed below:

Install the packages needed to provide the service.

Configure SELinux to support the service.

Use SELinux port labelling to allow services to use non-standard ports.

Configure the service to start when the system is booted.

Configure the service for basic operation.

Configure host-based and user-based security for the service.

HTTP/HTTPS

Configure a virtual host.

Configure private directories.

Deploy a basic CGI application.

Configure group-managed content.

Configure TLS security.

DNS

Configure a caching-only name server.

Troubleshoot DNS client issues.

NFS

Provide network shares to specific clients.

Provide network shares suitable for group collaboration.

Use Kerberos to control access to NFS network shares.

SMB

Provide network shares to specific clients.

Provide network shares suitable for group collaboration.

Use Kerberos to authenticate access to shared directories.

SMTP

Configure a system to forward all email to a central mail server.

SSH

Configure key-based authentication.

Configure additional options described in documentation.

NTP

Synchronize time using other NTP peers.

Database Services

Install and configure MariaDB.

Backup and restore a database.

Create a simple database schema.

Perform simple SQL queries against a database.

RHEL7 RHCSA Whats new?


Between the RHCSAv6 and the RHCSAv7 exams, there are only limited changes:

Securely transfer files between systems is a new objective that might require calling the scp command.

Configure key-based authentication for SSH completes the previous objective and requires an understanding of
SSH configuration (this objective was previously part of the RHCE exam objectives).

Configure a system to use an existing authentication service for user and group information appears when
Configure a system to use an existing LDAP directory service for user and group information disappears;
this new objective might require mastering both sssd daemon and LDAP configuration.

Create, mount, unmount, and use vfat, ext4 and xfs file systems only adds the xfs file system to the previous
RHCSA exam objective.

There is no longer mention of setting up a default configuration HTTP/FTP server.

VNC doesnt show up any more.

Firewall settings can now be configured through firewall-config, firewall-cmd but the iptables way is still fine.

Finally, perhaps the biggest change, all LUKS-related tasks have been removed: no game with encrypted
partitions any more!

Even though the RHCSA exam objectives almost stay the same and the exam keeps the same duration (2.5 hours), it is
clear that you will need a good understanding of the RHEL 7 basic features (Systemd, Grub2, etc) to pass it.
RHEL7 RHCE Whats new?
Between RHCEv6 and RHCEv7, changes are very significant. The exam now lasts 3.5 hours and numerous objectives
have been added (and almost none removed):

Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise
Linux systems.

Configure IPv6 addresses and perform basic IPv6 troubleshooting.

Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet
filtering and configure network address translation (NAT) (this objective replaces the Use iptables to
implement packet filtering and configure network address translation objective).

Configure a systems as either an iSCSI target or initiator that persistently mounts an iSCSI target
(previously, only the iSCSI initiator configuration was an objective, not the iSCSI target part).

Use SELinux port labelling to allow services to use non-standard ports.

Configure TLS security on a HTTPS server.

Troubleshoot DNS client issues.

Use Kerberos to control access to NFS network shares.

Use Kerberos to authenticate access to SMB shared directories.

Last but not least, some new RHCE exam objectives relate to MariaDB. A successful RHCE candidate will be able to:

Install and configure MariaDB.

Backup and restore a database.

Create a simple database schema.

Perform simple SQL queries against a database.

Although FTP & Rsyslog configuration are no longer RHCE exam objectives, Red Hat has seriously increased the
difficulty of the RHCE exam. It now lasts 3.5 hours instead of 2, topics are more numerous and more technical
(Kerberos, TLS, IPv6, Firewalld, teaming/bonding, iSCSI target, SELinux port labelling, MariaDB, etc).

RHCE 7 SAMPLE QUESTION PAPER


RHCSA
Question1:-Create two users: john with uid/gid equal to 2000, password 12345678 and davis
with uid/gid equal to 3000, password 87654321. Make davis account validity stopping in one
month.
# useradd -u 2000 john
# passwd john
New password: 12345678
# useradd -u 3000 davis
# passwd davis
New password: 87654321
# date -d +1month
# usermod -e YYYY-MM-DD davis
or # chage -E YYYY-MM-DD davis
# chage -l davis
Question2:- Allow davis (and only davis) to get full access to johns home directory
# setfacl -R -m u:davis:rwx /home/john
Question3:- Create a directory named /common. Allow john and davis to share documents in
the /common directory using a group called team. Both of them can read, write and remove
documents from the other in this directory but any user not member of the group cant.

#
#
#
#
#
#

mkdir /common
groupadd -g 50000 team
chgrp team /common
chmod 2770 /common
usermod -aG team john
usermod -aG team davis

Question4:- Create a xfs file system on a new logical volume of 100MB called lv_xfs. Mount it
permanently with uuid under /xfs.
# lvcreate size 100M name lv_xfs /dev/vg
# mkfs.xfs /dev/vg/lv_xfs
# mkdir /xfs
# blkid | grep lv_xfs >> /etc/fstab
# vi /etc/fstab
UUID= /xfs xfs defaults 1 2
# mount a
Question5:- Extend the existing xfs file system to a total size of 200MB and add a label called
myFS.
# lvextend size 200M /dev/vg/lv_xfs
or # lvextend size +100M /dev/vg/lv_xfs
# xfs_growfs /xfs
# umount /xfs
# xfs_admin -L myFS /dev/vg/lv_xfs
# mount /xfs
Question6:- Write a Bash script called prog.sh in the /root directory that creates 40 files of
2MB each with the fallocate command in the mounted /xfs directory. Each file has got a name
as follows: .file_N where N is a number from 1 to 40.
cd /root
vi prog.sh
#!/bin/bash
cd /xfs
N=40
while [ $N -gt 0 ]
do
fallocate -l 2M .file_$N
N=`expr $N 1`
done
# chmod u+x prog.sh
# ./prog.sh
Question7:- Create an ext4 file system on a new logical volume of 100MB called lv_ext4. Mount
it permanently under the /ext4 directory. Copy the files previously created into this new space.

# lvcreate size 100M name lv_ext4 /dev/vg


# mkfs.ext4 /dev/vg/lv_ext4
# mkdir /ext4
# vi /etc/fstab
/dev/vg/lv_ext4 /ext4 ext4 defaults 1 2
# cp -p /xfs/.f* /ext4
Question8:- Assign the same SELinux contexts used by the home directories to the /xfs
directory permanently.
# yum install -y setroubleshoot-server
# semanage fcontext -a -t user_home_t /xfs(/.*)?
# restorecon -R /xfs
Question9:- Configure a virtual console.
# grubby update-kernel=ALL args=console=ttyS0
Question10:- Create a logical volume of 200MB called lv_swap2 and add it permanently to the
current swap space.
# lvcreate size 200M name lv_swap2 /dev/vg
# mkswap /dev/vg/lv_swap2
# swapon /dev/vg/lv_swap2
vi /etc/fstab
/dev/vg/lv_swap2 swap swap defaults 0 0
Question11:- Install the Apache package. Allow it to get documents stored on NFS mounted
directories.
#
#
#
#
#
#
#

yum install -y httpd


firewall-cmd permanent add-service=http
firewall-cmd reload
systemctl enable httpd
systemctl start httpd
getsebool -a | grep nfs | grep httpd
setsebool httpd_use_nfs on

Question12:- Create a cron job running as root, starting at 11PM every day and writing a report
on daily system resource consumption in the /var/log/consumption.log file.
# crontab -e
00 23 * * * /usr/bin/sar -A > /var/log/consumption.log
Question13:- Set the default target to boot into X Window level (previously level 5).
# systemctl set-default graphical.target
Question14:- Change the hostname to mycentos.example.com
# hostnamectl set-hostname mycentos.example.com

Question15:- Create a user account named "tony" with password redhat and belonging to a
secondary group called team.
Question16:-Boot in single user mode and change the root password.
Question17:- Set up a default configuration HTTP server with SELinux in Enforcing mode and
active iptables.
Question18:Question18:Question18:Question18:Question18:Question18:Question18:Question18:-

RHCE
Question1:- Configure a httpd server that executes a Perl script in the /var/www/cgi-bin directory
displaying "Hello!".
Question2:- Set up a httpd virtual server called "dummy" with DocumentRoot assigned to /opt.
Question3:- Set up time synchronization with default configuration.
Question4:Question18:Question18:Question18:Question18:Question18:Question18:Question18:Question18:Question18:-

Question18:Question18:-

Upgrading Red Hat Enterprise Linux / CentOS


RHEL/CentOS 567 Changes
You encounter enormous changes when you change to the next major version of Red Hat's Enterprise Linux product suite.
Here are my notes on what is different when you upgrade from one major release of Red Hat Enterprise Linux (or its
clone CentOS). In other words, how to upgrade from RHEL (or CentOS) 5 to 6 to 7. The major releases of RHEL appear
further and further apart in time, meaning that the changes are more and more complicated.
Remember that it's not that Red Hat is changing all these things. Their installer and their graphical configuration tools,
sure, those are Red Hat changes. But much of this is the result of the many underlying projects changing.
RHEL 2.1
RHEL 3
RHEL 4
RHEL 5
RHEL 6
RHEL 7

1 Installation and Exploring the Newly Installed System


The order of events and the logic of the installation completely change with every major release.

26 March 2002
22 October 2003
15 February 2005
14 March 2007
10 November 2010
10 June 2014

It was impossible to do a 56 upgrade, but 67 should be possible.


Once you get it installed, the configuration of Gnome within RHEL hides the terminal emulator in ever more inconvenient
corners of the menus. Gnome 3 supports using the Windows Start Key to bring up a "run this command" text box.
I thought it was just me being nave, but I have discovered that many other serious Linux system administrators don't
know what the "Windows Start Key" is. If your keyboard has a key with the Microsoft logo on it, down around the lefthand Shift and Alt and Control keys, it's that thing.
The manual page indices always need to be rebuilt so man -k will work after the installation. There will be a cron job to
do that, or you can do it manually. This used the makewhatis utility for ages, but with RHEL 7 mandb replaces
makewhatis. The file /etc/cron.daily/man-db.cron makes this happen every night.
When you upgrade from RHEL 5 to 6, you will notice that the network configuration has become rather complicated. See
the IP networking section later for what's behind this. Among other things, be careful to de-select Require addressing for
this connection to complete for IPv4 and also IPv6 if you use it. You get more choices about storage starting with RHEL 6,
some of it a bit exotic for typical users. If you customize the package selection, watch out! It is very tempting to click the
Next button prematurely. That immediately starts an installation process, and the only way to abort it is to reset or powercycle the machine and start over.
When you upgrade from 6 to 7, it becomes more complicated yet. The graphical configuration tool for networkings now
includes tabs for 802.1x security and higher performance data center type LAN technology.
The distribution had grown to the point that RHEL 6 no longer fit onto one single-layer DVD. DVD1 is the main
installation media, it's 4.0 GB for the RHEL 6 workstation and the single CentOS image. DVD2 is the "optional" media,
it's just 1.2 GB. DVD2 for the most part contains the -doc and -devel packages, but it also contains some of the
intranet/LAN server packages. For example, samba-swat and lpd-cups.
RHEL 5 gave you a choice about using SELinux and the iptables and ip6tables firewall rules. RHEL 6 and later
force these on you, preconfigured and enabled.
The firstboot program that runs on the first post-installation graphical boot starting with RHEL 6 insists that you
create a user. However, the user creation tool is poorly designed and it does not let you fully control all the attributes of
this user. Workaround: Create a dummy user to make it happy, create your real users, and then delete the dummy user.
If you're using VMware, Red Hat has included drivers that give you the benefits of VMware's VMtools, such as the ability
to simply move the mouse out of the VM window without first pressing <Ctrl><Alt>. Do not install VMtools, as that can
make things worse instead of better. My experience was that VMtools took away my control of the display settings and
recreated the mouse and keyboard focus problem. Just install RHEL or CentOS and enjoy.
Release
RHEL 5
RHEL 6
RHEL 7

Default
Gnome 2.16
Gnome 2.28
Gnome 3.8

Optional
KDE 3.5
KDE 4.3
KDE 4.10

The desktop graphical user interface goes through major changes, especially going from RHEL 6 to 7. Both the default
Gnome and the optional KDE graphical interface go through major version changes.
By RHEL 7 many more packages had moved to having one main configuration file plus a collection, like what xinetd
has done for some time. For example, sudo puts its system-wide settings in /etc/sudoers and then reads all the userspecific files /etc/sudoers.d/*. Rsyslog reads /etc/rsyslog.conf and then all the files in
/etc/rsyslog.d/*.

This isn't anything specific to Red Hat, it is a Linux-wide trend that became common between the releases of RHEL 6 and
7. This is also similar to the shells that for some time now first use /etc/profile and then /etc/profile.d/*,
followed by ~/.profile.
This is good, take advantage of it. The intent is that you don't touch the distribution-provided file /etc/*.conf.
When the package updates, rpm discovers that the main configuration file is still in pristine form and you have no
confusing *.rpmnew, *.rpmold, and so on to track down and manually merge changes. Let the distribution's provided
configuration file do whatever they intended, and their your locally created files can "correct" any system-wide settings
you want to change.

2 Booting
RHEL 5
RHEL 6
RHEL 7

Grub 0.97
Grub 0.97
Grub2 v2.00

Red Hat moved from Grub to Grub 2 with RHEL 7. Grub 2 is needed to support booting on UEFI-GPT platforms. See my
page on how Linux boots for details on UEFI and GPT.
These two configuration files do approximately the same thing. Notice the much greater complexity of Grub 2.
Typical Grub 0.97 /boot/grub/menu.lst
timeout 10
color black/cyan yellow/cyan
default 0
title Linux release-newer
root (hd0,0)
kernel (hd0,0)/vmlinuz-release-newer root=LABEL=/
initrd /initrd-release-newer.img
title Linux release-older
root (hd0,0)
kernel (hd0,0)/vmlinuz-release-older root=LABEL=/
initrd /initrd-release-older.img
Typical Grub 2 /boot/grub2/grub.cfg
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then

menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if loadfont unicode ; then
set gfxmode=auto
load_video
insmod gfxterm
fi
terminal_output gfxterm
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hintefi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 1d2e37f5-1a3d-419a-996ed7fd5d876a75
else
search --no-floppy --fs-uuid --set=root 1d2e37f5-1a3d-419a-996e-d7fd5d876a75
fi
insmod gfxmenu
loadfont ($root)/grub2/themes/maggy/MageiaLogo-Bold-16.pf2
loadfont ($root)/grub2/themes/maggy/MageiaLogo-Bold-20.pf2
loadfont ($root)/grub2/themes/maggy/MageiaLogo-Bold-28.pf2

loadfont ($root)/grub2/themes/maggy/MageiaLogo-Regular-20.pf2
insmod png
set theme=($root)/grub2/themes/maggy/theme.txt
export theme
set timeout=10
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Linux release-newer' {
set gfxpayload=text
insmod gzio
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hintefi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 1d2e37f5-1a3d-419a-996ed7fd5d876a75
else
search --no-floppy --fs-uuid --set=root 1d2e37f5-1a3d-419a-996ed7fd5d876a75
fi
linux /vmlinuz-release-newer root=UUID=62dfc4a4-86c2-4ebf-aaa3442ecc740122 ro noacpi nofb
initrd /initrd-release-newer.img
}
menuentry 'Linux release-older' {
set gfxpayload=text
insmod gzio
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hintefi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 1d2e37f5-1a3d-419a-996ed7fd5d876a75
else
search --no-floppy --fs-uuid --set=root 1d2e37f5-1a3d-419a-996ed7fd5d876a75
fi
linux /vmlinuz-release-older root=UUID=62dfc4a4-86c2-4ebf-aaa3442ecc740122 ro noacpi nofb
initrd /initrd-release-older.img
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###

# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
GRUB now uses a kernel line about twice the length of that in RHEL/CentOS 5.*, many more parameters are passed to
the kernel at boot time.
Starting with RHEL 6 GRUB uses UUID rather than LABEL to specify the root file system, and adds several parameters
specifying that it is not on LVM or encrypted through LUKS or on NFS or other network-attached storage.
SVR4 init
Upstart
systemd

RHEL 5
RHEL 6
RHEL 7

The old SVR4 init has been replaced twice now.


Systemd is significantly more capable than Upstart or classic init, with a corresponding increase in complexity. See my
page on Linux booting and process control for the rather complicated details on this.
There's much more to it than this, but here's what an administrator sees day-to-day:
SVR4 init on RHEL 5:
One file /etc/inittab configures the init program as to what run level to enter by default and what it takes to get
there. Other than starting multiple virtual consoles with text login in run levels 3 and 5, and starting a graphical login in
run level 5, it says to use the directory /etc/rc[0-6].d/ corresponding to the target run level. That directory will
contain symbolic links pointing to the collection of boot scripts in /etc/init.d/. Each link has the same name as the
actual script, preceded with either K (to kill) or S (to start) and a two-digit number to impose order. You use the
chkconfig program to enable or disable services, it reads specially coded comments in the comment block at the top of
the boot script to specify which run levels to start and stop the service and at what numerical order position. You directly
run the boot script /etc/init.d/servicename to stop, start, or restart it right now.
Upstart on RHEL 6:
Very similar to SVR4 init as far as configuration and operation goes. The exception is that /etc/inittab is now
almost empty. Its functionality has been expanded and moved into the files /etc/sysconfig/init and
/etc/init/*.
Systemd on RHEL 7:
This is very different! Instead of run levels, in which only 1 (maintenance or rescue), 3 (text-only, server) and 5 (graphics,
workstation) are useful, it uses "targets". The commonly used one correspond to the traditional run levels 3 and 5, but you
can boot or transition into any combination of the targets found in /lib/systemd/system/*.target. Very few
boot scripts remain in /etc/init.d/. You use the program systemctl to query the current overall system state, to
query the state of individual services, to control a service right now, and to enable or disable it for the future.
Simplified "Phrase

SVR4 init, Upstart

systemd

Book" of Equivalent
Commands

RHEL 5, RHEL 6

RHEL 7
systemctl
systemctl
systemctl
systemctl
systemctl
systemctl
httpd ...

What run state are we in?


runlevel
What services were
started/stopped to get
here, and with what order ls /etc/rcN.d
dependencies?
What is the default run
state if the system is
simply rebooted?
Change the default run
state to newtarget.
What services are
available? Of the
available services, which
are enabled and disabled?
Stop service xyz.
Start service xyz.
Stop and restart service
xyz.
Signal service xyz to reread its configuration file.
Enable service xyz to
automatically start at the
next boot.

get-default
-a
list-dependencies
list-sockets
status crond sshd

grep initdefault /etc/inittab

systemctl get-default

vim /etc/inittab

systemctl set-default newtarget

ls /etc/rc.d/init.d
chkconfig --list

systemctl list-unit-files

/etc/init.d/xyz
/etc/init.d/xyz
/etc/init.d/xyz
/etc/init.d/xyz

systemctl
systemctl
systemctl
systemctl

stop
start
restart
reload

chkconfig --add xyz


chkconfig xyz on
chkconfig --levels 345 xyz on

xyz
xyz
xyz
xyz

stop
start
restart
reload

systemctl enable xyz


systemctl disable xyz
Systemd will automatically enable services that
xyz depends upon.

Disable service xyz to not chkconfig --del xyz


automatically start at Start chkconfig xyz off
a service.
more /etc/init.d/xyz
ls /etc/rc$(runlevel | awk
'{print $2}').d/
/etc/init.d/xyz status
What is involved in
grep xyz /var/log/messages
service xyz?
ls /var/run/xyz
A short description, what cat /var/run/xyz
it needs to run before it, ps axuww | egrep 'PID|xyz'
systemctl show xyz
Oof!
what else wants this to
run before it can, is it
running now or stopped You would have to do all of these, plus many
more, plus do some careful analysis of all of
now, since when, if
running what's it PID, and the output, to get everything you can get from
the one systemd command.
far more?
This is an area where systemd has an
advantage.
Halt or reboot the system. init 0
halt
poweroff
shutdown -h now -t 0
init 6

systemctl halt
systemctl poweroff
systemctl reboot

reboot
shutdown -r now -t 0
The system is shut down, Interrupt the boot loader's countdown timer and modify the line that will be passed to the
boot it into a non-default kernel. Add the desired target state to the end 1, 3, or 5 for SVR4 init or Upstart; rescue,
run state (typically used multi-user, or graphical for systemd (1, 3, and 5 will probably work, but don't count on it). The
for rescue or maintenance. kernel's command line at the last boot is kept in /proc/cmdline.

3 Logging
RHEL 5
RHEL 6
RHEL 7

Syslog
Rsyslog
journalctl plus Rsyslog

The logging mechanism has changed twice, although Red Hat hasn't changed what it saves to which file in /var/log
for a long time. Most interesting things go into messages, authentication events that might contain sensitive information
go into auth.log, and subsystems like printing and mail have their own files.
See my page on Linux booting and process control for the details on this. Journalctl is less complex than Rsyslog, if
you consider Rsyslog capabilities like TLS-protected remote logging and message content matching and rewriting. But its
use of database files and its own tool before you apply grep and sed and awk certainly gives it a different feel.
RHEL 7 includes many subsystems moving toward a "file plus directory" rather than "just one file" configuration, and
Rsyslog is the first example we've come to involving a change when moving from RHEL 6 to 7.
Rsyslog in RHEL 6:
Start Rsyslog daemon according to /etc/sysconfig/rsyslog,
configure it with the file /etc/rsyslog.conf
Rsyslog in RHEL 7:
Start Rsyslog daemon according to /etc/sysconfig/rsyslog,
configure it with the file /etc/rsyslog.conf and then apply all files /etc/rsyslog.d/*
Similarly, logrotate is configured first by /etc/logrotate.conf and then all of /etc/logrotate.d/*.

4 User / Group Administration


RHEL 5:
RHEL 6:
RHEL 7:

MD5
SHA-512
SHA-512

The hash stored in /etc/shadow changed with RHEL 6. $1 indicates an MD5 hash, $2a indicates a Blowfish-based
hash, $5 indicates SHA-2-256, and $6 indicates SHA-2-512. RHEL 6 went to SHA-2-512 hashes of passwords with 516
bits of salt (86 base-64 encoded characters at 6 bits per character).
See the complaints in the Installation section above about the insistence on creating a user but not allowing you to fully
control all its attributes. That has been the case in both RHEL 6 and RHEL 7.

Password quality control, to the limited extent that it really matters, is now best done with pam_pwquality.so and
pam_pwhistory.so.
Be careful. Use of pam_pwhistory.so means that you now must also protect /etc/security/opasswd as that
contains information on users' old passwords which will give you very useful hints as to what their later passwords will
look like.
pam_pwquality.so can be configured with parameters within the PAM files, but a better approach would be to
customize it within /etc/security/pwquality.conf so that every program handling password changes uses the
same rules.
In the past, pam_cracklib.so was the only thing you could count on being there in any distribution. Then
pam_passwdqc.so came along. They are still available, although pam_pwquality.so is now the best tool.
However, people used to setting up password policies on Windows will be unhappy with all of them as none allow you to
rigidly enforce a password policy exactly the same way you can in Windows. Just set something and move forward as
password security is largely an illusion.

5 Storage
The default file system has changed twice in going from RHEL 5 to RHEL 6 to RHEL 7.
Default
Release
FS
RHEL 5 Ext3
RHEL 6 Ext4
RHEL 7 XFS

File System Tools


Modify/view
Create
metadata
tune2fs
mkfs.ext3
dumpe2fs
tune2fs
mkfs.ext4
dumpe2fs
mkfs.xfs

xfs_admin

Modify/grow
file system

Check/Repair

resize2fs

fsck.ext3

resize2fs

fsck.ext4

xfs_growfs

xfs_check
xfs_repair

Dump/Restore
dump
restore
dump
restore
xfsdump
xfsrestore

btrfs filesystem

RHEL ? Btrfs

btrfs scrub
btrfs image
btrfsck
mkfs.btrfs btrfs-debug-tree btrfs filesystem
btrfs rescue
btrfs image
btrfs restore
btrfs property

The kernel drivers used for IDE/PATA disks have changed. IDE/PATA disks appeared as devices /dev/hd? in RHEL 5,
starting with RHEL 6 all disks are /dev/sd?.
File system device definitions in /etc/fstab were in terms of LABEL= in RHEL 5. That changed to UUID= in RHEL
6.
Starting with RHEL 7, it is no longer practical for /usr to be a separate file system. This isn't specifically the fault of
RHEL, it's that the components used by all distributions now disregard or violate the old convention that the root file
system be small with just what's needed for booting while /usr has things needed later. But now /bin, /lib, /lib64
and /sbin are just symbolic links to directories within /usr.
Red Hat's recommendation for swap area continues to change and contradict itself. For example, install RHEL 7 onto a
system with 8 GB of RAM and let the installer set up the storage. Red Hat's documentation recommends either 4 or 8 GB
in that situation, but their installer creates a 2 GB swap area.

The NFS server now uses /etc/exports.d/* in addition to /etc/exports.


The automounter now uses /etc/auto.master.d/* in addition to /etc/auto.master.
The mount command shows an ever-larger list of mounts that aren't file systems appearing in routine df output. They do
appear if you run df -a.
Release
RHEL 4

RHEL 5

RHEL 6

RHEL 7

Physical
RAM
always
2 GB
> 2 GB
< 4 GB
416 GB
1664 GB
64256 GB
256512 GB
2 GB
28 GB
864 GB
> 64 GB
2 GB
28 GB
864 GB
> 64 GB

Swap
Recommendation
at least 32 MB
2 RAM
2 + RAM
at least 2 GB
4 GB
8 GB
16 GB
32 GB
2 RAM
same as RAM
at least 4 GB
at least 4 GB
2 RAM
same as RAM
0.5 RAM
it depends

To allow
hibernation

3 RAM
2 RAM
1.5 RAM
don't
3 RAM
2 RAM
1.5 RAM
don't

6 Package Management
RHEL/CentOS 5.* gave you both IA32 and IA64 binaries and libraries for most packages when you install onto 64-bit
hardware. Put another way, starting with RHEL 6 you no longer get two lines of output when you type:
$ rpm -q firefox
and so you no longer have to type this to figure it out:
$ rpm -q --qf '%{name}.%{arch}\n' firefox
7 Building Software from Source
Starting with RHEL 6, rpmbuild and related tools no longer use directories under /usr/src/ as their working area.
They instead use ~/rpmbuild, meaning that things like building a kernel as root requires an unusually large amount
of space on the / partition. That is, unless you do this:
# mkdir /usr/src/rpmbuild
# ln -s /usr/src/rpmbuild ~/rpmbuild

8 Networking: IP Configuration

Kernel support for hardware


Used /etc/modprobe.conf and /etc/modprobe.d/* to control which kernel module is used for which
RHEL
device, and used its parameters to control which of two Ethernet interfaces with the same chipset became eth0
5
versus eth1.
Used /etc/udev/rules.d/70-persistent-net-rules to remember Ethernet devices by MAC
RHEL
address. Replace a card or (move onto new hardware) and a single Ethernet card is no longer eth0, it is now
6
eth1.
RHEL Udev activity has been absorbed into systemd.
7
Network interface names change, see details below.
TCP/IP Commands
The traditional commands ifconfig, route, and netstat are deprecated in favor of the Iproute2 package and its ip
and ss. This has been happening gradually on all distributions, but it becomes much more obvious with RHEL 7. I have
more details elsewhere, but here is a short summary of just what changes:
Task

Traditional Unix, OS X

LAN statistics

netstat -i

IP address, netmask

ifconfig [-a]

IP routing table
UDP/TCP activity

route
netstat -r
netstat -a

Android
Linux
ip -s link
ifstat
ip addr
ip -6 addr
ip route
ip -6 route
ss -a

IP Configuration and Scripts


Red Hat's network configuration starting with RHEL 6 does a very good job of handling what a few people want
situations where wired and wireless networks appear, disappear, and change. But.... Is an operating system costing
hundreds to a few thousands of dollars per CPU socket pair per year going to be used in a notebook carried from
coffeeshop to coffeeshop?
Red Hat's NetworkManager service in RHEL 6 slows down the process to the point that restarting the networking can take
30 seconds or more. And while I applaud their attempt to use a netmask length instead of a literal netmask pattern (e.g.,
24 instead of 255.255.255.0), their script logic bungles the attempt. You end up with network or broadcast addresses
that make no sense.
My recommendation for RHEL 6 has been to disable the NetworkManager service and create new minimal ifcfgeth* files:
#
#
#
#

/etc/init.d/NetworkManager stop
chkconfig NetworkManager off
mv /etc/sysconfig/network-scripts/ifcfg-eth0 /root
vim /etc/sysconfig/network-scripts/ifcfg-eth0

For just IPv4 put this in the new ifcfg-eth0 file:


DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.12

NETMASK=255.255.255.0
IPV6INIT=no
For IPv4 plus IPv6 autoconfiguration:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.12
NETMASK=255.255.255.0
IPV6INIT=yes
IPV6AUTOCONF=yes
For IPv4 plus IPv6 with an explicit IPv6 configuration:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.12
NETMASK=255.255.255.0
IPV6INIT=yes
IPV6AUTOCONF=no
IPV6ADDR=2001:1800:1234:90::c8/64
IPV6DEFROUTE=yes
Keep in mind that an IPv6 address is laid out like the following, using my example address above for illustration.
Remember that leading zeros can be deleted in each 16-bit block, and one string of consecutive zeros can be collapsed
into "::", so the final "::c8" really represents 64 bits:
3 bits 45 bits
001
global routing prefix
2001:1800:1234

16 bits
subnet ID
0090

64 bits
interface ID
0000:0000:0000:00c8

Meanwhile, the default gateway belongs in the file /etc/sysconfig/network:


NETWORKING=yes
HOSTNAME=host.domain.com
GATEWAY=192.168.1.254
Network Interface Names
Starting with RHEL 7 (really with v197 systemd), the traditional interface names eth0, wlan0, and so on have been
replaced. See the details here, and even more details here, but the interface names are now based on en for Ethernet or wl
for wireless LAN, followed by one of:
1. Firmware-provided index numbers for on-board devices: eno1 for the first on-board Ethernet.
However, note that this Fedora page says "Ethernet ports embedded on server motherboards will be named
em<port_number>, while ports on PCI cards will be named p<slot_number>p<port_number>, corresponding to
the chassis labels."
2. Firmware-provided PCI Express hotplug index numbers: ens1 for the first hotplug Ethernet.

3. Physical locations: enp2s0 for an Ethernet device at PCI bus address 02:00.0.
4. Chained physical locations: wlp0s2f1u4 for a USB WLAN device, with the USB controller at PCI bus address
00:02.0 and using USB function 1 and port 4.
5. MAC address: enx0011951E8EB6 for a device with MAC address 00:11:95:1E:8E:B6.
Version #1 applies if that information is available, falling back to #2 and then #3 or #4, and finally defaulting to an
unpredictable detection order and the old style named ethN and wlanN. The MAC address version is only used if the
administrator configures it.
On VMware, a bug leads to the nonsensical numbered name eno16777736. Wow, where are the other 16,777,735
Ethernet ports? One workaround is to edit the *.vmx line and change the number found here:
ethernet0.pciSlotNumber="33"
from 33 to a smaller unused number such as 20. That virtual Ethernet device will appear at PCI address 00:14.0 (which is
base 16, 0x14 = 20), and it will be enp0s20. Experiment: Not all numbers work, many will result in 16777736.
For example, I boot my laptop from a CentOS 7 live cd and see the following. Both the wireless LAN and Ethernet
controllers are on the PCI bus, but the WLAN device gets a motherboard device name and the Ethernet devices gets a PCI
device name.
# lspci | grep -i net
02:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8191SEvA Wireless
LAN Controller (rev 10)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101E/RTL8102E
PCI Express Fast Ethernet controller (rev 02)
# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
mode default qlen 1000
link/ether 2c:27:d7:c5:d3:7b brd ff:ff:ff:ff:ff:ff
3: wlo1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode
DORMANT qlen 1000
link/ether 68:a34:c4:70:f1:73 brd ff:ff:ff:ff:ff:ff
The biosdevname command is intented to take a kernel device name as an argument and return the BIOS-given name it
"should" be. Or at least that's what its manual page says. I honestly don't know what's going on here, I get a completely
different name for the Ethernet port and no output at all for the wireless device in either the new or traditional name:
# biosdevname -i enp3s0
p1p1
# biosdevname -i wlo1
# biosdevname -i wlan0
My desktop has a wireless LAN interface plugged into a USB port:
$ lspci | grep USB
00:02.0 USB controller: NVIDIA Corporation MCP61 USB 1.1 Controller (rev a3)
00:02.1 USB controller: NVIDIA Corporation MCP61 USB 2.0 Controller (rev a3)
01:09.0 USB controller: OPTi Inc. 82C861 (rev 10)
$ lsusb
Bus 003 Device 004: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
$ lsusb -t

/:

Bus 03.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/10p, 480M


|__ Port 1: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, 480M
|__ Port 4: Dev 4, If 0, Class=Vendor Specific Class, Driver=rt2800usb, 480M
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/2p, 12M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/10p, 12M
|__ Port 7: Dev 6, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
$ ip addr
[...]
4: wlp0s2f1u4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
default qlen 1000
link/ether c8:3a:35:cf:3b:b9 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.102/24 brd 192.168.1.255 scope global wlp0s2f1u4
valid_lft forever preferred_lft forever
inet6 fe80::ca3a:35ff:fecf:3bb9/64 scope link
valid_lft forever preferred_lft forever
wl
= Wireless LAN
p0s2
= Through PCI bus address 00:02.0 to...
f1u4
= USB function 1, port 4
You can inventory the network devices by searching the /sys/devices hierarchy:
# ls -F $( find /sys/devices -name net )
/sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net:
wlo1/
/sys/devices/pci0000:00/0000:00:1c.1/0000:03:00.0/net:
enp3s0/
/sys/devices/virtual/net:
lo/
# ls -F /sys/devices/pci*/*/*/net/*
/sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net/wlo1:
addr_assign_type device@ ifalias
netdev_group queues/
address
dev_id
ifindex
operstate
speed
addr_len
dormant iflink
phy80211@
statistics/
broadcast
duplex
link_mode phys_port_id subsystem@
carrier
flags
mtu
power/
tx_queue_len
/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.0/net/enp3s0:
addr_assign_type device@ ifalias
netdev_group speed
address
dev_id
ifindex
operstate
statistics/
addr_len
dormant iflink
phys_port_id subsystem@
broadcast
duplex
link_mode power/
tx_queue_len
carrier
flags
mtu
queues
type

type
uevent
wireless/

uevent

Filtering with iptables / ip6tables


Recall that you got default packet filtering rules with iptables and ip6tables starting with RHEL 6. The RHEL 6
iptables default rules are:
Chain INPUT (policy ACCEPT)
target
prot opt source
ACCEPT
all -- anywhere
ACCEPT
icmp -- anywhere

destination
anywhere
anywhere

state RELATED,ESTABLISHED

ACCEPT
ACCEPT
REJECT

all
tcp
all

----

anywhere
anywhere
anywhere

anywhere
anywhere
anywhere

state NEW tcp dpt:ssh


reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)


target
prot opt source
REJECT
all -- anywhere

destination
anywhere

reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)


target
prot opt source

destination

The RHEL 6 ip6tables default rules are:


Chain INPUT (policy ACCEPT)
target
prot opt source
ACCEPT
all
anywhere
ACCEPT
ipv6-icmp anywhere
ACCEPT
all
anywhere
ACCEPT
tcp
anywhere
REJECT
all
anywhere

destination
anywhere
anywhere
anywhere
anywhere
anywhere

Chain FORWARD (policy ACCEPT)


target
prot opt source
REJECT
all
anywhere

destination
anywhere

Chain OUTPUT (policy ACCEPT)


target
prot opt source

destination

state RELATED,ESTABLISHED
state NEW tcp dpt:ssh
reject-with icmp6-adm-prohibited

reject-with icmp6-adm-prohibited

With RHEL 7 the outputs of iptables -L and ip6tables -L are typically over 200 lines long. The rule sets are
maintained by a daemon:
# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Tue 20xx-xx-xx 18:54:04 UTC; 22min ago
Main PID: 785 (firewalld)
CGroup: /system.slice/firewalld.service
+-/usr/bin/python /usr/sbin/firewalld --nofork --nopid
The daemon is a Python program that listens on a Unix domain socket. Verify that for yourself with this:
# lsof -p $( pgrep firewalld )
...
When you start a service through systemd, it can contact the firewall daemon through that socket. "Hello, this is the SSH
daemon sshd starting. Please let me accept connections on TCP/22."

9 Networking: Network Services, and


10 Print and File Service
For RHEL 6, see the earlier discussion of the media split into DVD1 and DVD2. If you want samba-swat, lpd-cups,
and several other network servers, you will need to get the packages from DVD2.

Better yet, add the CentOS.org YUM respository and install things from there.
RHEL 7 includes an update to Samba 4, meaning that your Linux server can function as a full Active Directory server.

11 Kernel
The file /etc/modprobe.conf last appeared with RHEL 5. The kernel can now detect every device on its own. This
means that the Udev daemon became involved in some of the device naming in RHEL 6. Then Udev was absorbed into
systemd in RHEL 7.
Red Hat generally does not build their kernel with the IKCONFIG=y configuration setting. If it were set, you could ask
the kernel to tell you how it was built by reading the /proc/config.gz kernel data structure. Since it would be the
kernel telling you, then you could believe it.
Unfortunately, all Red Hat gives us is the file /boot/config-RELEASE. My experience has shown that it is close to
the truth but not entirely correct.
See my page on building Linux kernels for further details on building the kernel. In particular, using the environment
variable INSTALL_MOD_STRIP=1 during the build to strip out the symbol information and create a collection of
modules and initrd file only about 10% the size of the unstripped alternative.
Base Kernel
RHEL 5:
RHEL 6:
RHEL 7:

2.6.18
2.6.32
3.10.0

Red Hat uses the same base version of the kernel throughout one major release. They make changes to patch kernel bugs,
tune performance, and add functionality but base all of these on the same base version modified to build the *.0 kernel.
The GNU GPL requires that the modified source code be freely distributed, but at times Red Hat have obfuscated their
changes. Oracle's RedPatch project de-obfuscates these changes, providing the patch files that create Red Hat's variant
kernels.
Automatic post-boot kernel tuning now uses /etc/sysctl.conf first, followed by
/usr/lib/systemd/sysctl.d/* and /etc/sysctl.d/*.
Load Balancing and High Availability
RHEL 6 built high-availability load-balancing clusters using Linux Virtual Server, using packages including ipvsadm to
manage the kernel-based Linux Virtual Server code, Piranha for a web-based cluster configuration tool, and nanny for
the monitoring.
RHEL 7 uses Keepalived to manage the load balancing, with the Virtual Router Redundancy Protocol (VRRP) managing
router redundancy.

12 Security-Enhanced Linux
Red Hat has become more ambitious in their use of the NSA Security-Enhanced Linux mechanisms as they progress from
one distribution to the next. If you install their product and use it as they direct, it works fine.

Remember that the design philosophy of SELinux is that the policy is always correct. So it is always appropriate to relabel
your entire file system:
# restorecon -R -v -e /cgroup /dev /proc /selinux /srv /sys /
--- or --# find / -fstype ext3 -o -fstype ext4 -o -fstype xfs -exec restorecon -v {} \;
Below are the results of running seinfo on some CentOS and RHEL examples.
From CentOS 5.6:
Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)
Classes:
Types:
Users:
Booleans:
Sensitivities:
Allow:
Auditallow:
Role allow:
Type_trans:
Type_member:
Constraints:
Fs_use:
Portcon:
Nodecon:

61
1868
3
271
1
130713
42
5
2309
0
47
19
337
8

Permissions:
Attributes:
Roles:
Cond. Expr.:
Categories:
Neverallow:
Dontaudit:
Role trans:
Type_change:
Range_trans:
Validatetrans:
Genfscon:
Netifcon:
Initial SIDs:

220
217
6
254
1024
0
7348
0
0
578
0
74
0
27

From RHEL 6:
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
Classes:
Sensitivities:
Types:
Users:
Booleans:
Allow:
Auditallow:
Type_trans:
Type_member:
Role_trans:
Constraints:
Initial SIDs:
Genfscon:
Netifcon:
Permissives:

77
1
3073
9
168
269649
44
10914
44
241
64
27
82
0
21

Permissions:
Categories:
Attributes:
Roles:
Cond. Expr.:
Neverallow:
Dontaudit:
Type_change:
Role allow:
Range_trans:
Validatetrans:
Fs_use:
Portcon:
Nodecon:
Polcap:

229
1024
250
13
203
0
162489
38
20
2590
0
22
378
0
2

From RHEL 7:
Statistics for policy file: /sys/fs/selinux/policy

Policy Version & Type: v.28 (binary, mls)


Classes:
Sensitivities:
Types:
Users:
Booleans:
Allow:
Auditallow:
Type_trans:
Type_member:
Role_trans:
Constraints:
Initial SIDs:
Genfscon:
Netifcon:
Permissives:

83
1
4263
8
261
92722
120
14717
27
734
98
27
91
0
0

Permissions:
Categories:
Attributes:
Roles:
Cond. Expr.:
Neverallow:
Dontaudit:
Type_change:
Role allow:
Range_trans:
Validatetrans:
Fs_use:
Portcon:
Nodecon:
Polcap:

255
1024
349
14
306
0
7645
74
29
5006
0
26
528
0
2

Finally, you will find that the output of ls -l began to look a little different with the version included with RHEL 6.
There is now a "." after the permission mask, indicating that an SELinux ACL exists for the object:
# ls -l /etc/rsyslog.conf /sbin/rsyslogd
-rw-r--r--. 1 root root
2741 May 20 2009 /etc/rsyslog.conf
-rwxr-xr-x. 1 root root 344528 Jun 8 2010 /sbin/rsyslogd

How to Configure Network Teaming in RHEL 7 ?


Network Teaming in RHEL 7 is not replacement of bonds. But its alternate option depending upon the
requirement. In this post I am going to show you how to create team using two ethernet interfaces. I am creating
it using static network configuration files.
Step 1 : I have create configuration file for team. Below is the content of that file.
[root@node1 ~]# more /etc/sysconfig/network-scripts/ifcfg-team0
DEVICE=team0
DEVICETYPE=Team
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.120.11
NETMASK=255.255.255.0
TEAM_CONFIG='{runner: {name: activebackup}, link_watch: {name:ethtool}}
Step 2 : After that I have configured the files for two interfaces which are going to part of team configuration.I
have given one priority of 100 and 99 to another interface.
[root@node1 ~]# more /etc/sysconfig/network-scripts/ifcfg-ens38
DEVICE=ens38
HWADDR=00:0c:29:9e:4c:f7
DEVICETYPE=TeamPort
ONBOOT=yes

TEAM_MASTER=team0
TEAM_PORT_CONFIG='{prio: 100}
[root@node1 ~]# more /etc/sysconfig/network-scripts/ifcfg-ens39
DEVICE=ens39
HWADDR=00:0c:29:9e:4c:01
DEVICETYPE=TeamPort
ONBOOT=yes
TEAM_MASTER=team0
TEAM_PORT_CONFIG='{prio: 99}
Step 3 : After configuing configuration files. We can restart the network service.
[root@node1 ~]# systemctl restart network
Step 4 : In the output of ifconfig you can see the team0 will come up. Now to check the whether our
configuration is as expected. We can issue the below commands.
a) How to check which NICs are part of team ?
[root@node1 network-scripts]# teamnl team0 ports
5: ens39: up 1000Mbit FD
4: ens38: up 1000Mbit FD
b) How to check which NIC is currently working actively in team ?
[root@node1 network-scripts]# teamdctl team0 state
setup:
runner: activebackup
ports:
ens38
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
ens39
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
runner:
active port: ens38
From above output we clearly see that ens38 is our active NIC.
c) How to check the fail over in team?
[root@node1 network-scripts]# ip link set ens38 down

[root@node1 network-scripts]# teamdctl team0 state view


setup:
runner: activebackup
ports:
ens38
link watches:
link summary: down
instance[link_watch_0]:
name: ethtool
link: down
ens39
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
runner:
active port: ens39
We can see that active port has changed to another NIC ens39 when we manually bring down the ens38. That
means our team0 is working as expected. Very soon I will come up with Bridge configuration as well.

LDAP: Configure a LDAP directory service for user connection.


Try to follow the instructions very precisely because LDAP syntax is sometimes cumbersome (case sensitive,
space, etc) and prone to errors (dn/dc/cn).
Lets assume that we use the example.com domain and the instructor.example.com hostname.
Install the following packages:
# yum install -y openldap openldap-servers migrationtools

Generate a LDAP password from a secret key (here redhat):


# slappasswd -s redhat -n > /etc/openldap/passwd

Generate a X509 certificate valid for 365 days:


# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout
/etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
----You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

----Country Name (2 letter code) [XX]:


State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Secure the content of the /etc/openldap/certs directory:


# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem

Prepare the LDAP database:


# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Start the configuration of the LDAP server:


# cd /etc/openldap/slapd.d/cn=config

Edit the olcDatabase={2}bdb.ldif file and replace/type the values specified in bold:
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: passwd # password previously generated
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

Edit the olcDatabase={1}monitor.ldif file and replace/type the values specified in bold:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Edit the /etc/sysconfig/ldap file and change the following option from no to yes:
SLAPD_LDAPS=yes

Check the LDAP configuration (there should be no error message):


# slaptest -u

Generate database files (dont worry about error messages!):


# slaptest

Change LDAP database ownership:


# chown ldap:ldap /var/lib/ldap/*

Activate the slapd service at boot:


# chkconfig slapd on

Start the slapd service:


# service slapd start

Check the LDAP activity:


# netstat -lt | grep ldap

Create the /etc/openldap/base.ldif file with the following content:


dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Build the structure of the directory service:


# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif

Create two users for testing:


#
#
#
#
#

mkdir /home/guests
useradd -d /home/guests/ldapuser01 ldapuser01
passwd ldapuser01
useradd -d /home/guests/ldapuser02 ldapuser02
passwd ldapuser02

Go to the directory for the migration of the user accounts:


# cd /usr/share/migrationtools

Edit the migrate_common.ph file and replace in the following lines:


$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

Create the current users in the directory service:


#
#
#
#
#
#

grep ":5[0-9][0-9]" /etc/passwd > passwd


./migrate_passwd.pl passwd users.ldif
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
grep ":5[0-9][0-9]" /etc/group > group
./migrate_group.pl group groups.ldif
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif

Test the configuration with the user called ldapuser01:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com

Add two new rules to the firewall:


# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

Save the firewall configuration:


# service iptables save

Edit the /etc/rsyslog.conf file and add the following line:


local4.* /var/log/ldap.log

Edit the /etc/openldap/slapd.d/cn=config.ldif file and add the following line in the middle of the file:
olcLogLevel: -1

Restart the rsyslog service:


# service rsyslog restart

In addition, Ramdevs blog provides interesting information (configuration, troubleshooting, etc) on this topic.