Red Hat Certified Engineer

Exam Preparation Session

RHEL 7
Md. Shah Alam (Shohag)
CCNP (Route)|| CCNA Security || CCNA R&S || RHCE | | RHCSA on RHEL-7

Cell: +880 1914486186

Sr. Systems Specialist

MetroNet Bangladesh Ltd.

Configure Repository

Create repository for system1 and system2. You can use this URL for your
repository: http://classroom.example.com/content/rhel7.0/x86_64/dvd

Answer:
#cd /etc/yum.repos.d
(Show with ls command and delete previous repo)
#vim yum.repo [repo name is user define]
[rhce]
name=repo for rhce exam
baseurl=http://classroom.example.com/pub/x86_64/server
enabled=1
gpgcheck=0
[Save & Exit]
# yum update -y

Configure SELinux

Configure System-1 and System-2 that should be running in

Enforcing mode.

Answer:
# vim /etc/selinux/config
SELINUX=enforcing (Be careful about this change)
(Save and Exit)
# reboot
[You can check this with getenforce command]
# getenforce

Enforcing

SSH Configuration

Configure SSH access on your both hosts (System-1 and System-2) as follows. Clients within
rny22ilt.org should not have access to ssh on your hosts.

Answer:

# yum install openssh y

# systemctl enable sshd

# systemctl start sshd

# firewall-cmd - - permanent - - add-service=ssh
# firewall-cmd - - reload
# systemctl restart sshd.service

--------------------(SSH service access control for rny22ilt.org)-----------------# firewall-config

[After execute this command graphical window will appear, rest of the task you can do graphically]

For check the firewall list execute bellow command:

# firewall-cmd - - list - - all

Configure Port Forwarding

Configure system1 to forward traffic incoming on port 80/tcp from source network
172.25.11.0/24 or 172.25.11.0 / 255.255.255.0 to port on 5243/tcp

Answer:
# firewall-config

Customize User Environment

Create a command called qstat on both systems (System-1 and System2). It should be able to execute the followings.

(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)

Answer:
# vim /etc/bashrc
[ Go to bellow the file and write]

qstat ( ) {
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
}
[save and exit]

# source /etc/bashrc
[Type bellow command for check]
# qstat

Configure IP Address (IPv6)

Configure eth0 interface with static ipv6 address on both systems and able
to communicate within the network.
System-1: 2001:123::1/64
System-2: 2001:123::2/64

Both systems are able to communicate within the network 2001:123::/64

Both systems should be maintain the current IPv4 address and changes should
be permanent even after the reboot.
Answer: [for System-1]
#nmcli connection modify eth0ipv6.address 2001:123::1/64 connection.autoconnect yes ipv6.method manual

#nmcli connection up eth0

#ping6 2001:123::1
[Above configuration will also in system-2, only ipv6 address will be change]
[For check the configuration ping each other]

Link Aggregation

Configure syatem-1 and syatem-2 with eth0 and eth1 which watches for link changes. Selects
an active port for data transfers.

System-1 IP address: 192.168.X.10/24 and System-2 IP address: 192.168.X.11/24

Answer:
# lab teambridge setup (Not in exam only for lab environment)
# nmcli connection show

(For show the connection)

# nmcli connection add con-name team0 type team ifname team0 config {runner:{name:activebackup}}
# nmcli connection add con-name team0-p1 type team-slave ifname eno1 mater team0
# nmcli connection add con-name team0-p2 type team-slave ifname eno2 master team0
# nmcli connection modify team0 ipv4.address 192.168.X.10/24 ipv4.method manual connection.autoconnect yes
# nmcli connection up team0
# nmcli connection up team0-p1
# nmcli connection up team0-p2
# teamdctl team0 state
[Ping each other for check the task]

SMTP Configuration

Configure SMTP mail service on both systems which relay the mail only from local system through
smtpX.example.com, all outgoing mail have their sender domain as example.com. Ensure the mail should not store
locally. Verify the mail server is working by sending mail to root@desktopX.example.com user.
Solution:
# yum install postfix y
#cd /etc/postfix

# vim main.cf [set line number with set nu command]

75. myhostname = serverX.example.com
84. mydomain = example.com
101. myorigin = $mydomain
119. inet_interfaces = localhost
168. mydestination =
269. mynetworks = 127.0.0.0/8
323. relayhost = [smtpX.example.com]
local_transport = error: Disable by Admin. [Write it manually]
In lab environment you have to type #lab smtp-nullclient setup at client side for receive the mail

Continue

SMTP Configuration
# firewall-cmd - - permanent - - add-service=smtp
# firewall-cmd - - reload
# systemct enable postfix

# systemctl start postfix

For send mail:
# mail v root@desktopX.example.com
Subject: Test mail
Just for test.
.
EOT
For check the mail:

Just type mail command at recipient site. [Real Time]

In exam time for check the mail, they will provide two links bellow the question.

10

SMTP Configuration

11

Your server system should accept new mail over smtp from the 172.25.X.0/24. All messages not addressed to running
on desktop.example.com.
Solution:
# yum install postfix y
#cd /etc/postfix
# vim main.cf [set line number with set nu command]

75. myhostname = serverX.example.com

84. mydomain = example.com
101. myorigin = $mydomain
119. inet_interfaces = all
168. mydestination = $myhostname, localhost.mydomain, localhost

269. mynetworks = 172.25.X.0/24, 127.0.0.0/8

323. relayhost = [smtpX.example.com]
local_transport = error: Disable by Admin. [Write it manually]
In lab environment you have to type #lab smtp null-client setup at client side for receive the mail

Continue

SMTP Configuration
# firewall-cmd - - permanent - - add-service=smtp
# firewall-cmd - - reload
# systemct enable postfix

# systemctl start postfix

For send mail:
# mail v root@desktop.example.com
Subject: Test mail
Just for test.
.
EOT
For check the mail:

Just type mail command at recipient site. [Real Time]

In exam time for check the mail, they will provide two links bellow the question.

12

NFS Server Configuration

13

1.

Share /nfsshare directory within the example.com domain clients only, share
must be writable.

2.

Share /nfssecure/protected, enable krb5p security to secure access to the

NFS share. Keytab URL
http://classroom.example.com/pub/keytabs/serverX.keytab

3.

Create a directory named protected under /nfssecure. The exported

directory should have read/write access from all subdomains of the
example.com. Ensure the directory /nfssecure/protected should be owned by
the user harry with read/write permissions.

4.

Mount both directory at desktopX.example.com.

[ At exam time no need to create any user for NFS, they will create and provide you the user name]

NFS Server Configuration

Requirements:
# lab nfskrb5 setup [For lab environment only]

In exam time, you have to download three packages for this configuration:
1.

sssd.

2.

Authconfig-gtk

3.

Krb5-workstation

14

NFS Server Configuration

Answer: (Normal Share)
# mkdir /nfsshare
#vim

/etc/exports

/nfsshare
#exportfs

Common Mistakes:

15

1. Domain address entry in exports file with proper permissions.

2. Execute exportfs -ra command.
3. Allow in firewall
4. Proper service enable and start.

172.25.X.0/24(rw)

-ra

# firewall-cmd - - permanent --add-service=nfs

# firewall-cmd - - reload
# systemctl enable nfs-server.service
# systemctl start nfs-server.service
# showmount e 172.25.X.X [For show the share directory]

NFS Mount (Normal Share)

Mount normal Share:
# yum install nfs-utils -y

Common Mistakes:

[Create mount point, where they want]

1. Source directory entry in fstab.

# mkdir /public
# vim

/etc/fstab

serverX.example.com:/nfsshare

/public nfs defaults 0

[Save & Exit]

# mount -a
# df -h

[ For show the mounted directory]

16

NFS Server Configuration

17

Answer: (Secure Share)

# mkdir -p /nfssecure/protected
#vim

/etc/exports

/nfssecure/protected

172.25.X.0/24(sec=krb5p,rw)

# wget O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/serverX.keytab

#exportfs

-ra

# firewall-cmd - - permanent --add-service=nfs

# firewall-cmd --reload
# systemctl enable nfs-secure-server.service

Common Mistakes:

1. Domain address entry in exports file with proper permissions.

2. Execute exportfs -ra command.
3. Key download properly.
4. Allow in firewall.
5. Proper service enable and start.

# systemctl start nfs-secure-server.service

# showmount e 172.25.X.X [For show the share directory]

NFS Mount (Secure Share)

# yum install nfs-utils -y

[Create mount point, where they want]

# mkdir -p /secure/protected

18

Common Mistakes:

1. Source directory and mounting method entry in fstab.

2. krb5 file download mismatch.
3. Enable proper service.

# vim /etc/fstab
serverX.example.com: /nfssecure/protected

/secure/protected

nfs sec=krb5p,defaults

# wget O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab

# systemctl enable nfs-secure.service
# systemctl start nfs-secure.service

# mount -a
# df -h

[ For show the mounted directory]

Shared Directory Ownership

We can do it two different way:
1.

Provide ownership on directory to mention user.

# chown harry
1.

/secure

ACL

# setfacl

-m u:harry:rwx

/secure

# getfacl /secure [For check the ACL]

Preferable

19

Samba Configure (Single User)

Share the /sambadir directory via SMB serverX:
1.

Your samba server must be a member of the TESTGROUP workgroup.

2.

The share name must be data.

3.

The data share must be available to content.com domain clients only.

4.

The data share must be browseable.

5.

Susan must have the read access to the share, authenticating with the
same password if necessary.

20

Samba Configure (Single User)

# yum install samba

-y

# yum install samba-client

# mkdir

21

-y

/sambadir

[Apply SELinux context on directory, you can get help from man page with man semanage-fcontext command]

# semanage fcontext a -t samba_share_t /sambadir(/.*)?

# restorecon -R v /sambadir
# ls

-ldZ /sambadir

[For check the context]

[Create smb user with smb password]

# useradd -s /sbin/nologin susan

# smbpasswd -a susan

Samba Configure (Single User)

# vim

/etc/samba/smb.conf

workgroup = TESTGROUP
host allows = 172.25.0.
[data]
path = /sambadir
valid users = susan
# testparm -s
# systemctl enable smb nmb
# systemctl start smb nmb
# firewall-cmd - - permanent --add-service=samba
# firewall-cmd - - reload

22

Samba Configure (Multi User)

Share the /opstack directory via SMB serverX:
1.

The share name must be cluster.

2.

The user frankenstain has readable, writeable access to the

/opstack SMB share.

3.

The user martin has the read access to the /opstack SMB share.

4.

Both user should have the SMB password SaniTago

5.

The samba server must be a member of the TESTGROUP workgroup.

23

Samba Configure (Multi User)

# yum install samba

-y

# yum install samba-client

# mkdir

24

-y

/opstack

[Apply SELinux context on directory, you can get help from man page with man semanage-fcontext command]

# semanage fcontext a -t samba_share_t /opstack(/.*)?

# restorecon -R v /opstack
# ls

-ldZ /opstack

[For check the context]

[Create smb users with smb password]

# useradd -s /sbin/nologin frankenstain

# smbpasswd -a frankenstain
# useradd -s /sbin/nologin martin
# smbpasswd -a martin

Samba Configure (Multi User)

# vim /etc/samba/smb.conf
workgroup = TESTGROUP
host allows = 172.25.0.
[cluster]
path = /opstack
valid users = frankenstain, martin
write list = frankenstain
# testparm -s
# systemctl enable smb nmb
# systemctl start smb nmb
# firewall-cmd - - permanent --add-service=samba
# firewall-cmd - - reload

25

Samba Test

# smbclient //serverX.example.com/data -U susan

# smbclient //serverX.example.com/cluster -U frankenstain

# smbclient //serverX.example.com/cluster -U martin

26

Samba Mount (Multi User)

1.

Mount the samba share /opstack permanently at /mnt/smbspace

on desktop as a multiuser mount.

2.

The Samba share should be mounted with the credentials of

frankenstain.

27

Samba Mount (Multi User)

28

Answer:
# yum install samba-client -y
# yum install cifs-utils -y
# mkdir -p /mnt/smbspace
# vim /root/pass.txt
username=frankenstain
password=Sanitago
# vim /etc/fstab
//serverX.example.com/cluster
# mount -a
# df -h

/mnt/smbspace

cifs credentials=/root/pass.txt,multiuser,sec=ntlmssp 0

Webserver Configuration

29

Implement a webserver for the site http://serverX.example.com. Download the page

from http://classroom.example.com/pub/rhce/rhce.html. Rename the file to the
index.html. Copy the file into the document root. Do not modify the content of
index.html. Clients within rny22ilt.org should not access the webserver on your systems.
Answer:
# yum install httpd -y
# cd /var/www/html
# wget http://classroom.example.com/pub/rhce/rhce.html
# mv

rhce.html

index.html

# firewall-cmd - - permanent - - add-service=http

# firewall-cmd - - reload
# systemctl enable httpd.service
# systemctl start httpd.service
# curl http://serverX.example.com

Virtual Hosting

30

Setup a virtual host with an alternate document root. Extend your web to include a virtual for
the site http://wwwX.example.com Set the document root as /usr/local/vhosts
Download http://classroom.example.com/pub/rhce/vhost.htrnl - rename it as index.html
place this document root of the virtual host Note: The other websites configures for your server
must still accessible.
Answer:
# mkdir -p /usr/local/vhosts
[Apply SELinux context on directory, you can get help from man page with man semanage-fcontext command]

# semanage fcontext a -t httpd_sys_content_t /usr/local/vhosts(/.*)?

# restorecon -R v /usr/local/vhosts
# ls

-ldZ /usr/local/vhosts

[For check the context]

# cd /usr/local/vhosts
#wget http://classroom.example.com/pub/rhce/www.html

Virtual Hosting
# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
# vim /etc/httpd/conf.d/ httpd-vhosts.conf
<VirtualHost serverX.example.com:80>
DocumentRoot "/var/www/html"
ServerName serverX.example.com
</VirtualHost>

<VirtualHost wwwX.example.com:80>
DocumentRoot "/usr/local/vhosts"
ServerName wwwX.example.com
</VirtualHost>

/etc/httpd/conf.d/

31

Virtual Hosting
#vim /etc/httpd/conf/httpd.conf
#vim httpd-vhosts.conf

<Directory /var/www/html>
Require all granted
</Directory>

Copy this four lines from

httpd.conf file and paste
bellow the vhosts
configuration file

<Directory "/usr/local/vhosts">
Require all granted
</Directory>
# httpd -t [For check the syntax error in configuration file]
# systemctl restart httpd.service
[Write on browser wwwX.example.com for test the vhost server]

32

Restricted Webpage

33

Implement website for http://serverX.content.com/owndir. Create a directory named as "owndir" under the document
root of webserver. Download http://station.networkO.content.com/pub/rhce/restrict.htrnl. Rename the file into
index.html. The content of the owndir should be visible to everyone browsing from your local system but should not be
accessible from other location.
Answer:
#mkdir -p /var/www/html/owndir
[Apply SELinux contect on directory, you can get help from man page with man semanage-fcontext command]

# semanage fcontext a -t httpd_sys_content_t /var/www/html/owndir(/.*)?

# restorecon -R v /var/www/html/owndir
#cd owndir
#wget http://classroom.example.com/pub/rhce/secure.html

# vim /etc/httpd/conf/httpd.conf
<Directory /var/www/html/owndir>
Require host serverX.example.com
</Directory>
#httpd -t

#systemctl restart httpd.service

Secured Webserver
Configure the website https://serverX.content.com with TLS SSLCertificate file.
1.

TLS Certificate:

http://classroom.example.com/pub/tls/certs/webappX.crt
2. TLS private key:
http://classroom.example.com/pub/tls/private/webappX.key
3. TLS CA certificate:

http://classroom.example.com/pub/example-ca.crt

34

Secured Webserver

35

Answer:
#yum install mod_ssl -y
#cd /etc/pki/tls/certs
wget http://classroom.example.com/pub/tls/certs/webappX.crt
http://classroom.example.com/pub/example-ca.crt
#cd /etc/pki/tls/private
http://classroom.example.com/pub/tls/private/webappX.key

All .crt files will be download under certs and .key file will download under private directory.

Secured Webserver
#vim /etc/httpd/conf.d/ssl.conf
<virtualhost *:443>
ServerName serverX.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5
SSLCertificateFile /etc/pki/tls/certs/webapp.crt
SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
SSLCertificateChainFile
/etc/pki/tls/certs/example-ca.crt
</virtualhost >
#firewall-cmd - -permanent - -add- -service=https
#firewall-cmd reload
#httpd -t
#systemctl restart httpd.service

36

Dynamic Webserver Configuration (WSGI)

37

configure website http://serverX.example.com:8961 on systernl with the docurnentroot

/srv/webapp Site should executes webapp.wsgi.
Answer: [ lab webapp setup ]
# yum install mod_wsgi -y
#mkdir -p /srv/webapp
[Apply SELinux contect on directory, you can get help from man page with man semanage-fcontext command]

# semanage fcontext a -t httpd_sys_content_t /srv/webapp(/.*)?

# restorecon -R v /srv/webapp
# cp /home/student/webapp.wsgi /srv/webapp/

Dynamic Webserver Configuration (WSGI)

#vim /etc/httpd/conf.d/ssl.conf
<virtualhost *:443>
ServerName webappX.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5
SSLCertificateFile /etc/pki/tls/certs/webapp.crt
SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
SSLCertificateChainFile

/etc/pki/tls/certs/example-ca.crt

WSGIScriptAlias / /srv/webapp/webapp.wsgi
</virtualhost >
<Directory /srv/webapp>
Require all granted
</Directory>

38

Webserver Logical Port Change

Run your https webserver through 8989/tcp port:
Answer:
# semanage port l | grep http
# semanage port a t http_port_t p tcp 8989

# firewall-cmd - - permanent - - add-port=8989/tcp

# firewall-cmd - - reload

39

Webserver Logical Port Change

Listen 8989 https

<virtualhost *:8989>
ServerName webappX.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5
SSLCertificateFile /etc/pki/tls/certs/webapp.crt
SSLCertificateKeyFile /etc/pki/tls/private/webappX.key

SSLCertificateChainFile
</virtualhost >
# systemctl restart httpd.service

/etc/pki/tls/certs/example-ca.crt

40

Script # 01

41

Create a script on serverX called /root/random with following details:

1. When run as /root/random foo,should bring the output as bar.
2. When run as /root/random bar, should bring the output foo.
3. When run with any other argument or without argument, should appear the message Type foo
or bar.
Answer:
# mkdir /root/random
# vim /root/random/script
#! /bin/bash
case $@ in
foo ) echo bar;;
bar ) echo foo;;
* ) echo Type foo or bar;;
esac

# chmod +x /root/random/script
# /root/random/script foo

[For check the script]

# /root/random/script bar

[For check the script]

Script # 02
Create a script on serverX called /root/createusers with following details:

42

1. When run as /root/createusers testfile, it should add all the users from the downloaded
file.(http://serverX.example.com/testfile). All users should have the loginshell as /bin/false,
password not required.

2. When this script is run with any other argument, it should print the message as Input File
Not Found.
3. When run without any argument, it should display Usage:/root/createusers.
NOTE: If the users are added, no need to delete.

[For lab environment, create a file with user name. File name should be testfile]

Script # 02
Answer:
# vim testfile [Write user name list---Only for lab]
# vim /root/createusers
#! /bin/bash
a=
case $@ in

testfile) for user in $(cat $1);

do
echo Adding users:$user
useradd -s /bin/false $user
done;;

$a)
echo Usage: /root/createusers;;
*) echo Input File Not Found;;
esac
# chmod +x /root/createusers

# /root/createusers testfile

[For check the script]

# /root/createusers [Enter]

[For check the script]

# /root/createusers [Wrong Value] [For check the script]

43

iSCSI (Traget) Configuration

44

Create a new 3GB LVM target on your serverX.example.com. The block device
name should be data block. The server should export an iscsi disk called iqn.201410.com.example:serverX. LVM name should be /dev/iscsivg/iscsilv

Answer:
# fdisk -l

#fdisk /dev/vdb
[Create 3300MB LVM partition]
# partprobe
# pvcreate /dev/vdb
# vgcreate iscsivg /dev/vdb1
# lvcreate -L 3072M -n iscsilv iscsivg
# lvdisplay

[For display the path]

iSCSI (Traget) Configuration

45

# yum install targetcli -y

# systemctl enable target
# systemctl start target
#targetcli
/> backstores/block create data /dev/iscsivg/iscsilv
/> iscsi/ create iqn.2014-10.com.example:serverX
/> iscsi/ iqn.2014-06.com.example:server1/tpg1/acls create iqn.201410.com.example:desktop1
/> iscsi/ iqn.2014-10.com.example:server1/tpg1/lun create /backstores/block/data
/> iscsi/ iqn.2014-06.com.example:server1/tpg1/portal create 172.25.1.11
/>ls
/> saveconfig
#firewall-cmd - -permanent - -add-port=3260/tcp
#firewall-cmd - -reload

iSCSI (Initiator) Configuration

46

The systemX.example.com provides an called iqn.2014-10.com.example:serverX

With port 3260/tcp. Connect the disk with client and configure filesystem with
the following requirements.
1.

Create 3GB partition on iSCSI block device and assign the file system as ext3.

2.

Mount the volume under /mnt/initiator at the system boot time.

3.

The file System should be contain the copy of

http://classroom.example.com/pub/iscsi.txt

4.

The file should be owned by root with 0644 permissions.

iSCSI (Initiator) Configuration

47

Answer:
#yum install iscsi-initiator-utils -y
#vim /etc/iscsi/initiatorname.iscsi

InitiatorName= iqn.2014-10.com.example:desktopX
# systemctl enable iscsi
# systemctl start iscsi
# iscsiadm --mode discovery --type sendtargets --portal 172.25.X.X discover
# iscsiadm --mode node --targetname iqn.2014-10.com.example:systemX --portal
172.25.X.X:3260 login
[For above two command you can get help from man page man iscsiadm]

iSCSI (Initiator) Configuration

48

# fdisk -l
# fdisk /dev/sda
[Create a 3GB partition]
# partprobe
# mkfs.ext3 /dev/sda1

# blkid /dev/sda1 [For show the /dev/sda1 UUID]

# vim /etc/fstab
UUID=c9213938-6753-4001-b939-4b5720c8ec5e

/mnt/initiator

# mount -a
# mkdir /mnt/initiator

# cd /mnt/initiator
# wget http://classroom.example.com/pub/iscsi.txt
# chown root iscsi.txt
# chmod 0644 iscsi.txt

ext3

_netdev

MariaDB # 1

49

Restore a database on serverX from the URL

http://classroom.content.com/pub/rhce/backup.mdb
1. The database name should be Contacts.
2. It should be access only within the localhost.

Most important

3. Set a password for root user as "Postroll".

4. Other than the root user, the user andrew able to read,write,update,delete the
query from the above mentioned database. [Andrew is a local user]
5. The user should be authenticated with the password as "Postroll".

MariaDB # 1

50

# yum groupinstall mariadb -y

# yum groupinstall mariadb-client -y
# systemctl enable mariadb.service
# systemctl start mariadb.service

# mysql_secure_installation
Enter/:Y/New Password:Postroll/Y/Y/Y/Y/
# mysql -u root p
MariaDB [(none)]> create database Contacts;

MariaDB [(none)]> exit

Database create
command.

# wget http://content.example.com/courses/rhce/rhel7.0/materials/mariadb/mariadb.dump
# mysql -u root -p Contacts < mariadb.dump
Enter password: Postroll

Database Backup

MariaDB # 1

51

# mysql -u root -p
Enter password: [ ******]
MariaDB [(none)]> show databases;
MariaDB [(none)]> use Contacts;

Only for Check.

MariaDB [inventory]> show tables;

MariaDB [inventory]> exit

# mysql -u root p
Enter password: [ ******]
MariaDB [(none)]> create user andrew@localhost identified by Postroll';

MariaDB [(none)]> grant select on Contacts.* to andrew@localhost;

MariaDB [(none)]> create user steve@'% identified by Postroll';
MariaDB [(none)]> grant insert,update,delete on Contacts.* to steve@'%;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

User Create

MariaDB # 1
# mysql -u steve p
MariaDB [(none)]> use Contacts;

# firewall-cmd permanent add-service=mysql

# firewall-cmd reload
#vim /etc/my.cnf
[mysqld]
skip-networking=1
#systemctl restart mariadb.service

If in question says, It should be

access only within the localhost.
Then must be edit this file.

52