Sie sind auf Seite 1von 6

Qsn 1.

NFS-Server
configure nfs on system1 as follows:
export the /public directory with read only access to the
groupx.example.com domain only
export the /protected directory with read write access to the
groupx.example.com
access to /protected should be secure by kerbros. you can use keytab at
http://host.groupx.example.com/materials/nfs_server.keytab
the /protected directory should contain a sub-directory name project that
is owned by krishna
krishna should have read write access to /protected/project.
ANs:- NFS (On server)smb
#yum -y install nfs*
#mkdir /public
#semanage fcontext -a -t public_content_t '/public(/.*)?'
#restorecon -vFR /public
#ls -ldZ /public
#vim /etc/exports
/public 172.25.X.0/24(ro)
#systemctl restart nfs-server
#systemctl enable nfs-server
#firewall-cmd --permananet --add-service=nfs
#firewall-cmd --complete-reload
#wget -O /etc/krb5.keytab
http://host.groupX.example.com/materials/nfs_server.keytab
#mkdir /protected
#cd /protected
#semanage fcontext -a -t public_content_rw_t '/protected(/.*)?'
#restorecon -vFR /protected
#vim /etc/sysconfig/nfs
RPCNFDRAGS= "-V 4.2"
#vim /etc/exports
/protected 172.25.X.0/24(rw,sync,sec=krb5p)
#mkdir /protected/project
#useradd krishna
#chown krishna /protected/project
#setfacl -m u:krishna:rwx /protected/project
#chown nfsnobody /protected
#systemctl restart nfs-server
#systemctl restart nfs-secure-server
#systemctl enable nfs-secure-server
#firewall-cmd --permanent --add-service=nfs
#firewall-cmd --complete-reload
#firewall-cmd --permanenet --add-service=rpc-bind
#firewall-cmd --permanent --add-service=mountd
Qsn2. Mount an nfs share
configure system2 to mount the following nfs share from
system1.groupx.example.com
/public should be mounted to /mnt/nfsmount
/protected should be mounted to /mnt/nfssecure using the keytab at
http://host.groupx.example.com/materials/nfs_client.keytab
krishna should be able to create file in /mnt/nfssecure/project
the file system should automatically be mounted at boot
Ans:- Mount nfs (
Client side)Untitled Folder 4
#yum -y install nfs-utils
#mkdir /mnt/nfsmount
#mkdir /mnt/nfs
#vim /etc/fstab
serverX:/public mnt/nfsmount nfs defaults 0 0
#mount -a
#df -h
#wget -O /etc/krb5.keytab
http://host.groupX.example.com/materials/nfs_client.keytab
#mkdir /mnt/nfssecure
#vim /etc/fstab
system1:/protected /mnt/nfssecure nfs
defaults,v4.2,sec=krb5p 0 0
#systemctl restart nfse-secure

#mount -a
#df -h
Qsn3. SAMBA
configure sm
b service on system1 as follows
your smb server must be a member of the STAFF workgroup
the service must share the /common directory. the share name must be
common
the common share must be available to groupx.example.com domain client
only
the common must be browseable
the user floyd must have read access the share,authenticating with the
password indionce if necessary.
Ans:- samba (on system1)
#yum -y install samba*
#mkdir /common
#semanage fcontext -a -t samba_share_t '/common(/.*)?'
#restorecon -vFR /common
#ls -ldZ /common
#vim /etc/samba/smb.conf
workgroup=STAFF
[common]:-------------------------------------------- sharing name
path=/common :---------------------------------------- directory
name
valid users = floyd
browseable = yes
writable = yes :------------------------------------- no need in
single user
hosts allow = 172.24.X.0/24
#adduser floyd
#smbpasswd -a floyd
#smppasswd -e floyd
#systemctl restart smb nmb
#systemctl enable smb nmb
#firewall-cmd --permanent -add-service=samba
#firewall-cmd --complete-reload

(system2)
#smbclient //system1/common -U floyd
smn:_>
Qsn4. MULTIuser SAMBA
on system1 share the /devops directory via SMB as follows:
the share should be named devops
the devops share must only be available to clients in the
groupx.example.com domain
the devops share must be browseable
kenji must have read access to share,authenticating with password indionce
chihiro must have read and write access to the share, authenticating with
the password indionce
the smb share is permanently mounted on system2 at /mnt/dev using the
credentials of kenji. the share must allow anyone who can
authenticate as chihiro to temprary acquire write permission.
Ans:- (on system1)
mkdir /devops
#semanage fcontext -a -t samba_share_t '/devops(/.*)?'
#restorecon -vFR /devops
#vim /etc/samba/smb.conf
[devops]:---------------------------------------------- sharing name
path = /devops :---------------------------------------
---directory name
valid users = kenji chihiro
write list = chihiro
browseable = yes
hosts allow = 172.24.X.0/24
#useradd kenji
#useradd chihiro
#smbpasswd -a kenji
#smbpasswd -a chihiro
#smbpasswd -e kenji
#smbpasswd -e chihiro
#setfacl -m u:chihiro:rwx /devops
#sestatus -b |grep samba
#setsebool -P samba_enable_export_home_dirs on
#setsebool -P samba_export_all_rw on
#systemctl restart smb nmb
(System2 Side)
yum -y install cifs-utils samba-client
#mkdir /mnt/dev
#vim /root/file.txt
username=kenji
password=indionce
#vim /etc/fstab

//system1/devops /mnt/dev cifs


defaults,multiuser,sec=ntlmssp,username=kenji,password=indionce 0 0
#mount -a
#df -h

Qsn5. ISCSI
configure system1 to provide an iscsi disk device name iqn.2016-
08.com.example.groupx:system1
the iscsi service uses port 3260
this target usasge 3G backing logical volume name iscsi_store
the target is only available to system2.groupx.example.com only
Ans:- ISCSI Server (On system1)
# yum -y install targetcli*
#systectl restart target
#systemctl enable target
#firewall-cmd --permanent --add-port=3260/tcp
#firewall-cmd -reload
#fdisk /dev/vda
n-new
p-primary
+4G-size
t-type
8e-lvm hex code
w-write or save
#partprobe /dev/vda
#pvcreate /dev/vda1
#vgcreate myvol /dev/vda1
#lvcreate -n mylv -L 3G myvol
#lvdisplay
#targetcli
/>backstore/block create iscsi_store /dev/myvol/mylv
/>/iscsi create iqn.2016-08.com.example.groupX:system1
/>/iscsi create iqn.2016-08.com.example.groupX:system1/tpg1/acls create
iqn.2016-08.com.example.groupX:system2
/>/iscsi create iqn.2016-08.com.example.groupX:system1/tpg1/portals create
172.24.X.30
/>/iscsi create iqn.2016-08.com.example.groupX:system1/tpg1/luns create
/backstores/block iscsi_store
/>ls
/>saveconfig
/>exit
#systemctl restart target
Qsn6. ISCSI INITIATOR
configure system2 so that it connects to the iqn.2016-
08.com.example.groupx:system1 as follows
the iscsi device should automaticaly be available on system boot
the iscsi block device contains a 2100MB partition that is formated as
ext4
the partition is mounted to /mnt/data and is automatically mounted to this
directory
Ans:- #yum -y install iscsi-initiators-utils
#vim /etc/iscsi/initiator.iscsi
InitiatorName=iqn.2016-08.com.example.groupX:system2
#systemctl restart iscsi
#systemctl enable iscsi
#iscsiadm -m discovery -t st -p 172.24.X.30:3260 -l
#lsblkl
#fdsik /dev/sda
n
p
+2100M
w
#partprobe /dev/sda
#mkfs.ext4 /dev/sda1
#blkid
#mkdir /mnt/data
#vim /etc/fstab
/dev/sda1 /mnt/data ext4 _netdev 0 0
#mount -a
#df- h
Qsn7. MARIADB
create a mariadb database name contacts on system1 such that following
condtions exist
the database should contain the content of the database dump from
http://server1.groupx.example.com/materials/users.mdb
the database should be accessible from localhost only
other than the root user, the database only allow queries from the user
raikon. this user should have the password zaldebro
the root user should have password zaldebro and must not be allowed to log
in without using a password
Ans:- (On system1)
#yum -y groupinstall mariadb*
#systemctl restart mariadb
#systemctl enable mariadb
#firewall-cmd --permanent --add-service=mysql
#firewall-cmd --complete-reload
#mysql_secure_installation
set password - y
zaldebro
#mysql -u root -p
/> create database contacts ;
/> show databases ;
/> flush privileges ;
/> exit==
#wget http://server1.groupX.example.com/materials/users.mdb
#mysql -u root -p contacts <users.mdb
#mysql -u root -p contacts
/>create user raikon@'localhost' identified by 'zaldebro' ;
/>grant update,insert,delete,select on contacts.* to raikon@'localhost' ;
/>flush privileges;
/>exit
#vim /etc/my.cnf
skip-networking=1
#systemctl restart mariadb
Qsn8. Query database
use the d atabase contacts on system1 and the appropriate sql queries to
answer the following question
what is the first name of person whose password is solicitous ?
Ans:- (On system1)
#mysql -u root -p contacts
/> show tables;
/> describe tablename ;
/> select * from tablename where field_name='field_value' ;
Qsn9. IMplement dynamic web content
configure your webserver on system1 to provide dynamic web content as
follows:
dynamic content is provided by a virtual host named alt.groupx.example.com
the virtual host listen on port 8909
download a copy of script at
http://server1.groupx.example.com/materials/webinfo.wsgi and place it in an
appropriate location for
your virtual host so that it genrate dynamic web content. don not alter or
change the content of the file in any way
clients connecting to http://alt.groupx.example.com:8909/ should receive a
dynamicaly genrated webpage
the location http://alt.groupx.example.com:8909 must be accessble to all
system in the domain groupx.example.com
Ans:- (on system1)
#yum -y install httpd*
#yum -y install mod_wsgi
#wget http://server1.groupX.example.com/materials/webinfo.wsgi
#mv webinfo.wsgi /var/www/html
#restorecon -vvFR /var/www/html/webinfo.wsgi
#ls -ldZ /var/www/html/webinfo.wsgi
#vim /etc/httpd/conf.d/webinfo.conf
listen 8909
<virtualhost 172.24.X.30:8909>
servername alt.groupX.example.com
wsgiscriptalias / /var/www/html/webinfo.wsgi
</virtualhost>
<directory /var/www/html>
oreder allow,deny
allow from 172.24.X.0/24
</directory>
#semanage port -a -t http_port_t -p tcp 8909
#systemctl restart httpd
#systemctl enable httpd
#firewall-cmd --permanent --add-port=8909/tcp
#firewall-cmd --complete-reload
#firewall-cmd --permanent --add-service=http
#firewall-cmd --complete-reload
ON SYSTEM2
#firefox http://alt.groupX.example.com:8909
Qsn10. IMplement a web server
implement a webserver on system1 for the site
http://system1.groupx.example.com and perform the following steps
download http://server1.groupx.example.com/materials/station.html
rename the downloaded file to index.html do not make modification to the
content of this file
copy this index.html to the documentroot of your webserver
clients within groupx.example.com should be able to access the webserver
clients with in my133t.org should not have acces the webserver
Ans:- (on system1)
#wget http://server1.groupX.example.com/materials/station.html
#mv station.html /var/www/html/index.html
#restorecon -vvFR /var/www/html/index.html
#ls -ldZ /var/www/html/index.html
#vim /etc/httpd/conf.d/abc.confmkdir
<virtualhost 172.24.X.30:80>
servername system1.groupX.example.com
documentroot /var/www/html
</virtualhost>
<directory /var/www/html>
order allow,deny
allow from 172.24.X.0/24
</directory>
#systemctl restart httpd
ON SYSTEM 2
#firefox http://system1.groupX.example.com
Qsn11. configure a virtual host
extend your webserver on system1 to inculde a virtualhost for the site
http://www.groupx.example.com then perform the following step
set the document root for the virtual host to /var/www/virtual
download http://server1.groupx.example.com/materials/www.html
rename the downloaded file index.html do not make any modification to the
content of this file
place this file in the document root of the virtual host
the usr floyd must be able to create content in /var/www/virtual
NOTE- the original webstie http://system1.groupx.example.com must still be
accessible. dns resolution for the host name www.groupx.example.com
is[kiosk@foundation0 Desktop]$ rht-vmctl view all
allready provided by the name server groupx.example.com.
Ans:- (on system1)
#mkdir /var/www/virtual
#wget http://server1.groupX.example.com/materials/www.html
#mv www.html /var/www/virtual/index.html
#restorecon -vvFR /var/www/virtual
#restorecon -vvFR /var/www/virtual/index.html
#ls -ldZ /var/www/virtual/index.html
#vim /etc/httpd/conf.d/www.conf
<virtualhost 172.24.X.30:80>
servername www.groupx.example.com
documentroot /var/www/virtual
</virtualhost>
<directory /var/www/virtual>
require all granted
</directory>
#setfacl -m u:floyd:rwx /var/www/virtual
#systemctl restart httpd
ON SYSTEM 2
#firefox http://www.groupX.example.com
Qsn12. Configure web content access
on your webserver on system1 create directory name private under the
document root directory and configure as follows:
download a copy of the file
http://server1.groupx.example.com/materials/private.html into this directory and
rename it index.html do not make
any modification to the content of this file.
the contents of private should be visible to anyone browsing from system1
(including localhost) but should not be accessible from other location
Ans:- on system1
#mkdir /var/www/html/private
#wget http://server1.groupX.example.com/materials/private.html
#mv private.html /var/www/html/private/index.html
#restorecon -vvFR /var/www/html/private
#restorecon -vvFR /var/www/html/private/index.html
#ls -ldZ /var/www/html/index.html
#vim /etc/httpd/conf.d/abc.conf
<directory /var/www/html/private>
order allow,deny
allow from 172.24.X.30
</directory>
#systemctl restart httpd
ON SYSTEM 2
#firefox http://system1.groupx.example.com/private
Qsn13. link aggrigation
configure a network name link between system1.groupx.example.com and
system2.groupx.example.com according to the following requirements
the link uses the interfaces eth1 and eth2
the link will continue to functions even if one of the underlying
interfaces or network is down
the link interface on system1has the address 172.16.x.25/24
the link interface on system2 has the address 172.16.x.25/24
the link is active after a system reboot.
Ans:- (Same thing on both systems SYSTEM1 and SYSTEM2)
#nmcli connection add type team con-name team1 ifname team1 config
'{"runner": {"name": "activebackup"}}'
#nmcli connection show
#nmcli connection modify team1 ipv4.addresses 172.16.10.25/24
#nmcli connection modify team1 ipv4.method static
#ifconfig
#nmcli connection add type team-slave con-name team1_port1 ifname eth1
master team1
#nmcli connection add type team-slave con-name team1_port2 ifname eth2
master team1
#nmcli connection show
#teamdctl team1 stat
#ping -I team1 172.16.10.25
Qsn14. MAIL service
configure mail on both system1 and system2
the system donot accpet incoming email from external resources
any mail send locally on these system is automatically routed to
server1.groupx.example.com
mail sent from these systems show up as coming from groupx.example.com
you may test your configuration by sending eamil to the localuser arthur
+. the system server1.groupx.example.com has been configured drop email for
this user into
http://server1.groupx.example.com/recieved_mail/11
Ans:- (Same thing on both systems SYSTEM1 and SYSTEM2)
#yum -y install postfix*
#vim /etc/postfix/mainf.cf
inet_interfaces = localhost
Mydestination =
Relayhost = [server1.groupX.example.com]
Mynetwork = 127.0.0.0/8
Myorigin = groupX.example.com
#systemctl restart postfix
#systemctl enable postfix
#firewall-cmd --permanent --add-service=smtp
#firewall-cmd --complete-reload
#mail arthur
(for checking mail click on this link
http://server1.groupX.example.com/recieved_mail/11)
Qsn15. configure ipv6
configure the eth0 on your exam system with the following ipv6 addresses
system1 should have the address 200a:ac18::a05/64
system2 should have the address 200a:ac18::a0a/64
Ans:- (ON SYSTEM1)
#nmcli connection show
#nmcli connection modify "eth0" ipv6.addresses 200a:ac18::a05/64
#nmcli connection modify "eth0" ipv6.method static
#ifconfig
#ping6 200a:ac18::a05
(ON SYSTEM2)
#nmcli connection show
#nmcli connection modify "eth0" ipv6.addresses 200a:ac18::a0a/64
#nmcli connection modify "eth0" ipv6.method static
#ifconfig
#ping6 200a:ac18::a0a
Qsn16. Configure your system to use a default repository:-
A yum repository has been provided at
http://server1.net13.example.com//rhel
Ans:- #vim /etc/yum.repos.d/server.repo
[server]
gpgcheck=0
enabled=1
baseurl=http://server1.net13.example.com/rhel
Qsn17. Script
create a script on system1 named /root/foo.sh that does the following
when run as /root/foo.sh redhat it produces the output fedora on stdout
when run as /root/foo.sh fedora it produces the output redhat on stdout
when run without arguments or any other arguments other than redhat or
fedora, it sends the following output to stderr:
/root/foo.sh redhat|fedora
Ans:- #vim /root/foo.sh
#!/bin/bash
if [ "$1" == "redhat" ]
then
echo "fedora"
elif [ "$1" == "fedora" ]
then
echo "redhat"
else
echo "/root/foo.sh redhat|fedora"
fi
Qsn.18 user environment 17
create a custom command called qstat on both system1 and system2 that
runs the command: /bin/ps -Ao pid,tt,user,fname,rsz
this command should be available to all usres on the system.
Ans:- #vim /etc/bashrc
alias qstat="/bin/ps -Ao pid,tt,user,fname,rsz"
#reboot
Qsn.19 SSH Configure 17
configure SSH access as follows:
users have remote SSH access to your virtual systems from within
group10.example.com
client within my133t.org should not have access to ssh on your systems.
Ans:- #yum -y install openssh*
#vim /etc/hosts.deny
sshd : 172.26.20.0/24
#systemctl restart sshd
#systemctl enable sshd
#firewall-cmd --permanent --add-service=ssh
#firewall-cmd --complete-reload
Qsn20. Port forwarding
configure port forwarding in your machine system1 such that forward all
incoming connection on port 5909/tcp
on the firewall to port 80/tcp of the machine with the 172.26.1.0/24
Ans:- #firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source
address=172.26.1.0/24 forward-port port=5909 protocol=tcp to-port=80'
#firewall-cmd --permanent --complete-reload
Qsn21. Create a script name makeusers in /root directory when an argument
file.txt pass in front of this script then users listed in this file
created with /bin/false sheel. When file name is different then error shows file
not found if file is not pass an argument then error shows please write
command again. Download this file from http://classroom.example.com/pub/file.txt
Ans:- #vim /root/makeusers
#!/bin/bash
if [ "$#" -lt 1 ]
then
echo "please write command again"
exit 0
fi
if [ -f $1 ]
then
for users in `cat $1`
do
adduser -s /bin/false $users
done
else
echo "file not found"
fi