Rhce Exam Rhel5

Systemnotes.org RHCE Study Guide for RHEL5

v1.0 2007/12/02

It is very important to study the official objectives for any exam, as that is the only way to know what to expect. It is not meant to replace official training courses and manuals, but is meant to help students quickly review, so they can determine where to focus their efforts and study in more detail.

This guide is based on the official redhat objectives for the RHEL5 exam see: https://www.redhat.com/certification/rhce/prep_guide/

This guide is freely available from http://systemnotesorg.blogspot.comhttp://systemnotesorg.blogspot.com/2007/12/rhce-study-guide-for-rhel5.html

For more detailed study info on each objective see:http://systemnotesorg.blogspot.com/search/label/RHCE

This guide was prepared by looking at each objective, and asking the questions:

-- What could they ask in order to test for knowledge of this objective?, or -- What kind of troubleshooting might be required?-- How can this requirement be met?

Q: is used to denote possible questions, and A: for possible answers.

Note that there may be more than one answer based on what the objective is, or depending which method is preferred to meet the objective. Some items and ideas were taken from labs in the RHCE course book, and great care was taken to not give away any hints about what might be on the exam, other than what the labs and official objectives lead one to infer.

of 17

https://www.redhat.com/certification/rhce/prep_guide/

http://systemnotesorg.blogspot.com/search/label/RHCE

http://systemnotesorg.blogspot.com/

http://systemnotesorg.blogspot.com/2007/12/rhce-study-guide-for-rhel5.html


RHCT skillsTroubleshooting and System Maintenance

RHCTs should be able to:

1) boot systems into different run levels for troubleshooting and system maintenance

boot single to set root password, or fix mounting, or init problemQ: Machine won't bootA: modify /boot/grub/grub.conf root (hd0,0)A: Check files

/etc/rc.local/etc/inittab

A: Fix initrdmkinitrd initrd-`uname -r`.img `uname -r`Q: root password not knownA: 1) boot single (at grub screen, "a", "space", "1", enter), 2) passwd rootItems to study: grub, initrd,vmlinuz, inittab, rc.sysinit...

2) diagnose and correct misconfigured networking

system-config-network, orvi /etc/sysconfig/network-scripts/ifcfg-eth0

check IPADDR, NETMASK, GATEWAY ONBOOT=yes

PEERDNS=novi /etc/sysconfig/network

3) diagnose and correct hostname resolution problems

/etc/resolv.conf/etc/hosts

4) configure the X Window System and a desktop environment

Remember X troubleshooting should be done from the command prompt, andnot within X.

Files:/etc/X11/xinit/xinitrc.d/etc/X11/xorg.conf

of 17


Q: Boot to XA: Set runlevel 5 in /etc/inittab

vi /etc/inittabchangeid:3:initdefault:toid:5:initdefault:

Q: X won't loadA: Check config filesA: system-config-display --reconfigA: /tmp or /home is full

5) add new partitions, filesystems, and swap to existing systems

This one is a little hard to explain. It just takes some practice to understand.Tools available:fdisk /dev/hda

t / fd (raid)partprobemdadm -C /dev/md0 -l 5 -n 3 /dev/hda6 /dev/hda7 /dev/hda8mke2fs -j /dev/md0Q: mount something, such as: /dev/hda7 on /dataA: make directory, mount, modify /etc/fstab

1) mkdir /data2) mount -t ext3 /dev/hda7 /data3) vi /etc/fstab/data /data ext3 defaults 1 2

view or change label: e2label /dev/hda2 e2label /dev/vg0/data0 /data

6) use standard command-line tools to analyze problems and configure systemls, cp, mv, rm, tail, cat, etcsystem-config-<tab>

of 17


Installation and Configuration

RHCTs must be able to:

1) perform network OS installation

Enter the nfs, or ftp server address and path

2) implement a custom partitioning scheme

Probably easiest during GUI install

3) configure printing

probably the easiest thing to do is use:system-config-printer

/etc/cups/cupsd.conflpadminlpstat, lpqreject disableaccept /usr/bin/enable

4) configure the scheduling of tasks using cron and at

Understand how cron fields work:min hr month_day month weekday

copy script to /etc/cron.daily, /etc.cron.monthly, etc. orModify /etc/crontab: crontab -eList cron jobs: crontab -l

Add an at job: at [-f file] TIMEView at queue: atqRemove at jog: atrm job

5) attach system to a network directory service, such as NIS or LDAP

1) Install ypbind, portmap 2) system-config-authentication

check: Enable NIS Support, or Enable LDAP Supportclick: Configure NIS..., or Configure LDAP...

3) configure firewall, if requirediptables -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 835:837 -j ACCEPT service iptables save

of 17


test:ypwhichnisdomainname -ygenent servicesgetent passwd smithrpcinfo -p

files:/etc/yp.conf/etc/sysconfig/network/etc/pam.d/system-auth/etc/nsswitch.conf

6) configure autofs

/etc/auto.master/home/guests /etc/auto.guests --timeout=60

/etc/auto.guests* -rw,soft,intr server1:/home/guests/&

service autofs restartchkconfig portmap onchkconfig autofs on

7) add and manage users, groups, quotas, and File Access Control Lists

Q: Create group, add users, set primary groupA: Use groupadd, useradd, usermod

groupadd -g 1000 groupnameuseradd usernameusermod -G groupname username

(-G for primary group)

quotas Q: Setup a 70kb hard block user quota for user tim on /home/tim:A: Use a Hard Block user quota (or Soft depending on question).

1) modify /etc/fstabchange defaults to usrquota for /home

2) mount -o remount /home3) quotacheck -cuf /home4) quotaon /home5) setquota -u tim 0 60 0 0 /home or5a) edquota tim

of 17


Disk quotas for user tim (uid 502): Filesystem blocks soft hard inodes soft hard /dev/hda5 16 0 0 8 0 0

6) repquota /homeor

quota tim7) test

a) quota timb) su - timc) dd if=/dev/zero of=/home/tim/somefile bs=1024 count=70d) ls -lfile should be less than 70 kilobytes

Quota Command to remember:

quotacheck -cuf /homequotaon /homeedquota timquota timrepquota /home

*** Lab: Set a user soft block quota of 1MB for user diskhog on /blackhole, (or hard block, hard / soft inode). Know when to use each type of quota ***

Enable quotas:

quotacheck -cuf /blackholequotaon /blackhole

Set Quota: block inode h s h s

setquota -u diskhog 0 1024 0 0 /blackholeoredquota -u diskhog

Report on Quota for user or directory:

quota -u diskhogrepquota /blackhole

Passworddefaults:

/etc/login.defschage [options] username

of 17


password files:/etc/passwd/etc/shadow/etc/group

8) configure filesystem permissions for collaboration

Q: Make user alex a member of sales with write permissions to /depts/salesQ: Make user sales, hr, and web groups in /depts/A:mkdir -p /depts/{sales,hr,web}for GROUP in sales hr web;do chgrp $GROUP /depts/$GROUP;donechmod 770 /depts/*chmod g+s /depts/*

Test permissions as alex:su - alex

9) install and update packages using rpm

You may have to mount a directory over nfs, or install directly from http://

rpm -Uvh filenamex.i386.rpmrpm --import /usr/share/rhn/RPM-GPG-KEYrpm -K /tmp/rpmversion.i386.rpm

10) properly update the kernel package

Just remember to use rpm -i, so the old kernel will still be there.

1) mkdir /server12) mount server1:/var/ftp/pub /server13) cd /server1/Redhat/RPMS4) rpm -ivh kernel-*5) vi /boot/grub/grub.conf

default=0

11) configure the system to update/install packages from remote repositories using yum or pup

/etc/yum.conf

12) modify the system bootloader

/boot/grub/grub.conf

of 17


13) implement software RAID at install-time and run-time

fdisk /dev/hdafd (raid)

partprobemdadm -C /dev/md0 -l 5 -n 3 /dev/hda6 /dev/hda7 /dev/hda8mke2fs -j /dev/md0mount /etc/fstabmdadm --detail /dev/md0recover

mdadm /dev/md0 -a /dev/sda1

14) use /proc/sys and sysctl to modify and set kernel run-time parameters

Q: turn on ip forwardardingA: 1) vi /etc/sysctl.conf net.ipv4.ip_forward=1 2) sysctl -p

orecho 1 > /proc/sys/net/ipv4/ip_forward

to view:sysctl -a | grep ipv4to find available options for ipv4:ls /proc/sys/net/ipv4

15) use scripting to automate system maintenance tasks

Maybe put a script in /etc/cron.daily?Login Shell Scripts/etc/profile/etc/profile.d/*.sh~/.bash_profile~/.bashrc/etc/bashrc

of 17


RHCE skillsTroubleshooting and System Maintenance

RHCEs must demonstrate the RHCT skills listed above, and should be able to:

1) use the rescue environment provided by first installation CD

linux rescue

2) diagnose and correct boot failures arising from bootloader, module, and filesystem errors

init/etc/rc.d/rc.sysinit/etc/rc.d/rc adn /etc/rc.d/rc?.d/etc/rc.d/rc.localgrub/boot/grub/grub.conffilesystem/etc/fstabfsck /dev/hda

3) diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)

4) add, remove, and resize logical volumes

LVM - Hint: use apropos quota, or just lvm to find commands. Q: expand or shrink logical volume (RHCE) A: Make sure there is enough space, and volume is online, use vgconvert if necessary

ext2online /dev/vg0/data0 120Mlvextend -L +100M /dev/vg0/data0lvreduce -L 120M /dev/vg0/data0vgdisplay -v vg0pvdisplaylvdisplay

Q: Create a logical volume A: First create physical volume, then volume group, then logical volume PV -> VG -> LV

pvcreate /dev/hda6 /dev/hda7 /dev/hda8vgcreate vg0 /dev/hda6 /dev/hda7lvcreate -L 50M -n data0 vg0ext2online /dev/vg0/data0 lvextend -L +6M /dev/vg0/data0

of 17


resize2fs -L /dev/vg0/data0 40Mlvreduce -L 40M /dev/vg0/data0 vgconvert

5) diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.

SELinux getenforce

setenforce 1check context with ls -ZQ: Set up directory to use context of another directoryA: Use the other directory as a reference

chcon -R --reference /var/www/html /var/www/html/www1

of 17


Installation and Configuration

RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services:

1) HTTP/HTTPS

install httpd, check context with ls -ZQ: Create a virtual host www1.example.com w/ subdirectory /var/www/html/www1A: 1) install httpd, modify /etc/httpd/conf/httpd.conf file

<VirtualHost 192.168.0.1:80>ServerName www1.example.comDocumentRoot /var/www/html/www1

</VirtualHost> 2) chcon -R --reference /var/www/html /var/www/html/www1 3) service httpd restart 4) chkconfig httpd onTesting

service httpd configtest

2) SMB

Q: Configure Samba share /home/depts/legal1) install samba

rpm -Uvh samba-* system-config-samba*(optional)2) vi /etc/samba/smb.conf

[sharename]path = /home/depts/legalbrowseable = nowriteable = no

3) configure firewallport 445, 137-139

3) NFS

Q: Export /data directory with nfsThe nfs server is an RPC service, and thus requires portmapA: Modify /etc/exports, start nfs & portmap (make sure /data directory exists)1) modify /etc/exports

/data *(sync,rw)2) start services

service nfs startservice portmap start

of 17


chkconfig nfs onchkconfig portmap on

3) verify config, & check mountsexportfs -vshowmount -e localhostrpcinfo -p localhost

4) restartexportfs -r, orservice nfs reload

Q: Mount server1:/var/ftp/pub with nfs on /server11) mkdir /server12) vi /etc/fstab

192.168.2.254:/var/ftp/pub /server1 nfs soft,defaults 0 03) mount -a

* configure autofsAutomountQ: Configure automount for nfs mount from nis domain on server1A: 1) mkdir /net 2) vi /etc/auto.master

# uncomment /net line/net /etc/auto.net

3) start servicesservice portmap startservice autofs startchkconfig autofs onchkconfig portmap on

Q: Configure automount for nfs mount of /rhome directories from nis domain on server1A: Create base directory 1) mkdir /rhome 2) vi /etc/auto.master

# copy and modify /misc line/rhome /etc/auto.rhome

3) vi /etc/auto.rhome* -rw,soft.intr server1:/home/guests/&

4) start servicesservice portmap startservice autofs startchkconfig autofs onchkconfig portmap on

of 17


4) FTP

Q: Configure ftp with /var/ftp/incoming directoryA:install vsftpd1) rpm -Uvh vsftpd*2) service vsftpd start3) chkconfig vsftpd on4) create incoming directory

cd /var/ftpmkdir incomingchown root:ftp fincomingchmod 730 incoming

5) vi /etc/vsftpd/vsftpd.confuncomment the lines -- #anon_upload_enable=YES#chown_uploads=YES#chown_username=whoeveraddanon_umask=077

6) service vsftpd restart7) configure firewall

iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPTservice iptables save

5) Web proxy

Q: Install a web proxy and allow a certain network to access itA: Install & configure squid1) install squid, and start the service

rpm -ivh --aid squid*service squid startchkconfig squid on

2) vi /etc/squidacl example src 192.168.0.0/24http_access allow example

3) service squid reload4) Configure browser to test:

Edit / Preferences /General / Connection SettingsManual proxy configuration / HTTP Proxy: localhost Port: 3128

Enable port in firewall, if requirediptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 3128 -j ACCEPTservice iptables save

of 17


Useful parameters:http_port 3128cache_mem 8 MBcache_dir ufs /var/spool/squid 100 16 256acl all src 0.0.0.0/0.0.0.0http_access allow localhosthttp_access deny all

hint: find out that port number is 3128grep squid /etc/services

6) SMTP

install sendmail, sendmail-cf, sendmail-doc (optional)

Q: Configure mail server to accept internet emailA: modify /etc/mail/sendmail.mc

1) cd /etc/mail2) vi /etc/mail/sendmail.mc

search for 127.0, put dnl at the front of the line3) make

or m4 sendmail.mc > sendmail.cf service sendmail restart

Q: Mail aliasA: modify /etc/aliases, run newaliasesQ: Receive mail for DomainX.example.comA: modify sendmail mc as above, and add domain to /etc/mail/local-host-names

domainx.example.com

Debugging: mail -v root mailq, mailq -Ac sendmail -q tail -f /var/log/maillog

7) IMAP, IMAPS, and POP3

Q: Configure for pop3 (or imap)A: 1) install dovecot 2) vi /etc/dovcot.conf

protocols = pop3 3) service dovecot restart 4) chkconfig dovecot onTesting:note: root is not permitted to login

of 17


echo "pop" | mail -s test studenttelnet localhost 110user studentpass studentstatlistretr 1quit

8) SSH

/etc/ssh/~/.ssh/

9) DNS (caching name server, slave name server)

Q: Setup a slave name serverA: 1) install bind, bind-utils, and caching-nameserver2) when configuring a slave name server, start with caching, and modify3) vi /etc/named.conf

comment out dump-file sectionadd:zone "example.com" { type slave; masters { 192.168.0.254 }; file "slaves/slave-example.com.zone";};

4) vi 0.168.192.in-addr.arpaadd:zone "0.168.192.in-addr.arpa" { type slave; masters { 192.168.0.254 }; file "slaves/0.168.192.zone";};

To verify: named-checkconf named-checkconf -t /var/named named-checkzone example.com example.com.zone5) start named, and make it start at boot service named restart; tail -f /var/log/messages | grep named chkconfig named onRemember to check /etc/resolv.conf on all client machines.

of 17


10) NTP

/etc/ntp.conf

For each of these services, RHCEs must be able to:

1) install the packages needed to provide the service

rpm -Uvh packagename.rpm, oryum install packagename

2) configure SELinux to support the service

getenforcesetenforce 1check context with ls -Zchcon -R --reference /var/www/html /var/www/html/www1

3) configure the service to start when the system is booted

chkconfig servicename on

4) configure the service for basic operation

different for each service

5) Configure host-based and user-based security for the service

setuid?/etc/xinet.d/

RHCEs must also be able to:

1) configure hands-free installation using Kickstart

2) implement logical volumes at install-time

3) use iptables to implement packet filtering and/or NAT

iptables is usually configured to be as restrictive as possible, but thismay be difficult to implement in an exam environment. Read the instructionscarefully, and try to find the best way to implement it.

of 17


--- commands ---iptables -Liptables -Fservice iptables saveservice iptables restartchkconfig iptables on

--- starting config ---iptables -P INPUT DROPiptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT

--- sample file ---cat /etc/sysconfig/iptables*filter:INPUT DROP [67:11217]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [58:6450]-A INPUT -s 192.168.0.10 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 192.168.0.1 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s 192.168.0.254 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 192.168.0.254 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 445 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 2049 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 2049 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 110 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3128 -j ACCEPT -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 835:837 -j ACCEPT COMMIT

4) use PAM to implement user-level restrictions

/lib/security//etc/pam.d/

of 17

Rhce Exam Rhel5

Documents

Transcript of Rhce Exam Rhel5