Wednesday 16 February 2011

Red Hat EX300 Objectives and solutions

I. System Configuration and Management

  • Route IP traffic and create static routes

Using a Linux system as a router is nothing new - in fact many routers run some flavor of Linux. To perform this task you need a system with at least 2 interfaces (physical, virtual, or vlans) to route traffic through.

The base of the actions I will be performing is from http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch03_:_Linux_Networking

SCENARIO:
RHEL6 server with 2 interfaces: eth0 and eth1. eth0 is configured with address 192.168.10.1/24, eth1 is configured with address 192.168.20.1/24. Hosts on either segment will use this server as their default gateway in order to access resources on the other segment.

STEP 1: Enable IP Forwarding
Edit /etc/sysctl.conf and find the line net.ipv4.ip_forward = 0
Change the value of this line to 1, save and exit the file
Execute sysctl -p to reload the file (or simply reboot)

STEP 2: Enable firewall to forward packets
Use the iptables command to enable forwarding of specific packets and traffic type.
example: Enable ICMP by executing iptables -I FORWARD -p icmp -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
When things are confirmed to be working, save the firewall rules so they reapply during a reboot by executing iptables-save > /etc/sysconfig/iptables

#netstat -rn
#route -n

#route add -net 10.40.206.0 netmask 255.255.254.0 gw 10.40.204.3 dev eth0
#ip route add 10.40.206.0/23 via 10.40.204.3 dev eth0

To make the route permanent, create /etc/sysconfig/network-scripts/route-eth0 with the entries

  • Use iptables to implement packet filtering and configure network address translation (NAT)
Assuming you know basic networking, routing, and firewalling, basic packet filtering in RHEL is fairly easy. While you can get quite complex with solutions, all we are worrying about here is basic filtering.

Packet filtering in RHEL6 is controlled using a program called iptables. You can find the syntax for managing the tables by running iptables -h, or for more detail use man iptables. You can view the currently implemented rules by running iptables -L, or by viewing the file /etc/sysconfig/iptables (these are the rules loaded at startup). Viewing the /etc/sysconfig/iptables file is probably the easiest way to understand the syntax needed to add/modify the rules.

Configuring NAT
NAT'ing is similar to the process of setting up routing, except the firewall rules are different. Here I will be using the information from http://www.revsys.com/writings/quicktips/nat.html as a basis for the below steps.
SCENARIO: Your server has 2 network cards: eth0 and eth1. The external network (internet) is connected to eth0, and the internal network is connected to eth1. You want all hosts from eth1 to be able to access resources on eth0 via a NAT'ed connection.


STEP 1: Enable IP Forwarding
Edit /etc/sysctl.conf and find the line net.ipv4.ip_forward = 0
Change the value of this line to 1, save and exit the file
Execute sysctl -p to reload the file (or simply reboot)

STEP 2: Enable Masquerading
Execute the following commands to enable Masquerading (NAT'ing)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Execute iptables-save > /etc/sysconfig/iptables to save the rules

  • Use /proc/sys and sysctl to modify and set kernel run-time parameters
cat /etc/sysctl.conf
ls /proc/sys

sysctl -a

sysctl -p

sysctl -w net.ipv4.icmp_echo_ignore_all=1

edit /etc/sysctl.conf and add the line for persistent value

cat /proc/sys/net/ipv4/icmp_echo_ignore_all

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all 


In its simplest form, this is a fairly straightforward task. If you view the file /etc/sysctl.conf, you will see several attributes with their appropriate values; these are the values applied at startup.
This file can be edited directly with a text editor, then the values reloaded by executing sysctl -p

These values can also be changed at runtime by modifying the values under /proc/sys. For instance, in /etc/sysctl.conf there is an attribute named net.ipv4.ip_forward; this attribute can also be viewed or modified as /proc/sys/net/ipv4/ip_forward.
To view the running value, run cat /proc/sys/net/ipv4/ip_forward
To change the running value, run echo 1 > /proc/sys/net/ipv4/ip_forward

The kernel attributes and values available to change can be found by either browsing the /proc/sys folders, or by running sysctl -a
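As an added example (not from the post): a small audit script that reads the /proc/sys files behind a list of sysctl keys and compares them with a baseline, so a value changed with sysctl -w or echo can be caught; the function names and the baseline values are constructed here.

```shell
#!/bin/bash
# Added example (not from the post): audit kernel run-time parameters against a
# baseline by reading the /proc/sys files that sysctl keys map to.
# Assumed layout: the baseline is "key value" lines, one per line.

# sysctl_path KEY [ROOT]: the /proc/sys path for a sysctl key.
# Dotted keys (net.ipv4.ip_forward) become net/ipv4/ip_forward. Keys written
# with "/" separators are kept as-is, which is how sysctl itself handles
# interface names that contain dots (net/ipv4/conf/eth0.100/rp_filter).
# ROOT defaults to /proc/sys; a different root lets the audit run against a
# copied or constructed tree.
sysctl_path() {
    local key="$1" root="${2:-/proc/sys}"
    case "$key" in
        */*) printf '%s/%s\n' "$root" "$key" ;;
        *)   printf '%s/%s\n' "$root" "$(printf '%s' "$key" | tr '.' '/')" ;;
    esac
}

# sysctl_audit ROOT < baseline
# Prints "OK key=value", "MISMATCH key=value expected=..." or "MISSING key"
# per baseline line; returns 1 if any key is missing or differs.
sysctl_audit() {
    local root="$1" key want path have rc=0
    while read -r key want; do
        case "$key" in ''|'#'*) continue ;; esac      # blank lines and comments
        path=$(sysctl_path "$key" "$root")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s\n' "$key"
            rc=1
            continue
        fi
        read -r have < "$path" || :
        if [ "$have" = "$want" ]; then
            printf 'OK %s=%s\n' "$key" "$have"
        else
            printf 'MISMATCH %s=%s expected=%s\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed baseline for a host that is not a router: forwarding off,
# pings answered, reverse-path filtering on.
BASELINE='net.ipv4.ip_forward 0
net.ipv4.icmp_echo_ignore_all 0
net.ipv4.conf.all.rp_filter 1'

# Stand-alone run against the live kernel (skipped where /proc/sys is absent).
if [ -d /proc/sys ]; then
    printf '%s\n' "$BASELINE" | sysctl_audit /proc/sys || echo "baseline drift detected" >&2
fi
```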
  • Configure system to authenticate using Kerberos

This is a new objective for RHEL6; previously the objective was to set up NIS. Apparently they realized that nobody uses NIS any more and updated the requirements.
Personally, I have been using a tool called Likewise Open (http://www.likewise.com/products/likewise_open/) that enables Linux systems to join an AD domain. Since I doubt this is the solution Red Hat is looking for, it's back to the books for this one.
STEP 1: Ensure all packages are installed
For this to work properly, you need both the Kerberos and Samba packages installed
yum install krb5-server pam_krb5 samba samba-common samba-winbind samba-client samba-winbind-clients

STEP 2: Configure the system to authenticate
Execute system-config-authentication and choose winbind for the account database
For security model, select ads
Under winbind domain, enter the short-name for the domain (i.e. without the .com)
Under ADS Realm, enter the FQDN of the domain
Under Domain Controllers, enter your preferred domain controller
Select a desired shell template
Click Join Domain and enter the credentials

STEP 3: Confirm
Log out of the system and attempt to log in using domain\user as the username

NOTE: This may be all wrong. I can't find any specific details on what Red Hat is looking for here (i.e. Kerberos authentication via winbind)
  • Build a simple RPM that packages a single file
This is an interesting objective - something that I have never had to do before. After looking around at various tutorials and such, the wording of the objective is even more confusing - RPM packages are designed to install programs, not just copy a file. For example, there is a great how-to for creating RPM packages at http://fedoraproject.org/wiki/PackageMaintainers/CreatingPackageHowTo.

A few days looking and I actually came upon a need to create a package - I want to have a silent install of Linux in our datacenter that copies custom scripts to the systems. The best way to handle this would of course be to build an RPM package that included just the one script. A little Googling and bingo! http://lincgeek.org/blog/?p=303 has just the information I needed on how to package a single file and direct it to install into a specific location.

STEP 1: Install the necessary packages
Each site you go to says something different, but it appears that the rpmdevtools contains all you need -- yum install rpmdevtools

STEP 2: Setup the folder structure
mkdir -pv rpm/{BUILD,RPMS,SOURCES,SPECS,SRPMS,tmp}

STEP 3: GZip the source file
Assuming you have a script named HelloWorld.sh

  1. Move to the rpm/SOURCES folder
  2. Make a temporary directory with a '-1' at the end -- mkdir HelloWorld-1
  3. GZip the source -- tar czvf HelloWorld-1.tar.gz HelloWorld-1/
STEP 4: Create the spec file
This is the hard part - configuring the RPM on what to build, install, and configure. A sample spec file can be created by running rpmdev-newspec SPECS/HelloWorld.spec, but there is still a lot to add and remove to make this work.
Below is a spec file I created using the sample file
Name:           RandomRootPass
Version:        1
Release:        1%{?dist}
Summary:        Random Root Password changer

Group:          Misc
License:        GPL
#URL:            http://localhost
Source0:        RandomRootPass-1.tar.gz
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)


#BuildRequires:
#Requires:

%description
Script to reset the root password to a random value

%prep
%setup -q


%build


%install
#rm -rf $RPM_BUILD_ROOT
#make install DESTDIR=$RPM_BUILD_ROOT
install -m 0755 -d $RPM_BUILD_ROOT/opt/RandomRootPass
install -m 0755 RandomRootPass.pl $RPM_BUILD_ROOT/opt/RandomRootPass/RandomRootPass.pl


%clean
#rm -rf $RPM_BUILD_ROOT


%files
%dir /opt/RandomRootPass
/opt/RandomRootPass/RandomRootPass.pl

#%defattr(-,root,root,-)
#%doc



#%changelog


STEP 5: Build the RPM
Once the spec file is complete, build the package with rpmbuild -ba SPECS/HelloWorld.spec. Assuming no errors occurred, your package is under the RPMS folder. Otherwise attempt to decipher the errors and try again.
  • Configure a system as an iSCSI initiator that persistently mounts an iSCSI target
Wonderful iSCSI - the cheap man's method of SAN connectivity. A quick update on terminology - the iSCSI initiator is the client that initiates the connection, the iSCSI target is the server providing the storage.

The first thing to do is set up an iSCSI target - this is not a role provided by Red Hat out of the box, and the exam objective doesn't seem to state that it is expected. The easiest method I have seen of setting up a target is to use openfiler (http://www.openfiler.com/); it's a quick install and a fairly easy configuration. There is a nice walkthrough at http://www.techhead.co.uk/how-to-configure-openfiler-v23-iscsi-storage-for-use-with-vmware-esx that details how to set up the filer for iSCSI.

Once set up, we now need to configure the iSCSI initiator. There is a great article on doing this at http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-iscsi-howto.html

STEP 1: Install necessary packages
yum install iscsi-initiator-utils
service iscsi start

STEP 2: Configure initiator
Execute iscsiadm -m discoverydb -t sendtargets -p 192.168.10.1 -D to perform the discovery
Use fdisk to view all partitions and identify the new disk fdisk -l (should be something like /dev/sdb)
Use fdisk to create a partition, then execute mkfs.ext4 /dev/sdb1 to format it as ext4

STEP 3: Make the disk mount persistent
Execute chkconfig iscsi on
Because the device name can change between reboots, Red Hat suggests mounting the partition by its UUID; execute ls -l /dev/disk/by-uuid to find the UUID of the new disk
Edit /etc/fstab to configure the disk to mount on startup (should already be an example for /boot)
  • Produce and deliver reports on system utilization (processor, memory, disk, and network)
sar appears to be the tool to save the day here. Installed and running by default, the sysstat package contains tools that capture system performance throughout the day, and automatically summarizes it for you. Generating utilization reports is then a simple matter of knowing the right sar command to execute. If all else fails, simply try man sar.

  • Processor
    • Basic processor report: sar or sar -u
    • Basic report every second for the next 10 seconds: sar 1 10
    • Load average: sar -q
    • Per processor statistics: sar -P ALL
    • Power management (not enabled by default): sar -m
  • Memory
    • Kernel paging: sar -B
    • Unused memory: sar -r
    • Swap space: sar -S
  • Disk
    • Disk IO stats (avg): sar -b
    • Disk IO stats: sar -d (-p to use pretty names)
  • Network
    • Network statistics: sar -n DEV
    • Network errors: sar -n EDEV
  • Everything
    • All reports simultaneously: sar -A
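As an added example (not from the post): a helper that turns sar -u output into a report of the intervals where the CPU was busy, which is the "deliver a report" half of this objective; the function names and the sample sar output are constructed.

```shell
#!/bin/bash
# Added example (not from the post): turn "sar -u" output into a short report
# of the intervals where the CPU was busy, the kind of thing a daily
# utilization report wants to highlight. Reads sar text on stdin; run sar under
# LANG=C so decimals use a point.

# sar_busy_intervals THRESHOLD < sar_output
# Prints "HH:MM:SS [AM|PM] idle=NN.NN" for each sample whose %idle is below
# THRESHOLD. The kernel banner, the column header and the "Average:" line are
# skipped. %idle is the last column in both 12-hour and 24-hour locales, so
# the last field ($NF) is used rather than a fixed column number.
sar_busy_intervals() {
    awk -v thr="$1" '
        /^Average:/ { next }
        $NF ~ /^[0-9]+\.[0-9]+$/ && ($NF + 0) < thr {
            stamp = $1
            if ($2 == "AM" || $2 == "PM") stamp = stamp " " $2
            printf "%s idle=%s\n", stamp, $NF
        }'
}

# sar_busy_count THRESHOLD < sar_output: number of samples below THRESHOLD
sar_busy_count() {
    sar_busy_intervals "$1" | wc -l | tr -d ' '
}

# Constructed sample of "sar -u" output (not captured from a real host).
SAMPLE_SAR='Linux 2.6.32-71.el6.x86_64 (rhel6)   02/16/2011   _x86_64_   (2 CPU)

12:00:01 AM     CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM     all      3.12      0.00      1.05      0.42      0.00     95.41
12:20:01 AM     all     48.77      0.00     12.30      5.10      0.00     33.83
12:30:01 AM     all     71.02      0.00     20.11      2.17      0.00      6.70
Average:        all     40.97      0.00     11.15      2.56      0.00     45.31'

# Stand-alone run: list the intervals with less than 20% idle CPU. For a past
# day feed it the saved data, e.g. sar -u -f /var/log/sa/sa15 | sar_busy_intervals 20
printf '%s\n' "$SAMPLE_SAR" | sar_busy_intervals 20
```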
  • Use shell scripting to automate system maintenance tasks
This objective is quite a bit more ethereal than the others - with no clear end game, this could mean almost anything. With that in mind, here are a few of the very basic scripts that I have found to assist in automating management. A good place to find help is the man bash page


  • Doing something to each file in a directory
    •  for i in *; do echo "$i"; done
  • Doing something for each line in a file
    •  while read -r i; do echo "$i"; done < anaconda-ks.cfg
  • Repeating a task every 10 seconds
    • while true; do echo Hello World; sleep 10; done
  • Create a task that occurs the same time every day
    • crontab -e
    • Enter 1 22 * * * echo Hello World
  • Create a task that occurs once at a specific time/day
    • at 10pm Dec 31 [return]
    • echo Hello World [return]
    • [CTRL]+d
  • Creating an executable script
    • Identify a working set of bash commands and save them to a file
    • Add a #!/bin/bash as the first line (not required, but good form)
    • Execute chmod +x foo.sh to make it executable
http://www.linuxconfig.org/Bash_scripting_Tutorial is a great basic overview of bash scripting. Note that all these commands may work differently in a different shell.
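As an added example (not from the post): a maintenance script built from the pieces above, a glob loop over files, a while-read loop over lines and a cron entry, that keeps only the newest N backup archives in a directory; the function names, the backup-YYYYMMDD.tar.gz naming convention and the script path in the cron comment are assumptions.

```shell
#!/bin/bash
# Added example (not from the post): a maintenance script of the kind the
# snippets above build up to. It keeps only the N newest backup archives in a
# directory, looping with a glob rather than the output of ls (file names with
# spaces survive) and with a while-read loop over the list of candidates.
# Assumed naming convention: backup-YYYYMMDD.tar.gz, so that sorting the names
# in reverse order puts the newest first without parsing ls -t.

# prune_candidates DIR KEEP: print the archives that are NOT among the KEEP
# newest, one per line.
prune_candidates() {
    local dir="$1" keep="$2" f
    for f in "$dir"/backup-*.tar.gz; do
        [ -e "$f" ] || continue            # the glob matched nothing
        printf '%s\n' "$f"
    done | sort -r | tail -n +"$((keep + 1))"
}

# prune_backups DIR KEEP [--dry-run]: remove the candidates (or, with
# --dry-run, only report them on stderr) and print how many were affected.
prune_backups() {
    local dir="$1" keep="$2" dry="${3:-}" f count=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue            # empty candidate list
        if [ "$dry" = "--dry-run" ]; then
            printf 'would remove %s\n' "$f" >&2
        else
            rm -f -- "$f"
        fi
        count=$((count + 1))
    done <<EOF
$(prune_candidates "$dir" "$keep")
EOF
    printf '%s\n' "$count"
}

# Stand-alone run in a scratch directory (constructed files, nothing real is
# touched). For the daily job from the crontab step above (assumed path):
#   0 2 * * * /usr/local/sbin/prune_backups.sh
DEMO=$(mktemp -d)
for d in 20110210 20110211 20110212 20110213 20110214; do
    : > "$DEMO/backup-$d.tar.gz"
done
prune_backups "$DEMO" 2 --dry-run
rm -rf "$DEMO"
```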

  • Configure a system to log to a remote system
  • Configure a system to accept logging from a remote system
In prior releases of Red Hat, remote logging was configured via syslogd. In RHEL6, this is replaced with rsyslog.

The first step is to setup a remote server to receive the logging messages, http://www.rsyslog.com/receiving-messages-from-a-remote-system/ has a great walkthrough on setting this up.

  1. Edit /etc/rsyslog.conf and clear the # before the lines allowing syslog reception
    1. $ModLoad imudp.so
    2. $UDPServerRun 514
    3. $ModLoad imtcp.so
    4. $InputTCPServerRun 514
  2. Restart the rsyslog daemon - service rsyslog restart
  3. Open the firewall to allow syslog connections
    1. iptables -I INPUT -p tcp --dport 514 -j ACCEPT
    2. iptables -I INPUT -p udp --dport 514 -j ACCEPT
    3. iptables-save > /etc/sysconfig/iptables
The next step is to configure the local system to send messages, http://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/ has a great walkthrough on setting this up
  1. Edit /etc/rsyslog.conf and enter the below line (using the appropriate IP or DNS name)
    1. *.*   @@192.168.10.1:514
  2. Restart the rsyslog daemon - service rsyslog restart
Test the configuration by running logger -p warn foo. This will log a message in the local /var/log/messages and should log a similar message at the same location on the remote server

Network Services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  •  Configure host-based and user-based security for the service
RHCE candidates should also be capable of meeting the following objectives associated with specific services:


HTTP/HTTPS


apachectl start
apachectl stop

  • Configure a virtual host
HTTP virtual hosts allow a single web server to act like multiple web servers, either by publishing to multiple IPs and ports, or by publishing multiple sites and identifying them by name. This feature allows you to publish http://foo.example.com and http://bar.example.com from the same host with a single address, and the server returns the appropriate information based on the site name the customer has typed in.


STEP 1: Create directories to hold the content
cd /var/www
mkdir foo
mkdir bar
echo foo > foo/index.html
echo bar > bar/index.html

STEP 2: Create virtual directories
vi /etc/httpd/conf/httpd.conf
uncomment the line NameVirtualHost *:80
copy the last 7 lines twice, remove the # at the beginning
edit the DocumentRoot and ServerName lines to match your new directories
Save the file and execute service httpd restart
Test

  • Configure private directories
At first glance, this objective can mean 2 things: allowing users to set up public_html directories, or securing directories with configuration files or .htaccess. A great page detailing the setup of HTTP can be found at http://www.brennan.id.au/13-Apache_Web_Server.html

public_html
edit the /etc/httpd/conf/httpd.conf and find the line UserDir disabled. Comment out this line, and uncomment the line UserDir public_html.
Restart the web server - service httpd restart
NOTE: There may be multiple layers of security blocking access including folder, file and selinux restrictions.
Specifically, ensure the apache user has access to the home and public_html directories, as well as all files under the public_html directory. Additionally, run setsebool -P httpd_enable_homedirs true

Securing directories
edit the /etc/httpd/conf/httpd.conf file and add a Directory block for the folder to protect (the path below is a placeholder)

<Directory /var/www/html/private>
        AuthType Basic
        AuthName "Private area - authorization required"
        AuthUserFile /etc/httpd/conf/authusers
        Require valid-user
</Directory>
Add users to the authusers file - htpasswd -c /etc/httpd/conf/authusers username (use -c only the first time, to create the file; omit it when adding further users)
Restart the web server - service httpd restart
Access should now be restricted to username

.htaccess
This is traditionally used to restrict access to public_html directories since the average user doesn't have access to edit the httpd.conf file.
In the target folder, touch 2 files: .htaccess and .htauthusers
Edit .htaccess and enter the following (note the AuthUserFile appears to need a fully qualified path)
AuthType Basic
AuthName "Private Area"
AuthUserFile /home/username/public_html/private/.htauthusers
Require valid-user
Execute htpasswd .htauthusers username
Access should now be restricted to user username
  • Deploy a basic CGI application
The default apache configuration allows execution of CGI scripts in the /var/www/cgi-bin/ directory. This is controlled by the ExecCGI option for a specified directory. A good reference for this is at http://www.brennan.id.au/13-Apache_Web_Server.html#cgi

An example of this is below

<Directory "/var/www/cgi-bin">
    Options ExecCGI
    SetHandler cgi-script
</Directory>
Once an executable script (chmod +x) is placed in the target directory, it will respond as an executable. A sample CGI script is below to test with; more can be found online with a simple search
helloworld.cgi
#!/usr/bin/perl
print "Content-Type: text/plain", "\n\n";
print "Hello World in Perl", "\n";
  • Configure group-managed content


  • Install the packages needed to provide the service
use:

yum install httpd

or

rpm -ivh httpd*.rpm
  • Configure SELinux to support the service
#sestatus -b | grep httpd

to change the selinux boolean use

#setsebool httpd_use_cifs=1

add the following line to /etc/sysconfig/iptables file to allow the http traffic
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  • Configure the service to start when the system is booted
chkconfig httpd on
  • Configure the service for basic operation

  • Configure host-based and user-based security for the service

DNS

  • Configure a caching-only name server
  • Configure a caching-only name server to forward DNS queries
There is a good walkthrough of setting up a caching nameserver at http://www.redhat.com/magazine/025nov06/features/dns/

Install the needed components yum install bind bind-utils bind-libs bind-chroot caching-nameserver

copy /etc/named.conf to /var/named/chroot/etc/
edit /var/named/chroot/etc/named.conf

  • Change listen-on port from 127.0.0.1; to any;
  • Change allow-query from localhost; to any;
  • Add forwarders { 1.2.3.4; 5.6.7.8; }; and forward only; to the options section
Restart dns - service named restart
Edit /etc/resolv.conf to use the local DNS server
  • Note: Candidates are not expected to configure master or slave name servers

FTP

  • Configure anonymous-only download
Anonymous-only download appears to be enabled by default, so I am not sure why this is an objective. Below are the steps needed in case it isn't in the future.

  1. Install packages - yum install vsftpd ftp
  2. Edit /etc/vsftpd/vsftpd.conf
    1. Find the line anonymous_enable and set it to YES
    2. Ensure anon_upload_enable is set to NO
  3. Restart ftp - service vsftpd restart

NFS

  • Provide network shares to specific clients
Restricting access to NFS shares can be done by restricting firewall access (iptables), or by configuring the /etc/exports file. The /etc/exports file can restrict access to a single machine, a wildcard, or an IP network.
It all starts with installing and starting NFS

  • yum install nfs-utils rpcbind
  • service nfs start
  • service rpcbind start
Restricting to a single machine (can be exported to an IP or hostname)
  • Edit /etc/exports
  • Configure the export command like the following
    • /media 192.168.10.10(rw,no_root_squash)
  • Restart the service - service nfs restart
Restricting to a wildcard -- this allows exporting to a name or IP address with wildcards
  • Edit /etc/exports
  • Configure the export command like the following
    • /media *.example.com(rw,no_root_squash)
    • or /media 192.168.*10(rw,no_root_squash)
  • Restart the service - service nfs restart
 Restricting to an IP network -- this allows exporting to an entire subnet, or group of addresses
  • Edit /etc/exports
  • Configure the export command like the following
    • /media 192.168.10.0/24(rw,no_root_squash)
  • Restart the service - service nfs restart
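As an added example (not from the post): an audit of an /etc/exports file that flags the no_root_squash option used in the entries above, wildcard clients, and the "host (options)" spacing mistake that exports to every host; the function name and the sample exports file are constructed.

```shell
#!/bin/bash
# Added example (not from the post): flag risky /etc/exports entries, in
# particular the no_root_squash option used in the examples above, wildcard
# clients, and the classic "host (options)" typo. In exports(5) a space before
# the parenthesis makes the options a separate client spec, and an empty client
# spec matches every host, so "/srv 192.168.10.5 (rw)" exports /srv read-write
# to the world. Reads an exports file on stdin.

# exports_audit < exports_file
# Prints "FINDING path client reason" per problem; returns 1 if any were found.
exports_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; client = spec; opts = ""
                if (match(spec, /\(.*\)$/)) {        # split client(options)
                    client = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                name = (client == "") ? "*" : client
                if (client == "") {
                    print "FINDING", path, name, "exported to every client"; n++
                } else if (client ~ /[*?]/) {
                    print "FINDING", path, name, "wildcard client"; n++
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print "FINDING", path, name, "no_root_squash"; n++
                }
            }
        }
        END { exit (n > 0) }'
}

# Constructed sample exports file (not taken from a real host).
SAMPLE_EXPORTS='# constructed sample
/media    192.168.10.10(rw,no_root_squash)
/srv/pub  *.example.com(ro,sync)
/srv/data 192.168.10.0/24(rw,sync,root_squash)
/srv/bad  192.168.10.5 (rw)'

# Stand-alone run: audit the constructed sample, then the real file if present.
printf '%s\n' "$SAMPLE_EXPORTS" | exports_audit || echo "sample has findings" >&2
if [ -r /etc/exports ]; then
    exports_audit < /etc/exports || echo "/etc/exports has findings" >&2
fi
```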
  • Provide network shares suitable for group collaboration

SMB

  • Provide network shares to specific clients
Setting up samba is always fun. Laden with landmines between the Windows and Linux world, every time you think you have a working solution, it flakes out on you. Here are the steps needed to add an SMB share for specific clients.

  1. Install samba 
    1. yum install samba-client samba-common samba
  2. Configure the /etc/samba/smb.conf file
    1. Find the line workgroup and set the correct workgroup name
    2. At the end of the file, create a new directory block using the same syntax as the others. This example will create a share named "foo" that is only accessible by user "foo"
      1. # foo
      2. [foo]
      3. path = /foo
      4. writeable = yes
      5. browseable = yes
      6. valid users = foo
  3. Save the file and restart the services -- service smb restart; service nmb restart
  4. Make sure the user "foo" exists, and set the samba password - smbpasswd -a foo
  • Provide network shares suitable for group collaboration
Configuring SMB shares for groups is very similar to sharing for an individual. The only gotcha here is making sure security on the folder are set properly.
Scenario: You have a group named group1, users foo and bar are members of this group. You need to share a directory named /group1 to these users only.


  1. Install samba
    1. yum install samba-client samba-common samba
  2. Configure the /etc/samba/smb.conf file
  3. Find the line workgroup and set the correct workgroup name
  4. At the end of the file, create a new directory block using the same syntax as the others. Note the use of the +group1 for valid users, this identifies it as a group instead of a user
    1.  #group1
    2. [group1]
    3. path = /group1
    4. writeable = yes
    5. browseable = yes
    6. valid users = +group1
  5. Save the file and restart the services -- service smb restart; service nmb restart
  6. Ensure the folder being shared is owned by the group
    1. chown root:group1 /group1
  7. Ensure the file permissions allow the group to read/write
    1. chmod 775 /group1 -R

SMTP

  • Configure a mail transfer agent (MTA) to accept inbound email from other systems
This is a simple one, by default postfix will accept only mail originating locally, and all it takes is updating a config file to change that.

  1. Install the necessary packages
    1. yum install postfix 
  2. Edit the /etc/postfix/main.cf file
    1. Find the line inet_interfaces = localhost and change it to inet_interfaces = all
  3. Restart the service
    1. service postfix restart
  4. Open the firewall
    1. iptables -I INPUT -p tcp --dport 25 -j ACCEPT
You should be able to test this by telnetting from a remote computer. If you receive a connection, you're good to go.
  • Configure an MTA to forward (relay) email through a smart host
This is a simple one, similar to defaulting to accept mail locally, by default postfix will only send mail to local recipients.


  1. Install the necessary packages
    1. yum install postfix 
  2. Edit the /etc/postfix/main.cf file
    1. Find the relayhost section and add a line relayhost = 192.168.10.1
  3. Restart the service
    1. service postfix restart
You should be able to test this by sending an email to a remote user.

SSH

  • Configure key-based authentication
One of my favorite things to do when managing Linux systems is to configure key-based authentication. This allows me to connect to multiple systems via scripts without having to re-authenticate every time. A decent walkthrough is available at http://linuxproblem.org/art_9.html
Scenario: You are user A on host A, and you want to log onto host B as user B

  1. As user A on host A, execute
    1. ssh-keygen -t rsa
  2. Echo out the contents of ~/.ssh/id_rsa.pub (save to clipboard or copy via ssh to host B)
  3. As user B on host B, make the .ssh directory if it doesn't already exist
    1. mkdir ~/.ssh
  4. Edit the file ~/.ssh/authorized_keys and enter the contents from id_rsa.pub
You're now done. Assuming all went well, user A on host A should be able to run ssh B@B and be automatically logged in
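As an added example (not the walkthrough's code): a helper for the host B side of steps 3 and 4 that installs the public key with the permissions sshd checks (sshd with the default StrictModes refuses a ~/.ssh or authorized_keys that others can write) and never adds the same key twice; the function names and the key material are constructed.

```shell
#!/bin/bash
# Added example (not from the post): install a public key into a user's
# authorized_keys the way sshd wants it: ~/.ssh mode 700, authorized_keys mode
# 600, no duplicate entries. With StrictModes (the default) sshd ignores keys
# in a group- or world-writable ~/.ssh, the usual reason "it didn't work".

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless a key
# with the same type and blob is already there (the comment field may differ).
# Prints "added" or "present". HOME_DIR defaults to $HOME. Lines that start
# with an options field (from="...") are not recognised as duplicates.
install_pubkey() {
    local pub="$1" home="${2:-$HOME}" dir key keyid
    dir="$home/.ssh"
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)   # one key per file
    [ -n "$key" ] || { echo "no key in $pub" >&2; return 2; }
    keyid=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' \
           "$dir/authorized_keys"; then
        echo present
    else
        printf '%s\n' "$key" >> "$dir/authorized_keys"
        echo added
    fi
}

# authorized_keys_ok [HOME_DIR]: returns 0 when the modes sshd checks are right
# (700 on ~/.ssh, 600 on authorized_keys), using the ls mode string so the
# check works on any Unix without relying on stat's differing option syntax.
authorized_keys_ok() {
    local dir="${1:-$HOME}/.ssh"
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$dir/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone demo in a scratch directory so no real ~/.ssh is touched.
# The key blob below is constructed, not a real key.
DEMO=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexampleonly== userA@hostA\n' > "$DEMO/id_rsa.pub"
install_pubkey "$DEMO/id_rsa.pub" "$DEMO/homeB"
install_pubkey "$DEMO/id_rsa.pub" "$DEMO/homeB"
if authorized_keys_ok "$DEMO/homeB"; then echo "permissions ok"; fi
rm -rf "$DEMO"
```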
  • Configure additional options described in documentation

NTP

  • Synchronize time using other NTP peers
The easiest way to configure NTP is to use the GUI.

  1. On the top bar, right-click the time and select Preferences
  2. Click Time Settings and the Set System Time
  3. Check the box Synchronize date and time over the network
  4. Edit the list of NTP servers and click OK
Alternatively, you can execute system-config-date to go directly to step 3.

To perform the same via command line:
  1. Edit /etc/ntp.conf
    1. Configure 1 or more server lines like below
      1. server 0.rhel.pool.ntp.org
      2. or server 192.168.10.1
  2. Start the service
    1. service ntpd start
When all finished, make sure ntpd is set to start automatically for next reboot chkconfig ntpd on.
You can also perform a one-off sync by running ntpdate 192.168.10.1 (this only works if ntpd isn't running)
