RHCE 7.0 exam question walkthrough
Preparation:
systemctl set-default graphical.target
reboot
or use systemctl isolate graphical.target to switch to the graphical target
ifconfig to view the IP address
cat /etc/resolv.conf to view the DNS servers
hostname to view the host name
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
systemctl stop ebtables
systemctl disable ebtables
systemctl mask ebtables
-----------------------------------------------------------------------
Configure yum
vim /etc/yum.repos.d/server.repo
[base]
name=RedHat
baseurl=file:///mnt   (in the exam write http://……)
enabled=1
gpgcheck=0
-----------------------------------------------------------------------
1. SELinux
SELinux has three modes; put server30 and desktop30 into enforcing mode
vim /etc/sysconfig/selinux
SELINUX=enforcing
yum -y install setr*
reboot
--------------------------------------------------------------------------------------------------------------------------------
2. Configure SSH access
Users must be able to reach both of your virtual machines over SSH from clients in the domain example.com
Clients in the domain my133t.org must not be able to access your two virtual machines
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=ssh accept' --permanent
firewall-cmd --reload
firewall-cmd --list-all
-----------------------------------
vim /etc/hosts.deny
sshd : 172.17.30.0/255.255.255.0   (the hostile domain)
--------------------------------------------------------------------------------------------------------------------------------
3. Command alias and IP forwarding
On server30 and desktop30 create a custom command psa that runs /bin/ps aux; the command must work for every user on the system
vim /etc/bashrc
alias psa='/bin/ps aux'
. /etc/bashrc
----------------------------------------------------------
IP forwarding:
vim /usr/lib/sysctl.d/00-system.conf
net.ipv4.ip_forward = 1
sysctl -p /usr/lib/sysctl.d/00-system.conf
---------------------------------------------------------------------------------------------------------------------------------
4. Port forwarding
On server30 configure port forwarding so that, for systems in 172.16.30.0/24, connections to local port 5423 on server30 are forwarded to port 80; the setting must be permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 forward-port port=5423 protocol=tcp to-port=80' --permanent
firewall-cmd --reload
---------------------------------------------------------------------------------------------------------------------------------
5. Configure link aggregation between server30 and desktop30
The link uses the interfaces slave1 and slave2
The link must keep working after one interface fails
The link uses the address 192.168.0.11/24 on server30
The link uses the address 192.168.0.10/24 on desktop30
The link must still be up after a reboot
nmcli connection add con-name eno33600 type ethernet ifname eno33600
nmcli connection add con-name eno55778 type ethernet ifname eno55778
nmcli connection show
nmcli connection add con-name team0 type team ifname team0 config '{"runner":{"name":"activebackup"}}'
nmcli connection modify team0 ipv4.addresses "192.168.0.11/24"   (on server30; use 192.168.0.10/24 on desktop30)
nmcli connection modify team0 ipv4.method manual connection.autoconnect yes
nmcli connection add con-name slave1 ifname eno33600 type team-slave master team0
nmcli connection add con-name slave2 ifname eno55778 type team-slave master team0
nmcli connection show
nmcli connection up slave1
nmcli connection up slave2
ifconfig
nmcli connection down slave1
Test: ping the other system; after two timeout messages the connection recovers
--------------------------------------------------------------------------------------------------------------------------
6. Configure the interfaces on your exam systems with the following IPv6 addresses on the default NIC
The address on server30 must be fd00:ba5e:ba11:10::10/64
The address on desktop30 must be fd00:ba5e:ba11:10::11/64
Both systems must be able to communicate with systems in the network fd00:ba5e:ba11:10::fe
The addresses must survive a reboot
Both systems keep their current IPv4 addresses and can still communicate
server30:
nmcli connection modify eth0 ipv6.addresses "fd00:ba5e:ba11:10::10/64"
nmcli connection modify eth0 ipv6.method manual connection.autoconnect yes
systemctl restart network
systemctl enable network
desktop30:
nmcli connection modify eth0 ipv6.addresses "fd00:ba5e:ba11:10::11/64"
nmcli connection modify eth0 ipv6.method manual connection.autoconnect yes
systemctl restart network
systemctl enable network
Test:
ping6 fd00:ba5e:ba11:10::fe
--------------------------------------------------------------------------------------------------------------------------------
7. Configure the mail service (postfix) on server30
These systems must not accept mail from outside (listen on 127.0.0.1 only)
Any mail sent locally on these systems is routed to ldap.example.com
Mail sent from these systems appears to come from example.com
You can verify your configuration by visiting http://ldap.example.com/email/dave
Mail sent to harry must also be received by natasha
rpm -q postfix
systemctl restart postfix
systemctl enable postfix
firewall-cmd --add-service=smtp --permanent
firewall-cmd --reload
vim /etc/postfix/main.cf
inet_interfaces = localhost
mydestination =
myorigin = example.com
relayhost = [ldap.example.com]
mynetworks = 127.0.0.0/8
:wq!
systemctl restart postfix
vim /etc/aliases
harry: harry,natasha   (append as the last line)
:wq!
newaliases
mail -s "test" dave
Open http://ldap.example.com/email/dave in Firefox to check dave's mailbox
You can also check it this way:
wget http://ldap.example.com/email/dave
cat /var/spool/mail/dave to view user dave's mail
---------------------------------------------------------------------------------------------------------------------------------
8. Configure the SAMBA service on server30
Your samba server must be a member of the STAFF workgroup
Share the directory /common with the share name common
Only clients in the domain example.com may access the common share
common must be browseable
User natasha must be able to read the contents of the share; if a password is required, it is redhat
server30:
yum -y install samba*
systemctl restart smb nmb
systemctl enable smb nmb
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=samba accept' --permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=samba-client accept' --permanent
firewall-cmd --reload
getsebool -a | grep samba | grep dir
setsebool -P samba_enable_home_dirs 1
mkdir /common
chcon -Rt samba_share_t /common
vim /etc/samba/smb.conf
workgroup = STAFF   (change it at line 89)
[common]
path = /common
browseable = yes
valid users = natasha
:wq!
id natasha   (if the user does not exist, create it)
useradd natasha
smbpasswd -a natasha
systemctl restart smb nmb
pdbedit -L   (list the users in the samba database)
Test:
desktop30:
yum -y install samba-client cifs*
smbclient -L 172.16.30.130   (check that the share is listed)
mkdir /test
mount -t cifs -o username=natasha //172.16.30.130/common /test
After natasha mounts the share on the local /test directory she can read its contents but cannot create files
-------------------------------------------------------------------------------------------------------------------------------
9. Configure a multiuser samba mount
On server30 share the directory /devops via samba
The share name is share
The share may only be used by clients in the domain example.com
The share share must be browseable
User kenji must have read access to the share; the password is redhat
User chihiro must have read-write access to the share; the password is redhat
The share is permanently mounted on desktop30 at /aaa, authenticating as user kenji; any user can temporarily gain read-write access by authenticating as chihiro
Note: the samba service was already allowed through the firewall in the previous task, so no firewall changes are needed here
server30:
mkdir /devops
chcon -Rt samba_share_t /devops
vim /etc/samba/smb.conf
[share]
path = /devops
browseable = yes
valid users = kenji,chihiro
writable = no
write list = chihiro
:wq!
systemctl restart smb
useradd kenji
useradd chihiro
setfacl -m u:kenji:r-x /devops
setfacl -m u:chihiro:rwx /devops
smbpasswd -a kenji
smbpasswd -a chihiro
desktop30:
yum -y install samba-client cifs*
mkdir /aaa
smbclient -L //172.16.30.130/ -U kenji
vim /etc/fstab
//172.16.30.130/share /aaa cifs defaults,multiuser,username=kenji,password=redhat,sec=ntlmssp 0 0
:wq!
mount -a   (check that the share mounts)
useradd user1
su - user1
cifscreds add 172.16.30.130 -u chihiro
cd /aaa
touch file.txt   (if the file can be created, the setup works)
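The fstab line above stores kenji's password in /etc/fstab, which is world-readable. The example below is an addition to these notes, not part of the original walkthrough: it writes a root-only credentials file and renders the equivalent fstab line with the credentials= option that mount.cifs accepts instead of username=/password=. The share, mount point, user and password are the page's values; the file path /root/.cifs-kenji is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): keep the CIFS password out of
# /etc/fstab by using a root-only credentials file with mount.cifs.

# Write a mount.cifs credentials file with mode 0600.
# usage: write_cifs_creds <file> <username> <password>
write_cifs_creds() {
    creds="$1"; user="$2"; pass="$3"
    # Subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$creds" )
    chmod 600 "$creds"   # also tighten a file that already existed
}

# Print the /etc/fstab line that replaces the plaintext username=/password= pair.
# usage: cifs_fstab_line <share> <mountpoint> <credsfile>
cifs_fstab_line() {
    printf '%s %s cifs defaults,multiuser,credentials=%s,sec=ntlmssp 0 0\n' "$1" "$2" "$3"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone use on desktop30 (assumed path for the credentials file):
#   write_cifs_creds /root/.cifs-kenji kenji redhat
#   cifs_fstab_line //172.16.30.130/share /aaa /root/.cifs-kenji >> /etc/fstab
```

The multiuser option still lets user1 switch to chihiro with cifscreds exactly as in the walkthrough; only the mount-time credential moves out of fstab.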
----------------------------------------------------------------------------------------------------------------------
10. Configure the NFS service on server30
Share /public read-only, accessible only to clients in example.com
Share /protected read-write, accessible to clients in example.com
Access to /protected must be secured with Kerberos; you may use the keytab at http://ldap.example.com/pub/server30.keytab
The directory /protected must contain a subdirectory named project owned by guest2001
User guest2001 must have read-write access to /protected/project
server30 configuration:
yum -y install sssd* authconfig* krb5*
authconfig-gtk
LDAP search base: dc=example,dc=com
LDAP server: ldap://ldap.example.com
CA certificate: http://ldap.example.com/pub/EXAMPLE-CA.crt
Realm: EXAMPLE.COM
KDC: ldap.example.com
Admin server: ldap.example.com
id guest2001
mkdir /public
mkdir -p /protected/project
chown guest2001 /protected/project
chmod 777 /protected
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=nfs accept' --permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=rpc-bind accept' --permanent
firewall-cmd --reload
wget -O /etc/krb5.keytab http://ldap.example.com/pub/server30.keytab
vim /etc/exports
/public 172.16.30.0/24(ro,sync)
/protected 172.16.30.0/24(rw,sec=krb5p)
:wq!
vim /etc/sysconfig/nfs
line 13: RPCNFSDARGS="-V 4.2"
vim /etc/chrony.conf
server ldap.example.com iburst
:wq!
systemctl restart chronyd.service
systemctl enable chronyd.service
systemctl enable nfs-secure-server.service nfs-secure.service nfs-server.service
systemctl restart nfs-secure-server.service nfs-secure.service nfs-server.service
showmount -e 127.0.0.1   (list the exports)
------------------------------------------------------------------------------------------------------------------------------
11. On desktop30 mount the NFS shares from server30
Mount /public on the directory /mnt/nfsmount
Mount /protected on the directory /mnt/nfssecure using the secure method, with the keytab http://ldap.example.com/pub/desktop30.keytab
User guest2001 must be able to create files in /mnt/nfssecure/project
These file systems must be mounted automatically at boot
desktop30 configuration:
yum -y install sssd* authconfig* krb5*
authconfig-gtk
LDAP search base: dc=example,dc=com
LDAP server: ldap://ldap.example.com
CA certificate: http://ldap.example.com/pub/EXAMPLE-CA.crt
Realm: EXAMPLE.COM
KDC: ldap.example.com
Admin server: ldap.example.com
vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"
:wq!
vim /etc/chrony.conf
server ldap.example.com iburst
:wq!
systemctl restart chronyd.service
systemctl enable chronyd.service
wget -O /etc/krb5.keytab http://ldap.example.com/pub/desktop30.keytab
mkdir /mnt/nfsmount
mkdir /mnt/nfssecure
vim /etc/fstab
172.16.30.130:/public /mnt/nfsmount nfs ro 0 0
172.16.30.130:/protected /mnt/nfssecure nfs defaults,v4.2,sec=krb5p 0 0
:wq!
systemctl enable nfs-secure-server.service nfs-secure.service nfs-server.service
systemctl restart nfs-secure-server.service nfs-secure.service nfs-server.service
mount -a
df -h
su - guest2001
cd /mnt/nfssecure/project
touch haha
reboot
df
-------------------------------------------------------------------------------------------------------------------------------
12. Configure a web site http://server30.example.com on server30
Download the file from http://ldap.example.com/pub/example.html and rename it index.html without changing its contents.
Copy the file index.html into your DocumentRoot directory
Clients from example.com can access the web server
Access from clients in my133t.org is refused
server30 configuration:
yum -y install httpd
systemctl restart httpd
systemctl enable httpd
cd /var/www/html
wget -O index.html http://ldap.example.com/pub/example.html
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=http accept' --permanent
firewall-cmd --reload
Verify on desktop30:
firefox http://server30.example.com
---------------------------------------------------------------------------------------------------------------------------------
13. Configure TLS encryption for the site http://server30.example.com
The signed certificate is obtained from http://ldap.example.com/pub/server30.crt
The certificate's private key is obtained from http://ldap.example.com/pub/server30.key
The certificate's signing authority information is obtained from http://ldap.example.com/pub/group30.crt
server30 configuration:
yum -y install mod_ssl
cd /etc/httpd/conf.d
vim ssl.conf
line 59: uncomment
line 60: uncomment and set ServerName server30.example.com:443
line 100: uncomment and change localhost.crt to server30.crt
line 107: uncomment and change localhost.key to server30.key
line 122: uncomment and change ca-bundle.crt to group30.crt
cd /etc/pki/tls/certs
wget http://ldap.example.com/pub/server30.crt
wget http://ldap.example.com/pub/group30.crt
cd /etc/pki/tls/private
wget http://ldap.example.com/pub/server30.key
systemctl restart httpd
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=https accept' --permanent
firewall-cmd --reload
Verification from the desktop client:
firefox https://server30.example.com
Click I Understand the Risks -> Add Exception -> Get Certificate -> Confirm Security Exception
The certificate shown is for server30.example.com
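Before restarting httpd it is worth confirming that the three files fetched above belong together, since a mismatched key or wrong CA bundle only surfaces as a failed TLS handshake. The following checks are an added example, not part of the original walkthrough; they use only the standard openssl subcommands, the function names are my own, and the paths in the usage comment are the ones configured in ssl.conf above.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check the certificate,
# private key and CA chain for the server30.example.com TLS site.

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key (i.e. the cert and key belong together).
# usage: cert_matches_key <cert.pem> <key.pem>
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate chains to the given CA bundle.
# usage: cert_signed_by <cert.pem> <ca-bundle.pem>
cert_signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the subject CN of a certificate (the name Firefox shows for the site).
# usage: cert_cn <cert.pem>
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stand-alone use on server30 with the paths from ssl.conf:
#   cert_matches_key /etc/pki/tls/certs/server30.crt /etc/pki/tls/private/server30.key \
#       && cert_signed_by /etc/pki/tls/certs/server30.crt /etc/pki/tls/certs/group30.crt \
#       && echo "cert, key and CA agree for $(cert_cn /etc/pki/tls/certs/server30.crt)"
```

Run the check as root (the key under /etc/pki/tls/private is not world-readable); a non-zero result from cert_matches_key means the downloaded key does not match the certificate, and a failure from cert_signed_by means group30.crt is not the issuer of server30.crt.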
---------------------------------------------------------------------------------------------------------------------------------
14. On server30 extend your web server by creating a virtual host for the site http://www.example.com
Set the DocumentRoot to /var/www/virtual
Download the file from http://ldap.example.com/pub/www.html and rename it index.html without changing its contents.
Copy the file index.html into the DocumentRoot directory
Make sure the user floyd can create files under /var/www/virtual
Note: the original site server30.example.com must remain accessible
server30 configuration
cd /var/www/
mkdir virtual
cd virtual
wget -O index.html http://ldap.example.com/pub/www.html
cd /etc/httpd/conf.d
cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf .
vim httpd-vhosts.conf
starting at line 23
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName server30.example.com
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/virtual"
ServerName www.example.com
</VirtualHost>
useradd floyd
setfacl -m u:floyd:rwx /var/www/virtual
systemctl restart httpd
Client verification
firefox server30.example.com
firefox www.example.com
------------------------------------------------------------------------------------------------------------------------------
15. Web access control
Create a directory named private under the DocumentRoot of the web server on server30
Download the file from http://ldap.example.com/pub/private.html into that directory and rename it index.html without changing its contents
From server30 anyone can browse the contents of private, but the directory must not be accessible from any other system
server30 configuration:
cd /var/www/html
mkdir private
wget -O private/index.html http://ldap.example.com/pub/private.html
vim /etc/httpd/conf.d/httpd-vhosts.conf
Inside the block
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName server30.example.com
add, after the ServerName line:
<Directory "/var/www/html/private">
Require ip 172.16.30.130
</Directory>
systemctl restart httpd
Client verification: http://server30.example.com/private is refused
From server30 itself the page is reachable
-----------------------------------------------------------------------------------------------------------------------------
16. Implement dynamic web content on server30
The dynamic content is served by a virtual host named alt.example.com
The virtual host listens on port 8909
Download a script from http://ldap.example.com/pub/webapp.wsgi and put it in a suitable location without changing its contents
When a client accesses http://alt.example.com:8909 it should receive a dynamically generated web page
http://alt.example.com:8909 must be accessible to all systems in example.com
server30 configuration:
cd /var/www/
mkdir wsgi
cd wsgi
wget http://ldap.example.com/pub/webapp.wsgi
yum -y install mod_wsgi
cd /etc/httpd/conf.d
vim /etc/httpd/conf.d/httpd-vhosts.conf
Listen 8909
<VirtualHost *:8909>
WSGIScriptAlias / "/var/www/wsgi/webapp.wsgi"
ServerName alt.example.com:8909
</VirtualHost>
semanage port -a -t http_port_t -p tcp 8909
systemctl restart httpd
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 port port=8909 protocol=tcp accept' --permanent
firewall-cmd --reload
Client verification: firefox alt.example.com:8909; if hello,world! appears, it works
--------------------------------------------------------------------------------------------------------------------------------
17. Configure server30 to provide an iSCSI share
The disk name is iqn.2014-09.com.example:server30
The service port is 3260
Use iscsi_store as the backend volume, 3G in size
The service may only be accessed by desktop30.example.com
server30 configuration:
fdisk /dev/sda
Create the primary partition /dev/sda3 of 3G
partprobe /dev/sda
yum -y install targetcli
systemctl enable target
systemctl restart target
targetcli
cd /backstores/block
create iscsi_store /dev/sda3
cd /iscsi
create iqn.2014-09.com.example:server30
cd /iscsi/iqn.2014-09.com.example:server30/tpg1/acls
create iqn.2014-09.com.example:desktop30
cd ../luns
create /backstores/block/iscsi_store
cd ../portals
create 172.16.30.130
exit
systemctl restart target
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 port port=3260 protocol=tcp accept' --permanent
firewall-cmd --reload
---------------------------------------------------------------------------------------------------------------------------------
18. Configure iSCSI on desktop30
Configure desktop30 so that it connects to iqn.2014-09.com.example:server30 provided by server30
The iSCSI device must be attached automatically at boot
The iSCSI block device contains a partition of 2100MiB formatted as ext4
The partition is mounted on /mnt/data and mounted automatically at boot
yum -y install iscsi-init*
systemctl enable iscsid
systemctl restart iscsid
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-09.com.example:desktop30
systemctl restart iscsi
iscsiadm -m discovery -t sendtargets -p 172.16.30.130
iscsiadm -m node -T iqn.2014-09.com.example:server30 -p 172.16.30.130 -l
lsblk   (check that /dev/sdb appears)
fdisk /dev/sdb
Create a 2100M partition
partprobe /dev/sdb
mkfs.ext4 /dev/sdb1
mkdir /mnt/data
blkid   (look up the UUID of sdb1)
vim /etc/fstab
UUID="……" /mnt/data ext4 defaults,_netdev 0 0
--------------------------------------------------------------------------------------------------------------------------------
19. Configure a database
On server30 create a MariaDB database named Contacts that meets the following conditions:
A The database must contain the contents restored from a database dump; the URL of the dump file is
http://ldap.example.com/pub/user.mdb
B The database may only be accessed from localhost
C Apart from root, only the user Raikon may query the database; the user's password is redhat
D The root password is redhat, and logins with an empty password are not allowed
——do this on server30——
yum groupinstall -y mariadb*
systemctl enable mariadb
systemctl restart mariadb
netstat -tulnp | grep 3306
firewall-cmd --add-service=mysql
firewall-cmd --add-service=mysql --permanent
cd /root/
wget http://ldap.example.com/pub/user.mdb
mysql
show databases;
create database Contacts;
use Contacts;
source /root/user.mdb;
show tables;
grant select on Contacts.* to 'Raikon'@'localhost' identified by 'redhat';
flush privileges;
exit
mysql_secure_installation   (use the wizard to set the root password)
After setting the password answer y to everything
--------------------------------------------------------------------------------------------------------------------------------
20. Database queries
On server30 use the database contacts and the appropriate SQL queries to answer the following questions:
A What is the name of the person whose password is 123456?
B How many people are named barbara and live in sunnyvale?
server30:
mysql -u root -p
use Contacts;
select usernamer from user where password='123456';
select count(*) from user where usernamer='barbara' and live='sunnyvale';
--------------------------------------------------------------------------------------------------------------------------------
21. Create a script
On server30 create a script named /root/foo.sh with the following behaviour
A When run as /root/foo.sh redhat, it outputs Fedora
B When run as /root/foo.sh fedora, it outputs redhat
C With no argument, or with an argument other than redhat or fedora, it prints the following message on standard error: /root/foo.sh redhat|fedora
vim /root/foo.sh
#!/bin/bash
# Map the argument to the other distribution name
if [[ $1 = redhat ]]; then
    echo fedora
elif [[ $1 = fedora ]]; then
    echo redhat
else
    # The usage message goes to standard error, with a non-zero exit status
    echo "/root/foo.sh redhat|fedora" >&2
    exit 1
fi
chmod 777 /root/foo.sh
/root/foo.sh redhat
/root/foo.sh fedora
--------------------------------------------------------------------------------------------------------------------------------
22. Create a user-creation script
On desktop30 create a script named /root/batchusers that creates local users on system1, taking the user names from a file containing a list of user names. It must meet the following requirements:
A The script requires one argument, the file containing the list of user names
B If no argument is given, the script prints the message Usage: /root/batchusers and exits with an appropriate return value
C If the file name given does not exist, the script prints the message input file not found and exits with an appropriate return value
D The login shell of the created users is /bin/false
E The script does not need to set passwords for the users
You can fetch a user list for testing from http://ldap.example.com/pub/userlist
vim /root/batchusers
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Usage: /root/batchusers" >&2
    exit 1
elif [ -f "$1" ]; then
    # Create every listed user with a non-interactive shell and no password
    for username in $(cat "$1"); do
        useradd -s /bin/false "$username"
    done
else
    echo "input file not found" >&2
    exit 2
fi
:wq!
chmod 777 /root/batchusers
wget http://ldap.example.com/pub/userlist
/root/batchusers userlist
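The script above passes every whitespace-separated token from the downloaded file straight to useradd, so the file's contents decide what runs as root. The variant below is an added example, not the original notes' script: it keeps the three behaviours the task asks for (usage message, missing-file message, /bin/false shell) and adds the checks a practitioner would want in a file-driven account script, namely login-name validation, duplicate suppression and a dry-run mode. The exit codes 1 and 2, the DRY_RUN variable and the function name are my own assumptions.

```shell
#!/bin/sh
# Added example (not the original batchusers script): validating variant of
# the batch user-creation logic from task 22.

# Exit codes (assumed; the task only asks for "an appropriate value").
E_USAGE=1
E_NOFILE=2

# Accept only conventional login names: lowercase or underscore first,
# then [a-z0-9_-], at most 32 characters. Anything else (including names
# that look like command options) is rejected before reaching useradd.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create (or, with DRY_RUN=1, only print the command for) each user listed
# in the file, one name per line.
# usage: batchusers <userlist-file>
batchusers() {
    if [ $# -eq 0 ]; then
        echo "Usage: /root/batchusers" >&2
        return "$E_USAGE"
    fi
    if [ ! -f "$1" ]; then
        echo "input file not found" >&2
        return "$E_NOFILE"
    fi
    seen=""
    # Read line by line so names never go through word splitting or globbing;
    # the || [ -n ... ] clause keeps a last line without a trailing newline.
    while IFS= read -r name || [ -n "$name" ]; do
        [ -z "$name" ] && continue                      # skip blank lines
        if ! valid_username "$name"; then
            echo "skipping invalid name: $name" >&2
            continue
        fi
        case " $seen " in *" $name "*) continue ;; esac  # skip duplicates
        seen="$seen $name"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "useradd -s /bin/false $name"
        else
            useradd -s /bin/false "$name"
        fi
    done < "$1"
}

# Stand-alone use on desktop30: review the plan first, then run it for real.
#   DRY_RUN=1 batchusers /root/userlist
#   batchusers /root/userlist
```

Rejected and duplicated names are reported on standard error and skipped rather than aborting the run, so one bad line in the list does not block the remaining accounts.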