RHCE 7 Objective


RHEL7 RHCE Exam objectives

System configuration and management

Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems.
Configure IPv6 addresses and perform basic IPv6 troubleshooting.
Route IP traffic and create static routes.
Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT).
Use /proc/sys and sysctl to modify and set kernel runtime parameters.
Configure a system to authenticate using Kerberos.
Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target.
Produce and deliver reports on system utilization (processor, memory, disk, and network).
Use shell scripting to automate system maintenance tasks.

Network Services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service.
Configure SELinux to support the service.
Use SELinux port labelling to allow services to use non-standard ports.
Configure the service to start when the system is booted.
Configure the service for basic operation.
Configure host-based and user-based security for the service.

HTTP/HTTPS

Configure a virtual host.
Configure private directories.
Deploy a basic CGI application.
Configure group-managed content.
Configure TLS security.

DNS

Configure a caching-only name server.
Troubleshoot DNS client issues.

NFS

Provide network shares to specific clients.
Provide network shares suitable for group collaboration.
Use Kerberos to control access to NFS network shares.

SMB

Provide network shares to specific clients.
Provide network shares suitable for group collaboration.
Use Kerberos to authenticate access to shared directories.

SMTP


Configure a system to forward all email to a central mail server.

SSH

Configure key-based authentication. Configure additional options described in documentation.

NTP

Synchronize time using other NTP peers.

Database Services

Install and configure MariaDB.
Backup and restore a database.
Create a simple database schema.
Perform simple SQL queries against a database.

RHEL7 RHCSA What’s new?

Between the RHCSAv6 and the RHCSAv7 exams, there are only limited changes:

"Securely transfer files between systems" is a new objective that might require calling the scp command.

"Configure key-based authentication for SSH" completes the previous objective and requires an understanding of SSH configuration (this objective was previously part of the RHCE exam objectives).

"Configure a system to use an existing authentication service for user and group information" appears while "Configure a system to use an existing LDAP directory service for user and group information" disappears; this new objective might require mastering both the sssd daemon and LDAP configuration.

"Create, mount, unmount, and use vfat, ext4 and xfs file systems" only adds the xfs file system to the previous RHCSA exam objective.

There is no longer mention of setting up a default configuration HTTP/FTP server. VNC doesn't show up any more. Firewall settings can now be configured through firewall-config, firewall-cmd but the iptables way is still fine. Finally, perhaps the biggest change, all LUKS-related tasks have been removed: no game with encrypted partitions any more!

Even though the RHCSA exam objectives almost stay the same and the exam keeps the same duration (2.5 hours), it is clear that you will need a good understanding of the RHEL 7 basic features (Systemd, Grub2, etc) to pass it.

RHEL7 RHCE What’s new?

Between RHCEv6 and RHCEv7, changes are very significant. The exam now lasts 3.5 hours and numerous objectives have been added (and almost none removed):

Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems.
Configure IPv6 addresses and perform basic IPv6 troubleshooting.
Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT) (this objective replaces the "Use iptables to implement packet filtering and configure network address translation" objective).
Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target (previously, only the iSCSI initiator configuration was an objective, not the iSCSI target part).
Use SELinux port labelling to allow services to use non-standard ports.
Configure TLS security on an HTTPS server.
Troubleshoot DNS client issues.
Use Kerberos to control access to NFS network shares.
Use Kerberos to authenticate access to SMB shared directories.

Last but not least, some new RHCE exam objectives relate to MariaDB. A successful RHCE candidate will be able to:

Install and configure MariaDB.
Backup and restore a database.
Create a simple database schema.
Perform simple SQL queries against a database.

Although FTP & Rsyslog configuration are no longer RHCE exam objectives, Red Hat has seriously increased the difficulty of the RHCE exam. It now lasts 3.5 hours instead of 2, topics are more numerous and more technical (Kerberos, TLS, IPv6, Firewalld, teaming/bonding, iSCSI target, SELinux port labelling, MariaDB, etc).

RHCE 7 SAMPLE QUESTION PAPER

RHCSA

Question 1: Create two users: john with uid/gid equal to 2000, password 12345678, and davis with uid/gid equal to 3000, password 87654321. Make davis' account expire in one month.

# useradd -u 2000 john
# passwd john
New password: 12345678
# useradd -u 3000 davis
# passwd davis
New password: 87654321
# date -d "+1month"
# usermod -e YYYY-MM-DD davis
or
# chage -E YYYY-MM-DD davis
# chage -l davis

Question 2: Allow davis (and only davis) to get full access to john's home directory.

# setfacl -R -m u:davis:rwx /home/john


Question 3: Create a directory named /common. Allow john and davis to share documents in the /common directory using a group called team. Each of them can read, write and remove the other's documents in this directory, but any user who is not a member of the group can't.

# mkdir /common
# groupadd -g 50000 team
# chgrp team /common
# chmod 2770 /common
# usermod -aG team john
# usermod -aG team davis

Question 4: Create an xfs file system on a new logical volume of 100MB called lv_xfs. Mount it permanently by UUID under /xfs.

# lvcreate --size 100M --name lv_xfs /dev/vg
# mkfs.xfs /dev/vg/lv_xfs
# mkdir /xfs
# blkid | grep lv_xfs >> /etc/fstab
# vi /etc/fstab
UUID=… /xfs xfs defaults 1 2
# mount -a

Question 5: Extend the existing xfs file system to a total size of 200MB and add a label called myFS.

# lvextend --size 200M /dev/vg/lv_xfs
or
# lvextend --size +100M /dev/vg/lv_xfs
# xfs_growfs /xfs
# umount /xfs
# xfs_admin -L "myFS" /dev/vg/lv_xfs
# mount /xfs

Question 6: Write a Bash script called prog.sh in the /root directory that creates 40 files of 2MB each with the fallocate command in the mounted /xfs directory. Each file is named .file_N, where N is a number from 1 to 40.

# cd /root
# vi prog.sh

#!/bin/bash
cd /xfs
N=40
while [ "$N" -gt 0 ]
do
    fallocate -l 2M .file_$N
    N=`expr $N - 1`
done

# chmod u+x prog.sh
# ./prog.sh


Question 7: Create an ext4 file system on a new logical volume of 100MB called lv_ext4. Mount it permanently under the /ext4 directory. Copy the files previously created into this new space.

# lvcreate --size 100M --name lv_ext4 /dev/vg
# mkfs.ext4 /dev/vg/lv_ext4
# mkdir /ext4
# vi /etc/fstab
/dev/vg/lv_ext4 /ext4 ext4 defaults 1 2
# cp -p /xfs/.f* /ext4

Question 8: Assign the same SELinux contexts used by the home directories to the /xfs directory permanently.

# yum install -y setroubleshoot-server
# semanage fcontext -a -t user_home_t "/xfs(/.*)?"
# restorecon -R /xfs

Question 9: Configure a virtual console.

# grubby --update-kernel=ALL --args="console=ttyS0"

Question 10: Create a logical volume of 200MB called lv_swap2 and add it permanently to the current swap space.

# lvcreate --size 200M --name lv_swap2 /dev/vg
# mkswap /dev/vg/lv_swap2
# swapon /dev/vg/lv_swap2
# vi /etc/fstab
/dev/vg/lv_swap2 swap swap defaults 0 0

Question 11: Install the Apache package. Allow it to get documents stored on NFS mounted directories.

# yum install -y httpd
# firewall-cmd --permanent --add-service=http
# firewall-cmd --reload
# systemctl enable httpd
# systemctl start httpd
# getsebool -a | grep nfs | grep httpd
# setsebool httpd_use_nfs on

Question 12: Create a cron job running as root, starting at 11PM every day and writing a report on daily system resource consumption in the /var/log/consumption.log file.

# crontab -e
00 23 * * * /usr/bin/sar -A > /var/log/consumption.log

Question 13: Set the default target to boot into X Window level (previously level 5).

# systemctl set-default graphical.target

Question 14: Change the hostname to mycentos.example.com.

# hostnamectl set-hostname mycentos.example.com


Question 15: Create a user account named "tony" with password "redhat" and belonging to a secondary group called "team".

Question 16: Boot in single user mode and change the root password.

Question 17: Set up a default configuration HTTP server with SELinux in Enforcing mode and active iptables.


RHCE

Question 1: Configure a httpd server that executes a Perl script in the /var/www/cgi-bin directory displaying "Hello!".

Question 2: Set up a httpd virtual server called "dummy" with DocumentRoot assigned to /opt.

Question 3: Set up time synchronization with default configuration.


Upgrading Red Hat Enterprise Linux / CentOS

RHEL/CentOS 5–6–7 Changes

You encounter enormous changes when you move to the next major version of Red Hat's Enterprise Linux product suite. Here are my notes on what is different when you upgrade from one major release of Red Hat Enterprise Linux (or its clone CentOS) to the next; in other words, how to upgrade from RHEL (or CentOS) 5 to 6 to 7. The major releases of RHEL appear further and further apart in time, meaning that the changes are more and more complicated.

Remember that it's not that Red Hat is changing all these things. Their installer and their graphical configuration tools, sure, those are Red Hat changes. But much of this is the result of the many underlying projects changing.

RHEL 2.1   26 March 2002
RHEL 3     22 October 2003
RHEL 4     15 February 2005
RHEL 5     14 March 2007
RHEL 6     10 November 2010
RHEL 7     10 June 2014

1 — Installation and Exploring the Newly Installed System

The order of events and the logic of the installation completely change with every major release.


It was impossible to do a 5–6 upgrade, but 6–7 should be possible.

Once you get it installed, the configuration of Gnome within RHEL hides the terminal emulator in ever more inconvenient corners of the menus. Gnome 3 supports using the Windows Start Key to bring up a "run this command" text box.

I thought it was just me being naïve, but I have discovered that many other serious Linux system administrators don't know what the "Windows Start Key" is. If your keyboard has a key with the Microsoft logo on it, down around the left-hand Shift and Alt and Control keys, it's that thing.

The manual page indices always need to be rebuilt so man -k will work after the installation. There will be a cron job to do that, or you can do it manually. This used the makewhatis utility for ages, but with RHEL 7 mandb replaces makewhatis. The file /etc/cron.daily/man-db.cron makes this happen every night.

When you upgrade from RHEL 5 to 6, you will notice that the network configuration has become rather complicated. See the IP networking section later for what's behind this. Among other things, be careful to de-select Require addressing for this connection to complete for IPv4 and also IPv6 if you use it. You get more choices about storage starting with RHEL 6, some of it a bit exotic for typical users. If you customize the package selection, watch out! It is very tempting to click the Next button prematurely. That immediately starts an installation process, and the only way to abort it is to reset or power-cycle the machine and start over.

When you upgrade from 6 to 7, it becomes more complicated yet. The graphical configuration tool for networking now includes tabs for 802.1x security and higher performance data center type LAN technology.

The distribution had grown to the point that RHEL 6 no longer fit onto one single-layer DVD. DVD1 is the main installation media, it's 4.0 GB for the RHEL 6 workstation and the single CentOS image. DVD2 is the "optional" media, it's just 1.2 GB. DVD2 for the most part contains the -doc and -devel packages, but it also contains some of the intranet/LAN server packages. For example, samba-swat and lpd-cups.

RHEL 5 gave you a choice about using SELinux and the iptables and ip6tables firewall rules. RHEL 6 and later force these on you, preconfigured and enabled.

The firstboot program that runs on the first post-installation graphical boot starting with RHEL 6 insists that you create a user. However, the user creation tool is poorly designed and it does not let you fully control all the attributes of this user. Workaround: Create a dummy user to make it happy, create your real users, and then delete the dummy user.

If you're using VMware, Red Hat has included drivers that give you the benefits of VMware's VMtools, such as the ability to simply move the mouse out of the VM window without first pressing <Ctrl><Alt>. Do not install VMtools, as that can make things worse instead of better. My experience was that VMtools took away my control of the display settings and recreated the mouse and keyboard focus problem. Just install RHEL or CentOS and enjoy.

Release   Default      Optional
RHEL 5    Gnome 2.16   KDE 3.5
RHEL 6    Gnome 2.28   KDE 4.3
RHEL 7    Gnome 3.8    KDE 4.10

The desktop graphical user interface goes through major changes, especially going from RHEL 6 to 7. Both the default Gnome and the optional KDE graphical interface go through major version changes.

By RHEL 7 many more packages had moved to having one main configuration file plus a collection, like what xinetd has done for some time. For example, sudo puts its system-wide settings in /etc/sudoers and then reads all the user-specific files /etc/sudoers.d/*. Rsyslog reads /etc/rsyslog.conf and then all the files in /etc/rsyslog.d/*.


This isn't anything specific to Red Hat, it is a Linux-wide trend that became common between the releases of RHEL 6 and 7. This is also similar to the shells that for some time now first use /etc/profile and then /etc/profile.d/*, followed by ~/.profile.

This is good, take advantage of it. The intent is that you don't touch the distribution-provided file /etc/*.conf. When the package updates, rpm discovers that the main configuration file is still in pristine form and you have no confusing *.rpmnew, *.rpmold, and so on to track down and manually merge changes into. Let the distribution's provided configuration file do whatever the distribution intended, and then your locally created files can "correct" any system-wide settings you want to change.

2 — Booting

RHEL 5   Grub 0.97
RHEL 6   Grub 0.97
RHEL 7   Grub2 v2.00

Red Hat moved from Grub to Grub 2 with RHEL 7. Grub 2 is needed to support booting on UEFI-GPT platforms. See my page on how Linux boots for details on UEFI and GPT.

These two configuration files do approximately the same thing. Notice the much greater complexity of Grub 2.

Typical Grub 0.97 /boot/grub/menu.lst

timeout 10
color black/cyan yellow/cyan
default 0

title Linux release-newer
root (hd0,0)
kernel (hd0,0)/vmlinuz-release-newer root=LABEL=/
initrd /initrd-release-newer.img

title Linux release-older
root (hd0,0)
kernel (hd0,0)/vmlinuz-release-older root=LABEL=/
initrd /initrd-release-older.img

Typical Grub 2 /boot/grub2/grub.cfg

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if loadfont unicode ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
fi
terminal_output gfxterm
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 1d2e37f5-1a3d-419a-996e-d7fd5d876a75
else
  search --no-floppy --fs-uuid --set=root 1d2e37f5-1a3d-419a-996e-d7fd5d876a75
fi
insmod gfxmenu
loadfont ($root)/grub2/themes/maggy/MageiaLogo-Bold-16.pf2
loadfont ($root)/grub2/themes/maggy/MageiaLogo-Bold-20.pf2
loadfont ($root)/grub2/themes/maggy/MageiaLogo-Bold-28.pf2
loadfont ($root)/grub2/themes/maggy/MageiaLogo-Regular-20.pf2
insmod png
set theme=($root)/grub2/themes/maggy/theme.txt
export theme
set timeout=10
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Linux release-newer' {
	set gfxpayload=text
	insmod gzio
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 1d2e37f5-1a3d-419a-996e-d7fd5d876a75
	else
	  search --no-floppy --fs-uuid --set=root 1d2e37f5-1a3d-419a-996e-d7fd5d876a75
	fi
	linux /vmlinuz-release-newer root=UUID=62dfc4a4-86c2-4ebf-aaa3-442ecc740122 ro noacpi nofb
	initrd /initrd-release-newer.img
}
menuentry 'Linux release-older' {
	set gfxpayload=text
	insmod gzio
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos1'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 1d2e37f5-1a3d-419a-996e-d7fd5d876a75
	else
	  search --no-floppy --fs-uuid --set=root 1d2e37f5-1a3d-419a-996e-d7fd5d876a75
	fi
	linux /vmlinuz-release-older root=UUID=62dfc4a4-86c2-4ebf-aaa3-442ecc740122 ro noacpi nofb
	initrd /initrd-release-older.img
}
### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

GRUB now uses a kernel line about twice the length of that in RHEL/CentOS 5.*; many more parameters are passed to the kernel at boot time.

Starting with RHEL 6 GRUB uses UUID rather than LABEL to specify the root file system, and adds several parameters specifying that it is not on LVM or encrypted through LUKS or on NFS or other network-attached storage.

RHEL 5   SVR4 init
RHEL 6   Upstart
RHEL 7   systemd

The old SVR4 init has been replaced twice now.

Systemd is significantly more capable than Upstart or classic init, with a corresponding increase in complexity. See my page on Linux booting and process control for the rather complicated details on this.

There's much more to it than this, but here's what an administrator sees day-to-day:

SVR4 init on RHEL 5: One file, /etc/inittab, configures the init program as to what run level to enter by default and what it takes to get there. Other than starting multiple virtual consoles with text login in run levels 3 and 5, and starting a graphical login in run level 5, it says to use the directory /etc/rc[0-6].d/ corresponding to the target run level. That directory will contain symbolic links pointing to the collection of boot scripts in /etc/init.d/. Each link has the same name as the actual script, preceded with either K (to kill) or S (to start) and a two-digit number to impose order. You use the chkconfig program to enable or disable services; it reads specially coded comments in the comment block at the top of the boot script to specify which run levels to start and stop the service in and at what numerical order position. You directly run the boot script /etc/init.d/servicename to stop, start, or restart it right now.

Upstart on RHEL 6: Very similar to SVR4 init as far as configuration and operation goes. The exception is that /etc/inittab is now almost empty. Its functionality has been expanded and moved into the files /etc/sysconfig/init and /etc/init/*.

Systemd on RHEL 7: This is very different! Instead of run levels, of which only 1 (maintenance or rescue), 3 (text-only, server) and 5 (graphics, workstation) are useful, it uses "targets". The commonly used ones correspond to the traditional run levels 3 and 5, but you can boot or transition into any combination of the targets found in /lib/systemd/system/*.target. Very few boot scripts remain in /etc/init.d/. You use the program systemctl to query the current overall system state, to query the state of individual services, to control a service right now, and to enable or disable it for the future.

Simplified "Phrase Book" of Equivalent Commands

SVR4 init, Upstart (RHEL 5, RHEL 6) versus systemd (RHEL 7)

What run state are we in? What services were started/stopped to get here, and with what order dependencies?
  RHEL 5, RHEL 6:
    runlevel
    ls /etc/rcN.d
  RHEL 7:
    systemctl get-default
    systemctl
    systemctl -a
    systemctl list-dependencies
    systemctl list-sockets
    systemctl status crond sshd httpd ...

What is the default run state if the system is simply rebooted?
  RHEL 5, RHEL 6:
    grep initdefault /etc/inittab
  RHEL 7:
    systemctl get-default

Change the default run state to newtarget.
  RHEL 5, RHEL 6:
    vim /etc/inittab
  RHEL 7:
    systemctl set-default newtarget

What services are available? Of the available services, which are enabled and disabled?
  RHEL 5, RHEL 6:
    ls /etc/rc.d/init.d
    chkconfig --list
  RHEL 7:
    systemctl list-unit-files

Stop service xyz. Start service xyz. Stop and restart service xyz. Signal service xyz to re-read its configuration file.
  RHEL 5, RHEL 6:
    /etc/init.d/xyz stop
    /etc/init.d/xyz start
    /etc/init.d/xyz restart
    /etc/init.d/xyz reload
  RHEL 7:
    systemctl stop xyz
    systemctl start xyz
    systemctl restart xyz
    systemctl reload xyz

Enable service xyz to automatically start at the next boot.
  RHEL 5, RHEL 6:
    chkconfig --add xyz
    chkconfig xyz on
    chkconfig --levels 345 xyz on
  RHEL 7:
    systemctl enable xyz

Disable service xyz so that it does not automatically start at the next boot.
  RHEL 5, RHEL 6:
    chkconfig --del xyz
    chkconfig xyz off
  RHEL 7:
    systemctl disable xyz
  Systemd will automatically enable services that xyz depends upon.

What is involved in service xyz? A short description, what it needs to run before it, what else wants this to run before it can, is it running now or stopped now, since when, if running what's its PID, and far more?
  RHEL 5, RHEL 6:
    more /etc/init.d/xyz
    ls /etc/rc$(runlevel | awk '{print $2}').d/
    /etc/init.d/xyz status
    grep xyz /var/log/messages
    ls /var/run/xyz
    cat /var/run/xyz
    ps axuww | egrep 'PID|xyz'
  Oof! You would have to do all of these, plus many more, plus do some careful analysis of all of the output, to get everything you can get from the one systemd command. This is an area where systemd has an advantage.
  RHEL 7:
    systemctl show xyz

Halt or reboot the system.
  RHEL 5, RHEL 6:
    init 0
    halt
    poweroff
    shutdown -h now -t 0
    init 6
    reboot
    shutdown -r now -t 0
  RHEL 7:
    systemctl halt
    systemctl poweroff
    systemctl reboot

The system is shut down; boot it into a non-default run state (typically used for rescue or maintenance).
  Both: Interrupt the boot loader's countdown timer and modify the line that will be passed to the kernel. Add the desired target state to the end — 1, 3, or 5 for SVR4 init or Upstart; rescue, multi-user, or graphical for systemd (1, 3, and 5 will probably work, but don't count on it). The kernel's command line at the last boot is kept in /proc/cmdline.

3 — Logging

RHEL 5   Syslog
RHEL 6   Rsyslog
RHEL 7   journalctl plus Rsyslog

The logging mechanism has changed twice, although Red Hat hasn't changed what it saves to which file in /var/log for a long time. Most interesting things go into messages, authentication events that might contain sensitive information go into auth.log, and subsystems like printing and mail have their own files.

See my page on Linux booting and process control for the details on this. Journalctl is less complex than Rsyslog, if you consider Rsyslog capabilities like TLS-protected remote logging and message content matching and rewriting. But its use of database files and its own tool before you apply grep and sed and awk certainly gives it a different feel.

RHEL 7 includes many subsystems moving toward a "file plus directory" rather than "just one file" configuration, and Rsyslog is the first example we've come to involving a change when moving from RHEL 6 to 7.

Rsyslog in RHEL 6: Start the Rsyslog daemon according to /etc/sysconfig/rsyslog, configure it with the file /etc/rsyslog.conf.

Rsyslog in RHEL 7: Start the Rsyslog daemon according to /etc/sysconfig/rsyslog, configure it with the file /etc/rsyslog.conf and then apply all files /etc/rsyslog.d/*.

Similarly, logrotate is configured first by /etc/logrotate.conf and then all of /etc/logrotate.d/*.

4 — User / Group Administration

RHEL 5: MD5
RHEL 6: SHA-512
RHEL 7: SHA-512

The hash stored in /etc/shadow changed with RHEL 6. $1 indicates an MD5 hash, $2a indicates a Blowfish-based hash, $5 indicates SHA-2-256, and $6 indicates SHA-2-512. RHEL 6 went to SHA-2-512 hashes of passwords with 516 bits of salt (86 base-64 encoded characters at 6 bits per character).
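As an added example (not part of the original notes), here is a small POSIX shell audit that uses the $id$ prefixes described above to classify every hash in shadow-format input and list the accounts that still carry MD5 or DES-crypt hashes, or no password at all, which is exactly what you want to know after a 5-to-6 upgrade. The sample shadow lines and the hash strings inside them are constructed placeholders, not real hashes; on a real host you would feed it /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not from the original notes: classify /etc/shadow password
# hashes by their "$id$" prefix and report accounts that still use a weak
# algorithm after an upgrade. The sample lines below are constructed; the
# hash strings are placeholders, not real password hashes.

# classify_hash HASHFIELD
# Prints one word: none, locked, des, md5, blowfish, sha256, sha512 or unknown.
classify_hash() {
    case "$1" in
        '')                      echo none ;;     # empty field: login without a password
        '!'*|'*'*)               echo locked ;;   # locked or no-login account
        '$1$'*)                  echo md5 ;;      # RHEL 5 default
        '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;   # RHEL 6 and 7 default
        '$'*)                    echo unknown ;;  # some other $id$ scheme
        *)                       echo des ;;      # 13-character traditional crypt(3)
    esac
}

# audit_shadow < shadow-file
# Prints "user algorithm" for every line of shadow-format input.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        echo "$user $(classify_hash "$hash")"
    done
}

# weak_accounts < shadow-file
# Prints, on one line, the users whose hash is MD5, DES, or missing.
weak_accounts() {
    audit_shadow | awk '$2 == "md5" || $2 == "des" || $2 == "none" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Constructed sample shadow file (placeholder hashes, not real ones).
SAMPLE_SHADOW='root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17000:0:99999:7:::
legacy:$1$CONSTRUCT$CONSTRUCTEDHASH:15000:0:99999:7:::
olduser:CONSTRUCTDES1:14000:0:99999:7:::
svc:!!:17000:0:99999:7:::
nopw::17000:0:99999:7:::
bin:*:16000:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
echo "weak: $(printf '%s\n' "$SAMPLE_SHADOW" | weak_accounts)"
```

The classifier only looks at the prefix, so it is cheap to run across many hosts; an account reported as md5 or des keeps its old hash until the user next changes the password, and an account reported as none has an empty password field and should be locked or given a password immediately.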

See the complaints in the Installation section above about the insistence on creating a user but not allowing you to fully control all its attributes. That has been the case in both RHEL 6 and RHEL 7.


Password quality control, to the limited extent that it really matters, is now best done with pam_pwquality.so and pam_pwhistory.so.

Be careful. Use of pam_pwhistory.so means that you now must also protect /etc/security/opasswd as that contains information on users' old passwords which will give you very useful hints as to what their later passwords will look like.

pam_pwquality.so can be configured with parameters within the PAM files, but a better approach would be to customize it within /etc/security/pwquality.conf so that every program handling password changes uses the same rules.

In the past, pam_cracklib.so was the only thing you could count on being there in any distribution. Then pam_passwdqc.so came along. They are still available, although pam_pwquality.so is now the best tool. However, people used to setting up password policies on Windows will be unhappy with all of them as none allow you to rigidly enforce a password policy exactly the same way you can in Windows. Just set something and move forward as password security is largely an illusion.

5 — Storage

The default file system has changed twice in going from RHEL 5 to RHEL 6 to RHEL 7.

File System Tools

RHEL 5, default file system Ext3
  Create:                   mkfs.ext3
  Modify/view metadata:     tune2fs, dumpe2fs
  Modify/grow file system:  resize2fs
  Check/repair:             fsck.ext3
  Dump/restore:             dump, restore

RHEL 6, default file system Ext4
  Create:                   mkfs.ext4
  Modify/view metadata:     tune2fs, dumpe2fs
  Modify/grow file system:  resize2fs
  Check/repair:             fsck.ext4
  Dump/restore:             dump, restore

RHEL 7, default file system XFS
  Create:                   mkfs.xfs
  Modify/view metadata:     xfs_admin
  Modify/grow file system:  xfs_growfs
  Check/repair:             xfs_check, xfs_repair
  Dump/restore:             xfsdump, xfsrestore

RHEL ?, Btrfs
  Create:                   mkfs.btrfs
  Modify/view metadata:     btrfs filesystem, btrfs-debug-tree, btrfs property
  Modify/grow file system:  btrfs filesystem
  Check/repair:             btrfs scrub, btrfsck, btrfs rescue, btrfs restore
  Dump/restore:             btrfs image, btrfs image

The kernel drivers used for IDE/PATA disks have changed. IDE/PATA disks appeared as devices /dev/hd? in RHEL 5; starting with RHEL 6 all disks are /dev/sd?.

File system device definitions in /etc/fstab were in terms of LABEL= in RHEL 5. That changed to UUID= in RHEL 6.

Starting with RHEL 7, it is no longer practical for /usr to be a separate file system. This isn't specifically the fault of RHEL, it's that the components used by all distributions now disregard or violate the old convention that the root file system be small with just what's needed for booting while /usr has things needed later. But now /bin, /lib, /lib64 and /sbin are just symbolic links to directories within /usr.

Red Hat's recommendation for swap area continues to change and contradict itself. For example, install RHEL 7 onto a system with 8 GB of RAM and let the installer set up the storage. Red Hat's documentation recommends either 4 or 8 GB in that situation, but their installer creates a 2 GB swap area.


The NFS server now uses /etc/exports.d/* in addition to /etc/exports.

The automounter now uses /etc/auto.master.d/* in addition to /etc/auto.master.

The mount command shows an ever-larger list of mounts that are not file systems in the usual sense and that do not appear in routine df output. They do appear if you run df -a.

Release   Physical RAM    Swap recommendation      To allow hibernation

RHEL 4    (any)           always at least 32 MB
          ≤ 2 GB          2 × RAM
          > 2 GB          2 + RAM

RHEL 5    < 4 GB          at least 2 GB
          4–16 GB         4 GB
          16–64 GB        8 GB
          64–256 GB       16 GB
          256–512 GB      32 GB

RHEL 6    ≤ 2 GB          2 × RAM                  3 × RAM
          2–8 GB          same as RAM              2 × RAM
          8–64 GB         at least 4 GB            1.5 × RAM
          > 64 GB         at least 4 GB            don't

RHEL 7    ≤ 2 GB          2 × RAM                  3 × RAM
          2–8 GB          same as RAM              2 × RAM
          8–64 GB         0.5 × RAM                1.5 × RAM
          > 64 GB         it depends               don't

6 — Package Management

RHEL/CentOS 5.* gave you both IA32 and IA64 binaries and libraries for most packages when you installed onto 64-bit hardware. Put another way, starting with RHEL 6 you no longer get two lines of output when you type:

$ rpm -q firefox

and so you no longer have to type this to figure it out:

$ rpm -q --qf '%{name}.%{arch}\n' firefox

7 — Building Software from Source

Starting with RHEL 6, rpmbuild and related tools no longer use directories under /usr/src/ as their working area. They instead use ~/rpmbuild, meaning that things like building a kernel as root require an unusually large amount of space on the / partition. That is, unless you do this:

# mkdir /usr/src/rpmbuild
# ln -s /usr/src/rpmbuild ~/rpmbuild

8 — Networking: IP Configuration


Kernel support for hardware

RHEL 5

Used /etc/modprobe.conf and /etc/modprobe.d/* to control which kernel module is used for which device, and used its parameters to control which of two Ethernet interfaces with the same chipset became eth0 versus eth1.

RHEL 6

Used /etc/udev/rules.d/70-persistent-net.rules to remember Ethernet devices by MAC address. Replace a card (or move onto new hardware) and a single Ethernet card is no longer eth0, it is now eth1.

RHEL 7

Udev activity has been absorbed into systemd. Network interface names change, see details below.

TCP/IP Commands

The traditional commands ifconfig, route, and netstat are deprecated in favor of the iproute2 package and its ip and ss commands. This has been happening gradually on all distributions, but it becomes much more obvious with RHEL 7. I have more details elsewhere, but here is a short summary of just what changes:

Task                  Traditional Unix, OS X, Android   Linux
LAN statistics        netstat -i                        ip -s link, ifstat
IP address, netmask   ifconfig [-a]                     ip addr, ip -6 addr
IP routing table      route, netstat -r                 ip route, ip -6 route
UDP/TCP activity      netstat -a                        ss -a

IP Configuration and Scripts

Red Hat's network configuration starting with RHEL 6 does a very good job of handling what a few people want — situations where wired and wireless networks appear, disappear, and change. But.... Is an operating system costing hundreds to a few thousands of dollars per CPU socket pair per year going to be used in a notebook carried from coffeeshop to coffeeshop?

Red Hat's NetworkManager service in RHEL 6 slows down the process to the point that restarting the networking can take 30 seconds or more. And while I applaud their attempt to use a netmask length instead of a literal netmask pattern (e.g., 24 instead of 255.255.255.0), their script logic bungles the attempt. You end up with network or broadcast addresses that make no sense.

My recommendation for RHEL 6 has been to disable the NetworkManager service and create new minimal ifcfg-eth* files:

# /etc/init.d/NetworkManager stop
# chkconfig NetworkManager off
# mv /etc/sysconfig/network-scripts/ifcfg-eth0 /root
# vim /etc/sysconfig/network-scripts/ifcfg-eth0

For just IPv4 put this in the new ifcfg-eth0 file:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.12
NETMASK=255.255.255.0
IPV6INIT=no

For IPv4 plus IPv6 autoconfiguration:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.12
NETMASK=255.255.255.0
IPV6INIT=yes
IPV6AUTOCONF=yes

For IPv4 plus IPv6 with an explicit IPv6 configuration:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.12
NETMASK=255.255.255.0
IPV6INIT=yes
IPV6AUTOCONF=no
IPV6ADDR=2001:1800:1234:90::c8/64
IPV6DEFROUTE=yes

Keep in mind that an IPv6 address is laid out like the following, using my example address above for illustration. Remember that leading zeros can be deleted in each 16-bit block, and one string of consecutive zeros can be collapsed into "::", so the final "::c8" really represents 64 bits:

3 bits   45 bits                   16 bits     64 bits
001      global routing prefix     subnet ID   interface ID
2001:1800:1234                     0090        0000:0000:0000:00c8
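The expansion and split described above, as an added example that is not part of the original page: a small Python routine that undoes the "::" and leading-zero compression, cuts the page's own example address 2001:1800:1234:90::c8/64 into the three fields of the table (the 48-bit prefix including the 001 format bits, the 16-bit subnet ID, the 64-bit interface ID), and recompresses an expanded address the way RFC 5952 prescribes. The function names are this example's, not a library API.

```python
"""Expand a compressed IPv6 address and split it into the fields of the
layout table above. Added example, not from the original page; the
function names are this example's own, not a library API."""

HEX = "0123456789abcdef"


def expand_ipv6(addr):
    """Return the eight 4-digit hextets, undoing '::' and leading-zero removal.
    A trailing '/prefix' is ignored here and read by split_global_unicast()."""
    addr = addr.split("/", 1)[0].lower()
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - (len(left) + len(right))
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 blocks, got {len(groups)}")
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in HEX for c in g):
            raise ValueError(f"bad block {g!r}")
    return [g.zfill(4) for g in groups]


def split_global_unicast(addr):
    """Cut an address into the table's fields: 48-bit prefix (including the
    3 format bits), 16-bit subnet ID, 64-bit interface ID. The prefix length
    after '/' defaults to 64; any other length means the table's layout
    (a 64-bit interface ID) does not apply."""
    prefix_len = int(addr.split("/", 1)[1]) if "/" in addr else 64
    h = expand_ipv6(addr)
    bits = "".join(f"{int(x, 16):016b}" for x in h)
    return {
        "format_prefix_bits": bits[:3],          # "001" marks 2000::/3 global unicast
        "is_global_unicast": bits[:3] == "001",
        "global_routing_prefix": ":".join(h[:3]),
        "subnet_id": h[3],
        "interface_id": ":".join(h[4:]),
        "layout_applies": prefix_len == 64,
        "expanded": ":".join(h),
    }


def compress_ipv6(hextets):
    """Reverse of expand_ipv6: drop leading zeros and collapse the longest
    run of zero blocks (two or more) into '::', as RFC 5952 requires."""
    short = [h.lstrip("0") or "0" for h in hextets]
    best_start, best_len, i = -1, 1, 0
    while i < 8:
        if short[i] == "0":
            j = i
            while j < 8 and short[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_start < 0:
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return f"{left}::{right}"
```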

Meanwhile, the default gateway belongs in the file /etc/sysconfig/network:

NETWORKING=yes
HOSTNAME=host.domain.com
GATEWAY=192.168.1.254

Network Interface Names

Starting with RHEL 7 (really with v197 systemd), the traditional interface names eth0, wlan0, and so on have been replaced. See the details here, and even more details here, but the interface names are now based on en for Ethernet or wl for wireless LAN, followed by one of:

1. Firmware-provided index numbers for on-board devices: eno1 for the first on-board Ethernet. However, note that this Fedora page says "Ethernet ports embedded on server motherboards will be named em<port_number>, while ports on PCI cards will be named p<slot_number>p<port_number>, corresponding to the chassis labels."

2. Firmware-provided PCI Express hotplug index numbers: ens1 for the first hotplug Ethernet.

3. Physical locations: enp2s0 for an Ethernet device at PCI bus address 02:00.0.


4. Chained physical locations: wlp0s2f1u4 for a USB WLAN device, with the USB controller at PCI bus address 00:02.0 and using USB function 1 and port 4.

5. MAC address: enx0011951E8EB6 for a device with MAC address 00:11:95:1E:8E:B6.

Version #1 applies if that information is available, falling back to #2 and then #3 or #4, and finally defaulting to an unpredictable detection order and the old-style names ethN and wlanN. The MAC address version is only used if the administrator configures it.

On VMware, a bug leads to the nonsensical numbered name eno16777736. Wow, where are the other 16,777,735 Ethernet ports? One workaround is to edit the *.vmx file and change the number found in this line:

ethernet0.pciSlotNumber="33"

from 33 to a smaller unused number such as 20. That virtual Ethernet device will appear at PCI address 00:14.0 (which is base 16, 0x14 = 20), and it will be enp0s20. Experiment: not all numbers work; many will still result in 16777736.
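An added example, not from the original page, that decodes and builds the predictable names listed above (enp2s0, wlp0s2f1u4, enx0011951E8EB6, eno16777736, and the enp0s20 the VMware workaround produces). It follows systemd's scheme, in which f<n> is the PCI function number (omitted when it is 0), so wlp0s2f1u4 resolves to PCI address 00:02.1 plus USB port 4; systemd writes the hex digits of an enx name in lowercase, so that comparison is made case-insensitively. The function names are this example's own.

```python
"""Decode and build systemd predictable interface names (eno*, ens*,
enp*s*[f*][u*], enx*). Added example, not from the original page; the
function names are this example's own. f<n> is the PCI function number."""
import re

KINDS = {"en": "Ethernet", "wl": "wireless LAN"}

NAME_RE = re.compile(
    r"^(?P<type>en|wl)(?:"
    r"o(?P<onboard>\d+)"                                    # firmware on-board index
    r"|s(?P<hotplug>\d+)"                                   # firmware hotplug slot index
    r"|p(?P<bus>\d+)s(?P<slot>\d+)(?:f(?P<func>\d+))?(?P<usb>(?:u\d+)*)"  # PCI path
    r"|x(?P<mac>[0-9A-Fa-f]{12})"                           # MAC address
    r")$")
PCI_RE = re.compile(r"^(?:[0-9a-f]{4}:)?([0-9a-f]{2}):([0-9a-f]{2})\.([0-7])$", re.I)


def decode_ifname(name):
    """Explain a predictable name; None for legacy ethN/wlanN or unknown forms."""
    m = NAME_RE.match(name)
    if not m:
        return None
    info = {"kind": KINDS[m["type"]]}
    if m["onboard"] is not None:
        info.update(scheme="onboard", index=int(m["onboard"]))
    elif m["hotplug"] is not None:
        info.update(scheme="hotplug-slot", index=int(m["hotplug"]))
    elif m["bus"] is not None:
        bus, slot = int(m["bus"]), int(m["slot"])
        func = int(m["func"]) if m["func"] else 0
        info.update(scheme="pci", pci_address=f"{bus:02x}:{slot:02x}.{func}")
        ports = [int(p) for p in re.findall(r"u(\d+)", m["usb"])]
        if ports:
            info["usb_ports"] = ports      # chain of USB hub ports below that controller
    else:
        mac = m["mac"].lower()
        info.update(scheme="mac", mac=":".join(mac[i:i + 2] for i in range(0, 12, 2)))
    return info


def pci_name(kind, pci_address, usb_ports=()):
    """Predictable name for a device at a PCI address (domain prefix optional),
    optionally behind a chain of USB ports, e.g. ("wl", "00:02.1", [4])."""
    m = PCI_RE.match(pci_address)
    if kind not in KINDS or not m:
        raise ValueError(f"bad input {kind!r}, {pci_address!r}")
    bus, slot, func = (int(x, 16) for x in m.groups())
    name = f"{kind}p{bus}s{slot}" + (f"f{func}" if func else "")
    return name + "".join(f"u{p}" for p in usb_ports)


def mac_name(mac):
    """enx name for a MAC address; systemd writes the hex digits in lowercase."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return "enx" + digits.lower()
```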

For example, I boot my laptop from a CentOS 7 live CD and see the following. Both the wireless LAN and Ethernet controllers are on the PCI bus, but the WLAN device gets a motherboard device name and the Ethernet device gets a PCI device name.

# lspci | grep -i net
02:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8191SEvA Wireless LAN Controller (rev 10)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101E/RTL8102E PCI Express Fast Ethernet controller (rev 02)
# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode default qlen 1000
    link/ether 2c:27:d7:c5:d3:7b brd ff:ff:ff:ff:ff:ff
3: wlo1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DORMANT qlen 1000
    link/ether 68:a34:c4:70:f1:73 brd ff:ff:ff:ff:ff:ff

The biosdevname command is intended to take a kernel device name as an argument and return the BIOS-given name it "should" be. Or at least that's what its manual page says. I honestly don't know what's going on here; I get a completely different name for the Ethernet port and no output at all for the wireless device, in either the new or the traditional name:

# biosdevname -i enp3s0
p1p1
# biosdevname -i wlo1
# biosdevname -i wlan0

My desktop has a wireless LAN interface plugged into a USB port:

$ lspci | grep USB
00:02.0 USB controller: NVIDIA Corporation MCP61 USB 1.1 Controller (rev a3)
00:02.1 USB controller: NVIDIA Corporation MCP61 USB 2.0 Controller (rev a3)
01:09.0 USB controller: OPTi Inc. 82C861 (rev 10)
$ lsusb
Bus 003 Device 004: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
$ lsusb -t
/:  Bus 03.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/10p, 480M
    |__ Port 1: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    |__ Port 4: Dev 4, If 0, Class=Vendor Specific Class, Driver=rt2800usb, 480M
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/2p, 12M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/10p, 12M
    |__ Port 7: Dev 6, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
$ ip addr
[...]
4: wlp0s2f1u4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether c8:3a:35:cf:3b:b9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.102/24 brd 192.168.1.255 scope global wlp0s2f1u4
       valid_lft forever preferred_lft forever
    inet6 fe80::ca3a:35ff:fecf:3bb9/64 scope link
       valid_lft forever preferred_lft forever

wl   = Wireless LAN
p0s2 = Through PCI bus address 00:02.0 to...
f1u4 = USB function 1, port 4

You can inventory the network devices by searching the /sys/devices hierarchy:

# ls -F $( find /sys/devices -name net )
/sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net:
wlo1/

/sys/devices/pci0000:00/0000:00:1c.1/0000:03:00.0/net:
enp3s0/

/sys/devices/virtual/net:
lo/

# ls -F /sys/devices/pci*/*/*/net/*
/sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net/wlo1:
addr_assign_type  device@  ifalias    netdev_group  queues/      type
address           dev_id   ifindex    operstate     speed        uevent
addr_len          dormant  iflink     phy80211@     statistics/  wireless/
broadcast         duplex   link_mode  phys_port_id  subsystem@
carrier           flags    mtu        power/        tx_queue_len

/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.0/net/enp3s0:
addr_assign_type  device@  ifalias    netdev_group  speed        uevent
address           dev_id   ifindex    operstate     statistics/
addr_len          dormant  iflink     phys_port_id  subsystem@
broadcast         duplex   link_mode  power/        tx_queue_len
carrier           flags    mtu        queues        type

Filtering with iptables / ip6tables

Recall that you got default packet filtering rules with iptables and ip6tables starting with RHEL 6. The RHEL 6 iptables default rules are:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The RHEL 6 ip6tables default rules are:

Chain INPUT (policy ACCEPT)
target     prot      source               destination
ACCEPT     all       anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     ipv6-icmp anywhere             anywhere
ACCEPT     all       anywhere             anywhere
ACCEPT     tcp       anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all       anywhere             anywhere            reject-with icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT)
target     prot      source               destination
REJECT     all       anywhere             anywhere            reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot      source               destination

With RHEL 7 the outputs of iptables -L and ip6tables -L are typically over 200 lines long. The rule sets are maintained by a daemon:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 20xx-xx-xx 18:54:04 UTC; 22min ago
 Main PID: 785 (firewalld)
   CGroup: /system.slice/firewalld.service
           +-/usr/bin/python /usr/sbin/firewalld --nofork --nopid

The daemon is a Python program that listens on a Unix domain socket. Verify that for yourself with this:

# lsof -p $( pgrep firewalld )
...

When you start a service through systemd, it can contact the firewall daemon through that socket. "Hello, this is the SSH daemon sshd starting. Please let me accept connections on TCP/22."

9 — Networking: Network Services, and 10 — Print and File Service

For RHEL 6, see the earlier discussion of the media split into DVD1 and DVD2. If you want samba-swat, lpd-cups, and several other network servers, you will need to get the packages from DVD2.

Better yet, add the CentOS.org YUM repository and install things from there.


RHEL 7 includes an update to Samba 4, meaning that your Linux server can function as a full Active Directory server.

11 — Kernel

The file /etc/modprobe.conf last appeared with RHEL 5. The kernel can now detect every device on its own. This means that the Udev daemon became involved in some of the device naming in RHEL 6. Then Udev was absorbed into systemd in RHEL 7.

Red Hat generally does not build their kernel with the IKCONFIG=y configuration setting. If it were set, you could ask the kernel to tell you how it was built by reading the /proc/config.gz kernel data structure. Since it would be the kernel telling you, then you could believe it.

Unfortunately, all Red Hat gives us is the file /boot/config-RELEASE. My experience has shown that it is close to the truth but not entirely correct.

See my page on building Linux kernels for further details on building the kernel. In particular, set the environment variable INSTALL_MOD_STRIP=1 during the build to strip out the symbol information and create a collection of modules and an initrd file only about 10% the size of the unstripped alternative.

Base Kernel
RHEL 5: 2.6.18
RHEL 6: 2.6.32
RHEL 7: 3.10.0

Red Hat uses the same base version of the kernel throughout one major release. They make changes to patch kernel bugs, tune performance, and add functionality but base all of these on the same base version modified to build the *.0 kernel. The GNU GPL requires that the modified source code be freely distributed, but at times Red Hat have obfuscated their changes. Oracle's RedPatch project de-obfuscates these changes, providing the patch files that create Red Hat's variant kernels.

Automatic post-boot kernel tuning now uses /etc/sysctl.conf first, followed by /usr/lib/systemd/sysctl.d/* and /etc/sysctl.d/*.

Load Balancing and High Availability

RHEL 6 built high-availability load-balancing clusters using Linux Virtual Server, using packages including ipvsadm to manage the kernel-based Linux Virtual Server code, Piranha for a web-based cluster configuration tool, and nanny for the monitoring.

RHEL 7 uses Keepalived to manage the load balancing, with the Virtual Router Redundancy Protocol (VRRP) managing router redundancy.

12 — Security-Enhanced Linux

Red Hat has become more ambitious in their use of the NSA Security-Enhanced Linux mechanisms as they progress from one distribution to the next. If you install their product and use it as they direct, it works fine.


Remember that the design philosophy of SELinux is that the policy is always correct. So it is always appropriate to relabel your entire file system:

# restorecon -R -v -e /cgroup /dev /proc /selinux /srv /sys /

--- or ---

# find / \( -fstype ext3 -o -fstype ext4 -o -fstype xfs \) -exec restorecon -v {} \;

Below are the results of running seinfo on some CentOS and RHEL examples.

From CentOS 5.6:

Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)

   Classes:            61    Permissions:       220
   Types:            1868    Attributes:        217
   Users:               3    Roles:               6
   Booleans:          271    Cond. Expr.:       254
   Sensitivities:       1    Categories:       1024
   Allow:          130713    Neverallow:          0
   Auditallow:         42    Dontaudit:        7348
   Role allow:          5    Role trans:          0
   Type_trans:       2309    Type_change:         0
   Type_member:         0    Range_trans:       578
   Constraints:        47    Validatetrans:       0
   Fs_use:             19    Genfscon:           74
   Portcon:           337    Netifcon:            0
   Nodecon:             8    Initial SIDs:       27

From RHEL 6:

Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)

   Classes:            77    Permissions:       229
   Sensitivities:       1    Categories:       1024
   Types:            3073    Attributes:        250
   Users:               9    Roles:              13
   Booleans:          168    Cond. Expr.:       203
   Allow:          269649    Neverallow:          0
   Auditallow:         44    Dontaudit:      162489
   Type_trans:      10914    Type_change:        38
   Type_member:        44    Role allow:         20
   Role_trans:        241    Range_trans:      2590
   Constraints:        64    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           82    Portcon:           378
   Netifcon:            0    Nodecon:             0
   Permissives:        21    Polcap:              2

From RHEL 7:

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            83    Permissions:       255
   Sensitivities:       1    Categories:       1024
   Types:            4263    Attributes:        349
   Users:               8    Roles:              14
   Booleans:          261    Cond. Expr.:       306
   Allow:           92722    Neverallow:          0
   Auditallow:        120    Dontaudit:        7645
   Type_trans:      14717    Type_change:        74
   Type_member:        27    Role allow:         29
   Role_trans:        734    Range_trans:      5006
   Constraints:        98    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             26
   Genfscon:           91    Portcon:           528
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2

Finally, you will find that the output of ls -l began to look a little different with the version included with RHEL 6. There is now a "." after the permission mask, indicating that an SELinux ACL exists for the object:

# ls -l /etc/rsyslog.conf /sbin/rsyslogd
-rw-r--r--. 1 root root   2741 May 20  2009 /etc/rsyslog.conf
-rwxr-xr-x. 1 root root 344528 Jun  8  2010 /sbin/rsyslogd

How to Configure Network Teaming in RHEL 7?

Network teaming in RHEL 7 is not a replacement for bonding, but an alternative, depending on the requirement. In this post I am going to show you how to create a team using two Ethernet interfaces. I am creating it using static network configuration files.

Step 1: I have created the configuration file for the team. Below is the content of that file.

[root@node1 ~]# more /etc/sysconfig/network-scripts/ifcfg-team0
DEVICE=team0
DEVICETYPE=Team
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.120.11
NETMASK=255.255.255.0
TEAM_CONFIG='{"runner": {"name": "activebackup"}, "link_watch": {"name": "ethtool"}}'

Step 2: After that I have configured the files for the two interfaces which are going to be part of the team. I have given a priority of 100 to one interface and 99 to the other.

[root@node1 ~]# more /etc/sysconfig/network-scripts/ifcfg-ens38
DEVICE=ens38
HWADDR=00:0c:29:9e:4c:f7
DEVICETYPE=TeamPort
ONBOOT=yes
TEAM_MASTER=team0
TEAM_PORT_CONFIG='{"prio": 100}'

[root@node1 ~]# more /etc/sysconfig/network-scripts/ifcfg-ens39
DEVICE=ens39
HWADDR=00:0c:29:9e:4c:01
DEVICETYPE=TeamPort
ONBOOT=yes
TEAM_MASTER=team0
TEAM_PORT_CONFIG='{"prio": 99}'

Step 3: After configuring the files, we can restart the network service.

[root@node1 ~]# systemctl restart network

Step 4: In the output of ifconfig you can see that team0 comes up. Now, to check whether our configuration is as expected, we can issue the commands below.

a) How to check which NICs are part of team ?

[root@node1 network-scripts]# teamnl team0 ports
 5: ens39: up 1000Mbit FD
 4: ens38: up 1000Mbit FD

b) How to check which NIC is currently working actively in team ?

[root@node1 network-scripts]# teamdctl team0 state
setup:
  runner: activebackup
ports:
  ens38
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
  ens39
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
runner:
  active port: ens38

From the above output we clearly see that ens38 is our active NIC.

c) How to check the fail over in team?

[root@node1 network-scripts]# ip link set ens38 down

[root@node1 network-scripts]# teamdctl team0 state view
setup:
  runner: activebackup
ports:
  ens38
    link watches:
      link summary: down
      instance[link_watch_0]:
        name: ethtool
        link: down
  ens39
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
runner:
  active port: ens39

We can see that the active port has changed to the other NIC, ens39, when we manually bring down ens38. That means our team0 is working as expected. Very soon I will come up with bridge configuration as well.
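As an added example that is not part of the original post, the following Python checks a team the way the steps above set it up: it parses ifcfg-team0 and the two TeamPort files, validates TEAM_CONFIG and TEAM_PORT_CONFIG as JSON (curly quotes pasted from a web page are a common reason teamd rejects them), and predicts which port the activebackup runner will use, before and after a link goes down. The file contents are constructed from the post's own files (team0, ens38 with prio 100, ens39 with prio 99); the function names are this example's own.

```python
"""Check a team's ifcfg files as the post above sets them up and predict the
activebackup runner's active port. Added example, not from the original post;
the file contents below are constructed from the post's own files."""
import json
import shlex

IFCFG_TEAM0 = """\
DEVICE=team0
DEVICETYPE=Team
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.120.11
NETMASK=255.255.255.0
TEAM_CONFIG='{"runner": {"name": "activebackup"}, "link_watch": {"name": "ethtool"}}'
"""

IFCFG_PORTS = {
    "ens38": "DEVICE=ens38\nHWADDR=00:0c:29:9e:4c:f7\nDEVICETYPE=TeamPort\nONBOOT=yes\n"
             "TEAM_MASTER=team0\nTEAM_PORT_CONFIG='{\"prio\": 100}'\n",
    "ens39": "DEVICE=ens39\nHWADDR=00:0c:29:9e:4c:01\nDEVICETYPE=TeamPort\nONBOOT=yes\n"
             "TEAM_MASTER=team0\nTEAM_PORT_CONFIG='{\"prio\": 99}'\n",
}

# The same team file with the curly quotes a copy-pasted blog post tends to
# carry; teamd's JSON parser rejects it (constructed to show the failure).
IFCFG_TEAM0_CURLY = IFCFG_TEAM0.replace('"runner"', "\u201crunner\u201d")


def parse_ifcfg(text):
    """KEY=value lines into a dict; shell quoting honoured, comments dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = "".join(shlex.split(value, comments=True))
    return cfg


def json_value(cfg, key):
    """(parsed, None) or (None, problem) for a JSON-valued ifcfg key."""
    if key not in cfg:
        return None, f"{key} missing"
    try:
        return json.loads(cfg[key]), None
    except json.JSONDecodeError as e:
        curly = any(c in cfg[key] for c in "\u201c\u201d\u2018\u2019")
        hint = " (curly quotes present)" if curly else ""
        return None, f"{key} is not valid JSON{hint}: {e.msg}"


def check_team(team_text, port_texts, links_up=None):
    """Validate team + ports; return findings, port prios and the port the
    activebackup runner should pick (highest prio among ports with link up).
    links_up: optional {port: bool}, what the ethtool link watch would report."""
    team, findings, prios = parse_ifcfg(team_text), [], {}
    if team.get("DEVICETYPE") != "Team":
        findings.append("DEVICETYPE must be Team")
    team_cfg, err = json_value(team, "TEAM_CONFIG")
    if err:
        findings.append(err)
    runner = (team_cfg or {}).get("runner", {}).get("name")
    if runner != "activebackup":
        findings.append(f"runner is {runner!r}, expected activebackup")
    for name, text in port_texts.items():
        port = parse_ifcfg(text)
        if port.get("DEVICETYPE") != "TeamPort":
            findings.append(f"{name}: DEVICETYPE must be TeamPort")
        if port.get("TEAM_MASTER") != team.get("DEVICE"):
            findings.append(f"{name}: TEAM_MASTER is not {team.get('DEVICE')!r}")
        port_cfg, err = json_value(port, "TEAM_PORT_CONFIG")
        if err:
            findings.append(f"{name}: {err}")
        prios[name] = int((port_cfg or {}).get("prio", 0))   # teamd default prio is 0
    up = {p: pr for p, pr in prios.items() if (links_up or {}).get(p, True)}
    active = max(up, key=up.get) if up else None
    return {"findings": findings, "prios": prios, "expected_active": active}
```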

LDAP: Configure a LDAP directory service for user connection.

Try to follow the instructions very precisely because LDAP syntax is sometimes cumbersome (case sensitive, spaces, etc.) and prone to errors (dn/dc/cn). Let's assume that we use the example.com domain and the instructor.example.com hostname.

Install the following packages:

# yum install -y openldap openldap-servers migrationtools

Generate an LDAP password from a secret key (here redhat):

# slappasswd -s redhat -n > /etc/openldap/passwd

Generate an X509 certificate valid for 365 days:

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
Generating a 2048 bit RSA private key
.....+++
..............+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:instructor.example.com
Email Address []:

Secure the content of the /etc/openldap/certs directory:

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem

Prepare the LDAP database:

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Start the configuration of the LDAP server:

# cd /etc/openldap/slapd.d/cn=config

Edit the olcDatabase={2}bdb.ldif file and replace/type the values specified in bold:

olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: passwd    # replace "passwd" with the hash generated above into /etc/openldap/passwd
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

Edit the olcDatabase={1}monitor.ldif file and replace/type the values specified in bold:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

Edit the /etc/sysconfig/ldap file and change the following option from ‘no‘ to ‘yes‘:

SLAPD_LDAPS=yes

Check the LDAP configuration (there should be no error message):

# slaptest -u

Generate database files (don’t worry about error messages!):

# slaptest

Change LDAP database ownership:

# chown ldap:ldap /var/lib/ldap/*

Activate the slapd service at boot:

# chkconfig slapd on

Start the slapd service:


# service slapd start

Check the LDAP activity:

# netstat -lt | grep ldap

Create the /etc/openldap/base.ldif file with the following content:

dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Build the structure of the directory service:

# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif

Create two users for testing:

# mkdir /home/guests
# useradd -d /home/guests/ldapuser01 ldapuser01
# passwd ldapuser01
# useradd -d /home/guests/ldapuser02 ldapuser02
# passwd ldapuser02

Go to the directory for the migration of the user accounts:

# cd /usr/share/migrationtools

Edit the migrate_common.ph file and replace in the following lines:

$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";

Create the current users in the directory service:

# grep ":5[0-9][0-9]" /etc/passwd > passwd
# ./migrate_passwd.pl passwd users.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f users.ldif
# grep ":5[0-9][0-9]" /etc/group > group
# ./migrate_group.pl group groups.ldif
# ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f groups.ldif

Test the configuration with the user called ldapuser01:

# ldapsearch -x cn=ldapuser01 -b dc=example,dc=com


Add two new rules to the firewall:

# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

Save the firewall configuration:

# service iptables save

Edit the /etc/rsyslog.conf file and add the following line:

local4.* /var/log/ldap.log

Edit the /etc/openldap/slapd.d/cn=config.ldif file and add the following line in the middle of the file:

olcLogLevel: -1

Restart the rsyslog service:

# service rsyslog restart

In addition, Ramdev’s blog provides interesting information (configuration, troubleshooting, etc) on this topic.
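The user-migration step in the procedure above, as an added example that is neither the page's own code nor the migrationtools code: Python that turns /etc/passwd lines into posixAccount LDIF under ou=People,dc=example,dc=com, the base and mail domain the page sets in migrate_common.ph. It selects accounts by the UID field rather than the page's grep ":5[0-9][0-9]", which also matches a 5xx GID or a UID such as 5000; the passwd lines are constructed to show that difference, and password hashes are not copied (they would have to come from /etc/shadow). The function names are this example's own.

```python
"""Build posixAccount LDIF for the ou=People branch from /etc/passwd lines,
the step the procedure above delegates to migrate_passwd.pl. Added example,
not from the original page and not the migrationtools code."""
import base64
import re

BASE_DN = "dc=example,dc=com"
PEOPLE_DN = "ou=People," + BASE_DN
MAIL_DOMAIN = "example.com"
FIELDS = ("login", "password", "uid", "gid", "gecos", "home", "shell")
PAGE_GREP = re.compile(r":5[0-9][0-9]")          # the page's selection pattern

# Constructed sample; the two ldapuser accounts mirror the page's test users.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "ldapuser01:x:500:500::/home/guests/ldapuser01:/bin/bash",
    "ldapuser02:x:501:501::/home/guests/ldapuser02:/bin/bash",
    "svc:x:1000:500:Service account in a 5xx group:/home/svc:/sbin/nologin",
    "app:x:5000:5000:UID 5000 starts with 500:/home/app:/sbin/nologin",
]


def parse_passwd(lines):
    """Seven-field passwd records as dicts; malformed lines are skipped."""
    entries = []
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) == 7 and parts[2].isdigit() and parts[3].isdigit():
            e = dict(zip(FIELDS, parts))
            e["uid"], e["gid"] = int(e["uid"]), int(e["gid"])
            entries.append(e)
    return entries


def select_uid_range(entries, lo=500, hi=599):
    """Accounts whose UID (not any other field) lies in [lo, hi]."""
    return [e for e in entries if lo <= e["uid"] <= hi]


def grep_style_logins(lines):
    """Logins the page's grep would select, for comparison."""
    return [line.split(":")[0] for line in lines if PAGE_GREP.search(line)]


def ldif_attr(name, value):
    """One LDIF line; values RFC 2849 calls unsafe (leading space/colon/'<',
    non-ASCII, NUL/CR/LF) are base64-encoded after a double colon."""
    unsafe = value[:1] in (" ", ":", "<") or any(
        ord(c) > 126 or c in "\0\r\n" for c in value)
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def entry_to_ldif(e):
    """posixAccount/shadowAccount entry; cn is the GECOS name, else the login.
    Password hashes are not copied here (they live in /etc/shadow)."""
    lines = [
        ldif_attr("dn", f"uid={e['login']},{PEOPLE_DN}"),
        ldif_attr("uid", e["login"]),
        ldif_attr("cn", e["gecos"].split(",")[0] or e["login"]),
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        ldif_attr("loginShell", e["shell"]),
        ldif_attr("uidNumber", str(e["uid"])),
        ldif_attr("gidNumber", str(e["gid"])),
        ldif_attr("homeDirectory", e["home"]),
        ldif_attr("mail", f"{e['login']}@{MAIL_DOMAIN}"),
    ]
    if e["gecos"]:
        lines.append(ldif_attr("gecos", e["gecos"]))
    return "\n".join(lines) + "\n"


def passwd_to_ldif(lines, lo=500, hi=599):
    """LDIF for every account in the UID range, entries separated by a blank line."""
    selected = select_uid_range(parse_passwd(lines), lo, hi)
    return "\n".join(entry_to_ldif(e) for e in selected)
```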