RHCE exam topics, part 2
Start the VM:
virsh start ...
Reset the VM:
rht-vm.....
rht-labcheck    (grading check)
ssh -X root@server0.example.com
**1. Adjusting the SELinux mode:
Edit the config file (on both VMs; the default is usually already correct):
#vim /etc/selinux/config
...
A change in /etc/selinux/config only takes effect after "reboot"; verify with "getenforce". "setenforce 0|1" switches between Permissive and Enforcing for the running system only and is lost at the next boot, so for a persistent change edit the file (and reboot, or run setenforce as well).
**2. Configuring SSH access control:
On server0:
Make sure the server package is installed (the package is openssh-server; there is no package called "sshd"): yum -y install openssh-server
Edit the config file:
#vim /etc/ssh/sshd_config
...
DenyUsers *@*my133t.org *@172.34.0.0/24
{DenyUsers/AllowUsers take user@client-address patterns, e.g. mike@172.25.0.0/24. DenyUsers is evaluated before AllowUsers, and once AllowUsers is present every user it does not list is refused, so make sure the account you are logged in with stays allowed. Run "sshd -t" to check the syntax before restarting, and keep your current session open until a fresh login has been tested.}
#systemctl restart sshd
#systemctl enable sshd
On desktop0:
Same steps as on server0: install openssh-server, add the identical DenyUsers line to /etc/ssh/sshd_config, then restart and enable sshd.
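Before restarting sshd it is worth knowing who a DenyUsers/AllowUsers line will actually lock out. The script below is an added example, not part of the original notes: it reads the DenyUsers and AllowUsers lines of an sshd_config and evaluates them for a given user, client IP and resolved hostname in the order sshd(8) uses (deny first, then allow if any AllowUsers is present). It assumes IPv4 only, user@host patterns with shell wildcards or CIDR, and ignores Match blocks and Allow/DenyGroups; the AllowUsers line in the demo config is an assumption added for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): offline evaluator for the
# DenyUsers/AllowUsers logic of sshd_config. Assumptions: IPv4 only, patterns
# are user@host with shell wildcards or user@CIDR, Match blocks and
# Allow/DenyGroups are ignored.
set -f   # keep patterns such as *@*my133t.org literal (no pathname expansion)

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  local a b c d rest
  a=${1%%.*}; rest=${1#*.}
  b=${rest%%.*}; rest=${rest#*.}
  c=${rest%%.*}; d=${rest#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_match IP NET/BITS -> 0 when IP lies inside NET/BITS
cidr_match() {
  local net bits mask
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# pattern_match USER IP HOSTNAME PATTERN -> 0 when the sshd_config pattern matches.
# The host part is tried against the client IP and its resolved name, as sshd
# does with UseDNS on; a pattern without '@' matches the user from any host.
pattern_match() {
  local user="$1" ip="$2" host="$3" pat="$4" upat hpat
  case $pat in
    *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
    *)   upat=$pat; hpat='*' ;;
  esac
  case $user in $upat) ;; *) return 1 ;; esac
  case $hpat in
    */*) cidr_match "$ip" "$hpat" ;;
    *)   case $ip in $hpat) return 0 ;; esac
         case $host in $hpat) return 0 ;; esac
         return 1 ;;
  esac
}

# ssh_access_decision SSHD_CONFIG USER IP HOSTNAME -> prints "deny" or "allow".
# Order follows sshd(8): any DenyUsers match refuses; then, if AllowUsers is
# present at all, the user must match one of its patterns.
ssh_access_decision() {
  local cfg="$1" user="$2" ip="$3" host="$4" key rest p deny='' allow=''
  while read -r key rest; do
    case $key in
      DenyUsers)  deny="$deny $rest" ;;
      AllowUsers) allow="$allow $rest" ;;
    esac
  done < "$cfg"
  for p in $deny; do
    pattern_match "$user" "$ip" "$host" "$p" && { echo deny; return 0; }
  done
  [ -z "$allow" ] && { echo allow; return 0; }
  for p in $allow; do
    pattern_match "$user" "$ip" "$host" "$p" && { echo allow; return 0; }
  done
  echo deny
}

# Constructed sshd_config fragment: the exam's DenyUsers line plus an
# AllowUsers line that is an assumption for the demo.
demo_ssh_rules() {
  cfg=$(mktemp)
  printf 'DenyUsers *@*my133t.org *@172.34.0.0/24\nAllowUsers mike@172.25.0.0/24 root\n' > "$cfg"
  ssh_access_decision "$cfg" mike 172.34.0.7 pc.example.com           # deny (blocked network)
  ssh_access_decision "$cfg" mike 172.25.0.10 desktop0.example.com    # allow
  ssh_access_decision "$cfg" student 172.25.0.10 desktop0.example.com # deny (not in AllowUsers)
  ssh_access_decision "$cfg" root 10.1.1.1 gw.my133t.org              # deny (domain pattern)
  rm -f "$cfg"
}
```

Run demo_ssh_rules, or call ssh_access_decision with the real /etc/ssh/sshd_config and the user and address you log in from; a "deny" for your own session is the lock-out the caveat above warns about.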
**3. Customizing the user environment (aliases):
View: #alias
Temporary change (current shell only): #alias name='replacement command'
Permanent alias for all users: #vim /etc/bashrc
....
alias name='replacement command'
(Use straight ASCII quotes. /etc/bashrc is read by new shells only, so re-login or run "source /etc/bashrc", then check with "alias qstat".)
On server0:
vim /etc/bashrc
......
alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'
On desktop0:
Add the same qstat alias to /etc/bashrc.
**4. Configuring firewalld port forwarding:
On server0:
Enable the firewall: #systemctl restart firewalld / #systemctl enable firewalld
1) #firewall-config (graphical) ....
or
2) 1. #firewall-cmd --get-default-zone    //view
#firewall-cmd --set-default-zone=trusted    //change
2. #firewall-cmd --permanent --zone=block --add-source=172.34.0.0/24    //refuse that network
#firewall-cmd --reload
#firewall-cmd --list-all --zone=block
3. #firewall-cmd --permanent --zone=trusted --add-forward-port=port=5423:proto=tcp:toport=80
#firewall-cmd --reload
#firewall-cmd --list-all
Notes: a zone bound to a source (block with --add-source) is matched before the zone of the incoming interface, so 172.34.0.0/24 is refused even though the default zone is trusted. Making trusted the default zone accepts every other packet on every interface; on a real host keep the default zone (public), add the forward-port rule to it and open only the ports you need. Forwarding to a local port (toport only) needs no masquerading; forwarding to another host (toaddr=) requires --add-masquerade on the zone. --permanent rules are only active after --reload, so always finish with --list-all.
On desktop0:
Identical configuration: enable firewalld, set the default zone, add the block rule for 172.34.0.0/24, add the forward-port rule 5423/tcp -> 80, reload and verify with firewall-cmd --list-all.
**5. Configuring a teamed (aggregated) connection:
man teamd.conf    (contains example JSON runner configurations)
On server0:
1) Create the team: #nm-connection-editor (graphical) or # nmcli con add con-name team0 type team ifname team0 config '{ "runner":{ "name":"activebackup" } }'
2) Add the members: #nmcli connection add con-name team0-p1 type team-slave ifname eth1 master team0
# nmcli con add con-name team0-p2 type team-slave ifname eth2 master team0
3) Give the team an IP address: # nmcli connection modify team0 ipv4.method manual ipv4.addresses '172.16.3.20/24'
4) Activate the team and its members: #nmcli connection up team0
#nmcli connection up team0-p1
#nmcli connection up team0-p2
5) Check the team: #teamdctl team0 state    (both ports should be listed with one active; with the activebackup runner, taking the active port down must move traffic to the other one)
On desktop0:
1) Create the team: #nm-connection-editor (graphical) or # nmcli con add con-name team0 type team ifname team0 config '{ "runner":{ "name":"activebackup" } }'
2) Add the members: #nmcli connection add con-name team0-p1 type team-slave ifname eth1 master team0
# nmcli con add con-name team0-p2 type team-slave ifname eth2 master team0
3) Give the team an IP address: # nmcli connection modify team0 ipv4.method manual ipv4.addresses '172.16.3.25/24'
4) Activate the team and its members: #nmcli connection up team0
#nmcli connection up team0-p1
#nmcli connection up team0-p2
5) Check the team: #teamdctl team0 state    (then ping 172.16.3.20 from desktop0 to confirm the link works)
**6. Configuring the host IPv6 address:
On server0:
1) First list the connections: #nmcli connection show
#nm-connection-editor (graphical) or #nmcli connection modify "System eth0" ipv6.method manual ipv6.addresses "2003:ac18::305/64"
2) #nmcli connection up "System eth0"
Note: after the address is configured the host name may no longer resolve; reset it with "hostnamectl set-hostname <hostname>".
On desktop0:
1) First list the connections: #nmcli connection show
#nm-connection-editor (graphical) or #nmcli connection modify "System eth0" ipv6.method manual ipv6.addresses "2003:ac18::306/64"
2) #nmcli connection up "System eth0"
Note: same host-name caveat as above; verify with "ip -6 addr show eth0" and ping6 between the two hosts.
**7. Basic Postfix mail service:
Install and enable the service (on server0):
#yum -y install postfix
#systemctl restart postfix
#systemctl enable postfix
# netstat -antpu | grep :25    //check that the mail service is listening
Postfix null-client configuration:
1) Configure server0 as a null client:
#vim /etc/postfix/main.cf
relayhost = [smtp0.example.com]    //relay destination; the brackets suppress the MX lookup
inet_interfaces = loopback-only    //listen on the loopback interface only
myorigin = desktop0.example.com    //domain that outgoing mail appears to come from
mynetworks = 127.0.0.0/8 [::1]/128    //trusted networks: the local host only
mydestination =    //empty: this host accepts no domains for local delivery
local_transport = error:local delivery disabled    //any attempt at local delivery is bounced with this message
(The //... parts are annotations, not file content: main.cf does not allow comments after a value, anything written after the value becomes part of it. Check the result with "postconf -n" after the restart.)
#systemctl restart postfix
#systemctl enable postfix
2) Configure "desktop0" as the back-end mail server:
#lab smtp-nullclient setup    //to be confirmed
3) On server0, send a test mail to the local "student" user:
#echo "..." | mail -s "..." recipient...
The local "student" on server0 must not receive the mail; "student" on "desktop0" receives it, and the message shows desktop0 as its origin.
Check the mailbox with "mail -u student" on desktop0.
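Because a stray comment or a forgotten line silently turns the null client back into a normal mail server, it pays to check main.cf mechanically. The script below is an added example, not part of the original notes or of Postfix: it parses "key = value" lines the way postconf(5) describes (last assignment wins, '#' only comments out a whole line) and verifies the four settings that make a host a null client. The sample files it is run against are constructed here.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that a Postfix main.cf
# describes a null client, i.e. it relays everything, listens only on loopback
# and never delivers locally. Parsing is reduced to "key = value" lines; file
# paths used when calling it are the caller's.

# trim STRING -> STRING without leading/trailing whitespace
trim() {
  local s="$1"
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

# check_null_client MAIN_CF -> 0 when all null-client settings are present,
# 1 otherwise; every problem is printed on its own line
check_null_client() {
  local cf="$1" line key val relayhost='' inet='' dest='(unset)' transport='' fail=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac     # whole-line comments only
    case $line in *=*) ;; *) continue ;; esac
    key=$(trim "${line%%=*}")
    val=$(trim "${line#*=}")                     # a later line overrides an earlier one
    case $key in
      relayhost)       relayhost=$val ;;
      inet_interfaces) inet=$val ;;
      mydestination)   dest=$val ;;
      local_transport) transport=$val ;;
    esac
  done < "$cf"
  [ -n "$relayhost" ] || { echo "relayhost is not set: mail would be delivered directly"; fail=1; }
  [ "$inet" = loopback-only ] || { echo "inet_interfaces must be loopback-only (got '${inet:-unset}')"; fail=1; }
  [ -z "$dest" ] || { echo "mydestination must be empty (got '$dest')"; fail=1; }
  case $transport in
    error:*) ;;
    *) echo "local_transport should be error:... so nothing is delivered locally (got '${transport:-unset}')"; fail=1 ;;
  esac
  return $fail
}

# Constructed main.cf fragments: one correct null client, one default-style file.
demo_null_client_check() {
  good=$(mktemp); bad=$(mktemp)
  printf 'relayhost = [smtp0.example.com]\ninet_interfaces = loopback-only\nmyorigin = desktop0.example.com\nmynetworks = 127.0.0.0/8 [::1]/128\nmydestination =\nlocal_transport = error:local delivery disabled\n' > "$good"
  printf '# default-style config\ninet_interfaces = all\nmydestination = $myhostname, localhost\n' > "$bad"
  check_null_client "$good" && echo "null client: OK"
  check_null_client "$bad" || echo "not a null client"
  rm -f "$good" "$bad"
}
```

On the exam hosts, check_null_client /etc/postfix/main.cf should print nothing and return 0 on server0 after step 1, and list several problems on an untouched desktop0.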
**8. Configuring an SMB share:
1) Publish the Samba shares on server0:
#yum -y install samba
#useradd harry
#pdbedit -a harry
new password:    //set the password migwhisk when prompted
retype new password:
#useradd kenji
#pdbedit -a kenji
new password:    //set the password atenorth when prompted
retype new password:
#useradd chihiro
#pdbedit -a chihiro
new password:    //set the password atenorth when prompted
retype new password:
#pdbedit -L    //list the Samba accounts
(useradd creates the Linux account that the share access is mapped to; pdbedit stores the separate Samba password. Unless the task requires shell access, such accounts can be created with -s /sbin/nologin.)
Create the directories:
#mkdir /common
#mkdir /devops
#setfacl -m u:chihiro:7 /devops    //filesystem write permission for chihiro (needed in addition to the Samba write list)
Adjust the SELinux boolean so that writable Samba shares are allowed:
#getsebool -a | grep ^samba_exp    //view the default
#setsebool -P samba_export_all_rw=on    //switch it on permanently
(This boolean lets smbd read and write every file type on the system. The narrower option is to label only the share directories samba_share_t with semanage fcontext and restorecon.)
Configure the shares:
#vim /etc/samba/smb.conf
[global]
workgroup = STAFF
.. ..
[common]    //everything from here down is added by hand
path = /common
hosts allow = 172.25.0.0/24
[devops]
path = /devops
hosts allow = 172.25.0.0/24
write list = chihiro
(Check the file with "testparm". Shares are read-only by default: write list grants write access only to the listed users, and hosts allow limits the client network.)
#systemctl restart smb
#systemctl enable smb
2) Test the Samba shares from the client desktop0:
#yum -y install samba-client
#smbclient -L server0.example.com    //list the shares offered by the host (press Enter at the password prompt for an anonymous listing)
#smbclient -U harry //server0.example.com/common    //connect to the shared directory as harry
#quit
**9. Multi-user Samba mount (on the client desktop0):
1) Mount the Samba share:
#mkdir /mnt/dev
#yum -y install cifs-utils
#vim /etc/fstab
......
//server0.example.com/devops /mnt/dev cifs username=kenji,password=atenorth,_netdev 0 0
#mount -a
#df -hT /mnt/dev
(/etc/fstab is world-readable, so the password is visible to every local user. Outside the exam put the username= and password= lines into a root-only file (mode 0600) and reference it with the credentials= mount option instead.)
2) Enable multiuser support:
#useradd chihiro
#passwd -d chihiro    //remove the password (this leaves a local account that can be reached without a password; on a real system set one instead)
#vim /etc/fstab
......
//server0.example.com/devops /mnt/dev cifs username=kenji,password=atenorth,multiuser,sec=ntlmssp,_netdev 0 0    //edit the existing line, do not add a second one
#umount /mnt/dev
#mount /mnt/dev
3) When needed, any ordinary user can obtain write access temporarily through the Samba user chihiro:
# su - chihiro
$ cifscreds add -u chihiro server0.example.com
Password:    //enter the Samba password of chihiro
$ touch /mnt/dev/a.txt    //test writing
$ ls /mnt/dev/    //check the result
(With multiuser, the kenji credentials only establish the mount; each user's own access is checked with the credentials cifscreds stored in that user's session keyring, so a.txt is created as chihiro, not as kenji.)
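The caveat about plaintext passwords in /etc/fstab can be fixed mechanically. The script below is an added example, not part of the original notes: it reads an fstab, and for every cifs entry carrying username=/password= it moves the two values into a 0600 credentials file and rewrites the options to use mount.cifs's credentials= option, leaving every other option and every non-cifs line untouched. The fstab copy and the credentials directory are assumptions for the demo; on a real host run it against /etc/fstab with a directory under /root.

```shell
#!/bin/sh
# Added example (not from the original notes): move inline CIFS credentials
# out of the world-readable fstab into root-only credentials files read by
# mount.cifs through its credentials= option.
set -f   # fstab fields are never subject to pathname expansion

# harden_cifs_fstab FSTAB CREDDIR -> prints the rewritten fstab on stdout and
# writes one credentials file per cifs mount point into CREDDIR
harden_cifs_fstab() {
  local fstab="$1" creddir="$2" line dev mnt opts dump fsck user pw newopts o credfile oldifs
  while IFS= read -r line; do
    case $line in ''|'#'*) printf '%s\n' "$line"; continue ;; esac
    set -- $line                         # device mountpoint fstype options dump fsck
    if [ "${3:-}" != cifs ]; then printf '%s\n' "$line"; continue; fi
    dev=$1; mnt=$2; opts=$4; dump=${5:-0}; fsck=${6:-0}
    user=''; pw=''; newopts=''
    oldifs=$IFS; IFS=,
    for o in $opts; do
      case $o in
        username=*) user=${o#username=} ;;
        password=*) pw=${o#password=} ;;
        *)          newopts="${newopts:+$newopts,}$o" ;;   # keep everything else in order
      esac
    done
    IFS=$oldifs
    if [ -n "$user" ]; then
      credfile="$creddir/$(printf '%s' "$mnt" | tr / _)"   # /mnt/dev -> CREDDIR/_mnt_dev
      ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pw" > "$credfile" )
      newopts="credentials=$credfile${newopts:+,$newopts}"
    else
      newopts=$opts                      # no inline secret: leave options as they were
    fi
    printf '%s %s cifs %s %s %s\n' "$dev" "$mnt" "$newopts" "$dump" "$fsck"
  done < "$fstab"
}

# Constructed fstab with the exam's multiuser line, rewritten into a temp dir.
demo_harden_fstab() {
  d=$(mktemp -d)
  printf '# constructed fstab\nUUID=0000 / xfs defaults 0 0\n//server0.example.com/devops /mnt/dev cifs username=kenji,password=atenorth,multiuser,sec=ntlmssp,_netdev 0 0\n' > "$d/fstab"
  harden_cifs_fstab "$d/fstab" "$d"
  ls -l "$d/_mnt_dev"
  rm -rf "$d"
}
```

The rewritten line reads "... cifs credentials=CREDDIR/_mnt_dev,multiuser,sec=ntlmssp,_netdev 0 0" and the credentials file is created with mode 0600; after replacing /etc/fstab, "umount /mnt/dev; mount /mnt/dev" confirms the mount still works.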
**10-11. Configuring NFS exports and mounting them:
Plain NFS export:
On server0:
#mkdir /public
#mkdir /protected
#vim /etc/exports
/public 172.25.0.0/24(ro)
/protected 172.25.0.0/24(rw)
#exportfs -r
#systemctl restart nfs-server
#systemctl enable nfs-server
(Verify with "exportfs -v" on the server or "showmount -e server0.example.com" from a client. A plain export trusts the client's IP address and the UIDs it sends, so anyone who controls a machine in 172.25.0.0/24 can present any UID.)
On desktop0:
#mkdir /mnt/nfsmount
#vim /etc/fstab
......
server0.example.com:/public /mnt/nfsmount nfs _netdev 0 0
#mount -a
#df -hT /mnt/nfsmount
Kerberos-secured NFS export:
On server0:
#lab nfskrb5 setup
#wget http://classroom/pub/keytabs/server0.keytab -O /etc/krb5.keytab
(The keytab holds the host's long-term key: it must be owned by root with mode 0600; wget creates it with the default umask, so fix the mode afterwards.)
#mkdir /protected/project
#chown ldapuser0 /protected/project
#vim /etc/exports
/public 172.25.0.0/24(ro)
/protected 172.25.0.0/24(rw,sec=krb5p)
# systemctl restart nfs-server nfs-secure-server
# systemctl enable nfs-server nfs-secure-server
(sec=krb5p requires a Kerberos ticket for every access and encrypts the traffic; krb5 authenticates only, krb5i adds integrity protection. Both hosts need working Kerberos: the keytab, the krb5.conf from the lab setup, and clocks in sync.)
On desktop0:
#lab nfskrb5 setup
#wget http://classroom/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
# mkdir /mnt/nfssecure
# systemctl restart nfs-secure
# systemctl enable nfs-secure
# vim /etc/fstab
.. ..
server0.example.com:/public /mnt/nfsmount nfs _netdev 0 0
server0.example.com:/protected /mnt/nfssecure nfs sec=krb5p,_netdev 0 0
#mount -a
(root can mount /mnt/nfssecure, but files in it are only reachable by a user holding a ticket, e.g. after "kinit ldapuser0"; creating a file in /mnt/nfssecure/project as ldapuser0 is the test.)
**12. Quick deployment of a standalone web site:
1) #yum -y install httpd
# cd /var/www/html/    //go to the document root
# wget http://classroom/pub/materials/station.html -O index.html    //download the page
or # wget http://classroom/pub/materials/station.html -O /var/www/html/index.html
#systemctl restart httpd
#systemctl enable httpd
2) #yum -y install elinks
#elinks -dump http://server0.example.com
or #firefox http://server0.example.com
(If the firewall is active, 80/tcp has to be open, e.g. by adding the http service to the zone in firewalld.)
**13. Deploying a virtual web host:
1) #mkdir /var/www/virtual
#useradd fleyd
#setfacl -m u:fleyd:rwx /var/www/virtual
2) #wget http://classroom/pub/materials/www.html -O /var/www/virtual/index.html
#vim /etc/httpd/conf.d/01-www0.conf
<VirtualHost *:80>
ServerName www0.example.com
DocumentRoot /var/www/virtual
</VirtualHost>
#httpd -t    //check the syntax
#systemctl restart httpd
#systemctl enable httpd
#elinks -dump http://www0.example.com
The first virtual host loaded becomes the default for requests that match no ServerName, so without the file below requests for server0.example.com would be answered by www0. Files in conf.d are read in alphabetical order, which is why 00-default sorts first:
#vim /etc/httpd/conf.d/00-default.conf
<VirtualHost *:80>
ServerName server0.example.com
DocumentRoot /var/www/html
</VirtualHost>
#systemctl restart httpd
#systemctl enable httpd
#elinks -dump http://www0.example.com    //test
#elinks -dump http://server0.example.com    //test
**14. Restricting access to web content:
1) #mkdir /var/www/html/private
#wget http://classroom/pub/materials/private.html -O /var/www/html/private/index.html
2) #vim /etc/httpd/conf.d/00-default.conf
<Directory "/var/www/html/private">
Require ip 127.0.0.0/8 ::1 172.25.0.11
</Directory>
#systemctl restart httpd
#systemctl enable httpd
(Require ip admits only the listed sources, here loopback and server0's own address 172.25.0.11; every other client, including desktop0, receives 403. Test from server0 and from desktop0. This is a source-address check only, so it offers no protection against a client that shares or spoofs an allowed address.)
**15. Configuring a secure (HTTPS) web service:
1) Install the mod_ssl module:
#yum -y install mod_ssl
2) Deploy the key, certificate and CA certificate:
#cd /etc/pki/tls/certs/
#wget http://classroom/pub/example-ca.crt
#wget http://classroom/pub/tls/certs/server0.crt
#cd /etc/pki/tls/private
#wget http://classroom/pub/tls/private/server0.key
(The private key must be readable by root only; wget creates the file with the default umask, so set mode 0600 on server0.key afterwards.)
#vim /etc/httpd/conf.d/ssl.conf
Listen 443 https
.. ..
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"    //document root
ServerName server0.example.com:443    //site name
.. ..
SSLCertificateFile /etc/pki/tls/certs/server0.crt    //server certificate
.. ..
SSLCertificateKeyFile /etc/pki/tls/private/server0.key    //server private key
.. ..
SSLCACertificateFile /etc/pki/tls/certs/example-ca.crt    //CA certificate
(The //... parts are annotations again; "httpd -t" checks the file before the restart.)
#systemctl restart httpd
#systemctl enable httpd
#netstat -antpu | grep httpd    //443 must now be listening as well
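The three things that go wrong with the material above are a key that does not belong to the certificate (httpd then refuses to start), a certificate that does not chain to the CA the clients trust, and a key file left readable by other local users. The script below is an added example, not part of the original notes: it checks all three with the openssl command-line tool on whatever files you point it at; the paths are the caller's and the demo generates its own throw-away self-signed material.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity checks for TLS material
# before restarting httpd. Requires the openssl CLI; file paths are arguments.

# tls_key_matches_cert CRT KEY -> 0 when the key's public half equals the
# public key inside the certificate (works for RSA and EC keys alike)
tls_key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# tls_cert_chains_to CRT CA -> 0 when CRT verifies against the CA file
# (the relationship SSLCACertificateFile/SSLCertificateFile is meant to express)
tls_cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# tls_key_is_private KEY -> 0 when group and others have no permission bits
tls_key_is_private() {
  case $(ls -l "$1" | cut -c5-10) in ------) return 0 ;; *) return 1 ;; esac
}

# check_tls_material CRT KEY CA -> 0 when all checks pass; reports each failure
check_tls_material() {
  local crt="$1" key="$2" ca="$3" fail=0
  tls_key_matches_cert "$crt" "$key" || { echo "private key does not match certificate"; fail=1; }
  tls_cert_chains_to "$crt" "$ca"    || { echo "certificate does not verify against CA"; fail=1; }
  tls_key_is_private "$key"          || { echo "key file is readable by group/others: chmod 600 it"; fail=1; }
  return $fail
}

# Demo with constructed, self-signed material (the certificate is its own CA).
demo_tls_check() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/server0.key" -out "$d/server0.crt" \
    -subj /CN=server0.example.com -days 1 >/dev/null 2>&1
  chmod 600 "$d/server0.key"
  check_tls_material "$d/server0.crt" "$d/server0.key" "$d/server0.crt" && echo "TLS material: OK"
  chmod 644 "$d/server0.key"
  check_tls_material "$d/server0.crt" "$d/server0.key" "$d/server0.crt" || echo "as expected: key too open"
  rm -rf "$d"
}
```

On server0 the call is check_tls_material /etc/pki/tls/certs/server0.crt /etc/pki/tls/private/server0.key /etc/pki/tls/certs/example-ca.crt; it should print nothing before the restart.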
**16. Deploying and testing a WSGI site:
1) #mkdir /var/www/webapp0
#cd /var/www/webapp0
#wget http://classroom/pub/materials/webinfo.wsgi
#cat webinfo.wsgi
2) #yum -y install mod_wsgi
#vim /etc/httpd/conf.d/02-webapp0.conf
Listen 8909
<VirtualHost *:8909>
DocumentRoot /var/www/webapp0
ServerName webapp0.example.com
WSGIScriptAlias / /var/www/webapp0/webinfo.wsgi
</VirtualHost>
3) Adjust the SELinux policy so that the web service may use port 8909:
#semanage port -a -t http_port_t -p tcp 8909    //add the new web port (semanage is in the policycoreutils-python package)
#semanage port -l | grep ^http_port    //confirm the result
#systemctl restart httpd
#systemctl enable httpd
(Without the port label httpd fails to start with "Permission denied" when binding 8909, visible in "journalctl -u httpd" and in the audit log. If the firewall is active, 8909/tcp also has to be opened.)
Aside: if the service will not start for lack of memory, add about 1G of swap:
# mkswap /dev/vdb7    //format the swap partition
(add the device to /etc/fstab, then)
# swapon -a    //enable the swap devices listed in fstab
# swapon -s    //show swap information
# swapoff -a    //disable all swap devices
4) Test the dynamic page:
#elinks -dump http://webapp0.example.com:8909
.....
**17. Create a script:
vim /root/foo.sh
#!/bin/bash
# Print the "other" distribution name for the argument given; anything else is a usage error
if [ "$1" == "redhat" ]; then
    echo "fedora"
elif [ "$1" == "fedora" ]; then
    echo "redhat"
else
    echo "/root/foo.sh redhat|fedora" >&2    # usage message goes to stderr, not stdout
    exit 1                                   # non-zero status so callers can detect the misuse
fi
#chmod +x /root/foo.sh
Test the script: /root/foo.sh redhat, /root/foo.sh fedora, and /root/foo.sh with no or a wrong argument (the message must appear on stderr and "echo $?" must give 1).
**18. Create a script that adds users:
#vim /root/batchusers
#!/bin/bash
# Add every user named in the given file with a non-login shell
if [ $# -eq 0 ]; then
    echo "Usage: /root/batchusers <userfile>"
    exit 1
elif [ ! -f "$1" ]; then
    echo "Input file not found"
    exit 2
fi
while read -r user; do
    [ -z "$user" ] && continue         # skip blank lines
    useradd -s /bin/false "$user"      # /bin/false: the account cannot log in interactively
done < "$1"
# chmod +x ./batchusers
# wget http://classroom/pub/materials/userlist
# /root/batchusers /root/userlist
(Check with "getent passwd <name>" that each new account has /bin/false as its shell. Reading the list with "while read" instead of "for i in $(cat ...)" keeps every name quoted and avoids word splitting and globbing on the file contents.)
**19. Configuring the iSCSI target (on server0):
#fdisk /dev/vdb    (create a 3G partition)
#partprobe /dev/vdb
#yum -y install targetcli
#systemctl restart target
#systemctl enable target
#targetcli
/>ls
/>/backstores/block create iscsi_store /dev/vdb1
/>/iscsi create iqn.2016-02.com.example:server0
/>iscsi/iqn.2016-02.com.example:server0/tpg1/luns create /backstores/block/iscsi_store
/>iscsi/iqn.2016-02.com.example:server0/tpg1/acls create iqn.2016-02.com.example:desktop0
/>iscsi/iqn.2016-02.com.example:server0/tpg1/portals create 172.25.0.11 3260
/>saveconfig
/>exit
#systemctl restart target
#systemctl enable target
#targetcli ls
Notes: if targetcli created a default 0.0.0.0:3260 portal automatically when the target was made, delete it first (portals delete 0.0.0.0 3260) or the specific portal cannot be added. The ACL must equal the InitiatorName the client will use, character for character. An ACL is only an identity check on a name the client chooses itself: without CHAP, any host on the network that sets that IQN can attach the LUN. If the firewall is active, 3260/tcp must be open.
**20. Configuring the iSCSI initiator (on desktop0):
#vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2016-02.com.example:desktop0
#systemctl restart iscsid
#systemctl enable iscsid
#iscsiadm -m discovery -t st -p server0.example.com
#iscsiadm -m node -L all
#lsblk
#vim /var/lib/iscsi/nodes/*/*/default
node.startup = automatic
node.conn[0].startup = automatic
#systemctl restart iscsi
#systemctl enable iscsi
#fdisk /dev/sda    (create a 2100M partition)
#partprobe /dev/sda
#mkfs.ext4 /dev/sda1
#mkdir /mnt/data
#vim /etc/fstab
/dev/sda1 /mnt/data ext4 _netdev 0 0
#mount -a
#df -hT /mnt/data
(Restart iscsid after changing the initiator name, otherwise the old name is presented and the target's ACL rejects the login. _netdev makes the mount wait for the network and the iscsi service at boot. Device names of iSCSI disks can change between boots, so referencing the filesystem by the UUID shown by blkid is more robust than /dev/sda1.)
**21. Setting up a MariaDB database:
1) Install:
# yum -y install mariadb-server mariadb
# systemctl restart mariadb
# systemctl enable mariadb
2) Access the database:
# mysql -uroot
MariaDB [(none)]> show databases;
MariaDB [(none)]> quit
Configure the database:
1) Stop MariaDB from listening on the network (serve the local host only):
#vim /etc/my.cnf
[mysqld]
skip-networking    //no TCP listener; only the Unix socket remains
# systemctl restart mariadb    //restart the service
# systemctl enable mariadb
(Check with "ss -ntlp" or "netstat -antpu" that nothing listens on 3306 any more.)
2) Set the database administrator password:
# mysqladmin -u root password 'atenorth'
3) Create the Contacts database and import the backup:
# mysql -uroot -patenorth
MariaDB [(none)]> create database Contacts;
Download the specified database backup:
# wget http://classroom.example.com/pub/materials/users.sql
Import the database:
# mysql -uroot -patenorth Contacts < users.sql
4) Grant privileges on the Contacts database:
# mysql -uroot -patenorth
MariaDB [(none)]> grant select on Contacts.* to Raikon@localhost identified by 'atenorth';
(Passing -p<password> on the command line exposes it in the process list and the shell history; "mysql -uroot -p" prompts for it instead. The grant gives Raikon read access only, the minimum the task needs.)
**22. Querying the database:
Common commands:
show databases;
use db_name;
show tables;
drop database db_name;    (deletes the database)
describe [db_name.]table_name;
select * from [db_name.]table_name;
select col1,col3 from table_name where field1=value and|or field2=value;
delete from table_name where field1=value and|or field2=value;
1) Use DESC to view the table structure and learn the field names:
MariaDB [(none)]> desc mysql.user;
List the Host, User and Password fields of the user table, restricted to root accounts with an empty password:
MariaDB [(none)]> select host,user,password from mysql.user where user='root' and password='';
**2) Delete the root entries that have an empty password:
MariaDB [(none)]> delete from mysql.user where user='root' and password='';
(Rows changed directly in the grant tables only take effect after "flush privileges;" or a restart. Re-run the select above to confirm no row is left; the remaining root@localhost row keeps the password set in step 21, since mysqladmin only changed that account.)
**3) Query rows by condition:
MariaDB [(none)]> select name from Contacts.base where password='solicitous';
**4) Query across two related tables with several conditions:
MariaDB [(none)]> use Contacts;
MariaDB [Contacts]> select * from base,location where base.name='Barbara' and location.city='Sunnyvale' and base.id=location.id;
or count the matches directly:
MariaDB [Contacts]> select count(*) from base,location where base.name='Barbara' and location.city='Sunnyvale' and base.id=location.id;
(base.id=location.id is the join condition; without it every base row would be paired with every location row.)