RHCSA Study Guide – Practice Exam

############################
Everything below is the set of raw notes I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.  

My notes are my own interpretation of the lectures, and are certainly not a replacement for classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################
For all of the following problems:
- SELinux must be activated in enforcing mode.
- The 'X' sign represents your station number.
- The RHEL 6.1 repository url is:
http://server1.example.com/isos/RHEL-6.1-x86_64/Server

0)  Set up access to the yum repository provided above.  Install setroubleshoot.

NOTES:
[root@web01 ~]# vi /etc/yum.repos.d/myrepo.repo
...
[myrepo]
name = my repo
gpgcheck = 0
baseurl=http://server1.example.com/isos/RHEL-6.1-x86_64/Server
...

[root@web01 ~]# yum install setroubleshoot
[root@web01 ~]# service auditd restart
	
STATUS:  COMPLETE
--


1)  Fix your machine so that it will present a graphical login prompt upon bootup.

NOTES:
[root@web01 ~]# vi /etc/inittab
# change
id:4:initdefault:
# to	
id:5:initdefault:

STATUS:  COMPLETE
--


2)  Replace your DHCP-assigned IP configuration with a static network setup.  Your machine should stay in the same subnet, using the same default gateway and DNS server, as well as the same IP address and netmask, but it will be set up statically instead of dynamically.

NOTES:
[root@web01 ~]# service NetworkManager stop
[root@web01 ~]# chkconfig NetworkManager off
[root@web01 ~]# setup
Put in static configuration

STATUS:  COMPLETE
--


3)  Add 1GiB of swap space to your machine using a raw device.
	
NOTES:
[root@web01 ~]# fdisk /dev/sda
n
e
default
default
n
default
+1G
t
5
82
w
[root@web01 ~]# reboot
[root@web01 ~]# mkswap /dev/sda5
[root@web01 ~]# swapon /dev/sda5
[root@web01 ~]# vi /etc/fstab
...
/dev/sda5 swap swap defaults 0 0 
...

STATUS:  COMPLETE
--


4)  Create user accounts named "student", "mike", and "linus" each with passwords of "redhat" and belonging to a secondary group called "rhce".

NOTES:
[root@web01 ~]# groupadd rhce
[root@web01 ~]# for i in student mike linus; do useradd -G rhce $i; done   # run useradd itself, not echo it
[root@web01 ~]# for i in student mike linus; do passwd $i; done

STATUS:  COMPLETE
--


5)  Restrict the "rhce" group to own no more than 1GiB of data and up to 1000 files in the /home filesystem.
	
NOTES:
[root@web01 ~]# vi /etc/fstab
# change
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults 1 2
# to
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults,usrquota,grpquota 1 2

[root@web01 ~]# umount /home
[root@web01 ~]# mount -a
[root@web01 ~]# quotacheck -mavug
[root@web01 ~]# quotaon -a
[root@web01 ~]# edquota -g rhce
...
/dev/mapper/VolGroup00-LogVol01 40 0 1048576 5 0 1000
...
	
# Quota derived from (edquota block limits are in 1KiB units, so 1GiB is):  echo $((1024*1024))
[root@web01 ~]# repquota -g /home

STATUS:  COMPLETE
--	


6)  Set up a /home/rhce directory to facilitate collaboration among the rhce group.  Each member should be able to create files and modify each other's files, but should not be able to delete anyone else's files in this directory.

NOTES:
[root@web01 ~]# mkdir /home/rhce
[root@web01 ~]# chown root:rhce /home/rhce
[root@web01 ~]# chmod 770 /home/rhce
[root@web01 ~]# chmod +t /home/rhce
[root@web01 ~]# chmod g+s /home/rhce

STATUS:  COMPLETE
--


7)  Configure your machine to be an NIS client of server1 for authenticating users in the example.com domain.  You should then be able to login with a username of "stationX" using "stationX" for the password.

NOTES:
[root@web01 ~]# setup --> Authentication configuration
Select:  NIS and Kerberos
Domain:  example.com
Server:  server1
Check both boxes at bottom

# Now let's just do the automount stuff for completeness
[root@web01 ~]# showmount -e server1
[root@web01 ~]# vi /etc/auto.master
...
/home/nis	/etc/auto.nis
...

[root@web01 ~]# vi /etc/auto.nis
...
* server1.example.com:/home/nis/&
...

[root@web01 ~]# service autofs restart
[root@web01 ~]# ssh station3@localhost # And verify you have your home dir

STATUS:  COMPLETE
--


8)  Expand the filesystem on /home to 3GiB in size.
	
NOTES:
[root@web01 ~]# lvresize -r -L 3G /dev/mapper/VolGroup00-LogVol01
	
STATUS:  COMPLETE
--


9)  Set up a default configuration FTP server.  Verify anonymous access to the pub folder.  Block ftp connections from 192.168.0.32.

NOTES:
[root@web01 ~]# yum install vsftpd
[root@web01 ~]# chkconfig vsftpd on
[root@web01 ~]# service vsftpd start
[root@web01 ~]# iptables --flush
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -s 192.168.0.32 -m tcp -p tcp --dport 21 -j REJECT
...
        
[root@web01 ~]# service iptables restart
[root@web01 ~]# rpm -qlv vsftpd | fgrep /var/ftp # Figure out what perms it should have by default
[root@web01 ~]# chmod 755 /var/ftp	

STATUS:  COMPLETE	
--


10)  Set up a default configuration webserver.  In the index file, place the word "stationX" where X is your station number.  Make this web server only accessible to your machine and server1.example.com.

NOTES:
[root@web01 ~]# yum install httpd
[root@web01 ~]# chkconfig httpd on
[root@web01 ~]# service httpd start
[root@web01 ~]# echo "station3" > /var/www/html/index.html
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -s 192.168.1.44 --dport http -j ACCEPT
-A INPUT -p tcp -s 127.0.0.1 --dport http -j ACCEPT
-A INPUT -p tcp -s server1.example.com --dport http -j ACCEPT
-A INPUT -m tcp -p tcp --dport 80 -j REJECT
...
        
# Now, set up the Apache ACL since the task was ambiguous about access:
[root@web01 ~]# vi /etc/httpd/conf/httpd.conf
...
<Directory />
    Order allow,deny
    Allow from 192.168.1.44 127.0.0.1 server1.example.com
</Directory>
...
	
[root@web01 ~]# service httpd restart
# Tried to browse to the url, no dice
[root@web01 ~]# ls -alZ /var/www/html/
[root@web01 ~]# setenforce 0
# confirmed selinux is the issue
[root@web01 ~]# setenforce 1
[root@web01 ~]# tail /var/log/messages |grep SELinux
[root@web01 ~]# chcon -R --reference /var/www /var/www/html
# -or-
[root@web01 ~]# restorecon -R /var/www/html
[root@web01 ~]# service httpd restart

STATUS:  COMPLETE
--



11)  Set up a new 1G logical volume.  Encrypt the volume with LUKS and set it up to automatically decrypt and mount to /crypt at boot.  Use the ext4 filesystem and place an empty file in the root of the encrypted filesystem with a name of "stationX".

NOTES:  
[root@web01 ~]# lvcreate -n crypt -L 1G VolGroup00
[root@web01 ~]# mkdir /crypt
[root@web01 ~]# cryptsetup luksFormat /dev/VolGroup00/crypt
[root@web01 ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-crypt crypt
[root@web01 ~]# mkfs -t ext4 /dev/mapper/crypt
[root@web01 ~]# vi /etc/fstab
...
/dev/mapper/crypt /crypt ext4 defaults 1 2
...

[root@web01 ~]# mount -a
[root@web01 ~]# dd if=/dev/urandom of=/etc/keyfile bs=1k count=4
[root@web01 ~]# cryptsetup luksAddKey /dev/VolGroup00/crypt /etc/keyfile
[root@web01 ~]# chmod 400 /etc/keyfile
[root@web01 ~]# vi /etc/crypttab
...
crypt /dev/VolGroup00/crypt /etc/keyfile
...
 
[root@web01 ~]# touch /crypt/station3

# How to test this to ensure it'll mount on boot
[root@web01 ~]# umount /crypt
[root@web01 ~]# cryptsetup luksClose crypt   # close the mapping by its name (the one opened above)
[root@web01 ~]# bash
[root@web01 ~]# . /etc/init.d/functions
[root@web01 ~]# init_crypto 1 # If your key works, it won't prompt for a passphrase.
[root@web01 ~]# mount -a

STATUS:  COMPLETE
--


12)  Create a new user "alice".  Give alice, not in the rhce group, read and write access to /home/rhce.

NOTES:
[root@web01 ~]# useradd alice
[root@web01 ~]# passwd alice
[root@web01 ~]# setfacl -R -m u:alice:rwx /home/rhce
[root@web01 ~]# setfacl -R -m default:u:alice:rwx /home/rhce
[root@web01 ~]# chmod +t /home/rhce # Had to set this again... thinking acl blew it out

STATUS:  COMPLETE

RHCSA Study Guide – Objective 10 : Virtualization


Virtualization

EXAM NOTE: This will not be on the test since the test itself runs on a VM, so they can't test for it at the time of this writing, as far as I can tell.

RHEL6 virtualization is done by:

- KVM
- QEMU

To run it, you must be on a 64-bit system and the virtualization extensions must be enabled on the CPUs (i.e. VT (VMX) or AMD-V (SVM)).

To get this working, 4 package groups are needed:

- Virtualization
- Virtualization Client
- Virtualization Platform
- Virtualization Tools

Libvirt is the management framework used in RHEL6 virtualization.

The interfaces to libvirt are:

- virsh : cli
- virt-manager : GUI client (Not exactly feature rich...)

RHCSA Study Guide – Objective 9 : Network Security


TCP Wrappers

TCP wrappers were originally written to provide host-based access controls, pretty much 30 years ago. They can be thought of as the first firewall of sorts. So assuming the service you're looking to protect supports TCP wrappers, you can enable them for it.

To see if the application has tcpwrappers built in, you can do the following:

[root@web01 ~]# which sshd
/usr/sbin/sshd
[root@web01 ~]# ldd /usr/sbin/sshd |grep wrap # If you see libwrap.so.0, it has support.

The 2 configuration files are below:

/etc/hosts.allow
/etc/hosts.deny

They are parsed in the following order:

1.  /etc/hosts.allow is consulted first.  If the configuration permits the requested connection, it's allowed.
2.  /etc/hosts.deny is consulted next.  If the configuration doesn't permit the connection, it's denied.

If the connection is not specifically accepted or rejected in either file, it's denied.

The syntax in both of these files is as follows (using sshd as the example):

[root@web01 ~]# vi /etc/hosts.deny
# Deny ssh connections from 192.168.2.223
sshd: 192.168.2.223

iptables

Iptables operates at the kernel level, which allows for:

- Flexible layer 2 filtering engine
- NAT support
- Port forwarding
- And a ton more

The configuration is parsed top to bottom. First match wins. If there is no specific match, the chain policy will apply.

Tools:

[root@web01 ~]# iptables # view/modify current firewall rules
[root@web01 ~]# iptables-save # Script to save current firewall rules for use with iptables-restore
[root@web01 ~]# iptables-restore # Restores iptables-save format firewall rules - useful to setup firewalls at boot.

Personally, I like doing this stuff myself by directly editing the rules file:

[root@web01 ~]# vi /etc/sysconfig/iptables

When creating rules, considerations include:

1.  What chain should the rule apply to?  Note:  A chain is just a collection of rules.
  a.  INPUT - Any traffic coming inbound 
  b.  OUTPUT - Egress filtering (outbound filtering)
  c.  FORWARD - Responsible for filtering traffic between different interfaces

2.  What traffic pattern to look for
The most common flags for the exam are posted below:
  a.  -i incoming interface
  b.  -p protocol (udp/tcp)
  c.  -s source ip address
  d.  -d destination ip address
  e.  --dport destination port

3.  What should happen with the traffic.
  a.  DROP : Do not deliver, do not respond
  b.  REJECT : Do not deliver, send reject notice
  c.  ACCEPT : Deliver
  d.  LOG : Just log the packet.

EXAM NOTE: You will probably only see INPUT chain rules.

Summary of iptables:
- iptables

What chain should the rule apply to?
 -A INPUT

What is the traffic pattern to look for?
 -s 192.168.222.2

What should happen with the traffic?
 -j REJECT

Lab

1.  Using iptables, configure your web server to NOT accept connections from the 192.168.1.0/24 network, EXCEPT for the IP address of whoever is sitting next to you.  Work together to test firewall settings, and remember, WEB server.

[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -s 192.168.1.4 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j REJECT
...

2.  Browse through the man page for iptables.
[root@web01 ~]# man iptables

3.  Use iptables to allow ssh from the classroom network only.
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT ! -s 192.168.1.0/24 -m tcp -p tcp --dport 22 -j REJECT
...
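The "first match wins" rule above is what makes the order of the two lab 1 lines matter. As an added example (not from the notes, and it never touches the real firewall), here is a toy POSIX sh evaluator that walks an INPUT rule list top to bottom the way the kernel would and prints the decision; it assumes IPv4, numeric ports, and the rule shapes used in this lab, and ignores `-m`.

```shell
#!/bin/sh
# Added example: first-match-wins evaluator for the INPUT-chain rule shapes in the lab.
# Assumes IPv4 and numeric ports; "-m tcp" is skipped; targets are just names.

# ip_to_int 192.168.1.4 -> 3232235780 (dotted quad as a 32-bit integer)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_match ADDR NET[/BITS]: exit 0 when ADDR lies inside NET (a bare host is /32)
cidr_match() {
    case $2 in */*) net=${2%/*}; bits=${2#*/} ;; *) net=$2; bits=32 ;; esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# evaluate_input RULES SRC PROTO DPORT POLICY
# RULES: newline-separated lines in /etc/sysconfig/iptables style, e.g.
#   -A INPUT [!] -s ADDR[/BITS] [-m tcp] [-p tcp|udp] [--dport N] -j TARGET
# Prints the target of the first rule whose options all match the packet,
# or POLICY when no rule matches (the chain policy applies).
evaluate_input() {
    rules=$1; src=$2; proto=$3; dport=$4; policy=$5
    while read -r line; do
        case $line in "-A INPUT"*) ;; *) continue ;; esac   # other chains/comments skipped
        set -- $line; shift 2                               # drop "-A INPUT"
        match=1; negate=0; target=
        while [ $# -gt 0 ]; do
            case $1 in
                '!') negate=1 ;;
                -s) if cidr_match "$src" "$2"; then in_net=1; else in_net=0; fi
                    [ "$in_net" -ne "$negate" ] || match=0   # "! -s" inverts the test
                    negate=0; shift ;;
                -p) [ "$2" = "$proto" ] || match=0; shift ;;
                --dport) [ "$2" = "$dport" ] || match=0; shift ;;
                -m) shift ;;                                    # match-module name, no effect here
                -j) target=$2; shift ;;
            esac
            shift
        done
        if [ "$match" -eq 1 ] && [ -n "$target" ]; then
            echo "$target"; return 0                            # first match wins
        fi
    done <<EOF
$rules
EOF
    echo "$policy"
}

# The rules from lab 1 and lab 3, in the order the notes give them.
LAB_RULES='-A INPUT -s 192.168.1.4 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j REJECT
-A INPUT ! -s 192.168.1.0/24 -m tcp -p tcp --dport 22 -j REJECT'

# The two web rules swapped: the /24 REJECT now shadows the neighbour's ACCEPT.
REVERSED_RULES='-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j REJECT
-A INPUT -s 192.168.1.4 -m tcp -p tcp --dport 80 -j ACCEPT'

for src in 192.168.1.4 192.168.1.77 10.0.0.5; do
    printf '%-13s tcp/80: %-7s tcp/22: %s\n' "$src" \
        "$(evaluate_input "$LAB_RULES" "$src" tcp 80 ACCEPT)" \
        "$(evaluate_input "$LAB_RULES" "$src" tcp 22 ACCEPT)"
done
printf 'reversed order, 192.168.1.4 tcp/80: %s\n' \
    "$(evaluate_input "$REVERSED_RULES" 192.168.1.4 tcp 80 ACCEPT)"
```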

RHCSA Study Guide – Objective 8 : Web Services


Apache

Apache is the default web server on RHEL6. The default configuration file exists at:

/etc/httpd/conf/httpd.conf

In Apache2, the /etc/httpd/conf.d directory stores configuration that are specific to a particular Apache module. All files in this directory ending in .conf will be parsed as a configuration file.

Basic apache vhost default:

# *:80 matches the listening address; name-based hosts are then selected by ServerName/ServerAlias
<VirtualHost *:80>
        ServerName blah.com
        ServerAlias www.blah.com
        DocumentRoot /var/www/vhosts/www.blah.com
        CustomLog /var/log/httpd/blah.com.access combined
        ErrorLog /var/log/httpd/blah.com.error
</VirtualHost>

Apache supports 3 types of virtual hosting:

- IP based hosting : (All sites have different IP's)
- Port based virtual hosting : (The port tells the server where to go, e.g. google.com:33333)
- Name based virtual hosting : (Most popular; Apache looks at the Host header and directs the request to the matching vhost container)

Additional docs:

[root@web01 ~]# yum install httpd-manual
[root@web01 ~]# service httpd restart
[root@web01 ~]# firefox http://localhost/manual

Lab

1.  Configure two websites on your server.  "X" represents your station #. 

2.  wwwX.example.com should be served from the /var/www/html and should also respond to requests for the short hostname wwwX.

3.  vhostX.example.com should be served from /home/linus/html and should also respond to requests for the short hostname vhostX.

4.  Both should be listening on your primary ip address, but wwwX.example.com should be the default site.

** Too much to post answers here... but it's really straightforward.  Just watch SELinux, and perms on /home/linus.

Securing Apache

2 directives for setting up access controls

-  allow from (host|network|ALL)
-  deny from (host|network|ALL)

These are applied in the given order:

1.  order allow,deny : Allows explicitly allowed clients and denies everyone else.  Anyone matching both deny and allow are denied.

2.  order deny,allow : Denies explicitly denied clients and allows everyone else.  Anyone matching both deny and allow are allowed.

These directives are placed inside one of the following tags:

<Directory>
<Files>

In theory, it's best to keep these as global settings in httpd.conf. You have to remember that you are protecting your data, your files and directories, so it's best to keep these secured across all vhosts, so you set them globally. In other words, set them OUTSIDE the vhost tag.

RHCSA Study Guide – Objective 7 : File Sharing


NFS

The Network File System (NFS) is used to share data with other servers.

To see if the NFS server has the ports listening:

[root@web01 ~]# rpcinfo -p server1

To see what shares are setup on the NFS server:

[root@web01 ~]# showmount -e server1

To mount the NFS share:

[root@web01 ~]# mount x.x.x.x:/share1 /mnt

To make it persistent across reboots:

[root@web01 ~]# vi /etc/fstab
...
x.x.x.x:/share /mnt nfs defaults 0 0
...

EXAM NOTE: You just need to know how to mount a share for the rhcsa. No real nfs configuration needed

Lab

Mount the /share NFS share from server1, and add it to your fstab for persistence across reboots
[root@web01 ~]# mount -t nfs server1:/share /mnt
[root@web01 ~]# vim /etc/fstab
...
server1:/share  /mnt nfs defaults 0 0
...

VSFTPD

The default FTP server is vsftpd. The primary configuration file is:

/etc/vsftpd/vsftpd.conf

Two types of access are allowed:

1.  Anonymous : By default, these users are chrooted to /var/ftp for security.  (SELinux note: if you change this directory, you can use chcon's --reference flag to copy the right context.)
2.  User :  By default, users do not get chrooted.

Individual users can be denied by placing their names in:

[root@web01 ~]# vim /etc/vsftpd/ftpusers

Lab

1.  Configure VSFTPd to only allow the user 'richard' to ftp to your server
[root@web01 ~]# yum install vsftpd
[root@web01 ~]# chkconfig vsftpd on

# Now, need to set selinux to allow users to write to their homedir
[root@web01 ~]# getsebool -a |grep ftp
[root@web01 ~]# setsebool -P ftp_home_dir on
[root@web01 ~]# setsebool -P sftpd_enable_homedirs on

# EXAM NOTE: DO NOT FORGET TO SPECIFY THE -P SO THE CHANGE IS PERSISTENT ACROSS REBOOTS!

# Now, set vsftpd to only allow richard in:
[root@web01 ~]# vi /etc/vsftpd/vsftpd.conf
...
anonymous_enable=NO
userlist_enable=YES
# With userlist_deny=NO the user_list file is a whitelist: only the names in it may log in
userlist_deny=NO
...

[root@web01 ~]# vi /etc/vsftpd/user_list
# Remove everything and add
richard

# Test by:
[root@web01 ~]# ftp localhost

2.  Browse through the man page on vsftpd.conf
[root@web01 ~]# man vsftpd.conf

3.  Make sure vsftpd is started at boot time
[root@web01 ~]# chkconfig vsftpd on

RHCSA Study Guide – Objective 6 : Kernel Features


LVM

Quick note: There is a gui tool for all this if that is what you like:

[root@web01 ~]# yum install system-config-lvm
[root@web01 ~]# system-config-lvm

LVM abstracts the physical hardware into logical drive spaces which can be dynamically grown/shrunk and span disparate physical devices. It's good for hard drive management as it abstracts away the details of the underlying storage devices.

There is a small amount of overhead in the VFS layer, so you are going to take a slight performance hit.

LVM Terminology:

- Physical Volume (pv) - A physical volume is the partition/raid device for the lvm space.
- Physical Extent (pe) - EXAM NOTE:  You may need to change this on the test.  It's a chunk of disk space.  Defaults to 4M
- Volume Group (vg) - Collection of physical volumes
- Logical Volume (lv) - A logical volume is a grouping of physical extents from your physical volume.  This is where you format your fs.

Gist of how this works:
pvcreate : Create a physical volume

[root@web01 ~]# pvcreate /dev/sda4

vgcreate : Create a volume group on PV

[root@web01 ~]# vgcreate VolGroup00 /dev/sda4  # This is where the extents are created.

lvcreate : Create a logical volume on VG

[root@web01 ~]# lvcreate -n myvol -L 10G VolGroup00 # This is where the extents are allocated.

Other commands:

vgextend
lvextend
lvresize
resize2fs
lvresize # Use this one when doing your resize:  
ex:  lvresize -r {-l (+extents) | -L (+size)} (lv)

When mounting your new fs, use: /dev/vg/lv.

Lab

EXAM NOTE: Most of this stuff will be on the test

1.  Add logical volume management on top of a new partition.  Use a physical extent size of 16MB.  Use fdisk or whatever to create new volume.  
[root@web01 ~]# pvcreate /dev/sda7
[root@web01 ~]# vgcreate -s 16 vg0 /dev/sda7
[root@web01 ~]# vgdisplay vg0

2.  Use half the available space for a logical volume formatted with ext4 and mounted persistently across reboots.
[root@web01 ~]# lvcreate -n myvol -L 5G vg0
[root@web01 ~]# ls -al /dev/vg0/myvol
[root@web01 ~]# ls -al /dev/mapper/vg0-myvol
[root@web01 ~]# ls -al /dev/dm-3
[root@web01 ~]# mkfs -t ext4 /dev/vg0/myvol
[root@web01 ~]# vi /etc/fstab
...
/dev/vg0/myvol /u03 ext4 defaults 1 2
...
[root@web01 ~]# mkdir /u03
[root@web01 ~]# mount /u03

3.  Take a snapshot of this logical volume and check the file system for errors
[root@web01 ~]# ls -al /u03
[root@web01 ~]# cp /var/log/* /u03/
[root@web01 ~]# lvcreate -s /dev/vg0/myvol -n snap-of-myvol -L 500M
[root@web01 ~]# ls -al /dev/vg0
[root@web01 ~]# lvdisplay vg0 # You will see your 2 logical volumes (and snapshot in 'source of')
[root@web01 ~]# mount /dev/vg0/snap-of-myvol /mnt  # This is how you mount that snapshot.

4.  Assuming none are found, reset the counter for days and mounts until a check is forced on the original file system.
[root@web01 ~]# umount /mnt
[root@web01 ~]# fsck /dev/vg0/snap-of-myvol  # If you see clean, then you should be okay
[root@web01 ~]# tune2fs -l /dev/vg0/snap-of-myvol # Shows mount count, max mount count, check interval and more
[root@web01 ~]# tune2fs -C 25 /dev/vg0/snap-of-myvol # Fake out the system to make it believe it has been mounted 25 times so it will actually fsck
[root@web01 ~]# fsck /dev/vg0/snap-of-myvol

5.  Copy some data onto the LV, then expand it and the filesystem by 50MB.  fsck, then re-mount the filesystem and verify its contents.  Also try reducing by 50MB.
[root@web01 ~]# umount /u03
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol
[root@web01 ~]# lvchange -an /dev/vg0/myvol
[root@web01 ~]# lvchange -ay /dev/vg0/myvol
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol
[root@web01 ~]# lvremove /dev/vg0/snap-of-myvol # If this fails, just try a few more times.  Its a known issue.  You can resize till snap is gone.
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol # Grow it
[root@web01 ~]# lvresize -r -L -300M /dev/vg0/myvol # Shrink it
# Or you can set it to 2G by
[root@web01 ~]# lvresize -r -L 2G /dev/vg0/myvol
# NOTE:  The -r flag does everything with the resize2fs... so you won't have to resize your system manually.

Swap space

Swap space allows the kernel to better manage limited system memory by copying segments of memory onto disk.

To create 2G of additional swap space using a file:

[root@web01 ~]# dd if=/dev/zero of=/swap01 bs=1024 count=2097152
[root@web01 ~]# mkswap /swap01
[root@web01 ~]# swapon /swap01

If you no longer need the /swap01, just:

[root@web01 ~]# swapoff /swap01

Now list your active swap areas by:

[root@web01 ~]# cat /proc/swaps

Performance note:
Creating a swap device via lvm or like its own partition (even better) is better for performance. Setting it up on a file within an existing fs is going to be really horrendous for performance.

Lab

1.  Add 500MB of swap space to your system using a device
[root@web01 ~]# lvcreate -n swap02 -L 500M vg0
[root@web01 ~]# mkswap /dev/vg0/swap02   # swap goes straight onto the block device; no mkdir/mount needed
[root@web01 ~]# swapon /dev/vg0/swap02
[root@web01 ~]# vi /etc/fstab
...
/dev/vg0/swap02 swap swap defaults 0 0
...

2.  Add 500MB of swap space to your system using a swap file
# Calculate how much 500M is:
[root@web01 ~]# echo $((1024*500))
512000
[root@web01 ~]# dd if=/dev/zero of=/swap01 bs=1024 count=512000
[root@web01 ~]# mkswap /swap01
[root@web01 ~]# swapon /swap01
[root@web01 ~]# vi /etc/fstab
...
/swap01 swap swap defaults 0 0
...

RHCSA Study Guide – Objective 5 : Users


Users and Groups

EXAM NOTE: On the test, I will likely have to link this machine to a ldap or nis server.

Users and Groups define access to the OS through the file permission scheme. Root is the super user (uid 0). All users are associated with at least one group. Secondary group memberships can exist too.

User info is stored in:

/etc/passwd
/etc/shadow 
/etc/group

/etc/passwd has 7 fields

1.  username
2.  Where the password used to be stored (it now lives in /etc/shadow, so this is just a placeholder)
3.  Numerical identifier for the account (UID)
4.  Numerical identifier for the primary group (GID)
5.  Comments field (aka GECOS field). 
6.  Home directory
7.  Your shell, or the program that executes when you log in.

/etc/shadow has 2 important fields

- login:encrypted_password: (The rest are password aging fields).
- The aging fields track dates for password resets, locks, etc.

/etc/group

- group name, pw, gid, members.  
- Group passwords allow temporary access to a group; they are rarely used and not set up by default.

Management tools:

1. useradd – add user. Most common option is -g to specify primary group, and -G to add secondary groups. Example:

[root@web01 ~]# useradd -g clowns -G trouble,simpson bart

2. usermod – Modify a user's settings. It takes pretty much all the same options as useradd. When adding a user to an additional secondary group, use -a so the existing secondary groups are kept:

[root@web01 ~]# usermod -a -G detension bart

3. userdel – Remove user from system. If you give it a -r, it’ll also remove his homedir and spool directories. Example:

[root@web01 ~]# userdel -r moe

4. groupadd – Add new group
5. groupmod – Mainly used to rename a group ex. groupmod -n mktg mkg
6. groupdel – Remove a group. Ex. groupdel microsoft
7. passwd – change pw
a. root can change all
b. can disable accounts ex. passwd -l mary
c. Setup passwd aging
d. Time passwd resets
e. Account disabling (or use chage)

Password aging

You can set max / min lifetimes for a user’s password.
example:

[root@web01 ~]# passwd -x days user

When a user's password has expired, you can set the number of days it can remain expired before the account is disabled completely:

[root@web01 ~]# passwd -i days user

User environment files

Files and defaults used when creating accounts

1.  /etc/skel : default template for newly added users' homedir
2.  /etc/profile : sets env variables used by all users
3.  /etc/profile.d : contains scripts specific to certain rpms
4.  /etc/bashrc : contains global aliases and system settings
5.  ~/.bashrc : contains the user's aliases and functions
6.  ~/.bash_profile : contains user env settings, and can be set to automatically start programs at login.

Lab

EXAM NOTE: ALL this stuff is on the test.

1.  Create a new group 'dev'.  Create a new user 'alice' as a member of the 'dev' group, with a description of 'Alice from Dev' and a default shell of '/bin/csh'.  Use the password command to set a password for alice, then log in as alice and verify her access.

[root@web01 ~]# groupadd dev
[root@web01 ~]# useradd -G dev -c "Alice from Dev" -s /bin/csh alice
[root@web01 ~]# passwd alice

2.  Set a maximum pw lifetime of 4 weeks for the alice account.  Look at the password, shadow, and group files

[root@web01 ~]# passwd -x 28 alice   # 4 weeks = 28 days

3.  Configure the users simon, linus, richard.  Set all their passwords to 'linux'
[root@web01 ~]# groupadd ru
[root@web01 ~]# useradd -G ru simon
[root@web01 ~]# useradd -G ru linus
[root@web01 ~]# useradd -G ru richard
[root@web01 ~]# passwd simon
[root@web01 ~]# passwd linus
[root@web01 ~]# passwd richard

4.  Make these users part of the ru group
See #3

5.  Configure the directory /home/linux so that each user from the ru group can read, create, and modify files:
[root@web01 ~]# mkdir /home/linux
[root@web01 ~]# chown -R root:ru /home/linux
[root@web01 ~]# chmod 775 /home/linux
[root@web01 ~]# chmod g+s /home/linux # This means that any files created in here will be owned by group ru regardless of who creates them.

6.  Configure the directory /home/linux/work so that each user can create and read files, but only the files's owner can delete.
[root@web01 ~]# mkdir /home/linux/work
[root@web01 ~]# chown root:ru /home/linux/work
[root@web01 ~]# chmod 775 /home/linux/work
[root@web01 ~]# chmod +t /home/linux/work # Sticky bit: only a file's owner (or root) can delete it

7.  Use ACL's to allow alice, not in 'ru', access to the work folder.
[root@web01 ~]# setfacl -R -m u:alice:rwx /home/linux/work
[root@web01 ~]# setfacl -m default:u:alice:rwx /home/linux/work # As new objects are created in here, they will inherit the acl's.

NIS and LDAP

NIS and LDAP Servers can be configured to centrally manage system and account info.

NIS – This is supposed to be a very basic management system.

[root@web01 ~]# yum install rpcbind ypbind
[root@web01 ~]# system-config-authentication  # <-- GUI tool for setting this up.  Does everything for you.
[root@web01 ~]# setup -> authentication configuration

It’ll modify:

/etc/sysconfig/network
/etc/yp.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth

LDAP – Widely used, flexible db for storing mac, unix, windows, acl’s, and a whole lot more.

[root@web01 ~]# yum install nss-pam-ldapd
[root@web01 ~]# system-config-authentication

It’ll modify:

/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth

EXAM NOTE: You just need to know how to configure the clients. Setting up the servers isn’t required for rhcsa or rhce.

[root@web01 ~]# vim /etc/auto.nis
* server1:/nis/&

[root@web01 ~]# man 5 autofs

Side note:

All the kernel documentation that exists is available via:

[root@web01 ~]# yum install kernel-doc
[root@web01 ~]# cd /usr/share/docs/kernel-docs/blah

RHCSA Study Guide – Objective 4 : File Systems


Filesystem Administration

With partitioning, obviously use fdisk.  Granted, apparently partprobe is no longer used in RHEL6.  That's great, 'cause I never used it before.  So you will have to reboot to get the kernel to see the new partition table (or tell it to re-read the table with partx -a on the disk).  There is also a GUI-based tool called Disk Utility.

So once the partitioning is done, now create the filesystem:

[root@web01 ~]# mkfs.ext4 /dev/sda2

This can show you whether the filesystem is dirty (look at the "Filesystem state" line):

[root@web01 ~]# tune2fs -l /dev/sda2

File system tools:

e2label : view/set filesystem label
tune2fs : view/set filesystem attributes
mount/umount : mount and unmount filesystems

EXAM NOTE: Anything you do on the filesystem, be sure to add it to /etc/fstab, because the system will be rebooted before it is graded, so you need to ensure that it comes back properly after a reboot.

Lab

1.  Using fdisk, create a new 100MB partition
[root@web01 ~]# fdisk /dev/sda
n
e
default
default
n
default
+100M
w
# then reboot (or partx -a /dev/sda) so the kernel sees the new /dev/sda5

2.  Create a new fs on this partition using ext4, a blocksize of 1k, and a reserved space of 2%.  Confirm settings with tune2fs.  Mount the new fs as /u01, and set it to mount at boot.
[root@web01 ~]# mkfs.ext4 -b 1024 -m 2 /dev/sda5
[root@web01 ~]# tune2fs -l /dev/sda5   # check "Block size" and "Reserved block count"
[root@web01 ~]# mkdir /u01
[root@web01 ~]# vi /etc/fstab   # add:  /dev/sda5  /u01  ext4  defaults  1 2
[root@web01 ~]# mount -a        # mounts everything in fstab, which also proves the new entry works

3.  Unmount the /u01 fs and force an integrity check.  Remount the /u01 filesystem.  Use e2label to set the fs label on /u01 to /u01.
[root@web01 ~]# umount /u01
[root@web01 ~]# fsck -f /dev/sda5  # NOTE:  You have to specify -f to FORCE the check; on a filesystem marked clean, fsck otherwise just reports "clean" and exits without checking anything.
[root@web01 ~]# e2label /dev/sda5 /u01
[root@web01 ~]# mount -a
[root@web01 ~]# blkid  # just another way to verify the label, UUID and filesystem type recorded in the superblock.

EXAM NOTE: This may be on the test, but it will probably be LVM-based.

Automount (Autofs)

Autofs monitors a directory and automatically mounts a filesystem when something accesses a path under it.  In RHEL6 it also unmounts it again after it hasn't been touched for 5 minutes (TIMEOUT in /etc/sysconfig/autofs).

Its configuration starts in:

/etc/auto.master

EXAM NOTE: Will need to know how to tell the system which directories to monitor.

/etc/auto.master
mount-point    map-file
ex.  /misc     /etc/auto.misc

This tells automount to 'watch' the /misc pathname for activity, and if activity is observed, consult /etc/auto.misc for instructions.

So for the basic syntax of a map-file entry:

key    [-options]    location
ex.  nfs    -fstype=nfs,ro    nfsserver:/share/nfs

* This tells automount to dynamically mount nfsserver:/share/nfs, read-only over NFS, on /misc/nfs the first time something touches that path.  Autofs mounts stuff as needed, so /misc/nfs only appears once it is accessed.

Lab

1.  Configure your server to automatically mount /share as an NFS share from server1 to /server1/share when a process changes directories there.

[root@web01 ~]# vi /etc/auto.master
...
/server1        /etc/auto.server1
...

[root@web01 ~]# vi /etc/auto.server1
...
share   -fstype=nfs   server1:/share   # the hostname (or its IP, e.g. 192.168.1.100) must resolve from this box
...

[root@web01 ~]# service autofs restart

Make sure autofs is also chkconfig'd on, so it is running after the grading reboot, and test by cd'ing into /server1/share: the access itself triggers the mount, which mount will then list.

EXAM NOTE: I would imagine this will be on the test.
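To see how the two files fit together without an NFS server, here is an added example (not from the notes) that resolves a path the way automount does: find the auto.master line whose mount point is a prefix of the path, take the next path component as the key, look it up in the map file (exact key first, then a * wildcard entry with & substituted), and print the mount command that would result. The file paths and map contents in autofs_demo are constructed for the example; the file formats are the real ones from auto.master(5) and autofs(5).

```shell
#!/bin/sh
# Added example, not from the notes: resolve a path the way automount would, by reading
# an auto.master file and the map file it points at.  Keys are assumed not to contain
# an & themselves.
#
# autofs_resolve MASTER_FILE PATH
#   prints the mount command automount would run for PATH, or returns 1 if no entry matches
autofs_resolve() {
    master=$1; want=$2
    while read -r mp mapfile _mopts; do
        case "$mp" in ''|'#'*|'+'*) continue ;; esac     # skip blank, comment and +auto.master lines
        case "$want" in "$mp"/*) ;; *) continue ;; esac  # is PATH below this mount point?
        key=${want#"$mp"/}; key=${key%%/*}               # first component under the mount point = map key
        awk -v key="$key" -v mp="$mp" '
            NF == 0 || $1 ~ /^#/ { next }
            $1 == key { line = $0; exit }                # exact key wins
            $1 == "*" && wild == "" { wild = $0 }        # remember the first wildcard entry as fallback
            END {
                if (line == "") line = wild
                if (line == "") exit 1                   # no entry: automount would fail the lookup
                split(line, f, " ")
                opts = ""; loc = f[2]
                if (f[2] ~ /^-/) { opts = substr(f[2], 2); loc = f[3] }   # "-fstype=nfs,ro" is optional
                if (f[1] == "*") gsub(/&/, key, loc)     # wildcard entry: & is replaced by the key
                fstype = "nfs"; o = ""                   # autofs defaults to nfs when no fstype is given
                n = split(opts, a, ",")
                for (i = 1; i <= n; i++) {
                    if (a[i] ~ /^fstype=/) fstype = substr(a[i], 8)
                    else if (a[i] != "") o = (o == "" ? a[i] : o "," a[i])
                }
                printf "mount -t %s%s %s %s/%s\n", fstype, (o == "" ? "" : " -o " o), loc, mp, key
            }' "$mapfile" && return 0
    done < "$master"
    echo "autofs: no map entry for $want" >&2
    return 1
}

# Constructed demo files mirroring the lab: /server1 -> auto.server1, /nis -> the wildcard map.
autofs_demo() {
    d=$(mktemp -d) || return 1
    printf 'share -fstype=nfs,ro 192.168.1.100:/share\n' > "$d/auto.server1"
    printf '* server1:/nis/&\n' > "$d/auto.nis"
    printf '/server1 %s/auto.server1\n/nis %s/auto.nis --timeout=60\n' "$d" "$d" > "$d/auto.master"
    autofs_resolve "$d/auto.master" /server1/share      # -> mount -t nfs -o ro 192.168.1.100:/share /server1/share
    autofs_resolve "$d/auto.master" /nis/alice/docs     # -> mount -t nfs server1:/nis/alice /nis/alice
    rm -rf "$d"
}
```

Run autofs_demo to see both resolutions; note that only the first component below the mount point becomes the key, so /nis/alice/docs mounts server1:/nis/alice on /nis/alice and the rest of the path is ordinary directory traversal inside that mount.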

Extended Attributes

lsattr - list attributes
chattr - change attributes (e.g. chattr +i file makes it immutable: nobody, including root, can modify, delete or rename it until chattr -i is run)

EXAM NOTE: Red Hat will likely test on the -i flag, so watch out for it: if a file refuses to be edited or removed even as root, check lsattr.

ACLs

getfacl
setfacl

The filesystem must be mounted with the acl option.  Red Hat's mkfs.ext4 records acl in the superblock's default mount options (see "Default mount options" in tune2fs -l), so it works on / and on ext4 filesystems you create on the box; if a filesystem was created elsewhere without it, add acl to its fstab options.

[root@web01 ~]# setfacl -m u:bob:w memo.txt  -> set an ACL entry
[root@web01 ~]# setfacl -x g:ru memo.txt -> remove an ACL entry
[root@web01 ~]# setfacl -m default:u:bob:w workdir -> set a default ACL (only valid on a directory; inherited by new files created inside it)

EXAM NOTE: These WILL be on the test.

Quotas

Quotas allow you to limit filesystem resources (blocks and inodes) per user or per group.  To enable them, add the following to the mount options of the filesystem in /etc/fstab, then remount it:

[root@web01 ~]# vi /etc/fstab
usrquota,grpquota

[root@web01 ~]# quotacheck -mavug  # build the aquota.user / aquota.group files (-m: don't remount read-only first)
[root@web01 ~]# quotaon -a # Turn on quotas on every fstab filesystem that has quota options
[root@web01 ~]# edquota -u test # Set limits in an editor (setquota does the same non-interactively)

EXAM NOTE: These will be on the test.

Lab

1.  Create a quota for the user student with:
- block soft limit of 100M and a hard limit of 150M
- soft inode limit of 30 and a hard inode limit of 100

2.  Create a quota for the group gdm so that its members collectively have:
- a block soft limit of 200M and a hard limit of 300M
- a soft inode limit of 50 and a hard inode limit of 200

Answers:

[root@web01 ~]# vi /etc/fstab # Add usrquota,grpquota to the mount options of the filesystem that holds /home
usrquota,grpquota

[root@web01 ~]# mount -o remount /home  # remount whichever filesystem you changed so the options take effect
[root@web01 ~]# quotacheck -mavug
[root@web01 ~]# quotaon /home # Turn on quotas
[root@web01 ~]# edquota student # Set limits; block limits are in 1K blocks

# Interesting note:  To do the math quickly on the cli (100M in 1K blocks = 102400):
[root@web01 ~]# echo $((1024*1*100))
[root@web01 ~]# edquota -g gdm

# Set quotas accordingly, then confirm:
[root@web01 ~]# repquota -g /home

EXAM NOTE: This may be on the exam.

Disk Encryption – LUKS

Quick start for those interested:
http://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/

[root@web01 ~]# cryptsetup luksFormat /dev/sda5   # NOTE:  This writes a new LUKS header over the device and destroys everything on it!!!
[root@web01 ~]# cryptsetup luksOpen /dev/sda5 crypt01

luksOpen makes the decrypted device available as /dev/mapper/mapname, ie. /dev/mapper/crypt01.
# NOTE: luksFormat prompts for a passphrase.  A LUKS header has 8 key slots, so up to 8 passphrases or keyfiles can unlock the same device (more are added later with luksAddKey).

Now you will be able to format it:

[root@web01 ~]# mkfs -t ext4 /dev/mapper/crypt01
[root@web01 ~]# mkdir /crypt01
[root@web01 ~]# mount /dev/mapper/crypt01 /crypt01

Now add an entry into fstab:

[root@web01 ~]# vi /etc/fstab
...
/dev/mapper/crypt01 /crypt01 ext4 defaults 1 2
...

Once done, unmount it and close it (the decrypted mapping goes away; the data on /dev/sda5 stays encrypted) by:

[root@web01 ~]# umount /crypt01
[root@web01 ~]# cryptsetup luksClose crypt01

To make this stuff persistent at boot, edit /etc/crypttab as shown below.  The boot scripts read it and luksOpen each mapping before /etc/fstab is processed, which is what makes the fstab entry above work after a reboot.

1. To make a LUKS encrypted device available at boot time, the format of /etc/crypttab is:

[root@web01 ~]# vim /etc/crypttab
mapname device keyfile options

2. To create a keyfile and add it to a free key slot (you will be asked for an existing passphrase):

[root@web01 ~]# dd if=/dev/urandom of=/etc/keyfile bs=1k count=4
[root@web01 ~]# cryptsetup luksAddKey /dev/sda5 /etc/keyfile

3. Add it to crypttab.  The first field is the mapping name, not the /dev/mapper path; the keyfile and options fields are optional (put none for the keyfile to be prompted at boot):

[root@web01 ~]# vi /etc/crypttab
...
crypt01 /dev/sda5 /etc/keyfile [options]
...

EXAM NOTE: Use keyfiles for the test.  In practice, understand the risks: a keyfile stored on an unencrypted filesystem (like /etc here) hands the key to anyone who gets a copy of that filesystem or a root shell on the box.  That is why the keyfile must be root-owned with mode 0400, and why a passphrase is the safer choice for a disk that has to resist offline theft.

LAB

1.  Create a new 100M partition, then set up a LUKS-encrypted ext4 filesystem on it which will be persistent across reboots.

2.  Reboot your machine to verify LUKS filesystems prompt for the passphrase and become accessible automatically after bootup

3.  Browse through the man pages on cryptsetup and crypttab

Answers:

1.  Create your 100M logical partition through fdisk
2.  Set up LUKS
[root@web01 ~]# cryptsetup luksFormat /dev/sda5  # Answer YES (in upper case), and type your passphrase
[root@web01 ~]# blkid # confirm it set the type:  crypto_LUKS
[root@web01 ~]# cryptsetup luksOpen /dev/sda5 crypto  # now enter your passphrase
3.  Now put a fs on the device
[root@web01 ~]# mkfs -t ext4 /dev/mapper/crypto
[root@web01 ~]# blkid # You can now see both the raw device (crypto_LUKS) and the decrypted device (ext4)
4.  Set up /etc/fstab
[root@web01 ~]# vi /etc/fstab
...
/dev/mapper/crypto /u02 ext4 defaults 1 2  # If the test is wonky, set it to 0 0 to prevent fsck.
...
5.  Mount it and you're done.
6.  Now create the crypttab stuff

# Quick and dirty (assumes you typed "test" as the passphrase at luksFormat)
[root@web01 ~]# echo -n test > /etc/keyfile  # You need the -n to prevent the newline character from becoming part of the passphrase
[root@web01 ~]# umount /u02
[root@web01 ~]# cryptsetup luksClose crypto
[root@web01 ~]# cryptsetup luksOpen /dev/sda5 crypto -d /etc/keyfile # The -d (--key-file) flag reads the passphrase from the file instead of prompting.

# Better way of setting up a key - If you don't want to use a passphrase at all, run luksFormat with -d to specify the keyfile.
[root@web01 ~]# dd if=/dev/urandom of=/etc/keyfile bs=1k count=4
[root@web01 ~]# chmod 400 /etc/keyfile  # lock it down BEFORE it becomes a valid key; a default 0644 keyfile is readable by every user on the box
[root@web01 ~]# cryptsetup luksAddKey /dev/sda5 /etc/keyfile
# enter your original passphrase when prompted
Now your key works, and so does your passphrase.

[root@web01 ~]# vi /etc/crypttab
crypto /dev/sda5 # If you leave it like this, it'll prompt you for the passphrase at boot
crypto /dev/sda5 /etc/keyfile   # <-- This is how you should do it.

# The method above gives you a random key for unattended boot, plus a backup passphrase, so if you lose the keyfile you aren't in trouble.

# How to verify all this:
# Confirm your device is unmounted and closed
# This is basically just a way to verify your system will boot, most likely.
[root@web01 ~]# bash
[root@web01 ~]# source /etc/init.d/functions
[root@web01 ~]# init_crypto 1 # This is the function that processes crypttab.  It accepts 0 or 1.  Think of it like mount -a, sort of.
[root@web01 ~]# ls -al /dev/mapper
[root@web01 ~]# mount -a
[root@web01 ~]# ls -al /u02
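Two checks worth running before that reboot, as an added example that is not from the notes: make_keyfile creates the random key with group/other permissions already off (umask 077) instead of chmod'ing it after it is already a valid key, and check_crypttab cross-checks a crypttab against an fstab the way the boot scripts will use them, catching the two mistakes that most often leave a box hanging at boot: a /dev/mapper path in crypttab's first field instead of a plain name, and an fstab entry for a mapping that crypttab never creates. The file paths are parameters so it can run against copies; nothing here calls cryptsetup. LVM volumes also live under /dev/mapper, so they will show up in the orphan report too and should be ignored.

```shell
#!/bin/sh
# Added example, not from the notes: pre-reboot checks for the LUKS setup above.
# Only reads the given crypttab/fstab copies; it never touches cryptsetup or the devices.

# make_keyfile PATH -> 4 KiB of random key material, mode 0600 from the moment the file exists
make_keyfile() {
    kf=$1
    ( umask 077 && dd if=/dev/urandom of="$kf" bs=1k count=4 2>/dev/null ) || return 1
    [ "$(ls -l "$kf" | cut -c5-10)" = "------" ]   # group and other bits must all be off
    # then, on the real box:  cryptsetup luksAddKey /dev/sda5 "$kf"   (not run here)
}

# check_crypttab CRYPTTAB FSTAB -> prints one problem per line; returns 1 if any were found
check_crypttab() {
    crypttab=$1; fstab=$2; problems=0
    while read -r name dev key _opts extra; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$name" in
        */*) echo "$name: first field must be the mapping NAME (e.g. crypt01), not a path"; problems=1 ;;
        esac
        case "$dev" in
        /dev/*|UUID=*) ;;
        *) echo "$name: device '$dev' should be a /dev path or UUID=..."; problems=1 ;;
        esac
        if [ -n "$extra" ]; then
            echo "$name: too many fields (name device [keyfile] [options])"; problems=1
        fi
        if [ -n "$key" ] && [ "$key" != none ]; then
            if [ ! -f "$key" ]; then
                echo "$name: keyfile $key does not exist; boot will prompt or hang"; problems=1
            elif [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
                echo "$name: keyfile $key is readable by group/other; chmod 400 it"; problems=1
            fi
        fi
    done < "$crypttab"
    # every /dev/mapper/NAME that fstab mounts must be defined by a crypttab entry called NAME
    orphans=$(awk '!/^[ \t]*#/ && $1 ~ /^\/dev\/mapper\// { print $1 }' "$fstab" | while read -r mapdev; do
        n=${mapdev#/dev/mapper/}
        grep -q "^$n[[:space:]]" "$crypttab" || echo "fstab mounts $mapdev but crypttab has no entry named '$n'"
    done)
    if [ -n "$orphans" ]; then
        echo "$orphans"; problems=1
    fi
    [ "$problems" -eq 0 ]
}
```

Typical use on the real box is check_crypttab /etc/crypttab /etc/fstab; an empty report and exit status 0 means every mapping fstab depends on will be created at boot and every keyfile is in place and private.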

SELinux

Exam note: You can likely leave SELinux disabled or permissive.  They will likely not test it at all.  It'll be on the RHCE though.

SELinux sits on top of the kernel's normal permission checks, telling the kernel what is permitted and what is not.  There are 3 modes:

- Disabled : the SELinux hooks are not active in the kernel and nothing gets labelled
- Permissive : the hooks are active and policy violations are logged, but the kernel still allows the access
- Enforcing : everything is there, and violations are blocked

Red Hat ships a policy called TARGETED.  It confines a defined set of services (web, mail, ftp, db, etc.) and leaves everything else unconfined.  It's RHEL's way of making our lives a bit easier: by using the targeted policy, we may just have to fix file/directory contexts or booleans.

So every process and object has an SELinux context:
- user:role:type (plus a level field, s0, in the targeted policy)

a.  Which SELinux users can use which roles
b.  Which roles can enter which domains (a domain is just the type of a process)
c.  Which domains can access which types.

Again, RHEL makes this easier and basically just uses the types, nothing else.  We can take it further, but that is our choice to make that work.

So in short, SELinux tells the kernel whether or not to allow access to whatever thing.

If you want to view the context of a process or file, run:

[root@web01 ~]# ps -Z   # list process contexts (ps -eZ for all processes)
[root@web01 ~]# ls -Z   # list file contexts

To change the context of a file, use:

[root@web01 ~]# chcon -R --reference=/var/www/html file

So what does that mean: go to this other location (/var/www/html), and apply its context to my target (file).  So if I put my docroots in /srv, to get SELinux to like this directory, we had to change the context of /srv by:

[root@web01 ~]# chcon -R --reference=/var/www/html /srv

So as long as you know the default location where the contexts reside, you can cheat and just copy the context over to the new location.  Keep in mind that chcon only changes the label on disk: a relabel (restorecon, or a touched /.autorelabel) puts it back to whatever the policy says, which for /srv is not the web type.

All policy violations are logged to /var/log/audit/audit.log as AVC (access vector cache) denials.
** setroubleshoot is a good tool for reading that log; it turns each denial into a plain-English explanation in /var/log/messages (sealert -a /var/log/audit/audit.log does the same on demand).

Let's say you borked your entire setup; you can reapply the default contexts on all common pathnames.  So to restore things, you just do:

[root@web01 ~]# restorecon -R path path...

* NOTE: This will not affect your new stuff like /srv, because that is not in the default labelling.  To make a new path persistent, record it with semanage fcontext (semanage is in the policycoreutils-python package, which may have to be installed) and then run restorecon on the path; restorecon applies whatever semanage recorded.

restorecon knows about the policy and its defaults.  chcon only changes the label you point it at; that is all chcon knows.

EXAM NOTE: restorecon will not really be needed on the RHCE, unless you break something hardcore.

There is a graphical tool for SELinux: system-config-selinux.
NOTE: You MUST reboot the system when enabling or disabling SELinux, since that changes whether the kernel hooks are active, and going from disabled to enabled triggers a full relabel of the filesystem.

The config for SELinux: /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it)
* This is where you set enforcing/permissive/disabled and the policy type (targeted, etc.).  Just the startup mode stuff.

Commands:

getenforce - shows the current SELinux mode
setenforce - lets you change the mode at runtime, without a reboot (it cannot switch between disabled and enabled; that needs the config file and a reboot)
setenforce 0 # Permissive: log denials but don't block (temporarily "disables" enforcement)
setenforce 1 # Enforcing

NOTE: If the server is completely broken and you cannot even boot, you can boot permissive by adding enforcing=0 to the kernel line in grub when booting (selinux=0 disables it entirely for that boot).

Other troubleshooting tools:

policycoreutils (restorecon, setsebool, ...) and policycoreutils-python (semanage)
setroubleshoot

Booleans:
These are basically simple on/off flags in the policy for enabling/disabling particular behaviours:

[root@web01 ~]# getsebool -a |grep httpd  # or whatever service you are working on.
[root@web01 ~]# setsebool -P boolean_name on
# IMPORTANT:  DO NOT FORGET TO SPECIFY THE -P TO MAKE THE CHANGE PERSISTENT ACROSS REBOOTS!

What are some practical uses for SELinux:

- Allowing non-default paths for where you store db, web, etc. content (by labelling them correctly).
- Changing booleans to allow things like public_html directories, ie: getsebool -a |grep httpd (httpd_enable_homedirs)

Lab

1.  With SELinux enforcing, configure a website to be served from /srv
2.  Don't focus on advanced apache settings, accomplish this in the simplest way possible: change the global DocumentRoot
3.  Populate a simple index.html file.
4.  The setroubleshoot tool is useful here.  Don't be confused by any typos in the output.

Answer:
Easy enough, just get apache set up, then:

[root@web01 ~]# yum -y install setroubleshoot
# You will see the denials in /var/log/audit/audit.log, and setroubleshoot's explanation of them in /var/log/messages.
[root@web01 ~]# service auditd restart
[root@web01 ~]# chcon -R --reference=/var/www/html /srv
# chcon fixes it now; for a label that survives a relabel, record the path with semanage fcontext and run restorecon instead.
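To show what reading the AVC denials mentioned above actually involves, and what the persistent fix for this lab looks like, here is an added example that is not from the notes. avc_summary pulls the useful fields out of each denial line in audit.log (comm, source type, target type, class, permission, path); avc_remediation turns an httpd denial on a mislabelled path into the semanage fcontext plus restorecon pair, which, unlike chcon, survives a relabel. AVC_SAMPLE is a constructed audit.log excerpt, not captured from a real host; the type names in it are the RHEL6 targeted-policy ones.

```shell
#!/bin/sh
# Added example, not from the notes: parse AVC denials and suggest the persistent fix.

# Constructed audit.log excerpt for the demo (one SYSCALL record, one AVC record).
AVC_SAMPLE='type=SYSCALL msg=audit(1300000000.123:45): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1300000000.123:45): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/srv/index.html" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'

# avc_summary < audit.log -> one tab-separated line per denial: comm stype ttype tclass perm path
avc_summary() {
    awk '
    function kv(key,   s) {                          # value of key=... on this line, quotes stripped
        if (match($0, key "=[^ ]+")) {
            s = substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
            gsub(/"/, "", s)
            return s
        }
        return "-"
    }
    function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }   # user:role:TYPE:level
    /^type=AVC / && /avc:  *denied/ {
        perm = "-"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        path = kv("path"); if (path == "-") path = kv("name")         # some classes log name= only
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", kv("comm"), ctx_type(kv("scontext")),
               ctx_type(kv("tcontext")), kv("tclass"), perm, path
    }'
}

# avc_remediation < avc_summary output -> commands to run, or a hint, one denial at a time
avc_remediation() {
    tab=$(printf '\t')
    while IFS="$tab" read -r comm stype ttype tclass perm path; do
        if [ "$stype" != httpd_t ]; then
            echo "$comm ($stype) denied $perm on $path ($ttype, $tclass): no canned fix, read sealert"
            continue
        fi
        case "$ttype" in
        httpd_*)   # already a web type: this is a boolean (or a real policy gap), not a label problem
            echo "$path is already $ttype; check: getsebool -a | grep httpd" ;;
        *)         # wrong label: make the policy own the path, then apply it
            top=$(printf '%s\n' "$path" | cut -d/ -f1-2)               # /srv/index.html -> /srv
            printf '%s\n' "semanage fcontext -a -t httpd_sys_content_t \"$top(/.*)?\""
            printf '%s\n' "restorecon -Rv $top" ;;
        esac
    done
}
```

On the real box the pipeline is avc_summary < /var/log/audit/audit.log | avc_remediation; the two commands it prints for the lab are the ones that make /srv stay httpd_sys_content_t through any future relabel, which the chcon in the answer above does not.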

RHCSA Study Guide – Objective 3 : System Administration


Kickstart : The kickstart file is nothing more than a flat-file answer file.

Anaconda will look for this, and use it to install/configure your server.  Stuff you can set are:

- Partitioning and filesystems
- Software packages
- Users, groups, passwords
- Features, networking and more

You can build them:

a.  From scratch
b.  From an existing kickstart file, e.g. the /root/anaconda-ks.cfg that every install leaves behind (probably the most common way)
c.  Using system-config-kickstart (the tool is very basic in nature)

How does this work exactly?  When anaconda starts up, it looks for a ks= option on the kernel command line, and fetches the kickstart file from the path or URL given there.

EXAM NOTE: While this is an objective, this is not on the test, as there is no way to test for this.

Network Administration

2 ways to set network IPs:
– Static
– Dynamic (DHCP)

There are a few different methods of doing this.

1.  Type:  setup
2.  Edit the files directly:  vi /etc/sysconfig/network-scripts/ifcfg-ethX
3.  Using the GUI

Interesting note:
ifconfig – deprecated.  Replaced with ip addr show (ip addr list does the same).
The ip tool also has ip route, ip link show, etc, etc.

EXAM NOTE: This likely won't make a difference on the test.  Just make sure your settings are persistent, because Red Hat will reboot your server before they grade it!

To view routes:

[root@web01 ~]# ip route show

Consider the differences between:

/etc/hosts         : static name-to-address mappings
/etc/resolv.conf   : which DNS servers and search domains to use
/etc/nsswitch.conf : the order in which sources (files, dns, nis, ldap) are consulted for each lookup

EXAM NOTE: Shouldn't have to worry about those 3 really.  They shouldn't be broken.

When changing your IP, hostname, etc, you need to watch out with RHEL6, as it's slightly different from RHEL5: RHEL6 uses NetworkManager.  So what do most people do?  Turn NetworkManager off and go back to the old way using:

/etc/sysconfig/network-scripts/ifcfg-ethX
/etc/sysconfig/network

For DHCP configurations, set up the configuration as follows:

[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ethX
...
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
...

For STATIC configurations, set up the configuration as follows:

[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ethX
...
DEVICE=eth0
BOOTPROTO=none
IPADDR=x.x.x.x
NETMASK=xxx.xxx.xxx.xxx
ONBOOT=yes
GATEWAY=x.x.x.x  <--- In RHEL6 this is set per interface here; GATEWAY in /etc/sysconfig/network still works as the global fallback
DNS1=8.8.8.8 <--- These 2 are also new to RHEL6: ifup writes them into /etc/resolv.conf
DNS2=8.8.4.4 <--- These 2 are also new to RHEL6
DOMAIN=example.com  <--- search domain for /etc/resolv.conf (a domain, not a hostname)
...

When configuring the network settings, Red Hat recommends using nmcli or nm-connection-editor.

In practice, it's a pain for server administration.  If you want, you can turn off NetworkManager and just go back and use your normal things:

[root@web01 ~]# service NetworkManager stop
[root@web01 ~]# chkconfig NetworkManager off

NetworkManager is great for desktops, but when you are doing server administration, it just gets in the way.  If you do leave it running, add NM_CONTROLLED=no to any ifcfg file you hand-edit, or NetworkManager may overwrite your settings.

EXAM NOTES: Your first tasks may be to reset the root password and fix networking.  So be comfortable with this stuff!

Cron

/etc/anacrontab defines the daily/weekly/monthly system jobs: anacron is a more flexible way to run periodic jobs.  When anacron wakes up and realizes it missed a job, it goes back and runs it, after a configurable delay.  Basically this is useful on a desktop: if your laptop is asleep in the middle of the night, the next morning when you wake it up, it will run its stuff within reason to get things caught back up intelligently.  In theory this is pointless for servers, since they run 24/7, but note that in RHEL6 /etc/cron.daily, cron.weekly and cron.monthly are run through anacron (the cronie-anacron package) on servers too, so their start time is governed by /etc/anacrontab, not /etc/crontab.

EXAM NOTES: If a user can't run a cron job, check for a /etc/cron.deny file (and /etc/cron.allow: if cron.allow exists, only the users listed in it may use crontab).  The test is known to throw this out there, so this one sounds critical.

EXAM NOTE: Read man 5 crontab before taking the test, as it'll be on there.

Lab:

1.  Create a cron job for the user root that checks the amount of available space on the system every Friday at 12:34PM

2.  Create a cron job as a regular user that lists the contents of /tmp at 3:54AM on Sunday, January 2.

Answer (plus interesting note)

man 5 crontab : note: The day of a command's execution can be specified by two fields -- day of month, and day of week.  If both fields are restricted (ie, are not *), the command will be run when either field matches the current time.  For example, `30 4 1,15 * 5' would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.  So for job 2, a spec of 54 3 2 1 0 would also fire every Sunday in January; use 54 3 2 1 * and let the calendar supply the Sunday.
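The day-of-month/day-of-week rule quoted above is easy to get wrong, so here is an added example (not from the notes) that evaluates a five-field crontab time spec against a given date and time, implementing that rule along with the usual *, lists, ranges and /step forms. The two time specs at the bottom are my answers to the lab; the command part of each crontab line is whatever follows the five fields (df -h and ls /tmp for these two) and is not modelled.

```shell
#!/bin/sh
# Added example, not from the notes: does a crontab time spec fire at a given time?

# field_matches SPEC VALUE -> 0 if VALUE satisfies SPEC: "*", "5", "1,15", "1-5", "*/10", "1-5/2"
field_matches() {
    awk -v spec="$1" -v val="$2" 'BEGIN {
        n = split(spec, part, ",")
        for (i = 1; i <= n; i++) {
            p = part[i]; step = 1
            if (index(p, "/")) { split(p, sp, "/"); p = sp[1]; step = sp[2] }
            if (p == "*")            { lo = 0; hi = 99 }          # 99 is above every cron field maximum
            else if (index(p, "-"))  { split(p, r, "-"); lo = r[1]; hi = r[2] }
            else                     { lo = p; hi = p }
            if (val + 0 >= lo + 0 && val + 0 <= hi + 0 && (val - lo) % step == 0) exit 0
        }
        exit 1
    }'
}

# cron_matches "MIN HOUR DOM MON DOW" MIN HOUR DOM MON DOW -> 0 if the job would run at that time
cron_matches() {
    spec=$1; min=$2; hour=$3; dom=$4; mon=$5; dow=$6
    set -f; set -- $spec; set +f          # split the spec without letting * glob filenames
    [ $# -eq 5 ] || { echo "cron_matches: expected 5 fields in '$spec'" >&2; return 2; }
    field_matches "$1" "$min"  || return 1
    field_matches "$2" "$hour" || return 1
    field_matches "$4" "$mon"  || return 1
    dom_ok=1; dow_ok=1
    field_matches "$3" "$dom" && dom_ok=0
    field_matches "$5" "$dow" && dow_ok=0
    [ "$dow" -eq 0 ] && field_matches "$5" 7 && dow_ok=0     # Sunday may be written as 0 or 7
    if [ "$3" != "*" ] && [ "$5" != "*" ]; then
        [ $dom_ok -eq 0 ] || [ $dow_ok -eq 0 ]   # both restricted: either field matching is enough
    else
        [ $dom_ok -eq 0 ] && [ $dow_ok -eq 0 ]
    fi
}

# Lab answers (time fields only):
ROOT_DF_JOB='34 12 * * 5'       # root:  df -h   every Friday at 12:34PM
TMP_LIST_JOB='54 3 2 1 *'       # user:  ls /tmp at 3:54AM on January 2; dow left as * on purpose
TMP_LIST_TRAP='54 3 2 1 0'      # naive "Sunday, January 2": ALSO fires every Sunday in January
```

cron_matches "$TMP_LIST_TRAP" 54 3 9 1 0 succeeds (January 9th, a Sunday) while cron_matches "$TMP_LIST_JOB" 54 3 9 1 0 does not, which is the whole point of the man page note: restricting both day fields widens the schedule rather than narrowing it.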

Syslog

RHEL6 now uses rsyslog as the system logger.  They did this because rsyslog can send over TCP, and it also supports queueing, so if a message can't be delivered to a remote log host right away, it is held until it actually makes it there.

Log messages consist of 3 parts:

a.  Facility : describes where it came from in the OS, ie. kern, auth, mail, etc.
b.  Level (priority) : how urgent the message is, from debug up to emerg.  A selector like mail.err matches err and everything more severe (crit, alert, emerg).
c.  Message : the actual log text itself

NOTE: local0-local7 are reserved for your own use/definition.

So to use it, you basically just send your stuff through logger to one of these (logger -p local3.notice "text") and create a rule within /etc/rsyslog.conf to redirect that output to a file.  Another note: Red Hat uses local7 for boot.log, as the init scripts log all the fun startup messages (ie: Starting httpd: [ OK ]) there.

Config file: /etc/rsyslog.conf
Defines where all the messages should go.  The selector/action lines are not much different from /etc/syslog.conf.

Interesting note:
*.err root # If the action is a username (or * for everyone), that user's terminal gets the message written to it, wall-style.  Def didn't know that.

When you use a .none (ie. *.info;mail.none;authpriv.none  /var/log/messages), this means everything at info and above is caught except mail and authpriv, since those are set to .none (the RHEL default line also excludes cron, which has its own file).

EXAM NOTE: Most of this will not be applicable to the test.  The test will have everything set up to its default locations.
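Selector semantics are where people get bitten (a bare priority means "that level and above", a later selector on the same line overrides an earlier one for the facilities it names), so here is an added example, not from the notes, that implements those rules for the plain selector syntax: facility lists (uucp,news.crit), * for any facility or priority, =prio for exactly one level, and .none. The ! forms are not implemented. MESSAGES_SELECTOR is the real RHEL6 default for /var/log/messages; the other selector strings in the usage are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the notes: which messages would an rsyslog.conf selector catch?

# selector_matches SELECTOR FACILITY PRIORITY -> 0 if a message of that facility/priority matches
selector_matches() {
    awk -v sel="$1" -v fac="$2" -v pri="$3" 'BEGIN {
        split("emerg alert crit err warning notice info debug", names, " ")
        for (i = 1; i <= 8; i++) lvl[names[i]] = i - 1       # 0 = most severe ... 7 = least severe
        lvl["panic"] = 0; lvl["error"] = 3; lvl["warn"] = 4   # accepted aliases
        if (!(pri in lvl)) exit 2                             # unknown priority name
        selected = 0
        n = split(sel, part, ";")
        for (i = 1; i <= n; i++) {
            if (split(part[i], fp, /\./) != 2) continue        # malformed piece, ignore it
            m = split(fp[1], facs, ","); hit = 0
            for (j = 1; j <= m; j++) if (facs[j] == "*" || facs[j] == fac) hit = 1
            if (!hit) continue                                # selector does not name this facility
            p = fp[2]
            if (p == "none")                   selected = 0   # later .none removes the facility again
            else if (p == "*")                 selected = 1
            else if (substr(p, 1, 1) == "=")   selected = (lvl[pri] == lvl[substr(p, 2)])
            else if (p in lvl)                 selected = (lvl[pri] <= lvl[p])   # this level and above
        }
        exit !selected
    }'
}

# The RHEL6 default rule for /var/log/messages, as written in /etc/rsyslog.conf
MESSAGES_SELECTOR='*.info;mail.none;authpriv.none;cron.none'

# logger_would_reach SELECTOR FACILITY.PRIORITY -> same check, taking the -p argument syntax of logger
logger_would_reach() {
    sel=$1; fp=$2
    selector_matches "$sel" "${fp%.*}" "${fp#*.}"
}
```

logger_would_reach "$MESSAGES_SELECTOR" local3.notice succeeds, so a logger -p local3.notice message lands in /var/log/messages with the default rule, while local3.debug, mail.anything and authpriv.anything do not; the last two are exactly the .none exclusions the notes describe.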

Logrotate

Config file: /etc/logrotate.conf
Basically RHEL6 rotates once a week and keeps 4 rotations, about 1 month total.  Interesting note: they no longer appear to do 1.gz, 2.gz, etc.  With the dateext option the timestamp is popped onto the end of the file name instead.

Extended configurations are stored in the /etc/logrotate.d directory.  Each file in there is its own logrotate configuration file.  Just use this for your applications, etc.

You can force a log rotation to go through by:

[root@web01 ~]# logrotate -vf /etc/logrotate.conf (or whatever file)

In a logrotate.d/<name> file:

sharedscripts - run the postrotate/prerotate scripts once for the whole set of matching logs, instead of once per log file
postrotate - This is where you can run your custom thing, such as:  service httpd restart (reload is gentler), closed by an endscript line

Troubleshooting

A lot of the troubleshooting objectives on the exam are permissions based, and possibly some minor SELinux, as well as locating error messages in logs.

Some useful tools that will be used on the test:

- top
- df -h
- ldd : list the shared library dependencies of a binary
- ldconfig: update the shared library cache (/etc/ld.so.cache).  Think mlocate.  It basically just reads /etc/ld.so.conf and /etc/ld.so.conf.d/* to create its index.

EXAM NOTE: Thankfully, the ldd/ldconfig stuff won't really be on the test.

Nice level

The kernel uses these priorities when figuring out what needs to run when.  Ranges are from -20 (most favourable to the process) to 19 (least favourable).  It's not the actual priority, but just a minor tunable.  It's not guaranteed to do anything, because it's up to the process scheduler at the end of the day, but it will at least tell it to try to give your process (ie the database) more CPU time.

So if you want to give a process a higher priority, give it -20 (renice -n -20 -p PID).  Regular users cannot raise the priority of their processes; only root can do that.  Regular users can however lower their own priority, up to nice 19, so that their application does not impact others as hard.

EXAM NOTE: Probably won't be on the test.

Lab

1.  Take a few minutes to browse through the various logs in /var/log.  Familiarize yourself with the kinds of info available.

2.  Browse the man page for rsyslog.conf

3.  Find where the audit service keeps its log and add a corresponding new entry to your logrotate configuration.  Force a rotation to see everything work.

Answer:  it logs to /var/log/audit/*.  So create a new config by copying an existing one, e.g. cp /etc/logrotate.d/cups /etc/logrotate.d/audit
Modify the log path entry to /var/log/audit/audit.log.  Rerun: logrotate -vf /etc/logrotate.conf

4.  Remove the audit logrotate configuration and restart the auditd service
(auditd rotates its own log according to max_log_file and max_log_file_action in /etc/audit/auditd.conf, and keeps writing to the file it has open, so renaming it underneath the daemon is not what you want in production; that is why this lab takes the logrotate entry back out.)

5.  Locate the PIDs of the highest memory and highest CPU utilization processes.  Play with their nice levels.

RHCSA Study Guide – Objective 2 : Packages


EXAM NOTE: Will need to know how to manually enable/create a repo

rpm -i : install
rpm -q : query the database
rpm -e : erase (uninstall) a package.

EXAM NOTE: Probably won't need to know much about rpm other than the above.

rpm -qa : queries and lists everything that is installed.
rpm -qi : queries the rpm database for package info.
rpm -qf : determines which package a file belongs to.
rpm -ql : queries the rpm database to list the files that belong to a package.
rpm -Va : verifies all installed packages.
rpm -V pkg : verifies the given package.
rpm -Va |grep ^..5  : shows every file whose contents no longer match the package (the 5 in the third column is the digest check).  Config files (marked c) are expected to show up here; a changed binary is not.  Can be useful!

EXAM NOTE: Aside from the last one, nothing here is likely going to be applicable for the test.
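Since rpm -Va is the one integrity check a stock RHEL box gives you for free, here is an added example (not from the notes) that reads its output and sorts each line by what actually changed, using the column layout from rpm(8): S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities, then an optional attribute letter (c = config file) and the path. A digest change on a config file is normal; on a binary it is the thing this check exists to catch. RPM_VERIFY_SAMPLE is constructed output for the demo, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the notes: triage rpm -Va output.

# Constructed rpm -Va excerpt for the demo.
RPM_VERIFY_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/passwd
.M.......    /usr/bin/sudo
missing     /usr/sbin/useradd
.......T.    /usr/lib64/libz.so.1'

# rpm_verify_triage < rpm-Va-output -> "CLASS<TAB>path<TAB>flags" per line
rpm_verify_triage() {
    awk '
    NF >= 2 {
        flags = $1; attr = ""; path = $2
        if (NF >= 3 && length($2) == 1) { attr = $2; path = $3 }   # attribute column present
        if (flags == "missing") { print "MISSING\t" path; next }
        size   = (substr(flags, 1, 1) == "S")
        mode   = (substr(flags, 2, 1) == "M")
        digest = (substr(flags, 3, 1) == "5")
        owner  = (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
        if (digest && attr == "c")   cls = "config-edited"     # local config change, expected
        else if (digest || size)     cls = "CONTENT-CHANGED"   # non-config file differs from the package
        else if (mode || owner)      cls = "PERMS-CHANGED"     # mode/owner drift, e.g. a new setuid bit
        else                         cls = "mtime-only"        # timestamp only, usually benign
        print cls "\t" path "\t" flags
    }'
}

# rpm_verify_alerts < rpm-Va-output -> only the classes worth a second look, as bare paths
rpm_verify_alerts() {
    rpm_verify_triage | awk '$1 == "CONTENT-CHANGED" || $1 == "PERMS-CHANGED" || $1 == "MISSING" { print $2 }'
}
```

On a real box, rpm -Va | rpm_verify_alerts gives the short list to look at; anything on it that is a setuid binary or a system daemon deserves a reinstall from a trusted repo and a look at who changed it, because rpm can only tell you that the file differs, not why.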

How to extract RPM contents without installing the package:

cd /some/empty/dir
rpm2cpio /path/to/package.rpm | cpio -i -d -m

EXAM NOTE: This will not be on the test.  If Apache is messed up, just reinstall it.

The wrapper for RPM is yum (Yellowdog Updater, Modified).

install : install stuff
search : find stuff by name/description  : ex.  yum search bash
provides : find which package supplies a file when yum search doesn't help : ex. yum provides sed (or yum provides '*/bin/sed' for a file path)
clean all : useful if you broke your conf file and yum is broke, or the cached repository metadata is stale.  ex. yum clean all

EXAM NOTE: The above stuff will be used on the test.

How to set up a repository when Red Hat says: "All your packages can be found at:
http://www.example.com/directory/of/packages."  To do this, first set up the repo:

vi /etc/yum.repos.d/myrepo.repo
[myrepo]
name = my repo thingy
gpgcheck = 0
baseurl=http://www.example.com/directory/of/packages

(gpgcheck=0 turns off signature verification, fine for an exam repo that ships no key; on a real system leave it at 1 and point gpgkey= at the vendor's key.)

Now list the available repos:

yum repolist

To import the key if you like (yum has no import command; rpm does):

rpm --import /url/to/gpg/key

EXAM NOTE: **IMPORTANT** The above will be on the test!  This is CRITICAL.  Without this, you cannot do anything!

To use a local repo (a directory that contains a repodata/ subdirectory), you set the baseurl as follows:

baseurl=file:///path/to/your/repo