Skip to content

lu-chi/RHCE7-Study-Guide

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
README.md
README.md
 
 

Repository files navigation

RHCE7-Study-Guide

My Study Guide for RHCE7

Controlling Services and Daemons - Complete

###Concepts

Unit Types

  • Service Units: have a .service extension and represent system services. This type of unit is used to start frequently accessed daemons, such as a web server.

  • Socket Units: have a .socket extension and represent interprocess communication (IPC) sockets. Control of the socket will be passed to a daemon or newly started service when a client connection is made. Socket units are used to delay the start of a service at boot time and to start less frequently used servies on demand. These are similarin principle to services which use the xinetd superserver to start on demand.

  • Path Units: have a .path extension and are used to delay the activation of a service until a specific file system change occurs. This is commonly used for services which use spool directories, such as a printing system.

Targets

A target is a set of systemd units that should be started to reach a desired state.

Important targets

  • graphical.target: System supports multiple users, graphical and text-based logins.

  • multi-user.target: System supports multiple users, text-based logins only.

  • rescue.target: sulogin prompt, basic system initialization completed.

  • emergency.target: sulogin prompt, initramfs pivot complete and system root mounted on / read-only.

Selecting a different target at boot time.

Simply interrupt the boot loader menu, select the entry to be started, edit it by pressing 'e' and append "systemd.unit=<DESIRED_UNIT>" to the line starting with linux16

Recovering the root password

  • Reboot the System, enter edit mode for the proper entry in the bootloader.

  • Append rd.break to the end of the line that starts with linux16. Restart with Ctrl+X

  • Remount /sysroot as read-write.

switch_root:/# mount -oremount,rw /sysroot
  • Switch into a chroot jail, where /sysroot is treated as the root of the file system tree.
chroot /sysroot

  • Set a new root password

  • Make sure that all unlabeled files (including /etc/shadow at this point) get relabeled during boot.

touch /.autorelabel
  • Type exit twice to continue booting.

Commands

Common systemctl commands

systemctl status <UNIT>
systemctl stop <UNIT>
systemctl start <UNIT>
systemctl restart <UNIT>
systemctl reload <UNIT>
systemctl mask <UNIT>
systemctl unmask <UNIT>
systemctl enable <UNIT>
systemctl disable <UNIT>
systemctl list-dependencies <UNIT>

Change the system target during runtime:

systemctl isolate <TARGET>

Get default system target

systemctl get-default

Set the default target (Not for runtime)

systemctl set-default <DESIRED_TARGET>

Managing IPv6 Networking

###Concepts ####Modifying the system hostname A static host name may be specified in the /etc/hostname file. The hostnamectl command is used to modify this file and may be used to view of the systems FQDN.

###Commands List names of available connections:

nmcli con show

Adding a new connection profile

nmcli con add con-name <NAME> type <TYPE> ifname <INTERFACE_NAME>

Modifying existing connections

nmcli con mod <con-name> ..

Deleting a network connection

nmcli con del <con-name>

Deactivate and disconnect the current connection on the network interface dev

nmcli dev dis <dev-name>

Configuring Link Aggregation and Bridging - Complete

###Network Teaming Software, called runners, implement load balancing and active-backup logic, such as roundrobin. The following runners are avaialble:

  • broadcast: a simple runner which transmits each packet from all ports.

  • roundrobin: a simple runner which transmits packets in a round-robin fashin from each of the ports

  • activebackup: This is a failover runner which watches for link changes and slects an active port for data transfers.

  • loadbalance: This runner monitors traffic and uses a hash function to try to reach a perfect balance when selecting ports for packet transmission.

  • lacp: implements the 802.3ad Link Aggregation Control Protocol.

####Configuring Network Teams: Create the team interface:

nmcli con add type team con-name team0 ifname team0 config '{"runner":{"name":"loadbalance"}}'

Determine the IPv4/IPv6 attributes of the team interface

nmcli con mod team0 ipv4.address 1.2.3.4/24
nmcli con mod team0 ipv4.method manual

Assign the port interfaces. The connection name can be explicitly specified, or it will be team-slave-IFACE by default

nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0

Bring the team and port interfaces up/down

nmcli con up team0
nmcli dev dis eth2

The teamdctl can be used to display the teams state.

teamdctl team0 state

####Setting and adjusting team configuration

nmcli con mod IFACE team.config JSON-configuration-file-or-string

NOTE: Any changes made do not go into effect until the next time the team interface is brought up

#####Link watch setting The link watch setting determines how the link state of the port interfaces are monitored. The default uses functionality similar to the ethtool command to check the link of each interface. Another way to check link state is to periodically use an ARP ping packet to check for remote connectivity. For Example:

"link_watch": {
	"name": "arp_ping",
	"interval": 100,
	"missed_max": 30,
	"source_host": "192.168.23.2",
	"target_host": "192.168.23.1"
},

####Troubleshooting network teams

teamdctl team0 config dump

###Configuring Software Bridges

nmcli con add type bridge con-name br0 ifname br0
nmcli con add type bridge-slave con-name br0-port1 ifname eth1 master br0
nmcli con add type bridge-slave con-anme br0-port2 ifname eth2 master br0

NOTE: NetworkManager can only attach Ethernet interfaces to a bridge. It does not support aggregate interfaces, such as a teamed or bonded interface. These must be configured by manipulating the configuration files in /etc/sysconfig/network-scripts.

####Notes on adding a teamed interface to a bridge Disable the teamed interface in network manager, disable network manager

nmcli dev dis team0
systemctl stop NetworkManager
systemctl disable NetworkManager

Add the BRIDGE entry to the teamed interface

BRIDGE=brteam0

Delete the IP configurations from the configurations of the team port interfaces.

Create a new interace configuration file for the bridge. Define the configuration information in that file:

DEVICE=brteam0
ONBOOT=yes
TYPE=Bridge
IPADDR0=192.168.0.100
PREFIX0=24

Reset the network

systemctl restart network

Network Port-Security

###Firewalld Some important commands:

firewall-cmd --set-default-zone=dmz
firewall-cmd --permanent ...
firewall-cmd --reload

####Rich rules Examples:

firewall-cmd --permanent --zone=classroom --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'
firewall-cmd --add-rick-rule='rule service name=ftp limit value=2/m accept'
firewall-cmd --permanent --add-rich-rule='rule protocol value=esp drop'

Logging with rich rules:

firewall-cmd --permanent --zone=work --add-rich-rule='rule service name="ssh" log prefix="ssh " level="notice" limit value="3\m" accept'

For Help, there are examples at the bottom:

man firewalld.richlanguage

###Masquerading

firewall-cmd --permanent --zone=<ZONE> --add-masquerade

###Port Forwarding

firewall-cmd --permanent --zone=<ZONE> --add-forward-port=port=<PORTNUMBER>:proto=<PROTO>[:toport=<PORTNUMBER>][:toaddr=<IPADDR>]

###Managing SELinux Port Labeling Whenever an administrator decides to run a service on a nonstandard port, there is a high chance that SeLinux port labels will need to be updated.

List Port Labels:

semanage port -l

Managing port labels. To add a port to an existing port label:

semanage port -a -t port_label -p tcp|udp PORTNUMBER
semanage port -a -t gopher_port_t -p tcp 71

Remove port labels

semanage port -d -t gopher_port_t -p tcp 71

Modifying port binding, this will modify port 71/tcp from gopher_port_t to httpd_port_t:

semanage port -m -t httpd_port_t -p tcp 71

Managing DNS for Servers

###DNS Concepts Resource Records:

  • A (Ipv4) records - An A record maps a host name to an IPv4 address

  • AAAA (Ipv6 address) records - An AAAA resource record maps a host name to an IPv6 address.

  • CNAME(canonical name) records - A CNAME resource record aliases one name to another name (the canonical name), which should have A or AAAA records.

  • PTR(pointer) records - A PTR record maps IPv4 or IPV6 addresses to a host name. They are used for reverse DNS resolution

  • NS(name server) records - An NS record maps a domain name to a DNS name server which is authoritive for its DNS zone

  • SOA(start of authority) records - an SOA record provides information about how a DNS zone works.

  • MX (mail exchange) records - An MX record maps a domain name to a mail exchange which will accept email for that name.

  • TXT(text) records - A TXT record is used to map a name to arbitrary human-readable text

###Configuring aa Caching Name Server Caching nameserver

Caching nameservers store DNS query results in a local cache and removes resource records from the cache when their TTLs expire. This greatly imporves the efficiency of DNS name resolutions by reducing DNS traffic across the internet.

DNSSEC validation

Prevents cache poisoning. DNSSEC validation enabled allows the authenticity and integrity of resource records to be validated prior to being placed in the cache for use by clients.

####Configuring and administering unbound as a caching nameserver Install unbound

yum install -y unbound

Enable and start the service

systemctl start unbound.service
systemctl enable unbound.service

Configure the network interface to listen on

By default, unbound only listens on the localhost network interface. To make unbound available to remote clients as a caching nameserver, use the interface option in the server clause of /etc/unbound/unbound.conf to specify th enetwork interface(s) to listen on.

interface: 0.0.0.0

Configure client access

By default, unbound refuses recursive queries from all clients. In the server clause of /etc/unbound/unbound.conf, use the access-control option to specify which clients are allowed to make recursive queries.

access-control: 172.25.0.0/24 allow

Configure forwarding

For a caching nameserver, forward all queries by specifying a forward-zone of ".".

forward-zone:
	name: "."
	forward-addr: 172.25.254.254

If desired, bypass DNSSEC validation for select unsigned zones. The domain-insecure option in the server clause of the file can be used to specify a domain for which DNSSEC validation should be skipped.

domain-insecure: example.com

If desired, install trust anchors for select signed-zones without complete chain of trust. Obtain the DNSKEY record for the key signing key of the zone using dig and input it as the value for the trust-anchor option

dig +dnssec DNSKEY example.com
trust-anchor: "example.om 2500 in DNSKEY 243 3 8 ;laksjd;lfkja;sdklfja;slkdfja;lskdjf;alksjdf;laksdjf;lkajsd;lkfjas;dklfja;sdklfj;aiowej;fiajsf;awiejf;alj"

Verify the configuration file:

unbound-checkconf

Restart services, configure firewall to allow DNS.

systemctl restart unbound.service
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload

Dumping and loading unbound cache

unbound-control dump_cache

Flusing unbound cache

unbound-control flush www.example.com

###DNS Troubleshooting Useful commands:

getent hosts example.com
gethostip example.com
dig A example.com

####DNS response codes:

  • SERVFAIL - Failure of the DNS server to communicate with the nameservers authoritative for the name being queried.

  • NXDOMAIN - No records were found associated with the name queried.

  • REFUSED - DNS server has a policy restriction which keeps it from fulfilling the client's query.

Configuring Email Transmission (PostFix) - Complete

###Concepts ####Null Clients In practice, most servers are monitored and send out mails when incidents occur. This is often requires a configured /usr/sbin/sendmail to send emails to notify the respnsible system admins by using the corporate SMTP server. A 'null client' is a client machine that runs a local mail server which forwards all emails to an outbound mail relay for delivery. A null client does not accept local delivery for any messages, it can only send them to the outbound mail relay. Users may run mail clients on the null client ot read and send emails. The following are true on a null client:

  • the sendmail command and programs that use it forward all emails to an existing outbound mail realy for delivery

  • The local Postfix service does not accept local delivery for any email messages

  • Users may run mail clients on the null client to read and send mails.

###Important and Configuration Files with directives.

  • /etc/postfix/main.cf

    • inet_interfaces= Controls which network interfaces Postfix listens on for incoming and outgoing messages. If set to 'loopback-only', Postfix listens only on 127.0.0.1 and ::1. If set to all, Postfix listens on all network interfaces. One or more host names and IP addresses, separated by white space, can be listed.

    • myorigin= Rewrite locally posted email to appear to come from this domain. This helps ensure responses return to the correct domain the mail server is responsible for.

    • relayhost= Forward all message to the mail server specified that are supposed to be sent to foreign mail addresses. Square brackets around the host name suppress the MX record lookup.

    • mydestination= Configure which domains the mail server is an end point for. Email addressed to these domains are delivered into local mailboxes.

    • local_transport= Determine how email addressed to $mydestination should be delivered. By default, set to local:$myhostname, which uses the local mail delivery agent to deliver incoming mail to the local message store in /var/spool/mail.

    • mynetworks= Allow relay through this mail server from a comma-separated list of IP addresses and networks in CIDR notation to anywhere, without further authentication.

*/var/log/maillog - Logs

###Commands View and change postfix directives with the postconf command

postconf [directive .. ..]
postconf -e '\<directive\> = \<value\>'

To show directives that have been changed from the default

postconf -n

Providing Remote Block Storage

###Introduction to iSCSI ####Terminology:

  • initiator: An iSCSI client, typically available as software but also implemented as iSCSI HBAs. Initiators must be given unique names (see IQN)

  • target: An iSCSI storage resource, configured for connection from an iSCSI server. Targets must be given unique names (see IQN). A target provides one or more numbered block devices called logical units (see LUN). An iSCSI server can provide many targets concurrently

  • ACL: An access controll list entry, an access restriction unsing the node IQN(commonly the iSCSI Initiator Name) to validate access permissions for an initiator.

  • discovery: Querying a target server to list configured targets. Target use requires an additional access steps

  • IQN: An iSCSI Qualified Name, a worldwide unique name used to identify both initiators and targets, in the mandated naming format:

iqn.YYYY-MM.com.reversed.domain[:optional_string]

  • login: Authenticating to a target or LUN to begin client block device use.

  • LUN: A Logical Unit Number, numbered block devices attached to and available through a target. One or more LUNs may be attached to a single target, although typically a target provides only one LUN.

  • node: any iSCSI initiator or iSCSI target, identified by it's IQN.

  • portal: An IP address and port on a target or initiator used to establish connections. Some iSCSI implementations use portal and node interchangeably

  • TPG: Target Portal Group, the set of interface IP addresses and TCP ports to which a specified iSCSI target will listen. Target configuration can be added to the TPG to coordinate settings for multiple LUNs

###iSCSI target configuration ####Target server configuration demo

yum -y install targetcli
  • Create backing storage(backstores)
block/ create block1 /dev/vdb2
  • Create an IQN for the target
create iqn.2014-06.com.example:remotedisk1
  • In the TPG, create an ACL for the client node to be used later.
cd iqn.2014-06.com.example:remotedisk1/tpg1
acls/ create iqn.2014-06.com.example:desktop0
  • In this TPG, create a LUN for each existing backstores
luns/ create /backstores/block/block1
  • Still inside the TPG, create a portal configuration to designate the listening IP address and ports.
portals/ create 172.25.0.11
  • Add a port exemption to the firewall for port 3260
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload
  • Enable the target.service systemd unit.
systemctl enable target

###Accessing iSCSI Storage Restart the iscsi service on the initiator

yum install iscsi-initiator-utils
systemdctl restart iscsi

Perform discovery with the following command:

iscsiadm -m discovery -t sendtargets -p <target-server>[:port]

To use the target, log in using the following command:

iscsiadm -m node -T iqn.2014-06.com.example:serverX [-p target_server[:port]] -l

Log out:

iscsiadm -m node -T <iqn-target-name> [-p target_server[:port]] -u

Delete a node record permantely:

iscsiadm -m node -T <iqn-target-name> [-p target-server[:port]] -o delete

Providing File-based Storage

###NFS Exports The /etc/exports file lists the directory to share to client hosts over the network and indicates which hosts or networks have access to the export. The following are valid nfs exports

/myshare	server0.example.com
/myshare	*.example.com
/myshare	server[0-20].example.com
/myshare	172.25.0.0/16
/myshare	2000:472:18:b51:c32:a21
/myshare	2000:472:18:b51::/64
/myshare	desktop0.example.com(ro,no_root_squash)

Don't forget to allow NFS traffic (port 111 and 2049, TPC and UDP) and reload the exports

exportfs -r
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload

###Protecting NFS Exports ####Security Methods NFS clients must connect to the exported share using one of the methods mandated for that share, specified as a mount option sec=method.

  • none: Anonymous access to the files, writes to the server will be allocated UID and GID of nfsnobody. This requires the SELinux Boolean nfsd_anon_write to be active.

  • sys: File access based on standard Linux file permissions for UID and GID values. If not specified, this is the default. The NFS server trusts any UID sent by the client.

  • krb5: Clients must prove identity using Kerberos and then standard Linux file permissions apply. UID/GID is determined based upon the Kerberos principal from the accessing user.

  • krb5i: Adds a cryptographically strong guarantee that the data in each request has not been tampered with UID/GID is determined based upon the Kerberos principal from the accessing user.

  • krb5p: Adds encryption to all requests between the client and the server, preventing data exposure on the network. This will have a performance impact, but provides the most security. UID/GID is dtermined based upon the Kerberos principal from the accessing user.

nfs-secure-server needs to be running in addition to nfs-server on the nfs server. On the client, nfs-secure needs to be running. NOTE: Kerberos options will require, at a minimum a /etc/krb5.keytab. Both the client and the server need this.

Example export with kerberos

/securedexport	*.example.com(sec=krb5p,rw)

####SELinux and labeled NFS By default, NFS mounts on the client side have the SELinux context nfs_t, independent of the SELinux context they have on the server that provides the export. This behavior can be changed on the client side by using the mount option 'context=selinux_context'

Switching to NFSv4.2 will cause the SELinux context of a share to be exported. In /etc/sysconfig/nfs:

RPCNFSDARGS="-V 4.2"

Then restart the server

On the client side, mount -o v4.2 must be specified as the mount option.

mount -o sec=krb5p,v4.2 serverX:/securedexport /mnt/securedexport

Or if you want to mount persistantly, in the /etc/fstab:

serverX:/securenfs /mnt/secureshare nfs defaults,v4.2,sec=krb5p 0 0

###Providing SMB File Shares Install Samba

yum install samba

####SeLinux context and booleans If the shared directory will only be accessed through Samba, then the directory and all it's subdirectories and files should be labeled samba_share_t. Also, configure it so that restorecon will set this type on the share and it's contents.

semange fcontext -a -t samba_share_t '/sharedpath(/.*)?'
restorecon -vvFR /sharedpath

####Configuring /etc/samba/smb.conf Under the [global] section,

  • workgroup: Used to specify the Windows workgroup for the server.
workgroup = WORKGROUP

  • security: controls how clients are authenticated by Samba. With security = user clients log in with a valid username and password

  • host allow: comma,space, or tab delimted list of hosts that are permited to access the Samba server. If it is not specified, all hosts can access Samba.

host allow = 172.25.0.0/24

#####File share sections

  • path: must be set to indicate which directory to share

  • writable: if all users should have write access

  • write list: A list of users with write access

  • valid users: A list of users allowed to access the share. If it's blank, all users can access the share.

For example:

[myshare]
	path = /sharedpath
	writable = no
	valid users = fred, @management

@ specifies a group

#####The [homes] section The home section defines a special file share, which is enabled by default. It makes local home directories available via SMB.

[homes]
	comment = Home Directories
	read only = No
	browseable = No

The "samba_enable_home_dirs" SELinux boolean must be on for this to work.

setsebool -P samba_enable_home_dirs=on

#####Validating /etc/samba/smb.conf

testparam

####Preparing Samba users The 'security = user' setting requires a Linux account with a Samba account that has a vlid NTLM passwords. To create a Samba-only system user, keep the Linux password locked, and set the login shell to /sbin/nologin.

For example, to create the locked Linux account for user fred:

useradd -s /sbin/nologin fred
yum install samba-client
smbpasswd -a fred

####Starting Samba

systemctl start smb nmb
systemctl enable smb nmb
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

####Mounting SMB file systems

mkdir /mnt/myshare
mount -o username=fred //serverX/myshare /mnt/myshare

####Performing a Multiuser SMB Mount cifscred is used to stash users credentials into a kernel managed keyring. This is how users are able to access a mount mounted by root. Root must mount the share with the multiuser option.

For example, for root:

mkdir /mnt/multiuser
mount -o multiuser,sec=ntlmssp,username=fred //serverX/myshare /mnt/multiuser
yum install cifs-utils

For frank:

cifscreds add serverX
<prompt for password>
echo "Frank was here" > /mnt/multiuser/frank2.txt

Configuring MariaDB Databases

Installation

yum groupinstall mariadb mariadb-client -y
mysql_secure_installation

###SQL Commands for getting around

USE mysql;
SHOW TABLES;
DESCRIBE <table>
INSERT INTO <table-name> (column1, column2, ..) VALUES ('value1', value2, ..)
DELETE FROM <table-name> WHERE id = 1
SELECT column1,column2 FROM <table-name>
SELECT * FROM <table-name>

###SQL Commands fro Users and Access Rights

CREATE USER mobius@localhost IDENTIFIED BY 'password';
GRANT SELECT,UPDATE,DELETE,INSERT on <table-name,table-name> to mobius@localhost;
GRANT ALL PRIVILEGES ON *.* to username@hostname

###Backups ####Logical Backups Dump it

mysqldump -u root -p password <table-name> > /backup/inventory.dump

Restore it

mysql -u root -p <table-name> < /backup/inventory.dump

####Physical Backups(Using LVM snapshots) Involves taking a snapshot of the LVM the data base information is on. Then, flush tables and lock them

FLUSH TABLES READ LOCK;

On a seperate terminal, snapshot the logical volume:

lvcreate -L20G -s -n mariadb-backup <logical-volume>

Unlock tables

UNLOCK TABLES;

The snapshot can not be mount at an arbitrary location

Providing Apache HTTD Web Service

###Basic Apache HTTPD configuration /etc/httpd/conf/httpd.conf

Important Blocks and Configs:

* <Directory [directory]>: sets configuration directives for the specified directory, and all decendent directories. 
	
	Common directives inside this block include:

	* AllowOverride None: .htaccess files will not be consulted for per-directory configuration settings. Setting this to any other setting will have a performance penalty. 

	* Require All Denied: httpd will refuse to servce content out of this directory

	* Require All Granted: Allow access to this directory

	* Options [[+|-]OPTIONS].. : Turn on (or off) certain options for a directory. For example, the Indexes option will show a directory listng if a directory is requested and no index.html file exists in that directory. 

* DocumentRoot <directory>: This setting dtermines where httpd will search for requested files. It is important that the directory specified here is both readable by httpd(both regular and SELinux)

* <Files [file]>: works just as a <Directory> block, but here options for individual files is used.

* ErrorLog <file>:

* IncludeOption [directory/*.conf] : Works the same as regular include, but if no files are found, no error is generated.

* CustomLog "log-path" combined - Define custom log location

Starting the service, enabling the firewall

systemctl enable httpd.service
systemctl start httpd.service
firewall-cmd --permanent --ad--service=http --add-service=https
firewall-cmd --reload

Using an alternate document root:

New document root must be readable by the apache user/group. The SELinux context may have to be changed. the /srv/*/www/ directories already have rules in place to relabel these files. If a new rules needs to be added:

semanage fcontext -a -t httpd_sys_content_t '/new/location(/.*)?'

Sometimes you want web devs to have write access to document root. To do this, use facls.

###Configuring and Troubleshooting Virtual Hosts Virtual hosts allow a single httpd server to servce content for multiple domains. Based on either the IP address of the server that was connected to, the hostname request by the client in the httpd request, or a combination of both.

Virtual hosts are configured using blocks inside the main configuration.

<VirtualHost 192.168.0.1:80>
	DocumentRoot /srv/site1/www

	ServerName site1.example.com

	ServerAdmin webmaster@site1.example.com

	ErrorLog "logs/site1_error_log"

	CustomLog "logs/site1_access_log" combined
</VirtualHost>

####Wildcards and Priority When a request comes in, httpd will first try to match aginst virtual hosts that have an explicit IP address set. If those matches failt, virtual hosts with a wildcard IP address are inspected. If there is still no match, the "main" server configuration is used.

If no exact match has been found for a ServerName or ServerAlias directive, and there are multiple virtual hosts defined for the IP/port combination the request came in on, the first virtual host that matches an IP/port is used, with first being seen as the order in which virtual hosts are defined in the config file.

When multiple *.conf files are used, they will be included in alphanumeric sorting order.

###Coniguring HTTPS Using genkey

genkey <FQDN>

This will generate a bunch of files:

  • /etc/pki/tls/private/.key - The private key. NEEDS TO HAVE PERMISSIONS OF 0600

  • /etc/pki/tls/certs/.0.csr - the file generated if you requested a signing reqeust.

  • /etc/pki/tls/certs/.crt - The public certificate

Configure a host with SSL

<VirtualHost *:443>
	ServerName demo.example.com
	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite HIGH:MEDIUM:!aNull:!MD5
	SSLHonorCipherOrder on
	SSLCertificateFile /etc/pki/tls/certs/demo.example.com.crt
	SSLCertificateKeyFile /etc/pki/tls/private/demo.example.com.key
	SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>

  • SSLEngine on - This is the directive that actually turns on TLS for this virtual host

  • SSLProtocol all -SSLv2 -SSLv3 : This directive specifies the list of protocols that htppd is willing to speack with clients.

  • SSLCipherSUITE HIGH:MEDIUM:!aNull:!MD5 - This directive lists what encryption ciphers httpd is willing to use when communicating with clients.

  • SSLCertificateFile - This directive instructs httpd where it can read the certificate for this virtual host

  • SSLCertificateKeyFile - This directive instructs httpd where it can read the private key for this virtual host.

  • SSLCertificateChainFile - a copy of all CS certificates used in the signing process concatentated together.

###Configuring HTTP Strict Transport Security Automatically redirect clients connecting over http to the same resource using https

RewriteEngine on
RewriteRule ^(/.*)$ https://%{HTTP_POST}$1 [redirect=301]

###Dynamic content To have httpd treat a location as CGI executables, the following syntax is used

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

Serving dynamic php content

  1. Install the mod_cgi package

  2. Ensure the SetHandler directive is in the main config

Serving dynamic python content

  1. Install the mod_wsgi package

  2. Add a WSGIScriptAlias line to a virtual host definition

WSGIScriptAlias /myapp/ /srv/myapp/www/myapp.py

NOTE:

When a network connection to another needs to be made from within the web application, and the target is not a well-known database port, the SELinux Boolean httpd_can_network_connect must be set to 1.

Writing Bash Scripts

So easy... Use these commands:

#Turn uppercase letters to lowercase
tr 'A-Z' 'a-z'
#Cut first field of a colon seperated list
cut -d: -f1
#Get first letter of any string
echo "someInput" | cut -c 1
#Count the number of matches in a file
grep -c ^someregex$ /some/file

Bash Conditionals and Control Structures

Special variables

#See arguments as one word
$*
#See arguments as seperate words
$@
#Number of argumnets
$#
#See the exit status of an executed command
$?

Conditonal Structures

#If statements
if <CONDITION>; then
	<STATEMENT>
		...
	<STATEMENT>
elif <CONDITION>; then
	<STATEMENT>
else
	<STATEMENT>
fi

#Case statements
case "$1" in
	start)
		start
		;;
	stop)
		rm -f $lockfile
		stop
		;;
	restart)
		restart
		;;
	reload)
		reload
		;;
	*)
		echo "Usage..."
		;;
esac

Configuring the Shell Environment

Concepts

Environment Variables

What makes variables environment variables is that they have been exported in the shell. The key to making a variable become an environment variable is flaggin it for export using the export command.

bash start-up scripts

Profiles are for setting and exporting of environment variables, as well as running commands that should only be run upon login. RCs, such as /etc/bashrc, are for running commands, setting aliases, defining functions, and other settings that cannot be exported to sub-shells.

Usually, profiles are only executed ina login shell, whereas RCs are executed every time a shell is created.

Using alias

alias is a way administrators or users can define their own command to the system or override the use of existing system commands.

Using functions

function_name() { body }

About

My Study Guide for RHCE7

Resources

Readme
Activity

Stars

1 star

Watchers

4 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published