RHCE

查看主机名

（system1，system2）

hostname
system1.group8.example.com

配置 SSH 访问

允许域1访问，禁止域2访问
（system1，system2）

systemctl enable firewalld
systemctl start firewalld
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.13.8.0/24 service name=ssh reject'
firewall-cmd --reload

// 验证
firewall-cmd --list-all

自定义用户环境

（system1，system2）

vim /etc/bashrc
# vim:ts=4:sw=4
alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'

// 验证 which qstat

配置端口转发

（system1）

firewall-config

[图片上传失败...(image-9dbf58-1576021740357)]
[图片上传失败...(image-2af2cd-1576021740358)]

图片

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="172.24.8.0/24" forward-port port="5423" protocol="tcp" to-port="80"

firewall-cmd --reload

// 验证：firewall-cmd --list-all

配置链路聚合（图形界面）

（system1，system2）

nm-connection-editor

Add→Team
[图片上传失败...(image-ec40ed-1576021740358)]
[图片上传失败...(image-e67172-1576021740358)]
Add→Ethernet

图片

图片

// 验证
systemctl restart network
ping 172.16.3.40

图片

配置 IPV6 地址（图形界面）

（system1，system2）

image

// 重启网络
systemctl restart network

// 验证：ping6 2003:ac18::305

[图片上传失败...(image-ec88d6-1576021740359)]

配置本地邮件服务

（system1，system2）

cp -a main.cf main.cf.source

vim /etc/postfix/main.cf

inet_interfaces = loopback-only
local_transport=error:local
relayhost = mail.group8.example.com
myorigin = server.group8.example.com

postconf -e inet_interfaces=loopback-only
postconf -e mydestination=
postconf -e local_transport=error:err
postconf -e relayhost=[mail.group8.example.com]
postconf -e myorigin=server.group8.example.com

systemctl restart postfix
systemctl enable postfix

// 验证
echo "hello" | mail -s testmail dave
curl http://server.group8.example.com/pub/received_mail/8

通过SMB共享目录

（system1）

yum install samba samba-client -y
mkdir /common
vim /etc/samba/smb.conf

命令模式按大写 G 到文末，按小写 o 在新行输入

workgroup = STAFF
[common]
path = /common
hosts allow = 172.24.8.
browseable = yes

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

chcon -R -t samba_share_t /common
// -R, --recursive：递归处理所有的文件及子目录
// -t, --type=类型：设置指定类型的目标安全环境
// 创建 samba 用户
smbpasswd -a andy
systemctl restart smb nmb
systemctl enable smb nmb

在 system 2 上验证

yum install samba-client -y
smbclient -L //172.24.1.5 -U andy

配置多用户SMB挂载

（system 1）

mkdir /devops/
chmod o+w /devops/
chcon -R -t samba_share_t /devops/

smbpasswd -a silene
smbpasswd -a akira

vim /etc/samba/smb.conf

[devops]
path = /devops
hosts allow = 172.24.8.
browseable = yes
writable = no
write list = akira

systemctl restart smb nmb
systemctl enable smb nmb

（system 2）

smbclient -L //172.24.8.11 -U silene
yum install cifs* -y
mkdir /mnt/dev
chmod o+w /mnt/dev
vim /etc/fstab
172.24.8.11/devops /mnt/dev cifs defaults,multiuser,username=silene,password=redhat,sec=ntlmssp 0 0

mount -a

// 验证
df -h

配置NFS服务

（system1）

mkdir /public
mkdir -p /protected/confidential
chcon -R -t public_content_t /public
chcon -R -t public_content_t /protected
chown deepak /protected/confidential

vim /etc/exports
/public *.group8.example.com(ro)
/public 172.24.8.0/24(ro)
/protected *.group8.example.com(rw,sec=krb5p)
/protected 172.24.8.0/24(rw,sec=krb5p)

wget -O /etc/krb5.keytab http://server.group8.example.com/pub/keytabs/system1.keytab

vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"

systemctl start nfs-server nfs-secure-server
systemctl enable nfs-server nfs-secure-server

firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mounted
firewall-cmd --reload

exportfs -r

挂载NFS共享

（System2）

mkdir /mnt/nfsmount
mkdir /mnt/nfssecure

wget -O /etc/krb5.keytab http://server.group8.example.com/pub/keytabs/system2.keytab

vim /etc/fstab
172.24.1.5:/public /mnt/nfsmount nfs defaults 0 0
system1:/public /mnt/nfsmount nfs defaults 0 0
172.24.1.5:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0
system1:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0

systemctl start nfs-secure
systemctl enable nfs-secure

mount -a
df -h

实现一个 web 服务器

yum install httpd -y
wget -O /var/www/html/index.html http://server.group8.example.com/pub/system1.html

vim /etc/httpd/conf.d/httpd-vhosts.conf

<VirtualHost *:80>
  ServerName system1.group8.example.com
  DocumentRoot "/var/www/html"  
  <Directory "/var/www/html">    
    <RequireAll>      
      Require all granted
      Require not host .my133t.org
      // Require not ip 172.17.10.0/24
    </RequireAll>  
  </Directory>
</VirtualHost>

systemctl start httpd
systemctl enable httpd

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

// 验证
（system2）
curl system1.group8.example.com
Site:system1.group8.example.com

配置安全 web 服务

yum install mod_ssl -y

cd /var/www/html
wget http://server.group8.example.com/pub/tls/certs/system1.crt
wget http://server.group8.example.com/pub/tls/private/system1.key
wget http://server.group8.example.com/pub/tls/certs/ssl-ca.crt

vim /etc/httpd/conf.d/httpd-vhosts.conf

<VirtualHost *:443>
  DocumentRoot "/var/www/html"
  Servername system1.group8.example.com

  // SSLEngine on
  // SSLProtocol all -SSLv2
  SSLCertificateFile /var/www/html/system1.crt
  SSLCertificateKeyFile /var/www/html/system1.key
  SSLCACertificateFile /var/www/html/ssl-ca.crt
</VirtualHost>

firewall-cmd --permanent --add-service=https
firewall-cmd --reload

systemctl restart httpd

// 验证
（system2）
curl ‐k https://system1.group8.example.com
Site:system1.group8.example.com

测试通过浏览器打开[<u><u>https://server0.example.com</u></u>](https://server0.example.com)（开始会提示错误，添加证书后能正常打开）

配置虚拟主机

（system1）

mkdir /var/www/virtual
setfacl -m u:andy:rwx /var/www/virtual
wget -O /var/www/virtual/index.html http://server.group8.example.com/pub/www8.html

vim /etc/httpd/conf.d/httpd-vhosts.conf

<VirtualHost *:80>   
  ServerName www8.group8.example.com
  DocumentRoot "/var/www/virtual"   
  // <Directory "/var/www/virtual">      
    // Require all granted   
  // </Directory>
</VirtualHost>

systemctl restart httpd

// 验证
（system2）
curl http://www8.group8.example.com
Site:www8.group8.example.com

配置 web 内容的访问

（system1）

mkdir /var/www/html/private
wget -O /var/www/html/private/index.html http://server.group8.example.com/pub/private.html

vim /etc/httpd/conf.d/httpd-vhosts.conf

<VirtualHost *:80>
  DocumentRoot "/var/www/html"
  Servername system1.group8.example.com

  <Directory "/var/www/html">
    <RequireAll>
      Require all granted
      Require not host .my133t.org
    </RequireAll>
  </Directory>

  <Directory "/var/www/html/private">
    Require all denied
    Require local
  </Directory>
</VirtualHost>

<VirtualHost *:80>
  DocumentRoot /var/www/virtual
  ServerName www8.group8.example.com

  <Directory /var/www/virtual/private>
    Require all denied
    Require local
  </Directory>
</VirtualHost>

systemctl restart httpd

在 system1 上测试
[root@system1 ~]# curl http://system1.group8.example.com/private/
This a private file,only for local access!
在 system2 上测试
[root@system2 ~]# curl http://system1.group8.example.com/private/
<!DOCTYPE HTML PUBLIC "‐//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /private/
on this server.</p>
</body></html>

实现动态 web 内容

（system1）

yum install mod_wsgi -y

wget -O /var/www/html/webinfo.wsgi http://server.group8.example.com/pub/webinfo.wsgi

vim /etc/httpd/conf.d/httpd-vhosts.conf

Listen 8909
<VirtualHost *:8909>
  DocumentRoot "/var/www/html" 
  ServerName wsgi.group8.example.com
  WSGIScriptAlias / /var/www/html/webinfo.wsgi
</VirtualHost>

// semanage port -a -t http_port_t -p tcp 8909
firewall-cmd --permanent --add-port=8909/tcp
firewall-cmd --reload

systemctl restart httpd

// 验证
curl http://wsgi.group8.example.com:8909
This Dynamic WSGI Page Was Generated at:
Sun Feb 12 21:23:01 2017

创建一个脚本

（system1）

vim /root/foo.sh

#!/bin/bash
case $1 in
redhat)
echo "fedora"
;;
fedora)
echo "redhat"
;;
*)
echo "/root/foo.sh redhat|fedora"
;;
esac

chmod 755 /root/foo.sh
linux终端先输入ls -al,可以看到如:
-rwx-r--r-- (一共10个参数)
第一个跟参数跟chmod无关,先不管.
2-4参数:属于user
5-7参数:属于group
8-10参数:属于others
接下来就简单了:r==>可读 w==>可写 x==>可执行
r=4 w=2 x=1
所以755代表 rwxr-xr-x
chmod a+x /root/foo.sh

// 验证
/root/foo.sh redhat

创建一个添加用户的脚本

（system1）

vim /root/batchusers

#!/bin/bash
if [ $# -eq 0 ];then
echo "Usage: /root/barchusers userfile"
exit 1
fi
if [ ! -f $1 ];then
echo "Input file not found"
exit 1
fi
while read line
do
useradd -s /bin/false $line
done < $1

chmod 755 /root/batchusers
wget -O /root/userlist http://server.group8.example.com/pub/userlist

// 验证：/root/batchusers /root/userlist

配置 ISCSI 服务端

（system1）

yum insatll target*
systemctl enable target
systemctl start target
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --reload

fdisk /dev/sda 考试时是 /dev/vda

[root@system1 Desktop]# systemctl enable target
ln -s '/usr/lib/systemd/system/target.service' '/etc/systemd/system/multi-user.target.wants/target.service'
[root@system1 Desktop]# systemctl enable target
[root@system1 Desktop]# systemctl start target
[root@system1 Desktop]# firewall-cmd --permanent --add-port=3260/tcp
success
[root@system1 Desktop]# firewall-cmd --reload
success
[root@system1 Desktop]# df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/sda1      xfs       9.8G  3.2G  6.7G  33% /
devtmpfs       devtmpfs  667M     0  667M   0% /dev
tmpfs          tmpfs     675M  140K  675M   1% /dev/shm
tmpfs          tmpfs     675M  8.8M  667M   2% /run
tmpfs          tmpfs     675M     0  675M   0% /sys/fs/cgroup
[root@system1 Desktop]# fdisk /dev/sda 
Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): n
Partition type:
   p   primary (2 primary, 0 extended, 2 free)
   e   extended
Select (default p): p
Partition number (3,4, default 3): 
First sector (26626048-41943039, default 26626048): 
Using default value 26626048
Last sector, +sectors or +size{K,M,G} (26626048-41943039, default 41943039): +3G
Partition 3 of type Linux and of size 3 GiB is set

Command (m for help): t
Partition number (1-3, default 3): 3
Hex code (type L to list all codes): 8e
Changed type of partition 'Linux' to 'Linux LVM'

Command (m for help): p

Disk /dev/sda: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000d9a10

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048    20482047    10240000   83  Linux
/dev/sda2        20482048    26626047     3072000   82  Linux swap / Solaris
/dev/sda3        26626048    32917503     3145728   8e  Linux LVM

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
[root@system1 Desktop]# partprobe
[root@system1 Desktop]# pvcreate /dev/sda3
  Physical volume "/dev/sda3" successfully created
[root@system1 Desktop]# vgcreate iscsi_vg /dev/sda3
  Volume group "iscsi_vg" successfully created
[root@system1 Desktop]# lvcreate -n iscsi_store -l 100%VG iscsi_vg
  Logical volume "iscsi_store" created
[root@system1 Desktop]# target cli
bash: target: command not found...
[root@system1 Desktop]# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb41
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> ls
o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- block .............................................. [Storage Objects: 0]
  | o- fileio ............................................. [Storage Objects: 0]
  | o- pscsi .............................................. [Storage Objects: 0]
  | o- ramdisk ............................................ [Storage Objects: 0]
  o- iscsi ........................................................ [Targets: 0]
  o- loopback ..................................................... [Targets: 0]
/> backstores/block create name=iscsi_store dev=/dev/iscsi_vg/iscsi_store 
Created block storage object iscsi_store using /dev/iscsi_vg/iscsi_store.
/> cd iscsi
/iscsi> create iqn.2014-08.com.example.group8:system1
Created target iqn.2014-08.com.example.group8:system1.
Created TPG 1.
Global pref auto_add_default_portal=true
Created default portal listening on all IPs (0.0.0.0), port 3260.
/iscsi> cd iqn.2014-08.com.example.group8:system1/
/iscsi/iqn.20...roup8:system1> ls
o- iqn.2014-08.com.example.group8:system1 ............................ [TPGs: 1]
  o- tpg1 ............................................... [no-gen-acls, no-auth]
    o- acls .......................................................... [ACLs: 0]
    o- luns .......................................................... [LUNs: 0]
    o- portals .................................................... [Portals: 1]
      o- 0.0.0.0:3260 ..................................................... [OK]
/iscsi/iqn.20...roup8:system1> cd tpg1/
/iscsi/iqn.20...:system1/tpg1> ls
o- tpg1 ................................................. [no-gen-acls, no-auth]
  o- acls ............................................................ [ACLs: 0]
  o- luns ............................................................ [LUNs: 0]
  o- portals ...................................................... [Portals: 1]
    o- 0.0.0.0:3260 ....................................................... [OK]
/iscsi/iqn.20...:system1/tpg1> luns/ create /backstores/block/iscsi_store 
Created LUN 0.
/iscsi/iqn.20...:system1/tpg1> acls/ create iqn.2014-08.com.example.group8:system2
Created Node ACL for iqn.2014-08.com.example.group8:system2
Created mapped LUN 0.
/iscsi/iqn.20...:system1/tpg1> portals/ create 172.24.8.11 3260
Using default IP port 3260
Could not create NetworkPortal in configFS
/iscsi/iqn.20...:system1/tpg1> set attribute authentication=0
Parameter authentication is now '0'.
/iscsi/iqn.20...:system1/tpg1> set attribute generate_node_acls=0
Parameter generate_node_acls is now '0'.
/iscsi/iqn.20...:system1/tpg1> cd /
/> saveconfig 
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json
/> exit 
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json

配置 ISCSI 的客户端

（system2）

vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014‐08.com.example.group8:system2

[rhce]
name=rhce
baseurl=http://server.group8.example.com/yum
enable=1
gpgcheck=0

配置一个数据库

（system1）

yum install -y mariadb*
systemctl enable mariadb.service 
systemctl start mariadb.service 
mysql_secure_installation
Enter current password for root (enter for none): 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@system1 Desktop]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database Contacts;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> exit
Bye
[root@system1 Desktop]# wget -O /root/users.mdb http://server.group8.example.com/pub/users.mdb
--2019-12-11 07:09:41--  http://server.group8.example.com/pub/users.mdb
Resolving server.group8.example.com (server.group8.example.com)... 172.24.8.254
Connecting to server.group8.example.com (server.group8.example.com)|172.24.8.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4577 (4.5K)
Saving to: ‘/root/users.mdb’

100%[======================================>] 4,577       --.-K/s   in 0s      

2019-12-11 07:09:41 (302 MB/s) - ‘/root/users.mdb’ saved [4577/4577]

[root@system1 Desktop]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use Contacts;
Database changed
MariaDB [Contacts]> source /root/users.mdb;
MariaDB [Contacts]> show tables;
+--------------------+
| Tables_in_Contacts |
+--------------------+
| u_loc              |
| u_name             |
| u_passwd           |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [Contacts]> desc u_loc;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| uid      | int(11)     | NO   | PRI | NULL    | auto_increment |
| location | varchar(50) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
2 rows in set (0.00 sec)

MariaDB [Contacts]> grant select on Contacts.* to Mary@localhost identified by 'redhat';
Query OK, 0 rows affected (0.00 sec)

MariaDB [Contacts]> quit

数据库查询

（system1）

MariaDB [(none)]> use Contacts;
MariaDB [Contacts]> select u_name.firstname from u_name, u_passwd where u_name.userid = u_passwd.uid and u_passwd.password = 'fadora';
+-----------+
| firstname |
+-----------+
| John      |
+-----------+
1 row in set (0.00 sec)

MariaDB [Contacts]> select count(*) from u_name, u_loc where u_name.userid = u_loc.uid and u_loc.location = 'Santa Clara' and u_name.firstname = 'John';
+----------+
| count(*) |
+----------+
|        4 |
+----------+
1 row in set (0.00 sec)