导图社区 RH358答案
这是一篇关于RH358答案的思维导图
编辑于2022-03-06 22:26:32
RH358
1. 配置IPV6地址
servera
nmcli con show
nmcli con show Wired\ connection\ 1 | grep ipv6
nmcli con mod Wired\ connection\ 1 ipv6.method manual ipv6.addresses fddb:fe2a:ab1e::c0a8:64/64
nmcli con mod Wired\ connection\ 1 ipv6.addresses fddb:fe2a:ab1e::c0a8:64/64
nmcli con up Wired\ connection\ 1
验证
ping fddb:fe2a:ab1e::c0a8:65
ping fddb:fe2a:ab1e::c0a8:fe
serverb
nmcli con show
nmcli con show Wired\ connection\ 1 | grep ipv6
nmcli con mod Wired\ connection\ 1 ipv6.method manual ipv6.addresses fddb:fe2a:ab1e::c0a8:65/64
nmcli con mod Wired\ connection\ 1 ipv6.addresses fddb:fe2a:ab1e::c0a8:65/64
nmcli con up Wired\ connection\ 1
验证
ping fddb:fe2a:ab1e::c0a8:64
ping fddb:fe2a:ab1e::c0a8:fe
2. 配置DHCP服务器
servera
yum install dhcp-server -y
rpm -ql dhcp-server | grep exam
cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
vim /etc/dhcp/dhcpd.conf
authoritative;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.200 192.168.0.254;
  option domain-name-servers 172.25.254.254;
  option domain-name "example.net";
  option routers 192.168.0.1;
  option broadcast-address 192.168.0.255;
  default-lease-time 800;
  max-lease-time 7200;
}
host serverb {
  hardware ethernet 52:54:00:01:fa:0b;
  fixed-address 192.168.0.11;
}
cat /etc/sysconfig/dhcpd
# $ cp /usr/lib/systemd/system/dhcpd.service /etc/systemd/system/
# $ vi /etc/systemd/system/dhcpd.service
# $ ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid <your_interface_name(s)>
# $ systemctl --system daemon-reload
# $ systemctl restart dhcpd.service
cp /usr/lib/systemd/system/dhcpd.service /etc/systemd/system/
vi /etc/systemd/system/dhcpd.service
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid eth1
systemctl --system daemon-reload
systemctl restart dhcpd.service
验证
netstat -anpl | grep dhcp
systemctl status dhcpd
tail -f /var/log/messages
tcpdump -i eth1 port 67
firewall-cmd --add-service=dhcp --permanent
firewall-cmd --add-service=dhcp
验证
firewall-cmd --list-all
cat /etc/firewalld/zones/public.xml
serverb
nmcli con add con-name dhcp ifname eth1 type ethernet
nmcli con up dhcp
验证
nmcli dev show eth1
route -n
3. 配置防火墙
servera
man -k rich
man firewalld.richlanguage
firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.25.250.0/24" service name="ssh" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.24.250.0/24" service name="ssh" reject' --permanent
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --reload
验证
cat /etc/firewalld/zones/public.xml
firewall-cmd --list-all
serverb
man -k rich
man firewalld.richlanguage
firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.25.250.0/24" service name="ssh" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.24.250.0/24" service name="ssh" reject' --permanent
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --reload
验证
cat /etc/firewalld/zones/public.xml
firewall-cmd --list-all
4. 完成主DNS配置
servera
yum install bind -y
vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; };
    /* authoritative-only: with allow-query { any; }, recursion must stay off or the server answers as an open resolver */
    recursion no;
    dnssec-enable yes;
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.lab.example.com.zones";
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
recursion no;
include "/etc/named.lab.example.com.zones";
cp -a /etc/named.rfc1912.zones /etc/named.lab.example.com.zones
vim /etc/named.lab.example.com.zones
zone "lab.example.com" IN {
    type master;
    file "named.lab.example.com.zones";
    allow-update { none; };
};
zone "250.25.172.in-addr.arpa" IN {
    type master;
    file "named.172.25.250.zones";
    allow-update { none; };
};
cp -a /var/named/named.localhost /var/named/named.lab.example.com.zones
cp -a /var/named/named.lab.example.com.zones /var/named/named.172.25.250.zones
vim /var/named/named.lab.example.com.zones
$TTL 1D
@       IN SOA  servera.lab.example.com. root.lab.example.com. (
                                        20220222        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   servera.lab.example.com.
servera IN A    172.25.250.10
serverb IN A    172.25.250.11
vim /var/named/named.172.25.250.zones
$TTL 1D
@       IN SOA  servera.lab.example.com. root.lab.example.com. (
                                        20220222        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   servera.lab.example.com.
10      IN PTR  servera.lab.example.com.
11      IN PTR  serverb.lab.example.com.
firewall-cmd --add-service=dns --permanent
firewall-cmd --add-service=dns
systemctl enable named --now
验证
systemctl status named
netstat -anpl | grep named
tcpdump -i eth0 port 53
serverb
验证
dig @172.25.250.10 servera.lab.example.com
dig @172.25.250.10 serverb.lab.example.com
dig @172.25.250.10 -x 172.25.250.10
dig @172.25.250.10 -x 172.25.250.11
5. 通过SMB共享目录
servera
yum list | grep samba
yum install samba samba-client -y
useradd -s /sbin/nologin rob
useradd -s /sbin/nologin brian
echo 'redhat' | passwd --stdin rob
echo 'redhat' | passwd --stdin brian
验证
id rob; id brian
uid=1003(rob) gid=1003(rob) groups=1003(rob)
uid=1004(brian) gid=1004(brian) groups=1004(brian)
mkdir /common
chgrp brian /common/
chmod 2775 /common/
grep share_ /etc/samba/smb.conf.example
method_1(临时:chcon 设置的标签不写入策略,执行 restorecon 或文件系统重新打标后会丢失)
chcon -Rt samba_share_t /common
method_2
man semanage fcontext | grep \#
semanage fcontext -a -t samba_share_t "/common(/.*)?"
restorecon -R -v /common
验证
ls -lhdZ /common/
[root@servera ~]# ls -lhdZ /common/drwxrwsr-x. 3 root brian unconfined_u:object_r:samba_share_t:s0 28 Feb 27 16:57 /common/
semanage fcontext -l | grep common
vim /etc/samba/smb.conf
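[global]
        workgroup = STAFF
        security = user
        smb encrypt = required
        # "client min protocol" applies when this host acts as an SMB client; the server-side floor is "server min protocol"
        client min protocol = SMB3
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
[common]
        path = /common
        write list = @brian
        browseable = Yes
        # the itemised settings below give "hosts allow = 172.25.250." instead; confirm which form the task requires
        hosts allow = lab.example.com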
[global]
workgroup = STAFF
modify
client min protocol = SMB3
man smb.conf | grep 'min protocol'
smb encrypt = required
man smb.conf | grep 'smb encry'
append
[common]
path = /common
write list = @brian
browseable = Yes
hosts allow = 172.25.250.
man smb.conf | grep 'hosts all'
append
firewall-cmd --add-service=samba --permanent
firewall-cmd --add-service=samba
验证
firewall-cmd --list-all | grep service
(echo 'redhat'; echo 'redhat') | smbpasswd -a rob
(echo 'redhat'; echo 'redhat') | smbpasswd -a brian
验证
pdbedit -L
systemctl enable --now smb nmb
验证
smbclient -L \\servera -U rob%redhat
[root@servera ~]# smbclient -L \\servera -U rob%redhat Sharename Type Comment --------- ---- ------- common Disk print$ Disk Printer Drivers IPC$ IPC IPC Service (Samba 4.10.4) rob Disk Home DirectoriesSMB1 disabled -- no workgroup available
netstat -tnpl | grep smb
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 27315/smbd tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 27315/smbd tcp6 0 0 :::139 :::* LISTEN 27315/smbd tcp6 0 0 :::445 :::* LISTEN 27315/smbd [root@servera ~]# netstat -tnpl | grep smb
6. Samba 多用户
serverb
useradd -u 1003 rob; useradd -u 1004 brian
echo 'redhat' | passwd --stdin rob
echo 'redhat' | passwd --stdin brian
yum list | grep cifs-ut
yum install samba-client cifs-utils
smbclient -L \\servera -U rob%redhat
mkdir /mnt/private
man mount.cifs | grep =filename -A6
credentials=filename
username=value password=value domain=value
man mount.cifs | grep SMBv3
seal
man mount.cifs | grep multiuser
multiuser
vim /etc/samba/passwd
username=rob
password=redhat
domain=STAFF
注:该文件含明文密码,保存后应限制为仅 root 可读,例如 chmod 600 /etc/samba/passwd
vim /etc/fstab
//servera/common /mnt/private cifs multiuser,seal,credentials=/etc/samba/passwd 0 0
验证
mount -a
df -hT
tail /var/log/messages
su - rob
cifscreds add servera
cd /mnt/private
touch aaa
su - brian
cifscreds add servera
cd /mnt/private
touch aaa
rm aaa
7. 配置NFS服务
servera
yum list | grep nfs
yum install nfs-utils
mkdir -p /public /protected/project
chown student /protected/project
man -k nfs | grep table
man exports | tail -30
vim /etc/exports
/public *.lab.example.com(ro)
/protected *.lab.example.com(rw)
systemctl enable --now nfs-server.service
firewall-cmd --add-service=mountd
firewall-cmd --add-service=nfs
firewall-cmd --runtime-to-permanent
验证
firewall-cmd --list-all
showmount -e servera
tcpdump -i eth0 port 20048
8. 挂载NFS共享
serverb
showmount -e servera
mkdir -p /mnt/nfsmount /mnt/nfssecure
vim /etc/fstab
servera:/public /mnt/nfsmount nfs ro 0 0
servera:/protected /mnt/nfssecure nfs rw 0 0
mount -a
验证
df -Th
tcpdump -i eth0 port 2049
9. 配置iSCSI服务端
servera
yum install -y targetcli
lsblk
pvcreate /dev/vdb
vgcreate iscsi_store /dev/vdb
lvcreate -L 3G -n iscsi_store iscsi_store
验证
vgs
lsblk
targetcli
ls
cd /backstores/block
create iscsi_store /dev/mapper/iscsi_store-iscsi_store
ls
cd /iscsi
create wwn=iqn.2014-11.com.example:servera
ls
cd iqn.2014-11.com.example:servera/tpg1/acls
create iqn.2014-11.com.example:serverb
ls
cd ../luns
create /backstores/block/iscsi_store
ls
cd ../portals/
delete 0.0.0.0 3260
create 172.25.250.10 3260
cd /
saveconfig
验证
grep scsi /etc/services
firewall-cmd --add-service=iscsi-target
firewall-cmd --runtime-to-permanent
systemctl enable --now target.service
概要
netstat -anpl | grep 3260
systemctl status target.service
tcpdump -i eth0 port 3260
10. 配置iSCSI的客户端
serverb
yum list | grep iscsi-
yum install iscsi-initiator-utils
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-11.com.example:serverb
rpm -ql iscsi-initiator-utils | grep bin
man iscsiadm | grep EXAM -A 20
iscsiadm --mode discoverydb --type sendtargets --portal 172.25.250.10 --discover
iscsiadm --mode node --targetname iqn.2014-11.com.example:servera --portal 172.25.250.10:3260 --login
lsblk
netstat -anpl | grep 3260
fdisk /dev/sda
n
p
1
+2100M
w
lsblk
mkfs.ext4 /dev/sda1
mkdir /mnt/data
blkid
vim /etc/fstab
UUID="b751bc3e-c918-4080-8360-b402681dfcf3" /mnt/data ext4 defaults,_netdev 0 0
mount -a
验证
df -hT
11. 搭建MariaDB
servera
yum install mariadb-server
rpm -qc mariadb-server | grep ser
/etc/my.cnf.d/mariadb-server.cnf
[mysqld]
skip-networking=1
systemctl enable mariadb --now
firewall-cmd --add-service=mysql --permanent
注:已设置 skip-networking=1,mariadb 不监听 TCP 端口,此放行规则并无必要;--permanent 规则也需 firewall-cmd --reload 后才生效
mysql_secure_installation
set password 'redhat' to root
mysql -u root -predhat
show databases;
create database contacts ;
show databases;
wget http://materials.example.com/classroom/database-working/inventory.dump
help create user
CREATE USER 'mary'@'localhost' IDENTIFIED BY 'mary_password';
help grant
GRANT SELECT ON contacts.* TO 'mary'@'localhost';
[root@servera ~]# mysql -u root -predhat contacts < inventory.dump
12. 数据查询填空1
servera
mysql -u mary -pmary_password
MariaDB [(none)]> show databases;
MariaDB [(none)]> use contacts;
MariaDB [contacts]> show tables;
select * from category ;
select * from manufacturer ;
select * from product ;
select
MariaDB [contacts]> select p.name, m.name from product p left join manufacturer m on m.id = p.id_manufacturer where p.name = 'RT-AC68U';
13. 数据查询填空2
servera
mysql -u mary -pmary_password
MariaDB [(none)]> show databases;
MariaDB [(none)]> use contacts;
MariaDB [contacts]> show tables;
select * from category ;
select * from manufacturer ;
select * from product ;
select
MariaDB [contacts]> select p.name, p.stock from product p where id_manufacturer = 4 and id_category = 2 ;
MariaDB [contacts]> select sum(p.stock) from product p where id_manufacturer = 4 and id_category = 2 ;
14. 实现一个web服务器
servera
yum list | grep _ssl
yum install httpd mod_ssl -y
firewall-cmd --add-service=http
firewall-cmd --runtime-to-permanent
cd /var/www/html
wget http://materials.example.com/laoma/www0.html -O index.html
rpm -qd httpd |grep vhost
cp -a /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/www0.conf
vim /etc/httpd/conf.d/www0.conf
grep deni /etc/httpd/conf/httpd.conf -C 3
chown apache:apache index.html
systemctl enable --now httpd
验证
curl http://www0.lab.example.com
serverb
curl http://www0.lab.example.com
foundation0
curl http://www0.lab.example.com
15. 配置安全web服务
servera
cd /etc/httpd/conf.d
cp ssl.conf www0-ssl.conf
vim www0-ssl.conf
wget http://materials.example.com/laoma/www0.lab.example.com.crt -P /etc/pki/tls/certs/
wget http://materials.example.com/laoma/www0.lab.example.com.key -P /etc/pki/tls/private/
注:私钥下载后应收紧权限,例如 chmod 600 /etc/pki/tls/private/www0.lab.example.com.key
wget http://materials.example.com/laoma/example-ca.crt -P /etc/pki/tls/certs/
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
systemctl restart httpd
serverb
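curl https://www0.lab.example.com -k
注:-k 跳过证书校验,只能确认 HTTPS 可达;要验证证书链,可取得 example-ca.crt 后使用 curl --cacert example-ca.crt https://www0.lab.example.com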
16. 配置虚拟主机
servera
id floyd
mkdir /var/www/virtual
chown floyd:apache /var/www/virtual
chmod 2775 /var/www/virtual
cd /etc/httpd/conf.d
wget http://materials.example.com/laoma/webapp0.html -O /var/www/virtual/index.html
chown apache:apache /var/www/virtual/index.html
cd /etc/httpd/conf.d/
cp www0.conf webapp0.conf
grep 'Require all' /etc/httpd/conf.d/welcome.conf
vim webapp0.conf
systemctl restart httpd
serverb
curl http://webapp0.lab.example.com
17. 配置web内容的访问
servera
mkdir /var/www/html/private
wget http://materials.example.com/laoma/permission.html -O /var/www/html/private/index.html
chown apache:apache /var/www/html/private/index.html
vim /etc/httpd/conf.d/www0.conf
cp -a /var/www/html/private /var/www/virtual
vim /etc/httpd/conf.d/webapp0.conf
systemctl restart httpd
curl http://webapp0.lab.example.com
serverb
curl http://webapp0.lab.example.com
测试
18. 通过 ansible 布署 Nginx
[student@workstation ~]$
mkdir playbooks
cp /etc/ansible/ansible.cfg playbooks/
vim .vimrc
set ai nu sw=2 ts=2 et cursorcolumn
cd playbooks
vim ansible.cfg
vim hosts
验证
ansible-inventory --graph
ansible all -m ping
wget http://materials.example.com/laoma/nginx.conf.j2
vim nginx.yml
ansible-playbook nginx.yml
验证
curl http://serverc/
curl http://serverd/
19. 通过 ansible 配置 firewall
[student@workstation ~]$
vim firewall.yml
ansible-playbook firewall.yml
验证
ansible all -a 'firewall-cmd --list-all'
20. 通过 ansible 配置空邮件客户端
[student@workstation ~]$
rpm -ql rhel-system-roles | grep post | grep .md
grep yaml -A 8 /usr/share/ansible/roles/rhel-system-roles.postfix/README.md
vim nullclients.yml
ansible-playbook nullclients.yml
[root@serverd ~]#
yum install postfix
rpm -ql postfix | grep -i stand
/usr/share/doc/postfix/README_FILES/STANDARD_CONFIGURATION_README
less /usr/share/doc/postfix/README_FILES/STANDARD_CONFIGURATION_README
[student@serverc ~]$
mail -s 'rh358 null client' student
mutt -f imaps://imap.lab.example.com
21. 通过 ansible 布署打印机
[student@workstation ~]$
man lpadmin | grep lpadmin
lpadmin -p myprinter -E -v ipp://myprinter.local/ipp/print -m everywhere
vim printer-create.yml
ansible-playbook printer-create.yml
[student@servera ~]$
lpstat -v
lpstat -d