18

Practice Exercises – 1

In this practice exercise, we will run a set of steps to check the knowledge you have acquired throughout this book. As opposed to previous chapters, not all steps will be indicated, and it’s therefore left to your discretion to perform the steps required to accomplish your desired goals. It is recommended to avoid referencing past chapters for guidance. Instead, try to use your memory or the tools available in the system. This exercise, if performed correctly, will train you effectively for official exams.

It is strongly advised to start this exercise with a clock to keep track of time.

Technical requirements

All the practice exercises in this chapter require the use of a virtual machine (VM), running Red Hat Enterprise Linux 9 (RHEL 9) installed with the base installation. Additionally, new virtual drives will be required for storage operations.

For the exercises, it is assumed you possess the following:

  • RHEL 9 installed with the base operating system using the Minimal Install software selection.
  • Access to the Red Hat Customer Portal, with an active subscription.
  • The VM must be expendable. This is because actions performed on it during the exercise might render it unusable and require it to be reinstalled.

Tips for the exercise

This is a list of general recommendations for any test, and most fall under the category of common sense, but it’s always important to have them in our mind before performing any such test:

  • Read all the questions before starting the official exam or any test.
  • Specific words have specific meanings that give hints about the requirements or ways to accomplish the goals. This is why reading everything first might give you multiple perspectives on how to complete the test.
  • Make yourself comfortable. Install your favorite editor and run updatedb so that locate has a fresh database of the files installed on the system. Define your keyboard layout. Install tmux and learn how to use it so that you can open new tabs and name them without requiring extra windows.
  • Locate dependencies between requests, as some goals depend on others for completion. Find those dependencies to see how you can locate the solution without later having to come back and redo some steps as a result of choosing the wrong path.
  • Use a timer. This is important to get an idea of which exercises will take you more time to complete, in order to see the areas that you need to improve in.
  • Don’t remember specific command lines. Learn how to use the documentation available in the system via man, /usr/share/docs, or arguments such as --help for the commands required.
  • Ensure that changes persist and are still active after a reboot. Some changes might be active while you run them, but those must be persisted. Examples may include firewall rules, services to start at boot, and so on.
  • Remember to use dnf whatprovides /path/COMMAND to find packages providing a file you might be missing.
  • Check the following link: https://www.redhat.com/en/services/training/ex200-red-hat-certified-system-administrator-rhcsa-exam?=Objectives. This will provide you with the official EX200 exam objectives.

Practice exercise 1

Important Note

The following exercise has, by design, been created so that there will be no highlights on commands, packages, and so on. Remember what you’ve learned so far in order to detect the keywords to see what needs to be done.

Don’t jump into the walk-through too early. Try to remember what was covered.

Exercises

  1. Configure the time zone to GMT.
  2. Allow passwordless login for the root user using SSH.
  3. Create a user (named user) that can connect to the machine without a password.
  4. The user user should change their password every week, with 2 days’ warning and 1 day of usage once expired.
  5. The root user must be able to SSH as user without a password so that nobody can connect remotely as root using a password.
  6. The user user should be able to become the root user without a password and also execute commands without a password.
  7. When a user tries to log in over SSH, display a legal message about not allowing unauthorized access to this system.
  8. SSH must listen on port 22222 instead of the default one (22).
  9. Create a group named devel.
  10. Make user a member of devel.
  11. Store user membership in a file named userids in the home folder for user.
  12. The user user and root user should be able to connect to localhost via SSH without specifying the port, and default to compression for the connection.
  13. Find all man page names in the system, and put the names into a file named manpages.txt.
  14. Print usernames for users without logins permitted to the system. For each username, print the user ID (UID) and groups for that user.
  15. Monitor available system resources every 5 minutes. Do not use cron. Store as /root/resources.log.
  16. Add a per-minute job to report the available percentage of free disk space, and store it in /root/freespace.log so that it shows both the filesystem and free space.
  17. Configure the system to only leave 3 days of logs.
  18. Configure the log rotation for /root/freespace.log and /root/resources.log.
  19. Configure the time synchronization against pool.ntp.org, using Fast Sync.
  20. Provide Network Time Protocol (NTP) server services for the 172.22.0.1/24 subnet.
  21. Configure system stats for collection every minute.
  22. Configure the password length for users in the system to be 12 characters long.
  23. Create a bot user named privacy that will keep its files only visible to itself by default.
  24. Create a folder named /shared that can be accessed by all users and that defaults new files and directories to still be accessible to users of the devel group.
  25. Configure a network connection with IPv4 and IPv6 addresses named mynic, using the following data:

    IPv6: 2001:db8:0:1::c000:207/64
    gateway 2001:db8:0:1::1
    IPv4: 192.0.1.3/24
    gateway 192.0.1.1

  26. Allow the host to use the hostname google to reach www.google.com, and the hostname redhat to reach www.redhat.com.
  27. Report the files modified from those that the vendor distributed, and store them in /root/altered.txt.
  28. Make our system installation media packages available via HTTP under the /mirror path for other systems to use as a mirror, configuring the repository in our system. Remove the kernel packages from that mirror so that other systems (even ours) can’t find new kernels. Prevent the glibc packages from being installed from this repository without removing them.
  29. As user, make a copy of the /root folder in the /home/user/root/ folder and keep it in sync every day, synchronizing additions and deletions.
  30. Check that our system conforms to the Payment Card Industry Data Security Standard (PCI-DSS) standard.
  31. Add a second hard drive of 30 GB to the system. However, use only 15 GB to move the mirror to it, making it available at boot using compression and deduplication. Make it available under /mirror/mirror.
  32. Create a second copy of the mirror under /mirror/mytailormirror, removing all packages starting with the letter k*.
  33. Create a new volume in the remaining space of the added hard drive (15 GB), and use it to extend the root filesystem.
  34. Create a boot entry that allows you to boot into emergency mode in order to change the root password.
  35. Create a custom tuning profile that defines the readahead to be 4096 for the first drive and 1024 for the second drive. This profile should also crash the system should an out-of-memory (OOM) event occur.
  36. Disable and remove the installed httpd package. Then, set up the httpd server using the registry.redhat.io/rhel9/httpd-24 image.

For this section, we’ll copy each item in the list of goals, and then provide an explanation below it, using proper syntax highlighting and explanations.

Exercise 1 solution

1. Configuring the time zone to GMT

We can check the current system date by executing the date command. At the very last part of the line that is subsequently printed, the time zone will be shown. In order to configure it, we can use the timedatectl command, or alter the /etc/localtime symbolic link.

So, to achieve this goal, we can use one of the following:

  • timedatectl set-timezone GMT
  • rm -fv /etc/localtime; ln -s /usr/share/zoneinfo/GMT /etc/localtime

Now, date should report the proper time zone.

2. Allowing passwordless login to the root user using SSH

Doing this will require the following:

  • The SSH server must be installed, enabled and started.
  • The root user should have an SSH key generated and added to the list of authorized keys.

First, let’s tackle this with SSH, as seen in the following code snippet:

dnf -y install openssh-server; systemctl enable sshd; systemctl start sshd

Now, let’s generate an SSH key by pressing Enter to accept all defaults, like so:

ssh-keygen

Now, let’s add the public half of the generated key (/root/.ssh/id_rsa.pub) to the authorized keys, like so:

cd; cd .ssh; cat id_rsa.pub >> authorized_keys; chmod 600 authorized_keys

To validate this, we can execute ssh localhost date, after which we will be able to get our current system’s date and time without providing a password.

3. Creating a user named user that can connect to the machine without a password

This requires creating a user and an SSH key that is added in a similar fashion to the root user. The next options will also be relevant to a user, but for the purposes of this demonstration, we will tackle them as separate tasks:

useradd user

su - user

Now, let’s generate an SSH key by pressing Enter to accept all defaults, like so:

ssh-keygen

Now, let’s add the public half of the generated key (this time /home/user/.ssh/id_rsa.pub) to the authorized keys, as follows:

cd; cd .ssh; cat id_rsa.pub >> authorized_keys; chmod 600 authorized_keys

To validate this, we can execute ssh localhost date, and we will be able to get the current system date and time without providing a password.

Then, use logout to return to our root user.

4. The user user should change their password every week, with 2 days’ warning and 1 day of usage once expired

This requires us to tune the user restrictions, as follows:

chage -W 2 user

chage -I 1 user

chage -M 7 user

5. The root user must be able to SSH as user without a password so that nobody can connect remotely as the root user using a password

This requires two steps. The first is to enable user with the root user’s authorized key, and then tune the sshd daemon, as follows:

cat /root/.ssh/id_rsa.pub >> ~user/.ssh/authorized_keys

Edit the /etc/ssh/sshd_config file and add or replace the PermitRootLogin line so that it looks like this:

PermitRootLogin prohibit-password

Save and then restart the sshd daemon, like so:

systemctl restart sshd

6. The user user should be able to become root and also execute commands without a password

This means configuring the /etc/sudoers file by adding the following line:

user ALL=(ALL) NOPASSWD:ALL

7. When a user tries to log in over SSH, display a legal message about not allowing unauthorized access to this system

Create a file—for example, /etc/ssh/banner—with the message to display: for example, "Get out of here".

Modify /etc/ssh/sshd_config and set the Banner /etc/ssh/banner line, then restart the sshd daemon with systemctl restart sshd.

8. SSH must listen on port 22222 instead of the default one

This is a tricky one. The first step is to alter /etc/ssh/sshd_config and define port 22222. Once this is done, restart sshd with the following command:

systemctl restart sshd

This, of course, will fail... why?

The firewall must be configured, like this:

firewall-cmd --add-port=22222/tcp --permanent

firewall-cmd --add-port=22222/tcp

SELinux must then be configured, like so:

semanage port -a -t ssh_port_t -p tcp 22222

Now, the sshd daemon can be restarted by running the following command:

systemctl restart sshd
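Goals 5, 7 and 8 all edit /etc/ssh/sshd_config, and there is a caveat worth checking: sshd uses the first occurrence of a keyword, and on RHEL 9 the file starts with Include /etc/ssh/sshd_config.d/*.conf, so a line appended at the end can lose to an earlier line or to a drop-in. The script below is an added example (not part of the book’s walk-through) that resolves the effective value the same way against a constructed sample configuration; on the real machine, sshd -T prints the effective configuration.

```shell
#!/bin/bash
# Added example, not the book's code: resolve sshd_config directives the way
# sshd does (first occurrence wins, keyword case-insensitive, "Key value" or
# "Key=value") and check the values required by goals 5, 7 and 8.

# Constructed sample: the intended lines were appended at the end, but an
# earlier PermitRootLogin line is still present and will win.
SAMPLE_CONFIG='# sshd_config (constructed sample)
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Port 22222
Banner /etc/ssh/banner
PermitRootLogin prohibit-password
'

# effective_value KEYWORD CONFIG_TEXT
# Prints the value sshd would use for KEYWORD, or nothing if it is unset.
effective_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)       # drop leading indentation
            split(line, parts, /[[:space:]=]+/)  # keyword, then value
            if (tolower(parts[1]) == tolower(key)) { print parts[2]; exit }
        }'
}

# check_sshd_goals CONFIG_TEXT
# Returns 0 when Port, PermitRootLogin and Banner have the required values,
# 1 otherwise, printing one line for every directive that is wrong.
check_sshd_goals() {
    local cfg="$1" rc=0
    local want_port=22222 want_root=prohibit-password want_banner=/etc/ssh/banner
    local port root banner
    port=$(effective_value Port "$cfg")
    root=$(effective_value PermitRootLogin "$cfg")
    banner=$(effective_value Banner "$cfg")
    [ "$port" = "$want_port" ]     || { echo "Port: got '${port:-unset}', want $want_port"; rc=1; }
    [ "$root" = "$want_root" ]     || { echo "PermitRootLogin: got '${root:-unset}', want $want_root"; rc=1; }
    [ "$banner" = "$want_banner" ] || { echo "Banner: got '${banner:-unset}', want $want_banner"; rc=1; }
    return $rc
}

# Stand-alone run on the constructed sample: the check fails, because the
# earlier "PermitRootLogin yes" wins over the appended "prohibit-password".
check_sshd_goals "$SAMPLE_CONFIG" || echo "sshd goals NOT satisfied: fix the earlier line"
```

On the real system, feed it the effective configuration instead of the file: check_sshd_goals "$(sshd -T)".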

9. Creating a group named devel

Use the following command:

groupadd devel

10. Making user a member of devel

Use the following command:

usermod -aG devel user

11. Storing user membership in a file called userids in the home folder for user

Use the following command:

id user > ~user/userids

12. The user user and root user should be able to connect to the localhost via SSH without specifying the port, and default to compression for the connection

We altered the default SSH port to be 22222.

Create a file named .ssh/config for both user and root, with the following contents:

Host localhost
    Port 22222
    Compression yes

13. Finding all man page names in the system, and putting the names into a file named manpages.txt

Man pages are stored in /usr/share/man. Therefore, use the following command:

find /usr/share/man/ -type f > manpages.txt

14. Printing usernames for users who are not permitted to log in to the system, and printing the UID and groups for each user

The following loop first builds a list of users in the system with the nologin shell, then prints the UID and the group memberships of each one:

for user in $(grep nologin /etc/passwd | cut -d ":" -f 1)
do
    echo "$user -- UID $(id -u "$user") -- $(grep -w "$user" /etc/group | cut -d ":" -f 1 | xargs)"
done

From that list, check the membership in the /etc/group file, leaving only the group name and using xargs to concatenate them into a string to be printed.

The previous example makes use of for loops and inline execution of commands, via $().

15. Monitoring available system resources every 5 minutes without using cron, and storing them as /root/resources.log

The ideal way to monitor something would be cron, but as we’re told not to use it, this only leaves us with systemd timers. (You can check the files tested via the following link: https://github.com/PacktPublishing/Red-Hat-Enterprise-Linux-RHEL-9-Administration/tree/main/chapter-18-exercise1.)

Create a /etc/systemd/system/monitorresources.service file with the following contents:

[Unit]
Description=Monitor system resources
[Service]
Type=oneshot
ExecStart=/root/myresources.sh

Create a /etc/systemd/system/monitorresources.timer file with the following contents:

[Unit]
Description=Monitor system resources
[Timer]
OnCalendar=*-*-* *:0,5,10,15,20,25,30,35,40,45,50,55:00
Persistent=true
[Install]
WantedBy=timers.target

Create a /root/myresources.sh file with the following contents:

#!/bin/bash
df > /root/resources.log

Enable the new timer, as follows:

systemctl daemon-reload

systemctl enable --now monitorresources.timer

Does it work? If not, journalctl -f will give some details. SELinux prevents a service from executing a script stored under /root (labelled admin_home_t), so let’s relabel it as a binary type and mark it as executable, as shown in the following snippet:

chcon -t bin_t /root/myresources.sh

chmod +x /root/myresources.sh

16. Adding a per-minute job to report the available percentage of free disk space and storing it in /root/freespace.log so that it shows the filesystem and free space

df reports used disk space and available space, so we need to do some math.

This will report the mounted location, size, used space, and available space, with ; as a separator. Refer to the following example:

df|awk '{print $6";"$2";"$3";"$4}'

bash allows us to do some math operations, but these lack fractional parts. Luckily, we can do a trick—we will be looping over it, as follows:

for each in $(df|awk '{print $6";"$2";"$3";"$4}'|grep -v "Mounted")
do
    FREE=$(echo $each|cut -d ";" -f 4)
    TOTAL=$(echo $each|cut -d ";" -f 2)
    echo "$each has $((FREE*100/TOTAL)) free"
done

The for loop will check all the available data, grab some specific fields, separate them with ;, and then run the loop for each line, stored in the $each variable.

We cut the output and then get the fourth field. This is the available space.

We cut the output and then we get the second field. This is the total number of blocks.

As bash can do integer divisions, we can multiply by 100 and then divide to get the percentage and add a string as part of the output.

Alternatively (but not as illustrative), we could have subtracted the Use% column that df already prints from 100 and saved some steps of the calculation.

We also need to store the output in a file. To do this, we can either wrap the whole loop in a redirection or add it in the echo line so that it appends to a file.

And we also need to do it via cron—we show the full solution next.

Create a /root/myfreespace.sh script with the following contents:

for each in $(df|awk '{print $6";"$2";"$3";"$4}'|grep -v "Mounted")
do
    FREE=$(echo $each|cut -d ";" -f 4)
    TOTAL=$(echo $each|cut -d ";" -f 2)
    echo "$each has $((FREE*100/TOTAL)) free"
done

Then, use chmod 755 /root/myfreespace.sh to make it executable.

Run crontab -e to edit root’s crontab, and add the following line:

*/1 * * * * /root/myfreespace.sh >> /root/freespace.log
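The same per-line calculation, as an added example that is not the book’s myfreespace.sh, with two details a practitioner would want: it reads df -P output (POSIX format, one line per filesystem, so a long device name such as /dev/mapper/rhel-root cannot wrap onto a second line and shift the awk fields), and it skips filesystems that report a total of 0, which would make $((FREE*100/TOTAL)) abort the whole script. The df output below is constructed sample input.

```shell
#!/bin/bash
# Added example, not the book's script: free-space percentage per filesystem
# from "df -P" output, with a guard for zero-sized filesystems.

# Constructed sample of "df -P" output (1K blocks), used as input here.
SAMPLE_DF='Filesystem                 1024-blocks    Used Available Capacity Mounted on
/dev/mapper/rhel-root         17811456 2233884  15577572      13% /
/dev/sda1                      1038336  262144    776192      26% /boot
tmpfs                           920000       0    920000       0% /tmp
none                                 0       0         0        0% /proc/sys/fs/binfmt_misc'

# free_percent_report DF_OUTPUT
# Prints "mount;total;used;available;free%" per filesystem, skipping the
# header; a filesystem whose total is 0 gets "n/a" instead of a crash.
free_percent_report() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # skip the df header line
        NF >= 6 {
            total = $2 + 0; avail = $4 + 0; mount = $6
            pct = (total > 0) ? int(avail * 100 / total) : "n/a"
            printf "%s;%s;%s;%s;%s\n", mount, total, $3, avail, pct
        }'
}

# free_percent_for MOUNT DF_OUTPUT
# Prints only the free percentage of one mount point.
free_percent_for() {
    free_percent_report "$2" | awk -F';' -v m="$1" '$1 == m { print $5; exit }'
}

# Stand-alone run on the constructed sample.
free_percent_report "$SAMPLE_DF"
# On the real system, from root's crontab:
#   * * * * * /root/myfreespace.sh >> /root/freespace.log
# where the script calls: free_percent_report "$(df -P)"
```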

17. Configuring the system to only leave 3 days of logs

This can be done by editing /etc/logrotate.conf, with the following settings:

daily
rotate 3

Remove other occurrences of weekly, monthly, and so on, to leave only the one we want.

18. Configuring the log rotation for /root/freespace.log and /root/resources.log

Create a /etc/logrotate.d/rotateroot file, with the following contents:

/root/freespace.log {
    missingok
    notifempty
    sharedscripts
    copytruncate
}
/root/resources.log {
    missingok
    notifempty
    sharedscripts
    copytruncate
}

19. Configuring the time synchronization against pool.ntp.org with fast sync

Edit /etc/chrony.conf and add the following line:

pool pool.ntp.org iburst

Then, run the following command:

systemctl restart chronyd

20. Providing NTP server services for the 172.22.0.1/24 subnet

Edit /etc/chrony.conf by adding the following line:

allow 172.22.0.1/24

Then, run the following command:

systemctl restart chronyd

21. Configuring system stats for collection every minute

Run the following command:

dnf -y install sysstat

We now need to modify /usr/lib/systemd/system/sysstat-collect.timer. Let’s do this by creating an override, as follows:

cp /usr/lib/systemd/system/sysstat-collect.timer /etc/systemd/system/

Edit /etc/systemd/system/sysstat-collect.timer by replacing the OnCalendar value so that it looks like this:

OnCalendar=*:00/1

Then, reload the units and make sure the sysstat service (which pulls in the collection timer) is enabled, with the following commands:

systemctl daemon-reload

systemctl enable --now sysstat

22. Configuring the password length for users in the system to be 12 characters long

Edit /etc/security/pwquality.conf with the following line:

minlen = 12

23. Creating a bot user named privacy that keeps its files only visible to itself by default

To do this, run the following:

adduser privacy

su - privacy

echo "umask 0077" >> .bashrc

This resolution uses umask to remove permissions from others on all newly created files.

24. Creating a folder named /shared that can be accessed by all users and defaults new files and directories to still be accessible to users of the devel group

To do this, run the following:

mkdir /shared

chown root:devel /shared

chmod 777 /shared

chmod g+s /shared

25. Configuring a network connection with IPv4 and IPv6 addressing named mynic, using the following data: IPv6 2001:db8:0:1::c000:207/64, gateway 2001:db8:0:1::1; IPv4 192.0.1.3/24, gateway 192.0.1.1

See the following snippet for how to accomplish this (replace eth0 with the interface name reported by nmcli device):

nmcli con add con-name mynic type ethernet ifname eth0 ipv6.addresses 2001:db8:0:1::c000:207/64 ipv6.gateway 2001:db8:0:1::1 ipv4.addresses 192.0.1.3/24 ipv4.gateway 192.0.1.1

26. Allowing the host to use the hostname google to reach www.google.com, and the hostname redhat to reach www.redhat.com

Run and record the IPs obtained, as shown here:

ping www.google.com

ping www.redhat.com

Note down the IPs obtained previously.

Edit /etc/hosts by adding the following:

IPFORGOOGLE google
IPFORREDHAT redhat

Then, save and exit.

27. Reporting the files modified from those that the vendor distributed, and storing them in /root/altered.txt

See the following snippet for how to accomplish this:

rpm -Va > /root/altered.txt

28. Making our system installation media packages available via HTTP under the /mirror path for other systems to use as a mirror, and configuring the repository in our system. Removing the kernel packages from that mirror so that other systems (even ours) can’t find new kernels. Preventing the glibc packages from being installed from this repository without removing them

This is a complex one, so let’s examine it step by step.

Install httpd and enable it using the following code:

dnf -y install httpd

firewall-cmd --add-service=http --permanent

firewall-cmd --add-service=http

systemctl start httpd

systemctl enable httpd

Create a folder under /mirror, then copy the source media packages and make them available over http, like so:

mkdir /mirror /var/www/html/mirror

mount /dev/cdrom /mnt

rsync -avr --progress /mnt/ /mirror/

mount -o bind /mirror /var/www/html/mirror

chcon  -R -t httpd_sys_content_t /var/www/html/mirror/

Remove the kernel packages, as follows:

find /mirror -name "kernel*" -exec rm '{}' \;

Create repository file metadata by using the following commands:

dnf -y install createrepo

cd /mirror

createrepo .

Create a repository file using the repository we created, and set it up on the system, ignoring the glibc* packages from it.

Edit /etc/yum.repos.d/mymirror.repo by adding the following contents:

[mymirror]
name=My RHEL9 Mirror
baseurl=http://localhost/mirror/
enabled=1
gpgcheck=0
exclude=glibc*

29. As user, make a copy of the /root folder in the /home/user/root/ folder and keep it in sync every day, synchronizing additions and deletions

See the following snippet for how to accomplish this:

su - user

crontab -e

Edit crontab and add the following line:

@daily rsync -avr --progress --delete root@localhost:/root/ /home/user/root/

30. Checking whether our system conforms to the PCI-DSS standard

See the following snippet for how to accomplish this:

dnf -y install openscap scap-security-guide openscap-utils

oscap xccdf eval --report pci-dss-report.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

31. Adding a second hard drive of 30 GB to the system, but using only 15 GB to move the mirror to it, making it available at boot using compression and deduplication, and available under /mirror/mirror

Compression and deduplication in this sentence mean Virtual Data Optimizer (VDO). We need to move the mirror we currently have onto the new volume, so that the old mirror ends up living there instead.

If we still have the installation media, we could copy it over again and repeat the kernel removal; here we will transfer the existing mirror instead. To do so, let’s first create a VDO volume in a partition in our new hard drive (sdb), like so:

fdisk /dev/sdb

n <enter>        # new partition

p <enter>        # primary

1 <enter>        # partition number 1

<enter>          # first sector (default: start of the disk)

+15G <enter>     # last sector: 15 GB from the start

w <enter>        # write the partition table; fdisk exits after writing

This will create a partition of 15 GB from the start. Let’s create a VDO volume on it, by using the following command:

dnf -y install vdo kmod-kvdo

pvcreate /dev/sdb1

vgcreate myvdo /dev/sdb1

# Use all the space in the 15 GB volume group; asking for exactly 15G fails because LVM metadata takes a few MB of it
lvcreate --type vdo --name vdo -l 100%FREE myvdo

mkfs.xfs /dev/myvdo/vdo

# Unmount the installation media if it was still mounted
umount /mnt

# Mount the VDO volume under /mnt and copy the files over
mount /dev/myvdo/vdo /mnt

rsync -avr --progress /mirror/ /mnt/mirror/

# Drop the bind mount from goal 28 and delete the original mirror once the copy has finished
umount /var/www/html/mirror

rm -Rfv /mirror

umount /mnt

mkdir /mirror

mount /dev/myvdo/vdo /mirror

# Make the mount persistent, so the volume is available at boot as the goal requires
echo "/dev/myvdo/vdo /mirror xfs defaults 0 0" >> /etc/fstab

At this point, the old mirror was copied into a mirror folder on the VDO volume. This is mounted under /mirror, hence it has the original mirror under /mirror/mirror as requested. We might need to perform the following actions:

  • Bind the /mirror mount to /var/www/html/mirror/ to make the file available.
  • Restore SELinux context to allow the httpd daemon to access files in /var/www/html/mirror/.

Adjust the repository file we created to point to the new path.

32. Creating a second copy of the mirror under /mirror/mytailormirror and removing all packages starting with k*

See the following snippet for how to accomplish this:

rsync -avr --progress /mirror/mirror/ /mirror/mytailormirror/

find /mirror/mytailormirror/ -name "k*" -type f -exec rm '{}' \;

cd /mirror/mytailormirror/

createrepo .

33. Creating a new volume in the remaining space (15 GB) of the hard drive and using it to extend the root filesystem

See the following snippet for how to accomplish this:

fdisk /dev/sdb

n <enter>        # new partition

p <enter>        # primary

<enter>          # partition number (default: 2)

<enter>          # first sector (default: right after sdb1)

<enter>          # last sector (default: end of the disk, the remaining 15 GB)

w <enter>        # write the partition table; fdisk exits after writing

pvcreate /dev/sdb2

# Run vgscan to find the name of the volume group holding the root filesystem (avoid myvdo, which is the VDO volume group from above)

vgextend $MYROOTVG /dev/sdb2

# Run lvscan to find the LV storing the root filesystem, and pvscan to see the free space just added.
# -r (--resizefs) grows the filesystem together with the logical volume; +100%FREE takes all of the new space

lvresize -r -l +100%FREE /dev/rhel/root

34. Creating a boot entry that allows us to boot into emergency mode in order to change the root password

See the following snippet for how to accomplish this:

# This adds the argument to the entry of the running kernel; the next boot will land in emergency mode

grubby --args="systemd.unit=emergency.target" --update-kernel=/boot/vmlinuz-$(uname -r)

35. Creating a custom tuning profile that defines the readahead to be 4096 for the first drive and 1024 for the second drive – this profile should also crash the system should an OOM event occur

Refer to the following command:

dnf -y install tuned

mkdir -p /etc/tuned/myprofile

Edit the /etc/tuned/myprofile/tuned.conf file by adding the following contents:

[main]
summary=My custom tuned profile
[sysctl]
vm.panic_on_oom=1
[main_disk]
type=disk
devices=sda
readahead=>4096
[data_disk]
type=disk
devices=!sda
readahead=>1024

36. Disabling and removing the installed httpd package, and setting up the httpd server using the registry.redhat.io/rhel9/httpd-24 image

See the following snippet for how to accomplish this:

dnf remove -y httpd

dnf -y install podman

podman login registry.redhat.io   # provide Red Hat Customer Portal credentials

podman pull registry.redhat.io/rhel9/httpd-24

mkdir -p /var/www   # only if it doesn't exist

podman run -d --name httpd -p 80:8080 -v /var/www:/var/www:Z registry.redhat.io/rhel9/httpd-24
