RHCE 7版本认证考试练习

写在前面的话：考试练习不等于真实考试考题，里面的数据可能也与您考试练习的数据不一样，请认真仔细。祝愿RHCE取得好成绩！！

[TOC]

模拟考前配置

准备前

首先我们要将三台虚拟机开启
classroom是172.25.0.254

desktop是172.25.0.10

server是172.25.0.11

前提是三个主机能互相ping通

然后我们在本地上远程到classroom

[kiosk@foundation0 ~]$ ssh root@172.25.0.254
Last login: Sat Jul  6 09:08:15 2019 from 172.25.0.250
[root@classroom ~]#

等待远程过去之后

[root@classroom ~]# tail /etc/httpd/logs/error_log

将那段字母复制(NSS开头，off结尾的那段，具体我也不是带清楚)

[root@classroom ~]# vim /etc/httpd/conf.d/nss.conf

将你复制的那段粘贴到最底部，然后保存并退出

[root@classroom ~]# cd /var/www/html/pub/
[root@classroom pub]# echo "zheshi yige 在 server 上配置一个 web 站点" > example.html
[root@classroom pub]# echo "zheshi yige 在 server 上扩展您的 WEB 服务器" > www.html
[root@classroom pub]# echo "zheshi yige web 访问控制“ > private.html
[root@classroom pub]# vim webapp.wsgi
[root@classroom pub]# cat webapp.wsgi 
def application(environ, start_response):
    status = '200 OK'
    output = 'Hello World!'

    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)

    return [output]

[root@classroom pub]# vim user
[root@classroom pub]# cat user
user1
user2
user3
user4
user5

[root@foundation0 ~]# vim /etc/hosts
[root@foundation0 ~]# tail -n 1 /etc/hosts
172.25.0.11 server.example.com alt.example.com www.example.com
[root@foundation0 ~]# ssh root@172.25.0.10
Last login: Sat Jul  6 09:08:15 2019 from 172.25.0.10
[root@desktop0 ~]# vim /etc/hosts
[root@desktop0 ~]# tail -n 1 /etc/hosts
172.25.0.11 server.example.com alt.example.com www.example.com
[root@foundation0 ~]# ssh root@172.25.0.11
[root@server0 ~]# vim /etc/hosts
[root@desktop0 ~]# tail -n 1 /etc/hosts
172.25.0.11 server.example.com alt.example.com www.example.com

更改网卡在本地切换到root用户（此题需要做后面的链路聚合）

[kiosk@foundation0 ~]$ su -
Password: 
[root@foundation0 ~]#

密码是：Asimov

[root@foundation0 ~]# virt-manager

按照这种方式，在server 和 desktop两台虚拟机里面添加两块网卡，保证有三快网卡

[root@foundation0 ~]# reboot

然后直接将整个大虚拟机重启

数据库文件因过繁多内容，此处数据库文件请找我进行拷贝。

打开火狐浏览器输入：http://classroom.example.com/

以上是模拟考试前需要做的，真实考试不需要配置以上步骤

下面就开始模拟考题

开始考题

请注意：由于本机环境原因上述模拟考前配置是正式考试前不需要做的，考者切记正式考试是不用做前面的东西

现在正式开始你的考试:

配置信息

您在考试中将使用到两个系统的信息如下：

desktop0.example.com : 作为服务器

server0.example.com : 作为客户端

两个系统的root密码为redhat

系统的IP地址有DHCP提供，您可以视为正常，或者您可以按照一下信息重新设置未静态IP：

server0.example.com ： 172.24.8.11/24

desktop0.example.com ： 172.24.8.10/24

两个系统均为DNS域example.com的成员。除非特别知名，所有要求配置的网络服务都必须能被该域的系统访问。

classroom.example.com提供了集中认证的服务器为example.com。两个系统desktop0和server0都已经预先配置成此域的客户端。

classroom.example.com 提供了YUM软件仓库，URL是 http://classroom.example.com/content/rhel7.0/x86_64/dvd/ .

防火墙是默认打开的，在您认为适当的时候可以关闭。其他防火墙的设置可能在单独的要求中。

my133.org(172.13.0.0/24)作为不可信网络。

》 》 》 》 》》》》》》》》》》》》》》》》》》》》》》》》

参考答案

1.配置 YUM

配置yum源考试时候是不作为考题的，需要考者自己去阅读配置文档，里面有说明

• 分别在 server 和 desktop 上配置 YUM,指向:

server0

[root@server0 ~]# vim /etc/yum.repos.d/rhce.repo
[root@server0 ~]# cat /etc/yum.repos.d/rhce.repo
[rhce]
name=http://classroom.example.com/content/rhel7.0/x86_64/dvd/
baseurl=http://classroom.example.com/content/rhel7.0/x86_64/dvd/
enabled=1
gpgcheck=0
[root@server0 ~]#

desktop0

[root@desktop0 ~]# vim /etc/yum.repos.d/rhce.repo
[root@desktop0 ~]# cat /etc/yum.repos.d/rhce.repo
[rhce]
name=http://classroom.example.com/content/rhel7.0/x86_64/dvd/
baseurl=http://classroom.example.com/content/rhel7.0/x86_64/dvd/
enabled=1
gpgcheck=0

这一题是在真实考试中不做考题，您需要自己配置，yum源就在文中的信息当中，包括后面的各个域名的所归属的网段。您需要去阅读配置信息，这里配置信息在本博客开头部分。

2.配置 SELinux

• SElinux 有三种模式,请将 server 与 desktop 运行于强制模式

server0

[root@server0 ~]# vim /etc/selinux/config
[root@server0 ~]# cat /etc/selinux/config | grep SELINUX=en
SELINUX=enforcing
[root@server0 ~]# reboot

desktop0

[root@desktop0 ~]# vim /etc/selinux/config
[root@desktop0 ~]# cat /etc/selinux/config | grep SELINUX=en
SELINUX=enforcing
[root@desktop0 ~]# reboot

其实可以不用reboot重启虚拟机，两边改完配置文件之后

我们可以这样

> [root@desktop0 ~]# setenforce 1
> [root@desktop0 ~]# getenforce
> Enforcing
>

配置文件也改为enforcing

同样我们也临时获取到Enforcing权限

接下来可不要忘记了另外一台虚拟机了哦

> [root@server0 ~]# setenforce 1
> [root@server0 ~]# getenforce
> Enforcing
>

3.配置 SSH

• 用户能够从域 example.com 内的客户端通过 SSH 访问您的两个虚拟机系统
• 在域 my133t.org 内的客户端不能访问您的两个虚拟机系统

server0

[root@server0 ~]# systemctl stop iptables ebtables
[root@server0 ~]# systemctl disable iptables ebtables
[root@server0 ~]# systemctl mask iptables ebtables
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
ln -s '/dev/null' '/etc/systemd/system/ebtables.service'
[root@server0 ~]# systemctl restart firewalld
[root@server0 ~]# systemctl enable firewalld
[root@server0 ~]# firewall-cmd --remove-service=ssh --permanent 
success
[root@server0 ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=ssh accept' --permanent 
success
[root@server0 ~]# firewall-cmd --reload 
success

desktop0

[root@desktop0 ~]# systemctl stop iptables ebtables
[root@desktop0 ~]# systemctl disable iptables ebtables
[root@desktop0 ~]# systemctl mask iptables ebtables
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
ln -s '/dev/null' '/etc/systemd/system/ebtables.service'
[root@desktop0 ~]# systemctl restart firewalld
[root@desktop0 ~]# systemctl enable firewalld
[root@desktop0 ~]# firewall-cmd --remove-service=ssh --permanent 
success
[root@desktop0 ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=ssh accept' --permanent 
success
[root@desktop0 ~]# firewall-cmd --reload 
success

做完这些操作之后，我们可以列出来查看一下，看看是否与我们想的一致

> [root@server0 ~]# firewall-cmd --list-all
> public (default, active)
>   interfaces: eth0
>   sources: 
>   services: dhcpv6-client
>   ports: 
>   masquerade: no
>   forward-ports: 
>   icmp-blocks: 
>   rich rules: 
> 	rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
>

从此处我们可以看出ssh这个服务没有了，从而添加上了允许172.25.0.0/24这个网段的主机去访问，与我们所想的一致，接下来看看另外一个

> [root@desktop0 ~]# firewall-cmd --list-all
> public (default, active)
>   interfaces: eth0
>   sources: 
>   services: dhcpv6-client
>   ports: 
>   masquerade: no
>   forward-ports: 
>   icmp-blocks: 
>   rich rules: 
> 	rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
>

4.命令别名及IP 转发

1）在系统 server 和 desktop 上创建自定义命令为 tk,此自定义命令将执行/bin/ps aux,此命令对系统中所有用户有效

server0

[root@desktop0 ~]# vim /etc/bashrc
[root@desktop0 ~]# tail -n 1 /etc/bashrc 
alias tk='/bin/ps aux'
[root@desktop0 ~]# bash
[root@desktop0 ~]# which tk
alias tk='/bin/ps aux'
	/bin/ps

desktop0

[root@server0 ~]# vim /etc/bashrc 
[root@server0 ~]# tail -n 1 /etc/bashrc
alias tk='/bin/ps aux'
[root@server0 ~]# bash
[root@server0 ~]# which tk
alias tk='/bin/ps aux'
	/bin/ps

此题过于简单，这里就不过多解释

2）开启 IP 转发功能

server0

[root@server0 ~]# cat /etc/sysctl.conf 
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an 
.........................................
[root@server0 ~]# vim /usr/lib/sysctl.d/00-system.conf
[root@server0 ~]# cat /usr/lib/sysctl.d/00-system.conf 
........................................
net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward = 1 #在此处添加

........................................
[root@server0 ~]# sysctl -p /usr/lib/sysctl.d/00-system.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward = 1      #有这个表示成功
kernel.shmmax = 4294967295
kernel.shmall = 268435456

同样在desktop 这台虚拟机上也要做，此处不做过多演示

[root@desktop0 ~]# cat /etc/sysctl.conf 
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
[root@desktop0 ~]# vim /usr/lib/sysctl.d/00-system.conf
[root@desktop0 ~]# sysctl -p /usr/lib/sysctl.d/00-system.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward = 1
kernel.shmmax = 4294967295
kernel.shmall = 268435456
[root@desktop0 ~]#

5.端口转发

• 在 server 上配置端口转发,在 172.25.0.0/24 中的系统,访问 server 的本地端口 9527 将被转发到 80,此设置永久生效

server0

[root@server0 ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 forward-port port=9527 protocol=tcp to-port=80' --permanent 
success
[root@server0 ~]# firewall-cmd --reload 
success

可以用firewall-cmd --list-all命令来查看是否添加上去

> [root@server0 ~]# firewall-cmd --list-all
> public (default, active)
>   interfaces: eth0
>   sources: 
>   services: dhcpv6-client
>   ports: 
>   masquerade: no
>   forward-ports: 
>   icmp-blocks: 
>   rich rules: 
> 	rule family="ipv4" source address="172.25.0.0/24" forward-port port="9527" protocol="tcp" to-port="80"
> 	rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
>

切记：此题需要之在server0上面操作，而且考试中题目需要你在那操作就在那操作，切勿心急盲目

6.聚合网络

在 server 和 desktop 之间配置链路聚合

此链路使用接口 slave1 和 slave2

此链路在一个接口失效后,仍然能工作

此链路在 server 上使用地址 192.168.0.1/24

此链路在 desktop 上使用地址 192.168.0.2/24

此链路在系统重启后依然保持正常状态

server0

[root@server0 ~]# nmcli device 
DEVICE  TYPE      STATE         CONNECTION  
eth0    ethernet  connected     System eth0 
eth1    ethernet  disconnected  --          
eth2    ethernet  disconnected  --          
lo      loopback  unmanaged     --          
[root@server0 ~]# nmcli connection add type team con-name team0 ifname team0 config '{"runner":{"name":"activebackup"}}'
Connection 'team0' (f816c00c-0488-455e-8d17-d66004112ef7) successfully added.
[root@server0 ~]# nmcli connection modify team0 ipv4.addresses "192.168.0.1/24" ipv4.method manual connection.autoconnect yes
[root@server0 ~]# nmcli connection add type team-slave con-name slave1 ifname eth1 master team0 
Connection 'slave1' (5276955f-cbd6-4ec3-82dc-daf6b0073998) successfully added.
[root@server0 ~]# nmcli connection add type team-slave con-name slave2 ifname eth2 master team0 
Connection 'slave2' (26009b44-7428-4cb4-a2b6-41d5aa5f3cac) successfully added.
[root@server0 ~]# nmcli connection up team0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@server0 ~]# systemctl restart network

desktop

[root@desktop0 ~]# nmcli device 
DEVICE  TYPE      STATE         CONNECTION  
eth0    ethernet  connected     System eth0 
eth1    ethernet  disconnected  --          
eth2    ethernet  disconnected  --          
lo      loopback  unmanaged     --          
[root@desktop0 ~]# nmcli connection add type team con-name team0 ifname team0 config '{"runner":{"name":"activebackup"}}'
[root@desktop0 ~]# nmcli connection modify team0 ipv4.addresses "192.168.0.2/24" ipv4.method manual connection.autoconnect yes
[root@desktop0 ~]# nmcli connection add type team-slave con-name slave1 ifname eth1 master team0 
Connection 'slave1' (5c6c05b2-63b9-4aca-b991-ab570f4e23bd) successfully added.
[root@desktop0 ~]# nmcli connection add type team-slave con-name slave2 ifname eth2 master team0  
Connection 'slave2' (546bc410-6a94-4fff-9bef-398e54b2feff) successfully added.
[root@desktop0 ~]# nmcli connection up team0 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@desktop0 ~]# systemctl restart network

最后我们验证以下

> [root@desktop0 ~]# ping 192.168.0.1
> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=1.17 ms
> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.301 ms
>

然后我们断掉一个接口

> [root@desktop0 ~]# nmcli connection down slave1
> [root@desktop0 ~]# ping 192.168.0.1
> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.582 ms
> ^C
> --- 192.168.0.1 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.582/0.582/0.582/0.000 ms
>

我们down掉其中一个接口，还能ping通

7.IPv6 设置

在您的考试系统上配置接口,在你的默认网卡上使用如下 IPv6 地址

server 上的 IP 地址应该是 fd00:ba5e:ba11:10::1/64

desktop 上的 IP 地址应该是 fd00:ba5e:ba11:10::2/64

两个系统必须能与网络 fd00:ba5e:ba11:10::cc 内的系统通信

地址必须在重启后依然生效

两个系统保持当前的 IPv4 地址并能通信

server0

[root@server0 ~]# nmcli connection show 
NAME         UUID                                  TYPE            DEVICE 
slave1       5276955f-cbd6-4ec3-82dc-daf6b0073998  802-3-ethernet  eth1   
team0        f816c00c-0488-455e-8d17-d66004112ef7  team            team0  
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  802-3-ethernet  eth0   
slave2       26009b44-7428-4cb4-a2b6-41d5aa5f3cac  802-3-ethernet  eth2   
[root@server0 ~]# nmcli connection modify "System eth0" ipv6.addresses fd00:ba5e:ba11:10::1/64 ipv6.method manual connection.autoconnect yes
[root@server0 ~]# systemctl restart network

desktop

[root@desktop0 ~]# nmcli connection show 
NAME         UUID                                  TYPE            DEVICE 
slave1       5c6c05b2-63b9-4aca-b991-ab570f4e23bd  802-3-ethernet  eth1   
team0        8ccca14c-7275-4996-9d06-9bfd33cf7b3e  team            team0  
System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  802-3-ethernet  eth0   
slave2       546bc410-6a94-4fff-9bef-398e54b2feff  802-3-ethernet  eth2   
[root@desktop0 ~]# nmcli connection modify "System eth0" ipv6.addresses "fd00:ba5e:ba11:10::2/64" ipv6.method manual connection.autoconnect yes
[root@desktop0 ~]# systemctl restart network

验证

> [root@desktop0 ~]# ping6 fd00:ba5e:ba11:10::1
> PING fd00:ba5e:ba11:10::1(fd00:ba5e:ba11:10::1) 56 data bytes
> 64 bytes from fd00:ba5e:ba11:10::1: icmp_seq=1 ttl=64 time=4.55 ms
> 64 bytes from fd00:ba5e:ba11:10::1: icmp_seq=2 ttl=64 time=0.413 ms
> ^C
> --- fd00:ba5e:ba11:10::1 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1003ms
> rtt min/avg/max/mdev = 0.413/2.485/4.558/2.073 ms
>

有好多考者都在思考这么一个问题，

两个系统必须能与网络 fd00:ba5e:ba11:10::cc 内的系统通信

请问：你电脑能平通自己的网段吗，考题说的是能与这个网络里面得系统

8.邮件服务

在 server 上配置邮件服务

这些系统不接受外部发来的邮件

在这些系统上本地发送任何邮件都会被路由到 server1.example.com

从这些系统上发送的邮件显示来自于 example.com

您可以通过发送邮件到 harry 来测试您的配置

您可以通过访问 http://server1.example.com/email/harry 来验证您的配置(模拟环境上面没有这个地址，所以此题验证不了)

发给 harry 的邮件同时能被 natasha 收到

server0

[root@server0 ~]# vim /etc/postfix/main.cf 
myorigin = example.com    #大概在99行
inet_interfaces = localhost #大概在117行，默认是localhost
mydestination = 			#大概在165行，将=号后面的删掉
mynetworks =  127.0.0.0/8	#大概在265行，仅需要127.0.0.0/8
relayhost = [server1.example.com]	#大概在319行
#保存并退出
[root@server0 ~]# vim  /etc/aliases
[root@server0 ~]# tail -n 1 /etc/aliases
harry:		harry,natasha
[root@server0 ~]# useradd harry
[root@server0 ~]# useradd natasha
[root@server0 ~]# systemctl restart postfix.service 
[root@server0 ~]# systemctl enable postfix.service 
[root@server0 ~]# firewall-cmd --add-service=smtp --permanent 
success
[root@server0 ~]# firewall-cmd --reload 
success

因为环境原因此题无法验证，真实考试环境中是可以验证的具体验证如下

> [root@server0 ~]# echo "hello" | mail -s testmail harry
> [root@server0 ~]# curl http://server1.example.com/email/harry
>

然后在最下面可以看到一个hello

配置文件具体解释：

myorigin = example.com #来自哪里
mynetworks = 127.0.0.0/8 # 邮件信息仅本地环回
relayhost = [server1.example.com] # 类似中间站，例如B在A和C的中间，A发给C的消息B就会收到。

9.Samba 服务

在 server 上配置 SAMBA 服务

您的 samba 服务器必须是 STAFF 工作组的一个成员

共享/common 目录,共享名为 common

只有 example.com 域内的客户端可以访问 common 共享

common 必须是可以浏览的

用户 natasha 必须能够读取共享中的内容,如果需要的话,验证密码是:tangkai

server0

[root@server0 ~]# yum install -y samba*
[root@server0 ~]# systemctl restart smb nmb
[root@server0 ~]# systemctl enable smb nmb
[root@server0 ~]# mkdir /common
[root@server0 ~]# vim /etc/samba/smb.conf 
#找到：
[global]
workgroup = STAFF #将=后面改为STAFF
..................
..................
#在最下面，新加入：
[common]
        path = /common
        browseable = yes
        valid users = natasha
# 保存并退出
[root@server0 ~]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
[root@server0 ~]# setsebool -P samba_enable_home_dirs 1
[root@server0 ~]# chcon -Rt samba_share_t /common/
[root@server0 ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=samba accept' --permanent 
success
[root@server0 ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=samba-client accept' --permanent 
success
[root@server0 ~]# firewall-cmd --reload 
success
[root@server0 ~]# id natasha
uid=1002(natasha) gid=1002(natasha) groups=1002(natasha)
[root@server0 ~]# smbpasswd -a natasha
New SMB password:
Retype new SMB password:
Added user natasha.
[root@server0 ~]# systemctl restart smb nmb
[root@server0 ~]# systemctl enable smb nmb

我们要养成一种习惯，不管之前有没有加入启动项，在每次重启之后，我们都要顺手把他加入到开机启动项里面

验证:需要到desktop0里面验证

> [root@desktop0 ~]# yum install -y cifs-util*
> [root@desktop0 ~]# mount -t cifs -o username=natasha,password=tangkai //172.25.0.11/common /media/
> [root@desktop0 ~]# df -h
> Filesystem            Size  Used Avail Use% Mounted on
> /dev/vda1              10G  3.1G  7.0G  31% /
> devtmpfs              906M     0  906M   0% /dev
> tmpfs                 921M   80K  921M   1% /dev/shm
> tmpfs                 921M   17M  904M   2% /run
> tmpfs                 921M     0  921M   0% /sys/fs/cgroup
> //172.25.0.11/common   10G  3.1G  7.0G  31% /media
>

10.多用户 samba 挂载

在 server 上通过 samba 共享目录/storage

共享名为 share

共享目录只能被 example.com 域内的客户端使用

共享目录 share 必须可以被浏览

用户 sarah 能以读的方式访问此共享,访问密码是 tangkai

用户 kitty 能以读写的方式访问此共享,访问密码是 tangkai

此共享永久挂载在 desktop 上的/mnt/dev 目录,并使用用户 sarah 进行认证,任何用户可临时通过 kitty 来获得读写权限

server0

[root@server0 ~]# vim /etc/samba/smb.conf 
[root@server0 ~]# tail n 6 /etc/samba/smb.conf 
[share]
	path = /storage
	browseable = yes
    valid users = sarah,kitty
	writable = no
	write list = kitty
[root@server0 ~]# systemctl restart smb nmb
[root@server0 ~]# systemctl enable smb nmb
[root@server0 ~]# mkdir /storage
[root@server0 ~]# useradd sarah
[root@server0 ~]# useradd kitty
[root@server0 ~]# chcon -Rt samba_share_t /storage/
[root@server0 ~]# setfacl -m u:sarah:r-x /storage/
[root@server0 ~]# setfacl -m u:kitty:rwx /storage/
[root@server0 ~]# smbpasswd -a sarah
New SMB password:
Retype new SMB password:
Added user sarah.
[root@server0 ~]# smbpasswd -a kitty
New SMB password:
Retype new SMB password:
Added user kitty.

desktop

[root@desktop0 ~]# vim /etc/fstab
[root@desktop0 ~]# tail -n 1 /etc/fstab 
//172.25.0.11/share	/mnt/dev	cifs multiuser,username=sarah,password=tangkai,sec=ntlmssp 0 0
[root@desktop0 ~]# mkdir /mnt/dev
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/vda1              10G  3.1G  7.0G  31% /
devtmpfs              906M     0  906M   0% /dev
tmpfs                 921M   80K  921M   1% /dev/shm
tmpfs                 921M   17M  904M   2% /run
tmpfs                 921M     0  921M   0% /sys/fs/cgroup
//172.25.0.11/common   10G  3.1G  7.0G  31% /media
//172.25.0.11/share    10G  3.1G  7.0G  31% /mnt/dev

11.配置 NFS 服务

1.) 在 server 上配置 NFS
以只读的方式共享/public,同时只能被 example.com 内用户访问

以读写的方式共享/protected 能被 example.com 内用户访问

访问/protected 需要通过 kerberos 安全加密,您可以使用下边链接的秘钥: http://classroom.example.com/pub/keytabs/server0.keytab

目录/protected 应该包含名为 project 拥有人为 ldapuser12 的子目录

用户 ldapuser12 能以读写的方式访问/protected/project

server0

[root@server0 ~]# vim /etc/exports
[root@server0 ~]# cat /etc/exports
/public	172.25.0.0/24(ro)
/protected 172.25.0.0/24(rw,sec=krb5p)
[root@server0 ~]# mkdir /public
[root@server0 ~]# mkdir /protected
[root@server0 ~]# mkdir /protected/project

# 这一栏的步骤有可能考试不需要你操作，但我们要以防万一
[root@server0 ~]# yum install -y krb5* sssd* authconfig*
[root@server0 ~]# cd /etc/openldap/
[root@server0 openldap]# ls
certs  ldap.conf  schema
[root@server0 openldap]# mkdir cacerts
[root@server0 openldap]# cd cacerts/
[root@server0 cacerts]# wget http://classroom.example.com/pub/example-ca.crt
[root@server0 cacerts]# authconfig-tui 
# 过程在考rhcse的时候有描述，这里就不再介绍
[root@server0 cacerts]# su - ldapuser12
su: warning: cannot change directory to /home/guests/ldapuser12: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$

[root@server0 ~]# chown ldapuser12 /protected/project
[root@server0 ~]# wget -O /etc/krb5.keytab  http://classroom.example.com/pub/keytabs/server0.keytab
[root@server0 ~]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"  # 在第13行，引号里面加入-V 4.2
[root@server0 ~]# systemctl enable nfs-secure nfs-secure-server nfs-server
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
[root@server0 ~]# systemctl start nfs-secure nfs-secure-server nfs-server
[root@server0 ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=nfs accept' --permanent 
success
[root@server0 ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=rpc-bind accept' --permanent 
success
[root@server0 ~]# firewall-cmd --reload 
success

2.)
在 desktop 上挂载来自于 server0 的 NFS 共享

/public 挂载在目录/mnt/nfsmount 上

/protected 挂载在目录/mnt/nfssecure,并使用安全的方式,秘钥：

http://classroom.example.com/pub/keytabs/desktop0.keytab

用户 ldapuser12 能在/mnt/nfssecure/project 上创建文件

这些文件系统在系统启动时自动挂载

desktop

[root@desktop0 ~]# mkdir /mnt/nfsmount
[root@desktop0 ~]# mkdir /mnt/nfssecure

# 这一栏的步骤有可能考试不需要你操作，但我们要以防万一
[root@desktop0 ~]# yum install sssd* krb5* authconfig* -y
[root@desktop0 ~]# cd /etc/openldap/
[root@desktop0 openldap]# ls
certs  ldap.conf
[root@desktop0 openldap]# mkdir cacerts
[root@desktop0 openldap]# cd cacerts/
[root@desktop0 cacerts]# wget http://classroom.example.com/pub/example-ca.crt
[root@desktop0 cacerts]# authconfig-tui
# 过程在考rhcse的时候有描述，这里就不再介绍
[root@desktop0 cacerts]# su - ldapuser12
su: warning: cannot change directory to /home/guests/ldapuser12: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$

[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
[root@desktop0 ~]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"  # 在第13行，引号里面加入-V 4.2
[root@desktop0 ~]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
[root@desktop0 ~]# systemctl start nfs-secure
[root@desktop0 ~]# vim /etc/fstab
[root@desktop0 ~]# tail -n 2 /etc/fstab 
172.25.0.11:/public /mnt/nfsmount nfs ro,v4.2 0 0
172.25.0.11:/protected /mnt/nfssecure nfs defaults,v4.2,sec=krb5p 0 0
[root@desktop0 ~]# mount -a

12.在 server 上配置一个 web 站点 http://server.example.com

从http://classroom.example.com/pub/example.html 下载文件,

并重命名为 index.html，不要修改文件内容。

将文件 index.html 拷贝到您的 DocumentRoot 目录下

来自于 example.com 的客户端可以访问该 web 服务器

来自于 my133t.org 的客户端的访问会被拒绝

server

[root@server0 ~]# yum install httpd -y
[root@server0 ~]# cd /var/www/html/
[root@server0 html]# ls
[root@server0 html]# wget -O  index.html http://classroom.example.com/pub/example.html
[root@server0 html]# ls
index.html
[root@server0 html]# systemctl restart httpd
[root@server0 html]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@server0 html]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=http accept' --permanent 
success
[root@server0 html]# firewall-cmd --reload 
success

验证

>[root@server0 html]# curl http://server.example.com
> zheshi yige 在 server 上配置一个 web 站点
>

13.为站点 http://server.example.com 配置 TLS 加密

已签名证书从 http://classroom.example.com/pub/tls/certs/server0.crt 获取

证书的秘钥从 http://classroom.example.com/pub/tls/private/server0.key 获取

证书的签名授权信息从 http://classroom.example.com/pub/tls/certs/www0.crt 获取

[root@server0 html]# yum -y install mod_ssl.x86_64
[root@server0 html]# cd /etc/httpd/conf.d/
[root@server0 conf.d]# vim ssl.conf 
#到120行左右
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#将这三个的后面的文件名改掉，然后将最后一个的#号去掉，效果如下：
SSLCertificateFile /etc/pki/tls/certs/server0.crt
SSLCertificateKeyFile /etc/pki/tls/private/server0.key
SSLCACertificateFile /etc/pki/tls/certs/www0.crt
# 记住这三个路径之后保存并退出
[root@server0 conf.d]# cd /etc/pki/tls/certs/
[root@server0 certs]# wget http://classroom.example.com/pub/tls/certs/server0.crt
[root@server0 certs]# cd /etc/pki/tls/private/
[root@server0 private]# wget http://classroom.example.com/pub/tls/private/server0.key
[root@server0 private]# cd /etc/pki/tls/certs/
[root@server0 certs]# wget http://classroom.example.com/pub/tls/certs/www0.crt

[root@server0 certs]# systemctl restart httpd.service 
[root@server0 certs]# systemctl enable httpd.service 
[root@server0 certs]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.25.0.0/24 service name=https accept' --permanent 
success
[root@server0 certs]# firewall-cmd --reload 
success

验证

> [root@server0 certs]# curl -k https://server.example.com
> zheshi yige 在 server 上配置一个 web 站点
> [root@server0 certs]# curl http://server.example.com
> zheshi yige 在 server 上配置一个 web 站点
>

14.在 server 上扩展您的 WEB 服务器

1. 为站点 http://www.example.com 创建一个虚拟主机
2. 设置 DocumentRoot 为/var/www/virtual
3. 从 http://classroom.example.com/pub/www.html 下载文件,并重命名为 index.html,不要修改文件内容。
4. 将文件 index.html 拷贝到 DocumentRoot 目录下
5. 确保 floyd 用户能够在/var/www/virtual 下创建文件

server

[root@server0 ~]# find / -name *vhosts.conf
/usr/share/doc/httpd-2.4.6/httpd-vhosts.conf
[root@server0 ~]# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/
[root@server0 ~]# cd /etc/httpd/conf.d/
[root@server0 conf.d]# vim httpd-vhosts.conf 
[root@server0 conf.d]# tail -n 8 httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName server.example.com
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/virtual"
    ServerName www.example.com
</VirtualHost>
[root@server0 ~]# mkdir /var/www/virtual
oot@server0 ~]# cd /var/www/virtual/
[root@server0 virtual]# wget -O index.html http://classroom.example.com/pub/www.html
[root@server0 conf.d]# useradd floyd
[root@server0 conf.d]# setfacl -m u:floyd:rwx /var/www/virtual
[root@server0 conf.d]# systemctl restart httpd.service 
[root@server0 conf.d]# systemctl enable httpd.service

验证

> [root@server0 conf.d]# curl www.example.com 
> zheshi yige 在 server 上扩展您的 WEB 服务器
> [root@server0 conf.d]# curl -k https://server.example.com
> zheshi yige 在 server 上配置一个 web 站点
> [root@server0 conf.d]# curl http://server.example.com
> zheshi yige 在 server 上配置一个 web 站点
>

15.web 访问控制

在您 server 上的 web 服务器的 DocumentRoot 目录下创建一个名为 private 的目录

从http://classroom.example.com/pub/private.html 下载文件到这个目录,并重命名为index.html,不要修改文件内容

从 server 上,任何人都可以浏览 private 的内容,但是从其他系统不能访问这个目录的内容

[root@server0 conf.d]# cd /var/www/html/
[root@server0 html]# mkdir private
[root@server0 html]# cd private/
[root@server0 private]# wget -O index.html http://classroom.example.com/pub/private.
[root@server0 private]# vim /etc/httpd/conf/httpd.conf
#搜索Requ，复制
<Directory />
    AllowOverride none
    Require all denied
</Directory>
[root@server0 private]# vim /etc/httpd/conf.d/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName server.example.com
   #<Directory "/var/www/html/private">
   #    Require ip 172.25.0.11
   #</Directory>
</VirtualHost> 
<VirtualHost *:80>
    DocumentRoot "/var/www/virtual"
    ServerName www.example.com
</VirtualHost>
# 这里#号表示加在这里三个，不要照着敲，把#号都敲进去了

[root@server0 private]# systemctl restart httpd.service 
[root@server0 private]# systemctl enable httpd.service

验证

> [root@server0 private]# curl server.example.com/private/ 
> zheshi yige web 访问控制
> # 然后我们用客户端去访问
> root@desktop0 ~]# curl server.example.com/private/
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access /private/
> on this server.</p>
> </body></html>
>

16.在 server 上实现动态 web 内容

动态内容由名为 alt.example.com 的虚拟主机提供虚拟主机侦听端口为 8909

从 http://classroom.example.com/pub/webapp.wsgi 下载一个脚本,然后放在适当的位置,不要修改文件内容

客户端访问 http://alt.example.com:8909 时,应该接收到动态生成的 web 页面此 http://alt.example.com:8909 必须能被 example.com 内所有的系统访问

server

[root@server0 private]# yum install mod_wsgi.x86_64 -y
[root@server0 private]# cd /var/www/
[root@server0 www]# mkdir wsgi
[root@server0 www]# cd wsgi/
[root@server0 wsgi]# wget http://classroom.example.com/pub/webapp.wsgi
[root@server0 wsgi]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
[root@server0 wsgi]# tail -n 5 /etc/httpd/conf.d/httpd-vhosts.conf 
Listen 8909
<VirtualHost *:8909>
    WSGIScriptAlias / "/var/www/wsgi/webapp.wsgi"
    ServerName alt.example.com:8909
</VirtualHost>
[root@server0 wsgi]# firewall-cmd --add-rich-rule 'rule family=ipv4 port port=8909 protocol=tcp accept' --permanent 
success
[root@server0 wsgi]# firewall-cmd --reload 
success
[root@server0 wsgi]# curl alt.example.com:8909
curl: (7) Failed connect to alt.example.com:8909; Connection refused
[root@server0 wsgi]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@server0 wsgi]# semanage port -a -t http_port_t -p tcp 8909
[root@server0 wsgi]# systemctl restart httpd.service 
[root@server0 wsgi]# systemctl enable httpd.service

验证

> [root@server0 wsgi]# curl http://alt.example.com:8909
> Hello World!
>

17.配置 server 提供一个 iSCSI 共享服务

磁盘名为 iqn.2014-09.com.example:server

服务端口为 3260

使用 iscsi_store 作为其后端卷其大小为 3G

此服务只能被 desktop.example.com 访问

server

[root@server0 wsgi]# yum install targetcli* -y
[root@server0 wsgi]# lsblk 
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda    253:0    0  10G  0 disk 
└─vda1 253:1    0  10G  0 part /
vdb    253:16   0  10G  0 disk 
[root@server0 wsgi]# fdisk /dev/vdb
Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-20971519, default 2048): 
Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +3G
Command (m for help): w
[root@server0 wsgi]# partprobe 
[root@server0 wsgi]# lsblk 
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda    253:0    0  10G  0 disk 
└─vda1 253:1    0  10G  0 part /
vdb    253:16   0  10G  0 disk 
└─vdb1 253:17   0   3G  0 part 
[root@server0 wsgi]# targetcli 
/> ls
o- / ................................................ [...]
  o- backstores ..................................... [...]
  | o- block ........................................ [Storage Objects: 0]
  | o- fileio ....................................... [Storage Objects: 0]
  | o- pscsi ........................................ [Storage Objects: 0]
  | o- ramdisk ...................................... [Storage Objects: 0]
  o- iscsi .......................................... [Targets: 0]
  o- loopback ....................................... [Targets: 0]
/> cd /backstores/block 
/backstores/block> create iscsi_store /dev/vdb1
Created block storage object iscsi_store using /dev/vdb1.
/backstores/block> cd /iscsi 
/iscsi> create iqn.2014-09.com.example:server
Created target iqn.2014-09.com.example:server.
Created TPG 1.
/iscsi> ls
o- iscsi ........................................... [Targets: 1]
  o- iqn.2014-09.com.example:server ................ [TPGs: 1]
    o- tpg1 ........................................ [no-gen-acls, no-auth]
      o- acls ...................................... [ACLs: 0]
      o- luns ...................................... [LUNs: 0]
      o- portals ................................... [Portals: 0]
/iscsi> cd iqn.2014-09.com.example:server/tpg1/acls 
/iscsi/iqn.20...ver/tpg1/acls> create iqn.2014-09.com.example:desktop
Created Node ACL for iqn.2014-09.com.example:desktop
/iscsi/iqn.20...ver/tpg1/acls> cd /iscsi/iqn.2014-09.com.example:server/tpg1/luns 
/iscsi/iqn.20...ver/tpg1/luns> create /backstores/block/iscsi_store 
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2014-09.com.example:desktop
/iscsi/iqn.20...ver/tpg1/luns> cd /iscsi/iqn.2014-09.com.example:server/tpg1/portals 
/iscsi/iqn.20.../tpg1/portals> create 172.25.0.11 3260
Using default IP port 3260
Created network portal 172.25.0.11:3260.
/iscsi/iqn.20.../tpg1/portals> exit
Global pref auto_save_on_exit=true
Last 10 configs saved in /etc/target/backup.
Configuration saved to /etc/target/saveconfig.json

[root@server0 wsgi]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" port port=3260 protocol=tcp accept' --permanent 
success
[root@server0 wsgi]# firewall-cmd --reload 
success
[root@server0 wsgi]# systemctl restart target
[root@server0 wsgi]# systemctl enable target
ln -s '/usr/lib/systemd/system/target.service' '/etc/systemd/system/multi-user.target.wants/target.service'

这一题的验证是下一题

18.配置 desktop 使其能连接在 server 上提供的 iscsi

iSCSI 设备在系统启动的期间自动加载

块设备 iSCSI 上包含一个大小 1500MiB 的分区,并格式化为 ext4

此分区挂载在/mnt/netdev 上同时在系统启动的期间自动加载

desktop

[root@desktop0 ~]# yum install -y iscsi-init*
[root@desktop0 ~]# mkdir /mnt/netdev
[root@desktop0 ~]# vim /etc/iscsi/initiatorname.iscsi 
[root@desktop0 ~]# cat /etc/iscsi/initiatorname.iscsi 
InitiatorName=iqn.2014-09.com.example:desktop
[root@desktop0 ~]# systemctl restart iscsi iscsid
[root@desktop0 ~]# systemctl enable iscsi iscsid
ln -s '/usr/lib/systemd/system/iscsid.service' '/etc/systemd/system/multi-user.target.wants/iscsid.service'
[root@desktop0 ~]# iscsiadm -m discovery -t st -p 172.25.0.11
172.25.0.11:3260,1 iqn.2014-09.com.example:server
[root@desktop0 ~]# iscsiadm -m node -l
Logging in to [iface: default, target: iqn.2014-09.com.example:server, portal: 172.25.0.11,3260] (multiple)
Login to [iface: default, target: iqn.2014-09.com.example:server, portal: 172.25.0.11,3260] successful.
[root@desktop0 ~]# lsblk 
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda      8:0    0   3G  0 disk 
vda    253:0    0  10G  0 disk 
└─vda1 253:1    0  10G  0 part /
vdb    253:16   0  10G  0 disk 
[root@desktop0 ~]# fdisk /dev/sda
Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 
First sector (8192-6291455, default 8192): 
Last sector, +sectors or +size{K,M,G} (8192-6291455, default 6291455): +1500M
Command (m for help): w
[root@desktop0 ~]# partprobe
[root@desktop0 ~]# mkfs.ext4 /dev/sda1
[root@desktop0 ~]# blkid | grep sda
/dev/sda1: UUID="142c6ec3-0d06-4f89-91e3-8201e8186d37" TYPE="ext4"
[root@desktop0 ~]# vim /etc/fstab 
[root@desktop0 ~]# tail -n 1 /etc/fstab 
UUID="142c6ec3-0d06-4f89-91e3-8201e8186d37"	/mnt/netdev	ext4 defaults,_netdev 0 0
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -h
/dev/vda1              10G  3.1G  7.0G  31% /
devtmpfs              906M     0  906M   0% /dev
tmpfs                 921M   80K  921M   1% /dev/shm
.............................
/dev/sda1             1.5G  4.5M  1.4G   1% /mnt/netdev

19.编写一个位于/root/program 的 shell 脚本

当执行/root/program tang 时,终端显示 kai

当执行/root/program kai 时,终端显示 tang

当仅执行/root/program 不加参数,或者加上其他参数时,终端显示标准错误输出/root/program tang|kai

server

[root@server0 ~]# vim /root/program
[root@server0 ~]# cat /root/program 
#!/bin/bash
case $1 in
    tang)
	echo "kai"
	;;
    kai)
	echo "tang"
	;;
    *)
	echo "/root/program tang|kai"
	;;
esac
[root@server0 ~]# chmod +x /root/program
[root@server0 ~]# /root/program tang 
kai
[root@server0 ~]# /root/program kai
tang
[root@server0 ~]# /root/program
/root/program tang|kai

20.写一个创建用户的脚本

脚本名为/root/mkuser,脚本执行时需要添加一个参数,

请在 http://classroom.example.com/pub/user 下载下来,这个 user 就是参数

如果没有参数,将提示:Usage:/root/mkuser

如果参数为不存在的文件,则提示:Input file not found

如果存在,则创建用户,用户不需要设置密码,用户的 shell 为/bin/flase

server

[root@server0 ~]# vim /root/mkuser
[root@server0 ~]# cat /root/mkuser 
#!/bin/bash
if [ $# -eq 0 ];then
    echo "Usage:/root/mkuser"
else
    if [ -f $1 ];then
    for user in $(cat $1);do
	useradd -s /bin/flase $user
    done
    else
	echo "Input file not found"
    fi
fi
[root@server0 ~]# chmod +x /root/mkuser 
[root@server0 ~]# cd /root
[root@server0 ~]# wget http://classroom.example.com/pub/user 
[root@server0 ~]# /root/mkuser
Usage:/root/mkuser
[root@server0 ~]# /root/mkuser dfs
Input file not found
[root@server0 ~]# /root/mkuser user
[root@server0 ~]# id user1
uid=1001(user1) gid=1001(user1) groups=1001(user1)
[root@server0 ~]# id user2
uid=1002(user2) gid=1002(user2) groups=1002(user2)
[root@server0 ~]# id user3
uid=1003(user3) gid=1003(user3) groups=1003(user3)
[root@server0 ~]# cat user 
user1
user2
user3
user4
user5
[root@server0 ~]#

21.在你的机器上创建一个 mariadb 数据库;

数据库名为 contacts

数据库应该包含来自数据库复制的内容。复制文件的 URL 为
http://classroom.example.com/pub/user.mdb

数据库只能被 localhost 访问

除了 root 用户,此数据库只能被用户 raikon 查询,此用户密码为 redhat

root 用户密码为 redhat,同时不允许空密码登陆

server

[root@server0 ~]# yum install mariadb* -y
[root@server0 ~]# systemctl restart mariadb
[root@server0 ~]# systemctl enable mariadb
ln -s '/usr/lib/systemd/system/mariadb.service' '/etc/systemd/system/multi-user.target.wants/mariadb.service'
[root@server0 ~]# mysql_secure_installation
Set root password? [Y/n] y
New password: #redhat
Re-enter new password: #redhat
Password updated successfully!
Remove anonymous users? [Y/n] y
 ... Success!
Disallow root login remotely? [Y/n] n
 ... skipping.
Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
Reload privilege tables now? [Y/n] y
 ... Success!
[root@server0 ~]# wget http://classroom.example.com/pub/users.mdb

[root@server0 ~]# mysql -uroot -predhat
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 5.5.35-MariaDB MariaDB Server

Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database Contacts;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> use Contacts;
Database changed
MariaDB [Contacts]> source /root/user.mdb;
MariaDB [Contacts]> grant select on Contacts .* to 'raikon@localhost' identified by 'redhat';
MariaDB [Contacts]> flush privileges;
MariaDB [Contacts]> exit

24.数据库查询

在 system1 上使用数据库 Contacts ，并使用相应的 SQL 查询以回答下列问题：

密码是fadora 的人的名字是什么？

有多少人的姓名是 John ，同时居住在 Santa Clara ？

system1

[root@system1 ~]# mysql -u root -predhat

MariaDB [(none)]> use Contacts;

MariaDB [Contacts]> SELECT u_name.firstname FROM u_name, u_passwd WHERE u_name.userid = u_passwd.uid AND u_passwd.password = 'fadora';
+-----------+
| firstname |
+-----------+
| John      |
+-----------+
1 row in set (0.00 sec)

MariaDB [Contacts]> SELECT COUNT(*) FROM u_name,u_loc WHERE u_name.userid = u_loc.uid AND u_name.firstname = 'John' AND u_loc.location = 'Santa Clara';
+----------+
| COUNT(*) |
+----------+
|        4 |
+----------+
1 row in set (0.00 sec)

密码是fadora 的人的名字是什么？

John

有多少人的姓名是 John ，同时居住在 Santa Clara ？

4

在这里，考者请切记，查询之后的答案记住一定要填写到所填写的正确地方。

不要忘记填写进去

》》》》》》》》》》》》》》》》》》》》》》

以上就是本次RHCE 7 版本的认证考试参考答案，如有错误请联系博主进行更改，最后祝愿大家RHCE认证取得好成绩！！！！

打赏