Category Archives: Learning

It’s a bold strategy, Cotton. Let’s see if it pays off

A month ago, I took the RHCE exam, fairly confident I would pass after spending hours studying and practicing.

It did not happen. I was not even able to complete the exam on time. I was hoping when I came home that I somehow squeaked through, but then came the exam notification:

Passing score for the exam: 210
Your score: 206

Result: NO PASS

For the next few hours, I was pretty depressed. I actually studied for the test far more extensively than the last time I took the RHCE, so it was a big blow to my confidence. At one point, I thought about not continuing on the RHCA path.

Then I decided to re-group and give it another go.

After signing up for the exam again (which, I will add, came at considerable cost, as Red Hat does not offer free re-takes), I took another look at the exam objectives and realized that in order to pass the exam, I needed to complete all objectives in 3 1/2 hours (or 210 minutes). So I consolidated the list of objectives as follows:

  • Configure a caching-only name server
  • Configure a system to forward all email to a central mail server
  • SSH Key Configuration with ACL
  • Synchronize time using other NTP peers
  • Apache – Configure a virtual host – with acl
  • Apache – Configure private directories
  • Apache – Configure group-managed content
  • Apache – Deploy a basic CGI application
  • Apache – Configure TLS security
  • Produce and deliver reports on system utilization (processor, memory, disk, and network)
  • Configure a system to authenticate using Kerberos
  • NFS – Provide network shares to specific clients
  • NFS – Provide network shares suitable for group collaboration (multi-user)
  • NFS – Use Kerberos to control access to NFS network shares
  • Samba – Provide network shares to specific clients
  • Samba – Provide network shares suitable for group collaboration
  • Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)
  • Route IP traffic and create static routes
  • Use /proc/sys and sysctl to modify and set kernel runtime parameters
  • Configure IPv6 addresses and perform basic IPv6 troubleshooting
  • Use network teaming or bonding to configure aggregated network links between two Red Hat Enterprise Linux systems
  • Install and configure MariaDB
  • Use shell scripting to automate system maintenance tasks
  • Configure a system as either an iSCSI target or initiator that persistently mounts an iSCSI target

Then I put them in a spreadsheet and started logging the time it took me to complete each task over the course of the week. The results were not pretty – it took about 162 minutes to complete most of them.

(Actually, some of the tasks (in particular, Apache) took far longer than I expected, and some others I gave up on after 10-15 minutes.)

The important thing, though, is that after that practice run, I knew where my areas of weakness were. So I reviewed the material again on my way to work and back, did some quick practice sessions and then went through the tasks again.

As a result, the following week was a different story: I was able to cut my time down by almost 40 minutes – down to 128 minutes.

Again, I looked at areas where I was weak, practiced and reviewed. By the Sunday before the exam, I was able to cut my time to under 2 hours. Then I did some final review on some parts on Sunday and Monday.

As a result, when I re-took the exam Tuesday afternoon, I was able to breeze through all the items and complete all of them with an hour to spare. At that point, I was able to spend the remaining time validating the setup, and going back and correcting things that I missed.

Later on that evening, I received the results:

 

Passing score for the exam: 210
Your score: 271

Result: PASS

Boom, baby.

Hold your nose and close your eyes

Aggregating interfaces can be a pain, but it doesn’t have to be. With Red Hat 7 and above, you can team your interfaces with very little effort. Frankly, it is pretty awesome.

There is one catch, though. You will have to learn to use Network Manager. Specifically, nmcli.

Much can be said about whether Network Manager is necessary or not on the server, but after working with nmcli, I could at least see how useful it is when it comes to persistently setting teaming configurations. I mean, the setup goes something like this:

Create a team configuration file, using one of the examples in the documentation directory:

cd /usr/share/doc/teamd-1.17/example_configs/
cp activebackup_ethtool_1.conf tmp.json
cat tmp.json

Then create the master, using the above configuration:

nmcli con add type team con-name team0 ifname team0 config tmp.json

Then add the slaves:

nmcli con add type team-slave con-name ens8 ifname ens8 master team0
nmcli con add type team-slave con-name ens9 ifname ens9 master team0

Re-start the interfaces and you are done!

It does smell a bit, but after fighting with Network Manager for the last decade, maybe it is time to at least give it a chance.

I should put something here

Some days, keeping up with technology can be a mix of frustration and excitement.

I am currently working on getting back my RHCE (Red Hat Certified Engineer) credentials (I had it before, but for reasons I won’t get into, it expired). From there, I will be able to avail myself of a suite of certificates from Red Hat, eventually getting either an RHCA (Red Hat Certified Architect) in Cloud or DevOps (or, if time does not permit, just plain RHCA). I will do this by using existing resources (books, documentation, supplemented by inexpensive online training) rather than taking the rather pricey ROLE courses.

That is the idea, at least.

Case in point, Samba. Now, I don’t use Samba that much, but it is a key objective to complete in the RHCE exam – not just using it, but configuring and setting up the appropriate access controls. From reading the RHCE books, it seems pretty straightforward. For example:

  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration

Which means you need to do the following on the server:

1) Install Samba on the server.

yum -y install samba samba-client

2) Add group that will be used for collaboration

groupadd -g 8888 shared

3) Modify existing users so they are part of the group

usermod -aG shared amy
usermod -aG shared rory

5) Create samba users:

smbpasswd -a amy
smbpasswd -a rory

6) Set the appropriate permissions on the directory you want to share.

chmod 770 /srv/directory_to_be_shared
chown nobody:shared /srv/directory_to_be_shared

7) Set the SELinux context as follows:

semanage fcontext -a -t samba_share_t "/srv/directory_to_be_shared(/.*)?"
restorecon -rv /srv/directory_to_be_shared

8) Create entry in /etc/samba/smb.conf

[shared]
comment = "shared directory"
path = /srv/directory_to_be_shared
writable = yes
browsable = yes
write list = +shared
hosts allow = foo.bar.monzell.com

9) Run testparm to validate the configuration

10) Enable and start samba:

systemctl enable smb
systemctl start smb

11) Open the firewall:

firewall-cmd --add-service=samba
firewall-cmd --add-service=samba --permanent

While on the client:

1) Install samba and cifs-utils:

yum -y install cifs-utils samba

2) Create directory to mount the share:

mkdir /mnt/shared

3) Create a file that contains the credentials used to mount the share and secure the file:

echo 'username=amy' > /etc/samba/secret
echo 'password=doctor!' >> /etc/samba/secret
chmod 0400 /etc/samba/secret

4) Update fstab to mount the directory

//samba.server.monzell.com/shared /mnt/shared cifs _netdev,credentials=/etc/samba/secret 0 0

5) Finally, mount the share:

mount /mnt/shared

As you can tell, I got it down cold. Why? Because until today, I couldn’t do step 5. I kept getting permission errors:

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Now I was able to mount if I removed the hosts allow entry:

[shared]
comment = "shared directory"
path = /srv/directory_to_be_shared
writable = yes
browsable = yes
write list = +shared

But that would mean that I wouldn’t be able to use ACL controls.

After some searching, I found that I can block via IP, which is sort of better – but I still wasn’t satisfied.

I looked at the walkthroughs for all the RHCE books (Van Vugt, Ghori, Jang, Tecmint) and so far, from what I can tell, it should work. I mean, surely the authors have all figured it out, right?

Well, today, I gave it one more try and it occurred to me that, perhaps, Samba doesn’t do lookups by default. Sure enough, after some searching, I found:

http://serverfault.com/questions/702455/samba-hosts-allow-example-com

In order for host allow entries using hostnames to work you need to enable

hostname lookups = yes

in the global configuration of smb.conf.

And sure enough, adding that in smb.conf:

[global]
hostname lookups = yes

allowed me to mount while using host controls on the hostname.

Turns out that hostname lookups are quite expensive, resource-wise, so Samba has it turned off by default.
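A quick way to catch this before the mount fails, as an added example that is not part of the original post: the function below scans an smb.conf for hosts allow / hosts deny entries given as names and reports them when [global] does not enable hostname lookups. The function name is hypothetical, and the sample config is constructed from the post's [shared] section, with the 192.168.122. prefix made up for illustration.

```shell
#!/bin/sh
# Added example: flag smb.conf host ACLs that name hosts while
# "hostname lookups" is left at its default (off).

# check_host_acls FILE: print each hostname-based ACL entry and return 1
# when [global] does not set "hostname lookups = yes"; return 0 otherwise.
check_host_acls() {
    awk '
    # smb.conf parameter names ignore case and embedded whitespace
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        section = tolower(section); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = norm(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        if (section == "global" && key == "hostnamelookups") {
            v = norm(val)
            lookups = (v == "yes" || v == "true" || v == "on" || v == "1")
        }
        if (key ~ /^(hostsallow|allowhosts|hostsdeny|denyhosts)$/) {
            n = split(val, tok, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "" || toupper(t) ~ /^(ALL|LOCAL|FAIL|EXCEPT)$/) continue
                if (t ~ /^[@+]/ || t ~ /:/) continue   # netgroup or IPv6 literal
                if (t ~ /[A-Za-z]/) hit[++nh] = "[" section "] " t
            }
        }
    }
    END {
        if (lookups || nh == 0) exit 0
        for (i = 1; i <= nh; i++) print hit[i] ": needs hostname lookups = yes"
        exit 1
    }' "$1"
}

# Constructed sample: the [shared] section from the post, no [global] override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[shared]
path = /srv/directory_to_be_shared
write list = +shared
hosts allow = foo.bar.monzell.com 192.168.122.
EOF
check_host_acls "$sample" || echo "host ACL would not match by name"
rm -f "$sample"
```

Entries written as addresses or network prefixes are not reported, since they match without any name resolution.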

I am not sure why all the major RHCE prep books missed this. I thought at first that it may be a problem with the editing, which I could understand for one book.

But all four?

Interesting.