System Configuration and Management Flashcards

1
Q

Route IP traffic and create static routes Option 2

A
Configure a Default Route
A default route is normally assigned along with the dynamic IP address
#route -n
#netstat -rn

To temporarily add a default route:
$route add default gw 192.168.122.1

If multiple network devices exist on the local system, you can specify which one to use:
$route add default gw 192.168.122.1 dev eth1

Configure a special route
Using the Network Connections tool. To start it:
$ nm-connection-editor
Select an existing wired or wireless network device and click Edit.
Under either the IPv4 or IPv6 tab, click the route button for special routes.

The Network Connections tool does not work unless the NetworkManager service in the /etc/init.d directory is active.

2
Q

Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)

A

To implement NAT on a server with two network cards (eth0:192.168.1.1/24 connected to the Internet and eth1:192.168.2.1/24 connected to the internal network) several steps are required.

Edit the /etc/sysctl.conf file and assign 1 to the 'net.ipv4.ip_forward' option:

net.ipv4.ip_forward = 1

Update the system:

$ sysctl -p

Add a new rule to the firewall:

$ iptables -t nat -I POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE

Save the firewall configuration:

$ service iptables save

3
Q

Use /proc/sys and sysctl to modify and set kernel runtime parameters

A

Edit the /etc/sysctl.conf file and add the following lines:

# allow IPv4 forwarding
net.ipv4.ip_forward = 1
# don't respond to a ping
net.ipv4.icmp_echo_ignore_all = 1
# don't respond to a ping to the broadcast address
net.ipv4.icmp_echo_ignore_broadcasts = 1

Put the changes into practice:

$ sysctl -p

Check the changes:

$ cat /proc/sys/net/ipv4/ip_forward
$ cat /proc/sys/net/ipv4/icmp_echo_ignore_all
$ cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

4
Q

Configure a system as an iSCSI initiator that persistently mounts an iSCSI target

A

In order to test an iSCSI initiator, you will need to configure an iSCSI target.

Install the following package:
#yum install -y iscsi-initiator-utils
Discover the available iSCSI targets from your already installed 'targetserver':
#iscsiadm -m discoverydb -t st -p targetserver -D
Start the iSCSI service:
#service iscsi start
Start it at boot:
#chkconfig iscsi on

Retrieve the new iSCSI disk name (here /dev/sda):
#grep "Attached SCSI" /var/log/messages
Nov 22 10:28:38 testvm kernel: sd 2:0:0:1: [sda] Attached SCSI disk

Create a file system on this disk:
#mkfs.ext4 /dev/sda
Note: if you are connecting remotely, set up console access beforehand.

Retrieve the UUID of this disk:
#blkid | grep "/dev/sda"
Add the disk UUID to the /etc/fstab file:
#echo "UUID=..." >> /etc/fstab

Edit the /etc/fstab file and add mount point, file system type and mount options (_netdev):
UUID=… /mnt ext4 _netdev 0 0

5
Q

Produce and deliver reports on system utilization (processor, memory, disk, and network)

A

sadf -d /var/log/sa/sa11 -- -u -r -dp -n DEV

sar appears to be the tool to save the day here. The sysstat package, installed and running by default, contains tools that capture system performance throughout the day and automatically summarize it for you. Generating utilization reports is then a simple matter of knowing the right sar command to execute. If all else fails, simply try man sar.

Processor
Basic processor report: sar or sar -u
Basic report every second for the next 10 seconds: sar 1 10
Load average: sar -q
Per processor statistics: sar -P ALL
Power management (not enabled by default): sar -m
Memory
Kernel paging: sar -B
Unused memory: sar -r
Swap space: sar -S
Disk
Disk IO stats (avg): sar -b
Disk IO stats: sar -d (-p to use pretty names)
Network
Network statistics: sar -n DEV
Network errors: sar -n EDEV
Everything
All reports simultaneously: sar -A

OR

Install the sysstat package if it is not already installed:

#yum install -y sysstat
Activate the sysstat service at boot:
#chkconfig sysstat on
Produce a report for a given day (here the 11th) with the sadf command shown at the top of this answer (-u for CPU usage, -r for memory usage, -dp for disk activity, -n DEV for network activity).
6
Q

Use shell scripting to automate system maintenance tasks

A

A good place to find help is the bash man page (man bash).

Doing something to each file in a directory:
for i in *; do echo "$i"; done
Doing something for each line in a file (here a placeholder file named file.txt):
while IFS= read -r i; do echo "$i"; done < file.txt

7
Q

SYS: Configure a system to log to a remote system

A
Edit the /etc/rsyslog.conf file and uncomment the following lines at the end of the file where remote-host is the name of the syslog server:
#$WorkDirectory /var/lib/rsyslog
#$ActionQueueFileName fwdRule1
#$ActionQueueMaxDiskSpace 1g
#$ActionQueueSaveOnShutdown on
#$ActionQueueType LinkedList
#$ActionResumeRetryCount -1
#*.* @@remote-host:514
Restart the syslog service:
#service rsyslog restart
After setting up the syslog server, test the configuration:
#logger -p local0.notice -t TEST "Test"
On the syslog server, check the TEST string in the /var/log/messages file:
#grep "TEST" /var/log/messages
8
Q

SYS: Configure a system to accept logging from a remote system

A
Edit the /etc/rsyslog.conf file and uncomment the following lines to allow TCP syslog reception:
#$ModLoad imtcp
#$InputTCPServerRun 514
Restart the Syslog service:
#service rsyslog restart
Add a new rule to the firewall:
#iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
Save the firewall configuration:
#service iptables save
9
Q

Route IP traffic and create static routes

A

netstat -nr

Route IP traffic and create static routes

There are two main ways of setting a route with this method,
assuming you want the routes set for eth0.

  1. echo "10.10.11.0/24 via 10.168.20.227 dev eth0" >> /etc/sysconfig/network-scripts/route-eth0
  2. echo "10.10.11.0/24 dev eth0" >> /etc/sysconfig/network-scripts/route-eth0

You can activate the routes with the following command:
/etc/sysconfig/network-scripts/ifup-routes eth0

The first way provides a route to the 10.10.11.0 network and sets 10.168.20.227 as the gateway for that route. In other words, it expects 10.168.20.227 to be able to route those packets to the 10.10.11.0 network (or at least to forward them to a server/router that can). You can check the routing table in a myriad of ways, for instance (only showing the relevant line):

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.10.11.0 10.168.20.227 255.255.255.0 UG 0 0 0 eth0

The second way provides a similar route to the 10.10.11.0 network, but does not set a gateway for that route. Instead of sending the packets to the gateway, it simply sends them directly to the 10.10.11.0 network.

route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

For completeness, the commands needed to achieve the same as above are the following:
route add -net 10.10.11.0 netmask 255.255.255.0 gw 10.168.20.227 eth0

route add -net 10.10.11.0 netmask 255.255.255.0 eth0

Note that a reboot will clear these from the routing table, so you should use them only for testing before writing them to the interface route file.

10
Q

Setup a Kerberos Client

A

yum install -y krb5-workstation pam_krb5

Back up the /etc/sssd directory as well as the /etc/nsswitch.conf file.

Using the graphical authentication configuration tool
One way to open the GUI version:
#authconfig-gtk

You can also use the console authentication configuration tool:
# authconfig-tui