一、环境模拟
- * server0.example.com :172.25.0.11
- * desktop0.example.com :172.25.0.10
- * 子网掩码为:255.255.255.0
- * 默认网关为:172.25.0.254
- 考试中使用的 Red Hat Enterprise Linux 操作系统版本对应的
- 分发包可以通过YUM在下面的链接中找到:http://classroom.example.com/content/rhel7.0/x86_64/dvd
- 确保您的两台虚拟机的 SELinux 处于强制启用模式
解题:
[root@server0 ~]# vim /etc/yum.repos.d/classroom.example.com_content_rhel7.0_x86_64_dvd.repo
在尾部添加:
gpgcheck=0
[root@server0 ~]# yum clean all
[root@server0 ~]# yum makecache
两台机器先配置SELINUX:
[root@server0 ~]# vim /etc/selinux/config
修改:
SELINUX=enforcing
[root@server0 ~]# setenforce 1
两台机配置chronyd:
添加:
[root@desktop0 ~]# vim /etc/chrony.conf
server classroom.example.com iburst
[root@desktop0 ~]# systemctl enable chronyd
[root@desktop0 ~]# systemctl restart chronyd
[root@desktop0 ~]# chronyc sources -v
将网卡全部设置为静态:
[root@server0 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
TYPE=Ethernet
NAME=eth0
IPADDR1=172.25.0.11
PREFIX=24
GATEWAY=172.25.0.254
DNS1=172.25.254.254
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
TYPE=Ethernet
NAME=eth0
IPADDR1=172.25.0.10
PREFIX=24
GATEWAY=172.25.0.254
DNS1=172.25.254.254
二、配置SSH
- 用户能够从域 example.com 内的客户端 SSH 远程访问您的两个虚拟机系统;
- 在域 my133t.org 内的客户端不能访问您的两个虚拟机系统
解题:
在两台机器执行:
server0:
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.24.0.0/24" service name="ssh" reject"
[root@server0 ~]# firewall-cmd --reload
desktop0:
[root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept"
[root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.24.0.0/24" service name="ssh" reject"
[root@desktop0 ~]# firewall-cmd --reload
三、配置端口转发
- 在 172.25.0.0/24 网络中的系统,访问 server0 的本地端口 9394 将被转发到本地端口 443 ;
- 此设置必须永久有效。
解题:
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" forward-port to-port="443" protocol="tcp" port="9394" accept"
[root@server0 ~]# firewall-cmd --reload
四、配置链路聚合
- 在 server0.example.com 和 desktop0.example.com 之间按以下要求配置一个链路 team1 :
- 此链路使用接口 eth1和 eth2;
- 此链路在一个接口失效时仍然能工作;
- 此链路在 server0 使用下面的地址 :172.26.20.10/255.255.255.0 ;
- 此链路在 desktop0 使用下面的地址 :172.26.20.20/255.255.255.0 ;
- 此链路在系统重启之后依然保持正常状态。
解题:
server:
[root@server0 ~]# nmcli connection add con-name team1 type team ifname team1 config '{"runner": {"name": "activebackup"}}'
[root@server0 ~]# nmcli connection modify team1 ipv4.addresses "172.26.20.10/24" ipv4.method manual connection.autoconnect yes
[root@server0 ~]# nmcli connection add con-name team1-slave1 ifname eth1 type team-slave master team1
[root@server0 ~]# nmcli connection add con-name team1-slave2 ifname eth2 type team-slave master team1
[root@server0 ~]# nmcli connection reload
[root@server0 ~]# nmcli connection up team1
[root@server0 ~]# nmcli connection up team1-slave1
[root@server0 ~]# nmcli connection up team1-slave2
[root@server0 ~]# teamdctl team1 state
setup:
runner: activebackup
ports:
eth2
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
eth1
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
runner:
active port: eth1
[root@server0 ~]#
desktop:
[root@desktop0 ~]# nmcli connection add con-name team1 type team ifname team1 config '{"runner": {"name": "activebackup"}}'
[root@desktop0 ~]# nmcli connection modify team1 ipv4.addresses "172.26.20.20/24" ipv4.method manual connection.autoconnect yes
[root@desktop0 ~]# nmcli connection add con-name team1-slave2 ifname eth2 type team-slave master team1
[root@desktop0 ~]# nmcli connection add con-name team1-slave2 ifname eth2 type team-slave master team1
[root@desktop0 ~]# nmcli connection add con-name team1-slave1 ifname eth1 type team-slave master team1
[root@desktop0 ~]# nmcli connection reload
[root@desktop0 ~]# nmcli connection up team1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/13)
[root@desktop0 ~]# nmcli connection up team1
[root@desktop0 ~]# nmcli connection up team1-slave1
[root@desktop0 ~]# nmcli connection up team1-slave2
[root@desktop0 ~]#
[root@desktop0 ~]# teamdctl team1 state
setup:
runner: activebackup
ports:
eth1
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
eth2
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
runner:
active port: eth1
五、配置ipv6
- 在您的两个考试系统上配置接口 eth0 使用下列 IPv6 地址:
- server0 上的地址应该是 2019:ce11::1748/64 ;
- desktop0 上的地址应该是 2019:ce11::1757/64 ;
- 两个系统必须能与网络 2019:ce11/64 内的系统通信;
- 地址必须在重启系统后依旧生效;
- 两个系统必须保持当前的 IPv4 地址并仍然能够通信。
解题:
server:
[root@server0 ~]# nmcli connection modify eth0 ipv6.addresses "2019:ce11::1748/64" ipv6.method manual connection.autoconnect yes
[root@server0 ~]# nmcli connection reload
[root@server0 ~]# service network restart
[root@server0 ~]# nmcli connection reload
[root@server0 ~]# nmcli connection up team1 (配置完成ipv6需要重启链路聚合)
[root@server0 ~]# nmcli connection up team1-slave1
[root@server0 ~]# nmcli connection up team1-slave2
desktop:
[root@desktop0 ~]# nmcli connection modify eth0 ipv6.addresses "2019:ce11::1757/64" ipv6.method manual connection.autoconnect yes
[root@desktop0 ~]# nmcli connection reload
[root@desktop0 ~]# service network restart
[root@desktop0 ~]# nmcli connection up team1 (配置完成ipv6需要重启链路聚合)
[root@desktop0 ~]# nmcli connection up team1-slave1
[root@desktop0 ~]# nmcli connection up team1-slave2
六、配置邮件服务
- 在系统 server0 和 desktop0 上配置邮件服务,满足以下要求:
- 这些系统不接收外部发送来的邮件;
- 在这些系统上本地发送的任何邮件都会自动路由到 smtp0.example.com ;
- 从这些系统上发送的邮件显示来自于 desktop0.example.com ;
- 您可以通过在 server0.example.com 发送邮件到本地用户 student 来测试您的配置,并将系统 desktop0.example.com 配置为后端邮件服务器,确保可接收并投递来自 server0 的邮件。
解题:
server:
[root@server0 ~]# systemctl enable postfix
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="stmp" accept"
success
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port="25" protocol="tcp" accept"
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]#
[root@server0 ~]# postconf -e 'inet_interfaces=loopback-only'
[root@server0 ~]# postconf -e 'relayhost=[smtp0.example.com]'
[root@server0 ~]# postconf -e 'mydestination='
[root@server0 ~]# postconf -e 'myorigin=desktop0.example.com'
[root@server0 ~]# systemctl restart postfix.service
desktop:
[root@desktop0 ~]# systemctl enable postfix
[root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="stmp" accept"
[root@desktop0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port="25" protocol="tcp" accept"
[root@desktop0 ~]# firewall-cmd --reload
[root@desktop0 ~]# postconf -e 'inet_interfaces=loopback-only'
[root@desktop0 ~]# postconf -e 'relayhost=[smtp0.example.com]'
[root@desktop0 ~]# postconf -e 'mydestination='
[root@desktop0 ~]# postconf -e 'myorigin=desktop0.example.com'
[root@desktop0 ~]# systemctl restart postfix.service
[root@desktop0 ~]# echo 'hello'|mail -s testmail student
七、SMB
- 在 server0 通过 SMB 共享 /exam_share 目录:
- 您的 SMB 服务器必须是 WORKSTAFF 工作组的一个成员;
- 共享名必须为 exam share ;
- 只有 example.com 域内的客户端可以访问 exam_share 共享;
- exam_share 必须是可以浏览的;
- 用户 harris 必须能够读取共享中的内容,如果需要的话,验证的密码是 123456。
解题:
server:
[root@server0 ~]# yum install samba samba-client -y
[root@server0 ~]# systemctl enable nmb smb
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="samba" accept"
success
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# mkdir /exam_share -p
[root@server0 ~]# semanage fcontext -a -t 'samba_share_t' '/exam_share(/.*)?'
[root@server0 ~]# restorecon -Rv /exam_share/
restorecon reset /exam_share context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0
[root@server0 ~]#
[root@server0 ~]# smbpasswd -a harris
[root@server0 ~]# vim /etc/samba/smb.conf
workgroup = WORKSTAFF
[exam_share]
path = /exam_share
browseable = yes
desktop:
[root@desktop0 ~]# yum install samba-client -y
[root@desktop0 ~]# smbclient //172.25.0.11/exam_share -U harris
Enter harris's password:
Domain=[WORKSTAFF] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
八、SMB多用户挂载
- 在 server0 通过 SMB 共享目录 /exam_devops,并满足以下要求:
- 共享名为 exam devops ;
- 共享目录 exam_devops 只能被 example.com 域中的客户端使用;
- 共享目录 exam_devops 必须可以被浏览;
- 用户 johnson 必须能以读的方式访问此共享,该问密码是 123456 ;
- 用户 kristina 必须能以读写的方式访问此共享,访问密码是 123456 ;
- 此共享永久挂载在 desktop0.example.com 上的/mnt/exam_devops 目录,并使用用户 johnson 作为认证。任何用户可以通过用户 kristina 来临时获取写的权限。
解题:
[root@server0 ~]# semanage fcontext -a -t 'samba_share_t' '/exam_devops(/.*)?'
[root@server0 ~]# restorecon -Rv /exam_devops/
[root@server0 ~]#
[root@server0 ~]# setfacl -Rm u:kristina:rwX /exam_devops
[root@server0 ~]# vim /etc/samba/smb.conf
[exam_devops]
path = /exam_devops
browseable = yes
write list = kristina
[root@server0 ~]# systemctl restart nmb smb
[root@server0 ~]# smbpasswd -a kristina
[root@server0 ~]# smbpasswd -a johnson
desktop:
[root@desktop0 ~]# yum install cifs-utils -y
[root@desktop0 ~]# mkdir -p /mnt/exam_devops
[root@desktop0 ~]# vim /etc/fstab
//172.25.0.11/exam_devops /mnt/exam_devops cifs defaults,multiuser,username=johnson,password=exam@1748,sec=ntlmssp 0 0
[root@desktop0 ~]# mount -av
/ : ignored
/mnt/iscsi_storage : already mounted
/mnt/exam_devops : already mounted
[root@desktop0 ~]# su student
[student@desktop0 exam_devops]$ ls
ls: reading directory .: Permission denied
[student@desktop0 exam_devops]$ cifscreds add 172.25.0.11 -u kristina
[student@desktop0 exam_devops]$ touch xx
[student@desktop0 exam_devops]$ ll
total 0
-rw-r--r--. 1 1004 1004 0 Nov 14 07:54 test01
-rw-r--r--. 1 1004 1004 0 Nov 14 08:12 xx
九、NFS
- 在 server0 配置 NFS 服务,要求如下:
- 以只读的方式共享目录 /nfspublic ,只能被 example.com 域中的系统访问;
- 以读写的方式共享目录 /nfsprotected ,只能被 example.com 域中的系统访问;
- 访问 /nfsprotected 需要通过 Kerberos 安全加密,您可以使用下面 URL 提供的密钥:http://classroom.example.com/pub/keytabs/server0.keytab ;
- 目录 /nfsprotected 应该包含名为 nfsproject 拥有人为 ldapuser0 的子目录;
- 用户 ldapuser0 能以读写方式访问 /nfsprotected/nfsproject 。
解题:
[root@server0 ~]# yum install nfs-utils -y
[root@server0 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@server0 ~]# firewall-cmd --permanent --add-service=mountd
success
[root@server0 ~]# firewall-cmd --permanent --add-service=rpc-bind
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# systemctl enable nfs-server.service nfs-secure-server.service
[root@server0 ~]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"
[root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
[root@server0 ~]# systemctl restart nfs-secure-server.service
[root@server0 ~]# systemctl restart nfs-server.service
[root@server0 ~]# mkdir -p /nfspublic
[root@server0 ~]# mkdir -p /nfsprotected/nfsproject
[root@server0 ~]# useradd ldapuser0
[root@server0 ~]# chown -R ldapuser0 /nfsprotected/nfsproject
[root@server0 ~]# ls -ldZ /nfsprotected/nfsproject/
drwxr-xr-x. ldapuser0 root unconfined_u:object_r:default_t:s0 /nfsprotected/nfsproject/
[root@server0 ~]#
[root@server0 ~]# semanage fcontext -a -t 'public_content_t' '/nfsprotected(/.*)?'
[root@server0 ~]# restorecon -Rv /nfsprotected/
restorecon reset /nfsprotected context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:public_content_t:s0
restorecon reset /nfsprotected/nfsproject context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:public_content_t:s0
[root@server0 ~]# systemctl restart nfs-server.service
[root@server0 ~]# systemctl restart nfs-secure-server.service
[root@server0 ~]#
[root@server0 ~]# vim /etc/exports
/nfspublic 172.25.0.0/24(ro,sync)
/nfsprotected 172.25.0.0/24(rw,sec=krb5p,sync)
[root@server0 ~]#
[root@server0 ~]# exportfs -avr
exporting 172.25.0.0/24:/nfsprotected
exporting 172.25.0.0/24:/nfspublic
[root@server0 ~]#
十、NFS挂载
- 在 desktop0 上挂载一个来自 server0.example.com 的共享,并符合下列要求:
- /nfspublic 挂载在下面的目录上 /mnt/nfsmount ;
- /nfsprotected 挂载在下面的目录上 /mnt/nfssecure 并使用安全的方式,密钥下载 URL:http://classroom.example.com/pub/keytabs/desktop0.keytab
- 用户 ldapuser0 能够在/mnt/nfssecure/nfsproject 上创建文件;
- 这些文件系统在系统启动时自动挂载。
解题:
[root@desktop0 ~]# mkdir -p /mnt/nfsmount
[root@desktop0 ~]# mkdir -p /mnt/nfssecure
root@desktop0 ~]# showmount -e 172.25.0.11
Export list for 172.25.0.11:
/nfsprotected 172.25.0.0/24
/nfspublic 172.25.0.0/24
[root@desktop0 ~]#
[root@desktop0 ~]# vim /etc/fstab
172.25.0.11:/nfspublic /mnt/nfsmount nfs defaults 0 0
[root@desktop0 ~]# mount -av
/mnt/nfsmount : successfully mounted
[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
[root@desktop0 ~]# systemctl enable nfs-secure
[root@desktop0 ~]# systemctl restart nfs-secure
[root@desktop0 ~]# vim /etc/fstab
172.25.0.11:/nfsprotected /mnt/nfssecure nfs defaults,vers=4.2,sec=krb5p,sync 0 0
(执行 lab nfskrb5 setup,开启ldap和keyboard服务可以挂载,考试时是在设置好这个环境的基础上进行)
[root@desktop0 ~]# mount -av
/ : ignored
/mnt/iscsi_storage : already mounted
/mnt/exam_devops : already mounted
/mnt/nfsmount : already mounted
[root@desktop0 ~]#
十一、配置web服务器
- 为 http://server0.example.com 配置 Web 服务器:
- 从 URL 地址 http://classroom.example.com/pub/materials/station.html 下载一个主页文件,并将该文件重命名为 index.html (此处请新建文件);
- 将文件 index.html 拷贝到您的 Web 服务器的 DocumentRoot 目录下;
- 不要对文件 index.html 的内容进行任何修改。
解题:
[root@server0 ~]# yum install http\* -y
[root@server0 ~]# systemctl enable httpd.service
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" service name="http" accept"
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# cd /etc/httpd/conf.d/
[root@server0 conf.d]# cat 1.conf
<VirtualHost *:80>
ServerName server0.example.com
DocumentRoot /var/www/html
</VirtualHost>
<Directory "/var/www/html">
AllowOverride None
Require all granted
</Directory>
[root@server0 conf.d]#
[root@server0 conf.d]# wget -O /var/www/html/index.html http://classroom.example.com/pub/materials/station.html (notfund表示系统环境没有该文件)
建立测试:
[root@server0 conf.d]# systemctl restart httpd.service
[root@server0 conf.d]# echo "test01">/var/www/html/index.html
[root@server0 conf.d]# curl http://server0.example.com
test01
[root@server0 conf.d]#
十二、WebTLS加密
- 为站点 http://server0.example.com 配置 TLS 加密:
- 一个已签名证书从 http://classroom.example.com/pub/tls/certs/server0.crt 获取;
- 此证书的密钥从 http://classroom.example.com/pub/tls/private/server0.key 获取;
- 此证书的签名授权信息从 http://classroom.example.com/pub/example-ca.crt 获取。
解题:
[root@server0 conf.d]# yum install mod_ssl -y
[root@server0 conf.d]# firewall-cmd --permanent --add-rich-rule " rule family="ipv4" source address="172.25.0.0/24" service name="https" accept"
success
[root@server0 conf.d]# firewall-cmd --reload
[root@server0 conf.d]# cp -a 1.conf 2.conf
[root@server0 conf.d]# cat 2.conf
<VirtualHost *:443>
ServerName server0.example.com
DocumentRoot /var/www/html
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/pki/tls/certs/server0.crt
SSLCertificateKeyFile /etc/pki/tls/private/server0.key
SSLCACertificateFile /etc/pki/tls/certs/example-ca.crt
</VirtualHost>
<Directory "/var/www/html">
AllowOverride None
Require all granted
</Directory>
[root@server0 conf.d]#
[root@server0 conf.d]# wget -O /etc/pki/tls/certs/server0.crt http://classroom.example.com/pub/tls/certs/server0.crt
[root@server0 conf.d]# wget -O /etc/pki/tls/private/server0.key http://classroom.example.com/pub/tls/private/server0.key
[root@server0 conf.d]# wget -O /etc/pki/tls/certs/example-ca.crt http://classroom.example.com/pub/example-
[root@server0 conf.d]# systemctl restart httpd.service
[root@server0 conf.d]# curl -k https://server0.example.com
test01
[root@server0 conf.d]#
十三、配置虚拟主机
- 在 server0 上扩展您的 web 服务器,为站点 http://www0.example.com 创建一个虚拟主机,然后执行下述步骤:
- 设置 DocumentRoot 为/var/www/website ;
- 从 http://classroom.example.com/pub/materials/www.html 下载文件并重命名为index.html (此处请新建文件);
- 不要对文件 index.html 的内容进行任何修改;
- 将文件 index.html 放到虚拟主机的 DocumentRoot 目录下 ;
- 确保 harris 用户能够在 /var/www/website 目录下创建文件;
- 从 server0 上,任何人都可以浏览 website 的内容,但是从其他系统不能访问这个目录的内容。
- 注意:原始站点 http://server0.example.com 必须仍然能够访问,名称服务器 example.com 提供对主机名 www0.example.com 的域名解析。
解题:
[root@server0 conf.d]# mkdir -p /var/www/website
[root@server0 conf.d]# wget -O /var/www/website/index.html http://classroom.example.com/pub/materials/www.html
[root@server0 conf.d]# cat 3.conf
<VirtualHost *:80>
ServerName www0.example.com
DocumentRoot /var/www/website
</VirtualHost>
<Directory "/var/www/website">
AllowOverride None
Require all denied
Require local
</Directory>
[root@server0 conf.d]#
创建测试:
[root@server0 conf.d]# echo "test03" > /var/www/website/index.html
[root@server0 conf.d]# setfacl -Rm u:harris:rwX /var/www/website/
[root@server0 conf.d]# systemctl restart httpd.service
[root@server0 conf.d]# curl http://www0.example.com
test03
[root@server0 conf.d]#
十四、web动态页面
- 在 server0 上配置提供动态 Web 内容,要求如下:
- 动态内容由名为 webapp0.example.com 的虚拟主机提供
- 虚拟主机侦听在端口 8998 ;
- 从 http://classroom.example.com/pub/materials/webinfo.wsgi 下载一个脚本,然后放在适当的位置,无论如何不要修改此文件的内容(文件此前已提供);
- 客户端访问 http://webapp0.example.com:8998 可接收到动态生成的 Web 页;
- 此 http://webapp0.example.com:8998 必须能被 example.com 域内的所有系统访问。
解题:
[root@server0 conf.d]# yum install -y mod_wsgi
[root@server0 conf.d]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port="8998" protocol="tcp" accept"
success
[root@server0 conf.d]# firewall-cmd --reload
success
[root@server0 conf.d]#
[root@server0 conf.d]# wget -O /var/www/html/webinfo.wsgi http://classroom.example.com/pub/materials/webinfo.wsgi
自行上传测试页面
[root@server0 conf.d]# semanage port -a -t http_port_t -p tcp 8998
[root@server0 conf.d]# systemctl restart httpd.service
[root@server0 conf.d]# curl http://server0.example.com:8998
UNIX EPOCH time is now: 1573692142.7
[root@desktop0 ~]# curl http://server0.example.com:8998
UNIX EPOCH time is now: 1573692148.15
[root@desktop0 ~]#
十五、编写shell脚本case
方法一:
[root@server0 ~]# touch foo.sh
[root@server0 ~]# chmod 755 foo.sh
#!/bin/bash
if [ $# -eq 1 ]; then
if [ $1 == "redhat" ]; then
echo "fedora"
exit 1
elif [ $1 == "fedora" ]; then
echo "redhat"
else
echo "/root/foo.sh redhat|fedora"
fi
else
echo "/root/foo.sh redhat|fedora"
fi
方法二:
#!/bin/bash
case $1 in
redhat)
echo "fedora"
;;
fedora)
echo "redhat"
;;
*)
echo "/root/foo.sh redhat|fedora"
esac
十六、编写shell脚本创建用户
[root@server0 ~]# touch batchusers
[root@server0 ~]# chmod 755 batchusers
[root@server0 ~]# touch userlist
[root@server0 ~]# echo user01 >userlist
#!/bin/bash
if [ $# -eq 1 ]; then
if [ -f "$1" ]; then
username=$( cat /root/userlist )
for uname in $username
do
useradd -s /bin/false $uname &>/dev/null
done
else
echo "Input file not found"
fi
else
echo "Usage: /root/batchusers userfile"
fi
十七、ISCSI服务器
- 配置 server0 提供一个 iSCSI 服务,目标段名为 iqn.2019-11.com.example:server0 ,并符合下列要求:
- 服务端口为 3260 ;
- 使用 iscsi_storage 作其后端卷,其大小为 2 GiB ;
- 此服务只能被 desktop0.example.com 访问。
解题:
server:
[root@server0 ~]# yum install targetcli -y
[root@server0 ~]# systemctl enable target
[root@server0 ~]# systemctl restart target
[root@server0 ~]# partprobe
[root@server0 ~]# pvcreate /dev/vdb1
Physical volume "/dev/vdb1" successfully created
[root@server0 ~]# vgcreate iscsi_vg /dev/vdb1
Volume group "iscsi_vg" successfully created
[root@server0 ~]# lvcreate -n iscsi_storage -l 100%VG iscsi_vg
Logical volume "iscsi_storage" created
[root@server0 ~]#
[root@server0 ~]# partprobe
[root@server0 ~]# targetcli
/> ls
o- / .................................................................. [...]
o- backstores ....................................................... [...]
| o- block ........................................... [Storage Objects: 1]
| | o- iscsi_storage [/dev/iscsi_vg/iscsi_storage (2.0GiB) write-thru activated]
| o- fileio .......................................... [Storage Objects: 0]
| o- pscsi ........................................... [Storage Objects: 0]
| o- ramdisk ......................................... [Storage Objects: 0]
o- iscsi ..................................................... [Targets: 1]
| o- iqn.2019-11.com.example:desktop0 ............................ [TPGs: 1]
| o- tpg1 ........................................ [no-gen-acls, no-auth]
| o- acls ................................................... [ACLs: 1]
| | o- iqn.2019-11.com.example:server0 ............... [Mapped LUNs: 1]
| | o- mapped_lun0 .................. [lun0 block/iscsi_storage (rw)]
| o- luns ................................................... [LUNs: 1]
| | o- lun0 ....... [block/iscsi_storage (/dev/iscsi_vg/iscsi_storage)]
| o- portals ............................................. [Portals: 1]
| o- 172.25.0.11:3260 .......................................... [OK]
o- loopback .................................................. [Targets: 0]
/>
/iscsi/iqn.20...:server0/tpg1> set attribute authentication=0
Parameter authentication is now '0'.
/iscsi/iqn.20...:server0/tpg1> set attribute generate_node_acls=0
/> saveconfig
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule "rule family="ipv4" source address="172.25.0.0/24" port port=3260 protocol="tcp" accept "
success
[root@server0 ~]# firewall-cmd --reload
success
十八、ISCSI客户端
- 配置 desktop0 使其能连接 server0 上提供的 iqn.2019-11.com.example:server0 ,并符合以下要求:
- 发起端名为 iqn.2019-11.com.example:server0 ;
- iSCSI 设备在系统启动的期间自动加载;
- 块设备 iSCSI 上包含一个大小为 1600 MiB 的分区,并格式化为 ext4 文件系统;
- 此分区挂载在 /mnt/iscsi_storage 上,同时在系统启动的期间自动挂载。
解题:
desktop:
[root@desktop0 ~]# systemctl enable iscsi iscsid
[root@desktop0 ~]# vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2019-11.com.example:desktop0
[root@desktop0 ~]# systemctl restart iscsi iscsid
[root@desktop0 ~]# iscsiadm -m discovery -t st -p 172.25.0.11
172.25.0.11:3260,1 iqn.2019-11.com.example:server0
[root@desktop0 ~]#
[root@desktop0 ~]# iscsiadm -m node -l
Logging in to [iface: default, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260] (multiple)
Login to [iface: default, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260] successful.
[root@desktop0 ~]#
[root@desktop0 ~]# fdisk /dev/sda
[root@desktop0 ~]# partprobe
[root@desktop0 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 2G 0 disk
└─sda1 8:1 0 1.6G 0 part
vda 253:0 0 10G 0 disk
└─vda1 253:1 0 10G 0 part /
vdb 253:16 0
[root@desktop0 ~]# mkdir -p /mnt/iscsi_storage
[root@desktop0 ~]# blkid
/dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs"
/dev/sda1: UUID="2689c309-c6c7-4785-8939-d8ac83e0d40c" TYPE="ext4"
[root@desktop0 ~]# vim /etc/fstab
UUID="2689c309-c6c7-4785-8939-d8ac83e0d40c" /mnt/iscsi_storage ext4 defaults,_netdev 0 0
[root@desktop0 ~]# mount -av
/ : ignored
mount: /mnt/iscsi_storage does not contain SELinux labels.
......
/mnt/iscsi_storage : successfully mounted
第一次需重启验证(严格按照下列顺序):
[root@desktop0 ~]# iscsiadm -m node -u
Logging out of session [sid: 1, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260]
Logout of [sid: 1, target: iqn.2019-11.com.example:server0, portal: 172.25.0.11,3260] successful.
[root@desktop0 ~]#
[root@desktop0 ~]# shutdown -h 0
[root@server0 ~]# reboot
开启client验证:
[root@desktop0 ~]# df -lh
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 10G 3.1G 7.0G 31% /
devtmpfs 906M 0 906M 0% /dev
tmpfs 921M 80K 921M 1% /dev/shm
tmpfs 921M 17M 904M 2% /run
tmpfs 921M 0 921M 0% /sys/fs/cgroup
/dev/sda1 1.6G 4.7M 1.5G 1% /mnt/iscsi_storage
[root@desktop0 ~]#
十九、mariadb安装与配置
- 在 server0 上创建一个 MariaDB 数据库,名为 Inventory,并符合以下条件:
- 数据库应该包含来自数据库复制的内容,复制文件的 URL 为:http://classroom.example.com/pub/materials/maradb.dump ;
- 数据库只能被 localhost 访问;
- 除了 root 用户,此数据库只能被用户 Lampard 查询,此用户密码为 123456 ;
- root 用户的密码为 123456 ,同时不允许空密码登陆。
[root@server0 ~]# yum groupinstall mariadb mariadb-client -y
[root@server0 ~]# wget http://classroom.example.com/pub/materials/maradb.dump
[root@server0 ~]# systemctl enable mariadb
[root@server0 ~]# systemctl restart mariadb
[root@server0 ~]# mysql_secure_installation
Set root password? [Y/n] y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] y
... Success!
Disallow root login remotely? [Y/n] y
... Success!
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
... Success!
[root@server0 ~]#
[root@server0 ~]# mysql -uroot -p123456
MariaDB [(none)]> create database Inventory;
MariaDB [Inventory]> grant select on Inventory.* to 'Lampard'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [Inventory]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
[root@server0 ~]# vim /etc/my.cnf
skip-networking=1
S[root@server0 ~]# systemctl restart mariadb
[root@server0 ~]#
二十、数据库查询
在系统 system1 上使用数据库 Contacts ,并使用相应的SQL 查询以回答下列问题:
- 密码是 tangerine 的人的名字?
- 有多少人的姓名是 John 同时居住在 Santa Clara ?
登录数据库,查看表和表结构
[root@system1 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 5.5.35-MariaDB MariaDB Server
Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Contacts |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
MariaDB [(none)]> USE Contacts;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [Contacts]> SHOW TABLES;
+--------------------+
| Tables_in_Contacts |
+--------------------+
| u_loc |
| u_name |
| u_passwd |
+--------------------+
3 rows in set (0.00 sec)
MariaDB [Contacts]> DESC u_loc;
+----------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+----------------+
| uid | int(11) | NO | PRI | NULL | auto_increment |
| location | varchar(50) | NO | | NULL | |
+----------+-------------+------+-----+---------+----------------+
2 rows in set (0.00 sec)
MariaDB [Contacts]> DESC u_name;
+-----------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+----------------+
| userid | int(11) | NO | PRI | NULL | auto_increment |
| firstname | varchar(50) | NO | | NULL | |
| lastname | varchar(50) | NO | | NULL | |
+-----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)
MariaDB [Contacts]> DESC u_passwd;
+----------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+----------------+
| uid | int(11) | NO | PRI | NULL | auto_increment |
| password | varchar(50) | NO | | NULL | |
+----------+-------------+------+-----+---------+----------------+
2 rows in set (0.00 sec)
第一问,只需要用到 u_name 和 u_passwd 表就可以
//嵌套子查询
MariaDB [Contacts]> SELECT firstname FROM u_name WHERE userid=(SELECT uid FROM u_passwd WHERE password = "tangerine");
+-----------+
| firstname |
+-----------+
| Georgexx |
+-----------+
1 row in set (0.00 sec)
//多表查询
MariaDB [Contacts]> select firstname from u_name,u_passwd where u_name.userid=u_passwd.uid and u_passwd.password='tangerine';
+-----------+
| firstname |
+-----------+
| Georgexx |
+-----------+
1 row in set (0.00 sec)
第二问,只需要用到 u_name 和 u_loc 表就可以
MariaDB [Contacts]> SELECT COUNT(*) FROM u_loc l,u_name n WHERE l.uid = n.userid and n.firstname = 'John' and l.location = 'Santa Clara';
+----------+
| COUNT(*) |
+----------+
| 4 |
+----------+
1 row in set (0.01 sec)