The Installation and Configuration section is the second part of the Red Hat exam. If you're taking the RHCT, you're allowed 2.0 hours; if you're taking the RHCE, you're allowed 3.0 hours to install and configure Red Hat Enterprise Linux. You may get partial credit on some of these problems. You'll have access to the Red Hat Enterprise Linux installation files through a network server (the Exam Prep guide specifies a network installation). Once Red Hat Enterprise Linux is installed, you'll also have access to the man pages as well as any other documentation that you may have installed.
If you're studying for the RHCT, you can limit your focus to the RHCT-level skills; if you're studying for the RHCE, you'll need to complete all RHCT- and RHCE-level skills, in the time allotted.
No specific techniques or commands are required. Any reasonable technique is allowed if it gets you to the objective. For example, if you need to limit access to a specific service, you can use iptables, /etc/hosts.deny, or even SELinux. As long as it does the job, the configuration can get you full credit for that part of the exam.
You may need to limit access to network servers to specific users or other computers. However, this is a certification exam. Do not expect to have physical access to any other computer to test your settings. You will not have access to any outside networks such as the Internet.
If you're going for your RHCT, you'll need a grade of at least 70 percent in the RHCT-level skills. If you're going for your RHCE, you'll need a score of 70 percent on both sections.
Read the entire Installation and Configuration exam before you finish installing RHEL. It's easier to configure RAID and logical volumes during the installation process. It can save time to install required servers during the installation process. And remember that you can start configuring RHEL through the CTRL-ALT-F2 console even while packages are being installed.
Most of you will find it difficult to complete this exercise within 3 hours. I've deliberately added extra difficulty to this second sample exam, which will hopefully ease your required effort during the actual RHCE exam. I've also split up this sample exam into RHCT- and RHCE-level skills for your convenience; it may not represent what you'll actually see on the exam. (I'm not allowed to tell you about it.)
If you're preparing for the RHCT exam, you can ignore the RHCE issues. If you're preparing for the RHCE exam, you'll have to meet all requirements in this section. Remember that the RHCE is inclusive of the RHCT.
Once you've mastered the skills in this book, try other variations. Practice with different scenarios until you become comfortable with the scenarios described in this book, as well as in the Red Hat Exam Prep guide.
Install Red Hat Enterprise Linux. The following conditions specify a connection to network servers, configured with some very specific partitions. Assume this computer gets its IP addressing information from a DHCP server. Let users start at a virtual console.
Install Linux with the partitions shown in Table B-1. The sizes shown are minimums. Make sure that the /home directory is configured in a RAID 5 software array with no spare partitions. Leave 1000MB of free, unallocated space on the hard drive. If your system has less available hard drive space, some adjustments may be possible, such as reducing the amount of space allocated to / and /usr to 2000MB each.
Once RHEL is installed, you'll also want to configure the following:
A connection to a local printer
Active networking only during working hours (8:00 A.M. to 5:00 P.M.)
An NIS client, on the biglan NIS domain
The automounter, configured to read the CD on the /misc/cd directory
Support for IP forwarding, as this computer may be a router in the future
Installation of the system-config-boot RPM
A Linux kernel, upgraded to the latest requirements
Configure a cross-functional group of users: avionics, vendor, seats, and galleys. Set them up as a group named pcplane. Create a /home/pcplane directory and allow them to share files without having to change permissions or ownership on any file they put in this directory. Do not give vendor read privileges on this directory. Limit each of these users to 100MB of files in this directory. Make it possible to create ACLs on the /home directory partition. Configure secret.doc (with a user and group owner of galleys) in /home/galleys with ACLs that allow user michael read-write access.
Set up appropriate partitions as a RAID 1 array (with one spare partition), dedicated to the /home/pcplane directory. While you could do this during the installation process, do so after installation, for the purpose of this exercise.
In this part of the exam, you'll configure a number of different servers on the RHEL system. Assume this computer is on a gateway between your LAN and an external network such as the Internet. Based on the configuration shown in Table B-1, set up /var on an LVM array.
Set up both a regular and a secure Web server. Make sure the home pages for each server are different. Limit access to within the LAN only, and to the users avionics, seats, and galleys. Create and activate a Web proxy server. Configure a Samba server that allows users to access their home directories from remote computers on the LAN. Create an NFS share, with full privileges, on your /tmp directory. Make sure SELinux settings support access to this share.
Set up an FTP server that supports only anonymous access, even from outside your LAN. Configure sendmail to support access from within the LAN; do not require address confirmation from a DNS server. Configure an incoming e-mail service that supports regular, non-secure IMAP4 connections. Activate the Secure Shell service, and allow access from inside and outside the LAN. Do not allow direct root logins through the Secure Shell connection.
Edit the Kickstart file that is created; set it up to be usable for other computers with an identical hardware configuration. The Kickstart file should also support the creation of the same partitions.
Since you can set up a Red Hat Enterprise Linux configuration in several ways, there is no one right answer for the listed requirements. But you should remember a few general concepts. It's normally fastest to include packages during the installation process. It's easiest (and generally faster) to set up RAID arrays and LVM groups during the installation process. Make sure that the services you set up are active at the appropriate runlevels.
You can set up DHCP addressing through the Red Hat installation program or in /etc/sysconfig/network. You'll also want to allow incoming connections to your SSH and FTP servers. You can do this with the Security Level Configuration tool, commands in /etc/hosts.allow and /etc/hosts.deny, directives in service-level configuration files, or even with appropriate iptables commands.
You can connect to a local printer by editing the files in /etc/cups or using the Printer Configuration utility. You can limit networking to working hours using appropriate cron jobs, stored in the /etc/cron.daily directory. Setting up an NIS client means activating the ypbind daemon and using domainname to designate the biglan NIS domain, or you can use the Authentication Configuration tool. Also, activate the SELinux allow_ypbind (Allow Daemons To Run With NIS) setting. Before the automounter works, you have to activate the autofs service as well as the appropriate commands in /etc/auto.master and /etc/auto.misc.
To support IP forwarding, you'll need to set the net.ipv4.ip_forward variable in /etc/sysctl.conf and activate it in the /proc/sys/net/ipv4/ip_forward file. You can install the RPMs of your choice, including system-config-boot, with the appropriate rpm -ivh packagename command; if there are dependencies, and you're connected to an appropriate repository, you can use the yum install packagename command. When you upgrade the Linux kernel, however, you should install it with rpm -i just in case the new kernel doesn't work. When you set up users in a special directory, don't forget to set up the directory with the SGID bit.
To make the /home directory work with quotas and ACLs, you'll need to add the usrquota and acl options to the associated directive in /etc/fstab. Before you can configure quotas, you'll need to remount /home with at least the usrquota and acl settings. To give user michael read-write permissions to secret.doc in /home/galleys, set appropriate permissions on /home/galleys:
# chmod 701 /home/galleys/
and set appropriate permissions on /home/galleys/secret.doc:
# setfacl -m user:michael:rw- /home/galleys/secret.doc
Now that quotas are set, create appropriate quota configuration files with quotacheck -cuvm (or reboot), and then activate quotas with quotaon. You can then add quotas on a username with the edquota username command.
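One way to confirm the /etc/fstab step before remounting, as an added example that is not from the book: the function below reports which required mount options an entry lacks. The function name, the sample fstab and its device names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a mount point's fstab entry carries required options.

# fstab_missing_opts FILE MOUNTPOINT OPTION...
# Prints the required options absent from MOUNTPOINT's entry (space separated),
# an empty line if none are missing, or "no-entry" if MOUNTPOINT is not listed.
fstab_missing_opts() {
    file=$1; mp=$2; shift 2
    awk -v mp="$mp" -v want="$*" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $2 == mp { found = 1; opts = $4 }      # if listed twice, check the last
        END {
            if (!found) { print "no-entry"; exit }
            n = split(opts, have, ",")
            m = split(want, need, " ")
            out = ""
            for (i = 1; i <= m; i++) {
                ok = 0
                # exact match per option, so "noacl" never counts as "acl"
                for (j = 1; j <= n; j++) if (have[j] == need[i]) ok = 1
                sep = (out == "") ? "" : " "
                if (!ok) out = out sep need[i]
            }
            print out
        }' "$file"
}

# Constructed sample fstab (device names are assumptions, not from the book).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# device    mountpoint     type  options            dump pass
/dev/md1    /home          ext3  defaults,usrquota  1 2
/dev/md0    /home/pcplane  ext3  defaults,noacl     1 2
EOF

for dir in /home /home/pcplane; do
    missing=$(fstab_missing_opts "$sample" "$dir" usrquota acl)
    echo "$dir: missing options: ${missing:-none}"
done
rm -f "$sample"
```

Point it at the real /etc/fstab once the entry is edited; an empty result means both options are present.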
If you're setting up a RAID array after installation, you'll first need to configure appropriate partitions using fdisk or parted, and then collect them into an array with the right mdadm command. Remember that a RAID 1 array requires two partitions, and one spare is specified in the exam requirements (for a total of three RAID partitions). To make sure the configuration takes after you reboot, you'll need to configure the RAID array device, such as /dev/md0, with the specified directory, /home/pcplane, in the /etc/fstab configuration file.
Remember to set up a regular Web server in /etc/httpd/conf/httpd.conf and a secure Web server in /etc/httpd/conf.d/ssl.conf. You can set up index.html home pages in the appropriate DocumentRoot directories; plain text in these files is sufficient. To limit access to specific users, you'll want to set up a group with the htpasswd command and add the group name to the appropriate configuration file with the AuthUserFile command.
The Squid Web Proxy server is straightforward; it requires configuration of three commands in your /etc/squid/squid.conf file: visible_hostname, http_access, and acl. The default Samba server configuration already allows user access to their home directories, but you'll need to add passwords with the smbpasswd -a username command. But this won't work until you enable the Allow Samba To Share Users Home Directories option using the SELinux Management tool (or the corresponding setsebool -P samba_enable_home_dirs 1 command). You can set up an NFS share through /etc/exports or the NFS Server Configuration tool and the appropriate commands.
The vsFTP server already allows only anonymous access by default. To configure sendmail to support access within the LAN, you need to comment out the command in sendmail.mc that limits access to the local computer; it's well commented. Similarly, the command that allows connections to domain names unverified by DNS is active by default and need not be changed. The standard e-mail service for RHEL 5 that supports incoming connections is Dovecot. You can configure it in /etc/dovecot.conf. If you want to limit the protocols to IMAP4 connections, use the protocols directive; a helpful sample is included in the default version of this file. To activate the Secure Shell service (sshd), as well as the others, use the service command (or run the script from the /etc/init.d directory). For a hint on how to limit access to non-root users, look up the PermitRootLogin directive in the man page for sshd_config.
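The root-login requirement can be confirmed from the configuration file itself; the following is an added example, not from the book. It reads only whitespace-separated keyword/value lines, treats the first occurrence of a keyword as the one in effect (sshd uses the first value it obtains), stops at a Match line if there is one, and runs against constructed sample files; the function names are assumptions.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value in effect in an sshd_config file.

# effective_root_login FILE
# Prints the value from the global section of FILE, or "unset" when the
# directive is absent or only present as a comment.
effective_root_login() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "permitrootlogin" {       # keywords ignore case
            print $2; found = 1; exit            # first value obtained wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE: succeeds only on an explicit "PermitRootLogin no".
root_login_disabled() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed sample files (contents are assumptions, not from the book).
dir=$(mktemp -d)
printf '%s\n' 'Protocol 2' '#PermitRootLogin yes' > "$dir/commented"
printf '%s\n' 'PermitRootLogin no' 'PermitRootLogin yes' > "$dir/first_wins"
printf '%s\n' 'permitrootlogin yes' 'PermitRootLogin no' > "$dir/too_late"

for f in commented first_wins too_late; do
    if root_login_disabled "$dir/$f"; then verdict=PASS; else verdict=FAIL; fi
    echo "$f: PermitRootLogin=$(effective_root_login "$dir/$f") $verdict"
done
rm -rf "$dir"
```

A file that only carries the commented-out line fails the check, because a comment leaves the directive unset instead of setting it to no.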
Make sure the SELinux booleans are compatible with these settings. If you use non-standard directories, you may have to apply the chcon command to make sure these directories have the same SELinux labels as the default directories. The SELinux Management Tool can help give access to appropriate services, as well as options such as home directory access.
A default, partially disabled Kickstart file is available in the /root/anaconda-ks.cfg file. Once you've activated the partition command and saved it as ks.cfg, you can use it to install RHEL on other computers with a nearly identical hardware configuration. If you've saved it on a floppy, you can cite it at the installation boot prompt with the linux ks=hd:fd0:/ks.cfg command or on the local CD with the linux ks=cdrom:/ks.cfg command.