Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Oracle Linux 7: Advanced Administration
Activity Guide Volume I
D90758GC10
Edition 1.0 | September 2015 | D92967

Learn more from Oracle University at oracle.com/education/

Copyright 2015, Oracle and/or its affiliates. All rights reserved.


Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization
of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted
by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Author
Craig McBride

Technical Contributors and Reviewers
Haraldo Van Breederode, Joel Goodman, Manish Kapur, Yasar Akthar, Antoinette O'Sullivan,
Gavin Bowe, Steve Miller, Herbert Van Den Bergh, Avi Miller, Elena Zannoni, Wim Coekaerts,
Todd Vierling and John Haxby

This book was published using: Oracle Tutor

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.


Table of Contents
Practices for Lesson 1: Course Introduction ........................................................................................... 1-1
Course Practice Environment: Security Credentials.................................................................................. 1-2
Practices for Lesson 1: Overview............................................................................................................. 1-3
Practice 1-1: Exploring the dom0 Environment ......................................................................................... 1-4
Practice 1-2: Starting, Stopping, and Listing VM Guests ........................................................................... 1-11
Practice 1-3: Exploring the host01 VM ..................................................................................................... 1-13
Practice 1-4: Exploring the host02 VM ..................................................................................................... 1-17
Practice 1-5: Exploring the host03 VM ..................................................................................................... 1-20
Practice 1-6: Logging Off from Your Student PC ...................................................................................... 1-22
Practices for Lesson 2: Network Addressing and Name Services .......................................................... 2-1
Practices for Lesson 2: Overview............................................................................................................. 2-2
Practice 2-1: Configuring a DHCP Server................................................................................................. 2-3
Practice 2-2: Configuring a DHCP Client .................................................................................................. 2-6
Practice 2-3: Viewing and Testing the DNS Configuration......................................................................... 2-9
Practice 2-4: Configuring a Caching-Only Nameserver ............................................................................. 2-16

Practices for Lesson 3: Authentication and Directory Services ............................................................ 3-1
Practices for Lesson 3: Overview............................................................................................................. 3-2
Practice 3-1: Configuring an OpenLDAP Server ....................................................................................... 3-3
Practice 3-2: Implementing OpenLDAP Authentication ............................................................................. 3-21
Practice 3-3: Authenticating from an OpenLDAP Client ............................................................................ 3-26
Practices for Lesson 4: Pluggable Authentication Modules (PAM) ........................................................ 4-1
Practices for Lesson 4: Overview............................................................................................................. 4-2
Practice 4-1: Configuring PAM for a Single Login Session ........................................................................ 4-3
Practice 4-2: Configuring PAM to Prevent Non-root Login ......................................................................... 4-8
Practices for Lesson 5: Web and Email Services ..................................................................................... 5-1
Practices for Lesson 5: Overview............................................................................................................. 5-2
Practice 5-1: Configuring the Apache Web Server .................................................................................... 5-3
Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart...................................................... 6-1
Practices for Lesson 6: Overview............................................................................................................. 6-2
Practice 6-1: Performing a Kickstart Installation........................................................................................ 6-3
Practice 6-2: Using Rescue Mode............................................................................................................ 6-14
Practices for Lesson 7: Samba Services.................................................................................................. 7-1
Practices for Lesson 7: Overview............................................................................................................. 7-2
Practice 7-1: Configuring a Samba Server ............................................................................................... 7-3
Practice 7-2: Accessing Samba Shares from a Client Host ....................................................................... 7-8
Practice 7-3: Accessing a Linux Samba Share from a Windows System ................................................... 7-12
Practices for Lesson 8: Advanced Software Package Management........................................................ 8-1
Practices for Lesson 8: Overview............................................................................................................. 8-2
Practice 8-1: Exploring the host04 VM ..................................................................................................... 8-3
Practice 8-2: Managing Yum Plug-Ins ...................................................................................................... 8-9
Practice 8-3: Using Yum Utilities .............................................................................................................. 8-16
Practice 8-4: Creating an RPM Package .................................................................................................. 8-22
Practice 8-5: Managing Software Updates with PackageKit ...................................................................... 8-31
Practice 8-6: Working with Yum History and Yum Cache .......................................................................... 8-39
Practices for Lesson 9: Advanced Storage Administration ..................................................................... 9-1

Practices for Lesson 9: Overview............................................................................................................. 9-2


Practice 9-1: Creating and Mounting a File System .................................................................................. 9-3
Practice 9-2: Implementing Access Control Lists ...................................................................................... 9-6
Practice 9-3: Setting Disk Quotas ............................................................................................................ 9-9
Practice 9-4: Encrypting a File System ..................................................................................................... 9-13
Practice 9-5: Using kpartx ....................................................................................................................... 9-16
Practice 9-6: Exploring and Configuring Udev .......................................................................................... 9-20
Practices for Lesson 10: Advanced Networking ...................................................................................... 10-1
Practices for Lesson 10: Overview ........................................................................................................... 10-2
Practice 10-1: Configuring Network Bonding by Using the GUI ................................................................. 10-3
Practice 10-2: Configuring Network Bonding from the Command Line....................................................... 10-21
Practice 10-3: Working with Bonded Interfaces ........................................................................................ 10-26
Practice 10-4: Configuring 802.1Q VLAN Tagging by Using the GUI ......................................................... 10-37
Practice 10-5: Configuring 802.1Q VLAN Tagging from the Command Line .............................................. 10-46
Practice 10-6: Working with VLAN Interfaces ........................................................................................... 10-49
Practice 10-7: Configuring a Site-to-Site VPN .......................................................................................... 10-58

Practices for Lesson 11: OCFS2 and Oracle Clusterware........................................................................ 11-1
Practices for Lesson 11: Overview ........................................................................................................... 11-2
Practice 11-1: Preparing for an OCFS2 Configuration............................................................................... 11-3
Practice 11-2: Verifying that the Required Software Is Installed ................................................................ 11-9
Practice 11-3: Configuring the Cluster Layout .......................................................................................... 11-10
Practice 11-4: Configuring and Starting the O2CB Cluster Stack Service .................................................. 11-14
Practice 11-5: Creating an OCFS2 Volume .............................................................................................. 11-17
Practice 11-6: Mounting an OCFS2 Volume ............................................................................................. 11-21
Practice 11-7: Tuning and Debugging OCFS2.......................................................................................... 11-26
Practices for Lesson 12: iSCSI and Multipathing ..................................................................................... 12-1
Practices for Lesson 12: Overview ........................................................................................................... 12-2
Practice 12-1: Configuring an iSCSI Server (Target) ................................................................................. 12-3
Practice 12-2: Configuring an iSCSI Client (Initiator)................................................................................. 12-14
Practice 12-3: Configuring iSCSI Multipathing .......................................................................................... 12-21
Practices for Lesson 13: Control Groups (Cgroups)................................................................................ 13-1
Practices for Lesson 13: Overview........................................................................................................... 13-2
Practice 13-1: Exploring cgroup Integration Into systemd.......................................................................... 13-3


Practice 13-2: Exploring cgroup Hierarchies and cgroup Subsystem Parameters ...................................... 13-10
Practice 13-3: Controlling Access to System Resources ........................................................................... 13-15
Practices for Lesson 14: Virtualization with Linux................................................................................... 14-1
Practices for Lesson 14: Overview ........................................................................................................... 14-2
Practice 14-1: Preparing the Virtualization Host for KVM .......................................................................... 14-3
Practice 14-2: Starting the Virtual Machine Manager and Preparing to Create a Virtual Machine................ 14-9
Practice 14-3: Creating a Virtual Machine ................................................................................................ 14-22
Practice 14-4: Managing Your Virtual Machine ......................................................................................... 14-36
Practices for Lesson 15: Linux Containers (LXC) .................................................................................... 15-1
Practices for Lesson 15: Overview ........................................................................................................... 15-2
Practice 15-1: Completing Linux Container Prerequisites.......................................................................... 15-3
Practice 15-2: Creating an Oracle Linux Container ................................................................................... 15-7
Practice 15-3: Using lxc Commands ........................................................................................................ 15-11
Practices for Lesson 16: Docker .............................................................................................................. 16-1
Practices for Lesson 16: Overview ........................................................................................................... 16-2

Practice 16-1: Using sftp to Upload Docker Package and Images ............................................................. 16-3
Practice 16-2: Installing and Configuring Docker ...................................................................................... 16-5
Practice 16-3: Using Docker Commands.................................................................................................. 16-9
Practice for Lesson 17: Security Enhanced Linux (SELinux) .................................................................. 17-1
Practice for Lesson 17: Overview ............................................................................................................ 17-2
Practice 17-1: Exploring SELinux............................................................................................................. 17-3
Practice 17-2: Configuring an SELinux Boolean ....................................................................................... 17-11
Practice 17-3: Configuring SELinux Context ............................................................................................. 17-15
Practices for Lesson 18: Core Dump Analysis......................................................................................... 18-1
Practices for Lesson 18: Overview ........................................................................................................... 18-2
Practice 18-1: Configuring Kdump ........................................................................................................... 18-3
Practice 18-2: Creating a Core Dump File ................................................................................................ 18-12
Practice 18-3: Preparing Your System to Analyze the vmcore................................................................... 18-14
Practice 18-4: Using the crash Utility........................................................................................................ 18-16
Practices for Lesson 19: Dynamic Tracing with DTrace .......................................................................... 19-1
Practices for Lesson 19: Overview ........................................................................................................... 19-2
Practice 19-1: Using sftp to Upload DTrace Packages .............................................................................. 19-3
Practice 19-2: Installing the DTrace Packages ......................................................................................... 19-8
Practice 19-3: Using DTrace from the Command Line .............................................................................. 19-12
Practice 19-4: Creating and Running D Scripts......................................................................................... 19-20

Appendix - NIS Configuration................................................................................................................... 20-1
Appendix - Overview ............................................................................................................................... 20-2
Practice A-1: Configuring an NIS Server .................................................................................................. 20-3
Practice A-2: Configuring an NIS Client.................................................................................................... 20-9
Practice A-3: Implementing NIS Authentication ........................................................................................ 20-11
Practice A-4: Testing NIS Authentication.................................................................................................. 20-15
Practice A-5: Auto-Mounting a User Home Directory ................................................................................ 20-17
Practice A-6: Restoring Systems to Their Original State............................................................................ 20-20
Appendixes: Remote Access Options...................................................................................................... 21-1
Appendixes: Overview............................................................................................................................. 21-2
Appendix A: Using an NX Client to Connect to dom0................................................................................ 21-3
Appendix B: Using an NX Player to Connect to dom0............................................................................... 21-7
Appendix C: Using VNC (TightVNC) to Connect Directly to VM Guests ..................................................... 21-13
Appendix D: Using NoMachine Version 4 to Connect to dom0 .................................................................. 21-16



Practices for Lesson 1: Course Introduction
Chapter 1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 1

Course Practice Environment: Security Credentials


For OS usernames and passwords, see the following:

If you are attending a classroom-based or live virtual class, ask your instructor or LVC
producer for OS credential information.

If you are using a self-study format, refer to the communication that you received from
Oracle University for this course.

For product-specific credentials used in this course, see the following table:
Product-Specific Credentials

Virtual Machines/Application    Username    Password
host01/OS                       root        oracle
host01/OS                       oracle      oracle
host02/OS                       root        oracle
host02/OS                       oracle      oracle
host03/OS                       root        oracle
host03/OS                       oracle      oracle


Practices for Lesson 1: Overview


Practices Overview
In these practices, you will:
- Log in to your classroom PC and become familiar with the Oracle VM Server for x86
  environment installed on your classroom PC
- Connect to the virtual machines used for the hands-on practices and become familiar
  with the VM guest configurations



Practice 1-1: Exploring the dom0 Environment


Overview


In this practice, you explore the dom0 configuration and directory structure.

Assumptions
- Your instructor has assigned a student PC to you.
- Your student PC is running Oracle VM Server for x86 version 3.2.1.
- You are logged in to your student PC as vncuser with the password vnctech.
- The GNOME desktop is installed on dom0.
- There are three guests (virtual machines): host01, host02, and host03.
- All guest VMs have Oracle Linux 7 installed.

Tasks
1. Open a terminal window.
   Begin this task from the dom0 GNOME virtual desktop window as shown in the
   following screenshot:

   [Screenshot: dom0 GNOME virtual desktop window]

   Double-click the Terminal icon on the GNOME desktop.
   A terminal window opens.


2. Become the root user.
   Enter the commands from an open terminal window as shown in the following
   screenshot:

   [Screenshot: terminal window on dom0]

   Become the root user by using the su - command. The root password is oracle.
   Confirm that you are root by printing the user identity with the whoami command:
   $ su -
   Password: oracle
   # whoami
   root
3. Determine the operating system that is running on dom0.
   Use the uname -a command to display the operating system version.
   # uname -a
   Linux edddr20p1 2.6.39-300.22.2.el5uek #1 SMP Fri Jan 4 12:40:29
   PST 2013 x86_64 x86_64 x86_64 GNU/Linux
   In this example, the operating system is Linux.
   The Linux kernel is 2.6.39-300.22.2.el5uek.
   The host name is edddr20p1. (Your host name is different.)


4. Determine the network configuration of dom0.
   Use the ifconfig -a command to display the network configuration. Only partial output is
   shown.
   # ifconfig -a
   ...
   bond0     Link encap:Ethernet ...
             inet addr:10.150.30.83 ...
   ...
   eth0      Link encap:Ethernet ...
   ...
   lo        Link encap:Local Loopback ...
             inet addr:127.0.0.1 ...
   ...
   vif...    Link encap:Ethernet ...
   ...
   virbr0    Link encap:Ethernet ...
             inet addr:192.0.2.1 ...
   ...
   virbr1    Link encap:Ethernet ...
             inet addr:192.168.1.1 ...
   ...
   virbr2    Link encap:Ethernet ...
             inet addr:192.168.2.1 ...
   ...
   virbr3    Link encap:Ethernet ...
             inet addr:192.168.3.1 ...
   ...
   In this example, the network interface for dom0 is bond0 and is assigned an IP
   address of 10.150.30.83. The IP address of your system is different.
   The lo interface is a software loopback interface that identifies the localhost. It is
   always assigned an IP address of 127.0.0.1.
   The virbr0 interface is a xen bridge interface used by VM guests. It is assigned
   an IP address of 192.0.2.1.
   The virbr1 interface is a second xen bridge interface used by VM guests. It is
   assigned an IP address of 192.168.1.1.
   The virbr2 interface is a third xen bridge interface used by VM guests. It is
   assigned an IP address of 192.168.2.1.
   The virbr3 interface is a fourth xen bridge interface used by VM guests. It is
   assigned an IP address of 192.168.3.1.
   You also notice vif<#>.<#> entries. These are virtual interfaces that are tied to
   the VM/domU IDs. You can get the VM/domU IDs from the xm list command,
   which you run later in this practice.

5. Explore the /OVS directory structure on dom0.
   a. Explore the top level of the /OVS directory. (Only partial output is shown.)
      # ls -l /OVS
      drwxrwxrwx ... iso_pool
      drwxrwxrwx ... publish_pool
      drwxrwxrwx ... running_pool
      drwxrwxrwx ... seed_pool
      drwxrwxrwx ... sharedDisk
      There are five directories in the /OVS directory.

   b. Explore the /OVS/running_pool directory:
      # cd /OVS/running_pool
      # ls -l
      drwxr-xr-x ... host01
      drwxr-xr-x ... host02
      drwxr-xr-x ... host03
      drwxr-xr-x ... host04
      drwxr-xr-x ... host05
      drwxr-xr-x ... vpn-host1
      drwxr-xr-x ... vpn-host2
      The files needed to create the VMs are in separate directories in the
      /OVS/running_pool directory.
      This example shows that seven VM directories exist, for VMs host01, host02,
      host03, host04, host05, vpn-host1, and vpn-host2.
      The host04 VM is preconfigured with access to Oracle's Public Yum Server. This
      VM is used in Practices for Lesson 8: Advanced Software Package Management.
      The host05 VM has the virtualization package groups installed. This VM is used in
      Practices for Lesson 14: Virtualization with Linux.
      The vpn VMs are used in Practice 10-7: Configuring a Site-to-Site Virtual Private
      Network (VPN).

   c. Explore the host01 VM directory.
      # cd /OVS/running_pool/host01
      # ls -l
      -rw-r--r-- ... system.img
      -rw-r--r-- ... u01.img
      -rw-r--r-- ... u02.img
      -rwxr-xr-x ... vm.cfg
      The system.img file is the operating system virtual disk.
      The u01.img and u02.img files are utility virtual disks that are used in various
      practices in this course.
      The vm.cfg file is the configuration file for the virtual machine. This file is read
      when the virtual machine is created.

   d. View the vm.cfg file.
      # cat vm.cfg
      name = 'host01'
      builder = 'hvm'
      memory = 1536
      boot = 'cd'
      disk = ['file:/OVS/running_pool/host01/system.img,xvda,w',
      'file:/OVS/running_pool/host01/u01.img,xvdb,w',
      'file:/OVS/running_pool/host01/u02.img,xvdd,w',
      'file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64-dvd.iso,xvdc:cdrom,r']
      vif = ['mac=00:16:3e:00:01:01, bridge=virbr0',
      'mac=00:16:3e:00:02:01, bridge=virbr1',
      'mac=00:16:3e:00:03:01, bridge=virbr2',
      'mac=00:16:3e:00:04:01, bridge=virbr3']
      device_model = '/usr/lib/xen/bin/qemu-dm'
      kernel = '/usr/lib/xen/boot/hvmloader'
      vnc = 1
      vncunused=1
      vcpus = 1
      timer_mode = 0
      apic = 1
      acpi = 1
      pae = 1
      serial = 'pty'
      on_reboot = 'restart'
      on_crash = 'restart'
      usb = 1
      usbdevice = 'tablet'
      Note that there are three virtual disks represented by the three .img files.
      Note that the Oracle Linux dvd.iso is mounted on a virtual CD-ROM device.
      Note that there are four virtual network interfaces. The interface on the virbr0
      bridge is eth0, the interface on the virbr1 bridge is eth1, the interface on the
      virbr2 bridge is eth3, and the interface on the virbr3 bridge is eth4.
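The disk and vif lists in vm.cfg are what tie a guest to its virtual disks and to the virbr bridges seen in step 4. The following added Python example (not part of the course material) parses a vm.cfg without executing it and checks the points noted above: the ISO is attached read-only on the virtual CD-ROM device, no guest disk device or bridge is reused, and every vif MAC is unique and carries the Xen OUI 00:16:3e. The configuration text is constructed from the host01 vm.cfg shown in this step.

```python
import ast

# Constructed sample: the host01 vm.cfg from step 5d (abridged), written with
# the Python-style quoting that a real Xen xm configuration file uses.
HOST01_VM_CFG = """\
name = 'host01'
builder = 'hvm'
memory = 1536
boot = 'cd'
disk = ['file:/OVS/running_pool/host01/system.img,xvda,w',
'file:/OVS/running_pool/host01/u01.img,xvdb,w',
'file:/OVS/running_pool/host01/u02.img,xvdd,w',
'file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64-dvd.iso,xvdc:cdrom,r']
vif = ['mac=00:16:3e:00:01:01, bridge=virbr0',
'mac=00:16:3e:00:02:01, bridge=virbr1',
'mac=00:16:3e:00:03:01, bridge=virbr2',
'mac=00:16:3e:00:04:01, bridge=virbr3']
device_model = '/usr/lib/xen/bin/qemu-dm'
kernel = '/usr/lib/xen/boot/hvmloader'
vnc = 1
vncunused=1
vcpus = 1
on_reboot = 'restart'
on_crash = 'restart'
usbdevice = 'tablet'
"""

XEN_OUI = "00:16:3e"  # MAC prefix Xen reserves for virtual interfaces


def parse_vm_cfg(text):
    """Parse an xm-style vm.cfg into a dict without executing it.

    The file is Python syntax, but exec() would run whatever the file
    contains, so each value goes through ast.literal_eval instead, after
    continuation lines are joined until the list brackets balance.
    """
    cfg, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count("[") > pending.count("]"):
            continue  # list continues on the next line
        key, sep, value = pending.partition("=")
        if not sep:
            raise ValueError(f"not an assignment: {pending!r}")
        cfg[key.strip()] = ast.literal_eval(value.strip())
        pending = ""
    if pending:
        raise ValueError("unterminated list in vm.cfg")
    return cfg


def parse_disks(cfg):
    """Split each 'backend,device,mode' disk entry into a dict."""
    disks = []
    for entry in cfg.get("disk", []):
        backend, device, mode = (p.strip() for p in entry.split(","))
        disks.append({"backend": backend, "device": device, "mode": mode})
    return disks


def parse_vifs(cfg):
    """Split each 'mac=..., bridge=...' vif entry into a dict."""
    return [dict(p.strip().split("=", 1) for p in entry.split(","))
            for entry in cfg.get("vif", [])]


def check_vm_cfg(cfg):
    """Return findings where the config departs from the layout in step 5d.

    Empty means: the ISO is read-only on the CD-ROM device, no guest disk
    device or bridge is reused, and every vif MAC is unique and in XEN_OUI.
    """
    findings = []
    disks, vifs = parse_disks(cfg), parse_vifs(cfg)
    for d in disks:
        if d["device"].endswith(":cdrom") and d["mode"] != "r":
            findings.append(f"CD-ROM {d['backend']} attached with mode {d['mode']}")
    devices = [d["device"].split(":")[0] for d in disks]
    if len(set(devices)) != len(devices):
        findings.append(f"duplicate guest disk devices: {devices}")
    macs = [v.get("mac", "").lower() for v in vifs]
    for mac in macs:
        if not mac.startswith(XEN_OUI):
            findings.append(f"vif MAC {mac} is outside the Xen OUI {XEN_OUI}")
    if len(set(macs)) != len(macs):
        findings.append(f"duplicate vif MAC addresses: {macs}")
    bridges = [v.get("bridge") for v in vifs]
    if len(set(bridges)) != len(bridges):
        findings.append(f"bridge attached more than once: {bridges}")
    return findings


if __name__ == "__main__":
    cfg = parse_vm_cfg(HOST01_VM_CFG)
    print(parse_disks(cfg), parse_vifs(cfg), check_vm_cfg(cfg), sep="\n")
```

Run it against /OVS/running_pool/host01/vm.cfg on dom0 by reading the file into parse_vm_cfg instead of the constructed sample; a non-empty findings list points at a line that no longer matches the layout described in this step.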

   e. Explore the /OVS/sharedDisk directory:
      # cd /OVS/sharedDisk
      # ls -l
      -rw-r--r-- ... physDisk1.img
      The physDisk1.img file is used as a shared disk (shared by all VM guests) in
      Practices for Lesson 11: OCFS2 and Oracle Clusterware.


   f. Explore the /OVS/seed_pool directory:
      # cd /OVS/seed_pool
      # ls -l
drwxr-xr-x ... debug
drwxr-xr-x ... dtrace_rpms
drwxr-xr-x ... host07
-rw-r--r-- ... OracleLinux-R7-U1-Server-x86_64-dvd.iso
-rw-r--r-- ... physDisk1.tgz
drwxr-xr-x ... sfws
-rw-r--r-- ... system01.tgz
-rw-r--r-- ... system02.tgz
-rw-r--r-- ... system03.tgz
-rw-r--r-- ... system04.tgz
-rw-r--r-- ... system05.tgz
-rw-r--r-- ... u01_01.tgz
-rw-r--r-- ... u01_03.tgz
-rw-r--r-- ... u02_01.tgz
-rw-r--r-- ... u02_02.tgz
-rw-r--r-- ... u02_03.tgz
-rw-r--r-- ... u03_02.tgz
-rwxr-xr-x ... vm01.cfg
-rwxr-xr-x ... vm02.cfg
-rwxr-xr-x ... vm03.cfg
-rwxr-xr-x ... vm04.cfg
-rwxr-xr-x ... vm05.cfg
-rwxr-xr-x ... vmvpn1.cfg
-rwxr-xr-x ... vmvpn2.cfg
-rw-r--r-- ... vpn-host1.tgz
-rw-r--r-- ... vpn-host2.tgz
This directory contains many files that are used to create the initial environment.
Oracle Linux 7.1 is installed on the host01, host02, and host03 VMs from the
OracleLinux-R7-U1-Server-x86_64-dvd.iso file in this directory.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Other files in this directory are used in various practices.


g. Explore the /var/www/html/repo/OracleLinux/OL7/1/x86_64 directory:

Your system is configured as a local Yum repository.

This directory contains the contents of the Oracle Linux 7.1 ISO. Note that the RPM software packages are in the Packages directory.

A .repo file exists on each VM pointing to this Yum repository.

# cd /var/www/html/repo/OracleLinux/OL7/1/x86_64
# ls -l
addons  EULA  images    LiveOS    RELEASE-NOTES-U1-en       repodata     RPM-GPG-KEY-oracle
EFI     GPL   isolinux  Packages  RELEASE-NOTES-U1-en.html  RPM-GPG-KEY  TRANS.TBL


Practice 1-2: Starting, Stopping, and Listing VM Guests

Overview

In this practice, you use xm commands to list, create, and shut down virtual machines.

Assumptions

You are logged on to dom0.
You have a terminal window open.
You are the root user.

Tasks
1. List all currently active guests, as well as dom0 itself.

Use the xm list command. The output shown here is a sample; the ID and Time(s) values will be different on your system.
# xm list
Name        ID  Mem VCPUs   State   Time(s)
Domain-0     0  2048     2  r-----    281.1
host01       1  1536     1  -b----    157.6
host02       2  1536     1  -b----    159.0
host03       3  1536     1  -b----     13.2

You have three guests (host01, host02, and host03) running.

2. Shut down a VM.

Use the xm shutdown -w <VM_name> command to shut down the host03 VM. The -w option tells the system to wait until all services in the domain shut down cleanly. Run xm list to display the running VMs.

The xm shutdown command takes a few seconds to complete.

Note that host03 is no longer active.

# xm shutdown -w host03
Domain host03 terminated
All domains terminated
# xm list
Name        ID  Mem VCPUs   State   Time(s)
Domain-0     0  2048     2  r-----    289.6
host01       1  1536     1  -b----    157.6
host02       2  1536     1  -b----    159.0

3. Start a VM.

Use the xm create <config_file> command to start the host03 VM. The <config_file> is named vm.cfg and is located in the /OVS/running_pool/<VM_name> directory. Run xm list to display the running VMs.

Note that host03 is now active.

The State column for dom0 and host03 shows r (run state). The State column for host01 and host02 shows b (blocked). The following describes these values:

r: The domain is currently running and healthy.

b: The domain is blocked, and not running or runnable. This can be caused because the domain is waiting on IO (a traditional wait state) or has gone to sleep because there was nothing else for it to do.

# cd /OVS/running_pool/host03
# xm create vm.cfg
Using config file "./vm.cfg".
Started domain host03 (id=#)
# xm list
Name        ID  Mem VCPUs   State   Time(s)
Domain-0     0  2048     2  r-----    304.5
host01       4  1536     1  -b----     18.7
host02       2  1536     1  -b----    159.0
host03       3  1536     1  r-----     13.2

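As an added example (not part of the Oracle guide), the following Python parses xm list output like the table above and decodes the State column the way this practice describes, so a script can confirm which guests are running, which are blocked, and which expected guests are absent. The sample output is a constructed copy of the table above.

```python
# Constructed copy of the xm list output shown above, after host03 is restarted.
XM_LIST_OUTPUT = """\
Name        ID  Mem VCPUs   State   Time(s)
Domain-0     0  2048     2  r-----    304.5
host01       4  1536     1  -b----     18.7
host02       2  1536     1  -b----    159.0
host03       3  1536     1  r-----     13.2
"""

# Meaning of the letters in the six-character State column. The practice explains
# r and b; the remaining letters are the other states xm reports in that column.
STATE_FLAGS = {
    "r": "running", "b": "blocked", "p": "paused",
    "s": "shutdown", "c": "crashed", "d": "dying",
}


def parse_xm_list(text):
    """Parse xm list output into {domain name: fields}; State becomes a set of state names."""
    domains = {}
    for line in text.strip().splitlines()[1:]:  # the first line is the header
        name, dom_id, mem, vcpus, state, secs = line.split()
        domains[name] = {
            "id": int(dom_id),
            "mem_mb": int(mem),
            "vcpus": int(vcpus),
            "states": {STATE_FLAGS[c] for c in state if c != "-"},
            "time_s": float(secs),
        }
    return domains


def guests_by_state(domains):
    """Return (running guests, blocked guests), excluding dom0 itself."""
    guests = {n: d for n, d in domains.items() if n != "Domain-0"}
    running = sorted(n for n, d in guests.items() if "running" in d["states"])
    blocked = sorted(n for n, d in guests.items() if "blocked" in d["states"])
    return running, blocked


def missing_guests(domains, expected):
    """Expected guests that xm list does not show at all (shut down or never created)."""
    return sorted(set(expected) - set(domains))
```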

Practice 1-3: Exploring the host01 VM

Overview
In this practice, you perform the following:
Log in to host01.
View the storage devices available on host01.
View the network configuration on host01.
View the Unbreakable Enterprise Kernel version on host01.
View the Yum repository configuration on host01.

Assumptions

You are logged on to dom0 as the root user.
The host01 VM guest is running.

Tasks
1. Explore the host01 VM guest.

a. Use the ssh command to log in to host01.


Because this is the first time you have logged in using ssh, the command checks to make sure that you are connecting to the host that you think you are connecting to. Enter yes.

The root password is oracle (all lowercase).

If you get a message, ssh: connect to host host01 port 22: No route to host, wait a few seconds to allow host01 to boot and then run the ssh host01 command again.

The hostname command confirms you have successfully logged in to host01.

# ssh host01
The authenticity of host 'host01 (192.0.2.101)' can't be established. RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host01,192.0.2.101' (RSA) to the list of known hosts.
root@host01's password: oracle
[root@host01 ~]# hostname
host01.example.com
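The prompt above is the trust-on-first-use step: whatever key you accept with yes is written to ~/.ssh/known_hosts and trusted from then on, so the fingerprint is worth checking against one obtained out of band (for example from the guest's console). As an added example (not from the Oracle guide), this Python computes the SHA256 fingerprint of a known_hosts entry the way OpenSSH does and compares it with an expected value; the key blob is a constructed placeholder, not a real host key.

```python
import base64
import hashlib
import hmac

# Constructed known_hosts entry for host01 (192.0.2.101). The key material is a
# placeholder byte string, not a real ssh-rsa key; only the fingerprint arithmetic matters here.
PLACEHOLDER_KEY = base64.b64encode(b"placeholder host key blob for host01 in the lab").decode()
KNOWN_HOSTS_LINE = f"host01,192.0.2.101 ssh-rsa {PLACEHOLDER_KEY}"


def parse_known_hosts_line(line):
    """Return (host names, key type, decoded key blob) for one known_hosts entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts entry")
    hosts = fields[0].split(",")
    return hosts, fields[1], base64.b64decode(fields[2])


def sha256_fingerprint(key_blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line, host, expected_fingerprint):
    """True only if the entry covers `host` and its key hashes to the fingerprint obtained out of band."""
    hosts, _key_type, key_blob = parse_known_hosts_line(line)
    if host not in hosts:
        return False
    actual = sha256_fingerprint(key_blob)
    # Constant-time comparison, so a mismatch does not leak how much of the fingerprint agreed.
    return hmac.compare_digest(actual, expected_fingerprint)
```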
b. Use the fdisk command to view the storage devices.

# fdisk -l | grep /dev
Disk /dev/xvda: 12.9 GB, 12884901888 bytes, 25165824 sectors
/dev/xvda1   *        2048     1026047      512000   83  Linux
/dev/xvda2         1026048    25165823    12069888   8e  Linux LVM
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/xvdd: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/mapper/ol-root: 11.0 GB, 11022630912 bytes, ...
Disk /dev/mapper/ol-swap: 1287 MB, 1287651328 bytes, ...

Three devices are available: /dev/xvda, /dev/xvdb, and /dev/xvdd.

Do not run the following commands; this is information only:

The /dev/xvda disk device represents a 12 GB system image file created with
the following command (in the /OVS/running_pool/host01 directory on
dom0):
# dd if=/dev/zero of=system.img bs=1M count=12288

The /dev/xvdb disk device represents a 10 GB utility image file created with
the following command (in the /OVS/running_pool/host01 directory on
dom0):
# dd if=/dev/zero of=u01.img bs=1M count=10240

The /dev/xvdd disk device represents a 10 GB utility image file created with
the following command (in the /OVS/running_pool/host01 directory on
dom0):
# dd if=/dev/zero of=u02.img bs=1M count=10240

The /dev/xvda device has Oracle Linux 7.1 installed with the Minimal Install Base Environment.
This system disk uses LVM volumes for the root and swap partitions.
c. Use the ip addr command to display the network interfaces.
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    ...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
    ...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:04:01 brd ff:ff:ff:ff:ff:ff
The system has four Ethernet network interfaces, eth0, eth1, eth2, and eth3.

The eth0 interface is on the 192.0.2 subnet, and provides access to dom0 and
the other VM guest systems. The remaining interfaces do not have IP addresses.
The eth1 interface is configured in Practices for Lesson 2: Network Addressing
and Name Services.
The eth2 and eth3 interfaces are configured as part of a bonded network interface
in Practices for Lesson 10: Advanced Networking.


d. View the /etc/hosts file on host01.

The eth1 interface is configured on a private subnet, 192.168.1, and is used in Practices for Lesson 11: OCFS2 and Oracle Clusterware.
No changes are needed in this file.

# cat /etc/hosts
127.0.0.1     localhost.localdomain localhost
192.0.2.1     example.com dom0
192.0.2.101   host01.example.com host01
192.0.2.102   host02.example.com host02
192.0.2.103   host03.example.com host03

e. Use the uname -r command to determine your running kernel version.

The kernel is UEK Release 3.

# uname -r
3.8.13-55.1.6.el7uek.x86_64

f. View the /etc/yum.repos.d directory.

Two .repo files exist: the Public Yum repository file for Oracle Linux 7 and a custom repository file, vm.repo, for the local Yum repository on dom0.

# cd /etc/yum.repos.d
# ls
public-yum-ol7.repo  vm.repo

g. Use the grep command to view enabled repositories in both files.

Only the vm.repo file contains an enabled repository (enabled=1).

# grep enabled *
public-yum-ol7.repo:enabled=0
public-yum-ol7.repo:enabled=0
...
vm.repo:enabled=1
h. Use the cat command to view the contents of vm.repo.

Note that the baseurl references the local Yum repository on dom0 (192.0.2.1).

# cat vm.repo
[OL7.1Dom0]
name="Oracle Linux 7.1 Dom0 Repo"
baseurl=http://192.0.2.1/repo/OracleLinux/OL7/1/x86_64
enabled=1
gpgkey=http://192.0.2.1/repo/OracleLinux/OL7/1/x86_64/RPM-GPG-KEY-oracle
gpgcheck=1
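The two settings in this file that protect the software supply chain are gpgcheck=1 and the gpgkey URL: together they make yum verify each package signature against the Oracle key before installing it. As an added example (not part of the Oracle guide), the following Python audits .repo files for enabled repositories that skip signature checking; the repo texts are a constructed copy of vm.repo and a deliberately weakened variant.

```python
import configparser

# Constructed copy of the vm.repo shown above.
VM_REPO = """\
[OL7.1Dom0]
name="Oracle Linux 7.1 Dom0 Repo"
baseurl=http://192.0.2.1/repo/OracleLinux/OL7/1/x86_64
enabled=1
gpgkey=http://192.0.2.1/repo/OracleLinux/OL7/1/x86_64/RPM-GPG-KEY-oracle
gpgcheck=1
"""

# Constructed weakened variant: signature checking disabled and no key configured.
WEAK_REPO = """\
[local-unsigned]
name=unsigned local repo
baseurl=http://192.0.2.1/repo/unsigned
enabled=1
gpgcheck=0
"""

NO_GPGCHECK = "gpgcheck is not 1: package signatures are not verified"
NO_GPGKEY = "no gpgkey: yum has no key to verify signatures against"
PLAIN_HTTP = "baseurl is plain http: repodata is fetched unauthenticated (packages are still signature-checked when gpgcheck=1)"


def audit_repo_file(text):
    """Return {repo id: [findings]} for each enabled repository in a .repo file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo.get("enabled", "1").strip() != "1":
            continue  # yum ignores disabled repos, so they are not audited
        problems = []
        if repo.get("gpgcheck", "0").strip() != "1":  # an unset gpgcheck is treated as off here
            problems.append(NO_GPGCHECK)
        if not repo.get("gpgkey", "").strip():
            problems.append(NO_GPGKEY)
        if repo.get("baseurl", "").strip().startswith("http://"):
            problems.append(PLAIN_HTTP)
        findings[repo_id] = problems
    return findings


def unsafe_repos(text):
    """Repo ids that are enabled but would install packages without signature verification."""
    return sorted(r for r, p in audit_repo_file(text).items() if NO_GPGCHECK in p or NO_GPGKEY in p)
```

On the isolated 192.0.2 lab network the plain-http finding is informational; the gpgcheck and gpgkey findings are the ones that matter.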


i. Use the exit command to log off host01.

# exit
logout
Connection to host01 closed.


Practice 1-4: Exploring the host02 VM

Overview
In this practice, you perform the following:
Log in to host02.
View the storage devices available on host02.
View the network configuration on host02.

Assumptions

You are logged on to dom0 as the root user.
The host02 VM guest is running.

Tasks
1. Explore the host02 VM guest.

a. Use the ssh command to log in to host02.

Because this is the first time you have logged in using ssh, the command checks to make sure that you are connecting to the host that you think you are connecting to. Enter yes.

The root password is oracle (all lowercase).

The hostname command confirms whether you have successfully logged in to host02.

# ssh host02
The authenticity of host 'host02 (192.0.2.102)' can't be established. RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host02,192.0.2.102' (RSA) to the list of known hosts.
root@host02's password: oracle
[root@host02 ~]# hostname
host02.example.com

b. Use the fdisk command to view the storage devices.

# fdisk -l | grep /dev
Disk /dev/xvda: 21.5 GB, 21474836480 bytes, 41943040 sectors
/dev/xvda1   *        2048     1026047      512000   83  Linux
/dev/xvda2         1026048    41943040    20458496   8e  Linux LVM
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/xvdd: 21.5 GB, 21474836480 bytes, 41943040 sectors
Disk /dev/xvde: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/mapper/ol-root: 18.8 GB, 18798870528 bytes, ...
Disk /dev/mapper/ol-swap: 2147 MB, 2147483648 bytes, ...

Four devices are available: /dev/xvda, /dev/xvdb, /dev/xvdd, and /dev/xvde.

Do not run the following commands; this is for information only:


The /dev/xvda disk device represents a 20 GB system image file created with
the following command (in the /OVS/running_pool/host02 directory on
dom0):
# dd if=/dev/zero of=system.img bs=1M count=20480

The /dev/xvdb disk device represents a 10 GB shared disk image file created
with the following command (in the /OVS/sharedDisk directory on dom0):
# dd if=/dev/zero of=physDisk1.img bs=1M count=10240

The /dev/xvdd disk device represents a 20 GB utility image file created with
the following command (in the /OVS/running_pool/host02 directory on
dom0):
# dd if=/dev/zero of=u02.img bs=1M count=20480

The /dev/xvde disk device represents a 10 GB utility image file created with
the following command (in the /OVS/running_pool/host02 directory on
dom0):
# dd if=/dev/zero of=u03.img bs=1M count=10240

The /dev/xvda device has Oracle Linux 7.1 installed with the Server with GUI Base Environment.
This system disk uses LVM volumes for the root and swap partitions.

c. Use the ip addr command to display the network interfaces.

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    ...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.102/24 brd 192.0.2.255 scope global eth0
    ...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:02:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.102/24 brd 192.168.1.255 scope global eth1
    ...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:04:02 brd ff:ff:ff:ff:ff:ff
The system has four Ethernet network interfaces, eth0, eth1, eth2, and eth3.

The eth0 interface is on the 192.0.2 subnet, and provides access to dom0 and
the other VM guest systems.
The eth1 interface is on a private subnet, 192.168.1, and is used in Practices for
Lesson 11: OCFS2 and Oracle Clusterware.

The eth2 and eth3 interfaces are configured as part of a bonded network interface
in Practices for Lesson 10: Advanced Networking.

The /etc/hosts file, kernel version, and Yum configuration are the same on all three VM guests.

d. Use the exit command to log off host02.

# exit
logout
Connection to host02 closed.


Practice 1-5: Exploring the host03 VM


Overview
In this practice, you perform the following:
Log in to host03.
View the storage devices available on host03.
View the network configuration on host03.

Assumptions

You are logged on to dom0 as the root user.

The host03 VM guest is running.

Tasks
1. Explore the host03 VM guest.

a. Use the ssh command to log in to host03.

Because this is the first time you have logged in by using ssh, the command checks to make sure that you are connecting to the host that you think you are connecting to. Enter yes.

The root password is oracle (all lowercase).

The hostname command confirms whether you have successfully logged in to host03.

# ssh host03
The authenticity of host 'host03 (192.0.2.103)' can't be established. RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'host03,192.0.2.103' (RSA) to the list of known hosts.
root@host03's password: oracle
[root@host03 ~]# hostname
host03.example.com

b. Use the fdisk command to view the storage devices. The host03 VM has the same disk configuration as the host01 VM.

# fdisk -l | grep /dev
Disk /dev/xvda: 12.9 GB, 12884901888 bytes, 25165824 sectors
/dev/xvda1   *        2048     1026047      512000   83  Linux
/dev/xvda2         1026048    25165823    12069888   8e  Linux LVM
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/xvdd: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/mapper/ol-root: 11.0 GB, 11022630912 bytes, ...
Disk /dev/mapper/ol-swap: 1287 MB, 1287651328 bytes, ...
Three devices are available: /dev/xvda, /dev/xvdb, and /dev/xvdd.

This is the same disk configuration as host01.



The /dev/xvda device has Oracle Linux 7.1 installed with the Server with GUI Base Environment.
This system disk uses LVM volumes for the root and swap partitions.

c. Use the ip addr command to display the network interfaces.

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    ...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:01:03 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.103/24 brd 192.0.2.255 scope global eth0
    ...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:02:03 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.104/24 brd 192.0.2.255 scope global eth1
    ...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:03:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.103/24 brd 192.168.1.255 scope global eth2
    ...
The system has three Ethernet network interfaces: eth0, eth1, and eth2.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s interfaces
en are on the 192.0.2 subnet. These interfaces are
The eth0 and
eth1
a
i
c
r
i
l
a lfor
used ino
Practices
e Lesson 12: iSCSI and Multipathing.
b
s
r
a
The
co eth2sfinterface
er is on a private subnet, 192.168.1, and is used in Practices for
n
Lesson
11:
jua -tran OCFS2 and Oracle Clusterware.
n the cat command to view the /etc/resolv.conf file.
d. o
n Use
This file provides access to Domain Name Service (DNS) for host-to-IP address
resolution. It identifies three DNS nameservers and the search domain.

# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3
The /etc/hosts file, kernel version, and Yum configuration are the same on all three VM guests.
e. Use the exit command to log off host03.

# exit
logout
Connection to host03 closed.

Practice 1-6: Logging Off from Your Student PC

Overview

In this practice, you learn how to log off from your system.

Tasks
1. Learn how to log off your student PC.

a. Open the System menu on the GNOME desktop.

b. Select Log Out vncuser from the System menu.

c. You can click the Log Out button to log out.

However, do not log out until the end of each day of training. Click the Cancel button to stay logged in.

Practices for Lesson 2: Network Addressing and Name Services
Chapter 2

Practices for Lesson 2: Overview

Practices Overview
In these practices, you:
Configure host03 VM as a DHCP server and host01 VM as a DHCP client
Dynamically obtain an IP address for eth1 on host01
View and test the DNS server configuration on dom0
Configure host03 as a caching-only nameserver
Test the DNS configuration


Practice 2-1: Configuring a DHCP Server

Overview

In this practice, you configure host03 VM as a DHCP server.

Assumptions
You are the root user on dom0.

Tasks
1. Log in to the host03 VM guest.

Use the ssh command to log in to host03.
The root password is oracle (all lowercase).

[dom0]# ssh host03
root@host03's password: oracle
Last login: ...
[host03]#

2. Install the dhcp package on host03 if necessary.

a. Use the rpm command to check whether the dhcp package is installed.

In this example, only the dhcp-libs and dhcp-common packages are installed.

# rpm -qa | grep dhcp
dhcp-libs-...
dhcp-common-...

b. Use the yum list available command, pipe the output to the grep command, and search for the string dhcp. Only partial output is shown.

The dhcp.x86_64 package needs to be installed in this example.

# yum list available | grep dhcp
dhcp.x86_64 ...
dhcp-libs.i686 ...
c. Use the yum command to install the dhcp package.

You do not need to include the .x86_64 extension.
Answer y when prompted "Is this ok".
You are asked about the GPG key only the first time you use the yum install command.

# yum install dhcp
...
Transaction Summary
============================================================
Install 1 Package

Total download size: 509 k


Installed size: 1.4 M
Is this ok [y/d/N]: y
...
Retrieving key from http://192.0.2.1/repo/OracleLinux/OL7/...
...
Is this ok [y/N]: y
...
Complete!
3. Use the vi editor to edit /etc/dhcp/dhcpd.conf as follows:

Note: A preconfigured dhcpd.conf file exists on dom0 in the /OVS/seed_pool/sfws directory.

You can edit the dhcpd.conf file as follows by using the vi command, or you can use the sftp command and copy /OVS/seed_pool/sfws/dhcpd.conf from dom0 to /etc/dhcp/dhcpd.conf on host03. See your instructor if you need help in using the sftp command.

# vi /etc/dhcp/dhcpd.conf
option subnet-mask              255.255.255.0;
option domain-name              "example.com";
option domain-name-servers      192.0.2.1;
option broadcast-address        192.168.1.255;
default-lease-time              21600;
max-lease-time                  43200;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.254;
}
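As an added example (not from the Oracle guide), the following Python parses a dhcpd.conf in the shape shown above and checks the things that most often go wrong in a hand-edited file: that each range lies inside its declared subnet, that it does not include the network or broadcast address, and that it agrees with the broadcast-address option. The text is a constructed copy of the file above; a second copy with a deliberately wrong range shows a failing check.

```python
import ipaddress
import re

# Constructed copy of the dhcpd.conf from this practice.
DHCPD_CONF = """\
option subnet-mask              255.255.255.0;
option domain-name              "example.com";
option domain-name-servers      192.0.2.1;
option broadcast-address        192.168.1.255;
default-lease-time              21600;
max-lease-time                  43200;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.254;
}
"""

# Constructed broken variant: the range belongs to a different /24 than the subnet declares.
BAD_CONF = DHCPD_CONF.replace("range 192.168.1.200 192.168.1.254;",
                              "range 192.168.2.200 192.168.2.254;")

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+(.+?);", re.M)


def parse_dhcpd_conf(text):
    """Return (global option values, [(network, range start, range end), ...])."""
    options = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(text)}
    ranges = []
    for addr, mask, body in SUBNET_RE.findall(text):
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        for start, end in RANGE_RE.findall(body):
            ranges.append((network, ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return options, ranges


def check_dhcpd_conf(text):
    """List the inconsistencies a reviewer would flag; an empty list means the file is consistent."""
    options, ranges = parse_dhcpd_conf(text)
    problems = []
    if not ranges:
        problems.append("no subnet/range declared: dhcpd has no addresses to hand out")
    for network, start, end in ranges:
        if start not in network or end not in network:
            problems.append(f"range {start}-{end} lies outside {network}")
        if start > end:
            problems.append(f"range start {start} is after end {end}")
        if start == network.network_address or end == network.broadcast_address:
            problems.append(f"range in {network} includes the network or broadcast address")
        bcast = options.get("broadcast-address")
        if bcast and ipaddress.ip_address(bcast) != network.broadcast_address:
            problems.append(f"broadcast-address {bcast} does not match {network}")
    return problems
```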
4. Before enabling and starting the dhcpd service, specify a command-line argument to instruct the dhcpd service to only listen for DHCP requests on the eth2 network interface.

a. Use the cp command to copy the dhcpd.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory.

The /usr/lib/systemd/system/ systemd units are included with the RPM packages and are not to be edited. The /etc/systemd/system/ systemd units are created and managed by the system administrator and take precedence.

# cp /usr/lib/systemd/system/dhcpd.service /etc/systemd/system/


b. Use the vi editor to edit the /etc/systemd/system/dhcpd.service file and append eth2 to the ExecStart line.

# vi /etc/systemd/system/dhcpd.service
...
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid eth2
...

5. Enable and start the dhcpd service.

a. Use the systemctl command to enable the dhcpd service to start at boot time.

Note that a symbolic link is created for the /etc/systemd/system/dhcpd.service file.

# systemctl enable dhcpd
ln -s '/etc/systemd/system/dhcpd.service' '/etc/systemd/system/multi-user.target.wants/dhcpd.service'

b. Use the systemctl command to start the dhcpd service.

# systemctl start dhcpd

c. Use the systemctl command to view the status of the dhcpd service.

Note that the server is only listening on eth2.

# systemctl status dhcpd
dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/etc/systemd/system/dhcpd.service; enabled)
   Active: active (running) since ...
...
<date_time> host03 ...: Listening on LPF/eth2/00:16...
...


Practice 2-2: Configuring a DHCP Client


Overview
In this practice, you:
Configure host01 VM as a DHCP client

Obtain an IP address from the DHCP server (host03) for the eth1 network interface

You begin this practice by opening a second terminal window on dom0 and logging in to host01
as the root user. You are already logged in as the root user to host03 from Practice 2-1.

Assumptions

This practice is performed on host01 and host03 VMs.


You are currently logged in to host03 (from Practice 2-1).
The prompts in the solution section include either host01 or host03 to indicate which
system to enter the command from.

Tasks

1. Log in to the host01 VM guest from dom0.

a. Open a second terminal window on dom0.

b. From the second terminal window on dom0, use the su - command to become the root user.

The root password is oracle.

$ su -
Password: oracle
#

c. As the root user on dom0, use the ssh command to log in to host01.

The root password is oracle (all lowercase).

[dom0]# ssh host01
root@host01's password: oracle
Last login: ...
[root@host01]#
2. Use the rpm command to verify that the dhclient package is installed on host01.

In this example, the package is already installed.

[host01]# rpm -q dhclient
dhclient-4.2.5-36.0.1.el7.x86_64


3. Configure eth1 on host01 for DHCP.

Use the vi editor and change /etc/sysconfig/network-scripts/ifcfg-eth1.

The only change needed is ONBOOT=yes. The interface is configured to use DHCP by default.

[host01]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=dhcp
...
ONBOOT=yes

4. Use the ip addr command to display the network interfaces on host01.

Note that eth1 does not have an IP address.

[host01]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    ...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
    ...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
    ...

5. From host01, request a lease for eth1 from the DHCP server.

a. Use the dhclient command to request a lease for eth1 from the DHCP server.

[host01]# dhclient eth1


b. Use the ip addr command on host01 to verify that eth1 obtained an IP address.

In this example, eth1 now has an IP address of 192.168.1.200.

[host01]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    ...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
    ...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.200/24 brd 192.168.1.255 scope global eth1
    ...

6. View information about the lease.

a. View information about the lease on the client (host01).

[host01]# cat /var/lib/dhclient/dhclient.leases
lease {
  interface "eth1";
  fixed-address 192.168.1.200;
  option subnet-mask 255.255.255.0;
  ...
}

b. View information about the lease on the server (host03).

[host03]# cat /var/lib/dhcpd/dhcpd.leases
...
lease 192.168.1.200 {
  starts ...
  ends ...
  ...
  hardware ethernet 00:16:3e:00:02:01;
}
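The two lease files above describe the same lease from each end: the client's dhclient.leases records the address it was given on eth1, and the server's dhcpd.leases records the hardware address the lease is bound to. The shell below is an added example (not code from the Oracle guide) that reads constructed copies of both files, in the same layout, and checks that the address host01 holds is the one the server has active for host01's eth1 MAC. The addresses, dates and binding states in the samples are made up for the example.

```sh
# Added example: cross-check a dhclient lease against the dhcpd lease database.
# CLIENT_LEASES and SERVER_LEASES are constructed samples in the layout of
# /var/lib/dhclient/dhclient.leases and /var/lib/dhcpd/dhcpd.leases.

CLIENT_LEASES='lease {
  interface "eth1";
  fixed-address 192.168.1.150;
  option subnet-mask 255.255.255.0;
  expire 1 2015/08/31 20:00:00;
}
lease {
  interface "eth1";
  fixed-address 192.168.1.200;
  option subnet-mask 255.255.255.0;
  expire 2 2015/09/01 21:00:00;
}'

SERVER_LEASES='lease 192.168.1.150 {
  starts 1 2015/08/31 08:00:00;
  ends 1 2015/08/31 20:00:00;
  binding state free;
  hardware ethernet 00:16:3e:00:02:01;
}
lease 192.168.1.200 {
  starts 2 2015/09/01 09:00:00;
  ends 2 2015/09/01 21:00:00;
  binding state active;
  hardware ethernet 00:16:3e:00:02:01;
}'

# client_fixed_address IFACE: dhclient appends a new block for every lease it
# obtains, so the last block for IFACE is the current one. Prints its
# fixed-address, or nothing when IFACE has no lease. Reads the file on stdin.
client_fixed_address() {
    awk -v want="$1" '
        /^lease[ \t]*[{]/       { iface = ""; addr = "" }
        /^[ \t]*interface[ \t]/ { gsub(/[";]/, "", $2); iface = $2 }
        /^[ \t]*fixed-address/  { sub(/;$/, "", $2); addr = $2 }
        /^[}]/ && iface == want { last = addr }
        END { if (last != "") print last }'
}

# server_lease_mac ADDR: prints "MAC STATE" as dhcpd recorded them for ADDR;
# the last block for an address wins, as in the client file. Reads stdin.
server_lease_mac() {
    awk -v want="$1" '
        /^lease[ \t]/              { ip = $2; mac = ""; state = "" }
        /^[ \t]*hardware ethernet/ { sub(/;$/, "", $3); mac = $3 }
        /^[ \t]*binding state/     { sub(/;$/, "", $3); state = $3 }
        /^[}]/ && ip == want       { last = mac " " state }
        END { if (last != "") print last }'
}

# lease_agrees IFACE MAC: succeeds when the address the client holds on IFACE
# is one the server currently has in state active for MAC.
lease_agrees() {
    addr=$(printf '%s\n' "$CLIENT_LEASES" | client_fixed_address "$1")
    [ -n "$addr" ] || return 1
    rec=$(printf '%s\n' "$SERVER_LEASES" | server_lease_mac "$addr")
    [ "$rec" = "$2 active" ]
}

if lease_agrees eth1 00:16:3e:00:02:01; then
    echo "eth1 lease matches the server's active binding"
else
    echo "eth1 lease does NOT match the server"
fi
```

On a real host the two functions would be fed the actual files (`client_fixed_address eth1 < /var/lib/dhclient/dhclient.leases`); the server half has to be run where dhcpd keeps its database, so the comparison is normally done over a copy pulled from the server.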

7. Use the exit command to log off host01.

[host01]# exit
logout
Connection to host01 closed.
[dom0]#

In this window, you are logged in as the root user on dom0. Leave this window open for the next practice (Practice 2-3).

Practice 2-3: Viewing and Testing the DNS Configuration

Overview
In this practice, you:
- View the DNS configuration on dom0
- Test the lookup functionality of DNS from host03

Assumptions
- Dom0 is already configured as an authoritative nameserver for the example.com domain.
- This practice is performed on dom0 and on the host03 VM.
- You are logged in as the root user on dom0 from one terminal window.
- You are logged in as the root user on host03 from a second terminal window.
- The prompts in the solution section include either dom0 or host03 to indicate which system to enter the command from.
Tasks

1. Use the rpm command to verify that the bind package is installed on dom0.

In this example, the package is installed.

[dom0]# rpm -qa | grep bind
bind-libs-...
bind-utils-...
bind-...

2. Ensure that the named service is enabled and running on dom0.

Use the service and chkconfig commands on dom0 because dom0 is running Oracle VM Server for x86 version 3.2.1. Use the systemctl command on the host01, host02, and host03 virtual machines because the VMs are running Oracle Linux 7.1.

a. Use the service command to verify that the named service is started on dom0.

In this example, the service is running.

[dom0]# service named status
number of zones: 3
debug level: 0
...
server is up and running
named (pid ...) is running...

b. Use the chkconfig command to verify that the named service is configured to start at boot time on dom0.

In this example, the service is configured to start when the system boots at either run level 2, 3, or 4.

[dom0]# chkconfig named --list
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off

3. View the DNS configuration on dom0.

a. View the main BIND configuration file, /etc/named.conf.

This file lists the location and characteristics of your domain's zone files. Note that the zone file, /var/named/data/master-example.com, is defined. Note that a reverse lookup zone file, /var/named/data/reverse-192.0.2, is also defined.

[dom0]# cat /etc/named.conf
...
options {
        directory "/var/named";
...
zone "example.com" {
        type master;
        file "data/master-example.com";
        allow-update { key rndckey; };
        notify yes;
};
...
zone "2.0.192.in-addr.arpa" IN {
        type master;
        file "data/reverse-192.0.2";
        allow-update { key rndckey; };
        notify yes;
};
...
b. View the /var/named/data/master-example.com zone file.

This file defines IPv4 addresses (A records) for the DNS server, the DNS domain, and the four VM guest systems.

[dom0]# cat /var/named/data/master-example.com
...
dns           A   192.0.2.1
example.com   A   192.0.2.1
host01        A   192.0.2.101
host02        A   192.0.2.102
host03        A   192.0.2.103
host04        A   192.0.2.104
...

c. View the /var/named/data/reverse-192.0.2 file.

This file defines PTR records for reverse name resolution.

[dom0]# cat /var/named/data/reverse-192.0.2
...
1     PTR   dns.us.oracle.com.
101   PTR   host01.example.com.
102   PTR   host02.example.com.
103   PTR   host03.example.com.
104   PTR   host04.example.com.
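Two checks a practitioner would run over the configuration just viewed, written as an added example rather than taken from the guide: which zones in named.conf accept dynamic updates from anyone (the lab restricts updates to holders of rndckey, which is the safe setting), and which A records in the forward zone have no matching PTR in the reverse zone. The named.conf excerpt and the two zone files are constructed samples in the layout of the files above; the zone named lab.test and the "any" update policy are invented to exercise the checks.

```sh
# Added example: two checks over BIND configuration text. NAMED_CONF,
# FORWARD_ZONE and REVERSE_ZONE are constructed samples, not the lab's files.

NAMED_CONF='options {
        directory "/var/named";
};
zone "example.com" IN {
        type master;
        file "data/master-example.com";
        allow-update { key rndckey; };
        notify yes;
};
zone "2.0.192.in-addr.arpa" IN {
        type master;
        file "data/reverse-192.0.2";
        allow-update { any; };
};
zone "lab.test" IN {
        type master;
        file "data/lab.test";
};'

FORWARD_ZONE='dns          A   192.0.2.1
example.com  A   192.0.2.1
host01       A   192.0.2.101
host02       A   192.0.2.102
host03       A   192.0.2.103
host04       A   192.0.2.104'

REVERSE_ZONE='1     PTR   dns.example.com.
101   PTR   host01.example.com.
102   PTR   host02.example.com.
103   PTR   host03.example.com.'

# zone_update_policy: read named.conf text on stdin and print "<zone> <policy>"
# per zone, where policy is key (only holders of a TSIG key may update), none,
# any (anyone who can reach the server may rewrite records) or unset (no
# allow-update statement; BIND then refuses updates, the same as none).
zone_update_policy() {
    awk '
        /^[ \t]*zone[ \t]/ { name = $2; gsub(/"/, "", name); policy = "unset" }
        name != "" && /allow-update/ {
            if ($0 ~ /key[ \t]/)   policy = "key"
            else if ($0 ~ /none/)  policy = "none"
            else                   policy = "any"
        }
        name != "" && /^[ \t]*[}];/ { print name, policy; name = "" }'
}

# open_update_zones: zones in NAMED_CONF whose records anyone may change.
open_update_zones() {
    printf '%s\n' "$NAMED_CONF" | zone_update_policy | awk '$2 == "any" { print $1 }'
}

# missing_ptr: print "name address" for each A record in FORWARD_ZONE whose
# address has no PTR record in REVERSE_ZONE. The reverse zone covers one /24,
# so the PTR owner name is the last octet of the address.
missing_ptr() {
    printf '%s\n' "$FORWARD_ZONE" | awk -v rev="$REVERSE_ZONE" '
        BEGIN {
            n = split(rev, line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, " ")
                if (f[2] == "PTR") has[f[1]] = 1
            }
        }
        $2 == "A" {
            split($3, octet, ".")
            if (!(octet[4] in has)) print $1, $3
        }'
}

echo "zones open to dynamic update from anyone:"
open_update_zones
echo "forward records without a reverse entry:"
missing_ptr
```

The update-policy check reads only the zone statements, so on a real server pipe `cat /etc/named.conf` into `zone_update_policy`; anything reported as `any` is a zone whose A records can be repointed by an unauthenticated UPDATE from any client that can reach port 53.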

Perform the next task from host03.


4. Test host name to IP resolution on host03.

a. Use the ping command to contact host01 and host02.

You can successfully contact these systems by name, because /etc/hosts resolves host names to IP addresses.

[host03]# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
CTRL-C
[host03]# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C
b. Use the vi editor to edit the /etc/hosts file and comment out the lines for the VMs with a # sign as follows.

[host03]# vi /etc/hosts
127.0.0.1      localhost.localdomain   localhost
192.0.2.1      example.com             dom0
#192.0.2.101   host01.example.com      host01
#192.0.2.102   host02.example.com      host02
#192.0.2.103   host03.example.com      host03

c. Use the ping command to contact host01 and host02.

You can still successfully contact these systems by name, because DNS is resolving host names to IP addresses.

[host03]# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
CTRL-C
[host03]# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C
d. Use the grep command to search for the hosts string in the /etc/nsswitch.conf file.

The first hosts entry is a comment. In the second hosts entry, files means to use the local /etc/hosts file to resolve host names to IP addresses. Also in the second hosts entry, dns means to use DNS to resolve host names to IP addresses when unable to resolve by using the /etc/hosts file.

[host03]# grep hosts /etc/nsswitch.conf
#hosts:     db files nisplus nis dns
hosts:      files dns

e. Use the vi editor to edit the /etc/nsswitch.conf file and remove the dns argument from the hosts entry as follows.

[host03]# vi /etc/nsswitch.conf
hosts:      files dns      # old entry
hosts:      files          # new entry

f. Use the ping command to contact host01 and host02.

You cannot contact these systems by name now because DNS is no longer used.

[host03]# ping host01
ping: unknown host host01
[host03]# ping host02
ping: unknown host host02
g. Use the vi editor to edit the /etc/nsswitch.conf file and restore the dns argument to the hosts entry as follows.

[host03]# vi /etc/nsswitch.conf
hosts:      files          # old entry
hosts:      files dns      # new entry

h. Use the ping command to contact host01 and host02.

You can now successfully contact these systems by name, because DNS is resolving host names to IP addresses.

[host03]# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
CTRL-C
[host03]# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C
i. View the /etc/resolv.conf file.

DNS is only able to resolve host names to IP addresses because the /etc/resolv.conf file contains a valid search domain, example.com, and valid nameserver information. The nameserver 192.0.2.1 for the example.com domain stores the zone files that provide host name to IP address resolution.

[host03]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3

j. Use the vi editor to edit the /etc/resolv.conf file and comment out all lines as follows.

[host03]# vi /etc/resolv.conf
# Generated by NetworkManager
#search example.com
#nameserver 192.0.2.1
#nameserver 152.68.154.3
#nameserver 10.216.106.3

k. Use the ping command to contact host01 and host02.

You cannot contact these systems by name now.

[host03]# ping host01
ping: unknown host host01
[host03]# ping host02
ping: unknown host host02

l. Use the vi editor to edit the /etc/resolv.conf file and remove the # signs to uncomment the search and nameserver entries as follows.

[host03]# vi /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3

m. Use the ping command to contact host01 and host02.

You can now successfully contact these systems by name, because DNS is resolving host names to IP addresses.

[host03]# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
CTRL-C
[host03]# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C

5. Note that NetworkManager generates the /etc/resolv.conf entries on host03.

a. View the /etc/resolv.conf file.

Note the commented line indicating that NetworkManager generated the /etc/resolv.conf file.

[host03]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3

b. View the /etc/sysconfig/network-scripts/ifcfg-eth0 file.

Note that the DNS[123] entries in the ifcfg-eth0 file correspond to the nameserver entries in the resolv.conf file. Note that the DOMAIN entry in the ifcfg-eth0 file corresponds to the search entry in resolv.conf. NetworkManager uses the information in the ifcfg-eth0 file to populate the resolv.conf file.

[host03]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
...
DNS1=192.0.2.1
DNS2=152.68.154.3
DNS3=10.216.106.3
DOMAIN=example.com
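The sequence of edits above shows three things deciding whether a name resolves through DNS: the hosts line in nsswitch.conf, the nameserver lines in resolv.conf, and the DNS[n] entries in ifcfg-eth0 that NetworkManager copies into resolv.conf. The following added example (not from the guide) reads constructed copies of those three files, reports the resolver state the same way the practice's ping results did, and checks that ifcfg-eth0 and resolv.conf still agree; a mismatch there is the first thing to look at when a host starts resolving names through a server nobody configured.

```sh
# Added example: derive the name-resolution state from nsswitch.conf,
# resolv.conf and ifcfg-eth0 text. The three file contents below are
# constructed copies of what the practice shows, not read from a live system.

NSSWITCH='#hosts:     db files nisplus nis dns
hosts:      files dns'

RESOLV='# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3'

IFCFG='TYPE=Ethernet
NAME=eth0
DNS1=192.0.2.1
DNS2=152.68.154.3
DNS3=10.216.106.3
DOMAIN=example.com'

# hosts_sources: print the sources on the active hosts: line of nsswitch.conf
# text read from stdin; commented lines are ignored, as glibc ignores them.
hosts_sources() {
    awk '/^[ \t]*hosts:/ { sub(/^[ \t]*hosts:[ \t]*/, ""); print; exit }'
}

# resolv_nameservers: print the active nameserver addresses, in the order the
# resolver tries them; "#nameserver" lines are comments and are skipped.
resolv_nameservers() {
    awk '/^[ \t]*nameserver[ \t]/ { print $2 }'
}

# ifcfg_dns: print DNS1, DNS2, ... from ifcfg text on stdin, ordered by number
# rather than by their position in the file.
ifcfg_dns() {
    awk -F= '/^DNS[0-9]+=/ { n = substr($1, 4) + 0; v[n] = $2; if (n > max) max = n }
             END { for (i = 1; i <= max; i++) if (i in v) print v[i] }'
}

# resolver_state NSSWITCH_TEXT RESOLV_TEXT: prints one of
#   dns-disabled-in-nsswitch  (step e of the practice: "dns" removed)
#   no-nameserver             (step j: every nameserver line commented out)
#   dns-via-<address>         (DNS usable; the first server that will be asked)
resolver_state() {
    srcs=$(printf '%s\n' "$1" | hosts_sources)
    first=$(printf '%s\n' "$2" | resolv_nameservers | head -n 1)
    case " $srcs " in
        *" dns "*) ;;
        *) echo "dns-disabled-in-nsswitch"; return 0 ;;
    esac
    if [ -z "$first" ]; then
        echo "no-nameserver"
    else
        echo "dns-via-$first"
    fi
}

# ifcfg_matches_resolv IFCFG_TEXT RESOLV_TEXT: succeeds when the DNS[n] entries
# equal the nameserver lines, same addresses in the same order.
ifcfg_matches_resolv() {
    [ "$(printf '%s\n' "$1" | ifcfg_dns)" = "$(printf '%s\n' "$2" | resolv_nameservers)" ]
}

resolver_state "$NSSWITCH" "$RESOLV"
ifcfg_matches_resolv "$IFCFG" "$RESOLV" && echo "ifcfg-eth0 and resolv.conf agree"
```

To run the same checks on host03, replace the three variables with the output of `cat` on /etc/nsswitch.conf, /etc/resolv.conf and /etc/sysconfig/network-scripts/ifcfg-eth0.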

6. Use the host command to perform DNS lookups on host03.

a. Query DNS for the nameserver for the example.com domain.

[host03]# host -t NS example.com
example.com name server dns.example.com.

b. Query DNS for the IP address that corresponds to the host01 system.

[host03]# host host01
host01.example.com has address 192.0.2.101

c. Perform a reverse lookup by querying DNS for the domain name that corresponds to IP address 192.0.2.102.

[host03]# host 192.0.2.102
102.2.0.192.in-addr.arpa domain name pointer host02.example.com

d. Use the -v option to display verbose information about the example.com domain.

[host03]# host -v example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65099
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ...

;; QUESTION SECTION:
;example.com.                   IN      A

;; AUTHORITY SECTION:
example.com.            86400   IN      SOA     dns.example.com. ...
...

7. Use the dig command to perform DNS lookups on host03.

Query DNS for information about host02.example.com.

[host03]# dig host02.example.com
...
;; QUESTION SECTION:
;host02.example.com.            IN      A

;; ANSWER SECTION:
host02.example.com.     86400   IN      A       192.0.2.102

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      dns.example.com.

;; ADDITIONAL SECTION:
dns.example.com.        86400   IN      A       192.0.2.1
...
Practice 2-4: Configuring a Caching-Only Nameserver

Overview
In this practice, you configure host03 as a caching-only nameserver.

Assumptions
- You are the root user on host03.
- All commands in this practice, with one exception, are executed on host03.
- The one command that needs to be run on dom0 includes dom0 in the prompt.

Tasks

1. Install the bind software package on host03.

a. Use the rpm command to determine if the bind package is already installed.

In this example, several package names are returned from the rpm command, but the bind package is not installed.

# rpm -qa | grep bind
rpcbind-...
PackageKit-device-rebind-...
keybinder3-...
bind-utils-...
bind-libs-...
bind-license-...
bind-libs-lite-...

b. Use the yum command to install the bind package.

Answer y when prompted Is this ok.

# yum install bind
...
Transaction Summary
===============================================================
Install 1 Package
Total download size: 1.8 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
...
Complete!
2. View the BIND configuration files and directories.

a. View the /etc/named.conf file.

This is the main BIND configuration file. Note that the default BIND configuration files provide a caching-only nameserver.

Note that only one zone is defined, whose name is a period (.). This zone is a hint zone type and specifies that the nameserver look in the /var/named/named.ca file for the IP addresses of authoritative servers for the root domain when the nameserver starts or does not know which nameserver to query. The /etc/named.conf file also includes the /etc/named.rfc1912.zones file.

# cat /etc/named.conf
...
// Provided by Red Hat bind package to configure the ISC BIND
// named(8) DNS server as a caching only nameserver ...
...
options {
        ...
        directory "/var/named";
        ...
        /*
         - If you are building an AUTHORITATIVE DNS server,
           do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS
           server, you need to enable recursion.
        */
        recursion yes;
        ...
};

logging {
        ...
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
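The comment in the packaged named.conf says when recursion belongs on and when it does not; whether a recursive server is safe also depends on who may query it. The added example below (not code from the guide) classifies an options block on that basis. The configuration text is a constructed stand-in for the default file, reduced to the options that matter, and the three categories and the sed-built variants are the example's own.

```sh
# Added example: classify a named.conf options block by its recursion exposure.
# CACHING_CONF is a constructed stand-in for the default caching-only file.

CACHING_CONF='options {
        listen-on port 53 { 127.0.0.1; };
        directory "/var/named";
        allow-query     { localhost; };
        recursion yes;
};
zone "." IN {
        type hint;
        file "named.ca";
};'

# option_value NAME CONF_TEXT: print the value of NAME inside the options { }
# block (the text between the name and its ";"), or nothing if it is absent.
option_value() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]*options[ \t]*[{]/ { inopt = 1; next }
        inopt && /^[ \t]*[}];/    { inopt = 0 }
        inopt && $1 == name {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # drop the option name
            sub(/;[ \t]*$/, "")               # drop the trailing ";"
            print; exit
        }'
}

# restricted ACL_TEXT: true when an address-match list is present and is not "any".
restricted() {
    [ -n "$1" ] && ! printf '%s' "$1" | grep -q 'any'
}

# resolver_exposure CONF_TEXT: prints one of
#   authoritative-only    recursion is off (what an authoritative server like dom0's wants)
#   recursive-restricted  recursion on, but allow-recursion or allow-query limits who may use it
#   open-resolver         recursion on and usable by anyone who can reach the listener
# BIND's default when "recursion" is absent is yes, so an empty value counts as yes.
# listen-on also limits exposure (the default binds only 127.0.0.1), but this
# check looks at the ACLs alone.
resolver_exposure() {
    rec=$(option_value recursion "$1")
    [ -n "$rec" ] || rec=yes
    if [ "$rec" != "yes" ]; then
        echo "authoritative-only"
    elif restricted "$(option_value allow-recursion "$1")" || restricted "$(option_value allow-query "$1")"; then
        echo "recursive-restricted"
    else
        echo "open-resolver"
    fi
}

# Variants built from the sample: one opened to any client, one with recursion off.
OPEN_CONF=$(printf '%s\n' "$CACHING_CONF" | sed 's/{ localhost; }/{ any; }/')
AUTH_CONF=$(printf '%s\n' "$CACHING_CONF" | sed 's/recursion yes;/recursion no;/')

echo "packaged default: $(resolver_exposure "$CACHING_CONF")"
echo "allow-query any:  $(resolver_exposure "$OPEN_CONF")"
echo "recursion off:    $(resolver_exposure "$AUTH_CONF")"
```

An open resolver answers recursive queries for arbitrary names on behalf of anyone, which is why the packaged file pairs `recursion yes` with `allow-query { localhost; }` and a loopback `listen-on`; widening either of those on host03 is what would turn the caching server of this practice into one.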
b. View the /etc/named.rfc1912.zones file.

This is the base configuration file for implementing a caching-only nameserver. There are five zones defined in this file. Zone options are included for each of these five zones:
- type: Specifies the zone type, which is set to master for all five zones. Type master designates the nameserver as authoritative for this zone. A zone is set as master if the zone file resides on this system.
- file: Specifies the name of the zone file, which is stored in the working directory defined by the directory option (/var/named in this example).
- allow-update: Specifies which hosts are allowed to dynamically update information in their zone. Dynamic updates are set to none for these zones, meaning they are not allowed.

# cat /etc/named.rfc1912.zones
...
// Provided by Red Hat caching-nameserver package
...
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0....ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

c. View the /var/named/ directory.

This is the default directory in which zone files are stored.

# ls -l /var/named
total 16
drwxrwx--- ... named named ... data
drwxrwx--- ... named named ... dynamic
-rw-r----- ... root  named ... named.ca
-rw-r----- ... root  named ... named.empty
-rw-r----- ... root  named ... named.localhost
-rw-r----- ... root  named ... named.loopback
drwxrwx--- ... named named ... slaves

d. View the /var/named/named.ca file.

This file contains a list of the 13 root authoritative DNS servers.

# cat /var/named/named.ca
...
a.root-servers.net   3600000   IN   A   198.41.0.4
...
b.root-servers.net   3600000   IN   A   192.228.79.201
c.root-servers.net   3600000   IN   A   192.33.4.12
d.root-servers.net   3600000   IN   A   199.7.91.13
...
e.root-servers.net   3600000   IN   A   192.203.230.10
f.root-servers.net   3600000   IN   A   192.5.5.241
...
g.root-servers.net   3600000   IN   A   192.112.36.4
h.root-servers.net   3600000   IN   A   128.63.2.53
...
i.root-servers.net   3600000   IN   A   192.36.148.17
...
j.root-servers.net   3600000   IN   A   192.58.128.30
...
k.root-servers.net   3600000   IN   A   193.0.14.129
...
l.root-servers.net   3600000   IN   A   199.7.83.42
...
m.root-servers.net   3600000   IN   A   202.12.27.33
...
3. Start a DNS caching-only nameserver on host03.

a. Use the vi editor to add the following entry to the beginning of the list of nameservers in the /etc/resolv.conf file:

nameserver 127.0.0.1

This line indicates use of the local system as the primary nameserver.

# vi /etc/resolv.conf
search example.com
nameserver 127.0.0.1          # add this line only
nameserver 192.0.2.1
...

b. Use the systemctl command to enable the named service.

# systemctl enable named
ln -s /usr/lib/systemd/system/named.service /etc/systemd/system/multi-user.target.wants/named.service
c. Use the systemctl command to start the named service.

This command takes a few seconds to complete.

# systemctl start named

d. From the second terminal window on dom0, ssh to host03 as the root user, and monitor the journal in real time before proceeding to step 3e.

Monitoring the journal in real time allows you to see the host name to IP resolution occurring. The root password on host03 is oracle. You might want to enlarge this window to see more of the journal entries.

[dom0]# ssh root@host03
root@host03's password: oracle
[root@host03 ~]# journalctl -f
-- Logs begin at ...
...
e. In the original window, use the ping command to contact host01 and host02.

You can now successfully contact these systems by name, because DNS is resolving host names to IP addresses.

Press Ctrl + C to exit after a few lines of output.

# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
CTRL-C
# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C

f. Notice the resolving messages in the journal window.

[root@host03 ~]# journalctl -f
-- Logs begin at ...
<date_time> host03... error (network unreachable) resolving ...
...

g. Use CTRL-C to stop the journalctl -f command.

# journalctl -f
...
CTRL-C

h. Use the exit command to log off host03 from this second window.

# exit
logout
Connection to host03 closed.

4. In the first terminal window on host03, use the rndc command to obtain the status of the named service.

# rndc status
Version: ...
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
...

5. Stop the named service on host03 and restore the original configuration.

a. Use the systemctl command to stop the named service.

# systemctl stop named

b. Use the systemctl command to disable the named service.

# systemctl disable named
rm /etc/systemd/system/multi-user.target.wants/named.service

c. Use the vi editor to remove the following entry from the /etc/resolv.conf file:
nameserver 127.0.0.1

# vi /etc/resolv.conf
search example.com
nameserver 127.0.0.1          # delete this line only
nameserver 192.0.2.1
...
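Step 3a adds nameserver 127.0.0.1 at the top of /etc/resolv.conf by hand and step 5c removes it again. The added example below (not from the guide) does both as scripted edits that can be rerun safely and that replace the file atomically; the starting contents are a constructed copy of what the practice shows NetworkManager generated on host03.

```sh
# Added example: the step 3a / step 5c resolv.conf edits as idempotent, atomic
# file rewrites. ORIG_RESOLV is a constructed copy of the practice's file.

ORIG_RESOLV='# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3'

# add_local_nameserver: stdin -> stdout. Inserts "nameserver 127.0.0.1" before
# the first nameserver line so the local caching named is asked first; leaves
# the file alone if the line is already present; appends it if there were no
# nameserver lines at all.
add_local_nameserver() {
    awk '
        /^nameserver[ \t]+127\.0\.0\.1([ \t]|$)/ { seen = 1 }
        /^nameserver[ \t]/ && !seen             { print "nameserver 127.0.0.1"; seen = 1 }
        { print }
        END { if (!seen) print "nameserver 127.0.0.1" }'
}

# remove_local_nameserver: stdin -> stdout without the 127.0.0.1 line.
remove_local_nameserver() {
    awk '!/^nameserver[ \t]+127\.0\.0\.1([ \t]|$)/'
}

# first_nameserver: the address the resolver consults first (stdin).
first_nameserver() {
    awk '/^nameserver[ \t]/ { print $2; exit }'
}

# edit_resolv_file FILE add|remove: rewrite FILE through a temporary file and
# rename it into place, so a process reading resolv.conf never sees it half
# written. On a NetworkManager-managed host the change lasts only until
# NetworkManager regenerates the file, the same as the practice's vi edit.
edit_resolv_file() {
    tmp="$1.tmp.$$"
    case "$2" in
        add)    add_local_nameserver    < "$1" > "$tmp" ;;
        remove) remove_local_nameserver < "$1" > "$tmp" ;;
        *)      echo "usage: edit_resolv_file FILE add|remove" >&2; return 2 ;;
    esac
    mv "$tmp" "$1"
}

f=$(mktemp)
printf '%s\n' "$ORIG_RESOLV" > "$f"
edit_resolv_file "$f" add
echo "after add, first nameserver: $(first_nameserver < "$f")"
edit_resolv_file "$f" remove
echo "after remove, first nameserver: $(first_nameserver < "$f")"
rm -f "$f"
```

The temporary file is created beside the target so that `mv` is a rename on the same filesystem; writing to /tmp and moving across filesystems would fall back to a copy and lose the atomicity.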

d. Use the vi editor to edit the /etc/hosts file and remove the comment (# sign) from the entries previously commented out.

# vi /etc/hosts
192.0.2.101   host01.example.com   host01
192.0.2.102   host02.example.com   host02
192.0.2.103   host03.example.com   host03

6. Log off host03.

Use the exit command to log off host03.

# exit
logout
Connection to host03 closed.

Practices for Lesson 3: Authentication and Directory Services
Chapter 3

Practices for Lesson 3: Overview

Practices Overview
In these practices, you configure:
- OpenLDAP server and enable LDAP authentication
- OpenLDAP client and log in as an LDAP user
Practice 3-1: Configuring an OpenLDAP Server

Overview
In this practice, you:
- Configure an OpenLDAP server in preparation to implement LDAP authentication
- Install the OpenLDAP packages and the migrationtools package
- Configure the slapd.d configuration database
- Configure the base domain and test the LDAP server
- Migrate users and groups into the LDAP directory
- Modify firewalld to allow access from LDAP clients

Assumptions
You are the root user on dom0.

Tasks

1. Connect to host03 by using vncviewer.

a. From dom0, determine the VNC port number for host03 by running the xm list -l host03 | grep location command. The sample shown indicates that the port number is 5904. Your port number might be different.

# xm list -l host03 | grep location
(location 0.0.0.0:5904)
(location 3)

b. Run the vncviewer & command.

# vncviewer &

The VNC Viewer: Connection Details dialog box is displayed.

c. Enter localhost:<port_number>, substituting the port number displayed from the previous xm list -l host03 | grep location command. For example, if the port number is 5904, enter localhost:5904 and click Connect.
The GNOME login screen appears. You might need to press Enter to display the login screen.
d. Click Oracle Student in the list of users. You are prompted for the Password.

e. Enter oracle for the Password and click Sign In.

The GNOME desktop appears.

f. Right-click the desktop to display the pop-up menu.

g. From the pop-up menu, click Open in Terminal.

A terminal window appears.

h. In the terminal window, use the su - command to become the root user.

The root password is oracle.

$ su -
Password: oracle
#
2. Install the required RPM packages on host03.

Use the yum command to install the following packages:
- openldap-servers
- openldap-clients
- migrationtools

Answer y when prompted Is this ok.

# yum install openldap-servers openldap-clients migrationtools
...
Transaction Summary
=============================================================
Install 3 Packages
Total download size: 2.3 M
Installed size: 5.3 M
Is this ok [y/d/N]: y
...
Complete!
3. Copy the default DB_CONFIG template file.

a. Use the ls command to view the contents of the /var/lib/ldap directory.

Note that the directory is empty.

# ls /var/lib/ldap

b. Use the ls command to view the contents of the /usr/share/openldap-servers directory.

A default DB_CONFIG template file is installed in the /usr/share/openldap-servers directory. The default DB_CONFIG template file name is DB_CONFIG.example.

# ls /usr/share/openldap-servers
DB_CONFIG.example  slapd.ldif

c. Use the cp command to copy the /usr/share/openldap-servers/DB_CONFIG.example file into the /var/lib/ldap directory and rename the copied file DB_CONFIG.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

d. Use the ls -l command to list the contents of the /var/lib/ldap directory.

Note that the current owner and group is root. Both the owner and the group need to be changed to ldap.

# ls -l /var/lib/ldap
-rw-r--r--. 1 root root ... DB_CONFIG

e. Use the chown -R command to change both the owner and group of the /var/lib/ldap directory to ldap.

# chown -R ldap.ldap /var/lib/ldap

f. Use the ls -l command to show the new owner and group.

Note that the owner and group are now set to ldap.

# ls -l /var/lib/ldap
-rw-r--r--. 1 ldap ldap ... DB_CONFIG

4. Start the slapd service.

a. Use the systemctl command to enable and start the slapd service.

# systemctl enable slapd
ln -s /usr/lib/systemd/system/slapd.service /etc/systemd/system/multi-user.target.wants/slapd.service
# systemctl start slapd
b. Use the ls -l command to list the contents of the /var/lib/ldap directory.

Note that the initial database now exists.

# ls -l /var/lib/ldap
-rw-r--r--. 1 ldap ldap ... alock
-rw-------. 1 ldap ldap ... __db.001
-rw-------. 1 ldap ldap ... __db.002
-rw-------. 1 ldap ldap ... __db.003
-rw-r--r--. 1 ldap ldap ... DB_CONFIG
-rw-------. 1 ldap ldap ... dn2id.bdb
-rw-------. 1 ldap ldap ... id2entry.bdb
-rw-------. 1 ldap ldap ... log.0000000001
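Steps 3 and 4 leave /var/lib/ldap owned by ldap with a DB_CONFIG in it, and slapd runs as that user. The added example below (not from the guide) checks a directory for that state: DB_CONFIG present, every entry owned by the expected user and group, nothing writable by group or others. It builds a temporary stand-in directory rather than touching /var/lib/ldap, so it runs unprivileged; the expected owner and group are passed in because the service account differs per system.

```sh
# Added example: verify the ownership and permission state of an OpenLDAP data
# directory. The directory checked by the demo is a temporary one created here,
# standing in for /var/lib/ldap; its DB_CONFIG lines are constructed.

# ldap_dir_problems DIR OWNER GROUP: print one line per finding, nothing when
# the directory is in the expected state. Findings are
#   missing DIR/DB_CONFIG   slapd would start with Berkeley DB's built-in defaults
#   owner PATH              not owned by OWNER:GROUP (the account slapd runs as)
#   writable PATH           writable by group or others
ldap_dir_problems() {
    [ -f "$1/DB_CONFIG" ] || echo "missing $1/DB_CONFIG"
    find "$1" -exec ls -ld {} \; | awk -v owner="$2" -v group="$3" '
        $3 != owner || $4 != group                          { print "owner", $NF; next }
        substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w"  { print "writable", $NF }'
}

# make_sample_dir: build the stand-in directory the way steps 3 and 4 leave
# /var/lib/ldap (mode 700 directory, mode 644 DB_CONFIG); prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'set_cachesize 0 268435456 1\nset_lg_regionmax 262144\n' > "$d/DB_CONFIG"
    chmod 700 "$d"
    chmod 644 "$d/DB_CONFIG"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
me=$(id -un)
grp=$(id -gn)
echo "checking $sample as $me:$grp"
ldap_dir_problems "$sample" "$me" "$grp"
echo "done"
rm -rf "$sample"
```

On host03 the call would be `ldap_dir_problems /var/lib/ldap ldap ldap`; a `writable` finding on one of the __db.* or *.bdb files means another local user could corrupt or read the directory database behind slapd's back.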

5. View the /etc/openldap directory.

a. Use the cd command to change to the /etc/openldap directory.

Note that, in this version of OpenLDAP, there is no slapd.conf file. Instead, there is a configuration database, which is located in the slapd.d directory.

# cd /etc/openldap
# ls -l
drwxr-xr-x. 2 root root ... certs
-rw-r--r--. 1 root root ... check_password.conf
-rw-r--r--. 1 root root ... ldap.conf
drwxr-xr-x. 2 root root ... schema
drwx------. 3 ldap ldap ... slapd.d

b. Use the cd command to change to the slapd.d directory. Use the ls -l command to display the contents of the directory.

# cd slapd.d
# ls -l
drwxr-x---. 3 ldap ldap ... cn=config
-rw-------. 1 ldap ldap ... cn=config.ldif

c. Use the cd command to change to the cn=config directory. Use the ls -l command to display the contents of the configuration directory.

# cd cn=config
# ls -l
drwxr-x---. 2 ldap ldap ... cn=schema
-rw-------. 1 ldap ldap ... cn=schema.ldif
-rw-------. 1 ldap ldap ... olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap ... olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap ... olcDatabase={1}monitor.ldif
-rw-------. 1 ldap ldap ... olcDatabase={2}hdb.ldif
6. Update the OpenLDAP configuration database domain component.

The default is dc=my-domain,dc=com. Change all occurrences to dc=example,dc=com.

Use the grep command to search for the my-domain string in all files in the configuration directory. Note that the following files contain the my-domain string:
- olcDatabase={1}monitor.ldif
- olcDatabase={2}hdb.ldif

Change each occurrence of my-domain to example.

# grep my-domain *
grep: cn=schema: Is a directory
olcDatabase={1}monitor.ldif: ,cn=auth read by dn.base=cn=Manager,dc=my-domain,dc=com read by * none
olcDatabase={2}hdb.ldif:olcSuffix: dc=my-domain,dc=com
olcDatabase={2}hdb.ldif:olcRootDN: cn=Manager,dc=my-domain,dc=com
7. Update the Database Suffix.

a. Use the cat command to view the olcDatabase={2}hdb.ldif file.

The .ldif extension begins with the lowercase letter l, not the number 1.

Note the comment, DO NOT EDIT!! Use ldapmodify. A hand edit is not seen by the running slapd, and the file is rewritten whenever the configuration is changed through LDAP, so a direct edit can be lost or leave the file inconsistent.

Note that there are two parameters that contain the dc=my-domain string: olcRootDN and olcSuffix.

# cat olcDatabase={2}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
...
olcRootDN: cn=Manager,dc=my-domain,dc=com
...
olcSuffix: dc=my-domain,dc=com
...
...
b. Use the cp command to make a backup copy of the olcDatabase={2}hdb.ldif file.

# cp olcDatabase={2}hdb.ldif hdb_BAK

c. Use the ldapmodify command to set the Database Suffix.

The -Q option means Enable SASL Quiet mode. Never prompt.

SASL is Simple Authentication and Security Layer.
It is a framework for authentication and data security in Internet protocols.
It decouples authentication mechanisms from application protocols, allowing you
to use any authentication mechanism supported by SASL.


The -Y EXTERNAL option specifies the SASL mechanism to be used for
authentication.
A SASL mechanism implements a series of challenges and responses.

EXTERNAL means authentication is implicit in the context (for example, for
protocols already using IPsec or Transport Layer Security).

The -H ldapi:/// option specifies URI(s) referring to the ldap server(s). Only the
protocol/host/port fields are allowed. A list of URIs separated by whitespace or
commas is expected.
LDAPI allows LDAP connections to run over IPC connections, meaning the
LDAP operations can run over UNIX sockets.

Over ldapi:///, EXTERNAL takes the client identity from the UNIX socket peer credentials, so a root shell is authenticated as gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth. That is the DN the olcAccess rules of cn=config grant management access to, which is why no password is needed here and why these commands must be run as root on the server itself.

After issuing the ldapmodify command, the prompt changes to >.

Enter the entries as shown.

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcSuffix
> olcSuffix: dc=example,dc=com
> EOF

Press the Enter key after entering EOF.

This terminates the ldapmodify command and displays the following message:

Modifying entry olcDatabase={2}hdb,cn=config

d. Use the ldapmodify command to set the Database RootDN.

After issuing the ldapmodify command, the prompt changes to >.

Enter the entries as shown.

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcRootDN
> olcRootDN: cn=Manager,dc=example,dc=com
> EOF

Press the Enter key after entering EOF.

This terminates the ldapmodify command and displays the following message:

Modifying entry olcDatabase={2}hdb,cn=config


e. Use the diff command to view the differences between the olcDatabase={2}hdb.ldif file and the hdb_BAK file.

Ensure the differences in olcSuffix and olcRootDN match the following.

If not, repeat steps 7c and 7d as needed to make the corrections.

Ignore the other differences such as entryCSN, modifiersName, and modifyTimestamp.

Lines marked < come from the current file, lines marked > from the backup.

# diff olcDatabase={2}hdb.ldif hdb_BAK
...
< olcSuffix: dc=example,dc=com
< olcRootDN: cn=Manager,dc=example,dc=com
---
> olcSuffix: dc=my-domain,dc=com
> olcRootDN: cn=Manager,dc=my-domain,dc=com
...

f. Use the grep command to search for the my-domain string in all files in this directory.

Note that one database file still contains the my-domain string: olcDatabase={1}monitor.ldif

Ignore the occurrences in the hdb_BAK file.

# grep my-domain *
grep: cn=schema: Is a directory
hdb_BAK:olcSuffix: dc=my-domain,dc=com
hdb_BAK:olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDatabase={1}monitor.ldif: ,cn=auth read by dn.base=cn=Manager,dc=my-domain,dc=com read by * none
8. Update the Database Access.

a. Use the cat command to view the olcDatabase={1}monitor.ldif file.

Note the comment to use ldapmodify to edit this file.

Note that there is one parameter that contains the dc=my-domain string: olcAccess.

The my-domain value for this olcAccess parameter needs to be changed to example. The value is one logical line; it is wrapped here for display.

# cat olcDatabase={1}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
...
olcAccess: {0}to * by
dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
read by dn.base=cn=Manager,dc=my-domain,dc=com read by * none
...

b. Use the cp command to make a backup copy of the olcDatabase={1}monitor.ldif file.

# cp olcDatabase={1}monitor.ldif monitor_BAK


c. Use the ldapmodify command to set the Database Access.

After issuing the ldapmodify command, the prompt changes to >.

Enter the entries as shown. The olcAccess value must be typed as a single line; it is wrapped here only for display.

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
> dn: olcDatabase={1}monitor,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read by dn.base=cn=Manager,dc=example,dc=com read by * none
> EOF

Press the Enter key after entering EOF.

This terminates the ldapmodify command and displays the following message:

Modifying entry olcDatabase={1}monitor,cn=config
h
)
o
c ide

d. Use the diff command to view the differences between the olcDatabase={1}monitor.ldif file and the monitor_BAK file.

Ensure the differences in olcAccess match the following.

If not, repeat step 8c to make the correction.

Ignore the other differences such as entryCSN, modifiersName, and modifyTimestamp.

Lines marked < come from the current file, lines marked > from the backup. Each olcAccess value is one line, wrapped here for display.

# diff olcDatabase={1}monitor.ldif monitor_BAK
...
< olcAccess: {0}to * by dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read by dn.base=cn=Manager,dc=example,dc=com read by * none
---
> olcAccess: {0}to * by dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read by dn.base=cn=Manager,dc=my-domain,dc=com read by * none
...


e.

Use the grep command to search for the my-domain string in all files in this
directory.
Note that no database files now contain the my-domain string.


Ignore the occurrences in the _BAK files.


# grep my-domain *
grep: cn=schema: Is a directory
hdb_BAK:olcSuffix: dc=my-domain,dc=com
hdb_BAK:olcRootDN: cn=Manager,dc=my-domain,dc=com
monitor_BAK: ,cn=auth read by dn.base=cn=Manager,dc=my-domain,dc=com read by * none
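Steps 6 through 8 rename the suffix by hand, one attribute at a time, after locating the references with grep. The following Python script is an added example written for this page; it is not part of the course material or of OpenLDAP. It unfolds LDIF continuation lines (which plain grep does not do, as the ",cn=auth" fragment above shows), reports every attribute in a cn=config LDIF file whose value still refers to the old suffix, and emits the change records that ldapmodify expects, so the slapd.d files are never edited directly. The two embedded LDIF samples are constructed to mirror the olcDatabase={2}hdb.ldif and olcDatabase={1}monitor.ldif files shown above; the glob path in the main block assumes the default slapd.d location.

```python
"""Generate ldapmodify input to rename an OpenLDAP suffix in cn=config.

Added example: not part of the course or of OpenLDAP. Reads slapd.d LDIF
files, unfolds continuation lines, and prints change records. Feed the
output to: ldapmodify -Q -Y EXTERNAL -H ldapi:///
"""
import base64
import glob
import sys

OLD_SUFFIX = "dc=my-domain,dc=com"
NEW_SUFFIX = "dc=example,dc=com"

# Constructed samples modelled on the two files edited in steps 6-8.
# The olcAccess value is deliberately folded across two lines: LDIF wraps
# long values and marks a continuation line with one leading space.
HDB_SAMPLE = """dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
"""

MONITOR_SAMPLE = """dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
"""


def unfold_ldif(text):
    """Return (dn, [(attribute, value), ...]) with folded lines rejoined
    and base64 ('::') values decoded. Comments and blank lines are skipped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation: drop the fold space
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    dn, attrs = None, []
    for line in logical:
        name, sep, value = line.partition(": ")
        if not sep:
            continue
        if name.endswith(":"):              # 'attr:: <base64>'
            name, value = name[:-1], base64.b64decode(value).decode()
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return dn, attrs


def suffix_references(text, old=OLD_SUFFIX):
    """Names of attributes whose (unfolded) value mentions the old suffix."""
    _, attrs = unfold_ldif(text)
    return [name for name, value in attrs if old in value]


def rename_suffix_ldif(text, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Build one LDIF modify record replacing every affected attribute.
    Returns "" when the file does not reference the old suffix."""
    dn, attrs = unfold_ldif(text)
    changes = [(n, v.replace(old, new)) for n, v in attrs if old in v]
    if not changes or dn is None:
        return ""
    # slapd.d files store the DN relative to cn=config; ldapmodify needs the full DN.
    out = ["dn: %s,cn=config" % dn, "changetype: modify"]
    for name, value in changes:
        out += ["replace: %s" % name, "%s: %s" % (name, value), "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 rename_suffix.py [old-suffix new-suffix] | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    old, new = (sys.argv[1:3] if len(sys.argv) == 3 else (OLD_SUFFIX, NEW_SUFFIX))
    for path in sorted(glob.glob("/etc/openldap/slapd.d/cn=config/olcDatabase=*.ldif")):
        with open(path) as fh:
            record = rename_suffix_ldif(fh.read(), old, new)
        if record:
            sys.stdout.write(record + "\n")
```

Run it as root on the server and pipe the output into ldapmodify with the same -Q -Y EXTERNAL -H ldapi:/// options used above; run it again afterwards with no pipe and it should print nothing, which is the same check that the final grep in step 8e performs, but on the unfolded values.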

9. Create a hashed user password.

a. Use the slappasswd command to create a hashed (the course calls it encrypted) user password.

Enter a password of oracle.

Note that the hashed password is displayed. This is a sample only; yours is different, because slappasswd adds a random salt before hashing.

# slappasswd
New password: oracle
Re-enter new password: oracle
{SSHA}CsLkwW6B9+yBlzrGuHBdIT0z2Mj4q4l+

b. Select the hashed password and copy it into the buffer.

Highlight the hashed password as shown.

With the hashed password highlighted, select Edit > Copy from the terminal window menu.

10. Use the ldapmodify command to set the olcRootPW directive.

You are adding this new directive to the olcDatabase={2}hdb.ldif file. olcRootPW is the password of the olcRootDN, which bypasses all access controls on that database, so keep the file permissions from step 5c and use a strong value outside the lab.

After issuing the ldapmodify command, the prompt changes to >.

a. Enter the entries as shown.

Ensure that you include a space after the olcRootPW: directive.

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcRootPW
> olcRootPW: 

b. Paste the hashed password from the buffer by selecting Edit > Paste from the terminal window menu.

The olcRootPW: directive appears as follows:

> olcRootPW: {SSHA}CsLkwW6B9+yBlzrGuHBdIT0z2Mj4q4l+

c. Press the Enter key twice to add a blank line.

The final entry is EOF. The complete list of commands is shown:

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcRootPW
> olcRootPW: {SSHA}CsLkwW6B9+yBlzrGuHBdIT0z2Mj4q4l+
>
> EOF

d. Press the Enter key after entering EOF.

This terminates the ldapmodify command and displays the following message:

Modifying entry olcDatabase={2}hdb,cn=config
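The {SSHA} value printed by slappasswd in step 9 is a salted SHA-1: the base64 text encodes the 20-byte SHA-1 digest of the password followed by the salt, with the salt appended after the digest so that a verifier can recover it. The following Python code is an added example written for this page, not the course's or OpenLDAP's own code. It produces hashes in the same format and checks a password against one, which lets you confirm the olcRootPW value set in step 10 without binding to the server. It assumes the 4-byte salt that slappasswd uses by default. Keep in mind that SHA-1 with a single iteration is cheap to brute-force; for anything beyond a lab, prefer a crypt(3) scheme (for example slappasswd -h '{CRYPT}' -c '$6$%.16s' for sha512-crypt).

```python
"""Create and verify OpenLDAP {SSHA} password hashes offline.

Added example, not from the course or from OpenLDAP. Format produced by
'slappasswd' by default: "{SSHA}" + base64(sha1(password + salt) + salt).
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 4                              # slappasswd's default salt size (assumption)
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def ssha_hash(password, salt=None):
    """Return an {SSHA} hash; a random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Split an {SSHA} value into (digest, salt); raises ValueError on bad input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to contain a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """True when password matches stored; constant-time digest comparison."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Same prompts as slappasswd; prints the hash to paste into olcRootPW.
    import getpass
    pw = getpass.getpass("New password: ")
    if pw != getpass.getpass("Re-enter new password: "):
        raise SystemExit("passwords do not match")
    print(ssha_hash(pw))
```

To check the value you stored in step 10, copy the olcRootPW line from olcDatabase={2}hdb.ldif (as root) and call ssha_verify("oracle", value); a True result proves that the pasted hash belongs to the password you typed, without exposing it on the command line of ldapwhoami.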
11. Load the standard schemas.

The standard schemas are provided as LDIF files, which can be loaded by using the ldapadd command.

The standard schema files are located in the /etc/openldap/schema directory.

a. Use the ls command to view the contents of the /etc/openldap/schema directory.

Each one is offered in both the original LDAP schema form and in LDIF.

# ls /etc/openldap/schema
collective.ldif    cosine.schema   java.ldif    openldap.schema
collective.schema  duaconf.ldif    java.schema  pmi.ldif
...

b. Use the ldapadd command to load the following schemas.

core, cosine, inetorgperson, nis

These four schemas define the basic objects and attributes needed to describe a typical organization.

Use the -f <filename> option for each schema.

Ignore any Duplicate attributeType messages. They mean that the schema element is already present in cn=schema.

# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
adding new entry cn=core,cn=schema,cn=config
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
adding new entry cn=cosine,cn=schema,cn=config
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
adding new entry cn=inetorgperson,cn=schema,cn=config
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
adding new entry cn=nis,cn=schema,cn=config
12. Add users and groups to host03.

This step populates the /etc/passwd and /etc/group files that are used later in this practice.

a. Use the useradd command to add users as follows. The GECOS comment contains a space, so quote it.

# useradd -c "Oracle Student1" student1
# useradd -u 1005 -c "Oracle Student2" -s /bin/sh student2
# useradd -c "Oracle Student3" -s /bin/sh student3
# useradd new_user

b. Use the passwd command to create a password (of password) for the student1 user.

Ignore the BAD PASSWORD warning, continuing to use password as the password. pam_pwquality only warns when root sets a password; it would reject this value for an ordinary user. Such a password is acceptable in the lab only.

# passwd student1
Changing password for user student1.
New password: password
BAD PASSWORD: The password fails the dictionary check ...
Retype new password: password
passwd: all authentication tokens updated successfully.

c. Use the groupadd command to add the students group.

# groupadd students

d. Use the tail /etc/group command to obtain the GID for the students group.

The output shows that the GID for the students group is 1008.

# tail /etc/group
...
students:x:1008:

e. Use the usermod command to add the oracle, student1, and student2 users to the students group.

Repeat the tail /etc/group command to view the changes.

# usermod -aG 1008 oracle
# usermod -aG 1008 student1
# usermod -aG 1008 student2
# tail /etc/group
...
students:x:1008:oracle,student1,student2
13. Configure the base domain and test the LDAP server.

a. Use the cd command to change to the /etc/openldap directory.

# cd /etc/openldap

b. Use the vi editor to create the base.ldif file as follows.

Note: A sample base.ldif file exists on dom0 in the /OVS/seed_pool/sfws directory.

You can create the base.ldif file as follows by using the vi command, or you can use the sftp command and copy /OVS/seed_pool/sfws/base.ldif from dom0 to /etc/openldap/base.ldif on host03. See your instructor if you need help in using the sftp command.

# vi base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

c. Use the ldapadd command to add the base information to the LDAP directory.

The -x option uses simple authentication instead of SASL.

The -W option prompts for the simple-bind password. This is used instead of specifying the password on the command line (with -w), where it would be visible in the process list and the shell history.

The -D cn=Manager,dc=example,dc=com option uses the Distinguished Name (DN) to bind to the LDAP directory. For SASL binds, the server ignores this option.

The LDAP password is oracle. Because no -H option is given, ldapadd uses the URI from /etc/openldap/ldap.conf, which defaults to ldap://localhost, so this simple bind travels over plain TCP to port 389 on host03 itself.

# ldapadd -x -W -D cn=Manager,dc=example,dc=com -f base.ldif
Enter LDAP Password: oracle
adding new entry dc=example,dc=com
adding new entry ou=People,dc=example,dc=com
adding new entry ou=Group,dc=example,dc=com

d. Use the ldapsearch command to test the LDAP server.

# ldapsearch -x -b dc=example,dc=com
...
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

# People, example.com
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.com
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3


14. Update the migrate_common.ph file for the correct domain.

a. Use the vi editor to edit the /usr/share/migrationtools/migrate_common.ph file.

Use the :set nu command to turn on line numbers.

# vi /usr/share/migrationtools/migrate_common.ph
...
:set nu

b. At around line number 71, change the value of $DEFAULT_MAIL_DOMAIN from padl.com to example.com.

$DEFAULT_MAIL_DOMAIN = "padl.com";      (old value)
$DEFAULT_MAIL_DOMAIN = "example.com";   (new value)

c. At around line number 74, change dc=padl to dc=example.

$DEFAULT_BASE = "dc=padl,dc=com";       (old value)
$DEFAULT_BASE = "dc=example,dc=com";    (new value)

d. Save the migrate_common.ph file and exit vi.

15. Migrate the users.

a. Use the grep command to list users in the /etc/passwd file with a UID in the 1000-1009 range.

The purpose of step 12 was to populate this file as shown.

Do not be concerned if your entries do not match exactly.

# grep :100[0-9] /etc/passwd
oracle:x:1000:1000:Oracle Student:/home/oracle:/bin/bash
student1:x:1001:1001:Oracle Student1:/home/student1:/bin/bash
student2:x:1005:1005:Oracle Student2:/home/student2:/bin/sh
student3:x:1006:1006:Oracle Student3:/home/student3:/bin/sh
new_user:x:1007:1007::/home/new_user:/bin/bash

b. Run the same command but redirect the output to passwd.

# grep :100[0-9] /etc/passwd > passwd

c. Run the migrate_passwd.pl command to migrate user information in the passwd file into LDIF format.

Redirect the output to users.ldif.

Use the absolute path name with the command because the /usr/share/migrationtools directory is not in your path.

migrate_passwd.pl reads the password hashes of these users from /etc/shadow, so users.ldif contains them as userPassword values; protect the file like /etc/shadow and remove it once it has been imported.

# /usr/share/migrationtools/migrate_passwd.pl passwd > users.ldif

d. Use the ldapadd command to import the user information to the LDAP directory.

The LDAP password is oracle.

# ldapadd -x -W -D cn=Manager,dc=example,dc=com -f users.ldif
Enter LDAP Password: oracle
adding new entry uid=oracle,ou=People,dc=example,dc=com
adding new entry uid=student1,ou=People,dc=example,dc=com
adding new entry uid=student2,ou=People,dc=example,dc=com
adding new entry uid=student3,ou=People,dc=example,dc=com
adding new entry uid=new_user,ou=People,dc=example,dc=com

e. Use the ldapsearch command to display the new oracle user entry in the LDAP server.

The common name (cn) is Oracle Student. The filter contains a space, so quote it.

# ldapsearch -x "cn=Oracle Student" -b dc=example,dc=com
...
# oracle, People, example.com
dn: uid=oracle,ou=People,dc=example,dc=com
uid: oracle
cn: Oracle Student
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0...
shadowLastChange: ...
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/oracle
gecos: Oracle Student

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Note that this search was anonymous (-x without -D), yet the server returned the userPassword attribute: the base64 value e2NyeXB0... decodes to the {crypt} hash copied from /etc/shadow. The hdb database has no olcAccess rules of its own, so slapd's default of read access for everyone applies. Outside the lab, add an olcAccess rule to olcDatabase={2}hdb,cn=config that restricts userPassword (to attrs=userPassword by self write by anonymous auth by * none) ahead of the catch-all read rule.


16. Migrate the user groups.

a. Use the grep command to list groups in the /etc/group file with a GID in the 1000-1009 range.

This was the purpose of step 12, to populate this file as shown.
Do not be concerned if your entries do not match exactly.

# grep :100[0-9] /etc/group
oracle:x:1000:oracle
student1:x:1001:
student2:x:1005:
student3:x:1006:
new_user:x:1007:
students:x:1008:oracle,student1,student2

b. Run the same command but redirect the output to group.

# grep :100[0-9] /etc/group > group

c. Run the migrate_group.pl command to migrate group information in the group file into LDIF format.

Redirect the output to group.ldif.

Use the absolute path name with the command because the /usr/share/migrationtools directory is not in your path.

# /usr/share/migrationtools/migrate_group.pl group > group.ldif

d. Use the ldapadd command to import the group information to the LDAP directory.

The LDAP password is oracle.

# ldapadd -x -W -D cn=Manager,dc=example,dc=com -f group.ldif
Enter LDAP Password: oracle
adding new entry cn=oracle,ou=Group,dc=example,dc=com
adding new entry cn=student1,ou=Group,dc=example,dc=com
adding new entry cn=student2,ou=Group,dc=example,dc=com
adding new entry cn=student3,ou=Group,dc=example,dc=com
adding new entry cn=new_user,ou=Group,dc=example,dc=com
adding new entry cn=students,ou=Group,dc=example,dc=com

e. Use the ldapsearch command to display the new students group entry in the LDAP server.

# ldapsearch -x cn=students -b dc=example,dc=com
...
# students, Group, example.com
dn: cn=students,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: students
userPassword:: e2NyeXB0...
gidNumber: 1008
memberUid: oracle
memberUid: student1
memberUid: student2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
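The migrate_passwd.pl and migrate_group.pl scripts used in steps 15 and 16 turn passwd and group lines into posixAccount and posixGroup entries. The following Python code is an added example written for this page, not the migrationtools code. It performs the same conversion for the UID and GID range selected above, including the userPassword:: line (base64 of "{crypt}" followed by the shadow hash) that appears in the ldapsearch output. The passwd, group and shadow data embedded in it are constructed from the entries shown in this practice; falling back to the login name for cn when the GECOS field is empty, and omitting userPassword for locked accounts, are this example's own choices.

```python
"""Convert passwd/group lines to LDIF for ou=People / ou=Group.

Added example, not the migrationtools scripts. Mirrors what
migrate_passwd.pl and migrate_group.pl produce for the entries in this
practice. Usage: python3 migrate.py passwd group [shadow] > all.ldif
"""
import base64
import sys

BASE = "dc=example,dc=com"

# Constructed samples, modelled on the grep output in steps 15a and 16a.
PASSWD_SAMPLE = """oracle:x:1000:1000:Oracle Student:/home/oracle:/bin/bash
student1:x:1001:1001:Oracle Student1:/home/student1:/bin/bash
new_user:x:1007:1007::/home/new_user:/bin/bash
"""
GROUP_SAMPLE = """oracle:x:1000:oracle
students:x:1008:oracle,student1,student2
"""
# Constructed shadow lines: the hash for 'oracle' is a placeholder, and
# student1 is locked ('!!'), as a new account without a password is.
SHADOW_SAMPLE = """oracle:$6$constructedsalt$constructedhash:16700:0:99999:7:::
student1:!!:16700:0:99999:7:::
"""


def parse_shadow(text):
    """Map login name -> hash field from shadow-format lines."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            name, pw_hash = line.split(":", 2)[:2]
            result[name] = pw_hash
    return result


def b64(value):
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def passwd_to_ldif(passwd_text, shadow=None, base=BASE):
    """posixAccount entries under ou=People, one per passwd line."""
    shadow = shadow or {}
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        attrs = [
            "dn: uid=%s,ou=People,%s" % (name, base),
            "uid: %s" % name,
            "cn: %s" % (gecos or name),   # fall back to the login name when GECOS is empty
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
        ]
        pw_hash = shadow.get(name, "")
        if pw_hash and not pw_hash.startswith(("!", "*")):   # skip locked/disabled accounts
            attrs.append("objectClass: shadowAccount")
            # LDIF base64 form ('::'), as migrate_passwd.pl writes it
            attrs.append("userPassword:: " + b64("{crypt}" + pw_hash))
        attrs += [
            "loginShell: %s" % shell,
            "uidNumber: %s" % uid,
            "gidNumber: %s" % gid,
            "homeDirectory: %s" % home,
        ]
        if gecos:
            attrs.append("gecos: %s" % gecos)
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


def group_to_ldif(group_text, base=BASE):
    """posixGroup entries under ou=Group, with one memberUid per member."""
    entries = []
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _, gid, members = line.split(":")
        attrs = [
            "dn: cn=%s,ou=Group,%s" % (name, base),
            "objectClass: posixGroup",
            "objectClass: top",
            "cn: %s" % name,
            "gidNumber: %s" % gid,
        ] + ["memberUid: %s" % m for m in members.split(",") if m]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    if len(sys.argv) < 3:
        raise SystemExit("usage: migrate.py PASSWD GROUP [SHADOW]")
    shadow_map = parse_shadow(open(sys.argv[3]).read()) if len(sys.argv) > 3 else {}
    sys.stdout.write(passwd_to_ldif(open(sys.argv[1]).read(), shadow_map))
    sys.stdout.write("\n")
    sys.stdout.write(group_to_ldif(open(sys.argv[2]).read()))
```

The generated LDIF loads with the same ldapadd -x -W -D cn=Manager,dc=example,dc=com -f command used in steps 15d and 16d. Because the entries carry password hashes, treat the output file like /etc/shadow: create it with a restrictive umask and delete it after the import.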
17. Trust the LDAP service for firewalld.

a. Use the firewall-cmd command to permanently permit access by LDAP clients for the public zone.

The ldap service opens TCP port 389 only. The clients configured in the next two practices use ldap:// URIs on that port (with STARTTLS when TLS is selected), so the separate ldaps service on port 636 is not needed here.

# firewall-cmd --permanent --zone=public --add-service=ldap
success

b. Use the systemctl command to restart the firewalld service. (firewall-cmd --reload also applies the permanent configuration, without restarting the daemon.)

# systemctl restart firewalld

c. Use the firewall-cmd command to list everything for the active zone.

Note that the ldap service is trusted.

# firewall-cmd --list-all
public (default, active)
...
services: dhcpv6-client ldap ssh
...


Practice 3-2: Implementing OpenLDAP Authentication

Overview
In this practice, you use the Authentication Configuration Tool to implement OpenLDAP authentication.

Assumptions

Ensure that you are using vncviewer to connect to host03 and not using ssh.

You are the root user on the host03 VM.

Tasks
1. From host03, use the yum command to install the authconfig-gtk software package.

This package provides the system-config-authentication utility.

Answer y when prompted Is this ok.

# yum install authconfig-gtk
...
Transaction Summary
==============================================================
Install 1 Package

Total download size: 105 k
Installed size: 247 k
Is this ok [y/d/N]: y
...
Complete!


2. Open the Authentication Configuration Tool by running the system-config-authentication command.

# system-config-authentication

The GUI appears. (Screenshot not reproduced.)
3.

Make the following changes.


a.

Select LDAP from the User Account Database drop-down list.

The following dialog box is displayed.


b. Click Install.
The following dialog box is displayed.

c. Click Install.

The following dialog box is displayed.

Do not click Install. This dialog box closes when you select LDAP password as the Authentication Method in the next step.

d. Continue entering the following information.

Enter dc=example,dc=com as the LDAP Search Base DN.

Enter ldap://host03.example.com as the LDAP Server.

Click Use TLS to encrypt connections. With an ldap:// URL this means STARTTLS on port 389; the client must trust the certificate that slapd presents, otherwise binds fail.

Select LDAP password as the Authentication Method.


Ensure that your screen is configured as described above.

e. Click Apply to save your changes.

After a few seconds, the Authentication Configuration Tool closes.


4.

Run the authconfig --test command to view the authentication settings.


# authconfig --test
caching is disabled
...
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = ldap://host03.example.com
LDAP base DN = dc=example,dc=com
nss_nis is disabled
...
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = ldap://host03.example.com
LDAP base DN = dc=example,dc=com
...


Practice 3-3: Authenticating from an OpenLDAP Client

Overview
In this practice, you:
Install the OpenLDAP client packages
Configure the OpenLDAP client
Log in as an OpenLDAP user to test LDAP authentication
Disable OpenLDAP authentication
You begin this practice by opening a second terminal window on dom0 and logging in to host01 as the root user.

Assumptions

This practice is performed on the host01 and host03 VMs.

You are currently logged in to host03.

Tasks
1. Log in to the host01 VM guest from dom0.

a. If necessary, open a second terminal window on dom0.

b. From the second terminal window on dom0, use the su - command to become the root user.

The root password is oracle.

$ su -
Password: oracle
#

c. As the root user on dom0, use the ssh command to log in to host01.

The root password is oracle (all lowercase).

[dom0]# ssh host01
root@host01's password: oracle
Last login: ...
[host01]#

2. Attempt to log in as user student1.

a. From host01, use the su student1 command to attempt to log in as user student1.

Note that user student1 is not a valid user on host01.

# su student1
su: user student1 does not exist


b. Use the grep command to search for user student1 in the local /etc/passwd file.

The command produces no output, indicating that student1 is not a local user on host01.

# grep student1 /etc/passwd

3. Install the authentication packages on host01.

a. Use the yum command to install the openldap-clients package.

Answer y when prompted Is this ok.

You are asked about the GPG key only the first time you use the yum install command.

# yum install openldap-clients
...
Transaction Summary
=============================================================
Install 1 Package

Total download size: 183 k
Installed size: 575 k
Is this ok [y/d/N]: y
...
Retrieving key from http://192.0.2.1/repo/OracleLinux/OL7/1/...
...
Is this ok [y/N]: y
...
Complete!

b. Use the yum command to install the nss-pam-ldapd package.

Answer y when prompted Is this ok.

Note that the nscd package is installed as a dependency.

# yum install pam_ldap
...
Transaction Summary
=============================================================
Install 1 Package (+1 Dependent package)
Total download size: 413 k
Installed size: 586 k
Is this ok [y/d/N]: y
...
Complete!
4.

Configure the /etc/openldap/ldap.conf file on host01.


a.

Use the cd command to change to the /etc/openldap directory.



Use the ls -l command to display the contents of the directory.

# cd /etc/openldap
# ls -l
drwxr-xr-x. 2 root root ... certs
-rw-r--r--. 1 root root ... ldap.conf

b. Use the vi editor to make the following changes to the ldap.conf file.

Uncomment the lines by removing the # character.

Change the IP address for the URI directive to the IP address of host03.

# vi ldap.conf
BASE    dc=example,dc=com
URI     ldap://192.0.2.103/
5.

Configure the /etc/nslcd.conf file on host01.

This is the configuration file for the Naming Services LDAP Client Daemon.

a. Use the cd command to change to the /etc directory.

# cd /etc

b. Use the vi editor to edit the nslcd.conf file.

Use the :set nu command to turn on line numbers.

# vi nslcd.conf
...
:set nu

c. At around line number 18, make the following change.

uri ldap://127.0.0.1/     (old value)
uri ldap://192.0.2.103/   (new value)

This URI uses plain LDAP, so the simple binds that nslcd performs send passwords across the network in clear text. Outside the lab, add ssl start_tls to nslcd.conf and point tls_cacertfile at the CA that issued the server certificate.

d. At around line number 25, view the base setting.

You do not need to change the base setting.

base dc=example,dc=com

e. Save the /etc/nslcd.conf file and exit vi.

6. Configure the /etc/pam.d/system-auth file on host01.


a.

Use the cd command to change to the /etc/pam.d directory.


# cd /etc/pam.d

b.

Use the cp command to make a backup copy of the system-auth file.

This backup file is used later in this practice to restore the original configuration.
# cp system-auth system-auth.BAK

c.

Use the vi editor to make the following changes to the system-auth file. In the first
section (lines beginning with auth) of the file, add the following bold line in the location
as shown.


Note: A sample system-auth file exists on dom0 in the /OVS/seed_pool/sfws directory.
You can edit the system-auth file as follows by using the vi command, or you can use the sftp command and copy /OVS/seed_pool/sfws/system-auth from dom0 to /etc/pam.d/system-auth on host01. See your instructor if you need help in using the sftp command.

You must make several changes to this file. Do not exit the vi editor until step 6g.
# vi system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is ...
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet...
auth        sufficient    pam_ldap.so use_first_pass                  (new entry)
auth        required      pam_deny.so

d. In the second section of the file (lines beginning with account), add the line marked (new entry) in the location as shown. Ensure that the new entry is on a single line.
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so  (new entry)
account     required      pam_permit.so
e. In the third section of the file (lines beginning with password), add the line marked (new entry) in the location as shown.
password    requisite     pam_pwquality.so try_first_pass ...
password    sufficient    pam_unix.so sha512 shadow nullok ...
password    sufficient    pam_ldap.so use_authtok                     (new entry)
password    required      pam_deny.so
f. In the fourth section of the file (lines beginning with session), add the two lines marked (new entry) in the location as shown. Ensure that the two new entries are each on a separate single line.
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so ...
session     required      pam_unix.so
session     optional      pam_ldap.so                                 (new entry)
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077   (new entry)
g. Save the file and exit vi.

7. Configure the /etc/nsswitch.conf file on host01.


a. Use the cd command to change to the /etc directory.
# cd /etc
b. Use the vi editor to remove sss and add ldap to the passwd, shadow, and group directives as shown.
# vi nsswitch.conf
passwd:     files sss      (old entry)
shadow:     files sss      (old entry)
group:      files sss      (old entry)
passwd:     files ldap     (new entry)
shadow:     files ldap     (new entry)
group:      files ldap     (new entry)
c. Save the file and exit vi.

8. Configure the /etc/sysconfig/authconfig file on host01.
a. Use the cd command to change to the /etc/sysconfig directory.
# cd /etc/sysconfig
b. Use the vi editor to edit the authconfig file and change USELDAP=no to USELDAP=yes as shown.
# vi authconfig
USELDAP=no     (old entry)
USELDAP=yes    (new entry)

9. Use the systemctl command to start the nslcd service on host01.
# systemctl start nslcd
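As an added check (example code written for this edit, not part of the Oracle guide), the following script audits the four files edited in steps 5 to 8 for the settings this practice expects, against a constructed sample tree by default or a live host01 when AUDIT_ROOT=/ is set. The file contents it writes are constructed samples; the LDAP URI and base are the ones used in the practice.

```shell
#!/bin/bash
# Added example, not part of the Oracle activity guide: audit the settings that
# steps 5 to 8 change on the LDAP client, reading them under a chosen root so
# that a constructed sample tree can be checked offline (set AUDIT_ROOT=/ for
# a live host01). The sample file contents below are constructed, not captured.
set -u

LDAP_URI='ldap://192.0.2.103/'     # host03, as in the practice
LDAP_BASE='dc=example,dc=com'

# Write a constructed copy of the four edited files under a temp dir; print its path.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/pam.d" "$root/etc/sysconfig"
    printf 'uri %s\nbase %s\n' "$LDAP_URI" "$LDAP_BASE" > "$root/etc/nslcd.conf"
    printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' \
        > "$root/etc/nsswitch.conf"
    printf 'USELDAP=yes\n' > "$root/etc/sysconfig/authconfig"
    cat > "$root/etc/pam.d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
EOF
    echo "$root"
}

# Report one failed check on stderr and remember the failure in the caller's rc.
fail() { echo "FAIL: $*" >&2; rc=1; }

# Return 0 when every setting the practice changes is present under root $1,
# 1 otherwise. Checks are comment-aware, so a leftover '#uri' line does not pass.
audit_ldap_client() {
    local root="$1" db stack rc=0
    grep -Eq "^[[:space:]]*uri[[:space:]]+${LDAP_URI}" "$root/etc/nslcd.conf" \
        || fail "nslcd.conf: uri is not $LDAP_URI"
    grep -Eq "^[[:space:]]*base[[:space:]]+${LDAP_BASE}" "$root/etc/nslcd.conf" \
        || fail "nslcd.conf: base is not $LDAP_BASE"
    for db in passwd shadow group; do
        grep -Eq "^${db}:([[:space:]]+[a-z]+)*[[:space:]]+ldap([[:space:]]|$)" \
            "$root/etc/nsswitch.conf" || fail "nsswitch.conf: $db does not consult ldap"
    done
    grep -Eq '^USELDAP=yes$' "$root/etc/sysconfig/authconfig" \
        || fail "authconfig: USELDAP is not yes"
    for stack in auth account password session; do
        grep -Eq "^-?${stack}[[:space:]].*[[:space:]]pam_ldap\.so" "$root/etc/pam.d/system-auth" \
            || fail "system-auth: $stack stack does not call pam_ldap.so"
    done
    # Order matters: pam_ldap.so must come before the final pam_deny.so in the
    # auth stack, or directory users are rejected before pam_ldap is consulted.
    awk '$1 == "auth" && $3 == "pam_ldap.so" { l = NR }
         $1 == "auth" && $3 == "pam_deny.so" { d = NR }
         END { exit !(l && d && l < d) }' "$root/etc/pam.d/system-auth" \
        || fail "system-auth: pam_ldap.so must precede pam_deny.so in the auth stack"
    return $rc
}

# Stand-alone run: audit the constructed tree (or a live system via AUDIT_ROOT).
root="${AUDIT_ROOT:-$(make_sample_tree)}"
if audit_ldap_client "$root"; then
    echo "LDAP client configuration under $root is complete"
fi
```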


10. Log in as the OpenLDAP user from host01.
a. Use the grep command to search for user student1 in the local /etc/passwd file.
The command produces no output, indicating that student1 is not a local user.
# grep student1 /etc/passwd
b. Use the ls command to list the contents of the /home directory.
Note that there is no home directory for the student1 user.
# ls /home

c. Use the ldapsearch command to search for student1 in the OpenLDAP directory.
The common name (cn) for student1 is Oracle Student1.
# ldapsearch -x "cn=Oracle Student1" -b dc=example,dc=com
...
# student1, People, example.com
dn: uid=student1,ou=People,dc=example,dc=com
uid: student1
cn: Oracle Student1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0...
shadowLastChange: ...
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/student1
gecos: Oracle Student1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
d.

Use the su student1 command to log in as OpenLDAP user student1.

Use the whoami command to verify you are logged in as student1.

Notice that you can successfully log in as student1 even though the user account
does not exist locally.
Notice that a home directory was created for student1.

# su student1
Creating directory /home/student1.
[student1@host01 ~]$ whoami
student1

e. Use the pwd command to verify that the /home/student1 directory was created on the local host.
[student1@host01 ~]$ pwd
/home/student1
f. Use the ls -la command to view the contents of the directory.
Notice that the contents of /etc/skel were copied into the user's home directory.
[student1@host01 ~]$ ls -la
...
-rw-------. 1 student1 student1 ... .bash_logout
-rw-------. 1 student1 student1 ... .bash_profile
-rw-------. 1 student1 student1 ... .bashrc
[student1@host01 ~]$ ls -la /etc/skel
...
-rw-------. 1 student1 student1 ... .bash_logout
-rw-------. 1 student1 student1 ... .bash_profile
-rw-------. 1 student1 student1 ... .bashrc
g. Use the exit command to log off as student1.
[student1@host01 ~]$ exit
logout

11. Disable the OpenLDAP client authentication on host01.
a. From host01, use the systemctl command to stop the nslcd service.
# systemctl stop nslcd
b. Use the vi editor to edit the authconfig file and change USELDAP=yes to USELDAP=no as shown.
# vi /etc/sysconfig/authconfig
USELDAP=yes    (old entry)
USELDAP=no     (new entry)
c. Use the vi editor to replace ldap with sss for the passwd, shadow, and group directives as shown.
# vi /etc/nsswitch.conf
passwd:     files ldap     (old entry)
shadow:     files ldap     (old entry)
group:      files ldap     (old entry)
passwd:     files sss      (new entry)
shadow:     files sss      (new entry)
group:      files sss      (new entry)
d. Use the cp command to restore the system-auth file.
# cd /etc/pam.d
# cp system-auth.BAK system-auth
cp: overwrite 'system-auth'? y
e. Use the su student1 command to attempt to log in as user student1.
This confirms OpenLDAP client authentication is disabled.
# su student1
su: user student1 does not exist
f. Use the exit command to log off of host01.
# exit
logout
Connection to host01 closed.
12. Disable the OpenLDAP server authentication.
a. From host03, open the Authentication Configuration Tool by running the system-config-authentication command.
# system-config-authentication
The GUI appears as follows:
(screenshot: the Authentication Configuration Tool window)
Perform the next step from host03.

b. Select Local accounts only from the User Account Database drop-down list.
Ensure that your screen is configured as shown.
(screenshot: the Authentication Configuration Tool with Local accounts only selected)
c. Click Apply to save your changes.
After a few seconds, the Authentication Configuration Tool closes.
d. Use the systemctl command to stop and disable the slapd service.
# systemctl stop slapd
# systemctl disable slapd
rm '/etc/systemd/system/multi-user.target.wants/slapd.service'
Do not log off host03. The next practice (Practice 4-1) assumes that you are logged in as the
root user on host03.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)
Chapter 4

Practices for Lesson 4: Overview

Practices Overview
In these practices, you configure PAM authentication modules first to allow a single login only, and then to disable all non-root logins.

Practice 4-1: Configuring PAM for a Single Login Session

Overview
In this practice, you configure a PAM authentication module on host03 to allow only a single login session for a user.

Assumptions
This practice is performed on host01 and host03 VMs.
You open a terminal window on each system.
You log in as the root user on host03.
The prompts in the solution section include either host01 or host03 to indicate which system to enter the command from.

Tasks
1. On host03, view PAM configuration files and directories.
a. Use the ls command to view the PAM configuration directory, /etc/pam.d.

This directory contains files that describe the authentication procedure for an application.
[host03]# ls /etc/pam.d
atd     gdm-pin         ppp       sudo
chfn    gdm-smartcard   remote    sudo-i
...
b. Use the cat command to view the sshd configuration file in /etc/pam.d.
This file contains a group of directives that define the authentication modules as well as any controls or arguments.
The authentication modules are listed in the third column.
[host03]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
c. Use the find command to locate the pam_sepermit.so authentication module.
In this example, the authentication module is located in /usr/lib64/security.
[host03]# find / -name pam_sepermit.so
/usr/lib64/security/pam_sepermit.so

d. Use the ls command to view the authentication modules directory.
Note that all authentication modules are located in this directory.
[host03]# ls /usr/lib64/security
pam_access.so     pam_limits.so      pam_sepermit.so
pam_cap.so        pam_listfile.so    pam_smbpass.so
...               ...                pam_sss.so

2. On host03, view the man pages for the pam_sepermit authentication module and the associated configuration file.
a. Most of the authentication modules have a man page describing their purpose and usage. Use the man pam_sepermit command to view the man page for the pam_sepermit authentication module.
Note that this module uses a configuration file, sepermit.conf, which controls access when SELinux is in enforcing mode.
SELinux stands for Security-Enhanced Linux and is covered in a subsequent lesson.
[host03]# man pam_sepermit
...
pam_sepermit - PAM module to allow/deny login depending on SELinux enforcement state
...
When the user which is logging in matches an entry in the config file he is allowed access only when the SELinux is in enforcing mode. Otherwise he is denied access...
...
See sepermit.conf(5) for details.
...
b. Use the man sepermit.conf command to view the man page for the sepermit.conf file.
[host03]# man sepermit.conf
...
sepermit.conf - configuration file for the pam_sepermit module
...
The lines of the configuration file have the following syntax:
...

3. SELinux is covered in a subsequent lesson but for the purposes of this practice, use the sestatus command to display information about SELinux.
The output shown is a sample showing that SELinux is enabled and is in enforcing mode.
With SELinux in enforcing mode, the pam_sepermit authentication module allows or denies login.
[host03]# sestatus
SELinux status:                 enabled
...
Current mode:                   enforcing
...

4. From host01, confirm you can remotely log in to host03.
a. From dom0, use the ssh command to log in to host01 as the oracle user.
The password is oracle.
[dom0]# ssh oracle@host01
oracle@host01's password: oracle
Last login...
[oracle@host01 ~]$
b. From host01, use the ssh command to connect to host03.
Answer yes to Are you sure.
The password is oracle.
[oracle@host01 ~]$ ssh host03
The authenticity of host 'host03 (192.0.2.103)' can't be ...
ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
...
oracle@host03's password: oracle
Last login:...
[oracle@host03 ~]$

c. Use the hostname command to confirm that you successfully logged in to host03.
Note that you are successfully able to log in to host03.
[oracle@host03 ~]$ hostname
host03.example.com
d. Use the logout command to close the connection to host03.
Note that you are now logged off of host03 and back to host01.
[oracle@host03 ~]$ logout
Connection to host03 closed.
[oracle@host01 ~]$ hostname
host01.example.com

5. On host03, configure the pam_sepermit authentication module to deny login.
a. Use the find command to locate the sepermit.conf file.
Note that the sepermit.conf file is located in the /etc/security directory.
[host03]# find / -name sepermit.conf
/etc/security/sepermit.conf
b. Use the vi editor to add the following entry to /etc/security/sepermit.conf.
This entry, when read by the PAM module pam_sepermit.so, allows only a single login session for the oracle user.
[host03]# vi /etc/security/sepermit.conf
oracle:exclusive

6. From host01, attempt to log in to host03.
a. Use the ssh command to connect to host03. Password is oracle.
Note that the connection is denied.
[oracle@host01 ~]$ ssh host03
oracle@host03's password: oracle
Permission denied, please try again.
oracle@host03's password: CTRL-C
[oracle@host01 ~]$
b. From host03, use the tail command to view the latest entries in the /var/log/secure log file.
Note that the connection is denied by the PAM authentication module, pam_sepermit.
[host03]# tail /var/log/secure
...
<date_time> host03 sshd[...]: pam_sepermit(sshd:auth): User oracle processes are running. Exclusive login not allowed
...

To permit the oracle user login from host01, you can do either of the following:
Remove the entry in the /etc/pam.d/sshd file to use the pam_sepermit.so module.
Remove the entry in the /etc/security/sepermit.conf file to allow only a single login session.

7. From host03, permit user oracle to log in from host01 by using the vi editor to comment out the entry to use the pam_sepermit.so module from the /etc/pam.d/sshd file.

Comment out this line by inserting a # sign at the beginning of the line as follows:
[host03]# vi /etc/pam.d/sshd
auth       required     pam_sepermit.so     (current entry)
#auth      required     pam_sepermit.so     (insert # sign)

8. From host01, attempt to log in to host03.

a. Use the ssh command to connect to host03.
Password is oracle.
Note that the connection is allowed, and no longer denied by the PAM authentication module.
[oracle@host01 ~]$ ssh host03
oracle@host03's password: oracle
Last failed login: ...
[oracle@host03 ~]$ hostname
host03.example.com

b. Use the logout command to close the connection to host03.
Note that you are now logged off of host03 and back to host01.
[oracle@host03 ~]$ logout
Connection to host03 closed.
[oracle@host01 ~]$ hostname
host01.example.com
c. From host01, log out as oracle user.
[oracle@host01 ~]$ logout
Connection to host01 closed.

9. Return host03 back to the original state.
a. From host03, use the vi editor to edit /etc/pam.d/sshd and uncomment the entry to use the pam_sepermit.so module (remove the # sign).
[host03]# vi /etc/pam.d/sshd
#auth      required     pam_sepermit.so     (current entry)
auth       required     pam_sepermit.so     (remove # sign)
b. From host03, use the vi editor to edit /etc/security/sepermit.conf and remove the entry to allow only a single login for user oracle.
[host03]# vi /etc/security/sepermit.conf
oracle:exclusive     (delete this entry)
Practice 4-2: Configuring PAM to Prevent Non-root Login

Overview
In this practice, you configure a PAM authentication module on host01 to prevent all non-root user logins.

Assumptions
This practice is performed on host01 and host03 VMs.
Open a terminal window on each system.
Log in as the root user on host01.
The prompts in the solution section include either host01 or host03 to indicate which system to enter the command from.
Tasks
1. On host01, configure a PAM authentication module to prevent all non-root user logins.
a. From dom0, use the ssh command to log in to host01 as root.
Password is oracle.
[dom0]# ssh host01
root@host01's password: oracle
Last login: ...
[root@host01]#
b. Use the cat command to view the login configuration file in /etc/pam.d.
The login utility uses the pam_nologin.so authentication module as well as several other PAM modules.
[host01]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=...
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
...
c. Use the man pam_nologin command to view the man page for the pam_nologin authentication module.
Note that this module uses a configuration file /etc/nologin which, if it exists, disables non-root logins.
[host01]# man pam_nologin
...
pam_nologin - Prevent non-root users from login
...
pam_nologin is a PAM module that prevents users from logging into the system when /var/run/nologin or /etc/nologin exists. The contents of the file are displayed to the user...no effect on the root user's ability to ...
...
d. Use the vi editor and create the /etc/nologin file with the following contents:
[host01]# vi /etc/nologin
No logins allowed at this time.

2. From host03, attempt to log in to host01.
a. Use the ssh command to connect to host01 as user oracle.
Answer yes to Are you sure.
The password is oracle.
Note that the connection is denied.
[host03]# ssh oracle@host01
The authenticity of host 'host01 (192.0.2.101)' can't be ...
ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
...
oracle@host01's password: oracle
No logins allowed at this time.

Connection closed by 192.0.2.101
b. From host01, use the tail command to view the latest entries in the /var/log/secure log file.
Note that the connection is denied by the PAM authentication module.
[host01]# tail /var/log/secure
...
<date_time> host01 sshd[...]: fatal: Access denied for user oracle by PAM account configuration [preauth]
...

To permit the non-root user logins, you can do either of the following:
Delete the /etc/nologin file from host01.
Remove the entry in the /etc/pam.d/login file to use the pam_nologin.so module.

3. From host01, permit non-root user logins from host03 by using the vi editor to comment out the entry to use the pam_nologin.so module from the /etc/pam.d/login file.
Comment out this line by inserting a # sign at the beginning of the line as follows:
[host01]# vi /etc/pam.d/login
...
account    required     pam_nologin.so     (current entry)
#account   required     pam_nologin.so     (insert # sign)

4. From host03, attempt to log in to host01.

Use the ssh command to connect to host01 as user oracle.
Note that the connection is still denied.
[host03]# ssh oracle@host01
oracle@host01's password: oracle
No logins allowed at this time.
Connection closed by 192.0.2.101

5. From host01, use the grep command to search for the string pam_nologin in all the files in the /etc/pam.d directory.
Note that this module also is called from the ppp, remote, and sshd files.
Because you are using ssh to log in, you would need to comment out the line in the sshd file as well.
Alternatively, remove the /etc/nologin file to allow non-root logins.
[host01]# grep pam_nologin /etc/pam.d/*
/etc/pam.d/login:#account    required     pam_nologin.so
/etc/pam.d/ppp:account       required     pam_nologin.so
/etc/pam.d/remote:account    required     pam_nologin.so
/etc/pam.d/sshd:account      required     pam_nologin.so
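The following helpers, added here and not part of the Oracle guide, make step 5's point precise: one lists only the PAM service files whose pam_nologin.so line is still active (the grep above also matches the commented-out login entry), the other follows include and substack directives to show what a service such as sshd (the file examined in Practice 4-1) really runs. The pam.d tree it builds is a constructed sample that mirrors the practice.

```shell
#!/bin/bash
# Added example, not part of the Oracle activity guide: two small PAM audit
# helpers. active_services lists the service files in a pam.d directory that
# still call a module on a non-commented line; resolve_stack follows
# include/substack directives to show which modules a service's stack really
# runs, which is why editing /etc/pam.d/login does not affect an ssh login.
# The pam.d tree built by make_sample_pamd is constructed, not captured.
set -u

make_sample_pamd() {
    local d
    d=$(mktemp -d)
    cat > "$d/login" <<'EOF'
#%PAM-1.0
auth       substack     system-auth
#account    required     pam_nologin.so
account    include      system-auth
EOF
    cat > "$d/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
EOF
    printf 'account    required     pam_nologin.so\n' > "$d/ppp"
    printf 'account    required     pam_nologin.so\n' > "$d/remote"
    cat > "$d/password-auth" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
account    required     pam_unix.so
EOF
    cp "$d/password-auth" "$d/system-auth"
    echo "$d"
}

# Print, one per line and sorted, the services under $1 that contain an
# active (uncommented) line calling module $2.
active_services() {
    local pamd="$1" module f
    module=$(printf '%s' "$2" | sed 's/[.]/\\./g')     # escape dots for the regex
    for f in "$pamd"/*; do
        grep -Eq "^[[:space:]]*-?[a-z]+[[:space:]].*[[:space:]]${module}([[:space:]]|$)" "$f" \
            && basename "$f"
    done | sort
}

# Print the modules run for service $2, management group $3 (auth, account,
# password or session) under $1, following include and substack directives.
# Bracketed controls such as [default=bad success=ok] are collapsed so the
# module name is always the third field.
resolve_stack() {
    local pamd="$1" service="$2" group="$3" type ctl mod rest
    [ -f "$pamd/$service" ] || return 0
    sed -E 's/\[[^]]*\]/[...]/' "$pamd/$service" |
    while read -r type ctl mod rest; do
        case "$type" in ''|\#*) continue ;; esac     # blank or comment line
        [ "${type#-}" = "$group" ] || continue         # '-' marks an optional module
        case "$ctl" in
            include|substack) resolve_stack "$pamd" "$mod" "$group" ;;
            *) echo "$mod" ;;
        esac
    done
}

# Stand-alone run over the constructed tree.
pamd=$(make_sample_pamd)
echo "services still calling pam_nologin.so:"; active_services "$pamd" pam_nologin.so
echo "account stack actually run for sshd:";   resolve_stack "$pamd" sshd account
```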

6. Return host01 back to the original state.
a. Use the rm command to remove the /etc/nologin file.
[host01]# rm /etc/nologin
rm: remove regular file '/etc/nologin'? y
b. Use the vi editor to edit /etc/pam.d/login and uncomment the entry to use the pam_nologin.so module (remove the # sign).
[host01]# vi /etc/pam.d/login
...
#account   required     pam_nologin.so     (current entry)
account    required     pam_nologin.so     (remove # sign)
c. Use the exit command to log off of host01.
[host01]# exit
logout
Connection to host01 closed.

Do not log off host03. The next practice (Practice 5-1) assumes that you are logged in as the
root user on host03.

Practices for Lesson 5: Web and Email Services
Chapter 5

Practices for Lesson 5: Overview

Practices Overview
In these practices, you configure the Apache Web Server.

Practice 5-1: Configuring the Apache Web Server

Overview
In this practice, you:
Verify that the httpd package is installed, start the service, and ensure that the service starts at boot time
Create a test page to verify that Apache is working correctly
Configure two virtual hosts, each serving different web content

Assumptions
You perform this practice exclusively on host03 VM.
You are connected to host03 by using vncviewer.
You are the root user on host03 VM.

Tasks
1. Install the httpd software package and enable and start the httpd service.
a. Use the yum command to install the httpd package.
Answer y to Is this ok.
# yum install httpd
...
Transaction Summary
==============================================================
Install  1 Package (+4 Dependent packages)

Total download size: 1.5 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
...
Complete!
b. Use the systemctl command to enable the httpd service to start at boot time.
# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
c. Use the systemctl command to start the httpd service.
# systemctl start httpd


2. Confirm that Apache is working, by pointing a browser on host03 to http://localhost.
a. On the GNOME menu bar, click Applications to view the drop-down menu. Under Favorites, select the Firefox Web Browser icon to start the Firefox web browser.
b. Enter http://localhost in the browser and press Enter.
The Apache Test Page appears and confirms that Apache is working correctly.

(screenshot: the Apache Test Page in Firefox)
c. Close the Firefox web browser by clicking the X in the top-right corner of the window. A Confirm close dialog box might appear. If so, click the Close tabs button to close the window.

3. Create and view a test webpage.
a. Use the vi editor to create the /var/www/html/index.html file with the following entry:
# vi /var/www/html/index.html
<html><body><p>This is my test page.</p></body></html>

b. Restart the Firefox browser and point to http://localhost.
The test webpage appears.
(screenshot: the test webpage in Firefox)
c. Close the Firefox web browser by clicking the X in the top-right corner of the window.

4. Create a virtual host on the Apache web server and name it www.example1.com.
a. Use the vi editor to edit the /etc/httpd/conf/httpd.conf file to add the following entries to the end of the file:
# vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    ServerName www.example1.com
    DocumentRoot /var/www/example1
    ErrorLog /var/log/httpd/example1.error_log
    <Directory /var/www/example1>
        Order deny,allow
        Deny from all
        Allow from 192.0.2
    </Directory>
</VirtualHost>
b. Use the vi editor to edit the /etc/hosts file and append www.example1.com to the 192.0.2.103 entry as follows:
# vi /etc/hosts
192.0.2.103   host03.example.com   host03   www.example1.com
c.

Use the mkdir command to make the /var/www/example1 directory.


# mkdir /var/www/example1

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

Use the cp command to copy the /var/www/html/index.html file to the


/var/www/example1 directory.
# cp /var/www/html/index.html /var/www/example1/

e.

Use the vi editor to edit the /var/www/example1/index.html file as follows:


# vi /var/www/example1/index.html
<html><body><p>This is my test page for
www.example1.com.</p></body></html>

f. Use the apachectl configtest command to check the configuration file for possible errors. In this example there are no errors. Fix any errors you might have made.
# apachectl configtest
Syntax OK
g. Use the apachectl graceful command to reload the configuration without affecting active requests.
# apachectl graceful
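The Directory block above denies everything and then allows only the 192.0.2 prefix, so a slip that leaves the document root open (an Allow from all, or a dropped Deny from all) is worth catching before apachectl graceful puts it live; apachectl configtest only checks syntax. The following shell script is an added example, not code from the Oracle guide: write_vhost renders the same virtual host into a scratch file, and check_vhost parses every <Directory> block with awk and fails if a block lacks Deny from all, allows all, or has no explicit Allow. The scratch directory and the deliberately opened second copy are constructed for the demonstration. One caveat worth knowing: on httpd 2.4, the version Oracle Linux 7 ships, the Order/Deny/Allow directives are served by mod_access_compat; the native 2.4 form of the same rule is Require ip 192.0.2.0/24.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): render the practice's virtual host
# and lint its <Directory> access rules before reloading httpd.

# write_vhost NAME DOCROOT ALLOWED_PREFIX OUTFILE
# Emits the 2.2-style access block used in the practice; the log name is
# derived from the host name (www.example1.com -> example1.error_log).
write_vhost() {
    name=$1; docroot=$2; allowed=$3; out=$4
    label=${name#www.}; label=${label%%.*}
    cat > "$out" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
    ErrorLog /var/log/httpd/$label.error_log
    <Directory $docroot>
        Order deny,allow
        Deny from all
        Allow from $allowed
    </Directory>
</VirtualHost>
EOF
}

# check_vhost FILE
# Returns 0 when every <Directory> block denies by default and allows only
# an explicit network; returns 1 (and names the block) otherwise.
check_vhost() {
    awk '
        /^[[:space:]]*<Directory/ { inblk = 1; dir = $2; deny = 0; allow = 0; open = 0; next }
        inblk && /^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all/ { deny = 1 }
        inblk && /^[[:space:]]*Allow[[:space:]]+from[[:space:]]+all/ { open = 1 }
        inblk && /^[[:space:]]*Allow[[:space:]]+from/ && !/from[[:space:]]+all/ { allow = 1 }
        /^[[:space:]]*<\/Directory>/ {
            inblk = 0
            if (!deny || open || !allow) { bad = 1; print "open access in <Directory " dir }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d)
    write_vhost www.example1.com /var/www/example1 192.0.2 "$tmp/example1.conf"
    check_vhost "$tmp/example1.conf" && echo "example1.conf: restricted to 192.0.2, safe to reload"
    # Constructed misconfiguration: the same host with the network widened to all.
    sed 's/Allow from 192.0.2$/Allow from all/' "$tmp/example1.conf" > "$tmp/open.conf"
    check_vhost "$tmp/open.conf" || echo "open.conf: fix before apachectl graceful"
    rm -rf "$tmp"
}
demo
```

Run it on the real file with check_vhost /etc/httpd/conf/httpd.conf after step 4a; it walks every Directory block in the file, not only the one just added.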


5. View the test webpage for www.example1.com.
a. Restart the Firefox browser and point to http://www.example1.com.


The test webpage for www.example1.com appears.
b. Close the Firefox web browser by clicking the X in the top-right corner of the window.
6. Create a second virtual host on the Apache web server named www.example2.com.
a. Use the vi editor to edit the /etc/httpd/conf/httpd.conf file to add the following entries to the end of the file:
# vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName www.example2.com
DocumentRoot /var/www/example2
ErrorLog /var/log/httpd/example2.error_log
<Directory /var/www/example2>
Order deny,allow
Deny from all
Allow from 192.0.2
</Directory>
</VirtualHost>


b. Use the vi editor to edit the /etc/hosts file to append www.example2.com to the 192.0.2.103 entry as follows:
# vi /etc/hosts
192.0.2.103 host03... www.example1.com www.example2.com
c. Use the mkdir command to make the /var/www/example2 directory.
# mkdir /var/www/example2
d. Use the cp command to copy the /var/www/example1/index.html file to the /var/www/example2 directory.
# cp /var/www/example1/index.html /var/www/example2
e. Use the vi editor to edit the /var/www/example2/index.html file as follows:
# vi /var/www/example2/index.html
<html><body><p>This is my test page for www.example2.com.</p></body></html>

f. Use the apachectl configtest command to check the configuration file for possible errors. In this example there are no errors. Fix any errors you might have made.
# apachectl configtest
Syntax OK
g. Use the apachectl graceful command to reload the configuration without affecting active requests.
# apachectl graceful


7. View the test webpage for www.example2.com.
a. Restart the Firefox browser and point to http://www.example2.com.


The test webpage for www.example2.com appears.
b. Close the Firefox web browser by clicking the X in the top-right corner of the window.


8. Log off from host03.
a. Click Oracle Student in the top-right corner of the GNOME desktop to display the drop-down menu.
b. Select Log Out from the menu.
The following window appears.
c. Click Log Out.
d. Close the VNC window by clicking the X in the top-right corner of the window.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart
Chapter 6

Practices for Lesson 6: Overview


Practices Overview
In these practices, you:
Create a new host07 virtual machine and perform a Kickstart installation on host07
Use rescue mode to repair a boot problem on host07


Practice 6-1: Performing a Kickstart Installation


Overview
In this practice, you do the following:
Configure dom0 as an HTTP server.
Make the installation tree available from the HTTP server.
Create the Kickstart file and make it available from the HTTP server.
Shut down the host01 VM and create a new host07 VM.
Initiate the Kickstart installation on host07.
Log in to host07 and verify the installation.
Shut down host07 and restart host01.

Assumptions
You are logged on as the root user on dom0.

Tasks
1. Ensure that dom0 is configured as an HTTP server.
a. If necessary, open a terminal window on dom0 and become the root user.
From a terminal window on dom0, use the su - command to become the root user. The root password is oracle.
$ su -
Password: oracle
#
b. As the root user on dom0, use the rpm command to ensure that the httpd package is installed. The package is installed.
# rpm -qa | grep http
httpd-2.2.3-53.0.1.el5
c. Use the service command to query the status of the httpd service.
# service httpd status
httpd (pid ...) is running...
In this example, the httpd service is running. If the service is not running, use the service command to start the httpd service:
# service httpd start
...


2. Make the installation tree available.
In this task, you make the installation tree available from the HTTP server running on dom0.
a. From dom0, use the cd command to change to the /OVS/seed_pool directory. Use the ls command to list the contents of the directory.
The Oracle Linux 7.1 DVD image is the OracleLinux-R7-U1-Server-x86_64-dvd.iso file in the /OVS/seed_pool directory.
# cd /OVS/seed_pool
# ls
...
OracleLinux-R7-U1-Server-x86_64-dvd.iso
...
b. Use the mkdir command to make a temporary mount point, /mnt/iso.
Using a temporary mount point other than /mnt is a requirement imposed by Oracle University (OU). On OU systems, there is a FAT file system mounted in /mnt/cdrive. This file system holds binaries that monitor the machine status and take care of initiating the build for the next class after the current class is finished. If you mount an ISO on /mnt, it mounts on top of /mnt/cdrive, which causes the binaries to fail to report to the OU Dashboard. Outside of the OU environment, you can use /mnt for this procedure.

# mkdir /mnt/iso
c. Use the mount command to mount the OL7.1 DVD image on /mnt/iso.
# mount -t iso9660 -o loop OracleLinux-R7-U1-Server-x86_64-dvd.iso /mnt/iso
d. Use the mkdir command to create the /var/www/html/OL71 directory.
# mkdir /var/www/html/OL71
e. Use the cp command to copy all files and directories from /mnt/iso to /var/www/html/OL71.
This command takes a few minutes to complete.
# cp -r /mnt/iso/* /var/www/html/OL71/
The installation tree is now available from the HTTP server running on dom0.
f. Use the umount command to unmount /mnt/iso. Use the rmdir command to remove the /mnt/iso directory.
# umount /mnt/iso
# rmdir /mnt/iso

3. Create the Kickstart file.
The installation of Oracle Linux creates a Kickstart file, /root/anaconda-ks.cfg, based on the options that you selected during installation. Use this file as a template for creating the ks.cfg file.


a. From dom0, use the scp command to copy /root/anaconda-ks.cfg from host01 to /var/www/html/ks.cfg on dom0.
The password is oracle.
# cd /var/www/html
# scp host01:~/anaconda-ks.cfg ks.cfg
root@host01's password: oracle
anaconda-ks.cfg 100% ...
The Kickstart file is now available from the HTTP server running on dom0.
You use the vi editor to change this Kickstart file as instructed in step 3c.

Note: A preconfigured ks.cfg file exists on dom0 in the /OVS/seed_pool/host07 directory. If you do not want to edit the ks.cfg file as instructed in step 3c, you can use the cp command to copy /OVS/seed_pool/host07/ks.cfg to /var/www/html/ks.cfg. If you use this Kickstart file, you need not edit the file in step 3c.
b. Use the chown -R command to change the owner and group to apache on /var/www/html.
This is a requirement of HTTP; otherwise, you get permission denied errors.
# chown -R apache.apache /var/www/html
c. Use the vi editor to edit the ks.cfg file. Change the file to make it like the following.
Changes and additions are in bold.
Delete any lines in the file that are not shown in the following.
Note that the network line is all one line ending in --activate.
# vi ks.cfg

#version=RHEL7
# System authorization information
authconfig --enableshadow --passalgo=sha512
url --url http://192.0.2.1/OL71/
ignoredisk --only-use=xvda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts=us
# System language
lang en_US.UTF-8
# Network information
network --bootproto static --device eth0 --gateway 192.0.2.1 --ip 192.0.2.107 --nameserver=10.216.106.3,192.0.2.1,152.68.154.3 --netmask 255.255.255.0 --ipv6=auto --hostname=host07.example.com --activate
# Root password
rootpw --iscrypted ...
# System timezone
timezone America/Denver --isUtc --nontp
user --name=oracle --password=$6$... --iscrypted --gecos="Oracle Student"
# System bootloader configuration
bootloader --location=mbr --boot-drive=xvda
autopart --type=lvm
# Partition clearing information
clearpart --all --drives=xvda

%packages
@core

%end
4. Verify the Kickstart file.
a. From dom0, use the scp command to copy /var/www/html/ks.cfg from dom0 to /root/ks.cfg on host01.
The password is oracle.
# scp /var/www/html/ks.cfg host01:~/ks.cfg
root@host01's password: oracle
ks.cfg 100% ...
b. Use the ssh command to log on to host01.
# ssh host01
root@host01's password: oracle

c. From host01, use the yum command to install the pykickstart package.
Answer y to Is this ok.
# yum install pykickstart
...
Transaction Summary
==============================================================

Install  1 Package

Total download size: 390 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
...
Complete!
d. Use the ksvalidator utility to verify the ks.cfg file in the /root directory on host01.
In this example, the command produces no output, indicating there are no errors in the ks.cfg file.
# ksvalidator /root/ks.cfg

e. Create an error in the /root/ks.cfg file.
The following example removes the comment (# sign) from the first line.
# vi /root/ks.cfg
#version=RHEL7 (old entry)
version=RHEL7 (new entry)
f. Repeat step 4d and rerun the ksvalidator utility.
# ksvalidator /root/ks.cfg
The following problem occurred on line 1 of the kickstart file:
Unknown command: version=RHEL7
g. Fix the error in the /root/ks.cfg file.
# vi /root/ks.cfg
version=RHEL7 (old entry)
#version=RHEL7 (new entry)
h. Repeat step 4d and rerun the ksvalidator utility.
The command produces no output, indicating there are no errors in the ks.cfg file.
# ksvalidator /root/ks.cfg
i. Use the exit command to log off host01.
# exit
logout
Connection to host01 closed.
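ksvalidator, as step 4 shows, catches an unknown command but says nothing about what the file does: it accepts a rootpw given in plaintext, and the ks.cfg published in step 3 is fetched over HTTP by anyone who can reach 192.0.2.1. The following shell script is an added example, not code from the Oracle guide: ks_lint reads a Kickstart file and reports the security-relevant omissions (rootpw missing or not --iscrypted, user accounts with a plaintext --password, no explicit --passalgo=sha512, no --hostname, and %packages/%pre/%post sections without their %end), returning the number of findings so it can gate the copy into /var/www/html. The sample ks.cfg is constructed to mirror the practice's file with placeholder hashes, and weaken_ks derives a deliberately bad copy to show what the check reports.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): a pre-flight check for the
# security-relevant lines of a Kickstart file. ksvalidator checks syntax only;
# it accepts a plaintext rootpw without comment.

# ks_lint FILE
# Prints one finding per line and returns the number of findings (0 = clean).
ks_lint() {
    f=$1; n=0
    if ! grep -q '^rootpw ' "$f"; then
        echo "rootpw: missing; an unattended install ends with no root password set"; n=$((n+1))
    elif ! grep -q '^rootpw .*--iscrypted' "$f"; then
        echo "rootpw: not --iscrypted; the password is readable by anyone who can fetch ks.cfg"; n=$((n+1))
    fi
    # Each 'user ... --password=' line must also carry --iscrypted.
    u=$(grep '^user ' "$f" | grep -- '--password' | grep -vc -- '--iscrypted' || true)
    if [ "$u" -gt 0 ]; then
        echo "user: $u account(s) defined with a plaintext --password"; n=$((n+u))
    fi
    if ! grep -q '^authconfig .*--passalgo=sha512' "$f"; then
        echo "authconfig: --passalgo=sha512 not set explicitly"; n=$((n+1))
    fi
    if ! grep -q '^network .*--hostname=' "$f"; then
        echo "network: no --hostname; the host boots with a generic name"; n=$((n+1))
    fi
    # Every %packages/%pre/%post section needs a matching %end.
    opens=$(grep -Ec '^%(packages|pre|post)' "$f" || true)
    ends=$(grep -c '^%end' "$f" || true)
    if [ "$opens" -ne "$ends" ]; then
        echo "sections: $opens section header(s) but $ends %end line(s)"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample in the shape of the practice's ks.cfg; hashes are placeholders.
write_sample_ks() {
    cat > "$1" <<'EOF'
#version=RHEL7
authconfig --enableshadow --passalgo=sha512
url --url http://192.0.2.1/OL71/
ignoredisk --only-use=xvda
keyboard --vckeymap=us --xlayouts=us
lang en_US.UTF-8
network --bootproto static --device eth0 --gateway 192.0.2.1 --ip 192.0.2.107 --netmask 255.255.255.0 --hostname=host07.example.com --activate
rootpw --iscrypted $6$PLACEHOLDER$notarealhash
timezone America/Denver --isUtc --nontp
user --name=oracle --password=$6$PLACEHOLDER$notarealhash --iscrypted --gecos="Oracle Student"
bootloader --location=mbr --boot-drive=xvda
autopart --type=lvm
clearpart --all --drives=xvda
%packages
@core
%end
EOF
}

# weaken_ks GOOD WEAK
# Derive a deliberately bad copy (plaintext rootpw, plaintext user password,
# unterminated %packages) so the findings can be seen.
weaken_ks() {
    sed -e 's/^rootpw .*/rootpw --plaintext PLAINTEXT-HERE/' \
        -e 's/ --iscrypted --gecos/ --gecos/' \
        -e '/^%end/d' "$1" > "$2"
}

demo() {
    tmp=$(mktemp -d)
    write_sample_ks "$tmp/ks.cfg"
    ks_lint "$tmp/ks.cfg" && echo "ks.cfg: clean"
    weaken_ks "$tmp/ks.cfg" "$tmp/weak.cfg"
    ks_lint "$tmp/weak.cfg" || echo "weak.cfg: $? finding(s)"
    rm -rf "$tmp"
}
demo
```

Run ks_lint /var/www/html/ks.cfg on dom0 before step 4a; a non-zero return means the file should be corrected before it is served. Because the file is fetched over plain HTTP in step 7, --iscrypted matters even on a lab network: the hash is exposed, the password itself is not.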

5. Create a new host07 VM.
a. From dom0, use the mkdir command to make the /OVS/running_pool/host07 directory.
# mkdir /OVS/running_pool/host07
b. Use the cd command to change to the /OVS/running_pool/host07 directory.
# cd /OVS/running_pool/host07
c. Use the dd command to create a 12 GB system.img file.
This command takes a few minutes to complete.
# dd if=/dev/zero of=system.img bs=1M count=12288
12288+0 records in
12288+0 records out
12884901888 bytes (13 GB) copied...
d. Use the cp command to copy the vm.cfg file from the /OVS/running_pool/host01 directory to the current directory.
# cp /OVS/running_pool/host01/vm.cfg .
You use the vi editor to change this vm.cfg file as instructed in step 5e.
Note: A preconfigured vm.cfg file exists on dom0 in the /OVS/seed_pool/host07 directory. If you do not want to edit the vm.cfg file as instructed in step 5e, you can use the cp command to copy /OVS/seed_pool/host07/vm.cfg to /OVS/running_pool/host07/vm.cfg. If you use this vm.cfg file, you need not edit the file in step 5e.
e. Use the vi editor to edit the vm.cfg file. Change the file to make it look like the following.
Changes and additions are in bold.
Delete any lines in the file that are not shown in the following.
# vi vm.cfg
# Automatically generated xen config file
name = 'host07'
builder = 'hvm'
memory = 1536
boot = 'cd'
disk = [ 'file:/OVS/running_pool/host07/system.img,hda,w',
         'file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64-dvd.iso,hdc:cdrom,r' ]
vif = [ 'mac=00:16:3e:00:01:07,bridge=virbr0' ]
device_model = '/usr/lib/xen/bin/qemu-dm'
kernel = '/usr/lib/xen/boot/hvmloader'
vnc = 1
vncunused = 1
vcpus = 1
timer_mode = 0
apic = 1
acpi = 1
pae = 1
serial = 'pty'
on_reboot = 'restart'
on_crash = 'restart'
usb = 1
usbdevice = 'tablet'
6. Connect to the host07 guest by using vncviewer.


a. Use the xm shutdown command to shut down the host01 VM.
The available memory on dom0 allows a maximum of only three VMs to be running. Therefore, it is necessary to shut down one VM to start a new VM.
# xm shutdown -w host01
Domain host01 terminated
All domains terminated
If the xm shutdown command is taking more than a few seconds to complete, use CTRL-C to kill the command and run the following xm destroy command.
# xm destroy host01
b. Run the xm create command to create the host07 VM.
# xm create vm.cfg
Using config file "./vm.cfg".
Started domain host07 (id=...)
c. Determine the VNC port number for host07 by running the xm list -l host07 | grep location command.
# xm list -l host07 | grep location
(location 0.0.0.0:5902)
(location 3)
The sample shown indicates that the port number is 5902. Your port number might be different.
d. Run the vncviewer& command.
# vncviewer&
The VNC Viewer: Connection Details dialog box is displayed.
e. Enter localhost:<port_number>, substituting the port number displayed from the previous xm list -l host07 | grep location command. For example, if the port number is 5902, enter localhost:5902 and click Connect.

The Oracle Linux boot menu appears:

The Oracle Linux boot menu screen appears for only 60 seconds, after which the Test this media & install Oracle Linux 7.0 menu option is selected by default. If you do not see this screen, meaning the 60-second timeout has expired, click the X in the top-right corner of the current screen to close it, enter the following command from dom0, and begin step 6 again starting with 6b.
# xm destroy host07

f. From the Oracle Linux boot menu, press Esc to exit to the boot prompt.
The boot prompt is shown:
7. Initiate the Kickstart installation.
The network interface needs to be configured to retrieve the Kickstart file, ks.cfg, from the 192.0.2.1 HTTP server.
In many cases, the network interface obtains an IP address from DHCP running on the server. However, in this example, DHCP is not running on the installation server. Therefore, you need to provide initial network configuration information as part of the boot command.
a. Enter the following command from the boot prompt, and press Enter to continue.
Include the following network interface configuration information in addition to the location of the ks.cfg file in the boot command.
IP address (ip=192.0.2.200)
Netmask (netmask=255.255.255.0)
Gateway (gw=192.0.2.1)
This address information allows an initial network connection required to retrieve the Kickstart file from the installation server. The information in the Kickstart file is then used to configure the network interface.
boot: linux ip=192.0.2.200 netmask=255.255.255.0 gw=192.0.2.1 ks=http://192.0.2.1/ks.cfg
There is a slight delay before the Kickstart installation begins.


b. When the installation is complete, you are prompted to reboot. Click Reboot when prompted.
8. Log in to host07 and verify the installation.
a. From dom0, use the ssh command to connect to host07 as the root user. The password is oracle.
Use the IP address for host07 because the /etc/hosts file on dom0 does not contain an entry to resolve the host name.
You need to wait a few seconds to allow host07 to reboot.
[dom0]# ssh 192.0.2.107
The authenticity of host '192.0.2.107 (192.0.2.107)' can't be established.
RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.0.2.107' (RSA) to the list of known hosts.
root@192.0.2.107's password: oracle

b. Use the hostname command to confirm that you are logged on to the host07 VM.
# hostname
host07.example.com


c. Use the ip addr command to display the network configuration.
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state ...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    ...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
    link/ether 00:16:3e:00:01:07 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.107/24 brd 192.0.2.255 scope global eth0
    ...

d. Use the df command to list the mounted partitions.
# df -h
Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/ol_host07-root   11G  979M  9.4G  10% /
...
/dev/xvda1                  497M  142M  355M  29% /boot

e. Use the cat command to view the /etc/resolv.conf file.
# cat /etc/resolv.conf
...
search example.com
nameserver 10.26.106.3
nameserver 192.0.2.1
nameserver 152.68.154.3


Practice 6-2: Using Rescue Mode


Overview
In this practice, you do the following:
Corrupt a file on host07 to cause boot failure.
Boot into rescue mode to correct the file.

Assumptions
You are the root user on host07.

Tasks
1. Create an error in the /boot/grub2/grub.cfg file to cause boot failure.
a. Make a backup of /boot/grub2/grub.cfg.
# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.BAK

b. Use the vi command to edit the /boot/grub2/grub.cfg file.
Use the :set nu command to turn on line numbers.
At around line number 103, change linux16 /vmlinuz-3.8.13-55.1.6.el7uek.x86_64 to linux16 /vmlinuz-3.13-55.1.6.el7uek.x86_64.
# vi /boot/grub2/grub.cfg
:set nu
linux16 /vmlinuz-3.8.13-55.1.6.el7uek.x86_64 (old entry)
linux16 /vmlinuz-3.13-55.1.6.el7uek.x86_64 (new entry)
c. Use the systemctl reboot command to reboot host07.
# systemctl reboot
Connection to 192.0.2.107 closed by remote host.
Connection to 192.0.2.107 closed.
[dom0]#
2. Attempt to log in to host07.


a. From dom0, run the xm list -l host07 | grep location command to determine the VNC port number for host07.
[dom0]# xm list -l host07 | grep location
(location 0.0.0.0:5902)
(location 3)
In this example, the VNC port number is 5902. This might not be true in your case.
b. Run the vncviewer& command.
# vncviewer&
The VNC Viewer: Connection Details dialog box is displayed.


c. Enter localhost:<port_number>, substituting the port number displayed from the previous xm list -l host07 | grep location command. For example, if the port number is 5902, enter localhost:5902 and click Connect.
The following screen shows that an error occurred during the boot process.


d. Close the window by clicking the X in the upper-right corner of the window.
3. Shut down host07.
a. Run the xm destroy host07 command to shut down the host07 VM. Run xm list to display the running VMs.
The output shown is a sample; the ID and Time(s) values are different on your system.
# xm destroy host07
# xm list
Name        ID   Mem VCPUs      State   Time(s)
Domain-0     0  2048     2     r-----    281.1
host02       2  1536     1     -b----    159.0
host03       3  1536     1     -b----     13.2
Notice that host07 is no longer active. You have two guests (host02 and host03) running.
4. Configure host07 to boot from Oracle Linux 7 installation media.


The procedure applies to Oracle VM Server for x86 version 2.2.1 Hardware Virtualized (HVM) Guests. For Para-virtualized (PVM) Guests, refer to MOS note 549410.1.
Use the vi editor to change the boot entry in the host07 vm.cfg file from boot = 'cd' to boot = 'd'.
If the vm.cfg file is read-only, use :wq! to save the file.
# cd /OVS/running_pool/host07
# vi vm.cfg
...
boot = 'cd' (old entry)
boot = 'd' (new entry)
...
5. Start the host07 VM.
Run the xm create vm.cfg command to start the host07 VM. Run xm list to display the running VMs.
# xm create vm.cfg
Using config file "./vm.cfg".
Started domain host07 (id=#)
# xm list
Name        ID   Mem VCPUs      State   Time(s)
Domain-0     0  2048     2     r-----    281.1
host02       2  1536     1     -b----    159.0
host03       3  1536     1     -b----     13.2
host07      14  1536     1     -b----     13.2
Notice that host07 is now active.
6. Log in to host07.
a. Run the vncviewer& command.
# vncviewer&
The VNC Viewer: Connection Details dialog box is displayed.


b. Enter localhost:<port_number>, substituting the port number displayed from the xm list -l host07 | grep location command in step 2a. For example, if the port number is 5902, enter localhost:5902 and click Connect.
The Oracle Linux boot menu appears as shown:


The Oracle Linux boot menu screen appears for only 60 seconds, after which the Test this media & install Oracle Linux 7.0 menu option is selected by default. If you do not see this screen, meaning the 60-second timeout has expired, click the X in the top-right corner of the screen to close it, enter the following command from dom0, and begin again starting with step 5.
# xm destroy host07


c. From the Oracle Linux boot menu, press the Esc key to display the boot: prompt. The following screen appears:
Alternatively, you could use the arrow keys to select Troubleshooting to display a new menu, and then select Rescue a Oracle Linux system from the Troubleshooting menu.
7. Boot into Rescue Mode.
a. Enter linux rescue at the boot: prompt and press Enter.
It takes a few seconds for the rescue process to begin.
boot: linux rescue


b. Review the information displayed on the following screen. Use the Tab key to select Continue and press Enter.

c. Review the information displayed on the following screen. Press Enter to continue.


d. Review the information displayed on the following screen. Press Enter to continue.
A shell prompt is displayed.
8. Repair the corrupted /boot/grub2/grub.cfg file.
a. Use the df command to view the mounted file systems.
Notice that the file systems are mounted under the /mnt/sysimage directory.
# df -h
Filesystem                  ...  Mounted on
...
/dev/mapper/ol_host07-root  ...  /mnt/sysimage
/dev/xvda1                  ...  /mnt/sysimage/boot
...
b. Use the ls command to view the contents of the current / directory.
# ls /
bin   dev  firmware  lib64       mnt      proc  run   sys  usr
boot  etc  lib       lost+found  modules  root  sbin  tmp  var
c. Use the chroot command to change the root partition of the rescue mode environment to the root partition of your file system.
# chroot /mnt/sysimage/

d. Use the df command to view the mounted file systems.
Notice that the file system mount points are different.
# df -h
Filesystem                  ...  Mounted on
/dev/mapper/ol_host07-root  ...  /
...
/dev/xvda1                  ...  /boot
...
e. Use the ls command to view the contents of the current / directory.
Notice that the contents of the / directory are different.
# ls /
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr

f. Use the cp command to restore /boot/grub2/grub.cfg from /boot/grub2/grub.cfg.BAK.
# cp /boot/grub2/grub.cfg.BAK /boot/grub2/grub.cfg
g. Use the exit command to exit the chroot environment.
# exit
h. Close the window by clicking the X in the top-right corner of the window.
9. Boot host07 from the system hard drive.
a. From dom0, use the vi editor to change the boot entry in the host07 vm.cfg file from boot = 'd' back to boot = 'cd'.
# cd /OVS/running_pool/host07
# vi vm.cfg
...
boot = 'd' (old entry)
boot = 'cd' (new entry)
...
b.

Use the xm destroy host07 command to shut down the host07 VM.
# xm destroy host07

c.

Use the xm create vm.cfg command to start the host07 VM.


# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host07 (id=#)

10. Log in to host07.
From dom0, use the ssh command to connect to 192.0.2.107 (host07). The root
password is oracle.
Use the IP address because the /etc/hosts file on dom0 does not contain an
entry to resolve host07.
You need to wait a few seconds for the reboot to complete.
# ssh 192.0.2.107
root@192.0.2.107's password: oracle
Notice that your system successfully boots from the hard drive and you can log in.
11. Remove host07 and clean up dom0.
a. Use the systemctl poweroff command to shut down host07.
# systemctl poweroff
Connection to 192.0.2.107 closed by remote host.
Connection to 192.0.2.107 closed.
b. From dom0, use the rm -r command to remove the
/OVS/running_pool/host07/ directory.
# cd /OVS/running_pool
# rm -r host07
rm: descend into directory 'host07'? y
rm: remove regular file 'host07/system.img'? y
rm: remove regular file 'host07/vm.cfg'? y
rm: remove directory 'host07'? y
c. Use the /bin/rm -r command to remove the /var/www/html/OL71/ directory.
# cd /var/www/html
# /bin/rm -r OL71/

12. Restart host01 VM.
a. From dom0, change to the /OVS/running_pool/host01 directory and use the xm
create command as follows:
# cd /OVS/running_pool/host01
# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host01 (id=...)
b. Use the xm list command to verify that host01, host02, and host03 are running and
that host07 is not running.
# xm list
Name        ID   Mem VCPUs   State   Time(s)
Domain-0     0  2048     2   r-----    758.9
host01       4  1536     1   -b----     37.4
host02       5  1536     1   -b----     37.3
host03       9  1536     1   -b----    109.3

Practices for Lesson 7:
Samba Services
Chapter 7

Practices for Lesson 7: Overview

Practices Overview
In these practices, you configure a Samba server and access the Samba shares on the server
from an Oracle Linux client host.

Practice 7-1: Configuring a Samba Server

Overview
In this practice, you do the following:
Install the packages necessary to configure Samba services on the host03 VM.
Start the smb service.
Add the samba service to firewalld.
Create user user01 on the Samba server.
Edit the smb.conf file.
Use the testparm command to check the syntax of the smb.conf file.
Create a password for user user01.

Assumptions
You are the root user on dom0.

Tasks
1. Install the samba packages on host03.
a. As the root user on dom0, use the ssh command to log in to host03.
The root password is oracle.
[dom0]# ssh host03
root@host03's password: oracle
Last login: ...
[host03]#
b. From host03, use the rpm -qa command to list the installed samba packages.
In this example, two samba packages are installed. The samba package and the
samba-client package need to be installed.
# rpm -qa | grep samba
samba-libs-4.1.12-21.el7.x86_64
samba-common-4.1.12-21.el7.x86_64
c. Use the yum command to install the samba package and the samba-client package.
The samba-client package includes the smbpasswd utility.
Answer y to Is this ok.
# yum install samba samba-client
...
Transaction Summary
=============================================================
Install 2 Packages
Total download size: 1.0 M
Installed size: 3.0 M
Is this ok [y/d/N]: y
...
Complete!
2. Start the smb service on host03.
a. Use the systemctl command to obtain the status of the smb service.
# systemctl status smb
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: inactive
b. Use the systemctl command to enable the smb service.
# systemctl enable smb
ln -s /usr/lib/systemd/system/smb.service /etc/systemd/system/multi-user.target.wants/smb.service
c. Use systemctl to start the smb service.
# systemctl start smb
# systemctl status smb
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)
   Active: active (running) since ...
 Main PID: ... (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
...
3. Modify firewalld to allow access to the samba service.
a. Use the firewall-cmd command to determine the active firewalld zone.
In this example, the active zone is public.
# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1 eth2
b. Use the firewall-cmd command to list the services that are trusted for the active
zone.
In this example, the dhcpv6-client, ldap, and ssh services are trusted.
# firewall-cmd --list-services
dhcpv6-client ldap ssh
c. Use the firewall-cmd command to trust the samba service for the public zone.
Update both the runtime configuration and the permanent configuration.
# firewall-cmd --zone=public --add-service=samba
success
# firewall-cmd --permanent --zone=public --add-service=samba
success

4. Add a new user on host03.
a. Use the useradd command to add user01.
# useradd user01
b. Use the passwd command to set the password to oracle for user01.
Ignore the BAD PASSWORD warning messages.
# passwd user01
Changing password for user user01.
New password: oracle
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: oracle
passwd: all authentication tokens updated successfully.

5. Edit the smb.conf file.
a. Use the cd command to change to the /etc/samba directory.
Use the ls command to list the contents of the directory.
# cd /etc/samba
# ls
lmhosts  smb.conf
b. Use the vi editor to edit the smb.conf file. Use the :set nu command to turn on line
numbers.
# vi smb.conf
...
:set nu
c. At around line number 89, change workgroup = MYGROUP to workgroup =
GROUPA.
The workgroup parameter defines the workgroup name for your environment. In
the classroom environment, this parameter has no effect.
workgroup = GROUPA
d. At around line number 92, change netbios name = MYSERVER to netbios name
= SMB-HOST03.
Remove the semicolon at the beginning of the line.
The netbios name parameter is set to the name recognized by your Windows
environment for your Samba server. In the classroom environment, this parameter
has no effect.
netbios name = SMB-HOST03
e. At around line number 123, ensure that the security parameter is set to user and
that the security parameter line is uncommented.
You do not need to make changes to this line.
security = user
f. At around line number 282, examine the [homes] stanza.
You do not need to make changes to this stanza.
The default options for this share definition allow users to access their home
directory as Samba shares from a remote location.
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;       valid users = %S
;       valid users = MYDOMAIN\%S
g. At around line number 288, immediately following the [homes] stanza, add a [tmp]
stanza for the /tmp directory.
This stanza allows users to access the /tmp directory as a Samba share.
[tmp]
        path = /tmp
        writable = yes
        guest ok = yes

h. Save the changes to the smb.conf file and exit vi.
6. Use the testparm command to check the syntax of the smb.conf file.
If you do not specify a name for the configuration file with the testparm
command, the command uses the default path name at /etc/samba/smb.conf.
Press Enter when prompted.
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[tmp]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
<Press the ENTER key>
[global]
        workgroup = GROUPA
        netbios name = SMB-HOST03
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        idmap config * : backend = tdb
        cups options = raw
[homes]
        comment = Home Directories
        read only = No
        browseable = No
[tmp]
        path = /tmp
        read only = No
        guest ok = Yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No
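As an added example (not part of the Oracle course material), the script below audits an smb.conf the way the testparm dump above invites: it lists the shares that are both guest-accessible and writable, which is exactly what the [tmp] stanza in this practice creates, and reports the effective [global] security mode. The sample configuration is constructed inline, and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the Oracle course: audit an smb.conf for shares that
# anonymous (guest) clients can write to, the combination the [tmp] stanza in
# this practice creates. Both spellings testparm accepts are handled:
# "writable = yes" and its normalized form "read only = No".

# Print the names of shares (excluding [global]) with guest ok = yes and
# write access. $1 is the path to an smb.conf-style file.
smb_guest_writable_shares() {
    awk '
        function is_yes(v) { return (v == "yes" || v == "true" || v == "1") }
        function flush() {
            if (section != "" && section != "global" && guest && writable)
                print section
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            # skip blank lines and comments (# or ;)
            if (line == "" || line ~ /^[#;]/) next
        }
        line ~ /^\[.*]$/ {
            flush()
            section = tolower(substr(line, 2, length(line) - 2))
            guest = 0; writable = 0
            next
        }
        {
            n = index(line, "=")
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1)); sub(/[ \t]+$/, "", key)
            val = tolower(substr(line, n + 1)); sub(/^[ \t]+/, "", val)
            if (key == "guest ok" || key == "public") guest = is_yes(val)
            if (key == "writable" || key == "writeable" || key == "write ok") writable = is_yes(val)
            if (key == "read only") writable = !is_yes(val)
        }
        END { flush() }
    ' "$1"
}

# Print the effective [global] "security" value; Samba defaults to "user".
smb_security_mode() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^[#;]/) next
        }
        line ~ /^\[.*]$/ { section = tolower(substr(line, 2, length(line) - 2)); next }
        section == "global" && tolower(line) ~ /^security[ \t]*=/ {
            n = index(line, "=")
            mode = tolower(substr(line, n + 1)); gsub(/[ \t]/, "", mode)
        }
        END { print (mode == "" ? "user" : mode) }
    ' "$1"
}

# Constructed sample mirroring the smb.conf edited in this practice.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
        workgroup = GROUPA
        netbios name = SMB-HOST03
        security = user
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;       valid users = %S
[tmp]
        path = /tmp
        writable = yes
        guest ok = yes
[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = yes
        browseable = no
EOF

# For the sample above this reports mode "user" and the single share "tmp";
# [homes] is writable but not guest-accessible, so it is not listed.
echo "security mode: $(smb_security_mode "$SAMPLE_SMB_CONF")"
echo "guest-writable shares: $(smb_guest_writable_shares "$SAMPLE_SMB_CONF")"
```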

7. Reload the smb.conf file.
a. Run the systemctl command to reload the smb service.
This command reloads the smb.conf file without stopping the smb service.
# systemctl reload smb
b. Run the systemctl command to view the status of the smb service.
# systemctl status smb
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)
   Active: active (running) since ...
 Main PID: ...
...
<date_time> host03.example.com systemd[1]: Reloaded Samba ...
...
8. Create a Samba password for the user01 user.
Use the smbpasswd command to add user user01 to the local smbpasswd file.
Set the password for user01 to MyOracle1.
You use this password when accessing a Samba share from another Linux system
or a Windows system as user01.
# smbpasswd -a user01
New SMB password: MyOracle1
Retype new SMB password: MyOracle1
Added user user01.

Practice 7-2: Accessing Samba Shares from a Client Host

Overview
In this practice, you do the following:
Access the Samba shares that you set up on host03 in the previous practice, from
host01, which acts as an Oracle Linux Samba client.
Mount and unmount a Samba share on host01.

Assumptions
All steps are performed from the host01 VM except where indicated.

Tasks
1. Install the samba-client package on host01.
a. If necessary, open a new terminal window on dom0.
b. Use the su - command to become the root user on dom0.
The root password is oracle.
[dom0]$ su -
Password: oracle
c. As the root user on dom0, use the ssh command to log in to host01.
The root password is oracle.
[dom0]# ssh host01
root@host01's password: oracle
Last login: ...
d. From host01, use the yum command to install the samba-client package.
Answer y to Is this ok.
[host01]# yum install samba-client
...
Is this ok [y/N]: y
...
Complete!
2. From host01, access the Samba shares on host03 as user user01.
a. Use the smbclient command to access the /tmp directory on host03.
The Samba password for user01 is MyOracle1.
[host01]# smbclient //host03/tmp -U user01
Enter user01's password: MyOracle1
Domain=[GROUPA] OS=[Unix] Server=[Samba 4.1.12]
smb: \>

b. If the smbclient command returns session setup failed:
NT_STATUS_LOGON_FAILURE, use the systemctl command on host03 to restart
the smb service.
After restarting the smb service, run the smbclient command in step 2a again.
[host03]# systemctl restart smb
c. At the smb: prompt on host01, use the ls command to list the files in the /tmp
directory on host03.
smb: \> ls
  .                                   D        0  ...
  ..                                 DR        0  ...
  ...
smb: \>
d. Use the exit command to exit the smb session on host01.
smb: \> exit
e. Use the smbclient command to access the home directory for user user01 on
host03.
The Samba password for user01 is MyOracle1.
[host01]# smbclient //host03/user01 -U user01
Enter user01's password: MyOracle1
Domain=[GROUPA] OS=[Unix] Server=[Samba 4.1.12]
smb: \>
f. Use the ls command to list the files in the home directory for user user01.
The command fails because SELinux is in Enforcing mode.
SELinux is covered in a subsequent lesson in this course.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
g. Use the exit command to exit the smb session.
smb: \> exit
h. To allow Samba users access to their home directories, set SELinux to Permissive
mode on host03.
You could configure SELinux to allow Samba users to access their home
directories; however, for the purposes of this practice, set SELinux to Permissive
mode.
[host03]# getenforce
Enforcing
[host03]# setenforce 0
[host03]# getenforce
Permissive

i. On host01, re-issue the smbclient command to access the home directory for user
user01 on host03.
The Samba password for user01 is MyOracle1.
[host01]# smbclient //host03/user01 -U user01
Enter user01's password: MyOracle1
Domain=[GROUPA] OS=[Unix] Server=[Samba 4.1.12]
smb: \>
j. Use the ls command to list the files in the home directory for user user01.
Because of the change in the SELinux mode, you can now list and access the files
in user01's home directory.
smb: \> ls
  .                                   D  ...
  ..                                  D  ...
  .mozilla                           DH  ...
  .bash_logout                        H  ...
  .bash_profile                       H  ...
  .bashrc                             H  ...
  ...
smb: \>
k. Use the exit command to exit the smb session.
smb: \> exit
3. On host01, mount and unmount a Samba share from your Oracle Linux client.
a. On host01, create a mount point for user01's home directory.
[host01]# mkdir /homedir
b. Use the yum command to install the cifs-utils package.
Answer y to Is this ok.
[host01]# yum install cifs-utils
...
Is this ok [y/N]: y
...
Complete!
c. Use the mount.cifs command to mount user01's home directory on the newly
created mount point.
Specify read-only in the mount options.
The Samba password for user01 is MyOracle1.
[host01]# mount.cifs -o username=user01,ro //host03/user01 /homedir
Password for user01@//host03/user01: MyOracle1
d. Use the df -hT command to verify that the mount operation was successful.
Notice that the file system type for //host03/user01 is cifs.
[host01]# df -hT
Filesystem       Type  Size  Used  Avail  Use%  Mounted on
...
//host03/user01  cifs   11G  3.2G   7.1G   32%  /homedir
e. Verify that the /homedir directory is read-only by using the mount command.
[host01]# mount | grep homedir
//host03/user01 on /homedir type cifs (ro,relatime,vers=1.0...)
f. List the contents of /homedir.
Notice that the directory is empty.
[host01]# ls /homedir
g. On host03, use the touch command to create the /home/user01/testfile file.
[host03]# touch /home/user01/testfile
h. On host01, list the contents of /homedir.
Notice that the testfile can now be seen from host01.
[host01]# ls /homedir
testfile
i. On host01, use the umount command to unmount the Samba share.
Using the cd command ensures you are not in the /homedir directory.
[host01]# cd
[host01]# umount /homedir
j. Use the exit command to log off host01.
[host01]# exit
logout
Connection to host01 closed.
k. Set SELinux to Enforcing mode on host03.
[host03]# getenforce
Permissive
[host03]# setenforce 1
[host03]# getenforce
Enforcing
l. Use the systemctl poweroff command to shut down host03.
You are instructed to shut down host03 in preparation for Practice 8.
[host03]# systemctl poweroff
...
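As an added check that is not part of the course, the functions below read a /proc/mounts-style table (the same fields that the mount | grep homedir line in step 3e shows) to confirm that a CIFS share is really mounted read-only and to report which SMB dialect was negotiated, rather than trusting the options typed on the mount.cifs command line. The mount table here is constructed, and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the Oracle course: verify a CIFS mount from the
# kernel's mount table instead of from the options passed to mount.cifs.
# /proc/mounts fields: device mountpoint fstype options dump pass.

# Print the option field of the cifs mount at mount point $1, read from the
# mounts file $2 (default /proc/mounts). Returns 1 if no such mount exists.
cifs_mount_options() {
    awk -v mp="$1" '$2 == mp && $3 == "cifs" { print $4; found = 1 }
                    END { exit !found }' "${2:-/proc/mounts}"
}

# Return 0 if the cifs mount at $1 is read-only ("ro" in its option list),
# 1 if it is writable, 2 if nothing is mounted there.
cifs_mount_is_ro() {
    opts=$(cifs_mount_options "$1" "${2:-/proc/mounts}") || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the SMB dialect the mount at $1 negotiated (its vers= option).
# "1.0" is the legacy SMB1 dialect, which the mount in step 3e shows.
cifs_mount_dialect() {
    opts=$(cifs_mount_options "$1" "${2:-/proc/mounts}") || return 2
    printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^vers=//p'
}

# Constructed sample mount table; the /homedir line mirrors step 3e above,
# the other cifs line is a made-up writable SMB 3.0 mount for contrast.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/mapper/ol-root / xfs rw,relatime,attr2,inode64,noquota 0 0
//host03/user01 /homedir cifs ro,relatime,vers=1.0,cache=strict,username=user01,uid=0,gid=0,rsize=1048576,wsize=65536 0 0
//host03/tmp /mnt/tmpshare cifs rw,relatime,vers=3.0,cache=strict,username=user01,uid=0,gid=0 0 0
EOF

# Report each sample cifs mount: /homedir is read-only on SMB 1.0,
# /mnt/tmpshare is writable on SMB 3.0.
for mp in /homedir /mnt/tmpshare; do
    if cifs_mount_is_ro "$mp" "$SAMPLE_MOUNTS"; then state=read-only; else state=writable; fi
    echo "$mp: $state, SMB dialect $(cifs_mount_dialect "$mp" "$SAMPLE_MOUNTS")"
done
```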

Practice 7-3: Accessing a Linux Samba Share from a Windows System

Overview
In this practice, you become familiar with procedures to access a Linux Samba share from a
Windows system. You do not have a Windows system in the Oracle classroom environment. All
you can do is read through the tasks in this practice to help understand the steps.

Assumptions
This practice is not intended to be a hands-on exercise.
The Linux Samba server is host01; its IP address is 192.0.2.101.

Tasks
1. Access user01's home directory on the host01 VM from a Windows machine.
In this task, you examine the steps to access the home directory for user01, residing
on the host01 VM. This home directory is offered as a network share through Samba
services running on host01. You performed the same task previously, but you
accessed the share from an Oracle Linux client.
The steps are identical to the steps that are needed to map any Windows network
share.
You can use your Windows username if the Samba administrator has mapped your
Windows domain username to a Samba Linux username on the Linux host providing
the Samba services.
In this example, you use user01 as the username, and provide the Samba password
set up for this username.
a. Launch the tool to map a network drive.
b. Provide the name of the share as \\<server name>\<share name>.
Select Connect using different credentials to provide your Linux username and its
associated Samba password.
c. In the Windows Security window, enter the credentials for the share as user01 and
the Samba password as MyOracle1.
Click OK to access and map the drive.
d. After successful completion of the mapping operation, the home directory for
user01 on host01 is mapped to drive H:.
You can view and manipulate the files in the H: drive.
e. Use Disconnect to release the network share.

Practices for Lesson 8:
Advanced Software Package
Management
Chapter 8

Practices for Lesson 8: Overview

Practices Overview
In these practices, you:
Learn to manage Yum plug-ins
Create a binary RPM package
Manage software updates with PackageKit's Software Update program
Work with Yum history and Yum cache

Practice 8-1: Exploring the host04 VM

Overview
In this practice, you do the following:
Start the host04 VM.
Log in to host04.
View Public Yum Server configuration on host04.

Assumptions
You are the root user on dom0.
The host04 VM is preconfigured to access Oracle's Public Yum Server.

Tasks
1. Start the host04 VM.
a. From dom0, run the xm list command to list the running VMs.
You were instructed to shut down host03 at the end of Practice 7.
In this example, only host01 and host02 VMs are running.
# xm list
Name        ID   Mem VCPUs   State   Time(s)
Domain-0     0  2048     2   r-----    758.9
host01       4  1536     1   -b----     37.4
host02       5  1536     1   -b----     37.3
b. If host03 is running on your system, use the xm shutdown command to shut it down.
The available memory on dom0 allows a maximum of only three VMs to be running.
It is necessary to shut down one VM before starting the host04 VM.
# xm shutdown -w host03
Domain host03 terminated
All domains terminated
c. If the xm shutdown command is taking more than a few seconds to complete, press
Ctrl + C to kill the command and run the following xm destroy command.
# xm destroy host03
d. Use the cd command to change to the /OVS/running_pool/host04 directory.
# cd /OVS/running_pool/host04
e. Run the xm create command to create the host04 VM.
# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host04 (id=...)

2. Log in to host04.
a. Determine the VNC port number for host04 by running the xm list -l host04 |
grep location command.
# xm list -l host04 | grep location
(location 0.0.0.0:5904)
(location 3)
The sample shown indicates that the port number is 5904. Your port number might
be different.
b. Run the vncviewer& command.
# vncviewer&
The VNC Viewer: Connection Details dialog box is displayed.
c. Enter localhost:<port_number>, substituting the port number displayed from the
previous xm list -l host04 | grep location command. For example, if the
port number is 5904, enter localhost:5904 and click Connect.
The GNOME login screen appears.
d. Click Oracle Student in the list of users. You are prompted for the Password.
e. Enter oracle for the Password and click Sign In.
The GNOME desktop appears.
f. Right-click the desktop to display the pop-up menu.
g. From the pop-up menu, click Open in Terminal.
A terminal window appears.
h. In the terminal window, use the su - command to become the root user.
The root password is oracle.
$ su -
Password: oracle
#
When starting the host04 VM, there might be a pop-up notice to update the system. Close
the pop-up window and do not install updates.
3. View the Public Yum Server configuration on host04.
The host04 VM is preconfigured to access Oracle's Public Yum Server.
There are four files that provide access to Public Yum:
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/resolv.conf
/etc/profile
/etc/yum.repos.d/public-yum-ol7.repo
The DNS and proxy configurations are specific to the Oracle University environment.

a. Use the cat command to view the contents of the /etc/sysconfig/network-scripts/ifcfg-eth0 file.
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
...
DNS1=192.0.2.1
DNS2=152.68.154.3
DNS3=10.216.106.3
DNS4=193.32.3.252
DOMAIN="us.oracle.com example.com"
...
b. Use the cat command to view the contents of the /etc/resolv.conf file.
The content of this file is automatically generated by NetworkManager from the
DOMAIN and DNS* entries in the ifcfg-eth0 file.
# cat /etc/resolv.conf
# Generated by NetworkManager
search us.oracle.com example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 193.32.3.252
c. Use the tail command to view the last five lines in the /etc/profile file.
The HTTP proxy server variable is set in the last line of this file.
# tail /etc/profile
...
export http_proxy=http://ges-proxy.us.oracle.com:80
d. Use the cat command to view the public-yum-ol7.repo file in the
/etc/yum.repos.d directory.
The following two Public Yum repositories are enabled:
ol7_latest (enabled=1)
ol7_UEKR3 (enabled=1)
# cat /etc/yum.repos.d/public-yum-ol7.repo
[ol7_latest]
...
enabled=1
...
[ol7_UEKR3]
...
enabled=1
...

Practice 8-2: Managing Yum Plug-Ins

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you do the following:
View currently installed Yum plug-ins.

Exercise the langpacks plug-in.

Install and exercise the aliases plug-in.

Assumptions
You are the root user on host04.

Tasks
1.

On host04, display currently installed Yum plug-ins.


Sample output is provided throughout this practice. Your output might be different.
a. Use the yum clean all command to clean all cached information.

a
s
a
h
)
o
# yum clean all
c ide

u
Cleaning repos: ol7_UEKR3 ol7_latest
d Gu
e

r
Cleaning up everything
ita dent
l
i
If the following message appears, open another
imterminal
tuwindow and kill the
n
S
u
PackageKit process id (PID).
o@ e this
s
r
In this example, the PID is 2048.
o
c
usthe yum lock; waiting for it

n
o
Another app is currently
holding
t
a
(ju nse
exit...
s
ia lice is: PackageKit
rapplication
The other
a
le
o : ...
Memory
b
s
r
a
o fer...
cStarted:
s
n
n
a
jua -State
: Sleeping, pid: 2048
r
t
n
no...

In a new terminal window, use the su - command to become the root user
(password is oracle), then use the kill <PID> command to kill the
PackageKit process.

In this example, the PID is 2048.

to

$ su
Password: oracle
# kill 2048
b.

Run the yum repolist command.

Many yum commands display the plug-ins; this is just one example.

The first yum command takes a few minutes to complete because the Public Yum
repositories need to initialize. Subsequent yum commands do not require this
initialization process.
Each time you execute the yum command, the currently enabled Yum plug-ins are
listed immediately, before the output of the yum command.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this example, the langpacks Yum plug-in is currently enabled.


# yum repolist
Loaded plugins: langpacks
ol7_UEKR3 ...
ol7_latest ...
...
repo id
repo name
status
ol7_UEKR3/x86_64 Latest Unbreakable Enterprise Kernel ...
ol7_latest/x86_64 Oracle Linux 7Server Latest (x86_64) ...
...

c. Use the cd command to change to the /etc/yum/pluginconf.d directory.

Use the ls command to list the contents of the directory.

This directory contains a configuration file for each installed Yum plug-in.

Note that there are two configuration files but only one plug-in listed in the output of step 1a. The rhnplugin.conf file is the configuration file for the yum-rhn-plugin. The yum-rhn-plugin is used to connect to the Red Hat Network (RHN) and this plug-in is not enabled when running Oracle Linux.

# cd /etc/yum/pluginconf.d
# ls -l
total 12
-rw-r--r--. ... langpacks.conf
-rw-r--r--. ... rhnplugin.conf

d. Use the cat command to view the contents of the langpacks.conf file.

This plug-in is enabled.

# cat langpacks.conf
[main]
enabled=1
...

e. Use the cat command to view the contents of the rhnplugin.conf file.

This plug-in is not enabled.

The contents of a Yum plug-in configuration file vary from one plug-in to another. The [main] section and its enabled= key are common to all of them: yum loads a plug-in only if its file in this directory sets enabled=1 and plugins=1 is set in /etc/yum.conf.

# cat rhnplugin.conf
[main]
enabled=0
...
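The enabled= key is the switch the rest of this practice relies on: yum reads it from the plug-in's file in /etc/yum/pluginconf.d when it loads the plug-in module. As an added example (not code from the Oracle guide or from any shipped plug-in), here is a complete plug-in that uses the same layout and runs a policy check after dependency resolution: it aborts the transaction if any package would be installed or updated from a repository that is not on an allow-list. It relies on yum's plug-in API as documented for yum 3.4 (requires_api_version, plugin_type, postresolve_hook, conduit.getTsInfo() and conduit.confString()); the plug-in name repoguard, its allowed_repos option and the repository ids in DEFAULT_ALLOWED are assumptions made for this example.

```python
# Added example, not from the Oracle guide: a minimal yum plug-in in the
# layout the guide describes (a .conf under /etc/yum/pluginconf.d plus the
# plug-in module). The plug-in name "repoguard", its option "allowed_repos"
# and the repository ids below are assumptions for this example.
#
# Assumed file layout:
#   /usr/lib/yum-plugins/repoguard.py      (this module)
#   /etc/yum/pluginconf.d/repoguard.conf:
#       [main]
#       enabled=1
#       allowed_repos=ol7_latest ol7_UEKR3
from __future__ import print_function
from collections import namedtuple

try:
    from yum.plugins import TYPE_CORE, PluginYumExit
except ImportError:
    # Outside of yum (for example when unit-testing), provide stand-ins so
    # the module still imports; yum itself supplies the real names.
    TYPE_CORE = 'core'

    class PluginYumExit(Exception):
        """Raised to abort the yum transaction with a message."""

requires_api_version = '2.3'
plugin_type = (TYPE_CORE,)

DEFAULT_ALLOWED = 'ol7_latest ol7_UEKR3'   # used if the .conf has no allowed_repos=

# ts_state values of a yum TransactionMember that bring new bits onto the
# system: install, update, obsoleting install. Erase ('e') is not checked.
INSTALLING_STATES = ('i', 'u', 'o')

# Stand-in for yum's TransactionMember carrying the three attributes we read.
Member = namedtuple('Member', 'name repoid ts_state')


def find_disallowed(members, allowed_repos):
    """Return [(name, repoid), ...] for every member that would install or
    update a package from a repository not in allowed_repos."""
    allowed = set(allowed_repos)
    return [(m.name, m.repoid) for m in members
            if m.ts_state in INSTALLING_STATES and m.repoid not in allowed]


def postresolve_hook(conduit):
    """Called by yum after dependency resolution and before any download.
    Abort the whole transaction if any package comes from an unlisted repo."""
    allowed = conduit.confString('main', 'allowed_repos',
                                 default=DEFAULT_ALLOWED).split()
    members = conduit.getTsInfo().getMembers()
    bad = find_disallowed(members, allowed)
    if bad:
        for name, repoid in bad:
            conduit.error(1, 'repoguard: %s would be installed from '
                             'disallowed repository %s' % (name, repoid))
        raise PluginYumExit('repoguard: transaction blocked')
    conduit.info(2, 'repoguard: %d package(s), all from allowed '
                    'repositories' % len(members))


if __name__ == '__main__':
    # Offline demonstration with constructed transaction members.
    demo = [Member('bash', 'ol7_latest', 'u'),
            Member('hello', 'rpmbuilder-local', 'i'),   # constructed, not allowed
            Member('xorg-x11-drv-dummy', 'installed', 'e')]
    print(find_disallowed(demo, DEFAULT_ALLOWED.split()))   # [('hello', 'rpmbuilder-local')]
```

Install it as /usr/lib/yum-plugins/repoguard.py with a matching /etc/yum/pluginconf.d/repoguard.conf. On the next run yum lists it under Loaded plugins:, and a yum install that resolves to a package from an unlisted repository stops before any download. Without the .conf file, or with enabled=0 in it, the module is ignored, exactly as rhnplugin.conf is above.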


2. Exercise the langpacks plug-in.

a. Use the rpm -qa command to find the package name of the langpacks plug-in.

The package name is yum-langpacks.

# rpm -qa | grep langpacks
yum-langpacks-0.4.2-3.el7.noarch

b. Use the rpm -ql command to view the files that are included with the yum-langpacks package.

The man page installed with the yum-langpacks package is yum-langpacks(8).

# rpm -ql yum-langpacks
/etc/yum/pluginconf.d/langpacks.conf
/usr/lib/python2.7/site-packages/yum_langpacks-0.4.2-py2.7...
...
/usr/share/man/man8/yum-langpacks.8.gz

c. View the yum-langpacks(8) man page.

After viewing the man page, press q to quit.

# man yum-langpacks
...
DESCRIPTION
       yum-langpacks is a plugin for yum to install language packs. This plug-in allows various user commands.

       command is one of:

       * langavailable [language1] [language2] [...]
       * langinfo [language1] [language2] [...]
       * langinstall [language1] [language2] [...]
       * langlist [language1] [language2] [...]
       * langremove [language1] [language2] [...]

       langavailable
              This command allows user to find if language support is available for the given input languages.

       langinfo
              This command allows user to check which packages get installed when the given input language support is installed.

       langinstall
              This command allows user to install language packs for the given input languages.

       langlist
              This command prints list of the installed languages.

       langremove
              This command allows user to remove the installed language packs for a given input languages.
...
d. Use the langpacks plug-in to list the available languages.

Pipe the output to less to view one page at a time.

# yum langavailable | less
Loaded plugins: langpacks
Displaying all available language:
Afrikanns [af]
Akan [ak]
Albanian [sq]
Amharic [am]
...
Yiddish [yi]
Zulu [zu]

e. Use the langpacks plug-in to list the packages that get installed with Yiddish language support.

You can use either Yiddish or the language ID, yi, as an argument to this command.

# yum langinfo Yiddish
Loaded plugins: langpacks
Language-Id=Yiddish
hunspell-yi
f. Use the langpacks plug-in to install Yiddish language support.

Answer y to "Is this ok".

You are asked about the GPG key only the first time you use yum to install or update a package. Check that the key ID and fingerprint shown match Oracle's published repository key before answering y: once imported, that key is trusted for every later package from the repository.

# yum langinstall Yiddish
Loaded plugins: langpacks
...
Is this ok [y/d/N]: y
...
Importing GPG key ...
...
Is this ok [y/N]: y
...
Language packs installed for: yi

g. Use the langpacks plug-in to list the installed languages.

Note that the Yiddish language support is now installed.

# yum langlist
Loaded plugins: langpacks
Installed languages:
Yiddish

h. Use the langpacks plug-in to remove Yiddish language support.

Answer y to "Is this ok".

# yum langremove Yiddish
Loaded plugins: langpacks
...
Is this ok [y/N]: y
...
Language packs removed for: Yiddish

3. Install the aliases Yum plug-in.

a. Use the yum command to list available Yum plug-ins that you can install.

In this example, there are six Yum plug-ins available to install.

# yum list available | grep yum-plugin
kabi-yum-plugins.noarch ...
yum-plugin-aliases.noarch ...
yum-plugin-changelog.noarch ...
...
yum-plugin-tmprepo.noarch ...
yum-plugin-verify.noarch ...
yum-plugin-versionlock.noarch ...
b. Use the yum command to install the yum-plugin-aliases plug-in.

Answer y to "Is this ok".

# yum install yum-plugin-aliases
...
Is this ok [y/d/N]: y
...
Complete!


4. Exercise the aliases plug-in.

a. Use the rpm -ql command to view the files that are included with the yum-plugin-aliases package.

Note that the man page installed with the yum-plugin-aliases package is yum-aliases(1).

# rpm -ql yum-plugin-aliases
/etc/yum/aliases.conf
/etc/yum/pluginconf.d/aliases.conf
...
/usr/share/man/man1/yum-aliases.1.gz

b. View the yum-aliases(1) man page.

After viewing the man page, press q to quit.

# man yum-aliases
...
DESCRIPTION
       This plugin changes other commands in yum, much like the alias command in bash. There are a couple of notable differences from shell style aliases though. The alias command has three forms:

       * alias
       * alias command
       * alias command result

       The first form lists all current aliases with their final result, the second form looks up a command and shows its final result or an error message. The last form creates a new alias.
...
c. Use the cat command to view the /etc/yum/aliases.conf file.

This file defines a number of Yum command aliases.

Note that the FORCE alias expands to --skip-broken --disableexcludes=all, which bypasses every exclude= list configured in /etc/yum.conf and in the repository files; use it deliberately, not as a routine shortcut.

# cat /etc/yum/aliases.conf
...
DEV --enablerepo=development
UPT --enablerepo=updates-testing
...
SEC --security
CRIT --sec-severity=critical
FORCE --skip-broken --disableexcludes=all
DUPS --showduplicates
up upgrade
inst install
in install
rm remove
down downgrade
rein reinstall
...
ls list
lsi ls installed
lsa ls available
...
d.

Use the aliases plug-in to list Yum command aliases.


# yum alias
Loaded plugins: aliases, langpacks
Alias ALL = --enablerepo=development --enablerepo=updates...
Alias ALLDBG = --enablerepo=fedora-debuginfo --enablerepo=...
Alias CRIT = --sec-severity=critical
...
Alias up = upgrade
Alias upi = updateinfo
Alias v = version
alias done

e. Use the aliases plug-in to list the available packages to install.

The command to list available packages to install is yum list available.

The lsa alias produces the same list of available packages.

# yum lsa
...
zsh.x86_64           5.0.2-7.el7_1.1       ol7_latest
zziplib.i686         0.13.62-5.el7         ol7_latest
zziplib.x86_64       0.13.62-5.el7         ol7_latest

Practice 8-3: Using Yum Utilities

Overview
In this practice, you do the following:
View available errata for your system.
View CVE information.
Update the packages affected by the specific CVE.
View software package information.
View dependencies for a software package.
Use the Yum --downloadonly option.
Use the yumdownloader and the repoquery utilities.

Assumptions
You are the root user on host04.

Tasks
1. Manage errata for your system.

a. Run the yum updateinfo list command to list all the errata that are available for your system.

Sample output is provided. New errata exist since this example was created.

This errata list provides the errata ID for each entry in the errata.

Errata fall into three categories:
Bug fixes (ELBA)
Security fixes (ELSA), listed by priority (critical, important, moderate)
Enhancements (ELEA)

# yum updateinfo list
Loaded plugins: aliases, langpacks
ELSA-2015-0672 Moderate/Sec.  bind-libs-32:9.9.4-18.el7_1.1...
ELSA-2015-0672 Moderate/Sec.  bind-libs-lite-32:9.9.4-18.el7...
...
ELBA-2015-0741 bugfix         binutils-2.23.52.0.1-30.el7_1.1...
ELBA-2015-0974 bugfix         binutils-2.23.52.0.1-30.el7_1.2...
...
ELEA-2015-0969 enhancement    crash-7.0.9-5.el7_1.x86_64
ELEA-2015-0732 enhancement    dnsmasq-2.66-13.el7_1.x86_64
...
ELSA-2015-0265 Critical/Sec.  firefox-31.5.0-2.0.1.el7_0...
ELSA-2015-0718 Critical/Sec.  firefox-31.5.3-3.0.1.el7_1...
...
updateinfo list done

b.

Use the cves option with the yum updateinfo list command to display only the
security patches.
This list provides the CVE ID instead of the errata ID.
# yum updateinfo list cves
Loaded plugins: aliases, langpacks
CVE-2015-1349 Moderate/Sec. bind-libs-32:9.9.4-18.el7_1.1...
CVE-2015-1349 Moderate/Sec. bind-libs-lite-32:9.9.4-18.el7...
...
CVE-2015-0822 Critical/Sec. firefox-31.5.0-2.0.1.el7_0...
CVE-2015-0827 Critical/Sec. firefox-31.5.0-2.0.1.el7_0...
...
CVE-2014-8962 Important/Sec. flac-libs-1.3.0-5.el7_1.x86_64
CVE-2014-9028 Important/Sec. flac-libs-1.3.0-5.el7_1.x86_64
...
CVE-2015-0255 Moderate/Sec. xorg-x11-server-common-1.15.0-...
updateinfo list done

c. Correlate a published CVE to its errata ID. The following example selects the last CVE in the previous output.

Use the --cve <CVE> option to the yum updateinfo list command.

The list for this CVE includes the security patches by errata ID for the particular CVE ID. This CVE affects two packages in this example.

Your output differs if you choose a different CVE.

# yum updateinfo list --cve CVE-2015-0255
Loaded plugins: aliases, langpacks
ELSA-2015-0797 Moderate/Sec. xorg-x11-server-Xorg-1.15.0...
ELSA-2015-0797 Moderate/Sec. xorg-x11-server-common-1.15...
updateinfo list done
d. Display additional information about a specific CVE.

Use the info argument instead of the list argument.

Your output differs if you choose a different CVE.

# yum updateinfo info --cve CVE-2015-0255
Loaded plugins: aliases, langpacks
==============================================================
  xorg-x11-server security update
==============================================================
  Update ID : ELSA-2015-0797
    Release : Oracle Linux 7
       Type : security
     Status : final
     Issued : 2015-04-09
       CVEs : CVE-2015-0255
Description : [1.15.0-26]
            : - CVE fixes for: CVE-2015-0255
   Severity : Moderate
updateinfo info done

e.

Update the packages affected by the specific CVE.

Answer y when asked Is this ok.


# yum update --cve CVE-2015-0255
Loaded plugins: aliases, langpacks
...
Is this ok [y/d/N]: y
...
Complete!
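The steps above pair a CVE with its errata ID one CVE at a time (--cve). As an added example, not code from the Oracle guide, the following script parses the two listings shown in steps 1a and 1b and does the correlation for every CVE at once, together with a per-severity summary to decide what has to be updated first. The two sample listings are constructed for this example in the layout of the guide's output; on a live system you would feed it the captured output of yum updateinfo list and yum updateinfo list cves.

```python
# Added example, not from the Oracle guide: parse "yum updateinfo list" and
# "yum updateinfo list cves" output (the formats of steps 1a and 1b) and
# correlate CVEs to errata IDs for the whole list, as step 1c does for one
# CVE with --cve. SAMPLE_LIST and SAMPLE_CVES are constructed; only their
# layout matches the guide's output.
import re
from collections import defaultdict

SAMPLE_LIST = """\
Loaded plugins: aliases, langpacks
ELSA-2015-0672 Moderate/Sec.  bind-libs-32:9.9.4-18.el7_1.1.x86_64
ELBA-2015-0741 bugfix         binutils-2.23.52.0.1-30.el7_1.1.x86_64
ELEA-2015-0969 enhancement    crash-7.0.9-5.el7_1.x86_64
ELSA-2015-0265 Critical/Sec.  firefox-31.5.0-2.0.1.el7_0.x86_64
ELSA-2015-0797 Moderate/Sec.  xorg-x11-server-Xorg-1.15.0-33.el7_1.x86_64
updateinfo list done
"""

SAMPLE_CVES = """\
Loaded plugins: aliases, langpacks
CVE-2015-1349 Moderate/Sec.  bind-libs-32:9.9.4-18.el7_1.1.x86_64
CVE-2015-0822 Critical/Sec.  firefox-31.5.0-2.0.1.el7_0.x86_64
CVE-2015-0827 Critical/Sec.  firefox-31.5.0-2.0.1.el7_0.x86_64
CVE-2015-0255 Moderate/Sec.  xorg-x11-server-Xorg-1.15.0-33.el7_1.x86_64
updateinfo list done
"""

# Rank used to compare severities; higher is more urgent.
SEVERITY_RANK = {'Critical': 4, 'Important': 3, 'Moderate': 2, 'Low': 1}

# One data line: <advisory or CVE id> <type or severity/Sec.> <package NEVRA>
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s*$')


def parse_updateinfo(text):
    """Return [(id, kind, package), ...] for the data lines, skipping the
    'Loaded plugins' banner and the 'updateinfo list done' trailer."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or line.startswith(('Loaded plugins', 'updateinfo list')):
            continue
        rows.append(m.groups())
    return rows


def severity(kind):
    """'Critical/Sec.' -> 'Critical'; 'bugfix' / 'enhancement' -> None."""
    if kind.endswith('/Sec.'):
        return kind.split('/', 1)[0]
    return None


def security_by_severity(rows):
    """Map severity -> set of package NEVRAs with a pending security fix."""
    out = defaultdict(set)
    for _id, kind, pkg in rows:
        sev = severity(kind)
        if sev:
            out[sev].add(pkg)
    return dict(out)


def correlate(errata_rows, cve_rows):
    """Map CVE id -> set of errata ids, joined on the package NEVRA; this is
    the pairing that 'yum updateinfo list --cve <CVE>' prints for one CVE."""
    errata_for_pkg = defaultdict(set)
    for eid, _kind, pkg in errata_rows:
        errata_for_pkg[pkg].add(eid)
    out = defaultdict(set)
    for cve, _kind, pkg in cve_rows:
        out[cve] |= errata_for_pkg.get(pkg, set())
    return dict(out)


def pending_at_least(rows, min_severity):
    """Sorted package NEVRAs whose pending security fix is at least
    min_severity; candidates for 'yum update' (or 'yum update --security')."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({pkg for _id, kind, pkg in rows
                   if severity(kind) and SEVERITY_RANK[severity(kind)] >= floor})


if __name__ == '__main__':
    rows = parse_updateinfo(SAMPLE_LIST)
    print(security_by_severity(rows))
    print(correlate(rows, parse_updateinfo(SAMPLE_CVES)))
    print(pending_at_least(rows, 'Important'))   # ['firefox-31.5.0-2.0.1.el7_0.x86_64']
```

The join key is the package NEVRA because it is the only field the two listings share; an errata that fixes several CVEs therefore appears under each of them, which is what you want when tracking a single CVE to closure.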

2. View the Oracle Database preinstallation packages (oracle-rdbms).

a. Use the yum command to list the Oracle Database preinstallation packages (oracle-rdbms) that are available for installation.

You can use the lsa alias instead of list available.

# yum list available | grep oracle-rdbms
oracle-rdbms-server-11gR2-preinstall.x86_64 ...
oracle-rdbms-server-12cR1-preinstall.x86_64 ...

b. View more information for the Oracle Database preinstallation packages.

In this example, there are two releases of this package. You select to download the latest release of the package, which, in this example, is oracle-rdbms-server-12cR1-preinstall.

Be careful when using wildcards with the yum command. They are very useful to list packages, but you can get unexpected results when using wildcards to install or remove packages. Quote the pattern (for example 'oracle-rdbms*') so that the shell does not expand it against file names in the current directory before yum sees it.

# yum info oracle-rdbms*
Loaded plugins: aliases, langpacks
Available Packages
Name        : oracle-rdbms-server-11gR2-preinstall
Arch        : x86_64
Version     : 1.0
Release     : 3.el7
Size        : 18 k
Repo        : ol7_latest/x86_64
Summary     : Sets the system for Oracle single instance and ...
License     : GPLv2
Description : This package installs software packages and ...

Name        : oracle-rdbms-server-12cR1-preinstall
Arch        : x86_64
Version     : 1.0
Release     : 3.el7
Size        : 17 k
Repo        : ol7_latest/x86_64
Summary     : Sets the system for Oracle single instance and ...
License     : GPLv2
Description : This package installs software packages and ...

c. Check the dependencies for the target package by using the repoquery command.

The repoquery utility is part of the yum-utils package and is useful for querying information from Yum repositories.

The --requires option lists package dependencies.

If a dependency package is missing, it is downloaded along with the oracle-rdbms-server-12cR1-preinstall package in the next step.

# repoquery --requires oracle-rdbms-server-12cR1-preinstall
/bin/bash
/bin/sh
/etc/redhat-release
bind-utils
...
xorg-x11-utils
xorg-x11-xauth

d. Use the --downloadonly option to download the oracle-rdbms-server-12cR1-preinstall package and any missing dependent packages.

In this example, six packages are downloaded in addition to the oracle-rdbms-server-12cR1-preinstall-1.0-3.el7.x86_64.rpm package.

# yum install oracle-rdbms-server-12cR1-preinstall --downloadonly
Loaded plugins: aliases, langpacks
...
Transaction Summary
==============================================================
Install 1 Package (+6 Dependent packages)
Total download size: 9.8 M
Installed size: 29 M
Background downloading packages, then exiting:
(1/7): compat-libcap1-1.10-7.x86_64.rpm ...
...
exiting because Download Only specified

e. Verify that the package and its dependency packages are downloaded by examining the content of the /var/cache/yum/x86_64/7Server/ol7_latest/packages directory.

You can also specify an alternative directory for the downloaded packages with --downloaddir=<directory path>.

If the package that you want to download is already installed, it is not downloaded and its dependencies are not downloaded. In the next step, you use a different technique to download a package if the package is already installed on your system.

# cd /var/cache/yum/x86_64/7Server/ol7_latest/packages
# ls
compat-libcap1-1.10-7.x86_64.rpm
...
oracle-rdbms-server-12cR1-preinstall-1.0-3.el7.x86_64.rpm

3. Using the Yum utilities.

In this task, you examine the Yum utilities available and use the yumdownloader
utility to download a package.
a. Use the rpm -ql command to examine the files that make up the yum-utils
package.
Note that yumdownloader and repoquery are included in the yum-utils
package.
# rpm -ql yum-utils
...
/usr/bin/repoquery
...
/usr/bin/yumdownloader
...

b. Use the --downloadonly option to attempt to download the xorg-x11-server-Xorg program.

The package is not downloaded because it is already installed.

# yum install xorg-x11-server-Xorg --downloadonly
Loaded plugins: aliases, langpacks
Package xorg-x11-server-Xorg-1.15.0-33.el7_1.x86_64 already installed and latest version
Nothing to do

c. Use the yumdownloader command to download the xorg-x11-server-Xorg package.

The command downloads the package in the current directory.

The command does not download the dependencies for the xorg-x11-server-Xorg program, and it does not verify the package signature; run rpm -K on the downloaded file before installing it.

# yumdownloader xorg-x11-server-Xorg
Loaded plugins: aliases, langpacks
xorg-x11-server-Xorg-1.15.0-33.el7_1.x86_64.rpm ...

d. Use the yum deplist command to display the dependencies for the xorg-x11-server-Xorg program.

If you download a package by using the yumdownloader utility, you have to determine the dependencies manually. You can use the rpm command to let you know which packages are missing and install those packages.

A dependency package is different from a dependent package. When you use the yum deplist <package name> command, you list the packages that the <package name> package needs to operate.

A dependent package is a package that needs the <package name> package to operate. Knowing whether a package has dependents is important when trying to remove it. By default, the rpm command refuses to remove a package that other packages need, and the yum remove command adds the dependent packages to the removal transaction and asks you to confirm, so read that list before answering y. To find out which packages depend on a package, use the repoquery --whatrequires <package name> command.

# yum deplist xorg-x11-server-Xorg
Loaded plugins: aliases, langpacks
Finding dependencies:
package: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
  dependency: config(xorg-x11-server-Xorg) = 1.15.0-33.el7_1
   provider: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
  dependency: libGL.so.1()(64bit)
   provider: mesa-libGL.x86_64 10.2.7-5.20140910.el7
...

e. Use the repoquery --whatrequires command for the xorg-x11-server-Xorg program to find out which packages depend on xorg-x11-server-Xorg.

This command takes a few seconds to run.

Compare this list with the list obtained with the yum deplist command in step 3d.

# repoquery --whatrequires xorg-x11-server-Xorg
xorg-x11-drv-ati-0:7.2.0-9.20140113git3213df1.el7.x86_64
xorg-x11-drv-ati-0:7.4.0-1.20140918git56c7fb8.el7.x86_64
xorg-x11-drv-dummy-0:0.3.6-15.el7.x86_64
...
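The difference between a dependency and a dependent package described in step 3d is easiest to see as two directions over the same graph. As an added example, not code from the Oracle guide, the script below builds the graph from yum deplist style output (a constructed sample; package names follow the guide, versions and edges are illustrative) and computes both the transitive dependencies of a package and its transitive dependents, which is the set that yum remove would take along and that rpm -e refuses to break.

```python
# Added example, not from the Oracle guide: build a dependency graph from
# "yum deplist" style output (the format shown in step 3d) and answer both
# questions from the text: what a package needs (dependencies, transitively)
# and what needs it (dependents, which is what "repoquery --whatrequires"
# lists and what "yum remove" would pull out with it). SAMPLE is constructed;
# package names follow the guide, versions and edges are illustrative.
from collections import defaultdict, deque

SAMPLE = """\
Loaded plugins: aliases, langpacks
Finding dependencies:
package: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
  dependency: config(xorg-x11-server-Xorg) = 1.15.0-33.el7_1
   provider: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
  dependency: libGL.so.1()(64bit)
   provider: mesa-libGL.x86_64 10.2.7-5.20140910.el7
package: mesa-libGL.x86_64 10.2.7-5.20140910.el7
  dependency: libglapi.so.0()(64bit)
   provider: mesa-libglapi.x86_64 10.2.7-5.20140910.el7
package: xorg-x11-drv-ati.x86_64 7.4.0-1.20140918git56c7fb8.el7
  dependency: xorg-x11-server-Xorg
   provider: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
package: xorg-x11-drv-dummy.x86_64 0.3.6-15.el7
  dependency: xorg-x11-server-Xorg
   provider: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
"""


def pkg_name(field):
    """'mesa-libGL.x86_64 10.2.7-5...' -> 'mesa-libGL' (drop version and arch)."""
    return field.split()[0].rsplit('.', 1)[0]


def parse_deplist(text):
    """Return {package: set(provider packages)}; capabilities a package
    provides for itself, such as config(...), add no edge and are dropped."""
    requires = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('package:'):
            current = pkg_name(line[len('package:'):])
            requires.setdefault(current, set())
        elif line.startswith('provider:') and current is not None:
            prov = pkg_name(line[len('provider:'):])
            if prov != current:
                requires[current].add(prov)
    return dict(requires)


def reverse(graph):
    """Invert the edges: {provider: set(packages that require it)}."""
    rev = defaultdict(set)
    for pkg, provs in graph.items():
        for p in provs:
            rev[p].add(pkg)
    return dict(rev)


def closure(graph, start):
    """Every node reachable from start (excluding start), breadth-first."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def requires_closure(graph, pkg):
    """What 'yum install pkg' would pull in: the transitive dependencies."""
    return closure(graph, pkg)


def removal_impact(graph, pkg):
    """What 'yum remove pkg' would remove as well: the transitive dependents.
    rpm -e refuses the removal outright when this set is not empty."""
    return closure(reverse(graph), pkg)


if __name__ == '__main__':
    g = parse_deplist(SAMPLE)
    print(sorted(requires_closure(g, 'xorg-x11-server-Xorg')))   # ['mesa-libGL', 'mesa-libglapi']
    print(sorted(removal_impact(g, 'mesa-libglapi')))
```

Running removal_impact on a low-level library such as mesa-libglapi shows why the text warns about dependents: everything up to the X drivers sits in its reverse closure, so a yum remove of that one package would propose removing the X server with it.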

Practice 8-4: Creating an RPM Package

Overview
In this practice, you prepare to build an RPM package. The steps for this preparation are:
Create a nonprivileged user to perform the build.
Check for the required packages to perform the build and install them if necessary.
Create the directory infrastructure for the build.
Create the program for the package.
Create the compressed TAR file and store it in the appropriate build directory.
Create the spec file.
After performing the steps to prepare for the RPM package build, you perform the build by using the rpmbuild command.
In the last task, you install the new RPM package as root to verify that the program gets installed as you expected.

Assumptions
You are the root user on host04.

Tasks
1. Verify the presence of the required rpmdevtools package and install it if it is not installed.

a. Run the rpm command to search for the rpmdevtools package.

In this example, the rpmdevtools package is not installed.

# rpm -qa | grep rpmdevtools

b. If necessary, use the yum command to install the rpmdevtools package.

The rpm-build package is a dependency for the rpmdevtools package and is installed at the same time as rpmdevtools. The rpm-build package contains the rpmbuild command, which you use to build the RPM package in this practice.

The rpmdevtools package contains several commands that are useful when creating RPM packages, including the following two commands that you use later in this practice:

rpmdev-setuptree: Creates the build directory structure

rpmdev-newspec: Creates a skeleton spec file

Answer y to "Is this ok".

# yum install rpmdevtools
...
Transaction Summary
==============================================================
Install 1 Package (+6 Dependent packages)
Total download size: 541 k
Installed size: 1.1 M
Is this ok [y/d/N]: y
...
Complete!
2. Create a nonprivileged user rpmbuilder to perform the build.

a. Use the useradd command to add the rpmbuilder user.

# useradd -d /home/rpmbuilder -m rpmbuilder

b. Use the ls -ld command to view the home directory for the rpmbuilder user.

# ls -ld /home/rpmbuilder
drwx------. 3 rpmbuilder rpmbuilder ... /home/rpmbuilder

c. Use the passwd command to create a password of oracle for the rpmbuilder user.

Ignore the BAD PASSWORD warning in this lab environment.

# passwd rpmbuilder
Changing password for user rpmbuilder.
New password: oracle
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: oracle
passwd: all authentication tokens updated successfully.

3. Create the directory infrastructure for the RPM build.

a. Use the su - command to become the rpmbuilder user.

Use the whoami command to confirm you are the rpmbuilder user.

# su - rpmbuilder
$ whoami
rpmbuilder

b. Use the ls -la command to list the contents of the rpmbuilder user's home directory.

$ ls -la
...
-rw-r--r--. ... .bash_logout
-rw-r--r--. ... .bash_profile
-rw-r--r--. ... .bashrc
drwxrwxr-x. ... .cache
drwxrwxr-x. ... .config
drwxr-xr-x. ... .mozilla

c. Run the rpmdev-setuptree command, and then use the ls -la command to verify the presence of new entries in the home directory.

Note the new rpmbuild directory and the new .rpmmacros file.

$ rpmdev-setuptree
$ ls -la
...
-rw-r--r--. ... .bash_logout
-rw-r--r--. ... .bash_profile
-rw-r--r--. ... .bashrc
drwxrwxr-x. ... .cache
drwxrwxr-x. ... .config
drwxr-xr-x. ... .mozilla
drwxrwxr-x. ... rpmbuild
-rw-rw-r--. ... .rpmmacros

d. Use the ls -lR command to view the directory structure in the new rpmbuild directory.

$ ls -lR rpmbuild
...
drwxrwxr-x. ... BUILD
drwxrwxr-x. ... RPMS
drwxrwxr-x. ... SOURCES
drwxrwxr-x. ... SPECS
drwxrwxr-x. ... SRPMS
...

4. Create the program that is going to be part of the RPM package.

a. Use the cd command to change to the rpmbuild directory.

$ cd rpmbuild

b. Use the vi editor to create the following hello.c file.

$ vi hello.c
#include <stdio.h>

int main(void)
{
    printf("Hello World!\n");
    return 0;
}

c. Use the gcc command to compile the program.

Name the output file hello.

$ gcc hello.c -o hello

d. Run the hello program.

$ ./hello
Hello World!

5. Create the compressed TAR file with the build directory structure and the compiled program, and store it in the rpmbuild/SOURCES directory.

The build directory name must reflect the correct name and version for the package that you are building.

a. Use the pwd command to ensure you are in the /home/rpmbuilder/rpmbuild directory.

From this directory, use the mkdir command to create the hello-1.0 directory.

Use the mv command to move the hello program to the new directory.

$ pwd
/home/rpmbuilder/rpmbuild
$ mkdir hello-1.0
$ mv hello hello-1.0/

b. Use the tar command to create a compressed TAR file of the hello-1.0 directory structure and store the resulting .tar.gz file in the rpmbuild/SOURCES directory.

$ tar cvzf SOURCES/hello-1.0.tar.gz hello-1.0/
hello-1.0/
hello-1.0/hello

c. Use the ls command to verify that the new .tar.gz file is in the SOURCES directory.

$ ls SOURCES
hello-1.0.tar.gz

6. Create and populate the spec file.

a. From the rpmbuild directory, use rpmdev-newspec to create a skeleton spec file.

$ rpmdev-newspec SPECS/hello.spec
SPECS/hello.spec created; type minimal, rpm version >= 4.11.

b. Use the cat command to view the contents of the new spec file.

$ cat SPECS/hello.spec
Name:           hello
Version:
Release:        1%{?dist}
Summary:
...
%changelog

c. Use the cd command to change to the SPECS directory.

$ cd SPECS

d. Use the vi editor to edit the hello.spec file and populate the header section by making the following changes:

Note: A preconfigured hello.spec file exists on dom0 (192.0.2.1) in the /OVS/seed_pool/sfws directory.

You can edit the hello.spec file as follows by using the vi command, or you can use the sftp root@192.0.2.1 command and copy /OVS/seed_pool/sfws/hello.spec from dom0 to /home/rpmbuilder/rpmbuild/SPECS/hello.spec on host04.

If you use this hello.spec file on dom0, you do not need to edit the file as instructed in the following steps. You can go immediately to step 6j.

Leave hello as the Name tag.

Specify 1.0 for the Version tag.

Leave the Release information as is.

Specify Test for the hello program for the Summary tag.
Specify GPL for the License tag.

Comment out the URL tag by inserting # at the beginning of the line.

Specify hello-1.0.tar.gz for the Source0 tag.

Comment out the BuildRequires and Requires tags.

Add this line: A program that displays Hello World as a new line following the %description directive.

After making the changes, the header section looks like this:

Name:           hello
Version:        1.0
Release:        1%{?dist}
Summary:        Test for the hello program

License:        GPL
#URL:
Source0:        hello-1.0.tar.gz

#BuildRequires:
#Requires:

%description
A program that displays Hello World

e. Leave the %prep section as is.

The %prep macro is a section where you get the files ready for the build section. This might involve patching some files. The %setup macro in this section unpacks the source files in the SOURCES directory into the BUILD directory. The -q option indicates a quiet action.

In this example, the only necessary step for this section is the unpacking step.
f. Use the vi editor to remove the entries in the %build section but leave the %build macro.

%build
%configure              (delete this line)
make %{?_smp_mflags}    (delete this line)

Generally, this section contains the steps to build the software. A command such as the make command is allowed. In this example, the software is already built.

g. Use the vi editor to make the following changes to the %install section of the hello.spec file:

Leave the rm -rf $RPM_BUILD_ROOT line as is. This line cleans the BUILDROOT directory before performing the build.

Comment out the %make_install line. The next line creates the required directory.

Add a line to create the build directory structure in the BUILDROOT directory by using the install -d command. This line is followed by an install command that copies the built program into its build directory.

After making the changes, the %install section looks like this:

%install
rm -rf $RPM_BUILD_ROOT
#%make_install
install -d $RPM_BUILD_ROOT/usr/local/bin
install hello $RPM_BUILD_ROOT/usr/local/bin/hello
As seen in this example, this section installs the software, which means that the
necessary directories are created and the package files are copied to their
respective directory.
h. Use the vi editor to make the following changes to the %files section:

Change the %doc line to /usr/local/bin/hello.

After making the changes, the %files section looks like this:

%files
/usr/local/bin/hello
In the %files section, you list the files and their location for the binary RPM
package. This section can also trigger the creation of directories.
i. Leave the %changelog section unchanged. Save the file and exit vi.

j. Use the cat command to view the hello.spec file. Ensure that the contents of the hello.spec file match the following.

Edit the file again if necessary to ensure the contents of hello.spec looks like this:

$ cat hello.spec
Name:           hello
Version:        1.0
Release:        1%{?dist}
Summary:        Test for the hello program

License:        GPL
#URL:
Source0:        hello-1.0.tar.gz

#BuildRequires:
#Requires:

%description
A program that displays Hello World

%prep
%setup -q

%build

%install
rm -rf $RPM_BUILD_ROOT
#%make_install
install -d $RPM_BUILD_ROOT/usr/local/bin
install hello $RPM_BUILD_ROOT/usr/local/bin/hello

%files
/usr/local/bin/hello

%changelog
7.

a
s
a
h
)
o
c ide
$ cd /home/rpmbuilder/rpmbuild

u
dand spec
ufile
e

b. Run the rpmbuild command, specifying the following options


G
r
t
parameter: rpmbuild -bb -v SPECS/hello.spec
lita den
i
m
u package.
tbinary
ni only the
The -bb option indicates that you want tou
build
S
o@ e this
The -v option requests verbose information.
s
r
co ospecifies
us the location of the spec file for this

The SPECS/hello.specnparameter
t
a
RPM binary build. (ju
se
n
s
e
The four major
iasectionslicduring the build process, %prep, %build, %install, and
rshown
a
%clean,
are
o ablein bold format in this example.
s
r
r
If
you seefaewarning:
Could not canonicalize hostname: message, this
co
s
n
This is a DNS resolution error and can be fixed by adding the host
abentoignored.
jua can
r
t
name
/etc/hosts.
no$nrpmbuild -bb -v SPECS/hello.spec
Perform the build of the binary RPM package.
a. Use the cd command to change to the /home/rpmbuilder/rpmbuild directory.

Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp...


+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp...
+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp...
+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...

Wrote: /home/rpmbuilder/rpmbuild/RPMS/x86_64/hello-debuginfo...
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp...
+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...
+ exit 0
c. View the new RPM package in the RPMS directory.
The package appears with the version and release specified in the hello.spec
file.
Note that a hello-debuginfo file is also created.
$ cd RPMS
$ ls
x86_64
$ cd x86_64
$ ls
hello-1.0-1.el7.x86_64.rpm
hello-debuginfo-1.0-1.el7.x86_64.rpm

8. Install the newly built package.
a. Use the exit command to log off as the rpmbuilder user.
Use the whoami command to verify you are the root user.
$ exit
logout
# whoami
root
b. Use the cd command to change to the directory where the new package resides.
# cd /home/rpmbuilder/rpmbuild/RPMS/x86_64
# ls
hello-1.0-1.el7.x86_64.rpm
hello-debuginfo-1.0-1.el7.x86_64.rpm
c. Use the rpm command to install the hello package:
# rpm -ivh hello-1.0-1.el7.x86_64.rpm
Preparing...                          ############################ [100%]
Updating / installing...
   1:hello-1.0-1.el7                  ############################ [100%]
d. Run the which hello command to display the path of the command.
# which hello
/usr/local/bin/hello
e. Run the hello program.
# hello
Hello World!
f. Use the ls -l command to display the file and its permissions in its target directory.
# ls -l /usr/local/bin
total 8
-rwxr-xr-x. 1 root root ... hello
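Once a package is installed, the RPM database records the size, digest, mode, owner, and mtime of every file it delivered, and rpm -V compares the files on disk against that record. The following POSIX shell is an added example, not part of the Oracle course: it reads rpm -V output and reports which installed files have changed content or permissions, so that an unexpected modification of a packaged binary such as /usr/local/bin/hello stands out. The sample output is constructed (the hello package built above ships no config file; the /etc/hello.conf line is hypothetical and only illustrates the config-file marker).

```shell
# Added example (not part of the Oracle course): read the output of
# "rpm -V <package>" and report installed files whose content no longer
# matches what the RPM database recorded at install time.
#
# rpm -V prints one line per file that fails a check. The flag string at the
# start of the line says which attribute differs from the RPM database:
#   S size  M mode  5 digest  D device  L readlink  U user  G group
#   T mtime  P capabilities   '.' test passed   '?' test could not run
# An optional marker such as "c" (config file) may follow the flags.

# Constructed sample, not captured from the course VM: what "rpm -V hello"
# could print if /usr/local/bin/hello had been overwritten after
# "rpm -ivh hello-1.0-1.el7.x86_64.rpm". The config file line is hypothetical;
# the course's hello package ships no config file.
SAMPLE_VERIFY='S.5....T.    /usr/local/bin/hello
.M.......    /usr/local/bin
S.5....T.  c /etc/hello.conf'

# Print files whose size (S) or digest (5) changed, skipping config files,
# which are expected to be edited locally after installation.
changed_payload_files() {
    printf '%s\n' "$1" | while read -r flags rest; do
        case "$flags" in
            *S*|*5*) ;;
            *) continue ;;
        esac
        case "$rest" in
            "c "*) continue ;;          # config file marker
        esac
        printf '%s\n' "${rest##* }"     # last field is the path (no spaces assumed)
    done
}

# Print files whose permission bits (M) changed, whatever their type.
mode_changed_files() {
    printf '%s\n' "$1" | while read -r flags rest; do
        case "$flags" in
            *M*) printf '%s\n' "${rest##* }" ;;
        esac
    done
}

# On a real host (package "hello" installed, run as root):
#   changed_payload_files "$(rpm -V hello)"
#   rpm -qf /usr/local/bin/hello     # which package owns the file
```

A clean package prints nothing from rpm -V, so both functions return an empty list; rpm -qf confirms that a path is tracked by a package at all, which is the first thing to check when a file in /usr/local/bin is not the one you expect.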


Practice 8-5: Managing Software Updates with PackageKit


Overview
PackageKit is a software program that provides graphical tools to install software and software
updates on your Linux systems. PackageKit is available for several Linux distributions.
In this practice you use the Software Update program that is part of PackageKit to manage
software updates on your Oracle Linux system.
You also change the frequency at which the Software Update program checks for updates.
PackageKit also includes the Software graphical tool to install and remove packages, but this
program is not used in this practice.

Assumptions

You are the root user on host04.
Ensure that you logged in to host04 using vncviewer and not ssh.
When using the PackageKit Software Update program, the proxy set through an
environment variable does not work. You need to set the proxy directly in the Yum
configuration file.

Tasks
1. As the root user on host04, use the vi editor to edit the /etc/yum.conf file and add
the following proxy line following the installonly_limit=3 line.
# vi /etc/yum.conf
[main]
...
installonly_limit=3
proxy=http://ges-proxy.us.oracle.com:80
2. Launch Software Update.
a. In the GNOME task bar, select Application > System Tools > Software Update.

The Software Update window appears.
Checking for updates might take several minutes to complete.
Continue with step 2b while waiting for the update to complete.

b. While the list of changes is being created, open a terminal window on the desktop, and
examine the process that is running to obtain the lists of updates, called changes in the
Software Update program.
The yumBackend.py get-updates is the PackageKit program that checks for
updates.
$ ps -ef | grep yum
root ... /usr/bin/python
/usr/share/PackageKit/helpers/yum/yumBackend.py get-updates
newest
...

3. View the update(s) flagged by the Software Update program.
If the Software Update program fails with an error message, use the yum clean all
command to clean all cached information and then use the yum repolist command
to initialize the metadata. For example:
# yum clean all
...
# yum repolist
...

a. Return to the Software Update program. In this example, the program has found 79
updates.
This is sample output. Your environment might be different because updates have
been added since this example was captured.
Do not click the Install Updates button because it takes too long to install all of
the updates.

b. Scroll down through the list of updates.
Note that there are Security updates, Bug fix updates, and Other updates.
c. Click Quit to exit the Software Update program.


4. Change the frequency at which the Software Update program checks for updates.
a. From a terminal window as the root user, run the gpk-prefs command to view the
Software Update Preferences GUI.
# gpk-prefs
The Software Update Preferences window appears.

b. Select the Check for updates: drop-down menu.
The choices are Hourly, Daily, Weekly, and Never as shown.

c. From the drop-down list, select Hourly.
Many Linux administrators prefer to manage software installation and updates by
using the Yum commands directly, rather than use the graphical interfaces offered
by the PackageKit programs.
You can select Never from the drop-down list to disable the Software Updates
applet that checks for software updates.
d. Select the Software Sources tab.
From this window, you can enable additional Public Yum repositories.

e. Click Close to close the Software Update Preferences window.


Practice 8-6: Working with Yum History and Yum Cache


Overview
In this practice, you become familiar with:
The history of transactions kept by Yum
The history contains information about Yum transactions, such as date and time of
occurrence, whether the transactions were successful, and the number of packages
affected in the RPM database. You can use the history kept by Yum to undo a given
transaction or to redo a transaction.
Cache information kept by Yum
Yum caches a variety of information to allow faster operations and, in some cases, to
allow you to perform package management without a network connection. Information
cached by Yum operations includes packages, header information for packages, and
metadata for enabled repositories.

Assumptions
You are the root user on host04.

Tasks
1. Display Yum history information.
a. As the root user on host04, use the yum history command to list transactions.
The following is sample output.
Ignore the Warning: RPMDB altered outside of yum message. This message is
caused by using rpm commands and can be ignored. See the following for more
information: http://illiterat.livejournal.com/7834.html.
# yum history
Loaded plugins: aliases, langpacks
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     6 | Oracle Student <oracle>  | <date_time>      | Install        |    7
     5 | Oracle Student <oracle>  | <date_time>      | Update         |    2
     4 | Oracle Student <oracle>  | <date_time>      | Install        |    1
     3 | Oracle Student <oracle>  | <date_time>      | Erase          |    1
     2 | Oracle Student <oracle>  | <date_time>      | Install        |    1
     1 | System <unset>           | <date_time>      | Install        | 1214
Warning: RPMDB altered outside of yum.
history list
b. Select the most recent transaction ID and display detailed information for that
transaction.
In this example, the most recent transaction ID is 6.
# yum history info 6
Loaded plugins: aliases, langpacks
ID     | Command line             | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     6 | install rpmdevtools      | <date_time>      | Install        |    7
history list

2. Install the changelog Yum plug-in and uninstall it by using information in the Yum history.
You install this plug-in package and you uninstall it in this task.
a. Install the yum-plugin-changelog package by using the yum install command.
Answer y to Is this ok.
# yum install yum-plugin-changelog
...
Transaction Summary
==============================================================
Install 1 Package (+1 Dependent package)
Total download size: 114 k
Installed size: 384 k
Is this ok [y/d/N]: y
...
Complete!
b. List the Yum history to display the latest transaction.
The most recent transaction reflects the action taken when installing the
yum-plugin-changelog package. Two packages were installed as part of that
transaction.
# yum history list
Loaded plugins: aliases, changelog, langpacks
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     7 | Oracle Student <oracle>  ...             | Install        |    2
...
history list
c. Undo the most recent transaction by using the yum history undo <ID number>
command.
Replace <ID number> with the ID number obtained from your previous history
listing.
Answer y to Is this ok.
# yum history undo 7
...
Transaction Summary
==============================================================
Remove 2 Packages
Installed size: 384 k
Is this ok [y/N]: y
...
Complete!
d. List the history again to examine the latest transaction information.
The packages installed by installing the yum-presto package are uninstalled when
you use the yum history undo command.
# yum history list
Loaded plugins: aliases, changelog, langpacks
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     8 | Oracle Student <oracle>  ...             | Erase          |    2
     7 | Oracle Student <oracle>  ...             | Install        |    2
...
history list
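The Yum history is also an audit trail: each row records who ran a transaction, what it did, and how many packages it touched, and the RPMDB altered outside of yum warning tells you that rpm was used directly, bypassing that trail. The POSIX shell below is an added example, not part of the Oracle course: it parses yum history list output of the form shown above and extracts the package-removal transactions and the out-of-band warning, which is the kind of check an administrator who manages packages with Yum commands directly can run from a script. The sample text is constructed to match the table layout in this practice, with dates left as <date_time> as on the page.

```shell
# Added example (not part of the Oracle course): pull review-worthy facts out
# of "yum history list" output. The sample is constructed to mirror the table
# in this practice (dates kept as <date_time>, as on the page).
SAMPLE_HISTORY='Loaded plugins: aliases, changelog, langpacks
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     8 | Oracle Student <oracle>  | <date_time>      | Erase          |    2
     7 | Oracle Student <oracle>  | <date_time>      | Install        |    2
     6 | Oracle Student <oracle>  | <date_time>      | Install        |    7
     1 | System <unset>           | <date_time>      | Install        | 1214
Warning: RPMDB altered outside of yum.
history list'

# Strip leading and trailing blanks from a single string.
trim() {
    set -- "$1"
    while [ "${1# }" != "$1" ]; do set -- "${1# }"; done
    while [ "${1% }" != "$1" ]; do set -- "${1% }"; done
    printf '%s' "$1"
}

# Print "<id> <login user>" for every transaction that removed packages.
# Header, separator, plugin and warning lines carry no numeric ID and are skipped.
erase_transactions() {
    printf '%s\n' "$1" | while IFS='|' read -r id user date action altered; do
        id=$(trim "$id")
        case "$id" in
            ''|*[!0-9]*) continue ;;
        esac
        case "$action" in
            *Erase*) printf '%s %s\n' "$id" "$(trim "$user")" ;;
        esac
    done
}

# Succeed (exit 0) when yum reports that the RPM database changed behind its
# back, i.e. rpm -i / rpm -e were run directly and left no Yum history entry.
rpmdb_altered_outside_yum() {
    printf '%s\n' "$1" | grep -q 'RPMDB altered outside of yum'
}

# On a real host (run as root), the full history rather than the last page:
#   erase_transactions "$(yum history list all)"
#   rpmdb_altered_outside_yum "$(yum history list)" && echo "check rpm usage"
```

The warning alone does not say what was changed; yum history info <ID> on the transactions around it, and the rpm -qa listing, are where to look next.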

3. Examine Yum cache information.
a. Use the cd command to change to the /var/cache/yum directory.
# cd /var/cache/yum
b. Access each subdirectory until you reach the 7Server directory. Use the ls -l
command to display the contents of this directory.
In the /var/cache/yum/x86_64/7Server directory, there is a subdirectory for
each enabled repository.
# ls
x86_64
# cd x86_64/
# ls
7Server
# cd 7Server/
# ls -l
drwxr-xr-x. ... ol7_latest
drwxr-xr-x. ... ol7_UEKR3
-rw-r--r--. ... timedhosts
c. Use the cd command to change to the ol7_latest directory. Use the ls -l
command to display the contents of the directory.
This directory contains the metadata for the
http://public-yum.oracle.com/repo/OracleLinux/OL7/latest/ repository.
The metadata for this repository consists of several compressed XML files that were
downloaded from the Oracle Public Yum site.
The gen directory contains the uncompressed updateinfo.xml.gz file.

The packages directory contains cached packages when caching is enabled in the
/etc/yum.conf file or if you have used the --downloadonly flag when using
the yum install command.
# cd ol7_latest
# ls -l
-rw-r--r--. ... cachecookie
-rw-r--r--. ... comps.xml
-rw-r--r--. ... filelists.xml.gz
drwxr-xr-x. ... gen
-rw-r--r--. ... other.xml.gz
drwxr-xr-x. ... packages
-rw-r--r--. ... primary.xml.gz
-rw-r--r--. ... repomd.xml
-rw-r--r--. ... updateinfo.xml.gz
d. Use the ls -l command to list the contents of the packages directory.
In your environment, package caching is disabled but the packages that you
downloaded are still present because you have not installed these packages.
Packages are deleted after they are installed when package caching is disabled.
# ls -l packages
-rw-r--r--. ... compat-libcap1-1.10-7.el7_1.x86_64.rpm
...
4. Clean the Yum cache.
a. Use the yum clean packages command to clean the packages in the Yum cache.
# yum clean packages
Loaded plugins: aliases, changelog, langpacks
Cleaning repos: ol7_UEKR3 ol7_latest
... package files removed
b. Use the ls command to list the contents of the packages directory.
The packages are no longer present.
# ls packages
c. Use the ls -l command to list the contents of the gen directory.
This directory contains the uncompressed data from updateinfo.xml.gz.
# ls -l gen
-rw-r--r--. ... filelists.xml
-rw-r--r--. ... filelists.xml.sqlite
-rw-r--r--. ... other.xml
-rw-r--r--. ... other.xml.sqlite
-rw-r--r--. ... primary.xml
-rw-r--r--. ... primary.xml.sqlite
-rw-r--r--. ... updateinfo.xml

d. Use the yum clean metadata command to clean the metadata in the Yum cache.
The number of files removed might differ in your environment.
# yum clean metadata
Loaded plugins: aliases, changelog, langpacks
Cleaning repos: ol7_UEKR3 ol7_latest
19 metadata files removed
5 sqlite files removed
0 metadata files removed

e. Use the ls -l command to list the contents of the current directory,
/var/cache/yum/x86_64/7Server/ol7_latest, and the gen subdirectory, and
note the effect of the yum clean metadata command.
The directories are empty.
The metadata files are gone not only in this directory but in each directory
corresponding to an enabled Oracle Public Yum repository.
There are other variations of the yum clean command. Consult the yum man page
for more information about cleaning the Yum cache.
You can also use the yum clean all command to clean all cached information.
If you experience problems accessing packages and package information from the
Oracle Public Yum or from the Oracle Unbreakable Linux Network (ULN) site, it is
often helpful to issue the yum clean metadata command. This forces yum to
download the latest metadata the next time it is invoked.
# ls -l
drwxr-xr-x. ... gen
drwxr-xr-x. ... packages
# ls -l gen
total 0
5. Shut down host04 and start host03.
a. Use the systemctl poweroff command to shut down host04.
Your VNC window closes.
# systemctl poweroff
b. From a terminal window on dom0, use the cd command to change to the
/OVS/running_pool/host03 directory.
# cd /OVS/running_pool/host03
c. Run the xm create vm.cfg command to start the host03 VM.
# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host03 (id=...)

d. Run the xm list command to list the running VMs.
Only the host01, host02, and host03 VMs are running.
# xm list
Name                ID   Mem VCPUs      State   Time(s)
Domain-0             0  2048     2     r-----     758.9
host01               4  1536     1     -b----      37.4
host02               5  1536     1     -b----      37.3
host03              15  1536     1     -b----      37.3

Practices for Lesson 9: Advanced Storage Administration
Chapter 9


Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 1

Practices for Lesson 9: Overview

Practices Overview
In these practices, you:
Create and mount a file system on /dev/xvdb
Set access control lists (ACLs) on a file system
Set quotas on a directory
Encrypt a file system
Use the kpartx utility
Explore and configure Udev


Practice 9-1: Creating and Mounting a File System


Overview
In this practice, you:
Create a partition on a storage device
Create an ext4 file system on the partition

Mount the file system on /Dev

Update the file system mount table

Assumptions

You are the root user on dom0.

Tasks
1. Connect to host03 by using vncviewer.
a. If necessary, refer to Practice 3-1: Configuring an OpenLDAP Server for instructions on
connecting with vncviewer.
b. Open a terminal window and become the root user on host03.
2. Partition a storage device using fdisk.
a. As the root user on host03, use the fdisk command to display the partition table.

This lists the following three storage devices:
/dev/xvda, approximately 12 GB in size
/dev/xvdb, approximately 10 GB in size
/dev/xvdd, approximately 10 GB in size
The operating system is installed on the /dev/xvda device.
The /dev/xvdb and /dev/xvdd devices are unused.
# fdisk -l | grep /dev
Disk /dev/xvda: 12.9 GB, 12884901888 bytes, 25165824 sectors
/dev/xvda1   *        2048     1026047      512000   83  Linux
/dev/xvda2         1026048    25165823    12069888   8e  Linux LVM
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/xvdd: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/mapper/ol-root: 11.0 GB, 11022630912 bytes, ...
Disk /dev/mapper/ol-swap: 1287 MB, 1287651328 bytes, ...
b. Use the fdisk command to partition /dev/xvdb.
# fdisk /dev/xvdb
...
Command (m for help):

c. Create a 1 GB primary partition as follows.
Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): ENTER
Using default response p
Partition number (1-4, default 1): ENTER
First sector (2048-20971519, default 2048): ENTER
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default
20971519): +1G
Partition of type Linux and of size 1 GiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
d. Use the fdisk command to list the partition table on /dev/xvdb.
# fdisk -l /dev/xvdb
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
...
   Device Boot      Start         End      Blocks   Id  System
/dev/xvdb1          2048     2099199     1048576   83  Linux
3. Create a file system on /dev/xvdb1.
Use the mkfs command to make an ext4 file system on /dev/xvdb1.
# mkfs -t ext4 /dev/xvdb1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
...
Writing superblocks and filesystem accounting information: done

4. Mount the file system.
a. Use the mkdir command to create a mount point.
# mkdir /Dev
b. Use the mount command to mount /dev/xvdb1 on /Dev with ACL support.
Include the -o acl mount option for ACL support.
# mount -t ext4 -o acl /dev/xvdb1 /Dev
c. Use the df command to display the mounted file systems.
# df -h
Filesystem      Size  Used Avail Use% Mounted on
...
/dev/xvdb1      976M  2.6M  907M   1% /Dev

Practice 9-2: Implementing Access Control Lists

Overview
In this practice, you set ACLs on a directory.

Assumptions

Ensure that you are using vncviewer to connect to host03 and not using ssh.

You are the root user on host03 VM.

You switch between the root user and the oracle user for this practice.

Tasks
1. Open a tab in the current window.
From the terminal window menu bar, select File > Open Tab, or press Shift + Ctrl + T.
Your window looks like the following screenshot.
You are the root user in one tab and you are the oracle user in the other.


2. As the oracle user, use the touch command to create the test file in the /Dev
directory.
Note that you do not have permission to create files in the /Dev directory.
[oracle@host03]$ touch /Dev/test
touch: cannot touch Dev/test: Permission denied

3. As the root user, use the getfacl command to display the /Dev directory's ACL.
Click the root@host03 tab to enter commands as the root user.
[root@host03]# getfacl /Dev
getfacl: Removing leading / from absolute path names
# file: Dev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

4. As the root user, use the setfacl command to add a rule to the ACL giving the oracle
user read, write, and execute permissions to the /Dev directory.
[root@host03]# setfacl -m u:oracle:rwx /Dev
5. As the root user, use the getfacl command to display the /Dev directory's ACL.
Note the new user:oracle:rwx line in the output of the getfacl command.
[root@host03]# getfacl /Dev
getfacl: Removing leading / from absolute path names
# file: Dev
# owner: root
# group: root
user::rwx
user:oracle:rwx
group::r-x
mask::rwx
other::r-x
6. As the root user, use the ls -ld command to display the permissions for the /Dev
directory.
Note the plus sign (+), indicating that the directory has an ACL.
[root@host03]# ls -ld /Dev
drwxrwxr-x+ ... /Dev
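The mask::rwx entry that setfacl added is what makes user:oracle:rwx effective. The mask is an upper bound on every named user, named group and owning-group entry, while the owner (user::) and other:: entries are not subject to it, and the group bits shown by ls -ld (the middle rwx in drwxrwxr-x+) display the mask, not the owning group's permission. The POSIX shell below is an added example, not part of the Oracle course: it computes the effective permission of every entry in getfacl output. It goes beyond the course output by using a constructed ACL with mask::r-- (what setfacl -m m::r-- /Dev would set) so that the capping effect is visible; with mask::rwx, as in this practice, every entry is effective as written.

```shell
# Added example (not part of the Oracle course): compute the effective
# permission of each getfacl entry. Named users (user:NAME:), named groups
# (group:NAME:) and the owning group (group::) are limited by mask::; the
# owner (user::) and other:: are not.
#
# Constructed sample: the /Dev ACL from this practice, but with a tighter
# mask (what "setfacl -m m::r-- /Dev" would set) to show the capping effect.
SAMPLE_ACL='# file: Dev
# owner: root
# group: root
user::rwx
user:oracle:rwx
group::r-x
mask::r--
other::r-x'

# Keep only the permission bits present in both $1 (entry) and $2 (mask).
apply_mask() {
    perm=$1 mask=$2 eff=''
    while [ -n "$perm" ]; do
        p=${perm%"${perm#?}"}; perm=${perm#?}   # first char of perm, then drop it
        m=${mask%"${mask#?}"}; mask=${mask#?}   # same position in the mask
        if [ "$p" = "$m" ]; then eff="$eff$p"; else eff="$eff-"; fi
    done
    printf '%s' "$eff"
}

# Print "<entry> <effective>" for every ACL entry in the getfacl text $1.
effective_acl() {
    acl=$1
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$acl" | while IFS=: read -r tag name perm; do
        case "$tag" in
            '#'*|'') continue ;;      # comment or blank line
            mask) continue ;;         # the mask is a bound, not a subject
        esac
        if [ -n "$mask" ] && { [ "$tag" = group ] || [ -n "$name" ]; }; then
            eff=$(apply_mask "$perm" "$mask")   # masked entry
        else
            eff=$perm                            # owner or other: never masked
        fi
        printf '%s:%s:%s %s\n' "$tag" "$name" "$perm" "$eff"
    done
}

# On a real host: effective_acl "$(getfacl /Dev)"
```

With the sample mask, user:oracle:rwx becomes r-- and group::r-x becomes r--, while user::rwx and other::r-x are unchanged; getfacl itself prints the same conclusion as an #effective: comment next to each capped entry, so the function is a way to make that reading explicit in a script.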

7. As the oracle user, use the touch command to create the test file in the /Dev
directory.
Click the oracle@host03 tab to enter commands as the oracle user.
Note that the command succeeded this time.
[oracle@host03]$ touch /Dev/test

8. As the oracle user, use the ls command to display a long listing of the /Dev directory.
Note that the test file is owned by the oracle user.
[oracle@host03]$ ls -l /Dev
drwx------. 2 root   root   ... lost+found
-rw-rw-r--. 1 oracle oracle ... test

Practice 9-3: Setting Disk Quotas

Overview
In this practice, you set quotas on a directory for the oracle user. You also remove the quotas
and the ACL on the directory.

Assumptions
You switch between the root user and the oracle user for this practice.

Tasks
1. As the root user, configure disk quotas.
a. Click the root@host03 tab to enter commands as the root user.
b. Use the umount command to unmount the file system on /Dev.
[root@host03]# umount /Dev

c. Use the mount command with the -o acl,usrquota,grpquota options to remount
/dev/xvdb1 on /Dev.
These options enable disk quotas for users and groups and also enable ACL
support.
[root@host03]# mount -t ext4 -o acl,usrquota,grpquota /dev/xvdb1 /Dev
d. Use the quotacheck command to create disk usage tables for /Dev.
[root@host03]# quotacheck -cug /Dev
e. Use the ls command to display the files created in /Dev.
[root@host03]# ls -l /Dev
-rw-------. root root ... aquota.group
-rw-------. root root ... aquota.user
...
f. Use the quotaon command to enable quotas on /Dev.
[root@host03]# quotaon /Dev
g. Use the repquota command to report disk usage on /Dev.
[root@host03]# repquota /Dev
*** Report for user quotas on device /dev/xvdb1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      20       0       0              2     0     0
oracle    --       0       0       0              1     0     0
h.

Use the edquota command to limit the oracle user.

This command invokes the vi editor.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Change the block quota to set a hard limit of 2048 blocks (2 MB) for the oracle
user.
[root@host03]# edquota oracle
Disk quotas for user oracle (uid 500):
Filesystem blocks soft hard inodes soft hard
/dev/xvdb1
0
0
0
1
0
0 (old entry)
/dev/xvdb1
0
0 2048
1
0
0 (new entry)
Alternatively, you could use the setquota oracle 0 2048 0 0 /Dev
command.
i. Use the repquota command to report disk usage on /Dev.

Note that the hard limit for the oracle user is now 2048.
[root@host03]# repquota /Dev
*** Report for user quotas on device /dev/xvdb1
Block grace time: 7days; Inode grace time: 7days
Block limits
File limits
User
used soft
hard grace used soft hard grace
------------------------------------------------------------root
-20
0
0
2
0
0
oracle -0
0
2048
1
0
0
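As an added example (not part of the Oracle activity guide), the POSIX shell functions below check that a mount really carries the acl,usrquota,grpquota options from step 1c and scan repquota output in the layout of step 1i for users who have reached their hard block limit. The mount line and the repquota report are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Oracle activity guide.
# Two checks a root user can run after the quota setup in task 1:
#   mount_has_opts      - confirm the remount carried acl,usrquota,grpquota
#   users_at_hard_limit - scan 'repquota' output for users at their hard block limit
# Both read their input from arguments so they can be run on saved output.

# Constructed sample of the /proc/mounts line for /Dev (assumed values).
SAMPLE_MOUNT='/dev/xvdb1 /Dev ext4 rw,relatime,acl,usrquota,grpquota 0 0'

# Constructed sample in the layout of 'repquota /Dev' from step 1i, taken
# after oracle has filled the 2048-block hard limit (the '+' flag and the
# grace column appear once a limit is reached).
SAMPLE_REPQUOTA='*** Report for user quotas on device /dev/xvdb1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      20       0       0              2     0     0
oracle    +-    2048       0    2048  6days       2     0     0
'

# mount_has_opts "<mounts line(s)>" <mountpoint> opt1 [opt2 ...]
# Returns 0 only when every named option is present for that mount point.
mount_has_opts() {
    mounts=$1; mp=$2; shift 2
    opts=$(printf '%s\n' "$mounts" | awk -v m="$mp" '$2 == m { print $4; exit }')
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# users_at_hard_limit "<repquota output>"
# Prints each user whose used blocks have reached a non-zero hard limit.
# Columns after the dashed line: user flags used soft hard [grace] ...
users_at_hard_limit() {
    printf '%s\n' "$1" | awk '
        /^-+$/ { body = 1; next }
        body && NF >= 5 {
            used = $3 + 0; hard = $5 + 0
            if (hard > 0 && used >= hard) print $1
        }'
}
```

On a live system, feed mount_has_opts the output of cat /proc/mounts and users_at_hard_limit the output of repquota /Dev.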

2. As the oracle user, verify the disk quota setting.
   a. Click the oracle@host03 tab to enter commands as the oracle user.
   b. Use the dd if=/dev/zero of=bigfile bs=1M count=4096 command to attempt to
      create a 4 MB file in /Dev.
      Note the "Disk quota exceeded" error message.
      [oracle@host03]$ cd /Dev
      [oracle@host03]$ dd if=/dev/zero of=bigfile bs=1M count=4096
      xvdb1: write failed, user block limit reached.
      dd: writing 'bigfile': Disk quota exceeded
      3+0 records in
      1+0 records out
      2097152 bytes (2.1 MB) copied, ...
   c. Use the ls command to display a long listing of the /Dev directory.
      Note that bigfile is not 4 MB, but was truncated after quota limits were
      reached.
      [oracle@host03]$ ls -l /Dev
      ...
      -rw-rw-r--. 1 oracle oracle 2097152 ... bigfile
      ...
   d. Use the quota command to display quota information.
      [oracle@host03]$ quota
      Disk quotas for user oracle (uid 500):
           Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
           /dev/xvdb1   2048*       0    2048               2       0       0
   e. Use the rm command to delete the bigfile file in the /Dev directory.
      [oracle@host03]$ rm bigfile
   f. Use the quota command to display quota information.
      Note the difference in the number of blocks and number of files from step 13.
      [oracle@host03]$ quota
      Disk quotas for user oracle (uid 500):
           Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
           /dev/xvdb1       0       0    2048               1       0       0
   g. Use the rm command to delete the test file in the /Dev directory.
      [oracle@host03]$ rm test
   h. Use the cd command to change to the oracle user's home directory.
      [oracle@host03]$ cd
3. As the root user, reset the /dev/xvdb1 partition for the next practice.
   a. Click the root@host03 tab to enter commands as the root user.
   b. Use the setquota oracle 0 0 0 0 /Dev command to reset the disk quota for the
      oracle user.
      [root@host03]# setquota oracle 0 0 0 0 /Dev
   c. Use the setfacl -b command to remove the ACL from the /Dev directory.
      [root@host03]# setfacl -b /Dev
   d. Use the getfacl command to display the /Dev directory's ACL.
      Note that the user:oracle:rwx line in the output has been removed.
      [root@host03]# getfacl /Dev
      getfacl: Removing leading '/' from absolute path names
      # file: Dev
      # owner: root
      # group: root
      user::rwx
      group::r-x
      other::r-x
   e. Use the ls -ld command to display the permissions for the /Dev directory.
      Note that there is no plus sign (+), indicating that the directory has no ACL.
      [root@host03]# ls -ld /Dev
      drwxr-xr-x ... /Dev
   f. Use the umount command to unmount /Dev.
      # umount /Dev
   g. Click the X on the oracle@host03 tab to close the tab.


Practice 9-4: Encrypting a File System


Overview
In this practice, you create an encrypted file system, create a file system on the encrypted
volume, reboot your system and provide the passphrase to mount the encrypted file system,
and remove the encrypted file system.

Assumptions
You are the root user on host03 VM.

Tasks
1. Set up a cryptographic volume.
   a. Use the cryptsetup command with luksFormat to initialize the /dev/xvdb1
      volume and set an initial key of Cvt69*@P3.
      The Cvt69*@P3 entries are not displayed for security reasons.
      The initial key needs to be a random sequence of characters to be accepted.
      # cryptsetup luksFormat /dev/xvdb1

      WARNING!
      ========
      This will overwrite data on /dev/xvdb1 irrevocably.

      Are you sure? (Type uppercase yes): YES
      Enter LUKS passphrase: Cvt69*@P3
      Verify passphrase: Cvt69*@P3
   b. Use the cryptsetup command with luksOpen to open the partition and create the
      device mapping of cryptfs.
      # cryptsetup luksOpen /dev/xvdb1 cryptfs
      Enter passphrase for /dev/xvdb1: Cvt69*@P3
   c. Use the cryptsetup command to check the status of the encrypted volume.
      # cryptsetup status cryptfs
      /dev/mapper/cryptfs is active.
        type:    LUKS1
        cipher:  aes-xts-plain64
        keysize: 256 bits
        device:  /dev/xvdb1
        offset:  4096 sectors
        size:    2093056 sectors
        mode:    read/write
   d. Use the blkid command to view the attributes of the /dev/xvdb1 block device.
      # blkid /dev/xvdb1
      /dev/xvdb1: UUID="..." TYPE="crypto_LUKS"
   e. Use the ls -l command to list the /dev entry for the cryptfs encrypted volume.
      # ls -l /dev/mapper
      ...
      crw-------. ... control
      lrwxrwxrwx. ... cryptfs -> ../dm-2
      lrwxrwxrwx. ... ol-root -> ../dm-0
      lrwxrwxrwx. ... ol-swap -> ../dm-1
2. Create a file system on the encrypted volume.
   a. Use the mkfs.ext4 command to create an ext4 file system.
      # mkfs.ext4 /dev/mapper/cryptfs
      mke2fs 1.42.9 (28-Dec-2013)
      Filesystem label=
      OS type: Linux
      ...
      Writing inode tables: done
      Creating journal (4096 blocks): done
      Writing superblocks and filesystem accounting information: done
   b. Use the mkdir command to create a mount point named /cryptfs.
      # mkdir /cryptfs
   c. Use the mount command to mount the file system.
      # mount /dev/mapper/cryptfs /cryptfs
   d. Display the mounted file systems.
      # df -h
      Filesystem           Size  Used Avail Use% Mounted on
      ...
      /dev/mapper/cryptfs  990M  2.6M  921M   1% /cryptfs
   e. Use the vi editor to create /etc/crypttab and to add the following entry.
      # vi /etc/crypttab
      cryptfs /dev/xvdb1 none luks
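The shell functions below are an added example (not from the Oracle activity guide) that reads cryptsetup status output in the layout of step 1c and the /etc/crypttab entry from step 2e, checks the cipher and key size against a minimum policy, and confirms that the device recorded in crypttab is the one backing the active mapping. The policy values (aes-xts-plain64, 256-bit key) and both inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle activity guide.
#   status_field            - pull one field out of 'cryptsetup status' output
#   status_meets_policy     - cipher/keysize check (policy values are assumptions)
#   crypttab_device         - backing device named for a mapping in crypttab
#   crypttab_matches_status - crypttab device == device of the active mapping

# Constructed copy of the 'cryptsetup status cryptfs' output in step 1c.
SAMPLE_STATUS='/dev/mapper/cryptfs is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/xvdb1
  offset:  4096 sectors
  size:    2093056 sectors
  mode:    read/write'

# Constructed /etc/crypttab content matching step 2e.
SAMPLE_CRYPTTAB='cryptfs /dev/xvdb1 none luks'

# status_field "<status output>" <field>  -> value, e.g. "aes-xts-plain64"
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# status_meets_policy "<status output>"
# Returns 0 when the cipher is aes-xts-plain64 and the key is >= 256 bits.
status_meets_policy() {
    cipher=$(status_field "$1" cipher)
    bits=$(status_field "$1" keysize)
    [ "$cipher" = "aes-xts-plain64" ] && [ "${bits:-0}" -ge 256 ]
}

# crypttab_device "<crypttab text>" <mapping name> -> backing device
# Skips comment lines; fields are: name device keyfile options.
crypttab_device() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 !~ /^#/ && $1 == n { print $2; exit }'
}

# crypttab_matches_status "<crypttab text>" "<status output>" <mapping name>
# Returns 0 when crypttab names the same device the active mapping is built on;
# a mismatch means the entry will not open the volume at the next boot.
crypttab_matches_status() {
    [ -n "$(crypttab_device "$1" "$3")" ] &&
        [ "$(crypttab_device "$1" "$3")" = "$(status_field "$2" device)" ]
}
```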

3. Reboot your system and enter the passphrase to mount the encrypted file system.
   a. Use the systemctl reboot command to reboot your system.
      After you reboot your system, your VNC session closes.
      # systemctl reboot
   b. From dom0, connect to the host03 guest by using vncviewer.
      # vncviewer&
      The VNC Viewer: Connection Details window appears.
   c. Enter the command, localhost:<port_number>, substituting the correct port
      number for the host03 guest. For example, if the port number is 5904, enter the
      following and click Connect.
      localhost:5904
   d. Provide the passphrase, Cvt69*@P3, when prompted for the encrypted file system
      passphrase during reboot.
      The boot process continues after providing the correct passphrase.
      Please enter passphrase for disk cryptfs!: Cvt69*@P3

4. Remove the encrypted file system.
   a. Log in as Oracle Student with password oracle.
   b. Open a terminal window.
   c. Become the root user. The password is oracle.
      $ su -
      Password: oracle
      # whoami
      root
   d. Using the vi editor, remove the following entry from /etc/crypttab.
      # vi /etc/crypttab
      cryptfs /dev/xvdb2 none luks
   e. Use the cryptsetup command with luksClose to remove the device mapping.
      # cryptsetup luksClose /dev/mapper/cryptfs
   f. Verify that the cryptfs device mapping has been removed.
      # ls /dev/mapper
      control  ol-root  ol-swap


Practice 9-5: Using kpartx

Overview
In this practice, you use the kpartx utility to create device maps from partition tables.

Assumptions

This practice is performed on dom0 and on host03 VM.

You are logged in as the root user on dom0 and host03.

Tasks
1. Review the host03 virtual disk configuration.
   a. From dom0, use the cd command to change to the /OVS/running_pool/host03
      directory on dom0.
      [dom0]# cd /OVS/running_pool/host03
   b. Use the ls -l command to list the contents of the directory.
      [dom0]# ls -l
      -rw-r--r-- 12884901888 system.img
      -rw-r--r-- 10737418240 u01.img
      -rw-r--r-- 10737418240 u02.img
      -rw-r--r--         737 vm.cfg
   c. Use the cat command to view the vm.cfg file.
      The system.img file is represented by /dev/xvda.
      The u01.img file is represented by /dev/xvdb.
      The u02.img file is represented by /dev/xvdd.
      [dom0]# cat vm.cfg
      name = 'host03'
      builder = 'hvm'
      memory = 1536
      boot = 'cd'
      disk = [ 'file:/OVS/running_pool/host03/system.img,xvda,w',
      'file:/OVS/running_pool/host03/u01.img,xvdb,w',
      'file:/OVS/running_pool/host03/u02.img,xvdd,w',
      ...
2. Review the partition information on the system.img file.
   a. From dom0, use the kpartx -l command to list the partitions on the system.img
      disk image file.
      The output shows that the system.img disk image file contains two partitions.
      Sample output is shown.
      [dom0]# kpartx -l system.img
      loop8p1 : 0 1024000 /dev/loop8 2048
      loop8p2 : 0 24139776 /dev/loop8 1026048
   b. From host03 VM, use the fdisk command to list the partition table for /dev/xvda.
      Note that /dev/xvda has two partitions.
      This confirms that the system.img file is mapped to /dev/xvda.
      [host03]# fdisk -l | grep /dev/xvda
      Disk /dev/xvda: 12.9 GB, 12884901888 bytes, 25165824 sectors
      /dev/xvda1   *        2048     1026047      512000   83  Linux
      /dev/xvda2         1026048    25165823    12069888   8e  Linux LVM

3. Review the partition information on the u01.img file.
   a. From dom0, use the kpartx -l command to list the partitions on the u01.img disk
      image file.
      The output shows one partition.
      Sample output is shown.
      [dom0]# kpartx -l u01.img
      loop8p1 : 0 2097152 /dev/loop8 2048
   b. From host03 VM, use the fdisk command to list the partition table for /dev/xvdb.
      The output shows one partition.
      This confirms that the u01.img file is mapped to /dev/xvdb.
      [host03]# fdisk -l | grep /dev/xvdb
      Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
      /dev/xvdb1            2048     2099199     1048576   83  Linux
4. Review the partition information on the u02.img file.
   a. From dom0, use the kpartx -l command to list the partitions on the u02.img disk
      image file.
      The output shows no partitions.
      Sample output is shown.
      [dom0]# kpartx -l u02.img
   b. From host03 VM, use the fdisk command to list the partition table on /dev/xvdd.
      The output shows no partitions on /dev/xvdd.
      This confirms that the u02.img file is mapped to /dev/xvdd.
      [host03]# fdisk -l | grep /dev/xvdd
      Disk /dev/xvdd: 10.7 GB, 10737418240 bytes, 20971520 sectors
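As an added example (not from the Oracle activity guide), the shell functions below turn kpartx -l lines such as those in steps 2a through 4a into byte offsets, byte sizes and last sectors, so the numbers can be compared with the fdisk output seen from host03 or used with mount -o offset= to read a partition from dom0 without creating a device map. A 512-byte sector is assumed, and the sample lines are constructed from step 2a.

```shell
#!/bin/sh
# Added example, not from the Oracle activity guide.
# Reads 'kpartx -l' lines (name : start-in-map length loop-device start-sector)
# and reports each partition's byte offset, byte size and last sector, so the
# values can be compared with the fdisk output seen from host03 or used with
# 'mount -o offset=<bytes>' to read a partition from dom0 without a device map.
# A 512-byte sector is assumed, as in the fdisk output in this practice.

SECTOR=512

# Constructed sample in the layout of 'kpartx -l system.img' (step 2a).
SAMPLE_KPARTX='loop8p1 : 0 1024000 /dev/loop8 2048
loop8p2 : 0 24139776 /dev/loop8 1026048'

# kpartx_offsets "<kpartx -l output>"
# Prints one line per partition: name offset_bytes size_bytes last_sector
kpartx_offsets() {
    printf '%s\n' "$1" | awk -v s="$SECTOR" '
        NF == 6 && $2 == ":" {
            len = $4 + 0; start = $6 + 0
            printf "%s %.0f %.0f %.0f\n", $1, start * s, len * s, start + len - 1
        }'
}

# partition_offset "<kpartx -l output>" <name>
# Prints the byte offset to pass to mount -o offset= for that partition.
partition_offset() {
    kpartx_offsets "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# partitions_consistent "<kpartx -l output>"
# Returns 0 when no partition starts before sector 2048 (the usual gap that
# holds the partition table and boot code) and no two partitions overlap;
# an image that fails this check deserves a closer look before mapping it.
partitions_consistent() {
    kpartx_offsets "$1" | sort -n -k2 | awk -v s="$SECTOR" '
        {
            start = $2 / s; last = $4 + 0
            if (start < 2048) bad = 1
            if (NR > 1 && start <= prev_last) bad = 1
            prev_last = last
        }
        END { exit (bad ? 1 : 0) }'
}
```

For the sample, loop8p1 ends at sector 1026047 and loop8p2 at 25165823, the same end sectors fdisk reports for /dev/xvda1 and /dev/xvda2 in step 2b.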


5. Create and mount a file system on /dev/xvdb1.
   a. From host03, use the mkfs command to make an ext3 file system on /dev/xvdb1.
      [host03]# mkfs -t ext3 /dev/xvdb1
      mke2fs 1.42.9 (28-Dec-2013)
      Filesystem label=
      OS type: Linux
      ...
      Writing superblocks and filesystem accounting information: done
   b. Use the mount command to mount /dev/xvdb1 on /Dev.
      [host03]# mount /dev/xvdb1 /Dev
   c. Use the df command to display the mounted file systems.
      [host03]# df -h
      Filesystem   Size  Used Avail Use% Mounted on
      ...
      /dev/xvdb1  1008M   34M  924M   4% /Dev
   d. Use the cp command to copy the init* files from /boot to /Dev.
      You view these files later in this practice to confirm the success of the kpartx
      command.
      [host03]# cp /boot/init* /Dev
      [host03]# ls /Dev
      initramfs-0-rescue-...img            initrd-plymouth.img
      initramfs-3.10.0-229.el7.x86_64.img  lost+found
      initramfs-3.8.13-55.1.6.el7uek.x86_64.img
      The remaining commands in this practice are entered from dom0.
6. Create device maps from the partition table on u01.img.
   a. From dom0, use the ls command to list the /dev/mapper directory.
      Before adding the device files, a listing of /dev/mapper shows only the control
      file.
      [dom0]# ls /dev/mapper
      control
   b. Use the kpartx -l command to list the partitions on the u01.img disk image file.
      Recall that u01.img maps to /dev/xvdb.
      Sample output is shown.
      This confirms that there is one partition on /dev/xvdb.
      [dom0]# kpartx -l u01.img
      loop9p1 : 0 2097152 /dev/loop9 2048
   c. Use the kpartx -a command to add the device mappings for the detected partitions.
      To save time in this practice, you do not need to shut down the host03 VM before
      using the kpartx -a command.
      It would be best practice to shut down host03 before creating device mappings and
      before mounting the devices on dom0.
      [dom0]# kpartx -a u01.img
   d. Use the ls command to list the /dev/mapper directory.
      Sample output is shown.
      Note that a file was created for the partition on /dev/xvdb.
      [dom0]# ls /dev/mapper
      control  loop9p1
7. Mount the device created by the kpartx command.
   a. From dom0, use the mkdir command to create a mount point, /mnt/map1.
      [dom0]# mkdir /mnt/map1
   b. Use the mount command to mount /dev/mapper/loop9p1 on /mnt/map1.
      Substitute the device name from step 6d.
      [dom0]# mount /dev/mapper/loop9p1 /mnt/map1
   c. Use the ls command to view the files on /mnt/map1.
      Note that these are the same files that you copied to /Dev in step 5d.
      [dom0]# ls /mnt/map1
      initramfs-0-rescue-...img            initrd-plymouth.img
      initramfs-3.10.0-229.el7.x86_64.img  lost+found
      initramfs-3.8.13-55.1.6.el7uek.x86_64.img
8. Remove the kpartx device mapping on dom0.
   a. From dom0, use the umount command to unmount /mnt/map1.
      [dom0]# umount /mnt/map1
   b. Use the rmdir command to delete /mnt/map1.
      [dom0]# rmdir /mnt/map1
   c. Use the kpartx -d command to disconnect the device.
      [dom0]# kpartx -d u01.img
      loop deleted : /dev/loop9
   d. Use the ls command to list the contents of /dev/mapper.
      Note that the device mapping no longer exists in /dev/mapper.
      [dom0]# ls /dev/mapper
      control


Practice 9-6: Exploring and Configuring Udev


Overview
In this practice, you:
Explore Udev files and directories
Query the Udev database
Create a Udev rule to create a symbolic link to a device

Assumptions
You are the root user on the host03 VM.

Tasks
1. Explore Udev.
   Udev is now part of systemd.
   a. Use the rpm -ql command to view the udev files included with the systemd RPM
      package.
      # rpm -ql systemd | grep udev
      /etc/udev
      /etc/udev/hwdb.bin
      /etc/udev/rules.d
      /etc/udev/udev.conf
      /usr/bin/udevadm
      ...
   b. Use the ls command to view existing Udev rules files in the /lib/udev/rules.d
      and /etc/udev/rules.d directories.
      # ls /lib/udev/rules.d
      10-dm.rules        75-probe_mtd.rules
      100-balloon.rules  75-tty-description.rules
      11-dm-lvm.rules    77-mm-ericsson-mbm.rules
      ...
      # ls /etc/udev/rules.d
      70-persistent-ipoib.rules
   c. Use the less command to view the /lib/udev/rules.d/50-udev-default.rules file.
      Page through the file. Press q to return to the command prompt.
      Note the operators:
      ==: Compare for equality
      =: Assign a value to a key
      +=: Add the value to the current values for the key
      # less /lib/udev/rules.d/50-udev-default.rules
      # do not edit this file, it will be overwritten on update
      SUBSYSTEM=="virtio-ports", KERNEL=="vport", ATTR{name}=="?*",...
      # select 'system RTC' or just use the first one
      SUBSYSTEM=="rtc", ATTR{hctosys}=="1", SYMLINK+="rtc"
      SUBSYSTEM=="rtc", KERNEL=="rtc0", SYMLINK+="rtc", OPTIONS+=...
      SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", IMPORT{builtin}...
      SUBSYSTEM=="input", ENV{ID_INPUT}=="", IMPORT{builtin}="input...
      ...
2. Query the Udev database.
   Sample output is shown.
   a. Use the udevadm command to query the Udev database for all device information for
      /dev/xvdd.
      # udevadm info --query=all --name=/dev/xvdd
      P: /devices/vbd-5696/block/xvdd
      N: xvdd
      E: DEVNAME=/dev/xvdd
      E: DEVPATH=/devices/vbd-5696/block/xvdd
      E: DEVTYPE=disk
      E: MAJOR=202
      E: MINOR=48
      E: MPATH_SBIN_PATH=/sbin
      E: SUBSYSTEM=block
      E: TAGS=:systemd:
      E: USEC_INITIALIZED=12403
   b. Use the udevadm command to query the Udev database for the device path of
      /dev/xvdd.
      # udevadm info --query=path --name=/dev/xvdd
      /devices/vbd-5696/block/xvdd
   c. Use the udevadm command to print all sysfs properties of /dev/xvdd.
      # udevadm info --attribute-walk --name=/dev/xvdd
      Udevadm info starts with the device specified by the devpath and
      then walks up the chain of parent devices. It prints for every
      device found, all possible attributes in the udev rules key
      format. A rule to match, can be composed by the attributes of
      the device and the attributes from one single parent device.
      looking at device '/devices/vbd-5696/block/xvdd':
        KERNEL=="xvdd"
        SUBSYSTEM=="block"
        DRIVER==""
        ATTR{ro}=="0"
        ...
      looking at parent device '/devices/vbd-5696':
        KERNELS=="vbd-5696"
        SUBSYSTEMS=="xen"
        DRIVERS=="vbd"
        ATTR{devtype}=="vbd"
        ATTR{nodename}=="device/vbd/5696"
3. Create a symbolic link to a device node.
   a. Use the vi editor to create the /etc/udev/rules.d/10-local.rules file as
      follows:
      Use the KERNEL and SUBSYSTEM values from the previous udevadm info
      --attribute-walk command.
      The SYMLINK directive names the new symlink for the device.
      # vi /etc/udev/rules.d/10-local.rules
      KERNEL=="xvdd", SUBSYSTEM=="block", SYMLINK="my_disk"
   b. Run the udevadm trigger command to manually force Udev to trigger rules.
      # udevadm trigger
   c. Use the ls -l command to list the /dev/my* devices.
      Note that /dev/my_disk is a symlink to /dev/xvdd.
      # ls -l /dev/my*
      lrwxrwxrwx. ... /dev/my_disk -> xvdd
   d. Use the udevadm info command to query the Udev database for the symlinks for
      /dev/xvdd.
      # udevadm info --query=symlink --name=/dev/xvdd
      my_disk
4. Remove the /dev/my_disk symlink.
   a. Use the rm command to remove the /etc/udev/rules.d/10-local.rules file.
      # rm /etc/udev/rules.d/10-local.rules
      rm: remove regular file '/etc/udev/rules.d/10-local.rules'? y
   b. Run the udevadm trigger command to manually force Udev to trigger rules.
      # udevadm trigger
   c. Use the ls command to list the /dev/my* devices.
      Note that /dev/my_disk no longer exists.
      # ls /dev/my*
      ls: cannot access /dev/my*: No such file or directory
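As an added example (not from the Oracle activity guide), the shell functions below lint a rule line such as the one written in step 3a for the operator usage listed in step 1c, and verify that a symlink produced by udevadm trigger points where step 3c expects. The syntax check is a deliberately simplified reading of udev rules (comma-separated keys, double-quoted values), and the sample rule is a constructed copy of the one in this practice.

```shell
#!/bin/sh
# Added example, not from the Oracle activity guide.
#   lint_udev_rule  - check one rule line for the operators from step 1c:
#                     at least one match key (== or !=) and one assignment (= or +=)
#   udev_symlink_ok - after 'udevadm trigger', confirm a symlink exists and points
#                     to the expected kernel name (e.g. /dev/my_disk -> xvdd)
# The parser is a simplified reading of udev syntax: keys separated by commas,
# optional {attr} part, values in double quotes. Values containing commas are
# not handled.

# Constructed copy of the rule created in step 3a.
SAMPLE_RULE='KERNEL=="xvdd", SUBSYSTEM=="block", SYMLINK="my_disk"'

# lint_udev_rule "<one rule line>"
# Returns 0 when the rule is well formed; otherwise prints the problem and
# returns 1. Comment and blank lines are accepted as-is.
lint_udev_rule() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            n = split($0, kv, /,[[:space:]]*/)
            matches = 0; assigns = 0
            for (i = 1; i <= n; i++) {
                tok = kv[i]
                if (tok !~ /^[A-Z_]+([{][^}]*[}])?(==|!=|\+=|=)"[^"]*"$/) {
                    print "bad token: " tok; exit 1
                }
                if (tok ~ /^[A-Z_]+([{][^}]*[}])?(==|!=)"/) matches++
                else assigns++
            }
            if (matches == 0) { print "no match key (== or !=)"; exit 1 }
            if (assigns == 0) { print "no assignment (= or +=)"; exit 1 }
        }'
}

# udev_symlink_ok <link path> <expected target>
# Returns 0 when <link path> is a symlink whose target is exactly <expected target>,
# the relative form udev writes (compare step 3c: /dev/my_disk -> xvdd).
udev_symlink_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}
```

Run lint_udev_rule on each line of a local rules file before udevadm trigger; a rule with no match key would apply to every device event.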


5. Log off host03.
   a. Click the Oracle Student in the top-right corner of the GNOME desktop to display the
      drop-down menu.
   b. Click Log Out from the menu.
      The following window appears.
   c. Click Log Out.
   d. Close the VNC window by clicking the X in the top-right corner of the window.

Practices for Lesson 10: Advanced Networking
Chapter 10

Practices for Lesson 10: Overview


Practices Overview
In these practices, you do the following:
Configure network bonding by using the GUI and the command line
Explore network bonding interface configuration
Configure 802.1q VLAN tagging interfaces
Explore 802.1q VLAN tagging interface configuration
Configure a site-to-site VPN


Practice 10-1: Configuring Network Bonding by Using the GUI

Overview
In this practice, you:
View the network configuration on dom0
Log in to host02 by using vncviewer
View the network configuration on host02
Configure network bonding on host02 by using the Network Settings GUI

Assumptions
You are the root user on dom0.

Tasks
1. View the network configuration on dom0.
   Use the ifconfig command to view the network configuration.
   The IP address of bond0 is different on your system.
   Note that the virbr2 bridge is on the 192.168.2 subnet.
   The bonded interfaces you create in this practice are also on the 192.168.2
   subnet.
   [dom0]# ifconfig
   ...
   bond0     Link encap:Ethernet ...
             inet addr:10.150.30.83 ...
   ...
   eth0      Link encap:Ethernet ...
   ...
   lo        Link encap:Local Loopback ...
             inet addr:127.0.0.1 ...
   ...
   vif...    Link encap:Ethernet ...
   ...
   virbr0    Link encap:Ethernet ...
             inet addr:192.0.2.1 ...
   virbr1    Link encap:Ethernet ...
             inet addr:192.168.1.1 ...
   virbr2    Link encap:Ethernet ...
             inet addr:192.168.2.1 ...
   virbr3    Link encap:Ethernet ...
             inet addr:192.168.3.1 ...
   ...
2. Log in to host02 by using vncviewer.

   a. From dom0, determine the VNC port number for host02 by running the xm list -l
      host02 | grep location command.
      [dom0]# xm list -l host02 | grep location
      (location 0.0.0.0:5903)
      (location 3)
      The sample shown indicates that the port number is 5903. This might not be true in
      your case.
   b. From dom0, run the vncviewer& command.
      [dom0]# vncviewer&
      The VNC Viewer: Connection Details dialog box appears.
   c. Enter localhost:<port_number>, substituting the port number displayed from the
      previous xm list -l host02 | grep location command.
      For example, if the port number is 5903, enter localhost:5903 and click
      Connect.

      The GNOME login screen appears.
   d. Click Oracle Student in the list of users.
      You are prompted for the password.
   e. Enter oracle for the Password and click Sign In.
      The GNOME desktop appears.
   f. Right-click the desktop to display the pop-up menu.


   g. From the pop-up menu, click Open in Terminal.
      A terminal window appears.
   h. In the terminal window, use the su - command to become the root user.
      The root password is oracle.
      $ su -
      Password: oracle
      #
3. View the network interfaces on host02.
   a. Use the ip addr command to view the network interfaces.
      Note that the eth2 and eth3 interfaces do not have IP addresses.
      # ip addr
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
          ...
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
          link/ether 00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
          inet 192.0.2.102/24 brd 192.0.2.255 scope global eth0
          ...
      3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
          link/ether 00:16:3e:00:02:02 brd ff:ff:ff:ff:ff:ff
          inet 192.168.1.102/24 brd 192.168.1.255 scope global eth1
          ...
      4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
          link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
      5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
          link/ether 00:16:3e:00:04:02 brd ff:ff:ff:ff:ff:ff
   b. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.
      Note that the eth0, eth1, eth2, and eth3 Ethernet network interfaces have
      configuration files.
      # ls /etc/sysconfig/network-scripts
      ifcfg-eth0 ...
      ifcfg-eth1 ...
      ifcfg-eth2 ...
      ifcfg-eth3 ...
      ...

   c. Use the nmcli con command to view the network connections.
      Note that the connections correspond to the existing network interface
      configuration files in the /etc/sysconfig/network-scripts directory.
      Note that the eth2 and eth3 connections are not associated with a device.
      # nmcli con
      NAME  UUID  TYPE            DEVICE
      eth1  ...   802-3-ethernet  eth1
      eth2  ...   802-3-ethernet  --
      eth3  ...   802-3-ethernet  --
      eth0  ...   802-3-ethernet  eth0
4. Use the Network Settings Editor to configure network bonding.
   a. Click the network icon from the GNOME desktop notification area.
      The drop-down menu includes four Ethernet interfaces and the Network Settings
      option.
      Note that eth2 and eth3 are OFF.

   b. Click the Network Settings option from the drop-down menu.
      The Network Settings Editor appears.
   c. Click the + button to add a new connection type.
      The Add Network Connection window appears.
   d. Click Bond to add a bonded interface.
      The following window appears.
      The default Connection name is Bond connection 1.
      The default interface name is bond0.
   e. Click the Add button to add the slave interfaces to the bond.
      The following window appears.
   f. Accept the default Ethernet selection. Click Create to display the following
      window.

g.

Click the down arrow on the Device MAC address prompt to display the available
Ethernet devices.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
h. Select the eth3
device
l the drop-down list.
a lefrom
o
Click
rabbutton.
orsthe Save
c
e
f
s
n
jua -tran
non

i. Repeat steps 5e (click Add), 5f (click Create), and 5g (click the down arrow) and
   add the eth2 slave interface. Click Save and the following window appears.
   Note that two Bonded connections have been added.

j. Click the down arrow on the Mode prompt to display the available modes.
   The list of modes appears.
k. Select the Active backup option from the drop-down list.
   The following window appears.
   Note that a Primary prompt appears when Active backup is the selected Mode.
   You can designate an interface as Primary to make it the active slave when it is
   available.
   Do not specify a Primary interface for this exercise.

l. Click the IPv4 Settings tab to assign an IPv4 address to the bonded interface.
   The following window appears.
   Change the Method to Manual.
   Click Add to add the following Address information:
   Address: 192.168.2.12
   Netmask: 24
   Gateway: <empty>
m. Click Save to complete configuring network bonding.
   You need to click in the Gateway field before Save becomes selectable.
   The Bond (bond0) interface now appears in the Network Settings window.

n. Select the Bond (bond0) option to display the following window.
   Note that the Hardware Address, IP Address, and Bond slaves are shown.

o. Click the X in the top-right corner to close the window.

5. View the network interfaces on host02.

a. Use the ip addr command to view the network interfaces.
   Note that the new bond0 interface is listed and includes MASTER and state
   UNKNOWN.
   Note that eth2 and eth3 now include SLAVE and master bond0.
   Note that eth2, eth3, and bond0 all have the same MAC address.
# ip addr
...
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UNKNOWN
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.12/24 brd 192.168.2.255 scope global bond0
...
b. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.
   Note that there are network configuration files for the two slave interfaces,
   ifcfg-bond0_slave_1 and ifcfg-bond0_slave_2.
   Note that there is a network configuration file for the bonded interface,
   ifcfg-Bond_connection_1.
# ls /etc/sysconfig/network-scripts
ifcfg-bond0_slave_1 ...
ifcfg-bond0_slave_2 ...
ifcfg-Bond_connection_1 ...
ifcfg-eth0 ...
ifcfg-eth1 ...
...

c. Use the cat command to view the contents of the ifcfg-Bond_connection_1 file.
   Note that the BONDING_OPTS setting has mode=active-backup.
   Note that the BONDING_OPTS setting also sets the Link Monitoring method to MII
   by default. The Link monitoring frequency is 1 millisecond, and Link up delay
   and Link down delay are set to 0 by default.
# cat /etc/sysconfig/network-scripts/ifcfg-Bond_connection_1
DEVICE=bond0
BONDING_OPTS=miimon=1 updelay=0 downdelay=0 mode=active-backup
TYPE=Bond
BONDING_MASTER=yes
BOOTPROTO=none
IPADDR=192.168.2.12
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_PRIVACY=no
NAME=Bond connection 1
UUID=...
ONBOOT=yes
d. Use the cat command to view the contents of the ifcfg-bond0_slave_1 file.
   Note that MASTER is set to the UUID value in the ifcfg-Bond_connection_1 file.
# cat /etc/sysconfig/network-scripts/ifcfg-bond0_slave_1
HWADDR=00:16:3E:00:04:02
TYPE=Ethernet
NAME=bond0 slave 1
UUID=...
ONBOOT=yes
MASTER=...
SLAVE=yes

e. Use the cat command to view the contents of the ifcfg-bond0_slave_2 file.
   Note that MASTER is set to the UUID value in the ifcfg-Bond_connection_1 file.
# cat /etc/sysconfig/network-scripts/ifcfg-bond0_slave_2
HWADDR=00:16:3E:00:03:02
TYPE=Ethernet
NAME=bond0 slave 2
UUID=...
ONBOOT=yes
MASTER=...
SLAVE=yes
f. Use the nmcli con command to view the network connections.
   Note that the bond and slave connections are now shown.
# nmcli con
NAME               UUID  TYPE            DEVICE
eth1               ...   802-3-ethernet  eth1
eth2               ...   802-3-ethernet  --
eth3               ...   802-3-ethernet  --
Bond connection 1  ...   bond            bond0
bond0 slave 2      ...   802-3-ethernet  eth2
bond0 slave 1      ...   802-3-ethernet  eth3
eth0               ...   802-3-ethernet  eth0

g. Use the nmcli utility to bring up the Bond connection 1 connection.
   The connection name contains spaces, so quote it on the command line.
# nmcli con up "Bond connection 1"
Connection successfully activated (D-BUS active path:...)
h. Use the ip addr command to view the network interfaces.
   Note that the bond0 interface is now UP.
# ip addr
...
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UP
...
Do not log off host02. You use it again in subsequent practices.

i. If necessary, open a new terminal window on dom0.
   Use the su - command to become the root user in this new terminal window.
   The root password is oracle.
$ su -
Password: oracle

Practice 10-2: Configuring Network Bonding from the Command Line

Overview

In this practice, you:
Log in to host01 by using ssh
View the network configuration on host01
Configure network bonding on host01 by using the command line

Assumptions

You are the root user on dom0.

Tasks

1. From dom0, use the ssh command to connect to host01.
   The root password is oracle.
[dom0]# ssh host01
root@host01's password: oracle
Last login: ...

2. View the network interfaces on host01.

a. Use the ip addr command to view the network interfaces. Yours might be different
   than the example shown.
   The IP address for eth1 was obtained by using DHCP.
   Note that the eth2 and eth3 interfaces do not have IP addresses.
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet addr:127.0.0.1/8 scope host lo
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.200/24 brd 192.168.1.255 scope global eth1
...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:04:01 brd ff:ff:ff:ff:ff:ff
b. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.
# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
ifcfg-eth2 ...
ifcfg-eth3 ...
...

c. Use the nmcli con command to view the network connections.
   Note that the eth2 and eth3 connections are not associated with a device.
# nmcli con
NAME  UUID  TYPE            DEVICE
eth1  ...   802-3-ethernet  eth1
eth2  ...   802-3-ethernet  --
eth3  ...   802-3-ethernet  --
eth0  ...   802-3-ethernet  eth0

3. Use the nmcli utility to configure network bonding.

a. Use the nmcli con add command to add a bond connection type.
   Use the type bond argument to specify a bonded interface.
   Use the con-name bond0 argument to specify the name of the new bond connection.
   Use the ifname bond0 argument to specify the interface to bind the connection to.
   Use the mode active-backup argument to specify the bonding mode.
   Use the ip4 192.168.2.11/24 argument to specify the IPv4 address to assign to
   the interface.
# nmcli con add type bond con-name bond0 ifname bond0 mode active-backup ip4 192.168.2.11/24
Connection 'bond0' (...) successfully added.
b. Use the nmcli con add command to add eth2 as a bond-slave connection type.
   The bond-slave interface is eth2.
   The bond master is bond0.
# nmcli con add type bond-slave ifname eth2 master bond0
Connection 'bond-slave-eth2' (...) successfully added.

c. Use the nmcli con add command to add eth3 as a bond-slave connection type.
   The bond-slave interface is eth3.
   The bond master is bond0.
# nmcli con add type bond-slave ifname eth3 master bond0
Connection 'bond-slave-eth3' (...) successfully added.
d. Use the nmcli con command to view the network connections.
   Note that a new bond-slave-eth2 connection exists for device eth2.
   Note that a new bond-slave-eth3 connection exists for device eth3.
   Note that a new bond0 connection exists, which is of type bond.
# nmcli con
NAME             UUID  TYPE            DEVICE
eth1             ...   802-3-ethernet  eth1
eth2             ...   802-3-ethernet  --
eth3             ...   802-3-ethernet  --
bond-slave-eth3  ...   802-3-ethernet  eth3
bond-slave-eth2  ...   802-3-ethernet  eth2
bond0            ...   bond            bond0
eth0             ...   802-3-ethernet  eth0

e. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.
   Note that a new ifcfg-bond0 file exists.
   Note that a new ifcfg-bond-slave-eth2 file exists.
   Note that a new ifcfg-bond-slave-eth3 file exists.
# ls /etc/sysconfig/network-scripts
ifcfg-bond0 ...
ifcfg-bond-slave-eth2 ...
ifcfg-bond-slave-eth3 ...
...

f. Use the cat command to view the contents of the ifcfg-bond0 file.
# cat /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BONDING_OPTS=mode=active-backup
TYPE=Bond
BONDING_MASTER=yes
BOOTPROTO=none
IPADDR=192.168.2.11
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=bond0
UUID=...
ONBOOT=yes
g. Use the cat command to view the contents of the ifcfg-bond-slave-eth2 file.
   Note that MASTER is set to bond0.
# cat /etc/sysconfig/network-scripts/ifcfg-bond-slave-eth2
TYPE=Ethernet
NAME=bond-slave-eth2
UUID=...
DEVICE=eth2
ONBOOT=yes
MASTER=bond0
SLAVE=yes

h. Use the cat command to view the contents of the ifcfg-bond-slave-eth3 file.
   Note that MASTER is set to bond0.
# cat /etc/sysconfig/network-scripts/ifcfg-bond-slave-eth3
TYPE=Ethernet
NAME=bond-slave-eth3
UUID=...
DEVICE=eth3
ONBOOT=yes
MASTER=bond0
SLAVE=yes

i. Use the ip addr command to view the network interfaces.
   Note that the eth2 interface now includes SLAVE and master bond0.
   Note that the eth3 interface now includes SLAVE and master bond0.
   Note that the new bond0 interface is listed and includes MASTER and state
   UNKNOWN.
# ip addr
...
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UNKNOWN
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.11/24 brd 192.168.2.255 scope global bond0
...

j. Use the nmcli utility to bring up bond0.
# nmcli con up bond0
Connection successfully activated (D-BUS active path:...)

k. Use the ip addr command to ensure that the bond0 interface is UP.
# ip addr
...
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UP
...
Do not log off host01. You use it again in subsequent practices.

Practice 10-3: Working with Bonded Interfaces

Overview

In this practice, you:
Test connectivity between the bonded interfaces on host01 and host02
Explore the /sys/class/net/bond0 directory
Change the MII monitoring frequency on host01
Test for slave failover on host01
Remove bond and slave connections on host02 by using the GUI
Remove bond and slave connections on host01 by using the command line

Assumptions

You are the root user on host01 and host02.
The bonded interface on host01 has an IP address of 192.168.2.11.
The bonded interface on host02 has an IP address of 192.168.2.12.

Tasks

1. Test connectivity between the bonded interfaces on host01 and host02.

a. From host02, use the ping command to communicate to the bonded interface on
   host01.
   The IP address of the bonded interface on host01 is 192.168.2.11.
   Press CTRL-C to exit after a few lines of output.
[host02]# ping 192.168.2.11
PING 192.168.2.11 (192.168.2.11) 56(84) bytes of data.
64 bytes from 192.168.2.11: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.2.11: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.2.11: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.2.11: icmp_seq=1 ttl=64 time=...
^C
...

b. From host02, use the netstat -r command to view the route table.
   Note that the route to 192.168.2.0 is through the bond0 interface.
[host02]# netstat -r
Kernel IP routing table
Destination  Gateway ...  Iface
Default      ...          eth0
192.0.2.0    ...          eth0
192.168.1.0  ...          eth1
192.168.2.0  ...          bond0

c. From host01, use the ping command to communicate to the bonded interface on
   host02.
   The IP address of the bonded interface on host02 is 192.168.2.12.
   Press CTRL-C to exit after a few lines of output.
[host01]# ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64 time=...
^C
...

d. From host01, use the netstat -r command to view the route table.
   Note that the route to 192.168.2.0 is through the bond0 interface.
   If the netstat command is not found, use the yum command to install the net-tools
   package. Answer y to Is this ok.
[host01]# netstat -r
-bash: netstat: command not found
[host01]# yum install net-tools
...
Is this ok [y/d/N]: y
...
Complete!
[host01]# netstat -r
Kernel IP routing table
Destination  ...  Iface
...
192.168.2.0  ...  bond0

2. View the contents of /sys/class/net/bond0/.
   Each network interface contains a directory in /sys/class/net.

a. From host01, use the cd command to change to the /sys/class/net directory.
   Use the ls command to display the contents of the directory.
   Note that bonding_masters is a regular file.
[host01]# cd /sys/class/net
[host01]# ls
bond0  bonding_masters  eth0  eth1  eth2  eth3  lo

b. Use the cat command to view the bonding_masters file.
[host01]# cat bonding_masters
bond0

c. Use the cd command to change to the bond0 directory.
   Use the ls command to display the contents of the directory.
[host01]# cd bond0
[host01]# ls
addr_assign_type  carrier  ifalias    netdev_group  slave_eth3
address           dev_id   ifindex    operstate     speed
addr_len          dormant  iflink     power         statistics
bonding           duplex   link_mode  queues        subsystem
broadcast         flags    mtu        slave_eth2    tx_queue_len

d. Use the cat command to view the operstate file.
[host01]# cat operstate
up

e. Use the cat command to view the address file.
[host01]# cat address
00:16:3e:00:03:01

f. Use the cat command to view the uevent file.
[host01]# cat uevent
INTERFACE=BOND0
IFINDEX=6

g. Use the cd command to change to the bonding directory.
   Use the ls command to display the contents of the directory.
[host01]# cd bonding
[host01]# ls
active_slave    all_slaves_active  miimon        primary_reselect
ad_actor_key    arp_interval       mii_status    queue_id
ad_aggregator   arp_ip_target      min_links     resend_igmp
ad_num_ports    arp_validate       mode          slaves
ad_partner_key  downdelay          num_grat_arp  updelay
ad_partner_mac  fail_over_mac      num_unsol_na  use_carrier
ad_select       lacp_rate          primary       xmit_hash_policy

h. Use the cat command to view the active_slave file.
[host01]# cat active_slave
eth2

i. Use the cat command to view the mode file.
[host01]# cat mode
active-backup 1

j. Use the cat command to view the slaves file.
[host01]# cat slaves
eth2 eth3

k. Use the cat command to view the miimon file.
   This specifies the MII link monitoring frequency in milliseconds.
[host01]# cat miimon
100

l. Use the cat command to view the mii_status file.
[host01]# cat mii_status
up

3. Change the MII monitoring frequency.

a. On host01, use the vi command to edit the /etc/sysconfig/network-scripts/ifcfg-bond0
   file.
   Change the BONDING_OPTS setting as follows to set miimon to 120.
[host01]# vi /etc/sysconfig/network-scripts/ifcfg-bond0
...
BONDING_OPTS=mode=active-backup              (old value)
BONDING_OPTS=mode=active-backup miimon=120   (new value)

b. Use the nmcli command to reload all connection files from disk.
   NetworkManager does not monitor changes to connection files by default.
   You need to use this command to tell NetworkManager to reread the connection
   profiles from disk whenever making a change.
[host01]# nmcli con reload

c. Use the nmcli command to bring down the bond0 connection.
   Stopping the master interface also stops the slave interfaces.
[host01]# nmcli con down bond0
Connection bond0 successfully deactivated (d-Bus active ...)

d. Use the nmcli command to bring up the bond-slave-eth2 connection.
[host01]# nmcli con up bond-slave-eth2
Connection successfully activated (d-Bus active ...)

e. Use the nmcli command to bring up the bond-slave-eth3 connection.
[host01]# nmcli con up bond-slave-eth3
Connection successfully activated (d-Bus active ...)

f. Use the nmcli command to bring up the bond0 connection.
[host01]# nmcli con up bond0
Connection successfully activated (d-Bus active ...)

g. Use the cat command to view the miimon file.
   Note the value is now 120, instead of 100.
[host01]# cat /sys/class/net/bond0/bonding/miimon
120
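The BONDING_OPTS edit in step 3a (and the option strings shown in Practice 10-1, step 5c, and Practice 10-2, step 3f) can be made and checked from a script rather than by hand in vi. The following shell script is an added example and is not part of the Oracle course material: it works on a constructed copy of the ifcfg-bond0 file from Practice 10-2, and the helper names (bonding_opts, bonding_opt, set_bonding_opt, describe_bond) are this example's own. On a real host you would point FILE at /etc/sysconfig/network-scripts/ifcfg-bond0 and follow the edit with the nmcli con reload, down and up sequence of steps 3b through 3f, exactly as above.

```shell
#!/bin/sh
# Added example (not from the Oracle course): read, change and summarize BONDING_OPTS
# in an ifcfg file. FILE is a constructed copy of the ifcfg-bond0 from Practice 10-2;
# on a real host use /etc/sysconfig/network-scripts/ifcfg-bond0 and follow with
# "nmcli con reload" and the down/up sequence of steps 3b to 3f.
FILE=$(mktemp)
cat >"$FILE" <<'EOF'
DEVICE=bond0
BONDING_OPTS=mode=active-backup
TYPE=Bond
BONDING_MASTER=yes
BOOTPROTO=none
IPADDR=192.168.2.11
PREFIX=24
NAME=bond0
ONBOOT=yes
EOF

# bonding_opts FILE -> the option string from the BONDING_OPTS line, quotes removed.
bonding_opts() {
    sed -n 's/^BONDING_OPTS=//p' "$1" | tr -d '"'
}

# bonding_opt FILE KEY -> value of KEY inside BONDING_OPTS, empty when KEY is unset.
bonding_opt() {
    bonding_opts "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# set_bonding_opt FILE KEY VALUE: replace KEY's value, or append KEY=VALUE, keeping
# every other option; nothing else in the file is touched. The value is written in
# double quotes because it contains spaces once more than one option is present.
set_bonding_opt() {
    file=$1; key=$2; value=$3
    rest=$(bonding_opts "$file" | tr ' ' '\n' | grep -v -e "^$key=" -e '^$' | tr '\n' ' ')
    new="${rest}${key}=${value}"
    if grep -q '^BONDING_OPTS=' "$file"; then
        sed "s|^BONDING_OPTS=.*|BONDING_OPTS=\"$new\"|" "$file" >"$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "BONDING_OPTS=\"$new\"" >>"$file"
    fi
}

# describe_bond FILE -> one line with the mode and the MII monitor interval.
# The bonding driver's own default is miimon=0, that is, no link monitoring at all.
# In Practice 10-2 the file left miimon unset and sysfs still showed 100: that value
# was supplied by NetworkManager when it activated the bond, not by the file, so a
# file that sets miimon explicitly no longer depends on that behaviour.
describe_bond() {
    mode=$(bonding_opt "$1" mode)
    miimon=$(bonding_opt "$1" miimon)
    echo "$(sed -n 's/^DEVICE=//p' "$1"): mode=${mode:-unset} miimon=${miimon:-unset}"
}

describe_bond "$FILE"                        # bond0: mode=active-backup miimon=unset
set_bonding_opt "$FILE" miimon 120           # the change made with vi in step 3a
set_bonding_opt "$FILE" mode active-backup   # re-setting a key keeps a single copy
describe_bond "$FILE"                        # bond0: mode=active-backup miimon=120
grep '^BONDING_OPTS=' "$FILE"                # BONDING_OPTS="miimon=120 mode=active-backup"
```

Because set_bonding_opt rewrites only the BONDING_OPTS line, the IPADDR, PREFIX and UUID lines NetworkManager wrote stay intact; the reload in step 3b is still required, since NetworkManager does not watch the file for changes.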
4. Test for slave failover.
   The active slave in Active backup mode is stored in the active_slave file.
   You can also determine the active slave by viewing the /proc/net/bonding/bond0
   file.

a. On host01, use the cat command to view the active_slave file, which is located in
   the /sys/class/net/bond0/bonding directory.
   The active slave in this example is eth2.
[host01]# cat /sys/class/net/bond0/bonding/active_slave
eth2

b. Use the cd command to change to the /proc/net/bonding directory.
   Use the ls command to view the contents of the directory.
[host01]# cd /proc/net/bonding
[host01]# ls
bond0

c. Use the cat command to view the contents of the bond0 file.
   Note that Currently Active Slave is eth2.
[host01]# cat bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 120
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth2
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:03:01
Slave queue ID: 0

Slave Interface: eth3
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:03:01
Slave queue ID: 0

d. Use the ip link command to bring down eth2.
[host01]# ip link set dev eth2 down

e. Use the ip link command to view the eth2 link.
   Note that the state is DOWN for eth2.
[host01]# ip link show eth2
4: eth2: <BROADCAST,MULTICAST,SLAVE> mtu 1500 ... state DOWN ...
...

f. Use the cat command to view the /var/log/messages file.
   Note the bonding messages; eth2 is disabled and eth3 is active.
[host01]# cat /var/log/messages
...
<date_time> host01 NetworkManager[9730]: <info> (eth2): link disconnected (deferring action for 4 seconds)
<date_time> host01 kernel: bonding: bond0: link status definitely down for interface eth2, disabling it
<date_time> host01 kernel: bonding: bond0: making interface eth3 the new active one.
<date_time> host01 NetworkManager[9730]: <info> (eth2): link disconnected (calling deferred action)

g. Use the cat command to view the contents of the bond0 file.
   Note that now the Currently Active Slave is eth3.
   Also note that eth2 is down.
[host01]# cat bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth3
MII Status: up
MII Polling Interval (ms): 120
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth2
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:03:01
Slave queue ID: 0
...

h. Use the cat command to view the /sys/class/net/bond0/bonding/active_slave file.
   This file also indicates that eth3 is the active slave.
[host01]# cat /sys/class/net/bond0/bonding/active_slave
eth3
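Steps 4c, 4f and 4g read the bonding driver's status by eye. The following shell script is an added example and is not part of the Oracle course material: it does the same reading with functions a monitoring check could call. It parses two constructed snapshots modelled on the /proc/net/bonding/bond0 output above (before and after eth2 is taken down) and constructed kernel log lines modelled on step 4f, and reports the active slave, any slave whose MII status is not up, and the failover event. The function names (bond_field, active_slave, slave_status, down_slaves, failover_detected, bonding_events) are this example's own; on a real host pass /proc/net/bonding/bond0 and /var/log/messages instead of the temporary files.

```shell
#!/bin/sh
# Added example (not from the Oracle course): parse the bonding driver's status file
# and its kernel log lines. BEFORE and AFTER are constructed snapshots modelled on the
# /proc/net/bonding/bond0 output in Practice 10-3, step 4; LOG holds constructed
# step 4f messages. On a real host pass /proc/net/bonding/bond0 and /var/log/messages.
BEFORE=$(mktemp); AFTER=$(mktemp); LOG=$(mktemp)
cat >"$BEFORE" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 120

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:03:01

Slave Interface: eth3
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:04:01
EOF
# The same bond after "ip link set dev eth2 down": the driver moved traffic to eth3
# (constructed: eth2's MII status and failure count change, the rest is identical).
sed -e 's/^Currently Active Slave: eth2/Currently Active Slave: eth3/' \
    -e '/^Slave Interface: eth2/,/^Permanent/ s/^MII Status: up/MII Status: down/' \
    -e '/^Slave Interface: eth2/,/^Permanent/ s/^Link Failure Count: 0/Link Failure Count: 1/' \
    "$BEFORE" >"$AFTER"
cat >"$LOG" <<'EOF'
<date_time> host01 NetworkManager[9730]: <info> (eth2): link disconnected (deferring action for 4 seconds)
<date_time> host01 kernel: bonding: bond0: link status definitely down for interface eth2, disabling it
<date_time> host01 kernel: bonding: bond0: making interface eth3 the new active one.
<date_time> host01 NetworkManager[9730]: <info> (eth2): link disconnected (calling deferred action)
EOF

# bond_field FILE LABEL -> value of the first "LABEL: value" line, i.e. the bond-level header.
bond_field() { sed -n "s/^$2: //p" "$1" | head -n 1; }

# active_slave FILE -> the slave currently carrying traffic.
active_slave() { bond_field "$1" "Currently Active Slave"; }

# slave_status FILE -> one "IFACE MII_STATUS FAILURES" line per "Slave Interface" block.
# The bond-level "MII Status" line comes before any slave block, so it is skipped.
slave_status() {
    awk -F': ' '
        $1 == "Slave Interface"                   { iface = $2 }
        iface != "" && $1 == "MII Status"         { mii = $2 }
        iface != "" && $1 == "Link Failure Count" { print iface, mii, $2; iface = "" }
    ' "$1"
}

# down_slaves FILE -> slaves whose MII status is anything other than "up".
down_slaves() { slave_status "$1" | awk '$2 != "up" { print $1 }'; }

# failover_detected BEFORE AFTER -> reports whether the active slave changed between
# two snapshots (exit 0 when it did, 1 when it did not).
failover_detected() {
    a=$(active_slave "$1"); b=$(active_slave "$2")
    if [ "$a" != "$b" ]; then
        echo "active slave changed: $a -> $b"; return 0
    fi
    echo "active slave unchanged: $a"; return 1
}

# bonding_events LOG BOND -> the driver's failover messages for BOND, one "down IFACE"
# or "active IFACE" line each, in log order.
bonding_events() {
    sed -n -e "s/.*kernel: bonding: $2: link status definitely down for interface \([a-z0-9]*\),.*/down \1/p" \
           -e "s/.*kernel: bonding: $2: making interface \([a-z0-9]*\) the new active one.*/active \1/p" "$1"
}

echo "before: active=$(active_slave "$BEFORE") down=[$(down_slaves "$BEFORE" | tr '\n' ' ')]"
echo "after:  active=$(active_slave "$AFTER") down=[$(down_slaves "$AFTER" | tr '\n' ' ')]"
failover_detected "$BEFORE" "$AFTER"    # active slave changed: eth2 -> eth3
bonding_events "$LOG" bond0             # down eth2 / active eth3
```

Run periodically against the live /proc file, down_slaves gives the condition an alert should fire on (a bond still up but with a dead member has lost its redundancy), while bonding_events turns the kernel's free-text messages into the same two facts for log-based detection.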

5. Remove bond and slave connections on host02.
   Begin by using the Network Settings GUI.
   Complete removal of the connections by using the command line.

a. On host02, click the network icon from the GNOME desktop notification area.
   The drop-down menu includes Ethernet interfaces, the Bond (bond0) interface,
   and the Network Settings option.

b. Click the Network Settings option from the menu.
   The Network Settings Editor appears.

c. Select the Bond (bond0) interface and click the - button to remove the connection.
   The window is shown as follows after clicking the - button.

d. Click the X in the top-right corner to close the window.

e. Use the ls command to view the contents of the /sys/class/net directory.
   Note that the bond0 directory no longer exists.
[host02]# ls /sys/class/net
bonding_masters  eth0  eth1  eth2  eth3  lo
f. Use the cat command to view the /sys/class/net/bonding_masters file.
   Note that the file is empty.
[host02]# cat /sys/class/net/bonding_masters

g. Use the ls command to view the contents of the /proc/net/bonding directory.
   Note that the directory is empty.
[host02]# ls /proc/net/bonding

h. Use the nmcli con command to view the network connections.
   Note that the bond connection no longer exists.
   Note that the slave connections still exist but are no longer associated with a
   device.
[host02]# nmcli con
NAME           UUID  TYPE            DEVICE
eth1           ...   802-3-ethernet  eth1
eth2           ...   802-3-ethernet  --
eth3           ...   802-3-ethernet  --
bond0 slave 1  ...   802-3-ethernet  --
bond0 slave 2  ...   802-3-ethernet  --
eth0           ...   802-3-ethernet  eth0

i. Use the ip link command to view the links.
   Note that the bond0 entry no longer exists.
   Note that the eth2 and eth3 entries no longer include SLAVE or master bond0 in
   their description.
   Note that the eth2 and eth3 entries have their original MAC addresses.
[host02]# ip link
...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
link/ether 00:16:3e:00:04:02 brd ff:ff:ff:ff:ff:ff

j. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.
   Note that the network configuration file for the bonded interface no longer exists.
   Note that the network configuration files for the slaves still exist.
[host02]# ls /etc/sysconfig/network-scripts
ifcfg-bond0_slave_1 ...
ifcfg-bond0_slave_2 ...
ifcfg-eth0 ...
ifcfg-eth1 ...
...

k. Use the nmcli con delete command to delete the slave connections.
   The connection names contain spaces, so quote them on the command line.
[host02]# nmcli con delete "bond0 slave 1"
[host02]# nmcli con delete "bond0 slave 2"

l. Use the nmcli con command to view the network connections.
   Note that the slave connections no longer exist.
[host02]# nmcli con
NAME  UUID  TYPE            DEVICE
eth1  ...   802-3-ethernet  eth1
eth2  ...   802-3-ethernet  --
eth3  ...   802-3-ethernet  --
eth0  ...   802-3-ethernet  eth0

m. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.
6.

Note that the network configuration files for the slaves no longer exist.
[host02]# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
Remove bond and slave connections on host01.
nim Stu
u
Use the command line to remove the connections.
@ this
o
s
r
a. On host01, use the nmcli con command
to
o
seview the network connections.
c
u

[host01]# nmcli con an


to
u
e
j
( UUIDns TYPE
NAME
DEVICE
s
e
a
i
c
r
i
l
eth1
802-3-ethernet
-a le ...
o
b
s
r
eth2o
...
802-3-ethernet
-c sfera
n
eth3
...
802-3-ethernet
-n
a
juabond-slave-eth3
r
...
802-3-ethernet
eth3
-t
n
o
802-3-ethernet
eth2
n bond-slave-eth2 ...
bond0
eth0
b.

...
...

bond
802-3-ethernet

bond0
eth0

Use the nmcli con delete command to delete the bond and the slave connections.
[host01]# nmcli con delete bond0
[host01]# nmcli con delete bond-slave-eth2
[host01]# nmcli con delete bond-slave-eth3

c. Use the nmcli con command to view the network connections.

Note that the bond and slave connections no longer exist.

[host01]# nmcli con
NAME  UUID  TYPE            DEVICE
eth1  ...   802-3-ethernet  eth1
eth2  ...   802-3-ethernet  --
eth3  ...   802-3-ethernet  --
eth0  ...   802-3-ethernet  eth0

d. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that the network configuration files for the bond and slaves no longer exist.
[host01]# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
ifcfg-eth2 ...
ifcfg-eth3 ...
...

e.

Use the ip link command to view the links.

Note that the bond0 entry no longer exists.


[host01]# ip link
...

f. Use the ls command to view the contents of the /sys/class/net directory.

Note that the bond0 directory no longer exists.

[host01]# ls /sys/class/net
bonding_masters eth0 eth1 eth2 eth3 lo

g. Use the cat command to view the /sys/class/net/bonding_masters file.

Note that the file is empty.

[host01]# cat /sys/class/net/bonding_masters

h. Use the ls command to view the contents of the /proc/net/bonding directory.

Note that the directory is empty.

[host01]# ls /proc/net/bonding


Practice 10-4: Configuring 802.1Q VLAN Tagging by Using the GUI


Overview


In this practice, you:

Ensure that the VLAN (8021q) kernel module is loaded on host02

Use the Network Settings Editor to configure VLAN tagging on host02


Review network configuration on host02

Assumptions

You are the root user on host02.

Tasks
1. On host02, load the VLAN (8021q) kernel module if necessary.

a. Use the lsmod command to view the loaded kernel modules.

Pipe the output to grep and search for 8021q.

In this example, the kernel module is not loaded.

# lsmod | grep 8021q

b. If the kernel module is not loaded, use the modprobe command to load the 8021q kernel module.

Use the lsmod command to ensure 8021q is loaded.

# modprobe 8021q
# lsmod | grep 8021q
8021q                  20082  0
...

2. Use the Network Settings Editor to configure VLAN tagging.

a. Click the network icon from the GNOME desktop notification area.
The drop-down menu includes four Ethernet interfaces and the Network Settings option.

b. Click the Network Settings option from the drop-down menu.

The Network Settings Editor appears.

c. Click the + button to add a new connection type.

The Add Network Connection window appears.

d. Click VLAN to add a VLAN connection.

The following window appears.

The default Connection name is VLAN connection 1.

e. Update the screen as follows.

Change Connection name: to vlan-eth0.100.

Click the Parent interface: down arrow and select eth0 (00:16:3E:00:01:02).

Change VLAN id: to 100.

Change VLAN interface name: to eth0.100.

The window appears as follows.

f. Click the IPv4 Settings tab to assign an IPv4 address to the VLAN interface.

Change the Method to Manual.

Click Add to add the following Address information:

Address: 192.168.100.2

Netmask: 24

Gateway: <empty>

The window appears as follows.

g. Click Save to complete configuring VLAN tagging.

The VLAN (eth0.100) interface now appears in the Network Settings window.

h. Select the VLAN (eth0.100) entry to display the following window.

Note that the Addresses are shown.

i. Click the X in the top-right corner to close the window.

3. View the network interfaces on host02.

a. Use the ip addr command to view the protocol addresses for the network devices.

Note that the eth0.100 device exists.

Note that the eth0.100 MAC address is the same as the eth0 MAC address.

Note that the 192.168.100.2/24 IPv4 address is assigned to the eth0.100 device.

# ip addr
...
2: eth0: ...
link/ether 00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.102/24 brd 192.0.2.255 scope global eth0
...
7: eth0.100@eth0: ...
link/ether 00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.2/24 brd 192.168.100.255 scope ... eth0.100
...

b. Use the nmcli dev command to view the network devices.

Note that the eth0.100 device is associated with the vlan-eth0.100 connection.
# nmcli dev
NAME      TYPE      STATE      CONNECTION
eth0      ethernet  connected  eth0
eth1      ethernet  connected  eth1
eth0.100  vlan      connected  vlan-eth0.100
...

c. Use the nmcli con command to view the network connections.

Note that the vlan-eth0.100 connection is listed.

# nmcli con
NAME           UUID  TYPE            DEVICE
vlan-eth0.100  ...   vlan            eth0.100
eth0           ...   802-3-ethernet  eth0
eth1           ...   802-3-ethernet  eth1
d. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that there is a network configuration file for the VLAN interface, ifcfg-vlan-eth0.100.

# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
...
ifcfg-lo ...
ifcfg-vlan-eth0.100 ...
...

e. Use the cat command to view the contents of the ifcfg-vlan-eth0.100 file.

Note that the DEVICE setting is eth0.100.

Note that the PHYSDEV setting is eth0.
# cat /etc/sysconfig/network-scripts/ifcfg-vlan-eth0.100
VLAN=yes
TYPE=Vlan
DEVICE=eth0.100
PHYSDEV=eth0
VLAN_ID=100
REORDER_HDR=0
BOOTPROTO=none
IPADDR=192.168.100.2
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes

IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=vlan-eth0.100
UUID=...
ONBOOT=yes

Practice 10-5: Configuring 802.1Q VLAN Tagging from the Command Line

Overview
In this practice, you:

Ensure that the VLAN (8021q) kernel module is loaded on host01

Create an 802.1Q VLAN interface on host01

Assumptions

You are the root user on host01.

Tasks
1. On host01, load the VLAN (8021q) kernel module if necessary.

a. Use the lsmod command to view the loaded kernel modules.

Pipe the output to grep and search for 8021q.

In this example, the kernel module is not loaded.

# lsmod | grep 8021q

b. If the kernel module is not loaded, use the modprobe command to load the 8021q kernel module.

Use the lsmod command to ensure 8021q is loaded.

# modprobe 8021q
# lsmod | grep 8021q
8021q                  20082  0
...

2. On host01, create an 802.1Q VLAN interface and view the results.

a. Use the nmcli con add command to create the VLAN interface.

Use the type vlan argument to specify an 802.1q tagged virtual LAN interface.

Use the con-name vlan-eth0.100 argument to specify the name of the new VLAN connection.

Use the ifname eth0.100 argument to specify the interface to bind the connection to.

Use the dev eth0 argument to specify the parent device this VLAN is on.

Use the id 100 argument to specify the VLAN ID.

Use the ip4 192.168.100.1/24 argument to specify the IPv4 address to assign to the interface.
# nmcli con add type vlan con-name vlan-eth0.100 ifname eth0.100 dev eth0 id 100 ip4 192.168.100.1/24
Connection vlan-eth0.100 (<UUID>) successfully added.

b. Use the ip addr command to view the protocol addresses for the network devices.

Note that the eth0.100 device exists.

Note that the eth0.100 MAC address is the same as the eth0 MAC address.

Note that the 192.168.100.1/24 IPv4 address is assigned to the eth0.100 device.
# ip addr
...
2: eth0: ...
link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
...
8: eth0.100@eth0: ...
link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope ... eth0.100
...
c. Use the nmcli dev command to view the network devices.

Note that the eth0.100 device is associated with the vlan-eth0.100 connection.

# nmcli dev
NAME      TYPE      STATE      CONNECTION
eth0      ethernet  connected  eth0
eth0.100  vlan      connected  vlan-eth0.100
...

d. Use the nmcli con command to view the network connections.

Note that the vlan-eth0.100 connection is listed.

# nmcli con
NAME           UUID  TYPE            DEVICE
vlan-eth0.100  ...   vlan            eth0.100
eth0           ...   802-3-ethernet  eth0
...

e. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that there is a network configuration file for the VLAN interface, ifcfg-vlan-eth0.100.

# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
...
ifcfg-vlan-eth0.100 ...
...
f. Use the cat command to view the contents of the ifcfg-vlan-eth0.100 file.

Note that the DEVICE setting is eth0.100.

Note that the PHYSDEV setting is eth0.

# cat /etc/sysconfig/network-scripts/ifcfg-vlan-eth0.100
VLAN=yes
TYPE=Vlan
DEVICE=eth0.100
PHYSDEV=eth0
VLAN_ID=100
REORDER_HDR=0
BOOTPROTO=none
IPADDR=192.168.100.1
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=vlan-eth0.100
UUID=...
ONBOOT=yes


Practice 10-6: Working with VLAN Interfaces


Overview
In this practice, you:
Test connectivity between the VLAN interfaces on host01 and host02

Use tcpdump to view tagged and untagged packets

Explore the contents of the /sys/class/net/eth0.100 directory

Explore the contents of the /proc/net/vlan directory

Remove the VLAN interfaces on host01 and host02

Assumptions

You are the root user on host01.

You are the root user on host02.

Tasks
1. Test connectivity between the VLAN interfaces on host01 and host02.

a. From host02, use the ping command to communicate to the VLAN interface on host01.

The IP address of the VLAN interface on host01 is 192.168.100.1.

Press CTRL-C to exit after a few lines of output.

[host02]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
^C
...

b. From host02, use the netstat -r command to view the route table.

Note that the route to 192.168.100.0 is through the eth0.100 interface.

[host02]# netstat -r
Kernel IP routing table
Destination    ... Iface
Default        ... eth0
192.0.2.0      ... eth0
192.168.1.0    ... eth1
192.168.100.0  ... eth0.100

c. From host01, use the ping command to communicate to the VLAN interface on host02.

The IP address of the VLAN interface on host02 is 192.168.100.2.

Press CTRL-C to exit after a few lines of output.


[host01]# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
^C
...
d. From host01, use the netstat -r command to view the route table.

Note that the route to 192.168.100.0 is through the eth0.100 interface.


[host01]# netstat -r
Kernel IP routing table
Destination
... Iface
...
192.168.100.0 ... eth0.100

2. Use tcpdump to view tagged and untagged packets.

You first observe traffic on the VLAN interface, eth0.100, where you do not see VLAN tags.

You next observe traffic on the parent interface, eth0, where you do see VLAN tags.

a. On host02, open a second terminal window.

b. Use the su command to become the root user in this second terminal.

The root password is oracle.

[host02]$ su
Password: oracle
[host02]#

c. In this second terminal window, enter the following tcpdump command.

Use the -e option to view the Ethernet header, which includes the 802.1Q tags.

Use the -i eth0.100 option to sniff on the VLAN interface.

[host02]# tcpdump -e -i eth0.100
tcpdump: verbose output suppressed, use -v or -vv for full ...
listening on eth0.100, link-type EN10MB (Ethernet), capture ...

d. On host02, in the first terminal window, use the ping command to communicate to the VLAN interface on host01.

The IP address of the VLAN interface on host01 is 192.168.100.1.

Press CTRL-C to exit after a few lines of output.


[host02]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
^C

...
e. In the second terminal window on host02, view the output of the tcpdump command.

Note that you see normal traffic without VLAN tags.

... 00:16:3e:00:01:02 (oui Unknown) > Broadcast, ethertype ARP
(0x0806), length 42: Request who-has 192.168.100.1 tell
192.168.100.2, length 28
... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype ARP (0x0806), length 42: Reply 192.168.100.1
is at 00:16:3e:00:01:01 (oui Unknown), length 28
... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype IPv4 (0x0800), length 98: 192.168.100.1 >
192.168.100.2: ICMP echo reply, id 15342, seq 1, length 64
...

f. In the second terminal window on host02, press CTRL-C to exit the tcpdump command.

... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype IPv4 (0x0800), length 98: 192.168.100.1 >
192.168.100.2: ICMP echo reply, id 15342, seq 1, length 64
...
^C
... packets captured
... packets received by filter
... packets dropped by kernel

g. In the second terminal window on host02, enter the following tcpdump command.

Use the -e option to view the Ethernet header, which includes the 802.1Q tags.

Use the -i eth0 option to sniff on the physical interface.

Optionally, use the clear command to clear the screen before running tcpdump.

[host02]# clear
[host02]# tcpdump -e -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full ...
listening on eth0, link-type EN10MB (Ethernet), capture size ...

h. On host02, in the first terminal window, use the ping command to communicate to the VLAN interface on host01.

The IP address of the VLAN interface on host01 is 192.168.100.1.


Press CTRL-C to exit after a few lines of output.

[host02]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
^C
...

i. In the second terminal window on host02, view the output of the tcpdump command.

Note that you see the tagged 802.1Q packets (vlan 100 is in bold font in the sample output).
... 00:16:3e:00:01:02 (oui Unknown) > Broadcast, ethertype
802.1Q (0x8100), length 46: vlan 100, p 0, ethertype ARP,
Request who-has 192.168.100.1 tell 192.168.100.2, length 28
... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype 802.1Q (0x8100), length 46: vlan 100, p 0,
ethertype ARP, Reply 192.168.100.1 is at 00:16:3e:00:01:01 (oui
Unknown), length 28
...

j. In the second terminal window on host02, press CTRL-C to exit the tcpdump command.

... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype 802.1Q (0x8100), length 46: vlan 100, p 0,
ethertype ARP, Reply 192.168.100.1 is at 00:16:3e:00:01:01 (oui
Unknown), length 28
...
^C
... packets captured
... packets received by filter
... packets dropped by kernel

k. Click the X in the upper-right corner of the second terminal window to close the window.
Click Close Terminal if prompted.
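To turn the difference between the two captures into something that can be checked rather than read by eye, here is an added Python example (not part of the course material) that parses tcpdump -e lines of the form shown in this task, counts frames per VLAN ID and flags any tag that is not in an expected set, which is how a defender would notice a stray VLAN on a parent interface. The sample capture lines and the expected VLAN set {100} are constructed for this example, modelled on the output above.

```python
"""Classify tcpdump -e lines into untagged and 802.1Q-tagged frames.

Added example (not Oracle course code): parses the lines tcpdump -e prints
and reports frames per VLAN ID, flagging IDs outside an expected set.
"""
import re
from collections import Counter

# One frame per line, as printed by "tcpdump -e": optional timestamp, source
# and destination MAC (each optionally followed by "(oui ...)"), ethertype
# with its hex code, frame length, then the protocol-specific remainder.
_HDR = re.compile(
    r"^(?:\S+\s+)?"
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|Broadcast)(?: \(oui [^)]*\))?"
    r" > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|Broadcast)(?: \(oui [^)]*\))?"
    r", ethertype (?P<etype>[^(]+?) \((?P<code>0x[0-9a-fA-F]{4})\)"
    r", length (?P<length>\d+): (?P<rest>.*)$"
)
# Inside an 802.1Q frame tcpdump prints the VID, the priority (p) and the
# ethertype of the encapsulated protocol.
_TAG = re.compile(r"^vlan (?P<vid>\d+), p (?P<prio>\d+), ethertype (?P<inner>\w+)")


def parse_frame(line):
    """Return a dict for one tcpdump -e frame line, or None for non-frame lines."""
    m = _HDR.match(line.strip())
    if m is None:
        return None  # e.g. "N packets captured" summary lines
    frame = {
        "src": m["src"],
        "dst": m["dst"],
        "length": int(m["length"]),
        "ethertype": m["etype"].strip(),
        "vlan": None,   # None means the frame carried no 802.1Q tag
        "prio": None,
    }
    if m["code"].lower() == "0x8100":
        t = _TAG.match(m["rest"])
        if t is None:
            return None  # tagged frame we cannot decode: do not guess
        frame["vlan"] = int(t["vid"])
        frame["prio"] = int(t["prio"])
        frame["ethertype"] = t["inner"]  # protocol carried inside the tag
    return frame


def vlan_report(lines, expected_vlans, untagged_ok=True):
    """Count frames per VLAN ID (None = untagged) and list policy violations.

    A violation is a tag outside expected_vlans, or an untagged frame when
    untagged_ok is False (a link that should carry only tagged traffic).
    """
    counts = Counter()
    violations = []
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        counts[f["vlan"]] += 1
        if f["vlan"] is None:
            if not untagged_ok:
                violations.append(("untagged", f["src"], f["dst"]))
        elif f["vlan"] not in expected_vlans:
            violations.append((f["vlan"], f["src"], f["dst"]))
    return counts, violations


# Constructed sample capture on the parent interface eth0, modelled on the
# output in this practice: two frames tagged with VLAN 100, one untagged
# frame on the base network, and one frame tagged with an unexpected VLAN.
SAMPLE_ETH0 = [
    "10:01:02.000001 00:16:3e:00:01:02 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), "
    "length 46: vlan 100, p 0, ethertype ARP, Request who-has 192.168.100.1 tell 192.168.100.2, length 28",
    "10:01:02.000002 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui Unknown), ethertype 802.1Q "
    "(0x8100), length 46: vlan 100, p 0, ethertype ARP, Reply 192.168.100.1 is-at 00:16:3e:00:01:01, length 28",
    "10:01:02.000003 00:16:3e:00:01:02 (oui Unknown) > 00:16:3e:00:01:01 (oui Unknown), ethertype IPv4 "
    "(0x0800), length 98: 192.0.2.102 > 192.0.2.101: ICMP echo request, id 1, seq 1, length 64",
    "10:01:02.000004 00:16:3e:00:01:09 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), "
    "length 46: vlan 200, p 0, ethertype ARP, Request who-has 192.168.200.1 tell 192.168.200.9, length 28",
    "4 packets captured",
]

if __name__ == "__main__":
    counts, violations = vlan_report(SAMPLE_ETH0, expected_vlans={100})
    for vid, n in sorted(counts.items(), key=lambda kv: (kv[0] is None, kv[0] or 0)):
        print(f"{'untagged' if vid is None else 'vlan ' + str(vid)}: {n} frame(s)")
    for v in violations:
        print("unexpected:", v)
```

Run it against a real capture by feeding the lines of tcpdump -e -i eth0 to vlan_report instead of SAMPLE_ETH0.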
3. View the contents of /sys/class/net/eth0.100/.

a. Each network interface contains a directory in /sys/class/net.

From host01, use the cd command to change to the /sys/class/net directory.

Use the ls command to display the contents of the directory.

Note that eth0.100 is a directory.


[host01]# cd /sys/class/net
[host01]# ls
bonding_masters eth0 eth0.100 eth1 eth2 eth3 lo

b. Use the cd command to change to the eth0.100 directory.

Use the ls command to display the contents of the directory.


[host01]# cd eth0.100
[host01]# ls
addr_assign_type  carrier  flags    link_mode     power       ...
address           dev_id   ifalias  mtu           queues      ...
addr_len          dormant  ifindex  netdev_group  speed       ...
broadcast         duplex   iflink   operstate     statistics  ...

c. Use the cat command to view the operstate file.


[host01]# cat operstate
up

d. Use the cat command to view the address file.


[host01]# cat address
00:16:3e:00:01:01

e. Use the cat command to view the uevent file.

Sample output is shown. The IFINDEX value might be different.

[host01]# cat uevent
DEVTYPE=vlan
INTERFACE=eth0.100
IFINDEX=8

4. View the /proc/net/vlan directory.

a. From host01, use the cd command to change to the /proc/net/vlan directory.

Use the ls command to view the contents of the directory.

[host01]# cd /proc/net/vlan
[host01]# ls
config  eth0.100
b. Use the cat command to view the config file.

[host01]# cat config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.100         | 100  | eth0
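As an added example that is not part of the course material, the following Python script parses the ifcfg-vlan-eth0.100 format from Practice 10-5 and the /proc/net/vlan/config format shown in this step, and reports where the on-disk definition and the kernel's view of the VLAN disagree (a VLAN that is missing from the kernel, or that carries a different ID or parent than configured, puts traffic on a segment other than the one intended). The file contents below are constructed from the values in these practices.

```python
"""Cross-check a VLAN ifcfg file against the kernel's /proc/net/vlan/config.

Added example (not Oracle course code). A VLAN defined on disk but absent
from the kernel, or tagged with a different ID or parent than configured,
puts traffic on a segment other than the one the administrator intended.
"""
import re


def parse_ifcfg(text):
    """Parse KEY=value lines in ifcfg syntax; blank and comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def check_vlan_ifcfg(settings):
    """Return problems with the VLAN-specific settings; an empty list means consistent."""
    problems = []
    if settings.get("VLAN", "").lower() != "yes":
        problems.append("VLAN=yes is required for a VLAN interface")
    if settings.get("TYPE", "").lower() != "vlan":
        problems.append("TYPE should be Vlan")
    if not all(k in settings for k in ("DEVICE", "PHYSDEV", "VLAN_ID")):
        problems.append("DEVICE, PHYSDEV and VLAN_ID must all be set")
        return problems
    vid = settings["VLAN_ID"]
    if not vid.isdigit() or not 1 <= int(vid) <= 4094:
        problems.append(f"VLAN_ID {vid!r} is outside the valid range 1-4094")
    return problems


# Data rows of /proc/net/vlan/config: "<dev> | <vid> | <parent>"; the two
# header lines (column titles and Name-Type) do not match this pattern.
_CONFIG_ROW = re.compile(r"^(?P<dev>\S+)\s*\|\s*(?P<vid>\d+)\s*\|\s*(?P<parent>\S+)$")


def parse_proc_vlan_config(text):
    """Return {vlan_device: (vlan_id, parent_device)} from /proc/net/vlan/config text."""
    table = {}
    for line in text.splitlines():
        m = _CONFIG_ROW.match(line.strip())
        if m:
            table[m["dev"]] = (int(m["vid"]), m["parent"])
    return table


def compare(settings, kernel_table):
    """List differences between the ifcfg definition and the kernel's view of the VLAN."""
    problems = check_vlan_ifcfg(settings)
    dev = settings.get("DEVICE")
    if dev not in kernel_table:
        problems.append(f"{dev} is defined in ifcfg but the kernel has no such VLAN device")
        return problems
    vid, parent = kernel_table[dev]
    if str(vid) != settings.get("VLAN_ID"):
        problems.append(f"{dev}: ifcfg VLAN_ID={settings.get('VLAN_ID')} but kernel VID is {vid}")
    if parent != settings.get("PHYSDEV"):
        problems.append(f"{dev}: ifcfg PHYSDEV={settings.get('PHYSDEV')} but kernel parent is {parent}")
    return problems


# Constructed inputs modelled on the files shown in Practices 10-5 and 10-6.
IFCFG_VLAN = """\
VLAN=yes
TYPE=Vlan
DEVICE=eth0.100
PHYSDEV=eth0
VLAN_ID=100
REORDER_HDR=0
BOOTPROTO=none
IPADDR=192.168.100.1
PREFIX=24
NAME=vlan-eth0.100
ONBOOT=yes
"""
PROC_VLAN_CONFIG = """\
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.100         | 100  | eth0
"""
# Same device name, but the kernel has it on VLAN 200 of eth1: both fields drift.
PROC_VLAN_DRIFT = """\
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.100         | 200  | eth1
"""

if __name__ == "__main__":
    cfg = parse_ifcfg(IFCFG_VLAN)
    print("consistent:", compare(cfg, parse_proc_vlan_config(PROC_VLAN_CONFIG)))
    print("drifted:", compare(cfg, parse_proc_vlan_config(PROC_VLAN_DRIFT)))
```

On a live host, read /etc/sysconfig/network-scripts/ifcfg-vlan-eth0.100 and /proc/net/vlan/config into the two parsers instead of the constructed strings.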
c. Use the cat command to view the eth0.100 file.

Sample output is shown.

Egress traffic begins inside of a network and proceeds through its routers to a destination somewhere outside of the network.

Ingress traffic originates from outside of the network's routers and proceeds toward a destination inside of the network.
[host01]# cat eth0.100
eth0.100  VID: 100         REORDER_HDR: 1  dev->priv_flags: 1
           total frames received           11
            total bytes received          700
        Broadcast/Multicast Rcvd            0

       total frames transmitted           19
        total bytes transmitted         1382
Device: eth0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0 ...
 EGRESS priority mappings:

5. Remove VLAN interface on host01.

a. Use the nmcli con command to view the network connections.

[host01]# nmcli con
NAME           UUID  TYPE            DEVICE
eth0           ...   802-3-ethernet  eth0
...
vlan-eth0.100  ...   vlan            eth0.100

b. Use the nmcli con delete command to delete the vlan-eth0.100 connection.

[host01]# nmcli con delete vlan-eth0.100

c. Use the nmcli con command to view the network connections.

Note that the VLAN connection no longer exists.

[host01]# nmcli con
NAME  UUID  TYPE            DEVICE
eth0  ...   802-3-ethernet  eth0
...

d. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that the network configuration file for the VLAN interface no longer exists.
[host01]# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
...

e. Use the ip link command to view the links.

Note that the eth0.100 device no longer exists.


[host01]# ip link
...


f. Use the ls command to view the contents of the /sys/class/net directory.

Note that the eth0.100 directory no longer exists.

[host01]# ls /sys/class/net
bonding_masters eth0 eth1 eth2 eth3 lo

g. Use the ls command to view the contents of the /proc/net/vlan directory.

Note that the eth0.100 file no longer exists.


[host01]# ls /proc/net/vlan
config

h. Use the cat command to view the config file.

Note that the file only contains header information.


[host01]# cat /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD

6. Remove VLAN interface on host02.

On host02, use Network Settings Editor to view the VLAN interface details.

a. Click the network icon from the GNOME desktop notification area.

The drop-down menu includes the Network Settings option.

b. Click the Network Settings option from the menu.

The Network Settings Editor appears, which includes the VLAN (eth0.100) interface.

c. Click the VLAN (eth0.100) entry.

d. Click the - button to remove the VLAN interface.

The window appears as follows.

e. Click the X in the top-right corner to close the window.

f. Use the nmcli con command to view the network connections.

Note that the VLAN connection no longer exists.

[host02]# nmcli con
NAME  UUID  TYPE            DEVICE
eth0  ...   802-3-ethernet  eth0
...

g. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that the network configuration file for the VLAN interface no longer exists.
[host02]# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
...

h. Use the ip link command to view the links.

Note that the eth0.100 device no longer exists.


[host02]# ip link
...

i.

Use the ls command to view the contents of the /sys/class/net directory.

Note that the eth0.100 directory no longer exists.


[host02]# ls /sys/class/net
bonding_masters eth0 eth1 eth2 eth3 lo


j. Use the ls command to view the contents of the /proc/net/vlan directory.

Note that the eth0.100 file no longer exists.

[host02]# ls /proc/net/vlan
config

k. Use the cat command to view the config file.

Note that the file only contains header information.


[host02]# cat /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD

7. In preparation for the next practice, power off host01, host02, and host03.
a. From host01, use the systemctl command to power off host01.
[host01]# systemctl poweroff

b. From host02, use the systemctl command to power off host02.
[host02]# systemctl poweroff

c. From dom0, use the xm shutdown -w command to power off host03.

[dom0]# xm shutdown -w host03

If the xm shutdown command takes more than a few seconds, use the xm destroy command to power off host03.
[dom0]# xm destroy host03

d. From dom0, use the xm list command.

Note that host01, host02, and host03 are no longer active.

[dom0]# xm list
Name      ID  Mem   VCPUs  State   Time(s)
Domain-0  0   2048  2      r-----  ...


Practice 10-7: Configuring a Site-to-Site VPN


Overview
In this practice, you:
Explore and start the vpn-host1 and vpn-host2 virtual machines
Generate RSA authentication keys for vpn-host1 and vpn-host2

Update the /etc/ipsec.conf file for vpn-host1 and vpn-host2

Stop the firewalld service on vpn-host1 and vpn-host2

Start the ipsec service on vpn-host1 and vpn-host2

Verify connectivity between vpn-host1 and vpn-host2


Shut down the vpn-host1 and vpn-host2 virtual machines
Start the host01, host02, and host03 virtual machines

Assumptions

You are the root user on dom0.

The host01, host02, and host03 virtual machines are shut down.

The vpn-host1 and vpn-host2 virtual machines exist on your system.

The following describes the vpn* virtual machines network configuration.

You create a VPN tunnel from vpn-host1 to vpn-host2.

Tasks
1. Explore and start the vpn-host1 virtual machine configuration file.

a. From dom0, use the cd command to change to the /OVS/running_pool/vpn-host1 directory.
[dom0]# cd /OVS/running_pool/vpn-host1
b. Use the cat command to view the vm.cfg file for vpn-host1.

Note that there are three virtual network interfaces:

The interface on the virbr0 bridge is eth0 with IP address 192.0.2.111. This interface provides access to the Yum repository on dom0.
The interface on the virbr1 bridge is eth1 with IP address 192.168.1.101.

The interface on the virbr2 bridge is eth2 with IP address 192.168.2.101.

[dom0]# cat vm.cfg
name = vpn-host1
builder = hvm
memory = 1536
boot = cd
disk = [ file:/OVS/running_pool/vpn-host1/system.img,hda,w,
file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64dvd.iso,hdc:cdrom,r]
vif = [ mac=00:16:3e:00:01:01, bridge=virbr0,
mac=00:16:3e:00:02:01, bridge=virbr1,
mac=00:16:3e:00:03:01, bridge=virbr2]
device_model = /usr/lib/xen/bin/qemu-dm
kernel = /usr/lib/xen/boot/hvmloader
vnc = 1
vncunused=1
vcpus = 1
timer_mode = 0
apic = 1
acpi = 1
pae = 1
serial = pty
on_reboot = restart
on_crash = restart
usb = 1
usbdevice = 'tablet'

c. Use the xm create command to start the vpn-host1 virtual machine.
[dom0]# xm create vm.cfg
2. Explore and start the vpn-host2 virtual machine configuration file.

a. From dom0, use the cd command to change to the /OVS/running_pool/vpn-host2 directory.
[dom0]# cd /OVS/running_pool/vpn-host2
b.

Use the cat command to view the vm.cfg file for vpn-host2.

Note that there are three virtual network interfaces:


The interface on the virbr0 bridge is eth0 with IP address 192.0.2.112. This
interface provides access to the Yum repository on dom0.
The interface on the virbr1 bridge is eth1 with IP address 192.168.1.102.
The interface on the virbr3 bridge is eth2 with IP address 192.168.3.102.
Note that eth2 on vpn-host2 is on a different bridge and different subnet than
eth2 on vpn-host1.
[dom0]# cat vm.cfg
name = vpn-host2
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 59

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

builder = hvm
memory = 1536
boot = cd
disk = [ file:/OVS/running_pool/vpn-host2/system.img,hda,w,
file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64dvd.iso,hdc:cdrom,r]
vif = [ mac=00:16:3e:00:01:02, bridge=virbr0,
mac=00:16:3e:00:02:02, bridge=virbr1,
mac=00:16:3e:00:04:02, bridge=virbr3]
device_model = /usr/lib/xen/bin/qemu-dm
kernel = /usr/lib/xen/boot/hvmloader
vnc = 1
vncunused=1
vcpus = 1
timer_mode = 0
apic = 1
acpi = 1
pae = 1
serial = pty
on_reboot = restart
on_crash = restart
usb = 1
usbdevice = 'tablet'

3. Log in to vpn-host1 by using vncviewer.
   a. From dom0, determine the VNC port number for vpn-host1 by running the following
      xm list command.
      [dom0]# xm list -l vpn-host1 | grep location
      (location 0.0.0.0:5902)
      (location 3)
      The sample shown indicates that the port number is 5902. This might not be true in
      your case.
   b. From dom0, run the vncviewer& command.
      [dom0]# vncviewer&
      The VNC Viewer: Connection Details dialog box appears.
   c. Enter localhost:<port_number>, substituting the port number displayed from the
      previous xm list -l vpn-host1 | grep location command.
      For example, if the port number is 5902, enter localhost:5902 and click Connect.
      The GNOME login screen appears. You might need to press ENTER to display the
      login screen.
   d. Click Oracle Student in the list of users. You are prompted for the password.
   e. Enter oracle for the Password and click Sign In.
      The GNOME desktop appears.
   f. Right-click the desktop to display the pop-up menu.

   g. From the pop-up menu, click Open in Terminal.
      A terminal window appears.
   h. In the terminal window, use the su - command to become the root user.
      The root password is oracle.
      [vpn-host1]$ su -
      Password: oracle
      [vpn-host1]#
4. Generate a new RSA authentication key for vpn-host1.
   Use the ipsec newhostkey command to generate the key.
   The --configdir option specifies the Network Security Services (NSS) configuration
   directory where the certificate and key databases reside.
   The --output option is mandatory.
   This command might take a couple of minutes to complete.
   [vpn-host1]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets
   Generated RSA key pair using the NSS database
5. Log in to vpn-host2 by using vncviewer.
   a. From dom0, open a second terminal window by clicking the Terminal icon on the
      desktop.
   b. In the second terminal window on dom0, use the su - command to become the root
      user.
      The root password is oracle.
      [dom0]$ su -
      Password: oracle
      [dom0]#
   c. Determine the VNC port number for vpn-host2 by running the following xm list
      command.
      [dom0]# xm list -l vpn-host2 | grep location
      (location 0.0.0.0:5903)
      (location 3)
      The sample shown indicates that the port number is 5903. This might not be true in
      your case.
   d. Run the vncviewer& command.
      [dom0]# vncviewer&
      The VNC Viewer: Connection Details dialog box appears.
   e. Enter localhost:<port_number>, substituting the port number displayed from the
      previous xm list -l vpn-host2 | grep location command.
      For example, if the port number is 5903, enter localhost:5903 and click Connect.
      The GNOME login screen appears. You might need to press ENTER to display the
      login screen.
   f. Click Oracle Student in the list of users. You are prompted for the password.
   g. Enter oracle for the Password and click Sign In.
      The GNOME desktop appears.
   h. Right-click the desktop to display the pop-up menu.
   i. From the pop-up menu, click Open in Terminal.
      A terminal window appears.
   j. In the terminal window, use the su - command to become the root user.
      The root password is oracle.
      [vpn-host2]$ su -
      Password: oracle
      [vpn-host2]#
6. Generate a new RSA authentication key for vpn-host2.
   Use the ipsec newhostkey command to generate the key.
   This command might take a couple of minutes to complete.
   [vpn-host2]# ipsec newhostkey --configdir /etc/ipsec.d --output /etc/ipsec.d/www.example.com.secrets
   Generated RSA key pair using the NSS database
7. Put the appropriate RSA keys in the /etc/ipsec.conf file.
   a. On vpn-host1, use the cd command to change to the /etc directory.
      [vpn-host1]# cd /etc
   b. Use the ipsec showhostkey --left command to display the host key on the left host,
      vpn-host1.
      The sample output is shown.
      [vpn-host1]# ipsec showhostkey --left
      ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
      ipsec showhostkey loading secrets from "/etc/ipsec.d/www.example.com.secrets"
      ipsec showhostkey loaded private key for keyid: PPK_RSA:AQOuaErmq
      # rsakey AQOuaErmq
      leftrsasigkey=0sAQOuaErmqqXZqWP/5tXPI2xXqR/qq8TPyGUnoUQ+rCkHy+WK
      q14MrCcmPaHDVZfMIoRAN4Mot2k2535sHnc+SkWxaDyjueGKczTndALmck0eXXWa
      WgcfNS94rH9wtleQuZXmTlnSQvW8kiHO1N1o22NrCRYZF8zrpQTNFC1WNAiO2qxW
      ZSgdJn2q9iW6MFq0804AsNKI9QrrpC1n7xXyDrWhi+v5B73C0ly4/uYeNIotyK9C
      ImM713QK3MUpZOSNnRiACIQYw8aX+YEKSgjPU3+nEHp243QeUVraIf5LE0cKtTQu
      S3Ur1cgZfQZCFX1rGyHqD/ZtUyzL9Fvo5j04kjnZgJTywr4f0Tmw7a+2QJPIQQ52
      iOv1jnV5WzbKB2zpDICsCzRZ7yVaK7MXrDxvbNss8gjXjK5BXgFLcVlFh/eJgcji
      /AUK0S1vqXdYiJjWtZpjznRTDyE7+jqgLsSi0jY5y7i4dYhD+I0RujzTuv6z7ObD
      +yLYpa/DoXQFMrFjB3kz9L+uqz7TtmwCthNdCJVJjnKL0jBIZ7IfVqBvIJoS5nra
      WYbF/thUq7C6ziHML8AL2tUcx5wIne28ijJOT2LfjeU=
   c. Select leftrsasigkey=<string> and copy it into the buffer.
      Highlight the entire leftrsasigkey=<string> line, including all of its wrapped
      continuation lines.
      With the string highlighted, select Edit > Copy from the terminal window menu.
   d. Use the vi editor to edit the ipsec.conf file.
      [vpn-host1]# vi ipsec.conf
   e. Paste the contents of the buffer at the end of the file.
      Position your cursor on the last line of the file.
      Press the lowercase letter o key to get into insert mode and open a blank line at the
      end of the file.
      Select Edit > Paste from the terminal window menu to paste the contents of the
      buffer into the file.
      Press Esc to exit insert mode.
      Save and close the ipsec.conf file.
   f. On vpn-host2, use the ipsec showhostkey --right command to display the host key on
      the right host, vpn-host2.
      The sample output is shown.
      [vpn-host2]# ipsec showhostkey --right
      ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
      ipsec showhostkey loading secrets from "/etc/ipsec.d/www.example.com.secrets"
      ipsec showhostkey loaded private key for keyid: PPK_RSA:AQPXXwWB4
      # rsakey AQPXXwWB4
      rightrsasigkey=0sAQPXXwWB4r62JUqcItOtIps5GIkOxOe0n51jZ/09Sra5Qth
      hlc0WaapVjycZIgDj3tVE4h/UCpBGZbE1MZ7u8DRZjrcv3aXF2CSESJcW8w0hoOD
      9SUh3ZvDt1OE5bBWtM7moeJ2iY9rM0OqigRfIMeMKw0ZFdglxGGmuvfWtJrD886c
      GYUFTP3K3+1zblg9vlcoOGdfb5jy03jAHgBC2waC1YYAZFQOcHp9XBGVzPq8VkXZ
      AnECA8VtPuyExBXt/GBGUgJOdrLjG/HHtweLlqgB3hmy5NZhYiyS8UVpC7RBLpWG
      OotjmM2dupw+voGP38bWy8K51T8wfRQbfsbUd84Ga6R7676ZKSZXBSMyDsLrsWl6
      e1tf9sShJ9E6YZ3ZqSt1FsR8zMlArQhE2gfp+InlQAp1Q7v8TUODy0z1bih407o0
      nsYGFXwB9izXGNGrvxoKgvzgleRj7ROP6DAls/8aXdir0N0que975Rc01YM2o0sj
      nWwQq124YvenLn1RCbH5fq5NF6V29U7+B5q/2afL6hCvfmQ==
   g. Select rightrsasigkey=<string> and copy it into the buffer.
      Highlight the entire rightrsasigkey=<string> line, including all of its wrapped
      continuation lines.
      With the string highlighted, select Edit > Copy from the terminal window menu.
   h. Use the vi editor to create a temporary file named right.
      You are going to paste the contents of the buffer into this temporary file and then
      append the contents to the /etc/ipsec.conf file on vpn-host1.
      [vpn-host2]# vi right
   i. Paste the contents of the buffer at the end of the file.
      Press the lowercase letter i key to get into insert mode.
      Select Edit > Paste from the terminal window menu to paste the contents of the
      buffer into the file.
      Press Esc to exit insert mode.
      Save and close the right file.
   j. From vpn-host2, use the sftp command to copy the right file to vpn-host1.
      Include the IP address of vpn-host1, not the host name, as an argument. The systems
      are not configured to resolve host names.
      Answer yes when prompted.
      The root user's password is oracle.
      [vpn-host2]# sftp 192.0.2.111
      The authenticity of host '192.0.2.111 (192.0.2.111)' can't be
      established.
      ECDSA key fingerprint is ...
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added '192.0.2.111' (ECDSA) to the list ...
      root@192.0.2.111's password: oracle
      Connected to 192.0.2.111.
      sftp>

   k. From the sftp> prompt, use the put command to copy the right file.
      After the copy is complete, use the quit command to exit sftp.
      sftp> put right
      Uploading right to /root/right ...
      sftp> quit
   l. From vpn-host1, use the cat command to concatenate the /etc/ipsec.conf file and the
      /root/right file into a single file.
      Use the mv command to rename /etc/ipsec.conf before issuing the cat command. The
      example assumes you are still in the /etc directory.
      [vpn-host1]# mv ipsec.conf ipsec.BAK
      [vpn-host1]# cat ipsec.BAK /root/right > ipsec.conf
   m. Use the cat command to view the updated ipsec.conf file.
      The file now includes the leftrsasigkey= string and the rightrsasigkey= string at
      the end of the file.
      The sample output is shown.
      [vpn-host1]# cat ipsec.conf
      ...
      leftrsasigkey=0sAQOuaErmqqXZqWP/5tXPI2xXqR/qq8TPyGUnoUQ+rCkHy+WK
      q14MrCcmPaHDVZfMIoRAN4Mot2k2535sHnc+SkWxaDyjueGKczTndALmck0eXXWa
      WgcfNS94rH9wtleQuZXmTlnSQvW8kiHO1N1o22NrCRYZF8zrpQTNFC1WNAiO2qxW
      ZSgdJn2q9iW6MFq0804AsNKI9QrrpC1n7xXyDrWhi+v5B73C0ly4/uYeNIotyK9C
      ImM713QK3MUpZOSNnRiACIQYw8aX+YEKSgjPU3+nEHp243QeUVraIf5LE0cKtTQu
      S3Ur1cgZfQZCFX1rGyHqD/ZtUyzL9Fvo5j04kjnZgJTywr4f0Tmw7a+2QJPIQQ52
      iOv1jnV5WzbKB2zpDICsCzRZ7yVaK7MXrDxvbNss8gjXjK5BXgFLcVlFh/eJgcji
      /AUK0S1vqXdYiJjWtZpjznRTDyE7+jqgLsSi0jY5y7i4dYhD+I0RujzTuv6z7ObD
      +yLYpa/DoXQFMrFjB3kz9L+uqz7TtmwCthNdCJVJjnKL0jBIZ7IfVqBvIJoS5nra
      WYbF/thUq7C6ziHML8AL2tUcx5wIne28ijJOT2LfjeU=
      rightrsasigkey=0sAQPXXwWB4r62JUqcItOtIps5GIkOxOe0n51jZ/09Sra5Qth
      hlc0WaapVjycZIgDj3tVE4h/UCpBGZbE1MZ7u8DRZjrcv3aXF2CSESJcW8w0hoOD
      9SUh3ZvDt1OE5bBWtM7moeJ2iY9rM0OqigRfIMeMKw0ZFdglxGGmuvfWtJrD886c
      GYUFTP3K3+1zblg9vlcoOGdfb5jy03jAHgBC2waC1YYAZFQOcHp9XBGVzPq8VkXZ
      AnECA8VtPuyExBXt/GBGUgJOdrLjG/HHtweLlqgB3hmy5NZhYiyS8UVpC7RBLpWG
      OotjmM2dupw+voGP38bWy8K51T8wfRQbfsbUd84Ga6R7676ZKSZXBSMyDsLrsWl6
      e1tf9sShJ9E6YZ3ZqSt1FsR8zMlArQhE2gfp+InlQAp1Q7v8TUODy0z1bih407o0
      nsYGFXwB9izXGNGrvxoKgvzgleRj7ROP6DAls/8aXdir0N0que975Rc01YM2o0sj
      nWwQq124YvenLn1RCbH5fq5NF6V29U7+B5q/2afL6hCvfmQ==

8. Complete the sitetosite connection configuration in the /etc/ipsec.conf file on
   vpn-host1.
   a. Use the vi editor to edit /etc/ipsec.conf and add the conn sitetosite parameter and
      the left IP address information before the leftrsasigkey= line.
      Indent all lines that start with left, including the leftrsasigkey= line.
      Do not exit the vi editor until step 8d.
      [vpn-host1]# vi /etc/ipsec.conf
      ...
      #include /etc/ipsec/d/*.conf
      conn sitetosite
          leftid=192.168.1.101
          left=192.168.1.101
          leftsourceip=192.168.2.101
          leftsubnet=192.168.2.0/24
          leftrsasigkey=...
      ...
   b. Add the right IP address information after the leftrsasigkey= line and before
      the rightrsasigkey= line in the /etc/ipsec.conf file on vpn-host1.
      Indent all lines that start with right, including the rightrsasigkey= line.
      ...
          leftrsasigkey=...
          rightid=192.168.1.102
          right=192.168.1.102
          rightsourceip=192.168.3.102
          rightsubnet=192.168.3.0/24
          rightrsasigkey=...
      ...
   c. Add the following two lines at the end of the /etc/ipsec.conf file on vpn-host1.
      ...
          authby=rsasig
          auto=start
   d. Save the changes made to the /etc/ipsec.conf file and exit the vi editor.
9. Check the syntax of the /etc/ipsec.conf file on vpn-host1.
   If any errors are returned, the line number is included. Use the vi editor and make the
   necessary corrections to the file.
   In this example, no errors are returned and the syntax is correct.
   [vpn-host1]# /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
10. Use the sftp command to copy the /etc/ipsec.conf file from vpn-host1 to vpn-host2.
   a. Include the IP address of vpn-host2, not the host name, as an argument.
      Answer yes when prompted.
      The root user's password is oracle.
      [vpn-host1]# sftp 192.0.2.112
      The authenticity of host '192.0.2.112 (192.0.2.112)' can't be
      established.
      ECDSA key fingerprint is ...
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added '192.0.2.112' (ECDSA) to the list ...
      root@192.0.2.111's password: oracle
      Connected to 192.0.2.112.
      sftp>
   b. From the sftp> prompt, use the put command to copy the /etc/ipsec.conf file to
      /etc/ipsec.conf on vpn-host2.
      After the copy is complete, use the quit command to exit sftp.
      sftp> put /etc/ipsec.conf /etc/ipsec.conf
      Uploading /etc/ipsec.conf to /etc/ipsec.conf ...
      sftp> quit
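A pre-flight check for the conn block assembled in steps 7 and 8, added here as an example that is not part of the Oracle practice or of libreswan: it parses the indented conn sitetosite section, decodes the 0s-prefixed rsasigkey values (RFC 3110 RSA public keys) and reports the indentation and truncation mistakes those steps warn about. The sample configuration and the two placeholder keys are constructed; to check a real file, pass its contents to check_sitetosite.

```python
# Added example (not Oracle's or libreswan's code): sanity-check the conn
# block assembled in steps 7-8 before addconn --checkconfig. It parses the
# indented conn sections, checks the fields the practice adds, and decodes the
# 0s... rsasigkey values (RFC 3110 RSA public keys) to catch a truncated paste.
import base64
import ipaddress


def parse_conn_sections(text: str) -> dict:
    """{conn_name: {key: value}}; the first unindented line ends a conn."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("conn ") and len(line.split()) == 2:
            current = line.split()[1]
            conns[current] = {}
        elif current is not None and line[0] in " \t" and "=" in line:
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
        else:
            current = None  # unindented line: the conn block has ended
    return conns


def decode_rsasigkey(value: str) -> tuple:
    """0s<base64> -> (exponent, modulus_bits): RFC 3110 exponent length byte
    (0 means a two-byte length follows), then exponent, then modulus."""
    if not value.startswith("0s"):
        raise ValueError("rsasigkey must start with 0s")
    blob = base64.b64decode(value[2:], validate=True)
    elen, off = ((blob[0], 1) if blob[:1] not in (b"", b"\x00")
                 else (int.from_bytes(blob[1:3], "big"), 3))
    modulus = blob[off + elen:]
    if not modulus or modulus[0] == 0:
        raise ValueError("rsasigkey modulus missing or has a leading zero")
    return int.from_bytes(blob[off:off + elen], "big"), len(modulus) * 8


def check_sitetosite(text: str, name: str = "sitetosite") -> list:
    """Return the problems found in conn NAME; an empty list means it looks sane."""
    conn = parse_conn_sections(text).get(name)
    if conn is None:
        return [f"no indented conn {name} block found"]
    problems = []
    for side in ("left", "right"):
        missing = [k for k in (side, side + "sourceip", side + "subnet",
                               side + "rsasigkey") if k not in conn]
        if missing:
            problems.append(f"{side}: missing {', '.join(missing)}")
            continue
        try:
            net = ipaddress.ip_network(conn[side + "subnet"], strict=True)
            if ipaddress.ip_address(conn[side + "sourceip"]) not in net:
                problems.append(f"{side}sourceip is outside {side}subnet")
            _, bits = decode_rsasigkey(conn[side + "rsasigkey"])
            if bits < 2048:
                problems.append(f"{side}rsasigkey modulus is only {bits} bits")
        except ValueError as err:  # bad address, bad base64 or bad key layout
            problems.append(f"{side}: {err}")
    for key, want in (("authby", "rsasig"), ("auto", "start")):
        if conn.get(key) != want:
            problems.append(f"{key}={want} missing from conn {name}")
    return problems


def fake_key(seed: int) -> str:
    # Constructed placeholder in the 0s/RFC 3110 layout (e=65537, 2048-bit
    # modulus of arbitrary bytes): not a real key pair, only the format.
    modulus = bytes([0x80 | seed]) + bytes((seed * i + 7) % 256 for i in range(255))
    return "0s" + base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()


# Constructed sample of the step 8 block (leftid/rightid omitted, placeholder keys).
GOOD_CONF = "conn sitetosite\n" + "".join(f"    {k}={v}\n" for k, v in (
    ("left", "192.168.1.101"), ("leftsourceip", "192.168.2.101"),
    ("leftsubnet", "192.168.2.0/24"), ("leftrsasigkey", fake_key(1)),
    ("right", "192.168.1.102"), ("rightsourceip", "192.168.3.102"),
    ("rightsubnet", "192.168.3.0/24"), ("rightrsasigkey", fake_key(2)),
    ("authby", "rsasig"), ("auto", "start")))
# The mistake step 8 warns about: an unindented rightrsasigkey= ends the conn.
BAD_CONF = GOOD_CONF.replace("    rightrsasigkey=", "rightrsasigkey=")
```

Because step 10 copies the same file to vpn-host2, one clean run of check_sitetosite on the vpn-host1 copy covers both ends of the tunnel.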

11. Enable IP forwarding on both vpn-host1 and vpn-host2.
   a. On vpn-host1, use the sysctl -w command to enable IP forwarding.
      [vpn-host1]# sysctl -w net.ipv4.ip_forward=1
      net.ipv4.ip_forward = 1
   b. On vpn-host2, use the sysctl -w command to enable IP forwarding.
      [vpn-host2]# sysctl -w net.ipv4.ip_forward=1
      net.ipv4.ip_forward = 1

12. Stop the firewalld service on both vpn-host1 and vpn-host2.
   You could instead add rules to trust the IPsec protocols. libreswan requires the
   firewall to allow the following packets:
   - UDP port 500 for the IKE protocol
   - UDP port 4500 for IKE NAT-Traversal
   - Protocol 50 for ESP IPsec packets
   - Protocol 51 for AH IPsec packets
   For the purposes of this exercise you stop the firewalld service.
   a. On vpn-host1, use the systemctl command to stop the firewalld service.
      [vpn-host1]# systemctl stop firewalld
   b. On vpn-host2, use the systemctl command to stop the firewalld service.
      [vpn-host2]# systemctl stop firewalld
13. Test connectivity before starting the ipsec service.
   a. On vpn-host1, use the netstat -rn command to view the route table.
      Note that there is no route to the 192.168.3.0 subnet.
      [vpn-host1]# netstat -rn
      Destination   Gateway     ... Iface
      0.0.0.0       192.0.2.1   ... eth0
      192.0.2.0     0.0.0.0     ... eth0
      192.168.1.0   0.0.0.0     ... eth1
      192.168.2.0   0.0.0.0     ... eth2
   b. From vpn-host1, use the ping command to test connectivity to 192.168.3.102.
      Note that you cannot ping this address.
      Press CTRL-C to kill the ping command.
      [vpn-host1]# ping 192.168.3.102
      PING 192.168.3.102 (192.168.3.102) 56(84) bytes of data.
      CTRL-c
   c. On vpn-host2, use the netstat -rn command to view the route table.
      Note that there is no route to the 192.168.2.0 subnet.
      [vpn-host2]# netstat -rn
      Destination   Gateway     ... Iface
      0.0.0.0       192.0.2.1   ... eth0
      192.0.2.0     0.0.0.0     ... eth0
      192.168.1.0   0.0.0.0     ... eth1
      192.168.3.0   0.0.0.0     ... eth2
   d. From vpn-host2, use the ping command to test connectivity to 192.168.2.101.
      Press CTRL-C to kill the ping command.
      [vpn-host2]# ping 192.168.2.101
      PING 192.168.2.101 (192.168.2.101) 56(84) bytes of data.
      CTRL-c
14. Start the ipsec service on both vpn-host1 and vpn-host2.
   a. On vpn-host1, use the systemctl command to start the ipsec service.
      [vpn-host1]# systemctl start ipsec
   b. On vpn-host2, use the systemctl command to start the ipsec service.
      [vpn-host2]# systemctl start ipsec
15. Test connectivity after starting the ipsec service.
   a. On vpn-host1, use the netstat -rn command to view the route table.
      Note that now there is a route to the 192.168.3.0 subnet.
      [vpn-host1]# netstat -rn
      Destination   Gateway     ... Iface
      0.0.0.0       192.0.2.1   ... eth0
      192.0.2.0     0.0.0.0     ... eth0
      192.168.1.0   0.0.0.0     ... eth1
      192.168.2.0   0.0.0.0     ... eth2
      192.168.3.0   0.0.0.0     ... eth1
   b. From vpn-host1, use the ping command to test connectivity to 192.168.3.102.
      Note that now you can ping this address.
      Press CTRL-C to kill the ping command.
      [vpn-host1]# ping 192.168.3.102
      PING 192.168.3.102 (192.168.3.102) 56(84) bytes of data.
      64 bytes from 192.168.3.102: icmp_seq=1 ttl=64 time=...
      64 bytes from 192.168.3.102: icmp_seq=2 ttl=64 time=...
      64 bytes from 192.168.3.102: icmp_seq=3 ttl=64 time=...
      CTRL-c

   c. On vpn-host2, use the netstat -rn command to view the route table.
      Note that now there is a route to the 192.168.2.0 subnet.
      [vpn-host2]# netstat -rn
      Destination   Gateway     ... Iface
      0.0.0.0       192.0.2.1   ... eth0
      192.0.2.0     0.0.0.0     ... eth0
      192.168.1.0   0.0.0.0     ... eth1
      192.168.2.0   0.0.0.0     ... eth1
      192.168.3.0   0.0.0.0     ... eth2
   d. From vpn-host2, use the ping command to test connectivity to 192.168.2.101.
      Note that now you can ping this address.
      Press CTRL-C to kill the ping command.
      [vpn-host2]# ping 192.168.2.101
      PING 192.168.2.101 (192.168.2.101) 56(84) bytes of data.
      64 bytes from 192.168.2.101: icmp_seq=1 ttl=64 time=...
      64 bytes from 192.168.2.101: icmp_seq=2 ttl=64 time=...
      64 bytes from 192.168.2.101: icmp_seq=3 ttl=64 time=...
      CTRL-c
   e. From vpn-host2, use the ipsec auto --status command to view the current connection
      status.
      Note the ESP algorithms supported.
      Note the IKE algorithms supported.
      Note the Connection list, sitetosite.
      Note the Total IPSec connections: 1 loaded, 1 active.
      [vpn-host2]# ipsec auto --status
      000 using kernel interface: netkey
      ...
      000 config setup options:
      000
      000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc...
      ...
      000 ESP algorithms supported:
      000
      000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, ...
      000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, ...
      ...
      000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5...
      000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA...
      ...
      000 IKE algorithms supported:
      000
      000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2nam...
      000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2nam...
      ...
      000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
      000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
      ...
      000 Connection list:
      000
      000 "sitetosite":
      192.168.3.0/24===192.168.1.102<192.168.1.102>[92.168.1.102]...19
      2.168.1.101<192.168.1.101>===192.168.2.0/24; eroute owner: #4
      ...
      000 Total IPSec connections: loaded 1, active 1
      000
      000 State list:
      000
      000 #4: "sitetosite":500 STATE_QUICK_R2 (IPSec SA established...
      ...

16. Shut down the vpn-host1 and vpn-host2 virtual machines.
   a. From vpn-host2, use the systemctl poweroff command to shut down vpn-host2.
      [vpn-host2]# systemctl poweroff
   b. From vpn-host1, use the systemctl poweroff command to shut down vpn-host1.
      [vpn-host1]# systemctl poweroff
   Do not start the host01, host02, and host03 virtual machines at this time.