RHCE-B11. Using playbook to create a Web content directory and access it

Red Hat RHCE exam, afternoon session - RHCE (RH294)

RH294 task overview

  • The exam lasts 4 hours, with 6 virtual machines and 15 questions
  • Tasks that were previously done with scripts or clusters now have to be implemented with playbooks
  • There are about 6 virtual servers in the exam, all of which have passwordless login set up between them
  • The tasks are done on the Ansible control node workstation, but the results are verified on the other virtual servers
  • During the exam, you need to start all 6 virtual servers in the exam environment by clicking the button on the left of the physical machine interface
  • During the exam, all Ansible playbooks are placed in an ordinary user's directory and executed by that ordinary user
  1. Note: during the exam, put the playbooks in the designated user's home directory and log in as the designated user to do the questions!
  2. Note: the exam is scored by remotely executing the playbooks or scripts in the specified directory as an ordinary user. If you do the tasks as root, the scoring user will not have permission and you will get zero

11. Create Web content directory with playbook

  • Create a playbook named /home/student/ansible/webcontent.yml as described below:
  • The playbook runs on managed nodes in the dev host group

Task requirements

  1. Create a directory /webdev that meets the following requirements: its group owner is devops and it has these regular permissions:
    owner=read+write+execute, group=read+write+execute, other=read+execute
  2. With the special permission: set group ID
  3. Link /var/www/html/webdev to /webdev with a symbolic link
  4. Create the file /webdev/index.html, which contains a single line of text as follows: Development
  5. Browsing this directory on a host in the dev host group (for example http://servera.lab.example.com/webdev/ ) will produce the following output: Development
    be careful:

Preparation

  • You don't need to do this during the exam
ansible-doc file ## View the documentation of the file module

Steps to complete

  1. Install the httpd service first, because it may not be installed
  2. Then set the httpd service to start at boot, because it may not be set
  3. You also need to open the firewall for access, because the http service may not be enabled there
  4. Now the real work starts: create the directory with the required permissions. Remember to set setype to httpd_sys_content_t
  5. Then create the soft link required in the question
  6. Finally, create the content file required in the question, and again remember to set setype to httpd_sys_content_t
[student@workstation ansible]$ vim webcontent.yml
---
- hosts: dev
  tasks:
    ## httpd may not be installed on the dev hosts, so install it first
    - name: install httpd
      yum:
        name: httpd
        state: present
    - name: start httpd and enable it at boot
      service:
        name: httpd
        state: started
        enabled: yes
    ## If the page is already reachable through the firewall, this task can be skipped
    - name: allow http through the firewall
      firewalld:
        service: http
        permanent: yes
        state: enabled
        immediate: yes
    - name: create dir
      file:
        path: /webdev
        group: devops
        state: directory
        ## Quoted so that YAML does not read the mode as the decimal integer 2775
        mode: '2775'
        setype: httpd_sys_content_t
    - name: create link
      file:
        src: /webdev
        dest: /var/www/html/webdev
        state: link
    - name: create a file
      copy:
        content: "Development\n"
        dest: /webdev/index.html
        setype: httpd_sys_content_t
[student@workstation ansible]$ ansible-playbook webcontent.yml
  • Verification still needs to be done
    curl http://servera.lab.example.com/webdev/

  • It is easy to end up without the expected result on this problem
    With SELinux, if the context value is incorrect, you may not be able to access the page.
    When creating the directory, set the directory's context type directly through setype
    When creating the page file, set setype as well
    Note: use ll -Z to view the context value of files and folders. If you don't know what it should be, go back to the html directory, create a file there and look at its value
    Once the SELinux type is specified, the file can be accessed normally

cd /var/www/html
touch a.log
ll -Z a.log
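
An added example (not from the original post): a check playbook that verifies each task requirement after webcontent.yml has run, instead of relying on curl alone. It assumes SELinux is enabled on the dev hosts and that each inventory name (such as servera.lab.example.com) resolves from the host itself; the file name verify_webcontent.yml is hypothetical.

```yaml
---
# verify_webcontent.yml (hypothetical name), added example
- hosts: dev
  tasks:
    - name: Collect attributes of /webdev
      stat:
        path: /webdev
      register: webdev

    - name: Collect attributes of the symbolic link (not followed by default)
      stat:
        path: /var/www/html/webdev
      register: weblink

    - name: Read the current SELinux label of the directory and the page
      command: stat -c '%C' /webdev /webdev/index.html
      register: labels
      changed_when: false

    - name: Fetch the page over HTTP from the managed node
      uri:
        # Assumption: the inventory name is a resolvable host name
        url: "http://{{ inventory_hostname }}/webdev/"
        return_content: yes
      register: page

    - name: Assert every requirement of the task
      assert:
        that:
          - webdev.stat.isdir
          # rwxrwxr-x plus set group ID
          - webdev.stat.mode == '2775'
          - webdev.stat.gr_name == 'devops'
          - weblink.stat.islnk
          - weblink.stat.lnk_source == '/webdev'
          # both the directory and the file must carry the httpd content type
          - labels.stdout_lines | select('search', ':httpd_sys_content_t:') | list | length == 2
          - page.content | trim == 'Development'
```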

Knowledge points tested

ansible file module

  • Functions: setting file properties, creating soft links, etc
    ansible-doc file
  • Common parameters of file module
path       Path to the managed file
state
    ## Common values of state:
    absent           Delete the target file
    touch            If the target file does not exist, create it; if it exists, update its timestamp
    directory        Create a directory
    hard             Create a hard link to the target file (used together with src)
    link             Create a soft link to the target file (used together with src)
setype      Set the SELinux security context type of the target file
owner       Set the owner of the target file
group       Set the group to which the target file belongs
mode        Set file permissions
    Common mode format: file: 0644    directory: 0755
    Or use quotation marks: file: '0644'    directory: '0755'
    Symbolic mode can also be used: mode: u+rwx    or  mode: u=r,g=w,o=x   or: mode: u+r,g+w,o+x
src      Specifies the path of the file to link to
dest     Specify the directory where the requested file will be saved
#Create an empty file
ansible all -m file -a 'path=/data/test.txt state=touch'
#Delete the file
ansible all -m file -a 'path=/data/test.txt state=absent'
#Set the owner and permissions of a file
ansible all -m file -a "path=/root/test.sh owner=wang mode=755"
#Create directory
ansible all -m file -a "path=/data/mysql state=directory owner=mysql group=mysql"
#Create soft link (dest and name are aliases of path)
ansible all -m file -a 'src=/data/testfile path=/data/testfile-link state=link'
#Create directory
ansible all -m file -a 'path=/data/testdir state=directory'
#Modify the properties of the directory itself, without recursing into subdirectories
ansible all -m file -a "path=/data/mysql state=directory owner=mysql group=mysql"
#Recursively modify the properties of directories and subdirectories
ansible all -m file -a "path=/data/mysql state=directory owner=mysql group=mysql recurse=yes"

Modify the default security context.

  • When SELinux is enabled, the security context type of directories and files needs to be set to httpd_sys_content_t. Only then can Apache's httpd access them
[root@localhost ~]# mkdir /www
#Create a new /www/ directory. The plan is to use this directory as the main directory of Apache web pages instead of /var/www/html/
[root@localhost ~]# ls -Zd /www/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/
#The security context type of this directory is default_t, so the Apache processes cannot access or use the /www/ directory
  • This directory was created manually and is not a system default directory. Therefore, it has no default security context and we need to set one manually
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
#This command sets the default security context type of the /www/ directory and all contents in the directory to httpd_sys_content_t
[root@localhost ~]# semanage fcontext -l | grep "/www"
#... omit some output
/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
#The default security context for the /www/ directory now appears
  • Reset the current security context of the directory itself to the default value
[root@localhost ~]# ls -Zd /www/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /www/
#However, the query shows that the security context of the /www/ directory has not changed, because we only modified the default security context, not the current security context of the directory
[root@localhost ~]# restorecon -Rv /www/
restorecon reset /www context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
#Restore the default security context of the /www/ directory; the type has now been changed to httpd_sys_content_t
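
The same two steps written as Ansible tasks for /webdev, as an added example that is not part of the original post. setype in the file and copy modules changes only the current label, so a later restorecon or full relabel would reset /webdev to its default type unless a rule like this exists. It assumes the sefcontext module (community.general.sefcontext on newer Ansible releases) and its SELinux Python bindings are available on the managed nodes.

```yaml
---
# Added example: make the httpd_sys_content_t label on /webdev persistent
- hosts: dev
  tasks:
    - name: Record httpd_sys_content_t as the default type for /webdev and its contents
      sefcontext:
        # Same pattern style as the semanage fcontext command above
        target: '/webdev(/.*)?'
        setype: httpd_sys_content_t
        state: present

    - name: Apply the default context to what already exists
      command: restorecon -Rv /webdev
      register: relabel
      # Report "changed" only when restorecon printed a relabel line
      changed_when: relabel.stdout | length > 0

    - name: Read the label back after the relabel
      command: stat -c '%C' /webdev
      register: label
      changed_when: false

    - name: Confirm the type survived restorecon
      assert:
        that:
          - "':httpd_sys_content_t:' in label.stdout"
```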

Posted on Tue, 12 Oct 2021 03:03:13 -0400 by rocket