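RH135 Practice Exam

1. Configure the basic settings of your server and client virtual machines as follows

@@@@ On the server host: @@@@
* Set up key-based authentication for the sshd service, with root as the authenticating user;
the key is downloaded from http://172.25.254.250/exam/id_rsa.pub

Assume the following is the key downloaded from http://172.25.254.250/exam/id_rsa.pub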
[root@dns_server .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDmiF5nV3kDoHBbqWt3Vdpcub2C4T6Z+uiVZdomHU+hmnpGlyMercL0ZWfw39Wcdff/3NSDsQFy6yZDaK69npA/F6nq6sl8h6+ntm4MCuLGl5OAZwdfrZqcmocbqtulZAu3qOcqXB4BzaGXQVwlJt9akdHDTmihw1aaVVI+zV67n5g5gmQ6mY1MiVSGxR7pfPVi25KHY48P0Os+SIYOqO1y7WsA390NShqGL6ccHc/dpmoPq+b1ZHto9vnwrVykd0XoX1KgQxVxMWxLmQVgH/woXVk1+F0hbUoXUbemZE65jLXogHm7ZtOOvcZXlOdxmIWi61vmU60atmN4WjUvBp root@dns_server

[root@node1 .ssh]# ssh-keygen    ---> on the 120 host
[root@node1 .ssh]# ls
id_rsa id_rsa.pub known_hosts

Copy the public key to the 120 host

[root@node1 .ssh]# cat id_rsa.pub    ---> the original public key has been overwritten
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDmiF5nV3kDoHBbqWt3Vdpcub2C4T6Z+uiVZdomHU+hmnpGlyMercL0ZWfw39Wcdff/3NSDsQFy6yZDaK69npA/F6nq6sl8h6+ntm4MCuLGl5OAZwdfrZqcmocbqtulZAu3qOcqXB4BzaGXQVwlJt9akdHDTmihw1aaVVI+zV67n5g5gmQ6mY1MiVSGxR7pfPVi25KHY48P0Os+SIYOqO1y7WsA390NShqGL6ccHc/dpmoPq+b1ZHto9vnwrVykd0XoX1KgQxVxMWxLmQVgH/woXVk1+F0hbUoXUbemZE65jLXogHm7ZtOOvcZXlOdxmIWi61vmU60atmN4WjUvBp root@dns_server

[root@node1 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.120
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: “/root/.ssh/id_rsa.pub”
The authenticity of host ‘172.25.254.120 (172.25.254.120)’ can’t be established.
ECDSA key fingerprint is SHA256:iFSe6c1LzQ77XSFGNaakEobsKjh4CL3KhSAYqrmJQH0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed – if you are prompted now it is to install the new keys
root@172.25.254.120’s password:
Number of key(s) added: 1
Now try logging into the machine, with: “ssh ‘root@172.25.254.120’”
and check to make sure that only the key(s) you wanted were added.

[root@dns_server .ssh]# ssh root@172.25.254.120    ---> logs in directly without a password; the first connection asks for yes, but no password
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri Dec 11 20:32:22 2020 from 172.25.254.204

* Set the root user's password to westos

*IPADDRESS=172.25.254.120
GATEWAY=172.25.254.250
DNS=172.25.254.250

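* Build a local software repository that directly connected network hosts can also use, at the repository address http://172.25.254.120/rhel8

First build the local repository and install httpd
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
See question 5: change the security context of /westos/html,
chcon -Rt httpd_sys_content_t /westos/html    ---> semanage can be used to make the change permanent

See question 5: because the default document root was changed, mind the changed directory when mounting the image to build the network repository
vim /etc/httpd/conf/httpd.conf
systemctl restart httpd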

mkdir /westos/html/rhel8
mount /dev/sr0 /westos/html/rhel8
vim /etc/yum.repos.d/westos.repo
[AppStream]
baseurl = http://172.25.254.120/rhel8/AppStream
enabled = 1
gpgcheck = 0
name = AppStream_westos
[BaseOS]
baseurl = http://172.25.254.120/rhel8/BaseOS
enabled = 1
gpgcheck = 0
name = BaseOS_westos

http://172.25.254.120/rhel8/    ---> the image content is reachable
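
The repo file above sets gpgcheck = 0 on a plain-HTTP baseurl, so packages are installed without any signature check. The following is an added example, not part of the original post: a small audit for .repo files that reports such sections. The function names audit_repo and sample_repo are hypothetical, and the gpgkey path is the one a stock RHEL 8 installation ships, assumed here.

```shell
# audit_repo FILE: print "<section> gpgcheck=off scheme=<scheme>" for each enabled
# section that installs packages without signature checks. A missing gpgcheck is
# reported too, because the effective value then depends on [main] in dnf.conf.
audit_repo() {
    awk '
        function flush(   v, scheme) {
            if (sec == "" || sec == "main" || enabled == "0") return
            v = tolower(gpg)
            if (v == "1" || v == "yes" || v == "true" || v == "on") return
            scheme = url; sub(/:.*/, "", scheme)
            print sec, "gpgcheck=off", "scheme=" scheme
        }
        /^[ \t]*[#;]/ { next }                   # comment lines
        /^[ \t]*\[/ {                            # start of a [section]
            flush()
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            gpg = ""; url = ""; enabled = "1"
            next
        }
        /=/ {                                    # key = value, spaces optional
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpg = val
            else if (key == "baseurl") url = val
            else if (key == "enabled") enabled = val
        }
        END { flush() }
    ' "$1"
}

# Constructed sample: [AppStream] as in the post; [BaseOS] changed to the checked form.
sample_repo() {
    cat <<'EOF'
[AppStream]
baseurl = http://172.25.254.120/rhel8/AppStream
enabled = 1
gpgcheck = 0
[BaseOS]
baseurl = http://172.25.254.120/rhel8/BaseOS
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

repo=$(mktemp); sample_repo > "$repo"; audit_repo "$repo"; rm -f "$repo"
```

Run it against /etc/yum.repos.d/*.repo one file at a time; a section with no output has signature checking switched on.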

* Add two disks to the host as follows
vdb 5G
vdc 5G

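@@@@ On the client host: @@@@

* Set up key-based authentication for the sshd service, with root as the authenticating user;
the key is downloaded from http://172.25.254.250/exam/id_rsa.pub

* Set the root user's password to westos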

*IPADDRESS=172.25.254.220
GATEWAY=172.25.254.250
DNS=172.25.254.250

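* Build a local software repository that directly connected network hosts can also use, at the repository address http://172.25.254.120/rhel8

2. Create partitions on vdb and complete the following requirements

1* Create the partition /dev/vdb1, 500M in size, and activate the device as a swap partition
fdisk /dev/vdb    ---> create the partitions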

Device Boot Start End Sectors Size Id Type
/dev/vdb1 2048 1026047 1024000 500M 82 Linux swap / Solaris
/dev/vdb2 1026048 1230847 204800 100M 83 Linux
/dev/vdb3 1230848 3327999 2097152 1G 8e Linux LVM
/dev/vdb4 3328000 10485759 7157760 3.4G 5 Extended
/dev/vdb5 3330048 5427199 2097152 1G 83 Linux    ---> set to LVM type

mkswap /dev/vdb1

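2* Create the partition /dev/vdb2, 100M in size, and mount the device on the /westos_pub directory. Make /westos_pub writable by everyone and ensure the westos user can use only 50M of data space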

mkswap /dev/vdb1
mkfs.xfs /dev/vdb2
mount -o usrquota /dev/vdb2 /westos_pub/
chmod 777 /westos_pub/
edquota --user westos

Change the hard value to 51200    ---> 50M

Disk quotas for user westos (uid 1000):
  Filesystem                   blocks       soft       hard     inodes     soft     hard
  /dev/vdb2                     51200          0      51200          1         0         0
~

[root@localhost Desktop]# su - westos
[westos@localhost ~]$ dd if=/dev/zero of=/westos_pub/westosfile1 bs=1M count=60
dd: error writing ‘/westos_pub/westosfile1’: Disk quota exceeded
51+0 records in
50+0 records out
52428800 bytes (52 MB, 50 MiB) copied, 0.0261061 s, 2.0 GB/s
[westos@localhost ~]$

3* Create an LVM device: volume group name westos_vg, PE size 2M; create the logical volume westos_datal in westos_vg and mount it on /westos/westoslv

mkdir /westos/westoslv -p
pvcreate /dev/vdb3
vgcreate -s 2M westos_vg /dev/vdb3
lvcreate -L 300M -n westos_datal westos_vg
mkfs.xfs /dev/westos_vg/westos_datal
mount /dev/westos_vg/westos_datal /westos/westoslv/

vim /etc/fstab    ---> file for persistent mounts

/dev/westos_vg/westos_datal  /westos/westoslv       xfs  defaults 0 0
/dev/vdb2  /westos_pub    xfs   defaults,usrquota  0 0 

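mount -a    ---> checks that the entries in the file are written correctly; otherwise the system will fail to boot

Note: make sure the operations above still take effect after a reboot

3. Enable SELinux on the system and set the default state to enforcing mode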

vim /etc/sysconfig/selinux

SELINUX=enforcing

4. Deploy an ftp service that allows anonymous users to upload

1. semanage fcontext -a -t public_content_rw_t '/var/ftp/pub(/.*)?'    ---> change the upload directory's security context to rw
2. restorecon -RvvF /var/ftp/pub/
[root@localhost Desktop]# ls -Zd /var/ftp/pub/
system_u:object_r:public_content_rw_t:s0 /var/ftp/pub/
3. setsebool -P ftpd_anon_write on    ---> turn on the write boolean; -P makes it permanent
[root@localhost Desktop]# getsebool -a | grep ftp
ftpd_anon_write --> on

vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anonymous_enable=YES
systemctl restart vsftpd

[root@localhost Desktop]# ls -ld /var/ftp/pub/    ---> permissions of the upload directory
drwxrwxr-x. 2 root ftp 20 Nov 29 09:25 /var/ftp/pub/

5. Deploy apache as follows

1* Set apache's default document root to /westos/html and make sure the default published content matches the following file

http://172.25.254.250/exam/index_default
default page

mkdir /westos/html -p
vim /etc/httpd/conf/httpd.conf

DocumentRoot "/westos/html"

<Directory "/westos/html">
AllowOverride None
# Allow open access:
Require all granted
</Directory>

chcon -Rt httpd_sys_content_t /westos/html    ---> semanage can be used to make the change permanent
[root@localhost ~]# ls -Zd /westos/html/
unconfined_u:object_r:httpd_sys_content_t:s0 /westos/html/

[root@localhost ~]# cat /westos/html/index.html
default page
systemctl restart httpd

http://172.25.254.120/
default page

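2* Set up the virtual host bbs.westos.com, make sure name resolution works on the current host, and make the default page content match the following file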

http://172.25.254.250/exam/index_bbs
bbs page

[root@localhost conf.d]# mkdir /westos/bbs.com/html -p
[root@localhost conf.d]# ls -Zd /westos/bbs.com/html
unconfined_u:object_r:default_t:s0 /westos/bbs.com/html
[root@localhost conf.d]# chcon -Rt httpd_sys_content_t /westos/bbs.westos.com/html
chcon: cannot access ‘/westos/bbs.westos.com/html’: No such file or directory
[root@localhost conf.d]# chcon -Rt httpd_sys_content_t /westos/bbs.com/html
[root@localhost conf.d]# vim /westos/bbs.com/html/index.html
[root@localhost conf.d]# cat /westos/bbs.com/html/index.html
bbs page
[root@localhost conf.d]# vim vhost.conf
[root@localhost conf.d]# systemctl restart httpd
[root@localhost conf.d]# cat /etc/httpd/conf.d/vhost.conf

<VirtualHost _default_:80>
DocumentRoot /westos/html
CustomLog logs/default.log combined
</VirtualHost>

<VirtualHost *:80>
ServerName bbs.westos.com
DocumentRoot /westos/bbs.com/html
CustomLog logs/bbs.log combined
</VirtualHost>

<Directory /westos/bbs.com/html>
Require all granted
</Directory>

Test
vim /etc/hosts
172.25.254.120 www.westos.com bbs.westos.com

http://bbs.westos.com/
bbs page

http://www.westos.com/
default page

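6. Configure the iSCSI service

1* Install the server-side software on server120, enable it at boot, and allow the service through the firewall
dnf install targetcli -y
firewall-cmd --permanent --add-service=iscsi-target
firewall-cmd --reload

2* On disk vdb, create a 1G LVM partition and use it to create the volume group iSCSI_vg and a 100M logical volume disk1_lv
/dev/vdb5 1G    ---> format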

pvcreate /dev/vdb5
vgcreate ISCSI_vg /dev/vdb5
lvcreate -L 100M -n disk1_lv ISCSI_vg
mkfs.xfs /dev/ISCSI_vg/disk1_lv

3* Use disk1_lv as the iSCSI backing store, named server120.disk1

targetcli
/> backstores/block create server120.disk1 /dev/ISCSI_vg/disk1_lv

4* Define the IQN as iqn.2020-04.com.westos:server120

/> iscsi/ create iqn.2020-04.com.westos:server120

5* Set an ACL that allows the client with initiator name iqn.2020-04.com.westos:client220 to connect; the service listens on port 3260 of 172.25.254.120

/> iscsi/iqn.2020-04.com.westos:server120/tpg1/luns create /backstores/block/server120.disk1
/> iscsi/iqn.2020-04.com.westos:server120/tpg1/acls create iqn.2020-04.com.westos:westoskey
/> exit

6* On the client, install the initiator software, connect the iSCSI target on server120 locally, create an xfs file system on it, and mount it automatically at boot on /iscsidisk

dnf install iscsi-initiator-utils -y
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2020-04.com.westos:westoskey
systemctl restart iscsid

[root@westos_student4 ~]# iscsiadm -m discovery -t st -p 172.25.254.120
172.25.254.120:3260,1 iqn.2020-04.com.westos:server120

[root@westos_student4 ~]# iscsiadm -m node -T iqn.2020-04.com.westos:server120 -p 172.25.254.120 -l    ---> log in
Logging in to [iface: default, target: iqn.2020-04.com.westos:server120, portal: 172.25.254.120,3260]
Login to [iface: default, target: iqn.2020-04.com.westos:server120, portal: 172.25.254.120,3260] successful.

fdisk -l
An additional device, sda, now appears

[root@westos_student4 ~]# fdisk -l

Device       Boot Start      End  Sectors  Size Id Type
/dev/loop0p1 *        0 16478207 16478208  7.9G  0 Empty
/dev/loop0p2      23900    44279    20380   10M ef EFI (FAT-12/16/32)


Disk /dev/sda: 100 MiB, 104857600 bytes, 204800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

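fdisk /dev/sda    ---> create /dev/sda1
mkfs.xfs /dev/sda1
mkdir /iscsidisk

vim /etc/fstab    ---> persistent mount for a network device

/dev/sda1 /iscsidisk xfs defaults,_netdev 0 0

7. Configure the MariaDB database service:

1* Install the mariadb database on server120, enable it at boot, and allow the service through the firewall. Set the database root administrator password to westos, restrict the root user to logging in from localhost only, remove anonymous users, and delete the test database.

---> when logging in to the database, root cannot use the -h ip form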

dnf install mariadb-server -y
systemctl enable --now mariadb
firewall-cmd --permanent --add-service=mysql

mysql_secure_installation    ---> secure initialization
Set the password to westos

2* Create a database named redhat and restore data into it from the backup file located at: http://classroom.example.com/pub/materials/mariadb/mariadb.dump .

CREATE DATABASE redhat ;
mkdir /westos/html/pub/materials/mariadb -p
mysqldump -uroot -p redhat > /westos/html/pub/materials/mariadb/mariadb.dump
/westos/html is httpd's default document root
---> create the directory and store the backup in it

vim /etc/hosts
172.25.254.120 classroom.example.com

http://classroom.example.com/pub/materials/mariadb/mariadb.dump

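3* Create the database user mary with select, insert, update and delete privileges on the redhat database, password mary_passwd. The user natasha can log in to the database from client120 and has select privilege on the redhat database, password natasha_passwd.

---> grant privileges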

[root@node1 ~]# mysql -uroot -p
Enter password:

MariaDB [(none)]> CREATE USER marry@localhost identified by 'marry_passwd';    ---> create the user
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> SELECT Host,User,Password FROM mysql.user;
+-----------+-------+-------------------------------------------+
| Host      | User  | Password                                  |
+-----------+-------+-------------------------------------------+
| localhost | root  | *28C1E2BE21B45562A34B6CC34A19CFAFC2F88F96 |
| 127.0.0.1 | root  | *28C1E2BE21B45562A34B6CC34A19CFAFC2F88F96 |
| ::1       | root  | *28C1E2BE21B45562A34B6CC34A19CFAFC2F88F96 |
| localhost | marry | *3C2113A96DB3D97C7E129966461E107FC1DA214C |
+-----------+-------+-------------------------------------------+
4 rows in set (0.001 sec)

Grant privileges
MariaDB [(none)]> GRANT SELECT,INSERT,UPDATE,DELETE on redhat.* to marry@localhost;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> show grants for marry@localhost
    -> ;
+--------------------------------------------------------------------------------------------------------------+
| Grants for marry@localhost                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'marry'@'localhost' IDENTIFIED BY PASSWORD '*3C2113A96DB3D97C7E129966461E107FC1DA214C' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `redhat`.* TO 'marry'@'localhost'                                    |
+--------------------------------------------------------------------------------------------------------------+

Create the natasha user

MariaDB [(none)]> CREATE USER natasha@'%' identified by 'natasha_passwd';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> SELECT User,Host FROM mysql.user;
+---------+-----------+
| User    | Host      |
+---------+-----------+
| natasha | %         |
| root    | 127.0.0.1 |
| root    | ::1       |
| marry   | localhost |
| root    | localhost |
+---------+-----------+
5 rows in set (0.001 sec)

Grant privileges
MariaDB [(none)]> GRANT SELECT on redhat.* to natasha@'%';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> show grants for natasha@'%';
+--------------------------------------------------------------------------------------------------------+
| Grants for natasha@%                                                                                   |
+--------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'natasha'@'%' IDENTIFIED BY PASSWORD '*9F16233DC12AAB6C73F2B10432D0B00B44D8A94D' |
| GRANT SELECT ON `redhat`.* TO 'natasha'@'%'                                                            |
+--------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

Client
mysql -unatasha -p -h172.25.254.120    ---> login works
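
The task limits root to localhost and natasha to the client host, while natasha@'%' above accepts any source address. The following is an added example, not part of the original post: a review of the account list for anonymous accounts, remote root entries and wildcard hosts. The function names audit_db_accounts and sample_rows are hypothetical.

```shell
# audit_db_accounts: read "user<TAB>host" rows on stdin, as printed by
#   mysql -uroot -p -N -B -e 'SELECT User,Host FROM mysql.user'
# and print one finding per account that is broader than the task allows.
audit_db_accounts() {
    awk -F '\t' '
        NF < 2 { next }
        $1 == "" { print "anonymous-account", "@" $2; next }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "remote-root", "root@" $2; next
        }
        $2 ~ /%/ { print "wildcard-host", $1 "@" $2 }
    '
}

# Constructed sample: the five rows of the table in the post, followed by two
# constructed rows of the kind mysql_secure_installation removes.
sample_rows() {
    printf '%s\t%s\n' \
        natasha '%' \
        root 127.0.0.1 \
        root ::1 \
        marry localhost \
        root localhost \
        '' localhost \
        root '%'
}

# A narrower account for the client in this post (172.25.254.220) would be:
#   CREATE USER natasha@'172.25.254.220' IDENTIFIED BY '...';
#   GRANT SELECT ON redhat.* TO natasha@'172.25.254.220';
sample_rows | audit_db_accounts
```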

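8. Configure the SMB service

1* Configure the smb share service on server120; it must start at boot and be allowed through the firewall.

2* Create the shared directory /smbshare with the share name smbshare; members of the marketing group can read and write this share, and people who are not in the marketing group can only read


The test was done directly on this host, so the client is installed as well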
dnf install samba samba-client samba-common
systemctl enable --now smb
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
mkdir /smbshare
chcon -t samba_share_t /smbshare/
cp /etc/samba/smb.conf.example /etc/samba/smb.conf
vim /etc/samba/smb.conf
[smbshare]
comment = smb
path = /smbshare
write list = +marketing    ---> only the config file is edited here; the users below are created just for testing

systemctl restart smb
[root@localhost ~]# smbclient -L //172.25.254.120/smbshare
Enter MYGROUP\root’s password:
Anonymous login successful

Sharename       Type      Comment
---------       ----      -------
smbshare        Disk      smb
IPC$            IPC       IPC Service (Samba Server Version 4.11.2)

SMB1 disabled – no workgroup available
chmod 777 /smbshare
useradd marketing
useradd linux
smbpasswd -a marketing
smbpasswd -a linux

[root@localhost ~]# pdbedit -L
marketing:1003:
linux:1001:

[root@localhost ~]# mount -o username=linux,password=westos //172.25.254.120/smbshare /mnt
[root@localhost ~]# df
//172.25.254.120/smbshare 9450496 4739344 4711152 51% /mnt
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# ls
file
[root@localhost mnt]# touch westos
touch: cannot touch ‘westos’: Permission denied

[root@localhost mnt]# usermod -G marketing linux

[root@localhost ~]# umount /mnt
[root@localhost ~]# mount -o username=linux,password=westos //172.25.254.120/smbshare /mnt

[root@localhost ~]# cd /mnt/
[root@localhost mnt]# ls
file
[root@localhost mnt]# touch westos
[root@localhost mnt]# ls
file westos
3* Create the samba-only users brian and rob; brian belongs to the marketing group, and both users' password is westos
[root@localhost ~]# useradd -s /sbin/nologin brian -M

[root@localhost ~]# useradd -s /sbin/nologin rob -M
[root@localhost ~]# smbpasswd -a brian
New SMB password:
Retype new SMB password:
Added user brian.
[root@localhost ~]# smbpasswd -a rob
New SMB password:
Retype new SMB password:
Added user rob.
[root@localhost ~]# pdbedit -L
marketing:1003:
brian:1005:
linux:1001:
rob:1006:
[root@localhost ~]# usermod -G marketing brian
[root@localhost ~]# id brian
uid=1005(brian) gid=1005(brian) groups=1005(brian),1003(marketing)

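---> brian is equivalent to linux

4* On client120, create the mount point directory /mnt/multiuser, mount the smbshare share from server120 automatically at boot, and enable smb multiuser mount support.

---> On the client, install autofs and cifs-utils
A Samba client multiuser mount lets the user identity used to access the Samba share change without remounting the resource. The mount options must include multiuser, and ordinary users on the client can submit new credentials with cifscreds. Mounting a Samba share on the client requires the cifs-utils package. When configuring a boot-time mount for a network resource, remember to add the _netdev option, which means the resource is mounted only after the client's network configuration is available.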

dnf install cifs-utils

[root@westos_student4 ~]# vim /etc/auto.master

/mnt /etc/auto.cifs

[root@westos_student4 ~]# vim /etc/auto.cifs
multiuser -fstype=cifs,credentials=/root/smbauth,multiuser,sec=ntlmssp ://172.25.254.120/smbshare
[root@westos_student4 ~]# vim /root/smbauth
username=linux
password=westos

[root@westos_student4 ~]# su - kiosk
Last login: 一 12月 7 03:32:58 CST 2020 on tty2
[kiosk@westos_student4 ~]$ cd /mnt/
[kiosk@westos_student4 mnt]$ cd multiuser
[kiosk@westos_student4 multiuser]$ df

//172.25.254.120/smbshare 9450496 4747716 4702780 51% /mnt/multiuser
[kiosk@westos_student4 multiuser]$ ll
ls: cannot open directory ‘.’: Permission denied
[kiosk@westos_student4 multiuser]$ cifscreds add -u linux 172.25.254.120    ---> linux (a samba user on the server host)
Password:
[kiosk@westos_student4 multiuser]$ ll
total 0
-rwxr-xr-x. 1 kiosk kiosk 0 12月 7 04:33 file
-rwxr-xr-x. 1 kiosk kiosk 0 12月 7 04:36 westos
