To install XAMPP in Alma Linux:
- sudo yum install tree
- sudo yum install net-tools
- sudo yum install perl
- sudo yum install libnsl
copy the file test.conf to the directory /etc/tmpfiles.d and the system will create the folder for you upon rebooting
d /testing-temp 1777 root root 20d #this folder will be created upon reboot, then deleted after 20 days
L /root/ifcfg-wlan1 - #creates a symlink (shortcut); a symlink's permissions always show as 777
Put your *.conf files in /etc/tmpfiles.d/ for them to run
/usr/lib/tmpfiles.d/ - package-managed; programs normally copy their temporary-directory configs here. The following is the hierarchy of the directories; the ones on top take precedence over the folders below:
/etc/tmpfiles.d/ ;
/run/tmpfiles.d/ ;normally from run-time, dynamically used, don't worry about that
/usr/lib/tmpfiles.d/ ;for customisation done by us, copy the *.conf file from here to /etc/tmpfiles.d/ so it doesn't get overridden when the system is updated
The above is all NEW in RH7
CHAPTER 1
The file /root/anaconda-ks.cfg can be used as a template to install RH7
In a kickstart file you have these sections:
- COMMAND
- PACKAGES ;starts from line 217 in the anaconda-ks.cfg file (%packages ... %end)
- Pre-install script (optional) (%pre ... %end) scripts to join a domain, etc.
- Post-install script (optional) (%post ... %end) scripts to create specific users, etc.
Use yum grouplist OR yum grouplist hidden ;note that "Core" is one of the groups
CHAPTER 5
When running top, look at the column S for the process state, S (sleeping) or R (running); don't let a single process dominate the CPU; check "rt" for real time. To put stress on a system use these tasks:
md5sum /etc/passwd
md5sum /dev/zero &
dd if=/dev/zero of=/dev/null &
- ps axo pid,user,ni,comm ;pid,user,ni,comm are the columns to show; you'd need to go through the man pages for the others
- ps -eo pid,user,ni,comm ;same as above
The actual priority is PR, which we cannot change directly, but we can influence it by modifying the NICE value. Priority only takes effect when there is contention
CHAPTER 6
Even if you set group:stoegs:rwx in the ACL, you'll only get the effective permission of that minus the umask. Use -k to remove the default ACL entries of a folder, use -b to remove all ACL entries and come back to square one. If Anaconda formatted the drive, most likely it will have ACL support, but on RHEL6 drives added after installation you need to add the "acl" option to the entry in /etc/fstab. Note that vfat has no ACL support
Big X (when using chmod or setfacl, the capital X will only set x on files that already have an x for any of user/group/other)
CHAPTER 7 - SELINUX
getenforce checks the mode SELinux operates in; to change the security level you can use setenforce 0 (permissive) or setenforce 1 (enforcing); setenforce can only be set to 0 or 1; to disable the service entirely edit /etc/selinux/config
If you cp a file with -a it will reset the context of the file, and probably SELinux will block it; if you mv, the context won't change. To troubleshoot you can use setenforce 0 and see if the service can access the files okay, but don't test this on live servers; curl http://localhost/index.html uses curl as a browser within the CLI.
Get used to using the man pages a lot, they are available on the exam; see semanage-fcontext and the other pages. For RHCE you must know SELinux really well, but for RHCSA mostly how to operate the commands, etc.
semanage fcontext -l
getsebool -a | grep http ;notice how httpd_use_nfs is off, you must set the boolean on to allow this: setsebool -P httpd_use_nfs on (only add -P if you want to make the change persistent). Another one to look for is "ftpd_anon_write" to allow anonymous users to write ; semanage boolean -l to manage all your booleans
yum install selinux-policy-devel ;good for troubleshooting, afterwards you can use e.g. man httpd_selinux, but remember to run "mandb" to re-index the man pages; man -k _selinux
CHAPTER 8
After yum install authconfig-gtk, do yum install sssd
yum list "ipa*"
CHAPTER 9
blkid /dev/sda ;tells you if you are using 'dos' (MBR) or UEFI; the command lsblk shows you everything while blkid only shows you the formatted partitions; on CentOS you should use fdisk -cu /dev/sda, in RH you don't need the -cu
Type 'mkfs' and press tab twice to see the options; extended partitions cannot be formatted, they are used only as containers
In /etc/fstab it is better to put the UUID (which only changes if you format) and not the /dev/sda1 name, just in case you add a new drive; use the command blkid to find out the UUID. This is considered best practice
BK is really good, he grepped the line he needed from blkid and appended it with >> to the fstab file, so he has the UUID there in the file
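As an added example (this is not from the notes and not BK's own steps), a small shell script that turns a blkid line into the UUID-based /etc/fstab entry described above, instead of appending the raw blkid line and editing it by hand. The blkid output in SAMPLE_BLKID, the device names and the mount points are constructed sample values; on a real box you would pass "$(blkid)" instead.

```shell
#!/bin/sh
# Added example: build a UUID-based fstab entry from blkid output.
# SAMPLE_BLKID is constructed data that mimics two lines of "blkid".
SAMPLE_BLKID='/dev/sda1: UUID="1b2c3d4e-0000-4111-8222-333344445555" TYPE="xfs" PARTUUID="0a1b2c3d-01"
/dev/sda2: UUID="aaaabbbb-cccc-4ddd-8eee-ffff00001111" TYPE="swap" PARTUUID="0a1b2c3d-02"'

# uuid_of DEVICE BLKID_TEXT -> prints the UUID of DEVICE, or nothing if absent
uuid_of() {
    printf '%s\n' "$2" | awk -v dev="$1:" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID="/) { sub(/^UUID="/, "", $i); sub(/"$/, "", $i); print $i }
        }'
}

# fstab_entry DEVICE MOUNT_POINT FSTYPE BLKID_TEXT -> prints one fstab line
# that mounts by UUID, so it keeps working if /dev names shift after adding a drive.
fstab_entry() {
    uuid=$(uuid_of "$1" "$4")
    [ -n "$uuid" ] || { echo "no UUID found for $1" >&2; return 1; }
    if [ "$3" = swap ]; then
        printf 'UUID=%s none swap defaults 0 0\n' "$uuid"
    else
        printf 'UUID=%s %s %s defaults 0 0\n' "$uuid" "$2" "$3"
    fi
}

# Demo with the constructed blkid output (append to /etc/fstab only after checking it):
fstab_entry /dev/sda1 /data xfs "$SAMPLE_BLKID"
fstab_entry /dev/sda2 none swap "$SAMPLE_BLKID"
```

Run it as is to see the two entries; for a real disk use fstab_entry /dev/sdb1 /data xfs "$(blkid)", inspect the line, then append it with >> /etc/fstab and check with mount -a before rebooting.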
sysctl -a | grep swap ;the value goes from 0 to 100, set it to 1 on a DB system so the system will try not to swap
vmstat 2 ;shows you statistics every 2 seconds; swapon -s shows you the device used for swapping
Ensure all partitions show in /proc/partitions; if not, run partprobe to pass them to the kernel. In /etc/fstab the higher number (pri=20) has priority for swapping
LVM ;first use pvcreate to create physical volumes out of the physical drives (pvdisplay to check); then use vgcreate to create a volume group
In the man pages the [ ] are optional ;you cannot (or should not) reduce an xfs-formatted volume
CHAPTER 11
cat /etc/exports to see your nfs shares
iptables --flush ; firewall-cmd
in sec=sys the permission is determined by the user ID (UID)
in sec=krb5 the client needs to download the /etc/krb5.keytab file from the nfs server; systemctl enable nfs-secure
yum install sssd authconfig krb5-workstation = you must remember this well in the exam!!!
wget -O /etc/krb5.keytab http://lfjsfjsmycert.
CHAPTER 12
For Samba you need to install cifs-utils ;the server config is in /etc/samba/smb.conf ;NFS doesn't have that concept, but for Samba you have the concepts of Share Name and Share Path, on NFS you only need the Share Path; to mount a samba share onto the /mnt folder use: mount -o username=student,password=student //server13/public /mnt
//server13/public /abc cifs credentials=/root/mypasswd 0 0
#The above is an fstab entry that keeps the credentials in a file for mounting
yum provides "*/smbclient" ;queries the repos to see what package you need in order to get the smbclient command
find /lib/modules/3.10.0.5xxxx/ -name "*.ko"
lsinitrd ;used to display the contents of the initramfs, i.e. the modules used by the kernel at boot
pstree ;shows parent-child relations
mount -o remount,rw / ;lovely command to know to re-mount the fs read-write while in emergency mode
rd.break console=tty0 ;in rescue mode the root filesystem (that contains the shadow file) is mounted at /sysroot
ls /sysroot/usr/bin/passwd ;this is where the passwd command resides in rescue mode, used to reset the root password
touch /.autorelabel ;ensure you type it correctly
edit the file /boot/grub2/grub.cfg and look at the sections starting with menuentry ;the line set root='hd0,msdos1' specifies which hard drive and which partition the system will boot from
grub2-mkconfig > /boot/grub2/grub.cfg ;to generate the file; grub also runs the scripts found in /etc/grub.d/; you can also edit /etc/default/grub and then re-generate the file.
dd if=/dev/zero of=/dev/vda bs=400 count=1 ;this command erases the boot loader! To fix it boot from DVD then run grub2-install /dev/vda
CHAPTER 14
In RH6 they use systemctl status iptables.service, but from RHEL7 this service is disabled and they use firewalld instead
A zone is just a set of rules
Zone matching:
1. match by source ip
2. match by nic
3. otherwise, the default zone
firewall-cmd -- then tab ;and you'll see all the options; most popular are: --get-active-zones (this will tell you what is matching), --list-all (shows you the services that are allowed); --remove-service=samba-client (removes that service from the runtime config); --add-service= then press tab-tab to see the services available (add the switch --permanent to make it all permanent)
firewall-cmd --add-source=NETWORK/24 --zone=dmz --permanent
any traffic from this range will go to dmz, while the rest will go to public
firewall-config to call the GUI
Globbing
* , ? , []
{} Brace expansion; echo a{1,2,3}
${VARIABLE} - variable expansion
$(COMMAND) - command substitution
`COMMAND` - command substitution (old backtick form)
"" = weak quote, prevents brace expansion but not command substitution
' ' = strong quote, it prevents everything
NOTES FROM BK - DAY 1
grep 'regex' FILE...
COMMAND | grep 'regex'
grep -iR 'regex' DIRECTORY
------------------------------------------
-v - reverse logic (not)
-i - case-insensitive
-Ax - show x lines of context After each match
-Bx - show x lines of context Before each match
--color - color code results
-E - support extended regex
-e - REGEX, can be used multiple times
Globbing != Regex
/ - forward search (in less/vim)
? - reverse search (in less/vim)
RegEx Metacharacters
===============================================================================
^ - line starts with
$ - line ends with
[] - character set. match ONE character in the set
[^] - not in the set
. - match one character, any character
* - multiplier. previous character can be repeated 0 or more times
+ - multiplier. previous character can be repeated 1 or more times (extended)
{X} - multiplier. exactly X times. (extended)
< - word starts with (extended)
> - word ends with (extended)
\ - Escape next character.
-------------------------------
Basic regex vs Extended regex
LAB pages 32 + 34
- - - - () --------
LAB pages 44,55,57
Commands:
---------
i - insert
G - goto last line
gg - goto first line
yy - yank (copy) line
dd - cut line
p/P - paste after/before
u - undo
ctrl-r - redo
v,V,ctrl+v - visual char,visual line,visual block
Extended Commands
------------------
w
q
wq
q!
NUMBER
set number
register
:RANGEs/cat/dog/gi
:%s/cat/dog/gi
% ---> process entire file
1,3 ---> process line 1 to line 3 inclusive
- g ---> global replacement (per line basis)
- i ---> case-insensitive
MULTIPLIER ACTION MOVEMENT
2 y w - copy two words
3 d } - delete/cut three paragraphs
c w - change a word
- - - -() - - - -
Review Day 1
------------
Kickstart
---------
- To automate Red Hat Installations
- Need a kickstart text file
- use /root/anaconda-ks.cfg as a template
- GUI: system-config-kickstart
- File has 4 sections: command,packages,pre,post
- ksvalidator can check the file syntax for errors
- You can place your kickstart file in a
- usb drive, cdrom, upload to a webserver/ftp server
- Boot from DVD
- Select the install option and press TAB
- append: ks=http://server/myks.cfg
Regular expressions
-------------------
- For string pattern matching
- grep, searching in man, searching in less/vim, and many more
- Special characters:
^ - line starts with
$ - line ends with
[akx] - single character must be a OR k OR x
[^akx] - single character CANNOT be a OR k OR x
. - any single character
\ - escape next character
- Multipliers
* - Previous character can be repeated 0 or more times
+ - Previous character can be repeated 1 or more times
(with grep must use -E option), in vim must be escaped!
\{X\} - Previous character must occur EXACTLY X times
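The grep options and regex metacharacters listed above (both in the DAY 1 notes and in this review) are easier to remember when run against real input. The following is an added example, not part of the course notes: SAMPLE_LOG is a constructed sshd-style log (hosts, users and addresses are made up), and each function applies one of the options or metacharacters from the list; the last one shows the kind of thing you actually do with grep on a server, counting failed logins per source address.

```shell
#!/bin/sh
# Added example: grep options and regex metacharacters on a constructed log.
SAMPLE_LOG='Jan 10 09:00:01 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000
Jan 10 09:00:07 host1 sshd[1210]: Failed password for root from 10.0.0.9 port 51012
Jan 10 09:00:08 host1 sshd[1210]: Failed password for root from 10.0.0.9 port 51012
Jan 10 09:01:15 host1 sshd[1233]: Failed password for invalid user admin from 10.0.0.9 port 51020
Jan 10 09:02:30 host1 sshd[1240]: Accepted password for bob from 10.0.0.7 port 51031
Jan 10 09:03:00 host1 sshd[1250]: Connection closed by 10.0.0.9 port 51040'

log() { printf '%s\n' "$SAMPLE_LOG"; }

# count_basic PATTERN -> lines matching a basic regex (^ $ [] . * work here)
count_basic() { log | grep -c "$1"; }
# count_ext PATTERN   -> extended regex (-E): + and {X} work without backslashes
count_ext()   { log | grep -Ec "$1"; }
# count_icase PATTERN -> case-insensitive (-i)
count_icase() { log | grep -ic "$1"; }
# count_not PATTERN   -> lines that do NOT match (-v)
count_not()   { log | grep -vc "$1"; }
# count_any P1 P2     -> lines matching either pattern (-e given twice)
count_any()   { log | grep -c -e "$1" -e "$2"; }
# context_lines PATTERN -> how many lines -B1 prints: the match plus one line Before it
context_lines() { log | grep -B1 "$1" | wc -l | tr -d ' '; }

# top_failed_source -> "IP COUNT" for the address with the most failed password attempts
top_failed_source() {
    log | grep 'Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2, $1 }'
}

# Demo: each line shows the option or metacharacter being exercised
echo "^ anchor, lines starting 'Jan 10 09:00':  $(count_basic '^Jan 10 09:00')"
echo "[] set and \$ anchor, port 5101x at EOL:   $(count_basic 'port 5101[0-9]$')"
echo "-E with + and \\[ escapes:                 $(count_ext 'sshd\[[0-9]+\]: Failed')"
echo "-E with {4}:                               $(count_ext 'sshd\[[0-9]{4}\]')"
echo "-i:                                        $(count_icase 'ACCEPTED')"
echo "-v (not Failed):                           $(count_not 'Failed')"
echo "-e twice:                                  $(count_any 'Accepted' 'closed')"
echo "-B1 lines printed for 'invalid user':      $(context_lines 'invalid user')"
echo "top failed source:                         $(top_failed_source)"
```

The counts come from grep -c, which counts matching lines rather than matches; the same patterns work on a real /var/log/secure by replacing the log function with cat of that file.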
VIM
---
- Text editor
- Three modes: command, insert, ex
- Useful commands:
u - undo
ctrl-r - redo
yy - yank (copy) entire line
dd - cut entire line
v - visual mode
p/P - paste after/before
i - insert
o - open new line in insert mode
- ex
:wq
:q!
:set number
Cron, at, systemd-tmpfile
--------------------------
- at for one time job
- cron for recurring jobs
- at TIMESPEC (always time first before date)
at 10pm
at 3pm 31 July
- ctrl-d
- atq
- atrm JOBID
- cron
- user cron --> crontab -e
- system cron --> /etc/crontab , /etc/cron.d/
- anacron
- executed hourly by cron (/etc/cron.hourly/0anacron)
- /etc/anacrontab
- controls /etc/cron.{daily,weekly,monthly}
- Benefit: missed jobs will be executed
- Con: Cannot control exact time the job is run
- systemd-tmpfiles --clean --remove
-> executed once at boot time
-> creates or delete files based on configuration
- systemd-tmpfiles --clean
-> purges files based on aging
-> executes once a day
- /etc/tmpfiles.d/
--OVERRIDES--
/run/tmpfiles.d
--OVERRIDES--
/usr/lib/tmpfiles.d
- e.g.
cat /etc/tmpfiles.d/test.conf
d /testing 1777 root root 1d -
cat /usr/lib/tmpfiles.d/test.conf
d /testing 1777 root root 20d -
==> files in /testing age will be 1d and not 20d because /etc has preference over /usr/lib
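The precedence rule described here and in the tmpfiles.d notes at the top of the page can be checked without touching the real system. The script below is an added example, not from the course notes: it rebuilds the three tmpfiles.d directories under a temporary prefix, with a test.conf of 1d in etc and 20d in usr/lib exactly as in the cat example above, and resolves which file wins by name. The cache.conf entry and the temporary prefix are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce the tmpfiles.d precedence rule. systemd-tmpfiles reads
# /etc/tmpfiles.d, /run/tmpfiles.d and /usr/lib/tmpfiles.d; when the same file NAME
# exists in more than one, the earliest directory wins and the later copies are ignored.

# winning_conf NAME DIR... -> prints the path that would be used for config NAME,
# searching DIRs in precedence order; returns 1 if no directory has it.
winning_conf() {
    name=$1; shift
    for d in "$@"; do
        if [ -f "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# list_effective DIR... -> "NAME<TAB>PATH" for every distinct *.conf, keeping only
# the first (highest precedence) occurrence of each name.
list_effective() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.conf; do
            [ -e "$f" ] || continue
            printf '%s\t%s\n' "${f##*/}" "$f"
        done
    done | awk -F '\t' '!seen[$1]++'
}

# make_demo_tree PREFIX -> constructs the three directories under PREFIX with the
# test.conf pair from the notes (1d in etc, 20d in usr/lib) plus one lib-only file.
make_demo_tree() {
    mkdir -p "$1/etc/tmpfiles.d" "$1/run/tmpfiles.d" "$1/usr/lib/tmpfiles.d"
    printf 'd /testing 1777 root root 1d -\n'  > "$1/etc/tmpfiles.d/test.conf"
    printf 'd /testing 1777 root root 20d -\n' > "$1/usr/lib/tmpfiles.d/test.conf"
    printf 'd /cache 0755 root root 7d -\n'    > "$1/usr/lib/tmpfiles.d/cache.conf"
}

# age_for NAME PREFIX -> the age field (6th column) of the first entry in the
# effective config file for NAME.
age_for() {
    p=$(winning_conf "$1" "$2/etc/tmpfiles.d" "$2/run/tmpfiles.d" "$2/usr/lib/tmpfiles.d") || return 1
    awk '!/^#/ && NF >= 6 { print $6; exit }' "$p"
}

# Demo in a throwaway directory
demo=$(mktemp -d)
make_demo_tree "$demo"
list_effective "$demo/etc/tmpfiles.d" "$demo/run/tmpfiles.d" "$demo/usr/lib/tmpfiles.d"
echo "effective age for /testing: $(age_for test.conf "$demo")"   # 1d, not 20d
rm -rf "$demo"
```

Pointing the same functions at the real /etc/tmpfiles.d, /run/tmpfiles.d and /usr/lib/tmpfiles.d shows which package-supplied files you have shadowed with your own copies.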
NOTES FROM BK - DAY 2
REVIEW day 2
------------
Process priorities:
-------------------
- can be affected by the NICE value
- (higher priority) -20 --> +19 (lower priority)
<-------increase priority (root) --------
-------decrease priority (normal users) -->
- nice -n NICEVALUE CMD
- renice -n NICEVALUE PID
- top can also renice processes:
short-cut --> r
ACL
---
- To overcome basic permission limitations
- more than one user
- more than one group
- Three types of entries:
- normal acl entries
- default acl entries (only applies to dir)
- files/subdir inherit the default acl
- mask (does not affect original user owner and others)
- setfacl -m ACL_SPEC FILE|DIR
- setfacl -x ACL_SPEC FILE|DIR
- ACL_SPEC examples:
u:john:rx
g::rwx
g:sales:rw
o::-
- if BIG X is used, it only applies to subdirectories and existing files that
have ANY execute bit
(useful for recursions)
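The mask entry is the part of ACLs people get wrong on the exam: a named user or group entry of rwx still only gives what survives the mask. The script below is an added example, not from the course notes: it takes getfacl-style output (SAMPLE_GETFACL is constructed; john and sales are sample names) and prints the effective permission of every masked entry, which is what getfacl itself reports as "#effective:". The owning user and other entries are passed through untouched, matching the note above.

```shell
#!/bin/sh
# Added example: compute effective ACL permissions (entry AND mask).
# Constructed getfacl output for a directory with a mask of r-x:
SAMPLE_GETFACL='# file: project
# owner: root
# group: root
user::rwx
user:john:rwx
group::r-x
group:sales:rw-
mask::r-x
other::---'

# perm_and PERMS MASK -> the bits present in both, e.g. "rwx" "r-x" -> "r-x"
perm_and() {
    a=$1; b=$2; out=; i=1
    while [ $i -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -c$i)
        cb=$(printf '%s' "$b" | cut -c$i)
        if [ "$ca" = "$cb" ] && [ "$ca" != - ]; then out="$out$ca"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_acl GETFACL_TEXT -> the entries again, with "#effective:" appended to
# every entry the mask applies to (named users, named groups and the owning group).
effective_acl() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -z "$line" ] && continue
        case $line in
            '#'*) continue ;;                           # comment header from getfacl
            user::*|other::*|mask::*) printf '%s\n' "$line" ;;   # not masked
            user:*|group:*)
                perms=${line##*:}
                printf '%s\t#effective:%s\n' "$line" "$(perm_and "$perms" "$mask")" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

effective_acl "$SAMPLE_GETFACL"
```

On a live system, getfacl DIR produces the same input; if an entry shows a smaller effective set than you set with setfacl -m, the fix is to raise the mask (setfacl -m m::rwx DIR), not to repeat the user entry.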
SELINUX
-------
- 3 modes: enforcing,permissive,disabled
- /etc/selinux/config
- getenforce
- setenforce 0|1 (will not survive a reboot)
- yum install selinux-policy-devel
mandb
man -k _selinux
- yum install setroubleshoot-server
/var/log/messages
sealert -l UUID
- restorecon -vFR DIR
- man semanage-fcontext
-> we can add custom rules to the file context
NETWORK USERS
-------------
- Centralize user account and authentication
- authconfig-gtk, sssd, krb5-workstation
- ldap for user info + kerberos for authentication
- LDAP:
1. FQDN ldap server
2. BASE DN
3. CA cert (for tls encryption)
- KERBEROS:
1. KDC
2. REALM
3. ADMIN servers
(or dns could be used to auto detect settings
if configured)
NOTES FROM BK - DAY 3
Review Day 3
-------------
Partitions and File Systems
---------------------------
- 2 partitioning schemes - MBR and GPT
  MBR                                    GPT
  ---                                    ---
  - fdisk                                - gdisk
  - Primary, extended, logical           - N/A
  - Need extended partition to have      - N/A
    more than 4
  - Max 2 TB per partition               - Max 8 ZiB per partition
- For an existing disk that has been partitioned, DON'T simply convert
the partitiong scheme (even though gdisk will offer to convert MBR to
GPT for you)
  File system                            Swap
  -----------                            ----
  1. Create partition                    1. Create partition
     - id: 83/8300                          - id: 82/8200
  2. cat /proc/partitions                2. - SAME -
     - if not visible: partprobe
  3. Format with a filesystem            3. Format as swap
     mkfs -t FSTYPE DEVICE                  mkswap DEVICE
     (ext4,xfs,vfat,...)
  4. Create a mount point                4. - N/A -
     mkdir DIRECTORY
  5. Update /etc/fstab                   5. - SAME, with slightly different settings -
  6. mount -a ; df -h                    6. swapon -a ; swapon -s
LVM
---
- Provides the ability to group multiple storage as ONE
- Each storage is formatted as a PV and then grouped together as a VG
- PE is the smallest unit/chunk in a VG. Specified when the VG is created
with -s
- LV and VG can be extended or reduced (hence flexible)
- pvs,vgs,lvs
- pvdisplay,vgdisplay,lvdisplay
- pvcreate , vgcreate , lvcreate
- vgextend, pvmove , vgreduce
- lvextend
- resize2fs , xfs_growfs
Access NFS
----------
- Package required: nfs-utils
- 5 security mechanisms:
sec=none|sys|krb5|krb5i|krb5p
- If using krb5 stuff, needs:
- Client must be authenticated with the same
central authentication server as the nfs server
- Client should enable and start nfs-secure service
- Client needs a /etc/krb5.keytab file issued from the
kerberos administrator
- Manual mount:
mount -o sec=SEC_TYPE,sync NFS_SERVER:SHARE_PATH MOUNT_POINT
- Mount at boot time:
/etc/fstab
NFS_SERVER:SHARE_PATH MOUNT_POINT nfs sec=SEC_TYPE,sync 0 0
- Mount on demand:
yum install autofs
systemctl enable autofs
systemctl start autofs
Indirect Map
-------------
NFS share server1:/shares/public
Mount point /myshares/pub
(indirect map needs a parent/child directory structure)
/etc/auto.master.d/myfile.autofs
/myshares /etc/auto.myshares
/etc/auto.myshares
pub -rw,sec=SEC_TYPE,sync server1:/shares/public
systemctl restart autofs
Direct Map
----------
NFS share server1:/shares/public
Mount point /pub
/etc/auto.master.d/myfile.autofs
/- /etc/auto.pub
/etc/auto.pub
/pub -rw,sec=SEC_TYPE,sync server1:/shares/public
systemctl restart autofs
Accessing SMB
-------------
- Required package: cifs-utils
- Optional : samba-client (gives you the smbclient command)
- To identify the share:
smbclient -L //server
(list the shares)
- Ways to connect:
- manual mount
mount -t cifs -o user=USERNAME //server/sharename /MOUNT_POINT
- mount at boot time: /etc/fstab
//server/sharename /mount_point cifs user=USER,password=123 0 0
OR
//server/sharename /mount_point cifs credentials=/root/myfile 0 0
WHERE /root/myfile -> FILE MODE MUST BE 600
username=USER
password=123
domain=DOMAIN <-- optional
- via smbclient (similar to ftp client)
smbclient -U USER //server/share
- Mount on demand (autofs)
- install, start and enable autofs
INDIRECT MAP example
--------------------
/etc/auto.master.d/shares.autofs
/shares /etc/auto.shares
/etc/auto.shares
pub -fstype=cifs,credentials=/root/myfile,rw ://server/public
DIRECT MAP example
--------------------
/etc/auto.master.d/shares-direct.autofs
/- /etc/auto.shares
/etc/auto.shares-direct
/shares -fstype=cifs,credentials=/root/myfile,rw ://server/public
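The fstab and autofs entries above both point at a credentials file that must be mode 600, otherwise every local user can read the Samba password. The script below is an added example, not from the course notes: it creates the credentials file with mode 600 from the moment it exists (umask 077 on the create, chmod for a file that was already there), checks a file before it is referenced, and prints the fstab line from the notes. The path, user, password and share are sample values and the demo writes under a temporary directory rather than /root.

```shell
#!/bin/sh
# Added example: create and verify the mount.cifs credentials file referenced
# by "credentials=/root/myfile" in /etc/fstab or an autofs map.

# write_cred_file PATH USER PASSWORD [DOMAIN]
# Creates PATH with mode 0600 and writes the key=value lines mount.cifs expects.
write_cred_file() {
    path=$1; user=$2; pass=$3; domain=$4
    ( umask 077 && : > "$path" ) || return 1   # new file is born 0600, never 0644
    chmod 600 "$path" || return 1               # covers a pre-existing wider-mode file
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$domain" ]; then printf 'domain=%s\n' "$domain"; fi
    } > "$path"
}

# cred_file_ok PATH -> 0 if PATH is a regular file, mode exactly 600, and has
# username= and password= lines; 1 otherwise. Uses ls -ld so it works without GNU stat;
# cut -c1-10 drops the trailing "." or "+" that SELinux contexts or ACLs add.
cred_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    grep -q '^username=' "$1" && grep -q '^password=' "$1"
}

# fstab_line SHARE MOUNT_POINT CRED_FILE -> the /etc/fstab entry from the notes
fstab_line() {
    printf '%s %s cifs credentials=%s 0 0\n' "$1" "$2" "$3"
}

# Demo in a throwaway directory (sample share, user and password)
demo_dir=$(mktemp -d)
write_cred_file "$demo_dir/mypasswd" student student
cred_file_ok "$demo_dir/mypasswd" && echo "credentials file OK (mode 600)"
fstab_line //server13/public /abc "$demo_dir/mypasswd"
rm -rf "$demo_dir"
```

Run cred_file_ok /root/mypasswd before mount -a; a file that fails the mode check should be fixed with chmod 600 rather than referenced as is.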
Review Day 4
------------
Boot chapter
------------
- systemd replaces systemV
- no more run levels
- instead we have targets
- systemd uses units
- units have types
autofs.service
cups.socket
etc...
- A target is a set of units grouped together
to achieve a system state
- When we boot up the system, a default target is used
to set up the system
graphical.target (with GUI)
multi-user.target (NO GUI)
- To manually switch between targets:
systemctl isolate graphical.target
systemctl isolate multi-user.target
- You can set/get the default target:
systemctl get-default
systemctl set-default TARGET
- Targets can be set by passing in a kernel argument at the bootloader menu
- systemd.unit=TARGET
- e.g. systemd.unit=rescue.target OR systemd.unit=emergency.target
- Use rd.break when trying to reset root password:
1. Interrupt GRUB at boot time
2. e to edit
3. Pass in rd.break, then ctrl-x
4. mount -o remount,rw /sysroot
5. chroot /sysroot
6. passwd
7. touch /.autorelabel
8. exit ; exit
- grub2-mkconfig regenerates the /boot/grub2/grub.cfg file
based on settings in /etc/default/grub and /etc/grub.d/
Firewall Chapter
-----------------
- Packet filtering handled by the kernel module netfilter
- Managed through EITHER iptables service or firewalld
- systemctl mask iptables.service
-> ensures that iptables service does not get started (will disrupt firewalld)
- firewalld
-> firewall-config (GUI tool)
-> firewall-cmd (command line)
- if --zone not specified, use default zone
- For persistent changes:
- Modify the PERMANENT settings (firewall-cmd .... --permanent )
- Reload firewall ( firewall-cmd --reload )
- A zone has a set of rules
- A packet is associated with a zone:
- depending on the interface it arrives on
- depending on its source IP
- if neither of the above 2 items matches, the default zone rules are used