Hands-on Guide to the Red Hat Exams: RHCSA and RHCE Cert Guide... : book mistakes
thedude666
Member Posts: 69 ■■□□□□□□□□
Hi all,
In this topic I just want to put out some errors in this book for ex200 and ex300 certification.
Didn't find any other good place to put the errors.
NOTE: I started at page 386; I am first looking at RHCSA mistakes (unless I accidentally read some RHCE stuff).
Migration tips:
Although this is not important for your exam, I still want to point out that it is actually mostly not necessary to disable SELinux protection for a service. As long as your file contexts are fine you should be able to run most services with SELinux protection (for example Apache).
Page 53:
"In both versions of Red Hat, you can also edit the config file from within the GRUB command line as well."
This might be somewhat misleading. You can edit the GRUB lines from the GRUB prompt; however, you need to make these changes in the file afterwards as well to make them permanent.
Page 94:
Reducing size: IMPORTANT! For doing that, FIRST resize the filesystem (resize2fs /dev/... smallersize) and then reduce the size of the logical volume (lvresize -L newsizeM /dev/...). Otherwise you will surely scr** up your filesystem.
Increasing LVs and filesystems can be done online; for reducing the size you need to unmount the filesystem first (which might require single-user mode).
Page 102:
partition type should be "Linux raid autodetect" (code: fd) for raid devices.
Page 108:
IIRC GRUB has no understanding of any RAID. If GRUB read from RAID0 (stripe) it would not be able to read correctly, as part of the data is on another disk. For RAID1 GRUB has no need to understand how the data is laid out; for GRUB it is just a normal disk.
Page 126(actually somewhat earlier):
With the mount command options, -L is shown. However, later on it is said (on page 126) that mount LABEL=labelname /mountpoint should be used and that -L is available on Ubuntu/Debian.
Page 147:
Task 3: both the soft and the hard limit have to be set to 50MB. So setting the hard limit alone to 50M would be sufficient.
Page 184:
The repo file starts with a unique repo id. The man page states that this should be one word, so there should be no spaces in it.
Page 184:
Creating an RPM package in RHEL6 is way simpler than the way outlined here. This is the old method (probably copy-pasted from RHEL5).
You can use:
- rpmdev-setuptree
- cd ~/rpmbuild
- rpmdev-newspec SPECS/hello.spec
- edit SPECS/hello.spec
- rpmbuild -ba SPECS/hello.spec
Page 210:
# chown nobody:Sales Sales/
# chmod 2770 /tmp/Sales
I am not 100% sure, but for example NFS uses user nobody as well when squash_all is used, and I wonder if this then allows them to write here.
I think it is always safe to set user root for such a setup.
EDIT: checked this in another book and they used nobody as well there.
Page 214:
yum install -y openldap nss_ldap
Errr... that actually works on RHEL5 but not on RHEL6.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-pam shows the new procedure
Page 313:
Enable the required Boolean value:
# setsebool -P allow_ssh_keysign=1
It is not at all necessary to enable this Boolean, not even for the exercise with keys for logging in.
The only thing you need to do to get SSH key authentication to work is to have the file context set correctly. Use restorecon for that, or check what file context you need using semanage fcontext -l | grep ssh and set it manually with chcon.
Page 317:
In the sshd_config file, change the following two options:
PasswordAuthentication no
PubKeyAuthentication yes
The second one is not necessary; it is the default value.
Page 374:
# iptables -I INPUT 5 -p tcp -m tcp --dport 137 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 138 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 139 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 445 -j ACCEPT
At first glance these seemed already incorrect to me.
You need these:
netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
If you think this is not correct, install samba, start smb and nmb. Then use netstat -utapn | grep -E "nmb|smb"
Page 386:
There are 2 iptables rules for allowing ftp, one for port 20 and another for port 21 (both incoming). However that is incorrect. With active FTP the server initiates a data channel originating from port 20 (so outgoing).
Page 391:
Task 2 – Secure FTP
Step 1. Set up an FTP server on RHEL01.
Step 2. Allow FTP access to the /home directory for all users on RHEL01.
Step 3. Ensure access from all other users on other systems in the lab is denied.
This task is not clear to me. So should only users from RHEL01 be able to log in remotely, or only by using ftp localhost?
In the first case no special action needs to be taken except opening the firewall on the correct ports. In the second case nothing has to be done; FTP is blocked by default.
The only thing I can think of is using user_list to enable only those users that are locally defined to log in.
Page 400: (actually earlier;DNS)
A forward only server needs:
forwarders{ ip1; ip2; ...};
forward only;
That's it.
Second, you need to edit the listen-on and allow-query directives and add the address the server should listen on if you want something useful (as RHCE requires you to set it up as a forwarding DNS server, and in the way explained at first only localhost will be able to make use of it).
Page 435:
In RHEL6, there is no longer a driftfile defined by default in the config file.
Yes, there is. I did a default install and the directive is there in the config file.
Page 439: What command is used to show all services being controlled by the xinetd daemon?
chkconfig xinetd --list
No entries are shown. So this does not seem to be correct. I would just use chkconfig --list.
Page 474:
yum install -y python-virtinst libvirt virt-manager libvirt-client
True when following the recommended packages to install.
However
yum install libvirt libvirt-manager
will result in the same.
I would think as well that you need to install the kvm package.
This installs the hypervisor.
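The page 94 point above (shrink the filesystem first, then the logical volume, and never while mounted) is the one mistake in this list that destroys data, so here is the procedure as a script. This is an added example, not from the book or from the original post. /dev/vg00/data, /srv/data and 2G are hypothetical values; MOUNT_TABLE is a constructed stand-in for /proc/mounts so the mounted-filesystem refusal can be exercised without root; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the book or the thread): shrink an ext3/ext4
# filesystem on an LVM logical volume in the only safe order:
#   1. refuse if it is mounted (ext filesystems cannot shrink online)
#   2. e2fsck -f      resize2fs refuses to shrink an unchecked filesystem
#   3. resize2fs      the FILESYSTEM first
#   4. lvreduce       the LOGICAL VOLUME second
# Swapping 3 and 4 cuts the tail off the filesystem and loses data.
# DRY_RUN=1 (default) prints the commands instead of executing them.
# /dev/vg00/data, /srv/data and 2G below are hypothetical demo values.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# is_mounted DEV -> 0 if DEV (or what it resolves to) is the source of any
# mount, 1 otherwise. Uses MOUNT_TABLE instead of /proc/mounts when that
# variable is set, so the check can be driven with a constructed table.
# On a real system /proc/mounts lists an LV as /dev/mapper/VG-LV; that and
# /dev/VG/LV both resolve to the same /dev/dm-N node, which is what we compare.
is_mounted() {
    want=$(readlink -f "$1" 2>/dev/null) || want=$1
    table=${MOUNT_TABLE-$(cat /proc/mounts 2>/dev/null)}
    printf '%s\n' "$table" | {
        while read -r src rest; do
            have=$(readlink -f "$src" 2>/dev/null) || have=$src
            if [ "$have" = "$want" ]; then exit 0; fi
        done
        exit 1
    }
}

# shrink_lv LV NEW_SIZE -> 0 on success, 2 if LV is mounted, 1 if a step
# failed. NEW_SIZE uses the K/M/G suffixes that both resize2fs and lvreduce
# read as powers of 1024 (2G = 2 GiB in both), so FS and LV end up equal.
shrink_lv() {
    lv=$1 new_size=$2
    if is_mounted "$lv"; then
        echo "refusing: $lv is mounted; umount it first (single-user mode if needed)" >&2
        return 2
    fi
    run e2fsck -f -p "$lv"               # exit 0 = clean, 1 = errors fixed
    case $? in 0|1) ;; *) echo "e2fsck did not leave $lv clean" >&2; return 1 ;; esac
    run resize2fs "$lv" "$new_size"   || return 1   # filesystem FIRST
    run lvreduce -L "$new_size" "$lv" || return 1   # logical volume SECOND
    run e2fsck -f -p "$lv"                          # confirm nothing was cut off
}

# Demo against a constructed mount table (nothing is read from this system).
MOUNT_TABLE="/dev/vg00/data /srv/data ext4 rw,seclabel 0 0"
echo "# with /srv/data still mounted:"
shrink_lv /dev/vg00/data 2G || echo "# refused, status $?"
echo "# after umount /srv/data:"
MOUNT_TABLE=""
shrink_lv /dev/vg00/data 2G
```

Run with DRY_RUN=0 only on an unmounted volume you have a backup of. The lvm2 in RHEL 6 also offers lvreduce -r (--resizefs), which runs the fsck and resize2fs steps for you before reducing the LV; it still requires the filesystem to be unmounted for a shrink.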
Comments
Lazydog Member Posts: 19 ■□□□□□□□□□
thedude666 wrote: »
Page 386:
There are 2 iptables rules for allowing ftp, one for port 20 and another for port 21 (both incoming). However that is incorrect. With active FTP the server initiates a data channel originating from port 20 (so outgoing).

You are correct, but it would depend on how you have set up your firewall rules.
If you are using PORT based then you need to allow for both ports 20 and 21.
If you are using STATE based then you only need to open port 21 and have the connection tracker for FTP loaded.
--
Regards
Robert
Smile....... it increases your face value!
thedude666 Member Posts: 69 ■■□□□□□□□□
Lazydog wrote: »
You are correct, but it would depend on how you have set up your firewall rules.
If you are using PORT based then you need to allow for both ports 20 and 21.
If you are using STATE based then you only need to open port 21 and have the connection tracker for FTP loaded.

The rule is:
iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
The server will initiate the connection, so the source port will be 20.
As this is in the INPUT chain and the destination port is 20, this rule will not match.
Also I think in general it is a good idea to use the session state and to use IPTABLES_MODULES="ip_conntrack_ftp" in /etc/sysconfig/iptables.
masterelfy Registered Users Posts: 3 ■□□□□□□□□□
Why not just use system-config-firewall? It's a ton faster than manually setting the iptables. Plus the fact most people will forget to set the ftp module in the iptables.
Regards.
thedude666 Member Posts: 69 ■■□□□□□□□□
masterelfy wrote: »
Why not just use system-config-firewall? It's a ton faster than manually setting the iptables. Plus the fact most people will forget to set the ftp module in the iptables.
Regards.

Of course you can use system-config-firewall (use anything that best suits your needs and gets you to the solution the fastest, as is the objective of RHCSA/RHCE).
However, do note that it only gives basic configuration options, and in the end using the config file is like copying a line, changing the port and adding the module, which is simple as well.
On some topics these tools might be faster, but on firewall I really doubt it (there are only a few services that are preconfigured, so you still need to know the ports).
Note that this tool overwrites any manual config you have done before. To me that is enough to never use it.
Also know that iptables is a skill you will use in real life and it will work on different Linux distros. So there is not much of a reason to not learn iptables.
Thanks for your reply!
Lazydog Member Posts: 19 ■□□□□□□□□□
thedude666 wrote: »
The rule is:
iptables -I INPUT 5 -p tcp -m tcp --dport 20 -j ACCEPT
The server will initiate the connection, so the source port will be 20.
As this is in the INPUT chain and the destination port is 20, this rule will not match.

I'm sure I understand why you think this rule will not match. The rule above is a port-based rule, which means once the server opens a connection on port 20 your firewall needs to allow that port back in. If you did not have that rule your connection would be broken.

thedude666 wrote: »
Also I think in general it is a good idea to use the session state and to use IPTABLES_MODULES="ip_conntrack_ftp" in /etc/sysconfig/iptables.

I agree 100% with this. You will need to also change your rules to use NEW, ESTABLISHED and RELATED in the rules themselves.
--
Regards
Robert
Smile....... it increases your face value!
Lazydog Member Posts: 19 ■□□□□□□□□□
masterelfy wrote: »
Why not just use system-config-firewall? It's a ton faster than manually setting the iptables. Plus the fact most people will forget to set the ftp module in the iptables.
Regards.

As a system administrator you should know how to access and modify all configuration files that are important to the system's operation. Using shortcuts is fine if you know what you are doing. If you don't, they can add to the confusion and keep you from fixing the problem at hand.
--
Regards
Robert
Smile....... it increases your face value!
thedude666 Member Posts: 69 ■■□□□□□□□□
Lazydog wrote: »
I'm sure I understand why you think this rule will not match. The rule above is a port-based rule, which means once the server opens a connection on port 20 your firewall needs to allow that port back in. If you did not have that rule your connection would be broken.
I agree 100% with this. You will need to also change your rules to use NEW, ESTABLISHED and RELATED in the rules themselves.

True, I'm just so used to editing the basic config (which has an ESTABLISHED,RELATED rule) and adding lines to the file that I didn't think about it.
This is also best for performance, as iptables shouldn't have to go down all the rules.
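The two firewall points in the thread are (page 374) the book's Samba rules with the wrong protocol on ports 137 and 139, and (page 386) the inbound "port 20" rule that a state-based ruleset with the FTP helper does not need. This added example, not from the book or from any poster, is a small linter for iptables rule lines that catches both, plus a state-based ruleset for Samba and FTP in the iptables-save format that /etc/sysconfig/iptables uses on RHEL 6. It assumes RHEL 6 naming: the helper module is nf_conntrack_ftp and the module list lives in /etc/sysconfig/iptables-config. BOOK_RULES is constructed from the lines quoted in the thread; nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example (not from the book or the thread): lint iptables rule lines
# for the Samba port/protocol mix-ups and the inbound port 20 rule discussed
# above, and print a stateful RHEL 6 style ruleset in iptables-save format.
# Nothing here changes the running firewall; it only reads and prints text.

# Expected protocol per port, from the /etc/services lines quoted in the
# thread plus the FTP control port. Format: PORT/PROTO.
EXPECTED="137/udp 138/udp 139/tcp 445/tcp 21/tcp"

# rule_proto_port RULE -> prints PORT/PROTO for a rule carrying -p and
# --dport; prints nothing and returns 1 for anything else (chain headers,
# the state rule, COMMIT, ...).
rule_proto_port() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "-p")      proto = $(i + 1)
              if ($i == "--dport") port  = $(i + 1)
          }
          if (proto != "" && port != "") { print port "/" proto; exit 0 }
          exit 1 }'
}

# lint_rule RULE -> 0 if fine (or not a port rule we know about),
#                   1 if the port is known but the protocol is wrong,
#                   2 if it opens TCP/20 inbound: the server originates the
#                     active-mode data connection from port 20, and with
#                     nf_conntrack_ftp loaded the replies (and passive-mode
#                     data connections) are accepted as RELATED,ESTABLISHED.
lint_rule() {
    pp=$(rule_proto_port "$1") || return 0
    port=${pp%/*} proto=${pp#*/}
    if [ "$port" = 20 ]; then
        echo "inbound --dport 20 is only needed without connection tracking: $1" >&2
        return 2
    fi
    for e in $EXPECTED; do
        if [ "$e" = "$pp" ]; then return 0; fi
        if [ "${e%/*}" = "$port" ]; then
            echo "port $port is ${e#*/}, not $proto: $1" >&2
            return 1
        fi
    done
    return 0
}

# lint_rules < RULES -> lints every line on stdin and prints the number of
# problems found (the messages themselves go to stderr).
lint_rules() {
    bad=0
    while IFS= read -r line; do
        lint_rule "$line" || bad=$((bad + 1))
    done
    echo "$bad"
}

# stateful_ruleset -> a ruleset for Samba and FTP in the format of
# /etc/sysconfig/iptables. The RELATED,ESTABLISHED rule comes first so reply
# traffic and FTP data connections are accepted before the per-port rules
# are consulted. Pair it with IPTABLES_MODULES="nf_conntrack_ftp" in
# /etc/sysconfig/iptables-config and "service iptables restart".
stateful_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo input, constructed from the book lines quoted in the thread (the four
# Samba rules and the inbound port 20 rule) in -A form.
BOOK_RULES='-A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT'

echo "# problems in the book's rules: $(printf '%s\n' "$BOOK_RULES" | lint_rules)"
echo "# problems in stateful_ruleset: $(stateful_ruleset | lint_rules)"
```

To check a live system the same way, feed it `iptables-save | lint_rules`. The ruleset keeps the RHEL 6 default shape (state rule, loopback, per-port NEW rules, final REJECT), which is also why the poster's note about performance holds: most packets match the first rule and never walk the chain.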
Lazydog Member Posts: 19 ■□□□□□□□□□
Congratulations!!!!!
--
Regards
Robert
Smile....... it increases your face value!
UnixGuy Mod Posts: 4,570 Mod
Congratulations! Update your certifications list here, and welcome! We have more RHCEs on TE.
Forsaken_GA Member Posts: 4,024
thedude666 wrote: »
Page 374:
# iptables -I INPUT 5 -p tcp -m tcp --dport 137 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 138 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 139 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 445 -j ACCEPT
At first glance these seemed already incorrect to me.
You need these:
netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
If you think this is not correct, install samba, start smb and nmb. Then use netstat -utapn | grep -E "nmb|smb"

This confused me at first as to what you had a problem with. You went a long way to say that the commands for ports 137 and 139 need their protocol types reversed.