You are on page 1of 282

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Oracle Linux 7: Advanced


Administration
Activity Guide Volume I
D90758GC10
Edition 1.0 | September 2015 | D92967

Learn more from Oracle University at oracle.com/education/

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and
print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way.
Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization
of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please
report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
warranted to be error-free.
Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United
States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS
The U.S. Governments rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted
by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
Author
l
i
Craig McBride
nim Stu
u
o@ e this
Technical Contributors and Reviewers rs
coHaraldo Van
usBreederode, Joel Goodman, Manish

Avi Miller, Elena Zannoni, Wim Coekaerts,


n
t
a
Kapur, Yasar Akthar, AntoinettejOSullivan,
( u nseGavin Bowe, Steve Miller, Herbert Van Den Bergh,
s
Todd Vierling and John Haxby
ria e lice
a
o abl
s
r
co published
er using: Oracle Tutor
f
s
n
This book
was
jua -tran
non
Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective
owners.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Table of Contents
Practices for Lesson 1: Course Introduction ........................................................................................... 1-1
Course Practice Environment: Security Credentials.................................................................................. 1-2
Practices for Lesson 1: Overview............................................................................................................. 1-3
Practice 1-1: Exploring the dom0 Environment ......................................................................................... 1-4
Practice 1-2: Starting, Stopping, and Listing VM Guests ........................................................................... 1-11
Practice 1-3: Exploring the host01 VM ..................................................................................................... 1-13
Practice 1-4: Exploring the host02 VM ..................................................................................................... 1-17
Practice 1-5: Exploring the host03 VM ..................................................................................................... 1-20
Practice 1-6: Logging Off from Your Student PC ...................................................................................... 1-22
Practices for Lesson 2: Network Addressing and Name Services .......................................................... 2-1
Practices for Lesson 2: Overview............................................................................................................. 2-2
Practice 2-1: Configuring a DHCP Server................................................................................................. 2-3
Practice 2-2: Configuring a DHCP Client .................................................................................................. 2-6
Practice 2-3: Viewing and Testing the DNS Configuration......................................................................... 2-9
Practice 2-4: Configuring a Caching-Only Nameserver ............................................................................. 2-16

a
s
a
h 3-1
)
Practices for Lesson 3: Authentication and Directory Services ..............................................................
o
c ide3-2

u
Practices for Lesson 3: Overview.............................................................................................................
d Gu
e

r
Practice 3-1: Configuring an OpenLDAP Server .......................................................................................
3-3
ita dent
l
i
Practice 3-2: Implementing OpenLDAP Authentication .............................................................................
3-21
nim Stu
Practice 3-3: Authenticating from an OpenLDAP Client ............................................................................
3-26
u
s
i
@
Practices for Lesson 4: Pluggable Authentication Modules
.........................................................
4-1
o (PAM)
th
s
r
e
o
Practices for Lesson 4: Overview.............................................................................................................
4-2
us
c to........................................................................
n
Practice 4-1: Configuring PAM for a Single
Login Session
4-3
a
(ju Non-root
seLogin......................................................................... 4-8
Practice 4-2: Configuring PAM tosPrevent
n
e
ia EmaillServices
rand
ic ..................................................................................... 5-1
Practices for Lesson 5: Web
a
e
l
so5: Overview
Practices for Lesson
r
rab............................................................................................................. 5-2
o
Practice 5-1:cConfiguringfe
the Apache Web Server .................................................................................... 5-3
n ans
juafor Lesson
Practices
tr 6: Installing Oracle Linux 7 by Using Kickstart...................................................... 6-1
n
Practices
nofor Lesson 6: Overview............................................................................................................. 6-2
Practice 6-1: Performing a Kickstart Installation........................................................................................ 6-3
Practice 6-2: Using Rescue Mode............................................................................................................ 6-14
Practices for Lesson 7: Samba Services.................................................................................................. 7-1
Practices for Lesson 7: Overview............................................................................................................. 7-2
Practice 7-1: Configuring a Samba Server ............................................................................................... 7-3
Practice 7-2: Accessing Samba Shares from a Client Host ....................................................................... 7-8
Practice 7-3: Accessing a Linux Samba Share from a Windows System ................................................... 7-12
Practices for Lesson 8: Advanced Software Package Management........................................................ 8-1
Practices for Lesson 8: Overview............................................................................................................. 8-2
Practice 8-1: Exploring the host04 VM ..................................................................................................... 8-3
Practice 8-2: Managing Yum Plug-Ins ...................................................................................................... 8-9
Practice 8-3: Using Yum Utilities .............................................................................................................. 8-16
Practice 8-4: Creating an RPM Package .................................................................................................. 8-22
Practice 8-5: Managing Software Updates with PackageKit ...................................................................... 8-31
Practice 8-6: Working with Yum History and Yum Cache .......................................................................... 8-39
Practices for Lesson 9: Advanced Storage Administration ..................................................................... 9-1
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Oracle Linux 7: Advanced Administration Table of Contents


i

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practices for Lesson 9: Overview............................................................................................................. 9-2


Practice 9-1: Creating and Mounting a File System .................................................................................. 9-3
Practice 9-2: Implementing Access Control Lists ...................................................................................... 9-6
Practice 9-3: Setting Disk Quotas ............................................................................................................ 9-9
Practice 9-4: Encrypting a File System ..................................................................................................... 9-13
Practice 9-5: Using kpartx ....................................................................................................................... 9-16
Practice 9-6: Exploring and Configuring Udev .......................................................................................... 9-20
Practices for Lesson 10: Advanced Networking ...................................................................................... 10-1
Practices for Lesson 10: Overview ........................................................................................................... 10-2
Practice 10-1: Configuring Network Bonding by Using the GUI ................................................................. 10-3
Practice 10-2: Configuring Network Bonding from the Command Line....................................................... 10-21
Practice 10-3: Working with Bonded Interfaces ........................................................................................ 10-26
Practice 10-4: Configuring 802.1Q VLAN Tagging by Using the GUI ......................................................... 10-37
Practice 10-5: Configuring 802.1Q VLAN Tagging from the Command Line .............................................. 10-46
Practice 10-6: Working with VLAN Interfaces ........................................................................................... 10-49
Practice 10-7: Configuring a Site-to-Site VPN .......................................................................................... 10-58

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
t
ua s.....................................................................................
e
j
Practices for Lesson 12: iSCSI and Multipathing
12-1
(
n
s
e
a
Practices for Lesson 12: Overview
...........................................................................................................
12-2
i
c
li (Target)................................................................................. 12-3
aanr iSCSIleServer
Practice 12-1: Configuring
o
b Client (Initiator)................................................................................. 12-14
rs eanraiSCSI
oConfiguring
Practice 12-2:
c
f
Practice
ns iSCSI Multipathing .......................................................................................... 12-21
an12-3:tConfiguring
a
u
j
r
- 13: Control Groups (Cgroups)................................................................................ 13-1
Practices for
Lesson
nonfor Lesson 13: Overview........................................................................................................... 13-2
Practices

Practices for Lesson 11: OCFS2 and Oracle Clusterware........................................................................ 11-1


Practices for Lesson 11: Overview ........................................................................................................... 11-2
Practice 11-1: Preparing for an OCFS2 Configuration............................................................................... 11-3
Practice 11-2: Verifying that the Required Software Is Installed ................................................................ 11-9
Practice 11-3: Configuring the Cluster Layout .......................................................................................... 11-10
Practice 11-4: Configuring and Starting the O2CB Cluster Stack Service .................................................. 11-14
Practice 11-5: Creating an OCFS2 Volume .............................................................................................. 11-17
Practice 11-6: Mounting an OCFS2 Volume ............................................................................................. 11-21
Practice 11-7: Tuning and Debugging OCFS2.......................................................................................... 11-26

Practice 13-1: Exploring cgroup Integration Into systemd.......................................................................... 13-3


Practice 13-2: Exploring cgroup Hierarchies and cgroup Subsystem Parameters ...................................... 13-10
Practice 13-3: Controlling Access to System Resources ........................................................................... 13-15
Practices for Lesson 14: Virtualization with Linux................................................................................... 14-1
Practices for Lesson 14: Overview ........................................................................................................... 14-2
Practice 14-1: Preparing the Virtualization Host for KVM .......................................................................... 14-3
Practice 14-2: Starting the Virtual Machine Manager and Preparing to Create a Virtual Machine................ 14-9
Practice 14-3: Creating a Virtual Machine ................................................................................................ 14-22
Practice 14-4: Managing Your Virtual Machine ......................................................................................... 14-36
Practices for Lesson 15: Linux Containers (LXC) .................................................................................... 15-1
Practices for Lesson 15: Overview ........................................................................................................... 15-2
Practice 15-1: Completing Linux Container Prerequisites.......................................................................... 15-3
Practice 15-2: Creating an Oracle Linux Container ................................................................................... 15-7
Practice 15-3: Using lxc Commands ........................................................................................................ 15-11
Practices for Lesson 16: Docker .............................................................................................................. 16-1
Practices for Lesson 16: Overview ........................................................................................................... 16-2
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Oracle Linux 7: Advanced Administration Table of Contents


ii

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practice 16-1: Using sftp to Upload Docker Package and Images ............................................................. 16-3
Practice 16-2: Installing and Configuring Docker ...................................................................................... 16-5
Practice 16-3: Using Docker Commands.................................................................................................. 16-9
Practice for Lesson 17: Security Enhanced Linux (SELinux) .................................................................. 17-1
Practice for Lesson 17: Overview ............................................................................................................ 17-2
Practice 17-1: Exploring SELinux............................................................................................................. 17-3
Practice 17-2: Configuring an SELinux Boolean ....................................................................................... 17-11
Practice 17-3: Configuring SELinux Context ............................................................................................. 17-15
Practices for Lesson 18: Core Dump Analysis......................................................................................... 18-1
Practices for Lesson 18: Overview ........................................................................................................... 18-2
Practice 18-1: Configuring Kdump ........................................................................................................... 18-3
Practice 18-2: Creating a Core Dump File ................................................................................................ 18-12
Practice 18-3: Preparing Your System to Analyze the vmcore................................................................... 18-14
Practice 18-4: Using the crash Utility........................................................................................................ 18-16
Practices for Lesson 19: Dynamic Tracing with DTrace .......................................................................... 19-1
Practices for Lesson 19: Overview ........................................................................................................... 19-2
Practice 19-1: Using sftp to Upload DTrace Packages .............................................................................. 19-3
Practice 19-2: Installing the DTrace Packages ......................................................................................... 19-8
Practice 19-3: Using DTrace from the Command Line .............................................................................. 19-12
Practice 19-4: Creating and Running D Scripts......................................................................................... 19-20

a
s
a
h
)
o
c ide

u
d Gu
e

r
ta ent
i
l
i
Appendix - NIS Configuration...................................................................................................................
20-1
nim Stud
Appendix - Overview ...............................................................................................................................
20-2
u
s
i
@
h
Practice A-1: Configuring an NIS Server ..................................................................................................
20-3
o
rs se t
o
Practice A-2: Configuring an NIS Client....................................................................................................
20-9
c
u
........................................................................................
n
o
Practice A-3: Implementing NIS Authentication
20-11
t
a
(ju..................................................................................................
se
Practice A-4: Testing NIS Authentication
20-15
n
s
e
a
i
c
Practice A-5: Auto-Mounting
a User Home
li Directory ................................................................................ 20-17
arSystems
e
l
o
Practice A-6: Restoring
the
to
s rab Their Original State...................................................................... 20-20
r
o
c Access
Appendixes: Remote
fe Options...................................................................................................... 21-1
s
n
n
a
Appendixes:
Overview.............................................................................................................................
21-2
ju -tra
Appendix n
an NX Client to Connect to dom0................................................................................ 21-3
no A:B: Using
Appendix
Using an NX Player to Connect to dom0............................................................................... 21-7
Appendix C: Using VNC (TightVNC) to Connect Directly to VM Guests ..................................................... 21-13
Appendix D: Using NoMachine Version 4 to Connect to dom0 .................................................................. 21-16

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Oracle Linux 7: Advanced Administration Table of Contents


iii

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
t 1:
Practices lfor
n
ita Lesson
e
i
Course
Introduction
tud
nim
S
u
o@ 1 this
s
Chapter e
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 1

Course Practice Environment: Security Credentials

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

For OS usernames and passwords, see the following:

If you are attending a classroom-based or live virtual class, ask your instructor or LVC
producer for OS credential information.

If you are using a self-study format, refer to the communication that you received from
Oracle University for this course.

For product-specific credentials used in this course, see the following table:
Product-Specific Credentials
Virtual Machines/Application

Username

Password

host01/OS

root

oracle

host01/OS

oracle

oracle

s
a
h
host02/OS
root
oracle
o) e
c

host02/OS
oracle
oracle
du Guid
e

r
host03/OS
root
nt
ita doracle
l
e
i
m tu oracle
host03/OS
oracle uni
S
s
i
@
h
o
rs se t
o
c
u

n
o
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 2

Practices for Lesson 1: Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practices Overview
In these practices, you will:
Log in to your classroom PC and become familiar with the Oracle VM Server for x86
environment installed on your classroom PC
Connect to the virtual machines used for the hands-on practices and become familiar
with the VM guest configurations

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 3

Practice 1-1: Exploring the dom0 Environment


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you explore the dom0 configuration and directory structure.

Assumptions

Your instructor has assigned a student PC to you.


Your student PC is running Oracle VM Server for x86 version 3.2.1.

You are logged in to your student PC as vncuser with the password vnctech.

The GNOME desktop is installed on dom0.


There are three guests (virtual machines): host01, host02, and host03.

All guest VMs have Oracle Linux 7 installed.

Tasks
1.

s
a
Open a terminal window.
h
o) in thee
c
Begin this task from the dom0 GNOME virtual desktop window as shown

du Guid
following screenshot:
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Double-click the Terminal icon on the GNOME desktop.


A terminal window opens.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 4

2.

Become the root user.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Enter the commands from an open terminal window as shown in the following
screenshot:

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
t
a
u
e
j
(
s
Become the root user by
The root password is oracle.
s usingicthe
ensuthe- command.
a
i
r
l
Confirm that you are
root
by
printing
user
identity
with the whoami command:
a le
o
$ su
ors ferab
c
n ans oracle
juaPassword:
tr
#nwhoami
noroot
3.

Determine the operating system that is running on dom0.


Use the uname a command to display the operating system version.
# uname a
Linux edddr20p1 2.6.39-300.22.2.el5uek #1 SMP Fri Jan 4 12:40:29
PST 2013 x86_64 x86_64 x86_64 GNU/Linux
In this example, the operating system is Linux.

The Linux kernel is 2.6.39-300.22.2.el5uek.

The host name is edddr20p1. (Your host name is different.)

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 5

4.

Determine the network configuration of dom0.


Use the ifconfig a command to display the network configuration. Only partial output is
shown.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# ifconfig -a
...
bond0

Link encap:Ethernet ...


inet addr:10.150.30.83 ...

...
eth0
...
lo
...
vif...
...
virbr0

Link encap:Ethernet ...


Link encap:Local Loopback ...
inet addr:127.0.0.1 ...

a
s
a
h
)
o
c ide

u
Link encap:Ethernet ...
d Gu
e

r
inet addr:192.0.2.1 ...
ta ent
i
l
i
...
im Stud
n
u
virbr1
Link encap:Ethernet ...
o@...e this
s
inet addr:192.168.1.1
r
co o us

...
n
ua se t ...
j
virbr2
Link encap:Ethernet
(
saddr:192.168.2.1
en
a
i
inet
...
c
r
i
l
a
e
l
... rso
rabencap:Ethernet ...
o fLink
c
e
virbr3
s
n
jua -tran inet addr:192.168.3.1 ...
n
no...
In this example, the network interface for dom0 is bond0 and is assigned an IP
Link encap:Ethernet ...

address of 10.150.30.83. The IP address of your system is different.

The lo interface is a software loopback interface that identifies the localhost. It is


always assigned an IP address of 127.0.0.1.

The virbr0 interface is a xen bridge interface used by VM guests. It is assigned


an IP address of 192.0.2.1.

The virbr1 interface is a second xen bridge interface used by VM guests. It is


assigned an IP address of 192.168.1.1.

The virbr2 interface is a third xen bridge interface used by VM guests. It is


assigned an IP address of 192.168.2.1.

The virbr3 interface is a fourth xen bridge interface used by VM guests. It is


assigned an IP address of 192.168.3.1.

You also notice vif<#>.<#> entries. These are virtual interfaces that are tied to
the VM/domU IDs. You can get the VM/domU IDs from the xm list command,
which you run later in this practice.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 6

5.

Explore the /OVS directory structure on dom0.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Explore the top level of the /OVS directory. (Only partial output is shown.)
# ls l /OVS
drwxrwxrwx ... iso_pool
drwxrwxrwx ... publish_pool
drwxrwxrwx ... running_pool
drwxrwxrwx ... seed_pool
drwxrwxrwx ... sharedDisk
There are five directories in the /OVS directory.

b.

Explore the /OVS/runing_pool directory:


# cd /OVS/running_pool
# ls l
drwxr-xr-x ... host01
drwxr-xr-x ... host02
drwxr-xr-x ... host03
drwxr-xr-x ... host04
drwxr-xr-x ... host05
drwxr-xr-x ... vpn-host1
drwxr-xr-x ... vpn-host2
The files needed to create the VMs are in separate directories in the
/OVS/running_pool directory.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
uasevenseVMt directories exist, for VMs host01, host02,
j
(
This example shows
that
shost05,icvpn-host1,
en
a
i
host03, host04,
and vpn-host2.
r
l
a le
o
Therhost04
bis preconfigured with access to Oracles Public Yum Server. This
ra
oissusedfeinVM
c
VM
Practices for Lesson 8: Advanced Software Package Management.
s
n ahost05
n
VM has the virtualization package groups installed. This VM is used in
jua The
r
t
n
Practices
for
14: Virtualization with Linux.
no The vpn VMsLesson
are used in Practice 10-7: Configuring a Site-to-Site Virtual Private
Network (VPN).

c.

Explore the host01 VM directory.


# cd /OVS/running_pool/host01
# ls l
-rw-r--r-- ... system.img
-rw-r--r-- ... u01.img
-rw-r--r-- ... u02.img
-rwxr-xr-x ... vm.cfg
The system.img file is the operating system virtual disk.

The u01.img and u02.img files are utility virtual disks that are used in various
practices in this course.
The vm.cfg file is the configuration file for the virtual machine. This file is read
when the virtual machine is created.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 7

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

View the vm.cfg file.


# cat vm.cfg
name = host01
builder = hvm
memory = 1536
boot = cd
disk = [ file:/OVS/running_pool/host01/system.img,xvda,w,
file:/OVS/running_pool/host01/u01.img,xvdb,w,
file:/OVS/running_pool/host01/u02.img,xvdd,w,
file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64dvd.iso,xvdc:cdrom,r]
vif = [ mac=00:16:3e:00:01:01, bridge=virbr0,
mac=00:16:3e:00:02:01, bridge=virbr1,
mac=00:16:3e:00:03:01, bridge=virbr2,
mac=00:16:3e:00:04:01, bridge=virbr3]
device_model = /usr/lib/xen/bin/qemu-dm
kernel = /usr/lib/xen/boot/hvmloader
vnc = 1
vncunused=1
vcpus = 1
timer_mode = 0
apic = 1
acpi = 1
pae = 1
serial = pty
on_reboot = restart
on_crash = restart
usb = 1
usbdevice = 'tablet'
Note that there are three virtual disks represented by the three .img files.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Note that the Oracle Linux dvd.iso is mounted on a virtual CD ROM device.

Note that there are four virtual network interfaces. The interface on the virbr0
bridge is eth0, the interface on the virbr1 bridge is eth1, the interface on the
virbr2 bridge is eth3, and the interface on the virbr3 bridge is eth4.

e.

Explore the /OVS/sharedDisk directory:


# cd /OVS/sharedDisk
# ls l
-rw-r--r-- ... physDisk1.img

The physDisk1.img file is used as a shared disk (shared by all VM guests) in


Practices for Lesson 11: OCFS2 and Oracle Clusterware.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 8

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

f.

Explore the /OVS/seed_pool directory:


# cd /OVS/seed_pool
# ls l
drwxr-xr-x ... debug
drwxr-xr-x ... dtrace_rpms
drwxr-xr-x ... host07
-rw-r--r-- ... OracleLinux-R7-U1-Server-x86_64-dvd.iso
-rw-r--r-- ... physDisk1.tgz
drwxr-xr-x ... sfws
-rw-r--r-- ... system01.tgz
-rw-r--r-- ... system02.tgz
-rw-r--r-- ... system03.tgz
-rw-r--r-- ... system04.tgz
-rw-r--r-- ... system05.tgz
-rw-r--r-- ... u01_01.tgz
-rw-r--r-- ... u01_03.tgz
-rw-r--r-- ... u02_01.tgz
-rw-r--r-- ... u02_02.tgz
-rw-r--r-- ... u02_03.tgz
-rw-r--r-- ... u03_02.tgz
-rwxr-xr-x ... vm01.cfg
-rwxr-xr-x ... vm02.cfg
-rwxr-xr-x ... vm03.cfg
-rwxr-xr-x ... vm04.cfg
-rwxr-xr-x ... vm05.cfg
-rwxr-xr-x ... vmvpn1.cfg
-rwxr-xr-x ... vmvpn2.cfg
-rw-r--r-- ... vpn-host1.tgz
-rw-r--r-- ... vpn-host2.tgz
This directory contains many files that are used to create the initial environment.
Oracle Linux 7.1 is installed on the host01, host02, and host03 VMs from the
OracleLinux-R7-U1-Server-x86_64-dvd.iso file in this directory.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Other files in this directory are used in various practices.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

g.

Explore the /var/www/html/repo/OracleLinux/OL7/1/x86_64 directory:

Your system is configured as a local Yum repository.

This directory contains the contents of the Oracle Linux 7.1 ISO.
Note that the RPM software packages are in the Packages directory.

A .repo file exists on each VM pointing to this Yum repository.


# ls -l
addons
EFI
EULA
GPL

/var/www/html/repo/OracleLinux/OL7/1/x86_64
images
RELEASE-NOTES-U1-en RPM-GPG-KEY-oracle
isolinux RELEASE-NOTES-U1-en.html TRANS.TBL
LiveOS
repodata
Packages RPM-GPG-KEY

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 10

Practice 1-2: Starting, Stopping, and Listing VM Guests


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you use xm commands to list, create, and shut down virtual machines.

Assumptions

You are logged on to dom0.


You have a terminal window open.

You are the root user.

Tasks
1.

List all currently active guests, as well as dom0 itself.


Use the xm list command. The output shown here is a sample, the ID and Time(s)
values will be different on your system.

2.

a
s
a
h
# xm list
)
o

c Time(s)
e

Name
ID
Mem VCPUs
State
d
u
i
d Gu 281.1
e

Domain-0
0
2048
2
r----r
ta ent
host01
1
1536
1 ili -b---157.6
d
m -b---i
u
t
n
host02
2
1536
1
159.0
u is S
@
host03
3
1536
13.2
so se 1th -b---r
o
You have three guests (host01,
uand host03) running.
c host02,
n
o
t
a
Shut down a VM.
(ju nse
s
e command to shut down the host03 VM. The w
cname>
riaw <VM
Use the xm shutdown
i
l
a
le until all services in the domain shut down cleanly. Run xm
osystematobwait
option tells rthe
s
r
o the
list tocdisplay
VMs.
erunning
f
s
n
axmn shutdown command takes a few seconds to complete.
jua The
r
t
nonNote that host03 is no longer active.
# xm shutdown w host03
Domain host03 terminated
All domains terminated
# xm list
Name
ID
Domain-0
0
host01
1
host02
2

Mem VCPUs
2048
2
1536
1
1536
1

State
r-----b----b----

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 11

Time(s)
289.6
157.6
159.0

3.

Start a VM.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Use the xm create <config_file> command to start the host03 VM. The
<config_file> is named vm.cfg and is located in the
/OVS/running_pool/<VM_name> directory. Run xm list to display the running VMs.

Note that host03 is now active.

The State column for dom0 and host03 shows r (run state). The State column for
host01 and host02 shows b (blocked). The following describes these values:

r: The domain is currently running and healthy

b: The domain is blocked, and not running or runnable. This can be caused
because the domain is waiting on IO (a traditional wait state) or has gone to
sleep because there was nothing else for it to do.

# cd /OVS/running_pool/host03
# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host03 (id=#)
# xm list
Name
ID
Mem VCPUs
Domain-0
0
2048
2
host01
4
1536
1
host02
2
1536
1
host03
3
1536
1

a
s
a
h
)
o
c ide

u
d GuTime(s)
State
e

r
t
304.5
n
itar----l
e
i
d
m
-b---18.7
tu
ni
S
u
159.0
o@ e this -b---s
r
r----13.2
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 12

Practice 1-3: Exploring the host01 VM

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you perform the following:
Log in to host01.
View the storage devices available on host01.
View the network configuration on host01.
View the Unbreakable Enterprise Kernel version on host01.

View the Yum repository configuration on host01.

Assumptions

You are logged on to dom0 as the root user.

The host01 VM guest is running.

a
s
a
Tasks
h
)
o
c ide
1. Explore the host01 VM guest.

u
d Gu
e

a. Use the ssh command to log in to host01.


r
t
ncommand
itassh,dthe
l
e
i
Because this is the first time you have logged in
using
checks to
u
t
nim
make sure that you are connecting to the u
host
that you
think
you
are
connecting
to.
S
s
i
@
Enter yes.
so se th
r
o
The root password is oracle
u
c (alltlowercase).
n
o
a
If you get a message,ju
ssh: connect
to
host
host01 port 22: No route to host, wait a
e
(
s
n
s
few seconds toaallow host01
ri e lice to boot and then run the ssh host01 command
a
again.
l
o acommand
b
s
r
The
hostname
confirms you have successfully logged in to host01.
co sfer
n
n
ahost01
jua# ssh
r
t
n authenticity of host host01 (192.0.2.101) cant be
noThe
established. RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added host01,192.0,2,101 (RSA) to the
list of known hosts.
root@host01s password: oracle
[root@host01 ~]# hostname
host01.example.com
b.

Use the fdisk command to view the storage devices.


# fdisk l | grep /dev
Disk /dev/xvda: 12.9 GB,
/dev/xvda1
*
2048
/dev/xvda2
1026048
Disk /dev/xvdb: 10.7 GB,
Disk /dev/xvdd: 10.7 GB,

12884901888 bytes, 25165824 sectors


1026047
512000
83
Linux
25165823
12069888
8e
Linux LVM
10737418240 bytes, 20971520 sectors
10737418240 bytes, 20971520 sectors

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 13

Disk /dev/mapper/ol-root: 11.0 GB, 11022630912 bytes, ...


Disk /dev/mapper/ol-swap: 1287 MB, 1287651328 bytes, ...
Three devices are available: /dev/xvda, /dev/xvdb, and /dev/xvdd.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Do not run the following commands, this is information only:

The /dev/xvda disk device represents a 12 GB system image file created with
the following command (in the /OVS/running_pool/host01 directory on
dom0):
# dd if=/dev/zero of=system.img bs=1M count=12288

The /dev/xvdb disk device represents a 10 GB utility image file created with
the following command (in the /OVS/running_pool/host01 directory on
dom0):
# dd if=/dev/zero of=u01.img bs=1M count=10240

The /dev/xvdd disk device represents a 10 GB utility image file created with
the following command (in the /OVS/running_pool/host01 directory on
dom0):
# dd if=/dev/zero of=u02.img bs=1M count=10240

a
s
a
h
)
o

cInstall Base
e

The /dev/xvda device has Oracle Linux 7.1 installed Minimal


d
u
i
d Gu
e

Environment.
r
nt
itaswapdepartitions.
l
This system disk uses LVM volumes for the rootiand
im Stu
n
u
c. Use the ip addr command to display the network interfaces.
@ this
o
s
r
# ip addr
o
se
c
u

n
1: lo: <LOOPBACK,UP,LOWER_UP>
to mtu 65536 qdisc noqueue ...
a
u
e
j
( 00:00:00:00:00:00:00:
link/loopback
brd 00:00:00:00:00:00
ns
s
e
a
i
c
r
i
l
inet addr:127.0.0.1/8
scope host lo
o a able
... ors
ceth0:s<BROADCAST,MULTICAST,UP,LOWER_UP>
er
f
2:
mtu 1500 qdisc ...
n
an
jua -trlink/ether
00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
n
o
inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
n

...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:04:01 brd ff:ff:ff:ff:ff:ff
The system has four Ethernet network interfaces, eth0, eth1, eth2, and eth3.

The eth0 interface is on the 192.0.2 subnet, and provides access to dom0 and
the other VM guest systems. The remaining interfaces do not have IP addresses.
The eth1 interface is configured in Practices for Lesson 2: Network Addressing
and Name Services.
The eth2 and eth3 interfaces are configured as part of a bonded network interface
in Practices for Lesson 10: Advanced Networking.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 14


d.

View the /etc/hosts file on host01.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The eth1 interface is configured on a private subnet, 192.168.1, and is used in


Practices for Lesson 11: OCFS2 and Oracle Clusterware.
No changes are needed in this file.
# cat /etc/hosts
127.0.0.1
localhost.localdomain localhost
192.0.2.1
example.com
dom0
192.0.2.101
host01.example.com
host01
192.0.2.102
host02.example.com
host02
192.0.2.103
host03.example.com
host03

e.

Use the uname -r command to determine your running kernel version.

The kernel is UEK Release 3.


# uname -r
3.8.13-55.1.6.el7uek.x86_64

s
a
h
o) e
f. View the /etc/yum/repos.d directory.
c

id a
duLinuxG7uand
Two .repo files exist, the Public Yum repository file forrOracle
e

t
custom repository file, vm.repo, for the local Yumilrepository
ita deonndom0.
nim Stu
# cd /etc/yum.repos.d
u
# ls
o@ e this
s
r
public-yum-ol7.repo vm.repo
co o us

n
t repositories in both files.
utoaview enabled
e
g. Use the grep command
j
(
s
s file contains
en an enabled repository (enabled=1).
a
i
Only the vm.repo
c
r
i
l
o a ab*le
s
# grep
enabled
r
co sfer
public-yum-ol7.repo:enabled=0
n
an
juapublic-yum-ol7.repo:enabled=0
r
t
n
no...

vm.repo:enabled=1
h.

Use the cat command to view the contents of vm.repo.

Note that the baseurl references the local Yum repository on dom0 (192.0.2.1).
# cat vm.repo
[OL7.1Dom0]
Name="Oracle Linux 7.1 Dom0 Repo"
baseurl=http://192.0.2.1/repo/OracleLinux/OL7/1/x86_64
enabled=1
gpgkey=http://192.0.2.1/repo/OracleLinux/OL7/1/x86_64/RPM-GPGKEY-oracle
gpgcheck=1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 15

i.

Use the exit command to log off host01.


# exit

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

logout
Connection to host01 closed.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 16

Practice 1-4: Exploring the host02 VM

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you perform the following:
Log in to host02.
View the storage devices available on host02.
View the network configuration on host02.

Assumptions

You are logged on to dom0 as the root user.

The host02 VM guest is running.

Tasks
1.

a
s
a
h
a. Use the ssh command to log in to host02.
)
o
to
c idchecks
e

Because this is the first time you have logged in using ssh, the
command
u
dyou areGconnecting
u
e
make sure that you are connecting to the host that you r
think
to.

t
a
t
n
Enter yes.
ili ude
m
i
t
The root password is oracle (all lowercase).
n
S
u
o@ e this
# ssh host02
s
r
cohost02
us(192.0.2.102) cant be
The authenticity of host

n
o
t
a
established. RSA key
is ...
e
ju fingerprint
(
s
n
s
Are you sure ia
you want eto continue connecting (yes/no)? yes
r
licadded host02,192.0.2.102 (RSA) to the
a
Warning:o Permanently
e
l
b
rs known
listoof
rahosts.
c
e
f
s
nroot@host02s
password: oracle
n
a
jua[root@host02
r
t
~]#
hostname
n
o
n host02.example.com
Explore the host02 VM guest.

b.

The hostname command confirms whether you have successfully logged in to


host02.
Use the fdisk command to view the storage devices.

# fdisk l | grep /dev


Disk /dev/xvda: 21.5 GB, 21474836480 bytes, 41943040 sectors
/dev/xvda1
*
2048
1026047
512000
83
Linux
/dev/xvda2
1026048
41943040
20458496
8e
Linux LVM
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/xvdd: 21.5 GB, 21474836480 bytes, 41943040 sectors
Disk /dev/xvde: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/mapper/ol-root: 18.8 GB, 18798870528 bytes, ...
Disk /dev/mapper/ol-swap: 2147 MB, 2147483648 bytes, ...
Four devices are available: /dev/xvda, /dev/xvdb, /dev/xvdd and
/dev/xvde.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 17

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Do not run the following commands; this is for information only:


The /dev/xvda disk device represents a 20 GB system image file created with
the following command (in the /OVS/running_pool/host02 directory on
dom0):
# dd if=/dev/zero of=system.img bs=1M count=20480

The /dev/xvdb disk device represents a 10 GB shared disk image file created
with the following command (in the /OVS/sharedDisk directory on dom0):
# dd if=/dev/zero of=physDisk1.img bs=1M count=10240

The /dev/xvdd disk device represents a 20 GB utility image file created with
the following command (in the /OVS/running_pool/host02 directory on
dom0):
# dd if=/dev/zero of=u02.img bs=1M count=20480

The /dev/xvde disk device represents a 10 GB utility image file created with
the following command (in the /OVS/running_pool/host02 directory on
dom0):
# dd if=/dev/zero of=u03.img bs=1M count=10240

a
s
a
h
)
o

c GUIidBase
e

The /dev/xvda device has Oracle Linux 7.1 installed Server


with
u
d Gu
Environment.
e

r
nt
itaswapdepartitions.
l
This system disk uses LVM volumes for the rootiand
tu
niminterfaces.
S
c. Use the ip addr command to display the network
u
o@ e this
s
# ip addr
r
co omtu
us 65536 qdisc noqueue ...

1: lo: <LOOPBACK,UP,LOWER_UP>
n
t
a
(ju00:00:00:00:00:00:00:
se
link/loopback
brd 00:00:00:00:00:00
n
s
e
a
i
c
inet addr:127.0.0.1/8
scope host lo
ar le li
o
... rs
ab
r
o
c
e
f
<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
n2: eth0:
ans
jua -trlink/ether
00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
n
no inet 192.0.2.102/24 brd 192.0.2.255 scope global eth0

...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.102/24 brd 192.168.1.255 scope global eth1
...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:04:02 brd ff:ff:ff:ff:ff:ff
The system has four Ethernet network interfaces, eth0, eth1, eth2, and eth3.

The eth0 interface is on the 192.0.2 subnet, and provides access to dom0 and
the other VM guest systems.
The eth1 interface is on a private subnet, 192.168.1, and is used in Practices for
Lesson 11: OCFS2 and Oracle Clusterware.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 18

The eth2 and eth3 interfaces are configured as part of a bonded network interface
in Practices for Lesson 10: Advanced Networking.

The /etc/hosts, kernel version, and Yum configuration is the same on all three VM guests.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

Use the exit command to log off host02.


# exit
logout
Connection to host02 closed.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 19

Practice 1-5: Exploring the host03 VM

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you perform the following:
Log in to host03.
View the storage devices available on host03.
View the network configuration on host03.

Assumptions

You are logged on to dom0 as the root user.

The host03 VM guest is running.

Tasks
1.

a
s
a
h
a. Use the ssh command to log in to host03.
)
o
checks
ccommand
e

Because this is the first time you have logged in by using ssh,uthe
d
i
d youG
e
to make sure that you are connecting to the host that you
think
areuconnecting

r
t
to. Enter yes.
lita den
i
m
tu
The root password is oracle (all lowercase).
ni
S
u
is successfully logged in to
@ youthhave
The hostname command confirms
owhether
s
r
e
host03.
co o us

n
# ssh host03
ua se t
j
(
s of ichost
en host03 (192.0.2.103) cant be
The authenticity
a
i
r
l
established.
lekey fingerprint is ...
o a aRSA
b
s
r
Areco
you surer you want to continue connecting (yes/no)? yes
fe
s
n
Warning:
Permanently added host03,192.0.2.103 (RSA) to the
n
a
a known hosts.
ju list
trof
n
noroot@host03s password: oracle
Explore the host03 VM guest.

[root@host03 ~]# hostname


host03.example.com
b.

Use the fdisk command to view the storage devices. The host03 VM has the same
disk configuration as the host01 VM.
# fdisk l | grep /dev
Disk /dev/xvda: 12.9 GB, 12884901888 bytes, 25165824 sectors
/dev/xvda1
*
2048
1026047
512000
83
Linux
/dev/xvda2
1026048
25165823
12069888
8e
Linux LVM
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/xvdd: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/mapper/ol-root: 11.0 GB, 11022630912 bytes, ...
Disk /dev/mapper/ol-swap: 1287 MB, 1287651328 bytes, ...
Three devices are available: /dev/xvda, /dev/xvdb, and /dev/xvdd.

This is the same disk configuration as host01.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 20

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

The /dev/xvda device has Oracle Linux 7.1 installed Server with GUI Base
Environment.
This system disk uses LVM volumes for the root and swap partitions.
Use the ip addr command to display the network interfaces.

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
link/loopback 00:00:00:00:00:00:00: brd 00:00:00:00:00:00
inet addr:127.0.0.1/8 scope host lo
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:01:03 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.103/24 brd 192.0.2.255 scope global eth0
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:03 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.104/24 brd 192.0.2.255 scope global eth1
...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:03:03 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.103/24 brd 192.168.1.255 scope global eth2
...
The system has three Ethernet network interfaces: eth0, eth1, and eth2.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s interfaces
en are on the 192.0.2 subnet. These interfaces are
The eth0 and
eth1
a
i
c
r
i
l
a lfor
used ino
Practices
e Lesson 12: iSCSI and Multipathing.
b
s
r
a
The
co eth2sfinterface
er is on a private subnet, 192.168.1, and is used in Practices for
n
Lesson
11:
jua -tran OCFS2 and Oracle Clusterware.
n the cat command to view the /etc/resolv.conf file.
d. o
n Use
This file provides access to Domain Name Service (DNS) for host-to-IP address
resolution. It identifies three DNS nameservers and the search domain.

# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3
The /etc/hosts, kernel version, and Yum configuration is the same on all three VM guests.
e.

Use the exit command to log off host03.


# exit
logout
Connection to host03 closed.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 21

Practice 1-6: Logging Off from Your Student PC


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you learn how to log off from your system.

Tasks
1.

Learn how to log off your student PC.


a.

Open the System menu on the GNOME desktop.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
on
n
b. Select Log Out vncuser from the System menu.

c.

You can click the Log Out button to log out.


However, do not log out until the end of each day of training.
Click the Cancel button to stay logged in.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 1: Course Introduction


Chapter 1 - Page 22

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
t 2:
Practices lfor
n
ita Lesson
e
i
Network
and
tud
nimAddressing
S
u
Name
o@ eServices
this
s
r
co Chapter
us 2

n
o
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 1

Practices for Lesson 2: Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practices Overview
In these practices, you:
Configure host03 VM as a DHCP server and host01 VM as a DHCP client

Dynamically obtain an IP address for eth1 on host01

View and test the DNS server configuration on dom0


Configure host03 to as a caching-only nameserver

Test the DNS configuration

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 2

Practice 2-1: Configuring a DHCP Server


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you configure host03 VM as a DHCP server.

Assumptions
You are the root user on dom0.

Tasks
1.

Log in to the host03 VM guest.


Use the ssh command to log in to host03.

The root password is oracle (all lowercase).


[dom0]# ssh host03
root@host03s password: oracle
Last login: ...
[host03]#

2.

a
s
a
h
)
o
c ide

u
d Gu
e

r
Install the dhcp package on host03 if necessary.
ita dent
l
i
a. Use the rpm command to check whether the dhcp
tuis installed.
nimpackage
S
u
In this example, only the dhcp-libs @
o and dhcp-common
this packages are installed.
s
r
e
# rpm qa | grep dhcp co
us
n
o
t
a
dhcp-libs-...
(ju nse
s
dhcp-common-...
ria e lice
a
l
b. Use the s
yum
available
command, pipe the output to the grep command,
o list
b
r
a
r string dhcp.
o forfethe
andcsearch
s output is shown.
n apartial
n
jua Only
r
-t
onThe dhcp.x86_64 package needs to be installed in this example.
n
# yum list available | grep dhcp
dhcp.x86_64 ...
dhcp-libs.i686 ...
c.

Use the yum command to install the dhcp package.

You do not need to include the .x86_64 extension.

Answer y when prompted Is this ok.

You are asked about the GPG key only the first time you use the yum install
command.
# yum install dhcp
...
Transaction Summary
============================================================
Install 1 Package
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Total download size: 509 k


Installed size: 1.4 M
Is this ok [y/d/N]: y
...
Retrieving key from http://192.0.2.1/repo/OracleLinux/OL7/...
...
Is this ok [y/N]: y
...
Complete!
3.

Use the vi editor to edit /etc/dhcp/dhcpd.conf as follows:


Note: A preconfigured dhcpd.conf file exists on dom0 in the /OVS/seed_pool/sfws
directory.

4.

You can edit the dhcpd.conf file as follows by using the vi command, or you can
use the sftp command and copy /OVS/seed_pool/sfws/dhcpd.conf from dom0
to /etc/dhcp/dhcpd.conf on host03. See your instructor if you need help in using
the sftp command.

s
a
h
o) e
c

du Guid
e

r
ita dent
# vi /etc/dhcp/dhcpd.conf
l
i
option subnet-mask
255.255.255.0;
nim Stu
u
option domain-name
o@"example.com";
this
s
r
e
option domain-name-servers
s
co o u192.0.2.1;

n
t
option broadcast-address
192.168.1.255;
a
(ju nse
default-lease-time
21600;
s
e
a
i
c
r
i
l
a le
max-lease-time
43200;
o
b
s
r
subnet
192.168.1.0
netmask 255.255.255.0 {
ra
corange
e192.168.1.200
f
s
n
192.168.1.254;
jua} -tran
nonenabling and starting the dhcpd service, specify a command-line argument to
Before

instruct the dhcpd service to only listen for DHCP requests on the eth2 network interface.
a.

Use the cp command to copy the dhcpd.service file from the


/usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory.

The /usr/lib/systemd/system/ systemd units are included with the RPM


packages and are not to be edited.
The /etc/systemd/system/ systemd units are created and managed by the
system administrator and take precedence.
# cp /usr/lib/systemd/system/dhcpd.service /etc/systemd/system/

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 4

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Use the vi editor to edit the /etc/systemd/system/dhcpd.service file and


append eth2 to the ExecStart line.
# vi /etc/systemd/system/dhcpd.service
...
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user
dhcpd -group dhcpd --no-pid eth2
...

5.

Enable and start the dhcpd service.


a.

Use the systemctl command to enable the dhcpd service to start at boot time.

Note that a symbolic link is created for the


/etc/systemd/system/dhcpd.service file.
# systemctl enable dhcpd
ln s /etc/systemd/system/dhcpd.service
/etc/systemd/system/multi-user.target.wants/dhcpd.service

a
s
a
h
b. Use the systemctl command to start the dhcpd service.
)
o
c ide

u
# systemctl start dhcpd
d Gu
e

r
c. Use the systemctl command to view the status of the
nt
itadhcpddeservice.
l
i
Note that the server is only listening on eth2.
nim Stu
u
o@ e this
# systemctl status dhcpd
s
r
co oDaemon
dhcpd.service DHCPv4 Server
us
n
t
a
Loaded: loaded(ju
(/etc/systemd/system/dhcpd.service;
enabled)
e
s
n
s
Active: active
since ...
ce
ria e (running)
i
l
a
...
o abl
s
r
<date_time>
co sferhost03...: Listening on LPF/eth2/00:16...
n
jua...-tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 5

Practice 2-2: Configuring a DHCP Client

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
Configure host01 VM as a DHCP client

Obtain an IP address from the DHCP server (host03) for the eth1 network interface

You begin this practice by opening a second terminal window on dom0 and logging in to host01
as the root user. You are already logged in as the root user to host03 from Practice 2-1.

Assumptions

This practice is performed on host01 and host03 VMs.


You are currently logged in to host03 (from Practice 2-1).
The prompts in the solution section include either host01 or host03 to indicate which
system to enter the command from.

a
s
a
h
)
o
Tasks
c ide

u
d Gu
1. Log in to the host01 VM guest from dom0.
e

r
ita dent
a. Open a second terminal window on dom0.
l
i
m su -tcommand
u
nithe
b. From the second terminal window on dom0, u
use
to become the
S
s
i
@
root user.
h
o
rs se t
o
The root password is oracle.
c
u

n
o
t
a
$ su
(ju nse
s
Password: oracle
ria e lice
a
o abl
#
s
r
o user
eron dom0, use the ssh command to log in to host01.
f
c. n
As c
the roots
n
aroot
jua The
r
t
password is oracle (all lowercase).
n
o
n [dom0]# ssh host01
root@host01s password: oracle
Last login: ...
[root@host01]#
2.

Use the rpm command to verify that the dhclient package is installed on host01.

In this example, the package is already installed.


[host01]# rpm q dhclient
dhclient-4.2.5-36.0.1.el7.x86_64

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 6

3.

Configure eth1 on host01 for DHCP.


Use the vi editor and change /etc/sysconfig/network-scripts/ifcfg-eth1.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The only change needed is ONBOOT=yes.


The interface is configured to use DHCP by default.
[host01]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=dhcp
...
ONBOOT=yes

4.

Use the ip addr command to display the network interfaces on host01.

Note that eth1 does not have an IP address.


[host01]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP>
mtu 65536 qdisc noqueue ...
link/loopback 00:00:00:00:00:00:00: brd 00:00:00:00:00:00
inet addr:127.0.0.1/8 scope host lo
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
...

5.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
raablease for eth1 from the DHCP server.
orsrequest
From host01,
c
e
f
n ans
ja.uaUse-tthe
r dhclient command to request a lease for eth1 from the DHCP server.
n
no[host01]# dhclient eth1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 7

b.

Use the ip addr command on host01 to verify that eth1 obtained an IP address.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this example, eth1 now has an IP address of 192.168.1.200.


[host01]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP>
mtu 65536 qdisc noqueue ...
link/loopback 00:00:00:00:00:00:00: brd 00:00:00:00:00:00
inet addr:127.0.0.1/8 scope host lo
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.200/24 brd 192.0.2.255 scope global eth1
...

6.

s
a
h
o) e
c

View information about the lease.


du Guid
a. View information about the lease on the client (host01). are
it dent
l
i
[host01]# cat /var/lib/dhclient/dhclient.leases
im Stu
n
u
lease {
o@ e this
s
r
interface eth1;
co o us

fixed-address 192.168.1.200;
n
t
ua255.255.255.0;
e
j
(
s
option subnet-mask
s icen
a
i
r
...
a le l
o
}
ors ferab
c
b. n
View information
s about the lease on the server (host03).
n
a
jua[host03]#
r
-t
cat /var/lib/dhcpd/dhcpd.leases
n
o
n ...
lease 192.168.1.200 {
starts ...
ends ...
...
hardware ethernet 00:16:3e:00:02:01
}

7.

Use the exit command to log off host01.

[host01]# exit
logout
Connection to host01 closed.
[dom0]#
In this window, you are logged in as the root user on dom0.

Leave this window open for the next practice (Practice 2-3).
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 8

Practice 2-3: Viewing and Testing the DNS Configuration

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
View the DNS configuration on dom0
Test the lookup functionality of DNS from host03

Assumptions

Dom0 is already configured as an authoritative nameserver for the example.com


domain.
This practice is performed on dom0 and on host03 VM.

You are logged in as the root user on dom0 from one terminal window.

You are logged in as the root user on host03 from a second terminal window.

The prompts in the solution section include either dom0 or host03 to indicate which
system to enter the command from.

a.

Use the service command to verify that the named service is started on dom0.

a
s
a
h
)
o
c ide

u
Tasks
d Gu
e

r
1. Use the rpm command to verify that the bind package is linstalled
nt
ita donedom0.
i
In this example, the package is installed.
nim Stu
u
[dom0]# rpm qa | grep bind o@
this
s
r
e
bind-libs-...
co o us

n
bind-utils-...
ua se t
j
(
s icen
bind-...
a
i
r
l is enabled and running on dom0.
a service
e
2. Ensure that the
named
l
o
b
raand
orsservice
e
Usecthe
chkconfig commands on dom0 because dom0 is running
f
s
n
n
a
Oracle
VM
Server
for
x86
version 3.2.1
ju -tra
n the systemctl command on the host01, host02, and host03 virtual machines
o
Use
n because
the VMs are running Oracle Linux 7.1.

In this example, the service is running.


[dom0]# service named status
number of zones: 3
debug level: 0
...
server is up and running
named (pid ...) is running...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 9

b.

Use the chkconfig command to verify that the named service is configured to start at
boot time on dom0.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this example, the service is configured to start when the system boots at either
run level 2, 3, or 4.
[dom0]# chkconfig named --list
named
0:off 1:off 2:on 3:on

3.

4:on

5:on

6:off

View the DNS configuration on dom0.


a.

View the main BIND configuration file, /etc/named.conf.

This file lists location and characteristics of your domains zone files.
Note that the zone file, /var/named/data/master-example.com, is defined.

Note that a reverse lookup zone file, /var/named/data/reverse-192.0.2, is


also defined.
[dom0]# cat /etc/named.conf
...
options {
directory /var/named;
...
zone example.com {
type master;
file data/master-example.com;
allow-update { key rndckey; };
notify yes;
};
...
zone 2.0.192.in-addr.arpa IN {
type master;
file data/reverse-192.0.2;
allow-update { key rndckey; };
notify yes;
};
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

b.

View the /var/named/data/master-example.com zone file.

This file defines IPv4 addresses (A records) for the DNS server, the DNS domain,
and the four VM guest systems.
[dom0]# cat /var/named/data/master-example.com
...
dns
A
192.0.2.1
example.com
A
192.0.2.1
host01
A
192.0.2.101
host02
A
192.0.2.102
host03
A
192.0.2.103
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 10

host04
...
c.

192.0.2.104

View the /var/named/data/reverse-192.0.2 file.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

This file defines PTR records for reverse name resolution.


[dom0]# cat /var/named/data/reverse-192.0.2
...
1
PTR
dns.us.oracle.com.
101
PTR
host01.example.com.
102
PTR
host02.example.com.
103
PTR
host03.example.com.
104
PTR
host04.example.com.

Perform the next task from host03.


4.

Test host name to IP resolution on host03.

a
s
a
a. Use the ping command to contact host01 and host02.
h
)
o
c ide
You can successfully contact these systems by name, because /etc/hosts
u
d Gu
resolves host names to IP addresses.
e

r
ita dent
l
[host03]# ping host01
i
tubytes of data.
nim56(84)
PING host01.example.com (192.0.2.101)
S
u
64 bytes from host01.example.com
icmp_seq=1...
o@ (192.0.2.101):
this
s
r
e
o
...
c to us
n
a
CTRL-C
(ju nse
s
[host03]# ping
host02
ia lice
r
a
PING host02.example.com
(192.0.2.102) 56(84) bytes of data.
o able
s
r
64 cbytes
o from
er host02.example.com (192.0.2.102): icmp_seq=1...
f
s
n
...
an
juaCTRL-C
r
t
on
n
b. Use the vi editor to edit the /etc/hosts file and comment out the lines for the VMs
with a # sign as follows.
[host03]# vi /etc/hosts
127.0.0.1
localhost.localdomain
192.0.2.1
example.com
#192.0.2.101
host01.example.com
#192.0.2.102
host02.example.com
#192.0.2.103
host03.example.com
c.

localhost
dom0
host01
host02
host03

Use the ping command to contact host01 and host02.

You can still successfully contact these systems by name, because DNS is
resolving host names to IP addresses.
[host03]# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 11

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

...
CTRL-C
[host03]# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C
d.

Use the grep command to search for the hosts string in the
/etc/nsswitch.conf file.

The first hosts entry is a comment.

In the second hosts entry, files means to use the local /etc/hosts file to
resolve host names to IP addresses.
Also in the second hosts entry, dns means to use DNS to resolve host names
to IP addresses when unable to resolve by using the /etc/hosts file.

a
s
a
h
[host03]# grep hosts /etc/nsswitch.conf
)
o
c ide
#hosts: db files nisplus nis dns

u
d Gu
e
hosts:
files dns

r
nt the dns
itaand dremove
l
e
i
e. Use the vi editor to edit the /etc/nsswitch.conf
file
im Stu
argument from the hosts entry as follows. un
o@ e this
s
[host03]# vi /etc/nsswitch.conf
r
co o us

hosts:
files dns
# old entry
n
t
a
hosts:
files (ju
# new entry
se
n
s
e
ria e toliccontact host01 and host02.
f. Use the pingacommand
l these systems by name now because DNS is no longer used.
o contact
b
s
You
cannot
r
a
co sfer
n
[host03]#
n ping host01
a
juaping:
r
t
n- unknown host host01
no[host03]#
ping host02
ping: unknown host host02
g.

Use the vi editor to edit the /etc/nsswitch.conf file and restore the dns
argument to the hosts entry as follows.
[host03]# vi /etc/nsswitch.conf
hosts:
files
hosts:
files dns

h.

# old entry
# new entry

Use the ping command to contact host01 and host02.

You can now successfully contact these systems by name, because DNS is
resolving host names to IP addresses.
[host03]# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 12

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

CTRL-C
[host03]# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C
i.

View the /etc/resolv.conf file.

DNS is only able to resolve host names to IP addresses because the


/etc/resolv.conf file contains a valid search domain, example.com, and valid
nameserver information.
The nameserver 192.0.2.1 for the example.com domain stores the zone files
that provide host name to IP address resolution.
[host03]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
u
tcomment
nimfile and
j. Use the vi editor to edit the /etc/resolv.conf
out all lines as
S
u
s
i
@
follows.
so se th
r
o
[host03]# vi /etc/resolv.conf
c to u
n
a
# Generated by NetworkManager
(ju nse
s
#search example.com
ia lice
r
a
#nameserver
le
o 192.0.2.1
b
s
r
a
#nameserver
co sfer152.68.154.3
n
#nameserver
jua -tran 10.216.106.3
n the ping command to contact host01 and host02.
k. o
n Use
You cannot contact these systems by name now.
[host03]# ping host01
ping: unknown host host01
[host03]# ping host02
ping: unknown host host02
l.

Use the vi editor to edit the /etc/resolv.conf file and remove the # signs to
uncomment the search and nameserver entries as follows.
[host03]# vi /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 13

m. Use the ping command to contact host01 and host02.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

You can now successfully contact these systems by name, because DNS is
resolving host names to IP addresses.
[host03]# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
CTRL-C
[host03]# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
...
CTRL-C

5.

a
s
a
h
a. View the /etc/resolv.conf file.
)
o
e
c the
Note the commented line indicating that NetworkManager d
generated
d
u
i
u
e

/etc/resolv.conf file.
G
r
t
lita den
i
[host03]# cat /etc/resolv.conf
m
tu
ni
S
# Generated by NetworkManager @u
o e this
s
search example.com
r
o
us
nameserver 192.0.2.1 nc
o
t
a
nameserver 152.68.154.3
(ju nse
s
nameserver 10.216.106.3
ria e lice
a
o abl
s
b. View the
/etc/sysconfig/network-scripts/ifcfg-eth0
file.
r
o fer
c
sthe DNS[123] entries in the ifcfg-eth0 file correspond to the
n Note that
n
a
jua nameserver
r
entries in the resolv.conf file.
-t
n
o
n Note that the DOMAIN entry in the ifcfg-eth0 file corresponds to the search
Note that NetworkManager generates the /etc/resolv.conf entries on host03.

entry in resolv.conf.

NetworkManager uses the information in the ifcfg-eth0 file to populate the


resolv.conf file.
[host03]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
...
DNS1=192.0.2.1
DNS2=152.68.154.3
DNS3=10.216.106.3
DOMAIN=example.com

6.

Use the host command to perform DNS lookups on host03.


a.

Query DNS for the nameserver for the example.com domain.


[host03]# host t NS example.com
example.com name server dns.example.com.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 14

b.

Query DNS for the IP address that corresponds to host01 system.


[host03]# host host01
host01.example.com has address 192.0.2.101

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Perform a reverse lookup by querying DNS for the domain name that corresponds to IP
address 192.0.2.102.
[host03]# host 192.0.2.102
102.2.0.192.in-addr-arpa domain name pointer host02.example.com

d.

Use the -v option to display verbose information about the example.com domain.
[host03]# host -v example.com
Trying "example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65099
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ...

s
a
h
o) e
IN
A
c

du Guid
e

r
;; AUTHORITY SECTION:
ita dent
l
i
example.com.
86400
IN
SOA
...
tu
nim dns.example.com.
S
u
...
o@ e this
s
r
Use the dig command to perform DNS
on
s host03.
colookups
u

n
o
t
Query DNS for the information
uaabout host02.example.com.
e
j
(
s
s icen
a
[host03]# dig
host02.example.com
i
r
a le l
o
...
ab
ors ferSECTION.
;; cQUESTION
n ans
IN
A
jua;host02.example.com.
tr
n
no;; ANSWER SECTION.
;; QUESTION SECTION:
;example.com.

7.

host02.example.com.

86400

IN

192.0.2.102

;; AUTHORITY SECTION.
example.com.
86400

IN

dns.example.com

IN

192.0.2.1

;; ADDITIONAL SECTION.
dns.example.com.
86400
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 15

Practice 2-4: Configuring a Caching-Only Nameserver


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you configure host03 as a caching-only nameserver.

Assumptions

You are the root user on host03.

All commands in this practice with one exception are executed on host03.

The one command that needs to be run on dom0 includes dom0 in the prompt.

Tasks
1.

Install the bind software package on host03.


a.

Use the rpm command to determine if the bind package is already installed.

In this example, there are several package names that returned from the rpm
command but the bind package is not installed.

s
a
h
o) e
c

# rpm qa | grep bind


du Guid
e

r
rpcbind-...
ita dent
l
i
PackageKit-device-rebind-...
nim Stu
u
keybinder3-...
o@ e this
bind-utils-...
s
r
co o us
bind-libs-...

n
t
bind-license-... (jua
e
s
s icen
a
bind-libs-lite-...
i
r
l
e
l
o acommand
b. Use thers
yum
to
b install the bind package.
a
r
o
c sy fwhen
e prompted Is this ok.
n Answer
n
a
ju # yum
trainstall bind
n
no...

Transaction Summary
===============================================================
Install 1 Package
Total download size: 1.8 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
...
Complete!
2.

View the BIND configuration files and directories.


a.

View the /etc/named.conf file.

This is the main BIND configuration file.


Note that the default BIND configuration files provide a caching-only nameserver.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 16

Note that only one zone is defined, whose name is a period (.).

This zone is a hint zone type and specifies that the nameserver look in the
/var/named/named.ca file for IP addresses of authoritative servers for the root
domain when the nameserver starts or does not know which nameserver to query.
The /etc/named.conf also includes the /etc/named.rfc1912.zones file.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# cat /etc/named.conf
...
// Provided by Red Hat bind package to configure the ISC BIND
// named(8) DNS server as a caching only nameserver ...
...
options {
...
directory /var/named;
...
/*
- If you are building an AUTHORITATIVE DNS server,
do NOT enable recursion.
- If you are building an RECURSIVE (caching) DNS
server, you need to enable recursion.
recursion yes;
...
};

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
l
logging { a
e
l
o
rab
ors f...
c
e
s
n};
jua -tran
n . IN {
nozone

type hint;
file named.ca;
};
include /etc/named.rfc1912.zones;
include /etc/named.root.key;
b.

View the /etc/named.rfc1912.zones file.

This is the base configuration file for implementing a caching-only nameserver.


There are five zones defined in this file.

Zone options are included for each of these five zones:


type: Specifies the zone type which is set to master for all five zones. Type
master designates the nameserver as authoritative for this zone. A zone is set
as master if the zone file resides on this system.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 17

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

file: Specifies the name of the zone file, which is stored in the working
directory defined by the directory option (/var/named in this example)

allow-update: Specifies which hosts are allowed to dynamically update


information in their zone. Dynamic updates are set to none for these zones,
meaning they are not allowed.

# cat /etc/named.rfc1912.zones
...
// Provided by Red Hat caching-nameserver package
...
zone localhost.localdomain IN {
type master;
file named.localhost;
allow-update { none; };
};

a
s
a
h
)
zone localhost IN {
o
c ide

u
type master;
d Gu
e

r
file named.localhost;
ita dent
l
i
allow-update { none; };
im Stu
n
u
};
o@ e this
s
r
co o us

zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0....ip6.arpa
IN {
n
t
a
u
e
j
type master;
(
ns
s
e
a
i
c
file
named.loopback;
r e li
aallow-update
l
o
{ none; };
b
s
r
a
r
o
}; c
fe
s
n
n
a
ju -tra
n 1.0.0.127.in-addr.arpa IN {
nozone
type master;
file named.loopback;
allow-update { none; };

};
zone 0.in-addr.arpa IN {
type master;
file named.empty;
allow-update { none; };
};

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 18

c.

View the /var/named/ directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

This is the default directory in which zone files are stored.


# ls l /var/named
total 16
drwxrwx--- ... named
drwxrwx--- ... named
-rw-r----- ... root
-rw-r----- ... root
-rw-r----- ... root
-rw-r----- ... root
drwxrwx--- ... named

d.

named
named
named
named
named
named
named

...
...
...
...
...
...
...

data
dynamic
named.ca
named.empty
named.localhost
named.loopback
slaves

View the /var/named/named.ca file.

This file contains a list of the 13 root authoritative DNS servers.

a
s
a
h
)
o
c ide

u
IN
A
198.41.0.4
d Gu
e

r
ta ent
i
l
i
IN
A
im
ud192.228.79.201
t
n
S
u
IN
A is
192.33.4.12
@
h
o
t
s
199.7.91.13
or INuse A
c

n
toIN
a
u
e
j
A
192.203.230.10
(
s
n
s
e
IN
A
192.5.5.241
ria e lic
a
l
so rab
r
o
c sfe
IN
A
192.112.36.4
n
n
a
IN
A
128.63.2.53
ju -tra
n
no
IN
A
192.36.148.17
# cat /var/named/named.ca
...
a.root-servers.net
3600000
...
b.root-servers.net
3600000
c.root-servers.net
3600000
d.root-servers.net
3600000
...
e.root-servers.net
3600000
f.root-servers.net
3600000
...
g.root-servers.net
3600000
h.root-servers.net
3600000
...
i.root-servers.net
3600000
...
j.root-servers.net
3600000
...
k.root-servers.net
3600000
...
l.root-servers.net
3600000
...
m.root-servers.net
3600000
...

IN

192.58.128.30

IN

193.0.14.129

IN

199.7.83.42

IN

202.12.27.33

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 19

3.

Start a DNS caching-only nameserver on host03.


a.

Use the vi editor to add the following entry to the beginning of the list of nameservers
in the /etc/resolv.conf file:

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

nameserver 127.0.0.1

This line indicates use of the local system as the primary nameserver.
# vi /etc/resolv.conf
search example.com
nameserver 127.0.0.1
nameserver 192.0.2.1
...

b.

# add this line only

Use the systemctl command to enable the named service.


# systemctl enable named
ln s /usr/lib/systemd/system/named.service
/etc/systemd/system/multi-user.target.wants/named.service

a
s
a
h
)
o
c. Use the systemctl command to start the named service.
c ide

u
d Gu
This command takes a few seconds to complete.
e

r
ita dent
l
# systemctl start named
i
tuas the root user, and
nim
S
d. From the second terminal window on dom0, u
ssh
to host03
s 3e.
o@ e ttohistep
monitor the journal in real time beforesproceeding
r
o allowsuyou
s to see the host name to IP resolution
Monitoring the journal in realc
time
n
o
t
a
occurring.
(jonu host03
seis oracle.
n
s
The root password
e
riato enlarge
ic this window to see more of the journal entries.
l
a
e
You might
want
l
so rab
r
o
c ssh
[dom0]#
fe root@host03
s
n
n
a
password: oracle
ju root@host03s
tra
n
no[root@host03 ~]# journalctl f
-- Logs begin at ...
...

e.

In the original window, use the ping command to contact host01 and host02.

You can now successfully contact these systems by name, because DNS is
resolving host names to IP addresses.

Press Ctrl + C to exit after a few lines of output.


# ping host01
PING host01.example.com (192.0.2.101) 56(84) bytes of data.
64 bytes from host01.example.com (192.0.2.101): icmp_seq=1...
...
CTRL-C
# ping host02
PING host02.example.com (192.0.2.102) 56(84) bytes of data.
64 bytes from host02.example.com (192.0.2.102): icmp_seq=1...
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 20

...
CTRL-C

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

f.

Notice the resolving messages in the journal window.


[root@host03 ~]# journalctl f
-- Logs begin at ...
<date_time> host03... error (network unreachable) resolving ...
...

g.

Use the CTRL-C command to stop the journalctl f command.


# journalctl f
...
CTRL-C

h.

Use the exit command to log off host03 from this second window.

a
s
a
h
)
o
c ide

u
d status
u of the
e

G
In the first terminal window on host03, use the rndc command
to
obtain
r
t
lita den
i
named service.
m
tu
ni
S
u
# rndc status
o@ e this
s
Version: ...
r
co o us

CPUs found: 1
n
t
a
e
worker threads: 1(ju
s
s icen
a
i
UDP listeners
per interface:
1
r
l
a
e
l
o zones:
numbersof
b 101
r
a
r
o
c level:
debug
fe 0
s
n
n
a
ju ...-tra
n named service on host03 and restore to original configuration.
Stop
nothe
# exit
logout
Connection to host03 closed.

4.

5.

a.

Use the systemctl command to stop the named service.


# systemctl stop named

b.

Use the systemctl command to disable the named service.


# systemctl disable named
rm /etc/systemd/system/multi-user.target.wants/named.service

c.

Use the vi editor to remove the following entry from the /etc/resolv.conf file:
nameserver 127.0.0.1
# vi /etc/resolv.conf
search example.com
nameserver 127.0.0.1
nameserver 192.0.2.1
...

# delete this line only

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 21

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

Use the vi editor to edit the /etc/hosts file and remove the comment (# sign) from
the entries previously commented out.
# vi /etc/hosts
192.0.2.101
host01.example.com
192.0.2.102
host02.example.com
192.0.2.103
host03.example.com

6.

host01
host02
host03

Log off host03.


Use the exit command to log off host03.
# exit
logout
Connection to host03 closed.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 2: Network Addressing and Name Services


Chapter 2 - Page 22

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a
s
a
h
)
o
c ide

u
d Gu
e

r
Practices lfor
Lesson
ita dent 3:
i
Authentication
nim Stu and Directory
u
Services
o@ e this
s
r
co Chapter
us 3

n
o
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 1

Practices for Lesson 3: Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practices Overview
In these practices, you configure:
OpenLDAP server and enable LDAP authentication
OpenLDAP client and log in as an LDAP user

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 2

Practice 3-1: Configuring an OpenLDAP Server

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
Configure an OpenLDAP server in preparation to implement LDAP authentication

Install the OpenLDAP packages and the migrationtools package

Configure the slapd.d configuration database

Configure the base domain and test the LDAP server


Migrate users and groups into the LDAP directory

Modify firewalld to allow access from LDAP clients

Assumptions

You are the root user on dom0.

a
s
a
h
Tasks
)
o
c ide

1. Connect to host03 by using vncviewer.


u
d Gu
e

r
a. From dom0, determine the VNC port number for host03
by
running
ita dentthe xm list l
l
i
host03 | grep location command.
tu Your port number might
nim is 5904.
S
The sample shown indicates that the port u
number s
o@ e thi
be different.
s
r
co location
us

# xm list l host03 |ngrep


o
t
a
e
(location
(ju ns0.0.0.0:5904)
s
e
ria (location
ic 3)
l
a
e
l
o ab command.
b. Run thers
vncviewer&
o
c sfer
n
#
vncviewer&
an
jua -The
r
t
on VNC Viewer: Connection Details dialog box is displayed.
n
c. Enter localhost:<port_number>, substituting the port number displayed from the
previous xm list l host03 | grep location command. For example, if the
port number is 5904, enter localhost:5904 and click Connect.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The GNOME login screen appears. You might need to press Enter to display the
login screen.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
t You are prompted for the Password.
a list of eusers.
d. Click Oracle Student inju
the
(
s
s Password
enand click Sign In.
a
e. Enter oracle for
the
i
c
r
i
l
le appears.
o a desktop
The GNOME
b
s
r
a
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 4

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

f.

Right-click the desktop to display the pop-up menu.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
g. From the pop-up menu, click Open
co in Terminal.
us

n
o
t
a
A terminal window appears.
(ju nse
s
e su - command to become the root user.
h. In the terminal window,
ria euse
icthe
l
a
l is oracle.
o password
The root
b
s
r
a
co sfer
$ su
n
an oracle
juaPassword:
r
t
no#n
2.

Install the required RPM packages on host03.


Use the yum command to install the following packages:

openldap-servers

openldap-clients

migrationtools
Answer y when prompted Is this ok.
# yum install openldap-servers openldap-clients migrationtools
...
Transaction Summary
=============================================================
Install 3 Packages
Total download size: 2.3 M
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 5

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Installed size: 5.3 M


Is this ok [y/d/N]: y
...
Complete!
3.

Copy default DB_CONFIG template file.


a.

Use the ls command to view the contents of the /var/lib/ldap directory.

Note that the directory is empty.


# ls /var/lib/ldap

b.

Use the ls command to view the contents of the /usr/share/openldap-servers


directory.
A default DB_CONFIG template file is installed in the /usr/share/openldapservers directory.

The default DB_CONFIG template file name is DB_CONFIG.example file.

a
s
a
# ls /usr/share/openldap-servers
h
)
o
DB_CONFIG.example slapd.ldif
c ide

u
d Gu
e
c. Use the cp command to copy the /usr/share/openldap
r
nt and rename
ita dedirectory
servers/DB_CONFIG.example file into the /var/lib/ldap
l
i
the copied file DB_CONFIG.
nim Stu
u
o@ e this
# cp /usr/share/openldap-servers/DB_CONFIG.example
s
r
/var/lib/ldap/DB_CONFIGco
us
n
o
t
a
d. Use the ls -l command
econtents of the /var/lib/ldap directory.
(juto listnthe
s
s
a owner
Note that thericurrent
ce and group is root.
i
l
a
legroup need to be changed to ldap.
oowneraand
Bothrs
the
b
co sfer
# ls l /var/lib/ldap
n
an 1 root root ... DB_CONFIG
jua-rw-r--r--.
r
t
on
e.n Use the chown -R command to change both the owner and group of the
/var/lib/ldap directory to ldap.
# chown R ldap.ldap /var/lib/ldap
f.

Use the ls -l command to show the new owner and group.

Note that the owner and group are now set to ldap.
# ls l /var/lib/ldap
-rw-r--r--. 1 ldap ldap ... DB_CONFIG

4.

Start the slapd service.


a.

Use the systemctl command to enable and start the slapd service.
# systemctl enable slapd
ln s /usr/lib/systemd/system/slapd.service
/etc/systemd/system/multi-user.target.wants/slapd.service
# systemctl start slapd
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 6

b.

Use the ls -l command to list the contents of the /var/lib/ldap directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that the initial database now exists.


# ls l /var/lib/ldap
-rw-r--r--. 1 ldap ldap
-rw-------. 1 ldap ldap
-rw-------. 1 ldap ldap
-rw-------. 1 ldap ldap
-rw-r--r--. 1 ldap ldap
-rw-------. 1 ldap ldap
-rw-------. 1 ldap ldap
-rw-------. 1 ldap ldap

5.

...
...
...
...
...
...
...
...

alock
__db.001
__db.002
__db.003
DB_CONFIG
dn2id.bdb
id2entry.bdb
log.0000000001

View the /etc/openldap directory.


a.

Use the cd command to change to the /etc/openldap directory.

s
a
h
Note that, in this version of OpenLDAP, there is no slapd.confcfile.
o) e

duthe slapd.d
Instead, there is a configuration database, which is located
in
uid
e

G
r
directory.
ita dent
l
i
# cd /etc/openldap
nim Stu
u
# ls l
o@ e this
s
r
drwxr-xr-x. 2 root root c...
o certs
us

n
o
-rw-r--r--. 1 root root
... tcheck_password.conf
a
(jurootn...
se ldap.conf
-rw-r--r--. 1 root
s
e
r2iaroot
ic ... schema
l
drwxr-xr-x.
root
a
e
l
b ldap ... slapd.d
so r3aldap
r
drwx------.
o
c
e
f
scommand to change to the slapd.d directory.
n theacd
n
jb.ua UseUse
r
-t the ls -l command to display the contents of the directory.
n
o
n

Use the ls -l command to display the contents of the directory.

# cd slapd.d
# ls l
drwxr-x---. 3 ldap ldap ... cn=config
-rw-------. 1 ldap ldap ... cd=config.ldif

c.

Use the cd command to change to the cn=config directory.

Use the ls -l command to display the contents of the configuration directory.


# cd cn=config
# ls l
drwxr-x---. 2 ldap
-rw-------. 1 ldap
-rw-------. 1 ldap
-rw-------. 1 ldap
-rw-------. 1 ldap
-rw-------. 1 ldap

ldap
ldap
ldap
ldap
ldap
ldap

...
...
...
...
...
...

cn=schema
cn=schema.ldif
olcDatabase={0}config.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={1}monitor.ldif
olcDatabase={2}hdb.ldif

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 7

6.

Update the OpenLDAP configuration database domain component.


The default is dc=my-domain,dc=com.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Change all occurrences to dc=example,dc=com.

Use the grep command to search for the my-domain string in all files in the configuration
directory.
Note that the following files contain the my-domain string:

olcDatabase={1}monitor.ldif

olcDatabase={2}hdb.ldif

Change each occurrence of my-domain to example.


# grep my-domain *
grep: cn=schema: Is a directory
olcDatabase={1}monitor.ldif: ,cn=auth read by
dn.base=cn=Manager,dc=my-domain,dc=com read by * none
olcDatabase={2}hdb.ldif:olcSuffix: dc=my-domain,dc=com
olcDatabase={2}hdb.ldif:olcRootDN: cn=Manager,dc=mydomain,dc=com

7.

s
a
h
o) e
c

du Guid
e

Update the Database Suffix.


r
ta ent
i
l
i
a. Use the cat command to view the olcDatabase={2}hdb.ldif
im Stud file.
n
u
The .ldif extension begins with the @
lowercase letter
is l, not the number 1.
h
o
t
s
e
Note the comment, DO NOT EDIT!!
or Useusldapmodify.
c

n
o contain the dc=my-domain string.
tthat
Note that there are two a
parameters
u
e
j
(
ns
olcRootDNas
e
i
c
ar le li
olcSuffix
o
rab
orsolcDatabase={2}hdb.ldif
# cat
c
e
f
n ans
FILE DO NOT EDIT!! Use ldapmodify.
jua# AUTO-GENERATED
r
t
n
no...
olcRootDN: cn=Manager,dc=my-domain,dc=com

...
olcSuffix: dc=my-domain,dc=com
...
b.

Use the cp command to make a backup copy of the olcDatabase={2}hdb.ldif


file.
# cp olcDatabase={2}hdb.ldif hdb_BAK

c.

Use the ldapmodify command to set the Database Suffix.

The Q option means Enable SASL Quiet mode. Never prompt.


SASL is Simple Authentication and Security Layer.
It is a framework for authentication and data security in Internet protocols.
It decouples authentication mechanisms from application protocols, allowing you
to use any authentication mechanism supported by SASL.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 8

The Y EXTERNAL option specifies the SASL mechanism to be used for


authentication.
A SASL mechanism implements a series of challenges and responses.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

EXTERNAL means authentication is implicit in the context (for example, for


protocols already using IPsec or Transport Layer Security).

The H ldapi:/// option specifies URI(s) referring to the ldap server(s). Only the
protocol/host/port fields are allowed. A list of URI separated by whitespace or
commas is expected.
LDAPI allows LDAP connections to run over IPC connections, meaning the
LDAP operations can run over UNIX sockets.
After issuing the ldapmodify command, the prompt changes to >.

Enter the entries in bold as shown.


#
>
>
>
>
>
>

ldapmodify Q Y EXTERNAL H ldapi:/// <<EOF


dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

>
>
>
>
>

changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
EOF
im Stu
n
u
Press the Enter key after entering EOF.
@ this
o
s
r
This terminates the ldapmodify
o command
seand displays the following message:
c
u

n
to
Modifying entry olcDatabase={2}hdb,cn=config
a
u
e
j
(
nsto set the Database RootDN.
s
e
d. Use the ldapmodify
command
a
i
c
li
arthe ldapmodify
e
l
o
After s
issuing
command, the prompt changes to >.
b
r
a
r
o
c thesentries
Enter
fe in bold as shown.
n
n
a
ju # ldapmodify
Q Y EXTERNAL H ldapi:/// <<EOF
tra
n
o
n > dn: olcDatabase={2}hdb,cn=config

EOF
Press the Enter key after entering EOF.

This terminates the ldapmodify command and displays the following message:

Modifying entry olcDatabase={2}hdb,cn=config


e.

Use the diff command to view the differences between the


olcDatabase={2}hdb.ldif file and the hdb_BAK file.

Ensure the differences in olcSuffix and olcRootDN match the following.


If not, repeat steps 6c and 6d as needed to make the corrections.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Ignore the other differences such as entryCSN, modifiersName, and


modifyTimestamp.
# diff olcDatabase={2}hdb.ldif hdb_BAK
...
> olcSuffix: dc=my-domain,dc=com
> olcRootDN: cn=Manager,dc=my-domain,dc=com
...
> olcSuffix: dc=example,dc=com
> olcRootDN: cn=Manager,dc=example,dc=com
...

f.

Use the grep command to search for the my-domain string in all files in this
directory.

Note that one database file still contains the my-domain string:

a
s
a
h
Ignore the occurrences in the hdb_BAK file.
)
o
c ide

u
# grep my-domain *
d Gu
e

r
grep: cn=schema: Is a directory
ta ent
i
l
i
hdb_BAK:olcSuffix: dc=my-domain,dc=com
im Stud
n
u
hdb_BAK:olcRootDN: cn=Manager,dc=my-domain,dc=com
s
@ thiread
o,cn=auth
olcDatabase={1}monitor.ldif:
by
s
r
e
o
s
c
dn.base=cn=Manager,dc=my-domain,dc=com
read by * none
u

n
o
t
a
Update the Database Access.
(ju nse
s
ce the olcDatabase={1}monitor.ldif file.
ria etoliview
a. Use the cat a
command
lto use ldapmodify to edit this file.
ocomment
b
s
Note
the
r
a
co thatsthere
er is one parameter that contains the dc=my-domain string.
f
n

Note
an
jua -trolcAccess
nonThe my-domain value for this olcAccess parameter needs to be changed to

8.

olcDatabase={1}monitor.ldif

example.

# cat olcDatabase={1}monitor.ldif
# AUTO-GENERATED FILE DO NOT EDIT!! Use ldapmodify.
...
olcAccess: {0}to * by
dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
read by dn.base=cn=Manager,dc=my-domain,dc=com read by *
none
...
b.

Use the cp command to make a backup copy of the


olcDatabase={1}monitor.ldif file.
# cp olcDatabase={1}monitor.ldif monitor_BAK

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 10

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Use the ldapmodify command to set the Database Access.

After issuing the ldapmodify command, the prompt changes to >.

Enter the entries in bold as shown.

# ldapmodify Q Y EXTERNAL H ldapi:/// <<EOF


> dn: olcDatabase={1}monitor,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by
dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
read by dn.base=cn=Manager,dc=example,dc=com read by * none
>
> EOF
Press the Enter key after entering EOF.

a
s
a
Modifying entry olcDatabase={1}monitor,cn=config
h
)
o
c ide

d. Use the diff command to view the differences between the


u
d file. Gu
e

olcDatabase={1}monitor.ldif file and the monitor_BAK


r
ita dent
l
i
Ensure the differences in olcAccess match the
following.
nim Stu
u
If not, repeat step 7c to make the correction.
is
@ thmodifiersName,
oentryCSN,
Ignore the other differences suchras
and
s
e
o
s
c
u
modifyTimestamp.

n
o
t
a
(ju nse
# diff olcDatabase={1}monitor.ldif
monitor_BAK
s
e
a
i
c
...
ar le li
o
b * by
> olcAccess:
ors fera{0}to
c
dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
n readanbys dn.base=cn=Manager,dc=my-domain,dc=com read by *
juanone
tr
n
no...

This terminates the ldapmodify command and displays the following message:

> olcAccess: {0}to * by


dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
read by dn.base=cn=Manager,dc=example,dc=com read by * none
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 11

e.

Use the grep command to search for the my-domain string in all files in this
directory.
Note that no database files now contain the my-domain string.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Ignore the occurrences in the _BAK files.


# grep my-domain *
grep: cn=schema: Is a directory
hdb_BAK:olcSuffix: dc=my-domain,dc=com
hdb_BAK:olcRootDN: cn=Manager,dc=my-domain,dc=com
monitor_BAK: ,cn=auth read by dn.base=cn=Manager,dc=mydomain,dc=com read by * none

9.

Create an encrypted user password.


a.

Use the slappasswd command to create an encrypted user password.

Enter a password of oracle.

Note that the encrypted password is displayed. This is a sample only; yours is
different.

a
s
a
h
)
o
c ide

u
# slappasswd
d Gu
e

r
New password: oracle
ta ent
i
l
i
Re-enter new password: oracle
im Stud
n
u
{SSHA}CsLkwW6B9+yBlzrGuHBdIT0z2Mj4q4l+ is
o@
thbuffer.
s
b. Select the encrypted password and
copy
it into
the
r
e
o
us
c astoshown.
n
Highlight the encrypted a
password
(ju highlighted,
se select Edit > Copy from the terminal window
With encrypted password
n
s
e
menu.
ria e lic
a
o abl
s
r
co sfer
n
jua -tran
non
10. Use the ldapmodify command to set the olcRootPW directive.

You are adding this new directive to the olcDatabase={2}hdb.ldif file.

After issuing the ldapmodify command, the prompt changes to >.

a.

Enter the entries in bold as shown.


Ensure that you include a space after the olcRootPW: directive.
#
>
>
>
>

ldapmodify Q Y EXTERNAL H ldapi:/// <<EOF


dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW:

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 12

b.

Paste the encrypted password from the buffer by selecting Edit > Paste from the
terminal window menu.

The olcRootPW: directive appears as follows:

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

> olcRootPW: {SSHA}CsLkwW6B9+yBlzrGuHBdIT0z2Mj4q4l+


c.

Press the Enter key twice to add a blank line.

The final entry is EOF. The complete list of commands is shown:


#
>
>
>
>
>
>

ldapmodify Q Y EXTERNAL H ldapi:/// <<EOF


dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}CsLkwW6B9+yBlzrGuHBdIT0z2Mj4q4l+
EOF

a
s
a
hmessage:
)
This terminates the ldapmodify command and displays the following
o
c ide

u
u
Modifying entry olcDatabase={2}hdb,cn=config ed
G
r
t
lita den
11. Load the standard schemas.
i
m
tube loaded by using the
ni whichScan
The standard schemas are provided as LDIFu
files,
ldapadd command.
o@ e this
s
r
The standard schema files are located
co oin the
us/etc/openldap/schema directory.
n
t
a
e of the /etc/openldap/schema directory.
a. Use the ls command (
toju
view thescontents
n
s
e
ia in lboth
Each one is roffered
ic the original LDAP schema form and in LDIF.
a
e
l
so rab
# ls /etc/openldap/schema
r
o
c sfe
collective.ldif
cosine.schema java.ldif
openldap.schema
n
n
a
a
ju collective.schema
r
duaconf.ldif
java.schema pmi.ldif
-t
n
o
n ...
d.

Press the Enter key after entering EOF.

b.

Use the ldapadd command to load the following schemas.

core, cosine, inetorgperson, nis

These four schemas define the basic objects and attributes needed to describe a
typical organization.

Use the -f <filename> option for each schema.

Ignore any Duplicate attributeType messages.


# ldapadd Q Y EXTERNAL H ldapi:/// -f
/etc/openldap/schema/core.ldif
adding new entry cn=core,cn=schema,cn=config
# ldapadd Q Y EXTERNAL H ldapi:/// -f
/etc/openldap/schema/cosine.ldif
adding new entry cn=cosine,cn=schema,cn=config
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 13

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# ldapadd Q Y EXTERNAL H ldapi:/// -f


/etc/openldap/schema/inetorgperson.ldif
adding new entry cn=inetorgperson,cn=schema,cn=config
# ldapadd Q Y EXTERNAL H ldapi:/// -f
/etc/openldap/schema/nis.ldif
adding new entry cn=nis,cn=schema,cn=config
12. Add users and groups to host03.

This step populates the /etc/passwd and /etc/group files that are used later in
this practice.

a.

Use the useradd command to add users as follows.


#
#
#
#

useradd
useradd
useradd
useradd

c Oracle Student1 student1


u 1005 c Oracle Student2 s /bin/sh student2
c Oracle Student3 s /bin/sh student3
new_user

a
s
a
h
)
o

e
b. Use the passwd command to create a password (of password) u
forc
the student1
d
i
d Gu
user.
e

r
t as the
n
itotause password
Ignore the BAD PASSWORD warning, continuing
l
e
i
password.
nim Stud
u
# passwd student1
o@ e this
s
r
Changing password for user
co student1.
us

n
o
t
a
New password: password
(jupassword
sefails the dictionary check ...
n
s
BAD PASSWORD:
The
e
ria e licpassword
a
Retype new
password:
o abl
s
r
passwd:
co all
erauthentication tokens updated successfully.
f
s
n
n
command to add the students group.
agroupadd
jc.uaUse-tthe
r
no#ngroupadd students
d.

Use the tail /etc/group command to obtain the GID for the students group.

The output shows that the GID for the students group is 1008.
# tail /etc/group
...
students:x:1008:

e.

Use the usermod command to add oracle, student1, and student2 users to the
students group.

Repeat the tail /etc/group command to view the changes.


#
#
#
#

usermod aG 1008 oracle


usermod aG 1008 student1
usermod aG 1008 student2
tail /etc/group

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 14

...
students:x:1008:oracle,student1,student2
13. Configure the base domain and test the LDAP server.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Use the cd command to change to the /etc/openldap directory.


# cd /etc/openldap

b.

Use the vi editor to create the base.ldif file as follows.

Note: A sample base.ldif file exists on dom0 in the /OVS/seed_pool/sfws directory.

You can create the base.ldif file as follows by using the vi command, or you
can use the sftp command and copy /OVS/seed_pool/sfws/base.ldif from
dom0 to /etc/openldap/base.ldif on host03. See your instructor if you need
help in using the sftp command.
# vi base.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
dn: ou=People,dc=example,dc=com
nim Stu
u
ou: People
o@ e this
s
r
objectClass: top
co o us

n
objectClass: organizationalUnit
ua se t
j
(
s icen
a
i
r
dn: ou=Group,dc=example,dc=com
a le l
o
rs erab
ou: o
Group
c
f top
s
n
objectClass:
n
a
ju objectClass:
tra
organizationalUnit
n
o
c.n Use the ldapadd command to add the base information to the LDAP directory.

The x option uses simple authentication instead of SASL.

The W option prompts for simple authentication. This is used instead of specifying
the password on the command line.
The -D cn=Manager,dc=example,dc=com option uses the Distinguished
Name (DN) to bind to the LDAP directory. For SASL binds, the server ignores this
option.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 15

The LDAP password is oracle.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# ldapadd -x -W -D cn=Manager,dc=example,dc=com -f base.ldif


Enter LDAP Password: oracle
adding new entry dc=example,dc=com
adding new entry ou=People,dc=example,dc=com
adding new entry ou=Group,dc=example,dc=com
d.

Use the ldapsearch command to test the LDAP server.


# ldapsearch -x -b dc=example,dc=com
...
# example.com
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

s
a
h
o) e
c

du Guid
e

r
ta ent
i
l
i
# People, example.com
im Stud
n
u
dn: ou=People,dc=example,dc=com
o@ e this
ou: People
s
r
co o us

objectClass: top
n
ua se t
j
objectClass: organizationalUnit
(
s icen
a
i
r
a le l
o
# Group,
example.com
rs erab
dn:co
ou=Group,dc=example,dc=com
f
s
n
n
a
ju ou:-tGroup
ra
n
objectClass:
noobjectClass: top
organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 16

14. Update the migrate_common.ph file for correct domain.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Use the vi editor to edit the /usr/share/migrationtools/migrate_common.ph


file.
Use the :set nu command to turn on line numbers.
# vi /usr/share/migrationtools/migrate_common.ph
...
:set nu

b.

At around line number 71, change the value of $DEFAULT_MAIL_DOMAIN from


padl.com to example.com.
$DEFAULT_MAIL_DOMAIN = padl.com;
$DEFAULT_MAIL_DOMAIN = example.com;

c.

(old value)
(new value)

At around line number 74, change dc=padl to dc=example.

a
s
a
h
)
o
c ide

d. Save the migrate_common.ph file and exit vi.


u
d Gu
e

r
15. Migrate the users.
ita dent
l
i
a. Use the grep command to list users in the /etc/passwd
im Stfile
u with UID in the 1000n
u
1009 range.
thasisshown.
so@this
r
The purpose of step 12 was too
populate
file
e
c do
us
entries
n
Do not be concerned if your
not match exactly.
o
t
a
(ju/etc/passwd
se
n
# grep :100[0-9]
s
e
ria e lic
a
oracle:x:1000:1000:Oracle
Student:/home/oracle:/bin/bash
l
o
b
s
r
student1:x:1001:1001:Oracle
Student1:/home/student1:/bin/bash
o fera
c
s
n
Student2:/home/student2:/bin/sh
n
a
juastudent2:x:1005:1005:Oracle
r
t
student3:x:1006:1006:Oracle
Student3:/home/student3:/bin/sh
nnonew_user:x:1007:1007::/home/new_user:/bin/bash
$DEFAULT_BASE = dc=padl,dc=com;
$DEFAULT_BASE = dc=example,dc=com;

b.

(old value)
(new value)

Run the same command but redirect the output to passwd.


# grep :100[0-9] /etc/passwd > passwd

c.

Run the migrate_passwd.pl command to migrate user information in the passwd


file into an LDIF format.
Redirect the output to users.ldif.

Use the absolute path name with the command because the
/usr/share/migrationtools directory is not in your path.
# /usr/share/migrationtools/migrate_passwd.pl passwd >
users.ldif

d.

Use the ldapadd command to import the user information to the LDAP directory.

The LDAP password is oracle.


# ldapadd -x -W -D cn=Manager,dc=example,dc=com -f users.ldif
Enter LDAP Password: oracle
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 17

adding new entry uid=oracle,ou=People,dc=example,dc=com


adding new entry uid=student1,ou=People,dc=example,dc=com

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

adding new entry uid=student2,ou=People,dc=example,dc=com


adding new entry uid=student3,ou=People,dc=example,dc=com
adding new entry uid=new_user,ou=People,dc=example,dc=com
e.

Use the ldapsearch command to display the new oracle user entry in the LDAP
server.
The common name (cn) is Oracle Student.
# ldapsearch x cn=Oracle Student -b dc=example,dc=com
...
# oracle, People, example.com
dn: uid=oracle,ou=People,dc=example,dc=com
uid: oracle
cn: Oracle Student
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0...
shadowLastChange: ...
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/oracle
gecos: Oracle Student

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 18

16. Migrate the user groups.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Use the grep command to list groups in the /etc/group file with GID in the 10001009 range.

This was the purpose of step 12, to populate this file as shown.
Do not be concerned if your entries do not match exactly.
# grep :100[0-9] /etc/group
oracle:x:1000:oracle
student1:x:1001:
student2:x:1005:
student3:x:1006:
new_user:x:1007:
students:x:1008:oracle,student1,student2

b.

Run the same command but redirect the output to group.

a
s
a
h
)
o
file
c. Run the migrate_group.pl command to migrate group information
c in theidgroup
e

u
into an LDIF format.
d Gu
e

r
Redirect the output to group.ldif.
ita dent
l
i
Use the absolute path name with the command
tuthe
nimbecause
S
u
/usr/share/migrationtools directory
is
not
in
your
@ this path.
o
s
or use
# /usr/share/migrationtools/migrate_group.pl
group > group.ldif
c

n
o
t
a
d. Use the ldapadd command
e the group information to the LDAP directory.
(ju tonimport
s
s
The LDAP password
ce
ria eislioracle.
a
o -x a-Wbl-D cn=Manager,dc=example,dc=com -f group.ldif
# ldapadd
s
r
r
co LDAP
ePassword:
f
Enter
oracle
s
n
n
a
juaadding
r
new
entry
cn=oracle,ou=Group,dc=example,dc=com
-t
n
o
n
# grep :100[0-9] /etc/group > group

adding new entry cn=student1,ou=Group,dc=example,dc=com


adding new entry cn=student2,ou=Group,dc=example,dc=com
adding new entry cn=student3,ou=Group,dc=example,dc=com
adding new entry cn=new_user,ou=Group,dc=example,dc=com
adding new entry cn=students,ou=Group,dc=example,dc=com

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 19

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

e.

Use the ldapsearch command to display the new students group entry in the
LDAP server.
# ldapsearch x cn=students -b dc=example,dc=com
...
# students, Group, example.com
dn: cn=students,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: students
userPassword:: e2NyeXB0...
gidNumber: 1008
memberUid: oracle
memberUid: student1
memberUid: student2

a
s
a
h
)
o
# search result
c ide

u
search: 2
d Gu
e

r
result: 0 Success
ita dent
l
i
nim Stu
u
# numResponses: 2
o@ e this
s
r
# numEntries: 1
co o us

n
17. Trust the LDAP service for firewalld.
ua se t
j
(
s command
a. Use the firewall-cmd
en to permanently permit access by LDAP clients for
a
i
c
r
i
l
a le
the public
o zone.
s
r
o ferab--permanent --zone=public --add-service=ldap
# firewall-cmd
c
n ans
juasuccess
tr
n
b.no
Use the systemctl command to restart the firewalld service.
# systemctl restart firewalld
c.

Use the firewall-cmd command to list everything for the active zone.

Note that the ldap service is trusted.


# firewall-cmd --list-all
public (default, active)
...
services: dhcpv6-client ldap ssh
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 20

Practice 3-2: Implementing OpenLDAP Authentication

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you use the Authentication Configuration Tool to implement OpenLDAP
authentication.

Assumptions

Ensure that you are using vncviewer to connect to host03 and not using ssh.

You are the root user on host03 VM.

Tasks
1.

From host03, use the yum command to install the authconfig-gtk software package.

This package provides the system-config-authentication utility.

a
s
a
h
# yum install authconfig-gtk
)
o
c ide

...
u
d Gu
e
Transaction Summary

r
ita dent
l
==============================================================
i
nim Stu
Install 1 Package
u
o@ e this
s
r
Total download size: 105
cok o us

n
Installed size: 247
uak se t
j
(
s icy en
Is this ok [y/d/N]:
a
i
r
a le l
...
o
Complete!
ors ferab
c
s
n
jua -tran
non

Answer y when prompted Is this ok.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 21

2.

Open the Authentication Configuration Tool by running the system-configauthentication command.


# system-config-authentication
The GUI appears as follows.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
3.

Make the following changes.


a.

Select LDAP from the User Account Database drop-down list.

The following dialog box is displayed.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 22

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Click Install.
The following dialog box is displayed.

a
s
a
h
)
o
c ide

u
d Gu
c. Click Install.
e

r
ita dent
The following dialog box is displayed.
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
l dialog box closes when you select LDAP password as
a Install.leThis
Do not
click
o
rs erab Method in the next step.
oAuthentication
the
c
f
s
n
n
a
d.
Continue
entering
the following information.
ju -tra
nonEnter dc=example,dc=com as the LDAP Search Base DN.

Enter ldap://host03.example.com as the LDAP Server.

Click Use TLS to encrypt connections.


Select LDAP password as the Authentication Method.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 23

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Ensure that your screen is configured as follows.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
n
o
n
e. Click Apply to save your changes.

After a few seconds, the Authentication Configuration Tool closes.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 24

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

4.

Run the authconfig --test command to view the authentication settings.


# authconfig --test
caching is disabled
...
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = ldap://host03.example.com
LDAP base DN = dc=example,dc=com
nss_nis is disabled
...
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = ldap://host03.example.com
LDAP base DN = dc=example,dc=com
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 25

Practice 3-3: Authenticating from an OpenLDAP Client

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
Install the OpenLDAP client packages
Configure the OpenLDAP client
Log in as OpenLDAP user to test LDAP authentication
Disable OpenLDAP authentication
You begin this practice by opening a second terminal window on dom0 and logging in to host01
as the root user.

Assumptions

This practice is performed on host01 and host03 VMs.


You are currently logged in to host03.

a
s
a
h
)
o
Tasks
c ide

u
d Gu
1. Log in to the host01 VM guest from dom0.
e

r
ita dent
l
a. If necessary, open a second terminal window on dom0.
i
m tu
nithe
S- command to become the
b. From the second terminal window on dom0, u
use
su
s
i
@
h
o
root user.
rs se t
o
c
u
The root password is oracle.

n
o
t
a
(ju nse
$ su
s
ria e lice
Password: a
oracle
o abl
s
#
r
co suser
eron dom0, use the ssh command to log in to host01.
f
c. an
As the root
n
aroot
ju The
r
t
password is oracle (all lowercase).
n
no[dom0]#
ssh host01
root@host01s password: oracle
Last login: ...
[host01]#
2.

Attempt to log in as user student1.


a.

From host01, use the su student1 command to attempt to log in as user


student1.

Note that user student1 is not a valid user on host01.


# su student1
su: user student1 does not exist

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 26

b.

Use the grep command to search for user student1 in the local /etc/passwd file.

The command produces no output indicating student1 is not a local user on


host01.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# grep student1 /etc/passwd


3.

Install the authentication packages on host01.


a.

Use the yum command to install the openldap-clients package.

Answer y when prompted Is this ok.

You are asked about the GPG key only the first time you use the yum install
command.
# yum install openldap-clients
...
Transaction Summary
=============================================================
Install
1 Package

a
s
a
h
)
o
c ide

u
Total download size: 183 k
d Gu
e

r
Installed size: 575 k
ita dent
l
i
Is this ok [y/d/N]: y
im Stu
n
u
...
o@ e this
s
Retrieving key from http://192.0.2.1/repo/OracleLinux/OL7/1/...
r
co o us

...
n
t
a
e
Is this ok [y/N]:(ju
y
s
s icen
a
i
...
r
a le l
o
Complete!
ors ferab
c
b. n
Use the yum
s command to install the nss-pam-ldapd package.
n
a
jua Answer
r
-t y when prompted Is this ok.
n
o
n Note that the nscd package is installed as a dependency.
# yum install pam_ldap
...
Transaction Summary
=============================================================
Install
1 Package (+1 Dependent package)
Total download size: 413 k
Installed size: 586 k
Is this ok [y/d/N]: y
...
Complete!
4.

Configure the /etc/openldap/ldap.conf file on host01.


a.

Use the cd command to change to the /etc/openldap directory.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 27

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Use the ls -l command to display the contents of the directory.


# cd /etc/openldap
# ls l
drwxr-xr-x. 2 root root ... certs
-rw-r--r--. 1 root root ... ldap.conf

b.

Use the vi editor to make the following changes to the ldap.conf file.

Uncomment the lines by removing the # character.

Change the IP address for the URI directive to the IP address of host03.
# vi ldap.conf
BASE
dc=example,dc=com
URI
ldap://192.0.2.103/

5.

Configure the /etc/nslcd.conf file on host01.

This is the configuration file for the Naming Services LDAP Client Daemon.

s
a
h
a. Use the cd command to change to the /etc directory.
o) e
c

# cd /etc
du Guid
e

r
b. Use the vi editor to edit the nslcd.conf file.
ita dent
l
i
Use the :set nu command to turn on line numbers.
nim Stu
u
# vi nslcd.conf
o@ e this
s
r
...
co o us

n
:set nu
ua se t
j
(
s 18,imake
enthe following change.
a
c. At around line number
i
c
r
l
a le
b
uri rso
(old value)
aldap://127.0.0.1/
r
o
c
e
f
(new value)
nuri ans ldap://192.0.2.103/
jd.uaAt around
r
-t line number 25, view the base setting.
n
o
n You do not need to change the base setting.
base
e.
6.

dc=example,dc=com

Save the /etc/nslcd.conf file and exit vi.

Configure the /etc/pam.d/system-auth file on host01.


a.

Use the cd command to change to the /etc/pam.d directory.


# cd /etc/pam.d

b.

Use the cp command to make a backup copy of the system-auth file.

This backup file is used later in this practice to restore the original configuration.
# cp system-auth system-auth.BAK

c.

Use the vi editor to make the following changes to the system-auth file. In the first
section (lines beginning with auth) of the file, add the following bold line in the location
as shown.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 28

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note: A sample system-auth file exists on dom0 in the /OVS/seed_pool/sfws


directory.
You can edit the system-auth file as follows by using the vi command, or you
can use the sftp command and copy /OVS/seed_pool/sfws/system-auth
from dom0 to /etc/pam.d/system-auth on host01. See your instructor if you
need help in using the sftp command.

You must make several changes to this file. Do not exit the vi editor until step 6g.
# vi system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is ...
auth
required
pam_env.so
auth
sufficient
pam_unix.so nullok try_first_pass
auth
requisite
pam_succeed_if.so uid >= 1000 quiet...
auth
sufficient
pam_ldap.so use_first_pass
auth
required
pam_deny.so

a
s
a
h
)
o
c ide

u
dadd the
d. In the second section of the file (lines beginning with account),
following
bold
u
e

G
r
t
line in the location as shown.
lita den
i
m
Ensure that the new entry is on a single line.ni
tu
S
u
account
required
pam_unix.so
o@ e this
s
r
account
sufficient copam_localuser.so
us
pam_succeed_if.so
n
o
t
account
sufficient
uid < 1000 quiet
a
u
e
j
(
s
account
[default=bad
s icen success=ok user_unknown=ignore]
a
i
r
pam_ldap.so
a le l
o
account
pam_permit.so
ab
ors ferrequired
c
ssection of the file (lines beginning with password), add the following bold
n third
n
a
je.uaInlinethe
r
-int the location as shown.
n
o
n password requisite
pam_pwquality.so try_first_pass ...
password
password
password
f.

sufficient
sufficient
required

pam_unix.so sha512 shadow nullok ...


pam_ldap.so use_authtok
pam_deny.so

In the fourth section of the file (lines beginning with session), add the following two
bold lines in the location as shown.
Ensure that the two new entries are each on a separate single line.
session
session
-session
session
session
session

optional
pam_keyinit.so revoke
required
pam_limits.so
optional
pam_systemd.so
[success=1 default=ignore] pam_succeed_if.so ...
required
pam_unix.so
optional
pam_ldap.so

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 29

session
umask=077
g.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

7.

optional

pam_mkhomedir.so skel=/etc/skel

Save the file and exit vi.

Configure the /etc/nsswitch.conf file on host01.


a.

Use the cd command to change to the /etc directory.


# cd /etc

b.

Use the vi editor to remove sss and add ldap to the passwd, shadow, and group
directives as shown.
# vi nsswitch.conf
passwd:
files sss
shadow:
files sss
group:
files sss
passwd:
files ldap
shadow:
files ldap
group:
files ldap

8.

9.

(old
(old
(old
(new
(new
(new

entry)
entry)
entry)
entry)
entry)
entry)

s
a
h
o) e
c

du Guid
e
c. Save the file and exit vi.

r
lita dent
i
Configure the /etc/sysconfig/authconfig file onm
host01.
u
tdirectory.
ni
S
u
a. Use the cd command to change to the /etc/sysconfig
o@ e this
s
r
# cd /etc/sysconfig
co o us

n
t file and change USELDAP=no to
a authconfig
b. Use the vi editor to editju
the
e
(
s
USELDAP=yes asashown.
s icen
i
r
a le l
# vi authconfig
o
ors ferab
USELDAP=no
(old entry)
c
s
n
(new entry)
an
juaUSELDAP=yes
r
t
Useothe
n n systemctl command to start the nslcd service on host01.

# systemctl start nslcd


10. Log in as the OpenLDAP user from host01.
a.

Use the grep command to search for user student1 in the local /etc/passwd file.

The command produces no output, indicating that student1 is not a local user.
# grep student1 /etc/passwd

b.

Use the ls command to list the contents of the /home directory.

Note that there is no home directory for the student1 user.


# ls /home

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 30

c.

Use the ldapsearch command to search for student1 in the OpenLDAP directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The common name (cn) for student1 is Oracle Student1.


# ldapsearch x cn=Oracle Student1 -b dc=example,dc=com
...
# student1, People, example.com
dn: uid=student1,ou=People,dc=example,dc=com
uid: student1
cn: Oracle Student1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0...
shadowLastChange: ...
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/student1
gecos: Oracle Student1

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
# search result
o
search:
ors 2 ferab
c
n an0s Success
juaresult:
tr
n
no# numResponses: 2

# numEntries: 1
d.

Use the su student1 command to log in as OpenLDAP user student1.

Use the whoami command to verify you are logged in as student1.

Notice that you can successfully log in as student1 even though the user account
does not exist locally.
Notice that a home directory was created for student1.

# su student1
Creating directory /home/student1.
[student1@host01 ~]$ whoami
student1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 31

e.

Use the pwd command to verify that the /home/student1 directory was created on
the localhost.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[student1@host01 ~]$ pwd


/home/student1
f.

Use the ls la command to view the contents of the directory.

Notice that the contents of /etc/skel were copied into the users home directory.
[student1@host01 ~]$ ls la
...
-rw-------. 1
student1 student1 ...
-rw-------. 1
student1 student1 ...
-rw-------. 1
student1 student1 ...
[student1@host01 ~]$ ls la /etc/skel
...
-rw-------. 1
student1 student1 ...
-rw-------. 1
student1 student1 ...
-rw-------. 1
student1 student1 ...

.bash_logout
.bash_profile
.bashrc

s
a
h
o) e
c

du Guid
e

r
g. Use the exit command to log off as student1.
ita dent
l
i
[student1@host01 ~]$ exit
nim Stu
u
logout
o@ e this
s
r
s
11. Disable the OpenLDAP client authentication
co oonuhost01.

n
t
a
a. From host01, use the (systemctl
ju nsecommand to stop the nslcd service.
s
ia nslcd
ce
rstop
i
# systemctl
l
a
le the authconfig file and change USELDAP=yes to
oeditoratobedit
s
r
b. Use the
vi
co sfeasrshown.
USELDAP=no
n
an
jua# vi
r
t
/etc/sysconfig/authconfig
n
noUSELDAP=yes
(old entry)
USELDAP=no
c.

.bash_logout
.bash_profile
.bashrc

(new entry)

Use the vi editor to replace ldap with sss for the passwd, shadow, and group
directives as shown.
# vi /etc/nsswitch.conf
passwd:
files ldap
shadow:
files ldap
group:
files ldap
passwd:
files sss
shadow:
files sss
group:
files sss

(old
(old
(old
(new
(new
(new

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 32

entry)
entry)
entry)
entry)
entry)
entry)

d.

Use the cp command to restore the system-auth file.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# cd /etc/pam.d
# cp system-auth.BAK system-auth
cp: overwrite system-auth? y
e.

Use the su student command to attempt to log in as user student1.

This confirms OpenLDAP client authentication is disabled.


# su student1
su: user student1 does not exist

f.

Use the exit command to log off of host01.


# exit
logout
Connection to host01 closed.

a
s
a
h
)
12. Disable the OpenLDAP server authentication.
o
c ide

u
a. From host03, open the Authentication Configuration Tool by running
d the
usysteme

G
r
config-authentication command.
t
lita den
i
m
# system-config-authentication
tu
ni
S
u
The GUI appears as follows:
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
Perform the next step from host03.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 33

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 34

b.

Select Local accounts only from the User Account Database drop-down list.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Ensure that your screen is configured as shown.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
c.
d.

Click Apply to save your changes.


After a few seconds, the Authentication Configuration Tool closes.
Use the systemctl command to stop and disable the slapd service.
# systemctl stop slapd
# systemctl disable slapd
rm /etc/systemd/system/multi-user.target.wants/slapd.service

Do not log off host03. The next practice (Practice 4-1) assumes that you are logged in as the
root user on host03.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 35

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 3: Authentication and Directory Services


Chapter 3 - Page 36

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
t 4:
Practices lfor
n
ita Lesson
e
i
Pluggable
tud
nim Authentication
S
u
is
Modules
o@ e th(PAM)
s
r
co Chapter
us 4

n
o
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 1

Practices for Lesson 4: Overview


Practices Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In these practices, you configure PAM authentication modules first to allow a single login only,
and then to disable all non-root logins.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 2

Practice 4-1: Configuring PAM for a Single Login Session


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you configure a PAM authentication module on host03 to allow only a single
login session for a user.

Assumptions

This practice is performed on host01 and host03 VMs.

You open a terminal window on each system.

You log in as the root user on host03.

The prompts in the solution section include either host01 or host03 to indicate which
system to enter the command from.

Tasks
1.

On host03, view PAM configuration files and directories.


a. Use the ls command to view the PAM configuration directory, /etc/pam.d.

a
s
a
h
)
o
This directory contains files that describe the authentication procedure
for
c idane

u
application.
d Gu
e

r
[host03]# ls /etc/pam.d
ita dent
l
i
atd
gdm-pin
ppp
sudo
nim Stu
u
chfn
gdm-smartcard
remote @sudo-i is
so se th
r
...
o
c sshdo configuration
u
the
n
b. Use the cat command to view
file in /etc/pam.d.
t
a
u
e
j
(
s
This file contains
sa groupicofendirectives that define the authentication modules as well
a
i
r
l
as any controls
or
a larguments.
e
o
s rab modules are listed in the third column.
The
orauthentication
c
e /etc/pam.d/sshd
fcat
s
n
[host03]#
n
a
ju #%PAM-1.0
tra
n
noauth
required
pam_sepermit.so
auth
substack
password-auth
auth
include
postlogin
account
required
pam_nologin.so
account
include
password-auth
password
include
password-auth
# pam_selinux.so close should be the first session rule
session
required
pam_selinux.so close
session
required
pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be
executed in the user context
session
required
pam_selinux.so open env_params
session
optional
pam_keyinit.so force revoke

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 3

session
session
c.

password-auth
postlogin

Use the find command to locate the pam_sepermit.so authentication module.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

include
include

In this example, the authentication module is located in /usr/lib64/security.


[host03]# find / -name pam_sepermit.so
/usr/lib64/security/pam_sepermit.so

d.

Use the ls command to view the authentication modules directory.

Note that all authentication modules are located in this directory.


[host03]# ls /usr/lib64/security
pam_access.so
pam_limits.so
pam_cap.so
pam_listfile.so
...
pam_sepermit.so
...

2.

pam_smbpass.so
pam_sss.so

a
s
a
h
)
o

On host03, view the man pages for the pam_sepermit authenticationmodule


the
c iand
e
d
u
d Gu
associated configuration file.
e

r
a. Most of the authentication modules have a man page ldescribing
nt purpose and
ita detheir
i
usage. Use the man pam_sepermit command ito
n mviewSthetuman page for the
u
pam_sepermit authentication module.
his
o@ file,
tsepermit.conf,
s
Note that this module uses a configuration
which controls
r
e
o mode.
s
c
u

access when SELinux is in


enforcing
uan se to Linux and is covered in a subsequent
j
SELinux stands for (Security-Enhanced
s icen
lesson.
a
i
r
l
aman pam_sepermit
e
l
o
[host03]#
rs erab
...co
f
s
n
n
a
pam_sepermit
PAM module to allow/deny login depending
ju -tra
n On SELinux enforcement state
no...
When the user which is logging in matches an entry in the
config file he is allowed access only when the SELinux
is in enforcing mode. Otherwise he is denied access...
...
See sepermit.conf(5) for details.
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 4

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Use the man sepermit.conf command to view the man page for the
sepermit.conf file.
[host03]# man sepermit.conf
...
sepermit.conf configuration file for the pam_sepermit
module
...
The lines of the configuration file have the following
syntax:
...

3.

SELinux is covered in a subsequent lesson but for the purposes of this practice, use the
sestatus command to display information about SELinux.

The output shown is a sample showing that SELinux is enabled and is in enforcing
mode.
With SELinux in enforcing mode, the pam_sepermit authentication module allows or
denies login.
[host03]# sestatus
SELinux status:
enabled
...
Current mode:
enforcing
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co logoin toushost03.
From host01, confirm you can remotely

n
t
a
ucommand
a. From dom0, use the ssh
to log in to host01 as the oracle user.
e
j
(
s
s icen
a
i
The password
is oracle.
r
a le l
o
[dom0]#
ssh
s roracle@host01
r
ab
o
c
e
f
oracle@host01s
password: oracle
s
n
n
a
a
ju Last
trlogin...
n
no[oracle@host01 ~]$

4.

b.

From host01, use the ssh command to connect to host03.

Answer yes to Are you sure.

The password is oracle.


[oracle@host01 ~]$ ssh host03
The authenticity of host host03 (192.0.2.103) cant be ...
ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
...
oracle@host03s password: oracle
Last login:...
[oracle@host03 ~]$

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 5

c.

Use the hostname command to confirm that you successfully logged in to host03.

Note that you are successfully able to log in to host03.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[oracle@host03 ~]$ hostname


host03.example.com
d.

Use the logout command to close the connection to host03.

Note that you are now logged off of host03 and back to host01.
[oracle@host03 ~]$ logout
Connect to host03 closed.
[oracle@host01 ~]$ hostname
host01.example.com

5.

On host03, configure the pam_sepermit authentication module to deny login.


a.

Use the find command to locate the sepermit.conf file.

Note that the sepermit.conf file is located in the /etc/security directory.

a
s
a
h
)
o
c ide

u
d Gu
b. Use the vi editor to add the following entry to /etc/security/sepermit.conf.
e

r
t only a single
ita denallows
This entry, when read by the PAM module pam_sepermit.so,
l
i
login session for the oracle user.
nim Stu
u
[host03]# vi /etc/security/sepermit.conf
o@ e this
s
r
oracle:exclusive
co o us

n
t
From host01, attempt to logju
in a
to host03.
e
(
s
s to iconnect
a. Use the ssh command
en to host03. Password is oracle.
a
i
c
r
l
a connection
Note s
that
le is denied.
o the
b
r
a
[oracle@host01
co sfer ~]$ ssh host03
n
password: oracle
an
juaoracle@host03s
r
t
n
denied, please try again.
noPermission
oracle@host03s password: CTRL-C
[host03]# find / -name sepermit.conf
/etc/security/sepermit.conf

6.

[oracle@host01 ~]$
b.

From host03, use the tail command to view the latest entries in the
/var/log/secure log file.

Note that the connection is denied by the PAM authentication module,


pam_sepermit.
[host03]# tail /var/log/secure
...
<date_time> host03 sshd[...]: pam_sepermit(sshd:auth): User
oracle processes are running. Exclusive login not allowed
...

To permit the oracle user login from host01, you can do either of the following:

Remove the entry in the /etc/pam.d/sshd file to use the pam_sepermit.so


module.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 6


7.

Remove the entry in the /etc/security/sepermit.conf file to allow only a single


login session.
From host03, permit user oracle to log in from host01 by using the vi editor to comment
out the entry to use the pam_sepermit.so module from the /etc/pam.d/sshd file.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Comment out this line by inserting a # sign at the beginning of the line as follows:
[host03]# vi /etc/pam.d/sshd
auth
required
pam_sepermit.so
#auth
required
pam_sepermit.so

8.

(current entry)
(insert # sign)

From host01, attempt to log in to host03.


a. Use the ssh command to connect to host03.

Password is oracle.
Note that the connection is allowed, and no longer denied by the PAM
authentication module.
[oracle@host01 ~]$ ssh host03
oracle@host03s password: oracle
Last failed login: ...
[oracle@host03 ~]$ hostname
host03.example.com

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
tu
nimto host03.
b. Use the logout command to close the connection
S
u
is to host01.
@ andthback
ohost03
Note that you are now logged off of
s
r
e
co o us
[oracle@host03 ~]$ logout

n
t
a
Connect to host03(ju
closed.se
s~]$ hostname
en
a
[oracle@host01
i
c
r
i
l
host01.example.com
o a able
s
r
cohost01,
elogr out as oracle user.
c. n
From
f
s
an
jua[oracle@host01
r
~]$ logout
t
n
o
Connect
to
host01
closed.
n
9.

Return host03 back to the original state.


a. From host03, use the vi editor to edit /etc/pam.d/sshd and uncomment the entry
to use the pam_sepermit.so module (remove the # sign).
[host03]# vi /etc/pam.d/sshd
#auth
required
pam_sepermit.so
auth
required
pam_sepermit.so
b.

(current entry)
(remove # sign)

From host03, use the vi editor to edit /etc/security/sepermit.conf and


remove the entry to allow only a single login for user oracle.
[host03]# vi /etc/security/sepermit.conf
oracle:exclusive

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 7

(delete this entry)

Practice 4-2: Configuring PAM to Prevent Non-root Login

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you configure a PAM authentication module on host01 to prevent all non-root
user logins.

Assumptions

This practice is performed on host01 and host03 VMs.


Open a terminal window on each system.

Log in as the root user on host01.

The prompts in the solution section include either host01 or host03 to indicate which
system to enter the command from.

Tasks
1.

a
s
a
h
)
o
c ide

u
d Gu
e
Password is oracle.

r
ita dent
l
[dom0]# ssh host01
i
nim Stu
root@host01s password: oracle
u
Last login: ...
o@ e this
s
r
[root@host01]#
co o us

n
t configuration file in /etc/pam.d.
a the elogin
uview
b. Use the cat command(jto
s
n
suses ithe
epam_nologin.so
a
i
The login utility
authentication module as well as
c
r
l
a
e
several
other
PAM
modules.
l
so rab
r
o
[host01]#
c sfcat
e /etc/pam.d/login
n
n
a
a
ju #%PAM-1.0
tr[user_unknown=ignore
n
auth
success=ok ignore=ignore default=...
noauth
substack
system-auth
On host01, configure a PAM authentication module on host01 to prevent all non-root
user logins.
a. From dom0, use the ssh command to log in to host01 as root.

auth
account
...
c.

include
required

postlogin
pam_nologin.so

Use the man pam_nologin command to view the man page for the pam_nologin
authentication module.
Note that this module uses a configuration file /etc/nologin which, if it exists,
disables non-root logins.
[host01]# man pam_nologin
...
pam_nologin Prevent non-root users from login
...
pam_nologin is a PAM module that prevents users from
logging into the system when /var/run/nologin or
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 8

/etc/nologin exists. The contents of the file are displayed


to the user...no effect on the root users ability to ...
...

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

Use the vi editor and create the /etc/nologin file with the following contents:
[host01]# vi /etc/nologin
No logins allowed at this time.

2.

From host03, attempt to log in to host01.


a. Use the ssh command to connect to host01 as user oracle.

Answer yes to Are you sure.

The password is oracle.

Note that the connection is denied.


[host03]# ssh oracle@host01
The authenticity of host host01 (192.0.2.101) cant be ...
ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
...
oracle@host01s password: oracle
No logins allowed at this time.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
Connection closed by 192.0.2.101
r
o
c
us

n
b. From host01, use the tail
commandto
to view the latest entries in the
a
(jufile. nse
/var/log/secureslog
a licisedenied by the PAM authentication module.
riconnection
Note that the
a
le
o tailab/var/log/secure
s
r
[host01]#
co sfer
...
n
an host01 sshd[...]: fatal: Access denied for user
jua<date_time>
r
t
n
by PAM account configuration [preauth]
nooracle

To permit the non-root user logins, you can do either of the following:

Delete the /etc/nologin file from host01.

3.

Remove the entry in the /etc/pam.d/login file to use the pam_nologin.so


module.
From host01, permit non-root user logins from host03 by using the vi editor to comment
out the entry to use the pam_nologin.so module from the /etc/pam.d/login file.

Comment out this line by inserting a # sign at the beginning of the line as follows:
[host01]# vi /etc/pam.d/login
...
account
required
pam_nologin.so
#account
required
pam_nologin.so

4.

(current entry)
(insert # sign)

From host03, attempt to log in to host01.


Use the ssh command to connect to host01 as user oracle.

Note that the connection is still denied.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 9

[host03]# ssh oracle@host01


oracle@host01s password: oracle
No logins allowed at this time.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Connection closed by 192.0.2.101


5.

From host01, use the grep command to search for the string pam_nologin in all the
files in the /etc/pam.d directory.

Note that this module also is called from the ppp, remote, and sshd files.

Because you are using ssh to log in, you would need to comment out the line in the
sshd file as well.

Alternatively, remove the /etc/nologin file to allow non-root logins.


[host01]# grep pam_nologin /etc/pam.d/*
/etc/pam.d/login:#account
required
pam_nologin.so
/etc/pam.d/ppp:account
required
pam_nologin.so
/etc/pam.d/remote:account
required
pam_nologin.so
/etc/pam.d/sshd:account
required
pam_nologin.so

6.

a
s
a
h
)
o
c ide

u
d Gu
e

Return host01 back to the original state.


r
ita dent
l
i
a. Use the rm command to remove the /etc/nologin
file.
nim Stu
u
[host01]# rm /etc/nologin
o@ e thisy
rm: remove regular file /etc/nologin?
s
r
co o us and uncomment the entry to use the

b. Use the vi editor to edit /etc/pam.d/login


n
t
ua(remove
e
j
pam_nologin.so module
the # sign).
(
s
s icen
[host01]# a
viria
/etc/pam.d/login
l
e
l
o
... rs
rab
o ferequired
c
#account
pam_nologin.so
(current entry)
s
n
n
a
ju account
(remove # sign)
tra required pam_nologin.so
n
c.no
Use the exit command to log off of host01.
[host01]# exit
logout
Connection to host01 closed.

Do not log off host03. The next practice (Practice 5-1) assumes that you are logged in as the
root user on host03.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 4: Pluggable Authentication Modules (PAM)


Chapter 4 - Page 10

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a
s
a
h
)
o
c ide

u
d Gu
e

r
Practices lfor
Lesson
ita dent 5: Web
i
and Email
tu
nim Services
S
u
o@ e5 this
Chapter
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 1

Practices for Lesson 5: Overview


Practices Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In these practices, you configure the Apache Web Server.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 2

Practice 5-1: Configuring the Apache Web Server


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you:

Verify that the httpd package is installed, start the service, and ensure that the
service starts at boot time

Create a test page to verify that Apache is working correctly


Configure two virtual hosts, each serving different web content

Assumptions

You perform this practice exclusively on host03 VM.

You are connected to host03 by using vncviewer.

You are the root user on host03 VM.

a
s
a
Install the httpd software package and enable and start the httpd service.) h
co ide

a. Use the yum command to install the httpd package.


u
d Gu
e

Answer y to Is this ok.


r
a ent
t
i
l
i
# yum install httpd
nim Stud
u
...
o@ e this
Transaction Summary
s
r
co o us

==============================================================
n
t packages)
a Dependent
u(+4
e
j
Install 1 Package
(
s
s icen
a
i
r
l
a size:
e
l
o
Total s
download
1.5 M
b
r
a
r
o
Installed
c sfsize:
e 4.3 M
n
n
a
Is
this
ok
ju -tra [y/d/N]: y
n
no...
Complete!

Tasks
1.

b.

Use the systemctl command to enable the httpd service to start at boot time.
# systemctl enable httpd
ln s /usr/lib/systemd/system/httpd.service
/etc/systemd/system/multi-user.target.wants/httpd.service

c.

Use the systemctl command to start the httpd service.


# systemctl start httpd

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

2.

Confirm that Apache is working, by pointing a browser on host03 to http://localhost.


a. On the GNOME menu bar, click Applications to view the drop-down menu.
Under Favorites, select the Firefox Web Browser icon to start the Firefox web
browser.

b.

Enter http://localhost in the browser and press Enter.

The Apache Test Page appears and confirms that Apache is working correctly.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

c.

3.

Close the Firefox web browser by clicking the X in the top-right corner of the window.
A Confirm close dialog box might appear. If so, click the Close tabs button to
close the window.
Create and view a test webpage.
a. Use the vi editor to create the /var/www/html/index.html file with the following
entry:
# vi /var/www/html/index.html
<html><body><p>This is my test page.</p></body></html>

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 4

b.

Restart the Firefox browser and point to http://localhost.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

4.

The test webpage appears.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
l by clicking the X in the top-right corner of the window.
c. Close the Firefox
a weblebrowser
o
rs hosteronabthe Apache web server and name it www.example1.com.
Create a o
virtual
c
f
s
a. an
Use the vi
editor to edit the /etc/httpd/conf/httpd.conf file to add the
n
ju following
tra entries to the end of the file:
n
no# vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName www.example1.com
DocumentRoot /var/www/example1
ErrorLog /var/log/httpd/example1.error_log
<Directory /var/www/example1>
Order deny,allow
Deny from all
Allow from 192.0.2
</Directory>
</VirtualHost>
b.

Use the vi editor to edit the /etc/hosts file and append www.example1.com to the
192.0.2.103 entry as follows:
# vi /etc/hosts
192.0.2.103 host03.example.com

host03

www.example1.com

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 5

c.

Use the mkdir command to make the /var/www/example1 directory.


# mkdir /var/www/example1

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

Use the cp command to copy the /var/www/html/index.html file to the


/var/www/example1 directory.
# cp /var/www/html/index.html /var/www/example1/

e.

Use the vi editor to edit the /var/www/example1/index.html file as follows:


# vi /var/www/example1/index.html
<html><body><p>This is my test page for
www.example1.com.</p></body></html>

f.

Use the apachectl configtest command to check the configuration file for
possible errors.
In this example there are no errors.
Fix any errors you might have made.

a
s
a
h
)
o

c without
e

d
u
i
g. Use the apachectl graceful command to reload the configuration
affecting
d Gu
e

r
active requests.
ta ent
i
l
i
# apachectl graceful
nim Stud
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
# apachectl configtest
Syntax OK

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 6

5.

View the test webpage for www.example1.com.


a. Restart the Firefox browser and point to http://www.example1.com.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

6.

The test webpage for www.example1.com appears.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
b browser by clicking the X in the top-right corner of the window.
rs Firefox
b. Closeothe
raweb
c
e
f
second
nsvirtual host on the Apache web server named www.example2.com.
avi
uanUsea-tthe
ja.Create
r
editor to edit the /etc/httpd/conf/httpd.conf file to add the
n entries
to the end of the file:
nofollowing
# vi /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
ServerName www.example2.com
DocumentRoot /var/www/example2
ErrorLog /var/log/httpd/example2.error_log
<Directory /var/www/example2>
Order deny,allow
Deny from all
Allow from 192.0.2
</Directory>
</VirtualHost>

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 7

b.

Use the vi editor to edit the /etc/hosts file to append www.example2.com to the
192.0.2.103 entry as follows:

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# vi /etc/hosts
192.0.2.103 host03... www.example1.com
c.

www.example2.com

Use the mkdir command and make the /var/www/example2 directory.


# mkdir /var/www/example2

d.

Use the cp command to copy the /var/www/example1/index.html file to the


/var/www/example2 directory.
# cp /var/www/example1/index.html /var/www/example2

e.

Use the vi editor to edit the /var/www/example2/index.html file as follows:


# vi /var/www/example2/index.html
<html><body><p>This is my test page for
www.example2.com.</p></body></html>

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
thisthe configuration without affecting
so@tosereload
r
g. Use the apachectl graceful o
command
c to u
active requests.
n
a
(ju nse
# apachectl graceful
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non
f.

Use the apachectl configtest command to check the configuration file for
possible errors.
In this example there are no errors.
Fix any errors you might have made.
# apachectl configtest
Syntax OK

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 8

7.

View the test webpage for www.example2.com.


a. Restart the Firefox browser and point to http://www.example2.com.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The test webpage for www.example2.com appears.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
b browser by clicking the X in the top-right corner of the window.
rs Firefox
b. Closeothe
raweb
c
e
f
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

8.

Log off from host03.


a. Click the Oracle Student in the top-right corner of the GNOME desktop to display the
drop-down menu.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
sOut from the menu.
n aLog
n
jb.uaSelect
r
-t
onThe following window appears.
n

c.
d.

Click Log Out.


Close the VNC window by clicking the X in the top-right corner of the window.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 5: Web and Email Services


Chapter 5 - Page 10

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
t 6:
Practices lfor
n
ita Lesson
e
i
Installing
tud Linux 7 by
nim Oracle
S
u
Using
o@ eKickstart
this
s
r
co Chapter
us 6

n
o
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 1

Practices for Lesson 6: Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practices Overview
In these practices, you:
Create a new host07 virtual machine and perform a Kickstart installation on host07
Use rescue mode to repair a boot problem on host07

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 2

Practice 6-1: Performing a Kickstart Installation

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you do the following:
Configure dom0 as an HTTP server.
Make the installation tree available from the HTTP server.
Create the Kickstart file and make it available from the HTTP server.
Shut down the host01 VM and create a new host07 VM.

Initiate the Kickstart installation on host07.


Log in to host07 and verify the installation.
Shut down host07 and restart host01.

Assumptions
You are logged on as the root user on dom0.

a
s
a
h
Tasks
)
o
c ide

1. Ensure that dom0 is configured as an HTTP server.


u
d G
u
e

a. If necessary, open a terminal window on dom0 and become


the root
user.
r
t
n the root
lita dtoebecome
i
From a terminal window on dom0, use the su m
- command
tu
ni
user.
S
u
@ this
The root password is oracle. so
r
o
se
c
u

$ su
an e to
Password: oracle (ju
ns
s
e
a
#
i
c
ar le li
o
b. As the rroot
raonbdom0, use the rpm command to ensure that the http package is
o s fuser
c
e
installed.
n ans
jua The
tr package is installed.
n
no# rpm qa | grep http
httpd-2.2.3-53.0.1.el5
c.

Use the service command to query the status of the httpd service.
# service httpd status
httpd (pid ...) is running...
In this example, the httpd service is running. If the service is not running, use the
service command to start the httpd service:
# service httpd start
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

2.

Make the installation tree available.


In this task, you make the installation tree available from the HTTP server running on
dom0.
a. From dom0, use the cd command to change to the /OVS/seed_pool directory. Use
the ls command to list the contents of the directory.

The Oracle Linux 7.1 DVD image is the OracleLinux-R7-U1-Server-x86_64dvd.iso file in the /OVS/seed_pool directory.
# cd /OVS/seed_pool
# ls
...
OracleLinux-R7-U1-Server-x86_64-dvd.iso
...

b.

Use the mkdir command to make a temporary mount, /mnt/iso.

Using a temporary mount point other than /mnt is a requirement imposed by Oracle
University (OU). On OU systems, there is a FAT file system mounted in
/mnt/cdrive. This file system holds binaries that monitor the machine status and
take care of initiating the build for the next class after the current class is finished. If
you are mounting an ISO on /mnt, it mounts on top of /mnt/cdrive. This causes
the binaries to fail to report to the OU Dashboard. Outside of the OU environment,
you can use /mnt for this procedure.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
# mkdir /mnt/iso
o@ e this
s
r
c. Use the mount command to mount
co theoOL7.1
us DVD image on /mnt/iso.

n
t
a
# mount -t iso9660
(ju-o loop
seOracleLinux-R7-U1-Server-x86_64n
s
dvd.iso /mnt/iso
e
ria e lic
a
d. Use the s
mkdir
l to create the /var/www/html/OL71 directory.
o command
b
r
a
co /var/www/html/OL71
er
# mkdir
f
s
n
n command to copy all files and directories from /mnt/iso to
acp
je.uaUse-tthe
r
n
no/var/www/html/OL71.

This command takes a few minutes to complete.


# cp r /mnt/iso/* /var/www/html/OL71/
The installation tree is now available from the HTTP server running on dom0.
f. Use the umount command to unmount /mnt/iso. Use the rmdir command to
remove the /mnt/iso directory.
# umount /mnt/iso
# rmdir /mnt/iso

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 4

3.

Create the Kickstart file.


The installation of Oracle Linux creates a Kickstart file, /root/anaconda-ks.cfg,
based on the options that you selected during installation.
Use this file as a template for creating the ks.cfg file.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

From dom0, use the scp command to copy /root/anaconda-ks.cfg from host01
to /var/www/html/ks.cfg on dom0.

The password is oracle.

# cd /var/www/html
# scp host01:~/anaconda-ks.cfg ks.cfg
root@host01s password: oracle
anaconda-ks.cfg
100% ...
The Kickstart file is now available from the HTTP server running on dom0.

You use the vi editor to change this Kickstart file as instructed in step 3c.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
cootherwise,
usyou get permission denied errors.

This is a requirement of HTTP;


n
o
t
a
e
(ju ns/var/www/html
# chown R apache.apache
s
e
riato edit
icks.cfg file. Change the file to make it like the following.
l
c. Use the vi editor
the
a
e
l
so andradditions
r
Changes
ab are in bold.
o
c
e
f
s lines in the file that are not shown in the following.
n anany
jua Delete
r
-t that the network line is all one line ending in --activate.
Note
n
o
n # vi ks.cfg

Note: A preconfigured ks.cfg file exists on dom0 in the /OVS/seed_pool/host07


directory.
If you do not want to edit the ks.cfg file as instructed in step 3c, you can use the
cp command to copy /OVS/seed_pool/host07/ks.cfg to
/var/www/html/ks.cfg. If you use this Kickstart file, you need not edit the file in
step 3c.
b. Use the chown R command to change the owner and group to apache on
/var/www/html.

#version=RHEL7
# System authorization information
authconfig --enableshadow --passalgo=sha512
url --url http://192.0.2.1/OL71/
ignoredisk --only-use=xvda
# Keyboard layouts
Keyboard --vckeymap=us --xlayouts=us
# System language
lang en_US.UTF-8
# Network information
network --bootproto static --device eth0 --gateway 192.0.2.1
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 5

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

--ip 192.0.2.107
--nameserver=10.216.106.3,192.0.2.1,152.68.154.3
--netmask 255.255.255.0 --ipv6=auto
--hostname=host07.example.com --activate
# Root password
rootpw --iscrypted ...
# System timezone
timezone America/Denver --isUtc --nontp
user --name=oracle --password=$6$... --iscrypted --gecos=Oracle
Student

a
s
a
h
)
o
c ide

u
d Gu
e

r
a ent
t
i
l
i
# Partition clearing information
nim Stud
u
clearpart --all --drives=xvda
o@ e this
s
r
co o us

%packages
n
ua se t
j
@core
(
s icen
a
i
r
a le l
%end so
r erab
oKickstart
c
Verify
the
f file.
s
n
n
a
a use the scp command to copy /var/www/html/ks.cfg from dom0 to
ja.u From-trdom0,
n
no/root/ks.cfg on host01.
# System bootloader configuration
bootloader --location=mbr --boot-drive=xvda
autopart --type=lvm

4.

The password is oracle.

# scp /var/www/html/ks.cfg host01:~/ks.cfg


root@host01s password: oracle
ks.cfg
b.

100%

...

Use the ssh command to log on to host01.


# ssh host01
root@host01s password: oracle

c.

From host01, use the yum command to install the pykickstart package.

Answer y to Is this ok.


# yum install pykickstart
...
Transaction Summary
==============================================================
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 6

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Install

1 Package

Total download size: 390 k


Installed size: 1.6 M
Is this ok [y/d/N]: y
...
Complete!
d.

Use the ksvalidator utility to verify the ks.cfg file in the /root directory on
host01.

In this example, the command produces no output indicating there are no errors in
the ks.cfg file.
# ksvalidator /root/ks.cfg

e.

Create an error in the /root/ks.cfg file.

a
s
a
h
# vi /root/ks.cfg
)
o

c entry)
e

#version=RHEL7
(old
d
u
i
d(new G
u
e

version=RHEL7
entry)
r
t
lita den
i
f. Repeat step 4d and rerun the ksvalidator utility.
m
tu
ni
S
u
# ksvalidator /root/ks.cfg
o@
thi1s of the kickstart file:
s
The following problem occurred
on e
line
r
co o us

n
ua se t
j
Unknown command: (version=RHEL7
s icen
a
i
r
g. Fix the error in
the
/root/ks.cfg
file.
a le l
o
# vio/root/ks.cfg
rs erab
c
f
version=RHEL7
(old entry)
s
n
n
a
a
ju #version=RHEL7
r
(new entry)
-t
n
o
h.n Repeat step 4d and rerun the ksvalidator utility.

The following example removes the comment (# sign) from the first line.

The command produces no output indicating there are no errors in the ks.cfg file.
# ksvalidator /root/ks.cfg

i.

Use the exit command to log off host01.


# exit
logout
Connection to host01 closed.

5.

Create a new host07 VM.


a. From dom0, use the mkdir command to make the /OVS/running_pool/host07
directory.
# mkdir /OVS/running_pool/host07
b.

Use the cd command to change to the /OVS/running_pool/host07 directory.


# cd /OVS/running_pool/host07
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 7

c.

Use the dd command to create a 12 GB system.img file.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

This command takes a few minutes to complete.


# dd if=/dev/zero of=system.img bs=1M count=12288
12288+0 records in
12288+0 records out
12884901888 bytes (13 GB) copied...

d.

Use the cp command to copy the vm.cfg file from the


/OVS/running_pool/host01 directory to the current directory.
# cp /OVS/running_pool/host01/vm.cfg .
You use the vi editor to change this vm.cfg file as instructed in step 4e.

Note: A preconfigured vm.cfg file exists on dom0 in the /OVS/seed_pool/host07


directory.
If you do not want to edit the vm.cfg file as instructed in step 5e, you can use the
cp command to copy /OVS/seed_pool/host07/vm.cfg to
/OVS/running_pool/host07/vm.cfg. If you use this vm.cfg file, you need not
edit the file in step 5e.
e. Use the vi editor to edit the vm.cfg file. Change the file to make it look like the
following.
Changes and additions are in bold.
Delete any lines in the file that are not shown in the following.
# vi vm.cfg
# Automatically generated xen config file
name = host07
builder = hvm
memory = 1536
boot = cd
disk = [ file:/OVS/running_pool/host07/system.img,hda,w,
file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64dvd.iso,hdc:cdrom,r]
vif = [ mac=00:16:3e:00:01:07,bridge=virbr0]
device_model = /usr/lib/xen/bin/qemu-dm
kernel = /usr/lib/xen/boot/hvmloader
vnc=1
vncunused=1
vcpus = 1
timer_mode = 0
apic = 1
acpi = 1
pae = 1
serial = pty
on_reboot = restart
on_crash = restart

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 8

usb = 1
usbdevice = 'tablet'
6.

Connect to the host07 guest by using vncviewer.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Use the xm shutdown command to shut down the host01 VM.

The available memory on dom0 allows a maximum of only three VMs to be running.
Therefore, it is necessary to shut down one VM to start a new VM.

# xm shutdown w host01
Domain host01 terminated
All domains terminated
If the xm shutdown command is taking more than a few seconds to complete, use
CTRL-C to kill the command and run the following xm destroy command.
# xm destroy host01
b.

Run the xm create command to create the host07 VM.

a
s
a
h
)
o
c ide

u
d Gu
e

r
t l host07 |
a xm list
c. Determine the VNC port number for host07 by running
n
itthe
l
e
i
grep location command.
nim Stud
u
# xm list l host07 | grep location
@ this
o
s
r
(location o
0.0.0.0:5902)
se
c
u

n 3) to
(location
a
u
j
(indicatesnthat
sethe port number is 5902. Your port number might
The sample shown
s
e
ria e lic
be different.
a
o abl command.
d. Run thers
vncviewer&
co sfer
# vncviewer&
n
n
aVNC
jua -The
r
t
Viewer: Connection Details dialog box is displayed.
n
o
e.n Enter localhost:<port_number>, substituting the port number displayed from the
# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host07 (id=...)

previous xm list l host07 | grep location command. For example, if the


port number is 5902, enter localhost:5902 and click Connect.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The Oracle Linux boot menu appears:

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
s rab
orOracle
c
The
feLinux boot menu screen appears for only 60 seconds, after which the
s
n
n
a
Test
this
ju -tra media & install Oracle Linux 7.0 menu option is selected by default.
do not see this screen, meaning the 60-second timeout has expired, click the
nonIfX you
in the top-right corner of the current screen to close it, enter the following
command from dom0, and begin step 6 again starting with 6b.
# xm destroy host07

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 10

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

f.

7.

From the Oracle Linux boot menu, press Esc to exit to the boot prompt.
The boot prompt is shown:

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
Initiate the Kickstart installation.
r
cbeoconfigured
usto retrieve the Kickstart file, ks.cfg,

The network interface needs


to
n
o
t
a
from the 192.0.2.1 HTTP
(ju server.
se
n
s
e
ia network
rthe
icinterface obtains an IP address from DHCP running on the
In many cases,
l
a
e
l
server. However,
so rainbthis example, DHCP is not running on the installation server.
r
o
c syoufeneed to provide initial network configuration information as part of the
n
Therefore,
a
boot
an
ju -tcommand.
r
n the following command from the boot prompt, and press Enter to continue.
a. o
n Enter
Include the following network interface configuration information in addition to the
location of the ks.cfg file in the boot command.

IP address (ip=192.0.2.200)

Netmask (netmask=255.255.255.0)

Gateway (gw=192.0.2.1)

This address information allows an initial network connection required to retrieve the
Kickstart file from the installation server.
The information in the Kickstart file is then used to configure the network interface.
boot: linux ip=192.0.2.200 netmask=255.255.255.0 gw=192.0.2.1
ks=http://192.0.2.1/ks.cfg
There is a slight delay before the Kickstart installation begins.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 11

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

8.

When the installation is complete, you are prompted to reboot.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
sprompted.
en
b. Click Reboot when
a
i
c
r
i
l
a verifylethe installation.
Log in to host07
o and
s
r
rathebssh command to connect to host07 as the root user. The
odom0, fuse
a. From
c
e
n anissoracle.
juapassword
-tr the IP address for host07 because the /etc/hosts file on dom0 does not
onUse
n contain an entry to resolve the host name.

You need to wait a few seconds to allow host07 to reboot.


[dom0]# ssh 192.0.2.107
The authenticity of host 192.0.2.107 (192.0.2.107) cant be
established. RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 192.0.2.107 (RSA) to the list of
known hosts.
root@192.0.2.107s password: oracle

b.

Use the hostname command to confirm that you are logged on to the host07 VM.
# hostname
host07.example.com

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 12

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Use the ip addr command to display the network configuration.


# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state ...
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet addr:127.0.0.1
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 0:16:3e:00:01:07 brd ff:ff:ff:ff:ff:ff
inet addr:192.0.2.107/24 brd 192.0.2.255 scope global eth0
...

d.

Use the df command to list the mounted partitions.


# df h
Filesystem
/dev/mapper/ol_host07-root
...
/dev/xvda1

Size
11G

Used
979M

Avail
9.4G

Use%
10%

Mounted on
/

s
a
h
o) /boot

c
497M 142M
355M
29%
e

d
u
i
d Gu
e

e. Use the cat command to view the /etc/resolv.conf file.


r
ita dent
l
i
# cat /etc/resolv.conf
nim Stu
u
...
o@ e this
search example.com
s
r
co o us
nameserver 10.26.106.3

n
ua se t
nameserver 192.0.2.1
j
(
s icen
a
nameserver 152.68.154.3
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 13

Practice 6-2: Using Rescue Mode

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you do the following:
Corrupt a file on host07 to cause boot failure.
Boot into rescue mode to correct the file.

Assumptions
You are the root user on host07.

Tasks
1.

Create an error in the /boot/grub2/grub.cfg file to cause boot failure.


a.

Make a backup of /boot/grub2/grub.cfg.


# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.BAK

s
a
h
Use the :set nu command to turn on line numbers.
o) e
c

du Guid
At around line number 103, change linux16 /vmlinuz-3.8.13e

r
55.1.6.el7uek.x86_64 to linux16 /vmlinuz-3.13ta ent
i
l
i
55.1.6.el7uek.x86_64.
im Stud
n
u
# vi /boot/grub2/grub.cfg
o@ e this
s
:set nu
r
co o us

linux16 /vmlinuz-3.8.13-55.1.6.el7uek.x86_64
(old entry)
n
t
a
u
e
j
(
linux16 /vmlinuz-3.13-55.1.6.el7uek.x86_64
(new entry)
ns
s
e
a
i
c
li command to reboot host07.
c. Use the systemctl
ar lreboot
e
o
ab
# systemctl
ors ferreboot
c
n ans to 192.0.2.107 closed by remote host.
juaConnection
tr
Connection
to 192.0.2.107 closed.
n
no[dom0]#
b.

2.

Use the vi command to edit the /boot/grub2/grub.cfg file.

Attempt to log in to host07.


a. From dom0, run the xm list -l host07 | grep location command to
determine the VNC port number for host07.
[dom0]# xm list l host07 | grep location
(location 0.0.0.0:5902)
(location 3)
In this example, the VNC port number is 5902. This might not be true in your case.
b. Run the vncviewer& command.
# vncviewer&

The VNC Viewer: Connection Details dialog box is displayed.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 14

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Enter localhost:<port_number>, substituting the port number displayed from the


previous xm list l host07 | grep location command. For example, if the
port number is 5902, enter localhost:5902 and click Connect.

The following screen shows that an error occurred during the boot process.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

3.

d. Close the window by clicking the X in the upper-right corner of the window.
Shut down host07.
a. Run the xm destroy host07 command to shut down the host07 VM. Run xm list
to display the running VMs.
The output shown is a sample, the ID and Time(s) values are different on your
system.
# xm destroy host07
# xm list
Name
ID
Mem VCPUs
State
Time(s)
Domain-0
0
2048
2
r----281.1
host02
2
1536
1
-b---159.0
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 15

4.

host03
3
1536
1
-b---13.2
Notice that host07 is no longer active. You have two guests (host02 and host03)
running.
Configure host07 to boot from Oracle Linux 7 installation media.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The procedure applies to Oracle VM Server for x86 version 2.2.1 Hardware Virtualized
(HVM) Guests.
For Para-virtualized (PVM) Guests, refer to MOS note 549410.1.
Use the vi editor to change the boot entry in the host07 vm.cfg file from boot =
cd to boot = d.
If the vm.cfg file is read-only, use :wq! to save the file.
# cd
# vi
...
boot
boot
...

5.

6.

/OVS/running_pool/host07
vm.cfg

a
s
a
h
)
o
c ide

u
Start the host07 VM.
d Gu
e

r
Run the xm create vm.cfg command to start the host07
xmt list to display
n
itaVM. Run
l
e
i
the running VMs.
nim Stud
u
# xm create vm.cfg
o@ e this
s
r
Using config file ./vm.cfg.
co o us

n
Started domain host07
(id=#)
ua se t
j
(
# xm list
s icen
a
i
r
Name
State
Time(s)
a le l ID Mem VCPUs
o
Domain-0
0
2048
2
r----281.1
rs erab
o
c
f
2
1536
1
-b---159.0
nhost02ans
juahost03
r
3
1536
1
-b---13.2
-t
n
o
host07
14
1536
1
-b---13.2
n
= cd
= d

(old entry)
(new entry)

Notice that host07 is now active.


Log in to host07.
a. Run the vncviewer& command.

# vncviewer&

The VNC Viewer: Connection Details dialog box is displayed.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 16

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Enter localhost:<port_number>, substituting the port number displayed from the


xm list l host07 | grep location command in step 2a. For example, if the
port number is 5902, enter localhost:5902 and click Connect.

The Oracle Linux boot menu appears as shown:

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

The Oracle Linux boot menu screen appears for only 60 seconds after which the Test
this media & install Oracle Linux 7.0 menu option is selected by default.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 17

If you do not see this screen, meaning the 60-second timeout has expired, click the X
in the top-right corner of the screen to close it, enter the following command from
dom0, and begin again starting with step 5.
# xm destroy host07

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

7.

From the Oracle Linux boot menu, press the Esc key to display the boot: prompt. The
following screen appears:
Alternatively, you could use the arrow keys selecting Troubleshooting to display a
new menu, and then select Rescue a Oracle Linux system from the
Troubleshooting menu.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
ans
uaninto-tRescue
jBoot
r
Mode.
n
o
n
a. Enter linux rescue at the boot: prompt and press Enter.

It takes a few seconds for the rescue process to begin.


boot: linux rescue

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 18

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Review the information displayed on the following screen. Use the Tab key to select
Continue and press Enter.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
his Press Enter to continue.
o@
c. Review the information displayed onrs
the
followingtscreen.
e
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 19

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

8.

Review the information displayed on the following screen. Press Enter to continue.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
im Stu
n
u
A shell prompt is displayed.
o@file.
this
s
Repair the corrupted /boot/grub2/grub.cfg
r
e
comounted
ufiles systems.

n
a. Use the df command to view
the
o
t
a
e
(ju are
smounted
Notice that the file
systems
under the /mnt/sysimage directory.
n
s
e
a
i
c
r
i
l
# df -h
a le
o
s
r
Filesystem
...
Mounted on
o ferab
c
s
n
...
an
jua/dev/mapper/ol_host07-root
r
t
...
/mnt/sysimage
n
o
n /dev/xvda1
...
/mnt/sysimage/boot
...
b.

Use the ls command to view the contents of the current / directory.


# ls /
bin
dev
boot etc

c.

firmware
lib

lib64
lost+found

mnt
modules

proc
root

run
sbin

sys
tmp

Use the chroot command to change the root partition of the rescue mode
environment to the root partition of your file system.
# chroot /mnt/sysimage/

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 20

usr
var

d.

Use the df command to view the mounted file systems.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Notice that the file system mount points are different.


# df -h
Filesystem
/dev/mapper/ol_host07-root
...
/dev/xvda1
...

e.

Mounted on
/

...

/boot

Use the ls command to view the contents of the current / directory.

Notice that the contents of the / directory are different.


# ls /
bin
dev
boot etc

home
lib

lib64
media

mnt
opt

proc
root

run
sbin

srv
sys

tmp
usr

var

a
s
a
h
)
o
c ide

# cp /boot/grub2/grub.cfg.BAK /boot/grub2/grub.cfg
u
d Gu
e

r
g. Use the exit command to exit the chroot environment.
ita dent
l
i
# exit
nim Stu
u
is of the window.
h. Close the window by clicking the X in the
top rightth
corner
o@
s
r
e
Boot host07 from the system hard drive.
co o us

n
t the boot entry in the host07 vm.cfg file
a to change
a. From dom0, use the vi u
editor
e
j
(
s
from boot = d s
back to boot
en = cd.
a
i
c
r
i
l
a le
# cd /OVS/running_pool/host07
o
b
s
r
# viovm.cfg ra
c
e
f
n ans
jua...
tr= d
boot
(old entry)
n
noboot = cd
(new entry)
f.

9.

...
...

Use the cp command to restore /boot/grub2/grub.cfg from


/boot/grub2/grub.cfg.BAK.

...
b.

Use the xm destroy host07 command to shut down the host07 VM.
# xm destroy host07

c.

Use the xm create vm.cfg command to start the host07 VM.


# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host07 (id=#)

10. Log in to host07.


From dom0, use the ssh command to connect to 192.0.2.107 (host07). The root
password is oracle.

Use the IP address because the /etc/hosts file on dom0 does not contain an
entry to resolve host07.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 21

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

You need to wait a few seconds for the reboot to complete.


# ssh 192.0.2.107
root@192.0.2.107s password: oracle
Notice that your system successfully boots from the hard drive and you can log in.
11. Remove host07 and clean up dom0.
a. Use the systemctl poweroff command to shut down host07.
# systemctl poweroff
Connection to 192.0.2.107 closed by remote host.
Connection to 192.0.2.107 closed.
b.

From dom0, use the rm r command to remove the


/OVS/running_pool/host07/ directory.
# cd /OVS/running_pool
# rm r host07
rm: descent into directory host07? y
rm: remove regular file host07/system.img? y
rm: remove regular file host07/vm.cfg? y
rm: remove directory host07? y

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent directory.
l
i
a. Use the /bin/rm r command to remove the /var/www/html/OL71/
nim Stu
u
# cd /var/www/html
o@ e this
# /bin/rm r OL71/
s
r
co o us

12. Restart host01 VM.


n
t
ua/OVS/running_pool/host01
e
a. From dom0, change to(jthe
directory and use the xm
s
n
s
e
a
i
create command
as
follows:
c
ar le li
o
# cd /OVS/running_pool/host01
rs erab
ocreate
c
f vm.cfg
#
xm
s
n
n
a
ju Using
traconfig file ./vm.cfg.
n
noStarted domain host01 (id=...)
b.

Use the xm list command to verify that host01, host02, and host03 are running and
that host07 is not running.
# xm list
Name
Domain-0
host01
host02
host03

ID
0
4
5
9

Mem VCPUs
2048
2
1536
1
1536
1
1536
1

State
r-----b----b----b----

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 6: Installing Oracle Linux 7 by Using Kickstart


Chapter 6 - Page 22

Time(s)
758.9
37.4
37.3
109.3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
t 7:
Practices lfor
n
ita Lesson
e
i
Samba
Services
tud
nim
S
u
o@ e7 this
Chapter
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 1

Practices for Lesson 7: Overview


Practices Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In these practices, you configure a Samba server and access the Samba shares on the server
from an Oracle Linux client host.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 2

Practice 7-1: Configuring a Samba Server


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you do the following:


Install the packages necessary to configure Samba services on the host03 VM.

Start the smb service.

Add the samba service to firewalld.

Create user user01 on the Samba server.

Edit the smb.conf file.

Use the testparm command to check the syntax of the sbm.conf file.

Create a password for user user01.

Assumptions
You are the root user on dom0.

s
a
h
Tasks
o) e
c

1. Install the samba packages on host03


du Guid
e

r
t
a. As the root user on dom0, use the ssh command to ilog
tain to host03.
n
l
e
i
The root password is oracle.
nim Stud
u
[dom0]# ssh host03
o@ e this
s
r
root@host03s password: coracle
o
us

n
o
t
Last login: ...
a
(ju nse
[host03]#
s
ia lice
r
a
b. From host03,
lerpm -qa command to list the installed samba packages.
o useathe
b
s
r
In
cothis example,
er two samba packages are installed.
f
s
n
n package and the samba-client package needs to be installed.
asamba
jua The
r
t
nrpm -qa | grep samba
no#samba-libs-4.1.12-21.el7.x86_64

samba-common-4.1.12-21.el7.x86_64
c.

Use the yum command to install the samba package and the samba-client package.

The samba-client package includes the smbpasswd utility.

Answer y to Is this ok.


# yum install samba samba-client
...
Transaction Summary
=============================================================
Install 2 Packages
Total download size: 1.0 M
Installed size: 3.0 M
Is this ok [y/d/N]: y
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 3

...
Complete!
2.

Start the smb service on host03.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Use the systemctl command to obtain status of the smb service.


# systemctl status smb
smb.service Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
Active: inactive

b.

Use the systemctl command to enable the smb service.


# systemctl enable smb
ln s /usr/lib/systemd/system/smb.service
/etc/systemd/system/multi-user.target.wants/smb.service

c.

Use systemctl to start the smb service.

a
s
a
h
)
# systemctl start smb
o
c ide

u
# systemctl status smb
d Gu
e

r
smb.service Samba SMB Daemon
ita dent
l
i
Loaded: loaded (/usr/lib/systemd/system/smb.service;
enabled)
im Stu
n
u
Active: active (running ) since
@ ...
o
this
s
Main PID: ... (smbd)
r
e
ctoo serve
usconnections...

Status: smbd: ready


n
o
t
a
(ju nse
CGroup: /system.slice/smb.service
s
...
ria e lice
a
l access to the samba service.
o toaallow
b
s
Modify firewalld
r
co sfer
a. an
Use the firewall-cmd
command to determine the active firewalld zone.
anexample, the active
ju In-tthis
r
zone is public.
no#nfirewall-cmd --get-active-zone

3.

Use the systemctl command to obtain status of the smb service.

public
interfaces: eth0 eth1 eth2
b.

Use the firewall-cmd command to list the services that are trusted for the active
zone.
In this example, the dhcpv6-client , ldap, and ssh services are trusted.
# firewall-cmd --list-services
dhcpv6-client ldap ssh

c.

Use the firewall-cmd command to trust the samba service for the public zone.

Update both the runtime configuration and the permanent configuration.


# firewall-cmd --zone=public --add-service=samba
success
# firewall-cmd --permanent --zone=public --add-service=samba
success
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 4

4.

Add a new user on host03.


a. User the useradd command to add user01.
# useradd user01

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Use the passwd command to set the password to oracle for user01.

5.

Ignore the BAD PASSWORD warning messages.


# passwd user01
Changing password for user user01.
New password: oracle
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: oracle
passwd: all authentication tokens updated successfully.

Edit the smb.conf file.


a.

Use the cd command to change to the /etc/samba directory.

a
s
a
h
)
# cd /etc/samba
o
c ide

u
# ls
d Gu
e

r
lmhosts smb.conf
ita dent
l
i
m :set tunu command to turn on line
b. Use the vi editor to edit the smb.conf file. Use
nithe
S
u
numbers.
s
i
@
h
o
rs se t
# vi smb.conf
o
c
u

n
o
...
t
a
(ju nse
:set nu
s
ce workgroup = MYGROUP to workgroup =
ria e89,lichange
c. At around lineanumber
o abl
s
r
GROUPA.
co workgroup
er parameter defines the workgroup name for your environment. In
f
s
n

The
an
jua the
r
t
classroom environment, this parameter has no effect.
non workgroup = GROUPA

d.

Use the ls command to list the contents of the directory.

At around line number 92, change netbios name = MYSERVER to netbios name
= SMB-HOST03.

Remove the semicolon at the beginning of the line.


The netbios name parameter is set to the name recognized by your Windows
environment for your Samba server. In the classroom environment, this parameter
has no effect.
netbios name = SMB-HOST03

e.

At around line number 123, ensure that the security parameter is set to user and
that the security parameter line is uncommented.
You do not need to make changes to this line.
security = user

f.

At around line number 282, examine the [homes] stanza.

You do not need to make changes to this stanza.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 5

The default options for this share definition allow users to access their home
directory as Samba shares from a remote location.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
valid users = MYDOMAIN\%S

;
;
g.

At around line number 288, immediately following the [homes] stanza, add a [tmp]
stanza for the /tmp directory.

This stanza allows users to access the /tmp directory as a Samba share.
[tmp]
path = /tmp
writable = yes
guest ok = yes

6.

a
s
a
h
)
o
c ide
h. Save the changes to the smb.conf file and exit vi.

u
dfile. Gu
e
Use the testparm command to check the syntax of the sbm.conf

r
t
n
itathe testparm
l
e
If you do not specify a name for the configuration file iwith
command, the
m tud
i
n
command uses the default path name at /etc/samba/smb.conf.
u is S
@
o
Press Enter when prompted.
s se th
r
o
# testparm
c to u
n
a
Load smb config files
(ju from
se/etc/samba/smb.conf
n
s
e
rlimit_max: rincreasing
rlimit_max
(1024) to minimum Windows
ia lic
a
limit (16384)
o able
s
r
Processing
"[homes]"
r
co sfesection
n
n section "[tmp]"
a
juaProcessing
r
t
Processing
section "[printers]"
nnoLoaded
services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
<Press the ENTER key>
[global]
workgroup = GROUPA
netbios name = SMB-HOST03
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 6

read only = No
browseable = No

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[tmp]
path = /tmp
read only = No
guest ok = Yes
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No

7.

8.

a
s
a
Reload the smb.conf file.
h
)
o
a. Run the systemctl command to reload the smb service.
c ide

u
d smbGservice.
u
This command reloads the smb.conf file without stopping
the
e

r
t
lita den
# systemctl reload smb
i
m
ni of the Ssmbtuservice.
b. Run the systemctl command to view the status
u
o@ e this
# systemctl status smb
s
r
o
cDaemon
us

smb.service Samba SMB


n
o
t
a
ju nse
Loaded: loaded ((/usr/lib/systemd/system/smb.service;
enabled)
s
e
Active: active
) since ...
ria e(running
ic
l
a
l
o ...ab
Main s
PID:
r
o
er
...c
f
s
n
an host03.example.com systemd[1]: Reloaded Samba ...
jua<date_time>
r
t
n
no...
Create a Samba password for the user01 user.

Use the smbpasswd command to add user user01 to the local smbpasswd file.

Set the password for user01 to MyOracle1.

You use this password when accessing a Samba share from another Linux system
or a Windows system as user01.
# smbpasswd -a user01
New SMB password:MyOracle1
Retype new SMB password:MyOracle1
Added user user01.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 7

Practice 7-2: Accessing Samba Shares from a Client Host

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you do the following:
Access the Samba shares that you set up on host03 in the previous practice, from
host01, which acts as an Oracle Linux Samba client.
Mount and unmount a Samba share on host01.

Assumptions
All steps are performed from the host01 VM except where indicated.

Tasks
1.

Install the samba-client package on host01.


a. If necessary, open a new terminal window on dom0.
b. Use the su - command to become the root user on dom0.

s
a
h
The root password is oracle.
o) e
c

[dom0]$ su
du Guid
e

Password: oracle
r
t
tain to host01.
n
ilog
l
e
i
c. As the root user on dom0, use the ssh command
to
im Stud
n
u
The root password is oracle.
o@ e this
s
[dom0]# ssh host01
r
o
coracle
us

root@host01's password:
n
o
t
a
u
se
Last login: ...s (j
n
e
riathe eyumliccommand to install the samba-client package.
d. From host01,ause
l ok.
oy to Isathis
b
s
r
Answer
co sfer
n
[host01]#
jua...-tran yum install samba-client
noIsn this ok [y/N]: y
...
Complete!
2.

From host01, access the Samba shares on host03 as user user01.


a.

Use the smbclient command to access the /tmp directory on host03.

The Samba password for user01 is MyOracle1.


[host01]# smbclient //host03/tmp -U user01
Enter user01's password: MyOracle1
Domain=[GROUPA] OS=[Unix] Server=[Samba 4.1.12]
smb: \>

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 8

b.

If the smbclient command returns session setup failed:


NT_STATUS_LOGON_FAILURE, use the systemctl command on host03 to restart
the smb service.

After restarting the smb service, run the smbclient command in step 2a again.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[host03]# systemctl restart smb


c.

At the smb: prompt on host01, use the ls command to list the files in the /tmp
directory on host03.
smb: \> ls
.
..
...
smb: \>

d.

D
DR

0
0

...
...

Use the exit command to exit the smb session on host01.

a
s
a
h on
e. Use the smbclient command to access the home directory for user user01
)
o
c ide

host03.
u
d Gu
e

The Samba password for user01 is MyOracle1.


r
ita dent
l
i
[host01]# smbclient //host03/user01 -U
user01
nim Stu
Enter user01's password: MyOracle1
u
o@ e this4.1.12]
Domain=[GROUPA] OS=[Unix] Server=[Samba
s
r
co o us
smb: \>

n
t
a
e
f. Use the ls command (
toju
list the files
in the home directory for user user01.
s
s because
enSELinux is in Enforcing mode.
a
i
c
r
The command
fails
i
l
lein a subsequent lesson in this course.
oisacovered
b
s
SELinux
r
a
co\> ls
er
f
smb:
s
n
an
juaNT_STATUS_ACCESS_DENIED
r
listing \*
t
n
o
n smb: \>
smb: \> exit

g.

Use the exit command to exit the smb session.


smb: \> exit

h.

To allow Samba users access to their home directories, set SELinux to Permissive
mode on host03.

You could configure SELinux to allow Samba users to access their home
directories; however, for the purposes of this practice, set SELinux to Permissive
mode.
[host03]# getenforce
Enforcing
[host03]# setenforce 0
[host03]# getenforce
Permissive

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 9

i.

On host01, re-issue the smbclient command to access the home directory for user
user01 on host03.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The Samba password for user01 is MyOracle1.


[host01]# smbclient //host03/user01 -U user01
Enter user01's password: MyOracle1
Domain=[GROUPA] OS=[Unix] Server=[Samba 4.1.12]
smb: \>

j.

Use the ls command to list the files in the home directory for user user01.

Because of the change in the SELinux mode, you can now list and access the files
in user01s home directory.
smb: \> ls
.
..
.mozilla
.bash_logout
.bash_profile
.bashrc
...
smb: \>

3.

D
D
DH
H
H
H

...
...
...
...
...
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
@ this
k. Use the exit command to exit the smb
osession.
s
r
o
se
c
smb: \> exit
u

n
o
tshare
a
u
e
j
On host01, mount and unmount
a
Samba
from your Oracle Linux client.
(
s
n
s
e
a. On host01, create
riaa mount
icpoint for user01s home directory.
l
a
e
l
[host01]#
so mkdir
r
rab /homedir
o
c
e
f
b. n
Use the yum
s command to install the cifs-utils package.
n
a
jua Answer
r
-t y to Is this ok.
n
o
n [host01]# yum install cifs-utils

...
Is this ok [y/N]: y
...
Complete!
c.

Use the mount.cifs command to mount user01s home directory on the newly
created mount point.

Specify read-only in the mount options.


The Samba password for user01 is MyOracle1.
[host01]# mount.cifs -o username=user01,ro //host03/user01
/homedir
Password for user01@//host03/user01: MyOracle1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 10

d.

Use the df -hT command to verify that the mount operation was successful.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Notice that the file system type for //host03/user01 is cifs.


[host01]# df -hT
Filesystem
...
//host03/user01

e.

Type

Size

Used

Avail

cifs

11G

3.2G

7.1G

Use%

Mounted on

32% /homedir

Verify that the /homedir directory is read-only by using the mount command.
[host01]# mount | grep homedir
//host03/user01 on /homedir type cifs (ro,relatime,vers=1.0...)

f.

List the contents of /homedir.

[host01]# ls /homedir
Notice that the directory is empty.
g. On host03, use the touch command to create the /home/user01/testfile file.

s
a
h
o) e
h. On host01, list the contents of /homedir.
c

u uid
Notice that the testfile can now be seen from host01.ed
G
r
t
a
t
n
i
l
[host01]# ls /homedir
mi tude
i
n
testfile
u is S
@
o
i. On host01, use the umount command
ththe Samba share.
s to unmount
r
e
o
s in the /homedir directory.
c youtoareunot
Using the cd command ensures
n
a
[host01]# cd
(ju nse
s
[host01]# umount
ria e/homedir
ice
l
a
l to log off host01.
o command
b
j. Use thers
exit
a
co sfexit
er
[host01]#
n
an
jualogout
r
t
n
to host01 closed.
noConnection
[host03]# touch /home/user01/testfile

k.

Set SELinux to Enforcing mode on host03.


[host03]# getenforce
Permissive
[host03]# setenforce 1
[host03]# getenforce
Enforcing

l.

Use the systemctl poweroff command to shut down host03.

You are instructed to shut down host03 in preparation for Practice 8.


[host03]# systemctl poweroff
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 11

Practice 7-3: Accessing a Linux Samba Share from a Windows


System

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you become familiar with procedures to access a Linux Samba share from a
Windows system. You do not have a Windows system in the Oracle classroom environment. All
you can do is read through the tasks in this practice to help understand the steps.

Assumptions

This practice is not intended to be a hands-on exercise.


The Linux Samba server is host01, IP address is 192.0.2.101.

Tasks
1.

Access user01s home directory on the host01 VM from a Windows machine.

In this task, you examine the steps to access the home directory for user01, residing
on the host01 VM. This home directory is offered as a network share through Samba
services running on host01. You performed the same task previously, but you
accessed the share from an Oracle Linux client.
The steps are identical to the steps that are needed to map any Windows network
share.
You can use your Windows username if the Samba administrator has mapped your
Windows domain username to a Samba Linux username on the Linux host providing
the Samba services.
In this example, you use user01 as the username, and provide the Samba password
set up for this username.
Launch the tool to map a network drive.

s
a
h
o) e
c

du Guid
e

ita dent
l
i
nim Stu

u
o@ e this
s
r
co o us

ua se t
j
(
s icen
a
i
r
a.
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 12

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Provide the name of the share as \\<server name>\<share name>.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
ocredentials
Select Connect using different
s to provide your Linux username and its
c
u

n
o
associated Samba password.
t
a
u
e
j
(
s
c. In the Windows Security
s window,
en enter the credentials for the share as user01 and
a
i
c
r
i
the Samba password
as
MyOracle1.
l
o a able
s
r
co sfer
n
jua -tran
non

Click OK to access and map the drive.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 13

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

After successful completion of the mapping operation, the home directory for
user01 on host01 is mapped to drive H:.

You can view and manipulate the files in the H: drive:

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
n
e. Use Disconnect toarelease
share.
s ictheenetwork
i
r
l
o a able
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 7: Samba Services


Chapter 7 - Page 14

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a
s
a
h
)
o
c ide

u
d Gu
e

r
Practices lfor
Lesson
ita dent 8:
i
Advanced
Package
tu
nim Software
S
u
Management
o@ e this
s
r
co Chapter
us 8

n
o
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 1

Practices for Lesson 8: Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practices Overview
In these practices, you:
Learn to manage Yum plug-ins
Create a binary RPM package
Manage software updates with PackageKits Software Update program
Work with Yum history and Yum cache

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 2

Practice 8-1: Exploring the host04 VM

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you do the following:
Start the host04 VM.
Log in to host04.
View Public Yum Server configuration on host04.

Assumptions

You are the root user on dom0.

The host04 VM is preconfigured to access Oracles Public Yum Server.

Tasks
1.

Start the host04 VM.


a. From dom0, run the xm list command to list the running VMs.

a
s
a
You were instructed to shut down host03 at the end of Practice 7. ) h
o e
In this example, only host01 and host02 VMs are running. uc
d Guid
e

r
# xm list
t
n
ita State
e
Name
ID
Mem VCPUsmil
Time(s)
d
i
u
t
n
u 2 is Sr----Domain-0
0
2048
758.9
@
h
o
host01
4
-b---37.4
s se 1t
r1536
o
c
host02
5
1536 u
1
-b---37.3
n
o
t
a
ju system,
b. If host03 is running on(your
seuse the xm shutdown command to shut it down.
n
s
e
a lon
rimemory
The available
ic dom0 allows a maximum of only three VMs to be running.
a
e
l
so ratobshut down one VM before starting the host04 VM.
It is rnecessary
o
c sfe w host03
# xm shutdown
n
a
anhost03 terminated
ju Domain
r
t
n domains terminated
noAll
c.

If the xm shutdown command is taking more than a few seconds to complete, press
Ctrl + C to kill command and run the following xm destroy command.
# xm destroy host03

d.

Use the cd command to change to the /OVS/running_pool/host04 directory.


# cd /OVS/running_pool/host04

e.

Run the xm create command to create the host04 VM.


# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host04 (id=...)

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

2.

Log in to host04.
a. Determine the VNC port number for host04 by running the xm list l host04 |
grep location command.
# xm list l host04 | grep location
(location 0.0.0.0:5904)
(location 3)
The sample shown indicates that the port number is 5904. Your port number might
be different.
b. Run the vncviewer& command.
# vncviewer&

The VNC Viewer: Connection Details dialog box is displayed.


c. Enter localhost:<port_number>, substituting the port number displayed from the
previous xm list l host04 | grep location command. For example, if the
port number is 5904, enter localhost:5904 and click Connect.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 4

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The GNOME login screen appears.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
his for the Password.
tprompted
so@
r
d. Click Oracle Student in the list ofousers.
You
are
e
us
cand click
n
e. Enter oracle for the Password
Sign In.
o
t
a
(juappears.
se
The GNOME desktop
n
s
e
ria etoldisplay
ic the pop-up menu.
f. Right-click theadesktop
l
so rab
r
o
c sfe
n
a
ju -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 5

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
im Stu
n
u
g. From the pop-up menu, click Open in Terminal.
o@ e this
A terminal window appears. ors
us to become the root user.
csu - command
n
h. In the terminal window, useathe
o
t
(jisuoracle.
se
The root password
n
s
e
ria e lic
a
$ su
l
o oracle
b
s
r
a
Password:
co sfer
n
#
ua -tran
jWhen
nstarting the host04 VM, there might be a pop up notice to update the system. Close
o
n
the pop up window and do not install updates.
3.

View the Public Yum Server configuration on host04.


The host04 VM is preconfigured to access Oracles Public Yum Server.

There are four files that provide access to Public Yum:


/etc/sysconfig/network-scripts/ifcfg-eth0

/etc/resolv.conf

/etc/profile

/etc/yum.repos.d/public-yum-ol7.repo
The DNS and proxy configurations are specific to the Oracle University environment.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 6

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Use the cat command to view the contents of the /etc/sysconfig/networkscripts/ifcfg-eth0 file.
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
...
DNS1=192.0.2.1
DNS2=152.68.154.3
DNS3=10.216.106.3
DNS4=193.32.3.252
DOMAIN= us.oracle.com example.com
...

b.

Use the cat command to view the contents of the /etc/resolv.conf file.

The content of this file is automatically generated by NetworkManager from the


DOMAIN and DNS* entries in the ifcfg-eth0 file.
# cat /etc/resolv.conf
# Generated by NetworkManager
search us.oracle.com example.com
nameserver 192.0.2.1
nameserver 152.68.154.3
nameserver 10.216.106.3
# NOTE: the libc resolver may not support more than 3
nameservers.
# The nameservers listed below may not be recognized.
nameserver 193.32.3.252

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
enthe last five lines in the /etc/profile file.
rias e tolicview
c. Use the tailacommand
l variable is set in the last line of this file.
o proxy
b
s
r
The
HTTP
server
a
co /etc/profile
er
f
s
n
#
tail
jua...-tran
n
noexport
http_proxy=http://ges-proxy.us.oracle.com:80

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 7

d.

Use the cat command to view the public-yum-ol7.repo file in the


/etc/yum.repos.d directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The following two Public Yum repositories are enabled:


ol7_latest (enabled=1)

ol7_UEKR3 (enabled=1)

# cat /etc/yum.repos.d/public-yum-ol7.repo
[ol7_latest]
...
enabled=1
...
[ol7_UEKR3]
...
enabled=1
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 8

Practice 8-2: Managing Yum Plug-Ins

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you do the following:
View currently installed Yum plug-ins.

Exercise the langpacks plug-in.

Install and exercise the aliases plug-in.

Assumptions
You are the root user on host04.

Tasks
1.

On host04, display currently installed Yum plug-ins.


Sample output is provided throughout this practice. Your output might be different.
a. Use the yum clean all command to clean all cached information.

a
s
a
h
)
o
# yum clean all
c ide

u
Cleaning repos: ol7_UEKR3 ol7_latest
d Gu
e

r
Cleaning up everything
ita dent
l
i
If the following message appears, open another
imterminal
tuwindow and kill the
n
S
u
PackageKit process id (PID).
o@ e this
s
r
In this example, the PID is 2048.
o
c
usthe yum lock; waiting for it

n
o
Another app is currently
holding
t
a
(ju nse
exit...
s
ia lice is: PackageKit
rapplication
The other
a
le
o : ...
Memory
b
s
r
a
o fer...
cStarted:
s
n
n
a
jua -State
: Sleeping, pid: 2048
r
t
n
no...

In a new terminal window, use the su - command to become the root user
(password is oracle), then use the kill <PID> command to kill the
PackageKit process.

In this example, the PID is 2048.

to

$ su
Password: oracle
# kill 2048
b.

Run the yum repolist command.

Many yum commands display the plug-ins; this is just one example.

The first yum command takes a few minutes to complete because the Public Yum
repositories need to initialize. Subsequent yum commands do not require this
initialization process.
Each time you execute the yum command, the currently enabled Yum plug-ins are
listed immediately, before the output of the yum command.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this example, the langpacks Yum plug-in is currently enabled.


# yum repolist
Loaded plugins: langpacks
ol7_UEKR3 ...
ol7_latest ...
...
repo id
repo name
status
ol7_UEKR3/x86_64 Latest Unbreakable Enterprise Kernel ...
ol7_latest/x86_64 Oracle Linux 7Server Latest (x86_64) ...
...

c.

Use the cd command to change to the /etc/yum/pluginconf.d directory.

Use the ls command to list the contents of the directory.

This directory contains a configuration file for each installed Yum plug-in.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s to iview
d. Use the cat command
enthe contents of the langpacks.conf file.
a
i
c
r
l
This plug-in
le
o ais aenabled.
b
s
r
# cat
co langpacks.conf
er
f
s
n
an
jua[main]
r
t
n
noenabled=1
...

e.

Note that there are two configuration files but only one plug-in listed in the output of
step 1a. The rhnplugin.conf file is the configuration file for the yum-rhnplugin. The yum-rhn-plugin is used to connect to the Red Hat Network (RHN)
and this plug-in is not enabled when running Oracle Linux.
# cd /etc/yum/pluginconf.d
# ls -l
total 12
-rw-r--r--. ... langpacks.conf
-rw-r--r--. ... rhnplugin.conf

Use the cat command to view the contents of the rhnplugin.conf file.

This plug-in is not enabled.


The contents of a Yum plug-in configuration file vary from one plug-in to another.
# cat rhnplugin.conf
[main]
enabled=0
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 10

2.

Exercise the langpacks plug-in.


a.

Use the rpm -qa command to find the package name of the langpacks plug-in.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The package name is yum-langpacks.


# rpm qa | grep langpacks
yum-langpacks-0.4.2-3.el7.noarch

b.

Use the rpm ql command to view the files that are included with the yumlangpacks package.

The man page installed with the yum-langpacks package is yumlangpacks(8).


# rpm ql yum-langpacks
/etc/yum/pluginconf.d/langpacks.conf
/usr/lib/python2.7/site-packages/yum_langpacks-0.4.2-py2.7...
...
/usr/share/man/man8/yum-langpacks.8.gz

a
s
a
h
)
c. View the yum-langpacks(8) man page.
o
c ide

u
After viewing the man page, press q to quit.
d Gu
e

r
# man yum-langpacks
ita dent
l
i
...
nim Stu
u
DESCRIPTION
@ this
o
s
r
e yum to install language
yum-langpacks is aoplugin s
for
c
u

n allows
packs. This plug-in
to various user commands.
a
u
e
j
(
ns
s
e
a
i
c
command
li of:
ar isle one
o
langavailable
[language1] [language2] [...]
rab [language1]
ors ** flanginfo
c
e
[language2] [...]
s
n
jua -tran* langinstall [language1] [language2] [...]
* langlist [language1] [language2] [...]
non
* langremove [language1] [language2] [...]
langavailable
This command allows user to find if language
support is available for the given input
languages.
langinfo
This command allows user to check which packages
get installed when the given input language
support is installed.
langinstall
This command allows user to install language
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 11

packs for the given input languages.


langlist

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

This command prints list of the installed


languages.
langremove
This command allows user to remove the installed
language packs for a given input languages.
...
d.

Use the langpack plug-in to list the available languages.

Pipe the output to less to view one page at a time.


# yum langavailable
Loaded plugins: langpacks
Displaying all available language:Afrikanns [af]
Akan [ak]
Albanian [sq]
Amharic [am]
...
Yiddish [yi]
Zulu [zu]

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
splug-inictoelistn the packages that get installed with Yiddish
e. Use the langpack
a
i
r
a le l
language support.
o
s use reither
ab Yiddish or the language ID, yi, as an argument to this
orcan
You
c
e
f
s
n command.
n
a
jua# yum
r
-t langinfo Yiddish
n
o
n Loaded plugins: langpacks
Language-Id=Yiddish
hunspell-yi
f.

Use the langpack plug-in to install Yiddish language support.

Answer y to Is this ok.


You are asked about the GPG key only the first time you use yum to install or
update a package.
# yum langinstall Yiddish
Loaded plugins: langpacks
...
Is this ok [y/d/N]: y
...
Importing GPG key ...
...
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 12

Is this ok [y/N]: y
...
Language packs installed for: yi

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

g.

Use the langpack plug-in to list the installed languages.

Note that the Yiddish language support is now installed.


# yum langlist
Loaded plugins: langpacks
Installed languages:
Yiddish

h.

Use the langpack plug-in to remove Yiddish language support.

Answer y to Is this ok.


# yum langremove Yiddish
Loaded plugins: langpacks
...
Is this ok [y/N]: y
...
Language packs removed for: Yiddish

3.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
Install the aliases Yum plug-in.
nim Stu
u
s you can install.
a. Use the yum command to list available Yum
hithat
o@plug-ins
t
s
r
e
In this example, there are sixcYum
o plug-ins
s available to install.
u

n
o
tyum-plugin
# yum list available
ua| grep
e
j
(
s
kabi-yum-plugins.noarch
s icen...
a
i
r
a le l
yum-plugin-aliases.noarch
...
o
b
s
r
yum-plugin-changelog.noarch
...
o fera
c
s
n
...
n
a
juayum-plugin-tmprepo.noarch
r
t
yum-plugin-verify.noarch
...
nnoyum-plugin-versionlock.noarch
...
b.

Use the yum command to install the yum-plugin-aliases plug-in.

Answer y to Is this ok.


# yum install yum-plugin-aliases
...
Is this ok [y/d/N]: y
...
Complete!

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 13

4.

Exercise the aliases plug-in.


a. Use the rpm ql command to view the files that are included with the yum-pluginaliases package.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that the man page installed with the yum-plugin-aliases package is yumaliases(1).
# rpm ql yum-plugin-aliases
/etc/yum/aliases.conf
/etc/yum/pluginconf.d/aliases.conf
...
/usr/share/man/man1/yum-aliases.1.gz

b.

View the yum-aliases(1) man page.

After viewing the man page, press q to quit.


# man yum-aliases
...
DESCRIPTION
This plugin changes other commands in yum, much like the
alias command in bash. There are a couple of notable
differences from shell style aliases though. The alias
command has three forms:
* alias
* alias command
* alias command result

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
l lists all current aliases with their
a firstle form
The
o
b
the second form looks up a command and
raresult,
ors final
c
e
f
s
n
its final result or an error message. The last
jua -transhows
form creates a new alias.
n
no...
c.

Use the cat command to view the /etc/yum/aliases.conf file.

This file defines a number of Yum command aliases.


# cat /etc/yum/aliases.conf
...
DEV --enablerepo=development
UPT --enablerepo=updates-testing
...
SEC --security
CRIT --sec-severity=critical
FORCE --skip-broken --disableexcludes=all
DUPS --showduplicates
up upgrade
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 14

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

inst install
in install
rm remove
down downgrade
rein reinstall
...
ls list
lsi ls installed
lsa ls available
...
d.

Use the aliases plug-in to list Yum command aliases.


# yum alias
Loaded plugins: aliases, langpacks
Alias ALL = --enablerepo=development --enablerepo=updates...
Alias ALLDBG = --enablerepo=fedora-debuginfo --enablerepo=...
Alias CRIT = --sec-severity=critical
...
Alias up = upgrade
Alias upi = updateinfo
Alias v = version
alias done

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
t
e. Use the aliases plug-in
available
packages to install.
utoalist the
e
j
(
s
n
s
The commandia
r to listeavailable
ice packages to install is yum list available.
l
a
l the same list of available packages.
oalias aproduces
The lsa
b
s
r
co lsasfer
# yum
n
jua...-tran
n
5.0.2-7.el7_1.1
ol7_latest
nozsh.x86_64
zziplib.i686
0.13.62-5.el7
ol7_latest
zziplib.x86_64

0.13.62-5.el7

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 15

ol7_latest

Practice 8-3: Using Yum Utilities

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you do the following:
View available errata for your system.
View CVE information.
Update the packages affected by the specific CVE.
View software package information.
View dependencies for a software package.

Use the Yum --downloadonly option.

Use the yumdownloader and the repoquery utilities.

Assumptions

a
s
a
h
)
Tasks
o
c ide

u
d Gu
1. Manage errata for your system.
e

r
a. Run the yum updateinfo list to list all the erratalthat
nt for your
ita aredavailable
e
i
system.
im Stu
n
u
Sample output is provided. New errata@
exist sinceis
this example was created.
h
o
t
s
This errata list provides the errata
or ID forueach
se entry in the errata.
c

n
Errata fall into three categories:
to
a
u
e
j
(
Bug fixes
ns
s
e
a
i
c
r listed
i priority (critical, important, moderate)
lby
Securityafixes
e
l
o
oEnhancements
rs erab
c
f
s
n
# yum updateinfo
list
n
a
a
ju Loaded
r
-t plugins: aliases, langpacks
n
o
n ELSA-2015-0672 Moderate/Sec. bind-libs-32:9.9.4-18.el7_1.1...
You are the root user on host04.

ELSA-2015-0672 Moderate/Sec.
...
ELBA-2015-0741 bugfix
ELBA-2015-0974 bugfix
...
ELEA-2015-0969 enhancement
ELEA-2015-0732 enhancement
...
ELSA-2015-0265 Critical/Sec.
ELSA-2015-0718 Critical/Sec.
...
updateinfo list done

bind-libs-lite-32:9.9.4-18.el7...
binutils-2.23.52.0.1-30.el7_1.1...
binutils-2.23.52.0.1-30.el7_1.2...
crash-7.0.9-5.el7_1.x86_64
dnsmasq-2.66-13.el7_1.x86_64
firefox-31.5.0-2.0.1.el7_0...
firefox-31.5.3-3.0.1.el7_1...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 16

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Use the cves option with the yum updateinfo list command to display only the
security patches.
This list provides the CVE ID instead of the errata ID.
# yum updateinfo list cves
Loaded plugins: aliases, langpacks
CVE-2015-1349 Moderate/Sec. bind-libs-32:9.9.4-18.el7_1.1...
CVE-2015-1349 Moderate/Sec. bind-libs-lite-32:9.9.4-18.el7...
...
CVE-2015-0822 Critical/Sec. firefox-31.5.0-2.0.1.el7_0...
CVE-2015-0827 Critical/Sec. firefox-31.5.0-2.0.1.el7_0...
...
CVE-2014-8962 Important/Sec. flac-libs-1.3.0-5.el7_1.x86_64
CVE-2014-9028 Important/Sec. flac-libs-1.3.0-5.el7_1.x86_64
...
CVE-2015-0255 Moderate/Sec. xorg-x11-server-common-1.15.0-...
updateinfo list done

a
s
a
h
)
o
c ide

u
d selects
c. Correlate a published CVE to its errata ID. The following example
uthe last CVE
e

G
r
t
in the previous output.
n
lita list
e
i
d
m
Use the --cve <CVE> option to the yum updateinfo
tu command.
ni
S
u
The list for this CVE includes the security
o@ patches
thisby errata ID for the particular CVE
s
ID. This CVE affects two packages
in this example.
r
e
co a different
us CVE.

Your output differs if you choose


n
o
t
a
ju --cve
(list
se CVE-2015-0255
# yum updateinfo
n
s
e
ria aliases,
ic langpacks
Loaded plugins:
l
a
e
l
so rabModerate/Sec. xorg-x11-server-Xorg-1.15.0...
ELSA-2015-0797
r
o
c sfe Moderate/Sec. xorg-x11-server-common-1.15...
ELSA-2015-0797
n
a
an list done
ju updateinfo
r
t
n
d.no
Display additional information about a specific CVE.

Use the info argument instead of the list argument.

Your output differs if you choose a different CVE.


# yum updateinfo info --cve CVE-2015-0255
Loaded plugins: aliases, langpacks
==============================================================
xorg-x11-server security update
==============================================================
Update ID : ELSA-2015-0797
Release : Oracle Linux 7
Type : security
Status : final
Issued : 2015-04-09
CVEs : CVE-2015-0255
Description : [1.15.0-26]
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 17

: - CVE fixes for: CVE-2015-0255


Severity : Moderate
updateinfo info done

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

e.

Update the packages affected by the specific CVE.

Answer y when asked Is this ok.


# yum update --cve CVE-2015-0255
Loaded plugins: aliases, langpacks
...
Is this ok [y/d/N]: y
...
Complete!

2.

View the Oracle Database preinstallation packages (oracle-rdbms).


a.

Use the yum command to list the Oracle Database preinstallation packages (oraclerdbms) that are available for installation.

a
s
a
h
You can use the lsa alias instead of list available.
)
o
c ide

# yum list available | grep oracle-rdbms


u
d Gu
e

r
oracle-rdbms-server-11gR2-preinstall.x86_64
a ent
t
i
l
i
oracle-rdbms-server-12cR1-preinstall.x86_64
im Stud
n
u
b. View more information for the Oracle Database
packages.
is
@ preinstallation
h
o
t
s
In this example, there are two releases
e package. You select to download the
or inuofthissthis
c

latest release of the package,


which,
example, is oracle-rdbms-servern
o
t
a
12cR1-preinstall.
(ju nse
s
Be careful when
wildcards
ce with the yum command. They are very useful to list
ria using
i
l
a
e get unexpected results when using wildcards to install or
lcan
packages,
o but ayou
b
s
r
remove
co spackages.
er
f
n
n oracle-rdbms*
ainfo
jua# yum
r
t
plugins: aliases, langpacks
n
noLoaded
Available Packages
Name
Arch
Version
Release
Size
Repo
Summary
License
Description

:
:
:
:
:
:
:
:
:

oracle-rdbms-server-11gR2-preinstall
x86_64
1.0
3.el7
18 k
ol7_latest/x86_64
Sets the system for Oracle single instance and ...
GPLv2
This package installs software packages and ...

Name
Arch
Version
Release

:
:
:
:

oracle-rdbms-server-12cR1-preinstall
x86_64
1.0
3.el7
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 18

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Size
Repo
Summary
License
Description
c.

:
:
:
:
:

17 k
ol7_latest/x86_64
Sets the system for Oracle single instance and ...
GPLv2
This package installs software packages and ...

Check the dependencies for the target package by using the repoquery command.

The repoquery utility is part of the yum-utils package and is useful for querying
information from Yum repositories.

The --requires option lists package dependencies.

If a dependency package is missing, it is downloaded along with the oraclerdbms-server-12cR1-preinstall package in the next step.
# repoquery --requires oracle-rdbms-server-12cR1-preinstall
/bin/bash
/bin/sh
/etc/redhat-release
bind-utils
...
xorg-x11-utils
xorg-x11-xauth

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
is
o@ ethethoracle-rdbms-server-12cR1d. Use the --downloadonly option tos
download
r
o dependent
preinstall package and anyc
missing
us packages.
n
o
t
a
In this example, six packages
(ju nsaree downloaded in addition to the
oracle-rdbms-server-12cR1-preinstall-1.0-3.el7.x86_64.rpm
s
ia lice
package. ar
le
o aoracle-rdbms-server-12cR1-preinstall
b
s
r
# yum
install
-co sfer
downloadonly
n
anplugins: aliases, langpacks
juaLoaded
r
t
n
no...
Transaction Summary
==============================================================
Install 1 Package (+6 Dependent packages)
Total download size: 9.8 M
Installed size: 29 M
Background downloading packages, then exiting:
(1/7): compat-libcap1-1.10-7.x86_64.rpm ...
...
exiting because Download Only specified
e.

Verify that the package and its dependency packages are downloaded by examining
the content of the /var/cache/yum/x86_64/7Server/ol7_latest/packages
directory.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 19

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

3.

You can also specify an alternative directory for the downloaded packages with
downloaddir=<directory path>.

--

If the package that you want to download is already installed, it is not downloaded
and its dependencies are not downloaded. In the next step, you use a different
technique to download a package if the package is already installed on your system.
# cd /var/cache/yum/x86_64/7Server/ol7_latest/packages
# ls
compat-libcap1-1.10-7.x86_64.rpm
...
oracle-rdbms-server-12cR1-preinstall-1.0-3.el7.x86_64.rpm

Using the Yum utilities.

In this task, you examine the Yum utilities available and use the yumdownloader
utility to download a package.
a. Use the rpm -ql command to examine the files that make up the yum-utils
package.
Note that yumdownloader and repoquery are included in the yum-utils
package.
# rpm -ql yum-utils
...
/usr/bin/repoquery
...
/usr/bin/yumdownloader
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icoption
en of the downloadonly plug-in to attempt to
a
i
b. Use the --downloadonly
r
l
le
otheaxorg-x11-server-Xorg
download
program.
b
s
r
a
r
o
c package
n The
fe is not downloaded because it is already installed.
s
n
a
ju # yum
trainstall xorg-x11-server-Xorg --downloadonly
n
noLoaded plugins: aliases, langpacks

Package xorg-x11-server-Xorg-1.15.0-33.el7_1.x86_64 already


installed and latest version
Nothing to do
c.

Use the yumdownloader command to download the xorg-x11-server-Xorg


package.
The command downloads the package in the current directory.

The command does not download the dependencies for the xorg-x11-serverXorg program.
# yumdownloader xorg-x11-server-Xorg
Loaded plugins: aliases, langpacks
xorg-x11-server-Xorg-1.15.0-33.el7_1.x86_64.rpm ...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 20

d.

Use the yum deplist command to display the dependencies for the xorg-x11server-Xorg program.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

If you download a package by using the yumdownloader utility, you have to


determine the dependencies manually. You can use the rpm command to let you
know which packages are missing and install those packages.
A dependency package is different than a dependent package. When you use the
yum deplist <package name> command, you list the packages that the
<package name> package needs to operate.
A dependent package is a package that needs the <package name> package to
operate. Knowing whether a package is dependent is important when trying to
remove a package. By default, the yum and rpm commands do not allow you to
remove a package that is needed by other packages. To find out which packages
depend on a package, use the repoquery --whatrequires <package name>
command.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t command for the xorg-x11-server-Xorg
j
(
e. Use the repoquery
--whatrequires
swhich packages
en depend on xorg-x11-server-Xorg.
a
i
c
r
program to find
out
i
l
le a few seconds to run.
o a atakes
b
s
Thisrcommand
co sfthis
erlist with the list obtained with the yum deplist command in step 3d.
n Compare
an --whatrequires xorg-x11-server-Xorg
jua# repoquery
r
t
n
noxorg-x11-drv-ati-0:7.2.0-9.20140113git3213df1.el7.x86_64
# yum deplist xorg-x11-server-Xorg
Loaded plugins: aliases, langpacks
Finding dependencies:
package: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
dependency: config(xorg-x11-server-Xorg) = 1.15.0-33.el7_1
provider: xorg-x11-server-Xorg.x86_64 1.15.0-33.el7_1
dependency: libGL.so.1()(64bit)
provider: mesa-libGL.x86_64 10.2.7-5.20140910.el7
...

xorg-x11-drv-ati-0:7.4.0-1.20140918git56c7fb8.el7.x86_64
xorg-x11-drv-dummy-0:0.3.6-15.el7.x86_64
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 21

Practice 8-4: Creating an RPM Package

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you prepare to build an RPM package. The steps for this preparation are:
Create a nonprivileged user to perform the build.
Check for the required packages to perform the build and install them if necessary.
Create the directory infrastructure for the build.
Create the program for the package.
Create the compressed TAR file and store it in the appropriate build directory.
Create the spec file.
After performing the steps to prepare for the RPM package build, you perform the build by using
the rpmbuild command.
In the last task, you install the new RPM package as root to verify that the program gets
installed as you expected.

a
s
a
h
)
Assumptions
o
c ide

You are the root user on host04.


u
d Gu
e

r
ita dent
l
Tasks
i
tuinstall it if it is not installed.
nim and
1. Verify the presence of the required rpmdevtools
package
S
u
o@
a. Run the rpm command to search for s
the
rmpdevtools
this command.
r
e
co package
us is not installed.
In this example, the rpmdevtools

n
o
t
a
ju nse
# rpm -qa | grep (rpmdevtools
s
ce to install the rpmdevtools package.
riathe yum
i
b. If necessary, a
use
command
l
le is a dependency for the rpmdevtools package and is
o abpackage
s
The
rpm-build
r
co satfether same time as rpmdevtools. The rpm-build package contains the
installed
n
an command, which you use to build the RPM package in this practice.
jua rpmbuild
r
t
The rpmdevtools package contains several commands that are useful when
noncreating
RPM packages, including the following two commands that you use later in
this practice:

rpmdev-setuptree: Creates the build directory structure

rpmdev-newspec: Creates a skeleton spec file


Answer y to Is this ok.

# yum install rpmdevtools


...
Transaction Summary
==============================================================
Install 1 Package (+6 Dependent packages)
Total download size: 541 k
Installed size: 1.1 M
Is this ok [y/d/N]: y
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 22

...
Complete!
2.

Create a nonprivileged user rpmbuilder to perform the build.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

Use the useradd command to add the rpmbuild user.


# useradd -d /home/rpmbuilder -m rpmbuilder

b.

Use the ls ld command to view the home directory for the rpmbuilder user.
# ls -ld /home/rpmbuilder
drwx------. 3 rpmbuilder rpmbuilder ... /home/rpmbuilder

c.

Use the passwd command to create a password of oracle for the rpmbuilder user.

3.

Ignore the BAD PASSWORD warning.


# passwd rpmbuilder
Changing password for user rpmbuilder.
New password: oracle
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: oracle
passwd: all authentication tokens updated successfully.

s
a
h
o) e
c

du Guid
e

r
ita dent
Create the directory infrastructure for the RPM build.
l
i
tu
a. Use the su - command to become the rpmbuilder
nim user.
S
u
Use the whoami command to confirm
you are tthe
hisrpmbuilder user.
o@
s
r
e
# su rpmbuilder
co o us

n
$ whoami
ua se t
j
(
rpmbuilder ias
en
c
r
i
l
a le to list the contents of the rpmbuilder users home
b. Use the s
lso -la command
r
o ferab
directory.
c
s
n -la
n
a
jua$ ls
r
-t
n
...
o
n -rw-r--r--. ... .bash_logout
-rw-r--r--.
-rw-r--r--.
drwxrwxr-x.
drwxrwxr-x.
drwxr-xr-x.
c.

...
...
...
...
...

.bash_profile
.bashrc
.cache
.config
.mozilla

Run the rpmdev-setuptree command, and then use the ls -la command to verify
the presence of new entries in the home directory.
Note the new rpmbuild directory and the new .rpmmacros file.
$ rpmdev-setuptree
$ ls -la
...
-rw-r--r--. ... .bash_logout
-rw-r--r--. ... .bash_profile
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 23

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

-rw-r--r--.
drwxrwxr-x.
drwxrwxr-x.
drwxr-xr-x.
drwxrwxr-x.
-rw-rw-r--.
d.

4.

...
...
...
...
...
...

.bashrc
.cache
.config
.mozilla
rpmbuild
.rpmmacros

Use the ls -lR command to view the directory structure in the new rpmbuild
directory.
$ ls -lR rpmbuild
...
drwxrwxr-x. ... BUILD
drwxrwxr-x. ... RPMS
drwxrwxr-x. ... SOURCES
drwxrwxr-x. ... SPECS
drwxrwxr-x. ... SRPMS
...

s
a
h
o) e
c

u uid
Create the program that is going to be part of the RPM package.ed
G
r
t
a
t
n
i
a. Use the cd command to change to the rpmbuild directory.
l
mi tude
i
n
$ cd rpmbuild
u is S
@
o
thfile.
b. Use the vi editor to create the following
s hello.c
r
e
o
c to us
$ vi hello.c
n
a
#include <stdio.h>
(ju nse
s
ria e lice
a
l
main()s{o
b
r
a
o fer World!\n");
cprintf("Hello
s
n
n
a
jua -return(0);
r
t
}n
o
n
c.

Use the gcc command to compile the program.

Name the output file hello.


$ gcc hello.c -o hello

d.

Run the hello program.


$ ./hello
Hello World!

5.

Create the compressed TAR file with the build directory structure and the compiled
program, and store it in the rpmbuild/SOURCES directory.

The build directory name must reflect the correct name and version for the package
that you are building.
a. Use the pwd command to ensure you are in the /home/rpmbuilder/rpmbuild
directory.
From this directory, use the mkdir command to create the hello-1.0 directory.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 24

Use the mv command to move the hello program to the new directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

$ pwd
/home/rpmbuilder/rpmbuild
$ mkdir hello-1.0
$ mv hello hello-1.0/
b.

Use the tar command to create a compressed TAR file of the hello-1.0 directory
structure and store the resulting .tar.gz file in the rpmbuild/SOURCES directory.
$ tar cvzf SOURCES/hello-1.0.tar.gz hello-1.0/
hello-1.0/
hello-1.0/hello

c.

Use the ls command to verify that the new .tar.gz file is in the SOURCES directory.
$ ls SOURCES
hello-1.0.tar.gz

6.

a
s
a
hspec file.
)
a. From the rpmbuild directory, use rpmdev-newspec to create a skeleton
o
c ide

u
$ rpmdev-newspec SPECS/hello.spec
d Gu
e

r
t >= 4.11.
SPECS/hello.spec created; type minimal, lirpm
ta version
n
e
i
d
imnew spec
b. Use the cat command to view the contents of n
the
tufile.
S
u
$ cat SPECS/hello.spec
o@ e this
s
r
Name:
hello co
us
n
o
t
a
Version:
(ju nse
s
Release:
1%{?dist}
ria e lice
Summary: a
so rabl
... or
c sfe
n
%changelog
a
an
jc.u Use-tthe
r
cd command to change to the SPECS directory.
no$ncd SPECS
Create and populate the spec file.

d.

Use the vi editor to edit the hello.spec file and populate the header section by
making the following changes:
Note: A preconfigured hello.spec file exists on dom0 (192.0.2.1) in the
/OVS/seed_pool/sfws directory.

You can edit the hello.spec file as follows by using the vi command, or you can
use the sftp root@192.0.2.1 command and copy
/OVS/seed_pool/sfws/hello.spec from dom0 to
/home/rpmbuilder/rpmbuild/SPECS/hello.spec on host04.
If you use this hello.spec file on dom0, you do not need to edit the file as instructed
in the following steps. You can go immediately to step 6j.
Leave hello as the Name tag.

Specify 1.0 for the Version tag.

Leave the Release information as is.


Specify Test for the hello program for the Summary tag.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 25

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Specify GPL for the License tag.


Comment out the URL tag by inserting # at the beginning of the line.

Specify hello-1.0.tar.gz for the Source0 tag.


Comment out the BuildRequires and Requires tags.

Add this line: A program that display Hello World as a new line following
the %description directive.
After making the changes, the header section looks like this:

Name:
Version:
Release:
Summary:

hello
1.0
1%{?dist}
Test for the hello program

License:
#URL:
Source0:

GPL

a
s
a
hello-1.0.tar.gz
h
)
o
c ide

u
d Gu
#BuildRequires:
e

r
#Requires:
ita dent
l
i
nim Stu
u
%description
o@ e this
s
r
A program that displays Hello
co oWorld
us

n
t
a
e. Leave the %prep section
juas is.nse
(
s
The %prep macro
is a section
where you get the files ready for the build section.
cesome
ria patching
i
l
a
This might
involve
files. The %setup macro in this section unpacks
e
l
o
b
s
r
the
rain the SOURCES directory into the BUILD directory. The -q option
cosource
efiles
f
indicates
a
quiet
action.
s
n
anexample, the only necessary step for this section is the unpacking step.
jua In-tthis
r
n
f. no
Use the vi editor to remove the entries in the %build section but leave the %build
macro.

%build
%configure
delete this line
make %{?_smp_mflags]
delete this line
Generally, this section contains the steps to build the software. A command such as
the make command is allowed. In this example, the software is already built.
g. Use the vi editor to make the following changes to the %install section of the
hello.spec file:

Leave the rm -rf $RPM_BUILD_ROOT line as is. This line cleans the BUILDROOT
directory before performing the build.
Comment out the %make_install line. The next line creates the required
directory.
Add a line to create the build directory structure in the BUILDROOT directory by
using the install -d command. This line is followed by an install command
that copies the built program into its build directory.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 26

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

After making the changes, the %install section looks like this:

%install
rm -rf $RPM_BUILD_ROOT
#%make_install
install -d $RPM_BUILD_ROOT/usr/local/bin
install hello $RPM_BUILD_ROOT/usr/local/bin/hello
As seen in this example, this section installs the software, which means that the
necessary directories are created and the package files are copied to their
respective directory.
h. Use the vi editor to make the following changes to the %files section:

Change the %doc line to /usr/local/bin/hello.

After making the changes, the %files section looks like this:

%files
/usr/local/bin/hello
In the %files section, you list the files and their location for the binary RPM
package. This section can also trigger the creation of directories.
i. Leave the %changelog section unchanged. Save the file and exit vi.

a
s
a
h
)
o
c ide

u
d Gu
e

r
j. Use the cat command to view the hello.spec file.ilEnsure
thet contents of the
n
ita that
e
hello.spec file match the following.
nim Stud
u
Edit the file again if necessary to ensure
o@theecontents
this of hello.spec looks like
s
r
this:
o
c
us

n
o
$ cat hello.spec
t
a
(ju nse
Name:
hello
s
a 1.0lice
Version: ari
e
o abl1%{?dist}
s
Release:
r
r
co
Summary: sfe
Test for the hello program
n
jua -tran
n
GPL
noLicense:
#URL:
Source0:

hello-1.0.tar.gz

#BuildRequires:
#Requires:
%description
A program that displays Hello World
%prep
%setup -q

%build
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 27

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

%install
rm -rf $RPM_BUILD_ROOT
#%make_install
install -d $RPM_BUILD_ROOT/usr/local/bin
install hello $RPM_BUILD_ROOT/usr/local/bin/hello
%files
/usr/local/bin/hello

%changelog
7.

a
s
a
h
)
o
c ide
$ cd /home/rpmbuilder/rpmbuild

u
dand spec
ufile
e

b. Run the rpmbuild command, specifying the following options


G
r
t
parameter: rpmbuild -bb -v SPECS/hello.spec
lita den
i
m
u package.
tbinary
ni only the
The -bb option indicates that you want tou
build
S
o@ e this
The -v option requests verbose information.
s
r
co ospecifies
us the location of the spec file for this

The SPECS/hello.specnparameter
t
a
RPM binary build. (ju
se
n
s
e
The four major
iasectionslicduring the build process, %prep, %build, %install, and
rshown
a
%clean,
are
o ablein bold format in this example.
s
r
r
If
you seefaewarning:
Could not canonicalize hostname: message, this
co
s
n
This is a DNS resolution error and can be fixed by adding the host
abentoignored.
jua can
r
t
name
/etc/hosts.
no$nrpmbuild -bb -v SPECS/hello.spec
Perform the build of the binary RPM package.
a. Use the cd command to change to the /home/rpmbuilder/rpmbuild directory.

Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp...


+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp...
+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp...
+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 28

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Wrote: /home/rpmbuilder/rpmbuild/RPMS/x86_64/hello-debuginfo...
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp...
+ umask 022
+ cd /home/rpmbuilder/rpmbuild/BUILD
...
+ exit 0
c.

View the new RPM package in the RPMS directory.


The package appears with the version and release specified in the hello.spec
file.

Note that a hello-debuginfo file is also created.


$ cd RPMS
$ ls
x86_64
$ cd x86_64
$ ls
hello-1.0-1.el7.x86_64.rpm
hello-debuginfo-1.0-1.el7.x86_64.rpm

8.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
Install the newly built package.
i
tu
nim user.
a. Use the exit command to log off as the rpmbuilder
S
u
is user.
@are thethroot
oyou
Use the whoami command to verify
s
r
e
co o us

$ exit
n
ua se t
logout
j
(
s icen
a
# whoami
i
r
a le l
root so
or ferab to change to the directory where the new package resides.
b. n
Usecthe cdscommand
an
jua# cd
r
/home/rpmbuilder/rpmbuild/RPMS/x86_64
t
no#nls
hello-1.0-1.el7.x86_64.rpm
hello-debuginfo-1.0-1.el7.x86_64.rpm
c.

Use the rpm command to install the hello package:


# rpm -ivh hello-1.0-1.el7.x86_64.rpm
Preparing...
############################ [100%]
Updating / installing...
1:hello-1.0-1.el7
############################ [100%]

d.

Run the which hello command to display the path of the command.
# which hello
/usr/local/bin/hello

e.

Run the hello program.


# hello
Hello World!
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 29

f.

Use the ls l command to display the file and its permissions in its target directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# ls -l /usr/local/bin
total 8
-rwxr-xr-x. 1 root root ... hello

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 30

Practice 8-5: Managing Software Updates with PackageKit

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
PackageKit is a software program that provides graphical tools to install software and software
updates on your Linux systems. PackageKit is available for several Linux distributions.
In this practice you use the Software Update program that is part of PackageKit to manage
software updates on your Oracle Linux system.
You also change the frequency at which the Software Update program checks for updates.
PackageKit also includes the Software graphical tool to install and remove packages, but this
program is not used in this practice.

Assumptions

You are the root user on host04.

Ensure that you logged in to host04 using vncviewer and not ssh.

a
s
a
h
)
When using the PackageKit Software Update program, the proxy set through
an
o

cthe Yum
e

d
u
environment variable does not work. You need to set the proxy directly
in
i
d Gu
e

configuration file.
r
ita dent file and add
As the root user on host04, use the vi editor to edit m
theil/etc/yum.conf
tu line.
ni
the following proxy line following the installonly_limit=3
S
u
o@ e this
# vi /etc/yum.conf
s
r
co o us
[main]

n
ua se t
...
j
(
s icen
installonly_limit=3
a
i
r
a le l
proxy=http://ges-proxy.us.oracle.com:80
o
ors ferab
c
s
n
jua -tran
non

Tasks
1.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 31

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

2.

Launch Software Update.


a. In the GNOME task bar, select Application > System Tools > Software Update.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
n ans
jua The
tr Software Update window appears.
n
no Checking for updates might take several minutes to complete.

Continue with step 2b while waiting for the update to complete.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 32

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
b.

While the list of changes is being created, open a terminal window on the desktop, and
examine the process that is running to obtain the lists of updates, called changes in the
Software Update program.

The yumBackend.py get-updates is the PackageKit program that checks for


updates.
$ ps -ef | grep yum
root ... /usr/bin/python
/usr/share/PackageKit/helpers/yum/yumBackend.py get-updates
newest
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 33

3.

View the update(s) flagged by the Software Update program.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

If the Software Update program fails with an error message, use the yum clean all
command to clean all cached information and then use the yum repolist command
to initialize the metadata. For example:
# yum clean all
...
# yum repolist
...

a.

Return to the Software Update program. In this example, the program has found 79
updates.
This is sample output. Your environment might be different because updates have
been added since this example was captured.
Do not click the Install Updates button because it takes too long to install all of
the updates.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 34

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
b.

Scroll down through the list of updates.


Note that there are Security updates, Bug fix updates, and Other updates.
c. Click Quit to exit the Software Update program.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 35

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

4.

Change the frequency at which the Software Update program checks for updates.
a. From a terminal window as the root user, run the gpk-prefs command to view the
Software Update Preferences GUI.
# gpk-prefs
The Software Update Preferences window appears.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
rs erab
o
c
f for updates: drop-down menu.
b. n
Select the Check
s
n
a
ju The
trachoices are Hourly, Daily, Weekly, and Never as shown.
n
no

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 36

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
@ this
o
s
r
c. From the drop-down list, select Hourly.
o
se
c
u

nprefer totomanage software installation and updates by


Many Linux administrators
a
u
j
(
using the Yum commands
directly,
se rather than use the graphical interfaces offered
n
s
e
by the PackageKit
ria programs.
ic
l
a
e
l
Yourcan
b from the drop-down list to disable the Software Updates
soselectraNever
o
applet
that
checks
c sfe for software updates.
n
athenSoftware Sources tab.
jd.uaSelect
r
t
nonFrom this window, you can enable additional Public Yum repositories.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 37

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
@ this
o
s
r
e. Click Close to close the Software
window.
o UpdateuPreferences
se
c

n
o
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 38

Practice 8-6: Working with Yum History and Yum Cache

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you become familiar with:
The history of transactions kept by Yum
The history contains information about Yum transactions, such as date and time of
occurrence, whether the transactions were successful, and the number of packages
affected in the RPM database. You can use the history kept by Yum to undo a given
transaction or to redo a transaction.
Cache information kept by Yum
Yum caches a variety of information to allow faster operations and, in some cases, to
allow you to perform package management without a network connection. Information
cached by Yum operations includes packages, header information for packages, and
metadata for enabled repositories.

a
s
a
h
You are the root user on host04.
)
o
c ide

u
d Gu
Tasks
e

r
1. Display Yum history information.
ita dent
l
i
a. As the root user on host04, use the yum history
tu to list transactions.
nim command
S
u
The following is sample output.
o@ e this
s
r
o outside
Ignore the Warning: RPMDB
altered
c
us of yum message. This message is

n
o
caused by using rpm commands
and
can be ignored. See the following for more
t
a
(ju nse
information: http://illiterat.livejournal.com/7834.html.
s
ce
rialist
i
l
# yum history
a
le
o abaliases,
Loadedrs
plugins:
langpacks
r
o
c
e
f
| Date and time | Action(s)
|
nID a|nsLogin user
juaAltered
r
-t
n
---------------------------------------------------------------------o
n
6 | Oracle Student <oracle> | <date_time>
| Install
|
7
Assumptions

5 | Oracle Student <oracle> | <date_time>


4 | Oracle Student <oracle> | <date_time>
3 | Oracle Student <oracle> | <date_time>
2 | Oracle Student <oracle> | <date_time>
1 | System <unset>
| <date_time>
Warning: RPMDB altered outside of yum.
history list

b.

|
|
|
|
|

Update
Install
Erase
Install
Install

|
2
|
1
|
1
|
1
| 1214

Select the most recent transaction ID and display detailed information for that
transaction.
In this example, the most recent transaction ID is 6.
# yum history info 6
Loaded plugins: aliases, langpacks
ID
| Command line
| Date and time | Action(s)
Altered
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 39

---------------------------------------------------------------------6 | install rpmdevtools


| <date_time>
| Install
|
7
history list

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

2.

Install the changelog Yum plug-in and uninstall it by using information in the Yum history.

a.

You install this plug-in package and you uninstall it in this task.
Install the yum-plugin-changelog package by using the yum install command.

Answer y to Is this ok.


# yum install yum-plugin-changelog
...
Transaction Summary
==============================================================
Install 1 Package (+1 Dependent package)

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
b. List the Yum history to display the latest transaction.
u
his when installing the yumothe@action
The most recent transaction reflects
ttaken
s
r
e
plugin-changelog package.
coTwoopackages
us were installed as part of that

n
t
transaction.
a
(ju nse
s
# yum historyalist
ce changelog, langpacks
ri aliases,
i
l
a
Loaded plugins:
le
so rabuser
ID cor | Login
| Date and time
| Action(s)|Altered
e
f
s
n
an| Oracle Student <oracle> ...
jua-------------------------------------------------------------r
t
7
| Install |
2
n
no...
Total download size: 114 k
Installed size: 384 k
Is this ok [y/d/N]: y
...
Complete!

history list
c.

Undo the most recent transaction by using the yum history undo <ID number>
command.
Replace <ID number> with the ID number obtained from your previous history
listing.
Answer y to Is this ok.
# yum history undo 7
...
Transaction Summary
==============================================================
Remove 2 Packages
Installed size: 384 k
Is this ok [y/N]: y
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 40

...
Complete!
d.

List the history again to examine the latest transaction information.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The packages installed by installing the yum-presto package are uninstalled when
you use the yum history undo command.
# yum history list
Loaded plugins: aliases, changelog, langpacks
ID
| Login user
| Date and time
| Action(s)| Altered
-------------------------------------------------------------8 | Oracle Student <oracle> ...
| Erase
|
2
7 | Oracle Student <oracle> ...
| Install |
2
...
history list

3.

a
s
a
h
)
o
c ide

# cd /var/cache/yum
u
d Gu
e

r
b. Access each subdirectory until you reach the 7Servertdirectory.
nt the ls l
i a deUse
command to display the contents of this directory.mil
u is a subdirectory for
tthere
nidirectory,
S
u
In the /var/cache/yum/x86_64/7Server
o@ e this
each enabled repository.
s
r
co o us
# ls

n
ua se t
x86_64
j
(
en
# cd x86_64/rias
c
i
l
# ls
o a able
s
r
7Server
co sfer
n
7Server/
an
jua# cd
r
t
nls -l
no#drwxr-xr-x.
... ol7_latest
Examine Yum cache information.
a. Use the cd command to change to the /var/cache/yum directory.

drwxr-xr-x. ...
-rw-r--r--. ...
c.

ol7_UEKR3
timedhosts

Use the cd command to change to the ol7_latest directory. Use the ls -l


command to display the contents of the directory.

This directory contains the metadata for the http://publicyum.oracle.com/repo/ OracleLinux/OL7/latest/ repository.

The metadata for this repository consists of several compressed XML files that were
downloaded from the Oracle Public Yum site.
The gen directory contains the uncompressed updateinfo.xml.gz file.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 41

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The packages directory contains cached packages when caching is enabled in the
/etc/yum.conf file or if you have used the --downloadonly flag when using
the yum install command.
# cd ol7_latest
# ls -l
-rw-r--r--. ...
-rw-r--r--. ...
-rw-r--r--. ...
drwxr-xr-x. ...
-rw-r--r--. ...
drwxr-xr-x. ...
-rw-r--r--. ...
-rw-r--r--. ...
-rw-r--r--. ...

a
s
a
h
)
o

In your environment, package caching is disabled but the packages


that
c iyou
e

d
u
downloaded are still present because you have not installeddthese packages.
udisabled.
e

G
r
Packages are deleted after they are installed when package
caching
is
t
lita den
i
# ls -l packages
m
tu
ni
S
u
-rw-r--r--. ... compat-libcap1-1.10-7.el7_1.x86_64.rpm
o@ e this
s
...
r
co o us

n
Clean the Yum cache.
t
ua scommand
e
j
(
a. Use the yum clean
packages
to clean the packages in the Yum cache.
n
s
e
a
i
c
li
# yum clean
arpackages
e
l
o
Loaded
rab aliases, changelog, langpacks
orsplugins:
c
e
f
ol7_UEKR3 ol7_latest
nCleaning
ansrepos:
jua...-tpackage
r
files removed
n
o
b.n Use the ls command to list the contents of the packages directory.
d.

4.

cachecookie
comps.xml
filelists.xml.gz
gen
other.xml.gz
packages
primary.xml.gz
repomd.xml
updateinfo.xml.gz

Use the ls l command to list the contents of the packages directory.

c.

The packages are no longer present.


# ls packages
Use the ls -l command to list the contents of the gen directory.

This directory contains the uncompressed data from updateinfo.xml.gz.


# ls -l gen
-rw-r--r--.
-rw-r--r--.
-rw-r--r--.
-rw-r--r--.
-rw-r--r--.
-rw-r--r--.
-rw-r--r--.

...
...
...
...
...
...
...

filelists.xml
filelists.xml.sqlite
other.xml
other.xml.sqlite
primary.xml
primary.xml.sqlite
updateinfo.xml

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 42

d.

Use the yum clean metadata command to clean the metadata in the Yum cache.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The number of files removed might differ in your environment.


# yum clean metadata
Loaded plugins: aliases, changelog, langpacks
Cleaning repos: ol7_UEKR3 ol7_latest
19 metadata files removed
5 sqlite files removed
0 metadata files removed

e.

Use the ls l command to list the contents of the current directory,


/var/cache/yum/x86_64/7Server/ ol7_latest and the gen subdirectory, and
note the effect of the yum clean metadata command.

a
s
a
h
)
o
c ide

u
d Gu

r
t
If you experience problems accessing packages and
information
from the
n
itapackage
l
e
i
d
m
Oracle Public Yum or from the Oracle Unbreakable
Linux
Network
(ULN)
site,
it is
i
u
t
n
S
u
often helpful to issue the yum clean metadatais
command. This forces yum to
o@
download the latest metadata thers
next
time it isth
invoked.
o
se
c
u

# ls -l
uan se to
j
drwxr-xr-x. ... (gen
s packages
en
a
drwxr-xr-x. r...
i
c
i
l
ogena able
# ls -l
s
r
total
co 0 sfer
n
n and start host03.
ahost04
ua down
jShut
r
t
n the systemctl poweroff command to shut down host04.
a.no
Use

5.

The directories are empty.


The metadata files are gone not only in this directory but in each directory
corresponding to an enabled Oracle Public Yum repository.
There are other variations of the yum clean command. Consult the yum man page
for more information about cleaning the Yum cache.
You can also use the yum clean all command to clean all cached information.

b.

Your VNC window closes.


# systemctl poweroff

From a terminal window on dom0, use the cd command to change to the


/OVS/running_pool/host03 directory.
# cd /OVS/running_pool/host03

c.

Run the xm create vm.cfg command to start the host03 VM.


# xm create vm.cfg
Using config file ./vm.cfg.
Started domain host03 (id=...)

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 43

d.

Run the xm list command to list the running VMs.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Only the host01, host02, and host03 VMs are running.


# xm list
Name
Domain-0
host01
host02
host03

ID
0
4
5
15

Mem VCPUs
2048
2
1536
1
1536
1
1536
1

State
r-----b----b----b----

Time(s)
758.9
37.4
37.3
37.3

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 8: Advanced Software Package Management


Chapter 8 - Page 44

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
t 9:
Practices lfor
n
ita Lesson
e
i
Advanced
tud
nim Storage
S
u
Administration
o@ e this
s
r
co Chapter
us 9

n
o
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 1

Practices for Lesson 9: Overview


Practices Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In these practices, you:

Create and mount a file system on /dev/xvdb

Set access control lists (ACLs) on a file system


Set quotas on a directory
Encrypt a file system
Use the kpartx utility

Explore and configure Udev

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 2

Practice 9-1: Creating and Mounting a File System

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
Create a partition on a storage device
Create an ext4 file system on the partition

Mount the file system on /Dev

Update the file system mount table

Assumptions

You are the root user on dom0.

Tasks
1.

2.

Connect to host03 by using vncviewer.


a. If necessary, refer to Practice 3-1: Configuring an OpenLDAP Server for instructions on
connecting with vncviewer.
b. Open a terminal window and become the root user on host03.
Partition a storage device using fdisk.
a. As the root user on host03, use the fdisk command to display the partition table.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
This lists the following three storage devices:
o@
this
/dev/xvda, approximately 12rs
GB
in size
e
s
co10 GBo inusize

/dev/xvdb, approximately
n
t
a
/dev/xvdd, approximately
(ju ns10e GB in size
s
e
riasystem
The operating
isic
installed on the /dev/xvda device.
l
a
le /dev/xvdd devices are unused.
o aband
s
The
/dev/xvdb
r
co l
e|r grep /dev
f
s
n
#
fdisk
an
juaDisk
r
t
/dev/xvda:
12.9 GB, 12884901888 bytes, 25165824 sectors
n
o
n /dev/xvda1 * 2048 1026047
512000
83
Linux
/dev/xvda2
1026048
25165823
12069888
8e
Linux LVM
Disk /dev/xvdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/xvdd: 10.7 GB, 10737418240 bytes, 20971520 sectors
Disk /dev/mapper/ol-root: 11.0 GB, 11022630912 bytes, ...
Disk /dev/mapper/ol-swap: 1287 MB, 1287651328 bytes, ...
b.

Use the fdisk command to partition /dev/xvdb.


# fdisk /dev/xvdb
...
Command (m for help):

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Create a 1 GB primary partition as follows.


Command (m for help): n
Partition type:
p
primary (0 primary, 0 extended, 4 free)
e
extended
Select (default p): ENTER
Using default response p
Partition number (1-4, default 1): ENTER
First sector (2048-20971519, default 2048): ENTER
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-20971519, default
20971519): +1G
Partition of type Linux and of size 1 GiB is set

a
s
a
h
)
o
c ide

u
d Gu
e

r
Calling ioctl() to re-read partition table.
a ent
t
i
l
i
Syncing disks.
im Stud
n
u
d. Use the fdisk command to list the partition
@ tablethonis/dev/xvdb.
o
s
# fdisk l /dev/xvdb
or use
c

n
to
a
u
e
j
( GB,ns10737418240 bytes, 20971520 sectors
Disk /dev/xvdb:s 10.7
a
i
r e lice
...
a
l Start
o Boot
b
s
Device
End
Blocks
Id
System
r
a
r
o
c
e
f
/dev/xvdb1
2048 2099199
1048576
83
Linux
ns
asystem
uan a-tfile
jCreate
r
on /dev/xvdb1.
n
o
n
Use the mkfs command to make an ext4 file system on /dev/xvdb1.
Command (m for help): w
The partition table has been altered!

3.

# mkfs t ext4 /dev/xvdb1


mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
...
Writing superblocks and filesystem accounting information: done

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 4

4.

Mount the file system.


a. Use the mkdir command to create a mount point.
# mkdir /Dev

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Use the mount command to mount /dev/xvdb1 on /Dev with ACL support.

Include the -o acl mount option for ACL support.


# mount t ext4 o acl /dev/xvdb1 /Dev

c.

Use the df command to display the mounted file systems.


# df h
Filesystem
...
/dev/xvdb1

Size

Used

Avail

Use%

976M

2.6M

907M

1%

Mounted on
/Dev

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 5

Practice 9-2: Implementing Access Control Lists


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you set ACLs on a directory.

Assumptions

Ensure that you are using vncviewer to connect to host03 and not using ssh.

You are the root user on host03 VM.

You switch between the root user and the oracle user for this practice.

Tasks
1.

Open a tab in the current window.


From the terminal window menu bar, select File > Open Tab, or press Shift + Ctrl + T.
Your window looks like the following screenshot.
You are the root user in one tab and you are the oracle user in the other.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

2.

As the oracle user, use the touch command to create the test file in the /Dev
directory.

Note that you do not have permission to create files in the /Dev directory.
[oracle@host03]$ touch /Dev/test
touch: cannot touch Dev/test: Permission denied

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 6

3.

As the root user, use the getfacl command to display the /Dev directorys ACL.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Click the root@host03 tab to enter commands as the root user.


[root@host03]# getfacl /Dev
getfacl: Removing leading / from absolute path names
# file: Dev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

4.

As the root user, use the setfacl command to add a rule to the ACL giving the oracle
user read, write, and execute permissions to the /Dev directory.
[root@host03]# setfacl m u:oracle:rwx /Dev

5.

6.

s
a
h
Note the new user:oracle:rwx line in the output of the getfacl command.
o) e
c

[root@host03]# getfacl /Dev


du Guid
e

r
getfacl: Removing leading / from absolute
t
ta pathennames
i
l
i
# file: Dev
im Stud
n
u
# owner: root
o@ e this
s
# group: root
r
co o us

user::rwx
n
t
a
e
user:oracle:rwx (ju
s
s icen
group::r-x ria
a le l
o
mask::rwx
ors ferab
c
other::r-x
n ans
uathe
jAs
root
tr user, use the ls ld command to display the permissions for the /Dev
n
directory.
no
As the root user, use the getfacl command to display the /Dev directorys ACL.

Note the plus sign (+), indicating that the directory has an ACL.
[root@host03]# ls -ld /Dev
drwxrwxr-x+ ... /Dev

7.

As the oracle user, use the touch command to create the test file in the /Dev
directory.
Click the oracle@host03 tab to enter commands as the oracle user.

Note that the command succeeded this time.


[oracle@host03]$ touch /Dev/test

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 7

8.

As the oracle user, use the ls command to display a long listing of the /Dev directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that the test file is owned by the oracle user.


[oracle@host03]$ ls -l /Dev
drwx------. 2 root
root ...
lost+found
-rw-rw-r--. 1 oracle oracle ... test

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 8

Practice 9-3: Setting Disk Quotas


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you set quotas on a directory for the oracle user. You also remove the quotas
and the ACL on the directory.

Assumptions
You switch between the root user and the oracle user for this practice.

Tasks
1.

As the root user, configure disk quotas.


a.

Click the root@host03 tab to enter commands as the root user.

b.

Use the umount command to unmount the file system on /Dev.


[root@host03]# umount /Dev

a
s
a
h
)
o

cenable iACL
e

These options enable disk quotas for users and groups and also
d
u
d Gu
e

support.
r
ita dent /dev/xvdb1
l
i
[root@host03]# mount t ext4 o acl,usrquota,grpquota
nim Stu
/Dev
u
o@diskeusage
d. Use the quotacheck command to create
thistables for /Dev.
s
r
s
cocugo u/Dev

[root@host03]# quotacheck
n
t
a
e. Use the ls command (
toju
display the
sefiles created in /Dev.
n
s
e
ria lse llic/Dev
[root@host03]#
a
l root ... aquota.group
o root
b
s
-rw-------.
r
a
co sferroot root ... aquota.user
-rw-------.
n
jua...-tran
n
f. no
Use the quotaon command to enable quotas on /Dev.
c.

Use the mount command with the o acl,usrquota,grpquota options to remount


/dev/xvdb1 on /Dev.

[root@host03]# quotaon /Dev


g.

Use the repquota command to report disk usage on /Dev.


[root@host03]# repquota /Dev
*** Report for user quotas on device /dev/xvdb1
Block grace time: 7days; Inode grace time: 7days
Block limits
File limits
User
used soft
hard grace used soft hard grace
------------------------------------------------------------root
-20
0
0
2
0
0
oracle -0
0
0
1
0
0

h.

Use the edquota command to limit the oracle user.

This command invokes the vi editor.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Change the block quota to set a hard limit of 2048 blocks (2 MB) for the oracle
user.
[root@host03]# edquota oracle
Disk quotas for user oracle (uid 500):
Filesystem blocks soft hard inodes soft hard
/dev/xvdb1
0
0
0
1
0
0 (old entry)
/dev/xvdb1
0
0 2048
1
0
0 (new entry)
Alternatively, you could use the setquota oracle 0 2048 0 0 /Dev
command.
i. Use the repquota command to report disk usage on /Dev.

Note that the hard limit for the oracle user is now 2048.
[root@host03]# repquota /Dev
*** Report for user quotas on device /dev/xvdb1
Block grace time: 7days; Inode grace time: 7days
Block limits
File limits
User
used soft
hard grace used soft hard grace
------------------------------------------------------------root
-20
0
0
2
0
0
oracle -0
0
2048
1
0
0

2.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
As the oracle user, verify the disk quota setting.
o@ e this
s
r
a. Click the oracle@host03 tab
as the oracle user.
ctooentero commands
us

n
t
a
b. Use the dd if=/dev/zero
bs=1M count=4096 command to
(ju onof=bigfile
se
n
attempt to create a
as
4 MB file e
/Dev.
ri quotaeexceeded
ic
l
a
Note the
Disk
error message.
l
o ab
s
r
[oracle@host03]$
co sfer cd /Dev
n
[oracle@host03]$
dd if=/dev/zero of=bigfile bs=1M count=4096
n
a
juaxvdb1:
r
t
n- write failed, user block limit reached.
nodd:
writing bigfile: Disk quota exceeded
3+0 records in
1+0 records out
2097152 bytes (2.1 MB) copied, ...
c.

Use the ls command to display a long listing of the /Dev directory.

Note that the bigfile is not 4 MB, but was truncated after quota limits were
reached.
[oracle@host03]$ ls l /Dev
...
-rw-rw-r--. 1 oracle oracle 2097152 ... bigfile
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 10

d.

Use the quota command to display quota information.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[oracle@host03]$ quota
Disk quotas for user oracle (uid 500):
Filesystem blocks quota limit grace files quota limit grace
/dev/xvdb1
2048*
0 2048
2
0
0
e.

Use the rm command to delete the bigfile file in the /Dev directory.
[oracle@host03]$ rm bigfile

f.

Use the quota command to display quota information.

a
s
a
h
)
o
[oracle@host03]$ rm test
c ide

u
d Gu
h. Use the cd command to change to the oracle users home directory.
e

r
ita dent
l
[oracle@host03]$ cd
i
u
tpractice.
nforim
As the root user, reset the /dev/xvdb1 partition
the next
S
u
o@ e thasisthe root user.
a. Click the root@host03 tab to enter
commands
s
r
o
us command to reset the disk quota for the
b. Use the setquota oraclen0c0 0 0o/Dev
t
a
oracle user.
(ju nse
s
[root@host03]#
ce oracle 0 0 0 0 /Dev
ria setquota
i
l
a
le to remove the ACL from the /Dev directory.
o acommand
c. Use thers
setfacl
b
co sfer setfacl b /Dev
[root@host03]#
n
n
agetfacl
jd.uaUse-tthe
r
command to display the /Dev directorys ACL.
nonNote that the user:oracle:rwx line in the output has been removed.
g.

3.

Note the difference in the number of blocks and number of files from step 13.
[oracle@host03]$ quota
Disk quotas for user oracle (uid 500):
Filesystem blocks quota limit grace files quota limit grace
/dev/xvdb1
0
0 2048
1
0
0
Use the rm command to delete the test file in the /Dev directory.

[root@host03]# getfacl /Dev


getfacl: Removing leading / from absolute path names
# file: Dev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
e.

Use the ls ld command to display the permissions for the /Dev directory.

Note that there is no plus sign (+), indicating that the directory has no ACL.
[root@host03]# ls -ld /Dev
drwxr-xr-x ... /Dev

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 11

f.

Use the umount command to unmount /Dev.


# umount /Dev

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

g.

Click the X on the oracle@host03 tab to close the tab.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 12

Practice 9-4: Encrypting a File System

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you create an encrypted file system, create a file system on the encrypted
volume, reboot your system and provide the passphrase to mount the encrypted file system,
and remove the encrypted file system.

Assumptions
You are the root user on host03 VM.

Tasks
1.

Set up a cryptographic volume.


a. Use the cryptsetup command with luksFormat to initialize the /dev/xvdb1
volume and set an initial key of Cvt69*@P3.

The Cvt69*@P3 entries are not displayed for security reasons.

The initial key needs to be a random sequence of characters to be accepted.

a
s
a
h
)
# cryptsetup luksFormat /dev/xvdb1
o
c ide

u
d Gu
e

r
WARNING!
ita dent
l
i
========
im Stu
n
u
This will overwrite data on /dev/xvdb1
s
@ thiirrevocably.
o
s
r
e
co oyes):
us YES

Are you sure? (Type uppercase


n
t
a
(ju nCvt69*@P3
Enter LUKS passphrase:
se
s
e
ria e lCvt69*@P3
Verify passphrase:
ic
a
l
o ab command with luksOpen to open the partition and create the
scryptsetup
r
b. Use the
o
c mapping
erof cryptfs.
f
device
s
n
an
jua# cryptsetup
r
t
luksOpen /dev/xvdb1 cryptfs
n
o
n Enter passphrase for /dev/xvdb1: Cvt69*@P3
c.

Use the cryptsetup command to check the status of the encrypted volume.
# cryptsetup status cryptfs
/dev/mapper/cryptfs is active.
type: LUKS1
cipher: aes-xts-plain64
keysize: 256 bits
device: /dev/xvdb1
offset: 4096 sectors
size:
2093056 sectors
mode:
read/write

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 13

d.

Use the blkid command to view the attributes of the /dev/xvdb1 block device.
# blkid /dev/xvdb1
/dev/xvdb1: UUID=... TYPE=crypto_LUKS

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

e.

Use the ls l command to list the /dev entry for the cryptfs encrypted volume.
# ls l /dev/mapper
...
crw-------. ... control
lrwxrwxrwx. ... cryptfs -> ../dm-2
lrwxrwxrwx. ... ol-root -> ../dm-0
lrwxrwxrwx. ... ol-swap -> ../dm-1

2.

Create a file system on the encrypted volume.


a. Use the mkfs.ext4 command to create an ext4 file system.
# mkfs.ext4 /dev/mapper/cryptfs
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
...
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co a mount
uspoint named /cryptfs.

b. Use the mkdir command to n


create
o
t
a
(ju nse
# mkdir /cryptfs
s
ia litocemount the file system.
rcommand
c. Use the mount
a
le
o/dev/mapper/cryptfs
b
s
r
a
# mount
/cryptfs
co sfer
n
n mounted file systems.
athe
jd.uaDisplay
r
t
ndf h
no#Filesystem
Size Used Avail Use% Mounted on
...
/dev/mapper/cryptfs
990M 2.6M
e.

921M

1%

/cryptfs

Use the vi editor to create /etc/crypttab and to add the following entry.
# vi /etc/crypttab
cryptfs /dev/xvdb1 none luks

3.

Reboot your system and enter the passphrase to mount the encrypted file system.
a. Use the systemctl reboot command to reboot your system.

After you reboot your system, your VNC session closes.


# systemctl reboot

b.

From dom0, connect to host03 guest by using vncviewer.


# vncviewer&
The VNC Viewer: Connection Details window appears.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 14

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Enter the command, localhost:<port_number>, substituting the correct port


number for the host03 guests. For example, if the port number is 5904, enter the
following and click Connect.
localhost:5904

d.

Provide the passphrase, Cvt69*@P3, when prompted for the encrypted file system
passphrase during reboot.
The boot process continues after providing the correct passphrase.
Please enter passphrase for disk cryptfs!: Cvt69*@P3

4.

Remove the encrypted file system.


a. Log in as Oracle Student with password oracle.
b. Open a terminal window.
c. Become the root user. The password is oracle.
$ su
Password: oracle
# whoami
root

s
a
h
o) e
c

du Guid
e

d. Using the vi editor, remove the following entry from /etc/crypttab.


r
ita dent
l
i
# vi /etc/crypttab
nim Stu
u
cryptfs /dev/xvdb2 none luks
is
o@ e ttohremove
s
e. Use the cryptsetup command with
luksOpen
the device mapping.
r
o
s
c
u

# cryptsetup luksClose
n /dev/mapper/cryptfs
to
a
u
e
j
( devicenmapping
s
f. Verify that the cryptfs
has been removed.
s
e
a
i
c
r
i
l
a le
# ls /dev/mapper
o
s
r
control
rab ol-swap
o ol-root
c
e
f
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 15

Practice 9-5: Using kpartx


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you use the kpartx utility to create device maps from partitions tables.

Assumptions

This practice is performed on dom0 and on host03 VM.

You are logged in as the root user on dom0 and host03.

Tasks
1.

Review the host03 virtual disk configuration.


a. From dom0, use the cd command to change to the /OVS/running_pool/host03
directory on dom0.
[dom0]# cd /OVS/running_pool/host03

s
a
h
[dom0]# ls l
o) e
c

-rw-r--r-- 12884901888 system.img


du Guid
e

r
-rw-r--r-- 10737418240 u01.img
ta ent
i
l
i
-rw-r--r-- 10737418240 u02.img
im Stud
n
u
-rw-r--r-737 vm.cfg
this
so@file.
r
c. Use the cat command to view theovm.cfg
e
s
c tobyu/dev/xvda.
n
The system.img file isarepresented
(ju nseby /dev/xvdb.
The u01.img a
file
is represented
s
e
i
c
r
i
l
a
The u02.img
o afilebislerepresented by /dev/xvdd.
s
r
[dom0]#
co cat
ervm.cfg
f
s
n
=
anhost03
juaname
r
t
builder
= hvm
n
nomemory
= 1536
b.

Use the ls -l command to list the contents of the directory.

boot = cd
disk = [ file:/OVS/running_pool/host03/system.img,xvda,w,
file:/OVS/running_pool/host03/u01.img,xvdb,w,
file:/OVS/running_pool/host03/u02.img,xvdd,w,
...
2.

Review the partition information on the system.img file.


a.

From dom0, use the kpartx l command to list the partitions on the system.img
disk image file.

The output shows that the system.img disk image file contains two partitions.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 16

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Sample output is shown.


[dom0]# kpartx l system.img
loop8p1 : 0 1024000 /dev/loop8 2048
loop8p2 : 0 24139776 /dev/loop8 1026048
From host03 VM, use the fdisk command to list the partition table for /dev/xvda.

Note that /dev/xvda has two partitions.

This confirms that the system.img file is mapped to /dev/xvda.


[host03]# fdisk l | grep /dev/xvda
Disk /dev/xvda: 12.9 GB, 12884901888 bytes, 25165824 sectors
/dev/xvda1
*
2048
1026047
512000
83
Linux
/dev/xvda2
1026048
25165823
12069888
8e
Linux LVM

3.

Review the partition information on the u01.img file.


a.

4.

From dom0, use the kpartx l command to list the partitions on the u01.img disk
image file.
The output shows one partition.
Sample output is shown.
[dom0]# kpartx l u01.img
loop8p1 : 0 2097152 /dev/loop8 2048

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
b. From host03 VM, use the fdisk command
o@toelistththeispartition table for /dev/xvdb.
s
r
The output shows one partition.
co o us

n
This confirms that theu
u01.img
filetis mapped to /dev/xvdb.
a
e
j
(
s
s l |icgrep
[host03]# fdisk
en /dev/xvdb
a
i
r
l
Disk /dev/xvdb:
e GB, 10737418240 bytes, 20971520 sectors
o a abl10.7
s
r
/dev/xvdb1
2048 2099199
1048576
83
Linux
co sfer
n
n information on the u02.img file.
apartition
ua -the
jReview
r
t
n dom0, use the kpartx l command to list the partitions on the u02.img disk
a. o
n From
image file.

b.

The output shows no partitions.


Sample output is shown.
[dom0]# kpartx l u02.img
From host03 VM, use the fdisk command to list the partition table on /dev/xvdd.

The output shows no partitions on /dev/xvdd.

This confirms that the u02.img file is mapped to /dev/xvdd.


[host03]# fdisk l | grep /dev/xvdd
Disk /dev/xvdd: 10.7 GB, 10737418240 bytes, 20971520 sectors

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 17

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

5.

Create and mount a file system on /dev/xvdb1.


a. From host03, use the mkfs command to make an ext3 file system on /dev/xvdb1.
[host03]# mkfs t ext3 /dev/xvdb1
mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
...
Writing superblocks and filesystem accounting information: done
b.

Use the mount command to mount /dev/xvdb1 on /Dev.


[host03]# mount /dev/xvdb1 /Dev

c.

Use the df command to display the mounted file systems.


[host03]# df h
Filesystem
Size
...
/dev/xvdb1
1008M

6.

Used

Avail

Use%

Mounted on

a
s
a
h
)
34M
924M
4% /Dev
o
c ide

u
d. Use the cp command to copy the init* files from /boot to /Dev.
d Gu
e

r
You view these files later in this practice to confirmlithe
oft the kpartx
tasuccess
n
e
i
command.
nim Stud
u
[host03]# cp /boot/init* /Dev @
o e this
s
r
[host03]# ls /Dev
co o us

n
initramfs-0-rescue-...img
initrd-plymouth.img
t
a
u
e
j
(
initramfs-3.10.0-229.el7.x86_64.img
lost+found
ns
s
e
a
i
c
initramfs-3.8.13-55.1.6.el7uek.x86_64.img
ar le li
o
The remaining
rab in this practice are entered from dom0.
ors commands
c
e
f
s from the partition table on u01.img.
n device
Create
anmaps
ja.uaFrom-trdom0,
use the ls command to list the /dev/mapper directory.
nonBefore adding the device files, a listing of /dev/mapper shows only the control
file.
[dom0]# ls /dev/mapper
control

b.

Use the kpartx l command to list the partitions on the u01.img disk image file.

Recall that u01.img maps to /dev/xvdb.

Sample output is shown.


This confirms that there is one partition on /dev/xvdb.
[dom0]# kpartx l u01.img
loop9p1 : 0 2097152 /dev/loop9 2048

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 18

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Use the kpartx a command to add the device mappings for the detected partitions.

To save time in this practice, you do not need to shut down the host03 VM before
using the kpartx a command.

It would be best practice to shut down host03 before creating device mappings and
before mounting the devices on dom0.
[dom0]# kpartx a u01.img

d.

Use the ls command to list the /dev/mapper directory.

Sample output is shown.


Note that a file was created for the partition on /dev/xvdb.
[dom0]# ls /dev/mapper
control
loop9p1

7.

Mount the device created by the kpartx command.


a.

From dom0, use the mkdir command to create a mount point, /mnt/map1.

a
s
a
h
)
b. Use the mount command to mount /dev/mapper/loop9p1 on /mnt/map1.
o
c ide

u
d Gu
Substitute the device name from step 6d.
e

r
[dom0]# mount /dev/mapper/loop9p1 /mnt/map1
ita dent
l
i
c. Use the ls command to view the files on /mnt/map1.
nim Stu
u
Note that these are the same filess
that
you copied
o@
thisto /Dev in step 5d.
r
e
[dom0]# ls /mnt/map1 co
us
n
o
t
a
initramfs-0-rescue-...img
initrd-plymouth.img
(ju nse
s
initramfs-3.10.0-229.el7.x86_64.img
lost+found
ria e lice
a
initramfs-3.8.13-55.1.6.el7uek.x86_64.img
o abl
s
r
o kpartx
erdevice mapping on dom0.
Removecthe
f
s
n
an use the umount command to unmount /mnt/map1.
ja.uaFrom-trdom0,
n
umount /mnt/map1
no[dom0]#
[dom0]# mkdir /mnt/map1

8.

b.

Use the rmdir command to delete /mnt/map1.


[dom0]# rmdir /mnt/map1

c.

Use the kpartx d command to disconnect the device.


[dom0]# # kpartx d u01.img
loop deleted : /dev/loop9

d.

Use the ls command to list the contents of /dev/mapper.

Note that the device mapping no longer exists in /dev/mapper.


[domo]# ls /dev/mapper
control

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 19

Practice 9-6: Exploring and Configuring Udev

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
Explore Udev files and directories
Query the Udev database
Create a Udev rule to create a symbolic link to a device

Assumptions
You are the root user on the host03 VM.

Tasks
1.

Explore Udev.

Udev is now part of systemd.

a.

Use the rpm -ql command to view the udev files included with the systemd RPM
package.
# rpm ql systemd | grep udev
/etc/udev
/etc/udev/hwdb.bin
/etc/udev/rules.d
/etc/udev/udev.conf
/usr/bin/udevadm
...

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
n Udev rules files in the /lib/udev/rules.d
s to view
eexisting
a
i
b. Use the ls command
c
r
i
l
and /etc/udev/rules.d
o a able directories.
s
r
co/lib/udev/rules.d
er
# ls
f
s
n
75-probe_mtd.rules
an
jua100-balloon.rules
r
t
n
75-tty-description.rules
no10-dm.rules
11-dm-lvm.rules
77-mm-ericsson-mbm.rules
...
# ls /etc/udev/rules.d
70-persistent-ipoib.rules
c.

Use the less command to view the /lib/udev/rules.d/50-udevdefault.rules file.

Page through the file. Press q to return to the command prompt.

Note the operators:

==: Compare for equality

=: Assign a value to a key

+=: Add the value to the current values for the key

# less /lib/udev/rules.d/50-udev-default.rules
# do not edit this file, it will be overwritten on update
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 20

SUBSYSTEM==virtio-ports, KERNEL==vport, ATTR{name}==?*,...

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# select system RTC or just use the first one


SUBSYSTEM==rtc, ATTR{hctosys}==1, SYMLINK+=rtc
SUBSYSTEM==rtc, KERNEL==rtc0, SYMLINK+=rtc, OPTIONS+=...
SUBSYSTEM==usb, ENV{DEVTYPE}==usb_device, IMPORT{builtin}...
SUBSYSTEM==input, ENV{ID_INPUT}==, IMPORT{builtin}=input...
...
2.

Query the Udev database.


Sample output is shown.
a. Use the udevadm command to query the Udev database for all device information for
/dev/xvdd.
# udevadm info --query=all --name=/dev/xvdd
P: /devices/vbd-5696/block/xvdd
N: xvdd
E: DEVNAME=/dev/xvdd
E: DEVPATH=/devices/vbd-5696/block/xvdd
E: DEVTYPE=disk
E: MAJOR=202
E: MINOR=48
E: MPATH_SBIN_PATH=/sbin
E: SUBSYSTEM=block
E: TAGS=:systemd:
E: USEC_INITIALIZED=12403

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s command to query the Udev database for the device path of
n theaudevadm
n
jb.uaUse
r
/dev/xvdd.
-t
n
o
n # udevadm info --query=path --name=/dev/xvdd

/devices/vbd-5696/block/xvdd
c.

Use the udevadm command to print all sysfs properties of /dev/xvdd.


# udevadm info --attribute-walk --name=/dev/xvdd
Udevadm info starts with the device specified by the devpath and
then walks up the chain of parent devices. It prints for every
device found, all possible attributes in the udev rules key
format. A rule to match, can be composed by the attributes of
the device and the attributes from one single parent device.
looking at device /devices/vbd-5696/block/xvdd:
KERNEL==xvdd
SUBSYSTEM==block
DRIVER==
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 21

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

ATTR{ro}==0
...
looking at parent device /devices/vbd-5696:
KERNELS==vbd-5696
SUBSYSTEMS==xen
DRIVERS==vbd
ATTR{devtype}==vbd
ATTR{nodename}==device/vbd/5696
3.

Create a symbolic link to a device node.


a. Use the vi editor to create the /etc/udev/rules.d/10-local.rules file as
follows:
Use the KERNEL and SUBSYSTEM values from the previous udevadm info -attribute-walk command.

a
s
a
# vi /etc/udev/rules.d/10-local.rules
h
)
o
KERNEL==xvdd, SUBSYSTEM==block, SYMLINK=my_disk
c ide

u
dto trigger
urules.
e
b. Run the udevadm trigger command to manually force Udev

G
r
t
lita den
i
# udevadm trigger
m
i
tu
ndevices.
S
u
c. Use the ls -l command to list the /dev/my*
o@
this
s
Note that /dev/my_disk is a symlink
to /dev/xvdd.
r
e
co o us

# ls l /dev/my*
n
t
(jua nse -> xvdd
lrwxrwxrwx. ...s /dev/my_disk
ce to query the Udev database for the symlinks for
riainfo
i
l
d. Use the udevadm
command
a
o able
s
/dev/xvdd.
r
co sfinfo
er --query=symlink --name=/dev/xvdd
n
#
udevadm
an
juamy_disk
r
t
non the /dev/my_disk symlink.
Remove

4.

a.

The SYMLINK directive names the new symlink for the device.

Use the rm command to remove the /etc/udev/rules.d/10-local.rules file.


# rm /etc/udev/rules.d/10-local.rules
rm: remove regular file /etc/udev/rules.d/10-local.rules? y

b.

Run the udevadm trigger command to manually force Udev to trigger rules.
# udevadm trigger

c.

Use the ls command to list the /dev/my* devices.

Note that /dev/my_disk no longer exists.


# ls /dev/my*
ls: cannot access /dev/my*: No such file or directory

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 22

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

5.

Log off host03.


a. Click the Oracle Student in the top-right corner of the GNOME desktop to display the
drop-down menu.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s from the menu.
n anOut
jb.uaClick-tLog
r
nonThe following window appears.

c.
d.

Click Log Out.


Close the VNC window by clicking the X in the top-right corner of the window.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 23

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 9: Advanced Storage Administration


Chapter 9 - Page 24

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
t 10:
Practices lfor
n
ita Lesson
e
i
Advanced
tud
nim Networking
S
u
o@ e10 this
Chapter
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 1

Practices for Lesson 10: Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Practices Overview
In these practices, you do the following:
Configure network bonding by using the GUI and the command line
Explore network bonding interface configuration
Configure 802.1q VLAN tagging interfaces
Explore 802.1q VLAN tagging interface configuration
Configure a site-to-site VPN

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 2

Practice 10-1: Configuring Network Bonding by Using the GUI


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you:


View the network configuration on dom0

Log in to host02 by using vncviewer

View the network configuration on host02


Configure network bonding on host02 by using the Network Settings GUI

Assumptions

You are the root user on dom0.

Tasks
1.

View the network configuration on dom0.


Use the ifconfig command to view the network configuration.

a
s
a
h
The IP address of bond0 is different on your system.
)
o
c ide

Note that the virbr2 bridge is on the 192.168.2 subnet.


u
d Gu
e

r
The bonded interfaces you create in this practice are also
on
the
subnet.
nt
ita de192.168.2
l
i
[dom0]# ifconfig
im Stu
n
u
...
@ this
o...
s
bond0
Link encap:Ethernet
r
e
o
s...
c
u

inet addr:10.150.30.83
n
to
a
...
u
e
j
(
ns ...
s
eth0
Link
encap:Ethernet
e
a
i
c
ar le li
...
o
lo ors Link
abencap:Local Loopback ...
r
c
e
f
s inet addr:127.0.0.1 ...
n
jua...-tran
n
Link encap:Ethernet ...
novif...
...
virbr0
...
virbr1
...
virbr2
...
virbr3

Link encap:Ethernet ...


inet addr:192.0.2.1 ...
Link encap:Ethernet ...
inet addr:192.168.1.1 ...
Link encap:Ethernet ...
inet addr:192.168.2.1 ...
Link encap:Ethernet ...
inet addr:192.168.3.1 ...

...
2. Log in to host02 by using vncviewer.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

a.

From dom0, determine the VNC port number for host02 by running the xm list l
host02 | grep location command.

[dom0]# xm list l host02 | grep location


(location 0.0.0.0:5903)
(location 3)
The sample shown indicates that the port number is 5903. This might not be true in
your case.
b. From dom0, run the vncviewer& command.
[dom0]# vncviewer&
The VNC Viewer: Connection Details dialog box appears.
c. Enter localhost:<port_number>, substituting the port number displayed from the
previous xm list l host02 | grep location command.

For example, if the port number is 5903, enter localhost:5903 and click
Connect.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 4

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The GNOME login screen appears.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
is
th
so@
r
d. Click Oracle Student in the list ofousers.
You
are
prompted
for the password.
e
s
c
u

n and click
e. Enter oracle for the Password
to Sign In.
a
u
e
j
( appears.
The GNOME desktop
ns
s
e
a
i
c
r etoldisplay
i
f. Right-click theadesktop
the pop-up menu.
l
o
b
s
r
co sfera
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 5

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

3.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
im Stu
n
u
g. From the pop-up menu, click Open in Terminal.
o@ e this
A terminal window appears. ors
us to become the root user.
csu - command
n
h. In the terminal window, useathe
o
t
(jisuoracle.
se
The root password
n
s
e
ria e lic
a
$ su
l
o oracle
b
s
r
a
Password:
co sfer
n
#
ua -tran
jView
the
n network interfaces on host02.
o
n
a. Use the ip addr command to view the network interfaces.

Note that the eth2 and eth3 interfaces do not have IP addresses.
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue ...
link/loopback 00:00:00:00:00:00:00: brd 00:00:00:00:00:00
inet addr:127.0.0.1/8 scope host lo
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.102/24 brd 192.0.2.255 scope global eth0
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.102/24 brd 192.168.1.255 scope global eth1
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 6

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:04:02 brd ff:ff:ff:ff:ff:ff
b.

Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that the eth0, eth1, eth2 and eth3 Ethernet network interfaces have
configuration files
# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
ifcfg-eth2 ...
ifcfg-eth3 ...
...

4.

a
s
a
h
c. Use the nmcli con command to view the network connections.
)
o

c configuration
e

Note that the connections correspond to the existing network interface


d
u
i
d Gu
e
files in the /etc/sysconfig/network-scripts directory.

r
nt a device.
ita dewith
Note that the eth2 and eth3 connections are notilassociated
nim Stu
# nmcli con
u
is
o@ e thDEVICE
NAME
UUID
TYPE
s
r
co o us eth1
eth1
...
802-3-ethernet

n
t
eth2
... (jua
802-3-ethernet
-e
s
n
s
e
eth3
-ia lic802-3-ethernet
r...
a
eth0
le 802-3-ethernet eth0
o ...
b
s
r
a
o fSettings
er Editor to configure network bonding.
Use thecNetwork
s
n
annetwork icon from the GNOME desktop notification area.
ja.uaClick-tthe
r
drop-down menu includes four Ethernet interfaces and the Network Settings
nonThe
option.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 7

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that eth2 and eth3 are OFF.

s
a
h
o) e
c
b. Click the Network Settings option from the drop-down menu.

du Guid
e
The Network Settings Editor appears.

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 8

c.

Click the + button to add a new connection type.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The Add Network Connection window appears.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
d. Click Bond to add a bonded interface.
s
r
co o us
The following window appears.

n
t connection 1.
uaname siseBond
The default Connection
j
(
s name
eisnbond0.
a
The default interface
i
c
r
i
l
o a able
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 9

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 10

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

e.

Click the Add button to add the slave interfaces to the bond.
The following window appears.

a
s
a
h
)
o
c ide

u
dthe following
u window.
e

G
f. Accept the default Ethernet selection. Click Create to display
r
t
lita den
i
m
tu
ni
S
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 11

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

g.

Click the down arrow on the Device MAC address prompt to display the available
Ethernet devices.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
h. Select the eth3
device
l the drop-down list.
a lefrom
o
Click
rabbutton.
orsthe Save
c
e
f
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 12

i.

Repeat steps 5e (click Add), 5f (click Create), and 5g (click the down arrow) and
add the eth2 slave interface. Click Save and the following window appears.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that two Bonded connections have been added.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 13

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

j.

Click the down arrow on the Mode prompt to display the available modes.
The list of modes appears.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
k.

Select the Active backup option from the drop-down list.


The following window appears.
Note that a Primary prompt appears when Active backup is the selected Mode.

You can designate an interface as Primary to make it the active slave when it is
available.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 14

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Do not specify a Primary interface for this exercise.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
l.

Click the IPv4 Settings tab to assign an IPv4 address to the bonded interface.
The following window appears.
Change the Method to Manual.
Click Add to add the following Address information:

Address: 192.168.2.12

Netmask: 24

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 15

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Gateway: <empty>

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
m. Click Save to complete configuring network bonding.
You need to click in the Gateway field before Save becomes selectable.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 16

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The Bond (bond0) interface now appears in the Network Settings window.

s
a
h
o) e
c

du Guid
e

r
n. Select the Bond (bond0) option to display the followingta
window. t
n
i
l
e
i
d
Note that the Hardware Address, IP Address, iand
Bond slaves
m
tu are shown.
n
S
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

5.

o. Click the X in the top-right corner to close the window.


View the network interfaces on host02.
a. Use the ip addr command to view the network interfaces.

Note that the new bond0 interface is listed and includes MASTER and state
UNKNOWN.

Note that eth2 and eth3 now include SLAVE and master bond0.

Note that eth2, eth3, and bond0 all have the same MAC address.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 17

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# ip addr
...
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UNKNOWN
link/ether 00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.12/24 brd 192.168.2.255 scope global bond0
...
b.

Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

a
s
a
h
)
o

c idifcfge

Note that there are network configuration files for the two slave
interfaces,
u
d Gu
e

bond0_slave_1 and ifcfg-bond0_slave_2.


r
ita dent
# ls /etc/sysconfig/network-scripts mil
tu
ni
S
u
ifcfg-bond0_slave_1 ...
@ this
ifcfg-bond0_slave_2 ... rso
o... use
c
ifcfg-Bond_connection_1

an e to
ifcfg-eth0 ... (ju
s icens
a
ifcfg-eth1 r...
i
a le l
...
o
rab to view the contents of the ifcfg-Bond_connection_1 file.
ors fcommand
e
c. n
Usecthe cat
s
n
a
jua Note
r
that
the BONDING_OPTS setting has mode=active-backup.
t
n
no Note that the BONDING_OPTS setting also sets the Link Monitoring method to MII

Note that there is a network configuration file for the bonded interface, ifcfgBond_connection_1.

by default.
The Link monitoring frequency is 1 millisecond, and Link up delay and Link down
delay are set to 0 by default.
# cat /etc/sysconfig/network-scripts/ifcfg-Bond_connection_1
DEVICE=bond0
BONDING_OPTS=miimon=1 updelay=0 downdelay=0 mode=active-backup
TYPE=Bond
BONDING_MASTER=yes
BOOTPROTO=none
IPADDR=192.168.2.12
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 18

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_PRIVACY=no
NAME=Bond connection 1
UUID=...
ONBOOT=yes
d.

Use the cat command to view the contents of the ifcfg-bond0_slave_1 file.

Note that MASTER is set to the UUID value in the ifcfg-Bond_connection_1


file.
# cat /etc/sysconfig/network-scripts/ifcfg-bond0_slave_1
HWADDR=00:16:3E:00:04:02
TYPE=Ethernet
NAME=bond0 slave 1
UUID=...
ONBOOT=yes
MASTER=...
SLAVE=yes

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
e. Use the cat command to viewthe
cocontents
usof the ifcfg-bond0_slave_2 file.
n
o
t
a
Note that MASTERju
is set to theeUUID value in the ifcfg-Bond_connection_1
(
ns
s
file.
e
a
i
c
ar le li
# cat /etc/sysconfig/network-scripts/ifcfg-bond0_slave_2
o
ors ferab
HWADDR=00:16:3E:00:03:02
c
n ans
juaTYPE=Ethernet
tr
NAME=bond0
slave 2
n
noUUID=...
ONBOOT=yes
MASTER=...
SLAVE=yes
f.

Use the nmcli con command to view the network connections.

Note that the bond and slave connections are now shown.
# nmcli con
NAME
eth1
eth2
eth3
Bond connection 1
bond0 slave 2
bond0 slave 1

UUID
...
...
...
...
...
...

TYPE
802-3-ethernet
802-3-ethernet
802-3-ethernet
bond
802-3-ethernet
802-3-ethernet

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 19

DEVICE
eth1
--bond0
eth2
eth3

eth0
g.

...

802-3-ethernet

eth0

Use the nmcli utility to bring up the Bond connection 1 connection.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

# nmcli con up Bond connection 1


Connection successfully activated (D-BUS active path:...)
h.

Use the ip addr command to view the network interfaces.

Note that the bond0 interface is now UP.

# ip addr
...
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UP
...
Do not log off host02. You use it again in subsequent practices.
i. If necessary, open a new terminal window on dom0.

s
a
h
The root password is oracle.
o) e
c

$ su
du Guid
e

r
Password: oracle
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Use the su - command to become the root user in this new terminal window.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 20

Practice 10-2: Configuring Network Bonding from the Command Line


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you:

Log in to host01 by using ssh

View the network configuration on host01


Configure network bonding on host01 by using the command line

Assumptions

You are the root user on dom0.

Tasks
1.

From dom0, use the ssh command to connect to host01.

The root password is oracle.

a
s
a
h
)
o
c ide

u
d Gu
e

r
View the network interfaces on host01.
ita dent
l
i
m tu
a. Use the ip addr command to view the network
niinterfaces.
S Yours might be different
u
s
i
The IP address for eth1 was obtained
by usinghDHCP.
@
o
rs se t
than the example shown.
o
c
udo not have IP addresses.
interfaces
n
o
Note that the eth2 anda
eth3
t
(ju nse
# ip addr
s
ria e lice
a
1: lo: <LOOPBACK,UP,LOWER_UP>
mtu 65536 qdisc noqueue ...
l
o
b
s
r
ra 00:00:00:00:00:00:00: brd 00:00:00:00:00:00
colink/loopback
e
f
s
n
inet addr:127.0.0.1/8 scope host lo
jua...-tran
no2:n eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
[dom0]# ssh host01
root@host01s password: oracle
Last login: ...

2.

link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff


inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
...
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:02:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.200/24 brd 192.168.1.255 scope global eth1
...
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc ...
link/ether 00:16:3e:00:04:01 brd ff:ff:ff:ff:ff:ff

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 21

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Use the ls command to view the /etc/sysconfig/network-scripts/ directory.


# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
ifcfg-eth2 ...
ifcfg-eth3 ...
...

c.

Use the nmcli con command to view the network connections.

Note that the eth2 and eth3 connections are not associated with a device.
# nmcli con
NAME
eth1
eth2
eth3
eth0

3.

UUID
...
...
...
...

TYPE
802-3-ethernet
802-3-ethernet
802-3-ethernet
802-3-ethernet

DEVICE
eth1
--eth0

a
s
a
h
)
o
c ide

Use the nmcli utility to configure network bonding.


u
d Gu
e

r
a. Use the nmcli con add command to add a bond connection
t
ta etype.
n
i
l
i
Use the type bond argument to specify a bonded
interface.
im S
tud
n
u
Use the con-name bond0 argument
to specifyithe
s name of the new bond
@
h
o
t
s
connection.
r
e
o
s
c
u

Use the ifname bond0nargument


toto specify the interface to bind the connection
a
u
e
j
to.
(
ns argument to specify the bonding mode.
s
e
a
i
c
Use the mode
active-backup
ar le li
o
b
s ip4ra192.168.2.11/24
Userthe
argument to specify IPv4 address to assign to
ointerface.
c
e
the
f
n ans
jua# nmcli
bond con-name bond0 ifname bond0 mode
tr con addip4type
n
active-backup
192.168.2.11/24
noConnection 'bond0' (...) successfully added.
b.

Use the nmcli con add command to add eth2 as a bond-slave connection type.

The bond-slave interface is eth2.

The bond master is bond0.


# nmcli con add type bond-slave ifname eth2 master bond0
Connection 'bond-slave-eth2' (...) successfully added.

c.

Use the nmcli con add command to add eth3 as a bond-slave connection type.

The bond-slave interface is eth3.

The bond master is bond0.


# nmcli con add type bond-slave ifname eth3 master bond0
Connection 'bond-slave-eth3' (...) successfully added.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 22

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

Use the nmcli con command to view the network connections.

Note that a new bond-slave-eth2 connection exists for device eth2.

Note that a new bond-slave-eth3 connection exists for device eth3.

Note that a new bond0 connection exists which is a type bond.


# nmcli con
NAME
eth1
eth2
eth3
bond-slave-eth3
bond-slave-eth2
bond0
eth0

UUID
...
...
...
...
...
...
...

TYPE
802-3-ethernet
802-3-ethernet
802-3-ethernet
802-3-ethernet
802-3-ethernet
bond
802-3-ethernet

DEVICE
eth1
--eth3
eth2
bond0
eth0

s
a
h
Note that a new ifcfg-bond0 file exists.
o) e
c

Note that a new ifcfg-bond-slave-eth2 file exists.


du Guid
e

r
Note that a new ifcfg-bond-slave-eth3 file exists.
ita dent
l
i
# ls /etc/sysconfig/network-scriptsnim
tu
S
u
ifcfg-bond0
...
@ this
o
s
r
ifcfg-bond-slave-eth2 ...o
se
c
u

n... to
ifcfg-bond-slave-eth3
a
u
j
(
se
...
n
s
e
c the contents of the ifcfg-bond0 file.
ria etoliview
f. Use the cat a
command
l
o ab
s/etc/sysconfig/network-scripts/ifcfg-bond0
r
# cat
o
c sfer
n
DEVICE=bond0
an
juaBONDING_OPTS=mode=active-backup
r
t
n
noTYPE=Bond
e.

Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

BONDING_MASTER=yes
BOOTPROTO=none
IPADDR=192.168.2.11
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=bond0
UUID=...
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 23

ONBOOT=yes
g.

Use the cat command to view the contents of the ifcfg-bond-slave-eth2 file.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that MASTER is set to bond0.


# cat /etc/sysconfig/network-scripts/ifcfg-bond-slave-eth2
TYPE=Ethernet
NAME=bond-slave-eth2
UUID=...
DEVICE=eth2
ONBOOT=yes
MASTER=bond0
SLAVE=yes

h.

Use the cat command to view the contents of the ifcfg-bond-slave-eth3 file.

Note that MASTER is set to bond0.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
t
ua to view
e
j
(
s
i. Use the ip addr command
the
network interfaces.
n
s
e
a
i
c
li now includes SLAVE and master bond0.
Note that the
areth2leinterface
o
ab interface now includes SLAVE and master bond0.
Note
reth3
orsthat the
c
e
f
sthe new bond0 interface is listed and includes MASTER and state
n athat
n
jua Note
r
UNKNOWN
-t
n
o
n # ip addr
# cat /etc/sysconfig/network-scripts/ifcfg-bond-slave-eth3
TYPE=Ethernet
NAME=bond-slave-eth3
UUID=...
DEVICE=eth3
ONBOOT=yes
MASTER=bond0
SLAVE=yes

...
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 ...
master bond0 state UP ...
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UNKNOWN
link/ether 00:16:3e:00:03:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.11/24 brd 192.168.2.255 scope global bond0
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 24

j.

Use the nmcli utility to bring up bond0.


# nmcli con up bond0
Connection successfully activated (D-BUS active path:...)

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

k.

Use the ip addr command to ensure that the bond0 interface is UP.
# ip addr
...
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 ...
state UP
...
Do not log off host01. You use it again in subsequent practices.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 25

Practice 10-3: Working with Bonded Interfaces


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you:


Test connectivity between the bonded interfaces on host01 and host02

Explore the /sys/class/net/bond0 directory

Change the MII monitoring frequency on host01


Test for slave failover on host01
Remove bond and slave connections on host02 by using the GUI
Remove bond and slave connections on host01 by using the command line

Assumptions

You are the root user on host01 and host02.

The bonded interface on host01 has an IP address of 192.168.2.11.

The bonded interface on host02 has an IP address of 192.168.2.12.

a
s
a
h
)
o
c ide

u
Tasks
d Gu
e

r
1. Test connectivity between the bonded interfaces on host01tand
host02.
a ent
i
l
i
a. From host02, use the ping command to communicate
tudbonded interface on
nim toSthe
u
host01.
o@on host01
thisis 192.168.2.11.
The IP address of the bonded interface
s
r
e
o ofuoutput.
s
Press CTRL-C to exit afternac
few lines
o
t
a
(ju nse
[host02]# ping 192.168.2.11
s
ria e (192.168.2.11)
ice
PING 192.168.2.11
56(84) bytes of data.
l
a
l
o
b
64 bytes
icmp_seq=1 ttl=64 time=...
rs from
a192.168.2.11:
r
o
c
e
f
sfrom 192.168.2.11: icmp_seq=1 ttl=64 time=...
n64 bytes
n
a
jua64 -bytes
r
from 192.168.2.11: icmp_seq=1 ttl=64 time=...
t
n
no64 bytes from 192.168.2.11: icmp_seq=1 ttl=64 time=...
^C
...
b.

From host02, use the netstat -r command to view the route table.

Note that the route to 192.168.2.0 is through the bond0 interface.


[host02]# netstat r
Kernel IP routing table
Destination
Gateway ...
Default
...
...
192.0.2.0
...
...
192.168.1.0
...
...
192.168.2.0
...
...

c.

Iface
eth0
eth0
eth1
bond0

From host01, use the ping command to communicate to the bonded interface on
host02.

The IP address of the bonded interface on host02 is 192.168.2.12.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 26

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

d.

Press CTRL-C to exit after a few lines of output.


[host01]# ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64
64 bytes from 192.168.2.12: icmp_seq=1 ttl=64
^C
...

of data.
time=...
time=...
time=...
time=...

From host01, use the netstat -r command to view the route table.

Note that the route to 192.168.2.0 is through the bond0 interface.

If the netstat command is not found, use the yum command to install the nettools package. Answer y to Is this ok.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
ans of /sys/class/net/bond0/.
uanthe-tcontents
jView
r
n network interface contains a directory in /sys/class/net.
o
Each
n
a. From host01, use the cd command to change to the /sys/class/net directory.
[host01]# netstat r
-bash: netstat: command not found
[host01]# yum install net-tools
...
Is this ok [y/d/N]: y
...
Complete!
[host01]# netstat r
Kernel IP routing table
Destination
... Iface
...
192.168.2.0
... bond0

2.

Use the ls command to display the contents of the directory.

Note that bonding_masters is a regular file.


[host01]# cd /sys/class/net
[host01]# ls
bond0 bonding_masters eth0

b.

eth1

eth2

eth3

Use the cat command to view the bonding_masters file.


[host01]# cat bonding_masters
bond0

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 27

lo

c.

Use the cd command to change to the bond0 directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Use the ls command to display the contents of the directory.


[host01]# cd bond0
[host01]# ls
addr_assign_type carrier
address
dev_id
addr_len
dormant
bonding
duplex
broadcast
flags

d.

ifalias
ifindex
iflink
link_mode
mtu

netdev_group
operstate
power
queues
slave_eth2

slave_eth3
speed
statistics
subsystem
tx_queue_len

Use the cat command to view the operstate file.


[host01]# cat operstate
up

e.

Use the cat command to view the address file.

a
s
a
h
)
o
c ide

u
f. Use the cat command to view the uevent file.
d Gu
e

r
[host01]# cat uevent
ita dent
l
i
INTERFACE=BOND0
nim Stu
u
IFINDEX=6
o@ e this
s
r
othe bonding
g. Use the cd command to changecto
us directory.

n
o
t
a
Use the ls command
ethe contents of the directory.
(juto display
s
n
s
[host01]# cd ia
bondingce
r
li
a
e
[host01]#
ls
l
o
ors ferab all_slaves_active miimon
active_slave
primary_reselect
c
s
n
arp_interval
mii_status
queue_id
an
juaad_actor_key
r
t
arp_ip_target
min_links
resend_igmp
n
noad_aggregator
ad_num_ports
arp_validate
mode
slaves
[host01]# cat address
00:16:3e:00:03:01

ad_partner_key
ad_partner_mac
ad_select
h.

downdelay
fail_over_mac
lacp_rate

num_grat_arp updelay
num_unsol_na use_carrier
primary
xmit_hash_policy

Use the cat command to view the active_slave file.


[host01]# cat active_slave
eth2

i.

Use the cat command to view the mode file.


[host01]# cat mode
active-backup 1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 28

j.

Use the cat command to view the slaves file.


[host01]# cat slaves
eth2 eth3

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

k.

Use the cat command to view the miimon file.

l.

This specifies the MII link monitoring frequency in milliseconds.


[host01]# cat miimon
100
Use the cat command to view the mii_status file.
[host01]# cat mii_status
up

3.

Change the MII monitoring frequency.


a. On host01, use the vi command to edit the /etc/sysconfig/networkscripts/ifcfg-bond0 file.

a
s
a
h
)
o
[host01]# vi /etc/sysconfig/network-scripts/ifcfg-bond0
c ide

u
d Gu
...
e

r
BONDING_OPTS=mode=active-backup
ita dent(old value)
l
i
BONDING_OPTS=mode=active-backup miimon=120
(new value)
nim Stu
u
isfrom disk.
@ thfiles
b. Use the nmcli command to reload all o
connection
s
r
e
NetworkManager does not monitor
co changes
us to connection files by default.

n
o
t
a
You need to use thisjcommand
to
to reread the connection
e tella NetworkManager
( u nmaking
s
profiles from diskswhenever
change.
e
ria e licreload
[host01]# a
nmcli lcon
o ab
r
orsnmcli
c. Usecthe
to bring down the bond0 connection.
ecommand
f
s
n
an the master interface also stops the slave interfaces.
jua Stopping
r
t
n
[host01]#
nmcli con down bond0
noConnection
bond0 successfully deactivated (d-Bus active ...)

d.

Change the BONDING_OPTS setting as follows to set miimon to 120.

Use the nmcli command to bring up the bond-slave-eth2 connection.


[host01]# nmcli con up bond-slave-eth2
Connection successfully activated (d-Bus active ...)

e.

Use the nmcli command to bring up the bond-slave-eth3 connection.


[host01]# nmcli con up bond-slave-eth3
Connection successfully activated (d-Bus active ...)

f.

Use the nmcli command to bring up the bond0 connection.


[host01]# nmcli con up bond0
Connection successfully activated (d-Bus active ...)

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 29

g.

Use the cat command to view the miimon file.

Note the value is now 120, instead of 100.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[host01]# cat /sys/class/net/bond0/bonding/miimon


120
4.

Test for slave failover.


The active slave in Active backup mode is stored in the active_slave file.

You can also determine the active slave by viewing the /proc/net/bonding/bond0
file.
On host01, use the cat command to view the active_slave file, which is located in
the /sys/class/net/bond0/bonding directory.

a.

The active slave in this example is eth2.


[host01]# cat /sys/class/net/bond0/bonding/active_slave
eth2

s
a
h
Use the ls command to view the contents of the directory.
o) e
c

[host01]# cd /proc/net/bonding
du Guid
e

r
[host01]# ls
ita dent
l
i
bond0
nim Stu
u
is file.
c. Use the cat command to view the contents
o@ofethethbond0
s
r
Note that Currently Active Slave
co is oeth2.
us

n
t
a
[host01]# cat bond0
ju nse
(Bonding
s
Ethernet Channel
ria e lice Driver: v3.7.1 (April 27, 2011)
a
o abl
s
r
Bonding
co Mode:
er fault-tolerance (active-backup)
f
s
n
Primary
Slave:
None
n
a
juaCurrently
r
t
Active Slave: eth2
nnoMII
Status: up
b.

Use the cd command to change to the /proc/net/bonding directory.

MII Polling Interval (ms): 120


Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth2
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:03:01
Slave queue ID: 0
Slave Interface: eth3
MII Status: up
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 30

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 00:16:3e:00:03:01
Slave queue ID: 0
d.

Use the ip link command to bring down eth2.


[host01]# ip link set dev eth2 down

e.

Use the ip link command to view the eth2 link.

Note that the state is DOWN for eth2.


[host01]# ip link show eth2
4: eth2: <BROADCAST,MULTICAST,SLAVE. mtu 1500 ... state DOWN ...
...

f.

Use the cat command to view the /var/log/messages file.

a
s
a
h
)
o
[host01]# cat /var/log/messages
c ide

u
d (eth2):
u link
<date_time> host01 NetworkManager[9730]: <info>
e

G
r
t
disconnected (deferring action for 4 seconds)
ita den
l
i
m
<date_time> host01 kernel: bonding: ibond0: tlink
u status
n disabling
S
u
definitely down for interface eth2,
it
o@ e bond0:
this making interface eth3
<date_time> host01 kernel: rbonding:
s
co o us
the new active one.

n
t
a
<date_time> host01
<info> (eth2): link
uNetworkManager[9730]:
e
j
(
s
n
s
disconnected ia
(calling edeferred action)
c
r
iview
l
a
e
g. Use the cat
command
to
the contents of the bond0 file.
l
o ab
s
r
Note
co thatsnow
er the Currently Active Slave is eth3.
f
n
n that eth2 is down.
anote
jua Also
r
t
n
cat bond0
no[host01]#

Note the bonding messages; eth2 is disabled and eth3 is active.

Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)


Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth3
MII Status: up
MII Polling Interval (ms): 120
Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth2
MII Status: down
Speed: Unknown
Duplex: Unknown
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 31

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Link Failure Count: 0


Permanent HW addr: 00:16:3e:00:03:01
Slave queue ID: 0
...
h.

Use the cat command to view the


/sys/class/net/bond0/bonding/active_slave file.

This file also indicates that eth3 is the active slave.


[host01]# cat /sys/class/net/bond0/bonding/active_slave
eth3

5.

Remove bond and slave connections on host02.


Begin by using the Network Settings GUI.

a.

Complete removal of the connections by using the command line.


On host02, click the network icon from the GNOME desktop notification area.
The drop-down menu includes Ethernet interfaces, the Bond (bond0) interface,
and the Network Settings option.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 32

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

b.

Click the Network Settings option from the menu.


The Network Settings Editor appears.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ta ent
i
l
i
c. Select the Bond (bond0) interface and click the i-
mbuttontuto dremove the connection.
n
S
u
The window is shown as follows after @
clicking the i-
button.
s
h
o
t
s
or use
c

n
to
a
u
e
j
(
ns
s
e
a
i
c
ar le li
o
ors ferab
c
s
n
jua -tran
non

d.
e.

Click the X in the top-right corner to close the window.


Use the ls command to view the contents of the /sys/class/net directory.

Note that the bond0 directory no longer exists.


[host02]# ls /sys/class/net
bonding_masters eth0 eth1

eth2

eth3

lo

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 33

f.

Use the cat command to view the /sys/class/net/bonding_masters file.

Note that the file is empty.


[host02]# cat /sys/class/net/bonding_masters

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

g.

Use the ls command to view the contents of the /proc/net/bonding directory.

h.

Note that the directory is empty.


[host02]# ls /proc/net/bonding
Use the nmcli con command to view the network connections.

Note that the bond connection no longer exists.


Note that the slave connections still exist but are no longer associated with a device.
[host02]# nmcli con
NAME
UUID
TYPE
DEVICE
eth1
...
802-3-ethernet
eth1
eth2
...
802-3-ethernet
-eth3
...
802-3-ethernet
-bond0 slave 1
...
802-3-ethernet
-bond0 slave 2
...
802-3-ethernet
-eth0
...
802-3-ethernet
eth0

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
i. Use the ip link command to view the links. nim
tu
S
u
@ this
Note that the bond0 entry no longeroexists.
s
r
o noulonger
se include SLAVE or master
Note that the eth2 and eth3
entries
c

n
to
bond0 in their description.
a
u
e
j
(and eth3nsentries have their original MAC addresses.
s
Note that the eth2
e
a
i
c
r
i
l
a
[host02]#
le
o ip alink
b
s
r
...co
er
f
s
n
an <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...
jua4: -eth2:
r
t
link/ether
00:16:3e:00:03:02 brd ff:ff:ff:ff:ff:ff
no5:n eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ...

link/ether 00:16:3e:00:04:02 brd ff:ff:ff:ff:ff:ff


j.

Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that the network configuration file for the bonded interface no longer exists.
Note that the network configuration files for the slaves still exist.
[host02]# ls /etc/sysconfig/network-scripts
ifcfg-bond0_slave_1 ...
ifcfg-bond0_slave_2 ...
ifcfg-eth0 ...
ifcfg-eth1 ...
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 34

k.

Use the nmcli con delete command to delete the slave connections.
[host02]# nmcli con delete bond0 slave 1
[host02]# nmcli con delete bond0 slave 2

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

l.

Use the nmcli con command to view the network connections.

Note that the slave connections no longer exist.


[host02]# nmcli con
NAME
UUID
TYPE
eth1
...
802-3-ethernet
eth2
...
802-3-ethernet
eth3
...
802-3-ethernet
eth0
...
802-3-ethernet

DEVICE
eth1
--eth0

m. Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

6.

Note that the network configuration files for the slaves no longer exist.
[host02]# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
...

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
Remove bond and slave connections on host01.
nim Stu
u
Use the command line to remove the connections.
@ this
o
s
r
a. On host01, use the nmcli con command
to
o
seview the network connections.
c
u

[host01]# nmcli con an


to
u
e
j
( UUIDns TYPE
NAME
DEVICE
s
e
a
i
c
r
i
l
eth1
802-3-ethernet
-a le ...
o
b
s
r
eth2o
...
802-3-ethernet
-c sfera
n
eth3
...
802-3-ethernet
-n
a
juabond-slave-eth3
r
...
802-3-ethernet
eth3
-t
n
o
802-3-ethernet
eth2
n bond-slave-eth2 ...
bond0
eth0
b.

...
...

bond
802-3-ethernet

bond0
eth0

Use the nmcli con delete command to delete the bond and the slave connections.
[host01]# nmcli con delete bond0
[host01]# nmcli con delete bond-slave-eth2
[host01]# nmcli con delete bond-slave-eth3

c.

Use the nmcli con command to view the network connections.

Note that the bond and slave connections no longer exist.


[host01]# nmcli con
NAME
UUID
TYPE
DEVICE
eth1
...
802-3-ethernet
eth1
eth2
...
802-3-ethernet
-eth3
...
802-3-ethernet
-Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 35

eth0
d.

802-3-ethernet

eth0

Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

...

Note that the network configuration files for the bond and slaves no longer exist.
[host01]# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
ifcfg-eth1 ...
ifcfg-eth2 ...
ifcfg-eth3 ...
...

e.

Use the ip link command to view the links.

Note that the bond0 entry no longer exists.


[host01]# ip link
...

a
s
a
h
)
o
Note that the bond0 directory no longer exists.
c ide

u
d Gu
[host01]# ls /sys/class/net
e

r
a ent
bonding_masters eth0 eth1 eth2 eth3ilitlo
nim Stud
g. Use the cat command to view the /sys/class/net/bonding_masters
file.
u
s
i
@
Note that the file is empty.
so se th
r
o
[host01]# cat /sys/class/net/bonding_masters
c to u
n
a
e of the /proc/net/bonding directory.
h. Use the ls command (
toju
view thescontents
n
s
e
a lisicempty.
Note that the
ridirectory
a
le
o ls a/proc/net/bonding
b
s
[host01]#
r
co sfer
n
jua -tran
non
f.

Use the ls command to view the contents of the /sys/class/net directory.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 36

Practice 10-4: Configuring 802.1Q VLAN Tagging by Using the GUI


Overview

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

In this practice, you:

Ensure that the VLAN (8021q) kernel module is loaded on host02

Use the Network Settings Editor to configure VLAN tagging on host02


Review network configuration on host02

Assumptions

You are the root user on host02.

Tasks
1.

On host02, load the VLAN (8021q) kernel module if necessary.


a.

Use the lsmod command to view the loaded kernel modules.

a
s
a
h
)
In this example, the kernel module is not loaded.
o
c ide

u
# lsmod | grep 8021q
d Gu
e

r
t the 8021q
b. If the kernel module is not loaded, use the modprobeilcommand
ita detonload
kernel module.
nim Stu
u
Use the lsmod command to ensure 8021q
his
o@ eis tloaded.
s
r
# modprobe 8021q
co o us

n
# lsmod | grep 8021q
ua se t
j
(
8021q
20082s
0 en
a
i
r
ic
l
a
...
e
l
so rab
r
o
c sfe
n
a
ju -tran
non

Pipe the output to grep and search for 8021q.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 37

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

2.

Use the Network Settings Editor to configure VLAN tagging.


a. Click the network icon from the GNOME desktop notification area.
The drop-down menu includes four Ethernet interfaces and the Network Settings
option.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
tu
b. Click the Network Settings option from the drop-down
nim menu.
S
u
The Network Settings Editor appears.
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 38

c.

Click the + button to add a new connection type.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The Add Network Connection window appears.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
d. Click VLAN to add a VLAN connection.
s
r
co o us
The following window appears.

n
t connection 1.
uaname siseVLAN
The default Connection
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 39

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
sscreen as follows.
n athe
n
je.ua Update
r
-t Connection name: to vlan-eth0.100.
Change
n
o
n Click the Parent interface: down arrow and select eth0
(00:16:3E:00:01:02).

Change VLAN id: to 100.

Change VLAN interface name: to eth0.100.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 40

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The window appears as follows.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
n ans
jf.uaClick-tthe
r IPv4 Settings tab to assign an IPv4 address to the VLAN interface.
n
no Change the Method to Manual.

Click Add to add the following Address information:

Address: 192.168.100.2

Netmask: 24

Gateway: <empty>

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 41

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The window appears as follows.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
n ans
jg.uaClick-tSave
r to complete configuring VLAN tagging.
n
no The VLAN (eth0.100) interface now appears in the Network Settings window.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 42

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

h.

3.

Select the VLAN (eth0.100) entry to display the following window.


Note that the Addresses are shown.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ta ent
i
l
i
i. Click the X in the top-right corner to close the window.
im Stud
n
u
View the network interfaces on host02.
@ this
oprotocol
s
a. Use the ip addr command to view
the
r
o
se addresses for the network devices.
c
u

n exists.
Note that the eth0.100adevice
to
u
e
j
( MAC
Note that the eth0.100
nsaddress is the same as the eth0 MAC address.
s
e
a
i
c
li
ar192.168.100.2/24
Note that the
IPv4 address is assigned to the eth0.100
e
l
o
b
s
device.
r
o fera
c
s
n
# ip addr
jua...-tran
no2:n eth0: ...
link/ether 00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.102/24 brd 192.0.2.255 scope global eth0
...
7: eth0.100@eth0: ...
link/ether 00:16:3e:00:01:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.2/24 brd 192.168.100.255 scope ... eth0.100
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 43

b.

Use the nmcli dev command to view the network devices.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that the eth0.100 device is associated with the vlan-eth0.100 connection.
# nmcli dev
NAME
eth0
eth1
eth0.100
...

c.

TYPE
ethernet
ethernet
vlan

STATE
connected
connected
connected

CONNECTION
eth0
eth1
vlan-eth0.100

Use the nmcli con command to view the network connections.

Note that the vlan-eth0.100 connection is listed.


# nmcli con
NAME
vlan-eth0.100
eth0
eth1

UUID
...
...
...

TYPE
vlan
802-3-ethernet
802-3-ethernet

DEVICE
eth0.100
eth0
eth1

a
s
a
h
)
o

c iddirectory.
e

u
d. Use the ls command to view the /etc/sysconfig/network-scripts/
d Gu
e

r
Note that there is a network configuration file for theitVLAN
interface,
a ent ifcfg-vlanl
i
eth0.100.
im Stud
n
u
# ls /etc/sysconfig/network-scripts
o@ e this
ifcfg-eth0
... ors
c to us
ifcfg-eth1
...
n
a
(ju ...nse
ifcfg-lo
s
e
ifcfg-vlan-eth0.100
ria e lic...
a
l
... rso
b
a
co sfcommand
er
e. n
Use the cat
to view the contents of the ifcfg-vlan-eth0.100 file.
n
a
jua Note
r
-t that the DEVICE setting is eth0.100.
n
o
n Note that the PHYSDEV setting is eth0.
# cat /etc/sysconfig/network-scripts/ifcfg-vlan-eth0.100
VLAN=yes
TYPE=Vlan
DEVICE=eth0.100
PHYSDEV=eth0
VLAN_ID=100
REORDER_HDR=0
BOOTPROTO=none
IPADDR=192.168.100.2
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 44

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=vlan-eth0.100
UUID=...
ONBOOT=yes

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 45

Practice 10-5: Configuring 802.1Q VLAN Tagging from the Command


Line

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:

Ensure that the VLAN (8021q) kernel module is loaded on host01

Create an 802.1Q VLAN interface on host01

Assumptions

You are the root user on host01.

Tasks
1.

On host01, load the VLAN (8021q) kernel module if necessary.


a.

2.

Use the lsmod command to view the loaded kernel modules.

a
s
a
h
)
In this example, the kernel module is not loaded.
o
c ide

u
# lsmod | grep 8021q
d Gu
e

r
t the 8021q
b. If the kernel module is not loaded, use the modprobeilcommand
ita detonload
kernel module.
nim Stu
u
Use the lsmod command to ensure 8021q
his
o@ eis tloaded.
s
r
# modprobe 8021q
co o us

n
# lsmod | grep 8021qa
t
u
e
j
(
s
8021q
20082s
0 en
a
i
r
ic
l
...
a
e
l
b VLAN interface and view the results.
so anra802.1Q
r
On host01,
create
o
c
e
f
n anmcli
ns con add command to create the VLAN interface.
ja.uaUse-tthe
r
the type vlan argument to specify an 802.1q tagged virtual LAN interface.
nonUse
Use the con-name vlan-eth0.100 argument to specify the name of the new

Pipe the output to grep and search for 8021q.

VLAN connection.
Use the ifname eth0.100 argument to specify the interface to bind the
connection to.

Use the dev eth0 argument to specify the parent device this VLAN is on.

Use the id 100 argument to specify the VLAN ID.

Use the ip4 192.168.100.1/24 argument to specify IPv4 address to assign to


the interface.
# nmcli con add type vlan con-name vlan-eth0.100 ifname eth0.100
dev eth0 id 100 ip4 192.168.100.1/24
Connection vlan-eth0.100 (<UUID>) successfully added.

b.

Use the ip addr command to view the protocol addresses for the network devices.

Note that the eth0.100 device exists.

Note that the eth0.100 MAC address is the same as the eth0 MAC address.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 46

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Note that the 192.168.100.1/24 IPv4 address is assigned to the eth0.100


device.
# ip addr
...
2: eth0: ...
link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.101/24 brd 192.0.2.255 scope global eth0
...
8: eth0.100@eth0: ...
link/ether 00:16:3e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope ... eth0.100
...
Use the nmcli dev command to view the network devices.

a
s
a
# nmcli dev
h
)
o
c ide
NAME
TYPE
STATE
CONNECTION

u
d eth0Gu
eth0
ethernet
connected
e

r
nt
ita devlan-eth0.100
eth0.100
vlan
connected
l
i
...
nim Stu
u
is
othe@network
d. Use the nmcli con command to view
thconnections.
s
r
e
coconnection
us is listed.
Note that the vlan-eth0.100

n
o
t
a
# nmcli con
(ju nse
s
NAME
DEVICE
ria e lUUID
ice TYPE
a
l
vlan-eth0.100
vlan
eth0.100
so rab ...
r
o
c sfe
eth0
...
802-3-ethernet
eth0
n
n
a
ju ...-tra
n
e.no
Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

Note that the eth0.100 device is associated with the vlan-eth0.100 connection.

Note that there is a network configuration file for the VLAN interface, ifcfg-vlaneth0.100.

# ls /etc/sysconfig/network-scripts
ifcfg-eth0
...
ifcfg-eth1
...
...
ifcfg-vlan-eth0.100 ...
...
f.

Use the cat command to view the contents of the ifcfg-vlan-eth0.100 file.

Note that the DEVICE setting is eth0.100.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 47

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that the PHYSDEV setting is eth0.


# cat /etc/sysconfig/network-scripts/ifcfg-vlan-eth0.100
VLAN=yes
TYPE=Vlan
DEVICE=eth0.100
PHYSDEV=eth0
VLAN_ID=100
REORDER_HDR=0
BOOTPROTO=none
IPADDR=192.168.100.1
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=vlan-eth0.100
UUID=...
ONBOOT=yes

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 48

Practice 10-6: Working with VLAN Interfaces

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
Test connectivity between the VLAN interfaces on host01 and host02

Use tcpdump to view tagged and untagged packets

Explore the contents of the /sys/class/net/eth0.100 directory

Explore the contents of the /proc/net/vlan directory

Remove the VLAN interfaces on host01 and host02

Assumptions

You are the root user on host01.

You are the root user on host02.

s
a
h
Test connectivity between the VLAN interfaces on host01 and host02. co)

d
u
i
a. From host02, use the ping command to communicate to theeVLAN
d interface
u on

G
r
host01.
t
ta en
li192.168.100.1.
i
The IP address of the VLAN interface on host01
is
m
tud
ni
S
u
Press CTRL-C to exit after a few lines@
of output. is
o
th
s
r
e
[host02]# ping 192.168.100.1
o
c to us 56(84) bytes of data.
n
PING 192.168.100.1 (192.168.100.1)
a
(ju nse icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1:
s
ce
ria192.168.100.1:
i
l
64 bytes from
icmp_seq=1 ttl=64 time=...
a
e
l
o
b
64 bytes
icmp_seq=1 ttl=64 time=...
ra192.168.100.1:
ors from
c
e
f
n64 bytessfrom 192.168.100.1: icmp_seq=1 ttl=64 time=...
jua^C -tran
n
no...

Tasks
1.

b.

From host02, use the netstat -r command to view the route table.

Note that the route to 192.168.100.0 is through the eth0.100 interface.


[host02]# netstat r
Kernel IP routing table
Destination
... Iface
Default
... eth0
192.0.2.0
... eth0
192.168.1.0
... eth1
192.168.100.0 ... eth0.100

c.

From host01, use the ping command to communicate to the VLAN interface on
host02.

The IP address of the VLAN interface on host02 is 192.168.100.2.

Press CTRL-C to exit after a few lines of output.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 49

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[host01]# ping 192.168.100.2


PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=...
^C
...
d.

From host01, use the netstat -r command to view the route table.

Note that the route to 192.168.100.0 is through the eth0.100 interface.


[host01]# netstat r
Kernel IP routing table
Destination
... Iface
...
192.168.100.0 ... eth0.100

2.

a
s
a
h
)
o
c ide

Use tcpdump to view tagged and untagged packets.


u
d Gu
e

r
You first observe traffic on the VLAN interface, eth0.100,
where
ita denyout do not see
l
i
VLAN tags.
im where
tu you do see VLAN tags.
neth0,
S
You next observe traffic on the parent interface,
u
o@ e this
a. On host02, open a second terminalrwindow.
s
co theoroot
ususer in this second terminal.

b. Use the su command to become


n
t
a
uoracle.se
The root password(jis
s
cen
i
[host02]$ a
suria

l
le
o oracle
b
Password:
s
r
a
co sfer
[host02]#
n
an
jc.uaIn this
r
t
second terminal window, enter the following tcpdump command.
nonUse the -e option to view the Ethernet header, which includes the 802.1Q tags.

Use the i eth0.100 to sniff on the VLAN interface.


[host02]# tcpdump e i eth0.100
tcpdump: verbose output suppressed, use v or vv for full ...
listening on eth0.100, link-type EN10MB (Ethernet), capture ...

d.

On host02, in the first terminal window, use the ping command to communicate to the
VLAN interface on host01.

The IP address of the VLAN interface on host01 is 192.168.100.1.

Press CTRL-C to exit after a few lines of output.


[host02]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
^C
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 50

...
e.

In the second terminal window on host02, view the output of the tcpdump command.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Note that you see normal traffic without VLAN tags.


... 00:16:3e:00:01:02 (oui Unknown) > Broadcast, ethertype ARP
(0x0806), length 42: Request who-has 192.168.100.1 tell
192.168.100.2, length 28
... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype ARP (0x0806), length 42: Reply 192.168.100.1
is at 00:16:3e:00:01:01 (oui Unknown), length 28
... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype IPv4 (0x0800), length 98: 192.168.100.1 >
192.168.100.2: ICMP echo reply, id 15342, seq 1, length 64
...

f.

In the second terminal window on host02, press CTRL-C to exit the tcpdump
command.

a
s
a
... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02h (oui
o) e >
Unknown), ethertype IPv4 (0x0800), length 98: 192.168.100.1
c

192.168.100.2: ICMP echo reply, id 15342, seq d


1,ulength
uid64
e

G
r
...
ita dent
l
i
^C
im Stu
n
u
... packets captured
o@ e this
s
... packets received by filter
r
co o us

... packets dropped by


kernel
n
t
ua onshost02,
e
j
(
g. In the second terminal
window
enter the following tcpdump command.
n
s
e
a
i
c
r toeview
li the Ethernet header, which includes the 802.1Q tags.
Use the -eaoption
l
o
s i eth0
Use
rab to sniff on the physical interface.
orthe
c
e
f
n ans use the clear command to clear the screen before running tcpdump.
jua Optionally,
tr
n
[host02]#
clear
no[host02]# tcpdump
e i eth0
tcpdump: verbose output suppressed, use v or vv for full ...
listening on eth0, link-type EN10MB (Ethernet), capture size ...
h.

On host02, in the first terminal window, use the ping command to communicate to the
VLAN interface on host01.

The IP address of the VLAN interface on host01 is 192.168.100.1.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 51

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

i.

Press CTRL-C to exit after a few lines of output.


[host02]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=...
^C
...
In the second terminal window on host02, view the output of the tcpdump command.

Note that you see the tagged 802.1Q packets (vlan 100 is in bold font in the sample
output).
... 00:16:3e:00:01:02 (oui Unknown) > Broadcast, ethertype
802.1Q (0x8100), length 46: vlan 100, p 0, ethertype ARP,
Request who-has 192.168.100.1 tell 192.168.100.2, length 28
... 00:16:3e:00:01:01 (oui Unknown) > 00:16:3e:00:01:02 (oui
Unknown), ethertype 802.1Q (0x8100), length 46: vlan 100, p 0,
ethertype ARP, Reply 192.168.100.1 is at 00:16:3e:00:01:01 (oui
Unknown), length 28
...

a
s
a
h
)
o
c ide

u
d Gu
e

r
ttcpdump
n
itato exit
l
j. In the second terminal window on host02, press CTRL-C
the
e
i
command.
nim Stud
u
is
@ >th00:16:3e:00:01:02
... 00:16:3e:00:01:01 (oui Unknown)
(oui
o
s
r
e
Unknown), ethertype 802.1Q
(0x8100),
length
46:
vlan
100,
0,
o
c to us is at 00:16:3e:00:01:01p(oui
ethertype ARP, Replyan
192.168.100.1
ju nse
Unknown), length (28
s
...
ria e lice
a
o abl
^C
s
r
ercaptured
...co
packets
f
s
n
an received by filter
jua...-tpackets
r
n packets dropped by kernel
no...
k.

3.

Click the X in the upper-right corner of the second terminal window to close the
window.
Click Close Terminal if prompted.
View the contents of /sys/class/net/eth0.100/.

a.

Each network interface contains a directory in /sys/class/net.


From host01, use the cd command to change to the /sys/class/net directory.

Use the ls command to display the contents of the directory.

Note that eth0.100 is a directory.


[host01]# cd /sys/class/net
[host01]# ls
bonding_masters eth0 eth0.100

eth1

eth2

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 52

eth3

lo

b.

Use the cd command to change to the eth0.100 directory.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Use the ls command to display the contents of the directory.


[host01]# cd eth0.100
[host01]# ls
addr_assign_type carrier
address
dev_id
addr_len
dormant
broadcast
duplex

c.

flags
ifalias
ifindex
iflink

link_mode
mtu
netdev_group
operstate

power
queues
speed
statistics

...
...
...
...

Use the cat command to view the operstate file.


[host01]# cat operstate
up

d.

Use the cat command to view the address file.


[host01]# cat address
00:16:3e:00:01:01

4.

a
s
a
h
)
e. Use the cat command to view the uevent file.
o
c ide

u
d Gu
Sample output is shown. The IFINDEX value might be different.
e

r
[host01]# cat uevent
ita dent
l
i
DEVTYPE=vlan
nim Stu
u
INTERFACE=eth0.100
o@ e this
s
r
IFINDEX=8
co o us

n
t
a
View the /proc/net/vlanju
directory.
e
(
s
s cd command
a. From host01, use
the
en to change to the /proc/net/vlan directory.
a
i
c
r
i
l
Use theolsacommand
le to view the contents of the directory.
b
s
r
a
[host01]#
co sfcd
er /proc/net/vlan
n
an ls
jua[host01]#
r
t
n
eth0.100
noconfig
b.

Use the cat command to view the config file.

[host01]# cat config


VLAN Dev name
| VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.100
| 100 | eth0
c.

Use the cat command to view the eth0.100 file.

Sample output is shown.


Egress traffic begins inside of a network and proceeds through its routers to a
destination somewhere outside of the network.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 53

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Ingress traffic originates from outside of the networks routers and proceeds toward
a destination inside of the network.
[host01]# cat eth0.100
eth0.100 VID: 100
REORDER_HDR: 1 dev->priv_flags: 1
total frames received
11
total bytes received
700
Broadcast.Multicast Rcvd
0
total frames transmitted
total bytes transmitted
Device: eth0
INGRESS priority mappings: 0:0
EGRESS priority mappings

5.

19
1382
1:0

2:00

3:0

4:0

5:0

...

Remove VLAN interface on host01.


a. Use the nmcli con command to view the network connections.

a
s
a
h
)
o
[host01]# nmcli con
c ide

u
d Gu
NAME
UUID
TYPE
DEVICE
e

r
t
eth0
...
802-3-ethernet
n
ita eth0
l
e
i
...
nim Stud
u
vlan-eth0.100
...
vlan
eth0.100
o@ e this
s
r
s the vlan-eth0.100 connection.
b. Use the nmcli con delete command
co o toudelete
n
t
a
[host01]# nmcli con
evlan-eth0.100
(ju delete
s
n
s
a command
c. Use the nmcliricon
ce to view the network connections.
i
l
a
leconnection no longer exists.
o the VLAN
Note s
that
b
r
a
co sfnmcli
er con
[host01]#
n
an
UUID
TYPE
DEVICE
juaNAME
r
t
n
...
802-3-ethernet
eth0
noeth0
...

d.

Use the ls command to view the /etc/sysconfig/network-scripts/ directory.

e.

Note that the network configuration file for the VLAN interface no longer exists.
[host01]# ls /etc/sysconfig/network-scripts
ifcfg-eth0 ...
...
Use the ip link command to view the links.

Note that the eth0.100 device no longer exists.


[host01]# ip link
...

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 54

f.

Use the ls command to view the contents of the /sys/class/net directory.

Note that the eth0.100 directory no longer exists.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[host01]# ls /sys/class/net
bonding_masters eth0 eth1
g.

eth2

eth3

lo

Use the ls command to view the contents of the /proc/net/vlan directory.

Note that the eth0.100 file no longer exists.


[host01]# ls /proc/net/vlan
config

h.

Use the cat command to view the config file.

Note that the file only contains header information.


[host01]# cat /proc/net/vlan/config
VLAN Dev name
| VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD

6.

s
a
Remove VLAN interface on host02.
h
)
odetails.

On host02, use Network Settings Editor to view the VLAN interface


c
e

d
u
i
d Gu
a. Click the network icon from the GNOME desktop notificatione
area.
r
t
n
itaoption.
The drop-down menu includes the Network Settings
l
e
i
b. Click the Network Settings option from the menu.
nim Stud
u
The Network Settings Editor appears,
includes
his the VLAN (eth0.100)
o@which
t
s
r
e
interface.
o
c
us

n
o
c. Click the VLAN (eth0.100)
entry.
t
a
(ju nse
s
ria e lice
a
o abl
s
r
co sfer
n
jua -tran
non

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 55

d.

Click the - button to remove the VLAN interface.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The window appears as follows.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
e. Click the X in the top-right corner to close the window.
im Stu
n
u
f. Use the nmcli con command to view the
connections.
is
@network
h
o
t
s
r
e
Note that the VLAN connectionono longers
exists.
c
u

n
o
[host02]# nmcli con a
t
u
e
j
(
s
NAME
DEVICE
n TYPE
s UUID
e
a
i
c
r
i
l
eth0
802-3-ethernet
eth0
o a able ...
... ors
c scommand
er to view the /etc/sysconfig/network-scripts/ directory.
f
g. an
Use the ls
an
ju Note
r
t
n that the network configuration file for the VLAN interface no longer exists.
no[host02]#
ls /etc/sysconfig/network-scripts
ifcfg-eth0
...
h.

...

Use the ip link command to view the links.

Note that the eth0.100 device no longer exists.


[host02]# ip link
...

i.

Use the ls command to view the contents of the /sys/class/net directory.

Note that the eth0.100 directory no longer exists.


[host02]# ls /sys/class/net
bonding_masters eth0 eth1

eth2

eth3

lo

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 56

j.

Use the ls command to view the contents of the /proc/net/vlan directory.

Note that the eth0.100 file no longer exists.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[host02]# ls /proc/net/vlan
config
k.

Use the cat command to view the config file.

Note that the file only contains header information.


[host02]# cat /proc/net/vlan/config
VLAN Dev name
| VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD

7.

In preparation for the next practice, power off host01, host02, and host03.
a. From host01, use the systemctl command to power off host01.
[host01]# systemctl poweroff

a
s
a
[host02]# systemctl poweroff
h
)
o
c ide
c. From dom0, use the xm shutdown -w command to power off host03.

u
d Gu
e

[dom0]# xm shutdown w host03


r
t
n
itaseconds,
l
e
i
If the xm shutdown command takes more than
a
few
use
the xm
im Stud
destroy command to power off host03. un
@ this
[dom0]# xm destroy host03 so
r
o
se
c
u

d. From dom0, use the xm list


command.
n
to
a
u
e
j
Note that host01, host02
( and
nshost03 are no longer active.
s
e
a
i
c
r e li
[dom0]# xmalist
l ID Mem VCPUs
o
b
Name rs
State
Time(s)
a
r
o
c
e
f
0
2048
2
r----...
nDomain-0s
jua -tran
non
b.

From host02, use the systemctl command to power off host02.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 57

Practice 10-7: Configuring a Site-to-Site VPN

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Overview
In this practice, you:
Explore and start the vpn-host1 and vpn-host2 virtual machines
Generate RSA authentication keys for vpn-host1 and vpn-host2

Update the /etc/ipsec.conf file for vpn-host1 and vpn-host2

Stop the firewalld service on vpn-host1 and vpn-host2

Start the ipsec service on vpn-host1 and vpn-host2

Verify connectivity between vpn-host1 and vpn-host2


Shut down the vpn-host1 and vpn-host2 virtual machines
Start the host01, host02, and host03 virtual machines

Assumptions

s
a
You are the root user on dom0.
h
o) e
c
The host01, host02, and host03 virtual machines are shut down.

id
du
e
The vpn-host1 and vpn-host2 virtual machines exist on your
system.Gu

r
t
n
ita configuration.
l
e
i
The following describes the vpn* virtual machines network
nim Stud
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non

You create a VPN tunnel from vpn-host1 to vpn-host2.

Tasks
1.

Explore and start the vpn-host1 virtual machine configuration file.


a. From dom0, use the cd command to change to the /OVS/running_pool/vpnhost1 directory.
[dom0]# cd /OVS/running_pool/vpn-host1
b.

Use the cat command to view the vm.cfg file for vpn-host1.

Note that there are three virtual network interfaces:


The interface on the virbr0 bridge is eth0 with IP address 192.0.2.111. This
interface provides access to the Yum repository on dom0.
The interface on the virbr1 bridge is eth1 with IP address 192.168.1.101.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 58

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The interface on the virbr2 bridge is eth2 with IP address 192.168.2.101.

[dom0]# cat vm.cfg


name = vpn-host1
builder = hvm
memory = 1536
boot = cd
disk = [ file:/OVS/running_pool/vpn-host1/system.img,hda,w,
file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64dvd.iso,hdc:cdrom,r]
vif = [ mac=00:16:3e:00:01:01, bridge=virbr0,
mac=00:16:3e:00:02:01, bridge=virbr1,
mac=00:16:3e:00:03:01, bridge=virbr2]
device_model = /usr/lib/xen/bin/qemu-dm
kernel = /usr/lib/xen/boot/hvmloader
vnc = 1
vncunused=1
vcpus = 1
timer_mode = 0
apic = 1
acpi = 1
pae = 1
serial = pty
on_reboot = restart
on_crash = restart
usb = 1
usbdevice = 'tablet'

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
n ans
jc.uaUse-tthe
r xm create command to start the vpn-host1 virtual machine.
n
no[dom0]# xm create vm.cfg
2.

Explore and start the vpn-host2 virtual machine configuration file.


a. From dom0, use the cd command to change to the /OVS/running_pool/vpnhost2 directory.
[dom0]# cd /OVS/running_pool/vpn-host2
b.

Use the cat command to view the vm.cfg file for vpn-host2.

Note that there are three virtual network interfaces:


The interface on the virbr0 bridge is eth0 with IP address 192.0.2.112. This
interface provides access to the Yum repository on dom0.
The interface on the virbr1 bridge is eth1 with IP address 192.168.1.102.
The interface on the virbr3 bridge is eth2 with IP address 192.168.3.102.
Note that eth2 on vpn-host2 is on a different bridge and different subnet than
eth2 on vpn-host1.
[dom0]# cat vm.cfg
name = vpn-host2
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 59

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

builder = hvm
memory = 1536
boot = cd
disk = [ file:/OVS/running_pool/vpn-host2/system.img,hda,w,
file:/OVS/seed_pool/OracleLinux-R7-U1-Server-x86_64dvd.iso,hdc:cdrom,r]
vif = [ mac=00:16:3e:00:01:02, bridge=virbr0,
mac=00:16:3e:00:02:02, bridge=virbr1,
mac=00:16:3e:00:04:02, bridge=virbr3]
device_model = /usr/lib/xen/bin/qemu-dm
kernel = /usr/lib/xen/boot/hvmloader
vnc = 1
vncunused=1
vcpus = 1
timer_mode = 0
apic = 1
acpi = 1
pae = 1
serial = pty
on_reboot = restart
on_crash = restart
usb = 1
usbdevice = 'tablet'

3.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
scommand
ento start the vpn-host2 virtual machine.
a
i
c
c. Use the xm create
r
i
l
le vm.cfg
oxmacreate
b
s
[dom0]#
r
a
covpn-host1
erby using vncviewer.
f
s
n
Log
in
to
an determine the VNC port number for vpn-host1 by running the following
ja.uaFrom-trdom0,
noxmnlist command.
[dom0]# xm list l vpn-host1 | grep location
(location 0.0.0.0:5902)
(location 3)
The sample shown indicates that the port number is 5902. This might not be true in
your case.
b. From dom0, run the vncviewer& command.
[dom0]# vncviewer&
The VNC Viewer: Connection Details dialog box appears.
c. Enter localhost:<port_number>, substituting the port number displayed from the
previous xm list l vpn-host1 | grep location command.

For example, if the port number is 5902, enter localhost:5902 and click
Connect.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 60

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The GNOME login screen appears. You might need to press ENTER to display the
login screen.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
ors ferab
c
s
n
jua -tran
non
d.
e.

Click Oracle Student in the list of users. You are prompted for the password.
Enter oracle for the Password and click Sign In.

f.

The GNOME desktop appears.


Right-click the desktop to display the pop-up menu.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 61

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

4.

s
a
h
o) e
c

du Guid
e

r
ita dent
l
i
nim Stu
u
@ this
o
s
g. From the pop-up menu, click Open
in
Terminal.
r
o
se
c
u

n
A terminal window appears.
to
a
u
e
j
( use thensus - command to become the root user.
h. In the terminal window,
s
a
i
ce
r eislioracle.
The root a
password
o asubl
s
r
[vpn-host1]$
co sforacle
er
n
Password:
an
jua[vpn-host1]#
r
t
non a new RSA authentication key for vpn-host1.
Generate

Use the ipsec newhostkey command to generate the key.

The --configdir option specifies the Network Security Services (NSS)


configuration directory where the certificate key and databases reside.

The --output option is mandatory.

5.

This command might take a couple minutes to complete.


[vpn-host1]# ipsec newhostkey --configdir /etc/ipsec.d --output
/etc/ipsec.d/www.example.com.secrets
Generated RSA key pair using the NSS database

Log in to vpn-host2 by using vncviewer.


a. From dom0, open a second terminal window by clicking the Terminal icon on the
desktop.
b. In the second terminal window on dom0, use the su - command to become the root
user.

The root password is oracle.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 62

[dom0]$ su
Password: oracle
[dom0]#

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

c.

Determine the VNC port number for vpn-host2 by running the following xm list
command.
[dom0]# xm list l vpn-host2 | grep location
(location 0.0.0.0:5903)
(location 3)
The sample shown indicates that the port number is 5903. This might not be true in
your case.
d. Run the vncviewer& command.
[dom0]# vncviewer&
The VNC Viewer: Connection Details dialog box appears.
e. Enter localhost:<port_number>, substituting the port number displayed from the
previous xm list l vpn-host2 | grep location command.

a
s
a
h
)
o

For example, if the port number is 5903, enter localhost:5903


cand click
e

d
u
i
d Gu
Connect.
e

r
The GNOME login screen appears. You might need
nt to display the
ittoapressdeENTER
l
i
login screen.
im Stu
n
u
f. Click Oracle Student in the list of users.@
You are prompted
is for the password.
h
o
t
s
g. Enter oracle for the Password and
or click Sign
seIn.
c
u

n
The GNOME desktop appears.
to
a
u
e
j
(to display
h. Right-click the desktop
nsthe pop-up menu.
s
e
a
i
c
li Open in Terminal.
i. From the pop-up
click
ar menu,
e
l
o
rs window
Ao
terminal
rab appears.
c
e
f
s window, use the su - command to become the root user.
j. n
In the terminal
n
a
jua The
r
-t root password is oracle.
n
o
n [vpn-host2]$ su
Password: oracle
[vpn-host2]#
6.

Generate a new RSA authentication key for vpn-host2.


Use the ipsec newhostkey command to generate the key.

7.

This command might take a couple minutes to complete.


[vpn-host2]# ipsec newhostkey --configdir /etc/ipsec.d --output
/etc/ipsec.d/www.example.com.secrets
Generated RSA key pair using the NSS database

Put the appropriate RSA keys in the /etc/ipsec.conf file.


a.

On vpn-host1, use the cd command to change to the /etc directory.


[vpn-host1] cd /etc

b.

Use ipsec showhostkey --left to display host key on left host, vpn-host1.

The sample output is shown.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 63

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[vpn-host1]# ipsec showhostkey --left


ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
ipsec showhostkey loading secrets from
"/etc/ipsec.d/www.example.com.secrets"
ipsec showhostkey loaded private key for keyid:
PPK_RSA:AQOuaErmq
# rsakey AQOuaErmq
leftrsasigkey=0sAQOuaErmqqXZqWP/5tXPI2xXqR/qq8TPyGUnoUQ+rCkHy+WK
q14MrCcmPaHDVZfMIoRAN4Mot2k2535sHnc+SkWxaDyjueGKczTndALmck0eXXWa
WgcfNS94rH9wtleQuZXmTlnSQvW8kiHO1N1o22NrCRYZF8zrpQTNFC1WNAiO2qxW
ZSgdJn2q9iW6MFq0804AsNKI9QrrpC1n7xXyDrWhi+v5B73C0ly4/uYeNIotyK9C
ImM713QK3MUpZOSNnRiACIQYw8aX+YEKSgjPU3+nEHp243QeUVraIf5LE0cKtTQu
S3Ur1cgZfQZCFX1rGyHqD/ZtUyzL9Fvo5j04kjnZgJTywr4f0Tmw7a+2QJPIQQ52
iOv1jnV5WzbKB2zpDICsCzRZ7yVaK7MXrDxvbNss8gjXjK5BXgFLcVlFh/eJgcji
/AUK0S1vqXdYiJjWtZpjznRTDyE7+jqgLsSi0jY5y7i4dYhD+I0RujzTuv6z7ObD
+yLYpa/DoXQFMrFjB3kz9L+uqz7TtmwCthNdCJVJjnKL0jBIZ7IfVqBvIJoS5nra
WYbF/thUq7C6ziHML8AL2tUcx5wIne28ijJOT2LfjeU=

a
s
a
h
)
c. Select leftrsasigkey=<string> and copy it into the buffer.
o
c ide

u
Highlight the string as shown.
d Gu
e

r
twindow menu.
With the string highlighted, select Edit > Copy fromitthe
a terminal
n
l
e
i
[vpn-host1]# ipsec showhostkey --left
nim Stud
u
ipsec showhostkey loading secrets
from i"/etc/ipsec.secrets"
th s
so@sefrom
r
ipsec showhostkey loadingosecrets
c to u
"/etc/ipsec.d/www.example.com.secrets"
n
a
e
ipsec showhostkey(ju
loaded sprivate
key for keyid:
n
s
e
a
PPK_RSA:AQOuaErmq
i
c
r e li
arsakey
#
l AQOuaErmq
o
b
s
r
a
leftrsasigkey=0sAQOuaErmqqXZqWP/5tXPI2xXqR/qq8TPyGUnoUQ+rCkHy+WK
co sfer
n
q14MrCcmPaHDVZfMIoRAN4Mot2k2535sHnc+SkWxaDyjueGKczTndALmck0eXXWa
an
juaWgcfNS94rH9wtleQuZXmTlnSQvW8kiHO1N1o22NrCRYZF8zrpQTNFC1WNAiO2qxW
r
t
n
noZSgdJn2q9iW6MFq0804AsNKI9QrrpC1n7xXyDrWhi+v5B73C0ly4/uYeNIotyK9C
ImM713QK3MUpZOSNnRiACIQYw8aX+YEKSgjPU3+nEHp243QeUVraIf5LE0cKtTQu
S3Ur1cgZfQZCFX1rGyHqD/ZtUyzL9Fvo5j04kjnZgJTywr4f0Tmw7a+2QJPIQQ52
iOv1jnV5WzbKB2zpDICsCzRZ7yVaK7MXrDxvbNss8gjXjK5BXgFLcVlFh/eJgcji
/AUK0S1vqXdYiJjWtZpjznRTDyE7+jqgLsSi0jY5y7i4dYhD+I0RujzTuv6z7ObD
+yLYpa/DoXQFMrFjB3kz9L+uqz7TtmwCthNdCJVJjnKL0jBIZ7IfVqBvIJoS5nra
WYbF/thUq7C6ziHML8AL2tUcx5wIne28ijJOT2LfjeU=
d.

Use the vi editor to edit the ipsec.conf file.


[vpn-host1]# vi ipsec.conf

e.

Paste the contents of the buffer at the end of the file.

Position you cursor on the last line of the file.


Press the lowercase letter o key to get into insert mode and open a blank line at the
end of the file.
Select Edit > Paste from the terminal window menu to past the contents of the
buffer into the file.
Press Esc to exit insert mode.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 64


f.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Save and close the ipsec.conf file.


On vpn-host2, use the ipsec showhostkey to display host key on right host, vpnhost2.
The sample output is shown.
[vpn-host2]# ipsec showhostkey --right
ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
ipsec showhostkey loading secrets from
"/etc/ipsec.d/www.example.com.secrets"
ipsec showhostkey loaded private key for keyid:
PPK_RSA:AQPXXwWB4
# rsakey AQPXXwWB4
rightrsasigkey=0sAQPXXwWB4r62JUqcItOtIps5GIkOxOe0n51jZ/09Sra5Qth
hlc0WaapVjycZIgDj3tVE4h/UCpBGZbE1MZ7u8DRZjrcv3aXF2CSESJcW8w0hoOD
9SUh3ZvDt1OE5bBWtM7moeJ2iY9rM0OqigRfIMeMKw0ZFdglxGGmuvfWtJrD886c
GYUFTP3K3+1zblg9vlcoOGdfb5jy03jAHgBC2waC1YYAZFQOcHp9XBGVzPq8VkXZ
AnECA8VtPuyExBXt/GBGUgJOdrLjG/HHtweLlqgB3hmy5NZhYiyS8UVpC7RBLpWG
OotjmM2dupw+voGP38bWy8K51T8wfRQbfsbUd84Ga6R7676ZKSZXBSMyDsLrsWl6
e1tf9sShJ9E6YZ3ZqSt1FsR8zMlArQhE2gfp+InlQAp1Q7v8TUODy0z1bih407o0
nsYGFXwB9izXGNGrvxoKgvzgleRj7ROP6DAls/8aXdir0N0que975Rc01YM2o0sj
nWwQq124YvenLn1RCbH5fq5NF6V29U7+B5q/2afL6hCvfmQ==

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
imit intoSthe
g. Select the rightrsasigkey=<string> and n
copy
tu buffer.
u
Highlight the string as shown.
o@ e this
s
r
With the string highlighted, select
> Copy
s from the terminal window menu.
co Edit
u

n
o
t --right
a
[vpn-host2]# ipsecushowhostkey
e
j
(
s
ipsec showhostkey
s loading
en secrets from "/etc/ipsec.secrets"
a
i
c
r
i
l
ipsec showhostkey
o a able loading secrets from
s
"/etc/ipsec.d/www.example.com.secrets"
r
co sfer
ipsec showhostkey
loaded private key for keyid:
n
n
a
juaPPK_RSA:AQPXXwWB4
r
-t # rsakey AQPXXwWB4
n
o
n rightrsasigkey=0sAQPXXwWB4r62JUqcItOtIps5GIkOxOe0n51jZ/09Sra5Qth
hlc0WaapVjycZIgDj3tVE4h/UCpBGZbE1MZ7u8DRZjrcv3aXF2CSESJcW8w0hoOD
9SUh3ZvDt1OE5bBWtM7moeJ2iY9rM0OqigRfIMeMKw0ZFdglxGGmuvfWtJrD886c
GYUFTP3K3+1zblg9vlcoOGdfb5jy03jAHgBC2waC1YYAZFQOcHp9XBGVzPq8VkXZ
AnECA8VtPuyExBXt/GBGUgJOdrLjG/HHtweLlqgB3hmy5NZhYiyS8UVpC7RBLpWG
OotjmM2dupw+voGP38bWy8K51T8wfRQbfsbUd84Ga6R7676ZKSZXBSMyDsLrsWl6
e1tf9sShJ9E6YZ3ZqSt1FsR8zMlArQhE2gfp+InlQAp1Q7v8TUODy0z1bih407o0
nsYGFXwB9izXGNGrvxoKgvzgleRj7ROP6DAls/8aXdir0N0que975Rc01YM2o0sj
nWwQq124YvenLn1RCbH5fq5NF6V29U7+B5q/2afL6hCvfmQ==
h.

Use the vi editor to create a temporary file named right.

You are going to paste the contents of the buffer into this temporary file and then
append the contents to the /etc/ipsec.conf file on vpn-host1.
[vpn-host2]# vi right

i.

Paste the contents of the buffer at the end of the file.

Press the lowercase letter i key to get into insert mode.


Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 65

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

j.

Select Edit > Paste from the terminal window menu to past the contents of the
buffer into the file.
Press Esc to exit insert mode.
Save and close the right file.
From vpn-host2, use the sftp command to copy the right file to vpn-host1.

Include the IP address of vpn-host1, not the host name, as an argument.


The systems are not configured to resolve host names.

Answer yes when prompted.

The root users password is oracle.


[vpn-host2]# sftp 192.0.2.111
The authenticity of host 192.0.2.111 (192.0.2.111) cant be
established.
ECDSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 192.0.2.111 (ECDSA) to the list ...
Root!192.0.2.111s password: oracle
Connected to 192.0.2.111.
sftp>

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nitomcopyStheturight file.
k. From the sftp> prompt, use the put command
u
o@command
After the copy is complete, use thesquit
thisto exit sftp.
r
e
co o us
sftp> put right

n
t ...
a
u/root/right
e
Uploading right to
j
(
s
en
sftp> quit rias
c
i
l
lethe cat command to concatenate the /etc/ipsec.conf file
o a ause
l. From vpn-host1,
b
s
r
o /root/right
er
andcthe
file into a single file.
f
s
n
n
a
ju Use
trathe mv command to rename /etc/ipsec.conf before issuing the cat
n
command.
no The example assumes you are still in the /etc directory.
[vpn-host1]# mv ipsec.conf ipsec.BAK
[vpn-host1]# cat ipsec.BAK /root/right > ipsec.conf
m. Use the cat command to view the updated ipsec.conf file.

The file now includes the leftrsasigkey= string and the rightrsasigkey=
string at the end of the file.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 66

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

The sample output is shown.


[vpn-host1]# cat ipsec.conf
...
leftrsasigkey=0sAQOuaErmqqXZqWP/5tXPI2xXqR/qq8TPyGUnoUQ+rCkHy+WK
q14MrCcmPaHDVZfMIoRAN4Mot2k2535sHnc+SkWxaDyjueGKczTndALmck0eXXWa
WgcfNS94rH9wtleQuZXmTlnSQvW8kiHO1N1o22NrCRYZF8zrpQTNFC1WNAiO2qxW
ZSgdJn2q9iW6MFq0804AsNKI9QrrpC1n7xXyDrWhi+v5B73C0ly4/uYeNIotyK9C
ImM713QK3MUpZOSNnRiACIQYw8aX+YEKSgjPU3+nEHp243QeUVraIf5LE0cKtTQu
S3Ur1cgZfQZCFX1rGyHqD/ZtUyzL9Fvo5j04kjnZgJTywr4f0Tmw7a+2QJPIQQ52
iOv1jnV5WzbKB2zpDICsCzRZ7yVaK7MXrDxvbNss8gjXjK5BXgFLcVlFh/eJgcji
/AUK0S1vqXdYiJjWtZpjznRTDyE7+jqgLsSi0jY5y7i4dYhD+I0RujzTuv6z7ObD
+yLYpa/DoXQFMrFjB3kz9L+uqz7TtmwCthNdCJVJjnKL0jBIZ7IfVqBvIJoS5nra
WYbF/thUq7C6ziHML8AL2tUcx5wIne28ijJOT2LfjeU=
rightrsasigkey=0sAQPXXwWB4r62JUqcItOtIps5GIkOxOe0n51jZ/09Sra5Qth
hlc0WaapVjycZIgDj3tVE4h/UCpBGZbE1MZ7u8DRZjrcv3aXF2CSESJcW8w0hoOD
9SUh3ZvDt1OE5bBWtM7moeJ2iY9rM0OqigRfIMeMKw0ZFdglxGGmuvfWtJrD886c
GYUFTP3K3+1zblg9vlcoOGdfb5jy03jAHgBC2waC1YYAZFQOcHp9XBGVzPq8VkXZ
AnECA8VtPuyExBXt/GBGUgJOdrLjG/HHtweLlqgB3hmy5NZhYiyS8UVpC7RBLpWG
OotjmM2dupw+voGP38bWy8K51T8wfRQbfsbUd84Ga6R7676ZKSZXBSMyDsLrsWl6
e1tf9sShJ9E6YZ3ZqSt1FsR8zMlArQhE2gfp+InlQAp1Q7v8TUODy0z1bih407o0
nsYGFXwB9izXGNGrvxoKgvzgleRj7ROP6DAls/8aXdir0N0que975Rc01YM2o0sj
nWwQq124YvenLn1RCbH5fq5NF6V29U7+B5q/2afL6hCvfmQ==

8.

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
s
o@ e thinithe
Complete the sitetosite connectionrs
configuration
/etc/ipsec.conf file on
o
s
c
u

vpn-host1.
n
to and add the conn sitetosite
a
u
e
j
a. Use the vi editor to edit
/etc/ipsec.conf
ns information before the leftrsasigkey= line.
s ( iIPceaddress
a
parameter and rthe
left
i
a lestartl with left, including the leftrsasigkey= line.
o
Indentsall
lines that
r erab
conot
n Do
exit
f the vi editor until step 9d.
s
n
a
ju [vpn-host1]#
vi /etc/ipsec.conf
tra
n
o
n ...
#include /etc/ipsec/d/*.conf
conn sitetosite
leftid=192.168.1.101
left=192.168.1.101
leftsourceip=192.168.2.101
leftsubnet=192.168.2.0/24
leftrsasigkey=...
...
b.

Add the right IP address information after the leftrsasigkey= line and before
the rightrsasigkey= line in the /etc/ipsec.conf file on vpn-host1.

Indent all lines that start with right, including the rightrsasigkey= line.
...
leftrsasigkey=...
rightid=192.168.1.102
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 67

right=192.168.1.102
rightsourceip=192.168.3.102
rightsubnet=192.168.3.0/24
rightrsasigkey=

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

...
c.

Add the following two lines at the end of the /etc/ipsec.conf file on vpn-host1.
...
authby=rsasig
auto=start

d.
9.

Save the changes made to the /etc/ipsec.conf file and exit the vi editor.

Check the syntax of the /etc/ipsec.conf file on vpn-host1.

If any errors are returned, the line number is included. Use the vi editor and make the
necessary corrections to the file.
In this example, no errors are returned and the syntax is correct.

a
s
a
h
[vpn-host1]# /usr/libexec/ipsec/addconn --config /etc/ipsec.conf
)
o
c ide

--checkconfig
u
d Guto vpn-host2.
evpn-host1

r
10. Use the sftp command to copy the /etc/ipsec.conf filea
from
t
t
n
i
l
e
i
Include the IP address of vpn-host2, not the hostim
name, asu
andargument.
t
n
S
u
Answer yes when prompted.
o@ e this
s
r
The root users password is oracle.
o
c
us

n
o
[vpn-host1]# sftp 192.0.2.112
t
a
e
ju hostns192.0.2.112
(of
The authenticity
(192.0.2.112) cant be
s
e
a
i
c
established.
r e li
l
o afingerprint
ECDSA rs
key
is ...
b
a
r
o
Arec you sure
fe you want to continue connecting (yes/no)? yes
s
n
n
a
ju Warning:
tra Permanently added 192.0.2.112 (ECDSA) to the list ...
n
noroot@192.0.2.111s password: oracle

Connected to 192.0.2.112.
sftp>

e.

From the sftp> prompt, use the put command to copy the /etc/ipsec.conf file to
/etc/ipsec.conf on vpn-host2.

After the copy is complete, use the quit command to exit sftp.
sftp> put /etc/ipsec.conf /etc/ipsec.conf
Uploading /etc/ipsec.conf to /etc/ipsec.conf ...
sftp> quit

11. Enable IP forwarding on both vpn-host1 and vpn-host2.


a. On vpn-host1, use the sysctl -w command to enable IP forwarding.
[vpn-host1]# sysctl w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 68

b.

On vpn-host2, use the sysctl -w command to enable IP forwarding.


[vpn-host2]# sysctl w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

12. Stop the firewalld service on both vpn-host1 and vpn-host2.

You could add rules to trust the ipsec protocols. libreswan requires the firewall to
allow the following packets:

UDP port 500 for the IKE protocol

UDP port 4500 for IKE NAT-Traversal

Protocol 50 for ESP IPSec packets

Protocol 51 for AH IPSec packets

For purposes of this exercise you stop the firewalld service.

a.

On vpn-host1, use the systemctl command to stop the firewalld service.

a
s
a
b. On vpn-host2, use the systemctl command to stop the firewalld service.
h
)
o
c ide
[vpn-host2]# systemctl stop firewalld

u
d Gu
e

13. Test connectivity before starting the ipsec service.


r
t
n
litathe route
e
i
a. On vpn-host1, use the netstat rn command m
to view
table.
tud
ni subnet.
S
u
Note that there is no route to the 192.168.3.0
@ this
[vpn-host1]# netstat rn rso
e
o
s
c
u

Destination Gateway n ... Iface


o
teth0
a
u
e
j
0.0.0.0
192.0.2.1
...
s
s ( icen...
192.0.2.0 ria
0.0.0.0
eth0
l
a
e
l
192.168.1.0
... eth1
b
so ra0.0.0.0
r
o
c sfe 0.0.0.0 ... eth2
192.168.2.0
n
a
an
jb.u From-trvpn-host1,
use the ping command to test connectivity to 192.168.3.102.
n
o
n Note that you cannot ping this address.
[vpn-host1]# systemctl stop firewalld

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 69

Press CTRL-C to kill the ping command.

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

[vpn-host1]# ping 192.168.3.102


PING 192.168.3.102 (192.168.3.102) 56(84) bytes of data.
CTRL-c
c.

On vpn-host2, use the netstat rn command to view the route table.

Note that there is no route to the 192.168.2.0 subnet.


[vpn-host2]#
Destination
0.0.0.0
192.0.2.0
192.168.1.0
192.168.3.0

d.

netstat rn
Gateway
...
192.0.2.1 ...
0.0.0.0
...
0.0.0.0
...
0.0.0.0
...

Iface
eth0
eth0
eth1
eth2

From vpn-host2, use the ping command to test connectivity to 192.168.2.101.

s
a
h
Press CTRL-C to kill the ping command.
o) e
c

du Guid
[vpn-host2]# ping 192.168.2.101
e

r
t data.
PING 192.168.2.101 (192.168.2.101) 56(84)
of
n
itabytes
l
e
i
CTRL-c
nim Stud
u
@vpn-host2.
14. Start the ipsec service on both vpn-host1oand
this
s
r
e
a. On vpn-host1, use the systemctl
co command
us to start the ipsec service.

n
o
t
a
[vpn-host1]# systemctl
e ipsec
(ju nstart
s
s
b. On vpn-host2, ruse
ia the systemctl
ce command to start the ipsec service.
i
l
a
le
o asystemctl
[vpn-host1]#
start ipsec
b
s
r
r
o
c sfafter
e starting the ipsec service.
15. Testn
connectivity
n
a
ja.u On -vpn-host1,
use the netstat rn command to view the route table.
tra
n
o
n Note that now there is a route to the 192.168.3.0 subnet.

Note that you cannot ping this address.

[vpn-host1]#
Destination
0.0.0.0
192.0.2.0
192.168.1.0
192.168.2.0
192.168.3.0
b.

netstat rn
Gateway
...
192.0.2.1 ...
0.0.0.0
...
0.0.0.0
...
0.0.0.0
...
0.0.0.0
...

Iface
eth0
eth0
eth1
eth2
eth1

From vpn-host1, use the ping command to test connectivity to 192.168.3.102.

Note that now you can ping this address.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 70

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

Press CTRL-C to kill the ping command.


[vpn-host1]# ping 192.168.3.102
PING 192.168.3.102 (192.168.3.102) 56(84) bytes of data.
64 bytes from 192.168.3.102: icmp_seq=1 ttl=64 time=...
64 bytes from 192.168.3.102: icmp_seq=2 ttl=64 time=...
64 bytes from 192.168.3.102: icmp_seq=3 ttl=64 time=...
CTRL-c

c.

On vpn-host2, use the netstat rn command to view the route table.

Note that now there is a route to the 192.168.2.0 subnet.


[vpn-host2]#
Destination
0.0.0.0
192.0.2.0
192.168.1.0
192.168.2.0
192.168.3.0

netstat rn
Gateway
...
192.0.2.1 ...
0.0.0.0
...
0.0.0.0
...
0.0.0.0
...
0.0.0.0
...

Iface
eth0
eth0
eth1
eth1
eth2

a
s
a
h
)
o
c ide

u
d Gu
e

r
d. From vpn-host2, use the ping command to test connectivity
to
t
ta e192.168.2.101.
n
i
l
i
Note that now you can ping this address.
im Stud
n
u
Press CTRL-C to kill the ping command.
@ this
o
s
r
[vpn-host2]# ping 192.168.2.101
o
se
c
u

n
PING 192.168.2.101 (192.168.2.101)
56(84) bytes of data.
to
a
u
e
j
(
s
64 bytes from 192.168.2.101:
icmp_seq=1
ttl=64 time=...
n
s
e
a
i
c
li
64 bytes from
icmp_seq=2 ttl=64 time=...
ar 192.168.2.101:
e
l
o
b
64 bytes
icmp_seq=3 ttl=64 time=...
rs from
a192.168.2.101:
r
o
c
e
f
nCTRL-cans
je.uaFrom-trvpn-host2,
use the ipsec auto --status command to view current
n
status.
noconnection

Note the ESP algorithms supported.


Note the IKE algorithms supported.
Note the Connection list, sitetosite.

Note the Total IPSec connections: 1 loaded, 1 active.


[vpn-host2]# ipsec auto --status
000 using kernel interface: netkey
...
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc...
...
ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, ...
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 71

Unauthorized reproduction or distribution prohibited Copyright 2016, Oracle and/or its affiliates

000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, ...


...
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5...
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA...
...
IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2nam...
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2nam...
...
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
...
000 Connection list:
000
000 sitetosite:
192.168.3.0/24===192.168.1.102<192.168.1.102>[92.168.1.102]...19
2.168.1.101<192.168.1.101>===192.168.2.0/24; eroute owner: #4
...
000 Total IPSec connections: loaded 1, active 1
000
000 State list:
000
000 #4: sitetosite:500 STATE_QUICK_R2 (IPSec SA established...
...

a
s
a
h
)
o
c ide

u
d Gu
e

r
ita dent
l
i
nim Stu
u
o@ e this
s
r
co o us

n
ua se t
j
(
s icen
a
i
r
a le l
o
rs vpn-host1
rab and vpn-host2 virtual machines.
othe
16. Shut down
c
e
f
n ans use the systemctl poweroff command to shut down vpn-host2.
ja.uaFrom-trvpn-host2,
n
systemctl poweroff
no[vpn-host2]#
b.

From vpn-host1, use the systemctl poweroff command to shut down vpn-host1.

[vpn-host1]# systemctl poweroff


Do not start the host01, host02, and host03 virtual machines at this time.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Practices for Lesson 10: Advanced Networking


Chapter 10 - Page 72