RHCE Sample Exam for RHEL 7

This is a sample exam that I’ve created after finishing RHCE studies. It is to prepare for the RHCE exam based on RHEL 7, which I have yet to take.

[Update August 2016]: I have passed the RHCE exam.

Requirements

There are 20 questions in total. You will need three RHEL 7 (or CentOS 7) virtual machines to be able to complete all questions. I recommend registering with Red Hat and downloading a RHEL 7 ISO image free of charge.

One VM has to be configured as a FreeIPA server to provide LDAP, Kerberos, NTP and DNS services. Note that in our case the FreeIPA server will also provide FTP services. The other two VMs will be used to solve the sample exam questions. These VMs need two network interfaces for link aggregation. They also need a RHEL DVD (.iso file) attached.

Tips and Suggestions

Read all questions and try to understand the whole picture of what is required.

Spend 10 minutes identifying the packages you are going to need, and then install everything in one go: this gives you a solid base to build on.

Enable all required services. Also, set up firewalld rules for any services that require them.

You obviously need a repository configured before you can install packages. In this particular case we use a locally mounted RHEL DVD image, so no network is required before packages can be installed. This may not be the case on the real RHCE exam, where you may need to set up networking first in order to reach a repository.

If you can complete all 20 questions in less than 3 hours, then you are a full-fledged shinobi and likely OK to take the Chunin exam.

Sample Exam Questions

It is assumed that you use the following details.

Hostnames:

  1. Server1: srv1.rhce.local
  2. Server2: srv2.rhce.local

IP addresses and networking:

  1. Server1: 10.8.8.71/24
  2. Server2: 10.8.8.72/24
  3. Name server: 10.8.8.70
  4. Gateway: 10.8.8.70

Once you configure networking with the details above, you will be able to resolve the following domains successfully (as they’re set up on the FreeIPA/DNS server):

  1. ipa.rhce.local
  2. srv1.rhce.local
  3. srv2.rhce.local
  4. vhost1.rhce.local
  5. dynamic1.rhce.local

The following LDAP (FreeIPA) users are available for testing:

  1. alice
  2. vince

Before you begin, reset the root user password to “pass” on both servers, server1 and server2.

1. Configure SELinux

Configure server1 and server2 to have SELinux running in enforcing mode.

2. Configure Repository

Configure a repository on server1 and server2. Use the RHEL 7 DVD that is available at /dev/cdrom on both machines. The changes should persist after reboot.

3. Link Aggregation

Configure server1 and server2 for link aggregation that watches for link changes and selects an active port for data transfers. Server1 should use the address 10.8.8.71/24 and server2 the address 10.8.8.72/24. The gateway and name server address is 10.8.8.70. The changes should persist after reboot.

Configure the “dmz” firewalld zone to be the default zone on both servers, server1 and server2, and ensure that the aggregated network connection is assigned to the default zone.

4. IPv6 Network

Configure the aggregated network links from the previous task with static IPv6 addresses. The changes should persist after reboot.

Configure a static IPv6 address fc00::a:b:c:71/64 on server1 and a static IPv6 address fc00::a:b:c:72/64 on server2.

5. NTP

Configure server1 and server2 to synchronise time with the NTP server ipa.rhce.local.

6. SMTP Configuration

Configure server1 as a null client that relays email from the local system through ipa.rhce.local. All outgoing mail must have rhce.local as its sender domain.

7. Kernel Parameters

Configure server1 to act as a router. Also ensure that server1 reboots automatically 300 seconds after a kernel panic. The changes should persist after reboot.

8. Kerberos Authentication

Configure server1 and server2 for Kerberos authentication.

Use the following LDAP authentication details:

  1. Server: ipa.rhce.local
  2. Base DN: dc=rhce,dc=local
  3. The LDAP CA certificate is available at ftp://ipa.rhce.local/pub/cacert.p12

An LDAP user alice exists on the FreeIPA server; use it for testing.

Use the following Kerberos authentication details:

  1. Realm: RHCE.LOCAL
  2. KDC: ipa.rhce.local
  3. Admin Server: ipa.rhce.local

To test, you can obtain a Kerberos ticket for the user alice.

9. NFS Server

Configure server1 to provide a Kerberised NFSv4 share.

Set up a Kerberised NFSv4 share /srv/nfssec in read-write mode and export it to the client srv2.rhce.local only. Enable krb5p security using the keytab available at ftp://ipa.rhce.local/pub/srv1.keytab. The owner of the share must be the LDAP user alice.

10. NFS Mount

Configure server2 to mount a Kerberised NFSv4 share.

Mount the Kerberised NFSv4 share /srv/nfssec on the /mnt/protected directory persistently at boot time, using the keytab available at ftp://ipa.rhce.local/pub/srv2.keytab. The LDAP user alice should be able to write to the share.

11. MariaDB Server

Configure server2 to meet the following requirements.

Set up a default, secured MariaDB installation with a database called shop and a user john who has all privileges on it. The user john must be identified by “pass”. In this database, create one simple table named products that stores product names as varchar(20) and their prices as int(10). Enter two products. Back up the database with mysqldump to /root/shop.sql.

MariaDB must listen on TCP port 5555 with its data directory at /srv/mariadb. The firewall should allow access to port 5555 from srv1.rhce.local only. The MariaDB root password must be “pass”.

12. Samba Server

Configure server1 to provide a Samba share. Share the /srv/smb_docs directory via SMB. The SMB server must be a member of the DEVOPS workgroup. The share name must be docs. Only the host srv2.rhce.local should be allowed to connect to the docs share. The docs share must be browseable but neither writable nor printable. User vince must have read-write access to the docs share, authenticating with the password “pass”.

Ensure that SELinux allows sharing of home directories.

13. Samba Mount

Configure server2 to mount a Samba share. Mount the Samba share docs permanently on /mnt/samba as a multi-user mount. The share should be mounted with the credentials of vince.

14. Port Forwarding

Configure server2 to forward incoming traffic on port 8080/tcp to 10.8.8.71:80 (srv1.rhce.local:80).

Also configure server2 for firewalld SSH logging with the prefix “SSH_” and log level debug, limited to 2 log entries per minute. The changes should persist after reboot.

15. iSCSI Target

Configure server1 to provide iSCSI LUNs. Set up an iSCSI target with CHAP authentication (username=client/password=client) based on a fileio backstore /srv/iscsifile of 200MB. The logical block name should be file1. The local file system cache must be disabled to reduce the risk of data loss.

Also set up an LVM based block backstore of 100MB called lv_iscsi (use a volume group of your choice). The logical block name should be block1.

Use the IQN iqn.2003-01.local.rhce:srv1 for the iSCSI server and apply the standard firewall configuration. Create LUNs for both backstores and ensure the LUNs are available to the client iqn.2003-01.local.rhce:srv2.

16. iSCSI Initiator

Configure server2 as an iSCSI initiator. Use the IQN of iqn.2003-01.local.rhce:srv2 for it.

The datastore block1 should be formatted as ext4 and mounted permanently on /mnt/san1.

The datastore file1 should be added to a new LVM volume group vg_san, a new 50MB logical volume lv_lun1 should be created, formatted as xfs, and mounted permanently on /mnt/san2.

17. Webserver

Configure server1 to meet all of the following requirements.

17.1 Secure Webserver

Configure a webserver for the site http://srv1.rhce.local. The webpage should say “hello”.

Also configure the website http://srv1.rhce.local with TLS. Generate a self-signed certificate; the only requirement for the certificate is that it matches the web server name srv1.rhce.local. Make sure that the SSLv2 and SSLv3 protocols are disabled.

The content of the websites should be visible to everyone browsing from the localhost but should not be accessible from any other location.

17.2 Webpage Content Modification

Implement a website for http://srv1.rhce.local/group. Create a directory “group” under the document root used for the website. The webpage should say “group”.

The webpage must be configured for group-based authentication and require users to log in. Only user alice, who is a member of the devops group, should be allowed to access the website with the password “password”.

17.3 Virtual Hosting

Set up a virtual host http://vhost1.rhce.local with the alternate document root /srv/www/vhost1. The webpage should say “vhost1”. The webpage must be configured for user-based authentication. Only user alice should be allowed to log in, with the password “password”.

Note: the other websites configured on server1 must still be accessible.

17.4 Dynamic Content Configuration

Configure the website http://dynamic1.rhce.local:8888/ with the document root /srv/www/scripts to serve a PHP application. The site should execute index.php. The PHP application is provided at ftp://ipa.rhce.local/pub/index.php. The content of the script must not be modified.

Note: the PHP application won’t work until you have a MariaDB server configured as per task #11.

18. Name Server

Configure server1 as a caching-only DNS server that forwards DNS queries. Forward all requests (the zone for the root “.” domain) to the DNS server 10.8.8.70. External access to the DNS server should only be allowed from srv2.rhce.local.

19. SSH Configuration

Configure server1 to meet the following requirements.

SSH should listen on ports 22 and 2222. The firewall should allow access to port 2222 from srv2.rhce.local only. The client ipa.rhce.local must not have access to SSH at all. Enable password and key authentication. The changes should persist after reboot.

Configure server2 for passwordless root authentication against server1.

20. Scripting

Create a script on server1 called /root/newusers. When the script is called with the argument users.txt, it should add all the users listed in the file. Download the file from ftp://ipa.rhce.local/pub/users.txt.

All users should have /sbin/nologin as their login shell; a password is not required. When the script is called with any other argument, it should print the message “Input File Not Found”. When the script is run without any argument, it should display “Usage: /root/newusers users.txt”.
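An added example solution to task 20 (example code, not the author's; the post gives no reference answer). It also covers two points raised in the comments below: the file being supplied with a path, and users that already exist. Ignoring blank and commented lines, skipping malformed names, and the create_user wrapper around useradd are assumptions of this example.

```bash
#!/bin/bash
# Added example solution for task 20; not the post's own script. Install as
# /root/newusers. Assumptions beyond the task text: blank lines and '#'
# comments in users.txt are ignored, malformed names are skipped, and users
# that already exist are skipped instead of letting useradd fail.

# Fixed locale so the [a-z] ranges below mean ASCII lowercase only.
export LC_ALL=C

usage() {
    echo "Usage: /root/newusers users.txt"
}

# Thin wrapper around useradd so the create step can be swapped out in a test.
create_user() {
    useradd -s /sbin/nologin "$1"
}

# newusers FILE: validates FILE, then adds each user listed in it.
# Prints "added=N skipped=M" on success; returns 1 when no argument is
# given and 2 when the argument is not an acceptable users.txt file.
newusers() {
    if [ $# -eq 0 ]; then
        usage
        return 1
    fi
    file="$1"
    # The task wants the argument to be users.txt; compare the basename so a
    # path such as /root/users.txt is also accepted, and require a readable
    # regular file.
    if [ "${file##*/}" != "users.txt" ] || [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "Input File Not Found"
        return 2
    fi
    added=0
    skipped=0
    # '|| [ -n "$user" ]' keeps a final line that lacks a trailing newline.
    while IFS= read -r user || [ -n "$user" ]; do
        case "$user" in
            ''|'#'*) continue ;;              # blank line or comment
            [!a-z_]*|*[!a-z0-9_-]*)           # not a portable login name
                echo "skipping invalid name: $user" >&2
                skipped=$((skipped + 1))
                continue ;;
        esac
        if id -u "$user" >/dev/null 2>&1; then
            echo "user already exists, skipping: $user" >&2
            skipped=$((skipped + 1))
            continue
        fi
        create_user "$user" && added=$((added + 1))
    done < "$file"
    echo "added=$added skipped=$skipped"
}

# Run only when invoked as the installed script, so the functions can also be
# sourced (for example by a test) without side effects.
case "${0##*/}" in
    newusers) newusers "$@" ;;
esac
```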

239 thoughts on “RHCE Sample Exam for RHEL 7”

  1. Thanks for sharing this.
    13. I don’t think we will be asked to set up multiple iSCSI initiators with CHAP auth. It’s a crazy configuration. Any thoughts about this?

    Btw, I was told that it’s still version 7.0 on the exam in my country.

    • It’s a step towards failure if you think this way :) My advice is to be prepared for any surprise that may be thrown, rather than guessing what might not be requested. It may look like a crazy configuration if you’re not familiar with iSCSI, but it takes a few minutes to set up an iSCSI target if you know the drill.

      As for a RHEL version, be ready to perform tasks on both v7.0 and v7.1 (and perhaps even 7.2), and you’re good to go. Not that many differences to remember between the versions anyway.

    • Passed recently. It was rhel 7.0 indeed and a real nightmare, because limited time doesn’t allow you to re-check all the things.

    • Congratulations. I suspect that Red Hat are moving the RHCE exam towards RHEL 7.1, but depending on the country you take the exam in, it may still be on RHEL 7.0.

    • Dude how was the exam? I’m stressing out pretty much. Will this practice exam help a bit?

    • The exam was fairly easy, but I felt like I was overprepared therefore don’t take my words for granted.

      Any practice that you do should help, the more the better I believe.

  2. Hi Tomas,

    Thank you for the great effort you put into this site, and for taking the time to reply to the comments.
    Have you taken the RHCE exam?

  3. Hi Tomas,
    Thank you for your sample exam questions. It really helps as I have been working on RHCE7 exam for months now!
    There are too many objectives and I don’t know whether I study enough!
    Do you have answers for your sample exam questions so that I can use them as a guideline to correct/improve my steps?
    Thanks again!

    • All sample exam questions (except those really easy ones) have weblinks to topic-related articles. If you check them, you’ll find instructions and hints for how to solve the questions.

  4. Where is the PHP file? Can you put it somewhere so I can download it? I like that it tests the database and the web server config at the same time.

    • Please read the requirements again, one VM has to be configured as a FreeIPA server. There is a weblink to the page on how to set it up. The PHP file will be available on ipa.rhce.local/pub/index.php via FTP protocol.

    • Thanks Tomas, sorry, I hadn’t read that link as I had already configured an IPA server :). Appreciate it

  5. Hello,

    I cannot execute index.php. Python and Perl scripts work fine.
    Is there anything else besides SELinux contexts, DirectoryIndex and chmod +x to set?

  6. And I could not do anything with the iSCSI fileio mounted as /dev/sdb on the initiator. I simply cannot make a file system on it:

    [root@server2 ~]# mkfs xfs /dev/sdb
    mke2fs 1.42.9 (28-Dec-2013)
    mkfs.ext2: invalid blocks '/dev/sdb' on device 'xfs'

  7. I cannot even partition it:

    [root@server2 /]# fdisk /dev/sdb
    fdisk: cannot open /dev/sdb: No such file or directory
    [root@server2 /]# lsscsi
    [0:0:0:0] disk VMware, VMware Virtual S 1.0 /dev/sda
    [2:0:0:0] cd/dvd NECVMWar VMware IDE CDR10 1.00 /dev/sr0
    [3:0:0:0] disk LIO-ORG file1 4.0 /dev/sdb
    [3:0:0:1] disk LIO-ORG block1 4.0 /dev/sdc
    [root@server2 /]#

    • Oops, I can’t format it because I haven’t partitioned it:

      [root@server2 ~]# vgcreate vgsan /dev/sdb
      Device /dev/sdb not found (or ignored by filtering).
      Unable to add physical volume '/dev/sdb' to volume group 'vgsan'.

      I can’t create a volume group to create a logical volume, to format the volume as an LVM volume and then re-format it to xfs.
      With a block device it worked like a charm, but with the fileio it does not; the file has permissions 770 on the target.

    • I have permissions 0640 on the file on the target, and I have no issues adding /dev/sdb disk to a VG.

      You may want to take a look here for iSCSI target configuration.

    • Tomas, the issue with iscsifile is fixed: it was caused by the fact that I was creating the file on filesystem prior to adding it in targetcli, so it was zero-sized )) No need to create the file on filesystem

  8. and Tomas, “Configure server2 for passwordless root authentication against the server1.” – did you mean configuring ssh-agent?

    • What I mean is this: configure SSH authentication in such way that the root user would be able to connect from the server2 to the server1 without using a password.

  9. iSCSI: will a special device be provided to create an LVM group/volume/block/LUN on, like a new device /dev/sdb?
    If not, should I create it on the existing “centos” volume group?

  10. It’s very weird. Doing exactly the same as before on two installations (7.1 and 7.2) and getting this:

    [root@server2 ~]# mount -t nfs4 -o sec=krb5p,vers=4.2 server1.example.com:/srv/nfssec /protected --verbose
    mount.nfs4: timeout set for Fri Dec 2 00:23:43 2016
    mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.0.102,clientaddr=192.168.0.104'
    mount.nfs4: mount(2): Invalid argument
    mount.nfs4: an incorrect mount option was specified
    [root@server2 ~]# systemctl status nfs-secure
    ● rpc-gssd.service - RPC security service for NFS client and server
    Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
    Active: failed (Result: signal) since Fri 2016-12-02 00:20:21 +07; 2min 15s ago
    Process: 739 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
    Main PID: 740 (code=killed, signal=SEGV)

    The service fails at the mount command. Found similar bugs on Google.

  11. Dec 2 03:17:36 server2 systemd: Starting Session 1 of user root.
    Dec 2 03:18:43 server2 kernel: FS-Cache: Loaded
    Dec 2 03:18:43 server2 kernel: FS-Cache: Netfs 'nfs' registered for caching
    Dec 2 03:18:43 server2 kernel: NFS: Registering the id_resolver key type
    Dec 2 03:18:43 server2 kernel: Key type id_resolver registered
    Dec 2 03:18:43 server2 kernel: Key type id_legacy registered
    Dec 2 03:18:43 server2 rpc.gssd[738]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
    Dec 2 03:18:43 server2 rpc.gssd[738]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
    Dec 2 03:18:43 server2 rpc.gssd[738]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
    Dec 2 03:18:43 server2 rpc.gssd[738]: process_krb5_upcall: service is '*'
    Dec 2 03:18:43 server2 rpc.gssd[738]: krb5_use_machine_creds: uid 0 tgtname (null)
    Dec 2 03:18:43 server2 rpc.gssd[738]: Full hostname for 'server1.example.com' is 'server1.example.com'
    Dec 2 03:18:43 server2 rpc.gssd[738]: Full hostname for 'server2.example.com' is 'server2.example.com'
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for [email protected] while getting keytab entry for '[email protected]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for [email protected] while getting keytab entry for '[email protected]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]
    Dec 2 03:18:43 server2 kernel: traps: rpc.gssd[738] general protection ip:7f6e27de3e96 sp:7fff5b2cc878 error:0 in libc-2.17.so[7f6e27ca6000+1b7000]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for host/[email protected] while getting keytab entry for 'host/[email protected]
    Dec 2 03:18:43 server2 systemd: rpc-gssd.service: main process exited, code=killed, status=11/SEGV
    Dec 2 03:18:43 server2 systemd: Unit rpc-gssd.service entered failed state.
    Dec 2 03:18:43 server2 systemd: rpc-gssd.service failed.

    Strange, klist -k shows the keys are in place. On the servers kvno is 2 and on IPA the same keys are 1. But it was like this when everything was working.

  12. [root@server2 ~]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search example.com
    nameserver 192.168.0.103

    [email protected]'s password:
    Last login: Fri Dec 2 00:11:37 2016
    [root@ipa ~]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

  13. Looked back at my previous comments on the NFS topic: I think I should not use capitals in service names. I will re-register the services as nfs/serverX.example.com, ktrem and ktadd them to the keytab and re-deploy the keytab files on the servers.

  14. Hello Tomas,
    First I gotta thank you for sharing such a great resource, you cannot imagine how valuable this exam is for me. Thanks A LOT.
    I have a few notes, if you can help with them:
    1- Regarding objective 14 (port forwarding), here is my rule (ignore the change in IP address, it is my virtualization topology):
    rule family="ipv4" forward-port port="8080" protocol="tcp" to-port="80" to-addr="192.168.1.171"
    I guess it is right. I ensured IP forwarding is enabled, ensured the configs are permanent, reloaded firewalld (and the whole VM), but whenever I try to curl or lynx the srv2 machine at port 8080 it shows nothing and the connection times out. No errors, no logs in httpd on srv1, no SELinux issues. I have no clue whether it is working or not. Just for testing I added masquerade to the public zone in srv2 but nothing changed, added logging to the rule but no logs appear, removed the host restrictions from the default website in srv1, still nothing. Am I missing something?
    =============================
    2- In objective 7, “Configure server1 to be a router.”, does this imply that I should automatically enable masquerade on the public zone? Or is the sysctl IP forward enough?
    ============================
    3- Objective 14 again, regarding logging the SSH connection: the objective asked for the log level to be debug, while the log level in rsyslog is info, so I had to edit rsyslog.conf to be able to check the logging. I recommend that you change the requested log level to info or warning just for the objective to make sense.
    ============================
    4- Objective 5 “NTP”: when the objective states that it needs NTP, do I have to do it using ntpd, or is chrony fine? I know that the IPA server uses ntpd; is it compatible with chrony?
    =============================
    5- What is the estimated time for completing this exam? For me it took about 5 hours!! I am slow, I know, but I am asking about the average amount of time for those 20 tasks.

    I am scheduling my exam within 10 days, I would appreciate your assistance and again Thank you for such great resource.

    • Thanks for the kind words, and you are welcome. Please see my comments to your questions below.

      1. Your firewalld rich rule looks good. You need to connect from the srv1 to srv2.rhce.local:8080 to see if the port forwarding works. You are effectively making a connection from the srv1 to the srv2 to browse the web page that is hosted on the srv1 (due to port forwarding back to the srv1).

      2. I won’t tell you the answer, but I’ll give you a hint to figure it out yourself. In practice, is a router going to work without masquerade? Or will it be useless?

      3. You misread the question. There is no mention of rsyslog at all. Hint: for firewalld SSH logging. You need a rich rule.

      4. The question does not specify the tool you have to use to achieve the goal, therefore use any suitable software you find on a RHEL DVD to get the job done. You are fine as long as both servers can synchronise their time with the FreeIPA machine.

      5. The RHCE exam is 3.5 hours, therefore that’s as much time as you get in reality. When I was practising for the exam, I was able to solve those 20 sample questions in just under 2 hours. Hope that helps.

  15. Thanks for your reply,

    1- I got it working by applying masquerade to the dmz zone in srv2. It makes sense now, as the reply from srv1 should use the same route back. The visitor should be dealing only with srv2, so srv2 should masquerade (hide) anything beyond it.

    2- Sure got your point in here.

    3- I get it, I know it is rich-rule logging, I solved it, but my point is: the question is asking to set the log level to debug, while by default rsyslog will not write debug messages to /var/log/messages, so even with the right rich rule it won’t log anything.

    4- Yeah good to know.

    5- O_O 2 hours!! I am turtle slow, sure I need to work on it.
    Once more Many thanks for your help, I wish you all the best during your career life.

    • With regards to the question #3, the question didn’t ask you to configure rsyslog. Please leave it alone.

      Systemd uses journal, that’s all that matters in this case. The journal is implemented with the journald daemon, which handles all of the messages produced by the kernel, initrd, services etc. When you configure firewalld to log debug level messages, these are logged into systemd journal.

  16. Hey Tomas, I have added a rich rule to log SSH packets with prefix and limit and reloaded firewalld config and logged in to the server via SSH, but nothing is logged. Is there anything else I should do?

    • I faced that issue, my problem was I was expecting firewalld to log in /var/log/messages, while it was actually logging in journald.
      As I discussed with Tomas, rsyslog prevents log priorities lower than info from reaching /var/log/messages, so as the question asks you to set the log level to debug, to find it you should check journald, or modify rsyslog.conf (which Tomas clearly advised against).

    • Always check with journalctl. RHEL 7 focuses on systemd and journald, therefore I advise you to do the same for the sake of the exam.

      I’d like to clarify myself, I was trying to say that you don’t have to modify rsyslog.conf to see the logs – you simply need to look at the right place.

    • [root@server2 /]# firewall-cmd --list-all
      dmz (default, active)
      interfaces: ens32 ens34 team0
      sources:
      services: mysql ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
      rule family="ipv4" source address="192.168.0.104/32" service name="ssh" log prefix="SSH_" level="debug" limit value="2/m" accept
      rule family="ipv4" source NOT address="192.168.0.102/32" service name="mysql" reject

    • Tomas, what do you prefer, tailf on /var/log/messages? tailf /var/log/audit.log?
      Or journalctl -xe?

      You know what confuses me here: in my examination, I only had 1 screen for my RHCSA. I wonder why you can open 3 screens…

    • I usually do tailf on /var/log/audit/audit.log as well as “journalctl -lf” to continuously print new entries as they are appended to the journal, and sometimes tailf on /var/log/maillog if it’s required.

      I don’t tail the messages file because things are logged in the system journal.

  17. Dec 08 20:37:49 server2.example.com sshd[6671]: Accepted password for root from 192.168.0.102 port 53582 ssh2
    Dec 08 20:37:49 server2.example.com systemd[1]: Started Session 15 of user root.
    Dec 08 20:37:49 server2.example.com sshd[6671]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Dec 08 20:37:49 server2.example.com systemd-logind[714]: New session 15 of user root.
    Dec 08 20:37:49 server2.example.com systemd[1]: Starting Session 15 of user root.

    but no SSH_ prefix there

    • Can you post the output of the following?

      # iptables -v -nL|grep LOG|awk '{ print $1" "$2" "$11 }'

      This will show the number of hits for the rule.

  18. in the rule, I should specify address of the remote machine, right? I have added 2 rules with both addresses, but nothing

  19. [root@server2 ~]# iptables -v -nL|grep LOG|awk '{ print $1" "$2" "$11 }'
    0 0 dpt:22
    0 0 dpt:22

    • That explains it, there is nothing logged because you never hit those rules.

      Are you connecting from the server with the IP of 192.168.0.104?

      Try removing both rules and add a new one without any source address filtering.

  20. Dec 08 21:51:12 server2.example.com kernel: SSH_IN=team0 OUT= MAC=00:0c:29:ce:05:76:00:0c:29:42:15:fe:08:00 SRC=192.168.0.102 DST=192.168.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30236 DF PROTO=TCP SPT=53624 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0

    yep , looks great. thanks again))

    • So your firewalld rule was incorrect, you had the source address listed as 192.168.0.104 when you were actually connecting from 192.168.0.102.

  21. And about restricting access to services using rich rules: firewalld applies restriction based on what? All ports listened by the service, or based on /etc/services lookup, or based on selinux ports labels? I made a restriction to service name=ssh and it worked for both ports 22 and 2222. but with mysql service it did not work.

  22. And, sometimes the “source address” rule works, and sometimes “--add-service” + “not source address restrict” works. That’s weird.

  23. Seems Sander van Vugt has an outdated task in his sample exam 1: configure server1 to offer the contents of /repo as a repository via FTP. Doesn’t he?

  24. Hi Tomas,

    I have couple more questions,
    1- In the webserver question, when I add
    SSLProtocol all -SSLv2 -SSLv3
    I cannot browse the website using “lynx https://server1”, same thing if I try from server1 or server2. I tried using elinks, same result. Here is the error log:
    [Tue Dec 13 18:28:35.961440 2016] [authz_core:error] [pid 5013] [client 192.168.1.172:49818] AH01630: client denied by server configuration: /var/www/html/

    Clearly it is a problem caused by ssl version, is it a client or server issue?
    =====================
    2- In the “write script” question 20 ,, as the question stated, I was able to write the script to accept only “users.txt” as input, I am asking what if the user used the script like this: “./root/newusers /root/users.txt” according to the question it should output the “Input File Not Found” message but here is my question >> what if I wanted it to work? I thought about it but couldn’t figure it out, how can I check for the file name regardless of the path? I could confirm that it is a readable file, but how would I check its name to match the “users.txt” pattern?
    Best regards

    • Regarding the issue #1, the error log that you posted refers to one of Apache authentication modules and access is being denied due to server configuration. This has nothing to do with SSL as far as I see, as otherwise the session would’ve been dropped way before the auth came into play. Try accessing that URL with curl – if it works, then SSL problem is client-related (lynx/elinks in this case).

      In terms of #2, you could strip everything from the path that was supplied except the file name part. That would allow you to check its name.

    • Thanks, I got it working using curl -k , so I believe it is client related issue.
      Regarding the script, I did it using the “basename” command, works like charm.
      Appreciate your assistance.

  25. Example of script from question 20.
    #!/bin/bash
    # Usage message if no argument; otherwise add every user in the file with a
    # nologin shell, or report the missing file. Quoting and "exit 0" corrected.
    if [ -z "$1" ]; then
        echo "Usage: /root/newusers users.txt"
    elif [ -f "$1" ]; then
        for i in $(cat "$1"); do useradd -s /sbin/nologin "$i"; done
    else
        echo "Input File Not Found"
    fi
    exit 0

  26. I know most likely there will be a question asking me to write a script. However, I have ZERO bash scripting or any programming knowledge or experience. I’ll try and memorize some example scripts for the exam but for the most part am I just gonna take the hit on this question if it shows up?

  27. Hi,

    First off – thanks for this resource.

    Both yourself and CertDepot have put in a hell of a lot of work. It really is appreciated!

    Second – I assume the IPA server is provided to us in the exam and we don’t actually need to setup that part ourselves?

    Thanks,

    • You’re welcome Jerome. Setting up an IPA server is not part of exam objectives. I hope this answers your question.

    • Thank you.

      But, I think that you just copied this from another place and you are looking for the answers.
      I invite you to watch some of my videos on my channel. Probably you will see all the answers to all the above questions.

      Regards

    • Hi,

      @Tomas. Great post. Thanks you very much for sharing.

      @guest1, can you share your youtube channel?

      Thanks much!

  28. @Tomas, thanks for the challenge. I will redo it again, because if the exam was today I would have failed.
    I’ve learned my lesson: to read more carefully. Deploying the DB on the wrong server wasted a lot of time :)

  29. Tomas,

    could you advise on the following. If something is not specified in the requirement – it should be via default or as I want.
    To be more specific- in 17.1 the location of the DocumentRoot for these websites is not defined. Should it be in “/var/www/html” or wherever I want ?
    Thanks in advance for your comment.

    • I can tell you what I did, if something wasn’t specified or explicitly asked, I used defaults, would that be configuration settings, location etc.

    • You’re more likely to lose points by trying to be clever. Just stick with the defaults unless told otherwise.

    • Not sure about the part of losing points, but I second the rest, just stick with the defaults unless told otherwise.

  30. Hi Tomas,

    I have passed my RHCE and although I was aiming for full 300 points , I got only 270.
    I can share that the exam seemed easy after 3 weeks of serious training and trying different setups. I managed to complete the last task 55 min before the end and after that I verified my tasks several times. I have learned a very important thing with this sample exam – to READ carefully, as some of the tasks are tricky.

    For all of you that will attend an EX300 session – just train a lot and you will pass. Just READ your tasks in advance, and realise what is required. As Tomas mentioned – look at it from a client’s perspective. No matter how well you have deployed your service – if it can’t be accessed – it’s just not working.

    • Congrats on passing the RHCE exam! 270 is a very good mark!

      Same here regards the time management, the exam isn’t hard if you cover different setups while studying, and there is plenty of time to do each task if you read carefully. It takes double if not triple the time to fix something if you misread a question, therefore do spend 10 minutes reading the whole thing, you won’t regret it.

      Once again, my congrats, well done!

    • You can download the script from the link provided, store locally and pass the file as an argument, or you can script the download part, up to you really.

  31. > When the script is called with an argument users.txt, it should add all the users from the file.

    What if the user already exists? Do we need to worry about error handling?

  32. Hi! Thx for the info, that you provide for us.
    Could you pls explain question #3:

    > Configure the “dmz” firewalld zone to be the default zone on both servers server1 and server2, and ensure that the aggregated network connection uses the default zone.

    shall i add for dmz source address?
    firewall-cmd --add-source=10.8.8.0/24 --permanent
    ————-
    my firewall-cmd –list-all:
    dmz (default, active)
    interfaces: Team1 ens6 eth2
    sources: 10.8.8.0/24
    services: ntp smtp ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:

    without the --add-source parameter the firewall blocks all connections to the Team1 interface. Am I right?

    Thx in advance!

    • The question doesn’t ask you to configure any sources, therefore you don’t need to do that. Simply configure the dmz zone to be the default one, and make sure it’s used by the aggregated network connection.

    • If we have more than one network interface, by default we have more than one default route (If we did not set in nmcli defroute no). Then services where we are using just names or one ip from both working not properly. Because in routes we have metric and if metric closer to 1, this route goes as primary and this situation can bring problems and a lot of time for debugging(tcpdump’ing).

      How will be correct on exam in this situation?
      Few names like roundrobin (but it doesn’t work in /etc/hosts)
      set all possible interfaces in service for access from other side?

      Thx in advance!

    • The majority of the sample exam questions have weblinks to topic-related articles. Please check them to find instructions and hints for how to solve the questions.

    • The sample exam is based on published RHCE objectives. I had created the sample exam before I took the RHCE exam to help me practise.

  33. Ok, I’m using Sander van Vugt’s book, first edition, and I think the sample exam that’s included in the book does not cover the objectives very well.
    Hence the question. Keep up the good work!

    • Sander’s book was the book which I used myself.

      There are two RHCE practice exams available in the book, named A and B, and they cover the following objectives: repository creation, Kerberos with NFS, Apache, SSH, SMTP, DNS, Samba, MariaDB, network link aggregation, routing, scripting and probably other bits. What they don’t cover though is iSCSI.

  34. Hello Tomas.

    Thanks for this great content to pass rhce.
    I am about to appear in rhce with in couple of days.

    By looking at your sample exam, is it safe to assume that the paper setup will be the same as you have shown here?
    i.e.
    1) ipa server (smtp server, dns, with client machine records and MX records are in place during the exam, and the candidate does not have to worry about setting these things up)
    2) to set up kerberos nfs we need a keytab file; those will be provided during the exam. But the cert files?? Will they also be provided during the exam?

    I am facing some issues with smtp null client with MX records without dns by using local /etc/hosts.

    I understand that you may not be able to give any hints about the exam questions, but answering above question should not violate your NDA.

    • It’s just a sample exam I created before taking the exam therefore I wouldn’t assume it will be the same, however, I would expect a similar structure.

      Setting up an IPA server is not the exam requirement therefore you will not be asked to do that. With regards to Kerberos, everything that is necessary to set it up will be provided to you during the exam.

  35. Is it possible during the test to use ssh instead of kvm console, and can you access apache manual with gui web browser?

  36. Also,I’m getting mount error(112) host is down on client while try to mount with minimal user.Please suggest to me.Thanks!

  37. Those question are so far away from the real exam. There is no benefit reading/practicing those at all

    • The purpose of the sample exam is to help you practise.

      If you’re looking for a way to sharpen your skills, then practicing is always beneficial.

      Thanks for your feedback!

    • There is a far difference between working in real life and passing the exam. questions in the exam really make no sense compared to reallife problems.

  38. Hi Tomas,
    I just wanted to say thank you for providing this extremely valuable RHCE resource. I have found it to be a huge help and I sincerely appreciate you taking the time and effort to provide it.
    Pete

  39. Hi Tomas, thank you for your work.

    I have got a question about Webserver tasks.
    In tasks 17.1 and 17.2 we are supposed to configure apache for the web sites http://srv1.rhce.local and http://srv1.rhce.local/group.
    But at step 17.3 we have to create a VirtualHost and the other websites must still be accessible.

    In other words we were not supposed to create Vhosts in steps 17.1 and 17.2, but when we are using a Vhost in step 17.3, everything becomes a Vhost and http://srv1.rhce.local is not accessible anymore.

    So are we supposed to reconfigure the websites from steps 17.1 and 17.2 as Vhosts?

    I have had the same instructions in a real RHCE exam and I’m not sure if my configuration was good. I created a Vhost for http://srv1.rhce.local with an Alias to access http://srv1.rhce.local/group and another vhost for http://vhost1.rhce.local.

    Do you think that my configuration was good ?

    • I can’t stress this enough that for RHCE you have to read all questions to see the bigger picture of what is required. Tasks 17.1 and 17.2 ask you to create a website, therefore you can use virtual hosts if you want, it’s up to you. There is nothing that says “don’t use virtual hosts for 17.1 and 17.2”. I hope this clarifies things.

  40. Hi, Tomas,

    First, I want to echo the plethora of comments here thanking you for building and maintaining this site. With your help, I passed my RHCSA with a perfect score and, as of about an hour ago, passed my RHCE with an acceptable score. I can’t imagine putting this together and answering all of these questions is easy, so please know that your hard work is highly appreciated!

    I had a problem with Q. 15 that I’m having trouble reproducing, but I still have my terminal output (I rebuilt the environment). When I rebooted the iSCSI target server, the block device would not come back. The fileio device was fine after a reboot (and yes, target.service was already enabled!). If I added the block device back manually using targetcli, it worked fine until I rebooted again.
    Here is a line from systemctl status target.service -l:

    Feb 20 17:19:14 srv1.rhce.local target[1215]: Could not create StorageObject block1: Device /dev/datavg/lv_iscsi is not a TYPE_DISK block device, skipped

    Maybe it’s a moot point since I’ve passed the exam already, but I am still curious.

    Thanks again!

    • Hi Matthew,

      First of all, congratulations, and welcome to the RHCE family!

      To answer your question, although I didn’t come across this problem during my studies, I received feedback from people who did. It looks like if you use LVM in both your iSCSI host and guest, you have to edit /etc/lvm/lvm.conf and configure global_filter. You may want to give it a go and see if that makes a difference.

    • Hi Tomas,

      The solution to exclude the /dev/vd* in lvm.conf via global_filter fixed my problem. This problem was caused when the lvscan picked up the formatted (lvm) disk, which interfered with my iscsi target server’s config. It claimed that the device “was already in use” despite no process being attached to it.

      Take note: this only happens when the initiator formatted the disk as LVM. With ext4 or xfs there were no issues.

  41. Hello,
    In the chapter https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-rhel-7/ examples are tested by the elinks browser.
    I recommend using curl for checking tasks related to the Web server section and others, because when I tried to check the website (point 17.3) with alice’s credentials I got a 401 error, whereas the web page from 17.2 opened fine using elinks and the same credentials.
    $ curl --user alice:password http://vhost1.rhce.local works properly in all cases.

  42. Hello, Tomas! I’ve just received a message from RH with ‘EX300.. Result: PASS’ =)

    Perhaps my experience can be useful for someone.
    To prepare for EX200 I used M.Jang/A.Orsaria guide and practice – it’s enough.
    For EX300 exam I used your site, M.Jang/A.Orsaria and Sander van Vugt certification guides.
    This site + Jang/Orsaria is more helpful. Van Vugt is also good, I used it additionally.
    And of course the key of success is practice in a process of preparing.

    Also I think if you are not a Linux system administrator it probably will be difficult to pass EX300 for the first time.
    But anyway it’s a very valuable experience)

    Some important advice: don’t rush, don’t think about time and don’t “scan” the exam questions.
    Read it carefully, do tasks slowly and consistently. If you’re doing all slowly, you’ll do more than if you’re doing it rapidly.

    I want to say thank you for this resource, for your hard work.
    I will definitely recommend it to the Russian audience. Thank you!

    • Hi Andersson, this is superb, my congratulations! And welcome to the RHCE family!

      I’m really glad that you found the website useful, and your feedback is greatly appreciated (спасибо тебе большое). I’m sure that others will find it helpful.

  43. Q5: Firewall should allow access to port 5555 from srv1.rhce.local only.

    How to write firewall rule for this task.

  44. 15. iSCSI Target :

    I am not able to enable authentication for acls only. rather its gets enabled for whole tpg

    Kindly advice

    my configuration is below:

    /> ls
    o- / ......................................................................................................................... [...]
      o- backstores .............................................................................................................. [...]
      | o- block .................................................................................................. [Storage Objects: 1]
      | | o- block1 ............................................................ [/dev/vg_iscsi/lv_iscsi (52.0MiB) write-thru activated]
      | o- fileio ................................................................................................. [Storage Objects: 1]
      | | o- file1 .................................................................... [/root/file1.img (10.0MiB) write-thru activated]
      | o- pscsi .................................................................................................. [Storage Objects: 0]
      | o- ramdisk ................................................................................................ [Storage Objects: 0]
      o- iscsi ............................................................................................................ [Targets: 1]
      | o- iqn.2018-03.local.rhce:target ..................................................................................... [TPGs: 1]
      |   o- tpg1 .......................................................................................... [no-gen-acls, auth per-acl]
      |     o- acls .......................................................................................................... [ACLs: 2]
      |     | o- iqn.2018-03.local.rhce.srv1 ............................................................. [mutual auth, Mapped LUNs: 1]
      |     | | o- mapped_lun0 ................................................................................ [lun1 block/block1 (rw)]
      |     | o- iqn.2018-03.local.rhce.srv2 .............................................................. [1-way auth, Mapped LUNs: 2]
      |     |   o- mapped_lun0 ................................................................................ [lun0 fileio/file1 (rw)]
      |     |   o- mapped_lun1 ................................................................................ [lun1 block/block1 (rw)]
      |     o- luns .......................................................................................................... [LUNs: 2]
      |     | o- lun0 ................................................................................. [fileio/file1 (/root/file1.img)]
      |     | o- lun1 .......................................................................... [block/block1 (/dev/vg_iscsi/lv_iscsi)]
      |     o- portals .................................................................................................... [Portals: 1]
      |       o- 192.168.56.112:3260 .............................................................................................. [OK]
      o- loopback ......................................................................................................... [Targets: 0]
    />

    srv1. auth is enabled …

    /iscsi/iqn.20...e:target/tpg1> acls/iqn.2018-03.local.rhce.srv1/
    /iscsi/iqn.20...cal.rhce.srv1> get auth
    AUTH CONFIG GROUP
    =================
    mutual_password=asif10
    ----------------------
    The mutual_password auth parameter.
    
    mutual_userid=asif
    ------------------
    The mutual_userid auth parameter.
    
    password=asif10
    ---------------
    The password auth parameter.
    
    userid=atif
    -----------
    The userid auth parameter.

    srv2: no auth;

    ==========
    
    /iscsi/iqn.20...e:target/tpg1> acls/iqn.2018-03.local.rhce.srv2
    /iscsi/iqn.20...cal.rhce.srv2> ls
    o- iqn.2018-03.local.rhce.srv2 ........................................................................ [1-way auth, Mapped LUNs: 2]
      o- mapped_lun0 .......................................................................................... [lun0 fileio/file1 (rw)]
      o- mapped_lun1 .......................................................................................... [lun1 block/block1 (rw)]
    /iscsi/iqn.20...cal.rhce.srv2> get auth
    AUTH CONFIG GROUP
    =================
    mutual_password=
    ----------------
    The mutual_password auth parameter.
    
    mutual_userid=
    --------------
    The mutual_userid auth parameter.
    
    password=
    ---------
    The password auth parameter.
    
    userid=
    -------
    The userid auth parameter.

    • Login authentication is enabled either under the TPG node or under ACLs. If you want to enable it for an ACL, you can do so this way:

      /> iscsi/iqn.2003-01.local.rhce.ipa:target/tpg1/acls/iqn.1994-05.com.redhat:srv1/ set auth userid=client password=client

  45. under tpg >
    set authentication = 0

    i have have disabled that .

    and enabled it under acl as suggested by you .

    When auth is disabled under tpg it logs in from the client without auth.
    When auth is enabled under tpg it asks for username and password even for an individual acl.

    Just to summarize:
    set auth = 0 ( under tpg )
    and set user and password ( under individual acl )
    Is this the procedure to solve the question?
    or some other steps are required ?

    • Again, authentication in a normal session may be set at the TPG level, or per ACL. Kernel’s target subsystem only uses one or the other, depending on the TPG’s attribute setting. You can check the man page of targetcli for more info.

  46. Thanks Tomas for your reply.

    Just to rephrase my question.

    Authentication is enabled on per ACL Basis.
    i.e.

    under tpg 
    =========
    
    /iscsi/iqn.20...:target8/tpg1> get attribute authentication
    authentication=0
    
    under ACL:
    ==========
    /iscsi/iqn.20...al.rhce:test1> get auth
    AUTH CONFIG GROUP
    =================
    mutual_password=
    ----------------
    The mutual_password auth parameter.
    mutual_userid=
    --------------
    The mutual_userid auth parameter.
    password=username
    ---------------
    The password auth parameter.
    userid=password
    -----------
    The userid auth parameter.
    
    ================

    As per the target configuration , It should only allow access to this acl using mentioned username/password

    On Client:

    /etc/iscsi/iscsid.conf
    If I disable (#) the CHAP settings, i.e. remove the user/pass settings:
    #node.session.auth.authmethod = CHAP

    It should not be able to access the acl and should throw a user/password error? Correct me if I am wrong.
    but it get logs into the target and i am able to mount iscsi drives on the client even without password.

    Kindly support

  47. update:
    I have tried the same setup on fresh machines. just to be sure that nothing is wrong with my configuration.
    same result

    it logs in even without password.

  48. [root@test1 ~]# rpm -qa | grep targetcli
    targetcli-2.1.fb34-1.el7.noarch

    [root@test1 ~]# cat /etc/redhat-release
    CentOS Linux release 7.0.1406 (Core)

    Tomas,

    Have you tried to achieve this task on your test lab. does it produce the required results as mentioned in the question ?

    • I did test CHAP authentication when studying for the RHCE exam and it worked for me. It’s been a while ago to be honest, I don’t think I tested it as much as you do.

  49. Hi Tomas,

    I’ve ran through this a few times on 7.0 and found somewhere around rebooting after adding the iscsi disks srv2 would hang for about 2 minutes per reboot. It’s random and doesn’t happen every reboot. I’m not sure the cause but suspect it has to do with the mounts. If I umount /mnt/protected and /mnt/samba no hangs on reboot occur. I did find a close but not exactly the same type issue someone reported as a bug. The fix seems to work. Copy NetworkManager.service to /etc/systemd/system and add After=syslog.target dbus.service to the [Unit] section. Run systemctl daemon-reload or reboot and that seems to fix the hang.

    Thank you very much for this site and all you have contributed. I’ll sit my exam in a week and half and feel very prepared after reviewing all this content.

    Thank you,
    Steve

    • Hi Steve, no worries, and thanks for your feedback, as I’m sure that others will find it helpful.

      Also, best of luck with the exam!

  50. Hi Tomas,

    As I review I keep finding myself double checking number 14. In that question are you asking to setup logging and limit the logging to 2 per minute or the limit the ssh connections to 2 per minute?

    Thank you,
    Steve

  51. I wish I would have seen your site earlier. Failed the RHCE not by much but this lab would have gotten me ready.

    Great resource!!

    If you can set up this lab and understand and complete these questions this will help pass the RHCE big time!

    great job!

  52. Thanks for the great work you are doing on this site helping people improve their lives.
    Quick Question:
    In the RHCE Exam is it required to reset the password on both server1 and desktop and then login, or is a password provided for login? If not, could you refer me to any site where I can research how to login on server1 and desktop during the RHCE Exam.
    Is building an IPA server part of the RHCE exam?
    Thanks.

    • Hi, thanks for your feedback, it’s really appreciated!

      I cannot tell you what’s on the exam I’m afraid, but I can tell you that password reset is an RHCSA objective, not RHCE.

      Building an IPA server is not an RHCE objective.

  53. My problem is how set up your network for system 1 and system 2 . Would you be using dns value as the default gateway ? IN the exam you are not given any default gateway.

  54. Hi Tomas, thanks for the reply to my earlier question and for the suggestion of using xterm. But here I’m stuck again.
    I am unable to copy/paste between two xterm windows for both virtual machines, and even text from pdf and internet explorer. I have tried these combinations but nothing fruitful yet. Please help out.

    ctlr+shift+ c ctrl+shfit+v
    ctrl+c ctrl+v
    ctrl+c center mouse button twice.

    2nd question is about iscsi portals
    o- portals ................................................................ [Portals: 1]
    | o- 192.168.56.112:3260 (can I use the name “server1.example.com 3260” here? Will it work? It’s not working on my testing system)

    please suggest a solution I will be grateful.
    thanks and stay blessed

  55. Today I passed RHCE 7.0, Score 271. Kudos
    Thanks, Tomas, for such a nice website, very helpful, and very quick replies to my queries, really appreciated.
    Now I need suggestions on what else I can go for next: Ansible, OpenStack or anything else for good prospects.
    I have 2 tips I would like to share with others in this forum.
    1= make a habit of firewall-cmd --permanent ..... firewall-cmd --list-all
    2= Xterm is very good, but for the Kiosk based exam improve your typing speed or have supernatural eyesight

    thanks

    • Well done! And thank you for your feedback!

      If you want to dive into DevOps, then go for a configuration management tool, e.g. Puppet or Ansible. Docker and OpenStack are also popular.

    • Hi Rizwan,
      Xterm for copy paste? What can you say about Kiosk? Is it scarier than the classroom?

    • Thanks I had to take the individual exam and the laptop pretty much blows. It was slow and difficulty typing. The classroom desktop exam is much better. You also aren’t allowed a pen and paper on the individual exam. My next exam on the list is the ansible specialists. My work sent me to the class back in May and so I have a voucher to the exam. Didn’t take the class for the RHCE 7 class just studied on my own but fortunately my work will give me my money back for the exam since I passed. Thanks and I recommend your site to all my coworkers if they are studying for the RHCSA or the RHCE. It is really good.

  56. Hi Tomas,

    I am so impressed with the content here.
    Please I am planning to sit RHCE in March 2019, any help and suggestions will really be a privilege.
    Thanks

    • Thanks for reaching out. With regards to suggestions, read all RHCE-tagged blog posts and practise the sample exam until you can complete it in 2 hours, then take the RHCE exam. Good luck with your studies!

  57. The screen used during the exam is small. Any tips on using xterm and making the font little bigger. Bottom line time is not our friend during the exam, any suggestion to speed things up, like copy/paste or switching to graphical mode?

    • You can change xterm font settings under preferences.

      My advice is simple: type fast, avoid making too many typos and know where to find information (all three things will save you time). If you struggle to type fast, then practise typing. In most cases you will find typing less time consuming than copying something from a man page.

      I don’t know about the graphical mode, I don’t use it.

  58. Is the graphical interface available for the exam, or are we allowed to switch to it? Wondering whether we will be allowed to use Firewall configuration from Applications -> Sundry -> Firewall?

    • I don’t use GUI, therefore I really don’t know. You can try reaching out to the Red Hat certification team, perhaps they’ll be able to advise.

  59. I passed RHCE few days ago with a score of 281. No linux background and current job doesn’t give any opportunity to practice so it was a lot of self-study and scripting all the requirements.

    I was doing 2 hours in practice, but had to use all of 3 1/2 hrs in the exam. The exam is not really tough. It’s just a lot of tasks to complete. If you get stuck on one, it might be better to skip and come back to it in the end

    One tip – practice on 7.0. The current version has some differences on a few important objectives.

    Tomas, I came back to this site many times over the last year for tips and learnings. This is a great resource and thanks for creating it.

    • Well done, 281 is a superb score for somebody with no Linux background! Thanks, and all the best for you in the future.

  60. Hi Tomas

    Aboud 17.4. Dynamic Content Configuration

    I set up mariadb as a prerequisite to 17.4. Using user JOHN I am able to query from the mysql shell.

    I set up /srv/www/scripts/index.php with the following permissions: root root system_u:object_r:httpd_sys_content_t
    and created a vhost with the following content (the VirtualHost and Directory tags were lost in the comment; port 8888 is the one used below)

    <VirtualHost *:8888>
    documentroot "/srv/www/scripts/"
    <Directory "/srv/www/scripts">
    options none
    allowoverride none
    require all granted
    </Directory>
    ServerName dynamic1.rhce.local
    serveralias dynamic1
    loglevel info
    ErrorLog "logs/dynamic1-error-log"
    CustomLog "logs/dynamic1-access_log" common
    </VirtualHost>

    When I run “elinks http://dynamic1.rhce.local:8888” it shows nothing, and in the dynamic1 error log it shows

    [Tue Apr 09 15:13:50.129876 2019] [:error] [pid 20613] [client 10.8.8.50:35124] PHP Fatal error: Call to undefined function mysql_connect() in /srv/www/scripts/index.php on line 6

    Now i checked mariadb is running on port 5555 on ipv4

    tcp 0 0 10.8.8.50:5555 0.0.0.0:* LISTEN 20567/mysqld

    my.cnf output

    [mysqld]
    port = 5555
    #skip-networking = 1
    bind-address = 10.8.8.50
    datadir=/srv/mariadb
    socket=/var/lib/mysql/mysql.sock

    What am I missing? mod_php is already installed.

    • You don’t have MySQL database support for PHP, that’s what the error message says.

      You need php-mysql package.

    • Yup, didn’t install the package. I installed mod_php but didn’t install the mysql-php package. But now I’m receiving this error: I enabled the boolean httpd_can_network_connect_db and restarted mariadb and httpd, and now I’m getting “unable to connect to ‘127.0.0.1:5555’”

      firewall rules added:

      rule family="ipv4" source address="127.0.0.1" port port="5555" protocol="tcp" accept
      rule family="ipv4" source address="10.8.8.50" port port="5555" protocol="tcp" accept

    • Ok, found the issue. In index.php I set dbhost to localhost:5555. Also I didn’t apply any firewall rule, as both DB and HTTPD are local.

  61. Hi Tomas,

    During the RHCSA exam I faced one big problem: they were using a small laptop and the font was very big, so text was wrapping to the next line. Is there a way to decrease the font size? I looked for it but didn’t find any working solution.

  62. Yesterday I sat the exam and failed in the most awesome way. Can’t believe I made those mistakes. In such an exam time is really the enemy. On just link aggregation I spent 45 mins on both machines combined, and normally I do this task in 5 mins max. Kept making stupid mistakes. But there is always a lesson to learn. And for kerberised nfs there is a big twist, keep your eyes open.

  63. Hi Tomas,
    Thank you for this. Question to you. From the sample exam. Is there a way we can test it? like objective 14. How will you know it is working?
    Thanks

    • Of course, you can test and verify every single task.

      With regards to #14, the port forwarding rule uses the Apache webserver that you configure in #17. You can easily test the rule by using elinks. You should get a web page.

      As for SSH logging, simply check the log file. If the prefix is there, then you are all set.

    • @BeerBeach For port forwarding, the nc command is your very best friend. This is what I did:

      On the IPA server I started a listener using “nc -l 5433”, and on System1 (10.8.8.50) I added the forward rule ‘rule family="ipv4" source address="10.8.8.0/24" forward-port port="5423" protocol="tcp" to-port="5433" to-addr="10.8.8.2"’, and to test it, from system2 (10.8.8.51) I did telnet to system1 on port 5433.

      telnet 10.8.8.50 5423
      Trying 10.8.8.50...
      Connected to 10.8.8.50.
      Escape character is '^]'.

      Whatever you type will display on the IPA server.

  64. Thank you Tomas,
    I know I just read this a while ago. Is it good if I create a script that will

    1. install all the packages
    yum install php mariadb-server httpd iscsi-initiator targetcli nfs curl lynx etc
    2. Create a script to do the firewall or add-rich rule
    for i in 3260 80 8080 (name all the ports in the objective)
    do
    firewall-cmd --permanent --add-port=$i/tcp; firewall-cmd --reload; done
    3.Then configure

    Have you ever done something like that in the exam?

    • Why would you do that? The time that it takes to write a script can be used to run the commands which you would put in that script.

    • Why? Just in case, so you will not miss anything. Example for number 2: do a for loop over all firewall ports so you won’t miss any, or a for loop for enabling all services?

    • You can pass all ports you want opening to a single command, e.g.:

      # firewall-cmd --permanent --add-port={21,80,443,8080}/tcp

    • My approach would be to check the input and proceed depending on the outcome.

      Take an argument from the CLI and check whether it matches the expected file name. If it does, then check the actual file to make sure that it exists and is not empty. If so, then read the file line by line and create users accordingly.

      If the argument does not match the expected file name then print an error. If there is no argument supplied then print the usage message.

      Also, you can use ShellCheck to find bugs in your shell script.

  65. I did this for scripting, but something is missing. It is not complete.

    #!/bin/bash
    if [ $# -eq 0 ]
    then
    echo "$(basename "$0") "
    exit 1
    fi

    case $1 in
    userlist)
    if [ -f /home/a/dfile ]
    then
    for user in $(cat /home/a/dfile | awk -F: '{print $1}')
    do
    useradd -s /bin/false "$user"
    done
    echo "file is there"
    else
    echo "Input file is not there"
    fi
    ;;
    esac
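    As an added example (not the page’s own script, nor the scripts posted in comments 25 and 65), here is a version of /root/newusers written the way the reply in comment 64 describes it: check the argument against the expected file name, check that the file exists and is not empty, then read it line by line and create one account per line with a nologin shell, skipping accounts that already exist (the case raised in comment 31). The file name users.txt comes from question 20; the USERADD_CMD override, the "first word of the line is the username" convention and the entry-point guard on the script name are assumptions made for this example.

```shell
#!/bin/bash
# Added example of /root/newusers (not the page's own script).
# Usage: /root/newusers users.txt
# Assumptions: the expected file name is users.txt; one username per line
# (first word of the line; blank lines and '#' comments are ignored); and
# USERADD_CMD may be overridden (e.g. USERADD_CMD=echo) for a dry run without root.

USERADD_CMD="${USERADD_CMD:-useradd}"
EXPECTED_NAME="users.txt"

usage() {
    echo "Usage: $(basename "$0") $EXPECTED_NAME" >&2
}

# Validate the argument, then create one account per line with a nologin shell.
# Return codes: 0 all users created or already present, 1 bad or missing argument,
# 2 file missing or empty, 3 at least one useradd failed.
add_users() {
    local file user line rc
    file="$1"
    if [ -z "$file" ]; then
        usage
        return 1
    fi
    if [ "$(basename "$file")" != "$EXPECTED_NAME" ]; then
        echo "Error: expected $EXPECTED_NAME, got $(basename "$file")" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "Input file not found or empty: $file" >&2
        return 2
    fi
    rc=0
    # Read line by line; the '|| [ -n "$line" ]' also handles a last line without a newline.
    while read -r line || [ -n "$line" ]; do
        user="${line%%[[:space:]]*}"           # first word only; also drops a trailing CR
        [ -z "$user" ] && continue             # skip blank lines
        case "$user" in \#*) continue ;; esac  # skip comment lines
        if id "$user" >/dev/null 2>&1; then
            echo "Skipping $user: already exists" >&2
            continue
        fi
        "$USERADD_CMD" -s /sbin/nologin "$user" || rc=3
    done < "$file"
    return "$rc"
}

# Entry point: runs only when the script is invoked under the name /root/newusers,
# so the file can also be sourced into another shell without side effects.
case "$(basename "$0")" in
    newusers) add_users "$1"; exit $? ;;
esac
```

    Running it as root with `/root/newusers users.txt` creates the accounts; with no argument it prints the usage line and exits 1, and with a wrong or empty file it exits non-zero without touching any account, which is the behaviour a grader would check first.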

  66. Hi Tomas,

    I have a question.
    17.1 says: “The content of the websites should be visible to everyone browsing from the localhost but should not be accessible from any other location”.
    14. says to forward incoming traffic on srv2:8080 to srv1:80.

    When testing task 14 from srv1, i.e. I’ve added http in firewall rules on srv1 to verify port-forwarding on srv2 (it works). But then we are able to access the basic webpage (“hello”) from other servers. Does this collide with 17.1?
    What was the intention of your task? Port-forwarding rule is not mandatory to “actually work” at the end of the exam (validation is performed i.e. just by comparing the output of firewall-cmd --list-all) *or* both should work and we need to resolve this in a clever way (elinks http://srv2.rhce.local:8080 opens “hello” web page when tested from srv1 && http://srv1.rhce.local is still browseable *only* from localhost?).
    If the latter is the case, can you hint how to tackle this?

    Thanks for your time and clarification :)

    • Note that as per question #14, the port forwarding rule has to be created on server2 and not server1.

      The port forwarding rule has to work, but you should not be able to view the content of the website unless you’re accessing it from localhost.

    • Hi Tomas,

      first of all, thanks for your answer, but maybe I didn’t explain this well :).
      Let me try again.
      Surely, I understand forwarding needs to be set on srv2 (“port-forwarding on srv2 (it works)”).
      What’s troubling me is the fact when trying i.e. this:
      srv1: # elinks http://srv2:8080
      I am getting “no route to host” (same with curl commands). Also, servers are able to ping each other and both are alive.

      What I’ve tried next? Of course, when adding http service in firewall rules on srv1, I am able to see webpage “hello” when running the same command as above from srv1. But I assume adding http service in firewall may not be good approach since we let everybody in. So, I assume this needs to be handled by using rich rules and/or some Apache configuration.
      Within rich language, the most I’ve managed to succeed is by setting source and destination addresses within firewall rich rules (+ firewall-cmd --permanent --remove-service=http && firewall-cmd --reload). But, again, I am able to access “hello” webpage from srv2 (this is also expected).
      So I assume something needs to be added in Apache conf. I’ve been considering Require, Location directives as well as limiting interfaces only to localhost/127.0.0.1 (either within Listen or within declaration in VirtualHost 127.0.0.1:80 tag). But didn’t manage to display webpage + nobody external to localhost can come in.
      Is there any hint you may provide how to approach this further on? :D

      In case you are interested in some more information on srv1/srv2 environment, I would be glad to provide it.
      Your advice is greatly appreciated and thank you once again for maintaining this blog!

      Kind regards

    • You’re getting closer. As you already realised there are different ways you can achieve this.

      I’d suggest implementing host-based security on Apache (Require host etc). It’s easier than having to mess around with firewalld rich rules, however, the choice is yours.

    • Hi Tomas. Thanks for your reply. I have to be honest and say this is just not quite clear to me.
      It’s either me misusing the directives or I don’t know.
      When I run i.e. elinks http://srv2.rhce.local:8080 on srv1 (and port-forwarding is triggered on srv2) source address which arrives on srv1 is *from srv2 and not srv1* (It shows in error logs as well).
      So, obviously my srv1 sees like srv2 is trying to come in. And the task is not to let any non-srv1 in. So, if I put Require host srv1.rhce.local => it does not work; if I add Require host srv2.rhce.local => it works, but then I am able to execute on srv2 as well elinks http://srv1.rhce.local and the page will be displayed (and it is supposed not to be).
      What am I doing wrong?

    • The source address will be from srv2, because that’s where the request is coming from, nothing wrong with that.

      When you say that it does not work, what does that actually mean? You cannot connect? You don’t see the page? You see an error page? What happens?

      Take a look at RequireAll directive.

    • Basically, I’ve managed to get all possible wrong variants you listed, but the one where this is actually working as you described :).
      Currently, I got test page when trying both curl -v -L http://srv2.rhce.local:8080 (from srv1) and the same when trying curl -v -L http://srv1.rhce.local (from srv2). I tried a bunch of options where localhost, 127.0.0.1 and srv1.rhce.local are Required (also with RequireAll and RequireAny directives) and/or when srv2.rhce.local is (not) allowed but just could not get it done in the way you described.
      Can you please be kind and provide more info on this behalf?

      Thank you very much for your patience

    • When you access srv2.rhce.local:8080 from srv1 you should get an error page saying that access is not allowed.

      When you access srv1.rhce.local from srv2 you should get an error page saying that access is not allowed.

      When you access srv1.rhce.local from srv1 you should get the page that says “hello”.

      Do you have reverse DNS configured for your hostnames?

      Post the lines from Apache log where it does not work as expected.
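      One Apache configuration that produces exactly the three results listed in the reply above, as an added example (it is not the blog's own configuration or the exam's answer key). It assumes the site content is in /var/www/html, the default DocumentRoot on RHEL 7; the VirtualHost name and path are assumptions for this example.

```apache
# Added example (not the blog's own configuration). Assumes the site lives
# in /var/www/html, the RHEL 7 default DocumentRoot.
<VirtualHost *:80>
    ServerName srv1.rhce.local
    DocumentRoot /var/www/html

    <Directory "/var/www/html">
        # "Require local" admits a client only when its address is in
        # 127.0.0.0/8, is ::1, or equals the server address of the
        # connection. A request forwarded by srv2's port-forward reaches
        # srv1 with srv2's source address (as observed in the thread),
        # so it fails the check and Apache answers 403 Forbidden.
        # RequireAll is where further conditions would be combined.
        <RequireAll>
            Require local
        </RequireAll>
    </Directory>
</VirtualHost>
```

      Because this rule matches on IP address rather than host name, it does not depend on reverse DNS the way `Require host` does, which removes one variable when results look inconsistent. To verify: `curl -sI http://localhost/` on srv1 should return 200, while `curl -sI http://srv1.rhce.local/` from srv2 and `curl -sI http://srv2.rhce.local:8080/` from srv1 should both return 403, and each refused request appears in /var/log/httpd/error_log as "client denied by server configuration" with the connecting address.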

    • Hi Tomas, once again, thanks for your reply.

      Oh, I would say it seems like I didn’t have an actual issue at the first place.
      According to your comment here:
      “With regards to #14, the port forwarding rule uses the Apache webserver that you configure in #17. You can easily test the rule by using elinks. You should get a web page.”, I assumed you are trying to say we should see “hello” when trying http://srv2.rhce.local:8080 from srv1. That’s why I reasked this in the initial post and you let me think displaying “hello” is desired behaviour, you sneaky :).

      No, jk… Good thing is I am finally in peace with this.
      Exam is approaching!

      Thank you once again for great blog and studying material!

  67. Hi all. I would like to share my experiences and impressions.

    Passed the exam a week ago with the 1st attempt. Lots of credits go to Sander and Tomas! Once again: Thank you very much Tomas!

    My experience: I believe I was overprepared and if things went smoothly, exam could be easily done in lenient 2hrs (did the classroom exam). I spent some time reading intro instructions, looking into tasks (since I assumed I must not overlook something important before even starting the exam) and started to panic after realizing it just passed half an hour already before I did almost anything. Ok, I’ll hurry up I thought. I followed the strategy from the night before. So, in case all topics actually appear on the exam I planned to do the following: (1) do “everything else”, then do (2) SMB, iSCSI, NFS (rebooting in between to make sure mounts are done as expected) and finally (3) HTTP tasks.
    I did all of it (besides iSCSI and HTTP) in the following 80mins and then... I made a “one char” typo while configuring the iSCSI :). 1 hour later (after trying various things and surviving Dracut 2 times), I’ve managed to sort it out so it was an easy closure with HTTP tasks in the following 20mins.
    During the exam, I didn’t find anything I didn’t know how to do, personally tried out homelabbing all the things and there was just one HTTP directive which caught me off the guard (but I saw how to deal with it on another place even though I didn’t try it on my own, so it was not kind of an issue really).
    I used this blog + Sander’s materials to prepare for this exam and it was more than sufficient.

    My advice:
    Be extremely well prepared. Don’t panic. Think of strategy you are about to apply on the exam and don’t lose your head during the exam. Did I say don’t panic? :)

    After turning on to Ansible specialist exam, I realized RHCSA/RHCE topics and studying materials are quite covered free of charge/affordable to regular people, but then there is a giant gap for other specialist exams (especially compared to RHCSA/RHCE). Hope this will improve in future times “in an affordable way” somewhere on the web.

    Good luck everybody! :)

    • Well done, my congratulations! I agree that reading the exam objectives takes time, but it’s crucial in order to understand the bigger picture and plan your work accordingly. There is a ton of free RHCE RHEL7 material on the Internet, you don’t need a paid training course to pass it. Having said that, the amount of time it takes to prepare will vary, however, it’s probably one of the most rewarding Red Hat exams there is!
