RHCE Sample Exam for RHEL 7

This is a sample exam that I’ve created after finishing RHCE studies. It is to prepare for the RHCE exam based on RHEL 7, which I have yet to take.

[Update August 2016]: I have passed the RHCE exam.

Requirements

There are 20 questions in total. You will need three RHEL 7 (or CentOS 7) virtual machines to be able to successfully complete all questions. I recommend registering with RedHat and downloading a RHEL 7 iso image free of charge.

One VM has to be configured as a FreeIPA server to provide LDAP, Kerberos, NTP and DNS services. Other two VMs will be used to solve the sample exam questions. These VMs need to have two network interfaces for link aggregation. They also need to have a RHEL DVD (.iso file) attached.

Tips and Suggestions

Read all questions and try to understand the whole picture of what is required.

Spend 10 minutes identifying packages that you are going to need, and then install everything in one go – this will provide you with a solid base to build on.

Enable all required services. Also, setup firewalld rules for any services that require them.

You obviously need to have a repository configured before you can install packages. However, in this particular case we use a locally mounted RHEL DVD image meaning that no network is required before we can install packages. This may not be the case on a real RHCE exam and you may need to set up networking in advance in order to get access to a repository.

If you can complete all 20 questions in less than 3 hours, then you are a full fledged shinobi and likely OK to take the Chunin exam.

Sample Exam Questions

It is assumed that you use the following details.

Hostnames:

  1. Server1: srv1.rhce.local
  2. Server2: srv2.rhce.local

IP addresses and networking:

  1. Server1: 10.8.8.71/24
  2. Server2: 10.8.8.72/24
  3. Name server: 10.8.8.70
  4. Gateway: 10.8.8.70

Once you configure networking with the details above, you will be able to resolve the following domains successfully (as they’re set up on the FreeIPA/DNS server):

  1. ipa.rhce.local
  2. srv1.rhce.local
  3. srv2.rhce.local
  4. vhost1.rhce.local
  5. dynamic1.rhce.local

The following LDAP (FreeIPA) users are available for testing:

  1. alice
  2. vince

Before you begin, reset the root user password to pass on both servers, server1 and server2.

1. Configure SELinux

Configure server1 and server2 to have SELinux running in enforcing mode.

2. Configure Repository

Configure a repository on server1 and server2. Use the RHEL 7 DVD that’s available on /dev/cdrom on both machines. The changes should persist after reboot.

3. Link Aggregation

Configure server1 and server2 for link aggregation, which watches for link changes and selects an active port for data transfers. The server1 should use the address of 10.8.8.71/24. The server2 should use the address 10.8.8.72/24. The gateway and the name server address is 10.8.8.70. The changes should persist after reboot.

Configure the “dmz” firewalld zone to be the default zone on both servers server1 and server2, and ensure that the the aggregated network connection uses to the default zone.

4. IPv6 Network

Configure previously configured aggregated network links with static IPv6 addresses. The changes should persist after reboot.

Configure a static IPv6 address on the server1 as fc00::a:b:c:71/64. Configure a static IPv6 address on the server2 as fc00::a:b:c:72/64.

5. NTP

Configure server1 and server2 to synchronise time with the NTP server ipa.rhce.local.

6. SMTP Configuration

Configure server1 as a null client to relay email from local system through ipa.rhce.local. All outgoing mail have their sender domain as rhce.local.

7. Kernel Parameters

Configure server1 to be a router. Also ensure that the server1 reboots automatically after 300 seconds in case of a kernel panic. The changes should persist after reboot.

8. Kerberos Authentication

Configure server1 and server2 for Kerberos authentication.

Use the following LDAP authentication details:

  1. Server: ipa.rhce.local
  2. Base DN: dc=rhce,dc=local
  3. LDAP cacert is available on ftp://ipa.rhce.local/pub/cacert.p12

There is an LDAP user alice created on the FreeIPA server, use it for testing.

Use the following Kerberos authentication details:

  1. Realm: RHCE.LOCAL
  2. KDC: ipa.rhce.local
  3. Admin Server: ipa.rhce.local

To test, you can obtain a Kerberos ticket for the user alice.

9. NFS Server

Configure server1 to provide a Kerberised NFSv4 share.

Set up a Kerberised NFSv4 share /srv/nfssec in a read-write mode and share it to the client srv2.rhce.local only. Enable krb5p security to secure access to the NFS share from URI ftp://ipa.rhce.local/pub/srv1.keytab. The owner of the share must be LDAP user alice.

10. NFS Mount

Configure server2 to mount a Kerberised NFSv4 share.

Mount Kerberised NFSv4 share /srv/nfssec on /mnt/protected directory persistently at boot time provided with the keytab ftp://ipa.rhce.local/pub/srv2.keytab. LDAP user alice should be able to write to the share.

11. MariaDB Server

Configure server2 to meet the following requirements.

Set up a default secure MariaDB database called shop with a user john with all privileges. The user john must be identified by “pass”. In this database, create one simple table with the name products that allows to store names varchar(20) and their prices int(10). Enter two products. Backup the database with mysqldump to /root/shop.sql.

MariaDB must listen on a TCP port 5555 with a dataroot on /srv/mariadb. Firewall should allow access to port 5555 from srv1.rhce.local only. The MariaDB root password must be “pass”.

12. Samba Server

Configure server1 to provide a Samba share. Share /srv/smb_docs directory via SMB. The SMB server must be a member of the DEVOPS workgroup. The share name must be docs. Only the host srv2.rhce.local should be allowed to connect to the docs share. The docs share must be browseable but not writable nor printable. User vince must have read-write access to the docs share, authenticating with the password “pass”.

Ensure that SELinux allows sharing of home directories.

13. Samba Mount

Configure server2 to mount a Samba share. Mount the Samba share docs permanently on /mnt/samba as a multi-user mount. The share should be mounted with the credentials of vince.

14. Port Forwarding

Configure server2 to forward incoming traffic on port 8080/tcp to 10.8.8.71:80 (srv1.rhce.local:80).

Also configure server2 for firewall SSH logging with a prefix of “SSH_” and a debug level, limit to 2 per minute. The changes should persist after reboot.

15. iSCSI Target

Configure server1 to provide iSCSI LUNs. Set up an iSCSI target with CHAP authentication (username=client/password=client) based on a fileio backstore /srv/iscsifile of 200MB. The logical block name should be file1. A local file system cache must be disabled to reduce the risk of data loss.

Also set up an LVM based block backstore of 100MB called lv_iscsi (use a volume group of your choice). The logical block name should be block1.

Use the IQN of iqn.2003-01.local.rhce:srv1 for the iSCSI server, apply standard firewall configuration. Create LUNs for both backstores, ensure the LUNs are available to the client iqn.2003-01.local.rhce:srv2.

16. iSCSI Initiator

Configure server2 as an iSCSI initiator. Use the IQN of iqn.2003-01.local.rhce:srv2 for it.

The datastore block1 should be formated as ext4 and mounted permanently on /mnt/san1.

The datastore file1 should be added to a new LVM volume group vg_san, a new 50MB logical volume lv_lun1 should be created, formatted as xfs, and mounted permanently on /mnt/san2.

17. Webserver

Configure server1 to meet all of the following requirements.

17.1 Secure Webserver

Configure a webserver for the site http://srv1.rhce.local. The webpage should say “hello”.

Also configure website http://srv1.rhce.local with TLS. Generate a self-signed certificate, the only requirement for the certificate is to match the webserver name srv1.rhce.local. Make sure that SSLv2 and SSLv3 protocols are disabled.

The content of the websites should be visible to everyone browsing from the localhost but should not be accessible from any other location.

17.2 Webpage Content Modification

Implement a website for http://srv1.rhce.local/group. Create a directory “group” under the document root used for the website. The webpage should say “group”.

The webpage must be configured for group-based authentication and require users to login. Only user alice, who is a member of the devops group, should be allowed to access the website with a password “password”.

17.3. Virtual Hosting

Setup a virtual host http://vhost1.rhce.local with the alternate document root under /srv/www/vhost1. The webpage should say “vhost1”. The webpage must be configured for user-based authentication. Only user alice should be allowed to login with a password “password”.

Note: the other websites configured on the server1 must still be accessible.

17.4. Dynamic Content Configuration

Configure website http://dynamic1.rhce.local:8888/ with the document root /srv/www/scripts to serve a PHP application. The site should execute index.php. The PHP application is provided on ftp://ipa.rhce.local/pub/index.php. Content of the script should not be modified.

Note: the PHP application won’t work until you have a MariaDB server configured as per task #11.

18. Name Server

Configure server1 as a caching-only DNS server to forward DNS queries. Forward all requests (zone for the root . domain) to another DNS server 10.8.8.70. External access to the DNS server should only be allowed from srv2.rhce.local.

19. SSH Configuration

Configure server1 to meet the following requirements.

SSH should listen on ports 22 and 2222. Firewall should allow access to port 2222 from srv2.rhce.local only. Client ipa.rhce.local must not have access to SSH at all. Enable password and key authentication. The changes should persist after reboot.

Configure server2 for passwordless root authentication against the server1.

20. Scripting

Create a script on the server1 called /root/newusers. When the script is called with an argument users.txt, it should add all the users from the file. Download the file from ftp://ipa.rhce.local/pub/users.txt.

All users should have the login shell as /sbin/nologin, password is not required. When this script is called with any other argument, it should print the message as “Input File Not Found”. When this script is run without any argument, it should display “Usage: /root/newusers users.txt”

43 thoughts on “RHCE Sample Exam for RHEL 7

  1. Thanks for sharing this.
    13. I don’t think there will be requested to set up multiple ISCSI initiators with CHAP auth. It’s a crazy configuration. Any thoughts about this?

    Btw, as I was told that it’s still 7.0 version on the exam in my country.

    • It’s a step towards failure if you think this way :) My advice is to be prepared for any surprise that may be thrown, rather than guessing what might not be requested. It may look like a crazy configuration if you’re not familiar with iSCSI, but it takes a few minutes to setup an iSCSI target if you know the drill.

      As for a RHEL version, be ready to perform tasks on both v7.0 and v7.1 (and perhaps even 7.2), and you’re good to go. Not that many differences to remember between the versions anyway.

    • Passed recently. It was rhel 7.0 indeed and a real nightmare, because limited time doesn’t allow you to re-check all the things.

    • Congratulations. I suspect that RedHat are moving the RHCE exam towards RHEL 7.1, but depending on a country you take the exam in, it may still be on RHEL 7.0.

    • Dude how was the exam? I’m stressing out pretty much. Will this practice exam help a bit?

    • The exam was fairly easy, but I felt like I was overprepared therefore don’t take my words for granted.

      Any practice that you do should help, the more the better I believe.

  2. Hi Tomas,

    Thank you for the great effort you put into this site, and for taking the time to reply to the comments.
    Have you taken the RHCE exam?

  3. Hi Tomas,
    Thank you for your sample exam questions. It really helps as I have been working on RHCE7 exam for months now!
    There are too many objectives and I don’t know whether I study enough!
    Do you have answers for your Sample exam questions so that I can use them as a guideline to correct/improve my steps.
    Thanks again!

    • All sample exam questions (except those really easy ones) have weblinks to topic-related articles. If you check them, you’ll find instructions and hints for how to solve the questions.

  4. Where is the php file? can you put it somewhere so I can download it ? I like that it tests the database and the web server config at the same time.

    • Please read the requirements again, one VM has to be configured as a FreeIPA server. There is a weblink to the page on how to set it up. The PHP file will be available on ipa.rhce.local/pub/index.php via FTP protocol.

    • Thanks Tomas, sorry, I hadn’t read that link as I had already configured an IPA server :). Appreciate it

    • No worries. The sample exam is heavily based on that IPA server configuration, hence part of the requirements.

  5. Hello,

    I cannot excute index.php. Python and Perl scrips work fine
    Is there anything else besides SELInux contexts, DirectoryIndex and chmox+x to set?

  6. And I could not make anything with iscsi iofile mounted as /dev/sdb on initiator. I simply cannot make a file system on it:

    [[email protected] ~]# mkfs xfs /dev/sdb
    mke2fs 1.42.9 (28-Dec-2013)
    mkfs.ext2: invalid blocks ‘/dev/sdb’ on device ‘xfs’

    • Here is a hint: why do you have mkfs.ext2, when you need xfs?

      You are trying to make ext2 on the device “xfs”, which does not exist.

  7. I cannot even partition it:

    [[email protected] /]# fdisk /dev/sdb
    fdisk: cannot open /dev/sdb: No such file or directory
    [[email protected] /]# lsscsi
    [0:0:0:0] disk VMware, VMware Virtual S 1.0 /dev/sda
    [2:0:0:0] cd/dvd NECVMWar VMware IDE CDR10 1.00 /dev/sr0
    [3:0:0:0] disk LIO-ORG file1 4.0 /dev/sdb
    [3:0:0:1] disk LIO-ORG block1 4.0 /dev/sdc
    [[email protected] /]#

    • ops, I cant format it because I havent partitioned it:

      [[email protected] ~]# vgcreate vgsan /dev/sdb
      Device /dev/sdb not found (or ignored by filtering).
      Unable to add physical volume ‘/dev/sdb’ to volume group ‘vgsan’.

      I cant create a volume group to create a logical volume, to format the volume as LVM Volume and the re-format it to xfs.
      With a block device it worked like a charm, but with the iofile it does not, the file has permissions 770 on the target

    • I have permissions 0640 on the file on the target, and I have no issues adding /dev/sdb disk to a VG.

      You may want to take a look here for iSCSI target configuration.

    • Tomas, the issue with iscsifile is fixed: it was caused by the fact that I was creating the file on filesystem prior to adding it in targetcli, so it was zero-sized )) No need to create the file on filesystem

  8. and Tomas, “Configure server2 for passwordless root authentication against the server1.” – did you mean configuring ssh-agent?

    • What I mean is this: configure SSH authentication in such way that the root user would be able to connect from the server2 to the server1 without using a password.

  9. iSCSI: will be a special device provided to create an LVM group-volume-block-lun on? like a new device /dev/sdb.
    if it will not, should I create it on existing “centos” volume group?

  10. Its very weird. Doing exactly the same as before on 2 instattaltions – 7.1 and 7.2 – and getting this:

    [[email protected] ~]# mount -t nfs4 -o sec=krb5p,vers=4.2 server1.example.com:/srv/nfssec /protected –verbose
    mount.nfs4: timeout set for Fri Dec 2 00:23:43 2016
    mount.nfs4: trying text-based options ‘sec=krb5p,vers=4.2,addr=192.168.0.102,clientaddr=192.168.0.104’
    mount.nfs4: mount(2): Invalid argument
    mount.nfs4: an incorrect mount option was specified
    [[email protected] ~]# systemctl status nfs-secure
    ● rpc-gssd.service – RPC security service for NFS client and server
    Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
    Active: failed (Result: signal) since Fri 2016-12-02 00:20:21 +07; 2min 15s ago
    Process: 739 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
    Main PID: 740 (code=killed, signal=SEGV)

    the service fails at the mount command. Found similar bugs is Google

  11. Dec 2 03:17:36 server2 systemd: Starting Session 1 of user root.
    Dec 2 03:18:43 server2 kernel: FS-Cache: Loaded
    Dec 2 03:18:43 server2 kernel: FS-Cache: Netfs ‘nfs’ registered for caching
    Dec 2 03:18:43 server2 kernel: NFS: Registering the id_resolver key type
    Dec 2 03:18:43 server2 kernel: Key type id_resolver registered
    Dec 2 03:18:43 server2 kernel: Key type id_legacy registered
    Dec 2 03:18:43 server2 rpc.gssd[738]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
    Dec 2 03:18:43 server2 rpc.gssd[738]: handle_gssd_upcall: ‘mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ‘
    Dec 2 03:18:43 server2 rpc.gssd[738]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt0)
    Dec 2 03:18:43 server2 rpc.gssd[738]: process_krb5_upcall: service is ‘*’
    Dec 2 03:18:43 server2 rpc.gssd[738]: krb5_use_machine_creds: uid 0 tgtname (null)
    Dec 2 03:18:43 server2 rpc.gssd[738]: Full hostname for ‘server1.example.com’ is ‘server1.example.com’
    Dec 2 03:18:43 server2 rpc.gssd[738]: Full hostname for ‘server2.example.com’ is ‘server2.example.com’
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for [email protected] while getting keytab entry for ‘[email protected]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for [email protected] while getting keytab entry for ‘[email protected]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for [email protected] while getting keytab entry for ‘[email protected]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for [email protected] while getting keytab entry for ‘[email protected]
    Dec 2 03:18:43 server2 kernel: traps: rpc.gssd[738] general protection ip:7f6e27de3e96 sp:7fff5b2cc878 error:0 in libc-2.17.so[7f6e27ca6000+1b7000]
    Dec 2 03:18:43 server2 rpc.gssd[738]: No key table entry found for [email protected] while getting keytab entry for ‘[email protected]
    Dec 2 03:18:43 server2 systemd: rpc-gssd.service: main process exited, code=killed, status=11/SEGV
    Dec 2 03:18:43 server2 systemd: Unit rpc-gssd.service entered failed state.
    Dec 2 03:18:43 server2 systemd: rpc-gssd.service failed.

    Strange, klist -k shows the keys are in the place. On the servers kvno is 2 and on IPA the same keys are 1. But it was like this when everything was working

  12. [[email protected] ~]# kinit -k -t /etc/krb5.keytab [email protected]
    kinit: Keytab contains no suitable keys for [email protected] while getting initial credentials

    sure, the keytab got spoiled. will dig into it.

  13. [[email protected] ~]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search example.com
    nameserver 192.168.0.103

    [email protected]‘s password:
    Last login: Fri Dec 2 00:11:37 2016
    [[email protected] ~]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

  14. looked back to my previous comments at NFS topic: I think I should not use capitols in service names. I will re-register the services as nfs/serverX.example.com, ktrem and ktadd them to keytab and re-deploy the keytab files on the servers

Leave a Reply

Your email address will not be published. Required fields are marked *