紅帽認證-RHCE考試題

1.配置 selinux
Selinux 必須在兩個系統 serverx 和 desktop 中運行 Enforcing 模式

[root@desktop13 ~]# getenforce  ##Selinux 在desktop目前是Disabled模式 
Disabled
[root@desktop13 ~]# vim /etc/sysconfig/selinux ##修改爲Enforcing模式
        SELINUX=enforcing
[root@desktop13 ~]# reboot      ##修改完成後需要重啓
Connection to 172.25.13.10 closed by remote host.
Connection to 172.25.13.10 closed.
[root@foundation13 kiosk]# ssh root@172.25.13.10 -X
root@172.25.13.10's password:
Last login: Wed May 22 09:50:58 2019 from 172.25.13.250
[root@desktop13 ~]# getenforce  ##Selinux 在 desktop13 中運行 Enforcing 模式
Enforcing

[root@server13 ~]# getenforce ##Selinux 在 server 中運行 Enforcing 模式
Enforcing

2.配置 ssh 訪問
用戶能從域 example.com 內的客戶端通過 ssh 遠程訪問您的兩個虛擬系統
在域 my133.org 內的客戶端不能訪問您的兩個虛擬機

[root@desktop13 ~]# host -l example.com  ##查看哪些屬於域example.com
example.com name server classroom.example.com.
example.com has address 172.25.254.254
classroom.example.com has address 172.25.254.254
content.example.com has address 172.25.254.254
desktop0.example.com has address 172.25.0.10


[root@desktop13 ~]# host -l my133.org.  ##查看哪些屬於域my133.org
my133.org name server dns.my133.org.
dns.my133.org has address 192.168.0.254  ##192.168.0.0/24屬於域my133.org
server1.my133.org has address 192.168.0.1
server10.my133.org has address 192.168.0.10
server11.my133.org has address 192.168.0.11
##desktop
[root@desktop13 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 192.168.0.0/24 -p tcp --dport 22 -j REJECT
success
[root@desktop13 ~]# systemctl restart firewalld
[root@desktop13 ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -s 192.168.0.0/24 -p tcp --dport 22 -j REJECT
##server
[root@server13 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 192.168.0.0/24 -p tcp --dport 22 -j REJECT
success
[root@server13 ~]# systemctl restart firewalld
[root@server13 ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -s 192.168.0.0/24 -p tcp --dport 22 -j REJECT
##測試:
[root@server13 ~]# ifconfig eth0:0 192.168.0.111/24
##物理機
[root@foundation13 kiosk]# ifconfig br0:0 192.168.0.11/24
[root@foundation13 kiosk]# ping 192.168.0.111
PING 192.168.0.111 (192.168.0.111) 56(84) bytes of data.
64 bytes from 192.168.0.111: icmp_seq=1 ttl=64 time=0.233 ms
64 bytes from 192.168.0.111: icmp_seq=2 ttl=64 time=0.134 ms

[root@foundation13 kiosk]# ssh <user>@192.168.0.111 ##域 my133.org 內的客戶端不能訪問兩個虛擬機
ssh: connect to host 192.168.0.111 port 22: Connection refused
[root@foundation13 kiosk]# ssh [email protected]  ##從域 example.com 內的客戶端通過 ssh 遠程訪問虛擬系統
[email protected]'s password:
Last login: Wed May 22 09:48:00 2019 from 172.25.13.250

3.自定義用戶環境
在系統 serverx 和 desktopx 上創建自定義命令 qstat,此命令將執行以下命令:
/bin/ps -Ao pid,tt,user,fname,rsz
此命令對系統中所有用戶有效

[root@desktop13 ~]# echo "alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'" >> /etc/bashrc
[root@desktop13 ~]# vim /etc/bashrc ##可以看到這條命令追加到末尾
93 alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'
[root@desktop13 ~]# source /etc/bashrc
[root@server13 ~]# echo "alias qstat='/bin/ps -Ao pid,tt,user,fname,rsz'" >> /etc/bashrc
[root@server13 ~]# vim /etc/bashrc
[root@server13 ~]# source /etc/bashrc

4.配置端口轉發
在系統 serverx 中配置端口轉發
在 172.25.x.0/24 網絡中的系統,訪問 server1 的本地端口 5423 將被轉發到 80,此設定是永久生效的

[root@server13 ~]# yum install httpd -y
[root@server13 ~]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@server13 ~]# systemctl start httpd
[root@server13 ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@server13 ~]# firewall-cmd --permanent --add-source=172.25.13.0/24 --zone=trusted  ##注意:trusted 區域會放行該網段的全部端口,範圍大於題目只要求的端口轉發
success
[root@server13 ~]# systemctl restart firewalld
[root@server13 ~]# firewall-cmd --list-all --zone=trusted
trusted
  interfaces:
  sources: 172.25.13.0/24
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

desktop瀏覽器訪問:

[root@server13 ~]# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -s 172.25.13.0/24 -p tcp --dport 5423 -j DNAT --to-dest :80
success
[root@server13 ~]# systemctl restart firewalld

##測試
[root@desktop13 ~]# firefox &
[1] 30220


5 配置鏈路聚合
在 serverx.example.com 和 desktopx.example.com 之間按以下要求配置一個鏈接
此鏈路使用 eth1 和 eth2
此鏈路在一個接口失效時仍能正常工作
此鏈路 serverx 使用地址 172.16.x.65/24
此鏈路 desktopx 使用的地址 172.16.x.75/24
此鏈路在系統重啓之後仍然保持正常狀態

##server和desktop添加兩塊虛擬網卡eth1和eth2
##Manage VMs --> status (效果與virt-manager相同)
[root@desktop13 ~]# nmcli connection add con-name team0 ifname team0 type team config '{"runner":{"name":"activebackup"}}' ip4 172.16.13.75/24
Connection 'team0' (8be74e38-ad9c-49b9-8442-91205e5c4211) successfully added.
[root@desktop13 ~]# ifconfig
[root@desktop13 ~]# nmcli connection add con-name eth1 ifname eth1 type team-slave master team0
Connection 'eth1' (6b6b7d61-aece-4a4f-9e3c-bd93cda47370) successfully added.
[root@desktop13 ~]# nmcli connection add con-name eth2 ifname eth2 type team-slave master team0
Connection 'eth2' (31266461-4170-4133-827a-2f6b7d485b9a) successfully added.

[root@server13 ~]# nmcli connection add con-name team0 ifname team0 type team config '{"runner":{"name":"activebackup"}}' ip4 172.16.13.65/24
Connection 'team0' (abc864ad-186d-4443-9084-b03a9daf01c4) successfully added.
[root@server13 ~]# nmcli connection add con-name eth1 ifname eth1 type team-slave master team0
Connection 'eth1' (96f4fc87-583b-439c-ae34-1b91aa9b11c9) successfully added.
[root@server13 ~]# nmcli connection add con-name eth2 ifname eth2 type team-slave master team0
Connection 'eth2' (22287e2c-a3ec-4f8b-bcdd-fb2a882fdfea) successfully added.
##測試

在server關閉/開啓eth1和eth2,通過desktop端能否ping通判斷是否符合題意
[root@desktop13 ~]# ping 172.16.13.65

[root@server13 ~]# ifconfig eth1 down
[root@server13 ~]# ifconfig eth2 down
[root@server13 ~]# ifconfig eth2 up
[root@server13 ~]# ifconfig eth1 up

6.配置 ipv6 地址
在您的考試系統上配置接口 eth0 使用下列 ipv6 地址
serverx 上的地址 2018:ac18::10a/64
desktopx 上的地址 2018:ac18::11b/64
兩個地址可以通信,並且在重新啓動後依然生效,兩塊網卡的 ipv4 地址依然生效

[root@desktop13 ~]# nmcli connection modify "System eth0" ipv6.method manual ipv6.addresses 2018:ac18::11b/64
[root@desktop13 ~]# systemctl restart network
[root@desktop13 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.13.10  netmask 255.255.255.0  broadcast 172.25.13.255
        inet6 2018:ac18::11b  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::5054:ff:fe00:d0a  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:00:0d:0a  txqueuelen 1000  (Ethernet)
        RX packets 9181  bytes 2927230 (2.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9020  bytes 10472320 (9.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@server13 ~]# nmcli connection modify "System eth0" ipv6.method manual ipv6.addresses 2018:ac18::10a/64
[root@server13 ~]# nmcli connection up "System eth0"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@server13 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.13.11  netmask 255.255.255.0  broadcast 172.25.13.255
        inet6 2018:ac18::10a  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::5054:ff:fe00:d0b  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:00:0d:0b  txqueuelen 1000  (Ethernet)
        RX packets 4163  bytes 1925300 (1.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2631  bytes 325514 (317.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@server13 ~]# ping6 2018:ac18::11b
PING 2018:ac18::11b(2018:ac18::11b) 56 data bytes
64 bytes from 2018:ac18::11b: icmp_seq=1 ttl=64 time=0.222 ms
64 bytes from 2018:ac18::11b: icmp_seq=2 ttl=64 time=0.268 ms

7.配置本地郵件服務
在系統 serverx 和 desktopx 上配置郵件服務
這些系統不接收外部發送來的郵件
這些系統上發送的任何郵件都會自動路由到 classroom.example.com
這些系統上發送的郵件顯示來自 example.com
您可以通過用戶 hal 來測試您的配置,訪問:
http://classroom.example.com/exam_mail/hal.txt

[root@desktop13 ~]# systemctl status postfix.service ##查看是否是enabled
[root@desktop13 ~]# vim /etc/postfix/main.cf 
 75 myhostname = desktop13.example.com
 83 mydomain = example.com
 99 myorigin = $mydomain
164 mydestination = 
317 relayhost = classroom.example.com
[root@desktop13 ~]# systemctl restart postfix.service 

[root@server13 ~]# systemctl status postfix.service ##查看是否是enabled
[root@server13 ~]# vim /etc/postfix/main.cf 
 75 myhostname = server13.example.com
 83 mydomain = example.com
 99 myorigin = $mydomain
164 mydestination =
317 relayhost = classroom.example.com
[root@server13 ~]# systemctl restart postfix.service 

##測試:
[root@desktop13 ~]# mail hal
Subject: test
this
is
test
.
EOT
[root@desktop13 ~]# firefox &

訪問:
http://classroom.example.com/exam_mail/hal.txt
8.通過 smb 共享目錄
在 serverx 上配置 smb 服務
您的 smb 服務必須是 STAFF 工作組的一個成員
共享/groupdir 目錄共享名必須是 common
只有 example.com 域的客戶可以訪問 common 共享
Common 必須是可以瀏覽的
用戶 barney 必須能夠讀取共享的內容,如果需要的話驗證密碼是 westos

[root@server13 ~]# yum search samba
[root@server13 yum.repos.d]# yum install -y samba.x86_64 samba-client.x86_64 samba-common.x86_64
[root@server13 yum.repos.d]# systemctl start smb
[root@server13 yum.repos.d]# systemctl enable smb
ln -s '/usr/lib/systemd/system/smb.service' '/etc/systemd/system/multi-user.target.wants/smb.service'
[root@server13 yum.repos.d]# vim /etc/samba/smb.conf 
 89         workgroup = STAFF
321         [common]
322         path = /groupdir
323         browseable = yes
324         hosts allow = 172.25.13. 127.

[root@server13 yum.repos.d]# useradd -s /sbin/nologin barney
[root@server13 yum.repos.d]# smbpasswd -a barney
New SMB password:
Retype new SMB password:
Added user barney.
[root@server13 yum.repos.d]# pdbedit -L
barney:1001:
[root@server13 yum.repos.d]# systemctl restart smb.service 
[root@server13 ~]# mkdir /groupdir
[root@server13 ~]# systemctl restart smb
[root@server13 ~]# vim /etc/hosts
172.25.254.254 classroom.example.com
172.25.254.254 content.example.com
172.25.13.11    server13.example.com
172.25.13.10    desktop13.example.com

[root@server13 ~]# semanage fcontext -a -t samba_share_t '/groupdir(/.*)?'
[root@server13 ~]# restorecon -RvvF /groupdir/
restorecon reset /groupdir context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

測試:

[root@desktop13 ~]# yum install -y samba-client.x86_64 
[root@desktop13 ~]# smbclient -L //172.25.13.11 
[root@desktop13 ~]# smbclient //172.25.13.11/common -U barney

9.Smb 多用戶掛載配置
在 serverx 共享通過 smb 目錄/data
共享名稱 data
共享目錄 data 只能被 example.com 域中的客戶使用
共享目錄 data 必須可以被瀏覽
用戶 manager 必須能以讀的方式訪問此共享,訪問密碼是 westos
用戶 wolferyne 必須能夠以讀寫的方式訪問此共享,訪問密碼是 westos
此共享永久掛載到 desktopx 主機的 /mnt/westos 目錄,並使用用戶 manager 作爲認證,任何用戶通過用戶 wolferyne 來臨時獲取寫的權限

[root@server13 ~]# mkdir /data
[root@server13 ~]# semanage fcontext -a -t samba_share_t '/data(/.*)?'
[root@server13 ~]# restorecon -RvvF /data/
restorecon reset /data context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
[root@server13 ~]# ls -Zd /data/
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /data/
[root@server13 ~]# vim /etc/samba/smb.conf 
326         [data]
327         path = /data
328         browseable = yes
329         hosts allow =172.25.0. 127.  ##與 [common] 的 172.25.13. 不一致;本環境 example.com 客戶端位於 172.25.13.0/24,此處疑爲筆誤
330         write list=wolferyne


[root@server13 ~]# useradd -s /sbin/nologin wolferyne
[root@server13 ~]# useradd -s /sbin/nologin manager
[root@server13 ~]# smbpasswd -a manager
New SMB password:
Retype new SMB password:
Added user manager.
[root@server13 ~]# smbpasswd -a wolferyne
New SMB password:
Retype new SMB password:
Added user wolferyne.
[root@server13 ~]# pdbedit -L
barney:1001:
wolferyne:1002:
manager:1003:

[root@server13 ~]# systemctl restart smb.service
[root@server13 ~]# setfacl -m u:wolferyne:rwx /data/

##測試
##wolferyne有讀寫權限
[root@desktop13 ~]# smbclient //172.25.13.11/data -U wolferyne


##manager只讀權限
[root@desktop13 ~]# smbclient //172.25.13.11/data -U manager


##desktop
[root@desktop13 ~]# yum install -y cifs-utils
[root@desktop13 ~]# vim /root/smbpasswd
username=manager
password=westos
[root@desktop13 ~]# chmod 600 /root/smbpasswd 
[root@desktop13 ~]# vim /etc/fstab 
//172.25.13.11/data     /mnt/westos     cifs    defaults,credentials=/root/smbpasswd,sec=ntlmssp,multiuser      0 0

[root@desktop13 ~]# mkdir /mnt/westos
[root@desktop13 ~]# mount -a
[root@desktop13 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            10473900 3267732   7206168  32% /
devtmpfs               469332       0    469332   0% /dev
tmpfs                  484920       0    484920   0% /dev/shm
tmpfs                  484920   12712    472208   3% /run
tmpfs                  484920       0    484920   0% /sys/fs/cgroup
/dev/mapper/vg0-vo     483670    2341    451838   1% /home
//172.25.13.11/data  10473900 3214476   7259424  31% /mnt/westos

## man mount.cifs  ##查看cifs掛載方法
[root@desktop13 ~]# su - student
Last login: Thu May 11 20:23:54 EDT 2017 on pts/0
[student@desktop13 ~]$ cd /mnt/
[student@desktop13 mnt]$ ls
ls: cannot access westos: Permission denied
westos
[student@desktop13 mnt]$ cd 
[student@desktop13 ~]$ cifscreds add -u wolferyne 172.25.13.11
Password: 
[student@desktop13 ~]$ cd /mnt/westos/
[student@desktop13 westos]$ ls
[student@desktop13 westos]$ touch file
[student@desktop13 westos]$ ls
file
[student@desktop13 westos]$ rm -fr file

10.配置 NFS 服務
在 serverx 配置 nfs
以只讀的方式共享目錄/public 能被 example.com 域中的系統訪問
以讀寫的方式共享目錄/protected 能被 example.com 域中的系統訪問
訪問/protected 需要通過 kerberos 安全加密,您可以使用下面的 url 提供的密鑰
http://classroom.example.com/pub/keytabs/serverx.keytab
目錄/protected 應該包含名稱爲 restricted,擁有人爲 ldapuser1 的子
目錄
用戶 ldapuser1 能夠使用讀寫的方式訪問/protected/restricted

[root@server13 ~]# systemctl start nfs-server
[root@server13 ~]# systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
[root@server13 ~]# mkdir /public
[root@server13 ~]# mkdir /protected
[root@server13 ~]# vim /etc/exports
/public         172.25.13.0/24(ro,async)
/protected      172.25.13.0/24(rw,async,sec=krb5p)

[root@server13 ~]# exportfs -rv
exporting 172.25.13.0/24:/protected
exporting 172.25.13.0/24:/public
[root@server13 ~]# wget http://classroom.example.com/pub/keytabs/desktop13.keytab -O /etc/krb5.keytab  ##此處下載的是 desktop13 的 keytab;server13 應使用 server13.keytab(第 11 題中已重新下載)
[root@server13 ~]# ktutil
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3   host/[email protected]
   2    3   host/[email protected]
[root@server13 ~]# hostname
server13.example.com
[root@server13 ~]# 
[root@server13 ~]# showmount -e 172.25.13.11
Export list for 172.25.13.11:
/protected 172.25.13.0/24
/public    172.25.13.0/24

[root@desktop13 ~]# showmount -e 172.25.13.11
Export list for 172.25.13.11:
/protected 172.25.13.0/24
/public    172.25.13.0/24

11.掛載一個 nfs 共享
在 desktop1 上掛載一個來自 serverx.example.com 的 nfs 共享
/public 掛載在下面的目錄上/mnt/nfsmount
/protected 掛載在下面目錄上/mnt/nfssecure 並且使用安全方式訪問,
密鑰:
http://classroom.example.com/pub/keytabs/desktopx.keytab
用戶 ldapuser1 能夠在/mnt/nfssecure/restricted 上創建文件
這些文件系統在開機啓動時自動掛載

[root@server13 ~]# mkdir /protected/restricted
[root@server13 ~]# chown ldapuser1.ldapuser1 /protected/restricted/

[root@server13 ~]# wget http://classroom.example.com/pub/keytabs/server13.keytab -O /etc/krb5.keytab
--2019-05-23 02:55:25--  http://classroom.example.com/pub/keytabs/server13.keytab
Resolving classroom.example.com (classroom.example.com)... 172.25.254.254
Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1258 (1.2K)
Saving to: ‘/etc/krb5.keytab’

100%[======================================>] 1,258       --.-K/s   in 0s      

2019-05-23 02:55:25 (280 MB/s) - ‘/etc/krb5.keytab’ saved [1258/1258]


[root@desktop13 ~]# systemctl start nfs-secure-server  ##desktop 是 NFS 客戶端,只需 nfs-secure;nfs-secure-server 是服務端(server13)使用的
[root@desktop13 ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'


[root@desktop13 ~]# systemctl start nfs-secure
[root@desktop13 ~]# systemctl start nfs-secure-server

[root@server13 ~]# systemctl start nfs-secure-server
[root@server13 ~]# systemctl start nfs-secure


[root@desktop13 ~]# wget http://classroom.example.com/pub/keytabs/desktop13.keytab -O /etc/krb5.keytab
--2019-05-23 02:29:25--  http://classroom.example.com/pub/keytabs/desktop13.keytab
Resolving classroom.example.com (classroom.example.com)... 172.25.254.254
Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1274 (1.2K)
Saving to: ‘/etc/krb5.keytab’

100%[======================================>] 1,274       --.-K/s   in 0s      

2019-05-23 02:29:25 (263 MB/s) - ‘/etc/krb5.keytab’ saved [1274/1274]



[root@desktop13 ~]# vim /etc/fstab 
172.25.13.11:/public    /mnt/nfsmount    nfs    defaults 0 0
172.25.13.11:/protected /mnt/nfssecure   nfs    defaults,sec=krb5p 0 0
mount -a

12.實現一個 web 服務器
在 serverx 上配置一個站點 http://serverx.example.com
從 http://classroom.example.com/pub/materials/station.html
下載文件,並且將文件重命名爲 index.html,不要修改此文件的內容
將文件 index.html 拷貝到您的 web 服務器的 Documentroot 目錄下
來自 example.com 域的客戶可以訪問此 web 服務
來自 my133t.org 域的客戶端拒絕訪問此 web

[root@server13 ~]# wget http://classroom.example.com/pub/materials/station.html -O /var/www/html/index.html
[root@server13 ~]# cd /etc/httpd/conf.d/
[root@server13 conf.d]# ls
autoindex.conf  README  userdir.conf  welcome.conf
[root@server13 conf.d]# vim vhost.conf
<VirtualHost _default_:80>
        DocumentRoot    /var/www/html
</VirtualHost>
<Directory "/var/www/html">
        Order Allow,Deny
        Allow from All
        Deny from 192.168.0.0/24
</Directory>

[root@server13 conf.d]# systemctl restart httpd
測試:

[root@server13 conf.d]# ifconfig eth0:0 192.168.0.100/24 ##eth0設置屬於my133t.org的IP

13.配置安全 web 服務
站點 https://server0.example.com 配置 tls 加密一個已簽名的證書
從 http://classroom.example.com/pub/tls/certs/westos.crt
從 http://classroom.example.com/pub/tls/private/westos.key
從 http://classroom.example.com/pub/example-ca.crt

[root@server13 ~]# cd /etc/httpd/conf.d/
[root@server13 conf.d]# vim ssl.conf
100 SSLCertificateFile /etc/httpd/westos.crt
107 SSLCertificateKeyFile /etc/httpd/westos.key
116 SSLCertificateChainFile /etc/httpd/example-ca.crt

[root@server13 httpd]# wget http://classroom.example.com/pub/tls/certs/westos.crt
[root@server13 httpd]# wget http://classroom.example.com/pub/tls/private/westos.key  ##私鑰文件應僅 root 可讀(例如 chmod 600),避免其他本地用戶讀取
[root@server13 httpd]# wget http://classroom.example.com/pub/example-ca.crt
[root@server13 httpd]# systemctl restart httpd

14.配置虛擬主機
在 server1 上拓展您的 web 服務器,爲站點
http://wwwx.example.com 創建一個虛擬主機
設定默認發佈目錄爲/var/www/virtual
從http://classroom.example.com/pub/materials/www.html 下載文件並
重命名爲 index.html,不要對文件 index.html 的內容做任何修改
將文件 index.html 放到默認發佈目錄下
確保 barney 用戶能在/var/www/virtual 目錄下創建文件

[root@server13 ~]# mkdir /var/www/virtual
[root@server13 ~]# wget http://classroom.example.com/pub/materials/www.html -O /var/www/virtual/index.html
[root@server13 ~]# getent passwd barney
barney:x:1001:1001::/home/barney:/sbin/nologin
[root@server13 ~]# usermod -s /bin/bash barney  ##僅爲測試而給 barney 登錄 shell,題目未要求;測試後可改回 /sbin/nologin
[root@server13 ~]# setfacl -m u:barney:rwx /var/www/virtual/
##測試barney能否在/var/www/virtual目錄下創建文件
[root@server13 ~]# su - barney 
[barney@server13 ~]$ cd /var/www/virtual/
[barney@server13 virtual]$ ls
index.html
[barney@server13 virtual]$ touch file
[barney@server13 virtual]$ ls
file  index.html
[barney@server13 virtual]$ rm -fr file 
[barney@server13 virtual]$ logout

[root@server13 ~]# cd /etc/httpd/conf.d/
[root@server13 conf.d]# vim vhost.conf 
<VirtualHost *:80>
        ServerName www13.example.com
        DocumentRoot    /var/www/virtual
</VirtualHost>
<Directory "/var/www/virtual">
        Require all granted
</Directory>
[root@server13 conf.d]# systemctl restart httpd

[root@server13 conf.d]# vim /etc/hosts
172.25.13.11    server13.example.com www13.example.com
172.25.13.10    desktop13.example.com
[root@desktop13 ~]# vim /etc/hosts
172.25.13.11    server13.example.com www13.example.com
172.25.13.10    desktop13.example.com

##測試能否訪問http://www13.example.com
[root@server13 conf.d]# cat /var/www/virtual/index.html 
www1.example.com---->hehe

15.配置您的 serverx 上的 web 服務器
在默認發佈目錄下創建一個名爲 confidential 的目錄
從 http://classroom.example.com/pub/materials/private.html
下載到這個目錄中,並且重命名爲 index.html
不要修改這個文件的內容
從 serverx 上,任何人都可以瀏覽此目錄,但是其他系統不能訪問此目錄中的內容

[root@server13 ~]# mkdir /var/www/html/confidential
[root@server13 ~]# wget http://classroom.example.com/pub/materials/private.html -O /var/www/html/confidential/index.html
[root@server13 ~]# cd /etc/httpd/conf.d/
[root@server13 conf.d]# vim vhost.conf 
<Directory "/var/www/html/confidential">
        Order Deny,Allow
        Allow from 172.25.13.11
        Allow from localhost
        Allow from 127.0.0.1
        Deny from All
</Directory>
[root@server13 conf.d]# systemctl restart httpd

測試(注意在server或desktop打開firefox &打開瀏覽器時要關閉另外一個)

16.實現動態 web 內容
在 server1 上配置提供 web 內容
動態內容由名爲 transitive.example.com 的虛擬機提供
虛擬機監聽端口:8989
從 http://classroom.example.com/pub/materials/script.wsgi
下載一個腳本,然後放到合適的位置,不要修改該此文件內容
客戶訪問 http://transitive.example.com:8989 時應該生成動態的 web 頁面
此站點 必須能被 example.com 域內的所有系統訪問

[root@server13 ~]# vim /etc/httpd/conf.d/vhost.conf 
<VirtualHost *:8989>
        ServerName transitive.example.com
        WSGIScriptAlias / /var/www/cgi-bin/scripts.wsgi
</VirtualHost>
Listen 8989

[root@server13 ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@server13 ~]# semanage port -a -t http_port_t -p tcp 8989
[root@server13 ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      8989, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
[root@server13 ~]# systemctl restart httpd
[root@server13 ~]# wget http://classroom.example.com/pub/materials/script.wsgi -O /var/www/cgi-bin/scripts.wsgi

測試:

[root@desktop13 ~]# vim /etc/hosts
172.25.13.11    server13.example.com www13.example.com transitive.example.com

瀏覽器訪問:http://transitive.example.com:8989/
F5刷新頁面動態變化
17.創建一個腳本
在 serverx 上創建一個/root/scripts.sh 的腳本,讓其提供下列特性
當運行/root/scripts.sh all 輸出 none
當運行/root/scripts.sh none 輸出 all
當沒有任何參數或者參數不是 all 或 none 時,其錯誤輸出產生下列信息
/root/scripts.sh/ all|none

[root@server13 ~]# vim /root/scripts.sh
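#!/bin/bash
# /root/scripts.sh — print the "opposite" keyword of the single argument.
#   all  -> prints "none" on stdout
#   none -> prints "all" on stdout
# Any other argument (or no argument at all) prints the usage line on
# stderr, as the task asks for it on the error output, and returns 1 so
# callers can tell a usage error apart from a successful run.

main() {
  case "$1" in
    all)
      echo none
      ;;
    none)
      echo all
      ;;
    *)
      # usage text goes to stderr, not stdout
      echo "/root/scripts.sh/ all|none" >&2
      return 1
      ;;
  esac
}

main "$@"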

[root@server13 ~]# chmod +x /root/scripts.sh 
[root@server13 ~]# /root/scripts.sh 
/root/scripts.sh/ all|none
[root@server13 ~]# /root/scripts.sh all
none
[root@server13 ~]# /root/scripts.sh none
all

18.配置 iscsi 服務端
配置 serverx 提供一個 iscsi 服務,磁盤名稱 iqn.2014-11.com.example:serverx,端口 3260
用 iscsi_data 作爲後端卷,大小爲 3G
此服務只能被 desktopx.example.com 訪問

[root@server13 ~]# yum install targetcli -y
[root@server13 ~]# fdisk /dev/vdb


[root@server13 ~]# partprobe
[root@server13 ~]# pvcreate /dev/vdb1
  Physical volume "/dev/vdb1" successfully created
[root@server13 ~]# vgcreate exam /dev/vdb1
  Volume group "exam" successfully created
[root@server13 ~]# vgdisplay 
[root@server13 ~]# lvcreate -l 767 -n iscsi_data exam
 Logical volume "iscsi_data" created
[root@server13 ~]# lvs
  LV         VG   Attr       LSize Pool Origin Data%  Move Log Cpy%Sync Convert
  iscsi_data exam -wi-a----- 3.00g     


[root@server13 ~]# targetcli
/> /backstores/block create iscsi_data /dev/exam/iscsi_data 
/> /iscsi/ create iqn.2014-11.com.example:server13
/> /iscsi/iqn.2014-11.com.example:server13/tpg1/luns create /backstores/block/iscsi_data
/> /iscsi/iqn.2014-11.com.example:server13/tpg1/acls create iqn.1994-05.com.redhat:9e96ff23da37
/> /iscsi/iqn.2014-11.com.example:server13/tpg1/portals create 172.25.13.11
[root@server13 ~]# systemctl enable target.service

19.配置 iscsi 的客戶端
配置 desktopx 使其能鏈接在 server1 上提供的 iscsi
Iscsi 設備在系統啓動的期間自動加載
塊設備 iscsi 上包含一個大小爲 1900M 的分區,並格式化爲 xfs
此分區自動掛載在/mnt/data 上同時在系統啓動的期間自動掛載

[root@desktop13 ~]# cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1994-05.com.redhat:9e96ff23da37
[root@desktop13 ~]# iscsiadm -m discovery -t st -p 172.25.13.11
172.25.13.11:3260,1 iqn.2014-11.com.example:server13
[root@desktop13 ~]# iscsiadm -m node -T iqn.2014-11.com.example:server13 -p 172.25.13.11 -l
Logging in to [iface: default, target: iqn.2014-11.com.example:server13, portal: 172.25.13.11,3260] (multiple)
Login to [iface: default, target: iqn.2014-11.com.example:server13, portal: 172.25.13.11,3260] successful.


[root@desktop13 ~]# partprobe
[root@desktop13 ~]# mkfs.xfs /dev/sda1
meta-data=/dev/sda1              isize=256    agcount=8, agsize=60800 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0
data     =                       bsize=4096   blocks=486400, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@desktop13 ~]# blkid 
/dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs" 
/dev/vdb1: UUID="SIaPf4-OdHu-OzAW-NlQG-vZ3D-X8ZO-1FK3Ih" TYPE="LVM2_member" 
/dev/dm-0: UUID="12294be2-bdad-4817-b162-038e22313d9f" TYPE="ext4" 
/dev/sda1: UUID="9a72d7fc-003b-4631-964c-a2a546bb6d1d" TYPE="xfs" 
[root@desktop13 ~]# vim /etc/fstab 
UUID="9a72d7fc-003b-4631-964c-a2a546bb6d1d"     /mnt/data       xfs     defaults,_netdev        0 0
[root@desktop13 ~]# mkdir /mnt/data
[root@desktop13 ~]# mount -a
[root@desktop13 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            10473900 3362184   7111716  33% /
devtmpfs               469332       0    469332   0% /dev
tmpfs                  484920       0    484920   0% /dev/shm
tmpfs                  484920   12756    472164   3% /run
tmpfs                  484920       0    484920   0% /sys/fs/cgroup
/dev/mapper/vg0-vo     483670    2342    451837   1% /home
//172.25.13.11/data  10473900 3257668   7216232  32% /mnt/westos
/dev/sda1             1935360   33056   1902304   2% /mnt/data

20.配置一個數據庫
在 serverx 上創建一個 mariadb,名爲 Contacts
數據庫應該包含來自數據庫複製的內容。複製文件的 url
http://classroom.example.com/pub/materials/users.mdb
數據庫只能被 localhost 訪問
除了 root 用戶,此數據庫只能被 Luigi 查詢,此用戶密碼爲 westos
超級用戶密碼爲 westos,同時不允許空密碼登陸

[root@server13 ~]# yum install -y mariadb-server
systemctl start mariadb
systemctl enable mariadb
mysql_secure_installation
systemctl restart mariadb
mysql -uroot -p
create database Contacts;
create user Luigi@localhost identified by 'cetterde';  ##題目要求此用戶密碼爲 westos
grant select on *.* to Luigi@localhost;  ##題目只涉及 Contacts 庫,按最小權限宜爲 Contacts.*
quit
vim users.mdb
Use Contacts;
mysql -uroot -p <users.mdb

