Category Archives: Linux

All posts around Linux.

Ansible EX294 practice exam and solutions

I am hopefully going to take the second half of my RHCE exam this year, which is EX294. I have taken inspiration from https://www.lisenet.com/2019/ansible-sample-exam-for-ex294/ and https://ziyonotes.uz/rJt6DcqXr, and have decided to provide my own answers and explanations as I myself prepare for the exam.

I’ve also only used 4 VM’s in total, 1 controller and 3 nodes, and not 4 nodes as the practice exam suggests.

Here are the tips that I’ve found helpful so far:

  • ansible and ansible-playbook share most of it’s syntax. So if it’s -b to use become on ansible-playbook, then it’s most likely the same with ansible.
  • The most important tip of all – use ansible-doc! ansible-doc <module> (like ansible-doc user) will not only give you a list of attributes that you can use, but if you see almost at the bottom of the page, there are examples!
  • Make sure that all of the services that are supposed to come back up at boot, do so! Make the services persistent, if the exam says so!
  • Remember that if you enable a service, that it doesn’t mean that the change is immediate! Remember to check the ansible-doc page for the module if there is an immediate attribute that you can use.
  • Use the command ansible all -m setup after you have set up your inventory to see all of the variables gathered by the facts module. They might come in handy!

Task 1 – Ansible installation and configuration

Remember that the default location for the original ansible.cfg is /etc/ansible/ansible.cfg, which you can copy over to your local folder (in this case it’s /home/automation/plays/).

ansible.cfg

These are the fields that I’ve changed in my own ansible.cfg file:

inventory

Task 2 – Ad-Hoc commands

What they mean by the use of “Ad-Hoc” is your typical ansible one liners. Which is to actually use the command ansible. I’ve placed the following ansible one liners in a file named adhoc. Remember to change the permissions on the file (chmod +x adhoc) before you run it.

adhoc

In this particular case I’m connecting as the user cloud_user, which will then use sudo to perform the commands.

The above is exactly the same as the playbook below (which I have named create_automation_user.yml):

Task 3 – File content

motd.yml

Task 4 – Configure SSH server

sshd.yml

Task 5 – Ansible vault

secret.yml

Use the following command to create the ansible vault file named secret.yml:

This file should contain:

Use the password devops to protect the file you create.

vault_key

Create a regular file named vault_key that contains the following:

Task 6 – Users and groups

This is the most difficult task I’ve encountered so far.

user_list.yml

users.yml

Task 7 – Scheduled tasks

regular_tasks.yml

Task 8 – Software repositories

repository.yml

Task 9 – Create and work with roles

mysql.yml

sample-mysql/tasks/main.yml

You can create an empty role, named sample-mysql, by running the commands:

I decided to go with the package mysql-server instead of the mysql-community-server that is listed in the Lisenet exam. The contents of the file sample-mysql/tasks/main.yml:

sample-mysql/templates/my.cnf.j2

Task 10 – Create and work with roles (some more)

apache.yml

sample-apache/handlers/main.yml

You can create an empty role, named sample-apache, by running the commands:

As for the contents of the file sample-apache/handlers/main.yml:

sample-apache/tasks/main.yml

Task 11: Download roles from Ansible Galaxy and use them

Install the role named geerlingguy.haproxy by running these commands:

It will install the role in the roles-location specified in ansible.cfg. In this case, /home/automation/plays/roles/.

haproxy.yml

Task 12: Security

We need to make sure that the package named rhel-system-roles is installed on the controller itself (not the nodes!). So run:

This will install the roles to the folder /usr/share/ansible/roles/.

ansible.cfg

Because the role is installed in a different location than we have specified in our ansible.cfg, we need to add this path. So the following line in ansible.cfg:

becomes this:

If you look in the folder /usr/share/ansible/roles/ now, you’ll see that there is a symlink named linux-system-roles.selinux, which points to rhel-system-roles.selinux. We will be using the symlink in the next configuration file.

selinux.yml

Task 13: Use conditionals to control play execution

sysctl.yml

Task 14 – Use archiving

archive.yml

Task 15 – Work with Ansible facts

facts.yml

Task 16 – Software packages

packages.yml

Task 17 – Services

target.yml

Task 18 – Create and use templates to create customised configuration files

server_list.j2

server_list.yml

vim – Goodbye to :set paste

I’ve been using vim as my editor of choice ever since I started learning Linux, and something that has been bothering me for a while is how vim handles pasting.

Say I want to paste a large bit of code into a terminal running vim. Before I do this I have to type:

When everything is pasted, I turn it off with:

or:

The command :set paste prevents vim from auto-indenting the code I’ve just pasted.

Luckily, as it most often goes, there is a solution. Why I haven’t bothered to actually find the answer till recently is a whole other matter.

As it turns out, my terminal of choice (which currently is rxvt-unicode) supports something called bracketed paste mode.

In short, when bracketed paste mode is set, pasted text is bracketed with control sequences so that the program can differentiate between pasted text and typed-in text.

Let’s stay that I copied the text:

from another program. When I paste it into my terminal, if it supports bracketed paste mode, it actually sends the text:

Now the thing is to let vim know how to watch out for these control sequences, and tell it what to do. Paste the following code into your .vimrc:

And that should reduce your use of :set paste quite a bit!

SimpleHTTPServer with SSL

I’ve often used Python’s SimpleHTTPServer to simply share a directory with someone over a network, it being either local or the Internet. In case you don’t know how it works, it’s simple. To start a HTTP server, at your current location, type:

and the result:

It listens on all IPv4 interfaces, and binds to the port you specify, which in my case is 8080. The person on the other side will then be able to access the files in the directory from the outside by going to http://server1.example.com:8080, provided that your machine has the hostname server1.example.com, and that you have the port 8080 forwarded to the IP of server1.

But what if you want to provide a secure connection, say over SSL? SimpleHTTPServer has no built in way of doing this.

But behold ssl, Python’s built in SSL-module!

To create a secure connection for your SimpleHTTPServer, first create a self signed certificate by running the following command (if you don’t have a proper SSL-certificate, that is):

Now create a script named shttps.py that contains the following code:

The only thing that needs further explanation is the variable bind_to_address. Fill this in with the text localhost if you want it to only listen to 127.0.0.1. Leave it blank to have it listen to all IPv4 interfaces (0.0.0.0).

Now that the certificate and key is all in place, and the script has been created, make it executable with:

Go to the folder you’d like to share the contents of, and run the script:

The result when you visit https://server1.example.com:8080?Because there is no third party verification it’s listed as insecure, but it should do the trick well enough for sharing files with others.

If you however do want a free SSL certificate for a more permanent setup, I suggest LetsEncrypt! Check out https://letsencrypt.org/getting-started/ for more information.

VMware, i3 and multiple monitors

For a while now I’ve been trying to set up VMware to work with multiple monitors, in a Linux guest. With some windowmanagers it works out of the box without any issue, such as with Unity. I never figured out how to do it with xmonad, and recently I switched to i3 just to try something new. The damn “Cycle multiple monitors” button didn’t work here either. When I tried it, a message popped up saying:

The virtual machine must have up-to-date VMware Tools installed and running.

..which it had! At this point I had installed vmware-tools, which is described as:

“A suite of utilities that enhances the performance of the virtual machine’s guest operating system and improves management of the virtual machine”

However, I found a solution! Place the following line in your i3 configuration file, whether it be ~/.i3/config or ~/.config/i3/config:

..and that’s it! Reload your i3 configuration, and now you should be able to press the “Cycle multiple monitors” button and have dual monitors in your VMware guest!

Now, if you’re using open-vm-tools instead of the native vmware-tools, do what Fabian suggested – use the following line in your config-file instead:

It should work!

ncat, a modern implementation of netcat

ncat is a utility that is like the UNIX cat command but for network connections. It’s based on the original netcat and comes with a couple of more modern features.

In this short post, we’ll go through a couple of examples to see exactly what uses this tool has. I’m currently using ncat version 7.01, in Ubuntu 16.04. ncat is a part of the nmap package in Ubuntu.

Shiny new things

A couple of the features of ncat, some of which are new, are:

  • IPv6 Support
  • Chain multiple ncat together
  • Support for SSL
  • Ability to specify specific hosts to allow or deny access to in listen mode

While the new features are great, it’s important to note that ncat is not 100% reverse compatible with the original netcat.

Examples

Let’s continue with a couple of examples to get you started.

IPv4 or IPv6?

To force ncat to only use either IPv4 og IPv6, use:

  • -4
  • -6

..as in:


..to connect to a server only through IPv6.


..and type in:


..and press enter twice. The result will be something along the lines of:


The option -C is used because it requires CRLF line endings.

Chaining

An example from nmap’s website; sending a log file from host1 to host3, by way of host2:

host3

host2

host1

Cloning partitions over the network

One of the more useful tricks is the ability to clone partitions over the network.

On the system you’d like to clone the partition from, do:


..and on the receiving machine:


To speed up the process of transfer you can always throw in gzip for compression:


..and:

Web server

Setting up a simple webserver is also easy:


The option -k makes ncat keep listening and accepting more connections after the first one is finished.

File transfer with SSL

On the machine you want to send the file from:


..and on the receiving end:


The option –send-only does what it says – it only sends data and ignores received.

Ports

Need to check if a port is open? Try:

This example checks if port 53 is open, with a timeout of 5 seconds. When a port is open:

..and when it’s closed:

Chat server

As far I know, the are two main ways to do this.

First way

Start listening on a port of your choice:


..and connect to it from another machine:


Type in some text and the line will appear on the other machine when you press enter. You won’t be able to see who wrote what, but hey, it’s good enough if you want to communicate with someone.

Second way

The new fancier way of starting a chat-server is by using –chat:


Users who then want to connect to the chat:


The output will be something along the lines of:


The user IDs generated by ncat are based on the file descriptor for each connection and must be considered arbitrary. Also, you won’t see <userX> in front of the text you type, but others will see it. The main difference when using –chat is that you and every user connected to the server will get a <userX> tag, making it easier to see who wrote what.

Mail client

ncat also works as a mail client. Expect to type a lot:


..followed up by typing:

TCP/UDP daytime server

The daytime service, defined in RFC 867, sends a human-readable date and time string over TCP or UDP port 13. It ignores any input. So, we can use:


Add –udp to create an UDP daytime server instead.

Access control

Allow one host, deny others

Deny one host, allow others

Allow or deny hosts from file


Replace –allowfile with –denyfile to deny and trusted-hosts.txt with a file that contains the hosts to be denied.

These are just a few of the things that you can do with ncat. Have fun exploring the rest!