RHCE 7.0 Practice Document

2020-06-24 247

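RHCE 7.0 Simulated Environment Practice Document

Note: the afternoon exam does not require cracking the password or any extra IP configuration, but you must complete the yum configuration. Remember to log in to Server and Desktop and check each one's IP, DNS, gateway, hostname and related information.
Practice environment: desktop IP: 172.25.0.10/16, server IP: 172.25.0.11/16, classroom IP: 172.25.0.254
Some characters in this document have encoding problems: the append operator >> may appear in an encoded form; replace it with >> where it does.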
I. For the CE exam you must configure YUM yourself, on both the server (Server) and the client (Desktop)
II. Configure SELinux
1. SELinux has three modes; run both server and desktop in enforcing mode

    # Set SELinux to enforcing on server
    [root@server0 ~]# vim /etc/selinux/config
    ...
    SELINUX=enforcing
    ...
    [root@server0 ~]# setenforce 1
    [root@server0 ~]# reboot
    [root@server0 ~]# getenforce
    Enforcing
    [root@server0 ~]#

    # Set SELinux to enforcing on desktop
    [root@desktop0 ~]# vim /etc/selinux/config
    ...
    SELINUX=enforcing
    ...
    [root@desktop0 ~]# setenforce 1
    [root@desktop0 ~]# reboot
    [root@desktop0 ~]# getenforce
    Enforcing

III. Configure SSH
Users must be able to reach both of your virtual systems over SSH from clients in the domain example.com; clients in the domain my133t.org must not be able to reach either of them.

    # On server
    [root@server0 ~]# systemctl stop iptables ebtables
    [root@server0 ~]# systemctl disable iptables ebtables
    [root@server0 ~]# systemctl enable firewalld
    [root@server0 ~]# systemctl restart firewalld
    [root@server0 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources:
      services: dhcpv6-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" source address="172.25.0.0/24" service name="rpc-bind" accept
            rule family="ipv4" source address="172.25.0.0/24" service name="nfs" accept
    [root@server0 ~]#
    [root@server0 ~]# firewall-cmd --remove-service=ssh --permanent
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources:
      services: dhcpv6-client
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" source address="172.25.0.0/24" service name="rpc-bind" accept
            rule family="ipv4" source address="172.25.0.0/24" service name="nfs" accept
            rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
    [root@server0 ~]#

    # On desktop
    [root@desktop0 ~]# systemctl stop iptables ebtables
    [root@desktop0 ~]# systemctl disable iptables ebtables
    [root@desktop0 ~]# systemctl enable firewalld
    [root@desktop0 ~]# systemctl restart firewalld
    [root@desktop0 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources:
      services: dhcpv6-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    [root@desktop0 ~]#
    [root@desktop0 ~]# firewall-cmd --remove-service=ssh --permanent
    [root@desktop0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept' --permanent
    success
    [root@desktop0 ~]# firewall-cmd --reload
    success
    [root@desktop0 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources:
      services: dhcpv6-client
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
    [root@desktop0 ~]#

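The before and after zone listings above can be checked mechanically. This is an added example, not part of the original document: a shell function that reads firewall-cmd --list-all text and reports any named service that is still accepted from every source or has no accept rule for the allowed network. The names audit_zone, zone_before and zone_after and the embedded samples are constructed here, and sources are compared as exact strings, not by CIDR containment.

```shell
#!/bin/sh
# Added example: audit `firewall-cmd --list-all` text for source-restricted services.

# Constructed sample: the server's public zone before ssh was restricted.
zone_before() {
cat <<'EOF'
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.25.0.0/24" service name="rpc-bind" accept
        rule family="ipv4" source address="172.25.0.0/24" service name="nfs" accept
EOF
}

# Constructed sample: the same zone after the rich rule replaced the open service.
zone_after() {
cat <<'EOF'
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.25.0.0/24" service name="rpc-bind" accept
        rule family="ipv4" source address="172.25.0.0/24" service name="nfs" accept
        rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
EOF
}

# audit_zone ALLOWED_SOURCE SERVICE...
# Reads a zone listing on stdin and prints one finding per line:
#   OPEN    the service is on the "services:" line (accepted from any source)
#   WIDE    a rich rule accepts the service from a source other than ALLOWED_SOURCE
#   MISSING no rich rule accepts the service from ALLOWED_SOURCE
# No output means every listed service is reachable only through the expected rule.
audit_zone() {
    allowed=$1
    shift
    awk -v allowed="$allowed" -v want="$*" '
        function unquote(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == "services:" {
            for (i = 2; i <= NF; i++)
                if ($i in need) print "OPEN " $i ": accepted from any source"
        }
        $1 == "rule" {
            src = "any"; svc = ""
            for (i = 1; i < NF; i++) {
                if ($i == "source" && $(i + 1) ~ /^address=/) src = unquote($(i + 1))
                if ($i == "service" && $(i + 1) ~ /^name=/) svc = unquote($(i + 1))
            }
            if (!(svc in need) || $NF != "accept") next
            if (src == allowed) ok[svc] = 1
            else print "WIDE " svc ": accepted from " src
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(w[i] in ok)) print "MISSING " w[i] ": no accept rule for " allowed
        }
    '
}

echo "before:"; zone_before | audit_zone 172.25.0.0/24 ssh
echo "after:";  zone_after  | audit_zone 172.25.0.0/24 ssh
```

On a live host, pipe the real listing in: firewall-cmd --list-all | audit_zone 172.25.0.0/24 ssh
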
IV. Command alias and IP forwarding
1. On both server and desktop, create a custom command tk that runs /bin/ps aux; the command must be available to all users on the system

    # On server
    [root@server0 ~]# echo "alias tk='/bin/ps aux'" >> /etc/bashrc
    [root@server0 ~]# source /etc/bashrc
    [root@server0 ~]# tk
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.1  0.3  52996  6696 ?        Ss   21:02   0:05 /usr/lib/systemd/s
    root         2  0.0  0.0      0     0 ?        S    21:02   0:00 [kthreadd]
    root         3  0.0  0.0      0     0 ?        S    21:02   0:00 [ksoftirqd/0]
    root         5  0.0  0.0      0     0 ?        S<   21:02   0:00 [kworker/0:0H]
    root         6  0.0  0.0      0     0 ?        S    21:02   0:00 [kworker/u2:0]
    root         7  0.0  0.0      0     0 ?        S    21:02   0:00 [migration/0]
    root         8  0.0  0.0      0     0 ?        S    21:02   0:00 [rcu_bh]
    root         9  0.0  0.0      0     0 ?        S    21:02   0:00 [rcuob/0]
    root        10  0.0  0.0      0     0 ?        S    21:02   0:01 [rcu_sched]
    root        11  0.1  0.0      0     0 ?        R    21:02   0:04 [rcuos/0]
    root        12  0.0  0.0      0     0 ?        S    21:02   0:00 [watchdog/0]
    root        13  0.0  0.0      0     0 ?        S<   21:02   0:00 [khelper]
    root        14  0.0  0.0      0     0 ?        S    21:02   0:00 [kdevtmpfs]
    root        15  0.0  0.0      0     0 ?        S<   21:02   0:00 [netns]
    ...

    # On desktop
    [root@desktop0 ~]# echo "alias tk='/bin/ps aux'" >> /etc/bashrc
    [root@desktop0 ~]# source /etc/bashrc
    [root@desktop0 ~]# tk
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.2  0.3  52480  6600 ?        Ss   21:04   0:09 /usr/lib/systemd
    root         2  0.0  0.0      0     0 ?        S    21:04   0:00 [kthreadd]
    root         3  0.0  0.0      0     0 ?        S    21:04   0:00 [ksoftirqd/0]
    root         5  0.0  0.0      0     0 ?        S<   21:04   0:00 [kworker/0:0H]
    root         7  0.0  0.0      0     0 ?        S    21:04   0:00 [migration/0]
    root         8  0.0  0.0      0     0 ?        S    21:04   0:00 [rcu_bh]
    root         9  0.0  0.0      0     0 ?        S    21:04   0:00 [rcuob/0]
    root        10  0.0  0.0      0     0 ?        R    21:04   0:00 [rcu_sched]
    ...

2. Enable IP forwarding

    # On server
    [root@server0 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    [root@server0 ~]# sysctl -p
    net.ipv4.ip_forward = 1
    [root@server0 ~]#

    # On desktop
    [root@desktop0 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    [root@desktop0 ~]# sysctl -p
    net.ipv4.ip_forward = 1
    [root@desktop0 ~]#

V. Port forwarding
1. Configure port forwarding on server: for systems in 172.16.30.0/24, connections to local port 9527 on server are forwarded to port 80; this configuration must be persistent

    # On server only
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.16.30.0/24" forward-port port=9527 protocol=tcp to-port=80' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources:
      services: dhcpv6-client
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" source address="172.16.30.0/24" forward-port port="9527" protocol="tcp" to-port="80"
            rule family="ipv4" source address="172.25.0.0/24" service name="ssh" accept
    [root@server0 ~]#

VI. Network teaming
Configure link aggregation between server and desktop
The link uses the interfaces slave1 and slave2
The link keeps working after one interface fails
The link uses the address 192.168.0.1/24 on server
The link uses the address 192.168.0.2/24 on desktop
The link remains in a normal state after a system reboot

    # On server
    [root@server0 ~]# nmcli connection add type team con-name "team0" ifname team config '{"runner":{"name":"activebackup"}}'
    Connection 'team0' (dfb92e61-2fb8-4b09-a075-1da9e62a5f7e) successfully added.
    [root@server0 ~]#
    [root@server0 ~]# nmcli connection modify team0 ipv4.addresses 192.168.0.1/24 ipv4.method manual connection.autoconnect yes
    [root@server0 ~]# nmcli connection show
    NAME         UUID                                  TYPE            DEVICE
    team0        f65ad4a0-1968-4628-a5ed-313c782d392e  team            team
    System eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  802-3-ethernet  eth0
    [root@server0 ~]#
    [root@server0 ~]# nmcli connection up team0
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
    [root@server0 ~]# nmcli connection add type team-slave con-name "slave1" ifname eth1 master team0
    Connection 'slave1' (de43be10-9eab-4a59-960c-29f1da0e6f29) successfully added.
    [root@server0 ~]# nmcli connection add type team-slave con-name "slave2" ifname eth2 master team0
    Connection 'slave2' (53da242c-d0e2-47fc-bb4e-e64601f62d47) successfully added.
    [root@server0 ~]# nmcli connection up slave1
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)
    [root@server0 ~]# nmcli connection up slave2
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)
    [root@server0 ~]#
    [root@server0 ~]# teamdctl team state
    setup:
      runner: activebackup
    ports:
      eth1
        link watches:
          link summary: up
          instance[link_watch_0]:
            name: ethtool
            link: up
      eth2
        link watches:
          link summary: up
          instance[link_watch_0]:
            name: ethtool
            link: up
    runner:
      active port: eth1
    [root@server0 ~]#

    # On desktop
    [root@desktop0 ~]# nmcli connection add type team con-name "team0" ifname team config '{"runner":{"name":"activebackup"}}'
    Connection 'team0' (ef67153a-831d-492b-87b4-a181542d42dc) successfully added.
    [root@desktop0 ~]# nmcli connection modify team0 ipv4.addresses 192.168.0.2/24 ipv4.method manual connection.autoconnect yes
    [root@desktop0 ~]# nmcli connection up team0
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
    [root@desktop0 ~]#
    [root@desktop0 ~]# nmcli connection add type team-slave con-name "slave1" ifname eth1 master team
    Connection 'slave1' (92c9c36d-0f24-42c8-a0b3-e843f90d0d91) successfully added.
    [root@desktop0 ~]# nmcli connection add type team-slave con-name "slave2" ifname eth2 master team
    Connection 'slave2' (aeff8233-e1c2-4178-a43b-9912416e74f4) successfully added.
    [root@desktop0 ~]# nmcli connection up slave1
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
    [root@desktop0 ~]# nmcli connection up slave2
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
    [root@desktop0 ~]#
    [root@desktop0 ~]# teamdctl team state
    setup:
      runner: activebackup
    ports:
      eth1
        link watches:
          link summary: up
          instance[link_watch_0]:
            name: ethtool
            link: up
      eth2
        link watches:
          link summary: up
          instance[link_watch_0]:
            name: ethtool
            link: up
    runner:
      active port: eth2
    [root@desktop0 ~]#

VII. IPv6 configuration
Configure the interfaces on your exam systems, using the following IPv6 addresses on your default network interface
The IP address on server should be fd00:ba5e:ba11:10::1/64
The IP address on desktop should be fd00:ba5e:ba11:10::2/64
Both systems must be able to communicate with systems in the network fd00:ba5e:ba11:10::cc
The addresses must persist across reboots
Both systems keep their current IPv4 addresses and can still communicate over them

    # On server
    [root@server0 ~]# nmcli connection modify "System eth0" ipv6.addresses fd00:ba5e:ba11:10::1/64 ipv6.method manual connection.autoconnect yes
    [root@server0 ~]# nmcli connection up "System eth0"
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)
    [root@server0 ~]#
    [root@server0 ~]# ifconfig
    eth0: flags=4163 mtu 1500
            inet 172.25.0.11 netmask 255.255.255.0 broadcast 172.25.0.255
            inet6 fd00:ba5e:ba11:10::1 prefixlen 64 scopeid 0x0
            inet6 fe80::5054:ff:fe00:b prefixlen 64 scopeid 0x20
            ether 52:54:00:00:00:0b txqueuelen 1000 (Ethernet)
            RX packets 7221 bytes 705496 (688.9 KiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 4177 bytes 520308 (508.1 KiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    ...

    # On desktop
    [root@desktop0 ~]# nmcli connection modify "System eth0" ipv6.addresses fd00:ba5e:ba11:10::2/64 ipv6.method manual connection.autoconnect yes
    [root@desktop0 ~]# nmcli connection up "System eth0"
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
    [root@desktop0 ~]# ifconfig
    eth0: flags=4163 mtu 1500
            inet 172.25.0.10 netmask 255.255.255.0 broadcast 172.25.0.255
            inet6 fd00:ba5e:ba11:10::2 prefixlen 64 scopeid 0x0
            inet6 fe80::5054:ff:fe00:a prefixlen 64 scopeid 0x20
            ether 52:54:00:00:00:0a txqueuelen 1000 (Ethernet)
            RX packets 4514 bytes 454271 (443.6 KiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 2605 bytes 294407 (287.5 KiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

VIII. Mail service
Configure the mail service on server
These systems do not accept mail sent from outside
Any mail sent locally on these systems is routed to server1.example.com
Mail sent from these systems appears to come from example.com
You can verify your configuration by visiting http://server1.example.com/email/harry
Mail sent to harry is also received by natasha

    [root@server0 ~]# rpm -qa postfix
    postfix-2.10.1-6.el7.x86_64
    [root@server0 ~]#
    [root@server0 ~]# systemctl enable postfix.service
    [root@server0 ~]# systemctl restart postfix.service
    [root@server0 ~]# firewall-cmd --add-service=smtp --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]#
    [root@server0 ~]# vim /etc/postfix/main.cf
    ...
    # line 98
    myorigin = example.com
    # line 116
    inet_interfaces = localhost
    # line 164
    mydestination =
    # line 264
    mynetworks = 172.0.0.0/8
    # line 318
    relayhost = [classroom.example.com]
    ...
    [root@server0 ~]# systemctl restart postfix.service

    # Mail sent to harry is also received by natasha
    [root@server0 ~]# useradd harry
    [root@server0 ~]# useradd natasha
    [root@server0 ~]# echo "harry: harry,natasha" >> /etc/aliases
    [root@server0 ~]# tail -n1 /etc/aliases
    harry: harry,natasha
    # Rebuild the alias database so the new alias takes effect
    [root@server0 ~]# newaliases
    [root@server0 ~]#

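The main.cf settings above implement a send-only (null client) host: listen on loopback only, deliver nothing locally, hand everything to a relay. This is an added example, not part of the original document: a shell function that reads main.cf text and reports which of those properties do not hold, including a trusted relay range wider than loopback. The function name check_null_client and the sample configurations are constructed here; the expected origin domain is passed as an argument.

```shell
#!/bin/sh
# Added example: check main.cf text against the null-client properties.

# Constructed sample: the five settings from the walkthrough above.
page_main_cf() {
cat <<'EOF'
myorigin = example.com
inet_interfaces = localhost
mydestination =
mynetworks = 172.0.0.0/8
relayhost = [classroom.example.com]
EOF
}

# Constructed sample: the same settings with relay trust limited to loopback.
tight_main_cf() {
cat <<'EOF'
myorigin = example.com
inet_interfaces = loopback-only
mydestination =
mynetworks = 127.0.0.0/8 [::1]/128
relayhost = [classroom.example.com]
EOF
}

# check_null_client ORIGIN_DOMAIN
# Reads main.cf on stdin; prints FAIL/WARN findings, nothing when all checks pass.
# The last assignment of a parameter wins, and lines that start with
# whitespace continue the previous parameter, as in Postfix itself.
check_null_client() {
    awk -v origin="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); if (k != "") conf[k] = conf[k] " " $0; next }
        /=/ {
            k = $0; sub(/[ \t]*=.*$/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            conf[k] = v
        }
        END {
            # An unset inet_interfaces defaults to "all".
            ii = ("inet_interfaces" in conf) ? conf["inet_interfaces"] : "all"
            if (ii != "localhost" && ii != "loopback-only")
                print "FAIL inet_interfaces=" ii ": SMTP listener reachable from the network"
            # An unset mydestination defaults to the local host names.
            if (!("mydestination" in conf) || conf["mydestination"] != "")
                print "FAIL mydestination: host still accepts mail for local delivery"
            if (conf["relayhost"] == "")
                print "FAIL relayhost: no relay configured"
            if (conf["myorigin"] != origin)
                print "FAIL myorigin: expected " origin
            # Only loopback needs relay trust on a send-only host.
            m = split(conf["mynetworks"], net, /[ ,]+/)
            for (i = 1; i <= m; i++)
                if (net[i] != "127.0.0.0/8" && net[i] != "[::1]/128")
                    print "WARN mynetworks: " net[i] " is trusted to relay, wider than loopback"
        }
    '
}

echo "walkthrough settings:"; page_main_cf  | check_null_client example.com
echo "loopback-only trust:";  tight_main_cf | check_null_client example.com
```

The mynetworks warning is harmless only while inet_interfaces stays on loopback; on a live host feed the function with postconf -n output or the file itself.
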
IX. Samba service
Configure the Samba service on server
Your Samba server must be a member of the STAFF workgroup
Share the directory /common with the share name common
Only clients in the example.com domain can access the common share
common must be browseable
The user natasha must be able to read the contents of the share; if a password is needed, it is: tangkai

    [root@server0 ~]# yum install samba* -y
    [root@server0 ~]# systemctl enable smb nmb
    ln -s '/usr/lib/systemd/system/smb.service' '/etc/systemd/system/multi-user.target.wants/smb.service'
    ln -s '/usr/lib/systemd/system/nmb.service' '/etc/systemd/system/multi-user.target.wants/nmb.service'
    [root@server0 ~]# systemctl restart smb nmb
    [root@server0 ~]#
    [root@server0 ~]# vim /etc/samba/smb.conf
    workgroup = STAFF
    ...
    [common]
    path = /common
    browseable = yes
    valid users = natasha
    [root@server0 ~]# smbpasswd -a natasha
    New SMB password:
    Retype new SMB password:
    Added user natasha.
    [root@server0 ~]#
    [root@server0 ~]# mkdir /common
    [root@server0 ~]# systemctl restart smb nmb
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="samba" accept' --permanent
    success
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="samba-client" accept' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]# getsebool -a |grep samba |grep dir
    samba_create_home_dirs --> off
    samba_enable_home_dirs --> off
    use_samba_home_dirs --> off
    [root@server0 ~]#
    [root@server0 ~]# setsebool -P samba_enable_home_dirs on
    [root@server0 ~]# getsebool -a |grep samba |grep dir
    samba_create_home_dirs --> off
    samba_enable_home_dirs --> on
    use_samba_home_dirs --> off
    [root@server0 ~]#
    [root@server0 ~]# ls -dZ /common/
    drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /common/
    [root@server0 ~]# chcon -Rt samba_share_t /common/
    [root@server0 ~]# ll -Zd /common/
    drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /common/
    [root@server0 ~]#
    [root@server0 ~]# systemctl restart smb nmb

    # Verify
    [root@desktop0 ~]# yum install samba-client -y
    [root@desktop0 ~]# smbclient -U natasha -L 172.25.0.11
    Enter natasha's password:
    Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]

        Sharename       Type      Comment
        ---------       ----      -------
        common          Disk
        IPC$            IPC       IPC Service (Samba Server Version 4.1.1)
        natasha         Disk      Home Directories
    Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]

        Server               Comment
        ---------            -------
        LOCALHOST            Samba Server Version 4.1.1

        Workgroup            Master
        ---------            -------
        STAFF                LOCALHOST
    [root@desktop0 ~]#
    [root@desktop0 ~]# mount -t cifs -o username=natasha,password=tangkai //172.25.0.11/common /media/
    [root@desktop0 ~]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/vda1              10G  3.1G  7.0G  31% /
    devtmpfs              906M     0  906M   0% /dev
    tmpfs                 921M   80K  921M   1% /dev/shm
    tmpfs                 921M   17M  904M   2% /run
    tmpfs                 921M     0  921M   0% /sys/fs/cgroup
    //172.25.0.11/common   10G  3.3G  6.8G  33% /media
    [root@desktop0 ~]#

X. Multiuser Samba mount
Share the directory /storage through Samba on server
The share name is share
The share can be used only by clients in the example.com domain
The share must be browseable
The user sarah has read access to this share; the password is tangkai
The user kitty has read-write access to this share; the password is tangkai
The share is permanently mounted on desktop at /mnt/dev, authenticating as the user sarah; any user can temporarily obtain read-write access through kitty

    # Builds on the previous task
    # Server configuration
    [root@server0 Desktop]# mkdir /storage
    [root@server0 Desktop]# chcon -Rt samba_share_t /storage/
    [root@server0 Desktop]# ll -Zd /storage/
    drwxr-xr-x. root root unconfined_u:object_r:samba_share_t:s0 /storage/
    [root@server0 Desktop]#
    [root@server0 Desktop]# vim /etc/samba/smb.conf
    ...
    [share]
    path = /storage
    browseable = yes
    valid users = sarah,kitty
    writable = no
    write list = kitty
    [root@server0 Desktop]# systemctl restart smb nmb
    [root@server0 Desktop]# useradd sarah
    [root@server0 Desktop]# useradd kitty
    [root@server0 Desktop]# setfacl -m u:sarah:r-x /storage/
    [root@server0 Desktop]# setfacl -m u:kitty:rwx /storage/
    [root@server0 Desktop]# smbpasswd -a sarah
    New SMB password:
    Retype new SMB password:
    Added user sarah.
    [root@server0 Desktop]# smbpasswd -a kitty
    New SMB password:
    Retype new SMB password:
    Added user kitty.
    [root@server0 Desktop]#

    # On desktop
    [root@desktop0 ~]# mkdir /mnt/dev/
    [root@desktop0 ~]#
    [root@desktop0 ~]# vim /etc/fstab
    ...
    //172.25.0.11/share /mnt/dev cifs multiuser,username=sarah,password=tangkai,sec=ntlmssp 0 0
    [root@desktop0 ~]# mount -a
    [root@desktop0 ~]# df -h
    Filesystem           Size  Used Avail Use% Mounted on
    /dev/sda1             10G  3.1G  7.0G  31% /
    devtmpfs             475M     0  475M   0% /dev
    tmpfs                490M  140K  490M   1% /dev/shm
    tmpfs                490M   14M  477M   3% /run
    tmpfs                490M     0  490M   0% /sys/fs/cgroup
    tmpfs                490M   14M  477M   3% /run/netns
    //172.25.0.11/share   10G  3.1G  7.0G  31% /mnt/dev
    [root@desktop0 ~]#

    # Verify read-write access as kitty: install the package below, then switch to an ordinary user and authenticate with cifscreds
    [root@desktop0 ~]# yum install cifs-utils.x86_64 -y
    [root@desktop0 ~]# su - student
    [student@desktop0 ~]$ cifscreds add -u kitty 172.25.0.11
    Password:
    [student@desktop0 ~]$
    [student@desktop0 ~]$ cd /mnt/dev/
    [student@desktop0 dev]$ touch hh
    [student@desktop0 dev]$ ll
    total 0
    -rw-r--r--. 1 1004 1004 0 Jun 2 21:45 hh
    [student@desktop0 dev]$

    # On the server, check which user UID 1004 belongs to
    [root@server0 Desktop]# id 1004
    uid=1004(kitty) gid=1004(kitty) groups=1004(kitty)

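The fstab entry above keeps sarah's password in /etc/fstab, which every local user can read; mount.cifs also accepts a credentials=FILE option that points to a root-only file holding the username= and password= lines. This is an added example, not part of the original document: shell functions that find cifs entries with an inline password, emit the credentials-file body, and rewrite the entry to reference the file. The function names, the path /root/.smb-sarah and the first sample line are constructed here.

```shell
#!/bin/sh
# Added example: move inline cifs credentials out of fstab text.

# Constructed sample: a root filesystem line plus the cifs entry from the walkthrough.
page_fstab() {
cat <<'EOF'
UUID=9bf6b9f7-92ad-441b-848e-0257cbb883d1 / xfs defaults 1 1
//172.25.0.11/share /mnt/dev cifs multiuser,username=sarah,password=tangkai,sec=ntlmssp 0 0
EOF
}

# Print the mount point of every cifs entry that carries a password option.
cifs_inline_secrets() {
    awk '!/^[ \t]*#/ && $3 == "cifs" && $4 ~ /(^|,)(password|pass)=/ { print $2 }'
}

# cifs_credentials_body MOUNTPOINT
# Print the lines that belong in the credentials file for that entry.
cifs_credentials_body() {
    awk -v mp="$1" '
        !/^[ \t]*#/ && $3 == "cifs" && $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                val = opt[i]; sub(/^[^=]*=/, "", val)
                if (opt[i] ~ /^(username|user)=/) print "username=" val
                else if (opt[i] ~ /^(password|pass)=/) print "password=" val
            }
        }
    '
}

# cifs_use_credentials MOUNTPOINT CRED_FILE
# Rewrite fstab text: drop the inline user/password options of that entry
# and append credentials=CRED_FILE; every other line passes through unchanged.
cifs_use_credentials() {
    awk -v mp="$1" -v cred="$2" '
        /^[ \t]*#/ || $3 != "cifs" || $2 != mp { print; next }
        {
            n = split($4, opt, ","); out = ""
            for (i = 1; i <= n; i++)
                if (opt[i] !~ /^(username|user|password|pass)=/)
                    out = out (out == "" ? "" : ",") opt[i]
            $4 = out (out == "" ? "" : ",") "credentials=" cred
            print
        }
    '
}

echo "entries with an inline password:"
page_fstab | cifs_inline_secrets
echo "credentials file body (install it root-owned, mode 600):"
page_fstab | cifs_credentials_body /mnt/dev
echo "rewritten fstab:"
page_fstab | cifs_use_credentials /mnt/dev /root/.smb-sarah
```

The multiuser and sec=ntlmssp options are preserved, so other users still add their own credentials with cifscreds as shown above.
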
XI. Configure the NFS service
1.) Configure NFS on server
Share /public read-only, accessible only to users in example.com
Share /protected read-write, accessible to users in example.com
Access to /protected must be secured with Kerberos; you can use the keytab at the link below:
http://ldap.example.com/pub/server30.keytab
The directory /protected should contain a subdirectory named project owned by guest2001
The user guest2001 can access /protected/project read-write

    [root@server0 Desktop]# mkdir /public /protected
    [root@server0 Desktop]# vim /etc/exports
    [root@server0 Desktop]# cat /etc/exports
    /public 172.25.0.0/24(ro)
    /protected 172.25.0.0/24(rw,sec=krb5p)
    [root@server0 Desktop]#
    # Configure Kerberos authentication. If the exam environment already has Kerberos configured you do not need to do it yourself; otherwise you must.
    # You can check by switching to a remote user with su - ldapuser12. The configuration is omitted here.
    [root@server0 Desktop]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
    [root@server0 Desktop]# cd /protected/
    [root@server0 protected]# mkdir project
    [root@server0 protected]# chown ldapuser12 project/
    [root@server0 protected]# ll
    total 0
    drwxr-xr-x. 2 ldapuser12 root 6 Jun 2 22:04 project
    [root@server0 protected]#
    [root@server0 ~]# vim /etc/sysconfig/nfs
    RPCNFSDARGS="-V 4.2"
    [root@server0 ~]# systemctl enable nfs-secure.service nfs-secure-server.service nfs-server.service
    ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
    ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
    ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
    [root@server0 ~]# systemctl start nfs-secure.service nfs-secure-server.service nfs-server.service
    [root@server0 ~]#
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="nfs" accept ' --permanent
    success
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="rpc-bind" accept ' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]#

2.) On desktop, mount the NFS shares from server30
/public is mounted on the directory /mnt/nfsmount
/protected is mounted on the directory /mnt/nfssecure using the secure method; the keytab is at
http://ldap.example.com/pub/desktop30.keytab
The user guest2001 can create files in /mnt/nfssecure/project
These file systems are mounted automatically at boot

    # Client configuration
    # Configure Kerberos authentication. If the exam environment already has Kerberos configured you do not need to do it yourself; otherwise you must.
    # You can check by switching to a remote user with su - ldapuser12. The configuration is omitted here.
    [root@desktop0 ~]# mkdir /mnt/{nfsmount,nfssecure}
    [root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
    [root@desktop0 ~]# vim /etc/sysconfig/nfs
    ...
    RPCNFSDARGS="-V 4.2"
    [root@desktop0 ~]# vim /etc/fstab
    ...
    172.25.0.11:/public /mnt/nfsmount nfs ro 0 0
    172.25.0.11:/protected /mnt/nfssecure nfs defaults,v4.2,sec=krb5p 0 0
    [root@desktop0 ~]# systemctl enable nfs-secure.service
    ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
    [root@desktop0 ~]# systemctl start nfs-secure.service
    [root@desktop0 ~]# mount -a
    [root@desktop0 ~]# df -h
    Filesystem              Size  Used Avail Use% Mounted on
    /dev/sda1                10G  3.1G  7.0G  31% /
    devtmpfs                475M     0  475M   0% /dev
    tmpfs                   490M  140K  490M   1% /dev/shm
    tmpfs                   490M   14M  477M   3% /run
    tmpfs                   490M     0  490M   0% /sys/fs/cgroup
    tmpfs                   490M   14M  477M   3% /run/netns
    //172.25.0.11/share      10G  3.1G  6.9G  31% /mnt/dev
    172.25.0.11:/public      10G  3.1G  6.9G  31% /mnt/nfsmount
    172.25.0.11:/protected   10G  3.1G  6.9G  31% /mnt/nfssecure
    [root@desktop0 ~]#
    [root@desktop0 ~]# ssh ldapuser12@localhost
    ldapuser12@localhost's password: kerberos
    [ldapuser12@desktop0 ~]$ cd /mnt/nfssecure/
    [ldapuser12@desktop0 nfssecure]$ ll
    total 0
    drwxr-xr-x. 2 ldapuser12 root 6 Jun 2 22:04 project
    [ldapuser12@desktop0 nfssecure]$ cd project/
    [ldapuser12@desktop0 project]$ touch aaa
    [ldapuser12@desktop0 project]$ ll
    total 0
    -rw-rw-r--. 1 ldapuser12 ldapuser12 0 Jun 2 22:32 aaa
    [ldapuser12@desktop0 project]$

XII. Configure a web site http://server.example.com on server;
Download the file from http://ldap.example.com/pub/example.html and rename it to index.html; do not modify the file contents.
Copy the file index.html to your DocumentRoot directory
Clients from example.com can access this web server
Access from clients in my133t.org is denied

    [root@server0 ~]# yum install httpd -y
    [root@server0 ~]# cd /var/www/html/
    [root@server0 html]# ls
    [root@server0 html]# wget -O index.html http://classroom.example.com/pub/example.html
    [root@server0 html]# ls
    index.html
    [root@server0 html]# cat index.html
    server.example.com
    [root@server0 html]#
    [root@server0 ~]# systemctl enable httpd.service
    ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
    [root@server0 ~]# systemctl start httpd.service
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="http" accept' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success

XIII. Configure TLS encryption for the site http://server.example.com;
The signed certificate is obtained from http://ldap.example.com/pub/server30.crt
The certificate's key is obtained from http://ldap.example.com/pub/server30.key
The certificate's signing authority information is obtained from http://ldap.example.com/pub/group30.crt

    [root@server0 ~]# yum install mod_ssl.x86_64 -y
    [root@server0 ~]# cd /etc/httpd/
    [root@server0 httpd]# ls
    conf conf.d conf.modules.d logs modules run
    [root@server0 httpd]# mkdir ssl
    [root@server0 httpd]# cd ssl
    [root@server0 ssl]# wget http://classroom.example.com/pub/tls/certs/server0.crt
    [root@server0 ssl]# wget http://classroom.example.com/pub/tls/certs/www0.crt
    [root@server0 ssl]# wget http://classroom.example.com/pub/tls/private/server0.key
    [root@server0 ssl]# ls
    server0.crt server0.key www0.crt
    [root@server0 ssl]# cd ..
    [root@server0 httpd]# cd conf.d/
    [root@server0 conf.d]# ls
    autoindex.conf README ssl.conf userdir.conf welcome.conf
    [root@server0 conf.d]# vim ssl.conf
    ...
    # line 59: uncomment
    DocumentRoot "/var/www/html"
    # line 60: uncomment and change to server0.example.com:443
    ServerName server0.example.com:443
    ...
    # line 100: change the certificate path
    SSLCertificateFile /etc/httpd/ssl/server0.crt
    ...
    # line 117: change the certificate path
    SSLCertificateKeyFile /etc/httpd/ssl/server0.key
    ...
    # line 122: change the certificate path
    SSLCACertificateFile /etc/httpd/ssl/www0.crt
    [root@server0 ~]# systemctl restart httpd.service
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" service name="https" accept' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]#

XIV. Extend your web server on server;
1. Create a virtual host for the site http://www.example.com
2. Set the DocumentRoot to /var/www/virtual
3. Download the file from http://ldap.example.com/pub/www.html and rename it to index.html; do not modify the file contents.
4. Copy the file index.html to the DocumentRoot directory
5. Make sure the user floyd can create files under /var/www/virtual

    [root@server0 ~]# cd /etc/httpd/conf.d/
    [root@server0 conf.d]# ls
    autoindex.conf README ssl.conf userdir.conf welcome.conf
    [root@server0 conf.d]# find / -name '*httpd-vhosts*' -exec cp {} . \;
    [root@server0 conf.d]# ls
    autoindex.conf httpd-vhosts.conf README ssl.conf userdir.conf welcome.conf
    [root@server0 conf.d]# vim httpd-vhosts.conf
    <VirtualHost *:80>
        DocumentRoot "/var/www/virtual"
        ServerName "www.example.com"
    </VirtualHost>
    [root@server0 ~]# mkdir /var/www/virtual
    [root@server0 ~]# cd /var/www/virtual
    [root@server0 virtual]# wget -O index.html http://classroom.example.com/pub/www.html
    [root@server0 virtual]# ls
    index.html
    [root@server0 ~]# cat /var/www/virtual/index.html
    www.example.com
    [root@server0 ~]#
    [root@server0 virtual]# useradd floyd
    [root@server0 virtual]# id floyd
    uid=1005(floyd) gid=1005(floyd) groups=1005(floyd)
    [root@server0 virtual]# cd ..
    [root@server0 www]# ll
    total 0
    drwxr-xr-x. 2 root root 6 Mar 20 2014 cgi-bin
    drwxr-xr-x. 2 root root 23 Jun 4 15:15 html
    drwxr-xr-x. 2 root root 23 Jun 4 15:55 virtual
    [root@server0 www]# setfacl -m u:floyd:rwx /var/www/virtual/
    [root@server0 www]#
    [root@server0 conf.d]# systemctl restart httpd.service

    # In the simulated environment you need to configure the hosts file to resolve the names
    # Note: once this virtual host is configured, requests for server0.example.com from the previous task are served the www.example.com content, which is a conflict.
    # server0.example.com therefore needs its own virtual host entry, so that different names on the same port serve different content.
    [root@server0 ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
    <VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName server0.example.com
    </VirtualHost>
    [root@server0 ~]# systemctl restart httpd.service

XV. Web access control;
Create a directory named private under the DocumentRoot of the web server on your server
Download the file from http://ldap.example.com/pub/private.html into this directory and rename it to index.html; do not modify the file contents
From server, anyone can browse the contents of private, but the contents of this directory cannot be accessed from other systems

    [root@server0 ~]# cd /var/www/html/
    [root@server0 html]# mkdir private
    [root@server0 html]# ll
    total 4
    -rw-r--r--. 1 root root 19 Dec 3 2019 index.html
    drwxr-xr-x. 2 root root 6 Jun 4 16:34 private
    [root@server0 html]# cd private/
    [root@server0 private]# wget -O index.html http://classroom.example.com/pub/private.html
    [root@server0 private]# ls
    index.html
    [root@server0 ~]# cd /etc/httpd/conf.d/
    [root@server0 conf.d]# vim httpd-vhosts.conf
    # Change it to this
    <VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName server0.example.com
        <Directory "/var/www/html/private">
            Require ip 172.25.0.11
        </Directory>
    </VirtualHost>
    [root@server0 conf.d]# systemctl restart httpd.service

XVI. Serve dynamic web content on server;
The dynamic content is provided by a virtual host named alt.example.com
The virtual host listens on port 8909
Download a script from http://ldap.example.com/pub/webapp.wsgi and put it in an appropriate location; do not modify the file contents
Clients accessing http://alt.example.com:8909 should receive a dynamically generated web page
http://alt.example.com:8909 must be accessible to all systems in example.com

    [root@server0 ~]# yum install mod_wsgi.x86_64 -y
    [root@server0 ~]# cd /var/www/
    [root@server0 www]# mkdir wsgi
    [root@server0 www]# cd wsgi/
    [root@server0 wsgi]# wget http://classroom.example.com/pub/webapp.wsgi
    [root@server0 wsgi]# ls
    webapp.wsgi
    [root@server0 ~]# cd /etc/httpd/conf.d/
    [root@server0 conf.d]# vim httpd-vhosts.conf
    ...
    Listen 8909
    <VirtualHost *:8909>
        ServerName alt.example.com
        WSGIScriptAlias / "/var/www/wsgi/webapp.wsgi"
    </VirtualHost>
    ...
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.0/24" port port=8909 protocol=tcp accept' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]#
    [root@server0 ~]# semanage port -l |grep http
    http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
    http_cache_port_t              udp      3130
    http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
    pegasus_http_port_t            tcp      5988
    pegasus_https_port_t           tcp      5989
    [root@server0 ~]#
    [root@server0 ~]# semanage port -a 8909 -p tcp -t http_port_t
    [root@server0 ~]# semanage port -l |grep http
    http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
    http_cache_port_t              udp      3130
    http_port_t                    tcp      8909, 80, 81, 443, 488, 8008, 8009, 8443, 9000
    pegasus_http_port_t            tcp      5988
    pegasus_https_port_t           tcp      5989
    [root@server0 ~]#
    [root@server0 ~]# systemctl restart httpd.service

XVII. Configure server to provide an iSCSI share;
The disk name is iqn.2014-09.com.example:server
The service port is 3260
Use iscsi_store as the backing volume, with a size of 3G
The service can be accessed only by desktop.example.com

    [root@server0 ~]# yum install targetcli -y
    [root@server0 ~]# systemctl enable target.service
    [root@server0 ~]# systemctl start target.service
    # Partition the disk: create one 3G partition
    [root@server0 ~]# fdisk /dev/vdb
    [root@server0 ~]# partprobe
    [root@server0 ~]# lsblk
    NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    vda    253:0    0  10G  0 disk
    └─vda1 253:1    0  10G  0 part /
    vdb    253:16   0  10G  0 disk
    └─vdb1 253:17   0   3G  0 part
    [root@server0 ~]# targetcli
    Warning: Could not load preferences file /root/.targetcli/prefs.bin.
    targetcli shell version 2.1.fb34
    Copyright 2011-2013 by Datera, Inc and others.
    For help on commands, type 'help'.
    /> ls
    o- / ..................................................................... [...]
      o- backstores .......................................................... [...]
      | o- block .............................................. [Storage Objects: 0]
      | o- fileio ............................................. [Storage Objects: 0]
      | o- pscsi .............................................. [Storage Objects: 0]
      | o- ramdisk ............................................ [Storage Objects: 0]
      o- iscsi ........................................................ [Targets: 0]
      o- loopback ..................................................... [Targets: 0]
    /> cd /backstores/block
    /backstores/block> ls
    o- block .................................................. [Storage Objects: 0]
    /backstores/block> create iscsi_store /dev/vdb1
    Created block storage object iscsi_store using /dev/vdb1.
    /backstores/block> ls
    o- block .................................................. [Storage Objects: 1]
      o- iscsi_store ................... [/dev/vdb1 (3.0GiB) write-thru deactivated]
    /backstores/block> cd ..
    /backstores> ls
    o- backstores ............................................................ [...]
      o- block ................................................ [Storage Objects: 1]
      | o- iscsi_store ................. [/dev/vdb1 (3.0GiB) write-thru deactivated]
      o- fileio ............................................... [Storage Objects: 0]
      o- pscsi ................................................ [Storage Objects: 0]
      o- ramdisk .............................................. [Storage Objects: 0]
    /backstores> cd ..
    /> cd /iscsi
    /iscsi> ls
    o- iscsi .......................................................... [Targets: 0]
    /iscsi> create iqn.2014-09.com.example:server0
    Created target iqn.2014-09.com.example:server0.
    Created TPG 1.
    /iscsi> ls
    o- iscsi .......................................................... [Targets: 1]
      o- iqn.2014-09.com.example:server0 ................................. [TPGs: 1]
        o- tpg1 ............................................. [no-gen-acls, no-auth]
          o- acls ........................................................ [ACLs: 0]
          o- luns ........................................................ [LUNs: 0]
          o- portals .................................................. [Portals: 0]
    /iscsi>
    /iscsi> cd iqn.2014-09.com.example:server0/tpg1/
    /iscsi/iqn.20...:server0/tpg1> ls
    o- tpg1 ................................................. [no-gen-acls, no-auth]
      o- acls ............................................................ [ACLs: 0]
      o- luns ............................................................ [LUNs: 0]
      o- portals ...................................................... [Portals: 0]
    /iscsi/iqn.20...:server0/tpg1> cd acls
    /iscsi/iqn.20...er0/tpg1/acls> create iqn.2014-09.com.example:desktop0
    Created Node ACL for iqn.2014-09.com.example:desktop0
    /iscsi/iqn.20...er0/tpg1/acls> ls
    o- acls .............................................................. [ACLs: 1]
      o- iqn.2014-09.com.example:desktop0 ......................... [Mapped LUNs: 0]
    /iscsi/iqn.20...er0/tpg1/acls>
    /iscsi/iqn.20...er0/tpg1/acls> cd ..
    /iscsi/iqn.20...:server0/tpg1> ls
    o- tpg1 ................................................. [no-gen-acls, no-auth]
      o- acls ............................................................ [ACLs: 1]
      | o- iqn.2014-09.com.example:desktop0 ....................... [Mapped LUNs: 0]
      o- luns ............................................................ [LUNs: 0]
      o- portals ...................................................... [Portals: 0]
    /iscsi/iqn.20...:server0/tpg1> cd luns
    /iscsi/iqn.20...er0/tpg1/luns> create /backstores/block/iscsi_store
    Created LUN 0.
    Created LUN 0->0 mapping in node ACL iqn.2014-09.com.example:desktop0
    /iscsi/iqn.20...er0/tpg1/luns> ls
    o- luns .............................................................. [LUNs: 1]
      o- lun0 ...................................... [block/iscsi_store (/dev/vdb1)]
    /iscsi/iqn.20...er0/tpg1/luns>
    /iscsi/iqn.20...er0/tpg1/luns> cd ..
    /iscsi/iqn.20...:server0/tpg1> ls
    o- tpg1 .................................................. [no-gen-acls, no-auth]
      o- acls ............................................................. [ACLs: 1]
      | o- iqn.2014-09.com.example:desktop0 ........................ [Mapped LUNs: 1]
      |   o- mapped_lun0 .............................. [lun0 block/iscsi_store (rw)]
      o- luns ............................................................. [LUNs: 1]
      | o- lun0 ..................................... [block/iscsi_store (/dev/vdb1)]
      o- portals ....................................................... [Portals: 0]
    /iscsi/iqn.20...:server0/tpg1> cd portals
    /iscsi/iqn.20.../tpg1/portals> ls
    o- portals ......................................................... [Portals: 0]
    /iscsi/iqn.20.../tpg1/portals> create 172.25.0.11 3260
    Using default IP port 3260
    Created network portal 172.25.0.11:3260.
    /iscsi/iqn.20.../tpg1/portals> ls
    o- portals ......................................................... [Portals: 1]
      o- 172.25.0.11:3260 ...................................................... [OK]
    /iscsi/iqn.20.../tpg1/portals>
    /> exit
    [root@server0 ~]# systemctl restart target.service
    # Allow only desktop (172.25.0.10) to reach the iSCSI port
    [root@server0 ~]# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="172.25.0.10/32" port port=3260 protocol=tcp accept' --permanent
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]#

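18. Configure desktop so that it can connect to the iSCSI target provided by server;
The iSCSI device is attached automatically at system boot
The iSCSI block device contains a 1500 MiB partition formatted as ext4
This partition is mounted on /mnt/netdev and is mounted automatically at system boot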
[root@desktop0 ~]# yum install iscsi-initiator-utils.i686 -y
[root@desktop0 ~]# cd /etc/iscsi/
[root@desktop0 iscsi]# ls
initiatorname.iscsi  iscsid.conf
[root@desktop0 iscsi]# vim initiatorname.iscsi
# The initiator name must match the Node ACL created on server0
InitiatorName=iqn.2014-09.com.example:desktop0
[root@desktop0 ~]# systemctl enable iscsid.service
ln -s '/usr/lib/systemd/system/iscsid.service' '/etc/systemd/system/multi-user.target.wants/iscsid.service'
[root@desktop0 ~]# systemctl start iscsid
# Look up the EXAMPLES section of the man page, copy an example and adjust its parameters
[root@desktop0 ~]# man iscsiadm
[root@desktop0 ~]# iscsiadm --mode discoverydb --type sendtargets --portal 172.25.0.11 --discover
172.25.0.11:3260,1 iqn.2014-09.com.example:server0
[root@desktop0 ~]#
[root@desktop0 ~]# iscsiadm --mode node --targetname iqn.2014-09.com.example:server0 --portal 172.25.0.11:3260 --login
Logging in to [iface: default, target: iqn.2014-09.com.example:server0, portal: 172.25.0.11,3260] (multiple)
Login to [iface: default, target: iqn.2014-09.com.example:server0, portal: 172.25.0.11,3260] successful.
[root@desktop0 ~]#
[root@desktop0 ~]# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0    3G  0 disk
vda    253:0    0   10G  0 disk
└─vda1 253:1    0   10G  0 part /
vdb    253:16   0   10G  0 disk
[root@desktop0 ~]#
[root@desktop0 ~]# fdisk /dev/sda
[root@desktop0 ~]# partprobe
[root@desktop0 ~]# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0    3G  0 disk
└─sda1   8:1    0  1.5G  0 part
vda    253:0    0   10G  0 disk
└─vda1 253:1    0   10G  0 part /
vdb    253:16   0   10G  0 disk
[root@desktop0 ~]#
[root@desktop0 ~]# mkfs.ext4 /dev/sda1
[root@desktop0 ~]# mkdir /mnt/netdev
[root@desktop0 ~]# blkid
/dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs"
/dev/sda1: UUID="50d11070-8aac-4be2-8ab4-da31584bcbe6" TYPE="ext4"
[root@desktop0 ~]#
[root@desktop0 ~]# vim /etc/fstab
UUID="50d11070-8aac-4be2-8ab4-da31584bcbe6" /mnt/netdev ext4 defaults,_netdev 0 0
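The server session above leaves tpg1 in no-gen-acls mode with a single Node ACL, so the IQN in the client's initiatorname.iscsi must equal that ACL entry or the login is refused. The check below is an added example, not part of the original document: it compares the two from saved files. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. With "no-gen-acls" on the TPG,
# the target admits only initiators whose IQN has a Node ACL.

# initiator_iqn FILE: print the IQN set in an initiatorname.iscsi-style file.
initiator_iqn() {
    sed -n 's/^[[:space:]]*InitiatorName[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" |
        head -n 1
}

# acl_iqns FILE: print the IQNs listed under "o- acls" in saved `targetcli ls` output.
acl_iqns() {
    awk '
        /o- acls /           { in_acl = 1; next }
        /o- (luns|portals) / { in_acl = 0 }
        in_acl && /o- iqn\./ { for (i = 1; i <= NF; i++) if ($i ~ /^iqn\./) print $i }
    ' "$1"
}

# check_initiator_acl INITIATOR_FILE TREE_FILE
# Returns 0 on a match, 1 if the IQN has no ACL, 2 if no IQN is configured.
check_initiator_acl() {
    iqn=$(initiator_iqn "$1")
    [ -n "$iqn" ] || { echo "no InitiatorName in $1" >&2; return 2; }
    if acl_iqns "$2" | grep -Fxq -- "$iqn"; then
        echo "OK: $iqn has a Node ACL"
    else
        echo "MISMATCH: $iqn has no Node ACL, login will be refused" >&2
        return 1
    fi
}

# make_sample DIR: write constructed inputs modelled on the session above.
make_sample() {
    echo 'InitiatorName=iqn.2014-09.com.example:desktop0' > "$1/good.iscsi"
    echo 'InitiatorName=iqn.2014-09.com.example:server0'  > "$1/bad.iscsi"
    cat > "$1/tree.txt" <<'EOF'
o- iqn.2014-09.com.example:server0 ........................ [TPGs: 1]
  o- tpg1 ................................... [no-gen-acls, no-auth]
    o- acls ................................................ [ACLs: 1]
    | o- iqn.2014-09.com.example:desktop0 ........... [Mapped LUNs: 1]
    |   o- mapped_lun0 ............. [lun0 block/iscsi_store (rw)]
    o- luns ................................................ [LUNs: 1]
    | o- lun0 ..................... [block/iscsi_store (/dev/vdb1)]
    o- portals .......................................... [Portals: 1]
EOF
}
```

On real hosts, save the output of `targetcli ls` on server0 to a file and pass it together with /etc/iscsi/initiatorname.iscsi from desktop0.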
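19. Write a shell script located at /root/program;
When /root/program tang is run, the terminal prints kai
When /root/program kai is run, the terminal prints tang
When /root/program is run without an argument, or with any other argument, it prints /root/program tang|kai to standard error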
[root@server0 ~]# pwd
/root
[root@server0 ~]# vim program
[root@server0 ~]# chmod +x program
[root@server0 ~]# vim program
[root@server0 ~]# cat program
#!/bin/bash
case "$1" in
    'tang')
        echo 'kai'
        ;;
    'kai')
        echo 'tang'
        ;;
    *)
        # The usage message goes to standard error, as the task requires
        echo '/root/program tang|kai' >&2
        ;;
esac
[root@server0 ~]#
[root@server0 ~]# ./program
/root/program tang|kai
[root@server0 ~]# ./program tang
kai
[root@server0 ~]# ./program kai
tang
[root@server0 ~]#
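20. Write a script that creates users;
The script is named /root/mkuser and takes one argument when run,
Download the file from http://ldap.example.com/pub/user; this user file is the argument
If no argument is given, print: Usage:/root/mkuser
If the argument is a file that does not exist, print: Input file not found
If the file exists, create the users; they need no password and their shell is /bin/false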
[root@server0 ~]# vim mkuser
[root@server0 ~]# chmod +x mkuser
[root@server0 ~]# cat mkuser
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Usage:$0"
else
    if [ ! -f "$1" ]; then
        echo 'Input file not found'
    else
        # One account per word in the input file, with no login shell
        for user in $(cat "$1"); do
            useradd -s /bin/false "$user"
        done
    fi
fi
[root@server0 ~]#
[root@server0 ~]# ./mkuser
Usage:./mkuser
[root@server0 ~]#
[root@server0 ~]# ./mkuser users
Input file not found
[root@server0 ~]#
[root@server0 ~]# id zhouxiang
uid=1006(zhouxiang) gid=1006(zhouxiang) groups=1006(zhouxiang)
[root@server0 ~]# id zhangsan
uid=1008(zhangsan) gid=1008(zhangsan) groups=1008(zhangsan)
[root@server0 ~]# id lisi
uid=1009(lisi) gid=1009(lisi) groups=1009(lisi)
[root@server0 ~]# id wangwu
uid=1007(wangwu) gid=1007(wangwu) groups=1007(wangwu)
[root@server0 ~]#
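The user list in this task is fetched over plain HTTP and every word in it is handed to useradd as root. The variant below is an added example, not the original script: it validates each entry and can print its decisions without touching the system. The function names and the username pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: a stricter /root/mkuser.
# The list arrives over plain HTTP and each entry becomes a useradd argument
# run as root, so entries are validated first.
LC_ALL=C; export LC_ALL    # make [a-z] mean ASCII lowercase only

# valid_username NAME: conservative pattern chosen for this example
# (an assumption): first char a-z or _, then a-z 0-9 _ -, at most 32 chars.
valid_username() {
    case $1 in
        '' | [!a-z_]* | *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# plan_users FILE: print "add|skip|reject NAME" per entry; changes nothing.
# Entries are whitespace-separated, as in the original for-loop.
plan_users() {
    tr -s '[:space:]' '\n' < "$1" | while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        if ! valid_username "$name"; then
            printf 'reject %s\n' "$name"
        elif id -u "$name" >/dev/null 2>&1; then
            printf 'skip %s\n' "$name"
        else
            printf 'add %s\n' "$name"
        fi
    done
}

# mkuser_main [FILE]: prints the exercise's messages, creates only "add" entries.
# When installed as /root/mkuser, finish the file with: mkuser_main "$@"
mkuser_main() {
    [ $# -ge 1 ] || { echo 'Usage:/root/mkuser'; return 1; }
    [ -f "$1" ] || { echo 'Input file not found'; return 1; }
    plan_users "$1" | while read -r action name; do
        if [ "$action" = add ]; then
            useradd -s /bin/false "$name"
        else
            printf '%s %s\n' "$action" "$name" >&2
        fi
    done
}

# sample_list FILE: constructed input mixing valid and malformed entries.
sample_list() {
    printf 'zhangsan lisi\r\nRoot\n-x\nwang;wu\n' > "$1"
}
```

Running plan_users on the downloaded file before mkuser_main shows which entries would be created, skipped as existing, or rejected.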
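21. Create a MariaDB database on your machine;
1. The database is named contacts
The database should contain the contents of a database dump. The URL of the dump file is
http://ldap.example.com/pub/user.mdb
The database can be accessed only from localhost
Apart from root, only the user raikon may query this database; this user's password is redhat
The root password is redhat, and logins with an empty password are not allowed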
[root@server0 ~]# yum install mariadb* -y
[root@server0 ~]# systemctl enable mariadb.service
ln -s '/usr/lib/systemd/system/mariadb.service' '/etc/systemd/system/multi-user.target.wants/mariadb.service'
[root@server0 ~]# systemctl start mariadb.service
[root@server0 ~]# mysql_secure_installation
/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] n
 ... skipping.

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
[root@server0 ~]#
[root@server0 ~]# wget http://classroom.example.com/users.mdb
[root@server0 ~]# mysql -uroot -predhat
...
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]>
MariaDB [(none)]> create database Contacts;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Contacts           |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]> use Contacts
Database changed
MariaDB [Contacts]> source users.mdb
...
MariaDB [Contacts]> show tables;
+--------------------+
| Tables_in_Contacts |
+--------------------+
| u_loc              |
| u_name             |
| u_passwd           |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [Contacts]>
MariaDB [Contacts]> grant select on Contacts.* to 'raikon'@'localhost' identified by 'redhat';
Query OK, 0 rows affected (0.00 sec)

MariaDB [Contacts]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [Contacts]>
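The session above answers n to "Disallow root login remotely?", so checking the task's rules (local access only, no empty passwords, read-only access for raikon) means looking at mysql.user and the grants. The following is an added example, not part of the original document; function names, file names and sample rows are constructed, and the Password column assumes MariaDB 5.5 as shipped with RHEL 7.

```shell
#!/bin/sh
# Added example, not from the original page. Audits the access rules of
# this task from saved client output. Assumes MariaDB 5.5 as shipped with
# RHEL 7, where mysql.user has a Password column.
#   mysql -uroot -p -N -B -e 'SELECT User,Host,Password FROM mysql.user' > accounts.tsv
#   mysql -uroot -p -N -B -e "SHOW GRANTS FOR 'raikon'@'localhost'"      > grants.txt

# audit_accounts FILE: flag anonymous, passwordless or non-local accounts.
audit_accounts() {
    awk -F '\t' '
        $1 == "" { print "anonymous account @" $2; bad = 1 }
        $3 == "" { print "empty password: " $1 "@" $2; bad = 1 }
        $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "non-local host: " $1 "@" $2; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# grants_select_only DB FILE: succeed only if every grant is USAGE or SELECT on DB.
grants_select_only() {
    while IFS= read -r line; do
        case $line in
            "GRANT USAGE ON *.* TO "*) ;;
            "GRANT SELECT ON \`$1\`.* TO "*) ;;
            *) printf 'unexpected grant: %s\n' "$line"; return 1 ;;
        esac
    done < "$2"
}

# make_sample DIR: constructed output; the password hashes are placeholders.
make_sample() {
    printf 'root\tlocalhost\t*HASH\nroot\tserver0.example.com\t*HASH\n' > "$1/accounts.tsv"
    printf 'raikon\tlocalhost\t*HASH\n\tlocalhost\t\n' >> "$1/accounts.tsv"
    cat > "$1/grants.txt" <<'EOF'
GRANT USAGE ON *.* TO 'raikon'@'localhost' IDENTIFIED BY PASSWORD '*HASH'
GRANT SELECT ON `Contacts`.* TO 'raikon'@'localhost'
EOF
}
```

Account host values are only one layer: whether the server listens on the network at all is a separate setting that this check does not inspect.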
2. The name of the person whose password is 123456
How many people are named barbara and live in sunnyvale
MariaDB [Contacts]> select * from u_passwd,u_name where u_passwd.password = 'fedora' and u_name.userid = u_passwd.uid;
+-----+----------+--------+-----------+----------+
| uid | password | userid | firstname | lastname |
+-----+----------+--------+-----------+----------+
|   2 | fedora   |      2 | si        | li       |
+-----+----------+--------+-----------+----------+
1 row in set (0.00 sec)

MariaDB [Contacts]>
MariaDB [Contacts]> select * from u_name,u_loc where u_name.firstname = 'John' and u_name.userid = u_loc.uid and u_loc.location = 'Santa Clara';
+--------+-----------+-------------+-----+-------------+
| userid | firstname | lastname    | uid | location    |
+--------+-----------+-------------+-----+-------------+
|      8 | John      | Clinton     |   8 | Santa Clara |
|     15 | John      | Clinton     |  15 | Santa Clara |
|     21 | John      | Jackson     |  21 | Santa Clara |
|     24 | John      | Walker Bush |  24 | Santa Clara |
+--------+-----------+-------------+-----+-------------+
4 rows in set (0.00 sec)

MariaDB [Contacts]>
MariaDB [Contacts]> select count(*) from u_name,u_loc where u_name.firstname = 'John' and u_name.userid = u_loc.uid and u_loc.location = 'Santa Clara';
+----------+
| count(*) |
+----------+
|        4 |
+----------+
1 row in set (0.00 sec)