├── DO280 ├── 01. Configure Authentication.md ├── 02. Cluster and roles.md ├── 03. Project, Groups and Roles.md ├── 04. Protect External Traffic with TLS.md ├── 05. taint and toleration.md ├── 06. ServiceAccount.md ├── 07 Secret.md ├── 08 Quota.md ├── 09 LimitRange.md ├── 10. scale-deployment.md ├── 11. AutoScale.md ├── 12. Helm.md ├── 13. cronjob.md ├── 14. NetworkPolicy.md ├── 15. Volume.md ├── 16 Template.md ├── 17. Liveness-probes.md ├── 18. Collect Cluster information.md ├── 19. Operator.md ├── 20. How to remove.md ├── Openssl-script.sh └── Questions.md ├── DO316 ├── .00 Read_Me.md ├── 00. All_IN-ONE.md ├── 00. Task 1.md ├── 00. Task 2.md ├── 00. Task 3.md ├── 00. Task 4.md ├── 00. Task 5.md ├── 00. Task 6.md ├── 00. Task 8.md ├── 00. Task 9.md ├── 01 Virtualization-operator.md ├── 02. maintenance Mode.md ├── 03. User Access.md ├── 04 Create VM01.md ├── 05 NetworkPolicy+HTTP.md ├── 06 Multihomed.md ├── 07 Mange_Storage.md ├── 08 MariaDB_From_Template.md ├── 09. LoadBalancer.md ├── 10. VolumeSnapshort.md ├── 11. MigrationVM.md ├── 12. RootDisk_clone.md ├── 13 Probes.md ├── 14. NodeFailure.md ├── 15. vSphere VirtualMachine.md ├── 16. OADP.pptx ├── 16. oadp.md ├── 20. Question.md ├── anish.html ├── datavolume.yaml ├── ha-node-template.yaml ├── httpd-2.4.63-4.fc43.aarch64.rpm ├── netpol.yaml ├── replicated-template.yaml └── web1.template.yaml ├── EX380 ├── 01-01 Ldap.md ├── 01-02 LDAP.md ├── 01-03 LDAP.md ├── 02- OADP.pptx ├── 02-00. 
OADP.md ├── 02-02 oadp.md ├── 02-03 oadp.md ├── 03-02 Token.md ├── 03-03 Token.md ├── 04-03 Loggin.md ├── 05-02 Gitops.md ├── 05-03-Gitops.md ├── 06-02 Taint.md ├── 06-03 taint.md ├── Console-operator-05-02.yaml ├── DataProtectionApplication.yaml ├── ObjectBucketClaim.yaml ├── backup-db-manual-02-02.yml ├── backup-db-manual.yaml ├── backup-my-app-02-03.yaml ├── ca.crt ├── deployment-02:03-backup.yaml ├── dummy-csr-0303-token.yaml ├── mariadb-application.yaml ├── restore.yaml └── rhds_ca.crt-01-03.crt ├── RHCE ├── V-9.0 │ ├── 00 -00 Read_me.md │ ├── 01-01 Install and Configure Ansible & VIM.md │ ├── 02 Create a Yum repo.md │ ├── 03 Install packages.md │ ├── 03-02 Directory.md │ ├── 04-01 Role_create_rhel-system-roles.md │ ├── 04-02 role_create_rhel-system-roles.md │ ├── 05-01 Install a Collection.md │ ├── 06-01 Role-from-galaxy.md │ ├── 07 Role_manual.md │ ├── 08-01 host.md │ ├── 09-01 Copy.md │ ├── 10-01 lvm.md │ ├── 10-02 lvmcreate.md │ ├── 10-03 files-dir.md │ ├── 11-01 file_creation_modification.md │ ├── 12-01 Vault.md │ ├── 12-02 vault.md │ ├── 13-01 cronjob.md │ ├── 14-01 user_creation.md │ ├── Ansible-document.md │ ├── Screenshot 2025-10-13 at 4.53.25 PM.png │ ├── gather_information-11.yaml │ ├── host.yaml │ ├── lab_for_10-02.yaml │ ├── mydomain-hostfile1.j2 │ ├── mydomain-hostfile2.j2 │ ├── redhat-insights-1.3.0.tar.gz │ ├── redhat-rhel_system_roles-1.108.6.tar.gz │ ├── user_list-14-01.yaml │ ├── usercreation_cronjob.yaml │ └── vault_password_file_14.yaml └── v 8.0 │ └── readme.md └── RHCSA-V.9.3 ├── README.md ├── image_08-01.yaml ├── rhcsa 9.0 ├── 09 Umask.md ├── 10-01 Sudoers.md ├── 18 Banner.md └── read.me ├── servera ├── 01-01 Users and Groups.md ├── 02 Yum_Repo.md ├── 02-03 selinux.md ├── 03-03 Cronjob.md ├── 04 Find_command.md ├── 05 Grep_command.md ├── 06 AutoFS.md ├── 07 NTP service.md ├── 08 Container.md ├── 16 Stickeybit.md ├── 17 Tar.md └── readme.md └── serverb ├── 01 Password_change.md ├── 02 dnf.md ├── 13 Swap.md ├── 14 tuned.md └── 15 LVM.md 
/DO280/01. Configure Authentication.md:
--------------------------------------------------------------------------------
### Q1. Manage Identity Providers:
- Configure OAuth to use HTPasswd as the identity provider.
- Identity provider name is `ex280-provider`.
- Create 4 users, `harry`, `leader`, `raja`, `qa-engineer`, and all should have `review` as the password.
- Configure the users and apply the password for them, or ensure that the four user accounts exist.
- Secret name is `super-secret`.
---
### Solution:
```
oc whoami
```
```
htpasswd -c -B -b /home/student/htpasswd harry review
```
- -c => Create a new file.
- -B => Hash the password with bcrypt.
- -b => Take the password from the command line instead of prompting for it.
```
cat /home/student/htpasswd
```
- Keep `-B` on the remaining users as well, otherwise their entries fall back to htpasswd's default MD5-based hash.
```
htpasswd -B -b /home/student/htpasswd leader review
htpasswd -B -b /home/student/htpasswd raja review
htpasswd -B -b /home/student/htpasswd qa-engineer review
```
```
cat /home/student/htpasswd
```
```
oc create secret generic super-secret --from-file htpasswd=/home/student/htpasswd -n openshift-config
```
```
oc get secret super-secret -n openshift-config
```
```
oc get oauth cluster -o yaml > oauth.yaml
```
```
oc whoami --show-console
```
```
vi oauth.yaml
```
```
spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: super-secret
    mappingMethod: claim
    name: ex280-provider
    type: HTPasswd
```
```
oc replace -f oauth.yaml
```
```
watch oc get pods -n openshift-authentication
```


--------------------------------------------------------------------------------
/DO280/02. Cluster and roles.md:
--------------------------------------------------------------------------------
## If you are using the Red Hat lab, use the commands below to create the lab for this question.
```
lab start appsec-scc
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
```


# Question 2. Manage Cluster Project and Permissions:
- Create 3 projects, `front-end`, `back-end`, and `app-db`.
- `harry` user should have cluster administrator rights.
- `leader` user should be able to create projects but not perform administrator tasks.
- No other user should be able to create projects.
- `raja` user can only `view` the resources of the `front-end` and `back-end` projects.
- `qa-engineer` user should have `admin` access to the `front-end` project.
- `kubeadmin` is not present (make sure your cluster-admin user is working fine before deleting kubeadmin, otherwise the OCP cluster is not recoverable).
---
## Solution:
### Create the 3 projects as the `harry` user.
```
oc new-project front-end
```
```
oc new-project back-end
```
```
oc new-project app-db
```
### Cluster administrator for harry
```
oc adm policy add-cluster-role-to-user cluster-admin harry
```

### No other user should be able to create projects.
```
oc describe clusterrolebindings self-provisioners
```

### You may observe that the ClusterRoleBinding "self-provisioners" has a group added, such as "system:authenticated:oauth"
```
[student@workstation compreview-review]$ oc get clusterrolebindings self-provisioners -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-01-23T12:13:32Z"
  name: self-provisioners
  resourceVersion: "9902"
  uid: c7d8554f-3cd8-40d2-be67-6455c21b03ca
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole          ### >>> This is the ClusterRole
  name: self-provisioner     ### This is the ClusterRole name.
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group                        ### Kind = Group, which means that this ClusterRoleBinding is for a group.
  name: system:authenticated:oauth   ### Name of the group is "system:authenticated:oauth"
```


### Let's remove this group from this ClusterRoleBinding.
```
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
```
The `rbac.authorization.kubernetes.io/autoupdate: "true"` annotation shown above means the default subjects can be restored when the API server restarts; set it to "false" if the removal has to be permanent.

### `leader` user should be able to create projects but not perform administrator tasks
```
oc adm policy add-cluster-role-to-user self-provisioner leader
```
### `raja` user can only `view` the resources of the `front-end` and `back-end` projects.
Use `add-role-to-user` so that each binding is scoped to one project; `add-cluster-role-to-user` would grant `view` on every project in the cluster.
```
oc adm policy add-role-to-user view raja -n front-end
oc adm policy add-role-to-user view raja -n back-end
```
### `qa-engineer` user should have `admin` access to the `front-end` project.
```
oc policy add-role-to-user admin qa-engineer -n front-end
```


##### So far nobody has logged in to the cluster with these accounts, so the users are not yet created at the cluster level.
```
oc get users
```

```
oc login -u harry -p review
```

```
oc login -u leader -p review
```

```
oc login -u raja -p review
```

```
oc login -u qa-engineer -p review
```

```
oc new-project test
```
### `kubeadmin` user should not exist (remove the kubeadmin user) (make sure your cluster-admin user is working fine before deleting kubeadmin, otherwise the OCP cluster is not recoverable)
### Now it is time to remove kubeadmin, but before that log in as the harry user.
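One way to script the "make sure your cluster-admin user is working" check before the deletion, as an added example that is not part of the original notes. It assumes you have already run `oc login` as the replacement admin (`harry` here); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original notes: gate the kubeadmin removal on proof
# that the session running it is a working, identity-provider-backed cluster-admin.
# Function names are hypothetical; the oc subcommands are standard ones.

# Prints the verified admin user name and returns 0. Otherwise prints the reason
# on stderr and returns 1.
kubeadmin_preflight() {
    local me idps ids

    me=$(oc whoami) || { echo "preflight: not logged in" >&2; return 1; }

    # A kubeadmin session reports itself as kube:admin. Passing the checks from
    # that session would prove nothing about the replacement admin.
    case "$me" in
        kube:admin|kubeadmin)
            echo "preflight: logged in as $me, log in as the new admin first" >&2
            return 1 ;;
    esac

    # At least one identity provider must be configured on the cluster OAuth
    # resource, otherwise nobody can log in once the secret is gone.
    idps=$(oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}') || return 1
    if [ -z "$idps" ]; then
        echo "preflight: no identity provider configured in oauth/cluster" >&2
        return 1
    fi

    # The user must be backed by a provider identity (for example
    # ex280-provider:harry), not by a client certificate such as system:admin.
    ids=$(oc get user "$me" -o jsonpath='{.identities[*]}' 2>/dev/null) || ids=""
    if [ -z "$ids" ]; then
        echo "preflight: $me has no identity from an identity provider" >&2
        return 1
    fi

    # cluster-admin means every verb on every resource in every namespace.
    if [ "$(oc auth can-i '*' '*' --all-namespaces 2>/dev/null)" != "yes" ]; then
        echo "preflight: $me does not hold cluster-admin rights" >&2
        return 1
    fi

    echo "$me"
}

# Deletes the kubeadmin secret only after the preflight has passed.
remove_kubeadmin() {
    local admin
    admin=$(kubeadmin_preflight) || return 1
    echo "verified cluster-admin: $admin" >&2
    oc -n kube-system delete secret/kubeadmin
}

# Run the removal only when asked to: sh remove-kubeadmin.sh --remove
if [ "${1:-}" = "--remove" ]; then
    remove_kubeadmin
fi
```

Sourcing the file and calling `kubeadmin_preflight` on its own performs the checks without deleting anything.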
## First, log in as our new admin user `harry`
```
oc login -u harry -p review
```

```
oc get users
```

```
oc -n kube-system get secret/kubeadmin
```

```
oc -n kube-system delete secret/kubeadmin
```


--------------------------------------------------------------------------------
/DO280/03. Project, Groups and Roles.md:
--------------------------------------------------------------------------------
## Q3. Create project and assign Role For user


- The `harry` user will create 3 groups, `leaders`, `developers` and `qa`.
- Add `leader` user in `leaders` group.
- Add `raja` user in `developers` group.
- Assign the `qa-engineer` user to the `qa` group.
- Give `edit` permission to `leaders` group members on the `back-end` and `app-db` projects.
- Give `view` permission to `qa` group members on the `front-end` project.
---
## Solution
### Log in as the `harry` user. Please bear in mind that the admin user is now `harry`.
```
oc login -u harry -p review
```

### The `harry` user will create 3 groups, `leaders`, `developers` and `qa`.
```
oc adm groups new leaders
```
```
oc adm groups new developers
```
```
oc adm groups new qa
```

## Post checks.
```
oc get groups
```
### Assign the `qa-engineer` user to the `qa` group.
### `oc adm groups add-users group_name username`
```
oc adm groups add-users qa qa-engineer
```

### Assign the `leader` user to the `leaders` group.

```
oc adm groups add-users leaders leader
```
### Assign the `raja` user to the `developers` group.

```
oc adm groups add-users developers raja
```

### `leaders` group members are able to `edit` the `back-end` and `app-db` projects
```
oc adm policy add-role-to-group edit leaders -n back-end
```
```
oc adm policy add-role-to-group edit leaders -n app-db
```
### `qa` group members are able to view the `front-end` project.
```
oc adm policy add-role-to-group view qa -n front-end
```
--------------------------------------------------------------------------------
/DO280/04. Protect External Traffic with TLS.md:
--------------------------------------------------------------------------------
## Prepare the lab.
```
oc new-project quart
oc new-app --name todo-http --image registry.ocp4.example.com:8443/redhattraining/todo-angular:v1.1
oc expose service todo-http --hostname server1.apps.ocp4.example.com
```
```
curl -o /tmp/Openssl-script.sh https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO280/Openssl-script.sh
mv /tmp/Openssl-script.sh /tmp/script.sh
chmod +x /tmp/script.sh
sudo mv /tmp/script.sh /usr/bin/
```


# Protect External Traffic with TLS
### Create a secure Route with the information below
- Create a secure route in the `quart` project.
- End user traffic must be decrypted at the router level.
- Expose the application at https://anishrana2001.apps.ocp4.example.com
- Generate a self-signed certificate using the given subject
  - "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/CN=anishrana2001.apps.ocp4.example.com"
- Note: The service is already created in the given project; you just have to expose the service with https.
- The application should produce the output.
- You can use the script to generate the certificate `sh script.sh`
---
### Solution:
### Go to the given project `quart`
```
oc project quart
```

```
oc get all
```

### Check the website.
```
curl server1.apps.ocp4.example.com
```
## Check route
```
oc get route
```
### Delete this route, so that we can create a new one.
```
oc delete routes.route.openshift.io todo-http
```
### You can use the script


![image](https://github.com/user-attachments/assets/092e8ce5-fd32-42c0-a9e6-c2a894910843)


## Or you can generate manually.
### 1. Generate a Private Key:
```
openssl genrsa -out server.key 4096
```
- openssl genrsa: This command generates an RSA private key.
- -out server.key: Specifies the output file name for the key.
- 4096: Sets the key size to 4096 bits (a common and secure size)

### 2. Generate the CSR file:

```
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/CN=anishrana2001.apps.ocp4.example.com"
```


- openssl req -new: Creates a new certificate signing request (CSR).
- -key server.key: Specifies the private key file to use.
- -out server.csr: Specifies the output file name for the CSR.
- Subject is given in the question. ==> "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/CN=anishrana2001.apps.ocp4.example.com"
  - C: Country Name ==> US
  - ST: State or Province Name ==> North Carolina
  - L: Locality Name (City) ==> Raleigh
  - O: Organization Name ==> Red Hat
  - CN: Common Name (FQDN of your server) ==> anishrana2001.apps.ocp4.example.com

### 3. Generate the Certificate.
```
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```
- openssl x509: This command generates the certificate.
- -req: Indicates that the input file is a CSR.
- -days 365: Specifies the validity period of the certificate in days (365 in this example).
- -in server.csr: Your CSR file.
- -signkey server.key: The private key used to self-sign the certificate.
- -out server.crt: Your certificate file.


### By now the existing route has been deleted and the certificate and key have been created, either with the script or manually.

```
oc get all
```
### We need to create the edge route.
```
oc create route edge --service todo-http --key server.key --cert server.crt --hostname anishrana2001.apps.ocp4.example.com

```

### Post check
```
oc get route
```
### Open the browser
```
https://anishrana2001.apps.ocp4.example.com
```

### How to delete the lab.
```
oc delete route todo-http
oc delete service todo-http
oc delete deployment todo-http
rm -rf server.key server.csr server.crt
oc delete project quart
sudo rm -rf /usr/bin/script.sh
```


--------------------------------------------------------------------------------
/DO280/06. ServiceAccount.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.
```
lab start appsec-scc
oc new-project alpha
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
oc new-app --name gitlab --image registry.ocp4.example.com:8443/redhattraining/gitlab-ce:8.4.3-ce.0
```
# Question 1:
## Create a Service Account called `ex280-sa` in the `alpha` project. This project is already created for you.
- There is an application already running.
- The ServiceAccount should be associated with the anyuid SCC.
---

## Solution:
```
oc project alpha
```


### Create a Service Account called ex280-sa in the alpha project.

```
oc create serviceaccount --help | less
```
```
oc create serviceaccount ex280-sa -n alpha
```
### `oc adm policy add-scc-to-user SCC_NAME system:serviceaccount:NAMESPACE:SA_NAME`
### If you are currently in the project to which the service account belongs, you can use the -z flag and just specify the SA_NAME.
### Security Context Constraints (SCCs)
```
oc adm policy --help | less
```
```
oc adm policy add-scc-to-user anyuid -z ex280-sa
```



---


# Question 2:
## Deploy application in the project `alpha`:
- There is one pod already running.
- Modify the application so that it runs with any user, as provided by the application.
- The application should produce output.
---

### Solution
### Go to the project first.
```
oc project alpha
```

### Check the application.
```
oc get all
```

### Check the Pod status.
```
oc logs POD_NAME
oc get events
```
### Due to the permission issue, our application is not running. It means you need to set the service account so that the container can run with any user.
```
oc set serviceaccount --help | less
```

### Please bear in mind that you need to check whether a deployment or a dc is running.
```
oc set serviceaccount deployment/deployment_name ex280-sa
```
```
oc get pods
```
### How to do the post check?
```
oc get deployment gitlab -o yaml | grep -i service
```
### You must observe output like the one below:
```
[student@workstation ~]$ oc get deployment gitlab -o yaml | grep -i service
      serviceAccount: ex280-sa
      serviceAccountName: ex280-sa
[student@workstation ~]$
```
### Expose the service
```
oc expose service/gitlab
```
### Post check
```
oc get route
```
```
curl gitlab-alpha.apps.ocp4.example.com
```


--------------------------------------------------------------------------------
/DO280/07 Secret.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.
```
oc new-project cloud
oc create deployment mysql-app --image registry.ocp4.example.com:8443/redhattraining/mysql-app:v1
oc create secret generic ex280-root --from-literal=MYSQL_USER=redhat --from-literal=MYSQL_DATABASE=world_x
oc set env --from=secret/ex280-root deployment mysql-app
```


# Question: Create a secret named `ex280-secret` in the `cloud` project. The key name should be `MYSQL_PASSWORD` and the value of the key should be `redhat123`
### Solution
### Go to the project first.
```
oc project cloud
```
### Create a generic secret with name `ex280-secret` with option `--from-literal=MYSQL_PASSWORD=redhat123`
```
oc create secret generic ex280-secret --from-literal=MYSQL_PASSWORD=redhat123
```
### Once the secret is created, you can verify it.
```
oc describe secret ex280-secret
```
---

# Question: Use the secret `ex280-secret` in project `cloud`
- There is one pod that already exists.
- It should use the ex280-secret secret previously created.
- The application should produce output.
---
### Solution:
### Go to the project first.
```
oc project cloud
```
```
oc get all
```
### The application is not running because of a missing environment variable.
### Verify whether the pod in question belongs to a Deployment, a StatefulSet or a DeploymentConfig (dc). If it belongs to a DeploymentConfig, run:

```
oc set env dc/mysql --from=secret/ex280-secret
```

### If it is a deployment, run the command below.
```
oc set env --from=secret/ex280-secret deployment mysql-app
```

### Check the logs or events.
```
oc logs POD_NAME
oc get events
```

### If the application is still not working after you set the environment variable, check the logs and events for further reasons. A taint may be applied on the worker node; if so, remove the taint from the worker node only.
### If this is an issue with a taint, go to this page
https://github.com/anishrana2001/Openshift/blob/main/DO280/05.%20taint%20and%20toleration.md
--------------------------------------------------------------------------------
/DO280/08 Quota.md:
--------------------------------------------------------------------------------
## Note:
#### Each container running on a node **consumes compute resources**, which are measurable quantities that can be requested, allocated, and consumed.

#### When creating a pod configuration file, you can `optionally` specify how much CPU, memory (RAM), and local ephemeral storage each container needs in order to better schedule pods in the cluster and ensure satisfactory performance.

#### CPU is measured in units called millicores. Each node in a cluster inspects the operating system to determine the number of CPU cores on the node, then multiplies that value by 1000 to express its total capacity. For example, if a node has 2 cores, the node’s CPU capacity would be represented as 2000m. If you wanted to use 1/10 of a single core, it would be represented as 100m.

#### Memory and ephemeral storage are measured in bytes. In addition, they may be used with SI suffixes (E, P, T, G, M, K) or their power-of-two equivalents (Ei, Pi, Ti, Gi, Mi, Ki).


# Question: Create a ResourceQuota with the information below for project `beta`
- Quota Name is `ex280-quota`
- Maximum Pods `7` and Service ip `6` and Replication Controller `5`
- Memory `1G` and cpu core is `1`
---
## Solution:

### Create a project first.
```
oc new-project beta
```
### Check the quota.
```
oc get quota
```
## Not sure of the command?
```
oc create quota --help | head
```
### Now, create the quota.
```
oc create quota ex280-quota --hard=memory=1Gi,cpu=1,pods=7,services=6,replicationcontrollers=5
```

### Post Check for quota.
```
oc get quota
```


### Question 2: Create a quota with the details below.

- cpu=1
- memory=1G
- pods=2
- services=3
- replicationcontrollers=2
- resourcequotas=1
- secrets=5
- persistentvolumeclaims=10
---

### Solution :
```
oc create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10
```
--------------------------------------------------------------------------------
/DO280/09 LimitRange.md:
--------------------------------------------------------------------------------
# Question: Create LimitRange for project `orange`:
- Set the `pod memory limit` between `5Mi and 300Mi`
- Set the `container memory limit` between `5Mi and 300Mi` and container `default request limit` for memory is `100Mi`
- Set the `pod cpu limit` between `5m and 300m`
- Set the `container cpu limit` between `5m and 300m` and container `default request limit` for cpu is `100m`
---
### Solution.
### In this question, we need to set the limit range at pod and container level.
### Set the `pod memory limit` between `5Mi and 300Mi`.
- It means that the Pod memory limit is:
  - Minimum: 5Mi
  - Maximum: 300Mi
### Set the `container memory limit` between `5Mi and 300Mi` and container `default memory request` is `100Mi`
- Set the `container memory limit` between `5Mi and 300Mi`. It means the container memory limit is:
  - Minimum: 5Mi
  - Maximum: 300Mi
- container `Default Memory Request` is `100Mi`
  - default: 100Mi

### Create a file.
```
vi limitrange.yaml
```

```
apiVersion: "v1"
kind: "LimitRange"
metadata:
  name: "ex280-limitrange"
spec:
  limits:
    - type: "Pod"
      max:
        cpu: "300m"
        memory: "300Mi"
      min:
        cpu: "5m"
        memory: "5Mi"
    - type: "Container"
      max:
        cpu: "300m"
        memory: "300Mi"
      min:
        cpu: "5m"
        memory: "5Mi"
      default:
        cpu: "100m"
        memory: "100Mi"
```

### Create the LimitRange.
```
oc apply -f limitrange.yaml
```
### Post Checks.
```
oc get limitrange
```
--------------------------------------------------------------------------------
/DO280/10. scale-deployment.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.
```
oc login -u harry -p review
oc new-project tiger
oc new-app --name hello --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
```
# Scale Application Manually:
## Question: Scale the single-pod replicas to `5` under the project `tiger` and all pods should run.
---
### Solution:
### Go to the project first.
```
oc project tiger
```
### Let's check all the resources in this project `tiger`. You must see one deployment.
```
oc get all
```

```
oc scale deployment/deployment_name --replicas=5
```
--------------------------------------------------------------------------------
/DO280/11. AutoScale.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.
```
oc login -u harry -p review
oc new-project scalling
oc new-app --name hello --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
```
# Configure `Resource Request` & `limits` into deployment and Apply `AutoScale Rule` in the project `scalling`.
- Minimum replicas = 2, Maximum replicas = 5 and cpu percentage = 50%
- Default request for containers: memory should be 100Mi and CPU 50m
---
### Solution:

## First go to the project.
```
oc project scalling
```
### Check the resources
```
oc get all
```
### Task 1. Minimum replicas = 2, Maximum replicas = 5 and cpu percentage = 50%
```
oc autoscale deployment hello --min=2 --max=5 --cpu-percent=50
```
### Post check
```
oc get hpa
```

### Task 2: Default request for containers: memory should be 100Mi and CPU 50m
### We can `edit` the deployment directly with `oc edit deployment/hello`, or we can use `oc set resources`, which is easier.
### The syntax is `oc set resources deployment/hello --requests cpu=200m,memory=256Mi --limits cpu=500m,memory=512Mi`

```
oc set resources deployment/hello --requests=cpu=50m,memory=100Mi
```

### Or, if you want to edit, make the entry like this. ### Need to check.

```
spec:
  template:
    spec:
      containers:
      - resources:
          # Add the lines below
          limits:
            cpu: "400m"
          requests:
            cpu: "200m"
```


--------------------------------------------------------------------------------
/DO280/12. Helm.md:
--------------------------------------------------------------------------------
# Install a Helm chart `etherpad` from repository `http://helm.ocp4.example.com/charts` in the `mass` project

## Solution:
### First, create a project `mass`
```
oc new-project mass
```
### Use the helm repo list command to list the repositories that are configured for the student user.
```
helm repo list
```

### First, add the repository under a name of your choice, here "do280-repo"
```
helm repo add do280-repo http://helm.ocp4.example.com/charts
```

## Let's check the chart versions in this repo.
```
helm search repo --versions
```

### See the output below, just as a reference.
```
[student@workstation ~]$ helm search repo --versions
NAME                  CHART VERSION   APP VERSION   ...
do280-repo/etherpad   0.0.7           latest        ...
do280-repo/etherpad   0.0.6           latest        ...
...output omitted...
```

### The `etherpad` chart has the 0.0.7 and 0.0.6 versions. This chart is a copy of a chart from the https://github.com/redhat-cop/helm-charts repository.
## Now, we can install the application "etherpad" with a version. Please note that if the exam does not ask for a specific version, you can use the latest one.
```
helm install etherpad do280-repo/etherpad --version 0.0.7
```


### For more details, follow the lab : https://rol.redhat.com/rol/app/courses/do280-4.14/pages/ch02s04
--------------------------------------------------------------------------------
/DO280/13. cronjob.md:
--------------------------------------------------------------------------------
### Practice Purpose only.....
### Create a cronjob `test-cron1` in the `tiger` project
- `15:07` time
- It should execute every January
- Use image `registry.io/nginx`
- Use service account and service account name is `ex280-sa1`
- Successful job history limit `10`
- Project name should be `tiger`
- Create a cronjob using the web console or take the YAML from the documentation
---

## Question with Solution.
# Create a cronjob `test-cron` in the `tiger` project
- `04:05` time
- Every 2 day and every month
- Use image `registry.io/nginx`
- Use service account and service account name is `ex280-sa`
- Successful job history limit `14`
- Project name should be `tiger`
- Create a cronjob using the web console or take the YAML from the documentation
---

### Let's use the help command.
```
oc create cronjob -h
```
### Run `cat /etc/crontab`; from this file we get to know the syntax of "05 04 */2 * *"


### Use `--dry-run=server` instead of `--dry-run=client`. You will get the syntax of "Successful job history limit"

```
oc create cronjob test-cron --image=registry.io/nginx --schedule="05 04 */2 * *" --dry-run=server -o yaml > /tmp/cronjob.yaml
```
### Explanation of the Command:

- **oc create cronjob**: Command to create a CronJob.
- **test-cron**: Name of the CronJob.
- **--image=registry.io/nginx**: Specifies the container image to use.
- **--schedule="05 04 \*/2 \* \*"**: Sets the schedule for the CronJob (04:05 every 2 days).
- **--dry-run=server -o yaml**: Sends the request to the API server without persisting it and prints the resulting YAML, which is redirected to `/tmp/cronjob.yaml`.
- **-n tiger**: Not used above; add it if `tiger` is not your current project. It specifies the namespace (project) where the CronJob will be created.
- The service account (`ex280-sa`) and the successful job history limit (`14`) are not options of `oc create cronjob`; they are set in the steps below.


### Let's open the file and update the value "Successful job history limit = 14"
```
vi /tmp/cronjob.yaml
```

![image](https://github.com/user-attachments/assets/3710c958-69a6-4e7d-bdb8-3dfb3130f8e3)
### It's time to create the cronjob from our YAML file.
```
oc apply -f /tmp/cronjob.yaml
```

### **Use service account and service account name is `ex280-sa`.**
```
oc create sa ex280-sa
```
### Give the privileges to service account "ex280-sa".
```
oc adm policy add-scc-to-user anyuid -z ex280-sa
```
### Pre-check before adding the Service Account in the cronjob.
```
oc get cronjobs.batch test-cron -o yaml | grep service
```
### Add the serviceAccount "ex280-sa"
```
oc set sa cronjob/test-cron ex280-sa
```

### Post check
```
oc get cronjobs.batch test-cron -o yaml | grep service
----------------------------------
serviceAccount: ex280-sa
serviceAccountName: ex280-sa
-----------------------------
```


--------------------------------------------------------------------------------
/DO280/14. NetworkPolicy.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.
```
oc new-project network-policy
oc new-app --name hello --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
cat <
```
Administrator --> Networking --> NetworkPolicies -->

### Post checks
```
oc project network-policy
```
```
oc get pods -o wide
oc get all
```

## Change the project.
```
oc project different-namespace
```

```
oc rsh sample_pod_name curl hello_POD_IP:8080
```
### If it works, congratulations.

### How to clear the lab?

```
oc delete project network-policy
oc delete project different-namespace
```

--------------------------------------------------------------------------------
/DO280/15. Volume.md:
--------------------------------------------------------------------------------
# Create PV, PVC and then deployment.
- **Create a pv**
  - Name is `tiger-pv`
  - Size: `1Gi`
  - Policy: `retain`
  - Mode: `ReadOnlyMany`
- **Create a pvc**
  - Name is `tiger-pvc`
  - Size same as pv
  - Project name is `page`
  - Mode same as pv
- **Create a Deployment with**
  - Name of deployment is `tiger`
  - consume the pvc `tiger-pvc`
  - Mount pvc to `/usr/share/nginx/html`
  - Image is `registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0`
  - Application uses this link to show output http://test-anishrana2001.apps.ocp4.example.com
  - After attaching storage it shows desired output
---

## Open the web console
```
oc whoami --show-console
```
--------------------------------------------------------------------------------
/DO280/16 Template.md:
--------------------------------------------------------------------------------
# Install / Manage Operators
### Question: Create a project template with limitrange with container
- minimum memory is 5Mi, max is 1Gi. `defaultrequest` 254 Mi `defaultlimit` is 512 Mi .
- make sure this template is available as the default `new-project` request template for users.
---
```
oc adm --help
```
```
oc adm create-bootstrap-project-template -o yaml > /tmp/bootstrap.yaml
```
### Open the web console
```
oc whoami --show-console
```

### Go to "Administrator -> LimitRange", then copy the yaml file and paste it into a file.
```
vi /tmp/limitrange.yaml
```

### Modify the values as per the question.
### - minimum memory is 5Mi, max is 1Gi. `defaultrequest` 254 Mi `defaultlimit` is 512 Mi .
![image](https://github.com/user-attachments/assets/da703c9e-20c1-4805-993b-ae4c12888d3f)

### Copy the values from the above file "/tmp/limitrange.yaml" and paste them into the file "/tmp/bootstrap.yaml".
```
vi /tmp/bootstrap.yaml
```
![image](https://github.com/user-attachments/assets/36f05d2d-afd8-4893-a747-5be2f68de60f)

### Create the bootstrap template.
```
oc apply -f /tmp/bootstrap.yaml -n openshift-config
```

### We can check the template.
```
oc get template -n openshift-config
```
### You should see output like this.
```
NAME              DESCRIPTION   PARAMETERS    OBJECTS
project-request                 5 (5 blank)   3
```
### - make sure this template is available as the default `new-project` request template for users.

```
oc get project.config
```
### You should see output like this.
![image](https://github.com/user-attachments/assets/52509e7c-8897-4b7a-aa17-3415be4b46b0)

```
oc edit project.config cluster
```

```
apiVersion: config.openshift.io/v1
kind: Project
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2024-01-23T12:00:53Z"
  generation: 1
  name: cluster
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: c1595d31-17e8-4a05-9002-d7399f1ed9c3
  resourceVersion: "1633"
  uid: 1c658959-11a4-4ec5-8532-e6e5dc9a8de7
spec:
  projectRequestTemplate:   ## Added line
    name: project-request   ## Added line

```

### Check the pods in the namespace "openshift-apiserver".
```
oc get pods -n openshift-apiserver -w
```
### Once the new pods are running, create a new project; our limitrange should be there.
```
oc new-project anish
```
#### Check the limitrange
```
oc get limitranges
```

#### You can also create a new application.
```
oc new-app --name hello --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
```
--------------------------------------------------------------------------------
/DO280/17. Liveness-probes.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.
```
oc new-project tuesday
oc new-app --name liveness-deployment --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
```


# Start a Probe
- Create a `Liveness` Health Probe in project `tuesday` which has 1 pod running
- With port `8443`
- Initial delay of `3 sec`
- Time out for the probe is `10 sec`
- Probe must survive at least `3` crashes
---
### Solution

### Go to the project `tuesday`
```
oc project tuesday
```
### Open the web console.
```
oc whoami --show-console
```
### Select the project, follow the steps in the screenshots below.

- Step 1. Identify the correct deployment in the given project.
![image](https://github.com/user-attachments/assets/9243004d-e41b-4be3-93ad-a8523fc9d6e2)


- Step 2. Select the "Add Health Checks".

![image](https://github.com/user-attachments/assets/d64b97f6-cb3c-4732-b9ce-f50a02bd0c8a)

- Step 3. Click on "Add Liveness probe".

![image](https://github.com/user-attachments/assets/dd5c286f-166a-439e-a7d0-324eeb72b59e)

- Step 4. Update the values as per the question.

![image](https://github.com/user-attachments/assets/a924ec6f-2e96-4aa7-9cd0-8270cfc4eac6)


--------------------------------------------------------------------------------
/DO280/18. Collect Cluster information.md:
--------------------------------------------------------------------------------

# Collect Cluster information and create a tar file with name student101.tar.gz and send it to redhat support.
- Use command tar cvaf
- One script has been provided to upload tar in redhat support
- /usr/bin/script student101-.tar.gz
- This script can be performed multiple times and it will overwrite the tar file every time
---
### Solution
### Execute the below command to gather all the system details.
```
oc adm must-gather
```

```
ls -ltr
```


## How to get the cluster ID?
![image](https://github.com/user-attachments/assets/d7428ca7-7c1e-4d32-a994-294abb857c9c)

### - Use command tar cvaf
### Create a tar file with name student101.tar.gz
```
tar cvaf student101-bld661ca-7fb3-42e2-a62a-968b80672189.tar.gz must-gather.local.6430794611058249749/
```
```
ls -ltr
```
![image](https://github.com/user-attachments/assets/9549a333-cfe9-459b-9031-08b319338a19)

### /usr/bin/script student101.tar.gz
### Now, send the report to Redhat.
```
/usr/bin/script student101-bld661ca-7fb3-42e2-a62a-968b80672189.tar.gz
```
--------------------------------------------------------------------------------
/DO280/19. Operator.md:
--------------------------------------------------------------------------------
# For practice purpose: Deploy Openshift Virtualization operator in the `openshift-cnv` Project. Install and Configure Operator with the name `kubevirt-hyperconverged` in same Project.
---
# Your task is to install the Operator `File Integrity Operator` in the namespace `openshift-file-integrity`, should enable the monitoring and update should be Automatic in the `mass` project.
---
### Solution

### Open the Console GUI

--------------------------------------------------------------------------------
/DO280/20. How to remove.md:
--------------------------------------------------------------------------------

## How to remove the serviceaccount from Security Context Constraint (SCC) group : Lab no. 06
### Syntax
```
oc adm policy remove-scc-from-group system:serviceaccount::
```

```
oc adm policy remove-scc-from-user anyuid system:serviceaccount:alpha:ex280-sa
```


```
for i in alpha anish-test1 app-db back-end beta chapter1 chapter2 chapter3 cloud different-namespace front-end network-policy orange page quart scalling tiger tuesday ; do oc delete project $i ;done
oc delete pv tiger-pv
oc delete groups.user.openshift.io qa
oc delete groups.user.openshift.io developers
oc delete groups.user.openshift.io leaders
oc delete user leader qa-engineer raja
rm -rf /tmp/htpasswd


cd /tmp
rm -rf server.key server.csr server.crt limitrange.yaml cronjob.yaml allow-specfic.yaml bootstrap.yaml cronjob.yaml


oc delete template/project-request -n openshift-config
oc patch project.config cluster --type=json -p='[{"op": "remove", "path": "/spec/projectRequestTemplate", "value": ""}]'

oc label nodes master01 disktype-
```
--------------------------------------------------------------------------------
/DO280/Openssl-script.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Prompt for the certificate subject fields.
printf "Country Name:"
read -r Country
printf "State or Province Name:"
read -r ST
printf "Locality:"
read -r locality
printf "Organization Name:"
read -r OName
printf "MyName:"
read -r Myname
printf "Common Name:"
read -r CName
# Generate a 4096-bit RSA private key.
openssl genrsa -out server.key 4096
# Create a certificate signing request with the subject entered above.
openssl req -new -key server.key -out server.csr -subj "/C=$Country/ST=$ST/L=$locality/O=$OName/CN=$CName"
# Self-sign the request; the certificate is valid for 365 days.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
--------------------------------------------------------------------------------
/DO316/.00 Read_Me.md:
--------------------------------------------------------------------------------
## EX316 V4.16

--------------------------------------------------------------------------------
/DO316/00. Task 1.md:
--------------------------------------------------------------------------------
## Task 1. : Create the users `raja`, `suraj`, `punit` and `rajan` using `htpasswd`; all users must have the password `anishrana2001`
---

### Solution
### If you are using Redhat Lab, then run this command.
```
lab start virtualization-architecture
```
## After that, run the below commands.
```
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
oc -n openshift-config get secrets htpasswd-secret -o json | jq -r '.data.htpasswd' | base64 --decode > /tmp/htpasswd-ex316.text
htpasswd -b /tmp/htpasswd-ex316.text suraj anishrana2001
htpasswd -b /tmp/htpasswd-ex316.text raja anishrana2001
htpasswd -b /tmp/htpasswd-ex316.text rajan anishrana2001
htpasswd -b /tmp/htpasswd-ex316.text punit anishrana2001
oc -n openshift-config delete secrets htpasswd-secret
oc -n openshift-config create secret generic htpasswd-secret --from-file htpasswd=/tmp/htpasswd-ex316.text
```
--------------------------------------------------------------------------------
/DO316/00. Task 2.md:
--------------------------------------------------------------------------------


## Task 2. : Create a system user `student` and then create a SSH key by using the `ssh-keygen` command. Save the file on path `/home/student/.ssh/lab_rsa.pub`.
- Add the label `datacenter: paris` on node worker01 and worker02

## Solution:
```
[student@workstation ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/student/.ssh/id_rsa
Your public key has been saved in /home/student/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:K698K5geckFKHOj7NnxN6n9fT1Cbrx24bI9JKHEr7XE student@workstation
The key's randomart image is:
+---[RSA 3072]----+
| .. |
|.. . |
|. o . . |
| o o . o|
| o . S. . . o |
| . . . .+ o o .|
| + oo= .o = E o.|
| Bo=.+..+ *.*o.|
| ..=.+=+..o.=oo.|
+----[SHA256]-----+
[student@workstation ~]$

[student@workstation ~]$ oc label nodes worker01 datacenter=paris
node/worker01 labeled
[student@workstation ~]$ oc label nodes worker02 datacenter=paris
node/worker02 labeled
[student@workstation ~]$ oc describe nodes worker01 | grep -iA 10 label | grep datacenter
datacenter=paris
[student@workstation ~]$
```
--------------------------------------------------------------------------------
/DO316/00. Task 3.md:
--------------------------------------------------------------------------------
## Task 3. : Deploy Openshift Virtualization operator in the `openshift-cnv` Project. Install and Configure Operator with the name `kubevirt-hyperconverged` in same Project.

## Solution.

```
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
```
### Open a web browser and go to the web console URL.
```
https://console-openshift-console.apps.ocp4.example.com
```
## Click `htpasswd_provider` and log in as the `admin` user with `redhatocp` as the password.

## Step 1. Open the Redhat Console GUI.
![image](https://github.com/user-attachments/assets/511e6bca-0160-4793-801e-689780157dea)


## Step 2. Search for `virtualization`

![image](https://github.com/user-attachments/assets/afc5ea35-de7f-4306-9588-8d14f33fd3c4)

## Step 3. Click on Install.

![image](https://github.com/user-attachments/assets/55b7c0d9-0f51-4acd-b34e-c08efb9b02e4)


## Step 4.
![image](https://github.com/user-attachments/assets/9688d243-70fa-4972-871a-6e8464438533)

## Step 5. Click on "Create HyperConverged"

![image](https://github.com/user-attachments/assets/8cd66122-06bd-4720-82dc-87208e3789dc)

## Step 6. Write the name ""
![image](https://github.com/user-attachments/assets/eb9ad5b3-9dc0-4b30-9f5b-d30a217deed9)

## Step 7.
![image](https://github.com/user-attachments/assets/2fa96e59-7b49-4de5-b032-ce8cfc7eeef5)

## Step 8.

![image](https://github.com/user-attachments/assets/e9a3ef93-cafc-447e-b7f8-0749df8c446e)

## Step 9.

![image](https://github.com/user-attachments/assets/ba47b05f-0d44-4808-b2d3-7fadb14ffa5d)

## Step 10.

![image](https://github.com/user-attachments/assets/76827bf5-9db1-4e4e-b938-d0968e7c711c)
--------------------------------------------------------------------------------
/DO316/00. Task 4.md:
--------------------------------------------------------------------------------
## Task 4. : Create projects named `banana`, `apple`, `kiwi` and `mango`.
---

### Solution:
```
oc new-project banana
oc new-project apple
oc new-project kiwi
oc new-project mango
```

### For your reference.
```
[student@workstation ~]$ oc new-project banana
Now using project "banana" on server "https://api.ocp4.example.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname


[student@workstation ~]$ oc new-project apple
Now using project "apple" on server "https://api.ocp4.example.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname



[student@workstation ~]$ oc new-project kiwi
Now using project "kiwi" on server "https://api.ocp4.example.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname



[student@workstation ~]$ oc new-project mango
Now using project "mango" on server "https://api.ocp4.example.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname

[student@workstation ~]$

```
--------------------------------------------------------------------------------
/DO316/00. Task 5.md:
--------------------------------------------------------------------------------
## Task 5. : Create a Group and assign the role to users.

- Create 3 groups, `leaders`, `developers` and `qa`.
- Add `suraj` user in `leaders` group.
- Add `raja` user in `developers` group.
- Add `punit` and `rajan` users in the `qa` group.

For project `banana`
- As a cluster administrator, assign the roles to users so that
  - Group `leaders` should have the admin rights on project `banana`
  - Group `qa` should have view permission on project `banana`
  - A `raja` user should be able to Create and Manage VirtualMachines.
  - A `suraj` user should view and access the "VirtualMachine and its performance metrics".
  - User `suraj` allowed to `start/stop/restart/pause` the VirtualMachines.
  - User `punit` should be able to view the VMs.

For project `apple`

- As a cluster administrator, assign the roles to users so that
  - Group `leaders` should have the admin rights on this project.
  - Group `qa` should have edit permission on this project.
  - A `suraj` user should be able to Create and Manage VirtualMachines.
  - A `raja` user should view and access the "VirtualMachine and its performance metrics".
  - User `punit` allowed to start/stop/restart/pause the VirtualMachines.
  - User `punit` should be able to view the VMs.

For project `kiwi`
- As a cluster administrator, assign the roles to users so that
  - A `punit` user should be able to Create and Manage VirtualMachines.
  - A `raja` user should view and access the "VirtualMachine and its performance metrics".
  - User `raja` allowed to `start/stop/restart/pause` the VirtualMachines.
  - User `raja` should be able to view the VMs.
---
### Solution:
```
[student@workstation ~]$ oc adm groups new leaders
group.user.openshift.io/leaders created
[student@workstation ~]$ oc adm groups new developers
group.user.openshift.io/developers created
[student@workstation ~]$ oc adm groups new qa
group.user.openshift.io/qa created
[student@workstation ~]$ oc adm groups add-users leaders suraj
group.user.openshift.io/leaders added: "suraj"
[student@workstation ~]$ oc adm groups add-users developers raja
group.user.openshift.io/developers added: "raja"
[student@workstation ~]$ oc adm groups add-users qa punit
group.user.openshift.io/qa added: "punit"
[student@workstation ~]$ oc get groups
NAME         USERS
developers   raja
leaders      suraj
qa           punit
[student@workstation ~]$

[student@workstation ~]$ oc create rolebinding qa-view123 --clusterrole=view --group=qa -n banana
[student@workstation ~]$ oc create rolebinding leader-admin --clusterrole=admin --group=leaders -n banana
[student@workstation ~]$ oc create rolebinding raja-admin --clusterrole=admin --user=raja -n banana
rolebinding.rbac.authorization.k8s.io/raja-admin created
[student@workstation ~]$ oc create rolebinding suraj-view --clusterrole=view --user=suraj -n banana
rolebinding.rbac.authorization.k8s.io/suraj-view created
[student@workstation ~]$ oc create rolebinding suraj-edit --clusterrole=edit --user=suraj -n banana
rolebinding.rbac.authorization.k8s.io/suraj-edit created
[student@workstation ~]$ oc create rolebinding punit-view --clusterrole=view --user=punit -n banana
rolebinding.rbac.authorization.k8s.io/punit-view created
[student@workstation ~]$
```

### For apple project:
```
[student@workstation ~]$ oc project apple
Already on project "apple" on server "https://api.ocp4.example.com:6443".

oc create rolebinding qa-view123 --clusterrole=view --group=qa -n apple
oc create rolebinding leader-admin --clusterrole=admin --group=leaders -n apple
oc create rolebinding suraj-admin --clusterrole=admin --user=suraj -n apple
oc create rolebinding raja-view --clusterrole=view --user=raja -n apple
oc create rolebinding punit-edit --clusterrole=edit --user=punit -n apple
oc create rolebinding punit-view --clusterrole=view --user=punit -n apple
[student@workstation ~]$ oc get rolebinding
NAME                    ROLE                               AGE
admin                   ClusterRole/admin                  97m
leader-admin            ClusterRole/admin                  7m21s
punit-edit              ClusterRole/edit                   48s
punit-view              ClusterRole/view                   7m21s
qa-view123              ClusterRole/view                   7m22s
raja-view               ClusterRole/view                   49s
suraj-admin             ClusterRole/admin                  49s
system:deployers        ClusterRole/system:deployer        97m
system:image-builders   ClusterRole/system:image-builder   97m
system:image-pullers    ClusterRole/system:image-puller    97m
```
### For kiwi project.
```
oc create rolebinding punit-admin --clusterrole admin --user punit -n kiwi
oc create rolebinding raja-view --clusterrole view --user raja -n kiwi
oc get clusterrole | grep -i kubevirt | grep view
oc create rolebinding raja-edit --clusterrole=kubevirt.io:edit --user raja -n kiwi
```
--------------------------------------------------------------------------------
/DO316/01 Virtualization-operator.md:
--------------------------------------------------------------------------------
# Deploy Openshift Virtualization
- Deploy `Openshift Virtualization` operator in the `openshift-cnv` Project.
- Install and Configure Operator with the name `kubevirt-hyperconverged` in same Project.
---
## Solution.

```
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
```
### Open a web browser and go to the web console URL.
```
https://console-openshift-console.apps.ocp4.example.com
```
## Click `htpasswd_provider` and log in as the `admin` user with `redhatocp` as the password.

## Step 1. Open the Redhat Console GUI.
![image](https://github.com/user-attachments/assets/511e6bca-0160-4793-801e-689780157dea)


## Step 2. Search for `virtualization`

![image](https://github.com/user-attachments/assets/afc5ea35-de7f-4306-9588-8d14f33fd3c4)

## Step 3. Click on Install.

![image](https://github.com/user-attachments/assets/55b7c0d9-0f51-4acd-b34e-c08efb9b02e4)


## Step 4.
![image](https://github.com/user-attachments/assets/9688d243-70fa-4972-871a-6e8464438533)

## Step 5. Click on "Create HyperConverged"

![image](https://github.com/user-attachments/assets/8cd66122-06bd-4720-82dc-87208e3789dc)

## Step 6. Write the name ""
![image](https://github.com/user-attachments/assets/eb9ad5b3-9dc0-4b30-9f5b-d30a217deed9)

## Step 7.
![image](https://github.com/user-attachments/assets/2fa96e59-7b49-4de5-b032-ce8cfc7eeef5)

## Step 8.

![image](https://github.com/user-attachments/assets/e9a3ef93-cafc-447e-b7f8-0749df8c446e)

## Step 9.

![image](https://github.com/user-attachments/assets/ba47b05f-0d44-4808-b2d3-7fadb14ffa5d)

## Step 10.

![image](https://github.com/user-attachments/assets/76827bf5-9db1-4e4e-b938-d0968e7c711c)


--------------------------------------------------------------------------------
/DO316/02. maintenance Mode.md:
--------------------------------------------------------------------------------
# Prepare the lab.
```
oc adm cordon worker01
```

# Question: Your task is to find the node and unset the maintenance mode.
- Make sure the node is in Ready and schedulable state.
---

# Solution:
### Check the node status.
```
oc get nodes
```

### You will find the node like this.
```
worker01 Ready,**SchedulingDisabled** worker
```

### Remove the maintenance mode.
```
oc adm uncordon worker01
```
### Post check!
```
oc get nodes
```


### For your reference.

```
[student@workstation ~]$ oc get nodes
NAME       STATUS                     ROLES                         AGE    VERSION
master01   Ready                      control-plane,master,worker   220d   v1.29.6+aba1e8d
master02   Ready                      control-plane,master,worker   220d   v1.29.6+aba1e8d
master03   Ready                      control-plane,master,worker   220d   v1.29.6+aba1e8d
worker01   Ready,SchedulingDisabled   worker                        179d   v1.29.6+aba1e8d
worker02   Ready                      worker                        179d   v1.29.6+aba1e8d
[student@workstation ~]$ oc adm uncordon worker01
node/worker01 uncordoned
[student@workstation ~]$ oc get nodes
NAME       STATUS   ROLES                         AGE    VERSION
master01   Ready    control-plane,master,worker   220d   v1.29.6+aba1e8d
master02   Ready    control-plane,master,worker   220d   v1.29.6+aba1e8d
master03   Ready    control-plane,master,worker   220d   v1.29.6+aba1e8d
worker01   Ready    worker                        179d   v1.29.6+aba1e8d
worker02   Ready    worker                        179d   v1.29.6+aba1e8d
[student@workstation ~]$
```

--------------------------------------------------------------------------------
/DO316/03. User Access.md:
--------------------------------------------------------------------------------
# Prepare the lab.
```
oc -n openshift-config get secrets htpasswd-secret -o json | jq -r '.data.htpasswd' | base64 --decode > /tmp/htpasswd-ex316.text
htpasswd -b /tmp/htpasswd-ex316.text suraj anishrana2001
htpasswd -b /tmp/htpasswd-ex316.text raja anishrana2001
oc -n openshift-config delete secrets htpasswd-secret
oc -n openshift-config create secret generic htpasswd-secret --from-file htpasswd=/tmp/htpasswd-ex316.text
```

# Configure User access and complete the below tasks.
As a cluster administrator, assign the roles to users so that
- Create a `banana` Project.
- For project `banana`
  - A `raja` user should be able to Create and Manage VirtualMachine.
  - A `suraj` user should view and access the "VirtualMachine performance metrics".
  - User `suraj` allowed to start/stop/restart/pause the VirtualMachine
  - A `punit` user should be able to Create and Manage VirtualMachines.

- Create an `apple` Project
- For project `apple`
  - User `suraj` has the necessary roles needed to create and manage VirtualMachines in `apple` project.
  - A `punit` user should be able to Create and Manage VirtualMachines.
  - A `raja` user should view and access the "VirtualMachine and its performance metrics".
  - User `raja` allowed to start/stop/restart/pause the VirtualMachines.
  - User `raja` should be able to view the VMs.


### Please note that the password of the `raja`, `punit` and `suraj` users is "anishrana2001".
---
## Solution
#### Create a `banana` Project.
```
oc new-project banana
```

#### A raja user should be able to Create and Manage VirtualMachine.
```
oc create rolebinding admin1 --clusterrole=admin --user=raja -n banana
```
#### A punit user should be able to Create and Manage VirtualMachine.
```
oc create rolebinding pinit-admin --clusterrole=admin --user=punit -n banana
```
#### A suraj user should view and access the "VirtualMachine performance metrics".
```
oc create rolebinding view-suraj --clusterrole=view --user=suraj -n banana
```
#### User suraj allowed to start/stop/restart/pause the VirtualMachine
```
oc get clusterrole | grep edit | grep kube
oc create rolebinding edit-suraj --clusterrole=kubevirt.io:edit --user=suraj -n banana
```
#### Create an `apple` Project
```
oc new-project apple
```

#### User suraj has the necessary roles needed to `create and manage` VirtualMachines in `apple` project.
```
oc create rolebinding admin1 --clusterrole=admin --user=suraj -n apple
```


![image](https://github.com/user-attachments/assets/238e9ad6-a197-4c3a-a664-1f37069019b1)
--------------------------------------------------------------------------------
/DO316/04 Create VM01.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.

```
lab start accessing-guicreate
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
ssh-keygen -t rsa -q -f /home/student/.ssh/id_rsa -N ""

```

# Create a VirtualMachine in the `banana` project with below requirements.
- User `raja` should create a VirtualMachine named `myvm-lan1` from template "Red Hat Enterprise Linux 9 VM"
- Use PVC URL, `http://utility.lab.example.com:8080/openshift4/images/rhel9-helloworld.qcow2`
- The StorageClassName is `ocs-external-storagecluster-ceph-rbd-virtualization`
- The PVC size should be 30GiB
- The Volume mode should be Block.
- The workload type of the VirtualMachine is `server`
- The flavor type of the VirtualMachine is `small`
- The network interface name is `default`
- The user `raja` with password `anishrana2001` exists in the cloud-init definition
- The ssh Key "/home/student/.ssh/lab_rsa.pub" from user devops at workstation has been added as an authorized ssh key via the cloud-init definition
## Task: Configure Network interface.
- The first Network Interface configuration
  - The first Network interface name is `default`
  - The first Network interface is attached to the `pod networking` (default) network
  - The first network interface type is `masquerade`
  - The model for the first network interface is `virtio`

- The Second Network Interface Configuration
  - The second network interface name is `nic-0`
  - The second network interface is attached to the `banana/database-network` network
  - The second network interface type is `bridge`
  - The IP address of the second network interface is provided by OpenShift
  - The model for the second network interface is `virtio`

## Task: Create a Readiness probe with below configuration.
```
readinessProbe:
  httpGet:
    path: /health
    port: 80
  initialDelaySeconds: 10
  periodSeconds: 5
  timeoutSeconds: 2
  failureThreshold: 2
  successThreshold: 1
```
---

### Solution:

--------------------------------------------------------------------------------
/DO316/05 NetworkPolicy+HTTP.md:
--------------------------------------------------------------------------------

# Configure a Web Server in a VirtualMachine `myvm-lan1` in a `banana` project
- Install the httpd package.
4 | - One can download the yum.repo file with `sudo curl -o /etc/yum.repos.d/yum.repo-file.repo https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/yum.repo-file.repo`
5 | - The httpd service must be enabled so that it starts after a reboot.
6 | - Download the anish.html file from `https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/anish.html` and upload it to `/var/www/html` on the VM.
7 | - A Network Policy named `netpol-http` should exist in the `banana` project
8 | - A `ClusterIP` Service allows web traffic into the `myvm-lan1` VirtualMachine
9 | - The Network Policy restricts access to the VirtualMachine `myvm-lan1`, allowing only members of project `banana` to access TCP port `80`
10 | - Other projects cannot reach the VirtualMachine `myvm-lan1` at TCP port `80`
11 |
12 | ## Task: Create a Network policy named `apple-access-netpol` in the `banana` project. Only members of the `apple` project should be able to access the VM `myvm-lan2`
13 | ## Task: Create a Network policy named `kiwi-access-netpol` in the `banana` project. It should allow only requests coming from the `kiwi` project.
14 | ---
15 |
16 |
17 |
18 | ### Solution:
19 | ### Go to the project first.
20 | ```
21 | oc project banana
22 | ```
23 | ### Log in to the VM; the user name is `raja` and the password is `anishrana2001`
24 | ```
25 | virtctl console myvm-lan1
26 | ```
27 | ### Switch to root user
28 | ```
29 | sudo su -
30 | ```
31 | - One can download the yum.repo file with "sudo curl -o /etc/yum.repos.d/yum.repo-file.repo https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/yum.repo-file.repo"
32 | ```
33 | sudo curl -o /etc/yum.repos.d/yum.repo-file.repo https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/yum.repo-file.repo
34 | ```
35 | - Install the httpd package.
36 | ```
37 | sudo yum install httpd -y
38 | ```
39 | - The httpd service must be enabled so that it starts after a reboot.
40 | ```
41 | systemctl enable httpd
42 | systemctl start httpd
43 | ```
44 |
45 | - Download the anish.html file from "https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/anish.html" and upload it to `/var/www/html` on the VM.
46 | ```
47 | cd /var/www/html/
48 | curl -o anish.html https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/anish.html
49 |
50 | systemctl restart httpd
51 | curl localhost/anish.html
52 | ```
53 | - A Network Policy named `netpol-http` exists in the `banana` project
54 | ### Check the NetworkPolicy in the banana project.
55 | ```
56 | oc get netpol
57 | ```
58 | ```
59 | oc describe netpol netpol-http
60 | ```
61 |
62 | ### Based upon the above output, we need to modify the labels on the namespace and the VM.
63 | ### Add the label on Namespace ==> `name=client-ns` 👈👈👈
64 | ```
65 | oc get namespaces banana --show-labels
66 | ```
67 |
68 | ### Add the label "env: production" on the VM under "/spec/template/metadata/labels/", as the network policy requires 👈👈👈
69 | ```
70 | oc edit vm myvm-lan1
71 | ```
72 |
73 | ## OR you can use this command.
74 | ```
75 | oc patch vm myvm-lan1 --type='json' -p='[{"op": "add", "path": "/spec/template/metadata/labels/env", "value": "production"}]'
76 | ```
77 |
78 | - A `ClusterIP` Service allows web traffic into the `myvm-lan1` VirtualMachine
79 | ### It's time to create the service and expose it. Please bear in mind that we must use the "virtctl" command to expose the VMI.
80 | ```
81 | virtctl expose vmi myvm-lan1 --name svc-netpol --type=ClusterIP --port 80 --target-port=80
82 | ```
83 | ### You should see the endpoints.
84 | ```
85 | oc get endpoints/svc-netpol
86 | ```
87 |
88 | - The Network Policy restricts access to the VirtualMachine `myvm-lan1`, allowing only members of project `banana` to access TCP port `80`
89 | - Other projects cannot reach the VirtualMachine `myvm-lan1` at TCP port `80`
90 | ### Post checks!!!
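The label and port logic that these post checks exercise can be modeled offline. This is an added example, not part of the repository: the policy is transcribed by hand from `DO316/netpol.yaml`, and the function names, the sample pods and the assumption that `netpol-http` is the only policy selecting the VM's pod are assumptions of the example.

```python
# Added example: offline model of how the netpol-http rule is evaluated.
# Assumption: netpol-http is the only NetworkPolicy selecting the VM's pod.

# DO316/netpol.yaml transcribed into a dict (constructed for this example).
NETPOL_HTTP = {
    "namespace": "banana",
    "podSelector": {"env": "production"},
    "ingress": [
        {
            # One `from` element holding both selectors: they are ANDed.
            "from": [{"podSelector": {}, "namespaceSelector": {"name": "client-ns"}}],
            "ports": [("TCP", 443), ("TCP", 80)],
        }
    ],
}


def labels_match(selector, labels):
    """matchLabels semantics: every pair must be present; {} matches everything."""
    return all(labels.get(key) == value for key, value in selector.items())


def peer_matches(peer, policy_ns, src):
    """Evaluate one `from` element against a source pod."""
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["namespace"] != policy_ns:
        # A podSelector without a namespaceSelector only reaches the policy's namespace.
        return False
    return labels_match(peer.get("podSelector", {}), src["pod_labels"])


def ingress_decision(policy, dst_pod_labels, src, proto, port):
    """Return (allowed, reason) for traffic to a pod in the policy's namespace."""
    if not labels_match(policy["podSelector"], dst_pod_labels):
        return True, "pod not selected by the policy, so it is not isolated"
    for rule in policy["ingress"]:
        if (proto, port) in rule["ports"] and any(
            peer_matches(peer, policy["namespace"], src) for peer in rule["from"]
        ):
            return True, "matched an ingress rule"
    return False, "pod is isolated and no ingress rule matched"


# Constructed sources mirroring the post checks: pods in banana and in test.
BANANA_LABELED = {"namespace": "banana", "ns_labels": {"name": "client-ns"},
                  "pod_labels": {"app": "test"}}
BANANA_UNLABELED = {"namespace": "banana", "ns_labels": {},
                    "pod_labels": {"app": "test"}}
TEST_PROJECT = {"namespace": "test", "ns_labels": {},
                "pod_labels": {"app": "webserver-app5"}}

VM_LABELED = {"env": "production"}  # after the `oc patch vm` step
VM_UNLABELED = {}                   # before it


def run_checks():
    """Evaluate the scenarios the walkthrough tests by hand, plus the edge cases."""
    cases = {
        "banana (labeled ns) -> VM:80": (VM_LABELED, BANANA_LABELED, 80),
        "banana (unlabeled ns) -> VM:80": (VM_LABELED, BANANA_UNLABELED, 80),
        "test -> VM:80": (VM_LABELED, TEST_PROJECT, 80),
        "test -> unlabeled VM:80": (VM_UNLABELED, TEST_PROJECT, 80),
        "banana (labeled ns) -> VM:22": (VM_LABELED, BANANA_LABELED, 22),
        "banana (labeled ns) -> VM:443": (VM_LABELED, BANANA_LABELED, 443),
    }
    return {
        name: ingress_decision(NETPOL_HTTP, dst, src, "TCP", port)
        for name, (dst, src, port) in cases.items()
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_checks().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {name}: {reason}")
```

Two results deserve attention: until the VM template carries `env: production` the policy does not select it at all, so it stays reachable from every project, and the rule also opens TCP 443 although the task only names port 80.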
91 | ### Let's create one deployment in the `banana` project and check whether it can reach our VM / VMI web server. It should return the page.
92 |
93 | ### Open the web console and create a dummy deployment
94 |
95 | ![image](https://github.com/user-attachments/assets/5f70181f-edc2-4bb4-a319-e0c1903f264a)
96 |
97 | ```
98 | oc get pods
99 | oc rsh pod/test-7d674b5dc9-t65jx curl svc-netpol.banana.svc.cluster.local
100 | ```
101 |
102 | ### Let's create another project with a dummy deployment using the default image, and then check whether it can reach the VM/VMI web server. Ideally, it should not.
103 | ```
104 | oc new-project test
105 | ```
106 | ![image](https://github.com/user-attachments/assets/b88bf594-6c60-40f5-b387-255b379b80dd)
107 |
108 |
109 | ### It should not work.
110 | ```
111 | oc rsh pods/webserver-app5-6848fd96fc-8nk9n curl svc-netpol.banana.svc.cluster.local
112 | ```
113 |
--------------------------------------------------------------------------------
/DO316/06 Multihomed.md:
--------------------------------------------------------------------------------
1 | ### Prepare the lab for this question.
2 | ```
3 | lab start multihomed-nmstate
4 | ```
5 |
6 | # Deploy a Multihomed VirtualMachine
7 | - Create a VM called `mariadb-server` from template `Red Hat Enterprise Linux 9 VM` with 2 network interfaces in the `apple` project.
8 | - The Workload type of the VirtualMachine is `server` and flavor is `small`.
9 | - The user `suraj` creates the VirtualMachine `mariadb-server`
10 | - The user `suraj` with password "anishrana2001" should exist in the cloud-init definition.
11 | - The ssh Key `/home/opsadm/.ssh/id_rsa_ex316.pub` from user opsadm at workbench.lab.example.com has been added as an authorized ssh key via the cloud-init definition
12 |
13 | ## Storage Configuration
14 | - The image used to create the Persistent Volume Claim for the VirtualMachine boot source is `http://utility.lab.example.com:8080/openshift4/images/rhel9-helloworld.qcow2`
15 | - The StorageClassName is `ocs-external-storagecluster-ceph-rbd-virtualization`
16 | - The PVC size is `10Gi`
17 |
18 | ## The first Network Interface configuration
19 | - The first network interface name is `default`
20 | - The first network interface is attached to the pod networking (default) network
21 | - The first network interface type is `masquerade`
22 | - The model for the first network interface is `virtio`
23 |
24 | ## The Second Network Interface Configuration
25 | - The second network interface name is `nic-0`
26 | - The second network interface is attached to the `apple/database-network` network
27 | - The second network interface type is `bridge`
28 | - The IP address of the second network interface is provided by OpenShift
29 | - The model for the second network interface is `virtio`
30 | ---
31 | ---
32 |
33 | ### Solution:
34 | ### Step 1. As per the question, we need to add the 2nd interface, which means that first we need to install the operator ""
35 | ### Step 2. User suraj must be able to create the VM "mariadb-server". In Question 3, we have already given the rights to this user.
36 | ### Step 3. Switch to the `suraj` user on the console and create a VM from the "RHEL 9.2, server, small" template using the mentioned PVC URL.
37 |
38 |
39 | ### Step 1. As per the question, we need to add the 2nd interface, which means that first we need to install the operator ""
40 | ### Before that, let's add the label on the worker nodes so that we can create an extra interface.
41 | ```
42 | oc label nodes worker01 external-network=true
43 | ```
44 | ```
45 | oc label nodes worker02 external-network=true
46 | ```
47 |
48 | ### Create `NodeNetworkConfigurationPolicy`
49 | ![image](https://github.com/user-attachments/assets/17f0a830-4a22-4612-8f51-bc9df9318af2)
50 | ## Create a `NetworkAttachmentDefinitions` in the `apple` project.
51 | ![image](https://github.com/user-attachments/assets/47e60967-b9d7-455e-8703-b3306ca1bf5c)
52 |
53 |
54 | ## Log in as the `suraj` user.
55 |
56 | ![image](https://github.com/user-attachments/assets/c2585076-fed2-4251-a3a9-01083fed55e5)
57 |
58 | ## Select the `apple` project and go to Virtualization.
59 |
60 | ![image](https://github.com/user-attachments/assets/5bd8de74-8dbf-4c8c-b248-b3abcd69ae2e)
61 |
62 | ### Select the right template as per the question.
63 |
64 | ![image](https://github.com/user-attachments/assets/76f5cf2b-5c2e-46ea-abd1-09d5c7adc237)
65 |
66 | ## Fill in the details, like the name of the `virtual server` and the `disk size`, and then click on `customize VirtualMachine`
67 |
68 | ![image](https://github.com/user-attachments/assets/ef03bf68-07ea-4f81-965f-5e5f044ad79d)
69 |
70 |
71 | ## Click on `Network Interfaces` and add the 2nd interface by clicking on `Add Network Interface`.
72 |
73 | ![image](https://github.com/user-attachments/assets/883c990a-1546-4216-b0d3-514aade4d924)
74 |
75 | ## Fill in the details as per the question.
76 |
77 | ![image](https://github.com/user-attachments/assets/87c30c1c-4f83-490b-bdcd-8738d030e72e)
78 |
79 | ## Click on `Disk` and modify the details.
80 |
81 | ![image](https://github.com/user-attachments/assets/e05621d0-5c00-4562-a865-f417103b4b62)
82 |
83 |
84 | ### Modify the storageClass name to `ocs-external-storagecluster-ceph-rbd-virtualization`
85 |
86 | ![image](https://github.com/user-attachments/assets/af2653e5-f81c-4631-8d5e-c0963a38dbcd)
87 |
88 | ### Click on `Script` tab.
89 |
90 | ![image](https://github.com/user-attachments/assets/3318f7b3-8fa7-4442-8635-24114432d0c1)
91 |
92 | ## Add the user name `suraj` and its credentials.
93 |
94 | ![image](https://github.com/user-attachments/assets/b5becfd7-4764-419a-ad7f-67dda0a43c90)
95 |
96 | ## Add the id_rsa,key file
97 |
98 |
99 |
100 |
--------------------------------------------------------------------------------
/DO316/07 Mange_Storage.md:
--------------------------------------------------------------------------------
1 | ### Prepare the lab.
2 | ```
3 | oc new-project vm-image
4 | oc apply -f https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/replicated-template.yaml
5 | oc apply -f https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/web1.template.yaml
6 | ```
7 |
8 | # Manage Storage for VirtualMachines
9 | - Create two VirtualMachines in project `vm-image` in the following way:
10 | - Create a VirtualMachine named `replicated` using the `replicated-template` template
11 | - Create a VirtualMachine named `web1` using the `web1-template` template; do not change the template
12 | - Make sure the following conditions are met:
13 | - Move the disk `goldimg` from the VirtualMachine `replicated` to VirtualMachine `web1`
14 | - The disk uses the same settings as the original `goldimg` on replicated, such as storageClass, accessMode, etc.
15 | - The disk is a block device and is accessible via /dev/vdc
16 | - The disk is mounted at /var/www/html of `web1` permanently
17 | - Ensure the VirtualMachine `replicated` has a disk named `gori`
18 | - User name is `raja` and password is `anishrana2001`
19 | - The disk uses `http://utility.lab.example.com:8080/openshift4/images/rhel9-helloworld.qcow2` as a source
20 | - The disk size is `10Gi`
21 | - The disk supports shared access
22 | - The disk is a block device and is accessible via `/dev/vdc`
23 | - The disk is mounted at `/var/www/html` on `replicated` permanently
24 | - Ensure the existing
data on these disks is preserved
25 |
26 | Both VirtualMachines are running normally
27 |
--------------------------------------------------------------------------------
/DO316/08 MariaDB_From_Template.md:
--------------------------------------------------------------------------------
1 | # Create a VirtualMachine Template
2 | - Create a project `kiwi` and a VirtualMachine template according to the following requirements
3 | - The Template name is `tmprhl9small` in the `kiwi` project
4 | - The Template is a clone of the built-in rhel9-server-small template
5 | - Flavor small, with 1 CPU and 2Gi RAM
6 | - Storage space is 10Gi
7 | - Disk source `http://utility.lab.example.com:8080/openshift4/images/rhel9-helloworld.qcow2`
8 | - storageClassName: `ocs-external-storagecluster-ceph-rbd-virtualization`
9 | - The user `rahul` can log in to these VirtualMachines on the console with password `anishrana2001`
10 | - The user `rahul` should have passwordless SSH authentication on the VM by using `/home/opsdam/.ssh/id_rsa_ex316.pub key` from the base machine.
11 | - When a VM is created from this template, it should have 2 packages, i.e. `netlabels` and `mtr`. You can download them from the links below.
12 | - `https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/x86_64/getPackage/netlabel_tools-0.30.0-13.el9.x86_64.rpm`
13 | - `https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/x86_64/getPackage/mtr-0.94-4.el9.x86_64.rpm`
14 | ---
15 |
16 |
--------------------------------------------------------------------------------
/DO316/09.
LoadBalancer.md:
--------------------------------------------------------------------------------
1 | # Create a service using VirtualMachine load balancing
2 | ### In the Project `kiwi` create the following Objects:
3 |
4 | - Using the template `tmprhl9small` which you created previously, instantiate two identical VirtualMachines named `web1` and `web2`
5 | - Create a service named `ex316-kiwi-svc`
6 |   Type: NodePort
7 |   Pod Selector: `mydb=mariadb-kiwi`
8 | - TCP Port `22` of each VM is connected to any worker node port on `30022`
9 | - Create a route named `web-route` so that the above service will be available at address `anishrana2001-lb.apps.ocp4.example.com`
10 | - Perform the SSH to `anishrana2001-lb.apps.ocp4.example.com`
11 |
12 | ---
13 |
14 | ### Solution:
15 |
16 | ### Step 1. Select the project `kiwi` in the RedHat console
17 | ### Step 2. Create the VMs `web1` & `web2` from the template ``
18 | ### Step 3. Add the label on each VM and then restart it.
19 |
20 | ```
21 | oc edit vm/web1
22 | oc edit vm/web2
23 | virtctl restart web1
24 | virtctl restart web2
25 | ```
26 |
27 | ### Step 4. Verify the VM's Label.
28 | ```
29 | oc get vm,vmi -l mydb=mariadb-kiwi
30 | ```
31 | - Create a service named `ex316-kiwi-svc`
32 | - Type: NodePort
33 | - Pod Selector: `mydb=mariadb-kiwi`
34 | - TCP Port `22` of each VM is connected to any worker node port on `30022`
35 | ### Traffic first reaches the worker node on port 30022 and is then forwarded to the VMI on port 22. That means `--tcp=22:22` & `--node-port=30022`
36 |
37 |
38 | ### Step 5. Create a service and modify its selector. In the end, check the endpoints. They should point to the IPs of the web1 and web2 VMs.
39 | ```
40 | oc create service nodeport ex316-kiwi-svc --tcp=22:22 --node-port=30022
41 | oc edit service/ex316-kiwi-svc
42 |
43 | [student@workstation ~]$ oc describe service ex316-kiwi-svc
44 | Name:                     ex316-kiwi-svc
45 | Namespace:                kiwi
46 | Labels:                   app=ex316-kiwi-svc
47 | Annotations:
48 | Selector:                 mydb=mariadb-kiwi
49 | Type:                     NodePort
50 | IP Family Policy:         SingleStack
51 | IP Families:              IPv4
52 | IP:                       172.30.211.130
53 | IPs:                      172.30.211.130
54 | Port:                     22-22  22/TCP
55 | TargetPort:               22/TCP
56 | NodePort:                 22-22  30022/TCP
57 | Endpoints:                10.8.0.63:22,10.9.0.23:22
58 | Session Affinity:         None
59 | External Traffic Policy:  Cluster
60 | Events:
61 |
62 |
63 | oc get endpoints ex316-kiwi-svc
64 | ```
65 | - Create a route named web-route so that the above service will be available at address `anishrana2001-lb.apps.ocp4.example.com`
66 | ### Create a route.
67 | ```
68 | oc expose service ex316-kiwi-svc --name=web-route --hostname=anishrana2001-lb.apps.ocp4.example.com
69 | ```
70 |
71 | ### Post checks!!!
72 | ```
73 | [student@workstation ~]$ telnet anishrana2001-lb.apps.ocp4.example.com 22
74 | Trying 192.168.50.254...
75 | Connected to anishrana2001-lb.apps.ocp4.example.com.
76 | Escape character is '^]'.
77 | SSH-2.0-OpenSSH_8.7
78 | ```
79 |
--------------------------------------------------------------------------------
/DO316/10. VolumeSnapshort.md:
--------------------------------------------------------------------------------
1 | # Create a VirtualMachine snapshot
2 | - Create a volume snapshot named `web2-snap-maria` of the VM `web2` in the project `kiwi`.
3 | - Note: - The VM must be accessible through SSH and in a 'kiwi' working state before taking the snapshot
4 |
5 | ---
6 |
7 | ### Solution:
8 |
9 |
--------------------------------------------------------------------------------
/DO316/11. MigrationVM.md:
--------------------------------------------------------------------------------
1 | ### Prepare the lab for this question.
2 | ```
3 | oc label nodes worker01 datacenter=paris
4 | oc label nodes worker02 datacenter=paris
5 | ```
6 |
7 | # Configure VirtualMachine migration
8 | - Configure the VirtualMachine migration so that the following conditions are true:
9 | - The VirtualMachine `mariadb-server` in the project `apple` is able to migrate between the nodes with label `datacenter: paris`
10 | - The VirtualMachine `mariadb-server` in the project `apple` is not able to migrate to any other nodes
11 | ---
12 |
13 | ### Solution:
14 |
15 | ###
16 |
17 | ![image](https://github.com/user-attachments/assets/8f2890fd-1430-4cc2-b4e3-5c47dff7902c)
18 |
19 | ## In the key and value, use the label given in the question.
20 | ![image](https://github.com/user-attachments/assets/fa0dfeef-58cb-4d86-8a4a-87fe5197b3b6)
21 |
22 |
23 |
24 | ## Post checks!!!
25 | ### Go to the project.
26 | ```
27 | oc project apple
28 | ```
29 | ### Identify where this VM is running.
30 | ```
31 | oc get vm,vmi
32 | ```
33 | ### For your reference.
34 | ```
35 | [student@workstation ~]$ oc get vm,vmi
36 | NAME                                        AGE   STATUS    READY
37 | virtualmachine.kubevirt.io/mariadb-server   60m   Running   True
38 |
39 | NAME                                                AGE   PHASE     IP           NODENAME   READY
40 | virtualmachineinstance.kubevirt.io/mariadb-server   65s   Running   10.11.0.19   worker02   True
41 | ```
42 | ### Check the node status.
43 | ```
44 | oc get nodes
45 | ```
46 | ### For your reference.
47 | ```
48 | [student@workstation ~]$ oc get nodes
49 | NAME       STATUS   ROLES                         AGE    VERSION
50 | master01   Ready    control-plane,master,worker   224d   v1.29.6+aba1e8d
51 | master02   Ready    control-plane,master,worker   224d   v1.29.6+aba1e8d
52 | master03   Ready    control-plane,master,worker   224d   v1.29.6+aba1e8d
53 | worker01   Ready    worker                        183d   v1.29.6+aba1e8d
54 | worker02   Ready    worker                        183d   v1.29.6+aba1e8d
55 | [student@workstation ~]$
56 |
57 | ```
58 | ## Put the worker02 node into maintenance mode by using the `cordon` command.
59 |
60 | ```
61 | oc adm cordon node/worker02
62 | ```
63 |
64 | ### For your reference.
65 | ```
66 | [student@workstation ~]$ oc get nodes
67 | NAME       STATUS                     ROLES                         AGE    VERSION
68 | master01   Ready                      control-plane,master,worker   224d   v1.29.6+aba1e8d
69 | master02   Ready                      control-plane,master,worker   224d   v1.29.6+aba1e8d
70 | master03   Ready                      control-plane,master,worker   224d   v1.29.6+aba1e8d
71 | worker01   Ready                      worker                        183d   v1.29.6+aba1e8d
72 | worker02   Ready,SchedulingDisabled   worker                        183d   v1.29.6+aba1e8d
73 | ```
74 |
75 | ### Restart the VMI.
76 | ```
77 | virtctl restart mariadb-server
78 | ```
79 |
80 | ### Check the VM
81 | ```
82 | oc get vm,vmi
83 | ```
84 | ### For your reference. It is now running on the worker01 node.
85 | ```
86 | [student@workstation ~]$ oc get vm,vmi
87 | NAME                                        AGE   STATUS    READY
88 | virtualmachine.kubevirt.io/mariadb-server   66m   Running   True
89 |
90 | NAME                                                AGE     PHASE     IP          NODENAME   READY
91 | virtualmachineinstance.kubevirt.io/mariadb-server   4m17s   Running   10.8.2.42   worker01   True
92 | ```
93 |
--------------------------------------------------------------------------------
/DO316/12. RootDisk_clone.md:
--------------------------------------------------------------------------------
1 | ## Question: You need to prepare a VirtualMachine for cloning.
2 | ## Clone the root disk of the VM named `web1` in the project `kiwi` as `web1-copy` by using Data Volumes
3 | - You can use the sample file `https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/datavolume.yaml`
4 | ---
5 |
6 | ### Solution.
7 | ### Go to the project `kiwi` first.
8 | ```
9 | oc project kiwi
10 | ```
11 |
12 | ```
13 | apiVersion: cdi.kubevirt.io/v1beta1
14 | kind: DataVolume
15 | metadata:
16 |   name: web1-copy ### New DataVolume name
17 |   namespace: kiwi ### It will be created in the `kiwi` namespace
18 | spec:
19 |   source:
20 |     pvc:
21 |       namespace: "kiwi" ### It will copy from this namespace
22 |       name: "web1" ### It will copy from this PVC
23 |   storage:
24 |     resources:
25 |       requests:
26 |         storage: 11Gi ### PVC size + 1 Gi
27 |     storageClassName: ocs-external-storagecluster-ceph-rbd-virtualization ### StorageClass name of the web1 PVC
28 | ```
29 | ### Check the VM and VMI
30 | ```
31 | oc get vm,vmi
32 | oc get datavolume,pvc
33 | ```
34 |
--------------------------------------------------------------------------------
/DO316/13 Probes.md:
--------------------------------------------------------------------------------
1 | # Configure a liveness probe
2 | - Configure a liveness probe for the `mariadb-server` VM in the `apple` project and make sure the following conditions are true:
3 | - The liveness probe tests the database server at TCP Port 3306
4 | - The time (in seconds) after the VM instance starts before the liveness probe is initiated is 100
5 | - The delay in seconds between performing probes is 5
6 | - Download the yum.repo file to the `mariadb-server` VM with "sudo curl -o /etc/yum.repos.d/yum.repo-file.repo https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/yum.repo-file.repo"
7 | ---
8 |
9 | ## Solution.
10 | # How to add Liveness Probe
11 | ## First, we can create a dummy deployment named test. Whether its pods actually start does not matter.
12 | ```
13 | oc create deployment test --image=nginx
14 | oc set probe --help | grep url
15 | ```
16 |
17 | ### Now, you can search the parameters of the probe command.
18 | ```
19 | oc set probe --help | grep tcp
20 | oc set probe deployment test --liveness --open-tcp=3306 --initial-delay-seconds=100 --period-seconds=5
21 | ```
22 |
23 | ### Get the details of the probe from the deployment.
24 | ```
25 | oc get deployment test -o yaml | grep -iA 10 liveness
26 | ```
27 |
28 |     livenessProbe:
29 |       failureThreshold: 3
30 |       initialDelaySeconds: 100
31 |       periodSeconds: 5
32 |       successThreshold: 1
33 |       tcpSocket:
34 |         port: 3306
35 |       timeoutSeconds: 1
36 |
37 |
38 | ### Now, you need to add these details to the VM `mariadb-server`. Search for `domain`.
39 | ```
40 | oc edit vm mariadb-server
41 | ```
42 | ## Make sure the indentation is correct: architecture, livenessProbe and domain should be at the same indentation level. See below.
43 | ![image](https://github.com/user-attachments/assets/65f04432-92cf-4448-8230-199e12d5eb00)
44 |
45 |
46 |
47 | ### Or you can use this command, if you have this file.
48 | ```
49 | [student@workstation ~]$ cat /tmp/liveness.yaml
50 | spec:
51 |   template:
52 |     spec:
53 |       livenessProbe:
54 |         failureThreshold: 3
55 |         initialDelaySeconds: 100
56 |         periodSeconds: 5
57 |         successThreshold: 1
58 |         tcpSocket:
59 |           port: 3306
60 |         timeoutSeconds: 1
61 | ```
62 |
63 | ```
64 | oc patch vm/mariadb-server --type=merge --patch-file=/tmp/liveness.yaml
65 | ```
66 |
67 |
68 | ### Need to restart the VM.
69 | ```
70 | virtctl restart mariadb-server
71 | oc get vmi mariadb-server
72 | ```
73 |
74 | ### Once the VM is up, go to the console.
75 | ```
76 | virtctl console mariadb-server
77 | ```
78 | ### Enter the credentials.
79 |
80 | ```
81 | Credentials : root/redhat
82 |
83 | systemctl stop mysql
84 | ```
85 | ### Logout.
86 | ## The mariadb-server VM should be restarted due to the liveness probe
87 |
88 |
89 | ### For more practice, you can also try to configure the readiness probe. This is only to increase your knowledge.
90 |
91 |
92 |
93 | MYROUTE_readiness=`oc get routes | awk '{print $2}' | grep -v HOST` ; echo $MYROUTE_readiness
94 | for i in {1..20} ; do curl http://$MYROUTE_readiness ; done
95 |
96 |
97 |
98 |
99 | oc set probe deploy/test --readiness --get-url=http://:8080/healthz --initial-delay-seconds=10
100 | oc get deployment test -o yaml
101 |
102 | Search for the readiness probe, copy the contents and modify them as per your requirements
103 |
104 |     readinessProbe:
105 |       httpGet:
106 |         path: /health
107 |         port: 80
108 |       initialDelaySeconds: 10
109 |       periodSeconds: 5
110 |       successThreshold: 1
111 |       timeoutSeconds: 2
112 |       failureThreshold: 2
113 |
114 |
115 | ### Modify the VM template and then restart the www1 VM.
116 | oc edit vm www1
117 | virtctl restart www1
118 |
119 |
120 | ### Post checks.
121 |
122 | ```
123 | oc get vm,vmi,endpoints
124 | ```
125 |
126 | ### If you can see the www1 IP in the endpoints, then proceed further.
127 | oc edit vm www2
128 | virtctl restart www2
129 |
130 | ### Post checks for www2 VM
131 |
132 | ```
133 | oc get vm,vmi,endpoints
134 | ```
135 |
136 | ### Final Post checks
137 | ```
138 | for i in {1..20} ; do curl http://$MYROUTE_readiness ; done
139 | ```
140 |
141 |
142 |
143 |
144 |
145 |
146 | oc edit vm/web1
147 | virtctl restart web1
148 |
149 | oc create service clusterip front --tcp=80:80
150 | oc create route edge front --service front --hostname front-review-cr3.apps.ocp4.example.com
151 | curl https://front-review-cr3.apps.ocp4.example.com/?[1-3]
152 |
--------------------------------------------------------------------------------
/DO316/14. NodeFailure.md:
--------------------------------------------------------------------------------
1 | ### Prepare the lab for this question.
2 | ```
3 | oc new-project ha-node
4 | oc create -f https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/DO316/ha-node-template.yaml
5 | ```
6 | # Prepare a VirtualMachine for node failure
7 | - Create and configure a VirtualMachine to survive a node failure so that the following conditions are true:
8 | - Create a VirtualMachine named `ha-node-vm1` from the template called `ha-node-template`
9 | - The VirtualMachine should run in the project `ha-node`
10 | - The VirtualMachine is automatically scheduled on either master1.example.com or master2.example.com
11 | - In the event of a failure of either node, the VirtualMachine is automatically started on the other node
12 |
13 | ---
14 |
15 | ### Solution:
16 |
17 | ### Create a VM `ha-node-vm1` from the `ha-node-template` template in the `ha-node` project.
18 | ### After that
19 | - The VirtualMachine is automatically scheduled on either master1.example.com or master2.example.com
20 |
21 | ### For this, add a new label of your choice on the mentioned nodes.
22 | ```
23 | oc label nodes master01 ha-node-vm1=true
24 | oc label nodes master02 ha-node-vm1=true
25 |
26 | ```
27 |
28 | ### Select the `ha-node-vm1` VM, and then go to the Configuration → Scheduling menu. Confirm that the eviction strategy is set to `LiveMigrate`, then click on Scheduling → Node selector and add the label.
29 |
30 |
31 | ![image](https://github.com/user-attachments/assets/b6d4a073-261c-42c2-ad9d-00136f4fe296)
32 |
33 | ![image](https://github.com/user-attachments/assets/c967d21d-592c-47b9-a5e9-3320d1fc21cd)
34 |
35 | ![image](https://github.com/user-attachments/assets/e4791803-7858-462d-8fe7-2daff3781949)
36 |
37 | ### Go to the YAML tab to open the VM's manifest in the YAML editor. Within the YAML manifest, confirm that the .spec.runStrategy object is set to the RerunOnFailure run strategy.
38 | ![image](https://github.com/user-attachments/assets/190e8aa0-226d-4680-8bb0-40b99c9148d6)
--------------------------------------------------------------------------------
/DO316/15. vSphere VirtualMachine.md:
--------------------------------------------------------------------------------
1 | ### Prepare the Lab.
2 | ### I am using Red Hat Lab, so I am creating the default LAB of Redhat. If you don't have Redhat's lab then create a NFS server on one machine and export the directory.
3 | ```
4 | lab start advanced-import
5 | ```
6 |
7 | # Import a vSphere VirtualMachine
8 | - Create a networkplan with named `vsphere` by using `Open Virtual Appliance (OVA)`
9 | - `utility.lab.example.com:/exports-ocp4/ova` images
10 | - Import the VirtualMachine called `rhel9-web` according to the following requirements:
11 | - The imported VirtualMachine exists in the `vms-import` project
12 | - The network of the source VirtualMachine has been mapped to the `pod network` of the imported VirtualMachine.
13 | - The imported VirtualMachine used the `ocs-external-storagecluster-ceph-rbd-virtualization` storage class
14 | - The imported VirtualMachine must be in running state.
15 | - VM has two networks: one that is using the `pod networking`, and the other that is using the `default/vm-private-net` network.
16 | - SSH to `utility` machine and curl the imported VM IP.
17 | ---
18 |
19 | ### Solution.
20 |
21 | ### As the admin user, install the MTV operator.
22 | ### Click Operators → OperatorHub. In the Filter by keyword field, type `mtv` to locate the `MTV operator`, and click `Migration Toolkit for Virtualization Operator`.
23 |
24 | ![image](https://github.com/user-attachments/assets/f93dc42f-4879-4dba-b3c6-c4b516f07483)
25 |
26 | ![image](https://github.com/user-attachments/assets/8593a213-41ef-418a-83a2-e3269eb5c75d)
27 |
28 | ![image](https://github.com/user-attachments/assets/290086f9-5be6-4efe-8427-c50e89e32da9)
29 |
30 | ### After the operator installation completes, click Create `ForkliftController`.
31 | ![image](https://github.com/user-attachments/assets/957f5770-35ea-4747-8f97-74652aaa2d5a)
32 |
33 | ![image](https://github.com/user-attachments/assets/fcfc8d20-65ef-4415-b44e-1148a34c073c)
34 |
35 |
36 |
37 |
38 | At the end, Go to the project `vms-import`, then start the VM and check the IP address.
39 | ![image](https://github.com/user-attachments/assets/51e83c59-2f18-4c62-b5d9-da07dc693e3b)
40 |
41 | ### Curl the IP address
42 | ```
43 | [student@workstation ~]$ ssh lab@utility
44 | [lab@utility ~]$ curl 192.168.51.101
45 |
46 |
47 |

Hello from VMware virtual machine!

48 | Provisioned on VMware ESXi 8.0.1
49 |
50 |
51 | [lab@utility ~]$
52 | ```
53 |
54 | ### Follow the lab : Guided Exercise: Migrate Virtual Machines from Foreign Hypervisors from Redhat.
55 |
--------------------------------------------------------------------------------
/DO316/16. OADP.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anishrana2001/Openshift/7248a5fa2d66b55a43a108097114b8cfa86a175f/DO316/16. OADP.pptx
--------------------------------------------------------------------------------
/DO316/anish.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Simple HTML Page
6 |
7 |
8 |

Welcome to "anishrana2001"

9 |

Want to Learn Redhat Openshift , Kubernetes, Docker and many more, then switch to my Youtube Channel "anishrana2001"

10 |
11 |
12 |
--------------------------------------------------------------------------------
/DO316/datavolume.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: cdi.kubevirt.io/v1beta1
2 | kind: DataVolume
3 | metadata:
4 |   name: @
5 | spec:
6 |   source:
7 |     pvc:
8 |       namespace: @
9 |       name: @
10 |   storage:
11 |     resources:
12 |       requests:
13 |         storage: @
14 |     storageClassName: @
15 |
--------------------------------------------------------------------------------
/DO316/httpd-2.4.63-4.fc43.aarch64.rpm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anishrana2001/Openshift/7248a5fa2d66b55a43a108097114b8cfa86a175f/DO316/httpd-2.4.63-4.fc43.aarch64.rpm
--------------------------------------------------------------------------------
/DO316/netpol.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: networking.k8s.io/v1
2 | kind: NetworkPolicy
3 | metadata:
4 |   name: netpol-http
5 |   namespace: banana
6 | spec:
7 |   podSelector:
8 |     matchLabels:
9 |       env: production
10 |   policyTypes:
11 |   - Ingress
12 |   ingress:
13 |   - from:
14 |     - podSelector: {}
15 |       namespaceSelector:
16 |         matchLabels:
17 |           name: client-ns
18 |     ports:
19 |     - protocol: TCP
20 |       port: 443
21 |     - protocol: TCP
22 |       port: 80
23 |
--------------------------------------------------------------------------------
/EX380/01-01 Ldap.md:
--------------------------------------------------------------------------------
1 | # Create an LDAP URL from the information below
2 |
3 | - URL object: Value
4 | - Connection protocol: ldap
5 | - Server name and port: ldap.example.com:389
6 | - Base DN: dc=example,dc=com
7 | - Attributes: givenName,sn,cn
8 | - Query filter: uid=payden.tomcheck
9 |
10 | ## Solution
11 |
12 | ## Syntax:
13 |
14 | ```
15 | (Connection Protocol)://(Server name):(port)/(Base DN)?(Attributes)?(Query filter)
16 | ```
17 | ```
18 |
ldap://ldap.example.com:389/dc=example,dc=com?givenName,sn,cn?(uid=payden.tomcheck) 19 | ``` 20 | -------------------------------------------------------------------------------- /EX380/01-02 LDAP.md: -------------------------------------------------------------------------------- 1 | ### Create a lab for this question. 2 | ``` 3 | lab start auth-ldap 4 | ``` 5 | 6 | # You need to install and configure the LDAP 7 | ```html 8 | Name: : ANISH-ldap-ex380-1 9 | Bind DN (-D) : cn=Directory Manager 10 | URL and BaseDN : ldaps://rhds.ocp4.example.com/dc=example,dc=com?uid 11 | Bind password (-w) : redhatocp 12 | Insecure : false 13 | Method : claim 14 | Query Method : uid 15 | 16 | 17 | Attributes 18 | ------------------------ 19 | Preferred username : uid 20 | Email : mail 21 | ID : dn 22 | Name : cn 23 | ``` 24 | 25 | ## Once LDAP configured, user `kristendelgado` must able to login with password `redhat123` 26 | 27 | ## You can download the certificate from below URL and maintain the original name of the certificate. 28 | https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/EX380/ca.crt 29 | --- 30 | 31 | 32 | ### Solution 33 | # Login by admin user 34 | ``` 35 | oc login -u admin -p redhatocp https://api.ocp4.example.com:6443 36 | ``` 37 | ### Identify the URL for the OpenShift web console. 38 | ``` 39 | oc whoami --show-console 40 | ``` 41 | ### For your references. 42 | ``` 43 | [student@workstation ~]$ oc whoami --show-console 44 | https://console-openshift-console.apps.ocp4.example.com 45 | ``` 46 | ### Take the backup. 47 | 48 | ``` 49 | oc get oauth cluster -o yaml 50 | oc get oauth cluster -o yaml > oath.yaml 51 | ``` 52 | 53 | ### Check the ConfigMap and Secret in the `openshift-config` namespace 54 | ``` 55 | oc -n openshift-config get cm,secret 56 | ``` 57 | 58 | ### Open the web console by click on `Red Hat Identity Management` and log in as the `admin` user with the `redhatocp` password. 
### Click `Administration` → `Cluster Settings` from the sidebar menu and then click the `Configuration` tab


### If required, you can roll back the changes.
```
oc replace -f oauth.yaml
```
```
watch oc get pods -n openshift-authentication
```


### For full solution, please watch my private video for this topic.

--------------------------------------------------------------------------------
/EX380/01-03 LDAP.md:
--------------------------------------------------------------------------------

```
lab start auth-ldap
```

# You need to install and configure the LDAP
```text
Name                : ANISH-ldap-ex380
Bind DN (-D)        : cn=Directory Manager
Base DN             : dc=example, dc=com
Server Hostname     : rhds.ocp4.example.com
Bind password (-w)  : redhatocp
Connection Protocol : ldaps
Insecure            : false
Method              : claim
Query Method        : uid


Attributes ⬅️ ⬅️ 👈👈👈👈
------------------------
Preferred username  : uid
Email               : mail
ID                  : dn
Name                : cn
```
## Once LDAP is configured, user `kristendelgado` must be able to log in with password `redhat123`
- You should use 'secret' for `bind password` with name `ldap-bind-pass` in the `openshift-config` namespace.
- You must use 'configmap' for the `certificate` with name `ldap-ca-config` in the `openshift-config` namespace.
## You can download the certificate from the URL below.
https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/EX380/ca.crt

---


### Solution
# Login by admin user
```
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
```
### Identify the URL for the OpenShift web console.
```
oc whoami --show-console
```
### For your reference.
```
[student@workstation ~]$ oc whoami --show-console
https://console-openshift-console.apps.ocp4.example.com
```
### Take the backup.

```
oc get oauth cluster -o yaml
oc get oauth cluster -o yaml > oauth.yaml
```

### Check the ConfigMap and Secret in the `openshift-config` namespace
```
oc -n openshift-config get cm,secret
```
```
oc -n openshift-config create configmap ldap-ca-config --from-file ca.crt=rhds_ca.crt
oc -n openshift-config create secret generic ldap-bind-pass --from-literal bindPassword=redhatocp
```
### Open the web console by clicking `Red Hat Identity Management` and log in as the `admin` user with the `redhatocp` password.
### Click `Administration` → `Cluster Settings` from the sidebar menu and then click the `Configuration` tab



### If required, you can roll back the changes.
```
oc replace -f oauth.yaml
```
```
watch oc get pods -n openshift-authentication
```

--------------------------------------------------------------------------------
/EX380/02- OADP.pptx:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/EX380/02-02 oadp.md:
--------------------------------------------------------------------------------
### Prepare the lab
```
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
lab start backup-restore
curl -o backup-db-manul.yaml https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/EX380/backup-db-manual-02-02.yml

oc apply -f backup-db-manul.yaml
sleep 40s;
oc delete project database
```
# Question: One customer database application has suddenly crashed and the good news is that we have a backup.
# Your task is to restore the failed application and the restore name must be 'restore-app'
## You may download the restore file from the link below.
https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/EX380/restore.yaml

---
## Solution:
```
velero get backup db-manual
velero get backup db-manual -o yaml | grep -i namespace -A 3
vi restore-db-crash.yml
oc apply -f restore-db-crash.yml
velero get restore
velero describe restore restore-app
velero get restore
velero describe restore restore-app --details

oc project database
```

--------------------------------------------------------------------------------
/EX380/02-03 oadp.md:
--------------------------------------------------------------------------------
## How you can reach me?
```
linkedin: anishrana2001
Email ID: anishrana2001@rediffmail.com
```

### Prepare the lab
```
oc login -u admin -p redhatocp https://api.ocp4.example.com:6443
lab start backup-restore

oc new-project chapter1
curl -o my-app-deployment https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/EX380/deployment-02%3A03-backup.yaml
oc apply -f my-app-deployment

curl -o backup-my-app.yaml https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/EX380/backup-my-app-02-03.yaml
oc apply -f backup-my-app.yaml

sleep 40s;
oc delete project chapter1
```
# Question: One customer database application has suddenly crashed and the good news is that we have a backup.
# Your task is to restore the failed application and the restore name must be 'restore-my-app'

# You can use the documentation below:
```
https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/backup_and_restore/oadp-application-backup-and-restore
```
---
## Solution:
```

oc project openshift-adp
oc exec -it deployment.apps/velero -c velero -- ./velero get backup my-app

velero get backup my-app -o yaml | grep -i namespace -A 3
vi restore-my-app.yml
oc apply -f restore-my-app.yml


velero get restore
velero describe restore restore-my-app

velero describe restore restore-my-app --details

oc project chapter1

oc get all
oc logs POD_NAME
oc create sa myservice
# -z grants the SCC to the service account rather than to a user named "myservice"
oc adm policy add-scc-to-user anyuid -z myservice
oc set serviceaccount deployment.apps/my-app-deployment myservice
oc get all
```

## How to clean the lab?

```
oc exec -it deployment.apps/velero -c velero -- ./velero delete backup my-app
oc exec -it deployment.apps/velero -c velero -- ./velero delete restore restore-my-app
oc delete project chapter1
lab finish backup-restore
```

--------------------------------------------------------------------------------
/EX380/03-03 Token.md:
--------------------------------------------------------------------------------


# Question: You need to give a user read-only access to your OpenShift Container Platform (OCP) cluster so that the user can monitor all the resources.
For this, you need to create a client certificate that allows the user to examine everything in the cluster but does not allow the user to make any changes.

- A client certificate must exist with the username: `mon-punit`
- A group name: `cluster-monitoring-app`
- Members of this group have access to the cluster role: `cluster-reader`
- The client certificate you can download from below link.
- The client certificate must not be able to create or delete projects
- The client certificate must be able to view all pods in the cluster
- kubeconfig file name must be `mykube.config` in the `/home/student` directory.

## You can use the command below to generate the key and CSR.
`openssl req -newkey rsa:4096 -keyout /home/student/data/monitoing.key -nodes -subj "/O=cluster-monitoring-app/CN=mon-punit" -out /home/student/data/mon.csr`

---
## Solution:

```
[student@workstation ~]$ oc adm groups new cluster-monitoring-app
group.user.openshift.io/cluster-monitoring-app created

[student@workstation ~]$ oc adm groups add-users cluster-monitoring-app mon-punit
group.user.openshift.io/cluster-monitoring-app added: "mon-punit"


[student@workstation ~]$ oc get clusterrole cluster-reader
NAME             CREATED AT
cluster-reader   2024-03-05T20:06:28Z


[student@workstation ~]$ oc adm policy add-cluster-role-to-group cluster-reader cluster-monitoring-app
clusterrole.rbac.authorization.k8s.io/cluster-reader added: "cluster-monitoring-app"

[student@workstation ~]$ mkdir test
[student@workstation ~]$ cd test/
```



--------------------------------------------------------------------------------
/EX380/06-02 Taint.md:
--------------------------------------------------------------------------------
### Prepare the lab.
```
oc adm taint node $(oc get nodes | awk '{print $1}' | grep -v NAME) datacenter=delhi:NoSchedule
oc new-project chapter1
oc new-app --name webserver-app1 --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
```

# Question: An application is running on the `chapter1` project. There is one pod running, and your task is to make sure it generates the output.

--------------------------------------------------------------------------------
/EX380/06-03 taint.md:
--------------------------------------------------------------------------------
## Prepare the lab.
```
oc adm taint nodes worker01 dedicated=app1:NoSchedule
oc adm taint nodes worker02 dedicated=app1:NoSchedule
oc adm taint nodes worker03 dedicated=app1:NoSchedule
```

### Just for your information: You can also use the `kubectl` command, `kubectl taint node worker03 dedicated=app1:NoSchedule`

# Question: You need to check why new pods are not being created on the OCP cluster.

## Solution:

```
oc get nodes
```
```
oc get nodes worker01 -o yaml| grep -i taint -A 4
```

```
oc adm taint node worker01 dedicated-
oc adm taint node worker02 dedicated-
oc adm taint node worker03 dedicated-
```

### With the help of a `for` loop.


```
for i in {01..03} ; do echo $i ; done
```


```
for i in {01..03} ; do oc get nodes worker$i ; done
```

```
for i in {01..03} ; do oc get nodes worker$i -o yaml ; done
```

```
for i in {01..03} ; do oc get nodes worker$i -o yaml | grep -i taint ; done
```

```
for i in {01..03} ; do oc get nodes worker$i -o yaml | grep -i taint -A 4; done
```


### Below is the reference output.

```
[student@workstation test]$ oc get nodes worker01 -o yaml| grep -i taint -A 4
  taints:
  - effect: NoSchedule
    key: dedicated
    value: app1
status:
[student@workstation test]$ oc adm taint node worker01 dedicated-
node/worker01 untainted
[student@workstation test]$
[student@workstation test]$ oc adm taint node worker02 dedicated-
node/worker02 untainted
[student@workstation test]$ oc adm taint node worker03 dedicated-
node/worker03 untainted
[student@workstation test]$
```

--------------------------------------------------------------------------------
/EX380/Console-operator-05-02.yaml:
--------------------------------------------------------------------------------
apiVersion: operator.openshift.io/v1
kind: Console
metadata:
  name: cluster
  annotations:
    argocd.argoproj.io/sync-options: ServerSideApply=true,Validate=false
spec:
  customization:
    customProductName: Production

--------------------------------------------------------------------------------
/EX380/DataProtectionApplication.yaml:
--------------------------------------------------------------------------------
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: @
  namespace: @
spec:
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultPlugins:
      - aws
      - openshift
      defaultSnapshotMoveData: true
  backupLocations:
  - velero:
      config:
        profile: "default"
        region: "us-east-1"
        s3Url: @
        s3ForcePathStyle: "true"
        insecureSkipTLSVerify: "true"
      provider: aws
      default: true
      credential:
        key: @
        name: @
      objectStorage:
        bucket: @
        prefix: oadp
        caCert: @

--------------------------------------------------------------------------------
/EX380/ObjectBucketClaim.yaml:
--------------------------------------------------------------------------------
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: @
spec:
  storageClassName: @
  generateBucketName: @

--------------------------------------------------------------------------------
/EX380/backup-db-manual-02-02.yml:
--------------------------------------------------------------------------------
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: db-manual
  namespace: openshift-adp
spec:
  includedNamespaces:
  - database
  orLabelSelectors:
  - matchLabels:
      app: mariadb
  - matchLabels:
      kubernetes.io/metadata.name: database
  includedResources:
  - namespace
  - deployments
  - configmaps
  - secrets
  - pvc
  - pv
  - services

--------------------------------------------------------------------------------
/EX380/backup-db-manual.yaml:
--------------------------------------------------------------------------------
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: @
  namespace: @
spec:
  includedNamespaces:
  - @
  orLabelSelectors:
  - matchLabels:
      @
  - matchLabels:
      @
  includedResources:
  - namespace
  - deployments
  - configmaps
  - secrets
  - pvc
  - pv
  - services

--------------------------------------------------------------------------------
/EX380/backup-my-app-02-03.yaml:
--------------------------------------------------------------------------------
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: my-app
  namespace: openshift-adp
spec:
  includedNamespaces:
  - chapter1
  orLabelSelectors:
  - matchLabels:
      app: my-app
  - matchLabels:
      kubernetes.io/metadata.name: chapter1
  includedResources:
  - namespace
  - deployments
  - configmaps
  - secrets
  - pvc
  - pv
  - services

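The `vi restore-db-crash.yml` and `vi restore-my-app.yml` steps in the 02-02 and 02-03 solutions do not show the file contents. The following is an added example, not a file from this repository: two Restore objects filled in from the repository's `restore.yaml` template and the `db-manual` and `my-app` Backup manifests. Creating them in `openshift-adp` next to the Backups, the `includedNamespaces` entries, and the commented-out target project name are assumptions.

```yaml
# Added example, not part of the repository.
# Restore for task 02-02: backup "db-manual", required restore name "restore-app".
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: restore-app            # name required by the 02-02 task
  namespace: openshift-adp     # assumption: same namespace as the Backup objects
spec:
  backupName: db-manual        # metadata.name in backup-db-manual-02-02.yml
  includedNamespaces:          # assumption: limit the restore to the backed-up project
  - database
  restorePVs: true             # value taken from the restore.yaml template
---
# Restore for task 02-03: backup "my-app", required restore name "restore-my-app".
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: restore-my-app         # name required by the 02-03 task
  namespace: openshift-adp     # assumption: same namespace as the Backup objects
spec:
  backupName: my-app           # metadata.name in backup-my-app-02-03.yaml
  includedNamespaces:
  - chapter1
  restorePVs: true
  # namespaceMapping (present in the template) is only needed when restoring
  # into a different project. The target name below is hypothetical:
  # namespaceMapping:
  #   chapter1: chapter1-restored
```

Both Backups list `secrets` in `includedResources`, so each Restore also re-creates the project's Secret objects with the values they held at backup time.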
--------------------------------------------------------------------------------
/EX380/ca.crt:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/EX380/deployment-02:03-backup.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-deployment
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-container
        image: registry.ocp4.example.com:8443/redhattraining/hello-world-nginx:v1.0
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000710000
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: nginx-logs
          mountPath: "/var/log/nginx"
        - name: nginx-tmp
          mountPath: "/var/lib/nginx/tmp"
        - name: nginx-run
          mountPath: "/run"
      volumes:
      - name: nginx-logs
        emptyDir: {}
      - name: nginx-tmp
        emptyDir: {}
      - name: nginx-run
        emptyDir: {}

--------------------------------------------------------------------------------
/EX380/dummy-csr-0303-token.yaml:
--------------------------------------------------------------------------------
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: @
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 604800 # one week
  request: @
  usages:
  - client auth

--------------------------------------------------------------------------------
/EX380/mariadb-application.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: ConfigMap
  metadata:
    annotations:
      openshift.io/generated-by: OpenShiftNewApp
      template.openshift.io/expose-database_name: '{.data[''database-name'']}'
    creationTimestamp: null
    labels:
      app: mysql-persistent
      app.kubernetes.io/component: mysql-persistent
      app.kubernetes.io/instance: mysql-persistent
      app.openshift.io/runtime: mysql-database
      template: mysql-persistent-template
    name: mysql
  data:
    database-name: database
- apiVersion: v1
  kind: Secret
  metadata:
    annotations:
      openshift.io/generated-by: OpenShiftNewApp
      template.openshift.io/expose-password: '{.data[''database-password'']}'
      template.openshift.io/expose-root_password: '{.data[''database-root-password'']}'
      template.openshift.io/expose-username: '{.data[''database-user'']}'
    creationTimestamp: null
    labels:
      app: mysql-persistent
      app.kubernetes.io/component: mysql-persistent
      app.kubernetes.io/instance: mysql-persistent
      app.openshift.io/runtime: mysql-database
      template: mysql-persistent-template
    name: mysql
  stringData:
    database-password: password
    database-root-password: password
    database-user: user
- apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    annotations:
      openshift.io/generated-by: OpenShiftNewApp
    creationTimestamp: null
    labels:
      app: mysql-persistent
      app.kubernetes.io/component: mysql-persistent
      app.kubernetes.io/instance: mysql-persistent
      app.openshift.io/runtime: mysql-database
      template: mysql-persistent-template
    name: mysql
  spec:
    storageClassName: ocs-external-storagecluster-cephfs
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
- apiVersion: apps/v1
  kind: Deployment
  metadata:
    annotations:
      openshift.io/generated-by: OpenShiftNewApp
      template.alpha.openshift.io/wait-for-ready: "true"
    creationTimestamp: null
    labels:
      app: mysql-persistent
      app.kubernetes.io/component: mysql-persistent
      app.kubernetes.io/instance: mysql-persistent
      app.openshift.io/runtime: mysql-database
      template: mysql-persistent-template
    name: mysql
  spec:
    replicas: 1
    selector:
      matchLabels:
        name: mysql
    strategy:
      type: Recreate
    template:
      metadata:
        annotations:
          openshift.io/generated-by: OpenShiftNewApp
        creationTimestamp: null
        labels:
          name: mysql
      spec:
        initContainers:
        - name: init
          image: registry.ocp4.example.com:8443/ubi9/ubi:latest
          imagePullPolicy: IfNotPresent
          command:
          - /bin/sh
          - -vxc
          - 'df -h /opt ; dd if=/dev/urandom of=/opt/.BIG-FILE bs=1M count=770 status=progress || true ; df -h /opt'
          volumeMounts:
          - name: mysql-data
            mountPath: /opt
        containers:
        - name: mysql
          image: registry.ocp4.example.com:8443/rhel9/mysql-80:1
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 3306
          env:
          - name: MYSQL_DATABASE
            valueFrom:
              configMapKeyRef:
                key: database-name
                name: mysql
          - name: MYSQL_USER
            valueFrom:
              secretKeyRef:
                key: database-user
                name: mysql
          - name: MYSQL_PASSWORD
            valueFrom:
              secretKeyRef:
                key: database-password
                name: mysql
          - name: MYSQL_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                key: database-root-password
                name: mysql
          livenessProbe:
            exec:
              command:
              - /bin/sh
              - -i
              - -c
              - MYSQL_PWD="${MYSQL_PASSWORD}" mysqladmin -u ${MYSQL_USER} ping
            initialDelaySeconds: 30
            timeoutSeconds: 1
          readinessProbe:
            exec:
              command:
              - /bin/sh
              - -i
              - -c
              - MYSQL_PWD="${MYSQL_PASSWORD}" mysqladmin -u ${MYSQL_USER} ping
            initialDelaySeconds: 5
            timeoutSeconds: 1
          resources:
            limits:
              memory: 512Mi
          volumeMounts:
          - mountPath: /var/lib/mysql/data
            name: mysql-data
        volumes:
        - name: mysql-data
          persistentVolumeClaim:
            claimName: mysql
- apiVersion: v1
  kind: Service
  metadata:
    annotations:
      openshift.io/generated-by: OpenShiftNewApp
      template.openshift.io/expose-uri: mysql://{.spec.clusterIP}:{.spec.ports[?(.name=="mysql")].port}
    creationTimestamp: null
    labels:
      app: mysql-persistent
      app.kubernetes.io/component: mysql-persistent
      app.kubernetes.io/instance: mysql-persistent
      app.openshift.io/runtime: mysql-database
      template: mysql-persistent-template
    name: mysql
  spec:
    ports:
    - name: mysql
      port: 3306
      targetPort: 0
    selector:
      name: mysql
  status:
    loadBalancer: {}

--------------------------------------------------------------------------------
/EX380/restore.yaml:
--------------------------------------------------------------------------------
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: @
spec:
  backupName: @
  restorePVs: true
  namespaceMapping:
    @

--------------------------------------------------------------------------------
/EX380/rhds_ca.crt-01-03.crt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/RHCE/V-9.0/00 -00 Read_me.md:
--------------------------------------------------------------------------------

### Classroom Machines

| Machine name | IP addresses | Role |
| :----------------------: | :--------------: | :---: |
| bastion.lab.example.com | 172.25.250.254 | Gateway system to connect student private network to classroom server (must always be running) |
| utility.lab.example.com | 172.25.250.8 | System with utility services required for the classroom |
| workstation.lab.example.com | 172.25.250.9 | Graphical workstation used for system administration |
| servera.lab.example.com | 172.25.250.10 | Host managed with Ansible |
| serverb.lab.example.com | 172.25.250.11 | Host managed with Ansible |
| serverc.lab.example.com | 172.25.250.12 | Host managed with Ansible |
| serverd.lab.example.com | 172.25.250.13 | Host managed with Ansible |


### Create the playbooks as the `student` user; the remote user name is `devops`
### The root password on all nodes is `redhat`; log in as the `student` user

### Registry URL: utility.lab.example.com
### Username: admin
### Password: redhat


--------------------------------------------------------------------------------
/RHCE/V-9.0/03-02 Directory.md:
--------------------------------------------------------------------------------

### Create a directory called `/webserver` for the nginx server on the `myprod` host group.
- Owner and group of this directory should be `root`.
- Permission 775
- Set the SGID (set-group-ID) bit on the directory
- Create a symbolic link to it at `/var/www/html/webserver`
- Create an `index.html` file with the content below under the `/webserver` directory.
  - `Welcome to devops-wala`
- Create a playbook with name `/home/student/ansible/webserver.yaml`

### Solution:

```
[student@workstation ansible]$ cat webserver.yaml
---
- name: Creating directory
  hosts: all
  tasks:
    - name: create a webserver directory
      ansible.builtin.file:
        path: /webserver
        state: directory
        owner: root
        group: root
        mode: '2775'

    - name: Create a symbolic link
      ansible.builtin.file:
        src: /webserver
        dest: /var/www/html/webserver
        state: link

    - name: File creation
      ansible.builtin.copy:
        content: 'Welcome to devops-wala'
        dest: /webserver/index.html
        setype: httpd_sys_content_t
[student@workstation ansible]$



[student@workstation ansible]$ ansible-navigator run webserver.yaml -m stdout

PLAY [Creating directory] ******************************************************

TASK [Gathering Facts] *********************************************************
ok: [serverb]
ok: [serverc]
ok: [serverd]
ok: [servera]

TASK [create a webserver directory] ********************************************
changed: [serverc]
changed: [serverd]
changed: [serverb]
changed: [servera]

TASK [Create a symbolic link] **************************************************
changed: [serverb]
changed: [serverc]
ok: [serverd]
changed: [servera]

TASK [File creation] ***********************************************************
ok: [serverd]
changed: [serverb]
changed: [serverc]
changed: [servera]

PLAY RECAP *********************************************************************
servera : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverb : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverc : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverd : ok=4 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[student@workstation ansible]$


#### Post checks.
##### Post checks for the SELinux context.
[student@workstation ansible]$ ansible myprod -m shell -a 'ls -ldZ /var/www/html/'
serverd | CHANGED | rc=0 >>
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 41 Oct 13 10:02 /var/www/html/


##### Post checks for symbolic link
[student@workstation ansible]$ ansible myprod -m shell -a 'ls -l /var/www/html/'
serverd | CHANGED | rc=0 >>
total 4
-rw-r--r--. 1 root root 140 Oct 12 12:34 index.html
lrwxrwxrwx. 1 root root 10 Oct 13 10:02 webserver -> /webserver


##### Post checks for index.html file content.
[student@workstation ansible]$ ansible myprod -m shell -a 'cat /var/www/html/webserver/index.html'
serverd | CHANGED | rc=0 >>
Welcome to devops-wala


##### Post checks for the SGID bit.
[student@workstation ansible]$ ansible myprod -m shell -a 'ls -ld /webserver/'
serverd | CHANGED | rc=0 >>
drwxrwsr-x. 2 root root 24 Oct 13 10:02 /webserver/
[student@workstation ansible]$


##### Post checks for webserver web page opening.
[student@workstation ansible]$ curl http://172.25.250.13/webserver/index.html ; echo
Welcome to devops-wala
[student@workstation ansible]$
```

--------------------------------------------------------------------------------
/RHCE/V-9.0/04-01 Role_create_rhel-system-roles.md:
--------------------------------------------------------------------------------
# Question: Install the RHEL system roles and create a playbook for the NTP server named `ntp-ploybook1.yaml`
- NTP should be installed on all the nodes.
- The timesync role should be used.
- The NTP server to use is `0.rhel.pool.ntp.org`

---


### Solution:

### Install RHEL role
```
sudo yum install rhel-system-roles -y
```

### Copy the example playbook from the role documentation as a reference and update the NTP server address.

```
cp /usr/share/doc/rhel-system-roles/timesync/example-single-pool-playbook.yml ntp-ploybook1.yaml
```

```
vi ntp-ploybook1.yaml
```

### For your references.
```
[student@workstation playbook-manage]$ cp /usr/share/doc/rhel-system-roles/timesync/example-single-pool-playbook.yml ntp-ploybook1.yaml
[student@workstation playbook-manage]$ vi ntp-ploybook1.yaml
[student@workstation playbook-manage]$ cat ntp-ploybook1.yaml
- name: chronyd service
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 0.rhel.pool.ntp.org
        pool: yes
        iburst: yes
  roles:
    - rhel-system-roles.timesync
[student@workstation playbook-manage]$
```
### Roles installed via RPM packages should be executed using `ansible-playbook`, while roles installed as collections should be executed using `ansible-navigator`.
```
ansible-playbook ntp-ploybook1.yaml
```

### Post checks.....
```
ansible all -m shell -a 'grep 0.rhel.pool.ntp.org /etc/chrony.conf'
```

### For your references.
```
[student@workstation ansible]$ ansible all -m shell -a 'grep 0.rhel.pool.ntp.org /etc/chrony.conf'
serverc | CHANGED | rc=0 >>
pool 0.rhel.pool.ntp.org iburst
serverd | CHANGED | rc=0 >>
pool 0.rhel.pool.ntp.org iburst
serverb | CHANGED | rc=0 >>
pool 0.rhel.pool.ntp.org iburst
servera | CHANGED | rc=0 >>
pool 0.rhel.pool.ntp.org iburst
[student@workstation ansible]$
```
---

---

---

# Question 2: Install the RHEL system roles and create a playbook for the NTP server named `ntp-ploybook2.yaml`
- NTP should be installed only on the lab group.
- The timesync role should be used.
- The NTP servers to use are `0.rhel.pool.ntp.org`, `1.rhel.pool.ntp.org` and `2.rhel.pool.ntp.org`

---

### Solution:

### Install RHEL role
```
sudo yum install rhel-system-roles -y
```

### Copy the example playbook from the role documentation as a reference and update the NTP server addresses.

```
cp /usr/share/doc/rhel-system-roles/timesync/example-multiple-ntp-servers-playbook.yml ntp-ploybook2.yaml
```

```
vi ntp-ploybook2.yaml
```

```
[student@workstation playbook-manage]$ cat ntp-ploybook2.yaml
- hosts: lab
  name: ntp server for group lab only
  vars:
    timesync_ntp_servers:
      - hostname: 0.rhel.pool.ntp.org
        iburst: yes
      - hostname: 1.rhel.pool.ntp.org
        iburst: yes
      - hostname: 2.rhel.pool.ntp.org
        iburst: yes
  roles:
    - rhel-system-roles.timesync
[student@workstation playbook-manage]$
```


### Roles installed via RPM packages should be executed using `ansible-playbook`, while roles installed as collections should be executed using `ansible-navigator`.
```
ansible-playbook ntp-ploybook2.yaml
```

### Post checks.....
```
ansible all -m shell -a 'grep 0.rhel.pool.ntp.org /etc/chrony.conf'
```

--------------------------------------------------------------------------------
/RHCE/V-9.0/04-02 role_create_rhel-system-roles.md:
--------------------------------------------------------------------------------
## Question: Create a playbook called `/home/student/ansible/ansible-role-selinux.yaml` that completes the tasks below.
- hosts: all
- Must use `rhel-system-roles.selinux`
- selinux_policy: targeted
- selinux_state: enforcing

---



## Solution:
```
cp /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml ansible-role-selinux.yaml
```
### Remove the unwanted lines so that it looks like the file below.
```
[student@workstation ansible]$ cat ansible-role-selinux.yaml
---
- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    # Use "targeted" SELinux policy type
    selinux_policy: targeted # ⬅️ ⬅️ 👈👈👈👈
    # Set "enforcing" mode # ⬅️ ⬅️ 👈👈👈👈
    selinux_state: enforcing
  tasks:
    - name: execute the role and catch errors
      block:
        - name: Include selinux role
          include_role:
            name: rhel-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        - name: handle errors
          fail:
            msg: "role failed"
          when: not selinux_reboot_required

        - name: restart managed host
          reboot:

        - name: wait for managed host to come back
          wait_for_connection:
            delay: 10
            timeout: 300

        - name: reapply the role
          include_role:
            name: rhel-system-roles.selinux # ⬅️ ⬅️ 👈👈👈👈
[student@workstation ansible]$
```

### Once the file is created, apply this playbook.
```
ansible-playbook ansible-role-selinux.yaml
```

### Post checks!!!
```
ansible all -m shell -a 'grep ^SELINUX /etc/selinux/config; getenforce'
```

```
[student@workstation ansible]$ ansible all -m shell -a 'grep ^SELINUX /etc/selinux/config; getenforce'
serverb | CHANGED | rc=0 >>
SELINUX=enforcing ⬅️ ⬅️ 👈👈👈👈
SELINUXTYPE=targeted ⬅️ ⬅️ 👈👈👈👈
Enforcing ⬅️ ⬅️ 👈👈👈👈
servera | CHANGED | rc=0 >>
SELINUX=enforcing
SELINUXTYPE=targeted
Enforcing
serverc | CHANGED | rc=0 >>
SELINUX=enforcing
SELINUXTYPE=targeted
Enforcing
serverd | CHANGED | rc=0 >>
SELINUX=enforcing
SELINUXTYPE=targeted
Enforcing
[student@workstation ansible]$
```

--------------------------------------------------------------------------------
/RHCE/V-9.0/05-01 Install a Collection.md:
--------------------------------------------------------------------------------
## Lab for this question
```
lab start role-collections
```




### Question: Install the collections below, which are available under the directory `/home/student/role-collections/`
- gls-utils-0.0.1.tar.gz
- community-general-5.5.0.tar.gz
- redhat-insights-1.0.7.tar.gz
- redhat-rhel_system_roles-1.19.3.tar.gz

#### Make sure that these collections are installed in `/home/student/ansible/my-collection`
### Create a playbook called `requirement.yaml` under the `/home/student/ansible/` dir.
#### Note: The task may also ask you to download these packages from a URL, like the one below.
`http://https://github.com/anishrana2001/Openshift/edit/main/RHCE/V-9.0/`

---

### Solution:
### Note:
### We already created the directory `/home/student/ansible/my-collection` in the first question.

### Pre-checks!!!
```
ansible-galaxy collection list
```
### Create a file with any name; `requirements.yml` is used here so that the `-r` option is easy to remember.

```
vi requirements.yml
```
### For practice purposes, you can use local paths like this.
```
[student@workstation ansible]$ cat requirements.yml
---
collections:
  - name: /home/student/role-collections/gls-utils-0.0.1.tar.gz
  - name: /home/student/role-collections/redhat-insights-1.0.7.tar.gz
  - name: /home/student/role-collections/redhat-rhel_system_roles-1.19.3.tar.gz
  - name: /home/student/role-collections/community-general-5.5.0.tar.gz
[student@workstation ansible]$

```
### If the collections have to be downloaded from the URL, the file should look like this instead.
```
---
collections:
  - name: http://https://github.com/anishrana2001/Openshift/edit/main/RHCE/V-9.0/gls-utils-0.0.1.tar.gz
  - name: http://https://github.com/anishrana2001/Openshift/edit/main/RHCE/V-9.0/redhat-insights-1.0.7.tar.gz
  - name: http://https://github.com/anishrana2001/Openshift/edit/main/RHCE/V-9.0//redhat-rhel_system_roles-1.19.3.tar.gz
  - name: http://https://github.com/anishrana2001/Openshift/edit/main/RHCE/V-9.0//community-general-5.5.0.tar.gz
[student@workstation ansible]$
```

### Now, install the collections with the `ansible-galaxy` command.

```
ansible-galaxy collection install -r requirements.yml -p /home/student/ansible/my-collection/
```

### Post checks!!!
```
ansible-navigator collections
```

```
ansible-galaxy collection list
```

--------------------------------------------------------------------------------
/RHCE/V-9.0/09-01 Copy.md:
--------------------------------------------------------------------------------
### Question: Your task is to overwrite the file `/etc/redhat-release` as follows.
- Create a playbook named `redhat-release.yaml` under the `/home/student/ansible/` directory for this task.
- Nodes in the `lab` hosts group should have `username rajan`
- Nodes in the `production` hosts group should have `YouTube channel=devops-wala`
- Node `serverb` should have `anishrana2001`

---

### Solution:

#### Search for the `content` key in the output of the command below.
```
ansible-doc copy
```
```
- name: Copy using inline content
  ansible.builtin.copy:
    content: '# This file was moved to /etc/other.conf'
    dest: /etc/mine.conf
```
#### You need to add the line `when: inventory_hostname in groups.lab` at the end, like below.

```
- name: Copy using inline content
  ansible.builtin.copy:
    content: username rajan
    dest: /etc/redhat-release
  when: inventory_hostname in groups.lab
```

### Now, create an Ansible playbook `/home/student/ansible/redhat-release.yaml`
```
---
- name: Modidy the file.
  hosts: all
  tasks:
    - name: Copy using inline content
      ansible.builtin.copy:
        content: username rajan
        dest: /etc/redhat-release
      when: inventory_hostname in groups.lab

    - name: Copy using inline content
      ansible.builtin.copy:
        content: YouTube channel=devops-wala
        dest: /etc/redhat-release
      when: inventory_hostname in groups.production

    - name: Copy using inline content
      ansible.builtin.copy:
        content: anishrana2001
        dest: /etc/redhat-release
      when: inventory_hostname == "serverb"
```
### Run the playbook.
```
ansible-navigator run redhat-release.yaml -m stdout
```

### Post checks.!!!
```
ansible all -m shell -a 'cat /etc/redhat-release'
```
---
---
### .
---
---

### For your references.

```
[student@workstation ansible]$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.0 (Plow)


[student@workstation ansible]$ cat /home/student/ansible/redhat-release.yaml
---
- name: Modidy the file.
  hosts: all
  tasks:
    - name: Copy using inline content
      ansible.builtin.copy:
        content: username rajan
        dest: /etc/redhat-release
      when: inventory_hostname in groups.lab

    - name: Copy using inline content
      ansible.builtin.copy:
        content: YouTube channel=devops-wala
        dest: /etc/redhat-release
      when: inventory_hostname in groups.production

    - name: Copy using inline content
      ansible.builtin.copy:
        content: anishrana2001
        dest: /etc/redhat-release
      when: inventory_hostname == "serverb"
[student@workstation ansible]$



[student@workstation ansible]$ ansible-navigator run redhat-release.yaml -m stdout

PLAY [Modidy the file.] ********************************************************

TASK [Gathering Facts] *********************************************************
ok: [serverc]
ok: [serverd]
ok: [servera]
ok: [serverb]

TASK [Copy using inline content] ***********************************************
skipping: [serverb]
skipping: [serverc]
skipping: [serverd]
ok: [servera]

TASK [Copy using inline content] ***********************************************
skipping: [servera]
skipping: [serverb]
skipping: [serverc]
changed: [serverd]

TASK [Copy using inline content] ***********************************************
skipping: [servera]
skipping: [serverb]
ok: [serverc]
changed: [serverd]

TASK [Copy using inline content] ***********************************************
skipping: [servera]
skipping: [serverc]
skipping: [serverd]
changed: [serverb]

PLAY RECAP *********************************************************************
servera : ok=2 changed=0 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0
serverb : ok=2 changed=1 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0
serverc : ok=2 changed=0 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0
serverd : ok=3 changed=2 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
[student@workstation ansible]$




#### Post checks

[student@workstation ansible]$ ansible all -m shell -a 'cat /etc/redhat-release'
serverd | CHANGED | rc=0 >>
YouTube channel=devops-wala
serverc | CHANGED | rc=0 >>
YouTube channel=devops-wala
servera | CHANGED | rc=0 >>
username rajan
serverb | CHANGED | rc=0 >>
anishrana2001
[student@workstation ansible]$
```

--------------------------------------------------------------------------------
/RHCE/V-9.0/10-01 lvm.md:
--------------------------------------------------------------------------------
# This question shows how to create an LVM logical volume from an Ansible playbook.

### Question: Create an LVM logical volume that fulfills the tasks below.

- Create a playbook for this task named `mylvm.yaml` under the `/home/student/ansible` directory.
- Create a Volume Group (VG) named `firefly`.
- Create a logical volume named `firefly` under the Volume Group named `firefly`.
- Size of the logical volume should be `512 MiB`
- Filesystem of this logical volume should be ext4.
- Must use the `/dev/vdb` disk.

---


## Solution:
### We can take reference from the documentation below.
```
ansible-doc community.general.lvol
ansible-doc community.general.filesystem
```



### Log in to your managed node and check which partition is free. For me, I can see that `vdb` is free.
```
[root@workstation ~]# ssh servera -l root

[root@servera ~]# lsblk -fs
NAME  FSTYPE FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
vda1
└─vda
vda2  vfat   FAT16       7B77-95E7                             192.8M     3% /boot/efi
└─vda
vda3  xfs          boot  5e75a2b9-1367-4cc8-bb38-4d6abc3964b8  334.7M    32% /boot
└─vda
vda4  xfs          root  fb535add-9799-4a27-b8bc-e8259f39a767    7.6G    19% /
└─vda
vdb   <------- This partition is free.
[root@servera ~]#
```

### Next, log off from the managed node and log back in to your Ansible host machine. For me, it's workstation.



```
vim mylvm.yaml
```
```
---
- name: Create LVM, volume group, and ext4 filesystem on /dev/vdb without command module
  hosts: all
  become: true
  gather_facts: true
  tasks:
    - name: Create volume group firefly on /dev/vdb
      community.general.lvg:
        vg: firefly
        pvs: /dev/vdb

    - name: Create logical volume firefly
      community.general.lvol:
        vg: firefly
        lv: firefly
        size: 512m

    - name: Create ext4 filesystem on logical volume
      ansible.builtin.filesystem:
        fstype: ext4
        dev: /dev/firefly/firefly
```


### Run the playbook.
```
ansible-navigator run mylvm.yaml -m stdout
```

### Post checks.
```
ansible servera -m shell -a 'vgdisplay'
```
```
ansible servera -m shell -a 'lvdisplay'
```


```
[student@workstation ansible]$ ansible-navigator run mylvm.yaml -m stdout

PLAY [Create LVM, volume group, and ext4 filesystem on /dev/vdb without command module] ***

TASK [Gathering Facts] *********************************************************
ok: [serverb]
ok: [serverc]
ok: [serverd]
ok: [servera]

TASK [Create volume group firefly on /dev/vdb] *********************************
ok: [serverb]
ok: [serverd]
ok: [serverc]
ok: [servera]

TASK [Create logical volume firefly] *******************************************
ok: [servera]
ok: [serverb]
ok: [serverd]
ok: [serverc]

TASK [Create ext4 filesystem on logical volume] ********************************
ok: [serverb]
ok: [serverd]
ok: [servera]
ok: [serverc]

PLAY RECAP *********************************************************************
servera : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverb : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverc : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverd : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[student@workstation ansible]$



[student@workstation ansible]$ ansible servera -m shell -a 'lvdisplay'
servera | CHANGED | rc=0 >>
  --- Logical volume ---
  LV Path                /dev/firefly/firefly
  LV Name                firefly
  VG Name                firefly
  LV UUID                EcNKMA-pTiL-fsJi-t8eP-hPFd-vJ4H-s6bX05
  LV Write Access        read/write
  LV Creation host, time servera.lab.example.com, 2025-10-14 05:43:42 -0400
  LV Status              available
  # open                 0
  LV Size                512.00 MiB
  Current LE             128
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     8192
  Block device           253:0

[student@workstation ansible]$ ansible servera -m shell -a 'vgdisplay'
servera | CHANGED | rc=0 >>
  --- Volume group ---
  VG Name               firefly
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  2
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                1
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               1020.00 MiB
  PE Size               4.00 MiB
  Total PE              255
  Alloc PE / Size       128 / 512.00 MiB
  Free PE / Size        127 / 508.00 MiB
  VG UUID               neNYxg-p1Mh-EnAs-1ENU-Ni2N-KKsB-KcxdKr

[student@workstation ansible]$
```

--------------------------------------------------------------------------------
/RHCE/V-9.0/10-03 files-dir.md:
--------------------------------------------------------------------------------
## Question: Create an Ansible playbook with the following requirements:
- Name the playbook `myfile-q2.yaml` and place it in `/home/student/ansible`.
- Create a directory named `/secured_data`.
- Create a file named `/secured_data/secret.txt`.
- Set the permissions of the `directory` to `0700` and the `file` to `0600`.
- If setting permissions to the file or directory fails, print the error message `Could not set strict permissions!`
- If the directory `/secured_data` does not exist and cannot be created, print the error message `Directory /secured_data could not be created, please check!`
- After any failure, ensure no leftover file is present at `/secured_data/secret.txt`.

---

### Solution:

### Create a file.

```
---
- name: Secure file and directory creation with error handling
  hosts: all
  become: true
  tasks:

    - block:
        - name: Create /secured_data directory
          ansible.builtin.file:
            path: /secured_data
            state: directory
            mode: '0700'

        - name: Create /secured_data/secret.txt file
          ansible.builtin.file:
            path: /secured_data/secret.txt
            state: touch
            mode: '0600'

      rescue:
        - name: Print error if directory or file cannot be created with strict permissions
          ansible.builtin.debug:
            msg: "Could not set strict permissions!"
        - name: Cleanup possible leftover file if error occurs
          ansible.builtin.file:
            path: /secured_data/secret.txt
            state: absent

        # ansible_facts carries no per-path file data, so check the directory with stat.
        - name: Check whether /secured_data exists
          ansible.builtin.stat:
            path: /secured_data
          register: secured_dir

        - name: Fail if directory creation failed entirely
          ansible.builtin.fail:
            msg: "Directory /secured_data could not be created, please check!"
          when: not secured_dir.stat.exists

```

--------------------------------------------------------------------------------
/RHCE/V-9.0/11-01 file_creation_modification.md:
--------------------------------------------------------------------------------
### Download and then modify the file.
- Create a playbook named `gather-information1.yaml` in the `/home/student/ansible` directory.
- The playbook should download the file and name it `node_information.yaml` in the `/root` directory.
  - `https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/RHCE/V-9.0/gather_information-11.yaml`
- Modify this file `node_information.yaml` with the inventory hostname.
  - BIOS version
  - lvm name
  - Disk size of vda
  - Disk size of vdb
  - Total CPU
  - Total memory
  - FQDN name
  - IP address of host
- Should run on all hosts in the inventory file. If a value is not fetched, it should print NONE.

---
### Solution:

### Get the help for "how to download the file in the playbook?"

```
ansible-doc get_url
```
```
EXAMPLES:

- name: Download foo.conf
  ansible.builtin.get_url:
    url: http://example.com/path/file.conf
    dest: /etc/foo.conf
    mode: '0440'
```

### Get the help for "how to modify the file".
```
ansible-doc -l | grep lineinfile
```
```
ansible-doc ansible.builtin.lineinfile
```
### You will find:
```
EXAMPLES:

# NOTE: Before 2.3, option 'dest', 'destfile' or 'name' was used instead of 'path'
- name: Ensure SELinux is set to enforcing mode
  ansible.builtin.lineinfile:
    path: /etc/selinux/config
    regexp: '^SELINUX='
    line: SELINUX=enforcing
```


### Now, let's create an Ansible playbook
```
---
- name: Gather information
  hosts: all
  tasks:
    - name: Download foo.conf
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/RHCE/V-9.0/gather_information-11.yaml
        dest: /root/node_information.yaml

    - name: Ensure SELinux is set to enforcing mode
      ansible.builtin.lineinfile:
        path: /root/node_information.yaml
        regexp: '^HOST='
        line: "HOST={{ inventory_hostname }}"
```

### Run the playbook.
```
ansible-navigator run gather-information1.yaml -m stdout
```

### Post checks.
```
ansible servera -m shell -a "cat /root/node_information.yaml"
```

### For your reference.
```

[student@workstation ansible]$ cat gather-information1.yaml
---
- name: Gather information
  hosts: all
  tasks:
    - name: Download foo.conf
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/RHCE/V-9.0/gather_information-11.yaml
        dest: /root/node_information.yaml

    - name: Ensure SELinux is set to enforcing mode
      ansible.builtin.lineinfile:
        path: /root/node_information.yaml
        regexp: '^HOST='
        line: "HOST={{ inventory_hostname }}"
[student@workstation ansible]$


[student@workstation ansible]$ ansible-navigator run gather-information1.yaml -m stdout

PLAY [Gather information] ******************************************************

TASK [Gathering Facts] *********************************************************
ok: [serverc]
ok: [serverb]
ok: [servera]
ok: [serverd]

TASK [Download foo.conf] *******************************************************
changed: [servera]
changed: [serverb]
changed: [serverd]
changed: [serverc]

TASK [Ensure SELinux is set to enforcing mode] *********************************
changed: [serverc]
changed: [serverb]
changed: [servera]
changed: [serverd]

PLAY RECAP *********************************************************************
servera : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverb : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverc : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverd : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[student@workstation ansible]$


[student@workstation ansible]$ ansible servera -m shell -a "cat /root/node_information.yaml"
servera | CHANGED | rc=0 >>
### Below are the details of nodes.
HOST=servera
[student@workstation ansible]$

```


```
---
- name: gather information
  hosts: all
  tasks:
    - name: Download foo.conf
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/RHCE/V-9.0/gather_information-11.yaml
        dest: /root/node_information.yaml

    - name: Ensure SELinux is set to enforcing mode
      ansible.builtin.lineinfile:
        path: /root/node_information.yaml
        regexp: '^HOST'
        line: "HOST={{ inventory_hostname }}"


    - name: Ensure SELinux is set to enforcing mode
      ansible.builtin.lineinfile:
        path: /root/node_information.yaml
        regexp: '^MEMORY'
        line: "MEMORY={{ ansible_memtotal_mb | default('NONE', true) }}"


    - name: Ensure SELinux is set to enforcing mode
      ansible.builtin.lineinfile:
        path: /root/node_information.yaml
        regexp: '^BIOS'
        line: "BIOS={{ ansible_bios_version | default('NONE', true) }}"


    - name: Ensure SELinux is set to enforcing mode
      ansible.builtin.lineinfile:
        path: /root/node_information.yaml
        regexp: '^DISK_SIZE_VDA'
        line: "DISK_SIZE_VDA={{ ansible_devices.vda.size | default('NONE', true) }}"


    - name: Ensure SELinux is set to enforcing mode
      ansible.builtin.lineinfile:
        path: /root/node_information.yaml
        regexp: '^DISK_SIZE_VDB'
        line: "DISK_SIZE_VDB={{ ansible_devices.vdb.size | default('NONE', true) }}"
```
--------------------------------------------------------------------------------
/RHCE/V-9.0/12-01 Vault.md:
--------------------------------------------------------------------------------
### Question 1: Write an Ansible vault file named `pass-vault.yml` that creates the `anishrana2001` & `punit` users.
It must do so as follows:
- Set the password as a variable with the key `pw_punit` and the value `devops-wala` in the `pass-vault.yml` file under the `/home/student/ansible/` directory, which is encrypted with Ansible Vault.
- The password for the `pw_rajan` user is `vtyshshbash` in the `pass-vault.yml` file under the `/home/student/ansible/` directory, which is encrypted with Ansible Vault.
- The password to encrypt and decrypt the vault is `ThisisaStrongpassword`; store it in the `mysecret.txt` file under the `/home/student/ansible/` directory.
---

### Solution:

### The password to encrypt and decrypt the vault is `ThisisaStrongpassword`; store it in the `mysecret.txt` file under the `/home/student/ansible/` directory.
```
echo "ThisisaStrongpassword" > /home/student/ansible/mysecret.txt
```

### Update the ansible.cfg file with the new vault file location.
```
vault_password_file=/home/student/ansible/mysecret.txt
```

### Now, create a file which has the users' information.
```
ansible-vault create /home/student/ansible/pass-vault.yml
```
### It will ask for the password first; use `ThisisaStrongpassword`, then add the key-value pairs.
```
---
pw_punit: devops-wala
pw_rajan: vtyshshbash
```
### Save the file and exit.

### You can see the content of this file only after giving the right password `ThisisaStrongpassword`.
```
[student@workstation ansible]$ ansible-vault view --ask-vault-password pass-vault.yml
Vault password:
---
pw_punit: devops-wala
pw_rajan: vtyshshbash

[student@workstation ansible]$
```
---
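A post-check for the two files created above, as an added example that is not part of the original solution: it confirms that `pass-vault.yml` really carries the `$ANSIBLE_VAULT;` header that `ansible-vault` writes, and that the plaintext password file `mysecret.txt` is accessible only to its owner. The function names and the constructed sample files are assumptions of the example; `stat -c` is the GNU coreutils form found on RHEL.

```shell
#!/usr/bin/env bash
# Added example: audit an Ansible Vault file and its password file.
# All function names are hypothetical; paths are passed as arguments.

# is_vault_encrypted FILE
# Returns 0 when the first line is an Ansible Vault envelope header such as
# "$ANSIBLE_VAULT;1.1;AES256", 1 for any other content, 2 if unreadable.
is_vault_encrypted() {
    local first=''
    [ -r "$1" ] || return 2
    IFS= read -r first < "$1" || true
    case "$first" in
        '$ANSIBLE_VAULT;'*';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# pwfile_mode_ok FILE
# Returns 0 when FILE grants nothing to group or others (0600, 0400, ...).
pwfile_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    # Treat the mode as octal and mask the group/other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# write_pwfile FILE
# Reads the vault password from stdin and stores it with mode 0600, so the
# secret is never typed as a command-line argument.
write_pwfile() {
    ( umask 077; cat > "$1" ) && chmod 600 "$1"
}

# audit_vault_setup VAULT_FILE PASSWORD_FILE
# Prints one line per finding and returns the number of findings.
audit_vault_setup() {
    local findings=0
    if ! is_vault_encrypted "$1"; then
        echo "FAIL: $1 has no \$ANSIBLE_VAULT header (not encrypted)"
        findings=$((findings + 1))
    fi
    if ! pwfile_mode_ok "$2"; then
        echo "FAIL: $2 is accessible to group/others; use chmod 600"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: $1 is encrypted and $2 is owner-only"
    fi
    return "$findings"
}

# demo: runs the audit against constructed files in a temporary directory.
demo() {
    local d rc_loose=0 rc_tight=0
    d=$(mktemp -d) || return 1
    # Constructed stand-in for an encrypted file: real header, dummy payload.
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3031323334353637' > "$d/pass-vault.yml"
    # Password file as a plain `echo ... >` leaves it under umask 022.
    ( umask 022; printf '%s\n' 'ThisisaStrongpassword' > "$d/mysecret.txt" )
    audit_vault_setup "$d/pass-vault.yml" "$d/mysecret.txt" || rc_loose=$?
    # Same password, written through write_pwfile instead.
    printf '%s\n' 'ThisisaStrongpassword' | write_pwfile "$d/mysecret.txt"
    audit_vault_setup "$d/pass-vault.yml" "$d/mysecret.txt" || rc_tight=$?
    rm -rf "$d"
    [ "$rc_loose" -eq 1 ] && [ "$rc_tight" -eq 0 ]
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On the lab host the audit would be called as `audit_vault_setup /home/student/ansible/pass-vault.yml /home/student/ansible/mysecret.txt`.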
---

### Question 2: Your task is to update the vault password of the file `/home/student/ansible/pass-vault.yml` from `ThisisaStrongpassword` to `aalotchale`.

### Solution:
```
ansible-vault rekey --ask-vault-pass /home/student/ansible/pass-vault.yml
```

### Post checks!!
```
ansible-vault view --ask-vault-pass /home/student/ansible/pass-vault.yml
```

### For your reference.
```
[student@workstation ansible]$ ansible-vault rekey --ask-vault-password pass-vault.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[student@workstation ansible]$ ansible-vault view --ask-vault-password pass-vault.yml
Vault password:
---
pw_punit: devops-wala
pw_rajan: vtyshshbash

[student@workstation ansible]$
```
--------------------------------------------------------------------------------
/RHCE/V-9.0/12-02 vault.md:
--------------------------------------------------------------------------------
## Write an Ansible vault file named db-vault.yml to configure database credentials for two applications. It must do so as follows:
- Set the username `appuser1` with the password `AlphaSecure123` in the encrypted vault file `/home/student/ansible/db-vault.yml`.
- Set the username `appuser2` with the password `BetaSafe456` in the same encrypted vault file.
- The vault password should be `DBVaultStrong!,` and must be saved in `/home/student/ansible/db-secret.txt`.
---

### Solutions:
### Create the vault file:
```
ansible-vault create /home/student/ansible/db-vault.yml
```
## Add content like below:
```
appuser1_db_pass: AlphaSecure123
appuser2_db_pass: BetaSafe456
```
### Save the vault password:
```
echo 'DBVaultStrong!,' > /home/student/ansible/db-secret.txt
```

### Playbook example to use these variables:
```
---
- name: Create database users with vault credentials
  hosts: all
  become: true
  vars_files:
    - /home/student/ansible/db-vault.yml
  tasks:
    - name: Add appuser1 with password from vault
      ansible.builtin.user:
        name: appuser1
        password: "{{ appuser1_db_pass | password_hash('sha512') }}"
    - name: Add appuser2 with password from vault
      ansible.builtin.user:
        name: appuser2
        password: "{{ appuser2_db_pass | password_hash('sha512') }}"
```

### Run the playbook.
```
ansible-playbook your-playbook.yml --vault-password-file /home/student/ansible/db-secret.txt
```


### Question 2: Write an Ansible vault file named `ssh-vault.yml` with SSH private keys for two users. It must do so as follows:
- Store the SSH private key for `alice` as variable `alice_private_key` in an encrypted vault file `/home/student/ansible/ssh-vault.yml`.
- Store the SSH private key for `bob` as variable `bob_private_key` in the same encrypted vault file.
- The vault password should be `StrongSSH!2025` and saved in `/home/student/ansible/ssh-pass.txt`
---

### Solution

### Create a vault file.
```
ansible-vault create /home/student/ansible/ssh-vault.yml
```
### Add the content.
```
alice_private_key: |
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
bob_private_key: |
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
```

### Save the vault password:
```
echo 'StrongSSH!2025' > /home/student/ansible/ssh-pass.txt
```


```
---
- name: Configure SSH keys using vault
  hosts: all
  become: true
  vars_files:
    - /home/student/ansible/ssh-vault.yml
  tasks:
    - name: Set alice's private key
      ansible.builtin.copy:
        dest: /home/alice/.ssh/id_rsa
        content: "{{ alice_private_key }}"
        owner: alice
        mode: '0600'
    - name: Set bob's private key
      ansible.builtin.copy:
        dest: /home/bob/.ssh/id_rsa
        content: "{{ bob_private_key }}"
        owner: bob
        mode: '0600'
```

### Run the playbook.
```
ansible-playbook your-playbook.yml --vault-password-file /home/student/ansible/ssh-pass.txt
```
--------------------------------------------------------------------------------
/RHCE/V-9.0/13-01 cronjob.md:
--------------------------------------------------------------------------------
## Prepare the lab
```
curl -o usercreation_cronjob.yaml https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/RHCE/V-9.0/usercreation_cronjob.yaml
ansible-navigator run usercreation_cronjob.yaml -m stdout
```

### Your task is to create a cronjob
- The name of the cron should be `anishrana2001`.
- User `rajan` should execute `logger "Youtube Channel devops-wala"` every 7 minutes.
- Create a cronjob playbook named `mycron.yaml`; it should run only on the `lab` host group.
---

### Solution:

## Take a reference from
```
ansible-doc cron
```


### For your reference.
```
[student@workstation ansible]$ vim mycron.yaml

[student@workstation ansible]$ cat mycron.yaml
---
- name: cron
  hosts: lab
  tasks:
    - name: Ensure a job that runs at 2 and 5 exists. Creates an entry like "0 5,2 * * ls -alh > /dev/null"
      ansible.builtin.cron:
        name: "check dirs"
        minute: "*/7"
        job: 'logger "Youtube Channel devops-wala"'
        user: rajan




[student@workstation ansible]$ ansible-navigator run mycron.yaml -m stdout

PLAY [cron] ********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [servera]

TASK [Ensure a job that runs at 2 and 5 exists. Creates an entry like "0 5,2 * * ls -alh > /dev/null"] ***
changed: [servera]

PLAY RECAP *********************************************************************
servera : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0


[student@workstation ansible]$ ansible servera -m shell -a 'crontab -l -u rajan'
servera | CHANGED | rc=0 >>
#Ansible: check dirs
*/7 * * * * logger "Youtube Channel devops-wala"
[student@workstation ansible]$

```
--------------------------------------------------------------------------------
/RHCE/V-9.0/14-01 user_creation.md:
--------------------------------------------------------------------------------
### The task below shows how to call variables from multiple files. As an example, let's add users.

### Question: Your task is to create a user and then add a secondary group. Perform the tasks below.
- Download the user list from `https://raw.githubusercontent.com/anishrana2001/Openshift/refs/heads/main/RHCE/V-9.0/user_list-14-01.yaml`
- Use the Vault password file `/home/student/ansible/pass-vault.yml` that you created in task 12-01.
- Use the job description `manager`
- Create a user on the `lab` host managed group.
- Use the password `pw_punit` variable.
- It should be part of the `devops` group.
- Use the job description `engineer`.
- Create a user on `myprod` and `prodcution` host managed group.
- Assign the password `pw_rajan`
- The secondary group should be `mon_agent`.
- Password should use `SHA512` hash format.
- Create a playbook called `myuser-list.yaml` under `/home/student/ansible` directory.
--------------------------------------------------------------------------------
/RHCE/V-9.0/Ansible-document.md:
--------------------------------------------------------------------------------


Category Modules
Files

ansible.builtin.copy: Copy a local file to the managed host.

ansible.builtin.file: Set permissions and other properties of files.

ansible.builtin.lineinfile: Ensure a particular line is or is not in a file.

ansible.posix.synchronize: Synchronize content using rsync.

Software

ansible.builtin.package: Manage packages using the automatically detected package manager native to the operating system.

ansible.builtin.dnf: Manage packages using the DNF package manager.

ansible.builtin.apt: Manage packages using the APT package manager.

ansible.builtin.pip: Manage Python packages from PyPI.

System

ansible.posix.firewalld: Manage arbitrary ports and services using firewalld.

ansible.builtin.reboot: Reboot a machine.

ansible.builtin.service: Manage services.

ansible.builtin.user: Add, remove, and manage user accounts.

Net Tools

ansible.builtin.get_url: Download files over HTTP, HTTPS, or FTP.

ansible.builtin.uri: Interact with web services.

--------------------------------------------------------------------------------
/RHCE/V-9.0/Screenshot 2025-10-13 at 4.53.25 PM.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anishrana2001/Openshift/7248a5fa2d66b55a43a108097114b8cfa86a175f/RHCE/V-9.0/Screenshot 2025-10-13 at 4.53.25 PM.png
--------------------------------------------------------------------------------
/RHCE/V-9.0/gather_information-11.yaml:
--------------------------------------------------------------------------------
### Below are the details of nodes.
HOST=
BIOS=
VDA_size=
VDB_size=
MEMORY=

--------------------------------------------------------------------------------
/RHCE/V-9.0/host.yaml:
--------------------------------------------------------------------------------
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.10 servera.lab.example.com servera
172.25.250.11 serverb.lab.example.com serverb
172.25.250.12 serverc.lab.example.com serverc
172.25.250.13 serverd.lab.example.com serverd

--------------------------------------------------------------------------------
/RHCE/V-9.0/lab_for_10-02.yaml:
--------------------------------------------------------------------------------
- name: Create LVM, volume group, and ext4 filesystem on /dev/vdb without command module
  hosts: lab,myprod
  become: true
  gather_facts: true
  tasks:
    - name: Create volume group firefly on /dev/vdb
      community.general.lvg:
        vg: toto
        pvs: /dev/vdb

--------------------------------------------------------------------------------
/RHCE/V-9.0/mydomain-hostfile1.j2:
--------------------------------------------------------------------------------
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
{% for i in groups.all %}
{{ hostvars[i].ansible_default_ipv4.address }} {{ hostvars[i].ansible_fqdn }} {{ hostvars[i].ansible_hostname }}
{% endfor %}

--------------------------------------------------------------------------------
/RHCE/V-9.0/mydomain-hostfile2.j2:
--------------------------------------------------------------------------------
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

--------------------------------------------------------------------------------
/RHCE/V-9.0/redhat-insights-1.3.0.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anishrana2001/Openshift/7248a5fa2d66b55a43a108097114b8cfa86a175f/RHCE/V-9.0/redhat-insights-1.3.0.tar.gz
--------------------------------------------------------------------------------
/RHCE/V-9.0/redhat-rhel_system_roles-1.108.6.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/anishrana2001/Openshift/7248a5fa2d66b55a43a108097114b8cfa86a175f/RHCE/V-9.0/redhat-rhel_system_roles-1.108.6.tar.gz
--------------------------------------------------------------------------------
/RHCE/V-9.0/user_list-14-01.yaml:
--------------------------------------------------------------------------------
users:
  - name: punit
    job: manager
  - name: rajan
    job: engineer
  - name: rajesh
    job: manager
  - name: sunil
    job: intern

--------------------------------------------------------------------------------
/RHCE/V-9.0/usercreation_cronjob.yaml:
--------------------------------------------------------------------------------
- name: Install httpd,update,development tools,users and group
  hosts: lab ### Groups name added.
  become: yes
  tasks:
    - name: Create a group called 'devops-wala'
      ansible.builtin.group:
        name: devops-wala
        state: present # Ensures the group exists
    - name: Create user 'rajan' and add to 'devops-wala' group
      ansible.builtin.user:
        name: rajan
        comment: "OCP cluster"
        password: "{{ 'anishrana2001' | password_hash('sha512') }}" # Hash the password securely
        groups: devops-wala
        append: true # Add to the group without removing from others
        state: present
        uid: 1330
        shell: /bin/bash # Specify the default shell

--------------------------------------------------------------------------------
/RHCE/V-9.0/vault_password_file_14.yaml:
--------------------------------------------------------------------------------
#!/bin/bash

# Set your variable and value
VAR_NAME1="pw_manager"
VAR_VALUE1="MySecretManagerPassword"
VAR_NAME2="pv_engineer"
VAR_VALUE2="loginfornodes"
VAULT_FILE="/home/student/ansible/vault_password_file_14-01.yaml"
VAULT_PASS_FILE="/home/student/ansible/vault_password_file_14-02.yaml"

# Create the vault file using encrypt_string and redirect to locker.yml
ansible-vault encrypt_string "$VAR_VALUE1" --name "$VAR_NAME1" --vault-password-file "$VAULT_PASS_FILE" > "$VAULT_FILE"
ansible-vault encrypt_string "$VAR_VALUE2" --name "$VAR_NAME2" --vault-password-file "$VAULT_PASS_FILE" >> "$VAULT_FILE"

--------------------------------------------------------------------------------
/RHCE/v 8.0/readme.md:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/RHCSA-V.9.3/README.md:
--------------------------------------------------------------------------------
Enjoy the content of Openshift

--------------------------------------------------------------------------------
/RHCSA-V.9.3/image_08-01.yaml:
--------------------------------------------------------------------------------
# Set the base image
FROM registry.lab.example.com:5000/ubi8/ubi

# Print a message to standard output
CMD echo "This container uses the ubi8/ubi image"

--------------------------------------------------------------------------------
/RHCSA-V.9.3/rhcsa 9.0/09 Umask.md:
--------------------------------------------------------------------------------
# Task 1. Your tasks are
- a) All newly created files for user `rajan` get -rw- rw- --- as the default permission.
- b) All newly created directories for user `rajan` get drwx rwx --x as the default permission.
---

### Solution:
```
Default Permission for Files is : 666
Default Permission for Directory is : 777
```
#### For file:
#### The permissions -rw- rw- --- correspond to 660 in numeric form.
#### Umask = (File Permission - Default permission)
#### umask = (666 - 660)
#### umask = 006
#### Explanation:

- rw- (6) for the owner: read, write, execute
- rw- (6) for the group: read, execute
- --- (0) for others: no permissions

#### Directory permission: 775

#### This permission setting allows:

- The owner to fully access and modify the directory.
- The group to fully access and modify the directory.
- Others to have no access.

### Solution:

### Edit the .bash_profile file with `umask 006 `
```
vi .bash_profile
```
### Post checks for file: Create a file and then check the permission
### First, we need to source this file.
```
source .bash_profile
```
```
touch file9
```
```
ls -ltr file9
```
### Post checks for Directory: Create a directory and then check the directory permission.

```
mkdir dir
```
```
ls -ld dir/
```


### For your reference.
```
rajan@workstation:~$ cat .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs
umask 006 ### 🤖 ✅ Added this line only
rajan@workstation:~$

rajan@workstation:~$ touch file9
rajan@workstation:~$ ls -ltr file9
-rw-rw----. 1 rajan rajan 0 Oct 3 09:58 file9
rajan@workstation:~$

rajan@workstation:~$ mkdir dir
rajan@workstation:~$ ls -ld dir/
drwxrwx--x. 2 rajan rajan 6 Oct 3 09:58 dir/
rajan@workstation:~$

```



# Task 2. Your tasks are
- a) All newly created files for user `rajan` get -r-- r-- --- as the default permission.
- b) All newly created directories for user `rajan` get dr-x r-x --x as the default permission.
---

### Solution:
### Edit the file `.bash_profile` with umask 226
```
vi .bash_profile
```
```
source .bash_profile
touch file1 ; ls -l file1
mkdir dir1; ls -ld dir1
```

### For your reference.
```
rajan@workstation:~$ vi .bash_profile

rajan@workstation:~$ cat .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs
umask 226 ### 🤖 ✅ Added this line only
rajan@workstation:~$


rajan@workstation:~$ source .bash_profile

rajan@workstation:~$ touch file1 ; ls -l file1
-r--r-----. 1 rajan rajan 0 Oct 3 13:57 file1

rajan@workstation:~$ mkdir dir1; ls -ld dir1
dr-xr-x--x. 2 rajan rajan 6 Oct 3 13:57 dir1
rajan@workstation:~$
```



# Task 3. Your tasks are
- a) All newly created files for user `rajan` get -r-- --- --- as the default permission.
- b) All newly created directories for user `rajan` get dr-x --x --x as the default permission.
---

### Solution:
### Edit the file `.bash_profile` with umask 266
```
vi .bash_profile
```
```
source .bash_profile
touch file2 ; ls -l file2
mkdir dir2; ls -ld dir2
```
### For your reference.

```
rajan@workstation:~$ vi .bash_profile

rajan@workstation:~$ mkdir dir2; ls -ld dir2
dr-x--x--x. 2 rajan rajan 6 Oct 3 14:02 dir2
rajan@workstation:~$ cat .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs
umask 266 ### 🤖 ✅ Added this line only
rajan@workstation:~$

rajan@workstation:~$ source .bash_profile

rajan@workstation:~$ touch file2 ; ls -l file2
-r--------. 1 rajan rajan 0 Oct 3 14:01 file2

```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/rhcsa 9.0/10-01 Sudoers.md:
--------------------------------------------------------------------------------
# Question 1. In task1, you created a group `devops`. Your task is to add sudo privileges to this group; its users must enter the password when executing commands. This group's users can only restart the chronyd service and update or upgrade the packages.

### Solution:
### Note that whenever you edit the `/etc/sudoers` file, you have to use `:wq!` to force the write to this file.
```
[root@servera ~]# vi /etc/sudoers.d/limited_admins_rules1
[root@servera ~]# cat /etc/sudoers.d/limited_admins_rules1
Cmnd_Alias RESTART_APACHE = /usr/bin/systemctl restart chronyd.service
Cmnd_Alias UPDATE_PACKAGES = /usr/bin/apt update, /usr/bin/apt upgrade
[root@servera ~]#


[root@servera ~]# vi /etc/sudoers

[root@servera ~]# cat /etc/sudoers | grep devops
%devops ALL = RESTART_APACHE, UPDATE_PACKAGES
[root@servera ~]#


```




# Question 2. In task1, you created a group `admin`. Your task is to add sudo privileges to this group so that this group's members can perform administrative tasks with prompting the password.

### Solutions:

### Note that whenever you edit the `/etc/sudoers` file, you have to use `:wq!` to force the write to this file.
```
[root@servera ~]# vi /etc/sudoers
[root@servera ~]# cat /etc/sudoers | grep admin
%admin ALL=(ALL) NOPASSWD: ALL
[root@servera ~]
```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/rhcsa 9.0/18 Banner.md:
--------------------------------------------------------------------------------
# Question: You need to set the banner "Welcome to my Youtube Channel 'devops-wala'" for user `punit`. Make sure that whenever he logs in, this banner is shown.

### Solution

## Login with `punit` user
```
su - punit
```

### Modify the file `.bash_profile` and add the last 2 lines. Save and exit from the file.
```
# User specific environment and startup programs
export My_exam="Welcome to my Youtube Channel 'devops-wala'"
echo "$My_exam"
```

### Logout from `punit` user and login again. You should see the banner.

```
su - punit
```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/rhcsa 9.0/read.me:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/01-01 Users and Groups.md:
--------------------------------------------------------------------------------
# Question 1: You are the administrator of devops-wala company and you need to perform the tasks below on `servera`

- Create two groups called `admin` and `devops-wala`
- Create the users
- `punit` users must be part of the `admin` group. In other words, add the `admin` group as a secondary group of these users.
- User `punit` should have `1234` UID and the comment `For OCP Cluster`
- User `punit` should have home directory `/home/ocp-cluster/`.
- User `punit` should have login shell `/bin/bash`
- User `rajan` should have `1235` UID and the comment `For Database Cluster`
- User `rajan` should have home directory `/home/database-cluster`
- User `rajan` should have login shell `/bin/sh`
- `harry` users must be part of the `devops-wala` group. In other words, add the `devops-wala` group as a secondary group of these users.
- User `harry` should have `1334` UID and the comment `For OCP Cluster`
- User `harry` should have home directory `/home/harry/`.
- User `harry` should have login shell `/bin/bash`
- User `peter` should have `1335` UID and the comment `For Database Cluster`
- User `peter` should have home directory `/home/peter`
- User `peter` should have login shell `/bin/sh`
- Create a user `mon_ocp`; this user should have a non-interactive shell and should not be part of the `devops-wala` and `admin` groups
- All users must have password `devops-wala`.
---
### Solution:


### Login to `servera`
```
ssh root@servera
```
### Let's add the groups first.

#### Create `admin` group.
```
groupadd admin
```
### Create a group for `devops-wala`.
```
[root@servera yum.repos.d]# groupadd devops-wala
```

### Create punit user.
```
useradd -G admin -u 1234 -s /bin/bash -d /home/ocp-cluster -c "For OCP Cluster" punit
```

### Post checks for `punit` user.
```
[root@servera yum.repos.d]# cat /etc/passwd | grep punit
punit:x:1234:1234:For OCP Cluster:/home/ocp-cluster:/bin/bash
[root@servera yum.repos.d]# cat /etc/group | grep punit
admin:x:1003:punit
punit:x:1234:
[root@servera yum.repos.d]#
```


### Create a user `harry`.
```
useradd -G devops-wala -u 1334 -d /home/harry -s /bin/bash -c "For OCP Cluster" harry
```

### Post checks for `harry` user.

```
[root@servera ~]# cat /etc/passwd | grep harry
harry:x:1334:1334:For OCP Cluster:/home/harry:/bin/bash
[root@servera ~]# cat /etc/group | grep harry
devops-wala:x:1235:harry
harry:x:1334:
[root@servera yum.repos.d]#
```
### Create a user `peter`.
```
useradd -G devops-wala -u 1335 -d /home/peter -s /bin/sh -c "For Database Cluster" peter
```

### Post checks for `peter` user.
```
[root@servera ~]# cat /etc/passwd | grep peter
peter:x:1335:1335:For Database Cluster:/home/peter:/bin/sh
[root@servera ~]# cat /etc/group | grep peter
devops-wala:x:1235:harry,peter
peter:x:1335:
[root@servera ~]#
```

### Create a user `mon_ocp` with no interactive shell.
```
[root@servera yum.repos.d]# cat /etc/passwd | grep no | head -n 1
bin:x:1:1:bin:/bin:/usr/sbin/nologin

[root@servera yum.repos.d]# useradd -s /usr/sbin/nologin mon_ocp
```

### Post checks.
```
[root@servera yum.repos.d]# cat /etc/passwd | grep mon_ocp
mon_ocp:x:1336:1336::/home/mon_ocp:/usr/sbin/nologin
[root@servera yum.repos.d]#
```

### To set the password `devops-wala` for all users.
```
[root@servera ~]# echo "devops-wala" | passwd --stdin punit
[root@servera ~]# echo "devops-wala" | passwd --stdin harry
[root@servera ~]# echo "devops-wala" | passwd --stdin peter
[root@servera ~]#

```
## Or you can use this command, but you have to manually copy and paste again and again.
```
passwd punit
```

# Question 2: Set passwords to expire after `17 days` on server `servera`.

### Solutions:

### All the password information is stored in the file `/etc/login.defs`; you just need to modify the value to `PASS_MAX_DAYS 17`.

### Open the file
```
vi /etc/login.defs
```


### For your reference.
```
student@workstation:~$ ssh student@servera

[student@servera ~]$ sudo -i
[sudo] password for student:
```


### To exclude the lines that start with "#", use "^#"; to also remove the blank lines, use "^$".
```
[root@servera ~]# cat /etc/login.defs | grep -v "^#" | grep -v "^$"
MAIL_DIR /var/spool/mail
UMASK 022
HOME_MODE 0700
PASS_MAX_DAYS 99999 ## ✅ This line we need to modify
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999
SUB_UID_MIN 524288
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
SUB_GID_MIN 524288
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
PASS_CHANGE_TRIES 5
PASS_ALWAYS_WARN yes
ENCRYPT_METHOD YESCRYPT
USERGROUPS_ENAB yes
CREATE_HOME yes
HMAC_CRYPTO_ALGO SHA512


[root@servera ~]# vi /etc/login.defs

[root@servera ~]# cat /etc/login.defs | grep "PASS_MAX_DAYS"
# PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MAX_DAYS 17 ## ✅ Line modified
[root@servera ~]#



```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/02 Yum_Repo.md:
--------------------------------------------------------------------------------
## You are the admin of `devops-wala` company and you need to install the `httpd` package on `servera`.
## You can use the below URLs: `http://content.example.com/rhel10.0/x86_64/dvd/BaseOS` & `http://content.example.com/rhel10.0/x86_64/dvd/AppStream`

## Solution:

## Check if the `YUM` repo is available.

```
ls -ltr /etc/yum.repos.d/
```

## If it is not there, create a file with any name that ends in `.repo`.

```
cat /etc/yum.repos.d/question12.repo
[BaseOs]
name = BaseOs
baseurl = http://content.example.com/rhel10.0/x86_64/dvd/BaseOS
enabled = true
gpgcheck = false

[APPs]
name = Apps
baseurl = http://content.example.com/rhel10.0/x86_64/dvd/AppStream
enabled = true
gpgcheck = false
```
## Install the package.
```
dnf install httpd -y
```

### Question END.


## Read the below for more information about Yum / DNF.
## Yum repository configuration files, typically ending with the `.repo` extension, are located in the `/etc/yum.repos.d/` directory on Red Hat-based Linux distributions like CentOS and RHEL. These files instruct the yum package manager where to find software packages.

## A typical `.repo` file contains one or more sections, each defining a repository. Each repository section starts with a unique ID enclosed in square brackets, like [repository_id].
## In our case `[BaseOs]`

## Key directives within a repository section include:
```
[]
name=
baseurl=
enabled=
gpgcheck=
gpgkey=
```
#
- name: A human-readable name for the repository.
- baseurl: The URL or path to the repository's files. This can be an http://, https://, ftp://, or file:// address.
- enabled: A flag (0 or 1) to enable or disable the repository. 1 enables it, 0 disables it.
- gpgcheck: A flag (0 or 1) to enable or disable GPG signature checking for packages from this repository. 1 enables checking, ensuring package authenticity.
- gpgkey: The URL or path to the GPG public key used to verify package signatures `if gpgcheck is enabled`.


--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/02-03 selinux.md:
--------------------------------------------------------------------------------
## Prepare the lab.
```
dnf install httpd -y
# sed -i edits the file in place and prints nothing, so grep the file to confirm the change.
sed -i 's/Listen 80/Listen 85/' /etc/httpd/conf/httpd.conf
grep Listen /etc/httpd/conf/httpd.conf

```

## Question: One web server is running on port `85` and it is not working properly. You need to diagnose the issue and resolve it.


## Solution:

### The web server should be started
```
systemctl start httpd.service
```
### The application must be running even after the VM or host machine is rebooted.
```
systemctl enable httpd.service
```

## If the web server service is running fine and the syntax is also good, then you need to check the SELinux context.
```
semanage port -l | grep http
```

### If the mentioned port is not added, then add it.
```
semanage port -a -t http_port_t -p tcp 85
```

### Verify it again.
```
semanage port -l | grep http
```
### Add the mentioned port to the firewall list.
```
firewall-cmd --permanent --add-port=85/tcp
```
### After adding the port, we need to reload the firewall service.
```
firewall-cmd --reload
```

### Verify that the port was added correctly.

```
firewall-cmd --list-all
```

### For your reference.

```
[root@servera yum.repos.d]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@servera yum.repos.d]# semanage port -a -t http_port_t -p tcp 85

[root@servera yum.repos.d]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 85, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989


[root@servera yum.repos.d]# Environment=OPTIONS=""

[root@servera yum.repos.d]# systemctl start httpd.service

[root@servera yum.repos.d]# systemctl enable httpd.service

[root@servera yum.repos.d]# firewall-cmd --permanent --add-port=85/tcp
success
[root@servera yum.repos.d]#

[root@servera yum.repos.d]# firewall-cmd --reload
success
[root@servera yum.repos.d]# firewall-cmd --list-all
public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: ens3 ens4
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 85/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/03-03 Cronjob.md:
--------------------------------------------------------------------------------
# Cron Job
### Question:
- Create a user named punit1
- User with UID 1238
- Users must have password `devops-wala`
- User `punit1` creates a cron job with `logger "Devops-wala Youtube channel"`, and it must execute every 8 minutes.

---

### Solution:
```
[root@servera ~]# useradd -u 1238 punit1
[root@servera ~]# passwd punit1
```
```
[root@servera ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
```

## Special characters can be used to define specific time intervals:

### * : Any value

### , : Separate multiple values (e.g., 1,5,10)

### - : Range of values (e.g., 1-5)

### / : Skip values (e.g., */5 means every 5 minutes)

---


### Syntax of the command.
```
* * * * * command to be executed
```

### Let's modify it.
```
[root@servera ~]# crontab -eu punit1
```
```
*/8 * * * * logger "Devops-wala Youtube channel"
```

```
[root@servera ~]# crontab -lu punit1
*/8 * * * * logger "Devops-wala Youtube channel"
[root@servera ~]#
```
### Post checks.
```
# On RHEL, crond activity is logged to /var/log/cron.
sudo tail -f /var/log/cron | grep -i logger
```



## 1. Editing the Cron File
```
crontab -e
```
## 2. Add an entry and save the file, just like in the vi editor.
## The cron job below executes the command `/home/student/backup.sh` at 17:30 every day.
```
30 17 * * * /home/student/backup.sh
```
## 3. How to list the cronjob?
```
crontab -l
```

## 4. How to add the cronjob by user `punit1`?
```
crontab -eu punit1
```
## 5. How to list the user cronjob?
```
crontab -u punit1 -l
```
## 6. How to check the logs of cronjob?
```
# On RHEL, crond activity is logged to /var/log/cron.
sudo tail -f /var/log/cron | grep -i cron
```

## Cron Daemon Options

- The cron daemon can be started, stopped, or restarted using the following commands:

- Start: sudo systemctl start crond.service
- Stop: sudo systemctl stop crond.service
- Restart: sudo systemctl restart crond.service



--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/04 Find_command.md:
--------------------------------------------------------------------------------
# Find Command.


## Prepare the lab for this question.
```

```
## Question 1. Locate all the files with name `devops.txt` in the `/home/student` directory.
```

```

## Question 2. Locate all the files with name `devops.txt` in the `/home/student` directory and save in the /data/question2.txt
```

```

## Question 3. Locate all the files with name `devops.txt` in the `/home/student` directory but owned by user `punit` and copy it under `/data/question3-files`.
```

```

## Question 4. Locate all the files which are owned by user `punit` and copy it under `/data/question4-files/flower`.
```
mkdir -p /data/question4-files/flower
find / -user punit
find / -user punit -exec cp -rvf {} /data/question4-files/flower/ \;
ls -latr /data/question4-files/flower/

```

## Question 5. Create a script named `question5-find.sh` under `/usr/local/bin` directory and this script must locate all the regular files which are less than `1M` under `/usr/share` directory and save the searched file paths under `/root/question5-find-output.txt` file.

### Solution:
### Create a command.

- path-to-find : /usr/share/
- Regular file: `-type f`
- Size : Less than 1M = `-size -1048576c` (find rounds sizes up to whole units, so `-size -1M` matches only empty files)
- Save searched file paths to `/root/question5-find-output.txt`

### Syntax
```
find /path-to-find -type f -size -1048576c > /root/question5-find-output.txt
```

```
echo "find /path-to-find -type f -size -1048576c > /root/question5-find-output.txt"
```
### Save the content in the mentioned file `/usr/local/bin/question5-find.sh`
```
echo "find /usr/share/ -type f -size -1048576c > /root/question5-find-output.txt" > /usr/local/bin/question5-find.sh
```
### Give the execute permission.
```
chmod +x /usr/local/bin/question5-find.sh
```
## Run the script. Since it is in the `/usr/local/bin` directory, you can execute it without the absolute path.
## You can also verify it.
```
echo $PATH
```
```
question5-find.sh
```
### Post check!
```
cat /root/question5-find-output.txt
```




## Question 6. Create a script named `question6-find.sh` under `/usr/local/bin` directory and this script must locate all the regular files which are less than `900k` and more than `30K` under `/var` directory and these files must set SUID permission. You need to save the searched file paths under `/root/question6-find-output`.


### Solution.

### Create the output file.
```
# The script redirects into this path, so it must be a regular file, not a directory.
touch /root/question6-find-output
```

```
echo "find /var -type f -size +30k -size -900k -perm -u+s > /root/question6-find-output" > /usr/local/bin/question6-find.sh
```

### Giving execute permission.
```
chmod +x /usr/local/bin/question6-find.sh
```


## Post checks
```
cat /root/question6-find-output
```

```
[root@servera ~]# cat question6-find-output
/var/cache/swcatalog/cache/C-local-metainfo.xb
/var/cache/dnf/packages.db
/var/cache/dnf/BaseOs-9e7683640d492933/repodata/9c5fdcf39b56c9ac62d42deaf7ee8adba1a8590fc7294da57b0cdd1e90d1b753-comps-BaseOS.x86_64.xml.gz
/var/cache/dnf/Apps-b8b87d9e3b38f394/repodata/c5d38adcebf7c0b655635a4994297303244516b2e01120811ca4e0d23330a036-comps-AppStream.x86_64.xml.gz
/var/cache/fwupd/quirks.xmlb
/var/lib/fwupd/pending.db
/var/lib/systemd/catalog/database
/var/lib/PackageKit/transactions.db
/var/lib/selinux/targeted/active/file_contexts
/var/lib/selinux/targeted/active/modules/100/unprivuser/hll
/var/lib/selinux/targeted/active/modules/100/init/hll
/var/lib/selinux/targeted/active/modules/100/staff/hll
/var/lib/selinux/targeted/active/modules/100/virt/cil
/var/lib/selinux/targeted/active/modules/100/virt/hll
/var/lib/selinux/targeted/active/modules/100/sysadm/cil
/var/lib/selinux/targeted/active/modules/100/sysadm/hll
/var/lib/selinux/targeted/active/modules/100/xserver/hll
/var/lib/selinux/targeted/active/modules/100/base/cil
/var/lib/selinux/targeted/active/modules/100/base/hll
/var/lib/dnf/history.sqlite
/var/lib/dnf/history.sqlite-shm
/var/log/wtmp
/var/log/lastlog
/var/log/dnf.log
/var/log/dnf.librepo.log
/var/log/cloud-init.log
/var/log/boot.log-20251006
/var/log/messages-20251006
/var/log/messages
/var/log/secure-20251006
[root@servera ~]# cat /usr/local/bin/question6-find.sh
find /var -type f -size +30k -size -900k > /root/question6-find-output
[root@servera ~]#
```

--------------------------------------------------------------------------------
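The `-size` and `-perm` tests from Questions 5 and 6 of `04 Find_command.md` can be checked safely on a throwaway directory before they are pointed at `/usr/share` or `/var`. The script below is an added example, not part of the original notes; it assumes GNU find (as shipped on RHEL), and the file names and the helpers `make_file`, `make_sandbox`, `matches` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: shows how find's -size rounding and the SUID -perm test
# behave on a constructed sandbox. Assumes GNU find.

# Create a file of exactly $2 bytes at path $1.
make_file() {
    if [ "$2" -eq 0 ]; then
        : > "$1"
    else
        dd if=/dev/zero of="$1" bs="$2" count=1 2>/dev/null
    fi
}

# Build the sandbox (constructed sample files) and print its path.
make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    make_file "$sandbox/empty" 0
    make_file "$sandbox/one_byte" 1
    make_file "$sandbox/forty_k" 40960            # 40 KiB
    make_file "$sandbox/just_under_1m" 1048575    # 1 MiB minus one byte
    make_file "$sandbox/exactly_1m" 1048576       # 1 MiB
    make_file "$sandbox/forty_k_suid" 40960       # 40 KiB, SUID set below
    chmod u+s "$sandbox/forty_k_suid"
    printf '%s\n' "$sandbox"
}

# Run find under directory $1 with the remaining arguments as tests and
# print the matching base names on one line, sorted, space-separated.
matches() {
    root=$1
    shift
    find "$root" -type f "$@" -exec basename {} \; | LC_ALL=C sort | paste -sd ' ' -
}

demo() {
    box=$(make_sandbox) || return 1
    # Sizes are rounded UP to whole units before comparing, so a 1-byte
    # file already counts as 1M and "-size -1M" only matches empty files.
    echo "-size -1M         : $(matches "$box" -size -1M)"
    # In KiB units the file of 1 MiB minus one byte rounds up to 1024k.
    echo "-size -1024k      : $(matches "$box" -size -1024k)"
    # Byte units are exact: everything strictly smaller than 1 MiB.
    echo "-size -1048576c   : $(matches "$box" -size -1048576c)"
    # Question 6: size window plus the SUID bit (-perm -4000 is -perm -u+s).
    echo "30k..900k and SUID: $(matches "$box" -size +30k -size -900k -perm -4000)"
    rm -rf "$box"
}

demo
```

The same `matches` helper can be pointed at a copy of real data to confirm a size or permission filter before it is written into a script under `/usr/local/bin`.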
/RHCSA-V.9.3/servera/05 Grep_command.md:
--------------------------------------------------------------------------------
## Question 1: Find the string `err` from `/var/log/messages` file and save the output in the `/root/err.log` file.


## Question 2: Find the string `err` from `/var/log/messages` file and save the output in the `/root/err.log` file.

## Question 3: Find the string `err` or `ERR` or `Err` from `/var/log/messages` file and save the output in the `/root/err.log` file.

## Question 4: Find the string `err` along with line number from `/var/log/messages` file and save the output in the `/root/err.log` file.


# The `grep` command in Linux is a powerful utility used for searching plain-text data sets for lines that match a regular expression. Here are several examples demonstrating its usage:

## Step 1. Basic Search in a Single File:
```
grep "error" logfile.txt
```

## Step 2. Case-Insensitive Search:
### To search for a pattern ignoring case (e.g., "python", "Python", "PYTHON", "PytHon"), use the -i option:
```
grep -i "python" /var/log/messages
```


## Step 3. Invert Match (Show Non-Matching Lines):
## To display lines that do not contain a specific pattern, we can use the `-v` option:
```
grep -v warning /var/log/httpd/logs
```
### Or
```
grep -vi warning /var/log/httpd/logs
```


## Step 4. Using grep with Pipes:
### grep is often used in conjunction with other commands via pipes (|) to filter their output. For instance, searching for the `error` keyword while running a python script.
```
python my_network.py | grep "error"
```

## Step 5. Display Line Numbers:
### To show the line number where the pattern is found, one can use the -n option:
```
grep -n "error" output.log
```

--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/06 AutoFS.md:
--------------------------------------------------------------------------------
# AutoFS:

## First terminal:
```
lab start compreview-review3
```
```
ssh student@servera
sudo -i
```
### `student` is the password.

### Install autofs
```
dnf install autofs -y
```
## Start and enable the service.
```
systemctl enable autofs.service
systemctl start autofs.service
```

## Check the already shared directory
```
showmount -e
```
```
ls -ltr /home/guest
```
## Edit the `auto.master` file.
```
vi /etc/auto.master
```
```
cat /etc/auto.master | grep guest
/home/guest /etc/auto.misc
```
```
vi /etc/auto.misc
```
```
cat /etc/auto.misc | grep produ
production5 -fstype=nfs,rw,sync serverb.lab.example.com:/user-homes/production5
```

```
systemctl restart autofs.service
```
```
ls -ltr /home/guest
```



### For your reference.

```
[root@servera ~]# showmount -e
Export list for servera:
/user-homes/production5 serverb.lab.example.com
[root@servera ~]#

[root@servera ~]# dnf install autofs -y

[root@servera ~]# systemctl enable autofs.service
Created symlink '/etc/systemd/system/multi-user.target.wants/autofs.service' → '/usr/lib/systemd/system/autofs.service'.

[root@servera ~]# systemctl start autofs.service
[root@servera ~]#

[root@servera ~]# ls -ltr /home/guest
ls: cannot access '/home/guest': No such file or directory

[root@servera ~]# vi /etc/auto.master
[root@servera ~]# cat /etc/auto.master | grep guest
/home/guest /etc/auto.misc

[root@servera ~]# vi /etc/auto.misc
[root@servera ~]# cat /etc/auto.misc | grep produ
production5 -fstype=nfs,rw,sync serverb.lab.example.com:/user-homes/production5

[root@servera ~]# systemctl restart autofs.service
[root@servera ~]# ls -ltr /home/guest
total 0
[root@servera ~]#


```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/07 NTP service.md:
--------------------------------------------------------------------------------
# Question: You need to sync `servera` with ntp `classroom.example.com`




### Check the status of NTP service.
```
systemctl status chronyd.service
```
```
[root@servera ~]# systemctl status chronyd.service
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-10-05 15:39:21 UTC; 1h 0min ago
 Invocation: e8d2fb61b5274f27a73ea49a263974b5
       Docs: man:chronyd(8)
             man:chrony.conf(5)
   Main PID: 967 (chronyd)
      Tasks: 1 (limit: 9897)
     Memory: 4.4M (peak: 5.2M)
        CPU: 60ms
     CGroup: /system.slice/chronyd.service
             └─967 /usr/sbin/chronyd -F 2

Oct 05 15:39:21 servera.lab.example.com chronyd[967]: commandkey directive is no longer supported
Oct 05 15:39:21 servera.lab.example.com chronyd[967]: generatecommandkey directive is no longer supported
Oct 05 15:39:21 servera.lab.example.com chronyd[967]: Could not open keyfile /etc/chrony.keys
Oct 05 15:39:21 servera.lab.example.com chronyd[967]: Frequency -10.753 +/- 1.013 ppm read from /var/lib/chrony/drift
Oct 05 15:39:21 servera.lab.example.com chronyd[967]: Loaded seccomp filter (level 2)
Oct 05 15:39:21 servera.lab.example.com systemd[1]: Started chronyd.service - NTP client/server.
Oct 05 15:39:22 servera chronyd[967]: Source 172.25.254.254 offline
Oct 05 15:39:23 servera chronyd[967]: Source 172.25.254.254 online
Oct 05 15:39:27 servera chronyd[967]: Selected source 172.25.254.254
Oct 05 15:39:27 servera chronyd[967]: System clock wrong by 0.754377 seconds ⬅️ ⬅️ 👈👈👈👈
[root@servera ~]#
```

### Set the system clock.
```
timedatectl set-ntp true
```
```
[root@servera ~]# timedatectl set-ntp true
[root@servera ~]#
```

### Update the ntp server `server classroom.example.com iburst`
```
vi /etc/chrony.conf
```
### Verify whether we added it correctly.
```
[root@servera ~]# cat /etc/chrony.conf | grep classroom
server classroom.example.com iburst
```
```
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
#server 172.25.254.254 iburst ⬅️ ⬅️ 👈👈👈👈 Comment this line
server classroom.example.com iburst ⬅️ ⬅️ 👈👈👈👈 Added this line

# Ignore stratum in source selection.
stratumweight 0

```
### Restart the NTP service & check the status.

```
systemctl restart chronyd.service
```
```
[root@servera ~]# systemctl restart chronyd.service
[root@servera ~]# systemctl status chronyd.service
● chronyd.service - NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-10-05 16:40:53 UTC; 32s ago
 Invocation: 29a5bc908796461e9712712b5948c71a
       Docs: man:chronyd(8)
             man:chrony.conf(5)
    Process: 5453 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 5455 (chronyd)
      Tasks: 1 (limit: 9897)
     Memory: 920K (peak: 2.9M)
        CPU: 32ms
     CGroup: /system.slice/chronyd.service
             └─5455 /usr/sbin/chronyd -F 2

Oct 05 16:40:53 servera systemd[1]: Starting chronyd.service - NTP client/server...
Oct 05 16:40:53 servera chronyd[5455]: chronyd version 4.6.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
Oct 05 16:40:53 servera chronyd[5455]: commandkey directive is no longer supported
Oct 05 16:40:53 servera chronyd[5455]: generatecommandkey directive is no longer supported
Oct 05 16:40:53 servera chronyd[5455]: Could not open keyfile /etc/chrony.keys
Oct 05 16:40:53 servera chronyd[5455]: Frequency -14.588 +/- 0.100 ppm read from /var/lib/chrony/drift
Oct 05 16:40:53 servera chronyd[5455]: Loaded seccomp filter (level 2)
Oct 05 16:40:53 servera systemd[1]: Started chronyd.service - NTP client/server.
Oct 05 16:40:58 servera chronyd[5455]: Selected source 172.25.254.254 (classroom.example.com) ⬅️ ⬅️ 👈👈👈👈
[root@servera ~]#
```


### Make sure you have enabled the NTP service.
```
[root@servera yum.repos.d]# systemctl enable chronyd-restricted.service
Created symlink '/etc/systemd/system/multi-user.target.wants/chronyd-restricted.service' → '/usr/lib/systemd/system/chronyd-restricted.service'.
[root@servera yum.repos.d]#
```



--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/16 Stickeybit.md:
--------------------------------------------------------------------------------
# Question: You are the admin of server `servera` and you need to create one shared directory named `/home/shared-dir`.
- The group owner of this directory should be `admin`.
- When people create files under this directory, the group name of those files should be `admin`.
- Members of the `admin` group should have all rights (rwx); others should not have any rights.

---
### Solution



### Create a directory `/home/shared-dir`
```
[root@servera ~]# mkdir /home/shared-dir
```
### The group owner of this directory should be `admin`.
```
[root@servera ~]# chgrp admin /home/shared-dir/
```
## Post check.
```
[root@servera ~]# ls -ld /home/shared-dir/
drwxr-xr-x. root admin Oct 16:27 /home/shared-dir/
```
### Members of the `admin` group should have all rights (rwx); others should not have any rights.

```
chmod 770 /home/shared-dir
```
## Or you can run the below command.
```
[root@servera ~]# chmod g+rwx,o-rwx /home/shared-dir/
```
### Post checks.
```
[root@servera ~]# ls -ld /home/shared-dir/
drwxrwx---. root admin Oct 16:27 /home/shared-dir/
```
### When people create files under this directory, the group name of those files should be `admin`.
```
[root@servera ~]# chmod g+s /home/shared-dir/
```

### Post checks.
```
[root@servera ~]# touch /home/shared-dir/test.txt
[root@servera ~]# ls -ltr /home/shared-dir/test.txt
-rw-r--r--. root admin Oct 16:29 /home/shared-dir/test.txt
[root@servera ~]#
```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/17 Tar.md:
--------------------------------------------------------------------------------
# tar Command to Compress Files in Linux
# The tar command is commonly used to compress files in Linux when combined with options like -z (gzip) or -j (bzip2).

# The Linux 'tar' stands for tape archive; it is used to create archives and to extract archive files. The tar command is one of the important commands that provide archiving functionality in Linux.

# Syntax of `tar` command in Linux
```
tar [options] [archive-file] [file or directory to be archived]
```

### Options

- c : Create an archive
- x : Extracts files & directories from an existing archive.
- f : Specifies the filename of the archive to be created or extracted.
- v : Displays verbose information
- z : Uses gzip compression when creating a tar file (tar.gz)
- j : Uses bzip2 compression when creating a tar file (tar.bz2)
- t : Displays or lists the files and directories contained within an archive.

## Question: Create a backup by using tar file `/root/test1.tar.gz` from the `/var/log/` directories.
- z : this option is for `tar.gz` or `tar.tgz`
- c : create a tar file.
- v : Verbose mode.
- f : Specifies the filename of the archive.
```
tar cvfz /root/test1.tar.gz /var/log/*
```

## Question: Create a backup by using tar file `/root/test2.tar.bz2` from the `/var/log/` directories.
- j : this option is for `tar.bz2` or `tar.tbz2`
```
tar cvfj /root/test2.tar.bz2 /var/log/*
```

## Question: Your task is to extract the tar file `/root/test1.tar.gz`
- x : Extract the file

```
tar zxvf /root/test1.tar.gz
```

## Question: Your task is to extract the tar file `/root/test2.tar.bz2`
- x : Extract the file

```
tar jxvf /root/test2.tar.bz2
```


--------------------------------------------------------------------------------
/RHCSA-V.9.3/servera/readme.md:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/RHCSA-V.9.3/serverb/01 Password_change.md:
--------------------------------------------------------------------------------
## Prepare the lab for this question.
```
lab start rootpw-recover
```

# You need to change the `servera` password to `redhat`.

### Solution:

### You can try to log in to `servera` with the given credentials.
```
servera login: root
Password: redhat
Login incorrect
```

## Now open the console of servera by running the below command in the foundation terminal

Screenshot 2025-10-04 at 9 13 57 PM


## Send `Ctrl+Alt+Del` to your system by using the relevant button; see the below print screen for your reference.

Screenshot 2025-10-04 at 9 16 27 PM

#
#
---
- Step 1. When the boot-loader menu appears, press Esc to interrupt the countdown.
- Step 2. Use the cursor keys to select the kernel entry and then press `e` to edit the current entry.
- Step 3. Move the cursor to the line that starts with the `linux` text.
- Step 4. Remove any `console=` option from the line and then
- Step 5. Append a space followed by the `rw init=/bin/bash` option to the end of the line and then press Ctrl+X to boot by using the modified configuration.

---

## Step 2. Use the cursor keys to select the kernel entry and then press `e` to edit the current entry.
Screenshot 2025-10-04 at 9 23 02 PM



# Step 3 & Step 4
# Move the cursor to the line that starts with the `linux` text.
# Remove any `console=` option from the line.
Screenshot 2025-10-04 at 9 25 06 PM

- Step 5. Append a space followed by the `rw init=/bin/bash` option to the end of the line and then press Ctrl+X to boot by using the modified configuration.
- Step 6. Change the password.
- Step 7. Configure the system to automatically perform a full SELinux relabeling after booting. This step is necessary because the passwd command recreates the /etc/shadow file without an SELinux context. `touch /.autorelabel`
- Step 8. The system runs an SELinux relabel operation, and then reboots automatically. Wait for the servera machine to boot. `exec /sbin/init`.
- See the below print screen.
Screenshot 2025-10-04 at 9 09 41 PM


- Step 9. Post check!
```
servera login: root
Password: redhat
```
--------------------------------------------------------------------------------
/RHCSA-V.9.3/serverb/02 dnf.md:
--------------------------------------------------------------------------------
## You are the admin of `devops-wala` company and you need to install the `httpd` package on `servera`.
## You can use the below URLs: `http://content.example.com/rhel10.0/x86_64/dvd/BaseOS` & `http://content.example.com/rhel10.0/x86_64/dvd/AppStream`

## Solution:

## Check if the `YUM` repo is available?

```
ls -ltr /etc/yum.repos.d/
```

## If it is not there, then you need to create a file with any name, but with `.repo` at the end.

```
cat /etc/yum.repos.d/question12.repo
[BaseOs]
name = BaseOs
baseurl = http://content.example.com/rhel10.0/x86_64/dvd/BaseOS
enabled = true
gpgcheck = false

[APPs]
name = Apps
baseurl = http://content.example.com/rhel10.0/x86_64/dvd/AppStream
enabled = true
gpgcheck = false
```
## Install the package.
```
dnf install httpd -y
```

### Question END.


## Read the below for more information about Yum / DNF.
## Yum repository configuration files, typically ending with the `.repo` extension, are located in the `/etc/yum.repos.d/` directory on Red Hat-based Linux distributions like CentOS and RHEL. These files instruct the yum package manager where to find software packages.

## A typical `.repo` file contains one or more sections, each defining a repository. Each repository section starts with a unique ID enclosed in square brackets, like [repository_id].
## In our case `[BaseOs]`

## Key directives within a repository section include:
```
[]
name=
baseurl=
enabled=
gpgcheck=
gpgkey=
```
#
- name: A human-readable name for the repository.
- baseurl: The URL or path to the repository's files. This can be an http://, https://, ftp://, or file:// address.
- enabled: A flag (0 or 1) to enable or disable the repository. 1 enables it, 0 disables it.
- gpgcheck: A flag (0 or 1) to enable or disable GPG signature checking for packages from this repository. 1 enables checking, ensuring package authenticity.
- gpgkey: The URL or path to the GPG public key used to verify package signatures `if gpgcheck is enabled`.


--------------------------------------------------------------------------------
/RHCSA-V.9.3/serverb/13 Swap.md:
--------------------------------------------------------------------------------

# As a system admin of `devops-wala` firm, you need to add a swap partition so that the server can manage requests more efficiently. Thus, you need to add 512M of swap memory.


### Solution:

Screenshot 2025-10-05 at 12 33 40 PM

### Format the partition.
```
[root@servera ~]# mkswap /dev/sdb1
Setting up swapspace version 1, size = MiB (536866816 bytes)
no label, UUID=41d00f9f-d91f-492e-bbfe-0ec212a85829
[root@servera ~]#

```
```
[root@servera ~]# vi /etc/fstab
[root@servera ~]# cat /etc/fstab
UUID=15507695-22bb-4c65-94e6-a438e095983f / xfs defaults 0 0
UUID=7B77-95E7 /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt 0 2
UUID=41d00f9f-d91f-492e-bbfe-0ec212a85829 swap swap defaults 0 0

[root@servera ~]# swapon -a

[root@servera ~]# lsblk -fp
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
/dev/sda
├─/dev/sda1
├─/dev/sda2 vfat FAT16 7B77-95E7 191.4M 4% /boot/efi
└─/dev/sda3 xfs root 15507695-22bb-4c65-94e6-a438e095983f 7.4G 24% /
/dev/sdb
└─/dev/sdb1 swap 1 41d00f9f-d91f-492e-bbfe-0ec212a85829 [SWAP]
/dev/sdc
/dev/sdd
/dev/sr0 iso9660 Joliet Extension config-2 2025-10-05-06-40-12-00
[root@servera ~]#

[root@servera ~]# free -h
total used free shared buff/cache available
Mem: 1.7Gi 379Mi 1.3Gi 9.2Mi 184Mi 1.3Gi
Swap: 511Mi 0B 511Mi
[root@servera ~]#

[root@servera ~]# swapon --show
NAME TYPE SIZE USED PRIO
/dev/sdb1 partition 512M 0B -2
[root@servera ~]#

```

Screenshot 2025-10-05 at 12 54 18 PM
--------------------------------------------------------------------------------
/RHCSA-V.9.3/serverb/14 tuned.md:
--------------------------------------------------------------------------------
# Question: Your task is to select the recommended `tuned` profile for `servera` and set it as default.

### Solution

```
[root@servera ~]# dnf install tuned -y

[root@servera ~]# systemctl status tuned.service
● tuned.service - Dynamic System Tuning Daemon
     Loaded: loaded (/usr/lib/systemd/system/tuned.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-10-05 13:35:04 UTC; 1h 2min ago
 Invocation: 4068c40d7142466f98d305acfff734b0
       Docs: man:tuned(8)
             man:tuned.conf(5)
             man:tuned-adm(8)
   Main PID: 1042 (tuned)
      Tasks: 4 (limit: 9897)
     Memory: 17.5M (peak: 19M)
        CPU: 1.175s
     CGroup: /system.slice/tuned.service
             └─1042 /usr/bin/python3 -Es /usr/sbin/tuned -l -P

Oct 05 13:35:04 servera systemd[1]: Starting tuned.service - Dynamic System Tuning Daemon...
Oct 05 13:35:04 servera systemd[1]: Started tuned.service - Dynamic System Tuning Daemon.
```
### The command `systemctl enable --now tuned.service` will start and enable the service, so you don't need to run 2 commands, i.e. `systemctl start service_name` & `systemctl enable service_name`.

```
[root@servera ~]# systemctl enable --now tuned.service
```

### As per the question, check for the recommended profile. Remember the keyword `recommend`.
```
[root@servera ~]# tuned-adm recommend
virtual-guest
```

```
[root@servera ~]# tuned-adm profile virtual-guest

[root@servera ~]# tuned-adm active
Current active profile: virtual-guest
[root@servera ~]#
```
--------------------------------------------------------------------------------