RHCSA Tasks¶

This page contains some tasks that may be required in the RHCSA exam.

Reset Root Password¶

Knowing how to reset the password of the root user is super important for syadmins, and it's an RHCSA exam objective.

The steps to reset the root password are as follows:

Reboot the system to boot in recovery mode.
```
reboot
```
Then, when we get into GRUB, select the kernel (linux-*) and press E.
Navigate down to the line that starts with linux.
Navigate to the end of the line and type in rd.break.
Hit Ctrl+X. This will boot into emergency mode, which will provide a recovery shell to make changes to the system.
Then, remount the /sysroot/ directory:
```
mount -o remount,rw /sysroot/
```
Now chroot into the remounted /sysroot/ directory:
```
chroot /sysroot
```
This will bring the root filesystem back online (see man chroot).
- If it says chroot is not available, it's probably not in the PATH environment variable. On RHEL 10, find is available in PATH to find where the chroot binary is located.
```
find / -name 'chroot' -executable
```
- On a clean installation of RHEL 10, chroot was found in /sysroot/usr/sbin/chroot, so specify the entire path.
```
/sysroot/usr/sbin/chroot /sysroot
```
Now, change the root password itself.
```
passwd root
```
On the RHCSA exam, change the password to the one that you're given.
Don't just pick one. You usually need to set the password to a specific value.
Then, create the .autorelabel file.
```
touch /.autorelabel
```
- This is primarily for SELinux. It will ensure that SELinux applies labels the way that it's supposed to.
- This is important because changing the password modifies the /etc/shadow file, and if SELinux doesn't apply the correct labels to that file, then you won't be able to log in with the new password.
Exit the chrooted environment.
```
exit
```

Finally, reboot the system.

reboot -f
# or
shutdown -r now
# or
systemctl reboot

When all that is done, try logging in with the password that we set.

TL;DR¶

# Reboot and enter GRUB, edit the kernel line with E to add `rd.break`, then Ctrl+X to boot into emergency mode, then run:
mount -o remount,rw /sysroot/
chroot /sysroot
passwd root
touch /.autorelabel
exit
reboot -f

Note on Other Distros¶

Typically other RHEL-based distros have a somewhat similar boot process (namely Rocky Linux, Alma Linux, etc.).

Other distributions have a similar process but the exact steps differ.

On Ubuntu/Debian:

You would need to edit the linux line in GRUB to add init=/bin/bash instead of rd.break.
Then, you would need to remount the root filesystem with mount -o remount,rw / instead of mount -o remount,rw /sysroot/.
Finally, you would not need to create the .autorelabel file, as Ubuntu /Debian does not use SELinux.
The rest of the steps are the same.

Enable Persistent Storage for Journald¶

One of the RHCSA exam objectives is:

"Preserve system journals"

The process here is fairly straightforward.

journalctl --no-pager | grep -i '/log/journal' | tail

In these logs, you'll see the location for the Runtime Journal:

Oct 01 10:53:08 localhost systemd-journald[271]: Runtime Journal (/run/log/journal/6a521d735b0a43b6a5443c89f42a3570) is 8M, max 73M, 65M free.
Oct 01 10:53:14 rhel systemd-journald[662]: Runtime Journal (/run/log/journal/6a521d735b0a43b6a5443c89f42a3570) is 8M, max 73M, 65M free.
Oct 01 10:53:14 rhel systemd-journald[662]: Runtime Journal (/run/log/journal/6a521d735b0a43b6a5443c89f42a3570) is 8M, max 73M, 65M free.

We can see that the journal is logging to the /run/log/journal/ directory, which does not persist across reboots.

To set it up to be persistent, edit /etc/systemd/journald.conf.

Note

If the file does not exist, create it.

sudo touch /etc/systemd/journald.conf

Add a line under the [Journal] section:

[Journal]
Storage=persistent

Then create the directory:

mkdir /var/log/journal

Then restart journald:

systemctl restart systemd-journald

If you're on RHEL9+, you'll need to flush the log data stored in /run/log/journal/ into /var/log/journal/.

journalctl --flush

Now check the logs again, in the same way:

journalctl --no-pager | grep -i '/log/journal' | tail

Now we should see:

Oct 01 11:01:28 rhel systemd-journald[3696]: Runtime Journal (/run/log/journal/6a521d735b0a43b6a5443c89f42a3570) is 8M, max 73M, 65M free.
Oct 01 11:01:51 rhel systemd-journald[3696]: Time spent on flushing to /var/log/journal/6a521d735b0a43b6a5443c89f42a3570 is 72.686ms for 2184 entries.
Oct 01 11:01:51 rhel systemd-journald[3696]: System Journal (/var/log/journal/6a521d735b0a43b6a5443c89f42a3570) is 8M, max 2.7G, 2.7G free.

We can see the previous logging to /run/log/journal, then we see our --flush command being logged, and finally we see our /var/log/journal directory being written to.

These journal databases will now persist across reboots.

Reboot the machine to verify.

reboot

Check the journal with -b -1 to check the previous boot.

journalctl -b -1

Managing Basic Networking¶

An entire section in the RHCSA exam objectives is "Manage basic networking".

NetworkManager in RHEL systems is a dynamic network control and configuration daemon. It's used to keep network devices and connections up and active when they're available.

There are two main tools used to configure NetworkManager.

nmcli: Command-line tool
- man nmcli
- man nmcli-examples
nmtui: TUI tool (nicer UX)

The more powerful choice is nmcli.

Configure Static IP Addresses¶

There are a few main objectives in this part.

Identify which interface to configure
Create/modify a NetworkManager connection profile for that interface.

check interfaces.

ip a

Identify the interface to configure (e.g., ens18).

Check NM profiles.

nmcli con show

See if we have a profile that already matches the network interface (e.g., ens18).

Note

The name of the profile should not be confused with the name of the interface.
The name of the NM profile is named after the interface.

The connection profile is located in /etc/NetworkManager/system-connections

ls /etc/NetworkManager/system-connections/
# ens18.nmconncection

Deprecated Config Directory

The /etc/sysconfig/network-scripts directory that used to be used to configure NetworkManager is deprecated in RHEL 9+.

Follow the address configuration instructions from the cloud provider.

Using NMTUI¶

sudo nmtui
# > select connection
# > Edit connection
# > Switch from "Automatic" to "Manual" and enter all details

After setting up with nmtui, run:

nmcli con reload
systemctl restart NetworkManager

Check the IP address again:

ip a

See if your new IP is correctly configured.

Using NMCLI¶

To just use the nmcli tool to configure the static IP, start with a clean slate. Delete the current profile that corresponds to the network interface you're configuring.

nmcli con del ens18  # Delete the current profile for the `ens18` interface
systemctl restart NetworkManager

Now check the man nmcli-examples page.

Example 11 shows how to add an ethernet connection profile with a manaual IP config.

nmcli con add type ethernet con-name MyNet ifname ens18 \
    ip4 142.202.190.187/26 \
    gw4 142.202.190.129    \
    ipv4.dns "8.8.8.8 8.8.4.4" \
    ip6 2600:c05:2010:50:184::1/64 \
    gw6 2600:c05:2010:50:1 \
    ipv6.dns "2001:4860:4860::8888 2001:4870:4860::8844"

Now reload the configuration, and check that it worked.

nmcli con show
nmcli con reload
systemctl restart NetworkManager
ip a
curl example.org

Configure Hostname Resolution¶

There's a framework on many Unix systems called NSS (Name Service Switch).

This framework is responsible for figuring out what source/service should be used to resolve names, and in what order.

The config file for NSS is /etc/nsswitch.conf.

The default order on RHEL 10:

# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

# In order of likelihood of use to accelerate lookup.
passwd:     files systemd
shadow:     files
group:      files [SUCCESS=merge] systemd
hosts:      files  dns myhostname
services:   files
netgroup:   files
automount:  files

aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

The objective is to configure hostname resolution. So, the line we want to configure here is the one that specifies hosts.

The current order for hosts name resolution:

files: /etc/hosts
dns: /etc/resolv.conf
myhostname: The nss-myhostname plugin. Provides hostname resolution for the locally configured system hostname.
- Resolves the system's own hostname, as well as localhost and other special names.

The order matters!

The order in which these services are queried are the order in which they appear in the nsswitch.conf file.
So here, hostname resolution first goes through /etc/hosts, then /etc/resolv.conf, then finally the nss-myhostname plugin. The next source will only be queried if no match is found.

`/etc/hosts` (files)¶

Check /etc/hosts (the first source).

vi /etc/hosts #(1)!

This file has a man entry: man 5 hosts

The file should look something like this:

# Loopback entries; do not change.
# For historical reasons, localhost precedes localhost.localdomain:

127.0.0.1   rhel localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# See hosts(5) for proper format and other examples:
# 192.168.1.10 foo.example.org foo
# 192.168.1.13 bar.example.org bar

Here, the local host's hostname is rhel.

Here is where you can configure how hostnames resolve.

For example, you could make the example.org hostname always resolve to the IP address 1.2.3.4, or make blah refer to the localhost, by adding the lines:

1.2.3.4    example.org
blah       127.0.0.1

The address goes on the left, the hostname goes on the right.

We can then ping example.org and it will ping 1.2.3.4.

Changing the Order¶

We can change the order in which we resolve hostnames by editing the nsswitch.conf file.

If we change this line:

hosts:      files  dns myhostname

We can make dns the first service we check for hostname resolution.

hosts:      dns files  dns myhostname

Now, even if we had that example.org entry in /etc/hosts, the DNS will find the real example.org on the internet and ping that instead.

But, if we still have that blah entry, DNS won't be able to resolve it, so /etc/hosts will be queried.

Changing DNS Settings¶

The /etc/resolv.conf is where programs find the IP address for the DNS server.

Making DNS changes persistent

The RHCSA is about persistence -- this file is not modified directly, it's generated by NetworkManager. If we were to modify this file, it would not be persistent, as it would be re-generated by NetworkManager when the service starts/restarts.