Thursday, 12 November 2020

Studying and How to do it Better!

Introduction

This document records some of the ways I have learned to study, partly for myself (as I forget how to) and partly because I think some of the study skills I have picked up could be useful. I have a bit of examination experience, having taken the CompTIA A+ and N+, Microsoft MCP Windows XP (I am old) and MCP Windows Server 2003, Cisco CCNA V2 and V3, and the Red Hat Certified Systems Administrator. I've just used it to pass the AWS Certified Cloud Practitioner exam. It does seem to work.

This document does not blow the lid on anything! It's common sense, and I am hopeful it will be useful, but not breaking any rules, so to that end, 

Exam Dumps: Stupid and Pointless

Firstly, my view on Exam Dumps: I don't use them, and you shouldn't either. I want to look at why in this section. Before anything else, ask yourself: why is your certification useful? I think it's for the following reasons:

  • It demonstrates you have a practical skill (if the exam is a hands-on exam)
  • It demonstrates you understand concepts/techniques/ideas and can apply them in a given set of scenarios (questions or hands-on exam)
  • it demonstrates you have commitment to self-improvement and learning
  • It demonstrates that you were able to perform under pressure
  • You've been bench-marked and shown you meet criteria in a predictable way
  • Most importantly: you have demonstrable value

My view of exam dumps is this: their use makes the exam others worked hard at easier, less valuable (because more people have it) and above all pointless. When you use exam dumps, instead of learning the subject, the following becomes true:

  • You waste time, first and foremost: when you should have been learning a subject you can apply in the real world, you learned a pattern of letters that you cannot transfer anywhere else
  • You didn't learn a useful skill, you've blagged your way into a situation you're not equipped for.
  • You're skirting a useful validation system
  • IT is an industry that is primarily about problem solving. Sometimes you're working on a project, sometimes you're working under fire. If you have not learned about a subject, how do you expect to be able to understand it and fix it, when it breaks?
  • You are not helped when you try to use the skills you pretend to have, because under fire, you are utterly useless.
  • you learn nothing and look foolish in a job interview, when asked something (super basic) like "how many hosts in a /26 subnet"
  • you devalue the exam you're working towards - not just now, but for ever and for everybody: other engineers, employers, recruiters. The less respect an engineer has the less chance he has of getting a job. Like it or not, a credible certification does show expertise. If the exam secrecy has been blown, the exam loses value.
  • Most importantly, you shame yourself, because you're a cheat.

Motivation - why do the test at all?

Why are you studying for this exam? For me it's some or all of the following:

  • To pass the exam (the exam looks nice on LinkedIn because I look more capable and because it's a benchmark of skills, which will help me get a new job)
  • It's a good way to learn a lot of stuff about a new topic in a structured way, and if the topics are exciting, I know I will get a buzz out of doing it
  • It's fun/Interesting and yes, a bit addictive

Exam types

Different exam types need different strategies. 

  • 100% practical exams, like the RHCSA (This point is well documented! I am not telling you anything secret: The RHCSA is completely hands on, and hence the most fun)
  • Semi practical exams - Cisco CCNA: part lab (making changes, solving problems etc) and part question
  • Multiple choice exams - sadly many of these have been devalued because of stupid people who dump, but they are still good as a way to jam concepts forcefully into one's brain. This type is my least favorite. I enjoy terminals.

Study Strategies

General

You have one and only one goal (beyond getting the certification and using your skills on the real world): you want to increase familiarity in your chosen subject.
  • Know how your books are structured
  • Know how chapters are structured
  • Write things out, make notes, throw the notes away, be scrappy, be crappy, nothing matters, don't be like Rimmer on Red Dwarf! Don't spend ages on the time table and not enough time on the study.

Each exam strategy has the following topics:

  • me and my knowledge (i.e. what I knew before I started to study the subject)
  • resources
  • process
  • tips

 

RHCSA 7 

100% Practical exam

Me and my knowledge

I had been using RHEL/CentOS 6 and 7 for several years before I thought hard about doing the exam, however I think my process still has mileage. I had built some servers, I had some networking experience, and a bit of security knowledge.

I studied about 15 - 20 hours a week for roughly 18 months. There were times when I could not get my head into study mode at all, but mostly, the study was good fun. Lots of it I knew, lots of it I didn't. I was working as a junior systems administrator at the time and that boosted my motivation too.

Resources

  • Book and videos by Sander Van Vugt were both superb. I highly recommend him https://www.sandervanvugt.com/
  • Book by Jang was also wonderful: https://www.amazon.co.uk/RHCSA-Linux-Certification-Study-Seventh-ebook/dp/B01DB3H8AM

Process

  • Round 1
    • Read through Jang once
    • Did all the labs, based on my current skills and man pages: many of them were very hard, but that's ok
    • Did the chapter tests
    • Made a study plan based on the scores of the chapter tests
    • Watched about half of Sander's videos
  • Round 2
    • Read over Jang starting with the hardest chapters (for me SELinux, authentication) based on round 1 chapter tests
    • Did the labs a second time round, reread the chapters, made notes
    • Resat the chapter tests
    • Did the labs again, reread the chapters, and made notes
    • Ploughed through SVV's videos
  • Round 3
    • Very similar to round 2, however hopefully using man pages much more than before
    • Watched SVV's videos
  • Round 4
    • Practice Tests, from Jang's book
    • Figure out what I stunk at
    • Go back, redo the labs for those topics
    • Built an LDAP server

The point is to figure out where you're terrible and focus on that.

Tips:

  • Make VMs over and over and don't get too wedded to them
  • use the man pages over and over and over. Don't just learn them, but learn what to search for. They are so useful, and better than info (in my opinion)
  • Delete your VMs and do them over and over (yes, I am repeating myself, but KVM is a wonderful technology)
  • Make notes, but be prepared to trash them, and redo them
  • Use git to monitor your /etc/ folder https://www.blogger.com/blog/post/edit/preview/1201487505817119206/3053962330267496482
  • Get fast. Be able to do stuff without realising your fingers are dancing on their own!

AWS Certified Cloud Practitioner

100% Theory Based.

Me and my knowledge

I had used RHEL, load balancers, KVM and VMWare. I knew some networking, and I know what "/26" means, however I know almost nothing about Amazon AWS.

I studied about four hours a day for a month, however some of that time was spent using bad resources. The resources I ended up using are below.

Resources:

  • Sybex AWS CCP Study guide, which, while wordy, has turned out to be the best resource.
  • I bought some videos (naming no names) but they didn't help

Process

  • Round 1
    • I read through the whole book with a highlighter pen and highlighted the bits I thought were useful. I regret that, and have decided that marking the book made me miss things on the first reading. I do not recommend it.
    • I took all the end of chapter tests to figure out where I fell down in prep for the second reading
  • Round 2
    • I read the whole book, and made notes
    • I did the chapter tests again, looking for improvement and failure
  • Round 3
    • Much the same as round 2, but this time, I also took the tests in the Sybex book. One test I passed, one I flunked, so ended up going through the book a fourth time.

Tips

  • Do the labs: labs provide context for what is actually quite a theoretical exam. Context is vital: the certification is useful, and the labs will teach you basic skills you'll need in the outside world.
  • Writing out a chapter
    • Ask yourself: what is the chapter actually about? Sounds silly and basic, but it's vital to have a framework to hang ideas off. The introduction and the exam essentials are a good indication. Get three pens (red, blue and black) and a highlighter, and write with them. Once again, you want to breed familiarity with the text: the more familiar you are, the more you will actually learn. There are no shortcuts.
  • I think I passed this test because I did the exam in 45 minutes and then went back and rechecked everything. I mean EVERYTHING.

Friday, 2 October 2020

KVM Post Install

Below is a kickstart file I have been working on for some time, to help me with some Red Hat study. It's pretty standard, but it does do some things I am pleased about, such as

  • update the server
  • enable console access, so I can console to the server (as well as ssh to it)
  • install a nice basic set of packages that are useful (base, "Directory Client", and some others)
  • remove some stuff I don't like
  • put my /etc into version control
  • TODO: ssh keys, and a repo 

 [dpl@host02 run6]$ cat advanced_gui-ks.cfg
#sudo virt-install --name test --memory 3072 --disk /var/lib/libvirt/images/test.labs.io.qcow2,size=20 --disk /var/lib/libvirt/images/testd2.labs.io.qcow2,size=3 --disk /var/lib/libvirt/images/testd3.labs.io.qcow2,size=3 --location ftp://192.168.122.1/pub/inst/centos7 --extra-args "ks=ftp://192.168.122.1/pub/inst/centos7/advanced-ks.cfg"

#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use graphical install
graphical
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=gb --xlayouts='gb'
# System language
lang en_GB.UTF-8

# Network information
network  --bootproto=static --device=eth0 --gateway=GATEWAY --ip=ADDRESS --nameserver=8.8.8.8 --netmask=255.255.255.0 --ipv6=auto --activate
network  --hostname=HOSTNAME

# Use network installation
url --url="ftp://192.168.122.1/pub/inst/centos7"
# Root password
rootpw --iscrypted $6$7VMoGhXZlGlXEkGL$HMdSD4p0BGkC7E7VdGsOoM.by2MURrbwfhLulAFhHY8kSr/GLOIbBvOp9zTp.bv4eYlvdTceNXkCZOdpNObYt0
# System services
services --enabled="chronyd"
# System timezone
timezone Europe/London --isUtc
user --groups=wheel --name=dpl --password=$6$kdpWmfTi.fxYOg9m$dzHXgv8l3qxVx4oybWcHYsI4QbYNIcO4NzgR4Fk1THY5FDM.3p/GTx6N9cbjIDJc/bKiFfs7LjDi3D.FPmOG9/ --iscrypted --gecos="dpl"
# X Window System configuration information
xconfig  --startxonboot
# System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
autopart --type=lvm
# Partition clearing information
clearpart --none --initlabel

%post
#TODO - ssh keys, and a repo file
#TODO - make a repo server

yum -y update
systemctl enable serial-getty@ttyS0.service
systemctl start serial-getty@ttyS0.service
yum -y install epel-release
yum -y install vim tmux terminator htop mutt elinks lftp telnet git levien-inconsolata-fonts
cd /etc
git init
git add .
git commit -m "fresh build"
yum -y remove evince gnome-boxes gnome-dictionary gnome-text-editor gnome-weather gnome-terminal gedit orca cheese gnome-clocks gnome-contacts empathy
yum -y group install "Base"
yum -y group install "Directory Client"
cd /etc
git init
git add .
git commit -m "base and directory client installed"
wget ftp://192.168.122.1:/pub/inst/centos7/.tmux.conf -P /root/
wget ftp://192.168.122.1:/pub/inst/centos7/.tmux.conf -P /home/dpl/
wget ftp://192.168.122.1:/pub/inst/centos7/.vimrc -P /root/
wget ftp://192.168.122.1:/pub/inst/centos7/.vimrc -P /home/dpl/
wget ftp://192.168.122.1:/pub/inst/centos7/.bashrc -P /root
wget ftp://192.168.122.1:/pub/inst/centos7/.bashrc -P /home/dpl
wget ftp://192.168.122.1:/pub/inst/centos7/.gitconfig -P /root
wget ftp://192.168.122.1:/pub/inst/centos7/.gitconfig -P /home/dpl
%end
%packages
@^graphical-server-environment
@base
@core
@desktop-debugging
@dial-up
@fonts
@gnome-desktop
@guest-agents
@guest-desktop-agents
@hardware-monitoring
@input-methods
@internet-browser
@multimedia
@print-client
@x11
chrony
kexec-tools

%end

%addon com_redhat_kdump --enable --reserve-mb='auto'

%end

%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end

Saturday, 4 July 2020

Writing a Bash Check_MK Check to monitor RHEL 6 LVS Hosts

The check below monitors the number of hosts balanced by Linux Virtual Server on RHEL 6. The logic is as follows:
  • Find active server (clustat -l):
    • Correct number of hosts: OK
    • Too many hosts: Unknown
    • Lost hosts: Critical
  • Find passive, and indicate server is passive
  • If neither active nor passive, then the LVS server has died: Critical

$ cat check_lvs.sh
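#!/bin/bash
# check_lvs.sh
# Configure the correct number of hosts in mrpe.cfg with the "-h" flag.

# Total number of lines printed by ipvsadm
STATUS=$(ipvsadm -l | wc -l)
# Number of ipvsadm output lines that contain "->"
BALANCEDHOSTS=$(ipvsadm -l | egrep "\->" | wc -l)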

while getopts h: option
do
    case    "${option}"
        in
            h) CHECKEDHOSTS=${OPTARG};;
    esac

done

# A passive cluster member: has no hosts balanced by it
if [ $STATUS -eq 3 ]
    then
        echo "OK: This LVS is the passive server in the cluster. "
        exit 0

# OK: An active cluster member with correct number of hosts
elif [ $STATUS -gt 3 ] && [ $BALANCEDHOSTS -eq $CHECKEDHOSTS ]
    then
        echo "OK: This LVS is the active server in the cluster, and has the correct number of hosts."
        exit 0

# CRITICAL: An active cluster member with less than the right number of hosts
elif [ $STATUS -gt 3 ] && [ $BALANCEDHOSTS -lt $CHECKEDHOSTS ]
    then
        echo "CRITICAL: This LVS has lost hosts."
        exit 2

# CRITICAL: LVS has died
elif [ $STATUS -lt 3 ]
    then
        echo "CRITICAL: This LVS is down."
        exit 2

# UNKNOWN: An active cluster member with more than the right number of hosts
else
        echo "UNKNOWN - Nagios expected $CHECKEDHOSTS hosts, but found $BALANCEDHOSTS hosts."
        exit 3
fi


The script uses bash's getopts builtin (with OPTARG) to get input. The "-h" flag can be used to tell the check how many devices should be monitored.









Tuesday, 14 April 2020

Why I found git is useful when Studying for the RHCSA

In my first blog post in six years I wanted to describe how I am using Git to help me study for the RHCSA (v7).

The RHCSA is a lot of fun: I am learning lots of very useful stuff I did not know before, and that's fantastic, however I am not just learning the OS, I am picking up study skills, and this is what this post is about.

When I build a new server, I install git as early as possible in the process, and add /etc into it. This is useful because
a) I can revert a config change quickly and easily
b) I can remind myself of changes I have made
c) I quickly discover new configuration files when I install a package
d) most importantly: I have visibility on what the server is doing when I make a change.

As an example, install authconfig-tui. This is software that helps you hook your server up to OpenLDAP or FreeIPA. It's deceptively simple. A couple of button presses and you can connect to either type of server. However, the changes going on behind the scenes are enormous, and without visibility on them you'll miss them. Enter git-versioning on /etc. Even the simple act of using authconfig-tui leads to changes in at least six different files, only now you can see them, with ease, without really knowing very much - a very useful trick!

[root@server01 cacerts]# git diff --ignore-all-space 
diff --git a/nslcd.conf b/nslcd.conf
index a8fd2ad..8604c34 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -15,14 +15,14 @@ gid ldap
 #uri ldaps://127.0.0.1/
 #uri ldapi://%2fvar%2frun%2fldapi_sock/
 # Note: %2f encodes the '/' used as directory separator
-uri ldap://127.0.0.1/
+uri ldap://ldap01.labs.io
 
 # The LDAP version to use (defaults to 3
 # if supported by client library)
 #ldap_version 3
 
 # The distinguished name of the search base.
-base dc=example,dc=com
+base dc=labs,dc=io
 
 # The distinguished name to bind to the server with.
 # Optional: default is to bind anonymously.
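Review bot: the new `uri ldap://ldap01.labs.io` line uses the cleartext `ldap://` scheme, so protection of binds and lookups rests entirely on the `ssl start_tls` line added in the last hunk of this file. Keep the two changes in the same commit, and consider adding an explicit `tls_reqcert demand` so certificate checking does not depend on a library default.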
@@ -141,3 +141,5 @@ base dc=example,dc=com
 #map    group  cn               groupName
 #map    group  gidNumber        gid
 # This comment prevents repeated auto-migration of settings.
+ssl start_tls
+tls_cacertdir /etc/openldap/cacerts
 
diff --git a/openldap/ldap.conf b/openldap/ldap.conf
index aa6f8fd..b391cab 100644
--- a/openldap/ldap.conf
+++ b/openldap/ldap.conf
@@ -12,7 +12,9 @@
 #TIMELIMIT     15
 #DEREF         never
 
-TLS_CACERTDIR  /etc/openldap/certs
+TLS_CACERTDIR /etc/openldap/cacerts
 
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON   on
+URI ldap://ldap01.labs.io
+BASE dc=labs,dc=io
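Review bot: `TLS_CACERTDIR` now points at `/etc/openldap/cacerts`, but no file under that directory appears anywhere in this diff, because `git diff` only reports tracked files. Run `git status` and `git add openldap/cacerts` before committing, so the CA certificate these settings rely on is versioned with them.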

diff --git a/pam.d/fingerprint-auth-ac b/pam.d/fingerprint-auth-ac
index 162f0bb..0fb4706 100644
--- a/pam.d/fingerprint-auth-ac
+++ b/pam.d/fingerprint-auth-ac
@@ -5,9 +5,10 @@ auth        required      pam_env.so
 auth        sufficient    pam_fprintd.so
 auth        required      pam_deny.so
 
-account     required      pam_unix.so
+account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so
 
 password    required      pam_deny.so
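Review bot: `broken_shadow` on the `account required pam_unix.so` line makes pam_unix ignore errors when reading shadow information during account checks. It is there so accounts without a local shadow entry are not rejected before the new `pam_ldap.so` account line, but it also hides a damaged local shadow entry; say in the commit message that authconfig added it for LDAP. The same change repeats in the other three `pam.d/*-auth-ac` files.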
@@ -17,3 +18,4 @@ session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
+session     optional      pam_ldap.so
diff --git a/pam.d/password-auth-ac b/pam.d/password-auth-ac
index 4b80407..4d51faf 100644
--- a/pam.d/password-auth-ac
+++ b/pam.d/password-auth-ac
@@ -5,15 +5,18 @@ auth        required      pam_env.so
 auth        required      pam_faildelay.so delay=2000000
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
+auth        sufficient    pam_ldap.so use_first_pass
 auth        required      pam_deny.so
 
-account     required      pam_unix.so
+account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so
 
 password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_ldap.so use_authtok
 
 
 password    required      pam_deny.so
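Review bot: the added `password sufficient pam_ldap.so use_authtok` line sits below `pam_pwquality.so try_first_pass local_users_only`, so the quality check is skipped for users who are not in the local passwd file and an LDAP user's new password reaches pam_ldap unchecked. Confirm that the directory server enforces its own password policy, or drop `local_users_only` if the local rules should apply to LDAP users as well.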
@@ -23,3 +26,4 @@ session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
+session     optional      pam_ldap.so
diff --git a/pam.d/smartcard-auth-ac b/pam.d/smartcard-auth-ac
index 83b3c90..1c4b1ce 100644
--- a/pam.d/smartcard-auth-ac
+++ b/pam.d/smartcard-auth-ac
@@ -5,9 +5,10 @@ auth        required      pam_env.so
 auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
 auth        required      pam_deny.so
 
-account     required      pam_unix.so
+account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so
 
 password    required      pam_pkcs11.so
@@ -17,3 +18,4 @@ session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
+session     optional      pam_ldap.so
diff --git a/pam.d/system-auth-ac b/pam.d/system-auth-ac
index 78a1684..eefa0be 100644
--- a/pam.d/system-auth-ac
+++ b/pam.d/system-auth-ac
@@ -6,15 +6,18 @@ auth        required      pam_faildelay.so delay=2000000
 auth        sufficient    pam_fprintd.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
+auth        sufficient    pam_ldap.so use_first_pass
 auth        required      pam_deny.so
 
-account     required      pam_unix.so
+account     required      pam_unix.so broken_shadow
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so
 
 password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_ldap.so use_authtok
 password    required      pam_deny.so
 
 session     optional      pam_keyinit.so revoke
@@ -22,3 +25,4 @@ session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
+session     optional      pam_ldap.so
diff --git a/selinux/targeted/active/commit_num b/selinux/targeted/active/commit_num
index 406d5d6..abffc04 100644
Binary files a/selinux/targeted/active/commit_num and b/selinux/targeted/active/commit_num differ
diff --git a/selinux/targeted/active/policy.kern b/selinux/targeted/active/policy.kern
index 397fdbe..5558f07 100644
Binary files a/selinux/targeted/active/policy.kern and b/selinux/targeted/active/policy.kern differ
diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31
index 397fdbe..5558f07 100644
Binary files a/selinux/targeted/policy/policy.31 and b/selinux/targeted/policy/policy.31 differ
diff --git a/sysconfig/authconfig b/sysconfig/authconfig
index ef286a7..c03231c 100644
--- a/sysconfig/authconfig
+++ b/sysconfig/authconfig
@@ -12,8 +12,8 @@ USEFPRINTD=yes
 USEHESIOD=no
 USEIPAV2=no
 USEKERBEROS=no
-USELDAP=no
-USELDAPAUTH=no
+USELDAP=yes
+USELDAPAUTH=yes
 USELOCAUTHORIZE=yes
 USEMKHOMEDIR=no
 USENIS=no
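Review bot: `USELDAP` and `USELDAPAUTH` flip to `yes` while `USEMKHOMEDIR=no` in the context below stays unchanged, so an LDAP user logging in for the first time gets no home directory created. If home directories are not provided some other way (for example NFS), enable that setting in the same change.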

Permissions change, lines are added and removed. This way, one can see what one's server is doing.



My "/etc git" life cycle is as follows:
  • Make a new VM, patch it
  • Install vim, tmux and git
  • Turn /etc into a version controlled folder
  • use the server, and use git in the normal way
    • e.g. install a new software package
      • commit the configs
      • change the configs
      • commit the changes
      • change the configs and commit
      • ...usual git stuff
  • Git becomes useful when one wants to refer back to old changes...
The possibilities are endless.
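
The life cycle above as a small script, added here as an example and not taken from the original post: it snapshots a directory into git and keeps `.git` owner-only, since a repository in /etc holds copies of files such as /etc/shadow. The function names and the temporary demo directory are assumptions.

```shell
#!/bin/sh
# Added example: snapshot a config directory with git and keep the repo private.
# Function names and the demo directory are assumptions, not from the post.

# etc_snapshot DIR MESSAGE: put DIR under git on first use, then commit its state.
etc_snapshot() {
    dir=$1; msg=$2
    (
        cd "$dir" || exit 1
        umask 077                  # objects written under .git become owner-only
        if [ ! -d .git ]; then
            git init -q . || exit 1
            chmod 700 .git         # .git will hold copies of files such as shadow
        fi
        git add -A . || exit 1
        # Commit only when the index differs from the last snapshot. The identity
        # is passed inline so this works on a host with no ~/.gitconfig yet.
        if ! git diff --cached --quiet; then
            git -c user.name="etc snapshot" -c user.email="root@localhost" \
                commit -q -m "$msg"
        fi
    )
}

# etc_changed DIR: print paths that are modified, new or deleted since the
# last snapshot, one per line.
etc_changed() {
    ( cd "$1" && git status --porcelain | cut -c4- )
}

# etc_repo_private DIR: succeed only if DIR/.git is closed to group and other.
etc_repo_private() {
    perms=$(stat -c %a "$1/.git") || return 1
    [ "$perms" = "700" ]
}

# Demo on a throwaway directory with constructed sample files (not a real /etc).
etc_git_demo() {
    demo=$(mktemp -d) || return 1
    printf 'uri ldap://127.0.0.1/\n' > "$demo/nslcd.conf"
    etc_snapshot "$demo" "fresh build" || return 1
    # Stand-in for a tool that edits one file and creates another.
    printf 'uri ldap://ldap01.labs.io\n' > "$demo/nslcd.conf"
    printf 'USELDAP=yes\n' > "$demo/authconfig"
    etc_changed "$demo" | sort
    etc_snapshot "$demo" "after authconfig-tui" || return 1
    rm -rf "$demo"
}

etc_git_demo
```

On a real server, run `etc_snapshot /etc "fresh build"` as root right after the install, then `etc_changed /etc` after each package or tool you try.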

Best of luck