Chapter 17 ⏱️ 60 min read 📚 Review

Comprehensive RHCSA Review

Complete review of all RHCSA exam objectives. Master command reference, practice scenarios, and exam strategies for EX200 certification success.

🎯 RHCSA Exam Objectives (EX200)

1. Understand and Use Essential Tools

  • ✅ Access shell prompt and execute commands
  • ✅ Use I/O redirection (>, >>, <, |, 2>&1)
  • ✅ Use grep and regular expressions
  • ✅ Access remote systems using SSH
  • ✅ Log in and switch users (su, sudo)
  • ✅ Archive, compress, unpack files (tar, gzip, bzip2)
  • ✅ Create and edit text files (vim)
  • ✅ Create, delete, copy, move files and directories
  • ✅ Create hard and soft links
  • ✅ List, set, change file permissions
  • ✅ Locate, read, and use documentation (man, info, /usr/share/doc)

2. Create Simple Shell Scripts

  • ✅ Conditionally execute code (if, test)
  • ✅ Use looping constructs (for, while)
  • ✅ Process script inputs ($1, $2, $#, $@)

3. Operate Running Systems

  • ✅ Boot, reboot, shutdown systems normally
  • ✅ Boot systems into different targets manually
  • ✅ Interrupt boot process to gain access
  • ✅ Identify CPU/memory intensive processes
  • ✅ Adjust process scheduling (nice, renice)
  • ✅ Manage tuning profiles (tuned)
  • ✅ Locate and interpret system log files
  • ✅ Preserve system journals
  • ✅ Start, stop, check service status
  • ✅ Transfer files between systems securely

4. Configure Local Storage

  • ✅ List, create, delete partitions (MBR and GPT)
  • ✅ Create and remove physical volumes
  • ✅ Assign physical volumes to volume groups
  • ✅ Create and delete logical volumes
  • ✅ Configure systems to mount file systems at boot
  • ✅ Add new partitions, logical volumes, swap non-destructively

5. Create and Configure File Systems

  • ✅ Create, mount, unmount, use vfat, ext4, xfs
  • ✅ Mount and unmount network file systems (NFS)
  • ✅ Configure autofs
  • ✅ Extend existing logical volumes
  • ✅ Create and configure set-GID directories
  • ✅ Diagnose and correct file permission problems

6. Deploy, Configure, Maintain Systems

  • ✅ Schedule tasks using at and cron
  • ✅ Start and stop services, configure services to start at boot
  • ✅ Configure systems to boot into a specific target
  • ✅ Configure time service clients
  • ✅ Install and update software packages
  • ✅ Modify system bootloader

7. Manage Basic Networking

  • ✅ Configure IPv4 and IPv6 addresses
  • ✅ Configure hostname resolution
  • ✅ Configure network services to start at boot
  • ✅ Restrict network access using firewall-cmd/firewalld

8. Manage Users and Groups

  • ✅ Create, delete, modify local user accounts
  • ✅ Change passwords and adjust password aging
  • ✅ Create, delete, modify local groups
  • ✅ Configure superuser access

9. Manage Security

  • ✅ Configure firewall settings (firewall-cmd)
  • ✅ Manage default file permissions (umask)
  • ✅ Configure key-based authentication for SSH
  • ✅ Set enforcing and permissive modes for SELinux
  • ✅ List and identify SELinux file and process context
  • ✅ Restore default file contexts
  • ✅ Manage SELinux port labels
  • ✅ Use boolean settings to modify system SELinux
  • ✅ Diagnose and address routine SELinux policy violations

10. Manage Containers

  • ✅ Find and retrieve container images from remote registry
  • ✅ Inspect container images
  • ✅ Perform container management (run, start, stop, list)
  • ✅ Run a service inside a container
  • ✅ Configure a container to start automatically
  • ✅ Attach persistent storage to a container

📚 Essential Command Reference

File Management

# Navigation & listing
ls -lah, cd, pwd, tree

# File operations
cp -r, mv, rm -rf, mkdir -p, touch
ln -s source link  # symbolic link
ln source link     # hard link

# Search & find
find /path -name "*.txt" -type f -size +10M
locate filename
which command
whereis command

# Text processing
cat, less, more, head -n 10, tail -f
grep -r "pattern" /path
cut -d: -f1 /etc/passwd
sort, uniq, wc -l
sed 's/old/new/g' file
awk '{print $1}' file

User & Group Management

# Users
useradd -m -s /bin/bash -G wheel username
usermod -aG group username
userdel -r username
passwd username
chage -l username
chage -M 90 username  # max password age

# Groups
groupadd groupname
groupmod -n newname oldname
groupdel groupname
groups username
id username

# Sudo access
visudo
usermod -aG wheel username

Permissions & ACLs

# Basic permissions
chmod 755 file
chmod u+x,g+w,o-r file
chown user:group file
chown -R user:group directory

# Special permissions
chmod 2755 directory  # setgid
chmod 1777 directory  # sticky bit
chmod 4755 file       # setuid

# ACLs
setfacl -m u:user:rwx file
setfacl -m g:group:rx file
setfacl -x u:user file
getfacl file
setfacl -R -m d:u:user:rwx directory  # default ACL

# SELinux contexts
ls -Z, ps -Z
chcon -t httpd_sys_content_t file
restorecon -Rv /path
semanage fcontext -a -t type "/path(/.*)?"
semanage fcontext -l | grep /path

Storage Management

# Partitioning
lsblk, fdisk -l, parted -l
fdisk /dev/sdb       # MBR
parted /dev/sdb      # GPT
partprobe /dev/sdb

# File systems
mkfs.xfs /dev/sdb1
mkfs.ext4 /dev/sdb1
mkfs.vfat /dev/sdb1
mount /dev/sdb1 /mnt
umount /mnt
blkid  # show UUIDs

# /etc/fstab
UUID=xxx /mnt xfs defaults 0 0
/dev/sdb1 /data ext4 defaults 0 0

# LVM
pvcreate /dev/sdb
pvs, pvdisplay
vgcreate vg01 /dev/sdb /dev/sdc
vgs, vgdisplay, vgextend vg01 /dev/sdd
lvcreate -n lv01 -L 5G vg01
lvs, lvdisplay
lvextend -L +2G /dev/vg01/lv01
lvextend -r -L +2G /dev/vg01/lv01  # resize fs too
xfs_growfs /mnt  # xfs
resize2fs /dev/vg01/lv01  # ext4

# Swap
mkswap /dev/sdb2
swapon /dev/sdb2
swapoff /dev/sdb2
swapon -a  # activate all in fstab

Systemd & Services

# Service management
systemctl start service
systemctl stop service
systemctl restart service
systemctl status service
systemctl enable --now service
systemctl disable service
systemctl is-enabled service
systemctl list-units --type=service
systemctl daemon-reload

# Targets
systemctl get-default
systemctl set-default multi-user.target
systemctl isolate graphical.target
systemctl list-units --type=target

# Boot process
systemctl reboot
systemctl poweroff
systemctl rescue
systemctl emergency

Networking

# NetworkManager
nmcli con show
nmcli con add type ethernet con-name ens33 ifname ens33
nmcli con mod ens33 ipv4.addresses 192.168.1.100/24
nmcli con mod ens33 ipv4.gateway 192.168.1.1
nmcli con mod ens33 ipv4.dns "8.8.8.8 8.8.4.4"
nmcli con mod ens33 ipv4.method manual
nmcli con up ens33
nmcli con down ens33

# Hostname
hostnamectl set-hostname server.example.com
nmcli general hostname server.example.com

# Testing
ping -c 4 8.8.8.8
ip addr show
ip route
ss -tulpn
curl, wget

Firewalld

# Basic operations
firewall-cmd --state
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=public
firewall-cmd --list-all
firewall-cmd --reload

# Services & ports
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --remove-service=http
firewall-cmd --reload

# Rich rules
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
firewall-cmd --list-rich-rules

Containers (Podman)

# Images
podman search nginx
podman pull nginx
podman images
podman rmi nginx

# Containers
podman run -d --name web -p 8080:80 nginx
podman ps
podman ps -a
podman stop web
podman start web
podman rm web
podman logs web
podman exec -it web /bin/bash

# Storage
podman run -d -v ~/data:/data:Z nginx

# Systemd
podman generate systemd --name web --files --new
mkdir -p ~/.config/systemd/user
mv container-web.service ~/.config/systemd/user/
systemctl --user daemon-reload
systemctl --user enable --now container-web
loginctl enable-linger $USER

🧪 Practice Scenarios

Scenario 1: Create User with Restricted Access

Task: Create user "developer" with:

  • Home directory /home/developer
  • Default shell /bin/bash
  • Member of "devteam" group
  • Password expires every 60 days
  • Sudo access to restart httpd service only

# Create group
sudo groupadd devteam

# Create user
sudo useradd -m -s /bin/bash -G devteam developer

# Set password
sudo passwd developer

# Configure password aging
sudo chage -M 60 developer

# Configure sudo
sudo visudo
# Add line:
developer ALL=(ALL) /usr/bin/systemctl restart httpd

# Verify
id developer
sudo -l -U developer

Scenario 2: Configure Persistent Storage

Task: Create 2GB logical volume for /data:

  • Use disk /dev/sdb
  • Volume group: vg_data
  • Logical volume: lv_data
  • File system: XFS
  • Mount persistently at /data

# Create physical volume
sudo pvcreate /dev/sdb

# Create volume group
sudo vgcreate vg_data /dev/sdb

# Create logical volume
sudo lvcreate -n lv_data -L 2G vg_data

# Create filesystem
sudo mkfs.xfs /dev/vg_data/lv_data

# Create mount point
sudo mkdir /data

# Add to fstab
echo '/dev/vg_data/lv_data /data xfs defaults 0 0' | sudo tee -a /etc/fstab

# Mount
sudo mount -a

# Verify
df -h /data
lsblk

Scenario 3: Configure Web Server with Firewall

Task: Setup httpd accessible only from 192.168.1.0/24:

# Install httpd
sudo dnf install -y httpd

# Enable and start
sudo systemctl enable --now httpd

# Create test page
echo "<h1>Test Page</h1>" | sudo tee /var/www/html/index.html

# SELinux (if needed)
sudo restorecon -Rv /var/www/html

# Firewall - allow from specific subnet only
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'
sudo firewall-cmd --reload

# Verify
curl http://localhost
sudo firewall-cmd --list-all

Scenario 4: Automate Container at Boot

Task: Run nginx container that starts automatically:

# Pull image
podman pull nginx

# Run container
podman run -d --name webserver -p 8080:80 nginx

# Test
curl http://localhost:8080

# Generate systemd unit
podman generate systemd --name webserver --files --new

# Stop original container
podman stop webserver
podman rm webserver

# Install service
mkdir -p ~/.config/systemd/user
mv container-webserver.service ~/.config/systemd/user/

# Reload systemd
systemctl --user daemon-reload

# Enable linger
sudo loginctl enable-linger $USER

# Enable and start
systemctl --user enable --now container-webserver.service

# Verify
systemctl --user status container-webserver.service
curl http://localhost:8080

Scenario 5: Troubleshoot SELinux Denial

Task: Apache can't access /web/index.html:

# Check SELinux mode
getenforce

# Check context
ls -Z /web/index.html

# Check for denials
sudo ausearch -m AVC -ts recent
sudo journalctl -t setroubleshoot

# Fix context
sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
sudo restorecon -Rv /web

# Verify
ls -Z /web
curl http://localhost/index.html

# Alternative: troubleshoot tool
sudo sealert -a /var/log/audit/audit.log
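
To show what the denial check in this scenario yields, the following added example (not part of the original guide) groups AVC records by process, permission and target type. The audit records are constructed samples, and the hint column is a heuristic assumption rather than policy analysis.

```shell
#!/bin/sh
# Added example: summarize AVC denials from audit.log-style text.
# Sample records below are constructed, not taken from a real host.

sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:401): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:401): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000005.220:409): avc:  denied  { read } for  pid=2102 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.514:415): avc:  denied  { name_bind } for  pid=2200 comm="httpd" src=8282 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# summarize_avc: stdin = audit records
# stdout = "count comm perms source_type target_type class hint", one line per distinct denial
summarize_avc() {
    awk '
    / avc: +denied / {
        perm = ""; comm = st = tt = cls = "?"; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }        # permissions sit between { and }
            if ($i == "}") { inb = 0; continue }
            if (inb) perm = (perm == "" ? "" : perm ",") $i
            if ($i ~ /^comm=/)     { split($i, c, "\""); comm = c[2] }
            if ($i ~ /^scontext=/) { split($i, s, ":");  st = s[3] }   # third part is the type
            if ($i ~ /^tcontext=/) { split($i, t, ":");  tt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        seen[comm " " perm " " st " " tt " " cls]++
    }
    END {
        for (k in seen) {
            split(k, f, " ")
            hint = "review-with-sealert"
            # Heuristic: these target types usually mean the file was never labelled for the service
            if (f[4] ~ /^(default_t|unlabeled_t|user_home_t)$/) hint = "fix-file-context"
            else if (f[5] ~ /_socket$/ && f[2] ~ /name_bind/)   hint = "check-port-label"
            print seen[k], k, hint
        }
    }' | sort -k2
}

sample_audit | summarize_avc
```

On a real system, run it as root with `summarize_avc < /var/log/audit/audit.log`; a `fix-file-context` line corresponds to the semanage fcontext and restorecon steps above.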

🔧 Troubleshooting Guide

Boot Issues

| Problem | Solution |
|---|---|
| Forgot root password | Boot to rd.break, mount -o remount,rw /sysroot, chroot /sysroot, passwd, touch /.autorelabel |
| Wrong fstab entry | Boot to emergency.target, edit /etc/fstab, systemctl daemon-reload, mount -a |
| SELinux blocking boot | Add selinux=0 to kernel line (temporary), or enforcing=0 |

Network Issues

| Problem | Check | Fix |
|---|---|---|
| No IP address | ip addr, nmcli con show | nmcli con up connection |
| Can't ping gateway | ip route | nmcli con mod con ipv4.gateway x.x.x.x |
| DNS not working | cat /etc/resolv.conf | nmcli con mod con ipv4.dns "8.8.8.8" |
| Port blocked | firewall-cmd --list-all | firewall-cmd --add-port=X/tcp --permanent |

Storage Issues

| Problem | Solution |
|---|---|
| Disk full | df -h, du -sh /*, lvextend -r -L +5G /dev/vg/lv |
| Mount fails | Check blkid UUID, verify /etc/fstab syntax, mount -a |
| Permission denied | ls -ld, chmod, chown, getfacl, ls -Z, restorecon |

Service Issues

# Service won't start
systemctl status service.service
journalctl -u service.service -n 50
journalctl -xe

# Service not enabled
systemctl is-enabled service
systemctl enable service

# Port already in use
ss -tulpn | grep :80
kill -9 PID

💡 Exam Tips & Strategy

⏱️ Time Management

Exam Duration: 3 hours (180 minutes)
Strategy:
• Read ALL questions first (5-10 min)
• Do easy tasks first to build confidence (30 min)
• Tackle medium difficulty tasks (60 min)
• Work on complex tasks (60 min)
• Review and verify all work (20-30 min)
• Don't get stuck! Move on and come back

Before You Start

  • ✅ Read instructions carefully
  • ✅ Note server names and IP addresses
  • ✅ Check connectivity to all machines
  • ✅ Verify sudo/root access works
  • ✅ Check SELinux is enforcing (don't disable it!)

During the Exam

  • ✅ Use man pages liberally (man -k keyword)
  • ✅ Check examples: /usr/share/doc/
  • ✅ Verify after each task (systemctl status, mount -a, etc.)
  • ✅ Make configurations persistent (/etc/fstab, systemctl enable)
  • ✅ Test survival after reboot for critical tasks
  • ✅ Use systemctl daemon-reload after changing unit files
  • ✅ Use firewall-cmd --reload after firewall changes
  • ✅ Don't forget :Z for container volumes on SELinux systems

Common Mistakes to Avoid

| Mistake | Prevention |
|---|---|
| Forgetting --permanent for firewall | Always use --permanent then --reload |
| Not enabling services | Use systemctl enable --now |
| Typos in /etc/fstab | Test with mount -a before reboot |
| Wrong SELinux context | Use semanage + restorecon, not just chcon |
| Missing _netdev for NFS | Always use _netdev in fstab for network mounts |
| Container volume without :Z | Use :Z for bind mounts with SELinux |
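
The two fstab mistakes listed above can be caught mechanically before `mount -a` or a reboot. The script below is an added example, not part of the original guide; `lint_fstab`, `sample_fstab` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint fstab-format text for the mistakes listed above.
# The sample entries are constructed, not taken from a real host.

sample_fstab() {
    cat <<'EOF'
# constructed sample
UUID=0a1b2c3d-0000-4000-8000-000000000001 /        xfs  defaults 0 0
/dev/vg_data/lv_data                      /data    xfs  defaults 0 0
/dev/sdb1                                 /backup  ext4 defaults 0 0
server.example.com:/export                /mnt/nfs nfs  defaults 0 0
/dev/vg_data/lv_logs                      /logs    xfs
/dev/vg_data/lv_tmp                       scratch  xfs  defaults 0 0
EOF
}

# lint_fstab: stdin = fstab text; stdout = one "LINE: finding" per problem (empty if clean)
lint_fstab() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    NF < 4 || NF > 6 {                            # fstab(5): fields 5 and 6 are optional
        printf "%d: expected 4-6 fields, found %d\n", NR, NF; next
    }
    {
        dev = $1; mnt = $2; fs = $3; opts = $4
        if (mnt !~ /^\// && mnt != "none" && mnt != "swap")
            printf "%d: mount point \"%s\" is not an absolute path\n", NR, mnt
        # Network file systems need _netdev so boot waits for the network
        if (fs ~ /^(nfs|nfs4|cifs)$/ && ("," opts ",") !~ /,_netdev,/)
            printf "%d: %s mount without _netdev\n", NR, fs
        # Raw sdX names depend on probe order; LVM paths and UUID= are stable
        if (dev ~ /^\/dev\/sd[a-z]+[0-9]*$/)
            printf "%d: %s can be renumbered between boots; prefer UUID= from blkid\n", NR, dev
        if ((NF >= 5 && $5 !~ /^[0-9]+$/) || (NF == 6 && $6 !~ /^[0-9]+$/))
            printf "%d: dump/fsck fields must be numeric\n", NR
    }'
}

sample_fstab | lint_fstab
```

Run it against a live file with `lint_fstab < /etc/fstab`; `findmnt --verify` from util-linux performs a fuller check on the installed system.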

Quick Verification Checklist

# After each configuration, verify:

# Services
systemctl is-enabled service
systemctl status service
ss -tulpn | grep port

# Firewall
firewall-cmd --list-all
curl http://localhost

# Storage
lsblk
df -h
cat /etc/fstab
mount -a  # Test without reboot!

# Network
ip addr
ip route
ping gateway
ping 8.8.8.8
ping google.com

# Users
id username
sudo -l -U username

# SELinux
getenforce  # Should be Enforcing
ls -Z /path
ps -Z | grep service

# Containers
podman ps
systemctl --user status container-*
loginctl show-user $USER | grep Linger

⚠️ Critical Reboot Survival

These MUST survive reboot:
• Services: systemctl enable
• Mounts: /etc/fstab with correct options
• Network: nmcli configurations persist by default
• Firewall: --permanent flag required
• Containers: systemd unit + loginctl enable-linger
• AutoFS: systemctl enable autofs

If time permits, REBOOT to verify critical tasks!

📝 Final Review Quiz

Question 1: User created with useradd needs what to log in?

  • A) Nothing, ready to use
  • B) Password set with passwd
  • C) Home directory created with -m
  • D) Both B and shell defined

Answer: B) Password set with passwd
User needs password before login. Home directory optional (created with -m). Default shell from /etc/default/useradd (usually /bin/bash). useradd -m user; passwd user

Question 2: Make LVM logical volume persistent at boot?

  • A) Add to /etc/fstab
  • B) Use systemctl enable lvm
  • C) Run vgchange -ay at boot
  • D) No action needed, automatic

Answer: A) Add to /etc/fstab
LVM volumes activate automatically, but MOUNT requires /etc/fstab entry. /dev/vg/lv /mnt xfs defaults 0 0. Test with mount -a before rebooting!

Question 3: After setting permanent SELinux context, what's next?

  • A) Reboot system
  • B) Run restorecon -Rv /path
  • C) setenforce 0 then 1
  • D) Nothing, automatic

Answer: B) Run restorecon -Rv /path
semanage fcontext sets policy (permanent), but restorecon applies it to files. Full sequence:
semanage fcontext -a -t type "/path(/.*)?"
restorecon -Rv /path

Question 4: Container with persistent storage needs what flag?

  • A) -v /host:/container
  • B) -v /host:/container:Z
  • C) --mount /host:/container
  • D) --storage /host:/container

Answer: B) -v /host:/container:Z
:Z sets SELinux context on RHEL. Without it, container can't access files. Example: podman run -d -v ~/data:/data:Z nginx. Use :z for shared, :Z for private.

Question 5: Extend XFS filesystem on LVM?

  • A) lvextend -L +5G /dev/vg/lv; xfs_growfs /mnt
  • B) lvextend -r -L +5G /dev/vg/lv
  • C) lvextend -L +5G /dev/vg/lv; resize2fs /dev/vg/lv
  • D) Both A and B

Answer: D) Both A and B
Method 1: lvextend -L +5G /dev/vg/lv; xfs_growfs /mnt
Method 2: lvextend -r -L +5G /dev/vg/lv (resizes fs automatically)
Note: ext4 uses resize2fs, XFS uses xfs_growfs

Question 6: Most critical step for rootless container at boot?

  • A) systemctl --user enable container-name
  • B) loginctl enable-linger $USER
  • C) podman generate systemd
  • D) All of the above

Answer: D) All of the above
Need ALL steps: generate systemd unit, move to ~/.config/systemd/user/, enable service, AND enable linger. Without linger, user services only run when logged in. loginctl enable-linger $USER is often forgotten!

🎓 You're Ready!

You've completed all 17 chapters of RHCSA preparation. Remember:
• Practice on real RHEL 9 systems
• Time yourself on practice exams
• Verify configurations survive reboot
• Use man pages during practice
• Focus on exam objectives

Good luck on your RHCSA exam! 🚀