
Huawei openEuler Certification Training

HCIP-openEuler

Lab Guide
ISSUE: 1.0

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2024. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any
means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of
their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made
between Huawei and the customer. All or part of the products, services and features
described in this document may not be within the purchase scope or the usage scope.
Unless otherwise specified in the contract, all statements, information, and
recommendations in this document are provided "AS IS" without warranties,
guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: https://e.huawei.com

Huawei Proprietary and Confidential


HCIP-openEuler Lab Guide Page 1

Huawei Certification System


Huawei Certification is an integral part of the company's Platform + Ecosystem
strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-
Device synergy. Our certification is always evolving to reflect the latest trends in ICT
development. Huawei Certification consists of three categories: ICT Infrastructure
Certification, Basic Software & Hardware Certification, and Cloud Platform & Services
Certification, making it the most extensive technical certification program in the
industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Our programs cover all ICT fields and follow the industry's trend of ICT convergence.
With our leading talent development system and certification standards, we are
committed to fostering new digital ICT talent and building a sound ICT talent
ecosystem.
HCIP-openEuler is mainly for frontline engineers from Huawei and representative
offices and readers who wish to learn openEuler O&M technologies. HCIP-openEuler
certification covers common openEuler enterprise service management, openEuler HA
cluster architecture, openEuler storage management, openEuler automated O&M, Linux
shell scripts, openEuler system security hardening, and openEuler system monitoring.
Huawei certification helps you unlock opportunities to advance your career and take
one more step towards the top of the industry.

About This Document

Overview
This document is an HCIP-openEuler certification training course and is intended for
trainees who are going to take the HCIP-openEuler exam or readers who want to learn
how to build enterprise services, master shell scripts, or perform automated O&M using
Zabbix or Salt on openEuler and other Linux distributions.

Description
This lab guide describes five labs: how to set up Apache, NGINX, DNS, and MySQL servers
on openEuler, and a comprehensive lab that combines them into a LAMP stack.
⚫ Lab 1: Apache lab. This lab covers service installation and basic management,
helping you further understand Apache.
⚫ Lab 2: NGINX lab. This lab covers NGINX installation, static resource access, and
reverse proxying.
⚫ Lab 3: DNS lab. This lab builds on lab 2 to configure forward and reverse DNS
resolution for the NGINX server.
⚫ Lab 4: MySQL lab. This lab covers how to install MySQL and perform basic operations
on it, including adding, deleting, querying, and modifying data.
⚫ Lab 5: Comprehensive lab. This lab describes how to set up WordPress, a typical LAMP
application, to help you further understand enterprise services.

Background Knowledge Required


This course is for Huawei's basic certification. To better understand this course, you need
to:
⚫ Have basic Linux knowledge. You are advised to complete HCIA-openEuler learning
and pass the HCIA-openEuler certification exam.

Lab Environment Overview


Four Elastic Cloud Servers (ECSs) are required: Server01 to Server04 with private IP
addresses 192.168.1.11 to 192.168.1.14. Server01 is for Apache, Server02 for NGINX,
Server03 for DNS, and Server04 for MySQL. To view the lab results in a browser, bind
elastic IP addresses (EIPs) to the ECSs. The EIPs are assigned automatically rather than
chosen by you, so substitute the actual EIPs of your own ECSs wherever this guide shows
one.

In the environment used to write this guide, the EIPs of Server01, Server02, Server03,
and Server04 are 124.70.153.72, 123.60.63.199, 121.37.184.67, and 124.70.167.64,
respectively. See the following figure.

For the ECS security group, the labs allow all inbound and outbound traffic, as shown in
the following figure. This is a convenience for the lab only: every service you start
(httpd, NGINX, BIND, MySQL) becomes reachable from the whole Internet through its EIP. On
any server that outlives the lab, restrict the inbound rules to the ports you actually
serve and to the source addresses that need them, and keep the MySQL port (3306) off the
Internet entirely.

Lab Environment Preparation


Checking Devices
Before starting the labs, each group of trainees should apply for ECSs on Huawei Cloud
according to the following table.

ECS Name    Specifications                 Remarks
Server01    2 vCPUs | 4 GiB | s7.large.2
Server02    2 vCPUs | 4 GiB | s7.large.2
Server03    1 vCPU  | 1 GiB | s7.small.1
Server04    2 vCPUs | 4 GiB | s7.large.2

Contents

About This Document ... 3
Overview ... 3
Description ... 3
Background Knowledge Required ... 3
Lab Environment Overview ... 3
1 Apache Configurations ... 1
1.1 Installing and Testing Apache ... 1
1.1.1 Procedure ... 1
1.1.2 Quiz ... 3
1.2 Configuring the Apache Home Page ... 3
1.2.1 Procedure ... 3
1.2.2 Quiz ... 7
1.3 Loading and Unloading an Apache DSO Module ... 7
1.3.1 Configuration Roadmap ... 7
1.3.2 Procedure ... 7
1.4 Changing the Working Mode of the MPM ... 9
1.4.1 Procedure ... 9
1.4.2 Quiz ... 10
1.5 Configuring Apache Persistent Connection ... 11
1.5.1 Procedure ... 11
1.5.2 Quiz ... 12
1.6 Configuring Apache Static Resources ... 12
1.6.1 Specifying Static Resources by File System Path ... 12
1.6.2 Setting Access Permissions for Static Resources (Based on Source Addresses) ... 15
1.6.3 Setting Access Permissions for Static Resources (Based on Accounts) ... 17
1.6.4 Quiz ... 18
1.7 Configuring Apache Virtual Hosts ... 18
1.8 Configuring the HTTPS Service ... 20
2 NGINX Configurations ... 25
2.1 Installing and Testing NGINX ... 25
2.1.1 Preparing Resources ... 25
2.1.2 Procedure ... 25
2.2 Performing Basic NGINX Configurations ... 26
2.2.1 Configuring Static Resource Access ... 26
2.2.2 Configuring Virtual Hosts ... 29
2.2.3 Configuring the Location Directive ... 30
2.3 Configuring Reverse Proxies and Load Balancing with NGINX ... 34
2.3.1 Configuring Reverse Proxies with NGINX ... 34
2.3.2 Configuring Load Balancing with NGINX ... 36
3 DNS Configurations ... 41
3.1 Introduction ... 41
3.1.1 About This Lab ... 41
3.2 Installing the DNS Software ... 41
3.2.1 Preparing Resources ... 41
3.2.2 Installing the DNS Software ... 41
3.3 Setting Up the Master DNS Server ... 42
3.4 Configuring Reverse DNS Resolution ... 44
4 MySQL Configurations ... 46
4.1 Installing and Initializing MySQL ... 46
4.1.1 Preparing Resources ... 46
4.1.2 Installing MySQL ... 46
4.1.3 Logging In to and Initializing MySQL ... 48
4.1.4 Using mysqladmin ... 49
4.2 Performing Comprehensive MySQL Practices ... 51
5 LAMP Practices ... 60
5.1 Introduction ... 60
5.2 Interconnecting Components in the Early Stage ... 60
5.2.1 Interconnecting Apache with PHP ... 60
5.2.2 Interconnecting PHP with MySQL ... 62
5.3 Performing LAMP Practices ... 64
5.3.1 Introduction ... 64
5.3.2 Preparing Resources ... 64
5.3.3 Installing and Testing WordPress ... 65

1 Apache Configurations

1.1 Installing and Testing Apache


1.1.1 Procedure
Step 1 Purchase Server01 based on the lab environment description and networking.

Step 2 Run the dnf command to install httpd.

Log in to the installed openEuler, run the dnf install -y httpd command, and wait until
the installation is complete.

[root@apache-http mnt]# dnf install -y httpd

Step 3 Start httpd and test it.

Run the httpd -v command to view the version.

[root@apache-http ~]# httpd -v


Server version: Apache/2.4.51 (Unix)
Server built: Mar 18 2022 00:00:00

Run the httpd -t command to check whether the configuration file is syntactically correct.

[root@apache-http ~]# httpd -t

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using
fe80::f21:38fa:dc6d:d4e9%ens33. Set the 'ServerName' directive globally to suppress this message
Syntax OK

AH00558 is a warning, not an error: the syntax check still passes. To suppress it, edit
/etc/httpd/conf/httpd.conf, uncomment the ServerName line (line 97 in the default file)
and set it to the server's host name or IP address, for example the private address
192.168.1.11 used in this lab.

Save the modification and exit, then run httpd -t again to confirm that the warning is
gone and the configuration is still valid.

Run the systemctl enable httpd --now command to start the httpd service and set it to
start upon system startup. Then run the systemctl status httpd command to check the
httpd service status.

[root@apache-http ~]# systemctl enable httpd --now


Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service →
/usr/lib/systemd/system/httpd.service.
[root@apache-http ~]# systemctl status httpd

Note: If the service fails to start, find the reason with systemctl status httpd or
journalctl -u httpd before restarting it; typical causes are a port that is already in
use or a syntax error that httpd -t would have reported.

Step 4 Alternatively, use the following methods to test the httpd service status:

Method 1:
Run the ss -lntp command to check whether TCP port 80 is in the listening state. Match
the port at the end of the local address column; a bare grep 80 would also match 8080,
8000 or a process ID that happens to contain "80".

[root@apache-http ~]# ss -lntp | grep ':80 '



Method 2:
Run the curl command on the HTTP server to access port 80.

[root@apache-http ~]# curl 127.0.0.1:80

Method 3:
Enter the EIP of the HTTP server in the address box of the browser and check whether
the test page is displayed.

1.1.2 Quiz
Check whether the test page can be accessed using method 3. If not, why?
Access may fail. If methods 1 and 2 succeed but method 3 fails, httpd itself is healthy
and the traffic is being dropped between the browser and the server: check the host
firewall on the ECS (firewall-cmd --list-all should show http or 80/tcp in the active
zone) and the inbound rules of the ECS security group for the EIP.
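The checks above form a ladder, and a scripted version saves time when the browser test fails. The following shell script is an added example, not part of the lab guide: it wraps the ss and firewall-cmd parsing in functions that read command output from standard input (so they can be exercised against the constructed sample output embedded at the end) plus a diagnose function that runs the live commands on the HTTP server and stops at the first layer that fails. It assumes firewalld is the host firewall and that the port is 80 unless you pass another one; the ECS security group has to be inspected in the console.

```shell
#!/usr/bin/env bash
# Added example (not from the lab guide): walk the layers that can make
# "method 3" fail, in order, so the fault is pinned to the configuration,
# the service, the socket, local HTTP or the host firewall before you look
# at the ECS security group. PORT defaults to 80; section 1.2 moves it to 81.

# port_listening PORT   (ss -lnt output on stdin)
# Succeeds when a TCP socket in LISTEN state is bound to PORT on any address.
port_listening() {
    awk -v want="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # 0.0.0.0:80, [::]:80 or *:80
            if (a[n] == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# firewall_opens PORT   (firewall-cmd --list-all output on stdin)
# Succeeds when the active zone opens PORT/tcp directly or through the
# http/https service names. Assumes firewalld; the security group is separate.
firewall_opens() {
    local svc=-
    case $1 in 80) svc=http ;; 443) svc=https ;; esac
    awk -v p="$1/tcp" -v s="$svc" '
        /^ *ports:/    { for (i = 2; i <= NF; i++) if ($i == p) found = 1 }
        /^ *services:/ { for (i = 2; i <= NF; i++) if ($i == s) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# diagnose PORT   runs the live checks on the HTTP server itself
diagnose() {
    local port=${1:-80} code
    httpd -t >/dev/null 2>&1 \
        || { echo "FAIL: configuration syntax (run: httpd -t)"; return 1; }
    systemctl is-active --quiet httpd \
        || { echo "FAIL: httpd is not running (see: journalctl -u httpd)"; return 1; }
    ss -lnt | port_listening "$port" \
        || { echo "FAIL: no LISTEN socket on TCP $port (check the Listen directives)"; return 1; }
    # any HTTP status counts here: the default openEuler test page answers 403
    code=$(curl -sS -o /dev/null -w '%{http_code}' "http://127.0.0.1:${port}/" 2>/dev/null)
    [ -n "$code" ] && [ "$code" != 000 ] \
        || { echo "FAIL: no HTTP answer on 127.0.0.1:$port (check error_log)"; return 1; }
    if command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
        firewall-cmd --list-all 2>/dev/null | firewall_opens "$port" \
            || { echo "BLOCKED: firewalld does not open $port/tcp (firewall-cmd --permanent --add-port=$port/tcp; firewall-cmd --reload)"; return 2; }
    fi
    echo "OK: httpd answers locally on $port; if the browser still fails, check the security group's inbound rules"
}

# Constructed sample outputs (not captured from a real server) for trying the
# parsers without httpd installed: port 81 is open, the firewall opens 81/tcp.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:81        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'
SAMPLE_FW='public (active)
  target: default
  services: dhcpv6-client ssh
  ports: 81/tcp'

# sh diagnose.sh --run 81   runs the live checks; without --run nothing runs.
if [ "${1:-}" = "--run" ]; then diagnose "${2:-80}"; fi
```

Each FAIL line names the next command to run; only when every local layer passes is the security group the remaining suspect.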

1.2 Configuring the Apache Home Page


1.2.1 Procedure
Step 1 Configure the listening IP address and port of the server.

Requirement: Clients are allowed to access the HTTP server only through port 81 at the
server IP address (192.168.1.11).
Comment out the Listen 80 line in the main configuration file /etc/httpd/conf/httpd.conf,
as shown in the following figure.

Create a configuration file port.conf in /etc/httpd/conf.d and add the following content
to the file:

Listen 192.168.1.11:81

Run the following command to reload the httpd configuration file:

[root@apache-http conf.d]# systemctl reload httpd

Run the curl 192.168.1.11:81, curl 192.168.1.11:80, and curl 127.0.0.1:81 commands. Only
the first should return the test page: the server no longer listens on port 80 at all,
and port 81 is bound to 192.168.1.11 only, so a connection to the loopback address is
refused.

⚫ Question: If the content in the main configuration file is not commented out, can the
effect in the requirement be achieved?
Answer: No. If you do not comment out the content, clients can access the service
through port 80.
⚫ Question: Can I directly modify the main configuration file to achieve the effect
specified in the requirement?
Answer: Yes, you can. However, if the main configuration file is modified, it is difficult to
maintain the file. You are advised to add the mentioned configuration file to the conf.d
directory.

Step 2 Configure the home page.

Requirement: "hello, openEuler" is returned after the HTTP server is accessed.


Create an index.html file in the /var/www/html directory and add "hello, openEuler"
to the file, as shown in the following figure.

Run the systemctl reload httpd command and access the server again, as shown in the
following figure.

Step 3 Change the directory for storing the home page.

Requirement: Create the /home/source directory and move index.html to the directory
to enable the server to return "hello, openEuler".
Comment out the DocumentRoot "/var/www/html" line in the main configuration file, as
shown in the following figure.

Create the /home/source directory and move the index.html file into it, as shown in the
following figure.

Create a configuration file source.conf in conf.d and enter the following content:

DocumentRoot "/home/source"

See the following figure.

Run the systemctl reload httpd command and access the server again, as shown in the
following figure.

⚫ Question: Why is the expected content not returned?

Check the httpd error log (/var/log/httpd/error_log): the request is refused with
"client denied by server configuration" for /home/source, as shown in the following
figure. The default httpd.conf denies access to the whole file system in its
<Directory /> block and grants it only for /var/www, so a new DocumentRoot outside
/var/www must be granted explicitly.

Add the following content to the source.conf file to grant access to the directory:

<Directory "/home/source">
AllowOverride None
# Allow open access:
Require all granted
</Directory>

See the following figure.

Run the systemctl reload httpd command and access the server again. The result meets
the requirement, as shown in the following figure.

Step 4 Change the name of the home page.

Rename index.html to Index.html and access the service again. The default test page is
returned, because DirectoryIndex still names index.html and the file system is
case-sensitive, as shown in the following figure.

Add the following content to the source.conf file to change the static page name to
Index.html:

DirectoryIndex Index.html

Reload the configurations and try to access the service again, as shown in the following
figure.

1.2.2 Quiz
Can an HTTP server return different static pages to different visitors?
Yes. With virtual hosts, one httpd instance serves different content depending on the
host name (or IP address and port) a request is sent to; this is introduced and
implemented later. Serving different content to different user accounts is a separate
mechanism, covered by the account-based access control in section 1.6.3.

1.3 Loading and Unloading an Apache DSO Module


1.3.1 Configuration Roadmap
The mod_status module allows an administrator to monitor the Apache running status
on a web page. Use LoadModule directive to load the module, configure related
permissions, and enable ExtendedStatus to enable the module.

1.3.2 Procedure
Step 1 Check the status of the mod_status module.

Run the httpd -M command to check whether mod_status is loaded. The command output is as
follows:

[root@apache-http conf.modules.d]# httpd -M | grep status
status_module (shared)

Step 2 Configure related permissions and enable ExtendedStatus.

Add a configuration file module.conf to /etc/httpd/conf.d with the following content:

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from all
</Location>
ExtendedStatus On

Note what this grants: with Order deny,allow the later Allow from all wins, so the
status page, which reveals client addresses, request URIs and worker state, is open to
every source address. Order, Deny and Allow are Apache 2.2 syntax that still works in
2.4 only because mod_access_compat is loaded. Outside the lab, restrict the Location
with the 2.4 directives instead, for example Require local or Require ip followed by
the administrators' network.
Step 3 Check the Apache status.

Reload the Apache configurations, and enter EIP:81/server-status in the address box of
the browser to check the Apache status.

Step 4 Unload the mod_status module.

In the /etc/httpd/conf.modules.d directory, edit the 00-base.conf file to comment out
the LoadModule line for mod_status, as follows.

Reload the Apache configurations, and use EIP:81/server-status to access the Apache
again. The following information is displayed.

Step 5 Restore the module.

This module will be used in subsequent labs. Uncomment the line in step 4 and reload
the Apache configurations to restore the module.

1.4 Changing the Working Mode of the MPM


1.4.1 Procedure
Step 1 Check the current working mode of the MPM.

Method 1: Run the httpd -M command and look for the mpm_event_module, mpm_worker_module
or mpm_prefork_module entry, as shown in the following figure.

Method 2: Use the mod_status module, as shown in the following figure.

Method 3: View the MPM configuration file /etc/httpd/conf.modules.d/00-mpm.conf, as
shown in the following figure.

Step 2 Change the MPM working mode.

In the same configuration file, comment out the LoadModule line for the event MPM and
uncomment the one for the worker MPM, as shown in the following figure. Exactly one MPM
must be loaded.

Step 3 Verify the configurations.

Restart the httpd service and use method 2 in step 1 to check whether the configuration
takes effect, as shown in the following figure.

1.4.2 Quiz
⚫ After the MPM working mode is changed, does the modification take effect when Apache
is reloaded? Why not?
No. A reload (graceful restart) keeps the parent httpd process and only re-reads the
configuration and replaces the child processes, but the MPM is bound into the parent
process when it starts and cannot be swapped while it is running. The service must be
stopped and started again (systemctl restart httpd) so that systemd launches a new
parent process with the new MPM.
⚫ Can I enable multiple working modes at the same time?
No. If more than one MPM is loaded, httpd -t and the service start fail with an error
message (AH00534: httpd: Configuration error: More than one MPM loaded), as shown in the
following figure.

1.5 Configuring Apache Persistent Connection


1.5.1 Procedure
Step 1 Check the status of non-persistent connections.

On the mod_status page, the value of keep-alive is 0, as shown in the following figure.

Step 2 Enable persistent connection and set related parameters.

Create a keepalived.conf configuration file for persistent connections in the
/etc/httpd/conf.d directory (any file name ending in .conf is read) and add the
following configurations:

KeepAlive On
KeepAliveTimeout 20
MaxKeepAliveRequests 500

Step 3 Verify the configurations.

Reload the Apache configurations and check the value of keep-alive on the mod_status
page, as shown in the following figure.
1.5.2 Quiz
Does a longer persistent connection timeout always give a better result?
No. A connection that is kept open but idle still occupies a server slot (a process or
thread under the prefork and worker MPMs), so a long KeepAliveTimeout raises the number
of concurrent connections the server has to hold and can exhaust MaxRequestWorkers
under load. Keep the timeout short (a few seconds) and rely on MaxKeepAliveRequests to
bound how long one connection may be reused.

1.6 Configuring Apache Static Resources


1.6.1 Specifying Static Resources by File System Path
Step 1 Prepare resources.

Create a test directory in /home/source and, inside it, a file test1 containing
"hello,test1" and a symbolic link test2 that points to test1.

[root@apache-http source]# cd /home/source


[root@apache-http source]# mkdir test
[root@apache-http source]# cd test
[root@apache-http test]# echo "hello,test1" > test1
[root@apache-http test]# ln -s test1 test2

Step 2 Add configurations.

Add the following content to /etc/httpd/conf.d/source.conf. The Directory block takes
the file system path of the directory (/home/source/test), not the URL path /test:

<Directory "/home/source/test">
Options Indexes
AllowOverride None
# Allow open access:
Require all granted
</Directory>

Step 3 Verify the configurations.

Reload the httpd service and enter EIP:81/test in the address box of the browser. The
following information is displayed: the directory is listed, but the symbolic link test2
is not served, because setting Options explicitly replaces the inherited default
(FollowSymLinks) and symbolic links are no longer followed.

Add the FollowSymLinks directive to Options, as shown in the following figure.

Reload the httpd service and access the path again. The following information is
displayed.

Both options have a cost outside the lab. Indexes publishes a listing of every file in a
directory that has no index page, including files you did not mean to expose.
FollowSymLinks makes httpd serve whatever a symbolic link points to, even outside the
document root, as long as the link is inside the tree and the target is readable by the
apache user; anyone who can create a link in the directory can publish other files that
way. SymLinksIfOwnerMatch follows a link only when link and target have the same owner
and is the safer choice for directories written by more than one account.

⚫ Question: If there is no configuration block for /home/source/test, can the resources
still be reached through 192.168.1.11:81/test?
Answer: Yes. The directory inherits Require all granted from the <Directory
"/home/source"> block, so the files in it can be requested; what it does not inherit
is the Indexes option, so no listing is generated.
⚫ Question: If the Index.html file is created in the test directory, can I still see the
listing through 192.168.1.11:81/test?
Answer: No. A directory listing is generated only when none of the DirectoryIndex files
exists in the directory; as soon as Index.html is there, it is returned instead.

Step 4 Specify static resources by alias.

Add the following configuration to the source.conf file:

Alias /test2 "/home/source/test"

See the following figure.

Reload the httpd service, enter EIP:81/test2 in the address box of the browser. The
following information is displayed.

1.6.2 Setting Access Permissions for Static Resources (Based on Source Addresses)
Requirement: Allow all source addresses to access 192.168.1.11:81/test2/, except
192.168.38.1 (the address of the test machine as seen after NAT, which can be read from
the HTTP access log). Source-address rules see the address of the last hop only: every
client behind the same NAT shares one address, and a reverse proxy placed in front of
httpd would present its own address unless mod_remoteip is configured to trust the
proxy's X-Forwarded-For header.

Step 1 Modify the configuration file.

Add the following content inside the <Directory "/home/source/test"> block in the
source.conf file (the real directory behind the /test2 alias):

<RequireAll>
Require all granted
Require not ip 192.168.38.1
</RequireAll>

See the following figure.

Step 2 Verify the configurations.

Reload the Apache configurations and access the directory using the browser of the test
machine. The following information is displayed.

If you access the same directory on the server, the following information is displayed.

View the cause of the access failure of the test machine in logs. The details are as
follows.

Step 3 Use the .htaccess file to set the permissions.

Comment out the configuration added in step 1 in the source.conf file and add
AllowOverride All, as shown in the following figure. AllowOverride delegates access
control to a file inside the content tree: anyone who can write to /home/source/test can
then rewrite the rules, and httpd has to look for .htaccess in every directory on the
path of each request. Keep AllowOverride None wherever the rules can live in conf.d
instead.

Create an .htaccess file in /home/source/test and enter the following configurations:

<RequireAll>
Require all granted
Require not ip 192.168.38.1
</RequireAll>

See the following figure.

Step 4 Verify the configurations.

Refer to step 2.

1.6.3 Setting Access Permissions for Static Resources (Based on Accounts)
Step 1 Create an account.

Run the following command in the directory where the resource is located
(/home/source/test) to create a .passwd file holding the user test:

htpasswd -cb .passwd test Huawei@123

Two things to avoid outside the lab. The default httpd.conf only blocks files matching
.ht*, so a .passwd file inside the document root can be downloaded at
EIP:81/test2/.passwd (by anyone before step 2, by any authenticated user after it);
keep password files outside the served tree, for example under /etc/httpd, and give
AuthUserFile the absolute path. And -b puts the password on the command line, where it
is visible in the shell history and the process list; omit -b and let htpasswd prompt
for it.

Step 2 Add configurations.

Add the following configurations to the .htaccess file:

AuthType Basic
AuthName "http test"
AuthUserFile "/home/source/test/.passwd"
Require user test

See the following figure.

Step 3 Verify the configurations.

Reload the Apache configurations and use a browser to access EIP:81/test2/. The system
prompts you to enter the authentication information, as shown in the following figure.

Enter the user name test and password Huawei@123. The static resources can be accessed
successfully, as shown in the following figure. Note that Basic authentication sends the
user name and password with every request, only Base64-encoded, so over plain HTTP they
are readable by anyone on the path; use it only together with HTTPS (section 1.8).

1.6.4 Quiz
Can the account-based access control for static resources be written in source.conf
instead of .htaccess?
Yes. The same AuthType, AuthName, AuthUserFile and Require directives work inside the
<Directory "/home/source/test"> block of source.conf, and that is the preferred place.
AllowOverride only decides whether a .htaccess file may override the directives set in
the main configuration; with AllowOverride None the .htaccess file is ignored.
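Sections 1.3, 1.6.1, 1.6.2 and 1.6.3 each switch on a setting that is convenient in the lab and risky in production: an unrestricted server-status page, directory listings and symlink following, .htaccess overrides, and a password file stored inside the served tree. The shell script below is an added example, not part of the lab guide or of the httpd project: it scans a conf.d directory and the .htaccess files under a document root for those directives and prints one finding per line with the replacement to use. The paths are parameters (the lab's are /etc/httpd/conf.d and /home/source), and make_sample_tree writes a constructed copy of the lab's own configuration into a scratch directory so the audit can be tried without a server.

```shell
#!/usr/bin/env bash
# Added example, not from the lab guide: audit httpd conf.d files and the
# .htaccess files under a document root for the settings switched on in
# sections 1.3 and 1.6, and report the ones that should not reach production.

# audit_file FILE DOCROOT   -> one finding per line, "file:line: message"
audit_file() {
    awk -v file="$1" -v docroot="$2" '
        {
            sub(/#.*/, ""); sub(/^[ \t]+/, "")   # drop comments and indentation
            l = tolower($0)                       # directives are case-insensitive
        }
        l ~ /^<location[ \t]+\/server-status/ { in_status = 1 }
        l ~ /^<\/location>/                    { in_status = 0 }
        in_status && l ~ /^(require[ \t]+all[ \t]+granted|allow[ \t]+from[ \t]+all)/ {
            print file ":" NR ": server-status reachable from any address; use Require local or Require ip <admin-net>"
        }
        l ~ /^options/ && l ~ /[ \t+]indexes/ {
            print file ":" NR ": Options Indexes publishes directory listings"
        }
        l ~ /^options/ && l ~ /[ \t+]followsymlinks/ {
            print file ":" NR ": FollowSymLinks serves any symlink target httpd can read; prefer SymLinksIfOwnerMatch"
        }
        l ~ /^allowoverride[ \t]+all/ {
            print file ":" NR ": AllowOverride All lets a writable .htaccess change the access rules"
        }
        l ~ /^authuserfile/ {
            path = $2; gsub(/"/, "", path)
            if (index(path, docroot "/") == 1)
                print file ":" NR ": password file " path " lives under the document root and can be downloaded"
        }' "$1"
}

# audit_httpd CONF_DIR DOCROOT   audits *.conf plus every .htaccess in the tree
audit_httpd() {
    local f
    for f in "$1"/*.conf; do
        if [ -f "$f" ]; then audit_file "$f" "$2"; fi
    done
    find "$2" -name .htaccess 2>/dev/null | while IFS= read -r f; do
        audit_file "$f" "$2"
    done
}

# make_sample_tree DIR   writes a constructed copy of the lab configuration
# (same directives as sections 1.3 and 1.6) under DIR for offline testing.
make_sample_tree() {
    local root=$1
    mkdir -p "$root/conf.d" "$root/www/test"
    cat > "$root/conf.d/module.conf" <<'EOF'
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from all
</Location>
ExtendedStatus On
EOF
    cat > "$root/conf.d/source.conf" <<EOF
DocumentRoot "$root/www"
<Directory "$root/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "$root/www/test">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
Alias /test2 "$root/www/test"
EOF
    cat > "$root/www/test/.htaccess" <<EOF
AuthType Basic
AuthName "http test"
AuthUserFile "$root/www/test/.passwd"
Require user test
EOF
}

# sh audit.sh --run [CONF_DIR] [DOCROOT]   audits the live server (lab defaults)
if [ "${1:-}" = "--run" ]; then audit_httpd "${2:-/etc/httpd/conf.d}" "${3:-/home/source}"; fi
```

On Server01 the script reports five findings for the configuration built in this chapter; a directory with Require local on the status page, Options -Indexes SymLinksIfOwnerMatch, AllowOverride None and an AuthUserFile under /etc/httpd produces none. The parser only understands one directive per line and does not follow Include, which is enough for conf.d and .htaccess files.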

1.7 Configuring Apache Virtual Hosts


Requirements: Access the page of test1 through www.test1.com, the page of test2
through www.test2.com, and the page of test3 through www.test3.com. Resolve the
three domain names to 192.168.1.11. Store test1, test2, and test3 in
/home/source/test1, /home/source/test2, and /home/source/test3, and set their page
contents to "hello,test1", "hello,test2", and "hello,test3", respectively.

Step 1 Prepare resources.

Run the following commands to create three directories in /home/source:


HCIP-openEuler Lab Guide Page 19

cd /home/source
mkdir test{1..3}

Create the corresponding files in the directories and enter the corresponding contents.

echo "hello,test1" > test1/test1
echo "hello,test2" > test2/test2
echo "hello,test3" > test3/test3

Step 2 Create virtual hosts.

Create a vhost.conf configuration file in the /etc/httpd/conf.d directory and enter the
following content:

<VirtualHost *:81>
ServerName www.test1.com
DocumentRoot "/home/source/test1"
DirectoryIndex test1
</VirtualHost>
<VirtualHost *:81>
ServerName www.test2.com
DocumentRoot "/home/source/test2"
DirectoryIndex test2
</VirtualHost>
<VirtualHost *:81>
ServerName www.test3.com
DocumentRoot "/home/source/test3"
DirectoryIndex test3
</VirtualHost>

Step 3 Verify the configurations.

There is no DNS server in the environment. Therefore, you need to manually configure
domain name resolution by adding the following content to the /etc/hosts file:

192.168.1.11 www.test1.com
192.168.1.11 www.test2.com
192.168.1.11 www.test3.com

Reload the configurations and run the following commands to perform a test:

curl www.test1.com:81
curl www.test2.com:81
curl www.test3.com:81

The following information is displayed.

⚫ Question: Why does www.test2.com:81 not return the expected content?


Answer: The alias of test2 is configured in the source.conf file. As a result, the system
does not return the expected content. Comment out the alias in the source.conf file and
try again. The expected content is returned, as shown in the following figure.

⚫ Question: Is there any log in error_log when an error is reported during the access to
www.test2.com:81?
Answer: No, there is no such log. The /etc/httpd/logs/error_log file does not store error
logs of virtual hosts, but the access_log file stores access logs of virtual hosts. To view
related logs, add the following configuration to the virtual host:

errorLog "logs/test1_error_log"

1.8 Configuring the HTTPS Service


Set the access mode of www.test1.com to HTTPS based on section "1.7 Configuring
Apache Virtual Hosts."

Step 1 Install the dependent module.

Run the following command to install mod_ssl:

yum install -y mod_ssl



Step 2 Create a self-signed certificate.

Run the following commands to create a private key:

mkdir ca
cd ca
openssl genrsa -out ca.key 2048

Use the private key to generate a self-signed CA certificate.

openssl req -x509 -new -key ca.key -sha256 -days 3650 -out ca.crt

Generate a private key and a certificate signing request (CSR) for the server.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.test1.com.key -out www.test1.com.csr

Issue a certificate to the server by signing the CSR with the CA key.

openssl x509 -req -days 36500 -in www.test1.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.test1.com.crt

Step 3 Specify a certificate file.

Run the following command to open the SSL configuration file:

vim /etc/httpd/conf.d/ssl.conf

Edit the file as follows.



Step 4 Verify the configurations.

Add a static resolution entry to the client to resolve www.test1.com to the EIP of
Server01.
Enter https://www.test1.com in the address box of the browser. The following page is
displayed.

Click Advanced and select Proceed to www.test1.com (unsafe). The following page is
displayed.

⚫ Question: Is the preceding page displayed after performing the preceding operations?
Why?

Answer: The preceding page may not be displayed. If port 443 of www.test1.com is not
configured on the virtual host, an error page is displayed.

2 NGINX Configurations

2.1 Installing and Testing NGINX


2.1.1 Preparing Resources
Purchase the Server02 ECS as planned.

2.1.2 Procedure
Step 1 Install NGINX using the Yum repository.

In openEuler, run the following command to automatically install NGINX:

yum install -y nginx

After the installation is complete, run the following command to check the NGINX
version:

nginx -v

After confirming that the NGINX is correctly installed, run the following commands to
start NGINX and check whether the NGINX processes are started:

systemctl start nginx
ps -ef | grep nginx

Step 2 Verify the configurations.

Enter the IP address of the NGINX server in the address box of the browser. The following
page is displayed.

2.2 Performing Basic NGINX Configurations


2.2.1 Configuring Static Resource Access
Description: Use NGINX to access different types of resources, such as HTML files, image
files, and TXT files.

Step 1 Modify global configurations.

The default global configurations in the main configuration file are as follows:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

Modify the configurations as follows:


1. Change the user of the worker process to nobody.
2. Change the number of worker processes to 4.
The modified configurations are as follows:

user nobody;
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

Run the following commands to reload the NGINX configurations and check the
processes:

nginx -s reload
ps -ef | grep nginx

The following information is displayed.

The user of the worker processes changes to nobody, while the master process still runs
as root. In addition, the number of worker processes changes to 4.

Step 2 Access static web resources.

Requirement: Use the domain name www.test.com to access the specified home page of
the NGINX service and the specified image file and TXT file.
Run the following command to create a directory for storing static resources:

mkdir -p /data/Nginx

See the following figure.

Create a home page file index.html in NGINX and enter "hello,openEuler".

touch /data/Nginx/index.html
echo "hello,openEuler" > /data/Nginx/index.html

Create a test.txt file in the Nginx directory and enter "hello,Nginx".

touch /data/Nginx/test.txt
echo "hello,Nginx" > /data/Nginx/test.txt

Copy nginx-logo.png in /usr/share/nginx/html to the Nginx directory.

cp /usr/share/nginx/html/nginx-logo.png /data/Nginx/

After the configuration is complete, the files in the Nginx directory are as follows:

[root@localhost nginx]# ls /data/Nginx/
index.html nginx-logo.png test.txt

In the /etc/nginx/conf.d directory, create a configuration file static.conf for the new
static website and configure the following content:

server {
listen 81;
server_name www.test.com;
root /data/Nginx;
index index.html;
}

Run the nginx -t command to check whether the configuration is correct. If the
configuration is incorrect, rectify the fault before performing subsequent operations. If
the configuration is correct, the following information is displayed.

After confirming that the information is correct, run the nginx -s reload command to
reload the service.
Configure static domain name resolution on the host where the browser is located to
map www.test.com to the server. Then access www.test.com:81 using the browser. The
following page is displayed.

Access www.test.com:81/nginx-logo.png. The following page is displayed.

Access www.test.com:81/test.txt. The following page is displayed.

⚫ Question 1: If a test.nn file is created in the Nginx directory and certain content is
entered, will the system return the corresponding content when the file is accessed
through www.test.com:81/test.nn? Why?

No, it will not. The .nn extension is not listed in mime.types, so NGINX cannot identify
the file type. When you access the URL, the file is downloaded to the local host by
default instead of being displayed.
⚫ Question 2: To implement the same function of the preceding website, is there any
other writing format for the configuration file?
Yes, there is. You can refer to the following content:
server {
listen 81;
server_name www.test.com;
location / {
root /data/Nginx;
index index.html;
}
}

2.2.2 Configuring Virtual Hosts


Description: On the NGINX server, configure virtual hosts using different port numbers.

Step 1 Prepare resources.

Create the nginx1, nginx2, and nginx3 directories in the /data directory.

mkdir nginx{1..3}

Run the following commands to create index.html in the three directories and enter
"hello,nginx1", "hello,nginx2", and "hello,nginx3" in the files:

echo "hello,nginx1" > nginx1/index.html
echo "hello,nginx2" > nginx2/index.html
echo "hello,nginx3" > nginx3/index.html

Step 2 Configure virtual hosts.

To avoid interference between configurations, delete the existing configuration file in
/etc/nginx/conf.d or change the file name extension to .bk.
Create a configuration file vhost.conf and enter the following content:

server {
listen 81;
server_name localhost;
location / {
root /data/nginx1;
index index.html;
}
}
server {
listen 82;
server_name localhost;
location / {
root /data/nginx2;
index index.html;
}
}
server {
listen 83;
server_name localhost;
location / {
root /data/nginx3;
index index.html;
}
}

After the configuration is complete, run the nginx -t command to check whether syntax
errors exist. If no syntax error exists, run the nginx -s reload command to reload the
configurations.

Step 3 Verify the configurations.

Run the curl command against each port to verify that the three virtual hosts respond, as
shown in the following figure.

2.2.3 Configuring the Location Directive


Description: This lab is based on the virtual host configuration. Try to use different
representation methods to configure routes.

Step 1 Prepare resources.

Rename /data/nginx1 to /data/Nginx1.

Step 2 Modify the configuration file.

Modify the vhost.conf configuration file as follows:

server {
listen 81;
server_name localhost;
location / {
root /data/nginx1;
index index.html;
}
}
server {
listen 82;
server_name localhost;
location /nginx2 {
root /data;
index index.html;
}
}
server {
listen 83;
server_name localhost;
location / {
root /data/nginx3;
index index.html;
}
}

Reload the NGINX configurations.

Step 3 Verify the configurations.

Run the curl localhost:81, curl localhost:82, and curl localhost:83 commands. The
following information is displayed.

After you run the curl localhost:82/nginx2 command, the following information is
displayed.

⚫ Question: What conclusions can be drawn based on the preceding information?


Answer:
1. NGINX is case sensitive. After nginx1 is changed to Nginx1, the corresponding
resource cannot be accessed.
2. After the location directive specifies a path, the specified path will be matched in the
URL when the resource is accessed.
3. If the resource to be accessed is a directory, a slash (/) needs to be added to the end of
the URL.

Step 4 Modify the configuration file.

Modify the vhost.conf file as follows:

server {
listen 81;
server_name localhost;
location ~* \.html$ {
root /data/Nginx1;
# index index.html;
}
}
server {
listen 82;
server_name localhost;
location = /nginx2/index.html {
root /data;
# index index.html;
}
}
server {
listen 83;
server_name localhost;
location = / {
root /data/nginx3;
index index.html;
}
}

Reload the NGINX configurations.

Step 5 Verify the configurations.


⚫ Question: Based on the preceding configuration file, which URLs can be used to
access the corresponding resources?

Answer: Virtual host 1 uses a case-insensitive regular expression to match all resources
whose name extension is html. The corresponding URL is localhost:81. See the following
figure.

Virtual host 2 uses exact match to strictly match the required resource. The
corresponding URL is localhost:82/nginx2/index.html. See the following figure.

Virtual host 3 also uses exact match but the URL must end with a slash (/). However, the
actual path of the server is /data/nginx3/index.html. For this reason, the corresponding
resource cannot be accessed, and the system returns the default home page. See the
following figure.

Step 6 Modify the configuration file.

Modify the vhost.conf file as follows:

server {
listen 81;
server_name localhost;
location /Nginx1 {
root /data;
index index.html;
}
}
server {
listen 82;
server_name localhost;
location /nginx2 {
alias /data/nginx2/index.html;
# index index.html;
}
}
server {
listen 83;
server_name localhost;
location = / {
root /data/nginx3;
index index.html;
}
}

Reload the NGINX configurations.

Step 7 Verify the configurations.

Run the curl localhost:81/Nginx1/ and curl localhost:82/nginx2 commands. The
following information is displayed.

⚫ Question: What conclusions can be drawn from the preceding test?


Answer: When root is used to specify a resource path in location, a relative path is used.
When an alias is used, an absolute path is used.
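As an added example that is not part of the lab, the following Python model reproduces how NGINX chooses a location block (exact, prefix, ^~, regex) and how root and alias map a URI to a file, for the port-81 and port-82 blocks used in steps 2 to 7. Location, select_location, resolve_path and serve are hypothetical helpers; index and rewrite handling is not modeled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Location:
    """One `location` block; modifier is "", "=", "^~", "~" or "~*"."""
    modifier: str
    pattern: str            # prefix string or regular expression source
    root: Optional[str] = None
    alias: Optional[str] = None


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Pick the block NGINX would use for `uri` (simplified selection rules)."""
    # 1. an exact (=) match ends the search immediately
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    # 2. remember the longest matching prefix; prefixes compare case-sensitively,
    #    which is why /Nginx1 no longer matches a request for /nginx1/
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best  # ^~ suppresses the regex pass
    # 3. regex blocks are tried in file order; the first hit beats any plain prefix
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    # 4. otherwise fall back to the longest prefix match (None if nothing matched)
    return best


def resolve_path(loc: Location, uri: str) -> str:
    """Translate `uri` to a filesystem path the way root and alias do."""
    if loc.alias is not None:
        # alias replaces the part of the URI matched by the location prefix
        return loc.alias + uri[len(loc.pattern):]
    # root is prepended to the complete URI, location prefix included
    return loc.root + uri


def serve(locations: List[Location], uri: str) -> Optional[str]:
    """Path NGINX would open for `uri`, or None when no block matches."""
    loc = select_location(locations, uri)
    return None if loc is None else resolve_path(loc, uri)


# The lab's block variants (constructed from the vhost.conf versions above)
PORT82_STEP2 = [Location("", "/nginx2", root="/data")]
PORT82_STEP4 = [Location("=", "/nginx2/index.html", root="/data")]
PORT82_STEP6 = [Location("", "/nginx2", alias="/data/nginx2/index.html")]
PORT81_STEP4 = [Location("~*", r"\.html$", root="/data/Nginx1")]
PORT81_STEP6 = [Location("", "/Nginx1", root="/data")]

if __name__ == "__main__":
    for name, blocks, uri in [
        ("step 2, port 82", PORT82_STEP2, "/nginx2/index.html"),
        ("step 4, port 82", PORT82_STEP4, "/nginx2/"),
        ("step 6, port 82", PORT82_STEP6, "/nginx2"),
        ("step 4, port 81", PORT81_STEP4, "/Index.HTML"),
        ("step 6, port 81", PORT81_STEP6, "/nginx1/index.html"),
    ]:
        print(f"{name}: {uri} -> {serve(blocks, uri)}")
```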

2.3 Configuring Reverse Proxies and Load Balancing with NGINX
2.3.1 Configuring Reverse Proxies with NGINX
Description: This lab describes how to configure and use the reverse proxy function of
NGINX based on section "Configuring the Location Directive". However, it is greatly
different from the actual application scenario. You are advised not to use this
architecture in actual practice.

Step 1 Set virtual host 1 as the proxy of virtual host 3.

Modify the vhost.conf file as follows:

server {
listen 81;
server_name localhost;
location / {
proxy_pass http://127.0.0.1:83;
# root /data;
# index index.html;
}
}
server {
listen 82;
server_name localhost;
location /nginx2 {
alias /data/nginx2/index.html;
# index index.html;
}
}
server {
listen 83;
server_name localhost;
location / {
root /data/nginx3;
index index.html;
}
}

Reload the NGINX configurations.

Step 2 Verify the configurations.

Run the curl localhost:81 command to access the corresponding resource and check the
returned information, as shown in the following figure.

Step 3 Set virtual host 1 as the proxy of virtual host 2.

Modify the vhost.conf file as follows:

server {
listen 81;
server_name localhost;
location /nginx1 {
proxy_pass http://127.0.0.1:82/nginx2;
# root /data;
# index index.html;
}
}
server {
listen 82;
server_name localhost;
location /nginx2 {
alias /data/nginx2/index.html;
# index index.html;
}
}
server {
listen 83;
server_name localhost;
location / {
root /data/nginx3;
index index.html;
}
}

After the configuration is complete, reload the NGINX configurations.

Step 4 Verify the configurations.

Run the curl localhost:81/nginx1 command to access the corresponding resource and
check the returned information, as shown in the following figure.

2.3.2 Configuring Load Balancing with NGINX


Description: This lab describes how to configure and use NGINX virtual hosts for load
balancing. However, it is greatly different from the actual application scenario. You are
advised not to use this architecture in actual practice.

Step 1 Prepare resources.

Restore the vhost.conf file to the content in step 2 in section "Configuring Virtual Hosts."
The details are as follows:

server {
listen 81;
server_name localhost;
location / {
root /data/nginx1;
index index.html;
}
}
server {
listen 82;
server_name localhost;
location / {
root /data/nginx2;
index index.html;
}
}
server {
listen 83;
server_name localhost;
location / {
root /data/nginx3;
index index.html;
}
}

Restore Nginx1 to nginx1. After the restoration, the /data directory is as follows.

Reload the NGINX configurations and check whether the services corresponding to the
virtual hosts can be accessed, as shown in the following figure.

Step 2 Configure load balancing.



Create a load balancing configuration file lb.conf in the conf.d directory and enter the
following content:

upstream www.test.com {
server 192.168.1.12:81;
server 192.168.1.12:82;
server 192.168.1.12:83;
}
server {
location / {
proxy_pass http://www.test.com;
}
}

After the configuration is complete, reload the NGINX configurations and manually add
the static domain name resolution of www.test.com to /etc/hosts, as shown in the
following figure.

Step 3 Verify the configurations.

Run the curl www.test.com command on the server for multiple times and check the
returned information, as shown in the following figure.

It can be observed that each request is served by the three virtual hosts in turn.

Step 4 Configure weights.

Modify the lb.conf file to add weights for load balancing as follows:

upstream www.test.com {
server 192.168.1.12:81 weight=2;
server 192.168.1.12:82 weight=1;
server 192.168.1.12:83;
}
server {
location / {
proxy_pass http://www.test.com;
}
}

Reload the NGINX configurations.

Step 5 Verify the configurations.

Run the curl www.test.com command on the server for multiple times and check the
returned information, as shown in the following figure.

The three virtual hosts provide services based on the configured weights.

Step 6 Configure the backup NGINX server.

Modify the lb.conf configuration file as follows:

upstream www.test.com {
server 192.168.1.12:81 backup;
server 192.168.1.12:82;
server 192.168.1.12:83;
}
server {
location / {
proxy_pass http://www.test.com;
}
}

After the configuration is complete, reload the NGINX configurations.

Step 7 Verify the configurations.

Run the curl www.test.com command on the server for multiple times and check the
returned information, as shown in the following figure.

You can see that NGINX does not forward requests to virtual host 1.

Step 8 Enable the backup host.

Modify the lb.conf configuration file as follows:


upstream www.test.com {
server 192.168.1.12:81 backup;
server 192.168.1.12:82 down;
server 192.168.1.12:83 down;
}
server {
location / {
proxy_pass http://www.test.com;
}
}

Reload the NGINX configurations.

Step 9 Verify the configurations.

Run the curl www.test.com command on the server for multiple times and check the
returned information, as shown in the following figure.

⚫ Question: If you change the lb.conf file to the following content:

upstream www.test.com {
server 192.168.1.12:81 backup;
server 192.168.1.12:82;
server 192.168.1.12:83 down;
}
server {
location / {
proxy_pass http://www.test.com;
}
}

What is returned by the system when you run the curl www.test.com command to
request a resource? Why?
Answer: The system returns "hello,nginx2". Because virtual host 3 is down but virtual
host 2 is still available, NGINX does not forward the request to backup virtual host 1 and
the system thus returns the resource provided by virtual host 2. See the following figure.
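As an added example (not lab code), the following Python model of an NGINX upstream block implements smooth weighted round robin with the weight, backup and down parameters and reproduces the results observed in steps 3 to 9 and in the question above. Peer, Upstream, simulate and the BODIES table mapping each virtual host to its page are hypothetical; max_fails/fail_timeout passive health checks are not modeled.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    addr: str
    weight: int = 1
    backup: bool = False
    down: bool = False
    current_weight: int = 0     # bookkeeping for smooth weighted round robin


class Upstream:
    """Simplified model of an `upstream` block with weight/backup/down."""

    def __init__(self, peers: List[Peer]):
        self.primary = [p for p in peers if not p.backup]
        self.backup = [p for p in peers if p.backup]

    @staticmethod
    def _pick(peers: List[Peer]) -> Optional[Peer]:
        # Smooth weighted round robin: every usable peer gains its weight,
        # the highest current_weight wins and pays back the total.
        total, best = 0, None
        for p in peers:
            if p.down:                      # "down" peers are never selected
                continue
            p.current_weight += p.weight
            total += p.weight
            if best is None or p.current_weight > best.current_weight:
                best = p
        if best is not None:
            best.current_weight -= total
        return best

    def next_peer(self) -> Optional[Peer]:
        # backup servers are tried only when no primary server is usable
        return self._pick(self.primary) or self._pick(self.backup)


# Constructed mapping of the lab's three virtual hosts to the page they serve
BODIES = {
    "192.168.1.12:81": "hello,nginx1",
    "192.168.1.12:82": "hello,nginx2",
    "192.168.1.12:83": "hello,nginx3",
}


def simulate(peers: List[Peer], requests: int) -> List[str]:
    """Body each of `requests` successive curl calls would receive."""
    up = Upstream(peers)
    out = []
    for _ in range(requests):
        peer = up.next_peer()
        out.append(BODIES[peer.addr] if peer else "502 Bad Gateway")
    return out


def lb(**flags) -> List[Peer]:
    """Build the lab's upstream; flags are per-port overrides, e.g. p81={'backup': True}."""
    return [Peer(f"192.168.1.12:{port}", **flags.get(f"p{port}", {})) for port in (81, 82, 83)]


if __name__ == "__main__":
    print("step 3 :", simulate(lb(), 6))
    print("step 5 :", Counter(simulate(lb(p81={"weight": 2}), 8)))
    print("step 7 :", simulate(lb(p81={"backup": True}), 4))
    print("step 9 :", simulate(lb(p81={"backup": True}, p82={"down": True},
                                  p83={"down": True}), 2))
    print("question:", simulate(lb(p81={"backup": True}, p83={"down": True}), 3))
```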

3 DNS Configurations

3.1 Introduction
3.1.1 About This Lab
This lab is based on section "Configuring Load Balancing with NGINX." The DNS server is
used to replace the original static DNS to provide services for the client.

3.2 Installing the DNS Software


3.2.1 Preparing Resources
Purchase the Server03 ECS as planned.

3.2.2 Installing the DNS Software


Run the following command on the newly created VM that functions as the DNS server
to install DNS-related software:

yum install -y bind

Wait until the installation is complete and run the following command to start DNS-related services:

systemctl start named

If no error message is displayed, check whether the port used by DNS is listened on, as
shown in the following figure.

If port 53 is listened on, DNS is installed and started successfully.



3.3 Setting Up the Master DNS Server


Resolve www.test.com to 192.168.1.12 on the newly created DNS server.

Step 1 Create a forward resolution resource record.

Bind provides the administrator with a template file for configuring resource records. The
file is stored in the /var/named directory and named named.localhost. Run the cp
command to copy the file as test.com.zone. The details are as follows:

cd /var/named
cp named.localhost test.com.zone -p

After the copy is complete, modify the configurations in test.com.zone as follows:

$TTL 1D
@       IN SOA  master.test.com. admin.test.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master  A       192.168.1.13
www     CNAME   main
main    A       192.168.1.12

Step 2 Modify the configurations.

Modify the listening port and permission configurations in the /etc/named.conf
configuration file of the DNS service, as shown in the following figure.

Add the test.com zone configuration to /etc/named.rfc1912.zones, as shown in the
following figure.

After the preceding configurations are complete, run the named-checkconf command to
check whether the DNS configuration file is correct, and run the named-checkzone
test.com /var/named/test.com.zone command to check whether the test.com zone
configuration is correct, as shown in the following figure.

If all configurations pass the check, run the rndc reload command to reload the DNS
service configurations, as shown in the following figure.

Step 3 Verify the configurations.

On the VM of the NGINX server, run the following commands (change ens33 in the
commands as required) to point the DNS server address to the newly configured server:

nmcli con mod ens33 ipv4.dns 192.168.1.13
nmcli con down ens33 && nmcli con up ens33

To ensure the lab effect, manually set the DNS server address of the VPC where the ECS
resides to 192.168.1.13, as shown in the following figure.

After the configuration is complete, run the nslookup command to check whether the
DNS service can correctly resolve www.test.com to 192.168.1.12, as shown in the
following figure.

Run the curl command to access www.test.com, as shown in the following figure.

3.4 Configuring Reverse DNS Resolution


Configure reverse resolution of 192.168.1.12 to www.test.com on the newly created DNS server.

Step 1 Create a reverse resolution resource record.

Bind provides the administrator with a template file for configuring resource records. The
file is stored in the /var/named directory and named named.loopback. Run the cp
command to copy the file as 192.168.1.zone. The details are as follows:

cd /var/named
cp named.loopback 192.168.1.zone -p

After the copy is complete, modify the configurations in 192.168.1.zone as follows:



$TTL 1D
@       IN SOA  master.test.com. admin.test.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master  A       192.168.1.13
12      PTR     www.test.com.

Step 2 Modify the configurations.

Add the following configurations to the /etc/named.rfc1912.zones file.

Check whether the configurations are correct, as shown in the following figure.

If no error is found, run the rndc reload command to reload the DNS configuration file.

Step 3 Verify the configurations.

Log in to the NGINX server and run the nslookup command to check whether the
configurations take effect.
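As an added example (not part of the lab), the following Python zone-file parser expands relative names against the zone origin exactly as named does, follows the www CNAME of section 3.3 to its A record, and flags PTR or CNAME targets that were written without the trailing dot: in the reverse zone, 12 PTR www.test.com (no dot) becomes www.test.com.1.168.192.in-addr.arpa., which is the usual cause of a PTR that resolves to the wrong name. parse_zone, fqdn, resolve_a and unterminated_targets are hypothetical helpers; the two zone strings are constructed from the zone files above.

```python
import re
from typing import List, Optional, Tuple

NAME_RDATA_TYPES = {"NS", "CNAME", "PTR"}         # rdata is a single domain name
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)
Record = Tuple[str, str, List[str], List[str]]    # owner, type, expanded rdata, raw rdata


def fqdn(name: str, origin: str) -> str:
    """Expand a zone-file name relative to origin the way named does."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                 # already absolute, left untouched
    return f"{name}.{origin}"       # relative: the origin is appended


def parse_zone(text: str, origin: str) -> List[Record]:
    """Parse a master-format zone (subset used by the lab) into expanded records."""
    if not origin.endswith("."):
        origin += "."
    # 1. strip ';' comments and fold parenthesised records (the SOA) onto one line
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    # 2. split each record into owner / [ttl] / [class] / type / rdata
    records, owner = [], None
    for line in logical:
        if line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = fqdn(line.split()[1], origin)
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():               # owner field present
            owner = fqdn(tokens.pop(0), origin)
        # an absent owner (leading whitespace) inherits the previous owner
        if tokens and TTL_RE.match(tokens[0]):
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = list(tokens)
        if rtype in NAME_RDATA_TYPES:
            rdata[0] = fqdn(rdata[0], origin)
        elif rtype == "SOA":                    # MNAME and RNAME are names too
            rdata[0], rdata[1] = fqdn(rdata[0], origin), fqdn(rdata[1], origin)
        records.append((owner, rtype, rdata, tokens))
    return records


def resolve_a(records: List[Record], name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs from an absolute `name` to its A record, like a resolver."""
    for _ in range(max_hops):
        for owner, rtype, rdata, _ in records:
            if owner == name and rtype == "A":
                return rdata[0]
        cnames = [r[2][0] for r in records if r[0] == name and r[1] == "CNAME"]
        if not cnames:
            return None
        name = cnames[0]
    return None


def unterminated_targets(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """Dotted name targets lacking a trailing dot: almost always a mistake."""
    return [(owner, rtype, raw[0], rdata[0])
            for owner, rtype, rdata, raw in records
            if rtype in NAME_RDATA_TYPES and "." in raw[0] and not raw[0].endswith(".")]


# Constructed copies of the lab's forward and reverse zones
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  master.test.com. admin.test.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      master
master  A       192.168.1.13
www     CNAME   main
main    A       192.168.1.12
"""
REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  master.test.com. admin.test.com. ( 0 1D 1H 1W 3H )
        NS      master
master  A       192.168.1.13
12      PTR     www.test.com.
"""

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "test.com")
    print("www.test.com. ->", resolve_a(fwd, "www.test.com."))
    buggy = parse_zone(REVERSE_ZONE.replace("www.test.com.", "www.test.com"),
                       "1.168.192.in-addr.arpa")
    print("missing trailing dot:", unterminated_targets(buggy))
```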

4 MySQL Configurations

4.1 Installing and Initializing MySQL


4.1.1 Preparing Resources
Purchase the Server04 ECS as planned, and reset the VPC DNS configurations modified in
the preceding lab. Otherwise, the ECS cannot connect to the network.

4.1.2 Installing MySQL


Step 1 Check the MySQL version supported by the Yum repository of openEuler.

Run the following command on openEuler to check the MySQL version supported by the
Yum repository of openEuler:

yum provides mysql-server*



According to the query result, you can install MySQL 8.0.x or 5.7.x.

Step 2 Install MySQL 8.0.28.

Run the yum command to install MySQL-server, as shown in the following figure.

After the installation is complete, run the systemctl start mysqld command to start the
service and check whether the corresponding port is listened on, as shown in the
following figure.

4.1.3 Logging In to and Initializing MySQL


Step 1 Log in to MySQL.

After the installation is complete, run the mysql command to log in to the MySQL
database, as shown in the following figure.

⚫ Question: What are the user name and password for logging in to the MySQL
database?
Answer:
The current user is root. After 8.0.x is installed, the default password of user root is
empty. Therefore, you can log in to the MySQL database without entering the password.
However, the permission is low. You must initialize the password before performing the
next step.
In MySQL 5.7, the password of user root is not empty and is automatically generated by
the system. You can view the password in the /var/log/mysql/mysqld.log file.

Step 2 Initialize MySQL.

Run the following command to configure the password of user root:

alter user root@'localhost' identified by 'Huawei@123';

See the following figure.

After the modification is complete, exit the MySQL database and log in to the MySQL
database as user root again.

Run the show databases; command to view the default databases, as shown in the
following figure.

Run the select user,host from mysql.user; command to view the information about the
current system user, as shown in the following figure.

4.1.4 Using mysqladmin


Step 1 Check the MySQL status and version.

Use the status statement to check the status of the MySQL database.

mysqladmin -uroot -p'Huawei@123' status

Use the version statement to view the MySQL version.



mysqladmin -uroot -p'Huawei@123' version

Use the processlist statement to view the active threads of the MySQL database.

mysqladmin -uroot -p'Huawei@123' processlist

Step 2 Flush MySQL tables and threads.

Run the following command to flush all tables:

mysqladmin -uroot -p'Huawei@123' flush-tables

Run the following command to flush the cache of all threads:

mysqladmin -uroot -p'Huawei@123' flush-threads

Run the following command to flush all logs:

mysqladmin -uroot -p'Huawei@123' flush-logs

Step 3 Check whether the MySQL status is normal.

Use the ping statement to check whether the MySQL server is normal.

mysqladmin -uroot -p'Huawei@123' ping



Step 4 Create and delete a database.

Use the create statement to create a database.


mysqladmin -uroot -p'Huawei@123' create test

Use the drop statement to delete a database and its tables.


mysqladmin -uroot -p'Huawei@123' drop test

4.2 Performing Comprehensive MySQL Practices


Create a Vegetables database for the vegetables sold in a shopping mall, with the
following contents, for subsequent applications to use.

ID  Name      Price  Qty  PIC
1   Cabbage          200  Tom
2   Potato    2.60   300  Peter
3   Bok choy  6.00   150  Jim
4   Tomato    5.20   230  Betty
5   Cucumber  8.00   330  Jim

Create user vegetable_user and allow it to perform SELECT queries on the database. In
addition, create user vegetable_admin and grant it all permissions on the database.

Step 1 Create a database.

Run the following command to create a database:

mysql> CREATE DATABASE Vegetables;

After the creation is complete, view information about the created database.

mysql> SHOW databases;



Use the USE statement to access the database, and then use the SELECT statement to
view information about the database.

mysql> USE Vegetables;
mysql> SELECT database();

Step 2 Create a data table.

When creating a table, set ID to the primary key and set Name and PIC to NOT NULL.

mysql> CREATE TABLE Vegetables ( ID SMALLINT UNSIGNED PRIMARY KEY , Name VARCHAR(10)
NOT NULL , Price DECIMAL(5, 2) , Qty DECIMAL(7, 2) , PIC VARCHAR(10) NOT NULL );

To make the statement structure clearer, you can also write it as follows:

mysql> CREATE TABLE Vegetables (
    -> ID SMALLINT UNSIGNED PRIMARY KEY,
    -> Name VARCHAR(10) NOT NULL,
    -> Price DECIMAL(5, 2),
    -> Qty DECIMAL(7, 2),
    -> PIC VARCHAR(10) NOT NULL
    -> );

After the table is created, use related statements to view information about the table,
such as SHOW and SELECT.

Check whether the table is successfully created.

View the table structure.

Check the table status.

Step 3 Add data.

Add data to the table in sequence.

mysql> INSERT Vegetables VALUES
    -> (1,'Cabbage',NULL,200,'Tom'),
    -> (2,'Potato',2.60,300,'Peter'),
    -> (3,'Bok choy',6,150,'Jim'),
    -> (4,'Tomato',5.2,230,'Betty'),
    -> (5,'Cucumber',8,330,'Jim');

After the table is added, view data in the table, as shown in the following figure.

⚫ Question: Why are the values in Price and Qty automatically saved to two decimal
places?
Answer: When the table is created, the DECIMAL modifier is added to Price and Qty to
make the values accurate to two decimal places.

Step 4 Perform data queries.

Query information about the vegetables managed by Jim from the table.

mysql> SELECT * FROM Vegetables WHERE PIC='Jim';

Query the names and prices of the vegetables managed by Jim.

mysql> SELECT Name,Price FROM Vegetables WHERE PIC='Jim';

Query information about the vegetables managed by Jim or Tom from the table.

mysql> SELECT * FROM Vegetables WHERE PIC='Jim' or PIC='Tom';



Query information about the vegetables whose prices are higher than 7.00 and quantity
is less than 180.

mysql> SELECT * FROM Vegetables WHERE Price>7 and Qty<180;

Query information about the vegetables managed by the salesmen whose names start
with T (fuzzy query).

mysql> SELECT * FROM Vegetables WHERE PIC LIKE 'T%';

Step 5 Modify data.

Change the price of the vegetable whose ID is 1 to 4.2.

mysql> UPDATE Vegetables SET Price=4.2 WHERE ID=1;

Check whether the modification takes effect.

Step 6 Create users and grant permissions.

Create users vegetable_user and vegetable_admin as planned and set their passwords
to Huawei@123.

mysql> CREATE USER vegetable_user@localhost identified by 'Huawei@123';
Query OK, 0 rows affected (0.50 sec)

mysql> CREATE USER vegetable_admin@localhost identified by 'Huawei@123';
Query OK, 0 rows affected (0.01 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.41 sec)

⚫ Question: Are there any deficiencies in the users created by running the preceding
commands? How do you make up for such deficiencies?
Answer: The users created by running the preceding commands can log in to the
database only on the local host but cannot log in to the database over the Internet.
When creating a user, you can specify the hosts or network segments that are allowed to
log in to the MySQL database. For example, to allow the 192.168.1.0 network segment,
use the following statement:

CREATE USER vegetable_user@'192.168.1.%' identified by 'Huawei@123';

To allow all network segments, use the following statement:

CREATE USER vegetable_user@'%' identified by 'Huawei@123';

Alternatively, omit the host part, which defaults to '%':

CREATE USER vegetable_user identified by 'Huawei@123';

Modify the attributes of the users.

mysql> use mysql;
mysql> UPDATE user SET HOST='%' WHERE user LIKE 'vege%';

Grant permissions to the created users as planned.

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
mysql> flush privileges;
mysql> GRANT ALL PRIVILEGES ON Vegetables.* TO vegetable_admin@'%';
mysql> GRANT SELECT ON Vegetables.* TO vegetable_user@'%';

Log out of user root, log in to the database as users vegetable_admin and
vegetable_user, and check whether the configurations take effect. Log in to the
database as user vegetable_user.

Log in to the database as user vegetable_admin.



Step 7 Modify and delete the database, data tables, and users.

Change the table name from Vegetables to Vegetable1.

mysql> ALTER TABLE Vegetables rename as Vegetable1;

Delete the Vegetable1 table.

mysql> DROP TABLE Vegetable1;

Delete the Vegetables database.



mysql> DROP DATABASE Vegetables;

Log in to the MySQL database as user root and delete users vegetable_user and
vegetable_admin.

mysql> DROP USER vegetable_user, vegetable_admin;



5 LAMP Practices

5.1 Introduction
This lab uses Server01 and Server04 to set up a WordPress server developed in PHP.

5.2 Interconnecting Components in the Early Stage


5.2.1 Interconnecting Apache with PHP
Step 1 Install PHP.

On the Apache host, run the following command to install PHP:

yum install -y php

After the installation is complete, run the following command to check whether the
installation is correct:

php -v

Step 2 Modify Apache configurations.

Add the PHP configuration to the Apache main configuration file as follows.

To prevent interference, back up or delete all configurations in the previous labs. For
example, copy all sub-configuration files in conf.d to the new conf.bk directory and
retain only the php.conf file related to PHP.

cd /etc/httpd/conf.d
mkdir conf.bk && mv * conf.bk/
mv conf.bk/php.conf .

After the configuration is complete, the files in the conf.d directory are as follows.

Restart the httpd service and check whether it can be accessed.

Step 3 Verify the configurations.

Create index.php in the root directory of httpd to test whether Apache and PHP can
work properly. The content of index.php is as follows:

<?php
phpinfo();
?>

In the address box of the browser, enter Apache_host_EIP/index.php to access the
Apache server. If the following page is displayed, the configuration is correct.

If the page is not displayed, check whether the php-fpm service is normal, as shown in
the following figure.

5.2.2 Interconnecting PHP with MySQL


Step 1 Grant the MySQL access permission.

This lab uses user root for testing. Check whether user root has the required permissions,
as shown in the following figure.

If user root is not allowed to access all other hosts or the Apache host, complete the
configuration by referring to the MySQL section.
After checking the permissions of user root, run the following commands on the Apache
host to install and connect to the MySQL server:

yum install -y mysql


mysql -h'192.168.1.14' -uroot -p'Huawei@123'

Step 2 Install the driver for connecting PHP to MySQL.

Run the following command to install the driver:

yum install -y php-mysqlnd

Step 3 Compile a test file for connecting PHP to MySQL.

Create a conn_mysql.php file in the root directory of httpd and enter the following
content:

<?php
// Try to connect and report the result. close() is called only when the
// connection was actually opened; calling it on a failed connection (false)
// would raise an error.
$con = mysqli_connect("192.168.1.14", "root", "Huawei@123");
if ($con) {
    echo 'OK';
    $con->close();
} else {
    echo 'NOT OK';
}
?>

Enter Apache_host_EIP/conn_mysql.php in the address box of the browser to access the
Apache server and check whether OK is returned.

5.3 Performing LAMP Practices


5.3.1 Introduction
WordPress is an open source blog platform developed using PHP. Due to its ease of use
and openness, WordPress is widely used in various industries. This LAMP lab will be
completed based on WordPress.

5.3.2 Preparing Resources


Step 1 Download and decompress the WordPress installation package.

Run the following commands on the Apache host to download the WordPress installation
package:

cd /home
mkdir wordpress
wget https://wordpress.org/latest.tar.gz

Run the following commands to decompress the downloaded package:

mv latest.tar.gz wordpress/
cd wordpress/
tar -xzf latest.tar.gz

If the tar command is not available, install it using the Yum repository.

Step 2 Create the database required by WordPress.

Create a wordpress database required by WordPress on the MySQL server.

mysql> CREATE DATABASE wordpress;

Create a dedicated user named wp for the database and grant the read and write
permissions on the database to the user.

mysql> CREATE USER wp@'%' identified by 'Huawei@123';


mysql> GRANT ALL PRIVILEGES ON wordpress.* TO 'wp'@'%';
mysql> FLUSH PRIVILEGES;

After the configuration is complete, check whether you can access the database as user
wp on the Apache host.

5.3.3 Installing and Testing WordPress


Run the following commands to copy all files in the decompressed WordPress directory
to the root directory of the httpd service:

cd /home/wordpress/wordpress/
cp -r * /var/www/html
ls /var/www/html

⚫ Note: During the copy, the system asks you whether to overwrite the original
index.php file. Enter y to overwrite the original index.php file. Alternatively, back up
the original index.php file and copy the file again.
After the copy is complete, enter http://Apache_server_EIP/wp-admin/install.php in the
address box of the browser to start installation, as shown in the following figure.

Click Let's go to start installation. On the next page, enter the MySQL database
information, as shown in the following figure.

Click Submit. A message is displayed, indicating that the WordPress configuration file
wp-config.php cannot be found and needs to be manually created, as shown in the
following figure.

Manually create wp-config.php in the /var/www/html directory, copy the content
highlighted in the red box in the preceding figure to the file, and click Run the
installation. The installation program automatically switches to the configuration page.
The following figure shows the parameters that have been set.

After the configuration is complete, click Install WordPress. After the installation is
complete, the following page is displayed.

Click Log In and enter the user name and password to log in, as shown in the following
figure.

Click Log In to log in to the home page, as shown in the following figure.

⚫ Question: What are L, A, M, and P in WordPress practice?

Answer:
In this practice, the WordPress installation package, Apache, and MySQL all run on the
openEuler OS. openEuler is an advanced Linux distribution, which is the embodiment of
"L".
The WordPress installation and access after the installation are implemented through
web services. In this practice, web services are provided by Apache, which is the
embodiment of "A".
Before installing WordPress, you have created the wordpress database in MySQL. During
the installation, you have entered related information, such as the user name and
password. After the installation is complete, WordPress automatically creates tables and
data in the database, as shown in the following figure.

These are the embodiments of "M".


WordPress is developed based on PHP, which is the embodiment of "P".

---------End---------
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: https://e.huawei.com

Huawei Proprietary and Confidential


Copyright © Huawei Technologies Co., Ltd
openEuler Cluster Architecture Lab Guide Page 1

Huawei Certification System


Huawei Certification is an integral part of the company's Platform + Ecosystem
strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-
Device synergy. Our certification is always evolving to reflect the latest trends in ICT
development. Huawei Certification consists of three categories: ICT Infrastructure
Certification, Basic Software & Hardware Certification, and Cloud Platform & Services
Certification, making it the most extensive technical certification program in the
industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Our programs cover all ICT fields and follow the industry's trend of ICT convergence.
With our leading talent development system and certification standards, we are
committed to fostering new digital ICT talent and building a sound ICT talent
ecosystem.
HCIP-openEuler is intended for frontline engineers at Huawei regional offices or
representative offices, and other personnel who want to learn openEuler O&M
technologies. HCIP-openEuler certification covers common openEuler enterprise service
management, openEuler HA cluster architecture, openEuler storage management,
openEuler automated O&M, Linux shell scripts, openEuler system security hardening,
and openEuler system monitoring.
Huawei certification helps you unlock opportunities to advance your career and take
one more step towards the top of the industry.

About This Document

Overview
This document is intended for trainees preparing for the HCIP-openEuler certification
exam and those who are interested in building enterprise services and shell scripts or
performing automated O&M using Zabbix or Salt on openEuler and other Linux
distributions.

Description
This lab guide consists of five labs, starting from basic device configurations, and
describes how to install and configure cluster software on openEuler, including the Linux
Virtual Server (LVS), NGINX, HAProxy, and Keepalived.
⚫ Lab 1: LVS configuration
➢ This lab employs the LVS-NAT and LVS-DR modes to balance the loads of web
servers.
⚫ Lab 2: NGINX reverse proxy and load balancing configuration
➢ This lab mainly introduces load balancing algorithms.
⚫ Lab 3: HAProxy configuration
➢ This lab focuses on how to use the monitoring function of HAProxy, configure
HAProxy logs, and configure the access control feature of HAProxy.
⚫ Lab 4: Keepalived configuration
➢ This lab uses Keepalived to provide high availability (HA) for NGINX and
implement an NGINX cluster together with LVS.
⚫ Lab 5: Redis operations
➢ This lab involves addition, deletion, query, and modification operations and
applies Redis in WordPress.

Background Knowledge Required


This course is for Huawei's basic certification. To better understand this course, the
intended audience should:
⚫ Have basic Linux knowledge. You are advised to complete HCIA-openEuler learning
and pass the HCIA-openEuler certification exam.

Lab Environment Preparation


Checking Devices
Before starting the labs, each group of trainees should apply for ECSs on Huawei Cloud
according to the following table.

Device Name: ECS
Specifications: 1 vCPUs | 1 GiB | s7.small.1
Remarks: The required quantity is subject to each lab.

Contents

1 LVS Configuration .................................................................................................................. 1


1.1 LVS-NAT Configuration .......................................................................................................................................................... 1
1.1.1 Introduction ............................................................................................................................................................................ 1
1.1.2 Networking.............................................................................................................................................................................. 1
1.1.3 Procedure ................................................................................................................................................................................. 2
1.2 LVS-DR Configuration ............................................................................................................................................................. 5
1.2.1 Introduction ............................................................................................................................................................................ 5
1.2.2 Networking.............................................................................................................................................................................. 5
1.2.3 Procedure ................................................................................................................................................................................. 6
2 NGINX Reverse Proxy and Load Balancing Configuration ............................................ 9
2.1 Introduction ................................................................................................................................................................................ 9
2.2 Networking ................................................................................................................................................................................. 9
2.3 Procedure ..................................................................................................................................................................................10
3 HAProxy Configuration .......................................................................................................16
3.1 Introduction ..............................................................................................................................................................................16
3.2 Networking ...............................................................................................................................................................................16
3.3 Procedure ..................................................................................................................................................................................17
3.3.1 Implementing Basic Load Balancing with HAProxy ...............................................................................................17
3.3.2 Configuring GUI-based HAProxy Monitoring ...........................................................................................................18
3.3.3 Configuring HAProxy Logs...............................................................................................................................................19
3.3.4 Configuring HAProxy ACLs ..............................................................................................................................................20
4 Keepalived Configuration ...................................................................................................22
4.1 NGINX HA Cluster Configuration with Keepalived ....................................................................................................22
4.1.1 Introduction ..........................................................................................................................................................................22
4.1.2 Networking............................................................................................................................................................................22
4.1.3 Procedure ...............................................................................................................................................................................23
4.2 NGINX Cluster Configuration with Keepalived + LVS ...............................................................................................27
4.2.1 Introduction ..........................................................................................................................................................................27
4.2.2 Networking............................................................................................................................................................................27
4.2.3 Procedure ...............................................................................................................................................................................27
5 Basic Redis Operations ........................................................................................................31
5.1 Introduction ..............................................................................................................................................................................31
5.2 Performing Basic Redis Operations .................................................................................................................................31
5.3 Configuring Redis as the Cache of WordPress ............................................................................................................35
5.3.1 Introduction ..........................................................................................................................35
5.3.2 Networking............................................................................................................................................................................35
5.3.3 Procedure ...............................................................................................................................................................................35

1 LVS Configuration

1.1 LVS-NAT Configuration


1.1.1 Introduction
This lab shows how to access an NGINX cluster in LVS-NAT mode. In actual scenarios, the
system returns the same content when the cluster provides the service externally. In this
lab, to better explain LVS algorithms, the NGINX service displays different contents. For
example, "hello,10.0.0.2" is displayed for Nginx1, and "hello,10.0.0.3" is displayed for
Nginx2.

1.1.2 Networking
This lab requires four ECSs that function as the client, LVS, Nginx1, and Nginx2. The
virtual IP address (VIP) of the LVS is 192.168.1.10/24, and its director IP address (DIP) is
10.0.0.10/24. The real IP address (RIP) of Nginx1 is 10.0.0.2/24, and the RIP of Nginx2 is
10.0.0.3/24. The RIPs are accessed by the client, as shown in the following figure.

On Huawei Cloud, subnet 1 and subnet 2 are two subnets in the same virtual private
cloud.

1.1.3 Procedure
Step 1 Configure Nginx1 and Nginx2.

Set the gateway of Nginx1 and Nginx2 to the LVS DIP according to the preceding
figure. Command example:

nmcli con mod ens224 ipv4.address 10.0.0.2/24 ipv4.gateway 10.0.0.10


nmcli con down ens224 && nmcli con up ens224

Note: After the modification is done, the network will be interrupted. Log in to the ECS
using VNC and perform the following operations.
Configure Nginx1 and Nginx2 based on the knowledge in course 1. It is required that the
system returns "hello,10.0.0.2" when port 80 of Nginx1 is accessed and "hello,10.0.0.3"
when port 80 of Nginx2 is accessed. Example:

[root@Nginx1 ~]# curl 10.0.0.2


"hello,10.0.0.2"
[root@Nginx2 ~]# curl 10.0.0.3
"hello,10.0.0.3"

Step 2 Preconfigure the LVS.

Configure two NICs for the LVS ECS, one for the VIP and the other for the DIP. The DIP is
an intranet IP address and does not need a gateway. The VIP is a public IP address and
needs to be configured with gateway information. In addition, to ensure normal IP
forwarding, disable the Source/Destination Check item, as shown in the following
figure.

Enable the IP forwarding function on the LVS ECS.

[root@Cluster1 ~]# sed -i "s/ip_forward=0/ip_forward=1/g" /etc/sysctl.conf



[root@Cluster1 ~]# sysctl -p | grep net.ipv4.ip_forward


net.ipv4.ip_forward = 1
[root@Cluster1 ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

After the configuration, test whether Nginx1 and Nginx2 can be accessed.

[root@Cluster1 ~]# curl 10.0.0.2


"hello,10.0.0.2"
[root@Cluster1 ~]# curl 10.0.0.3
"hello,10.0.0.3"

Step 3 Install and configure the LVS.

On the LVS, run the following command to install ipvsadm:

[root@Cluster1 ~]# yum install -y ipvsadm

After the installation is complete, create the configuration file required for starting
ipvsadm.

[root@Cluster1 ~]# touch /etc/sysconfig/ipvsadm

Start the service and check whether the service is started normally.

If the service is started properly, run the following command to create a cluster using the
round robin algorithm:

[root@Cluster1 ~]# ipvsadm -A -t 192.168.1.10:80 -s rr

Add Nginx1 and Nginx2 as backend real servers, or RSs.

[root@Cluster1 ~]# ipvsadm -a -t 192.168.1.10:80 -r 10.0.0.2 -m


[root@Cluster1 ~]# ipvsadm -a -t 192.168.1.10:80 -r 10.0.0.3 -m

Check whether the configuration takes effect.

[root@Cluster1 ~]# ipvsadm -Ln


IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.1.10:80 rr
-> 10.0.0.2:80 Masq 1 0 0
-> 10.0.0.3:80 Masq 1 0 0

Step 4 Check the LVS configuration.

On the ECS where the LVS resides, use the LVS VIP to repeatedly access the web service.
The following information is displayed:

Or, use different browsers on the local PC to repeatedly access the EIP of the ECS and
view the responses.
It shows that the LVS forwards the requests to Nginx1 and Nginx2 in round robin mode
and returns the corresponding contents to the client.
⚫ Question: Is it mandatory to set the gateway of Nginx1 and Nginx2 to the LVS DIP?
Answer: Yes.
⚫ Task: Change the LVS algorithm to weighted round robin.

Step 1 Modify the LVS configuration.


Run the following command to change the LVS algorithm to weighted round robin:

[root@Cluster1 ~]# ipvsadm -E -t 192.168.1.10:80 -s wrr

Check whether the modification takes effect.

Step 2 Change the weights of the two RSs.



Change the weight of Nginx1 to 2.

[root@Cluster1 ~]# ipvsadm -e -t 192.168.1.10:80 -r 10.0.0.2 -m -w 2

Check whether the modification takes effect.

Step 3 Check the LVS configuration.

Log in to the client ECS and use the LVS VIP to repeatedly access the web service. The
following information is displayed:

As shown in the preceding figure, the LVS algorithm has been changed to weighted
round robin.

1.2 LVS-DR Configuration


1.2.1 Introduction
The requirements in this lab are basically the same as those in the preceding lab. The
only difference is that the LVS working mode is changed from NAT to DR.

1.2.2 Networking
This lab requires four ECSs, one as the LVS, two as the NGINX servers, and the other as
the client. The NGINX servers in the previous lab can be reused. The LVS requires only
one NIC. Remove the NIC corresponding to 10.0.0.10 and change the IP address of the
NIC where 192.168.1.10 is located to 10.0.0.10. The two NGINX servers and the LVS are in
the same subnet, and the client is in another subnet. Configure dummy interfaces on the
NGINX servers and the LVS to carry VIPs.

1.2.3 Procedure
Step 1 Configure Nginx1 and Nginx2.

The configuration method is the same as that in the previous lab.


Additionally, perform network configuration on the two NGINX nodes.
Run the following command to add VIP configurations:

nmcli connection add type dummy ifname dummy2 ipv4.method manual ipv4.addresses 10.0.0.100/32

Run the following commands to change the RIP gateway address to the router interface
address:

nmcli connection modify ens224 ipv4.gateway 10.0.0.1


nmcli connection down ens224
nmcli connection up ens224

After the network configuration is complete, modify the ARP kernel parameters.

cat >> /etc/sysctl.conf << EOF


net.ipv4.conf.all.arp_ignore = 1

net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.dummy2.arp_ignore = 1
net.ipv4.conf.dummy2.arp_announce = 2
EOF

After the configuration is complete, run the sysctl -p command for the configuration to
take effect.

Step 2 Preconfigure the LVS.

If the LVS in the previous lab is reused in this lab, remove the existing configurations.
Run the following command to delete the LVS configuration added in the preceding lab:

ipvsadm -D -t 192.168.1.10:80

After the deletion, run the following command to add VIP configurations:

nmcli connection add type dummy ifname dummy2 ipv4.method manual ipv4.addresses 10.0.0.100/32

Run the following commands to set the DIP gateway address to the router interface
address:

nmcli connection modify ens224 ipv4.gateway 10.0.0.1


nmcli connection down ens224
nmcli connection up ens224

If the LVS is newly created, you only need to add the VIP configurations and change the
gateway address.

Step 3 Configure the LVS.

If the LVS is newly created, install ipvsadm based on Step 3 in 1.1.3.


Run the following commands to add required configurations:

ipvsadm -A -t 10.0.0.100:80 -s rr
ipvsadm -a -t 10.0.0.100:80 -r 10.0.0.3
ipvsadm -a -t 10.0.0.100:80 -r 10.0.0.2

Verify the configuration. Information in the following figure is displayed:



⚫ Question: What information in the preceding figure indicates that the current mode
is DR?
Answer: Route in the Forward column.
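The Forward column is the one thing that distinguishes the two labs in `ipvsadm -Ln` output. The functions below, an added example and not part of the lab guide, parse that output into a per-real-server mode list, flag a virtual service whose real servers do not all use the same forwarding method, and check the two ARP sysctl values a DR real server must carry. The two `ipvsadm -Ln` listings and the sysctl lines are constructed samples in the shape shown in these labs, not captured from a live system.

```shell
#!/bin/sh
# Added example, not from the lab guide: read "ipvsadm -Ln" output, report the
# forwarding mode of each real server and spot mixed-mode services.

sample_ipvs_nat() {           # constructed, shape of the LVS-NAT lab output
    cat <<'EOF'
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.10:80 rr
  -> 10.0.0.2:80                  Masq    1      0          0
  -> 10.0.0.3:80                  Masq    1      0          0
EOF
}

sample_ipvs_dr() {            # constructed, shape of the LVS-DR lab output
    cat <<'EOF'
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.0.0.100:80 rr
  -> 10.0.0.3:80                  Route   1      0          0
  -> 10.0.0.2:80                  Route   1      0          0
EOF
}

# ipvs_modes < ipvsadm-output -> "SERVICE RS MODE" per real server; MODE is
# NAT for Masq, DR for Route and TUN for Tunnel.
ipvs_modes() {
    awk '
        $1 == "TCP" || $1 == "UDP" { svc = $2; next }
        $1 == "->" && $3 != "Forward" {
            mode = $3
            if (mode == "Masq") mode = "NAT"
            else if (mode == "Route") mode = "DR"
            else if (mode == "Tunnel") mode = "TUN"
            print svc, $2, mode
        }'
}

# ipvs_service_mode SERVICE < ipvsadm-output -> the service's single mode, or
# "MIXED" when its real servers use different forwarding methods (a mistake
# that typically shows up as some clients getting no answer at all).
ipvs_service_mode() {
    ipvs_modes | awk -v s="$1" '
        $1 == s { seen[$3] = 1 }
        END {
            n = 0
            for (m in seen) { n++; last = m }
            if (n == 1) print last
            else if (n > 1) print "MIXED"
        }'
}

# arp_settings_ok < sysctl-output -> exit 0 when the ARP settings a DR real
# server needs (arp_ignore=1 and arp_announce=2 on "all") are both present.
arp_settings_ok() {
    awk '
        $1 == "net.ipv4.conf.all.arp_ignore"   && $3 == 1 { ign = 1 }
        $1 == "net.ipv4.conf.all.arp_announce" && $3 == 2 { ann = 1 }
        END { exit !(ign && ann) }'
}

# Stand-alone demonstration
echo "NAT lab: $(sample_ipvs_nat | ipvs_service_mode 192.168.1.10:80)"
echo "DR lab:  $(sample_ipvs_dr | ipvs_service_mode 10.0.0.100:80)"
```

On a real director, feed `ipvsadm -Ln` into ipvs_modes; on a real server in DR mode, feed `sysctl -a` into arp_settings_ok, which reports the situation that makes the VIP answer ARP from the wrong host.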

Step 4 Check the LVS configuration.

Log in to the client ECS and use the LVS VIP to repeatedly access the web service. The
following information is displayed:

It shows that the LVS forwards the requests to Nginx1 and Nginx2 in round robin mode
and returns the page to the client.

2 NGINX Reverse Proxy and Load Balancing Configuration

2.1 Introduction
This lab uses multiple NGINX algorithms to implement load balancing on backend servers
and demonstrates the effect to enhance understanding of each algorithm.

2.2 Networking
In this lab, four ECSs are used. The two NGINX servers and the client from the LVS
configuration lab can be reused. An NGINX proxy server needs to be created; you can also
reuse the LVS from the LVS configuration lab after clearing its configurations. The following
figure shows the topology.

2.3 Procedure
Step 1 Check whether the resources are available.

On the client, ping the proxy server's IP address in the 10.0.0.x segment and ensure that the
network connection between them is normal, as shown in the following figure.

Access the two NGINX servers on the proxy server to ensure that the NGINX servers are
available, as shown in the following figure.

Step 2 Install and configure the NGINX proxy.

Install NGINX on the proxy server based on the knowledge in course 1, and then start the
NGINX service, as shown in the following figure.

Create a proxy and load balancing configuration file in the NGINX configuration file sub-
directory of the proxy server and add the following configurations to the file:

upstream 10.0.0.10 {
server 10.0.0.2:80;
server 10.0.0.3:80;
}
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://10.0.0.10;
}
}

After the configuration, run the nginx -s reload command to reload the NGINX service.

Step 3 Verify the proxy server configuration.

Access 10.0.0.1 from the client. If the configuration is correct, the following information is
displayed:

Step 4 Configure virtual hosts on Nginx1 and Nginx2.

To amplify the algorithm effect, add virtual hosts for the two NGINX servers.
Configuration example:

server {
listen 0.0.0.0:80;
root /data/Nginx/;
server_name localhost;
index index80.html;
}
server {
listen 0.0.0.0:81;
root /data/Nginx/;
server_name localhost;
index index81.html;
}
server {
listen 0.0.0.0:82;
root /data/Nginx/;
server_name localhost;
index index82.html;
}

Create the index80.html, index81.html, and index82.html files in /data/Nginx/, and
add the port to be used to the files.

Step 5 Add the virtual hosts to the backend host group.

Configuration example:

upstream 10.0.0.10 {
server 10.0.0.2:80;
server 10.0.0.2:81;
server 10.0.0.2:82;
server 10.0.0.3:80;
server 10.0.0.3:81;
server 10.0.0.3:82;
}

Reload the NGINX configuration file.

Step 6 Use the IP Hash algorithm for load balancing.

Modify the configuration file of the proxy server as follows to change the algorithm to
IP Hash:
upstream 10.0.0.10 {
ip_hash;
server 10.0.0.2:80;
server 10.0.0.2:81;
……
}
…….

Reload NGINX configurations and perform a test on the client. The result is as follows:
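What the client sees after switching to ip_hash can be predicted rather than just observed. The script below is an added example, not part of the lab guide: it models how nginx's ip_hash module selects a backend. The module hashes only the first three octets of an IPv4 client address, so every client in the same /24 (for instance everyone behind one NAT gateway) is sent to the same backend, and a backend's share of traffic is decided by how many /24s hash to it rather than by how many requests arrive. The constants used (start at 89, then hash = (hash * 113 + octet) % 6271 per octet, then reduce modulo the total weight) are my reading of the ip_hash module and should be treated as an assumption to verify against the nginx source in use; the backend list is passed in as constructed arguments, optionally with a third `:WEIGHT` field.

```shell
#!/bin/sh
# Added example, not from the lab guide: model nginx ip_hash backend selection.

# ip_hash_pick CLIENT_IP SERVER:PORT[:WEIGHT] ... -> backend chosen for CLIENT_IP
ip_hash_pick() {
    ip="$1"; shift
    printf '%s\n' "$@" | awk -v ip="$ip" '
        { n = split($0, f, ":")          # "host:port" or "host:port:weight"
          w[NR] = (n >= 3) ? f[3] + 0 : 1
          srv[NR] = f[1] ":" f[2]
          total += w[NR] }
        END {
            split(ip, o, ".")
            h = 89
            for (k = 1; k <= 3; k++)       # only the first three octets count
                h = (h * 113 + o[k]) % 6271
            r = h % total
            p = 1                          # walk the weighted list to the bucket
            while (r >= w[p]) { r -= w[p]; p++ }
            print srv[p]
        }'
}

# same_backend IP1 IP2 SERVER ... -> exit 0 if both clients land on one backend
same_backend() {
    a="$1"; b="$2"; shift 2
    [ "$(ip_hash_pick "$a" "$@")" = "$(ip_hash_pick "$b" "$@")" ]
}

# Stand-alone demonstration with the six virtual hosts used in this lab.
for client in 192.168.1.100 192.168.1.7 10.0.0.5; do
    printf '%s -> %s\n' "$client" \
        "$(ip_hash_pick "$client" 10.0.0.2:80 10.0.0.2:81 10.0.0.2:82 10.0.0.3:80 10.0.0.3:81 10.0.0.3:82)"
done
```

The lab's test from a single client therefore always returns the same virtual host, which is the intended stickiness; it also means that when the test client sits behind NAT with other users, all of them share that backend and a down backend affects whole networks at once.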

Step 7 Use the Generic Hash algorithm for load balancing.

Create test files in the root directory on the two NGINX servers.
Run the following command on Nginx2:

[root@Nginx2 Nginx]# echo "10.0.0.3 Generic Hash practice" > test.txt

Run the following command on Nginx1:

[root@Nginx1 Nginx]# echo "10.0.0.2 Generic Hash practice" > test.txt

Reload the NGINX service.


To show the effect of the Generic Hash algorithm, use the default algorithm first.

Load NGINX configurations and access the test.txt file from the client. The result is as
follows:

Modify the load balancing configuration file.

Reload NGINX configurations and access the test.txt file from the client. The result is as
follows:

Step 8 Use the Random algorithm for load balancing.

Change the load balancing algorithm to Random as follows:



Reload NGINX configurations and perform a test. The result is as follows:

⚫ Question: After the algorithm is set to Random, will the test result be exactly the
same as the preceding figure?
Answer: Not exactly. As the algorithm name indicates, the requests are scheduled to
randomly selected servers.

Step 9 Configure algorithm options.

Modify the configuration file of the proxy server. Set all virtual hosts of Nginx2 to
backup and assign a weight for the virtual hosts of Nginx1. Configuration example:

Reload NGINX configurations and perform a test on the client. The result is as follows:

Manually stop the service on Nginx1, as shown in the following figure:

Perform the test on the client again. The result is as follows:

Modify the configuration file on the proxy server and change the status of some virtual
hosts of Nginx2 to down. Configuration example:

Reload NGINX configurations and perform a test on the client. The result is as follows:

3 HAProxy Configuration

3.1 Introduction
This lab consists of multiple sub-labs to show various HAProxy functions.

3.2 Networking
This lab requires four ECSs: one as the HAProxy server, two as the NGINX servers, and the
other as the client. The NGINX servers from the previous lab can be reused, and the
configuration they were left with at the end of that lab can be retained. Each NGINX server
runs three virtual hosts. HAProxy uses two NICs to connect to the intranet and the public
network respectively. The following figure shows the topology.

3.3 Procedure
3.3.1 Implementing Basic Load Balancing with HAProxy
Step 1 Install HAProxy.

Run the following command on the HAProxy ECS to install HAProxy:

yum install -y haproxy

Step 2 Modify the HAProxy configuration file.

The HAProxy configuration file is /etc/haproxy/haproxy.cfg. You are advised to back up
the file before modifying it.
This lab implements basic load balancing of HAProxy. You only need to modify the
backend section as follows:

frontend main
bind *:80
default_backend http_back

backend http_back
balance roundrobin
server node1 10.0.0.2:80 check
server node2 10.0.0.2:81 check
server node3 10.0.0.2:82 check
server node4 10.0.0.3:80 check
server node5 10.0.0.3:81 check
server node6 10.0.0.3:82 check

After the configuration, run the systemctl restart haproxy command to restart the
HAProxy service. Then access HAProxy from the client. If the configuration is correct, the
result is as follows:

3.3.2 Configuring GUI-based HAProxy Monitoring


Step 1 Modify the HAProxy configuration file.

In the listen section in the HAProxy configuration file, configure GUI-based HAProxy
monitoring.

listen admin_stat
bind 0.0.0.0:8443
mode http
stats refresh 30s
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth openEuler:Huawei@123
stats hide-version

admin_stat indicates the user-defined name, refresh 30s indicates the refresh frequency,
uri /haproxy_stats indicates the URI to the monitoring page, and
openEuler:Huawei@123 indicates the authentication information for logging in to this
page.

Step 2 View the monitoring page.

After the configuration is complete, restart the HAProxy service. Open a browser on the
PC, enter http://EIP:8443/haproxy_stats in the address box, and press Enter. In the
displayed dialog box, enter the user name and password to log in to the monitoring
page.

3.3.3 Configuring HAProxy Logs


Step 1 Modify the HAProxy configuration file.

HAProxy logging can be defined in the global, defaults, or frontend section. This lab uses
the global section as an example. Add the log configuration to the HAProxy configuration
file as follows:

global
log 127.0.0.1 local3 info
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
maxconn 4000

Step 2 Modify rsyslog configuration information.

Add the following contents to the end of /etc/rsyslog.conf:

local3.* /var/log/haproxy.log
$ModLoad imudp
$UDPServerRun 514

Step 3 Perform a test.

After steps 1 and 2 are complete, restart the HAProxy and rsyslog services. After the
restart, the system automatically creates a log file, as shown in the following figure.

Enable the firewall on Nginx2 and check whether the corresponding logs are generated,
as shown in the following figure.

⚫ Task: Log in to the monitoring page and check whether the status of the monitored
hosts changes.
Expected result: The status of the monitored hosts changes to DOWN, as shown in the
following figure.
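Once rsyslog writes HAProxy's output to /var/log/haproxy.log as configured above, the same file can be summarised to see which backend servers went DOWN and which requests failed. The following script is an added example, not part of the lab guide: it assumes HAProxy's default HTTP log format (mode http with option httplog), reuses the backend and server names from the lab configuration (http_back, node1 to node6), and the log lines it parses are constructed for this example.

```python
"""Summarise HAProxy syslog output such as /var/log/haproxy.log.

Added example, not part of the lab guide. Assumes HAProxy's default HTTP
log format (mode http, option httplog) and the lab's backend/server names
(http_back, node1..node6). SAMPLE_LOG is constructed for this example."""
import re
from collections import Counter

# Request record: "client [date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes ... "request""
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>[-\d/]+) (?P<status>-?\d+) '
    r'(?P<bytes>\d+) .*?"(?P<request>[^"]*)"'
)
# Health-check event written when a checked server changes state
HEALTH_RE = re.compile(
    r'Server (?P<backend>[^/\s]+)/(?P<server>\S+) is (?P<state>UP|DOWN)'
    r'(?:, reason: (?P<reason>[^,.]+))?'
)

# Constructed sample: node4..node6 (Nginx2) stop answering health checks,
# one request still hits node6 and fails with 503, node4 later recovers.
SAMPLE_LOG = """\
Mar 12 10:00:01 haproxy haproxy[1234]: 192.168.1.100:51002 [12/Mar/2024:10:00:01.123] main http_back/node1 0/0/1/2/3 200 612 - - ---- 1/1/0/0/0 0/0 "GET /test.txt HTTP/1.1"
Mar 12 10:00:02 haproxy haproxy[1234]: 192.168.1.100:51004 [12/Mar/2024:10:00:02.456] main http_back/node4 0/0/1/2/3 200 612 - - ---- 1/1/0/0/0 0/0 "GET /test.txt HTTP/1.1"
Mar 12 10:00:05 haproxy haproxy[1234]: Server http_back/node4 is DOWN, reason: Layer4 timeout, check duration: 3001ms. 5 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 12 10:00:05 haproxy haproxy[1234]: Server http_back/node5 is DOWN, reason: Layer4 timeout, check duration: 3001ms. 4 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 12 10:00:06 haproxy haproxy[1234]: 192.168.1.100:51010 [12/Mar/2024:10:00:06.001] main http_back/node6 0/0/-1/-1/3000 503 212 - - SC-- 1/1/0/0/0 0/0 "GET /test.txt HTTP/1.1"
Mar 12 10:00:06 haproxy haproxy[1234]: Server http_back/node6 is DOWN, reason: Layer4 timeout, check duration: 3001ms. 3 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Mar 12 10:02:00 haproxy haproxy[1234]: Server http_back/node4 is UP, reason: Layer4 check passed, check duration: 0ms. 4 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
"""


def parse_line(line):
    """Return a dict for a request or health record, or None for other lines."""
    m = HTTPLOG_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "request"
        rec["status"] = int(rec["status"])
        rec["bytes"] = int(rec["bytes"])
        return rec
    m = HEALTH_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "health"
        return rec
    return None


def summarise(lines):
    """Per-server request counts, 5xx counts, and servers whose last state is DOWN."""
    requests, errors, state = Counter(), Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f'{rec["backend"]}/{rec["server"]}'
        if rec["kind"] == "request":
            requests[key] += 1
            if rec["status"] >= 500:
                errors[key] += 1
        else:
            state[key] = rec["state"]     # later events override earlier ones
    down = sorted(k for k, v in state.items() if v == "DOWN")
    return {"requests": dict(requests), "errors_5xx": dict(errors), "down": down}


if __name__ == "__main__":
    for k, v in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{k}: {v}")
```

Run it against the real file with `summarise(open("/var/log/haproxy.log"))` to cross-check what the monitoring page shows.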

Step 4 Restore Nginx2.

Disable the firewall service on Nginx2 to restore services.

3.3.4 Configuring HAProxy ACLs


In this lab, requests whose URI ends with .txt are sent to the specified hosts. Configuration example:

frontend main
bind *:80
acl test url_reg -i \.txt$
use_backend test if test
default_backend http_back
backend http_back
balance roundrobin
server node1 10.0.0.2:80 check
server node2 10.0.0.2:81 check
server node3 10.0.0.2:82 check
server node4 10.0.0.3:80 check
server node5 10.0.0.3:81 check
server node6 10.0.0.3:82 check
backend test
balance roundrobin
# A server address takes no path; the matched /test.txt URI is forwarded unchanged.
server test1 10.0.0.2:80 check
server test2 10.0.0.3:80 check

After the configuration, restart the HAProxy service and perform a test on the client. The
result is as follows:

⚫ Question: What if 192.168.1.10/test.txt is accessed with no ACL added?
Answer: HAProxy will forward the requests to the default backend host group in
sequence. The result is as follows:

4 Keepalived Configuration

4.1 NGINX HA Cluster Configuration with Keepalived


4.1.1 Introduction
In this lab, Keepalived is used to implement an NGINX HA cluster. When the master
server in the cluster is faulty, services are automatically switched to the backup server.

4.1.2 Networking
This lab requires three ECSs. Nginx1 and Nginx2 from the previous lab can be reused to run
the NGINX service, and Keepalived provides a virtual host address for client access. Nginx1
and Nginx2 exchange heartbeats over network segment 10 and provide services through
floating IP address 192.168.1.20. If one host, or the NGINX process on it, goes down,
services are automatically switched to the other host. The following figure shows the
topology.

Nginx1 and Nginx2 each use two network interfaces. Configure them as planned; this
configuration is not described in the following steps.

4.1.3 Procedure
Step 1 Install Keepalived.

Run the following command on Nginx1 and Nginx2 to install Keepalived:

yum install -y keepalived

Step 2 Check the network configurations of Nginx1 and Nginx2.

On Nginx1, ping Nginx2. If the network connection is normal, the following information
is displayed:

Step 3 Configure Keepalived.

In this lab, Nginx1 is configured as the master node and Nginx2 is configured as the
backup node. Modify the Keepalived configuration file
(/etc/keepalived/keepalived.conf) on Nginx1 as follows:

! Configuration File for keepalived

global_defs {
router_id Nginx1
}

vrrp_instance Nginx {
state MASTER
interface ens192
virtual_router_id 51
priority 225
advert_int 1
authentication {
auth_type PASS
auth_pass Huawei@1
}
virtual_ipaddress {
192.168.1.20/24
}
}

Modify the Keepalived configuration file of Nginx2 as follows:

! Configuration File for keepalived

global_defs {
router_id Nginx2
}

vrrp_instance Nginx {
state BACKUP
interface ens192
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass Huawei@1
}
virtual_ipaddress {
192.168.1.20/24
}
}

After the configuration is complete, run the following command on Nginx1 and Nginx2
to restart the Keepalived service:

systemctl restart keepalived

Check whether a floating IP address is generated on Nginx1, as shown in the following
figure.

Step 4 Perform a test.



On the client, use the floating IP address to access the NGINX service. The result shows
that Nginx1 responds to all the requests and returns the corresponding contents.

Shut down Nginx1 and use the floating IP address to access NGINX again. The result is as
follows:

The floating IP address floats to Nginx2, as shown in the following figure.

Step 5 Configure a health check.

Currently, Keepalived can switch services only based on whether the master node breaks
down. If only the NGINX service is faulty, Keepalived cannot switch services. Therefore,
configure a health check in Keepalived to check whether NGINX is available.
Start Nginx1, which was shut down in step 4, and add the health check configuration to the
Keepalived configuration files of Nginx1 and Nginx2. The details are as follows:

global_defs {
router_id Nginx1
}
vrrp_script nginx_check {
script "/etc/keepalived/check.sh"
interval 1
weight -5
fail 3
}

vrrp_instance Nginx {
……
track_script {
nginx_check
}
}

Create a check.sh script for checking NGINX service status in /etc/keepalived on the two
NGINX servers. The script contents are as follows. Note: To prevent errors, do not directly
copy and paste the following contents.

#!/bin/bash
# Keepalived health check for NGINX: if NGINX is not running, try one restart;
# if it still is not running, stop Keepalived so the floating IP moves to the peer.
systemctl status nginx | grep "active (running)" > /dev/null
if [ $? -ne 0 ]; then
    systemctl restart nginx &> /dev/null
    sleep 1
    systemctl status nginx | grep "active (running)" > /dev/null
    if [ $? -ne 0 ]; then
        systemctl stop keepalived
    else
        exit 0
    fi
fi

Step 6 Perform a test.

After the configuration is complete, run the systemctl restart keepalived command to
restart the service. Modify the NGINX configuration file on Nginx1 so that the NGINX
process cannot be started properly (for example, rename the nginx.conf file
nginx.conf.bk). Then manually stop the NGINX service.

[root@Nginx1 ~]# mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bk
[root@Nginx1 ~]# systemctl stop nginx

Run the systemctl start nginx command and ensure that NGINX cannot be started, as
shown in the following figure.

Perform the test on the client. It shows that Nginx2 provides services.

4.2 NGINX Cluster Configuration with Keepalived + LVS


4.2.1 Introduction
In this lab, an NGINX cluster is configured, where Keepalived provides HA for the LVS
and the LVS provides load balancing for the backend servers Nginx1 and Nginx2.

4.2.2 Networking
This lab requires five ECSs. Nginx1 and Nginx2 from the previous lab can be reused, but you
need to reconfigure their IP addresses as planned in the topology below and uninstall
Keepalived from them. The IP address configuration procedure is not described here.

LVS1 and LVS2 form an HA cluster through Keepalived and provide load balancing for
backend servers Nginx1 and Nginx2.

4.2.3 Procedure
Step 1 Install Keepalived and ipvsadm on LVS1 and LVS2 ECSs.

Run the following command:

yum install -y keepalived ipvsadm



Step 2 Modify the configuration file of LVS1.

Modify the Keepalived configuration file of LVS1 as follows:

! Configuration File for keepalived

global_defs {
router_id Cluster1
}

vrrp_instance Nginx {
state MASTER
interface ens192
mcast_src_ip 20.0.0.1
virtual_router_id 51
priority 255
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.20/24
}
}

virtual_server 192.168.1.20 80 {
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP

real_server 192.168.1.14 80 {
weight 1
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
real_server 192.168.1.15 80 {
weight 2
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
}

Step 3 Modify the configuration file of LVS2.

Modify the Keepalived configuration file of LVS2 as follows:



! Configuration File for keepalived

global_defs {
router_id Cluster2
}

vrrp_instance Nginx {
state BACKUP
interface ens192
mcast_src_ip 20.0.0.2
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.20/24
}
}

virtual_server 192.168.1.20 80 {
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP

real_server 192.168.1.14 80 {
weight 1
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
real_server 192.168.1.15 80 {
weight 2
TCP_CHECK {
connect_timeout 3
retry 3
delay_before_retry 3
}
}
}

Step 4 Perform a test.

After the two LVS servers are configured, restart them and perform an access test on the
client. The result is as follows:

⚫ Question: Why does Nginx2 respond to the requests every time?
Answer: Check the LVS configuration on LVS1. The details are as follows:

As shown in the preceding figure, LVS connections are configured as persistent
connections (persistence_timeout), and the timeout interval is set to 50. Therefore, each
request is forwarded to the server allocated for the first request. You can comment out
the related configuration in the Keepalived configuration file to implement load
balancing. See the following figure.

Restart the Keepalived service and perform a test again. The test result is as follows:

5 Basic Redis Operations

5.1 Introduction
This lab shows how to install Redis in standalone mode and perform some simple Redis
operations, such as creating, querying, and modifying keys.

5.2 Performing Basic Redis Operations


Step 1 Install Redis on an ECS.

Run the following command to install Redis:

yum install -y redis6-6.2.7-1.oe2203.x86_64

After the installation is complete, run the systemctl start redis command to start the
Redis service.

Step 2 Log in to Redis and perform basic operations.

Run the redis-cli command to log in to Redis, as shown in the following figure.

Create data in key-value format.

set test1 openEuler1
set test2 openEuler2
set test3 openEuler3

Query all keys in the current database.

keys *

Run the get command to view the value of a key. For example:

Run the expire command to set the expiration time of a key. For example:

expire test1 2

Run the move command to migrate a key value to another database. For example:

⚫ Question: Does the data still exist in Redis after the ECS is restarted in the current
state?
Answer: Yes. By default, Redis automatically generates a dump.rdb file, which is a
memory snapshot.

Step 3 Set a Redis login password.

Modify the Redis configuration file /etc/redis/redis.conf. Uncomment requirepass
foobared (line 903 in the current version) and replace foobared with a password, as
shown in the following figure.

After the modification, restart the Redis service and check whether the password takes
effect.

Step 4 Configure Redis persistent storage.

Modify the Redis configuration file, set dbfilename to snapshot.rdb, and set dir to a
directory that stores this file, as shown in the following figure.

Use the save directive to set the RDB policy. In the following figure, 10 indicates that a
snapshot is saved if at least one key changes within 10 seconds (line 386 in the
configuration file).

After the modification is complete, restart the Redis service, go to Redis, and manually
create two keys. The system creates a snapshot file in the specified directory, as shown in
the following figure.

5.3 Configuring Redis as the Cache of WordPress


5.3.1 Introduction
In "LAMP Practices" in course 1, WordPress uses the HTTP service provided by Apache. In
this lab, the LNMP architecture is used, that is, NGINX provides the HTTP service. In
addition, Redis provides the cache for WordPress through a WordPress plugin.

5.3.2 Networking
This lab requires four ECSs. Redis in the preceding lab can be reused, and Nginx1 in other
labs can be reused as the WordPress server. A browser needs to be installed on the client.
The following figure shows the topology and address planning.

5.3.3 Procedure
Step 1 Preconfigure Redis.

If Redis in the preceding lab is reused, delete all configurations.

Delete snapshot files.

Modify the configuration file (line 75) so that Redis can be accessed over the network.

After the configuration is complete, restart the server and check whether the
configuration takes effect.
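The two redis.conf edits made so far, requirepass in 5.2 Step 3 and the bind line in this step, decide together whether the instance can be reached over the network and whether a password is needed to do so. The script below is an added example, not part of the lab guide: it parses the redis.conf directives the lab touches (bind, protected-mode, requirepass, dir, dbfilename, save) and reports the resulting exposure; the three configuration fragments are constructed to mirror the shipped file, the state after the lab's edits, and an edit in which bind is opened before the password is set.

```python
"""Audit the redis.conf directives this lab edits.

Added example, not part of the lab guide. The configuration fragments are
constructed; directive semantics follow the comments in redis.conf."""
import ipaddress
import os
import shlex

SHIPPED_CONF = """\
# constructed: shipped redis.conf before the lab edits it
bind 127.0.0.1 -::1
protected-mode yes
port 6379
# requirepass foobared
dir /var/lib/redis
dbfilename dump.rdb
save 3600 1
save 300 100
save 60 10000
"""

LAB_CONF = """\
# constructed: after 5.2 steps 3-4 and 5.3 step 1 (dir path is a placeholder)
bind 0.0.0.0
protected-mode yes
port 6379
requirepass Huawei@123
dir /data/redis
dbfilename snapshot.rdb
save 10 1
"""

MISORDERED_CONF = """\
# constructed: bind opened to the network before requirepass is set
bind 0.0.0.0
protected-mode yes
port 6379
"""


def parse_redis_conf(text):
    """Return {directive: [args]}; a repeated directive keeps its last value,
    except `save`, whose rules accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)            # values may be double-quoted
        key, args = parts[0].lower(), parts[1:]
        if key == "save":
            conf.setdefault("save", []).append(args)
        else:
            conf[key] = args
    return conf


def _first(conf, key, default):
    args = conf.get(key)
    return args[0] if args else default


def listens_beyond_loopback(bind_args):
    """True if any bind address (ignoring Redis' optional '-' prefix) is not loopback."""
    for addr in bind_args:
        addr = addr.lstrip("-")
        if "*" in addr or not ipaddress.ip_address(addr).is_loopback:
            return True
    return False


def exposure_report(text):
    conf = parse_redis_conf(text)
    explicit_bind = "bind" in conf
    # No bind line at all means Redis listens on every interface.
    beyond_loopback = listens_beyond_loopback(conf["bind"]) if explicit_bind else True
    password_set = bool(_first(conf, "requirepass", ""))
    protected = _first(conf, "protected-mode", "yes").lower() == "yes"
    # Protected mode only shields an instance with neither a bind line nor a
    # password; once bind is set explicitly it no longer blocks remote clients.
    protected_blocks = protected and not explicit_bind and not password_set
    reachable = beyond_loopback and not protected_blocks
    return {
        "port": int(_first(conf, "port", "6379")),
        "reachable_from_network": reachable,
        "auth_required": password_set,
        "unauthenticated_exposure": reachable and not password_set,
        "rdb_file": os.path.join(_first(conf, "dir", "./"), _first(conf, "dbfilename", "dump.rdb")),
        "save_rules": [tuple(int(x) for x in r) for r in conf.get("save", []) if r and r[0]],
    }


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_CONF), ("lab", LAB_CONF), ("misordered", MISORDERED_CONF)):
        print(name, exposure_report(text))
```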

Step 2 Interconnect NGINX with PHP.

On WordPress, run the yum install -y php command to install PHP and its dependencies.
After the installation is complete, add listen = 9000 under listen.allowed_clients =
127.0.0.1 in the /etc/php-fpm.d/www.conf file, as shown in the following figure.

Run the systemctl restart php-fpm command to restart PHP and check whether port
9000 is enabled.

Create a wordpress.conf file in the /etc/nginx/conf.d directory of WordPress. The file
content is as follows:

server {
listen 0.0.0.0:80;
root /data/WordPress;
#server_name localhost;
index index.php;
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

Create a directory /data/WordPress, create a test file index.php in this directory, and
add the following contents to the file:

<?php
phpinfo();
?>

Restart the NGINX service and access the PHP page in the client browser to check
whether the page can be displayed.

Step 3 Interconnect PHP with MySQL.

This lab uses user root for testing. Check whether user root has the required permissions,
as shown in the following figure.

If user root is not allowed to access all other hosts or the WordPress host, complete the
configuration by referring to the MySQL section.
After checking the permissions of user root, run the following commands on the
WordPress host to install and connect to the MySQL server:

yum install -y mysql
mysql -h'192.168.1.8' -uroot -p'Huawei@123'

After the login is successful, run the following command on WordPress to install the PHP
driver for MySQL:

yum install -y php-mysqlnd

After the installation is complete, create a conn_mysql.php file in the /data/WordPress
directory and enter the following content in the file:

<?php
// Test the connection to the MySQL server; close it only if it was opened.
$con = mysqli_connect("192.168.1.8", "root", "Huawei@123");
if ($con) {
    echo 'OK';
    $con->close();
} else {
    echo 'NOT OK';
}
?>

After the configuration is complete, check whether OK is returned, as shown in the
following figure.

Step 4 Prepare WordPress resources.

Download WordPress and create a database by following the instructions in "Preparing
Resources" in course 1.

Step 5 Install WordPress.

Install and test WordPress by following the instructions in "Installing and Testing
WordPress" in course 1.

Step 6 Install a Redis plugin.

Add the following content to the end of the WordPress configuration file wp-config:

define("FS_METHOD", "direct");
define("FS_CHMOD_DIR", 0777);
define("FS_CHMOD_FILE", 0777);

Run the following command to modify the permission on the WordPress directory:

chmod -R 777 WordPress

Log in to WordPress and click Plugins > Add New.



On the displayed page, enter Redis Object Cache in the search box and click Install Now
in the search result, as shown in the following figure.

After the installation is complete, add the Redis configuration information to the
WordPress configuration file wp-config.php. The details are as follows:

define( 'WP_REDIS_HOST', '192.168.1.9' );
define( 'WP_REDIS_PORT', 6379 );
define( 'WP_REDIS_PASSWORD', 'Huawei@123' );
define( 'WP_REDIS_TIMEOUT', 1 );
define( 'WP_REDIS_READ_TIMEOUT', 1 );
define( 'WP_REDIS_DATABASE', 0 );

Click Activate and then check the plugin status in Installed Plugins.

If the following information is displayed, the plugin is running properly.

Step 7 Query WordPress data stored in Redis.

Log in to the Redis host. In the WordPress configuration, the generated data is stored in
database 0. Therefore, you can run the keys * command to query the generated cache
data.

------------End------------
Huawei openEuler Certification Training

HCIP-openEuler

Storage Management

Lab Guide
ISSUE: 1.0

HUAWEI TECHNOLOGIES CO., LTD


Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com

Huawei Proprietary and Confidential


Copyright © Huawei Technologies Co.,Ltd
HCIP-openEuler Storage Management Lab Guide Page 1

Huawei Certification System


Huawei Certification is an integral part of the company's Platform + Ecosystem
strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-
Device synergy. Our certification is always evolving to reflect the latest trends in ICT
development.
Huawei Certification consists of three categories: ICT Infrastructure Certification, Basic
Software & Hardware Certification, and Cloud Platform & Services Certification, making
it the most extensive technical certification program in the industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Our programs cover all ICT fields and follow the industry's trend of ICT convergence.
With our leading talent development system and certification standards, we are
committed to fostering new digital ICT talent and building a sound ICT talent
ecosystem.
HCIP-openEuler is mainly for frontline engineers from Huawei and representative
offices and readers who wish to learn openEuler O&M technologies. HCIP-openEuler
certification covers common openEuler enterprise service management, openEuler HA
cluster architecture, openEuler storage management, openEuler automated O&M, Linux
shell scripts, openEuler system security hardening, and openEuler system monitoring.
Huawei certification helps you unlock opportunities to advance your career and take
one more step towards the top of the industry.

About This Document

Overview
This document is an HCIP-openEuler certification training course and is intended for
trainees who are going to take the HCIP-openEuler exam or readers who want to learn
how to build enterprise services and master storage management on openEuler and
other Linux distributions.

Description
This lab guide consists of two labs, covering Network File System (NFS) and storage area
network (SAN) on shared networks, as well as the configuration and implementation of
GlusterFS distributed storage.
⚫ Lab 1: shared storage configuration
➢ This lab focuses on setting up and utilizing NFS and SAN storage, providing a
foundation in basic shared storage usage.
⚫ Lab 2: GlusterFS distributed storage management
➢ This lab covers storage cluster setup, along with the creation and utilization of
various volume types.

Background Knowledge Required


This course is for Huawei certification. To better understand this course, you need to:
⚫ Have basic Linux knowledge. You are advised to complete HCIA-openEuler learning
and pass the HCIA-openEuler certification exam.

Lab Environment Overview


This experiment is based on Huawei Cloud Elastic Cloud Server (ECS). Some lab resources
are utilized across different labs. You can choose to create new ECSs or reuse existing
ones as needed.
For details about the lab environment parameters of each lab, see the corresponding lab
networking guide and lab resource list.
You can refer to the lab guide of the HCIA-Cloud Service certification course for the basic
usage of Huawei Cloud.

Lab Environment Preparation


Checking Devices
Prepare a Huawei Cloud account with a sufficient budget.

Contents

About This Document ..... 3
Overview ..... 3
Description ..... 3
Background Knowledge Required ..... 3
Lab Environment Overview ..... 3
Lab Environment Preparation ..... 4
1 Shared Storage Management ..... 1
1.1 NFS Storage Management ..... 1
1.1.1 Introduction ..... 1
1.1.2 Networking ..... 1
1.1.3 Procedure ..... 2
1.2 SAN Storage ..... 9
1.2.1 Introduction ..... 9
1.2.2 Networking ..... 9
1.2.3 Procedure ..... 10
2 GlusterFS Distributed Storage ..... 33
2.1 Introduction ..... 33
2.2 Networking ..... 33
2.3 Procedure ..... 35

1 Shared Storage Management

1.1 NFS Storage Management


1.1.1 Introduction
In this lab, you will set up an NFS server on a Huawei Cloud ECS and mount the shared
storage on two other ECSs for access. Lab operations include:
⚫ NFS server setup
⚫ NFS client setup
⚫ Mounting of volumes and use of NFS shared storage on a client
⚫ NFS access control
⚫ NFS automatic mounting configuration

1.1.2 Networking
This lab involves three ECSs: Client01, Client02, and ecs-nfs. The following figure shows
the networking.

ECS Name   IP Address
ecs-nfs    192.168.1.10
Client01   192.168.1.21
Client02   192.168.1.22

Specifications: OS: openEuler 22.03 LTS; Password: Set a password as needed;
Flavor: 2 vCPUs | 4 GB; Drive: 40 GB.
Each ECS is bound to an EIP.

1.1.3 Procedure
Step 1 Create ECSs.

Create three ECSs based on the lab networking.

Step 2 Install the NFS server.

Log in to ecs-nfs and check whether nfs-utils and rpcbind have been installed.

rpm -aq | grep nfs
rpm -aq | grep rpcbind

The private OS image used in this lab contains the nfs-utils and rpcbind software
packages, and the services have been installed. You only need to start the services.
If the nfs or rpcbind process does not exist in the environment, manually install nfs-utils.
rpcbind will be automatically installed with nfs-utils.

yum install nfs-utils

After the installation is complete, check the NFS service status.

systemctl status nfs

Start the nfs service and enable it to automatically start upon system startup.

systemctl enable nfs
systemctl start nfs

Check the NFS service status again.

Step 3 Configure an NFS shared directory.

Create a shared directory /data and check whether the creation is successful. The shared
directory will be mounted and accessed by clients on other ECSs.

mkdir /data
ls /

Edit the /etc/exports configuration file to allow access from any clients.

/data *(rw,sync,no_root_squash)

After the configuration is complete, restart the nfs service.

systemctl restart nfs

Check whether the shared directory exists.

showmount -e

Step 4 Configure the client.

Log in to ECS Client01 and install the nfs-utils and rpcbind services by referring to Step 2.

In this lab, Client01 and ecs-nfs are on the same network and are mutually reachable.

Proceed to Step 5. If the ECSs cannot reach each other, establish connectivity between
them before performing subsequent operations.

Step 5 Mount the shared directory to the client.

On Client01, create mount point /mnt/data.

mkdir /mnt/data

Check whether the shared directory is available on ecs-nfs.

showmount -e 192.168.1.10

If the shared directory exists, mount it to the /mnt/data directory on the client.

mount -t nfs 192.168.1.10:/data /mnt/data



Successful mounting produces no output. Run the df -h command to check the status of
storage on Client01.

Step 6 Use the NFS shared directory on the client.

On Client01, enter the mount point and create file01 in the shared directory.

Write “This is from Client01!” in file01.

On ecs-nfs, go to the /data directory and check whether the preceding operation is
successful.

Log in to Client02 and repeat steps 4 and 5 to mount the NFS shared directory.

Step 7 Access files in the shared directory from a client.

On Client02, go to the mount directory and view files in the directory.

Modify file01 as follows:

On Client01, check the file content.

You can see that the file has been modified.

Step 8 Configure access control on the NFS shared directory.

On ecs-nfs, modify the /etc/exports file to refine client access permissions and restart
the NFS service.

/data 192.168.1.21/32(rw,sync,no_root_squash)
/data 192.168.1.22/32(ro)

On Client01, modify file01 in the shared directory as follows.

On Client02, modify file01 in the shared directory as follows.

You can see that Client02 has only the read-only permission on the file and cannot
modify it. Try creating files in the shared directory. You can see that Client02 does not
have the permission to create files, while Client01 does.
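The difference between Step 3 (`*` with rw and no_root_squash) and Step 8 (per-client /32 entries) can be checked without mounting anything, by evaluating /etc/exports the way mountd matches a client. The script below is an added example, not part of the lab guide: it handles IP addresses, networks and `*` only (hostnames and netgroups are not resolved), applies the match precedence documented in exports(5), and the extra MIXED_EXPORTS fragment is constructed to show that precedence.

```python
"""Evaluate /etc/exports for a given client and flag permissive options.

Added example, not part of the lab guide. Handles IP specs only; hostnames
and netgroups are not resolved. STEP3_EXPORTS and STEP8_EXPORTS are the
lab's lines; MIXED_EXPORTS is constructed."""
import fnmatch
import ipaddress
import re

STEP3_EXPORTS = "/data *(rw,sync,no_root_squash)\n"
STEP8_EXPORTS = "/data 192.168.1.21/32(rw,sync,no_root_squash)\n/data 192.168.1.22/32(ro)\n"
MIXED_EXPORTS = "/data 192.168.1.0/24(ro) 192.168.1.21(rw)   # constructed\n"


def spec_rank(spec):
    """Precedence per exports(5): single host, IP network, wildcard, then '*'."""
    if spec == "*":
        return 3
    if "/" in spec:
        return 1
    if any(c in spec for c in "*?[]"):
        return 2
    return 0


def spec_matches(spec, client_ip):
    ip = ipaddress.ip_address(client_ip)
    if spec == "*":
        return True
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if any(c in spec for c in "*?[]"):
        return fnmatch.fnmatchcase(str(ip), spec)   # wildcard against the IP literal
    try:
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        return False                                 # hostname/netgroup: not resolved here


def parse_exports(text):
    """Return {path: [(client_spec, [options]), ...]} in line order."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for token in rest.split():
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", token)
            if not m:
                raise ValueError(f"bad export token: {token!r}")
            spec = m.group(1) or "*"                 # bare "(ro)" applies to everyone
            opts = m.group(2).split(",") if m.group(2) else []
            exports.setdefault(path, []).append((spec, opts))
    return exports


def effective_access(text, path, client_ip):
    """Access the client gets on `path`, or None if no spec matches."""
    candidates = [(s, o) for s, o in parse_exports(text).get(path, [])
                  if spec_matches(s, client_ip)]
    if not candidates:
        return None
    # min() is stable, so among equal ranks the first-listed spec wins, as exports(5) states.
    spec, opts = min(candidates, key=lambda c: spec_rank(c[0]))
    return {
        "spec": spec,
        "access": "rw" if "rw" in opts else "ro",          # default is ro
        "root_squash": "no_root_squash" not in opts,       # default squashes root
    }


def audit(text):
    """Warnings for options that grant more than a client-restricted, root-squashed share."""
    warnings = []
    for path, specs in parse_exports(text).items():
        for spec, opts in specs:
            if spec == "*" and "rw" in opts:
                warnings.append(f"{path}: writable by any client ({spec})")
            if "no_root_squash" in opts:
                warnings.append(f"{path}: {spec} keeps remote root as uid 0 (no_root_squash)")
            if "insecure" in opts:
                warnings.append(f"{path}: {spec} accepts unprivileged source ports (insecure)")
    return warnings


if __name__ == "__main__":
    for ip in ("192.168.1.21", "192.168.1.22", "192.168.1.23"):
        print(ip, effective_access(STEP8_EXPORTS, "/data", ip))
    print(audit(STEP3_EXPORTS))
```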

Step 9 Set automatic mounting upon system startup.

Restart Client01 and check its storage information.

After the restart, the shared directory is unmounted. Configure automatic mounting.
On Client01, add the following content to the /etc/fstab file, and save the file.

192.168.1.10:/data /mnt/data nfs defaults 0 0

Restart Client01 again and check its storage information. You can see that the shared
directory is automatically mounted.

1.2 SAN Storage


1.2.1 Introduction
In this lab, you will reuse Client01 and Client02 from the NFS storage management lab
as clients to run initiator processes. You will also create a separate ECS to simulate setup
and usage of IP-SAN storage. Lab operations include:
⚫ IP-SAN storage server setup
⚫ Client setup and storage mounting
⚫ Shared storage access and read/write

1.2.2 Networking
This lab involves three ECSs: Client01 and Client02 (from the NFS storage management
lab) as clients, and a separate ECS as the simulated IP-SAN storage. The following figure
shows the networking.

ECS Name   IP Address     Remarks      Specifications (all three ECSs)
ecs-san    192.168.1.3    SAN server   OS: openEuler 22.03 LTS
Client01   192.168.1.21   Reused       Password: Set a password as needed.
Client02   192.168.1.22   Reused       Flavor: 2 vCPUs | 4 GB
                                       System drive: 40 GB
                                       Data drive: 10 GB
                                       Each ECS is bound to an EIP.

1.2.3 Procedure
Step 1 Log in to the Huawei Cloud official website and create ECS ecs-san.

Step 2 Install the iSCSI software package on the SAN server.

Log in to ecs-san and install the target software package.

yum -y install scsi-target-utils

Check the generated files.

rpm -ql scsi-target-utils

Start the target service and enable it to automatically start upon system startup.

systemctl start tgtd
systemctl enable tgtd

Check the service status and open ports.

systemctl status tgtd
netstat -tnlp | grep 3260

Step 3 Create a target using the tgtadm command.

On ecs-san, run the following command to create a target:

tgtadm --lld iscsi --mode target --op new --tid 1 --targetname iqn.2023-04.com.openeuler:target1

View information about the created target. This example uses short options, while other
examples in this lab use long options. Use whichever format you prefer.

tgtadm -L iscsi -m target -o show

In the information about the created target, you can see that a logical unit with logical
unit number (LUN) 0 is automatically created. LUN 0 is created for each target and acts
as the controller. backing store type is null, indicating that the logical unit has no
underlying logical device.
Add a logical unit for the target. A data drive has been added during ecs-san creation.
Check the location of the drive.

fdisk -l

A 10 GB drive /dev/vdb is displayed. You can either add the entire drive as a logical unit
to target1, or partition the drive and add a partition as a logical unit.

tgtadm --lld iscsi --mode logicalunit --op new --tid 1 --lun 1 --backing-store /dev/vdb

Check the target information.

tgtadm --lld iscsi --mode target --op show

You can see that LUN 1 has been added to target1. LUN 1 is a readable and writable
(rdwr) device of the disk type and has logical device /dev/vdb. However, the Account
information and ACL information fields are still empty, indicating that the target is not
shared.

Step 4 Configure sharing.

Bind an IP address to target1 to allow the IP address to connect to target1. The
following command allows Client01 to connect to target1.

tgtadm --lld iscsi --mode target --op bind --tid 1 --initiator-address 192.168.1.21

Check the target information again.

tgtadm --lld iscsi --mode target --op show

ACL information of target1 becomes 192.168.1.21.

⚫ Question: Can you allow different IP addresses to access distinct LUNs by binding
LUNs of the same target to different IP addresses?
⚫ Answer: No. IP address-based sharing is at the target level. The bound IP address can
access all LUNs of target1.

Step 5 Configure the connection on the client.

Log in to Client01 and install iscsi-initiator-utils.

yum -y install iscsi-initiator-utils

Start the iscsid service.

systemctl start iscsid
systemctl status iscsid
systemctl enable iscsid

Step 6 Discover and connect to the target.

On Client01, run the following command to discover the target:

iscsiadm -m discovery -t sendtargets -p 192.168.1.3

Step 7 Associate and disassociate the target.

Create a session between the initiator and target by associating the target. This session
enables the initiator to view, access, and operate SCSI devices of the target.
On Client01, run the following command to associate all discovered targets:

iscsiadm -m node -L all

Run the fdisk -l command to check the drive list.

On ecs-san, run the following command to check the connection status:

tgtadm --lld iscsi --op show --mode target

The I_T nexus information shows the connections between initiators and the LUNs of the
target. The nexus value is the number of times the target has been associated.
Run the following command to disassociate the target:

iscsiadm -m node -T iqn.2023-04.com.openeuler:target1 -u

Run the following command to associate target 1 again:

iscsiadm -m node -T iqn.2023-04.com.openeuler:target1 -p 192.168.1.3 -l

Run the fdisk -l command to check the drive list again.

Check the connection status.

iscsiadm -m session

Step 8 Format the drive.

On Client01, check the drive name, format the drive, and write a file to it.

fdisk -l

mkfs.ext4 /dev/sda

Check the drive format.

blkid /dev/sda

⚫ Question: If you format a server drive through a client-side operation, will the
changes be reflected on the server as well?
⚫ Answer: Yes. The drive format information on ecs-san is as follows.

blkid /dev/vdb

The drive format is ext4, indicating that the drive on the SAN is formatted.

Step 9 Mount and use the drive.

On Client01, create a directory.

mkdir /mnt/san

Mount the drive to the directory.

mount /dev/sda /mnt/san
df -h

In /mnt/san, create file test.txt and write This is from Client01 into it.

On ecs-san, bind the IP address of Client02 to target1.

tgtadm --lld iscsi --mode target --op bind --tid 1 --initiator-address 192.168.1.22

Log in to Client02 and repeat steps 5 to 7 to connect to target1.

On ecs-san, run the following command to check the connection status:

tgtadm --lld iscsi --op show --mode target

Two I_T nexus records are displayed, each corresponding to a distinct initiator.

On Client02, check the drive information.

lsblk

Create a directory.

mkdir /mnt/san

Mount drive /dev/sda to the directory.

mount /dev/sda /mnt/san

Check files in the mounted directory. The file created by Client01 exists.

On Client02, go to /mnt/san/, create file test1.txt, and write This is from Client02 to it.

On Client01, check the content of /mnt/san. You can see that the data is not
synchronized.

On Client01, create file test2.txt.

echo "This is from Client01 again" > test2.txt
cat test2.txt

On Client02, unmount /mnt/san and mount it again. You can see that test1.txt is lost.

The logical storage device is accessed by multiple hosts simultaneously. As a result, data
may conflict and cannot be synchronized in a timely manner, causing data loss.
⚫ Question: When multiple hosts access a logical storage device simultaneously, how
do you keep data synchronized and prevent data loss?
⚫ Answer: Configure a cluster or distributed file system for iSCSI to ensure data
synchronization and loss prevention.

Step 10 Unmount the drive and disconnect the clients from the target.

On Client01, unmount /dev/sda.

umount /mnt/san
df -h

Disconnect from target1.

iscsiadm -m node -T iqn.2023-04.com.openeuler:target1 -u
iscsiadm -m session

On Client02, repeat the operations to unmount the drive and disconnect from target1.

Step 11 Delete the target on the server.

On ecs-san, check the target information. No connection exists.

Delete the connection addresses, logical unit, and target1 in sequence.

tgtadm --lld iscsi --mode target --op unbind --tid 1 --initiator-address 192.168.1.21
tgtadm --lld iscsi --mode target --op unbind --tid 1 --initiator-address 192.168.1.22
tgtadm --lld iscsi --mode logicalunit --op delete --tid 1 --lun 1
tgtadm --lld iscsi --mode target --op show

Run the following command to delete target1:

tgtadm --lld iscsi --mode target --op delete --tid 1

Step 12 Create a target using the target configuration file.

Configurations set by the tgtadm command are saved in the memory and will be lost
when the tgt service or system restarts. To make the configurations persistent, save them
to the configuration file.
The default target configuration file is /etc/tgt/targets.conf.
On ecs-san, add the following content to the end of /etc/tgt/targets.conf, save the file,
and exit.

<target iqn.2023-04.com.openeuler:target2> # Start creation. Edit the target and IQN.
    backing-store /dev/vdb # Add a drive.
    initiator-address 192.168.1.0/24 # Allow connections from subnet 192.168.1.0/24.
</target> # End target creation.

Restart the tgtd service and check the target information.

systemctl restart tgtd
tgtadm --lld iscsi --op show --mode target

On Client01, connect to and mount the target. Then, test the connection.
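Before restarting tgtd with an edited targets.conf, it is worth checking what each stanza actually exposes. The script below is an added example, not the lab's or tgt's own tooling: it parses stanzas of the form used above and reports, per target, whether a backing store is present, whether the initiator-address ACL is missing (tgt-admin then binds the target to ALL) or covers a whole subnet rather than a single host as in Step 4, and whether CHAP is configured through the tgt incominguser directive. The sample file reuses the target2 stanza above; target3 and target4, their backing devices and the CHAP placeholder are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab guide): review a tgt targets.conf before
# restarting tgtd. The sample reuses the lab's target2 stanza and adds two
# constructed stanzas (target3, target4) so that each check fires.

# audit_targets_conf FILE
# Prints "<iqn> <findings>" per <target> stanza; findings is a comma-separated
# list of problems or "ok".
audit_targets_conf() {
    sed -e 's/#.*//' "$1" | awk '
        /^[[:space:]]*<target[[:space:]]/ {
            name = $2; sub(/>.*/, "", name)
            stores = 0; acls = 0; chap = 0; findings = ""
            next
        }
        /^[[:space:]]*<\/target>/ {
            if (stores == 0) findings = findings "no-backing-store,"
            # tgt-admin binds a stanza without initiator-address to ALL initiators.
            if (acls == 0) findings = findings "no-initiator-acl,"
            # incominguser enables CHAP; without it any allowed address may log in.
            if (chap == 0) findings = findings "no-chap,"
            if (findings == "") findings = "ok"; else findings = substr(findings, 1, length(findings) - 1)
            print name, findings
            next
        }
        $1 == "backing-store" || $1 == "direct-store" { stores++ }
        $1 == "initiator-address" {
            acls++
            if ($2 == "ALL") findings = findings "initiator-address-all,"
            else if ($2 ~ /\/[0-9]+$/) {
                split($2, c, "/")
                # A prefix shorter than /32 admits every host on that subnet.
                if (c[2] + 0 < 32) findings = findings "subnet-initiator,"
            }
        }
        $1 == "incominguser" { chap++ }
    '
}

TARGETS_SAMPLE=$(mktemp)
trap 'rm -f "$TARGETS_SAMPLE"' EXIT
cat > "$TARGETS_SAMPLE" <<'EOF'
default-driver iscsi

<target iqn.2023-04.com.openeuler:target2>
    backing-store /dev/vdb
    initiator-address 192.168.1.0/24
</target>

# Constructed: one host, CHAP enabled (credentials are placeholders).
<target iqn.2023-04.com.openeuler:target3>
    backing-store /dev/vdc
    initiator-address 192.168.1.21
    incominguser labuser CHANGE_ME_PASSWORD
</target>

# Constructed: no ACL at all.
<target iqn.2023-04.com.openeuler:target4>
    backing-store /dev/vdd
</target>
EOF

audit_targets_conf "$TARGETS_SAMPLE"
```

The lab's target2 is reported as subnet-initiator,no-chap: every host in 192.168.1.0/24 can log in without authentication, which is convenient for a lab but is the scope to narrow first on a shared network, for example back to the per-host bindings used with tgtadm in Step 4.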

Step 13 Enable the client to automatically mount the SAN storage upon system startup.

By default, the storage mounting configuration is lost after a client is restarted, and
manual remounting is required. Configuring automatic mounting at startup streamlines
operations and enhances user experience.
On Client01, check whether the mounted directory still exists after the restart.

The mount point does not exist.

Check the drive information. The drive is not connected. Reconnect and log in to the
target.

Run the following command to enable automatic login upon system startup:

iscsiadm -m node -T iqn.2023-04.com.openeuler:target2 -p 192.168.1.3 --op update -n node.startup -v automatic

Remount drive /dev/sda to mount point /mnt/san.

Add the following content to /etc/fstab and save the file:

/dev/sda /mnt/san ext4 defaults,_netdev 0 0

Restart Client01 again and check whether the drive is mounted.
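Both fstab lines in this guide, the NFS line from the NFS lab and the ext4 line above, mount storage that is not available until the network and, for iSCSI, the initiator login are up. The following script is an added example and not part of the lab guide: check_fstab_line reports an entry that references a network-backed block device by kernel name (an iSCSI LUN can appear as a different /dev/sdX after a reboot, whereas the UUID shown by blkid is stable), that has fsck enabled on such a device, or that has the wrong number of fields. The fstab sample and the UUID in it are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab guide): sanity-check /etc/fstab entries
# for storage that only becomes available after the network (NFS) or after
# the iSCSI initiator has logged in. The fstab sample and its UUID are
# constructed; the first two entries are the ones used in this guide.

# check_fstab_line LINE
# Prints "ok" or a comma-separated list of findings for one fstab entry.
check_fstab_line() {
    # Word-split the entry into its six fields.
    set -- $1
    if [ "$#" -ne 6 ]; then
        echo "bad-field-count"
        return 0
    fi
    dev=$1; fstype=$3; opts=$4; passno=$6
    findings=""
    case ",$opts," in
        *,_netdev,*) netdev=1 ;;
        *)           netdev=0 ;;
    esac
    case "$fstype" in
        nfs|nfs4|cifs)
            # Network filesystems are ordered after the network by systemd itself,
            # so the NFS entry needs no _netdev.
            ;;
        *)
            case "$dev" in
                /dev/sd*|/dev/vd*)
                    # Kernel names depend on enumeration order: an iSCSI LUN can come
                    # up as a different /dev/sdX after a reboot, so a network-backed
                    # block device should be referenced by UUID= or LABEL= (see blkid).
                    if [ "$netdev" -eq 1 ]; then
                        findings="$findings,unstable-device-name"
                    fi
                    ;;
            esac
            # A non-zero pass number runs fsck on the device at boot; for a device
            # that is only present after login this adds a dependency that can
            # delay or fail the boot, so keep it at 0 as the lab does.
            if [ "$netdev" -eq 1 ] && [ "$passno" != "0" ]; then
                findings="$findings,fsck-on-netdev"
            fi
            ;;
    esac
    if [ -z "$findings" ]; then echo ok; else echo "${findings#,}"; fi
}

# check_fstab FILE: one "<mount point> <findings>" line per entry.
check_fstab() {
    file=$1
    sed -e 's/#.*//' "$file" | while read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        printf '%s %s\n' "$2" "$(check_fstab_line "$line")"
    done
}

FSTAB_SAMPLE=$(mktemp)
trap 'rm -f "$FSTAB_SAMPLE"' EXIT
cat > "$FSTAB_SAMPLE" <<'EOF'
# constructed fstab sample
192.168.1.10:/data /mnt/data nfs defaults 0 0
/dev/sda /mnt/san ext4 defaults,_netdev 0 0
UUID=0000-CONSTRUCTED-UUID /mnt/san2 ext4 defaults,_netdev 0 2
/dev/vdb1 /exp/vdb1 xfs defaults 0 0
EOF

check_fstab "$FSTAB_SAMPLE"
```

The lab's own /dev/sda line is flagged as unstable-device-name: it works on Client01 because a single LUN is attached, but replacing /dev/sda with the UUID= value printed by blkid in Step 8 keeps the entry valid if another disk is ever attached first.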



2 GlusterFS Distributed Storage

2.1 Introduction
In this lab, you will use ECSs as storage nodes to set up a GlusterFS cluster and create
different types of volumes for client access. Lab operations include:
⚫ GlusterFS server cluster setup
⚫ GlusterFS client setup
⚫ Creation and usage of different types of volumes
⚫ Cluster and volume management

2.2 Networking
This lab involves seven ECSs. You can reuse Client01 from the shared storage
management lab and create six additional ECSs as storage nodes to form a GlusterFS
distributed storage cluster. The following figure shows the topology.

ECS Name   IP Address     Drives                            Remarks
node1      192.168.1.31   /dev/vdb1, vdb2, vdb3: 2G each    /exp/vdb1: for the distributed volume
                          /dev/vdb4: 5G                     /exp/vdb2: for the replicated volume
                          /dev/vdb5, vdb6: 2G each          /exp/vdb3: for the distributed replicated volume
                                                            /exp/vdb5: for the dispersed volume
                                                            /exp/vdb6: for the distributed dispersed volume
node2      192.168.1.32   /dev/vdb1, vdb2, vdb3: 2G each    /exp/vdb1: for the distributed volume
                          /dev/vdb4: 5G                     /exp/vdb2: for the replicated volume
                          /dev/vdb5, vdb6: 2G each          /exp/vdb3: for the distributed replicated volume
                                                            /exp/vdb5: for the dispersed volume
                                                            /exp/vdb6: for the distributed dispersed volume
node3      192.168.1.33   /dev/vdb1, vdb2, vdb3: 2G each    /exp/vdb2: for the replicated volume
                          /dev/vdb4: 5G                     /exp/vdb3: for the distributed replicated volume
                          /dev/vdb5, vdb6: 2G each          /exp/vdb5: for the dispersed volume
                                                            /exp/vdb6: for the distributed dispersed volume
node4      192.168.1.34   /dev/vdb1, vdb2, vdb3: 2G each    /exp/vdb1: for the test volume
                          /dev/vdb4: 5G                     /exp/vdb3: for the distributed replicated volume
                          /dev/vdb5, vdb6: 2G each          /exp/vdb6: for the distributed dispersed volume
node5      192.168.1.35   /dev/vdb1, vdb2, vdb3: 2G each    /exp/vdb1: for the test volume
                          /dev/vdb4: 5G                     /exp/vdb6: for the distributed dispersed volume
                          /dev/vdb5, vdb6: 2G each
node6      192.168.1.36   /dev/vdb1, vdb2, vdb3: 2G each    /exp/vdb6: for the distributed dispersed volume
                          /dev/vdb4: 5G
                          /dev/vdb5, vdb6: 2G each
Client01   192.168.1.21   Drive: 40 GB                      Reused

Specifications of node1 to node6: OS: openEuler 22.03 LTS; Password: Set a password as
needed; Flavor: 1 vCPU | 2 GB; System drive: 40 GB; Data drive: 11 GB. Each ECS is bound
to an EIP.
Specifications of Client01: OS: openEuler 22.03 LTS; Password: Set a password as needed;
Flavor: 2 vCPUs | 4 GB; Drive: 40 GB. Each ECS is bound to an EIP.

2.3 Procedure
Step 1 Log in to Huawei Cloud and create six ECSs based on the resource information.

Step 2 Partition the data drive.

Log in to node1 and check the drive status.

Partition drive /dev/vdb into /dev/vdb1, /dev/vdb2, /dev/vdb3, /dev/vdb4, /dev/vdb5,
and /dev/vdb6. /dev/vdb1, /dev/vdb2, and /dev/vdb3 are primary partitions. /dev/vdb4 is a
5 GB extended partition. /dev/vdb5 and /dev/vdb6 are 2 GB logical partitions.

Format the created partitions.

mkfs.xfs /dev/vdb1
mkfs.xfs /dev/vdb2
mkfs.xfs /dev/vdb3
mkfs.xfs /dev/vdb5
mkfs.xfs /dev/vdb6

After the formatting is complete, check the drive types.

Step 3 Mount the partitions.

Create mount points for the partitions.

mkdir -p /exp/vdb1 /exp/vdb2 /exp/vdb3 /exp/vdb5 /exp/vdb6

Mount the partitions to the corresponding mount points.

mount /dev/vdb1 /exp/vdb1
mount /dev/vdb2 /exp/vdb2
mount /dev/vdb3 /exp/vdb3
mount /dev/vdb5 /exp/vdb5
mount /dev/vdb6 /exp/vdb6

Edit fstab to enable automatic mounting upon system startup.

echo "/dev/vdb1 /exp/vdb1 xfs defaults 0 0" >> /etc/fstab
echo "/dev/vdb2 /exp/vdb2 xfs defaults 0 0" >> /etc/fstab
echo "/dev/vdb3 /exp/vdb3 xfs defaults 0 0" >> /etc/fstab
echo "/dev/vdb5 /exp/vdb5 xfs defaults 0 0" >> /etc/fstab
echo "/dev/vdb6 /exp/vdb6 xfs defaults 0 0" >> /etc/fstab

Create a subdirectory in each mount point as a brick of GlusterFS.

mkdir -p /exp/vdb1/brick /exp/vdb2/brick /exp/vdb3/brick /exp/vdb5/brick /exp/vdb6/brick

Step 4 Edit the /etc/hosts file to set host name mapping for each storage node.

echo "192.168.1.31 node1" >> /etc/hosts
echo "192.168.1.32 node2" >> /etc/hosts
echo "192.168.1.33 node3" >> /etc/hosts
echo "192.168.1.34 node4" >> /etc/hosts
echo "192.168.1.35 node5" >> /etc/hosts
echo "192.168.1.36 node6" >> /etc/hosts

Step 5 Install the GlusterFS server software package.

Run the following commands to install the GlusterFS server and start the service:

yum -y install glusterfs-server
systemctl start glusterd
systemctl enable glusterd

Step 6 Repeat steps 2 to 4 on node2, node3, node4, node5, and node6.

Step 7 Configure the GlusterFS trusted storage pool (trusted pool).

On node1, add other nodes to the trusted pool.

gluster peer probe node2
gluster peer probe node3
gluster peer probe node4
gluster peer probe node5
gluster peer probe node6

Check the trusted pool status.

gluster peer status

Check the list of nodes in the trusted pool.

node1, node2, node3, node4, node5 and node6 have joined the trusted pool. You can
also query the trusted pool status and node list on other nodes.

Step 8 Create a test volume.

Use /exp/vdb1/brick on node4 and /exp/vdb1/brick on node5 to create a simple replicated
volume test-volume for testing client mounting.

gluster volume create test-volume replica 2 node4:/exp/vdb1/brick node5:/exp/vdb1/brick

Check volume information.

gluster volume info

The status of test-volume is Created, and the bricks of the volume are displayed. Start
the volume and check the volume information again.

gluster volume start test-volume

The volume status changes to Started.

Step 9 Install the client.

Log in to Client01 and run the following command to install the client service:

yum install -y glusterfs glusterfs-fuse

Edit /etc/hosts to set host name mapping for each storage node.

echo "192.168.1.31 node1" >> /etc/hosts
echo "192.168.1.32 node2" >> /etc/hosts
echo "192.168.1.33 node3" >> /etc/hosts
echo "192.168.1.34 node4" >> /etc/hosts
echo "192.168.1.35 node5" >> /etc/hosts
echo "192.168.1.36 node6" >> /etc/hosts

Step 10 Mount the volume to the client.

On Client01, create the /mnt/gfs/test directory for mounting test-volume.

mkdir -p /mnt/gfs/test

Mount the volume.

mount -t glusterfs node1:test-volume /mnt/gfs/test

In /mnt/gfs/test, create file test.txt and write This is from Client01 into it.

cd /mnt/gfs/test
echo "This is from Client01" > test.txt

On node4 and node5, check the content of /exp/vdb1/brick.

The same file exists in the bricks on the two nodes, indicating that replicated volume
test-volume is successfully mounted and has two replicas.

Step 11 Create and use a distributed volume.

A GlusterFS distributed volume stores created files in different bricks randomly. Create
and start distributed volume gv-dis.

gluster volume create gv-dis node1:/exp/vdb1/brick node2:/exp/vdb1/brick
gluster volume start gv-dis

Check the volume list.

gluster volume list

On Client01, create mount point /mnt/gfs/dis and mount gv-dis to it.

mkdir -p /mnt/gfs/dis
mount -t glusterfs node1:gv-dis /mnt/gfs/dis

gv-dis contains two 2 GB bricks. The size of the mounted gv-dis volume is 4 GB, which is
the sum of the capacities of the two bricks.
Write five files into /mnt/gfs/dis.

dd if=/dev/zero of=/mnt/gfs/dis/test1.txt bs=1M count=40


dd if=/dev/zero of=/mnt/gfs/dis/test2.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dis/test3.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dis/test4.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dis/test5.txt bs=1M count=40

On node1 and node2, check the content of /exp/vdb1/brick.

The five files are distributed in different bricks, and each file can exist in only one brick.

Step 12 Create and use a replicated volume.

Use /exp/vdb2/brick on node1, node2, and node3 to create a volume gv-rep with three
replicas by referring to the networking information and Step 8.

gluster volume create gv-rep replica 3 node1:/exp/vdb2/brick node2:/exp/vdb2/brick node3:/exp/vdb2/brick
gluster volume start gv-rep

On Client01, mount gv-rep to /mnt/gfs/rep.

gv-rep contains three 2 GB bricks. The size of the mounted gv-rep volume is 2 GB, which
is a third of the total size.
Write five files into /mnt/gfs/rep.

dd if=/dev/zero of=/mnt/gfs/rep/test1.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/rep/test2.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/rep/test3.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/rep/test4.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/rep/test5.txt bs=1M count=40

On node1, node2, and node3, check the content of /exp/vdb2/brick.

In this replicated volume, each brick stores a replica of the files.

Step 13 Create and use a distributed replicated volume.

Use four bricks to create volume gv-disrep based on the networking information.

gluster volume create gv-disrep replica 2 node1:/exp/vdb3/brick node2:/exp/vdb3/brick node3:/exp/vdb3/brick node4:/exp/vdb3/brick
gluster volume start gv-disrep

The command for creating the distributed replicated volume is similar to that for the
replicated volume, differing only in the number of replicas and added bricks.
On Client01, mount gv-disrep to /mnt/gfs/disrep.

mkdir -p /mnt/gfs/disrep
mount -t glusterfs node1:gv-disrep /mnt/gfs/disrep

gv-disrep contains four 2 GB bricks. The size of the mounted gv-disrep volume is 4 GB,
which is half of the total capacity. The other half holds the replicas.
Write five files into /mnt/gfs/disrep.

dd if=/dev/zero of=/mnt/gfs/disrep/test1.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disrep/test2.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disrep/test3.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disrep/test4.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disrep/test5.txt bs=1M count=40

On node1, node2, node3, and node4, check the content of /exp/vdb3/brick.

The bricks on node1 and node2 are replicas of each other, as are the bricks on node3
and node4. This is because when a distributed replicated volume is created, two adjacent
bricks become replicas of each other.

Step 14 Create and use a dispersed volume.

Dispersed volumes stripe the encoded data of files, add some redundancy, and store
them across multiple bricks in the volume. Use /exp/vdb5/brick on node1, node2, and
node3 to create dispersed volume gv-disp by referring to the networking information.
Divide each file into three stripes, including two for storage and one for redundancy.

gluster volume create gv-disp disperse 3 redundancy 1 node1:/exp/vdb5/brick node2:/exp/vdb5/brick node3:/exp/vdb5/brick
gluster volume start gv-disp

On Client01, mount gv-disp to /mnt/gfs/disp.

mkdir -p /mnt/gfs/disp
mount -t glusterfs node1:gv-disp /mnt/gfs/disp

gv-disp contains three 2 GB bricks. The size of the mounted gv-disp volume is 4 GB,
which means that 2 GB is used for redundancy.
Write five files into /mnt/gfs/disp.

dd if=/dev/zero of=/mnt/gfs/disp/test1.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disp/test2.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disp/test3.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disp/test4.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/disp/test5.txt bs=1M count=40

On node1, node2, and node3, check the content of /exp/vdb5/brick.

Each TXT file is divided into two data blocks and then encoded into three blocks that are
distributed across different bricks.

Step 15 Create and use a distributed dispersed volume.

Distributed dispersed and distributed replicated volumes both distribute data across
nodes, but differ in the order of operations. Distributed replicated volumes first distribute,
then replicate, while distributed dispersed volumes first disperse, then distribute. Use
/exp/vdb6/brick on node1, node2, node3, node4, node5, and node6 to create distributed
dispersed volume gv-dd. Divide each file into three stripes, including two for storage and
one for redundancy.

gluster volume create gv-dd disperse 3 redundancy 1 node1:/exp/vdb6/brick node2:/exp/vdb6/brick node3:/exp/vdb6/brick node4:/exp/vdb6/brick node5:/exp/vdb6/brick node6:/exp/vdb6/brick
gluster volume start gv-dd

On Client01, mount gv-dd to /mnt/gfs/dd.

mkdir -p /mnt/gfs/dd
mount -t glusterfs node1:gv-dd /mnt/gfs/dd

gv-dd contains six 2 GB bricks. The size of the mounted gv-dd volume is 8 GB, which
means that 4 GB is used for redundancy.
Write five files into /mnt/gfs/dd.

dd if=/dev/zero of=/mnt/gfs/dd/test1.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dd/test2.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dd/test3.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dd/test4.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dd/test5.txt bs=1M count=40

On node1, node2, node3, node4, node5, and node6, check the content of /exp/vdb6/brick.

Files are distributed in two dispersed volumes. One volume consists of node1, node2, and
node3, the other of node4, node5, and node6. In each dispersed volume, a file is divided
into two blocks, encoded into three blocks using erasure coding, and then stored in
different bricks.
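Steps 11 to 15 each create a volume and then observe its usable size on the client. The script below is an added example, not the lab's or GlusterFS's own code: plan_volume parses a gluster volume create command line of the form used above, checks that the brick count is a multiple of the replica or disperse count (GlusterFS refuses the command otherwise) and that redundancy is smaller than the disperse count, and predicts the volume type, the number of subvolumes and the usable capacity for a given brick size. With 2 GB bricks it reproduces the 4, 2, 4, 4 and 8 GB seen on Client01 above. The last two commands in the loop, one with a mismatched brick count and one with a misspelled keyword, are constructed mistakes.

```shell
#!/bin/sh
# Added example (not part of the lab guide): check a "gluster volume create"
# command line before running it and predict the usable capacity of the volume.
# Brick size is passed in (all lab bricks are 2 GB); the volume names and brick
# paths are the lab's, the two failing commands at the end are constructed.

# plan_volume "gluster volume create ..." BRICK_GB
# Prints "<name> <type> subvolumes=<n> usable_gb=<g>", or "error: ..." with exit 1.
plan_volume() {
    printf '%s\n' "$1" | awk -v gb="$2" '{
        if ($1 != "gluster" || $2 != "volume" || $3 != "create") {
            print "error: not a gluster volume create command"; exit 1
        }
        name = $4; rep = 1; disp = 0; red = -1; bricks = 0; i = 5
        while (i <= NF) {
            if ($i == "replica")         { rep  = $(i + 1) + 0; i += 2 }
            else if ($i == "disperse")   { disp = $(i + 1) + 0; i += 2 }
            else if ($i == "redundancy") { red  = $(i + 1) + 0; i += 2 }
            else if ($i == "transport")  { i += 2 }
            else if ($i == "force")      { i++ }
            else if ($i ~ /^[^:]+:\//)   { bricks++; i++ }   # host:/path is a brick
            else { print "error: unknown token \"" $i "\""; exit 1 }
        }
        if (bricks == 0) { print "error: no bricks given"; exit 1 }
        if (disp > 0 && red < 0) { print "error: give redundancy explicitly for disperse"; exit 1 }
        if (disp > 0 && red >= disp) { print "error: redundancy must be smaller than disperse count"; exit 1 }
        # Bricks are consumed in groups of <replica> or <disperse>; each group is
        # one subvolume, so the brick count must be a multiple of the group size.
        group = (disp > 0) ? disp : rep
        if (bricks % group != 0) {
            print "error: " bricks " bricks is not a multiple of " group; exit 1
        }
        nsub = bricks / group
        if (disp > 0) {
            type = (nsub > 1) ? "distributed-dispersed" : "dispersed"
            usable = bricks * gb * (disp - red) / disp   # redundancy bricks hold parity
        } else if (rep > 1) {
            type = (nsub > 1) ? "distributed-replicated" : "replicated"
            usable = bricks * gb / rep                   # every replica holds a full copy
        } else {
            type = "distributed"
            usable = bricks * gb                         # capacities simply add up
        }
        printf "%s %s subvolumes=%d usable_gb=%g\n", name, type, nsub, usable
    }'
}

# The five lab volumes (2 GB bricks) followed by two constructed mistakes.
for cmd in \
  "gluster volume create gv-dis node1:/exp/vdb1/brick node2:/exp/vdb1/brick" \
  "gluster volume create gv-rep replica 3 node1:/exp/vdb2/brick node2:/exp/vdb2/brick node3:/exp/vdb2/brick" \
  "gluster volume create gv-disrep replica 2 node1:/exp/vdb3/brick node2:/exp/vdb3/brick node3:/exp/vdb3/brick node4:/exp/vdb3/brick" \
  "gluster volume create gv-disp disperse 3 redundancy 1 node1:/exp/vdb5/brick node2:/exp/vdb5/brick node3:/exp/vdb5/brick" \
  "gluster volume create gv-dd disperse 3 redundancy 1 node1:/exp/vdb6/brick node2:/exp/vdb6/brick node3:/exp/vdb6/brick node4:/exp/vdb6/brick node5:/exp/vdb6/brick node6:/exp/vdb6/brick" \
  "gluster volume create bad1 replica 2 node1:/exp/vdb1/brick node2:/exp/vdb1/brick node3:/exp/vdb1/brick" \
  "gluster volume create bad2 replic 3 node1:/exp/vdb2/brick node2:/exp/vdb2/brick node3:/exp/vdb2/brick"
do
    plan_volume "$cmd" 2 || true
done
```

The subvolume count also explains the brick pairing observed in Step 13: with replica 2 and four bricks, GlusterFS forms two subvolumes from adjacent bricks on the command line, so node1 and node2 mirror each other and node3 and node4 mirror each other.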

Step 16 Add a brick to a volume.

Add a brick to a distributed volume. Run the following command to add /exp/vdb1/brick
on node3 to the gv-dis volume:

gluster volume add-brick gv-dis node3:/exp/vdb1/brick

The brick has been added. On Client01, check the volume capacity.

Create three files in /mnt/gfs/dis.

dd if=/dev/zero of=/mnt/gfs/dis/add1.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dis/add2.txt bs=1M count=40
dd if=/dev/zero of=/mnt/gfs/dis/add3.txt bs=1M count=40

On node1, node2, and node3, check the files in /exp/vdb1/brick.

⚫ Question: Why are the files not stored in the newly added brick?
⚫ Answer: A brick added to a GlusterFS volume can be used only after the volume is
rebalanced.
Rebalance the volume.

gluster volume rebalance gv-dis start
gluster volume rebalance gv-dis status

On node1, node2, and node3, check the files in /exp/vdb1/brick again.

A file exists in the brick on node3.

Step 17 Remove a brick from a volume.

Run the following command to remove /exp/vdb1/brick on node1 from gv-dis:

gluster volume remove-brick gv-dis node1:/exp/vdb1/brick start
gluster volume remove-brick gv-dis node1:/exp/vdb1/brick status
gluster volume remove-brick gv-dis node1:/exp/vdb1/brick commit

Check /exp/vdb1/brick on node1, node2, and node3 again.

No file exists in /exp/vdb1/brick on node1.

Step 18 Delete a volume.

Check the current volume list.

gluster volume list

Check the status of test-volume.

gluster volume status test-volume

Stop test-volume.

gluster volume stop test-volume

Delete test-volume.

gluster volume delete test-volume

Check the volume list again. test-volume has been deleted.

gluster volume list

Step 19 Perform a disaster resilience test.

Stop the glusterd service on node1.

On another node, check the list of nodes in the trusted pool.

node1 is disconnected. Check the status of different types of volumes.

No volume contains bricks in node1. On Client01, check the mounting status of different
volumes.

All volumes are mounted normally. Check files in different volumes.

Files in all volumes exist.



Huawei Certification System


Huawei Certification is an integral part of the company's Platform + Ecosystem
strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-
Device synergy. Our certification is always evolving to reflect the latest trends in ICT
development. Huawei Certification consists of three categories: ICT Infrastructure
Certification, Basic Software & Hardware Certification, and Cloud Platform & Services
Certification, making it the most extensive technical certification program in the
industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Our programs cover all ICT fields and follow the industry's trend of ICT convergence.
With our leading talent development system and certification standards, we are
committed to fostering new digital ICT talent and building a sound ICT talent
ecosystem.
HCIP-openEuler is mainly for frontline engineers from Huawei and representative
offices and readers who wish to learn openEuler operations and maintenance (O&M)
technologies. HCIP-openEuler certification covers common openEuler enterprise service
management, openEuler HA cluster architecture, openEuler storage management,
openEuler automated O&M, Linux shell scripts, openEuler system security hardening,
and openEuler system monitoring.
Huawei certification helps you unlock opportunities to advance your career and take
one more step towards the top of the industry.

About This Document

Overview
This document is an HCIP-openEuler certification training course and is intended for
trainees who are going to take the HCIP-openEuler exam or readers who want to learn
how to build enterprise services, write shell scripts, or perform automated O&M using
Zabbix or SaltStack on openEuler and other Linux distributions.

Description
This lab guide consists of two labs, one for Ansible and the other for SaltStack automated
O&M.
⚫ Lab 1 is related to Ansible. This lab introduces basic Ansible operations, practices
common function modules, and compiles and executes a simple playbook.
⚫ Lab 2 is related to SaltStack. This lab introduces the remote execution function and
configuration management function of SaltStack.

Background Knowledge Required


This course is for Huawei's basic certification. To better understand this course, the
intended audience is advised to meet the following requirement:
⚫ Have basic Linux knowledge. You are advised to complete HCIA-openEuler learning
and pass the HCIA-openEuler certification exam.

Lab Environment Overview


Four virtual machines (VMs) are used in this lab. One is the controller of the automation
tool, and the other three are controlled hosts. The following table lists the VMs and
their IP addresses.

Role               Host Name             Specification                   IP Address
Controller         Ansible or SaltStack  2 vCPUs | 4 GiB | s7.large.2    192.168.1.60
Controlled host 1  Zabbix                1 vCPU  | 1 GiB | s7.small.1    192.168.1.4
Controlled host 2  Nginx1                1 vCPU  | 1 GiB | s7.small.1    192.168.1.14
Controlled host 3  Nginx2                1 vCPU  | 1 GiB | s7.small.1    192.168.1.15


Contents
About This Document
Overview
Description
Background Knowledge Required
Lab Environment Overview
1 Basic Operations of Ansible
1.1 Installing and Configuring the Ansible Controller
1.2 Basic Operations of the Ansible Command
1.3 Practice of Common Ansible Modules
1.3.1 Practice of the command Module
1.3.2 Practice of the shell Module
1.3.3 Practice of the script Module
1.3.4 Practice of the copy Module
1.3.5 Practice of the fetch Module
1.3.6 Practice of the file Module
1.3.7 Practice of the archive and unarchive Modules
1.4 Playbook Comprehensive Practice
1.4.1 Environment Preparation
1.4.2 Lab Practice
2 Basic Operations of SaltStack
2.1 Installing and Configuring SaltStack
2.1.1 Installing salt-master and salt-minion
2.1.2 Configuring the Master and Minion Authentication
2.1.3 Adding a Client in SSH Mode
2.2 SaltStack Remote Execution Function Practice
2.2.1 Specifying the Target
2.2.2 Practice of Remote Execution Function Modules – cmd
2.2.3 Practice of Remote Execution Function Modules – pkg
2.2.4 Practice of Remote Execution Function Modules – service
2.2.5 Practice of Remote Execution Function Modules – network
2.2.6 Practice of Remote Execution Function Modules – file
2.3 SaltStack Configuration Management Function Practice
2.3.1 Configuration Management Script Practice
2.3.2 Composing the top.sls File

1 Basic Operations of Ansible

1.1 Installing and Configuring the Ansible Controller


Step 1 Install Ansible.

Log in to the Ansible host and run the following command to install Ansible:

yum install -y ansible

After the installation is complete, run the following command to check Ansible:

ansible --version

Step 2 Configure Ansible.

Modify the Ansible configuration file /etc/ansible/ansible.cfg and uncomment the
host_key_checking parameter, which sets host_key_checking = False, as shown in the
following figure. This stops Ansible from refusing hosts whose SSH host keys are not yet
in known_hosts, but it also disables host key verification, so Ansible can no longer
detect a controlled host that is impersonated or whose key has been swapped. It is
acceptable for this isolated lab; in production keep host key checking enabled and
pre-populate known_hosts (for example with ssh-keyscan after verifying the fingerprints
out of band).

Modify the Ansible host list /etc/ansible/hosts, add the IP addresses of the hosts
Zabbix, Nginx1, and Nginx2, and group them as shown in the following figure: the Zabbix
group contains 192.168.1.4 and the Nginx group contains 192.168.1.14 and 192.168.1.15.
These group names are used by the commands in the rest of this lab.

Step 3 Configure password-free login for the controlled hosts.

Run the following commands to configure SSH password-free login from the controller to
the controlled hosts. ssh-copy-id asks for the root password of each host once and
appends the controller's public key to that host's authorized_keys; from then on the
controller's private key grants root access to every controlled host, so protect it as
you would any root credential:

ssh-keygen
ssh-copy-id 192.168.1.4
ssh-copy-id 192.168.1.14
ssh-copy-id 192.168.1.15

1.2 Basic Operations of the Ansible Command


In this lab, the ping module is used to practice the basic operations of the Ansible
command.

Step 1 Ansible uses the ping module to check whether the communication with the
controlled hosts is normal.

Run the following command to invoke the ping module and check whether the controller
can communicate with the controlled hosts:

ansible all -m ping



The command output contains a warning about Python interpreter discovery. You can add
interpreter_python = auto_legacy_silent to the [defaults] section of the configuration
file to silence it.

Step 2 Practice the Ansible -k option.

Use the -k option to enter the SSH password in interactive mode. The method is as
follows:

ansible all -k -m ping

Step 3 Use a host pattern to select the hosts.

all matches every host in the host list. Use a group name instead to run the command on
that group only:

ansible Nginx -m ping

⚫ Task: Check the communication status between the host in the Zabbix group and the
controller.

Step 4 Use --list-hosts to show which hosts a pattern matches.

--list-hosts prints the matched hosts without running the module, so it is the safe way
to check a pattern before running a command against it. It can be abbreviated as --list,
as shown in the following figure:

Step 5 Combine host patterns.

Run the following command to check the communication between the controller and the
hosts in the Zabbix or the Nginx host group (a colon joins two patterns as a union):

ansible "Zabbix:Nginx" -m ping



Run the following command to check the communication between the controller and the
hosts that belong to both the Zabbix and the Nginx host group (:& is an intersection):

ansible "Zabbix:&Nginx" -m ping

⚫ Question: Why are there no matched hosts?


Answer: No host is listed in both groups, so the intersection is empty.
Run the following command to check the communication between the controller and the
hosts that do not belong to the Nginx host group (:! is an exclusion; when no plain
pattern precedes it, Ansible starts from all):

ansible ':!Nginx' -m ping

Step 6 Check the Ansible execution process.

Use the -v option to show the details of the Ansible command execution, as shown in the
following figure:

ansible ':!Nginx' -v -m ping

⚫ Task: Run the command with -vv and -vvv to see progressively more detail.
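
The patterns used in Steps 3 to 5 are resolved in a fixed order: plain terms first (union), then & terms (intersection), then ! terms (exclusion), and a pattern with no plain term is treated as all. The following Python script is an added example, not part of the lab guide or of Ansible's own code; it re-implements those rules over a small INI inventory that is constructed here to mirror the lab host list (groups Zabbix and Nginx), so you can predict which hosts an ad-hoc command will touch before running it, the same check --list-hosts gives you. The parser deliberately skips [group:vars] and [group:children] sections.

```python
"""Resolve Ansible host patterns offline, the way ansible <pattern> --list-hosts does."""
import fnmatch
import re

# Constructed inventory mirroring the lab host list (groups Zabbix and Nginx).
INVENTORY_INI = """
[Zabbix]
192.168.1.4

[Nginx]
192.168.1.14
192.168.1.15
"""


def parse_ini_inventory(text):
    """Return {group: [host, ...]}. 'all' is implicit; [x:vars]/[x:children] are skipped."""
    groups = {"all": [], "ungrouped": []}
    current = "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]:]+)(?::(vars|children))?\]", line)
        if header:
            current = None if header.group(2) else header.group(1)
            if current:
                groups.setdefault(current, [])
            continue
        if current is None:
            continue
        host = line.split()[0]          # inline host vars such as host=01 are dropped
        groups[current].append(host)
        if host not in groups["all"]:
            groups["all"].append(host)
    return groups


def split_pattern(pattern):
    """Split on ':' or ',' and drop empty terms, so ':!Nginx' yields ['!Nginx']."""
    return [p.strip() for p in re.split(r"[:,]", pattern) if p.strip()]


def match_one(term, groups):
    """A term names a group, or is a shell-style glob matched against host names."""
    if term in groups:
        return list(groups[term])
    return [h for h in groups["all"] if fnmatch.fnmatchcase(h, term)]


def resolve(pattern, groups):
    """Plain terms first (union), then '&' terms (intersection), then '!' terms (exclusion)."""
    terms = split_pattern(pattern)
    plain = [t for t in terms if t[0] not in "&!"]
    inter = [t[1:] for t in terms if t[0] == "&"]
    excl = [t[1:] for t in terms if t[0] == "!"]
    if not plain:                       # no plain term: Ansible assumes 'all'
        plain = ["all"]
    hosts = []
    for t in plain:
        for h in match_one(t, groups):
            if h not in hosts:
                hosts.append(h)
    for t in inter:
        keep = set(match_one(t, groups))
        hosts = [h for h in hosts if h in keep]
    for t in excl:
        drop = set(match_one(t, groups))
        hosts = [h for h in hosts if h not in drop]
    return hosts


if __name__ == "__main__":
    inv = parse_ini_inventory(INVENTORY_INI)
    for pat in ("all", "Nginx", "Zabbix:Nginx", "Zabbix:&Nginx", ":!Nginx"):
        print(f"{pat:14} -> {resolve(pat, inv)}")
```

Running the script prints the host list for each of the five patterns used in this section; "Zabbix:&Nginx" resolves to an empty list for the same reason the ad-hoc command above matched nothing, and ":!Nginx" resolves to the Zabbix host alone because the exclusion is applied to all.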

1.3 Practice of Common Ansible Modules


1.3.1 Practice of the command Module
Requirement: Copy /etc/passwd on the hosts in the Nginx host group to /data and display
the content of the copy.
The commands are as follows:

ansible Nginx -m command -a "mkdir /data"


ansible Nginx -m command -a "cp /etc/passwd /data"
ansible Nginx -m command -a "removes=/data/passwd cat /data/passwd"

removes=/data/passwd makes the last task run only when that file exists on the host. The
command module runs the program directly rather than through a shell, so pipes,
redirection, and variable expansion are not available; this is also what makes it the
safer default for arguments that come from variables. Note that the mkdir command above
is not idempotent: running it a second time fails because the directory already exists,
whereas the file module with state=directory would simply report no change.

⚫ command is the default module of Ansible. Can you prove it?


Answer: If the -m option is omitted when running the Ansible command, the command module
is invoked; running the cat command above without -m command gives the same result.

1.3.2 Practice of the shell Module


Requirement: Check whether the / directory on the hosts in the Nginx host group contains
a directory whose name contains data. If so, overwrite the content of the file in the data
directory with "this is a test".
The commands are as follows (the pipe and the redirection require the shell module,
which the command module in section 1.3.1 cannot provide):

ansible Nginx -m shell -a "ls / | grep data"


ansible Nginx -m shell -a "ls /data"
ansible Nginx -m shell -a "echo 'this is a test' > /data/passwd"

1.3.3 Practice of the script Module


Requirement: Print the MAC addresses of all the hosts.
Create the script ~/mac.sh on the Ansible controller with the following content:

#!/bin/bash
ip addr | grep link/ether | awk '{print $2}'

Run the following command on the controller. The script module copies the local script
to each controlled host and executes it there, so the path refers to the controller's
file system; the MAC addresses are returned in the stdout_lines field of each host's
result:

ansible all -m script -a "~/mac.sh"

1.3.4 Practice of the copy Module


Requirement: Create the /root/data/copy file on the controller, copy it to the /tmp
directory of the controlled hosts in the Nginx host group, and write "hello, openEuler"
into the remote copy. Then write "hello, world" into /root/data/copy on the controller,
copy the file to the same destination again, and keep the destination file unchanged
even though the content differs.
The commands are as follows:

mkdir /root/data
touch /root/data/copy

ansible Nginx -m copy -a "src=/root/data/copy dest=/tmp/"


ansible Nginx -m copy -a "content='hello,openEuler' dest=/tmp/copy"

echo "hello,world" > /root/data/copy


ansible Nginx -m copy -a "force=no src=/root/data/copy dest=/tmp/"

With force=no, copy leaves an existing destination file untouched and only creates it
when it is missing, so /tmp/copy on the Nginx hosts still contains "hello,openEuler".

1.3.5 Practice of the fetch Module


Requirement: Save the /tmp/copy file from the Nginx hosts to the /tmp directory on the
controller.
The command is as follows:

ansible Nginx -m fetch -a "src=/tmp/copy dest=/tmp/"


After the file is fetched, the /tmp directory on the controller contains
/tmp/192.168.1.14/tmp/copy and /tmp/192.168.1.15/tmp/copy: by default fetch prefixes the
destination with the inventory host name and the remote path, so files fetched from
different hosts do not overwrite each other (flat=yes disables this behaviour).

1.3.6 Practice of the file Module


Requirement: Create the /tmp/file/data directory on the hosts in the Nginx host group
with owner and group test:test and permission 755. Create the file test in that
directory, create the symbolic link /tmp/link pointing to the test file, and finally
delete the /tmp/file directory.
The commands are as follows (the test user and group must already exist on the
controlled hosts, otherwise the first command fails when it tries to change the owner):

ansible Nginx -m file -a "path=/tmp/file/data owner=test group=test mode=755 state=directory"


ansible Nginx -m file -a "path=/tmp/file/data/test state=touch"

ansible Nginx -m file -a "src=/tmp/file/data/test dest=/tmp/link state=link"

ansible Nginx -m file -a "path=/tmp/file state=absent"


⚫ Question: What are the owner and group of the test file? Why?
Answer: In this lab, the test file is owned by root:root. No owner or group is given
when the file is created, so it belongs to the user Ansible connects as on the
controlled host (root here); the test:test ownership applies only to the directory
created by the first command. After the last command, /tmp/link is a dangling symbolic
link, because its target was removed together with the directory.

1.3.7 Practice of the archive and unarchive Modules


Requirement: Create the files test1 and test2 in the /tmp directory of the hosts in the
Nginx host group, compress them into test.bz2, and delete test1 and test2. Fetch the
archive to the /tmp directory of the controller, then extract the archive fetched from
192.168.1.14 into the /tmp directory on 192.168.1.15.
The commands are as follows:

ansible Nginx -m file -a "path=/tmp/test1 state=touch"


ansible Nginx -m file -a "path=/tmp/test2 state=touch"
ansible Nginx -m archive -a "path=/tmp/test1,/tmp/test2 format=bz2 remove=yes dest=/tmp/test.bz2"

ansible Nginx -m fetch -a "src=/tmp/test.bz2 dest=/tmp/"

ansible 192.168.1.15 -m unarchive -a "src=/tmp/192.168.1.14/tmp/test.bz2 dest=/tmp/"

When more than one path is given, archive creates a tar archive and compresses it with
the selected format, and remove=yes deletes the source files afterwards. fetch stores
the archive as /tmp/<host>/tmp/test.bz2 on the controller, which is why the unarchive
src path contains 192.168.1.14; unarchive copies that local file to 192.168.1.15 and
extracts it there. Check the result by listing /tmp on 192.168.1.15: test1 and test2
are present again.

1.4 Playbook Comprehensive Practice


1.4.1 Environment Preparation
To exclude the impact of the remaining configurations on this lab, remove the files and
directories created in sections 1.2 and 1.3. In this lab, a playbook is used to install
the Zabbix agent. The Zabbix host name is set to Zabbix_server, and the hosts Nginx1 and
Nginx2 are installed as Zabbix clients with the host names Nginx-01 and Nginx-02.
To enhance your understanding of the playbook, this lab writes the playbook segment by
segment.

1.4.2 Lab Practice


Step 1 Change the host name.

In this step, inventory variables are used to change the host name of the Zabbix host to
Zabbix_server and the host names of Nginx1 and Nginx2 to Nginx-01 and Nginx-02.
Modify the Ansible host file as follows (host is a per-host variable and group is a
group variable shared by every host in the Nginx group):

[Nginx]
192.168.1.14 host=01
192.168.1.15 host=02
[Nginx:vars]
group=Nginx
[Zabbix]
192.168.1.4 host=Zabbix_server

Create an Ansible playbook and enter the following content:

---
- hosts: Zabbix
  remote_user: root
  gather_facts: no

  tasks:
    - name: set hostname for 192.168.1.4
      hostname:
        name: "{{ host }}"

- hosts: Nginx
  remote_user: root
  gather_facts: no

  tasks:
    - name: set hostname for 192.168.1.14 and 192.168.1.15
      hostname:
        name: "{{ group }}-{{ host }}"

After the editing is complete, run ansible-playbook -C <playbook file> (check mode, which
reports what would change without changing anything) to verify the playbook. If an error
is reported, rectify the fault. When no error is reported, perform the following steps.

Step 2 Install and configure zabbix-agent2.

Add the following content to the Nginx play of the Ansible playbook and set the related
tags:

……

  tasks:
    - name: set hostname for 192.168.1.14 and 192.168.1.15
      hostname:
        name: "{{ group }}-{{ host }}"
    - name: download Zabbix yum repolist
      tags: agent1
      shell: rpm -Uvh https://repo.zabbix.com/zabbix/6.2/rhel/8/x86_64/zabbix-release-6.2-3.el8.noarch.rpm
    - name: install zabbix-agent
      tags: agent2
      yum:
        name: zabbix-agent2
        state: present
    - name: config zabbix-agent
      tags: agent3
      replace:
        path: /etc/zabbix/zabbix_agent2.conf
        regexp: '^Server=127.0.0.1$'
        replace: 'Server=192.168.1.4'
      notify: restart zabbix-agent2
    - name: config zabbix-agent service
      tags: agent3
      service:
        name: zabbix-agent2
        state: started
        enabled: yes

  handlers:
    - name: restart zabbix-agent2
      service:
        name: zabbix-agent2
        state: restarted

The shell task that installs the Zabbix repository package is not idempotent (rpm -Uvh
fails when the same package is already installed), and by default rpm only warns, rather
than fails, when it cannot verify the package signature. Ansible's rpm_key module can
import the repository signing key first, and the yum module accepts the package URL as
name, which is both idempotent and signature-checked. The handler runs once at the end
of the play, after the service task has started the agent.
Run the playbook one tag at a time (ansible-playbook <playbook file> --tags agent1, then
agent2, then agent3) until every step passes. Then, proceed to the next step.

Step 3 Run the playbook.

Run the compiled playbook without --tags to install and configure zabbix-agent2 on the
Nginx hosts. In the PLAY RECAP at the end of the output, every host should show
failed=0 and unreachable=0.

2 Basic Operations of SaltStack

2.1 Installing and Configuring SaltStack


2.1.1 Installing salt-master and salt-minion
Step 1 Configure a Yum repository.

Log in to all hosts (192.168.1.60 is called SaltStack) and run the following commands to
configure the Yum repository required by SaltStack. The GPG key is imported first so that
yum can verify the signatures of the Salt packages it downloads:

rpm --import https://repo.saltproject.io/salt/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub


curl -fsSL https://repo.saltproject.io/salt/py3/redhat/8/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo

The following figure shows the details.

Step 2 Install salt-master.

Run the following command to install salt-master on the host SaltStack:

yum install salt-master -y

The following figure shows an example.

After the installation is complete, run the following command to start salt-master and set
it to start upon system startup:

systemctl enable salt-master --now



Run the following command to install salt-ssh. The Zabbix host is managed using SSH,
and the Nginx1 and Nginx2 hosts are managed using salt-minion.

yum install salt-ssh -y

Step 3 Configure salt-master.

Create the master.conf file in the /etc/salt/master.d directory on the host SaltStack and
enter the following content:

interface: 0.0.0.0
publish_port: 4505
ret_port: 4506
pki_dir: /etc/salt/pki/master
file_roots:
  base:
    - /srv/salt/
pillar_roots:
  base:
    - /srv/pillar

interface: 0.0.0.0 makes the master listen on every address for the publisher (TCP 4505)
and the request server (TCP 4506). Any host that can reach port 4506 can submit a minion
key for acceptance, so on a network that is not isolated, bind the master to its
management address or restrict those two ports to the minion subnet with the firewall.
Restart the salt-master service (systemctl restart salt-master) and check the service
status. If any error occurs, rectify the fault before proceeding to the next step.

Step 4 Install salt-minion.

On Nginx1 and Nginx2, run the following command to install salt-minion:

yum install salt-minion -y

The following figure shows an example.

After the installation is complete, run the following command to start salt-minion and set
it to start upon system startup:

systemctl enable salt-minion --now

Step 5 Configure salt-minion.

Create the minion.conf file in the /etc/salt/minion.d directory on the host Nginx1 and
enter the following content:

master: 192.168.1.60
id: Nginx1

Create the minion.conf file in the /etc/salt/minion.d directory on the host Nginx2 and
enter the following content:

master: 192.168.1.60
id: Nginx2

After the configuration is complete, restart the salt-minion service on the two hosts and
ensure that the service is running properly.

2.1.2 Configuring the Master and Minion Authentication


Run the salt-key command on the master node to check whether the public keys sent by the
minions have been received. If they have, Nginx1 and Nginx2 are listed under Unaccepted
Keys, as shown in the following information:

Before accepting, compare the fingerprint printed by salt-key -f Nginx1 (or salt-key -F
for all keys) with the fingerprint printed by salt-call --local key.finger on the minion
itself. Once a key is accepted, that minion receives every state and pillar targeted at
it, so accepting keys unseen lets any host that can reach port 4506 register as a
minion. Then run the salt-key -A command to accept all keys. The details are as follows:

After the keys are accepted, run the following command to check whether the
communication between the master and the minions is normal:

salt "*" test.ping

If the communication is normal, the following information is displayed:

2.1.3 Adding a Client in SSH Mode


Requirement: The Zabbix host is managed by the master in SSH mode.

Add the following content about the Zabbix host to /etc/salt/roster:

Zabbix:
  host: 192.168.1.4
  user: root
  port: 22

StrictHostKeyChecking is an SSH client option, so it belongs in /etc/ssh/ssh_config on
the SaltStack host, the side that opens the connection, not on the Zabbix host; change
it from ask to no there, as shown in the following figure. No sshd restart is needed,
because ssh_config is read by the ssh client at each invocation. Setting it to no accepts
any host key on first contact and removes the protection against a man-in-the-middle on
that first connection. This is acceptable in an isolated lab, but the safer alternative
is to keep the default and record the Zabbix host key in known_hosts on the SaltStack
host beforehand (for example by connecting once with ssh and confirming the fingerprint
out of band).
Then, run the following commands to configure key-based SSH login from the host
SaltStack to the host Zabbix:

ssh-keygen
ssh-copy-id 192.168.1.4

After the configuration is complete, run the following command to check whether the
communication between the two hosts is normal:

salt-ssh Zabbix test.ping

Authentication is required for the first connection. Enter the password as prompted. If
the connection is normal, the following information is displayed:

2.2 SaltStack Remote Execution Function Practice


2.2.1 Specifying the Target
In this lab, test.ping is used to practice multiple methods of specifying targets.

Requirement 1: Check whether the communication between all minions and the master is
normal.
Command: salt '*' test.ping

Requirement 2: Check whether the communication between the master and all minions whose
IDs start with Nginx, except Nginx1, is normal.
Command: salt 'Nginx[!1]' test.ping

The default target is a shell-style glob on the minion ID: * matches every minion, and
[!1] matches one character that is not 1, so Nginx[!1] matches Nginx2 but not Nginx1.
⚫ Question: Why is the Zabbix host not displayed in Requirement 1?


Answer: Zabbix is not a minion but a host managed in SSH mode. salt only targets minions
whose keys the master has accepted; roster hosts are reached with salt-ssh.
⚫ Question: Can grains be used to specify a host?
Answer: Yes. Use the -G option when running the command. For example, to test whether
the minion whose IP address is 192.168.1.14 communicates with the master, run the
salt -G 'ipv4:192.168.1.14' test.ping command, as shown in the following figure.
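
The three targeting forms used in this section (the default glob on the minion ID, the -L list of IDs, and the -G grain match) can be reproduced offline to check what a target expression will select. The following Python script is an added example, not from the lab guide or from SaltStack's own code. The minion IDs and grain values are constructed to mirror Nginx1 and Nginx2 (the ipv4 grain is a list on a real minion, which is why a list-valued grain is handled), and the grain matcher is a simplification that handles top-level grains only, whereas Salt also accepts nested keys separated by colons.

```python
"""Salt minion targeting offline: glob on the minion ID (default), -L list, -G grain."""
import fnmatch

# Constructed minion IDs and grains mirroring Nginx1 and Nginx2 (values are assumptions).
MINIONS = {
    "Nginx1": {"host": "Nginx1", "ipv4": ["127.0.0.1", "192.168.1.14"], "os": "openEuler"},
    "Nginx2": {"host": "Nginx2", "ipv4": ["127.0.0.1", "192.168.1.15"], "os": "openEuler"},
}


def target_glob(pattern, minions=MINIONS):
    """Default matcher: shell-style glob on the minion ID, e.g. '*', 'Nginx*', 'Nginx[!1]'."""
    return sorted(mid for mid in minions if fnmatch.fnmatchcase(mid, pattern))


def target_list(spec, minions=MINIONS):
    """-L: comma-separated exact minion IDs; IDs without an accepted key are ignored."""
    wanted = [s.strip() for s in spec.split(",") if s.strip()]
    return [mid for mid in wanted if mid in minions]


def target_grain(spec, minions=MINIONS):
    """-G: 'grain:value' where value is a glob; a list-valued grain matches if any item matches.
    Simplification: top-level grains only (Salt also accepts nested keys such as a:b:c)."""
    key, sep, value = spec.partition(":")
    if not sep:
        raise ValueError("grain target must be written as key:value")
    hits = []
    for mid, grains in minions.items():
        got = grains.get(key)
        items = got if isinstance(got, list) else [got]
        if any(item is not None and fnmatch.fnmatchcase(str(item), value) for item in items):
            hits.append(mid)
    return sorted(hits)


def target(spec, mode="glob", minions=MINIONS):
    """Dispatch like the salt CLI: no option means glob, -L means list, -G means grain."""
    if mode == "glob":
        return target_glob(spec, minions)
    if mode == "list":
        return target_list(spec, minions)
    if mode == "grain":
        return target_grain(spec, minions)
    raise ValueError(f"unknown target mode {mode!r}")


if __name__ == "__main__":
    for spec, mode in (("*", "glob"), ("Nginx[!1]", "glob"),
                       ("Nginx1,Nginx2", "list"), ("ipv4:192.168.1.14", "grain")):
        print(f"{mode:5} {spec:18} -> {target(spec, mode)}")
```

Because the Zabbix host has no accepted minion key, it never appears in any result here either, which is the same reason it is absent from the output of salt '*' test.ping above.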

2.2.2 Practice of Remote Execution Function Modules – cmd


Run the ip addr command on Nginx1 and Nginx2 in list mode (-L takes a comma-separated
list of minion IDs). The command is as follows:

[root@SaltStack master.d]# salt -L 'Nginx1,Nginx2' cmd.run "ip addr"

cmd.run executes the given string as root on every matched minion, so check the target
expression with test.ping before running anything that changes the system.

⚫ Question: Does cmd.run support all commands?


Answer: cmd.run passes the string to the minion, so the command must exist there. As
shown in the following figure, when the host command (which is not installed on the
minions) is executed, the output indicates that the command is not found.

2.2.3 Practice of Remote Execution Function Modules – pkg


Run the following command to list information about the Yum repository on Nginx1:

[root@SaltStack master.d]# salt Nginx1 pkg.list_repos

Run the following command to list NGINX of the latest version that can be installed on
Nginx1 using the current Yum repository:

[root@SaltStack master.d]# salt Nginx1 pkg.available_version nginx



Run the following command to install NGINX for Nginx1 and Nginx2:

[root@SaltStack master.d]# salt 'Nginx*' pkg.install nginx

Run the following command to check whether NGINX has been installed:

[root@SaltStack master.d]# salt 'Nginx*' cmd.run "nginx -v"

2.2.4 Practice of Remote Execution Function Modules – service


Run the following command to check whether the NGINX service on Nginx1 and Nginx2
is available:

[root@SaltStack master.d]# salt 'Nginx*' service.available nginx

Run the following command to set the NGINX service on Nginx1 and Nginx2 to
automatically start upon system startup:

[root@SaltStack master.d]# salt 'Nginx*' service.enable nginx



Run the following command to check whether NGINX is enabled to start automatically upon
system startup (the service name is nginx, in lowercase):

[root@SaltStack master.d]# salt 'Nginx*' service.enabled nginx

Alternatively, run the following command, which returns the opposite result:

[root@SaltStack master.d]# salt 'Nginx*' service.disabled nginx

Run the following command to start NGINX:

[root@SaltStack ~]# salt 'Nginx*' service.start nginx

2.2.5 Practice of Remote Execution Function Modules – network


Run network.connect to test whether Nginx1 and Nginx2 can access each other's NGINX
service port (80). Before the test, run the following command to obtain the IP addresses
of Nginx1 and Nginx2:

[root@SaltStack ~]# salt "*" network.ipaddrs

Run the following command to test whether Nginx1 can access the NGINX service of
Nginx2:

[root@SaltStack ~]# salt Nginx1 network.connect 192.168.1.15 80



Use the same method to test whether Nginx2 can access the NGINX service of Nginx1.

[root@SaltStack ~]# salt Nginx2 network.connect 192.168.1.14 80

2.2.6 Practice of Remote Execution Function Modules – file


Requirement: Use SaltStack to create the /data/Nginx directory on Nginx1 and Nginx2 as
the root directory of the NGINX service, and create index.html in the directory as the
default page. On this page, the message "hello, host name" is displayed, where host
name indicates the host names of Nginx1 and Nginx2.

Step 1 Create the /data/Nginx directory.

Run the following command to create the /data/Nginx directory:

[root@SaltStack ~]# salt "*" file.mkdir /data/Nginx

Step 2 Create index.html.

Run the following command to create the index.html file:

[root@SaltStack ~]# salt "*" file.touch /data/Nginx/index.html

Step 3 Add content to the page.

Run the following command to add content to index.html:

[root@SaltStack ~]# salt '*' file.append /data/Nginx/index.html "hello, $HOSTNAME"



Step 4 Modify the NGINX configurations.

Run the following command to create the test.conf configuration file in the Nginx
configuration directory:

[root@SaltStack ~]# salt "*" file.touch /etc/nginx/conf.d/test.conf

Enter the following content in the configuration file (each argument becomes one line of
test.conf):

[root@SaltStack ~]# salt '*' file.append /etc/nginx/conf.d/test.conf \
    "server {" \
    "    root /data/Nginx;" \
    "    index index.html;" \
    "}"

Step 5 Reload the NGINX service.

Run the following command to reload the NGINX service:

[root@SaltStack ~]# salt '*' service.reload nginx

After the preceding operations are complete, check whether the configuration takes
effect.
⚫ Question: Is the page displayed as expected?
Answer: No. The pages show the host name of the master, not the host names of Nginx1
and Nginx2. $HOSTNAME is expanded by the shell on the master before the salt command
runs, so every minion receives the already expanded string "hello, SaltStack" and
appends it unchanged. To get each minion's own host name, the content must be rendered
on the minion side, which a Jinja template that reads the grains value does (see
section 2.3).
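
To see where the two substitutions happen, the following Python script is an added example, not from the lab guide or from SaltStack. It models the master's shell expanding $HOSTNAME before salt ever sees the argument (section 2.2.6) against a minion-side rendering of {{ grains['host'] }} with each minion's own grains (section 2.3.1). The master host name and the minion grains are constructed, and the renderer is a small substitution that covers only the grains[...] form used in this lab, not the full Jinja engine; a missing grain raises an error instead of rendering silently.

```python
"""Master-side shell expansion versus minion-side template rendering."""
import re

MASTER_ENV = {"HOSTNAME": "SaltStack"}          # constructed: the master's shell environment
MINION_GRAINS = {                                 # constructed: grains on each minion
    "Nginx1": {"host": "Nginx1", "os": "openEuler"},
    "Nginx2": {"host": "Nginx2", "os": "openEuler"},
}


def shell_expand(arg, env=MASTER_ENV):
    """Expand $VAR inside a double-quoted argument, as the master's shell does before salt runs."""
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), arg)


def render_grains_template(template, grains):
    """Render {{ grains['key'] }} with one minion's grains (the subset of Jinja used in this lab)."""
    def repl(m):
        key = m.group(1)
        if key not in grains:
            raise KeyError(f"grain {key!r} is not set on this minion")
        return str(grains[key])
    return re.sub(r"\{\{\s*grains\[['\"](\w+)['\"]\]\s*\}\}", repl, template)


def index_content(text, template=False, minions=MINION_GRAINS):
    """Return {minion_id: index.html content}: template=False models the file.append call
    of section 2.2.6, template=True models the Jinja state of section 2.3.1."""
    if not template:
        sent = shell_expand(text)                 # done once on the master; every minion gets the same bytes
        return {mid: sent for mid in minions}
    return {mid: render_grains_template(text, g)  # done on each minion with its own grains
            for mid, g in minions.items()}


if __name__ == "__main__":
    print(index_content("hello, $HOSTNAME"))
    print(index_content("hello,{{ grains['host'] }}", template=True))
```

The first call returns the master's name for both minions, which is exactly what the lab observed; the second returns Nginx1 and Nginx2 respectively. Note that the Jinja form is left untouched by the shell, because the master's shell has nothing to expand in it.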

2.3 SaltStack Configuration Management Function Practice


Before starting this lab, delete the NGINX configurations from Nginx1 and Nginx2 to
avoid interference.

2.3.1 Configuration Management Script Practice


Requirement: Use a SaltStack state (SLS) file to complete the requirement in section
2.2.6 on Nginx1.

Step 1 Modify the configuration file.

Make sure that file_roots is configured on the master node, with base pointing to
/srv/salt as set in /etc/salt/master.d/master.conf in section 2.1.1, as shown in the
following figure.

Create the directory named in the configuration if it does not exist yet.


Run the systemctl restart salt-master command to restart the service.

Step 2 Compose the SLS file.

Create the nginx.sls file in /srv/salt and enter the following content:

---
nginx_install:
  pkg.installed:
    - name: nginx

create_test:
  file.touch:
    - name: /etc/nginx/conf.d/test.conf

config_test:
  file.append:
    - name: /etc/nginx/conf.d/test.conf
    - text:
      - "server {"
      - "    root /data/Nginx;"
      - "    index index.html;"
      - "}"

create_root_dir:
  file.directory:
    - name: /data/Nginx
    - makedirs: True

create_index:
  file.touch:
    - name: /data/Nginx/index.html

config_index:
  file.append:
    - name: /data/Nginx/index.html
    - text: hello,{{ grains['host'] }}
    - template: jinja

enable_nginx:
  service.running:
    - name: nginx
    - enable: True
    - reload: True

Step 3 Run the configuration management script.

Run the following command to apply the state file written in step 2 to Nginx1:

[root@SaltStack salt]# salt Nginx1 state.sls nginx

If the command is successful, the summary reports the number of Succeeded states and
Failed: 0, as shown in the following figure. The SLS file is rendered on the minion, so
{{ grains['host'] }} expands to Nginx1's own host name. The states run in the order
written, but nothing ties the service to the configuration files: if config_test is
changed later, nginx is not reloaded unless the enable_nginx state is given a watch
requisite on file: config_test.

⚫ Task: Compile a configuration script to install Apache on Nginx2 and place the home
page in /data/Apache. The home page content is "hello, host name".
Answer: The SLS script for reference is as follows:

---
apache_install:
  pkg.installed:
    - name: httpd

create_test:
  file.touch:
    - name: /etc/httpd/conf.d/test.conf

config_test:
  file.append:
    - name: /etc/httpd/conf.d/test.conf
    - text:
      - DocumentRoot "/data/apache"
      - '<Directory "/data/apache">'
      - '    AllowOverride None'
      - '    Require all granted'
      - '</Directory>'

modify_default_config:
  file.replace:
    - name: /etc/httpd/conf/httpd.conf
    - pattern: 'DocumentRoot "/var/www/html"'
    - repl: '#DocumentRoot "/var/www/html"'

create_root_dir:
  file.directory:
    - name: /data/apache
    - makedirs: True

create_index:
  file.touch:
    - name: /data/apache/index.html

config_index:
  file.append:
    - name: /data/apache/index.html
    - text: hello,{{ grains['host'] }}
    - template: jinja

enable_apache:
  service.running:
    - name: httpd
    - enable: True
    - reload: True

2.3.2 Composing the top.sls File


Requirement: Install the NGINX service on the minion whose host name is Nginx1, and
install the Apache service on the minion whose host name is Nginx2.
Create the top.sls file in /srv/salt and enter the following content:

base:
  'host:Nginx1':
    - match: grain
    - nginx
  'host:Nginx2':
    - match: grain
    - apache

Save the file and run the following command to test the top.sls file without changing
anything on the minions (test=True only reports what would change):

[root@SaltStack salt]# salt "*" state.highstate test=True


If the test is successful, run salt "*" state.highstate without test=True to apply the
top.sls file and complete the requirement.

------------------ End ------------------



About This Document

Overview
This document is an HCIP-openEuler certification training course. It is intended for
trainees who are going to take the HCIP-openEuler exam and for readers who want to learn
how to build enterprise services, write shell scripts, or perform automated O&M using
Zabbix or SaltStack on openEuler and other Linux distributions.

Description
This lab guide consists of six labs, including advanced process control statements,
functions, regular expressions, global regular expression search and print (grep)
commands, stream editor (sed), and AWK statements in shell scripts.
⚫ Lab 1: Advanced process control statements. Through user password verification,
readers can master the process control statements and condition testing.
⚫ Lab 2: Functions. By creating the addUser function, readers can master how to create
and use functions.
⚫ Lab 3: Regular expressions. By filtering and querying the NIC and process
information, readers can master the usage of regular expression common characters,
common metacharacters, and extended metacharacters.
⚫ Lab 4: grep commands. By filtering and querying the NIC and process information,
readers can master output control options, context control options, and pattern
selection options of grep commands.
⚫ Lab 5: sed. By filtering and querying the NIC and process information, readers can
master sed line number addressing, regular expression addressing, adding, deleting,
modifying, and querying text, searching and replacing, file operations, and parameter
options.
⚫ Lab 6: AWK statements. By filtering and querying the NIC and process information,
readers can master the built-in variables, field separators, record separators,
formatted output, regular expressions, control statements, and the script mode of
AWK statements.

Background Knowledge Required


This course is part of Huawei certification. To get the most out of it, the intended
audience should meet the following requirement:
⚫ Have basic Linux knowledge. You are advised to complete HCIA-openEuler learning
and pass the HCIA-openEuler certification exam.

Lab Environment Overview


In this lab environment, one Elastic Cloud Server (ECS) is required.

Lab Environment Preparation


Checking Devices
Before labs start, trainees of each group should check whether the devices in the
following table are available:

Device Name Specifications Remarks

ECS 1 vCPU | 1 GiB | s7.small.1



Contents
About This Document
  Overview
  Description
  Background Knowledge Required
  Lab Environment Overview
1 Advanced Process Control Statement Practice
  1.1 Verifying Input
  1.2 Verifying Files
  1.3 Verifying the User Name and Password
2 Function Practice
  2.1 addUser Function
3 Regular Expression Practice
  3.1 Common Characters
  3.2 Common Metacharacters
  3.3 Extended Metacharacters
4 grep Command Practice
  4.1 Output Control Options
  4.2 Context Control Options
  4.3 Pattern Selection Options
5 sed Practice
  5.1 Line Number Addressing
  5.2 Regular Expression Addressing
  5.3 Adding, Deleting, Modifying, and Querying Texts
  5.4 Searching and Replacing Texts
  5.5 File Operations
  5.6 Parameter Options
6 AWK Statements
  6.1 Built-in Variables
  6.2 Field Separators
  6.3 Record Separators
  6.4 Formatted Output
  6.5 Regular Expressions
  6.6 Control Statements
  6.7 Script Mode

1 Advanced Process Control Statement Practice

1.1 Verifying Input


Step 1 Create a script file.

Log in to the openEuler operating system (OS) and run the following command to create
a shell script:

[root@openEuler ~]# vim user.sh

Specify an interpreter for the script file in user.sh.

#!/bin/bash

Step 2 Add variables.

Add the user name and password variables to the user.sh file for verification.

#!/bin/bash

username_file="root"
password_file="123456"

Step 3 Add the while loop.

The code for adding the while loop to user.sh is as follows:

#!/bin/bash

username_file="root"
password_file="123456"
echo "Please enter username:"
while :
do
    read -r username
done

Step 4 If the input is empty, continue the input.

Add the if condition for checking whether the input is empty to the while loop.

#!/bin/bash

username_file="root"
password_file="123456"
echo "Please enter username:"
while :
do
    read -r username
    # quote the expansion so an empty or multi-word input is still one operand of test
    if test -z "$username"
    then
        echo "Please enter a non empty username:"
        continue
    fi
done

Step 5 If the input is correct, the loop exits.

If the input is correct, the while loop exits.

#!/bin/bash

username_file="root"
password_file="123456"
echo "Please enter username:"
while :
do
    read -r username
    if test -z "$username"
    then
        echo "Please enter a non empty username:"
        continue
    elif test "$username" = "$username_file"
    then
        echo "User $username wants to login!"
        break
    fi
done

Step 6 If the input is incorrect, continue the input.

If the input is incorrect, continue the while loop.

#!/bin/bash

username_file="root"
password_file="123456"
echo "Please enter username:"
while :
do
    read -r username
    if test -z "$username"
    then
        echo "Please enter a non empty username:"
        continue
    elif test "$username" = "$username_file"
    then
        echo "User $username wants to login!"
        break
    else
        echo "Incorrect! Please re-enter the username:"
        continue
    fi
done

Step 7 Add password verification.

After the user name is verified, enter the password and verify it.

#!/bin/bash

username_file="root"
password_file="123456"
echo "Please enter username:"
while :
do
    read -r username
    if test -z "$username"
    then
        echo "Please enter a non empty username:"
        continue
    elif test "$username" = "$username_file"
    then
        echo "User $username wants to login!"
        break
    else
        echo "Incorrect! Please re-enter the username:"
        continue
    fi
done

echo "Please enter password:"
while :
do
    read -r password
    if test -z "$password"
    then
        echo "Please enter a non empty password:"
        continue
    # -eq is an integer comparison; see the question in Step 8
    elif test "$password" -eq "$password_file"
    then
        echo "Welcome user $username login!"
        break
    else
        echo "Incorrect! Please re-enter the password:"
        continue
    fi
done

Step 8 Verify the result.

Save the script and exit the vim insert mode. Enter an empty user name and password,
an incorrect user name and password, and a correct user name and password. The
following shows an example:

[root@openEuler ~]# sh user.sh


Please enter username:
root
User root wants to login!
Please enter password:
a
user.sh: line 29: test: a: integer expression expected
Incorrect! Please re-enter the password:
123456
Welcome user root login!
[root@openEuler ~]#

⚫ Question: Why is an alarm generated during script execution? How can the script be
modified to clear the alarm?
Answer: In this script, test compares numbers (-eq is an integer comparison). Therefore,
the entered value must be an integer, and "a" is a character. As a result, a system alarm
is generated. To clear the alarm, replace -eq in the shell script with an equal sign (=),
which compares strings.

1.2 Verifying Files


Step 1 Verify the file.

Add file verification to user.sh. The user.txt file stores the user name and password. If
the user.txt file does not exist, the system prompts you to enter the user name and
password and saves them to a user.txt file.

#!/bin/bash

while :
do
    if test -e user.txt
    then
        echo "Entering the Login Program:"
        break
    else
        echo "The user does not exist. Enter the user registration program."
        echo "Please enter username for storage:"
        read -r username
        echo "Please enter password for storage:"
        read -r password
    fi
done

username_file="root"
password_file="123456"

…….

Step 2 Check the user name and password based on multiple conditions.

Add the user name and password judgment.

#!/bin/bash

while :
do
    if test -e user.txt
    then
        echo "Entering the Login Program:"
        break
    else
        echo "The user does not exist. Enter the user registration program."
        echo "Please enter username for storage:"
        read -r username
        echo "Please enter password for storage:"
        read -r password
        # both operands quoted: an empty value is still passed to test as an operand
        if test -n "$username" -a -n "$password"
        then
            echo "$username $password" > user.txt
            echo "Storage Successed!"
            echo ""
            break
        else
            echo "Please enter a non empty username or password:"
            continue
        fi
    fi
done
………

1.3 Verifying the User Name and Password


Step 1 Save the user name and password.

Save the data in the user.txt file to the user name and password variables for
subsequent user name and password verification.

username_file=$(awk 'NR==1{print $1}' user.txt)
password_file=$(awk 'NR==1{print $2}' user.txt)

Step 2 Verify the result.

Save and exit the vim insert mode. Enter an empty user name and password, an incorrect
user name and password, and a correct user name and password. The following shows
an example:

[root@openEuler ~]# sh user.sh


The user does not exist. Enter the user registration program.

Please enter username for storage:


root
Please enter password for storage:
123
Storage Successed!

Please enter username:


root
User root wants to login!
Please enter password:
123
Welcome user root login!
[root@openEuler ~]#

2 Function Practice

2.1 addUser Function


Step 1 Create a function.

Add a function to user.sh for adding the user name and password using commands.

#!/bin/bash

addUser(){
    # quote both parameters so a missing one is still seen by test as an empty operand
    if test -n "$1" -a -n "$2"
    then
        echo "$1 $2" >> user.txt
    else
        echo "Add failed.The parameter is incorrect."
    fi
}

Step 2 Verify the result.

Run the source command to load the addUser function into the current shell environment.
Because user.sh also contains the login loop, sourcing it starts that loop; press Ctrl+C
to return to the prompt with the function defined. Run set to view the function, then
execute the addUser function.

[root@openEuler ~]# source user.sh


Entering the Login Program:
Please enter username:
^C
[root@openEuler ~]# set
addUser ()
{
if test -n $1 -a -n $2;
then
echo "$1 $2" >> user.txt;
else
echo "Add failed.The parameter is incorrect.";
fi
}
[root@openEuler ~]# addUser a 123
[root@openEuler ~]# cat user.txt
root 123
a 123
[root@openEuler ~]#
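Added example, not code from the lab guide: the bash functions below rework the user.txt login check of Lab 1 and the addUser function of Lab 2 with the defects the lab runs into fixed, namely every expansion quoted, strings compared with = instead of -eq, input read with -r (and -s for passwords), duplicate or malformed names refused, and a bounded number of attempts. USER_DB, the function names and the record format <user> <salt> <sha256 hex> are my assumptions; a salted SHA-256 stands in for the lab's clear-text password only as a teaching simplification, not as a production password hash.

```shell
#!/bin/bash
# Added example (not from the lab guide). Hardened user.txt login check
# covering Lab 1 (verify input, file, user name and password) and Lab 2
# (addUser). Assumptions: the USER_DB path, the function names, and the
# record format "<username> <salt> <sha256 hex>" (the lab stores "<user> <pass>").

USER_DB="${USER_DB:-user.txt}"   # assumed path; the lab also uses user.txt

# hash_password SALT PASSWORD -> hex digest on stdout.
# Salted SHA-256 is a teaching simplification, not a production password hash.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# valid_username NAME -> 0 when NAME is 1..32 chars of [a-z0-9_-] starting
# with a letter. Rejecting anything else keeps names safe to pass to awk -v
# and stops inputs such as "-n" or "a b" from being parsed as test operands.
valid_username() {
    case "$1" in
        '' | *[!a-z0-9_-]* | [!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# user_exists NAME -> 0 when a record with exactly that name is present.
user_exists() {
    [ -f "$USER_DB" ] &&
        awk -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$USER_DB"
}

# add_user NAME PASSWORD -> appends a record; refuses invalid or empty
# input and duplicate names (the lab's addUser accepted both).
add_user() {
    local name="$1" pass="$2" salt
    if ! valid_username "$name" || [ -z "$pass" ]; then
        echo "Add failed. The parameter is incorrect." >&2
        return 1
    fi
    if user_exists "$name"; then
        echo "Add failed. User $name already exists." >&2
        return 1
    fi
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s %s %s\n' "$name" "$salt" "$(hash_password "$salt" "$pass")" >> "$USER_DB"
}

# verify_login NAME PASSWORD -> 0 on a match, 1 otherwise (no error output,
# so a caller cannot tell "unknown user" from "wrong password").
verify_login() {
    local rec salt digest
    valid_username "$1" || return 1
    rec=$(awk -v u="$1" '$1 == u { print $2, $3; exit }' "$USER_DB" 2>/dev/null) || return 1
    [ -n "$rec" ] || return 1
    salt=${rec%% *}
    digest=${rec#* }
    [ "$(hash_password "$salt" "$2")" = "$digest" ]   # string compare, never -eq
}

# login_prompt MAX_TRIES -> interactive loop as in Lab 1 Step 7, but with
# quoted operands, read -r/-s and a bounded number of attempts.
login_prompt() {
    local tries="${1:-3}" name pass
    while [ "$tries" -gt 0 ]; do
        tries=$((tries - 1))
        read -r -p "Please enter username: " name
        read -r -s -p "Please enter password: " pass
        echo
        if verify_login "$name" "$pass"; then
            echo "Welcome user $name login!"
            return 0
        fi
        echo "Incorrect! $tries attempt(s) left." >&2
    done
    return 1
}
```

Source the file and call login_prompt 3 for the interactive loop; add_user and verify_login can be called directly from other scripts.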

3 Regular Expression Practice

3.1 Common Characters


Step 1 Filter by letter.

View the IP addresses of the host.

[root@openEuler ~]# ifconfig | grep 'inet'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
[root@openEuler ~]#

Step 2 Filter by digit.

View the IP address of the host that contains 192.

[root@openEuler ~]# ifconfig | grep '192'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 3 Filter by punctuation.

View the IPv6 address of the host.

[root@openEuler ~]# ifconfig | grep '::'


inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
inet6 ::1 prefixlen 128 scopeid 0x10<host>
[root@openEuler ~]#

3.2 Common Metacharacters


Step 1 Single character.

View the processes whose IDs start with "10".

[root@openEuler ~]# ps -ef | grep ' 10. '


root 10 2 0 02:03 ? 00:00:00 [rcu_tasks_trace]
root 102 2 0 02:03 ? 00:00:00 [kswapd0]
root 103 2 0 02:03 ? 00:00:00 [kpagecache_limi]
root 105 2 0 02:03 ? 00:00:00 [kthrotld]

root 106 2 0 02:03 ? 00:00:00 [acpi_thermal_pm]


root 107 2 0 02:03 ? 00:00:00 [kmpath_rdacd]
root 108 2 0 02:03 ? 00:00:00 [kaluad]
root 109 2 0 02:03 ? 00:00:00 [ipv6_addrconf]
root 1052 879 0 02:44 pts/0 00:00:00 grep --color=auto 10.
[root@openEuler ~]#

Step 2 The preceding character appears zero or more times.

View the processes whose names contain zero or more underscores (_) before "gp".

[root@openEuler ~]# ps -ef | grep '_*gp'


root 3 2 0 02:03 ? 00:00:00 [rcu_gp]
root 4 2 0 02:03 ? 00:00:00 [rcu_par_gp]
root 1141 879 0 03:11 pts/0 00:00:00 grep --color=auto _*gp
[root@openEuler ~]#

Step 3 The starting position of the line.

View the lines starting with "ens" in the NIC information.

[root@openEuler ~]# ifconfig | grep '^ens'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
[root@openEuler ~]#

Step 4 The ending position of the line.

View the lines ending with "255" in the NIC information.

[root@openEuler ~]# ifconfig | grep '255$'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 5 A group of single characters.

View the NIC whose name contains "ens" and a number.

[root@openEuler ~]# ifconfig | grep 'ens[0-9]'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
[root@openEuler ~]#

3.3 Extended Metacharacters


Step 1 The preceding character appears one or more times.

View the lines that contain one or more occurrences of "192" in the NIC information.

[root@openEuler ~]# ifconfig | grep -E '(192)+'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 2 The preceding character appears zero or one time.

View the lines that contain "255." followed by zero or one occurrence of "255" in the NIC
information.

[root@openEuler ~]# ifconfig | grep -E '255.(255)?'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet 127.0.0.1 netmask 255.0.0.0
[root@openEuler ~]#

Step 3 The or character.

View the lines that contain "255." followed by one or more occurrences of "255" or "0" in
the NIC information.

[root@openEuler ~]# ifconfig | grep -E '255.(255|0)+'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet 127.0.0.1 netmask 255.0.0.0
[root@openEuler ~]#

Step 4 Specify the number of repetitions of the preceding group.

View the lines that contain exactly two occurrences of "255." after "255." in the NIC
information.

[root@openEuler ~]# ifconfig | grep -E '255.(255.){2}'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

View the lines that contain two or more occurrences of "255." after "255.".

[root@openEuler ~]# ifconfig | grep -E '255.(255.){2,}'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

View the lines that contain a maximum of two occurrences of "255." after "255.".

[root@openEuler ~]# ifconfig | grep -E '255.(255.){,2}'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet 127.0.0.1 netmask 255.0.0.0
[root@openEuler ~]#

View the lines that contain one to two occurrences of "255." after "255.".

[root@openEuler ~]# ifconfig | grep -E '255.(255.){1,2}'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

4 grep Command Practice

4.1 Output Control Options


Step 1 A maximum of n lines are displayed.

View a maximum of one line that contains "inet" in the NIC information.

[root@openEuler ~]# ifconfig | grep -m1 'inet'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 2 The matched lines and line numbers are displayed.

View the lines that contain "inet6" and their line numbers in the NIC information.

[root@openEuler ~]# ifconfig | grep -n 'inet6'


3: inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
12: inet6 ::1 prefixlen 128 scopeid 0x10<host>
[root@openEuler ~]#

Step 3 The number of matched lines is displayed.

View the number of lines that contain "inet6" in the NIC information.

[root@openEuler ~]# ifconfig | grep -c 'inet6'


2
[root@openEuler ~]#

Step 4 The unmatched lines are displayed.

View the lines that do not start with a space in the NIC information.

[root@openEuler ~]# ifconfig | grep -v '^ '


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

[root@openEuler ~]#

Step 5 Only the matched content is displayed.

Print only the matched text "192.168.0.255" from the NIC information.

[root@openEuler ~]# ifconfig | grep -o '192.168.0.255'



192.168.0.255
[root@openEuler ~]#

Step 6 The matched lines and file names are displayed.

View the lines and file names that contain "Ethernet" in the NIC configuration file.

[root@openEuler ~]# grep -H 'Ethernet' /etc/sysconfig/network-scripts/ifcfg-ens3


/etc/sysconfig/network-scripts/ifcfg-ens3:TYPE=Ethernet
[root@openEuler ~]#

Step 7 The matched file names are displayed.

View the file names that contain "Ethernet" in the NIC configuration file.

[root@openEuler ~]# grep -l 'Ethernet' /etc/sysconfig/network-scripts/ifcfg-ens3


/etc/sysconfig/network-scripts/ifcfg-ens3
[root@openEuler ~]#

4.2 Context Control Options


Step 1 The n lines after each matched line.

View the lines that contain "192" and the following one line in the NIC information.

[root@openEuler ~]# ifconfig | grep -A1 '192'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
[root@openEuler ~]#

Step 2 The n lines before each matched line.

View the lines that contain "192" and one line before the matched line in the NIC
information.

[root@openEuler ~]# ifconfig | grep -B1 '192'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 3 The matched line and n lines before and after it.

View the lines that contain "192" and one line before and after the matched line in the
NIC information.

[root@openEuler ~]# ifconfig | grep -C1 '192'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
[root@openEuler ~]#

4.3 Pattern Selection Options


Step 1 Match only whole words.

View the lines that match the whole word "inet" in the NIC information.

[root@openEuler ~]# ifconfig | grep -w 'inet'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet 127.0.0.1 netmask 255.0.0.0
[root@openEuler ~]#

Step 2 Match only whole lines.

View the lines that match the whole line "TYPE=Ethernet" in the NIC configuration file.

[root@openEuler ~]# grep -x 'TYPE=Ethernet' /etc/sysconfig/network-scripts/ifcfg-ens3


TYPE=Ethernet
[root@openEuler ~]#

Step 3 Ignore case distinctions.

View the lines that match "broadcast" and ignore case distinctions in the NIC
information.

[root@openEuler ~]# ifconfig | grep -i 'broadcast'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#
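The patterns in Labs 3 and 4 such as '255.(255.){2}' use an unescaped dot, which in a regular expression matches any character, not only a period. The following bash script is an added example (not from the lab guide) that runs the same kind of grep -E queries over a constructed ifconfig-style sample, including one line that a literal-period pattern must not match, so the difference shows up in the match counts and in what -o extracts; SAMPLE and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the lab guide): what an unescaped "." does in the
# Lab 3/4 patterns, run over a constructed ifconfig-style sample. SAMPLE and
# the function names are my own.

# Constructed sample: the two interfaces from the lab plus one deliberately
# odd line ("255x255x255x0") that a literal-period pattern must not match.
SAMPLE='ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.22  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f816:3eff:fe5d:b5cb  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
note: bogus mask 255x255x255x0 is not a dotted quad'

# count_lines ERE -> how many sample lines match (grep -c, Lab 4.1 Step 3).
# "--" keeps a pattern that starts with "-" from being read as an option.
count_lines() {
    printf '%s\n' "$SAMPLE" | grep -cE -- "$1"
}

# ipv4_addresses -> every dotted quad in the sample, one per line, in order
# (grep -o, Lab 4.1 Step 5). Dots are escaped so "." is a literal period;
# \b word boundaries stop "0x20" or a longer token from being clipped into
# something that looks like an address.
ipv4_addresses() {
    printf '%s\n' "$SAMPLE" | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b'
}

# netmask_of IFACE -> netmask of that interface, or nothing. Combines the
# -A context option (Lab 4.2), -m1 (Lab 4.1 Step 1) and -o.
netmask_of() {
    printf '%s\n' "$SAMPLE" \
        | grep -A2 -- "^$1: " \
        | grep -m1 -oE 'netmask ([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | cut -d' ' -f2
}
```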

5 sed Practice

5.1 Line Number Addressing


Step 1 Match a single line.

First number every line of the NIC information (grep -n with an empty pattern matches all
lines) so that the line addresses used below can be checked:

[root@openEuler ~]# ifconfig | grep -n ''


1:ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
2: inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
3: inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
4: ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
5: RX packets 128447 bytes 55452425 (52.8 MiB)
6: RX errors 0 dropped 0 overruns 0 frame 0
7: TX packets 119518 bytes 13028554 (12.4 MiB)
8: TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
9:
10:lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
11: inet 127.0.0.1 netmask 255.0.0.0
12: inet6 ::1 prefixlen 128 scopeid 0x10<host>
13: loop txqueuelen 1000 (Local Loopback)
14: RX packets 0 bytes 0 (0.0 B)
15: RX errors 0 dropped 0 overruns 0 frame 0
16: TX packets 0 bytes 0 (0.0 B)
17: TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
18:
[root@openEuler ~]#

View line 2 in the NIC information.

[root@openEuler ~]# ifconfig | sed -n '2p'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 2 Match multiple specified lines.

View lines 2 to 3 in the NIC information.

[root@openEuler ~]# ifconfig | sed -n '2,3p'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
[root@openEuler ~]#

Step 3 Match lines by the specified step.

Print every second line starting from line 1 (first~step addressing) in the NIC information.



[root@openEuler ~]# ifconfig | sed -n '1~2p'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
RX packets 128587 bytes 55463781 (52.8 MiB)
TX packets 119617 bytes 13039916 (12.4 MiB)

inet 127.0.0.1 netmask 255.0.0.0


loop txqueuelen 1000 (Local Loopback)
RX errors 0 dropped 0 overruns 0 frame 0
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@openEuler ~]#

Step 4 Match n lines after the specified line.

View line 2 and the following three lines in the NIC information.

[root@openEuler ~]# ifconfig | sed -n '2,+3p'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX packets 128614 bytes 55465947 (52.8 MiB)
[root@openEuler ~]#

5.2 Regular Expression Addressing


Step 1 Match lines using common regular expressions.

View the lines that contain "192" in the NIC information.

[root@openEuler ~]# ifconfig | sed -n '/192/p'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 2 Match lines using extended regular expressions.

View the lines that contain six consecutive digits in the NIC information.

[root@openEuler ~]# ifconfig | sed -rn '/[0-9]{6}/p'


RX packets 129004 bytes 55498555 (52.9 MiB)
TX packets 119919 bytes 13071368 (12.4 MiB)
[root@openEuler ~]#

5.3 Adding, Deleting, Modifying, and Querying Texts


Step 1 Insert before specified lines.

Insert one line before the first line in the NIC configuration information.

[root@openEuler ~]# ifconfig | sed '1iNetwork card configuration information'


Network card configuration information

ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX packets 129196 bytes 55514263 (52.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 120085 bytes 13088784 (12.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#

Step 2 Insert after specified lines.

Insert one line after the first line in the NIC configuration information.

[root@openEuler ~]# ifconfig | sed '1aNetwork card configuration information'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
Network card configuration information
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX packets 129257 bytes 55519729 (52.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 120138 bytes 13094862 (12.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#

Step 3 Delete specified lines.

Delete the first line in the NIC configuration information.

[root@openEuler ~]# ifconfig | sed '1d'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX packets 129383 bytes 55530875 (52.9 MiB)

RX errors 0 dropped 0 overruns 0 frame 0


TX packets 120233 bytes 13105352 (12.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#

Step 4 Replace specified lines.

Replace the first line in the NIC configuration information.

[root@openEuler ~]# ifconfig | sed '1cNetwork card configuration information'


Network card configuration information
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX packets 129453 bytes 55537071 (52.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 120289 bytes 13111608 (12.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#

5.4 Searching and Replacing Texts


Step 1 Replace the first matched content in the search.

Replace the first "255" of each line in the NIC information with "11111111".

[root@openEuler ~]# ifconfig | sed 's/255/11111111/'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 11111111.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX packets 129819 bytes 55567269 (52.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0

TX packets 120546 bytes 13141330 (12.5 MiB)


TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 11111111.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#

Step 2 Search and replace all the matched content.

Replace every "255" in the NIC information with "11111111".

[root@openEuler ~]# ifconfig | sed 's/255/11111111/g'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 11111111.11111111.11111111.0 broadcast 192.168.0.11111111
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX packets 129829 bytes 55568127 (52.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 120561 bytes 13143500 (12.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 11111111.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#

Step 3 Search and replace by using custom separators.

Use the at sign (@) instead of the slash (/) as the delimiter of the s command.

[root@openEuler ~]# ifconfig | sed 's@RX@Receive@'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
Receive packets 130033 bytes 55584699 (53.0 MiB)
Receive errors 0 dropped 0 overruns 0 frame 0
TX packets 120713 bytes 13166204 (12.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 255.0.0.0

inet6 ::1 prefixlen 128 scopeid 0x10<host>


loop txqueuelen 1000 (Local Loopback)
Receive packets 0 bytes 0 (0.0 B)
Receive errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#

Step 4 Reference a search string in a replacement string.

The text matched by the search string "RX" replaces & in the replacement string.

[root@openEuler ~]# ifconfig | sed 's/RX/&:Receive/'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:5d:b5:cb txqueuelen 1000 (Ethernet)
RX:Receive packets 130080 bytes 55588485 (53.0 MiB)
RX:Receive errors 0 dropped 0 overruns 0 frame 0
TX packets 120746 bytes 13170194 (12.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536


inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX:Receive packets 0 bytes 0 (0.0 B)
RX:Receive errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@openEuler ~]#
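The four substitution forms of Steps 1 to 4 (first match, global, custom delimiter, & back-reference), as an added example that is not part of the lab guide. It runs over a constructed two-line excerpt of the lab's ens3 output instead of live ifconfig, so the result does not depend on the host; it also goes slightly beyond the steps by showing why a custom delimiter matters for a path such as the NIC configuration file, and the \( \) group reference \1 as the general form of &. The backup path /root/backup/ is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the lab guide): the four sed substitution forms of
# Steps 1-4 applied to a constructed excerpt of ifconfig output.

# Constructed sample modelled on the lab's ens3 lines.
SAMPLE='inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
RX packets 129819 bytes 55567269 (52.9 MiB)'

# Step 1: without a flag, s/// replaces only the first match on each line.
sed_first() { printf '%s\n' "$SAMPLE" | sed 's/255/11111111/'; }

# Step 2: the g flag replaces every match on each line.
sed_global() { printf '%s\n' "$SAMPLE" | sed 's/255/11111111/g'; }

# Step 3: any character can delimit the s command.  A different delimiter
# avoids escaping when the pattern or replacement itself contains a slash,
# as with the path of the lab's NIC configuration file.
sed_delim() { printf '%s\n' "$SAMPLE" | sed 's@RX@Receive@'; }
sed_path() {
  # /root/backup/ is an assumed placeholder destination.
  printf '%s\n' '/etc/sysconfig/network-scripts/ifcfg-ens3' |
    sed 's@/etc/sysconfig/network-scripts/@/root/backup/@'
}

# Step 4: & in the replacement stands for the whole matched text; \1 refers
# to the first \( \) group of the pattern (the general form of &).
sed_amp() { printf '%s\n' "$SAMPLE" | sed 's/RX/&:Receive/'; }
sed_group() {
  printf '%s\n' "$SAMPLE" | sed 's/netmask \([0-9.]*\)/netmask \1 (mask)/'
}

# Print every form when the script is executed directly.
demo() {
  for f in sed_first sed_global sed_delim sed_path sed_amp sed_group; do
    echo "== $f"; "$f"
  done
}
demo
```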

5.5 File Operations


Step 1 Read content from another file.

Read the NIC configuration file and insert its content after the first line of the
ifconfig1.txt file in the output; the ifconfig1.txt file itself is not modified.

[root@openEuler ~]# echo 'myifconfig' > ifconfig1.txt


[root@openEuler ~]# sed '1r /etc/sysconfig/network-scripts/ifcfg-ens3' ifconfig1.txt
myifconfig
# Created by cloud-init on instance boot automatically, do not edit.
#
BOOTPROTO=dhcp
DEVICE=ens3
HWADDR=fa:16:3e:5d:b5:cb
ONBOOT=yes
TYPE=Ethernet
USERCTL=no

[root@openEuler ~]#

Step 2 Save content as another file.

Save the first line of the ifconfig1.txt file to the ifconfig2.txt file.

[root@openEuler ~]# sed '1w ifconfig2.txt' ifconfig1.txt


myifconfig
[root@openEuler ~]# cat ifconfig2.txt
myifconfig
[root@openEuler ~]#

5.6 Parameter Options


Step 1 Modify the input file.

Change the first line in ifconfig2.txt to "myifconfig2".

[root@openEuler ~]# sed -i '1c myifconfig2' ifconfig2.txt


[root@openEuler ~]# cat ifconfig2.txt
myifconfig2
[root@openEuler ~]#

Step 2 Execute multiple editing commands.

Print the first line of ifconfig2.txt and insert "Network card configuration information"
after the first line.

[root@openEuler ~]# sed -e '1p' -e '1a Network card configuration information' ifconfig2.txt
myifconfig2
myifconfig2
Network card configuration information
[root@openEuler ~]#

Step 3 Specify the sed script.

Create the ifconfig2.sed script and perform the editing operations described in Step 2.

[root@openEuler ~]# vim ifconfig2.sed


[root@openEuler ~]# cat ifconfig2.sed
#!/bin/sed -f

1p
1a Network card configuration information
[root@openEuler ~]# sed -f ifconfig2.sed ifconfig2.txt
myifconfig2
myifconfig2
Network card configuration information
[root@openEuler ~]#

Step 4 Cancel the default output.

Cancel the default output when running commands and display only the changed lines.

[root@openEuler ~]# sed -n '1aNetwork card configuration information' ifconfig2.txt


Network card configuration information
[root@openEuler ~]#
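The r, w, -i, -e, -f and -n operations of sections 5.5 and 5.6, as an added example that is not part of the lab guide. It works in a private temporary directory with a constructed stand-in for /etc/sysconfig/network-scripts/ifcfg-ens3, so nothing on the host is touched, and it adds one practitioner habit the lab does not show: giving -i a suffix so that in-place edits of configuration files leave a backup copy (GNU sed syntax, as on openEuler).

```shell
#!/bin/sh
# Added example (not from the lab guide): sed file operations and options
# from sections 5.5 and 5.6, run on constructed files in a temp directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the NIC configuration file (values from the lab).
printf 'BOOTPROTO=dhcp\nDEVICE=ens3\nONBOOT=yes\n' > "$WORK/ifcfg-ens3"
echo 'myifconfig' > "$WORK/ifconfig1.txt"

# 5.5 Step 1: 1r inserts the other file after line 1 of the output only;
# ifconfig1.txt itself is left unchanged.
demo_read() { sed "1r $WORK/ifcfg-ens3" "$WORK/ifconfig1.txt"; }

# 5.5 Step 2: 1w copies line 1 into ifconfig2.txt.  With -n the line is only
# written, not also echoed to the terminal as in the lab transcript.
demo_write() {
  sed -n "1w $WORK/ifconfig2.txt" "$WORK/ifconfig1.txt"
  cat "$WORK/ifconfig2.txt"
}

# 5.6 Step 1: -i edits the file in place.  A suffix after -i keeps a backup
# copy, which is worth doing on configuration files (GNU sed syntax).
demo_inplace() {
  sed -i.bak '1c myifconfig2' "$WORK/ifconfig2.txt"
  cat "$WORK/ifconfig2.txt"
}

# 5.6 Step 2: several -e expressions run in order on every input line.
demo_multi() {
  sed -e '1p' -e '1a Network card configuration information' "$WORK/ifconfig2.txt"
}

# 5.6 Step 3: the same commands read from a script file with -f.
demo_script() {
  printf '1p\n1a Network card configuration information\n' > "$WORK/ifconfig2.sed"
  sed -f "$WORK/ifconfig2.sed" "$WORK/ifconfig2.txt"
}

# 5.6 Step 4: -n suppresses the automatic print; text added by a, i or c and
# lines printed by p are still output, so only the change appears.
demo_quiet() { sed -n '1a Network card configuration information' "$WORK/ifconfig2.txt"; }

for f in demo_read demo_write demo_inplace demo_multi demo_script demo_quiet; do
  echo "== $f"; "$f"
done
```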

6 AWK Statements

6.1 Built-in Variables


Step 1 Current records.

Print the lines that contain "inet" in the NIC information:

[root@openEuler ~]# ifconfig | awk '/inet/{print $0}'


inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:fe5d:b5cb prefixlen 64 scopeid 0x20<link>
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
[root@openEuler ~]#

Step 2 Record fields.

Print the IP address and subnet mask in the NIC information.

[root@openEuler ~]# ifconfig | awk '/inet/{print $2,$4}'


192.168.0.22 255.255.255.0
fe80::f816:3eff:fe5d:b5cb 64
127.0.0.1 255.0.0.0
::1 128
[root@openEuler ~]#

Step 3 The number of record fields.

Print the number of fields in each line that contains an IPv6 address in the NIC information.

[root@openEuler ~]# ifconfig | awk '/inet6/{print NF}'


6
6
[root@openEuler ~]#

Step 4 Last column.

Print the IPv4 broadcast address in the NIC information.

[root@openEuler ~]# ifconfig | awk '/inet /{print $NF}'


192.168.0.255
255.0.0.0
[root@openEuler ~]#

Step 5 Line number.

Print the last column of the second line.

[root@openEuler ~]# ifconfig | awk 'NR==2{print $NF}'


192.168.0.255
[root@openEuler ~]#

6.2 Field Separators


Step 1 Input field separator (FS).

Print the eight colon-separated groups of each IPv6 address as separate fields. Method 1:

[root@openEuler ~]# ifconfig | awk '/inet6/{print $2}' > ifconfig3.txt


[root@openEuler ~]# cat ifconfig3.txt
fe80::f816:3eff:fe5d:b5cb
::1
[root@openEuler ~]# awk -F: '{print $1,$2,$3,$4,$5,$6,$7,$8}' ifconfig3.txt
fe80 f816 3eff fe5d b5cb
1
[root@openEuler ~]#

Method 2:

[root@openEuler ~]# awk 'BEGIN{FS=":"};{print $1,$2,$3,$4,$5,$6,$7,$8}' ifconfig3.txt


fe80 f816 3eff fe5d b5cb
1
[root@openEuler ~]#

Step 2 Output field separator (OFS).

Print the eight groups of each IPv6 address separated by vertical bars (|). Method 1:

[root@openEuler ~]# awk -F: '{print $1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8}' ifconfig3.txt


fe80||f816|3eff|fe5d|b5cb||
||1|||||
[root@openEuler ~]#

Method 2:

[root@openEuler ~]# awk -F: 'BEGIN{OFS="|"};{print $1,$2,$3,$4,$5,$6,$7,$8}' ifconfig3.txt


fe80||f816|3eff|fe5d|b5cb||
||1|||||
[root@openEuler ~]#

6.3 Record Separators


Step 1 Input record separator (RS).

Print each octet of the IPv4 address on its own line.

[root@openEuler ~]# ifconfig | awk 'NR==2{print $2}' > ifconfig3.txt


[root@openEuler ~]# cat ifconfig3.txt
192.168.0.22
[root@openEuler ~]# awk 'BEGIN{RS="."}{print $0}' ifconfig3.txt
192
168
0
22

[root@openEuler ~]#

Step 2 Output record separator (ORS).

Set the ORS to a space.

[root@openEuler ~]# awk 'BEGIN{RS=".";ORS=" "};{print $0}' ifconfig3.txt


192 168 0 22
[root@openEuler ~]#
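The built-in variables and separators of sections 6.1 to 6.3 in one runnable script, as an added example that is not part of the lab guide. Instead of live ifconfig it uses a constructed excerpt whose line layout matches the lab (line 2 is the ens3 inet line, line 11 the lo one). It also handles the edge case the lab's RS="." output shows: the last record keeps the line's trailing newline, which the ORS=" " form prints verbatim, so the example strips it and emits the separator only between records.

```shell
#!/bin/sh
# Added example (not from the lab guide): awk built-in variables, FS/OFS and
# RS/ORS from 6.1-6.3, run over a constructed ifconfig excerpt.

sample() {
  cat <<'EOF'
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.22  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f816:3eff:fe5d:b5cb  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:5d:b5:cb  txqueuelen 1000  (Ethernet)
        RX packets 129819  bytes 55567269 (52.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 120546  bytes 13141330 (12.5 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
EOF
}

# 6.1 Step 1/2: $0 is the whole record; $2 and $4 are fields split on runs of
# blanks, so the leading indentation does not create an empty first field.
inet_lines() { sample | awk '/inet/{print $0}'; }
addr_mask()  { sample | awk '/inet/{print $2,$4}'; }

# 6.1 Step 3/4: NF is the field count, $NF the last field.  The trailing space
# in "inet " excludes the inet6 lines.
ipv6_nf()    { sample | awk '/inet6/{print NF}'; }
ipv4_bcast() { sample | awk '/inet /{print $NF}'; }

# 6.1 Step 5: NR is the current record (line) number.
line2_last() { sample | awk 'NR==2{print $NF}'; }

# 6.2: FS splits input on ":", OFS joins the printed fields with "|".  The
# "::" of a compressed IPv6 address shows up as empty fields.
ipv6_groups() {
  sample | awk '/inet6/{print $2}' |
    awk 'BEGIN{FS=":";OFS="|"}{print $1,$2,$3,$4,$5,$6,$7,$8}'
}

# 6.3: RS="." makes each octet a record.  The final record still carries the
# line's newline; sub() removes it and the blank is printed only between
# records, which is what the lab's ORS=" " form approximates.
ipv4_octets() {
  sample | awk 'NR==2{print $2}' |
    awk 'BEGIN{RS="."}{sub(/\n$/,""); printf "%s%s", (NR>1?" ":""), $0} END{printf "\n"}'
}

for f in inet_lines addr_mask ipv6_nf ipv4_bcast line2_last ipv6_groups ipv4_octets; do
  echo "== $f"; "$f"
done
```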

6.4 Formatted Output


Step 1 print

Output customized IPv4 address information.

[root@openEuler ~]# ifconfig | awk 'NR==2{print $0}' > ifconfig3.txt


[root@openEuler ~]# cat ifconfig3.txt
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]# awk '{print "ip:"$2,"netmask:"$4,"broadcast:"$6}' ifconfig3.txt
ip:192.168.0.22 netmask:255.255.255.0 broadcast:192.168.0.255
[root@openEuler ~]#

Step 2 printf

Output customized IPv4 address information.

[root@openEuler ~]# ifconfig | awk 'NR==2;NR==11{print $0}' > ifconfig3.txt


[root@openEuler ~]# cat ifconfig3.txt
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet 127.0.0.1 netmask 255.0.0.0
[root@openEuler ~]# awk '{printf "%-5s%-20s%-10s%-20s%-10s%-20s\n",$1,$2,$3,$4,$5,$6}' ifconfig3.txt
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
inet 127.0.0.1 netmask 255.0.0.0
[root@openEuler ~]#

6.5 Regular Expressions


Step 1 Line number judgment.

Print the first two lines of the NIC information.

[root@openEuler ~]# ifconfig | awk 'NR<=2{print $0}'


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
[root@openEuler ~]#

Step 2 Logical judgment.

Print the second column of line 2 or line 11.

[root@openEuler ~]# ifconfig | awk 'NR==2 || NR==11 {print $2}'


192.168.0.22
127.0.0.1
[root@openEuler ~]#

Step 3 Content judgment.

Among the first two lines, print the second column of the lines that contain "192".

[root@openEuler ~]# ifconfig | awk 'NR<=2 && $0 ~ /192/{print $2}'


192.168.0.22
[root@openEuler ~]#

6.6 Control Statements


Step 1 Condition statements.

Print the IPv4 address in the NIC information.

[root@openEuler ~]# ifconfig | awk '{if($1=="inet"){print $2}}'


192.168.0.22
127.0.0.1
[root@openEuler ~]#

Step 2 Loop statements.

Add 20 asterisks (*) before the second column of the second line and 20 number signs
(#) after the second column.

[root@openEuler ~]# ifconfig | awk 'BEGIN{for(i=1;i<20;i++){printf "*"};printf "\n"};NR==2{print $2};END{i=1;while(i<20){printf "#";i++};printf "\n"}'
*******************
192.168.0.22
###################
[root@openEuler ~]#

6.7 Script Mode


Step 1 Create a script.

Create an AWK script.

[root@openEuler ~]# vim ifconfig3.sh


[root@openEuler ~]# cat ifconfig3.sh
#!/bin/awk -f

BEGIN{for(i=1;i<20;i++){printf "*"};printf "\n"};NR==2{print $2};END{i=1;while(i<20){printf "#";i++};printf "\n"}
[root@openEuler ~]#

Step 2 Use the script.

Use the AWK script.

[root@openEuler ~]# ifconfig | awk -f ifconfig3.sh


*******************
192.168.0.22
###################
[root@openEuler ~]#
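Formatted output, pattern and logical conditions, control statements and script mode (sections 6.4 to 6.7) in one runnable script, as an added example that is not part of the lab guide. It uses a shorter constructed sample (six lines, two interfaces, with non-zero RX error and dropped counters invented for lo), so the line numbers differ from the lab. Two points go beyond the steps: the lab's loop `for(i=1;i<20;i++)` runs 19 times, so the example uses `<=20` to produce the 20 characters the step text asks for; and the script-mode part is a small per-interface report that combines conditions, arrays and an END loop, the kind of check a practitioner would actually keep as an awk file. The script name nic_report.awk is an assumption.

```shell
#!/bin/sh
# Added example (not from the lab guide): awk printf, conditions, loops and
# script mode from 6.4-6.7 on a constructed six-line ifconfig excerpt.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample; the lo error/dropped counters are invented so that the
# report below has something to flag.
sample() {
  cat <<'EOF'
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.22  netmask 255.255.255.0  broadcast 192.168.0.255
        RX errors 0  dropped 0  overruns 0  frame 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        RX errors 3  dropped 1  overruns 0  frame 0
EOF
}

# 6.4 Step 2: printf with left-aligned, fixed-width columns (lab format string).
fmt_table() {
  sample | awk '$1=="inet"{printf "%-5s%-20s%-10s%-20s%-10s%-20s\n",$1,$2,$3,$4,$5,$6}'
}

# 6.5: line-number, logical and content conditions.
first_two() { sample | awk 'NR<=2{print $0}'; }
with_192()  { sample | awk 'NR<=2 && $0 ~ /192/{print $2}'; }

# 6.6 Step 1: an explicit if statement inside the action.
ipv4_if() { sample | awk '{if($1=="inet"){print $2}}'; }

# 6.6 Step 2: for and while loops; <=20 gives exactly 20 characters.
framed_ip() {
  sample | awk 'BEGIN{for(i=1;i<=20;i++){printf "*"};printf "\n"};NR==2{print $2};END{i=1;while(i<=20){printf "#";i++};printf "\n"}'
}

# 6.7: the same constructs in a script file run with awk -f.  One line per
# interface; interfaces with RX errors or drops are marked CHECK.
nic_report() {
  cat > "$WORK/nic_report.awk" <<'EOF'
#!/usr/bin/awk -f
# Constructed report script (assumed name nic_report.awk).
/^[a-z0-9]+: flags=/ { iface = $1; sub(/:$/, "", iface); order[++n] = iface }
$1 == "inet"                 { ip[iface] = $2 }
$1 == "RX" && $2 == "errors" { bad[iface] = $3 + $5 }   # errors + dropped
END {
  for (i = 1; i <= n; i++) {
    name = order[i]
    printf "%-6s %-15s rx_err_drop=%d%s\n", name, ip[name], bad[name], (bad[name] > 0 ? " CHECK" : "")
  }
}
EOF
  sample | awk -f "$WORK/nic_report.awk"
}

for f in fmt_table first_two with_192 ipv4_if framed_ip nic_report; do
  echo "== $f"; "$f"
done
```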
Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129
People's Republic of China
Website: https://e.huawei.com
OS Security Hardening Lab Guide Page 2

Huawei Certification System


Huawei Certification is an integral part of the company's Platform + Ecosystem
strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-
Device synergy. Our certification is always evolving to reflect the latest trends in ICT
development. Huawei Certification consists of three categories: ICT Infrastructure
Certification, Basic Software & Hardware Certification, and Cloud Platform & Services
Certification, making it the most extensive technical certification program in the
industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Our programs cover all ICT fields and follow the industry's trend of ICT convergence.
With our leading talent development system and certification standards, we are
committed to fostering new digital ICT talent and building a sound ICT talent
ecosystem.
Huawei Certified ICT Professional-openEuler (HCIP-openEuler) is intended for frontline
engineers at Huawei regional offices or representative offices, and other personnel who
want to learn openEuler technologies. HCIP-openEuler certification covers common
openEuler enterprise service management, openEuler HA cluster architecture,
openEuler storage management, openEuler automated O&M, Linux shell scripts,
openEuler system security hardening, and openEuler system monitoring.
Huawei certification helps you unlock opportunities to advance your career and take
one more step towards the top of the industry.

About This Document

Overview
This document is intended for trainees preparing for the HCIP-openEuler certification
exam and those who are interested in security technologies of openEuler or other Linux
distributions, including security hardening policies, principles and usage of common
firewalls, and SELinux mandatory access control policies.

Description
This document consists of eight labs, covering security hardening policies from five
aspects: kernel parameters, authorization and authentication, account and password, file
permission, and system services. It also describes the principles and command usage of
common firewall tools.
⚫ Lab 1: Kernel parameter hardening
⚫ Lab 2: Authorization and authentication hardening
⚫ Lab 3: Account and password hardening
⚫ Lab 4: File permission hardening
⚫ Lab 5: SSH service hardening
⚫ Lab 6: iptables comprehensive practice
⚫ Lab 7: firewalld comprehensive practice
⚫ Lab 8: SELinux access control practice

Background Knowledge Required


This course is for Huawei's basic certification. To better understand this course,
familiarize yourself with the following:
⚫ Linux knowledge. You are advised to complete HCIA-openEuler learning and pass the
HCIA-openEuler certification exam.
⚫ Basic network knowledge and the concepts and commands related to the operating
system (OS).

Lab Environment
The lab requires two ECSs, one serving as the bastion host and the other as the web
application server, to secure the network. JumpServer is the only entry point for
accessing intranet services.

Figure 1-1 Topology

Environment Preparation
Checking Devices
Before the lab, each group of trainees should apply for ECSs on Huawei Cloud according
to the following table.

Device Name    Specifications                   Remarks
JumpServer     2 vCPUs | 4 GiB | s7.large.2
Server         2 vCPUs | 4 GiB | s7.large.2



Contents
About This Document .... 4
Overview .... 4
Description .... 4
Background Knowledge Required .... 4
Lab Environment .... 4
Environment Preparation .... 5
1 OS Security Hardening .... 1
1.1 Introduction .... 1
1.1.1 About This Lab .... 1
1.1.2 Objectives .... 1
1.1.3 Planning .... 1
1.2 Kernel Parameter Hardening Practice .... 1
1.2.1 Hardening Policy Configuration .... 1
1.3 Authorization and Authentication Hardening Practice .... 2
1.3.1 Configuring a Warning for Remote Network Access .... 2
1.3.2 Disabling System Restart Using Ctrl+Alt+Del .... 2
1.3.3 Setting the Automatic Timeout for Terminals .... 3
1.3.4 Setting the Default User's umask Value to 0077 .... 3
1.3.5 Setting the Encryption Password of GRUB2 .... 3
1.3.6 Resetting the Root Password .... 4
1.4 Account and Password Hardening Practice .... 5
1.4.1 Shielding System Accounts .... 5
1.4.2 Restricting Accounts that Are Allowed to Use su Commands .... 6
1.4.3 Hardening su Commands .... 6
1.4.4 Setting a Password Validity Period .... 6
1.4.5 Setting Password Complexity .... 6
1.4.6 Setting Password Encryption Algorithms .... 7
1.4.7 Locking an Account After Three Login Failures .... 7
1.5 File Permission Hardening Practice .... 7
1.5.1 Setting File Permissions and Ownership .... 7
1.5.2 Deleting Unowned Files .... 8
1.5.3 Deleting Link Files Pointing to Deleted Files .... 8
1.5.4 Adding the Sticky Bit Property for Globally Writable Directories .... 9
1.5.5 Disabling Global Write on Unauthorized Files .... 9
1.5.6 Restricting Permissions to Run at Commands .... 9
1.5.7 Restricting Permissions to Run cron Commands .... 10
1.5.8 Restricting Permissions to Run sudo Commands .... 10
1.6 SSH Service Hardening Practice .... 10
1.6.1 Limiting the Number of Identity Authentication Attempts .... 11
1.6.2 Forbidding Login Using Accounts with Empty Passwords .... 11
1.6.3 Disabling Password-Free Login Based on Trusted Hosts .... 11
1.6.4 Displaying the Date and Time of the Last Login .... 11
1.6.5 Terminating Idle SSH Sessions .... 12
1.6.6 Listening to a Specific Address .... 12
1.6.7 Configuring the SSH Blocklist .... 12
1.6.8 Disabling Login of the Root User .... 12
1.6.9 Allowing Login Through Key Authentication .... 13
1.6.10 Disabling Password Authentication Login .... 14
1.7 Quiz .... 14
2 OS Network Security .... 15
2.1 Introduction .... 15
2.1.1 About This Lab .... 15
2.1.2 Objectives .... 15
2.1.3 Environment Preparation .... 15
2.2 Comprehensive Practices of iptables .... 16
2.2.1 Installing and Enabling iptables .... 16
2.2.2 Configuring JumpServer Rules .... 16
2.2.3 (Optional) Network Address Translation .... 17
2.3 Comprehensive Practices of firewalld .... 20
2.3.1 Installing and Enabling firewalld .... 20
2.3.2 Network Address Translation .... 21
2.3.3 Adding firewalld Rules Using CLI .... 23
2.3.4 Adding firewalld Rules Using an XML File .... 24
2.4 Quiz .... 25
3 Mandatory Access Control on SELinux .... 27
3.1 Introduction .... 27
3.1.1 About This Lab .... 27
3.1.2 Objectives .... 27
3.2 Comprehensive Practices of SELinux Access Control .... 27
3.2.1 Installing and Enabling SELinux .... 27
3.2.2 Restricting SELinux Ports .... 29
3.2.3 Restricting SELinux Types .... 30
3.3 Quiz .... 32

1 OS Security Hardening

1.1 Introduction
1.1.1 About This Lab
This lab describes hardening policies of the openEuler OS from five aspects to improve
system and networking security.

1.1.2 Objectives
⚫ Master hardening policies for system services.
⚫ Master hardening policies for kernel parameters.
⚫ Master hardening policies for accounts and passwords.
⚫ Master hardening policies for authorization and authentication.
⚫ Master hardening policies for file permissions.

1.1.3 Planning
In this lab, the JumpServer cloud host is used as the only entry to the intranet, and
security hardening is performed on the host.

1.2 Kernel Parameter Hardening Practice


The kernel exposes tunable parameters through the sysctl interface. Setting these kernel
parameters appropriately improves OS security.
⚫ All hardening items are written in the /etc/sysctl.conf file.
⚫ Load the sysctl.conf file for the configured kernel parameters to take effect.

[root@Jumpserver ~]# sysctl -p /etc/sysctl.conf

1.2.1 Hardening Policy Configuration


Step 1 ip_forward: enables IP routing to facilitate data packet forwarding.

net.ipv4.ip_forward=1

Step 2 log_martians: logs data packets with abnormal (martian) IP addresses.



net.ipv4.conf.all.log_martians=1

Step 3 send_redirects: disables all interfaces from sending IPv4 ICMP redirection packets.

net.ipv4.conf.all.send_redirects=0

Step 4 accept_source_route: disables source routing data packets.

net.ipv4.conf.all.accept_source_route=0

Step 5 accept_redirects: disables the function of accepting ICMP redirection packets.

net.ipv4.conf.all.accept_redirects=0

Step 6 icmp_echo_ignore_broadcasts: disables response to the ping broadcast.

net.ipv4.icmp_echo_ignore_broadcasts=1

Step 7 rp_filter: enables reverse path filtering, which disables asymmetric (triangular)
routing by replying only through the interface on which the request arrived. This
prevents IP spoofing.

net.ipv4.conf.all.rp_filter=1

Step 8 tcp_syncookies: enables SYN flooding protection to prevent DoS attacks.

net.ipv4.tcp_syncookies=1
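A small audit helper for the eight settings of Steps 1 to 8, as an added example that is not part of the lab guide. Editing /etc/sysctl.conf is only half the job; a defender also wants to confirm, after the edit and periodically afterwards, that no key was mistyped, commented out or overridden later in the file. The function below checks a sysctl-style file against the lab's expected values and returns the number of deviations. It is exercised here on two constructed files in a temporary directory; on a real host you would point it at /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the lab guide): audit a sysctl configuration file
# against the eight hardening values listed in Steps 1-8.

# Expected values, exactly as listed in Steps 1-8.
EXPECTED='net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1'

# audit_sysctl_file FILE: print one line per missing or deviating key and
# return the number of deviations (0 means all eight match).  Comment and
# blank lines are ignored, "key = value" spacing is tolerated, and the last
# definition of a key wins, as it does for sysctl itself.
audit_sysctl_file() {
  file=$1
  bad=0
  for entry in $EXPECTED; do
    key=${entry%%=*}
    want=${entry#*=}
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    have=$(sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$file" |
           sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$have" ]; then
      echo "MISSING $key (want $want)"
      bad=$((bad + 1))
    elif [ "$have" != "$want" ]; then
      echo "WRONG   $key=$have (want $want)"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Constructed inputs: a compliant file and one with two deviations
# (ip_forward set to 0 with spaces around "=", rp_filter absent).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
{ echo '# hardened sysctl.conf (constructed sample)'; printf '%s\n' "$EXPECTED"; } > "$WORK/good.conf"
printf '%s\n' "$EXPECTED" | sed '/rp_filter/d; s/ip_forward=1/ip_forward = 0/' > "$WORK/bad.conf"

echo "== good.conf"; audit_sysctl_file "$WORK/good.conf" || echo "deviations: $?"
echo "== bad.conf";  audit_sysctl_file "$WORK/bad.conf"  || echo "deviations: $?"
```

After correcting a deviation, reload the file with `sysctl -p /etc/sysctl.conf` as the section states; the audit only reads the file and does not change the running kernel.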

1.3 Authorization and Authentication Hardening Practice


1.3.1 Configuring a Warning for Remote Network Access
The warning banner is shown to users before they log in and tells them that unauthorized
access may be punished, which deters potential attackers. Replacing the default banner
also avoids disclosing system architecture and version information that could be used for
targeted attacks on the system.
You can modify the /etc/issue.net file to implement this setting. Replace the original
content of the /etc/issue.net file with the following information (which has been set in
openEuler by default):

Authorized users only. All activities may be monitored and reported.

1.3.2 Disabling System Restart Using Ctrl+Alt+Del


By default, the OS can be restarted by pressing "Ctrl+Alt+Del". You are advised to disable
this function to prevent data loss caused by misoperations.
To disable this function, perform the following steps:

Step 1 Delete the two ctrl-alt-del.target files.



[root@Jumpserver ~]# rm -f /etc/systemd/system/ctrl-alt-del.target


[root@Jumpserver ~]# rm -f /usr/lib/systemd/system/ctrl-alt-del.target

Step 2 Modify the /etc/systemd/system.conf file.

Change #CtrlAltDelBurstAction=reboot-force to CtrlAltDelBurstAction=none.

Step 3 Restart systemd for the modification to take effect.

[root@Jumpserver ~]# systemctl daemon-reexec

1.3.3 Setting the Automatic Timeout for Terminals


Unattended terminals are exposed to eavesdropping or misuse. Therefore, you are advised
to set terminals to exit automatically after they have been idle for a period of time.
At the end of the /etc/profile file, set the TMOUT field (unit: second) that specifies the
interval for automatic exit as follows:

export TMOUT=300

1.3.4 Setting the Default User's umask Value to 0077


The umask value determines the default permission of a newly created file or directory.
If the umask value is too small, group users and other users are granted excessive
permissions, which threatens system security. Therefore, the default umask value for all
users is set to 0077. That is, the default permission on directories created by users is
700, and the default permission on files is 600.
By default, the default user's umask value in openEuler is 0022.

Step 1 Add umask 0077 to the /etc/bashrc file and all files in /etc/profile.d/.

[root@Jumpserver ~]# echo "umask 0077" >> /etc/bashrc
[root@Jumpserver ~]# for i in /etc/profile.d/*; do echo "umask 0077" >> "$i"; done

The loop must use the full path of each file; iterating over the bare names printed by
ls would append the line to files of the same name in the current directory instead.

Step 2 Set the owner and group of the /etc/bashrc file and all files in /etc/profile.d/ to
root.

$FILE indicates the file name, for example, /etc/bashrc.

[root@Jumpserver ~]# chown root.root $FILE
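The umask arithmetic of this section, checked in practice, as an added example that is not part of the lab guide. The first function creates a directory and a file under a given umask in a fresh temporary directory and reports the resulting modes, so the 0077 to 700/600 claim (and the 0022 default to 755/644) can be verified on any host; the second lists the files in a directory that still lack an "umask 0077" line, which is a quick way to confirm Step 1 covered every file in /etc/profile.d. It assumes GNU stat (as on openEuler) and uses constructed sample files.

```shell
#!/bin/sh
# Added example (not from the lab guide): verify what a umask does to new
# files and directories, and find profile.d files that still lack the line.

# perm_under_umask MASK: create a directory and a file under MASK in a fresh
# temporary directory and report their octal modes as "dir=NNN file=NNN".
perm_under_umask() {
  d=$(mktemp -d)
  # The umask change is confined to the subshell; the caller's mask is untouched.
  ( umask "$1"; mkdir "$d/sub"; : > "$d/f" )
  printf 'dir=%s file=%s\n' "$(stat -c %a "$d/sub")" "$(stat -c %a "$d/f")"
  rm -rf "$d"
}

# files_missing_umask DIR: print the files under DIR (e.g. /etc/profile.d)
# that do not contain an "umask 0077" line at the start of a line.
files_missing_umask() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    grep -q '^umask 0077' "$f" || echo "$f"
  done
}

# Constructed stand-in for /etc/profile.d with one hardened and one
# not-yet-hardened file.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'umask 0077\n' > "$SAMPLE_DIR/a.sh"
printf 'export EDITOR=vim\n' > "$SAMPLE_DIR/b.sh"

# openEuler default (0022) versus the hardened value (0077).
for m in 0022 0077; do
  echo "umask $m: $(perm_under_umask "$m")"
done
echo "files still missing umask 0077:"
files_missing_umask "$SAMPLE_DIR"
```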

1.3.5 Setting the Encryption Password of GRUB2


The default password of GRUB2 is openEuler#12. You are advised to change the default
password upon the first login and to update it periodically. If the password is leaked,
startup item configurations may be modified, causing system startup to fail.

Step 1 Use the grub2-mkpasswd-pbkdf2 command to generate an encrypted password.

[root@Jumpserver ~]# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is
grub.pbkdf2.sha512.10000.011476329D0DCD1DE1758B7F19BC275BB60CC6C3DF1082BFB812D249112484E7E7C084E6687A957BB91B40F0A8860E78872AACB89F277EB7D68DC2BD86D34E13.B29208FBE271A702ECA14CCB518C165F86564EED56D277434A289948C2504C5AAB73DFCF8E87B160525953DFC51A57B3A17CE4452E2DD6BB0FAC1A0F36120FB4

Step 2 Add the following fields to the /etc/grub2.cfg file:

[root@Jumpserver ~]# vi /etc/grub2.cfg

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.011476329D0DCD1DE1758B7F19BC275BB60CC6C3DF1082BFB812D249112484E7E7C084E6687A957BB91B40F0A8860E78872AACB89F277EB7D68DC2BD86D34E13.B29208FBE271A702ECA14CCB518C165F86564EED56D277434A289948C2504C5AAB73DFCF8E87B160525953DFC51A57B3A17CE4452E2DD6BB0FAC1A0F36120FB4

The superusers field sets the account name of the GRUB2 superuser. The first parameter
following password_pbkdf2 is the GRUB2 account name, and the second parameter is the
encrypted password of the account; both must be on the same line. Note that grub2-mkconfig
regenerates /etc/grub2.cfg, so these entries must be added again (or kept in
/etc/grub.d/40_custom, whose content is copied into the generated file) whenever the
configuration is regenerated.

1.3.6 Resetting the Root Password


Step 1 Restart the system and go to the GRUB screen.

Restart the openEuler system. When the GNU GRUB screen is displayed, press e to modify
the startup command of the system.
Enter the user name root and the GRUB2 password set in 1.3.5 to go to the startup
command modification screen.

Step 2 Add the rd.break parameter to enter the single-user mode.

Find the line starting with "linux" and add rd.break to the end of the line.
Press Ctrl+X to boot into single-user mode.

Step 3 Remount the root directory.

Remount the root directory (/sysroot) in writable mode and switch to this environment.

sh-5.1# mount -o remount,rw /sysroot
sh-5.1# chroot /sysroot

Step 4 Reset the password of the root user.

sh-5.1# echo "Huawei@123" | passwd --stdin root
sh-5.1# exit
sh-5.1# reboot

1.4 Account and Password Hardening Practice


1.4.1 Shielding System Accounts
Accounts are classified into user accounts and system accounts. System accounts are used only
inside the system and must not be used to log in to it or to perform other
operations. Therefore, system accounts are shielded.
Lock the password of a system account (-L) and change its shell to /sbin/nologin (-s), where
systemaccount indicates the system account:

usermod -L -s /sbin/nologin systemaccount

Find out the accounts that are forbidden from logging in to the system and check the
account status.

[root@Jumpserver ~]# grep nologin /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
[root@Jumpserver ~]# passwd -S dhcpd
dhcpd LK 2022-03-30 -1 -1 -1 -1 (Password locked.)

1.4.2 Restricting Accounts that Are Allowed to Use su Commands


The su command switches between accounts. To enhance system security, it is
necessary to control who may use su. Only the root user and members of
the wheel group are allowed to use su.
You can modify the /etc/pam.d/su file to control the use of su as follows:

auth required pam_wheel.so use_uid

1.4.3 Hardening su Commands


When su is used to switch to another user, the environment variables of the current user
must not be carried into the new user's environment. openEuler makes this configuration
by default: PATH is always re-initialized when su switches users.
Implement this setting in the /etc/login.defs file as follows:

ALWAYS_SET_PATH=yes

1.4.4 Setting a Password Validity Period


To ensure system security, you are advised to set a password validity period and to warn
users to change their passwords before they expire.
You can set a password validity period by modifying the hardening-related fields in the
/etc/login.defs file.

PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

1.4.5 Setting Password Complexity


You can set password complexity by modifying the corresponding configuration files as
required.
Add the following two lines at the beginning of the password section in the
/etc/pam.d/password-auth and /etc/pam.d/system-auth files:

password requisite pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0
password required pam_pwhistory.so use_authtok remember=5 enforce_for_root

1.4.6 Setting Password Encryption Algorithms


For system security, passwords must not be stored in plaintext. Where a password never
needs to be recovered, it must be protected with an irreversible (one-way) algorithm.
Set the password hashing algorithm to sha512, which is the openEuler default. This setting
helps prevent password disclosure if the password store is exposed.
Modify the /etc/pam.d/password-auth and /etc/pam.d/system-auth files as follows:

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

1.4.7 Locking an Account After Three Login Failures


To ensure system security, you are advised to set the maximum number of incorrect
password attempts (three recommended) and the automatic unlock time (300
seconds recommended) for a locked account.
During the lock period, any input is considered invalid but does not restart the lock
timer. Records of a user's incorrect attempts are cleared once the account is
unlocked. These settings protect passwords from brute-force guessing and
improve system security.
You can set the lock policy by modifying the /etc/pam.d/password-auth and
/etc/pam.d/system-auth files. In the following example, the maximum number of
incorrect password attempts is set to 3 and the unlock time after an account is locked
is set to 300 seconds.

auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300
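The four settings above (validity period, complexity, hash algorithm and lock-out) are easy to get subtly wrong, for example by editing only one of the two PAM files. The following shell script is an added example, not part of the lab guide: it reads a copy of /etc/login.defs and of /etc/pam.d/system-auth and reports every value that falls short of the settings in 1.4.4 to 1.4.7. Both input files are constructed samples written to a temporary directory, and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not part of the lab guide): audit the settings from 1.4.4 to 1.4.7.
# Both input files are constructed samples, not the lab hosts' real configuration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/login.defs" <<'EOF'
# constructed sample of /etc/login.defs (validity period left at the installer default)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

cat > "$WORK/system-auth" <<'EOF'
# constructed sample of /etc/pam.d/system-auth (faillock and pwquality present, md5 hashes)
auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300
auth        required      pam_deny.so
password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

# login_defs_value FILE KEY -> value of the last uncommented KEY line (empty if unset)
login_defs_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# pam_arg FILE TYPE MODULE ARG -> value of ARG=VALUE on the first TYPE line that loads MODULE
pam_arg() {
    awk -v t="$2" -v m="$3" -v a="$4" '
        $1 == t && index($0, m) {
            for (i = 4; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == a) { print kv[2]; exit }
        }' "$1"
}

# audit_password_policy LOGIN_DEFS SYSTEM_AUTH -> prints one line per finding and
# returns the number of findings (0 means the file pair meets the lab's settings)
audit_password_policy() {
    defs=$1; auth=$2; n=0
    v=$(login_defs_value "$defs" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 90 ]; then
        echo "PASS_MAX_DAYS is '${v:-unset}', expected 90 or less"; n=$((n + 1)); fi
    v=$(login_defs_value "$defs" PASS_WARN_AGE)
    if [ -z "$v" ] || [ "$v" -lt 7 ]; then
        echo "PASS_WARN_AGE is '${v:-unset}', expected 7 or more"; n=$((n + 1)); fi
    v=$(pam_arg "$auth" password pam_pwquality.so minlen)
    if [ -z "$v" ] || [ "$v" -lt 8 ]; then
        echo "pam_pwquality minlen is '${v:-unset}', expected 8 or more"; n=$((n + 1)); fi
    v=$(pam_arg "$auth" password pam_pwquality.so minclass)
    if [ -z "$v" ] || [ "$v" -lt 3 ]; then
        echo "pam_pwquality minclass is '${v:-unset}', expected 3 or more"; n=$((n + 1)); fi
    v=$(pam_arg "$auth" auth pam_faillock.so deny)
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "pam_faillock deny is '${v:-unset}', expected 3 or less"; n=$((n + 1)); fi
    v=$(pam_arg "$auth" auth pam_faillock.so unlock_time)
    if [ -z "$v" ]; then
        echo "pam_faillock unlock_time is unset (locked accounts stay locked until an administrator intervenes)"; n=$((n + 1)); fi
    # The hash algorithm is an option of pam_unix.so on the password line.
    if ! awk '$1 == "password" && index($0, "pam_unix.so")' "$auth" | grep -qw sha512; then
        echo "pam_unix.so password line does not select sha512"; n=$((n + 1)); fi
    return "$n"
}

audit_password_policy "$WORK/login.defs" "$WORK/system-auth" || echo "$? finding(s)"
```

On a lab host, run audit_password_policy /etc/login.defs /etc/pam.d/system-auth and then again with /etc/pam.d/password-auth, since both PAM files must carry the same lines; a non-zero return code is the number of findings.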

1.5 File Permission Hardening Practice


1.5.1 Setting File Permissions and Ownership
Linux treats all objects as files. Even a directory is regarded as a large file containing
multiple other files. Therefore, file and directory security is essential to Linux. The security
of files and directories is ensured by permissions and ownership.
In openEuler, permissions and ownership for common directories, executable files, and
configuration files are set by default.
Take the /bin directory as an example. To change the file permission and ownership,
perform the following steps:

Step 1 Modify the file permission. For example, set the permission on the /bin directory to
755.

chmod 755 /bin



Step 2 Change the file ownership. For example, set the owner and group of the /bin
directory to root:root.

chown root:root /bin

1.5.2 Deleting Unowned Files


When deleting a user or group, the system administrator may forget to delete the files
owned by the user or group. If there is a new user or group with an identical name to
that of the user or group to be deleted, the new user or group will own some files that
do not belong to them. Therefore, you are advised to delete these files.
⚫ Deleting files whose user IDs do not exist

Step 1 Search for files whose user IDs do not exist.

find / -nouser

Step 2 Delete the found files. In the command, filename indicates the name of a file
whose user ID does not exist.

rm -f filename

⚫ Deleting files whose group IDs do not exist

Step 3 Search for files whose group IDs do not exist.

find / -nogroup

Step 4 Delete the found files. In the command, filename indicates the name of a file
whose group ID does not exist.

rm -f filename

1.5.3 Deleting Link Files Pointing to Deleted Files


Link files pointing to deleted files may be exploited by malicious users, deteriorating
system security. You are advised to delete those files to improve system security.
After openEuler is installed, link files pointing to deleted files may exist, and these files
may have corresponding functions. (Some of them are preconfigured and may be
depended on by other components.)

Step 1 Run the following command to search for link files pointing to deleted files:

find dirname -type l -follow 2>/dev/null

dirname is the name of the directory to be searched. Pay special attention to key
directories /bin, /boot, /usr, /lib64, /lib, and /var.

Step 2 If such files are useless, run the following command to delete them. In the
command, filename is the name of a link file pointing to deleted files.

rm -f filename

1.5.4 Adding the Sticky Bit Property for Globally Writable Directories


Any user can delete or modify files and directories in globally writable directories. To
prevent those files and directories from being arbitrarily deleted, add the sticky bit
property for the globally writable directories.

Step 1 Find globally writable directories.

find / -type d -perm -0002 ! -perm -1000 -ls | grep -v proc

Step 2 Add the sticky bit property for globally writable directories. Replace dirname with
the actual directory name.

chmod +t dirname

1.5.5 Disabling Global Write on Unauthorized Files


Globally writable files can be modified by any user in a system, which impacts system
integrity.

Step 1 Display all globally writable files.

find / -type d -perm -o+w ! -path '/proc/*' -exec ls -ld {} + | awk '{print $1,$NF}'
find / -type f -perm -o+w ! -path '/proc/*' -exec ls -l {} + | awk '{print $1,$NF}'

Step 2 View all listed files, exclude files and directories with sticky bits, and delete files or
remove their global write permission. In the command, filename indicates the
corresponding file name.

chmod o-w filename
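The find commands above list candidates but leave the remediation to hand-typed chmod calls on each path. As an added example that is not part of the lab guide, the script below combines 1.5.4 and 1.5.5: it lists world-writable files and directories that lack the sticky bit and remediates them with -exec, which passes every path (spaces included) safely. It is exercised on a constructed sample tree under a temporary directory instead of on /; the function names are this example's own.

```bash
#!/bin/sh
# Added example (not part of the lab guide): find globally writable files and directories
# that lack the sticky bit (1.5.4 and 1.5.5) and remediate them, exercised on a constructed
# sample tree under a temporary directory rather than on /.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Constructed sample tree: two entries that need attention, two that are acceptable.
mkdir -p "$ROOT/shared tmp" "$ROOT/dropbox" "$ROOT/etc"
printf 'x\n' > "$ROOT/etc/world writable.conf"
printf 'y\n' > "$ROOT/etc/private.conf"
chmod 1777 "$ROOT/shared tmp"               # world-writable with sticky bit: acceptable, like /tmp
chmod 0777 "$ROOT/dropbox"                  # world-writable directory, no sticky bit: finding
chmod 0666 "$ROOT/etc/world writable.conf"  # world-writable regular file: finding
chmod 0644 "$ROOT/etc/private.conf"         # normal file: not listed

# world_writable_unprotected DIR -> paths (one per line) of regular files and directories
# under DIR that are writable by others and do not carry the sticky bit. -xdev keeps the
# scan on one file system and the -path test skips /proc when DIR is /.
world_writable_unprotected() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 \
        ! -path '/proc/*' -print | sort
}

# remediate_world_writable DIR -> adds the sticky bit to unprotected world-writable
# directories (1.5.4) and removes the global write bit from world-writable files (1.5.5)
remediate_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 ! -path '/proc/*' -exec chmod +t {} +
    find "$1" -xdev -type f -perm -0002 ! -path '/proc/*' -exec chmod o-w {} +
}

# count_unprotected DIR -> number of findings as a bare integer
count_unprotected() {
    world_writable_unprotected "$1" | wc -l | tr -d ' '
}

echo "findings under $ROOT:"
world_writable_unprotected "$ROOT"
echo "remediate_world_writable \"$ROOT\" would fix $(count_unprotected "$ROOT") entry/entries"
```

On a real host, run world_writable_unprotected / as root and review the list before calling remediate_world_writable: a world-writable directory such as /tmp already carries the sticky bit and is therefore skipped, and files that are world-writable by design should be deleted rather than silently tightened.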

1.5.6 Restricting Permissions to Run at Commands


at commands are used to create tasks that are automatically executed at a specific time
point. To prevent users from arbitrarily running at commands, you need to specify users
who can use the at commands. Otherwise, the system may be vulnerable to attacks.

Step 1 Delete the /etc/at.deny file.

rm -f /etc/at.deny

Step 2 Create the /etc/at.allow file.

touch /etc/at.allow

Step 3 Change the owner of the /etc/at.allow file to root:root.

chown root:root /etc/at.allow

Step 4 Control the permission on the /etc/at.allow file. Only the root user can perform
this operation.

chmod og-rwx /etc/at.allow

1.5.7 Restricting Permissions to Run cron Commands


cron commands are used to create routine tasks. To prevent users from arbitrarily
running cron commands, you need to specify users who can use the cron commands.
Otherwise, the system may be vulnerable to attacks.

Step 1 Delete the /etc/cron.deny file.

rm -f /etc/cron.deny

Step 2 Create the /etc/cron.allow file.

touch /etc/cron.allow

Step 3 Change the owner of the /etc/cron.allow file to root:root.

chown root:root /etc/cron.allow

Step 4 Control the permission on the /etc/cron.allow file. Only the root user can perform
this operation.

chmod og-rwx /etc/cron.allow

1.5.8 Restricting Permissions to Run sudo Commands


The sudo command allows a common user to run commands with root privileges. To enhance
system security, it is necessary to control who may use sudo. Only the
root user is allowed to execute sudo commands. By default, openEuler does not restrict
non-root users from executing sudo commands.
You can modify the /etc/sudoers file to control the use of sudo. Make sure the following
configuration line is commented out:

#%wheel ALL=(ALL) ALL

1.6 SSH Service Hardening Practice


The SSH protocol can effectively prevent information leakage during remote
management.
⚫ All hardening items of the SSH service are stored in the /etc/ssh/sshd_config file.
⚫ The configuration that has been commented out in the file is the default openEuler
policy.
⚫ After the configuration is modified, restart the SSH service for the modification to
take effect.

[root@Jumpserver ~]# systemctl restart sshd

1.6.1 Limiting the Number of Identity Authentication Attempts


Limiting the maximum number of authentication attempts per connection is an effective way to
mitigate brute-force attacks.

MaxAuthTries 3

If a user fails to enter the correct password for three consecutive times when logging in
to the OS, the user will be locked for 60 seconds.

1.6.2 Forbidding Login Using Accounts with Empty Passwords


Any SSH connection requires a non-null password string.

PermitEmptyPasswords no

1.6.3 Disabling Password-Free Login Based on Trusted Hosts


The .rhosts file controls the trust relationship between systems: if a system trusts
another system, it allows login from the trusted system without a password.
This mechanism is seldom used, and you are advised to disable it in most cases.

IgnoreRhosts yes

1.6.4 Displaying the Date and Time of the Last Login


Printing the date and time of the last login lets users notice unauthorized
logins to their accounts, which facilitates the investigation of unidentified accesses.

PrintLastLog yes

The last login time of the user is then displayed when the user logs in (screenshot not
reproduced here).

1.6.5 Terminating Idle SSH Sessions


Keeping SSH sessions open for a long time may cause security risks. It is recommended
that idle SSH sessions be terminated.

ClientAliveInterval 900
ClientAliveCountMax 0

Inactive sessions are automatically disconnected after 15 minutes (900 seconds). Note that
on OpenSSH 8.2 and later, ClientAliveCountMax 0 disables the disconnection entirely; on
those versions, use ClientAliveCountMax 1 so that a session is closed after one unanswered
keepalive probe.

1.6.6 Listening to a Specific Address


By default, SSH listens to all IP addresses configured on the local host, but you should
bind SSH to a specific IP address.

ListenAddress 192.168.0.48

1.6.7 Configuring the SSH Blocklist


Users in the DenyUsers list are not allowed to log in.

DenyUsers $username

By default, users not listed in DenyUsers are treated as allowed (trustlist) users. A user
cannot be in both the blocklist and the trustlist at the same time.

1.6.8 Disabling Login of the Root User


Forcing users to remotely log in to the system using specific accounts ensures
accountability.

PermitRootLogin no

The root user is not allowed to remotely log in to the system, and a common user is not
allowed to switch to the root user.

1.6.9 Allowing Login Through Key Authentication


Key authentication replaces the password with a key pair and allows password-free login.

PubkeyAuthentication yes

Step 1 Generate a local key.

Step 2 View the key and modify the permission.

[root@Jumpserver ~]# ls .ssh/
id_rsa id_rsa.pub known_hosts known_hosts.old
[root@Jumpserver ~]# chmod 600 ~/.ssh/id_rsa
[root@Jumpserver ~]# chmod 600 ~/.ssh/id_rsa.pub
[root@Jumpserver ~]# chmod 700 ~/.ssh

Step 3 Upload the public key to the server.

[root@Jumpserver ~]# cd .ssh/
[root@Jumpserver .ssh]# ssh-copy-id -i id_rsa.pub [email protected]

Step 4 View the public key and verify the result.

[root@Server ~]# ls -l .ssh/
total 12
-rw------- 1 root root 569 May 15 06:45 authorized_keys
-rw------- 1 root root 834 May 15 03:07 known_hosts
-rw-r--r-- 1 root root 94 May 15 03:06 known_hosts.old

1.6.10 Disabling Password Authentication Login


After a public key is used for login authentication, do not use a password to log in to the
system to prevent password leakage. This policy applies only to the intranet web server.

PasswordAuthentication no
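The ten items above are all single keywords in /etc/ssh/sshd_config, which makes them easy to audit. The following shell script is an added example, not part of the lab guide: it reads a constructed sample of sshd_config and reports each item that deviates from sections 1.6.1 to 1.6.10. It honours sshd's rule that the first uncommented occurrence of a keyword wins, and it treats ClientAliveCountMax 0 as a finding because OpenSSH 8.2 and later interpret that value as "never disconnect". The function names and the sample file are this example's own.

```bash
#!/bin/sh
# Added example (not part of the lab guide): check an sshd_config against the hardening
# items of section 1.6. The file below is a constructed sample, not the lab host's file.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/sshd_config" <<'EOF'
# constructed sample of /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords no
IgnoreRhosts yes
PrintLastLog yes
ClientAliveInterval 900
ClientAliveCountMax 0
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
EOF

# sshd_option FILE KEYWORD -> the effective value of KEYWORD. sshd takes the first
# uncommented occurrence of a keyword and ignores its case; options after a Match block
# apply only to that block, so the scan stops there.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }' "$1"
}

# expect_option FILE KEYWORD WANTED -> prints a finding and fails when the value differs
expect_option() {
    got=$(sshd_option "$1" "$2")
    if [ "$got" != "$3" ]; then
        echo "$2 is '${got:-unset}', expected '$3'"
        return 1
    fi
}

# audit_sshd_config FILE -> prints one line per finding, returns the number of findings
audit_sshd_config() {
    f=$1; n=0
    expect_option "$f" PermitRootLogin no        || n=$((n + 1))
    expect_option "$f" PermitEmptyPasswords no   || n=$((n + 1))
    expect_option "$f" IgnoreRhosts yes          || n=$((n + 1))
    expect_option "$f" PrintLastLog yes          || n=$((n + 1))
    expect_option "$f" PubkeyAuthentication yes  || n=$((n + 1))
    expect_option "$f" PasswordAuthentication no || n=$((n + 1))
    tries=$(sshd_option "$f" MaxAuthTries)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "MaxAuthTries is '${tries:-unset}', expected 3 or less"; n=$((n + 1)); fi
    interval=$(sshd_option "$f" ClientAliveInterval)
    if [ -z "$interval" ] || [ "$interval" -lt 1 ] || [ "$interval" -gt 900 ]; then
        echo "ClientAliveInterval is '${interval:-unset}', expected 1 to 900"; n=$((n + 1)); fi
    # Edge case: since OpenSSH 8.2, ClientAliveCountMax 0 disables idle termination
    # entirely instead of closing the session after the first unanswered probe.
    count=$(sshd_option "$f" ClientAliveCountMax)
    if [ "${count:-3}" -eq 0 ]; then
        echo "ClientAliveCountMax is 0: idle sessions are never closed on OpenSSH 8.2 and later"; n=$((n + 1)); fi
    return "$n"
}

audit_sshd_config "$WORK/sshd_config" || echo "$? finding(s)"
```

On a host, run audit_sshd_config /etc/ssh/sshd_config, or compare its output with sshd -T, which prints the effective configuration after sshd has parsed it, Match blocks included.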

1.7 Quiz
⚫ Can a common user switch to the root user after the root user is forbidden from
remote login during SSHD service hardening?
Answer: Yes.

2 OS Network Security

2.1 Introduction
2.1.1 About This Lab
This lab describes how to use iptables and firewalld, and harden network security based
on the lab networking.

2.1.2 Objectives
⚫ Master the syntax rules of iptables.
⚫ Master firewalld commands.

2.1.3 Environment Preparation


2.1.3.1 Installing the httpd Service on the Server
Step 1 Install the httpd service and enable it to be automatically started upon system
startup.

[root@Server ~]# dnf install -y httpd


[root@Server ~]# systemctl enable httpd --now
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service →
/usr/lib/systemd/system/httpd.service.

Step 2 Check the httpd service status.

[root@Server ~]# systemctl status httpd


● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2023-05-16 09:30:00 UTC; 7s ago
Docs: man:httpd.service(8)
Main PID: 1159 (httpd)
Status: "Processing requests..."
Tasks: 177 (limit: 22471)
Memory: 18.3M
CGroup: /system.slice/httpd.service
├─1159 /usr/sbin/httpd -DFOREGROUND
├─1160 /usr/sbin/httpd -DFOREGROUND
├─1161 /usr/sbin/httpd -DFOREGROUND
└─1163 /usr/sbin/httpd -DFOREGROUND

2.2 Comprehensive Practices of iptables


2.2.1 Installing and Enabling iptables
Step 1 Install iptables and enable the service.

dnf -y install iptables policycoreutils
service iptables start
systemctl enable --now iptables.service

Step 2 Check the status of iptables.service and enable it to be automatically started upon
system startup.

[root@Jumpserver ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Sun 2023-05-14 14:18:27 UTC; 3s ago
Process: 1607 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 1607 (code=exited, status=0/SUCCESS)
[root@Jumpserver ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/basic.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

2.2.2 Configuring JumpServer Rules


Step 1 Clear all rules.

iptables -F

Step 2 Allow IP addresses from all sources to access TCP port 22 (OpenSSH).

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Step 3 Allow the local host to access TCP port 22 (OpenSSH) of all hosts on the intranet
(192.168.0.0/24).

iptables -A OUTPUT -p tcp -d 192.168.0.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Step 4 Adjust the default policy of a chain.

Following the least privilege principle:


⚫ Forbid all other input traffic by default.
⚫ Forbid the local host to forward data packets by default.
⚫ Forbid hosts to initiate external connections by default. This could effectively defend
against attacks such as reverse shell.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Step 5 Allow the local host to ping other hosts.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Step 6 Allow the local host to access UDP port 53 (DNS) of the remote host.

iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

Step 7 Allow for loopback connections.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Step 8 Allow for established and associated input connections.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Step 9 Allow for established output connections.

iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Step 10 View the configured rules and save them.

[root@Jumpserver ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

2.2.3 (Optional) Network Address Translation


iptables is often used in a network address translation (NAT) environment. NAT can
effectively reduce the number of servers with public IP addresses configured and enhance
network security.

NAT is classified into source network address translation (SNAT) and destination network
address translation (DNAT).

2.2.3.1 SNAT
Step 1 Disable Source/Destination Check.

On the JumpServer ECS details page, click the Elastic NICs tab, unfold it, and set
Source/Destination Check to OFF.

Step 2 Check whether the JumpServer can access the Internet.

[root@Jumpserver ~]# ping www.huaweicloud.com
PING koa8myv3.sslego-dk.tcloudscdn.com (110.249.196.149) 56(84) bytes of data.
64 bytes from 110.249.196.149 (110.249.196.149): icmp_seq=1 ttl=51 time=26.6 ms
64 bytes from 110.249.196.149 (110.249.196.149): icmp_seq=2 ttl=51 time=26.7 ms
64 bytes from 110.249.196.149 (110.249.196.149): icmp_seq=3 ttl=51 time=26.6 ms

Step 3 Enable IP route forwarding of the JumpServer ECS.

sysctl -w net.ipv4.ip_forward=1

Step 4 Configure SNAT and check the configuration.

iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -o ens3 -s 192.168.0.0/24 -j SNAT --to 192.168.0.48
iptables -t nat -nvL --line-numbers

Step 5 Save iptables configurations and enable them to be automatically started upon
system startup.

[root@Jumpserver ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@Jumpserver ~]# chkconfig iptables on
Note: Forwarding request to 'systemctl enable iptables.service'.
Created symlink /etc/systemd/system/basic.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

Step 6 Add a route.

Select a VPC to which a route is to be added and click Route Tables. On the Route
Tables page, click Add Route.

Enter the route information as prompted. Set the default gateway of the Server to the
private IP address of JumpServer.

Step 7 Log in to the server and verify the lab result.

[root@Server ~]# ping www.huaweicloud.com
PING koa8myv3.sslego-dk.tcloudscdn.com (110.249.196.149) 56(84) bytes of data.
64 bytes from 110.249.196.149 (110.249.196.149): icmp_seq=1 ttl=51 time=26.6 ms
64 bytes from 110.249.196.149 (110.249.196.149): icmp_seq=2 ttl=51 time=26.7 ms
64 bytes from 110.249.196.149 (110.249.196.149): icmp_seq=3 ttl=51 time=26.6 ms

2.2.3.2 DNAT
DNAT enables external users to directly access services provided by servers without
external IP addresses.
For example, an external user can access a web application on a server without a public
IP address through the Internet (the listening port is TCP 80).

Step 1 Rewrite the destination address and port.

iptables -t nat -A PREROUTING -d 192.168.0.48 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.49:80

Step 2 Rewrite the source address.

Change the source IP address to the internal IP address of JumpServer (192.168.0.48) so that
the Server replies to JumpServer. Because the POSTROUTING chain sees the packet after DNAT,
the rule matches the rewritten destination, that is, the Server address (192.168.0.49).

iptables -t nat -A POSTROUTING -d 192.168.0.49 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.48

Step 3 Check and save DNAT configurations.



[root@Jumpserver ~]# iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2 104 DNAT tcp -- * * 0.0.0.0/0 192.168.0.48 tcp dpt:80 to:192.168.0.49:80
Chain POSTROUTING (policy ACCEPT 2 packets, 104 bytes)
num pkts bytes target prot opt in out source destination
1 74 4680 SNAT all -- * ens3 192.168.0.0/24 0.0.0.0/0 to:192.168.0.48
2 0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.0.49 tcp dpt:80 to:192.168.0.48
[root@Jumpserver ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

Step 4 Access the JumpServer public IP address (http://123.60.49.188/) to verify the lab
result.

2.3 Comprehensive Practices of firewalld


2.3.1 Installing and Enabling firewalld
The firewalld service cannot be used together with iptables. Therefore, if iptables,
ip6tables, ebtables, and ipset are being used, disable these services before enabling
firewalld.

Step 1 Install firewalld and enable it to be automatically started upon system startup.

systemctl disable --now iptables.service
systemctl disable --now ip6tables.service
systemctl disable --now ebtables.service
systemctl disable --now ipset.service
dnf -y install firewalld firewall-config
systemctl unmask --now firewalld.service
systemctl enable --now firewalld.service

Step 2 Check the firewalld status.

[root@Jumpserver ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Wed 2016-06-29 14:28:51 CEST; 1 weeks 6 days a
Docs: man:firewalld(1)
Main PID: 24540 (firewalld)
Tasks: 2 (limit: 512)
CGroup: /system.slice/firewalld.service
└─24540 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

2.3.2 Network Address Translation


2.3.2.1 SNAT
Step 1 Enable route forwarding.

[root@Jumpserver ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Step 2 Enable address masquerading.

[root@Jumpserver ~]# firewall-cmd --add-masquerade
success
[root@Jumpserver ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Step 3 Add a route.

Select a VPC to which a route is to be added and click Route Tables. On the Route
Tables page, click Add Route.

Enter the route information as prompted. Set the default gateway of the Server to the
private IP address of JumpServer.

Step 4 Log in to the server and verify the lab result.

As shown in the following, the server can access the external network.

[root@Jumpserver ~]# ssh [email protected]
[root@Server ~]# ping www.huaweicloud.com -c 3
PING koa8myv3.sslego-dk.tcloudscdn.com (122.189.171.111) 56(84) bytes of data.
64 bytes from 122.189.171.111 (122.189.171.111): icmp_seq=1 ttl=45 time=23.9 ms
64 bytes from 122.189.171.111 (122.189.171.111): icmp_seq=2 ttl=45 time=23.9 ms
64 bytes from 122.189.171.111 (122.189.171.111): icmp_seq=3 ttl=45 time=23.9 ms

--- koa8myv3.sslego-dk.tcloudscdn.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 23.878/23.888/23.907/0.013 ms

2.3.2.2 DNAT
Step 1 Add port forwarding rules.

[root@Jumpserver ~]# firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.0.86
success
[root@openEuler ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
port=80:proto=tcp:toport=80:toaddr=192.168.0.86
source-ports:
icmp-blocks:
rich rules:

Step 2 Access the JumpServer public IP address (http://123.60.49.188/) to verify the lab
result.

2.3.3 Adding firewalld Rules Using CLI


Step 1 Install firewalld and view the default zone information.

[root@Server ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh mdns dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

In this case, the web service cannot be accessed through http://123.60.49.188/.

Step 2 View services supported by firewalld.

By default, firewalld provides more than 80 service groups. Check whether the HTTP
service is included.

[root@Server ~]# firewall-cmd --get-services | tr " " "\n" | grep 'http'
http
https
wbem-http
wbem-https

Step 3 Add the HTTP service to the firewall zone and view the lab result.

[root@Server ~]# firewall-cmd --add-service=http
[root@Server ~]# firewall-cmd --list-services
dhcpv6-client http mdns ssh

The web page can be accessed through http://123.60.49.188/.



Step 4 Forbid other hosts to ping the local host.

[root@Server ~]# firewall-cmd --add-rich-rule='rule family=ipv4 protocol value=icmp reject'
success

Step 5 Set port forwarding rules.

Forward the requests that 192.168.0.209 sends to port 5555 to port 22 of the local host.

[root@Server ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.0.209 forward-port port=5555 protocol=tcp to-port=22'
success
[root@Server ~]# firewall-cmd --add-masquerade
success

Step 6 Permanently save firewall configurations.

[root@Server ~]# firewall-cmd --runtime-to-permanent
success

2.3.4 Adding firewalld Rules Using an XML File


Step 1 Delete firewalld rules.

[root@Server ~]# cd /etc/firewalld/zones/
[root@Server zones]# mv public.xml public.xml.old

Step 2 Reload and check firewalld rules.

[root@Server zones]# firewall-cmd --reload
success
[root@Server zones]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Step 3 Use the default firewalld rule file.

[root@Server zones]# mv /usr/lib/firewalld/zones/public.xml .

Step 4 Modify the public.xml file as follows:


⚫ (SNAT) Enable address masquerading.
⚫ (DNAT) Forward the requests that external hosts send to port 80 of the local host to
port 80 of 192.168.0.86.
⚫ Forbid other hosts to ping the local host.
⚫ Forward the requests that 192.168.0.209 sends to port 5555 to port 22 of the local host.
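The zone file that Step 4 asks for, as an added example that is not part of the lab guide. It uses the addresses given in the step (192.168.0.86 and 192.168.0.209) and the service set shown in the listings above; the write_public_zone function, the zone_has helper and the temporary output path are this example's own, so the result can be inspected before it replaces /etc/firewalld/zones/public.xml.

```bash
#!/bin/sh
# Added example (not part of the lab guide): the firewalld public zone described in
# Step 4 of 2.3.4 as a zone file. Addresses are the lab's; the output path is a parameter.

# write_public_zone FILE -> writes the zone definition to FILE
write_public_zone() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <!-- (SNAT) address masquerading for the intranet behind this host -->
  <masquerade/>
  <!-- (DNAT) port 80 of this host is forwarded to the web server 192.168.0.86 -->
  <forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.0.86"/>
  <!-- reject ICMP from other hosts, so the host does not answer pings -->
  <rule family="ipv4">
    <protocol value="icmp"/>
    <reject/>
  </rule>
  <!-- requests from 192.168.0.209 to port 5555 are forwarded to local port 22 -->
  <rule family="ipv4">
    <source address="192.168.0.209"/>
    <forward-port port="5555" protocol="tcp" to-port="22"/>
  </rule>
  <forward/>
</zone>
EOF
}

# zone_has FILE PATTERN -> succeeds when the zone file contains PATTERN (a fixed string)
zone_has() {
    grep -qF -- "$2" "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
write_public_zone "$WORK/public.xml"
cat "$WORK/public.xml"
# On the lab host, install and activate the file with:
#   cp public.xml /etc/firewalld/zones/public.xml && firewall-cmd --reload
```

After firewall-cmd --reload, firewall-cmd --list-all should show the masquerade, forward-port and rich-rule entries exactly as in the listing of Step 5.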

Step 5 Reload and check rules.

[root@Server zones]# firewall-cmd --reload
success
[root@Server zones]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens3
sources:
services: dhcpv6-client mdns ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
port=80:proto=tcp:toport=80:toaddr=192.168.0.86
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" protocol value="icmp" reject
rule family="ipv4" source address="192.168.0.209" forward-port port="5555" protocol="tcp" to-port="22"

2.4 Quiz
⚫ Can firewalld and iptables be used at the same time?
Answer: No. If iptables is directly used when firewalld is running, some unexpected
problems may occur. For example, if a user directly uses iptables to delete rules or chains,
the firewall may need to be reloaded to create them again.

⚫ Can a public IP address be directly written during NAT?
Answer: No. The public IP address of Huawei Cloud uses dynamic BGP mapping mode.
When writing iptables rules, you must use the private IP address of the host.

3 Mandatory Access Control on SELinux

3.1 Introduction
3.1.1 About This Lab
When SELinux is enabled, the Apache HTTP server (httpd) is restricted by default.
Restricted processes run in their own domains and are separated from other restricted
processes. If a restricted process is attacked, the attacker's access to resources and
possible damage are also restricted due to SELinux policy configurations.
This lab demonstrates the impact of SELinux policies on httpd processes running in their
own domains.

3.1.2 Objectives
⚫ Be familiar with mandatory access control (MAC) models.
⚫ Master the identification and use of SELinux context information.

3.2 Comprehensive Practices of SELinux Access Control


3.2.1 Installing and Enabling SELinux
If SELinux has been installed, skip this section.

Step 1 Check the current SELinux mode.

[root@Server ~]# getenforce
Disabled

Step 2 Install the SELinux policy.

dnf install selinux-policy-targeted policycoreutils-python-utils

Step 3 Configure the SELinux configuration file.

Enable SELinux in permissive mode.

[root@Server ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Step 4 Modify system startup parameters.

Check the system boot mode.

[root@Server ~]# [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
BIOS

If BIOS is returned, modify the /etc/grub2.cfg file. If UEFI is returned, modify the
/etc/grub2-efi.cfg file.
Find the line starting with "linux" in the file and delete selinux=0.

Step 5 Restart the system and check the SELinux mode.

[root@Server ~]# getenforce
Permissive

Step 6 Re-label the file.

[root@Server ~]# fixfiles -F onboot
System will relabel on next boot

Step 7 Configure the SELinux configuration file.

Enable SELinux in enforcing mode.

[root@Server ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Step 8 Restart the system and check the SELinux mode.

[root@Server ~]# getenforce
Enforcing

Step 9 Enable the SELinux log service.

[root@Server ~]# systemctl enable --now auditd.service
[root@Server ~]# systemctl status auditd.service
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-05-16 13:30:09 UTC; 5s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 2482 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 2486 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 2483 (auditd)
      Tasks: 2 (limit: 22471)
     Memory: 856.0K
     CGroup: /system.slice/auditd.service
             └─2483 /sbin/auditd

3.2.2 Restricting SELinux Ports


Step 1 Ensure that the httpd service is running.

[root@Server ~]# systemctl start httpd.service
[root@Server ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-05-16 13:33:19 UTC; 2min 5s ago
       Docs: man:httpd.service(8)

Step 2 Check the context of the httpd process.

[root@Server ~]# ps -eZ | grep httpd
system_u:system_r:httpd_t:s0     2524 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2525 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2526 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2527 ?        00:00:00 httpd
system_u:system_r:httpd_t:s0     2528 ?        00:00:00 httpd

Step 3 Stop the httpd service and check its status.

[root@Server ~]# systemctl stop httpd
[root@Server ~]# systemctl status httpd
○ httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: inactive (dead) since Tue 2023-05-16 13:40:46 UTC; 11s ago
       Docs: man:httpd.service(8)

Step 4 Check the ports that SELinux allows httpd to listen on.

[root@Server ~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

Step 5 Change the listening port of the httpd service to 82.

[root@Server ~]# vim /etc/httpd/conf/httpd.conf
Listen 192.168.0.49:82

Step 6 Start the httpd service again.

The httpd service fails to be started.

[root@Server ~]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

Step 7 Check SELinux logs.

Due to port restrictions, SELinux rejects httpd listening on port 82.

[root@Server ~]# ausearch -m avc -c httpd
----
time->Tue May 16 13:42:46 2023
type=AVC msg=audit(1684244566.444:21): avc:  denied  { name_bind } for  pid=2726 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

Step 8 Configure SELinux to allow httpd to listen on port 82.

semanage port -a -t http_port_t -p tcp 82

Step 9 Restart the httpd service.

[root@Server ~]# systemctl start httpd
[root@Server ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-05-16 13:50:38 UTC; 7s ago
       Docs: man:httpd.service(8)

Step 10 Verify the lab result.

[root@Server ~]# curl 192.168.0.49:82
<title>Test Page for the Apache HTTP Server on openEuler Linux</title>

3.2.3 Restricting SELinux Types


Step 1 Temporarily change the SELinux mode to permissive.

[root@Server ~]# setenforce 0
[root@Server ~]# getenforce
Permissive

Step 2 Create an httpd home page.

mkdir /home/mywebsite
echo "hello,openEuler!" > /home/mywebsite/index.html
chmod 755 /home/mywebsite

Step 3 Modify httpd configurations.

Modify the home directory of static resources and add the access permission.

[root@Server ~]# vim /etc/httpd/conf/httpd.conf
#DocumentRoot "/var/www/html"
DocumentRoot "/home/mywebsite"
<Directory "/home/mywebsite">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

Step 4 Reload and verify configurations.

If the returned content meets the expectation, the modification on the home page is
successful.

[root@Server ~]# systemctl reload httpd
[root@Server ~]# curl 192.168.0.49:82
hello,openEuler!

Step 5 Change the SELinux mode to enforcing and verify the access.

The returned content does not meet the expectation.

[root@Server ~]# setenforce 1
[root@Server ~]# curl 192.168.0.49:82
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Step 6 Check SELinux logs.

SELinux denies the httpd service's access to static resources because the context type
does not match.

[root@Server ~]# ausearch -m avc -c httpd
----
time->Wed May 17 02:17:53 2023
type=AVC msg=audit(1684289873.780:191): avc:  denied  { getattr } for  pid=1958 comm="httpd" path="/mywebsite/index.html" dev="sda2" ino=1048579 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
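The two AVC records in this lab (the name_bind denial in 3.2.2 and the getattr denial above) illustrate the two label mismatches an administrator meets most often: a port whose type the domain may not bind, and a file whose type the domain may not read. As an added example that is not part of the lab guide, the following Python script parses audit records of this shape, tells the two cases apart, and reports whether the access was actually blocked (permissive=0) or only logged (permissive=1, the state after setenforce 0). The sample input is constructed: the lab's two denials re-joined onto one line each, plus a SYSCALL record that the parser must skip.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input (not part of the lab guide): the lab's two httpd
# denials re-joined onto one line each, plus a SYSCALL record that is not an
# AVC denial and must be skipped by the parser.
SAMPLE_AVC_RECORDS = """\
type=AVC msg=audit(1684244566.444:21): avc: denied { name_bind } for pid=2726 comm="httpd" src=82 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1684289873.780:191): avc: denied { getattr } for pid=1958 comm="httpd" path="/mywebsite/index.html" dev="sda2" ino=1048579 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1684289873.780:191): arch=c000003e syscall=4 success=no exit=-13
"""

# "avc: denied { getattr }" -- the permission(s) the policy refused.
_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values are either double-quoted (path="...") or bare (pid=2726).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcDenial:
    permissions: list[str]
    attrs: dict[str, str] = field(default_factory=dict)

    def _type_of(self, ctx_key: str) -> str:
        # A context is user:role:type:level; type-enforcement rules key on the type.
        return self.attrs[ctx_key].split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of("scontext")

    @property
    def target_type(self) -> str:
        return self._type_of("tcontext")

    @property
    def enforced(self) -> bool:
        # permissive=0: the access was really blocked (enforcing mode).
        # permissive=1: only logged, as in the lab's setenforce 0 step.
        return self.attrs.get("permissive") == "0"


def parse_avc(record: str) -> AvcDenial | None:
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = _DENIED_RE.search(record)
    if m is None:
        return None
    attrs: dict[str, str] = {}
    for kv in _KV_RE.finditer(record):
        # group(3) is the unquoted inner text when the value was quoted.
        attrs[kv.group(1)] = kv.group(3) if kv.group(3) is not None else kv.group(2)
    return AvcDenial(permissions=m.group(1).split(), attrs=attrs)


def classify(d: AvcDenial) -> tuple[str, str]:
    """Return (kind, object) describing which kind of label mismatch caused the denial."""
    tclass = d.attrs.get("tclass", "")
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in d.permissions:
        # The listening port carries a type the domain may not bind to; the lab's
        # fix was to label the port: semanage port -a -t http_port_t -p tcp 82
        proto = "tcp" if tclass == "tcp_socket" else "udp"
        return "port-label", f"{proto}/{d.attrs.get('src', '?')}"
    if tclass in ("file", "dir", "lnk_file"):
        # The file's type is outside the domain's allowed set; the lab's fix was
        # semanage fcontext ... plus restorecon -R (and a boolean for home dirs).
        return "file-context", d.attrs.get("path") or d.attrs.get("name", "?")
    return "other", tclass or "?"


def triage(records: str) -> list[dict[str, object]]:
    """Summarise every AVC denial in a block of ausearch/auditd output."""
    out: list[dict[str, object]] = []
    for line in records.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        kind, obj = classify(d)
        out.append({
            "kind": kind,
            "object": obj,
            "permissions": d.permissions,
            "source_type": d.source_type,
            "target_type": d.target_type,
            "comm": d.attrs.get("comm", "?"),
            "enforced": d.enforced,
        })
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_AVC_RECORDS):
        state = "BLOCKED" if r["enforced"] else "logged only (permissive)"
        print(f"{r['kind']:13} {r['comm']} ({r['source_type']}) -> {r['object']} "
              f"[{r['target_type']}] {' '.join(r['permissions'])}: {state}")
```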

Step 7 Change the type of index.html.

[root@Server ~]# semanage fcontext -a -t httpd_sys_content_t "/home/mywebsite(/.*)?"
[root@Server ~]# restorecon -R -v /home/mywebsite
Relabeled /mywebsite from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Relabeled /mywebsite/index.html from unconfined_u:object_r:default_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

Step 8 Change the Boolean value.

[root@Server ~]# setsebool -P httpd_enable_homedirs=on

Step 9 Verify the lab result again.

The expected content is returned due to type consistency.

[root@Server ~]# curl 192.168.0.49:82
hello,openEuler!

3.3 Quiz
⚫ What are the differences between using the chcon and semanage fcontext
commands to modify the SELinux context?
Answer: The SELinux context modified by chcon is not recorded in the file system. You can
run restorecon to restore the SELinux context to the default context. By contrast, the
SELinux context modified by semanage fcontext is recorded in the file system, and the
default context is modified.
⚫ Can SELinux replace firewalld to protect hosts?
Answer: SELinux can be used to guarantee data confidentiality and integrity and protect
processes from untrusted input, but it cannot replace security software such as firewalld.
Huawei openEuler Certification Training

HCIP-openEuler

System Monitoring

Lab Guide
ISSUE: 1.0

HUAWEI TECHNOLOGIES CO., LTD


Huawei Certification System


Huawei Certification is an integral part of the company's Platform + Ecosystem
strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-
Device synergy. Our certification is always evolving to reflect the latest trends in ICT
development.
Huawei Certification consists of three categories: ICT Infrastructure Certification, Basic
Software & Hardware Certification, and Cloud Platform & Services Certification, making
it the most extensive technical certification program in the industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Our programs cover all ICT fields and follow the industry's trend of ICT convergence.
With our leading talent development system and certification standards, we are
committed to fostering new digital ICT talent and building a sound ICT talent
ecosystem.
HCIP-openEuler is mainly for frontline engineers from Huawei and representative
offices and readers who wish to learn openEuler O&M technologies. HCIP-openEuler
certification covers common openEuler enterprise service management, openEuler HA
cluster architecture, openEuler storage management, openEuler automated O&M, Linux
shell scripts, openEuler system security hardening, and openEuler system monitoring.
Huawei certification helps you unlock opportunities to advance your career and take
one more step towards the top of the industry.

About This Document

Overview
This document is an HCIP-openEuler certification training course and is intended for
trainees who are going to take the HCIP-openEuler exam or readers who want to learn
about system performance metrics, basic monitoring commands, and Zabbix on
openEuler and other Linux distributions.

Description
This lab guide consists of six labs, covering basic usage of system monitoring commands
and Zabbix monitoring setup.
⚫ Lab 1: CPU performance metric practice
⚫ Lab 2: memory performance metric practice
⚫ Lab 3: drive I/O performance metric practice
⚫ Lab 4: network I/O performance metric practice
⚫ Lab 5: top performance analysis practice
⚫ Lab 6: Zabbix monitoring practice

Background Knowledge Required


This course is for Huawei certification. To better understand this course, you need to:
⚫ Have basic Linux knowledge. You are advised to complete HCIA-openEuler learning
and pass the HCIA-openEuler certification exam.

Lab Environment Preparation


Checking Devices
Before starting the labs, each group of trainees should apply for ECSs on Huawei Cloud
according to the following table.

Device Name        Specifications                   Remarks
openEuler ECSs     2 vCPUs | 4 GiB | s7.large.2     Prepare two ECSs.

Contents

About This Document ............................................................................................................... 3
Overview ............................................................................................................................................................................................. 3
Description ......................................................................................................................................................................................... 3
Background Knowledge Required ............................................................................................................................................. 3
Lab Environment Preparation ..................................................................................................................................................... 3
1 Basic System Monitoring Command Practice .................................................................. 1
1.1 Introduction ................................................................................................................................................................................ 1
1.1.1 About This Lab ....................................................................................................................................................................... 1
1.1.2 Objectives ................................................................................................................................................................................ 1
1.2 CPU Performance Metric Practice ...................................................................................................................................... 1
1.2.1 Installing Lab Tools .............................................................................................................................................................. 1
1.2.2 Viewing CPU Usage .............................................................................................................................................................. 1
1.2.3 Viewing Context Switches .................................................................................................................................................. 2
1.3 Memory Performance Metric Practice .............................................................................................................................. 3
1.3.1 Creating a Swap Partition .................................................................................................................................................. 3
1.3.2 Checking System Memory ................................................................................................................................................. 4
1.3.3 Checking Process Memory ................................................................................................................................................. 5
1.4 Drive I/O Performance Metric Practice ............................................................................................................................ 5
1.4.1 Installing Lab Tools .............................................................................................................................................................. 5
1.4.2 Checking the Drive IOPS and Throughput................................................................................................................... 6
1.5 Network I/O Performance Metric Practice ...................................................................................................................... 6
1.5.1 Installing Lab Tools .............................................................................................................................................................. 6
1.5.2 Checking the Network Connection Status ................................................................................................................... 7
1.5.3 Checking the Network Response Time ......................................................................................................................... 7
1.5.4 Checking the Network Bandwidth .................................................................................................................................. 7
1.6 top Performance Analysis Tool Practice .......................................................................................................................... 8
1.6.1 Interactive Operations on the Main Interface ............................................................................................................ 8
1.7 Quiz .............................................................................................................................................................................................11
2 Practice of Zabbix Monitoring ...........................................................................................12
2.1 Zabbix Installation and Deployment ...............................................................................................................................12
2.1.1 Resource Preparations.......................................................................................................................................................12
2.1.2 Zabbix Configuration .........................................................................................................................................................14
2.1.3 Install Zabbix Agent ...........................................................................................................................................................18
2.1.4 Basic Zabbix Operations ...................................................................................................................................................19
2.2 Quiz .............................................................................................................................................................................................27


1 Basic System Monitoring Command Practice

1.1 Introduction
1.1.1 About This Lab
This lab describes how to use the basic commands for monitoring the CPU, memory, and
I/O performance metrics on openEuler.

1.1.2 Objectives
⚫ Master the usage of basic system monitoring commands.
⚫ Understand the meanings of CPU, memory, and I/O performance metrics.

1.2 CPU Performance Metric Practice


1.2.1 Installing Lab Tools
Step 1 Install the system stress test tool stress.

[root@openEuler ~]# dnf config-manager --add-repo https://repo.oepkgs.net/openeuler/rpm/openEuler-22.03-LTS/extras/x86_64/
[root@openEuler ~]# dnf -y install stress

Step 2 Install the thread stress test tool sysbench.

dnf -y install sysbench

Step 3 Install the system performance monitoring tool sysstat.

dnf -y install sysstat

1.2.2 Viewing CPU Usage


Step 1 Perform a CPU performance stress test.

[root@openEuler ~]# stress -c 2 -i 2 --timeout 300s &
[1] 6042
stress: info: [6042] dispatching hogs: 2 cpu, 2 io, 0 vm, 0 hdd

Step 2 View the CPU usage.

Step 3 Check the CPU usage of each process.

Step 4 Check the average system load.

[root@openEuler ~]# uptime
 02:39:52 up  1:45,  2 users,  load average: 0.02, 0.47, 0.44

1.2.3 Viewing Context Switches


Step 1 Perform a context switch stress test.

[root@openEuler ~]# sysbench --threads=4 --time=300 threads run &
[1] 6086
sysbench 1.0.20 (using system LuaJIT 2.1.0-beta3)

Running the test with following options:
Number of threads: 4
...

Step 2 Check system context switches.


Step 3 Check thread context switches.

In the multi-threaded scenario, the system load increases as the number of CPU context
switches per second reaches 3.2 million, accompanied by an increase in both voluntary
and involuntary task switches.

Step 4 Check the average system load.

[root@openEuler ~]# uptime
 03:14:46 up  2:20,  2 users,  load average: 4.90, 3.12, 1.89

1.3 Memory Performance Metric Practice


1.3.1 Creating a Swap Partition
Step 1 Generate a 2 GiB data file.

[root@openEuler ~]# dd if=/dev/zero of=/mnt/swap bs=1M count=2048
2048+0 records in
2048+0 records out
2147483648 bytes (2.1 GB, 2.0 GiB) copied, 11.4539 s, 187 MB/s

Step 2 Format the file and check file information.

[root@openEuler ~]# mkswap /mnt/swap
mkswap: /mnt/swap: insecure permissions 0644, fix with: chmod 0600 /mnt/swap
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=8e4e45fb-253a-45c8-a530-f13ed8a606c3
[root@openEuler ~]# file /mnt/swap
/mnt/swap: Linux swap file, 4k page size, little endian, version 1, size 524287 pages, 0 bad pages, no label, UUID=8e4e45fb-253a-45c8-a530-f13ed8a606c3

Step 3 Modify the permissions on the partition file and activate the swap partition.

chmod 0600 /mnt/swap
swapon /mnt/swap

Step 4 Check the swap partition size.

1.3.2 Checking System Memory


Step 1 Perform a physical memory performance stress test.

[root@openEuler ~]# stress --vm 2 --vm-bytes 300M --vm-keep --timeout 300s &
[1] 6091
stress: info: [1247] dispatching hogs: 0 cpu, 0 io, 2 vm, 0 hdd

Step 2 Check the physical memory.

Step 3 Check the swappiness and priority of the swap space.

swappiness controls memory reclamation: the higher the value, the more actively the
kernel will use the swap space.
priority indicates the priority of the swap space: the higher the value, the higher the
priority, and the more likely the kernel will use it.

Step 4 Perform a swap space memory stress test.

[root@openEuler ~]# stress --vm 7 --vm-bytes 500M --vm-hang 5 --timeout 300s &
[1] 6091
stress: info: [1361] dispatching hogs: 0 cpu, 0 io, 7 vm, 0 hdd

Step 5 Check the swap space memory.



Step 6 Check the system virtual memory.

1.3.3 Checking Process Memory


Step 1 Perform a process memory stress test.

[root@openEuler ~]# sysbench --threads=4 --time=300 threads run &
[1] 6091
sysbench 1.0.20 (using system LuaJIT 2.1.0-beta3)

Running the test with following options:


Number of threads: 4
...

Step 2 Check the process memory.


⚫ On the monitoring interface of top, press the following keys in sequence: h > h > 3 >
Enter > J > H > e
Press the above keys to change the functions and format of the top main interface and
check the process memory details.

1.4 Drive I/O Performance Metric Practice


1.4.1 Installing Lab Tools
Step 1 Install the drive I/O test tool.

dnf -y install fio


Step 2 Create a directory for stress test data.

mkdir /data

1.4.2 Checking the Drive IOPS and Throughput


Step 1 Perform a stress test on drive I/O performance.

[root@openEuler ~]# fio -filename=/data/test.file -direct=1 -iodepth 1 -thread -rw=randrw -rwmixread=70 -ioengine=psync -bs=16k -size=2G -numjobs=10 -runtime=60 -group_reporting -name=test_r_w
test_r_w: (g=0): rw=randrw, bs=(R) 16.0KiB-16.0KiB, (W) 16.0KiB-16.0KiB, (T) 16.0KiB-16.0KiB, ioengine=psync, iodepth=1
...

Step 2 Check the drive IOPS and throughput.

Start another terminal. You can see that the IOPS of drive sda is 7,705 and the
throughput is 120 Mbit/s.

Step 3 Check the IOPS and throughput of block device sda.

1.5 Network I/O Performance Metric Practice


1.5.1 Installing Lab Tools
Step 1 Install the network performance test tool iperf.

dnf -y install iperf


1.5.2 Checking the Network Connection Status


Step 1 Check the network connection status.

1.5.3 Checking the Network Response Time

1.5.4 Checking the Network Bandwidth

Step 1 Start the service on an ECS.

Use either ECS on the intranet as the server.

[root@Server ~]# iperf3 -s
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------

Step 2 Test the intranet bandwidth on the client.

You can see that the intranet bandwidth is about 4 Gbit/s.


Step 3 Check the throughput of the network interface.

The throughput of the ens3 interface is about 500,000 kilobytes per second.

1.6 top Performance Analysis Practice


The top command is a commonly used Linux performance analysis tool. It can display the
resource usage of each process in real time, similar to Task Manager on Windows. The
real-time system status view provides a summary of system information and a list of
processes or threads currently managed by the Linux kernel. The system summary
information and the type, order, and unit of process resources can be customized and
stored permanently.

1.6.1 Interactive Operations on the Main Interface


Step 1 View the system information on the main interface of top.

# top

The following information is displayed from top to bottom: system time and load, task
status, CPU usage, memory and virtual memory, and processes under the fields.

Step 2 Move the cursor.

Press the arrow keys to scroll and view fields and processes in the task area.

Step 3 Customize the main interface.

Key   Function
j     Aligns texts to the left or right.
J     Aligns numbers to the left or right.
B     Toggles the bold text mode.
z     Toggles between the multicolor and monochrome mode.

In this lab, numbers are left-aligned, texts are right-aligned, the multicolor mode is used,
and keywords are in bold.

Step 4 Adjust the information displayed in the summary area.

Press keys for interactive commands to display or hide information in the summary area
or adjust information display.

Key   Function
l     Displays or hides the average system load.
t     Displays or hides task and CPU statistics, and adjusts the display mode of CPU statistics.
m     Displays or hides memory information, and adjusts the display mode of memory information.
1     Toggles between per-CPU usage and average CPU usage.

In this lab, the usage of each CPU is displayed, and the display mode of CPU and memory
statistics in the summary area is modified.

Step 5 Sort and modify fields in the task area.

Press f to go to the field management page. You can check the meaning of each field,
select required fields, and sort them.

Key       Function
d         Shows or hides a field.
s         Specifies the field by which processes will be sorted.
Right     Selects a field.
Left      Confirms the location of a field.
Up/Down   Adjusts the location of a field.
q         Exits the field management page.

In this lab, processes are sorted by the PID field, the TIME+ field is hidden, the PPID and
ENVIRON fields are added for display, and the PPID field is moved to the first column.
(1) The content under the ENVIRON field is not fully displayed. You can press the right
arrow key to scroll the view for the complete content.
(2) By default, processes in the task area are sorted in descending order based on the
selected field. You can press R to reverse the sorting order.

Step 6 Adjust the information displayed in the task area.

Key   Function
R     Sorts processes in ascending or descending order.
n     Sets the maximum number of processes for display.
c     Displays process names or startup commands.
x     Toggles highlighting of the sorting column.
V     Toggles the tree view.
y     Toggles highlighting of running tasks.
</>   Switches the sorting field.
H     Shows or hides thread information.

In this lab, a maximum of five processes are displayed, the tree view is enabled to
visualize parent-child process relationships, and the sorting field and running processes
are highlighted.

Step 7 Save the configuration permanently.

Press W to save the modified configuration to a file. If the following information is
displayed, the configuration is successfully saved:

Wrote configuration to '/root/.config/procps/toprc'

1.7 Quiz
⚫ How do you adjust the frequency at which the system uses the swap space?
Answer: Adjust the swappiness and priority of the swap space.
⚫ What is the difference between buff and cache in memory performance metrics?
Answer: buff is used to reduce the number of I/O responses and handle excessive
resource accesses. cache is a compromise strategy used to handle speed mismatches and
accelerate accesses.

2 Practice of Zabbix Monitoring

2.1 Zabbix Installation and Deployment


2.1.1 Resource Preparations
Zabbix can use Nginx's resources deployed in previous labs. Alternatively, you can create
a new VM to install and deploy Zabbix. This lab uses a new VM as an example. If you
want to reuse Nginx's resources, skip LNMP setup and just modify the Nginx
configuration file.

Step 1 Configure LNMP.

For details, see previous lab guides.


1. Install Nginx.
2. Install and configure PHP.
Install PHP and related dependencies.

yum install -y php-cli php-fpm php-gd php-mbstring php-bcmath php-xml php-ldap php-mysqlnd

3. Modify PHP configurations based on Zabbix requirements.

sed -i 's/post_max_size = 8M/post_max_size = 16M/g' /etc/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 300/g' /etc/php.ini
sed -i 's/max_input_time = 60/max_input_time = 300/g' /etc/php.ini

4. Modify the Nginx configuration file.

server {
    listen 0.0.0.0:80;
    root /data/zabbix;
    index index.php;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Step 2 Download and compile Zabbix.

Download the Zabbix source package.


wget https://cdn.zabbix.com/zabbix/sources/oldstable/6.2/zabbix-6.2.8.tar.gz

After the download, run the tar command to decompress the package.

tar -zxvf zabbix-6.2.8.tar.gz

Create the user and user group required by Zabbix.

groupadd --system zabbix
useradd --system -g zabbix -d /usr/lib/zabbix -s /sbin/nologin -c "Zabbix Monitoring System" zabbix

Before compiling Zabbix, install required dependencies.

yum install -y mysql-devel pcre-devel openssl-devel zlib-devel libxml2-devel net-snmp-devel net-snmp libssh2-devel OpenIPMI-devel libevent-devel openldap-devel libcurl-devel

Go to the decompressed directory and configure the Zabbix compilation file.

mkdir /etc/zabbix
./configure --sysconfdir=/etc/zabbix --enable-server --enable-agent --with-mysql --with-ssh2 --with-zlib --with-libpthread --with-libevent --with-libpcre --with-net-snmp --with-libcurl --with-libxml2 --with-openipmi --with-openssl --with-ldap

The following figure shows the information returned after the configuration.

After the compilation is complete, install Zabbix.

make install

The following figure shows the information returned after the compilation and installation.

Step 3 Configure a database.

The MySQL database is used in this lab, which shares the same VM with previous labs.
You only need to create a database and user for Zabbix on the original database server.

create database zabbix charset utf8 collate utf8_bin;
create user 'zabbix'@'%' identified by 'Huawei@123';
grant all on zabbix.* to 'zabbix'@'%';
flush privileges;

After the preceding configuration is complete, copy the files to be imported from Zabbix
to MySQL.

scp -r root@<zabbix-server-ip>:/root/zabbix-6.2.8/database/mysql .

Import the files strictly in the following order; otherwise, an error is reported.

mysql -uroot -pHuawei@123 zabbix < schema.sql
mysql -uroot -pHuawei@123 zabbix < images.sql
mysql -uroot -pHuawei@123 zabbix < data.sql
mysql -uroot -pHuawei@123 zabbix < double.sql
mysql -uroot -pHuawei@123 zabbix < history_pk_prepare.sql

So far, all preparations are complete.

2.1.2 Zabbix Configuration


Step 1 Connect the Zabbix server to MySQL and start the Zabbix server.

Modify the Zabbix configuration file /etc/zabbix/zabbix_server.conf and change the
value of DBHost to the MySQL address (line 87).

Change the value of DBPassword to the password specified during user creation (line
123).

Specify DBPort to 3306 (line 140).

Uncomment ListenPort (line 12).

Save the settings and exit. Run the zabbix_server -c /etc/zabbix/zabbix_server.conf
command to start the service. If the service starts properly, the related port is listened
on, as shown in the following figure.

Step 2 Deploy the web interface.

Copy all files in the ui directory of the source package to the specified root directory of
the Nginx service.

mkdir -p /data/zabbix/
cp -r /root/zabbix-6.2.8/ui/* /data/zabbix/

Enter the Zabbix IP address in the address box of the browser to access Zabbix and
deploy the web interface. The following figure shows its home page.

Click Next twice. On the database configuration page, complete the configuration as
planned.

After the configuration, click Next step. On the displayed page, set the parameters as
shown in the following figure.

After the configuration, click Next step. On the displayed page, check whether the
configuration is correct. If the configuration is correct, click Next step.

After the configuration, the system displays a message indicating that the installation is
complete, as shown in the following figure.

Click Finish. On the Zabbix web interface, enter the default username (Admin) and
password (zabbix), and click Sign In.

2.1.3 Install Zabbix Agent


Step 1 Download and install the official Yum source file of Zabbix.

rpm -Uvh https://repo.zabbix.com/zabbix/6.2/rhel/8/x86_64/zabbix-release-6.2-3.el8.noarch.rpm



Step 2 Run the yum command to install zabbix-agent2.

yum install -y zabbix-agent2

Step 3 Configure and start the agent.

Modify the agent configuration file and specify the IP address of Zabbix server.

sed -i 's/Server=127.0.0.1/Server=192.168.1.4/g' /etc/zabbix/zabbix_agent2.conf

After the modification, start the agent.

systemctl start zabbix-agent2

2.1.4 Basic Zabbix Operations


Step 1 Add a host.

In the Monitoring area on the Zabbix home page, click Hosts. The following page is
displayed:

Click Create host in the upper right corner. On the displayed page, enter the host name
as planned.

Click Select following Templates to select a template. Preset templates are available.
Because the MySQL host runs in Linux and the MySQL database is running, you can enter
Operating systems or Databases in the search box to filter templates. The following
figure shows database-related templates. Select MySQL by Zabbix agent2.

You can also select multiple templates, as shown in the following figure:

Specify host groups as follows:



Click Add in the Interfaces area, select Agent, and enter the agent information, as
shown in the following figure:

After the preceding configuration is complete, click Add to add the host. Then, you can
view the MySQL monitoring statistics, as shown in the following figure:

You can click Latest data, Graphs, or Dashboard to view the monitoring statistics in
respective forms. The following figure shows the dashboard view.

Step 2 Check monitored hosts.

On the Zabbix home page, click Dashboard in the Monitoring area to view the global
information, as shown in the following figure.

In the Monitoring area, click Problems to view information about abnormal hosts, as
shown in the following figure.

Click the Ack status corresponding to a faulty host. The window for handling the problem
is displayed, as shown in the following figures.

After the update, the status of the problem will be updated, as shown in the following
figure.

Step 3 Customize a monitoring item.

The following uses the monitoring of online users of the MySQL server as an example to
describe how to create a custom monitoring item.
Create a User_MySQL.conf configuration file in the MySQL agent configuration directory,
for example, /etc/zabbix/zabbix_agent2.d, and add the following line to the file:

UserParameter=User.MySQL,who | wc -l

Restart the zabbix-agent2 service and run the zabbix_agent2 command to check whether
the value of the specified key can be obtained, as shown in the following figure.

If the value cannot be obtained, adjust the command based on the command output. If
the value can be obtained, log in to the Zabbix server through the web interface, click
Hosts in the Configuration area, and select Items corresponding to MySQL, as shown in
the following figure.

On the displayed page, click Create item in the upper right corner and then set
parameters as planned.

After the configuration is complete, click Test. On the test page, click Get value and test
to check whether the corresponding value can be obtained, as shown in the following
figure.

If the returned value is normal, close the page and click Add.
Note: Zabbix has preset items for monitoring online users. You can refer to their
configurations to perform this lab.

Step 4 Customize a trigger.

In the Configuration area, click Hosts and select Triggers corresponding to MySQL, as
shown in the following figure.

On the displayed page, click Create trigger in the upper right corner. Enter the trigger
name and severity as planned.

In the Expression area, click Add to add an expression as follows:



After the configuration is complete, click Insert. The expression is added, as shown in the
following figure.

Click Add to create the trigger.

2.2 Quiz
⚫ What are the differences between the active and passive modes of Zabbix?
Answer: The passive mode is the default mode of Zabbix. In this mode, the server polls
the agent status. In active mode, the agent proactively reports information to the server,
which reduces the load of the server and thus accelerates server response.
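The passive check the quiz describes, as an added example that is not code from the lab guide or from Zabbix: a small client that frames an item key the way the server does when it polls an agent, and decodes the agent's reply, including the ZBX_NOTSUPPORTED answer you get when a UserParameter key such as User.MySQL is mistyped. The header layout, port 10050 and the sample replies are assumptions taken from the Zabbix protocol, not from this page.

```python
"""Zabbix passive check, the way the server polls an agent.

Added example, not code from the lab guide or from Zabbix.  In passive mode
the server opens TCP 10050 on the agent, sends an item key (for example the
User.MySQL key defined above) and reads one reply.  Both directions use the
Zabbix protocol header: b"ZBXD", a flags byte (0x01 for an uncompressed
message), a 4-byte little-endian payload length and a 4-byte reserved field
(13 bytes in total), followed by the payload.  An unsupported key is
answered with ZBX_NOTSUPPORTED, a NUL byte and the reason.
"""
import socket
import struct

MAGIC = b"ZBXD"
FLAG_PLAIN = 0x01
HEADER_LEN = 13  # 4 magic + 1 flags + 4 length + 4 reserved
NOTSUPPORTED = b"ZBX_NOTSUPPORTED"


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the Zabbix protocol header."""
    return MAGIC + struct.pack("<BII", FLAG_PLAIN, len(payload), 0) + payload


def unframe(data: bytes) -> bytes:
    """Validate the header and return the payload; raise ValueError otherwise.

    The declared length is checked against what actually arrived, so a
    truncated or padded message is rejected rather than half-parsed.
    """
    if len(data) < HEADER_LEN or data[:4] != MAGIC:
        raise ValueError("not a Zabbix protocol message")
    flags, length, _reserved = struct.unpack("<BII", data[4:HEADER_LEN])
    if flags != FLAG_PLAIN:
        raise ValueError("unsupported flags 0x%02x" % flags)
    body = data[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("length mismatch: header says %d, got %d" % (length, len(body)))
    return body


def is_well_formed(data: bytes) -> bool:
    """True if unframe() accepts the message."""
    try:
        unframe(data)
        return True
    except ValueError:
        return False


def parse_agent_reply(body: bytes) -> dict:
    """Classify an agent payload as an item value or a ZBX_NOTSUPPORTED error."""
    if body.startswith(NOTSUPPORTED):
        reason = body[len(NOTSUPPORTED):].lstrip(b"\x00").decode(errors="replace")
        return {"supported": False, "error": reason}
    return {"supported": True, "value": body.decode(errors="replace").strip()}


def passive_check(host: str, key: str, port: int = 10050, timeout: float = 3.0) -> dict:
    """Poll one item key from a live agent (needs network access to the agent)."""
    request = frame(key.encode() + b"\n")  # the server terminates the key with LF
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        # Read until the header's length field says the whole body has arrived.
        while len(buf) < HEADER_LEN or len(buf) < HEADER_LEN + struct.unpack("<I", buf[5:9])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break  # agent closed early; unframe() reports the short read
            buf += chunk
    return parse_agent_reply(unframe(buf))


# Constructed sample replies: what an agent returns for the lab's User.MySQL
# key (the "who | wc -l" count) and for a key that has no UserParameter.
SAMPLE_VALUE_REPLY = frame(b"3")
SAMPLE_UNSUPPORTED_REPLY = frame(NOTSUPPORTED + b"\x00Unsupported item key.")

if __name__ == "__main__":
    print(frame(b"User.MySQL\n").hex())
    print(parse_agent_reply(unframe(SAMPLE_VALUE_REPLY)))
    print(parse_agent_reply(unframe(SAMPLE_UNSUPPORTED_REPLY)))
```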

Huawei Certification System


Huawei Certification is an integral part of the company's Platform + Ecosystem
strategy. It supports the development of ICT infrastructure that features Cloud-Pipe-
Device synergy. Our certification is always evolving to reflect the latest trends in ICT
development. Huawei Certification consists of three categories: ICT Infrastructure
Certification, Basic Software & Hardware Certification, and Cloud Platform & Services
Certification, making it the most extensive technical certification program in the
industry.
Huawei offers three levels of certification: Huawei Certified ICT Associate (HCIA),
Huawei Certified ICT Professional (HCIP), and Huawei Certified ICT Expert (HCIE).
Our programs cover all ICT fields and follow the industry's trend of ICT convergence.
With our leading talent development system and certification standards, we are
committed to fostering new digital ICT talent and building a sound ICT talent
ecosystem.
HCIP-openEuler is mainly for frontline engineers from Huawei and representative
offices and readers who wish to learn openEuler O&M technologies. HCIP-openEuler
certification covers common openEuler enterprise service management, openEuler HA
cluster architecture, openEuler storage management, openEuler automated O&M, Linux
shell scripts, openEuler system security hardening, and openEuler system monitoring.
Huawei certification helps you unlock opportunities to advance your career and take
one more step towards the top of the industry.

About This Document

Overview
This document is an HCIP-openEuler certification training course and is intended for
trainees who are going to take the HCIP-openEuler exam or readers who want to learn
how to build enterprise services, shell scripts, or perform automated O&M using Zabbix
or Salt on openEuler and other Linux distributions.

Description
This lab guide introduces a comprehensive practice, which uses Ansible to set up an
enterprise website. The website can access static pages and internal blog systems. Static
data of the website is stored in the shared storage provided by GlusterFS, and dynamic
data is stored in the MySQL database. The domain name of the website is www.test.com.
Therefore, you need to configure the DNS to resolve the domain name to the IP address
of the web server. To monitor the status of each host, you need to also install and
configure Zabbix.

Background Knowledge Required


This course is for Huawei's basic certification. To better understand this course,
familiarize yourself with the following:
⚫ Have basic Linux knowledge. You are advised to complete HCIA-openEuler learning
and pass the HCIA-openEuler certification exam.

Contents

About This Document ........ 3
Overview ........ 3
Description ........ 3
Background Knowledge Required ........ 3
1 Comprehensive Practice – Preparation ........ 1
1.1 Environment Planning and Resource Preparation ........ 1
1.1.1 Environment Planning ........ 1
1.1.2 Resource Preparation ........ 2
1.2 Ansible Controller Configurations and Basic Host Configurations ........ 2
1.2.1 Ansible Installation and Basic Configurations ........ 2
1.2.2 Basic Configurations ........ 3
2 Comprehensive Practice – Implementation ........ 5
2.1 Basic Software Installation ........ 5
2.2 Service Configurations ........ 8
2.2.1 MySQL Active/Standby Cluster Configurations ........ 8
2.2.2 GlusterFS Cluster Setup ........ 11
2.2.3 Apache Service Configurations ........ 14
2.2.4 Nginx + Keepalived + LVS Cluster Configurations ........ 17
2.2.5 DNS Configurations ........ 20
2.2.6 Zabbix Configurations ........ 20

1 Comprehensive Practice – Preparation

1.1 Environment Planning and Resource Preparation


1.1.1 Environment Planning
The following table lists required ECS addresses and host names.

Service                           Host        IP Address      Description
LVS + Keepalived cluster          LVS-01      192.168.1.11    Service plane
(Floating IP address:                         10.0.0.11       Data and storage planes
192.168.1.10)                     LVS-02      192.168.1.12    Service plane
                                              10.0.0.12       Data and storage planes
Nginx cluster                     Nginx-01    10.0.0.13       Service plane
                                  Nginx-02    10.0.0.14       Service plane
GlusterFS cluster                 Cluster-01  10.0.0.21       Storage plane
(Floating IP address: 10.0.0.20)  Cluster-02  10.0.0.22       Storage plane
                                  Cluster-03  10.0.0.23       Storage plane
MySQL cluster                     MySQL-01    10.0.0.31       Data plane
                                  MySQL-02    10.0.0.32       Data plane
Apache cluster                    Apache-01   10.0.0.41       Data and storage planes
                                  Apache-02   10.0.0.42       Data and storage planes
DNS                               DNS         192.168.1.13    Service plane
Ansible                           Ansible     192.168.1.50    Management plane
Zabbix                            Zabbix      192.168.1.15    Service plane
                                              10.0.0.15       Management plane

The mask of all addresses is 24 bits. The gateway of 192.168.1.0/24 is 192.168.1.1. No
gateway is set for the 10.0.0.0/24 network segment.
In addition, an Elastic Volume Service (EVS) drive with at least 11 GB capacity must be
attached to the host in the GlusterFS cluster.

1.1.2 Resource Preparation


Purchase ECSs on Huawei Cloud based on the following plan:

ECS Usage          Specification                              Quantity  Description
Ansible            1 vCPUs | 2 GiB | s7.medium.2, single NIC  1         Ansible installation
LVS cluster        2 vCPUs | 4 GiB | s7.large.2, dual NICs    2         Layer-4 proxy
Nginx cluster      1 vCPUs | 2 GiB | s7.medium.2, single NIC  2         Layer-7 proxy
GlusterFS cluster  1 vCPUs | 2 GiB | s7.medium.2, single NIC  3
MySQL cluster      1 vCPUs | 2 GiB | s7.medium.2, single NIC  2         Database for all applications
Apache cluster     1 vCPUs | 2 GiB | s7.medium.2, single NIC  2         Web service
DNS                1 vCPUs | 2 GiB | s7.small.1, single NIC   1
Zabbix             1 vCPUs | 2 GiB | s7.medium.2, dual NICs   1

1.2 Ansible Controller Configurations and Basic Host Configurations
1.2.1 Ansible Installation and Basic Configurations
Install Ansible and perform basic configurations by following the instructions provided in
section 1.1 in Automation Management.
The following lists the configured hosts for reference:

[Apache]
10.0.0.41 host=01
10.0.0.42 host=02
[Nginx]
10.0.0.13 host=01
10.0.0.14 host=02
[Gluster]
10.0.0.21 host=01
10.0.0.22 host=02
10.0.0.23 host=03
[Mysql]
10.0.0.31 host=01
10.0.0.32 host=02
[keepalive]
192.168.1.[11:12]
10.0.0.[21:23]
[lvs]
192.168.1.[11:12]
[dns]
192.168.1.13 host=dns
[zabbix]
192.168.1.15 host=zabbix

After the configuration is complete, use the ping module to test whether the
communication between the Ansible controller and all services is normal by running the
following command:

[root@Ansible ~]# ansible all -m ping

1.2.2 Basic Configurations


Step 1 Change ECS host names.

Write a playbook that changes the host names of all ECSs to the planned values. The
following playbook content is for reference only:

---
- hosts: Nginx
  remote_user: root
  gather_facts: no

  tasks:
    - name: set hostname for Nginx
      hostname:
        name=Nginx-{{ host }}

- hosts: Mysql
  remote_user: root
  gather_facts: no

  tasks:
    - name: set hostname for Mysql
      hostname:
        name=Mysql-{{ host }}

- hosts: Gluster
  remote_user: root
  gather_facts: no

  tasks:
    - name: set hostname for Gluster
      hostname:
        name=Gluster-{{ host }}

- hosts: dns:zabbix
  remote_user: root
  gather_facts: no

  tasks:
    - name: set hostname for dns and zabbix
      hostname:
        name={{ host }}

2 Comprehensive Practice – Implementation

2.1 Basic Software Installation


Step 1 Install and configure Apache and PHP components.

Write a playbook to install the Apache and PHP components on Apache1 and Apache2. The
following information is for reference:

---
- hosts: Apache
  remote_user: root
  gather_facts: no

  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: present
    - name: enable and start httpd
      service:
        name: httpd
        state: started
        enabled: yes
    - name: install php
      yum:
        name: php
        state: present
    - name: install php-mysqlnd
      yum:
        name: php-mysqlnd
        state: present

Step 2 Install a MySQL database.

Write a playbook to install the MySQL components on MySQL1 and MySQL2. The
following information is for reference:

---
- hosts: Mysql
  remote_user: root
  gather_facts: no

  tasks:
    - name: install mysql
      yum:
        name: mysql-server
        state: present
    - name: enable and start mysql
      service:
        name: mysqld
        state: started
        enabled: yes

Step 3 Install Keepalived.

Write a playbook to install the Keepalived components on Nginx1, Nginx2, Gluster1,
Gluster2, and Gluster3. The following information is for reference:

---
- hosts: Nginx:Gluster
  remote_user: root
  gather_facts: no

  tasks:
    - name: install keepalived
      yum:
        name: keepalived
        state: present

⚫ Question: In the preceding tasks, why is Keepalived not started after it is installed?
Answer: After Keepalived is installed, its configuration files are identical on all hosts. If
Keepalived is started at this point, the startup fails. Therefore, you are advised to start
Keepalived only after it has been configured.

Step 4 Install Nginx.

Write a playbook to install the Nginx components on Nginx1, Nginx2, and Zabbix. The
following information is for reference:

---
- hosts: Nginx:zabbix
  remote_user: root
  gather_facts: no

  tasks:
    - name: install nginx
      yum:
        name: nginx
        state: present
    - name: enable and start nginx
      service:
        name: nginx
        state: started
        enabled: yes

- hosts: zabbix
  remote_user: root
  gather_facts: no

  tasks:
    - name: install php
      yum:
        name: php
        state: present
    - name: config port of php
      lineinfile:
        path: /etc/php-fpm.d/www.conf
        insertafter: "listen.allowed_clients = 127.0.0.1"
        line: "listen = 9000"
    - name: enable and start php
      service:
        name: php-fpm
        state: started
        enabled: yes

Step 5 Install GlusterFS.

Write a playbook to install the GlusterFS components on Gluster-01, Gluster-02, and
Gluster-03. The following information is for reference:

---
- hosts: Gluster
  remote_user: root
  gather_facts: no

  tasks:
    - name: install glusterfs-server
      yum:
        name: glusterfs-server
        state: present
    - name: enable and start glusterfs-server
      service:
        name: glusterd
        state: started
        enabled: yes

Step 6 Install the DNS service.

Write a playbook to install the bind components on the DNS host. The following
information is for reference:

---
- hosts: dns
  remote_user: root
  gather_facts: no

  tasks:
    - name: install dns
      yum:
        name: bind
        state: present
    - name: enable and start named
      service:
        name: named
        state: started
        enabled: yes

2.2 Service Configurations


Ansible does not have a dedicated module for configuring the database. Therefore, you
need to log in to the data host to modify some configurations.

2.2.1 MySQL Active/Standby Cluster Configurations


Step 1 Initialize the database.

Use playbook to initialize the database and set the password of the root user to
Huawei@123. The following information is for reference:

---
- hosts: Mysql
  remote_user: root
  gather_facts: no

  tasks:
    - name: set password for root
      command: mysql -e "alter user root@'localhost' identified by 'Huawei@123';"

Step 2 Modify the configuration file of the active database.

Set 10.0.0.31 as the master node of the MySQL cluster using playbook. The following
information is for reference:

---
- hosts: 10.0.0.31
  remote_user: root
  gather_facts: no

  tasks:
    - name: create user for replication
      command: mysql -uroot -p"Huawei@123" -e "create user slave identified with mysql_native_password by 'Huawei@123';"
    - name: grant replication for slave
      command: mysql -uroot -p"Huawei@123" -e "GRANT REPLICATION SLAVE ON *.* to 'slave'@'%';"
    - name: enable privileges
      tags: master
      command: mysql -uroot -p"Huawei@123" -e "FLUSH PRIVILEGES;"
    - name: config master
      lineinfile:
        path: /etc/my.cnf
        line: "{{ item }}"
        state: present
      with_items:
        - 'server-id=1'
        - 'log-bin=/var/lib/mysql/binlog'
      notify: restart mysqld

  handlers:
    - name: restart mysqld
      service:
        name: mysqld
        state: restarted

Run the following command to view the current binary log name and offset of the
primary service:

ansible 10.0.0.31 -a 'mysql -uroot -p"Huawei@123" -e "show master status;"'

See the following figure.

Step 3 Modify the configuration file of the standby database.

Set 10.0.0.32 as the slave node of the MySQL cluster using playbook. The following
information is for reference:

---
- hosts: 10.0.0.32
  remote_user: root
  gather_facts: no

  tasks:
    - name: config slave
      lineinfile:
        path: /etc/my.cnf
        line: "{{ item }}"
        state: present
      with_items:
        - 'server-id=2'
        - 'log-bin=/var/lib/mysql/binlog'
      notify: restart slave
    - name: choose master
      tags: master
      command: mysql -uroot -p"Huawei@123" -e "CHANGE MASTER TO MASTER_HOST='10.0.0.31',MASTER_PORT=3306,MASTER_USER='slave',MASTER_PASSWORD='Huawei@123',MASTER_LOG_FILE='binlog.000002',MASTER_LOG_POS=157;"
    - name: start slave
      tags: start
      command: mysql -uroot -p"Huawei@123" -e "start slave;"

  handlers:
    - name: restart slave
      service:
        name: mysqld
        state: restarted

Run the following command to check the slave status:

ansible 10.0.0.32 -a 'mysql -uroot -p"Huawei@123" -e "show slave status\G;"'

See the following figure.

If the status is Yes, the MySQL active/standby cluster is successfully created. Otherwise,
the creation fails. For details about the failure cause, see Last_IO_Error in the command
output.
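A check that makes the "status is Yes" rule above explicit, as an added example that is not part of the lab guide: it parses the \G output of show slave status (as printed by the ansible command in this step) and reports the problems the guide tells you to look for, Last_IO_Error included. The two sample outputs are constructed for the lab's addresses (10.0.0.31 as master, 10.0.0.32 as replica); the 30-second lag threshold is an assumption.

```python
"""Health check for the MySQL active/standby pair built in this section.

Added example, not part of the lab guide.  It parses the text that
`mysql -e "show slave status\\G"` prints and applies the rule the guide
states: both replication threads must report Yes, and Last_IO_Error explains
an IO-thread failure.  Sample outputs are constructed for the lab's plan
(10.0.0.31 master, 10.0.0.32 replica).
"""
import re

# One "Field: value" line of \G output; the value may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z_]\w*):\s?(.*)$")


def parse_status_g(output: str) -> dict:
    """Turn \\G output into a dict, skipping the '*** 1. row ***' banner."""
    fields = {}
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def replica_health(output: str, expected_master: str = "10.0.0.31",
                   max_lag_seconds: int = 30) -> dict:
    """Return {'healthy': bool, 'lag': int|None, 'problems': [...]}.

    A host that was never configured as a replica prints no rows at all,
    which a bare 'look for Yes' check would silently miss; report it.
    """
    f = parse_status_g(output)
    if not f:
        return {"healthy": False, "lag": None,
                "problems": ["not a replica: show slave status returned no rows"]}

    problems = []
    if f.get("Slave_IO_Running") != "Yes":
        problems.append("IO thread %s: %s" % (
            f.get("Slave_IO_Running", "missing"),
            f.get("Last_IO_Error") or "no error text"))
    if f.get("Slave_SQL_Running") != "Yes":
        problems.append("SQL thread %s: %s" % (
            f.get("Slave_SQL_Running", "missing"),
            f.get("Last_SQL_Error") or "no error text"))
    # Replicating from an unplanned host is a misconfiguration even if the threads run.
    if f.get("Master_Host") != expected_master:
        problems.append("Master_Host is %s, expected %s" % (f.get("Master_Host"), expected_master))

    lag = None
    raw_lag = f.get("Seconds_Behind_Master", "NULL")  # NULL while the IO thread is down
    if raw_lag.isdigit():
        lag = int(raw_lag)
        if lag > max_lag_seconds:
            problems.append("replica is %d s behind master" % lag)

    return {"healthy": not problems, "lag": lag, "problems": problems}


# Constructed sample: a healthy replica right after "start slave".
SAMPLE_HEALTHY = """\
*************************** 1. row ***************************
               Slave_IO_State: Waiting for source to send event
                  Master_Host: 10.0.0.31
                  Master_User: slave
                  Master_Port: 3306
              Master_Log_File: binlog.000002
          Read_Master_Log_Pos: 157
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 0
                Last_IO_Error:
               Last_SQL_Error:
"""

# Constructed sample: the IO thread cannot log in, e.g. because the password in
# CHANGE MASTER TO does not match the one the replication user was created with.
SAMPLE_AUTH_FAILURE = """\
*************************** 1. row ***************************
               Slave_IO_State: Connecting to source
                  Master_Host: 10.0.0.31
                  Master_User: slave
             Slave_IO_Running: Connecting
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL
                Last_IO_Error: error connecting to master 'slave@10.0.0.31:3306' - retry-time: 60 retries: 1 message: Access denied for user 'slave'@'10.0.0.32' (using password: YES)
               Last_SQL_Error:
"""

if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("auth failure", SAMPLE_AUTH_FAILURE)):
        print(name, replica_health(sample))
```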

Step 4 Create the database and user required by WordPress.

Run the following command to create the database required by WordPress and set the
name of the created database to WP as planned:

ansible 10.0.0.31 -a 'mysql -uroot -p"Huawei@123" -e "create database WP character set = utf8mb4;"'

After the creation is complete, check whether the WP is synchronized on the standby
node.

ansible 10.0.0.32 -a 'mysql -uroot -p"Huawei@123" -e "show databases"'

If the synchronization is successful, the database is successfully configured.


Finally, log in to 10.0.0.31 and run the following commands to create the user required
by WordPress:

mysql> CREATE USER wp@'%' identified by 'Huawei@123';
mysql> GRANT ALL PRIVILEGES ON WP.* TO 'wp'@'%';
mysql> FLUSH PRIVILEGES;

2.2.2 GlusterFS Cluster Setup


Step 1 Create partitions required by the GlusterFS cluster.

Create two partitions, vdb1 and vdb2, each with 5 GB capacity, on every GlusterFS node.
Format the partitions as xfs and mount them to /mnt/point1 and /mnt/point2
respectively; point1 and point2 serve as the GlusterFS bricks. For details about the
playbook content, see the following:

---
- hosts: Gluster
  remote_user: root
  gather_facts: no

  tasks:
    - name: create mount brick1
      file:
        path: /mnt/point1
        state: directory
    - name: create mount brick2
      file:
        path: /mnt/point2
        state: directory
    - name: install parted
      yum:
        name: parted
        state: present
    - name: create part1
      parted:
        device: /dev/vdb
        number: 1
        part_end: 5GiB
        state: present
    - name: create part2
      parted:
        device: /dev/vdb
        number: 2
        part_start: 5GiB
        part_end: 10GiB
        state: present
    - name: install xfsprogs
      yum:
        name: xfsprogs
        state: present
    - name: format vdb1
      filesystem:
        dev: /dev/vdb1
        fstype: xfs
        force: yes
    - name: format vdb2
      filesystem:
        dev: /dev/vdb2
        fstype: xfs
        force: yes
    - name: mount vdb1
      mount:
        src: /dev/vdb1
        path: /mnt/point1
        fstype: xfs
        state: mounted
    - name: mount vdb2
      mount:
        src: /dev/vdb2
        path: /mnt/point2
        fstype: xfs
        state: mounted
    - name: config hosts
      lineinfile:
        path: /etc/hosts
        line: "{{ item }}"
        state: present
      with_items:
        - '10.0.0.21 Gluster-01'
        - '10.0.0.22 Gluster-02'
        - '10.0.0.23 Gluster-03'

Step 2 Create a GlusterFS cluster.

Use Keepalived to configure three GlusterFS nodes as an HA cluster. First, create the
jinja2 template corresponding to the Keepalived configuration file. For details, see the
following content:

! Configuration File for keepalived

global_defs {
    router_id {{ ansible_fqdn }}
}

vrrp_instance Nginx {
    state {{ role }}
    interface ens3
    virtual_router_id 52
    priority {{ priority }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.20/24
    }
}

Use playbook to upload the template to each node and start the Keepalived service. Refer
to the following to configure playbook:
Comprehensive Practice Page 13

---
- hosts: 10.0.0.21
  remote_user: root
  vars:
    - role: MASTER
    - priority: 255

  tasks:
    - name: upload configuration to glusterfs
      template: src=/root/yaml/file/keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf
    - name: restart keepalived
      service:
        name: keepalived
        state: started
        enabled: yes

- hosts: 10.0.0.22
  remote_user: root
  vars:
    - role: BACKUP
    - priority: 200

  tasks:
    - name: upload configuration to glusterfs
      template: src=/root/yaml/file/keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf
    - name: restart keepalived
      service:
        name: keepalived
        state: started
        enabled: yes

- hosts: 10.0.0.23
  remote_user: root
  vars:
    - role: BACKUP
    - priority: 100

  tasks:
    - name: upload configuration to glusterfs
      template: src=/root/yaml/file/keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf
    - name: restart keepalived
      service:
        name: keepalived
        state: started
        enabled: yes

Step 3 Create logical volumes of GlusterFS.

Run the following commands to create logical volumes of GlusterFS:

ansible 10.0.0.21 -a "gluster peer probe Gluster-02"
ansible 10.0.0.21 -a "gluster peer probe Gluster-03"
ansible 10.0.0.21 -a "gluster volume create wp disperse 3 redundancy 1 Gluster-01:/mnt/point1 Gluster-02:/mnt/point1 Gluster-03:/mnt/point1 force"
ansible 10.0.0.21 -a "gluster volume start wp"
ansible 10.0.0.21 -a "gluster volume create image disperse 3 redundancy 1 Gluster-01:/mnt/point2 Gluster-02:/mnt/point2 Gluster-03:/mnt/point2 force"
ansible 10.0.0.21 -a "gluster volume start image"

2.2.3 Apache Service Configurations


Step 1 Add PHP-related configurations.

Write a playbook that adds the PHP-related configuration to the Apache configuration file.
For details, see the following content:

---
- hosts: Apache
  remote_user: root
  gather_facts: no

  tasks:
    - name: config php
      lineinfile:
        path: /etc/httpd/conf/httpd.conf
        insertafter: AddType application/x-gzip .gz .tgz
        line: " AddType application/x-httpd-php .php"

Step 2 Mount logical volumes provided by GlusterFS.

According to the plan, WordPress files are stored in the /data/wp/ directory on the
Apache server, and static data is stored in the /data/image directory. Therefore, you
need to write a playbook that creates the corresponding directories and mounts the
GlusterFS logical volumes to them, as follows:

---
- hosts: Apache
  remote_user: root
  gather_facts: no

  tasks:
    - name: create wp
      file:
        path: /data/wp
        owner: apache
        group: apache
        recurse: yes
        state: directory
    - name: create image
      file:
        path: /data/image
        owner: apache
        group: apache
        recurse: yes
        state: directory
    - name: install glusterfs client
      yum:
        name: glusterfs-client
        state: present
    - name: config hosts
      lineinfile:
        path: /etc/hosts
        line: "{{ item }}"
        state: present
      with_items:
        - '10.0.0.21 Gluster-01'
        - '10.0.0.22 Gluster-02'
        - '10.0.0.23 Gluster-03'
    - name: mount glusterfs to wp
      mount:
        name: /data/wp
        src: 10.0.0.20:/wp
        fstype: glusterfs
        state: mounted
        opts: defaults,_netdev
    - name: mount glusterfs to image
      mount:
        name: /data/image
        src: 10.0.0.20:/image
        fstype: glusterfs
        state: mounted
        opts: defaults,_netdev

Step 3 Create a virtual host.

Create a configuration file for configuring the Apache virtual host in Ansible as follows:

<VirtualHost *:81>
    ServerName localhost
    DocumentRoot "/data/wp/"
    <Directory "/data/wp">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:82>
    DocumentRoot "/data/image"
    <Directory "/data/image">
        AllowOverride None
        Require all granted
    </Directory>
    ServerName localhost
</VirtualHost>

Use playbook to send the configuration to the Apache host and enable the corresponding
port as follows:

---
- hosts: Apache
  remote_user: root
  gather_facts: no

  tasks:
    - name: upload configure
      copy:
        src: /root/yaml/file/vhost.conf
        dest: /etc/httpd/conf.d/vhost.conf
    - name: set 81 and 82
      lineinfile:
        path: /etc/httpd/conf/httpd.conf
        insertafter: Listen 80
        line: "{{ item }}"
      with_items:
        - "Listen 81"
        - "Listen 82"
    - name: restart httpd
      service:
        name: httpd
        state: restarted

Step 4 Create a static page.

Log in to an Apache host, for example, host 10.0.0.41, to perform the following
operations.
Create a static page for displaying images as follows:

<!DOCTYPE html>
<html>
<head>
    <title>Image display page</title>
    <style>
        img {
            max-width: 100%;
            height: auto;
        }
        .separator {
            border-top: 2px solid #000;
            margin: 20px 0;
        }
    </style>
</head>
<body>
    <h1>Image display page</h1>
    <ul>
        <li><img src="image1.png" alt="image1.png"></li>
        <li class="separator"></li>
        <li><img src="image2.png" alt="image2.png"></li>
        <li class="separator"></li>
        <li><img src="image3.png" alt="image3.png"></li>
        <li class="separator"></li>
        <li><img src="image4.png" alt="image4.png"></li>
    </ul>
</body>
</html>

Save the file to the /data/image/ directory and upload four images named image1.png,
image2.png, image3.png, and image4.png to this directory. After the upload is complete,
the files in the /data/image/ directory are shown as follows.
⚫ Question: Why is only one Apache host required to perform the preceding
operations?
Answer: The same GlusterFS logical volumes are mounted to two Apache hosts.
Therefore, the data is consistent. Once you perform the operations on one Apache host,
you can view the same data on the other Apache host.

Step 5 Create WordPress.

Create WordPress on one Apache host by referring to the previous content.

Step 6 Conduct a test.

After all the preceding configurations are complete, use the EIP and port of the Apache
host to check whether the corresponding page can be accessed. Ensure that the page is
correct before performing subsequent operations.

2.2.4 Nginx + Keepalived + LVS Cluster Configurations


Step 1 Use Nginx to configure a layer-7 proxy for Apache.

On the Ansible host, create a layer-7 proxy configuration file required by Nginx and use
the planned addresses to access WordPress and images as follows:

upstream wp {
    # WordPress is served by the Apache virtual host on port 81 (see the note below)
    server blog.test.com:81;
}
upstream image {
    server 10.0.0.41:82;
    server 10.0.0.42:82;
}
server {
    listen 80;
    server_name 10.0.0.12;
    location /blog/ {
        proxy_pass http://wp/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    location /image/ {
        proxy_pass http://image/;
    }
}

Note: WordPress writes the access address to the database; for example, 10.0.0.41:81 is
the address used during WordPress installation.

Use a playbook to upload the file to the Nginx host and reload the Nginx service as
follows:

---
- hosts: Nginx
  remote_user: root

  tasks:
    - name: upload configure
      template:
        src: /root/yaml/file/proxy.conf
        dest: /etc/nginx/conf.d/proxy.conf
    - name: reload nginx
      service:
        name: nginx
        state: reloaded

Log in to the Nginx host and set the gateway to the DIP of the active LVS:

nmcli con mod "System enp4s4" +ipv4.gateway 10.0.0.11

Run the following command for the configuration to take effect:

nmcli con down "System enp4s4" && nmcli con up "System enp4s4"

Step 2 Use LVS and Keepalived to configure a layer-4 proxy for Nginx.

Write the Keepalived configuration template as follows:

! Configuration File for keepalived

global_defs {
    router_id {{ ansible_fqdn }}
}

vrrp_instance LVS {
    state {{ role }}
    interface ens3
    virtual_router_id 53
    priority {{ priority }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.10/24
    }
}

virtual_server 192.168.1.10 80 {
    delay_loop 6
    lb_algo rr
    lb_kind NAT
    persistence_timeout 50
    protocol TCP

    real_server 10.0.0.13 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
    real_server 10.0.0.14 80 {
        weight 2
        TCP_CHECK {
            connect_timeout 3
            retry 3
            delay_before_retry 3
        }
    }
}

Write a playbook that uploads the Keepalived configuration template to each LVS host
and restarts the Keepalived service, as follows:

---
- hosts: 192.168.1.11
  remote_user: root
  vars:
    role: MASTER
    priority: 255

  tasks:
    - name: upload keepalived configuration
      template: src=/root/yaml/file/lvs-keep.conf.j2 dest=/etc/keepalived/keepalived.conf
    - name: restart keepalived
      service:
        name: keepalived
        state: restarted
        enabled: yes

- hosts: 192.168.1.12
  remote_user: root
  vars:
    role: BACKUP
    priority: 200

  tasks:
    - name: upload keepalived configuration
      template: src=/root/yaml/file/lvs-keep.conf.j2 dest=/etc/keepalived/keepalived.conf
    - name: restart keepalived
      service:
        name: keepalived
        state: restarted
        enabled: yes
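As an added check (not part of the lab guide), the following Python renders a constructed copy of the VRRP section of the template with the two var sets from the playbook above and verifies what a working failover pair depends on: the same virtual_router_id, authentication and VIP on both hosts, and a MASTER priority above the BACKUP priority. Ansible's template module is stood in for by a simple placeholder substitution, and the host names lvs-01 and lvs-02 are assumptions.

```python
import re

# Constructed copy of the VRRP part of lvs-keep.conf.j2 from the guide (added example).
TEMPLATE = """\
global_defs {
    router_id {{ ansible_fqdn }}
}
vrrp_instance LVS {
    state {{ role }}
    interface ens3
    virtual_router_id 53
    priority {{ priority }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.10/24
    }
}
"""

def render(template, variables):
    """Substitute {{ name }} placeholders (a simplified stand-in for Ansible's template module)."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: str(variables[m.group(1)]), template)

def vrrp_params(config):
    """Pull the settings of the first vrrp_instance block into a dict."""
    body = re.search(r"vrrp_instance\s+\S+\s*\{(.*?)\n\}", config, re.S).group(1)
    params = {k: re.search(rf"^\s*{k}\s+(\S+)", body, re.M).group(1)
              for k in ("state", "virtual_router_id", "priority", "auth_type", "auth_pass")}
    params["vip"] = re.search(r"virtual_ipaddress\s*\{\s*(\S+)", body).group(1)
    return params

def check_pair(master_cfg, backup_cfg):
    """Return the list of problems found; an empty list means the pair is consistent."""
    m, b = vrrp_params(master_cfg), vrrp_params(backup_cfg)
    problems = [f"{k} differs: {m[k]} vs {b[k]}"
                for k in ("virtual_router_id", "auth_type", "auth_pass", "vip") if m[k] != b[k]]
    if (m["state"], b["state"]) != ("MASTER", "BACKUP"):
        problems.append("states are not MASTER/BACKUP")
    if int(m["priority"]) <= int(b["priority"]):
        problems.append("MASTER priority must be higher than BACKUP priority")
    return problems

# The two var sets from the guide's playbook; the ansible_fqdn values are assumed.
MASTER = render(TEMPLATE, {"ansible_fqdn": "lvs-01", "role": "MASTER", "priority": 255})
BACKUP = render(TEMPLATE, {"ansible_fqdn": "lvs-02", "role": "BACKUP", "priority": 200})
```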
2.2.5 DNS Configurations


Step 1 Configure the DNS service.

In this practice there is only one DNS server, so you can log in to it directly to
configure it. According to the plan, www.test.com must resolve to 192.168.1.10, and an
A record for blog.test.com must resolve to both 10.0.0.41 and 10.0.0.42. The DNS zone
file is as follows:

$TTL 1D
@       IN SOA  master.test.com. admin.test.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      master
master  A       192.168.1.10
www     CNAME   main
main    A       192.168.1.10
blog    A       10.0.0.41
blog    A       10.0.0.42

Supplement the other configurations by referring to chapter 1 so that hosts in the
192.168.1.x/24 network segment can resolve www.test.com and the Nginx hosts can resolve
blog.test.com.
When WordPress is installed, it writes the address of the host where it is located to the
database. You need to change the address in the database to blog.test.com on the
MySQL host.

use WP;
update wp_options set option_value="http://blog.test.com:81" where option_name="home";
update wp_options set option_value="http://blog.test.com:81" where option_name="siteurl";

2.2.6 Zabbix Configurations


Step 1 Install zabbix-server.

In this practice, zabbix-server is deployed as a single node. Install zabbix-server on
the zabbix host based on what you have learned.

Step 2 Install zabbix-agent.

Write a playbook to install zabbix-agent2 on all involved hosts as follows:

---
- hosts: all
  remote_user: root
  gather_facts: no

  tasks:
    - name: install zabbix-release
      command: rpm -Uvh https://repo.zabbix.com/zabbix/6.2/rhel/8/x86_64/zabbix-release-6.2-3.el8.noarch.rpm
    - name: install zabbix-agent2
      yum:
        name: zabbix-agent2
        state: present
    - name: assign IP of zabbix_server
      replace:
        path: /etc/zabbix/zabbix_agent2.conf
        regexp: Server=127.0.0.1
        replace: Server=10.0.0.31
    - name: enable zabbix-agent2
      service:
        name: zabbix-agent2
        state: started
        enabled: yes

Step 3 Add hosts.

Add all hosts on the Zabbix web page. The following figure shows some host information.

------------End----------------
