RHEL7 RHCSA Exam objectives

Understand and use essential tools

Access a shell prompt and issue commands with correct syntax.

Use input-output redirection (>, >>, |, 2>, etc.).
Use grep and regular expressions to analyze text.
Access remote systems using ssh.
Log in and switch users in multiuser targets.
Archive, compress, unpack, and uncompress files using tar, star, gzip, and
bzip2.
Create and edit text files.
Create, delete, copy, and move files and directories.
Create hard and soft links.
List, set, and change standard ugo/rwx permissions.
Locate, read, and use system documentation including man, info, and files
in /usr/share/doc.

NOTE: Red Hat may use applications during the exam that are not included in Red
Hat Enterprise Linux for the purpose of evaluating candidates abilities to meet this
objective.
Operate running systems

Boot, reboot, and shut down a system normally.

Boot systems into different targets manually.
Interrupt the boot process in order to gain access to a system.
Identify CPU/memory intensive processes, adjust process priority with renice,
and kill processes.
Locate and interpret system log files and journals.
Access a virtual machines console.
Start and stop virtual machines.
Start, stop, and check the status of network services.
Securely transfer files between systems.

Configure local storage

List, create, delete partitions on MBR and GPT disks.

Create and remove physical volumes, assign physical volumes to volume
groups, and create and delete logical volumes.
Configure systems to mount file systems at boot by Universally Unique ID
(UUID) or label.
Add new partitions and logical volumes, and swap to a system nondestructively.

Create and configure file systems

Create, mount, unmount, and use vfat, ext4 and xfs file systems.
Mount and unmount CIFS and NFS network file systems.
Extend existing logical volumes.
Create and configure set-GID directories for collaboration.
Create and manage Access Control Lists (ACLs).
Diagnose and correct file permission problems.

Deploy, configure, and maintain systems

Configure networking and hostname resolution statically or dynamically.

Schedule tasks using at and cron.
Start and stop services and configure services to start automatically at boot.
Configure systems to boot into a specific target automatically.
Install Red Hat Enterprise Linux automatically using Kickstart.
Configure a physical machine to host virtual guests.
Install Red Hat Enterprise Linux systems as virtual guests.
Configure systems to launch virtual machines at boot.
Configure network services to start automatically at boot.
Configure a system to use time services.
Install and update software packages from Red Hat Network, a remote
repository, or from the local file system.
Update the kernel package appropriately to ensure a bootable system.
Modify the system bootloader.

Manage users and groups

Create, delete, and modify local user accounts.

Change passwords and adjust password aging for local user accounts.
Create, delete, and modify local groups and group memberships.
Configure a system to use an existing authentication service for user and
group information.

Manage security

Configure firewall settings using firewall-config, firewall-cmd, or iptables.

Configure key-based authentication for SSH.
Set enforcing and permissive modes for SELinux.
List and identify SELinux file and process context.
Restore default file contexts.
Use boolean settings to modify system SELinux settings.
Diagnose and address routine SELinux policy violations.

RHEL7 Changes
1. System changes
New kernel
The RHEL 7 distribution uses the 3.10 kernel. This choice comes from one of the
main Linux kernel developer, Greg Kroah-Hartman, who decided in August 2013 that
this kernel version would receive long-term support.
There is no 32-bit version any more.
Numa improvement
NUMA stands for Non-Uniform Memory Access. In multi-socket server systems, local
memory is directly connected to each processor, resulting in sub-optimal use of the
memory and non-uniform access times.
Red Hat Enterprise Linux 7 introduces a new automatic NUMA balancing feature that
achieves results close to what a performance specialist can provide.
Systemd
The Systemd component replaces the SysVinit part that was in charge of the system
initialization. This is not a shallow change but a deep reorganization. The main
purpose of this replacement is to boot quicker and smarter.
The systemctl command is the most visible face of the Systemd component. It
replaces the still available but deprecated chkconfig and service commands.
A Systemd beginners guide is available. Also, you can look at Lennart Poetterings
video (51min) to get all the story behind Systemd.
In addition, Red Hat annual Summit (2014) provided a presentation called
Demystifying systemd.
OpenLMI
Its sometimes painful when managing hundreds of servers to connect to each of
them separately.
OpenLMI offers an alternative allowing a system administrator to send commands
from a unique client without any ssh connection.
An OpenLMI beginners guide is available. Also, you can look at Tomas Smetanas
video (45min) or the Red Hat annual Summit presentation (2014) about OpenLMI.
Linux Containers

Rather than going for full virtualization with a serious overhead, its sometimes
more relevant to use a lighter approach. The RHEL 7 provides at least (!) two kinds
of Linux containers: those based on virt-sandbox-service, these should be almost
production-ready, and those based on systemd-nspawn for testing. Instructions to
discover the formers (virt-sandbox-service Linux Containers) are available.
You can watch Lennart Poetterings video (54min) to learn more about the latters.
KVM Virtualization
USB 3.0 ports are now supported on KVM Guests.
It is now possible to do a VM live migration from RHEL 6.5 to RHEL 7.
The new virtio-rng driver allows a guest to draw entropy from the host, alleviating
entropy starvation in guests.
With libseccomp, applications can now define interactions with the kernel using
syscall filtering, to reduce the risk of a malicious guest exploiting a kernel
vulnerability.
The virtio-net networking stack has been improved by adding a multi-queue NIC
feature that removes the single queue NIC bottleneck and allows the virtual NIC to
process networking packets in parallel.
Thanks to the new graphics PCI pass through capability, it is now possible to assign
a GPU directly to a virtual machine and provide 3D graphics acceleration for
computing or visualization.
Virtual CPUs (vCPUs) can be now added to a running virtual machine.
QCOW2 version 3 Image Format is now supported.
New Intel instructions are available on KVM Guests:

Floating-Point Fused Multiply-Add,

256-bit Integer vectors,
big-endian move instruction (MOVBE),
HLE/HLE+.

UID/GID
UID (user ID) and GID (group ID) now start by default at 1000 instead of 500. This
slight change can create conflicts when migrating from RHEL 6 to RHEL 7 or when
using pre-RHEL 7 tools.
Man Pages Index Database

The man pages index database used by the whatis and apropos commands is now
updated through the mandb command. The makewhatis command, previously used
for this purpose, has been removed.
2. Security changes
FIREWALLD

After Ipfwadm (2.0.X kernels), Ipchains (2.2.X kernels) and Iptables (2.4.X/2.6.X
kernels), there is now Firewalld which stands for Dynamic Firewall.
This new firewall evolution brings several advantages:

no connection cut during firewall reconfiguration,

use of temporary configuration disappearing after reload/restart,
services with their characteritics (ports, protocoles, modules) already
recorded,
predefined zones with various levels of trust,
D-BUS applications support,
use of rich rules.

The configuration consists in putting the server network interfaces into zones with
the firewall-cmd command or the firewall-config graphical application.
The built-in configuration is located under the /usr/lib/firewalld directory. The
configuration that you can customize is under the /etc/firewalld directory.
It is not possible to use Firewalld and Iptables at the same time. But it is still
possible to disable Firewalld and use Iptables as before.
Further information can be found on the Fedora Project website, explanations about
rich rules included.
A Firewalld beginners guide is available. Also, you can look at Thomas Woerners
video (45min) about Firewalld.
In addition, the Red Hat annual Summit (2014) provided a presentation about the
Next Generation Firewall.
FSS
FSS stands for Forward Secure Sealing. Its a new mechanism invented by Lennart
Poetterings brother (Beltram Poettering) to secure systemd journal.
As FSS is disable by default, everything starts after running the following command:
# journalctl --setup-keys

This commands generates a key pair of sealing key and verification key. The
verification key is only generated once, is not locally stored and must be recorded
by you straight away. There will be no way to recreate it (a QR code is displayed to
make the recording easier). Then, the sealing key will be used to sign all the
messages written into the journal until a predefined delay is reached (15min by
default). At this time, a new sealing key will be generated based on the previous
one with no history kept.
An attacker will not be able to sign old messages, the messages showing when he
broke into the system included, and will need to remove all of them. The removal of
journal messages should make the discovery of any hack easier.
This mechanism doesnt replace a centralized syslog server but offers minimal
security when no such a server is available.
You can also check Lennart Poetterings presentation on Google+.
Identity Management
There is now a better integration with Active Directory through cross-realm Kerberos
trust. This domain federation on the Kerberos level allows RHEL servers to accept
the users coming from Active Directory domains without loosing their native
features in terms of POSIX attributes and SELinux capabilities.
Sources: Red Hats blog and Gordon Haffs blog.
Additional information is available on the Red Hat Enterprise Linux Blog.
SELinux
Instead of putting all the system into SELinux permissive mode in order to debug a
process, it is now possible to only put this process into SELinux permissive mode.
SELinux instructions are available.
In addition, you can look at Dan Walshs presentation.
Also, the HTTPD SELinux policy (Apache and Nginx follow exactly the same SELinux
policy) gets a slightly different behavior by default: the httpd_unified boolean that
was previously enabled in RHEL 6 is now disabled by default in RHEL 7. A dedicated
article about this HTTPD SELinux change is available.
3. Storage change
GRUB2
As GRUB Legacy was not evolving anymore, it was necessary to move to another
solution. GRUB2 comes as a complete rewriting and provides the following new
features:

ability to boot on various file systems (xfs, ext4, ntfs, hfs+, raid, etc),
gzip files decompression on the fly,
management of all disk geometries,
support for GPT (GUID Partition Tables) and MBR (Master Boot Record),
portability with different architectures (BIOS, EFI, Coreboot, etc),
ability to load modules at execution time.

XFS
The new default file system for RHEL 7 is XFS. Its main advantage is to allow the
creation of file system up to 500TB (50TB in RHEL6) compare to the 50TB limit of
ext4 (16TB in RHEL6). This is in line with the requirements of some big Red Hat
customers.
According to Ric Wheeler (the lead for Red Hats storage and filesystem), XFS would
present these additional attractive features:

best performance for most workloads (especially with high speed storage and
larger number of cores),
tends to be less CPU intensive (better optimizations around lock contention,
etc),
the most robust at large scale has been run at hundred plus TB sizes for
many years (and todays storage is getting way bigger, 16TB is about half a
shelf of drives),
the most common file system in multiple key upstream communities: most
common base for ceph, gluster and openstack more broadly,
pioneered most of the techniques now in ext4 for performance (like delayed
allocation).

Also, unlike most of the other file systems, XFS doesnt execute any file system
check at boot time. In case of trouble, you have to rely on the xfs_repair command.
However, XFS has got one serious drawback. It doesnt allow file systems to be
reduced even when unmounted (shrinking support is considered but not available).
This is a good reason to stay with ext4 when big file systems are not needed. In
addition, ext4 tends to be faster with some specific workloads like single threaded,
metadata intensive workloads.
For those without any experience with XFS, a XFS beginners guide is available.
BTRFS
BTRFS is a technology preview. Although BTRFS (B-TRee File System) is not
completely production-ready, its capabilities (copy-on-write, snapshot, filesystem
online shrink, etc) are amazing.
You can get a preview through this Suse BTRFS presentation.

However, about BTRFS and SELinux, here is what Dan Walsh from Red Hat wrote in
one of his articles (Bringing new security features to Docker): SELinux currently will
only work with the device mapper back end. SELinux does not work with BTRFS.
BTRFS does not support context mount labeling yet, which prevents SELinux from
relabeling all content when the container starts via the mount command. Kernel
engineers are working on a fix for this and potentially Overlayfs if it gets merged
into the container.
NFS
The NFS 4.1 version is now supported, bringing better performance on increasinglycongested networks.
Better Parallel NFS client support has been added to improve integration with
commercially available pNFS servers.
Additional information is available on the Red Hat Enterprise Linux Blog. Also, a
presentation about NFS evolutions was given during the Red Hat annual Summit
(2014).
GFS2
GFS2 journaling code has been improved to reduce the number of journal update
operations, consolidate IO operations and increase overall GFS2 file system
performance.
In addition, GFS2 file system creation tools now utilize device topology knowledge,
deal with RAID stripe alignment, and carefully orchestrate the placement of
performance critical file system elements, such as journals and resource groups.
This improvement increases the scalability and performance of GFS2 not only during
file system creation time but also during file system usage.
Additional information is available on the Red Hat Enterprise Linux Blog.
iSCSI
The SCSI Target Daemon, tgtd, has been replaced by the LIO kernel target
subsystem, standard open source SCSI target for block storage. The latter is now
used for all of the following storage fabrics: FCoE, iSCSI, iSER, and SRP.
FS-Cache
FS-Cache is a fully supported feature in the Red Hat Enterprise Linux 7. It provides a
persistent local cache that can be used by file systems to take data retrieved over
the network and cache it on a local disk. This helps minimize network traffic for
users accessing data from a file system mounted over the network (for example,
NFS). FS-Cache can significantly reduce the network and server loading by satisfying
read requests locally without consuming network bandwidth.

Source: Red Hat Enterprise Linux Blog.

IO Scheduler

The IO scheduler policy has changed with Red Hat Enterprise Linux 7.
The default IO Scheduler is now CFQ for SATA drives and Deadline for everything
else.
Indeed, for faster storage than SATA drives, Deadline outperforms CFQ, giving a
performance increase without any special tuning.
Source: RHEL 7 Performance Tuning Guide.
Network changes,
Application changes.

RHEL7 RHCSA Whats new?

Securely transfer files between systems is a new objective that might require calling
the scp command.
Configure key-based authentication for SSH completes the previous objective and
requires an understanding of SSH configuration (this objective was previously part
of the RHCE exam objectives).
Configure a system to use an existing authentication service for user and group
information appears when Configure a system to use an existing LDAP directory
service for user and group information disappears; this new objective might require
mastering both sssd daemon and LDAP configuration.
Create, mount, unmount, and use vfat, ext4 and xfs file systems only adds the xfs
file system to the previous RHCSA exam objective.
There is no longer mention of setting up a default configuration HTTP/FTP server.
VNC doesnt show up any more.
Firewall settings can now be configured through firewall-config, firewall-cmd but the
iptables way is still fine.
Finally, perhaps the biggest change, all LUKS-related tasks have been removed: no
game with encrypted partitions any more!

Even though the RHCSA exam objectives almost stay the same and the exam keeps
the same duration (2.5 hours), it is clear that you will need a good understanding of
the RHEL 7 basic features (Systemd, Grub2, etc) to pass it.

RHEL7 RHCSA Other requirements

In addition to the official RHCSA exam objectives, a successful candidate needs to

satisfy the following requirements:

Set up a virtualization environment (a lab to get hands-on experience)

Download the CentOS 7 distribution (see Software requirements) and install it with
default configuration.

Choose a domain name (example.com strongly recommended), a host name (for

example master.example.com) and an IP address compatible with your network
environment (here 192.168.1.5, gateway is supposed to be 192.168.1.1).

Update your system:

# yum update
Install the KVM packages:

# yum group install "Virtualization Host"

# yum install -y virt-install
# yum install -y virt-top
Start the libvirtd service:

# systemctl start libvirtd

Activate the Chronyd/NTP service at boot and start it:

# systemctl enable chronyd && systemctl start chronyd

Configure a NFS file server (to test NFS client and Autofs configuration)

Configure a LDAP directory service for user connection (to test the LDAP client
configuration),
Deploy additional SELinux man pages (useful when a service doesnt work as
expected),
Debug network services (this could be useful before and after the exam).