Red Hat Certified Engineer

Exam Preparation Session

RHEL 7

Md. Shah Alam (Shohag)

CCNP (Route)|| CCNA Security || CCNA R&S || RHCE | | RHCSA on RHEL-7

Cell: +880 1914486186

Sr. Systems Specialist

MetroNet Bangladesh Ltd.
 Configure Repository
 Create repository for system1 and system2. You can use this URL for your
2
repository: http://classroom.example.com/content/rhel7.0/x86_64/dvd

Answer:
#cd /etc/yum.repos.d
(Show with “ls” command and delete previous repo)
#vim yum.repo [repo name is user define]
[rhce]
name=repo for rhce exam
baseurl=http://classroom.example.com/pub/x86_64/server
enabled=1
gpgcheck=0
[Save & Exit]
# yum update -y
 Configure SELinux 3

 Configure System-1 and System-2 that should be running in

Enforcing mode.

Answer:
# vim /etc/selinux/config
SELINUX=enforcing (Be careful about this change)
(Save and Exit)
# reboot
[You can check this with “getenforce” command]
# getenforce
Enforcing
 SSH Configuration
4
 Configure SSH access on your both hosts (System-1 and System-2) as follows. Clients within
rny22ilt.org should not have access to ssh on your hosts.

 Answer:
# yum install openssh –y
# systemctl enable sshd
# systemctl start sshd
# firewall-cmd - - permanent - - add-service=ssh
# firewall-cmd - - reload
# systemctl restart sshd.service
--------------------(SSH service access control for rny22ilt.org)------------------
# firewall-config
[After execute this command graphical window will appear, rest of the task you can do graphically]
For check the firewall list execute bellow command:
# firewall-cmd - - list - - all
 Configure Port Forwarding 5

Configure system1 to forward traffic incoming on port 80/tcp from source network
172.25.11.0/24 or 172.25.11.0 / 255.255.255.0 to port on 5243/tcp

Answer:
# firewall-config
 Customize User Environment
6
 Create a command called “qstat” on both systems (System-1 and System-
2). It should be able to execute the followings.
(ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm)

Answer:
# vim /etc/bashrc
[ Go to bellow the file and write]
qstat ( ) {
ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm
}
[save and exit]
# source /etc/bashrc
[Type bellow command for check]
# qstat
 Configure IP Address (IPv6) 7
 Configure eth0 interface with static ipv6 address on both systems and able
to communicate within the network.
System-1: 2001:123::1/64
System-2: 2001:123::2/64
Both systems are able to communicate within the network 2001:123::/64
Both systems should be maintain the current IPv4 address and changes should
be permanent even after the reboot.
Answer: [for System-1]
#nmcli connection modify eth0ipv6.address ‘2001:123::1/64’ connection.autoconnect yes ipv6.method manual
#nmcli connection up eth0
#ping6 2001:123::1
[Above configuration will also in system-2, only ipv6 address will be change]
[For check the configuration ping each other]
 Link Aggregation
8
 Configure syatem-1 and syatem-2 with eth0 and eth1 which watches for link changes. Selects
an active port for data transfers.
System-1 IP address: 192.168.X.10/24 and System-2 IP address: 192.168.X.11/24
Answer:
# lab teambridge setup (Not in exam only for lab environment)
# nmcli connection show (For show the connection)

# nmcli connection add con-name team0 type team ifname team0 config ‘{“runner”:{“name”:”activebackup”}}’
# nmcli connection add con-name team0-p1 type team-slave ifname eno1 mater team0
# nmcli connection add con-name team0-p2 type team-slave ifname eno2 master team0
# nmcli connection modify team0 ipv4.address 192.168.X.10/24 ipv4.method manual connection.autoconnect yes
# nmcli connection up team0
# nmcli connection up team0-p1
# nmcli connection up team0-p2
# teamdctl team0 state
[Ping each other for check the task]
SMTP Configuration 9
Configure SMTP mail service on both systems which relay the mail only from local system through
smtpX.example.com, all outgoing mail have their sender domain as example.com. Ensure the mail should not store
locally. Verify the mail server is working by sending mail to root@desktopX.example.com user.
Solution:
# yum install postfix –y
#cd /etc/postfix
# vim main.cf [set line number with “set nu” command]
75. myhostname = serverX.example.com
84. mydomain = example.com
101. myorigin = $mydomain
119. inet_interfaces = localhost
168. mydestination =
269. mynetworks = 127.0.0.0/8
323. relayhost = [smtpX.example.com]
local_transport = error: Disable by Admin. [Write it manually]
In lab environment you have to type #lab smtp-nullclient setup at client side for receive the mail

Continue …
 SMTP Configuration 10

# firewall-cmd - - permanent - - add-service=smtp

# firewall-cmd - - reload
# systemct enable postfix
# systemctl start postfix

For send mail:

# mail –v root@desktopX.example.com
Subject: Test mail
Just for test.
.
EOT
For check the mail:
Just type “mail” command at recipient site. [Real Time]
In exam time for check the mail, they will provide two links bellow the question.
SMTP Configuration 11
Your server system should accept new mail over smtp from the 172.25.X.0/24. All messages not addressed to running
on desktop.example.com.
Solution:
# yum install postfix –y
#cd /etc/postfix
# vim main.cf [set line number with “set nu” command]
75. myhostname = serverX.example.com
84. mydomain = example.com
101. myorigin = $mydomain
119. inet_interfaces = all
168. mydestination = $myhostname, localhost.mydomain, localhost
269. mynetworks = 172.25.X.0/24, 127.0.0.0/8
323. relayhost = [smtpX.example.com]
local_transport = error: Disable by Admin. [Write it manually]
In lab environment you have to type #lab smtp null-client setup at client side for receive the mail

…
Continue
 SMTP Configuration 12

# firewall-cmd - - permanent - - add-service=smtp

# firewall-cmd - - reload
# systemct enable postfix
# systemctl start postfix

For send mail:

# mail –v root@desktop.example.com
Subject: Test mail
Just for test.
.
EOT
For check the mail:
Just type “mail” command at recipient site. [Real Time]
In exam time for check the mail, they will provide two links bellow the question.
 NFS Server Configuration 13
1. Share /nfsshare directory within the example.com domain clients only, share
must be writable.
2. Share /nfssecure/protected, enable krb5p security to secure access to the
NFS share. Keytab URL
http://classroom.example.com/pub/keytabs/serverX.keytab
3. Create a directory named protected under /nfssecure. The exported
directory should have read/write access from all subdomains of the
example.com. Ensure the directory /nfssecure/protected should be owned by
the user harry with read/write permissions.
4. Mount both directory at desktopX.example.com.

[ At exam time no need to create any user for NFS, they will create and provide you the user name]
 NFS Server Configuration 14
Requirements:
# lab nfskrb5 setup [For lab environment only]

In exam time, you have to download three packages for this configuration:
1. sssd.
2. Authconfig-gtk
3. Krb5-workstation
 NFS Server Configuration 15
Answer: (Normal Share) Common Mistakes:
1. Domain address entry in exports file with proper permissions.
2. Execute “exportfs -ra” command.
# mkdir /nfsshare 3. Allow in firewall
4. Proper service enable and start.
#vim /etc/exports
/nfsshare 172.25.X.0/24(rw)
#exportfs -ra
# firewall-cmd - - permanent --add-service=nfs
# firewall-cmd - - reload
# systemctl enable nfs-server.service
# systemctl start nfs-server.service

# showmount –e 172.25.X.X [For show the share directory]

 NFS Mount (Normal Share) 16

Mount normal Share:

# yum install nfs-utils -y Common Mistakes:
[Create mount point, where they want] 1. Source directory entry in fstab.

# mkdir /public
# vim /etc/fstab
serverX.example.com:/nfsshare /public nfs defaults 0 0
[Save & Exit]
# mount -a
# df -h [ For show the mounted directory]
 NFS Server Configuration 17
Answer: (Secure Share)
# mkdir -p /nfssecure/protected
#vim /etc/exports
/nfssecure/protected 172.25.X.0/24(sec=krb5p,rw)
# wget –O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/serverX.keytab
#exportfs -ra
Common Mistakes:
# firewall-cmd - - permanent --add-service=nfs 1. Domain address entry in exports file with proper permissions.
2. Execute “exportfs -ra” command.
# firewall-cmd --reload 3. Key download properly.
4. Allow in firewall.
# systemctl enable nfs-secure-server.service 5. Proper service enable and start.

# systemctl start nfs-secure-server.service

# showmount –e 172.25.X.X [For show the share directory]
 NFS Mount (Secure Share)
# yum install nfs-utils -y
[Create mount point, where they want]
# mkdir -p /secure/protected
18
Common Mistakes:
1. Source directory and mounting method entry in fstab.
2. krb5 file download mismatch.
3. Enable proper service.

# vim /etc/fstab
serverX.example.com: /nfssecure/protected /secure/protected nfs sec=krb5p,defaults 0 0

# wget –O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktopX.keytab

# systemctl enable nfs-secure.service
# systemctl start nfs-secure.service
# mount -a
# df -h [ For show the mounted directory]
 Shared Directory Ownership 19

We can do it two different way:

1. Provide ownership on directory to mention user. Preferable
# chown harry /secure

1. ACL
# setfacl -m u:harry:rwx /secure
# getfacl /secure [For check the ACL]
 Samba Configure (Single User) 20
Share the /sambadir directory via SMB serverX:
1. Your samba server must be a member of the TESTGROUP workgroup.
2. The share name must be data.
3. The data share must be available to content.com domain clients only.
4. The data share must be browseable.
5. Susan must have the read access to the share, authenticating with the
same password if necessary.
 Samba Configure (Single User) 21
# yum install samba -y
# yum install samba-client -y
# mkdir /sambadir
[Apply SELinux context on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t samba_share_t “/sambadir(/.*)?”

# restorecon -R –v /sambadir
# ls -ldZ /sambadir [For check the context]

[Create smb user with smb password]

# useradd -s /sbin/nologin susan

# smbpasswd -a susan
 Samba Configure (Single User) 22

# vim /etc/samba/smb.conf
workgroup = TESTGROUP
host allows = 172.25.0.

[data]
path = /sambadir
valid users = susan
# testparm -s
# systemctl enable smb nmb
# systemctl start smb nmb
# firewall-cmd - - permanent --add-service=samba
# firewall-cmd - - reload
 Samba Configure (Multi User) 23

Share the /opstack directory via SMB serverX:

1. The share name must be cluster.
2. The user frankenstain has readable, writeable access to the
/opstack SMB share.
3. The user martin has the read access to the /opstack SMB share.
4. Both user should have the SMB password “SaniTago”
5. The samba server must be a member of the TESTGROUP workgroup.
 Samba Configure (Multi User) 24
# yum install samba -y
# yum install samba-client -y
# mkdir /opstack
[Apply SELinux context on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t samba_share_t “/opstack(/.*)?”

# restorecon -R –v /opstack
# ls -ldZ /opstack [For check the context]

[Create smb users with smb password]

# useradd -s /sbin/nologin frankenstain
# smbpasswd -a frankenstain
# useradd -s /sbin/nologin martin
# smbpasswd -a martin
 Samba Configure (Multi User) 25

# vim /etc/samba/smb.conf
workgroup = TESTGROUP
host allows = 172.25.0.

[cluster]
path = /opstack
valid users = frankenstain, martin
write list = frankenstain
# testparm -s
# systemctl enable smb nmb
# systemctl start smb nmb
# firewall-cmd - - permanent --add-service=samba
# firewall-cmd - - reload
 Samba Test 26

# smbclient //serverX.example.com/data -U susan

# smbclient //serverX.example.com/cluster -U frankenstain
# smbclient //serverX.example.com/cluster -U martin
 Samba Mount (Multi User) 27

1. Mount the samba share /opstack permanently at /mnt/smbspace

on desktop as a multiuser mount.
2. The Samba share should be mounted with the credentials of
frankenstain.
 Samba Mount (Multi User) 28

Answer:
# yum install samba-client -y
# yum install cifs-utils -y
# mkdir -p /mnt/smbspace
# vim /root/pass.txt
username=frankenstain
password=Sanitago
# vim /etc/fstab
//serverX.example.com/cluster /mnt/smbspace cifs credentials=/root/pass.txt,multiuser,sec=ntlmssp 0 0
# mount -a
# df -h
 Webserver Configuration 29
Implement a webserver for the site http://serverX.example.com. Download the page
from http://classroom.example.com/pub/rhce/rhce.html. Rename the file to the
index.html. Copy the file into the document root. Do not modify the content of
index.html. Clients within rny22ilt.org should not access the webserver on your systems.
Answer:
# yum install httpd -y
# cd /var/www/html
# wget http://classroom.example.com/pub/rhce/rhce.html
# mv rhce.html index.html
# firewall-cmd - - permanent - - add-service=http
# firewall-cmd - - reload
# systemctl enable httpd.service
# systemctl start httpd.service
# curl http://serverX.example.com
 Virtual Hosting 30
Setup a virtual host with an alternate document root. Extend your web to include a virtual for
the site http://wwwX.example.com Set the document root as /usr/local/vhosts
Download http://classroom.example.com/pub/rhce/vhost.htrnl - rename it as index.html
place this document root of the virtual host Note: The other websites configures for your server
must still accessible.

Answer:
# mkdir -p /usr/local/vhosts
[Apply SELinux context on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t httpd_sys_content_t “/usr/local/vhosts(/.*)?”

# restorecon -R –v /usr/local/vhosts
# ls -ldZ /usr/local/vhosts [For check the context]
# cd /usr/local/vhosts
#wget http://classroom.example.com/pub/rhce/www.html
 Virtual Hosting 31
# cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d/
# vim /etc/httpd/conf.d/ httpd-vhosts.conf
<VirtualHost serverX.example.com:80>
DocumentRoot "/var/www/html"
ServerName serverX.example.com
</VirtualHost>

<VirtualHost wwwX.example.com:80>
DocumentRoot "/usr/local/vhosts"
ServerName wwwX.example.com
</VirtualHost>
 Virtual Hosting 32
#vim /etc/httpd/conf/httpd.conf
#vim httpd-vhosts.conf
<Directory /var/www/html> Copy this four lines from
Require all granted httpd.conf file and paste
bellow the vhosts
</Directory> configuration file

<Directory "/usr/local/vhosts">
Require all granted
</Directory>
# httpd -t [For check the syntax error in configuration file]
# systemctl restart httpd.service
[Write on browser wwwX.example.com for test the vhost server]
 Restricted Webpage 33
Implement website for http://serverX.content.com/owndir. Create a directory named as "owndir" under the document
root of webserver. Download http://station.networkO.content.com/pub/rhce/restrict.htrnl. Rename the file into
index.html. The content of the owndir should be visible to everyone browsing from your local system but should not be
accessible from other location.
Answer:
#mkdir -p /var/www/html/owndir
[Apply SELinux contect on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t httpd_sys_content_t “/var/www/html/owndir(/.*)?”

# restorecon -R –v /var/www/html/owndir
#cd owndir
#wget http://classroom.example.com/pub/rhce/secure.html
# vim /etc/httpd/conf/httpd.conf
<Directory /var/www/html/owndir>
Require host serverX.example.com
</Directory>
#httpd -t
#systemctl restart httpd.service
 Secured Webserver 34
Configure the website https://serverX.content.com with TLS SSLCertificate file.
1. TLS Certificate:
http://classroom.example.com/pub/tls/certs/webappX.crt
2. TLS private key:
http://classroom.example.com/pub/tls/private/webappX.key
3. TLS CA certificate:
http://classroom.example.com/pub/example-ca.crt
 Secured Webserver 35
Answer:
#yum install mod_ssl -y
#cd /etc/pki/tls/certs
wget http://classroom.example.com/pub/tls/certs/webappX.crt
http://classroom.example.com/pub/example-ca.crt
#cd /etc/pki/tls/private
http://classroom.example.com/pub/tls/private/webappX.key

All .crt files will be download under certs and .key file will download under private directory.
 Secured Webserver 36
#vim /etc/httpd/conf.d/ssl.conf
<virtualhost *:443>
ServerName serverX.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5
SSLCertificateFile /etc/pki/tls/certs/webapp.crt
SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</virtualhost >
#firewall-cmd - -permanent - -add- -service=https
#firewall-cmd –reload
#httpd -t
#systemctl restart httpd.service
 Dynamic Webserver Configuration (WSGI) 37

configure website http://serverX.example.com:8961 on systernl with the docurnentroot

/srv/webapp Site should executes webapp.wsgi.
Answer: [ lab webapp setup ]
# yum install mod_wsgi -y
#mkdir -p /srv/webapp
[Apply SELinux contect on directory, you can get help from “man page” with man semanage-fcontext command]

# semanage fcontext –a -t httpd_sys_content_t “/srv/webapp(/.*)?”

# restorecon -R –v /srv/webapp
# cp /home/student/webapp.wsgi /srv/webapp/
Dynamic Webserver Configuration (WSGI) 38
#vim /etc/httpd/conf.d/ssl.conf
<virtualhost *:443>
ServerName webappX.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5
SSLCertificateFile /etc/pki/tls/certs/webapp.crt
SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
WSGIScriptAlias / /srv/webapp/webapp.wsgi
</virtualhost >
<Directory /srv/webapp>
Require all granted
</Directory>
 Webserver Logical Port Change 39

Run your https webserver through 8989/tcp port:

Answer:
# semanage port – l | grep http
# semanage port –a –t http_port_t –p tcp 8989
# firewall-cmd - - permanent - - add-port=8989/tcp
# firewall-cmd - - reload
 Webserver Logical Port Change 40

Listen 8989 https

<virtualhost *:8989>
ServerName webappX.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!aMD5
SSLCertificateFile /etc/pki/tls/certs/webapp.crt
SSLCertificateKeyFile /etc/pki/tls/private/webappX.key
SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt
</virtualhost >
# systemctl restart httpd.service
 Script # 01 41
Create a script on serverX called /root/random with following details:
1. When run as /root/random foo,should bring the output as “bar”.
2. When run as /root/random bar, should bring the output “foo”.
3. When run with any other argument or without argument, should appear the message Type foo
or bar.
Answer:
# mkdir /root/random
# vim /root/random/script
#! /bin/bash
case $@ in
foo ) echo “bar”;;
bar ) echo “foo”;;
* ) echo “Type foo or bar”;;
esac
# chmod +x /root/random/script
# /root/random/script foo [For check the script]

# /root/random/script bar [For check the script]

 Script # 02 42
Create a script on serverX called /root/createusers with following details:
1. When run as /root/createusers testfile, it should add all the users from the downloaded
file.(http://serverX.example.com/testfile). All users should have the loginshell as /bin/false,
password not required.
2. When this script is run with any other argument, it should print the message as “Input File
Not Found”.
3. When run without any argument, it should display “Usage:/root/createusers”.
NOTE: If the users are added, no need to delete.
[For lab environment, create a file with user name. File name should be testfile]
 Script # 02 43
Answer:
# vim testfile [Write user name list---Only for lab]
# vim /root/createusers
#! /bin/bash
a=“”
case $@ in
testfile) for user in $(cat $1);
do
echo “Adding users:”$user
useradd -s /bin/false $user
done;;
$a)
echo “Usage: /root/createusers”;;
*) echo “Input File Not Found”;;
esac
# chmod +x /root/createusers
# /root/createusers testfile [For check the script]

# /root/createusers [Enter] [For check the script]

# /root/createusers [Wrong Value] [For check the script]
 iSCSI (Traget) Configuration 44
 Create a new 3GB LVM target on your serverX.example.com. The block device
name should be data block. The server should export an iscsi disk called iqn.2014-
10.com.example:serverX. LVM name should be /dev/iscsivg/iscsilv
Answer:
# fdisk -l
#fdisk /dev/vdb
[Create 3300MB LVM partition]
# partprobe
# pvcreate /dev/vdb
# vgcreate iscsivg /dev/vdb1
# lvcreate -L 3072M -n iscsilv iscsivg
# lvdisplay [For display the path]
 iSCSI (Traget) Configuration 45
# yum install targetcli -y
# systemctl enable target
# systemctl start target
#targetcli
/> backstores/block create data /dev/iscsivg/iscsilv
/> iscsi/ create iqn.2014-10.com.example:serverX
/> iscsi/ iqn.2014-06.com.example:server1/tpg1/acls create iqn.2014-
10.com.example:desktop1
/> iscsi/ iqn.2014-10.com.example:server1/tpg1/lun create /backstores/block/data
/> iscsi/ iqn.2014-06.com.example:server1/tpg1/portal create 172.25.1.11
/>ls
/> saveconfig
#firewall-cmd - -permanent - -add-port=3260/tcp
#firewall-cmd - -reload
 iSCSI (Initiator) Configuration 46
The systemX.example.com provides an called iqn.2014-10.com.example:serverX
With port 3260/tcp. Connect the disk with client and configure filesystem with
the following requirements.
1. Create 3GB partition on iSCSI block device and assign the file system as ext3.
2. Mount the volume under /mnt/initiator at the system boot time.
3. The file System should be contain the copy of
http://classroom.example.com/pub/iscsi.txt
4. The file should be owned by root with 0644 permissions.
 iSCSI (Initiator) Configuration 47

Answer:
#yum install iscsi-initiator-utils -y
#vim /etc/iscsi/initiatorname.iscsi
InitiatorName= iqn.2014-10.com.example:desktopX
# systemctl enable iscsi
# systemctl start iscsi
# iscsiadm --mode discovery --type sendtargets --portal 172.25.X.X –discover
# iscsiadm --mode node --targetname iqn.2014-10.com.example:systemX --portal
172.25.X.X:3260 –login
[For above two command you can get help from man page “man iscsiadm”]
 iSCSI (Initiator) Configuration 48
# fdisk -l
# fdisk /dev/sda
[Create a 3GB partition]
# partprobe
# mkfs.ext3 /dev/sda1
# blkid /dev/sda1 [For show the /dev/sda1 UUID]
# vim /etc/fstab
UUID=c9213938-6753-4001-b939-4b5720c8ec5e /mnt/initiator ext3 _netdev 0 0
# mount -a
# mkdir /mnt/initiator
# cd /mnt/initiator
# wget http://classroom.example.com/pub/iscsi.txt
# chown root iscsi.txt
# chmod 0644 iscsi.txt
 MariaDB # 1 49
Restore a database on serverX from the URL
http://classroom.content.com/pub/rhce/backup.mdb
1. The database name should be Contacts.
2. It should be access only within the localhost. Most important
3. Set a password for root user as "Postroll".
4. Other than the root user, the user andrew able to “read,write,update,delete” the
query from the above mentioned database. [Andrew is a local user]
5. The user should be authenticated with the password as "Postroll".
 MariaDB # 1 50
# yum groupinstall mariadb -y
# yum groupinstall mariadb-client -y
# systemctl enable mariadb.service
# systemctl start mariadb.service
# mysql_secure_installation
Enter/:Y/New Password:Postroll/Y/Y/Y/Y/
# mysql -u root –p
MariaDB [(none)]> create database Contacts; Database create
command.
MariaDB [(none)]> exit
# wget http://content.example.com/courses/rhce/rhel7.0/materials/mariadb/mariadb.dump
# mysql -u root -p Contacts < mariadb.dump
Enter password: Postroll Database Backup
 MariaDB # 1 51
# mysql -u root -p
Enter password: [ ******]
MariaDB [(none)]> show databases;
MariaDB [(none)]> use Contacts; Only for Check.
MariaDB [inventory]> show tables;
MariaDB [inventory]> exit
# mysql -u root –p
Enter password: [ ******]
MariaDB [(none)]> create user andrew@localhost identified by ‘Postroll';
MariaDB [(none)]> grant select on Contacts.* to andrew@localhost;
MariaDB [(none)]> create user steve@'%’ identified by ‘Postroll'; User Create
MariaDB [(none)]> grant insert,update,delete on Contacts.* to steve@'%’;
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
 MariaDB # 1 52

# mysql -u steve –p
MariaDB [(none)]> use Contacts;
# firewall-cmd –permanent –add-service=mysql
# firewall-cmd –reload

#vim /etc/my.cnf
[mysqld] If in question says, It should be
access only within the localhost.
skip-networking=1 Then must be edit this file.
#systemctl restart mariadb.service