PART I
Installation and Configuration
IN THIS PART
CHAPTER 1 Installing Red Hat Enterprise Linux 9
CHAPTER 2 Post-Installation Configuration 57
CHAPTER 3 Operating System Updates 79
IN THIS CHAPTER
Choosing an Installation Method
Creating the Installation Source
Starting the Installation
Performing the Installation
Installing with Kickstart
Installing with PXE
Performing an Upgrade
Red Hat Network Provisioning
CHAPTER 1
Installing Red Hat Enterprise Linux
The Red Hat Enterprise Linux installation program is quite versatile. It can scale from an interactive program used to install the operating system on individual systems to a scripted, non-interactive program for simultaneous installation on multiple systems. The installation process can even be customized and scheduled via Red Hat Network. All these installation methods can retrieve the installation software from a central installation source. This chapter describes the different installation methods so that an administrator can decide which method is best for his organization and his users' needs. It details how to make the installation files available to the systems to be installed depending on the installation method. Then, it provides a guide through the installation program. If an automated, non-interactive installation is desired, this chapter provides a reference for the kickstart method. If the system to be installed includes a network interface card with PXE support, consider using PXE to start the installation instead of a CD as discussed at the end of the chapter.
Choosing an Installation Method
One of the many strengths of the Red Hat Enterprise Linux installation program is that the installation files can be retrieved in a variety of ways. For example, if you are only installing one or two systems, performing a traditional CD-ROM installation is probably easiest because it requires minimal setup time. However, if you are installing tens or hundreds of systems on the same network, the time it takes to set up a centralized installation source with the necessary files will ultimately save the administrator time and allow the administrator to scale his efforts. The installation CDs do not have to be swapped out of each machine as they are needed. To perform simultaneous installs on all the systems, all the systems can be booted using PXE instead of burning a set of CDs for each system, and they can all be installed from one set of installation files shared over the network.
Keep in mind that you do not have to standardize on just one installation method. A combination of methods might work best for you.
The following installation methods are available:
CD-ROM
Installing from a set of installation CDs is the most direct method. Insert the media into the system, make sure the BIOS is configured to boot off the CD, and boot the system. The administrator is stepped through the process from keyboard and language selection to choosing which software sets to install.
Hard Drive
Installing from the hard drive requires the ISO images of the installation CDs to be on a hard drive partition accessible by the installation program (formatted as ext2, ext3, or vfat). It also requires a boot CD created from the boot.iso image found on the first installation CD. Refer to the "Creating the Installation Source" section for details on creating a boot disc.
Network Install (via NFS, FTP, or HTTP)
This method also requires a boot CD created from the boot.iso image or PXE boot. After booting, select the preferred network installation method (NFS, FTP, or HTTP). The installation source must be available to the system using the selected network protocol. Refer to the "Creating the Installation Source" section for details on setting up the installation source.
Kickstart
Kickstart is the name of the Red Hat scripted installation method. A kickstart-formatted script is written, the installation program is started with a boot CD or via PXE and then given the location of the kickstart file. Refer to the "Installing with Kickstart" section for details.
PXE
PXE, or Pre-Execution Environment, is available on some Network Interface Cards (NICs) and can be used to perform a network installation by connecting to a network file server and booting from files retrieved over the network instead of from local media such as a CD. Refer to the "Starting the Installation" section for details.
Red Hat Network Provisioning
This method requires an additional subscription to the RHN Provisioning module and an RHN Satellite Server. The web interface to the RHN Satellite Server includes a Kickstart Profile creation wizard, which can be used to create and store a customized kickstart file. Then the clients are installed from this kickstart file. Refer to the "Red Hat Network Provisioning" section for a brief synopsis. Refer to the "Installing with Kickstart" section for further information on kickstart installations.
Creating the Installation Source
Because each Red Hat Enterprise Linux subscription comes with access to Red Hat Network, the files necessary to install the operating system can be downloaded from RHN. Each installation CD is archived into one file called an ISO image. These ISO image files can be used to create the installation source, depending on which installation method is used. Table 1.1 summarizes the installation sources per installation method.
TABLE 1.1 Location of Installation Source per Method
Installation Method    Installation Sources
CD-ROM                 Installation CDs created from CD ISO images
Hard drive             ISOs on ext2, ext3, or vfat partition
NFS                    ISOs available via NFS
FTP                    Loopback mounted ISOs available via FTP
HTTP                   Loopback mounted ISOs available via HTTP
This section discusses creating each of these installation sources.
Creating the Installation CDs
The ISO images for the installation CDs can be downloaded from Red Hat Network and then burned onto the media. An ISO image is a file, usually with the .iso extension, which contains files properly formatted so they can be written to a CD-R or CD-RW, including making the disc bootable if necessary.
Go to http://rhn.redhat.com/ and log in to your account. Click Channels from the horizontal navigation menu on the top, and then click Download Software from the vertical menu on the left. The software channels most relevant to your systems are shown by default. Select the name of the channel to download the ISO images for it. If you don't see the correct channel, click All from the vertical navigation menu on the left to view a list of all available channels.
The download software page provides links to the installation and source CDs for the initial release of the Red Hat Enterprise Linux version and variant you selected as well as links to download the installation and source CDs for all update releases available. Each update release contains all the files necessary to perform a complete installation, so you do not need to download each update release. To use the latest, most secure version of the software channel selected, download the install disc images for the latest update release. You do not need to download the source discs unless you need access to the source RPMs (the actual source code) used to create the software to be installed.
TIP
This page also provides a link to a page with instructions for properly downloading the ISO image files with curl or wget. Read it carefully before downloading the ISO files. Download times will vary and depend on the speed of your Internet connection.
In the table containing the links to the ISO images, notice the third column. This long string of numbers and letters is called a checksum, which can be used to verify that the ISO file you downloaded hasn't been corrupted. If the column contains MD5 checksums, check the MD5 checksum of an ISO file after downloading it with the following command, replacing <iso> with the filename of the ISO image downloaded (repeat for each ISO file):
md5sum <iso>
If the column contains SHA1 checksums, check the SHA1 checksum of an ISO file after downloading it with the following command, replacing <iso> with the filename of the ISO image downloaded (repeat for each ISO file):
sha1sum <iso>
When the utility is finished computing the checksum, it is displayed at the command line. Compare it to the checksum listed on the RHN page. If they match exactly, the download was successful in retrieving the entire file without corruption. If they do not match exactly, remove the ISO file and download it again until the MD5 checksum returned matches the checksum on the RHN page exactly.
Creating a Boot Disc
Network installations, including kickstart installations, can be started with a boot CD created from the boot.iso image found in the images/ directory on the first installation CD. Instead of creating the first installation CD to access this file, the files from the ISO image of the disc can be loopback mounted so the boot.iso file can be retrieved and used to create a boot disc.
When an ISO image is loopback mounted, the files from the image are listed in a dedicated directory as they would appear on the disc if the image was written to disc. The files do not actually exist as separate files in this directory on the filesystem. When they are accessed, the files are read from the ISO image. If they are copied to the filesystem, each file copied will actually exist on the filesystem.
To loopback mount an ISO image, use the following steps:
1. Create an empty directory to mount the image into, such as /tmp/rhel/.
2. Mount the image into this new directory (if the image is not in the current directory, provide its full path so it can be found):
mount -o loop <image-name>.iso /tmp/rhel/
3. The /tmp/rhel/ directory now contains a list of all the files from the image. Copy the boot.iso image file over to the filesystem:
cp /tmp/rhel/images/boot.iso /tmp
4. Unmount the ISO image:
umount /tmp/rhel/
Create the boot disc from boot.iso by browsing for it in the Nautilus file browser, right-clicking on it, and selecting Write to Disc... from the menu. Alternatively, use the cdrecord command to write the image to disc if the graphical desktop is not available.
TIP
If you already have the first installation CD created, you can issue the command linux askmethod at the boot: prompt after booting from the CD instead of booting from a boot disc.
Using the ISO Files
All the installation types except for the CD-ROM installation method can use ISO image files as the installation source. The ISO files can be used in the following ways:
ISO files in a directory on the hard drive for the hard drive installation method or available via NFS for the NFS installation method
ISO files loopback mounted and then made available with FTP or HTTP
TIP
Before using the ISO files for installation, be sure to verify their checksums as described in the "Creating the Installation CDs" section earlier in this chapter.
For a network installation, set up the NFS, FTP, or HTTP server, depending on which installation method you want to use. Don't forget to make it accessible by all the clients on which you are installing Red Hat Enterprise Linux. Refer to Part IV, "Network Services," for details on setting up these network services.
The same network server can provide different variants or versions of the same operating system. When doing so, place each set of ISO images in their own directory. Use descriptive directory names such as RHEL5Server or RHEL5U2Client so you can quickly determine which OS variant and version they contain.
For hard drive installations, transfer all the ISO images into an ext2 or vfat partition on one of the hard drives in the system on which you are about to install. This partition cannot be formatted during installation because the installation program must access these ISO files during the entire installation. Be sure you have enough hard drive space for the installation after dedicating the partition to storing the ISO image files.
For an NFS installation, copy all the ISO image files into the shared directory on the NFS server. For an FTP or HTTP installation, use the following steps to share the contents of each ISO image in its own directory on the FTP or HTTP server:
1. In the shared directory on the FTP or HTTP server, for each ISO image, create a subdirectory called discX, where X is the number of the ISO image starting with the number 1.
2. For each ISO image, loopback mount it into its corresponding discX directory with the command:
mount -o loop <name>.iso /shared/directory/discX
Now the installation program can access all the installation files from the network server. Next, start the installation with the instructions from the "Starting the Installation" section later in this chapter.
Instead of burning a set of installation CDs and then creating the installation source, you can loopback mount the ISO images as described in the "Creating a Boot Disc" section and copy the files.
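The checksum check from the "Creating the Installation CDs" section and the discX loopback-mount steps above can be combined into one repeatable procedure. The following shell script is an added example for this chapter, not code from the book or from Red Hat; it assumes the checksums copied from the RHN page are stored in md5sum/sha1sum format (digest, two spaces, filename), that ISO filenames end in discN.iso, and that the share directory argument and the DRY_RUN variable are this script's own conventions.

```shell
#!/bin/sh
# prepare_install_source.sh (added example, not from the book)
# Verifies downloaded RHEL ISO images against the checksums taken from the
# RHN download page, then loopback mounts each one under discX for an FTP
# or HTTP install share. Assumes a checksum list in md5sum/sha1sum format:
#   <hex digest>  <iso filename>
# Usage: sh prepare_install_source.sh /path/to/isos /var/ftp/pub/RHEL5Server [checksums.txt]
# Set DRY_RUN=1 to print the mkdir/mount commands instead of running them.

# Return the disc number encoded in an ISO filename (...-disc2.iso -> 2),
# or nothing if the name does not follow that convention (assumed naming).
disc_number() {
    basename "$1" | sed -n 's/.*disc\([0-9][0-9]*\)\.iso$/\1/p'
}

# Verify one ISO against the digest copied from RHN. The page lists either
# MD5 (32 hex digits) or SHA1 (40 hex digits) sums, so the tool is chosen
# from the digest length. Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_iso() {
    iso_path=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        32) sum_tool=md5sum ;;
        40) sum_tool=sha1sum ;;
        *)  echo "$iso_path: unrecognised digest length ${#expected}" >&2; return 2 ;;
    esac
    actual=$("$sum_tool" "$iso_path" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "$iso_path: checksum MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Look up the digest recorded for a filename in the checksum list.
expected_digest() {
    awk -v f="$2" '$2 == f { print $1; exit }' "$1"
}

# Run a privileged command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Check every ISO first; only then create the discX directories and mount
# them, so a corrupt or unlisted download never ends up in the share.
prepare_source() {
    iso_dir=$1; share_dir=$2; sums=${3:-$1/checksums.txt}
    status=0
    for iso in "$iso_dir"/*.iso; do
        name=$(basename "$iso")
        digest=$(expected_digest "$sums" "$name")
        if [ -z "$digest" ]; then
            echo "$name: no checksum listed, refusing to use it" >&2
            status=1
            continue
        fi
        verify_iso "$iso" "$digest" || status=1
    done
    [ "$status" -eq 0 ] || return "$status"
    for iso in "$iso_dir"/*.iso; do
        n=$(disc_number "$iso")
        [ -n "$n" ] || { echo "$(basename "$iso"): cannot tell disc number" >&2; return 1; }
        run mkdir -p "$share_dir/disc$n"
        run mount -o loop "$iso" "$share_dir/disc$n"
    done
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    prepare_source "$@"
fi
```

The mount step needs root and loop device support on the server; run with DRY_RUN=1 first to review the commands it would issue.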
Adding Updates to Installation Media or Source
Sometimes updates or bug fixes to the Red Hat installation program are released, similar to the way updates are released for the packages that make up the OS. Since the code for the installation program is on the installation media or in the shared directory containing the installation source, you need a way to use this updated code for the installation program, which is essentially a set of updated Python files. The updates are distributed as an update image, which is usually named updates.img. If an update image is available for your version of Red Hat Enterprise Linux and it is necessary to install the OS on your system, provide the image to the installation program using one of the following locations:
Floppy disk. After starting the installation, type linux updates at the boot: prompt.
images/ directory of the installation tree or first installation CD, with the filename updates.img. If the image is found, the updates in it are automatically used for installation. This requires all the files from the ISO for disc 1 to be copied to the disc1/ directory on the network share instead of just loopback mounting it so that the images/ directory can be created.
FTP or HTTP server, with the filename updates.img. After starting the installation, type linux updates=ftp://<path> or linux updates=http://<path> where <path> is the directory containing the updates image.
Starting the Installation
Each installation method is started a bit differently because some require more information to find the installation files. For example, in the CD installation method, all the files are on the CDs, with the first one already mounted and accessible by the installation program. However, for a network installation, the network protocol to use and the location of the installation files on the network server must be provided.
Starting a CD Installation
To start a CD installation, insert the first installation CD, make sure the BIOS is configured to boot off the CD-ROM device, and start the computer. Before the welcome screen appears, you are prompted to run the mediacheck program to verify each installation CD. Even if you verified the checksums of each ISO before creating CDs from the ISOs, it is highly recommended that the mediacheck be performed to make sure an error did not occur while you were creating the CDs from the ISO images.
After the welcome screen, select the language to use for the installation as shown in Figure 1.1. The same language is used as the default language for the installed system.
FIGURE 1.1 Language Selection
After the language selection, select the keyboard layout as shown in Figure 1.2 to use for installation. As with language selection, this preference is also used as the default value for the installed system.
FIGURE 1.2 Keyboard Selection
Starting a Network or Hard Drive Installation
For all other installation methods, boot off a boot disc created from the boot.iso image as described in the "Creating a Boot Disc" section earlier in this chapter. If you don't have a boot CD but you have the first installation CD, you can also boot off the first installation CD and type the command linux askmethod at the boot: prompt.
When the installation program starts, the first two screens allow the administrator to select the language and keyboard layout to use as previously described for a CD-ROM installation except that the two screens are shown in text mode instead of graphical mode. The third screen allows for the selection of the installation method and might be followed by one or two screens with additional questions, depending on the installation method selected. Select one of the following:
Local CDROM
Hard drive
NFS image
FTP
HTTP
If Local CDROM is selected and the first installation CD is already inserted, the installation is as described in the "Performing the Installation" section. If Local CDROM is selected and a boot CD was used to start the program, the first installation CD must be inserted when prompted to continue.
If Hard drive is selected, the partition containing the installation ISOs must be selected from the list, and the directory containing the ISOs must be provided. If NFS image, FTP, or HTTP is selected, the server name and shared directory containing the ISO images for the installation source must be given. If FTP is selected, it is assumed that the server accepts anonymous connections for the share. If a username/password combination is necessary, select the Use non-anonymous FTP option.
After selecting the installation method and providing the necessary information, the welcome screen is shown. To finish the installation, follow the instructions in the "Performing the Installation" section.
Starting a Kickstart or PXE Installation
To start a kickstart installation, read the "Installing with Kickstart" section later in this chapter to learn how to create a kickstart file, make it available to the systems to be installed, and start the kickstart installation.
To start a PXE installation, read the "Installing with PXE" section later in this chapter for instructions on configuring the PXE server and starting the network installation.
Performing the Installation
After starting the installation as described in the previous section, the administrator is prompted for an installation number as demonstrated in Figure 1.3. This number is provided when the Red Hat Enterprise Linux subscription is purchased and is used by RHN to control customer subscription entitlements. It also unlocks specific software groups (if appropriate) within the installation media so that they can be installed during the installation process. For example, an installation number might cause the installation of the software necessary for creating virtual machines with Virtualization or the clustering filesystem.
The installation program then searches for existing installations. If one is found, the following two options are displayed:
Install Red Hat Enterprise Linux
Upgrade an existing installation
If you choose to upgrade an existing installation, also select the root partition of the existing installation to upgrade. Refer to the "Performing an Upgrade" section later in this chapter for more details on upgrades. The rest of this section pertains to installing Red Hat Enterprise Linux.
Partitioning is one of the most important decisions you will make during the installation process (see Figure 1.4 for the start of the partitioning process). Decisions such as which software packages to install and the root password can be changed after installation, but the way a filesystem is partitioned is much harder to modify after installation. Refer to the "Deciding on a Partitioning Method and Type" section later in this chapter for details.
FIGURE 1.3 Providing an Installation Number
FIGURE 1.4 Selecting a Partitioning Scheme
A boot loader must be installed to boot into the operating system. The GRUB boot loader is installed by default (see Figure 1.5). Options such as enabling a boot loader password can be selected. Because GRUB is only used for x86 and x86_64 systems, this screen will vary for other architectures.
FIGURE 1.5 Configuring the GRUB Boot Loader
Network devices are detected and configured to use DHCP and are active at boot time as shown on the Network Devices screen in Figure 1.6. Uncheck the Active at Boot option next to a network device if you do not want it to retrieve an IP address at boot. If your network does not use DHCP, you can select to configure an IP address and network settings for each device on this screen.
For the Time Zone screen, click on the map to select a time zone. On the Root password screen, enter a root password for the system and then type it again to confirm it. If they do not match, you are prompted to enter them again.
Certain software sets are installed by default, varying slightly with each variant of Red Hat Enterprise Linux such as including the DHCP server with Red Hat Enterprise Linux Server. Some additional software sets such as Software Development and Web Server can be selected during installation. These additional software sets also vary depending on the installation number and the Red Hat Enterprise Linux variant being installed.
Also, select to Customize later or Customize now. If Customize later is chosen, no further options are presented. If Customize now is selected, the screen shown in Figure 1.7 is displayed showing a list of software groups in the top-left box.
FIGURE 1.6 Activating Network Devices
FIGURE 1.7 Customizing Software
As a software group is selected on the left, software sets are displayed on the right with check boxes next to each name. Click the check box next to the software sets to install in addition to the software selected by default. As software sets on the right are selected, a brief description is shown on the bottom of the screen. If the software set selected contains optional packages, the Optional packages button on the bottom right of the screen is active and can be clicked to further customize the individual software packages installed for the software set.
The software groups shown on the left side vary slightly depending on the installation number entered at the beginning of the process. For example, if an installation number to include virtualization is used, the Virtualization software group is shown in Figure 1.8.
FIGURE 1.8 Virtualization Software Group
After additional software is selected, the installation program checks for software dependencies. A software dependency is an RPM package that must be installed for the RPM package you selected to work properly. As the software is installed, the progress is shown as a time estimate and a progress bar (see Figure 1.9). If you are performing a CD installation, a popup window is displayed when the next CD is needed.
When all the necessary files are installed and all post-installation actions such as writing the bootloader are complete, Figure 1.10 is displayed. After the system is rebooted, the Setup Agent is automatically started. Refer to Chapter 2, "Post-Installation Configuration," for details on the Setup Agent.
FIGURE 1.9 Installing the Software
FIGURE 1.10 Installation Complete
NOTE
As noted on the last screen of the installation program, a log of the installation is saved in the /root/install.log file and a basic kickstart file is created based on the installation in the /root/anaconda-ks.cfg file. Both of these files are in plain text format and can be read by the root user after the system is rebooted.
Deciding on a Partitioning Method and Type
As shown in Figure 1.4, use the pull-down menu to choose one of the following partitioning schemes so the filesystem can be partitioned and formatted:
Remove Linux partitions on selected drives and create default layout (default)
Remove all partitions on selected drives and create default layout
Use free space on selected drives and create default layout
Create custom layout
If the option you selected creates a default layout, you can select the option to Review and modify partitioning layout. Figure 1.11 shows the review and modify partitioning screen. This is the same interface used when creating a custom layout. If the option you selected requires partitions to be deleted, you will be asked to confirm their deletion before continuing.
A root partition (/) is required at a minimum. For x86 and x86_64 systems, it is also recommended that a swap partition and /boot partition be created. For x86 and x86_64 systems, the default partitioning layout creates a root partition (/), swap partition, and /boot partition. LVM is used by default except for the /boot partition, which cannot be part of a logical volume group. The default partitions required and created for other architectures might be different. For example, on Itanium systems, a /boot/efi partition is recommended instead of a /boot partition. If a /boot/efi partition is created, it must be the first primary partition.
Most administrators will need to either create a custom layout or create the default layout and then modify it to fit the needs of the system. For example, creating a separate /tmp partition prevents a program from creating temporary files that fill up the entire filesystem. Unless the users' home directories are going to be mounted from a different server, creating a separate /home directory is beneficial and is even more flexible if the separate partition is on a separate hard drive. It allows the administrator to limit the total amount of disk space used for home directories and gives the administrator the flexibility to replace the hard drive with the /home partition with a larger drive or a network drive with minimal reconfiguration. Should the system fail while users still need access to their data, the hard drive containing the /home partition can be quickly moved to a backup system already installed with the OS (assuming the failure is not with the physical hardware associated with the /home partition).
FIGURE 1.11 Reviewing and Modifying Partitioning
As previously mentioned, by default, LVM is used to partition the filesystem. However, standard disk partitions and software RAID are also available during installation. The following subsections describe how to use these different partitioning methods during installation. Chapter 7, "Managing Storage," describes how to set up and maintain them after installation.
Setting Up Basic Partitions During Installation
To use standard disk partitions, complete the following steps for each partition as demonstrated in Figure 1.12:
1. Click New.
2. Enter a mount point such as / or /boot.
3. Select swap as the filesystem type if the partition is to be used as swap space. Select ext3 for all other Linux partitions.
4. Select the allowable drives if multiple drives exist. Basic partitions cannot span over more than one physical drive. If more than one drive is selected, the partition will be created on one of the selected drives depending on the free disk space available on the selected drives and the desired size of the partition.
5. The partition size can be set as a fixed size, a variable size up to a specific size depending on the amount of free disk space, or the total amount of free disk space available on one of the allowable drives selected.
6. Optionally, select whether to force the partition to be a primary partition. This is necessary for some partitions such as /boot/efi on Itanium systems.
7. Click OK to return to the partition list.
FIGURE 1.12 Creating a Standard Disk Partition
Setting Up LVM During Installation
LVM, or Logical Volume Manager, is a storage management solution that allows administrators to divide hard drive space into physical volumes (PV), which can then be combined into logical volume groups (VG), which are then divided into logical volumes (LV) on which the filesystem and mount point are created. Refer to Chapter 7 for a more detailed explanation.
To partition with LVM during installation, either allow the installation program to create the default layout or create a custom layout.
TIP
Instead of creating logical volumes from scratch, you can allow the installation program to create the default layout and then modify it to your specifications.
To create the LVM layout from scratch, use the following steps:
1. Create a standard disk partition for the /boot partition because it can't be within a LVM (or a /boot/efi partition for an Itanium system) as described in the previous section "Setting Up Basic Partitions During Installation."
2. Create the physical volumes (PVs). A PV must be created for each physical hard drive you want to use for logical volumes. Click New again, except this time select physical volume (LVM) as the filesystem type as shown in Figure 1.13. Click OK to return to the partition list. Repeat this step for each PV needed.
FIGURE 1.13 Creating a Physical Volume
3. Create the volume groups (VGs). From the partition list screen, click LVM. The size of the VG is set by the number of physical extents, which is 32 MB by default. It is not recommended you modify the physical extent size. As shown in Figure 1.14, a unique name is given to the VG. Modify the name if you want to use a different naming convention. Select the physical volumes to include in the VG. The total size for the VG might not be equal to the summation of the PV sizes because a small amount of disk space is used as overhead. Click OK to return to the partition list. Repeat this step for each VG needed. Otherwise, continue to the next step.
FIGURE 1.14 Creating a Volume Group
4. Create logical volumes (LVs) inside the volume groups. An LV must be created for the root (/) mount point and for the swap space. Additional LVs such as /home and /tmp are optional. To create a logical volume, from the partition list, select the VG in which to create it, and click Edit. (Or keep the dialog window open after creating the volume group.) Click Add in the Logical Volumes section at the bottom of the dialog window. As shown in Figure 1.15, the mount point, filesystem type, LV name, size, and whether the LV should be formatted must be specified. Click OK to return to the volume group dialog and repeat this step for each LV needed. Then click OK to return to the partition list in the main window of the installation program.
FIGURE 1.15 Creating a Logical Volume
After LVM is set up, the main window with the partition list should look similar to Figure 1.16.
FIGURE 1.16 LVM Configuration
5ett|ng U 5eftware RAI ur|ng Insta||at|en
Reer Io Ihe "UndersIanding RAID" secIion o ChapIer 7 or an explanaIion o soIware
RAID. Then use Ihe ollowing sIeps Io creaIe a RAID parIiIion:
1. Click Ihe RAID buIIon.
2. SelecI Create a soItware RAID partItIon and click OK.
3. The Add PartItIon dialog used Io creaIe a sIandard disk parIiIion appears. As shown
in Eigure 1.17, selecI soItware RAID as Ihe ilesysIem Iype, selecI Ihe allowable
drives, and seI iIs size. Click OK.
CH^lTLR 1 lnstalllng Red Hat Lnterprlse Llnux 28
FlGURL 1.17 ^ddlng a Software R^lD lartltlon
Repeat these steps depending on how many software RAID partitions you need for your particular RAID configuration. At least two software RAID partitions are needed for any of the RAID levels.
NOTE
If the /boot or /boot/efi partition is a software RAID partition, it must be RAID 1.
After setting up the RAID partitions, RAID devices must be created from them with the following steps:
1. Click RAID on the partition list screen.
2. Select Create a RAID device as in Figure 1.18 and click OK.
FIGURE 1.18 Creating a RAID Device
3. In the dialog shown in Figure 1.19, give the name of the mount point, and select ext3 or swap as the filesystem type. Select the RAID device name, where md0 is the first RAID device, md1 is the second, and so on. Select the desired RAID level (refer to Chapter 7 for an explanation of the levels), and select the RAID members from the list of RAID partitions created earlier. If RAID 1 or 5 is selected, also select the number of spare partitions to create.
FIGURE 1.19 RAID Device Specifications
Repeat these steps until all the desired RAID devices are created. Not all mount points for the system have to be RAID devices. For example, Figure 1.20 shows all the partitions as standard disk partitions except for the /home partition, because it contains data that changes frequently and would benefit most from RAID.
FIGURE 1.20 RAID Example
Installing with Kickstart
A kickstart installation is started from a kickstart file containing the answers to all the questions in the installation program, so that the administrator can start the install and then walk away until it is finished. If the network card on the system supports PXE boot, the kickstart file can even be on a different server along with the installation files, allowing for an easy, automated, and non-interactive installation.
Although a CD installation is possible with a kickstart file, a network or hard drive installation is more convenient; otherwise the administrator will have to return to the system to change CDs.
Keep in mind that a kickstart file shared over NFS, HTTP, or FTP is readable by any host that can reach the server, so it must not carry clear-text passwords. The rootpw, user, and bootloader directives described later in this section all accept pre-hashed values for this reason.
To perform a kickstart installation, use the following steps:
1. Create an installation tree for the network install and make it available to the systems being installed. Refer to the "Creating the Installation Source" section earlier in this chapter for details.
2. Create the kickstart file.
3. Create a boot CD (unless you are using PXE).
4. Copy the kickstart file to the boot CD or make it available over the network.
5. Start the kickstart installation.
Creating the Kickstart File
A kickstart file is a plain text file with each kickstart directive on a separate line. A simple text editor should be used to write or modify the file. Do not use a program that automatically wraps lines, because each directive must be on its own line. If a long line is wrapped, the installation program might read it incorrectly and cause the installation to fail. Lines that begin with the pound sign (#) are comments.
The directives listed in the kickstart file must be grouped as follows:
Command section
%packages section
%pre and %post sections
TIP
If you have already performed an installation, a kickstart file based on that installation is written to /root/anaconda-ks.cfg. You can start with this sample file and modify it as needed.
Command Section
The command section consists of directives that answer all the questions from the interactive version of the installation program. They can be listed in any order as long as they all appear before the %packages, %pre, and %post sections. This section groups them in categories to make it easier to determine which directives are suitable for your needs.
Notice that some commands are required. If any required directives are missing from the kickstart file, the automated installation pauses on the screen for which no information was provided in the kickstart file. To continue the installation, the administrator must complete the instructions for the screen and click Next.
This section divides the kickstart commands into categories based on their usage: installation, basic setup, partitioning, and additional. Some directives, such as the install directive, require related directives to be listed on separate lines. If a directive is followed by an equals sign (=), a value must follow it. Also notice that some directives are required.
Installation Commands
For all kickstart files, either the install or the upgrade directive is required. The other installation commands are optional.
install
    Install Red Hat Enterprise Linux as opposed to performing an upgrade. If this command is specified, one of the following installation methods must also be listed on a separate line:
cdrom
    The first CD-ROM drive contains the installation media.
harddrive --partition=<partition> --dir=<dir>
    The installation CD ISOs or installation source is located on a hard drive partition in the system, formatted as ext2, ext3, or vfat. The partition and the directory containing the installation source or ISOs must be specified as options to the command.
nfs --server=<server> --dir=<dir>
    The installation files are located on an NFS share accessible by the system. The hostname or IP address of the server and the directory on the NFS server containing the installation tree must be listed. If a hostname is listed, the system being installed must be able to resolve it to an IP address. NFS options can also be provided with the --opts=<options> argument to the nfs command.
url --url=<url>
    The installation tree or installation ISOs are located on an FTP or HTTP server accessible by the system being installed. The <url> can be in either of the following forms:
    http://server.example.com/install/tree/dir/
    ftp://<username>:<password>@server.example.com/install/tree/dir/
    FTP credentials embedded in the URL are stored in clear text in the kickstart file and sent in clear text over the network, so use an account with no other privileges, or use anonymous FTP or HTTP instead.
upgrade
    Upgrade the existing system instead of performing a full installation.
autostep
    Show each installation screen as kickstart automatically performs the steps from the screen. Useful for debugging.
interactive
    Similar to autostep except that each screen is populated with the values from the kickstart file and shown for verification or modification. To continue, the administrator must click Next for each screen after reviewing it.
key
    Provide the installation number for the system. Use key --skip if you do not want to enter an installation number.
cmdline
    Use the non-interactive command-line installation mode. Useful for S/390 systems with the x3270 console.
text
    Force the installation to be performed in text mode. Network, hard drive, and CD-ROM installations are performed in graphical mode unless the text command is listed.
Basic Setup Commands
authconfig (required)
    Execute the authconfig utility from the installation program to configure system authentication. Refer to the authconfig man page for options.
bootloader (required)
    Describe how the boot loader (GRUB for x86 and x86_64 systems) is installed and configured.
    --append=
        Used to provide kernel boot options. Separate two or more kernel parameters with spaces.
    --driveorder=
        Hard drive boot order from the BIOS. Separate each drive, such as sda or hda, with commas.
    --location=
        Where to write the boot record. Must be one of the following: mbr (default), partition (install on the first sector of the partition on which the kernel is installed), or none (do not install).
    --password=
        If using GRUB, set up a boot loader password to restrict access to the GRUB shell. The password is stored in clear text in the kickstart file.
    --md5pass=
        If using GRUB, the same as --password= except that the password provided is already hashed in the MD5-crypt ($1$) format GRUB expects, as produced by grub-md5-crypt. Useful if unauthorized users have access to the kickstart file, although the hash can still be attacked offline, so restrict read access to the file as well.
    --lba32
        Force lba32 mode.
    --upgrade
        Upgrade the boot loader while keeping the existing boot entries in grub.conf. Can only be used when performing an upgrade of Red Hat Enterprise Linux.
keyboard (required)
    Set the keyboard type used after installation. Must be one of the following for x86, x86_64, and Itanium (additional layouts might exist for other architectures):
    be-latin1, bg, br-abnt2, cf, cz-lat2, cz-us-qwertz, de, de-latin1, de-latin1-nodeadkeys, dk, dk-latin1, dvorak, es, et, fi, fi-latin1, fr, fr-latin0, fr-latin1, fr-pc, fr_CH, fr_CH-latin1, gr, hu, hu101, is-latin1, it, it-ibm, it2, jp106, la-latin1, mk-utf, no, no-latin1, pl, pt-latin1, ro_win, ru, ru-cp1251, ru-ms, ru1, ru2, ru_win, se-latin1, sg, sg-latin1, sk-qwerty, slovene, speakup, speakup-lt, sv-latin1, trq, ua, uk, us, us-acentos
    The keyboard types are also listed in the /usr/lib/python2.4/site-packages/rhpl/keyboard_models.py file from the rhpl package.
lang <lang> (required)
    Set the default language for the installed system. The file /usr/share/system-config-language/locale-list from the system-config-language package contains a list of valid languages. Each line in this file lists a different language. Use the value of the first column, such as en_US.UTF-8, for <lang>.
monitor
    If this command is not used, the installation program probes for the monitor. Use this command to manually configure the monitor attached to the system or to force the installation program not to probe the monitor, with the following options:
    --hsync=
        Horizontal sync rate.
    --monitor=
        Monitor name from the /usr/share/hwdata/MonitorsDB file from the hwdata package (the second value from the semicolon-separated list of values for each monitor). This value is ignored if --hsync= and --vsync= are also specified.
    --noprobe
        Don't probe for the monitor.
    --vsync=
        Vertical sync rate.
network
    If the installation method chosen is not a network install, networking is not configured for the system. If a network install is chosen, it is performed over the first Ethernet device (eth0) using DHCP, with the installed system being configured to use DHCP as well. If a different network configuration is required for the network install, use this command to configure it. The installed system will use these settings as well. Options include
    --bootproto=
        Boot protocol to use. Must be one of dhcp, bootp, or static. If static is chosen, all network configuration must be listed as well with the --ip=, --netmask=, --gateway=, and --nameserver= options.
    --device=
        Specify the Ethernet device to use, such as eth0.
    --ip=
        IP address to use with a static configuration.
    --gateway=
        Gateway to use with a static configuration.
    --nameserver=
        Primary nameserver to use with a static configuration.
    --nodns
        Don't configure a DNS server.
    --netmask=
        Netmask to use for a static configuration.
    --hostname=
        Hostname for the system.
    --ethtool=
        Used to configure network settings passed to the ethtool utility.
    --essid=
        Network ID to use for the wireless network.
    --wepkey=
        WEP key to use for the wireless network. Like every other value in the file, it is stored in clear text.
    --onboot=
        If set to yes, the network device is enabled at boot time.
    --class=
        DHCP class to use.
iscsi
    The Internet SCSI (iSCSI) protocol provides SCSI over TCP/IP networks for data transfer. It is a lower-cost alternative to a Fibre Channel storage area network (SAN).
    --ipaddr=
        IP address of the remote connection.
    --target=
        Remote disk to connect to.
    --port=
        Port used to connect to the target.
    --user=
        Username for the remote connection, if required.
    --password=
        Password for the remote connection, if required.
iscsiname
    iSCSI initiator name. Must be a unique, per-host identifier used with iSCSI.
rootpw (required)
    Root password for the installed system. To specify an encrypted password, use the --iscrypted option before the encrypted password. Without --iscrypted the root password sits in the file in clear text, and a kickstart file is normally readable by every host that can reach the NFS, HTTP, or FTP server sharing it, so --iscrypted should be treated as mandatory.
timezone (required)
    Time zone for the installed system.
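The --md5pass= option above, and the --iscrypted option of rootpw (and of the user directive described later), expect a hash rather than a clear-text password. The following is an added example, not code from the book, from GRUB, or from anaconda, showing how that value is produced: a pure-Python implementation of the MD5-crypt ($1$) scheme, which is the only format GRUB legacy accepts for --md5pass and one of the formats accepted in /etc/shadow, and therefore by rootpw --iscrypted and user --iscrypted. The kickstart_lines helper and its argument names are this example's own. It assumes the installed system's shadow file accepts $1$ hashes, which is the Red Hat Enterprise Linux 5 default; where SHA-512 ($6$) hashes are accepted they are the stronger choice for rootpw.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """crypt(3)'s base-64 variant: emit `count` characters, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def new_salt(length=8):
    """Random salt from the crypt alphabet; 8 characters is the $1$ maximum."""
    return "".join(ITOA64[b % 64] for b in os.urandom(length))


def md5crypt(password, salt):
    """Return '$1$<salt>$<22 chars>', the MD5-crypt hash used by GRUB legacy
    (--md5pass) and by /etc/shadow on Red Hat Enterprise Linux 5."""
    pw = password.encode("utf-8")
    salt = salt[:8].encode("ascii")            # $1$ uses at most 8 salt characters

    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # feed len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                                # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                      # fixed 1000-round stretching loop
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(salt)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    # The 16 digest bytes are emitted in crypt's permuted 3-byte groups.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$%s$%s" % (salt.decode("ascii"), encoded)


def verify(password, hashed):
    """Check a clear-text password against an existing $1$ hash (constant-time compare)."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), hashed)


def kickstart_lines(root_password, grub_password):
    """Directive lines to paste into the command section, each with a fresh salt.
    (Helper name and arguments are this example's own, not kickstart syntax.)"""
    return [
        "rootpw --iscrypted " + md5crypt(root_password, new_salt()),
        "bootloader --location=mbr --md5pass=" + md5crypt(grub_password, new_salt()),
    ]


if __name__ == "__main__":
    import getpass
    root_pw = getpass.getpass("root password: ")
    grub_pw = getpass.getpass("GRUB password: ")
    print("\n".join(kickstart_lines(root_pw, grub_pw)))
```

Run it on the workstation where the kickstart file is written, never on the shared installation server, and paste the two printed lines into the command section. The hash only slows an attacker who obtains the file; it does not make the file safe to publish, so the share should still be restricted to the hosts being installed.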
Partitioning Commands
autopart
    Create default partitions (a root (/) partition, swap partition, and /boot partition). The sizes of these partitions can be modified with the part directive.
clearpart
    Remove specific partitions or partition types before creating new partitions. If this command is used, the --onpart option can't be used on a logical partition.
    --all
        All partitions are removed.
    --drives=
        All the partitions on the drives listed, such as hda or sdc, are removed.
    --initlabel
        Initialize the disk label to the default for the system's architecture. Useful when installing to a new hard drive that has not been initialized.
    --linux
        Only existing Linux partitions are removed.
    --none (default)
        No partitions are removed.
volgroup <name> <partition> <options>
    Create an LVM volume group. The following <options> are available:
    --noformat
        Do not format. Useful for retaining an existing volume group.
    --useexisting
        Use an existing volume group. The volume group is formatted by default unless --noformat is also specified.
    --pesize=
        Size of physical extents.
NOTE
Create the partition with the partition directive before creating a volume group with volgroup. After creating the volume group, use the logvol directive to create a logical volume.
Refer to Chapter 7 for details about LVM and LVM configuration.
logvol <mountpoint> --vgname=<name> --size=<size> --name=<name> <options>
    Create a logical volume after creating a volume group with volgroup. The following <options> are available:
    --noformat
        Do not format. Useful for an existing logical volume.
    --useexisting
        Use an existing logical volume. Reformatted unless --noformat is also specified.
    --fstype=
        Filesystem type. Must be one of ext2, ext3, swap, or vfat.
    --fsoptions=
        Mount options to use for the filesystem. They are copied to /etc/fstab.
    --bytes-per-inode=
        Size of inodes for the filesystem on the logical volume. Ignored if the filesystem specified does not support this feature.
    --grow
        Allow the size of the logical volume to increase if space is available. If a maximum size is provided with --maxsize=, the logical volume will not be bigger than this maximum size.
    --maxsize=
        If --grow is used to allow the size of the logical volume to increase, this option should be set to the maximum size the logical volume is allowed to grow to, in megabytes.
    --recommended
        Let the installation program automatically calculate the size of the logical volume depending on the free space available.
    --percent=
        Size of the logical volume as a percentage of the free space available.
partition (required for installs)
    Create a filesystem partition. The directive can also be written as part. Formatted by default unless --noformat and --onpart are specified. Only applicable to installations, not upgrades.
    The following options are available:
    <mntpoint>
        Mount point for the partition. Valid formats for the mount point are as follows:
        A directory path such as /, /tmp, or /home
        swap to specify a swap partition
        raid.<id> for software RAID
        pv.<id> for LVM
    --size=
        Minimum size for the partition, in megabytes.
    --grow
        Allow the size of the partition to increase if space is available. If a maximum size is provided with --maxsize=, the partition will not be bigger than this maximum size.
    --maxsize=
        If --grow is used to allow the size of the partition to increase, this option should be set to the maximum size the partition is allowed to grow to, in megabytes.
    --noformat
        Do not format the partition. Use with the --onpart option.
    --onpart=
        Existing partition, such as sda1, on which to place the partition. Use --noformat if you don't want the existing partition to be formatted during installation.
    --ondisk=
        Hard drive, such as sda, on which to create the partition.
    --asprimary
        Create the partition as a primary partition or fail.
    --fstype=
        Filesystem type. Must be one of ext2, ext3, swap, or vfat.
    --fsoptions=
        Mount options to use for the filesystem. They are copied to /etc/fstab.
    --bytes-per-inode=
        Size of inodes for the filesystem on the partition. Ignored if the filesystem specified does not support this feature.
    --label=
        Filesystem label to use for the partition.
    --start=
        If --ondisk= is used, this option can be used to provide a starting cylinder for the partition. The ending cylinder must be listed with the --end= option, and the partition size must be provided with --size=.
    --end=
        Ending cylinder for the partition if --start= is used.
    --recommended
        Let the installation program automatically calculate the size of the partition depending on the free space available.
    --onbiosdisk=
        Create the partition on a specific hard drive as determined by the BIOS.
raid <mntpoint> --level=<level> --device=<device> <options> <raid.id partitions>
    Create a software RAID device from the raid.<id> partitions listed at the end of the line, with the following options:
    <mntpoint>
        Mount point for the RAID filesystem. The RAID level must be 1 for the /boot partition or for the partition containing the /boot directory, such as the / partition.
    --level=
        RAID level. Must be 0, 1, or 5.
    --device=
        RAID device name to use, from md0 to md7.
    --fstype=
        Filesystem type. Must be one of ext2, ext3, swap, or vfat.
    --fsoptions=
        Mount options to use for the filesystem. They are copied to /etc/fstab.
    --bytes-per-inode=
        Size of inodes for the filesystem. Ignored if the filesystem specified does not support this feature.
    --spares=
        Number of spare drives for the RAID array.
    --noformat
        Do not format. Use with --useexisting.
    --useexisting
        Use an existing RAID device. Formatted unless --noformat is also specified.
dmraid
    Rename an IDE RAID device.
    --name=
        New device name.
    --dev=
        Device to rename.
multipath
    Multipath is a kernel feature that allows a device to be configured with multiple spare devices in case of device failure. Use the following syntax:
    multipath --name=<name> --device=<devicelist> --rule=<rule>
zfcp
    On IBM System z systems, the zfcp driver can be used to support Fibre Channel Protocol (FCP) devices. All zFCP devices must be configured manually (they are not automatically configured during installation). All of the following arguments are required.
    --devnum=
        Specify the 16-bit device number.
    --fcplun=
        Specify the 64-bit FCP LUN.
    --scsiid=
        Specify the SCSI ID number.
    --scsilun=
        Specify the SCSI LUN.
    --wwpn=
        Specify the 64-bit World Wide Port Name (WWPN).
ignoredisk
    Ignore the listed disks when partitioning, formatting, and clearing.
    --drives=<list>
        The list should be a comma-separated list of drive names.
Additional Commands
device
    If the installation program does not properly probe one or more PCI devices, use this directive to configure them with the following required parameters:
    <type>
        Either scsi or eth.
    <modulename>
        Kernel module to use for the device.
    --opts=
        Kernel module options. To list more than one option, separate them with a space and place all the options inside one set of quotation marks.
driverdisk
    Location of the driver disk to use for installation. Can either be on a hard drive partition on the system or on an FTP, HTTP, or NFS server accessible by the system being installed. To list a hard drive partition containing the contents of the driver disk, where <fstype> is either ext2 or vfat:
    driverdisk <partition> --type=<fstype>
    To list a network location, where <proto> is ftp, http, or nfs:
    driverdisk --source=<proto>://path/to/driverdisk
firewall
    Firewall settings to use. Can be modified with system-config-securitylevel after installation. One of --enabled or --disabled must be used if this directive is listed. Optionally use the following parameters:
    --trust=
        Devices, such as eth0, from which to allow all incoming traffic. To list multiple devices, repeat the --trust parameter, such as --trust=eth0 --trust=eth1.
    --ssh
        Allow incoming SSH connections.
    --telnet
        Allow incoming Telnet connections. Telnet carries logins and passwords in clear text; prefer SSH.
    --smtp
        Allow incoming SMTP connections.
    --http
        Allow incoming HTTP connections.
    --ftp
        Allow incoming FTP connections.
    --port=
        Allow incoming traffic on a specific port in the port:protocol format, such as 2049:tcp. Separate multiple port/protocol combinations with commas.
firstboot
    If --enable is specified, the Setup Agent is started the first time the system boots after installation. If --disable is specified, the Setup Agent is not started at first boot. If --enable --reconfig is used with the firstboot directive, the Setup Agent is started at first boot in reconfiguration mode.
reboot
    Reboot when the installation is finished. If not specified, the system waits for a key press before rebooting.
repo (experimental)
    Additional yum repository in which to locate RPM packages for installation. Specify one repository per line in the kickstart file. Specify the repository ID with the --name= option. Use either --baseurl= to provide the URL for the repository or --mirrorlist= to provide the URL for a mirror list.
selinux
    Configure Security-Enhanced Linux (SELinux) for the installed system. Set to one of the following:
    --disabled
        Disable SELinux.
    --enforcing
        Enforce the default SELinux policy.
    --permissive
        Enable SELinux in permissive mode, only logging events that would be denied but not enforcing them.
NOTE
If not set, SELinux is enforcing by default. Refer to Chapter 23, "Protecting Against Intruders with Security-Enhanced Linux," for more information about SELinux.
services
    Enable or disable specific services for the installed system. The disabled list is processed before the enabled list. Specify services to disable with --disabled=<list>, where <list> is a comma-separated list. Use --enabled=<list> to configure which services to start at boot time.
skipx
    Do not configure the X Window System on the installed system.
user
    Create a new user on the installed system with the following parameters:
    --name= (required)
        Username.
    --groups=
        The user is automatically added to a user private group with the same name as the username. To add the user to additional groups, specify them in a comma-separated list.
    --homedir=
        Home directory for the user if you do not want to use the default value /home/<username>.
    --password=
        Password for the user. If not specified, the account is locked.
    --iscrypted
        Use if the password provided with --password= is already encrypted.
    --shell=
        Login shell. Defaults to bash if not specified.
    --uid=
        UID for the user. If not specified, the next available non-system UID is used.
vnc
    Start the VNC server so that the graphical version of the installation program can be displayed remotely. If no arguments are provided, the VNC server is started, and the command to connect a remote client is displayed. Optionally, include the following arguments on the same line in the kickstart file:
    --host=
        After starting the VNC server, connect it to the VNC viewer on this host.
    --port=
        Port on which the remote VNC viewer is listening.
    --password=
        Password that must be given to connect to the VNC server running the installation program. If this option is not used, no password is configured, and anyone who can reach the installer's VNC port can take control of the installation, so set one whenever the system is installed on a shared network.
xconfig
    Set up the X Window System if it is to be installed on the system. The following options are available and should be listed on the same line:
    --driver=
        Video card driver to use.
    --videoram=
        Amount of RAM on the video card.
    --defaultdesktop=
        Set the default desktop to either GNOME or KDE. The desktop chosen must also be installed in the %packages section.
    --startxonboot
        If used, the login screen is set to the graphical login screen, and users are provided with the default graphical desktop after a successful login.
    --resolution=
        Default resolution for the screen. Must be compatible with the video card and monitor combination. Possible values are 640x480, 800x600, 1024x768, 1152x864, 1280x1024, 1400x1050, and 1600x1200.
    --depth=
        Default color depth. Must be compatible with the video card and monitor combination. Possible values are 8, 16, 24, and 32.
zerombr
    If set to yes, all invalid partition tables found are initialized.
logging
    Customize installation logging.
    --host=
        Write log messages to a remote host, which has syslogd running and accepts remote logging.
    --port=
        Specify a port to use for remote logging.
    --level=
        All log messages are written to the log file. Use this option to configure what messages appear on tty3 during installation. Set to debug, info, warning, error, or critical.
%include
    Use to provide the path to another file containing kickstart commands. The contents of the additional file are read as if they were located in the kickstart file in place of the %include line.
Package Section
The installation program installs a certain list of packages by default and allows for limited selection of additional software sets, as described in the "Performing the Installation" section. The %packages section of the kickstart file allows the administrator to list additional packages or package groups.
Under the %packages line, package group names are preceded by the @ symbol and a space. Individual package names are listed by themselves, one per line. If an individual package name is preceded by a minus sign (-), the package is not installed.
A list of package groups and the individual packages in each group is in the <variant>/repodata/comps-<name>.xml file on the first installation CD. Replace <variant> with Server, Client, or another directory name associated with an additional software entitlement, such as VT for virtualization. Replace <name> with the rest of the filename used, such as rhel5-server-core for the Server/repodata/ directory.
In the comps file, under the <group> level, the value of the <name> or the <id> field can be used as the package group name in the kickstart file. The default and optional packages in the group are under the <packagelist> tag.
The Core and Base package groups are always installed and do not have to be listed in the %packages section. Listing 1.1 shows an example %packages section.
LISTING 1.1 Example %packages Section
%packages
@ DNS Name Server
@ FTP Server
dhcp
In Red Hat Enterprise Linux 4 and lower, language support in addition to the default language listed with the lang directive in the command section was added with the langsupport directive. Additional language support is now added in the %packages section with a package group name such as Croatian Support, as listed in the comps.xml file.
If the --ignoremissing parameter is used on the %packages line, packages or package groups that are listed but not found are ignored and the installation continues without them. If this parameter is not used, the installation program pauses and prompts whether or not to continue, requiring user interaction before continuing or aborting.
Preinstallation Section
Optionally, a script can be provided and run immediately after the kickstart file is parsed and before the installation begins. The network is available, but DNS lookup is not.
The section must begin with the %pre line. The following parameters can be specified after %pre on the same line:
--interpreter <interpreter>
    Use a specific scripting language, such as /usr/bin/python, to process the script.
--erroronfail
    If the script fails, pause the installation and display an error dialog showing the location of the failure in the script.
Post-installation Section
Optionally, a script can be run immediately after the installation is complete and before the system is rebooted. After installation, the network is available. However, DNS servers are not available unless a primary nameserver was specified when configuring a static IP address. If DHCP was used, DNS lookup is not available and IP addresses must be used.
The section must begin with the %post line. The following parameters can be specified after %post on the same line:
--nochroot
    Don't run the post-installation script in the chroot environment. By default, the post-installation script is run in a chroot environment where the /mnt/sysimage directory is treated as the root filesystem. Thus, by default, certain operations, such as copying files from the installation media, will not work unless the --nochroot option is used.
--interpreter <interpreter>
    Use a specific scripting language, such as /usr/bin/python, to process the script.
--erroronfail
    If the script fails, pause the installation program and display an error dialog showing the location of the failure in the script.
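Before the finished file is copied to the installation server, it is worth checking it for the two failure modes described above (a required directive left out, which makes the "automated" install stop and wait, and a directive wrapped onto two lines) and for settings that leak credentials or weaken the installed system. The following is an added example, not code from the book or from anaconda, and not a replacement for the installer's own parser: a small linter that splits a kickstart file into its sections and reports findings. The directive names it knows are the ones listed in this chapter; SAMPLE_KS is a constructed file with deliberate problems, and the finding codes are this example's own.

```python
import re
import shlex

# Command-section directives this chapter marks as required.
REQUIRED = ("authconfig", "bootloader", "keyboard", "lang", "rootpw", "timezone")
INSTALL_METHODS = ("cdrom", "harddrive", "nfs", "url")
# Every command-section directive named in this chapter. A line starting with
# anything else is most likely the tail of a directive an editor wrapped.
KNOWN = set(REQUIRED) | set(INSTALL_METHODS) | {
    "install", "upgrade", "autostep", "interactive", "key", "cmdline", "text",
    "monitor", "network", "iscsi", "iscsiname", "autopart", "clearpart",
    "volgroup", "logvol", "part", "partition", "raid", "dmraid", "multipath",
    "zfcp", "ignoredisk", "device", "driverdisk", "firewall", "firstboot",
    "reboot", "repo", "selinux", "services", "skipx", "user", "vnc", "xconfig",
    "zerombr", "logging", "%include",
}
SECTION_RE = re.compile(r"^%(packages|pre|post)\b")


def split_sections(text):
    """Split a kickstart file into its command, %packages, %pre and %post sections."""
    sections = {"commands": [], "packages": [], "pre": [], "post": []}
    current = "commands"
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)          # the %-line itself is not content
            continue
        if line and not (current == "commands" and line.startswith("#")):
            sections[current].append(line)
    return sections


def parse_directive(line):
    """'rootpw --iscrypted $1$x$y' -> ('rootpw', ['--iscrypted', '$1$x$y'])."""
    try:
        tokens = shlex.split(line)
    except ValueError:                        # unbalanced quotes: fall back to whitespace
        tokens = line.split()
    return (tokens[0], tokens[1:]) if tokens else ("", [])


def lint_kickstart(text):
    """Return sorted (severity, code, message) findings for a kickstart file."""
    findings = []
    directives = [parse_directive(line) for line in split_sections(text)["commands"]]
    names = [name for name, _ in directives]

    def add(severity, code, message):
        findings.append((severity, code, message))

    # 1. Anything required but absent makes the install stop and wait for a human.
    for req in REQUIRED:
        if req not in names:
            add("error", "missing-" + req, "required directive %s is not present" % req)
    if "install" not in names and "upgrade" not in names:
        add("error", "missing-install", "neither install nor upgrade is specified")
    if "install" in names:
        if not any(m in names for m in INSTALL_METHODS):
            add("error", "missing-method", "install needs a cdrom, harddrive, nfs or url line")
        if not any(p in names for p in ("part", "partition", "autopart")):
            add("error", "missing-partitioning", "install needs part/partition or autopart")

    # 2. A line that does not start with a known directive is probably a wrapped line.
    for name, _ in directives:
        if name not in KNOWN:
            add("error", "unknown-directive", "line starts with %r (wrapped directive?)" % name)

    # 3. Settings that leak credentials from a file served over NFS/HTTP/FTP,
    #    or that weaken the installed system.
    for name, args in directives:
        has_pw = any(a.startswith("--password") for a in args)
        if name == "rootpw" and "--iscrypted" not in args:
            add("error", "rootpw-plaintext", "root password in clear text; use --iscrypted")
        if name == "user" and has_pw and "--iscrypted" not in args:
            add("error", "user-plaintext", "user password in clear text; use --iscrypted")
        if name == "bootloader" and has_pw:
            add("warning", "bootloader-plaintext", "GRUB password in clear text; use --md5pass")
        if name == "url" and re.search(r"ftp://[^/@\s]+:[^/@\s]+@", " ".join(args)):
            add("warning", "ftp-credentials", "FTP username:password embedded in the url line")
        if name == "selinux" and "--disabled" in args:
            add("warning", "selinux-disabled", "SELinux disabled on the installed system")
        if name == "firewall" and "--disabled" in args:
            add("warning", "firewall-disabled", "firewall disabled on the installed system")
        if name == "firewall" and "--telnet" in args:
            add("warning", "firewall-telnet", "incoming telnet allowed (clear-text logins)")
        if name == "vnc" and not has_pw:
            add("warning", "vnc-nopassword", "VNC install console has no password")
    return sorted(findings)


# Constructed sample with deliberate problems; not a real deployment profile.
SAMPLE_KS = """\
install
url --url=ftp://deploy:hunter2@install.example.com/rhel5/
lang en_US.UTF-8
keyboard us
rootpw hunter2
firewall --enabled --ssh --telnet
authconfig --enableshadow --enablemd5
selinux --disabled
timezone --utc America/New_York
bootloader --location=mbr --password=grubpw
clearpart --all --initlabel
part / --fstype=ext3 --size=1 --grow
--fsoptions=noatime
user --name=deploy --password=hunter2
vnc

%packages
@ DNS Name Server
dhcp

%post
echo "post ran" > /root/post.log
"""

if __name__ == "__main__":
    for severity, code, message in lint_kickstart(SAMPLE_KS):
        print("%-7s %-21s %s" % (severity, code, message))
```

Run against SAMPLE_KS it reports eight findings: the wrapped --fsoptions line, the three clear-text passwords, the FTP credentials in the url line, SELinux disabled, Telnet opened in the firewall, and the unprotected VNC console. It does not validate option values or the %pre and %post scripts; the installer itself remains the final check.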
Making the Kickstart File Accessible
The kickstart file must be copied to a location accessible by the installation program. These locations include the following:
Hard drive partition
Floppy disk
HTTP, FTP, or NFS share
Boot CD
The first three locations are self-explanatory. For example, after setting up an HTTP, FTP, or NFS server, place the kickstart file in a directory shared by the network protocol. However, placing the file on the boot CD created from the boot.iso file needs further explanation. This section also explains how to provide an NFS server location via DHCP.
On the Boot CD
As described in the previous section "Making a Boot Disc," a boot CD can be created from the images/boot.iso file on the first installation CD. However, after the boot CD is made from this image, it is read-only, and files cannot be added to it after the CD is created.
The kickstart file must be named ks.cfg and must be located in the top-level directory of the CD. To add this file before creating the CD, loopback mount the boot.iso image, copy the contents to a different directory, add the ks.cfg file to the directory, and then use mkisofs to create a new ISO image:
1. Create two empty directories such as /tmp/bootiso/ and /tmp/bootis­oks/. The first one will be used to loopback mount the boot.iso image, and the second one will be used to create the boot CD with a kickstart file on it.
2. After retrieving the boot.iso image from the first installation CD as described in the "Creating a Boot Disc" section earlier in this chapter, use the su - command to become the root user, and loopback mount the image into the directory just created:
   mount -o loop boot.iso /tmp/bootiso/
3. Type exit to return to using your normal user account instead of a root shell.
4. Recursively copy the contents of the CD into the second new directory:
   cp -r /tmp/bootiso/* /tmp/bootisoks/
5. Change into the directory that now contains the files for the new boot disc:
   cd /tmp/bootisoks
6. Change the file permissions of the isolinux/ directory and its contents so you have write access to them (the directory itself must be writable for the copy in the next step to succeed):
   chmod u+w isolinux isolinux/*
7. Copy the kickstart file into this directory, making sure it is named ks.cfg on the boot ISO (provide the proper path to the kickstart file):
   cp <kickstart-file> isolinux/ks.cfg
8. Create a new ISO image of the boot CD with the kickstart file on it. The command should be issued as one command without the backslash (\). The backslash is used in the following command because the command is too long to fit on one printed line:
   mkisofs -o bootks.iso -b isolinux.bin -c boot.cat -no-emul-boot \
     -boot-load-size 4 -boot-info-table -R -J -v -T isolinux/
9. Write the bootks.iso image to a CD by either right-clicking on the file in the Nautilus file manager and selecting Write to Disc, or using the cdrecord utility.
Use this boot CD to start the kickstart installation as described in the "Starting the Kickstart Installation" section later in this chapter.
Over NFS as Defined by the DHCP Server
Instead of having to type the NFS server name and the location of the kickstart file on the NFS server each time you start a kickstart installation, you can configure the DHCP server to send this information to the system being installed, as long as it is configured to retrieve its network information via DHCP and the DHCP server supports this feature (Red Hat Enterprise Linux as a DHCP server supports it). The DHCP and NFS servers used for kickstart installations can be the same physical system, but they do not have to be.
After setting up the NFS server and making the installation tree available on it, create a directory such as /kickstart on the NFS server to store the kickstart files for the systems you want to install. Copy the kickstart files to this directory and make sure it is configured as a shared directory via NFS.
Assuming your DHCP server is a Red Hat Enterprise Linux server, on the DHCP server, use the following lines in dhcpd.conf to define the NFS server sharing the kickstart files:
filename "/shares/kickstart/";
next-server nfs.example.com;
If the filename listed in the DHCP server configuration file ends in a slash (/), it is assumed to be a directory, and the installation program looks for the file <ip-address>-kickstart, where <ip-address> is the IP address of the system being installed as assigned by the DHCP server. If the NFS server is not defined with next-server, the installation program assumes the NFS server has the same IP address as the DHCP server. If a path or filename is not specified with filename, the installation program assumes the kickstart file is in the /kickstart directory on the NFS server with the filename <ip-address>-kickstart.
Note that the installer trusts whichever DHCP server answers first. A rogue DHCP server on the same segment can therefore point the installation at its own kickstart file and installation tree, so use this method only on a controlled provisioning network.
Starting the Kickstart Installation
To start a kickstart installation by PXE booting, refer to the "Installing with PXE" section for details.
Otherwise, to start a kickstart installation, make sure the system's BIOS is configured to boot off the CD-ROM drive, and boot from a boot CD created with boot.iso or from the first installation CD. Booting off the first installation CD is only required if you are performing a CD-ROM installation. After booting from the CD, a specially formatted command must be issued at the boot: prompt. This command varies depending on the location of the kickstart file:
CD-ROM
    If the kickstart file is located on the boot CD as previously described in the "Making the Kickstart File Accessible" section, use the following command at the boot: prompt:
    linux ks=cdrom:/ks.cfg
lnstalllng wlth Klokstart 49
1
NES server
I Ihe kicksIarI ile is on an NES server, use Ihe ollowing command aI Ihe boo1:
prompI, replacing <server> wiIh Ihe hosIname or IF address o Ihe NES server and
<f1Jenane> wiIh Ihe ilename o Ihe kicksIarI ile or Ihe paIh o Ihe direcIory
conIaining Ihe kicksIarI ile:
J1nux ks=nfs:<server>:1<f1Jenane>
I Ihe ilename lisIed in Ihe DHCF server coniguraIion ile ends in a slash (1), iI is
assumed Io be a direcIory, and Ihe insIallaIion program looks or Ihe ile <1p-
address>-k1cks1ar1, where <1p-address> is Ihe IF address o Ihe sysIem being
insIalled as assigned by Ihe DHCF server.
HTTF server
I Ihe kicksIarI ile is on an HTTF server, use Ihe ollowing command aI Ihe boo1:
prompI, replacing <server> wiIh Ihe hosIname or IF address o Ihe HTTF server and
<f1Jenane> wiIh Ihe ilename o Ihe kicksIarI ile or Ihe paIh o Ihe direcIory
conIaining Ihe kicksIarI ile:
J1nux ks=h11p:11<server>1<f1Jenane>
Eloppy disk
I Ihe kicksIarI ile is on a loppy disk, Ihe disk musI be ormaIIed as an exI2 or vaI
ilesysIem. I Ihe ile is named ks.cfg aI Ihe rooI level o Ihe disk (noI in a direc-
Iory), Ihe insIallaIion can be sIarIed wiIh Ihe ollowing command aI Ihe boo1:
prompI:
J1nux ks=fJoppy
I Ihe ile is on a loppy disk ormaIIed as an exI2 o vaI ilesysIem buI noI on Ihe
rooI direcIory o Ihe disk, Ihe paIh Io Ihe ile as well as Ihe ilename can be speci-
ied as ollows:
J1nux ks=fJoppy:1<f1Jenane>
Hard drive
I Ihe kicksIarI ile is on an exI2 or vaI parIiIion o Ihe hard drive in Ihe sysIem Io
be insIalled, use Ihe ollowing command aI Ihe boo1: prompI, replacing <dev1ce>
wiIh Ihe hard drive device name such as sda1 and <f1Je> wiIh Ihe ilename o Ihe
kicksIarI ile including Ihe ull paIh.
J1nux ks=hd:<dev1ce>:1<f1Je>
CH^lTLR 1 lnstalllng Red Hat Lnterprlse Llnux 50
NES server deined by DHCF
As described in Ihe previous secIion "Making Ihe KicksIarI Eile Accessible," Ihe
DHCF server can send inormaIion abouI Ihe kicksIarI ile locaIed on an NES server
Io Ihe sysIem Io be insIalled. I Ihis coniguraIion is used, use Ihe ollowing
command aI Ihe boo1: prompI:
J1nux ks
N01
^ll of these boot oommands assume that the network oonneotlon started should use
the flrst Lthernet devloe (eth0). To use an alternate Lthernet devloe, append a spaoe
and the followlng to the end of any of the boot oommands, replaolng <dev1ce> wlth
the Lthernet devloe name suoh as eth1 for the seoond Lthernet oard:
ksdev1ce=<dev1ce>
Installing with PXE

Some NICs include the ability to boot using a Pre-Execution Environment (PXE). It works by sending out a broadcast request for a DHCP server on the network. If the DHCP server is configured to send the client the IP address or hostname of a tftp server and the location on that tftp server of the files needed to start the Red Hat Enterprise Linux installation, the client can start a network installation without having to boot from local media such as a CD.

This method can also be used with kickstart to perform an automated network installation; it allows the administrator to boot multiple systems and then walk away while each client receives first the PXE boot information and then the kickstart file to perform the installation.

Note that neither the DHCP exchange nor the tftp transfer is authenticated: a PXE client boots whatever kernel and initrd the responding server hands it. Keep systems that boot via PXE on a network segment where only your own DHCP and tftp servers can answer the broadcast.

To perform a network installation using PXE boot, use the following steps:

1. Create an installation tree for the network install and make it available to the systems being installed. Refer to the "Creating the Installation Source" section earlier in this chapter for details.
2. Configure the tftp server.
3. Configure the DHCP server.
4. Boot the system to start the installation.
Configuring the tftp Server

Information such as the IP address or hostname of the network server sharing the installation tree must be retrieved by the client to be installed. The tftp service is used for this purpose. The server running this xinetd service can be the same system used as the NFS, FTP, or HTTP server exporting the installation tree.

The tftp server is not installed by default. Use Red Hat Network as described in Chapter 3, "Operating System Updates," to install the tftp-server package, which provides the tftp server. You also need the syslinux package if it is not already installed.

The following information must be set for the tftp server:

Operating system identifier: One unique word that describes which installation tree the PXE server points the client to. This is used for a unique directory name.

Protocol for installations: Protocol used to export the installation tree on the server. Must be one of NFS, HTTP, or FTP. If non-anonymous FTP is required, uncheck the Anonymous FTP option and enter the username and password for the FTP server.

Kickstart location (optional): If also performing a kickstart installation, the location of the kickstart file. The location can be a local file on the PXE server or a URL such as http://server.example.com/ksfiles/ks.cfg.

Network server IP address: IP address or hostname of the NFS, FTP, or HTTP server exporting the installation tree. If a hostname is used, the server must be able to resolve it to a valid IP address.

Installation tree location: Directory on the network server containing the installation tree. Must contain the images/pxeboot/ directory.
Setting Up the tftp Server Files

First, set up the /tftpboot/linux-install/<os-ident>/ directory and populate it with the files necessary to start the installation program via PXE (all commands must be executed by the root user):

1. The /tftpboot/ directory is created by the tftp-server package. Create the /tftpboot/linux-install/ directory.
2. Copy the /usr/lib/syslinux/pxelinux.0 file installed by the syslinux package into the newly created /tftpboot/linux-install/ directory:
cp /usr/lib/syslinux/pxelinux.0 /tftpboot/linux-install/
3. Create the /tftpboot/linux-install/msgs/ directory.
4. Copy all the .msg files from the isolinux/ directory in the installation tree or from the first installation CD into the newly created /tftpboot/linux-install/msgs/ directory.

Now, you should have the following files:

/tftpboot/linux-install/msgs/boot.msg
/tftpboot/linux-install/msgs/expert.msg
/tftpboot/linux-install/msgs/general.msg
/tftpboot/linux-install/msgs/param.msg
/tftpboot/linux-install/msgs/rescue.msg
/tftpboot/linux-install/msgs/snake.msg
/tftpboot/linux-install/pxelinux.0
Use the following steps to configure the files specific to the Red Hat Enterprise Linux version and variant to be installed:

TIP
The same PXE server can be used to offer multiple versions and variants of Red Hat Enterprise Linux if the files for each are located in different /tftpboot/linux-install/<os-ident>/ directories.

1. Create the /tftpboot/linux-install/<os-ident>/ directory, where <os-ident> is a unique identifier for the version and variant of Red Hat Enterprise Linux to install via PXE. For example, RHEL5Server could be used for Red Hat Enterprise Linux Server 5.
2. Copy the initrd.img and vmlinuz files from the images/pxeboot/ directory of the installation tree or the first installation CD into the /tftpboot/linux-install/<os-ident>/ directory.
3. If performing a kickstart installation, copy the kickstart file into the /tftpboot/linux-install/<os-ident>/ directory as well, with the ks.cfg filename.

Use the following steps to configure the files specific to the systems connecting to the PXE server for installation:

1. Create the /tftpboot/linux-install/pxelinux.cfg/ directory on the PXE server.
2. The /tftpboot/linux-install/pxelinux.cfg/ directory should contain a file for each system to be installed. pxelinux requests these files by name: first 01-<mac-address> (the client's MAC address in lowercase hexadecimal with the bytes separated by dashes), then the client's IP address written as eight uppercase hexadecimal digits (for example, C0A8000A for 192.168.0.10), then progressively shorter prefixes of that hexadecimal name. If none of these files exists, the configuration in the file named default is used. An example file for the pxelinux.cfg/ directory is in Listing 1.2. In Listing 1.2, replace <os-ident> with the directory name created for the Red Hat Enterprise Linux version and variant to install on the system, and replace <method> with the network installation method to use for the installation such as nfs:<server>:/<dir>. For a kickstart installation, add the kickstart location to the append line with ks=, using the same forms as the boot commands in the "Starting the Kickstart Installation" section. The append line must be written on a single line.

LISTING 1.2 Example pxelinux.cfg/ File

default local
timeout 100
prompt 1
display msgs/boot.msg
F1 msgs/boot.msg
F2 msgs/general.msg
F3 msgs/expert.msg
F4 msgs/param.msg
F5 msgs/rescue.msg
F7 msgs/snake.msg
label local
  localboot 1
label 0
  localboot 1
label 1
  kernel <os-ident>/vmlinuz
  append initrd=<os-ident>/initrd.img ramdisk_size=6878 method=<method> ip=dhcp
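The script below is added as a worked example of the layout just described; it is not from the book or from Red Hat's netboot tooling. It creates the /tftpboot/linux-install tree for one <os-ident> and writes a per-host pxelinux.cfg file named with the client's IP address in hexadecimal, the form pxelinux actually requests, carrying the same labels as Listing 1.2 and an optional ks= boot option. TFTP_ROOT, the installation tree path and the ks= value are assumptions of the example.

```sh
#!/bin/sh
# Added example: build the /tftpboot/linux-install tree for one <os-ident>
# and write the per-host pxelinux.cfg entry.  pxelinux asks the tftp server
# for pxelinux.cfg/01-<mac>, then the client IP address as eight upper-case
# hex digits (192.168.0.10 -> C0A8000A), then shorter prefixes, then
# "default".  TFTP_ROOT, the tree path and the ks= value are assumptions.

TFTP_ROOT="${TFTP_ROOT:-/tftpboot}"

# pxe_name IP: the hexadecimal config-file name pxelinux requests for IP.
pxe_name() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
}

# setup_tftp_tree OS_IDENT INSTALL_TREE: the directory layout from the steps
# above plus the per-version kernel and initrd (run as root on the PXE server).
setup_tftp_tree() {
  ident=$1; tree=$2
  base="$TFTP_ROOT/linux-install"
  mkdir -p "$base/msgs" "$base/pxelinux.cfg" "$base/$ident"
  cp /usr/lib/syslinux/pxelinux.0 "$base/"
  cp "$tree"/isolinux/*.msg "$base/msgs/"
  cp "$tree/images/pxeboot/vmlinuz" "$tree/images/pxeboot/initrd.img" "$base/$ident/"
}

# write_host_entry IP OS_IDENT METHOD [KS]: per-host pxelinux config with the
# labels of Listing 1.2; KS, if given, becomes the ks= boot option.  Prints
# the path of the file written.
write_host_entry() {
  ip=$1; ident=$2; method=$3; ks=$4
  dir="$TFTP_ROOT/linux-install/pxelinux.cfg"
  mkdir -p "$dir"
  cfg="$dir/$(pxe_name "$ip")"
  {
    printf 'default local\ntimeout 100\nprompt 1\ndisplay msgs/boot.msg\n'
    printf 'label local\n  localboot 1\n'
    printf 'label 1\n  kernel %s/vmlinuz\n' "$ident"
    printf '  append initrd=%s/initrd.img ramdisk_size=6878 method=%s ip=dhcp' \
      "$ident" "$method"
    [ -n "$ks" ] && printf ' ks=%s' "$ks"
    printf '\n'
  } > "$cfg"
  printf '%s\n' "$cfg"
}

# Stand-alone use, as root on the PXE server:
#   setup_tftp_tree RHEL5Server /var/ftp/pub/rhel5
#   write_host_entry 192.168.0.10 RHEL5Server nfs:nfs.example.com:/shares/rhel5 \
#     nfs:nfs.example.com:/shares/kickstart/
```

With the trailing slash on the ks= value, the installer on 192.168.0.10 looks for /shares/kickstart/192.168.0.10-kickstart, which ties this entry to the per-host kickstart files described under "Over NFS as Defined by the DHCP Server".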
Enabling and Starting the tftp Service

After configuring the tftp server and which clients are allowed to connect to it, to PXE boot a network installation of Red Hat Enterprise Linux, enable the service at boot time and start it. Which clients may connect is set in the tftp entry of xinetd, /etc/xinetd.d/tftp; an only_from line there limits the service to the subnet being installed, which is worthwhile because tftp itself has no authentication. The tftp service is controlled by xinetd, so enable tftp and xinetd with the following commands as the root user:

chkconfig --level 345 xinetd on
chkconfig --level 345 tftp on

If xinetd is already running, restart it as the root user:

service xinetd restart

If it is not already running, start it as the root user:

service xinetd start
Configuring the DHCP Server

If you do not already have a DHCP server set up on your network, consult Chapter 14, "Granting Network Connectivity with DHCP," for details. The lines in Listing 1.3 must be in the dhcpd.conf file to enable PXE booting. Replace <server-ipaddress> with the IP address or hostname of the PXE server.

LISTING 1.3 Enabling PXE Booting on the DHCP Server

allow booting;
allow bootp;
class "pxeclients" {
    match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
    next-server <server-ipaddress>;
    filename "linux-install/pxelinux.0";
}
Starting the PXE Network Installation

To start the PXE installation, configure the client to boot via PXE. This step varies per system, so consult your motherboard or network card documentation for details. Then, boot the system and wait for the first installation screen to appear. Follow the steps in the "Performing the Installation" section earlier in this chapter to finish the installation. If performing a kickstart installation, wait for the installation to complete and reboot the system.
Performing an Upgrade

If the system already has an older version of Red Hat Enterprise Linux installed, it can be upgraded, preserving the data on the system while upgrading the packages to the latest versions.

To perform an upgrade, either choose Upgrade an existing installation during the interactive installation or use the upgrade directive in the kickstart file.

CAUTION
Even if you are not reformatting partitions with data that needs to be preserved, it is important that you back up all data before performing the upgrade in case an error occurs.

When performing an upgrade, the steps are similar to those described in the "Performing the Installation" section earlier in this chapter. However, some screens are omitted because their operations are not permitted for upgrades. For example, the system cannot be repartitioned because it would cause data loss.

An upgrade is achieved by using the upgrade option to RPM as discussed in Chapter 5, "Working with RPM Software." Refer to Chapter 5 to learn more about how configuration files are preserved if a package is upgraded.
Red Hat Network Provisioning

Red Hat Enterprise Linux subscribers who have opted to set up an RHN Satellite Server can also subscribe to the RHN Provisioning module, which allows clients to retrieve a kickstart file from the Satellite Server.

After setting up the Satellite Server, connect to its web interface from any system on the network. From the top horizontal menu, select Systems, Kickstart, System Details, Provisioning to access the kickstart profile creation wizard.

If the system to be installed has a NIC with PXE, you can use PXE booting to start the installation as described in the "Installing with PXE" section, with the location of the kickstart file being on the Satellite Server using the HTTP protocol.
Summary

As you now know, installation can range from a simple sequence of questions to a complex list of directives with optional preinstallation and post-installation scripts. It can also be scheduled and automated with Red Hat Network. The Red Hat Enterprise Linux installation program can be adapted to fit your needs as an administrator, depending on how many systems you need to install and how often you install or reinstall.
IN THIS CHAPTER
Red Hat Setup Agent
Logging In for the First Time
Network Configuration
Printer Configuration
Adding Boot Parameters

CHAPTER 2
Post-Installation Configuration

Chapter 1, "Installing Red Hat Enterprise Linux," detailed the Red Hat Enterprise Linux installation process. A customized software set was installed based on the system's hardware and a series of questions answered by the installer. However, before the system is up and running, it is necessary to answer a few more questions with the Red Hat Setup Agent. This chapter also discusses common configuration changes usually made shortly after installation.
Red Hat Setup Agent

The Red Hat Setup Agent guides you through some important post-installation configuration tasks, including setting up a basic firewall, deciding whether to enable SELinux, registering your system for Red Hat Network so it can receive updates, and adding users.

After installing Red Hat Enterprise Linux and rebooting, the Setup Agent welcome screen appears (see Figure 2.1). The list on the left side of the screen shows the tasks the Setup Agent will guide you through. Click Forward to continue.

NOTE
The screenshots for the Red Hat Setup Agent shown in this chapter are for the graphical version. This version is shown if you have selected to use the graphical login screen (the default). If you configured your system to use a text-based login screen, which is the default if you do not install a graphical desktop, the Red Hat Setup Agent appears in text mode. The questions are the same, but the interface will look slightly different.

FIGURE 2.1 Welcome to the Setup Agent
The first task is to read the License Agreement, which explains that the software can be copied, modified, and redistributed with the exception of a few image files such as the Red Hat logo. You must agree to the license before continuing to use Red Hat Enterprise Linux.

The next step is to determine whether or not to enable the built-in firewall (see Figure 2.2). If you prefer to configure a custom firewall using IPTables (refer to Chapter 24, "Configuring a Firewall"), you can either disable the built-in firewall or enable it for now and then disable it later after configuring IPTables.

To modify the firewall settings later, start the Security Level Configuration Tool by selecting the System menu from the top panel of the desktop and selecting Administration, Security Level and Firewall, or by executing the system-config-securitylevel command. If you are not root when you run the tool, you will be prompted to enter the root password before continuing.

Security-Enhanced Linux, or SELinux, allows administrators to add an additional layer of security to Linux. Instead of relying only on users to secure their files with file permissions and on software distributors to make the default file permissions of critical system files secure, SELinux enforces a mandatory policy that limits each confined process to the files and resources it needs to function, regardless of file permissions. For details on SELinux, refer to Chapter 23, "Protecting Against Intruders with Security-Enhanced Linux." Select one of three SELinux modes (see Figure 2.3):

Enforcing: Configure SELinux for the system using the default targeted policy
Permissive: Only warn about services protected by SELinux; policy violations are logged but not blocked
Disabled: Turn off SELinux

Permissive mode is the practical choice when you want to see what the policy would deny before enforcing it. Choosing Disabled means files are not labeled while the system runs, so switching back to Enforcing later requires a full filesystem relabel on the next boot.

FIGURE 2.2 Enabling a Basic Firewall

FIGURE 2.3 Security-Enhanced Linux
The SELinux mode can be changed at any time by selecting the System menu from the top panel of the desktop and selecting Administration, SELinux Management, or by executing the system-config-selinux command. After starting the tool, click the SELinux tab.

When a Linux system crashes, it is sometimes possible for the kernel to output a snapshot, or dump, of the system memory. This dump can be analyzed to try to determine the cause of the crash. Kdump can be enabled with the Setup Agent as shown in Figure 2.4.

FIGURE 2.4 Enabling Kdump

If Kdump is enabled, a small amount of system memory is reserved for a second, capture kernel; when the running kernel crashes, the capture kernel boots in that reserved memory and writes the dump of the crashed kernel's memory to disk. If you select to enable Kdump, specify how much memory to reserve for it. To enable or disable Kdump later, execute the system-config-kdump command to start a graphical application for configuring it. Refer to Chapter 21, "Monitoring and Tuning the Kernel," for details on Kdump. Because a dump contains the full contents of kernel memory, including any credentials or keys that were in use, protect the saved dump files as you would a backup of the system.

CAUTION
Kdump does not currently work with the virtualization kernel. If your kernel version ends with the keyword xen, do not enable Kdump.
The system time is a crucial component of a server or desktop computer whenever files are shared or synchronized, and it matters for Kerberos authentication and for correlating log entries across systems. The Date and Time screen in Figure 2.5 can be used to set the correct date and time and optionally configure a Network Time Protocol (NTP) server that synchronizes the system's time with a time server. For more information about NTP, refer to Chapter 19, "Explaining Other Common Network Services."

FIGURE 2.5 Setting the Date and Time

The Red Hat Network (RHN) activation process begins next, as shown in the screen in Figure 2.6. Parts of the RHN service, including software updates, are included with each Red Hat Enterprise Linux subscription. RHN notifies administrators of updates, permits updates to be applied immediately or scheduled, allows additional software to be installed, and more. Refer to Chapter 3, "Operating System Updates," for details.

To activate the RHN subscription for the system, select Yes, I'd like to register now and click Forward.

TIP
If you choose not to activate your subscription or register the system with RHN, you can do so later by going to http://www.redhat.com/apps/activate/ and executing the command rhn_register as root.

Next, you need to choose which server to connect to for receiving software updates (see Figure 2.7). Most users will connect to Red Hat Network. Only select the other option if you have an RHN Satellite or RHN Proxy Server set up on your network.

If you don't have a Red Hat login, click Create a New Account on the next screen. Otherwise, enter your existing Red Hat login and password to continue. If you already have a login, it is extremely important to use it for every system registration so that all your systems are associated with the same account and can be grouped for services or mirroring later.

FIGURE 2.6 Setting Up Software Updates

FIGURE 2.7 Connecting to RHN
After you have entered a valid username and password combination or created a new login, information for the system profile is requested (see Figure 2.8). The default system name is the fully qualified hostname, but it can be changed to a more descriptive name such as Primary Backup System or Web Server #1. By default, hardware and software information is also saved in the system's Red Hat Network profile. If you choose not to include the package list as part of the RHN profile, Red Hat Network will not be able to notify you when updates are available for the system because it doesn't know what packages are already installed. The next two Setup Agent screens provide a summary of your RHN subscription and inform you that an icon will appear on the graphical desktop panel when updates are available.

FIGURE 2.8 Creating an RHN System Profile
When installing the operating system, you set up a root password for the administrative account. You should not log in as the root user for normal day-to-day activities. The root account should only be used to perform administrative tasks, because certain files are only accessible by the root user and because any mistake, or any compromised program run as root, has unrestricted access to the whole system. Working as an ordinary user protects the files from accidentally being deleted, modified, moved, or damaged. The Create User screen in Figure 2.9 allows you to create a non-root user account for everyday use. To add additional users later, select the System menu from the top panel of the desktop and select Administration, Users and Groups, or execute the system-config-users command. If your network uses network authentication such as Kerberos or NIS instead, click Use Network Login. For more information on network authentication, refer to Chapter 12, "Identity Management."

FIGURE 2.9 Creating a User

If a sound card is detected, the Sound Card screen shows the vendor and model number along with the kernel module being used for it. To test the card, click Play test sound. You should hear a sound sample if the card is configured correctly. To configure or test the sound card later, select the System menu from the top panel of the desktop and select Administration, Soundcard Detection, or execute the system-config-soundcard command. You will be prompted for the root password before continuing if you start the application as a non-root user.

The last screen is the Finish Setup screen. Click Next to exit the Setup Agent and go to the login screen.
Logging In for the First Time

After going through the Setup Agent, the graphical login screen appears if you installed the graphical desktop. If you chose not to install the graphical desktop, a text-based login prompt appears.

At the login screen or prompt, type the username you configured on the Create User screen of the Setup Agent or any non-root user authenticated with a network service such as Kerberos or NIS, press Enter, and type the password for the user.

Upon successful authentication, the graphical desktop as shown in Figure 2.10 appears if the graphical desktop was installed, or a command prompt appears if the graphics subsystem was not installed.

FIGURE 2.10 Default Graphical Desktop
Network Configuration

If an Ethernet card was present during installation, the installation program allowed you to configure the device. This section explains how to modify the configuration after installation. Even if you don't need to modify the network settings, you can use the information in this section to verify that the settings are correct.

NOTE
Because some servers do not have graphical desktops installed, this section discusses network configuration from the command line by modifying configuration files. If you have a graphical desktop and want to use a graphical application, go to the System menu on the top panel and select Administration, Network.

Network Configuration Files

The following configuration files exist for network configuration:

/etc/modprobe.conf file: Assigns a kernel module to each network device.

/etc/sysconfig/network file: Sets the hostname and whether networking is enabled. IPv6 is enabled or disabled in this file.

/etc/hosts file: Lists hosts and their IP addresses for hostnames that can't be resolved by the DNS servers, such as systems on the local network.

/etc/resolv.conf file: Sets the DNS servers (using their IP addresses) and the search domain. The values of the DNS servers are often added when the network is activated because the data can be provided by DHCP or a similar service.

/etc/sysconfig/network-scripts/ directory: Contains scripts to start and stop a network device and a specialized configuration file for each device.

/etc/rc.d/init.d/network file: Initialization script that starts and stops the network.
CAUTION
If the graphical Network Configuration Tool from the Administration, Network menu item of the System menu has ever been run on the system, an /etc/sysconfig/networking/ directory will exist. The files in this directory are only used by the graphical tool and are not referenced by any of the network scripts. If changes are made to these files, they will not be applied to the actual network configuration files used.

Some of the network configuration files, such as the ifup and ifdown scripts in /etc/sysconfig/network-scripts/, do not need to be modified in most cases and should not be modified unless absolutely necessary. This section discusses the network configuration files that may be modified to change the network settings and how to enable the changes.

Listing 2.1 shows an example of an /etc/modprobe.conf file. The first line assigns the e100 kernel module to the eth0 network device. If the network card is supported, the module is automatically configured during installation or by Kudzu the first time the system is booted with the new card. Refer to the chapter "Analyzing Hardware" for more detailed information about how Kudzu works, how to add module parameters to the /etc/modprobe.conf file, or how to change which kernel module is used for each device.

LISTING 2.1 /etc/modprobe.conf

alias eth0 e100
alias scsi_hostadapter sata_sil
alias scsi_hostadapter1 ata_piix

The /etc/sysconfig/network file usually contains the content shown in Listing 2.2. If the NETWORKING option is set to yes, the networking subsystem is enabled but not necessarily started at boot time. The value of the HOSTNAME option is the hostname for the system. If one is not set, the default hostname is localhost. Refer to the file /usr/share/doc/initscripts-<version>/sysconfig.txt for additional options for this file.

LISTING 2.2 /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=smallville
The /etc/hosts file lists IP addresses and the hostnames that should resolve to them, as shown in Listing 2.3. The first entry, 127.0.0.1, is the loopback address and should never be removed. If some hostnames cannot be resolved by the DNS servers, list them with their IP addresses after the loopback entry. For example, if your network only consists of a handful of systems, it might be easier to list them in the /etc/hosts file on each local system than to set up a DNS server on the local network for name resolution.

CAUTION
Be careful when listing hostnames that can be resolved by the DNS servers and that are not under your control. If the IP address of the hostname changes, you will not be able to connect to the host, because with the default hosts: files dns order in /etc/nsswitch.conf any IP address listed in /etc/hosts takes precedence over any IP address resolved through the DNS servers.

LISTING 2.3 /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.0.1 metropolis
192.168.0.2 lois
192.168.0.3 clarkkent

A typical /etc/resolv.conf is shown in Listing 2.4. Each nameserver line represents a DNS server, and the search line specifies domain names to try if only the first part of a hostname is used. For example, if just the name smallville is used as a hostname, smallville.example.com and then smallville.example.org will be tried if the /etc/resolv.conf file in Listing 2.4 is on the system.

LISTING 2.4 /etc/resolv.conf

nameserver 192.168.0.254
nameserver 192.168.10.254
search example.com example.org
In the /etc/sysconfig/network-scripts/ directory, each network device has its own configuration file with the filename ifcfg-<devicename>, such as ifcfg-eth0 for the first Ethernet device.

If the device uses DHCP to retrieve network settings, a typical /etc/sysconfig/network-scripts/ifcfg-eth0 file contains the lines from Listing 2.5. If the device is configured for a static IP address, the interface configuration file looks similar to Listing 2.6.

LISTING 2.5 Ethernet Interface Configuration File for DHCP

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

LISTING 2.6 Ethernet Interface Configuration File for Static IP

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.1.0
NETMASK=255.255.255.0
IPADDR=192.168.1.15
USERCTL=no

If the ONBOOT option is set to yes, the device is activated at boot time using the network initialization script. USERCTL=no prevents non-root users from bringing the device up or down; leave it set to no on servers.

Other device names include lo for the local loopback device, pppX for dialup interfaces, and irlanX for infrared devices, where X is the device number starting with 0. Refer to the file /usr/share/doc/initscripts-<version>/sysconfig.txt for additional options for the files in this directory.
Starting and Stopping the Network

If an Ethernet device is found during installation and configured, the network is configured to start automatically at boot time unless you unchecked the Activate on boot option for the device. To disable it at boot time after installation, use the chkconfig network off command. To enable it at boot time, use the chkconfig network on command.

The /etc/hosts and /etc/resolv.conf files are read each time they are used, so modifications to them take effect immediately. If the hostname is modified in /etc/sysconfig/network, the change does not occur until the next reboot. To immediately change the hostname, execute the command hostname <newhostname> as the root user at a shell prompt, replacing <newhostname> with the new hostname for the system.

If you modify network settings in /etc/sysconfig/network-scripts/, the changes do not take effect until the network is restarted or the individual device is shut down and brought back up. To restart the entire network (the loopback device and all network devices), use the command service network restart as root. To shut an individual device down and bring it back up, as root, execute the command ifdown <devicename> and then ifup <devicename>, where <devicename> is the name of the device such as eth0.

To stop all the network devices, use the service network stop command as root. To start the network, use the command service network start as root.

CAUTION
If administering the system remotely, it is better to use service network restart if you need to restart the network, since stopping the network will prevent you from accessing your system remotely to bring the network back up.
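As an added example, not from the book, the following script applies an interface configuration change on a remotely administered system with a timed rollback: it validates the new ifcfg file, saves the current one, installs the new one, restarts the device with ifdown and ifup, and restores the saved file after ROLLBACK_SECS unless the change is confirmed from a new login. The rollback interval, the confirm_change step and the validation rules (BOOTPROTO must be dhcp, none or static; a static address needs IPADDR and NETMASK) are assumptions of this example.

```sh
#!/bin/sh
# Added example: change an ifcfg-<dev> file without locking yourself out of
# a remote system.  The rollback interval and confirm_change step are
# assumptions of this example, not part of Red Hat's network scripts.

SYSCONFIG_DIR="${SYSCONFIG_DIR:-/etc/sysconfig/network-scripts}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# write_static_ifcfg DEV IPADDR NETMASK [GATEWAY]: print an ifcfg file for a
# static address in the form of Listing 2.6.
write_static_ifcfg() {
  dev=$1; ip=$2; mask=$3; gw=$4
  printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=%s\nNETMASK=%s\nUSERCTL=no\n' \
    "$dev" "$ip" "$mask"
  [ -n "$gw" ] && printf 'GATEWAY=%s\n' "$gw"
  return 0
}

# validate_ifcfg FILE: succeed only if the file is internally consistent, so
# that a typo is caught before the device is restarted.
validate_ifcfg() {
  f=$1
  dev=$(sed -n 's/^DEVICE=//p' "$f")
  proto=$(sed -n 's/^BOOTPROTO=//p' "$f")
  [ -n "$dev" ] || { echo "$f: missing DEVICE" >&2; return 1; }
  case "$proto" in
    dhcp) return 0 ;;
    none|static)
      grep -q '^IPADDR=' "$f" && grep -q '^NETMASK=' "$f" ||
        { echo "$f: static configuration needs IPADDR and NETMASK" >&2; return 1; }
      return 0 ;;
    *) echo "$f: unknown BOOTPROTO '$proto'" >&2; return 1 ;;
  esac
}

# apply_with_rollback DEV NEWFILE: install NEWFILE as ifcfg-DEV and restart
# the device.  A detached timer restores the previous file and restarts the
# device again unless confirm_change DEV runs within ROLLBACK_SECS.
apply_with_rollback() {
  dev=$1; new=$2
  cfg="$SYSCONFIG_DIR/ifcfg-$dev"
  validate_ifcfg "$new" || return 1
  [ -f "$cfg" ] || { echo "no existing $cfg to roll back to" >&2; return 1; }
  cp -p "$cfg" "$cfg.rollback"
  cp "$new" "$cfg"
  ( sleep "$ROLLBACK_SECS"
    if [ -f "$cfg.rollback" ]; then
      mv "$cfg.rollback" "$cfg"
      ifdown "$dev"; ifup "$dev"
    fi ) >/dev/null 2>&1 &
  ifdown "$dev" && ifup "$dev"
}

# confirm_change DEV: run from a fresh login over the new address to cancel
# the pending rollback.
confirm_change() {
  rm -f "$SYSCONFIG_DIR/ifcfg-$1.rollback"
}

# Stand-alone use, as root:
#   write_static_ifcfg eth0 192.168.1.15 255.255.255.0 192.168.1.1 > /tmp/eth0.new
#   apply_with_rollback eth0 /tmp/eth0.new
#   (log in again over the new address, then) confirm_change eth0
```

The timer runs in a background subshell, so it survives the loss of the session that started it; if the new address is wrong, the old file is back and the device restarted after ROLLBACK_SECS without any further access.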
Printer Configuration
One common task not covered by the installation program or the Setup Agent is configuring a printer. Red Hat Enterprise Linux uses the Common UNIX Printing System, also known as CUPS. CUPS uses the Internet Printing Protocol (IPP) to allow local printing and print sharing. The /etc/cups/ directory stores all the configuration files for printing. However, these files can be easily managed with the Printer Configuration Tool in Red Hat Enterprise Linux.
NOTE
If you need to share the printer with other computers on the network, use this section to configure the printer and then refer to the "Creating a Network Printer with CUPS" section of Chapter 19, "Explaining Other Common Network Services," for details.
To start the Printer Configuration Tool, go to the System menu on the top panel and select Administration, Printing or execute the command system-config-printer. If you are not root, you will be prompted for the root password.
If no printers are available for the system, only the Server Settings view is available for selection. If local printers are configured, a Local Printers menu is available.
CUPS is the default printing system used by Red Hat Enterprise Linux, and one of its many advantages is that it uses IPP to broadcast shared printers on the network so that other systems can browse for them, select one as the default printer, and print to it without any further configuration. If any printers are broadcast on your network, they will appear in a Remote Printers menu. Figure 2.11 shows a system with both local and remote printers. If a list isn't already expanded, click on the triangle icon to the left of it.
TIP
The log files for the CUPS printing system are located in the /var/log/cups/ directory. Refer to this directory for access and error logs.
Adding a Printer
If the printer you want to connect to is in the list of remote printers, select it from the list, click Make Default Printer from the Settings tab, and click Apply. The selected printer becomes the default printer for the system, and all print jobs are sent to it by default.
FIGURE 2.11 Local and Remote Printer Lists
If the printer you want to connect to is not already listed (such as a locally connected printer), click New Printer on the toolbar. In the dialog window that appears (see Figure 2.12), accept the default queue name or change it to a short, descriptive name that begins with a letter and does not contain spaces. Optionally, give the print queue a short description and location.
FIGURE 2.12 Entering a Queue Name
In the next window as shown in Figure 2.13, select the connection type.
FIGURE 2.13 Selecting a Connection Type
The connection types listed vary per system because the port types vary from system to system. Some systems might have a USB port but not a parallel port. Some systems might have the opposite: a parallel port but no USB port for a printer to connect to. Other than local ports, the Printer Configuration Tool can be used to add the following types of remote printers (all networked printers must allow the system to connect to them via port 631, and all systems trying to connect to a shared printer must be allowed to send and accept connections on port 631):
AppSocket/HP JetDirect: Printer available on the network using HP JetDirect. Provide the hostname as a fully qualified domain name or an IP address of the printer along with the port used to connect to it (default port is 9100).
Internet Printing Protocol (ipp): Printer available on the network using the Internet Printing Protocol (IPP) such as one shared by another Red Hat Enterprise Linux system. Provide the hostname as a fully qualified domain name or an IP address. Also provide the printer name as defined on the print server.
LPD/LPR Host or Printer: Printer available on the network using LPD. Older versions of Linux used LPD. Provide the hostname as a fully qualified domain name or an IP address. Also provide the printer name as defined on the print server.
Windows Printer via SAMBA: Printer available on the network using Samba (SMB) such as a printer connected to and shared by a Microsoft Windows computer. The network is scanned for Samba shares, and any Samba-shared printers can be found in the list. Click the triangle beside each workgroup or computer name in the list to expand the list. Select the printer or enter its hostname and printer name in the field starting with smb://. If a username and password are required for authentication, supply them as well.
After selecting the connection type and possibly providing additional information for the connection, click Forward to select the manufacturer for the printer. Click Forward again to select the model and driver as shown in Figure 2.14. The comment buttons on the bottom left side of the window toggle whether the printer, driver, and PPD comments are displayed on the right side of the window. The printer comments contain any additional information about the selected printer. The driver comments are notes about the driver selected. If the printer is a PostScript printer, a PPD, or PostScript Printer Description file, describes the features available on the printer and is used as the driver for the printer. The PPD comments show any comments about the PPD file for the selected print driver.
FIGURE 2.14 Selecting a Printer Model and Driver
To finish, click Forward and click Apply to confirm the printer creation. The main window for the Printer Configuration Tool should now show the new printer in the list. The printer is now ready to accept print jobs. Select it from the list to set advanced options shown in Figure 2.15 such as the default page size, toner density, and whether or not to use a starting or ending banner for each print job.
To print a test page to verify that the printer is configured properly, select the printer from the list on the left, and click Print Test Page on the Settings tab.
Adding a Printer Class
A printer class is a group of printers available to the system. The group can consist of both local and remote printers. If a printer class is set as the default printer or is selected as the print queue when printing, the first available printer in the class is sent the print job. One major advantage of using a printer class instead of an individual printer is not having to set a new default printer if the default printer goes offline because of failure or maintenance. It also saves users time by preventing them from sending a print job to a printer already in heavy use. Instead, their print job is sent to a printer that can process it faster.
FIGURE 2.15 Advanced Printer Options
To configure a printer class, click New Class on the toolbar. Give the printer class a unique name, an optional description, and an optional location. After clicking Forward, move one or more configured printers from the Others list to the Members of this Class list as demonstrated in Figure 2.16. Click Forward to continue.
FIGURE 2.16 Selecting Printers for the Class
Click Apply to confirm the class creation. The new printer class appears on the main window under the Printer Class category (as shown in Figure 2.17).
FIGURE 2.17 Printer Class Added
The advanced settings for the printer class are similar to those for an individual printer. You can enable sharing for it, make it the default printer (where the first available from the group is given the print job), and limit the usage to specific users.
Setting the Default Printer
If more than one printer is available to the system, a default must be set so applications know where to send the print job. To set the default printer, select it from the list, and click Make Default Printer on the Settings tab for the printer. Click Apply to save the changes.
Administering Remotely
The Printer Configuration Tool in Red Hat Enterprise Linux allows the administrator to connect to a remote CUPS server using the local graphical application. This is useful for a variety of reasons, including allowing an administrator to quickly configure printers on multiple machines at one time from one workstation and allowing an administrator to configure a printer graphically on a server without the graphical desktop installed.
Remote administration is not enabled by default. To enable it on the print server, start the Printer Configuration Tool with the system-config-printer command on the print server, and perform the following steps:
Select Server Settings.
Select Allow remote administration.
Click Apply.
If the print server does not have the software necessary to run the graphical Printer Configuration Tool, the /etc/cups/cupsd.conf file can be edited directly. Make a backup copy of the file before editing it. Remove the lines from Listing 2.7, and add the lines from Listing 2.8. Also modify the Allow lines in the Location sections to read Allow @LOCAL instead of Allow localhost as shown in Listing 2.9. To apply the changes, restart the CUPS service with the service cups restart command as root.
LISTING 2.7 Remove to Allow Remote Administration
# Only listen for connections from the local machine.
Listen localhost:631
LISTING 2.8 Add to Allow Remote Administration
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
LISTING 2.9 Modify to Allow Remote Administration
<Location />
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Encryption Required
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow @LOCAL
</Location>
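An added example, not from the book, that reads a cupsd.conf and reports whether the /admin interface is reachable from the network and whether the Encryption Required line of Listing 2.9 still protects it; the sample configurations and the temporary directory it writes them to are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): audit a cupsd.conf for the remote
# administration settings in Listings 2.7 to 2.9. Every file path and
# sample configuration here is constructed for the example.

# Directives of a config file with comments and blank lines removed.
cups_directives() {
    sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$' || true
}

# Directives inside <Location /admin> only (the /admin/conf block is skipped).
cups_admin_block() {
    cups_directives "$1" | awk '
        tolower($0) ~ /^[ \t]*<location[ \t]+\/admin[ \t]*>/ { inblk = 1; next }
        tolower($0) ~ /^[ \t]*<\/location/                    { inblk = 0 }
        inblk                                                  { print }'
}

# Prints one word describing how exposed the CUPS admin interface is:
#   local-only        daemon listens on localhost or a Unix socket only
#   admin-local-only  daemon reachable remotely, /admin allows only localhost
#   remote-encrypted  /admin reachable remotely and "Encryption Required" set
#   remote-cleartext  /admin reachable remotely with no encryption requirement
cups_remote_admin_status() {
    conf="$1"
    # A "Port" line, or a "Listen" on anything but loopback or a socket path,
    # accepts connections from the network (Listing 2.8 adds "Port 631").
    if ! cups_directives "$conf" | awk '
        tolower($1) == "port" { found = 1 }
        tolower($1) == "listen" && $2 !~ /^\// &&
            $2 !~ /^(localhost|127\.0\.0\.1)(:[0-9]+)?$/ { found = 1 }
        END { exit found ? 0 : 1 }'; then
        echo local-only
        return 0
    fi
    admin=$(cups_admin_block "$conf")
    # "Allow localhost" keeps /admin local; "Allow @LOCAL" (Listing 2.9) or
    # any other host spec opens it to the network ("Allow from X" is the same).
    if ! printf '%s\n' "$admin" | awk '
        tolower($1) == "allow" && tolower($NF) != "localhost" &&
            $NF != "127.0.0.1" { found = 1 }
        END { exit found ? 0 : 1 }'; then
        echo admin-local-only
        return 0
    fi
    if printf '%s\n' "$admin" | grep -qiE '^[[:space:]]*encryption[[:space:]]+required'; then
        echo remote-encrypted
    else
        echo remote-cleartext
    fi
}

CUPS_SAMPLES=$(mktemp -d)

# Constructed sample 1: the stock localhost-only configuration of Listing 2.7.
cat > "$CUPS_SAMPLES/local.conf" <<'EOF'
# Only listen for connections from the local machine.
Listen localhost:631
Listen /var/run/cups/cups.sock
<Location /admin>
  Encryption Required
  Order allow,deny
  Allow localhost
</Location>
EOF

# Constructed sample 2: remote administration enabled as in Listings 2.8/2.9.
cat > "$CUPS_SAMPLES/remote.conf" <<'EOF'
Port 631
Listen /var/run/cups/cups.sock
<Location />
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Encryption Required
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow @LOCAL
</Location>
EOF

# Constructed sample 3: remote administration with the encryption line dropped.
sed '/Encryption Required/d' "$CUPS_SAMPLES/remote.conf" > "$CUPS_SAMPLES/cleartext.conf"

for f in local remote cleartext; do
    printf '%-10s %s\n' "$f:" "$(cups_remote_admin_status "$CUPS_SAMPLES/$f.conf")"
done
```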
After enabling remote administration on the print server, start the Printer Configuration Tool on a different system and click Goto Server on the toolbar. In the dialog shown in Figure 2.18, enter the hostname or IP address of the CUPS server and the username to use for authentication. The default username is root, which will work for most cases.
FIGURE 2.18 Connect to Remote Server
Enter the root password when prompted. After successful authentication, the printers and printer classes displayed are for the remote server. The title of the window also changes to reflect the IP address or hostname of the print server being managed.
Adding Boot Parameters
To boot a computer into an operating system, a boot loader is needed. When the computer is booted, the boot loader starts the kernel that then starts the rest of the operating system. Different architectures use different boot loaders as shown in Table 2.1.
TABLE 2.1 Boot Loaders for Each Architecture
Architecture                      Boot Loader   Boot Loader Configuration File
x86                               GRUB          /etc/grub.conf
AMD AMD64                         GRUB          /etc/grub.conf
Intel Itanium                     ELILO         /boot/efi/EFI/redhat/elilo.conf
IBM eServer iSeries (pre-POWER5)  OS/400        /boot/vmlinitrd-<kernel-version>
IBM eServer iSeries (POWER5)      YABOOT        /etc/yaboot.conf
IBM eServer System z              z/IPL         /etc/zipl.conf
Sometimes, boot parameters are needed for a system to boot or run properly. For example:
noht: Disable Hyper-Threading
noapic: Disable Advanced Programmable Interrupt Controller (APIC) available on select motherboards
acpi=off: Disable Advanced Configuration and Power Interface (ACPI)
GRUB
For x86, x86_64, and AMD64 systems, the GRUB boot loader configuration file is /etc/grub.conf. Each installed kernel contains a title section, which includes a line that begins with kernel. Add boot parameters to the end of the kernel line. Listing 2.10 shows the noht parameter added.
LISTING 2.10 GRUB Configuration File
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.16-1.2096)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.16-1.2096 ro root=LABEL=/ rhgb quiet noht
        initrd /boot/initrd-2.6.16-1.2096.img
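An added example, not from the book: a shell function that appends a boot parameter such as noht to every kernel line of a grub.conf-style file without duplicating it on entries that already have it, keeping a backup first. The sample configuration and its second kernel entry (2.6.16-1.2080) are constructed for the example; nothing touches the real /etc/grub.conf.

```shell
#!/bin/sh
# Added example (not from the book): add a boot parameter to every "kernel"
# line in a GRUB configuration such as /etc/grub.conf. The sample file and
# its second kernel entry are constructed here; /etc/grub.conf is untouched.

# Print CONF with PARAM appended to each kernel line that does not already
# carry it, so applying the function twice changes nothing.
grub_add_param() {
    param="$1"
    conf="$2"
    awk -v p="$param" '
        $1 == "kernel" {
            have = 0
            for (i = 2; i <= NF; i++) if ($i == p) have = 1
            if (!have) $0 = $0 " " p
        }
        { print }' "$conf"
}

# Print the boot parameters of the kernel line in entry N (0-based, the same
# numbering "default=N" uses) as one space-separated line.
grub_entry_params() {
    n="$1"
    conf="$2"
    awk -v want="$n" '
        $1 == "title" { idx++ }
        $1 == "kernel" && idx - 1 == want {
            out = $3
            for (i = 4; i <= NF; i++) out = out " " $i
            print out
        }' "$conf"
}

# Rewrite CONF in place after saving a timestamped backup, as the book
# recommends before editing a boot loader file.
grub_add_param_inplace() {
    param="$1"
    conf="$2"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    grub_add_param "$param" "$conf" > "$conf.new"
    mv "$conf.new" "$conf"
}

# Constructed sample: Listing 2.10 without noht, plus a second, older entry
# that already carries it.
GRUB_SAMPLE=$(mktemp)
cat > "$GRUB_SAMPLE" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.16-1.2096)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.16-1.2096 ro root=LABEL=/ rhgb quiet
        initrd /boot/initrd-2.6.16-1.2096.img
title Red Hat Enterprise Linux (2.6.16-1.2080)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.16-1.2080 ro root=LABEL=/ rhgb quiet noht
        initrd /boot/initrd-2.6.16-1.2080.img
EOF

grub_add_param_inplace noht "$GRUB_SAMPLE"
echo "entry 0: $(grub_entry_params 0 "$GRUB_SAMPLE")"
echo "entry 1: $(grub_entry_params 1 "$GRUB_SAMPLE")"
```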
ELILO
In the /boot/efi/EFI/redhat/elilo.conf file on an Itanium system, the boot parameters are added to the end of the append line. Listing 2.11 shows the 3 parameter added to boot the system into runlevel 3.
LISTING 2.11 ELILO Configuration File
prompt
timeout=20
default=linux
relocatable

image=vmlinuz-2.6.9-34.EL
        label=linux
        initrd=initrd-2.6.9-34.EL.img
        read-only
        append="rhgb quiet root=LABEL=/ 3"
OS/400
For pre-POWER5 iSeries systems, the /boot/vmlinitrd-<kernel-version> file is installed with each kernel. To add boot parameters, determine the default side with the cat /proc/iSeries/mf/side command, and then execute the following command where <options> are the boot parameter options to add (command divided into two lines with the \ character for readability):
dd if=/boot/vmlinitrd-<kernel-version> \
  of=/proc/iSeries/mf/<side>/vmlinux bs=8k <options>
YABOOT
The YABOOT configuration file /etc/yaboot.conf contains an image section for each installed kernel. The boot parameters are added to the end of the append line. Listing 2.12 shows the 3 parameter added.
LISTING 2.12 YABOOT Configuration File
boot=/dev/sda1
init-message=Welcome to Red Hat Enterprise Linux!
Hit <TAB> for boot options
partition=2
timeout=30
install=/usr/lib/yaboot/yaboot
delay=10
nonvram
image=/vmlinux--2.6.9-5.EL
        label=linux
        read-only
        initrd=/initrd--2.6.9-5.EL.img
        append="root=LABEL=/ 3"
z/IPL
The z/IPL configuration file /etc/zipl.conf contains a section for each installed kernel. The boot parameters are added to the end of the parameters line. Listing 2.13 shows the 3 parameter added.
LISTING 2.13 z/IPL Configuration File
[defaultboot]
default=linux
target=/boot/
[linux]
        image=/boot/vmlinuz-2.6.9-5.EL
        ramdisk=/boot/initrd-2.6.9-5.EL.img
        parameters="root=LABEL=/ 3"
After making changes to the /etc/zipl.conf file, you must execute the /sbin/zipl command to enable the changes.
Summary
After installation, the Setup Agent guides you through the configuration and customization of the system. A few of the crucial tasks include determining a security level, deciding whether to enable SELinux, and activating your Red Hat Network account so you can receive software updates. After logging in for the first time, tweak the network configuration if necessary. If you need to print from the system, configure a printer using the Printer Configuration Tool. Verify the proper kernel was installed and customize if necessary, and, finally, add boot parameters if needed.
IN THIS CHAPTER
Navigating Through the RHN Website
Assigning Users for the RHN Website
Subscribing to RHN Channels
Performing Actions on Individual Systems from the RHN Website
Using System Groups on the RHN Website
Retrieving Software from RHN with YUM
CHAPTER 3
Operating System Updates
This chapter focuses on software updates and software installation. Two methods are discussed to download and install or update software from Red Hat Network servers: the Red Hat Network website and YUM (both the command-line utility and two graphical programs).
Chapter 2, "Post-Installation Configuration," guided you through the Setup Agent, including registering your Red Hat Enterprise Linux system with Red Hat Network (RHN). Every Red Hat Enterprise Linux subscription includes access to the Red Hat Network Update module for software updates.
If you did not register your system with RHN during the Setup Agent, go to https://www.redhat.com/apps/activate/ to activate your subscription if it hasn't already been activated. Then, run the rhn_register command on the system. If you aren't logged in as the root user, you will be prompted for the root password before continuing. If you have more than one system to register, be sure you use the same login (the one associated with your RHN entitlements) to register all of them. The systems cannot be managed, provisioned, or monitored together as a group if a different login is used for each one. Additional logins can be created for the organization and allowed access to specific systems or system groups.
To receive updates via RHN, each registered system must be entitled to a valid subscription. Each Red Hat Enterprise Linux subscription includes an RHN entitlement. If the login used has available entitlements, the system is automatically entitled when it is registered. If there are no available entitlements associated with the account when a system is registered, you must purchase an additional entitlement for the system and associate it with the newly registered system before receiving updates.
NOTE
Go to http://rhn.redhat.com/ for details on each RHN module and to read more comprehensive documentation on all of their features.
Navigating Through the RHN Website
After registering the system with RHN, go to https://rhn.redhat.com/ and log in. After you log in, the main RHN page appears.
NOTE
The RHN website is constantly updated and modified based on user feedback and to improve its usability. The instructions in this chapter for the RHN website might differ from the current layout of the website.
After logging in to the RHN website, you will see two menus: a vertical menu and a horizontal menu. The vertical menu changes depending on which view is selected from the horizontal menu.
The views available from the horizontal menu include:
Your RHN: Link to return to the main RHN page.
Systems: List of systems and system groups, including whether updates are needed. Access to the System Set Manager for scheduling errata, installing or removing packages, managing groups, and assigning channels.
Errata: View of all errata or a customized list of errata relevant to your registered systems.
Channels: Index of software channels (one base channel per Red Hat Enterprise Linux release and child channels for software add-ons such as Red Hat Global File System), packages in each channel, and how many registered systems are associated with each channel. Every system must be associated with a base channel and can be associated with one or more child channels, from which the software updates are retrieved. The Channels view also provides access to download ISO images, which can be used to create installation CDs of the software.
Schedule: Table of scheduled actions that have not yet taken place, actions that failed to complete, actions that have been completed, and actions that have been archived.
Users: List of users for the organization and their roles. Each user's roles determine which RHN actions they are allowed to perform. (Only Organization Administrators can see this link as explained in the following section "Assigning Users for the RHN Website.")
Help: Access to online documentation including a quick start guide, FAQs, reference guide, and best practices guide.
The following views are available from the vertical menu when Your RHN is the view selected from the horizontal menu:
Your RHN: The most crucial information about the systems registered with RHN such as the systems with the most software updates available and the most relevant security errata issued.
Your Account: Form to change the personal information associated with the account such as the password and email address.
Your Preferences: Options for the user to elect whether or not to receive email notifications and customize how data is displayed.
Locale Preferences: Options to select time zone and language preference.
Subscription Management: Interface for renewing, purchasing, and managing Red Hat Enterprise Linux subscriptions as well as applying RHN entitlements to registered systems if necessary.
Assigning Users for the RHN Website
Most organizations have more than one administrator, with each administrator being responsible for specific systems. RHN also allows more than one user to view and manage each system. Each user is assigned one or more roles. Some roles might not be available, depending on which RHN modules you have subscribed to. More than one user can exist for each role. The possible user roles are as follows:
User: Also referred to as a System Group User. Default user role with access to any global channels to which anyone can subscribe. Can be given access to system groups and software channels.
Activation Key Administrator: Allowed to create, modify, and delete activation keys for the organization.
Configuration Administrator: Allowed to manage system configurations for the organization using the RHN website or the Red Hat Network Configuration Manager. Must be subscribed to the Provisioning Module for this user role to exist.
Monitoring Administrator: Only available for the RHN Satellite Server Monitoring module. Allowed to schedule probes and manage the monitoring functionality.
Organization Administrator: Highest level of user roles. Can perform any action from the other user roles. A login with this user role should be used to register systems so the OrgAdmin can create additional users for the organization.
Only Organization Administrators (OrgAdmins) see the Users link in the horizontal menu, and only OrgAdmins can add or disable users. Click Users in the horizontal menu to view a list of active users.
Click the create new user link in the upper-right corner of the page to create new users. After a user has been created, click on the username from the list of active users to assign roles and grant users access to systems and system groups.
Subscribing to RHN Channels
When a system is registered with RHN, software and hardware information is gathered so that relevant errata updates can be determined for it. The software information includes the Red Hat Enterprise Linux release and the system architecture. From this data, the system is associated with a base channel such as Red Hat Enterprise Linux (v. 5 for 32-bit x86). Each base channel contains all the latest software, including software updates, for the release version and architecture. A base channel can have child channels associated with it. A child channel contains software that can be installed on any system with the OS release and architecture from the base channel.
A system can only be associated with one base channel, but it can be subscribed to one or more child channels. By using the RHN website or YUM, systems can only receive updates or package installations from channels to which they are subscribed. For example, a system subscribed to the Red Hat Enterprise Linux (v. 5 for 32-bit x86) base channel can also be subscribed to the RHEL Virtualization (v. 5 for 32-bit x86) child channel.
Channel subscriptions for systems are managed through the RHN website. To subscribe a system to one or more child channels or change the parent channel, log in to the RHN website at rhn.redhat.com, and select Systems from the horizontal menu. Click on the name of the system to show a more detailed view of it. Under the Subscribed Channels header, click Alter Channel Subscriptions. All child channels available for subscription are shown. Select which ones to subscribe to, and click Change Subscriptions. To change the parent channel, select a new channel from the pull-down menu, and click Modify Base Channel.
Performing Actions on Individual Systems from the RHN Website
To perform an action on an individual system using the RHN website, log in, and click Systems on the horizontal menu. From the individual system view, many actions can be performed including the following:
Update software
Install software
Modify channel subscription
Edit system properties such as entitlement and description
View pending actions for the system
For example, using the RHN website, an administrator can quickly view a list of updates for a specific system registered with RHN and apply one or more of these updates to an individual system. After selecting Systems from the horizontal menu, another horizontal menu appears on the page under the name of the system. Click Software from the secondary horizontal menu. Then, click on the Errata menu item that appears below that to view a list of relevant errata. Select the errata you want to apply (there might be more than one page of errata), and click Apply Errata. Review the errata updates selected. To add the errata update action to the list of pending actions for the system, click Confirm.
On the confirmation page, notice that three times are shown: the last system check-in time, the current RHN time, and the expected next check-in time. When actions are performed using the RHN website, they are actually scheduled to happen the next time the system checks in with RHN. A system registered with RHN should have the RHN daemon (rhnsd) running on it. The daemon periodically connects to the RHN servers and asks whether any actions have been scheduled for it. Having the system contact the RHN servers for actions prevents a non-RHN server from trying to contact your system and masquerade as a real RHN server. To determine whether the RHN daemon is running, execute the service rhnsd status command. If it is not running, start it with the service rhnsd start command as the root user. To make sure it is started every time the system boots, execute the chkconfig rhnsd on command as the root user.
TIP
If you want to apply all available errata to a system, there is a quicker way. Click Systems on the horizontal menu, click on the name of the system, and click the update now link. A list of all errata available for the selected system is shown. Click Confirm to apply them all. The next time the system checks in with the RHN daemon, all relevant errata will be applied to the system. The update now link is only shown when updates are available.
To install new software on an individual system, from the individual system view, click the Software link in the secondary horizontal menu under the system name. Click the Install New Packages option from the list of actions. Select one or more packages to be installed. The list can be filtered by name, or you can skip to packages that begin with a specific letter. After selecting all the packages to be installed, click Install Selected Packages. Finally, click Confirm to schedule the installation action.
Using System Groups on the RHN Website
Systems can be grouped for two main reasons: to allow actions to be performed on the group as a whole, and to grant users access to the systems within a defined group instead of having to grant them access to individual systems. This section describes how to perform these two actions as well as how to perform actions on a system group.
Performing Actions on a System Group
It is also possible to perform actions such as software updates and package installation on multiple systems at the same time, either using a defined system group or selecting certain systems from the system list and performing a one-time action using the System Set Manager (SSM).
First, select which systems to update with one of the following methods:
Select specific systems for one-time use: Select Systems from the horizontal menu. Select the systems you want to work with using the check boxes in the first column of the list, and click Update List. After the update list action is finished, the page view does not change. Click System Set Manager from the vertical menu to perform a one-time action on these selected systems.
Use a predefined system group: To create a system group that can be used repeatedly, select Systems from the horizontal menu, and then select System Groups from the vertical menu. Click the create new group link in the upper-left corner of the page. To perform an action on a system group, select Systems from the horizontal menu, System Groups from the vertical menu, and then click Use Group under the Use in SSM column for the desired system group.
From the System Set Manager, the following actions can be performed:
List the systems you have selected to work with
Schedule software updates (errata) relevant to selected systems
Upgrade, install, remove, and verify packages
Create and manage groups
Manage software channels
Provision systems (requires subscription to RHN Provisioning Module)
Update hardware and software profiles
Add and remove additional RHN entitlements
Delete systems from RHN profile
Reboot selected systems
For example, to apply software updates, click the Schedule errata updates link. A list of errata that can be applied to one or more systems from those you just selected or the system group selected is shown. Select the errata to apply (there might be multiple pages of errata), and click Apply Errata. On the next page, make sure all the errata you want to apply are listed. Select to either schedule the action as soon as possible or schedule it for no longer than a specific time. Finally, click Schedule Updates to finish.
TIP
To check on the status of the action, click the Schedule link in the horizontal menu.
To install software via the RHN website on a set of systems, select Install from the list of System Set Manager actions. If the selected systems or the system group have more than one parent channel, select the channel containing the software to be installed. Select the software packages to install from the list. Use the quick alphabet letter links to skip to packages that begin with that letter or use the Filter by Name feature to narrow down the list of packages displayed. After selecting all the packages to install, click Install Packages. Verify the packages to be installed and the system on which to install them. Select a time to install the packages: as soon as possible or no longer than a specific time. Click Schedule Updates to complete the action. Alternatively, if you click Run Remote Command, you can schedule a custom script to run before or after the package update if Remote Command execution is enabled on the system. Use extreme caution when using this feature, especially if executing the script as the root user.
NOTE
Administrators can only schedule software to be installed from a base or child channel to which the system is subscribed.
Granting Users Access to Specific Systems
To add users to your RHN account, follow the instructions in the "Assigning Users for the RHN Website" section earlier in this chapter. Next, create system groups as described earlier in this section based on the administrative groups for your organization. For example, if one set of administrators is responsible for all web servers and another team manages all internal servers, you might want to create a system group of web servers and a system group of internal servers.
Select Systems from the horizontal menu, and then select System Groups from the vertical menu to view a list of all defined system groups. For each system group, use the following steps to assign which RHN users can perform actions on them via the RHN website:
Click on the name of the system group to show the detailed view of it.
Click the Edit group administrators link in the Admins section.
Select the desired RHN users.
Click Update.
Retrieving Software from RHN with YUM
Although software maintenance for systems can be done via the RHN website, sometimes it is necessary or preferred to perform the same actions from the local system needing the updates or additional software. Previous versions of Red Hat Enterprise Linux used the Update Agent (up2date) program to download and install software from RHN. The Update Agent could be run from the command line or as a graphical program. As of Red Hat Enterprise Linux 5, the YUM utility has replaced the Update Agent. YUM can install or upgrade software by using either the command-line version (executed with the yum command) or one of two graphical programs:
Pirut: For adding and removing software.
Pup: Package updater that only shows software updates available from RHN.
Before you can use YUM to install or upgrade software, remember you must set it up to connect to RHN. Either register the system with RHN directly after installation with the Setup Agent (as described in Chapter 2) or at any time by executing the rhn_register command. Root access is required, so you will be prompted for the root password if you run the program as a non-root user.
The following sections explain what YUM is, how to use the yum command-line utility, and how to use the two graphical interfaces to YUM included with Red Hat Enterprise Linux.
NOTE
Although the RHN website might differ from the instructions in this chapter, the YUM utility should be the same as the one described in this chapter.
What Is YUM?
YUM sIands or Yellow Jo UpJater, MoJjeJ because iI is based on YUF, Ihe Yellow Jo
UpJater. Where does Ihe name Yellow Jo come rom7 Yellow Dog is a version o Linux or
Ihe Fower ArchiIecIure hardware and is RFM-based, jusI like Red HaI EnIerprise Linux and
Eedora. YUF, and laIer YUM, were wriIIen by Ihe Linux communiIy as a way Io mainIain
an RFM-based sysIem. Eedora Core can be updaIed wiIh Ihe YUM uIiliIy, and, now Red
HaI EnIerprise Linux can be as well sIarIing wiIh Red HaI EnIerprise Linux S.
Some of the advantages of YUM include
Automatic resolution of software dependencies. If a package installation or upgrade request is made and requires the installation or upgrade of additional packages, YUM can list these dependencies and prompt the user to install or upgrade them as long as they are in a repository YUM is configured to use.
Command-line and graphical versions. The command-line version can be run on a system with a minimal number of software packages. It also allows administrators to write scripts to automate software maintenance actions, which can be scheduled at times convenient for everyone. The graphical versions offer ease-of-use and a user-friendly graphical interface to software management.
Multiple software locations at one time. YUM can be configured to look for software packages in more than one location at a time. The user doesn't have to remember to provide a location each time he performs an action. Software dependencies can sometimes be resolved even if the additional packages are not in the same location as the requested package.
Ability to specify particular software versions or architectures. Software locations accessible by YUM can contain multiple versions of the same RPM package and different builds for different architectures such as one for i686 and one for x86_64. When performing software management actions, optionally, a certain version or build for a certain architecture can be requested.
YUM downloads software from repositories located over the network, either on the local network or over the Internet. The files, including the RPM package files, in these repositories are organized in a specific way so that they can be found by the YUM client.
For Red Hat Enterprise Linux, the repository is Red Hat Network. After registering the system with RHN, the system is configured to use the RHN repository, so no further configuration is required.
Because the RPM database has to be manipulated and most packages require files to be installed in locations only available to root, most of the yum commands must be run as the root user.
Managing Software with YUM
This section discusses common actions performed with YUM, using both the command line and graphical versions.
The first time YUM is run as the root user to connect to the RHN repository, whether it is run from the command line or a graphical application, the package headers are downloaded and stored in cache. On all subsequent connections to RHN, only changes to package headers are downloaded to cache.
Installing Software
Installing a software package is pretty straightforward:
yum install <pkgname>
Replace <pkgname> with the name of one or more packages. If more than one package is given, separate them with spaces. If just the package name such as nfs-utils is given, the latest version of the package build for the architecture of the system is installed. To specify a particular version of a package:
yum install <pkgname>-<version>
To specify a particular architecture for the package to be installed:
yum install <pkgname>.arch
These can even be combined. For example, the following installs version 2.3.4-1 of the example package for the x86_64 architecture:
yum install example-2.3.4-1.x86_64
TIP
The -y option can be used with yum to assume the answer yes to any questions asked, such as whether to install package dependencies. For example:
yum -y install httpd
When a yum command is executed, the progress of the transaction is displayed so that you can watch the progress. Listing 3.1 shows the progress of the command yum -y install httpd. As you can see, it finds the httpd package, downloads the header for it, determines its software dependencies, lists the packages to be installed, and finally installs them. Before completing and returning to the command prompt, it lists the packages installed, the additional packages installed to resolve dependencies, and that the transaction is complete.
LISTING 3.1 Example YUM Transaction
Loading "installonlyn" plugin
Loading "rhnplugin" plugin
Setting up Install Process
Setting up repositories
rhel-x86_64-server-5      100% |=========================|  950 B    00:00
Reading repository metadata in from local files
primary.xml.gz            100% |=========================| 634 kB    00:01
################################################## 2088/2088
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for httpd to pack into transaction set.
httpd-2.2.3-5.el5.x86_64.rp 100% |=========================|  53 kB    00:00
---> Package httpd.x86_64 0:2.2.3-5.el5 set to be updated
--> Running transaction check
--> Processing Dependency: libapr-1.so.0 for package: httpd
--> Processing Dependency: libaprutil-1.so.0 for package: httpd
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for apr to pack into transaction set.
apr-1.2.7-10.x86_64.rpm   100% |=========================|  10 kB    00:00
---> Package apr.x86_64 0:1.2.7-10 set to be updated
---> Downloading header for apr-util to pack into transaction set.
apr-util-1.2.7-3.x86_64.rpm 100% |=========================| 7.2 kB    00:00
---> Package apr-util.x86_64 0:1.2.7-3 set to be updated
--> Running transaction check
--> Processing Dependency: libpq.so.4 for package: apr-util
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for postgresql-libs to pack into transaction set.
postgresql-libs-8.1.4-1.1 100% |=========================|  15 kB    00:00
---> Package postgresql-libs.x86_64 0:8.1.4-1.1 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
 Package              Arch      Version        Repository              Size
=============================================================================
Installing:
 httpd                x86_64    2.2.3-5.el5    rhel-x86_64-server-5    1.1 M
Installing for dependencies:
 apr                  x86_64    1.2.7-10       rhel-x86_64-server-5    123 k
 apr-util             x86_64    1.2.7-3        rhel-x86_64-server-5     75 k
 postgresql-libs      x86_64    8.1.4-1.1      rhel-x86_64-server-5    195 k
Transaction Summary
=============================================================================
Install      4 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 1.4 M
Downloading Packages:
(1/4): postgresql-libs-8. 100% |=========================| 195 kB    00:00
(2/4): apr-1.2.7-10.x86_64. 100% |=========================| 123 kB    00:00
(3/4): httpd-2.2.3-5.el5. 100% |=========================| 1.1 MB    00:02
(4/4): apr-util-1.2.7-3.1 100% |=========================|  75 kB    00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: apr                  ######################### [1/4]
  Installing: postgresql-libs      ######################### [2/4]
  Installing: apr-util             ######################### [3/4]
  Installing: httpd                ######################### [4/4]
Installed: httpd.x86_64 0:2.2.3-5.el5
Dependency Installed: apr.x86_64 0:1.2.7-10 apr-util.x86_64 0:1.2.7-3 postgresql-libs.x86_64 0:8.1.4-1.1
Complete!
To install RPM packages using a graphical program, select Add/Remove Software from the Applications menu on the top panel of the desktop. If you are not the root user, you are prompted to enter the root password before continuing. Figure 3.1 shows the interface. The Package Manager program can also be started by executing the pirut command. This application is provided by the pirut RPM package, which is installed on a Red Hat Enterprise Linux system by default.
FIGURE 3.1 Installing Software
The application consists of three tabs, which provide different functions:
Browse: Browse packages by software sets. This is the same interface used during installation.
Search: Search for a package by its name. Filter results by already installed packages or available packages.
List: List all packages in the RHN channels to which the system is subscribed, list all installed packages, or list all packages available for installation on the system. Packages with a check mark beside them are already installed or are packages selected for installation.
To install a package with the Package Manager, use one of the three tabs to find the package to install, and click the check box beside it so that a check mark appears in it. For example, on the Search tab, select the Available packages option, enter a package name to find, and click Search. To view a brief description of a package found, select it from the list, and click the triangle icon beside Package Details as shown in Figure 3.2.
FIGURE 3.2 Viewing Package Details
After selecting which packages to install, click Apply. A dialog appears to confirm which package to install. Click Continue. If additional packages need to be installed to resolve dependencies, the dialog displays the dependencies added. Click Continue to accept the installation of these packages as well. A progress bar shows the status of the installation, and a completion message is shown when finished.
Updating Software
There are several ways to determine whether software updates are available for your Red Hat Enterprise Linux system:
Log in to the RHN website and view the errata list for the system as described earlier in this chapter.
Receive email notifications from RHN if you elected to receive them.
See the RHN applet (puplet) appear.
Use the yum check-update command.
Use the Software Updater (pup).
When executed, the yum check-update command queries the RHN repository and checks for any software updates for the RPM packages currently installed. If any are found, they are listed in alphabetical order along with the package versions available for updating.
Updating an already installed package via the command line is similar to installing:
yum update <pkgname>
As with yum install <pkgname>, you can replace <pkgname> with just the name, name and version, name and architecture, or name, version, and architecture combination. Examples include the following:
yum update example-2.3.4-1
yum update example-2.3.4-1.i686
TIP
If the yum update command is executed without specifying a package, all software updates for all installed packages are downloaded and installed.
If you prefer a graphical application, select System Tools, Software Updater from the Applications menu on the top panel of the desktop. The pup command can also be executed to start the program. After entering the correct root password if logged in as a non-root user, the interface is displayed as in Figure 3.3.
FIGURE 3.3 Viewing Software Updates
As you can see, the interface is simple and easy to use. The program contacts RHN and displays a list of packages that have updates available for it. By default, all available software updates are selected as indicated by the check marks beside them. Unselect any updates you don't want to apply, and click Apply updates to update all the selected software packages.
Removing Software
To remove one or more RPM packages from a system, use the following command as the root user:
yum remove <pkgname>
As with the install and update commands, <pkgname> can be one package name or multiple package names separated by spaces. Package versions and architectures can be specified as in the following examples:
yum remove example-2.3.4-1
yum remove example-2.3.4-1.i686
Packages can be removed with the rpm -e <pkgname> command as discussed later in Chapter 5, "Working with RPM Software"; however, deleting packages with YUM has the big advantage of resolving software dependencies for you. For example, Listing 3.2 shows the results of the yum remove httpd command. As you can see, many other packages depend on the httpd package and must be removed at the same time.
LISTING 3.2 Removing Software with the yum Command
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
Setting up Remove Process
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package httpd.x86_64 0:2.2.3-5.el5 set to be erased
--> Running transaction check
Setting up repositories
rhel-x86_64-server-5      100% |=========================|  950 B    00:00
Reading repository metadata in from local files
--> Processing Dependency: webserver for package: webalizer
--> Processing Dependency: httpd = 2.2.3-5.el5 for package: httpd-manual
--> Processing Dependency: httpd >= 2.0.40 for package: mod_python
--> Processing Dependency: httpd-mmn = 20051115 for package: mod_perl
--> Processing Dependency: httpd-mmn = 20051115 for package: php
--> Processing Dependency: httpd-mmn = 20051115 for package: mod_python
--> Processing Dependency: httpd-mmn = 20051115 for package: mod_ssl
--> Processing Dependency: httpd = 0:2.2.3-5.el5 for package: mod_ssl
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Package mod_python.x86_64 0:3.2.8-3.1 set to be erased
---> Package php.x86_64 0:5.1.6-3 set to be erased
---> Package mod_ssl.x86_64 1:2.2.3-5.el5 set to be erased
---> Package httpd-manual.x86_64 0:2.2.3-5.el5 set to be erased
---> Package webalizer.x86_64 0:2.01_10-30.1 set to be erased
---> Package mod_perl.x86_64 0:2.0.2-6.1 set to be erased
--> Running transaction check
--> Processing Dependency: php = 5.1.6-3 for package: php-ldap
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Package php-ldap.x86_64 0:5.1.6-3 set to be erased
--> Running transaction check
Dependencies Resolved
=============================================================================
 Package              Arch      Version          Repository        Size
=============================================================================
Removing:
 httpd                x86_64    2.2.3-5.el5      installed         2.9 M
Removing for dependencies:
 httpd-manual         x86_64    2.2.3-5.el5      installed         3.4 M
 mod_perl             x86_64    2.0.2-6.1        installed         6.7 M
 mod_python           x86_64    3.2.8-3.1        installed         1.2 M
 mod_ssl              x86_64    1:2.2.3-5.el5    installed         175 k
 php                  x86_64    5.1.6-3          installed         3.3 M
 php-ldap             x86_64    5.1.6-3          installed          45 k
 webalizer            x86_64    2.01_10-30.1     installed         259 k
Transaction Summary
=============================================================================
Install      0 Package(s)
Update       0 Package(s)
Remove       8 Package(s)
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Removing  : mod_ssl              ######################### [1/8]
  Removing  : php-ldap             ######################### [2/8]
  Removing  : mod_python           ######################### [3/8]
  Removing  : php                  ######################### [4/8]
  Removing  : httpd                ######################### [5/8]
  Removing  : httpd-manual         ######################### [6/8]
  Removing  : webalizer            ######################### [7/8]
  Removing  : mod_perl             ######################### [8/8]
Removed: httpd.x86_64 0:2.2.3-5.el5
Dependency Removed: httpd-manual.x86_64 0:2.2.3-5.el5 mod_perl.x86_64 0:2.0.2-6.1
mod_python.x86_64 0:3.2.8-3.1 mod_ssl.x86_64 1:2.2.3-5.el5 php.x86_64 0:5.1.6-3
php-ldap.x86_64 0:5.1.6-3 webalizer.x86_64 0:2.01_10-30.1
Complete!
CAUTION
Although the -y option to yum can be used with yum remove <pkgname>, it is not recommended. As shown in Listing 3.2, removing one package might mean needing to remove more packages that depend on it. If you use the -y option to answer yes to all questions, you are agreeing to remove all the packages that depend on the one you want to remove without knowing what those packages are. You might depend on one of those packages. Read the list of additional packages to remove carefully before answering yes.
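An added shell example, not code from the book, that puts the caution above into a script: instead of passing -y to yum remove, it reads the Dependencies Resolved table that yum prints (the two samples embedded below are constructed for this example, modeled on Listing 3.2) and treats the removal as safe only when nothing is listed under Removing for dependencies. The commented-out live usage assumes yum reads the y/N answer from standard input.

```shell
#!/bin/sh
# Added example: gate an unattended "yum remove" on what the dependency
# resolver reports, instead of answering yes to everything with -y.
# Both samples below are constructed for this example, modeled on Listing 3.2.
SAMPLE_REMOVE_OUTPUT='Dependencies Resolved
=============================================================================
 Package              Arch      Version          Repository        Size
=============================================================================
Removing:
 httpd                x86_64    2.2.3-5.el5      installed         2.9 M
Removing for dependencies:
 httpd-manual         x86_64    2.2.3-5.el5      installed         3.4 M
 mod_perl             x86_64    2.0.2-6.1        installed         6.7 M
 php                  x86_64    5.1.6-3          installed         3.3 M

Transaction Summary
=============================================================================
Install      0 Package(s)
Update       0 Package(s)
Remove       4 Package(s)'

# A second constructed sample in which only the requested package goes away.
SAMPLE_SAFE_OUTPUT='Dependencies Resolved
=============================================================================
 Package              Arch      Version          Repository        Size
=============================================================================
Removing:
 httpd-manual         x86_64    2.2.3-5.el5      installed         3.4 M

Transaction Summary
=============================================================================
Install      0 Package(s)
Update       0 Package(s)
Remove       1 Package(s)'

# Print, one per line, the package names listed under "Removing for
# dependencies:". Argument 1 is the captured yum output.
dependency_removals() {
    printf '%s\n' "$1" | awk '
        /^Removing for dependencies:/ { in_deps = 1; next }
        /^Transaction Summary/ || /^[ \t]*$/ { in_deps = 0 }
        in_deps && NF >= 4 { print $1 }
    '
}

# Return 0 (safe) when nothing beyond the requested packages would be removed,
# 1 when yum would also pull out dependants; answer yes only on 0.
removal_is_safe() {
    [ -z "$(dependency_removals "$1")" ]
}

# On a live system (assumption: yum takes the y/N answer from stdin), capture
# the resolver output from a run that answers no, check it, then run for real.
# Commented out so the example runs without yum installed:
#   resolved=$(echo n | yum remove "$pkg" 2>&1)
#   removal_is_safe "$resolved" && yum -y remove "$pkg"

if removal_is_safe "$SAMPLE_REMOVE_OUTPUT"; then
    echo "httpd: only the requested package would be removed"
else
    echo "httpd: refusing unattended removal, dependants would also go:"
    dependency_removals "$SAMPLE_REMOVE_OUTPUT"
fi
```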
The Package Manager graphical program as previously described in the "Installing Software" section can also be used to remove one or more packages and their dependencies. Start it as previously described and use the Search or List tabs to find the packages to delete. Instead of clicking the check box beside the package to install it, click the check box beside the packages to remove the check mark. Click Apply to start the package removal process. Confirm the list of packages to remove by clicking Continue. If additional packages need to be deleted as software dependencies, they are listed next. Click Continue to agree to their removal as well. When the package removal is complete, a message is displayed.
Performing More Actions
The command-line version of YUM can perform additional actions useful when managing RPM packages on a system. Read the yum man page, invoked with the man yum command, for a complete list. The following are a few highlights:
yum deplist <pkgname>
yum list available
yum list updates
The yum deplist <pkgname> command displays the software dependencies for the package listed. The yum list available command outputs a list of packages that are available for installation on the system. The yum list updates command shows all the software updates available for but not yet installed on the system.
Summary
Software maintenance is crucial to system administration, but it doesn't have to be labor intensive or tedious. Every Red Hat Enterprise Linux subscription includes the ability to be notified of and retrieve updates from Red Hat Network, so why not take advantage of its many features, including email notifications of newly released software updates and the ability to schedule package updates, installations, and removals? These actions can be performed via the RHN website or YUM. YUM can be used from the command line or from one of two graphical programs. The RHN website offers the flexibility of scheduling actions. The yum command-line utility allows administrators to manage software on a minimally installed system or from scripts that require non-interactive commands. The graphical YUM programs provide a customized list of software updates specific to your system for quick and easy maintenance.
PART II
Operating System Core Concepts
IN THIS PART
CHAPTER 4 Understanding Linux Concepts 99
CHAPTER 5 Working with RPM Software 125
CHAPTER 6 Analyzing Hardware 151
CHAPTER 7 Managing Storage 167
CHAPTER 8 64-Bit, Multi-Core, and Hyper-Threading Technology Processors 195
IN THIS CHAPTER
Learning the Desktop
Filesystem Hierarchy System
Shell Basics
Becoming the Root User
Manual Pages
Editing Text Files
File Permissions
Initialization Scripts
Runlevels
CHAPTER 4
Understanding Linux Concepts
So far, this book has covered installing Red Hat Enterprise Linux and post-installation essentials. Before continuing, it is important to establish a firm background in a few basic UNIX and Linux topics such as navigating the desktop, knowing how the filesystem is structured, being able to use the command line, and understanding file permissions. If you are already familiar with this information, skim through it quickly as a review and continue. If you are new to a UNIX-based operating system, this chapter can serve as an overview of Linux concepts.
Learning the Desktop
Unless you customized the installation and only installed the programs absolutely necessary for the system to function in its desired capacity, you most likely installed the software necessary to use the graphical desktop environment. If so, after the system boots, the graphical login screen appears as discussed in Chapter 2, "Post-Installation Configuration."
As you can see, it consists of the actual desktop area, a few icons on the desktop, and two panels. The top panel contains the menus, icons to common desktop applications such as a web browser, the system time, and a volume control icon.
The menus on the top panel are divided into three categories:
Applications: Contains the majority of the program menu items, which are also divided into categories such as Internet and System Tools to make it easier to find the program you need.
Places: Allows the user to open a graphical file browser (by selecting Home Folder, Desktop, or Computer), go directly to bookmarked folders, connect to network shares as discussed in Part IV, "Network Services," search the filesystem, or quickly access recently opened documents.
System: Provides menu items to set preferences, perform administration tasks, view available documentation, lock the screen so others can't access it while you are away from your computer, log out of the graphical desktop, and suspend or shut down the computer.
TIP
Mouse over the system time on the top panel to display the date, or click on it to view a calendar.
From left to right, the bottom panel includes a button to minimize all the windows and show the desktop area, a list of open application windows, a workspace switcher, and the trash icon.
To bring a different application window forward on the desktop, click on its title in the list of open windows on the bottom panel. You can also switch between open windows by using the key combination Alt+Tab.
To the left of the Trash icon, there are four small squares. These are miniature representations of desktop workspaces. Each workspace has the same desktop background, icons on the desktop, and panels. The difference is that each workspace contains different application windows. At first, this might seem unnecessary to the user, but users can develop their own methods of using the workspaces to organize how they use their computers. For example, if you usually work on more than one project at a time or throughout the day, you can use a workspace for each project you are working on. When you are working on one project, you can concentrate on the applications for it without having to close all the windows for a different project. When you are ready to return to a different project, just switch workspaces. The necessary applications for the different project are open on a different workspace waiting for you to return to them. Or, you can sort application windows by type. You can use one workspace for your online communications by having it contain your email and instant messenger clients. You can reserve one workspace for your office communication needs such as word processing or spreadsheet programs. Yet another workspace can be used only for web browsing.
As an administrator, if you are monitoring several systems at the same time, you can have all the monitoring applications for each system on a separate workspace and switch back and forth between them. That way, when you are looking at the monitoring tools, you don't have to constantly think about which system you are analyzing.
By default, the desktop is configured to have four workspaces, but this can be customized by right-clicking on the workspace switcher (the squares) and selecting Preferences. As shown in Figure 4.1, you can even label the workspaces. To switch between workspaces, click on the square that represents it on the bottom panel.
FIGURE 4.1 Customizing the Desktop Workspaces
On the far right side of the bottom panel is the Trash icon. Drag files or folders to it from the desktop or the file browser to delete them. They are not truly deleted until the trash is emptied. To empty the Trash and permanently remove the files in it, right-click on the Trash icon, and select Empty Trash. You must confirm the deletion of the files before they are really deleted. After they are deleted with the Empty Trash function, they cannot be retrieved. If files are still in the trash, click on the Trash icon to retrieve them. A window will open displaying the contents of the Trash. Drag the file or folder to another graphical file browser window or the desktop to restore it.
To further customize the desktop, play around with the preferences by going to the System menu on the top panel and selecting programs from the Preferences menu. For example, Figure 4.2 shows the program to customize the keyboard shortcuts for the graphical desktop.
FIGURE 4.2 Customizing the Keyboard Shortcuts
Filesystem Hierarchy System
The locations of the files and directories in a Red Hat Enterprise Linux system are based on the Filesystem Hierarchy System (FHS) guidelines. The purpose of the FHS is to provide guidelines for file and directory locations for UNIX-based operating systems such as Linux. The major advantages of using the FHS are the predictability and consistency of file locations. Instead of an administrator searching the entire filesystem for a particular type of file, he can know that it will be in one of a few established locations. For example, most configuration files are in the /etc/ directory, and log files are in the /var/log/ directory.
TIP
For more information on the FHS, refer to http://www.pathname.com/fhs/.
If you have ever browsed around a Linux filesystem, you might have noticed that the /bin/, /usr/bin/, /sbin/, and /usr/sbin/ directories contain commands but that only the commands in /bin/ and /usr/bin/ are in your PATH by default. (When you execute a command, it must be in one of the directories in your PATH environment variable or you will receive the command not found error message even if the command exists on the system. Refer to the "Shell Basics" section later in this chapter for details.) This is because, according to the FHS, /bin/ contains essential user commands that can be used by administrators and users, and /usr/bin/ contains most user commands. On the other hand, /sbin/ should only contain essential system administration commands, and /usr/sbin/ contains additional administration utilities. Usually, the commands in the /sbin/ and /usr/sbin/ directories can only be executed by root. The FHS guidelines for these directories make it easy to find commands and separate them by who is allowed to execute them.
An administrator is constantly monitoring log files for error messages, connections by unauthorized users, disk usage, and more. Because the FHS defines the /var/log/ directory as the location for log files, it is easy for an administrator to find the log files she is looking for because they are all in one common directory.
Table 4.1 describes some commonly used directories and their purpose according to the FHS.
TABLE 4.1 Common Directories and Their FHS Purpose
Directory        FHS Purpose
/bin/            Essential commands for admins and users
/usr/bin/        Common commands for admins and users
/sbin/           Essential commands for admins
/usr/sbin/       Common commands for admins
/tmp/            Temporary files for all users
/usr/local/      Location for locally-installed software independent of operating system updates
/usr/share/man/  Manual pages (refer to the "Manual Pages" section in this chapter for details)
/usr/src/        Source code
/var/            Variable data files such as spool files and log files
/var/log/        Log files, can include subdirectories
/etc/            Configuration files, can include subdirectories
/proc/           Kernel virtual filesystem
/dev/            Device files
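An added shell example, not from the book, for the PATH point made above: given a command name, it reports whether the shell would find it in PATH, whether it exists only in one of the four FHS command directories (the usual reason a non-root user gets command not found for a program that is installed), or whether it is absent altogether. It runs against a constructed sandbox copy of usr/bin and usr/sbin, so no real system directory is read or modified.

```shell
#!/bin/sh
# Added example: explain a "command not found" by looking in the four FHS
# command directories the text names, not only in the directories in PATH.
# The sandbox below is constructed so this runs as a normal user.

FHS_CMD_DIRS="/bin /usr/bin /sbin /usr/sbin"   # real directories, used by default

# Print the first directory in the colon-separated list $2 that holds an
# executable regular file named $1; print nothing and return 1 otherwise.
# The body is a subshell so changing IFS does not leak to the caller.
find_in_dirs() (
    name=$1
    IFS=':'
    for dir in $2; do
        if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir"
            exit 0
        fi
    done
    exit 1
)

# Classify command $1 against PATH value $2 and the space-separated FHS
# directory list $3 (defaults to FHS_CMD_DIRS). Always prints one line:
#   "in PATH: ..."       the shell will run it as typed
#   "outside PATH: ..."  exists in /sbin or /usr/sbin but PATH does not include
#                        that directory, so the shell reports command not found
#   "not present: ..."   in none of the four command directories
explain_lookup() {
    name=$1
    fhs_list=$(printf '%s' "${3:-$FHS_CMD_DIRS}" | tr ' ' ':')
    if dir=$(find_in_dirs "$name" "$2"); then
        printf 'in PATH: %s/%s\n' "$dir" "$name"
    elif dir=$(find_in_dirs "$name" "$fhs_list"); then
        printf 'outside PATH: %s/%s\n' "$dir" "$name"
    else
        printf 'not present: %s\n' "$name"
    fi
}

# Constructed sandbox: a user tool in usr/bin and an admin tool in usr/sbin,
# removed again when the script exits.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/usr/bin" "$SANDBOX/usr/sbin"
printf '#!/bin/sh\necho user tool\n'  > "$SANDBOX/usr/bin/usertool"
printf '#!/bin/sh\necho admin tool\n' > "$SANDBOX/usr/sbin/admintool"
chmod 755 "$SANDBOX/usr/bin/usertool" "$SANDBOX/usr/sbin/admintool"
SANDBOX_DIRS="$SANDBOX/bin $SANDBOX/usr/bin $SANDBOX/sbin $SANDBOX/usr/sbin"
USER_PATH="$SANDBOX/bin:$SANDBOX/usr/bin"     # a non-root PATH: no sbin dirs

explain_lookup usertool  "$USER_PATH" "$SANDBOX_DIRS"   # in PATH
explain_lookup admintool "$USER_PATH" "$SANDBOX_DIRS"   # outside PATH
explain_lookup nosuchcmd "$USER_PATH" "$SANDBOX_DIRS"   # not present
```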
Shell Basics
Even though Red Hat Enterprise Linux provides a graphical desktop and graphical applications for most administration tasks, it is wise to know the basics of the command line, also known as the shell prompt. For example, you will need to know how to use the shell prompt if you are accessing a system remotely without X forwarding, working with a system that does not have a graphical desktop installed, trying to diagnose a problem with the X Window System, or booting into rescue mode without a graphical desktop.
There are two ways to start a shell prompt. If the X Window System is not installed, the system defaults to a black screen with a login prompt. After you log in, you are at a shell prompt. If you have a graphical desktop installed, log into the system at the graphical login screen, and then start a shell prompt by clicking on the Applications menu on the top panel and selecting Accessories, Terminal. A terminal window as shown in Figure 4.3 will appear.
FIGURE 4.3 Starting a Terminal
Once in the terminal window or after logging in at the text-based login prompt, commands can be executed to navigate around the filesystem, read files, start applications, and perform administrative tasks.
Navigating the Filesystem
Now that you understand a bit about how the filesystem is organized and how to invoke a shell prompt, you need to know how to navigate through it using the command line.
By default, the prompt looks like the following:
[tfox@smallville ~]$
The first word before the @ symbol is the username of the person currently logged in, and the word after the @ symbol is the hostname of the system. The part that follows the space after the hostname is referred to as the current working directory. In this case, the ~ symbol means that the current working directory is the home directory of the user. When you start a terminal, the default directory is your home directory.
To change to a different directory, use the cd <directory> command. The <directory> can either be the full path to the directory or a directory relative to the current directory. The full path is the path through the filesystem to the desired directory starting with the root directory (/) such as /home/tfox/ for my home directory or /var/log/ for the log files directory. Specifying a directory relative to the current working directory means that you don't begin the directory with the root directory. Instead, you begin it with a directory inside the current working directory such as documents/ for the /home/tfox/documents/ directory if you are already in the /home/tfox/ directory. If the directory doesn't begin with a forward slash for the root directory, the current working directory is assumed for the beginning of the path. When specifying a relative directory, you can specify more than one level deep such as documents/project1/.
When giving a relative directory, you can also specify up one or more directories with the .. notation. For example, if the current working directory is /var/log/samba/, executing the command cd ../httpd takes you up one directory and then down into the httpd directory, placing you in the /var/log/httpd/ directory.
Notice that the shell prompt changes as you change directories. If you change to the documents/ directory, the prompt changes to the following:
[tfox@smallville documents]$
Notice that the prompt does not show where the current working directory is relative to the entire filesystem. It just shows the name of the current directory by itself. To output the full path to the current working directory, execute the pwd command. In our example, the pwd command displays:
/home/tfox/documents
To create a directory, use the mkdir <directory> command. Again, the <directory> can be relative to the current directory or it can be the full path. For example, to create a directory named project1/ in the /home/tfox/documents/ directory, either change into the /home/tfox/documents/ directory and then execute the mkdir project1 command, or execute the mkdir /home/tfox/documents/project1/ command from any directory.
To remove a directory, invoke the rmdir <directory> command, where <directory> is a directory within the current directory or the full path to the directory. If any files are still in the directory, the error message Directory not empty will be displayed, and the directory will not be deleted. This prevents users from removing a directory that still contains files.
TIP
To force the removal of a directory with all the files and subdirectories within that directory, use the rm -rf <directory> command. This command does not ask you to confirm the deletion, and there is no way to reverse the removal of the files and directories. Use extreme caution with this command. Double-check the directory specified before pressing Enter to execute the removal.
To remove a ile, use Ihe rn <f1Je> command. I only Ihe ilename is speciied, iI musI be
in Ihe currenI working direcIory. AlIernaIively, Ihe ull paIh Io Ihe ile and Ihe ilename
can be speciied such as Ihe rn 1hone11fox1s1a1us.od1 command.
To view Ihe conIenIs o a currenI direcIory, execuIe Ihe Js command, or use Ihe Js
<d1rec1ory> command Io view Ihe conIenIs o <d1rec1ory>. As wiIh Ihe oIher
commands discussed, <d1rec1ory> can be relaIive Io Ihe currenI working direcIory or Ihe
ull paIh Io a direcIory. The Js command accepIs Ihe * wildcard characIer. Eor example,
Io lisI all Ihe OpenOice.org IexI documenIs, use Ihe Js *.od1 command, or Ihe Js
s1a1us* Io ind all iles whose ilename begins wiIh s1a1us. MulIiple wildcards can be
used such as Js *s1a1us* Io lisI all iles IhaI have sIaIus somewhere in Iheir name.
To copy a ile rom one locaIion Io anoIher, use Ihe cp <fron> <1o>, where <fron> is Ihe
ile Io copy and <1o> is Ihe direcIory or ilename Io copy iI Io. I Ihe <1o> speciied is a
direcIory, Ihe ile is copied Io IhaI direcIory using Ihe same ilename. The direcIory can be
Ihe ull paIh Io a locaIion or a direcIory relaIive Io Ihe currenI working direcIory. I a ile-
name is speciied or <1o>, Ihe original ile is copied Io anoIher ile wiIh Ihe speciied
name. I a paIh ollowed by a ilename is used, Ihe ile is copied Io anoIher ile wiIh Ihe
new name in Ihe speciied direcIory. Eor example, Ihe cp s1a1us.1x1 repor1s1
s1a1usU1.1x1 will copy Ihe s1a1us.1x1 ile rom Ihe currenI working direcIory Io Ihe
repor1s1 direcIory relaIive Io Ihe currenI working direcIory as Ihe new ilename
s1a1usU1.1x1. The repor1s1 direcIory musI exisI, or Ihe error message cp: canno1
crea1e reguJar f1Je `repor1s1s1a1usU1.1x1`: No such f1Je or d1rec1ory is
displayed, and Ihe ile is noI copied.
When a ile is moved, Ihe ile no longer exisIs in Ihe original locaIion. The nv <fron>
<1o> command is similar Io Ihe cp command. The only dierence is IhaI Ihe original
<fron> ile will no longer exisI aIer Ihe move operaIion.
MulIiple iles can be speciied as Ihe <fron> or boIh Ihe cp and nv commands, and boIh
commands accepI Ihe * wildcard. Eor example, Ihe nv *.1x1 1ex1f1Jes1 command
moves all iles IhaI end in .1x1 Io Ihe 1ex1f1Jes1 direcIory in Ihe currenI working direc-
Iory. Or, mulIiple iles can be speciied using Iheir ilenames. Eor example, cp chap1.od1
chap2.od1 chap3.od1 backup1 copies Ihe chap1.od1, chap2.od1, and chap3.od1 iles Io
Ihe backup1 direcIory.
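The following is an added example, not code from the book: it runs the commands just described (mkdir, cp with a new filename, mv with a wildcard, ls, rmdir) inside a throwaway directory, and it wraps the rm -rf command from the tip in a guard that refuses to remove "/", an empty argument, or anything outside an agreed base directory. The sandbox path, the directory names under it (documents/, reports/, textfiles/) and the safe_rm_rf helper are this example's own constructions.

```sh
#!/bin/sh
# Added example, not from the book: exercise mkdir, cp, mv, ls, rmdir and rm -rf
# in a throwaway directory, and wrap rm -rf in a guard that refuses "/", an
# empty argument, or any path outside an agreed base directory.
# The sandbox is a constructed mktemp directory, not a real home directory.

# Create the scratch tree and print its path.
setup_tree() {
    WORK=$(mktemp -d) || return 1
    mkdir -p "$WORK/documents/project1" "$WORK/documents/reports" "$WORK/textfiles"
    printf 'draft\n' > "$WORK/documents/status.txt"
    printf 'todo\n' > "$WORK/documents/notes.txt"
    printf 'chapter\n' > "$WORK/documents/chap1.odt"
    printf '%s\n' "$WORK"
}

# cp <from> <to> with <to> a path plus a new filename: the copy gets the new name.
copy_report() {
    cp "$1/documents/status.txt" "$1/documents/reports/status01.txt"
}

# mv with a wildcard: every .txt file in documents/ moves to textfiles/.
move_text_files() {
    mv "$1"/documents/*.txt "$1/textfiles/"
}

# Number of entries ls reports for a directory.
count_entries() {
    ls -1 "$1" | wc -l | tr -d ' '
}

# rmdir refuses a directory that still contains files; print yes if it refused.
rmdir_refused() {
    if rmdir "$1" 2>/dev/null; then echo no; else echo yes; fi
}

# Guarded rm -rf: resolve both paths, then remove only if the target lies
# strictly inside the base directory. Returns 1 and removes nothing otherwise.
safe_rm_rf() {
    base=$1
    target=$2
    [ -n "$base" ] && [ -n "$target" ] || return 1
    base=$(cd "$base" 2>/dev/null && pwd -P) || return 1
    target=$(cd "$target" 2>/dev/null && pwd -P) || return 1
    [ "$target" != "/" ] || return 1
    case "$target" in
        "$base"/*) rm -rf "$target" ;;
        *) return 1 ;;
    esac
}
```

The guard resolves both paths with pwd -P so that symbolic links cannot make a path appear to be inside the base; the base itself is never removed, only entries beneath it.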
Helpful Hints
The default shell, called the bash shell, offers many useful shortcuts that can speed up your
operations on the command line. For example, instead of typing the entire command,
you can type the first few characters of it and press the Tab key. If no other command
begins with the characters you have typed, the command will be completed for you. If no
results are displayed after pressing the Tab key once, press it again. If there is no
command that begins with the characters you typed, the cursor will not move and no
results will be displayed. If there is more than one command that begins with the characters
you typed, pressing the Tab key twice will display them. If there are too many
commands that begin with the characters, you will see a message telling you how many
completions exist and asking you to confirm whether you want them displayed, such as the
following example:
Display all 112 possibilities? (y or n)
Press the Y key to display all the results, or press the N key to go back to the prompt and
type a few more characters of the desired command. Using tab completion takes some
practice and getting used to, but it will quickly increase the speed at which you are able to
use the command line.
TIP
Because it sometimes takes pressing the Tab key twice to return results, it is a good
habit to always press the Tab key twice when using tab completion to speed up the
results.
When you type commands at a shell prompt, they are saved as part of your command
history so you can reference them later. Type the command history at a shell prompt to
see the results. If you have ever forgotten a recently used command or forgotten which
command-line arguments you used for a particular command, you can see how this
might be useful. If you know all or part of the command you are searching for, use the
following command:
history | grep 'part of the command'
The grep command stands for get repetitions. It can also be used when displaying the
contents of files as discussed in the "Reading Text Files" section later in this chapter.
Alternately, press the Ctrl and R keys simultaneously. Pressing multiple keys at the same
time is usually written with a plus sign between the keys, such as Ctrl+R. This will change
the prompt to read (reverse-i-search)`': while still providing a cursor to type. Start
typing any part of the previous command you want to recall, and you will start seeing
results. If the command displayed is not the one you are searching for, keep typing. The
results change as you type and completions are found.
At a shell prompt, you can also press the up arrow to start listing your command history,
starting with the most recently executed ones. After you have initiated the history
scrolling, press the down arrow to go in the opposite direction. Keep in mind that not
every command you have ever typed is saved. If you cannot find the command you are
looking for, it may not be in your command history anymore.
TIP
If the terminal screen is starting to look cluttered or you just want what is on the
screen to go away, type the command clear to clear the screen and place the prompt
at the top of the screen.
If you are familiar with the Emacs editor (refer to the "Editing Text Files" section later in
this chapter), you might know a few of its shortcuts to delete a word, jump to the
beginning of a line, and jump to the end of a line. These shortcuts are also available on the
command line courtesy of the bash shell. To delete the word in front of the cursor, press
Alt+D. To move the cursor to the beginning of the line, press Ctrl+A. Press Ctrl+E to move
the cursor to the end of the line. To clear the line from the cursor back to the prompt,
press Ctrl+U.
These shortcuts can be used in conjunction with the up and down arrows to scroll through
your command history or the Ctrl+R shortcut to perform a reverse lookup. Why is this
useful? If you mistyped a long command and don't want to retype the entire command,
just press the up arrow, and use the editing shortcuts to find the typing error, remove it,
and replace it with the correct characters. After you have a little practice with it, it will be
faster than retyping the entire command. This method is also useful if you are
experimenting with different command-line arguments to the same command. Try one argument,
then press the up arrow to try a different argument without having to retype everything.
Finding Files
There are two invaluable commands that can be used to find files on the filesystem:
locate and find.
The locate command is the easier of the two to use. Just type the command followed by
part or all of the filename you are searching for, such as locate .odt to find all
OpenOffice.org text files or locate compare to find all filenames that contain the word
compare. Notice that no wildcard characters are used. It is assumed that what you type
may only be part of the filename you are looking for.
The only catch to this command is that it relies on the generation of a database file so it
can quickly display results. The locate command is provided by the mlocate package,
which also provides the cron script /etc/cron.daily/mlocate.cron to automatically
generate this database daily. If you are looking for a file created that same day, it might not
appear in the locate results if the database hasn't been updated since the file was created.
The find command is a bit more complicated to use and takes longer to produce results
because it does not rely on a database. Because it takes longer, it is possible to specify a
specific directory to look in. The basic syntax is as follows:
find <directory> -name <filename>
Replace <directory> with the directory to start looking in. It will look recursively
through the directory, meaning that it will look in any subdirectories, subdirectories of
the subdirectories, and so on. Replace <filename> with the filename for which you are
searching. To search in the current directory and below, replace <directory> with a dot
(.) character such as:
find . -name guidelines.txt
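The following is an added example, not code from the book, that goes beyond the -name test shown above: find can also select files by permission bits (-perm), by type (-type) and by modification time (-mtime), which is how an administrator audits a tree for world-writable paths, set-user-ID executables, or files changed so recently that the daily locate database cannot know about them yet. The directory tree, its file names and the permission values are constructed by make_audit_tree for this example.

```sh
#!/bin/sh
# Added example, not from the book: find can test more than the name. These
# functions use -perm, -type and -mtime to audit a tree for world-writable
# paths, set-user-ID files and recently changed files. The tree is a
# constructed sandbox built by make_audit_tree, not a real system directory.

# Regular files and directories that any user can write to (other has write: -002).
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# Regular files carrying the set-user-ID bit (-4000).
find_setuid_files() {
    find "$1" -type f -perm -4000 | sort
}

# Files matching a name that changed within the last N days (-mtime -N).
find_recent_by_name() {
    find "$1" -name "$2" -mtime -"$3"
}

# Build the sandbox and print its path.
make_audit_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/shared" "$d/private"
    printf '#!/bin/sh\n' > "$d/bin/tool"
    printf 'notes\n' > "$d/shared/guidelines.txt"
    printf 'secret\n' > "$d/private/key.txt"
    chmod 755 "$d" "$d/bin" "$d/private"
    chmod 777 "$d/shared"             # world-writable directory
    chmod 666 "$d/shared/guidelines.txt"
    chmod 4755 "$d/bin/tool"          # set-user-ID executable
    chmod 600 "$d/private/key.txt"
    printf '%s\n' "$d"
}
```

Run against a real directory, find_world_writable /usr/local or find_setuid_files / lists the paths an attacker could abuse to plant or elevate code; compare the output against a known-good baseline rather than reading it once.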
Finding Commands
If you know a command exists on the system but keep getting the error message command
not found, check to make sure you are typing the command correctly. Otherwise, it
might not be in your PATH environment variable. To view the value of your PATH, execute
the command echo $PATH from the command line. As you can see, your PATH is a list of
directories. When you execute a command without providing its full path, it must be in
one of the directories listed in your PATH. Otherwise, the command not found error is
displayed. You can provide the full path to the command if you know it, such as
/sbin/lspci to execute the command to list the PCI devices. If you use the command
often, but it is not in your PATH, you can add the directory to your PATH.
To add a directory to your path, modify the .bashrc file in your home directory. Refer to
the "Editing Text Files" section later in this chapter if you don't know how to modify a
text file. For example, to add the /usr/sbin/ and /sbin/ directories to your PATH, add the
following line to the .bashrc file in your home directory:
export PATH=$PATH:/usr/sbin:/sbin
It is not recommended that you add the dot (.) character to your path so that it includes
whatever the current working directory is. Although this might be tempting when writing
and testing your own scripts, it is a security risk because an authorized or nonauthorized
user can place a different version of common commands in a directory you are likely to
be in while executing them, such as the /tmp/ directory, which is writable by all users. For
example, if someone places a different version of the command ls in the /tmp/ directory
and . (which represents the current working directory) is listed before /bin in your PATH,
you will be executing a different version of ls, which could contain code to do something
harmful to your data or the system. If you need to execute a command in the current
working directory, precede it by ./ such as ./test.pl or provide its full path when
executing it.
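The following is an added example, not code from the book, that checks a PATH value for the risk just described. audit_path reports a "." entry, an empty entry (an empty field between two colons, or a leading or trailing colon, is also read as the current directory), a relative entry, and any directory in the list that all users can write to; sanitize_path returns the value with the current-directory entries dropped. The function names and the sample PATH values are this example's own; passing the value as an argument lets it run against the live $PATH or a constructed string.

```sh
#!/bin/sh
# Added example, not from the book: inspect a PATH value for the problem the
# chapter warns about (a current-directory entry or a world-writable directory
# lets another user plant a look-alike command). Values are passed as
# arguments, so constructed samples work as well as the live $PATH.

# True if the path is writable by "other"; -prune keeps find from descending.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Print one line per problem; print nothing when the value looks safe.
audit_path() {
    p=$1
    case "$p" in
        *::*|:*|*:) echo "empty entry (current directory) in PATH" ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting the value
    for dir in $p; do
        case "$dir" in
            "") ;;               # already reported above
            .|./*) echo "current directory entry: $dir" ;;
            /*) if [ -d "$dir" ] && is_world_writable "$dir"; then
                    echo "world-writable directory in PATH: $dir"
                fi ;;
            *) echo "relative entry: $dir" ;;
        esac
    done
    set +f
    IFS=$old_ifs
}

# Return PATH without "." or empty entries, keeping the remaining order.
sanitize_path() {
    old_ifs=$IFS
    IFS=:
    set -f
    out=""
    for dir in $1; do
        case "$dir" in
            ""|.|./*) ;;
            *) out="${out:+$out:}$dir" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}
```

To check your own shell, run audit_path "$PATH"; to apply the fix, export PATH=$(sanitize_path "$PATH") and then remove the offending entry from .bashrc so it does not come back at the next login.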
TIP
To verify which command you are executing, type the command which <command>. If a
match to the command is found in the directories from your PATH, the full path to the
command is displayed.
Reading Text Files
Sometimes you want to quickly read a text file such as a configuration file without having
to open a text editor. This is possible with the less, more, and cat command-line utilities.
All three have the same basic syntax but work differently and have different command-line
options. To use them in their default modes, type the command followed by the text
file to read, such as less output.txt, more /var/log/messages, or cat /etc/sysconfig/network.
With the less command, the Page Up and Page Down keys can be used to scroll up and
down the contents of the file. The more command only allows you to scroll down the file
using the spacebar to advance. The cat command outputs the contents of the file to the
command line and then exits, so if the file is longer than the number of lines in your
terminal, you will only see the last part of the file.
The cat command can also be used in conjunction with the grep command that was
previously discussed with the history command. For example, to view only the kernel
messages in the system log file, use the following command:
cat /var/log/messages | grep kernel
Because only root can view this file, you need to be logged in as the root user to view the
contents. Are you already logged in as a user? Read the later section "Becoming the Root
User" to find out how to perform administrative tasks while logged in as a user.
For information on text editors that can read and modify text files, refer to the "Editing
Text Files" section in this chapter.
TIP
If you are unsure of the type of a particular file, use the file <filename> command
to find out. If the file type is recognized, the file type will be displayed.
Starting Applications
Starting an application from the command line is as easy as knowing the name of the
command, typing it, and pressing the Enter key. For example, to start the application for
configuring the X Window System, type the command system-config-display and press
Enter. If the command is executed from a terminal window within a graphical
environment, the graphical version of the application is started as shown in Figure 4.4.
If the application requires the root password to continue, a dialog window appears so that
the correct root password can be used to authenticate the administrator. A few tools have
both graphical and text-based versions. However, if you are in a non-graphical
environment and try to start a program that only has a graphical version, an error message such
as cannot open display or requires a currently running X server will be displayed.
FIGURE 4.4 Graphical version of the Display Configuration Tool
Becoming the Root User
As you learned in Chapter 2, it is important to log in with your user account instead of as
the root user when performing day-to-day tasks. Some of the graphical administration
tools will prompt you for the root password if you try to run them as a regular user. But,
what if you are logged in as a user and need to perform an operation only the root user
can do? It would be time consuming to close all your open windows, log out of the
graphical desktop, log back in as root, execute root-only commands, log out again, and
then log back in with your user account.
Instead, you can temporarily start a terminal session as root. From a shell prompt, execute
the following command to temporarily become the root user:
su -
Notice the space and then a hyphen after the su command. These are extremely important
parts of the command. Without them, you have root privileges but you don't inherit any
of the environment variables of the root user, including the important PATH variable
previously discussed. Without the proper PATH that includes /sbin/ and /usr/sbin/, it
will appear as if many administrative commands don't exist. After executing the su -
command, you will be prompted to enter the root password before being granted access.
If the correct root password is entered, you will notice that the prompt changes to show
that the root user is the currently logged-in user.
When you no longer need to be root, type the exit command and then press Enter to
return to your user shell.
Manual Pages
One great feature of Linux and other UNIX-based operating systems is the inclusion of
manual pages, also known as man pages, for most commands. They can be read from a
graphical or nongraphical environment and do not require a network connection like
documentation available over the Internet.
Man pages are divided into eight sections:
1. Commands
2. System Calls
3. Library Calls
4. Special Files
5. File Formats and Conventions
6. Games
7. Conventions and Miscellaneous
8. System Management Commands
To read the man page for a command, execute man <command> from a shell prompt. If a
man page exists for the command, it will be displayed. Use the Page Up and Page Down
keys to scroll through the text. To find a word or phrase in a man page, press the forward
slash key (/) followed by the word or phrase you are looking for. After you press the
forward slash, the colon at the bottom of the screen changes to a forward slash. As you
type what you are searching for, it appears after the slash at the bottom of the screen.
Press Enter to start searching. Press the N key to jump to the next instance of the word or
phrase.
Sometimes, there are multiple man pages for the same command. For example, there are
two man pages for man pages. When you execute the command man man, the page from
section one, "Commands," is shown explaining the basics of how to use the command.
There is also another man page for man in section 7, "Conventions and Miscellaneous,"
which describes how to write man pages. To view the man page for a topic in a specific
section, include the section in the command such as man 7 man or man 8 useradd.
If you prefer to read the man pages in a graphical environment, select the System menu
from the top panel and then select the Help menu item to start the graphical help program.
Select Manual Pages from the list on the left side. The list of man page topics to choose
from is slightly different than the man page sections previously discussed, but you should
still be able to find the pages you are looking for such as the one shown in Figure 4.5.
FIGURE 4.5 Graphical View of Man Pages
Editing Text Files
What if you want to make some quick notes without having to open a graphical word
processor program? Do you need to make a simple edit to a configuration file? Do you
need to edit a file from a remote terminal with limited bandwidth or with X forwarding
disabled? Sounds like you need a simple nongraphical text editor.
There are too many text editors for Red Hat Enterprise Linux to discuss all of them in this
brief chapter. Instead, this section discusses the two most popular ones: Vi and Emacs.
They are both very different to use, and users of each are often very hesitant to use the
other because of these differences. Ultimately, you must choose one that you feel the
most comfortable with. Also consider that some systems might not have both installed, so
it is a good idea to at least be familiar with the basics of both such as how to open a file,
perform basic modifications, save the file, and exit. If you are in a critical situation in
which you only have a text environment in rescue mode, knowing the text editor
available might mean the difference between fixing the system quickly and struggling through
it. In minimal environments such as rescue mode, Vi is often available more than Emacs
because it requires less disk space and system resources.
Vi Editor
The Vi editor is text based, so it must be run in a terminal. To use it, you must have the
vim-minimal RPM package installed. If it is not installed, install it as described in Chapter
3, "Operating System Updates."
To open a file in Vi, type vi <file> at the shell prompt. If the file does not exist, it will
be created with the filename you provided the first time you save it. Remember, you can
always give the full path to the file if you are not in the directory that contains the file.
Also remember that you can only modify files you have write permission to. Vi will let
you open files you have only read access to but will deny the save operation if you do not
have write access. For more information on read and write permissions, refer to the "File
Permissions" section later in this chapter.
As shown in Figure 4.6, the Vi editor is very basic. By default, you are not even allowed to
input characters.
FIGURE 4.6 The vi Editor
To start making changes to the file or start typing content into a new file, change to
insert mode by pressing the I key. You will notice that the status at the bottom of the
screen changes to -- INSERT --. Next, start typing. Vi does not have automatic word
wrap, so you must press Enter to move the cursor to the next line. When you are finished
typing the contents of the file, press the Esc key to exit insert mode. To save a file, exit
insert mode, type :w (the w is for write), and press Enter. If you have permission to save
the file, it will be saved. If you started Vi without specifying a filename, type :w, press the
spacebar to add a space, type the desired filename, and press Enter to save the file.
To exit Vi, type :q (for quit), and press Enter. To exit without saving the file, follow the :q
command by an exclamation point (!).
Common Vi operations are provided in Table 4.2. For even more instructions on using
the Vi editor, pick up an inexpensive book on the editor or read some of the numerous Vi
tutorials on the Web.
TABLE 4.2 Common vi Commands
Command          Description
:w               Save the file
:w <filename>    Save the file with a different filename
:q               Quit vi
:q!              Quit vi without saving any changes
/<search item>   Search for a phrase, word, or group of words
n                Repeat last search
a                Start insert mode after cursor
A                Start insert mode at the end of the line
dd               While not in insert mode, cut the current line into the buffer
p                While not in insert mode, paste the last cut line from the buffer
x                While not in insert mode, delete the character at the cursor
$                Move cursor to the end of the line
0                Move cursor to the beginning of the line
:<linenum>       Move cursor to a specific line number
ESC              Exit current mode such as insert mode
Emacs Editor
The Emacs editor is considered more user-friendly than Vi because it is in insert mode by
default and is available in a graphical version as shown in Figure 4.7.
FIGURE 4.7 The Emacs Editor
A text version is also available for use at the command line as shown in Figure 4.8.
FIGURE 4.8 The Text-Based Version of the Emacs Editor
The emacs RPM package must be installed to use this editor. If it is not installed, install it
as described in Chapter 3. To begin, type the emacs command. Just like Vi, the emacs
command can optionally be followed by a space and a filename. If the file exists, it will be
opened in the editor. If it doesn't exist, it will be created the first time the file is saved.
To force the editor to start in text-based mode, execute the emacs -nw command for "no
window."
Most Emacs commands are key combinations. After typing the contents of the file, press
Ctrl+X, Ctrl+S to save the file. Press Ctrl+X, Ctrl+C to quit Emacs. To open a file, use the
Ctrl+X, Ctrl+F key combo, enter the filename at the prompt at the bottom of the editor, and
press Enter. If a file is already open in the editor, the new file will be opened at the same time.
To switch between open files, use the Ctrl+X, B key combo. Either press Enter to switch to the
"buffer" listed at the bottom of the editor or press Tab to see a list of available open files.
Common Emacs operations are provided in Table 4.3. For even more instructions on using
the editor, pick up an inexpensive book on the editor or read some of the numerous
tutorials on the Web.
TABLE 4.3 Common Emacs Commands
Command          Description
Ctrl+X, Ctrl+S   Save the file
Ctrl+X, Ctrl+W   Save the file with a different filename
Ctrl+X, Ctrl+C   Exit Emacs
Ctrl+X, Ctrl+F   Open a file
Ctrl+X, b        Switch buffers
Ctrl+A           Move cursor to beginning of the line
Ctrl+E           Move cursor to end of the line
Ctrl+K           Cut the current line from the cursor to the end of the line into the buffer
Ctrl+Y           Paste last cut line from buffer into the file at the cursor
Ctrl+S           Search file for phrase, word, or group of words (press repeatedly to keep
                 searching for next instance)
Ctrl+R           Perform a backward search in file for phrase, word, or group of words
                 (press repeatedly to keep searching for next instance)
ESC D            Delete word at cursor
Ctrl+D           Delete character at cursor
Ctrl+G           Cancel current command
File Permissions
In Red Hat Enterprise Linux, all files have file permissions that determine whether a user
is allowed to read, write, or execute them. When you issue the command ls -l, the first
column of information contains these file permissions. Within this first column are places
for 10 letters or hyphens. The first space is either a hyphen, the letter d, or the letter l. A
hyphen means it is a file. If it is the letter d, the file is actually a directory. If it is the letter
l, it is a symbolic link to a directory somewhere else on the filesystem.
The next nine spaces are divided into three sets of three as shown in Figure 4.9. The first
set of three is the read, write, and execute permissions for the owner of the file. The
second set of three is the read, write, and execute permissions for anyone who belongs to
the user group for the file. (For more information on the relationship between users and
groups, refer to the chapter "Managing Users and Groups.") The last set of permissions is
for anyone who has a login to the system.
FIGURE 4.9 File Permissions
As you can probably guess, within each set of permissions, the r stands for read, the w
stands for write, and the x stands for execute. If the file is a script or command, you must
have execute permission to run it. You must also have execute permission to change into
a directory.
To change file permissions, you must be the owner of the file or directory or be the root
user. The chmod utility is used to modify file permissions. The basic syntax is as follows:
chmod [ugoa][+-=]<permissions> <filename>
For the first argument, choose one or more of the letters ugoa, where u stands for the user
who owns the file (the first set of permissions), g stands for everyone in the file's group
(the second set of permissions), o stands for other users not in the file's group (the third
set of permissions), and a stands for all users (all three sets of permissions). The difference
between specifying o and a is that o changes the third set of permissions for everyone and
a changes the permissions for all three sets.
The second argument must be one of +, -, or =. If the plus sign (+) is used, the
permissions that follow it are added for the users and groups provided by the first argument. If
the minus sign (-) is used, the permissions that follow are removed for the users and
groups in the first argument. Normally, when the chmod command is used, the
permissions are added to the existing ones. However, if the equals sign (=) is used, the file will
only have the permissions being specified (the existing permissions are overwritten and
not retained).
The last argument is a filename or group of filenames on which to set the permissions.
Multiple filenames can be listed using the * wildcard character such as *.txt for all files
ending in .txt.
The third argument <permissions> is the list of permissions for the users and groups from
the first argument. The list can consist of one or more of the permissions in Table 4.4.
TABLE 4.4 chmod File Permissions
Permission   Description
r            Read
w            Write
x            Execute (also gives permission to change into a directory)
X            Execute only if it is a directory or has execute permission for some user
s            Set user or group ID on execution
t            Sticky bit
u            Permissions granted to user who owns the file
g            Permissions granted to users in the file's group
o            Permissions granted to the owner of the group and the users in the file's group
The first three (r, w, x) are self-explanatory. Use them to set read, write, and execute
permissions.
The s permission is used on directories to retain the user or group ID for a file created in
the directory. To set the user ID for any new files created in the directory to the owner of
the directory, use the chmod u+s <directory> command. To set the group ID for any new
files created in the directory to the directory's group, use the chmod g+s <directory>
command.
The sticky bit permission for files is no longer used. It was used on older systems to store
executables in memory so they run faster, but with the current virtual memory system,
the sticky bit is no longer needed. If the sticky bit (the t permission) is set for a directory,
the directory can only be unlinked or renamed by the root user or the owner of the
directory. If the sticky bit is not set for a directory, anyone with write permission can delete or
rename the directory. If the sticky bit is set for a directory, the permissions listing looks
similar to the following (notice the t in the last set of permissions):
drwxrwxrwt 22 root root 4096 Mar 30 10:57 /tmp
The last three permissions (u, g, o) are only used with the = operator to set permissions for
the owner, group, others, or everyone equal to the existing permissions for the owner,
group, others, or everyone. For example, chmod g=u <filename> sets the group
permissions to the current permissions for the owner of the file.
TIP
To change permissions recursively (on all the files in a directory, all the files in its
subdirectories, all the files in the subdirectories of the subdirectories, and so on) use
the -R option to chmod such as chmod -R g+w output.txt.
Examples include the following:
chmod ug+rw <filename>
Gives the user and group read and write permissions
chmod -R g+r *
Gives the group read permissions for all files in the current directory and any files
and directories in the current directory, recursively
chmod o-x <directory>
Does not let users who aren't the owner or in the group change into the directory
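The following is an added example, not code from the book. It reads the 10-character permission string that ls -l prints (for instance drwxrwxrwt from the /tmp listing above) and converts it to the four-digit octal mode that chmod also accepts, treating s, S, t and T in the execute slots as the set-user-ID, set-group-ID and sticky bits; it then creates a group-shared directory with g+s and the sticky bit and reads the resulting mode back. The function names, the sample mode strings and the sandbox directory are this example's own constructions.

```sh
#!/bin/sh
# Added example, not from the book: convert the mode string shown by ls -l
# (for example drwxrwxrwt) into the octal mode chmod accepts, including the
# set-user-ID, set-group-ID and sticky bits, then build a group-shared
# directory with g+s and the sticky bit and read its mode back. The mode
# strings and the sandbox directory are constructed for this example.

# One rwx triplet -> its digit. s or t in the execute slot means x is set;
# uppercase S or T means the special bit is set but x is not.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    printf '%s\n' "$v"
}

# Mode string, with or without the leading type character, -> 4-digit octal.
mode_to_octal() {
    m=$1
    if [ ${#m} -eq 10 ]; then m=${m#?}; fi     # drop the d, l or - type character
    [ ${#m} -eq 9 ] || return 1
    u=$(printf '%s' "$m" | cut -c1-3)
    g=$(printf '%s' "$m" | cut -c4-6)
    o=$(printf '%s' "$m" | cut -c7-9)
    special=0
    case "$u" in ??[sS]) special=$((special + 4)) ;; esac   # set-user-ID
    case "$g" in ??[sS]) special=$((special + 2)) ;; esac   # set-group-ID
    case "$o" in ??[tT]) special=$((special + 1)) ;; esac   # sticky bit
    printf '%s%s%s%s\n' "$special" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# Mode string of a path from ls -ld (first 10 characters only; the "." or "+"
# that ls appends for an SELinux context or an ACL is ignored).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Group-shared drop directory: g+s so new files inherit the directory's group,
# o+t so only a file's owner (or root) may delete or rename files inside it.
# Prints the resulting octal mode.
make_shared_dir() {
    mkdir -p "$1"
    chmod 770 "$1"
    chmod g+s "$1"
    chmod o+t "$1"
    mode_to_octal "$(mode_string "$1")"
}
```

A quick way to use this on a live system is mode_to_octal "$(mode_string /tmp)", which should print 1777; anything else on /tmp is worth investigating.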
Eile permissions can also be seI graphically using Ihe NauIilus ile browser. Erom Ihe
deskIop, click on Ihe Places menu on Ihe Iop panel and selecI Home Folder. NavigaIe Io
Ihe ile you wanI Io view or change permissions or, righI-click on iI, and selecI
PropertIes. Click on Ihe PermIssIons Iab as shown in Eigure 4.10 Io view Ihe exisIing
permissions or change Ihem.
CH^lTLR 4 Understandlng Llnux Conoepts 118
FlGURL 4.10 Changlng Flle lermlsslons
Depending on how your sysIem is conigured, iles mighI also have access conIrol lisIs or
SecuriIy-Enhanced Linux rules associaIed wiIh Ihem. Reer Io Ihe nexI secIion on "Access
ConIrol LisIs" and ChapIer 23, "FroIecIing AgainsI InIruders wiIh SecuriIy-Enhanced
Linux," or deIails.
In|t|a||zat|en 5cr|ts
NeIwork services such as Ihe Apache HTTF Server and DHCF along wiIh oIher programs
such as cron and syslog reguire a Jaemon Io be running aI all Iimes. The daemon perorms
acIions such as lisIening or connecIions Io a service on speciic porIs, making sure
commands are execuIed aI speciic Iimes, and capIuring daIa such as log messages when
Ihey are senI ouI by oIher programs.Frograms IhaI reguire a daemon Io be sIarIed have an
ntalzaton scrpt in Ihe 1e1c1rc.d11n11.d1 direcIory. An iniIializaIion scripI can also be
used Io run a command aI booI Iime such as Ihe readahead_earJy and readahead_Ja1er
scripIs, which run Ihe readahead uIiliIy so IhaI programs used aI sIarIup are loaded inIo
memory beore Ihey are needed. Doing so decreases Ihe amounI o Iime iI Iakes Io sIarI Ihe
sysIem. When you booI a Red HaI EnIerprise Linux sysIem, Ihe 1n11 program is run lasI in
Ihe kernel booI process. This program irsI execuIes Ihe 1e1c1rc.d1rc.sys1n11 scripI Io
perorm acIions such as loading kernel modules or hardware supporI, loading Ihe deaulI
keymap, and seIIing Ihe hosIname. The 1e1c11n111ab scripI is run nexI, which Ihen Iells
1n11 which runlevel Io sIarI. The runlevel deines which services Io sIarI aI booI Iime, or
which iniIializaIion scripIs Io execuIe. Reer Io Ihe laIer secIion "Runlevels" or deIails on
how runlevels are conigured.
LasIly, Ihe 1e1c1rc.d1rc.JocaJ scripI is execuIed. Commands can be added Io Ihis ile or
cusIom iniIializaIion.
lnltlallzatlon Sorlpts 119
4
The iniIializaIion scripIs can also be used Io sIarI, sIop, and resIarI services aIer Ihe
sysIem has booIed. These acIions are perormed wiIh Ihe serv1ce command as Ihe rooI
user. Each scripI has iIs own lisI o acIions. Common acIions deined include s1ar1, s1op,
conres1ar1 (which sIops and sIarIs Ihe service only i iI is already running), and s1a1us.
To perorm an acIion, use Ihe ollowing synIax:
serv1ce <serv1ce> <ac11on>
Eor example, Ihe ollowing sIarIs Ihe OpenSSH service:
serv1ce sshd s1ar1
As each service wiIh an iniIializaIion scripI is discussed in Ihis book, a lisI o acIions IhaI
can be perormed wiIh Ihe scripI is given.
Run|eve|s
How does Ihe sysIem know which iniIializaIion scripIs Io run so IhaI only Ihe desired
services are sIarIed aI booI Iime7 Linux uses Ihe concepI o runlevels Io deine which services
Io sIarI aI booI Iime. There are 7 runlevels, wiIh each having iIs own general purpose:
0: HalI Ihe sysIem
1: Single-user mode (see ChapIer 10, "Technigues or Backup and Recovery" or
deIails)
2: NoI used
3: MulIi-user mode wiIh IexI login
4: NoI used
S: MulIi-user mode wiIh graphical login
: RebooI
Each runlevel has iIs own direcIory named rcX.d in 1e1c1rc.d1, where X is Ihe runlevel
number. Each o Ihese direcIories conIains symbolic links Io Ihe acIual iniIializaIion scripIs in
1e1c1rc.d11n11.d1. Each symbolic link sIarI wiIh Ihe leIIer S or K ollowed by a number. The
S sIands or start, and Ihe K sIands or lll, which means Io sIop a process. When a runlevel is
iniIialized, all Ihe services sIarIing wiIh K are sIopped irsI, and Ihen all Ihe services sIarIing
wiIh S are sIarIed. The number ollowing Ihe leIIer deIermines Ihe order in which Ihe sIop
and sIarI acIions are perormed. The lower Ihe number, Ihe sooner iI is execuIed.
Changing the Default Runlevel
By default, Red Hat Enterprise Linux boots into runlevel 5 with a graphical login screen and a graphical desktop once the user successfully authenticates. Runlevel 3 is essentially the same except the text login is used. Runlevels 2 and 4 are not reserved for a specific mode, but they can be defined for specific purposes if needed.
The default runlevel is configured on the following line from the /etc/inittab file:
id:5:initdefault:
To change the default runlevel, modify this line. The next time the system is booted, it is booted into the new default runlevel. To change to a different runlevel without rebooting the system, execute the following command as root, where <runlevel> is a number from 0 to 6:
init <runlevel>
Configuring the Runlevels
To configure which services are started for a runlevel, use one of three programs: chkconfig (command line only), ntsysv (simple text-based application that doesn't require a graphical desktop), or the Service Configuration Tool (graphical application).
The chkconfig command can be used to configure runlevels and list the current runlevel configuration. It must be run as root if modifying a runlevel. Otherwise, commands such as listing whether a service is started at boot time can be run as a non-root user.
To list the status of all services, execute the chkconfig --list command. A line is output for each service such as the following for the Apache HTTP Server:
httpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
To list the status for just one service, provide the name of the service:
chkconfig --list <service>
To modify whether the service is turned on or off for the runlevel, specify the service name and then on, off, or reset. Set it to on to have the service started at boot time. Set it to off to have the service stopped at boot time. Setting it to reset resets the values of all runlevels to the defaults from the initialization script. The syntax is as follows:
chkconfig <service> on|off|reset
If no runlevels are given, runlevels 2, 3, 4, and 5 are modified. To only modify one or more runlevels, use the following syntax where <levels> is a list of runlevel numbers not separated by spaces or commas such as 35 for runlevels 3 and 5:
chkconfig --level <levels> <service> on|off|reset
To run the Service Configuration Tool, select Administration, Server Settings, Services from the System menu on the top panel of the desktop. Or, execute the system-config-services command. If running as a non-root user, you must enter the root password before continuing. The application allows you to configure which services are started for runlevels 3, 4, and 5. On the Background Services tab, it also allows you to start and stop services. The On Demand Services tab provides an interface for enabling or disabling any xinetd services on the system.
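A way to review what chkconfig --list reports, as an added example that is not part of the book: two shell functions that read that listing on standard input and print the SysV services turned on for a given runlevel and the xinetd services that are on. The listing they run against here is constructed to mirror the format shown above (httpd, sshd, cups, avahi-daemon and the two xinetd entries are sample values) so the script works without chkconfig present; on a real system pipe chkconfig --list into the functions instead. Checking the set of services enabled for the default runlevel is a quick way to find daemons a server does not need to bring up at boot.

```shell
#!/bin/bash
# Added example, not from the book: summarise "chkconfig --list" output.

# enabled_in_runlevel <runlevel>
# Reads chkconfig --list output on stdin; prints each SysV service whose
# entry for that runlevel is "on". SysV lines have 8 fields: the name
# followed by seven "N:on"/"N:off" fields for runlevels 0 to 6.
enabled_in_runlevel() {
    awk -v want="$1:on" '
        /^[^ \t]/ && NF == 8 {
            for (i = 2; i <= NF; i++)
                if ($i == want) print $1
        }'
}

# xinetd_enabled
# Prints xinetd-managed services listed as "on". They are indented under
# the "xinetd based services:" line as "<name>:  on|off".
xinetd_enabled() {
    awk '/^[ \t]+[^ \t]+:[ \t]+on[ \t]*$/ { sub(":$", "", $1); print $1 }'
}

# Constructed sample in the format chkconfig --list prints (sample values).
SAMPLE_CHKCONFIG='httpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups           0:off   1:off   2:on    3:on    4:on    5:on    6:off
avahi-daemon   0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        rsync:          off
        telnet:         on'

echo "SysV services enabled in runlevel 3:"
printf '%s\n' "$SAMPLE_CHKCONFIG" | enabled_in_runlevel 3
echo "xinetd services enabled:"
printf '%s\n' "$SAMPLE_CHKCONFIG" | xinetd_enabled
```

For the sample above, runlevel 3 reports sshd, cups and avahi-daemon, and the xinetd section reports telnet; each name can then be fed to chkconfig <service> off where the service is not wanted.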
Runlevel 5 is configured by default. To edit a different runlevel, select it from the Edit Runlevel menu. As shown in Figure 4.11, the check box is selected next to each service configured to start at boot time for the runlevel. Click on a service to display a brief description of it and its status. After making any changes, click the Save button to enable the changes.
FIGURE 4.11 Changing File Permissions
Service Configuration Tool
To immediately start, stop, or restart a service, select it from the list and click the Start, Stop, or Restart button. This does not affect whether it is started or stopped at boot time.
If you do not have the graphical desktop installed or just prefer a more simplistic interface, ntsysv can be used to configure runlevels. The program must be run as the root user. If the ntsysv command is run without any command-line arguments, the current runlevel is configured. To configure a different runlevel or multiple runlevels, use the following syntax, where <levels> is a list of runlevel numbers without any spaces or commas such as 35 for runlevels 3 and 5:
ntsysv --level <levels>
A list of services is shown with an asterisk next to those configured to start at boot time (see Figure 4.12). If multiple runlevels are being configured, an asterisk indicates that the service is enabled for at least one of the runlevels, but not necessarily all of them.
Use the up and down arrow keys to move through the list. Use the spacebar to toggle the asterisk, enabling or disabling the service at boot time for the desired runlevel. Press the Tab key when finished to highlight the OK button. Press Enter to save the changes and exit.
FIGURE 4.12 ntsysv
Summary
The rest of the book assumes you have an understanding of the basic concepts covered in this chapter such as how to navigate around the shell prompt, use man pages, modify file permissions, and execute initialization scripts. If you were not already familiar with them before reading this chapter, use this chapter to learn them before continuing. Refer back to this chapter when necessary.
IN THIS CHAPTER
Understanding How RPM Works
Finding the Software
Installing Software
Updating Software
Removing Software
Verifying Software Files
Querying Package Files
Building RPM Packages
CHAPTER 5
Working with RPM Software
A large part of a system administrator's job is to maintain the software on a company's servers as well as the software on the users' desktops. This can be a very daunting task, especially for a large corporation. The software must be updated for security fixes, compatibility with other software, and feature enhancements if they are needed. Before the software updates are applied to production systems, the updated software must be tested and verified to be compatible with the existing programs. To efficiently maintain the software on a Red Hat Enterprise Linux system, Red Hat Network (RHN) should be used as discussed in Chapter 3, "Operating System Updates." Red Hat Network is based on a software maintenance utility called RPM (Red Hat Package Manager). Entire books have been written on RPM, so this chapter will not attempt to cover every aspect of the software packaging tool. Instead, it gives an overview of the basic topics with which an administrator should be familiar.
Understanding How RPM Works
How does RPM work? Each software program consists of files and directories, most of which must be located in a particular place on the filesystem. If the software program is distributed in RPM format, these files are compressed together into one RPM file along with instructions on where the files should be located on the filesystem and any additional scripts or executables that must be run before or after the files are installed. These RPM files are often referred to as packages.
A software program, such as the Firefox web browser, might consist of one RPM file. However, some programs are divided into multiple RPM files to allow the administrator to customize which parts are necessary for the system's usage. For example, the GNOME graphical desktop is divided into many packages that contain parts of the overall desktop. For instance, the gnome-menus package contains the files necessary for the desktop menus, while gnome-panel provides the files necessary for the panels. Some GNOME packages supply additional functionality not absolutely necessary for the desktop to function properly. Dividing the desktop into these specialized packages allows the administrator to only install the software essential for each computer.
A proper RPM file should follow a specific naming convention:
<packagename>-<version>-<release>.<arch>.rpm
For example, pciutils-2.2.1-1.2.i386.rpm is the RPM filename for the 1.2 release of version 2.2.1 of the PCI utilities software package built for the i386 architecture.
In our example, 2.2.1 is the version of pciutils, and 1.2 is the build version. The version number is similar to what you might have encountered with other software. The major version number is incremented when major features are added or it becomes incompatible with previous versions. It usually maps to specific package and distribution independent upstream version numbers. The minor version number is usually distribution dependent and changes for bug fixes, minor feature additions, and general maintenance. The release version starts at 1 for each version number change and is incremented every time that version is built for Red Hat Enterprise Linux. This small change allows the developer and users to know the package has been rebuilt while still keeping the version number the same.
The next part of the RPM filename is the architecture for which the package is built. Because different processors must use different software libraries, have different system calls, and utilize different optimizations, software must be built with the proper version of the compiler compatible with the architecture. There are some exceptions such as software written in an interpreted language such as Python, which is not compiled. For software written in this type of language, the correct version of the software that interprets the code must be installed while the RPM package that installs the code can be platform-independent. The most popular architecture abbreviations used by RPM are explained in Table 5.1.
TABLE 5.1 System Architectures Used by RPM
Architecture  Description
noarch        Architecture-independent, can run on any architecture
i386          Generic build for a 32-bit x86 system
i586          Sometimes used when building kernels for older x86 processors
i686          Intel Pentium II, Intel Pentium III, Intel Pentium 4, AMD Athlon, and AMD Duron systems (Most RPMs for these architectures are built using the i386 architecture, with the kernel for these architectures being built with the i686 for optimal performance.)
x86_64        64-bit processors such as AMD Athlon64, AMD Opteron, and Intel EM64T
ia64          Intel Itanium
ppc           32-bit IBM POWER, IBM eServer pSeries, and IBM eServer iSeries
s390x         64-bit IBM eServer System z
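The naming convention and the architecture table above, worked in shell as an added example that is not part of the book: rpm_nvra splits a package filename into its name, version, release and architecture, and rpm_arch_ok applies Table 5.1 to decide whether a package of a given architecture can run on a machine type as reported by uname -m. The gnome-menus filename is constructed (its 2.fc6 release is a sample value); pciutils-2.2.1-1.2.i386.rpm is the example from the text.

```shell
#!/bin/bash
# Added example, not from the book: split an RPM filename into its
# name-version-release.arch parts and check the arch against a machine.

# rpm_nvra <filename or path>
# Prints "name version release arch". The name may itself contain hyphens
# (gnome-menus, for instance) while version and release never do, so the
# filename is split from the right: arch is after the last dot, release
# after the last hyphen, version after the next-to-last hyphen.
rpm_nvra() {
    base=${1##*/}            # strip any directory part
    base=${base%.rpm}
    arch=${base##*.}
    rest=${base%.*}          # name-version-release
    release=${rest##*-}
    rest=${rest%-*}          # name-version
    version=${rest##*-}
    name=${rest%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# rpm_arch_ok <package arch> <machine type from uname -m>
# Returns 0 when a package of that architecture can run on that machine,
# following Table 5.1: noarch runs anywhere, a 32-bit x86 package runs on
# the same or a newer x86 generation and on x86_64 (multilib), and
# anything else must match the machine exactly.
rpm_arch_ok() {
    pkg=$1; machine=$2
    case $pkg in
        noarch) return 0 ;;
        i[3-6]86)
            case $machine in
                x86_64) return 0 ;;
                i[3-6]86)
                    p=${pkg#i}; p=${p%86}; m=${machine#i}; m=${m%86}
                    [ "$p" -le "$m" ] && return 0 ;;
            esac ;;
        *) [ "$pkg" = "$machine" ] && return 0 ;;
    esac
    return 1
}

rpm_nvra pciutils-2.2.1-1.2.i386.rpm
rpm_nvra /tmp/gnome-menus-2.16.0-2.fc6.noarch.rpm
if rpm_arch_ok i686 "$(uname -m)"; then echo "i686 packages run here"; fi
```

Splitting from the right is the point: a left-to-right split on the first hyphen would report the name of gnome-menus as gnome. Note that rpm_nvra only parses the filename; the authoritative name, version and release are the headers inside the package, which rpm -qp <rpmfile> prints.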
Finding the Software
Before learning how to install and maintain RPM packages, you need to know where to find the packages. With an enterprise system, it is crucial to only install software from a reliable source. In the case of Red Hat Enterprise Linux, the trusted source is straight from Red Hat or a certified software partner or from a Red Hat certified ISV. If you are installing custom software built inside your company, be sure it goes through testing before installing it on production systems. Installing software from other sources is most likely not supported by your Red Hat Enterprise Linux support contract.
NOTE
For more information on downloading software directly from Red Hat, refer to Chapter 3. For information on software from other vendors, contact the vendor directly for Linux versions of their software.
Installing Software
Installing an RPM package can be done via the command line or a graphical program. Because some systems such as servers do not always have a graphical desktop installed, it is important to learn at least the basics of how to use the command-line version of RPM. The command is simple to remember: It is the rpm command.
NOTE
Root access is required when installing, upgrading, or removing a package with the rpm command.
Before installing any software, confirm that it was packaged by a trusted source and has not been altered since the trusted source built it. This process is done by checking the GPG signature of the package.
First, as the root user, import the GPG public key of the trusted party with the rpm --import <keyfile> command, where <keyfile> is the file containing the key. If you do not know where to securely obtain the key file, ask your trusted RPM source.
NOTE
Key files for software distributed by Red Hat can be found in the root directory of the first installation CD:
RPM-GPG-KEY-fedora
RPM-GPG-KEY-fedora-test
RPM-GPG-KEY-redhat-auxiliary
RPM-GPG-KEY-redhat-beta
RPM-GPG-KEY-redhat-former
RPM-GPG-KEY-redhat-release
To verify that the key was imported properly, execute the rpm -qa gpg-pubkey* command. If you imported the RPM-GPG-KEY-redhat-release key, the output will be similar to the following:
gpg-pubkey-37017186-45761324
To view the details of the key, execute the rpm -qi gpg-pubkey-37017186-45761324 command (output is in Listing 5.1).
LISTING 5.1 Details of RPM GPG Key
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : 37017186                          Vendor: (none)
Release     : 45761324                      Build Date: Wed 28 Feb 2007 12:36:35 AM EST
Install Date: Wed 28 Feb 2007 12:36:35 AM EST      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(Red Hat, Inc. (release key) <security@redhat.com>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.4.2 (beecrypt-4.1.2)
...
-----END PGP PUBLIC KEY BLOCK-----
After importing the key, the signature on the package can be verified with the rpm -K <rpmfile> command. If the package has not been corrupted since it was signed, the output will include the phrase md5 gpg OK.
If the package is not signed, the output will include output such as:
NOT OK
If you haven't imported the corresponding public key, the following message is given:
MISSING KEYS
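The three rpm -K outcomes above, turned into an install gate as an added example that is not part of the book: sig_status classifies one line of rpm -K output using the phrases the text gives (md5 gpg OK, NOT OK, MISSING KEYS), and install_if_trusted refuses to run rpm -Uvh unless every package passed. The four sample lines are constructed to resemble rpm 4.4 output and are not captured from a real system; the key id 37017186 is the release key shown above. The exact wording of rpm -K varies between rpm versions, so check the patterns against the output of the rpm you run.

```shell
#!/bin/bash
# Added example, not from the book: gate package installation on the
# result of "rpm -K". Sample lines below are constructed, not captured.

# sig_status <one line of rpm -K output>
# Prints one of: trusted, missing-key, not-ok, unsigned.
# Order matters: a MISSING KEYS line also contains "NOT OK", and only a
# line ending in "gpg OK" proves a signature from an imported key; a
# plain "md5 OK" only shows the file has not been corrupted in transit.
sig_status() {
    case $1 in
        *"MISSING KEYS"*) echo missing-key ;;
        *"NOT OK"*)       echo not-ok ;;
        *" gpg OK")       echo trusted ;;
        *" OK")           echo unsigned ;;
        *)                echo not-ok ;;
    esac
}

# install_if_trusted <rpmfile>...
# Runs rpm -K on every file first and refuses the whole set unless each
# one is trusted; only then does it call rpm -Uvh (which needs root).
install_if_trusted() {
    for f in "$@"; do
        status=$(sig_status "$(rpm -K "$f" 2>&1)")
        if [ "$status" != trusted ]; then
            echo "refusing to install $f: signature check result is $status" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}

# Constructed sample lines in the shape of rpm 4.4 output:
SAMPLE_SIGNED='example-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_NOKEY='example-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#37017186)'
SAMPLE_BAD='example-1.0-1.i386.rpm: md5 NOT OK'
SAMPLE_UNSIGNED='example-1.0-1.i386.rpm: sha1 md5 OK'

for line in "$SAMPLE_SIGNED" "$SAMPLE_NOKEY" "$SAMPLE_BAD" "$SAMPLE_UNSIGNED"; do
    printf '%-12s %s\n' "$(sig_status "$line")" "$line"
done
```

Treating an unsigned package the same as a rejected one is deliberate: an intact but unsigned file proves nothing about who built it, which is the question the text says to settle before installing.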
After verifying that the package is trustworthy, install it with this command:
rpm -Uvh <rpmfile>
The -Uvh arguments tell the rpm command to install the package, display verbose information about the installation, and display the progress of the installation with hash marks. The output will look similar to Listing 5.2.
LISTING 5.2 Installing an RPM Package
Preparing...                ########################################### [100%]
   1:example                ########################################### [100%]
Sometimes a package requires additional RPM packages to be installed or updated as shown in Listing 5.3.
LISTING 5.3 Dependencies Needed
error: Failed dependencies:
        example-core = 1:2.0.0-3.2.1 is needed by example-filters-2.0.0-3.2.1.i386
Download the additional package as well and install all the packages at the same time:
rpm -Uvh <rpmfile1> <rpmfile2>
TIP
The -U argument installs the software if it is not already installed. If it is already installed and you only want to upgrade the package, use the -F argument instead:
rpm -Fvh <packagename>-<version_number>.<arch>.rpm
Additional options to the rpm command can be specified when installing packages. Some of these options are described in Table 5.2.
TABLE 5.2 Optional rpm Arguments When Installing or Updating
Argument       Description
--nodeps       Install or upgrade the package without checking for dependencies. The software will most likely not function properly without the software dependencies installed. If you contact Red Hat support with problems, they will most likely ask you to reproduce the problem on a system where all package dependencies have been satisfied.
--noscripts    Do not execute any of the scripts before or after installation, upgrade, or removal.
--excludedocs  Do not install packages marked as documentation files such as man pages.
--oldpackage   Allow a package to be replaced with an older version.
--test         Check for potential conflicts such as package dependencies but do not install the package.
Installing an RPM package without Red Hat Network to resolve dependencies can be quite frustrating because sometimes the package name is listed as a dependency and sometimes just a filename is listed as a dependency; the administrator has to determine which package provides the file. If the package you are trying to install is provided with Red Hat Enterprise Linux, refer to Chapter 3 for details on installing it and automatically resolving its package dependencies with RHN or the yum command-line utility.
If the package is not part of Red Hat Enterprise Linux, you still might be able to use RHN to resolve the software dependencies. Open the Nautilus file browser by selecting Home Folder or Desktop from the Places menu on the top panel of the desktop. Browse to the directory containing the RPM to be installed. Double-click on it to open the Software Installer as shown in Figure 5.1.
FIGURE 5.1 Installing an RPM Package with Software Installer
Click Apply to install the package. If additional packages are required as dependencies, the program will try to use yum to find the additional software. For this feature to work, the system must be registered to use RHN (refer to Chapter 3). If the dependencies are found, they are listed so that you can confirm their installation as well. When the installation is finished, a completion message will appear.
Installing a New Kernel
There is a -i argument to RPM to install packages, but it is more convenient to use -U when installing and upgrading software because -U installs or upgrades the package depending on whether or not it is already installed. However, there is an exception: installing a new kernel. When installing a new kernel, you should keep the current kernel installed in case the new kernel does not work with the system's hardware, does not perform as well as the current kernel, or causes other problems. When you use the -U argument to RPM, the older version of the software package is no longer available.
For most packages, you will receive an error message when trying to use the -i argument to upgrade a package if you already have an older version installed. With the kernel package, you will not receive this error because it is possible to have multiple versions of the kernel installed. Thus, it is recommended that you always use the rpm -ivh kernel-<version>-<release>.<arch>.rpm command when upgrading the kernel so the older kernel remains on the system. The system must be rebooted to enable the new kernel. After rebooting, you will notice the new kernel in the list of possible boot choices. By default, the system boot loader is configured to boot the new kernel. To modify which kernel is booted by default, edit the boot loader configuration file for your architecture. Chapter 2, "Post-Installation Configuration," contains example boot loader files for all architectures.
For x86 and x86_64 systems, modify the value of the default option in the /etc/grub.conf file. Each kernel installed has a section in /etc/grub.conf starting with a title line such as the one shown in Listing 5.4. The value of the default option is the number of the title section, with the count starting at 0 and going from the first title section listed to the bottom of the file.
LISTING 5.4 Kernel Section in Bootloader Configuration File
title Red Hat Enterprise Linux (2.6.16-1.2096)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.16-1.2096 ro root=LABEL=/ rhgb quiet
        initrd /boot/initrd-2.6.16-1.2096.img
If you are unable to boot the new kernel to modify the bootloader configuration file, you can choose a different kernel using the up and down arrow keys at the bootloader screen shown as the system is booting and before the kernel is loaded.
Updating Software
If an RPM package is already installed, it can be updated to a newer version. With RPM, there isn't the concept of using a different file or set of files to perform a software upgrade. The same RPM file or files used to install a program can be used to update the program as well.
To update to a newer version of a package already installed:
rpm -Uvh <packagename>-<version>-<release>.<arch>.rpm
The same additional arguments available when installing packages can be used when upgrading. They are listed in Table 5.2.
Some of the files in an RPM package are marked according to what type of files they are. For example, configuration files can be marked as configuration files by the person who created the RPM package. If a configuration file is part of the package being upgraded, RPM checks the file to determine if it has been modified. So, what happens to the configuration files when a package is upgraded? Here are the possible scenarios:
Current file has not been modified
Regardless of whether the file from the updated package has changed from the file installed by the original package, the configuration file is replaced with the file from the updated package.
Current file has been modified but the file from the updated package hasn't changed from the file installed by the original package
Because the configuration file hasn't changed from version to version, the modified file on the system is left alone.
Current file has been modified and the file from the updated package has changed from the file installed by the original package
Because the configuration file has changed from version to version, it is not known whether the current configuration file will work with the new version of the software. The modified file on the system is renamed with the .rpmsave file extension, and the configuration file from the new package version is installed over the modified file on disk. If you are using the command-line version of RPM, a message is displayed with the old and new filenames.
Removing Software
To remove a package, issue the following command:
rpm -e <packagename>
Notice that this time, only <packagename> is used, not the full name of the file used to install the software. When this command is issued, the RPM database is searched for the files associated with this package, and they are removed.
If multiple versions of a package are installed, such as the kernel, the package version can also be specified to make sure the correct version is removed:
rpm -e <packagename>-<version>-<release>
As previously discussed, sometimes packages must have additional packages installed for them to function properly. If you try to remove a package that is needed by a package installed, a message similar to the following is shown:
error: Failed dependencies:
        example-filters is needed by example-core = 1:2.0.0-3.2.1
If the package that depends on the package you are trying to remove is still needed on the system, you should not try to remove the package. If the package that depends on the package you are trying to remove is also not needed, both must be removed at the same time to resolve the dependency:
rpm -e <packagename1> <packagename2>
Even if the packages are not dependent on each other, multiple packages can be removed at the same time by specifying them in the same command separated by a space.
If a configuration file is part of the package being removed but it has been modified, the file will be renamed with the .rpmsave extension instead of removed, and a message similar to the following is displayed:
warning: /etc/sysconfig/samba saved as /etc/sysconfig/samba.rpmsave
Verifying Software Files
What if you want to verify that the files associated with a package haven't been corrupted or compromised? For example, if you suspect your system has been accessed by a nonauthorized user, you can verify that the files from a package have not been changed with the RPM verify feature. Of course, if the unauthorized user altered the RPM database, the results may not be accurate. It is always best to back up to a known secure state of the filesystem if you suspect foul play.
If the verify function is used, file properties such as file size, MD5 sum, file permissions, file type, and file ownership are compared to the original values stored in the RPM database. To verify the files associated with a package, use the following command:
rpm -V <packagename>
If no output is returned, the files from the package have not been modified since installation. If a file, such as a configuration file, has been modified, the output is similar to Listing 5.5.
LISTING 5.5 Output from rpm -V httpd
.M.....T  c /etc/httpd/conf/httpd.conf
To verify the files from all the packages installed, use the rpm -Va command. The output is similar to Listing 5.6.
LISTING 5.6 Sample Output from rpm -Va
....L...  c /etc/pam.d/system-auth
..5....T  c /etc/inittab
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser/content
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser/skin
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/cookie
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/cookie/content
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/editor
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/editor/content
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/global
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/global/content
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/global/skin
S.5....T  c /etc/ntp/ntpservers
S.5....T  c /etc/audit.rules
In Listing 5.5, the c to the left of the filename indicates that the file is a configuration file. Other possible attribute markers include d for documentation files, g for ghost files (file contents are not included in the package payload), l for license files, and r for readme files.
The letters, numbers, and dots at the beginning of each line detail how the file differs from the original state of the file. As shown in Listing 5.6, if a file is no longer installed, the word missing appears instead of the sequence of codes. Otherwise the eight letters, numbers, and dots represent eight different tests performed to verify the file. Table 5.3 explains the codes that appear in the sequence in the order in which they appear if any of the tests fail. If a dot is shown instead of a code letter or number, the test passed.
TABLE 5.3 RPM Verification Codes
Code  Explanation
S     File size has changed
M     Mode has changed, including file permissions and file type
5     MD5 sum has changed
D     Device major or minor number has changed
L     The path of the symbolic link has changed
U     The owner of the file has changed
G     The group of the file has changed
T     The last modified time has changed
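Table 5.3 applied to rpm -V output, as an added example that is not part of the book: rpm_verify_report reads rpm -V or rpm -Va lines on standard input, expands each code letter into the property it stands for, and marks as SUSPECT any file whose MD5 sum changed but which carries no c attribute marker, since a changed checksum on a non-configuration file means the installed content no longer matches what the package shipped. The sample input is constructed from Listing 5.6 plus one made-up non-configuration file (/usr/bin/example-tool); as the text says, the report is only as trustworthy as the RPM database it was produced from.

```shell
#!/bin/bash
# Added example, not from the book: turn "rpm -V" / "rpm -Va" lines into
# readable findings using the codes of Table 5.3, and flag content
# changes on files that are not marked as configuration files.

# rpm_verify_report
# Reads rpm -V output on stdin. For each line prints
#   "<severity> <path> [<changed properties>]"   or   "MISSING <path>".
# Severity is SUSPECT when the MD5 code (5) is set and the attribute
# marker is not "c"; everything else is reported as "info".
rpm_verify_report() {
    awk '
    BEGIN {
        m["S"] = "size";    m["M"] = "mode";  m["5"] = "md5";   m["D"] = "device"
        m["L"] = "symlink"; m["U"] = "owner"; m["G"] = "group"; m["T"] = "mtime"
    }
    $1 == "missing" { print "MISSING " $NF; next }
    NF >= 2 {
        code = $1; path = $NF
        attr = (NF == 3) ? $2 : "-"          # c, d, g, l, r, or absent
        changed = ""
        for (i = 1; i <= length(code); i++) {
            ch = substr(code, i, 1)
            if (ch != ".")
                changed = changed (changed == "" ? "" : ",") ((ch in m) ? m[ch] : ch)
        }
        severity = (index(code, "5") > 0 && attr != "c") ? "SUSPECT" : "info"
        print severity " " path " [" changed "]"
    }'
}

# Constructed sample modelled on Listing 5.6; the last line is a made-up
# non-configuration file whose content no longer matches the package.
SAMPLE_VERIFY='....L...  c /etc/pam.d/system-auth
..5....T  c /etc/inittab
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser
S.5....T  c /etc/ntp/ntpservers
S.5....T    /usr/bin/example-tool'

printf '%s\n' "$SAMPLE_VERIFY" | rpm_verify_report
```

On a live system run rpm -Va | rpm_verify_report and read the SUSPECT lines first; a changed configuration file is usually an administrator's edit, whereas a changed binary or library with an intact mtime and size is worth comparing against a freshly downloaded, signature-verified copy of the package.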
Querying Package Files
You now know that an RPM database on the system keeps track of which files are associated with each RPM installed, but how do you know which files are associated with which RPM packages? You can query the RPM database and find out with the following command:
rpm -qf <filename>
The <filename> must be the full path to the file. If the file is associated with an RPM package installed, the name of the package and the version installed is displayed. For example, if the rpm -qf /etc/crontab command is issued, the output is crontabs-<version>-<release>, where <version>-<release> is the version and release of the crontabs package installed.
TIP
If the file is a command already in your PATH environment variable, use the following syntax instead of typing the entire path to the file:
rpm -qf `which <filename>`
Notice the command contains back ticks, not apostrophes. The back ticks tell the shell to execute the command inside them and use that as part of the overall command.
You also know that configuration files are marked as configuration files in the RPM database when they are installed. To retrieve a list of configuration files from a package installed, use the following command:
rpm -qc <packagename>
If any files from the package were marked as configuration files when the package was created, a list of them will be displayed.
A similar query can be performed to list any documentation files installed with a package:
rpm -qd <packagename>
Documentation files include man pages and text or HTML formatted files in /usr/share/doc/ installed by the package.
Each time a package is changed, the developer is responsible for adding a changelog entry to describe the change. This becomes part of the information provided by the RPM package. The query option has the ability to show the changelog for the package with the following command:
rpm -q --changelog <packagename>
These query commands can also be performed on an RPM package file instead of on the package name of the package already installed. To do so, add the -p argument followed by the full or relative path to the package file. For example, to view the changelog of a package before installing it, use the following command:
rpm -q --changelog -p <packagename>-<version>-<release>.<arch>.rpm
Building RPM Packages
Finally, although building packages is usually left to the software distributor or software developer, it is useful for an administrator to know how to build a basic RPM package. Think beyond traditional software programs. RPM packages can be used to install user files required for a corporate workstation, custom VPN software or configuration files, corporate templates for internal and external communications, and so on.
Advantages of distributing custom scripts, corporate templates, configuration files, and the like in RPM format instead of just copying them to each system include
Version control. The RPM version number can help you keep track of the version number for debugging or determining which systems need to be updated.
Easier distribution. Installing an RPM can be done remotely from an SSH session or via Red Hat Network Satellite.
Consistency. By defining where the files are installed when building the RPM package, administrators can find them in the same location on any system. This can be especially useful if multiple administrators are responsible for installing and using the software.
Verification. Using the verify option previously discussed, administrators can quickly determine if the files have been altered (assuming the RPM database was not modified to hide the file modifications).
The program necessary for building RPM packages is not installed by default. Before building your RPM packages or following the example in this section, install the rpm-build package and its dependencies. If your system is registered with RHN, install the package with the yum install rpm-build command or refer to Chapter 3 for instructions on how to schedule its installation with the RHN website.
NOTE
The example files used in this section can be downloaded from the book's website.
This section discusses the following steps for building an RPM:
Setting up the build environment.
Creating a spec file that defines the package name, version, release number, description, and more.
Creating a Makefile that contains target actions such as building the source and binary RPM files.
Creating a tarball of all the source files.
Running the appropriate Makefile target to build the source RPM, binary RPM, or both.
5ett|ng U the Bu||d nv|renment
Beore building Ihe package, seI up your build environmenI. By deaulI, Ihe
1usr1src1redha1} direcIory is used and conIains Ihe ollowing subdirecIories: 8u1L0, PPMS,
S0uP0ES, SPE0S, and SPPMS. However, Ihese direcIories are owned by Ihe rooI user and are
only wriIable by Ihe rooI user. When building RFMs, iI is besI Io build as a non-rooI user
CH^lTLR 5 worklng wlth RlM Software 136
such as your user accounI or perhaps a special user accounI seI up or building RFM. This
is Io make sure Ihe build process does noI accidenIally corrupI Ihe ilesysIem or overwriIe
criIical iles owned by rooI. A small error in a scripI can do uninIenIional damage IhaI
mighI be irreversible.
To set up build directories for your own personal use, create a .rpmmacros file in your home directory with the contents from Listing 5.7, replacing <username> with your username. This file must be created by each user building packages.

LISTING 5.7 ~/.rpmmacros File
%_topdir /home/<username>/RPMBUILD

The line in Listing 5.7 defines the directory to use when building the RPM files. You need to create this directory and some additional subdirectories. Change into your home directory and then execute the following commands:

mkdir RPMBUILD
mkdir -p RPMBUILD/{BUILD,RPMS/x86_64,SOURCES,SRPMS,SPECS}

The command assumes you are using an x86_64 system. RPMs built for the x86_64 architecture are saved to the /home/<username>/RPMBUILD/RPMS/x86_64/ directory. If you need to build RPMs for different architectures compatible with your system such as the noarch or i386 architectures on an x86_64 system, create directories for them as well. The directory names should be the same as the RPM architecture abbreviations in Table 5.1. In our example, the RPMBUILD/RPMS/noarch/ directory must be created since the example package is a noarch RPM.

TIP
Additional macros can be defined in the .rpmmacros file. Refer to the /usr/lib/rpm/macros file for a full list. For example, if you want to save the SRPMs in a different directory, you can add the following line to your .rpmmacros file:
%_srcrpmdir /home/<username>/SRPMS

The .rpmmacros file and the build directories only need to be created once. After that, your build environment is set up for any RPMs and SRPMs you need to create.
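The setup above can be scripted and checked. The following is an added example, not code from the book: it creates the same RPMBUILD tree that Listing 5.7 describes, writes the .rpmmacros line, and then verifies that every directory exists and that no other local user can write into the tree. The home directory is passed as a parameter (an assumption made so the functions can be run against a scratch directory); for real use pass "$HOME". It assumes GNU coreutils (stat -c).

```shell
#!/bin/bash
# Added example, not from the book: create the per-user build tree that
# Listing 5.7 describes and verify that it is safe to build in.
# HOME_DIR is passed in rather than read from $HOME so the functions can be
# exercised against a scratch directory.
set -u

RPM_SUBDIRS="BUILD SOURCES SPECS SRPMS RPMS/noarch"

# setup_rpm_build_env HOME_DIR ARCH
#   Writes HOME_DIR/.rpmmacros with %_topdir = HOME_DIR/RPMBUILD and creates
#   BUILD, SOURCES, SPECS, SRPMS, RPMS/noarch and RPMS/ARCH under it.
setup_rpm_build_env() {
    local home="$1" arch="$2" topdir d
    topdir="$home/RPMBUILD"
    # %prep, %install and %clean run with the privileges of the user invoking
    # rpmbuild, so warn if that user is root.
    if [ "$(id -u)" -eq 0 ]; then
        echo "warning: building RPMs as root is not recommended" >&2
    fi
    for d in $RPM_SUBDIRS "RPMS/$arch"; do
        mkdir -p "$topdir/$d" || return 1
    done
    # Nobody else should be able to drop files into the tree: anything left
    # in BUILD or SOURCES can end up inside the package.
    chmod -R go-w "$topdir" || return 1
    # printf needs the literal % doubled.
    printf '%%_topdir %s\n' "$topdir" > "$home/.rpmmacros"
}

# rpm_build_env_ok HOME_DIR ARCH
#   Returns 0 when the macro file names the tree, every directory exists and
#   none of them is group- or world-writable.
rpm_build_env_ok() {
    local home="$1" arch="$2" topdir d perms
    topdir="$home/RPMBUILD"
    grep -q "^%_topdir $topdir\$" "$home/.rpmmacros" 2>/dev/null || return 1
    for d in $RPM_SUBDIRS "RPMS/$arch"; do
        [ -d "$topdir/$d" ] || return 1
        # stat -c '%A' (GNU coreutils) prints the mode as drwxr-xr-x
        perms=$(stat -c '%A' "$topdir/$d") || return 1
        case "$perms" in
            ?????w*|????????w*) return 1 ;;   # group or other has write
        esac
    done
    return 0
}

# Demonstration against a scratch directory (use "$HOME" for real)
scratch=$(mktemp -d)
if setup_rpm_build_env "$scratch" "$(uname -m)" \
   && rpm_build_env_ok "$scratch" "$(uname -m)"; then
    echo "build tree ready:"; cat "$scratch/.rpmmacros"
fi
rm -rf "$scratch"
```

Run it once per build account; the check function is also worth running from a cron job on a shared build host, since a directory that later becomes group-writable silently widens who can influence the packages built there.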
Creating the Spec File
Building a package requires a package specification file (often called a spec file for short) and the files to be included in the package. For example, you might want to package a custom VPN script used by laptop users to connect to the company's private network while traveling or working from home. The name of the script is startvpn. Every VPN solution is a bit different, so for the purpose of this example, use Listing 5.8 for the contents of this script. It does not actually start a VPN, but it does display a message so that we can test our RPM file.
LISTING 5.8 Example startvpn Script
#!/bin/bash
echo "startvpn script executed"
This example package depends on the vpnc package to work properly. An example spec file, startvpn.spec, can be found in Listing 5.9.

NOTE
This is a very simplistic example that does not require the code to be compiled or any post commands to be executed. It is intended to illustrate how building an RPM can be useful for a system administrator. For more advanced building options, refer to the RPM Guide available at http://fedora.redhat.com/docs/drafts/rpm-guide-en/ from the Fedora Project.
LISTING 5.9 Example spec File
Name: startvpn
Summary: Custom script to start VPN
Version: 1.1
Release: 1
License: GPL
Group: Applications/Internet
URL: http://www.example.org/
Source0: %{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}
BuildArch: noarch
Requires: bash
Requires: vpnc

%description
Custom script to start VPN and connect to company's private network.
For company use only.

%prep
%setup -q

%install
rm -fr $RPM_BUILD_ROOT
make INSTROOT=$RPM_BUILD_ROOT install

%clean
rm -fr $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
/usr/local/bin/%{name}

%changelog
* Thu Apr 27 2006 Tammy Fox <tfox@example.org>
- updated routes

* Wed Feb 22 2006 Tammy Fox <tfox@example.org>
- first build of VPN script
The following describes the fields and sections from the spec file in Listing 5.9:

Name
Package name. The name cannot contain spaces.

Summary
Short phrase describing the purpose of the package.

Version
Software version of the package.

Release
Build number. Every time the package is rebuilt with the same version number, this number should be incremented so that it is clear a rebuild has occurred even if the code has not changed. If a new version is built, this number goes back to 1 because the version number indicates a code change and a rebuild.

License
License for the software such as GPL, LGPL, or FDL for documentation.

Group
The software group for the package. It must be a valid group from the /usr/share/doc/rpm-<version>/GROUPS file.

URL
Website location for the software, if one exists.

Source0
Name of the file that contains the source and other files to be installed. The file is usually a tar file compressed with either gzip or bzip2. Always use macros in the filename such as %{name} and %{version} when possible. Doing so will result in minimal changes to the spec file when other parameters change. If multiple source tarballs exist, list them on separate lines and increment the number for each file such as Source0, Source1, Source2, and so on.
BuildRoot
Directory location of where to build the package. As code is compiled, it is set up in this directory so the RPM package can be built. Be sure to use the macro %{_tmppath} for the temporary directory to make sure the correct directory is used on the build server. As shown in Listing 5.9, be sure to include the name and version of the package in the build root directory to ensure the package is built in a unique directory that another package build is not using. Because %{_tmppath} is normally /var/tmp, which every local user can write to, a build root that also includes the building user's name, for example %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n), keeps two users building the same package from clobbering each other's files.

BuildArch
Architecture from Table 5.1 for which the package should be built. In our example, the BuildArch is noarch because the bash script can be run on any architecture.

Requires
If additional software needs to be installed for the software to run, list the packages that provide the additional software with this field. List each package on separate lines with this keyword. If additional software is necessary to build the source code while building the package, use the BuildRequires field instead.

%description
Description of the package. It shouldn't be more than 10 to 15 lines. This description is displayed when the rpm -qi <packagename> command is executed.

%prep
How to unpack the source code from the source files listed with Source0, Source1, and so on. Usually done with the %setup macro in quiet mode:
%setup -q

%install
Instructions for installing the files in the package. It is a good idea to clean out the build root just in case a previous build left files in it:
rm -rf $RPM_BUILD_ROOT
If using make to install the files, be sure to specify the RPM build root as the INSTROOT for it:
make INSTROOT=$RPM_BUILD_ROOT install
The install target of the Makefile creates the /usr/local/bin/ directory in the INSTROOT and then installs the script in the directory. Because the name of the script file is the same as the package name, the $(PKGNAME) variable is used.

%clean
Command to clean up the build root. Usually the following will work:
rm -rf $RPM_BUILD_ROOT
%files
The list of files installed by the RPM package. These are the files associated with the package in the RPM database and listed when the rpm -ql <packagename> command is run. When listing files, be sure to use macros such as %{name} and %{version} when possible.

Use the %defattr macro to set the default file permissions for the files installed. For most packages it should be
%defattr(-,root,root,-)
The fields inside the parentheses stand for the file permissions, owner, group, and directory permissions. A dash for the file and directory permissions causes the permissions of the files and directories inside the BuildRoot to be retained. This macro is usually listed first under the %files section for easy readability. Because the files are then installed owned by root with whatever mode they had in the build root, check that nothing in the build root is world-writable or unexpectedly setuid before packaging.

To mark files as special file types, include the following macros before the filename: %doc for documentation files, %config for configuration files, %config(noreplace) for configuration files that should not be replaced when upgrading the package.

If a directory is listed, place the %dir macro in front of it.

If a specific file needs different attributes, they can be listed with the %attr macro in front of the filename in the list such as:
%attr(0644,root,root) %config(noreplace) /etc/sysconfig/%{name}

Macros for special directories should be used in case their locations change or differ on different versions of the operating system. This prevents files from being installed in the wrong location should a special directory such as the man page directory change locations. It also helps the files stay FHS-compliant. These macros include %{_bindir} for the system bin directory, %{_mandir} for the man page directory, %{_datadir} for the share directory, and %{_defaultdocdir} for the documentation directory.
%changelog
Every time the package is built, a changelog entry should be added to the spec file in the format shown in Listing 5.9. Even if the rebuild is for the same version with a different release number, a changelog entry should be added to describe why the rebuild occurred. The entries should be as specific as possible. For example, instead of random bug fixes, the entry should include information such as fixed traceback error when log file doesn't exist so the administrator can determine whether the update is necessary or whether the update will fix a problem he is having with the software. If a bug tracking system is used for the software, include the bug number with the changelog entry.
Additional parameters that can be set in the spec file include

%build
Instructions for building the package. Usually the make command is used to run the default target of the Makefile, or the %configure macro is used if automake and autoconf are used. For our example, this parameter is not used since the program being installed is a script and does not need to be compiled.

BuildRequires
If a package such as one that provides a compiler or a library necessary to build the package is needed, use this field to list them. Each package should be listed on its own line with the BuildRequires keyword. If a package is required to run the software after it is installed, use the Requires field instead.

Patch0
If a patch should be applied to the source code during the build process, list it with this field. If more than one patch is necessary, list them separately and increment the patch number in the field name such as Patch0, Patch1, Patch2, and so on.

Obsoletes
If the package name has changed, this field can be used to list the old package name. When performing a package update, if the old package is installed, it will be removed and replaced with the updated package with the new package name.

%pre
Command that needs to be run before the package is installed.

%post
Command run immediately after the package is installed. For example, an initialization script to start a daemon.

%preun
Commands run right before the package is removed.

%postun
Commands run right after a package is removed.

In the sections %pre, %post, %preun, and %postun, always use the full path to commands, never output messages to standard out, and never make the scripts interactive. If the RPM installation, upgrade, or removal is part of a bigger script run or is performed from a graphical interface, messages to standard out are not seen, including prompts for the user to interact with the script. Unlike the build sections, these scriptlets run as root on every system that installs the package, so keep them minimal, make them safe to run more than once, and never let them execute anything from a location that unprivileged users can write to.
Creating the Makefile
The Makefile is similar to a script. It contains variables that define values such as the name of the package. It also contains stanzas called targets. Each target has a unique name that represents an action such as install for installing the software or rpm for building the RPM file. Each target contains a list of commands to run to perform the action. Listing 5.10 contains a simple Makefile for our example startvpn program.

CAUTION
When creating the Makefile, be sure to use tabs instead of spaces to indent the lines for each target. Also, the commands for each target must be started on the next line as shown in Listing 5.10.

LISTING 5.10 Example Makefile
PKGNAME=startvpn
VERSION=$(shell awk '/^Version:/ { print $$2 }' $(PKGNAME).spec)

default: install

install:
	echo $(INSTROOT)
	mkdir -p $(INSTROOT)/usr/local/bin
	install $(PKGNAME) $(INSTROOT)/usr/local/bin/$(PKGNAME)

srpm:
	@rpmbuild -ts $(PKGNAME)-$(VERSION).tar.gz

rpm:
	@rpmbuild -tb $(PKGNAME)-$(VERSION).tar.gz
The example Makefile starts off by defining the name of the package as the PKGNAME variable and the version of the package as the VERSION variable. Notice that the version number is retrieved from the package spec file using an awk command. Using this command prevents you from getting the package versions listed in the spec file and Makefile out of sync. Because the Makefile retrieves the version number from the spec file, you just need to change the version number in the spec file each time it needs to be incremented.

Because our example program is only one file, the install target creates the directory for the file and then installs the file into the directory. The srpm and rpm targets execute the corresponding rpmbuild commands.
Creating the Source Tarball
Creating the source tarball is as easy as creating a directory with the package name and version in it such as startvpn-1.1, copying all the source files including the Makefile and the spec file in it, and using the following command to create the compressed archive file whose filename also includes the package name and version number:
tar czvf <packagename>-<version>.tar.gz <packagename>-<version>
In our example, the command would be
tar czvf startvpn-1.1.tar.gz startvpn-1.1
Notice that the startvpn-1.1/ directory is retained for the files in the tarball. When the tarball is uncompressed and unarchived, this directory must be created. The spec file has to be inside the tarball as well, because the srpm and rpm targets in Listing 5.10 use rpmbuild -ts and rpmbuild -tb, which build from a tarball that carries its own spec file. To test the tarball, execute the tar tzvf startvpn-1.1.tar.gz command. You should see the following:
startvpn-1.1/
startvpn-1.1/startvpn
startvpn-1.1/startvpn.spec
startvpn-1.1/Makefile
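The tarball layout matters because %setup -q and rpmbuild -tb both depend on it. The following is an added example, not the book's own code: it reads Name: and Version: from the spec file the same way the Makefile in Listing 5.10 does, builds the <packagename>-<version>.tar.gz archive with the required top-level directory, and checks the archive before it is handed to rpmbuild. The source directory, package name and output directory are parameters (an assumption for this example); it assumes tar, awk and mktemp as found on a Linux system.

```shell
#!/bin/bash
# Added example, not from the book: build the source tarball that
# "rpmbuild -tb" expects and check its layout first.
set -u

# spec_version SPECFILE -> prints the Version: value
spec_version() {
    awk '/^Version:/ { print $2; exit }' "$1"
}

# spec_name SPECFILE -> prints the Name: value
spec_name() {
    awk '/^Name:/ { print $2; exit }' "$1"
}

# make_source_tarball SRCDIR PKGNAME OUTDIR
#   SRCDIR holds PKGNAME.spec, the Makefile and the files to package.
#   Creates OUTDIR/PKGNAME-VERSION.tar.gz whose entries all live under
#   PKGNAME-VERSION/ and prints the tarball path.
make_source_tarball() {
    local srcdir="$1" pkg="$2" outdir="$3"
    local spec="$srcdir/$pkg.spec" name version stage tarball
    [ -f "$spec" ] || { echo "missing $spec" >&2; return 1; }
    name=$(spec_name "$spec")
    version=$(spec_version "$spec")
    # A Name: that differs from the file name would make Source0 and
    # %setup look for a directory that is not in the tarball.
    [ "$name" = "$pkg" ] || { echo "spec Name: '$name' != '$pkg'" >&2; return 1; }
    [ -n "$version" ] || { echo "no Version: in $spec" >&2; return 1; }
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/$name-$version" "$outdir"
    cp -R "$srcdir/." "$stage/$name-$version/"
    tarball="$outdir/$name-$version.tar.gz"
    # -C makes PKGNAME-VERSION/ the only path prefix inside the archive.
    tar czf "$tarball" -C "$stage" "$name-$version"
    rm -rf "$stage"
    echo "$tarball"
}

# tarball_layout_ok TARBALL PKGNAME VERSION
#   Confirms every entry is under PKGNAME-VERSION/ and the spec is present,
#   which is what %setup -q and rpmbuild -tb rely on.
tarball_layout_ok() {
    local tarball="$1" prefix="$2-$3"
    tar tzf "$tarball" | grep -vq "^$prefix/" && return 1
    tar tzf "$tarball" | grep -q "^$prefix/$2\.spec\$"
}

# Demonstration with a constructed source directory for the startvpn example
scratch=$(mktemp -d)
mkdir "$scratch/src"
printf 'Name: startvpn\nVersion: 1.1\nRelease: 1\n' > "$scratch/src/startvpn.spec"
printf '#!/bin/bash\necho "startvpn script executed"\n' > "$scratch/src/startvpn"
printf 'PKGNAME=startvpn\n' > "$scratch/src/Makefile"
if tb=$(make_source_tarball "$scratch/src" startvpn "$scratch/out") \
   && tarball_layout_ok "$tb" startvpn 1.1; then
    tar tzvf "$tb"
fi
rm -rf "$scratch"
```

Staging a copy under a temporary directory rather than renaming the working directory keeps the archive's path prefix independent of where you happen to keep the sources, which is the usual cause of a %setup failure.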
Building the Package
Now that the spec file has been created, the Makefile has been written, and the source files have been archived and compressed into a source tarball, it is time to build the source RPM (also referred to as the SRPM) and the RPM used to install the software.

The rpmbuild command is used to actually build the SRPM and RPM files. It is provided by the rpm-build package, so make sure the rpm-build package is installed. Notice that the Makefile in our example from Listing 5.10 includes srpm and rpm targets that execute the rpmbuild command for building the SRPM and RPM for our package. So, to build the SRPM file, make sure you are in the directory that contains the Makefile, the spec file, and the source tarball you just created, and execute the make srpm command. Listing 5.11 shows the output when building the SRPM, assuming the user building the package is tfox. If you are using the .rpmmacros file from Listing 5.7, the SRPM file will be saved to the /home/<username>/RPMBUILD/SRPMS/ directory.

LISTING 5.11 Building the SRPM
Wrote: /home/tfox/RPMBUILD/SRPMS/startvpn-1.1-1.src.rpm

To build the RPM used to install the software, execute the make rpm command. The RPM will be saved in the /home/<username>/RPMBUILD/RPMS/<arch> directory, where <arch> is the architecture specified by the BuildArch parameter in the spec file. In our example, the <arch> is noarch. Listing 5.12 shows the output while building the RPM, assuming the user building the package is tfox.

LISTING 5.12 Building the RPM
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.38985
+ umask 022
+ cd /home/tfox/RPMBUILD/BUILD
+ cd /home/tfox/RPMBUILD/BUILD
+ rm -rf startvpn-1.1
+ /bin/gzip -dc /home/tfox/startvpn/startvpn-1.1.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd startvpn-1.1
+ exit 0
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.38985
+ umask 022
+ cd /home/tfox/RPMBUILD/BUILD
+ cd startvpn-1.1
+ make INSTROOT=/var/tmp/startvpn-1.1-1 install
make[1]: Entering directory `/home/tfox/RPMBUILD/BUILD/startvpn-1.1'
echo /var/tmp/startvpn-1.1-1
/var/tmp/startvpn-1.1-1
mkdir -p /var/tmp/startvpn-1.1-1/usr/local/bin
install startvpn /var/tmp/startvpn-1.1-1/usr/local/bin/startvpn
make[1]: Leaving directory `/home/tfox/RPMBUILD/BUILD/startvpn-1.1'
+ exit 0
Processing files: startvpn-1.1-1
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: /bin/bash bash vpnc
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/startvpn-1.1-1
Wrote: /home/tfox/RPMBUILD/RPMS/noarch/startvpn-1.1-1.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.38985
+ umask 022
+ cd /home/tfox/RPMBUILD/BUILD
+ cd startvpn-1.1
+ rm -fr /var/tmp/startvpn-1.1-1
+ exit 0
Signing the Package
After building the package, while not required, it is recommended that you sign the package. Signing the package allows anyone installing it to verify that the package has not been modified in any way after being signed by you. Each time you build the package, you need to sign it.

If you do not already have a GPG key or want to use a different one for signing packages, use the following command to generate a GPG key:
gpg --gen-key
Run this command as root so that the memory used to generate the key can be locked. When gpg cannot lock memory, as is usually the case for a non-root user, it prints "Warning: using insecure memory!" and the pages holding the key material could be written to swap, where they might later be read. The private key then lives in /root/.gnupg/ on this machine, so generate it on a host you treat as a trusted signing host rather than on a shared workstation. Listing 5.13 shows what is displayed after executing the command.
LISTING 5.13 Generating a GPG Key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
Select the default key type by typing 1 when prompted. Next, you are prompted for a key size. The longer the key size, the more secure. The 1024-bit minimum this version of gpg offers for DSA is no longer considered adequate; where the rpm on the systems that will verify your packages supports it (confirm with rpm -K on a test system), prefer an RSA signing key (option 5) of at least 2048 bits.

A key can have an expiration date. If an expiration date is entered, everyone with the public key is notified of its expiration when they try to use the public key after the expiration date. Unless you have a specific reason to make the key expire, enter 0 for the expiration date, meaning that there is no expiration date for the key. Type y to confirm that the key will not expire. A key that never expires can only be retired by publishing a revocation certificate, so generate one right after the key is created (gpg --gen-revoke) and keep it with the offline backup of the private key.

The following message appears next:
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

This user ID can be read by everyone with the public key, so choose it carefully. If you are generating this for your company, instead of using your name, use the company name. Use an email address that will still be active after several years such as security@example.com. The individual email address that receives the email can change over the years, while the generic email address stays the same.
You are prompted for each of these three items individually. After entering all three, you can change any of them, confirm them by typing O for OK, or quit.

If you type O, next enter a passphrase. Just like a password, a passphrase should contain a combination of upper- and lowercase letters, numbers, and special characters. A passphrase is used instead of a password because a passphrase can be and should be longer than a user password. Instead of just using one word, try to use a passphrase based on a long phrase. Just be sure it is one you can remember because it must be typed each time you sign an RPM package. After entering the passphrase and entering it again to confirm it, the following message is displayed:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+++++..++++++++++
++++++++++++++++++++++++++++++.+++++++++++++++++++++++++>+++++.+++++

As the message says, try to perform disk and I/O operations while the key is being generated. After the key is generated, a message similar to the following is displayed:
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key AACA3407 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/AACA3407 2007-02-28
      Key fingerprint = AA96 00FF 5934 440C CE40 04EA 13F8 19C1 AACA 3407
uid                  TCBF Computers (TCBF) <security@example.com>
sub   2048g/1A85E0F8 2007-02-28

The public and private keys are written to the /root/.gnupg/ directory. To write the public key to a file named public_key.txt, execute the following (replace Name with the real name you used when generating the key):
gpg --export -a 'Name' > public_key.txt
CAUTION
Be sure to back up the private and public keys in a secure location. The private key is required when signing RPM packages, and anyone who obtains it can sign packages that your systems will trust.

Anyone wanting to verify the signature of your RPM files, including yourself, must have this key imported into the RPM keyring with the following command run as root:
rpm --import public_key.txt
Refer to the "Installing Software" section in this chapter for instructions on verifying that the key is imported.

Now the rpm utility must be set up to use this new key when signing packages. First, determine the unique GPG name given to the key by executing the following command as root:
gpg --list-keys
The output looks similar to the following:
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/AACA3407 2007-02-28
uid                  TCBF Computers (TCBF) <security@example.com>
sub   2048g/1A85E0F8 2007-02-28

The ID after the slash on the pub line (AACA3407) is the primary signing key, and the ID after the slash on the sub line (1A85E0F8) is the encryption subkey. Either resolves to the same key pair, and gpg signs with the signing-capable key of that pair, so either ID, or the email address from the user ID, can be given to rpm. In our example, 1A85E0F8 is the name referenced. In the /root/.rpmmacros file, include the following lines (replace the name with your GPG name):
%_signature gpg
%_gpg_name 1A85E0F8

To sign a package, execute the following as root:
rpm --resign <rpmfile>
The --resign option replaces any signature already on the file; --addsign adds yours alongside existing ones. Enter the passphrase used to generate the key when prompted. If you enter the correct passphrase for the GPG key named in the /root/.rpmmacros file, the message Pass phrase is good is displayed.
Testing the Package
After building and signing the RPM, install it on a test system to be sure all the files are installed and it performs as expected. First, check the signature on the package with the rpm -K <rpmfile> command (rpm --checksig is the long form). Remember to import your own key as described in the previous section before checking the signature. If the package has not been modified or corrupted since it was signed, the output will include the phrase gpg OK:
startvpn-1.1-1.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
If the signature does not verify, for example because the file was changed after it was signed, the output includes
NOT OK
If you haven't imported the corresponding public key, the signature cannot be checked and the output includes
MISSING KEYS
together with NOT OK. A package that was never signed shows only the digests, such as sha1 md5 OK, with no gpg entry; the digests catch accidental corruption but not deliberate tampering, which is why the signature matters.

When installing the example package, if you do not have the vpnc package installed, the following error is displayed:
error: Failed dependencies:
        vpnc is needed by startvpn-1.1-1.noarch
You can force the installation of the package so that you can test the package you built from this example:
rpm -Uvh --nodeps startvpn-1.1-1.noarch.rpm
The --nodeps option only tells rpm to ignore the missing dependency; use it on a test system, never to push a package with unmet dependencies to production.

Now that the package is installed, execute the rpm -qi startvpn command. The correct output is shown in Listing 5.14. The build host will be the hostname of the system used to build the package. The Signature line reads (none) because the file installed in this example was not signed; for a signed package, rpm -qi shows the signature type, date, and key ID there.

LISTING 5.14 Information About startvpn RPM
Name        : startvpn                     Relocations: (not relocatable)
Version     : 1.1                               Vendor: (none)
Release     : 1                             Build Date: Wed 28 Feb 2007 12:16:12 AM EST
Install Date: Wed 28 Feb 2007 12:16:38 AM EST      Build Host: build.example.org
Group       : Applications/Internet         Source RPM: startvpn-1.1-1.src.rpm
Size        : 45                               License: GPL
Signature   : (none)
URL         : http://www.example.org/
Summary     : Custom script to start VPN
Description :
Custom script to start VPN and connect to company's private network.
For company use only.

The command rpm -ql startvpn shows that only one file was installed:
/usr/local/bin/startvpn
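A test or deployment script should act on the rpm -K result rather than on a human reading it. The following is an added example, not from the book: it classifies one line of rpm -K output into signed, unsigned, missing-key or bad, and only a verified signature allows the install to go ahead. The sample lines are constructed to match the RHEL 5 rpm output formats quoted above (the key ID in the MISSING KEYS line is taken from the chapter's example key and is an assumption); the wrapper that actually calls rpm -K and rpm -Uvh is defined but not run here.

```shell
#!/bin/bash
# Added example, not from the book: gate package installation on rpm -K.
set -u

# rpmsig_status LINE -> prints signed | unsigned | missing-key | bad
#   LINE is one line of "rpm -K file.rpm" output. Returns 0 only for signed.
rpmsig_status() {
    local line="$1"
    case "$line" in
        *"MISSING KEYS"*)   echo missing-key; return 1 ;;  # checked before NOT OK
        *"NOT OK"*)         echo bad;         return 1 ;;  # digest/signature mismatch
        *" gpg OK"*|*" pgp OK"*|*" signatures OK"*)
                            echo signed;      return 0 ;;  # RHEL 5 and newer formats
        *" OK")             echo unsigned;    return 1 ;;  # digests only
        *)                  echo bad;         return 1 ;;
    esac
}

# verify_before_install RPMFILE
#   Runs rpm -K and proceeds with rpm -Uvh only when a signature verified.
verify_before_install() {
    local file="$1" line status
    line=$(rpm -K "$file" 2>&1) || true
    if ! status=$(rpmsig_status "$line"); then
        echo "refusing to install $file: $status ($line)" >&2
        return 1
    fi
    rpm -Uvh "$file"
}

# Constructed sample lines in the formats rpm -K prints on RHEL 5
OK_LINE='startvpn-1.1-1.noarch.rpm: (sha1) dsa sha1 md5 gpg OK'
UNSIGNED_LINE='startvpn-1.1-1.noarch.rpm: sha1 md5 OK'
NOKEY_LINE='startvpn-1.1-1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#aaca3407)'
TAMPERED_LINE='startvpn-1.1-1.noarch.rpm: (SHA1) DSA sha1 MD5 (GPG) NOT OK'

for sample in "$OK_LINE" "$UNSIGNED_LINE" "$NOKEY_LINE" "$TAMPERED_LINE"; do
    if status=$(rpmsig_status "$sample"); then
        echo "install allowed : $status : $sample"
    else
        echo "install refused : $status : $sample"
    fi
done
```

The order of the case branches is the point: a MISSING KEYS line also contains NOT OK, and an unsigned package ends in OK without any gpg token, so matching "OK" alone would wave through exactly the packages that have no signature to check.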
Summary
If you use Red Hat Network, you may never have to use the command-line version of RPM, but hopefully, this chapter has given you a basic understanding of it so that you can better understand Red Hat Network. If you have custom software to distribute within your company, consider distributing it in an RPM package to ensure consistent installation across all systems and easily keep track of what versions are installed.
IN THIS CHAPTER
Listing Devices
Detecting Hardware
Gathering Information from the BIOS
Listing and Configuring Kernel Modules
HAL

CHAPTER 6
Analyzing Hardware

Similar to other operating systems, Red Hat Enterprise Linux must be configured to use drivers, also known as kernel modules, for each supported device. If the device is connected to the system during the installation process, the installation program will attempt to configure the system to automatically load the device driver on startup.

One convenience of Linux is that most drivers are included with the operating system. There is no need to remember where you put a driver disk or search for a driver on the manufacturer's website. Red Hat Enterprise Linux includes drivers that are compatible with the kernel version.

What happens when you add new hardware after installation? Is there a program that can tell you what devices are connected to the PCI and USB buses? What does the operating system know about the BIOS? How do you know what drivers are being used? This chapter answers these questions and more.

This chapter discusses how to determine what hardware Red Hat Enterprise Linux recognizes and supports, how that hardware is configured, and what to do when new hardware is added.

TIP
This chapter only gives instruction on how to gather information about hardware, add new hardware, determine what hardware is recognized by the operating system, and configure it. To learn more about monitoring the usage of hardware such as memory and CPU, refer to Chapter 20, "Monitoring System Resources."
Listing Devices
PCI and USB devices can be probed for information such as an identification number, chipset revision number, and amount of on-board memory. This information can then be used to properly configure the driver and settings used for the device.

This section discusses the lspci utility for listing PCI devices and the lsusb command for probing USB devices for information.

Listing PCI Devices
Many devices such as network and video cards are attached to the PCI bus. It is important that the operating system load the correct driver for each device so that the proper device settings are configured. For example, if your server contains a Gigabit network card connected to a Gigabit network switch, you can use a few simple Linux utilities to verify and, if necessary, change the transfer rate of the NIC.

To list all the PCI buses on the system and all the devices attached to them, use the lspci utility from the pciutils package. Install this package via Red Hat Network if necessary as described in Chapter 3, "Operating System Updates."

If run with no command-line options, the output includes one line per PCI device with basic information such as the vendor and product name as shown in Listing 6.1.
LISTING 6.1 Sample lspci Output
00:00.0 Host bridge: Intel Corporation 82975X Memory Controller Hub
00:01.0 PCI bridge: Intel Corporation 82975X PCI Express Root Port
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
00:1c.4 PCI bridge: Intel Corporation 82801GR/GH/GHM (ICH7 Family) PCI Express Port 5 (rev 01)
00:1c.5 PCI bridge: Intel Corporation 82801GR/GH/GHM (ICH7 Family) PCI Express Port 6 (rev 01)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 01)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 01)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 01)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 01)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev e1)
00:1f.0 ISA bridge: Intel Corporation 82801GH (ICH7DH) LPC Interface Bridge (rev 01)
00:1f.1 IDE interface: Intel Corporation 82801G (ICH7 Family) IDE Controller (rev 01)
00:1f.2 IDE interface: Intel Corporation 82801GB/GR/GH (ICH7 Family) Serial ATA Storage Controller IDE (rev 01)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
01:00.0 VGA compatible controller: nVidia Corporation G70 GeForce 7600 GT (rev a1)
04:00.0 Ethernet controller: Intel Corporation 82573L Gigabit Ethernet Controller
05:04.0 FireWire (IEEE 1394): Texas Instruments TSB43AB23 IEEE-1394a-2000 Controller (PHY/Link)
05:05.0 RAID bus controller: Silicon Image, Inc. SiI 3114 SATALink/SATARaid Serial ATA Controller (rev 02)
To display more verbose information about the devices such as the amount of internal memory, use the command lspci -v. Listing 6.2 shows the verbose output for the RAID controller from Listing 6.1.

LISTING 6.2 Verbose lspci Output
05:05.0 RAID bus controller: Silicon Image, Inc. SiI 3114 SATALink/SATARaid Serial ATA Controller (rev 02)
        Subsystem: Intel Corporation Unknown device 7114
        Flags: bus master, 66MHz, medium devsel, latency 32, IRQ 17
        I/O ports at 1018 [size=8]
        I/O ports at 1024 [size=4]
        I/O ports at 1010 [size=8]
        I/O ports at 1020 [size=4]
        I/O ports at 1000 [size=16]
        Memory at 92004800 (32-bit, non-prefetchable) [size=1K]
        Expansion ROM at fff80000 [disabled] [size=512K]
        Capabilities: [60] Power Management version 2
To display everything the system knows about the devices, use the command lspci -vv. Listing 6.3 shows the even more verbose output for the same RAID controller.

LISTING 6.3 Even More Verbose lspci Output
05:05.0 RAID bus controller: Silicon Image, Inc. SiI 3114 SATALink/SATARaid Serial ATA Controller (rev 02)
        Subsystem: Intel Corporation Unknown device 7114
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
        Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
        Latency: 32, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 17
        Region 0: I/O ports at 1018 [size=8]
        Region 1: I/O ports at 1024 [size=4]
        Region 2: I/O ports at 1010 [size=8]
        Region 3: I/O ports at 1020 [size=4]
        Region 4: I/O ports at 1000 [size=16]
        Region 5: Memory at 92004800 (32-bit, non-prefetchable) [size=1K]
        Expansion ROM at fff80000 [disabled] [size=512K]
        Capabilities: [60] Power Management version 2
                Flags: PMEClk- DSI+ D1+ D2+ AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot-,D3cold-)
                Status: D0 PME-Enable- DSel=0 DScale=2 PME-
The lspci utility works by probing the device for its PCI ID. Then, this ID number is cross-referenced with the /usr/share/hwdata/pci.ids file from the hwdata package. This file contains the vendor, device, subvendor, subdevice, and class identifiers for all known PCI IDs.

TIP
To change the output of lspci to a format easier to parse using a script, use the -m switch. This argument will place quotation marks around each device property. To see the raw numeric vendor and device IDs instead of the names looked up in pci.ids, use -n.
Listing USB Devices
Because USB devices are connected to a separate controller, a different command, lsusb, must be used to list them. The lsusb utility is provided by the usbutils package. Install this package via Red Hat Network if necessary as described in Chapter 3.

If executed without arguments, the lsusb command displays each USB bus and any devices attached to them on a separate line as shown in Listing 6.4.

LISTING 6.4 USB Device List
Bus 002 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 005 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
Bus 001 Device 004: ID 046d:c501 Logitech, Inc. Cordless Mouse Receiver

Similar to PCI devices, each USB device has a unique ID. lsusb probes for this ID and references the /usr/share/hwdata/usb.ids file for the vendor, product name, and model number. If this information is found for the ID, this more user-friendly information is displayed in the lsusb output as shown in the last line of Listing 6.4 for the cordless mouse.

To view more information about each bus, use the command lsusb -v. For example, Listing 6.5 shows the verbose output for the cordless mouse from Listing 6.4.
CH^lTLR 6 ^nalyzlng Hardware 154
LlSTlNG 6.3 Contlnued
LISTING 6.5 Verbose Output for a USB Device
Bus 001 Device 004: ID 046d:c501 Logitech, Inc. Cordless Mouse Receiver
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x046d Logitech, Inc.
  idProduct          0xc501 Cordless Mouse Receiver
  bcdDevice            9.10
  iManufacturer           1 Logitech
  iProduct                2 USB Receiver
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           34
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xa0
      Remote Wakeup
    MaxPower               50mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Devices
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      2 Mouse
      iInterface              0
      HID Device Descriptor:
        bLength                 9
        bDescriptorType        33
        bcdHID               1.10
        bCountryCode            0 Not supported
        bNumDescriptors         1
        bDescriptorType        34 Report
        wDescriptorLength      82
        Report Descriptors:
          ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81 EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008 1x 8 bytes
        bInterval              10
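One practical use of the plain lsusb listing is a baseline check: record the vendor:product IDs that belong on a host and report anything that appears or disappears later. The script below is an added example, not code from the book or from the usbutils package. The sample lsusb text reproduces the six lines of Listing 6.4 plus one constructed device (1234:abcd), and the baseline set is constructed as well. Root hubs report 0000:0000 and are skipped rather than flagged.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# One line of plain "lsusb" output, e.g.
#   Bus 001 Device 004: ID 046d:c501 Logitech, Inc. Cordless Mouse Receiver
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vendor>[0-9a-f]{4}):(?P<product>[0-9a-f]{4})\s*(?P<desc>.*)$"
)

# Constructed sample: the six lines of Listing 6.4 plus one made-up device.
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 0000:0000
Bus 003 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 005 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
Bus 001 Device 004: ID 046d:c501 Logitech, Inc. Cordless Mouse Receiver
Bus 001 Device 005: ID 1234:abcd Example Corp. Flash Drive (constructed)
"""

# Constructed baseline: the vendor:product IDs expected on this host.
BASELINE_IDS = {"046d:c501"}


@dataclass(frozen=True)
class UsbDevice:
    bus: int
    device: int
    vendor: str
    product: str
    description: str

    @property
    def usb_id(self) -> str:
        return f"{self.vendor}:{self.product}"


def parse_lsusb(text: str) -> list[UsbDevice]:
    """Turn lsusb output into UsbDevice records; rejects lines it cannot parse."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LSUSB_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised lsusb line: {line!r}")
        devices.append(UsbDevice(int(m["bus"]), int(m["dev"]),
                                 m["vendor"], m["product"], m["desc"].strip()))
    return devices


def compare_to_baseline(devices: list[UsbDevice], baseline: set[str]) -> dict[str, list[str]]:
    """Report IDs present now but not in the baseline, and baseline IDs not present.

    Root hubs show up as 0000:0000 (see Listing 6.4) and carry no identity,
    so they are ignored rather than reported as unexpected."""
    seen = {d.usb_id for d in devices if d.usb_id != "0000:0000"}
    return {"added": sorted(seen - baseline), "missing": sorted(baseline - seen)}


def audit(text: str = SAMPLE_LSUSB, baseline: set[str] = BASELINE_IDS) -> dict[str, list[str]]:
    return compare_to_baseline(parse_lsusb(text), baseline)


if __name__ == "__main__":
    for label, ids in audit().items():
        print(f"{label}: {', '.join(ids) or '(none)'}")
```

On a real host, feed `audit()` the captured output of lsusb and a baseline saved when the machine was commissioned; the "added" list is what a periodic job would report.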
Listing Storage Devices
To list the drives connected to the system, use the fdisk -l command as root. Each disk is listed along with its capacity and partitions. In Listing 6.6, there is one disk, /dev/sda, with eight partitions. The top line shows the capacity of the disk: 120 GB.
LISTING 6.6 List of Connected Disks from fdisk
Disk /dev/sda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14        1925    15358140   83  Linux
/dev/sda3            1926        2179     2040255   82  Linux swap
/dev/sda4            2180       14593    99715455   83  Linux
/dev/sda5            2180        2192      104391   83  Linux
/dev/sda6            2193        2702     4096543+  83  Linux
/dev/sda7            2703        2715      104391   83  Linux
/dev/sda8            2716        3097     3068383+  83  Linux
A list of partitions for a device can also be listed using the parted utility. Executing the parted <device-name> command as the root user gives you a parted prompt on which to issue commands for the specified device. For example, to specify the first device on the SCSI bus, use the parted /dev/sda command. While in parted, use the print command to list the disk geometry and partitions on the device. Listing 6.7 shows output from parted for a 300 GB disk partitioned to use LVM.
LISTING 6.7 List of Partitions from parted
GNU Parted 1.7.1
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print

Disk /dev/sda: 300GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End    Size    Type     File system  Flags
 1      32.3kB  107MB  107MB   primary  ext3
 3      107MB   100GB  99.9GB  primary               lvm
 2      100GB   300GB  200GB   primary  ntfs         boot
Detecting Hardware
After the installation program probes for hardware and maps the IDs to the appropriate kernel module (if available), the kernel module information is written to the /etc/modprobe.conf file so it can be used on subsequent boots.
TIP
For a list of all kernel modules loaded, issue the lsmod command as described in the "Listing and Configuring Kernel Modules" section later in this chapter.
But, what should you do if a device is not configured by the installation program? You can use tools to probe the hardware and discover information that can be used to manually configure the device. This section discusses two tools for this purpose: Kudzu and ddcprobe.
Detecting Hardware with Kudzu
What happens when you add a new device after installation? The Kudzu program runs each time the system boots and performs a hardware probe. If new hardware is found, Kudzu attempts to map it to a kernel module. If successful, the information is saved, and the device is configured.
The Kudzu program includes an initialization script, /etc/rc.d/init.d/kudzu, which is run at boot time (unless disabled). A list of configured hardware for the system is stored in /etc/sysconfig/hwconf, a file maintained by Kudzu. If Kudzu finds new hardware not in this file, it prompts the administrator to configure it. If Kudzu detects removed hardware, it prompts the administrator to remove the configuration. If the administrator confirms the removal, it is removed from the hwconf file as well.
Instead of reading /etc/sysconfig/hwconf, issue the kudzu --probe command to view the list of hardware detected by Kudzu. To narrow down the results, you can also specify the bus or class:
kudzu --probe --bus=<BUS>
or
kudzu --probe --class=<CLASS>
For example, kudzu --probe --bus=PCI only displays the devices on the PCI bus. Or, the command kudzu --probe --class=VIDEO only displays the video devices as demonstrated in Listing 6.8.
LISTING 6.8 Kudzu Probe for a Video Device
class: VIDEO
bus: PCI
detached: 0
driver: nvidiafb
desc: "nVidia Corporation G70 GeForce 7600 GT"
video.xdriver: nv
vendorId: 10de
deviceId: 0391
subVendorId: 1682
subDeviceId: 2220
pciType: 1
pcidom: 0
pcibus: 1
pcidev: 0
pcifn: 0
If new hardware is detected, Kudzu references the hardware lookup tables in the /usr/share/hwdata/ directory installed by the hwdata software package and tries to map the hardware ID to a kernel module. If a driver is found, a configuration line for the hardware is added to /etc/modprobe.conf so the same driver can be used on subsequent boots.
Kudzu does have a small configuration file, /etc/sysconfig/kudzu, with one option: SAFE. By default, SAFE is set to no. Set it to yes to enable the safe probe mode. The safe probe mode disables serial port, DDC monitor, and PS/2 probing.
TIP
If a kernel module is not available for an added piece of hardware, try updating the kernel and the hwdata RPM package. Support may have been recently added for the hardware.
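The lookup Kudzu performs against the hwdata tables (and that lspci performs against pci.ids, as described at the start of this section) can be reproduced offline. The script below is an added example, not code from the book, Kudzu, or hwdata. It parses a constructed excerpt written in the pci.ids layout (vendor line, device lines indented by one tab, subsystem lines by two tabs; the IDs mirror Listing 6.8 but the names are illustrative), splits kudzu --probe style output into records, narrows them the way --bus and --class do, and resolves the IDs. Records are assumed to be separated by a line holding only "-" (the /etc/sysconfig/hwconf convention) or a blank line. A record whose vendor is absent from the table is exactly the case the TIP above (update hwdata) is about.

```python
from __future__ import annotations

# Constructed excerpt in the layout of /usr/share/hwdata/pci.ids.
# The IDs match Listing 6.8; the names are illustrative, not copied from hwdata.
SAMPLE_PCI_IDS = (
    "# constructed pci.ids excerpt\n"
    "10de  nVidia Corporation\n"
    "\t0391  G70 GeForce 7600 GT\n"
    "\t\t1682 2220  Example Board Partner GeForce 7600 GT (constructed)\n"
    "8086  Intel Corporation\n"
    "\t2572  865G Integrated Graphics Controller (constructed)\n"
    "C 03  Display controller\n"
)

# Constructed kudzu --probe output: the record of Listing 6.8 plus a made-up
# network adapter whose vendor ID is not in the table.
SAMPLE_KUDZU_PROBE = """\
-
class: VIDEO
bus: PCI
detached: 0
driver: nvidiafb
desc: "nVidia Corporation G70 GeForce 7600 GT"
video.xdriver: nv
vendorId: 10de
deviceId: 0391
subVendorId: 1682
subDeviceId: 2220
pciType: 1
pcidom: 0
pcibus: 1
pcidev: 0
pcifn: 0
-
class: NETWORK
bus: PCI
detached: 0
driver: unknown
desc: "Constructed network adapter"
vendorId: abcd
deviceId: 1234
-
"""


def parse_ids_table(text: str) -> dict[str, dict]:
    """Parse the vendor/device/subsystem part of a pci.ids- or usb.ids-style file."""
    vendors: dict[str, dict] = {}
    vendor = device = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.startswith("C "):            # class section follows; not needed here
            break
        if raw.startswith("\t\t"):          # "subvendor subdevice  name"
            sv, sd, name = raw.strip().split(None, 2)
            device["subsystems"][(sv, sd)] = name
        elif raw.startswith("\t"):          # "device  name"
            did, name = raw.strip().split(None, 1)
            device = {"name": name, "subsystems": {}}
            vendor["devices"][did] = device
        else:                               # "vendor  name"
            vid, name = raw.split(None, 1)
            vendor = {"name": name.strip(), "devices": {}}
            vendors[vid] = vendor
    return vendors


def parse_kudzu_probe(text: str) -> list[dict[str, str]]:
    """Split probe output into one dict per device record (assumed "-" or blank separators)."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line in ("", "-"):
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def narrow(records, bus=None, cls=None):
    """Mimic the --bus=<BUS> / --class=<CLASS> narrowing of kudzu --probe."""
    return [r for r in records
            if (bus is None or r.get("bus") == bus) and (cls is None or r.get("class") == cls)]


def lookup(record: dict[str, str], ids: dict[str, dict]):
    """Resolve vendorId/deviceId/subVendorId/subDeviceId; None if the vendor is unknown."""
    vendor = ids.get(record.get("vendorId"))
    if vendor is None:
        return None
    device = vendor["devices"].get(record.get("deviceId"))
    subsystem = None
    if device is not None:
        subsystem = device["subsystems"].get((record.get("subVendorId"), record.get("subDeviceId")))
    return {"vendor": vendor["name"], "device": device["name"] if device else None, "subsystem": subsystem}
```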
Detecting Hardware with ddcprobe
Kudzu runs at boot time to detect and configure new hardware, including video cards. But, what if you suspect that Kudzu was unable to properly detect the video card or monitor in your system?
To view the video card and monitor information found by Kudzu, use the ddcprobe command. You must be root to run this command. Provided by the rhpxl package, ddcprobe is a script written to call Kudzu's probing function and display the results in a user-friendly output. If the rhpxl package is not installed, install it via Red Hat Network as described in Chapter 3.
NOTE
The ddcprobe utility doesn't work on some laptops and LCD monitors. It is only available on x86 and x86_64 hardware.
Along with the manufacturer and product name of the video card and monitor, ddcprobe displays information such as the amount of memory the video card has and the monitor refresh rates as shown in Listing 6.9.
LISTING 6.9 Video Card Probe Results
Videocard DDC probe results
Description: Intel Corporation Intel(r)865G Graphics Controller
Memory (MB): 15
Monitor DDC probe results
ID: DEL3007
Name: Dell 1702FP (Analog)
Horizontal Sync (kHZ): 30-80
Vertical Sync (HZ) : 56-76
Width (mm): 340
Height(mm): 270
If the ddcprobe output is not correct for the monitor or video card, run the system-config-display utility by selecting the System menu from the top panel of the desktop and then selecting Administration, Display or by executing the system-config-display command. You must enter the root password to proceed if you are not already root when you run the program. Manually select the correct monitor or video card so that the correct settings are written to the configuration file.
Gathering Information from the BIOS
When a computer first starts, the first program that runs, and the first one you see, is the BIOS, or the Basic Input/Output System. Most BIOSes also have an SMBIOS (System Management BIOS) or a DMI (Desktop Management Interface) that generates a table of data about the BIOS and computer system in a standard format.
For a system with a BIOS, it is possible to request information directly from it and the SMBIOS or DMI instead of the physical hardware in the system. The dmidecode RPM package contains utilities to perform these queries. The dmidecode, biosdecode, ownership, and vpddecode commands are provided by this package. Install it with RHN (refer to Chapter 3) if it is not already installed. This section discusses each of these programs.
CAUTION
The output of the biosdecode and dmidecode utilities may not be 100% accurate. For example, sometimes the BIOS returns the highest possible processor speed the motherboard allows, not the actual processor speed of the processor installed. Use its output with caution.
Querying the BIOS
As the root user, execute the biosdecode command to query the BIOS for system information. Listing 6.10 shows example output.
LISTING 6.10 Output from biosdecode
# biosdecode 2.7
ACPI 1.0 present.
	OEM Identifier: INTEL
	RSD Table 32-bit Address: 0x7FEFDE48
PNP BIOS 1.0 present.
	Event Notification: Not Supported
	Real Mode 16-bit Code Address: F000:A600
	Real Mode 16-bit Data Address: 0040:0000
	16-bit Protected Mode Code Address: 0x000FA6E7
	16-bit Protected Mode Data Address: 0x00000400
	OEM Device Identifier: SST2400
SMBIOS 2.3 present.
	Structure Table Length: 1616 bytes
	Structure Table Address: 0x000E34F0
	Number Of Structures: 34
	Maximum Structure Size: 150 bytes
The output for each system will vary, depending on what type of data the BIOS returns and what features the BIOS and system hardware have. In Listing 6.10, information about the ACPI, PNP BIOS, and SMBIOS are given. The following types of data can be displayed if returned by the BIOS:
SMBIOS
DMI
SYSID
PNP
ACPI
BIOS32
PIR
32OS (Compaq-specific)
SNY
VPD (IBM-specific)
Querying the SMBIOS or DMI
If the output from biosdecode shows a SMBIOS or DMI, further information can be retrieved from the SMBIOS or DMI with the dmidecode command. The dmidecode command must be run as the root user as well. It displays information about each structure found such as the processor and BIOS structures shown in Listing 6.11.
LISTING 6.11 Output from dmidecode
Handle 0x0000, DMI type 4, 35 bytes.
Processor Information
	Socket Designation: J3E1
	Type: Central Processor
	Family: Unknown
	Manufacturer: Intel(R) Corporation
	ID: F6 06 00 00 FF FB EB BF
	Version: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
	Voltage: 1.6 V
	External Clock: 266 MHz
	Max Speed: 4000 MHz
	Current Speed: 2400 MHz
	Status: Populated, Enabled
	Upgrade: Other
	L1 Cache Handle: 0x0002
	L2 Cache Handle: Not Provided
	L3 Cache Handle: Not Provided
	Serial Number: Not Specified
	Asset Tag: Unknown
	Part Number: Not Specified

Handle 0x0003, DMI type 0, 20 bytes.
BIOS Information
	Vendor: Intel Corp.
	Version: BX97510J.86A.0618.2006.0223.1728
	Release Date: 02/23/2006
	Address: 0xF0000
	Runtime Size: 64 kB
	ROM Size: 512 kB
	Characteristics:
		PCI is supported
		BIOS is upgradeable
		BIOS shadowing is allowed
		Boot from CD is supported
		Selectable boot is supported
		EDD is supported
		8042 keyboard services are supported (int 9h)
		Serial services are supported (int 14h)
		Printer services are supported (int 17h)
		CGA/mono video services are supported (int 10h)
		ACPI is supported
		USB legacy is supported
		ATAPI Zip drive boot is supported
		BIOS boot specification is supported
		Function key-initiated network boot is supported
For each structure listed, the following information is presented:
Handle: Unique value for each structure so other structures can reference each other.
Type: The SMBIOS or DMI type number as defined by the SMBIOS or DMI specifications.
Size: Size of the structure. Each one has a 4-byte header that stores the handle, type, and size. The remainder of the size stores the actual data about the structure, which varies, so the size varies.
Decoded values: Information about the structure. Varies according to the type as shown in Listing 6.11.
The dmidecode output can be narrowed down by a few command-line options such as dmidecode -q to not display unknown, inactive, and OEM-specific values. Table 6.1 shows all the command-line options for dmidecode.
TABLE 6.1 Command-Line Options for dmidecode

Command-Line Option  Description
-d <file>            Read memory from a different device file. The default file read is /dev/mem.
-q                   Quiet mode. Does not display unknown, inactive, and OEM-specific values.
-s <keyword>         Only show values with <keyword>. <keyword> can be one of the following: bios-vendor, bios-version, bios-release-date, system-manufacturer, system-product-name, system-version, system-serial-number, baseboard-manufacturer, baseboard-product-name, baseboard-version, baseboard-serial-number, baseboard-asset-tag, chassis-manufacturer, chassis-version, chassis-serial-number, chassis-asset-tag, processor-manufacturer, processor-version. Not all keywords return a value on all systems. To list valid keywords for a system, execute dmidecode -s (don't list a <keyword>). This option can only be used once per command execution.
-t <type>            Only show entries of type <type>. <type> can be one of the following: bios, system, baseboard, chassis, processor, memory, cache, connector, slot. Specify more than one type by separating them with commas. To list valid types for a system, execute dmidecode -t (don't give a <type>). Refer to the dmidecode man page for a list of types along with their associated type number value.
-u                   Dump data as hexadecimal instead of decoding them. Mostly used for debugging purposes.
-h                   Show brief usage information for dmidecode.
-V                   Show version of dmidecode.
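The handle/type/size header, title line, and indented decoded values described above make dmidecode output easy to parse when a script has to compare inventory across many hosts. The script below is an added example, not code from the book or from dmidecode. The sample is an abridged copy of the two structures in Listing 6.11, re-indented with tabs the way dmidecode prints them (an assumption about layout). TYPE_KEYWORDS holds only a subset of the type numbers that the -t keywords map to; the dmidecode man page has the full list. The processor check implements the CAUTION above: it flags a processor structure whose Max Speed differs from Current Speed, since the former may be the board's limit rather than the CPU's.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

HANDLE_RE = re.compile(r"^Handle (0x[0-9A-Fa-f]{4}), DMI type (\d+), (\d+) bytes\.?$")

# Partial mapping of -t keywords to SMBIOS type numbers (see the man page for all).
TYPE_KEYWORDS = {
    "bios": {0}, "system": {1}, "baseboard": {2}, "chassis": {3},
    "processor": {4}, "cache": {7}, "connector": {8}, "slot": {9}, "memory": {16, 17},
}

# Constructed sample: Listing 6.11, abridged, with tab indentation.
SAMPLE_DMIDECODE = """\
Handle 0x0000, DMI type 4, 35 bytes.
Processor Information
\tSocket Designation: J3E1
\tType: Central Processor
\tManufacturer: Intel(R) Corporation
\tVersion: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
\tExternal Clock: 266 MHz
\tMax Speed: 4000 MHz
\tCurrent Speed: 2400 MHz
\tStatus: Populated, Enabled
\tSerial Number: Not Specified

Handle 0x0003, DMI type 0, 20 bytes.
BIOS Information
\tVendor: Intel Corp.
\tVersion: BX97510J.86A.0618.2006.0223.1728
\tRelease Date: 02/23/2006
\tROM Size: 512 kB
\tCharacteristics:
\t\tPCI is supported
\t\tBIOS is upgradeable
\t\tACPI is supported
\t\tUSB legacy is supported
"""


@dataclass
class DmiStructure:
    handle: int
    dmi_type: int
    size: int
    title: str = ""
    fields: dict = field(default_factory=dict)


def parse_dmidecode(text: str) -> list[DmiStructure]:
    structures: list[DmiStructure] = []
    cur, last_key = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HANDLE_RE.match(line)
        if m:
            cur = DmiStructure(int(m.group(1), 16), int(m.group(2)), int(m.group(3)))
            structures.append(cur)
            last_key = None
            continue
        if cur is None:                 # banner text before the first handle
            continue
        if line.startswith("\t\t"):     # list item belonging to the previous key
            prev = cur.fields.get(last_key)
            if isinstance(prev, list):
                prev.append(line.strip())
            else:
                cur.fields[last_key] = [prev, line.strip()] if prev else [line.strip()]
        elif line.startswith("\t"):     # "Key: value" (empty value introduces a list)
            key, _, value = line.strip().partition(":")
            cur.fields[key] = value.strip()
            last_key = key
        else:                           # the structure's title line
            cur.title = line.strip()
    return structures


def select_type(structures: list[DmiStructure], keyword: str) -> list[DmiStructure]:
    """Like `dmidecode -t <type>` for the keywords in TYPE_KEYWORDS."""
    return [s for s in structures if s.dmi_type in TYPE_KEYWORDS[keyword]]


def _mhz(value: str | None) -> int | None:
    if not value:
        return None
    head = value.split()[0]
    return int(head) if head.isdigit() else None


def processor_speed_check(struct: DmiStructure) -> dict | None:
    """Flag a processor structure whose Max Speed differs from Current Speed."""
    if struct.dmi_type != 4:
        return None
    mx, cur = _mhz(struct.fields.get("Max Speed")), _mhz(struct.fields.get("Current Speed"))
    return {"max_mhz": mx, "current_mhz": cur,
            "suspect": mx is not None and cur is not None and mx != cur}
```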
Querying Vendor-Specific Data
The dmidecode RPM package also includes the ownership and vpddecode utilities. The ownership utility is a specialized command for Compaq computers. If biosdecode displays information about 32OS data, the ownership command can retrieve the Compaq ownership tag. The vpddecode utility is also for a specific set of computers. It only works on IBM computers to display the vital product data from the system. If VPD data is found in the biosdecode query, use the vpddecode command to query for more information. The output includes the BIOS build ID, product name, box serial number, motherboard serial number, and machine type/model. Some systems output more information such as BIOS release date.
Listing and Configuring Kernel Modules
For a piece of hardware to work properly in Red Hat Enterprise Linux, the associated kernel module must be loaded. The kernel module allows the kernel and end-user programs to interact with the hardware.
To view a list of all currently loaded kernel modules, use the lsmod command. It can be run as a normal user or as root, but if run as a non-root user, you might need to specify the full path to the command, /sbin/lsmod, because /sbin/ is not in the default path of a non-root user.
TIP
To manually load a module, use the modprobe <modulename> command. The specified module will be loaded along with any module dependencies.
The modules to use for some hardware such as network cards, sound cards, and USB controllers are saved in /etc/modprobe.conf so they don't have to be configured each time the system boots. Other modules are loaded as needed from the utilities that require them. For example, when the mount command is used to mount a Samba share, the smbfs module is loaded.
Kernel module options can also be added to /etc/modprobe.conf to tweak the module settings. To determine what parameters are available, use the modinfo <modulename> command. The beginning of the modinfo output displays the full path to the kernel module, software license for the module, description, and author as shown in Listing 6.12 for the 3c59x module.
LISTING 6.12 Beginning of Module Information for 3c59x Module
filename:       /lib/modules/2.6.18-1.2839.el5xen/kernel/drivers/net/3c59x.ko
license:        GPL
description:    3Com 3c59x/3c9xx ethernet driver
author:         Donald Becker <becker@scyld.com>
The output also includes lines that begin with the parm keyword. These lines describe possible kernel module options and the value type each accepts. For example, the modinfo output for 3c59x contains the lines in Listing 6.13.
LISTING 6.13 3c59x Module Options
parm:           debug:3c59x debug level (0-6) (int)
parm:           options:3c59x: Bits 0-3: media type, bit 4: bus mastering, bit 9: full duplex (array of int)
parm:           global_options:3c59x: same as options, but applies to all NICs if options is unset (int)
parm:           full_duplex:3c59x full duplex setting(s) (1) (array of int)
parm:           global_full_duplex:3c59x: same as full_duplex, but applies to all NICs if full_duplex is unset (int)
parm:           hw_checksums:3c59x Hardware checksum checking by adapter(s) (0-1) (array of int)
parm:           flow_ctrl:3c59x 802.3x flow control usage (PAUSE only) (0-1) (array of int)
parm:           enable_wol:3c59x: Turn on Wake-on-LAN for adapter(s) (0-1) (array of int)
parm:           global_enable_wol:3c59x: same as enable_wol, but applies to all NICs if enable_wol is unset (int)
parm:           rx_copybreak:3c59x copy breakpoint for copy-only-tiny-frames (int)
parm:           max_interrupt_work:3c59x maximum events handled per interrupt (int)
parm:           compaq_ioaddr:3c59x PCI I/O base address (Compaq BIOS problem workaround) (int)
parm:           compaq_irq:3c59x PCI IRQ number (Compaq BIOS problem workaround) (int)
parm:           compaq_device_id:3c59x PCI device ID (Compaq BIOS problem workaround) (int)
parm:           watchdog:3c59x transmit timeout in milliseconds (int)
parm:           global_use_mmio:3c59x: same as use_mmio, but applies to all NICs if options is unset (int)
parm:           use_mmio:3c59x: use memory-mapped PCI I/O resource (0-1) (array of int)
For example, the full_duplex module option is for setting the network card to full duplex, and its value type must be an array of integers. The integer value in parentheses for full_duplex tells us that a value of 1 sets the network card to full duplex mode.
The parameters for each kernel module are different, so be sure to check the modinfo output for the module before trying to add options to a module. After determining the parameter name and possible values, they can be added to /etc/modprobe.conf if necessary. Module options go on an options line keyed by the module name, next to the alias line that maps the interface to the module. For example, the lines for the 3c59x module might look similar to the following:
alias eth0 3c59x
options 3c59x full_duplex=1
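Because a mistyped or out-of-range option in /etc/modprobe.conf only shows up at the next boot, it is worth checking an options line against the parm lines before rebooting. The script below is an added example, not code from the book or from module-init-tools: it parses parm lines in the format of Listing 6.13 into name, description, value type, and any documented range given as (low-high), reads the options lines for one module from modprobe.conf text, and reports unknown parameters, non-integer values for int parameters, and values outside the documented range. The sample modinfo text is a subset of Listing 6.13 and the sample modprobe.conf is constructed to contain one correct, one out-of-range, and one unknown option.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the parm lines in Listing 6.13.
SAMPLE_MODINFO = """\
parm:           debug:3c59x debug level (0-6) (int)
parm:           full_duplex:3c59x full duplex setting(s) (1) (array of int)
parm:           hw_checksums:3c59x Hardware checksum checking by adapter(s) (0-1) (array of int)
parm:           enable_wol:3c59x: Turn on Wake-on-LAN for adapter(s) (0-1) (array of int)
parm:           watchdog:3c59x transmit timeout in milliseconds (int)
"""

# Constructed /etc/modprobe.conf: one correct option, one out of range, one unknown.
SAMPLE_MODPROBE_CONF = """\
alias eth0 3c59x
options 3c59x full_duplex=1 hw_checksums=2 no_such=1
alias snd-card-0 snd-intel8x0
"""

# "parm:  name:description (type)"; the type is the last parenthesised group.
PARM_RE = re.compile(r"^parm:\s+(?P<name>\w+):(?P<rest>.*)\((?P<type>[^()]*)\)\s*$")
RANGE_RE = re.compile(r"\((\d+)-(\d+)\)")


@dataclass
class Parm:
    name: str
    description: str
    value_type: str          # e.g. "int" or "array of int"
    low: int | None = None   # documented range, when the description gives one
    high: int | None = None


def parse_modinfo_parms(text: str) -> dict[str, Parm]:
    parms: dict[str, Parm] = {}
    for line in text.splitlines():
        m = PARM_RE.match(line)
        if not m:
            continue
        desc = m["rest"].strip()
        r = RANGE_RE.search(desc)
        low, high = (int(r.group(1)), int(r.group(2))) if r else (None, None)
        parms[m["name"]] = Parm(m["name"], desc, m["type"].strip(), low, high)
    return parms


def parse_modprobe_options(text: str, module: str) -> dict[str, str]:
    """Collect name=value pairs from `options <module> ...` lines."""
    opts: dict[str, str] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "options" and tokens[1] == module:
            for tok in tokens[2:]:
                name, _, value = tok.partition("=")
                opts[name] = value
    return opts


def check_module_options(modinfo_text: str, conf_text: str, module: str) -> list[str]:
    """One message per problem; an empty list means the options line is consistent."""
    parms = parse_modinfo_parms(modinfo_text)
    problems: list[str] = []
    for name, value in parse_modprobe_options(conf_text, module).items():
        parm = parms.get(name)
        if parm is None:
            problems.append(f"{name}: not a parameter of {module}")
            continue
        if "int" not in parm.value_type:
            continue
        # array parameters take comma-separated values, one per adapter
        for item in value.split(","):
            if not re.fullmatch(r"-?\d+", item):
                problems.append(f"{name}={value}: expected {parm.value_type}")
                break
            if parm.low is not None and not parm.low <= int(item) <= parm.high:
                problems.append(f"{name}={value}: {item} is outside the documented range "
                                f"{parm.low}-{parm.high}")
    return problems
```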
HAL
If the kernel knows about a piece of hardware, how does an application gain access to it? As a user or administrator, you want it to "just work." This is now possible with HAL (Hardware Abstraction Layer). HAL was introduced in Fedora Core 3 and Red Hat Enterprise Linux 4.
HAL works by broadcasting a signal to the system message bus when a new device is added. Then, an application can connect to the message bus instead of the kernel to learn about the hardware. Just like Kudzu runs at boot time to detect new hardware, the HAL daemon runs while the system is running to detect new hardware. The HAL daemon collects information about the device from the kernel as well as other resources. This allows the system bus to send as much information as possible to the application, and the application only needs to gather information from one place.
For developers who need to use HAL, the hal-gnome package includes an example program and development tool for HAL. It can be started by executing the hal-device-manager command. As shown in Figure 6.1, it provides a tree view of all the devices HAL knows about. Because it is a Python program, the hal-gnome package installs the source files for the program in /usr/share/hal/device-manager/. They can be used to understand how to interact with devices via HAL.
FIGURE 6.1 HAL Device Manager
Summary
This chapter was all about hardware. It described how to list the devices detected by Red Hat Enterprise Linux with lspci and lsusb, detect hardware with Kudzu and ddcprobe, retrieve information from the BIOS, and list the currently configured and loaded kernel modules. It also provided information about the recently developed Hardware Abstraction Layer (HAL).
Without hardware, a computer system could not exist. But, without an operating system such as Red Hat Enterprise Linux to interact with the hardware and allow the hardware to interact with each other, the hardware would be useless.
IN THIS CHAPTER
Understanding Partitioning
Understanding LVM
Understanding RAID
Understanding Clustering and GFS
Using Access Control Lists
Using Disk Quotas
CHAPTER 7
Managing Storage
Managing storage is an important responsibility. The right solution works seamlessly with little gratitude. The wrong solution can lead to many headaches and late nights of trying to recover from failed file systems or inadequate storage allocation.
During installation, you are asked which partitioning method to use. You must choose to remove Linux partitions on selected drives and create the default layout, remove all partitions on selected drives and create the default layout, use free space on selected drives and create the default layout, or create a custom layout. If you choose to create the default layout, the Logical Volume Manager (LVM) is used to divide the hard drive, and then the necessary Linux mount points are created. Alternatively, if you choose custom layout, you can instead use software RAID or create partitions directly on the hard drives. Global File Systems (GFS) and clustering are two more storage solutions available with Red Hat Enterprise Linux.
This chapter explains these partitioning options so you can determine which is best for you and you can learn how to manage them. It also discusses how to use access control lists to limit access to filesystems as well as how to enforce disk usage limits known as quotas. Analyze how your company uses storage and decide which options are best for you.
Understanding Partitioning
LVM and RAID offer benefits such as resizing, striping, and combining multiple hard drives into logical physical devices. Sometimes it is necessary to just create partitions on the hard drives. Even when using RAID, partitions are created before the LVM or RAID layer is implemented.
To view a list of partitions on the system, use the fdisk -l command as root. As you can see from Listing 7.1, the output shows each partition along with its device name, whether it is a bootable partition, the starting cylinder, the ending cylinder, the number of blocks, the filesystem identification number used by fdisk, and the filesystem type.
LISTING 7.1 Partitioning Scheme with Standard Partitions
Disk /dev/sda: 100.0 GB, 100030242816 bytes
255 heads, 63 sectors/track, 12161 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1147     9213246   83  Linux
/dev/sda2            1148        4334    25599577+  83  Linux
/dev/sda3            4335        4399      522112+  82  Linux swap / Solaris
/dev/sda4            4400       12161    62348265    5  Extended
/dev/sda5            4400       12161    62348233+  83  Linux
If the system uses LVM or RAID, the fdisk -l output will reflect it. For example, Listing 7.2 shows the output for a system partitioned with LVM. There are fewer partitions shown because the logical volumes are inside the logical volume group. The first partition shown is the /boot partition because it can't be inside a logical volume group.
LISTING 7.2 Partitioning Scheme with LVM
Disk /dev/sda: 300.0 GB, 300090728448 bytes
255 heads, 63 sectors/track, 36483 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          13      104391   83  Linux
/dev/sda2              14       36482   292937242+  8e  Linux LVM
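The fdisk -l layout shown in Listing 6.6 of the previous chapter and in Listings 7.1 and 7.2 above (device, optional boot flag, start and end cylinder, 1 KiB block count, type ID, system name) is regular enough to parse, which lets a script sanity-check a partition table before anything is formatted. The script below is an added example, not code from the book or from fdisk: it reads the disk size and bytes-per-cylinder from the header, parses each partition line, and checks that no two primary partitions overlap and that every logical partition (number 5 and up) lies inside an extended partition. The first sample is Listing 7.1; the second is a constructed table with an overlap and a stray logical partition.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

DISK_RE = re.compile(r"^Disk (?P<dev>/dev/\S+): .*?, (?P<bytes>\d+) bytes$")
UNITS_RE = re.compile(r"^Units = cylinders of \d+ \* \d+ = (?P<cyl>\d+) bytes$")
PART_RE = re.compile(
    r"^(?P<dev>/dev/\S+)\s+(?P<boot>\*)?\s*(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<blocks>\d+)\+?\s+(?P<id>[0-9a-f]+)\s+(?P<system>.+?)\s*$"
)
EXTENDED_IDS = {"5", "f", "85"}     # DOS extended partition type codes

# Constructed sample: Listing 7.1 as fdisk -l prints it.
SAMPLE_FDISK = """\
Disk /dev/sda: 100.0 GB, 100030242816 bytes
255 heads, 63 sectors/track, 12161 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1147     9213246   83  Linux
/dev/sda2            1148        4334    25599577+  83  Linux
/dev/sda3            4335        4399      522112+  82  Linux swap / Solaris
/dev/sda4            4400       12161    62348265    5  Extended
/dev/sda5            4400       12161    62348233+  83  Linux
"""

# Constructed faulty table: sdb1/sdb2 overlap and sdb5 has no extended partition.
SAMPLE_BAD = """\
Disk /dev/sdb: 8.0 GB, 8000000000 bytes
255 heads, 63 sectors/track, 972 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         500     4016218+  83  Linux
/dev/sdb2             400         972     4602172+  83  Linux
/dev/sdb5             600         972     2996181   83  Linux
"""


@dataclass
class Partition:
    device: str
    bootable: bool
    start: int
    end: int
    blocks: int
    type_id: str
    system: str

    @property
    def number(self) -> int:
        return int(re.search(r"(\d+)$", self.device).group(1))

    @property
    def size_bytes(self) -> int:
        return self.blocks * 1024      # fdisk's Blocks column counts 1 KiB blocks


@dataclass
class Disk:
    device: str
    size_bytes: int
    cylinder_bytes: int
    partitions: list


def parse_fdisk(text: str) -> list[Disk]:
    disks: list[Disk] = []
    disk = None
    for line in text.splitlines():
        m = DISK_RE.match(line)
        if m:
            disk = Disk(m["dev"], int(m["bytes"]), 0, [])
            disks.append(disk)
            continue
        m = UNITS_RE.match(line)
        if m and disk is not None:
            disk.cylinder_bytes = int(m["cyl"])
            continue
        m = PART_RE.match(line)
        if m and disk is not None:
            disk.partitions.append(Partition(m["dev"], m["boot"] == "*", int(m["start"]),
                                             int(m["end"]), int(m["blocks"]), m["id"], m["system"]))
    return disks


def overlapping_primaries(disk: Disk) -> list[tuple[str, str]]:
    """Pairs of primary partitions (numbers 1-4) whose cylinder ranges overlap."""
    prim = [p for p in disk.partitions if p.number <= 4]
    return [(a.device, b.device) for i, a in enumerate(prim) for b in prim[i + 1:]
            if a.start <= b.end and b.start <= a.end]


def logicals_outside_extended(disk: Disk) -> list[str]:
    """Logical partitions (5 and up) not contained in any extended partition."""
    ext = [p for p in disk.partitions if p.type_id in EXTENDED_IDS]
    return [p.device for p in disk.partitions
            if p.number >= 5 and not any(e.start <= p.start and p.end <= e.end for e in ext)]
```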
During installation, the hard drives can be partitioned, given a filesystem type for formatting, and assigned a mount point as described in Chapter 1, "Installing Red Hat Enterprise Linux." If hard drives are added to the system after installation or a hard drive has to be replaced, it is important to understand how to perform these functions post-installation.
CAUTION
Perform all these actions in rescue mode without the filesystem mounted or ensure the entire device is not mounted before manipulating the partition table for it. Refer to Chapter 10, "Techniques for Backup and Recovery," for instructions on booting into rescue mode. Most changes to the partition table require a reboot. When you exit rescue mode, the system will reboot.
Creating Partitions
A partition can be created from free space on a hard drive. You might need to create a partition if you add a new hard drive to the system, if you left unpartitioned space on the system during installation and want to partition it, or if you are using LVM and want to create the physical volumes on a partition instead of an entire raw device.
There are two partitioning utilities in Red Hat Enterprise Linux: parted and fdisk. The parted utility is used in this chapter because it includes a resize utility and is a bit more user-friendly. For more information on fdisk, refer to the man page with the man fdisk command.
As root, issue the parted command followed by the device name such as
parted /dev/sda
You are now in an interactive parted shell, in which the commands executed manipulate the device specified. To view existing partitions from this interactive shell, type the print command at the (parted) prompt. The output should look similar to Listing 7.3. If you compare this output to the output in Listing 7.1 and Listing 7.2 from the fdisk -l command, you will see that the parted output is a little easier to read because it includes the size in user-friendly units such as megabytes and gigabytes instead of the beginning and ending cylinders from the fdisk -l output.
LISTING 7.3 Partition Table from parted for Standard Partitions
Using /dev/hda
(parted) print

Disk geometry for /dev/hda: 0kB - 100GB
Disk label type: msdos
Number  Start   End     Size    Type      File system  Flags
1       32kB    9434MB  9434MB  primary   ext3         boot
2       9434MB  36GB    26GB    primary   ext3
3       36GB    36GB    535MB   primary   linux-swap
4       36GB    100GB   64GB    extended
5       36GB    100GB   64GB    logical   ext3
Once again, the output will differ depending on the partitioning scheme being used. Listing 7.4 shows output from a system using LVM and can be compared to Listing 7.2, which shows the same output from fdisk -l.
LISTING 7.4 Partition Table from parted for LVM
Disk /dev/sda: 300GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End    Size     Type     File system  Flags
 1      32.3kB  107MB  107MB    primary  ext3
 3      107MB   300GB  299.9GB  primary               lvm
To create a partition in parted, issue the following command at the interactive parted prompt:
mkpart <part-type> <fs-type> <start> <end>
<part-type> must be one of primary, logical, or extended. <fs-type> must be one of fat16, fat32, ext2, HFS, linux-swap, NTFS, reiserfs, or ufs. The <start> and <end> values should be given in megabytes and must be given as integers.
The ext3 filesystem is the default filesystem for Red Hat Enterprise Linux. It is the ext2 filesystem plus journaling. To create an ext3 filesystem, use ext2 as the <fs-type> and then use the -j option to mke2fs to make the filesystem ext3 as described in the next section.
After creating the partition, use the print command again to verify that the partition was created. Then type quit to exit parted.
Creating a Filesystem on a Partition
Next, create a filesystem on the partition. To create an ext3 filesystem (default used during installation), as root, execute the following, where <device> is the device name for the partition such as /dev/sda1:
mke2fs -j <device>
If the partition is to be a swap partition, format it with the following command as root:
mkswap <device>
Labeling the Partition
To label the partition, execute the following as root:
e2label <device> <label>
While labeling is not required, partition labels can be useful. For example, when adding the partition to /etc/fstab, the label can be listed instead of the partition device name. This proves useful if the partition number is changed from repartitioning the drive or if the partition is moved.
If the e2label command is used with just the partition device name as an argument, the current label for the partition is displayed.
Creating a Mount Point
Now that the partition is created and has a filesystem, as root, create a directory so it can be mounted:
mkdir <dir-name>
Then, mount the new partition:
mount <device> <dir-name>
such as:
mount /dev/sda5 /tmp
Access the directory and make sure you can read and write to it.
Finally, add the partition to the /etc/fstab file so it is mounted automatically at boot time. For example:
LABEL=/tmp              /tmp                    ext3    defaults        1 2
If a new swap partition is added, be sure to use swap as the filesystem type instead:
LABEL=swap2             swap                    swap    defaults        0 0
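A mistake in /etc/fstab (a label that no filesystem carries, two entries for one mount point, a swap line with a non-zero fsck pass) is not noticed until the next boot, so it pays to check the file after editing it. The script below is an added example, not code from the book or from util-linux. It parses fstab lines into their six fields (dump and pass default to 0 when omitted), then checks that every LABEL= reference names a label that exists, that swap entries use the swap/swap/0 0 form shown above, that only the root filesystem has fsck pass 1, and that no mount point appears twice. The sample fstab contains the two lines from the text plus constructed faulty entries, and KNOWN_LABELS stands in for what e2label would report for each partition.

```python
from __future__ import annotations

# Constructed /etc/fstab: the two lines from the text plus faulty entries.
SAMPLE_FSTAB = """\
# constructed sample
LABEL=/        /      ext3  defaults        1 1
LABEL=/tmp     /tmp   ext3  defaults        1 2
LABEL=swap2    swap   swap  defaults        0 0
LABEL=/data    /data  ext3  defaults        1 1
/dev/sda8      /tmp   ext3  defaults        1 2
LABEL=oldswap  swap   swap  defaults        0 2
"""

# Constructed: the labels e2label reports for the partitions on this host.
KNOWN_LABELS = {"/", "/tmp", "swap2", "/data"}


def parse_fstab(text: str) -> list[dict]:
    """One dict per entry; comments and blank lines are skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4 or len(f) > 6:
            raise ValueError(f"line {n}: expected 4 to 6 fields, got {len(f)}")
        f += ["0"] * (6 - len(f))      # dump and fsck pass default to 0 when omitted
        entries.append({"line": n, "spec": f[0], "mount": f[1], "type": f[2],
                        "options": f[3], "dump": int(f[4]), "pass": int(f[5])})
    return entries


def check_fstab(text: str, known_labels: set[str]) -> list[str]:
    """One message per problem, in file order; an empty list means the file passed."""
    problems: list[str] = []
    seen_mounts: dict[str, int] = {}
    for e in parse_fstab(text):
        where = f"line {e['line']} ({e['spec']})"
        if e["spec"].startswith("LABEL="):
            label = e["spec"][len("LABEL="):]
            if label not in known_labels:
                problems.append(f"{where}: no filesystem carries label {label!r}")
        if e["type"] == "swap":
            if e["mount"] != "swap" or e["pass"] != 0:
                problems.append(f"{where}: swap entries use 'swap swap ... 0 0'")
            continue
        if e["mount"] in seen_mounts:
            problems.append(f"{where}: mount point {e['mount']} already used on line "
                            f"{seen_mounts[e['mount']]}")
        seen_mounts[e["mount"]] = e["line"]
        if e["mount"] == "/" and e["pass"] != 1:
            problems.append(f"{where}: the root filesystem should be fsck pass 1")
        if e["mount"] != "/" and e["pass"] == 1:
            problems.append(f"{where}: only the root filesystem should be fsck pass 1")
    return problems
```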
Resizing Partitions
The parted utility can also be used to resize a partition. After starting parted as root on the desired device, use the following command to resize a specific partition:
resize <minor-num> <start> <end>
To determine the <minor-num> for the partition, look at the partition table with the print command such as the output shown in Listing 7.3 and Listing 7.4. The <start> and <end> values should be the start and end points of the partition, in megabytes.
Removing Partitions
To use parted to remove a partition, start parted on the desired device as root, and issue the following command at the interactive prompt:
rm <minor-num>
The minor number for the partition is displayed when you execute the print command to list partitions. The data on the partition will no longer be accessible after the partition is removed, so be sure to back up any data you want to keep before removing the partition.
Understanding LVM
Logical Volume Manager, or LVM, is a storage management solution that allows administrators to divide hard drive space into physical volumes (PV), which can then be combined into logical volume groups (VG), which are then divided into logical volumes (LV) on which the filesystem and mount point are created.
As shown in Figure 7.1, because a logical volume group can include more than one physical volume, a mount point can include more than one physical hard drive, meaning the largest mount point can be larger than the biggest hard drive in the set. These logical volumes can be resized later if more disk space is needed for a particular mount point. After the mount points are created on logical volumes, a filesystem must be created on them.
FIGURE 7.1 How Logical Volume Manager Works
LVM is used by default during installation for all mount points except the /boot partition, which cannot exist on a logical volume. This section discusses how to perform LVM operations after installation such as creating a physical volume for a newly added hard drive, expanding logical volumes, and generating LV snapshots.
Table 7.1 summarizes the LVM tools available after installation.
TABLE 7.1 LVM Tools

LVM Tool   Description
pvcreate   Create physical volume from a hard drive
vgcreate   Create logical volume group from one or more physical volumes
vgextend   Add a physical volume to an existing volume group
vgreduce   Remove a physical volume from a volume group
lvcreate   Create a logical volume from available space in the volume group
lvextend   Extend the size of a logical volume from free physical extents in the logical volume group
lvremove   Remove a logical volume from a logical volume group, after unmounting it
vgdisplay  Show properties of existing volume group
lvdisplay  Show properties of existing logical volumes
pvscan     Show properties of existing physical volumes
Adding Additional Disk Space
One big advantage of using LVM is that the size of a logical volume can be increased and logical volumes can be added to create additional mount points. To modify the LVM configuration post-installation, the lvm2 package needs to be installed. Refer to Chapter 3, "Operating System Updates," for details on installing packages.
TIP
If possible, leave free disk space when partitioning during installation so logical volume sizes can be increased without adding additional hard drives.
[Figure 7.1 labels: a logical volume group holding the logical volumes /home, /, and /tmp plus FREE SPACE, built from three 100GB physical volumes; a separate /boot partition of 100MB (ext3) outside the volume group.]
To increase the size of an existing logical volume or to add a logical volume, you first need free disk space. This free disk space can either be disk space that already exists in the system as unpartitioned space (not part of an existing logical volume), an unused partition, a physical volume that is not already a member of a logical volume, or disk space as a result of installing one or more additional hard drives to the system. The disk space can come from removing a logical volume to create space in the logical volume group; however, this is not common because if the LV already exists, it is most likely already being used and cannot be easily deleted without losing data.
After deciding which free disk space to use, the basic steps for increasing the size of a logical volume are as follows:
1. Create new physical volume from free disk space.
2. Add physical volume to the logical volume group.
3. Expand the size of the logical volume to include the newly added disk space in the volume group.
4. Expand the filesystem on the logical volume to include the new space.
To add a logical volume, use the following steps:
1. Create new physical volume from free disk space.
2. Add physical volume to the logical volume group.
3. Create a logical volume with the new space in volume group.
4. Create a filesystem on the logical volume.
5. Create a mount point.
6. Mount the logical volume.
7. Test the filesystem.
8. Add the new mount point to /etc/fstab.
TIP
If you prefer a graphical interface, the system-config-lvm utility can be used to modify your LVM configuration.
Creating a Physical Volume
To create a new physical volume from free hard drive space or a hard drive partition, use the pvcreate command:
pvcreate <disk>
Replace <disk> with the device name of the hard drive:
pvcreate /dev/sda
or the partition name:
pvcreate /dev/sda1
The <disk> specified can also be a meta device or loopback device, but using an entire hard disk or partition is more common. After creating a physical volume, you can either add it to an existing volume group or create a new volume group with the physical volume.
Creating and Modifying Volume Groups
A volume group can be created from one or more physical volumes. To scan the system for all physical volumes, use the pvscan command as root. It displays all PVs on the system. If a PV is part of a VG, the name of the VG is displayed next to it.
To create a VG, execute the vgcreate command as root, where <vgname> is a unique name for the volume group and <pvlist> is one or more physical volumes to use, each separated by a space:
vgcreate <vgname> <pvlist>
For example, to create a VG with the name DatabaseVG from the first and second SCSI hard drives:
vgcreate DatabaseVG /dev/sda /dev/sdb
NOTE
If the volume group was created during installation, the installation program names the first volume group VolGroup00, the second one VolGroup01, and so on.
If a volume group already exists but needs to be expanded, use the vgextend command to add additional physical volumes to it:
vgextend <vgname> <pvlist>
To remove a physical volume from a volume group:
vgreduce <vgname> <pvlist>
Use caution when reducing a volume group. vgreduce refuses to remove a physical volume that still holds allocated extents; move that data onto the remaining PVs first (pvmove) before removing the PV, because any logical volume data left on a PV that is no longer part of the VG can no longer be accessed.
Creating and Modifying Logical Volumes
Now that the physical volumes are formed into volume groups, the volume groups can be divided into logical volumes, and the logical volumes can be formatted with a filesystem and assigned mount points.
Use the lvcreate command to create a logical volume. Each LV must have a unique name. If one is not specified with the -n <name> option, a name is assigned to it. To create a logical volume of a certain size from the volume group <vgname>, specify the size unit after the value of the size, such as 300G for 300 gigabytes:
lvcreate -n <lvname> --size <size> <vgname>
Each physical volume consists of physical extents, which are 4 megabytes in size by default (the volume group in Listing 7.5 was created with a 32 MB extent size). When the size is given in gigabytes, it must be converted to a whole number of physical extents, meaning that some amount of disk space may not be used. Instead, the number of physical extents to use when creating the logical volume can be given with the -l <numpe> option:
lvcreate -n <lvname> -l <numpe> <vgname>
To determine the number of physical extents in a logical volume group, issue the following command as root:
vgdisplay <vgname>
The Total PE line shows the number of physical extents for the volume group. The output should look similar to Listing 7.5, which shows a total of 1189 physical extents. Look for the Free PE / Size line to determine whether any free PEs are available to allocate to a new logical volume. Listing 7.5 shows 220 free physical extents.
LISTING 7.5 Example vgdisplay Output
  --- Volume group ---
  VG Name               VolGroup00
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  5
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               2
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               37.16 GB
  PE Size               32.00 MB
  Total PE              1189
  Alloc PE / Size       969 / 30.28 GB
  Free  PE / Size       220 / 6.88 GB
  VG UUID               N6Uy5u-2sM2-uxRY-M1op-01v3-uvv2-Zkahza
TIP
Each LV has a device name in /dev/ with the format /dev/<vgname>/<lvname>.
By default, logical volumes are created linearly over the physical volumes. However, they can be striped over multiple PVs:
lvcreate -i<stripes> -I<stripesize> -l <numpe> -n <lvname> <vgname> <pvlist>
The -i<stripes> option sets the number of stripes, or physical volumes to use. The -I<stripesize> option is the stripe size in kilobytes, which must be a power of two, 2^n, where n is an integer from 2 to 9. Provide the number of PEs to use with the -l <numpe> option or give the size of the LV with the --size <size> option. The -n <lvname> option specifies the LV name, and <vgname> represents the name of the VG to use. Optionally, list the PVs to use, <pvlist>, at the end of the command separated by spaces. The number of PVs listed should be equal to the number of stripes.
After creating the logical volume, you must create a filesystem on it. To create an ext3 filesystem, execute the following as root:
mke2fs -j /dev/<vgname>/<lvname>
If the LV is to be used as swap, execute the following as root instead:
mkswap /dev/<vgname>/<lvname>
Next, still as the root user, create an empty directory as its mount point with the mkdir command, and use the mount command to mount the filesystem:
mount /dev/<vgname>/<lvname> /mount/point
If it mounts properly, the last step is to add it to /etc/fstab so it is mounted automatically at boot time. As root, add a line similar to the following, replacing the placeholders with the appropriate values:
/dev/<vgname>/<lvname> /mount/point ext3 defaults 1 2
To extend a logical volume, expand the volume group if necessary, and then use the lvextend command. Either specify the final size of the logical volume:
lvextend --size <size> /dev/<vgname>/<lvname>
or specify how much to expand the logical volume:
lvextend --size +<addsize> /dev/<vgname>/<lvname>
Just as physical volumes are composed of physical extents (4 MB by default), logical volumes consist of logical extents, which have the same size as the physical extents of their volume group. Instead of specifying the size or amount of space to add in gigabytes, it is also possible to use -l <numle> to provide
the final number of logical extents or -l +<numle> to expand the logical volume by a certain number of logical extents.
After extending the logical volume, the filesystem on it must be expanded as well. If it is an ext3 filesystem (the default filesystem for Red Hat Enterprise Linux), it can be expanded while it is still mounted (also known as online resizing). To do so, execute the following as root:
resize2fs /dev/<vgname>/<lvname>
The filesystem is expanded to fill the entire logical volume unless a size is listed after the logical volume device name (be sure to list the size unit such as G for gigabyte after the size):
resize2fs /dev/<vgname>/<lvname> <size>
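The extent arithmetic above (a request in gigabytes is rounded to whole physical extents, and only Free PE can be allocated) is easy to get wrong by hand. The following shell script is an added example, not code from the book or from the LVM project: it parses vgdisplay output in the layout of Listing 7.5, computes how many extents a request needs, refuses to overcommit, and only then runs the lvextend and resize2fs steps from the text. The function names are ours, the vgdisplay excerpt is constructed, and the script assumes PE Size is reported in megabytes (MB or MiB).

```shell
#!/bin/sh
# Added example, not from the book: size an lvextend request in whole
# physical extents, checked against the "Free PE" line of vgdisplay, so the
# request is issued with -l and can never ask for more than the VG holds.
# Assumes the vgdisplay layout shown in Listing 7.5 with PE Size in MB/MiB.
# Helper names are ours (hypothetical), not LVM commands.

# Constructed vgdisplay excerpt modelled on Listing 7.5 (PE Size 32 MB).
SAMPLE_VGDISPLAY='  --- Volume group ---
  VG Name               VolGroup00
  PE Size               32.00 MB
  Total PE              1189
  Alloc PE / Size       969 / 30.28 GB
  Free  PE / Size       220 / 6.88 GB'

# pe_size_mb <vgdisplay text>: physical extent size in whole megabytes.
pe_size_mb() {
  printf '%s\n' "$1" | awk '/^ *PE Size/ { sub(/\..*/, "", $3); print $3; exit }'
}

# free_pe <vgdisplay text>: number of unallocated physical extents.
free_pe() {
  printf '%s\n' "$1" | awk '/^ *Free +PE/ { print $5; exit }'
}

# extents_needed <size_gb> <pe_mb>: gigabytes rounded UP to whole extents.
# LVM allocates whole extents, so a partial extent costs a full one.
extents_needed() {
  awk -v gb="$1" -v pe="$2" 'BEGIN {
    mb = gb * 1024; n = int(mb / pe); if (n * pe < mb) n++; print n }'
}

# plan_extend <vgdisplay text> <size_gb>: prints "OK <extents>" (status 0)
# or "NOSPACE <needed> <free>" (status 1) without touching any device.
plan_extend() {
  pe=$(pe_size_mb "$1"); free=$(free_pe "$1")
  need=$(extents_needed "$2" "$pe")
  if [ "$need" -le "$free" ]; then
    printf 'OK %s\n' "$need"; return 0
  fi
  printf 'NOSPACE %s %s\n' "$need" "$free"; return 1
}

# extend_lv <vg> <lv> <size_gb>: the live procedure from the text, run as
# root: refuse to overcommit, grow the LV by extents, grow ext3 online.
extend_lv() {
  plan=$(plan_extend "$(vgdisplay "$1")" "$3") || { echo "$plan" >&2; return 1; }
  lvextend -l "+${plan#OK }" "/dev/$1/$2" && resize2fs "/dev/$1/$2"
}

# Demonstration on the constructed sample (no devices are touched):
plan_extend "$SAMPLE_VGDISPLAY" 5           # OK 160
plan_extend "$SAMPLE_VGDISPLAY" 10 || true  # NOSPACE 320 220
```

Passing -l with an extent count instead of --size in gigabytes means the request is exactly what the VG can honour; a 5 GB request on a 32 MB extent size is 160 extents, while 10 GB (320 extents) exceeds the 220 free extents of Listing 7.5 and is rejected before any device is modified.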
To remove a logical volume from a volume group, first unmount it with the umount command:
umount /dev/<vgname>/<lvname>
and then use the lvremove command:
lvremove /dev/<vgname>/<lvname>
To view the existing logical volumes along with information about them such as what VG they are a member of, the number of logical extents, and their size in gigabytes, execute the lvdisplay command as root as shown in Listing 7.6.
LISTING 7.6 Example lvdisplay Output
  --- Logical volume ---
  LV Name                /dev/VolGroup00/LogVol00
  VG Name                VolGroup00
  LV UUID                1ugMFo-PESp-31Ns-nr0F-KUWh-s3uU-J9FsTc
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                12.94 GB
  Current LE             414
  Segments               1
  Allocation             inherit
  Read ahead sectors     0
  Block device           253:0
  --- Logical volume ---
  LV Name                /dev/VolGroup00/LogVol01
  VG Name                VolGroup00
  LV UUID                fdKfYP-W1P9-M40a-eov3-pP99-W8vb-UyhgZb
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                78.12 GB
  Current LE             2500
  Segments               1
  Allocation             inherit
  Read ahead sectors     0
  Block device           253:1
  --- Logical volume ---
  LV Name                /dev/VolGroup00/LogVol02
  VG Name                VolGroup00
  LV UUID                bzr4Ag-r0KT-y8zY-F3e8-Sa81-0Y51-r6JJ3T
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                1.94 GB
  Current LE             62
  Segments               1
  Allocation             inherit
  Read ahead sectors     0
  Block device           253:2
Creating Snapshots
With LVM, it is possible to take a snapshot of a logical volume while the LV is still in read-write mode and being accessed by the system. As the root user, issue the following command:
lvcreate --size <size> -s -n <snapshotname> <lvname>
The lvcreate command is used to create a new logical volume, meaning there must be free physical extents in the logical volume group to create a snapshot. The -s option means that the LV is a snapshot, <snapshotname> is the name of the new LV created, and <lvname> is the name of the LV from which to create the snapshot.
A snapshot is not a copy of the entire LV. Instead, it keeps track of the changes made between the time the snapshot is taken and the present time. Thus, the size of the snapshot LV does not need to be as large as the LV from which it is created. It just needs to be as big as all the changes made from the time the snapshot is taken until the snapshot is used. Snapshots are not intended to be left around for long periods of time. Reasons to create snapshots include performing backups (most common), creating virtual machines using the Virtualization feature (refer to Appendix B, "Creating Virtual Machines"), creating a duplicate testing system, and transferring data from one logical volume group (and possibly a different hard drive) to another.
If a snapshot LV fills to its capacity, it becomes unusable. When the backup or data transfer has been completed, the snapshot logical volume should be unmounted and removed with the lvremove /dev/<vgname>/<lvname> command. Because the snapshot LV stores a copy of every block of the original LV that is changed after the snapshot was taken, performance of the original LV can be reduced by this copy process for as long as the snapshot exists.
Understanding RAID
RAID (Redundant Array of Independent Disks) allows an administrator to form an array of several hard drives into one logical drive recognized as one drive by the operating system. It also spreads the data stored over the array of drives to decrease disk access time and accomplish data redundancy. The data redundancy can be used to recover data should one of the hard drives in the array crash.
There are two types of RAID: hardware RAID and software RAID. Hardware RAID is implemented through the disk controller for the system. Instructions for configuring hardware RAID differ from controller to controller, so refer to the manual for your disk controller for instructions. Software RAID is implemented through the operating system and does use some processor and memory resources, although some software RAID implementations can produce faster disk access times than hardware RAID.
During installation, it is possible to configure software RAID as discussed in Chapter 1. This section explains the different RAID levels available with software RAID so you can decide which level is best for you. Software RAID allows for RAID levels 0, 1, 5, and 6.
RAID level 0, or striping, means that data is written across all hard drives in the array to accomplish fast disk performance. No redundancy is used, so the size of the logical RAID drive is equal to the combined size of all the hard drives in the array. Because there is no redundancy, recovering data from a hard drive crash is not possible through RAID.
RAID level 1, or mirroring, means that all data is written to each disk in the array, accomplishing redundancy. The data is "mirrored" on a second drive. This allows for easy recovery should a disk fail. However, it does mean that, for example, if there are two disks in the array, the size of the logical disk is the size of the smaller of the two disks because data must be mirrored to the second disk.
RAID level 5 combines striping and parity. Data is written across all disks as in RAID 0, but parity data is also written, rotating from disk to disk with each stripe. Should a hard drive failure occur, this parity data can be used to recover the data from the failed drive, including while the data is being accessed and the drive is still missing from the array.
RAID level 6 is RAID level 5 with dual parity. Data is written across all disks as in RAID 5, but two sets of parity data are calculated. Performance is slightly worse than RAID 5 because the extra parity data must be calculated and written to disk. RAID 5 allows for recovery using the parity data only if a single drive in the array fails. Because of the dual parity, RAID 6 allows for recovery from the failure of up to two drives in the array.
Setting Up RAID Devices
For best results, software RAID should be configured during installation, but it can be configured after installation if necessary. To set up software RAID devices after installation, install the mdadm software package. Refer to Chapter 3 for instructions on installing packages. This section provides an overview of post-installation software RAID configuration. It shows you how to create a RAID array and then move the data from the existing filesystem onto it. Be sure to test the process on a test system before attempting it on a production system.
CAUTION
Remember to back up all data before converting partitions to software RAID devices. As with any process that modifies disk partitions and partition tables, data loss is possible.
Before starting the conversion, add the appropriate number of hard drives with the proper sizes for the RAID level. For example, two partitions are needed for RAID 1 (mirroring) and at least three partitions are needed for RAID 5. To use all the benefits of RAID, each partition in a RAID device should be on a separate hard drive so each member of the RAID device can be written to at the same time and there is redundancy across separate hard drives should one fail.
It is possible to configure a RAID array with a missing partition so that the data on the existing partition can be copied to the degraded array. The existing partition is then reconfigured as a RAID partition and added to the RAID array to complete it. However, the process for doing so is more complicated and not recommended because it is easier to lose the existing data. It is recommended that new drives be used to set up the RAID device and that the existing data then be copied to the new RAID device.
When creating partitions to use for the RAID device, make sure they are of type Linux raid auto. In fdisk, this is partition id fd. After creating the partitions for the RAID device, use the following syntax as the root user to create the RAID device:
mdadm --create /dev/mdX --level=<num> --raid-devices=<num> <device list>
The progress of the device creation can be monitored with the following command as root:
tail -f /proc/mdstat
For example, to create a RAID level 1 device /dev/md0 from three partitions, use the following command (the example uses three partitions on the same disk purely for illustration; such an array gives no protection if that one disk fails):
mdadm --create /dev/md0 --level=1 --raid-devices=3 /dev/sda5 /dev/sda6 /dev/sda7
The command cat /proc/mdstat should show output similar to Listing 7.7.
LISTING 7.7 Creating a RAID Array
Personalities : [raid0] [raid1]
md0 : active raid1 sda7[2] sda6[1] sda5[0]
      10241280 blocks [3/3] [UUU]
      [>....................]  resync =  0.0% (8192/10241280) finish=62.3min speed=2730K/sec

unused devices: <none>
The RAID device /dev/md0 is created. Next, create a filesystem on it. To create an ext3 filesystem, execute the following as root:
mke2fs -j /dev/md0
If the new RAID device is to be used as the swap partition, use the following command as root instead:
mkswap /dev/md0
Copy any data over to the new device and be sure to change all references to the old partition to the new RAID device, including /etc/fstab and /etc/grub.conf. It is recommended that the /boot and the / filesystems remain on their original filesystems to ensure the system can still boot after adding the RAID devices. Partitions such as /home will benefit from RAID more because the data on them changes frequently.
Adding and Failing RAID Partitions
To add a partition to a RAID device, execute the following as root after creating the partition of type Linux raid auto (fd in fdisk):
mdadm /dev/mdX -a <device list>
To add /dev/sda8 to the /dev/md0 RAID device created in the previous section:
mdadm /dev/md0 -a /dev/sda8
Listing 7.8 shows the output from cat /proc/mdstat. The /dev/sda8 partition is now a spare partition in the RAID array, marked (S).
LISTING 7.8 Adding a Spare Partition
Personalities : [raid0] [raid1]
md0 : active raid1 sda8[3](S) sda7[2] sda6[1] sda5[0]
      10241280 blocks [3/3] [UUU]
      [>....................]  resync =  0.6% (66560/10241280) finish=84.0min speed=2016K/sec

unused devices: <none>
If a partition in the array fails, use the following to mark it as failed so that the array rebuilds onto the spare partition already added (the failed member stays listed with an (F) flag until it is removed with mdadm /dev/mdX -r <device>):
mdadm /dev/mdX -f <failed device>
For example, to fail /dev/sda5 from /dev/md0 and replace it with the spare (assuming the spare has already been added):
mdadm /dev/md0 -f /dev/sda5
To verify that the device has been failed and that the rebuild has completed successfully, monitor the /proc/mdstat file (output shown in Listing 7.9):
tail -f /proc/mdstat
Notice that /dev/sda5 is now failed and that /dev/sda8 has changed from a spare to an active partition in the RAID array.
LISTING 7.9 Failing a Partition and Replacing It with a Spare
Personalities : [raid0] [raid1]
md0 : active raid1 sda8[3] sda7[2] sda6[1] sda5[4](F)
      10241280 blocks [3/2] [_UU]
      [>....................]  recovery =  0.2% (30528/10241280) finish=11.1min speed=15264K/sec

unused devices: <none>
Monitoring RAID Devices
The following commands are useful for monitoring RAID devices:
cat /proc/mdstat: Shows the status of the RAID devices and the status of any actions being performed on them such as adding a new member or rebuilding the array.
mdadm --query /dev/mdX: Displays basic data about the device such as size and number of spares, for example:
/dev/md0: 9.77GiB raid1 3 devices, 1 spare.
Add the --detail option to display more data (mdadm --query --detail /dev/mdX):
/dev/md0:
        Version : 00.90.03
  Creation Time : Mon Dec 18 07:39:05 2006
     Raid Level : raid1
     Array Size : 10241280 (9.77 GiB 10.49 GB)
    Device Size : 10241280 (9.77 GiB 10.49 GB)
   Raid Devices : 3
  Total Devices : 4
Preferred Minor : 0
    Persistence : Superblock is persistent
    Update Time : Mon Dec 18 07:40:01 2006
          State : clean, degraded, recovering
 Active Devices : 2
Working Devices : 3
 Failed Devices : 1
  Spare Devices : 1
 Rebuild Status : 49% complete
           UUID : be623775:3e4ed7d6:c133873d:fbd771aa
         Events : 0.5
    Number   Major   Minor   RaidDevice State
       3       8        8        0      spare rebuilding   /dev/sda8
       1       8        6        1      active sync   /dev/sda6
       2       8        7        2      active sync   /dev/sda7
       4       8        5        -      faulty spare   /dev/sda5
mdadm --examine <partition>: Displays detailed data about a component of a RAID array such as RAID level, total number of devices, number of working devices, and number of failed devices. For example, the output of mdadm --examine /dev/sda6 shows the following:
/dev/sda6:
          Magic : a92b4efc
        Version : 00.90.00
           UUID : be623775:3e4ed7d6:c133873d:fbd771aa
  Creation Time : Mon Dec 18 07:39:05 2006
     Raid Level : raid1
    Device Size : 10241280 (9.77 GiB 10.49 GB)
     Array Size : 10241280 (9.77 GiB 10.49 GB)
   Raid Devices : 3
  Total Devices : 4
Preferred Minor : 0
    Update Time : Mon Dec 18 07:40:01 2006
          State : active
 Active Devices : 2
Working Devices : 3
 Failed Devices : 0
  Spare Devices : 1
       Checksum : ee90b526 - correct
         Events : 0.5
      Number   Major   Minor   RaidDevice State
this     1       8        6        1      active sync   /dev/sda6
   0     0       0        0        0      removed
   1     1       8        6        1      active sync   /dev/sda6
   2     2       8        7        2      active sync   /dev/sda7
   3     3       8        8        3      spare   /dev/sda8
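The monitoring commands above are interactive; on a server you want a degraded array to raise an alert without anyone watching /proc/mdstat. The script below is an added example, not code from the book or from the mdadm project: it parses /proc/mdstat in the format of Listings 7.7 to 7.9, reports each array's level, active/configured member count and failed members, and exits non-zero when any array is degraded, which is the shape a cron job or monitoring agent needs. The function names and the mdstat sample are ours.

```shell
#!/bin/sh
# Added example, not from the book: a small /proc/mdstat checker for cron or
# a monitoring agent. It reports every md array with its level, active/total
# member count and any (F)ailed members, and exits non-zero when an array is
# degraded. Function names are ours; the input format is the one shown in
# Listings 7.7 to 7.9.

# Constructed /proc/mdstat sample: md0 is rebuilding onto its spare after
# sda5 failed (as in Listing 7.9); md1 is a healthy two-disk mirror.
SAMPLE_MDSTAT='Personalities : [raid0] [raid1]
md0 : active raid1 sda8[3] sda7[2] sda6[1] sda5[4](F)
      10241280 blocks [3/2] [_UU]
      [>....................]  recovery =  0.2% (30528/10241280) finish=11.1min speed=15264K/sec

md1 : active raid1 sdb1[0] sdc1[1]
      10241280 blocks [2/2] [UU]

unused devices: <none>'

# mdstat_report <mdstat text>: one line per array:
#   <md> <level> <active>/<total> HEALTHY|DEGRADED failed=<members or ->
# An array is degraded when fewer members are active than configured
# ([total/active] on the blocks line) or when any member carries (F).
mdstat_report() {
  printf '%s\n' "$1" | awk '
    /^md[0-9]+ *:/ {
      name = $1; level = $4; failed = ""
      for (i = 5; i <= NF; i++)
        if ($i ~ /\(F\)/) { d = $i; sub(/\[.*/, "", d); failed = failed (failed == "" ? "" : ",") d }
      want = 1; next
    }
    want && /blocks/ {
      total = "?"; active = "?"
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\[[0-9]+\/[0-9]+\]$/) { split(substr($i, 2, length($i) - 2), a, "/"); total = a[1]; active = a[2] }
      degraded = (failed != "" || (total != "?" && active + 0 < total + 0))
      printf "%s %s %s/%s %s failed=%s\n", name, level, active, total, (degraded ? "DEGRADED" : "HEALTHY"), (failed == "" ? "-" : failed)
      want = 0
    }'
}

# mdstat_degraded <mdstat text>: prints the names of degraded arrays;
# exit status 0 when every array is healthy, 1 otherwise.
mdstat_degraded() {
  mdstat_report "$1" | awk '$4 == "DEGRADED" { print $1; bad = 1 } END { exit bad ? 1 : 0 }'
}

# On a live system (read-only, no root needed), for example from cron:
#   mdstat_degraded "$(cat /proc/mdstat)" || logger -p daemon.err "md array degraded"
mdstat_report "$SAMPLE_MDSTAT"
```

An array is reported as degraded for the whole time a spare is rebuilding, which is deliberate: until the rebuild in Listing 7.9 finishes the mirror is running with one good copy, and a second failure in that window loses data. mdadm also ships its own monitor mode (mdadm --monitor) that can mail on the same events; the parser here is useful where you feed an existing agent or want the check in a script.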
Using MD Multipath
The hard drives in a system are connected to the rest of the system hardware via a disk controller. If the controller fails, the system can no longer communicate with the drives connected to it. However, some systems offer multipath disk access in which more than one controller is connected to the disks. If the active controller fails, a spare one replaces it, allowing continued access to the attached storage.
An example usage of MD Multipath is when a system is connected to a storage area network (SAN) via Fibre Channel cards. The multipath device can represent one interface that connects to the SAN using multiple physical cables. If one or more of the physical connections stops working or gets disconnected, the other physical cables are still active, and the storage is still accessible.
The Linux kernel offers Multiple Device (MD) Multipathing via its software RAID feature. MD Multipathing allows a device to be set up with multiple spares so that if the active device fails, I/O requests do not fail. If the active partition fails, the kernel activates one of the spare partitions as the active one.
To set up an MD Multipath device:
mdadm --create /dev/mdX --level=multipath --raid-devices=<num> <device list>
For example, use the following to set up /dev/md0 with three drives, two of which become spares:
mdadm --create /dev/md0 --level=multipath --raid-devices=3 /dev/sda1 /dev/sdc1 /dev/sdd1
The kernel monitors the partition for failure and activates a spare when it fails. However, the mdmpd daemon from the mdadm RPM package must be running to automatically add a failed partition back to the array when it becomes available again.
Understanding Clustering and GFS
In some enterprise infrastructures, high-performance, reliable, scalable servers and shared storage are necessary, with minimal downtime. Although RAID offers redundancy and NFS offers shared storage, they have limitations. For example, NFS transfer and access rates are slower than I/O to local disks and can be even slower depending on the number of simultaneous connections.
The Red Hat Cluster Suite offers application failover across multiple servers. Common servers that use clustering include web servers, database servers, and file servers such as GFS, or Global File System.
GFS is a scalable shared storage solution with I/O performance comparable to local disk access. It is usually combined with clustering to provide even more reliable storage with failover, redundancy, and simultaneous shared access to a GFS filesystem. When combined with clustering, the GFS filesystem is used on one or more file servers acting as the storage pool accessed by all the cluster nodes via a Storage Area Network (SAN). In addition to its ability to scale to meet the storage needs of hundreds or more servers simultaneously, the size of each GFS filesystem can be expanded while still in use.
The easiest way to start using the Red Hat Cluster Suite and Red Hat GFS is to install the packages from RHN using the Cluster Suite and GFS software channels. Refer to Chapter 3 for details on installing all the packages from a child software channel.
After installing the appropriate RPM packages, set up the cluster using the Cluster Configuration Tool (system-config-cluster) before configuring GFS. The exact configuration of Cluster Suite and GFS depends on a great many factors including the needs of your infrastructure, the budget allocated to the system group, the amount of shared storage needed plus extra for future expansion, and what type of application servers are to be run on the cluster servers. Refer to the Documentation and Knowledgebase sections of redhat.com for detailed instructions.
Using Access Control Lists
On an ext3 filesystem, read, write, and execute permissions can be set for the owner of the file, the group associated with the file, and for everyone else who has access to the filesystem. These permissions are visible with the ls -l command. Refer to Chapter 4, "Understanding Linux Concepts," for information on reading standard file permissions.
In most cases, these standard file permissions along with restricted access to mounting filesystems are all that an administrator needs to grant file privileges to users and to prevent unauthorized users from accessing important files. However, when these basic file permissions are not enough, access control lists, or ACLs, can be used on an ext3 filesystem.
ACLs expand the basic read, write, and execute permissions to more categories of users and groups. In addition to permissions for the owner and group of the file, ACLs allow permissions to be set for any user, any user group, and the group of all users not in the group for the file. An effective rights mask, which is explained later, can also be set to restrict permissions.
To use ACLs on the filesystem, the acl package must be installed. If it is not already installed, install it via Red Hat Network as discussed in Chapter 3.
Enabling ACLs
To use ACLs, they must be enabled when an ext3 filesystem is mounted. This is most commonly done with an option in /etc/fstab. For example:
LABEL=/share /share ext3 acl 1 2
If the filesystem can be unmounted and remounted while the system is still running, modify /etc/fstab for the filesystem, unmount it, and remount it so the changes to /etc/fstab take effect. Otherwise, the system must be rebooted to enable ACLs on the desired filesystems.
If you are mounting the filesystem via the mount command instead, use the -o acl option when mounting:
mount -t ext3 -o acl <device> <mountpoint>
Setting and Modifying ACLs
There are four categories of ACLs per file: for an individual user, for a user group, via the effective rights mask, and for users not in the user group associated with the file. To view the existing ACLs for a file, execute the following:
getfacl <file>
If ACLs are enabled, the output should look similar to Listing 7.10.
LISTING 7.10 Viewing ACLs
# file: testfile
# owner: tfox
# group: tfox
user::rwx
group::r-x
mask::rwx
other::r-x
To set or modify existing ACLs, use the following syntax:
setfacl -m <rules> <file>
Other useful options include --test to show the results of the command without changing the ACL and -R to apply the rules recursively.
Replace <file> with one or more space-separated file or directory names. Rules can be set for four different rule types. Replace <rules> with one or more of the following, and replace <perms> in these rules with one or more of r, w, and x (which stand for read, write, and execute):
For an individual user:
u:<uid>:<perms>
For a specific user group:
g:<gid>:<perms>
For users not in the user group associated with the file:
o:<perms>
Via the effective rights mask:
m:<perms>
The first three rule types (individual user, user group, or users not in the user group for the file) are fairly self-explanatory. They allow you to give read, write, or execute permissions to users in these three categories. A user or group ID may be used, or the actual username or group name.
CAUTION
Even if a username or group name is used to set an ACL, it is the numeric UID or GID that is stored in the ACL. If the UID or GID of a user or group later changes, the ACL is not updated: it still refers to the old number, so the renumbered account loses the access and any account later created with the old UID or GID silently gains it. Audit ACLs whenever accounts are renumbered or removed; getfacl prints a bare number in place of a name when the ID no longer resolves.
But what is the effective rights mask? The effective rights mask restricts the ACL permission set allowed for users or groups other than the owner of the file. The standard file permissions are not affected by the mask, just the permissions granted by using ACLs. In other words, if a permission (read, write, or execute) is not in the effective rights mask, it still appears in the ACLs retrieved with the getfacl command, but the permission is ignored. Listing 7.11 shows an example of this where the effective rights mask is set to read-only, meaning the read-write permissions for user brent and for the group associated with the file are effectively read-only. Notice the comment to the right of the ACLs affected by the effective rights mask.
LISTING 7.11 Effective Rights Mask
# file: testfile
# owner: tammy
# group: tammy
user::rw-
user:brent:rw-          #effective:r--
group::rw-              #effective:r--
mask::r--
other::rw-
The effective rights mask must be set after the other ACL rule types. When an ACL for an individual user (other than the owner of the file) or a user group is added, the effective rights
mask is automatically recalculated as the union of all the permissions for all users other than the owner and all groups including the group associated with the file. So, to make sure the effective rights mask is not modified after setting it, set it after all other ACL permissions.
If an ACL for one of these rule types already exists for the file or directory, the existing ACL for the rule type is replaced, not added to. For example, if user 605 already has read and execute permissions to the file, after the u:605:w rule is applied, user 605 only has write permission.
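Two things in the discussion above are worth checking mechanically rather than by eye: which ACL entries the mask silently cuts down, and which entries refer to a bare UID or GID that no longer resolves (the stale-ID situation from the caution). The script below is an added example, not code from the book or from the acl package: it parses getfacl output in the format of Listing 7.11 for both conditions, and builds setfacl rule strings with the m: rule placed last, following the ordering rule in the text. The function names and the getfacl sample (which adds one stale numeric UID to Listing 7.11) are ours.

```shell
#!/bin/sh
# Added example, not from the book: audit getfacl output for the two traps
# discussed in the text, and build setfacl rule strings with the mask last.
#   - entries whose rights are cut down by the mask (getfacl appends
#     "#effective:" to them), so the permission shown is not what applies;
#   - entries that name a bare UID/GID (getfacl prints a number when the ID
#     no longer resolves), i.e. a grant that a recycled UID would inherit.
# Function names and the sample are ours (hypothetical), not acl tools.

# Constructed getfacl output modelled on Listing 7.11, plus one stale UID.
SAMPLE_GETFACL='# file: testfile
# owner: tammy
# group: tammy
user::rw-
user:brent:rw-          #effective:r--
user:1042:rwx           #effective:r--
group::rw-              #effective:r--
mask::r--
other::rw-'

# acl_masked_entries <getfacl text>:
#   "<type>:<qualifier> granted=<perms> effective=<perms>" per masked entry.
acl_masked_entries() {
  printf '%s\n' "$1" | awk '
    /^#/ { next }
    $2 ~ /^#effective:/ {
      split($1, e, ":")
      printf "%s:%s granted=%s effective=%s\n", e[1], e[2], e[3], substr($2, 12)
    }'
}

# acl_numeric_ids <getfacl text>: named user/group entries whose qualifier
# is purely numeric, i.e. no current account owns that grant.
acl_numeric_ids() {
  printf '%s\n' "$1" | awk '/^(user|group):[0-9]+:/ { split($1, e, ":"); print e[1] ":" e[2] }'
}

# acl_rules_mask_last <rule>...: join setfacl -m rules with the m: rule
# moved to the end, following the "set the mask last" rule from the text.
acl_rules_mask_last() {
  rules=""; mask=""
  for r in "$@"; do
    case "$r" in
      m:*|mask:*) mask="$r" ;;
      *) rules="${rules:+$rules,}$r" ;;
    esac
  done
  out="$rules"
  if [ -n "$mask" ]; then out="${out:+$out,}$mask"; fi
  printf '%s\n' "$out"
}

# acl_apply <file> <rule>...: apply the rules in a single setfacl call (root).
acl_apply() {
  f="$1"; shift
  setfacl -m "$(acl_rules_mask_last "$@")" "$f"
}

# Demonstration on the constructed sample (no filesystem is touched):
acl_masked_entries "$SAMPLE_GETFACL"
acl_numeric_ids "$SAMPLE_GETFACL"
acl_rules_mask_last m:r u:brent:rw g:devs:r     # u:brent:rw,g:devs:r,m:r
```

Run the two audit functions over getfacl -R output for a share and every line they print is either a grant that does not do what it looks like or a grant with no living owner. Note that when the mask is given explicitly in the same setfacl call, setfacl keeps it rather than recalculating it, and setfacl -n suppresses the recalculation altogether; the ordering rule matters most when ACL entries and the mask are set in separate invocations.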
Setting Default ACLs
Two types of ACLs can be used: access ACLs and default ACLs. So far, this chapter has only discussed access ACLs. Access ACLs are set for individual files and directories. Directories, and directories only, can also have default ACLs, which are optional. If a directory has a default ACL set for it, any file or directory created in that directory inherits the default ACLs. If a file is created, its access ACLs are set to the default ACLs of the parent directory. If a directory is created, its access ACLs are set to the default ACLs of the parent directory and its own default ACLs are set to the same default ACLs as the parent directory.
To set an ACL as a default ACL, prepend d: to the rule, such as d:g:500:rwx to set a default ACL of read, write, and execute for user group 500. If any default ACL exists for the directory, the default ACLs must include a user, group, and other ACL at a minimum, as shown in Listing 7.12.
LISTING 7.12 Default ACLs
# file: testdir
# owner: tfox
# group: tfox
user::rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r--
If a default ACL is set for an individual user other than the file owner or for a user group other than the group associated with the file, a default effective rights mask must also exist. If one is not explicitly set, it is automatically calculated as with access ACLs. The same rules apply for the default ACL effective rights mask: it is recalculated after an ACL for any user other than the owner is set or if an ACL for any group including the group associated with the file is set, meaning it should be set last to ensure it is not changed after being set.
Remev|ng ACLs
The se1facJ -x <ruJes> <f1Je> command can be used Io remove ACL permissions by
ACL rule Iype. The <ruJes> or Ihis command use Ihe same synIax as Ihe se1facJ -n
<ruJes> <f1Je> command excepI IhaI Ihe <perns> ield is omiIIed because all rules or
Ihe rule Iype are removed.
II is also possible Io remove all ACLs or a ile or direcIory wiIh:
se1facJ --renove-aJJ <f1Je>
To remove all deaulI ACLs or a direcIory:
se1facJ --renove-defauJ1 <d1r>
Preserving ACLs

The NFS and Samba file sharing clients in Red Hat Enterprise Linux recognize and use any
ACLs associated with the files shared on the server. If your NFS or Samba clients are not
running Red Hat Enterprise Linux, be sure to ask the operating system vendor about ACL
support or test your client configuration for support.

The mv command preserves the ACLs associated with the file when it moves it. If it can't
for some reason (for example, the destination filesystem has no ACL support), a warning
is displayed. However, a plain cp command does not preserve ACLs; copy with cp -p or
cp -a (that is, cp --preserve=mode), which carries the ACL across when the coreutils build
supports ACLs, and check the result with getfacl.

The tar and dump commands also do not preserve the ACLs associated with files or direc-
tories and should not be used to back up or archive files with ACLs. To back up or archive
files while preserving ACLs, use the star utility. For example, if you are moving a large
number of files with ACLs, create an archive of all the files using star, copy the star
archive file to the new system or directory, and unarchive the files. Be sure to use getfacl
to verify that the ACLs are still associated with the files. The star RPM package must be
installed to use the utility. Refer to Chapter 3 for details on package installation via Red
Hat Network. The star command is similar to tar. Refer to its man page with the man
star command for details.

An alternative that needs no extra package is to save the ACLs separately with
getfacl -R <dir> > acls.txt, move the files with any tool, and reapply them at the
destination with setfacl --restore=acls.txt, run from the same relative directory because
the saved paths are relative. This also leaves you a text record of the ACLs to review or
compare later.
Using Disk Quotas

Part of managing storage is determining how the available storage can be used. Although
setting the size of filesystems such as /tmp and /home can limit storage for certain types of
data, it is sometimes necessary to limit disk usage per user or per user group so that one
account cannot fill a shared filesystem and deny service to everyone else. This is
possible with disk quotas. To use quotas, the quota RPM package must be installed. Refer
to Chapter 3 for details on installing packages.
Enabling Quotas

To use quotas, they must be enabled in /etc/fstab, which is read at boot time to mount
filesystems. This enables quotas in the kernel booted for the system. To add them as mount
options in /etc/fstab, for example (as the root user):

/dev/VolGroup00/LogVol01  /home  ext3  defaults,usrquota,grpquota  1 2

The usrquota mount option enables user quotas, and the grpquota option enables group
quotas. One or both can be used. Either reboot the system to enable the quotas or
remount each filesystem as root with the following command:

mount -o remount,acl,usrquota,grpquota,rw <mountpoint>

Once again, one or both of usrquota or grpquota can be used. In our example,
<mountpoint> would be /home. To verify that the remount enabled quotas, execute
the following command:

mount | grep <mountpoint>

or, if you are following the example, mount | grep home. The output shows
which mount options were used to mount the filesystem:

/dev/VolGroup00/LogVol01 on /home type ext3 (rw,acl,usrquota,grpquota)
Creating Quota Database Files

The first time the system is booted with quotas enabled in /etc/fstab, quotas are not
turned on because the quota database files for the filesystem do not exist. The quotacheck
command is used to create these files.

After rebooting with quotas enabled in /etc/fstab and before executing the quotaon
command to turn on quotas, the filesystem must be initialized to use quotas. If they do
not already exist, the aquota.user and aquota.group files are created in the root directory
of the filesystem. These are database files used to enforce quotas.

Refer to the quotacheck man page for a list of all options and determine which options
are best for your situation. By default, only user quotas are checked and initialized. If you
need to initialize user group quotas as well, specify it with the -g option. A typical
command to run with options, as the root user, would be:

quotacheck -uvg <devicename>

such as:

quotacheck -uvg /dev/VolGroup00/LogVol02

The -c option tells quotacheck to ignore any existing quota files and build new ones from
the scan, which is what you want on a filesystem that has never had quotas.

Because disk usage can change when the filesystem is mounted in read-write mode, it is
recommended that quotacheck be run when the filesystem is mounted read-only. If the
filesystem is mounted when quotacheck is run, quotacheck will try to remount it read-only
before starting the scan. It then remounts it in read-write mode after the scan is complete.
If it is unable to mount it read-only, a message similar to the following appears:

quotacheck: Cannot remount filesystem mounted on /home read-only
so counted values might not be right.
Please stop all programs writing to filesystem or use -m flag to force checking.

If quotacheck can't remount the filesystem read-only before starting, you can force the
quota check anyway by using the -m command-line option, accepting that the counts may
be slightly off for files written during the scan.

The quotacheck utility should be run on a regular basis to keep quotas accurate or after a
system crash in which the filesystem was not unmounted cleanly. To make sure it is done
on a schedule, set up a cron task that is run automatically at set times. Refer to Chapter
11, "Automating Tasks with Scripts," for details on setting up a cron task.

After creating the quota database files, be sure to turn quotas on as described in the next
section. After the quota database files are created, subsequent boots with the usrquota
and/or grpquota mount options in /etc/fstab will automatically have quotas turned on
for those filesystems.
Turning Quotas On and Off

Quotas can be turned on and off without rebooting the system with the quotaon and
quotaoff commands, but only for filesystems that meet two conditions: the filesystem
must be mounted at boot time with the usrquota and/or grpquota mount options in
/etc/fstab, and the filesystem must have the aquota.user and/or aquota.group files in
the root of the filesystem.

To turn quotas on for an already mounted filesystem, the quotaon utility can be used. As
root, use the following to enable user and group quotas:

quotaon -vug <devicename>

To temporarily turn off quotas, execute the following command as root:

quotaoff -vug <devicename>

The -vug options specify that messages should be displayed showing that the quotas are
being turned off as well as error messages if they exist and that both the user and group
quotas should be turned off.

Note that the mount options do not change when quotas are turned on or off. The mount
command only shows whether the filesystem was mounted with usrquota and/or grpquota:

/dev/VolGroup00/LogVol01 on /home type ext3 (rw,acl,usrquota,grpquota)

To verify that quotas are actually being enforced at the moment, run quotaon -p
<devicename>, which prints whether user and group quotas are currently on or off for
that filesystem.
Setting and Modifying Quotas

Quotas can be set per user, group, or filesystem with the edquota command. The user or
group name can be used, or the UID or GID for the user or group. To set or modify the
quota for a user, execute the following as root:

edquota <username>
To set or modify the quota for a user group, execute the following as root:

edquota -g <groupname>

When the edquota command is executed, the default text editor is opened as determined
by the $EDITOR environment variable. In Red Hat Enterprise Linux, the default editor is
Vi. To set the default editor to a different editor, execute the following command, replac-
ing emacs with the editor of your choice (this setting is per user):

export EDITOR="emacs"

When this command is executed, it only changes the default editor for that login session.
When the system is rebooted, this setting is lost. To permanently change the default
editor, add the command as a line to your .bashrc file in your home directory. The
.bashrc file is only read when a new shell is started, so to enable changes to the file after
you have already logged in, execute the source ~/.bashrc command.

When setting quotas, there are two types of limits: soft limits and hard limits. When the
soft limit is reached, the user is warned and allowed to exceed the soft limit for a grace
period, which is set to 7 days by default in Red Hat Enterprise Linux. This grace period
allows the user or group time to reduce disk usage and return to below the soft limit. A
hard limit is the absolute maximum amount of disk usage the user or group is allowed.
After it is reached, no more disk space is allocated to the user or group.

If a user or group still exceeds the soft limit after the grace period has expired, the soft
limit is treated as a hard limit, and the user or group is not allowed additional disk usage
until the disk usage falls below the soft limit.

When the edquota command is executed, the output looks similar to Listing 7.13, which
shows content for modifying quotas for the user tfox.

LISTING 7.13 Setting Disk Quotas

Disk quotas for user tfox (uid 501):
  Filesystem                        blocks   soft   hard  inodes   soft   hard
  /dev/mapper/VolGroup00-LogVol02    59403      0      0       0      0      0

There are seven columns of information. The first column shows the filesystem in ques-
tion. The next three columns are for setting quotas according to block size, with the first
being the current block usage for the user or group. The next two are for setting the soft
and hard limits for block usage. The last three columns are for inode usage, with the first
being the current usage for the user or group, and the last two being the soft and hard
limits. Block values are in 1 KB blocks, so a limit of 40000000 is roughly 38 GB. Setting
any of these limits to 0, the default, means there is no limit. The block and inode usage
columns are for reference only and should not be modified. Change the values of the
limits, save the file, and exit. To set limits non-interactively, for example from a
provisioning script, the quota package also provides the setquota command, which takes
the user or group name, the four limits, and the filesystem on its command line; refer
to the setquota man page.

To modify the grace period for a filesystem, execute the following as root:

edquota -t
This grace period is used for all users and groups. To set the grace period for a specific
user, execute the following as root, where <username> is a username or UID:

edquota -T <username>

To set the grace period for a specific user group, execute the following as root, where
<groupname> is a group name or GID:

edquota -T -g <groupname>

Displaying Quotas

To display all user quotas along with usage, execute the following as root (add -g, as in
repquota -aug, to include group quotas):

repquota -a

The output should look similar to Listing 7.14.

LISTING 7.14 Reporting Disk Usage and Quotas

*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol01
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --    189192        0        0            336     0     0
bfox      --   3216936 40000000 45000000          26383     0     0
tfox      --  36329868 40000000 45000000          56253     0     0

The two-character column after the user name flags whether the block (first character) or
inode (second character) soft limit has been exceeded: -- means within limits, and + means
exceeded, in which case the grace column shows the time left, or none once it has expired.
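The following Python script is an added example for this section, not code from the book or from the quota package. It parses a repquota report and applies the soft, hard and grace rules above to flag accounts that need attention, the kind of check that pairs with the quotacheck cron job mentioned earlier. The report it reads is constructed from Listing 7.14 with three extra rows; the user jdoe and the limit values on those rows are invented for the demonstration.

```python
# Parse a repquota report and apply the soft/hard/grace rules from this
# section to find accounts that need attention.  Added example; not code
# from the book or the quota package.  SAMPLE_REPORT is constructed from
# Listing 7.14 plus rows for bfox over its block soft limit with grace
# left, tfox with grace expired, and an invented jdoe over its inode limit.
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_REPORT = """\
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol01
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  189192       0       0            336     0     0
bfox      +- 42000000 40000000 45000000 5days    26383     0     0
tfox      +- 36329868 30000000 45000000  none    56253     0     0
jdoe      -+  1200000 40000000 45000000         120000 100000 150000 2days
"""


@dataclass
class QuotaRow:
    name: str
    block_used: int
    block_soft: int
    block_hard: int
    block_grace: Optional[str]   # printed only when the block soft limit is exceeded
    inode_used: int
    inode_soft: int
    inode_hard: int
    inode_grace: Optional[str]   # printed only when the inode soft limit is exceeded


def parse_repquota(text):
    """One QuotaRow per data line; header and separator lines are skipped.
    The flag column ('--', '+-', '-+', '++') says which soft limits are
    exceeded, and repquota prints a grace column only for those."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not re.fullmatch(r"[-+]{2}", f[1]):
            continue
        name, flags, i = f[0], f[1], 2
        b_used, b_soft, b_hard = (int(x) for x in f[i:i + 3])
        i += 3
        b_grace = None
        if flags[0] == "+":
            b_grace, i = f[i], i + 1
        i_used, i_soft, i_hard = (int(x) for x in f[i:i + 3])
        i += 3
        i_grace = f[i] if flags[1] == "+" and i < len(f) else None
        rows.append(QuotaRow(name, b_used, b_soft, b_hard, b_grace,
                             i_used, i_soft, i_hard, i_grace))
    return rows


def classify(used, soft, hard, grace):
    """Soft/hard/grace semantics: 0 means no limit; an expired grace period
    (shown as 'none' by repquota) turns the soft limit into a hard one."""
    if hard and used >= hard:
        return "hard limit reached"
    if soft and used > soft:
        if grace == "none":
            return "soft limit exceeded, grace expired (treated as hard)"
        return "soft limit exceeded, %s of grace left" % grace
    return "ok"


def report(text):
    """Map each user to (block status, inode status)."""
    return {row.name: (classify(row.block_used, row.block_soft, row.block_hard, row.block_grace),
                       classify(row.inode_used, row.inode_soft, row.inode_hard, row.inode_grace))
            for row in parse_repquota(text)}


def needs_attention(text):
    """Users with at least one limit exceeded, e.g. for a cron-driven warning mail."""
    return sorted(u for u, (b, i) in report(text).items() if b != "ok" or i != "ok")


if __name__ == "__main__":
    for user, (blocks, inodes) in report(SAMPLE_REPORT).items():
        print("%-10s blocks: %-50s inodes: %s" % (user, blocks, inodes))
```

On a live system feed it the output of repquota -a (or repquota -aug) instead of SAMPLE_REPORT. Because the grace column is absent when no soft limit is exceeded, the parser keys off the flag column rather than fixed positions, which is what makes it robust to the variable-width rows repquota prints.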
Summary

After reading this chapter, you now have an understanding of the many storage configu-
ration schemes in Red Hat Enterprise Linux, some of which can be combined. Standard
partitions are straightforward and necessary for some mount points but lack the option to
resize without destroying the existing partitions. LVM is the default partitioning scheme
for Red Hat Enterprise Linux. Logical volumes can be resized easily. Software RAID offers
redundancy and some speed advantages. Global File Systems and clustering offer scalable,
reliable storage for enterprises.
IN THIS CHAPTER

64-Bit Processors
Multi-Core Processors
Processors with Hyper-Threading Technology

CHAPTER 8
64-Bit, Multi-Core, and Hyper-Threading Technology Processors

As systems, both servers and desktops, require more processing power, larger file sizes,
and access to more and more memory, CPU manufacturers have been developing
processors to address these needs. Red Hat Enterprise Linux has also evolved to support
these technologies.
64-Bit Processors

64-bit x86 processors reached the mainstream computer market in 2003 and 2004. In the
beginning, these 64-bit processors were only used for servers, but ones such as the AMD
Athlon 64 are now being used for desktop computers as well.

Red Hat Enterprise Linux supports both 32-bit and 64-bit processors. If you have a system
with a 64-bit processor, install the 64-bit version of the operating system if you want the
64-bit kernel, libraries, and available applications to be installed.

Most of the modern 64-bit processors such as the AMD64 and EM64T can also run 32-bit
applications if the operating system also supports it. 32-bit support is installed by
default when installing the 64-bit version of Red Hat Enterprise Linux.

To run both 32-bit and 64-bit applications, both sets of libraries must be installed. Having
both the 64-bit and 32-bit versions of a library installed at the same time is known as
multilib. Red Hat Enterprise Linux allows for this by following the FHS guidelines. 32-bit
libraries are installed in /lib/ and /usr/lib/, and 64-bit libraries are installed in
/lib64/ and /usr/lib64/.

NOTE

For the complete FHS guidelines explanation of how 32-bit and 64-bit libraries co-exist,
refer to http://www.pathname.com/fhs/pub/fhs-2.3.html#LIB64.
Some packages have been compiled for the 64-bit architecture but are available in a 32-bit
version as well. When using Red Hat Network to install a package on a 64-bit system with
the 64-bit version of the OS installed, the 64-bit version of the package is installed if
available. If the 32-bit version is the only one available, it is installed. If both versions are
available, the architecture can be specified if installing from Red Hat Network:

yum install <package_name>.<arch>

Replace <arch> with the 32-bit architecture compatible with your 64-bit processor, such as
i386 for Intel Itanium, AMD64, and EM64T systems. If you are selecting a package to
install via the RHN website, the architecture is included in the package name such as
glibc-2.3.4-2.i686 and glibc-2.3.4-2.ia64. If you are installing software directly from
the RPM package file, remember that the filename includes the architecture such as
glibc-2.3.4-2.i686.rpm. Table 8.1 shows the architecture abbreviations used in the RPM
filename and in the package name listed on the RHN website. It also shows the compati-
ble 32-bit architectures.

TABLE 8.1 Compatible Architectures

Processor        RPM Architecture   Compatible 32-Bit Architectures
Intel Itanium    ia64               i386, i686
AMD64, EM64T     x86_64             i386, i686
IBM POWER        ppc64              ppc
IBM zSeries      s390x              s390

After installing both versions of a library, how can you verify they are both installed? The
rpm -q <package-name> command doesn't display the architecture of the package by
default. But the command can be configured to show this information by using the
--queryformat option:

rpm -q <package-name> --queryformat='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'

This changes the format displayed to also include a period at the end of the package
name followed by the architecture, such as the following for two different builds of glibc:

glibc-2.3.4-2.19.i686
glibc-2.3.4-2.19.x86_64

Because the two builds are separate packages, a security update has to reach both of them;
a query that hides the architecture can make it look as though the fixed version is installed
when only one of the two copies has been updated.

This option is very useful, but it is not easy to remember. Luckily, this format can be
saved as the default for each user. In your home directory, create a .rpmmacros file if you
don't already have one. In this file, add the following line:

%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}
CHAPTER 8 64-Bit, Multi-Core, and Hyper-Threading Technology Processors 196
Duplicate this file for each user who wants to view the architecture of the packages
queried.

TIP

Add this formatting line to the .rpmmacros file for the root user as well if you often
perform RPM queries as root.
Multi-Core Processors

A multi-core processor is a processor that contains two or more processor cores on a single
processor chip, with each core having its own execution units and, typically, its own cache.
The advantages of using multi-core processors include the following:

- More processor cores on a single processor means a smaller physical footprint for a
  multi-processor machine. More processor cores can fit in a single unit.

- If combined with Virtualization or a similar technology, each processor core can be
  dedicated to a virtual machine. Just switching to dual-core processors doubles the
  number of virtual machines with a dedicated processor. Refer to Appendix B,
  "Creating Virtual Machines," for details on implementing the Virtualization layer.

The Linux kernel recognizes the number of physical processors, the number of processor
cores on each physical processor, and the total number of processor cores. It uses each
processor core as it would a separate physical processor. In addition to the processor
vendor, speed, and cache size, the /proc/cpuinfo virtual file shows information about the
processor cores. To view the contents of this virtual file, use the cat /proc/cpuinfo
command.

Listing 8.1 shows the output on a system with two processors, with each processor having
two processor cores. The processor field counts the total number of processor cores for
the entire system. In Listing 8.1, this value starts with 0 and ends with 3, for a total of
four processor cores. The total number of physical processors is two, as shown by the
physical id field starting at 0 for the first processor core and ending at 1 for the last
processor core. The value of the cpu cores field is the total number of processor cores on
the physical processor. The core id field numbers the processor cores within each
physical processor.
LISTING 8.1 Contents of /proc/cpuinfo for a 2-Processor, Dual-Core System

processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 33
model name      : AMD Opteron(tm) Processor 860
stepping        : 2
cpu MHz         : 1607.417
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext lm 3dnowext 3dnow pni
bogomips        : 3218.03
TLB size        : 1088 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management: ts ttp

processor       : 1
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 33
model name      : AMD Opteron(tm) Processor 860
stepping        : 2
cpu MHz         : 1607.417
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext lm 3dnowext 3dnow pni
bogomips        : 3214.44
TLB size        : 1088 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management: ts ttp

processor       : 2
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 33
model name      : AMD Opteron(tm) Processor 860
stepping        : 2
cpu MHz         : 1607.417
cache size      : 1024 KB
physical id     : 1
siblings        : 2
core id         : 0
cpu cores       : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext lm 3dnowext 3dnow pni
bogomips        : 3214.42
TLB size        : 1088 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management: ts ttp

processor       : 3
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 33
model name      : AMD Opteron(tm) Processor 860
stepping        : 2
cpu MHz         : 1607.417
cache size      : 1024 KB
physical id     : 1
siblings        : 2
core id         : 1
cpu cores       : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext lm 3dnowext 3dnow pni
bogomips        : 3214.42
TLB size        : 1088 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management: ts ttp
Processors with Hyper-Threading Technology

Processors with Hyper-Threading Technology (HT Technology) are seen by the operating
system as two logical processors. These processors are different from multi-core processors
because processors with HT Technology do not contain all the components of two sepa-
rate processors. Only specific parts of a second processor are duplicated so that two process
threads can be executed at the same time on one core.

When Red Hat Enterprise Linux detects a processor with HT Technology, it configures the
system as a multi-processor system, and therefore uses the SMP kernel. This can be seen in
the output of the /proc/cpuinfo virtual file as shown in Listing 8.2.
LISTING 8.2 Contents of /proc/cpuinfo for a Processor with HT Technology

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 3
model name      : Genuine Intel(R) CPU 3.20GHz
stepping        : 3
cpu MHz         : 2793.829
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pni monitor ds_cpl cid
bogomips        : 5592.02

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 3
model name      : Genuine Intel(R) CPU 3.20GHz
stepping        : 3
cpu MHz         : 2793.829
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 1
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pni monitor ds_cpl cid
bogomips        : 5585.63
Similar to the previous example for the multi-core processors, look at the processor,
physical id, core id, and cpu cores fields to verify that the system is recognized as one
with HT Technology. The processor count goes from 0 to 1, indicating that, as far as the
operating system is concerned, there are two processors to send data to for execution.
The physical id is 0 for both, meaning that there is only one physical processor. The
value of cpu cores is 1, and the value of core id is 0 for both, meaning that the proces-
sor is not a multi-core processor. Thus, the processor must have HT Technology because
the logical processor count is 2 with only one processor core. The siblings field, which
counts logical processors per physical processor, makes the same point: siblings (2) is
greater than cpu cores (1). Do not rely on the ht entry in the flags line alone; it is also
present on the Opteron in Listing 8.1, which has no Hyper-Threading.
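As an added example (not code from the book), the Python below reads /proc/cpuinfo text and derives the counts discussed for Listings 8.1 and 8.2: logical processors, physical packages, cores, and whether Hyper-Threading is present. The two inputs are abbreviated stanzas built from the fields shown in those listings; on a live system, pass the contents of /proc/cpuinfo to topology() instead.

```python
# Derive the CPU topology from /proc/cpuinfo the way the text describes:
# count logical processors, physical packages and cores, and detect
# Hyper-Threading from siblings versus cpu cores.  Added example; not code
# from the book.  The samples are abbreviated stanzas rebuilt from the
# fields shown in Listings 8.1 and 8.2.

def cpuinfo_block(processor, physical_id, core_id, siblings, cpu_cores, flags):
    """Build one /proc/cpuinfo stanza containing only the fields used here."""
    return "\n".join([
        "processor\t: %d" % processor,
        "physical id\t: %d" % physical_id,
        "siblings\t: %d" % siblings,
        "core id\t\t: %d" % core_id,
        "cpu cores\t: %d" % cpu_cores,
        "flags\t\t: %s" % flags,
    ]) + "\n"


AMD_FLAGS = ("fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat "
             "pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext lm 3dnowext 3dnow pni")
INTEL_FLAGS = ("fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 "
               "clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pni monitor ds_cpl cid")

# Listing 8.1: two packages with two cores each, no HT (siblings == cpu cores).
DUAL_CORE_SAMPLE = "\n".join(
    cpuinfo_block(p, p // 2, p % 2, 2, 2, AMD_FLAGS) for p in range(4))
# Listing 8.2: one package, one core, two logical processors (HT).
HT_SAMPLE = "\n".join(
    cpuinfo_block(p, 0, 0, 2, 1, INTEL_FLAGS) for p in range(2))


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one {field: value} dict per logical processor."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def topology(text):
    """Summarise what the kernel sees.  Hyper-Threading is inferred from
    siblings > cpu cores; the 'ht' flag alone is not reliable because the
    non-HT Opteron in Listing 8.1 reports it too.  'lm' (long mode) marks
    an x86 processor able to run the 64-bit kernel."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no processors found")
    packages = {c.get("physical id", "0") for c in cpus}
    cores = {(c.get("physical id", "0"), c.get("core id", "0")) for c in cpus}
    siblings = int(cpus[0].get("siblings", "1"))
    cpu_cores = int(cpus[0].get("cpu cores", "1"))
    flags = set(cpus[0].get("flags", "").split())
    return {
        "logical": len(cpus),
        "packages": len(packages),
        "cores": len(cores),
        "hyperthreading": siblings > cpu_cores,
        "ht_flag": "ht" in flags,
        "x86_64_capable": "lm" in flags,
    }


if __name__ == "__main__":
    for label, sample in (("Listing 8.1", DUAL_CORE_SAMPLE), ("Listing 8.2", HT_SAMPLE)):
        print(label, topology(sample))
```

The x86_64_capable field ties back to the 64-bit section: a processor whose flags include lm can run the 64-bit version of the operating system even if the 32-bit version happens to be installed, which is worth checking before deciding which installation media to use.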
Hyper-Threading can be disabled at boot time with a kernel option passed to the kernel
using the GRUB boot loader. This process only disables Hyper-Threading for one boot
instance. It must be repeated on subsequent boots to continue disabling Hyper-Threading.
The steps are as follows:

1. When the GRUB boot menu appears, use the up and down arrows to select the
   kernel to boot.

2. Press the E key to edit the selected entry, then select its kernel line and press E
   again to edit that line.

3. At the end of the line, add a space and then the noht kernel option.

4. Press Enter to return to the entry, and then press the B key to boot the system.

Hyper-Threading can be disabled for all subsequent boots if the kernel option is added to
the GRUB configuration file. As root, open the /etc/grub.conf file and find the kernel
stanza for which you want to disable Hyper-Threading. Find the kernel line for the stanza,
add a space to the end, and add the noht kernel option as shown in Listing 8.3.

LISTING 8.3 Disabling Hyper-Threading with GRUB

default=0
timeout=15
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.16-1.2133)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.16-1.2133 ro root=LABEL=/ rhgb quiet noht
        initrd /boot/initrd-2.6.16-1.2133.img
Summary

This chapter explained what to look for when using Red Hat Enterprise Linux on 64-bit
and multi-core systems as well as systems with Hyper-Threading Technology. Install Red
Hat Enterprise Linux on these systems as you would for any other system. For the 64-bit
system, be sure to install the 64-bit version of the operating system. For a multi-core
system, the number of processor cores is detected, and the appropriate kernel is installed.
PART III
System Administration

IN THIS PART

CHAPTER 9  Managing Users and Groups  205
CHAPTER 10 Techniques for Backup and Recovery  221
CHAPTER 11 Automating Tasks with Scripts  239
IN THIS CHAPTER

What Are Users and Groups?
Managing Users
Managing Groups
How It All Works
Best Practices

CHAPTER 9
Managing Users and Groups
With Red Hat Enterprise Linux, all users must enter a username and password combination
to use the operating system and applications, for security. Privileges and access to specific
files and directories can be granted or denied based on a person's username. Thus, part of
an administrator's duties is to manage the company's database of users and groups as
employees change, request more storage, and transfer to different departments. Although
adding users and groups seems like a simple task on the surface, it does require forward
planning and preparation for a large user group such as one for a large company or
corporation or for an organization that requires users to have access to multiple computers
throughout the same building or even a set of worldwide offices.

This chapter explains how to manage local users and groups. Local users and groups are
authenticated by the system on which they are logging in. The files storing usernames,
groups, and passwords are all on the local system. Users and groups can also be
authenticated from a network server. For details on network services that allow identity
management from a central server, refer to Chapter 12, "Identity Management."

Even if you are using remote identity management, it is recommended that you read the
first section, "What Are Users and Groups?", and the last section, "Best Practices." The
last section provides tips on managing usernames, managing passwords, deleting accounts,
and structuring home directories. The methods in this section apply to user management
regardless of whether the authentication takes place on the local system or from a remote
server.
What Are Users and Groups?

In addition to a Red Hat Enterprise Linux system having a username for each user allowed
access to a system, each system has user groups. A user group is a group of one or more
users. A user can be a member of more than one group. As discussed in the section "File
Permissions" of Chapter 4, "Understanding Linux Concepts," file and directory permis-
sions can be granted for the owner of the file, the group associated with the file, and all
users on the system.

User groups can be any grouping of users on which you decide: groups of users in a func-
tional department, groups in the same physical location, or groups based on security
access. It is important to plan the user groups for your company carefully before imple-
menting them because changing them means changing the groups associated with files,
which can sometimes lead to incorrect group permissions if they are not changed correctly.
Managing Users

Each user on a Red Hat Enterprise Linux system is assigned a unique user identification
number, also known as a UID. UIDs below 500 are reserved for system users such as the root
user. System users also include those added for a specific service such as the nfsnobody, rpc,
and rpcuser users for the NFS service.

By default in Red Hat Enterprise Linux, when a user is added, a private user group is
created, meaning that a user group of the same name is created and that the new user is
the sole user in that group.

Red Hat Enterprise Linux includes a graphical program for managing users and groups.
The system-config-users package is required to do so. Install it using the RHN website or
YUM as described in Chapter 3, "Operating System Updates." Start the user and group
tool from the System menu on the top panel of the desktop by selecting Administration,
Users and Groups or execute the command system-config-users. If the program is run
as a non-root user, enter the root password when prompted. As shown in Figure 9.1, all
existing users are listed on the Users tab.

By default, system users are not shown in the list of users. To show system users in the
list, select Edit, Preferences from the pull-down menu. In the Preferences dialog, unse-
lect the Hide system users and groups option, and click Close.

Adding and Modifying Users

To add a new user, click Add User to display the dialog window in Figure 9.2.

Configure the username, full name, and password for the new user. The default login
shell for new users is bash. By default, the directory /home/<username>/ is created as the
user's home directory, and a private group is created for the user. These options can be
modified as shown in Figure 9.2. A UID of 500 or higher is automatically selected for the
user. To manually set the UID, select the Specify user ID manually option and then select
a UID. Click OK to add the user to the system. The user immediately appears on the Users
tab of the main window, and is also added to the system.
CHAPTER 9 Managing Users and Groups 206
FIGURE 9.1 List of Existing Users

FIGURE 9.2 Adding a New User
To configure more advanced user options for the new user or any existing user, select him
from the list on the Users tab and click Properties. The dialog box in Figure 9.3 appears
and displays the options currently configured for the user. Features such as account expi-
ration, password locking, password expiration, and groups to which the user is a member
are configurable from the User Properties dialog box.

FIGURE 9.3 Modifying User Properties

Deleting Users

To delete a user, select her from the list and click Delete. When deleting a user, you have
the option of deleting the user's home directory, mail spool, and temporary files. Changes
take effect immediately, so clicking Yes will remove the user and the user's files. Any
remaining files will still exist with the user's old UID, so be careful when creating new
users. If the UID is reused for a different user, you might be giving the new user access to
the old user's files because file permissions are based on the UID and GID associated with
the file. Before reusing a UID, locate such orphaned files with find / -nouser (and
find / -nogroup for orphaned GIDs) and reassign or remove them; files outside the home
directory, such as in /tmp, /var/spool, or shared project directories, are easy to miss.

When using the graphical application, the private user group for the user is deleted when
the user is deleted from the system. The user being deleted is also removed from any
other groups of which it was a member.
Configuring via the Command Line

If you prefer the command line or do not have a graphical desktop installed on the
system, the shadow-utils RPM package provides utilities to add, modify, and delete users
from a shell prompt.

The commands discussed in this section require the administrator to be logged in as the
root user. If you are logged in as a non-root user, execute the su - command from a shell
prompt, and enter the root password to become the root user.

Adding Users

To add a new user, use the useradd command. The basic syntax is useradd <username>.
The username is the only information required to add a new user; however, Table 9.1
shows additional command-line arguments for useradd. The useradd command creates
the account, but the account is locked. To unlock the account and create a password for
the user, use the command passwd <username>. By default, the user's home directory is
created and the files from /etc/skel/ are copied into it. The two exceptions are if the -M
option is used and if the home directory already exists.
TABLE 9.1 Options for useradd

Command-Line Option   Description

-c <fullname>         Full name of the user (or a comment about the user). If more than
                      one word is needed, place quotation marks around the value.
-d <directory>        Home directory for the user. The default value is /home/<username>/.
-e <date>             Date on which the user account will expire and be disabled. Use
                      the format YYYY-MM-DD (default: never expire or disable).
-f <numdays>          Number of days after the password expires until the account will be
                      disabled. 0 disables the account immediately after the password
                      expires. -1 disables this feature (default: -1).
-g <group>            Default group for the user specified as a group name or group ID
                      number. The group name or GID must already exist. The default is
                      to create a private user group. If a private user group is not
                      created, the default is the users group.
-G <group>            Comma-separated list of additional group names or GIDs to which
                      the user will be a member. Groups must already exist.
-M                    Do not create a home directory for the user. By default, a home
                      directory is created unless this option is used or unless the direc-
                      tory already exists.
-m                    Create a home directory for the user if it doesn't exist. Files from
                      /etc/skel/ are copied into the home directory.
-n                    Do not create a private user group for the user. By default, a private
                      user group is created for the user.
-o                    Allow the creation of a user with a UID that already exists for
                      another user. By default, the UID must be unique. Two accounts
                      sharing one UID are indistinguishable to the kernel: they own, and
                      can access, each other's files.
-p <password>         Specify an encrypted password for the user as returned by the
                      crypt utility. By default, the account is locked until the passwd
                      command is used to set the user's password. A hash given here is
                      visible in the shell history and in the process list while useradd
                      runs, so setting the password afterwards with passwd is preferable.
-r                    Add the user as a system user with a UID below 500 and with a
                      password that never expires. The user's home directory is not
                      created unless the -m option is used. The default is UID 500 or
                      higher for a non-system user.
-l                    Do not add the user to the last login log file. The default is to add
                      the user to the last login log file.
-s <shell>            Specify the user login shell for the user. The default shell if not
                      specified is /bin/bash.
-u <uid>              Integer to use for the user ID. Must be unique unless -o is used.
                      Values less than 500 are reserved for system users.
Modifying Users
The usermod command can also be used to modify options for an existing user with the usermod <options> <username> command. Most of the useradd options from Table 9.1 can be used with usermod. Table 9.2 lists additional usermod options.
TABLE 9.2 Additional Options for Modifying Users
Command-Line Option   Description
-l <loginname>   Change the user's username to <loginname>. You should consider changing the user's home directory and the name of the user private group to reflect the username change.
-L               Lock the user's password by placing the ! character in front of it in /etc/shadow or /etc/passwd. The user can no longer log in to the system with the old password.
-U               Unlock the user's password so the user can log in to the system again. Removes the ! character in front of it in /etc/shadow or /etc/passwd.
Password Aging
Optionally, password aging can also be configured with the chage command. If the chage command is immediately followed by a username, the administrator will be interactively prompted for the password aging values as shown in Listing 9.1. The command-line options in Table 9.3 can also be used with chage.
TIP
To list current password aging values, use the chage -l <username> command.
LISTING 9.1 Interactive Password Aging Configuration
Changing the aging information for testuser
Enter the new value, or press ENTER for the default
        Minimum Password Age [0]:
        Maximum Password Age [99999]:
        Last Password Change (YYYY-MM-DD) [2006-02-12]:
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
TABLE 9.3 Command-Line Options for Password Aging
Command-Line Option   Description
-d <day>     Number of days since January 1, 1970 when the password was changed, or the date when the password was last changed in the format YYYY-MM-DD.
-E <date>    Number of days since January 1, 1970 on which the account will be locked, or the date on which the account will be locked in the format YYYY-MM-DD.
-I <days>    Number of inactive days since the password has expired before the account is locked. -1 disables this feature.
-m <days>    Minimum number of days between password changes. 0 allows the user to change the password as many times as he wants.
-M <days>    Maximum number of days between password changes, after which the user will be forced to change the password before being allowed to log in again.
-W <days>    Number of days before a password change is required to warn the user of the upcoming password expiration.
Deleting Users
The userdel command is available for deleting users using the userdel <username> syntax. If no command-line options are used, the user is deleted and can no longer log in to the system. The private user group for the user is also deleted, and the user is removed from any other groups of which he was a member. However, the user's home directory and any other files the user owned are not deleted from the system.
To remove the user's home directory and mail spool, use the userdel -r <username> command. All other files owned by the user must be deleted manually if the administrator needs them removed. However, use caution when removing files owned by a removed user; they might be shared files still needed by others in the group.
Managing Groups
As previously mentioned, a new group with the same name as the user is created by default when a new user is added. This new group is referred to as a private user group. Every user has a default group, which is usually the user's private user group, but every user can also be a member of more than one group. When a file or directory is created by a user, the user's default group becomes the group associated with the file unless the directory is configured with the s option to chmod (the setgid bit), which sets the group ID of files created in that directory to the directory's group. The additional groups a user is a member of allow the user to access files associated with those groups, subject to the group file permissions.
A unique integer known as a GID is associated with each group. GIDs below 500 are reserved for system groups just like UIDs below 500 are reserved for system users.
To start the graphical application for managing users and groups, select Administration, Users and Groups from the System menu on the top panel of the desktop, or execute the command system-config-users. If the program is run as a non-root user, enter the root password when prompted. As shown in Figure 9.4, select the Groups tab to view all existing groups.
By default, system groups are not displayed in the list. To show system users and groups in the list, select Preferences, Filter system users and groups.
FIGURE 9.4 List of Existing Groups
Adding and Modifying Groups
To add a group, click Add Group to display the dialog box in Figure 9.5.
FIGURE 9.5 Adding a Group
In this dialog box, type the name of the new group. If the option to specify the GID is not selected, the next available GID above 500 is used. Click OK to add the group. The changes take place immediately, and the group is added to the list of existing groups in the main window.
To add a user to an existing group or change the name of the group, select the group from the list on the Groups tab of the main application window, and click Properties. On the Group Users tab, select the users who should be members of the group, and click OK to enable the changes. The Group Data tab allows an administrator to change the name of the group. Once again, the changes take place immediately.
Deleting Groups
To delete a group, select it from the list on the Groups tab, and click the Delete button in the toolbar. Click Yes to confirm the deletion. The changes take place immediately, and the group is removed from the list of existing groups.
CAUTION
The application will not let you remove a group if it is the primary group for an existing user.
Configuring via the Command Line
If you prefer command-line configuration or just don't have the X Window System installed on the system, this section describes the command-line utilities that can be used to manage groups.
The commands discussed in this section must be executed by the root user.
Adding Groups
The groupadd command can be used to add user groups to the system. The basic syntax is groupadd <groupname>. If no command-line options are used, the group is created with the next available non-system GID. To specify a GID, use the groupadd -g <gid> <groupname> command. To add a system group, use the groupadd -r <groupname> command. The first available GID below 500 is used for the system group. To add a system group and specify the GID, use the groupadd -r -g <gid> <groupname> command. Even if you specify a GID for the system group, the GID still needs to be below 500 to follow the numbering convention.
To add users to a group, use the usermod -G <groups> <username> command as previously discussed in this chapter or the gpasswd command as discussed in the next section, "Modifying Groups."
Modifying Groups
Other than adding users to the group, the name of the group and the GID of the group can be changed with the groupmod command. To change the GID of a group, use the groupmod -g <gid> <groupname> command. To change the name of the group, use the groupmod -n <newname> <groupname> command.
Red Hat Enterprise Linux also includes the gpasswd command for managing groups. It allows an administrator to configure group administrators, group members, and a group password. Group administrators can add and delete users as well as set, change, or remove the group password. A group can have more than one group administrator.
To add group administrators, use the gpasswd -A <users> <groupname> command, where <users> is a comma-separated list of existing users you want to be group administrators. Don't use any spaces between the commas.
The root user or a group administrator can add users to the group with the gpasswd -a <user> <groupname> command. Using this method, only one user can be added at a time. Similarly, to remove a user from a group, use the gpasswd -d <user> <groupname> command.
It is also possible for the root user (not a group administrator) to modify the members of a group with the gpasswd -M <users> <groupname> command, where <users> is a comma-separated list of all the users in the group. Notice the word all. When this command is executed, the group members list changes to the users listed in this command. Any existing members not listed will be removed.
To add or change the password for a group, the root user or a group administrator can use the gpasswd <groupname> command. When changing the password, the old password is not needed. To remove the group password, use the gpasswd -r <groupname> command.
If a user is a member of a group, she can use the newgrp <groupname> command to make that group her default group for that login session. If the group has a password, the user must enter the correct password before successfully switching groups. If the group has a password, users who aren't members of the group can also make the group their default group with the newgrp command. If the group doesn't have a password configured, only users who are members of the group can use the newgrp command to change groups for that login session. To disable the use of the newgrp command for a group, use the gpasswd -R <groupname> command.
Deleting Groups
To delete an existing group, use the groupdel <groupname> command. The group is removed, and the users in the group are no longer members of the group.
How It All Works
A list of all local users is stored in the /etc/passwd file. This file is in plain text format and is readable by anyone logged in to the system because it is referenced by user-accessible utilities such as ls and who to map user and group IDs to usernames and group names. Each user is listed on a separate line, with the following format:
username:password:uid:gid:real_name:/home/directory:shell
Table 9.4 describes these fields.
TABLE 9.4 /etc/passwd Fields
Field             Description
username          Login name for the user. Can't contain spaces or tabs.
password          The x character, which denotes that the encrypted password is stored in /etc/shadow. If shadow passwords are not used, this field contains the encrypted user password.
uid               Unique integer used as the user ID.
gid               Unique integer used as the group ID.
real_name         Full name of the user (not required).
/home/directory   Full path to the home directory of the user.
shell             Login shell for the user. /bin/bash is the default.
If shadow passwords are used (the default), the encrypted passwords are stored in the /etc/shadow file, readable only by root for security reasons. This file can also store optional password expiration data.
All user groups are stored in the /etc/group file, readable by everyone but only writable by root for the same reason /etc/passwd has these permissions: user utilities need to be able to map group IDs to group names. Each group is listed on a separate line in the following format:
groupname:password:gid:users
The group name is the actual name of the user group; the password field contains the x character if shadow passwords are used or the encrypted password if shadow passwords are not used. The gid is the unique group ID for the group, and the users field is a comma-delimited list of users in the group.
If shadow passwords are used for group passwords (the default), they are stored in /etc/gshadow, a file readable only by the root user.
When a new user is added, files from the /etc/skel/ directory are copied to the user's home directory unless the administrator chooses not to create one.
NOTE
By default, a home directory is created when a user is added. If the user's home directory already exists (for example, the /home/ directory was preserved during reinstallation), the files from /etc/skel/ are copied to the existing home directory so that the existing files are not overwritten. This behavior has changed in recent versions of useradd, so use caution when performing this same operation on older versions of Red Hat Enterprise Linux.
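As an added example (not from the book), a short POSIX shell audit of the three file formats just described, run over constructed sample copies in a temporary directory rather than the live files. The /etc/shadow field layout (maximum password age in the fifth field) and the meaning of a leading ! or * in a password field are taken from the shadow(5) format, not from this page.

```shell
#!/bin/sh
# Added example, not from the book. Audits copies of /etc/passwd, /etc/shadow
# and /etc/group for the conditions the text warns about. All input is
# constructed sample data written to a temporary directory, so the script
# runs unprivileged and never touches the real files.
#
# Formats used (passwd and group from the text; shadow from shadow(5)):
#   passwd  username:password:uid:gid:real_name:home:shell
#   shadow  username:password:lastchange:min:max:warn:inactive:expire:reserved
#   group   groupname:password:gid:users

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample accounts (fictional names, placeholder hashes).
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
tfox:x:500:500:Tammy Fox:/home/tfox:/bin/bash
jsmith:x:501:501:Joe Smith:/home/jsmith:/bin/bash
legacy:$1$sample$hashstoredinpasswd:502:502:Legacy App:/home/legacy:/bin/bash
backup:x:0:0:Backup Operator:/home/backup:/bin/bash
guest:x:503:503:Guest:/home/guest:/bin/bash
EOF

cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$sample$roothash:13191:0:99999:7:::
bin:*:13191:0:99999:7:::
tfox:$1$sample$tfoxhash:13191:0:90:7:-1::
jsmith:!$1$sample$jsmithhash:13191:0:90:7:::
legacy:$1$sample$legacyhash:13191:0:99999:7:::
backup:$1$sample$backuphash:13191:0:99999:7:::
guest::13191:0:99999:7:::
EOF

cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:root
tfox:x:500:
eng:x:600:tfox,jsmith
mktg:$1$sample$grouphash:601:jsmith
EOF

# Users whose passwd password field is not the "x" shadow marker: the hash
# (or an empty password) sits in the world-readable file.
passwd_unshadowed() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# UIDs shared by more than one account (only possible with useradd -o),
# printed as uid:user1,user2. A second UID 0 account is the finding that
# matters most.
passwd_duplicate_uids() {
    awk -F: '{ n[$3]++; u[$3] = u[$3] (u[$3] ? "," : "") $1 }
             END { for (id in n) if (n[id] > 1) print id ":" u[id] }' "$1" | sort
}

# Accounts whose password is locked with the ! prefix (usermod -L) or that
# can never log in with a password (*).
shadow_locked() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Accounts with a usable password and the 99999-day maximum age: password
# aging (chage -M) has not been applied to them.
shadow_never_expires() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $5 == 99999 { print $1 }' "$1"
}

# Accounts with an empty shadow password field: no password is required.
shadow_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Groups carrying an encrypted password in /etc/group itself: anyone who
# learns it can newgrp into the group without being a member.
group_with_password() {
    awk -F: '$2 != "" && $2 != "x" { print $1 }' "$1"
}

# Report over the constructed files.
for check in passwd_unshadowed passwd_duplicate_uids shadow_locked \
             shadow_never_expires shadow_empty_password group_with_password; do
    case $check in
        passwd_*) f="$SAMPLE_DIR/passwd" ;;
        shadow_*) f="$SAMPLE_DIR/shadow" ;;
        group_*)  f="$SAMPLE_DIR/group" ;;
    esac
    echo "== $check"
    "$check" "$f"
done
```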
The default values used when adding a user are stored in the /etc/default/useradd file. By default, it contains the values in Listing 9.2.
LISTING 9.2 Default Values when Adding a User
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
These default values can be modified with the useradd -D <options> command. Available options for modifying default values are in Table 9.5.
TABLE 9.5 Options for Modifying Default Values when Adding a User
Command-Line Option   Directive   Default Value   Description
-g <group>        GROUP      100            Default group name or GID for the user if a user private group is not created for the user
-d <directory>    HOME       /home          Path prefix to use when creating the user's home directory unless the -d option is used to specify a different home directory
-f <days>         INACTIVE   -1             Number of days after the password expires before the account is disabled (-1 disables the feature, 0 disables the account immediately after the password expires)
-e <date>         EXPIRE     Never expire   Date on which the user account is disabled
-s <shell>        SHELL      /bin/bash      Default shell to use when creating user accounts
Additional default values for creating users and groups are located in the /etc/login.defs file. This file is documented with comments above each directive, which should be easy to follow if modifications are needed. The following can be modified with options from this file:
  Mail spool directory
  Maximum number of days a password can be used
  Minimum number of days between password changes
  Minimum password length accepted
  Number of days to warn the user before the password expires
  Maximum UID for automatic selection by useradd
  Minimum UID for automatic selection by useradd
  Maximum GID for automatic selection by groupadd
  Minimum GID for automatic selection by groupadd
  Whether to remove cron and print jobs owned by the user when the user is removed
  Whether or not to create the home directory by default
Best Practices
Over time, every administrator develops her own method for managing users and groups, from naming conventions to using subdirectories to divide users by departments to customized scripts for removing users who are no longer with the company. This section briefly describes a few practices to think about when developing your management style.
Managing Usernames
There are many username styles:
  First name of the user such as tammy
  First initial of the first name followed by the last name such as tfox
  Three-letter initials for the user such as tcf
  First name followed by a period followed by the last name such as tammy.fox
  First name followed by a period, followed by a middle initial, followed by the last name such as tammy.c.fox
When selecting a style to use, be sure to ask yourself if it is scalable. For a home computer, using the first name of each user might work because most members of a family don't have the same name. However, this method does not scale in a corporate environment that might have five to ten people named Joe. Using the first initial of the first name followed by the last name might work for a corporation as long as there is an alternative style if more than one person has the same username combination. For example, what do you do with a Joe Smith and a Jocelyn Smith? Unless they start at exactly the same time, the first one to join the company will have jsmith for a username. For the next person, consider using his middle initial as well or spelling out his first name if it is short. A similar concern exists for the three-initial method: more than one employee might have the same three initials.
In the end, try to be consistent with the style you choose.
Managing Passwords
By default, a user account is enabled when the password is set with the passwd command, the password does not expire, and the account is never disabled due to lack of activity.
Enterprise administrators are constantly considering the security implications of their procedures. Thus, consider forcing users to change their passwords on a regular basis such as every quarter to increase security. Also consider locking the account if the user does not change his password after it has expired.
Another good practice is educating users on why they should not give their passwords to anyone else and why they should not write them down anywhere others can find them. If users do not understand the security risks, they are less likely to keep their passwords secure.
When asking users to set or change their passwords, give them tips for selecting a good password such as the following:
  Use a combination of letters, numbers, and special characters to make it harder for someone to guess your password.
  Do not use obvious passwords such as any combination of your name or the name of a family member.
  Do not use your birthday or a family member's birthday.
  Do not use the date of a special occasion people know about such as your wedding date.
  Try using the first letter of each word in a catchy phrase you can easily remember so your password is not a dictionary word.
  Try replacing a few letters of a real word with numbers or special characters to help you remember it.
Consider posting these simple tips on the company's intranet so users can refer to them when changing their passwords.
Deleting Accounts
When an employee is terminated or quits the company, time is of the essence when it comes to disabling and deleting the user's account. As an administrator, you will develop a step-by-step process for systematically removing users if you haven't done so already. A few actions to consider include disabling the account as soon as you are told that the employee no longer works for the company. This can be done by simply adding the ! character to the beginning of the password field for the user in /etc/shadow. The user can no longer log in, but all the user's data is still intact. This does not terminate any existing login sessions, so be sure to also determine whether the user is already logged in to any systems on the network and terminate those sessions.
After disabling the account, determine whether the files owned by the user such as files in the user's home directory and email need to be saved. If the answer is yes, be sure to back them up before removing the user account and the files associated with the user account such as the home directory, mail spool, and temporary files.
When removing files owned by the user, do not just search for them and delete them all from the system or a shared filesystem. If functional groups inside the organization have a shared directory setup, the former employee might have owned some of the files a group is using and still needs. If files of this type are found, be sure to assign the files to a new owner still in the functional group and verify that the permissions allow the group to continue working.
Also look for cron jobs set up by the user. Before deleting them, again, make sure they are not used by a group instead of the individual user. If any of them are for group use, the cron task will need to be set up with a different owner.
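The offboarding steps above, written as an added shell example that is not from the book. The functions that only inspect or rewrite files take paths as parameters so they can be tried on constructed copies without root; the per-user crontab location /var/spool/cron/<username> and the use of usermod -L, pkill and tar are this example's choices, not steps the text prescribes.

```shell
#!/bin/sh
# Added example, not from the book: the account-offboarding steps as shell
# functions. The inspect-and-rewrite steps take file paths as parameters so
# they can be exercised on constructed copies by an unprivileged user; the
# commands that change a live system are gathered in offboard_user, which
# refuses to run unless it is root.

# Step 1: disable the account by putting the ! character in front of the
# password field, which is what usermod -L does to /etc/shadow. Reads the
# shadow file given as $2 and writes the rewritten copy to stdout; an entry
# that is already locked is left unchanged, so running it twice is harmless.
lock_shadow_entry() {
    awk -F: -v OFS=: -v user="$1" '
        $1 == user && $2 !~ /^!/ { $2 = "!" $2 }
        { print }' "$2"
}

# Step 2: the lock does not end sessions that are already open; list the
# user's processes so they can be terminated (pkill -KILL -u <user> as root).
active_processes() {
    ps -u "$1" -o pid= 2>/dev/null
}

# Step 3: list files owned by the user under a directory tree (for a whole
# system: / plus each shared mount, since -xdev stays on one filesystem).
# Files in group directories should be reassigned with chown, not deleted.
files_owned_by() {
    find "$2" -xdev -user "$1" -print 2>/dev/null | sort
}

# Step 4: count the user's crontab entries. Per-user crontabs on Red Hat
# Enterprise Linux are stored in /var/spool/cron/<username>; the spool
# directory is a parameter so the check can run against a copy.
user_cron_jobs() {
    spool="${2:-/var/spool/cron}"
    if [ -f "$spool/$1" ]; then
        grep -v '^[[:space:]]*#' "$spool/$1" | grep -c . || true
    else
        echo 0
    fi
}

# Driver for a live system: lock, end sessions, back up the home directory,
# then report what still needs a human decision (shared files, cron jobs).
# userdel -r is deliberately left to the administrator after that review.
offboard_user() {
    user="$1"; archive_dir="${2:-/root/offboarding}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "offboard_user must run as root" >&2
        return 1
    fi
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' /etc/passwd)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    usermod -L "$user"                          # same edit as lock_shadow_entry
    pkill -KILL -u "$user" 2>/dev/null || true  # terminate existing sessions
    mkdir -p "$archive_dir"
    tar czf "$archive_dir/$user-home.tar.gz" -C / "${home#/}"
    echo "files owned by $user outside $home (review before deleting):"
    files_owned_by "$user" / | grep -v "^$home" || true
    echo "crontab entries for $user: $(user_cron_jobs "$user")"
}
```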
Structuring Home Directories
The /home directory, or whatever directory you have chosen to store users' home directories, can either be on the local filesystem or on a remote filesystem mounted by all necessary clients. In an enterprise environment, the remote filesystem is more likely because it is more scalable: one large storage system is easier to back up on a regular, automated basis, each client system has less to configure, and users can log in to more than one system and have access to the same home directory, among other things.
If your company is quite large, you might also want to consider using subdirectories within /home to organize users by departments or groups. For example, /home/eng/ can be used for all users within the engineering department and /home/mktg/ can be used for users within the marketing department. This can also help the administrator keep track of disk quotas for each department if necessary or determine which department has the most storage needs.
Summary
This chapter explains the many tools included with Red Hat Enterprise Linux to successfully manage users and groups. As you have read, it is much more than just adding and removing them when employees within the company come and go. If the company is large, it might be necessary to document a process for managing users and groups such as a naming convention for usernames or the structure of home directories.
IN THIS CHAPTER
Writing a Backup Plan
Using Amanda for Backups
Other Linux Backup Utilities
Recovery and Repair
CHAPTER 10
Techniques for Backup and Recovery
When hardware components or security measures fail, every administrator must be prepared to recover a system as quickly and efficiently as possible. Preparing for a disaster means having a solid backup procedure and a well-tested recovery process.
Because you can't always detect when a failure will occur, it is important to create backups on a regular basis depending on how often the data changes and how much time it takes to complete the backup. All the files on the system don't have to be included in every backup. Consider how often the files change. For example, operating system files such as files in /bin/ and "virtual" files in /proc/ and /dev/ do not need to be backed up because they can easily be reinstalled; this also ensures they have not been compromised if you are restoring after a security breach.
For home directories that constantly change, daily or even hourly backups might be necessary. For the payroll database or LDAP server, weekly backups might be sufficient. Ultimately, it is up to the system administrator or the system administration team to decide. Each organization has a different set of systems, custom configurations, and a required length of time in which the system must be restored.
TIP
Remember to test your recovery plan before a system recovery is needed. Finding out that your backups do not include all the files necessary for a successful recovery while you are recovering can cause more downtime than anticipated, which can mean even more loss of data, poor customer service, or a significant loss of revenue.
This chapter provides you with concepts to consider when creating a custom backup and recovery process as well as Linux tools that can be used for backup and recovery.
Writing a Backup Plan
The backup plan you write and commit to will be specialized to your needs, your company's resources, the number of systems to back up, the operating systems running on those systems, and much more. You will probably go through many versions of your plan before finalizing it. This section provides a few concepts to think about when deciding what data to back up and whether to perform incremental or full backups.
TIP
If your systems are subscribed to the Provisioning module of Red Hat Network (not included with your Red Hat Enterprise Linux subscription), you can use Red Hat Network to assist with configuration management.
What Data to Back Up
Deciding what data to back up is nontrivial and might vary for each system. Here is a list of data to consider:
  Home directories
  Email spools and IMAP directories
  /etc/ directory for various configuration files
  Shared directories
  Database files
  Cron scripts
  Content management directories such as CVS or Subversion
Other thoughts to consider when devising a backup plan:
  Does your backup plan include backups on an offsite server in case of natural disaster or physical damage to the office building or server room?
  Is redundant hardware part of your plan in case of unrecoverable hardware failure?
  Is the total recovery time from backup acceptable for the needs of the company?
  Are you alerted when a system failure occurs?
  Are you alerted when a failure occurs during the backup procedure?
  What is the initial cost of equipment and software?
  What is the total annual cost of the backup media? Does it fit in your allotted budget?
  Does the plan scale if additional systems need to be added?
  Do multiple administrators have the knowledge to recover each system in case of personnel changes or vacation times?
  Are the processes well-documented so they can be easily accessed and reviewed on a regular basis?
Incremental versus Full Backups
If your organization is large or modifies the same subset of data frequently, you might want to consider incremental backups. You start off with a full backup and then only back up the data that has changed since the last backup. This often saves disk space on the backup servers and shortens the time it takes to perform backups.
Even if you implement incremental backups, it is a good idea to perform a full backup less frequently (for example, every one or two months if the incremental backups are performed weekly). Each time you perform a full backup, the subsequent incremental backups are based on the last full backup. When you do have to recover the system, the restoration process begins with the last full backup and then all the incremental backups are applied. The time it takes to recover will depend on how many incremental backups you must apply.
Using Amanda for Backups
Red Hat Enterprise Linux includes AMANDA, or the Advanced Maryland Automatic Network Disk Archiver, for assisting in backups. AMANDA works by setting up a master backup server on the network and backing up systems running different versions of UNIX (using tar or dump) and Microsoft Windows (using SAMBA) to tape or hard disk. This section covers setting up the server and clients on Red Hat Enterprise Linux. Refer to www.amanda.org for setup instructions for other operating systems.
NOTE
Extensive documentation is available on www.amanda.org. This section provides enough information to get you started. Refer to the website for more details.
CAUTION
The tar and dump utilities do not preserve access control lists (ACLs) associated with files. Refer to Chapter 7, "Managing Storage," for details on ACLs.
Setting Up the Amanda Server
Backups done by Amanda are done in parallel to holding disks on the hard drives, and the data is then written to the tape or backup media. Software or hardware compression can be used, with hardware compression using fewer CPU resources.
The Amanda backup server must have the tape drive or other backup media attached to it. It must also have the amanda-server RPM package installed. Refer to Chapter 3, "Operating System Updates," for details on package installation.
The server configuration files for Amanda are installed in the /etc/amanda/ directory. The /etc/amanda/DailySet1/ directory contains two files: amanda.conf and disklist. The DailySet1 directory name is the default configuration name and can be changed as long as the file permissions and ownership remain the same for the directory and the configuration files in it. Create a new directory with a unique name for each configuration, and then copy the default configuration files from the DailySet1/ directory into it. The default configuration files are just examples and must be modified to work properly.
The disklist file is used to define the clients to be backed up and is discussed in the section "Setting Up the Amanda Clients" later in this chapter.
The amanda.conf file is the main configuration file for the Amanda server and contains server configuration parameters. Read the brief descriptions of each parameter in the example file and refer to the amanda.conf man page for more details. Table 10.1 describes some of the most common parameters.
CAUTION
The default amanda.conf uses the directories in /usr/adm/amanda/ for many default values. The /etc/amanda/ directory is used instead of this directory in Red Hat Enterprise Linux. Any values with /usr/adm/amanda/ should be modified.
TABLE 10.1 Common Amanda Configuration Parameters
Parameter      Description
org            Descriptive name of the configuration. Used in the subject of emails generated for this configuration. Each configuration should have a unique org name.
mailto         Email addresses of all the administrators who should receive reports from this configuration. Separate each email address by a space.
dumpcycle      Number of days between full backups.
runspercycle   Number of runs per cycle, with the cycle defined by dumpcycle.
netusage       Maximum amount of network bandwidth that can be used by Amanda.
maxdumps       Maximum number of backups Amanda will attempt to run at the same time.
logdir         Directory to write logs. The directory from the default value in amanda.conf does not exist. Change to the existing /var/log/amanda directory or another existing directory.
Saving to Tape
If using a tape drive, be sure to use a non-rewinding tape device that does not automatically rewind when closed. Amanda uses a new tape for each run and can not be configured to append a second run to a tape.
Table 10.2 contains common parameters that can be used to customize the tape drive settings. Refer to the amanda.conf man page for a full list of parameters for configuring a tape drive.
TABLE 10.2 Tape Drive Parameters for Amanda
Parameter   Description
tapedev     Path to the tape device to use. Must be a non-rewinding tape device.
tapetype    Type of tapes to be used. Must be set to a tapetype definition from amanda.conf.
tapelist    Filename for the tapelist file. Maintained by Amanda and should not be modified.
tapebufs    Number of buffers used by the backup process to hold data before it is written to tape. The buffer is in the shared memory region.
tapecycle   Size of the tape rotation. Must be larger than the number of tapes it takes for a full backup.
runtapes    Maximum number of tapes to be used for a single backup run. If this number is larger than one, a tape changer must be configured with the tpchanger parameter.
Saving to Other Media
Amanda was originally written to be used with a tape device, but it can be configured to back up to other media such as a set of hard drives. To configure Amanda to back up to a media type other than a tape, the parameters in Listing 10.1 must be set.
LISTING 10.1 Using the Hard Drive as a Virtual Tape
tpchanger "chg-disk"
tapedev "file:/backups/DailySet1"
tapetype HD
define tapetype HD {
    comment "use hard drive as tape"
    length 2048 mbytes
}
The tpchanger specifies which script to use to change the virtual tape device. Several scripts are provided in /usr/lib/amanda/ by the amanda-server RPM package. The chg-disk script is recommended when using the hard drive as a virtual tape.
Set the tapedev parameter in amanda.conf to use the file driver with the name of an existing directory to store backups. In Listing 10.1, the /backups/DailySet1/ directory is used. This directory must be created and configured as a virtual tape before running amdump to generate backups, and the directory and all the files in it must be owned by the amanda user so amdump has permission to write to it. Use the following steps as the root user to create the virtual tape (assuming /backups/DailySet1/ is being configured as the virtual tape):
1. Create the directory being used to emulate the tape device:
mkdir /backups
mkdir /backups/DailySet1
2. Create an empty file named info in the virtual tape device directory:
touch /backups/DailySet1/info
3. Create an empty file to represent the tape list:
touch /etc/amanda/DailySet1/tapelist
4. Create a directory for each virtual tape (where X starts with 1 and increases by 1 for
each tape):
mkdir /backups/DailySet1/slotX
5. "Load" the first virtual tape so the backups will start with it:
ln -s /backups/DailySet1/slot1 /backups/DailySet1/data
6. Make sure the amanda user owns all the files:
chown -R amanda.disk /backups
7. Become the amanda user:
su amanda
8. Label each virtual tape with the naming convention set by the labelstr parameter
in amanda.conf (where X starts with 1 and increases by 1 for each tape):
amlabel DailySet1 DailySet1-0X slot X
9. Test the virtual tape setup:
amcheck DailySet1
10. If errors occur, fix them and rerun amcheck. Repeat until no errors exist.
11. Exit back to the root shell instead of remaining the amanda user:
exit
A tapetype definition for the hard drive must also be specified as shown in Listing 10.1.
The length is the maximum amount of disk space to be used by Amanda to emulate the
tape device. In Listing 10.1, 2,048 megabytes is listed to give Amanda 2 gigabytes of space
for backups. Also set the tapetype parameter in amanda.conf to the name of this
tapetype definition.
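The eleven steps above as a script, added here as an example (it is not code from the book or from the Amanda project). The function names, the backup-root/config-dir/slot-count arguments and the free-space check against the tapetype length are this example's own assumptions; the ownership and labelling steps still need root and the amanda-server package.

```shell
#!/bin/bash
# Added example, not from the book: lays out the chg-disk virtual tape
# structure from the steps above and checks that the disk has room for the
# tapetype "length" before the tapes are labelled.
# Assumed: the caller supplies the backup root, the config directory and the
# number of slots; the function names are this example's own.

# create_vtapes <backup-root> <config-dir> <nslots>
# Creates <backup-root>/info, slot1..slotN and the "data" link to slot1, plus
# an empty tapelist in <config-dir>. Refuses to touch a tapelist that already
# has entries, so an existing, labelled configuration is never clobbered.
create_vtapes() {
    local root=$1 confdir=$2 nslots=$3 i
    if ! [ "$nslots" -ge 1 ] 2>/dev/null; then
        echo "nslots must be a number >= 1" >&2
        return 1
    fi
    if [ -s "$confdir/tapelist" ]; then
        echo "refusing to overwrite non-empty $confdir/tapelist" >&2
        return 1
    fi
    mkdir -p "$root" "$confdir" || return 1
    : > "$root/info"            # step 2: empty info file
    : > "$confdir/tapelist"     # step 3: empty tape list
    i=1
    while [ "$i" -le "$nslots" ]; do
        mkdir -p "$root/slot$i" || return 1   # step 4: one directory per tape
        i=$((i + 1))
    done
    # step 5: "load" the first tape; -n replaces an old link instead of
    # creating slot1/data inside the directory it points to
    ln -sfn "$root/slot1" "$root/data"
}

# vtape_capacity_ok <backup-root> <length-mb> <nslots>
# Succeeds when the free space on the filesystem holding <backup-root> covers
# <nslots> tapes of <length-mb> megabytes, the amount that
# "length 2048 mbytes" in the tapetype lets Amanda write per slot.
vtape_capacity_ok() {
    local root=$1 length_mb=$2 nslots=$3 free_mb need_mb
    free_mb=$(df -Pm "$root" | awk 'NR == 2 { print $4 }')
    need_mb=$((length_mb * nslots))
    [ "$free_mb" -ge "$need_mb" ]
}

# own_and_label_vtapes <backup-root> <config> <nslots>
# Steps 6 to 9: give the tree to amanda:disk, label each slot with the
# <config>-0X convention and run amcheck. Must be run as root on the Amanda
# server with the amanda-server package installed.
own_and_label_vtapes() {
    local root=$1 conf=$2 nslots=$3 i=1
    chown -R amanda:disk "$root" || return 1
    while [ "$i" -le "$nslots" ]; do
        su amanda -c "amlabel $conf $conf-0$i slot $i" || return 1
        i=$((i + 1))
    done
    su amanda -c "amcheck $conf"
}
```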
Setting Up Holding Disks
If holding disks are used, backups are written to the holding disks and then flushed to the
tapes, reducing total dump time and the wear on the tape and drive. Dumps from more
than one system can only be done in parallel if a holding disk is used.
Holding disks are defined in the amanda.conf file, and one or more holding disks can be
defined. The holding disk on the tape server should be large enough to hold the two
largest backups simultaneously, if possible. The holding disk should also be dedicated to
backups. If a dump is too big for the holding disk, the backup is written directly to tape.
TIP
If the backup server crashes or a tape fails during backup, the amflush utility can be
used to write data from the holding disk to tape.
For example, Listing 10.2 defines /dumps/DailySet1 as a holding disk directory. The
directory must already exist and must be owned by the amanda user because amdump is
run as the amanda user. After creating the directory as root, change the ownership with
the following command:
chown amanda.disk /dumps/DailySet1
LISTING 10.2 Holding Disk Definition
holdingdisk hd1 {
  comment "first holding disk"
  directory "/dumps/DailySet1"
  use -200 Mb
  chunksize 1Gb
}
The use parameter specifies the amount of space that can be used by Amanda. If the value is a
negative number as in Listing 10.2, Amanda uses all available space except for the value
specified. To split large dumps into multiple files, specify the maximum file size for each chunk
with the chunksize parameter, whose value must end in Kb, Mb, Gb, or Tb. The maximum
value of chunksize is the maximum file size the kernel can allow minus 1 megabyte.
Setting Up the Amanda Clients
This section discusses the configuration of a Red Hat Enterprise Linux Amanda client. To
configure clients of a different operating system, refer to www.amanda.org. Each client
must have the amanda-client RPM package installed. Refer to Chapter 3 for details on
installing software.
Before configuring the clients, decide the following for each client:
Which files and directories to back up
Whether to use dump or GNU tar to create backups
Whether to use compression (GNU zip) or no compression
If compression is used, whether to compress the files on the client or server
Priority level if all backups can't be performed
All of these options and more are configured in user-defined dumptypes in the
amanda.conf file on the backup server. There are some predefined dumptypes in the
example amanda.conf file to use as a reference. Each dumptype is given a unique name
and can optionally be based on a different dumptype. To base a dumptype on one already
defined, list the name of the existing dumptype as the first parameter of the definition. A
parameter can be redefined in the new dumptype, overriding the value in the original
dumptype for clients using the new dumptype. For example, Listing 10.3 shows an
example dumptype named tar-compress. It includes the parameters from the global
dumptype definition and adds archiving with tar and fast compression on the client.
LISTING 10.3 Example Dumptype
define dumptype tar-compress {
  global
  program "GNUTAR"
  comment "tar and compressed"
  compress client fast
}
The possible dumptype parameters are listed in Table 10.3.
TABLE 10.3 Dumptype Parameters
Dumptype Parameter  Description
auth                Authentication scheme between server and client. Either bsd or
                    krb4, with bsd being the default.
comment             Short description.
comprate            Compression rate specified as two numbers separated by commas.
                    The first number is the full compression rate, and the second
                    number is the incremental rate.
compress            Whether or not to compress the files. If compression is used,
                    decide whether to compress on the client or server and whether
                    the best compression (and probably slowest) or fast compression
                    should be used. Possible values:
                    none
                    client best
                    client fast
                    server best
                    server fast
dumpcycle           Number of days between full backups.
estimate            How Amanda determines estimates:
                    client: use defined dumping program on client (from program
                    parameter), which is the most accurate, but might take the
                    longest
                    calcsize: faster than client, but might be less accurate
                    server: use statistics from previous run, which is not very
                    accurate if disk usage changes from day to day
exclude             If GNU tar is used, lists files and directories to exclude from
                    the backup run.
holdingdisk         Whether or not to use the holding disk. Possible values: yes
                    or no
ignore              Don't back up this filesystem.
index               Create an index of files backed up.
kencrypt            Encrypt the data sent between the server and client.
maxdumps            Maximum number of dumps to run at the same time.
maxpromoteday       Maximum number of days for a promotion. Set to 0 for no
                    promotion. Set to 1 or 2 if the disk is overpromoted.
priority            Priority level used if there is no tape to write to. Backups
                    are performed until holding disks are full, using the priority
                    to determine which filesystems to back up first. Possible
                    values: low, medium, high.
program             Whether to use dump or tar.
record              Record backup in timestamp database (/etc/dumpdates for dump
                    and the /var/lib/amanda/gnutar-lists/ directory for GNU tar).
skip-full           Skip the disk when a level 0 is due.
skip-incr           Skip the disk when a level 0 is not due.
starttime           Amount of time to delay the start of the dump.
strategy            Dump strategy from one of the following:
                    standard: Default strategy
                    nofull: Level 1 dumps every time
                    skip: Skip all dumps
                    incronly: Incremental backups only
After defining dumptypes, define the clients to be backed up in the /etc/amanda/
<configname>/disklist (/etc/amanda/DailySet1/disklist in our example) file on the
Amanda server, one client on each line in the following format:
<hostname> <area> <dumptype>
Replace <hostname> with the hostname or IP address of the client. If a hostname is used,
the server must be able to resolve it to an IP address. Replace <area> with a disk name
such as sda, a device name such as /dev/sda, or a logical name such as /etc to back up.
Replace <dumptype> with a dumptype name as defined in amanda.conf on the server.
To allow the Amanda server access to the client, use the .amandahosts file in the home
directory of the amanda user on each client, even if the client is also the server. The home
directory of the amanda user on the client is set to /var/lib/amanda/, and the file
/var/lib/amanda/.amandahosts already exists with localhost and localhost.localdomain
already configured as possible Amanda servers. List each Amanda server on a separate line
in the following format:
<hostname> amanda
where <hostname> is the hostname or IP address of the Amanda server. If using a host-
name, the client must be able to resolve it to an IP address. The username amanda follows
the hostname to list the username under which the backups are done. This corresponds to
the dumpuser value in amanda.conf on the server.
Finally, the amanda xinetd service must be started on clients. Configure it to start automat-
ically at boot time with the chkconfig amanda on command as root. Because it is an
xinetd service instead of a standalone daemon, make sure it is also enabled at boot time
with the chkconfig xinetd on command as root. Restart xinetd with the service xinetd
restart command as root to enable Amanda immediately. If you are not already using
xinetd, be sure the other xinetd services are disabled if you do not want them to be
turned on, and then start xinetd with the service xinetd start command.
Executing the Backup
To start the backup process immediately, use the following command on the Amanda
server, replacing DailySet1 with the name of your configuration:
su amanda -c "amdump DailySet1"
This command can be used to immediately start a dump for testing or to create the first set
of backups. After that, cron can be configured to run the backups at the desired intervals.
The su amanda part of the command is used to run the process as the amanda user. If you
are the root user when you execute this command, you will not be prompted for the amanda
user's password. If you are a non-root user, you will be prompted for the amanda user's
password. However, a password was not created when the amanda user was added. If you
want the amanda user to have a password, execute the passwd amanda command as root
to set it.
The amanda-server package installs a sample cron task file at /etc/amanda/crontab.
sample, which contains the following:
# This is an example for a crontab entry for automated backup with amanda
# With these cron lines, Amanda will check that the correct tape is in
# the drive every weekday afternoon at 4pm (if it isn't, all the
# operators will get mail). At 12:45am that night the dumps will be run.
#
# This should be put in user operator's crontab
#
0 16 * * 1-5 /usr/sbin/amcheck -m DailySet1
45 0 * * 2-6 /usr/sbin/amdump DailySet1
As you can see from the example file, the amcheck utility runs a self-check, and the -m
argument causes any errors to be emailed to all the administrators listed in amanda.conf.
The amdump utility starts the actual backup process. Create a similar cron task on your
Amanda server. The amdump command must be run by the amanda user, so be sure to add
the cron task to the list of jobs for the amanda user. For details on configuring a cron
task, refer to Chapter 11, "Automating Tasks with Scripts."
Table 10.4 contains brief descriptions of the Amanda utilities that can be used on the
Amanda server.
TABLE 10.4 Amanda Server Utilities
Server Utility  Description
amdump          Usually used in scripts to start the backup process on all configured
                clients. Email is sent upon completion, reporting successes and
                failures.
amcheck         Run before amdump to verify the correct tape is mounted and client
                filesystems are ready.
amcheckdb       Check that each tape in the Amanda database is listed in the tapelist
                file.
amcleanup       If amdump fails before completion, use this command to clean up.
amdd            Amanda version of dd. Use for full restore if the standard dd program
                is not available.
ammt            Amanda version of mt. Use for full restore if the standard mt program
                is not available.
amadmin         Interactive command to perform admin tasks such as forcing a full
                backup, checking backup status of clients, and determining which
                tape will be used for the next backup run.
amflush         Write files from holding disk to tape or backup media. Use if a tape
                failure occurs and after fixing the problem with the tape device.
amgetconf       Look up the value of an Amanda parameter.
amlabel         Label tapes to use with Amanda. Tapes must be labeled before Amanda
                can use them. Must use the label naming convention defined by
                labelstr in amanda.conf.
amoverview      Display list of hosts and filesystems backed up, along with their
                backup schedule.
amplot          Produce a graph, using gnuplot, to show Amanda performance. Can be
                used to determine if performance can be improved with different
                settings.
amreport        Email a statistics report for an Amanda run to the administrator.
amrmtape        Delete a tape from the backup rotation.
amstatus        Determine status of previous or running backup run.
amtoc           Produce a TOC for a backup run. Usually run after amdump in a cron
                script.
amverify        Check all tapes for errors.
amverifyrun     Check the tapes used by the last run for errors.
amtape          Perform tape changer tasks such as resetting, ejecting, and cleaning.
amtapetype      Create a tapetype definition for use in amanda.conf.
Restoring from Backup
Now that you have learned how to perform backups with Amanda, the next step is to
learn about restoring from backup. Remember to test the restore process before a system
failure occurs.
There are two utilities for restoring with Amanda: amrestore and amrecover. The amrestore
utility can be used to restore entire images from the backup server; amrecover is an interac-
tive command run on the client and used to recover specific files.
Using amrestore
Before using amrestore, determine which tape has the image you want to restore using
either amadmin or amtoc. Make sure the tape is mounted on the server before restoring an
image. To retrieve all images for the host named wudan, use the following command:
amrestore <tape-device> wudan
Refer to the man page for amrestore with the man amrestore command for additional options.
Using amrecover
To use amrecover, the index parameter must be set to yes for the dumptype defined in
amanda.conf and set for the client in the disklist file. Because the root user on the client
must run amrecover, be sure the root user is allowed as a remote user on the client in the
.amandahosts file on the server.
To start amrecover, log in as root on the client, start a shell prompt, change to the direc-
tory that should contain the file or files you want to restore, and type the amrecover
<configname> command such as amrecover DailySet1. If the connection is successful, you
will receive the amrecover> prompt.
The default restore date is set to the current day. Use the setdate command to change the
date from which you want to restore files, use the cd command to change directories to
find the files on the server, and use the ls command to list files in the current directory
on the server. After finding the file to recover, use the add <command> command to add
the file to the list of files to recover, and use the extract command to retrieve the file.
Refer to the man page with the man amrecover command for a full list of possible
commands.
Other Linux Backup Utilities
If you write your own custom scripts or software for performing backups, many Linux
utilities can be used, including tar and rsync. Use this section to learn more about them
and determine if they can be useful for you.
The tar Utility
When backing up data that is no longer being used or data that is not frequently
changed, consider creating a compressed archive file using the tar archive utility in
combination with one of the compression tools such as gzip or bzip2. Creating a
compressed archive file results in one file that must be decompressed and unarchived
before files can be restored from it. The compression of the files saves room on the
backup media. To use tar, the tar RPM package must be installed. It should be installed
on your system unless you chose to only install a specific set of packages.
CAUTION
The tar utility does not preserve access control lists.
To archive a set of files and compress it with bzip2:
tar cjvf <filename>.tar.bz <files>
The tar arguments used are as follows:
c: create the archive
j: use bzip2 compression
v: be verbose and show the progress
f: files to archive will follow
A filename for the compressed archive must be given. Try to be as descriptive yet brief as
possible. The commonly used extension for a tar file compressed with bzip2 is .tar.bz.
For <files>, multiple files and directories can be specified. If a directory is specified, all
the files and subdirectories are archived as well by default.
To uncompress and unarchive a tar file compressed with bzip2:
tar xjvf <filename>.tar.bz
When the files are unarchived, the original directory structure is retained. For example, if
you specified the directory templates/ as the files to be archived, when the tar file is
unarchived, the directory templates/ is created in the current working directory, and all
the original files in the directory are written in the newly created directory.
File ownership is also retained by UID and GID. Keep in mind that if a tar file is created
on one system and then unarchived on a different system, the file ownership might
change if the UID or GID is mapped to a different user or group on the second system.
To list the contents of the file without uncompressing or unarchiving it:
tar tjvf <filename>.tar.bz
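The create, list and extract commands above wrapped into functions, added here as an example (not code from the book): a digest file is written next to the archive so a copy on backup media can be checked before it is trusted, and a restore is extracted below a chosen directory rather than the current one. The function names, the .sha256 companion file and the TAR_COMPRESS variable are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the book: the tar create/list/extract commands
# above as functions, with a digest written next to the archive so a copy
# on backup media can be verified before it is used for a restore.
# Assumed: sha256sum from coreutils; TAR_COMPRESS selects the compressor
# (j = bzip2 as in the text, z = gzip where bzip2 is not installed).

TAR_COMPRESS=${TAR_COMPRESS:-j}

# make_archive <archive> <file-or-dir>...
# tar c?f from the text, plus <archive>.sha256 written in the archive's
# directory with a relative name, so the pair can be moved together.
make_archive() {
    local archive=$1 dir name; shift
    dir=$(dirname "$archive"); name=$(basename "$archive")
    tar "c${TAR_COMPRESS}f" "$archive" "$@" || return 1
    ( cd "$dir" && sha256sum "$name" > "$name.sha256" )
}

# list_archive <archive>
# tar t?vf: shows the stored paths and the owner/group that will be applied
# on restore, without unpacking anything.
list_archive() {
    tar "t${TAR_COMPRESS}vf" "$1"
}

# verify_archive <archive>
# Fails if the archive no longer matches the digest recorded by
# make_archive, i.e. it was truncated, corrupted or altered on the media.
verify_archive() {
    local dir name
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256sum -c "$name.sha256" > /dev/null )
}

# restore_archive <archive> <destination-dir>
# Verifies first, then extracts below <destination-dir> (-C) instead of the
# current directory, so a test restore cannot overwrite the live tree; the
# directory structure stored in the archive (for example templates/) is
# recreated underneath the destination.
restore_archive() {
    local archive=$1 dest=$2
    verify_archive "$archive" || { echo "digest mismatch: $archive" >&2; return 1; }
    mkdir -p "$dest" || return 1
    tar "x${TAR_COMPRESS}f" "$archive" -C "$dest"
}
```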
The rsync Utility
When developing backup scripts, consider using the rsync utility. The rsync utility allows
you to copy from the local system to a remote system or copy between two local directo-
ries. If the files exist in the destination directory, rsync only transfers the differences in
the files, which is ideal for backups. The rsync RPM package is required and should
already be installed on your system.
After the rsync command-line arguments are listed, the first directory listed is the source,
and the second directory listed is the destination. If either directory is preceded by a host-
name and a colon (:), the directory is a remote directory. For example, to transfer all
home directories to the backups/ directory on the remote server backup.example.com:
rsync -avz /home backup.example.com:backups/
The -a argument stands for "archive" mode, meaning that rsync performs a recursive
transfer (the source directory, its subdirectories, the subdirectories of the subdirectories,
and so on are transferred), symbolic links are preserved, permissions and time stamps are
preserved, groups are preserved, file ownership is preserved if it is root, and devices are
preserved if they are owned by root. If the -v argument is used, progress messages are
displayed including how much data is sent and received and the average transfer rate.
Using the -z argument compresses the data to be transferred, speeding up the time it
takes to transfer the files or the file differences.
When transferring files with rsync, whether or not a trailing slash is included on the
source directory is important. In our example, a trailing slash is not used on the source
directory, so the directory backups/home/ is created on the remote server and all the
files in the /home/ directory on the local system are recursively copied into backups/home/
on the remote server. If a trailing slash is specified on the source directory such as the
following:
rsync -avz /etc/sysconfig/ backup.example.com:backups/configfiles/
the source directory specified is not created in the destination directory. In our example,
all the files in /etc/sysconfig/ on the local system are recursively copied into the
backups/configfiles/ directory on the remote server.
TIP
Consider using rsync in a custom shell script or as a cron task to schedule backups.
Refer to Chapter 11 for details.
For more information on rsync, including how to use the rsync daemon for transfers,
refer to the manual page by using the man rsync command at a shell prompt.
Recovery and Repair
To analyze or repair a system failure, you might need to boot into the system. But, what if
the boot loader is corrupt or what if the filesystem can't be mounted anymore? Red Hat
Enterprise Linux includes alternative boot methods for system repair: rescue mode, single-
user mode, and emergency mode.
After booting into one of these modes, a set of commonly used editors such as Emacs and
Vi are available along with commonly used utilities such as e2fsck for repairing a filesys-
tem and grub-install for repairing the boot loader on an x86 or x86_64 system.
Rescue Mode
Rescue mode allows the administrator to bypass the boot loader by instead booting off
installation media. Possible reasons to use rescue mode include
Corrupt boot loader that needs repair
Corrupt filesystem that can not be mounted and needs repair
To start rescue mode, boot from the first Red Hat Enterprise Linux installation CD. After
booting off the CD, the command used to enter rescue mode differs by architecture. Refer
to Table 10.5 for the command for your architecture.
TABLE 10.5 Booting into Rescue Mode per Architecture
Architecture            Rescue Mode Command
x86, x86_64             Type linux rescue at GRUB prompt
Intel Itanium           Type elilo linux rescue at ELILO prompt
IBM POWER               Append rescue after kernel name at YABOOT prompt
(IBM eServer iSeries,
IBM eServer pSeries)
IBM System z            Add rescue to the CMS conf parameter file
After booting into rescue mode, select the language and keyboard layout to use during
rescue mode. Next, decide whether to start the network. If the system has been compro-
mised, you probably don't want to start a network connection in case a program that
sends data to another system over the network has been added to the system. If you need
to copy data to another system to save it before reinstalling or to copy files to the system
to repair it, you will need to start the network.
The next question is whether or not to try and mount the Linux filesystem. You can
select to skip this step, mount the filesystem, or mount the filesystem read-only. If you
are not sure whether the filesystem can be mounted, you can select to mount it. If it can't
be mounted, a message is displayed, and you are allowed to go back and select to skip
mounting the filesystem. If the filesystem is successfully mounted, it is mounted under
the /mnt/sysimage/ directory. If you need to execute a command from the installed
system, remember the path to the command should be prepended with /mnt/sysimage/.
A shell prompt is displayed next. Use this shell to repair your system. Type exit to exit
rescue mode and reboot the system.
Alternatively, you can boot from a disk created from the boot.iso image found in the
images/ directory of the first installation CD and then use the command from Table 10.5.
After selecting the language and keyboard, select the location of the rescue image. Choose
from the CD-ROM drive, hard drive, NFS, FTP, or HTTP. The location specified must
contain the installation source files for the same version of Red Hat Enterprise Linux as
the boot.iso you used to create the boot media. Refer to Chapter 1, "Installing Red Hat
Enterprise Linux," for details on setting up the installation source.
TIP
If using NFS, FTP, or HTTP, remember to allow the system being booted into rescue
mode access to the directory containing the installation files.
If you select NFS, FTP, or HTTP, a network connection will be established, if possible,
before continuing. If the location does not require a network connection, rescue mode
optionally allows the administrator to start a network connection. After choosing whether
to start the network, select whether to mount the filesystem. As with using rescue mode
from the installation CD or DVD, use the shell to repair the system, and type exit to
reboot the system when finished.
Single-User Mode
Single-user mode is equivalent to runlevel 1 on the system. If runlevel 1 is not configured
properly, you will not be able to boot into single-user mode. Rescue mode requires boot
media, but single-user mode is specified as a kernel option using the installed boot loader
and does not require additional boot media. However, it does require that the boot loader
is working properly and that the filesystem be mounted. It does not provide the ability to
start a network connection.
Possible reasons to use single-user mode include
Forgot root password
Repair runlevel other than runlevel 1
To boot into single-user mode, boot the system with the single kernel parameter.
Specifying a boot parameter differs from architecture to architecture. Refer to Table 10.6
to determine the correct method for your architecture.
TABLE 10.6 Booting into Single-User Mode per Architecture
Architecture            Single-User Mode Command
x86, x86_64             Press any key at the Booting Red Hat Enterprise Linux
                        (<kernel-version>) message to view the GRUB menu. Press
                        the E key to edit the currently selected boot line. Append
                        the line with the word single, and press B to boot the
                        system.
Intel Itanium           At the EFI shell prompt, type elilo linux single.
IBM POWER               Append a space and the number 1 after the kernel name at
(IBM eServer iSeries,   the YABOOT prompt.
IBM eServer pSeries)
IBM System z            Create another boot stanza in /etc/zipl.conf identical to
                        the default stanza except append a space and the number 1
                        at the end of the parameters. Refer to Chapter 2,
                        "Post-Installation Configuration," for a sample
                        /etc/zipl.conf file. Be sure to run the /sbin/zipl command
                        as root to enable the change.
Once in single-user mode, your filesystems are mounted, so any installed applications
should be available. Use the exit command to exit single-user mode and reboot the system.
Emergency Mode
Emergency mode is similar to single-user mode except the root filesystem is mounted
read-only and runlevel 1 is not used. Boot into emergency mode using the same method
as single-user mode except replace the word single with emergency in the boot method.
Because the filesystem is mounted read-only, files can not be changed or repaired, but
files can be retrieved off the system.
Filesystem Repair
If one or more filesystems are corrupt, boot into rescue mode and do not mount the
filesystem. Even if you can boot into single-user mode, do not use it because the filesys-
tem can not be repaired if it is mounted.
The e2fsck utility can be used to check and repair an ext2 or ext3 (default for Red Hat
Enterprise Linux) filesystem. It must be run as root, and the filesystem being checked
should not be mounted. The basic syntax is as follows:
e2fsck <device>
where <device> is the device filename for the filesystem such as /dev/hda1 for the first
partition on the first IDE drive or /dev/sda2 for the second partition on the first SCSI
drive. As the utility finds errors such as bad inodes, it prompts the administrator to
confirm the fix. To automatically answer yes to all questions and cause the utility to be
non-interactive (for example, if you want to call it from a non-interactive script), use the -y
command-line argument. To print verbose information while the filesystem check and
repair is occurring, use the -v command-line argument. Additional arguments can be
found in the e2fsck man page called from the man e2fsck command.
Boot Loader Repair
If your system does not display the GRUB interface when booting, if GRUB won't boot
into Red Hat Enterprise Linux properly, or if you have another problem with the GRUB
boot loader on an x86 or x86_64 system, try booting into rescue mode and reinstalling
GRUB with the following command:
grub-install --root-directory=/boot '<device-name>'
The --root-directory=/boot option specifies that the GRUB images should be installed
in the /boot directory. Replace <device-name> with the device name on which to install
the GRUB images. The device name can be either the GRUB device name such as hd0 or
sd0 or the system device name such as /dev/hda or /dev/sda. For example, for the GRUB
device named sd0, the command would be
grub-install --root-directory=/boot '(sd0)'
Summary
This chapter has started you on the right path toward developing a backup and recovery
plan for your Red Hat Enterprise Linux systems. Either use a program such as Amanda or
a third-party backup program, or write your own custom scripts. As your company and
number of users expand, be sure to test your plan to ensure it can scale properly.
IN THIS CHAPTER
Writing Scripts with Bash
Additional Scripting Languages
Scheduling Tasks with Cron
CHAPTER 11
Automating Tasks
with Scripts
When an administrator has to perform the same task on
hundreds, possibly thousands, of systems, automating
everyday maintenance and deployment operations is a
necessity. Red Hat Network allows Red Hat Enterprise Linux
administrators to schedule package updates, package instal-
lations, operating system installations, and more, but what
about other tasks such as monitoring disk space, perform-
ing backups, and removing users?
This chapter explains how to automate these tasks and
others like them as scripts. It also gives step-by-step instruc-
tions for scheduling the execution of the scripts using the
cron daemon.
Red Hat Enterprise Linux offers a multitude of options for
the scripting language, each with its strengths and weak-
nesses. This chapter focuses on Bash because it is the most
commonly used for system administration tasks, and it also
gives an overview of other popular languages.
Writing Scripts with Bash
The GNU Bourne Again Shell (Bash) scripting language is
useful when trying to automate a sequence of commands
or when you want to execute the same command over and
over again until a certain limit is reached.
Because the default shell in Red Hat Enterprise Linux is Bash,
the bash RPM package is most likely already installed on
your system. You might also want to check out the many
commands from the coreutils and the util-linux packages
such as rename to rename a group of files and basename to
return the basename of a file without its extension.
CAUTION
When writing a Bash script, use a text editor such as Vi, Emacs, or gEdit (select
Accessories, Text Editor from the Applications menu). Using a more complex word
processing application such as OpenOffice.org Writer is not recommended because it
automatically wraps lines or tries to correct capitalization and spelling of words. Because
spacing and end-of-line characters are used in Bash to form structures such as loops,
the built-in formatting of a word processor can cause syntax errors in Bash scripts.
All Bash scripts must start with a line that defines it as a Bash script:
#!/bin/bash
Any other lines that begin with the hash mark (#) are considered comments and are not
processed as lines of code. For example, you can add a small description of what the program
does, the author, when it was last modified, and a version number to the top of the script:
#!/bin/bash
# This program creates daily backups for Company Name
# For internal use only
# Author: Your Name Here
# Last modified: May 15, 2006
# Version: 1.5
TIP
For a complete Bash reference, refer to the Bash Reference Manual at
http://www.gnu.org/software/bash/manual/.
Executing Commands in a Bash Script
To execute a series of commands in a Bash script, list each command on a separate line.
For example, Listing 11.1 shows a very basic Bash script that gathers information about
system resources.
LISTING 11.1 Generating a System Resources Report, Version 1
#!/bin/bash
#Script to generate a system resources report
#Author: Tammy Fox
uptime
mpstat
sar
free -m
df -h
vmstat -d
TIP
The system monitoring utilities used in Listing 11.1 are explained in Chapter 20,
"Monitoring System Resources," along with many other monitoring tools.
As you can see, the commands are listed in the script, each on a separate line. Although
the resulting file is useful to an administrator if generated on a regular basis, it would be
more useful if the output were put into context. A useful Bash command when writing
scripts is the echo command. Any text in quotation marks following the echo command
is displayed to the terminal.
If used on the command line, the echo command can be used to display messages to the
terminal. If used in a Bash script, the echo command can be used to write messages to a
file if the output is redirected to a file. It can be used to add messages to the report as
shown in Listing 11.2.
TIP
To exclude the end-of-line character, use the -n option such as echo -n "message".
LISTING 11.2 Generating a System Resources Report, Version 2
#!/bin/bash
#Script to generate a system resources report
#Author: Tammy Fox
uptime
echo ""
echo "PROCESSOR REPORT:"
echo "-------------------------------------------------"
echo "Output from mpstat:"
mpstat
echo ""
echo "Output from sar:"
sar
echo ""
echo ""
echo "MEMORY REPORT:"
echo "-------------------------------------------------"
echo "Output from free -m:"
free -m
echo ""
echo ""
echo "DISK USAGE REPORT:"
echo "-------------------------------------------------"
echo "Output from df -h:"
df -h
echo ""
echo "Output from vmstat -d:"
vmstat -d
echo ""
The echo command has other benefits. For example, it can be used to print a message at
the beginning and end of the program so the user running it knows the status of the
program. Additional uses of echo are discussed as this chapter explores other Bash
programming features.
Variables
An administrator would most likely want to run this script on more than one system. But
how can he keep track of which file was generated from each system? Because each
system has a unique hostname, he can add the hostname to the report. At the top of the
script, before the uptime command, the following line can be added:
echo "System Resources Report for $HOSTNAME"
$HOSTNAME in this line is a variable, denoted by the dollar sign in front of it. In this case,
the variable is one that bash sets automatically when it starts; if the script is ever run by
another shell such as /bin/sh, use the output of the hostname command instead. Other
variables can be declared and given values in a Bash script and then referenced later in the
script as shown in Listing 11.3 (the backslash keeps the first $VARIABLE from being expanded,
so the line prints the variable's name followed by its value).
LISTING 11.3 Using Variables in Bash
#!/bin/bash
VARIABLE=value
echo "The value of \$VARIABLE is $VARIABLE"
Table 11.1 lists additional environment variables that are useful when writing scripts.
TABLE 11.1 Common Environment Variables for Scripts
Environment Variable    Description
$HOSTNAME               Hostname of the system
$USER                   Username of the user currently logged in
$UID                    User ID of the user currently logged in
$LANG                   Language set for the system such as en_US.UTF-8
$HOME                   Home directory for the user currently logged in
$0                      The command executed to run the script, without any command-line
                        arguments
$1, $2, etc.            $1 is the value of the first command-line argument to the script,
                        $2 is the value of the second argument, and so on.
Running the Script
Before going any further, it is a good idea to test the script. It is also beneficial to test the
script as you add functionality to make it easier to find errors if they exist.
First, select a directory location for the script. As mentioned in Chapter 4, "Understanding
Linux Concepts," the Filesystem Hierarchy Standard (FHS) guidelines designate /usr/local/
for locally installed software independent of operating system updates. Because this script is a
command, it should be in a bin directory as well. Also, pick a descriptive name for the script
such as get-resources. So, saving it as /usr/local/bin/get-resources allows you to place it
in a consistent location across systems and allows other administrators to find it easily.
The next step is to make it executable with the command chmod +x get-resources. If
you aren't in the /usr/local/bin/ directory when you execute this command, either
change into that directory or give the full path to the script. This command allows
anyone on the system to execute the script. Because the script will later be run by root from
cron, make sure it stays owned by root and is not writable by anyone else (chmod 755
get-resources); otherwise any user who can edit it can run commands as root. To restrict
file permissions further, refer to the "File Permissions" section in Chapter 4.
To run the script, either give its full path /usr/local/bin/get-resources or execute the
command ./get-resources if it is in the current working directory. If executing it from
another script or specifying it in a crontab as discussed in this chapter, be sure to use the full
path.
When you execute the script, you can redirect the output to a file such as:
./get-resources > /var/log/resources
If the commands run without syntax errors, the /var/log/resources file should
contain all the output. Only standard output is redirected, so also watch the command line
from which you execute the script for any messages about syntax errors.
Optionally, you can also use the $HOSTNAME variable to create a unique filename for each
file generated by replacing /var/log/resources with /var/log/resources-$HOSTNAME in
the script. This proves useful if all the files are written to a remote shared directory from
each system running the script.
Writing Scripts with Bash 243
Because this script writes the output file to the /var/log/ directory, it must be run as root
as non-root users do not have permission to write to this directory. If you want non-root
users to be able to run the script, change the output file to a location writable by all such as
the /tmp/ directory, and make the output filename unique to each user such as
/tmp/resources-$HOSTNAME-$USER, where $USER is an environment variable for the
username of the user currently logged in. Keep in mind that /tmp/ is writable by every user,
so a predictable filename there can be created in advance (or replaced with a symbolic link)
by someone else before the script runs; a safer choice is a file under the user's own home
directory, or a name generated with the mktemp command.
Conditionals
Similar to other programming languages, Bash allows for conditionals, or if/then statements.
If a condition is met, then the commands are executed. Optionally, you can use an else
statement to provide commands if the condition is not met or use an elif statement to
provide additional conditionals. Listing 11.4 shows the basic syntax and structure. The
condition is written inside square brackets (the test command), and a semicolon or a line
break must separate it from the then keyword.
LISTING 11.4 Bash Syntax for Conditionals
if [ <condition> ]; then
    ...
elif [ <condition> ]; then
    ...
else
    ...
fi
Table 11.2 lists commonly used conditions (<condition>). For a complete list, refer to the
"Conditional Expressions" section of the Bash man page or the "Bash Conditional Expressions"
section of the "Bash Reference Manual" at http://www.gnu.org/software/bash/manual/.
TABLE 11.2 Commonly Used Bash Conditions
Conditional               Description
-d "filename"             Returns true if file exists and is a directory
-e "filename"             Returns true if file exists
-r "filename"             Returns true if file exists and is readable
-s "filename"             Returns true if file exists and is bigger than zero bytes
-w "filename"             Returns true if file exists and is writable
-x "filename"             Returns true if file exists and is executable
-N "filename"             Returns true if file exists and has been modified since it was last read
-n "$VARIABLE"            Returns true if the string has nonzero length
"$VAR1" == "$VAR2"        Returns true if strings are equal
"$VAR1" != "$VAR2"        Returns true if strings are not equal
"$VAR1" < "$VAR2"         Returns true if the first string sorts before the second string
                          according to the system's locale (alphabetically for en_US.UTF-8)
"$VAR1" > "$VAR2"         Returns true if the first string sorts after the second string
                          according to the system's locale (alphabetically for en_US.UTF-8)
$NUM1 -eq $NUM2           Returns true if the two integers are equal in value
$NUM1 -ne $NUM2           Returns true if the two integers are not equal in value
$NUM1 -lt $NUM2           Returns true if the first integer is less than the second integer
$NUM1 -le $NUM2           Returns true if the first integer is less than or equal to the
                          second integer
$NUM1 -gt $NUM2           Returns true if the first integer is greater than the second integer
$NUM1 -ge $NUM2           Returns true if the first integer is greater than or equal to the
                          second integer
TIP
Be sure to include the spaces around the brackets, the operators, and the operands. Also,
unless you are comparing integers, place quotation marks around the variables when
comparing their values, because an empty or unset variable would otherwise disappear from
the expression and cause a syntax error. For example,
if [ "$VAR1" == "$VAR2" ]; then
    ...
fi
is the proper syntax to determine if two variables are equal. The string operators < and >
must be escaped as \< and \> inside [ ], or the shell treats them as redirections; the [[ ]]
form of the test accepts them unescaped.
To keep a copy of the last system resource report generated, you can add the following
line to the beginning of the script:
mv /var/log/resources /var/log/resources.old
However, you will receive an error from the mv command if the file doesn't exist such as
the very first time you run the script. To make the script more robust, you can use a
conditional to check for the existence of the file before renaming it as shown in Listing 11.5.
LISTING 11.5 Check for Existence of File
#Keep previously generated report
if [ -e "/var/log/resources" ]; then
    mv /var/log/resources /var/log/resources.old
fi
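The pieces above, put together into one script as an added example (this is my code, not the book's listing): echo headings, the $HOSTNAME variable with a fallback for shells that do not set it, a conditional that keeps the previous report, and a guard around commands from optional packages such as sysstat. The output path is a parameter so the same functions can be exercised in a scratch directory as an ordinary user; the default path /var/log/resources-<hostname>, the function names, and the "not installed" wording are my choices, not the book's.

```shell
#!/bin/bash
# Added example (not the book's listing): the get-resources script assembled
# from the pieces in this section, written as functions so each part can be
# tested on its own.

# Run a command if it is installed; otherwise record that it is missing.
# mpstat and sar come from the optional sysstat package, so a missing command
# must not abort the whole report. Always returns 0 so one failing utility
# does not stop the script when it runs under "set -e".
run_or_note() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" || echo "($1 exited with status $?)"
    else
        echo "($1 not installed)"
    fi
}

# Print one titled section of the report: heading, rule, then the command
# output, using echo the same way Listing 11.2 does.
section() {
    title=$1
    shift
    echo ""
    echo "$title"
    echo "-------------------------------------------------"
    echo "Output from $*:"
    run_or_note "$@"
}

# Keep the previously generated report as <file>.old, as in Listing 11.5.
# The -e test avoids the mv error on the very first run.
rotate_report() {
    if [ -e "$1" ]; then
        mv -f "$1" "$1.old"
    fi
}

# Write the full report to $1 and print the path written. Default:
# /var/log/resources-<hostname>, which needs root; pass another path to run
# as an ordinary user. $HOSTNAME is set by bash but not by every shell, so
# fall back to uname -n.
generate_report() {
    host=${HOSTNAME:-$(uname -n)}
    out=${1:-/var/log/resources-$host}
    rotate_report "$out"
    {
        echo "System Resources Report for $host"
        echo "Generated on $(date)"
        run_or_note uptime
        section "PROCESSOR REPORT:" mpstat
        section "PROCESSOR REPORT (sar):" sar
        section "MEMORY REPORT:" free -m
        section "DISK USAGE REPORT:" df -h
        section "DISK I/O REPORT:" vmstat -d
        echo ""
        echo "Report complete."
    } > "$out"
    echo "$out"
}
```

Called as generate_report with no argument by root (for example from cron), it behaves like the book's script. As a regular user, generate_report "$(mktemp -d)/resources" writes into a scratch directory, and a second call to the same path leaves the first report in resources.old.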
Loops
Another useful part of the Bash scripting language is the inclusion of loops. There are
three types of loops: while, for, and until.
A while loop allows you to execute a sequence of commands while a test is true such as
while an integer is smaller than another integer or while a string does not equal another
string. Listing 11.6 shows the basic syntax of a while loop.
LISTING 11.6 Syntax of a while Loop
while [ <test> ]
do
    ...
done
The <test> can be any of the string or integer comparisons from Table 11.2. For example,
Listing 11.7 shows a while loop that prints the values 1 through 4 and stops as soon as the
INT variable reaches 5.
LISTING 11.7 Example while Loop
#!/bin/bash
INT=1
while [ "$INT" -lt 5 ]
do
    echo $INT
    INT=$((INT+1))
done
The until loop is similar to the while loop except that the code in the loop is executed
until the test is true. For example, the loop in Listing 11.8 produces the same output as
Listing 11.7: it runs until the INT variable is greater than 4.
LISTING 11.8 Example until Loop
#!/bin/bash
INT=1
until [ "$INT" -gt 4 ]
do
    echo $INT
    INT=$((INT+1))
done
The for loop in Bash sets the value of a variable to each item of a defined list of values, one
at a time, until the end of the list. Listing 11.9 shows the basic syntax of a for loop.
LISTING 11.9 Syntax of a for Loop
for X in <list>; do
    ...
done
For example:
#!/bin/bash
for X in dog cat mouse; do
    echo "$X"
done
The asterisk can be used as a wildcard when defining the list. For example, *.html can be
used to iterate through all the HTML files in the current directory. If no file matches, the
shell passes the pattern itself, *.html, to the loop as a literal word, so a script that must
cope with an empty directory should test each name with -e before using it.
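Two small helpers, added here as an example rather than taken from the book, that apply the loop forms above to the wildcard case just mentioned: count_html_files uses a for loop over *.html and skips the literal pattern that is left behind when the directory holds no matching file, and count_to is Listing 11.7's while loop with the upper bound as a parameter and the argument checked before it reaches the test. The function names and the directory argument are my own.

```shell
#!/bin/bash
# Added example, not from the book: for and while loops with their inputs
# checked the way a script that runs unattended should check them.

# Count the HTML files directly inside directory $1 with a for loop.
# When nothing matches, the shell hands the loop the pattern itself
# ("<dir>/*.html") as one literal word, so each name is tested with -e
# before it is counted.
count_html_files() {
    dir=$1
    count=0
    for f in "$dir"/*.html; do
        [ -e "$f" ] || continue
        count=$((count + 1))
    done
    echo "$count"
}

# Print the integers 1 through $1, one per line (Listing 11.7 with the
# limit as a parameter). An empty or non-numeric limit prints nothing
# instead of making the integer comparison fail with an error.
count_to() {
    limit=$1
    case $limit in
        ''|*[!0-9]*) return 0 ;;
    esac
    i=1
    while [ "$i" -le "$limit" ]; do
        echo "$i"
        i=$((i + 1))
    done
}
```

count_html_files /var/www/html counts the pages in the web root; count_to 4 prints the same four lines as Listing 11.7.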
Additional Scripting Languages
When automating system administration tasks, scripting languages such as Bash are most
commonly used because they are efficient at executing a series of commands. However,
other languages, both scripting and compiled, offer functions such as finding phrases in
text files and replacing them with a different word or phrase, which can be helpful when
you want to customize configuration files.
This section gives a brief overview of a few of the other scripting languages used in Red
Hat Enterprise Linux along with some of their advantages and disadvantages for system
administrators.
Writing Scripts with Python
Compared to Bash scripting, the syntax and features of Python look and feel more like a
general-purpose programming language. Because the code is interpreted (the interpreter
compiles it to its own byte code as it runs, not into a native executable), it can be used as a
scripting language similar to Bash and can run on multiple platforms including Linux,
Mac OS X, and the Microsoft Windows variants. Or, the programmer can choose to utilize the
object-oriented nature of Python and write more complex user-end applications complete
with graphical interfaces. In fact, all of the system-config-* configuration tools from Red
Hat are written in Python.
One of Python's strengths is its easy-to-read syntax. Instead of having to use semicolons
and remembering what keyword is used to end a loop, the programmer simply uses consistent
indentation to tell the interpreter what lines are part of which functions or loops.
The python RPM package needs to be installed to use Python. If you don't have it
installed, refer to Chapter 3, "Operating System Updates," for instructions. There are also
packages that provide additional Python modules such as rpm-python for developing
Python programs to interface with the RPM packages or database. Install these additional
packages if you require their functionality.
Documentation for Python can be found at http://python.org/doc/, by installing the
python-docs RPM package, and in books dedicated to teaching Python.
Writing Scripts with Perl
Similar to Python, Perl is available for many different operating systems, so its code can
be easily ported to multiple operating systems. Perl's strengths include its process, file,
and text-manipulation abilities. It is commonly used to write system management
programs, scripts to access databases, and CGI scripts for the web. For example, the
logwatch utility discussed in Chapter 20, "Monitoring System Resources," includes Perl
scripts to generate log file reports.
The perl RPM package needs to be installed to use Perl. Optionally, packages that include
additional Perl modules can be installed such as perl-DBI for accessing databases with
Perl and perl-HTML-Parser for parsing HTML files in Perl.
Documentation for Perl can be found in the many man pages that come with the perl
package. Start by executing the man perl command. The main Perl man page provides a
list of other man pages and their purposes. More information and further documentation
can be found at http://www.perl.org/.
Writing Scripts with Sed
A stream editor, Sed, reads the input text sequentially line by line and processes it
through a set of text transformation rules. All the rules are applied to the text with one
pass of the text file from start to finish. Sed can be used on the command line from the
sed command or it can be called from a script such as a Bash script, which was discussed
earlier in this chapter. The sed RPM package must be installed to use Sed. Install it from
Red Hat Network if it is not already installed. Software installation instructions can be
found in Chapter 3.
To use a Sed rule from the command line, use the following format, which saves the new
content in a separate file:
sed -e '<rules>' original.txt > newfile.txt
Alternatively, you can output the contents of a file and pipe it through Sed:
cat original.txt | sed -e '<rules>' > newfile.txt
To apply Sed rules to a file "in-place," use the following format (the changes are made to
the same file):
sed -i -e '<rules>' file.txt
Because -i rewrites the file with no copy of the original, give it a suffix, as in -i.bak, to keep
a backup before editing a configuration file you cannot easily recreate.
NOTE
If you do not redirect the results into a new file, they are written to standard output, that
is, displayed on the command line before returning to the command prompt.
Sed commands can also be called from a script file by using a Bash script. The first line of
the file must be
#!/bin/bash
After that, the syntax for calling the command is the same as from the command line.
Refer to the "Executing Commands in a Bash Script" section earlier in this chapter for
further explanation of the file format.
Listing 11.10 provides some sample Sed commands that can be invoked from the
command line. They can also be executed from a script as previously described. Lines
beginning with # in Listing 11.10 are comments to explain the commands.
LISTING 11.10 Example Sed Commands
#double space a text file that is single spaced
sed -e G singlespace.txt > doublespace.txt
#replace the word one with the number 1
sed -e 's/one/1/g' old.txt > new.txt
#replace the word old with the word new but only for the first instance on each line
sed -e 's/old/new/' old.txt > new.txt
For a Sed reference including a list of regular expressions accepted by Sed, refer to the Sed
manual at http://www.gnu.org/software/sed/manual/sed.html.
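Because the most common reason to run sed from a script is to customize a configuration file, here is an added example (my own code, not from the book) of the in-place form with a backup. set_config_value changes a "keyword value" line, anchored at the start of the line so that a keyword which is a prefix or suffix of another is left alone, and appends the line if the keyword is not present; get_config_value reads a value back with sed -n; disable_config_key comments a setting out rather than deleting it. The keyword is used as a regular expression and the value as a replacement, so neither may contain sed metacharacters (. * | & and so on). The sample file in the usage note uses sshd_config-style keywords only because they are familiar; it is constructed for the example.

```shell
#!/bin/bash
# Added example, not from the book: editing a "keyword value" configuration
# file in place with sed, keeping a backup copy first.

# Replace the value of keyword $2 in file $1 with $3. The pattern is
# anchored with ^ and requires whitespace after the keyword, so changing
# "Port" does not touch "GatewayPorts". The keyword must not contain
# characters such as . or * that have a meaning to sed, and the value
# must not contain | or &. sed -i.bak rewrites the file and leaves the
# original as <file>.bak. If the keyword is absent, the line is appended.
set_config_value() {
    file=$1
    key=$2
    value=$3
    if grep -q "^${key}[[:space:]]" "$file"; then
        sed -i.bak -e "s|^${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        cp -p "$file" "$file.bak"
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of keyword $2 in file $1, or nothing if it is absent.
# -n suppresses the default output; the p flag prints only the lines where
# the substitution matched, and the substitution strips the keyword.
get_config_value() {
    sed -n -e "s/^$2[[:space:]][[:space:]]*//p" "$1"
}

# Comment out every line that sets keyword $2 in file $1 instead of
# removing it, so the previous setting stays visible for review.
disable_config_key() {
    sed -i.bak -e "s/^\($2[[:space:]]\)/#\1/" "$1"
}
```

With a constructed file containing "Port 22", "GatewayPorts no" and "PermitRootLogin yes", set_config_value file PermitRootLogin no changes only the third line, set_config_value file Port 2222 leaves GatewayPorts untouched, and file.bak still holds the previous contents.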
Writing Scripts with Awk
Compared to Sed, Awk is a more complete language with arrays, built-in functions, and the
ability to print from an Awk program. It, too, can be called directly from the command line
or from a Bash script. Install the gawk package to use Awk (Red Hat Enterprise Linux includes
the GNU version of Awk called Gawk). To use Awk from the command line, invoke the awk
command followed by the code inside curly brackets, inside single quotation marks:
awk '{<code>}'
To use Awk from a Bash script, use the same syntax as if from the command line. Refer to
the "Executing Commands in a Bash Script" section earlier in this chapter for further
explanation on including commands in a Bash script.
Listing 11.11 shows a simple awk command to parse through the output of the uptime
command and only display the number of days since the last reboot.
LISTING 11.11 Awk Program to Parse Output of uptime Command
#only print how long the system has been running from the uptime command
uptime | awk '{print $3 " " $4}'
Awk splits each line into fields on whitespace, so $3 and $4 are the third and fourth
space-separated fields. When the system has been up for at least a day, uptime prints a line
such as "15:22:01 up 5 days, 3:21, 2 users, ...", so those fields contain the number of days
and the word "days," (or "day,"). Note that the format is not fixed: on a system up for less
than a day the third field holds the hours and minutes instead, so a script that relies on this
should check the fourth field before trusting the third. The data is displayed using the Awk
print command.
For a complete Gawk reference including a list of built-in functions, refer to the Gawk
manual at http://www.gnu.org/software/gawk/manual/.
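An added example (mine, not the book's) that makes Listing 11.11 robust against the output formats uptime actually produces: the day count is only in the third field when the fourth field begins with "day", so days_up checks that field and prints 0 for a system up less than a day; days_up_proc reads the same figure from /proc/uptime, whose first field is the uptime in seconds and whose format does not vary. The sample uptime lines in the comments and the usage note are constructed, and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the book: parsing uptime output with awk while
# allowing for the different formats uptime prints.

# Print the number of whole days the system has been up, given one line
# of uptime output as $1. Fields are split on whitespace, so the leading
# space in uptime's output does not shift them. Constructed sample lines:
#   15:22:01 up 5 days,  3:21,  2 users,  load average: ...   -> 5
#   15:22:01 up 1 day,  3:21,  2 users,  load average: ...    -> 1
#   15:22:01 up 3:21,  2 users,  load average: ...            -> 0
#   15:22:01 up 5 min,  2 users,  load average: ...           -> 0
# Only when $4 starts with "day" is $3 a day count.
days_up() {
    printf '%s\n' "$1" | awk '$4 ~ /^day/ { print $3; next } { print 0 }'
}

# Print the whole days since boot from /proc/uptime, whose first field is
# the uptime in seconds and whose format never changes. Takes the path as
# an optional argument so a constructed file can be used for testing.
days_up_proc() {
    awk '{ print int($1 / 86400) }' "${1:-/proc/uptime}"
}
```

days_up "$(uptime)" is the drop-in replacement for Listing 11.11; days_up_proc with no argument gives the same answer without depending on uptime's wording at all.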
Scheduling Tasks with Cron
Now that you understand the basics of automating tasks with a script or program, the
next step is to know how to schedule the tasks so they are executed at a specific time or
on a set schedule. Some scripts such as removing users may not need to be scheduled, but
others such as performing backups might work better on a schedule so users can anticipate
them or so they can be run during a time when they won't interfere with the daily
workload of the system.
Your Red Hat Enterprise Linux system should have the packages called vixie-cron and
crontabs installed by default because basic system maintenance such as rotating log files
is automated through the cron daemon.
The vixie-cron package installs a daemon called crond. This daemon references a set of
files that contains lists of tasks to run every hour, every day, every week, every month, or
at a specific time. If a specific time is listed, the minute, hour, day of the month, month,
and day of the week can be scheduled. It also provides the initialization script used to
start the daemon at boot time and the crontab executable used by non-root users to
schedule cron tasks.
The crontabs package sets up the basic directory structure for the cron files. The following
directories are created:
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
Along with these directories, the /etc/crontab and the /usr/bin/run-parts files are
installed. The /etc/crontab file defines the SHELL, PATH, MAILTO, and HOME variables and
then defines when to run the hourly, daily, weekly, and monthly cron tasks. The
/usr/bin/run-parts file is a bash script called by the /etc/crontab file to run the tasks in
the hourly, daily, weekly, and monthly cron directories.
Because you have root privileges to the system as the administrator, you can add your
custom script to one of the directories set up by the crontabs package or add a specially
formatted file in the /etc/cron.d/ directory. The scripts in the cron.* directories run as root,
and the files in /etc/cron.d/ name the user each command runs as, so treat these
directories like any other root-owned configuration: only root should be able to write to
them or to the scripts they reference.
After adding your custom script to the appropriate directory, it is executed when the tasks
for each directory are scheduled to run as defined in /etc/crontab. The following log
entry in /var/log/cron confirms that the daemon executed the daily scripts (this
example was added to /etc/cron.daily/):
May 15 04:02:01 goofy crond[447]: (root) CMD (run-parts /etc/cron.daily)
To use a specially formatted file in the /etc/cron.d/ directory instead, create a file in the
directory with a unique, descriptive name such as backup for a cron task that creates
backups. For example, to echo a message to a file 47 minutes after every hour, create a file
called testing containing the following:
47 * * * * root echo "testing from cron.d" >> /tmp/testing
The contents of each file in the /etc/cron.d/ directory must use the following format:
* * * * * username command
The five asterisks should be replaced by the minute, hour, day of the month, month, and
day of the week on which to execute the command.
The following entries in /var/log/cron confirm the addition and the execution of the task:
May 13 15:37:01 goofy crond[1824]: (*system*) RELOAD (/etc/cron.d/testing)
May 13 15:47:01 goofy crond[6977]: (root) CMD (echo "testing from cron.d" >> /tmp/testing)
NOTE
The cron daemon (crond) looks for new cron tasks every minute, so a log entry
confirming the addition of a cron task will not appear until the daemon rereads the
task lists.
Finally, if you want to add a cron task as a user, execute the crontab -e command as a
non-root user. This utility allows each user to have his or her own list of cron tasks. For
example, suppose the user tfox executes crontab -e and enters the content from Listing
11.12. Note that the default editor used is Vi.
LISTING 11.12 Example crontab -e Entry
SHELL=/bin/bash
MAILTO=tfox
22 15 13 5 * echo "testing" >> /tmp/testing
The format for each entry is similar to the format used for the files in /etc/cron.d/
except the username is not specified since each crontab file created with the crontab -e
command is specific to a user. Because the file is specific to the user, variables such as
what shell to use and who to email if the tasks generate output can be given values at the
top of the file as shown in Listing 11.12.
After the user saves the entry, it is written to the /var/spool/cron/<username> file,
/var/spool/cron/tfox in the example. For security reasons, the /var/spool/cron/ directory
is only readable by the root user, but non-root users can execute the crontab -l
command at any time to review their cron tasks (and crontab -e to change them).
This simple example creates the file /tmp/testing with a line that reads testing in the
file. It is set to execute on May 13 at 3:22 p.m. After adding and saving the entry and
after it is executed, the content from Listing 11.13 appears in the /var/log/cron log file.
LISTING 11.13 Log Entries after Adding a User Cron Task
May 13 15:20:09 goofy crontab[6588]: (tfox) BEGIN EDIT (tfox)
May 13 15:20:42 goofy crontab[6588]: (tfox) REPLACE (tfox)
May 13 15:20:42 goofy crontab[6588]: (tfox) END EDIT (tfox)
May 13 15:21:01 goofy crond[1824]: (tfox) RELOAD (cron/tfox)
May 13 15:22:01 goofy crond[6631]: (tfox) CMD (echo "testing" >> /tmp/testing)
The last two examples in this section show how to add a simple command as the cron
task. Let's go back to the example bash script you have been working on to gather system
resources. You can configure cron to execute the script using one of the previously
mentioned methods and then as part of that same cron task have the file emailed to the
administrator.
For example, if you are adding the file resources to the /etc/cron.d/ directory to control
precisely when the script runs, modify the following entry and save it in a file named
/etc/cron.d/resources (the entry must be on a single line):
47 02 * * * root /usr/local/bin/get-resources > /var/log/resources; mail -s "Resources report for $(hostname)" admin@example.com < /var/log/resources
The hostname command is used rather than $HOSTNAME because cron runs commands with
/bin/sh unless a SHELL line in the file says otherwise, and HOSTNAME is a variable that only
bash sets.
The mail command is provided by the mailx package. For this command to work, the
system must be properly configured to send email. Refer to Chapter 18, "Setting Up an
Email Server with Sendmail" for details.
Summary
This chapter provided you with an overview of some common scripting languages available
for Red Hat Enterprise Linux to help you start writing your own scripts. Think about
tasks you perform on a regular basis and whether they can be automated with a script. If
they can be scripted, also consider automating their execution at set intervals using the
cron utility.
PART IV
Network Services
IN THIS PART
CHAPTER 12 Identity Management 255
CHAPTER 13 Network File Sharing 293
CHAPTER 14 Granting Network Connectivity with DHCP 319
CHAPTER 15 Creating a Web Server with the Apache HTTP Server 327
CHAPTER 16 Hostname Resolution with BIND 339
CHAPTER 17 Securing Remote Logins with OpenSSH 355
CHAPTER 18 Setting Up an Email Server with Sendmail 367
CHAPTER 19 Explaining Other Common Network Services 379
IN THIS CHAPTER
Understanding PAM
Enabling NIS
Enabling LDAP
Enabling Kerberos
Enabling SMB or Winbind Authentication
Enabling with Authentication Tool
CHAPTER 12
Identity Management
Managing user accounts, including passwords, on individual systems does not scale well
when an administrator must maintain hundreds or thousands of users on hundreds or
thousands of systems, often around the world. Many services are available for Red Hat
Enterprise Linux to allow users to authenticate from a central, remote server, which can
also store user information that can be retrieved from client systems.
Some of the advantages of using a network service for user information and authentication
include only having to back up this data from one system, updating the information on the
server updates the information for all clients, and implementing higher security on the
server containing user information.
If local authentication is what you require, refer to the chapter "Managing Users and
Groups" for details. Even if you are not using local users and groups, it is recommended
that you read the "What Are Users and Groups" section for a description of Linux users
and groups and the "Best Practices" section of that chapter for suggested methods for
establishing username conventions, setting password expiration, selecting secure passwords,
deleting accounts, and structuring home directories.
Red Hat Enterprise Linux includes many network services for remote identity management.
This chapter discusses the NIS, LDAP, Kerberos, Hesiod, SMB, and Winbind authentication
services.
Understanding PAM
PAM, or Pluggable Authentication Modules, is an authentication layer that allows programs
to be written independent of a specific authentication scheme. Applications request
authentication via the PAM library, and the PAM library determines whether the user is
allowed to proceed. If an administrator wants to implement a different authentication
scheme, he just changes the PAM configuration files and the existing programs work
seamlessly.
All applications and services that depend on PAM for authentication have a file in the
/etc/pam.d/ directory, with the filename being exactly the same as the application or
service. Filenames must be in all lowercase. The RPM for the application or service is
responsible for installing its own configuration file in this directory. For example, the
reboot command is PAM-aware and thus the usermode package that includes reboot
installs the /etc/pam.d/reboot file.
Contents of the /etc/pam.d/ configuration files are case-sensitive, and each line uses the
following format:
<type> <control> <module> <module_options>
Each line calls a module located in the /lib/security/ or /lib64/security/ directory,
depending on whether the system is 32-bit or 64-bit and whether the module is 32-bit or
64-bit (32-bit modules can exist on a 64-bit system). Module calls can be stacked so that
multiple criteria must be verified before allowing authentication. The module calls are
processed from top to bottom, so the order matters. Options for the module can also be
specified.
The <type> must be one of the following management groups:
account: Non-authentication account management such as verifying the location of
the request or whether system resources are available for the request.
auth: Authenticate the requested user based on a password or other form of
authentication. Also can grant privileges to authorized users.
password: Required for managing passwords or other authentication tokens.
session: Manage actions before and after a user is granted or denied access to a
service such as logging and mounting directories.
Each module returns a success or failure status. The <control> determines whether or not
the next module should be called to continue the authentication process. The <control>
is usually one of the following:
required: If the module returns success, the next module in the stack is called if it
exists or the authentication is successful if it is the last module called. Return
authentication failure if the module returns failure but only after calling the remaining
modules in the stack.
requisite: Similar to required except that control is immediately sent back to the
application or service requesting authentication instead of calling the remaining
modules.
sufficient: If the module returns success and no earlier required module has failed,
the stack ends immediately with success and the remaining modules are not called. If
the module returns a failure, the failure is ignored and the authentication can still be
successful if all the required modules in the stack return success.
optional: Results of the module are ignored unless it is the only module in the stack
for that management group.
include: Include the lines of the same type from the given configuration file in the
same /etc/pam.d/ directory such as include system-auth.
The <control> can also be in the following form:
value1=action1 value2=action2 ...
The value should be the return code from the function called in the module. Refer to the
pam.conf man page by executing the man pam.conf command for details.
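The control flags are easiest to understand on a concrete stack. The following auth section is an added illustration written for this explanation, modelled on the style of the system-auth file Red Hat ships; it is not copied from the page or from a particular release, and the UID threshold of 500 is simply the one used there for system accounts.

```text
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
```

Walking through it from the top: pam_env (required) only sets environment variables and returns success, so processing continues. pam_unix checks the password against /etc/shadow; because it is sufficient, a correct password ends the stack right here with success, since no earlier required module has failed, and neither of the remaining lines runs. A wrong password is ignored at this point and processing continues. pam_succeed_if is requisite: for an account with a UID below 500 it fails and returns to the application immediately, so a system account is refused without the remaining module being consulted. For any other account it succeeds, and control reaches pam_deny, which is required and always fails, so the final result is failure. The last line is the safety net: it guarantees an explicit failure for every user pam_unix did not accept rather than relying on the result of an exhausted stack. Two things worth checking on a real system: the nullok option lets pam_unix accept an account whose password field is empty, so remove it wherever blank passwords are not intended, and a service file that contains include system-auth pulls this whole stack in, so a change here affects every service that includes it.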
Enabling NIS
NIS, or Network Information Service, is a network service that allows authentication and
login information to be stored on a centrally located server. This includes the username
and password database for login authentication, database of user groups, and the locations
of home directories.
To allow users to log in to any system on the network seamlessly, NIS and NFS can be
used together. The NIS server provides the network service for logging in to the system,
and NFS can be used to export user home directories from a central server. If used
together, users can access any system with the same username and password, system
groups remain the same across the network, and users' home directories are exactly the
same regardless of which system they log in to. If using SELinux, the use_nfs_home_dirs
SELinux boolean must be set to 1 on each NFS client mounting the home directories.
Refer to Chapter 13, "Network File Sharing" for details.
Keep in mind that NIS was designed for trusted networks: the maps it serves, including the
password map with its hashed passwords, are available to any host that can bind to the
server unless access is limited in /var/yp/securenets, and the protocol carries them
unencrypted. On a network you do not fully control, LDAP or Kerberos, covered later in
this chapter, is the better choice.
NIS and SELinux
In Red Hat Enterprise Linux 5, NIS is protected by the default Security-Enhanced Linux
(SELinux) policy, known as the targeted policy. Refer to Chapter 23 for more information
on SELinux.
By default, this targeted policy does not allow NIS connections. To use NIS, you must set
the allow_ypbind SELinux boolean to 1 with the following command:
setsebool -P allow_ypbind 1
To verify that the setting has been changed, execute the following:
getsebool allow_ypbind
If enabled, the output should be the following:
allow_ypbind --> on
Other SELinux booleans for NIS include the following (they are set to 0 by default):
yppasswdd_disable_trans: Disable SELinux protection for yppasswdd if set to 1.
ypxfr_disable_trans: Disable SELinux protection for ypxfr if set to 1.
ypbind_disable_trans: Disable SELinux protection for ypbind if set to 1.
You can also change the values of these booleans by running the SELinux Management
Tool. Start it by selecting Administration, SELinux Management from the System menu
on the top panel of the desktop or by executing the system-config-selinux command.
Enter the root password when prompted if running as a non-root user. Select Boolean
from the list on the left. On the right, click the triangle icon next to NIS. The SELinux
booleans affecting NIS appear.
TIP
The SELinux booleans that affect NIS are described in the ypbind_selinux man page
viewable with the man ypbind_selinux command.
Allowing NIS Connections
By default, the NIS daemons are RPC services that register with portmap on whatever port
they are assigned when they start, so the port numbers are not predictable. If you are
using firewall rules that only allow connections on specific ports, static ports can be set
for the ypserv and ypxfrd services but not for yppasswdd. Refer to the /etc/services
file for a list of ports already reserved for other services on the system and then select
available ports. To assign ports to ypserv and ypxfrd, add the following lines to
/etc/sysconfig/network:
YPSERV_ARGS="-p <port>"
YPXFRD_ARGS="-p <port>"
If the services are already running, they must be restarted for the changes to take effect.
After restarting them, use the rpcinfo -p <hostname> command to verify that the
selected ports are being used.
If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for
details on how to allow these ports. Remember that portmap itself (port 111) must also be
reachable by the clients, because that is where they look up the NIS ports.
If the default security level is enabled instead of custom IPTables rules, use the Security
Level Configuration tool to allow NIS connections. Start it by selecting Administration,
Security Level and Firewall from the System menu on the top panel of the desktop or
by executing the system-config-securitylevel command. Enter the root password when
prompted if running as a non-root user. In the Other ports area, click Add to specify
these two ports.
Configuring the NIS Server
To configure a system as an NIS server, first install the ypserv RPM package via RHN,
which installs the portmap package as a dependency. Also install ypbind via RHN,
which installs the yp-tools package as a dependency. The ypserv service provides the NIS
server, and ypbind provides the necessary client utilities.
CHAPTER 12 Identity Management 258
TIP
Log messages for ypserv and its related services are written to the /var/log/messages
file.
The NIS server must have a domain name (which is different from the domain name of a FQDN as discussed in Chapter 16, "Hostname Resolution with BIND"). The domain name is used along with its IP address or hostname by clients to connect to it. Set the NIS domain name in /etc/sysconfig/network by adding the following line as root (replace <domain> with a unique name):
NISDOMAIN="<domain>"
The server must be set up as a client of itself, so add the following line to /etc/yp.conf:
ypserver 127.0.0.1
The local files from which NIS gets its information to share with clients must be configured, including /etc/passwd, /etc/shadow, /etc/group, and /etc/hosts. In other words, users must be added to the NIS server with the desired passwords, groups must be added, and any IP address and hostname combinations to be shared must be added to /etc/hosts.
Next, start the portmap, yppasswdd, and ypserv services by executing the following as root for each of them:
service <service> start
Be sure these services are started at boot time with the following command as root for each service:
chkconfig <service> on
Lastly, create the NIS database (on a 64-bit system, the lib directory will be lib64 instead):
/usr/lib/yp/ypinit -m
Enter the requested information and answer the questions appropriately when prompted. The output should look similar to Listing 12.1.
LISTING 12.1 Creating the NIS Database
At this point, we have to construct a list of the hosts which will run NIS
servers. smallville.example.net is in the list of NIS server hosts.
Please continue to add the names for the other hosts, one per line.
When you are done with the list, type a <control D>.
        next host to add: smallville.example.net
        next host to add:
The current list of NIS servers looks like this:

smallville.example.net

Is this correct? [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/example/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/example'
updating passwd.byname...
updating passwd.byuid...
updating group.byname...
updating group.bygid...
updating hosts.byname...
updating hosts.byaddr...
updating rpc.byname...
updating rpc.bynumber...
updating services.byname...
updating services.byservicename...
updating netid.byname...
updating protocols.bynumber...
updating protocols.byname...
updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/example'
smallville.example.net has been set up as a NIS master server.
Now you can run ypinit -s smallville.example.net on all slave server.
The NIS map files are created in the /var/yp/<domain>/ directory. After the NIS database has been created, the server must be told about changes to the data being shared. To update the NIS maps after modifying files on the server, change to the /var/yp/ directory and type the make command as the root user. To keep the NIS information updated on a regular basis, consider creating a cron task to execute this command periodically. The update frequency depends on how often the information is updated. You can also run make in the /var/yp/ directory after each change if you need them to take place immediately or if you don't update the data very often. Refer to Chapter 11, "Automating Tasks with Scripts," for details on setting up a cron task.
From the client side, the ypcat command can be used to view the contents of the NIS maps. For example, execute ypcat passwd.byname to view the user entries from /etc/passwd on the server. A full list of maps to query can be retrieved from the ypwhich -m command on the client. Entry names such as passwd.byname are not always easy to remember, so the /var/yp/nicknames file on the NIS server can be used to set up aliases or nicknames so they can be used to query the server for information lists. For example, the nickname passwd is set up by default for passwd.byname. View the contents of the /var/yp/nicknames file for a complete list of aliases set up by default. From the client, the ypwhich -x command lists the available nicknames. Remember to run the make command in the /var/yp/ directory on the server after modifying the /var/yp/nicknames file to update the NIS map file for it.
The ypserv service also has a configuration file, /etc/ypserv.conf. The default file contains comments that detail the available options. The ypserv.conf man page provides descriptions of them as well. Access control lists can also be added to this file. Refer to the "Restricting Access to NIS Server" section for details.
The yppasswdd daemon allows users on the NIS clients to change their passwords and other user information stored on the server. Refer to the "Connecting to the NIS Server" section for instructions on using the client-side utility. When passwords and user information are changed with yppasswd, the daemon assumes the /etc/passwd and /etc/shadow files by default. If the server uses different file locations, set them in /etc/sysconfig/yppasswdd. This configuration file also contains an option to pass arguments to the daemon when it is started. A list of these arguments can be found in the yppasswdd man page.
Adding Optional NIS Slave Servers
The NIS server where the master copy of the user information is stored and can be modified is called the master server, and each NIS domain can only have one master server. However, slave NIS servers can be added to the network.
These slave servers retrieve their data from the master server and are useful if the master server fails or needs to be taken down for maintenance; the slave server can act in its place. NIS clients will try to find a different server for their NIS domain if the server they are connected to is responding slowly or not at all. If slave servers for the domain exist, they can help handle the heavy request load.
Configuring NIS Slave Servers
To configure a slave server, first configure the master server for the domain. If slave servers are to be set up for the domain, the ypxfrd service can be run on the NIS server to allow for NIS database transfers. Start it on the master server as root with the service ypxfrd start command. Also, make sure it is started at boot time with the chkconfig ypxfrd on command, also as root.
Also on the master server, add the hostname of the slave server to the list of NIS servers in the /var/yp/ypservers file. Enable this change by switching to the /var/yp/ directory with the cd /var/yp command and running the make command as root. Make sure the hostname of the slave server is in /etc/hosts or can be resolved via DNS.
The same set of RPM packages required on the master server must also be installed on each slave server. Make sure the hostname of the master server can be resolved to its IP address on the slave server via DNS or the /etc/hosts file. Then, copy the NIS databases from the master server by executing the following as root on each slave server, where <master> is the hostname of the master NIS server (on a 64-bit system, the lib directory will be lib64 instead):
/usr/lib/yp/ypinit -s <master>
Change the NIS server for the slave server to itself in the /etc/yp.conf file. If a different NIS server is already configured, comment it out by adding a # character in front of the line, or delete the line. The following line in /etc/yp.conf configures the slave server as its own NIS server:
ypserver 127.0.0.1
On the slave server, the ypserv service must be started before the ypbind service. As root, execute the following sequence of commands:
service ypbind stop
service ypserv start
service ypbind start
Verify that the slave server is now using itself as the NIS server by executing the ypwhich command. It should return the hostname of the slave server.
Updating NIS Maps from Master
To update the NIS maps on a slave server from the master server, the ypxfrd service must be running on the master server as previously mentioned. This daemon listens for client requests. On each slave server, the ypxfr command must be run as root for each map file to be updated (on a 64-bit system, the lib directory will be lib64 instead):
/usr/lib/yp/ypxfr <mapname>
To verify that the map was updated, execute the ypcat <mapname> command and look for the newly added data. As previously mentioned, a list of maps can be retrieved with the ypwhich -m command.
Instead of executing the ypxfr command manually every time a map file is changed, you can configure a cron task to execute it periodically for each map file. The interval at which it is executed depends on how often you update the map files on the master server. Because the ypxfr command must be executed for each map file, all the map files do not have to be updated at the same time. Refer to Chapter 11 for details on setting up a cron task.
CAUTION
Remember, if shared data is modified on the server, the make command must be run in the /var/yp/ directory on the server to update the master NIS maps before the updated map files can be transferred to the clients.
Restricting Access to NIS Server
By default, anyone with access to the network on which the NIS server is running can query the server and query for data in the NIS maps. To restrict connections to specific clients, create a /var/yp/securenets file. Lines beginning with # are comments. The file should contain the following line to allow the local host to connect:
host 127.0.0.1
To accept requests from additional hosts, add a line with a netmask, followed by a space, followed by a network pair for each set of hosts such as
255.255.255.0 192.168.10.0
If clients not in the /var/yp/securenets file try to connect, the request is ignored, and a warning message is logged on the server.
Access control lists for NIS can also be set in /etc/ypserv.conf. Each access control line is in the following format:
host:domain:map:security
The host field can be an individual IP address such as 192.168.10.2, an IP address range and netmask such as 192.168.10.0/255.255.255.0, or the beginning of the IP address range such as 192.168, which translates to 192.168.0.0/255.255.0.0. The domain field is the NIS domain for which this rule applies. An asterisk (*) can be used as the domain name to match any domain. The map field must be an NIS map name or an asterisk for all NIS maps. Security must be none, port, or deny. If set to none, clients matching the rule are allowed access. If set to port, clients matching the rule are allowed from ports less than 1024 only. If set to deny, clients matching the rule are denied access to the NIS server.
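The following POSIX sh functions are an added example (not from the book) that evaluate both kinds of rule above offline: securenets_allows applies a /var/yp/securenets file to a client address, and ypserv_host_matches applies the three host-field forms of an /etc/ypserv.conf line. The securenets file and client addresses below are constructed.

```shell
#!/bin/sh
# Added example, not from the book: evaluate NIS access rules offline so a
# securenets file or a ypserv.conf host field can be checked before deployment.

# Dotted-quad IPv4 address to an integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if client $2 matches a "host <addr>" or "<netmask> <network>"
# line in securenets file $1; comment (#) and blank lines are skipped.
securenets_allows() {
    client=$(ip2int "$2")
    while read -r mask net; do
        case $mask in ''|\#*) continue ;; esac
        if [ "$mask" = host ]; then
            [ "$(ip2int "$net")" -eq "$client" ] && return 0
        else
            m=$(ip2int "$mask")
            [ $(( client & m )) -eq $(( $(ip2int "$net") & m )) ] && return 0
        fi
    done < "$1"
    return 1   # no line matched: ypserv ignores the request and logs a warning
}

# Return 0 if client $2 matches ypserv.conf host spec $1, which may be a
# single address (192.168.10.2), address/netmask (192.168.10.0/255.255.255.0)
# or a leading-octet prefix (192.168 means 192.168.0.0/255.255.0.0).
ypserv_host_matches() {
    spec=$1; client=$(ip2int "$2")
    case $spec in
        */*) net=${spec%/*}; mask=${spec#*/} ;;
        *)   net=$spec; mask=255
             dots=$(( $(printf '%s' "$spec" | tr -cd '.' | wc -c) ))
             i=$dots
             while [ "$i" -gt 0 ]; do mask=$mask.255; i=$((i - 1)); done
             while [ "$dots" -lt 3 ]; do net=$net.0; mask=$mask.0; dots=$((dots + 1)); done ;;
    esac
    m=$(ip2int "$mask")
    [ $(( client & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# Constructed securenets file: loopback plus one /24, nothing else.
SECURENETS=$(mktemp)
cat > "$SECURENETS" <<'EOF'
# allow the local host and the 192.168.10.0/24 network only
host 127.0.0.1
255.255.255.0 192.168.10.0
EOF

for client in 127.0.0.1 192.168.10.42 192.168.11.42; do
    if securenets_allows "$SECURENETS" "$client"; then
        echo "$client: accepted"
    else
        echo "$client: ignored (warning logged on the server)"
    fi
done
```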
Connecting to the NIS Server
The ypbind RPM package must be installed on each NIS client so that the ypbind service can be run to connect to the NIS server. The client connects to the NIS server based on the hostname of the NIS server and optionally the domain name if more than one domain is on the network.
To configure the NIS server for the client, edit the /etc/yp.conf file as root to include the following line, replacing <nis-server> with the IP address or hostname of the server:
ypserver <nis-server>
or to specify the domain as well:
domain <domain> server <nis-server>
Next, start the service with the service ypbind start command as root. Also execute chkconfig ypbind on as root to make sure it is started at boot time.
To verify that you are connected to the NIS server, execute the ypwhich command. It displays the name of the NIS server to which you are connected. The ypcat <mapname> command as previously mentioned can be used on the client to display various maps and configuration files from the server. To view a list of available maps, execute the ypwhich -m command on the client.
To change user data from an NIS client, use the following command:
yppasswd <option> <username>
The command doesn't have to be executed as root on the client, but the root password of the NIS server must be entered before data can be changed. If <username> is not given, the username of the user executing the yppasswd command is used.
Replace <option> with one of the following:
-p: Change user's password, implied if no option is given.
-l: Change user's login shell.
-f: Change user's full name and related information displayed by the finger utility. The current value for each field is shown. To accept it, press Enter. To change it, type a new value and then press Enter. To clear the field, type none and then press Enter.
Using NIS with autofs
NIS can also be configured to serve configuration files for other services such as autofs, allowing NIS clients to receive the master configuration file auto.master and any additional automount files such as auto.home from the NIS server. If mount points, server names, or directory locations change, one update to the NIS server changes the data for the entire network, and the clients can retrieve the updated data by executing the service autofs reload command, or they will receive it automatically the next time the system is rebooted. Not having to change this data on each client system saves valuable time and effort.
First, configure autofs on the NIS server as described in Chapter 13, "Network File Sharing," and verify that the autofs service works on the client. Then, configure the NIS server to create the autofs NIS map files by modifying the /var/yp/Makefile file:
Near the top of the file is a list of variables for the autofs configuration files referenced in the Makefile. By default, the following autofs files are declared:
AUTO_MASTER = $(YPSRCDIR)/auto.master
AUTO_HOME = $(YPSRCDIR)/auto.home
AUTO_LOCAL = $(YPSRCDIR)/auto.local
If you are using additional auto.* files, add them to the list of file variables using the same format. For example, add the following for auto.shares:
AUTO_SHARES = $(YPSRCDIR)/auto.shares
Modify the all target to include all the auto.* files being used on the server. By default, the all target looks like the following:
all: passwd group hosts rpc services netid protocols mail \
	# netgrp shadow publickey networks ethers bootparams printcap \
	# amd.home auto.master auto.home auto.local passwd.adjunct \
	# timezone locale netmasks
Because the lines that begin with # are comments, the auto.* files listed by default are not built into NIS maps. They are just shown as examples of files that can be shared by NIS. Add auto.master and any other auto.* files being used by autofs at the end of the first line before the \ character.
If you added any auto.* file variables in the first step and then added those files to the all target, you also need to add a target for each additional file. These individual targets are near the end of the file such as the following:
auto.home: $(AUTO_HOME) $(YPDIR)/Makefile
	@echo "updating $@..."
	-@sed -e "/^#/d" -e s/#.*$$// $(AUTO_HOME) | $(DBLOAD) \
	    -i $(AUTO_HOME) -o $(YPMAPDIR)/$@ - $@
	-@$(NOPUSH) $(YPPUSH) -d $(DOMAIN) $@
Create a new stanza for each additional autofs file by copying this one and replacing auto.home with the name of the autofs file and AUTO_HOME with the name of the variable you created in the first step. Be sure to use tabs instead of spaces to indent the lines or you will receive a syntax error when reloading the autofs files.
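The three Makefile edits above, applied by a script as an added example (not the book's own procedure or Red Hat's Makefile): add_autofs_map declares the AUTO_* variable after AUTO_LOCAL, appends the map to the first line of the all target, and appends a tab-indented stanza copied from the auto.home one. The Makefile fragment it edits below is constructed, and the map name shares is assumed.

```shell
#!/bin/sh
# Added example, not from the book: add one more auto.* map to /var/yp/Makefile
# the way the text describes (variable after AUTO_LOCAL, name appended to the
# first line of the all target, tab-indented stanza copied from auto.home).
# Usage: add_autofs_map <Makefile> <name>   e.g. add_autofs_map /var/yp/Makefile shares
add_autofs_map() {
    mk=$1; name=$2
    var="AUTO_$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')"
    if grep -q "^auto\\.$name:" "$mk"; then
        echo "auto.$name already has a target in $mk" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v name="$name" -v var="$var" '
        # Step 2: append the map to the first line of the all: target, before the backslash.
        /^all:/ && !done { sub(/[ \t]*\\[ \t]*$/, ""); $0 = $0 " auto." name " \\"; done = 1 }
        { print }
        # Step 1: declare the source file variable right after AUTO_LOCAL.
        /^AUTO_LOCAL[ \t]*=/ { print var " = $(YPSRCDIR)/auto." name }
    ' "$mk" > "$tmp"
    # Step 3: the per-map stanza; make requires the recipe lines to start with a tab.
    printf '\nauto.%s: $(%s) $(YPDIR)/Makefile\n' "$name" "$var" >> "$tmp"
    printf '\t@echo "updating $@..."\n' >> "$tmp"
    printf '\t-@sed -e "/^#/d" -e s/#.*$$// $(%s) | $(DBLOAD) \\\n' "$var" >> "$tmp"
    printf '\t    -i $(%s) -o $(YPMAPDIR)/$@ - $@\n' "$var" >> "$tmp"
    printf '\t-@$(NOPUSH) $(YPPUSH) -d $(DOMAIN) $@\n' >> "$tmp"
    cat "$tmp" > "$mk" && rm -f "$tmp"
}

# Constructed fragment of a /var/yp/Makefile (only the parts this edit touches),
# with auto.master and auto.home already added to the all target.
MK=$(mktemp)
{
    printf 'AUTO_MASTER = $(YPSRCDIR)/auto.master\n'
    printf 'AUTO_HOME   = $(YPSRCDIR)/auto.home\n'
    printf 'AUTO_LOCAL  = $(YPSRCDIR)/auto.local\n\n'
    printf 'all:  passwd group hosts rpc services netid protocols mail auto.master auto.home \\\n'
    printf '\t# netgrp shadow publickey networks ethers bootparams printcap \\\n'
    printf '\t# amd.home auto.master auto.home auto.local passwd.adjunct \\\n'
    printf '\t# timezone locale netmasks\n'
} > "$MK"

add_autofs_map "$MK" shares && cat "$MK"
```

After editing the real Makefile, the reload of autofs and the make in /var/yp/ described next still have to be run by hand.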
Reload the autofs files with the service autofs reload command as root. Or, if it is not already started, execute service autofs start as root on the NIS server.
To ensure autofs is started at boot time, execute chkconfig autofs on as root.
In the /var/yp/ directory on the NIS server, type the make command as root to create NIS map files from the autofs files. Listing 12.2 shows the output of the make command after adding auto.master and auto.home to the all target.
LISTING 12.2 Creating the autofs NIS Map
gmake[1]: Entering directory `/var/yp/example'
updating passwd.byname...
updating passwd.byuid...
updating group.byname...
updating group.bygid...
updating hosts.byname...
updating hosts.byaddr...
updating rpc.byname...
updating rpc.bynumber...
updating services.byname...
updating services.byservicename...
updating netid.byname...
updating protocols.bynumber...
updating protocols.byname...
updating mail.aliases...
updating auto.master...
updating auto.home...
gmake[1]: Leaving directory `/var/yp/example'
Each time the auto.* files are modified on the server, the service autofs reload command must be run to reload the files and the make command must be run in the /var/yp/ directory to update the NIS map files. If an auto.* file is removed from the autofs configuration, the NIS map file for the deleted file in /var/yp/<domain>/ must be deleted before running make in the /var/yp/ directory to update the NIS maps. If slave NIS servers exist, use ypxfr as described in the earlier "Configuring NIS Slave Servers" section to update the NIS maps on the slave servers as well.
From the NIS client, the ypcat command can be used to view the contents of these files such as the following:
ypcat auto.master
Now that the NIS client has the autofs configuration files, stop the autofs service if it is already running with local files:
service autofs stop
Remove the local autofs configuration files so the autofs service knows to get them via NIS. It is a good idea to back them up in case you need to reference them later:
rm /etc/auto.*
Start the autofs service on the client with the service autofs start command as root. To ensure autofs is started at boot time, execute chkconfig autofs on as root as well.
Enabling LDAP
LDAP, or Lightweight Directory Access Protocol, is a server-client service that provides a directory of information such as user data and user authentication. If the LDAP server being contacted does not have the requested information, it can forward the request to a different LDAP server on the same network or on the Internet. Even though requests can be forwarded to other LDAP servers, the most common application of LDAP is an internal directory for large organizations such as a business office (from one office to multiple offices around the world) or a university. Instead of having to find a traditional phone directory or phone book, information about other employees or students can be quickly referenced online using LDAP. Instead of updating the file for the directory and reprinting it for everyone, the central directory is updated, and all users have access to the newly updated information instantly.
Allowing LDAP Connections
By default, OpenLDAP uses TCP and UDP port 389 for unencrypted connections and TCP and UDP port 636 for secure, encrypted connections.
If custom IPTables rules are being used, refer to Chapter 24 for details on how to allow these ports.
If the default security level is enabled instead of custom IPTables rules, use the Security Level Configuration tool to allow LDAP connections. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. Click Add next to the Other ports table to add a port.
Configuring the LDAP Server
On Red Hat Enterprise Linux, OpenLDAP is used to implement an LDAP server. OpenLDAP is an open source implementation of LDAP. The openldap and openldap-servers RPM packages must be installed on the system to configure it as an LDAP server.
Setting Up the LDAP Configuration Files
The LDAP daemon, slapd, uses /etc/openldap/slapd.conf as its main configuration file. There are many configuration options available for slapd.conf. Refer to the slapd.conf man page for a complete list. At a minimum, the following need to be set:
At least one suffix must be defined with the domain for which the LDAP directory is providing entries. Replace the sample suffix line with the information for your domain, such as the following for example.com:
suffix "dc=example,dc=com"
Define a user who has complete control over the directory. This user is not subject to access control or other restrictions. Replace the sample rootdn line with the superuser for LDAP and the domain name for the directory such as the following:
rootdn "cn=root,dc=example,dc=com"
If you plan to perform maintenance on the directory remotely, an encrypted password can be set so the user defined with the rootdn option has to provide a password before modifying the database. If you don't need remote maintenance, this option is not necessary. To generate the encrypted version of the password, execute the slappasswd command. Be sure to copy and paste the entire output as the value of the rootpw option, including the encryption method such as the following:
rootpw {SSHA}vhSdn003nNZpvxF630nuaAuJNF16yvvT
Even though the password is encrypted in the configuration file, it is still sent unencrypted from the client to the server unless encryption is enabled. Refer to the "Enabling TLS Encryption for LDAP" section for details.
Also create a DB_CONFIG file in the /var/lib/ldap/ directory (or the directory defined with the directory option in slapd.conf). This file contains tuning options for the directory. The example file, /etc/openldap/DB_CONFIG.example, is included with the openldap-servers package. Use it as a starting point and modify the settings for your LDAP directory environment. If this file doesn't exist, an error message such as the following is shown each time slapcat, slapadd, and other administrative utilities are run:
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=com.
Adding LDAP Entries
Each item in the directory is called an entry, and each entry is composed of attributes such as a name and location. Attributes can be required or optional. An LDAP entry is identified by its Distinguished Name (DN), which must be unique for each entry.
Entries added to the directory must follow a schema, which defines available attribute types. Some schema files are included with OpenLDAP in the /etc/openldap/schema/ directory. To use the attribute types in one of the schemas, the slapd.conf file must reference them such as the following:
include /etc/openldap/schema/core.schema
The core, cosine, inetorgperson, and nis schemas are referenced in the default slapd.conf file so that the entry types, called object classes, in these files can be used. Add include lines to reference additional schema files if necessary for your directory configuration. Additional packages can add includes to slapd.conf as well. For example, the bind-sdb package adds an include for the dnszone.schema file.
TIP
The software packages for some services such as Samba include LDAP schema files so that OpenLDAP can be set up to share their configuration data. Execute rpm -ql <packagename> on the name of the RPM package for the services you use to determine if they provide a schema file.
The included schemas can be extended or new schemas can be created, depending on what type of data you are storing in your LDAP directory. To extend or create a new schema, create a new schema file in the /etc/openldap/schema/ directory with the same file permissions as the existing schema files. Refer to http://www.openldap.org/doc/admin23/schema.html for details on writing a custom schema file. The existing files provided with OpenLDAP should not be modified. Be sure to reference the new file in the /etc/openldap/slapd.conf file with an include line as previously mentioned.
To read the schema files, consider this basic example. Listing 12.3 includes excerpts from core.schema and inetorgperson.schema. In core.schema, the object class (this is the entry type) of person is defined as a subclass of the top object class as shown by the line starting with the keyword SUP. Then, in inetorgperson.schema, the object class inetOrgPerson is defined as a subclass of person, inheriting the attributes list from its parent object class person.
LISTING 12.3 Object Class Definitions
objectclass ( 2.5.6.6 NAME 'person'
	DESC 'RFC2256: a person'
	SUP top STRUCTURAL
	MUST ( sn $ cn )
	MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass ( 2.5.6.7 NAME 'inetOrgPerson'
	DESC 'RFC2256: an organizational person'
	SUP person STRUCTURAL
	MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
		telephoneNumber $ internationaliSDNNumber $
		facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
		postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
Attributes for an object class can be required or optional. The attributes listed within the parentheses after the MUST keyword are required. The attributes listed within the parentheses after the MAY keyword are optional. In Listing 12.3, the sn (surname) and cn (common name) attributes are required for both the person and inetOrgPerson object classes. To find a brief description for each attribute listed, look for its attributetype definition such as the one for sn in Listing 12.4, which is found in core.schema.
LISTING 12.4 Attribute Type Definition for the sn Attribute
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
	DESC 'RFC2256: last (family) name(s) for which the entity is known by'
	SUP name )
Entries are added to a directory using a file formatted in the LDIF (LDAP Data Interchange Format) style, which is demonstrated in Listing 12.5. Lines beginning with a # character are comments.
LISTING 12.5 LDIF Style
dn: <dn>
<attribute>: <value>
<attribute>: <value>
<attribute>: <value>
Each entry in the LDIF file starts with a DN, which is a unique value for the entry used to identify it such as a person's name. Each entry in the file is separated by one or more blank lines. The value of an attribute can be specified as UTF-8 text, base64 encoded data, a URL of the location of the value, or the file location of the value with file:/// at the beginning of the full path to the file.
For example, Listing 12.6 shows an example LDIF file to create an employee directory. It uses the organizationalUnit object class to define the purpose of the directory, an employee directory. It uses the organizationalRole object class to define the departments within the company and the inetOrgPerson object class to add entries for each employee within each department.
CAUTION
Whitespace is not trimmed when saving values. Any unnecessary whitespace at the beginning or end of the attribute value will be included in the value.
LISTING 12.6 LDIF File for Creating an Employee Directory
# organization: example, com
dn: dc=example, dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: TCBF, Inc.

# organizationalUnit: employeedir
dn: ou=employeedir, dc=example, dc=com
objectClass: top
objectClass: organizationalUnit
ou: employeedir

# organizationalUnit: finance
dn: ou=finance, ou=employeedir, dc=example, dc=com
objectClass: top
objectClass: organizationalUnit
ou: finance

# organizationalUnit: engineering
dn: ou=engineering, ou=employeedir, dc=example, dc=com
objectClass: top
objectClass: organizationalUnit
ou: engineering

# start adding employees here
dn: cn=Jane Doe, ou=engineering, ou=employeedir, dc=example, dc=com
objectClass: top
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
telephoneNumber: 919-555-1234
mail: jane.doe@example.com
title: Level II systems engineer
physicalDeliveryOfficeName: Raleigh 3rd floor

dn: cn=Evan Wolf, ou=engineering, ou=employeedir, dc=example, dc=com
objectClass: top
objectClass: inetOrgPerson
cn: Evan Wolf
sn: Wolf
telephoneNumber: 919-555-4567
mail: evan.wolf@example.com
title: Level II systems engineer
physicalDeliveryOfficeName: Raleigh 3rd floor

dn: cn=Ed Money, ou=finance, ou=employeedir, dc=example, dc=com
objectClass: top
objectClass: inetOrgPerson
cn: Ed Money
sn: Money
telephoneNumber: 919-555-9876
mail: ed.money@example.com
title: Accounts Payable
physicalDeliveryOfficeName: Raleigh 2nd floor

dn: cn=Seymour Air, ou=finance, ou=employeedir, dc=example, dc=com
objectClass: top
objectClass: inetOrgPerson
cn: Seymour Air
sn: Air
telephoneNumber: 919-555-1470
mail: seymour.air@example.com
title: Accounts Receivable
physicalDeliveryOfficeName: Raleigh 2nd floor
Before adding entries, stop the LDAP service with the service ldap stop command run as root. Then, use the slapadd utility to add the entries from the file you created in LDIF format:
slapadd -v -l example.ldif
If the syntax of the file is correct, the following type of message is shown for each entry successfully added:
added: "cn=Seymour Air,ou=finance,ou=employeedir,dc=example,dc=com" (0000000a)
If you see any error message instead, go back and fix the error. But, remember that the entries are added as they are successfully read from the file. So, be sure to comment out or delete any entries from the LDIF file that have already been added. If the LDIF file contains entries that already exist in the directory, all entries after the already added entry are not added to the directory, and the following error is shown:
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair
already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already
exists (-30996)
slapadd: could not add entry dn="dc=example,dc=com" (line=6): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
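Because slapadd stops at the first duplicate and keeps any surrounding whitespace verbatim (see the caution above), it pays to lint the LDIF file first. The following POSIX sh function is an added example (not from the book or OpenLDAP) that reports duplicate DNs and values with leading or trailing whitespace; the LDIF it checks below is constructed.

```shell
#!/bin/sh
# Added example, not from the book: lint an LDIF file before running slapadd.
# It reports a DN that appears more than once (slapadd stops at the
# DB_KEYEXIST error, so every entry after it is left out) and attribute
# values with leading or trailing whitespace (slapadd stores them verbatim).
# Usage: ldif_lint <file>   -> exit 0 if clean, 1 if problems were printed.
ldif_lint() {
    awk '
    function check(line, nr,    attr, val, key) {
        if (line == "" || line ~ /^#/) return
        if (index(line, ":") == 0) { printf "line %d: no attribute separator\n", nr; bad = 1; return }
        attr = substr(line, 1, index(line, ":") - 1)
        if (line ~ /^[^:]+:[:<]/) return            # base64 (::) or URL (:<) value, not checked
        val = substr(line, index(line, ":") + 1)
        if (substr(val, 1, 1) == " ") val = substr(val, 2)   # the single separator space
        if (val ~ /^[ \t]/ || val ~ /[ \t]$/) {
            printf "line %d: value of %s has leading or trailing whitespace\n", nr, attr; bad = 1
        }
        if (tolower(attr) == "dn") {
            key = tolower(val); gsub(/[ \t]*,[ \t]*/, ",", key)   # "a, b" and "a,b" name the same entry
            if (key in seen) { printf "line %d: duplicate dn %s (first at line %d)\n", nr, val, seen[key]; bad = 1 }
            else seen[key] = nr
        }
    }
    BEGIN { bad = 0 }
    /^ / { buf = buf substr($0, 2); next }       # unfold continuation lines
    { if (buf != "") check(buf, bufnr); buf = $0; bufnr = NR }
    END { if (buf != "") check(buf, bufnr); exit bad }
    ' "$1"
}

# Constructed sample LDIF (not the book's example.ldif): the organization entry
# appears twice and one title value carries a trailing space.
LDIF=$(mktemp)
printf '%s\n' \
  '# organization: example, com' \
  'dn: dc=example, dc=com' \
  'objectClass: top' \
  'objectClass: dcObject' \
  'objectClass: organization' \
  'dc: example' \
  'o: Example, Inc.' \
  '' \
  'dn: ou=employeedir, dc=example, dc=com' \
  'objectClass: top' \
  'objectClass: organizationalUnit' \
  'ou: employeedir' \
  '' \
  'dn: ou=finance, ou=employeedir, dc=example, dc=com' \
  'objectClass: top' \
  'objectClass: organizationalUnit' \
  'ou: finance' \
  '' \
  '# the same entry again, written without spaces after the commas' \
  'dn: dc=example,dc=com' \
  'objectClass: top' \
  'objectClass: dcObject' \
  'objectClass: organization' \
  'dc: example' \
  '' \
  'dn: cn=Ed Money, ou=finance, ou=employeedir, dc=example, dc=com' \
  'objectClass: top' \
  'objectClass: inetOrgPerson' \
  'cn: Ed Money' \
  'sn: Money' \
  'title: Accounts Payable ' > "$LDIF"

if ldif_lint "$LDIF"; then
    echo "LDIF looks clean"
else
    echo "fix the file before running slapadd"
fi
```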
As you are adding entries, use the slapcat command to view all the entries in the directory. Because the output is in LDIF format, this utility can also be used to create a backup file of the entries in the directory.
The database files for the entries added are created in the /var/lib/ldap/ directory with read permissions only for the file owner. The OpenLDAP daemon runs as the ldap user for security reasons, and the entry files must be readable by the ldap user. Because entries are added as the root user, use the following command to change the owner of the database files to ldap:
chown ldap.ldap /var/lib/ldap/*
After adding all the entries to create the directory, start the daemon again with the service ldap start command run as root. If you fail to change the owner of the database files, a message similar to the following appears when slapd is started again:
/var/lib/ldap/__db.005 is not owned by "ldap" WARNING
After the daemon is back up and running, the ldapsearch utility can be used to query the database by specific parameters. Refer to the ldapsearch man page for a list of all command-line options. The openldap-clients package must be installed to use this command. An example query:
ldapsearch -b 'dc=example,dc=com' '(objectclass=*)'
If encryption has not been enabled, the -x option must also be specified to use simple authentication instead:
ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
Modifying and Deleting LDAP Entries
To modify or delete an entry, use the changetype attribute after the DN in the LDIF file. It should be set to one of add, modify, delete, or modrdn. The add type is only used when adding a new entry. Note that it can't be used to add new attributes to entries. Use the modify type for adding new attributes and their values, changing the value of an attribute, and deleting existing attributes for a specific entry. The delete type is used to delete an entire entry. The modrdn type is used to change the DN of an entry. Listing 12.7 shows some examples. Notice that a blank line separates the entries for each change.
LISTING 12.7 Modifying an Entry
#change the title of an employee after a promotion
dn: cn=Evan Wolf,ou=engineering,ou=employeedir,dc=example,dc=com
changetype: modify
replace: title
title: Level III systems engineer

#change the dn of an employee after he has changed departments
d: cn=Seymour Air, ou=finance, ou=employeedir, dc=example, dc=com
changetype: modrdn
newrdn: cn=Seymour Air
deleteoldrdn: 0
newsuperior: ou=engineering, ou=employeedir, dc=example, dc=com

#now change the title and location of the same employee
#(each replace operation within one modify is separated by a "-" line)
dn: cn=Seymour Air, ou=engineering, ou=employeedir, dc=example, dc=com
changetype: modify
replace: title
title: Level I systems engineer
-
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Raleigh 3rd floor

#delete an employee after he no longer works for the company
dn: cn=Ed Money, ou=finance, ou=employeedir, dc=example, dc=com
changetype: delete

#add a new employee
dn: cn=Nick Burns, ou=engineering, ou=employeedir, dc=example, dc=com
changetype: add
objectClass: top
objectClass: inetOrgPerson
cn: Nick Burns
sn: Burns
telephoneNumber: 919-555-9010
mail: nick.burns@example.com
title: Engineering Administrator
physicalDeliveryOfficeName: Raleigh 3rd floor

#add the manager attribute to an employee
dn: cn=Seymour Air, ou=engineering, ou=employeedir, dc=example, dc=com
changetype: modify
add: manager
manager: cn=Evan Wolf,ou=engineering,ou=employeedir,dc=example,dc=com
To make the changes in Listing 12.7, execute the following:
ldapmodify -D 'cn=root,dc=example,dc=com' -W -f modify.ldif
Unlike slapadd, ldapmodify must be run while the daemon is running. It connects to the
daemon for modification of the database. If encryption is not being used, also specify the
-x option to use simple authentication. The value following -D must be the value of
rootdn from slapd.conf. The -W option specifies that the user should be prompted for the
password from the rootpw option in slapd.conf, which is more secure than listing it on
the command line with the -w option. If the password is listed on the command line, it is
stored in the user's command history, which can be read by unauthorized users more easily
than slapd.conf. Also remember that, even if you are prompted for the password, the
password is sent unencrypted over the network unless encryption is enabled as described
in the "Enabling TLS Encryption for LDAP" section.
As with slapadd, the slapcat or ldapsearch utilities can be used to verify whether the entries
have been modified or deleted. The slapcat command works regardless of whether the
service is started. The ldapsearch command only works if slapd is running.
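As an added example (not from the book or from OpenLDAP), the following Python script parses LDIF change records and checks them against the rules given above, so a modify.ldif can be validated before it is handed to ldapmodify. The sample LDIF inside it is a constructed copy of part of Listing 12.7.

```python
"""Parse and validate LDIF change records of the kind fed to ldapmodify.
Added example, not code from the book or from OpenLDAP. It checks the rules
this section states: a record starts with its dn, a changetype of add, modify,
delete or modrdn follows, a blank line ends the record, a modify record holds
add/replace/delete operations separated by a "-" line, and a modrdn record
needs newrdn and deleteoldrdn. SAMPLE_LDIF is a constructed subset of Listing 12.7.
"""

VALID_CHANGETYPES = {"add", "modify", "delete", "modrdn"}
MODIFY_OPS = {"add", "replace", "delete"}

SAMPLE_LDIF = """\
# change the title of an employee after a promotion
dn: cn=Evan Wolf,ou=engineering,ou=employeedir,dc=example,dc=com
changetype: modify
replace: title
title: Level III systems engineer

# move an employee to another department (same RDN, new parent)
dn: cn=Seymour Air,ou=finance,ou=employeedir,dc=example,dc=com
changetype: modrdn
newrdn: cn=Seymour Air
deleteoldrdn: 0
newsuperior: ou=engineering,ou=employeedir,dc=example,dc=com

# two operations in one modify record, separated by "-"
dn: cn=Seymour Air,ou=engineering,ou=employeedir,dc=example,dc=com
changetype: modify
replace: title
title: Level I systems engineer
-
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: Raleigh 3rd floor
"""


def split_records(text):
    """Split LDIF into records of (name, value) pairs. '#' lines are comments,
    a blank line ends a record, and a "-" line is kept as an operation separator."""
    records = [[]]
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            records.append([])
        elif line == "-":
            records[-1].append(("-", ""))
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            records[-1].append((name.strip(), value.strip()))
    return [r for r in records if r]


def _split_operations(pairs):
    """Group a modify body into operations; a "-" line starts the next one."""
    groups = [[]]
    for name, value in pairs:
        if name == "-":
            groups.append([])
        else:
            groups[-1].append((name, value))
    return [g for g in groups if g]


def parse_change(pairs):
    """Describe one record (dn, changetype, modify ops or attrs) and list the
    rule violations found; an empty "errors" list means the record is valid."""
    change = {"dn": None, "changetype": None, "ops": [], "attrs": {}, "errors": []}
    errors = change["errors"]
    if len(pairs) < 2 or pairs[0][0].lower() != "dn" or pairs[1][0].lower() != "changetype":
        errors.append("record must start with a dn line followed by changetype")
        return change
    change["dn"], ctype, body = pairs[0][1], pairs[1][1].lower(), pairs[2:]
    change["changetype"] = ctype
    if ctype not in VALID_CHANGETYPES:
        errors.append("unknown changetype %r" % ctype)
    elif ctype == "modify":
        for group in _split_operations(body):
            op, attr = group[0][0].lower(), group[0][1]
            if op not in MODIFY_OPS:
                errors.append("modify record needs add/replace/delete, got %r" % op)
                continue
            change["ops"].append((op, attr, [v for n, v in group[1:] if n.lower() == attr.lower()]))
        if not change["ops"] and not errors:
            errors.append("modify record has no operations")
    elif ctype == "modrdn":
        change["attrs"] = {n.lower(): v for n, v in body}
        errors.extend("modrdn record is missing %s" % k
                      for k in ("newrdn", "deleteoldrdn") if k not in change["attrs"])
        if change["attrs"].get("deleteoldrdn", "0") not in ("0", "1"):
            errors.append("deleteoldrdn must be 0 or 1")
    elif ctype == "delete" and body:
        errors.append("delete record must not carry attributes")
    else:  # add (the new entry's attributes) or an empty delete record
        for name, value in body:
            change["attrs"].setdefault(name, []).append(value)
    return change


def parse_ldif_changes(text):
    """Parse every change record in an LDIF string."""
    return [parse_change(record) for record in split_records(text)]
```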
Customizing LDAP Indexing
The directory can be indexed based on particular attributes so that searches with
ldapsearch are faster. Keep in mind that too much indexing can slow down performance.
Indexing should only be enabled for frequent searches.
Indexing is defined in slapd.conf in the following format:
index <attributes> <indices>
Replace <attributes> with an attribute name or a list of attributes separated by commas.
Replace <indices> with one of the following or a comma-separated list of two or more:
pres: Use if searches have the form objectclass=person or attribute=mail
approx: Must be used for searches with the form sn~=person
eq: Use for equality searches without wildcards
sub: Use for searches with wildcard substitutions
nolang: Can be used for searches with lang subtype
nosubtypes: Can be used for searches with subtypes
Optionally, the keyword default can be placed between the attributes and indices lists to
define a set of default indices to use if an attribute is given on subsequent lines without
indices:
index <attributes> default <indices>
Listing 12.8 shows examples, which are also the defaults in the slapd.conf file.
LISTING 12.8 Default Indexing Settings
# indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberuid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Each time indexing options are modified, the indexes have to be regenerated as the root
user on the server with the slapindex utility, and the daemon has to be stopped with the
service ldap stop command before running slapindex.
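As an added example (not the book's or OpenLDAP's code), this Python function reads the index lines of a slapd.conf and reports the effective index set per attribute, applying the default keyword as described above. It also accepts the spelling index default <indices> and treats it the same way; that is an assumption, not something this section states.

```python
"""Compute the effective index set per attribute from slapd.conf "index"
lines. Added example, not code from the book or from OpenLDAP. It applies
the rules the section describes: several attributes may share one line,
the index types are eq, pres, sub, approx, nolang and nosubtypes, and a
"default" index set covers later lines that name attributes without
indices. The sample below is Listing 12.8 plus two constructed lines.
"""

INDEX_TYPES = {"pres", "approx", "eq", "sub", "nolang", "nosubtypes"}

SAMPLE_SLAPD_CONF = """\
# indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberuid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# constructed: define a default index set, then reuse it on a line with no indices
index description default eq
index title,employeeType
"""


def parse_index_directives(text):
    """Return ({attribute: set(indices)}, [problems]) for the index lines.

    Lines are evaluated in order. 'index <attrs> default <indices>' (the form
    this section describes) and 'index default <indices>' (assumption: treated
    the same way) both set the default set; a later 'index <attrs>' line with
    no index list inherits it.
    """
    indices, problems, default = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "index":
            continue  # some other slapd.conf directive
        args = tokens[1:]
        if len(args) >= 2 and args[0] == "default":      # index default <indices>
            default = set(args[1].split(","))
            attrs, idx = [], default
        elif len(args) >= 3 and args[1] == "default":    # index <attrs> default <indices>
            default = set(args[2].split(","))
            attrs, idx = args[0].split(","), default
        elif len(args) == 2:                             # index <attrs> <indices>
            attrs, idx = args[0].split(","), set(args[1].split(","))
        elif len(args) == 1:                             # index <attrs>  (uses default)
            attrs, idx = args[0].split(","), default
        else:
            problems.append("line %d: cannot parse %r" % (lineno, raw))
            continue
        if idx is None:
            problems.append("line %d: no indices and no default defined yet" % lineno)
            continue
        unknown = idx - INDEX_TYPES
        if unknown:
            problems.append("line %d: unknown index type(s) %s"
                            % (lineno, ",".join(sorted(unknown))))
            continue
        for attr in attrs:
            indices[attr] = set(idx)  # copy, so a later default change cannot alias it
    return indices, problems


def heavily_indexed(indices):
    """Attributes carrying a sub index: the costly kind the text warns about
    (substring indexes are the ones to keep to frequently searched attributes)."""
    return sorted(attr for attr, idx in indices.items() if "sub" in idx)
```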
Enabling TLS Encryption for LDAP
By default, all data sent between the OpenLDAP server and its clients is sent unencrypted
in plain text that can be read by anyone who intercepts the packets on the network. If the
server is internal only, this might not be a concern for you. A TLS, or Transport Layer
Security, certificate can be used to enable authentication using SASL (Simple
Authentication and Security Layer) EXTERNAL.
First, create an SSL certificate for the server. It can be one from a certificate authority (CA)
such as VeriSign or it can be a self-signed certificate created with a program such as
OpenSSL. Refer to openssl.org for details on the latter.
The cn attribute of the server must be the FQDN of the server, and the DN of the server
certificate must be exactly the same as the cn attribute of the OpenLDAP server. Alias
names and wildcards can be specified using the subjectAltName certificate extension. The
clients can also have a certificate to authenticate with SASL EXTERNAL.
TIP
A dummy certificate, /etc/pki/tls/certs/slapd.pem, is included with the
openldap-servers package and can be used for testing purposes.
To enable TLS encryption so data, including the password used to administer the
directory from a remote system, is encrypted between the server and the client, uncomment
the following lines in /etc/openldap/slapd.conf:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
If unchanged, after restarting the service with service ldap restart, the dummy
certificate installed for testing is used. Otherwise, copy your certificates to the
/etc/pki/tls/certs/ directory and change the values of the options to the appropriate filenames.
The client must be configured to trust the server certificate. Refer to "Connecting to the
LDAP Server" for details.
Starting and Stopping the LDAP Server
As previously mentioned, to start the LDAP server daemon, slapd, execute service ldap
start as root.
The following commands can also be run from the initialization script in the format
service ldap <command>:
configtest: Test for common configuration errors.
start: Start slapd.
stop: Stop slapd.
status: Show whether the service is running.
restart: Stop and then start slapd.
condrestart: If slapd is already running, restart it. Otherwise, do nothing.
Be sure to execute chkconfig ldap on as root to make sure the daemon is started
automatically at boot time.
Connecting to the LDAP Server
Clients wishing to connect to an OpenLDAP server must have the openldap-clients and
nss_ldap packages installed. These clients can run the available remote OpenLDAP
utilities such as ldapadd and ldapsearch. They can also connect to the directory from a
user-end application such as the Evolution email application.
To configure a Red Hat Enterprise Linux system as an LDAP client, configure the
following options in /etc/openldap/ldap.conf and /etc/ldap.conf (replace <server-ip> with
the IP address of the LDAP server):
URI ldap://<server-ip>/
BASE dc=example,dc=com
If TLS encryption is to be used, also add the following line to /etc/openldap/ldap.conf
and copy the certificate files into the defined directory:
TLS_CACERTDIR /etc/openldap/cacerts
TIP
Additional options for ldap.conf can be found in the ldap.conf man page.
To use LDAP for login user authentication, edit /etc/nsswitch.conf as root and add ldap
to the passwd, shadow, and group lines:
passwd: files ldap
shadow: files ldap
group: files ldap
Many applications, such as Evolution, can connect to an LDAP server to query the
database. Some applications can retrieve and modify entries in the directory. Others, like
Evolution, can just request entries. Refer to the documentation for each application for
details on configuring it to connect to your LDAP server.
Customizing LDAP Logging
Log messages for the OpenLDAP service are sent to /var/log/messages by default using
the syslog mechanism. The log level can be set in slapd.conf using the following syntax:
loglevel <level>
where <level> determines what type of messages to log and is one or more of the
following (two or more should be space separated):
1: trace function calls
4: heavy trace debugging
8: connection management
16: packets sent and received
32: search filter processing
64: configuration file processing
128: access control list processing
256: statistics for log connections, operations, and results
512: statistics for log entries sent
1024: communication with shell backends
2048: entry parsing
4096: caching (unused)
8192: data indexing (unused)
16384: LDAPSync replication
32768: log messages logged regardless of log level
The log levels or combinations of log levels can be represented by values other than
integers. See the slapd.conf man page for details.
To write log messages to a separate file, add the following line to /etc/syslog.conf:
local4.* /var/log/slapd.log
Enabling Kerberos
Unlike other authentication systems, Kerberos is designed to allow authorized users access
to systems and services based on an encrypted ticketing system. The key distribution center
(KDC) stores the Kerberos database, and the ticket-granting server (TGS) issues tickets to
clients.
Each client requests a ticket from the KDC. The client must enter a valid password after
the request, and the password is used as the key to encrypt the ticket. A ticket-granting
ticket (TGT) is granted by the KDC, encrypted with the user's password, and sent back to
the client. The client decrypts it with the password. The TGT and the corresponding ticket
session key (TSK) on the client are called credentials. The credentials automatically time out
after a configured amount of time, which is set to 10 hours by default. Each Kerberos
server is responsible for granting access for a particular realm, or network that utilizes
Kerberos.
Usually, the realm name is the same as the domain name. To distinguish between realm
names and domain names, realms are written in all uppercase letters, and domain names
are written in all lowercase letters. Be sure to use this convention when modifying
configuration files.
NOTE
If SELinux, a mandatory access control security mechanism, is set to enforcing mode,
Kerberos is protected by it. For the default targeted policy, the system is allowed to
work with Kerberos by setting the SELinux boolean allow_kerberos to 1. Refer to
Chapter 23 for details on SELinux. Execute the man kerberos_selinux command for
more information on how SELinux affects Kerberos.
Allowing Kerberos Connections
Kerberos uses TCP and UDP port 88 by default. The kpasswd user application for changing
the user's password uses TCP and UDP port 464. The kadmin program uses TCP port 749.
If klogin is used, it uses TCP port 543 or TCP port 2105 for the encrypted version. If
additional Kerberized applications are enabled, refer to /etc/services for their port
numbers.
If custom IPTables rules are being used, refer to Chapter 24 for details on how to allow
connections from a specific port.
If the default security level is enabled instead of custom IPTables rules, use the Security Level
Configuration tool to allow Kerberos connections. Start it by selecting Administration,
Security Level and Firewall from the System menu on the top panel of the desktop or by
executing the system-config-securitylevel command. Enter the root password when
prompted if running as a non-root user. Click Add next to the Other ports table to add a
port.
Configuring the Kerberos Server
Before setting up a Kerberos server or client, the clock on the server and all the clients
must be in sync. If the clocks of the server and client are too far apart (5 minutes by
default), the credentials are ignored and the client is not authenticated. It is
recommended that administrators use the Network Time Protocol (NTP) on the server and clients
to keep the clocks in sync. Refer to Chapter 19, "Explaining Other Common Network
Services," for details on configuring NTP.
Customizing the Kerberos Configuration Files
On the system you are setting up as a Kerberos server, install the krb5-server and
krb5-workstation RPM packages. The /etc/krb5.conf file is the main configuration file for the
server. This file is formatted using the following style:
[section]
tag=value
tag=value
tag=value
The following sections exist:
libdefaults: Default values for Kerberos.
login: Default values for the Kerberos login program.
appdefaults: Default values for applications that use Kerberos.
realms: Define the server location of each Kerberos realm.
domain_realm: Associates subdomains and domain names to Kerberos realm
names. Required if domain names are not used as realm names.
logging: Logging preferences. Refer to "Logging Kerberos Connections" for
details.
capaths: Paths to authentication certificates, if used.
At a bare minimum, replace all the example.com domain references and EXAMPLE.COM
realm references in the existing /etc/krb5.conf file with your domain. The file is
case-sensitive so be sure to preserve the upper- or lowercase.
Also configure the realm and other settings for the KDC in /var/kerberos/krb5kdc/
kdc.conf. The following sections can be defined:
kdcdefaults: Default values for the KDC.
realms: Define the server locations for each Kerberos realm.
At a bare minimum, replace EXAMPLE.COM with your realm name in the existing
kdc.conf, which is usually a domain name, in all uppercase letters.
Creating the Kerberos Database
To create the Kerberos database, use the kdb5_util command. Optionally, also create a
stash file, or an encrypted file containing a copy of the master keys. The stash file also
serves as an automatic authentication system for the KDC to itself when the Kerberos
daemons are started. Because the stash file contains the master key, be sure it is only
readable by the root user and is on the local file system of the KDC. Do not include the stash
file in your backup plan unless access to the file system containing the backup files is
heavily restricted to trusted administrators because it can be used to gain access to the
entire Kerberos database. To create the database and stash file, use the following command
as root (replace <realm_name> with the name of the realm such as EXAMPLE.COM):
/usr/kerberos/sbin/kdb5_util create -r <realm_name> -s
The -s option creates the stash file. If you don't want to create one, do not include the -s
option. The utility prompts you for the master key as shown in Listing 12.9.
LISTING 12.9 Creating the Kerberos Database and Stash File
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
The utility creates the following files in the /var/kerberos/krb5kdc/ directory:
principal: Kerberos database file.
principal.ok: Kerberos database file.
principal.kadm5: Kerberos administrative database file.
principal.kadm5.lock: Kerberos administrative database lock file.
.k5.<realm_name>: Stash file (if -s is used). Replace <realm_name>.
Managing Kerberos Principals
Kerberos users allowed access to the database are called principals, which are divided into
three components in the form <primary>/<instance>@<REALM>. Principals can have
multiple instances: a null instance represented by a username and realm such as
tfox@EXAMPLE.COM, an admin instance represented by a username followed by /admin and a
realm such as tfox/admin@EXAMPLE.COM, and a root instance represented by a username
followed by /root and a realm such as tfox/root@EXAMPLE.COM. Having an admin and root
instance for users allows them to authenticate as a different principal when performing
administrative tasks but use a non-privileged principal when performing user operations.
This is similar to the non-root user and root user concept: Only perform actions as a
privileged user when necessary to prevent unintended operations.
Principals must be explicitly added using the add_principal command to kadmin or
kadmin.local. The kadmin and kadmin.local utilities offer the same functionality except
that the kadmin.local utility can only be run on the master KDC and does not
authenticate through Kerberos. Because the KDC service hasn't been started yet, add at least one
administrative principal using the kadmin.local utility. Additional principals, both
administrators and non-administrators, can be added during this setup phase, or they can
be added later.
NOTE
If the kadmin command is used, the principal adding, modifying, or deleting principals
must have permission to do so using the Kerberos ACLs as described in the "Setting
Access Control Lists for Kerberos" section.
Start the kadmin shell by executing kadmin.local as the root user on the KDC server. To
add a principal, use the following command:
add_principal <options> <principal>
TIP
To view a list of valid commands while in the kadmin or kadmin.local shell, press
the Tab key twice.
Replace <principal> with the username such as tfox/admin. Table 12.1 shows the available
<options>.
TABLE 12.1 Principal Options
Restriction Flags            Description
-expire <time>               Set expiration date for the principal.
-pwexpire <time>             Set the password expiration date.
-maxlife <time>              Set maximum ticket life for the principal.
-maxrenewlife <time>         Set maximum renewable ticket life for the principal.
-kvno <kvno>                 Set the key version number.
-policy <policy>             Set policy for the principal. If no policy is set, the policy
                             named default is used if it exists. A warning message is
                             printed if a principal doesn't have a policy.
-clearpolicy                 Do not assign the principal the default policy if one is
                             not specified with -policy <policy>.
-allow_postdated             Do not allow the principal to retrieve postdated tickets.
                             +allow_postdated clears this preference.
-allow_forwardable           Do not allow the principal to retrieve forwardable tickets.
                             +allow_forwardable clears this preference.
-allow_renewable             Do not allow the principal to retrieve renewable tickets.
                             +allow_renewable clears this preference.
-allow_proxiable             Do not allow the principal to retrieve proxiable tickets.
                             +allow_proxiable clears this preference.
-allow_dup_skey              Do not allow user-to-user authentication for the principal
                             by not allowing the principal to retrieve a session key from
                             another user. +allow_dup_skey clears this preference.
+requires_preauth            Principal must preauthenticate before calling kinit.
                             -requires_preauth clears this preference.
+requires_hwauth             Principal must preauthenticate using a hardware device
                             before calling kinit. -requires_hwauth clears this
                             preference.
-allow_svr                   Do not allow the principal to issue service tickets.
                             +allow_svr clears this preference.
-allow_tgs_req               Do not allow the principal to request a service ticket from
                             a TGS. +allow_tgs_req clears this preference.
-allow_tix                   Do not allow the principal to issue any tickets.
                             +allow_tix clears this preference.
+needchange                  Force a password change for the principal. -needchange clears
                             the preference.
+password_changing_service   Marks the principal as a password change service
                             principal. -password_changing_service clears the preference.
-randkey                     Set the key of the principal to a random value.
-pw <password>               Set the key of the principal to <password> and do not
                             prompt for a password.
-e <list>                    Use the <list> as <enctype>:<salttype> pairs to set
                             the key of the principal.
To modify a principal, use the following command inside the kadmin or kadmin.local
shell (the same options from Table 12.1 can be used):
modify_principal <options> <principal>
To delete a principal, use the following command inside the kadmin or kadmin.local shell:
delete_principal <principal>
You must confirm the deletion unless the -force option is specified before the name of
the principal.
Setting Access Control Lists for Kerberos
The Kerberos ACL file kadm5.acl is located in the /var/kerberos/krb5kdc/ directory. At
least one Kerberos administrator must be added to this access control file, and all
principals listed must exist in the database. The order of the access control lines matters. The
first match takes precedence. Each line in the file uses the following format:
<principal> <permissions> <target_principal> <restrictions>
In the ACL file, the * wildcard can be used when specifying the principal such as
*/admin@EXAMPLE.COM for all admin instances of valid users.
Table 12.2 shows the available permissions. Uppercase letters are used for negative
permissions. To specify more than one permission, do not separate them by any spaces or
punctuation, such as ad.
TABLE 12.2 Kerberos ACL Permissions
Permission   Description
a            Allow the user to add principals or policies.
A            Do not allow the user to add principals or policies.
d            Allow the user to delete principals or policies.
D            Do not allow the user to delete principals or policies.
m            Allow the user to modify principals or policies.
M            Do not allow the user to modify principals or policies.
c            Allow the user to change the passwords for principals.
C            Do not allow the user to change the passwords for principals.
i            Allow the user to query the database.
I            Do not allow the user to query the database.
l            Allow the user to list principals or policies.
L            Do not allow the user to list principals or policies.
s            Allow the user to explicitly set the key for a principal.
S            Do not allow the user to explicitly set the key for a principal.
*            All permissions.
x            All permissions. The same as *.
The <target_principal> is only applicable if the permission has a target and is therefore
optional. For example, a principal can be granted the ability to change passwords but
only for specific users provided as the <target_principal>. Each component of the
<principal> can be referenced in the <target_principal> with the *<num> wildcard such
as *1 for the first component of the principal.
The <restrictions> restrict, add, or modify actions granted and are also optional. They
are in the format +<flag> or -<flag>. The same options used when adding or modifying
a principal can be used as restrictions when adding ACLs. They are listed in Table 12.1.
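As an added example (not from the book or from MIT Kerberos), the following Python code evaluates kadm5.acl lines with the first-match, wildcard and uppercase-deny rules described above, which is useful for checking an ACL file before loading it on the KDC. It assumes that *2 refers to the caller's instance component and that an entry with a target still applies to operations that have no target; it records but does not apply the +<flag>/-<flag> restrictions, and the ACL file and principal names in it are constructed.

```python
"""Evaluate kadm5.acl lines the way this section describes them. Added
example, not code from the book or from MIT Kerberos. It implements the
<principal> <permissions> [<target_principal>] [<restrictions>] line format,
first-match-wins ordering, the "*" wildcard in principal components, the
lowercase-grant / uppercase-deny letters of Table 12.2, and *<num>
back-references to the caller's components in the target (assumption: *1 is
the primary, *2 the instance). Restrictions are kept but not applied.
"""
import fnmatch

ALL_PERMISSIONS = set("admcils")

# Constructed sample /var/kerberos/krb5kdc/kadm5.acl
SAMPLE_ACL = """\
# admin instances of every user get all permissions
*/admin@EXAMPLE.COM *
# root instances may change/inquire only their own root principal (*1 = caller's primary)
*/root@EXAMPLE.COM ci *1/root@EXAMPLE.COM
# guest is denied inquire here, before the catch-all line below would grant it
guest@EXAMPLE.COM I
# every null-instance principal may inquire and list; A and D deny add and delete
*@EXAMPLE.COM ilAD
"""


def split_principal(principal):
    """<primary>/<instance>@<REALM> -> (primary, instance, realm);
    the null instance and a missing realm come back as empty strings."""
    name, _, realm = principal.rpartition("@") if "@" in principal else (principal, "", "")
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def parse_permissions(field):
    """Return (granted, denied) sets; '*' and 'x' grant everything."""
    granted, denied = set(), set()
    for ch in field:
        if ch in "*x":
            granted |= ALL_PERMISSIONS
        elif ch.islower():
            granted.add(ch)
        else:
            denied.add(ch.lower())
    return granted - denied, denied


def parse_acl(text):
    """Return entries as (principal_pattern, (granted, denied), target_pattern, restrictions)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError("line %d: need at least a principal and permissions" % lineno)
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], parse_permissions(fields[1]), target, fields[3:]))
    return entries


def principal_matches(pattern, principal):
    """Match component by component, so '*' never crosses the '/' or '@'."""
    return all(fnmatch.fnmatchcase(value, pat)
               for pat, value in zip(split_principal(pattern), split_principal(principal)))


def expand_target(pattern, caller):
    """Replace *1 and *2 with the caller's primary and instance (assumed numbering)."""
    primary, instance, _ = split_principal(caller)
    return pattern.replace("*1", primary).replace("*2", instance)


def is_allowed(entries, caller, permission, target=None):
    """The first entry whose principal (and target, when both are present)
    matches decides; with no matching entry the operation is denied."""
    for pattern, (granted, _denied), target_pattern, _restrictions in entries:
        if not principal_matches(pattern, caller):
            continue
        if target_pattern is not None and target is not None:
            if not principal_matches(expand_target(target_pattern, caller), target):
                continue
        return permission in granted
    return False
```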
Starting and Stopping the Kerberos Server
To start the Kerberos server, execute the following as root to start the appropriate
daemons:
service krb5kdc start
service kadmin start
Be sure to configure the system to start these services at boot time:
chkconfig krb5kdc on
chkconfig kadmin on
For these services to start at boot time, a stash file must exist as described earlier.
Connecting to the Kerberos Server
Each Kerberos client must have the krb5-workstation RPM package installed to provide
the Kerberos user commands for requesting and managing tickets. It also provides
Kerberized versions of authentication utilities such as rlogin and ftp.
On each client, edit the /etc/krb5.conf file to set the realm and the location of the
server for the realm. Replacing the example.com and EXAMPLE.COM instances in the
default krb5.conf file is usually sufficient.
The Kerberized applications must be enabled on each client. For example, to enable the
Kerberized telnet, make sure the krb5-telnet service is enabled and make sure users
execute /usr/kerberos/bin/telnet instead of /usr/bin/telnet. To ensure the Kerberized
programs are executed, verify that each user's path includes /usr/kerberos/bin/ before
any of the other directories containing the non-Kerberized versions of the commands
such as /usr/bin/ or /usr/local/bin/. Other Kerberized applications include ftp, rsh,
and rcp.
If Kerberos is used, users must use the kpasswd command to change their password
instead of passwd. They must also use ksu instead of su to change to the root user.
If the clients are configured to use klogin instead of login, each user is granted a ticket,
and using the ticket is transparent to the user. Otherwise, the user must explicitly request
a ticket with the kinit utility. The user executes the kinit command, is prompted for his
password, and is granted a ticket if the correct password is entered. The user is then
authenticated for all Kerberized programs until the ticket expires, which is ten hours by
default.
A user can view his tickets and expiration dates with the klist command. A user can also
cancel his tickets immediately at any time by executing the kdestroy command. Because
the user does not have to enter a password or any other form of identification for
Kerberized programs, users need to be careful about who has access to their computers or
login sessions. If a user is going to be away from his computer, executing kdestroy to
expire his Kerberos tickets is recommended so that someone else can't use his
authentication while he is away.
Logging Kerberos Connections
In the /etc/krb5.conf configuration file, the following logging section exists:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
As you can see, the following entities can be set:
default: Default logging if additional settings are not configured.
kdc: How to handle logging for the KDC.
admin_server: How to handle logging for the administrative server.
By default, these three entities are set to write logs to three different files. The following
values are allowed for each of the entities:
Write to a file:
FILE:<filename>
Write to standard error:
STDERR
Write to the console:
CONSOLE
Write to a specified device:
DEVICE=<devicename>
Write to the system log using syslog with the specified severity and facility (valid
severities and facilities are in the syslog man page):
SYSLOG:<severity>:<facility>
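As an added example (not from the book or from MIT Kerberos), the following Python code parses the [section] / tag = value format of krb5.conf and kdc.conf and checks the points this chapter raises: uppercase realm names, lowercase domain names, domain_realm and default_realm pointing at a defined realm, and valid [logging] destinations. The sample krb5.conf is constructed and its host names are placeholders.

```python
"""Parse the [section] / tag = value format of /etc/krb5.conf and kdc.conf
and apply the checks this chapter calls out. Added example, not code from
the book or from MIT Kerberos. Checks: realm names uppercase and domain
names lowercase (the convention the text asks you to preserve in these
case-sensitive files), every domain_realm mapping and default_realm naming
a realm defined in [realms], and each [logging] destination having one of
the forms FILE:<filename>, STDERR, CONSOLE, DEVICE=<devicename> or
SYSLOG:<severity>:<facility>. The sample below is constructed.
"""
import re

SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = SYSLOG:INFO:LOCAL4

[libdefaults]
 default_realm = EXAMPLE.COM
 ticket_lifetime = 10h

[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com:88
  admin_server = kdc.example.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")
LOG_DEST_RE = re.compile(
    r"^(FILE:\S+|STDERR|CONSOLE|DEVICE=\S+|SYSLOG:[A-Za-z0-9]+:[A-Za-z0-9]+)$")


def parse_krb5_conf(text):
    """Return {section: {tag: value}}; a 'tag = {' block becomes a nested dict."""
    sections, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("line %d: tag before any [section]" % lineno)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: unmatched '}'" % lineno)
            stack.pop()
            continue
        tag, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not tag:
            raise ValueError("line %d: expected 'tag = value'" % lineno)
        if value == "{":
            block = {}
            stack[-1][tag] = block
            stack.append(block)
        else:
            stack[-1][tag] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return sections


def check_krb5_conf(sections):
    """Return a list of problems (empty when the file passes every check)."""
    problems = []
    realms = sections.get("realms", {})
    for tag, dest in sections.get("logging", {}).items():
        if not isinstance(dest, str) or not LOG_DEST_RE.match(dest):
            problems.append("logging: %s has unsupported destination %r" % (tag, dest))
    for realm in realms:
        if realm != realm.upper():
            problems.append("realms: %r is not written in uppercase" % realm)
    for domain, realm in sections.get("domain_realm", {}).items():
        if domain != domain.lower():
            problems.append("domain_realm: domain %r is not lowercase" % domain)
        if realm not in realms:
            problems.append("domain_realm: %r maps to undefined realm %r" % (domain, realm))
    default_realm = sections.get("libdefaults", {}).get("default_realm")
    if default_realm is not None and default_realm not in realms:
        problems.append("libdefaults: default_realm %r is not defined in [realms]" % default_realm)
    return problems
```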
Enabling SMB or Winbind Authentication
Chapter 13 discusses the basics of configuring a Samba (SMB) server for file sharing,
including allowing connections and logging customization. It also discusses connecting to
existing shared directories on an SMB server on the network. This section discusses how
to authenticate users via an SMB server or the Winbind service on a Samba server.
The pam_smb RPM package is required for SMB authentication. The samba-common package
is required for Winbind authentication. Install the package containing the authentication
method of your choice via RHN if it is not already installed.
Enabling SMB
Other than the documentation files, the pam_smb package contains two files: the
/etc/pam_smb.conf configuration file and /lib/security/pam_smb_auth.so
(/lib64/security/pam_smb_auth.so on 64-bit systems).
The /etc/pam_smb.conf file should contain three lines. The first should be the workgroup
name for the SMB server, and the next two lines should be the IP addresses or hostnames
of the primary and secondary domain controllers:
<workgroup>
<primary-server>
<secondary-server>
The /etc/pam.d/system-auth file is the main PAM authentication configuration file. If
you view the contents of the other files in /etc/pam.d/, you will notice that most have a
line to include this file. If you have used the authconfig tool as discussed in the "Enabling
with the Authentication Tool" section, this file is removed and symbolically linked to
/etc/pam.d/system-auth-ac, which is modified by authconfig.
Because using authconfig removes the /etc/pam.d/system-auth file and because you
might need to revert back to the original file, be sure to make a backup copy of the file
before modifying it. Also, leave a terminal open with root already logged in while modifying
the file until you have tested the new configuration to make sure you can still log in
to the system. If you create a syntax error in the file, you might not be able to log in
again and will need the already opened root terminal to fix the file.
In /etc/pam.d/system-auth (or /etc/pam.d/system-auth-ac), add the following line to
enable SMB authentication:
auth sufficient pam_smb_auth.so use_first_pass nolocal
The users still need to be in /etc/passwd. Users with a starred password are authenticated
with the SMB server. Otherwise, local authentication is used.
Enabling Winbind
Enabling Winbind is similar to enabling SMB authentication. Add the following line to
/etc/pam.d/system-auth (or /etc/pam.d/system-auth-ac):
auth sufficient pam_winbind.so use_first_pass nolocal
The Winbind users should not be added as local users, but their home directories as
configured on the Samba server must be created on the Linux client. If the winbind use
default domain option in smb.conf is set to false (the default), Winbind users must log in
with a username in the format <domain>+<username> such as EXAMPLE+tfox for the tfox
user.
TIP
For more details about Winbind, refer to http://samba.org/samba/docs/man/
Samba3-HOWTO/winbind.html.
Enabling with the Authentication Tool
All of these user information databases and authentication methods can be easily set up
with the Authentication Configuration (system-config-authentication) tool, which has
a text-based, a graphical, and a command-line version. The text-based or command-line
versions are useful when running them remotely over SSH without X forwarding enabled
or when running them from a console instead of the graphical desktop. The command-line
version, which is executed with the authconfig command, can be non-interactive for
use in scripts or kickstart.
To use this utility, install the authconfig RPM package as described in Chapter 3,
"Operating System Updates." Also install the authconfig-gtk package if you want to use
the graphical version.
When the application is started, you are prompted for the root password before continuing
if you are not already logged in as root. This section assumes you are using the graphical
version of the tool. The same general steps apply for the text-based version, but the
interface might differ slightly.
Figure 12.1 shows the graphical application. As you can see, three tabs divide the application
into functional groups: User Information, Authentication, and Options. It is
assumed that the administrator has installed all necessary RPM packages for any service
required before enabling them with this tool. All services and options are shown in the
interface regardless of which packages are currently installed. Refer to the sections earlier in
the chapter for a list of packages necessary for each type of identity management service.
FIGURE 12.1 User Information
CAUTION
Most changes take effect immediately after you click OK. The network services
enabled are started and configured to start at boot time. If a service is already
enabled, but its settings are modified, the service is restarted with the new settings. If
a service is disabled in the interface, the service is not always stopped immediately
after you click OK or configured not to start at boot time. Be sure to stop the service
explicitly and use chkconfig <service> off to disable it at boot time.
As shown in Figure 12.1, the NIS, LDAP, Hesiod, and Winbind network services are
available for user information. Refer to their corresponding sections earlier in this chapter for
more information about each of them. To retrieve user information from a remote server
(such as the information displayed with the finger <username> command), click the
Enable check box next to the desired method or methods. Then, click the Configure
button for the method. The required settings differ per support option. Enter the
requested information for each one enabled. For example, after enabling NIS, enter the
NIS domain and server to connect to.
To configure a remote authentication method, go to the Authentication tab as shown in
Figure 12.2. The Kerberos, LDAP, SmartCard, SMB (Samba), and Winbind network services
are available for user authentication. Click the Enable check box next to the desired
support option. Then, click the Configure button for the method and enter the requested
information.
FlGURL 12.2 ^uthentloatlon Conflguratlon
LasIly, Ihe OptIons Iab allows an adminisIraIor Io cusIomize idenIiIy managemenI or Ihe
sysIem. The ollowing opIions are available:
Cache User InIormatIon: Enable Ihe name caching daemon (nscd) and conigure iI
Io sIarI aI booI Iime. When enabled, Ihis daemon can be conigured Io cache inor-
maIion abouI 1e1c1passWd, 1e1c1group, and hosIname resoluIion. I Ihis opIion is
selecIed, all Ihree are cached. The 1e1c1nscd.conf ile can be modiied by rooI Io
cusIomize Ihe caching such as Ihe Iime-Io-live values and which o Ihe Ihree Io
cache.
CAU1I0N
The wlnblnd authentloatlon method and nscd wlll not work together properly. lf they
are both runnlng at the same tlme, the system wlll not be able to resolve domaln
users and groups.
Use Shadow Passwords: Enabled by deaulI during insIallaIion using Ihe shadoW-
u11Js package. I enabled, insIead o encrypIed passwords being sIored in Ihe
1e1c1passWd ile, which is readable by everyone, Ihey are locaIed in Ihe 1e1c1
shadoW ile, which is readable by Ihe rooI user only.
Use MD5 Passwords: Enabled by deaulI. I enabled, passwords can be 2S charac-
Iers insIead o jusI 8 characIers. This enhances securiIy on Ihe sysIem because iI is
harder Io guess longer passwords.
Local authorIzatIon Is suIIIcIent Ior local users: Allow local users Io be auIhenIi-
caIed wiIh local iles insIead o wiIh Ihe neIwork auIhenIicaIion service.
AuthentIcate system accounts by networR servIces: AuIhenIicaIe sysIem accounIs
(user accounIs under UID S00) wiIh Ihe enabled neIwork auIhenIicaIion service
insIead o local iles.
Using the Command-Line Version
As previously mentioned, the command-line version of the Authentication Configuration tool allows you to configure the same settings as the graphical interface. Command-line options are used so that the commands are non-interactive, making it possible to use in an automated script or a kickstart file.
Table 12.3 contains the available command-line options. These options can also be found in the authconfig man page or by executing the authconfig --help command. They are invoked by executing the authconfig command as root followed by one or more options:
authconfig <options> --update
If the --update option is not listed, the settings are not updated. If --test is used instead, the settings are not updated, but the listed changes are displayed in a summary report. The --test option can also be used without any other options to display the current authentication settings. If --probe is used instead, the network is probed via DNS and other services for configuration information about the system. If any information is found, it is displayed. If none is found, no information is displayed.
If enabling a service, be sure to also specify its required settings such as --ldapserver=<server> and --ldapbasedn=<dn> with --enableldapauth. Because the command-line version is intended to be non-interactive, no error messages or warnings appear if you don't provide the necessary information for a service. The service is just not enabled or started. Be sure to test all commands being used in scripts or kickstart before relying on them to work.
TABLE 12.3 authconfig Command-Line Options
Command-Line Option  Description
--help  Display all command-line options and brief descriptions.
--enableshadow  Enable shadow passwords (the default).
--disableshadow  Disable shadow passwords.
--enablemd5  Enable MD5 passwords (the default).
--disablemd5  Disable MD5 passwords.
--enablenis  Enable NIS for user information.
--disablenis  Disable NIS for user information.
--nisdomain=<domain>  Specify NIS domain if enabling NIS.
--nisserver=<server>  Specify NIS server if enabling NIS.
--enableldap  Enable LDAP for user information.
--disableldap  Disable LDAP for user information.
--enableldapauth  Enable LDAP for authentication.
--disableldapauth  Disable LDAP for authentication.
--ldapserver=<server>  Provide LDAP server if enabling LDAP.
--ldapbasedn=<dn>  Provide LDAP base DN if enabling LDAP.
--enableldaptls  Enable use of TLS with LDAP.
--disableldaptls  Disable use of TLS with LDAP.
--ldaploadcacert=<url>  Load CA certificate from URL provided if enabling LDAP.
--enablesmartcard  Enable smart card authentication.
--disablesmartcard  Disable smart card authentication.
--enablerequiresmartcard  Require smart card authentication.
--disablerequiresmartcard  Do not require smart card authentication.
--smartcardmodule=<module>  Specify smart card module to use if enabling it.
--smartcardaction=<action>  Set action to take when smart card is removed. Set <action> to 0 to lock or 1 to ignore.
--enablekrb5  Enable Kerberos authentication.
--disablekrb5  Disable Kerberos authentication.
--krb5kdc=<server>  Set Kerberos KDC when enabling Kerberos authentication.
--krb5adminserver=<server>  Set Kerberos admin server when enabling Kerberos authentication.
--krb5realm=<realm>  Set Kerberos realm when enabling Kerberos authentication.
--enablekrb5kdcdns  Enable use of DNS to determine Kerberos KDCs.
--disablekrb5kdcdns  Disable use of DNS to determine Kerberos KDCs.
--enablekrb5realmdns  Enable use of DNS to determine Kerberos realms.
--disablekrb5realmdns  Disable use of DNS to determine Kerberos realms.
--enablesmbauth  Enable Samba authentication.
--disablesmbauth  Disable Samba authentication.
--smbservers=<servers>  Set Samba server when enabling Samba authentication.
--smbworkgroup=<workgroup>  Set which workgroup the Samba authentication server is in when enabling Samba authentication.
--enablewinbind  Enable winbind for user information.
--disablewinbind  Disable winbind for user information.
--enablewinbindauth  Enable winbind for authentication.
--disablewinbindauth  Disable winbind for authentication.
--smbsecurity=<mode>  Set security mode for Samba or winbind. Must be one of user, server, domain, or ads.
--smbrealm=<realm>  Set realm for Samba and winbind when security mode is set to ads.
--smbidmapuid=<range>  Provide UID range from lowest to highest to assign to winbind users when security is set to domain or ads.
--smbidmapgid=<range>  Provide GID range from lowest to highest to assign to winbind users when security is set to domain or ads.
--winbindseparator=<char>  Set character used to separate domain and user part of usernames created by winbind if winbindusedefaultdomain is not enabled.
--winbindtemplatehomedir=<dir>  Set home directory for users created by winbind. For example, /home/%D/%U.
--winbindtemplateprimarygroup=<group>  Set primary group for users created by winbind such as the nobody group.
--winbindtemplateshell=<shell>  Set login shell of users created by winbind such as /bin/false.
--enablewinbindusedefaultdomain  If winbind is enabled, users with no domain in their usernames are domain users.
--disablewinbindusedefaultdomain  If winbind is enabled, users with no domain in their usernames are not domain users.
--winbindjoin=<admin>  When joining the winbind domain or ads realm, join as specified administrator.
--enablewins  Enable WINS hostname resolution.
--disablewins  Disable WINS hostname resolution.
--enablehesiod  Enable Hesiod for user information.
--disablehesiod  Disable Hesiod for user information.
--hesiodlhs=<lhs>  Set Hesiod LHS when enabling Hesiod.
--hesiodrhs=<rhs>  Set Hesiod RHS when enabling Hesiod.
--enablecache  Enable caching of user information with nscd.
--disablecache  Disable caching of user information with nscd.
--enablelocauthorize  Enable local authorization for local users.
--disablelocauthorize  Disable local authorization for local users.
--enablesysnetauth  Enable network authentication for system users.
--disablesysnetauth  Disable network authentication for system users. System users are authorized by local files only.
--nostart  Do not start or stop portmap, ypbind, or nscd.
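Because authconfig stays silent when a required setting is missing, a script that calls it should check its own arguments first. The following shell wrapper is an added example and is not part of the book or of authconfig itself; it builds the command line for LDAP user information plus LDAP authentication over TLS, refuses to emit it when --ldapserver or --ldapbasedn is empty, and insists that the CA certificate URL is https (a CA fetched over plain http can be swapped in transit, which quietly defeats --enableldaptls). The server name, base DN and CA URL shown are assumed example values.

```sh
#!/bin/sh
# Added example (not from the book): assemble an authconfig command line
# for LDAP lookups and LDAP authentication over TLS, and refuse to emit it
# unless every setting the enabled service depends on is present.
# authconfig prints nothing and simply leaves LDAP disabled when
# --ldapserver or --ldapbasedn is missing, so the check belongs here.
# ldap.example.com, dc=example,dc=com and the CA URL are assumed values.

# ldap_authconfig_cmd SERVER BASEDN CACERT_URL [test|update]
# Prints the command on stdout. Returns 1, with the reason on stderr, if a
# required value is empty or the CA certificate is not fetched over https.
ldap_authconfig_cmd() {
    server=$1 basedn=$2 cacert=$3 mode=${4:-test}
    [ -n "$server" ] || { echo "ldapserver is required" >&2; return 1; }
    [ -n "$basedn" ] || { echo "ldapbasedn is required" >&2; return 1; }
    case "$cacert" in
        https://*) ;;
        *) echo "ldaploadcacert must be an https:// URL: a CA fetched over" \
                "plain http can be replaced in transit" >&2
           return 1 ;;
    esac
    case "$mode" in
        test|update) ;;
        *) echo "mode must be test or update" >&2; return 1 ;;
    esac
    printf 'authconfig --enableldap --enableldapauth --enableldaptls'
    printf ' --ldapserver=%s --ldapbasedn=%s --ldaploadcacert=%s' \
        "$server" "$basedn" "$cacert"
    # Keep shadow/MD5 handling for local accounts and let them still log
    # in with local files when the directory is unreachable.
    printf ' --enableshadow --enablemd5 --enablelocauthorize --%s\n' "$mode"
}

# Usage on the client, as root: dry-run with --test first, then apply.
#   ldap_authconfig_cmd ldap.example.com dc=example,dc=com \
#       https://ca.example.com/ca.crt test | sh
#   ldap_authconfig_cmd ldap.example.com dc=example,dc=com \
#       https://ca.example.com/ca.crt update | sh
```

Run the test form first and read the summary report; only the update form changes the system, and both forms belong in the kickstart %post section in that order when the client is built unattended.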
Summary
The NIS, LDAP, Kerberos, Hesiod, SMB, and Winbind network authentication services discussed in this chapter can centralize user information, including passwords. This allows for easier maintenance and backup procedures. They also allow for identical authentication from any system on the network.
Review each of these authentication services and decide which one works best for your network.
IN THIS CHAPTER
Network File System
Samba File Sharing
CHAPTER 13
Network File Sharing
In an enterprise computing environment, it is common to share files between computers or allow several users to access the same set of files on a central server and have all changes be visible to all users immediately. In a pure UNIX environment, including those consisting solely of Red Hat Enterprise Linux systems, this can be achieved via Network File System (NFS). If sharing files between Red Hat Enterprise Linux and Microsoft Windows systems is desired, Samba can be used to achieve connectivity.
Network File System
NFS, or Network File System, is a server-client protocol for sharing files between computers on a common network. It is available on a variety of UNIX-based operating systems, not just Linux. The server and client do not have to use the same operating system. The client system just needs to be running an NFS client compatible with the NFS server.
The NFS server exports one or more directories to the client systems, and the client systems mount one or more of the shared directories to local directories called mount points. After the share is mounted, all I/O operations are written back to the server, and all clients notice the change as if it occurred on the local filesystem. A manual refresh is not needed because the client accesses the remote filesystem as if it were local. Access is granted or restricted by client IP addresses.
One advantage of NFS is that the client mounts the remote filesystem to a directory, thus allowing users to access it in the same way used to access local files. Furthermore, because access is granted by IP address, a username and password are not required. However, there are security risks to consider because the NFS server knows nothing about the users on the client system. The files from the NFS server retain their file permissions, user ID, and group ID when mounted. If the client uses a different set of user and group IDs, file ownership will change. Keep in mind as well that with the default AUTH_SYS security flavor the server simply believes the user and group IDs the client sends with each request, so anyone with root on an allowed client can act as any non-root user; the IP-based export list is the only control between the export and the network, and root_squash (the default) should stay on.
For example, if a file is owned by user ID 500 on the NFS server, the file is exported to the clients with that same user ID. If user ID 500 maps to the user bsf on the NFS server but maps to the user akf on the remote client, user akf will have access to the file on the remote client. Thus, it is crucial that the NFS server and all its clients use the same user database so the user and group IDs are identical no matter which machine is used to access the files. The administrator can assign identical user and group IDs on systems on the network, but this can be a tedious and time-consuming task if the network has more than a few users. A more error-proof and manageable method is to use NIS as discussed in Chapter 12, "Identity Management."
NOTE
NFS does not have its own log file. Instead, the commands used by NFS such as rpc.mountd to mount client requests are logged in the system log file /var/log/messages. Kernel messages from nfsd are also logged to this file.
NFS and SELinux
In Red Hat Enterprise Linux 5, NFS is protected by the default Security-Enhanced Linux (SELinux) policy, known as the targeted policy. Refer to Chapter 23, "Protecting Against Intruders with Security-Enhanced Linux" for more information on SELinux.
By default, this targeted policy allows NFS connections to the server by setting the nfs_export_all_ro and nfs_export_all_rw SELinux booleans to 1.
If you are sharing home directories over NFS while using SELinux, you must set the use_nfs_home_dirs boolean to 1 on each client connecting to the NFS server sharing the home directories. Execute the following command as root:
setsebool -P use_nfs_home_dirs 1
To verify that the setting has been changed, execute the following:
getsebool use_nfs_home_dirs
If enabled, the output should be the following:
use_nfs_home_dirs --> on
You can also change this setting by running the SELinux Management Tool. Start it by selecting Administration, SELinux Management from the System menu on the top panel of the desktop or by executing the system-config-selinux command. Enter the root password when prompted if running as a non-root user. Select Boolean from the list on the left. On the right, click the triangle icon next to NFS. The SELinux booleans affecting NFS appear. Click the check box next to Support NFS home directories. The change takes place immediately.
TIP
The SELinux booleans that affect NFS are described in the nfs_selinux man page viewable with the man nfs_selinux command.
The SELinux implementation in Red Hat Enterprise Linux does not require the files shared with NFS to be labeled with a specific security context. However, if more than one file-sharing protocol is configured to share the same set of files such as FTP and Samba, the security context of the files must be set to public_content_t or public_content_rw_t instead. Additional SELinux booleans must be enabled as well. Refer to the "Security Context for Multiple File-Sharing Protocols" section in Chapter 23 for complete instructions.
Allowing NFS Connections
Before configuring the NFS server, configure your firewall settings to allow the incoming connections. While portmapper and the nfs daemon use static ports, NFS also employs four additional services: statd, mountd, rquotad, and lockd. They are assigned a random port by portmapper, which makes firewall configuration difficult. However, it is possible to configure these four daemons to use static ports. Refer to the "Assigning Static NFS Ports" section later in this chapter for details.
The portmapper service uses UDP and TCP port 111, and the nfs daemon uses UDP and TCP port 2049 by default. If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for details on how to allow these ports. Open them only to the client networks that appear in /etc/exports; the export list decides who may mount, but it is not a substitute for a firewall rule, and portmapper in particular should never be reachable from untrusted networks.
If the default security level is enabled instead of custom IPTables rules, use the Security Level Configuration tool to allow NFS connections. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. In the Other ports area, click Add to specify each NFS port. Remember, the ports will differ depending on which ones you choose.
TIP
To retrieve a list of clients connected to the NFS server, use the showmount command from a shell prompt. To also show the directories the clients are connected to, use the showmount -a command.
Using a Graphical Tool to Configure the NFS Server
To use a system as an NFS server, the nfs-utils RPM package must be installed. If it is not installed, install it with Red Hat Network as described in Chapter 3, "Operating System Updates." To configure it via the NFS Server Configuration graphical tool, the system-config-nfs RPM package must also be installed. If you prefer to edit the configuration file directly, skip to the later section "Configuring the NFS Server on the Command Line."
To start the tool, select Administration, Server Settings, NFS from the System menu on the top panel of the desktop. Alternatively, execute the command system-config-nfs from a shell prompt.
Root privileges are required to modify the NFS server settings, so you must have root access to use this tool. If you are not root when you start the program, you will be prompted for the root password.
All currently configured shares are shown each time the program is started as shown in Figure 13.1.
FIGURE 13.1 NFS Server Configuration Tool
NOTE
This graphical interface interacts with the /etc/exports file directly. Any changes made directly to the configuration file after the graphical tool is used will appear in the graphical tool the next time it is used.
Adding a New NFS Share
To add a new share, click the Add button in the toolbar. The Add dialog window appears as shown in Figure 13.2.
FIGURE 13.2 Adding an NFS Share
On the Basic tab, specify a directory to share, configure the allowed clients, and select whether the clients should be allowed read-only or read-write access.
The IP address range for the allowed clients must be in one of the following formats:
Specific IP address or hostname: Provide the IP address, the fully qualified domain name (FQDN), or hostname of the allowed client. If the FQDN or hostname is used, the server must be able to resolve it to an IP address.
FQDNs specified by wildcards: Use the * or ? special character to list a set of FQDNs such as *.example.com. Dots are not included in the wildcard. (Note: Wildcards can not be used with IP addresses.)
IP networks: Specify an IP network with its network netmask or the number of bits in the netmask such as 192.168.1.0/255.255.255.0 or 192.168.1.0/24.
Netgroups: Specify an NIS netgroup such as @example_group_name.
NOTE
As the NFS server options are discussed, the corresponding option in the /etc/exports configuration file is provided in brackets such as [option].
As shown in Figure 13.3, the General Options tab allows the administrator to configure the following options:
FIGURE 13.3 NFS General Options
Allow connections from port 1024 and higher: By default, the NFS server only accepts requests that arrive from a privileged source port (below 1024), which on a UNIX client means only a process running as root can have sent them. If this option is selected, requests from any port are accepted, so any user on an allowed client can talk to the server directly without going through the kernel's NFS client. Leave it unselected unless a client genuinely needs it. [insecure]
Allow insecure file locking: Do not require authentication of lock requests. Only needed for old NFS clients that send unauthenticated lock requests. [insecure_locks]
Disable subtree checking: By default, NFS performs a subtree check, meaning that if a subdirectory is shared, but the entire filesystem isn't, the server verifies that the requested file is in the exported tree. When subtree checking is enabled, it also makes sure files inside directories with root-only access can only be accessed when exported with the no_root_squash option, which is not a default option. This option disables subtree checking. [no_subtree_check]
Sync write operations on request: Wait until the operation is written to disk before responding to the client. Enabled by default because it is part of the NFS protocol and a required option. [sync]
Force sync of write operations immediately: By default, write operations are delayed slightly if the server might receive another related write request or if one is already in progress. The writes are performed in one operation, which might improve performance. When this option is enabled, the server does not delay when writing to disk. This option can not be used if the async option is enabled. [no_wdelay]
Hide filesystems beneath: If a separate filesystem is mounted on a subdirectory of an exported directory, the server normally hides it: a client that mounts only the parent sees an empty directory there and must mount the nested filesystem separately. When this option is unselected, the nested filesystem is visible through the parent mount without a separate mount on the client. [hide if checked, nohide if unchecked]
Export only if mounted: Export a directory only if it has been successfully mounted on the NFS server. This option prevents an empty directory from being exported should the filesystem being exported fail to mount on the NFS server. [mp]
Optional mount point: If Export Only If Mounted is selected, a mount point can be specified if it differs from the export point. If not specified, it is assumed that the mount point and export point are the same. [mountpoint]
Set explicit Filesystem ID: Override the filesystem identification for the file handle and file attributes with this number. Useful to ensure that the NFS server and its failover use identical NFS file handles. [fsid]
The User Access tab contains the following options:
Treat remote root user as local root: Do not map requests from root to the anonymous user and group ID. Selecting this hands root on the allowed clients full root access to the exported files, so leave it unselected unless the export genuinely requires it. [no_root_squash]
Treat all client users as anonymous users: Map all user and group IDs to the anonymous user and group ID. [all_squash]
Local user ID for anonymous users: If Treat All Client Users As Anonymous Users is enabled, use this user ID for the anonymous user. [anonuid]
Local group ID for anonymous users: If Treat All Client Users As Anonymous Users is enabled, use this group ID for the anonymous user. [anongid]
Click OK to add the share to the list. After clicking OK, the settings are automatically saved to the /etc/exports file and the daemon is automatically reloaded so the new share is available. The old configuration file is written to /etc/exports.bak.
Editing and Deleting NFS Shares
To modify an existing share, select it from the list and click the Properties button in the toolbar. The existing settings for the share are shown and can be modified. After you click OK, the changes take place immediately.
To delete a share, select it from the list and click Delete. The shared directory is removed from the list. Once again, the change takes place immediately.
Configuring the NFS Server on the Command Line
To configure a Red Hat Enterprise Linux system as an NFS server via the command line, make sure the nfs-utils RPM package is installed.
The server configuration file, /etc/exports, uses the following format:
shared_directory allowed_hosts(options)
where shared_directory is the name of the directory to be shared, allowed_hosts is the IP address range of the allowed clients, and options is a list of NFS options for the exported directory. Obviously, the exported directory must exist. Refer to the previous section on graphical configuration for valid IP address range configuration. You must be root to modify this file.
For example, the following /etc/exports line allows all systems with 192.168.1.* IP addresses read-write access to the /shared/ directory:
/shared 192.168.1.0/255.255.255.0(sync,rw)
CAUTION
Notice that allowed_hosts and (options) do not have a space between them. If a space is included, the line is parsed as two entries: allowed_hosts is exported with the default options (read-only), and the (options) list becomes a separate entry with no host part, which matches every host on the network. That is quite dangerous if write permission is granted.
The sync or async option must be specified as an NFS option. If sync is specified, the server waits until the request is written to disk before responding to the client. The sync option is recommended because it follows the NFS protocol.
To grant read-write access for the exported directory, use the rw option. For additional options, refer to the previous section on graphical configuration. For a full list of NFS server options, refer to the exports man page with the command man exports. Options should be separated by commas.
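The mistakes the caution above describes are easy to make and silent at reload time, so it pays to check /etc/exports before service nfs reload. The following lint is an added example, not code from the book or from nfs-utils: it flags a space before an option list, a client with no option list at all, an entry without sync or async, a bare * client, and no_root_squash. The sample exports file it reads is constructed for the example and its directories and addresses are assumed values.

```sh
#!/bin/sh
# Added example (not from the book): a lint for /etc/exports that flags
# the mistakes the text warns about before "service nfs reload" puts them
# live. The sample file below is constructed; paths and client addresses
# in it are assumed values.

# lint_exports FILE
# Prints one "warning:" line per problem found; returns 1 if any were.
lint_exports() {
    found=0
    while read -r dir rest; do
        # skip blank lines and comments
        case "$dir" in ""|"#"*) continue ;; esac
        for client in $rest; do
            case "$client" in
                "("*)
                    # "host (rw)": the space turns the options into a
                    # separate entry that matches every host.
                    echo "warning: $dir: space before $client exports it to every host"
                    found=1 ;;
                *"("*)
                    opts=${client#*"("}
                    opts=${opts%")"}
                    case ",$opts," in
                        *,sync,*|*,async,*) ;;
                        *) echo "warning: $dir: $client has neither sync nor async"
                           found=1 ;;
                    esac
                    case ",$opts," in
                        *,no_root_squash,*)
                            echo "warning: $dir: $client lets remote root act as local root"
                            found=1 ;;
                    esac ;;
                *)
                    echo "warning: $dir: $client has no option list (default read-only export)"
                    found=1 ;;
            esac
            case "$client" in
                "*"|"*("*)
                    echo "warning: $dir: * exports to every host"
                    found=1 ;;
            esac
        done
    done < "$1"
    return $found
}

# Constructed sample: the first two lines are fine, the rest are the
# mistakes the lint exists for.
sample_exports() {
    cat <<'EOF'
# /etc/exports (constructed sample)
/shared   192.168.1.0/255.255.255.0(sync,rw)
/pub      *.example.com(sync,ro)
/backup   192.168.1.0/24 (sync,rw)
/home     192.168.1.5(sync,rw,no_root_squash)
/scratch  *(rw)
EOF
}

# Usage on the server:  lint_exports /etc/exports && service nfs reload
```

The lint reads the file with read rather than sourcing it, and it only reports; exportfs -v after the reload shows what the server actually ended up exporting and is the final check.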
Starting and Stopping the NFS Server
The root user must execute the commands to start, stop, and reload the NFS server. To start the NFS server, execute the command service nfs start. To stop the server, execute the command service nfs stop. If the server is already started and the /etc/exports configuration file is altered, the NFS server must be informed. Use the command service nfs reload to force the server to reread the configuration file.
To have the service start automatically at boot time, use chkconfig as the root user:
chkconfig nfs on
To verify that the NFS server is running, issue the command service nfs status.
Assigning Static NFS Ports
Refer to /etc/services for a list of ports already reserved for other services on the system and then select ports over 1024 to assign to the statd, mountd, rquotad, and lockd services. In this example, the following ports will be used:
TCP and UDP port 38001 for statd
TCP and UDP port 38002 for statd (outgoing)
TCP and UDP port 38003 for mountd
TCP and UDP port 38004 for rquotad
TCP port 38005 for lockd
UDP port 38006 for lockd
The NFS initialization scripts check for the configuration file /etc/sysconfig/nfs for static port assignments. If the file is not found, random ports are used for statd, mountd, rquotad, and lockd. To assign static ports, create the file /etc/sysconfig/nfs with the lines from Listing 13.1. Replace the port numbers with the ones you decided to use after examining /etc/services.
LISTING 13.1 Assigning Static Ports for NFS
STATD_PORT=38001
LOCKD_TCPPORT=38005
LOCKD_UDPPORT=38006
MOUNTD_PORT=38003
The outgoing port for statd (38002 in the list above) is set in the same file with STATD_OUTGOING_PORT=38002; it only matters if the firewall also filters connections the server initiates to its clients.
If you are using disk quota as discussed in Chapter 7, "Managing Storage," you also need to assign a static port to rquotad, the daemon used to determine quotas for a remotely mounted NFS filesystem. In addition to the lines in Listing 13.1, also add the following line to /etc/sysconfig/nfs:
RQUOTAD_PORT=38004
Use the command rpcinfo -p localhost to verify that the port numbers for the portmapper, status, rquotad, nlockmgr, and mountd services are correct. Because lockd is a kernel module, a reboot might be needed for the changes to take effect.
Static ports can also be assigned with the graphical NFS configuration tool. After starting the tool, click the Server Settings button on the toolbar. The dialog shown in Figure 13.4 appears.
FIGURE 13.4 Assigning Static NFS Ports
Provide the ports you want to use, and click OK.
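The point of static ports is that the firewall can finally name them, and the two configurations drift apart if they are maintained by hand. The following script is an added example (not from the book or from nfs-utils) that ties the "Allowing NFS Connections" and "Assigning Static NFS Ports" sections together: it derives iptables rules from /etc/sysconfig/nfs, restricted to one client network, refuses to produce anything while a daemon is still on a random port, and checks rpcinfo -p output against the intended ports. The rules are only printed; the client network and the sample /etc/sysconfig/nfs and rpcinfo output are constructed, assumed values.

```sh
#!/bin/sh
# Added example (not from the book): generate firewall rules for an NFS
# server from its /etc/sysconfig/nfs and verify rpcinfo output against
# the same numbers. Rules are printed, not applied. 192.168.1.0/24 and
# the sample files are assumed/constructed values.

# nfs_firewall_rules SYSCONFIG_FILE CLIENT_NET
# Prints iptables rules accepting NFS only from CLIENT_NET. Returns 1 if a
# required port variable is missing: that daemon is still on a random port
# and cannot be firewalled, so no rules are emitted at all.
nfs_firewall_rules() {
    file=$1 net=$2
    # Read only the KEY=value lines we expect; never source the file, since
    # sourcing would execute anything that has been written into it.
    statd=$(sed -n 's/^STATD_PORT=//p' "$file")
    mountd=$(sed -n 's/^MOUNTD_PORT=//p' "$file")
    lockd_tcp=$(sed -n 's/^LOCKD_TCPPORT=//p' "$file")
    lockd_udp=$(sed -n 's/^LOCKD_UDPPORT=//p' "$file")
    rquotad=$(sed -n 's/^RQUOTAD_PORT=//p' "$file")   # optional
    for v in statd mountd lockd_tcp lockd_udp; do
        eval "val=\$$v"
        case "$val" in
            ''|*[!0-9]*) echo "error: $v is not set to a port in $file" >&2; return 1 ;;
        esac
    done
    # portmapper (111) and nfsd (2049) are fixed; the rest come from the file.
    for p in 111 2049 "$statd" "$mountd" ${rquotad:+"$rquotad"}; do
        echo "iptables -A INPUT -s $net -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -s $net -p udp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -s $net -p tcp --dport $lockd_tcp -j ACCEPT"
    echo "iptables -A INPUT -s $net -p udp --dport $lockd_udp -j ACCEPT"
}

# check_rpc_port RPCINFO_FILE SERVICE PROTO PORT
# Returns 0 if "rpcinfo -p" output saved in RPCINFO_FILE registers SERVICE
# over PROTO on PORT (and on no other port).
check_rpc_port() {
    awk -v svc="$2" -v proto="$3" -v port="$4" '
        $5 == svc && $3 == proto { seen = 1; if ($4 != port) bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }' "$1"
}

# Constructed "rpcinfo -p localhost" output for a server using the ports
# from Listing 13.1.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  38001  status
    100024    1   tcp  38001  status
    100021    1   udp  38006  nlockmgr
    100021    1   tcp  38005  nlockmgr
    100005    1   udp  38003  mountd
    100005    1   tcp  38003  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
EOF
}

# Usage on the server, after service nfs restart:
#   rpcinfo -p localhost > /tmp/rpc.txt && check_rpc_port /tmp/rpc.txt mountd tcp 38003
#   nfs_firewall_rules /etc/sysconfig/nfs 192.168.1.0/24 | sh
```

On a stock Red Hat Enterprise Linux 5 firewall the generated rules must land before the final REJECT rule of the RH-Firewall-1-INPUT chain, so either insert them with -I or put them in a chain of your own; and re-run check_rpc_port after a reboot, since lockd's ports only change once the module is reloaded.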
Connecting to the NFS Shares
There are three ways to mount an NFS export on a client system, assuming the server has given the client permission to do so:
Use the mount command along with the server name, exported directory, and local mount point.
Add the export to /etc/fstab so it is automatically mounted at boot time or is available to be mounted.
Use the autofs service to mount the share when a user attempts to access it from a client.
Using mount to Connect to the NFS Share
If you only need to mount the share occasionally (or if you are testing the export), use the mount command. Create a directory to mount the share, then, as root, execute the following command:
mount -o <options> server.example.com:/exporteddir /mountpoint
replacing the server name, exported directory, and the local mount point. By default, the share is mounted in read-write mode, meaning that all file permissions are retained from the server. It is important to know that the file permissions are based on the user ID and group ID numbers, not the user and group names used on the NFS server. If the client is allowed access by the server, the shared directory will then be available from the specified mount point on the client.
Any NFS mount options can also be used in place of <options> including the following:
rsize=8192
wsize=8192
timeo=14
intr
The rsize value is the number of bytes used when reading from the server. The wsize value is the number of bytes used when writing to the server. The default for both is 1024, but using 8192 greatly improves throughput and is recommended. The timeo value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better performance can be achieved by increasing this timeout value. The intr option allows signals to interrupt the file operation if a major timeout occurs for a hard-mounted share. From a security standpoint, also consider nosuid and nodev: the server's files arrive with whatever mode bits they have there, so without these options a setuid binary or device node placed on the export by another client (or by root on the server) works as such on this client too. Refer to the NFS man page with the command man nfs for a full list of available options.
Using /etc/fstab to Connect to the NFS Share
After you have verified that the client can mount the share, you can configure the system to mount it at boot time by modifying the /etc/fstab file as follows:
server:/exported/dir /mountpoint nfs rsize=8192,wsize=8192,timeo=14,intr
Replace the server name, exported directory, and mount point with the appropriate values. The third column indicates that the mount point is of the type nfs.
The last column contains a comma-separated list of NFS options. The options in our example were explained in the previous section, "Using mount to Connect to the NFS Share."
After the entry is added to /etc/fstab, use the command mount /mountpoint as root to mount the share immediately. Unless the noauto option is specified, it is automatically mounted at boot time.
TIP
The user option can also be used to allow a non-root user to mount the share with the mount /mountpoint command. This is useful if the noauto option is used to not mount the share at boot time.
Using autofs to Connect to the NFS Share
The last option is to use autofs. The autofs service works by using the automount daemon to monitor preconfigured NFS mount points. They are only mounted when a user attempts to access the local mount point directory.
There are several advantages to using autofs instead of configuring shares in /etc/fstab. Because shares are only mounted when they are accessed, system boot time is faster. The system doesn't have to wait for each NFS server to respond and the mount to succeed. Secondly, it offers a modest security benefit. Users on the client systems must know what directory is configured to mount the share before changing into that directory to force the mount. On the other hand, if all shares are mounted on bootup, users can browse the contents of the shared directory if they have permission. If the system is compromised by an unauthorized user, having the shares pre-mounted makes it that much easier for the intruder to find the shared files. This is a matter of exposure, not access control: the map files are readable and the server still decides who may mount. Finally, if the clients are configured to use NIS for user authentication, NIS can also be configured to provide the /etc/auto.* files necessary for autofs. So, when a share needs to be added, modified, or removed, the administrator just needs to update the configuration files on the NIS server, and they are populated to all clients after the NIS service is restarted on the clients. The update is almost seamless to the end user.
The master configuration file is /etc/auto.master. Listing 13.2 shows the default auto.master file.
LISTING 13.2 Default auto.master File
#
# $Id: auto.master,v 1.4 2005/01/04 14:36:54 raven Exp $
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
/misc   /etc/auto.misc
/net    -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
As you can see, the mounts for the /misc/ directory are defined in a different file. One additional configuration file per directory is controlled by autofs. The /net entry is different: the built-in -hosts map lets any user on the client mount every export of any reachable NFS server simply by accessing /net/<hostname>, so remove or comment out that line if that is not intended. The /misc/ directory in Red Hat Enterprise Linux is reserved for autofs mounts. Because /etc/auto.misc is already created, add NFS mounts to it in the following format:
mountdir <options> server.example.com:/exporteddir
Replace mountdir with the name of the /misc/ subdirectory you want the share to be mounted. For example, to use the directory /misc/data/, replace mountdir with data. This subdirectory is dynamically created when the share is mounted. Do not create it on the local filesystem.
Replace <options> with a list of comma-separated NFS options discussed previously in this chapter and found in the NFS man page (accessed with the man nfs command); in a map file the list is prefixed with a hyphen, for example -rsize=8192,wsize=8192,intr. Replace the server name and exported directory as well.
If a directory is used by autofs as a mount point, the directory should not be written to unless the remote filesystem is mounted in that directory. Consider it a reserved directory for autofs.
To start the automount daemon, use the command service autofs start. To stop it, use the command service autofs stop. If the service is already running when the auto.master file or any of the files it includes such as auto.misc is modified, use the command service autofs reload to force a reread of the configuration files. To configure the system to start it at boot time, execute chkconfig autofs on as the root user.
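Moving shares from /etc/fstab to autofs, as the two previous sections describe, is mostly a change of file format, and it is a good moment to add the nosuid and nodev options discussed under "Using mount to Connect to the NFS Share". The following script is an added example, not from the book or from the autofs project: it turns the nfs lines of an fstab into /etc/auto.misc entries, drops the options that only mean something to mount(8) reading fstab (noauto, user, _netdev), and adds nosuid and nodev where they are missing. The fstab it reads is constructed for the example; its server names and paths are assumed values.

```sh
#!/bin/sh
# Added example (not from the book): convert the NFS entries of an
# /etc/fstab into /etc/auto.misc lines (key -options server:/export),
# hardening them with nosuid,nodev on the way. The sample fstab below is
# constructed; its hosts and paths are assumed values.

# fstab_to_automap FSTAB_FILE
# For each line whose type is nfs, print "key -options location" where key
# is the last component of the fstab mount point. Comments, blank lines and
# non-nfs entries are ignored.
fstab_to_automap() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        $3 == "nfs" {
            n = split($2, parts, "/"); key = parts[n]
            m = split($4, o, ",")
            opts = ""; nosuid = 0; nodev = 0
            for (i = 1; i <= m; i++) {
                # these only mean something to mount(8) reading fstab
                if (o[i] ~ /^(defaults|noauto|auto|user|users|_netdev)$/) continue
                if (o[i] == "nosuid") nosuid = 1
                if (o[i] == "nodev") nodev = 1
                opts = opts (opts == "" ? "" : ",") o[i]
            }
            # never trust setuid binaries or device nodes stored on a server
            if (!nosuid) opts = opts (opts == "" ? "" : ",") "nosuid"
            if (!nodev)  opts = opts ",nodev"
            print key " -" opts " " $1
        }' "$1"
}

# Constructed sample fstab: one local filesystem (ignored) and two NFS
# shares, one with explicit options and one with "defaults".
sample_fstab() {
    cat <<'EOF'
# /etc/fstab (constructed sample)
LABEL=/                            /            ext3  defaults  1 1
server.example.com:/exported/data  /misc/data   nfs   rw,rsize=8192,wsize=8192,timeo=14,intr,noauto  0 0
nas.example.com:/home              /home        nfs   defaults  0 0
EOF
}

# Usage on the client, as root:
#   fstab_to_automap /etc/fstab >> /etc/auto.misc && service autofs reload
# then remove the nfs lines from /etc/fstab and the now-unused mount points.
```

The keys are taken from the last component of each mount point, so two entries ending in the same name would collide in one map; check the output before appending it, and remember that the automounter creates /misc/<key> itself.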
Samba File Sharing
Samba is an implementation of the SMB/CIFS file-sharing protocol used by the Microsoft Windows operating system. Because some network environments include more than one operating system, Red Hat Enterprise Linux provides a way to use alternative file-sharing methods. If only sharing between Linux and other UNIX variants, it is recommended that NFS be used instead.
TIP
For additional information on Samba, refer to the /usr/share/doc/samba-<version>/ directory. Among other resources, it contains a PDF of the book.
Samba and SELinux
Samba file sharing is protected by SELinux, a mandatory access control security mecha-
nism. Refer to Chapter 23 for details on how SELinux works.
If SELinux is set to the enforcing mode, the files shared via Samba must be labeled with the
correct SELinux security context. After configuring Samba to share a directory, execute the
following command to change the security context of the files in the shared directory:
chcon -R -t samba_share_t <directory>
If the directory is inside a home directory, you might need to set the security context of
the entire home directory:
chcon -R -t samba_share_t <home_directory>
CAUTION
If the filesystem is relabeled for SELinux, the security context changes you make will
be overwritten. To make your changes permanent even through a relabel, refer to the
"Making Security Context Changes Permanent" section in Chapter 23.
Execute the following command to allow home directories or directories inside home
directories to be shared:
setsebool -P samba_enable_home_dirs=1
To verify that the setting has been changed, execute the following:
getsebool samba_enable_home_dirs
If enabled, the output should be the following:
samba_enable_home_dirs --> on
If more than one file sharing protocol is configured to share the same set of files such as
FTP and Samba, the security context of the files must be set to public_content_t or
public_content_rw_t instead. Additional SELinux booleans must be enabled as well. Refer
to the "Security Context for Multiple File-Sharing Protocols" section in Chapter 23 for
complete instructions.
To use Samba to mount home directories from a Samba server, the use_samba_home_dirs
boolean must be set to 1 on each system mounting the home directories.
Any of these SELinux booleans can also be modified by running the SELinux Management
Tool. Start it by selecting Administration, SELinux Management from the System menu
on the top panel of the desktop or by executing the system-config-selinux command.
Enter the root password when prompted if running as a non-root user. Select Boolean
from the list on the left. On the right, click the triangle icon next to Samba. The SELinux
booleans affecting Samba appear. A check box appears next to each enabled boolean.
Changes take place immediately after modifying the check box.
TIP
The SELinux booleans that affect Samba are described in the samba_selinux man
page, viewable with the man samba_selinux command.
Allowing Samba Connections
Before configuring the Samba server, configure your firewall settings to allow the incom-
ing connections. The following ports must be opened:
UDP port 137 for netbios-ns, the NETBIOS Name Service
UDP port 138 for netbios-dgm, the NETBIOS Datagram Service
TCP port 139 for netbios-ssn, the NETBIOS Session Service
TCP port 445 for microsoft-ds, the Microsoft Domain Service
If custom IPTables rules are being used, refer to Chapter 24 for details on how to allow
these ports.
If the default security level is enabled instead of custom IPTables rules, use the Security
Level Configuration tool to allow Samba connections. Start it by selecting Administration,
Security Level and Firewall from the System menu on the top panel of the desktop or by
executing the system-config-securitylevel command. Enter the root password when
prompted if running as a non-root user. In the Other ports area, click Add to specify each
Samba port.
Using a Graphical Tool to Configure the Samba Server
To use a system as a Samba server, the samba RPM package must be installed. If it is not
installed, install it with Red Hat Network as described in Chapter 3. To configure it via the
Samba Server Configuration graphical interface, the system-config-samba RPM package
must also be installed.
To start the tool, select Administration, Server Settings, Samba from the System menu on
the top panel of the desktop. Alternatively, execute the command system-config-samba from
a shell prompt. All configured shares are listed when the tool starts, as shown in Figure 13.5.
FIGURE 13.5 Samba Server Configuration Tool
Root privileges are required to modify the Samba server settings, so you must have root
access to use this tool. If you are not root when you start the program, you will be
prompted for the root password.
Configuring the Samba Server Settings
The first step when setting up Samba is to configure the server settings. Select
Preferences, Server Settings from the pull-down menu to display the Server Settings
dialog window as shown in Figure 13.6.
On the Basic tab, configure the workgroup name for the server and give a brief description.
FIGURE 13.6 Samba Server Settings
On the Security tab, configure the following:
Authentication Mode: Select one of the following:
ADS: The Samba server acts as a domain member in an Active Directory
Domain (ADS) realm. Kerberos must be installed and properly configured on
the server for this authentication mode to work. In addition, use the net
utility to make Samba a member of the ADS realm. The net utility can be
installed with the samba-common package. Refer to the man page for net (use
the command man net) for details. Be sure to also set the Kerberos Realm,
which must be in all uppercase letters, such as EXAMPLE.COM.
NOTE
This option does not configure Samba to be an ADS Controller.
Domain: Authentication is achieved by passing the username and password
combination to a Windows NT Primary or Backup Domain Controller just like
a Windows NT Server. A valid Linux system account must exist on the Samba
server so the Windows Domain Controller account can be mapped to it. Set
the Authentication Server field to the NetBIOS name of the Primary or Backup
Domain Controller that will perform the authentication.
If this option is selected, the Samba server must be added to the Windows NT
Domain with the net utility provided by the samba-common package. Also,
Encrypted Passwords must be set to Yes.
Server: Account verification is passed to another Samba server. If that fails, the
server tries to authenticate locally using the User mode. Set the Authentication
Server field to the NetBIOS name of the remote Samba server that will perform
the authentication. Encrypted Passwords must be set to Yes if the remote
server used for authentication supports it.
Share: Samba users can browse the shared directories without having to enter
a username and password combination. They are only prompted for a user-
name and password when they attempt to connect to a specific shared direc-
tory from a Samba server.
User: (Default) Samba users must provide a valid username and password on a
per-Samba-server basis. Select this option if you want the Windows Username
option to work.
Authentication Server: Used in conjunction with the Domain and Server authenti-
cation modes.
Kerberos Realm: Used in combination with the ADS authentication mode. It must
be in all uppercase letters, such as EXAMPLE.COM.
Encrypt Passwords: Set to yes by default. If set to no, passwords are sent over the
network in plain text and can be intercepted by a simple packet sniffer. It is highly
recommended not to change this setting.
Guest Account: To configure the server to allow a guest account to connect, select a
system user from the pull-down menu. When a guest connects to the server, the
guest user will be mapped to this system user with all the permissions the system
user has.
Click OK to save the settings. The settings take effect immediately: If the service is not
started, clicking OK starts it. If the service is already started, clicking OK forces a reload of
the configuration file.
Adding Samba Users
After configuring the server settings, the next step is to configure the Samba users. If the
authentication type is set to user, access to Samba shares is allowed by a username and
password combination. These users must be configured as Samba users. Each Samba user
maps to an existing user on the Samba server, so a user account must exist for each Samba
user before that Samba user is added in this graphical program. Refer to the
"Managing Users and Groups" chapter for more information on adding system users.
To add Samba users, select Preferences, Samba Users from the pull-down menu. Click
Add User and provide the following:
Unix Username: The existing user to map the Samba user to.
Windows Username: The username to be used for Samba authentication. This
option is useful if the user already has an account on the Windows system connect-
ing to the server, but the username on the Windows system is different from the
username on the Linux Samba server. For this to work, the Authentication Mode on
the Security tab of the Server Settings preferences must be set to User.
Samba Password: A password for the Samba user to be used for Samba authentica-
tion. For higher security, this should be different from the user's system password.
Confirm Samba Password: Enter the password again to make sure it is recorded
without typos.
Clicking OK saves the new user to /etc/samba/smbusers, and the change takes effect
immediately. Repeat this process for each Samba user you want to configure.
Adding a Samba Share
All currently configured shares are shown each time the program is started, as shown in
Figure 13.5. To add a new share, click the Add Share button in the toolbar. The Create
Samba Share dialog window appears as shown in Figure 13.7.
FIGURE 13.7 Adding a Samba Share
The Create Samba Share dialog window includes two tabs for configuring the options for
each share. The Basic tab contains the following options:
Directory: The directory to share via Samba. The directory must already exist.
Share name: The share name visible to the Samba clients.
Description: Brief description for the share.
Writable: If selected, client systems can write back to the directory. If not selected,
the shared directory is read-only.
Visible: If selected, the share will appear when a system on the network browses for
Samba shares. If not selected, the user must know the share name to access it.
On the Access tab, indicate whether everyone or only specific users should be allowed
access to the share. If Only allow access to specific users is selected, select them from the
list of existing Samba users on this tab as well.
TIP
To find out who is connected to the Samba server, use the smbstatus command from a
shell prompt. It will list all active connections, including usernames and IP addresses.
Configuring the Samba Server with the Command Line
To configure a Red Hat Enterprise Linux system as a Samba server, the samba RPM package
must be installed.
The configuration files for Samba are located in the /etc/samba/ directory, with the main
configuration file being /etc/samba/smb.conf.
The options in the [global] section of the file apply to all shares unless an individual
share section overrides the global option.
In the [global] section of smb.conf, specify a workgroup and description for the server:
workgroup=WORKGROUP
server string=DESCRIPTION
Even though access to a specific share directory is granted via a username and password
combination, access to all shares from the server can also be restricted by IP address. To
allow only certain systems to access the server, use the following option in the
[global] section of smb.conf:
hosts allow = <IP addresses>
where <IP addresses> can be hostnames, IP addresses, or IP address ranges. If host-
names are used, the system must be able to resolve them to IP addresses. All acceptable
formats can be listed with the command man 5 hosts_access. The hosts allow option
can also be used in the individual share sections.
TIP
Use the command man smb.conf to view a complete list of the many configuration
options for Samba.
Adding Samba Users
Samba uses its own user database, including passwords. However, a system user with the
same username must exist before a corresponding Samba user can be added to the server.
To add a Samba user, create a system user with the same username if it doesn't already
exist, and then use the following command as root:
smbpasswd -a <username>
This writes an encrypted password for the user to the /etc/samba/smbpasswd file. By
default, Samba encrypts passwords. The use of encrypted passwords does not need to be
explicitly included in the configuration file, but it can be set with the following line in
the [global] section:
encrypted passwords = yes
If users will be connecting to the Samba shares from a Microsoft Windows system, it is
possible to map Windows usernames to Samba usernames. This is useful if the Windows
system is configured with different usernames. To map Windows usernames to Samba
usernames, add them to /etc/samba/smbusers with the following format:
username = windows_name1
To map more than one Windows username to the same Linux system username, separate
them by spaces:
username = windows_name1 windows_name2
Adding a Samba Share
To add a shared directory, include a section in smb.conf:
[sharename]
path = <path>
The sharename should be descriptive and easy to remember. Table 13.1 includes other
common options.
TABLE 13.1 Common Samba Share Options
Command        Description
comment        Brief description of the share displayed when browsing for the share.
valid users    List of Samba users allowed access to the share.
invalid users  List of Samba users denied access to the share. If a user is listed in both the
               valid users and the invalid users list, the user is denied access.
public         If set to yes, password authentication is not required. Access is granted
               through the guest user with guest privileges. (default=no)
read only      If set to yes, client users can not create, modify, or delete files in the
               share. (default=yes)
printable      If set to yes, client users can open, write to, and submit spool files on
               the shared directory. (default=no)
hosts allow    List of clients allowed access to the share. Use the command man 5
               hosts_access for details on valid IP address formats.
browseable     If set to no, the share will not be visible in a net view or a browse list.
               (default=yes)
For example, Listing 13.3 contains a section to share a data directory between the users
bsf and akf. This directory is not visible in a net view or browse list.
LISTING 13.3 Private Samba Share
[data]
comment=Private share for bsf and akf
path=/shares/data
read only = no
valid users = bsf akf
browseable = no
Listing 13.4 shows a more open share of the Samba server's /tmp directory. All valid Samba
users are allowed read-write access, and it is visible in a net view or browse list.
LISTING 13.4 Samba Share for /tmp/
[tmp]
comment=Shared temporary disk space
path=/tmp
read only = no
browseable = yes
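Before committing a new smb.conf, it helps to see which shares the settings above actually leave open. The following is an added example, not code from the book or from the Samba project: it parses the [section] / key = value format, lets shares inherit [global] values as Samba does, and flags shares that are guest-accessible, writable without a valid users list, or unrestricted by hosts allow. The sample configuration is constructed from Listings 13.3 and 13.4 plus one deliberately loose share.

```python
"""Parse smb.conf and flag share settings that deserve a second look.

Added example; not code from the book or from the Samba project. Shares
inherit [global] defaults the way Samba applies them, and the report covers
guest access, writes without a "valid users" list, and a missing
"hosts allow". SAMPLE_SMB_CONF is a constructed input.
"""
import re

SAMPLE_SMB_CONF = """\
# Global parameters
[global]
workgroup = WORKGROUP
server string = Samba Server
hosts allow = 192.168.0.

[data]
comment = Private share for bsf and akf
path = /shares/data
read only = no
valid users = bsf akf
browseable = no

[tmp]
comment = Shared temporary disk space
path = /tmp
read only = no
browseable = yes

[drop]
path = /srv/drop
public = yes
read only = no
"""

# Samba treats "guest ok" as a synonym for "public", and "writable",
# "writeable" and "write ok" as the inverse of "read only".
_SYNONYMS = {"guest ok": "public", "writable": "read only",
             "writeable": "read only", "write ok": "read only"}
_INVERTED = {"writable", "writeable", "write ok"}


def _truthy(value):
    """Interpret Samba's boolean spellings (yes/no, true/false, 1/0, on/off)."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace
    collapsed so 'read only' and 'Read  Only' are the same parameter."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                    # start of a [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = " ".join(key.lower().split()), value.strip()
        if key in _INVERTED:                     # writable = yes -> read only = no
            value = "no" if _truthy(value) else "yes"
        sections[current][_SYNONYMS.get(key, key)] = value
    return sections


def audit_shares(sections):
    """Return {share: [finding, ...]} for every section other than [global].

    A global "hosts allow" counts as a restriction for every share, since
    share sections fall back to [global] exactly as smb.conf does."""
    global_opts = sections.get("global", {})
    findings = {}
    for name, opts in sections.items():
        if name == "global":
            continue
        eff = {**global_opts, **opts}
        issues = []
        if _truthy(eff.get("public", "no")):
            issues.append("guest access enabled (public/guest ok = yes)")
        # Samba's default for "read only" is yes, so a missing key means read-only.
        if not _truthy(eff.get("read only", "yes")) and not eff.get("valid users"):
            issues.append("writable by any user the server accepts (no valid users)")
        if not eff.get("hosts allow"):
            issues.append("no hosts allow restriction")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for share, issues in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)).items():
        print(f"[{share}]: {'; '.join(issues) if issues else 'ok'}")
```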
Testing the Samba Configuration File
After modifying the smb.conf file, test for syntax errors with the testparm command. By
default, it looks for the configuration file in /etc/samba/smb.conf. To force it to look at a
different file, specify it as a command-line argument such as testparm /etc/samba/
smb.conf.new. This allows an administrator to test multiple files or create a new Samba
configuration file elsewhere before committing it to the actual configuration file. Listing
13.5 shows the output of testparm.
LISTING 13.5 Testing a Samba Configuration File
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
After the testing is done, it prompts the administrator to press Enter to display the service
definitions. If Enter is pressed, the global options are shown followed by a list of config-
ured Samba shares for the server as shown in Listing 13.6.
LISTING 13.6 List of Samba Shares
# Global parameters
[global]
workgroup = WUDAN
server string = jadefox Samba Server
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
read only = No
Starting and Stopping the Samba Server
To start the Samba server, execute the command service smb start. To stop the server,
execute the command service smb stop.
To have the service start automatically at boot time, use chkconfig:
chkconfig smb on
To determine whether or not the Samba server is running, use the command service smb
status. If the smb.conf configuration file is modified after the service is started, use the
command service smb reload to force a reread of the configuration file so the changes
take effect.
Logging Samba Connections
The system log file, /var/log/messages, contains messages from the Samba services smbd,
nmbd, and mount.cifs as well as kernel messages about the smb service.
By default, a log file is created for each system that connects to the server. The log files
are located in the /var/log/samba/ directory, with the naming convention of
<client_name>.log for the individual log files. This default is configured in smb.conf
with the following line:
log file = /var/log/samba/%m.log
To use one log file for all clients instead, change this line to the following:
log file = /var/log/samba/log.smbd
The log files are rotated once a week and kept on disk for four weeks by the logrotate
utility.
Connecting to the Samba Shares
Connecting to a Samba share in Windows varies with the different versions. Refer to the
documentation for your version of Windows for detailed information on connecting to a
Samba share. The method for connecting to a Windows Samba server and a Linux Samba
server is the same. This section goes into detail about how to connect to a Samba server,
Linux or Windows, from a Red Hat Enterprise Linux system.
NOTE
Connecting to a Samba share with the Desktop File Browser and smbclient does not
require root privileges. However, the mount.cifs and mount -t cifs <share>
commands must be run as the root user.
Connecting Using the Desktop File Browser
To view all available shares on the network (except those that have visibility disabled),
select Places, Network Servers from the desktop menu. As shown in Figure 13.8, each
server icon represents a share server. Double-click on it to view the shared directories on
the server. Depending on what authentication type the server is configured for, you might
be prompted for a username and password.
FIGURE 13.8 Browsing Samba Servers
To narrow down the list of servers by workgroup, double-click on the Windows Network
icon. A list of workgroups will appear. Double-click on the workgroup to view the Samba
servers in that workgroup.
If you know the name of the server you want to connect to, you can connect to it directly
and create a shortcut on the desktop. This is also useful for servers that are configured to
not be visible and thus don't appear when you browse the network. Select Places,
Connect to Server from the desktop menu. Then select Windows share as the Service
type, and enter the name of the server as shown in Figure 13.9.
FIGURE 13.9 Connecting Directly to a Samba Share
Under the Optional information section, the following can be configured:
Share: The name of the Samba share.
Folder: The folder to open inside the Samba share.
User Name: The username to use for authentication when connecting. If a user-
name is not provided, the connection is made with the guest account if it is
enabled, which usually has limited permissions.
Name to use for the connection: Connection name to use when labeling the
temporary mount point in the Places menu and on the desktop.
An icon will appear on the desktop using the name of the server or, if provided, the name
in the Name To Use For The Connection field. A shortcut is also listed under the Places
menu item in the desktop menu.
NOTE
To unmount the share, right-click on its desktop icon and select Unmount Volume. If
the share is not unmounted, it will remain in the Places menu on reboot, but you must
reauthenticate to access the share after rebooting.
Connecting with smbclient
The smbclient command provides an FTP-like interface to the server. It is provided by the
samba-client package. Install it via RHN if not already installed.
Before you can connect to a Samba share, you must know its name. If you only know the
name of the Samba server, use smbclient to display a list of available shares and the
workgroup for the Samba server, replacing <servername> and <username>:
smbclient -L <servername> -U <username>
The output will look similar to Listing 13.7.
LISTING 13.7 Output from smbclient -L
Domain=[JADEFOX] OS=[Unix] Server=[Samba 3.0.14a-2]
        Sharename       Type      Comment
        ---------       ----      -------
        tmp             Disk      Temporary file space
        IPC$            IPC       IPC Service (jadefox)
        ADMIN$          IPC       IPC Service (jadefox)
        printer         Printer   printer
        tfox            Disk      Home Directories
Domain=[JADEFOX] OS=[Unix] Server=[Samba 3.0.23c-2]
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
        WUDAN                JADEFOX
If the -U <username> option is not used, the connection is attempted as a guest user. If a
username is specified, enter the correct password when prompted.
To connect to a specific share using smbclient, use the following:
smbclient //<servername>/<sharename> -U <username>
A successful connection is indicated by the smb: \> prompt. Once connected, the
commands are similar to those of a command-line FTP client. Table 13.2 lists common commands.
TABLE 13.2 Common smbclient Commands
Command                Description
pwd                    Display current remote directory
cd <directory_name>    Change directories if it is accessible
lcd <directory_name>   Change current local directory
get <file>             Retrieve <file> from current remote directory to current local
                       directory
mget <files>           Retrieve multiple files; you will be prompted for each matching file
                       unless prompting is disabled
put <file>             Upload local file to the current remote directory
mput <files>           Upload multiple local files to the current remote directory; you will
                       be prompted for each matching file unless prompting is disabled
prompt                 Toggle prompting for confirmation of each file with the mget and mput
                       commands
ls                     List files in current remote directory
exit                   Close connection to Samba server and exit
Mounting the Samba Share
To mount a Samba share to a local directory, similar to mounting an NFS share, use the
following command (you must be root):
mount -t cifs //servername/sharename /mountpoint -o username=<username>
Replace the servername, sharename, mountpoint, and username. You will be prompted for
the password. Remember that the user must exist as a Samba user on the Samba server.
After it is mounted, the files on the mount can be accessed just like local files in the direc-
tory given as the mount point. All updates to the share automatically appear on the
clients.
To unmount the share, use the command umount /mountpoint (replace /mountpoint).
This mount is not persistent; it will not be remounted on reboot.
Alternatively, the mount.cifs command from the samba-client package can perform the
same mount. It is just a shortcut to mount -t cifs. It must be run as the root user as well:
mount.cifs //servername/sharename /mountpoint -o username=<username>
To create a persistent mount that is automatically mounted at boot time, add an entry to
/etc/fstab:
//servername/sharename /mountpoint cifs defaults 0 0
Replace servername, sharename, and mountpoint. To make the mount read-write, replace
defaults with rw. Because including the password is a security risk, and just giving the
username will prompt for a password, this configuration mounts the share as a guest user.
Because mounting as a guest only gives the user the permissions of user nobody on the
Samba server, it is possible to configure a credentials file that includes the username and
password (and any other options necessary for the mount):
//servername/sharename /mountpoint cifs credentials=/etc/smbcreds 0 0
This configuration will refer to the file /etc/smbcreds for Samba options. The file should
include the following lines (replace <username> and <password>):
username=<username>
password=<password>
This file can have a different filename and be located anywhere on the filesystem.
However, to prevent other users from getting the password, be sure to change the permis-
sions of the credentials file with the command chmod 600 <filename> so only the owner
can read it. For extra security, be sure the password used is not used for access to other
systems in case it is compromised or read by someone else.
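The two mistakes this passage warns about, a password written straight into /etc/fstab and a credentials file readable by other users, are easy to check for mechanically. The following is an added example, not code from the book or the Samba project: it parses the cifs entries of an fstab, flags inline passwords, verifies a credentials= file's owner and mode, and notes entries that will mount as guest. The fstab text and the credentials file are constructed; the server name jadefox is only the book's example host.

```python
"""Audit /etc/fstab CIFS entries for credential-handling mistakes.

Added example; not code from the book or from the Samba project. For each
cifs line it flags a password placed directly in the mount options (fstab
is world-readable), checks that a credentials= file exists, is owned by the
expected uid (root, uid 0, by default) and has no group/other permission
bits (the chmod 600 the text calls for), and notes entries that will mount
as guest. SAMPLE_FSTAB and the credentials file are constructed.
"""
import os
import stat
import tempfile

SAMPLE_FSTAB = """\
/dev/VolGroup00/LogVol00  /          ext3  defaults                      1 1
//jadefox/data            /mnt/data  cifs  credentials={creds}           0 0
//jadefox/tmp             /mnt/tmp   cifs  username=bsf,password=secret  0 0
//jadefox/pub             /mnt/pub   cifs  defaults                      0 0
"""


def parse_cifs_entries(fstab_text):
    """Return [(share, mountpoint, {option: value}), ...] for cifs lines only."""
    entries = []
    for raw in fstab_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        opts = {}
        for item in fields[3].split(","):
            key, _, value = item.partition("=")   # a bare flag like "rw" -> ("rw", "")
            opts[key] = value
        entries.append((fields[0], fields[1], opts))
    return entries


def check_credentials_file(path, owner_uid=0):
    """Return a list of problems with a mount.cifs credentials file."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: credentials file does not exist"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: not owned by uid {owner_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: readable by group/others; run chmod 600")
    return problems


def audit_fstab(fstab_text, owner_uid=0):
    """Return {mountpoint: [problem, ...]} for every cifs entry in fstab_text."""
    report = {}
    for _share, mountpoint, opts in parse_cifs_entries(fstab_text):
        problems = []
        if "password" in opts or "pass" in opts:
            problems.append("password stored in fstab options (world-readable file)")
        if "credentials" in opts:
            problems += check_credentials_file(opts["credentials"], owner_uid)
        elif "username" not in opts and "password" not in opts:
            problems.append("no credentials given; mounts as guest (nobody on the server)")
        report[mountpoint] = problems
    return report


def demo_report(mode):
    """Write a throwaway credentials file with the given mode, then audit
    SAMPLE_FSTAB against it as the current user, so this runs unprivileged."""
    creds = os.path.join(tempfile.mkdtemp(), "smbcreds")
    with open(creds, "w") as fh:
        fh.write("username=bsf\npassword=secret\n")   # constructed placeholder values
    os.chmod(creds, mode)
    return audit_fstab(SAMPLE_FSTAB.format(creds=creds), owner_uid=os.getuid())


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(f"credentials file mode {mode:o}:")
        for mountpoint, problems in demo_report(mode).items():
            print(f"  {mountpoint}: {'; '.join(problems) or 'ok'}")
```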
NOTE
Adding an entry for a Samba mount point to /etc/fstab does not automatically
mount the share. It will be mounted the next time the system is booted. To mount the
share immediately, use the following command as root (replace /mountpoint):
mount /mountpoint
Yet another option for configuring a Samba mount is to use autofs. The share can be
mounted in any directory reserved for autofs. For example, to mount it in
/misc/<mount_dir>/, make sure the following line exists and is not commented out in
/etc/auto.master:
/misc /etc/auto.misc
Then, in /etc/auto.misc, add the following line:
mount_dir -fstype=cifs,credentials=/etc/smbcreds ://<servername>/<sharename>
As shown, a credentials file can also be used with autofs. If the autofs service is already
started, be sure to reload the configuration files with the command service autofs
reload. Refer to the "Using autofs to Connect to the NFS Share" section in this chapter
for more details on how autofs works.
Summary
In this chapter, both the NFS and Samba protocols for sharing files across a network were
discussed. NFS should be used for file sharing among UNIX-based operating systems.
However, if the clients include Microsoft Windows clients, a Red Hat Enterprise Linux
system can be configured as a Samba server, and Red Hat Enterprise Linux can also serve
as a Samba client to connect to a Linux or Windows Samba server.
IN THIS CHAPTER
Allowing Connections
Configuring the Server
Logging Connections
CHAPTER 14
Granting Network Connectivity with DHCP
DHCP, or Dynamic Host Configuration Protocol, allows an administrator to configure
network settings for all clients on a central server. The DHCP clients request an IP address
and other network settings from the DHCP server on the network. The DHCP server in
turn leases the client an IP address within a given range or leases the client an IP address
based on the MAC address of the client's network interface card (NIC). If an IP address is
assigned according to the MAC address of the client's NIC, the same IP address can be
leased to the client every time the client requests one.
DHCP makes network administration easier and less prone to error. For example, when
network settings or the IP address range of a network changes, instead of changing the
configuration files on each client, the administrator simply changes the configuration on
the DHCP server and applies the changes. If your network consists of hundreds of clients,
it is easy to see the benefits.
From the user's point of view, DHCP can be useful for mobile computing. If a laptop is
configured to use DHCP for its network settings, it can easily move from one network to
another without reconfiguration or user intervention as long as the network includes a
DHCP server with an available IP address for the laptop.
NOTE
If SELinux, a mandatory access control security system, is enabled, the default
targeted policy protects the DHCP daemon. Refer to Chapter 23, "Protecting Against
Intruders with Security-Enhanced Linux," for details.
Allowing Connections
By default, the DHCP server listens for requests on UDP port 67. Verify that your firewall
settings allow incoming requests on this port.
NOTE
If the local-port parameter (discussed in the next section) is used in the configura-
tion file to change the port number, adjust your firewall settings for the defined port
instead.
If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for
details on how to allow these ports.
If using a default security level in Red Hat Enterprise Linux, use the Security Level
Configuration tool. Start it by selecting Administration, Security Level and Firewall
from the System menu on the top panel of the desktop or by executing the system-
config-securitylevel command. Enter the root password when prompted if running as
a non-root user. In the Other ports area, click Add to specify the DHCP port. After adding
the port, it appears in the Other ports list as shown in Figure 14.1.
FIGURE 14.1 Allowing DHCP Requests
Configuring the Server
To configure a Red Hat Enterprise Linux system as a DHCP server, the dhcp RPM package
must be installed. If it is not installed, use Red Hat Network to install it as discussed in
Chapter 3, "Operating System Updates." The DHCP server can allow any system on the
network to retrieve an IP address, assign systems the same IP address each time one is
requested, or a combination of the two.
The DHCP service uses the /etc/dhcpd.conf configuration file. A file without any config-
uration options is installed at this location with the dhcp package, and a sample file is
provided in /usr/share/doc/dhcp-<version>/dhcpd.conf.sample.
NOTE
Because brackets and curly brackets are used to define statement groupings and rela-
tionships, blank lines and extra spacing including tabs can be used to format the file
so it is easier to read. Lines that begin with # are considered comments.
In older versions of DHCP, the ad-hoc DNS update scheme was available. In the current
version, it is deprecated and does not work. Thus, the interim scheme is highly recom-
mended. For more details, refer to the dhcpd.conf man page with the command man
dhcpd.conf. As you can see from the sample configuration file /usr/share/doc/dhcp-
<version>/dhcpd.conf.sample, the first line of /etc/dhcpd.conf should define the DNS
update scheme:
ddns-update-style interim;
Listing 14.1 contains an example DHCP configuration file. In this example, three subnets
are defined, two of which are on the same physical network. In the 192.168.0.0 subnet
declaration, several options including the gateway, subnet mask, and DNS server are
configured for all clients in the subnet. Clients in the subnet who request an IP address
are leased an IP address in the 192.168.0.128 to 192.168.0.254 range, with the exception
of the system defined in the host statement. If the system with the MAC address listed in
the host statement connects, it is leased the 192.168.0.4 IP address each and every time.
TIP
To obtain the MAC address of a network interface card in a Red Hat Enterprise Linux
client, use the command ifconfig <interface-name>, where <interface-name> is
the device name for the NIC such as eth0.
LISTING 14.1 Example DHCP Configuration File
ddns-update-style interim;
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
    #global parameters for the subnet
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com";
    option domain-name-servers 192.168.1.1;
    range dynamic-bootp 192.168.0.128 192.168.0.254;
    default-lease-time 21600;
    max-lease-time 43200;
    # fixed address example
    host jadefox {
        next-server ns.example.com;
        hardware ethernet 12:34:56:78:A8:00;
        fixed-address 192.168.0.4;
    }
}
shared-network third-floor {
    #global parameters for the shared network
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
    option nis-domain "example.com";
    option domain-name "example.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 21600;
    max-lease-time 43200;
    subnet 192.168.10.0 netmask 255.255.255.0 {
        range dynamic-bootp 192.168.10.1 192.168.10.254;
    }
    subnet 192.168.20.0 netmask 255.255.255.0 {
        range dynamic-bootp 192.168.20.1 192.168.20.254;
    }
}
In Listing 14.1, the two subnets in the shared-network grouping are on the same physical
network and share all the parameters defined before the first subnet declaration within
the shared-network declaration. Each subnet then has an IP address range defined for its
clients.
To configure global settings for multiple declaration groups, use the group statement as
shown in Listing 14.2. In this example, all the options outside the two host declarations
apply to both host declarations. The group statement is not limited to host statements. It
can be used to declare the same options for multiple subnets, for example.
LISTING 14.2 Example group Declaration
group {
  #common parameters for both host declarations
  option routers 192.168.10.254;
  option subnet-mask 255.255.255.0;
  option domain-name "example.com";
  option domain-name-servers 192.168.10.24;
  default-lease-time 21600;
  max-lease-time 43200;
  host printer {
    option host-name "printer.example.com";
    hardware ethernet 01:8E:88:5E:1A:CD;
    fixed-address 192.168.10.7;
  }
  host payroll {
    option host-name "payroll.example.com";
    hardware ethernet 02:84:7C:43:CD:FF;
    fixed-address 192.168.10.10;
  }
}
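Before restarting dhcpd on a file built from declarations like those in Listings 14.1 and 14.2, it helps to check that the nested subnet, shared-network, group, and host declarations agree with each other. The following Python script is an added example, not code from the book: it walks the brace structure and reports range addresses outside their subnet, fixed addresses that belong to no declared subnet, and MAC addresses or fixed addresses reused by two host declarations; the function names are the example's own, and the configuration it checks is a constructed sample with three deliberate mistakes.

```python
"""Consistency checks for an ISC dhcpd.conf (constructed example, not the book's code)."""
import ipaddress
import re

def tokenize(text):
    """Drop # comments, then split into words, quoted strings, braces and ';'."""
    stripped = " ".join(re.sub(r"#.*", "", line) for line in text.splitlines())
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', stripped)

def parse(tokens):
    """Turn the token stream into (words, children) pairs; children is None
    for a simple statement and a nested list for a { ... } block."""
    stmts, words, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        elif tok == "{":
            depth, j = 1, i + 1
            while depth:                                 # find the matching brace
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            stmts.append((words, parse(tokens[i + 1:j - 1])))
            words, i = [], j
        else:
            words.append(tok)
            i += 1
    if words:
        stmts.append((words, None))
    return stmts

def check_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    findings, subnets, hosts = [], [], []

    def visit(stmts, enclosing):
        for words, children in stmts:
            kw = words[0]
            if kw == "subnet" and children is not None:
                net = ipaddress.ip_network(f"{words[1]}/{words[3]}", strict=False)
                subnets.append(net)
                visit(children, net)                     # ranges below belong to this subnet
            elif kw == "range":
                for ip in [w for w in words[1:] if w != "dynamic-bootp"]:
                    if enclosing is None or ipaddress.ip_address(ip) not in enclosing:
                        findings.append(f"range address {ip} is not inside subnet {enclosing}")
            elif kw == "host" and children is not None:
                mac = fixed = None
                for inner, _ in children:
                    if inner[:2] == ["hardware", "ethernet"]:
                        mac = inner[2].lower()
                    elif inner[0] == "fixed-address":
                        try:
                            fixed = ipaddress.ip_address(inner[1])
                        except ValueError:               # a hostname; not resolved here
                            pass
                hosts.append((words[1], mac, fixed))
            elif children is not None:                   # group, shared-network, class, ...
                visit(children, enclosing)

    visit(parse(tokenize(text)), None)
    seen_mac, seen_ip = {}, {}
    for name, mac, fixed in hosts:
        if mac in seen_mac:
            findings.append(f"host {name} reuses MAC {mac} already used by host {seen_mac[mac]}")
        elif mac:
            seen_mac[mac] = name
        if fixed is None:
            continue
        if fixed in seen_ip:
            findings.append(f"host {name} reuses fixed-address {fixed} of host {seen_ip[fixed]}")
        seen_ip.setdefault(fixed, name)
        if not any(fixed in net for net in subnets):
            findings.append(f"host {name}: fixed-address {fixed} is inside no declared subnet")
    return findings

# Constructed sample modelled on Listings 14.1 and 14.2, with three deliberate mistakes.
SAMPLE_CONF = """
subnet 192.168.0.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.0.128 192.168.0.254;
  host adefox { hardware ethernet 12:34:56:78:AB:CD; fixed-address 192.168.0.4; }
}
shared-network third-floor {
  subnet 192.168.10.0 netmask 255.255.255.0 { range 192.168.10.1 192.168.10.254; }
  subnet 192.168.20.0 netmask 255.255.255.0 {
    range 192.168.20.1 192.168.30.254;    # mistake 1: end address is outside the subnet
  }
}
group {
  option domain-name "example.com";
  host printer { hardware ethernet 01:8E:88:5E:1A:CD; fixed-address 192.168.10.7; }
  host payroll {
    hardware ethernet 12:34:56:78:ab:cd;  # mistake 2: same MAC as adefox
    fixed-address 192.168.40.10;          # mistake 3: no such subnet is declared
  }
}
"""

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONF)))
```

The script checks structure only; dhcpd -t remains the authoritative syntax check for the file.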
Common DHCP parameters are described in Table 14.1. For a complete list, refer to the dhcpd.conf man page with the command man dhcpd.conf.
TABLE 14.1 Common DHCP Parameters
Command                      Description
routers                      Router or gateway for the client's network configuration.
domain-name                  Domain name for the client's network configuration.
domain-name-servers          DNS servers for the client's network configuration.
default-lease-time <time>    Length of client lease, in seconds, if client does not request a different lease length.
max-lease-time <time>        Maximum amount of time, in seconds, the server will lease an IP address.
min-lease-time <time>        Minimum amount of time, in seconds, the server will lease an IP address.
local-port                   By default, DHCP listens for requests on UDP port 67. Use this option to listen on a different UDP port.
range <start-ip> <end-ip>    Range of IP addresses to lease to clients.
log-facility <facility>      Instead of logging to /var/log/messages, log to the specified facility. Refer to the "Logging Connections" section of this chapter for details.
host-name                    Specify a hostname for the client within a host declaration.
hardware <type> <address>    Specify the hardware address of a client such as the MAC address of an Ethernet card. <type> can be either ethernet or token-ring.
fixed-address <IP-address>   IP address that should be assigned to a specific host. Only valid within a host declaration.
After a client has successfully leased an IP address from the server, that IP address is reserved for the MAC address of the client for a specific amount of time as determined by a combination of the default-lease-time, max-lease-time, and min-lease-time parameters. This information is recorded in the /var/lib/dhcp/dhcpd.leases file on the DHCP server to make sure an IP address isn't assigned to more than one system at the same time.
NOTE
For DHCP client configuration, refer to Chapter 2, which provides instructions for network configuration.
Starting and Stopping the Server
Like the other services in Red Hat Enterprise Linux, DHCP can be started, stopped, and restarted with the service command as root. To start the server, use the service dhcpd start command. Each time the server is started, it looks for the /var/lib/dhcp/dhcpd.leases file. If it is not found, the service is not started. Before the service is started for the first time, the file must be created with the command touch /var/lib/dhcp/dhcpd.leases.
The command service dhcpd status displays whether the service is running. The command service dhcpd restart restarts the service, including re-reading the configuration file. Remember that the dhcpd service must be restarted after the configuration file is modified.
To configure the DHCP service to start automatically at boot time, use the command:
chkconfig dhcpd on
The DHCP server also looks for the /etc/sysconfig/dhcpd configuration file on startup. It is not required, but it can be used to define command-line options to dhcpd. The default file contains the following lines:
# Command line options here
DHCPDARGS=
For example, to only listen for connections on a specific network interface:
DHCPDARGS=eth0
This argument is useful for a DHCP server with separate network cards for traffic inside and outside a private network. For security reasons, the DHCP server should only listen for client connections on the NIC configured for internal traffic.
Additional command-line options are explained in the man page for dhcpd. Use the command man dhcpd to read it.
Logging Connections
By default, log messages from the DHCP server are written to /var/log/messages. However, DHCP supports logging to a separate file by adding the following statement to the top of dhcpd.conf:
log-facility <facility>;
For example, to use the local7 facility of syslog, use the following line:
log-facility local7;
The /etc/syslog.conf file must also be modified to include the following:
#Log DHCP daemon messages to separate file
local7.*      /var/log/dhcpd.log
You can use a different name for the log file, but the syslog.conf line must include its full path and it must be created with the same permissions as the /var/log/messages file. Also restart syslog to enable the change (as the root user):
service syslog restart
Because the log-facility statement is not read until dhcpd.conf is read, all logs before reading the configuration file are still written to /var/log/messages.
For more details on log facilities, refer to the syslog and syslog.conf man pages.
Summary
When configuring a large network of systems, DHCP can be used to quickly and easily configure client network settings. Clients can be assigned a specific IP address based on the MAC addresses of their network cards or can be assigned a random IP address from a defined range. Administrators benefit from this configuration because changes can be made on a central server instead of on each individual client.
For more information, refer to the dhcpd and dhcpd.conf man pages with the commands man dhcpd and man dhcpd.conf. For a complete list of DHCP options, use the command man dhcp-options.
IN THIS CHAPTER
Apache HTTP Server and SELinux
Allowing Connections
Configuring the Server
Logging Connections
Starting and Stopping the Server
CHAPTER 15
Creating a Web Server with the Apache HTTP Server
When you view a web page over the Internet, the code to create that page must be retrieved from a server somewhere on the Internet. The server that sends your web browser the code to display a web page is called a web server. There are countless web servers all over the Internet serving countless websites to people all over the world.
A web server can also be set up on an internal network so that it is only accessible by the computers inside the private network. If this internal network is inside a company or corporation, it is often called an intranet.
Whether you need a web server to host a website on the Internet or to host a company portal inside its internal network, a Red Hat Enterprise Linux server can function as a web server using the Apache HTTP server. The Apache HTTP server is a popular, open source server application that runs on many UNIX-based systems as well as Microsoft Windows. This chapter explains how to get a web server up and running on Red Hat Enterprise Linux.
Apache HTTP Server and SELinux
If SELinux, a mandatory access control security system, is enabled, the default targeted policy protects the Apache HTTP daemon. Refer to Chapter 23, "Protecting Against Intruders with Security-Enhanced Linux," for details about SELinux.
All files accessed via the web server must be labeled with the proper security context. For example, if SELinux is enabled and the DocumentRoot location is modified, the SELinux security context of the new location must be changed. A list of valid security contexts and their usages is given in the httpd_selinux man page, read with the man httpd_selinux command. Refer to the "Modifying Security Contexts" section of Chapter 23 for step-by-step instructions on changing the DocumentRoot.
The targeted SELinux policy allows for CGI scripts and allows the Apache HTTP Server to read home directories. Other features such as allowing Apache to run as an FTP server are not allowed by default to increase security. SELinux booleans must be explicitly set to 1 to allow these additional features. All of the SELinux booleans that affect the Apache HTTP server are described in the httpd_selinux man page viewable with the man httpd_selinux command.
These SELinux booleans can be set with the setsebool command or with the SELinux Management Tool, both of which are discussed in Chapter 23. To use the SELinux Management Tool, start it by selecting Administration, SELinux Management from the System menu on the top panel of the desktop or by executing the system-config-selinux command. Enter the root password when prompted if running as a non-root user. Select Boolean from the list on the left. On the right, click the triangle icon next to HTTPD Service to view a list of booleans.
Allowing Connections
By default, the Apache HTTP server uses TCP and UDP port 80 for HTTP transfers and TCP and UDP port 443 for HTTPS secure transfers. Verify that your firewall settings allow incoming requests on port 80 if serving non-encrypted web pages and port 443 if serving encrypted pages.
If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for details on how to allow these ports.
If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool to allow the system to serve web pages. Start the application by clicking on the System menu on the top panel of the desktop and then selecting Administration, Security Level and Firewall or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user.
As shown in Figure 15.1, select the WWW (HTTP) option in the Trusted services section to allow requests on port 80, and select the Secure WWW (HTTPS) option to allow secure requests on port 443. Click OK to enable the changes immediately.
FIGURE 15.1 Allowing HTTP Requests
Configuring the Server
To configure a Red Hat Enterprise Linux system as a web server, the httpd RPM package must be installed. If it is not installed, use Red Hat Network to install it (refer to Chapter 3, "Operating System Updates").
The main configuration file used by the web server is /etc/httpd/conf/httpd.conf. It is a plain text file that can be edited with a simple text editor such as Emacs or Vi. Refer to Chapter 4, "Understanding Linux Concepts," for more information on using these text editors.
NOTE
Red Hat Enterprise Linux includes version 2.2 of the Apache HTTP server. When consulting any documentation, make sure it is for version 2.2 because directives can change from version to version. To determine what version you have installed, execute the command rpm -q httpd on the command line.
The configuration options in the /etc/httpd/conf/httpd.conf configuration file are called directives. The file is divided into three main parts, or sets of directives:
Global configuration options for the server process
Main server options, which are also defaults for the virtual hosts
Virtual host definitions
The default configuration file is divided into these three categories, in the order listed previously. The Apache HTTP server in Red Hat Enterprise Linux has been customized for Red Hat Enterprise Linux. Thus, the default values in the default configuration file might differ from the default values in other documentation such as the ones found at apache.org.
NOTE
For a complete list of directives, go to http://httpd.apache.org/docs/2.2/mod/directives.html. When this chapter references the apache.org directive page, go to this page and click on the name of the directive for more detailed information. This chapter describes some of the more common directives to help get you started. It is by no means a substitution for reading the apache.org directive documentation.
Listing 15.1 shows common global configuration and main server directives that are explained in this chapter. Any line that begins with the # character is considered a comment.
LISTING 15.1 Sample Apache HTTP Server Configuration File
#Section 1: Global configuration options
ServerRoot /etc/httpd
Listen 80
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
User apache
Group apache
#Section 2: Main server configuration options
ServerAdmin webmaster@example.com
ServerName example.com
DocumentRoot /var/www/html
DirectoryIndex index.html index.php index.txt
ErrorDocument 404 /errors/404.html
Options Indexes MultiViews
Global Configuration Section
Common directives for the global configuration section include the following. The default values reflect the values found in the default configuration file included with Red Hat Enterprise Linux.
ServerRoot
Directory that contains the configuration files, error messages, and log files. Do not add a forward slash at the end of the directory path. Default value: /etc/httpd
Listen
Port number on which to listen for nonsecure (http) transfers. To specify multiple ports, list them on separate lines with the Listen directive. To only listen on a specific network interface, specify it before the port number such as Listen 192.168.1.1:80. Default value: 80
SecureListen
Optional directive to configure a secure, encrypted SSL connection on a specific port, usually port 443.
Timeout
Amount of time, in seconds, the server will wait for the following events before failing:
Receive a GET request
Receive TCP packets on a POST or PUT request
Receive ACKs on transmissions of TCP packets in responses
Default value: 120
KeepAlive
If set to On, more than one request is allowed per connection, also known as a persistent connection. Default value: Off
MaxKeepAliveRequests
If KeepAlive is set to On, number of requests allowed per connection. To allow unlimited requests, set this directive to 0. Default value: 100
KeepAliveTimeout
If KeepAlive is set to On, the amount of time, in seconds, the server will wait for additional requests from the same connection. The higher the number, the more httpd processes will wait for subsequent connections instead of accepting connections from new clients. Use caution when setting this value because waiting too long for subsequent connections might result in a slow response to new connections. Default value: 15
LoadModule
Module to be loaded. To specify multiple modules, list them on separate lines, each preceded by the LoadModule directive. Be sure the module can be used for the version of Apache you are running. Refer to the "Loading Modules" section later in this chapter for details.
User
Username or UID of the Apache process (httpd) owner. After the service is started as root, the process changes ownership to this user with fewer privileges. Default value: apache
Group
Group name or GID of the Apache process (httpd) group. To be used in conjunction with the User directive. Default value: apache
Main Server Section
Common directives for the main server section include
ServerAdmin
Email address or URL to be used as the contact link for the server administrator in error messages sent to clients. This directive can also be used in a virtual host declaration so each site can have different contact links.
ServerName
Hostname and port the server uses to identify itself to clients. This directive can also be specified in a virtual host section.
DocumentRoot
Location of files accessible by clients. By default, the Apache HTTP server in Red Hat Enterprise Linux is configured to serve files from the /var/www/html/ directory. The default web page of the server such as http://www.example.com/ must be located in this directory with a filename defined with the DirectoryIndex directive such as index.html. If subdirectories are created within /var/www/html/, they are also available on the website as subdirectories. For example, the /var/www/html/about/ directory translates to the http://www.example.com/about/ URL.
CAUTION
If SELinux is enabled and the DocumentRoot location is modified, the SELinux security context of the new location must be changed. Refer to the "Modifying Security Contexts" section of Chapter 23 for instructions.
DirectoryIndex
List of index files to use when a directory such as http://www.example.com/ or http://www.example.com/about/ is requested. Multiple index pages can be listed, separated by a space. Possible values include index.html, index.php, and index.txt. This directive can be set inside a virtual host or directory section as well. It requires the mod_dir module to be loaded.
ErrorDocument
Provide a custom message, web page, or remote URL to display for HTTP error codes. If this directive is not defined, a default error message is displayed. This directive can be defined in a virtual host or directory section to further customize error messages. Specify different error codes and how to handle them on separate lines. The format is as follows:
ErrorDocument <code> <page>
where <code> is the HTTP error code such as 404 for page not found and 500 for a server error. The <page> can be one of the following:
Location of a web page from the same server, starting with a forward slash. The page is relative to the DocumentRoot. It can be a server-side script. Example: /errors/404.html
Remote URL. Specify the entire URL, including the http://. Example: http://errors.example.com/404.html
Custom error message contained in quotation marks. Example: "Page not found on this server"
The keyword default to display the default error message from the Apache HTTP server.
Options
Allow a particular server feature for the main server, in a virtual host declaration, or in a directory section. List multiple options on the same line separated by spaces. The following Options are available:
All
All options except MultiViews.
ExecCGI
Allow for the execution of CGI scripts using the mod_cgi module.
FollowSymLinks
Follow symbolic links in the directory.
Includes
Allow server-side includes with the mod_include module.
IncludesNOEXEC
Allow server-side includes except for #exec cmd and #exec cgi. Using #include virtual, CGI scripts from directories listed with the ScriptAlias directive are still allowed.
Indexes
If the DirectoryIndex directive is not used to define valid index pages, allow the mod_autoindex module to generate the index pages list.
MultiViews
As provided by the mod_negotiation module, allow for the selection of the content according to what works best for the client based on the client's browser, language, preferred encoding, and more.
SymLinksIfOwnerMatch
Only follow symbolic links if the target file or directory is owned by the same user as the file or directory requested.
Directory Sections
In the main server section, each directory that contains files accessible to remote systems from the Apache HTTP server can be configured separately as shown in the <Directory> sections in Listing 15.2. <Directory> sections can also be configured within a virtual host section.
CAUTION
Do not end the directory name with a trailing forward slash.
LISTING 15.2 Example <Directory> Section
# Defaults for all directories
<Directory />
  Options FollowSymLinks
</Directory>
# Settings for DocumentRoot
<Directory "/var/www/html">
  Options Indexes MultiViews
</Directory>
# Settings for /legal/
<Directory "/var/www/html/legal">
  DirectoryIndex index.html
  ErrorDocument 404 /errors/legal/404.html
</Directory>
As you can see from Listing 15.2, it is wise to set defaults for the root directory of the files accessible by Apache and then modify them per directory and subdirectory. Directives configured for a directory apply to that directory and any subdirectories unless a separate set of directives is provided for the subdirectory. If a directive is defined in the main server section as well as within a directory declaration, the value in the directory declaration is used for that particular directory.
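Because a <Directory> section inherits whatever Options its parent sections set, the feature set a path actually ends up with is not visible from any one section. The following Python script is an added example, not the book's code: it applies the sections of a constructed httpd.conf (Listing 15.2 plus an uploads directory) from least to most specific path, using httpd's rule that a bare Options line replaces the inherited set while +/- forms merge with it, and then flags Indexes, ExecCGI, Includes, and FollowSymLinks wherever they end up enabled. It assumes plain directory paths (no wildcards or regular expressions), Apache 2.2's documented server default of Options All, and function names of its own.

```python
"""Effective Apache Options per path from nested <Directory> sections
(constructed example, not the book's code; plain paths only)."""
import re

ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "MultiViews", "SymLinksIfOwnerMatch"}
CANONICAL = {name.lower(): name for name in ALL_OPTIONS}
# Features worth a second look wherever they end up enabled.
RISKY = {
    "Indexes": "a directory listing is generated when no index page exists",
    "ExecCGI": "CGI execution is allowed; a writable directory becomes executable code",
    "Includes": "server-side includes may run commands (#exec); prefer IncludesNOEXEC",
    "FollowSymLinks": "symlinks are followed without the owner check SymLinksIfOwnerMatch alone would apply",
}
SECTION_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def expand(name):
    """Map one Options keyword to the feature set it stands for."""
    key = name.lower()
    if key == "all":
        return ALL_OPTIONS - {"MultiViews"}          # All means everything except MultiViews
    if key == "none":
        return set()
    if key not in CANONICAL:
        raise ValueError(f"unknown option {name!r}")
    return {CANONICAL[key]}


def apply_options(inherited, args):
    """Apply one Options line: +/- forms merge with the inherited set, bare
    forms replace it outright, and httpd rejects a line that mixes the two."""
    relative = [a for a in args if a[:1] in ("+", "-")]
    if relative and len(relative) != len(args):
        raise ValueError("Options mixes relative (+/-) and absolute forms")
    if not relative:
        return set().union(*(expand(a) for a in args))
    result = set(inherited)
    for a in args:
        result = result | expand(a[1:]) if a[0] == "+" else result - expand(a[1:])
    return result


def parse_directory_sections(conf):
    """Return [(path, [options_args, ...]), ...] in file order."""
    sections = []
    for match in SECTION_RE.finditer(conf):
        path = match.group(1).rstrip("/") or "/"
        option_lines = []
        for line in match.group(2).splitlines():
            parts = line.split("#", 1)[0].split()
            if parts and parts[0].lower() == "options":
                option_lines.append(parts[1:])
        sections.append((path, option_lines))
    return sections


def effective_options(sections, target, server_default=("All",)):
    """Walk the sections that contain target from least to most specific
    (httpd's merge order), starting from the server-wide default."""
    opts = apply_options(set(), list(server_default))
    applicable = [s for s in sections
                  if target == s[0] or target.startswith(s[0].rstrip("/") + "/")]
    for _, option_lines in sorted(applicable, key=lambda s: len(s[0])):
        for args in option_lines:
            opts = apply_options(opts, args)
    return opts


def audit(conf, paths):
    """Report, per path, the risky features that end up enabled there."""
    sections = parse_directory_sections(conf)
    report = {}
    for path in paths:
        enabled = effective_options(sections, path)
        report[path] = sorted(f"{o}: {RISKY[o]}" for o in enabled if o in RISKY)
    return report


# Constructed sample: Listing 15.2 plus an uploads directory that adds ExecCGI.
SAMPLE_CONF = """
<Directory />
  Options FollowSymLinks
</Directory>
<Directory "/var/www/html">
  Options Indexes MultiViews
</Directory>
<Directory "/var/www/html/legal">
  DirectoryIndex index.html      # no Options line: inherits from /var/www/html
</Directory>
<Directory "/var/www/html/uploads">
  Options +ExecCGI               # merges with the inherited Indexes MultiViews
</Directory>
"""

if __name__ == "__main__":
    for path, issues in audit(SAMPLE_CONF, ["/var/www/html/legal", "/var/www/html/uploads"]).items():
        print(path, issues)
```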
Virtual Host Sections
To serve more than one website from the same Apache HTTP server, you need to configure virtual hosts. There are two types of virtual hosts: name-based and IP-based. Name-based virtual host means that multiple names are running on each IP address. IP-based virtual host means that a different IP address exists for each website served. Most configurations are name-based because it only requires one IP address, which is the type discussed in this section.
Virtual hosts are configured one at a time usually at the end of the httpd.conf file. An example is shown in Listing 15.3.
LISTING 15.3 Example Virtual Host
#Enable name-based virtual hosting
NameVirtualHost *:80
<VirtualHost *:80>
  ServerName www.example.org
  DocumentRoot /var/www/example.org
  #add other directives here
</VirtualHost>
Notice the NameVirtualHost directive must be set to enable name-based virtual hosting. The * in the value (and in the <VirtualHost> values) means requests are answered from all server IP addresses that the Apache HTTP server is configured to listen on with the Listen and SecureListen directives.
Most of the directives that can be configured in the main server section can be configured in a virtual host section. The ServerName and DocumentRoot directives are required in a virtual host section so the server knows which website the virtual host is for and where the files being served for the site are located.
Loading Modules
The Apache HTTP server supports the loading of modules to implement additional features. Examples include mod_log_config for customizing log files, mod_alias for URL redirection, and mod_cgi for executing CGI scripts.
NOTE
For a list of modules available for version 2.2 of the Apache HTTP server, go to http://httpd.apache.org/docs/2.2/mod/.
For each module you want to load, add a line similar to the following in the global configuration section of httpd.conf (replace module_name and module_filename.so):
LoadModule module_name modules/module_filename.so
After listing the module with the LoadModule directive, include any of the directives from the module in the appropriate httpd.conf sections.
Logging Connections
By default, log messages from the Apache HTTP server are written to the /var/log/httpd/ directory. When a file is transferred to a client, information such as the IP address of the client, the file transferred, a time stamp, and the client's browser are written to the transfer log. By default, the transfer log is set to access_log in the /var/log/httpd/ directory. Error messages and messages from starting and stopping the server are written to the error_log file. If you have enabled SSL connections on the web server, any secure transfers are recorded in ssl_access_log, and any server messages are written to ssl_error_log.
These log files are rotated using the logrotate utility. By default, new log files are started every week, and four weeks of log files are kept.
The following directives control logging:
TransferLog
Filename for the transfer log. If the filename does not begin with a forward slash (/), it is relative to the server root. Default value: logs/access_log
NOTE
Because the default value of logs/access_log does not start with a forward slash, it is relative to the server root, which is /etc/httpd by default. However, the /etc/httpd/logs/ directory is a symbolic link to the /var/log/httpd/ directory to allow Apache to follow the FHS guidelines of log files being located in /var/log/. Thus, the full path to the default transfer log is /var/log/httpd/access_log.
ErrorLog
Filename for the error log. If the filename does not begin with a forward slash (/), it is relative to the server root. Default value: logs/error_log
LogFormat
Format used when writing log messages. Refer to the apache.org directive page for details on the available formats. The mod_log_config module must be loaded for this directive.
LogLevel
Level of log messages written to the error log file. Possible values include debug, info, notice, warn, error, crit, alert, and emerg. The debug log level produces the most messages, and emerg only logs messages about the system being unusable. Default value: warn
CustomLog
Sets the filename of the transfer log and format of the log file. Can be used instead of using both TransferLog and LogFormat. Refer to the apache.org directive page for details. The mod_log_config module must be loaded for this directive.
Starting and Stopping the Server
Even though a non-root user such as apache owns the httpd processes, you still must be root to start and stop the service. Now that you have the basic settings configured, use the service httpd start command as root to start the server. If all goes well, the server will start. If you have a syntax error in the configuration file, a message is displayed to let you know the server hasn't been started and gives a hint on where the syntax error is located. Also check the error log file as defined with the ErrorLog directive for messages.
If the web server is already running, the service httpd reload command must be run before the changes take effect. To stop the server, use the service httpd stop command.
To configure the web service to start automatically at boot time, execute the chkconfig httpd on command as root.
Summary
This chapter provided a basic understanding of the Apache HTTP server and how it is configured in Red Hat Enterprise Linux. The list of required configuration options is short. However, as you have read, the Apache HTTP server can be customized in numerous ways. It can be configured to serve multiple websites, and modules can be added to the Apache HTTP server to enhance its functionality. What and how log messages are written can even be customized.
IN THIS CHAPTER
Understanding DNS Concepts
Allowing Connections
Configuring BIND
Configuring BIND Graphically
Logging Connections
CHAPTER 16
Hostname Resolution with BIND
Every computer on a network, whether it be a public-facing system on the Internet or one only accessible from an internal network, has a series of numbers called an IP address that identifies it to all other systems on the network. Each computer on the network must have a unique IP address. To make it easier to remember and identify systems, each IP address can be resolved to a hostname such as server.example.com, which must also be unique per network. IP addresses can be translated, or resolved, to hostnames, and vice versa, via the Internet Domain Name System, or DNS. DNS is a set of distributed databases with a hierarchy that dictates which server is more authoritative for a particular set of systems.
To set up a DNS server, also referred to as a name server, on Red Hat Enterprise Linux, use BIND (Berkeley Internet Name Domain). This chapter first explains the basics of how DNS works. Then, it guides you through configuration of Red Hat Enterprise Linux as a DNS server using BIND.
Understanding DNS Concepts
A DNS server, or name server, is used to resolve an IP address to a hostname or vice versa. Before configuring BIND to create a DNS server, you must understand some basic DNS concepts.
When talking to another person, you usually refer to him by his first name even though he has a surname and sometimes a middle name as well. Similarly, administrators often refer to systems by the first part of their hostnames such as talon for talon.example.com. The entire hostname with its domain such as talon.example.com is called a fully qualified domain name (FQDN). The right-most part of the FQDN such as .com or .net is called the top level domain, with the remaining parts of the FQDN, which are separated by periods, being sub-domains.
These sub-domains are used to divide FQDNs into zones, with the DNS information for each zone being maintained by at least one authoritative name server. Multiple authoritative name servers for a zone can be implemented and are useful when server or network failures occur. The authoritative server that contains the master zone file, which can be modified to update DNS information about the zone, is called the primary master server, or just master server. The additional name servers for the zone are called secondary servers or slave servers. Secondary servers retrieve information about the zone through a zone transfer from the master server or from another secondary server. DNS information about a zone is never modified directly on the secondary server because it would then be out of sync with the master server, which is considered to be the most authoritative.
Some name servers cache lookup data because they depend on other name servers for information and can't talk to authoritative servers directly. The amount of time a record is stored in cache is set with the Time To Live (TTL) field for each resource record. There are also name servers that forward requests to one or more name servers in a list until the lookup is achieved or until all the name servers in the list have been contacted.
A name server can act in multiple roles. For example, a server can be an authoritative server for some zones but a slave server for others. Or, a slave server can also be a caching server.
Allowing Connections
DNS servers use port 53 by default. Incoming and outgoing packets should be allowed on port 53. Also allow connections on port 921 if you configure a lightweight resolver server.
The DNS control utility, rndc, connects to the DNS server with TCP port 953 by default. If you are running rndc on the name server, connections on this TCP port from localhost should be allowed. If you are running rndc on additional systems, allow connections to port 953 (or whatever port you have chosen to configure) from these additional systems.
If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for details on how to allow connections from a specific port.
If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. Click the Add button next to the Other ports table to add a port.
Configuring BIND
BIND uses /etc/named.conf as its main configuration file, the /etc/rndc.conf file as the configuration file for the name server control utility rndc, and the /var/named/ directory for zone files and the like. All these files can be configured with a simple text editor, or they can be configured with the graphical Red Hat tool, system-config-bind. Refer to the section "Configuring BIND Graphically" at the end of this chapter for details on using system-config-bind.
InsIall Ihe b1nd package, Ihe b1nd-u11Js package, and Iheir soIware dependencies using
RHN (reer Io ChapIer 3, "OperaIing SysIem UpdaIes") Io seI up BIND.
This chapIer ocuses on basic DNS coniguraIion via Ihe coniguraIion iles Io help you
geI sIarIed. However, you should also read Ihe "BIND AdminisIraIor Reerence Manual"
IhaI comes wiIh Ihe b1nd package in Ihe 1usr1share1doc1b1nd-<vers1on>1arn1
8v9APM.pdf ile. II includes everyIhing rom DNS undamenIals and BIND resource
reguiremenIs Io coniguring and securing Ihe name server.
Cenf|gur|ng naned.conf
The /etc/named.conf file is the main configuration file for BIND. It should be owned by
the named user because the named service is run by this user. The file permissions for
named.conf should only allow the owner to read and write to the file (which also allows
the root user to modify the file).
To add comments to named.conf, the following methods can be used:
    /* This is a comment. */
    // This is a comment.
    # This is a comment.
The following statements are allowed in named.conf:
acl: IP address list used for access control. For example:
    acl <name> {
        <acl_list>
    };
Replace <name> with a unique name for the list, and replace <acl_list> with a semi-
colon-separated list of elements, which can include IP addresses, IP address prefixes
in the form X.X.X.X/X, one of the predefined list names (any, none, localhost, and
localnets), the name of a key defined in the top-level of named.conf, or a nested
address list in braces. Any of these elements can be negated by prefixing it with an
exclamation point and a space such as ! 192.168.0.2 to exclude 192.168.0.2 from
the list. When the match is being made, the matching stops at the first element in
the list it matches: Be careful with the order of the elements.
These defined ACLs can later be used to allow or deny access with the allow-trans-
fer, allow-recursion, allow-query, and other statements.
controls: Define control channels for the rndc utility. Refer to the next section
"Configuring Control Channels" for details.
include: Include the contents of a separate file, which can have more restrictive
permissions to protect sensitive data. The <filename> must include the full path to
the file.
    include "<filename>";
key: Define a shared secret key to use with TSIG or the control channel. The secret
must be a base-64 encoding of the encryption key, enclosed in double quotation
marks. It can be generated with the rndc-confgen command as described in the
"Configuring rndc.conf" section.
Replace <key-id> with a unique name for the key:
    key <key-id> {
        algorithm hmac-md5;
        secret "<secret>";
    };
The key statement must be inside a view statement, inside a server statement, or at
the top-level of named.conf. Keys inside view statements can only be used by
requesters matching the view definition. Keys inside server statements are used to
sign requests sent to that server. Top-level statements can be referenced inside other
statements by the <key-id>. For example, to use a top-level key inside the server
statement:
    server <ip> {
        keys { <key-id>; };
    };
logging: Customize logging. Refer to the "Logging Connections" section for details.
lwres: Configure the name server to act as a lightweight resolver server. Multiple
lwres statements can be declared.
    lwres {
        listen-on { <ip> port <port_num>; <ip> port <port_num>; };
        view <view-name>;
        search { <domain_name>; <domain_name2>; };
        ndots <num>;
    };
The listen-on statement declares a semicolon-separated list of IP addresses and port
numbers for the IPs from which the lightweight resolver accepts requests. If a port
number is not given, the default port (port 921) is used. If the listen-on statement is
missing, only requests from the local loopback (127.0.0.1) on port 921 are accepted.
To bind this lightweight resolver to a view so the response is formatted according to
the view, use the view statement to list the name of the view declared in the top-
level of named.conf. If no view is listed, the default view is used.
Use the search statement to list domain names used to convert hostnames to
FQDNs when they are sent in requests. This is the same as the search statement in
/etc/resolv.conf. Multiple domain names can be listed, separated by semicolons.
The ndots statement sets the minimum number of periods in a domain name that
should match exactly before the domain names declared with the search statements are
added to the end of it. This is the same as the ndots statement in /etc/resolv.conf.
masters: List a set of master name servers to use for stub and slave zones.
    masters <name> port <port_num> {
        <ip> port <port_num> key <key>;
    };
When declaring a master server for a stub or slave server, the port numbers and keys
are optional. The IP address of the master server is the only required component.
options: The options statement can be used to set global options for the server and
defaults for other statements. Options include additional servers to query if the
server doesn't have the data, zone transfer settings, settings to limit system resources
for the name server, and time-to-live values. Refer to the "BIND Administrator
Reference Manual" included with the bind package in the /usr/share/doc/
bind-<version>/arm/Bv9ARM.pdf file for a complete list of global options.
    options {
        <options>
    };
server: Set properties of a remote name server. These statements can be top-level
statements or inside view statements. The bogus statement should be set to yes or
no, with yes meaning that queries should not be sent to it. If the local server is a
master name server, set provide-ixfr to yes to allow incremental transfers to this
server. If the local server is a slave and the remote server is a master, set request-
ixfr to yes to request incremental transfers from the remote master server.
Set edns to yes to allow the local server to use EDNS (an extension of DNS) when
communicating with the remote server. Set transfer-format to one-answer or
many-answers to control how many DNS messages per resource record are trans-
ferred at one time. The many-answers option is only supported by some versions of
BIND. Set transfers to the maximum number of simultaneous inbound zone trans-
fers allowed. Set the keys statement to the key to use when signing requests to the
server.
Use the transfer-source statement to set the IPv4 source address used for zone trans-
fers or transfer-source-v6 to set the IPv6 source address used for zone transfers:
    server <ip> {
        bogus <value>;
        provide-ixfr <value>;
        request-ixfr <value>;
        edns <value>;
        transfers <num>;
        transfer-format <format>;
        keys { <key-id-list> };
        transfer-source <ip> port <port_num>;
        transfer-source-v6 <ip> port <port_num>;
    };
trusted-keys: Set DNSSEC (DNS Security) security roots. A security root is a public
key for a non-authoritative zone, which is known but can not be securely retrieved via
DNS. If it is listed as a trusted key, it is thought to be valid and secure. The <key-list>
is a semicolon-separated list of keys with each entry in the format <domainname>
<flags> <protocol> <algorithm> <key-id>.
    trusted-keys {
        <key_list>
    };
view: A view defines what data is sent in a response to a DNS request. Multiple
views can be set. Refer to the "Configuring Views" section for details.
zone: Declare the zone type for the server, which can have multiple zones. Refer to
the "Configuring Zones" section for details.
Configuring Control Channels
Use the controls statement in named.conf to define control channels for the server.
Control channels accept commands from the rndc utility. Only the inet control channel
is currently available. Multiple control channels can be defined in the controls statement
by declaring multiple inet clauses in it. Refer to the "Configuring rndc.conf" section for
an explanation of the rndc utility. The controls statement uses the following syntax:
    controls {
        inet <ip-addr> port <port-num> allow { <address-list> } keys { <key-list> };
    };
Replace <ip-addr> with the IP address of the name server. Using the loopback address
127.0.0.1 is recommended for high security. A port number does not have to be listed with
<port-num> unless you are not using the default port of 953.
Replace <address-list> with a semicolon-separated list of IP address elements: either
individual addresses or address ranges in the form X.X.X.X/X. Only rndc connection
requests from these addresses are allowed, and then only if they authenticate with a key
from <key-list>.
Replace <key-list> with a semicolon-separated list of key names for keys declared else-
where in the named.conf file. These are the authentication keys used by the rndc utility
when requesting connection to the name server. Only rndc utilities authenticating with
these keys are allowed to send commands to the name server.
TIP
If the named.conf file contains secret keys, be sure to set its file permissions as
restrictive as possible so that nonauthorized users can not read the key.
If no controls statement is present, only rndc connections from the localhost using the
authentication key in /etc/rndc.key are accepted.
Configuring Views
On a BIND server, views can be created to customize the data sent to different requesters
based on the source and destination IP addresses. Most of the global option statements
can also be used inside a view to override the default value or the value set as a global
option. They have the following syntax:
    view <name> <class> {
        match-clients { <ip_list> };
        match-destinations { <ip_list> };
        match-recursive-only <value>;
        <options>
        <zone-statements>
    };
The <name> must be unique per view and should be a short, descriptive word describing
the view specifications. The <class> is optional and defaults to IN.
Use the match-clients clause to define the source address to match. Use the match-
destinations clause to define the destination address of the request. If the source address
is not specified, requests from any source match. If the destination address is not speci-
fied, requests to be sent to any address match.
The order in which views are listed in named.conf matters. The first view that matches the
source and/or destination addresses of the server requesting the data is used to format the
response. So, view statements should go from the most restrictive to the least restrictive. If
you want to declare a view statement without a match-clients or match-destinations
statement as a "catch-all" for requesters that don't match any of the other statements, it
should be the last view statement in named.conf, or the other view statements will be
ignored because all requests will match the "catch-all" statement.
The keys statement allows clients a way to select the view. If the match-recursive-only
statement is set to yes, only recursive requests match. If any views are defined, all zone
statements must be inside view statements. Zones defined inside views can only be
accessed by clients that match the view specifications.
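The first-match rule for acl lists (described under the acl statement earlier in this section) and the ordering rule for view statements can both be checked without a running named. The following Python is an added example, not code from this book or from BIND: the addresses, the acl named internal, the view names, and the contents of the predefined localhost and localnets lists are constructed for the example, and nested lists are handled in simplified form (a nested list counts as matched only when it produces a positive match).

```python
"""BIND-style address matching: first-match acl lists with negation, and
ordered view selection. Added example, not the book's or BIND's code;
all addresses, acl names and view names below are constructed."""
import ipaddress

# Predefined lists. "localhost" and "localnets" depend on the server's own
# interfaces; these values are constructed for the example.
PREDEFINED = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": ["127.0.0.1", "192.0.2.10"],
    "localnets": ["127.0.0.0/8", "192.0.2.0/24"],
}


def match_list(ip, elements, acls=None):
    """Evaluate an address match list the way named does: walk the
    elements in order and stop at the first one the address matches.

    Returns True (positive match), False (the first matching element was
    negated) or None (no element matched). Elements are strings such as
    "192.0.2.5", "192.0.2.0/24", "! 192.0.2.7", "localnets" or the name
    of another acl in `acls`. A nested list is treated as matched only
    when it produces a positive match (a simplification)."""
    acls = acls or {}
    addr = ipaddress.ip_address(ip)
    for element in elements:
        negated = element.startswith("!")
        token = element.lstrip("! ")
        if token in PREDEFINED:
            hit = match_list(ip, PREDEFINED[token]) is True
        elif token in acls:
            hit = match_list(ip, acls[token], acls) is True
        else:
            hit = addr in ipaddress.ip_network(token, strict=False)
        if hit:
            # The first hit decides; elements after it are never examined.
            return not negated
    return None


def allowed(ip, elements, acls=None):
    """allow-query style decision: only a positive match grants access."""
    return match_list(ip, elements, acls) is True


def select_view(src_ip, dst_ip, views, acls=None):
    """Return the name of the first view whose match-clients and
    match-destinations both accept the request, or None.

    `views` is an ordered list of (name, match_clients, match_destinations)
    in named.conf order; an empty list means "any", as when the clause is
    omitted."""
    for name, clients, dests in views:
        if clients and not allowed(src_ip, clients, acls):
            continue
        if dests and not allowed(dst_ip, dests, acls):
            continue
        return name
    return None


# Constructed configuration: an acl that excludes one host from the
# internal network, and the same two views in good and bad order.
ACLS = {"internal": ["! 192.0.2.7", "192.0.2.0/24", "localhost"]}
VIEWS_RESTRICTIVE_FIRST = [("internal", ["internal"], []), ("external", [], [])]
VIEWS_CATCH_ALL_FIRST = [("external", [], []), ("internal", ["internal"], [])]

if __name__ == "__main__":
    print(allowed("192.0.2.7", ACLS["internal"], ACLS))            # False: negation seen first
    print(allowed("192.0.2.7", ["192.0.2.0/24", "! 192.0.2.7"]))   # True: negation never reached
    print(select_view("192.0.2.8", "192.0.2.10", VIEWS_RESTRICTIVE_FIRST, ACLS))  # internal
    print(select_view("192.0.2.8", "192.0.2.10", VIEWS_CATCH_ALL_FIRST, ACLS))    # external
```

The two acl orderings show the pitfall the text warns about: with the prefix listed before the negated host, 192.0.2.7 matches the prefix and the exclusion is never consulted. The two view orderings show the catch-all problem: when the unrestricted view comes first, every client lands in it and the internal view is dead configuration.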
Configuring Zones
A zone statement is used to define a zone and its properties. Some global options apply to
zones unless they are overridden inside the zone statement. Zone files are written to the
/var/named/ directory.
The statements have the following syntax:
    zone <name> <class> {
        type <type>;
        <options>
    };
The <name> must be unique and must be the domain name for the zone such as
example.com or host.example.com. It is used to complete hostnames that are not FQDNs.
The <class> is optional. It can be one of the following:
IN: Internet zone. The default class if one is not given.
HS: Hesiod zone. Hesiod is a service used to distribute system information such as
user and group definition and password files and print configuration files.
CHAOS: CHAOSnet zone. CHAOSnet is a LAN protocol.
The <type> must be one of the following:
master: Authoritative name server for the zone.
slave: Secondary name server for the zone. Retrieve zone data from the master server.
hint: Provide a list of root name servers, which are used to find a root name server
and retrieve a list of the most recent root name servers.
stub: Like a slave zone except it only retrieves the NS records from the master zone.
Not a standard DNS zone: specific to BIND.
forward: Set forwarding for the domain given as the zone name.
delegation-only: Use to enforce delegation-only status of infrastructure zones such
as COM and NET. Does not affect answers from forwarders.
A full list of options for <options> is available in the "BIND Administrator Reference
Manual" included with the bind package in the /usr/share/doc/bind-<version>/arm/
Bv9ARM.pdf file.
Configuring rndc.conf
The name server control utility, rndc, sends named digitally signed commands over a TCP
connection. Its configuration file /etc/rndc.conf stores configuration information such
as the name server to connect to and which key to use for the digital signature. The
utility is started when named is started using the initialization script.
The rndc.conf file uses syntax similar to named.conf. The same comment styles are avail-
able, statements are within braces, and the semicolon is used as the terminating character.
Only three types of statements can be declared:
NOTE
The preferences in rndc.conf can be overridden by specifying values on the command
line when rndc is started. Refer to Table 16.1 for a list of command-line options.
options: The options statement can have three clauses. The default-server clause
defines the IP address of the name server to which rndc should connect and
send commands. The default-key clause lists the key-id of the key to use if a key
statement is not listed in the server statement for the name server. If default-key
is used, a key statement with the same key-id must be declared in the same
rndc.conf file.
The default-port clause specifies the port number to use when connecting to the
name server. If a port clause is not listed in the server statement for the name server,
this default port is used when connecting. If no port is given, the default is 953.
    options {
        default-server <ip>;
        default-key <key-id>;
        default-port <port-num>;
    };
server: A server statement can be defined for the name server, with <ip> being the
IP address of the name server to which rndc is configured to connect. The key
clause should be used to provide the key-id of the key to use for authentication with
the name server. The port clause lists the port to use when connecting to the name
server.
TIP
Instead of declaring a server statement, you can just declare the key and port in the
options statement.
    server <ip> {
        key <key-id>;
        port <port-num>;
    };
key: Each key statement must have a unique key name, or key-id. The algorithm
clause provides the encryption algorithm to use for the key. Currently, only hmac-
md5 is supported by BIND. The secret clause must be a base-64 encoding of the
encryption key, enclosed in double quotation marks.
    key <key-id> {
        algorithm hmac-md5;
        secret "<secret>";
    };
An rndc.conf file can be generated with a random key with the rndc-confgen command.
It outputs the rndc.conf file and the corresponding key and controls statements for the
named.conf file. Either cut and paste the output to the appropriate files or redirect the
output into a file named rndc.conf, and remove the extra statements for named.conf:
    rndc-confgen > rndc.conf
Table 16.1 shows the available rndc command-line options such as rndc status to show
the server's status.
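To make the relationship between rndc.conf, the key statement and the controls statement in named.conf concrete, here is an added Python example that produces the same three pieces rndc-confgen emits: a random base-64 secret, the rndc.conf options plus key statement, and the key plus controls statements for named.conf, written with owner-only file permissions as the chapter advises. This is not the book's code and not the rndc-confgen implementation; the key name rndc-key, the loopback address and the scratch file names are constructed for the example.

```python
"""Produce the statements rndc-confgen emits: a random hmac-md5 key for
rndc.conf and the matching key/controls statements for named.conf, written
with owner-only permissions. Added example, not the book's code and not the
rndc-confgen implementation; the key name, addresses and file names below
are constructed."""
import base64
import os
import secrets
import stat
import tempfile


def make_rndc_key(key_id="rndc-key", nbytes=16):
    """Return (key_id, secret): `secret` is the base-64 text of `nbytes`
    random bytes, the form the secret clause expects."""
    return key_id, base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def key_stanza(key_id, secret):
    """key statement shared by rndc.conf and named.conf."""
    return (f'key "{key_id}" {{\n'
            "\talgorithm hmac-md5;\n"
            f'\tsecret "{secret}";\n'
            "};\n")


def rndc_conf(key_id, secret, server="127.0.0.1", port=953):
    """Contents for /etc/rndc.conf: options plus the matching key."""
    return ("options {\n"
            f"\tdefault-server {server};\n"
            f'\tdefault-key "{key_id}";\n'
            f"\tdefault-port {port};\n"
            "};\n\n" + key_stanza(key_id, secret))


def named_conf_controls(key_id, secret, listen="127.0.0.1", port=953):
    """key and controls statements for /etc/named.conf. The channel listens
    on the loopback address and admits only loopback clients that sign
    with this key, the configuration the chapter recommends."""
    return (key_stanza(key_id, secret) + "\n"
            "controls {\n"
            f'\tinet {listen} port {port} allow {{ 127.0.0.1; }} keys {{ "{key_id}"; }};\n'
            "};\n")


def write_private(path, text):
    """Create `path` readable and writable only by its owner (mode 0600),
    as the chapter advises for files that contain secret keys, and return
    the permission bits actually set."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)      # tighten a pre-existing file too
    return stat.S_IMODE(os.stat(path).st_mode)


def secret_is_valid(secret):
    """A secret must be strict base-64 text of at least 16 decoded bytes."""
    try:
        return len(base64.b64decode(secret, validate=True)) >= 16
    except ValueError:
        return False


def generate_into_tempdir():
    """Write both files into a scratch directory; return the key id, the
    secret and the mode of the written rndc.conf."""
    key_id, secret = make_rndc_key()
    workdir = tempfile.mkdtemp()
    mode = write_private(os.path.join(workdir, "rndc.conf"), rndc_conf(key_id, secret))
    write_private(os.path.join(workdir, "named.conf.controls"),
                  named_conf_controls(key_id, secret))
    return key_id, secret, mode


if __name__ == "__main__":
    kid, sec, _ = generate_into_tempdir()
    print(rndc_conf(kid, sec))
    print(named_conf_controls(kid, sec))
```

The same secret must appear in both files, which is why the statement is generated once and emitted twice; on a real server the named.conf fragment would be pasted into /etc/named.conf (or pulled in with an include statement pointing at a file with restrictive permissions), and the rndc.conf text saved as /etc/rndc.conf.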
TABLE 16.1 Command-Line Options for rndc
Option                              Description
-c <config-file>                    Specify the full path of the configuration file to use. Default: /etc/rndc.conf.
-k <key-file>                       If /etc/rndc.conf doesn't exist to list the default key to use, /etc/rndc.key is used as the authentication key. Use this option to use a different key file if the configuration file is missing.
-s <server>                         IP address of a server statement in rndc.conf to connect to as the name server.
-p <port>                           Provide a different port to use instead of the default TCP port of 953.
-y <key-id>                         Which key to use. A key with the given <key-id> must be declared in rndc.conf.
-v                                  Turn on verbose logging.
reload                              Reload the configuration file and zones.
reload <zone> <class> <view>        Reload a specific zone. The <class> and <view> are optional.
refresh <zone> <class> <view>       Schedule immediate maintenance for a specific zone. The <class> and <view> are optional.
retransfer <zone> <class> <view>    Retransfer a specific zone without checking the serial number. The <class> and <view> are optional.
freeze <zone> <class> <view>        Temporarily stop updates to a zone. The <class> and <view> are optional.
thaw <zone> <class> <view>          Reenable transfers to a zone that is frozen, and reload its configuration files and zones. The <class> and <view> are optional.
reconfig                            Reload configuration files but only reload new zones.
stats                               Save server statistics to the statistics file.
querylog                            Enable query logging.
dumpdb <-all|-cache|-zones> <view>  Dump cache to the named_dump.db file. The <view> is optional.
stop                                Save pending updates to master files, and stop the server.
stop -p                             Save pending updates to master files, stop the server, and report process ID (PID).
halt                                Stop the server without saving pending updates to the master files.
halt -p                             Stop the server without saving pending updates to the master files, and report process ID (PID).
trace                               Increase debugging level by one.
trace <level>                       Set debugging level to <level>.
notrace                             Set debugging level to 0.
flush                               Flush server's cache.
flush <view>                        Flush server's cache for a specific view.
flushname <name>                    Flush <name> from the server's cache.
status                              Show server status.
recursing                           Dump queries currently being recursed.
Starting and Stopping the Server
The BIND daemon is called named, which can be controlled by its initialization script with
the following command:
    service named <command>
Replace <command> with one of the following:
start: Start the name server.
stop: Stop the name server.
status: Show the status of the name server.
restart: Stop the server if it is running, then start named. If the server is not already
running, the stop action will fail, but the start action will still be called.
condrestart: If the server is already running, and only if the server is already
running, restart it.
reload: Reload the server configuration to enable changes to the configuration files.
To have BIND start at boot time, execute the following as root:
    chkconfig named on
Configuring BIND Graphically
Even if you use the graphical tool to configure BIND, it is recommended that you read
the previous section "Configuring BIND" to understand the configuration options the
tool is manipulating.
In addition to installing the bind package, bind-utils package, and their software depen-
dencies, install the system-config-bind RPM package if you want to use the graphical
configuration tool.
To start the tool, go to the System menu on the top panel of the desktop and select
Administration, Server Settings, Domain Name System. Alternatively, execute the
system-config-bind command. If you are not already logged in as the root user, the
correct root password must be entered before you are allowed to use the tool.
The application comes with a detailed manual in PDF format in the /usr/share/doc/
system-config-bind-<version>/scb_manual.pdf file. This section highlights some of its
features, but the manual should be consulted for complete instructions.
When the tool starts, it reads the existing /etc/named.conf file and loads the current
configuration. However, if the file contains a syntax error, the error is displayed instead.
After fixing the error, start the tool again to proceed. Because the configuration file is read
each time the tool starts, it can be modified manually with a text editor before or after
using system-config-bind without losing the changes the next time the tool is started.
The first time you start the application, the default settings are shown as in Figure 16.1.
Before the default settings are shown, a message appears stating that no default configura-
tion was found if the /etc/named.conf file doesn't exist. If you click OK to the message,
a /etc/named.conf file is created with default values.
FIGURE 16.1 Default Settings
To add, edit, or delete properties, select an entry from the list in the main window and
right-click on it to view an action menu. The actions in the menu vary depending on
what is selected.
Importing Defined Hosts
The Import button on the toolbar can be used to import a list of IP addresses and their
hostnames in the format of the /etc/hosts file. After clicking the button, use the Open
button to select the file containing hosts to import.
To import all the hosts listed in the selected file, click OK and notice that the hosts
appear in the zone list of the main window. The list of imported hosts from the given file
can be filtered so that only specific hosts matching a pattern, or not matching a given
pattern, are imported. To set up a filter, first select one of the filter types from the New
List Element list. The input fields in the Edit List Element area change depending on
which filter type is selected. For example, selecting IPV4 Address Filter changes the Edit
List Element frame to look like Figure 16.2.
For any of the filter types, enter the pattern to match and click OK in the Edit List
Element frame to add it to the Filter List. When the filter is added, if the unlabeled
button is clicked to the left of the input fields in the Edit List Element frame, an excla-
mation point appears as the label of the button. If a filter is added with the exclamation
point, instead of adding the hosts that match the filter, hosts that match the pattern are
not added. If Match ALL Filters is selected, hosts are added only if they match all the
patterns in the list. If Match ANY Filters is selected, hosts are added if they match at least
one of the filters. After configuring the filters, click OK on the bottom right of the dialog
window to add the desired hosts to the zone list in the main window.
FIGURE 16.2 Importing Defined Hosts
Saving Changes
After configuring the DNS server or making changes to its settings, click the Save button
in the toolbar of the main window. Configuration files whose settings were modified are
saved and the previous version is saved as <filename>.<timestamp> such as
named.conf.2006-11-17_11.0.0. If the named service is already running, it is restarted to
enable the changes.
Starting and Stopping the Server
To start the server, select DNS Server from the zone list, and right-click on it to display a
menu. Select Start Server from the menu. If the server is already running, options to
restart, reload, or stop the server are available instead.
If changes are saved and the named service is already running, the daemon is restarted
after the changes are saved.
Logging Connections
By default, the named service writes log messages to /var/log/messages. Logging may be
customized with the logging statement in named.conf. If named.conf has syntax errors,
messages about the errors will go to /var/log/messages or standard error regardless of the
logging statement.
The location of log messages can be modified by defining one or more channel state-
ments inside the logging statement. Listing 16.1 shows the basic syntax with required
and optional statements.
LISTING 16.1 Basic Syntax of a Logging Statement
    logging {
        channel <channel-name> {
            <destination>;
            severity <sev>;
            print-category <value>;
            print-severity <value>;
            print-time <value>;
        };
        category <category-name> { <channel-list> };
    };
Listing 16.2 defines the four predefined channels for logging.
LISTING 16.2 Predefined Logging Channels
    channel default_syslog {
        syslog daemon;          // send to syslog's daemon
                                // facility
        severity info;          // only send priority info
                                // and higher
    };
    channel default_debug {
        file "named.run";       // write to named.run in
                                // the working directory
                                // Note: stderr is used instead
                                // of "named.run"
                                // if the server is started
                                // with the '-f' option.
        severity dynamic;       // log at the server's
                                // current debug level
    };
    channel default_stderr {
        stderr;                 // writes to stderr
        severity info;          // only send priority info
                                // and higher
    };
    channel null {
        null;                   // toss anything sent to
                                // this channel
    };
You can also define your own custom channel. When creating user-defined channels, use
a unique channel name, and replace <destination> from Listing 16.1 with one of the
following:
Send messages to a file:
    file <filename> versions <num> size <num>;
Only the filename is required. Optionally, set how many old log files are kept on
disk with versions <num>. Set <num> to unlimited to keep all old log files. If
versions is not configured, no backup log files are saved. The size option must be
set for this to work.
If size is set and versions is set to more than 0, a new log file is created when it
reaches the given size and the old file is renamed <filename>.0. If the log file
reaches the given size and versions is not set to start a new file, the log file remains
on disk, but it is not written to after it reaches the given size. The log file must be
renamed manually or somehow reduced in size for logging to resume. If size is not
set, the log file size is not limited. When setting, the number should be followed by
k for kilobytes, m for megabytes, and so on such as 10m for 10 megabytes.
Send messages to a specific syslog facility:
    syslog <facility>;
Replace <facility> with the syslog facility to use: auth, authpriv, cron, daemon,
kern, lpr, mail, news, syslog, user, uucp, and local0 through local7. The list is
also in the syslog.conf man page. The /etc/syslog.conf file must then be modi-
fied to determine how syslog handles the messages through the set facility. Refer to
the syslog.conf man page for details.
Send messages to standard error:
    stderr;
This method is usually only used when named is running in the foreground while
you are actively monitoring stderr, such as during debugging.
Throw out messages and do not write them anywhere:
    null;
Optionally, if writing messages to a file, a log severity level can be set with the severity
<sev> statement inside the logging statement to determine what type of messages are
processed by each channel. If syslog is being used, the priority set for it is also factored
into the decision.
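The interaction of size and versions on a file channel is easy to misread, and the failure mode is silent: once the file is full and no versions are configured, named simply stops writing to it. The following Python is an added simulation of that behaviour, not named's own logging code; it approximates the rotation scheme the text describes (current file renamed to <filename>.0, older copies shifted up, the oldest discarded when the versions limit is reached). The log lines, file names and sizes are constructed for the example.

```python
"""Simulate the `file <name> versions <num> size <num>` behaviour of a
BIND logging channel. Added example, not named's code; the file names,
messages and sizes are constructed."""
import os
import tempfile

UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """'10m' -> 10485760, '512k' -> 524288, plain digits -> bytes."""
    text = str(text).strip().lower()
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


class FileChannel:
    """Writes messages to `path`. With `size` set and `versions` > 0 (or
    "unlimited") the file is rotated to path.0, path.1, ... when the limit
    is reached. With `size` set and `versions` unset, writing stops silently
    once the file is full, which is the failure mode the chapter warns about."""

    def __init__(self, path, versions=None, size=None):
        self.path = path
        self.versions = versions              # None, int, or "unlimited"
        self.size = parse_size(size) if size else None
        self.dropped = 0                      # messages lost to a full file

    def _current_size(self):
        return os.path.getsize(self.path) if os.path.exists(self.path) else 0

    def _rotate(self):
        keep = None if self.versions == "unlimited" else self.versions
        n = 0                                 # number of backups on disk
        while os.path.exists(f"{self.path}.{n}"):
            n += 1
        if keep is not None and n >= keep:    # discard the oldest backup
            os.remove(f"{self.path}.{keep - 1}")
            n = keep - 1
        for i in range(n - 1, -1, -1):        # shift .i -> .i+1, newest last
            os.replace(f"{self.path}.{i}", f"{self.path}.{i + 1}")
        os.replace(self.path, f"{self.path}.0")

    def write(self, message):
        data = message.rstrip("\n") + "\n"
        if self.size is not None and self._current_size() + len(data) > self.size:
            if self.versions:                 # int > 0 or "unlimited"
                self._rotate()
            else:
                self.dropped += 1             # file stays full; message lost
                return False
        with open(self.path, "a") as fh:
            fh.write(data)
        return True


def demo(versions, size="200"):
    """Write 12 constructed query lines through one channel in a scratch
    directory; return (written, dropped, backups_on_disk)."""
    workdir = tempfile.mkdtemp()
    channel = FileChannel(os.path.join(workdir, "named.log"), versions=versions, size=size)
    written = sum(channel.write(f"client 192.0.2.{i} query example.com IN A")
                  for i in range(12))
    backups = [f for f in os.listdir(workdir) if f.startswith("named.log.")]
    return written, channel.dropped, len(backups)


if __name__ == "__main__":
    print(demo(None))          # size set, no versions: writes stop, messages lost
    print(demo(2))             # two backups kept, nothing lost
    print(demo("unlimited"))   # every backup kept
```

With a 200-byte limit and 40-byte lines, the channel without versions accepts five lines and silently drops the remaining seven; the same channel with versions 2 writes all twelve lines and leaves named.log.0 and named.log.1 behind.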
When customizing logging, the print-category, print-severity, and print-time state-
ments can each be optionally set to yes or no. If print-category is set to yes, the cate-
gory of the message is logged. If print-severity is set to yes, the severity level of each
message is logged. If print-time is set to yes, a time stamp is written with each message.
The category statement inside the logging statement is used to associate channels with
log message categories. As shown in Listing 16.1, the statement takes the form:
    category <category-name> { <channel-list> };
If a channel is not listed for a category, the predefined channels of default_syslog and
default_debug are used unless the default category is redefined. Otherwise, replace
<channel-list> with a semicolon-separated list of predefined and/or user-defined channels.
Replace <category-name> with one of the following:
default: Set which channels to use if none are set for a category. If this category is
not defined, the default_syslog and default_debug predefined channels are used
for other nondefined categories.
general: Messages that don't fall into any of the other categories are in this category.
database: Messages about the internal database used by named to keep track of
zones and cache data.
security: Messages about whether requests are approved or denied.
config: Messages about the configuration file such as syntax errors.
resolver: Messages about DNS resolution.
xfer-in: Messages about zone transfers received by the server.
xfer-out: Messages about zone transfers sent by the server.
notify: Messages about the NOTIFY protocol.
client: Messages about client requests.
unmatched: Messages for which there is no matching view or for which the daemon
can't figure out the class. If a message is in this category, a one-line message is also
sent to the client category. By default, these messages are sent to the null channel.
network: Messages about network operations.
update: Messages about dynamic updates.
update-security: Messages about whether update requests were approved or denied.
queries: Messages about queries, including the IP address and port of the client,
query name, class, and type.
dispatch: Messages about the dispatching of incoming packets to the server
modules.
dnssec: Messages about the DNSSEC and TSIG protocols.
lame-servers: Messages about the lame servers.
delegation-only: Messages about log queries forced to NXDOMAIN from the
delegation-only zone and a delegation-only in a hint or stub zone.
Summary
This chapter explains DNS and the BIND implementation of the name server. Information
such as access control lists and logging preferences can be set in the BIND configuration file,
named.conf. The /etc/rndc.conf file customizes the name server control utility rndc, while
zone files are located in the /var/named/ directory. If you prefer a graphical tool, the
system-config-bind utility provides a graphical interface to the same configuration options.
IN THIS CHAPTER
Allowing Connections
Configuring the Server
Connecting from the Client
Logging Connections
CHAPTER 17
Securing Remote Logins
with OpenSSH
OpenSSH is the open source version of SSH, or Secure Shell.
Connectivity tools such as Telnet and FTP are well-known,
but they send data in plain text format, which can be inter-
cepted by someone using another system on the same
network, including the Internet. On the other hand, all data
transferred using OpenSSH tools is encrypted, making it
inherently more secure. The OpenSSH suite of tools includes
ssh for securely logging in to a remote system and executing
remote commands, scp for encrypting files while transferring
them to a remote system, and sftp for secure FTP transfers.
OpenSSH uses a server-client relationship. The system
being connected to is referred to as the server. The system
requesting the connection is referred to as the client. A
system can be both an SSH server and a client.
OpenSSH also has the added benefits of X11 forwarding and
port forwarding. X11 forwarding, if enabled on both the
server and client, allows users to display a graphical appli-
cation from the system they are logged in to on the system
they are logged in from. Port forwarding allows a connec-
tion request to be sent to one server but be forwarded to
another server that actually accepts the request.
This chapter discusses how to use OpenSSH, both from the
server-side and the client-side.
Allowing Connections
By default, the OpenSSH server listens for requests on port
22 and port 6010 for X11 forwarding.
If custom IPTables rules are being used, refer to Chapter 24,
"Configuring a Firewall," for details on how to allow these
ports.
If using a default security level in Red Hat Enterprise Linux, use the Security Level
Configuration tool to allow SSH connections. Start it by selecting Administration,
System Settings, Security Level from the System menu on the top panel of the desktop
or by executing the system-config-securitylevel command. Enter the root password
when prompted if running as a non-root user. SSH is allowed by default if the default
security level is enabled as shown in Figure 17.1. On the Firewall Options tab, make sure
the SSH service in the Trusted services section has a check mark beside it. If not, click the
check box beside SSH, and click OK to enable the changes.
CHAPTER 17 Securing Remote Logins with OpenSSH 356
FIGURE 17.1 Allowing SSH Requests
Configuring the Server
The openssh-server RPM package is required to configure a Red Hat Enterprise Linux
system as an OpenSSH server. If it is not already installed, install it with Red Hat Network
as described in Chapter 3, "Operating System Updates."
After it is installed, start the service as root with the command service sshd start. The
system is now an SSH server and can accept connections if the server allows connections
on port 22 as described in the "Allowing Connections" section of this chapter.
To configure the server to automatically start the service at boot time, execute the
command chkconfig sshd on as root. To stop the server, execute the command service
sshd stop. To verify that the server is running, use the command service sshd status.
Retaining Keys After Reinstalling
Server authentication keys are generated when the OpenSSH server package is installed
and are unique to the server. They are used to verify that the server being connected to
is the intended server. The first time a client connects to an OpenSSH server, it must
accept the public key. If accepted, the client stores the public key and uses it to verify the
identity of the server with each connection.
When a system acting as an OpenSSH server is reinstalled, the files storing the OpenSSH
identification keys are re-created as well. Because the SSH clients use these keys to identify
the server before connecting to it, they will see the warning message in Listing 17.1 after
the operating system reinstallation, which generates new keys.
LISTING 17.1 Warning About Keys Not Matching
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    66:50:c5:dc:ba:36:d4:3f:ea:93:1d:d8:56:e3:38:56.
    Please contact your system administrator.
    Add correct host key in /home/tfox/.ssh/known_hosts to get rid of this message.
    Offending key in /home/tfox/.ssh/known_hosts:73
    RSA host key for 172.31.0.1 has changed and you have requested strict checking.
    Host key verification failed.
After the message is displayed, the program exits. If you are sure that the key on the
server changed, edit the known_hosts file in the .ssh directory of your home directory
such as /home/tfox/.ssh/known_hosts. The warning message gives the line number that
contains the stored key for the server, or you can search for the hostname or IP address of
the server, whichever one you use to connect to it. Delete the line, save the file, and exit
the text editor. The next time you try to connect to the server via SSH, you will need to
accept the new RSA server key.
CAUTION
Before removing a stored RSA key for a server and accepting a new one, verify with the
administrator of the server that the key has changed and that the new key you are
accepting is correct. Otherwise, the system could have been compromised, and you
might be compromising your system by accepting the different key and connecting to a
different server.
Instead of communicating a new key to users every time a server is reinstalled, an admin-
istrator can retain the host keys generated for the system before reinstalling. To save the
keys before reinstalling, save the /etc/ssh/ssh_host*key* files on another system or
backup media. After reinstalling, restore these files to their original locations on the server
to retain the system's identification keys. If this process is used, clients will not receive the
warning message when trying to connect to the system after it is reinstalled.
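As an added example (not the book's own procedure), the functions below script the save-and-restore of the /etc/ssh/ssh_host*key* files and verify afterwards that the restored copies are identical to the backup. The directory paths are parameters so the functions can be exercised on a scratch directory; on a real server the source is /etc/ssh and the backup directory is on removable media or another system. The key files in the demonstration are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the book): save the OpenSSH host keys before a
# reinstall and put them back afterwards, with strict permissions.
# On a real server SSH_DIR is /etc/ssh; here it is a parameter.

# save_host_keys SSH_DIR BACKUP_DIR
# Copies every ssh_host*key* file from SSH_DIR into BACKUP_DIR.  The backup
# directory is created mode 0700 because it holds private keys.  Fails if
# there was nothing to save, so a typo in SSH_DIR is noticed.
save_host_keys() {
    src="$1"; dst="$2"
    mkdir -p "$dst" && chmod 0700 "$dst" || return 1
    n=0
    for f in "$src"/ssh_host*key*; do
        [ -f "$f" ] || continue            # glob matched nothing
        cp -p "$f" "$dst/" || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# restore_host_keys BACKUP_DIR SSH_DIR
# Puts the saved files back and re-applies the modes sshd expects:
# private keys 0600, public keys 0644 (sshd will not use a private host
# key that is readable by other users).
restore_host_keys() {
    src="$1"; dst="$2"
    for f in "$src"/ssh_host*key*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp -p "$f" "$dst/$name" || return 1
        case "$name" in
            *.pub) chmod 0644 "$dst/$name" ;;
            *)     chmod 0600 "$dst/$name" ;;
        esac
    done
}

# host_keys_match DIR_A DIR_B
# Returns 0 when every host key file in DIR_A is byte-identical to the copy
# in DIR_B; run this after restoring and before starting sshd.
host_keys_match() {
    for f in "$1"/ssh_host*key*; do
        [ -f "$f" ] || continue
        cmp -s "$f" "$2/$(basename "$f")" || return 1
    done
    return 0
}

# Demonstration on a scratch directory with constructed placeholder files
# (not real keys; a real backup copies the files sshd generated).
demo=$(mktemp -d)
mkdir -p "$demo/etc-ssh"
printf 'PLACEHOLDER RSA PRIVATE KEY\n' > "$demo/etc-ssh/ssh_host_rsa_key"
printf 'ssh-rsa PLACEHOLDER root@host\n' > "$demo/etc-ssh/ssh_host_rsa_key.pub"
save_host_keys "$demo/etc-ssh" "$demo/backup"
rm -rf "$demo/etc-ssh"; mkdir -p "$demo/etc-ssh"     # stands in for the reinstall
restore_host_keys "$demo/backup" "$demo/etc-ssh"
host_keys_match "$demo/backup" "$demo/etc-ssh" && echo "host keys restored"
```

Restore the keys before sshd is started for the first time on the reinstalled system; if sshd has already generated a fresh key pair, the restored files simply overwrite it, and clients that connected in between will have stored the wrong key.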
Connecting from the Client
This section discusses how to connect to an SSH server from a Red Hat Enterprise Linux
system. The SSH server can be any server running an SSH daemon, including a Red Hat
Enterprise Linux system running OpenSSH.
To connect to an SSH server, the openssh-clients RPM package must be installed. Install
it via Red Hat Network if it is not already installed. This package provides the SSH utilities
discussed in this section and summarized in Table 17.1.
TABLE 17.1 OpenSSH Client Utilities
OpenSSH Utility   Description
ssh               Securely log in to a remote system or execute a command on a remote system
slogin            Alias to the ssh command
scp               Copy files from one computer to another while encrypting the data
sftp              Securely transfer files from one system to another
ssh-add           Add RSA or DSA identities to the authentication agent
ssh-agent         Remember private keys for public key authentication
ssh-keyscan       Gather public SSH keys
Logging In to a Remote System
The most common OpenSSH utility is ssh, a secure replacement for rlogin, rsh, and
telnet. The ssh command allows users to remotely log in to a system from another
system using an encrypted transfer protocol. Every transfer, starting with the username
and password sent for authentication, is encrypted so it can't be easily read if intercepted.
The system being connected to is considered the server. The system being connected from
is called the client.
To log in to a system with ssh, use the following command, where <hostname> is the
hostname, fully qualified domain name, or IP address of the remote system:
ssh <hostname>
If the hostname or fully qualified domain name is used, the client must be able to resolve
it to a valid IP address. The first time a user tries to connect via ssh to another system, the
message in Listing 17.2 is displayed.
LISTING 17.2 Connecting to an SSH Server for the First Time
The authenticity of host '172.31.0.1 (172.31.0.1)' can't be established.
RSA key fingerprint is 66:50:c5:dc:ba:36:d4:3f:ea:93:1d:d8:56:e3:38:56.
Are you sure you want to continue connecting (yes/no)?
If the user types yes, the client saves the server's public RSA key, and the server responds
by requesting the user's password. If the correct password is entered, the server accepts the
request, and the user receives a shell prompt to the remote system. The server's public key
is added to the .ssh/known_hosts file in the user's home directory. After this public key is
written to this file, the message in Listing 17.2 is no longer displayed when a connection
is requested.
When the ssh command is executed, the username of the user currently logged in to the
client is sent to the remote server as the username requesting connection. To use a differ-
ent username on the remote server, use the command ssh username@<hostname>.
Executing a Command Remotely
The ssh utility also allows users to execute commands remotely using the following
syntax:
ssh <hostname> <command>
If the command contains any wildcards, redirects, or pipes, it must be in quotation marks
such as the following:
ssh myserver.example.com "cat /proc/cpuinfo | grep flags"
After authenticating with a password or passphrase, the results of <command> are displayed
to the client.
Transferring Files Securely
The scp utility provides the ability to transfer files from one system to another system
running an SSH server such as OpenSSH. The command has many variations, but the
basic syntax is as follows:
scp <local-file> <username>@remote.example.com:<remote-file>
Like ssh, if a username is not specified for the remote server, the current username is
assumed. If only a directory path is given for <remote-file>, the same filename is used to
transfer the file to the specified directory on the remote server.
The wildcard character * can be used to specify multiple files for <local-file> and
<remote-file>.
The scp command can also be used to transfer remote files to the local system. Just
reverse the syntax:
scp <username>@remote.example.com:<remote-file> <local-file>
A few command-line options to scp, such as -l, limit the amount of bandwidth it is
allowed to use. Refer to its man page with the man scp command for a full list with
descriptions.
TIP
If the path for the <remote-file> does not begin with a /, it is assumed that the path
is relative to the user's home directory. For example, to transfer the file
ProjectSchedule.odt to your home directory on a remote system, use the scp
ProjectSchedule.odt remote.example.com: command.
The sftp utility can also be used to transfer files via an encrypted connection. It differs
from scp and is similar to ftp in that it uses an interactive shell. To connect via sftp to a
remote system, use the command sftp username@<remote-system>. Again, if no user-
name is specified, the username of the current user on the client is assumed for the
remote system. After authenticating correctly, the sftp> prompt is displayed, giving the
user an interactive session to the remote system (see Listing 17.3). The interactive
commands are similar to ftp. Table 17.2 lists common sftp commands.
LISTING 17.3 sftp Session
Connecting to fileserver.example.com...
tfox@fileserver's password:
sftp>
TABLE 17.2 Common sftp Commands
sftp Command            Description
pwd                     Display current remote directory
lpwd                    Display current local directory
cd <directory_name>     Change to remote directory
lcd <directory_name>    Change current local directory
get <file>              Retrieve <file> from current remote directory to current local directory
mget <files>            Retrieve multiple files
put <file>              Upload local file to the current remote directory
mput <files>            Upload multiple local files to the current remote directory
ls                      List files in current remote directory
exit                    Close connection to SSH server and exit
As you can tell, the commands are similar to ftp with a few exceptions, such as the user is
not prompted to confirm actions by default; there is no need to disable prompting with
the prompt command before using mget and mput. Hash marks can't be displayed to show
progress, but progress in terms of percentage of total transfer, total kilobytes already trans-
ferred, transfer rate, and time remaining is automatically displayed, as in the following:
/tmp/samplefile    100% 1888KB   1.8MB/s   00:01
It is also possible to connect to an FTP server using sftp from the Nautilus file browser.
Select Places, Connect to Server from the desktop menu, and select SSH as the service type.
Type the IP address or full hostname of the FTP server in the Server field as shown in
Figure 17.2.
FIGURE 17.2 Connecting to an sftp Server
Under the Optional information section, the following can be configured:
Port: Specify the server port to connect to if different than the default FTP port 21.
Folder: The folder to open after logging in to the FTP server.
User Name: The username to use for authentication when connecting. You will be
prompted for the password later.
Name to use for the connection: Connection name to use when labeling the
mount point in the Places menu and on the desktop.
An icon will appear on the desktop using the name of the server or, if provided, the name
in the Name To Use For The Connection field. A shortcut is also listed under the Places
menu item in the desktop menu. Double-clicking on the desktop icon or selecting the
shortcut item in the Places menu will open a file browser window with the files from the
FTP server. Depending on your file permissions from the server, you can open, copy,
delete, rename files and directories, and more.
To unmount the share, right-click on its desktop icon and select Unmount Volume. If the
share is not unmounted, it will remain in the Places menu on reboot, but you must reau-
thenticate to access the share after rebooting.
Creating a Passphrase
Instead of using a password to authenticate, OpenSSH allows the use of a passphrase. Why
use a passphrase? Unlike a password, a passphrase can contain spaces and tabs and is
usually much longer than a password, hence the word phrase in the name. The added
length along with the spaces and tabs makes a passphrase more secure and harder to guess.
Passphrases are unique per user and must be created by each user while logged in with
the corresponding username. Red Hat Enterprise Linux 5 uses SSH Protocol 2 and RSA
keys by default. To generate an RSA key pair for SSH version 2, use the following
command:
ssh-keygen -t rsa
As demonstrated in Listing 17.4, press Enter to accept the default location of
$HOME/.ssh/id_rsa after the key pair is generated. When prompted for a passphrase, type
a passphrase to use and type it again to confirm. The passphrase should be different from
the user's password and should contain a combination of numbers and letters to make it
more secure. Remember it can contain spaces and tabs. The RSA public key is then written
to $HOME/.ssh/id_rsa.pub while the private key is written to $HOME/.ssh/id_rsa.
LISTING 17.4 Generating a Passphrase
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tfox/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tfox/.ssh/id_rsa.
Your public key has been saved in /home/tfox/.ssh/id_rsa.pub.
The key fingerprint is:
ed:09:c2:a8:31:1f:11:85:0a:5e:c0:ab:16:b6:f1:98 tfox@rhel5
CAUTION
The private key file should never be accessible by anyone other than the user who
created it. It is created with read/write file permissions for the user only. These permis-
sions should not be altered.
After successfully generating the key pair, copy the contents of the public key file
$HOME/.ssh/id_rsa.pub to $HOME/.ssh/authorized_keys on all the systems you want to
connect to with the SSH tools. If the authorized_keys file already exists, append it with
the contents of $HOME/.ssh/id_rsa.pub. If the .ssh/ directory does not exist in your
home directory on the remote systems, it must be created so that only you, the owner,
can access it. To change the permissions for it, execute the command chmod 0700
$HOME/.ssh on the remote system. The $HOME/.ssh/authorized_keys file on each remote
system must have the same permissions as the $HOME/.ssh/id_rsa.pub file created by
ssh-keygen. Change its permissions with the chmod 644 $HOME/.ssh/authorized_keys
command on each remote system to which you will be connecting.
After creating an RSA key pair and distributing the public key to the remote systems,
when the ssh <hostname> command is executed, the user will be prompted for the
passphrase used to create the key pair instead of being prompted for a password for
authentication.
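The shell function below is an added example, not code from the book, that carries out the authorized_keys installation described above on the remote side: it creates ~/.ssh with mode 0700, appends the key to authorized_keys only if that key is not already present, and leaves the file with mode 644 as the text prescribes. The home directory is a parameter so the function can be exercised on a scratch directory; on the remote system it is $HOME. The public key used in the demonstration is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the book): install a public key into an account's
# authorized_keys with the permissions the text prescribes, idempotently.
# HOME_DIR is a parameter here; on the remote system it is $HOME.

# install_authorized_key HOME_DIR PUBKEY_FILE
install_authorized_key() {
    home="$1"; pub="$2"
    ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"

    # A public key file is one line: key type, base64 blob, optional comment.
    key=$(head -n 1 "$pub")
    [ -n "$key" ] || return 1
    case "$key" in
        "ssh-rsa "*|"ssh-dss "*) ;;          # the protocol 2 key types in use here
        *) return 1 ;;
    esac

    # ~/.ssh must be accessible by the owner only; with StrictModes (the
    # default) sshd ignores the key if the directory or file is group- or
    # world-writable.
    mkdir -p "$ssh_dir" || return 1
    chmod 0700 "$ssh_dir" || return 1
    touch "$auth" || return 1

    # Append only if the type+blob pair is absent; the comment field may
    # differ between copies of the same key, so it is not compared.
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if ! awk -v want="$blob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$auth"; then
        printf '%s\n' "$key" >> "$auth" || return 1
    fi
    chmod 0644 "$auth"
}

# count_authorized_keys HOME_DIR: number of keys currently installed
count_authorized_keys() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c '^ssh-' "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

# Demonstration with a constructed key (the blob is a placeholder, not a real key)
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholder tfox@rhel5\n' > "$demo/id_rsa.pub"
install_authorized_key "$demo" "$demo/id_rsa.pub"
install_authorized_key "$demo" "$demo/id_rsa.pub"     # second run adds nothing
count_authorized_keys "$demo"                         # prints 1
```

Because the function compares the key type and blob rather than the whole line, copying the same id_rsa.pub to a system twice, or with a different comment, does not produce duplicate entries that would later have to be cleaned up when the key is retired.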
Remembering the Passphrase
Instead of entering the passphrase each time you connect to a remote system, the ssh-
agent utility from the openssh-clients package can be used to remember the passphrase.
Additionally, if a graphical desktop is used and the openssh-askpass package is installed,
the desktop can be configured to prompt the user for the passphrase after the user logs in
to the graphical interface. While that graphical login session is active, the passphrase will
be remembered for all terminals opened within that graphical session. To configure ssh-
agent as a startup program, use the following steps:
1. Verify that the openssh-askpass package is installed. If it isn't, install it via Red Hat
Network.
2. From the System menu on the top panel of the desktop, select Preferences, More
Preferences, Sessions.
3. When the Sessions window appears, select the Startup Programs tab.
4. Click Add and enter /usr/bin/ssh-add as the startup command. Click OK. The
window will look similar to Figure 17.3.
5. Click Close to save the settings and exit.
FIGURE 17.3 Adding ssh-add to the Startup Programs
The next time the user logs in to the graphical desktop, a dialog window will appear
prompting the user for the passphrase. If the correct passphrase is entered, the user will
not have to type the passphrase again when connecting to systems that contain the corre-
sponding $HOME/.ssh/authorized_keys file.
If a graphical interface is not being used, the passphrase can be remembered by executing
the following commands:
exec /usr/bin/ssh-agent $SHELL
ssh-add
After you enter the correct passphrase, it will be remembered for that session or terminal
window.
X11 Forwarding
X11 forwarding means that graphical programs can be executed on a remote system and
displayed on the local client system. Even though the interface appears on the client, it is
running on the remote server. For example, if you want to enable Kdump on a remote
system, you can log in to it remotely using ssh, execute the system-config-kdump
command on the remote system, and the graphical program appears on your local
computer. Configure the Kdump settings for the remote system, save the settings, and
you are done without having to physically move to the remote system to get a graphical
desktop. X11 forwarding must be enabled on both the client and server system for it to
work.
By default, X11 forwarding is not enabled on the client. If the server supports X11
forwarding, the user can enable it with the -Y command-line option:
ssh -Y <hostname>
TIP
When you execute a graphical program from a remote login session, the program is
displayed on the client, but while the graphical program is being used, the session
cannot be used to run other commands. To prevent this, add an ampersand character
(&) after the command such as system-config-kdump &.
To always enable X11 forwarding on the client system, a user can create the file
$HOME/.ssh/config with permissions 0600 and add the following line:
ForwardX11 yes
An administrator can enable X11 forwarding on a client system for all users on the
system by modifying the /etc/ssh/ssh_config file and changing the default value of
ForwardX11 from no to yes. After modifying this global client configuration file, the
service must be restarted for the changes to take effect with the service sshd restart
command. Settings in this global file apply to all users unless the values are overridden in
the $HOME/.ssh/config user file.
NOTE
The OpenSSH client tools check the file permission for the $HOME/.ssh/config file if
it exists. If the file has write permissions for the group or other category, the program
will exit instead of connecting to the server. It is recommended that the file have the
permissions 0600, which can be modified with the chmod command.
After enabling X11 forwarding, if a user is logged in to a remote system via ssh and
executes a graphical program, the program is run on the remote system, but the graphical
interface is displayed on the client system the user is logged in to. This has many benefits
including being able to run graphical system administration tools remotely.
To allow X11 forwarding on the server, the X11Forwarding option must be set to yes in the
/etc/ssh/sshd_config file on the OpenSSH server. According to the sshd_config man
page, the default value for X11Forwarding is no. However, the default value in Red Hat
Enterprise Linux is set to yes. After modifying the configuration file, execute the
command service sshd restart to enable the change.
TIP
To learn about the other options in /etc/ssh/ssh_config on the client and
/etc/ssh/sshd_config on the server, read their man pages with the man
ssh_config and man sshd_config commands.
Port Forwarding
In addition to X11 forwarding, ssh can also be used to forward connections from one
port to another, otherwise known as port forwarding or tunneling. Port forwarding can be
used to make an otherwise unencrypted connection secure by encrypting it via ssh. It
can also be used to connect to a server behind a firewall.
The basic syntax is as follows:
ssh -L <localport>:<remotehost>:<remoteport> <username>@<otherhost>
When a connection is made to port <localport> on the local system, the connection
goes over an encrypted tunnel to the <otherhost> and then is forwarded to port
<remoteport> on the <remotehost> after successful authentication for username@
otherhost.
For an example, refer to Figure 17.4. In this figure, an SSH tunnel is established between
the source host and the SSH server. The destination host can be any type of server config-
ured to accept connections on a static port such as a POP3 email server, a web server, or
even another SSH server.
[Figure 17.4 diagram: source host, encrypted tunnel across the Internet to the SSH server, firewall, destination host]
FIGURE 17.4 Establishing an SSH Tunnel
The destination host allows connections from the SSH server through the firewall, but the
firewall does not allow connections from the source host. So, an encrypted SSH tunnel is
established between the source host and the SSH server. Then, packets intended for the
destination host are sent over the encrypted tunnel to the SSH server and then forwarded
to the destination host on the other side of the firewall. The connection between the SSH
server and the destination host is not necessarily encrypted because an SSH tunnel has
not been established between them. However, the connection can be secured with addi-
tional software such as a VPN solution. If the destination host is another SSH server, the
connection between the connecting SSH server and the destination host is encrypted
because of the SSH connection.
TIP
To disable port forwarding on an OpenSSH server, add the following line to
/etc/ssh/sshd_config:
AllowTcpForwarding no
Logging Connections
By default, the OpenSSH daemon (sshd) uses syslog to write messages to /var/log/
messages when sessions are opened and closed for users as well as when an authentica-
tion attempt has failed.
To modify the type of messages logged, set the LogLevel directive in the /etc/ssh/
sshd_config file. By default, it is set to INFO. The possible values in order of verbosity are
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. DEBUG and DEBUG1
are the same. Logging with any of the DEBUG levels violates user privacy and is not recom-
mended.
Summary
When administering UNIX-based systems such as those running Red Hat Enterprise
Linux, SSH tools such as the OpenSSH suite are essential. It can help you perform a
variety of tasks such as logging in to a system to monitor system performance, remotely
running graphical configuration tools, applying system updates, or even checking email.
It can also allow you to display a graphical application remotely with X11 forwarding and
redirect requests to a different server using port forwarding.
IN THIS CHAPTER
Understanding Email Concepts
Configuring Sendmail
Using POP and IMAP
Logging Sendmail Connections
Allowing Email Connections
CHAPTER 18
Setting Up an Email
Server with Sendmail
In a corporate environment, email is an essential compo-
nent to the work day. Email is used to schedule and remind
employees of meetings, communicate with both internal
employees and external customers, and enable remote
employees to participate in company discussions; it has even
taken the place of water cooler talk for some employees.
The first part of this chapter outlines how an email
message reaches its destination email server. The second
part of the chapter explains how to set up Red Hat
Enterprise Linux to send and receive email with Sendmail.
Finally, users must retrieve email off an email server from
an email client using a protocol such as POP or IMAP.
Configuring the email server to allow POP and IMAP
connections is discussed in the last part of this chapter.
Understanding Email Concepts
When a person wants to send an email to someone else on
the Internet, she opens an email client, which is also called
a Mail User Agent (MUA), such as Evolution or Thunderbird.
Instead of using a standalone email client, you can also use
a web browser to access a web-based email client or even
an application on a portable Internet device such as a cell
phone or PDA.
After you send an email, the email is formatted into a stan-
dard format so that all the other email servers on the
Internet can read it.
FIGURE 18.1 Sending an Email
As shown in Figure 18.1, after the message is formatted and optionally encrypted, it is
sent to a Mail Transport Agent (MTA) using the Simple Mail Transfer Protocol (SMTP). The
email application used is configured to send all outgoing emails to a specific MTA server.
After that, the email may be transferred to several MTA servers before reaching the MTA
for the domain of the email recipient. After the email reaches its destination MTA, it is
stored on the server and waits for the recipient to retrieve it.
The email transfer in Figure 18.1 shows the initial MTA inside the same private network
as the device used to send the email. However, the MTA doesn't have to be inside the
private network. It only needs to be accessible by the system sending the email. For
example, home users are given an MTA server (sometimes called an SMTP server) to use,
which is accessible over the Internet.
If you are administering systems for a company that transfers a large amount of email as
well as company confidential email, you will need to set up an MTA inside the company's
private network. As shown in Figure 18.2, if an employee sends an email to another
employee inside the private network with an MTA server, the email goes through the private
MTA server and is never transmitted across the Internet, thus making it harder for someone
outside the company to intercept and read the email containing confidential information.
[Figure 18.1 and 18.2 diagrams: Sender's MUA, MTA Server, IMAP Server, Internet, Recipient's MUA]
FIGURE 18.2 Sending an Internal Email
To read the email, the recipient uses an MUA, commonly known as an email client. It
must be configured to download the email using a protocol accepted by the MTA storing
the email. Most MTAs accept the POP3 protocol, the IMAP protocol, or both. The differ-
ences between these two protocols are discussed later in the "Using POP and IMAP"
section.
After the recipient reads the email, he has many options. For example, he can choose to
make a copy of it on his local filesystem, keep the message on the server, delete the
message from the server, forward the email to a different person, or reply to the person
who sent the email.
Configuring Sendmail
Sendmail is an MTA, meaning it accepts email messages sent to it using the SMTP proto-
col and transports them to another MTA email server until the messages reach their desti-
nations. It also accepts email for the local network and delivers it to local mail spools,
one for each user.
To configure a Red Hat Enterprise Linux system as a mail server, the sendmail RPM package
must be installed. If it is not installed, use Red Hat Network to install it as discussed in
Chapter 3, "Operating System Updates." The sendmail-cf package is also necessary if you
plan to change the default configuration. Optionally, install the sendmail-doc package if
you want the Sendmail docs installed locally in the /usr/share/doc/sendmail/ directory.
NOTE
Sendmail is quite configurable with hundreds of options. This chapter provides the
essential information necessary to get your email server off the ground and running. To
explore more of its functionality, consult sendmail.org, documentation from the send-
mail-docs package, or a book dedicated to Sendmail configuration and maintenance.
The /etc/mail/ directory contains all the Sendmail configuration files, with sendmail.cf
and submit.cf being the main configuration files. The sendmail.cf file includes options
for the mail transmission agent and accepts SMTP connections for sending email. The
submit.cf file configures the mail submission program. However, these files should not
be edited directly.
Instead, edit the /etc/mail/sendmail.mc and /etc/mail/submit.mc files. When Sendmail is
started or restarted with the service command as described in the "Starting and Stopping
the Server" section, a new sendmail.cf file is automatically generated if sendmail.mc has
been modified, and a new submit.cf is generated if submit.mc has been modified.
In the sendmail.mc and submit.mc files, lines that begin with dnl, which stands for delete
to new line, are considered comments. Some lines end with dnl, but lines ending in dnl are
not comments.
Only the root user can modify files in the /etc/mail/ directory. The /etc/mail/ directory
also includes the following configuration files:
access
List of hosts that are allowed to send email from this server. Refer to /usr/
share/doc/sendmail/README.cf from the sendmail-docs package for details.
domaintable
Table of old domain names and their new domain names in case they have
changed.
helpfile
Text file containing the content displayed for the SMTP HELP command.
local-host-names
If the email server should be known by different hostnames, list the host-
names in this file, one line per hostname. Any email sent to addresses at these
hostnames is treated as local mail. The FEATURE(`use_cw_file') option must
be enabled in the sendmail.mc file for this file to be referenced.
mailertable
Table of domains and what mailer and domain they should be routed to.
FEATURE(`mailertable') must be enabled in sendmail.mc.
trusted-users
List of users that can send email as other users without a warning, including
system users such as apache for the Apache HTTP Server.
virtusertable
List of email addresses or domain names (meaning all email addresses at that
domain) along with an email address to forward them to or an error code to
return for the email address.
TIP
Further details about all these files can be found in /usr/share/doc/sendmail/
README.cf from the sendmail-docs package.
Some of these configuration files are similar to sendmail.mc and submit.mc in that they are
not the actual files referenced by Sendmail. If the access, domaintable, mailertable, or
virtusertable file is modified, the corresponding database file referenced by Sendmail
must be regenerated. When the service sendmail {start,reload,restart} command is
executed, the initialization script calls the makemap utility to regenerate these database files.
An additional configuration file, /etc/aliases, can be used to redirect email from one
user to another. By default, it includes redirects for system accounts to the root user. It
can then be used to redirect all email for the root user to the user account for the system
administrator. If this file is modified, the Sendmail service must be restarted so that the
initialization script runs the newaliases utility to rebuild the aliases database referenced
by Sendmail.
By default, Sendmail in Red Hat Enterprise Linux is configured to only accept connections
from the local system through the loopback device (127.0.0.1). To modify this behavior,
locate the following line in /etc/mail/sendmail.mc:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Either comment out the line completely by prepending it with dnl and a space, or change
the loopback address (127.0.0.1) to the IP address of the network device listen-
ing for Sendmail connections.
Sendmail can only deliver email to a user's mail spool in /var/spool/mail/ if the user
exists on the system. For each email account, create a user account or configure network
authentication such as NIS for the system. The directories that contain email such as
/var/spool/mail/ and, by default, the Mail/ directory in each user's home directory if
you are using IMAP should not be located on an NFS share because the user or group ID
of the files can be duplicated on a system mounting the share, granting anyone access to
the email files. Also, it is good practice to only allow the root user to log in to the email
server for better security. Users should retrieve their email from an email client running
on another system and should have no need to log in to the email server directly.
Using SSL Encryption
Sendmail can be configured to encrypt email sent and received using SSL (secure sockets
layer). First, generate an SSL certificate. You can either create a self-signed certificate or
purchase one from verisign.com or other similar third-party companies.
To generate a self-signed certificate, open a terminal and use the su - command to
change to the root user if you are logged in as a non-root user. Change into the
/etc/pki/tls/certs/ directory, and execute the make sendmail.pem command. You will
be prompted for information such as the location of the company, company name, and
email address. Listing 18.1 shows this process with the example data provided in bold.
LISTING 18.1 Generating a Self-Signed SSL Certificate
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes \
-x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > sendmail.pem ; \
echo "" >> sendmail.pem ; \
cat $PEM2 >> sendmail.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.......++++++
........................++++++
writing new private key to '/tmp/openssl.y25478'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:TCBF Computers Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:My hostname
Email Address []:admin@example.com
Next, configuration changes in /etc/mail/sendmail.mc must be made. Uncomment the
following line by removing the dnl prefix:
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
After removing the dnl prefix, it should look like the following:
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
Also uncomment the following lines so Sendmail knows how to locate the SSL certificate
just generated:
define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
CAUTION
The formatting of the sendmail.mc file is sensitive. Be sure not to use extra white
space or blank lines. Doing so will cause errors when the file is converted to the
sendmail.cf file.
Sendmail must be restarted for the changes to take effect. Restart it by executing the
service sendmail restart command as the root user.
Starting and Stopping the Server
Sendmail can be started, stopped, and restarted with the service command as root. After configuring Sendmail, start the server with the service sendmail start command. When the Sendmail service is started with this command or restarted with service sendmail restart, changes to the configuration files in /etc/mail/ are automatically enabled as previously discussed.
The command service sendmail status displays whether the service is running. The command service sendmail reload enables any changes made to the /etc/mail/ configuration files.
To configure the Sendmail service to start automatically at boot time, use the following command as root:
chkconfig sendmail on
Using POP and IMAP
After the emails arrive on the server, users can retrieve them with an email client such as Evolution or Thunderbird. While some email clients can be configured to read email directly from the user's spool file in /var/spool/mail/, this can be inconvenient because the mail client must be run on the email server and the emails have not been run through any filters to sort them into easier-to-manage email folders. All emails are aggregated into one file, and when the number of emails becomes large (greater than 1,000), reading email directly from the mail spool can be inefficient. Two popular protocols for retrieving email are POP and IMAP.
The latest version of POP, or Post Office Protocol, is pop3. It works by "popping" the email messages off the user's spool on the email server and saving them in folders on the user's local system running the email client. By default, the email is deleted from the email server after it is saved locally. Optionally, the email client can be configured to filter the mail into different mail folders before saving them on the local system. By default, emails retrieved using POP are not encrypted, but an encrypted version of pop3 can be set up on the server and used if the email client supports it.
Because the email is stored in local mail folders, one disadvantage is that the user must always check email from the same computer (locally or remotely). Because the email is removed from the email server by default (clients can be configured to leave the email on the server even after it is copied locally), a disk failure on the user's computer can result in loss of email unless the email folders are part of a routine backup plan.
IMAP, or Internet Message Access Protocol, can also be used to retrieve email from a server. However, unlike POP, the messages are kept on the server, including the email folders used to organize the messages. The main advantage of IMAP is that users can open any email client with IMAP support on any computer that has access to the email server and see all their email, complete with email folders and sent mail. Because all the email is stored on the server, the client is simply used to allow the user to read email off the server. Messages can optionally be copied to the user's local system so they can be read while not connected to the network, but the email is still kept on the server unless specifically deleted by the user.
By default, the IMAP connection is not encrypted, but an encrypted version of IMAP can be configured on the server. IMAP also simplifies an administrator's backup procedure because he only needs to back up the directories that store email on the email server instead of on each user's computer. If a user has a disk failure on her computer, she can log in to another computer and continue reading her email while the disk failure is fixed.
Enabling POP and IMAP
After setting up Sendmail on the email server, install the dovecot RPM package to set up the IMAP and/or POP protocols. Refer to Chapter 3, "Operating System Updates," for details on how to install an RPM package.
In /etc/dovecot.conf find the following line and uncomment it (lines that begin with # are comments):
protocols = imap imaps pop3 pop3s
By default, the line lists the protocols for IMAP, IMAP over SSL, POP, and POP over SSL. If you don't want to enable all of these, remove the unwanted ones from the list. Next, start Dovecot with the service dovecot start command as root.
The /etc/dovecot.conf file contains many more options for customizing Dovecot. The comments in the configuration file offer brief descriptions of the variables. Refer to /usr/share/doc/dovecot-<version>/configuration.txt, the other files in the /usr/share/doc/dovecot-<version>/ directory, and dovecot.org for details.
Enabling POP and IMAP with SSL
To use the secure versions of POP and IMAP (pop3s and imaps), you need to generate an SSL certificate. Dummy certificates are generated when the dovecot RPM package is installed, but they should only be used for testing purposes because they do not show the correct hostname for the email server or location. A self-signed certificate can be generated with the /usr/share/doc/dovecot-<version>/examples/mkcert.sh script. An SSL certificate issued by a trusted third party can be purchased from sites such as verisign.com.
Before running the mkcert.sh script, modify /etc/pki/dovecot/dovecot-openssl.cnf with the correct values for your server. For example, the CN option for Common Name needs to be set to the domain name of the email server. Also, in mkcert.sh, you need to modify the location of the SSLDIR variable to the default directory Dovecot expects the SSL keys to be located in. It should read as follows:
SSLDIR=${SSLDIR-/etc/pki/dovecot}
The mkcert.sh script will not overwrite existing keys, so move the default keys created, /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem, into a backup directory or rename them. The script also assumes the dovecot-openssl.cnf file is in the current working directory, so change into the /etc/pki/dovecot/ directory as root, and execute the script using the full path to its location: /usr/share/doc/dovecot-<version>/examples/mkcert.sh, where <version> is the version of Dovecot installed. If the script successfully creates the keys, the output will look similar to the following:
Generating a 1024 bit RSA private key
....++++++
......................................................++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
subject= /C=US/ST=North Carolina/L=Raleigh/OU=IMAP server/CN=host.example.com/emailAddress=postmaster@example.com
SHA1 Fingerprint=83:93:A8:A8:51:1F:28:08:41:12:14:85:72:5E:58:48:83:80:88:48
To test the connection, use the command telnet localhost <port>, where <port> is 110 for POP, 143 for IMAP, 995 for POP over SSL, and 993 for IMAP over SSL. If Dovecot is configured properly and listening for connections, you should see the following:
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.
Also, test the protocols from an email client. If imaps or pop3s is enabled, the client will ask you to accept the SSL certificate before prompting for a password.
CAUTION
If the /etc/dovecot.conf file is modified while the service is running, be sure to enable the changes with the service dovecot reload command as root.
Logging Sendmail Connections
Sendmail uses the syslog facility to write log entries to the /var/log/maillog file. Each entry includes information such as the recipient of the email, when it was sent, and the delivery status. For example:
maillog:May 23 22:46:27 examplehostname sendmail[29858]: k4O2kMur029858: to=tfox@linuxheadquarters.com, ctladdr=tfox (501/501), delay=00:00:05, xdelay=00:00:05, mailer=relay, pri=42830, relay=127.0.0.1 [127.0.0.1], dsn=2.0.0, stat=Sent (k4O2kMrO029859 Message accepted for delivery)
Because the syslog facility is used, the log file is rotated periodically, and the previous five log files are kept. The old log files are named maillog.X, where X is a number. The larger the number, the older the log file.
The log level can be set in sendmail.mc and defaults to level 9. Levels under 10 are considered useful, levels 11-64 are verbose, and levels above 64 are for debugging. Further explanation on the commonly used log levels can be found in /usr/share/doc/sendmail/doc/op/op.ps. Remember to enable the changes with the service sendmail reload command if you modify the log level.
Basic statistics are also recorded for Sendmail in the /var/log/mail/statistics file. The file is not stored in plain text, so the mailstats utility must be used to read it. As root, execute the mailstats command to display the Sendmail stats. By default, it reads the statistics from the /var/log/mail/statistics file (or whatever file is specified for StatusFile in sendmail.mc). To specify a different file, use the mailstats -f <filename> command, where <filename> is the alternate file name and location. Listing 18.2 shows sample output.
LISTING 18.2 Example Sendmail Statistics
Statistics from Sat Mar 25 16:04:28 2006
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis msgsqur  Mailer
 4     1054       5467K     1004       6030K        0       0       0  esmtp
 9     2079       7248K     2075       8230K        0       0       0  local
=============================================================================
 T     3133      12716K     3079      14260K        0       0       0
 C     3133                 3079                    0
As you can see from Listing 18.2, the mailstats output starts with the date on which the statistics shown began. The next lines before the line of equals (=) characters contain statistics for each mailer with the columns described in Table 18.1.
TABLE 18.1 mailstats Columns
Column       Description
M            Mailer number
msgsfr       Number of messages received from the mailer
bytes_from   Kilobytes received from the mailer
msgsto       Number of messages to the mailer
bytes_to     Kilobytes sent to the mailer
msgsrej      Number of rejected messages
msgsdis      Number of discarded messages
msgsqur      Number of quarantined messages (specific messages marked as quarantined so they are not delivered or displayed)
Mailer       Name of the mailer
The line that begins with T lists the totals for all the mailers, and the last row that begins with C shows the number of TCP connections.
By default, Dovecot also logs to the /var/log/maillog file, as in the following entry for a login attempt:
Jun 12 13:52:26 hostname dovecot: imap-login: Login: user=<tfox>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, TLS
To write Dovecot log files to a separate log file, use the log_path variable in /etc/dovecot.conf such as
log_path = /var/log/dovecot
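Because Sendmail delivery records and Dovecot login records share /var/log/maillog, a first look at the file usually means counting delivery outcomes (the stat= field) and logins per user. The script below is an added example, not part of the book; the log lines in sample_maillog are constructed for it, with placeholder hostnames, users and queue IDs in the format shown above.

```sh
#!/bin/sh
# Added example (not from the book): summarize the Sendmail and Dovecot
# entries in a maillog. Sendmail delivery attempts are counted per stat=
# value (Sent, Deferred, ...) and Dovecot logins per user; a sudden pile of
# Deferred entries or of logins for one account is what an administrator
# wants to notice first. Helper names are this example's own.

# maillog_summary < maillog: print "sendmail <status> <n>" and
# "dovecot <user> <n>" lines, one per distinct value, sorted.
maillog_summary() {
    awk '
        # Sendmail delivery attempt: the stat= field carries the outcome.
        /sendmail\[[0-9]+\]:/ && / stat=/ {
            s = $0
            sub(/.* stat=/, "", s)        # drop everything before stat=
            sub(/[ (:].*/, "", s)         # keep the first word only
            stat[s]++
            next
        }
        # Dovecot login record: count logins per user.
        /dovecot: (imap|pop3)-login: Login: / {
            s = $0
            sub(/.*user=</, "", s)
            sub(/>.*/, "", s)
            login[s]++
        }
        END {
            for (k in stat)  printf "sendmail %s %d\n", k, stat[k]
            for (k in login) printf "dovecot %s %d\n", k, login[k]
        }' | sort
}

# summary_count KIND KEY: the count that maillog_summary reports for one
# KIND ("sendmail" or "dovecot") and KEY (a status or a user), from the sample.
summary_count() {
    sample_maillog | maillog_summary \
      | awk -v k="$1" -v v="$2" '$1 == k && $2 == v { print $3 }'
}

# sample_maillog: constructed log lines in the format shown above.
sample_maillog() {
    cat <<'EOF'
May 23 22:46:27 examplehostname sendmail[29858]: k4O2kMur029858: to=tfox@linuxheadquarters.com, ctladdr=tfox (501/501), delay=00:00:05, xdelay=00:00:05, mailer=relay, pri=42830, relay=127.0.0.1 [127.0.0.1], dsn=2.0.0, stat=Sent (k4O2kMrO029859 Message accepted for delivery)
May 23 22:47:01 examplehostname sendmail[29860]: k4O2l1Qe029860: to=<user@example.com>, delay=00:00:30, xdelay=00:00:30, mailer=esmtp, pri=120000, relay=mail.example.com. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection refused by mail.example.com.
May 23 22:47:05 examplehostname sendmail[29858]: k4O2kMur029858: from=tfox, size=1234, class=0, nrcpts=1, msgid=<placeholder@example.com>, relay=tfox@localhost
Jun 12 13:52:26 hostname dovecot: imap-login: Login: user=<tfox>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, TLS
Jun 12 13:53:10 hostname dovecot: pop3-login: Login: user=<tfox>, method=PLAIN, rip=::ffff:192.0.2.5, lip=::ffff:192.0.2.1
Jun 12 13:54:00 hostname dovecot: imap-login: Login: user=<jdoe>, method=PLAIN, rip=::ffff:192.0.2.7, lip=::ffff:192.0.2.1, TLS
EOF
}

# Usage on a live server: maillog_summary < /var/log/maillog
```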
Allowing Email Connections
By default, Sendmail uses TCP and UDP port 25 for non-encrypted transfers. If the Sendmail server is configured to use SSL for encrypting email sent and received, it uses port 465. If you also enable the POP protocol for users to retrieve email, allow port 110 for insecure POP connections or port 995 for secure POP over SSL. If you enable IMAP, allow port 143 for insecure IMAP connections or port 993 for secure IMAP over SSL. Verify that your firewall settings on the mail server allow incoming and outgoing requests on the appropriate port.
If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for details on how to allow these ports.
If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a user. Click Add next to the Other ports table to add the appropriate ports.
TIP
If setting up an internal email server, be sure to configure it to accept connections only from IP addresses within your private network. If the email server is accessible over the Internet and accepts email to be sent from any computer, it could be used by unauthorized users to send spam, or junk email, to people.
Summary
In most companies today, email is vital to internal communications. In many companies, it has replaced paper memos and bulletin board notices. This chapter described the path an email takes after being sent. It then provided steps for setting up an email server on Red Hat Enterprise Linux using Sendmail. If used in conjunction with Dovecot, the same server used to send email can also support the IMAP and POP protocols for retrieving email. Sendmail, POP, and IMAP can all be configured with an SSL certificate so email sent and received is encrypted, making it harder to read if intercepted over the network.
IN THIS CHAPTER
The xinetd Super Server
Transferring Files with FTP
Keeping Accurate Time with NTP
Creating a Network Printer with CUPS
CHAPTER 19
Explaining Other Common Network Services
This chapter describes the xinetd, FTP, NTP, and CUPS network services including how to configure them, how to connect to them, and what ports they use so administrators can configure firewall settings for them.
These four services have one thing in common: when configured, they generally do not require much maintenance other than checking for security updates via Red Hat Network.
The xinetd Super Server
Not all services have their own initialization script for starting, stopping, and checking the status of the daemon. Some network services are controlled by xinetd, also known as the super server. Running services through xinetd allows the administrator to utilize xinetd features such as access control, custom logging, and limits on the incoming connection rate.
The xinetd service listens on all ports used by the daemons it controls. When a connection is requested, xinetd determines if the client is allowed access. If the client is allowed access, xinetd starts up the desired service and passes the client connection to it.
The xinetd RPM package must be installed to use this super server. If it is not, install it via Red Hat Network as discussed in Chapter 3, "Operating System Updates."
Configuring the xinetd Server
The xinetd super daemon uses the /etc/xinetd.conf file as the master configuration file and the /etc/xinetd.d/ directory for configuration files per service controlled by xinetd. This section discusses how to use these files to configure xinetd and its services.
NOTE
For both /etc/xinetd.conf and the files in the /etc/xinetd.d/ directory, lines that begin with a hash mark (#) are considered comments and ignored. Blank lines are also ignored.
Master xinetd Configuration File
Listing 19.1 shows the default xinetd global configuration file, /etc/xinetd.conf. This file contains settings that apply to all services controlled by xinetd unless the file in /etc/xinetd.d/ for a specific service overrides these default values. If changes are made to this file, execute the service xinetd reload command to enable the changes.
LISTING 19.1 xinetd Global Configuration File
#
# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.

defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
#       enabled         =
#       disabled        =

# Define general logging characteristics.
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION EXIT

# Define access restriction defaults
#
#       no_access       =
#       only_from       =
#       max_load        = 0
        cps             = 50 10
        instances       = 50
        per_source      = 10

# Address and networking defaults
#
#       bind            =
#       mdns            = yes
        v6only          = no

# setup environmental attributes
#
#       passenv         =
        groups          = yes
        umask           = 002

# Generally, banners are not used. This sets up their global defaults
#
#       banner          =
#       banner_fail     =
#       banner_success  =

}

includedir /etc/xinetd.d
NOTE
Each of the attributes in Listing 19.1 is explained in the following text. However, notice that some are commented out by default because setting them to a blank value has meaning.
The first two options inside the default section of xinetd.conf are enabled and disabled. Enabling and disabling xinetd services should be done in the individual service files in the /etc/xinetd.d/ directory with the disable attribute set to yes or no as described in the next section, "Individual xinetd Service Files." Using the enabled and disabled options in xinetd.conf is only recommended for temporary situations such as testing or if you think your system has been compromised and need to turn off all the unnecessary services. To use one or both of these attributes, uncomment one or both of them first.
The enabled option can be used to list services that are allowed to accept connections. The services listed with this option still need to be enabled in their individual service files in /etc/xinetd.d/ by setting the disable attribute to no and making sure the DISABLE flag is not listed in the flags attribute. If the disabled option is not set, only the xinetd services in the enabled list are allowed to accept connections.
If the disabled option is set, only the xinetd services in the enabled list accept connections unless they are also in the disabled list. All services listed with the disabled option are not allowed to accept connection requests.
Both attributes accept a space-separated list of service IDs. For both these options, the service ID must be used, not the service name. In the individual service files in /etc/xinetd.d/, the id attribute sets the service ID to a unique identifier. If an ID is not given, the ID defaults to the service name. Most service IDs are the same as the service names, but be sure to double-check when using them with the enabled and disabled attributes.
The next set of attributes in the default settings control logging. They are as follows:
log_type: Set the log service. If set to SYSLOG <facility>, the syslog facility specified is used. If set to FILE <file>, logs are written to the specified file.
log_on_failure: Set what is logged when a server cannot be started or a connection is refused by access control. Refer to the man page for xinetd.conf for a complete list of values. With the default xinetd.conf settings, the remote host address is logged.
log_on_success: Set what type of messages are logged when an xinetd service is started or when one of them exits. Refer to the man page for xinetd.conf for a complete list of values. With the default xinetd.conf settings, the remote host address and the service process ID are logged.
The next group of attributes sets the defaults for access control. Refer to the "Allowing xinetd Connections" section later in this chapter for details.
The next three attributes are address and network default values. The bind and mdns attributes are listed but commented out by default. The usage of these attributes is as follows:
bind: To only listen for connections on a specific interface, set this value to the IP address of the interface.
mdns: Set to yes to enable mdns registration, which is currently only available on Mac OS X. Set to no to disable mdns registration.
v6only: Set to yes to use IPv6 only. Set to no by default to use both IPv4 and IPv6.
Three environmental attributes are listed as well:
passenv: Commented out by default. If set to a list of environment variables, the values are passed to the service started by xinetd when a connection is requested and allowed to be passed on. If set to a blank value, no variables are passed on except those listed with the env attribute.
groups: If set to yes, the server is executed with access to the groups accessible by the effective UID of the server. If set to no, the server does not have access to any additional groups. If set to a list of group names, the server is given access to the groups listed.
umask: Set the default umask for the xinetd services. (The umask can be set for individual services in the individual service file in the /etc/xinetd.d/ directory.)
The very last line in xinetd.conf utilizes the includedir attribute. It tells the super daemon to use the individual service files in the /etc/xinetd.d/ directory.
Individual xinetd Service Files
Each xinetd service has a configuration file in the /etc/xinetd.d/ directory. For example, the xinetd configuration file for rsync is /etc/xinetd.d/rsync as shown in Listing 19.2.
LISTING 19.2 xinetd Configuration File for rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
Any of the default attributes from /etc/xinetd.conf can be overwritten in these individual service files. Refer to the xinetd.conf man page with the man xinetd.conf command for a complete list of attributes.
Important attributes listed in the configuration file for each xinetd service include disable, user, and server. The disable attribute determines whether or not the service is accepting incoming connections via xinetd. If set to no, xinetd will hand off connections to it if the client first passes through the xinetd access control. Setting it to yes disables the service. The user specified with the user attribute can be set to a username or a UID. If set to a username, it must be resolvable to a UID from /etc/passwd. This UID owns the server process for the individual xinetd service. The server attribute specifies the program executed if the service is enabled. To enable changes made to the configuration files in /etc/xinetd.d/, use the service xinetd reload command.
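With a dozen files under /etc/xinetd.d/, the questions an administrator asks are which services are actually enabled and which of those run as root. The script below answers both from the disable, flags, user and server attributes described above. It is an added example, not from the book or from xinetd itself: the attribute parsing is its own, and the three service files written by make_sample_xinetd_d are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the book): list every service file in an xinetd.d
# directory with its effective state and the user its server runs as, then
# pick out the enabled ones that run as root. A service counts as enabled
# when "disable" is not "yes" and the flags attribute does not contain
# DISABLE, as the text above explains. Helper names are this example's own.

# xinetd_attr FILE NAME: value of attribute NAME in FILE (first occurrence),
# skipping comment lines and accepting both the "=" and "+=" forms.
xinetd_attr() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        $1 == name && ($2 == "=" || $2 == "+=") {
            $1 = ""; $2 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# xinetd_audit DIR: one line per service file:
#   <service> <enabled|disabled> <user> <server>
xinetd_audit() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        svc=$(awk '$1 == "service" { print $2; exit }' "$f")
        state=enabled
        if [ "$(xinetd_attr "$f" disable)" = "yes" ]; then state=disabled; fi
        case " $(xinetd_attr "$f" flags) " in
            *" DISABLE "*) state=disabled ;;
        esac
        user=$(xinetd_attr "$f" user)
        server=$(xinetd_attr "$f" server)
        echo "${svc:-$(basename "$f")} $state ${user:-unset} ${server:-unset}"
    done
}

# xinetd_enabled_as_root DIR: names of enabled services whose server runs
# as root; these deserve the first look when reviewing the host.
xinetd_enabled_as_root() {
    xinetd_audit "$1" | awk '$2 == "enabled" && $3 == "root" { print $1 }'
}

# make_sample_xinetd_d: constructed xinetd.d directory with three services
# (one disabled, one enabled as root, one disabled through the flags attribute).
make_sample_xinetd_d() {
    d=$(mktemp -d)
    cat > "$d/rsync" <<'EOF'
# default: off
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
EOF
    cat > "$d/tftp" <<'EOF'
service tftp
{
        disable         = no
        socket_type     = dgram
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /tftpboot
}
EOF
    cat > "$d/finger" <<'EOF'
service finger
{
        disable         = no
        flags           = DISABLE
        socket_type     = stream
        wait            = no
        user            = nobody
        server          = /usr/sbin/in.fingerd
}
EOF
    echo "$d"
}

# Usage on a live server: xinetd_audit /etc/xinetd.d
```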
Starting and Stopping xinetd
To start, stop, and restart xinetd, use the following command as root:
service xinetd <command>
Replace <command> with one of the following:
start: Start the xinetd service.
stop: Stop the xinetd service.
status: Show the status of xinetd.
restart: Stop the service if it is running, then start xinetd. If the service is not already running, the stop action will fail, but the start action will still be called.
condrestart: If the service is already running, and only if the service is already running, restart it.
reload: Reload the server configuration to enable changes to the configuration files.
To have xinetd start at boot time, execute the following as root:
chkconfig xinetd on
Allowing xinetd Connections
Access control can be configured in the individual files in the /etc/xinetd.d/ directory. When a request is made, the TCP wrappers access control configuration is checked first. If the client is denied access from the TCP wrappers rules, the connection is denied. If the client is allowed access from the TCP wrappers rules, the attributes in the individual /etc/xinetd.d/ files and the /etc/xinetd.conf file are checked. Both forms of access control can be used in conjunction with each other.
TCP Wrappers and xinetd
The xinetd services are protected by TCP wrappers, which provide a mechanism for allowing and denying access to the services. Two files are used to control access: /etc/hosts.allow and /etc/hosts.deny.
NOTE
xinetd is not the only network service protected by TCP wrappers. For example, in Red Hat Enterprise Linux, both vsftpd and sshd are compiled against the TCP wrappers library.
As the names imply, the hosts.allow file contains a list of clients allowed access to specific daemons, and the hosts.deny file contains rules denying client access. The files are read from top to bottom, so as soon as a rule to allow or deny access is found, that rule is applied, and the rest of the file is not read.
The hosts.allow file is read first. If both files contain rules that contradict each other, the first rule in hosts.allow takes precedence. If no rules are found for a client, access is granted. The access files are referenced each time a request is made, so changes to them take effect immediately without restarting any daemons.
Both hosts.allow and hosts.deny use the same file format. Blank lines and lines that begin with the hash mark (#) are ignored. If a line ends with the backslash character (\), the next line is considered a continuation of the previous line without the newline character. All other lines have the following format:
daemon_list : client_list : options
Only the daemon_list and client_list are required. The daemon_list is a list of one or more daemons separated by commas. Wildcards can be used for this list. The client_list is a list of hostnames, IP addresses, patterns, or wildcards allowed or denied access (depending on the file in which it is listed) to the daemons in the daemon_list.
In the client_list, the following patterns can be used:
A pattern that begins with a period specifies all hostnames that end with the pattern. For example, the pattern .example.com matches the hostname host.example.com.
A pattern that ends with a period specifies all IP addresses that begin with the pattern. For example, the pattern 192.168. includes 192.168.0.2.
A pattern that begins with the @ character is used to specify an NIS netgroup name.
A pattern in the form of a netmask pair such as 192.168.1.0/255.255.255.0 can be used to specify a subnet.
A pattern in the form of a [net]/prefixlen pair or [n:n:n:n:n:n:n:n]/m can be used to specify a network.
A pattern is considered a filename if it begins with a forward slash (/). The file should contain zero or more lines with zero or more hostname or address patterns separated by whitespace.
Some patterns can use the * or ? character as a wildcard. It can't be used in conjunction with the following patterns: netmask matching, hostname pattern that begins with a period, or IP address pattern that ends with a period.
In the daemon_list and client_list, the following wildcards can be used:
ALL: The universal wildcard, always matches.
LOCAL: Any hostname that doesn't contain a dot character.
UNKNOWN: Any user whose name is unknown and any host whose name or address is unknown.
KNOWN: Any user whose name is known and any host whose name and address are known. Use this pattern with caution: Hostnames may be temporarily unavailable due to DNS issues.
PARANOID: Any hostname that doesn't match its address.
In both daemon_list and client_list, the EXCEPT operator can be used to exclude names from the list. However, use caution with this operator because it makes it more difficult for administrators to read the access rules.
TIP
Use the command man 5 hosts_access to learn more about the hosts.allow and hosts.deny files.
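The evaluation order just described (hosts.allow first, then hosts.deny, first matching rule wins, and access granted when nothing matches) is easy to get wrong in a rule set, so it helps to be able to ask "what happens to this client?" before relying on the files. The following script emulates that decision for the pattern forms listed above. It is an added example and not the TCP wrappers library itself: @netgroups, /file references, EXCEPT, options and IPv6 are not implemented (tcpdmatch(8) exercises the real library), and the hosts.allow and hosts.deny files written by make_sample_wrappers are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the book): emulate the TCP wrappers decision for a
# hosts.allow/hosts.deny pair. Supported: ALL, LOCAL, leading-dot hostname
# suffixes, trailing-dot address prefixes, net/netmask pairs, exact names or
# addresses, and backslash continuation lines. Helper names are this
# example's own.

# ip_to_int A.B.C.D: dotted quad as an integer, for netmask comparisons.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# match_token PATTERN NAME ADDR: does one client_list pattern match a client
# whose hostname is NAME and whose IPv4 address is ADDR?
match_token() {
    pat=$1; name=$2; addr=$3
    case $pat in
        ALL)   return 0 ;;
        LOCAL) case $name in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case $name in *"$pat") return 0 ;; esac; return 1 ;;  # .example.com
        *.)    case $addr in "$pat"*) return 0 ;; esac; return 1 ;;  # 192.168.
        */*)   net=${pat%/*}; mask=${pat#*/}                         # net/netmask
               if [ $(( $(ip_to_int "$addr") & $(ip_to_int "$mask") )) -eq \
                    $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ]; then
                   return 0
               fi
               return 1 ;;
        *)     if [ "$pat" = "$name" ] || [ "$pat" = "$addr" ]; then return 0; fi
               return 1 ;;
    esac
}

# daemon_matches LIST DAEMON: ALL or an exact daemon name in the comma list.
daemon_matches() {
    for tok in $(echo "$1" | tr ',' ' '); do
        if [ "$tok" = ALL ] || [ "$tok" = "$2" ]; then return 0; fi
    done
    return 1
}

# client_matches LIST NAME ADDR: any pattern in the comma list matches.
client_matches() {
    for tok in $(echo "$1" | tr ',' ' '); do
        if match_token "$tok" "$2" "$3"; then return 0; fi
    done
    return 1
}

# first_match FILE DAEMON NAME ADDR: print the first rule in FILE that
# matches (files are read top to bottom and the first hit wins).
first_match() {
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next }   # join continuation lines
           line = buf $0; buf = ""
           if (line ~ /^[[:space:]]*#/ || line ~ /^[[:space:]]*$/) next
           print line }' "$1" |
    while IFS= read -r line; do
        daemons=${line%%:*}; rest=${line#*:}; clients=${rest%%:*}
        if daemon_matches "$daemons" "$2" && client_matches "$clients" "$3" "$4"; then
            echo "$line"; break
        fi
    done
}

# hosts_access ALLOW DENY DAEMON NAME ADDR: print the verdict and the rule
# that produced it; return 0 for allow, 1 for deny.
hosts_access() {
    rule=$(first_match "$1" "$3" "$4" "$5")
    if [ -n "$rule" ]; then echo "allow ($1): $rule"; return 0; fi
    rule=$(first_match "$2" "$3" "$4" "$5")
    if [ -n "$rule" ]; then echo "deny ($2): $rule"; return 1; fi
    echo "allow: no rule matched"; return 0
}

# make_sample_wrappers: constructed hosts.allow and hosts.deny in a temp dir.
make_sample_wrappers() {
    d=$(mktemp -d)
    cat > "$d/hosts.allow" <<'EOF'
# LAN reaches every wrapped service; one admin host and 10.0.0.* reach sshd
ALL: 192.168.1.0/255.255.255.0
sshd: admin.example.com, \
      10.0.0.
EOF
    printf '%s\n' '# deny whatever hosts.allow did not admit' 'ALL: ALL' > "$d/hosts.deny"
    echo "$d"
}
```

A hosts.deny that ends with ALL: ALL, as in the sample, turns the "no rule matched means allow" default into an explicit deny for every wrapped daemon not listed in hosts.allow.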
Individual Access Control for xinetd
The default /etc/xinetd.conf file lists most of the access control attributes. They can be given default values in /etc/xinetd.conf and can also be given values per individual service in the individual service files in the /etc/xinetd.d/ directory.
The no_access and only_from attributes can be used together to accept or deny connections from specific hosts. Hosts in the no_access list are not granted connectivity to xinetd services by default. Hosts in the only_from list are granted access to xinetd services by default.
Remember these attributes can be redefined in the individual service files to grant or deny hosts access to specific xinetd services. The no_access and the only_from attributes are commented out by default because setting only_from to a blank value denies all hosts.
Both accept a list of hosts in the following formats:
IPv4 or IPv6 individual IP address, such as 192.168.10.4.
IPv4 address range denoted by using 0 as a wildcard in the right-most numbers of the IP address, such as 192.168.10.0 to match 192.168.10.1 through 192.168.10.254. 0.0.0.0 matches all IP addresses.
Factorized IPv4 address, such as the form X.X.X.{X,X,X,...}, where the last number in the IP address is factorized. If all four integers in the IP are not specified, the remaining integers are assumed to be 0, which is interpreted as a wildcard. For example, 192.168.10.{1,5,6} represents the 192.168.10.1, 192.168.10.5, and 192.168.10.6 addresses.
Network name from /etc/networks. Only works for IPv4 addresses.
Specific hostname such as server.example.com.
Domain such as example.com. All hosts with this domain such as server.example.com match.
IP address/netmask range such as 192.168.10.0/32 for IPv4 and 1234::/46 for IPv6.
If an IP address or hostname matches both lists, the more specific match takes precedence. For example, assume that the no_access attribute includes 192.168.10.0 and the only_from attribute includes 192.168.10.4. If the host 192.168.10.4 tries to connect to an xinetd service, it is granted access because it matches both lists but the specific IP address is in the only_from list.
The other attributes for access control are as follows:
max_load: Commented out by default. If set to a floating point value that represents the one minute load average, the service stops accepting connections when this load is reached.
cps: Set the rate of the incoming connections. Two integer values must be specified. The first integer is the number of connections per second to allow. If the rate of incoming connections exceeds this number, the service is temporarily disabled. The second number is the number of seconds to wait before re-enabling the service.
instances: Maximum number of xinetd connections allowed to be active. If set to UNLIMITED, there is no limit.
per_source: Set the maximum number of service instances per IP address.
access_times: Set the time intervals when the service is available in the form hour:min-hour:min. Connections are accepted at the bounds of the interval.
1ransferr|ng F||es w|th F1P
ETF sIands or lle Transjer lrotocol. An ETF server allows clienIs Io connecI Io iI eiIher
anonymously or wiIh a username and password combinaIion. AIer successul auIhenIica-
Iion, iles can be Iranserred back and orIh beIween Ihe server and clienI. The iles are
neiIher encrypIed nor compressed.
CAU1I0N
Beoause the flles are not enorypted, use oautlon when transferrlng flles lf they oontaln
sensltlve lnformatlon. ^nyone on the same network, lnoludlng the lnternet lf the trans
fer goes over the publlo lnternet, oan lnteroept the flles as well as the username and
password used to oonneot to the FTl server.
FTP and SELinux
If SELinux, a mandatory access control security mechanism, is set to enforcing mode, the
FTP daemon is protected by it. Refer to Chapter 23 for details on SELinux.
If the FTP daemon is configured to share files anonymously, the shared files must be
labeled with the public_content_t security context such as the following for the /var/ftp/
directory:
chcon -R -t public_content_t /var/ftp/
After setting up an uploads directory, you must set the security context of it to
public_content_rw_t such as the following for the /var/ftp/incoming/ directory:
chcon -R -t public_content_rw_t /var/ftp/incoming/
CAUTION
If the filesystem is relabeled for SELinux, the security context changes you make will
be overwritten. To make your changes permanent even through a relabel, refer to the
"Making Security Context Changes Permanent" section in Chapter 23.
To allow users to write to the uploads directory, you must also enable the
allow_ftpd_anon_write boolean with the following command:
setsebool -P allow_ftpd_anon_write=1
To verify that the setting has been changed, execute the following:
getsebool allow_ftpd_anon_write
If enabled, the output should be the following:
allow_ftpd_anon_write --> on
To share home directories on the FTP server, execute the following:
setsebool -P ftp_home_dir=1
You can also change these boolean values by running the SELinux Management Tool. Start
it by selecting Administration, SELinux Management from the System menu on the top
panel of the desktop or by executing the system-config-selinux command. Enter the
root password when prompted if running as a non-root user. Select Boolean from the list
on the left. On the right, click the triangle icon next to FTP. The SELinux booleans affecting
FTP appear. Changes take effect immediately after changing the value of the check
box next to the boolean.
TIP
The SELinux booleans that affect the FTP server are described in the ftpd_selinux man
page viewable with the man ftpd_selinux command.
Configuring the FTP Server
Red Hat Enterprise Linux 5 includes the vsftpd FTP service. If the vsftpd package is not
already installed, install it with Red Hat Network as discussed in Chapter 3.
The FTP server uses the /etc/vsftpd/vsftpd.conf configuration file. Using this file, you
can set options for displaying a custom banner message after users log in, setting the
default file permissions for uploaded files, and setting the port on which to listen for
incoming connections.
For a full list of available directives, read the man page with the man vsftpd.conf
command. The vsftpd package installs a basic configuration file on the system with a few
commonly used directives set and explained with comments. Table 19.1 also includes
some commonly used directives.
TABLE 19.1 Common vsftpd Directives
vsftpd Directive   Default Value   Description
listen_port        21              Port on which to listen for incoming FTP connection requests.
ftpd_banner        (none)          Use this string as the greeting message after users log in to the server.
local_enable       NO              If set to YES, local users on the FTP server are allowed to log in to the server via FTP. Even though the default is NO, the sample configuration file enables this feature. Use caution when enabling this feature because all communications including the username and password authentication are not encrypted.
hide_ids           NO              If set to YES, all user and group file ownership is shown as ftp to hide the real owners and groups.
max_clients        0               Maximum number of clients that can connect at one time. If set to 0, the number of clients is unlimited.
To start the FTP server, use the service vsftpd start command as root. To stop the
server, use the service vsftpd stop command. To have it automatically started at boot
time, use the chkconfig vsftpd on command.
If the configuration file is modified after the server is started, use the service vsftpd
restart command to enable the configuration changes.
Allowing Anonymous FTP
Some FTP servers are configured to allow users to access a set of files even though they do
not have a username and password for the server. Instead, the user enters the username
anonymous. Then, the FTP server usually asks for the person's email address as the password.
Unless the server is configured to deny access to that particular email address password,
the user is allowed to browse all the files in a directory set up for anonymous users.
Depending on its purpose, the FTP server can be configured to allow anonymous users
read-only access or can be configured to allow users to upload files.
Anonymous FTP is enabled by default by setting the anonymous_enable directive in
/etc/vsftpd/vsftpd.conf to YES. To disable it, set the directive to NO.
If anonymous users are allowed, you can set the default directory into which the users are
placed after logging in. This is set with the anon_root directive in vsftpd.conf. If this
directive is not set to a directory, anonymous users are placed into the /var/ftp/ directory,
created when the vsftpd package is installed. By default, this directory is owned and
can only be written to by root, but is readable by everyone.
If anonymous users are allowed to upload files, consider creating a separate directory such
as /var/ftp/pub/uploads/ for anonymous uploads. It should be writable by everyone, but
it does not have to be readable by everyone. Making it not readable by the anonymous
users will discourage people from finding the FTP server and using it for unauthorized
purposes such as pirating illegal software.
Table 19.2 provides a list of directives for configuring anonymous FTP.
TABLE 19.2 Anonymous FTP Directives
vsftpd Directive          Default Value               Description
anonymous_enable          YES                         Set to YES to enable anonymous FTP access.
allow_anon_ssl            NO                          If ssl_enable and allow_anon_ssl are set to YES, anonymous users are allowed to use secure SSL connections. For these options to work, vsftpd must be compiled against OpenSSL, and the client connecting must have SSL support.
anon_mkdir_write_enable   NO                          If set to YES along with write_enable, anonymous users can create directories if the anonymous FTP user has write permissions on the parent directory.
anon_other_write_enable   NO                          If set to YES, anonymous users can write more than just directories and files. They can delete, rename, and more. Use caution when enabling this option.
anon_upload_enable        NO                          If set to YES along with write_enable, anonymous users can upload files under certain conditions. Anonymous FTP users must have proper permissions in the directory being uploaded to.
anon_world_readable_only  YES                         If set to YES, anonymous users can only download files that are world readable.
chown_uploads             NO                          If set to YES, all files uploaded by anonymous users will be owned by the user set with chown_username.
deny_email_enable         NO                          If set to YES, email addresses listed in the file set with banned_email_file and used as the anonymous user password are denied login. The default banned email file is /etc/vsftpd/banned_emails.
force_anon_data_ssl       NO                          If set to YES along with ssl_enable, all anonymous users are forced to use SSL for data transfers.
force_anon_logins_ssl     NO                          If set to YES along with ssl_enable, all anonymous users are forced to use SSL when sending the password.
no_anon_password          NO                          If set to YES, anonymous users do not have to provide a password. They are logged in after specifying anonymous as the username.
secure_email_list_enable  NO                          If set to YES, only anonymous users with email passwords listed in the file set by email_password_file are allowed to log in. By default, the email password file is set to /etc/vsftpd/email_passwords.
anon_max_rate             0                           Maximum transfer rate allowed for anonymous users, in bytes per second. If set to 0, the maximum rate is unlimited.
anon_umask                077                         Umask value for files created by anonymous users.
anon_root                 (no default)                Default directory for anonymous users.
banned_email_file         /etc/vsftpd/banned_emails   If deny_email_enable is set to YES, this file contains the list of email passwords denied FTP login.
email_password_file       /etc/vsftpd/email_passwords If secure_email_list_enable is set to YES, this file contains all the email passwords allowed FTP login.
chown_username            root                        If chown_uploads is set to YES, all files uploaded by an anonymous user are owned by this user.
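The directives in Tables 19.1 and 19.2 interact, and the risky combinations are easy to miss in a long configuration file. The following script is an added example, not code from the book or the vsftpd project: it reads the directives above out of a vsftpd.conf (applying the documented defaults when a directive is absent) and reports the combinations that expose anonymous uploads, clear-text local logins, or unlogged transfers. The two sample configurations it writes are constructed for the demonstration; on a server you would pass /etc/vsftpd/vsftpd.conf to vsftpd_audit.

```shell
#!/bin/sh
# Added example, not from the book: audit a vsftpd.conf for the risky
# combinations of the directives in Tables 19.1 and 19.2. The two sample
# configurations are constructed for the demo; on a server you would pass
# /etc/vsftpd/vsftpd.conf to vsftpd_audit.

# vsftpd_get FILE DIRECTIVE DEFAULT: print the directive's value, or DEFAULT
# when it is not set. Comment lines are skipped; a later setting overrides an
# earlier one, as it does in vsftpd itself.
vsftpd_get() {
    val=$(awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { v = $2 }
        END              { print v }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# vsftpd_audit FILE: print one finding per line, nothing when clean.
vsftpd_audit() {
    conf="$1"
    if [ "$(vsftpd_get "$conf" anonymous_enable YES)" = YES ]; then
        if [ "$(vsftpd_get "$conf" anon_other_write_enable NO)" = YES ]; then
            echo "anon_other_write_enable=YES: anonymous users can delete and rename"
        fi
        if [ "$(vsftpd_get "$conf" write_enable NO)" = YES ] &&
           [ "$(vsftpd_get "$conf" anon_upload_enable NO)" = YES ]; then
            if [ "$(vsftpd_get "$conf" chown_uploads NO)" = NO ]; then
                echo "anonymous uploads without chown_uploads: uploads stay owned by the ftp user"
            fi
            umask_val=$(vsftpd_get "$conf" anon_umask 077)
            if [ "$umask_val" != 077 ]; then
                echo "anon_umask=$umask_val: uploaded files may be readable by other anonymous users"
            fi
        fi
        if [ "$(vsftpd_get "$conf" anon_world_readable_only YES)" = NO ]; then
            echo "anon_world_readable_only=NO: anonymous users can fetch files that are not world readable"
        fi
    fi
    if [ "$(vsftpd_get "$conf" local_enable NO)" = YES ] &&
       [ "$(vsftpd_get "$conf" ssl_enable NO)" = NO ]; then
        echo "local_enable=YES without ssl_enable: local passwords cross the network in clear text"
    fi
    if [ "$(vsftpd_get "$conf" xferlog_enable NO)" = NO ]; then
        echo "xferlog_enable=NO: transfers are not logged to /var/log/xferlog"
    fi
    return 0
}

# write_sample_conf weak|hardened FILE: constructed configurations for the demo.
write_sample_conf() {
    if [ "$1" = weak ]; then
        cat > "$2" <<'EOF'
# constructed: permissive anonymous upload site
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_umask=022
xferlog_enable=NO
EOF
    else
        cat > "$2" <<'EOF'
# constructed: the same site with the risky settings corrected
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=NO
chown_uploads=YES
anon_umask=077
anon_world_readable_only=YES
xferlog_enable=YES
EOF
    fi
}

# finding_count weak|hardened: number of findings for the named sample.
finding_count() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$1" "$tmp"
    vsftpd_audit "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then
    for kind in weak hardened; do
        echo "$kind: $(finding_count "$kind") finding(s)"
    done
fi
```

Run it with the argument demo to see the counts for both constructed configurations; the weak one produces five findings and the corrected one none.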
Allowing FTP Connections
To deny specific users access to the FTP server, add their usernames to the /etc/vsftpd/
ftpusers file. By default, system users such as root and nobody are included in this list.
The /etc/vsftpd/user_list file is also used to allow or deny access to specific users. If
the userlist_enable directive in /etc/vsftpd/vsftpd.conf is set to YES, the
/etc/vsftpd/user_list file is read to determine if a user is allowed FTP access. If
userlist_deny is set to YES (the default), users listed in /etc/vsftpd/user_list are
denied access before they are asked for a password. If userlist_deny is set to NO, only
users explicitly listed in the /etc/vsftpd/user_list file are allowed access.
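Because userlist_deny flips user_list from a deny list to an allow list, it is worth checking the outcome for each account before editing the real files. The script below is an added example, not from the book: ftp_access applies the rules just described to a user name, with the two list contents constructed for the demonstration in place of /etc/vsftpd/ftpusers and /etc/vsftpd/user_list.

```shell
#!/bin/sh
# Added example, not from the book: a decision table for the vsftpd login gate
# built from /etc/vsftpd/ftpusers and /etc/vsftpd/user_list, so the effect of
# userlist_enable and userlist_deny can be tried before editing the real files.
# The two list contents below are constructed; the real files are in /etc/vsftpd.

SAMPLE_FTPUSERS='# constructed: users never allowed to log in over FTP
root
bin
daemon
nobody'

SAMPLE_USER_LIST='# constructed user_list
root
bin
daemon
tfox'

# in_list NAME LIST_TEXT: true when NAME appears as a whole line (comments ignored).
in_list() {
    printf '%s\n' "$2" | grep -v '^#' | grep -qxF -- "$1"
}

# ftp_access USER USERLIST_ENABLE USERLIST_DENY [FTPUSERS_TEXT] [USER_LIST_TEXT]
# Prints "deny (user_list)", "deny (ftpusers)" or "allow".
ftp_access() {
    user="$1"; enable="$2"; deny="$3"
    ftpusers="${4:-$SAMPLE_FTPUSERS}"; user_list="${5:-$SAMPLE_USER_LIST}"
    if [ "$enable" = YES ]; then
        if [ "$deny" = YES ]; then
            # user_list is a deny list: listed users are refused before the password prompt
            if in_list "$user" "$user_list"; then echo "deny (user_list)"; return 0; fi
        else
            # user_list is an allow list: only listed users get as far as the password prompt
            if ! in_list "$user" "$user_list"; then echo "deny (user_list)"; return 0; fi
        fi
    fi
    # ftpusers applies regardless of the userlist_* settings
    if in_list "$user" "$ftpusers"; then echo "deny (ftpusers)"; return 0; fi
    echo allow
}

if [ "${1:-}" = demo ]; then
    printf '%-8s %-6s %-6s %s\n' USER ENABLE DENY RESULT
    for u in root nobody tfox alice; do
        for deny in YES NO; do
            printf '%-8s %-6s %-6s %s\n' "$u" YES "$deny" "$(ftp_access "$u" YES "$deny")"
        done
    done
fi
```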
FTP uses two ports, 20 and 21. By default, the FTP server listens for requests on port 21.
After a connection is established, the client sends commands to the server on port 21.
However, port 20 is used when the server sends data back to the client. If a firewall exists
on the client, be sure to allow connections on port 20 so data can be sent to it.
If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for
details on how to allow these ports. If FTP clients connect in passive mode and the server
has IPTables active, the ip_conntrack_ftp kernel module must be loaded on the FTP server.
It can be added to the IPTABLES_MODULES directive in /etc/sysconfig/iptables-config.
If using a default security level in Red Hat Enterprise Linux, use the Security Level
Configuration tool. Start it by selecting Administration, Security Level and Firewall
from the System menu on the top panel of the desktop or by executing the
system-config-securitylevel command. Enter the root password when prompted if running as
a user. On the Firewall Options tab, check the FTP service in the Trusted services section
as shown in Figure 19.1. Click OK to enable the changes.
FIGURE 19.1 Allowing FTP Connections
Connecting from an FTP Client
To connect to an FTP server, an FTP client program is required. There are numerous FTP
clients available for Linux and other operating systems. By default, Red Hat Enterprise
Linux includes the command-line clients ftp and lftp as well as a method for connecting
to FTP servers from the desktop file browser.
Connecting via FTP from the Command Line
The ftp and lftp command-line utilities for connecting to an FTP server use the same
basic commands. However, lftp is more user-friendly so it will be discussed in this
section. For example, lftp has tab completion similar to the Bash shell, shows the download
progress by default, automatically assumes anonymous login unless a username is
specified, and restarts downloads at the break point if the download is not completed on
the first attempt.
To connect to an FTP server, use the lftp <ftpserver> command, where <ftpserver> is
the IP address or hostname of the FTP server. If using a hostname, the client must be able
to resolve it to an IP address. If the lftp prompt appears, the server has accepted the
connection, and you are logged in as an anonymous user.
To log in to the server using a specific username, either use the lftp -u <username>
<ftpserver> command to connect or wait until you are connected as an anonymous user
and then type the user <username> command at the lftp prompt. Both methods will
prompt you for a password to authenticate.
After you are logged in to the server, basic shell commands such as ls to list the files and
cd to change directories can be used to find the files to download or to change to the
location into which you want to upload files. Pressing the up arrow will toggle through a
list of commands previously executed during the current FTP session.
To download a file from the server (assuming you have permission to), use the get
<file> command. To retrieve several files on the server, use the command mget <files>,
where <files> is a list of files separated by spaces. One or all of the multiple files can be
specified with wildcards such as mget *.pdf.
When downloading files, the files are saved to the current directory on the local system.
By default, this is the directory you were in before you executed the lftp command. After
logging in to the FTP server, it is possible to change the local working directory with the
lcd <directory> command. To determine what the local working directory is set to, use
the lpwd command.
Uploading files to the server has a similar syntax: put <file> or mput <files>. The files
can either be specified relative to the current local working directory or the full path to
the files can be specified with the put and mput commands. Files are uploaded to the
current working directory on the server. To determine what directory this is, use the pwd
command.
TIP
For a complete list of lftp commands, refer to the man page with the man lftp
command.
Listing 19.3 shows an example FTP session. In this example, anonymous user access is
granted, and the get command is used to download the debuginfo RPM for xinetd.
LISTING 19.3 Example FTP Session
$ lftp ftp.redhat.com
lftp ftp.redhat.com:~> ls
drwxr-xr-x 4 ftp ftp 4096 Nov 04 2005 pub
lftp ftp.redhat.com:/> cd pub/redhat/linux/enterprise/5Server/en/os/x86_64/Debuginfo/
cd ok, cwd=/pub/redhat/linux/enterprise/5Server/en/os/x86_64/Debuginfo
lftp ftp.redhat.com:/pub/redhat/linux/enterprise/5Server/en/os/x86_64/Debuginfo> get xinetd-debuginfo-2.3.14-10.el5.x86_64.rpm
314618 bytes transferred in 2 seconds (199.3K/s)
lftp ftp.redhat.com:/pub/redhat/linux/enterprise/5Server/en/os/x86_64/Debuginfo>
Connecting via FTP Using the Desktop File Browser
To connect to an FTP server using the desktop file browser, select Places, Connect to
Server from the top panel of the desktop. Select Public FTP for anonymous user login or
FTP (with login) for access via username and password authentication. Type the IP
address or full hostname of the FTP server in the Server field as shown in Figure 19.2.
FIGURE 19.2 Connecting to an FTP Server
Under the Optional Information section, the following can be configured:
Port: Specify the server port to connect to if different than the default FTP port 21.
Folder: The folder to open after logging in to the FTP server.
User Name: The username to use for authentication when connecting. You will be
prompted for the password later. Only shown when FTP (with login) is selected.
Name to use for connection: Connection name to use when labeling the mount
point in the Places menu and on the desktop.
Click Connect to establish an FTP connection. An icon will appear on the desktop using
the name of the server or, if provided, the name in the Name to use for connection field.
A shortcut is also listed under the Places menu item in the desktop menu. Double-clicking
on the desktop icon or selecting the shortcut item in the Places menu will open a file
browser window with the files from the FTP server. Depending on your file permissions
from the server, you can open, copy, delete, and rename files and directories, and more.
To unmount the share, right-click on its desktop icon and select Unmount Volume. If the
share is not unmounted, it will remain in the Places menu on reboot, but you must
reauthenticate to access the share after rebooting.
Logging FTP Connections
If the xferlog_enable directive in vsftpd.conf is set to YES, file transfers using the FTP
protocol are logged to /var/log/xferlog. The default value for this directive is NO, but the
sample configuration file installed on Red Hat Enterprise Linux enables it. Information
such as a time stamp, IP address of the client, the file being transferred, and the username
of the person who authenticated the connection is included in the log entry.
To modify the name of the log file, set the xferlog_file directive in vsftpd.conf to the
full path and filename of the alternate log file.
The log file is rotated every week, and four weeks of backlogs are kept as configured by
the /etc/logrotate.d/vsftpd.log file.
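The log entries described above are one transfer per line, which makes them easy to scan from a script. The following is an added example, not from the book: it parses the wu-ftpd-style xferlog layout that vsftpd writes when xferlog_std_format=YES and pulls out the transfers an administrator of an anonymous upload site would want to review. The four log lines are constructed for the demonstration; a real run would feed /var/log/xferlog to the functions instead.

```shell
#!/bin/sh
# Added example, not from the book: pick anonymous uploads out of
# /var/log/xferlog. The log lines are constructed in the standard xferlog
# layout written with xferlog_std_format=YES (one transfer per line; vsftpd
# replaces spaces in file names with underscores, so the fields stay at fixed
# positions). A real run would pass the contents of /var/log/xferlog instead
# of SAMPLE_XFERLOG.

SAMPLE_XFERLOG='Mon Nov 05 10:12:41 2007 2 192.168.0.5 314618 /pub/xinetd-debuginfo-2.3.14-10.el5.x86_64.rpm b _ o a someone@example.com ftp 0 * c
Mon Nov 05 10:15:03 2007 1 192.168.0.9 4096 /pub/uploads/notes.txt b _ i a guest@example.com ftp 0 * c
Mon Nov 05 10:20:17 2007 4 10.0.0.7 102400 /home/tfox/report.pdf b _ i r tfox ftp 0 * c
Mon Nov 05 10:21:00 2007 0 192.168.0.9 0 /pub/uploads/tool.exe b _ i a guest@example.com ftp 0 * i'

# Field layout of one xferlog entry (1-based, space separated):
#  1-5 time stamp   6 transfer time (s)   7 remote host   8 bytes   9 file name
# 10 type (a/b)   11 special action    12 direction (o out, i in, d delete)
# 13 access mode (a anonymous, g guest, r real)   14 user name (the e-mail
#    password for anonymous logins)   15 service   16 auth method
# 17 authenticated user id   18 completion status (c complete, i incomplete)

# anon_uploads [LOG_TEXT]: print "host file status" for every incoming
# transfer made by an anonymous user.
anon_uploads() {
    printf '%s\n' "${1:-$SAMPLE_XFERLOG}" |
        awk '$12 == "i" && $13 == "a" { print $7, $9, $18 }'
}

# bytes_by_host [LOG_TEXT]: total bytes transferred per remote host,
# sorted by host so the output is stable.
bytes_by_host() {
    printf '%s\n' "${1:-$SAMPLE_XFERLOG}" |
        awk '{ total[$7] += $8 } END { for (h in total) print h, total[h] }' |
        sort
}

# anon_upload_count [LOG_TEXT]: number of anonymous uploads, for alerting.
anon_upload_count() {
    anon_uploads "${1:-$SAMPLE_XFERLOG}" | wc -l | tr -d ' '
}

if [ "${1:-}" = demo ]; then
    echo "Anonymous uploads:"; anon_uploads
    echo "Bytes per host:"; bytes_by_host
fi
```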
Keeping Accurate Time with NTP
The system clock has a variety of uses. It can be used for simple tasks such as including
the time stamp in a log entry or in an email sent to another user. It is also used for more
system-critical tasks. If the system times on the nodes of a cluster are too far apart, the
cluster might think one of the nodes is not responding and attempt to reboot it. When
committing changes to a CVS server, if the time difference between the client and server
is too skewed, the CVS server might refuse to commit the changes. Having an inaccurate
system time can cause unpredictable behavior that can be difficult to diagnose.
NTP, or Network Time Protocol, allows a system to sync its time with a time server. In Red
Hat Enterprise Linux, this operation is performed by the ntpd service. This daemon polls
the server at certain intervals. If the system time differs from the NTP server, the time is
slowly synchronized in small steps. If the time difference is greater than 1,000 seconds,
the daemon will exit and write a message to the system log. More than one NTP server
can be specified to retrieve the most accurate time.
Where do the time servers retrieve their time? Part of the U.S. Commerce Department's
Technology Administration, the National Institute of Standards and Technology (NIST)
provides the Internet Time Service (ITS), which can be used to synchronize the system
clock of a computer from an Internet server. The time signal maintained by NIST is
considered a Stratum 0 source. Any time sources that retrieve their signals from this
Stratum 0 source are considered Stratum 1. Time sources that retrieve their signals from a
Stratum 1 source are considered Stratum 2, and so on. NIST provides Stratum 1 servers as
part of their ITS. The lower the stratum number, the more accurate the time is.
Even though public time servers are available to allow administrators to synchronize the
time on their servers with a known reference, sometimes it is necessary to configure an
internal time server. For example, if all clients synchronize from the same server, they will
all receive the same time so that their system times are as close as possible. Also, an
administrator might need to set up his own time server if the clients are inside a firewall
and do not have Internet access.
This section first discusses how to configure a system to connect to an NTP server to keep
accurate time. Then, it describes how to configure the NTP service on a Red Hat
Enterprise Linux server.
Connecting to NTP from a Client
To configure the system to use one or more NTP servers via a graphical interface, go to
the System menu on the top panel of the desktop and select Administration, Date &
Time. The command system-config-date can also be executed from a shell prompt to
start the program. Go to the Network Time Protocol tab as shown in Figure 19.3. The
system-config-date RPM package is needed to use this program, but it is installed by
default along with the graphical desktop.
FIGURE 19.3 Enabling NTP
Check the Enable Network Time Protocol box. A list of NTP servers accessible over the
Internet is already provided as shown in the NTP Servers frame.
If the client is a desktop system or another type of computer for which the time is not
crucial, the default time server will work fine. However, if the client is a server that
requires an accurate time source, go to http://www.ntp.org/ and http://tf.nist.gov/
service/time-servers.html for a list of time servers. Be sure you have permission to connect
to the time server before using it, and remember that the smaller the stratum number, the
more accurate the time.
To add additional servers, click Add. To remove an NTP server from the list, select it from
the list, and click Delete. Clicking OK saves and enables the changes immediately.
If you prefer command-line configuration, only the ntp RPM package is needed. NTP
comes with a default configuration file. Either modify it or create your own. To configure
an NTP client, the following lines must exist in /etc/ntp.conf for each NTP server:
restrict <servername> mask 255.255.255.255 nomodify notrap noquery
server <servername>
Refer to the documentation in /usr/share/doc/ntp-<version>/ for more configuration
options in /etc/ntp.conf.
Before starting the service, roughly sync the time with a server with the following
command:
ntpd -q <ntpserver>
After the time is roughly synchronized, the daemon will exit.
If the current system time and the time retrieved from the NTP server are more than
1,000 seconds apart, ntpd will exit and not modify the system time. To force the time to
sync regardless of the time difference, use the -g option in addition to the -q option:
ntpd -g -q <ntpserver>
Then, start the service with the service ntpd start command. To stop the service, use
the service ntpd stop command. To enable the service to start automatically at boot
time, execute the chkconfig ntpd on command.
Configuring the NTP Server
Because an NTP server must retrieve its time from somewhere, it is also an NTP client.
Configure the system as an NTP client first, and then follow the instructions from this
section. As with the NTP client, the ntp package must be installed on the system to
configure an NTP server.
An NTP server can be configured so that each client must specify its IP address or hostname
for access, or an NTP server can be configured in multicast mode to allow clients to
find it.
The default /etc/ntp.conf file contains the following line near the top of the file:
restrict default nomodify notrap noquery
This line configures default restrictions for all connections with the default keyword. The
default restrictions can be overridden with restrict statements about specific network
ranges. The nomodify, notrap, and noquery access control options mean that the server
can not be modified, control message trap service is denied, and all time sync queries are
denied.
If a subnet is specified and the noquery keyword is omitted, the server is allowed to accept
connections from the specified subnet (replace the subnet with your own):
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
Multiple restrict lines can be added to allow multiple subnets to connect to the NTP server.
To configure the NTP daemon to work in multicast mode where clients can find it
without knowing its hostname or IP address, use the following line in /etc/ntp.conf:
broadcast 224.0.1.1 ttl 4
Notice the 224.0.1.1 address. The Internet Assigned Numbers Authority (IANA) has
assigned the multicast group address 224.0.1.1 for IPv4 and FF05::101 (site local) for IPv6
exclusively to NTP.
After modifying the ntp.conf file, use the service ntpd restart command to enable the
changes.
To start the server, execute the service ntpd start command. To stop it, use the service
ntpd stop command. To configure the system to start the NTP server at boot time, run
the chkconfig ntpd on command.
TIP
Check /var/log/messages for messages from ntpd to verify its status or to read
error messages.
Allowing NTP Connections
Both the NTP server and clients connecting to an NTP server need to allow incoming and
outgoing UDP connections on port 123.
If custom IPTables rules are being used, refer to Chapter 24 for details on how to allow
these ports.
If using the Security Level Configuration tool, start it by selecting Administration,
Security Level and Firewall from the System menu on the top panel of the desktop or
by executing the system-config-securitylevel command. Enter the root password when
prompted if running as a user. In the Other ports area, click Add to specify the NTP port.
Creating a Network Printer with CUPS
In Chapter 2, "Post-Installation Configuration," you learned how to configure a local
printer or connect to a shared printer. The same graphical interface can also be used to
share a printer with other systems on the network using the Common UNIX Printing
System, also known as CUPS. The cups RPM package must be installed.
From the System menu on the top panel of the desktop, select Administration, Printing
to start the tool, or execute the command system-config-printer. The root password is
required to continue. The interface shows all configured printers, both locally attached
and shared printers accessible by the system.
To share a printer over the network, first configure it as a local printer as described in the
"Printer Configuration" section of Chapter 2. After the local printer is added, select the
printer and make sure the Shared state is checked at the bottom of the Settings tab.
Then click on Server Settings in the left menu as shown in Figure 19.4 and select Share
published printers connected to this system. Click Apply to enable the changes. All
printers with shared state enabled are broadcast over the network for others to connect to
for printing.
By default, if sharing is enabled, anyone can print to the shared printers on the server. To
restrict printer access based on the user sending the print request, select the printer from
the list on the left, and go to the Access control tab. There are two options:
Allow printing for everyone except these users
Deny printing for everyone except these users
FIGURE 19.4 Server Settings
Select one of these options and add users to the desired list as shown in Figure 19.5. Clicking
Apply enables the changes immediately. Notice that this access control list is per shared
printer, so this step must be repeated for each printer if more than one is being shared.
FIGURE 19.5 Access Control for Shared Printer
The printer server must be configured to send and receive connections on incoming UDP
port 631. All clients must be allowed to send and accept connections on port 631.
Summary
This chapter detailed several important network services. The xinetd super server can be
used to monitor traffic for network services and start the appropriate service if the
connection passes the host-based access control rules. To share files over a private
network or the Internet, the FTP service can be used. Use it with caution because files are
transferred unencrypted. For time synchronization across servers, consider the NTP
service. Finally, CUPS is available for network access to a central printer.
PART V
Monitoring and Tuning
IN THIS PART
CHAPTER 20 Monitoring System Resources 403
CHAPTER 21 Monitoring and Tuning the Kernel 423
CHAPTER 22 Monitoring and Tuning Applications 449
IN THIS CHAPTER
Reporting Filesystem Usage
Reporting Disk Performance
Reporting System Processes
Reporting on the System Processors
Reporting Memory Usage
Reporting on the Network Subsystem
Generating a System Report
Locating Log Files
Viewing Log Files with Logwatch
CHAPTER 20
Monitoring System Resources
Although most users only think about their administrators
when a problem occurs or when they suspect their system
has been compromised, administrators spend a considerable
portion of their time monitoring system resources to prevent
failures. It is often a thankless job, but it can be very rewarding
for everyone, especially the administrator who doesn't
have to get out of bed at 3 a.m. to fix a critical problem that
could have been prevented by intelligent monitoring.
This chapter discusses how to monitor filesystems, system
processes, CPU utilization, physical and virtual memory,
and the network subsystem in Red Hat Enterprise Linux. It
also details how to generate a system report for troubleshooting
and where to find log files.
Consider using all or some of the commands provided in
this chapter in custom scripts to alert you of problems that
may arise. Refer to Chapter 11, "Automating Tasks with
Scripts," for more information about writing custom scripts
and scheduling their execution at set intervals.
Reporting Filesystem Usage
One of the most critical system components to monitor is
the filesystem. If the filesystem becomes unavailable, the
system is most likely incapacitated. Discovering problems
before the system goes down is key to being a successful
administrator. For example, adding additional storage or
cleaning off unneeded files when a disk has almost reached
capacity is much better than waiting for all the disk space to
be used and then hearing from everyone that they can't
write files to the disk. The first requires a scheduled action
during a scheduled maintenance time, and the latter requires
an immediate emergency operation, which can occur at any
time, including when access to the system is most required.
Determining Filesystem Usage
To determine how much disk space is being used for a given partition, logical volume, or
NFS mount, use the df command. If no arguments are given to the command, disk usage
for all mounted partitions is displayed in 1 kilobyte blocks. Listing 20.1 shows output
from two logical volumes, the /boot partition, and an NFS mounted directory from the
production.example.com server.
LISTING 20.1 Disk Space Usage
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
13140720 3097624 9364800 25% /
/dev/sda1 101086 18536 77331 20% /boot
tmpfs 962696 0 962696 0% /dev/shm
/dev/mapper/VolGroup00-LogVol01
79354688 60896492 14362196 81% /home
production.example.com:/vol
3858759680 2616468800 1242290784 68% /data
To display the output in "human readable" format, use the -h argument to df. The output
is then displayed in kilobytes, megabytes, gigabytes, or terabytes depending on the size of
the filesystem. The same mount points from Listing 20.1 are shown in Listing 20.2 in
human readable format.
LISTING 20.2 Disk Space Usage in Human Readable Format
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
13G 3.0G 9.0G 25% /
/dev/sda1 99M 19M 76M 20% /boot
tmpfs 941M 0 941M 0% /dev/shm
/dev/mapper/VolGroup00-LogVol01
76G 59G 14G 81% /home
production.example.com:/vol
3.6T 2.5T 1.2T 68% /data
The default output includes the size of the partition, how much space is used, how much
space is available, the percentage of space used, and on what directory the filesystem is
mounted. To display the filesystem type as well, such as ext3 or nfs, use the -T argument.
To limit the output to specific filesystem types, use the -t <type> option. To exclude
certain filesystem types from the output, use the -x <type> argument.
Some of the mounted filesystems might not be local such as NFS mounts. To limit the
output to local filesystems, use the -l option. To calculate disk usage for a specific partition,
include it as an argument to the command such as df /dev/sda1.
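The chapter suggests putting commands like df into scheduled scripts that raise an alert before a disk fills. The following is an added example of such a check, not code from the book: it parses the portable df -P layout (one filesystem per line, so the columns never wrap as they do in Listing 20.1) and reports every mount point at or above a usage threshold. The embedded df output is constructed to mirror Listing 20.1; leaving out the second argument makes the functions run df -P themselves.

```shell
#!/bin/sh
# Added example, not from the book: the kind of disk-space check the chapter
# suggests running from a scheduled script. It parses portable `df -P` output
# (one filesystem per line, so the fields are at fixed positions) and reports
# every mount point at or above a usage threshold. SAMPLE_DF is constructed to
# mirror Listing 20.1; a real run omits the second argument so df -P is called.

SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/VolGroup00-LogVol00 13140720 3097624 9364800 25% /
/dev/sda1 101086 18536 77331 20% /boot
tmpfs 962696 0 962696 0% /dev/shm
/dev/mapper/VolGroup00-LogVol01 79354688 60896492 14362196 81% /home
production.example.com:/vol 3858759680 2616468800 1242290784 68% /data'

# over_threshold PERCENT [DF_OUTPUT]: print "mountpoint use% available_kb"
# for each filesystem whose usage is at or above PERCENT. tmpfs is skipped
# because it is RAM backed, not disk.
over_threshold() {
    limit="$1"
    df_out="${2:-$(df -P)}"
    printf '%s\n' "$df_out" | awk -v limit="$limit" '
        NR == 1 || $1 == "tmpfs" { next }
        { use = $5; sub(/%$/, "", use) }
        use + 0 >= limit { print $6, $5, $4 }'
}

# space_alert PERCENT [DF_OUTPUT]: exit 0 when nothing is over the threshold,
# otherwise print the offenders and exit 1 (usable from a cron job, whose
# output is mailed to root).
space_alert() {
    hits=$(over_threshold "$1" "${2:-}")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf 'Filesystems at or above %s%% usage:\n%s\n' "$1" "$hits"
    return 1
}

if [ "${1:-}" = demo ]; then
    space_alert 80 "$SAMPLE_DF" || echo "alert would be sent"
fi
```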
To view the same information from a graphical application, select Administration,
System Monitor from the System menu on the top panel of the desktop. Click on the
File Systems tab as shown in Figure 20.1.
FIGURE 20.1 Graphical Display of Disk Usage
Although the df command is useful in determining how much space is being used for
each partition, sometimes it is necessary to know what the size of a file, group of files, or
directory is. By default, if no command-line options are used, the du command displays
the disk usage totals for each subdirectory and finally the total usage for the current
directory. Values are in kilobytes. Listing 20.3 shows the disk usage of the /etc/sysconfig/
directory.
LISTING 20.3 Disk Usage of a Directory
388 ./network-scripts
24 ./cbq
8 ./console
16 ./modules
8 ./rhn/clientCaps.d
52 ./rhn
8 ./networking/devices
24 ./networking/profiles/default
32 ./networking/profiles
48 ./networking
880 .
To display the information in an easier-to-read format (megabytes, gigabytes, and
terabytes), use the -h argument. To display only the grand total for the current directory
without the usage for each subdirectory, use the -s argument. Combine these two arguments
with the du -hs command, and only the grand total for the current directory is
displayed in megabytes or gigabytes.
To determine the size of just one file, provide it after the du command such as
du /vol1/group1/examplefile
The value is given in kilobytes unless the -h option is used:
du -h /vol1/group1/examplefile
If you prefer a graphical program to determine disk usage, open the file browser by selecting
Home Folder or Desktop from the Places menu on the top panel of the desktop (see
Figure 20.2).
FIGURE 20.2 Graphical Display of File Size
The name, file type, size, location, MIME type, last modified date, and last accessed date
are shown for the file. If a directory is selected instead, folder is shown as the file type.
Also, the number of items in the folder, size of all the files and directories in the directory,
location, volume, free size, and last modified date are displayed.
Reporting Open Files
The lsof command can be used to list open files, including library and network files. If
an error occurs because a device is already in use, lsof can be used to determine which
process is using it and who owns that process. By default, all open files for all active
processes are listed. Use the grep command to search for a specific file.
TIP
Narrow down the output even more using one of the command-line arguments listed in
the lsof man page.
For example, if you need to unmount an NFS volume but receive an error message that it
is already in use, use the following to determine which users are still accessing it (replace
<nfs_mounted_dir> with the directory in which the NFS share is mounted):
lsof | grep <nfs_mounted_dir>
All processes using the NFS mounted directory are shown such as the following for a bash
session open by user tfox:
bash 12165 tfox cwd DIR 0,18 10240 1856 /data/group1
(fileserver.example.com:/vol1/data)
Reporting Disk Performance
Disk performance should be constantly monitored over time to determine disk or controller problems. For example, if the access time for a drive suddenly drops, an administrator must quickly start troubleshooting the problem to determine if it is a software or hardware issue or simply due to lack of free space on the disk.
Using iostat
Part of the sysstat RPM package, the iostat utility can be used to gather performance statistics for devices or partitions. Use it in conjunction with netstat and vmstat to narrow down the problem to a possible I/O, network, or memory error. Install the sysstat RPM package with RHN as described in Chapter 3, "Operating System Updates," if it is not already installed. For each invocation of the iostat command, the first report given is always the average values from the system boot, while each additional report is the instantaneous change from the previous report. If the command is given without any command-line options, only the report of average values is displayed as shown in Listing 20.4.
LISTING 20.4 Example iostat Output
avg-cpu:  %user   %nice    %sys %iowait   %idle
           2.47    0.00    0.33    0.43   96.77

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda               1.41        79.37        38.15   41006531   19710528
sdc               0.07        16.96         0.00    8762116          0
The first part of the report shows CPU usage. If the system has more than one processor, the performance percentages shown are averages from all the processors. The rest of the report shows information about each device on the system. Table 20.1 explains its output.
To create continuous reports, specify a time interval in seconds after the command. For example, to generate iostat reports every minute, use the command iostat 60. Press Ctrl+C to stop the output. Alternatively, specify the number of intervals as well with the format iostat <interval> <iterations> such as iostat 60 5 to generate a report every 60 seconds for 5 iterations. As mentioned previously, after the first report of averages, each report is the instantaneous change from the previous report.
To include a line of values for the entire device along with the statistics for each partition, use the iostat -p <device> command such as the following for /dev/sda:
iostat -p /dev/sda
To display the statistics for more than one device, replace <device> with a space-separated list of device names.
TABLE 20.1 Explanation of iostat Headers
iostat Header   Explanation
%user           Percentage of CPU usage at the user level
%nice           Percentage of CPU usage at the user level with nice priority
%sys            Percentage of CPU usage at the system level
%iowait         Percentage of time the CPU(s) were idle while the system had an outstanding I/O request
%idle           Percentage of time the CPU(s) were idle while the system did not have an outstanding I/O request
tps             Transfers per second
Blk_read/s      Amount of data read from the device in number of blocks per second
Blk_wrtn/s      Amount of data written to the device in number of blocks per second
Blk_read        Number of blocks read
Blk_wrtn        Number of blocks written
TIP
In addition, the command vmstat -d reports additional disk usage, and vmstat -p <device> such as vmstat -p sda1 reports disk usage for a specific partition.
Using sar
Also part of the sysstat commands, the sar utility produces system reports about the I/O, CPU, and memory. The data can be collected at specific intervals, thus making it easy to determine performance at specific load times. For example, if a system's usage peaks at a specific time every day, the sar output can be analyzed to determine if more resources are necessary to handle the highest load.
Before using sar, it must be initialized with the following commands (replace lib with lib64 for a 64-bit system):
/usr/lib/sa/sa1 1 1
/usr/lib/sa/sa2 -A
These are automatically run by the cron script located at /etc/cron.d/sysstat. However, if you just installed the sysstat package and don't want to wait on the cron job to initialize sar, run the commands as root.
Because of the cron job, sar reports are generated every day at 23:53 and stored in the directory /var/log/sa/ using the filename convention sa<date>, where <date> is the two-digit representation of the day's date. For example, sa31 is used for December 31. The year is not used in the filename because only the last nine reports are kept. However, sar can easily be used in a script to produce custom reports. A custom script can also be written to copy the reports to a different location or server before they are removed by sar.
If the sar command is run on the command line, the output shows system information in ten-minute intervals as shown in Listing 20.5.
LISTING 20.5 Example sar Output
12:00:02 AM       CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM       all      2.95      0.00      0.32      0.05      0.01     96.69
12:20:01 AM       all      2.78      0.00      0.29      0.05      0.01     96.88
12:30:01 AM       all      2.80      0.00      0.31      0.00      0.01     96.89
12:40:01 AM       all      2.98      0.00      0.32      0.48      0.01     96.22
12:50:01 AM       all      2.83      0.00      0.31      0.10      0.01     96.76
To specify the time interval and number of iterations displayed:
sar <interval> <iterations>
For example, sar 60 5 displays 5 iterations at 60 second intervals.
To only take a snapshot for a specific processor, specify it with the -P <num> argument. For example, sar -P 0 60 5 displays 5 iterations at 60 second intervals for the first processor only. The processor numbering starts at 0.
By default, sar shows CPU information. Refer to Table 20.2 for other common display options.
TABLE 20.2 Command-Line Options for sar
Command-Line Option   Description
-u                    Show CPU statistics (default)
-b                    Show I/O and transfer rate statistics
-r                    Show memory and swap space statistics
-R                    Show memory statistics
NOTE
Other arguments are available; refer to the sar man page for details. It can be accessed by executing the man sar command at a shell prompt.
Reporting System Processes
The ps command outputs data about active processes. By default, it only displays processes associated with the current terminal and owned by the user executing the command. To view all processes on the system from all users, use the command ps -aux.
The output for all users and processes can be long. Piping it through less will help you scroll through the output: ps -aux | less. Piping it through grep can help you search for a specific process or user: ps -aux | grep bash. You can also redirect the output to a file for further analysis: ps -aux > psoutput.txt.
NOTE
Numerous arguments to ps can be used to customize the output. A complete list is available in the ps man page.
Alternatively, the top command shows similar information but on a continuous basis, and the data can be sorted by memory usage, CPU usage, process ID, and more. While ps can be used to generate snapshots of usage, top can be used to actively monitor the system. To stop top, press the q key. Example output is shown in Listing 20.6.
LISTING 20.6 Example top Output
top - 15:41:45 up 16 days,  3:20,  6 users,  load average: 0.12, 0.18, 0.09
Tasks: 183 total,   1 running, 182 sleeping,   0 stopped,   0 zombie
Cpu(s):  8.5%us,  1.8%sy,  0.0%ni, 89.6%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1541120k total,  1521532k used,    19588k free,    67880k buffers
Swap:  2031608k total,      140k used,  2031468k free,   335872k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3183 root      15   0  425m  80m  12m S   14  5.3  54:58.87 Xorg
 6584 tfox      15   0  269m  14m 9748 S    7  0.9   0:10.49 gnome-system-mo
 3543 tfox      16   0  290m  24m 9508 S    0  1.7   0:11.80 gnome-terminal
 5326 root      20   0  267m 7020 1172 S    0  0.5   5:35.15 python
 6566 root      15   0 12708 1124  796 R    0  0.1   0:00.39 top
    1 root      15   0 10300  656  544 S    0  0.0   0:00.16 init
    2 root      RT   0     0    0    0 S    0  0.0   0:00.03 migration/0
    3 root      34  19     0    0    0 S    0  0.0   0:00.00 ksoftirqd/0
    4 root      RT   0     0    0    0 S    0  0.0   0:00.00 watchdog/0
An explanation of the headers displayed by top is in Table 20.3.
TABLE 20.3 Explanation of top Headers
top Header   Explanation
PID          Process ID
USER         Owner of process
PR           Process priority
NI           Nice value
VIRT         Virtual memory used by process
RES          Non-swapped physical memory used by the process
SHR          Shared memory used by the process
S            Status of process
%CPU         Percentage of CPU usage
%MEM         Percentage of physical memory usage
TIME+        Total CPU time used by process
COMMAND      Command used to start the process
top is also interactive. For example, pressing Shift+M sorts the output by memory usage. Other sorting options are listed in Table 20.4.
TABLE 20.4 Interactive top Commands
top Command   Explanation
Shift+M       Sort by memory usage
Shift+P       Sort by CPU usage
Shift+N       Sort by PID
Shift+T       Sort by TIME+
k             Kill a specific process by PID
u             Sort by specific user
spacebar      Immediately refresh the output
h             Show help
q             Quit top
To view the same information graphically, select Administration, System Monitor from the System menu on the top panel of the desktop. As shown in Figure 20.3, the Processes tab shows the information from the top command in an easier-to-read format. Click on a column name to sort the information by the data in the column.
All of these tools can be used to determine if one or a small group of processes is consuming the majority of the system resources. This is especially useful on a server shared by many.
TIP
Want to quickly find out who owns the process taking up the most resources? Try the w command. It lists all users currently logged on and all their processes.
FIGURE 20.3 Graphical Display of System Processes
Reporting on the System Processors
As explained in the previous sections, the interactive top command and iostat provide information about the processor or processors in the system. The uptime and mpstat commands can also be useful when analyzing the CPU.
uptime is a simple program that displays the current time, system uptime, number of users logged on, and average CPU load for the past 1, 5, and 15 minutes:
 22:52:42 up 8 days,  1:04,  5 users,  load average: 0.18, 0.36, 0.34
Another member of the sysstat family, mpstat provides statistics about each processor in the system as shown in Listing 20.7.
LISTING 20.7 Example mpstat Output
12:24:49 AM  CPU   %user   %nice    %sys %iowait    %irq   %soft  %steal   %idle   intr/s
12:24:49 AM  all    3.20    0.00    0.59    0.73    0.03    0.00    0.01   95.45  1020.55
Similar to iostat and sar, you can tell mpstat to run for a specific number of iterations at specific time intervals with the format mpstat <interval> <iterations>.
Reporting Memory Usage
Two types of system memory exist: physical and virtual. To display the amount of free and used memory, both physical and virtual (swap), use the free command. Example output is shown in Listing 20.8.
LISTING 20.8 Example free Output
             total       used       free     shared    buffers     cached
Mem:       1541120    1521476      19644          0      68280     335948
-/+ buffers/cache:    1117248     423872
Swap:      2031608        140    2031468
By default, the output is shown in kilobytes. To show megabytes instead, use the command free -m. The total amount of memory, amount of memory used, and amount of memory free is shown first for the physical memory and then for the swap space. The statistics for the physical memory also include the amount of shared memory, the buffers used by the kernel, and amount of memory caches.
The content displayed by free is a snapshot. To output memory usage in specific intervals, use the command free -s <interval>, where <interval> is the amount of delay, in seconds, between output. To stop the continuous output, press Ctrl+C.
To report more detailed statistics about the physical and virtual memory, use vmstat, which is part of the procps package. Listing 20.9 shows example output in the default mode (without arguments).
LISTING 20.9 Example vmstat Output
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0 496956   5828   2748  68632    2    2    50    21   24   41  3  1 96  1  1
By default, the values are in kilobytes. To use megabytes instead, use the command vmstat -S M.
Two columns are under the procs header: r and b. The value under the r column indicates the number of processes waiting for runtime. The value under the b column tells you the number of processes in uninterruptible sleep.
The following values are under the memory header:
swpd    Amount of virtual memory used
free    Amount of free memory
buff    Amount of memory used in buffers
cache   Amount of memory used as cache
Under the swap header:
si    Amount of memory swapped in from the disk
so    Amount of memory swapped to the disk
Under the io header:
bi    Number of blocks received from a block device
bo    Number of blocks sent to a block device
Under the system header:
in    Number of interrupts per second
cs    Number of context switches per second
Under the cpu header:
us    Percentage of time the processor(s) spent running non-kernel code
sy    Percentage of time the processor(s) spent running kernel code
id    Percentage of time spent not running any code
wa    Percentage of time spent waiting for I/O
st    Percentage of time the processor(s) spent running kernel code
Just like free, the content displayed by vmstat is a snapshot. To generate output at specific intervals, use the command vmstat <interval>, where <interval> is the amount of delay, in seconds, between output. To stop the continuous output, press Ctrl+C.
To specify the number of intervals, use the format vmstat <interval> <iterations>. For example, vmstat 60 5 produces statistics every 60 seconds for 5 iterations and then stops.
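As an added example (not from the book), the following Python script reads saved vmstat <interval> <iterations> output, skips the first sample (which, like the first iostat report, is the average since boot), and flags samples whose b, wa, si/so or r columns point to I/O, swap or run-queue pressure. The vmstat output embedded in it is constructed, and the two thresholds are assumed starting points rather than values from the book.

```python
"""Flag vmstat samples that point to I/O, swap or run-queue pressure.

Added example, not from the book. Run `vmstat 60 5 > vmstat.txt` and then
`python3 vmstat_check.py vmstat.txt`, or pipe vmstat output straight into it.
The first sample is vmstat's average since boot and is skipped.
"""
import sys

# Constructed vmstat output: the header of Listing 20.9 plus five samples.
SAMPLE_VMSTAT = """\
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0 496956   5828   2748  68632    2    2    50    21   24   41  3  1 95  1  0
 1  0 496956   5900   2748  68640    0    0    12     8  101  212  4  1 95  0  0
 2  3 496956   4100   2600  60000    0    0  8200  4100  420  880  6  4 45 45  0
 0  0 498000   4000   2500  59000  300  450    90    60  300  500  3  2 90  5  0
 9  0 498000   4200   2500  59100    0    0    10     5  800 2100 70 25  5  0  0
"""

# Assumed thresholds; tune them for the workload being watched.
IOWAIT_PERCENT = 20   # wa at or above this is flagged
RUNQUEUE_DEPTH = 8    # r at or above this is flagged


def parse_vmstat(text):
    """Return one {column: int} dict per sample line of vmstat output."""
    lines = [l for l in text.splitlines() if l.strip()]
    columns = lines[1].split()          # line 2 names the columns (r, b, swpd, ...)
    samples = []
    for line in lines[2:]:
        parts = line.split()
        # vmstat repeats both header lines every screenful; skip them.
        if len(parts) != len(columns) or not parts[0].isdigit():
            continue
        samples.append(dict(zip(columns, (int(p) for p in parts))))
    return samples


def diagnose(samples):
    """Return (sample_index, message) pairs; index 0 (since-boot average) is never reported."""
    findings = []
    for i, s in enumerate(samples):
        if i == 0:
            continue
        # Processes in uninterruptible sleep (b) are normally blocked on I/O,
        # so they are reported together with the iowait percentage.
        if s["wa"] >= IOWAIT_PERCENT or s["b"] > 0:
            findings.append((i, "I/O pressure: wa=%d%% b=%d bi=%d bo=%d"
                             % (s["wa"], s["b"], s["bi"], s["bo"])))
        if s["si"] + s["so"] > 0:
            findings.append((i, "swapping: si=%d so=%d swpd=%d"
                             % (s["si"], s["so"], s["swpd"])))
        if s["r"] >= RUNQUEUE_DEPTH:
            findings.append((i, "run-queue pressure: r=%d us=%d sy=%d id=%d"
                             % (s["r"], s["us"], s["sy"], s["id"])))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_VMSTAT      # no input given: demonstrate on the constructed sample
    for index, message in diagnose(parse_vmstat(text)):
        print("sample %d: %s" % (index, message))
```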
TIP
Another great argument to vmstat is -s. vmstat -s outputs a quick summary of the system's memory as shown in Listing 20.10.
LISTING 20.10 Example output from vmstat -s
       514188  total memory
       491292  used memory
       327068  active memory
       105080  inactive memory
        22896  free memory
        14444  buffer memory
       192768  swap cache
       522104  total swap
       224240  used swap
       297864  free swap
      2638363 non-nice user cpu ticks
         3764 nice user cpu ticks
       503661 system cpu ticks
     78527688 idle cpu ticks
       647000 IO-wait cpu ticks
        26495 IRQ cpu ticks
            0 softirq cpu ticks
     40496151 pages paged in
     16937888 pages paged out
       678133 pages swapped in
       399395 pages swapped out
    840250343 interrupts
    326447770 CPU context switches
   1135738065 boot time
       109526 forks
Reporting on the Network Subsystem
In an enterprise company with offices all around the world, the network subsystem is one of the most carefully monitored system resources. Without network connectivity, some companies could not perform their day-to-day tasks from something as simple as email to something more critical such as accessing patient records.
While ifconfig can be used to configure network devices as discussed in Chapter 2, "Post-Installation Configuration," it can also be used to quickly determine if the device has an IP address or to retrieve the MAC address of an interface as shown in Listing 20.11.
LISTING 20.11 Example Output from ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A0:CC:28:3D:44
          inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2a0:ccff:fe28:3d44/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1699162 errors:1 dropped:0 overruns:0 frame:0
          TX packets:2743880 errors:3 dropped:0 overruns:3 carrier:0
          collisions:3153 txqueuelen:1000
          RX bytes:335440321 (319.9 MiB)  TX bytes:3356790591 (3.1 GiB)
          Interrupt:9 Base address:0x6c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:89409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:34682468 (33.0 MiB)  TX bytes:34682468 (33.0 MiB)
The eth0 device is the first Ethernet device in the system. If additional Ethernet devices are available, they are referred to as eth1, eth2, and so on. The lo device is the local loopback device.
If the device has an IP address, it is listed after inet addr: as shown for eth0 in Listing 20.11. The MAC address is listed after HWaddr for each device.
By default, ifconfig only displays devices with IP addresses. To list the information for a specific device such as one without an IP, specify it after the command such as ifconfig eth1.
To monitor traffic on a network, use the tcpdump utility. It enables the promiscuous mode of the network card to capture all the packets sent across the network. You must run tcpdump as the root user. This can be useful when trying to determine if packets are reaching their destinations and to check response times.
When run with no arguments, tcpdump runs continuously until you press Ctrl+C. To limit the number of packets captured, use the -c <count> argument. After <count> number of packets are captured, tcpdump stops. To save the output to a file instead of displaying it on the command line, use the -w <file> option, and then use the -r <file> argument to read it back from the file.
To only capture packets on a specific interface, use the command tcpdump -D to list the interfaces tcpdump can listen to. In this output, each interface is preceded by a number. Specify this number as <interface> with the command tcpdump -i <interface> to only capture packets on the specified interface.
If you prefer a graphical, interactive application to view packet transfers, try Wireshark. Use Red Hat Network as discussed in Chapter 3 to install the wireshark-gnome package if it is not already installed. It will also install the wireshark package (non-GUI version).
After installing the RPM packages, select Internet, Wireshark Network Analyzer from the Applications menu on the top panel of the desktop. You can also execute the wireshark command to start the program. If you run the program as a non-root user, you are prompted for the root password to continue.
As shown in Figure 20.4, Wireshark uses the same format as tcpdump, so if you use tcpdump -w <file> to save the output, you can then open it in Wireshark to take advantage of its easy-to-read color coding and interactive features such as filtering.
FIGURE 20.4 Wireshark After Capturing Packets
Generating a System Report
When troubleshooting a system, it is often useful to generate a system report so that data can be analyzed as a whole or to send to other administrators on the team or a customer support representative. The sysreport program is often used by the Red Hat support team and can be invaluable when searching for the root of a problem.
The program is provided by the sysreport RPM package. If it is not installed, install it using Red Hat Network (refer to Chapter 3).
The sysreport command must be run as the root user because it must be able to gather configuration information only accessible by the root user. The program itself is actually a shell script written by Red Hat as a tool that allows customers to easily send their support representative detailed information about the hardware and software on a given system. This allows customers to execute one command for common troubleshooting data instead of a series of commands they may not be familiar with.
After you execute the command sysreport as root, you will see the following message:
This utility will go through and collect some detailed information
about the hardware and setup of your Red Hat Linux system.
This information will be used to diagnose problems with your system
and will be considered confidential information. Red Hat will use
this information for diagnostic purposes ONLY.
Please wait while we collect information about your system.
This process may take a while to complete....
No changes will be made to your system during this process.
NOTE: You can safely ignore a failed message. This only means a file
we were checking for did not exist.
If your system hangs while gathering rpm information, please abort
the script with CTRL-C and run it again after adding -norpm to the
sysreport command line
Press ENTER to continue, or CTRL-C to quit.
Press Enter to start generating the report. As information is gathered, you can see the progress. If you see a failed message in the output, don't worry. It just means that the information can not be gathered because the file doesn't exist or you aren't using that particular service. As you can see from the output, sysreport gathers information about everything including the kernel version, kernel modules, log files, and network configuration.
After sysreport finishes, you will be prompted to enter a case number if you have one from Red Hat Customer Service. After entering one and pressing Enter, a message will appear telling you the filename of the report in the format /root/<hostname>-<casenum>.<date>.tar.bz2. To view the contents of the report, execute the command tar xvf <filename>, where <filename> is the name of the file generated. This command creates the subdirectory with the same filename as the archive file but without the .tar.bz2 extension. This subdirectory contains all the information gathered by sysreport.
Locating Log Files
It is extremely important to keep a watch on the system's log files. If you are familiar with them, it is much easier to spot a change should a problem arise or should you think your system has been compromised. Log files are also useful when configuring a new device or kernel module. Error messages are written to log files and can be used to troubleshoot. You must be root to read most log files.
As the system boots, it writes to the log file /var/log/dmesg. This file contains information about the machine as it boots such as the kernel version, options passed to the boot loader, the type of processor detected, hard drive partitions found, and which partitions are mounted.
The default system log file is /var/log/messages. It contains information such as when a user logs in, when a USB device is inserted, and when a removable device is mounted. Additional log files are located in the /var/log/ directory, with some services having their own subdirectory such as /var/log/cups/ for the printing subsystem. Some log files are rotating log files, meaning that only a certain number are kept on the disk to conserve disk space. If all logs were kept forever, they would eventually consume the entire disk.
For a list of logs that are rotated, refer to /etc/logrotate.conf and the /etc/logrotate.d/ directory.
Viewing Log Files with Logwatch
To keep watch on all the log files on each system for which you are responsible, you can write customized scripts as cron tasks that execute on a regular basis as discussed in Chapter 11, or you can use the Logwatch program to analyze log files and generate reports about them. The Logwatch program is provided by the logwatch RPM package. Install it if it is not already installed.
This section describes how to customize how log files are analyzed and reported, how to customize the scripts used, and how to add additional log files for Logwatch to monitor.
Understanding the Logwatch Configuration
The Logwatch program includes a script to execute the program once a day and email reports to the administrator. Installing the logwatch package is all it takes to have the program up and running. This subsection outlines the files used by Logwatch.
Most of the Logwatch files are installed into the /usr/share/logwatch/ directory with the following subdirectories:
default.conf/: Default configuration files.
dist.conf/: Distribution-specific configuration files. (Red Hat Enterprise Linux does not include any.)
lib/: Perl library files used by the scripts.
scripts/: Executable scripts used by Logwatch. Most are written in Perl.
The default.conf/ directory contains the following files and directories:
logfiles/: Directory that contains configuration files for log file groups. Each log file group configuration file lists one or more log files that use the same format. Some log file group configuration files may be used by more than one service.
services/: Directory that contains configuration files for each service whose log files are monitored by Logwatch such as one for the Apache HTTP server and one for the Samba file-sharing service.
logwatch.conf: Configuration file that contains the default settings for Logwatch.
Customizing Logwatch Configuration
Logwatch is configured for the default log file locations in Red Hat Enterprise Linux, so no customization is required. The main reasons to customize it are if you have modified any service to use a non-default log file, if you want to change the type of data Logwatch looks for in the log files, and if you need to add a new set of log files to watch.
Even though the /usr/share/logwatch/ directory contains the configuration files, the ones in this directory are the defaults and should not be modified. To customize the Logwatch configuration, instead edit the files in /etc/logwatch/, which contains two directories: conf/ and scripts/. The /etc/logwatch/conf/ directory contains the files to customize the configuration files. The /etc/logwatch/scripts/ directory does not contain any files by default, but custom scripts can be added to it as explained in the "Customizing the Logwatch Scripts" section later in this chapter.
The configuration files use the following conventions:
If a line begins with #, the entire line is a comment.
If a line begins with $, the rest of the word is a variable.
If a line begins with *, what follows is an executable.
All the variables set in the files in the /etc/logwatch/conf/ directory and subdirectories override the values from the /usr/share/logwatch/default.conf/ directory and subdirectories. To modify a value in logwatch.conf, copy it into the /etc/logwatch/conf/logwatch.conf file while preserving any subdirectories and modify its value. The next time Logwatch is executed by the daily cron job, the new values will be used instead of the defaults.
To change a value in any of the files in the logfiles/ or services/ directory, create the same file, including subdirectories, in the /etc/logwatch/conf/ directory, and, in the file, declare the variables you want to change. For example, the /usr/share/logwatch/default.conf/services/iptables.conf file contains the lines from Listing 20.12 to define a variable that blocks hosts with less than a certain number of hits between all ports.
LISTING 20.12 IPTables Variable from Logwatch
# Set this to enable a filter on iptables/ipchains displays
# This will block out hosts who have less than the specified
# number of hits between all ports. Defaults to 0.
$iptables_host_min_count = 0
To change this value, create the /etc/logwatch/conf/services/iptables.conf file. Copy these lines into the newly created file, and change the value of 0 to a different integer. The next time Logwatch is executed by the daily cron job, the new value will be used instead of the default.
TIP
Alternatively, copy the entire file from the /usr/share/logwatch/default.conf/ directory and modify the values of the variables. This method is useful if many variables within a file need to be modified.
In addition to the logfiles/ directory, services/ directory, and logwatch.conf file found in /usr/share/logwatch/default.conf/, the /etc/logwatch/conf/ directory contains two additional configuration files: ignore.conf and override.conf. In ignore.conf, if any Logwatch output from any service matches the regular expressions in this file, they are ignored and not included in the report generated.
To modify the value of a variable: Instead of declaring it again in the /etc/logwatch/conf/logwatch.conf file or re-creating it in the logfiles/ or services/ directory, all changed values can be declared in the one file, the /etc/logwatch/conf/override.conf file, using one of the following prefixes for each line (the colon must be included in the prefix followed by a space and then the entire line as it appears in the default configuration file):
logwatch: This variable overwrites the one found in the default logwatch.conf file.
services/<filename>: This variable overwrites the one found in the default services/<filename> file (replace <filename> with the specific name of the file).
logfiles/<filename>: This variable overwrites the one found in the default logfiles/<filename> file (replace <filename> with the specific name of the file).
Customizing the Logwatch Scripts
The /usr/share/logwatch/scripts/ directory contains the following directories:
services/: Directory that contains the executable scripts for each service monitored by Logwatch.
shared/: Directory that contains the executable scripts that might be used by more than one service.
logfiles/: Directory that contains subdirectories named for log file groups. The executables in the subdirectories are executed when running a service that uses the log file group.
The same method for overwriting variable values is used for the scripts. To modify a default script, copy it from the /usr/share/logwatch/scripts/ directory into the /etc/logwatch/scripts/ directory while preserving any subdirectories and then modify the script. If a script with the exact same filename and relative path is found in /etc/logwatch/scripts/, it is used instead of the default script.
Creating Service Filters
As mentioned earlier, the /usr/share/logwatch/default.conf/services/ directory contains a file for each service whose log files are analyzed by Logwatch. The /usr/share/logwatch/scripts/services/ directory contains the executable scripts run for each service. To configure Logwatch to monitor log files for additional services, create a configuration file in /etc/logwatch/conf/services/ and a corresponding executable in /etc/logwatch/scripts/services/. You can base the added files on existing files for a different service.
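As an added example of such a service filter (not code from Logwatch or the book), the following Python script summarizes the syslog lines of a hypothetical backupd service. It assumes what the Logwatch pipeline does for any executable in scripts/services/: the matching conf file (shown in the docstring, also constructed) selects the service's lines and strips their syslog headers, the bare messages arrive on standard input, and LOGWATCH_DETAIL_LEVEL carries the report detail level. The message formats and sample lines are constructed.

```python
#!/usr/bin/python
"""Logwatch service script for a hypothetical 'backupd' service.

Added example, not part of Logwatch or the book. Install it, executable, as
/etc/logwatch/scripts/services/backupd next to a constructed
/etc/logwatch/conf/services/backupd.conf containing:

    Title = "Backup Daemon"
    LogFile = messages        # log file group whose lines are fed to this script
    *OnlyService = backupd    # keep only lines logged by backupd
    *RemoveHeaders            # strip the syslog date/host/program prefix

Logwatch pipes the filtered lines to stdin and sets LOGWATCH_DETAIL_LEVEL
(0 = Low, 5 = Med, 10 = High).
"""
import os
import re
import sys
from collections import Counter, defaultdict

# Message formats the hypothetical daemon writes; anything else is reported as unmatched.
OK_RE = re.compile(r"^backup of (\S+) completed in (\d+)s$")
FAIL_RE = re.compile(r"^backup of (\S+) failed: (.+)$")
REJECT_RE = re.compile(r"^rejected connection from (\d+\.\d+\.\d+\.\d+)$")

# Constructed sample of header-stripped lines, as *RemoveHeaders leaves them.
SAMPLE_LINES = [
    "backup of /home completed in 312s",
    "backup of /var completed in 45s",
    "backup of /srv failed: destination unreachable",
    "rejected connection from 192.0.2.10",
    "rejected connection from 192.0.2.10",
    "rejected connection from 198.51.100.7",
    "backup of /home completed in 300s",
    "scheduler tick",
]


def summarize(lines):
    """Aggregate log lines into the counts the report is built from."""
    summary = {
        "completed": Counter(),        # path -> number of successful runs
        "seconds": defaultdict(int),   # path -> total seconds spent
        "failed": defaultdict(list),   # path -> reasons, in order seen
        "rejected": Counter(),         # source address -> count
        "unmatched": [],               # lines no pattern knows about
    }
    for raw in lines:
        line = raw.rstrip("\n")
        m = OK_RE.match(line)
        if m:
            summary["completed"][m.group(1)] += 1
            summary["seconds"][m.group(1)] += int(m.group(2))
            continue
        m = FAIL_RE.match(line)
        if m:
            summary["failed"][m.group(1)].append(m.group(2))
            continue
        m = REJECT_RE.match(line)
        if m:
            summary["rejected"][m.group(1)] += 1
            continue
        summary["unmatched"].append(line)
    return summary


def render(summary, detail):
    """Build the report text. Failures and rejected connections are always shown;
    successful runs need detail >= 5 and unmatched lines detail >= 10."""
    out = []
    if summary["failed"]:
        out.append("Failed backups:")
        for path, reasons in sorted(summary["failed"].items()):
            for reason in reasons:
                out.append("   %s: %s" % (path, reason))
    if summary["rejected"]:
        out.append("Rejected connections:")
        for addr, n in summary["rejected"].most_common():
            out.append("   %s: %d time(s)" % (addr, n))
    if detail >= 5 and summary["completed"]:
        out.append("Completed backups:")
        for path, n in sorted(summary["completed"].items()):
            out.append("   %s: %d run(s), %ds total" % (path, n, summary["seconds"][path]))
    if detail >= 10 and summary["unmatched"]:
        out.append("**Unmatched Entries**")
        out.extend("   " + l for l in summary["unmatched"])
    return "\n".join(out)


if __name__ == "__main__":
    level = int(os.environ.get("LOGWATCH_DETAIL_LEVEL", "0"))
    print(render(summarize(sys.stdin), level))
```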
Summary
Red Hat Enterprise Linux includes several utilities necessary for adequately monitoring and tuning system resources.
The df and du commands calculate used and free space on partitions and in directories. The lsof utility lists open files for active processes. The sysstat programs iostat and sar help monitor disk load and performance.
Use ps and top to monitor processes. The uptime and mpstat utilities can help keep tabs on the processor or processors in the system while free and vmstat provide information about physical and virtual memory. To analyze network configuration and traffic, use a combination of ifconfig and tcpdump.
The sysreport program gathers all system information in one archive file for further analysis by an administrator or customer support representative. In addition, becoming familiar with log files can help you learn how your system works and allow you to recognize changes quickly.
The logwatch utility can be used to generate log file reports.
IN THIS CHAPTER
Using the /proc Directory
Optimizing Virtual Memory
Managing Memory with NUMA
Using AltSysRq to Execute System Requests
Saving Kernel Dumps for Analysis
Setting SMP IRQ Affinity
Enabling NMI Watchdog for Locked Systems
CHAPTER 21
Monitoring and Tuning the Kernel
The previous chapter, "Monitoring System Resources," details how to monitor filesystems, system processes, CPU utilization, physical and virtual memory, and the network subsystem. This chapter dives even deeper into the system by discussing the monitoring and tuning of the kernel, including how it manages memory, how it assigns processes to each processor in a multi-processor system, and how to gather information from the kernel when the system appears to be unresponsive.
Using the /proc Directory
Instead of executing utilities such as free and top to determine the status of system resources, or fdisk to view disk partitions, an administrator can gather system information directly from the kernel through the /proc filesystem.
The /proc directory can be thought of as a window into what the kernel sees on the system. Even though the directory appears to contain files and directories, they are not ordinary files. You will notice that most of them are 0 bytes in size. You will also notice that it is mounted as a pseudo-filesystem in /etc/fstab:
proc /proc proc defaults 0 0
When you view the contents of files in /proc, you are really asking the kernel what the current state is for that particular device or subsystem. To view the contents of a special file in /proc, use the cat, less, or more file viewing utilities. For example, the cat /proc/meminfo command displays the current state of the system memory as shown in Listing 21.1.
LISTING 21.1 Current State of Memory from /proc/meminfo
MemTotal:        2057004 kB
MemFree:           42468 kB
Buffers:          177332 kB
Cached:           973368 kB
SwapCached:            0 kB
Active:          1060956 kB
Inactive:         796132 kB
HighTotal:             0 kB
HighFree:              0 kB
LowTotal:        2057004 kB
LowFree:           42468 kB
SwapTotal:       2031608 kB
SwapFree:        2031480 kB
Dirty:                44 kB
Writeback:             0 kB
AnonPages:        698652 kB
Mapped:           122272 kB
Slab:             105120 kB
PageTables:        29852 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
CommitLimit:     3060108 kB
Committed_AS:    1436088 kB
VmallocTotal: 34359738367 kB
VmallocUsed:        1376 kB
VmallocChunk: 34359736971 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
Hugepagesize:       2048 kB
Other virtual /proc files of interest include the following:
/proc/cpuinfo: Information about the system's processors, such as how many physical processors exist and how many processor cores exist.
/proc/cmdline: Boot parameters passed to the kernel at boot time.
/proc/sys/: Directory containing parameters that can be modified with sysctl. Refer to the "Using sysctl to Change Values" section for details.
/proc/sys/vm/: Directory containing the virtual memory management configuration. The "Optimizing Virtual Memory" section later in this chapter discusses how to modify the virtual files in /proc/sys/vm/ to configure how the kernel manages virtual memory.
/proc/net/: Directory containing network settings.
/proc/irq/: Directory containing a subdirectory for each IRQ in use, with each subdirectory holding information about that specific IRQ.
Using sysctl to Change Values
It is also possible to use the virtual /proc filesystem to change how the kernel behaves. The value of some files can be changed by redirecting data into them, such as echo 1 > /proc/sys/net/ipv4/ip_forward to enable IP forwarding. However, these values are not persistent after a reboot.
To modify the values of the virtual files in /proc/sys/, the root user can also use the sysctl command to modify and test the values. Again, these changes are only in effect until the system is rebooted. To make the values persist between reboots, modify the /etc/sysctl.conf file as root. Changes to this file do not take place immediately. Either use the sysctl -p command to apply all settings in the file or echo the new values into the appropriate /proc files for the changes to take effect immediately.
To retrieve a list of all values that can be modified in this manner, execute the sysctl -a command. Notice that the type of value each parameter accepts differs. Be extremely careful to set these parameters to proper values and test them before setting them on production systems. It is possible to lock up the system or cause severe performance problems if incorrect values are given.
To map the parameters listed by the sysctl -a command to the virtual file locations, replace each dot (.) with a forward slash (/) and prepend /proc/sys/ to the result. For example, the kernel.exec-shield parameter maps to the /proc/sys/kernel/exec-shield file.
TIP
To list the /proc/sys/ tunables for a specific subsystem such as virtual memory, pipe the output through grep to show only those options and redirect it into a file:
sysctl -a | grep '^vm\.' > vm-tunables.txt
To use the sysctl command-line utility to assign values to these kernel parameters, use the following syntax as the root user:
sysctl -w <parameter>="<value>"
Changes can be saved for subsequent reboots by adding them to the /etc/sysctl.conf file with the following syntax:
<parameter> = <value>
For example, the following command raises vm.swappiness, which controls how readily the kernel moves pages to swap space, from its default value of 60 to 70:
sysctl -w vm.swappiness="70"
This command enables the change immediately. To save the setting so that it survives a reboot, add the following line to /etc/sysctl.conf:
vm.swappiness = 70
If you add the change to /etc/sysctl.conf without executing the sysctl -w vm.swappiness="70" command, the change will not go into effect until the sysctl -p command is executed as root or the system is rebooted.
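Because /etc/sysctl.conf only states what the kernel should be running, a practitioner also wants to know whether the live kernel still agrees with it: a forgotten echo into /proc/sys, or a host never reloaded with sysctl -p, leaves the file and the kernel out of step. The following script is an added example and is not code from the book or from Red Hat Enterprise Linux. It applies the dot-to-slash mapping described above, normalizes both a sysctl.conf-style policy and saved sysctl -a output into key/value pairs, and reports every key that drifted or is missing. The two inputs embedded in it are constructed samples; on a real host you would pass /etc/sysctl.conf and a saved copy of sysctl -a output.

```shell
#!/bin/sh
# Added example (not from the book): compare the settings a hardened
# /etc/sysctl.conf asks for with what the running kernel reports, without
# changing anything.  Both inputs are files so the check runs offline on
# the constructed samples below.

# sysctl_to_path <key> : the /proc/sys file behind a sysctl key, using the
# rule from the text (every dot becomes a slash, prefixed with /proc/sys/).
sysctl_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# normalize_kv <file> : turn "key = value" lines (sysctl.conf syntax and
# `sysctl -a` output look alike) into "key<TAB>value".  Comments and blank
# lines are dropped, and whitespace inside multi-field values such as
# vm.lowmem_reserve_ratio (printed with tabs by sysctl -a) is collapsed so
# that "256 256 32" and "256<TAB>256<TAB>32" compare equal.
normalize_kv() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", val)
            print key "\t" val
        }' "$1"
}

# check_sysctl_drift <wanted.conf> <saved-sysctl-a.txt> : one line per
# wanted key: "OK key value", "DRIFT key expected=X actual=Y" or
# "MISSING key" (the kernel does not expose that key at all).
# Exit status 1 if anything drifted or is missing, so it can gate a change.
check_sysctl_drift() {
    actual_tmp=$(mktemp) || return 1
    normalize_kv "$2" > "$actual_tmp"
    normalize_kv "$1" | awk -F '\t' -v actual_file="$actual_tmp" '
        BEGIN {
            bad = 0
            while ((getline line < actual_file) > 0) {
                t = index(line, "\t")
                actual[substr(line, 1, t - 1)] = substr(line, t + 1)
            }
            close(actual_file)
        }
        !($1 in actual)  { print "MISSING " $1; bad++; next }
        actual[$1] != $2 { print "DRIFT " $1 " expected=" $2 " actual=" actual[$1]; bad++; next }
                         { print "OK " $1 " " $2 }
        END { exit (bad > 0) }'
    rc=$?
    rm -f "$actual_tmp"
    return $rc
}

# Constructed sample: the policy a hardened host should meet.
WANTED_CONF='# forwarding off unless this box is a router
net.ipv4.ip_forward = 0
# keyboard system requests off (see "Using AltSysRq" in this chapter)
kernel.sysrq = 0
kernel.exec-shield = 1
vm.swappiness = 60
vm.lowmem_reserve_ratio = 256 256 32
net.ipv4.conf.all.rp_filter = 1'

# Constructed sample: what `sysctl -a` reported on the host being checked
# (note the tabs sysctl -a uses inside vm.lowmem_reserve_ratio).
ACTUAL_SYSCTL=$(printf 'net.ipv4.ip_forward = 1\nkernel.sysrq = 1\nkernel.exec-shield = 1\nvm.swappiness = 60\nvm.lowmem_reserve_ratio = 256\t256\t32\n')

# run_drift_demo : write both samples to temporary files and run the check.
run_drift_demo() {
    want=$(mktemp) && have=$(mktemp) || return 1
    printf '%s\n' "$WANTED_CONF" > "$want"
    printf '%s\n' "$ACTUAL_SYSCTL" > "$have"
    check_sysctl_drift "$want" "$have"
    rc=$?
    rm -f "$want" "$have"
    return $rc
}

run_drift_demo || echo "drift detected (exit $?)"
```

On the sample data the check flags net.ipv4.ip_forward and kernel.sysrq as drifted, accepts vm.lowmem_reserve_ratio despite the different whitespace, and reports net.ipv4.conf.all.rp_filter as missing. The dot-to-slash mapping assumes no component of the key itself contains a dot, which holds for every key in this chapter.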
Optimizing Virtual Memory
As discussed in the "Using the /proc Directory" section earlier in this chapter, the settings in /proc/sys/ can be modified with the sysctl -w <parameter>="<value>" command or in the /etc/sysctl.conf file so that the change persists between reboots. One of the subdirectories, /proc/sys/vm/, can be used to optimize how the virtual memory is managed by the kernel.
Table 21.1 shows the kernel virtual memory settings that can be configured in /etc/sysctl.conf and their default values. The setting names are the ones used with the sysctl utility.
TIP
To retrieve a list of all the kernel virtual memory settings for your system along with their current values, use the command sysctl -a | grep '^vm\.' > sysctl_vm.txt and read the resulting sysctl_vm.txt file.
TABLE 21.1 Virtual Memory Settings
Virtual Memory Setting          Default Value
vm.swap_token_timeout           300
vm.legacy_va_layout             0
vm.vfs_cache_pressure           100
vm.block_dump                   0
vm.laptop_mode                  0
vm.max_map_count                65536
vm.percpu_pagelist_fraction     0
vm.min_free_kbytes              2894
vm.drop_caches                  0
vm.lowmem_reserve_ratio         256 256 32
vm.hugetlb_shm_group            0
vm.nr_hugepages                 0
vm.swappiness                   60
vm.nr_pdflush_threads           2
vm.dirty_expire_centisecs       3000
vm.dirty_writeback_centisecs    500
vm.dirty_ratio                  40
vm.dirty_background_ratio       10
vm.page-cluster                 3
vm.overcommit_ratio             50
vm.overcommit_memory            0
vm.min_slab_ratio               5*
vm.min_unmapped_ratio           1*
vm.panic_on_oom                 0
vm.zone_reclaim_mode            0*
*These tunables are only available for kernels with NUMA support.
The following explains each of these settings:
vm.swap_token_timeout
Length of the swap-out protection token, in seconds. Used to prevent needless page faults when the system is thrashing.
vm.legacy_va_layout
If the system's architecture allows it, setting this parameter to 1 makes the kernel use the 2.4 kernel layout algorithm for allocating virtual address space to processes.
vm.vfs_cache_pressure
Controls how aggressively the kernel reclaims memory used to cache directory and inode objects. The higher the value, the more aggressively the kernel reclaims this type of memory.
vm.block_dump
If set to a non-zero value and syslog is configured to record debug messages from the kernel, messages about I/O requests and page writes are logged in /var/log/messages.
vm.laptop_mode
Minimizes power consumption for disk writes, for example by performing pending write operations while the disk is already spinning. Automatically enabled when a laptop is running on battery if the system uses ACPI. For more details, install the kernel-doc package and read the /usr/share/doc/kernel-doc-<version>/Documentation/laptop-mode.txt file.
vm.max_map_count
Maximum number of memory map areas the kernel will allocate to each process.
vm.percpu_pagelist_fraction
Maximum pages allocated in each zone for any per_cpu_pagelist, as a fraction. For example, if this value is 50, at most 1/50 of the pages in each zone can be allocated to each per_cpu_pagelist. The minimum value it can be set to is 8.
vm.min_free_kbytes
Minimum number of kilobytes to keep free so the kernel can reserve pages for each lowmem zone.
vm.drop_caches
Used to manually free the page cache, dentries, and inodes. Does not free dirty objects, so run the sync command first to force dirty objects to be written to disk. Use the echo command as root to set it to one of the following values (for example, echo 1 > /proc/sys/vm/drop_caches):
1: Free the page cache
2: Free dentries and inodes
3: Free the page cache, dentries, and inodes
vm.lowmem_reserve_ratio
Sets the ratio of total pages to reserved pages for each memory zone, so that allocations which could have used a higher zone do not exhaust a lower one.
vm.hugetlb_shm_group
Group ID of the non-root group allowed to allocate huge pages for SHM_HUGETLB shared memory segments. Useful when running the Oracle Database.
vm.nr_hugepages
Current number of reserved hugetlb pages. Change this value to allocate or deallocate huge pages.
vm.swappiness
How readily the kernel swaps anonymous memory out to swap space rather than reclaiming page cache. Values range from 0 to 100; the higher the value, the more aggressively the kernel swaps.
vm.nr_pdflush_threads
Number of pdflush threads currently running. Cannot be changed because it is a count of running threads; it stays between the minimum and maximum number of pdflush threads allowed. Useful for monitoring disk activity.
vm.dirty_expire_centisecs
How old dirty data must be before pdflush writes it to disk, in hundredths of a second. After dirty data has been in memory for this long, it is written to disk the next time the pdflush daemon runs.
vm.dirty_writeback_centisecs
How often the pdflush daemons wake up to write expired dirty data back to disk, in hundredths of a second.
vm.dirty_ratio
Limit at which processes generating dirty data start writing it to disk themselves instead of waiting for pdflush. The value is a percentage of total memory.
vm.dirty_background_ratio
Percentage of memory. When this percentage of memory is dirty, the pdflush daemon begins writing the dirty data out in the background.
vm.page-cluster
Integer that controls the number of pages read from swap at the same time, minimizing the number of disk reads. The number of pages read at once is 2^<page-cluster>. For example, if this parameter is set to 3, 8 pages are read at once.
vm.overcommit_memory
Sets how the kernel handles requests for memory. If set to 0, the kernel uses a heuristic: obviously excessive requests are refused, but some overcommitment is allowed. If set to 1, the kernel always grants the request, even if the memory has already been promised to other programs. If set to 2, the kernel never overcommits: the total address space it will hand out is limited to the swap space plus the percentage of physical memory given by vm.overcommit_ratio (reported as CommitLimit in /proc/meminfo), and requests beyond that limit fail. With a setting of 2, size the swap space as the amount of physical memory plus the amount of memory the kernel is allowed to overcommit.
CAUTION
Use caution when allowing the kernel to overallocate memory. If programs actually use all the memory they request, overallocating will slow down the system, as memory has to be constantly swapped in and out while programs compete for memory that is not there.
vm.overcommit_ratio
When vm.overcommit_memory is set to 2, this percentage of physical RAM is added to the swap space to form the commit limit. For example, on a system with 8GB of RAM and 10GB of swap space, a value of 25 lets the kernel commit 12GB in total: the 10GB of swap plus an additional 2GB (25% of 8GB).
vm.min_slab_ratio
Only for NUMA kernels. A percentage of the total pages in each memory zone. If more than this percentage of a zone's pages are reclaimable slab pages, slabs are reclaimed when a zone reclaim occurs.
vm.min_unmapped_ratio
Only for NUMA kernels. A percentage of the total pages in each memory zone. Zone reclaim occurs if, and only if, more than this percentage of a zone's pages are file-backed and mapped. This setting ensures that local pages remain available for file input and output even if a node is overallocated.
vm.panic_on_oom
If set to 0, the Out of Memory (OOM) killer is enabled, which is the default in the Red Hat Enterprise Linux kernel. When there is no memory left on the system and an application requests more, the kernel uses a heuristic based on each process's memory usage and how much it has been allocated to decide which process to kill. This usually allows the system to stay up and running. If set to 1, the kernel panics when an out-of-memory condition occurs.
vm.zone_reclaim_mode
Sets how memory is reclaimed when a zone runs out of memory. If set to 0, no reclaim occurs, and memory is allocated from other zones or nodes on the system. Otherwise the value is the OR of the following:
1: Zone reclaim enabled. Easily reusable pages are reclaimed before allocating pages from a different node.
2: Zone reclaim writes dirty pages out. Dirty pages are written out when a zone fills up, which slows down the system.
4: Zone reclaim swaps pages. Swapping pages limits allocations to local nodes.
The default is sometimes 1 instead of 0 if the kernel determines at boot time that allocating pages from remote zones would cause a significant decrease in performance.
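Listing 21.1 and the vm.overcommit_ratio description above are two views of the same arithmetic: the CommitLimit line in /proc/meminfo is the swap space plus the configured percentage of physical memory, and under vm.overcommit_memory=2 the kernel refuses requests once Committed_AS would exceed it. The following script is an added example, not code from the book or from Red Hat Enterprise Linux. It reads /proc/meminfo-style text, reports memory actually in use, reproduces the kernel's CommitLimit exactly by doing the calculation in pages as the kernel does, recovers the ratio in effect, and shows how much address space is still available. The embedded input is a constructed copy of the relevant Listing 21.1 lines, and the 4 kB page size is an assumption stated in the code.

```shell
#!/bin/sh
# Added example (not from the book): derive the figures behind Listing 21.1
# and vm.overcommit_ratio from /proc/meminfo text.  The kernel computes
#     CommitLimit = (MemTotal_pages * overcommit_ratio / 100) + SwapTotal
# in whole pages with integer arithmetic; doing the same here reproduces
# its figure exactly instead of being off by a rounding error.

# Constructed input: the eight lines of Listing 21.1 this example needs,
# copied verbatim.  On a live host use: SAMPLE_MEMINFO=$(cat /proc/meminfo)
SAMPLE_MEMINFO='MemTotal:      2057004 kB
MemFree:         42468 kB
Buffers:        177332 kB
Cached:         973368 kB
SwapTotal:     2031608 kB
SwapFree:      2031480 kB
CommitLimit:   3060108 kB
Committed_AS:  1436088 kB'

# Page size in kB.  Assumption: 4 kB pages (x86, x86_64).  ia64 and ppc64
# kernels may use larger pages; `getconf PAGESIZE` reports the real value.
PAGE_KB=${PAGE_KB:-4}

# field <meminfo-text> <name> : the kB value of one meminfo line.
field() {
    printf '%s\n' "$1" | awk -v name="$2:" '$1 == name { print $2; exit }'
}

# used_kb <meminfo-text> : memory that is neither free nor reclaimable
# cache, the "-/+ buffers/cache" view the free command prints.
used_kb() {
    total=$(field "$1" MemTotal); free=$(field "$1" MemFree)
    buffers=$(field "$1" Buffers); cached=$(field "$1" Cached)
    echo $((total - free - buffers - cached))
}

# swap_used_kb <meminfo-text> : swap space currently occupied.
swap_used_kb() {
    echo $(( $(field "$1" SwapTotal) - $(field "$1" SwapFree) ))
}

# commit_limit_kb <meminfo-text> <overcommit_ratio> : the CommitLimit the
# kernel would report under vm.overcommit_memory=2 for that ratio.
commit_limit_kb() {
    pages=$(( $(field "$1" MemTotal) / PAGE_KB ))
    swap=$(field "$1" SwapTotal)
    echo $(( (pages * $2 / 100) * PAGE_KB + swap ))
}

# commit_headroom_kb <meminfo-text> : address space that can still be
# granted before strict overcommit starts refusing requests.
commit_headroom_kb() {
    echo $(( $(field "$1" CommitLimit) - $(field "$1" Committed_AS) ))
}

# overcommit_ratio_in_effect <meminfo-text> : recover vm.overcommit_ratio
# from the reported CommitLimit by trying every percentage; prints
# "unknown" if none reproduces it (for instance when huge pages are
# reserved, which the kernel subtracts from MemTotal first).
overcommit_ratio_in_effect() {
    reported=$(field "$1" CommitLimit)
    pages=$(( $(field "$1" MemTotal) / PAGE_KB ))
    swap=$(field "$1" SwapTotal)
    r=0
    while [ "$r" -le 100 ]; do
        if [ $(( (pages * r / 100) * PAGE_KB + swap )) -eq "$reported" ]; then
            echo "$r"; return 0
        fi
        r=$((r + 1))
    done
    echo unknown
    return 1
}

printf 'in use: %s kB, swap in use: %s kB\n' \
    "$(used_kb "$SAMPLE_MEMINFO")" "$(swap_used_kb "$SAMPLE_MEMINFO")"
printf 'CommitLimit at ratio 50: %s kB (listing reports %s kB)\n' \
    "$(commit_limit_kb "$SAMPLE_MEMINFO" 50)" "$(field "$SAMPLE_MEMINFO" CommitLimit)"
printf 'overcommit_ratio in effect: %s, headroom: %s kB\n' \
    "$(overcommit_ratio_in_effect "$SAMPLE_MEMINFO")" "$(commit_headroom_kb "$SAMPLE_MEMINFO")"
```

Against the Listing 21.1 figures the script reproduces CommitLimit 3060108 kB only at a ratio of 50, the Table 21.1 default, and shows about 1.6 GB of commit headroom. Repeating the check after changing vm.overcommit_ratio with sysctl -w confirms that the new value took effect without allocating a single byte.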
Managing Memory with NUMA
Non-Uniform Memory Access (NUMA) is a memory architecture available on some multi-processor systems. NUMA works by giving each processor its own dedicated memory, decreasing access time and avoiding the delays caused by more than one processor trying to access the same memory at the same time. When the same data in memory is needed by more than one processor, the data must be moved between memory banks, which slows things down. The time saved by using NUMA depends on many factors, including how many processors would otherwise share the same memory bus, how often memory is accessed, whether the running applications were written for a NUMA system, and how much data in memory must be shared between processors.
NUMA is enabled by default in Red Hat Enterprise Linux 5. In some older versions of Red Hat Enterprise Linux, NUMA is disabled by default. Be sure to read the Release Notes to determine whether NUMA is enabled or disabled by default.
If it is enabled, in some cases you might need to disable it. To disable NUMA, boot with the numa=off kernel boot parameter. Refer to "Adding Boot Parameters" in Chapter 2, "Post-Installation Configuration," for step-by-step instructions on adding this boot parameter to the boot loader configuration file. Alternatively, use the numa=on kernel boot parameter to explicitly enable NUMA.
To verify that NUMA is enabled on your system, use the numactl --show command from the numactl package. If it is not installed on your system, refer to Chapter 3, "Operating System Updates," for details on installing additional software. If NUMA is available and enabled on the system, the output should look similar to Listing 21.2. If NUMA is not available on the system or is disabled, the following message is displayed:
No NUMA support available on this system.
LISTING 21.2 NUMA Enabled on System
policy: default
preferred node: current
physcpubind: 0 1
cpubind: 0
nodebind: 0
membind: 0
To show the size of each memory node and how much memory is free in each node, use the numactl --hardware command. For example, Listing 21.3 shows four memory nodes on a system with four processors.
LISTING 21.3 NUMA Nodes and Free Memory on Each Node
available: 4 nodes (0-3)
node 0 size: 2047 MB
node 0 free: 1772 MB
node 1 size: 2047 MB
node 1 free: 1712 MB
node 2 size: 2047 MB
node 2 free: 1756 MB
node 3 size: 2047 MB
node 3 free: 1973 MB
The numactl utility also allows the administrator to tweak the NUMA policies, such as interleaving memory allocations across nodes or setting a preferred node on which to allocate memory if possible. For descriptions of these additional options, refer to the numactl man page with the man numactl command.
To display statistics for each NUMA node, execute the numastat command. It reads the /sys/devices/system/node/ subdirectories and displays their data in a more user-friendly format, as shown in Listing 21.4 for a system with four memory nodes.
LISTING 21.4 NUMA Statistics
                  node3     node2     node1     node0
numa_hit        2246949   2628316   2088387   2741816
numa_miss             0         0         0         0
numa_foreign          0         0         0         0
interleave_hit    38494     39397     39650     39722
local_node      2217592   2597994   2056904   2713781
other_node        29357     30322     31483     28035
Using AltSysRq to Execute System Requests
When your system seems unresponsive, or does not respond to other monitoring tools, system requests can be useful for diagnosing the problem. System requests are activated by special key combinations. When activated, anyone at the console can execute these system requests without being logged into the system and without entering any additional authentication information. Thus, they should only be enabled to diagnose problems with the system, and only when the physical system is in a secure location or is being monitored by an administrator.
To enable them, execute the following command as root:
echo 1 > /proc/sys/kernel/sysrq
As previously discussed, modifying the value of a /proc virtual file with the echo command takes effect immediately but does not survive a reboot. To make the change persist after a reboot, add the following line to /etc/sysctl.conf:
kernel.sysrq = 1
If this file is modified, either execute the sysctl -p command to enable the change immediately or use the echo command to modify the value of the virtual file. To turn system requests off again, set the value back to 0.
To execute these system requests on an x86 or x86_64 system, use the key combination Alt-SysRq-<commandkey>. Most modern keyboards have the SysRq key labeled. If yours does not, it is the same as the PrintScreen key. Key combinations for other architectures vary. However, on any architecture, root can always use the echo command to write the "command key" part of the key combination to /proc/sysrq-trigger. For example, to execute the Alt-SysRq-m system request, use the following command:
echo m > /proc/sysrq-trigger
Writing to /proc/sysrq-trigger requires root privileges and works regardless of the kernel.sysrq setting; that setting governs only the keyboard path that an unauthenticated console user can reach.
Table 21.2 lists the available command keys for executing system requests.
TABLE 21.2 List of AltSysRq Keys
Key   Description
r     Turn off raw mode for the keyboard and turn on XLATE.
k     Secure Access Key (SAK). Kill all programs on the current virtual console.
b     Immediately reboot the system without syncing memory to disk or unmounting disks. The command keys s and u, to sync and remount all filesystems read-only, should be attempted first.
c     Perform a Kexec reboot so that a crash dump can be taken.
o     Shut down the system.
s     Sync all mounted filesystems, if possible. Should be used before rebooting to minimize data loss. When the sync is finished, the OK and Done messages appear.
u     Remount all mounted filesystems read-only, if possible.
p     Display the value of all current registers and flags on the console.
t     Display the current task list on the console.
m     Display current memory information on the console.
v     Display Voyager SMP processor information on the console.
0-9   Set the console log level, which controls what type of kernel messages are displayed on the console. If set to 0, only emergency messages such as PANICs or OOPSes are printed. The higher the number, the more messages are printed.
f     Execute the OOM killer.
e     Terminate all processes except init with a SIGTERM signal.
i     Kill all processes except init with a SIGKILL signal.
l     Kill all processes including init with a SIGKILL signal, leaving the system nonfunctional.
h     Display help.
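The text presents kernel.sysrq as a switch between 0 and 1, but the kernel's own Documentation/sysrq.txt also accepts a bitmask of function groups, which is the setting an administrator actually wants on a host whose console is reachable by others: keep the recovery keys (s, u, b) and refuse the ones that kill processes or dump registers and task lists. The following script is an added example, not code from the book or from Red Hat Enterprise Linux. It decodes a kernel.sysrq value into the Table 21.2 keys it permits and builds the smallest value that permits a chosen set of keys. The group numbers and the key-to-group assignment are taken from Documentation/sysrq.txt, not from the book; the v and l keys are left unassigned because the documentation of that era does not place them in a group.

```shell
#!/bin/sh
# Added example (not from the book): decode and build kernel.sysrq bitmask
# values.  0 disables everything, 1 enables everything; any other value is
# the OR of the group numbers below (Documentation/sysrq.txt).

# Bitmask groups with the Table 21.2 keys each group controls.  The help
# key (h) is always answered, so it is not listed.
sysrq_groups() {
    printf '%s\t%s\t%s\n' \
        2   'console log level'                  '0-9' \
        4   'keyboard control (SAK, unraw)'      'k r' \
        8   'debugging dumps'                    'p t m c' \
        16  'sync'                               's' \
        32  'remount read-only'                  'u' \
        64  'signal processes (term, kill, oom)' 'e i f' \
        128 'reboot/poweroff'                    'b o' \
        256 'nice all real-time tasks'           '(no Table 21.2 key)'
}

# sysrq_allowed_keys <value> : the keys a kernel.sysrq value permits, one
# group per line as "keys (group)", or the single word "none" / "all".
sysrq_allowed_keys() {
    case "$1" in
        0) echo none; return 0 ;;
        1) echo all;  return 0 ;;
    esac
    sysrq_groups | awk -F '\t' -v v="$1" '
        int(v / $1) % 2 == 1 { print $3 " (" $2 ")" }'
}

# sysrq_mask_for <key>... : smallest kernel.sysrq bitmask enabling every
# given key.  Because the kernel grants whole groups, the result may also
# enable neighbouring keys; run sysrq_allowed_keys on it to see them.
sysrq_mask_for() {
    sysrq_groups | awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, w, " "); sum = 0 }
        {
            m = split($3, g, " ")
            for (i = 1; i <= n; i++)
                for (j = 1; j <= m; j++)
                    if (w[i] == g[j]) { sum += $1; next }
        }
        END { print sum }'
}

# sysctl_line_for <key>... : the /etc/sysctl.conf line for that policy.
sysctl_line_for() {
    printf 'kernel.sysrq = %s\n' "$(sysrq_mask_for "$@")"
}

echo "policy: allow only sync, remount read-only and reboot"
sysctl_line_for s u b
echo "keys that value permits:"
sysrq_allowed_keys "$(sysrq_mask_for s u b)"
```

For the s, u and b keys the script produces kernel.sysrq = 176 and confirms that the value also admits o (poweroff, in the same group as reboot) but none of k, e, i, f, p, t or m. The same line can be placed in /etc/sysctl.conf and applied with sysctl -p, as described above for the value 1.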
Saving Kernel Dumps for Analysis
When the kernel crashes, a snapshot, or "dump," of the system memory can sometimes be used to determine why the kernel crashed without having to reproduce the problem. Red Hat Enterprise Linux includes the Kdump utility to save the kernel dump. It replaces the Netdump and Diskdump utilities from previous versions of Red Hat Enterprise Linux. The kernel dump file can be analyzed with the crash program after it is saved.
Kdump has two major advantages over Netdump and Diskdump. First, the same program can be used to save the kernel dump to a local file or over the network. Previously, Diskdump had to be used to save to a local file and Netdump had to be used to save over the network. Second, Kdump uses Kexec to boot into a second kernel without rebooting the crashed kernel, giving you a better chance of capturing the dump file.
Kdump and Kexec are features compiled into the kernel. However, the kexec-tools RPM package must also be installed because it includes the utilities to configure Kexec and Kdump. On the ppc64 architecture only, the kernel-kdump RPM package is also required for Kdump to function properly. The kexec-tools package (and the kernel-kdump package for ppc64) should already be installed. If not, refer to Chapter 3 for instructions on installing RPM packages from Red Hat Network.
This section describes how to capture a kernel dump when the system crashes and then how to analyze its contents.
NOTE
Kdump is only available for the i686, x86_64, ia64, and ppc64 kernels in Red Hat Enterprise Linux.
The Kdump program cannot be used with the virtualization kernels. If the output of the uname -r command ends in xen, you are running a virtualization kernel. Refer to the "Installing a New Kernel" section of Chapter 5 for details on booting a different kernel.
Booting with Kexec
Kexec is usually used in conjunction with Kdump to boot into a secondary kernel so that the memory from the initial kernel is preserved. However, it can be used alone to perform a warm reboot. A warm reboot uses the context of the running kernel to reboot the system without going through the BIOS, resulting in a faster boot time.
To perform a warm reboot with Kexec, use the following steps:
1. Load the kernel to boot into the currently running kernel (must be executed as the root user):
kexec -l /boot/vmlinuz-`uname -r` --initrd=/boot/initrd-`uname -r`.img \
  --command-line="`cat /proc/cmdline`"
Notice that the command includes three commands in back quotes (uname -r twice and cat /proc/cmdline). Because these commands are in back quotes, their output replaces the back-quoted text when the entire command is executed. Because uname -r returns the currently running kernel version, this kexec command will reboot into the same kernel version. To boot into a different kernel, use that kernel's version instead.
The cat /proc/cmdline command embedded in the kexec command sets the kernel parameters used for the warm reboot to the parameters used to boot the currently running kernel. To use different parameters, list them instead.
2. Reboot the system and watch the warm reboot. This can be done by executing the reboot command as root from the command line or by selecting System, Shut Down from the desktop menus.
As the system reboots, you will notice that after going through the normal shutdown process, the Linux startup messages appear immediately. You do not see the system BIOS or the GRUB boot loader.
The Kexec program has command-line options in addition to the -l option for loading a new kernel. Command-line options for all architectures can be found in Table 21.3. Additional command-line options exist per architecture. Execute the kexec -h command to view a list of these architecture-specific options.
TABLE 21.3 Command-Line Options for kexec
Command-Line Option    Description
-h                     Display the list of command-line options with brief descriptions.
-v                     Display the Kexec version.
-f                     Force an immediate warm boot without calling shutdown.
-x                     Do not bring down the network interfaces. Must be the last option specified.
-l <vmlinuz-file>      Load the specified kernel into the currently running kernel.
-p                     Load the new kernel for use on panic.
-u                     Unload the currently loaded Kexec kernel.
-e                     Execute the currently loaded Kexec kernel. The kexec -e command reboots the system with the kernel loaded with the -l option.
-t=<type>              Provide the type of the kernel loaded with the -l option.
--mem-min=<addr>       Provide the lowest memory address to load code into.
--mem-max=<addr>       Provide the highest memory address to load code into.
Reserving Memory for the Secondary Kernel
Even though Kdump is compiled into the kernel, you must enable it and configure a few settings, such as how much memory to reserve for the second kernel booted with Kexec and where to save the kernel dump file.
If Kdump is activated, when a crash occurs, Kexec is used to boot into a second kernel. This second kernel captures the kernel dump file. This is possible because the first kernel reserves memory for the second kernel to boot in. The second kernel can boot with very little memory. Because only the reserved memory is used to boot the second kernel, the memory contents of the first kernel are still available for the second kernel to write into the dump file.
The amount of reserved memory is set as a kernel parameter in the boot loader configuration file. For x86 and x86_64, edit the /etc/grub.conf file as root and append the following to the end of the kernel line in the active boot stanza:
crashkernel=128M@16M
For ia64 systems, edit /etc/elilo.conf as root and add the following to the end of the line starting with append in the active boot stanza:
crashkernel=256M@256M
For ppc64 systems, edit the /etc/yaboot.conf file as root and add the following to the end of the line starting with append in the active boot stanza (remember to enable the changes by executing /sbin/ybin after saving the changes to the file):
crashkernel=128M@16M
The two values in this parameter represent the amount of memory to reserve for the secondary kernel and the memory offset at which the reserved region starts, respectively. Notice that at least 128 MB should be reserved for x86, x86_64, and ppc64 systems. At least 256 MB must be reserved for the ia64 architecture.
The system must be rebooted with this new boot parameter so that the set amount of memory is reserved. After rebooting, notice that the amount of memory available to the system is the total amount of memory minus the amount reserved.
Selecting Location for Dump File
Next, decide whether to save the dump file to a local or remote filesystem. Both have their advantages. Writing to the local filesystem does not require the network connection to be working after a kernel crash. It can be much faster and more reliable, depending on your network transfer speeds and the state of the network card driver. Imagine the impact of saving a 3 GB file over the network: it could slow the rest of the network to a halt. If the system is in production, this could mean failure for all other packet transfers. If network transfer is critical to the system, such as a system accepting orders or stock trades, slowing down the network is not acceptable. Also, if the network is not working properly on the crashed system, the dump file might never get written to the remote filesystem.
TIP
If you need to send the dump file to someone such as Red Hat Support, you can compress it to make it smaller with the gzip or bzip2 utilities.
However, writing to a local filesystem also means having enough dedicated disk space on the system for the kernel dump file. If you have a network file server set up on your network, it might be more convenient to write to a dedicated directory on it instead. Writing to a network location also has the advantage of collecting the kernel dumps from all systems on the network in one central location.
NOTE
The dump file can be quite large, the size of the physical memory plus a header, so saving the file might take a considerable amount of time and require a significant amount of available disk space. Be sure you have plenty of free disk space in the configured location. It should be at least as big as the total memory of the system.
If no location is specified, the dump file is written to the /var/crash/ directory, which must exist on a mounted filesystem. The following alternate location types can be set in /etc/kdump.conf:
CAUTION
If you modify the contents of /etc/kdump.conf after Kdump is already running, be sure to enable the changes by executing the service kdump restart command.
Dedicated partition: The partition should be formatted but not mounted. The /var/crash/<date>/ directory is created on the partition, and the core dump file is written to that directory. Multiple dump files can be written to the partition, assuming it has enough disk space. Specify the filesystem type of the partition (acceptable types are ext2, ext3, vfat, msdos, and cramfs) as well as the partition device name, disk label, or UUID:
<fstype> <partition>
Some examples include the following:
ext3 /dev/sda5
ext3 LABEL=kdump
vfat UUID=b97e45eb-6610-4a3b-ad27-6cab8e7f2faf
Raw disk partition: The partition should exist on the local system, but it should not be formatted. When a crash occurs, the dump file is written to the raw partition using the dd utility. Only one dump file can be kept on the raw partition at a time. In kdump.conf, replace <partition> with the partition device name, such as /dev/sda5:
raw <partition>
NFS mounted filesystem: The NFS server must accept connections from the system and allow the root user of the crashed system to write to it. The NFS share does not have to be mounted; it is mounted before the dump file is written. If a hostname is used as the server name, the system must be able to resolve it to an IP address, or an IP address can be used directly.
Each dump file is written to /var/crash/<host>-<date>/ in the specified NFS shared directory. The hostname of the crashed system and the date are used in the directory path so that the server can store multiple dump files, assuming enough disk space is available. Replace the NFS server and directory name, such as fileserver.example.com:/kdump:
net <nfsserver>:<nfsdir>
Remote SSH filesystem: The SSH server must accept connections from the system, and SSH keys must be set up for the SSH user provided. After configuring SSH keys for the user as discussed in Chapter 17, "Securing Remote Logins with OpenSSH," execute the service kdump propagate command as the root user to enter the SSH passphrase and allow the specified user to transfer files to the SSH server without being prompted for a password or passphrase.
Because this user now has SSH access to the server without having to enter a password, use a dedicated SSH user for Kdump. The user should only have permission to write to the designated directory for saving dump files. The scp utility is used for the transfer.
Each dump file is written to /var/crash/<host>-<date>/ in the specified shared directory on the SSH server. The hostname of the crashed system and the date are used in the directory path so that the server can store multiple dump files, assuming enough disk space is available. Replace the username and the server name, such as kdump@fileserver.example.com:
net <user@server>
For all of these location options except the raw partition, the path option in kdump.conf determines the directory path appended to the end of the chosen location. If a path is not set, the core file is saved in the /var/crash/ directory inside the chosen location. To change this directory, add the following line to /etc/kdump.conf:
path <directory>
Additional Kdump Options
Two more options exist in the /etc/kdump.conf file:
Compression and filtering: Use the makedumpfile program included with the kexec-
tools package to compress or filter the core dump file. Compression can greatly
decrease the size of the dump file, which is useful for systems with limited disk
space or network transfers. It cannot be used if the save location is a raw partition or
a remote SSH filesystem. After specifying a location in /etc/kdump.conf, add the
following line (execute the makedumpfile -h command to view a list of options):
core_collector makedumpfile <options>
Default action: If Kdump is configured to save to the local filesystem, the system
reboots after saving the file, regardless of whether the save was successful or not. If
any of the other save locations fails, Kdump tries to save to the local filesystem and
then reboots. If you want Kdump to skip trying to save to the local filesystem
after it fails to write to a different location, add the following line to the end of
/etc/kdump.conf:
default <action>
Replace <action> with reboot to reboot the system after failing or shell so that you
can try to save the dump file manually.
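The location and option rules above can be checked before the service is restarted. The following is an added example, not code from the book: it assumes the RHEL 5 directive syntax (net <host>:<dir> for NFS, net <user>@<host> for SSH, raw <device>, ext3 <partition>, path, core_collector and default) and the constructed sample configuration embedded at the bottom.

```shell
#!/bin/sh
# Added example (not from the book): lint /etc/kdump.conf against the rules
# in this section before running "service kdump restart". Assumes the RHEL 5
# directive syntax: "net <host>:<dir>" (NFS), "net <user>@<host>" (SSH),
# "raw <device>", "ext3 <partition>", "path <dir>",
# "core_collector makedumpfile <options>" and "default <action>".
# Prints one finding per line; returns 1 if any finding is an error.

kdump_conf_lint() {
    kl_location=local; kl_sshuser=""; kl_collector=""; kl_rc=0

    while read -r kl_key kl_value; do
        case "$kl_key" in
            ''|'#'*) continue ;;                      # blank line or comment
            net)
                case "$kl_value" in
                    *@*) kl_location=ssh; kl_sshuser=${kl_value%%@*} ;;
                    *:*) kl_location=nfs ;;
                    *)   echo "error: net '$kl_value' is neither host:dir nor user@host"
                         kl_rc=1 ;;
                esac ;;
            raw)            kl_location=raw ;;
            ext2|ext3|ext4) kl_location=partition ;;
            core_collector) kl_collector=$kl_value ;;
            default)
                case "$kl_value" in
                    reboot|shell) ;;
                    *) echo "error: default '$kl_value' must be reboot or shell"
                       kl_rc=1 ;;
                esac ;;
        esac
    done < "$1"

    # makedumpfile compression/filtering is unusable with raw or SSH targets
    if [ -n "$kl_collector" ]; then
        case "$kl_location" in
            raw|ssh) echo "error: core_collector cannot be used with a $kl_location location"
                     kl_rc=1 ;;
        esac
    fi
    # the key is passphrase-less after "propagate": use a dedicated, write-only user
    if [ "$kl_location" = ssh ] && [ "$kl_sshuser" = root ]; then
        echo "warning: SSH target runs as root; use a dedicated kdump user"
    fi
    echo "location: $kl_location"
    return "$kl_rc"
}

# Constructed sample configuration (two findings) used when run stand-alone.
kl_sample=$(mktemp)
cat > "$kl_sample" <<'EOF'
# dump over SSH as root and compress
net root@fileserver.example.com
path /var/crash
core_collector makedumpfile -c
default shell
EOF
kdump_conf_lint "$kl_sample" || echo "fix /etc/kdump.conf before restarting kdump"
rm -f "$kl_sample"
```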
CHAPTER 21 Monitoring and Tuning the Kernel 438
Starting and Stopping the Kdump Service
After dedicating memory for the secondary kernel started with Kexec and setting the
location in which to save the dump file, start the Kdump service as root:
service kdump start
NOTE
Each time Kdump is started, the options from /etc/sysconfig/kdump are used, such
as any additional command-line options to pass to the kernel. For most cases, this file
does not need to be modified. The file contains comments describing each option
should you need to modify them.
Other commands include (use with service kdump <command>):
stop: Stop the Kdump service.
status: Determine whether or not the Kdump service is running.
restart: Stop and start the Kdump service. Must be used to enable changes to the
/etc/kdump.conf file.
condrestart: If and only if the Kdump service is already running, restart it.
propagate: If an SSH server is configured in /etc/kdump.conf as the remote location
on which to save the dump file, this command must be run to enter the passphrase
so the given user can transfer the dump file without being prompted for a
passphrase or password.
To have Kdump start at boot time, execute the following as root:
chkconfig kdump on
Activating Kdump with a Graphical Application
Red Hat Enterprise Linux also includes a graphical program for configuring Kdump. Start
it by selecting Administration, Kdump from the System menu on the top panel of the
desktop or by executing the system-config-kdump command. If you are a non-root user,
you are prompted for the root password to continue.
As you can see from Figure 21.1, all the previously discussed options can be set, starting
with the amount of reserved memory. Click the Edit Location button to select a location
other than the default /var/crash/ directory. The Default Action pulldown menu is
equivalent to the default option in kdump.conf previously described in the "Additional
Kdump Options" section. The Core Collector field is equivalent to the core_collector
option while the Path field is equivalent to the path option that lets you set a different
directory to append to the selected location. Both of these options were also discussed in
the previous section "Additional Kdump Options." The Core Collector and Path options
will only accept input if they can be used with the selected location.
FIGURE 21.1 Kdump Graphical Configuration
Click OK to save the changes to the Kdump configuration file and the GRUB boot loader
configuration file. If you just enabled Kdump or changed the amount of reserved
memory, a message appears reminding you that you must reboot the system for the
changes to take effect. This allows the set amount of memory to be reserved for the
secondary kernel should a crash occur.
Testing Kdump
Because it is difficult to know whether Kdump is working before you have a kernel crash,
there is a way to force a kernel crash:
echo c > /proc/sysrq-trigger
As soon as the command is executed, there should be a panic, and the system should be
unresponsive. Then, the system should restart into the second kernel using Kexec.
Because Kexec is used, you will not see the BIOS or GRUB boot screen. After the dump file
is created and saved, the system is rebooted into the normal kernel. This time you will see
the BIOS and GRUB screens. Depending on how big your system memory is, this entire
process might take a while.
Refer to the next section "Analyzing the Crash" to learn how to gather information from
this dump file.
Analyzing the Crash
The location of the dump file depends on the location you selected in /etc/kdump.conf.
If no location is set in kdump.conf, the vmcore file is written to the /var/crash/<date>/
directory. If the location is set to a partition, the vmcore file can be found in the
/var/crash/<date>/ directory inside the directory in which the partition is mounted.
If a network location (NFS or SSH) is configured, the vmcore file is transferred to the
/var/crash/<host>-<date>/ directory inside the directory specified along with the
network server name. If a raw partition is used, the contents of the core dump are located
on the raw partition. Remember that if an alternate directory is set with the path variable,
the /var/crash/ directory in these locations should be replaced with this different
directory.
After a vmcore file is created, it can be interactively analyzed with the crash program.
Make sure you have the crash RPM installed to use it. The vmlinux file for the kernel is
also required to use crash. It is provided by the kernel-debuginfo package. A kernel-
debuginfo package exists for each kernel version, so be sure to install the correct version.
It is available via FTP from the ftp.redhat.com FTP server. After logging in as an
anonymous user, change into the pub/redhat/linux/enterprise/<version>/en/os/<arch>/
Debuginfo/ directory, replacing <version> and <arch> with the appropriate values for
your system such as 5Server for the <version> and x86_64 for the <arch>. You can also
view the list of packages by visiting http://ftp.redhat.com/ in a web browser.
To start analyzing the file, execute the command crash <vmlinux> <vmcore> as the root
user. Be sure to use the full path to the <vmcore> if it is not in the current directory
(replace <kernel-version> with the kernel version that was running when the crash
occurred):
crash /usr/lib/debug/lib/modules/<kernel-version>/vmlinux vmcore
Starting the utility displays the output from Listing 21.5.
LISTING 21.5 Starting the crash Utility
crash 4.0-3.11
Copyright 2002, 2003, 2004, 2005, 2006  Red Hat, Inc.
Copyright 2004, 2005, 2006  IBM Corporation
Copyright 1999-2006  Hewlett-Packard Co
Copyright 2005  Fujitsu Limited
Copyright 2005  NEC Corporation
Copyright 1999, 2002  Silicon Graphics, Inc.
Copyright 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions.  Enter "help copying" to see the conditions.
This program has absolutely no warranty.  Enter "help warranty" for details.

GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu"...

      KERNEL: /usr/lib/debug/lib/modules/2.6.18-1.2747.el5/vmlinux
    DUMPFILE: vmcore
        CPUS: 2
        DATE: Fri Jan 12 15:31:26 2007
      UPTIME: 00:04:20
LOAD AVERAGE: 0.31, 0.31, 0.14
       TASKS: 168
    NODENAME: myhostname
     RELEASE: 2.6.18-1.2747.el5
     VERSION: #1 SMP Thu Nov 9 18:52:11 EST 2006
     MACHINE: x86_64  (2400 Mhz)
      MEMORY: 2 GB
       PANIC: "SysRq : Trigger a crashdump"
         PID: 4254
     COMMAND: "bash"
        TASK: ffff81007fb02040  THREAD_INFO: ffff810060036000
         CPU: 0
       STATE: TASK_RUNNING (SYSRQ)

crash>
After you receive the crash> prompt, you can execute any of the crash commands listed
in the man page (execute man crash to view) to analyze the vmcore file. For example, the
vm command shows basic virtual memory information, and the bt command shows the
backtrace. The information shown for each of these commands is what was stored in
memory at the time of the system crash.
TIP
At the crash> prompt, type help at any time to display a list of commands. You can
also type help <command> to display help for a specific command.
The default editor used when in a crash session is Vi. To change to the Emacs editor,
create a .crashrc file in your home directory with the following line:
set emacs
This setting must be configured per user. To specifically set Vi as the editor during the
crash session, include the following line in a .crashrc file in your home directory:
set vi
Setting SMP IRQ Affinity
If you have ever explored your system's BIOS or reviewed your system's configuration,
you have probably noticed that hardware such as the Ethernet card or the sound card is
assigned an IRQ. This IRQ allows the hardware to send event requests to the processor or
processors in the system. When the hardware sends a request, it is called an interrupt.
For multi-processor systems, the Linux kernel balances interrupts across processors
according to the type of requests. It is possible to configure the kernel to send interrupts
from a specific IRQ to a designated processor or group of processors. This concept is
known by the Linux kernel as SMP IRQ affinity. First, determine which IRQs are being
used and by what hardware from the /proc/interrupts file.
CAUTION
Be extremely careful when using SMP IRQ affinity. Assigning too many interrupts to a
single processor can cause a performance degradation. In most cases, the IRQ balancing
done by the kernel is the most optimal solution.
In our example /proc/interrupts file as shown in Listing 21.6, the first column is a list
of used IRQs, and the next two columns represent the number of interrupts sent to each
processor. SMP IRQ affinity is only possible with interrupts on the IO-APIC controller,
which is displayed in the second to last column. The last column is the kernel module or
device associated with the IRQ.
LISTING 21.6 Example /proc/interrupts
           CPU0       CPU1
  0:   10293911   10289264    IO-APIC-edge  timer
  1:       3958       4135    IO-APIC-edge  i8042
  8:          3          0    IO-APIC-edge  rtc
  9:          0          0   IO-APIC-level  acpi
 14:     148702     149207    IO-APIC-edge  ide0
 50:       6967       6924   IO-APIC-level  uhci_hcd:usb1, ehci_hcd:usb5
 58:        171          0   IO-APIC-level  HDA Intel
 66:    6222841          0         PCI-MSI  eth0
169:          0          0   IO-APIC-level  uhci_hcd:usb4
177:          0          0   IO-APIC-level  libata
225:          3          0   IO-APIC-level  uhci_hcd:usb3, ohci1394
233:      95803      90174   IO-APIC-level  libata, uhci_hcd:usb2
NMI:          0          0
LOC:   20654428   20654427
ERR:          0
MIS:          0
Each IRQ being used has its own directory in /proc/irq/, where the directory name is the
IRQ number, and each of these directories has a file named smp_affinity in it. Each of
these smp_affinity files contains a bitmask in hexadecimal format, representing
which processor or processors to send interrupts to.
This bitmask contains eight hexadecimal digits, each representing four processors. The first
four processors are represented by the right-most digit, the second four processors are
represented by the digit to the left of that, and so on, for a total of 32 processors.
In hex notation, the digits 0 through 9 represent the decimal numbers 0 through 9,
and the digits a through f represent the decimal numbers 10 through 15. To determine
the hexadecimal digit for each processor, its binary number must be converted to hex.
Table 21.4 shows the binary to hex conversion.
TABLE 21.4 Binary to Hex Conversion
Processor Number    Binary    Hex
1                   0001      1
2                   0010      2
3                   0100      4
4                   1000      8
When setting SMP IRQ affinity, add the hexadecimal values of two or more processors if
you want to assign more than one processor to an IRQ. For example, to represent the first
and fourth processors, adding the hex numbers 1 and 8 results in the hex number 9.
Adding hex numbers 4 and 8 for the third and fourth processors results in hex number c.
All four processors are represented by the hex number f.
To set the SMP IRQ affinity for a specific interrupt, use the echo command to change the
value of /proc/irq/<irqnum>/smp_affinity. In Listing 21.6, the Ethernet controller uses
IRQ 66. Using the cat /proc/irq/66/smp_affinity command shows all Ethernet
controller interrupts are sent to the first processor. To send interrupts to both processors
(hex 1 for the first plus hex 2 for the second), use the following command:
echo 3 > /proc/irq/66/smp_affinity
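The procedure above (read /proc/interrupts, build the mask, write it to smp_affinity) as an added shell example that is not from the book. The helpers generalize Table 21.4 to any processor number; the /proc/interrupts text embedded below is a constructed sample with the same layout as Listing 21.6, and set_irq_affinity takes an optional root directory so it can be exercised without touching /proc.

```shell
#!/bin/sh
# Added example (not from the book): helpers for the SMP IRQ affinity procedure.
# cpu_mask turns processor numbers (counted from 0, as taskset does) into the
# hexadecimal smp_affinity bitmask; irq_for_device finds the IRQ a device uses
# in /proc/interrupts; set_irq_affinity writes the mask. The /proc/interrupts
# sample at the bottom is constructed and mirrors Listing 21.6.

# cpu_mask CPU... -> hex mask, e.g. "cpu_mask 0 3" prints 9 (1 + 8)
cpu_mask() {
    cm_mask=0
    for cm_cpu in "$@"; do
        cm_mask=$(( cm_mask | (1 << cm_cpu) ))   # one bit per processor
    done
    printf '%x\n' "$cm_mask"
}

# irq_for_device DEVICE  (reads /proc/interrupts on stdin)
# Prints the IRQ number whose device list names DEVICE and whose controller
# column is IO-APIC or MSI; prints nothing for NMI/LOC/ERR/MIS or no match.
irq_for_device() {
    awk -v dev="$1" '
        /^ *[0-9]+:/ {
            irq = $1; sub(/:$/, "", irq)
            i = 2
            while (i <= NF && $i ~ /^[0-9]+$/) i++      # skip per-CPU counts
            ctrl = $i                                    # e.g. IO-APIC-edge
            if (ctrl !~ /IO-APIC|MSI/) next
            for (j = i + 1; j <= NF; j++) {
                name = $j; sub(/,$/, "", name)          # strip list comma
                if (name == dev) { print irq; exit }
            }
        }'
}

# set_irq_affinity IRQ MASK [PROCROOT] -> writes MASK to
# PROCROOT/irq/IRQ/smp_affinity (PROCROOT defaults to /proc; root needed there)
set_irq_affinity() {
    sia_file="${3:-/proc}/irq/$1/smp_affinity"
    [ -w "$sia_file" ] || { echo "cannot write $sia_file" >&2; return 1; }
    echo "$2" > "$sia_file"
}

# Constructed sample (same layout as Listing 21.6), used when run stand-alone.
SAMPLE_INTERRUPTS='           CPU0       CPU1
  0:   10293911   10289264    IO-APIC-edge  timer
  1:       3958       4135    IO-APIC-edge  i8042
 66:    6222841          0         PCI-MSI  eth0
233:      95803      90174   IO-APIC-level  libata, uhci_hcd:usb2
NMI:          0          0
LOC:   20654428   20654427'

sample_irq=$(printf '%s\n' "$SAMPLE_INTERRUPTS" | irq_for_device eth0)
echo "eth0 is IRQ $sample_irq; mask for both processors: $(cpu_mask 0 1)"
```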
The taskset utility allows administrators to configure SMP IRQ affinity for a specific
process by process ID (pid). Use the ps or top command to determine the pid of a process.
To determine the SMP IRQ affinity for a running process, use the following command:
taskset -p <pid>
To set the SMP IRQ affinity for a running process:
taskset -p <bitmask> <pid>
To start a process with a specific SMP IRQ affinity:
taskset <bitmask> <command>
For the last two commands, instead of using the bitmask, the -c <cpulist> option can be
used to specify the processors, where <cpulist> is a comma-separated list of processor
numbers. The numbering starts at 0. So, 0 represents the first processor, 1 represents the
second processor, and so on. A hyphen can be used to list sequential processor numbers
such as 2-4.
Enabling NMI Watchdog for Locked Systems
If you are experiencing hard system locks where the computer, even the keyboard, stops
responding, it can be quite frustrating and difficult to diagnose. However, if you have an
x86 or x86_64 system with an APIC (Advanced Programmable Interrupt Controller), you
most likely have a system capable of producing NMIs (Non-Maskable Interrupts) even if
the system seems locked and unresponsive. The kernel can execute these interrupts and
generate debugging information about the locked system.
NOTE
NMI watchdog and OProfile (discussed in Chapter 22, "Monitoring and Tuning
Applications") cannot be run simultaneously. OProfile will automatically disable NMI
watchdog if it is enabled when the OProfile daemon is started.
NMI watchdog has two modes:
Local APIC: capable of generating inter-processor interrupts and external processor
interrupts
I/O APIC: capable of producing interrupts from I/O buses and redirecting them to
the local APIC
To enable profiling and NMI watchdog, add the profile=2 and nmi_watchdog=1 boot options
to the kernel line of the /etc/grub.conf boot loader configuration file for the default
boot stanza being used as shown in Listing 21.7. The kernel line has been divided into
two lines with a backward slash (\) for printing purposes. The content should be all on
one line in your configuration file.
LISTING 21.7 Enabling Profiling and NMI Watchdog
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.17-1.2174smp)
        root (hd0,0)
        kernel /vmlinuz-2.6.17-1.2174smp ro root=/dev/sda1 rhgb \
        quiet profile=2 nmi_watchdog=1
        initrd /initrd-2.6.17-1.2174smp.img
Setting nmi_watchdog to 1 enables I/O APIC. To enable local APIC instead, set its value to
2. To verify that NMI watchdog and profiling are enabled, make sure the /proc/profile
file exists.
How does NMI watchdog work? A lockup is defined as the processor not executing the
local timer interrupt more than 5 seconds from the last timer interrupt. If a lockup
occurs, the NMI handler generates a kernel oops, writes debug messages, and kills the
process causing the lockup. If the lockup is so bad an NMI interrupt can't be issued or the
kernel can't write debug messages, NMI watchdog cannot work.
Local APIC works with the cycles unhalted processor event, meaning that it can only be
triggered to write debug messages if the processor is not idle. If a system lockup occurs
while the processor is idle, watchdog will not be triggered. On the other hand, the I/O
APIC works with events outside the processor, but its frequency is higher, which can
cause more impact on the overall performance of the system.
The /proc/profile file is not written in a human-readable format. The readprofile
utility must be used to read the data. The System.map file for the currently running kernel
must be specified with the -m <map> option such as the following:
readprofile -m /boot/System.map-`uname -r`
TIP
The output can be quite lengthy. To redirect the output to a file, append > filename.txt
to the end of the command as follows:
readprofile -m /boot/System.map-`uname -r` > filename.txt
If no other options are passed to the command, the output is in three columns: the
number of clock ticks, the name of the C function in the kernel where those clock ticks
occurred, and the normalized load of the procedure as a ratio of the number of ticks to
the procedure length. Table 21.5 describes the available command-line options.
TABLE 21.5 Command-Line Options for readprofile
Command-Line Option    Description
-m <map>               Provide the location of the System.map file for the running kernel.
-i                     Output the profiling step used by the kernel. Use with -t to only
                       print the number.
-a                     List symbols in map file.
-b                     List the individual histogram-bin counts.
-r                     Reset the profiling buffer /proc/profile. Because only root can
                       write to the file, this option can only be executed as root.
-M <multiplier>        Set the frequency at which the kernel sends profiling interrupts to
                       the processor. Frequency should be set as a multiplier of the
                       system clock frequency, which is in Hertz. Resets the buffer file
                       as well. Only executable by root. Not available on all processors.
-v                     Display verbose output in four columns instead of three. The four
                       columns, in the order in which they appear, are the RAM address
                       of the kernel function, the name of the C function in the kernel
                       where the clock ticks occurred, the number of clock ticks, and the
                       normalized load of the procedure as a ratio of the number of
                       ticks to the procedure length.
-p <file>              Use <file> instead of the default /proc/profile buffer file. For
                       example, the kernel profile at a specific point in time can be
                       saved by copying /proc/profile to a different file. Then, the
                       data can be analyzed later.
-V                     Output the version of readprofile.
The output can be further customized by piping the results through shell utilities such as
sort, head, tail, grep, and less. For example, to sort the output by the number of clock
ticks, list the highest numbers first:
readprofile -m /boot/System.map-`uname -r` | sort -nr
Or, to search for a specific function name:
readprofile -m /boot/System.map-`uname -r` | grep <function-name>
Profiling with SystemTap
Recently, kprobes, or kernel dynamic probes, have been added to the kernel. These probes
allow you to add probes into the kernel for system diagnostics as a kernel module instead
of having to modify the kernel source code before recompiling the kernel.
Since then, a project called SystemTap has been started to create a command-line
interface and scripting language for kprobes, making it easier to use.
CAUTION
SystemTap is still in development and rapidly changing. It may not be available on all
architectures. This section discusses how to get started and how to find the latest
information on it. SystemTap is not ready for production systems and is subject to
change during its development.
To use SystemTap, you need to install the following packages: systemtap, kernel-
debuginfo, and kernel-devel. Refer to Chapter 3 for details on installing additional software.
The debuginfo packages are not available from RHN. They can be downloaded via FTP
from the ftp.redhat.com FTP server. After logging in as an anonymous user, change into
the pub/redhat/linux/enterprise/<version>/en/os/<arch>/Debuginfo/ directory,
replacing <version> and <arch> with the appropriate values for your system. You can also
view the list of packages by visiting http://ftp.redhat.com/ in a web browser, but it is
recommended that you use an FTP client to download the files.
To configure kernel probes with SystemTap, you need to write a script using the
SystemTap scripting language, which is similar to the Awk scripting language. When
saving the script, save it as a text file with the .stp file extension. The functions available
are defined in the stapfuncs man page accessible with the man stapfuncs command. The
probe points available for monitoring can be viewed with the man stapprobes command.
Example scripts can be studied with the man stapex command and at http://www.
sourceware.org/systemtap/documentation.html.
After writing the script, as root, execute the following command:
stap <custom_script>
The stap program reads the script, converts it to a program written in the C language,
compiles the C code into a kernel module, and loads the kernel module. This module is
used to gather information about the probes. For more details about the stap program,
refer to its man page with the man stap command. The script will run until the user stops
it or if the exit() function is called in the script. By default, output from the script is
displayed to the command line on which the stap command was executed.
Summary
The kernel controls many aspects of the operating system. It can be probed to determine
the state of the various subsystems such as the amount of available memory and what
processors are assigned to answer IRQ requests from specific hardware devices. While the
kernel tries to manage the operating system as efficiently and fast as possible, its
algorithms are designed to work for all types of systems. Some of the kernel management
decisions can be tuned so they work better for your system's usage and load. Use this
chapter to find out more about how your kernel works and if it can be tuned better for
any of your systems. Remember to always test your kernel tweaks before modifying the
kernel on a production system. Setting some kernel parameters to incorrect values can
cause a slow down in performance or, in some cases, can cause the system to become
unresponsive or lock up.
IN THIS CHAPTER
OProfile
Valgrind
Additional Programs to
Consider
CHAPTER 22
Monitoring and Tuning
Applications
Chapter 20, "Monitoring System Resources," covered
monitoring and tuning system resources, and Chapter 21,
"Monitoring and Tuning the Kernel," discussed monitoring
and tuning the kernel, but Part V, "Monitoring and
Tuning," would not be complete without discussing
application tuning. Because this is a book for administrators,
this chapter explains in detail two programs for tuning
applications, OProfile and Valgrind, which can also be
beneficial for administrators. It also provides brief
overviews of additional application tuning programs for
those interested.
OProfile
OProfile accesses the performance monitoring hardware on
the system's processor if available to gather performance-
related data, which can then be used to identify areas for
improvement.
To use OProfile, the oprofile RPM package must be
installed. It can be installed via RHN as described in
Chapter 3, "Operating System Updates." The kernel-
debuginfo package must also be installed to adequately
collect data from the kernel. It is available via FTP from the
ftp.redhat.com FTP server. After logging in as an
anonymous user, change into the /pub/redhat/linux/enterprise/
<version>/en/os/<arch>/Debuginfo/ directory, replacing
<version> and <arch> with the appropriate values for your
system. You can also view the list of packages by visiting
http://ftp.redhat.com/ in a web browser, but it is
recommended that you download any files using an FTP client
instead.
Setting Up OProfile
All OProfile commands must be run as the root user except the opcontrol --dump,
opcontrol --list-events, and ophelp commands. Before each profile creation, make
sure OProfile is not already running by executing the following command as root:
opcontrol --shutdown
Also clear any previous data:
opcontrol --reset
Provide the kernel to profile and set up the OProfile environment (vmlinux comes from
kernel-debuginfo):
opcontrol --setup --vmlinux=/usr/lib/debug/lib/modules/`uname -r`/vmlinux
In addition to specifying the vmlinux file to use, this command loads the oprofile kernel
module and sets up the /dev/oprofile/ directory. To verify that the kernel module is
loaded, run the command lsmod | grep oprofile. At this point, the /root/.oprofile/
daemonrc file is created (or modified if it already exists) to save the settings as shown in
Listing 22.1. As settings are changed as discussed later in this chapter, the values in this
file are changed as well so they can be used for subsequent uses of OProfile.
LISTING 22.1 Default OProfile Settings
NR_CHOSEN=0
SEPARATE_LIB=0
SEPARATE_KERNEL=0
SEPARATE_THREAD=0
SEPARATE_CPU=0
VMLINUX=/usr/lib/debug/lib/modules/2.6.18-1.2747.el5/vmlinux
IMAGE_FILTER=
CPU_BUF_SIZE=0
CALLGRAPH=0
KERNEL_RANGE=c0400000,c0612de1
XENIMAGE=none
Setting Up Events to Monitor
Use the following command to determine the CPU type being used by OProfile:
cat /dev/oprofile/cpu_type
It displays the processor type such as i386/p4 or i386/core_2. If timer is displayed, the
processor does not have performance monitoring hardware, so the timer interrupt is
being used.
The performance monitoring hardware on the processor contains counters, and the
number of counters available depends on the processor type. The number of events that
can be monitored by OProfile depends on the number of counters, and in some cases,
certain events can only be monitored by a specific counter. If the timer interrupt is used
by OProfile, the number of counters is 1.
Execute the ophelp command (equivalent to opcontrol --list-events) to display a list
of available events for the system's processor type. The ophelp output is processor-specific
and varies from system to system. If specific counters must be used for the event, they are
listed with the event. For example, Listing 22.2 shows the MEMORY_COMPLETE event for an
i386/p4 processor, which must be profiled with counters 2 and 6.
LISTING 22.2 Counter-Specific Event
MEMORY_COMPLETE: (counter: 2, 6)
        completed split (min count: 3000)
        Unit masks (default 0x3)
        ----------
        0x01: load split completed, excluding UC/WC loads
        0x02: any split stores completed
        0x04: uncacheable load split completed
        0x08: uncacheable store split complete
If any counter can be used, the keyword all is used for the counter numbers as shown in
Listing 22.3 for the MEMORY_DISAMBIGUATION event on an i386/core_2 processor.
LISTING 22.3 Event That Can Be Profiled with All Counters
MEMORY_DISAMBIGUATION: (counter: all)
        Memory disambiguation reset cycles. (min count: 1000)
        Unit masks (default 0x1)
        ----------
        0x01: RESET Memory disambiguation reset cycles.
        0x02: SUCCESS Number of loads that were successfully disambiguated.
For each counter available, the following command can be used to associate an event with it:
opcontrol --event=<name>:<sample-rate>:<unit-mask>:<kernel>:<user> \
--separate=<option>
The arguments for the command are as follows:
--event=<name> sets which event to profile. Use the ophelp command to list
available events for the system along with brief descriptions for each.
<sample-rate> is the number of events between sampling. The lower the number,
the more samples taken. Use caution when setting the sample rate. If it is set too
low, sampling might occur too frequently and slow down the system or make the
system appear unresponsive.
<unit-mask> might be necessary for the event profiled. The unit masks for each
event are listed with the events from the ophelp list. If the timer counter is used, a
unit mask is not required.
<kernel> set to 1 means that samples will be taken from kernel-space. If set to 0,
kernel-space samples are not gathered.
<user> set to 1 means that samples will be taken from user-space. If set to 0,
user-space samples are not gathered.
--separate=<option> argument can be used to separate kernel and library samples.
The following options are available:
none: Kernel and library profiles are not separated (default).
library: Separate library samples with the applications they are associated
with (recommended).
kernel: Separate kernel and kernel module samples with the applications they
are associated with.
all: Equivalent to specifying both library and kernel.
For example, to monitor the CPU_CLK_UNHALTED event with a sample rate of 950000 and
unit mask of 0 in both the kernel- and user-space, showing library samples with the
applications using them, execute the following command:
opcontrol --event=CPU_CLK_UNHALTED:950000:0:1:1 --separate=library
The settings in /root/.oprofile/daemonrc are modified accordingly after specifying an
event and options related to the event. If an event is not specified with the opcontrol
command, the default event for the processor type is used. Table 22.1 shows the default
event for some of the processor types. These defaults are all time-based events. The
default event can also be retrieved with the following command:
ophelp -d -c <cpu_type>
Replace <cpu_type> with the processor type from the cat /dev/oprofile/cpu_type
command. You can also combine these commands to get the default event:
ophelp -d -c `cat /dev/oprofile/cpu_type`
TABLE 22.1 Default Processor Events
Processor                                             Default Event
Intel Pentium Pro, Pentium II, Pentium III, AMD       CPU_CLK_UNHALTED
Athlon, AMD64, Core2 Duo
Pentium 4 (HT and non-HT)                             GLOBAL_POWER_EVENTS
Intel Itanium and Itanium 2                           CPU_CYCLES
ppc64/power4                                          CYCLES
ppc64/power5                                          CYCLES
ppc64/970                                             CYCLES
ppc64/power5+                                         CYCLES
Starting OProfile
Finally, to start the sampling process, execute the following as root:
opcontrol --start
The settings from /root/.oprofile/daemonrc are used, and the daemon oprofiled is
started. The output should look similar to Listing 22.4.
LISTING 22.4 Starting OProfile
Using default event: CPU_CLK_UNHALTED:100000:0:1:1
Using 2.6+ OProfile kernel interface.
Reading module info.
Using log file /var/lib/oprofile/oprofiled.log
Daemon started.
Profiler running.
Gathering the Samples
The samples collected are written to the /var/lib/oprofile/samples/ directory, and
/var/lib/oprofile/oprofiled.log is used as the log file for the daemon.
To force the sample data to be written, use the following command as root:
opcontrol --save=<name>
The /var/lib/oprofile/samples/<name>/ directory is created, and the sample data is
written to the directory.
Analyzing the Samples
Before analyzing the samples in the /var/lib/oprofile/samples/ directory, make sure all
data has been written out by executing the following command as root (data is flushed to
the /var/lib/oprofile/samples/current/ directory):
opcontrol --dump
After running the OProfile daemon to collect your data and writing the data to disk,
OProfile can be stopped by executing the following command as root:
opcontrol --stop
When OProfile is stopped, the daemon is stopped, meaning that it stops collecting
samples. Reports can also be generated while the daemon is running if you need to collect
samples at set intervals.
Two tools, opreport and opannotate, can be used to analyze the OProfile samples. The
exact executables used to generate the samples must be used with these tools to analyze
the data. If they need to be changed after collecting the data, back up the executables
with the sample data before updating the executables on the system.
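The setup, event, start, dump and stop steps above, scripted end to end as an added example (not from the book). build_event_spec validates the five colon-separated fields of the --event argument; MIN_SAMPLE_COUNT is this example's own guard against the overly frequent sampling the text warns about (ophelp prints each event's real minimum), and oprofile_session assumes the kernel-debuginfo vmlinux path shown earlier and must be run as root.

```shell
#!/bin/sh
# Added example (not from the book): one OProfile session scripted in the order
# this section describes. build_event_spec checks the five colon-separated
# fields before they reach opcontrol; MIN_SAMPLE_COUNT is this example's own
# guard against a sample rate low enough to slow the system (ophelp prints each
# event's real minimum). oprofile_session assumes the vmlinux path from
# kernel-debuginfo shown above and must run as root.

MIN_SAMPLE_COUNT=1000

# build_event_spec NAME COUNT UNITMASK KERNEL USER -> NAME:COUNT:UNITMASK:KERNEL:USER
build_event_spec() {
    bes_name=$1 bes_count=$2 bes_mask=$3 bes_kernel=$4 bes_user=$5
    case "$bes_name" in
        ''|*[!A-Z0-9_]*) echo "bad event name '$bes_name'" >&2; return 1 ;;
    esac
    case "$bes_count" in
        ''|*[!0-9]*) echo "sample count '$bes_count' is not a number" >&2; return 1 ;;
    esac
    if [ "$bes_count" -lt "$MIN_SAMPLE_COUNT" ]; then
        echo "sample count $bes_count below $MIN_SAMPLE_COUNT: too frequent" >&2
        return 1
    fi
    case "${bes_mask#0x}" in                   # decimal or 0x-prefixed hex
        ''|*[!0-9a-fA-F]*) echo "bad unit mask '$bes_mask'" >&2; return 1 ;;
    esac
    case "$bes_kernel$bes_user" in             # each flag is 0 or 1
        00|01|10|11) ;;
        *) echo "kernel/user flags must be 0 or 1" >&2; return 1 ;;
    esac
    printf '%s:%s:%s:%s:%s\n' "$bes_name" "$bes_count" "$bes_mask" "$bes_kernel" "$bes_user"
}

# oprofile_session EVENT_SPEC COMMAND... -> profile COMMAND and print a report
oprofile_session() {
    os_spec=$1; shift
    opcontrol --shutdown                                  # no stale daemon
    opcontrol --reset                                     # discard old samples
    opcontrol --setup --vmlinux=/usr/lib/debug/lib/modules/"$(uname -r)"/vmlinux
    opcontrol --event="$os_spec" --separate=library
    opcontrol --start
    "$@"                                                  # the workload
    opcontrol --dump                                      # flush to samples/current/
    opcontrol --stop
    opreport                                              # per-image summary
}

# Build and print the spec used in the text; run the session only when invoked
# explicitly with a workload, for example:
#   oprofile_session "$(build_event_spec CPU_CLK_UNHALTED 950000 0 1 1)" make -j2
build_event_spec CPU_CLK_UNHALTED 950000 0 1 1
```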
Using opreport to Analyze Samples
If opreport is run without any arguments, the number of samples per executable along
with their percentages relative to the total number of samples are displayed as shown in
Listing 22.5.
LISTING 22.5 Example Output from opreport
CPU: Core 2, speed 1596 MHz (estimated)
Counted CPU_CLK_UNHALTED events (Clock cycles when not halted) with a unit mask of 0x00 (Unhalted core cycles) count 100000
CPU_CLK_UNHALT...|
  samples|      %|
------------------
  1233664 50.0256 vmlinux
   286210 11.6059 libfb.so
   150459  6.1012 libc-2.5.so
   139635  5.6623 libpthread-2.5.so
   103056  4.1790 libglib-2.0.so.0.1200.3
    41031  1.6638 libperl.so
    34991  1.4189 libsw680lx.so
    34311  1.3913 libvcl680lx.so
    29216  1.1847 dbus-daemon
    28631  1.1610 Xorg
    25432  1.0313 libuno_sal.so.3
    25125  1.0188 libdbus-1.so.3.0.0
    19195  0.7784 libgobject-2.0.so.0.1200.3
    18094  0.7337 e1000
    17945  0.7277 libpython2.4.so.1.0
    13699  0.5555 libcairo.so.2.9.2
    13477  0.5465 libgklayout.so
    12966  0.5258 libata
    12545  0.5087 oprofiled
    11922  0.4834 libmozjs.so
     9604  0.3894 libX11.so.6.2.0
     8631  0.3500 libsfx680lx.so
     8023  0.3253 libgdk-x11-2.0.so.0.1000.4
     7880  0.3195 oprofile
truncated due to length
CHAPTER 22 Monitoring and Tuning Applications 454
To further customize the report, provide the full path to an executable:
opreport <option> <executable>
The <executable> must include the full path and must be the exact executable used when collecting the samples.
The output can be customized in a variety of ways using command-line options such as opreport -a --symbols to list the symbols in addition to the default information shown. Refer to Table 22.2 for a list of command-line options for opreport.
TABLE 22.2 Command-Line Options for opreport
Command-Line Option    Description
-a    Display accumulated sample and percentage counts in the symbol list.
-g    Display source file and line number for each symbol in the symbol list.
-D <demangler>    Set <demangler> to none, smart, or normal. If set to none, there is no demangling. If set to normal, the default demangler is used. If set to smart, pattern matching is used to make symbol demangling more readable.
-c    Display call graph data if available.
-d    Display per-instruction details for selected symbols.
-x    If --separate is used, using this option excludes application-specific images for libraries, kernel modules, and the kernel.
-e <symbols>    Exclude the comma-separated list of symbols from the symbols list.
-%    Calculate percentages as percentages relative to the entire profile.
--help    Display brief usage and command-line options list.
-p <paths>    Search for binaries in the comma-separated list of directory paths.
-i <symbols>    Only include these symbols in the symbols list. List should be comma separated.
-f    Display full paths instead of just filenames.
-m <profiles>    Merge comma-separated list of profiles that were separated with --separate. List of profiles can include lib, cpu, tid, tgid, unitmask, and all.
--no-header    Don't display header.
-o <file>    Write output to <file>.
-r    Sort in the reverse order.
-w    Display the VMA address of each symbol.
-s <sort>    Sort the symbols list by method given by <sort>. <sort> can be one of the following:
    vma: Sort by symbol address.
    sample: Sort by the number of samples.
    symbol: Sort by symbol name.
    debug: Sort by debug filename and line number.
    image: Sort by binary image filename.
-l    Display per-symbol information in list instead of binary image summary.
-t <percentage>    Only display data for symbols with more than the provided percentage of total samples.
-V    Display verbose output. Useful for debugging.
-v    Display opreport version.
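As an added example (not code from the book or from the OProfile project), the following Python reads the per-image summary that opreport prints without arguments, reproduces the selection made by the -t <percentage> option from Table 22.2, and recovers the profile's total sample count from a truncated listing such as Listing 22.5; the input text is constructed for the example.

```python
"""Parse the per-image summary that opreport prints when run without arguments.

Added example for this section; it is not code from the book or from the
OProfile project. SAMPLE_OPREPORT is constructed to match the shape of
Listing 22.5 (a truncated subset of its rows).
"""
import re
from dataclasses import dataclass

SAMPLE_OPREPORT = """\
CPU: Core 2, speed 1596 MHz (estimated)
Counted CPU_CLK_UNHALTED events (Clock cycles when not halted) with a unit mask of 0x00 (Unhalted core cycles) count 100000
CPU_CLK_UNHALT...|
  samples|      %|
------------------
  1233664 50.0256 vmlinux
   286210 11.6059 libfb.so
   150459  6.1012 libc-2.5.so
   139635  5.6623 libpthread-2.5.so
    12545  0.5087 oprofiled
     7880  0.3195 oprofile
"""

# One image row: sample count, percentage of all samples, image (binary) name.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class ImageRow:
    samples: int
    percent: float
    image: str


def parse_opreport(text):
    """Return (header, rows). header carries the CPU line and the counted
    event name; rows are ImageRow objects in the order opreport printed them."""
    header = {}
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            rows.append(ImageRow(int(match.group(1)),
                                 float(match.group(2)), match.group(3)))
        elif line.startswith("CPU:"):
            header["cpu"] = line[len("CPU:"):].strip()
        elif line.startswith("Counted "):
            # "Counted <EVENT> events (...)": the event name is the second word
            header["event"] = line.split()[1]
    return header, rows


def above_threshold(rows, percentage):
    """Same selection as opreport -t <percentage>: images whose share of the
    total samples exceeds the given percentage."""
    return [row for row in rows if row.percent > percentage]


def estimated_total_samples(rows):
    """A truncated listing cannot be summed, but every row carries its own
    share of the total, so samples * 100 / percent recovers it. Use the
    largest row: its percentage has the most significant digits."""
    biggest = max(rows, key=lambda row: row.samples)
    return round(biggest.samples * 100 / biggest.percent)


def kernel_share(rows):
    """Percentage of samples attributed to the kernel image itself (vmlinux);
    modules such as libata and e1000 appear as separate images in opreport."""
    return sum(row.percent for row in rows if row.image == "vmlinux")


if __name__ == "__main__":
    header, rows = parse_opreport(SAMPLE_OPREPORT)
    print(f"event {header['event']} on {header['cpu']}")
    print(f"about {estimated_total_samples(rows)} samples in the profile")
    for row in above_threshold(rows, 5.0):
        print(f"{row.image:<24} {row.percent:7.4f}% ({row.samples} samples)")
```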
Using opannotate to Analyze Samples
The opannotate utility generates an annotated listing of the assembly or source code along with the samples. To compile an annotated list of the assembly, use the following command:
opannotate --assembly <executable>
Producing an annotated listing of the source code is possible with a similar command:
opannotate --source <executable>
However, the executable has to contain debug information. If the program is in C or C++, debug information can be created by using the -g option to gcc. By default, the software distributed with Red Hat Enterprise Linux is not compiled with debug information. However, the debug information necessary to produce meaningful output with opannotate can be installed using the associated debuginfo RPM packages. Just as the kernel-debuginfo package was installed so kernel data could be sampled, other packages have equivalent packages such as bash-debuginfo and httpd-debuginfo. The debug files from these packages are installed in the /usr/lib/debug/ directory. Again, these debuginfo packages can be downloaded from the ftp.redhat.com FTP server using anonymous login.
TIP
Refer to the opannotate man page with the man opannotate command for more command-line options such as -e <symbols> to exclude certain symbols from the list.
OProfile Review
The following is a summary of all the commands necessary to use OProfile:
Before starting OProfile each time, make sure it is shut down and clear all previous data sampled:
opcontrol --shutdown
opcontrol --reset
Set up which kernel to profile:
opcontrol --setup \
--vmlinux=/usr/lib/debug/lib/modules/`uname -r`/vmlinux
Set up which processor event to sample and whether to separate kernel and library samples:
opcontrol --event=<name>:<sample-rate>:<unit-mask>:<kernel>:<user> \
--separate=<option>
Start the OProfile daemon, which starts the sampling process:
opcontrol --start
Write the samples to disk:
opcontrol --dump
Generate a report about the samples using opreport, opcontrol, and opannotate.
After collecting all your samples, stop the daemon and the sampling process:
opcontrol --stop
Using OProfile Graphically
If the oprofile-gui RPM package is installed, you can also use a graphical program to set up OProfile, start OProfile, flush the data to disk, and stop OProfile. You will still need to use opreport, opcontrol, and opannotate to generate reports after the data is flushed to disk.
To start the graphical interface, execute the oprof_start command as the root user. On the Setup tab shown in Figure 22.1, click on one or more processor events to monitor.
FIGURE 22.1 OProfile Graphical Setup
The interface will only let you select event combinations that work for the number of counters for your processor. If an event is already selected, click it again to unselect it. As you select events, the colored circle icons next to all the events change colors. If the icon is green, the event may be selected in addition to the already selected ones. If the icon is red, the event cannot be selected in conjunction with the already selected ones.
Placing the mouse cursor over an event displays a brief description of the event at the bottom of the application window. Also notice that as you select events to monitor, you can also select the unit masks specific to the events on the right side of the window. On the right side, also select whether to profile the kernel and/or the user binaries.
On the Configuration tab as shown in Figure 22.2, provide the full path to the vmlinux file of the kernel to profile. Other configuration options available in the graphical interface include the buffer size and whether to separate the profiles per processor.
FIGURE 22.2 OProfile Graphical Configuration
After finishing the setup and configuration, click the Reset sample files button to make sure all previous sample files are cleared. Then, click Start to start collecting samples with the OProfile daemon. Clicking Flush is equivalent to the opcontrol --dump command. Data is flushed to the /var/lib/oprofile/samples/current/ directory. Be sure to flush the data before clicking Stop to stop the daemon and stop the sampling.
Valgrind
Valgrind is a set of debugging and profiling tools for detecting memory and threading problems and profiling programs to determine if their memory management can be improved. For system administrators, Valgrind is useful for analyzing frequently used programs to determine what processes are using the most memory on a system. This information can then be passed on to a development team or, if possible, the program can be replaced by one that requires less memory if necessary. Valgrind currently only works on the following architectures: x86, x86_64, ppc32, and ppc64.
To use Valgrind, start by installing the valgrind RPM package. Instructions for installing software can be found in Chapter 3, "Operating System Updates."
Valgrind includes the following tools:
Memcheck: Memory debugging tool. Detects errors in memory management as they occur, giving the source code file and line number of the erroneous code along with a stack trace of functions leading up to that line of code. When using Memcheck, programs run 10 to 30 times slower than usual.
Massif: Heap profiler. Takes snapshots of the heap and generates a graph to show heap usage over time. Also shows the program parts that allocate the most memory. When using Massif, programs run 20 times slower than usual.
Cachegrind: Cache profiler. Identifies cache misses by simulating the processor's cache. When using Cachegrind, programs run 20 to 100 times slower than usual.
Callgrind: Extension of Cachegrind. Provides all the information of Cachegrind plus data about callgraphs.
Helgrind: Thread debugger. Detects memory locations that are used by more than one thread.
For each program to be debugged or profiled by Valgrind, you will need to install the associated debuginfo package. Again, these debuginfo packages can be downloaded from the ftp.redhat.com FTP server using anonymous login. If you are debugging or profiling a C or C++ program not distributed as a Red Hat Enterprise Linux RPM package, debug information can be compiled with the -g argument to gcc.
The valgrind executable is used to invoke each of these tools with the following syntax:
valgrind <options> <program> <program-args>
The Memcheck tool is used by default if no tool is specified. To use a different tool, use the --tool=<name> option:
valgrind --tool=<name> <program> <program-args>
The Valgrind program has options available for it, and each tool has specialized options as well. Refer to the Valgrind man page with the man valgrind command for the most updated list of options.
NOTE
Because Valgrind is still under development, refer to www.valgrind.org for instructions on how to read the output, detailed documentation on how each of the tools works, and for updates to the tools.
Additional Programs to Consider
Additional debugging and profiling tools exist in Red Hat Enterprise Linux. Some are still considered under development such as Frysk and some are tried-and-true tools such as gdb. Some of the most popular include the following:
Frysk: Monitoring and debugging tool. Still in the early development stages and is not ready for production. It is included in Red Hat Enterprise Linux as a technology preview. For the latest version, additional information, and the status of the project, refer to http://sourceware.org/frysk/.
GNU Debugger: Command-line debugging tool, which can be used as the program runs. Documentation, examples, and more are available at http://www.gnu.org/software/gdb/.
DejaGnu: Testing framework used to create test suites. Part of the GNU family of programs. Go to http://www.gnu.org/software/dejagnu/ for details.
Dogtail: Testing tool used to automate tests for programs with graphical interfaces. For more information, go to http://people.redhat.com/zcerza/dogtail/.
lcov: Determines which parts of a program are executed during a test case. The program page is at http://ltp.sourceforge.net/coverage/lcov.php.
Summary
Even though it is not the primary goal of an administrator to debug programs, some might find these debugging and profiling tools useful when trying to track down a decrease in performance, especially after the addition of software to the system. OProfile utilizes the performance monitoring hardware of supported processors to analyze program performance. Valgrind is useful for determining memory and threading problems or just comparing the memory usage of two or more programs.
PART VI

IN THIS PART
CHAPTER 23 Protecting Against Intruders with Security-Enhanced Linux 463
CHAPTER 24 Configuring a Firewall 477
CHAPTER 25 Linux Auditing System 505
IN THIS CHAPTER
Selecting an SELinux Mode
Selecting and Customizing the SELinux Policy
Utilizing the SELinux Troubleshooting Tool
Working with Security Contexts
CHAPTER 23
Protecting Against Intruders with Security-Enhanced Linux
On a system without Security-Enhanced Linux (SELinux) enabled, discretionary access control (DAC) is used for file security. Basic file permissions as discussed in Chapter 4, "Understanding Linux Concepts," and optionally access control lists as described in Chapter 7, "Managing Storage," are used to grant file access to users. Users and programs alike are allowed to grant insecure file permissions to others. For users, there is no way for an administrator to prevent a user from granting world-readable and world-writable permissions to his files. For programs, the file operations are performed as the owner of the process, which can be the root user, giving the program access to any file on the system.
SELinux is a mandatory access control (MAC) mechanism, implemented in the kernel. Programs protected by SELinux are only allowed access to parts of the filesystem they require to function properly, meaning that if a program intentionally or unintentionally tries to access or modify a file not necessary for it to function or a file not in a directory controlled by the program, file access is denied and the action is logged.
The ability to protect files with SELinux is implemented in the kernel. Exactly what files and directories are protected and to what extent they are protected is defined by the SELinux policy. This chapter gives instructions on how to enable the SELinux protection mechanism, describes the SELinux policies available in Red Hat Enterprise Linux, tells you how to read the SELinux permissions of a file, shows how the SELinux Troubleshooting Tool alerts you of SELinux errors, and steps you through how to change the security context of files.
Selecting an SELinux Mode
When your Red Hat Enterprise Linux system is booted for the first time, the Setup Agent is started as described in Chapter 2. When you reach the SELinux step, the SELinux mode is set to Enforcing by default. The following modes are available:
Enforcing: Enable and enforce the SELinux security mechanism on the system, logging any actions denied because of it.
Permissive: Enable SELinux but don't enforce the policy. Only warn about files protected by SELinux.
Disabled: Turn off SELinux.
The SELinux mode can be changed at a later time by using the SELinux Management Tool, a graphical application for customizing SELinux. The policycoreutils-gui RPM package must be installed to use this program. Refer to Chapter 3 for details on package installation. Start the tool by executing the system-config-selinux command or selecting Administration, SELinux Management from the System menu of the top panel of the desktop. If you are not the root user, you are prompted to enter the root password before continuing. As shown in Figure 23.1, choose the SELinux mode for the following two options:
System Default Enforcing Mode: The mode to use when the system is booted. Choose between Enforcing, Permissive, and Disabled (described earlier in this section). The mode change does not take place immediately. This preference is written to the /etc/selinux/config file. The next time the system is rebooted, this mode is used. If the mode is changed from Disabled to Permissive or Enforcing, the filesystem must be relabeled for SELinux during the reboot, which can be quite time-consuming depending on the size of the filesystem. It is highly recommended that the filesystem be backed up before changing modes in case of disk failure or other errors during the conversion process.
Current Enforcing Mode: The SELinux mode currently being implemented. If the system was booted into the enforcing or permissive mode, the current mode can be immediately changed between the two without a reboot.
TIP
The mode changes can be confirmed by executing the sestatus command.
If you do not have a graphical desktop, are logged in remotely without X forwarding, or just prefer the command line, these mode preferences can be made using the command line. To change the currently running SELinux mode, use the setenforce command as the root user, replacing <mode> with either Enforcing or Permissive:
setenforce <mode>
To confirm the change, execute the getenforce command, which displays the current SELinux mode.
FIGURE 23.1 Selecting the SELinux Mode
The SELinux mode used at boot time can be set in the /etc/selinux/config file. As the root user, set the SELINUX option to enforcing, permissive, or disabled such as the following:
SELINUX=enforcing
After the reboot, verify the mode was changed with the sestatus command. The output should look similar to Listing 23.1.
LISTING 23.1 SELinux Status with sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
CAUTION
If using setenforce, be sure to change the mode in /etc/selinux/config as well so the change will persist after a reboot.
Selecting and Customizing the SELinux Policy
If permissive or enforcing mode is enabled, an SELinux policy must be selected to determine which programs are governed by SELinux and which are run in unconfined space. The SELinux policy sets what programs are protected under SELinux. The default policy, called the targeted policy, in Red Hat Enterprise Linux is designed to protect the system without being intrusive to the users.
The following policies are available:
targeted (default): Works for most server and client systems. Protects users from applications and system processes while leaving userspace unconfined so the security measures are mostly undetectable to most users. Requires the selinux-policy-targeted package to be installed.
strict: Very controlled environment in which most system and user processes have very limited access to the filesystem. Users are only granted access to specific directories for maximum security, and system processes are only granted access to directories to which they need access to run. If an application is configured to use nondefault directories, the policy must be changed to allow the application to access the nondefault directories. Requires the selinux-policy-strict package to be installed.
mls: Allows security to be mapped out according to multiple levels of security. Developed for servers requiring EAL4+/LSPP certification. Useful for organizations that grant security rights based on a user's security level. Requires the selinux-policy-mls package to be installed.
To change the SELinux policy, first install the corresponding package. To change the policy from the SELinux Management Tool, go to the Status view and select the desired policy from the System Default Policy Type pull-down menu. Only installed policies are available for selection.
To change from the command line, set the SELINUXTYPE option in the /etc/selinux/config file to targeted, strict, or mls such as the following:
SELINUXTYPE=targeted
A reboot is required after selecting a different policy so that the filesystem can be relabeled. Remember to back up the filesystem before changing the SELinux policy. After the reboot, verify the policy was changed by executing the sestatus command. The output should look similar to Listing 23.1.
When changing the policy, setting the mode to permissive allows the administrator to test the policy without enabling it at first. After reviewing the SELinux alerts and system log files for any errors or warnings for a testing period, the mode can be changed from permissive to enforcing as described in the "Selecting an SELinux Mode" section.
Major modifications to the policy require the policy source to be modified and the source to be recompiled. However, policies do allow minor changes to it without recompiling by setting the boolean value (0 or 1) for optional features. For example, by default, the SELinux targeted policy does not allow the Apache HTTP Server to serve files from home directories. The value of the httpd_enable_homedirs boolean can be set to 1 to explicitly allow it. Changes to boolean values can be made with the SELinux Management Tool or the setsebool command.
Start the graphical tool with the system-config-selinux command or the Administration, SELinux Management menu item in the System menu of the top panel of the desktop. Select the Boolean view from the list on the left. A tree view of possible boolean modifications can now be seen. Click the triangle icon next to each category to view a list of boolean options. Boolean options with a checkmark beside them are enabled. Check an option to enable it, and uncheck an option to disable it. The changes take place immediately. For example, Figure 23.2 shows the values for the booleans that affect the NFS daemon.
NOTE
The values of the booleans are stored on the virtual filesystem /selinux/booleans/ and can be viewed with the command cat /selinux/booleans/<boolean_name>.
FIGURE 23.2 Modifying the SELinux Mode
Descriptions of each available boolean value can be found in the BOOLEANS section of the man page for the specific policy. For example, the nfs_selinux man page describes the use_nfs_home_dirs boolean, which translates to the Support NFS home directories option under the NFS category in the graphical application.
Alternatively, use the setsebool command to set the boolean to the desired value:
setsebool -P <boolean> <value>
To view the status of a boolean via the command line, execute the getsebool command:
getsebool use_nfs_home_dirs
To completely disable SELinux for a specific service, place a checkmark next to the corresponding boolean under the SELinux Service Protection category or the category for the specific service such as Kerberos. While this will allow the service to work with SELinux enabled, the service will no longer be protected by SELinux and is not recommended. If a service cannot be started because of SELinux, look at the boolean values that can be changed for it. The SELinux Troubleshooting Tool summarizes why the action was blocked by the SELinux policy. It also offers possible solutions for the problem. Refer to the "Utilizing the SELinux Troubleshooting Tool" section for details.
Utilizing the SELinux Troubleshooting Tool
Log messages for SELinux are written to /var/log/messages unless the Linux Auditing System is used (refer to Chapter 25, "Linux Auditing System," for details). If audit is enabled, messages are written to the /var/log/audit/audit.log file. The log messages are labeled with the AVC keyword so they can be easily filtered from other messages.
Starting with Red Hat Enterprise Linux 5, instead of having to read through log files to determine why SELinux is preventing an action, the SELinux Troubleshooting Tool can be used to analyze the SELinux AVC messages. It consists of a graphical interface for displaying these messages and possible solutions, a desktop notification icon that appears when there are messages to view, and a daemon that checks for new SELinux AVC messages so that you are alerted by the notification icon of them as soon as they occur. The tool is provided by the setroubleshoot RPM package, which is installed by default.
The daemon, setroubleshootd, is started by default with the /etc/rc.d/init.d/setroubleshoot initialization script. The /var/log/setroubleshootd.log file contains any log messages concerning the tool. This log file is automatically rotated on a weekly basis, and old log files for the previous two weeks are kept.
If you are working on the local desktop for the system (sitting at the computer), a star icon appears in the notification area of the top desktop panel when SELinux AVC messages are available for viewing. Click on it to view the SELinux Troubleshooting Tool as shown in Figure 23.3.
TIP
If working on the local desktop, you can also open the SELinux Troubleshooting Tool by selecting Administration, SELinux Troubleshooting from the System menu on the top panel.
FIGURE 23.3 SELinux Troubleshooting Tool
If you are not working on the local desktop but have SSH access to the system with X forwarding, you can execute the sealert -b command to remotely view the graphical troubleshooting browser.
An example of using the SELinux Troubleshooting Tool is given in the "Modifying Security Contexts" section later in this chapter.
Working with Security Contexts
When SELinux is enabled, all files and objects have a security context. Security contexts for processes are called domains such as httpd_t for the Apache web server daemon processes. Security contexts for files are called file contexts and are stored in the extended attributes of the files. The security context has four parts to it separated by colons:
user:role:type:mls
Unless the MLS policy is being used, the last mls field is not used. The user field is the SELinux user who created the file. The role field is the role of the object or file, and the type field is the type of rule associated with the object or file. An example of a security context for the targeted policy would be the following:
system_u:object_r:etc_t
In this example, the file is a system file as indicated by the system_u user field, is a file object labeled with object_r, and is governed by the etc_t rule type because it is a file in the /etc/ directory.
CAUTION
The tar utility commonly used when creating archives for backup purposes does not preserve extended attributes of the filesystem. To back up a filesystem and its SELinux labels, use the star utility, which is similar to tar. The star RPM package must be installed to use it. Refer to the star man page for details.
Viewing Security Contexts
File utilities such as ls and ps do not display SELinux security context by default. Use the -Z option for most file utilities to view this content such as ls -Z and ps -Z. For example, when the -Z option is used with ls to view the /etc/sysconfig/ directory, the security context is shown such as the following:
-rw-r--r-- root root system_u:object_r:etc_t apmd
drwxr-xr-x root root system_u:object_r:etc_t apm-scripts
-rw-r----- root root system_u:object_r:etc_t auditd
-rw-r--r-- root root system_u:object_r:etc_t authconfig
-rw-r--r-- root root system_u:object_r:etc_t autofs
-rw-r--r-- root root system_u:object_r:etc_t bluetooth
The cp and mv commands for copying and moving files handle file contexts differently. By default, the cp command creates a new file in the desired location with a type based on the creating process and the parent directory of the desired location. For example, if the file is copied from the /etc/ directory to a backup directory, the type field of the file changes from etc_t to whatever the default type is for the target directory. The -Z option to cp can be used to specify a type to use when copying the file:
cp -Z <context> file /new/location
The mv command to move files preserves the file context of the files by default. If the file needs a different type in the new location, be sure to relabel the file with the chcon command:
chcon -t <context> <file>
Modifying Security Contexts
To better understand the impact and usage of security contexts, consider an example concerning the Apache HTTP Server. If you are not familiar with the web server, refer to Chapter 15, "Creating a Web Server with Apache HTTP Server."
It is common to change the default DocumentRoot to something other than /var/www/html/. Perhaps you need files to come from network storage mounted in a different directory. SELinux protects the httpd process and only allows the web server to serve files and directories with a specific security context.
The security context of the default files in the /var/www/ directory is shown in Listing 23.2. The output is from the ls -d -Z /var/www and ls -Z /var/www commands.
LISTING 23.2 Security Context of Default DocumentRoot
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t /var/www
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
TIP
The secon -f <file> command can also be used to view the security context of a file.
If you change the DocumentRoot to /home/html/, after restarting httpd and trying to view the pages from the new DocumentRoot from a web browser, the service will start, but the website will default to the test page instead of the index page of your website. The message from Listing 23.3 appears in /var/log/messages.
LISTING 23.3 System Error Messages After Changing DocumentRoot
Mar 6 14:54:07 localhost setroubleshoot: SELinux is preventing
the /usr/sbin/httpd from using potentially mislabeled files
(/home/html/index.html).
For complete SELinux messages. run sealert -l e2d75f44-7c89-4fc1-a06b-23603ab00af8
If you have the Linux Auditing System enabled (the default), the /var/log/audit/audit.log file shows the SELinux AVC messages from Listing 23.4.
LISTING 23.4 Audit Error Messages After Changing DocumentRoot
type=AVC msg=audit(1173211195.225:286487): avc: denied { getattr } for
pid=19315 comm="httpd" name="index.html" dev=dm-1 ino=12845059
scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1173211195.225:286487): arch=c000003e syscall=4
success=no exit=-13 a0=5555cc034d50 a1=7fff0cb47140 a2=7fff0cb47140
a3=5555cc034db8 items=0 ppid=19307 pid=19315 auid=501 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd"
exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC_PATH msg=audit(1173211195.225:286487): path="/home/html/index.html"
type=AVC msg=audit(1173211195.225:286488): avc: denied { getattr } for
pid=19315 comm="httpd" name="index.html" dev=dm-1 ino=12845059
scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1173211195.225:286488): arch=c000003e syscall=6
success=no exit=-13 a0=5555cc034e18 a1=7fff0cb47140 a2=7fff0cb47140
a3=5555cc034e22 items=0 ppid=19307 pid=19315 auid=501 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd"
exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC_PATH msg=audit(1173211195.225:286488): path="/home/html/index.html"
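As an added example (not code from the book or from the setroubleshoot package), the following Python splits security contexts into the user:role:type:mls fields described under "Working with Security Contexts" and tallies the AVC denials in audit.log records by source type, target type, object class and permission; the records are constructed from Listing 23.4 with wrapped lines joined, plus one made-up record that denies two permissions at once.

```python
"""Summarize SELinux AVC denials from audit.log records.

Added example for this chapter; it is not code from the book or from the
setroubleshoot package. The records below are constructed: the first four
follow Listing 23.4 (wrapped lines joined), the last one is made up to show
a denial that names two permissions at once.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1173211195.225:286487): avc: denied { getattr } for pid=19315 comm="httpd" name="index.html" dev=dm-1 ino=12845059 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1173211195.225:286487): arch=c000003e syscall=4 success=no exit=-13 pid=19315 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC_PATH msg=audit(1173211195.225:286487): path="/home/html/index.html"
type=AVC msg=audit(1173211195.225:286488): avc: denied { getattr } for pid=19315 comm="httpd" name="index.html" dev=dm-1 ino=12845059 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1173211200.001:286490): avc: denied { read open } for pid=19315 comm="httpd" name="index.html" dev=dm-1 ino=12845059 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""


@dataclass(frozen=True)
class SecurityContext:
    user: str
    role: str
    type: str
    mls: Optional[str]  # absent unless the MLS policy is in use


def parse_context(text: str) -> SecurityContext:
    """Split user:role:type[:mls]. The mls field may itself contain colons
    (a range such as s0-s0:c0.c1023), so split at most three times."""
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {text!r}")
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else None
    return SecurityContext(user, role, type_, mls)


AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values (comm="httpd") may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    result: str
    perms: tuple
    scontext: SecurityContext
    tcontext: SecurityContext
    tclass: str
    fields: dict


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for a type=AVC line and None for any other record
    (SYSCALL, AVC_PATH, ...) so a whole log can be fed through unchanged."""
    match = AVC_RE.match(line.strip())
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(match.group("rest"))}
    return AvcRecord(
        serial=int(match.group("serial")),
        result=match.group("result"),
        perms=tuple(match.group("perms").split()),
        scontext=parse_context(fields["scontext"]),
        tcontext=parse_context(fields["tcontext"]),
        tclass=fields["tclass"],
        fields=fields,
    )


def summarize_denials(log_text: str) -> Counter:
    """Count denials by (source type, target type, object class, permission),
    the tuple sealert and a policy writer reason about. A record listing
    several permissions counts once per permission."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None or record.result != "denied":
            continue
        for perm in record.perms:
            key = (record.scontext.type, record.tcontext.type,
                   record.tclass, perm)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n:3d}  {src} -> {tgt} ({cls}): {perm}")
```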
NoIice IhaI Ihe end o Ihe message rom 1var1Jog1nessages in LisIing 23.3 gives Ihe
seaJer1 -J e2d75f44-7c89-4fc1-aU6b-236U3abUUaf8 command Io execuIe or compleIe
SELinux messages. The seaJer1 command is parI o Ihe SELinux TroubleshooIing Tool. I
Ihe seaJer1 -J <Jookup-1d> command is used, Ihe same inormaIion shown in Ihe
graphical program or Ihe SELinux TroubleshooIing Tool is displayed Io Ihe command
line. The ouIpuI rom our example is shown in LisIing 23.S.
LISTING 23.5 Analysis of AVC Messages

Summary
    SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled
    files (/home/html/index.html).

Detailed Description
    SELinux has denied /usr/sbin/httpd access to potentially mislabeled file(s)
    (/home/html/index.html). This means that SELinux will not allow
    /usr/sbin/httpd to use these files. It is common for users to edit files in
    their home directory or tmp directories and then move (mv) them to system
    directories. The problem is that the files end up with the wrong file
    context which confined applications are not allowed to access.

Allowing Access
    If you want /usr/sbin/httpd to access this files, you need to relabel them
    using restorecon -v /home/html/index.html. You might want to relabel the
    entire directory using restorecon -R -v /home/html.

Additional Information

Source Context                user_u:system_r:httpd_t
Target Context                user_u:object_r:user_home_t
Target Objects                /home/html/index.html [ file ]
Affected RPM Packages         httpd-2.2.3-6.el5 [application]
Policy RPM                    selinux-policy-2.4.6-22.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     smallville
Platform                      Linux smallville 2.6.18-1.2961.el5 #1 SMP Wed Jan
                              3 14:35:32 EST 2007 x86_64 x86_64
Alert Count                   12
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm="httpd" dev=dm-1 egid=48 euid=48
exe="/usr/sbin/httpd" exit=-13 fsgid=48 fsuid=48 gid=48 items=0
name="index.html" path="/home/html/index.html" pid=19312
scontext=user_u:system_r:httpd_t:s0 sgid=48 subj=user_u:system_r:httpd_t:s0
suid=48 tclass=file tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=48

TIP
To save the output of the sealert -l <lookup-id> command, redirect it into a file, such as:

sealert -l e2d75f44-7c89-4fc1-a06b-23603ab00af8 > httpd_selinux_errors.txt

You can also generate the output in HTML format by adding the -H command line option:

sealert -H -l e2d75f44-7c89-4fc1-a06b-23603ab00af8 > httpd_selinux_errors.html
Figure 23.4 shows the same analysis viewed from the graphical browser of the SELinux Troubleshooting Tool.

FIGURE 23.4 Error Analysis

The description of the problem from the SELinux Troubleshooting Tool is correct: the files in the DocumentRoot for the web server are mislabeled. The instructions in the Allowing Access section, however, are generic suggestions that may or may not fix the problem. In this case, running restorecon does not help, because restorecon resets files to the default context recorded in the policy's file context database, and for a directory under /home that default is a home directory type, not a web content type.

The security context of the new DocumentRoot must be changed so that SELinux recognizes the files in it as valid web pages for the Apache HTTP Server. The current security context of the /home/html/ directory is the following (output from the ls -d -Z /home/html command):

drwxr-xr-x  root root root:object_r:user_home_dir_t   /home/html

Use the chcon command with the -R option to change the security context of the directory recursively, so that the security context of all files and subdirectories under it is changed too. The command is as follows:

chcon -v -R --user=system_u --role=object_r --type=httpd_sys_content_t /home/html

Since the -v option was used, if the command is successful, messages of the following type are displayed, one per file:

context of /home/html changed to system_u:object_r:httpd_sys_content_t
context of /home/html/index.html changed to system_u:object_r:httpd_sys_content_t

As you might have noticed from Listing 23.2, the cgi-bin directory needs a different security context type, since the files in it are executed rather than served. If you have a cgi-bin directory, use the following to change its security context:

chcon -R --type=httpd_sys_script_exec_t /home/html/cgi-bin

Because the user and role of the security context were already changed when you recursively relabeled the entire new DocumentRoot, this command only needs to modify the type.

TIP
A complete list of security context types for the Apache HTTP Server can be found in the httpd_selinux man page. View it with the man httpd_selinux command.

After fixing the security context of the web page files, test your changes by opening a web browser and trying to view the pages. Restarting httpd is not necessary after changing the security context of the files, because SELinux checks the security context of the file each time a request is made. Keep in mind that chcon changes only the labels on disk: if the filesystem is ever relabeled, the files revert to the default context, so also record the new context in the policy as described in the "Making Security Context Changes Permanent" section.
If you need to share the files in the DocumentRoot using another file sharing protocol such as FTP or NFS, the security context of the files needs to be public_content_t or public_content_rw_t, depending on whether you need to give write access to users. Refer to the "Security Context for Multiple File Sharing Protocols" section for details on using them.

Security Context for Multiple File Sharing Protocols

If more than one file sharing protocol (FTP, HTTP, NFS, rsync, and Samba) is used to share the same set of files, the security context must be set to public_content_t or public_content_rw_t instead of the security context specific to one protocol, such as samba_share_t for Samba.

The public_content_t context only allows read access to the files. The public_content_rw_t context allows read and write access. To actually allow write access, you must also enable the allow_<protocol>_anon_write boolean, where <protocol> is one of ftpd, httpd, nfsd, rsync, or smbd. The label alone does not grant write access, and each boolean is independent, so enable only the daemons that really need to write. For example, to allow both FTP and the Apache HTTP Server to write to the same shared files, execute the following commands as root (the -P option makes the settings persist across reboots):

setsebool -P allow_ftpd_anon_write=1
setsebool -P allow_httpd_anon_write=1
CAUTION
If the filesystem is relabeled for SELinux, the security context changes you make with chcon will be overwritten. To make your changes permanent even through a relabel, refer to the "Making Security Context Changes Permanent" section.
Making Security Context Changes Permanent

Modifying the security context of files as discussed in the previous section persists between reboots unless the filesystem is relabeled. A filesystem is relabeled for a variety of reasons, including changing the SELinux policy, running restorecon over it, or booting with the /.autorelabel file present. To make sure the security context of your files is not changed, you must set the default security context of the files by adding the file specification, file type, and SELinux security context to the /etc/selinux/<policy>/contexts/files/file_contexts.local file. Do not create or modify this file manually. Use the SELinux Management Tool or the semanage command.

After starting the SELinux Management Tool as previously described, click on File Labeling in the list on the left. Click the Add button and enter the following information as shown in Figure 23.5:

File Specification: Enter /home/html(/.*)? to represent the /home/html/ directory and all the files and directories in it. The specification is a regular expression; (/.*)? means "optionally, a slash followed by anything", which is what makes the entry cover the contents as well as the directory itself.
File Type: Leave as the default, all files.
SELinux Type: Enter httpd_sys_content_t as the security context type.
MLS: Leave as the default if you are not using the MLS policy.
FIGURE 23.5 Adding Default Security Context

NOTE
The restorecon command can be used to manually relabel a filesystem, or a single directory tree, using the default security contexts.

To perform the same action on the command line, execute the following command as the root user:

semanage fcontext -a -t httpd_sys_content_t '/home/html(/.*)?'

Either method creates the /etc/selinux/<policy>/contexts/files/file_contexts.local file if it doesn't already exist and adds the following line to it:

/home/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0

Adding the entry only records the default; it does not relabel anything by itself. Run restorecon -R -v /home/html afterwards to apply the new default to the existing files, and use the same command for files that are later copied into the directory with their old labels. If you require additional security contexts, such as httpd_sys_script_exec_t for a cgi-bin directory, add those as well.
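The two procedures above, reading the denial and then recording a durable default, can be scripted. The following is an added example; it is not from this book and not part of the setroubleshoot or policycoreutils packages. It pulls the fields that matter out of an AVC record in the audit.log format shown in Listing 23.4, checks whether the target label is one of the "wrong place" home or tmp types that the home_tmp_bad_labels plugin reasons about (that set of types is an assumption of the example), and prints the semanage and restorecon commands for the directory and type you name. It only prints; review and run the printed commands as root.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial and print the durable relabel fix.
# POSIX sh plus sed/cut/awk only; nothing here modifies the system.

# Constructed sample record in /var/log/audit/audit.log format (from Listing 23.4).
SAMPLE_AVC='type=AVC msg=audit(1173211195.225:286488): avc: denied { getattr } for pid=19315 comm="httpd" name="index.html" dev=dm-1 ino=12845059 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=value (quotes stripped), empty if absent.
# A space is prepended so the key must start a token: "pid=" never matches "ppid=".
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: the permission(s) inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) }.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one line "source_type permission class target_type".
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# avc_is_label_problem RECORD: true when the target carries a home/tmp label,
# which for a daemon such as httpd means the file was moved into place
# without being relabeled. The list of types is this example's assumption.
avc_is_label_problem() {
    case "$(context_type "$(avc_field "$1" tcontext)")" in
        user_home_t|user_home_dir_t|tmp_t|user_tmp_t) return 0 ;;
        *) return 1 ;;
    esac
}

# relabel_commands DIR TYPE: print the durable fix. semanage records the
# default in file_contexts.local; restorecon applies it to what is on disk now.
relabel_commands() {
    dir=${1%/}
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$dir"
    printf 'restorecon -R -v %s\n' "$dir"
}

# Stand-alone run on the constructed record: report, then print the fix.
avc_summary "$SAMPLE_AVC"
if avc_is_label_problem "$SAMPLE_AVC"; then
    relabel_commands /home/html httpd_sys_content_t
fi
```

To use it on a live system, feed it the AVC lines from ausearch -m avc (or the Raw Audit Messages block of sealert) instead of SAMPLE_AVC, and pass the DocumentRoot and the type you chose from the httpd_selinux man page to relabel_commands; chcon is deliberately not emitted, because the semanage entry plus restorecon survives a relabel and chcon does not.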
Summary

Implemented at the kernel level, SELinux provides the ability to define a policy from which the SELinux mechanism allows or denies access by specific users and processes to files and other system objects. The default policy in Red Hat Enterprise Linux, the targeted policy, confines only particular processes, so that the security layer does not interfere with the day-to-day activities of most users. Basic options such as turning off protection for specific daemons and allowing certain service features that may be insecure can be enabled and disabled through booleans without writing a new policy.
IN THIS CHAPTER
Selecting a Table and Command for IPTables
Selecting IPTables Options
Using IPTables Match Extensions
Using IPTables Target Extensions
Starting and Stopping the IPTables Service
Saving the IPTables Rules
IPTables Examples
Enabling the Default Firewall

CHAPTER 24
Configuring a Firewall
As an administrator in today's world of networked computing and easy access to the Internet, security both internally and externally must be the first and last issue considered. Denying unauthorized access is the first step to keeping your system secure. The mechanism to prevent access to all or some network services on a system is called a firewall.

Every operating system implements a firewall differently. Red Hat Enterprise Linux uses IPTables, a network packet-filtering mechanism in the Linux kernel. IPTables can be used to allow or deny packets based on numerous factors, including their destination, their source, which port they are trying to access, the user ID of the process that created the packet, and more.

Install the iptables RPM package to use IPTables. It includes the utilities to configure which packets to filter. Refer to Chapter 3, "Operating System Updates," for instructions on installing packages.

The IPTables configuration consists of a series of rules. Each rule belongs to a specific table, and each table has its own set of chains. A chain is an ordered list of rules against which every packet passing through the chain is compared, first rule first. When a packet matches a rule, the target of that rule tells the system what to do with the packet: accept it, drop it, or pass it along to a different chain, among other things. If no rule in a built-in chain matches, the chain's policy decides. Because the first matching rule wins, the order of the rules within a chain matters.

This chapter discusses how to write and enable IPTables rules. It also discusses the Red Hat Enterprise Linux security levels, which are predefined sets of IPTables rules. They can be used to quickly implement a basic firewall.

TIP
IPTables logs nothing by itself; a packet is logged only when it hits a rule whose target is LOG. Those messages are kernel messages, so they are handled by syslog and go to /var/log/messages by default.
Selecting a Table and Command for IPTables

The first part of an IPTables rule is defining the table with the -t <table> option:

iptables -t <table> ...

Choose from the following tables:

filter: Default table used if -t <table> is not specified. Its predefined chains are INPUT, FORWARD, and OUTPUT.
nat: Consulted only for the first packet of a new connection; use it for address translation. Its predefined chains are PREROUTING, OUTPUT, and POSTROUTING.
mangle: Use for specialized packet altering such as changing the TOS or TTL fields or marking a packet for later rules. Its predefined chains are PREROUTING, OUTPUT, INPUT, FORWARD, and POSTROUTING.
raw: Consulted before any other table; use it for exempting packets from connection tracking with the NOTRACK target. Its predefined chains are PREROUTING and OUTPUT.

Each rule must contain exactly one of the commands listed in Table 24.1 unless otherwise specified. The command follows the table definition:

iptables -t <table> -A <chain> <rulespec> ...
TABLE 24.1 IPTables Commands

IPTables Command                    Description
-A <chain> <rulespec>               Append the rule to the end of the chain.
-D <chain> <rulespec>               Delete the first rule in the chain that matches <rulespec>.
-D <chain> <rulenum>                Delete the rule at the given position in the chain, with the count starting at 1.
-I <chain> [<rulenum>] <rulespec>   Insert a rule at a specific point in the chain. If <rulenum> is omitted, the rule is inserted at the top (position 1).
-R <chain> <rulenum> <rulespec>     Replace the rule at a specific point in the chain.
-L [<chain>]                        List all rules in the chain, or in every chain of the table if no chain is given. The -t <table> option can be used to display the rules of a given table.
-F [<chain>]                        Delete, or flush, all the rules in the chain, or in every chain of the table if no chain is given.
-Z [<chain>]                        Set the packet and byte counters to zero in a specific chain, or in all chains if no chain is given.
-N <chain>                          Add a new user-defined chain. The name must be unique.
-X [<chain>]                        Delete a user-defined chain, or all user-defined chains if no chain is given. Before a chain can be deleted, it must not be referenced by any rule and it must not contain any rules. Built-in chains cannot be deleted.
-P <chain> <target>                 Set the policy of a built-in chain: what to do with packets that reach the end of the chain without matching any rule. The policy must be a built-in target, in practice ACCEPT or DROP.
-E <old> <new>                      Rename a user-defined chain. The new name must be unique.
-h                                  Show a very brief description of the command-line options.

The parameters in Table 24.2 are used to form the rule specification, <rulespec>, for the commands in Table 24.1 that take one.

CAUTION
Do not use hostnames when writing IPTables rules. A hostname is resolved once, when the rule is loaded; IPTables is started before DNS is available at boot, so the system will not be able to resolve the name and the rule will fail to load. Even when resolution works, the address is fixed at load time, and a changed or spoofed DNS answer at the next load silently changes what your firewall allows. Use IP addresses and networks instead.
TABLE 24.2 IPTables Rule Parameters

Parameter        Description
-p <protocol>    Protocol of the packets. The most common ones are tcp, udp, and icmp. Protocols from /etc/protocols can also be used. If all is used, all protocols are valid for the rule. If an exclamation point and a space are before the protocol name, the rule matches all protocols except the one listed after the exclamation point.
-s <address>     Source of the packets. The <address> can be a network name, an IP address, or an IP address with a mask, such as 192.168.1.0/24 or 192.168.1.0/255.255.255.0. If an exclamation point and a space are before the address, the rule matches all addresses except the one listed after the exclamation point.
-d <address>     Destination of the packets. The <address> can be in the same formats as for the -s <address> parameter.
-j <target>      Target of the rule, or what to do with the packets if they match the rule. The target can be a user-defined chain other than the one this rule is in, a predefined target, or an extension. Refer to the "Using IPTables Target Extensions" section for details on extensions. If -j is omitted, a matching packet only increments the rule's counters and processing continues with the next rule.
                 The following predefined targets are available:
                 ACCEPT: Allow the packet through.
                 DROP: Drop the packet and do nothing further with it; the sender receives no reply.
                 QUEUE: Pass the packet to userspace.
                 RETURN: Stop processing the current chain and return to the chain that jumped into it. In a built-in chain, RETURN applies the chain's policy.
-g <chain>       Continue processing in the given user-defined chain. Unlike -j, a RETURN from that chain does not come back to this chain but to the chain that jumped into this one.
-i <name>        Interface on which the packet was received. If an exclamation point and a space are before it, the rule only matches if the packet was not received on the given interface. If a plus sign is appended to the interface name, the rule is true for any interface whose name begins with the given string. If the interface name is not specified, packets received on any interface match the rule. Only for packets entering the INPUT, FORWARD, and PREROUTING chains.
-o <name>        Interface on which the packet will be sent. If an exclamation point and a space are before it, the rule only matches if the packet will not be sent out the given interface. If a plus sign is appended to the interface name, the rule is true for any interface whose name begins with the given string. If the interface name is not specified, packets to be sent from any interface match the rule. Only for packets entering the FORWARD, OUTPUT, and POSTROUTING chains.
-f               Rule only matches the second and further fragments of a fragmented packet. If an exclamation point is before the -f parameter, the rule only matches unfragmented packets and first fragments.
-c PKTS BYTES    Used to initialize the packet and byte counters of the rule. Only for the INSERT, APPEND, and REPLACE commands.
Selecting IPTables Options

Each rule may contain the options in Table 24.3, but they are not required. They should be listed in the rule after the command and any rule specification for the command, such as the following:

iptables -t <table> -L <chain> --line-numbers ...

TABLE 24.3 IPTables Options

IPTables Option        Description
-v                     Show more details if available, such as the interface names and the counters when listing rules.
-n                     Do not resolve IP addresses to hostnames, port numbers to service names, or network addresses to network names. Speeds up output of commands such as listing the rules, and avoids DNS lookups from the firewall host.
-x                     Show the exact values of the packet and byte counters instead of values rounded to K, M, or G. Only applicable to the -L command.
--line-numbers         When listing rules, display line numbers in front of each rule to show the position of the rule in the chain.
--modprobe=<command>   When adding or inserting rules, use the specified command to load any additional kernel modules needed.
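With tables, commands, rule parameters, and options covered, the following added example (not from this book and not part of the iptables package) shows how they compose into a complete host firewall and how to sanity-check one before loading it. It emits the ruleset in the text format that iptables-restore reads, the same format Red Hat Enterprise Linux keeps in /etc/sysconfig/iptables, which is usually preferable to a long series of individual iptables commands because the whole table is replaced in one step. The rules use the state, multiport, and limit match extensions described in the next section. The admin network 192.0.2.0/24 and the port list are placeholders, and the checks in ruleset_check are the example's own encoding of this chapter's advice: a default DROP policy, no hostnames in rules, and an ESTABLISHED,RELATED accept rule in INPUT.

```shell
#!/bin/sh
# Added example: generate a stateful host firewall in iptables-restore format
# and lint it. Prints text only; loading it needs root and iptables-restore.

# gen_base_ruleset ADMIN_NET WEB_PORTS
#   ADMIN_NET  network (CIDR) allowed to open SSH, e.g. 192.0.2.0/24
#   WEB_PORTS  comma-separated TCP ports open to everyone, e.g. 80,443
gen_base_ruleset() {
    admin_net=$1
    web_ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first, then replies to connections this host already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# New connections: SSH only from the admin network, web ports from anywhere
-A INPUT -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --destination-ports $web_ports -m state --state NEW -j ACCEPT
# Rate-limited ping so the host stays diagnosable without inviting floods
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

# Constructed counter-example with three of the mistakes this chapter warns
# about: ACCEPT policy, a hostname in -s, and no ESTABLISHED,RELATED rule.
MISCONFIGURED_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -s admin.example.com --dport 22 -j ACCEPT
COMMIT'

# ruleset_check: read a ruleset on stdin, print each problem, exit 1 if any.
ruleset_check() {
    awk '
        /^:INPUT / && $2 != "DROP" {
            bad = 1; print "INPUT policy is " $2 ", expected DROP"
        }
        /^-A INPUT / && /--state [A-Z,]*ESTABLISHED/ { have_established = 1 }
        /^-A / {
            for (i = 1; i < NF; i++) {
                if ($i == "-s" || $i == "-d") {
                    v = $(i + 1)
                    if (v == "!") v = $(i + 2)
                    # an address or CIDR never contains a letter (IPv4 assumed)
                    if (v ~ /[A-Za-z]/) {
                        bad = 1; print "hostname in rule, use an address: " $0
                    }
                }
            }
        }
        /^COMMIT$/ { committed = 1 }
        END {
            if (!have_established) {
                bad = 1; print "INPUT has no ESTABLISHED,RELATED accept rule"
            }
            if (!committed) { bad = 1; print "missing COMMIT" }
            exit bad
        }
    '
}

# Stand-alone run: print the ruleset, then lint it and the constructed bad one.
gen_base_ruleset 192.0.2.0/24 80,443
gen_base_ruleset 192.0.2.0/24 80,443 | ruleset_check && echo "generated ruleset: OK"
printf '%s\n' "$MISCONFIGURED_RULESET" | ruleset_check || echo "misconfigured ruleset: rejected"
```

To deploy, run the script as root and pipe the generated text into iptables-restore (or save it as /etc/sysconfig/iptables so the iptables service loads it at boot), then confirm the result with iptables -L -n -v --line-numbers. Run ruleset_check first; a ruleset that loads but lacks the ESTABLISHED,RELATED rule under a DROP policy silently breaks every outbound connection's replies.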
Using IPTables Match Extensions

Optionally, packet matching modules, or match extensions, can be loaded. Depending on the module loaded, even more options are available. To find out what additional options are available, load the module and then use the iptables -h command to learn more about the options; for example, iptables -m state -h prints the options of the state module after the generic help.

The meaning of most match extension options can be inverted by adding an exclamation point before the option. Options with this functionality are noted below with an optional exclamation point, [!], in the position where it goes. Modules are loaded with the -m or -p option. Unless noted, the modules are loaded with the -m <modulename> option; the tcp, udp, icmp, sctp, and dccp modules are loaded implicitly by -p <protocol>. Several -m modules can be combined in one rule, and a packet must satisfy all of them for the rule to match. The following match extensions are available:
account
    Gather traffic statistics for all systems within a network defined by its
    network/netmask combination.
    --aaddr <network/netmask>
        Network for which to gather statistics.
    --aname <name>
        Name of the statistics table. If a name is not provided, DEFAULT is used.
    --ashort
        Record short statistics.

addrtype
    Match packets based on their source and/or destination address type as the
    routing subsystem classifies it. The address type can be one of UNSPEC,
    UNICAST, LOCAL, BROADCAST, ANYCAST, MULTICAST, BLACKHOLE, UNREACHABLE,
    PROHIBIT, THROW, NAT, and XRESOLVE.
    --src-type <type>
        Type of source address used to match the rule.
    --dst-type <type>
        Type of destination address used to match the rule.

ah
    Match on the SPI in the Authentication Header of IPsec packets.
    --ahspi [!] <spi>[:<spi>]
        Single SPI or range of SPIs to match.

childlevel
    Match on the connection level of a packet. Most packets are at level 0;
    packets of connections spawned by them (such as an FTP data connection) are
    at level 1, and so on.
    --childlevel [!] <level>
        Connection level on which to match.
comment
    Attach a comment to a rule. It is shown when the rules are listed and is
    useful for recording why a rule exists.
    --comment <comment>
        Provide a comment of up to 256 characters.

condition
    Match if the run-time flag stored in /proc/net/ipt_condition/<name> is 1
    (or, when inverted, 0). This lets an administrator switch a rule on and off
    without reloading the rules.
    --condition [!] <name>
        Name of the flag file under /proc/net/ipt_condition/.

connbytes
    Match according to the number of bytes or packets transferred so far on the
    connection, or by the average number of bytes per packet.
    [!] --connbytes <from>[:<to>]
        Packets match if the number of packets, number of bytes, or average
        packet size of the connection is at least <from> and at most <to>. The
        <to> value providing an upper limit is optional.
    --connbytes-dir <type>
        Replace <type> with original, reply, or both to select which direction
        of the connection is counted.
    --connbytes-mode <mode>
        Replace <mode> with packets, bytes, or avgpkt to set what the lower and
        upper limits from --connbytes <from>:<to> are compared to.

connlimit
    Limit the number of parallel TCP connections from a client address or
    network.
    [!] --connlimit-above <num>
        Match if the number of existing TCP connections from the source is
        above <num>. Use with a DROP or REJECT target to cap connections per
        client; with !, the rule matches while the count is at or below the
        limit.
    --connlimit-mask <bits>
        Prefix length used to group source addresses, for example 24 to count
        all hosts of a /24 network together. The default, 32, counts each
        address separately.

connmark
    Match the netfilter mark of the connection the packet belongs to.
    --mark <mark>[/<mask>]
        Match connections whose mark, after applying the optional mask, equals
        <mark>.

connrate
    Match the current transfer rate of the connection.
    --connrate [!] <from>:<to>
        Match a transfer rate, in bytes per second, greater than <from> but less
        than <to>.
conntrack
    Match a packet according to the state of its connection as recorded by
    connection tracking. This is a superset of the state match.
    --ctstate <state>
        Replace <state> with a comma-separated list of states. Possible states:
        INVALID: Packet is not associated with any known connection.
        ESTABLISHED: Packet is associated with a connection that has seen
            packets in both directions.
        NEW: Packet starts a new connection, or is associated with a connection
            that has not yet seen packets in both directions.
        RELATED: Packet starts a new connection that is associated with an
            existing connection, such as an FTP data transfer or an ICMP error.
        SNAT: Original source address of the packet differs from the reply
            destination.
        DNAT: Original destination address of the packet differs from the reply
            source.
    --ctproto <proto>
        Match a given protocol by its name or number.
    --ctorigsrc [!] <address>[/<mask>]
        Match packets with the specified original source address. The address
        mask is optional.
    --ctorigdst [!] <address>[/<mask>]
        Match packets with the specified original destination address. The
        address mask is optional.
    --ctreplsrc [!] <address>[/<mask>]
        Match packets with the specified reply source address. The address mask
        is optional.
    --ctrepldst [!] <address>[/<mask>]
        Match packets according to the reply destination address. The address
        mask is optional.
    --ctstatus <status>
        Match packets according to the internal conntrack status of the
        connection: NONE, EXPECTED, SEEN_REPLY, or ASSURED.
    --ctexpire <time>[:<time>]
        Packets match if the remaining lifetime of the connection is within the
        given range, in seconds. The maximum time is optional.

dccp
    Match DCCP (Datagram Congestion Control Protocol) packets. Use with
    -p dccp.
    --source-port, --sport [!] <port>[:<port>]
        Match a single source port or, with a range, any port from the first
        through the second.
    --destination-port, --dport [!] <port>[:<port>]
        Match a single destination port or a range of ports.
    --dccp-types [!] <mask>
        Match if the DCCP packet type is in <mask>, a comma-separated list of
        types. Valid types are REQUEST, RESPONSE, DATA, ACK, DATAACK, CLOSEREQ,
        CLOSE, RESET, SYNC, SYNCACK, and INVALID.
    --dccp-option [!] <num>
        Match if the DCCP option with the given number is set.
dscp
    Match according to the 6-bit DSCP field within the TOS byte of the IP
    header.
    --dscp <value>
        Match if the DSCP value matches.
    --dscp-class <class>
        Match if the DSCP class matches the BE, EF, AFxx, or CSx class provided.

ecn
    Match the ECN bits of the IPv4 and TCP headers.
    --ecn-tcp-cwr
        Match if the TCP ECN CWR (Congestion Window Reduced) bit is set.
    --ecn-tcp-ece
        Match if the TCP ECN ECE (ECN Echo) bit is set.
    --ecn-ip-ect <num>
        Match a specific IPv4 ECT (ECN-Capable Transport) value. The number must
        be between 0 and 3.

esp
    Match on the SPI in the ESP header of IPsec packets.
    --espspi [!] <spi>[:<spi>]
        Single SPI or range of SPIs to match.

fuzzy
    Match the rate limit from the fuzzy logic controller.
    --lower-limit <num>
        Minimum rate limit in packets per second.
    --upper-limit <num>
        Maximum rate limit in packets per second.

hashlimit
    Match based on an upper limit of the average packet rate, like limit, but
    with a separate limit kept for each address, or address and port
    combination, as selected by --hashlimit-mode.
    --hashlimit <rate>
        Specify the rate as a number followed by /<time>, where <time> is
        second, minute, hour, or day.
    --hashlimit-burst <num>
        Maximum initial burst: the number of packets that can match before the
        rate limit takes effect. The allowance refills at the rate given by
        --hashlimit, up to this maximum. Default value is 5.
    --hashlimit-mode <mode>
        Replace <mode> with a comma-separated list of dstip, dstport, srcip,
        and srcport. A separate rate limit is tracked for each distinct
        combination of the listed fields.
    --hashlimit-name <name>
        Name of the /proc/net/ipt_hashlimit/<name> file.
    --hashlimit-htable-size <num>
        Number of buckets of the hash table.
    --hashlimit-htable-max <num>
        Maximum number of entries in the hash.
    --hashlimit-htable-expire <num>
        Hash entries expire after the defined number of milliseconds.
    --hashlimit-htable-gcinterval <num>
        Time interval between garbage collection runs, in milliseconds.
helper
    Match packets that belong to a connection handled by the named conntrack
    helper.
    --helper <string>
        Replace <string> with the name of the helper (such as ftp) if the
        service uses its default port, or the name followed by a hyphen and the
        port number, such as ftp-2121, for a helper attached to a non-standard
        port.

icmp
    Match based on ICMP type. Must be used in conjunction with -p icmp.
    --icmp-type [!] <type>
        <type> can be a numeric type, optionally followed by /code, or an ICMP
        type name such as echo-request; iptables -p icmp -h lists the valid
        names.

iprange
    Match according to an arbitrary IPv4 address range.
    [!] --src-range <ip>-<ip>
        Match if the source IP is within the given range.
    [!] --dst-range <ip>-<ip>
        Match if the destination IP is within the given range.
ipv4options
    Match based on IPv4 header options.
    --ssrr
        Match packets with the strict source routing option.
    --lsrr
        Match packets with the loose source routing option.
    --no-srr
        Match packets with no source routing option.
    [!] --rr
        Match packets with the record route option.
    [!] --ts
        Match packets with the timestamp option.
    [!] --ra
        Match packets with the router alert option.
    [!] --any-opt
        Match packets with at least one IP option.

length
    Match an exact packet length or a range of lengths. The length is that of
    the layer 3 packet, headers included.
    --length [!] <length>[:<length>]
        Define a length or range of lengths to match.

limit
    Match at a limited average rate, using a token bucket. Use it together with
    other matches and targets to throttle how often a rule fires; in front of
    the LOG target it keeps a flood from filling the log.
    --limit <rate>
        Upper average rate. The number can optionally be followed by /<time>,
        where <time> is second, minute, hour, or day. The default is 3/hour.
    --limit-burst <num>
        Maximum initial burst: the number of packets that can match before the
        rate limit takes effect. The allowance refills at the rate given by
        --limit, up to this maximum. Default value is 5.

mac
    Match the source MAC address of the packet. Only valid on Ethernet
    interfaces and for packets entering the PREROUTING, FORWARD, or INPUT chain.
    --mac-source [!] <address>
        <address> must be in the format XX:XX:XX:XX:XX:XX.
mark
    Match the netfilter mark field of the packet, as set earlier by the MARK
    target.
    --mark <value>[/<mask>]
        Define the mark value to match. The /<mask> is optional.

multiport
    Match packets with specific source or destination ports. Must be used with
    the -p tcp or -p udp option. <ports> is a comma-separated list of up to 15
    port numbers; a range can be written as low:high.
    --source-ports <ports>
        Define the source ports on which to match.
    --destination-ports <ports>
        Define the destination ports on which to match.
    --ports <ports>
        Match if either the source port or the destination port is in the given
        list.

nth
    Match every nth packet.
    --every <n>
        Match every nth packet.
    --counter <num>
        Use the specified counter. Must be from 0 to 15. Defaults to 0.
    --start <num>
        Start the counter at <num>. The counter starts at 0 if not specified.
    --packet <num>
        Match if the packet number is <num>.

osf
    Match data from the SYN packet against OS fingerprints (passive OS
    fingerprinting).
    --log <num>
        If set to 0, log all determined entries. If set to 1, log only the
        first determined entry. Logs are sent to syslog.
    --smart
        Use some smartness to determine the remote OS: use the initial TTL only
        if the connection source is in the local network.
    --netlink
        Log all events through netlink.
    --genre [!] <string>
        Match an OS genre by passive fingerprinting.
owner
    For packets created on this system, match characteristics of the process
    that created the packet. Only works in the OUTPUT chain. Some packets, such
    as ICMP replies generated by the kernel, don't match because they have no
    creating process. Of the options below, only --uid-owner and --gid-owner
    are dependable; the pid, sid, and cmd variants are not available on every
    kernel and cannot be matched safely on multiprocessor systems.
    --uid-owner <uid>
        Matches if the process that created the packet is owned by the given
        user (name or numeric ID).
    --gid-owner <gid>
        Matches if the process that created the packet has the given effective
        group ID.
    --pid-owner <pid>
        Matches if the process that created the packet has the given process ID.
    --sid-owner <sid>
        Matches if the process that created the packet is in the given session
        group.
    --cmd-owner <name>
        Matches if the process that created the packet has the given command
        name.

physdev
    Match based on the bridge port input and output devices.
    --physdev-in [!] <name>
        Name of the bridge port from which the packet was received. Only works
        if the packet entered in the INPUT, FORWARD, or PREROUTING chain. If
        the name ends in a +, then any interface beginning with the given name
        matches.
    --physdev-out [!] <name>
        Name of the bridge port from which the packet will be sent. Only works
        if the packet entered in the FORWARD, OUTPUT, or POSTROUTING chain. If
        the interface name ends in a +, then any interface beginning with this
        name will match.
    [!] --physdev-is-in
        Matches if the packet has entered through a bridge interface.
    [!] --physdev-is-out
        Matches if the packet will leave through a bridge interface.
    [!] --physdev-is-bridged
        Matches if the packet is being bridged and not routed. Only works in the
        FORWARD or POSTROUTING chain.

pkttype
    Match based on the link-layer packet type.
    --pkt-type <type>
        <type> must be one of unicast, broadcast, or multicast.
policy
    Match on the IPsec policy that applies to the packet.
    --dir <direction>
        <direction> must be in or out. in matches packets that were
        decapsulated on the way in; out matches packets that will be
        encapsulated on the way out. The value in only works in the PREROUTING,
        INPUT, and FORWARD chains. The value out only works in the POSTROUTING,
        OUTPUT, and FORWARD chains.
    --pol <value>
        Set <value> to ipsec to match packets subject to IPsec processing. Set
        <value> to none to match packets not subject to IPsec processing.
    --strict
        If used, the rule only matches if the policy matches the given elements
        exactly and in order. If not used, the rule matches if any element of
        the policy matches the defined criteria.
    --reqid <id>
        Match the reqid of the policy rule.
    --spi <spi>
        Match the SPI of the SA.
    --proto <proto>
        Match the encapsulation protocol, where <proto> is ah, esp, or ipcomp.
    --mode <mode>
        Match the encapsulation mode, where <mode> is tunnel or transport.
    --tunnel-src <addr>[/<mask>]
        Match the source end-point address of a tunnel mode SA. Can only be
        used if the mode is set to tunnel. The mask is optional.
    --tunnel-dst <addr>[/<mask>]
        Match the destination end-point address of a tunnel mode SA. Can only
        be used if the mode is set to tunnel. The mask is optional.
    --next
        Start the next element in the policy specification. Only valid when
        --strict is also used.

psd
    Try to detect TCP and UDP port scans.
    --psd-weight-threshold <threshold>
        Total weight of the latest TCP or UDP packets with different
        destination ports from the same host above which a port scan is
        reported.
    --psd-delay-threshold <delay>
        Window, in hundredths of a second, within which TCP or UDP packets with
        different destination ports from the same host count towards the
        weight.
    --psd-lo-ports-weight <weight>
        Weight of a packet with a privileged destination port, which are port
        numbers below 1024.
    --psd-hi-ports-weight <weight>
        Weight of a packet with a non-privileged destination port, which are
        port numbers 1024 and above.
quota
    Enforce a network quota by decrementing a byte counter with each packet.
    --quota <bytes>
        Total bytes allowed for the rule. The size of each matching packet is
        subtracted from it; once the quota is exhausted, the rule no longer
        matches.

random
    Randomly match a defined percentage of packets.
    --average <percent>
        Percentage of packets to match. If not defined, 50% is used.

realm
    Match the routing realm.
    --realm [!] <value>[/<mask>]
        Define the realm value to match. The mask is optional.

recent
    Dynamically build a list of source IP addresses and match against it. This
    allows rules such as "throttle hosts that connected more than N times in
    the last M seconds" without any userspace daemon. The list can be modified
    at any time.
    --name <name>
        Name the list. DEFAULT is used if a name is not defined. The list is
        stored in the /proc/net/ipt_recent/<name> file. Use --set or --remove
        to add or remove the source address of the packet to or from the list.
        Alternatively, to add an IP address to the list by hand (as root):
        echo xx.xx.xx.xx > /proc/net/ipt_recent/<name>
        To remove an IP address from the list:
        echo -xx.xx.xx.xx > /proc/net/ipt_recent/<name>
    [!] --set
        Add the source address of the packet to the list. This option always
        matches (or, when inverted, never matches), so it is normally combined
        with other matches and a target.
    [!] --rcheck
        Check if the source address of the packet is in the list.
    [!] --update
        Like --rcheck, but if the source address of the packet is in the list,
        also update its "last seen" timestamp.
    [!] --remove
        If the source address of the packet is in the list, remove it from the
        list.
    --seconds <seconds>
        Optional parameter that only allows a match if the address is in the
        list and was last seen within the defined number of seconds. Must be
        used with --rcheck or --update.
    --hitcount <hits>
        Optional parameter that causes a match only if the address is in the
        list and the number of packets received from it is greater than or
        equal to the defined value. Must be used with --rcheck or --update.
    --rttl
        Optional parameter that allows a match only if the address is in the
        list and the TTL of the current packet matches that of the packet that
        hit the --set rule. Must be used with --rcheck or --update.
sctp
    Match SCTP packets. Use with the -p option: -p sctp
    --source-port [!] <port>[:<port>]
        Specify the SCTP source port as an individual port or a range of ports.
    --destination-port [!] <port>[:<port>]
        Specify the SCTP destination port as an individual port or a range of
        ports.
    --chunk-types [!] <all|any|only> <chunktype>[:<flags>],...
        Specify all, any, or only to specify how to match the chunk type list:
        all of the listed types must be present, any of them may be present, or
        only the listed types may be present. Replace <chunktype> with a
        comma-separated list of chunk types. Chunk types: DATA, INIT, INIT_ACK,
        SACK, HEARTBEAT, HEARTBEAT_ACK, ABORT, SHUTDOWN, SHUTDOWN_ACK, ERROR,
        COOKIE_ECHO, COOKIE_ACK, ECN_ECNE, ECN_CWR, SHUTDOWN_COMPLETE, ASCONF,
        ASCONF_ACK. The <flags> are optional and are specific to certain chunk
        types. If a flag is in uppercase, the flag must be set; if it is in
        lowercase, the flag must be clear. The DATA chunk type has the flags U,
        B, E, u, b, and e. The ABORT and SHUTDOWN_COMPLETE chunk types both have
        the flags T and t.

set
    Match IP sets defined with ipset.
    --set <name> <flags>
        <flags> is src, dst, or both separated by a comma. If src is listed,
        packets match if the source address or port number is found in the IP
        set. If dst is listed, packets match if the destination address or port
        number is found in the IP set.
state
Allows access to connection tracking state for packets when used with connection tracking.
--state <state>
Replace <state> with a comma-separated list of connection states to match. Valid states are INVALID, ESTABLISHED, NEW, and RELATED. Refer to the conntrack entry for a description of the states.
string
Matches a user-defined string by using one of two pattern matching strategies.
--algo <strategy>
Replace <strategy> with bm to use the Boyer-Moore pattern matching strategy. Replace <strategy> with kmp to use the Knuth-Morris-Pratt pattern matching strategy.
--from <offset>
If set, start looking for a match after the defined offset. If not set, it starts at 0.
--to <offset>
If set, stop scanning for a match at the defined offset. If not set, the entire packet is scanned for the string.
--string <pattern>
Pattern to match.
--hex-string <pattern>
Pattern to match in hex notation.
tcp
If -p tcp is used, the following options can be used:
--source-port [!] <port>:<port>
TCP source port or port range to match. The port can be the service name or a port number.
--destination-port [!] <port>:<port>
TCP destination port or port range to match. The port can be the service name or a port number.
--tcp-flags [!] <flags> <comp>
Match TCP flags listed. <flags> should be a comma-separated list of flags to look at, and <comp> should be a comma-separated list of flags that must be set. To match, the flags in the <flags> list but not in <comp> must be unset and the flags in both lists must be set. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE.
CHAPTER 24 Configuring a Firewall 492
[!] --syn
Match only if the SYN bit is set and the ACK, RST, and FIN bits are cleared. These packets are trying to initiate a TCP connection.
--tcp-option [!] <num>
Match if the TCP option listed is set.
--mss <value>:<value>
Match TCP SYN or TCP SYN/ACK packets with the given MSS value or value range.
tcpmss
Match the TCP MSS field of the TCP header. This field controls the maximum packet size for the connection.
[!] --mss <value>:<value>
Match based on a value or a value range.
time
Define a range of arrival times and dates for packets to match.
--timestart <value>
Match if the current time is after the defined time, which is in the format HH:MM.
--timestop <value>
Match if the current time is before the defined time, which is in the format HH:MM.
--days <days>
Match if today is in the list of days, which is a comma-separated list of days. Correct day formats: Mon, Tue, Wed, Thu, Fri, Sat, Sun.
--datestop <date>
Match if the current date is before the defined date in the format YYYY[:MM[:DD[:hh[:mm[:ss]]]]]. The h, m, and s values start counting at 0.
tos
Match the TOS (Type of Service) field in the IP header.
--tos <tos>
Name or number to match. Execute iptables -m tos -h for a list of valid values.
ttl
Match the TTL (Time To Live) field in the IP header.
--ttl-eq <ttl>
Match defined TTL value.
--ttl-gt <ttl>
Match if TTL is greater than defined value.
--ttl-lt <ttl>
Match if TTL is less than defined value.
u32
Extract quantities of up to 4 bytes from a packet, AND them with specific masks, shift them by defined amounts, and test whether the results are in a defined range.
udp
If -p udp is used, the following can be used:
--source-port [!] <port>:<port>
UDP source port or port range to match. The port can be the service name or a port number.
--destination-port [!] <port>:<port>
UDP destination port or port range to match. The port can be the service name or a port number.
unclean
Tries to match packets that are malformed or unusual. Experimental.
Using IPTables Target Extensions
In addition to the four predefined targets (ACCEPT, DROP, QUEUE, and RETURN), the following target extensions are available:
BALANCE
Balance DNAT connections in a round-robin over a given range of destination addresses.
--to-destination <ip>-<ip>
Address range to round-robin.
CLASSIFY
Set the skb->priority value, which classifies the packet into a specific CBQ class.
--set-class <major>:<minor>
Set the major and minor classes.
CLUSTERIP
Set up a cluster of nodes that share an IP and MAC address without an explicit load balancer in front of them. Connections are statically distributed between defined nodes.
--new
Create new cluster.
--hashmode <hash>
Hashing mode to use. Must be one of sourceip, sourceip-sourceport, or sourceip-sourceport-destport.
--clustermac <mac>
MAC address of cluster. Has to be a link-layer multicast address.
--total-nodes <num>
Number of nodes in the cluster.
--local-node <num>
Local node number in the cluster.
--hash-init <rnd>
Random seed to use when initializing hash.
CONNMARK
Set netfilter mark value for the connection.
--set-mark <mark>[/<mask>]
Set connection mark. The <mask> is optional. If the mask is defined, only bits in the mask are modified.
--save-mark [--mask <mask>]
Copy netfilter packet mark value to the connection mark. The mask value is optional. If the mask is defined, only bits in the mask are copied.
--restore-mark [--mask <mask>]
Copy the connection mark value to the packet. The mask value is optional. If the mask is defined, only bits in the mask are copied. Can only be used with the mangle table.
DNAT
Can only be used with the nat table and in the PREROUTING and OUTPUT chains or in user-defined chains called from these two chains. Modifies the destination address of the packet and all future packets in the connection. Rules will not be examined for these mangled packets.
--to-destination <ipaddr>-<ipaddr>:<port>-<port>
Define the new destination IP or an IP range. Optionally define a port range if -p tcp or -p udp is used.
DSCP
Alter the value of the DSCP field within the TOS header of the IP version 4 packet. Only valid with the mangle table.
--set-dscp <dscp>
Set DSCP to a decimal or hex number.
--set-dscp-class <class>
Set DSCP to the defined class.
Using IPTables Target Extensions 495
ECN
Work around for known ECN blackholes. Only valid with the mangle table.
--ecn-tcp-remove
Remove all ECN bits from the TCP header. Only valid with -p tcp.
IPMARK
Mark a received packet based on its IP. Should be used in the mangle table with the PREROUTING, POSTROUTING, or FORWARD chains.
--addr <address>
Use the source or destination IP address (src or dst).
--and-mask <mask>
AND the IP and defined mask.
--or-mask <mask>
OR the IP and defined mask.
IPV4OPTSSTRIP
Strip IP options from packet.
LOG
Enable kernel logging for matching packets. Logs go to dmesg or syslog.
--log-level <level>
Log level specified as a number or the syslog log level name.
--log-prefix <prefix>
Define a prefix for the log messages up to 29 letters.
--log-tcp-sequence
Log TCP sequence numbers.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
--log-uid
Log UID of the process that generated the packet.
MARK
Set netfilter mark value for packet. Only valid with mangle table.
--set-mark <mark>
Define mark to use.
MASQUERADE
Masquerade the IP address of the network interface from which the packet is leaving. Connections are forgotten when the interface goes down. Only for dialup connections without a static IP address. For static IPs, use the SNAT target. Can only be used with the nat table in the POSTROUTING chain.
--to-ports <port>-<port>
Range of source ports to use. Only works if -p tcp or -p udp is used.
MIRROR
Invert the source and destination fields in the IP header and send the packet again. Can only be used in the INPUT, FORWARD, and PREROUTING chains or user-defined chains called from these chains. Experimental.
NETMAP
Statically map a network of addresses onto another one. Only works with the nat table.
--to <address>[/<mask>]
Which network address on which to map. The mask is optional.
NFQUEUE
Extension of the QUEUE target. Allows the packet to be placed in a specific queue.
--queue-num <num>
16-bit queue number in which to place the packet, from 0 to 65535. Defaults to 0.
NOTRACK
Disable connection tracking for packets matching the rule. Only works with the raw table.
REDIRECT
Redirect packet to the local host by modifying the destination IP to the primary address of the incoming network interface. Only works with the nat table in the PREROUTING and OUTPUT chains or a user-defined chain called from these chains.
--to-ports <port>-<port>
Individual destination port or port range. Must only be used with -p tcp or -p udp.
REJECT
If packet matches, an error packet is sent back as a response. Only works with the INPUT, FORWARD, and OUTPUT chains or a user-defined chain called from these chains.
--reject-with <type>
The error message sent back depends on the type chosen. The icmp-port-unreachable type is the default. Valid types: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, icmp-admin-prohibited.
ROUTE
Change the default routing. Must be used with the mangle table.
--oif <nic>
Route through the defined NIC.
--iif <nic>
Modify incoming interface of packet to defined NIC.
--gw <ip>
Route the packet through the defined gateway.
--continue
Act like a nonterminating target and keep processing the rules. Can't be used with --iif or --tee.
--tee
Route a copy of the packet to the given destination. The original packet acts like a nonterminating target and keeps processing the rules. Can't be used with --iif or --continue.
SAME
Gives each client the same source and destination address for each connection based on a range.
--to <ip>-<ip>
Range of IP addresses to use.
--nodst
When calculating the source address, don't take the destination address into consideration.
SET
Add or delete from IP sets defined by ipset.
--add-set <setname> <flags>
Add addresses or ports to the named set. <flags> is a comma-separated list, which can be src and/or dst.
--del-set <setname> <flags>
Delete addresses or ports from the named set. <flags> is a comma-separated list, which can be src and/or dst.
SNAT
Modify the source address of the packet and all new packets from the same connection. Do not process any more rules. Must be used in combination with the nat table in the POSTROUTING chain.
--to-source <ipaddr>-<ipaddr>:<port>-<port>
Define a new source IP or a range for the new source IP. Optionally, provide a port range, which can only be used with -p tcp or -p udp. If a port range is not defined, ports below 512 are changed to other ports below 512, ports from 512 to 1023 are mapped to ports below 1024, and all other ports are mapped to port 1024 and above.
TARPIT
Without using local per-connection resources, capture and hold incoming TCP connections. After connections are accepted, they are instantly changed to the persist state so the remote side stops sending data but continues requests every 60 to 240 seconds. Requests to close the connection are not accepted, which causes the connection to time out in 12 to 24 minutes.
TCPMSS
Used to control the maximum connection size. Alter the MSS value of TCP SYN packets. Only valid with -p tcp in the mangle table.
--set-mss <mss>
Set MSS to defined value.
--clamp-mss-to-pmtu
Clamp MSS value to 40 less than path_MTU.
TOS
Set the 8-bit TOS field in IP header. Only works with the mangle table.
--set-tos <tos>
Numerical value of TOS to use or the TOS name. Use the iptables -j TOS -h command to retrieve a list of TOS names.
TRACE
Enable packet tracing for packets that match the rule.
TTL
Change the IP version 4 TTL (Time To Live) header field, which defines how many times a packet can be re-routed before its time to live expires. Must be used in conjunction with the mangle table. Dangerous. Use with extreme caution.
--ttl-set <ttl>
Set TTL value.
--ttl-dec <amount>
Decrease TTL value by defined amount.
--ttl-inc <amount>
Increase TTL value by defined amount.
ULOG
User-space logging for packets that match the rule. Packet is multicast through a netlink socket so userspace processes can subscribe to it and receive the packets.
--ulog-nlgroup <nlgroup>
Packet is sent to the chosen netlink group, defined by a number from 1 to 32. Defaults to 1.
--ulog-prefix <prefix>
Define a prefix up to 32 characters for the log messages to set them apart from other messages.
--ulog-cprange <num>
Number of bytes to copy to user-space. If set to 0, the whole packet is copied. Defaults to 0.
--ulog-qthreshold <num>
How many packets to queue inside the kernel before transmitting them as one multi-part netlink message. Defaults to 1.
XOR
Encrypt TCP and UDP traffic using XOR encryption. XOR with a fixed key is obfuscation rather than cryptographic protection: anyone who recovers the key, or compares the traffic against known plaintext, can read it.
--key <string>
Set a key.
--block-size <size>
Set block size.
Starting and Stopping the IPTables Service
The IPTables service can be started and stopped using the iptables service. The script to manage the service has many other options. As root, the following <options> can be used with the service iptables <options> command:
start: Start service with the rules defined in /etc/sysconfig/iptables.
stop: Flush firewall rules, delete chains, unload kernel modules, and set policy to accept all packets again.
restart: Stop the service, then start it again.
condrestart: Stop the service, then start it again but only if it is already running.
save: Save current rules in /etc/sysconfig/iptables.
status: If firewall is active, display output of rules.
panic: Same as stop, but after the firewall is disabled, the policy is set to drop all packets.
To activate the firewall at boot time, execute the following as root:
chkconfig iptables on
Saving the IPTables Rules
IPTables rules can be set on the command line by issuing the iptables commands one by one as root. However, they are only in effect until the system is rebooted or the table of rules is cleared. They are not saved. Executing individual iptables commands is useful for testing the syntax of new rules or watching how they affect packets in real-time. However, at some point, the rules need to be saved so that they can be used on subsequent reboots. After setting up your rules, use the following command as root to save them to /etc/sysconfig/iptables:
service iptables save
The next time the system is rebooted and the iptables service is started, the rules are read from the file and re-enabled.
Alternately, you can add your IPTables rules directly to the /etc/sysconfig/iptables file.
IPTables Examples
With so many tables, chains, and targets, the possible IPTables rules seem endless. This section gives some common examples to help you understand how it all fits together.
Flush rules for the INPUT, FORWARD, and OUTPUT chains:
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
Drop all incoming and forwarding packets but allow outgoing packets to be sent:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
To allow incoming and outgoing connections to the port used for a network service (incoming requests arrive with the service port as their destination port, and the replies leave with it as their source port):
iptables -A INPUT -p tcp --dport <port> -j ACCEPT
iptables -A OUTPUT -p tcp --sport <port> -j ACCEPT
IPTables Examples 501
For example, to allow SSH connections:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
On an internal webserver with eth1 connected to the internal network and eth0 connected to the Internet, only accept web connections from internal clients on port 80, assuming all internal packets are routed to eth1. Drop all packets coming from the Internet, regardless of the port. (The OUTPUT chain has no incoming interface, so the outgoing rule uses -o for the interface the replies leave on.)
iptables -A INPUT -i eth0 -j DROP
iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -o eth1 -j ACCEPT
Allow the server to masquerade packets from other systems using it as a gateway:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For this to work, IP forwarding must also be enabled in the kernel by changing the value of net.ipv4.ip_forward to 1 in /etc/sysctl.conf by the root user:
net.ipv4.ip_forward=1
Changes to this file do not take effect until the sysctl -p command is executed by root.
Using the connlimit match extension, limit the number of simultaneous SSH connections to the server per client IP address to 3. Because rules are evaluated in order, this rule must come before the rule that accepts SSH:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
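As an added example (not from the book), the following Python script parses a saved rule file in the format that service iptables save writes to /etc/sysconfig/iptables and checks the points the examples above rely on: DROP policies on INPUT and FORWARD, a connlimit rule guarding SSH, rule order (a blanket interface DROP placed above an ACCEPT shadows it), and the ip_forward requirement when MASQUERADE is used. The rule file is a constructed sample and the function names are assumptions of this example.

```python
"""Added example: check a saved IPTables rule file (iptables-save format,
as written to /etc/sysconfig/iptables) for the hardening points above."""
import re

# Constructed sample in iptables-save format; not taken from a real system.
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j DROP
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_saved_rules(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}.

    Each rule is a dict with its chain, jump target and the raw rule spec.
    """
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                  # chain policy line
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A "):                # appended rule
            parts = line.split()
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            tables[current]["rules"].append(
                {"chain": parts[1], "target": target, "spec": line})
        elif line == "COMMIT":
            current = None
    return tables


def _opt(spec, flag):
    """Return the argument following `flag` in a rule spec, or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), spec)
    return m.group(1) if m else None


def shadowed_rules(rules):
    """Return specs of ACCEPT rules that can never match because an earlier
    rule in the same chain already drops everything arriving on that
    interface (a DROP/REJECT whose only match is -i, as in the eth0 example)."""
    shadowed, blanket = [], {}      # blanket[chain] = interfaces dropped wholesale
    for r in rules:
        iface = _opt(r["spec"], "-i")
        only_iface = " -p " not in r["spec"] and "--dport" not in r["spec"]
        if r["target"] in ("DROP", "REJECT") and iface and only_iface:
            blanket.setdefault(r["chain"], set()).add(iface)
        elif r["target"] == "ACCEPT" and iface in blanket.get(r["chain"], ()):
            shadowed.append(r["spec"])
    return shadowed


def audit_firewall(tables):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    filt = tables.get("filter")
    if filt is None:
        return ["no filter table found"]
    for chain in ("INPUT", "FORWARD"):
        if filt["policy"].get(chain) != "DROP":
            findings.append("%s policy is %s, not DROP"
                            % (chain, filt["policy"].get(chain)))
    ssh_accept = [r for r in filt["rules"] if r["chain"] == "INPUT"
                  and r["target"] == "ACCEPT" and _opt(r["spec"], "--dport") == "22"]
    ssh_limit = [r for r in filt["rules"] if "-m connlimit" in r["spec"]
                 and _opt(r["spec"], "--dport") == "22"]
    if ssh_accept and not ssh_limit:
        findings.append("SSH accepted without a connlimit rule")
    for spec in shadowed_rules(filt["rules"]):
        findings.append("rule never matches (shadowed by earlier DROP): " + spec)
    if any(r["target"] == "MASQUERADE"
           for r in tables.get("nat", {}).get("rules", [])):
        findings.append("MASQUERADE in use: net.ipv4.ip_forward must be 1")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(parse_saved_rules(SAMPLE_RULES)):
        print(finding)
```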
Enabling the Default Firewall
If you just need to set which ports should accept connections and which ports should deny requests for connections, you can enable the default Red Hat Enterprise Linux firewall and then specify specific ports on which to allow connections. This default firewall is a predefined set of IPTables rules. Using this default set of rules and then adding ports on which to accept connections instead of writing your own custom IPTables rules works best for desktop systems that aren't offering any server or network services and single-purpose systems that only need to accept connections on specific ports such as the FTP port for an FTP server.
To enable the default firewall, use the Security Level Configuration program in Red Hat Enterprise Linux. To start the program, select Administration, Security Level and Firewall from the System menu on the top panel on the desktop or execute the system-config-securitylevel command. This is the same application used in the Setup Agent the first time the system is booted as mentioned in Chapter 2, "Post-Installation Configuration." If you configured a security level with the Setup Agent, it can be modified with this tool at any time. To use this program, you must have the system-config-securitylevel RPM package installed. Refer to Chapter 3 for details on installing software.
As shown in Figure 24.1, there are two tabs in the application: Firewall Options and SELinux. The Firewall Options tab is for enabling or disabling the default firewall.
Enabling the Default Firewall 503
FIGURE 24.1 Enabling the Security Level
Start by selecting Enabled or Disabled from the Firewall pull-down menu. If you choose Disabled, a security level is not implemented and your system will accept connections to all ports with services running on them unless SELinux, custom IPTables rules, or other security measures have been enabled instead.
Selecting Enabled rejects all connections to all ports except the ones selected from the Trusted services list or added to the Other ports list. Notice that SSH is selected by default. The following trusted services can be selected so their default ports accept connections:
FTP
Mail (SMTP)
NFS4
SSH
Samba
Secure WWW (HTTPS)
Telnet
WWW (HTTP)
To accept connections to additional ports, click the arrow beside Other ports to display the input box. For each port to add, click Add. A dialog window as shown in Figure 24.2 appears prompting for a port number and the protocol (tcp or udp). Click OK to add it to the port list.
FIGURE 24.2 Adding Additional Ports
If you are logged in remotely via SSH, be sure to select SSH as a trusted service so you remain connected to the system. Finally, click OK in the main window to enable the firewall.
The security level tool uses IPTables rules to configure the firewall for commonly used services. After setting which services to allow, the rules are written to /etc/sysconfig/iptables. The iptables service must be running as discussed earlier in the chapter for the firewall to work. When the firewall is enabled in the system-config-securitylevel tool, the system is automatically configured to start the iptables service at boot-time, and it is immediately started if it is not already on.
CAUTION
Do not use the system-config-securitylevel program after writing and saving custom rules because the custom rules will be overwritten when a new /etc/sysconfig/iptables file is written by the program.
Summary
As you have read, IPTables offers very simple to extremely complex packet filtering. It can be used to block all connection requests, only allow requests for a specific port through, limit the number of simultaneous connections per client while logging the state of the connections, forward requests to a different server, modify the destination of a packet, and more. If you just need a simple firewall to block all connections except ones on specific ports, you can enable the basic Red Hat Enterprise Linux firewall using the Security Level graphical application.
IN THIS CHAPTER
Configuring the Audit Daemon
Writing Audit Rules and Watches
Starting and Stopping the Daemon
Analyzing the Records
Tracing a Process with Audit
CHAPTER 25
Linux Auditing System
The 2.6 Linux kernel has the ability to log events such as system calls and file access. These logs can then be reviewed by the administrator to determine possible security breaches such as failed login attempts or a user failing to access system files. This functionality, called the Linux Auditing System, is available in Red Hat Enterprise Linux 5.
To use the Linux Auditing System, use the following steps:
Configure the audit daemon.
Add audit rules and watches to collect desired data.
Start the daemon, which enables the Linux Auditing System in the kernel and starts the logging.
Periodically analyze data by generating audit reports and searching the logs.
This chapter discusses each of these steps in detail.
Configuring the Audit Daemon
The Linux Auditing System in the kernel is turned off by default in Red Hat Enterprise Linux 5. When the audit daemon is started, this kernel feature is enabled. To enable the Linux Auditing System at startup without using the daemon auditd, boot with the audit=1 parameter. If this parameter is set to 1 and auditd is not running, the audit logs are written to /var/log/messages.
To use auditd and the utilities for generating log file reports, the audit RPM package must be installed. If it is not installed, refer to Chapter 3, "Operating System Updates," for instructions on package installation.
Using auditd allows the administrator to customize the audit logs produced. The following are just some of the customizations available:
Setting a dedicated log file for audit messages
Determining whether or not the log file is rotated
Enabling warnings if the log files start to take up too much disk space
Configuring audit rules to log more detailed information
Activating file and directory watches
These settings and more are configured in the /etc/audit/auditd.conf file, which contains options to modify the behavior of the audit daemon. Each option should be on a separate line followed by an equals sign (=) and the value for the option. Listing 25.1 shows the default configuration file.
LISTING 25.1 Default Audit Daemon Parameters
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
The following options can be configured (refer to Listing 25.1 for the default values):
log_file
Full path to the audit log file. If you configure the daemon to write logs to a directory other than the default /var/log/audit/, be sure to change the file permissions on it so that only root has read, write, and execute permissions. All other users should not be able to access the directory or the log files in the directory.
CHAPTER 25 Linux Auditing System 506
log_format
Format to use when writing logs. When set to RAW, the data is written to the log file in the exact format retrieved from the kernel. When set to NOLOG, data is not written to the log file, but data is still sent to the audit event dispatcher if one is specified with the dispatcher option.
priority_boost
How much of a priority boost the audit daemon should take. Must be a non-negative number with 0 indicating no change.
flush
How often to write data to log file. Value can be one of NONE, INCREMENTAL, DATA, and SYNC. If set to NONE, no special effort is made to flush data to the log file. If set to INCREMENTAL, the value of the freq option is used to determine how often a flush to disk occurs. If set to DATA, the audit data and log file are in constant synchronization. If set to SYNC, the data and meta-data are synchronized with every write to the log file.
freq
If flush is set to INCREMENTAL, the number of records the audit daemon receives from the kernel before writing them to the log file.
num_logs
Number of log files to keep if max_log_file_action is set to ROTATE. Must be a number from 0 to 99. If set to less than 2, logs are not rotated. If the number of log files is increased, it might be necessary to increase the kernel backlog setting in /etc/audit/audit.rules to allow time for the log rotation. If a num_logs value is not set, it defaults to 0, which means the log file is never rotated.
dispatcher
Program started by the audit daemon when the daemon is started. All audit events are passed to the program. It can be used to further customize reports or produce them in a different format compatible with your custom analysis programs. Sample code for a customized program can be found in /usr/share/doc/audit-<version>/skeleton.c. The dispatcher program is run with root privileges, so practice extreme caution when using this option. This option is not required.
disp_qos
Controls the type of communication between the dispatcher and the audit daemon. Valid values are lossy and lossless. If set to lossy, incoming events sent to the dispatcher are discarded if the buffer between the audit daemon and dispatcher is full (the buffer is 128 kilobytes). However, events are still written to disk as long as log_format is not set to NOLOG. If set to lossless, the daemon waits for the buffer to have sufficient space before sending the event to the dispatcher and before writing the log to disk.
Configuring the Audit Daemon 507
max_log_file
Maximum log file size, in megabytes. When this size is reached, the action specified with max_log_file_action is taken.
max_log_file_action
Action to take when the log file size from max_log_file is reached. Value must be one of IGNORE, SYSLOG, SUSPEND, ROTATE, and KEEP_LOGS. If set to IGNORE, no action is taken after the log file size reaches max_log_file. If set to SYSLOG, a warning is written to the system log /var/log/messages after the file size is reached. If set to SUSPEND, audit messages aren't written to the log file after the file size is reached. If set to ROTATE, the log file is rotated after reaching the specified file size, but only a certain number of old log files are saved as set by the num_logs parameter. The old log files will have the filename audit.log.N, where N is a number. The larger the number, the older the log file. If set to KEEP_LOGS, the log file is rotated, but the num_logs parameter is ignored so that no log files are deleted.
space_left
Amount of free disk space in megabytes. When this level is reached, the action from the space_left_action parameter is taken.
space_left_action
When the amount of free disk space reaches the value from space_left, this action is taken. Valid values are IGNORE, SYSLOG, EMAIL, SUSPEND, SINGLE, and HALT. If set to IGNORE, no action is taken. If set to SYSLOG, a warning message is written to the system log /var/log/messages. If set to EMAIL, an email is sent to the address from action_mail_acct, and a warning message is written to /var/log/messages. If set to SUSPEND, no more log messages are written to the audit log file. If set to SINGLE, the system is put in single user mode. If set to HALT, the system is shut down.
action_mail_acct
Email address of the administrator responsible for maintaining the audit daemon and logs. If the address does not have a hostname, it is assumed the address is local such as root. sendmail must be installed and configured to send email to the specified email address.
admin_space_left
Amount of free disk space in megabytes. Use this option to set a more aggressive action than space_left_action in case the space_left_action does not cause the administrator to free any disk space. This value should be lower than space_left. If this level is reached, the action from admin_space_left_action is taken.
admin_space_left_action
Action to take when the amount of free disk space reaches admin_space_left. Valid values are IGNORE, SYSLOG, EMAIL, SUSPEND, SINGLE, and HALT. The actions associated with these values are the same as the ones from space_left_action.
disk_full_action
Take this action if the partition containing the audit log file becomes full. Possible values are IGNORE, SYSLOG, SUSPEND, SINGLE, and HALT. The actions associated with these values are the same as the ones from space_left_action.
TIP
If the audit log files are not rotated, the partition containing /var/log/audit/ can become full and cause system errors. Thus, it is recommended that /var/log/audit/ be a separate dedicated partition.
disk_error_action
Action to take if an error is detected while writing audit logs or rotating the audit log files. The value must be one of IGNORE, SYSLOG, SUSPEND, SINGLE, and HALT. The actions associated with these values are the same as the ones from space_left_action.
The /etc/sysconfig/auditd file can be used to set command-line options for auditd with the EXTRAOPTIONS parameter. The only command line option, -f, puts the daemon in debugging mode. If debugging mode is enabled, messages go to standard error instead of the log file. The AUDITD_LANG setting can be used to change the locale for the daemon. If set to none, all locale information is removed from the audit environment. If the AUDITD_CLEAN_STOP option is set to yes, audit rules and watches are deleted when the audit daemon is stopped with the service auditd stop command. For more information on audit rules, refer to the next section.
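As an added example, not part of the book or the audit package, the following Python linter parses an auditd.conf file and checks the settings described above against each other: option values outside the documented sets, num_logs below 2 combined with ROTATE (no rotation), admin_space_left not lower than space_left, and options that need a companion such as freq or action_mail_acct. The configuration text is a constructed variant of Listing 25.1 with two deliberate mistakes, and the function names are this example's own.

```python
"""Added example: parse /etc/audit/auditd.conf and check the option
semantics documented above so a misconfigured daemon is caught early."""

# Constructed sample: Listing 25.1's defaults with two deliberate problems
# (num_logs below 2 disables rotation; admin_space_left above space_left).
SAMPLE_CONF = """\
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 1
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 80
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

# Documented value sets, keyed by option name.
SPACE_ACTIONS = {"IGNORE", "SYSLOG", "EMAIL", "SUSPEND", "SINGLE", "HALT"}
DISK_ACTIONS = {"IGNORE", "SYSLOG", "SUSPEND", "SINGLE", "HALT"}
VALID = {
    "log_format": {"RAW", "NOLOG"},
    "flush": {"NONE", "INCREMENTAL", "DATA", "SYNC"},
    "disp_qos": {"lossy", "lossless"},
    "max_log_file_action": {"IGNORE", "SYSLOG", "SUSPEND", "ROTATE", "KEEP_LOGS"},
    "space_left_action": SPACE_ACTIONS,
    "admin_space_left_action": SPACE_ACTIONS,
    "disk_full_action": DISK_ACTIONS,
    "disk_error_action": DISK_ACTIONS,
}


def parse_auditd_conf(text):
    """Return the option/value pairs as a dict; one `name = value` per line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[name.strip()] = value.strip()
    return conf


def lint_auditd_conf(conf):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    for name, allowed in VALID.items():
        if name in conf and conf[name] not in allowed:
            findings.append("%s: invalid value %r" % (name, conf[name]))
    # num_logs is 0 when unset, which also means no rotation.
    num_logs = int(conf.get("num_logs", "0"))
    if conf.get("max_log_file_action") == "ROTATE" and num_logs < 2:
        findings.append("num_logs=%d: logs are never rotated; "
                        "/var/log/audit can fill up" % num_logs)
    if not 0 <= num_logs <= 99:
        findings.append("num_logs must be between 0 and 99")
    space = int(conf.get("space_left", "0"))
    admin = int(conf.get("admin_space_left", "0"))
    if admin >= space:
        findings.append("admin_space_left (%d MB) should be lower than "
                        "space_left (%d MB)" % (admin, space))
    if conf.get("flush") == "INCREMENTAL" and "freq" not in conf:
        findings.append("flush=INCREMENTAL needs a freq value")
    if conf.get("log_format") == "NOLOG" and not conf.get("dispatcher"):
        findings.append("log_format=NOLOG with no dispatcher: events are lost")
    email_used = "EMAIL" in (conf.get("space_left_action"),
                             conf.get("admin_space_left_action"))
    if email_used and not conf.get("action_mail_acct"):
        findings.append("an EMAIL action needs action_mail_acct")
    if "dispatcher" in conf and not conf["dispatcher"].startswith("/"):
        findings.append("dispatcher should be an absolute path (it runs as root)")
    return findings


if __name__ == "__main__":
    for finding in lint_auditd_conf(parse_auditd_conf(SAMPLE_CONF)):
        print(finding)
```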
Writing Audit Rules and Watches
The Linux Auditing System can be used to write rules for events such as system calls and to watch operations on files or directories using the auditctl command-line utility. If the initialization script is used to start auditd (using the service auditd start command), the rules and watches can be added to /etc/audit/audit.rules so they are executed when the daemon is started. Only the root user can read or modify this file.
Each rule and watch in /etc/audit/audit.rules must be on its own line, with lines beginning with # being ignored. The rules and watches are the auditctl command-line options without the auditctl command preceding them. They are read from the top of the file to the bottom. If one or more rules or watches conflict with each other, the first one found is used.
Writing Audit Rules and Watches 509
Writing Audit Rules
To add an audit rule, use the following syntax in the /etc/audit/audit.rules file:
-a <list>,<action> <options>
CAUTION
If you add rules to /etc/audit/audit.rules while the daemon is running, be sure to enable the changes with the service auditd restart command as root. The service auditd reload command can also be used, but you will not be notified of configuration file errors.
The list name must be one of the following:
task
Per task list. It is only used when a task is created. Only fields known at creation time such as UID can be used with this list.
entry
System call entry list. Used when entering a system call to determine if an audit event should be created.
exit
System call exit list. Used when exiting a system call to determine if an audit event should be created.
user
User message filter list. The kernel uses this list to filter user space events before passing them on to the audit daemon. The only valid fields are uid, auid, gid, and pid.
exclude
Event type exclusion filter list. Used to filter events the administrator doesn't want to see. Use the msgtype field to specify message types you don't want to log.
The action must be one of the following:
never
Do not generate audit records.
always
Allocate audit context, always fill it in at system call entry, and always write an audit record at system call exit.
The <options> can include one or more of the following:
-S <syscall>
Specify a system call by name or number. To specify all system calls, use all as the system call name. Start an audit record if a program uses this system call. Multiple system calls can be specified for the same rule, and each one must start with -S. Specifying multiple system calls in the same rule instead of listing separate rules will result in better performance because only one rule has to be evaluated.
-F <name=,!=,<,>,<=,>=value>
Specify a rule field. If multiple fields are specified for a rule, all fields must be true to start an audit record. Each field must start with -F, and up to 64 fields may be specified. If usernames and group names are used as fields instead of UIDs and GIDs, they are resolved to UIDs and GIDs for the matching. The following are valid field names:
pid
Process ID.
ppid
Process ID of the parent process.
uid
User ID.
euid
Effective user ID.
suid
Set user ID.
fsuid
Filesystem user ID.
gid
Group ID.
egid
Effective group ID.
sgid
Set group ID.
fsgid
Filesystem group ID.
auid
Audit ID, or the original ID the user logged in with.
msgtype
Message type number. Should only be used on the exclude filter list.
pers
OS personality number.
arch
Processor architecture of the system call. Specify the exact architecture
such as i686 (can be retrieved from the uname -m command) or b32 to
use the 32-bit system call table or b64 to use the 64-bit system call table.
devmajor
Device major number.
devminor
Device minor number.
inode
Inode number.
exit
Exit value from the system call.
success
Success value of the system call. Use 1 for true/yes and 0 for false/no.
a0, a1, a2, a3
First four arguments to the system call, respectively. Only numerical
values can be used.
key
Set a filter key with which to tag audit log messages for the event. See
Listing 25.2 and Listing 25.3 for examples. Similar to the -k option used
when adding watches. Refer to "Writing Audit Rules and Watches" for
details about the -k option.
obj_user
SELinux user for the resource.
obj_role
SELinux role for the resource.
obj_type
SELinux type for the resource.
obj_lev_low
SELinux low level for the resource.
obj_lev_high
SELinux high level for the resource.
subj_user
SELinux user for the program.
subj_role
SELinux role for the program.
subj_type
SELinux type for the program.
subj_sen
SELinux sensitivity for the program.
subj_clr
SELinux clearance for the program.
The -a option appends the rule to the list. To add the rule to the beginning of the list,
replace -a with -A. Deleting a rule has the same syntax except -a is replaced by -d. To
delete all rules, specify the -D option. Listing 25.2 contains some example audit rules for
/etc/audit/audit.rules.
LISTING 25.2 Example Audit Rules
#Record all file opens from user 501
#use with caution since this can quickly
#produce a large quantity of records
-a exit,always -S open -F uid=501 -F key=501open
#Record file permission changes
-a entry,always -S chmod
TIP
If the audit package is installed, additional examples are in the *.rules files in the
/usr/share/doc/audit-<version>/ directory.
When an action from the defined rules occurs, it is sent through the dispatcher if one is
defined in /etc/audit/auditd.conf, and then a log message is written to
/var/log/audit/audit.log. For example, Listing 25.3 contains the log entry for the first
rule in Listing 25.2, which logs file opens from user 501. The rule includes a filter key,
which appears at the end of the log entry in Listing 25.3.
LISTING 25.3 Example Audit Rule Log Message
type=SYSCALL msg=audit(1168206647.422:5227): arch=c000003e syscall=2 success=no
exit=-2 a0=7fff37fc5a40 a1=0 a2=2aaaaaaab000 a3=0 items=1 ppid=26640 pid=2716
auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501
tty=pts5 comm="vim" exe="/usr/bin/vim" key="501open"
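Reading a raw SYSCALL record such as the one in Listing 25.3 takes some decoding: the syscall number only means something together with the arch field, a negative exit value is an errno, and quoted fields carry their quotes. The shell functions below are an added example, not code from the book, that pull single fields out of a record, map the arch and syscall numbers for the x86_64 entries that appear in this chapter (a constructed subset of the table; anything else reports unknown), and print a one-line summary. The record is the one from Listing 25.3, joined onto a single line.

```shell
# Added example (not from the book): decode fields of a raw SYSCALL record.

# Record copied from Listing 25.3 (one line; the book wraps it for print).
SAMPLE_RECORD='type=SYSCALL msg=audit(1168206647.422:5227): arch=c000003e syscall=2 success=no exit=-2 a0=7fff37fc5a40 a1=0 a2=2aaaaaaab000 a3=0 items=1 ppid=26640 pid=2716 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts5 comm="vim" exe="/usr/bin/vim" key="501open"'

# audit_field RECORD NAME: print the value of NAME=... with surrounding quotes
# removed. Tokens are split on whitespace and must start with NAME=, so asking
# for "id" does not match uid= or pid=.
audit_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        { for (i = 1; i <= NF; i++)
              if (index($i, f "=") == 1) {
                  v = substr($i, length(f) + 2)
                  gsub(/^"|"$/, "", v)
                  print v
                  exit
              } }'
}

# audit_arch_name ARCH: the arch field is the kernel AUDIT_ARCH_* constant in hex.
# Only the two values relevant to this chapter are mapped.
audit_arch_name() {
    case "$1" in
        c000003e) echo x86_64 ;;
        40000003) echo i386 ;;
        *)        echo unknown ;;
    esac
}

# audit_syscall_name ARCH NUMBER: constructed subset of the x86_64 system call
# table covering the calls in Listings 25.2, 25.3 and 25.5. The same number means
# a different call on another architecture, so the arch is part of the lookup.
audit_syscall_name() {
    case "$1:$2" in
        c000003e:2)  echo open ;;
        c000003e:82) echo rename ;;
        c000003e:90) echo chmod ;;
        *)           echo unknown ;;
    esac
}

# audit_summarize RECORD: one readable line per record. A negative exit value is
# -errno; -2 is ENOENT, so the open in Listing 25.3 failed because the file did
# not exist.
audit_summarize() {
    rec=$1
    arch=$(audit_field "$rec" arch)
    printf '%s on %s by uid=%s auid=%s exe=%s success=%s exit=%s key=%s\n' \
        "$(audit_syscall_name "$arch" "$(audit_field "$rec" syscall)")" \
        "$(audit_arch_name "$arch")" \
        "$(audit_field "$rec" uid)" "$(audit_field "$rec" auid)" \
        "$(audit_field "$rec" exe)" "$(audit_field "$rec" success)" \
        "$(audit_field "$rec" exit)" "$(audit_field "$rec" key)"
}

audit_summarize "$SAMPLE_RECORD"
```

Because the lookup is keyed on arch as well as number, a record from a 32-bit process (arch=40000003) is reported as unknown rather than silently misnamed, which is the failure mode a hand-written grep for syscall=2 would hide.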
Writing Audit Watches
The Linux Auditing System also allows administrators to watch files and directories. If a
watch is placed on a file or directory, successful and failed actions such as opening and
executing the file or directory are logged. To add watches, use the -w option followed by a
file or directory to watch.
CAUTION
If you add watches to /etc/audit/audit.rules while the daemon is running, be sure to
enable the changes with the service auditd restart command as root. The
service auditd reload command can also be used, but you will not be notified of
configuration file errors.
Listing 25.4 contains example watches for inclusion in the /etc/audit/audit.rules file. If
the -k <key> option is used in conjunction with -w, all records produced by the watch will
contain an alert word (limited to 31 bytes) so that the records for the watch can be easily
filtered out of the audit log files. To limit file or directory watches to certain actions, use
the -p option followed by one or more of the following: r to watch read actions, w to
watch write actions, x to watch execute actions, and a to watch append actions. To delete
a watch, use the -W option followed by the file or directory.
LISTING 25.4 Example Audit Watches
#Watch for changes to sysconfig files
-w /etc/sysconfig -k SYSCONFIG
#Watch for changes to audit config files
-w /etc/audit/audit.rules -k AUDIT_RULES
-w /etc/audit/auditd.conf -k AUDIT_CONF
-w /var/log/audit/ -k LOG_AUDIT
#Watch to see who tries to start the VPN client
-w /usr/bin/vpnc -k VPNC -p x
#Watch password files
-w /etc/group -k PASSWD
-w /etc/passwd -k PASSWD
-w /etc/shadow -k PASSWD
For example, Listing 25.4 includes a watch on the password files with the filter key
PASSWD. Listing 25.5 contains the log entry from /var/log/audit/audit.log after
deleting a user, which modifies these watched password files. Just like the example
in Listing 25.3 for a rule with a filter key, the key is added to the end of the log entry so it
can be easily filtered from the rest of the log entries.
LISTING 25.5 Example Log Entries for Audit Watches
type=SYSCALL msg=audit(1168227741.656:17915): arch=c000003e syscall=82
success=yes exit=0 a0=7fff00975dd0 a1=60a700 a2=0 a3=22 items=5 ppid=26575
pid=4147 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts4 comm="userdel" exe="/usr/sbin/userdel" key="PASSWD"
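A watch only protects the paths it names, and a watch written without -k produces records that cannot be pulled out later with ausearch -k. The script below is an added example, not part of the book: it reads a rules file, reports which of a chosen set of sensitive paths (the password files and the audit configuration, following Listing 25.4) have no -w rule, and lists watches that carry no key. The rules file it checks is constructed here and is deliberately incomplete so that both checks fire.

```shell
# Added example (not from the book): check a rules file for missing watches.

# Paths that should always carry a watch; the set is taken from Listing 25.4.
REQUIRED_WATCHES='/etc/passwd /etc/shadow /etc/group /etc/audit/audit.rules /etc/audit/auditd.conf'

# Constructed, deliberately incomplete rules file modelled on Listing 25.4.
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
#Watch for changes to sysconfig files
-w /etc/sysconfig -k SYSCONFIG
#Watch for changes to audit config files
-w /etc/audit/audit.rules -k AUDIT_RULES
#Watch password files (/etc/shadow is missing and /etc/group has no key)
-w /etc/passwd -k PASSWD
-w /etc/group
-w /usr/bin/vpnc -k VPNC -p x
EOF

# watched_paths FILE: the path of every -w rule (comments and -a/-A rules ignored)
watched_paths() {
    awk '$1 == "-w" { print $2 }' "$1"
}

# missing_watches FILE: required paths that have no -w rule, one per line
missing_watches() {
    for p in $REQUIRED_WATCHES; do
        if ! watched_paths "$1" | grep -qxF -- "$p"; then
            echo "$p"
        fi
    done
}

# watches_without_key FILE: -w rules with no -k option. Their records can only be
# found by filename (ausearch -f), not by key (ausearch -k).
watches_without_key() {
    awk '$1 == "-w" {
            haskey = 0
            for (i = 3; i <= NF; i++) if ($i == "-k") haskey = 1
            if (!haskey) print $2
         }' "$1"
}

# rules_check FILE: human-readable report; returns 1 when anything is wrong
rules_check() {
    bad=0
    for p in $(missing_watches "$1"); do echo "missing watch: $p"; bad=1; done
    for p in $(watches_without_key "$1"); do echo "watch without key: $p"; bad=1; done
    return $bad
}

rules_check "$RULES_FILE" || echo "rules file needs attention"
```

Run against the real file with rules_check /etc/audit/audit.rules; the exit status makes it usable from a configuration-management or cron job, and REQUIRED_WATCHES is the place to add site-specific paths.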
Customizing auditctl
Command-line options for configuring the audit system parameters can also be included
in /etc/audit/audit.rules. Table 25.1 lists these options.
TABLE 25.1 auditctl Options for Configuring Audit System Parameters
Option Description
-b <backlog> Maximum number of outstanding audit buffers allowed. The default from
the kernel is 64. If all buffers are full, the kernel refers to the failure flag
set with the -f option to determine which action to take.
-e 0,1 Set to 0 to disable auditing, or set to 1 to enable auditing. Useful for
temporarily disabling audit for troubleshooting or other purposes.
-f 0,1,2 Set the failure flag used to tell the kernel how to handle critical errors
such as the audit buffers being full or being out of kernel memory. Valid
values are 0 (no action), 1 (use printk to log messages to
/var/log/messages), and 2 (panic). The default is 1, but 2 is more secure.
-r <rate> Rate limit in messages/second. If set to 0, there is no limit. If the rate
limit is exceeded, the kernel consults the failure flag from the -f option
to determine which action to take.
-i Ignore errors when reading rules from a file.
To verify they have been set, use the auditctl -s command to view the status. The
output looks like the following:
AUDIT_STATUS: enabled=1 flag=1 pid=1954 rate_limit=0 backlog_limit=256
lost=0 backlog=0
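Table 25.1 explains the parameters and auditctl -s shows their live values; what matters operationally is whether those values mean records are being dropped. The functions below are an added example, not from the book, that parse an AUDIT_STATUS line and flag the conditions worth alerting on: auditing disabled, a failure flag of 0 (overflows ignored silently), records already lost, and a backlog that has reached its limit. The first status line is the book's sample output above; the second is constructed to show an unhealthy daemon.

```shell
# Added example (not from the book): sanity-check the output of auditctl -s.

# Sample output quoted from the chapter, and a constructed unhealthy line.
STATUS_OK='AUDIT_STATUS: enabled=1 flag=1 pid=1954 rate_limit=0 backlog_limit=256 lost=0 backlog=0'
STATUS_BAD='AUDIT_STATUS: enabled=0 flag=0 pid=0 rate_limit=0 backlog_limit=64 lost=37 backlog=64'

# status_value LINE NAME: numeric value of NAME=... in the status line
status_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# audit_status_issues LINE: one line per problem found, nothing when healthy.
# Always returns 0 so it is safe under set -e; count the lines instead.
audit_status_issues() {
    line=$1
    enabled=$(status_value "$line" enabled)
    flag=$(status_value "$line" flag)
    lost=$(status_value "$line" lost)
    backlog=$(status_value "$line" backlog)
    limit=$(status_value "$line" backlog_limit)

    [ "$enabled" = 1 ] || echo "auditing is disabled (enabled=$enabled); re-enable with auditctl -e 1"
    [ "$flag" != 0 ] || echo "failure flag is 0: buffer overflows are ignored silently (see -f in Table 25.1)"
    [ "$lost" = 0 ] || echo "$lost records already lost: raise the backlog with -b or lower the rate limit with -r"
    [ "$backlog" -lt "$limit" ] || echo "backlog $backlog has reached backlog_limit $limit: the daemon is not keeping up"
    return 0
}

# audit_status_ok LINE: succeeds only when no issue was reported
audit_status_ok() {
    [ -z "$(audit_status_issues "$1")" ]
}

audit_status_issues "$STATUS_BAD"
```

On a live system the input is simply "$(auditctl -s)"; a non-zero lost count is the one value that cannot be fixed after the fact, because the records it counts were never written.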
Starting and Stopping the Daemon
After configuring the daemon and adding rules and watches, start the daemon with the
service auditd start command as root. To stop it, use the service auditd stop
command. To enable it to automatically start at boot time, execute the chkconfig auditd
on command as root.
If the daemon is already running when you modify its configuration, use the service
auditd restart command as root to enable the changes. To verify that the rules and
watches have been modified, use the auditctl -l command as root to list all active rules
and watches. For example, Listing 25.6 shows the auditctl -l output for the rules and
watches in Listings 25.2 and 25.4.
LISTING 25.6 Listing Audit Rules and Watches
LIST_RULES: entry,always syscall=chmod
LIST_RULES: exit,always uid=501 (0x1f5) key=tfox syscall=open
LIST_RULES: exit,always watch=/var/log/audit perm=rwxa key=LOG_AUDIT
LIST_RULES: exit,always watch=/etc/sysconfig perm=rwxa key=SYSCONFIG
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa key=PASSWD
LIST_RULES: exit,always watch=/etc/shadow perm=rwxa key=PASSWD
LIST_RULES: exit,always watch=/etc/group perm=rwxa key=PASSWD
LIST_RULES: exit,always watch=/etc/audit/audit.rules perm=rwxa key=AUDIT_RULES
LIST_RULES: exit,always watch=/etc/audit/auditd.conf perm=rwxa key=AUDIT_CONF
LIST_RULES: exit,always watch=/usr/bin/vpnc perm=x key=VPNC
Analyzing the Records
If auditd is used, audit messages are written to /var/log/audit/audit.log unless the
filename is changed with the log_file parameter in /etc/audit/auditd.conf. The log file is
a text file and can be read with the less utility or a text editor such as Emacs or Vi. The
messages are written in the format received from the kernel in the order they are received.
The aureport utility can be used to generate summary reports from the log file. The
ausearch utility can be used to search for records based on criteria such as the audit event
ID, a filename, UID or GID, message type, and system call name.
Unless the daemon is configured to rotate the log files and remove old ones as previously
described in the "Configuring the Audit Daemon" section, the log files in /var/log/audit/
are never removed. Administrators should check the logs frequently and remove
old ones or move them to backup storage. If the logs are not removed periodically, they
can fill up the entire disk. Because of this, it is recommended that /var/log/audit/ be a
separate dedicated partition so it does not affect the writing of other log files or cause
other system errors.
TIP
To force the log file to be rotated immediately, issue the service auditd rotate
command as root. The old log files will have the filename audit.log.N, where N is a
number. The larger the number, the older the log file.
Generating Reports
To generate reports of the audit messages, use the aureport utility. The /var/log/audit/
directory and all the audit log files in it are only readable by the root user for security. Thus,
you must be the root user to execute the aureport command. If aureport is executed
without any options, a summary report as shown in Listing 25.7 is displayed.
LISTING 25.7 aureport Summary
Summary Report
======================
Range of time: 11/29/2006 03:40:18.155 - 01/07/2007 23:29:02.898
Number of changes in configuration: 71
Number of changes to accounts, groups, or roles: 14
Number of logins: 38
Number of failed logins: 0
Number of users: 3
Number of terminals: 35
Number of host names: 7
Number of executables: 55
Number of files: 1186
Number of AVC denials: 0
Number of MAC events: 70
Number of failed syscalls: 2594
Number of anomaly events: 46
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 3734
Number of events: 33743
To generate a more specific report, execute the aureport command as root followed by
one or more options from Table 25.2. These options narrow down the report to specific
data such as system calls or configuration changes.
TABLE 25.2 aureport Options for Generating Specific Reports
Option Description
-a Report messages about the access vector cache (AVC)
-c Report messages about configuration changes
-cr Report messages about crypto events
-e Report messages about events
-f Report messages about files
-h Report messages about hosts
-l Report messages about logins
-m Report messages about account modifications
-ma Report messages about Mandatory Access Control (MAC) events
-p Report messages about processes
-s Report messages about system calls
-tm Report messages about terminals
To produce results in a more human-readable format, such as replacing UIDs with the
usernames they map to, also use the -i option:
aureport -<flag> -i
To display the start and stop times for each log, add the -t option:
aureport -<flag> -i -t
To display events equal to or before a specific time, add the -te option followed by the end
date and end time. Use the numerical format for the date and time for your locale, and
specify the time in 24-hour format. For example, for the en_US.UTF-8 locale, use the
date format MM/DD/YY:
aureport -<flag> -i -te <end date> <end time>
To display events equal to or after a specific time, add the -ts option followed by the start
date and time. The same date and time formatting rules apply as the ones for the -te
option:
aureport -<flag> -i -ts <start date> <start time>
To display only failed events, use --failed. Notice that this option is prefixed with two
dashes instead of one:
aureport -<flag> -i --failed
To display only successful events, use --success. Notice that this option is prefixed with
two dashes instead of one:
aureport -<flag> -i --success
Some reports can also be generated in a summary format with the --summary option.
Notice that this option is prefixed with two dashes instead of one:
aureport -<flag> -i --summary
To produce a main summary report instead of one about one area, use the -r option:
aureport -r -i
To produce reports from a log file other than the default, specify it with the -if option:
aureport -<flag> -i -if /var/log/audit/audit.log.1
Searching the Records
In addition to generating event reports and summaries with aureport, administrators can
also search the audit records with ausearch. As root, execute the ausearch command
followed by one or more options from Table 25.3. If more than one option is specified,
the results shown match both requests. To retrieve results that match the search criteria of
one option or another option, perform two different searches and combine the results
yourself.
TABLE 25.3 ausearch Options
Option Description
-a <event id> Show messages with a specific event ID. Each message
contains an identification string such as msg=audit
(1145758414.468:8758). The number after the colon, such
as 8758 in this example, is the audit event ID. All records from
an application's system call have the same audit event ID so
they can be grouped together.
-c <comm name> Show messages with a specific comm name, which is the
executable's name from the task structure. The comm name
such as firefox-bin or vim is shown when searching for a
specific audit event ID.
-f <filename> Show messages concerning a specific filename. Useful if
watching a file with auditctl.
-ga <group id> Show messages with either an effective group ID or group ID
that matches the given GID.
-ge <group id> Show messages with an effective group ID that matches the
given GID.
-gi <group id> Show messages with a group ID that matches the given GID.
-h Display brief help.
-hn <hostname> Show messages containing a specific hostname.
-i Show results in human-readable format.
-if <logfile> Read logs from <logfile> instead of /var/log/audit/audit.log
or the file set with the log_file parameter in
/etc/audit/auditd.conf.
-k <key> Show messages with <key>.
-m <mess type> Show messages containing a specific message type such as
CONFIG_CHANGE or USER_ACCT.
-o <SELinux context> Show messages containing an SELinux tcontext (object)
that matches the provided string.
-p <pid> Show messages with a specific process ID.
-sc <syscall> Show messages about a particular system call, specified by
the system call name or its numeric value.
-se <SELinux context> Show messages containing an SELinux scontext/subject or
tcontext/object that matches the provided string.
-su <SELinux context> Show messages containing an SELinux scontext (subject)
that matches the provided string.
-sv <success value> Show successful or failed events by specifying the value yes
or no to this option. As shown in Listing 25.8, the success
value is followed by the res keyword at the end of the
message and can be either success or failed.
-te <date> <time> Show messages with timestamps equal to or before a given
date and time. The date and time formats depend on the
system's locale. Specify the time using a 24-hour clock such
as 23:00:00. For the en_US.UTF-8 locale, the date format is
the numerical equivalent of MM/DD/YY.
-ts <date> <time> Show messages with timestamps equal to or after a given
time. Time and date format rules from the -te option apply.
-tm <terminal> Show messages with the specified terminal such as pts16.
Some executables such as cron and atd use the daemon
name for the terminal.
-ua <uid> Show messages whose user ID, effective user ID, or login UID
(auid) matches the one specified.
-ue <uid> Show messages whose effective user ID matches the one
specified.
-ui <uid> Show messages whose user ID matches the one specified.
-ul <login id> Show messages whose login UID matches the one specified.
-v Display the ausearch version.
-w If a string to be matched is specified, only display results that
match the entire word.
-x Show messages about an executable such as crond or sudo.
The full path to the executable is provided after the exe
keyword in the message such as "/bin/sudo" in Listing 25.8.
Similar to aureport, the -i option can be used to make the output more human-readable,
and the -if <filename> option can be used to provide an alternate log file in which to
search.
When the results are displayed, each record is separated by a line of four dashes, and a
timestamp precedes each record as shown in Listing 25.8.
LISTING 25.8 Results from ausearch -x sudo
time->Fri Dec 1 00:01:01 2006
type=CRED_ACQ msg=audit(1145210930.022:2023): user pid=30718 uid=0
auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts13 res=success)'
----
time->Fri Dec 1 04:01:01 2006
type=USER_START msg=audit(1145210930.022:2024): user pid=30718 uid=0
auid=4294967295 msg='PAM: session open acct=root : exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts13 res=success)'
----
time->Fri Dec 1 04:42:01 2006
type=USER_END msg=audit(1145210930.022:2025): user pid=30718 uid=0
auid=4294967295 msg='PAM: session close acct=root : exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts13 res=success)'
----
time->Fri Dec 1 05:01:01 2006
type=CRED_ACQ msg=audit(1145249595.972:2482): user pid=2062 uid=0
auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts16 res=success)'
----
time->Fri Dec 1 06:01:01 2006
type=USER_START msg=audit(1145249595.972:2483): user pid=2062 uid=0
auid=4294967295 msg='PAM: session open acct=root : exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts16 res=success)'
----
time->Fri Dec 1 09:01:01 2006
type=USER_END msg=audit(1145249595.972:2484): user pid=2062 uid=0
auid=4294967295 msg='PAM: session close acct=root : exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=pts16 res=success)'
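ausearch ANDs its options, and the text above says to run two searches and merge them yourself when an OR is needed. The functions below are an added example, not from the book: they perform both kinds of search over a raw audit.log with awk, group the records that share one event serial (what ausearch -a does), and count records by type for quick triage. The log is constructed from records modelled on Listings 25.5 and 25.8; the CWD and PATH lines are shortened constructions rather than real output.

```shell
# Added example (not from the book): AND/OR searches over a raw audit log.

# Constructed log modelled on Listings 25.5 and 25.8. The SYSCALL, CWD and PATH
# records of one event share the serial after the colon (17915 here); the CWD
# and PATH lines are shortened constructions, not real kernel output.
AUDIT_LOG=$(mktemp)
cat > "$AUDIT_LOG" <<'EOF'
type=CRED_ACQ msg=audit(1145210930.022:2023): user pid=30718 uid=0 auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts13 res=success)'
type=USER_START msg=audit(1145210930.022:2024): user pid=30718 uid=0 auid=4294967295 msg='PAM: session open acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts13 res=success)'
type=SYSCALL msg=audit(1168227741.656:17915): arch=c000003e syscall=82 success=yes exit=0 a0=7fff00975dd0 a1=60a700 a2=0 a3=22 items=5 ppid=26575 pid=4147 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="userdel" exe="/usr/sbin/userdel" key="PASSWD"
type=CWD msg=audit(1168227741.656:17915):  cwd="/root"
type=PATH msg=audit(1168227741.656:17915): item=0 name="/etc/passwd" inode=12345 dev=08:02 mode=0100644 ouid=0 ogid=0
type=USER_END msg=audit(1145210930.022:2025): user pid=30718 uid=0 auid=4294967295 msg='PAM: session close acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts13 res=success)'
EOF

# audit_search MODE LOG PATTERN...: print every record matching ALL patterns
# (MODE=all, what ausearch does with several options) or ANY pattern (MODE=any,
# the OR that ausearch cannot express). Patterns are extended regular
# expressions; they are handed to awk through the environment so that a pattern
# such as key="PASSWD" is never mistaken for a variable assignment.
audit_search() {
    mode=$1; log=$2; shift 2
    PATTERNS=$(printf '%s\n' "$@") awk -v mode="$mode" '
        BEGIN { n = split(ENVIRON["PATTERNS"], pat, "\n") }
        {
            hits = 0
            for (i = 1; i <= n; i++) if ($0 ~ pat[i]) hits++
            if ((mode == "all" && hits == n) || (mode == "any" && hits > 0)) print
        }' "$log"
}

# audit_event LOG SERIAL: all records belonging to one event, like ausearch -a
audit_event() {
    grep -E "msg=audit\([0-9.]+:$2\):" "$1" || true
}

# audit_type_counts LOG: "TYPE count" per record type
audit_type_counts() {
    sed -n 's/^type=\([A-Z_]*\).*/\1/p' "$1" | sort | uniq -c | awk '{ print $2, $1 }'
}

# Which sudo sessions were opened?  (AND of two criteria)
audit_search all "$AUDIT_LOG" 'exe="/usr/bin/sudo"' 'type=USER_START'
# Anything that touched the password files, or any session that ended?  (OR)
audit_search any "$AUDIT_LOG" 'key="PASSWD"' 'type=USER_END'
```

The serial-based grouping in audit_event is the piece to reach for when a SYSCALL record alone does not say which file was involved: the PATH records with the same serial do.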
Tracing a Process with Audit
The autrace utility can be used to generate audit records from a specific process. No other
rules or watches can be enabled while autrace is running. As with the other audit utilities,
autrace must be run as root. To audit trace a process, use the following steps:
1. Temporarily turn off all rules and watches:
auditctl -D
2. (Optional) To isolate the audit records from the process, force a log file rotation:
service auditd rot
The logs for the autrace will be in /var/log/audit/audit.log.
3. Execute autrace on the command:
autrace <command to trace>
4. Wait until the process is complete. A message similar to the following will be
displayed:
Trace complete. You can locate the records with `ausearch -i -p 10773`
5. Restart the audit daemon to re-enable the rules and watches:
service auditd restart
6. Use ausearch to display details about the trace.
Summary
The Linux Auditing System and the audit daemon can be used to collect system call and
file access information from the kernel. The audit daemon writes log messages about
these events to a dedicated log file. Reports can then be generated with the aureport and
ausearch utilities to find failed system calls, to determine who is accessing files and how
often, to list successful and failed attempts at executing programs, and much more.
APPENDIX A Installing Proprietary Kernel Modules 525
APPENDIX B Creating Virtual Machines 529
APPENDIX C Preventing Security Breaches with ExecShield 547
APPENDIX D Troubleshooting 551
IN THIS APPENDIX
Installing Proprietary Modules
Installing the nVidia Display Driver
Recognizing a Tainted Kernel
APPENDIX A
Installing Proprietary Kernel Modules
Red Hat Enterprise Linux includes support for a wide variety of hardware in the form of
kernel modules. These kernel modules allow the hardware and the kernel to interact so
that the rest of the operating system and applications can communicate with the hardware.
Ideally, all the kernel modules you need are included with Red Hat Enterprise Linux.
However, if others are required, this appendix explains how they work with the kernel and
how to identify them.
The Linux kernel is licensed under the GNU General Public License (GPL), meaning that
its source code is available at kernel.org for anyone to download and read and that
anyone can modify the code if the modified code is also available under the GPL. All the
kernel modules distributed with Red Hat Enterprise Linux are licensed under the GPL or
GPL-compatible licenses.
TIP
Chapter 6, "Analyzing Hardware," describes how to list and configure kernel module
parameters.
How are kernel modules written? Sometimes open source developers have the cooperation
of the hardware vendors to gain access to the hardware specifications necessary to write
an open source kernel module for it. Because of the open source model, the module is
improved over time as users find problems and report them to the developer or other
developers tweak the code as they find problems. Sometimes, hardware vendors write
their own Linux kernel modules. Some even make the Linux modules they write open
source. However, some choose not to release their kernel modules under the GPL or a
GPL-compatible license (called a proprietary module). If the open source community hasn't
written an equivalent open source version of the module (usually because the hardware
has just been released or because the open source community does not have enough
information about the hardware to write an open source module), the proprietary module
is an administrator's only option if he wants to use the hardware with the Linux operating
system.
Installing Proprietary Modules
The process for installing third-party modules differs from module to module:
Some modules are distributed in RPM format, which makes them easy to install. Refer
to Chapter 5, "Working with RPM Software," for details on installing an RPM package.
Some modules require the administrator to run a script (supplied with the module
when downloaded) that guides you through the installation.
Others might require that parts of the module be compiled. However, most third-party
modules come with detailed installation instructions.
Even the process of loading proprietary modules differs from module to module:
Some use user-space applications to load them.
Some use initialization scripts that can be run at boot time. Refer to Chapter 4,
"Understanding Linux Concepts," for more information on initialization scripts.
Some require the module to be listed in /etc/modprobe.conf, such as the following for
a module named example for the first Ethernet card:
alias eth0 example
After installing the module and following the instructions for loading it, use the
/sbin/lsmod command to verify that it has been loaded.
Bottom line: Follow the instructions that are included with the proprietary module and
contact the distributor of the module, such as the hardware vendor, if it does not load or
work properly with the Red Hat Enterprise Linux kernel. It is difficult for the open source
community or the Red Hat engineering team to troubleshoot and fix an issue if the source
code is not available to debug.
Installing the nVidia Display Driver
This section shows the process of installing the nVidia Linux display driver for the x86_64
architecture. This example is based on version 1.0-9746 of the driver downloaded from
http://www.nvidia.com/object/linux_display_amd64_1.0-9746.html. Instructions for
installing a different version may differ.
CAUTION
The instructions in this section are specific to version 1.0-9746 of the nVidia display
driver. Instructions for other kernel modules may differ. Be sure to carefully read the
instructions for the driver you are downloading.
Use the following steps to install the display driver from
http://www.nvidia.com/object/linux_display_amd64_1.0-9746.html:
NOTE
The driver does not currently work with the Virtualization kernel. Be sure you are
not running the Virtualization kernel before continuing. Refer to Appendix B for
details on Virtualization.
1. Read the NVIDIA software license and be sure you agree to it before proceeding.
Note that it is not GPL-compatible. A link to the license is on the download page.
2. Before downloading the driver, install the kernel-devel, xorg-x11-server-sdk, and
gcc RPM packages so that the precompiled kernel interface can be found or
compiled. The kernel-devel package is specific to the kernel version running, so be
sure to install the correct version. If you use the following command to download
and install from RHN, the proper version is installed:
yum install kernel-devel xorg-x11-server-sdk gcc
3. Download the installation script from the nVidia website,
NVIDIA-Linux-x86_64-1.0-9746-pkg2.run.
4. You cannot be running the X server (the graphical desktop or login screen) when
installing the driver. Log out of the graphical desktop if you are logged in so that
you are at the graphical login screen. Press the key combination Ctrl+Alt+F1 to go to
the first virtual terminal. Log in as the root user and execute the command init 3
to completely stop the X server.
5. As root, run the installation script to start the installation process (specify the full
path to the script if you are not in the same directory):
sh NVIDIA-Linux-x86_64-1.0-9746-pkg2.run
6. A simple text-based interface is used during the installation process. Accept the
license to continue.
7. A message is displayed stating that no precompiled kernel interface was found to
match the kernel. You can choose to download it from the nVidia FTP site.
8. If you choose to download it but it can't be found, or you choose not to download
it, the next step shows the kernel interface being compiled.
9. Answer Yes to the question asking whether to install the NVIDIA 32-bit compatibility
OpenGL libraries. The interface shows the progress as it searches for conflicting
OpenGL files and then installs the driver.
10. After driver installation is complete, you are asked whether you want the
nvidia-xconfig utility run to configure the X server configuration file so that the nVidia
driver is used the next time X is started. Choose Yes to this question to configure
the /etc/X11/xorg.conf file. The old file is saved as /etc/X11/xorg.conf.backup.
11. Finally, select OK to exit the installation program.
12. Now, you can restart the X server and start using the nVidia display driver. Execute
the init 5 command as root to start the graphical login screen.
To verify that the driver is being used, execute the following command:
lsmod | grep nvidia
You should see a line similar to the following if the kernel module is loaded:
nvidia 5698648 22
Recognizing a Tainted Kernel
The license of a particular kernel module can be determined with the following command:
modinfo <module> | grep license
For example, the following output shows that the module is written under the GPL:
license: GPL
The following shows the output from modinfo nvidia | grep license for the nVidia
display driver, which is distributed under the nVidia license:
license: NVIDIA
If a proprietary kernel module is loaded when a kernel crash occurs, it is very difficult to
debug the problem because the source code is not available. For this reason, a mechanism
was added to the kernel to allow developers and users to determine whether proprietary
modules are loaded. When a kernel module is loaded, the kernel checks for a macro called
MODULE_LICENSE. If the license is not an approved open source license such as the GPL,
the kernel is flagged as "tainted."
How can you determine whether the kernel is tainted? The /sbin/lsmod command lists
the currently loaded modules. If you pipe it through less, you can read the header:
/sbin/lsmod | less
If you see the phrase Tainted: P at the end of the header, proprietary kernel modules are
loaded:
Module Size Used by Tainted: P
If the kernel crashes while a proprietary module is loaded, try reproducing the crash
without the kernel module loaded. If the problem goes away, chances are that the module
itself is causing the crash. If the problem still occurs with an untainted kernel, the
problem is likely in either the kernel or another kernel module.
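The Tainted: P flag says that some loaded module is proprietary, but not which one. The functions below are an added example, not taken from the book: they make that determination from each module's own MODULE_LICENSE string, using the set of strings the kernel accepts as GPL-compatible (anything else sets the P taint when the module loads), and they decode the numeric taint value the kernel exposes in /proc/sys/kernel/tainted, where bit 0 is the proprietary-module bit. The module list is constructed; on a live system it would come from running modinfo -F license on each name that lsmod prints.

```shell
# Added example (not from the book): find which loaded modules taint the kernel.

# MODULE_LICENSE strings the kernel accepts as GPL-compatible. Any other string
# (or no MODULE_LICENSE at all) sets the P taint when the module loads.
gpl_compatible() {
    case "$1" in
        "GPL"|"GPL v2"|"GPL and additional rights"|"Dual BSD/GPL"|"Dual MIT/GPL"|"Dual MPL/GPL")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# proprietary_modules: reads "<module> <license>" lines on stdin and prints the
# modules whose license is not GPL-compatible. On a live system feed it with:
#   for m in $(lsmod | awk 'NR > 1 { print $1 }'); do
#       echo "$m $(modinfo -F license "$m")"
#   done | proprietary_modules
proprietary_modules() {
    while read -r mod lic; do
        [ -n "$mod" ] || continue
        gpl_compatible "$lic" || echo "$mod"
    done
}

# taint_has_proprietary VALUE: VALUE is the number read from
# /proc/sys/kernel/tainted; bit 0 set means a proprietary module was loaded,
# whatever else has been set since (forced loads, oopses).
taint_has_proprietary() {
    [ $(( $1 & 1 )) -ne 0 ]
}

# Constructed sample of what the loop above might print on a host that has the
# nVidia driver from this appendix loaded; the other names are placeholders.
SAMPLE_MODULES='nvidia NVIDIA
e1000 GPL
ext3 GPL
sample_dual Dual BSD/GPL
sample_v2 GPL v2'

printf '%s\n' "$SAMPLE_MODULES" | proprietary_modules
```

Knowing the specific module matters for the reproduction advice above: it is that module, and only it, that has to be unloaded before trying to reproduce a crash on an untainted kernel.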
^llLNDlX ^ lnstalllng lroprletary Kernel Modules 528
lN THlS CH^lTLR
vlrtuallzatlon System
Requlrements
lnstalllng vlrtuallzatlon
Settlng Up the vM and
lnstalllng the Guest 0S
lntroduolng the v1rsh
Command
Startlng and Stopplng the
vlrtual Maohlne
Modlfylng Dedloated
Resouroes
lerformlng ^ddltlonal ^otlons
Managlng vMs wlth the xn
Utlllty
^llLNDlX B
CreaIing VirIual
Machines
InIroduced in Eedora Core 4 as a Iechnology preview, virIu-
alizaIion is now a supporIed eaIure o Red HaI EnIerprise
Linux S. VirIualizaIion allows mulIiple operaIing sysIems (OS)
Io run on Ihe same physical hardware inside vrtual machnes
(VM). The operaIing sysIems can be Ihe same OS, dierenI
versions o Ihe same OS, or dierenI OSes.
The beneiIs o virIualizaIion include Ihe ollowing:
BeIIer use o hardware. InsIead o Ihe sysIem
resources siIIing idle, Ihey can be used or mulIiple
OS insIances.
Less hardware. II Iakes ewer sysIems Io run mulIiple
OS insIances.
SeparaIion o services. MulIiple services or applica-
Iions do noI have Io work IogeIher in one OS envi-
ronmenI. I dierenI library versions or kernel
versions are reguired, iI is easily achieved wiIh
VirIualizaIion.
SeparaIion o ailures. I one VM goes down or needs
Io be Iaken oline or mainIenance, Ihe oIher VMs
are noI aecIed.
SeparaIion o daIa. The ilesysIems or each VM are
noI shared unless ile sharing is expliciIly conigured.
Users o one VM cannoI view Ihe daIa on a dierenI
VM, allowing an adminisIraIor Io conigure VMs or
dierenI groups who can share daIa among Ihem-
selves. Also, i one VM is compromised, Ihe daIa on
Ihe oIher VMs are sae rom Ihe securiIy breach.
Easier recovery. I a VM goes down, Ihe hosI sysIem
and oIher VMs are sIill up and running so Ihe ailed
VM can be recovered.
DedicaIed resource allocaIion. Each VM is allocaIed speciic resources so one canI
use 100% o Ihe resources and cause Ihe oIhers Io slow down or sIop responding.
MulIiple OSes or OS versions. One sysIem can run mulIiple OSes or dierenI
versions o Ihe same OS, converIing one IesI sysIem inIo mulIiple IesI sysIems or
soIware developmenI.
This appendix guides Ihe reader Ihrough Ihe process o creaIing VMs, sIarIing and sIop-
ping VMs, and managing Ihem wiIh Ihe virIualizaIion Iools.
V|rtua||zat|en 5ystem Requ|rements
The hosI sysIem musI use Ihe GRUB booI loader, which is Ihe deaulI or Red HaI
EnIerprise Linux. II is reguired Io be able Io booI inIo Ihe VirIualizaIion guesIs.
CAU1I0N
The vlrtuallzatlon feature of Red Hat Lnterprlse Llnux wlll not work lf SLLlnux ls
enabled. Refer to Chapter 23, lroteotlng ^galnst lntruders wlth SeourltyLnhanoed
Llnux, for lnstruotlons on dlsabllng lt before oontlnulng.
Before installing and configuring the Virtualization feature, be sure you have enough system resources for each virtual machine. The system resources for each VM must be in addition to the system resources needed for the host machine. The additional disk space requirements for each virtual machine are the same as those for a Red Hat Enterprise Linux install. The amount of disk space necessary depends on the type of system you are configuring. Approximately 4 GB is recommended as a minimum.
A disk partition or a disk image file can be used as the virtual disk space. The disk image is created during setup if it does not already exist, so the disk space for it just needs to be part of the existing mounted filesystem. To use a disk partition, create it first and then follow the steps for creating a VM. At least 500 MB of RAM is recommended for each virtual guest, possibly more depending on the desired function of the guest.
CAUTION
Red Hat Enterprise Linux 5 includes version 3 of the xen RPM package. It is not compatible with virtual guests set up with previous versions of this package.
Currently, Virtualization only runs as a supported feature on x86 and x86_64 systems. Virtualization for the Itanium2 is also available with Red Hat Enterprise Linux 5 but is only offered as a technology preview. To run Virtualization on an x86 system, the processor must have Physical Address Extension (PAE) support. To determine if your processor has PAE support, look for the pae flag in the list of flags for the processor in the /proc/cpuinfo virtual file. To only display the line of flags, use the command cat /proc/cpuinfo | grep flags, which shows a line similar to the following:
flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm up
APPENDIX B Creating Virtual Machines 530
There are two types of virtualization: para-virtualization and full virtualization. Para-virtualization creates a VM for the guest OS, but the virtual hardware is not exactly identical to the actual physical hardware. An OS run inside a para-virtualized VM must support para-virtualization so that the virtual hardware is recognized. For example, with Virtualization, the disk image used as the virtual hard drive has the device name xvda. On a fully virtualized system, the hardware is simulated so that the guest OS does not have to support virtualization. For example, the virtual hard drive for a VM on a fully virtualized host uses the device name sda for the first SCSI hard drive so that the guest OS is unaware that it is running inside a VM. Full virtualization is slower than para-virtualization.
Para-virtualization can be run on the x86_64 and Itanium2 architectures and x86 systems with the PAE extension. To achieve full virtualization, the processor on the host system must be 64-bit (x86_64 or Itanium2) and must have a Hardware Virtual Machine (HVM) layer referred to as vmx for Intel processors and svm for AMD processors. Check the list of flags in /proc/cpuinfo for the flag corresponding to your 64-bit processor. If you do not find it, be sure this feature has been enabled in the BIOS.
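As an added check that is not part of the book, the following shell script reads the flags line of a /proc/cpuinfo file and reports which virtualization mode the processor can support, using the pae, vmx, and svm flags described above. The two cpuinfo files it reads are constructed samples; on a real host, pass /proc/cpuinfo instead.

```shell
#!/bin/sh
# Added example, not from the book: classify a processor's virtualization
# support from the "flags" line of /proc/cpuinfo.
#   pae          -> para-virtualization is possible on an x86 host
#   vmx or svm   -> the HVM layer needed for full virtualization is present
# The two cpuinfo files written below are constructed samples.

# Print the flags of the first processor listed in the given cpuinfo file.
cpu_flags() {
    awk -F': *' '/^flags/ { print $2; exit }' "$1"
}

# Succeed (return 0) if flag $1 appears in the space-separated list $2.
has_flag() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print one of "full", "paravirt", or "none" for the given cpuinfo file.
# Full virtualization needs the HVM flag; para-virtualization on x86 needs pae.
virt_support() {
    flags=$(cpu_flags "$1")
    if has_flag vmx "$flags" || has_flag svm "$flags"; then
        echo full
    elif has_flag pae "$flags"; then
        echo paravirt
    else
        echo none
    fi
}

# Constructed samples (not real hosts): an older x86 CPU with PAE only, and a
# 64-bit Intel CPU whose vmx flag shows the HVM layer is enabled.
SAMPLE_PAE=$(mktemp)
cat > "$SAMPLE_PAE" <<'EOF'
processor   : 0
model name  : constructed x86 sample
flags       : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm up
EOF

SAMPLE_HVM=$(mktemp)
cat > "$SAMPLE_HVM" <<'EOF'
processor   : 0
model name  : constructed x86_64 sample
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr lahf_lm
EOF

# Report for each sample; on a real system run: virt_support /proc/cpuinfo
for f in "$SAMPLE_PAE" "$SAMPLE_HVM"; do
    echo "$f: $(virt_support "$f")"
done
```

If the HVM flag is missing on a processor that should have it, the BIOS check mentioned above is the next step.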
Installing Virtualization
The Virtualization feature can be installed during the installation process or after it. To install it while installing the operating system, enter an installation code that includes virtualization support. This code should have been provided with your Red Hat Enterprise Linux subscription if you elected to purchase the virtualization feature. To verify that the installation will include the Virtualization packages, select to customize the software selection. On the next screen, the Virtualization software group should appear and should be selected as shown in Figure B.1. This software group is only shown if an installation code that includes virtualization is entered at the beginning of the installation program.
To install Virtualization after the initial installation process is complete, first subscribe the system to the Virtualization channel in Red Hat Network. It will be listed as a child channel of the Red Hat Enterprise Linux 5 channel for the system. Go to rhn.redhat.com to perform this action and for detailed instructions on subscribing to additional channels. After the system has access to the Virtualization channel, use yum to install the necessary packages. As root, execute the following where <packages> is a space-separated list of package names:
yum install <packages>
Alternatively, schedule the package installation via the RHN website. The following packages are necessary to configure Virtualization (additional packages will be installed as dependencies):
kernel-xen: Linux kernel with Virtualization support compiled into it.
xen: Virtualization tools needed to set up and maintain the virtual machines.
xen-libs: Libraries necessary for the Virtualization applications.
virt-manager: Graphical application for Virtualization administration (not necessary if using the interactive command-line utility virt-install instead).
gnome-applet-vm: Desktop panel applet to monitor virtual domains (not necessary for systems without a graphical desktop).
libvirt: API for Virtualization and utility for managing virtual domains. Also includes the virsh utility used to manage VMs.
FIGURE B.1 Virtualization Software Group During Installation
The kernel-xen package installs the Linux kernel with Virtualization support compiled into it. It also adds a stanza for the Virtualization kernel to the GRUB configuration file /etc/grub.conf but does not set it to the default. To change it to the default, replace the number following the default keyword with the stanza number for the Virtualization kernel (the kernel version for it ends with the keyword xen). The stanza count starts with the number 0 and goes from the top of the file to the bottom. After booting, the uname -r command can be used to determine which kernel is currently running.
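To make the stanza-count rule concrete, here is an added shell example that is not from the book: it parses a grub.conf, reports the 0-based index of the stanza for the xen kernel, and compares it with the default= setting so the wrong kernel is not booted by mistake. The grub.conf it reads is a constructed sample in the Red Hat Enterprise Linux 5 layout; on a real host pass /etc/grub.conf and run as root.

```shell
#!/bin/sh
# Added example, not from the book: locate the Virtualization (xen) kernel
# stanza in a GRUB configuration and check or set the "default=" entry.
# Stanzas are counted from 0 in the order their "title" lines appear, which
# is how GRUB interprets "default=N".

# Print the 0-based index of the first stanza whose title, kernel, or module
# line refers to a xen kernel, or -1 if there is none.
xen_stanza_index() {
    awk '
        /^[ \t]*title/ { idx++ }
        idx > 0 && !found && /^[ \t]*(title|kernel|module)/ && /xen/ {
            print idx - 1; found = 1
        }
        END { if (!found) print -1 }
    ' "$1"
}

# Print the value of the "default=" line, or -1 if the file has none.
grub_default() {
    awk -F= '
        /^[ \t]*default[ \t]*=/ {
            gsub(/[ \t]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print -1 }
    ' "$1"
}

# Succeed if the xen stanza exists and is the one "default=" points at.
xen_is_default() {
    xen=$(xen_stanza_index "$1")
    [ "$xen" != -1 ] && [ "$(grub_default "$1")" = "$xen" ]
}

# Rewrite the "default=" line of file $1 to point at stanza $2. The file is
# rewritten through a temporary copy so its permissions are preserved.
set_grub_default() {
    tmp=$(mktemp)
    awk -v n="$2" '
        /^[ \t]*default[ \t]*=/ { print "default=" n; next }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample grub.conf: stanza 0 is the regular kernel, stanza 1 is
# the xen kernel added by kernel-xen, and default= still points at stanza 0.
GRUB_SAMPLE=$(mktemp)
cat > "$GRUB_SAMPLE" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-8.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.18-8.el5.img
title Red Hat Enterprise Linux Server (2.6.18-8.el5xen)
        root (hd0,0)
        kernel /xen.gz-2.6.18-8.el5
        module /vmlinuz-2.6.18-8.el5xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        module /initrd-2.6.18-8.el5xen.img
EOF

echo "xen stanza index: $(xen_stanza_index "$GRUB_SAMPLE")"
echo "current default:  $(grub_default "$GRUB_SAMPLE")"
if xen_is_default "$GRUB_SAMPLE"; then
    echo "the xen kernel is already the default"
else
    echo "the xen kernel is not the default; use set_grub_default to change it"
fi
```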
Setting Up the VM and Installing the Guest OS
Before setting up a virtual machine, make sure you are running the Virtualization kernel as described in the last section. Execute the uname -r command and verify that the kernel version running ends with the xen keyword.
A virtual machine instance implemented with Virtualization is called a domain. Two programs are available for setting up a domain and installing the guest OS on the virtual machine: an interactive command-line utility virt-install and a graphical application named Virtual Machine Manager (virt-manager).
For a para-virtualized host, only network installation types (NFS, HTTP, and FTP) can be used for the installation of the guest OS. However, you can export the installation tree from the same system that is hosting the guest VM. Instructions for setting up for a network installation are provided in Chapter 1, "Installing Red Hat Enterprise Linux." For a fully virtualized host, an ISO image on the host filesystem, installation CD set, or DVD must be provided as the installation media.
TIP
Virtualization log files are located in the /var/log/xen/ directory. Refer to these messages if an error occurs during creation or management of the virtual domains.
With the Virtual Machine Manager
To create the VM using a graphical interface, start the Virtual Machine Manager by executing the virt-manager command or selecting the Applications menu on the top panel of the desktop and then choosing System Tools, Virtual Machine Manager. If you are not the root user, you will be prompted for the root password before continuing. As shown in Figure B.2, select Local Xen host and click Connect. Even though it is seen as an option in the interface, connecting to a remote Virtualization host is not yet implemented.
FIGURE B.2 Connecting to the Virtualization Host
To open the program without the ability to create new domains or modify existing domains, select the Read only connection option. In read-only mode, you can view the list of active domains and view the graphical and serial consoles for them, but you cannot modify their settings such as the amount of memory dedicated to them.
After connecting to the Virtualization host, all guest domains on the host are shown, with Domain-0 being the host OS running on the system. If no VMs are running (as is the case the first time you run the program to create the first VM), only Domain-0 is listed (see Figure B.3).
FIGURE B.3 Virtual Machine Manager
Click New on the bottom toolbar or select File, New to create a new domain. The wizard prompts you for the following information:
System name: A unique descriptive name for the system. On the screen shown in Figure B.4, provide a name to use when managing VMs via the command line or the graphical program. It is also used as the configuration filename for the VM in the /etc/xen/ directory.
FIGURE B.4 Virtualization Domain Name
Virtualization method: There are two types of virtualization: para-virtualization and full virtualization. If your hardware supports full virtualization as discussed earlier in this appendix, select one of the two methods as shown in Figure B.5. Otherwise, you are only allowed to select para-virtualization.
FIGURE B.5 Virtualization Method
Install media location: For para-virtualization, provide the network location of the install media or the network location of the kickstart file to use for installation as shown in Figure B.6. The following formats are accepted (replace <server> with the hostname or IP address of the network file server and replace location with the directory containing the installation tree or the full path, including the filename, of the kickstart file):
nfs:<server>:/location
http://<server>/location
ftp://<server>/location
FIGURE B.6 Installation Media for Paravirtualization
For full virtualization, provide the location of the ISO image for the Red Hat Enterprise Linux version and variant to be installed on the VM or the full path to the installation CD or DVD as shown in Figure B.7.
FIGURE B.7 Installation Media for Full Virtualization
Disk image location: Provide the location of the disk image to use as the filesystem for the virtual machine as shown in Figure B.8. It can be either a disk partition or a file on the host filesystem. If using a disk partition, it must already exist. If a file is specified and does not exist, a disk image file will be created using the size selected. Remember that the disk image size must be large enough to install the OS and store any files you might need on the local virtual filesystem for the VM. If you need more storage, the guest OS on the VM can access network storage using the same protocols as a normal Linux system such as NFS and Samba.
FIGURE B.8 Disk Image Location
Memory and CPU allocation: Select the maximum amount of memory the VM has access to on the host system as shown in Figure B.9. If a smaller amount of startup memory is selected, the amount of startup memory is dedicated to the VM when it is started instead of the entire maximum amount of memory allowed. If more memory is needed by the VM later, the host system can allocate more memory to it up to the maximum amount configured.
Select the number of virtual processors the VM should have as well. The VM cannot have more virtual processors than the host has physical processor cores. It is recommended that the VM have no more than one less virtual processor than the host has physical processor cores.
FIGURE B.9 System Resource Allocation
After reviewing the summary of the settings selected, click Finish to create the VM and show the virtual console through which the installation will occur. The configuration file /etc/xen/<name> is created. If the disk image doesn't exist, it is created as well. If you receive an error message that the domain can't be created, look in the /var/log/xen/xend-debug.log file for error messages or tracebacks. For example, the following message means that the host system does not have enough physical memory to allocate to the VM:
VmError: I need 262144 KiB, but dom0_min_mem is 262144 and shrinking to 262144 KiB would leave only 243968 KiB free.
If the host system is successful in creating the VM, a virtual console for the newly created VM appears. The new domain name appears in the domain list in the Virtual Machine Manager window. If you provided a kickstart file instead of a network installation tree, the contents of the Virtual Machine Manager window will show the OS being installed via kickstart instead. For a para-virtualized host, the installation starts with the language selection screen in Figure B.10.
FIGURE B.10 Starting a Paravirtualization Installation
For a full virtualization host, the installation starts with the boot: prompt just as an installation would start on native hardware as shown in Figure B.11.
FIGURE B.11 Starting a Full Virtualization Installation
Follow the instructions from Chapter 1 to install the guest OS on the newly created VM. The last step of the installation program is to click the Reboot button to reboot the system and complete the installation. After the VM shuts down for the reboot, the VM is not automatically restarted and the VM name disappears from the list of domains in the Virtual Machine Manager window. Refer to the section "Starting and Stopping the Virtual Machine" to learn how to start the VM and the guest OS.
With virt-install
The virt-install interactive command-line tool can be used to set up the domain and then start the installation program. Execute the virt-install command as root to begin. The same questions from the Virtual Machine Manager are asked along with whether the graphical or text-based installation program should be used. After the VM is successfully set up, the virtual machine window appears as with the graphical application. The command-line process should look similar to Listing B.1.
LISTING B.1 Creating a Virtualization Domain with virt-install
Would you like a fully virtualized guest (yes or no)? This will allow you to run unmodified operating systems. no
What is the name of your virtual machine? rhel5
How much RAM should be allocated (in megabytes)? 500
What would you like to use as the disk (path)? /vm/rhel5
How large would you like the disk to be (in gigabytes)? 4000
Would you like to enable graphics support? (yes or no) yes
What is the install location? nfs:installs.example.com:/trees/rhel5server
Starting install...
Just like with the Virtual Machine Manager, the system shuts down after the installation and will not automatically start up again. Refer to the section "Starting and Stopping the Virtual Machine" for detailed instructions.
Introducing the virsh Command
As of the initial release of Red Hat Enterprise Linux 5, the Virtual Machine Manager has limited functionality. A few VM management actions such as shutting down the guest OS and altering the amount of dedicated resources can be done with the Virtual Machine Manager. If you installed an updated version of Red Hat Enterprise Linux 5, refer to the Release Notes to determine if additional functionality has been added to the program. To perform additional actions, the virsh and xm utilities are available from the command line of the host OS.
CAUTION
All the virsh and xm commands given in this appendix must be executed on the host OS, not on the guest OS running inside the VM.
Development on the virsh utility started after xm, but it is rapidly developing. Its goal is to offer more functionality such as being able to maintain virtual machines from other programs such as VMware instead of just from the Virtualization feature in Linux. Because it is projected that virsh is going to be the preferred utility, this appendix explains virsh. For a list of equivalent xm commands, refer to the "Managing VMs with the xm Utility" section at the end of this appendix.
The virsh commands can be executed in one of two ways. The virsh command can be executed as root from a shell prompt followed by a command and any options for the command:
virsh <command> <options>
It can also be started as an interactive shell so that just the commands and options need to be used. To start the interactive shell, type the virsh command at a shell prompt as root. The following prompt is then displayed:
virsh #
For example, the command to list the current domains (domains that are shut down are not shown) is virsh list. If you are in the interactive shell, the command would just be list.
Starting and Stopping the Virtual Machine
To start the VM again after installation or any time the VM is shut down, go to the shell prompt (such as starting a GNOME terminal) and execute the following command as root (where <name> is the unique name you gave the VM when setting it up earlier):
xm create -c <name>
NOTE
As of the initial release of Red Hat Enterprise Linux 5, the Virtual Machine Manager and the virsh utility do not include the ability to start a VM.
The pyGRUB menu is displayed as shown in Figure B.12. Select the OS to boot or let the default OS be selected and started.
FIGURE B.12 Selecting OS to Boot
By default, the VM window (called the console) is not opened automatically to display the graphical bootup or the graphical desktop after the bootup. Start the Virtual Machine Manager if it is not already running, and go to the list of domains in the Virtual Machine Manager window; the VM you just started should now appear in the list as shown in Figure B.13.
FIGURE B.13 Domain Running
Select it from the domain list, and double-click it to open the console for it. If this is the first time you have started the VM since the installation, the Setup Agent appears after the VM boots. Otherwise, the VM console shows the system booting up and then the login screen. After logging in to the system, the desktop appears as shown in Figure B.14 (unless the graphical desktop was not installed).
FIGURE B.14 Guest OS Running in the VM Console
TIP
To have the VM console opened automatically if the Virtual Machine Manager is already running when you execute the xm create -c <name> command, select Edit, Preferences from the Virtual Machine Manager window. For the Automatically open consoles option, select For all domains. Click Close to enable the change immediately.
If the shutdown request is given to the guest OS from inside the guest OS such as by selecting it from the menus or executing the shutdown command, the guest OS shuts itself down properly, and then the VM is stopped as well. If a reboot request is given from the guest OS (other than during the installation process), it behaves as expected: the guest OS reboots, keeping the VM active.
Alternatively, click the Shutdown button on the toolbar of the Virtual Machine Manager window containing the graphical desktop for the VM. The guest OS and VM can also be shut down by executing the following command as root at a shell prompt, where <domain> is the unique name for the domain:
virsh shutdown <domain>
The command returns after sending the shutdown action. To verify that the shutdown has been completed, either execute the virsh list command and make sure the domain is not in the list or watch the Virtual Machine Manager domain list until the domain is removed from the list.
To reboot the guest OS, execute the following as root from a shell prompt on the host OS:
virsh reboot <domain>
Just like the shutdown command for virsh, the command returns after sending the action, not after the reboot is complete.
TIP
An applet can be added to the desktop panel for quick monitoring of the guest domains. To add it to the panel, right-click on the panel, select Add to Panel..., and select VM Applet.
Modifying Dedicated Resources
To modify the settings for a guest domain using the Virtual Machine Manager, the domain must be running. Start the domain if necessary before continuing. From the domain list in the Virtual Machine Manager window, select the desired domain from the list, and select Edit, Machine details from the pull-down menu. The Overview tab on the Details window shows the VM name, the UUID for the virtual disk, the VM status such as Running or Paused, the CPU usage, and the memory usage. The Hardware tab as shown in Figure B.15 shows the virtual system resources assigned to the VM.
NOTE
If running the Virtual Machine Manager in read-only mode, you are not allowed to change hardware allocation for the VM.
FIGURE B.15 Hardware Allocation for the VM
The number of virtual processors and amount of dedicated memory (both initial allocation and maximum allowed allocation) can be changed from the Hardware tab. Click Apply to enable the changes immediately.
To view information about a domain from the command line or verify hardware allocation changes, execute the following as root:
virsh dominfo <domain>
The output should look similar to Listing B.2.
LISTING B.2 Domain Information
Id: 2
Name: rhel5
UUID: b5c8ebec-dfe1-910e-26e9-80f2c7caccf0
OS Type: linux
State: blocked
CPU(s): 1
CPU time: 21.8s
Max memory: 512000 kB
Used memory: 511808 kB
The same hardware allocation changes can be made with the virsh command as the root user. To change the memory allocation, use setmem to set the amount of currently allocated memory, setmaxmem to set the maximum allowed memory allocation, and setvcpus to set the number of virtual CPUs for the domain:
virsh setmem <domain> <kb>
virsh setmaxmem <domain> <kb>
virsh setvcpus <domain> <num>
After setting each option, use the following command to verify the change:
virsh dominfo <domain>
Performing Additional Actions
The virsh command can perform additional actions from the command line. This section highlights a few. Refer to the man page with the man virsh command or execute the virsh help command to view a complete list of commands.
To reboot the guest OS, execute the following as root. The guest OS is shut down properly, the VM is restarted, and the guest OS boots back up.
virsh reboot <domain>
The command returns to the prompt as soon as the reboot command is sent to the guest OS and VM. Return of the prompt does not mean the reboot has been completed.
It is also possible to suspend the guest OS and VM. In the graphical console window, click Pause to suspend, and click it again to resume. Figure B.16 shows the paused state from the graphical console.
FIGURE B.16 Guest OS and VM Paused
From the command line, use the following two commands as root to pause and resume:
virsh suspend <domain>
virsh resume <domain>
Managing VMs with the xm Utility
The xm command can also be used to manage the VMs instead of virsh, or in addition to virsh. Because virsh has already been discussed, this section just gives a brief list of equivalent xm commands. It also includes a few additional commands not yet implemented for virsh.
Refer to the xm man page for a complete listing of command-line options. Table B.1 summarizes the most commonly used commands. Replace <domain> with the guest domain name configured during creation of the domain. All xm commands must be run as the root user.
TABLE B.1 Common xm Commands
xm create -c <domain>: Start an inactive domain.
xm list: List all running virtualization domains along with information about them such as how much memory is allocated to each domain.
xm mem-set <domain> <mb>: Amount of memory to initially allocate to the VM. If the VM is already running, dynamically set the amount of memory allocated to the VM.
xm mem-max <domain> <mb>: Maximum amount of memory in megabytes the domain is allowed to use.
xm vcpu-set <domain> <num>: Set the number of virtual CPUs for the domain.
xm vcpu-list <domain>: List virtual CPU information for the domain.
xm pause <domain>: Pause the domain.
xm unpause <domain>: Unpause the domain.
xm reboot <domain>: Reboot the domain. The command will return before the reboot is finished. Use xm list to determine when the VM is back up and running.
xm uptime <domain>: Display uptime for the domain. If no domain is given, all active domains and uptimes are shown.
xm shutdown <domain>: Shut down the domain.
IN THIS APPENDIX
How ExecShield Works
Determining Status of ExecShield
Disabling ExecShield
APPENDIX C
Preventing Security Breaches with ExecShield
ExecShield is designed to prevent security breaches caused by software programs such as worms and viruses that are written to crawl through the Internet looking for systems with common vulnerabilities. It is enabled in the kernel and works in a way that is nonintrusive to the user. Its goal is not to defend against the expert hacker who has broken into your local network or an employee inside the company who already has access to parts of the network. Its goal is to protect against intruders using scripts that look for vulnerabilities in the way a program running with root privileges is written.
You will still need to develop a security plan for keeping your systems secure while allowing authorized users to access them. However, ExecShield should help you avoid common exploits known to affect other operating systems.
ExecShield is enabled by default in Red Hat Enterprise Linux. This appendix gives a brief explanation of how ExecShield accomplishes this goal and how to disable it in Red Hat Enterprise Linux should it interfere with other programs.
How ExecShield Works
One of the ExecShield memory-management techniques is using random memory locations each time a program is started. Using random memory locations prevents worms or viruses from knowing which parts of memory to overwrite with executables that breach the security of the system. For example, if the same memory location is used by a program every time the program is run, a hacker can write a virus that waits until the program has written to memory and then overwrites that part of the memory. When the program goes to execute the instructions in memory at a later time, the virus has already overwritten it, and the code from the virus is executed instead. The virus code is executed with whatever permissions the program has. If the program is being run as the root user, significant damage can be done to the system or confidential data stored on the system can be sent to another computer over the network or the Internet.
ExecShield also marks memory locations that store program data as nonexecutable. If a virus or worm manages to overwrite parts of a program's memory or program data, the code cannot be executed with ExecShield enabled.
Worms and viruses look for common programming errors that allow for exploits such as the buffer overflow. If an application is not written properly, a buffer overflow operation overfills the memory buffer, which is a fixed size, until it overwrites the return address for the memory location so that the worm or virus can execute a different program with all the privileges of the application that was running in that memory location, including ones running as the root user.
Because the worm or virus must fill the buffer before overwriting the return address, the code to execute is often written to the buffer and then the return address is redirected to the code in the buffer, which is usually only filled with data. ExecShield works by separating executables and application data so that application data cannot be executed.
But what if the exploit points the return address to somewhere other than the buffer it overflowed to get to the return address? ExecShield combats this with two features:
Ascii Zone
Address Space Randomization
Functions that operate on string buffers stop when they reach a zero byte (the string terminator). Ascii Zone tries to place as many string buffers as possible at memory locations that have a zero byte in the address so that an exploit that tries to overflow a string buffer fails. Address Space Randomization tries to use random memory locations for a program each time it starts so an exploit cannot predict where it is in memory.
Determining Status of ExecShield
ExecShield is enabled by default in the Red Hat Enterprise Linux kernel. To verify that ExecShield is enabled, execute the following command:
cat /proc/sys/kernel/exec-shield
If it returns the value of 1, ExecShield is enabled. The value of 0 means it is disabled. You can also determine the status of ExecShield by executing the following command, but this command must be run as the root user:
sysctl -a | grep exec-shield
APPENDIX C Preventing Security Breaches with ExecShield 548
If it returns the following, ExecShield is enabled:
kernel.exec-shield = 1
Again, a value of 0 indicates that ExecShield is disabled.
Disabling ExecShield
ExecShield can be disabled by using sysctl or modifying the boot loader configuration file to set the exec-shield kernel parameter to 0.
To disable ExecShield using sysctl, execute the following command:
sysctl -w kernel.exec-shield=0
ExecShield is disabled immediately. However, executing this command alone does not disable ExecShield on subsequent reboots. To disable ExecShield for all reboots, add the following line to /etc/sysctl.conf (as root):
kernel.exec-shield = 0
Changes made to this file are not enabled until a reboot occurs, because the file is only read once during system startup. To enable the change immediately, the sysctl -w kernel.exec-shield=0 command still needs to be executed.
Another way to disable ExecShield at boot time is to add a boot parameter and value to the boot loader configuration file. For x86 and x86_64 systems that use GRUB as the boot loader, append the following to the kernel line in /etc/grub.conf (as root):
exec-shield=0
Repeat this step for the kernel stanzas for which you want ExecShield disabled. Remember that this boot option and value must be added to any kernel stanzas added to the GRUB configuration file at a later time such as when a new kernel is installed.
CAUTION
If the same boot parameter is set in /etc/grub.conf and in /etc/sysctl.conf, the value from sysctl.conf takes precedence. If you add boot parameters to the GRUB configuration file, make sure there aren't any conflicting settings in /etc/sysctl.conf.
Changes to grub.conf do not go into effect immediately. The file is only read once during startup. The next time the system is booted, ExecShield will be disabled.
TIP
Adding a boot parameter to the boot loader for other architectures is described in Chapter 2, "Post-Installation Configuration."
To re-enable ExecShield, follow these same instructions, except set the value to 1 instead of 0.
Refer to the "Determining the Status of ExecShield" section for instructions on how to verify that ExecShield has been disabled or enabled, depending on what value you have set.
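As an added consolidated check that is not from the book, the following shell functions read the three places this appendix discusses (the runtime value under /proc/sys, /etc/sysctl.conf, and the kernel lines in grub.conf) and report whether ExecShield is on now, what it will be after the next reboot, and whether grub.conf and sysctl.conf disagree, which is the case the caution above warns about. All file paths are parameters so the constructed sample files in the script can stand in for the real ones; on a real host pass /proc/sys/kernel/exec-shield, /etc/sysctl.conf, and /etc/grub.conf and run as root.

```shell
#!/bin/sh
# Added example, not from the book: audit the ExecShield setting across the
# runtime value, /etc/sysctl.conf, and the GRUB kernel lines.
# All paths are parameters so constructed sample files can stand in for
# /proc/sys/kernel/exec-shield, /etc/sysctl.conf, and /etc/grub.conf.

# Current value (0 or 1) read from the exec-shield proc file.
runtime_exec_shield() {
    tr -d '[:space:]' < "$1"
}

# Value of "kernel.exec-shield = N" in a sysctl.conf, or "unset". The last
# matching line wins, as it does when sysctl reads the file at startup.
sysctl_conf_exec_shield() {
    awk -F= '
        /^[ \t]*kernel\.exec-shield[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Number of GRUB kernel (or, for a xen stanza, module) lines that carry the
# exec-shield=0 boot parameter.
grub_exec_shield_disabled() {
    awk '
        /^[ \t]*(kernel|module)[ \t]/ && /[ \t]exec-shield=0([ \t]|$)/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Value ExecShield will have after the next reboot, applying the rule that
# sysctl.conf overrides a grub.conf boot parameter: the sysctl.conf value if
# set, otherwise 0 if any stanza disables it, otherwise the kernel default, 1.
boot_exec_shield() {
    conf=$(sysctl_conf_exec_shield "$2")
    if [ "$conf" != unset ]; then
        echo "$conf"
    elif [ "$(grub_exec_shield_disabled "$3")" -gt 0 ]; then
        echo 0
    else
        echo 1
    fi
}

# Print "runtime=<v> boot=<v> conflict=<yes|no>". A conflict means grub.conf
# disables ExecShield on a kernel line while sysctl.conf sets a different
# value, so the boot parameter would be silently overridden.
exec_shield_audit() {
    now=$(runtime_exec_shield "$1")
    conf=$(sysctl_conf_exec_shield "$2")
    disabled=$(grub_exec_shield_disabled "$3")
    conflict=no
    if [ "$disabled" -gt 0 ] && [ "$conf" != unset ] && [ "$conf" != 0 ]; then
        conflict=yes
    fi
    echo "runtime=$now boot=$(boot_exec_shield "$1" "$2" "$3") conflict=$conflict"
}

# Constructed samples: ExecShield is on now, grub.conf disables it for one
# stanza, and sysctl.conf sets it to 1, so sysctl.conf wins and boot=1.
PROC_SAMPLE=$(mktemp)
echo 1 > "$PROC_SAMPLE"
SYSCTL_SAMPLE=$(mktemp)
printf 'net.ipv4.ip_forward = 0\nkernel.exec-shield = 1\n' > "$SYSCTL_SAMPLE"
GRUB_SAMPLE=$(mktemp)
cat > "$GRUB_SAMPLE" <<'EOF'
default=0
title Red Hat Enterprise Linux Server (2.6.18-8.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet exec-shield=0
        initrd /initrd-2.6.18-8.el5.img
EOF

exec_shield_audit "$PROC_SAMPLE" "$SYSCTL_SAMPLE" "$GRUB_SAMPLE"
```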
IN THIS APPENDIX
Installation and Configuration Troubleshooting
OS Core Concepts Troubleshooting
System Administration Troubleshooting
Network Troubleshooting
Monitoring and Tuning Troubleshooting
Security Troubleshooting
APPENDIX D
Troubleshooting
When a failure or inadequate system performance occurs without an obvious solution, it can be quite frustrating. This appendix contains a list of common troubleshooting questions divided into six parts. The parts correspond to the six parts into which this book is divided to make it easier to find questions relevant to your problems. This appendix cannot address all possible issues, but hopefully it will provide a starting point for solving some of them.
Installation and Configuration Troubleshooting
I have set up an FTP server with the ISO image files necessary for installation, but when I start the installation, I receive an error message that the installation media can't be found on the FTP server. How do I get the installation program to recognize the ISOs on the FTP server?
FTP and HTTP installations require that the installation files from the ISO files be loopback mounted, one installation CD per directory. Refer to the "Using the ISO Files" section in Chapter 1, "Installing Red Hat Enterprise Linux," for details.
How do I determine which repositories were enabled by the registration number entered during installation?
Look in the /var/log/anaconda.log file and search for the key word regkey. For example, the following lines show that Virtualization was enabled with the registration key by listing the VT repository:
03:14:17 INFO : moving (1) to step regkey
03:14:44 INFO : Adding 'VT' repo
03:14:44 INFO : Adding 'Server' repo
03:14:44 INFO : repopaths is {'virt': 'VT', 'base': 'Server'}
I didn't set my hostname during installation, and my DHCP server doesn't set it for me. How do I configure a hostname for my system?

As the root user, edit the HOSTNAME line in the /etc/sysconfig/network file. Set its value to the desired hostname. This value is only read at boot time. To change the hostname immediately, execute the command hostname <newhostname> as the root user.
I modified my boot parameters as described in Chapter 2, "Post-Installation Configuration." How do I verify that the boot parameter was used?

Use the command cat /proc/cmdline to view a list of options passed to the kernel at boot time.

The first time my system booted after installation, the Setup Agent asked whether I wanted a firewall. I enabled it at the time. Now, I want to write my own custom firewall and need to disable the default firewall. How do I disable it?

Select the System menu from the top panel of the desktop and then select Administration, Security Level and Firewall. Enter the root password if prompted. The same interface used in the Setup Agent is displayed. Select Disabled from the pull-down menu, and then click OK. The changes take place immediately. Refer to Chapter 24, "Configuring a Firewall," if you need help writing custom firewall rules using IPTables.

I received an email alert stating that some of the GFS packages have been updated. When I try to use Yum to update them, it says no updates are available. How do I download and install the updates?

Most likely, the system is not subscribed to the RHN software channel that provides the packages and updated packages for GFS. Log in to your RHN account at rhn.redhat.com, and make sure the system is subscribed to the correct channel. The channel containing the GFS packages will be a child channel of the Red Hat Enterprise Linux parent channel.

After installing Red Hat Enterprise Linux as a guest OS in a VM using the Virtualization feature, the installation program says it is going to reboot, but the system shuts down and never comes back up. How do I start the VM again?

To start the VM after installation (and any time the VM is shut down), execute the following command as root, where <name> is the unique name given to the VM during setup:

xm create -c <name>

Even if you are using the Virtual Machine Manager graphical program, this command must be performed on the command line. As of the initial release of Red Hat Enterprise Linux 5, the Virtual Machine Manager interface does not allow the VM to be started.
APPENDIX D Troubleshooting 552

OS Core Concepts Troubleshooting

I am trying to create a directory named data in my home directory, but every time I execute the mkdir /data command, I receive the error message Permission denied. Why am I not allowed to create a new directory?

If you are trying to create a directory in your home directory from the command line, be sure the current working directory is your home directory, and then execute the command mkdir data, without the slash (/) in front of data. The slash in front of the directory name means that you are providing the full path to the directory, and you don't have permission to create a directory on the top level of the filesystem.

I want to update the RPM package for the Apache web server, but I have customized the configuration file already. If I update the package, will I lose my customized configuration file?

No. If you have a modified configuration file when updating the RPM that provides it, one of two actions occurs. If the default configuration file in the updated package hasn't changed between the package version you have installed and the version of the updated package, the configuration file is left alone because it still works with the updated package version.

If the configuration file has changed in the updated package version, the existing configuration file is renamed with a .rpmsave extension such as httpd.conf.rpmsave, and the new configuration file from the updated package is saved to the filesystem. If this occurs, the modifications must be redone in the new configuration file, but the old configuration file can be referenced because it is not lost.

I need to remove some packages from my Red Hat Enterprise Linux server because they are not needed for the function of the server. Can I just use the rpm -e <packages> command to remove them or do I need to use the Yum utility to remove them?

You can use either the rpm or the yum command to delete the packages from the system, but using Yum has one major advantage. If the package being removed is required to be installed by other packages, the rpm command displays an error message listing the packages that require the one trying to be removed, and the package is not removed. Yum can provide this same list and also ask whether you want the additional packages removed at the same time. You can review the list of additional packages and decide whether it is safe to remove them as well.

I modified the /etc/modprobe.conf file to change the kernel module used for the network card in my system. After rebooting to enable the changes, how do I verify that the different module is being used?

The lsmod command lists all the kernel modules currently loaded. Use the command lsmod | grep <modulename>, where <modulename> is the name of the new module to use. If the command outputs a line containing information about the module, it has been loaded.
When trying to use the setfacl command to set the ACLs for a file, I receive the error message Operation not supported. I am using the syntax for the command from Chapter 4, "Understanding Linux Concepts." Why is it not working?

If you see this error message, most likely you have forgotten to enable ACLs for the filesystem in /etc/fstab or forgotten to reboot to enable the changes to /etc/fstab.

Refer to the section "Enabling ACLs" in Chapter 7, "Managing Storage," for details on modifying the /etc/fstab file.

My system is running the 64-bit version of Red Hat Enterprise Linux. Most of the documentation I read refers to files in the /lib/ and /usr/lib/ directories, but I cannot find these files on my system. Where do I get these files?

Most likely, you are just looking in the wrong directory. Most of the packages and libraries for the 64-bit version of Red Hat Enterprise Linux are built specifically for the 64-bit architecture. Look in the /lib64/ and /usr/lib64/ directories instead.

System Administration Troubleshooting

I am exporting the home directories of my organization to all workstations from a SAN using NFS. Because NFS does not perform any authentication, I need to make sure all the UIDs for each user are the same on all workstations. How do I do this?

This can be accomplished in a few different ways. If you are adding local users to each workstation, you can either specify the UID to use when creating each user with the -u <uid> option to the useradd command or select the Specify user ID manually option in the User Manager graphical application.

Or, you can configure all workstations to use a network authentication method for user login so that the user database comes from one location, meaning all the UIDs used on the workstations are the same. For more information about network authentication methods, refer to Chapter 12, "Identity Management."

I am using the tar utility from Chapter 10, "Techniques for Backup and Recovery," in my backup process. However, when I recover the files, the ACLs for the files are not preserved. How do I back up the ACLs for the filesystem as well?

The tar and dump programs do not preserve ACLs. The star utility must be used instead. Installing the star RPM package will allow you to use the star program.

The filesystem containing my /boot directory has failed, and I have installed a new hard drive with a new /boot partition, including files restored from backup. How do I configure the system to use the new /boot partition if I can start the operating system?

To boot the system without mounting any filesystems, boot into rescue mode as described in the "Recovery and Repair" section of Chapter 10. Once the system is in rescue mode, mount the filesystem containing the /etc/fstab file. Modify the /etc/fstab file to use the new /boot partition.
My system is configured to adjust the time and date for Daylight Saving Time. I have a cron task scheduled during the hour skipped for Daylight Saving Time. Will the cron task get executed?

Cron is written such that any time change of less than three hours is compensated for by running any tasks scheduled for the missing time immediately. So, any jobs scheduled during the skipped hour are run immediately after the time change.
Network Troubleshooting

I have an NIS server configured for my network for user authentication on all workstations. It recently had a disk failure and needed to be repaired. During the downtime, users could not log into their computers because the authentication server was down. Is there a way to allow users to log in when the NIS server goes down?

If your user database doesn't change that often, you can have a backup hard drive or hard drives ready to use should another disk failure occur. However, this solution still includes some downtime to change the disks. A better solution would be to set up a slave NIS server. Its user database is updated from the NIS master server, and it will answer NIS requests should the master go down or get overloaded. Users on the workstations will not even notice if the master NIS server goes down.
I have a firewall that only allows traffic on specific ports. I know that NFS uses port 2049 by default, and I have not changed this. However, my NFS connections still aren't working. How do I allow NFS connections to my clients?

NFS does use port 2049. It also uses several other ports, some of which are not static by default. Refer to the "Assigning Static NFS Ports" section of Chapter 13, "Network File Sharing," for details.
I have changed the default port of the Apache Web Server. I don't receive any errors when starting the daemon, but how do I connect to the server from a web browser now?

If you have modified the default port number of Apache, append the IP address, hostname of the server, or the registered domain name such as www.example.com with a colon and the port number:

http://www.example.com:<portnum>

How do I know if my system is dropping network packets?

If you suspect packets are being dropped during network transfers, look at the output of the ifconfig command. The stanza for each interface contains a line for RX and a line for TX packets. Read these lines and look for the number after dropped. If packets are being dropped, the number of dropped packets is listed as in the following:

RX packets:176430 errors:0 dropped:1567 overruns:0 frame:0
TX packets:160707 errors:0 dropped:5873 overruns:0 carrier:0
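To check this without reading every stanza by hand, here is an added example (not from the book) that runs over ifconfig output in this format and reports only the interfaces whose RX or TX dropped counter is nonzero. The ifconfig output embedded in it is constructed sample data; in practice, pipe a live ifconfig into report_drops.

```shell
#!/bin/sh
# Added example: find interfaces whose ifconfig counters show dropped packets.
# Constructed sample of ifconfig output in the net-tools format shown above
# (an eth0 that is dropping packets and a clean loopback interface).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:16:3E:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:176430 errors:0 dropped:1567 overruns:0 frame:0
          TX packets:160707 errors:0 dropped:5873 overruns:0 carrier:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0'

# report_drops: read ifconfig output on stdin and print one line per interface
# with a nonzero RX or TX dropped counter: "<iface> <rx_dropped> <tx_dropped>".
report_drops() {
  awk '
    # Extract the integer that follows "dropped:" on a counter line.
    function dropped(line,   s) {
      s = line
      sub(/.*dropped:/, "", s)
      sub(/[^0-9].*/, "", s)
      return s + 0
    }
    /^[^ \t]/     { iface = $1; order[++n] = iface }   # interface header line
    /RX packets:/ { rx[iface] = dropped($0) }
    /TX packets:/ { tx[iface] = dropped($0) }
    END {
      for (i = 1; i <= n; i++) {
        if (rx[order[i]] > 0 || tx[order[i]] > 0) {
          print order[i], rx[order[i]] + 0, tx[order[i]] + 0
        }
      }
    }'
}

# has_drops: exit status 0 when at least one interface is dropping packets,
# 1 otherwise, so the check can run from cron and alert on a nonzero result.
has_drops() {
  [ -n "$(report_drops)" ]
}

# Demonstration on the sample data (live use: ifconfig | report_drops).
printf '%s\n' "$SAMPLE_IFCONFIG" | report_drops
```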
I need to start a graphical program from a remote server. I used the SSH utility to log into it. But, when I run the command to start the graphical program, I see the following error:

Unable to initialize graphical environment. Most likely cause of failure
is that the tool was not run using a graphical environment. Please either
start your graphical user interface or set your DISPLAY variable.
Caught exception: could not open display

You need to enable X11 forwarding to be able to display a graphical interface on a remote system via SSH. Use the -Y option when executing the ssh command to connect to the server:

ssh -Y <servername>

Monitoring and Tuning Troubleshooting

How do I limit the amount of memory each user is allowed to use so one user can't hog all the memory and slow down the other users?

The /etc/security/limits.conf file allows an administrator to limit the amount of memory locked in by an individual user or a user group. The file must be edited by the root user. Each line in the file contains four values:

<domain> <type> <item> <value>

The <domain> value is a valid username or a group name preceded by the @ symbol such as @legal. The type must be either soft for enforcing as a soft limit or hard for enforcing as a hard limit. The item should be memlock for limiting locked-in memory. The value is the value of the limit, which is an integer that represents the maximum amount of memory in kilobytes.

TIP
Read the comments in /etc/security/limits.conf and the limits.conf man page for details on how to limit other items such as maximum filesize allowed by a user and maximum number of users allowed to log into the system at the same time.

The processors in my four-way server were being maxed out, so I installed two more processors. How do I tell whether Linux recognizes the new processors?

The kernel should automatically detect the new processors and balance the load between all processors. To verify the processors are recognized, use the cat /proc/cpuinfo command to view a list of all processors found by the kernel. You should see a processor stanza for each processor. If you have multi-core processors, each processor core is listed as a separate processor. Refer to Chapter 8, "64-Bit, Multi-Core, and Hyper-Threading Technology Processors," for details on reading the output for multi-core processors.
Why does the syslog only report recent data?

If the syslog were allowed to grow indefinitely, it would eventually fill up the partition that it resides on. The logrotate daemon allows the syslog to be flushed out at a specified interval. By default, the logrotate daemon will keep up to four weeks of previous system logs. Once every week, the current /var/log/messages file will be renamed to /var/log/messages.1 and a new /var/log/messages file will be created. If you need to keep syslogs for more than four weeks, this can be configured in the /etc/logrotate.conf file.

Why is my system running slow?

Poor system performance can be caused by a number of factors. More often than not, performance problems are caused by excessive demand of the CPU, system memory, or the I/O subsystem.

Start troubleshooting by using the sysstat utilities as discussed in Chapter 20, "Monitoring System Resources," to determine if any of your resources are being 100% utilized for prolonged periods of time. Also consider writing scripts and scheduling them with cron so you can collect this data on a consistent basis as discussed in "Automating Tasks with Scripts," also in Chapter 20.
Several times on my network file server a user has used all the free disk space in the /home partition, causing all users to receive failure to write to disk errors. How can I monitor the disk space on the partition and limit users to a specific amount of disk space?

Monitoring the amount of disk space free can be done easily with the audit daemon as discussed in Chapter 25, "Linux Auditing System." To limit the amount of disk space a user is allowed, try using disk quotas as discussed in Chapter 7, "Managing Storage."
I suspect that the I/O transfer rates for my system are slower than they are supposed to be. How can I determine what the actual transfer rates are for my hard drives?

Try using iostat as discussed in Chapter 20 to monitor the transfer rates over a period of time. After gathering this information for a few weeks or even a month, calculate the averages to determine if your hard drives are performing adequately. Remember this task can be automated with cron as discussed in Chapter 11, "Automating Tasks with Scripts."

I am seeing the message kernel: CPU0: Temperature above threshold, cpu clock throttled displayed at the console and virtual terminals. What is causing this and how can I prevent it?

This message is displayed when the processor has reached its maximum safe temperature. If the processor goes above this threshold, it might harm the processor. If you see this warning, check the processor fan to make sure it is running and seated properly. If it is not running or there is physical damage, replace the processor fan. If the fan seems to be working properly, check the BIOS of your system for processor fan settings to make sure it is allowed to run at full capacity should it need to. If you still see the message, try replacing the processor with a known good processor or take the processor somewhere to be tested.
Security Troubleshooting

I have stopped all unnecessary services on my servers with external IP addresses and blocked all unnecessary connection requests with IPTables. However, I would like to monitor which ports are open on each server to make sure someone hasn't compromised my system and opened up ports for other uses. How do I get a list of open ports?

Use the nmap program. If the system is registered with Red Hat Network, issue the yum install nmap command as root to install it. Then, execute the nmap <address> command where <address> is the IP address or hostname of the system to scan. A list of open ports and the service associated with each is listed as in the following:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-01-21 00:26 EST
Interesting ports on smallville (127.0.0.1):
Not shown: 1672 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
671/tcp  open  unknown
2049/tcp open  nfs
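A single scan is only a snapshot; the monitoring the question asks for needs the open-port list compared against what the host is supposed to expose. The following added example (not from the book) parses nmap output in the format above and prints any open port missing from a baseline; both the nmap output and the baseline are constructed sample data embedded in the script, and in practice you would pipe nmap <address> into check_ports from a cron job.

```shell
#!/bin/sh
# Added example: compare the open ports reported by nmap against a baseline.
# The nmap output below is constructed sample data in the format shown above.
SAMPLE_NMAP='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-01-21 00:26 EST
Interesting ports on smallville (127.0.0.1):
Not shown: 1672 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
671/tcp  open  unknown
2049/tcp open  nfs'

# Constructed baseline: the ports this host is expected to expose, one per
# line. In practice keep one such list per host and review every change to it.
BASELINE='22/tcp
25/tcp
111/tcp
2049/tcp'

# open_ports: read nmap output on stdin; print "port/proto service" for each
# row whose STATE column is "open". Header and summary lines are skipped
# because their first field is not of the form <number>/<proto>.
open_ports() {
  awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1, $3 }'
}

# unexpected_ports: read nmap output on stdin; print every open port that is
# not listed in BASELINE. Prints nothing when the host matches the baseline.
unexpected_ports() {
  open_ports | while read -r port service; do
    printf '%s\n' "$BASELINE" | grep -qx "$port" ||
      printf '%s %s\n' "$port" "$service"
  done
}

# check_ports: exit 0 when nothing unexpected is open, 1 otherwise, so a
# cron job can mail or log the difference only when something changed.
check_ports() {
  unexpected="$(unexpected_ports)"
  if [ -n "$unexpected" ]; then
    printf 'unexpected open ports:\n%s\n' "$unexpected" >&2
    return 1
  fi
  return 0
}

# Demonstration on the sample data (live use: nmap <address> | check_ports).
printf '%s\n' "$SAMPLE_NMAP" | unexpected_ports
```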
I am using the default firewall from the Security Level tool. It is working for me except that I need to allow connections for an additional port for the corporate VPN. Can I continue to use the default security level and just add an IPTables rule for another port?

Yes. Start the Security Level tool by selecting the System menu from the top panel and then selecting Administration, Security Level and Firewall. You can also execute the system-config-securitylevel command to start the tool. At the bottom of the Firewall Options tab, there is an Other ports area. Click the triangle icon beside the Other ports label to show a table of ports. It should be empty since you haven't added any ports yet. Click the Add button to add your additional ports. When finished, click OK in the main window of the tool to enable the change immediately. Execute the iptables -L command to verify that the rule has been added.
After modifying the /etc/audit/audit.rules file and restarting the daemon, I get the following error message:

There was an error in line 26 of /etc/audit/audit.rules

What does this mean and how do I fix it?

It means that there is a syntax error on line 26 of the rules file. Re-edit the file to fix the syntax error, and restart the daemon with the service auditd restart command. Then use the auditctl -l command to list all active audit rules and watches to verify.