Edition 2
Copyright © 2008 Red Hat, Inc
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
Kernel Modules and Manually Updating the Kernel chapters: The Kernel Modules and Upgrading the Kernel Manually chapters include updated information regarding the 2.6 kernel. Special thanks to Arjan van de Ven for his hard work in helping to complete this chapter.
Mono-spaced Bold
To see the contents of the file my_next_bestselling_novel in your current working directory, enter the cat my_next_bestselling_novel command at the shell prompt and press Enter to execute the command.
Press Enter to execute the command. Press Ctrl+Alt+F2 to switch to the first virtual terminal. Press Ctrl+Alt+F1 to return to your X-Windows session.
mono-spaced bold. For example:
File-related classes include filesystem for file systems, file for files, and dir for directories. Each class has its own associated set of permissions.
Choose → → from the main menu bar to launch Mouse Preferences. In the Buttons tab, click the Left-handed mouse check box and click to switch the primary mouse button from the left to the right (making the mouse suitable for use in the left hand).To insert a special character into a gedit file, choose → → from the main menu bar. Next, choose → from the Character Map menu bar, type the name of the character in the Search field and click . The character you sought will be highlighted in the Character Table. Double-click this highlighted character to place it in the Text to copy field and then click the button. Now switch back to your document and choose → from the gedit menu bar.
Mono-spaced Bold Italic or Proportional Bold Italic
To connect to a remote machine using ssh, type ssh username@domain.name at a shell prompt. If the remote machine is example.com and your username on that machine is john, type ssh john@example.com.
The mount -o remount command remounts the named file system. For example, to remount the /home file system, the command is mount -o remount /home.
To see the version of a currently installed package, use the rpm -q package command. It will return a result as follows: package-version-release
Publican is a DocBook publishing system.
mono-spaced roman and presented thus:
books Desktop documentation drafts mss photos stuff svn books_tests Desktop1 downloads images notes scripts svgs
mono-spaced roman but add syntax highlighting as follows:
package org.jboss.book.jca.ex1;

import javax.naming.InitialContext;

public class ExClient {
    public static void main(String args[]) throws Exception {
        InitialContext iniCtx = new InitialContext();
        Object ref = iniCtx.lookup("EchoBean");
        EchoHome home = (EchoHome) ref;
        Echo echo = home.create();

        System.out.println("Created Echo");
        System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
    }
}
rh-sag.
rh-sag
Table of Contents
sample.ks file found in the RH-DOCS directory of the Red Hat Enterprise Linux Documentation CD, using the Kickstart Configurator application, or writing it from scratch. The Red Hat Enterprise Linux installation program also creates a sample kickstart file based on the options that you selected during installation. It is written to the file /root/anaconda-ks.cfg. You should be able to edit it with any text editor or word processor that can save files as ASCII text.
%packages section — Refer to Section 1.5, “Package Selection” for details.
%pre and %post sections — These two sections can be in any order and are not required. Refer to Section 1.6, “Pre-installation Script” and Section 1.7, “Post-installation Script” for details.
upgrade keyword
autopart (optional) /) partition, a swap partition, and an appropriate boot partition for the architecture. One or more of the default partition sizes can be redefined with the part directive.
ignoredisk (optional) ignoredisk, attempting to deploy on a SAN-cluster the kickstart would fail, as the installer detects passive paths to the SAN that return no partition table.
ignoredisk option is also useful if you have multiple paths to your disks.
ignoredisk --drives=drive1,drive2,...
driveN is one of sda, sdb,..., hda,... etc.
autostep (optional) interactive except it goes to the next screen for you. It is used mostly for debugging.
auth or authconfig (required) authconfig command, which can be run after the install. By default, passwords are normally encrypted and are not shadowed.
--enablemd5--enablenis--enablenis uses whatever domain it finds on the network. A domain should almost always be set by hand with the --nisdomain= option.
--nisdomain=--nisserver=--useshadow or --enableshadow--enableldap/etc/nsswitch.conf, allowing your system to retrieve information about users (UIDs, home directories, shells, etc.) from an LDAP directory. To use this option, you must install the nss_ldap package. You must also specify a server and a base DN (distinguished name) with --ldapserver= and --ldapbasedn=.
--enableldapauthpam_ldap module for authentication and changing passwords, using an LDAP directory. To use this option, you must have the nss_ldap package installed. You must also specify a server and a base DN with --ldapserver= and --ldapbasedn=.
--ldapserver=--enableldap or --enableldapauth, use this option to specify the name of the LDAP server to use. This option is set in the /etc/ldap.conf file.
--ldapbasedn=--enableldap or --enableldapauth, use this option to specify the DN in your LDAP directory tree under which user information is stored. This option is set in the /etc/ldap.conf file.
--enableldaptls--enablekrb5/usr/sbin/useradd command to make their accounts known to this workstation. If you use this option, you must have the pam_krb5 package installed.
--krb5realm=--krb5kdc=--krb5adminserver=--enablehesiod/usr/share/doc/glibc-2.x.x/README.hesiod, which is included in the glibc package. Hesiod is an extension of DNS that uses DNS records to store information about users, groups, and various other items.
--hesiodlhs/etc/hesiod.conf. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP's use of a base DN.
--hesiodrhs/etc/hesiod.conf. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP's use of a base DN.
jim:*:501:501:Jungle Jim:/home/jim:/bin/bash). For groups, the situation is identical, except jim.group<LHS><RHS> would be used.
--enablesmbauth/usr/sbin/useradd command to make their accounts known to the workstation. To use this option, you must have the pam_smb package installed.
--smbservers=--smbworkgroup=--enablecachenscd service. The nscd service caches information about users, groups, and various other types of information. Caching is especially helpful if you choose to distribute information about users and groups over your network using NIS, LDAP, or hesiod.
bootloader (required)bootloader --upgrade.
--append=
bootloader --location=mbr --append="hdd=ide-scsi ide=nodma"
--driveorder
bootloader --driveorder=sda,hda
--location=: mbr (the default), partition (installs the boot loader on the first sector of the partition containing the kernel), or none (do not install the boot loader).
--password=--md5pass=--password= except the password should already be encrypted.
--upgradeclearpart (optional) clearpart command is used, then the --onpart command cannot be used on a logical partition.
--all
--drives=
clearpart --drives=hda,hdb --all
--initlabel: initializes the disk label to the default for your architecture (msdos for x86 and gpt for Itanium). It is useful so that the installation program does not ask if it should initialize the disk label if installing to a brand new hard drive.
--linux
--none (default)
cmdline (optional)
device (optional)
The device command, which tells the installation program to install extra modules, is in this format:
device <type> <moduleName> --opts=<options>
<type>scsi or eth
<moduleName>--opts=/etc/fstab for an NFS mount are allowed. The options are listed in the nfs(5) man page. Multiple options are separated with a comma.
driverdisk (optional) driverdisk command to tell the installation program where to look for the driver disk.
driverdisk <partition> [--type=<fstype>]
driverdisk --source=ftp://path/to/dd.img
driverdisk --source=http://path/to/dd.img
driverdisk --source=nfs:host:/path/to/img
<partition>
--type=
firewall (optional)
firewall --enabled|--disabled [--trust=] <device> [--port=]
--enabled
--disabled
--trust=: to list more than one device, use --trust eth0 --trust eth1. Do NOT use a comma-separated format such as --trust eth0, eth1.
<incoming>
--ssh
--telnet
--smtp
--http
--ftp
--port=: ports allowed through the firewall are given in the port:protocol format, for example imap:tcp. Numeric ports can also be specified explicitly; for example, to allow UDP packets on port 1234 through, specify 1234:udp. To specify multiple ports, separate them by commas.
firstboot (optional) firstboot package must be installed. If not specified, this option is disabled by default.
--enable
--disable
--reconfig
halt (optional): if no completion method is specified, the reboot option is used as default.
The halt option is roughly equivalent to the shutdown -h command.
See also the poweroff, reboot, and shutdown kickstart options.
install (optional) cdrom, harddrive, nfs, or url (for FTP or HTTP installations). The install command and the installation method command must be on separate lines.
cdrom
harddrive
--partition=
--dir=
RedHat directory of the installation tree.
harddrive --partition=hdb2 --dir=/tmp/install-tree
nfs
--server=
--dir=
RedHat directory of the installation tree.
nfs --server=nfsserver.example.com --dir=/tmp/install-tree
url
url --url http://<server>/<dir>
url --url ftp://<username>:<password>@<server>/<dir>
interactive (optional) autostep command.
keyboard (required) be-latin1, bg, br-abnt2, cf, cz-lat2, cz-us-qwertz, de, de-latin1, de-latin1-nodeadkeys, dk, dk-latin1, dvorak, es, et, fi, fi-latin1, fr, fr-latin0, fr-latin1, fr-pc, fr_CH, fr_CH-latin1, gr, hu, hu101, is-latin1, it, it-ibm, it2, jp106, la-latin1, mk-utf, no, no-latin1, pl, pt-latin1, ro_win, ru, ru-cp1251, ru-ms, ru1, ru2, ru_win, sg, sg-latin1, sk-qwerty, slovene, speakup, speakup-lt, sv-latin1, sg, sg-latin1, sk-querty, slovene, trq, ua, uk, us, us-acentos
/usr/lib/python2.2/site-packages/rhpl/keyboard_models.py also contains this list and is part of the rhpl package.
lang (required)
lang en_US/usr/share/system-config-language/locale-list provides a list of the valid language codes in the first column of each line and is part of the system-config-language package.
langsupport (required) lang can be used with langsupport.
fr_FR:
langsupport fr_FR
--default=
langsupport --default=en_US fr_FR
If --default is used with only one language, all languages are installed with the specified language set to the default.
logvol (optional)
logvol <mntpoint> --vgname=<name> --size=<size> --name=<name> <options>
part pv.01 --size 3000
volgroup myvg pv.01
logvol / --vgname=myvg --size=2000 --name=rootvol
For a detailed example of logvol in action, refer to Section 1.4.1, “Advanced Partitioning Example”.
mouse (required) --device=--device=ttyS0).
--emulthreealpsps/2, ascii, asciips/2, atibm, generic, generic3, genericps/2, generic3ps/2, genericwheelps/2, genericusb, generic3usb, genericwheelusb, geniusnm, geniusnmps/2, geniusprops/2, geniusscrollps/2, geniusscrollps/2+, thinking, thinkingps/2, logitech, logitechcc, logibm, logimman, logimmanps/2, logimman+, logimman+ps/2, logimmusb, microsoft, msnew, msintelli, msintellips/2, msintelliusb, msbm, mousesystems, mmseries, mmhittab, sun, none
/usr/lib/python2.2/site-packages/rhpl/mouse.py file, which is part of the rhpl package.
network (optional) network option configures networking information for kickstart installations via a network as well as for the installed system.
--bootproto=dhcp, bootp, or static.
dhcp. bootp and dhcp are treated the same.
network --bootproto=dhcp
network --bootproto=bootp
network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 \ --gateway=10.0.2.254 --nameserver=10.0.2.1
network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 \ --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
--device=--device= is not effective unless the kickstart file is a local file (such as ks=floppy), since the installation program configures the network to find the kickstart file. For example:
network --bootproto=dhcp --device=eth0
--ip=
--gateway=
--nameserver=
--nodns
--netmask=
--hostname=
--nostorage
part or partition (required for installs, ignored for upgrades): all partitions created are formatted as part of the installation process unless --noformat and --onpart are used.
For a detailed example of part in action, refer to Section 1.4.1, “Advanced Partitioning Example”.
<mntpoint><mntpoint> is where the partition is mounted and must be of one of the following forms:
/<path>
/, /usr, /home
swap
--recommended option:
swap --recommendedrecommended option yields a limitation of 8GB for the swap partition. If you want to create a larger swap partition, specify the correct size in the kickstart file or create the partitions manually.
raid.<id>
raid).
pv.<id>
logvol).
--size=
--grow
--maxsize=
--noformat: tells the installation program not to format the partition, for use with the --onpart command.
--onpart= or --usepart=: puts the partition on an already existing device. For example, partition /home --onpart=hda1 puts /home on /dev/hda1, which must already exist.
--ondisk= or --ondrive=--ondisk=sdb puts the partition on the second SCSI disk on the system.
--asprimary
--type= (replaced by --fstype=)
--fstype=ext2, ext3, swap, and vfat.
--start=--ondisk= or ondrive=. It also requires that the ending cylinder be specified with --end= or the partition size be specified with --size=.
--end=--start=.
poweroff (optional): if no completion method is specified, the reboot option is used as default.
The poweroff option is roughly equivalent to the shutdown -p command.
The poweroff option is highly dependent on the system hardware in use. Specifically, certain hardware components such as the BIOS, APM (advanced power management), and ACPI (advanced configuration and power interface) must be able to interact with the system kernel. Contact your manufacturer for more information on your system's APM/ACPI abilities.
See also the halt, reboot, and shutdown kickstart options.
raid (optional)
raid <mntpoint> --level=<level> --device=<mddevice> <partitions*>
<mntpoint>: location where the RAID file system is mounted. If it is /, the RAID level must be 1 unless a boot partition (/boot) is present. If a boot partition is present, the /boot partition must be level 1 and the root (/) partition can be any of the available types. The <partitions*> (which denotes that multiple partitions can be listed) lists the RAID identifiers to add to the RAID array.
--level=
--device=
--spares=
--fstype=
--noformat
--useexisting
The following example shows how to create a RAID level 1 partition for /, and a RAID level 5 for /usr, assuming there are three SCSI disks on the system. It also creates three swap partitions, one on each drive.
part raid.01 --size=60 --ondisk=sda
part raid.02 --size=60 --ondisk=sdb
part raid.03 --size=60 --ondisk=sdc
part swap --size=128 --ondisk=sda
part swap --size=128 --ondisk=sdb
part swap --size=128 --ondisk=sdc
part raid.11 --size=1 --grow --ondisk=sda
part raid.12 --size=1 --grow --ondisk=sdb
part raid.13 --size=1 --grow --ondisk=sdc
raid / --level=1 --device=md0 raid.01 raid.02 raid.03
raid /usr --level=5 --device=md1 raid.11 raid.12 raid.13
For a detailed example of raid in action, refer to Section 1.4.1, “Advanced Partitioning Example”.
reboot (optional): the reboot option is roughly equivalent to the shutdown -r command.
Use of the reboot option may result in an endless installation loop, depending on the installation media and method.
The reboot option is the default completion method if no other methods are explicitly specified in the kickstart file.
See also the halt, poweroff, and shutdown kickstart options.
rootpw (required): sets the system's root password to the <password> argument.
rootpw [--iscrypted] <password>
--iscrypted
selinux (optional)
--enforcing
If the selinux option is not present in the kickstart file, SELinux is enabled and set to --enforcing by default.
--permissive
--disabled
shutdown (optional): if no completion method is specified, the reboot option is used as default.
The shutdown option is roughly equivalent to the shutdown command.
See also the halt, poweroff, and reboot kickstart options.
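Several of the commands above (rootpw, selinux, firewall, url) decide how exposed the freshly installed system is, and a kickstart file is usually readable by every host that can reach the install server. The following POSIX sh lint, an added example that is not part of the Red Hat guide, reads a kickstart file and flags a rootpw without --iscrypted, credentials embedded in a url line, selinux or firewall set to --disabled, and --port entries that do not follow the port:protocol form. The sample kickstart file, the temp file name and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: a POSIX sh lint for the kickstart
# settings documented above that weaken a freshly built system. The sample
# kickstart file, the temp file name and the function names are constructed.

# Constructed sample kickstart file, written to a temp file so the lint reads
# it the same way it would read a real ks.cfg.
KS_SAMPLE="${TMPDIR:-/tmp}/ks-lint-sample.$$"
cat > "$KS_SAMPLE" <<'EOF'
# constructed sample; not a working installation profile
install
url --url ftp://installer:s3cret@mirror.example.com/rhel4
lang en_US
rootpw plain-text-root
firewall --enabled --port=imap:tcp,1234:udp,http:tpc
selinux --disabled
reboot
EOF

# port_spec_ok SPEC: true when SPEC has the port:protocol form the firewall
# option expects (a service name or a number from 1 to 65535, then tcp or udp).
port_spec_ok() {
    spec=$1
    case "$spec" in
        *:*) ;;
        *) return 1 ;;
    esac
    port=${spec%%:*}
    proto=${spec#*:}
    case "$proto" in
        tcp|udp) ;;
        *) return 1 ;;
    esac
    case "$port" in
        '') return 1 ;;
        *[!0-9]*) return 0 ;;   # service name such as imap, resolved via /etc/services
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ;;
    esac
}

# ks_lint FILE: prints one line per finding and returns the number of findings
# (0 means nothing was flagged). Only the commands documented above are checked.
ks_lint() {
    file=$1
    count=0
    set -f   # no globbing while splitting kickstart lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "$1" in
            rootpw)
                case " $* " in
                    *" --iscrypted "*) ;;
                    *) echo "rootpw: clear-text root password; use --iscrypted with a hashed password"
                       count=$((count + 1)) ;;
                esac ;;
            url)
                case "$line" in
                    *://*:*@*) echo "url: credentials in the installation URL are readable by anyone who can read the kickstart file"
                               count=$((count + 1)) ;;
                esac ;;
            selinux)
                case " $* " in
                    *" --disabled "*) echo "selinux: --disabled turns SELinux off on the installed system"
                                      count=$((count + 1)) ;;
                esac ;;
            firewall)
                case " $* " in
                    *" --disabled "*) echo "firewall: --disabled leaves every incoming port open"
                                      count=$((count + 1)) ;;
                esac
                for arg in "$@"; do
                    case "$arg" in --port=*) ;; *) continue ;; esac
                    old_ifs=$IFS; IFS=','
                    for spec in ${arg#--port=}; do
                        port_spec_ok "$spec" || {
                            echo "firewall: bad --port entry '$spec' (expected <port>:<tcp|udp>)"
                            count=$((count + 1))
                        }
                    done
                    IFS=$old_ifs
                done ;;
        esac
    done < "$file"
    set +f
    return $count
}

# Stand-alone run: report on the constructed sample (4 findings).
ks_lint "$KS_SAMPLE"
echo "findings: $?"
```

The sample produces four findings: the ftp credentials in url, the clear-text rootpw, the mistyped protocol in http:tpc, and selinux --disabled. A hash for rootpw --iscrypted can be produced with openssl passwd -1, so the clear-text password never needs to be written into ks.cfg.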
skipx (optional)
text (optional)
timezone (required): sets the system time zone to <timezone>, which may be any of the time zones listed by timeconfig.
timezone [--utc] <timezone>
--utc
upgrade (optional): you must specify one of cdrom, harddrive, nfs, or url (for FTP and HTTP) as the location of the installation tree. Refer to install for details.
xconfig (optional)
--noprobe
--card=: the card name should be from the list of cards in /usr/share/hwdata/Cards from the hwdata package. The list of cards can also be found on the X Configuration screen of the Kickstart Configurator. If this argument is not provided, the installation program probes the PCI bus for the card. Since AGP is part of the PCI bus, AGP cards are detected if supported. The probe order is determined by the PCI scan order of the motherboard.
--videoram=
--monitor=: the monitor name should be from the list of monitors in /usr/share/hwdata/MonitorsDB from the hwdata package. The list of monitors can also be found on the X Configuration screen of the Kickstart Configurator. This is ignored if --hsync or --vsync is provided. If no monitor information is provided, the installation program tries to probe for it automatically.
--hsync=
--vsync=
--defaultdesktop= (assumes the desktop environment has been installed through %packages).
--startxonboot
--resolution=
--depth=
volgroup (optional)
volgroup <name> <partition> <options>
part pv.01 --size 3000
volgroup myvg pv.01
logvol / --vgname=myvg --size=2000 --name=rootvol
For a detailed example of volgroup in action, refer to Section 1.4.1, “Advanced Partitioning Example”.
zerombr (optional): if zerombr is specified, and yes is its sole argument, any invalid partition tables found on disks are initialized. This destroys all of the contents of disks with invalid partition tables. This command should be in the following format:
zerombr yes
%include
Use the %include /path/to/file command to include the contents of another file in the kickstart file as though the contents were at the location of the %include command in the kickstart file.
The following is a single, integrated example showing the clearpart, raid, part, volgroup, and logvol kickstart options in action:
clearpart --drives=hda,hdc --initlabel
# Raid 1 IDE config
part raid.11 --size 1000 --asprimary --ondrive=hda
part raid.12 --size 1000 --asprimary --ondrive=hda
part raid.13 --size 2000 --asprimary --ondrive=hda
part raid.14 --size 8000 --ondrive=hda
part raid.15 --size 1 --grow --ondrive=hda
part raid.21 --size 1000 --asprimary --ondrive=hdc
part raid.22 --size 1000 --asprimary --ondrive=hdc
part raid.23 --size 2000 --asprimary --ondrive=hdc
part raid.24 --size 8000 --ondrive=hdc
part raid.25 --size 1 --grow --ondrive=hdc
# You can add --spares=x
raid / --fstype ext3 --device md0 --level=RAID1 raid.11 raid.21
raid /safe --fstype ext3 --device md1 --level=RAID1 raid.12 raid.22
raid swap --fstype swap --device md2 --level=RAID1 raid.13 raid.23
raid /usr --fstype ext3 --device md3 --level=RAID1 raid.14 raid.24
raid pv.01 --fstype ext3 --device md4 --level=RAID1 raid.15 raid.25
# LVM configuration so that we can resize /var and /usr/local later
volgroup sysvg pv.01
logvol /var --vgname=sysvg --size=8000 --name=var
logvol /var/freespace --vgname=sysvg --size=8000 --name=freespacetouse
logvol /usr/local --vgname=sysvg --size=1 --grow --name=usrlocal
Use the %packages command to begin a kickstart file section that lists the packages you would like to install (this is for installations only, as package selection during upgrades is not supported).
Refer to the RedHat/base/comps.xml file on the first Red Hat Enterprise Linux CD-ROM for a list of groups. Each group has an id, user visibility value, name, description, and package list. In the package list, the packages marked as mandatory are always installed if the group is selected, the packages marked default are selected by default if the group is selected, and the packages marked optional must be specifically selected even if the group is selected to be installed.
Core and Base groups are always selected by default, so it is not necessary to specify them in the %packages section.
%packages selection:
%packages
@ X Window System
@ GNOME Desktop Environment
@ Graphical Internet
@ Sound and Video
dhcp
Groups are specified, one to a line, starting with an @ symbol, a space, and then the full group name as given in the comps.xml file. Groups can also be specified using the id for the group, such as gnome-desktop. Specify individual packages with no additional characters (the dhcp line in the example above is an individual package).
To specify a package not to install, prefix its name with a dash:
-autofs
The following options are available for the %packages option:
--resolvedeps
%packages --resolvedeps
--ignoredeps
%packages --ignoredeps
--ignoremissing
%packages --ignoremissing
ks.cfg has been parsed. This section must be at the end of the kickstart file (after the commands) and must start with the %pre command. You can access the network in the %pre section; however, name service has not been configured at this point, so only IP addresses work.
--interpreter /usr/bin/python
Replace /usr/bin/python with the scripting language of your choice.
Here is an example %pre section:
%pre
#!/bin/sh
hds=""
mymedia=""
# Collect the IDE devices that /proc reports as disks (CD-ROMs report "cdrom")
for file in /proc/ide/h*
do
  mymedia=`cat "$file/media"`
  if [ "$mymedia" = "disk" ] ; then
    hds="$hds `basename $file`"
  fi
done
set $hds
numhd=$#
drive1=`echo $hds | cut -d' ' -f1`
drive2=`echo $hds | cut -d' ' -f2`
# Write out a partition scheme based on whether there are 1 or 2 hard drives
if [ "$numhd" = "2" ] ; then
  # 2 drives: use the detected device names rather than assuming hda/hdb,
  # since the second disk is often hdc when hdb is a CD-ROM
  echo "#partitioning scheme generated in %pre for 2 drives" > /tmp/part-include
  echo "clearpart --all" >> /tmp/part-include
  echo "part /boot --fstype ext3 --size 75 --ondisk $drive1" >> /tmp/part-include
  echo "part / --fstype ext3 --size 1 --grow --ondisk $drive1" >> /tmp/part-include
  echo "part swap --recommended --ondisk $drive1" >> /tmp/part-include
  echo "part /home --fstype ext3 --size 1 --grow --ondisk $drive2" >> /tmp/part-include
else
  # 1 drive
  echo "#partitioning scheme generated in %pre for 1 drive" > /tmp/part-include
  echo "clearpart --all" >> /tmp/part-include
  echo "part /boot --fstype ext3 --size 75" >> /tmp/part-include
  echo "part swap --recommended" >> /tmp/part-include
  echo "part / --fstype ext3 --size 2048" >> /tmp/part-include
  echo "part /home --fstype ext3 --size 2048 --grow" >> /tmp/part-include
fi
%include /tmp/part-include
%post
This section must start with the %post command. It is useful for functions such as installing additional software and configuring an additional nameserver.
If you configured the network for DHCP, the /etc/resolv.conf file has not been completed when the installation executes the %post section. You can access the network, but you can not resolve IP addresses. Thus, if you are using DHCP, you must specify IP addresses in the %post section.
--nochroot
For example, to copy the file /etc/resolv.conf to the file system that was just installed:
%post --nochroot
cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
--interpreter /usr/bin/python
Replace /usr/bin/python with the scripting language of your choice.
Turn services on and off:
/sbin/chkconfig --level 345 telnet off
/sbin/chkconfig --level 345 finger off
/sbin/chkconfig --level 345 lpd off
/sbin/chkconfig --level 345 httpd on
Run a script named runme from an NFS share:
mkdir /mnt/temp
mount -o nolock 10.10.0.2:/usr/new-machines /mnt/temp
open -s -w -- /mnt/temp/runme
umount /mnt/temp
Note that -o nolock is required when mounting an NFS mount.
Add a user to the system:
/usr/sbin/useradd bob
/usr/bin/chfn -f "Bob Smith" bob
/usr/sbin/usermod -p 'kjdf$04930FTH/ ' bob
ks.cfg.
ks.cfg and must be located in the boot CD-ROM's top-level directory. Since a CD-ROM is read-only, the file must be added to the directory used to create the image that is written to the CD-ROM. Refer to the Installation Guide for instructions on creating boot media; however, before making the file.iso image file, copy the ks.cfg kickstart file to the isolinux/ directory.
ks.cfg and must be located in the flash memory's top-level directory. Create the boot image first, and then copy the ks.cfg file.
/dev/sda) using the dd command:
dd if=diskboot.img of=/dev/sda bs=1M
Add the following lines to the dhcpd.conf file for the DHCP server:
filename "/usr/new-machine/kickstart/";
next-server blarg.redhat.com;
Replace the value after filename with the name of the kickstart file (or the directory in which the kickstart file resides) and the value after next-server with the NFS server name.
<ip-addr>-kickstart<ip-addr> section of the file name should be replaced with the client's IP address in dotted decimal notation. For example, the file name for a computer with an IP address of 10.10.0.1 would be 10.10.0.1-kickstart.
/kickstart from the BOOTP/DHCP server and tries to find the kickstart file using the same <ip-addr>-kickstart file name as described above.
ks command line argument is passed to the kernel.
linux ks=floppy command also works if the ks.cfg file is located on a vfat or ext2 file system on a diskette and you boot from the Red Hat Enterprise Linux CD-ROM #1.
boot: prompt:
linux ks=hd:fd0:/ks.cfg
If you need to use a driver disk with kickstart, specify the dd option as well. For example, to boot off a boot diskette and use a driver disk, enter the following command at the boot: prompt:
linux ks=floppy dd
For a CD-ROM-based installation, enter the following command at the boot: prompt (where ks.cfg is the name of the kickstart file):
linux ks=cdrom:/ks.cfg
Other options to start a kickstart installation are as follows:
ks=nfs:<server>:/<path>
The installation program looks for the kickstart file on the NFS server <server>, as file <path>. The installation program uses DHCP to configure the Ethernet card. For example, if your NFS server is server.example.com and the kickstart file is in the NFS share /mydir/ks.cfg, the correct boot command would be ks=nfs:server.example.com:/mydir/ks.cfg.
ks=http://<server>/<path>
The installation program looks for the kickstart file on the HTTP server <server>, as file <path>. The installation program uses DHCP to configure the Ethernet card. For example, if your HTTP server is server.example.com and the kickstart file is in the HTTP directory /mydir/ks.cfg, the correct boot command would be ks=http://server.example.com/mydir/ks.cfg.
ks=floppy
The installation program looks for the file ks.cfg on a vfat or ext2 file system on the diskette in /dev/fd0.
ks=floppy:/<path>
The installation program looks for the kickstart file on the diskette in /dev/fd0, as file <path>.
ks=hd:<device>:/<file>
The installation program mounts the file system on <device> (which must be vfat or ext2), and looks for the kickstart configuration file as <file> in that file system (for example, ks=hd:sda3:/mydir/ks.cfg).
ks=file:/<file>
The installation program tries to read the file <file> from the file system; no mounts are done. This is normally used if the kickstart file is already on the initrd image.
ks=cdrom:/<path>
The installation program looks for the kickstart file on CD-ROM, as file <path>.
ks
If ks is used alone, the installation program configures the Ethernet card to use DHCP. The kickstart file is read from the "bootServer" from the DHCP response as if it is an NFS server sharing the kickstart file. By default, the bootServer is the same as the DHCP server. The name of the kickstart file is one of the following:
If DHCP is specified and the boot file begins with a /, the boot file provided by DHCP is looked for on the NFS server.
If DHCP is specified and the boot file begins with something other than a /, the boot file provided by DHCP is looked for in the /kickstart directory on the NFS server.
If DHCP did not specify a boot file, then the installation program tries to read the file /kickstart/1.2.3.4-kickstart, where 1.2.3.4 is the numeric IP address of the machine being installed.
ksdevice=<device>
The installation program uses this network device to connect to the network. For example, to start a kickstart installation with the kickstart file on an NFS server that is connected to the system through the eth1 device, use the command ks=nfs:<server>:/<path> ksdevice=eth1 at the boot: prompt.
/usr/sbin/system-config-kickstart.

system-config-language) after installation.

RedHat directory of the installation tree. For example, if the NFS server contains the directory /mirrors/redhat/i386/RedHat/, enter /mirrors/redhat/i386/ for the NFS directory.
RedHat directory. For example, if the FTP server contains the directory /mirrors/redhat/i386/RedHat/, enter /mirrors/redhat/i386/ for the FTP directory. If the FTP server requires a username and password, specify them as well.
RedHat directory. For example, if the HTTP server contains the directory /mirrors/redhat/i386/RedHat/, enter /mirrors/redhat/i386/ for the HTTP directory.
md5sum program as well as the linux mediacheck boot option as discussed in the Installation Guide. Enter the hard drive partition that contains the ISO images (for example, /dev/hda1) in the Hard Drive Partition text box. Enter the directory that contains the ISO images in the Hard Drive Directory text box.
/boot partition). Install the boot loader on the MBR if you plan to use it as your boot loader.
cdrecord by configuring hdd=ide-scsi as a kernel parameter (where hdd is the CD-ROM device).

msdos for x86 and gpt for Itanium), select Initialize the disk label if you are installing on a brand new hard drive.
/dev/hda), specify hda as the drive. Do not include /dev in the drive name.
/dev/hda1), specify hda1 as the partition. Do not include /dev in the partition name.




system-config-network). Refer to Chapter 17, Network Configuration for details.


port:protocol. For example, to allow IMAP access through the firewall, specify imap:tcp. Numeric ports can also be specified; to allow UDP packets on port 1234 through the firewall, enter 1234:udp. To specify multiple ports, separate them with commas.
skipx option is written to the kickstart file.

/etc/inittab configuration file.



%packages section of the kickstart file after you save it. Refer to Section 1.5, “Package Selection” for details.

/usr/bin/python2.2 can be specified for a Python script. This option corresponds to using %pre --interpreter /usr/bin/python2.2 in your kickstart file.
%pre command. It is added for you.

%post command. It is added for you.
%post section:
echo "Hackers will be punished!" > /etc/motd --nochroot option in the %post section.
/mnt/sysimage/.
echo "Hackers will be punished!" > /mnt/sysimage/etc/motd /usr/bin/python2.2 can be specified for a Python script. This option corresponds to using %post --interpreter /usr/bin/python2.2 in your kickstart file.

askmethod boot option with the Red Hat Enterprise Linux CD #1. Alternatively, if the system to be installed contains a network interface card (NIC) with Pre-Execution Environment (PXE) support, it can be configured to boot from files on another networked system rather than local media such as a CD-ROM.
tftp server (which provides the files necessary to start the installation program), and the location of the files on the tftp server. This is possible because of PXELINUX, which is part of the syslinux package.
tftp server necessary for PXE booting.
tftp service.
tftp server so they can be found when the client requests them. The tftp server is usually the same server as the network server exporting the installation tree.
system-config-netboot RPM package installed. To start the Network Booting Tool from the desktop, go to (the main menu on the
panel) => => => . Or, type the command system-config-netboot at a shell prompt (for example, in an XTerm or a GNOME terminal).

/tftpboot/linux-install/ directory.
RedHat/ directory of the installation tree.
initrd.img and vmlinuz files necessary to boot the installation program are transfered from images/pxeboot/ in the provided installation tree to /tftpboot/linux-install/<os-identifier>/ on the tftp server (the one you are running the Network Booting Tool on).
pxeos command line utility, which is part of the system-config-netboot package, can be used to configure the tftp server files :
pxeos -a -i "<description>" -p <NFS|HTTP|FTP> -D 0 -s client.example.com \
    -L <net-location> -k <kernel> -K <kickstart> <os-identifier>
The following list explains the options:
-a — Specifies that an OS instance is being added to the PXE configuration.
-i "<description>" — Replace "<description>" with a description of the OS instance. This corresponds to the Description field in Figure 3.1, “Network Installation Setup”.
-p <NFS|HTTP|FTP> — Specify which of the NFS, FTP, or HTTP protocols to use for installation. Only one may be specified. This corresponds to the Select protocol for installation menu in Figure 3.1, “Network Installation Setup”.
-D <0|1> — Specify "0", which indicates that it is not a diskless configuration, since pxeos can be used to configure a diskless environment as well.
-s client.example.com — Provide the name of the NFS, FTP, or HTTP server after the -s option. This corresponds to the Server field in Figure 3.1, “Network Installation Setup”.
-L <net-location> — Provide the location of the installation tree on that server after the -L option. This corresponds to the Location field in Figure 3.1, “Network Installation Setup”.
-k <kernel> — Provide the specific kernel version of the server installation tree for booting.
-K <kickstart> — Provide the location of the kickstart file, if available.
<os-identifier> — Specify the OS identifier, which is used as the directory name in the /tftpboot/linux-install/ directory. This corresponds to the Operating system identifier field in Figure 3.1, “Network Installation Setup”.
<os-identifier> in the previous command:
-A 0 -u <username> -p <password>
For more information on the pxeos command, refer to the pxeos man page.


http://server.example.com/kickstart/ks.cfg. This file can be created with the Kickstart Configurator. Refer to Chapter 2, Kickstart Configurator for details.
pxeboot utility, a part of the system-config-netboot package, can be used to add hosts which are allowed to connect to the PXE server:
```
pxeboot -a -K <kickstart> -O <os-identifier> -r <value> <host>
```
-a — Specifies that a host is to be added.
-K <kickstart> — The location of the kickstart file, if available.
-O <os-identifier> — Specifies the operating system identifier as defined in Section 3.2, “PXE Boot Configuration”.
-r <value> — Specifies the ram disk size.
<host> — Specifies the IP address or hostname of the host to add.
pxeboot command, refer to the pxeboot man page.
busybox-anaconda package must be installed.
/diskless/i386/RHEL4-AS/. For example:
```
mkdir -p /diskless/i386/RHEL4-AS/
```
diskless directory.
root/:
```
mkdir -p /diskless/i386/RHEL4-AS/root/
```
rsync. For example:
```
rsync -a -e ssh installed-system.example.com:/ /diskless/i386/RHEL4-AS/root/
```
tftp server
root/ and snapshot/ directories by adding them to /etc/exports. For example:
```
/diskless/i386/RHEL4-AS/root/     *(ro,sync,no_root_squash)
/diskless/i386/RHEL4-AS/snapshot/ *(rw,sync,no_root_squash)
```
* with one of the hostname formats discussed in Section 21.3.2, “Hostname Formats”. Make the hostname declaration as specific as possible, so unwanted systems can not access the NFS mount.
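The advice above (replace `*` with a specific hostname declaration) is easy to check mechanically. The following POSIX shell script is an added example, not part of the guide: it reads exports(5) entries and reports each export that still uses a bare `*` client or grants `no_root_squash`, the two properties the sample export combines. The exports content it runs over is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: audit exports(5) entries for
# wildcard clients and no_root_squash, i.e. the two things the text above
# asks the administrator to tighten before exporting a diskless root.

# Constructed sample of /etc/exports content (not taken from a real host).
SAMPLE_EXPORTS='/diskless/i386/RHEL4-AS/root/ *(ro,sync,no_root_squash)
/diskless/i386/RHEL4-AS/snapshot/ *(rw,sync,no_root_squash)
/srv/iso 192.168.10.0/24(ro,sync,root_squash)
/srv/home *.example.com(rw,sync)
# comments and blank lines are ignored
'

# audit_exports: read exports(5) lines on stdin and print one finding per
# line as "<path> <client> <reason>".
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            # "client(opt,opt)" -> client and opts; a bare client has no options
            if (match(client, /\(.*\)$/)) {
                opts   = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "*")
                print path, client, "wildcard-client"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print path, client, "no_root_squash"
            # rw for every host is the riskiest combination, call it out separately
            if (client == "*" && opts ~ /(^|,)rw(,|$)/)
                print path, client, "world-writable"
        }
    }'
}

# sample_findings: run the audit over the constructed sample.
sample_findings() {
    printf '%s' "$SAMPLE_EXPORTS" | audit_exports
}

# count_sample_findings: number of findings in the sample.
count_sample_findings() {
    sample_findings | wc -l | tr -d ' '
}

# Usage against the live file (needs read access to /etc/exports):
#   audit_exports < /etc/exports
```

On the sample, the two diskless exports produce all of the findings, and the snapshot export is additionally reported as world-writable; the two entries restricted to a network or a hostname pattern pass.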
```
service nfs start
service nfs reload
```
system-config-netboot RPM package installed. To start the Network Booting Tool from the desktop, go to (the main menu on the
panel) => => => . Or, type the command system-config-netboot at a shell prompt (for example, in an XTerm or a GNOME terminal).
/tftpboot/linux-install/<os-identifier>/. The directory snapshot/ is created in the same directory as the root/ directory (for example, /diskless/i386/RHEL4-AS/snapshot/) with a file called files in it. This file contains a list of files and directories that must be read/write for each diskless system. Do not modify this file. If additional entries must be added to the list, create a files.custom file in the same directory as the files file, and add each additional file or directory on a separate line.

snapshot/ directory in the diskless directory, a subdirectory is created with the Snapshot name specified as the file name. Then, all of the files listed in snapshot/files and snapshot/files.custom are copied from the root/ directory to this new directory.
root/ directory in the diskless directory as read-only. It also mounts its individual snapshot directory as read/write. Then it mounts all the files and directories listed in the files and files.custom files using mount -o bind over the read-only diskless directory, so that applications can write to the root directory of the diskless environment if they need to.
/ partition changes, the boot loader might not be able to find it to mount the partition. To fix this problem, boot in rescue mode and modify the /boot/grub/grub.conf file.
rescue as a kernel parameter. For example, for an x86 system, type the following command at the installation boot prompt:
```
linux rescue
```
The rescue environment will now attempt to find your Linux installation and mount it under the directory /mnt/sysimage. You can then make any changes required to your system. If you want to proceed with this step choose 'Continue'. You can also choose to mount your file systems read-only instead of read-write by choosing 'Read-only'. If for some reason this process fails you can choose 'Skip' and this step will be skipped and you will go directly to a command shell.
/mnt/sysimage/. If it fails to mount a partition, it notifies you. If you select , it attempts to mount your file system under the directory /mnt/sysimage/, but in read-only mode. If you select , your file system is not mounted. Choose if you think your file system is corrupted.
```
sh-3.00b#
```
```
chroot /mnt/sysimage
```
rpm that require your root partition to be mounted as /. To exit the chroot environment, type exit to return to the prompt.
/foo, and typing the following command:
```
mount -t ext3 /dev/mapper/VolGroup00-LogVol02 /foo
```
/foo is a directory that you have created and /dev/mapper/VolGroup00-LogVol02 is the LVM2 logical volume you want to mount. If the partition is of type ext2, replace ext3 with ext2.
```
fdisk -l
pvdisplay
vgdisplay
lvdisplay
```
ssh, scp, and ping if the network is started
dump and restore for users with tape drives
parted and fdisk for managing partitions
rpm for installing or upgrading software
joe for editing configuration files
emacs, pico, or vi, the joe editor is started.
linux rescue at the installation boot prompt to enter the rescue environment.
chroot /mnt/sysimage to mount the root partition.
/sbin/grub-install /dev/hda to reinstall the GRUB boot loader, where /dev/hda is the boot partition.
/boot/grub/grub.conf file, as additional entries may be needed for GRUB to control additional operating systems.
a to append the line.
single as a separate word (press the Spacebar and then type single). Press Enter to exit edit mode.
init files are not loaded. If init is corrupted or not working, you can still mount file systems to recover data that could be lost during a re-installation.
single with the keyword emergency.
parted utility to manage partitions and access control lists (ACLs) to customize file permissions.
e2fsck program. This is a time-consuming process that can delay system boot time significantly, especially with large volumes containing a large number of files. During this time, any data on the volumes is unreachable.
parted or fdisk.
mkfs.
e2label.
/etc/fstab file.
tune2fs program can add a journal to an existing ext2 file system without altering the data already on the partition. If the file system is already mounted while it is being transitioned, the journal is visible as the file .journal in the root directory of the file system. If the file system is not mounted, the journal is hidden and does not appear in the file system at all.
```
/sbin/tune2fs -j <file_system>
```
<file_system> is an appropriate LVM2 file system.
/dev/mapper/VolGroup00-LogVol02.
/dev/hdbX, where hdb is a storage device name and X is the partition number.
df command to display mounted file systems. For more detailed information on the LVM file system, refer to Chapter 8, LVM Configuration.
/dev/mapper/VolGroup00-LogVol02 /etc/fstab file.
initrd image (or RAM disk) to boot. To create this, run the mkinitrd program. For information on using the mkinitrd command, type man mkinitrd. Also, make sure your GRUB configuration loads the initrd.
resize2fs, which does not yet support ext3. In this situation, it may be necessary to temporarily revert a file system to ext2.
```
umount /dev/mapper/VolGroup00-LogVol02
/sbin/tune2fs -O ^has_journal /dev/mapper/VolGroup00-LogVol02
/sbin/e2fsck -y /dev/mapper/VolGroup00-LogVol02
mount -t ext2 /dev/mapper/VolGroup00-LogVol02 /mount/point
```
/mount/point with the mount point of the partition.
.journal file at the root level of the partition by changing to the directory where it is mounted and typing:
```
rm -f .journal
```
/etc/fstab file.
ext2online. ext2online allows you to increase the size of an ext3 file system once it is mounted (online) and on a resizable logical volume. The root file system is set up by default on LVM2 logical volumes during installation.
ext2online will only work on ext3 file systems. For more information, refer to man ext2online.
/boot/ partition. The /boot/ partition cannot be on a logical volume group because the boot loader cannot read it. If the root (/) partition is on a logical volume, create a separate /boot/ partition which is not a part of a volume group.

/home and /, and file system types, such as ext2 or ext3. When "partitions" reach their full capacity, free space from the logical volume group can be added to the logical volume to increase the size of the partition. When a new hard drive is added to the system, it can be added to the logical volume group, and partitions that are logical volumes can be expanded.

rpm -qd lvm — This command shows all the documentation available from the lvm package, including man pages.
lvm help — This command shows all LVM commands available.
lvm package to create your own LVM configuration post-installation, but these instructions focus on using Disk Druid during installation to complete this task.
/dev/sda and /dev/sdb) are used in the following examples. They detail how to create a simple configuration using a single LVM volume group with associated logical volumes during installation.
/boot/ partition resides on its own non-LVM partition. In the following example, it is the first partition on the first drive (/dev/sda1). Bootable partitions cannot reside on LVM logical volumes.
VolGroup00) is created, which spans all selected drives and all remaining space available. In the following example, the remainder of the first drive (/dev/sda2), and the entire second drive (/dev/sdb1) are allocated to the volume group.
LogVol00 and LogVol01) are created from the newly created spanned volume group. In the following example, the recommended swap space is automatically calculated and assigned to LogVol01, and the remainder is allocated to the root file system, LogVol00.

/home/ or /var/, so that each file system has its own independent quota configuration limits.
/boot/ Partition
/boot/ partition cannot reside on an LVM volume group because the GRUB boot loader cannot read it.


/boot/ Partition Displayed


/, /home/, and swap space. Remember that /boot cannot be a logical volume. To add a logical volume, click the button in the Logical Volumes section. A dialog window as shown in Figure 8.8, “Creating a Logical Volume” appears.



[2] A hot-swap chassis allows you to remove a hard drive without having to power-down your system.
[3]
RAID level 1 comes at a high cost because you write the same information to all of the disks in the array, which wastes drive space. For example, if you have RAID level 1 set up so that your root (/) partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The other 40G acts like a mirror of the first 40G.
[4] Parity information is calculated based on the contents of the rest of the member disks in the array. This information can then be used to reconstruct data when one disk in the array fails. The reconstructed data can then be used to satisfy I/O requests to the failed disk before it is replaced and to repopulate the failed disk after it has been replaced.
[5] RAID level 4 takes up the same amount of space as RAID level 5, but level 5 has more advantages. For this reason, level 4 is not supported.
/boot/) reside on a RAID partition, it must be on a RAID 1 partition.
/dev/sda and /dev/sdb) are used in the following examples. They detail how to create a simple RAID 1 configuration by implementing multiple RAID devices.



/boot/ partition as a software RAID device, leaving the root partition (/), /home/, and swap as regular file systems. Figure 10.4, “RAID 1 Partitions Ready, Pre-Device and Mount Point Creation” shows successfully allocated space for the RAID 1 configuration (for /boot/), which is now ready for RAID device and mount point creation:



/boot/, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a separate RAID partition for /boot/, and you are making a RAID partition for the root file system (/), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).

/boot/ Mount Error
/), /home/, or swap.


free and cat /proc/swaps commands to verify how much and where swap is in use.
/dev/VolGroup00/LogVol01 is the volume you want to extend):
```
# swapoff -v /dev/VolGroup00/LogVol01
# lvm lvresize /dev/VolGroup00/LogVol01 -L +256M
# mkswap /dev/VolGroup00/LogVol01
# swapon -va
# cat /proc/swaps
# free
```
/dev/VolGroup00/LogVol02 is the swap volume you want to add):
```
# lvm lvcreate VolGroup00 -n LogVol02 -L 256M
# mkswap /dev/VolGroup00/LogVol02
```
/etc/fstab file:
```
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
```
```
# swapon -va
# cat /proc/swaps
# free
```
count being equal to the desired block size:
```
dd if=/dev/zero of=/swapfile bs=1024 count=65536
mkswap /swapfile
swapon /swapfile
```
/etc/fstab to include the following entry:
```
/swapfile swap swap defaults 0 0
```
cat /proc/swaps or free.
/dev/VolGroup00/LogVol01 is the volume you want to extend):
```
# swapoff -v /dev/VolGroup00/LogVol01
# lvm lvreduce /dev/VolGroup00/LogVol01 -L -512M
# mkswap /dev/VolGroup00/LogVol01
# swapon -va
# cat /proc/swaps
# free
```
/dev/VolGroup00/LogVol02 is the swap volume you want to remove):
```
# swapoff -v /dev/VolGroup00/LogVol02
# lvm lvremove /dev/VolGroup00/LogVol02
```
/etc/fstab file:
```
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
```
```
# cat /proc/swaps
# free
```
parted allows users to perform these tasks. This chapter discusses how to use parted to perform file system tasks.
parted package installed to use the parted utility. To start parted, at a shell prompt as root, type the command parted /dev/sda, where /dev/sda is the device name for the drive you want to configure. The (parted) prompt is displayed. Type help to view a list of available commands.
umount command and turn off all the swap space on the hard drive with the swapoff command.
parted commands” contains a list of commonly used parted commands. The sections that follow explain some of them in more detail.
parted commands

| Command | Description |
|---|---|
| check | Perform a simple check of the file system |
| cp | Copy file system from one partition to another; from and to are the minor numbers of the partitions |
| help | Display list of available commands |
| mklabel | Create a disk label for the partition table |
| mkfs | Create a file system of type file-system-type |
| mkpart | Make a partition without creating a new file system |
| mkpartfs | Make a partition and create the specified file system |
| move | Move the partition |
| name | Name the partition for Mac and PC98 disklabels only |
| print | Display the partition table |
| quit | Quit parted |
| rescue start-mb end-mb | Rescue a lost partition from start-mb to end-mb |
| resize minor-num start-mb end-mb | Resize the partition from start-mb to end-mb |
| rm minor-num | Remove the partition |
| select | Select a different device to configure |
| set | Set the flag on a partition; state is either on or off |
parted, type the following command to view the partition table:
```
print
```
```
Disk geometry for /dev/sda: 0.000-8678.789 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.031    101.975  primary   ext3        boot
2        101.975   5098.754  primary   ext3
3       5098.755   6361.677  primary   linux-swap
4       6361.677   8675.727  extended
5       6361.708   7357.895  logical   ext3
```
```
Disk geometry for /dev/hda: 0.000-9765.492 megabytes
Disk label type: msdos
Minor    Start       End     Type      Filesystem  Flags
1          0.031    101.975  primary   ext3        boot
2        101.975    611.850  primary   linux-swap
3        611.851    760.891  primary   ext3
4        760.891   9758.232  extended              lba
5        760.922   9758.232  logical   ext3
```
/dev/sda1. The Start and End values are in megabytes. The Type is one of primary, extended, or logical. The Filesystem is the file system type, which can be one of ext2, ext3, fat16, fat32, hfs, jfs, linux-swap, ntfs, reiserfs, hp-ufs, sun-ufs, or xfs. The Flags column lists the flags set for the partition. Available flags are boot, root, swap, hidden, raid, lvm, or lba.
/boot/ file system, minor number 2 refers to the root file system (/), minor number 3 refers to the swap, and minor number 5 refers to the /home/ file system.
parted, where /dev/sda is the device on which to create the partition:
```
parted /dev/sda
```
```
print
```
```
mkpart primary ext3 1024 2048
```
mkpartfs command instead, the file system is created after the partition is created. However, parted does not support creating an ext3 file system. Thus, if you wish to create an ext3 file system, use mkpart and create the file system with the mkfs command as described later. mkpartfs works for file system type linux-swap.
print command to confirm that it is in the partition table with the correct partition type, file system type, and size. Also remember the minor number of the new partition so that you can label it. You should also view the output of
```
cat /proc/partitions
```
```
/sbin/mkfs -t ext3 /dev/sda6
```
/dev/sda6 and you want to label it /work:
```
e2label /dev/sda6 /work
```
```
mkdir /work
```
/etc/fstab file to include the new partition. The new line should look similar to the following:
```
LABEL=/work    /work    ext3    defaults    1 2
```
LABEL= followed by the label you gave the partition. The second column should contain the mount point for the new partition, and the next column should be the file system type (for example, ext3 or swap). If you need more information about the format, read the man page with the command man fstab.
defaults, the partition is mounted at boot time. To mount the partition without rebooting, as root, type the command:
```
mount /work
```
parted, where /dev/sda is the device on which to remove the partition:
```
parted /dev/sda
```
```
print
```
rm. For example, to remove the partition with minor number 3:
```
rm 3
```
print command to confirm that it is removed from the partition table. You should also view the output of
```
cat /proc/partitions
```
/etc/fstab file. Find the line that declares the removed partition, and remove it from the file.
parted, where /dev/sda is the device on which to resize the partition:
```
parted /dev/sda
```
```
print
```
resize command followed by the minor number for the partition, the starting place in megabytes, and the end place in megabytes. For example:
```
resize 3 1024 2048
```
print command to confirm that the partition has been resized correctly, is the correct partition type, and is the correct file system type.
df to make sure the partition was mounted and is recognized with the new size.
lvm help at a command prompt.
LVM commands

| Command | Description |
|---|---|
| dumpconfig | Dump the active configuration |
| formats | List the available metadata formats |
| help | Display the help commands |
| lvchange | Change the attributes of logical volume(s) |
| lvcreate | Create a logical volume |
| lvdisplay | Display information about a logical volume |
| lvextend | Add space to a logical volume |
| lvmchange | Due to use of the device mapper, this command has been deprecated |
| lvmdiskscan | List devices that may be used as physical volumes |
| lvmsadc | Collect activity data |
| lvmsar | Create activity report |
| lvreduce | Reduce the size of a logical volume |
| lvremove | Remove logical volume(s) from the system |
| lvrename | Rename a logical volume |
| lvresize | Resize a logical volume |
| lvs | Display information about logical volumes |
| lvscan | List all logical volumes in all volume groups |
| pvchange | Change attributes of physical volume(s) |
| pvcreate | Initialize physical volume(s) for use by LVM |
| pvdata | Display the on-disk metadata for physical volume(s) |
| pvdisplay | Display various attributes of physical volume(s) |
| pvmove | Move extents from one physical volume to another |
| pvremove | Remove LVM label(s) from physical volume(s) |
| pvresize | Resize a physical volume in use by a volume group |
| pvs | Display information about physical volumes |
| pvscan | List all physical volumes |
| segtypes | List available segment types |
| vgcfgbackup | Backup volume group configuration |
| vgcfgrestore | Restore volume group configuration |
| vgchange | Change volume group attributes |
| vgck | Check the consistency of a volume group |
| vgconvert | Change volume group metadata format |
| vgcreate | Create a volume group |
| vgdisplay | Display volume group information |
| vgexport | Unregister a volume group from the system |
| vgextend | Add physical volumes to a volume group |
| vgimport | Register exported volume group with system |
| vgmerge | Merge volume groups |
| vgmknodes | Create the special files for volume group devices in /dev/ |
| vgreduce | Remove a physical volume from a volume group |
| vgremove | Remove a volume group |
| vgrename | Rename a volume group |
| vgs | Display information about volume groups |
| vgscan | Search for all volume groups |
| vgsplit | Move physical volumes into a new volume group |
| version | Display software and driver version information |
quota RPM must be installed to implement disk quotas.
/etc/fstab file.
/etc/fstab file. Add the usrquota and/or grpquota options to the file systems that require quotas:
```
/dev/VolGroup00/LogVol00 /         ext3    defaults                    1 1
LABEL=/boot              /boot     ext3    defaults                    1 2
none                     /dev/pts  devpts  gid=5,mode=620              0 0
none                     /dev/shm  tmpfs   defaults                    0 0
none                     /proc     proc    defaults                    0 0
none                     /sys      sysfs   defaults                    0 0
/dev/VolGroup00/LogVol02 /home     ext3    defaults,usrquota,grpquota  1 2
/dev/VolGroup00/LogVol01 swap      swap    defaults                    0 0
. . .
```
/home file system has both user and group quotas enabled.
/home partition was created during the installation of Red Hat Enterprise Linux. Although not ideal, the root (/) partition (the installation default created partition) can be used for setting quota policies in the /etc/fstab file.
usrquota and/or grpquota options, remount each file system whose fstab entry has been modified. If the file system is not in use by any process, use one of the following methods:
umount command followed by the mount command to remount the file system.
mount -o remount /home command to remount the file system.
quotacheck command.
quotacheck command examines quota-enabled file systems and builds a table of the current disk usage per file system. The table is then used to update the operating system's copy of disk usage. In addition, the file system's disk quota files are updated.
aquota.user and aquota.group) on the file system, use the -c option of the quotacheck command. For example, if user and group quotas are enabled for the /home file system, create the files in the /home directory:
```
quotacheck -cug /home
```
-c option specifies that the quota files should be created for each file system with quotas enabled, the -u option specifies to check for user quotas, and the -g option specifies to check for group quotas.
-u or -g options are specified, only the user quota file is created. If only -g is specified, only the group quota file is created.
```
quotacheck -avug
```
a — Check all quota-enabled, locally-mounted file systems
v — Display verbose status information as the quota check proceeds
u — Check user disk quota information
g — Check group disk quota information
quotacheck has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as /home.
edquota command.
```
edquota username
```
/etc/fstab for the /home partition (/dev/VolGroup00/LogVol02) and the command edquota testuser is executed, the following is shown in the editor configured as the default for the system:
```
Disk quotas for user testuser (uid 501):
  Filesystem                blocks     soft     hard   inodes     soft     hard
  /dev/VolGroup00/LogVol02  440436        0        0    37418        0        0
```
EDITOR environment variable is used by edquota. To change the editor, set the EDITOR environment variable in your ~/.bash_profile file to the full path of the editor of your choice.
inodes column shows how many inodes the user is currently using. The last two columns are used to set the soft and hard inode limits for the user on the file system.
```
Disk quotas for user testuser (uid 501):
  Filesystem                blocks     soft     hard   inodes     soft     hard
  /dev/VolGroup00/LogVol02  440436   500000   550000    37418        0        0
```
```
quota testuser
```
devel group (the group must exist prior to setting the group quota), use the command:
```
edquota -g devel
```
```
Disk quotas for group devel (gid 505):
  Filesystem                blocks     soft     hard   inodes     soft     hard
  /dev/VolGroup00/LogVol02  440400        0        0    37418        0        0
```
```
quota -g devel
```
```
edquota -t
```
edquota commands, this one opens the current quotas for the file system in the text editor:
```
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
  Filesystem                       Block grace period   Inode grace period
  /dev/mapper/VolGroup00-LogVol02       7days                7days
```
```
quotaoff -vaug
```
-u or -g options are specified, only the user quotas are disabled. If only -g is specified, only group quotas are disabled.
quotaon command with the same options.
```
quotaon -vaug
```
/home, use the following command:
```
quotaon -vug /home
```
-u or -g options are specified, only the user quotas are enabled. If only -g is specified, only group quotas are enabled.
repquota utility. For example, the command repquota /home produces this output:
```
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      36       0       0              4     0     0
kristin   --     540       0       0            125     0     0
testuser  --  440400  500000  550000          37418     0     0
```
-a) quota-enabled file systems, use the command:
```
repquota -a
```
-- displayed after each user is a quick way to determine whether the block or inode limits have been exceeded. If either soft limit is exceeded, a + appears in place of the corresponding -; the first - represents the block limit, and the second represents the inode limit.
grace columns are normally blank. If a soft limit has been exceeded, the column contains a time specification equal to the amount of time remaining on the grace period. If the grace period has expired, none appears in its place.
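The flag field and the grace columns described above are what an administrator scans for when reviewing quota reports, and they are also what makes the report awkward to parse by column position: a grace value is only present when the corresponding soft limit is exceeded, so the columns shift. The following shell script is an added example, not part of the guide; it keys off the `+`/`-` flags instead of fixed columns and pulls out every user who is over a soft limit, plus those whose grace period has already expired. The report it parses is constructed to resemble the one shown above.

```shell
#!/bin/sh
# Added example, not from the guide: parse a repquota(8) report and list the
# users over a soft limit, using the "+-" / "-+" flag field the text describes.

# sample_report: constructed repquota output modelled on the report above;
# testuser is over the block soft limit, bob's inode grace period has expired.
sample_report() {
    cat <<'EOF'
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      36       0       0              4     0     0
kristin   --     540       0       0            125     0     0
testuser  +-  520000  500000  550000  6days   37418     0     0
bob       -+     100       0       0             90    80   100  none
EOF
}

# over_quota: read a report on stdin; print
# "<user> <blocks|inodes> <used> <soft> <grace>" for every exceeded soft limit.
over_quota() {
    awk '
    $2 ~ /^[-+][-+]$/ {                       # only data rows carry a flag field
        user  = $1
        bflag = substr($2, 1, 1); iflag = substr($2, 2, 1)
        bused = $3; bsoft = $4; bhard = $5
        i = 6
        bgrace = "-"
        if (bflag == "+") { bgrace = $i; i++ }  # block grace column exists only when exceeded
        iused = $i; isoft = $(i + 1); ihard = $(i + 2)
        igrace = "-"
        if (iflag == "+") igrace = $(i + 3)     # likewise for the inode grace column
        if (bflag == "+") print user, "blocks", bused, bsoft, bgrace
        if (iflag == "+") print user, "inodes", iused, isoft, igrace
    }'
}

# expired_grace: users whose grace period shows "none", i.e. the soft limit
# is now being enforced like a hard limit.
expired_grace() {
    over_quota | awk '$5 == "none" { print $1 }'
}

# Usage on a live system (as root):  repquota /home | over_quota
```

Running the sample through `over_quota` yields one line for testuser (blocks, 6 days of grace left) and one for bob (inodes, grace expired); `expired_grace` reduces that to bob.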
quotacheck. However, quotacheck can be run on a regular basis, even if the system has not crashed. Running the following command periodically keeps the quotas more accurate (the options used have been described in Section 13.1.1, “Enabling Quotas”):
```
quotacheck -avug
```
cron. As root, either use the crontab -e command to schedule a periodic quotacheck or place a script that runs quotacheck in any one of the following directories (using whichever interval best matches your needs):
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
quotacheck for each file system at different times with multiple cron tasks.
cron.
quotacheck, edquota, repquota, quota, quotaon, and quotaoff man pages
acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
cp and mv commands copy or move any ACLs associated with files and directories.
```
mount -t ext3 -o acl <device-name> <partition>
```
```
mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
```
/etc/fstab file, the entry for the partition can include the acl option:
```
LABEL=/work    /work    ext3    acl    1 2
```
--with-acl-support option. No special flags are required when accessing or mounting a Samba share.
no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.
setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
```
setfacl -m <rules> <files>
```
<rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
```
u:<uid>:<perms>
g:<gid>:<perms>
m:<perms>
o:<perms>
```
<perms>) must be a combination of the characters r, w, and x for read, write, and execute.
setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
```
setfacl -m u:andrius:rw /project/somefile
```
-x option and do not specify any permissions:
```
setfacl -x <rules> <files>
```
```
setfacl -x u:500 /project/somefile
```
d: before the rule and specify a directory instead of a file name.
/share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
```
setfacl -m d:o:rx /share
```
getfacl command:
```
getfacl <filename>
```
```
# file: file
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
```
```
# file: file
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:andrius:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
```
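The mask entry in the listings above is what decides whether a named-user or group entry actually grants anything: named users, named groups and the owning group are all limited by the mask, while the owner and other entries are not. The following shell script is an added example, not part of the guide; it reads getfacl output and prints each access entry with its effective permissions, the same information getfacl shows in its `#effective:` annotations. The listing it runs over is constructed so that a named user holds rwx but the mask is r--.

```shell
#!/bin/sh
# Added example, not from the guide: compute effective permissions from
# getfacl(1) output by applying the mask entry to the entries it governs.

# sample_getfacl: constructed getfacl output. smoore has been granted rwx but
# the mask is r--, so smoore's effective access is only r--.
sample_getfacl() {
    cat <<'EOF'
# file: somefile
# owner: andrius
# group: andrius
user::rw-
user:smoore:rwx
group::rw-
mask::r--
other::r--
EOF
}

# effective_acl: read getfacl output on stdin and print each access ACL entry
# with its effective permissions. default: entries are passed through unchanged
# and printed last.
effective_acl() {
    awk -F: '
    # and_perms: keep a permission character only if both strings have it
    function and_perms(a, b,    i, r, ca, cb) {
        r = ""
        for (i = 1; i <= 3; i++) {
            ca = substr(a, i, 1); cb = substr(b, i, 1)
            r = r ((ca != "-" && ca == cb) ? ca : "-")
        }
        return r
    }
    /^#/ || /^[ \t]*$/ { next }                 # comment header and blank lines
    /^default:/        { dflt[++nd] = $0; next }
    $1 == "mask"       { mask = $3 }
    { e[++n] = $0 }
    END {
        for (i = 1; i <= n; i++) {
            split(e[i], f, ":")
            type = f[1]; qual = f[2]; perms = f[3]
            # named users (qualifier present), named groups and the owning group
            # are masked; user:: (owner) and other:: are not
            if (mask != "" && ((type == "user" && qual != "") || type == "group"))
                perms = and_perms(perms, mask)
            print type ":" qual ":" perms
        }
        for (i = 1; i <= nd; i++) print dflt[i]
    }'
}

# Usage on a real file:  getfacl /project/somefile | effective_acl
```

For the sample, `user:smoore:rwx` and `group::rw-` both come out as `r--`, while `user::rw-` is unchanged; raising the mask with `m:rwx` is what it would take for the named entry to take effect.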
tar and dump commands do not backup ACLs.
star utility is similar to the tar utility in that it can be used to generate archives of files; however, some of its options are different. Refer to Table 14.1, “Command Line Options for star” for a listing of more commonly used options. For all available options, refer to the star man page. The star package is required to use this utility.
Command Line Options for star

| Option | Description |
|---|---|
| -c | Creates an archive file. |
| -n | Do not extract the files; use in conjunction with -x to show what extracting the files does. |
| -r | Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name. |
| -t | Displays the contents of the archive file. |
| -u | Updates the archive file. The files are written to the end of the archive if they do not exist in the archive or if the files are newer than the files of the same name in the archive. This option only works if the archive is a file or an unblocked tape that may backspace. |
| -x | Extracts the files from the archive. If used with -U and a file in the archive is older than the corresponding file on the file system, the file is not extracted. |
| -help | Displays the most important options. |
| -xhelp | Displays the least important options. |
| -/ | Do not strip leading slashes from file names when extracting the files from an archive. By default, they are stripped when files are extracted. |
| -acl | When creating or extracting, archive or restore any ACLs associated with the files and directories. |
ext_attr attribute. This attribute can be seen using the following command:
```
tune2fs -l <filesystem-device>
```
ext_attr attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.
e2fsck utility included in version 1.22 and higher of the e2fsprogs package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr attribute. Older versions refuse to check it.
acl man page — Description of ACLs
getfacl man page — Discusses how to get file access control lists
setfacl man page — Explains how to set file access control lists
star man page — Explains more about the star utility and its many options
.tar.gz files.
rpm --help or refer to Section 15.5, “Additional Resources” for more information on RPM.
foo-1.0-1.i386.rpm. The file name includes the package name (foo), version (1.0), release (1), and architecture (i386). To install a package, log in as root and type the following command at a shell prompt:
```
rpm -Uvh foo-1.0-1.i386.rpm
```
```
Preparing...                ########################################### [100%]
   1:foo                    ########################################### [100%]
```
```
error: V3 DSA signature: BAD, key ID 0352860f
```
```
error: Header V3 DSA signature: BAD, key ID 0352860f
```
NOKEY such as:
```
warning: V3 DSA signature: NOKEY, key ID 0352860f
```
rpm -ivh instead. Refer to Chapter 36, Manually Upgrading the Kernel for details.
```
Preparing...                ########################################### [100%]
package foo-1.0-1 is already installed
```
--replacepkgs option, which tells RPM to ignore the error:
```
rpm -ivh --replacepkgs foo-1.0-1.i386.rpm
```
```
Preparing...                ########################################### [100%]
```
```
file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20
```
--replacefiles option:
rpm -ivh --replacefiles foo-1.0-1.i386.rpm
```
error: Failed dependencies:
        bar.so.2 is needed by foo-1.0-1
    Suggested resolutions:
        bar-2.0.20-3.i386.rpm
```
```
rpm -ivh foo-1.0-1.i386.rpm bar-2.0.20-3.i386.rpm
```
```
Preparing...                ########################################### [100%]
   1:foo                    ########################################### [ 50%]
   2:bar                    ########################################### [100%]
```
--redhatprovides option to determine which package contains the required file. You need the rpmdb-redhat package installed to use this option.
```
rpm -q --redhatprovides bar.so.2
```
bar.so.2 is in the installed database from the rpmdb-redhat package, the name of the package is displayed:
```
bar-2.0.20-3.i386.rpm
```
--nodeps option.
```
rpm -e foo
```
foo, not the name of the original package file foo-1.0-1.i386.rpm. To uninstall a package, replace foo with the actual package name of the original package.
```
error: Failed dependencies:
        foo is needed by (installed) bar-2.0.20-3.i386.rpm
```
--nodeps option.
```
rpm -Uvh foo-2.0-1.i386.rpm
```
foo package. In fact, you may want to always use -U to install packages, since it works even when there are no previous versions of the package installed.
-U option for installing kernel packages because RPM replaces the previous kernel package. This does not affect a running system, but if the new kernel is unable to boot during your next restart, there would be no other kernel to boot instead.
-i option adds the kernel to your GRUB boot menu (/etc/grub.conf). Similarly, removing an old, unneeded kernel removes the kernel from GRUB.
saving /etc/foo.conf as /etc/foo.conf.rpmsave
package foo-2.0-1 (which is newer than foo-1.0-1) is already installed
--oldpackage option:
rpm -Uvh --oldpackage foo-1.0-1.i386.rpmrpm -Fvh foo-1.2-1.i386.rpmrpm -Fvh *.rpmrpm -q command to query the database of installed packages. The rpm -q foo command displays the package name, version, and release number of the installed package foo:
foo-2.0-1

Replace foo with the actual package name.

Instead of specifying the package name, use the following options with -q to specify the package(s) you want to query. These are called Package Selection Options.

-a queries all currently installed packages.
-f <file> queries the package which owns <file>. When specifying a file, you must specify the full path of the file (for example, /bin/ls).
-p <packagefile> queries the package <packagefile>.

There are several ways to specify what information to display about queried packages. The following options are used to select the type of information for which you are searching. These are called Package Query Options.

-i displays package information including name, description, release, size, build date, install date, vendor, and other miscellaneous information.
-l displays the list of files that the package contains.
-s displays the state of all the files in the package.
-d displays a list of files marked as documentation (man pages, info pages, READMEs, etc.).
-c displays a list of files marked as configuration files. These are the files you change after installation to adapt the package to your system (for example, sendmail.cf, passwd, inittab, etc.).

For options that display lists of files, add -v to the command to display the lists in a familiar ls -l format.
Verifying a package compares information about files installed from a package with the same information from the original package. Among other things, verifying compares the size, MD5 sum, permissions, type, owner, and group of each file.

The command rpm -V verifies a package. You can use any of the Package Selection Options listed for querying to specify the packages you wish to verify. A simple use of verifying is rpm -V foo, which verifies that all the files in the foo package are as they were when they were originally installed. For example:

To verify a package containing a particular file:

rpm -Vf /usr/bin/vim

To verify ALL installed packages:

rpm -Va

To verify an installed package against an RPM package file:

rpm -Vp foo-1.0-1.i386.rpm

This command can be useful if you suspect that your RPM database is corrupt. Keep in mind that rpm -V trusts the local RPM database and the local rpm binary; on a host you suspect has been compromised, verify from rescue media, or with rpm -Vp against package files obtained from a trusted source, rather than relying on the host's own database.

If everything verified properly, there is no output. If there are any discrepancies, they are displayed. The format of the output is a string of eight characters (a c denotes a configuration file) and then the file name. Each of the eight characters denotes the result of a comparison of one attribute of the file to the value of that attribute recorded in the RPM database. A single period (.) means the test passed. The following characters denote failure of certain tests:
5 — MD5 checksum
S — file size
L — symbolic link
T — file modification time
D — device
U — user
G — group
M — mode (includes permissions and file type)
? — unreadable file
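Run over a whole system, rpm -Va produces a long list in which harmless edits to configuration files sit next to the changes that matter. The script below is an added example (it is not part of the Red Hat guide) that triages that output using the flag characters just listed: size, checksum and mtime changes on files marked c or d are treated as expected drift, while mode, owner or group changes and missing files are reported as findings. The sample verification output embedded in it is constructed for illustration; the paths in it are not real results from any host.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): triage "rpm -Va" output so that
# expected drift in configuration and documentation files is separated from
# changes that point at tampering. On a real host run:  rpm -Va | triage_rpm_verify
#
# rpm -V prints one line per failing file: an 8-character test column
# (S M 5 D L U G T, "." = passed), an optional type column ("c" = config,
# "d" = documentation) and the path. Missing files are reported as "missing".

# Constructed sample of rpm -Va output (illustration only, not real results).
SAMPLE_VERIFY='S.5....T  c /etc/ssh/sshd_config
..5....T    /usr/bin/ssh
.M......    /bin/ping
missing     /usr/sbin/sshd
.....U..  c /etc/sudoers
.......T  d /usr/share/doc/procps-3.2.3/FAQ'

triage_rpm_verify() {
    awk '
    # A missing file is never expected; report it first.
    $1 == "missing" { printf "MISSING %s\n", $NF; next }
    {
        flags = $1
        path  = $NF
        type  = (NF == 3) ? $2 : ""
        # Configuration and documentation files are edited in normal
        # operation, so size (S), digest (5) and mtime (T) changes on
        # them are noise. Changes to mode, owner, group, device or
        # symlink target (M U G D L) are not.
        if ((type == "c" || type == "d") && flags !~ /[MUGDL]/) next
        # Mode/owner/group changes (a new setuid bit, a root-owned file
        # handed to another user) are the strongest tampering indicators.
        sev = (flags ~ /[MUG]/) ? "HIGH" : "CHECK"
        printf "%-7s %s (%s)\n", sev, path, flags
    }'
}

# count_findings: number of triaged lines, for scripting (for example a
# nightly cron job that mails the output when the count is non-zero).
count_findings() {
    triage_rpm_verify | grep -c .
}

# Example run on the constructed sample:
#   printf '%s\n' "$SAMPLE_VERIFY" | triage_rpm_verify
```

On the sample, the edited sshd_config and the documentation file are dropped, /usr/bin/ssh with a changed checksum is flagged for a closer look, and the mode change on /bin/ping, the ownership change on /etc/sudoers and the missing sshd are reported as high-priority findings. A CHECK on a binary should be followed by reinstalling the package from trusted media and comparing, not by assuming the file is fine.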
To check only that a package file is intact, that is, that its contents match the digest stored in its own header, type the following command at a shell prompt (replace <rpm-file> with the file name of the RPM package):

rpm -K --nosignature <rpm-file>

The message <rpm-file>: md5 OK is displayed. This brief message means that the file was not corrupted by the download. To see a more verbose message, replace -K with -Kvv in the command.

A digest check says nothing about who built the package: anyone who modifies a package can recompute its digest. Only a signature made with the vendor's GnuPG key, verified against a copy of that key you obtained through a trusted channel, establishes that the package is the one the vendor published.

Red Hat's packages are signed with Red Hat's GnuPG key. Before verifying signatures, import the Red Hat public key into the RPM database. The key is installed on Red Hat Enterprise Linux systems as /usr/share/rhn/RPM-GPG-KEY:

rpm --import /usr/share/rhn/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the command:

rpm -qa gpg-pubkey*

For the Red Hat key, the output includes the following:

gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use rpm -qi followed by the output from the previous command:

rpm -qi gpg-pubkey-db42a60e-37ea5438

Compare the key ID and fingerprint shown against the values Red Hat publishes before relying on the key; importing a key is the step that decides which signatures RPM will accept from then on. To check the GnuPG signature of an RPM file after importing the builder's GnuPG key, use the following command (replace <rpm-file> with the filename of the RPM package):

rpm -K <rpm-file>

If all goes well, the following message is displayed: md5 gpg OK. That means that the signature of the package has been verified and that it is not corrupt.
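The verdict line of rpm -K is what a script has to act on, and the difference between md5 OK, md5 gpg OK and NOT OK (MISSING KEYS: ...) is exactly the difference between "intact", "authentic" and "unknown origin". The following is an added example (not from the Red Hat guide) that classifies such lines and gates installation on a verified signature. The sample lines are constructed; the package names and key ID in them are made up.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): turn the one-line verdict of
# "rpm -K" into a decision a script can act on. "md5 OK" alone only proves
# the file matches its own digest; a package is trustworthy only when the
# verdict also contains a verified GnuPG (gpg) signature.
#
# Constructed samples of rpm -K output (file names and key IDs are made up).
# Wording differs slightly between RPM versions, so the classifier keys on
# tokens, case-insensitively, rather than on exact strings.
SAMPLE_SIGNED='foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_UNSIGNED='bar-2.0-1.i386.rpm: sha1 md5 OK'
SAMPLE_NOKEY='baz-3.1-2.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0352860f)'
SAMPLE_CORRUPT='qux-0.9-1.i386.rpm: sha1 MD5 NOT OK'

# rpm_sig_verdict: read one rpm -K output line from stdin and print one of
#   SIGNED    digest and GnuPG signature verified against an imported key
#   NOKEY     signed, but the signing key is not in the RPM database
#   UNSIGNED  digest verified, no signature present at all
#   BAD       a digest or signature check failed (corrupt or tampered file)
rpm_sig_verdict() {
    lc=$(tr 'A-Z' 'a-z')
    case "$lc" in
        *"missing keys"*)        echo NOKEY ;;
        *"not ok"*)              echo BAD ;;
        *" gpg ok"|*" pgp ok")   echo SIGNED ;;
        *" ok")                  echo UNSIGNED ;;
        *)                       echo BAD ;;
    esac
}

# verdict_of LINE: the same classifier for a line passed as an argument.
verdict_of() {
    printf '%s\n' "$1" | rpm_sig_verdict
}

# install_if_signed PKG...: install only packages whose signature verifies.
# rpm itself refuses a BAD signature but installs NOKEY and unsigned
# packages with at most a warning; this wrapper does not. It calls the
# real rpm tool, so it is not exercised by the constructed samples.
install_if_signed() {
    for pkg in "$@"; do
        v=$(rpm -K "$pkg" 2>&1 | rpm_sig_verdict)
        if [ "$v" != SIGNED ]; then
            echo "refusing $pkg: $v" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}

# Usage (as root): install_if_signed /tmp/downloads/*.rpm
```

A NOKEY verdict is the one most often waved through in practice; it should lead to importing the vendor's key through a trusted path and re-running the check, never to installing with --nosignature.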
The following examples show how to use RPM to meet common needs.

To verify your entire system and see what might be missing or changed, type:

rpm -Va

If some files are missing or appear to have been corrupted, you should probably either re-install the package or uninstall and then re-install the package.

At some point, you might see a file that you do not recognize. To find out which package owns it, enter:

rpm -qf /usr/bin/ggv

The output would look like the following:

ggv-2.6.0-2

A file that no package claims is itself a finding on a system that is supposed to be managed only through RPM. Perhaps you find a new program, /usr/bin/paste. You would like to verify the package that owns that program, but you do not know which package owns paste. Enter the following command, and the appropriate package is verified:

rpm -Vf /usr/bin/paste

To locate the documentation which came with the package that owns a program, enter:

rpm -qdf /usr/bin/free

The output would be similar to the following:

/usr/share/doc/procps-3.2.3/BUGS
/usr/share/doc/procps-3.2.3/FAQ
/usr/share/doc/procps-3.2.3/NEWS
/usr/share/doc/procps-3.2.3/TODO
/usr/share/man/man1/free.1.gz
/usr/share/man/man1/pgrep.1.gz
/usr/share/man/man1/pkill.1.gz
/usr/share/man/man1/pmap.1.gz
/usr/share/man/man1/ps.1.gz
/usr/share/man/man1/skill.1.gz
/usr/share/man/man1/slabtop.1.gz
/usr/share/man/man1/snice.1.gz
/usr/share/man/man1/tload.1.gz
/usr/share/man/man1/top.1.gz
/usr/share/man/man1/uptime.1.gz
/usr/share/man/man1/w.1.gz
/usr/share/man/man1/watch.1.gz
/usr/share/man/man5/sysctl.conf.5.gz
/usr/share/man/man8/sysctl.8.gz
/usr/share/man/man8/vmstat.8.gz

You may find a new RPM, but you do not know what it does. To find information about it, use the following command:

rpm -qip crontabs-1.10-7.noarch.rpm

The output would be similar to the following:

Name        : crontabs                     Relocations: (not relocatable)
Version     : 1.10                              Vendor: Red Hat, Inc
Release     : 7                             Build Date: Mon 20 Sep 2004 05:58:10 PM EDT
Install Date: (not installed)               Build Host: tweety.build.redhat.com
Group       : System Environment/Base       Source RPM: crontabs-1.10-7.src.rpm
Size        : 1004                             License: Public Domain
Signature   : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc <http://bugzilla.redhat.com/bugzilla>
Summary     : Root crontab files used to schedule the execution of programs.
Description :
The crontabs package contains root crontab files. Crontab is the program used to install, uninstall, or list the tables used to drive the cron daemon. The cron daemon checks the crontab files to see when particular commands are scheduled to be executed. If commands are scheduled, then it executes them.

Note that the Signature line only reports which key the package claims to be signed with; it is rpm -K that verifies the signature. The last eight hex digits of the Key ID (db42a60e) are what appear in the gpg-pubkey-db42a60e-37ea5438 entry listed by rpm -qa gpg-pubkey*, which is how you tie a package to the key that signed it.

Perhaps you now want to see what files the crontabs RPM installs. You would enter the following:

rpm -qlp crontabs-1.10-5.noarch.rpm

The output is similar to the following:

/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/crontab
/usr/bin/run-parts
rpm --help — This command displays a quick reference of RPM parameters.
man rpm — The RPM man page gives more detail about RPM parameters than the rpm --help command.
rpm-list-request@redhat.com — To subscribe to the RPM mailing list, send mail to this address with the word subscribe in the subject line.
http://www.redhat.com/apps/activate/
http://www.redhat.com/docs/manuals/RHNetwork/
The Network Administration Tool can also be used to edit the /etc/hosts file, which is used to store additional hostname and IP address combinations.

To start the application, type system-config-network at a shell prompt (for example, in an XTerm or a GNOME terminal). If you type the command, the graphical version is displayed if X is running; otherwise, the text-based version is displayed.
To use the command line version, type system-config-network-cmd --help as root to view all of the options.

Modem as shown in Figure 17.7, “Modem Device”.
If system-config-network is started on the local host, you may not be able to start another X11 application. As such, you may have to re-login to a new desktop session.

The Hosts tab allows you to add, edit, or remove hosts from the /etc/hosts file. This file contains IP addresses and their corresponding hostnames.

When your system tries to resolve a hostname to an IP address or tries to determine the hostname for an IP address, it refers to the /etc/hosts file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration). If the IP address is listed in the /etc/hosts file, the name servers are not used. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the /etc/hosts file.

Because /etc/hosts wins over DNS, an entry added to it redirects every program on the host that resolves that name. Keep the file owned by root with mode 0644, and treat entries you did not add as a sign of tampering.

To add an entry to the /etc/hosts file, go to the Hosts tab, click the New button on the toolbar, provide the requested information, and click OK. Select File => Save or press Ctrl+S to save the changes to the /etc/hosts file. The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved.

Do not remove the localhost entry. Even if the system does not have a network connection or does not have a network connection running constantly, some programs need to connect to the system via the localhost loopback interface.

To change lookup order, use the /etc/host.conf file. The line order hosts, bind specifies that /etc/hosts takes precedence over the name servers. Changing the line to order bind, hosts configures the system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, the system then looks for the IP address in the /etc/hosts file. On glibc-based systems, which includes Red Hat Enterprise Linux, the hosts: line in /etc/nsswitch.conf also governs this order; make sure the two files agree.
eth0_office, so that it can be recognized more easily.

Once the logical device has been configured (for example, eth0_office in a profile called Office) and you want to activate the logical device when the profile is selected, uncheck the eth0 device and check the eth0_office device.

For example, you could configure eth0 to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0 and an Away profile activate a PPP device for use while traveling.
A profile can also be activated at boot time by appending the netprofile=<profilename> option to the kernel line in the boot loader configuration. For example, if the system uses GRUB as the boot loader and /boot/grub/grub.conf contains:

title Red Hat Enterprise Linux (2.6.9-5.EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.9-5.EL.img

modify it to the following (where <profilename> is the name of the profile to be activated at boot time):

title Red Hat Enterprise Linux (2.6.9-5.EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
            netprofile=<profilename> rhgb quiet
        initrd /initrd-2.6.9-5.EL.img

To switch profiles after the system has booted, use the Network Device Control application (system-control-network) to select a profile and activate it. The activate profile section only appears in the Network Device Control interface if more than the default Common interface exists.

Alternatively, execute the following command to enable a profile (replace <profilename> with the name of the profile):

system-config-network-cmd --profile <profilename> --activate

Device aliases are virtual devices associated with the same physical hardware that can be activated at the same time with different IP addresses. They are represented as the device name followed by a colon and a number (for example, eth0:1). After configuring the Ethernet device, such as eth0, to use a static IP address (DHCP does not work with aliases), go to the Devices tab and click New. Select the Ethernet card to configure with an alias, set the static IP address for the alias, and click Apply to create it. Since a device already exists for the Ethernet card, the one just created is the alias, such as eth0:1.

Notice the eth0:1 device listed under the eth0 device: it is the first alias for eth0. The second alias for eth0 would have the device name eth0:2, and so on. To modify the settings for the device alias, such as whether to activate it at boot time and the alias number, select it from the list and click the Edit button.

To verify that the alias has been activated, use the command /sbin/ifconfig. The output should show the device and the device alias with different IP addresses:

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:60:B7:G4
          inet addr:192.168.100.5  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:161930 errors:1 dropped:0 overruns:0 frame:0
          TX packets:244570 errors:0 dropped:0 overruns:0 carrier:0
          collisions:475 txqueuelen:100
          RX bytes:55075551 (52.5 Mb)  TX bytes:178108895 (169.8 Mb)
          Interrupt:10 Base address:0x9000

eth0:1    Link encap:Ethernet  HWaddr 00:A0:CC:60:B7:G4
          inet addr:192.168.100.42  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5998 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1627579 (1.5 Mb)  TX bytes:1627579 (1.5 Mb)

The command line version of the Network Administration Tool can save the system's network configuration to a file, which can later be used to restore the same settings, for example after a reinstall. To save, or export, the network configuration of a system to the file /tmp/network-config, execute the following command as root:

system-config-network-cmd -e > /tmp/network-config

To restore, or import, the network configuration from the file created by the previous command, execute the following command as root:

system-config-network-cmd -i -c -f /tmp/network-config

The -i option means to import the data, the -c option means to clear the existing configuration prior to importing, and the -f option specifies the file to import. The exported file describes every network device on the host; store it with restricted permissions rather than leaving it in a world-readable location such as /tmp.
| Method | Description |
|---|---|
| NAT | Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem. |
| Packet Filter | A packet filtering firewall reads each data packet that passes through a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem. |
| Proxy | Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines. |
Red Hat Enterprise Linux includes the Netfilter kernel subsystem and the iptables tool for configuring it.

The Linux kernel performs packet filtering and network address translation with Netfilter, which is administered with the iptables administration tool, a command line tool similar in syntax to its predecessor, ipchains.

ipchains requires intricate rule sets for filtering source paths, filtering destination paths, and filtering both source and destination connection ports.

iptables uses the Netfilter subsystem to enhance network connection inspection and processing. iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.

The Security Level Configuration Tool provides a graphical front end for a basic iptables ruleset. Its program name is system-config-securitylevel (the similarly named system-config-selinux manages SELinux policy and does not configure the firewall). Start it as root:

[root@myServer ~] # system-config-securitylevel

If the firewall has previously been configured, its rules are loaded from the /etc/sysconfig/iptables file. If you choose Disabled and click OK, these configurations and firewall rules will be lost.

Enabling options in the Trusted services list allows the specified service to pass through the firewall:

WWW (HTTP) — The HTTP protocol is used by Apache (and by other Web servers) to serve web pages. Serving web pages requires that the httpd package be installed. Enabling WWW (HTTP) does not open a port for HTTPS; to allow HTTPS, add 443:tcp in the Other ports section.
FTP — The FTP protocol is used to transfer files between machines on a network. Serving files via FTP requires that the vsftpd package be installed.
SSH — Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. Allowing SSH access through the firewall requires that the openssh-server package be installed.
Telnet — Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no protection from network snooping, so allowing incoming Telnet access is not recommended. Using Telnet requires that the telnet-server package be installed.
Mail (SMTP) — If you need to allow remote hosts to connect directly to your machine to deliver mail, select this check box. You do not need to enable this if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.

The Security Level Configuration Tool includes an Other ports section for specifying custom IP ports as trusted by iptables. For example, to allow IRC and Internet printing protocol (IPP) to pass through the firewall, add the following to the Other ports section:

194:tcp,631:tcp

Every entry here is a listening service exposed to the network; list only what the host must serve.

Click OK to save the changes and enable or disable the firewall. If Enable firewall was selected, the options selected are translated to iptables commands and written to the /etc/sysconfig/iptables file. The iptables service is also started so that the firewall is activated immediately after saving the selected options. If Disable firewall was selected, the /etc/sysconfig/iptables file is removed and the iptables service is stopped immediately.

The selected options are also written to the /etc/sysconfig/system-config-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand.

Even though the firewall is activated immediately, the iptables service is not configured to start automatically at boot time. Refer to Section 18.2.6, “Activating the IPTables Service” for more information.
The firewall rules are only active if the iptables service is running. To manually start the service, use the following command:

[root@myServer ~] # service iptables restart

To ensure that iptables starts when the system is booted, use the following command:

[root@myServer ~] # chkconfig --level 345 iptables on

The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is installed (for example, an upgrade was performed and the system had ipchains previously installed), the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:

[root@myServer ~] # service ipchains stop
[root@myServer ~] # chkconfig --level 345 ipchains off

The first step in using iptables is to start the iptables service. Use the following command to start the iptables service:

[root@myServer ~] # service iptables start

The ip6tables service can be turned off if you intend to use the iptables service only. If you deactivate the ip6tables service, remember to deactivate the IPv6 network also. Never leave a network device active without the matching firewall: a host with IPv6 addresses and no ip6tables rules is reachable over IPv6 no matter how strict its IPv4 rules are.

To make iptables start by default when the system is booted, use the following command:

[root@myServer ~] # chkconfig --level 345 iptables on

This forces iptables to start whenever the system is booted into runlevel 3, 4, or 5.
The following sample iptables command illustrates the basic command syntax:

[root@myServer ~ ] # iptables -A <chain> -j <target>

The -A option specifies that the rule be appended to <chain>. Each chain is comprised of one or more rules, and is therefore also known as a ruleset.

The -j <target> option specifies the target of the rule; i.e., what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT.

Refer to the iptables man page for more information on the available chains, options, and targets.

Each iptables chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall ruleset for the firewall.

A secure firewall starts by dropping everything that no rule explicitly permits. To set a DROP policy on the three built-in chains of the filter table:

[root@myServer ~ ] # iptables -P INPUT DROP
[root@myServer ~ ] # iptables -P OUTPUT DROP
[root@myServer ~ ] # iptables -P FORWARD DROP

Setting the INPUT policy to DROP from a remote session cuts that session off unless a rule allowing it is already in place; add the permitting rules first, or work from the console.

Rules entered interactively with iptables are transitory; if the system is rebooted or if the iptables service is restarted, the rules are automatically flushed and reset. To save the rules so that they are loaded when the iptables service is started, use the following command:

[root@myServer ~ ] # service iptables save

The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is started or the machine is rebooted.

To allow a web server on this machine to be reached, accept incoming connections to ports 80 (HTTP) and 443 (HTTPS):

[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

In an iptables ruleset, order is important: packets are checked against the rules of a chain from top to bottom, and the first matching rule decides. A broad ACCEPT or DROP placed early shadows every rule after it.

To insert a rule at a given position in a chain rather than appending it, use the -I option. For example, to make the loopback interface the first rule in the INPUT chain:

[root@myServer ~ ] # iptables -I INPUT 1 -i lo -p all -j ACCEPT

Most systems that allow remote logins need to configure iptables to accept connections from remote SSH clients. For example, the following rules allow remote SSH access:

[root@myServer ~ ] # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@myServer ~ ] # iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

The OUTPUT rule is only needed because the OUTPUT policy above is DROP; with an ACCEPT policy on OUTPUT, or with a connection-tracking rule that accepts ESTABLISHED traffic, the INPUT rule alone is sufficient.

The following sections describe further iptables filtering rules.
FORWARD and NAT Rules

iptables provides routing and forwarding policies that can be implemented to prevent abnormal usage of network resources.

The FORWARD chain allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), use the following rules:

[root@myServer ~ ] # iptables -A FORWARD -i eth1 -j ACCEPT
[root@myServer ~ ] # iptables -A FORWARD -o eth1 -j ACCEPT

These rules give systems behind the firewall/gateway access to the internal network; the gateway passes every forwarded packet through its eth1 device. Note that the second rule accepts anything destined for the LAN from any interface, including the external one. A gateway that faces the Internet should instead accept only replies to connections the LAN initiated, using the connection tracking rule described later in this section.

By default, the IPv4 policy in Red Hat Enterprise Linux kernels disables support for IP forwarding, which prevents boxes running Red Hat Enterprise Linux from functioning as dedicated edge routers. To enable IP forwarding, use the following command:

[root@myServer ~ ] # sysctl -w net.ipv4.ip_forward=1

This configuration change is only valid for the current session; it does not persist beyond a reboot or network service restart. To permanently set IP forwarding, edit the /etc/sysctl.conf file as follows. Locate the following line:

net.ipv4.ip_forward = 0

Edit it to read as follows:

net.ipv4.ip_forward = 1

Use the following command to enable the change to the sysctl.conf file:

[root@myServer ~ ] # sysctl -p /etc/sysctl.conf

Accepting forwarded packets via the firewall's internal IP device allows LAN nodes to communicate with each other; however they still are not allowed to communicate externally to the Internet. To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall's external device (in this case, eth0):

[root@myServer ~ ] # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's external networking device (-o eth0).

The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.

If you have a server on your internal network that you want to make available externally, you can use the -j DNAT target of the PREROUTING chain in NAT to specify a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded.

For example, to forward incoming HTTP requests to a dedicated Apache HTTP Server at 172.31.0.23, use the following command:

[root@myServer ~ ] # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80

If you have a default policy of DROP in your FORWARD chain, you must append a rule to forward incoming HTTP requests so that destination NAT routing is possible. To do this, use the following command:

[root@myServer ~ ] # iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT

DNAT only rewrites the destination; the rewritten packet is still checked by the FORWARD chain, which is why both rules are needed. The FORWARD rule also bounds the exposure to the single port and host named in the DNAT rule, so keep it that specific.

You can also use iptables rules to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ). A DMZ is a special local subnetwork dedicated to providing services on a public carrier, such as the Internet.

For example, to set a rule for routing incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (outside of the 192.168.1.0/24 range of the LAN), NAT uses the PREROUTING chain to forward the packets to the appropriate destination:

[root@myServer ~ ] # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80

With this rule, HTTP connections to port 80 from outside of the LAN are routed to a server on a network separate from the rest of the internal network, so a compromise of the web server does not place the attacker on the LAN.
Some of the most useful rules are those that block known malicious software. For example, the following rules block outbound and forwarded traffic to and from a back-door program that listens on TCP port 31337:

[root@myServer ~ ] # iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
[root@myServer ~ ] # iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

Rules keyed on a single well-known port only stop software that keeps its default port; they are no substitute for a default-deny policy on the chain.

You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN. For example, if your LAN uses the 192.168.1.0/24 range, you can design a rule that instructs the Internet-facing network device (for example, eth0) to drop any packets arriving on that device with a source address in your LAN IP range. Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically:

[root@myServer ~ ] # iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP

There is a distinction between the DROP and REJECT targets when dealing with appended rules.

The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.

Administrators can use their own discretion when using these targets. However, to avoid user confusion and repeated connection attempts, the REJECT target is recommended. DROP leaves a legitimate client waiting for a timeout on every attempt, and it does not make the host invisible: a port scanner still distinguishes a port whose packets are dropped from one that is closed.

iptables uses a method called connection tracking to store information about incoming connections. You can allow or deny access based on the following connection states:

NEW — A packet requesting a new connection, such as an HTTP request.
ESTABLISHED — A packet that is part of an existing connection.
RELATED — A packet that is requesting a new connection but is part of an existing connection. For example, FTP uses port 21 to establish a connection, but data is transferred on a different port (typically port 20). Recognizing such packets as RELATED requires the protocol helper module for that protocol (ip_conntrack_ftp for FTP) to be loaded.
INVALID — A packet that is not part of any connections in the connection tracking table.

You can use the stateful functionality of iptables connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP). The following example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection:

[root@myServer ~ ] # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
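The rules in this section are shown one at a time; what matters in practice is the complete ruleset and the order in which the rules appear. The script below is an added example (it is not part of the Red Hat guide) that assembles them into one ruleset in the format that service iptables save writes to /etc/sysconfig/iptables: default-deny policies, loopback first, connection tracking before any per-port rule, the anti-spoofing drop on the external interface, REJECT rather than a silent DROP as the last rule of INPUT, and the MASQUERADE and DNAT rules for a gateway with one DMZ host. It assumes eth0 is the external interface, eth1 the LAN interface, 192.168.1.0/24 the LAN range and 10.0.4.2 the DMZ web server, as in the examples above; the interface names and the port list are assumptions for the example. It deliberately replaces the two permissive FORWARD rules from the start of this section with direction-aware rules plus connection tracking, so that hosts on the Internet cannot reach the LAN.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): generate a complete stateful
# ruleset in /etc/sysconfig/iptables (iptables-restore) format.
#
# Arguments: EXT_IF LAN_IF LAN_CIDR "PORTS" [DMZ_HOST]
# Interface names, addresses and ports are assumptions for the example.
emit() { printf '%s\n' "$1"; }

build_ruleset() {
    ext_if=$1; lan_if=$2; lan_cidr=$3; ports=$4; dmz_host=${5:-}

    emit '*filter'
    # Default policies: nothing in or through unless a rule allows it.
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    # Loopback must come first; many local services depend on it.
    emit '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus RELATED traffic
    # (for example FTP data when the ip_conntrack_ftp helper is loaded).
    emit '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    emit '-A INPUT -m state --state INVALID -j DROP'
    # Anti-spoofing: packets claiming a LAN source must never arrive on
    # the external interface. Placed before any ACCEPT of new connections.
    emit "-A INPUT -i $ext_if -s $lan_cidr -j DROP"
    emit "-A FORWARD -i $ext_if -s $lan_cidr -j DROP"
    # With the state rule above, only NEW connections need per-port rules.
    for p in $ports; do
        emit "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Forwarding: LAN may go out; anything coming back must match conntrack.
    emit "-A FORWARD -i $lan_if -o $ext_if -j ACCEPT"
    emit '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ -n "$dmz_host" ]; then
        # Counterpart of the DNAT rule below: the rewritten packet still
        # traverses FORWARD, so allow exactly that host and port.
        emit "-A FORWARD -i $ext_if -p tcp -d $dmz_host --dport 80 -m state --state NEW -j ACCEPT"
    fi
    # Last rule: tell legitimate peers "no" instead of leaving them to time out.
    emit '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    emit '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    emit 'COMMIT'

    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    if [ -n "$dmz_host" ]; then
        emit "-A PREROUTING -i $ext_if -p tcp --dport 80 -j DNAT --to-destination $dmz_host:80"
    fi
    # Masquerade LAN traffic leaving through the external interface.
    emit "-A POSTROUTING -o $ext_if -j MASQUERADE"
    emit 'COMMIT'
}

# rule_position RULESET PATTERN: line number of the first rule matching
# PATTERN, so the ordering the text insists on can be checked mechanically.
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Usage (as root):
#   build_ruleset eth0 eth1 192.168.1.0/24 "22 80 443" 10.0.4.2 > /etc/sysconfig/iptables
#   service iptables restart && iptables -L -n -v
```

Because the policy is DROP and the per-port rules only accept NEW connections, the SSH OUTPUT rule from earlier in the chapter is unnecessary here; replies leave through the ACCEPT policy on OUTPUT and return through the ESTABLISHED rule. Before loading a ruleset like this on a remote host, keep a console session open: a mistake in the port list locks you out.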
Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the ip6tables command. In Red Hat Enterprise Linux 5, both IPv4 and IPv6 services are enabled by default.

The ip6tables command syntax is the same as that of iptables, except that it operates on 128-bit addresses (and the kernel shipped with Red Hat Enterprise Linux 5 provides no nat table for IPv6). For example, use the following command to enable SSH connections on an IPv6-aware network server:

[root@myServer ~ ] # ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT

Whatever policy you apply with iptables must be mirrored with ip6tables on any host that has IPv6 addresses; otherwise the IPv4 rules can be bypassed simply by connecting over IPv6.
iptables man page contains a brief summary of the various options.
iptables project.
iptables. It includes topics that cover analyzing firewall logs, developing firewall rules, and customizing your firewall using various graphical tools.
ipchains as well as Netfilter and iptables. Additional security topics such as remote access issues and intrusion detection systems are also covered.
Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.

There are several different methods for managing access to system services. Decide which method of management to use based on the service, your system's configuration, and your level of Linux expertise.

The easiest way to deny access to a service is to turn it off. Both the services managed by xinetd and the services in the /etc/rc.d/init.d hierarchy (also known as SysV services) can be configured to start or stop using three different applications:

Services Configuration Tool — a graphical application that displays a description of each service, displays whether each service is started at boot time (for runlevels 3, 4, and 5), and allows services to be started, stopped, and restarted.
ntsysv — a text-based application that allows you to configure which services are started at boot time for each runlevel. Non-xinetd services can not be started, stopped, or restarted using this program.
chkconfig — a command line utility that allows you to turn services on and off for the different runlevels. Non-xinetd services can not be started, stopped, or restarted using this utility.

You may find that these tools are easier to use than the alternatives: editing the numerous symbolic links located in the directories below /etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.

Another way to manage access to system services is by using iptables to configure an IP firewall. If you are a new Linux user, please realize that iptables may not be the best solution for you. Setting up iptables can be complicated and is best tackled by experienced Linux system administrators.

On the other hand, the benefit of using iptables is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, iptables can provide it for you. Refer to the Reference Guide and the Security Guide for more information about iptables.

Alternatively, if you are looking for a utility to set general access rules for your machine, or if you are new to Linux, try the Security Level Configuration Tool (system-config-securitylevel), which allows you to select the security level for your system, similar to the Firewall Configuration screen in the installation program.

Refer to the iptables chapter in the Reference Guide for more information.

Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or mode, that is defined by the services listed in the directory /etc/rc.d/rc<x>.d, where <x> is the number of the runlevel.

The default runlevel for the system is listed in the /etc/inittab file, which contains a line near the top of the file similar to the following:

id:5:initdefault:

The runlevel can be changed on the command line with telinit followed by the runlevel number. You must be root to use this command. The telinit command does not change the /etc/inittab file; it only changes the runlevel currently running. When the system is rebooted, it continues to boot the runlevel as specified in /etc/inittab.
Any network service managed by xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the names imply, hosts.allow contains a list of rules that allow clients to access the network services controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file takes precedence over the hosts.deny file: the first matching rule in hosts.allow grants access, otherwise the first matching rule in hosts.deny denies it, and a client matched by neither file is allowed. Without a catch-all ALL: ALL line in hosts.deny, TCP wrappers therefore deny nothing by default. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to the Reference Guide and hosts_access in section 5 of the man pages (man 5 hosts_access) for details.

To control access to Internet services, use xinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can be used to provide access only to particular hosts, to deny access to particular hosts, to provide access to a service at certain times, to limit the rate of incoming connections and/or the load created by connections, and more.

xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.

The configuration file for xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. You can edit any of the xinetd configuration files or change its enabled status using the Services Configuration Tool, ntsysv, or chkconfig. For a list of network services controlled by xinetd, review the contents of the /etc/xinetd.d directory with the command ls /etc/xinetd.d.
The Services Configuration Tool is a graphical application for configuring which SysV services in the /etc/rc.d/init.d directory are started at boot time (for runlevels 3, 4, and 5) and which xinetd services are enabled. It also allows you to start, stop, and restart SysV services as well as restart xinetd.

To start the Services Configuration Tool, type the command system-config-services at a shell prompt (for example, in an XTerm or a GNOME terminal).

The Services Configuration Tool lists the services from the /etc/rc.d/init.d directory as well as the services controlled by xinetd. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an xinetd service, the status window shows whether the service is currently running. If the service is controlled by xinetd, the status window displays the phrase xinetd service.

If the selected service is an xinetd service, the action buttons are disabled because xinetd services can not be started or stopped individually.

If you enable/disable an xinetd service by checking or unchecking the checkbox next to the service name, you must select File => Save Changes from the pulldown menu to restart xinetd and immediately enable/disable the xinetd service that you changed. xinetd is also configured to remember the setting. You can enable/disable multiple xinetd services at a time and save the changes when you are finished.

For example, assume you check rsync to enable it in runlevel 3 and then save the changes. The rsync service is immediately enabled. The next time xinetd is started, rsync is still enabled.

When you save changes to xinetd services, xinetd is restarted, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.

To configure a SysV service to start at boot time for the currently selected runlevel, check the checkbox beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting File => Save Changes from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.

For example, assume you are configuring runlevel 3. If you change the value for the httpd service from checked to unchecked and then select Save Changes, the runlevel 3 configuration changes so that httpd is not started at boot time. However, runlevel 3 is not reinitialized, so httpd is still running. Select one of following options at this point:

Stop the httpd service — Stop the service by selecting it from the list and clicking the Stop button. A message appears stating that the service was stopped successfully.
Reinitialize the runlevel — Reinitialize the runlevel by going to a shell prompt and typing the command telinit 3 (where 3 is the runlevel number). This option is recommended if you change the Start at Boot value of multiple services and want to activate the changes immediately.
Do nothing else — You do not have to stop the httpd service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the httpd service running.

The ntsysv utility provides a simple interface for activating or deactivating services. You can use ntsysv to turn an xinetd-managed service on or off. You can also use ntsysv to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the --level option. For example, the command ntsysv --level 345 configures runlevels 3, 4, and 5.

Services managed by xinetd are immediately affected by ntsysv. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command service daemon stop. In the previous example, replace daemon with the name of the service you want to stop; for example, httpd. Replace stop with start or restart to start or restart the service.
The chkconfig command can also be used to activate and deactivate services. The chkconfig --list command displays a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6. At the end of the list is a section for the services managed by xinetd.

If chkconfig --list is used to query a service managed by xinetd, it displays whether the xinetd service is enabled (on) or disabled (off). For example, the command chkconfig --list finger returns the following output:

finger          on

As shown, finger is enabled as an xinetd service. If xinetd is running, finger is enabled.

If you use chkconfig --list to query a service in /etc/rc.d, the service's settings for each runlevel are displayed. For example, the command chkconfig --list httpd returns the following output:

httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

chkconfig can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn nscd off in runlevels 3, 4, and 5, use the following command:

chkconfig --level 345 nscd off

Services managed by xinetd are immediately affected by chkconfig. For example, if xinetd is running, finger is disabled, and the command chkconfig finger on is executed, finger is immediately enabled without having to restart xinetd manually. Changes for other services do not take effect immediately after using chkconfig. You must stop or start the individual service with the command service daemon stop. In the previous example, replace daemon with the name of the service you want to stop; for example, httpd. Replace stop with start or restart to start or restart the service.
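Turning off what you do not need, as this chapter recommends, is easier when the list of what is enabled is checked against what is supposed to be enabled. The script below is an added example (not from the Red Hat guide) that parses chkconfig --list output, both the SysV runlevel lines and the xinetd section, and reports every service enabled in a given runlevel that is not on an allowlist. The chkconfig output and the allowlist embedded in it are constructed for illustration; on a real host pipe the live output in as root.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit "chkconfig --list" output
# against an allowlist of services that are supposed to be enabled, so that
# anything else that starts at boot (or under xinetd) is reported.
# On a real host:   chkconfig --list | audit_services "$ALLOWED" 3

# Constructed sample of chkconfig --list output (illustration only).
SAMPLE_CHKCONFIG='httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        finger:         on
        rsync:          off
        telnet:         on'

# Services this host is meant to run; an assumption for the example.
ALLOWED='sshd iptables httpd'

# audit_services ALLOWLIST RUNLEVEL: read chkconfig --list on stdin and
# print "SYSV name" for every SysV service that is on in RUNLEVEL and
# "XINETD name" for every enabled xinetd service, unless name is allowed.
audit_services() {
    awk -v allow=" $1 " -v rl="$2" '
    # Everything after this header line describes xinetd services.
    /^xinetd based services:/ { inxinetd = 1; next }
    inxinetd {
        name = $1; sub(/:$/, "", name)
        if ($2 == "on" && index(allow, " " name " ") == 0) print "XINETD " name
        next
    }
    {
        # SysV lines: name followed by "N:on" / "N:off" per runlevel.
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[1] == rl && kv[2] == "on" && index(allow, " " $1 " ") == 0)
                print "SYSV " $1
        }
    }'
}

# Example run on the constructed sample:
#   printf '%s\n' "$SAMPLE_CHKCONFIG" | audit_services "$ALLOWED" 3
# Findings are then disabled with, for example:
#   chkconfig --level 345 sendmail off && service sendmail stop
#   chkconfig telnet off      # xinetd services take effect immediately
```

On the sample, sendmail is reported for runlevel 3, and finger and telnet are reported as enabled xinetd services; nscd is off and sshd, iptables and httpd are on the allowlist. The allowlist is the security policy here, so keep it under version control with the rest of the host's configuration.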
The man pages for ntsysv, chkconfig, xinetd, and xinetd.conf.
man 5 hosts_access — The man page for the format of host access control files (in section 5 of the man pages).
xinetd webpage. It contains a more detailed list of features and sample configuration files.
xinetd allow or deny access as well as how to configure network access using them. It also provides instructions for creating iptables firewall rules.
xinetd such as logging denied connection attempts.
OpenSSH is a free, open source implementation of the SSH (Secure SHell) protocols. It replaces telnet, ftp, rlogin, rsh, and rcp with secure, encrypted network connectivity tools. OpenSSH supports versions 1.3, 1.5, and 2 of the SSH protocol. Since OpenSSH version 2.9, the default protocol is version 2, which uses RSA keys as the default. Protocol version 1 has known weaknesses; unless a legacy client requires it, restrict the server to version 2 with the line Protocol 2 in /etc/ssh/sshd_config.

All communications using OpenSSH tools, including passwords, are encrypted. Telnet and ftp use plain text passwords and send all information unencrypted. The information can be intercepted, the passwords can be retrieved, and your system could be compromised by an unauthorized person logging in to your system using one of the intercepted passwords. The OpenSSH set of utilities should be used whenever possible to avoid these security problems.

Another reason to use OpenSSH is that it can forward the DISPLAY variable to the client machine. In other words, if you are running the X Window System on your local machine, and you log in to a remote machine using the ssh command, when you run a program on the remote machine that requires X, it will be displayed on your local machine. This feature is convenient if you prefer graphical system administration tools but do not always have physical access to your server. X11 forwarding also gives programs on the remote host access to your local X display, so enable it only towards hosts you trust.

To be an OpenSSH server, the openssh-server package is required; it depends on the openssh package.

The OpenSSH daemon uses the configuration file /etc/ssh/sshd_config. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default sshd_config, read the sshd man page for a list of the keywords that can be defined in the configuration file.

To start the OpenSSH service, use the command /sbin/service sshd start. To stop the OpenSSH server, use the command /sbin/service sshd stop. If you want the daemon to start automatically at boot time, refer to Chapter 19, Controlling Access to Services for information on how to manage services.

If you reinstall, the reinstalled system creates a new set of host keys. Any client that had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.

If you want to keep the host keys generated for the system, back up the /etc/ssh/ssh_host*key* files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message. The private host keys must remain readable only by root (mode 0600) in the backup and after the restore; anyone who obtains them can impersonate the server.

Users who see this warning when no reinstall is known to have happened should not simply delete the old known_hosts entry and reconnect. Confirm the new fingerprint with the server's administrator through another channel first; the warning exists precisely to catch an interposed host.

To connect to an OpenSSH server from a client machine, you must have the openssh-clients and openssh packages installed on the client machine.
ssh Command
ssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net
ssh to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established. DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c. Are you sure you want to continue connecting (yes/no)?
yes to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts) as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
ssh username@penguin.example.net
ssh -l username penguin.example.net
ssh command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostname command. For example, if you want to execute the command ls /usr/share/doc on the remote machine penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net ls /usr/share/doc
/usr/share/doc will be displayed, and you will return to your local shell prompt.
scp Command
scp command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp.
scp <localfile> username@tohostname:<remotefile>
<localfile> specifies the source including path to the file, such as /var/log/maillog. The <remotefile> specifies the destination, which can be a new filename such as /tmp/hostname-maillog. For the remote system, if you do not have a preceding /, the path will be relative to the home directory of username, typically /home/username/.
shadowman to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:shadowman
shadowman to /home/username/shadowman on penguin.example.net. Alternately, you can leave off the final shadowman in the scp command.
scp username@tohostname:<remotefile> <newlocalfile>
<remotefile> specifies the source including path, and <newlocalfile> specifies the destination including path.
downloads/ to an existing directory called uploads/ on the remote machine penguin.example.net, type the following at a shell prompt:
scp downloads/* username@penguin.example.net:uploads/
sftp Command
sftp utility can be used to open a secure, interactive FTP session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp man page for a list of these commands. To read the man page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.
ssh, scp, or sftp to connect to a remote machine, you can generate an authorization key pair.
~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are obsolete. SSH Protocol 1 and 2 share the ~/.ssh/authorized_keys, ~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
.ssh directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
ssh-keygen -t rsa
~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa. Never distribute your private key to anyone.
.ssh directory using the following command:
chmod 755 ~/.ssh
~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exists, append the contents of the file ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keys
ssh-agent with GNOME”. If you are not running the X Window System, skip to Section 20.3.4.5, “Configuring ssh-agent”.
ssh-keygen -t dsa
~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_dsa.pub. The private key is written to ~/.ssh/id_dsa. It is important never to give anyone the private key.
.ssh directory with the following command:
chmod 755 ~/.ssh
~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exists, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keys
ssh-agent with GNOME”. If you are not running the X Window System, skip to Section 20.3.4.5, “Configuring ssh-agent”.
ssh-keygen -t rsa1
~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
~/.ssh/identity.pub. The private key is written to ~/.ssh/identity. Do not give anyone the private key.
.ssh directory and your key with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.
~/.ssh/identity.pub into the file ~/.ssh/authorized_keys on the machine to which you wish to connect. If the file ~/.ssh/authorized_keys does not exist, you can copy the file ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the remote machine.
ssh-agent with GNOME”. If you are not running GNOME, skip to Section 20.3.4.5, “Configuring ssh-agent”.
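The three key-generation procedures above (RSA, DSA, and RSA version 1) all finish the same way: the .pub file is copied to the remote machine, appended to ~/.ssh/authorized_keys there, and the directory and file permissions are set. The following shell function is an added example of that receiving-side step; it is not part of the guide or of the OpenSSH project. It assumes the public key file has already been copied over, uses 700 on the .ssh directory and 600 on authorized_keys (stricter than the 755 and 644 the guide gives, and also accepted by sshd), refuses input that is not a one-line public key of the form used by id_rsa.pub and id_dsa.pub (version 1 identity.pub files have a different layout), and skips the append when the key is already present so it can be re-run without producing duplicate entries.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE SSH_DIR
# Adds the one-line OpenSSH public key in PUBKEY_FILE to SSH_DIR/authorized_keys,
# creating the directory and file if needed with permissions that sshd's
# StrictModes accepts. Returns non-zero if PUBKEY_FILE is not a public key line
# of the form "<type> <base64 data> [comment]".
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    key=$(head -n 1 "$pubkey_file")
    key_type=${key%% *}          # first word: the key type
    rest=${key#* }               # everything after the first space
    blob=${rest%% *}             # second word: the base64 key data
    case "$key_type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: unrecognised key type '$key_type'" >&2; return 1 ;;
    esac
    if [ "$rest" = "$key" ] || [ -z "$blob" ]; then
        echo "install_pubkey: no key data after the key type" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077                    # new files are private from the moment they exist
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"
    umask "$old_umask"
    # Match on type and key data only, so a changed comment is not treated
    # as a new key and appended a second time.
    if ! grep -qF -- "$key_type $blob" "$ssh_dir/authorized_keys"; then
        printf '%s\n' "$key" >> "$ssh_dir/authorized_keys"
    fi
}

# Typical use on the remote machine, after scp has delivered the .pub file:
#   install_pubkey ~/id_rsa.pub ~/.ssh
```

Because the function matches on the key type and key data rather than on the whole line, a key whose comment was edited (for example to record which workstation it belongs to) is still recognised as already installed.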
ssh-agent with GNOME
ssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection. If you are using GNOME, the openssh-askpass-gnome package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session. If you are not using GNOME, refer to Section 20.3.4.5, “Configuring ssh-agent”.
openssh-askpass-gnome installed; you can use the command rpm -q openssh-askpass-gnome to determine if it is installed or not. If it is not installed, install it from your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.
/usr/bin/ssh-add in the Startup Command text area. Set its priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for ssh-add is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click to exit the program.
ssh, scp, or sftp.
ssh-agent
ssh-agent can be used to store your passphrase so that you do not have to enter it each time you make an ssh or scp connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to Section 20.3.4.4, “Configuring ssh-agent with GNOME”), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
exec /usr/bin/ssh-agent $SHELL
ssh-add
ssh, scp, sftp, sshd, and ssh-keygen man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.
/myproject. To access the shared files, the user goes into the /myproject directory on his machine. There are no passwords to enter or special commands to remember. Users work as if the directory is on their local machines.
mount command to mount a shared NFS directory from another machine:
mount shadowman.example.com:/misc/export /misc/local
/misc/local in the above example) must exist before this command can be executed.
shadowman.example.com is the hostname of the NFS file server, /misc/export is the directory that shadowman is exporting, and /misc/local is the location to mount the file system on the local machine. After the mount command runs (and if the client has proper permissions from the shadowman.example.com NFS server) the client user can execute the command ls /misc/local to display a listing of the files in /misc/export on shadowman.example.com.
/etc/fstab
/etc/fstab file. The line must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the /etc/fstab file.
/etc/fstab is as follows:
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr
/pub must exist on the client machine before this command can be executed. After adding this line to /etc/fstab on the client system, type the command mount /pub at a shell prompt, and the mount point /pub is mounted from the server.
/etc/auto.master to determine which mount points are defined. It then starts an automount process with the appropriate parameters for each mount point. Each line in the master map defines a mount point and a separate map file that defines the file systems to be mounted under this mount point. For example, the /etc/auto.misc file might define mount points in the /misc directory; this relationship would be defined in the /etc/auto.master file.
auto.master has three fields. The first field is the mount point. The second field is the location of the map file, and the third field is optional. The third field can contain information such as a timeout value.
/proj52 on the remote machine penguin.example.net at the mount point /misc/myproject on your machine, add the following line to auto.master:
/misc /etc/auto.misc --timeout 60
/etc/auto.misc:
myproject -rw,soft,intr,rsize=8192,wsize=8192 penguin.example.net:/proj52
/etc/auto.misc is the name of the /misc subdirectory. This subdirectory is created dynamically by automount. It should not actually exist on the client machine. The second field contains mount options such as rw for read and write access. The third field is the location of the NFS export including the hostname and directory.
/misc must exist on the local file system. There should be no subdirectories in /misc on the local file system.
/sbin/service autofs restart
/sbin/service autofs status
/etc/auto.master configuration file while autofs is running, you must tell the automount daemon(s) to reload by typing the following command at a shell prompt:
/sbin/service autofs reload
-o udp option to mount when mounting the NFS-exported file system on the client system.
/etc/fstab file (client side), and automatically via autofs configuration files, such as /etc/auto.master and /etc/auto.misc (server side with NIS).
mount -o udp shadowman.example.com:/misc/export /misc/local
/etc/fstab (client side):
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr,udp
myproject -rw,soft,intr,rsize=8192,wsize=8192,udp penguin.example.net:/proj52
-o udp option is not specified, the NFS-exported file system is accessed via TCP.
NFS stale file handles messages.
system-config-nfs RPM package installed. To start the application, select the (on the Panel) => => => , or type the command system-config-nfs.

/tmp.
insecure.
insecure_locks.
no_subtree_check.
sync. If this is not selected, the async option is used.
no_wdelay.
no_root_squash.
all_squash.
anonuid.
anongid.
/etc/exports.bak. The new configuration is written to /etc/exports.
/etc/exports configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax).
/etc/exports file controls what directories the NFS server exports. Its format is as follows:
directory hostname(options)
sync or async (sync is recommended). If sync is specified, the server does not reply to requests before the changes made by the request are written to the disk.
/misc/export speedy.example.com(sync)
speedy.example.com to mount /misc/export with the default read-only permissions, but,
/misc/export speedy.example.com(rw,sync)
speedy.example.com to mount /misc/export with read/write privileges.
/etc/exports file. If there are no spaces between the hostname and the options in parentheses, the options apply only to the hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
/misc/export speedy.example.com(rw,sync)
/misc/export speedy.example.com (rw,sync)
speedy.example.com read-write access and denies all other users. The second line grants users from speedy.example.com read-only access (the default) and allows the rest of the world read-write access.
/etc/exports, you must inform the NFS daemon of the change, or reload the configuration file with the following command:
/sbin/service nfs reload
*.example.com includes one.example.com but does not include one.two.example.com.
a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
@group-name, where group-name is the NIS netgroup name.
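The stray space described above is easy to miss when reading /etc/exports by eye, and a "*" wildcard client has the same effect of exporting to everyone. The following shell function is an added example, not part of the guide or of the NFS utilities, that scans an exports-format file for exactly those two cases and reports any that also grant read/write access. The sample file it runs on is constructed here from the guide's two speedy.example.com lines plus one extra line with a wildcard client.

```shell
#!/bin/sh
# Constructed /etc/exports content (not the guide's file). The second line has
# the accidental space, so (rw,sync) applies to every host; the last line
# exports /srv/data read/write to "*", i.e. to everyone.
SAMPLE_EXPORTS='/misc/export speedy.example.com(rw,sync)
/misc/export speedy.example.com (rw,sync)
# a comment line, ignored
/srv/data 192.168.0.0/24(ro,sync) *(rw)
'

# world_writable_exports FILE
# Prints "<directory> <client-token>" for every client token in FILE that
# grants read/write access to any host: a bare "(options)" token (options that
# were separated from their hostname by a space) or a "*" wildcard with rw.
# Tokens tied to a named host, network or @netgroup are left alone.
world_writable_exports() {
    (
        set -f   # no pathname expansion: "*" is an NFS client wildcard here, not a glob
        sed 's/#.*//' "$1" | while read -r dir clients; do
            [ -n "$dir" ] || continue
            for tok in $clients; do
                case "$tok" in
                    \(*\)|\*|\*\(*\))
                        case "$tok" in
                            *rw*) printf '%s %s\n' "$dir" "$tok" ;;
                        esac
                        ;;
                esac
            done
        done
    )
}

# exports_are_restricted FILE
# Returns 0 when FILE contains no world-writable entry, 1 otherwise.
exports_are_restricted() {
    [ -z "$(world_writable_exports "$1")" ]
}

# Typical use:  world_writable_exports /etc/exports
```

A bare "*" with no options is not reported, because exports default to read-only; only the combination of an unrestricted client and rw is flagged. Run the check before /sbin/service nfs reload so a mistyped line is never exported.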
nfs service must be running.
/sbin/service nfs status
/sbin/service nfs start
/sbin/service nfs stop
nfs service at boot time, use the command:
/sbin/chkconfig --level 345 nfs on
chkconfig, ntsysv, or the Services Configuration Tool to configure which services start at boot time. Refer to Chapter 19, Controlling Access to Services for details.
nfsd, mountd, exports, auto.master, and autofs (in manual sections 5 and 8) — These man pages show the correct syntax for the NFS and autofs configuration files.
/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.
/etc/samba/ directory. Any changes to these files not made using the application are preserved.
system-config-samba RPM package installed. To start the Samba Server Configuration Tool from the desktop, go to the (on the Panel) => => => or type the command system-config-samba at a shell prompt (for example, in an XTerm or a GNOME terminal).


workgroup and server string options in smb.conf.

security option. Select one of the following types of authentication.
net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.
EXAMPLE.COM.
/etc/krb5.conf file.
encrypted passwords option. Refer to Section 22.2.3, “Encrypted Passwords” for more information about encrypted Samba passwords.
guest account option.

/etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the command service smb restart.
smb.conf file:
workgroup = WORKGROUPNAME
server string = BRIEF COMMENT ABOUT SERVER
WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.
smb.conf file (after modifying it to reflect your needs and your system):
[sharename]
comment = Insert a comment here
path = /home/share/
valid users = tfox carole
public = no
writable = yes
printable = no
create mask = 0765
/home/share, on the Samba server, from a Samba client.
/etc/passwd file, at a shell prompt, type the following command:
cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
mksmbpasswd.sh script is installed in your /usr/bin directory with the samba package.
chmod 600 /etc/samba/smbpasswd
username with each user's username):
smbpasswd username
/etc/samba/smb.conf, verify that the following line does not exist:
encrypt passwords = no
;) at the beginning of the line, then the line is ignored, and encrypted passwords are enabled. If this line exists but is not commented out, either remove it or comment it out.
/etc/samba/smb.conf:
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
smb service is started by typing the command service smb restart at a shell prompt.
smb service to start automatically, use ntsysv, chkconfig, or the Services Configuration Tool to enable it at runtime. Refer to Chapter 19, Controlling Access to Services for details.
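The check the procedure asks for (is there an active encrypt passwords = no, or only a commented one?) comes down to reading the [global] section of smb.conf the way Samba does: ; and # both start comments, a setting in another section does not count, and the last occurrence of a key wins. The functions below are an added example written for this guide, not code from the Samba project; the smb.conf excerpt they run on is constructed here. The parser is general enough to look up any [global] key, which is what the encrypted-password check is built on.

```shell
#!/bin/sh
# Constructed smb.conf excerpt (not a file from the guide): the
# "encrypt passwords = no" line is commented out with ";", so it is inactive.
SAMPLE_SMB_CONF='[global]
   workgroup = MYGROUP
;  encrypt passwords = no
   smb passwd file = /etc/samba/smbpasswd
[homes]
   browseable = no
'

# smb_global_setting FILE KEY
# Prints the effective value of KEY in the [global] section of FILE, or nothing
# if it is not set there. Comment lines (; or #) and settings in other sections
# are ignored; keys are matched case-insensitively with whitespace collapsed.
smb_global_setting() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ {
            sec = $0; gsub(/\[|\]|[[:space:]]/, "", sec); sec = tolower(sec); next
        }
        sec == "global" && index($0, "=") > 0 {
            p = index($0, "=")
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/[[:space:]]+/, " ", k)
            if (tolower(k) == tolower(key)) val = v   # last occurrence wins, as in Samba
        }
        END { print val }' "$1"
}

# smb_encrypted_passwords_enabled FILE
# Returns 0 unless [global] actively sets encrypt passwords to no/false/0.
# An absent setting counts as enabled, which is the Samba default.
smb_encrypted_passwords_enabled() {
    v=$(smb_global_setting "$1" "encrypt passwords" | tr 'A-Z' 'a-z')
    case "$v" in
        no|false|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Typical use:
#   smb_encrypted_passwords_enabled /etc/samba/smb.conf && echo "encrypted passwords on"
#   smb_global_setting /etc/samba/smb.conf "smb passwd file"
```

Run the check after editing smb.conf and before service smb restart; the same parser also confirms that smb passwd file points at the /etc/samba/smbpasswd file you created with mksmbpasswd.sh.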
pam_smbpass PAM module can be used to sync users' Samba passwords with their system passwords when the passwd command is used. If a user invokes the passwd command, the password he uses to log in to the Red Hat Enterprise Linux system as well as the password he must provide to connect to a Samba share are changed.
/etc/pam.d/system-auth below the pam_cracklib.so invocation:
password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass
smb service must be running.
/sbin/service smb status
/sbin/service smb start
/sbin/service smb stop
smb service at boot time, use the command:
/sbin/chkconfig --level 345 smb on
chkconfig, ntsysv, or the Services Configuration Tool to configure which services start at boot time. Refer to Chapter 19, Controlling Access to Services for details.
smb.conf man page — explains how to configure the Samba configuration file
smbd man page — describes how the Samba daemon works
smbclient and findsmb man pages — learn more about these client tools
/usr/share/doc/samba-<version-number>/docs/ — help files included with the samba package
/etc/dhcpd.conf configuration file must be created. A sample file can be found at /usr/share/doc/dhcp-<version>/dhcpd.conf.sample.
/var/lib/dhcp/dhcpd.leases to store the client lease database. Refer to Section 23.2.2, “Lease Database” for more information.
ddns-update-style ad-hoc;
ddns-update-style interim;
dhcpd.conf man page for details about the different modes.
option keyword and are referred to as options. Options configure DHCP options, whereas parameters configure values that are not optional or that control how the DHCP server behaves.
service dhcpd restart.
omshell command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell, all changes can be made while the server is running. For more information on omshell, refer to the omshell man page.
routers, subnet-mask, domain-name, domain-name-servers, and time-offset options are used for any host statements declared below it.
subnet can be declared, a subnet declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
range declared. Clients are assigned an IP address within the range.
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
range 192.168.1.10 192.168.1.100;
}
shared-network declaration as shown in Example 23.2, “Shared-network Declaration”. Parameters within the shared-network, but outside the enclosed subnet declarations, are considered to be global parameters. The name of the shared-network should be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
group declaration can be used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
group {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
host raleigh {
option host-name "raleigh.example.com";
hardware ethernet 00:A1:DD:74:C3:F2;
fixed-address 192.168.1.6;
}
}
range 192.168.1.10 and 192.168.1.100 to client systems.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "example.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
}
hardware ethernet parameter within a host declaration. As demonstrated in Example 23.5, “Static IP Address using DHCP”, the host apex declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
host-name can also be used to assign a host name to the client.
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
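The subnet, group and host examples above describe two things that must agree with each other: a range has to lie inside the subnet that declares it, and a fixed-address given to a host must not fall inside a dynamic range, or the server may also lease that address to another client. dhcpd itself does not flag the second case at start-up. The shell function below is an added example, not code from the guide or from the ISC DHCP distribution, that reads a dhcpd.conf excerpt and reports both problems. Its sample input is constructed here from the guide's subnet, apex and raleigh declarations plus one extra host (lab-printer, with a placeholder MAC address) whose fixed address deliberately lands inside the range.

```shell
#!/bin/sh
# Constructed dhcpd.conf excerpt (not the guide's file): the subnet and the
# apex and raleigh hosts are the guide's examples; lab-printer is added here
# with a placeholder MAC and a fixed-address inside the dynamic range.
SAMPLE_DHCPD_CONF='subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    range 192.168.1.10 192.168.1.100;
}
host apex {
    option host-name "apex.example.com";
    hardware ethernet 00:A0:78:8E:9E:AA;
    fixed-address 192.168.1.4;
}
host raleigh {
    option host-name "raleigh.example.com";
    hardware ethernet 00:A1:DD:74:C3:F2;
    fixed-address 192.168.1.6;
}
host lab-printer {
    hardware ethernet 00:00:00:00:00:01;
    fixed-address 192.168.1.50;
}
'

# dhcpd_conflicts FILE
# Prints one line for each range that lies outside the subnet declaring it and
# one for each fixed-address that falls inside a dynamic range. Prints nothing
# when the file is consistent.
dhcpd_conflicts() {
    awk '
    # dotted quad -> integer, so addresses can be compared numerically
    function ip2n(s,    a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # octet-wise membership test; POSIX awk has no bitwise AND, but for a
    # contiguous mask octet m the octet is divided into blocks of 256-m
    function in_net(ip, net, mask,    i, n, m, k, b) {
        split(ip, i, "."); split(net, n, "."); split(mask, m, ".")
        for (k = 1; k <= 4; k++) { b = 256 - m[k]; if (int(i[k]/b) != int(n[k]/b)) return 0 }
        return 1
    }
    $1 == "subnet" && $3 == "netmask" { net = $2; mask = $4; sub(/[{;].*/, "", mask) }
    $1 == "range" {
        f = 2; if ($2 == "dynamic-bootp") f = 3          # optional keyword before the addresses
        lo = $f; hi = ($(f+1) == "" ? $f : $(f+1))      # a single-address range has no hi
        sub(/;$/, "", lo); sub(/;$/, "", hi)
        nr++; rlo[nr] = ip2n(lo); rhi[nr] = ip2n(hi); rtxt[nr] = lo " " hi
        if (net != "" && (!in_net(lo, net, mask) || !in_net(hi, net, mask)))
            print "range " lo " " hi " is outside subnet " net "/" mask
    }
    $1 == "host" { hname = $2 }
    $1 == "fixed-address" {
        a = $2; sub(/;$/, "", a); nf++; fip[nf] = ip2n(a); ftxt[nf] = hname " " a
    }
    END {
        for (h = 1; h <= nf; h++)
            for (r = 1; r <= nr; r++)
                if (fip[h] >= rlo[r] && fip[h] <= rhi[r])
                    print "fixed-address " ftxt[h] " is inside range " rtxt[r]
    }' "$1"
}

# dhcpd_is_consistent FILE: 0 when dhcpd_conflicts reports nothing.
dhcpd_is_consistent() {
    [ -z "$(dhcpd_conflicts "$1")" ]
}

# Typical use:  dhcpd_conflicts /etc/dhcpd.conf
```

The check compares every fixed-address against every range in the file, so a host declared inside a group or shared-network is tested against ranges from all subnets; that is intentional, since a host's fixed address must not be in any pool the server hands out from.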
cp /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample /etc/dhcpd.conf
(where <version-number> is the DHCP version number).
dhcp-options man page.
/var/lib/dhcp/dhcpd.leases stores the DHCP client lease database. This file should not be modified by hand. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
dhcpd.leases file is renamed dhcpd.leases~ and the temporary lease database is written to dhcpd.leases.
dhcpd.leases file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost, which causes many problems. The correct solution is to rename the dhcpd.leases~ backup file to dhcpd.leases and then start the daemon.
dhcpd.leases file exists. Use the command touch /var/lib/dhcp/dhcpd.leases to create the file if it does not exist.
named service automatically checks for a dhcpd.leases file.
/sbin/service dhcpd start. To stop the DHCP server, use the command /sbin/service dhcpd stop.
/etc/sysconfig/dhcpd, add the name of the interface to the list of DHCPDARGS:
# Command line options here
DHCPDARGS=eth0
/etc/sysconfig/dhcpd include:
-p <portnum> — Specify the UDP port number on which dhcpd should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to Section 23.2.4, “DHCP Relay Agent” for details.
-f — Run the daemon as a foreground process. This is mostly used for debugging.
-d — Log the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to /var/log/messages.
-cf <filename> — Specify the location of the configuration file. The default location is /etc/dhcpd.conf.
-lf <filename> — Specify the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is /var/lib/dhcp/dhcpd.leases.
-q — Do not print the entire copyright message when starting the daemon.
dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
/etc/sysconfig/dhcrelay with the INTERFACES directive.
service dhcrelay start.
/etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.
/etc/sysconfig/network file should contain the following line:
NETWORKING=yes
NETWORKING variable must be set to yes if you want networking to start at boot time.
/etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)
PEERDNS=<answer> , where <answer> is one of the following:
yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SRCADDR=<address> , where <address> is the specified source IP address for outgoing packets.
USERCTL=<answer> , where <answer> is one of the following:
yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
dhclient and dhclient.conf man pages.
dhcpd man page — Describes how the DHCP daemon works.
dhcpd.conf man page — Explains how to configure the DHCP configuration file; includes some examples.
dhcpd.leases man page — Explains how to configure the DHCP leases file; includes some examples.
dhcp-options man page — Explains the syntax for declaring DHCP options in dhcpd.conf; includes some examples.
dhcrelay man page — Explains the DHCP Relay Agent and its configuration options.
/usr/share/doc/dhcp-<version>/ — Contains sample files, README files, and release notes for the specific version of the DHCP service.
[6] Kudzu is a hardware probing tool run at system boot time to determine what hardware has been added or removed from the system.
/usr/share/doc/httpd-<ver>/migration.html or the Reference Guide for details.
httpd and system-config-httpd RPM packages need to be installed to use the HTTP Configuration Tool. It also requires the X Window System and root access. To start the application, go to the => => => or type the command system-config-httpd at a shell prompt (for example, in an XTerm or GNOME Terminal).
/etc/httpd/conf/httpd.conf configuration file for the Apache HTTP Server. It does not use the old srm.conf or access.conf configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections.
/etc/httpd/conf/httpd.conf configuration file by hand if you wish to use this tool. The HTTP Configuration Tool generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool.
DocumentRoot and cgi-bin directories.

ServerName directive in httpd.conf. The ServerName directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might set the server name to www.example.com while the server's real DNS name is foo.example.com.
ServerAdmin directive in httpd.conf. If you configure the server's error pages to contain an email address, this email address is used so that users can report a problem to the server's administrator. The default value is root@localhost.
Listen directive in httpd.conf. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.
httpd can be started as a regular user.


DirectoryIndex directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
http://www.example.com/this_directory/, they are going to get either the DirectoryIndex page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the DirectoryIndex directive and returns the first one it finds.
If it does not find any of these files and if Options Indexes is set for that directory, the server generates and returns a list, in HTML format, of the subdirectories and files in the directory.
ErrorDocument directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column. To override this default configuration, select the error code and click the Edit button. Choose to display the default short error message. Choose to redirect the client to an external URL and enter a complete URL, including the http://, in the Location field. Choose to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin with a slash (/) and be relative to the Document Root.
404.html, copy 404.html to DocumentRoot/../error/404.html. In this case, DocumentRoot is the Document Root directory that you have defined (the default is /var/www/html/). If the Document Root is left as the default location, the file should be copied to /var/www/error/404.html. Then, choose as the Behavior for 404 - Not Found error code and enter /error/404.html as the .
ServerAdmin directive. Refer to Section 24.3.1.1, “General Options” for information about configuring the ServerAdmin directive.
/var/log/httpd/access_log file and the error log to the /var/log/httpd/error_log file.
TransferLog directive.

LogFormat directive. Refer to http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#formats for details on the format of this directive.
ErrorLog directive.
LogLevel directive.
HostnameLookups directive. Choosing No Reverse Lookup sets the value to off. Choosing Reverse Lookup sets the value to on. Choosing Double Reverse Lookup sets the value to double.
mod_env module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the Environment Variables page to configure the directives for this module.
MAXNUM to 50, click the button inside the Set for CGI Script section, as shown in Figure 24.5, “Environment Variables”, and type MAXNUM in the Environment Variable text field and 50 in the Value to set text field. Click to add it to the list. The Set for CGI Scripts section configures the SetEnv directive.
env at a shell prompt. Click the button inside the Pass to CGI Scripts section and enter the name of the environment variable in the resulting dialog box. Click to add it to the list. The Pass to CGI Scripts section configures the PassEnv directive.

UnsetEnv directive.
http://httpd.apache.org/docs-2.0/env.html
<Directory> directive.

Options directive within the <Directory> directive. You can configure the following options:
#exec and #include commands in CGI scripts.
DirectoryIndex (such as index.html) exists in the requested directory.
Order directive with the left-hand side options. The Order directive controls the order in which allow and deny directives are evaluated. In the Allow hosts from and Deny hosts from text field, you can specify one of the following:
all to allow access to all hosts.
192.168.1.0/255.255.255.0
10.3.0.0/16

.htaccess file take precedence.
<NameVirtualHost> directive for a name based virtual host.

DocumentRoot directive within the <VirtualHost> directive. The default DocumentRoot is /var/www/html.
ServerAdmin directive within the VirtualHost directive. This email address is used in the footer of error pages if you choose to show a footer with an email address on the error pages.
IP Address:Port. Use "colon, asterisk" (:*) to configure all ports for the IP address. Specify the host name for the virtual host in the Server Host Name field.
NameVirtualHost directive based on the host name of the server. Specify the IP address in the IP address field. To specify multiple IP addresses, separate each IP address with spaces. To specify a port, use the syntax IP Address:Port. Use "colon, asterisk" (:*) to configure all ports for the IP address. Specify the host name for the virtual host in the Server Host Name field. In the Aliases section, click to add a host name alias. Adding an alias here adds a ServerAlias directive within the NameVirtualHost directive.

mod_ssl security module. To enable it through the HTTP Configuration Tool, you must allow access through port 443 under the Main tab => Available Addresses. Refer to Section 24.1, “Basic Settings” for details. Then, select the virtual host name in the Virtual Hosts tab, click the button, choose SSL from the left-hand menu, and check the Enable SSL Support option as shown in Figure 24.9, “SSL Support”. The SSL Configuration section is pre-configured with the dummy digital certificate. The digital certificate provides authentication for your secure Web server and identifies the secure server to client Web browsers. You must purchase your own digital certificate. Do not use the dummy one provided for your website. For details on purchasing a CA-approved digital certificate, refer to Chapter 25, Apache HTTP Secure Server Configuration.

LockFile directive. This directive sets the path to the lockfile used when the server is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. It must be stored on the local disk. It should be left to the default value unless the logs directory is located on an NFS share. If this is the case, the default value should be changed to a location on the local disk and to a directory that is readable only by root.
PidFile directive. This directive sets the file in which the server records its process ID (pid). This file should only be readable by root. In most cases, it should be left to the default value.
CoreDumpDirectory directive. The Apache HTTP Server tries to switch to this directory before executing a core dump. The default value is the ServerRoot. However, if the user that the server runs as cannot write to this directory, the core dump cannot be written. Change this value to a directory writable by the user the server runs as, if you want to write the core dumps to disk for debugging purposes.
User directive. It sets the userid used by the server to answer requests. This user's settings determine the server's access. Any files inaccessible to this user are also inaccessible to your website's visitors. The default for User is apache.
Do not set the User directive to root. Using root as the User creates large security holes for your Web server.
The httpd process first runs as root during normal operations, but is then immediately handed off to the apache user. The server must start as root because it needs to bind to a port below 1024. Ports below 1024 are reserved for system use, so they cannot be used by anyone but root. Once the server has attached itself to its port, however, it hands the process off to the apache user before it accepts any connection requests.
Group directive. The Group directive is similar to the User directive. Group sets the group under which the server answers requests. The default group is also apache.
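As an added example (not code from the Red Hat guide or from the httpd project), the following shell script audits an httpd.conf for two settings discussed in this chapter: a User or Group directive set to root, and an Options line that enables server-side includes with Includes rather than IncludesNOEXEC, which leaves the #exec command available to SSI pages. The configuration files it reads are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: audit an httpd.conf for
# settings the chapter warns about. Exit status 0 means no finding.

# Directive names are case-insensitive in httpd.conf; the account name is not.
httpd_runs_as_root() {
    grep -Eiq '^[[:space:]]*(User|Group)[[:space:]]+root[[:space:]]*$' "$1"
}

# Matches "Options ... Includes" or "+Includes", but not IncludesNOEXEC
# (a word character follows) and not -Includes (the option is being removed).
httpd_ssi_exec_enabled() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*[[:space:]+]Includes([[:space:]]|$)' "$1"
}

# audit_httpd_conf <file>: print findings, return 1 if any were found.
audit_httpd_conf() {
    rc=0
    if httpd_runs_as_root "$1"; then
        echo "FAIL $1: httpd is configured to run as root (User/Group directive)"
        rc=1
    fi
    if httpd_ssi_exec_enabled "$1"; then
        echo "WARN $1: Options Includes permits #exec in SSI pages; use IncludesNOEXEC"
        rc=1
    fi
    return $rc
}

# Constructed sample configurations (not real server files) for demonstration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
ServerRoot "/etc/httpd"
user root
Group apache
<Directory "/var/www/html">
    Options Indexes Includes ExecCGI
</Directory>
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
ServerRoot "/etc/httpd"
User apache
Group apache
<Directory "/var/www/html">
    Options IncludesNOEXEC
</Directory>
EOF

audit_httpd_conf "$SAMPLE_DIR/weak.conf" || echo "weak.conf has findings"
audit_httpd_conf "$SAMPLE_DIR/hardened.conf" && echo "hardened.conf is clean"
```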

For each connection, a child httpd process is created. After this maximum number of processes is reached, no one else can connect to the Web server until a child server process is freed. You cannot set this value to higher than 256 without recompiling. This option corresponds to the MaxClients directive.
TimeOut directive.
MaxRequestsPerChild directive.
MaxKeepAliveRequests directive is set to 0 and unlimited requests are allowed.
KeepAlive directive is set to false. If you check it, the KeepAlive directive is set to true, and the KeepAliveTimeout directive is set to the number that is selected as the Timeout for next Connection value. This directive sets the number of seconds your server waits for a subsequent request, after a request has been served, before it closes the connection. Once a request has been received, the Connection Timeout value applies instead.
The settings are saved to /etc/httpd/conf/httpd.conf. Remember that your original configuration file is overwritten with your new settings.
If the httpd.conf configuration file has been manually modified, the tool saves the manually modified file as /etc/httpd/conf/httpd.conf.bak.
Restart the httpd daemon with the command service httpd restart. You must be logged in as root to execute this command.
/usr/share/docs/httpd-<version>/migration.html — The Apache Migration HOWTO document contains a list of changes from version 1.3 to version 2.0 as well as information about how to migrate the configuration file manually.
mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components is referred to in this chapter as the secure Web server or just as the secure server.
mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
httpd
The httpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
httpd-devel
The httpd-devel package contains the Apache HTTP Server include files, header files, and the APXS utility. You need all of these if you intend to load any extra modules, other than the modules provided with this product. Refer to the Reference Guide for more information on loading modules onto your secure server using Apache's dynamic shared object (DSO) functionality.
openssh
The openssh package includes core files needed by both the OpenSSH client programs and the OpenSSH server. The openssh package also contains scp, a secure replacement for rcp (for securely copying files between machines).
openssh-askpass
The openssh-askpass package supports the display of a dialog window which prompts for a password during use of the OpenSSH agent.
openssh-askpass-gnome
The openssh-askpass-gnome package can be used in conjunction with the GNOME desktop environment to display a graphical dialog window when OpenSSH programs prompt for a password. If you are running GNOME and using OpenSSH utilities, you should install this package.
openssh-server
The openssh-server package contains the sshd secure shell daemon and related files. The secure shell daemon is the server side of the OpenSSH suite and must be installed on your host to allow SSH clients to connect to your host.
openssh-clients
The openssh-clients package contains the client programs needed to make encrypted connections to SSH servers, including the following: ssh, a secure replacement for rsh; sftp, a secure replacement for ftp (for transferring files between machines); and slogin, a secure replacement for rlogin (for remote login) and telnet (for communicating with another host via the Telnet protocol).
openssl-devel
The openssl-devel package contains the static libraries and the include files needed to compile applications with support for various cryptographic algorithms and protocols. You need to install this package only if you are developing applications which include SSL support — you do not need this package to use SSL.
stunnel
The stunnel package provides the Stunnel SSL wrapper. Stunnel supports the SSL encryption of TCP connections. It provides encryption for non-SSL aware daemons and protocols (such as POP, IMAP, and LDAP) without requiring any changes to the daemon's code.
Some daemons, such as dovecot or OpenLDAP's slapd server, have native SSL support, which may be more desirable than using stunnel.
For example, stunnel only provides wrapping of protocols, while the native support in OpenLDAP's slapd can also handle in-band upgrades for using encryption in response to a StartTLS client request.
| Package Name | Optional? |
|---|---|
| httpd | no |
| mod_ssl | no |
| openssl | no |
| httpd-devel | yes |
| openssh | yes |
| openssh-askpass | yes |
| openssh-askpass-gnome | yes |
| openssh-clients | yes |
| openssh-server | yes |
| openssl-devel | yes |
| stunnel | yes |
https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the navigation bar.
The secure server expects the key at /etc/httpd/conf/ssl.key/server.key and the certificate at /etc/httpd/conf/ssl.crt/server.crt. If your existing key (httpsd.key) and certificate (httpsd.crt) are located in /etc/httpd/conf/, move and rename them so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
mv /etc/httpd/conf/httpsd.key /etc/httpd/conf/ssl.key/server.key
mv /etc/httpd/conf/httpsd.crt /etc/httpd/conf/ssl.crt/server.crt
Then start your secure server with the following command:
/sbin/service httpd start
To generate your own key and certificate, use the cd command to change to the /etc/httpd/conf/ directory. Remove the fake key and certificate that were generated during the installation with the following commands:
rm ssl.key/server.key
rm ssl.crt/server.crt
To generate a key, change to the /usr/share/ssl/certs/ directory and type the following command:
make genkey
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
/etc/httpd/conf/ssl.key/server.key, the file containing your key, is created.
To create the key without a passphrase, use the following two commands instead of make genkey to create the key:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
Protect this file: if anyone obtains your server.key file, the key could be used to serve webpages that appear to be from your secure server.
server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate no longer works and the CA is not able to help you. Your only option is to request (and pay for) a new certificate.
To create a certificate request, change to the /usr/share/ssl/certs/ directory, and type the following command:
make certreq
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -set_serial num -out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:Test Company
Organizational Unit Name (eg, section) []:Testing
Common Name (your name or server's hostname) []:test.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The default values appear in brackets ([]) immediately after each request for input. For example, the first information required is the name of the country where the certificate is to be used, shown like the following:
Country Name (2 letter code) [GB]:
GB. Accept the default by pressing Enter or fill in your country's two letter code.
Organization Name and the Common Name. CAs check the information provided in the CSR to determine whether your organization is responsible for what you provided as the Common Name. CAs reject CSRs which include information they perceive as invalid.
Common Name, make sure you type in the real name of your secure server (a valid DNS name) and not any aliases which the server may have.
Email Address should be the email address for the webmaster or system administrator.
Two extra attributes are requested (A challenge password and An optional company name). To continue without entering these fields, just press Enter to accept the blank default for both inputs.
/etc/httpd/conf/ssl.csr/server.csr is created when you have finished entering your information. This file is your certificate request, ready to send to your CA.
When your CA returns the signed certificate, save it as /etc/httpd/conf/ssl.crt/server.crt. Be sure to keep a backup of this file.
To create a self-signed test certificate, change to the /usr/share/ssl/certs/ directory, and type the following command:
make testcert
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -set_serial num -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Documentation
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com
After you provide the information, the self-signed certificate is created as /etc/httpd/conf/ssl.crt/server.crt. Restart the secure server after generating the certificate with the following command:
/sbin/service httpd restart
To test the secure server, open the following URL in a Web browser (replacing server.example.com with your domain name):
https://server.example.com
Note the s after http. The https: prefix is used for secure HTTP transactions.
https://server.example.com
http://server.example.com
http://server.example.com:12331
mod_ssl website is the definitive source for information about mod_ssl. The website includes a wealth of documentation, including a User Manual at http://www.modssl.org/docs/.
To start the graphical version, type the command system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal). To start the text-based version, type the command authconfig as root at a shell prompt.

ypbind package must be installed for this option to work. If NIS support is enabled, the portmap and ypbind services are started and are also enabled to start at boot time.
openldap-clients package must be installed for this option to work.
hesiod package must be installed.
nscd) and configure it to start at boot time.
nscd package must be installed for this option to work.

kadmind.
krb5-libs and krb5-workstation packages must be installed for this option to work. Refer to the Reference Guide for more information on Kerberos.
openldap-clients package must be installed for this option to work. Refer to the Reference Guide for more information about LDAP.
Shadow passwords store the password hashes in the /etc/shadow file instead of /etc/passwd. Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system.
shadow-utils package must be installed for this option to work. For more information about shadow passwords, refer to the Users and Groups chapter in the Reference Guide.
The command line options are described in the authconfig man page or by typing authconfig --help at a shell prompt.
| Option | Description |
|---|---|
| --enableshadow | Enable shadow passwords |
| --disableshadow | Disable shadow passwords |
| --enablemd5 | Enable MD5 passwords |
| --disablemd5 | Disable MD5 passwords |
| --enablenis | Enable NIS |
| --disablenis | Disable NIS |
| --nisdomain= | Specify NIS domain |
| --nisserver= | Specify NIS server |
| --enableldap | Enable LDAP for user information |
| --disableldap | Disable LDAP for user information |
| --enableldaptls | Enable use of TLS with LDAP |
| --disableldaptls | Disable use of TLS with LDAP |
| --enableldapauth | Enable LDAP for authentication |
| --disableldapauth | Disable LDAP for authentication |
| --ldapserver= | Specify LDAP server |
| --ldapbasedn= | Specify LDAP base DN |
| --enablekrb5 | Enable Kerberos |
| --disablekrb5 | Disable Kerberos |
| --krb5kdc= | Specify Kerberos KDC |
| --krb5adminserver= | Specify Kerberos administration server |
| --krb5realm= | Specify Kerberos realm |
| --enablekrb5kdcdns | Enable use of DNS to find Kerberos KDCs |
| --disablekrb5kdcdns | Disable use of DNS to find Kerberos KDCs |
| --enablekrb5realmdns | Enable use of DNS to find Kerberos realms |
| --disablekrb5realmdns | Disable use of DNS to find Kerberos realms |
| --enablesmbauth | Enable SMB |
| --disablesmbauth | Disable SMB |
| --smbworkgroup= | Specify SMB workgroup |
| --smbservers= | Specify SMB servers |
| --enablewinbind | Enable winbind for user information by default |
| --disablewinbind | Disable winbind for user information by default |
| --enablewinbindauth | Enable winbindauth for authentication by default |
| --disablewinbindauth | Disable winbindauth for authentication by default |
| --smbsecurity= | Security mode to use for Samba and winbind |
| --smbrealm= | Default realm for Samba and winbind when security=ads |
| --smbidmapuid= | UID range winbind assigns to domain or ADS users |
| --smbidmapgid= | GID range winbind assigns to domain or ADS users |
| --winbindseparator= | Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled |
| --winbindtemplatehomedir= | Directory that winbind users have as their home |
| --winbindtemplateprimarygroup= | Group that winbind users have as their primary group |
| --winbindtemplateshell= | Shell that winbind users have as their default login shell |
| --enablewinbindusedefaultdomain | Configures winbind to assume that users with no domain in their usernames are domain users |
| --disablewinbindusedefaultdomain | Configures winbind to assume that users with no domain in their usernames are not domain users |
| --winbindjoin= | Joins the winbind domain or ADS realm now as this administrator |
| --enablewins | Enable WINS for hostname resolution |
| --disablewins | Disable WINS for hostname resolution |
| --enablehesiod | Enable Hesiod |
| --disablehesiod | Disable Hesiod |
| --hesiodlhs= | Specify Hesiod LHS |
| --hesiodrhs= | Specify Hesiod RHS |
| --enablecache | Enable nscd |
| --disablecache | Disable nscd |
| --nostart | Do not start or stop the portmap, ypbind, or nscd services even if they are configured |
| --kickstart | Do not display the user interface |
| --probe | Probe and display network defaults |
halt, poweroff, and reboot.
/etc/inittab specifies that your system is set to shutdown and reboot in response to a Ctrl+Alt+Del key combination used at the console. To completely disable this ability, comment out the following line in /etc/inittab by putting a hash mark (#) in front of it:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To allow only certain users to shut down the system with Ctrl+Alt+Del, add the -a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
The -a flag tells shutdown to look for the /etc/shutdown.allow file.
Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using Ctrl+Alt+Del. The format of the shutdown.allow file is a list of usernames, one per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, the users stephen, jack, and sophie are allowed to shutdown the system from the console using Ctrl+Alt+Del. When that key combination is used, the shutdown -a command in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead.
For more information on shutdown.allow, refer to the shutdown man page.
rm -f /etc/security/console.apps/*
To disable only poweroff, halt, and reboot, which are accessible from the console by default, run the following commands:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
This line defines what is considered a console: an X display name such as :0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
Further down in /etc/security/console.perms, there is a section with lines like:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep \
/dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<scanner>=/dev/scanner /dev/usb/scanner*
(Make sure that /dev/scanner is really your scanner and not, say, your hard drive.)
Then, look further down in /etc/security/console.perms for lines similar to:
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0640 root
<console> 0600 <cdrom> 0600 root.disk
and add a line like:
<console> 0600 <scanner> 0600 root
Then, when you log in at the console, you are given ownership of the /dev/scanner device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root and still has the permissions 0600 (now readable and writable by root only).
consolehelper only runs applications located in /sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, do the following steps:
Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when /usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions.
Any application configured to use pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.
The pam_timestamp module is included in the pam package. To enable this feature, the PAM configuration file in etc/pam.d/ must include the following lines:
auth sufficient /lib/security/pam_timestamp.so
session optional /lib/security/pam_timestamp.so
The line that begins with auth should be after any other auth sufficient lines, and the line that begins with session should be after any other session optional lines.
pam_timestamp is successfully authenticated from the (on the Panel), the
If console access is not appropriate and non-root users still require access to the diskette drive, this can be accomplished using the floppy group. Add the user(s) to the floppy group using the tool of your choice. For example, the gpasswd command can be used to add user fred to the floppy group:
gpasswd -a fred floppy
To start the date and time configuration tool, type system-config-date, system-config-time, or dateconfig at a shell prompt (for example, in an XTerm or a GNOME terminal).



system-config-keyboard at a shell prompt.

system-config-mouse at a shell prompt (for example, in an XTerm or GNOME terminal). If the X Window System is not running, the text-based version of the tool is started.

/dev/ttyS0 for the mouse.
The changes are written to /etc/sysconfig/mouse, and the console mouse service, gpm, is restarted. The changes are also written to the X Window System configuration file /etc/X11/xorg.conf; however, the mouse type change is not automatically applied to the current X session. To enable the new mouse type, log out of the graphical desktop and log back in.
system-config-display at a shell prompt (for example, in an XTerm or GNOME terminal). If the X Window System is not running, a small version of X is started to run the program.



To use the User Manager, you must have the system-config-users RPM package installed. To start the User Manager from the desktop, go to (the main menu on the panel) => => . You can also type the command system-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal).

/bin/bash. The default home directory is /home/<username>/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory.
/etc/skel/ directory into the new home directory.




system-config-users). For more information on User Manager, refer to Section 32.1, “User and Group Configuration”.
useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
gpasswd — Industry-standard method of administering the /etc/group file
pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords
Command line options for useradd are detailed in Table 32.1, “useradd Command Line Options”.
useradd Command Line Options
| Option | Description |
|---|---|
| -c '<comment>' | <comment> can be replaced with any string. This option is generally used to specify the full name of a user. |
| -d <home-dir> | Home directory to be used instead of default /home/ |
| -e <date> | Date for the account to be disabled in the format YYYY-MM-DD |
| -f <days> | Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires. |
| -g <group-name> | Group name or group number for the user's default group. The group must exist prior to being specified here. |
| -G <group-list> | List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. |
| -m | Create the home directory if it does not exist. |
| -M | Do not create the home directory. |
| -n | Do not create a user private group for the user. |
| -r | Create a system account with a UID less than 500 and without a home directory |
| -p <password> | The password encrypted with crypt |
| -s | User's login shell, which defaults to /bin/bash |
| -u <uid> | User ID for the user, which must be unique and greater than 499 |
To add a group to the system, use the command groupadd:
groupadd <group-name>
Command line options for groupadd are detailed in Table 32.2, “groupadd Command Line Options”.
groupadd Command Line Options
| Option | Description |
|---|---|
| -g <gid> | Group ID for the group, which must be unique and greater than 499 |
| -r | Create a system group with a GID less than 500 |
| -f | When used with -g <gid> and <gid> already exists, groupadd will choose another unique <gid> for the group. |
To configure password expiration for a user from a shell prompt, use the chage command, followed by an option from Table 32.3, “chage Command Line Options”, followed by the username of the user.
chage command.
chage Command Line Options
| Option | Description |
|---|---|
| -m <days> | Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire. |
| -M <days> | Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account. |
| -d <days> | Specifies the number of days since January 1, 1970 the password was changed |
| -I <days> | Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires. |
| -E <date> | Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used. |
| -W <days> | Specifies the number of days before the password expiration date to warn the user. |
chage command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed.
If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked. If the password is already enabled, lock it with the command:
usermod -L username
To force immediate password expiration, type:
chage -d 0 username
Do not use the passwd command to set the password, as it disables the immediate password expiration just configured.
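The aging fields that chage -d, -M, -I and -E set, evaluated against /etc/shadow entries, as an added example that is not part of the original guide. The entries, the placeholder hash values and the day number 13600 are constructed for the demonstration; the field semantics follow the chage options described above.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: classify the password-aging
# state of /etc/shadow entries. Field layout is
# name:hash:lastchg:min:max:warn:inactive:expire:reserved, where the day
# fields count days since January 1, 1970 (the values chage -d, -M, -I, -E set).

# shadow_aging_state <shadow line> <today as days since 1970-01-01>
# Prints one of: locked-password, expired-account, must-change,
# locked-inactive, ok.
shadow_aging_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        hash = $2; lastchg = $3; max = $5; inactive = $7; expire = $8
        # "!!" (useradd without a password) or a leading "!" (usermod -L)
        if (substr(hash, 1, 1) == "!") { print "locked-password"; exit }
        # chage -E: the account is locked on and after the expiry day
        if (expire != "" && today >= expire + 0) { print "expired-account"; exit }
        # chage -d 0: last change at the epoch forces a change at next login
        if (lastchg == "0") { print "must-change"; exit }
        # chage -M: the password is valid for max days after the last change
        if (max != "" && max + 0 < 99999 && lastchg + max < today) {
            # chage -I: after max + inactive days the account is locked
            if (inactive != "" && inactive + 0 > 0 && lastchg + max + inactive < today)
                print "locked-inactive"
            else
                print "must-change"
            exit
        }
        print "ok"
    }'
}

# Constructed sample entries; the hash fields are placeholders, not real hashes.
TODAY=13600
shadow_aging_state 'juan:!!:13500:0:99999:7:::' "$TODAY"              # locked-password
shadow_aging_state 'ana:$1$placeholder:0:0:99999:7:::' "$TODAY"       # must-change
shadow_aging_state 'bob:$1$placeholder:13500:0:90:7:::' "$TODAY"      # must-change
shadow_aging_state 'cat:$1$placeholder:13400:0:90:7:30::' "$TODAY"    # locked-inactive
shadow_aging_state 'dan:$1$placeholder:13590:0:90:7::13600:' "$TODAY" # expired-account
shadow_aging_state 'eve:$1$placeholder:13590:0:90:7:::' "$TODAY"      # ok
```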
To assign an initial password, start the command line Python interpreter with the python command. It displays the following:
Python 2.4.3 (#1, Jul 21 2006, 08:46:09)
[GCC 4.1.1 20060718 (Red Hat 4.1.1-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
At the prompt, type the following command (replace <password> with the password to encrypt and <salt> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.)):
import crypt; print crypt.crypt("<password>","<salt>")
The output is the encrypted password, similar to '12CsGd8FRcMSM'.
Then, at a shell prompt, type the following command (replace <encrypted-password> with the encrypted output of the Python interpreter):
usermod -p "<encrypted-password>" <username>
Alternatively, assign a null password instead of an initial password. To do this, use the following command:
usermod -p "" username
The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled:
A new line for juan is created in /etc/passwd. The line has the following characteristics:
It begins with the username juan.
There is an x for the password field indicating that the system is using shadow passwords.
The home directory for juan is set to /home/juan/.
The default shell is set to /bin/bash.
A new line for juan is created in /etc/shadow. The line has the following characteristics:
It begins with the username juan.
Two exclamation points (!!) appear in the password field of the /etc/shadow file, which locks the account.
If a password is specified with the -p flag, it is placed in the /etc/shadow file on the new line for the user.
A new line for a group named juan is created in /etc/group. A group with the same name as a user is called a user private group. For more information on user private groups, refer to Section 32.1.1, “Adding a New User”.
The new line in /etc/group has the following characteristics:
It begins with the group name juan.
An x appears in the password field indicating that the system is using shadow group passwords.
The GID matches the one listed for user juan in /etc/passwd.
A new line for a group named juan is created in /etc/gshadow. The line has the following characteristics:
It begins with the group name juan.
An exclamation point (!) appears in the password field of the /etc/gshadow file, which locks the group.
juan is created in the /home/ directory. This directory is owned by user juan and group juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied.
/etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory.
juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
The following table lists the standard users configured in the /etc/passwd file by an Everything installation. The groupid (GID) in this table is the primary group for the user. See Section 32.4, “Standard Groups” for a listing of standard groups.
| User | UID | GID | Home Directory | Shell |
|---|---|---|---|---|
| root | 0 | 0 | /root | /bin/bash |
| bin | 1 | 1 | /bin | /sbin/nologin |
| daemon | 2 | 2 | /sbin | /sbin/nologin |
| adm | 3 | 4 | /var/adm | /sbin/nologin |
| lp | 4 | 7 | /var/spool/lpd | /sbin/nologin |
| sync | 5 | 0 | /sbin | /bin/sync |
| shutdown | 6 | 0 | /sbin | /sbin/shutdown |
| halt | 7 | 0 | /sbin | /sbin/halt |
| mail | 8 | 12 | /var/spool/mail | /sbin/nologin |
| news | 9 | 13 | /etc/news | |
| uucp | 10 | 14 | /var/spool/uucp | /sbin/nologin |
| operator | 11 | 0 | /root | /sbin/nologin |
| games | 12 | 100 | /usr/games | /sbin/nologin |
| gopher | 13 | 30 | /var/gopher | /sbin/nologin |
| ftp | 14 | 50 | /var/ftp | /sbin/nologin |
| nobody | 99 | 99 | / | /sbin/nologin |
| rpm | 37 | 37 | /var/lib/rpm | /sbin/nologin |
| vcsa | 69 | 69 | /dev | /sbin/nologin |
| dbus | 81 | 81 | / | /sbin/nologin |
| ntp | 38 | 38 | /etc/ntp | /sbin/nologin |
| canna | 39 | 39 | /var/lib/canna | /sbin/nologin |
| nscd | 28 | 28 | / | /sbin/nologin |
| rpc | 32 | 32 | / | /sbin/nologin |
| postfix | 89 | 89 | /var/spool/postfix | /sbin/nologin |
| mailman | 41 | 41 | /var/mailman | /sbin/nologin |
| named | 25 | 25 | /var/named | /bin/false |
| amanda | 33 | 6 | /var/lib/amanda/ | /bin/bash |
| postgres | 26 | 26 | /var/lib/pgsql | /bin/bash |
| exim | 93 | 93 | /var/spool/exim | /sbin/nologin |
| sshd | 74 | 74 | /var/empty/sshd | /sbin/nologin |
| rpcuser | 29 | 29 | /var/lib/nfs | /sbin/nologin |
| nfsnobody | 65534 | 65534 | /var/lib/nfs | /sbin/nologin |
| pvm | 24 | 24 | /usr/share/pvm3 | /bin/bash |
| apache | 48 | 48 | /var/www | /sbin/nologin |
| xfs | 43 | 43 | /etc/X11/fs | /sbin/nologin |
| gdm | 42 | 42 | /var/gdm | /sbin/nologin |
| htt | 100 | 101 | /usr/lib/im | /sbin/nologin |
| mysql | 27 | 27 | /var/lib/mysql | /bin/bash |
| webalizer | 67 | 67 | /var/www/usage | /sbin/nologin |
| mailnull | 47 | 47 | /var/spool/mqueue | /sbin/nologin |
| smmsp | 51 | 51 | /var/spool/mqueue | /sbin/nologin |
| squid | 23 | 23 | /var/spool/squid | /sbin/nologin |
| ldap | 55 | 55 | /var/lib/ldap | /bin/false |
| netdump | 34 | 34 | /var/crash | /bin/bash |
| pcap | 77 | 77 | /var/arpwatch | /sbin/nologin |
| radiusd | 95 | 95 | / | /bin/false |
| radvd | 75 | 75 | / | /sbin/nologin |
| quagga | 92 | 92 | /var/run/quagga | /sbin/nologin |
| wnn | 49 | 49 | /var/lib/wnn | /sbin/nologin |
| dovecot | 97 | 97 | /usr/libexec/dovecot | /sbin/nologin |
The following table lists the standard groups set up by an Everything installation in the /etc/group file.
| Group | GID | Members |
|---|---|---|
| root | 0 | root |
| bin | 1 | root, bin, daemon |
| daemon | 2 | root, bin, daemon |
| sys | 3 | root, bin, adm |
| adm | 4 | root, adm, daemon |
| tty | 5 | |
| disk | 6 | root |
| lp | 7 | daemon, lp |
| mem | 8 | |
| kmem | 9 | |
| wheel | 10 | root |
| mail | 12 | mail, postfix, exim |
| news | 13 | news |
| uucp | 14 | uucp |
| man | 15 | |
| games | 20 | |
| gopher | 30 | |
| dip | 40 | |
| ftp | 50 | |
| lock | 54 | |
| nobody | 99 | |
| users | 100 | |
| rpm | 37 | |
| utmp | 22 | |
| floppy | 19 | |
| vcsa | 69 | |
| dbus | 81 | |
| ntp | 38 | |
| canna | 39 | |
| nscd | 28 | |
| rpc | 32 | |
| postdrop | 90 | |
| postfix | 89 | |
| mailman | 41 | |
| exim | 93 | |
| named | 25 | |
| postgres | 26 | |
| sshd | 74 | |
| rpcuser | 29 | |
| nfsnobody | 65534 | |
| pvm | 24 | |
| apache | 48 | |
| xfs | 43 | |
| gdm | 42 | |
| htt | 101 | |
| mysql | 27 | |
| webalizer | 67 | |
| mailnull | 47 | |
| smmsp | 51 | |
| squid | 23 | |
| ldap | 55 | |
| netdump | 34 | |
| pcap | 77 | |
| quaggavt | 102 | |
| quagga | 92 | |
| radvd | 75 | |
| slocate | 21 | |
| wnn | 49 | |
| dovecot | 97 | |
| radiusd | 95 | |
The umask, which determines the permissions applied to newly created files and directories, is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group, so /etc/bashrc sets a umask of 002 for ordinary users whose primary group has the same name as their user name and keeps 022 for root and other accounts. The safety of that 002 umask rests on the primary group really being private: if a user's primary group is changed to a shared group such as users, every file that user creates becomes writable by the whole group.
As an example of group directories, assume that a group of people need to work on files in the /usr/share/emacs/site-lisp/ directory. Some people are trusted to modify the directory, but certainly not everyone is trusted. First create an emacs group, as in the following command:
/usr/sbin/groupadd emacs
To associate the contents of the directory with the emacs group, type:
chown -R root.emacs /usr/share/emacs/site-lisp
Now, it is possible to add users to the group with the gpasswd command:
/usr/bin/gpasswd -a <username> emacs
To allow users to create files within the directory, use the following command:
chmod 775 /usr/share/emacs/site-lisp
When a user creates a new file, it is assigned the group of the user's default private group. Next, set the setgid bit, which assigns everything created in the directory the same group permission as the directory itself (emacs). Use the following command:
chmod 2775 /usr/share/emacs/site-lisp
At this point, because every member's umask is 002 under the UPG scheme, all members of the emacs group can create and edit files in the /usr/share/emacs/site-lisp/ directory without the administrator having to change file permissions every time users write new files.
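The procedure above, carried out on a scratch directory as an added Python example (not code from the Red Hat guide). Because chown to root.emacs needs root, the caller's own primary group stands in for the hypothetical emacs group; everything else follows the chapter's recipe: chmod 2775, then create files under the UPG umask of 002 and under the traditional 022 and compare what each receives. demo_shared_directory, audit_shared_dir and create_file_with_umask are this example's own names.

```python
import os
import stat
import tempfile

# Added example, not code from the Red Hat guide. The caller's own primary
# group stands in for the hypothetical "emacs" group, since chown to another
# group needs root; the rest is the chapter's recipe (chmod 2775) followed by
# a check of what files created under umask 002 and 022 actually receive.

SHARED_DIR_MODE = 0o2775  # rwxrwsr-x: what "chmod 2775" sets


def make_shared_dir(path, gid):
    """Apply the recipe: group gid (chown root.emacs), mode 2775. Returns audit findings."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, -1, gid)          # -1 leaves the owner unchanged
    os.chmod(path, SHARED_DIR_MODE)  # chmod 2775 /usr/share/emacs/site-lisp
    return audit_shared_dir(path)


def audit_shared_dir(path):
    """Return the problems an administrator should fix on a group-shared directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if not mode & stat.S_ISGID:
        problems.append("setgid bit missing: new files get the creator's private group")
    if not mode & stat.S_IWGRP:
        problems.append("group cannot write: members cannot add files")
    if mode & stat.S_IWOTH:
        problems.append("world-writable: any local user can drop files here")
    return problems


def create_file_with_umask(dirpath, name, umask):
    """Create an empty file under the given umask; return the (gid, mode) it received."""
    target = os.path.join(dirpath, name)
    old = os.umask(umask)
    try:
        os.close(os.open(target, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666))
    finally:
        os.umask(old)
    st = os.stat(target)
    return st.st_gid, stat.S_IMODE(st.st_mode)


def demo_shared_directory():
    """Run the sequence in a scratch directory and report what happened."""
    scratch = tempfile.mkdtemp(prefix="upg-demo-")
    shared = os.path.join(scratch, "site-lisp")
    gid = os.getgid()  # assumption: stands in for the emacs group
    report = {"audit_after_setup": make_shared_dir(shared, gid)}
    # Under the UPG umask (002) the file is group-writable (664) and, because of
    # the setgid bit, owned by the directory's group rather than the creator's UPG.
    upg_gid, upg_mode = create_file_with_umask(shared, "upg.el", 0o002)
    report["file_gid_matches_dir"] = upg_gid == os.stat(shared).st_gid
    report["file_mode_umask_002"] = upg_mode
    # Under the traditional umask (022) the file is 644: group members can read
    # it but not edit it, which is exactly the "group protection" UPG makes unnecessary.
    report["file_mode_umask_022"] = create_file_with_umask(shared, "traditional.el", 0o022)[1]
    # A plain chmod 775 drops the setgid bit; the audit must catch that.
    os.chmod(shared, 0o775)
    report["audit_without_setgid"] = audit_shared_dir(shared)
    return report


if __name__ == "__main__":
    for key, value in demo_shared_directory().items():
        print(key, oct(value) if key.startswith("file_mode") else value)
```

Run it as an ordinary user; audit_shared_dir is the part worth keeping, since a later chmod 775 by a well-meaning administrator silently drops the setgid bit and breaks group inheritance without any visible error.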
In multiuser environments it is very important to use shadow passwords (provided by the shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
Shadow passwords have the following advantages over the traditional way of storing passwords on UNIX-based systems:
Password hashes are moved from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user, so an ordinary user cannot copy the hashes and attack them offline.
Password aging information is stored for each account.
The settings in the /etc/login.defs file can be used to enforce security policies.
Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work without it. The following do not work unless shadow passwords are enabled:
chage
gpasswd
/usr/sbin/usermod -e or -f options
/usr/sbin/useradd -e or -f options
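The /etc/passwd and /etc/shadow conventions described in this section and in the useradd walk-through earlier in the chapter (x in the passwd password field, !! for a locked account, aging fields in /etc/shadow, /sbin/nologin shells on system accounts) are the checks in the following audit, an added Python example rather than anything shipped with shadow-utils. The sample file contents are constructed for the example and the $1$ strings are placeholders, not real hashes; the cut-off of 500 between system and ordinary UIDs is the RHEL 4 useradd default and is stated as an assumption. Run it against real files, as root, with open('/etc/passwd').read() and open('/etc/shadow').read().

```python
# Added example, not part of shadow-utils or the Red Hat guide. Audits passwd- and
# shadow-format text for the conditions this chapter describes. Sample data is
# constructed; the $1$ strings are placeholders, not real crypt(3) hashes.

NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false", "/bin/sync", "/sbin/halt", "/sbin/shutdown"}
FIRST_USER_UID = 500  # assumption: RHEL 4 useradd gives ordinary users UIDs from 500 upward

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
juan:x:501:501::/home/juan:/bin/bash
maria:x:502:502::/home/maria:/bin/bash
legacy:$1$saltsalt$NOTAREALHASH:503:503::/home/legacy:/bin/bash
backup:x:0:0:nightly backups:/root:/bin/bash
svcacct:x:95:95::/var/lib/svcacct:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$saltsalt$NOTAREALHASH:13000:0:99999:7:::
bin:*:13000:0:99999:7:::
sshd:!!:13000:0:99999:7:::
juan:!!:13000:0:99999:7:::
maria:$1$saltsalt$NOTAREALHASH:13000:0:90:7:::
backup:$1$saltsalt$NOTAREALHASH:13000:0:99999:7:::
svcacct::13000:0:99999:7:::
"""


def parse_passwd(text):
    """Map user name -> (uid, gid, shell, password field)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
            users[name] = (int(uid), int(gid), shell, pw)
    return users


def parse_shadow(text):
    """Map user name -> (password field, max days before a change is required)."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = (fields[1], int(fields[4]) if fields[4] else None)
    return entries


def password_state(field):
    """Classify a shadow password field."""
    if field == "":
        return "empty"       # no password at all: anyone can log in as this user
    if field.startswith("!"):
        return "locked"      # useradd's "!!", or a hash prefixed with "!" by passwd -l
    if field == "*":
        return "disabled"    # never had a password; normal for system accounts
    return "hashed"


def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs for the conditions an administrator should act on."""
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, (uid, _gid, shell, pw) in users.items():
        if pw != "x":
            findings.append((name, "hash stored in world-readable /etc/passwd"))
        if uid == 0 and name != "root":
            findings.append((name, "duplicate UID 0: a second root account"))
        if uid < FIRST_USER_UID and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"system account with login shell {shell}"))
        if name not in shadow:
            if pw == "x":
                findings.append((name, "no /etc/shadow entry for a shadowed account"))
            continue
        state, maxdays = password_state(shadow[name][0]), shadow[name][1]
        if state == "empty":
            findings.append((name, "empty password field: no password required"))
        elif state == "locked" and uid >= FIRST_USER_UID:
            findings.append((name, "account locked (!!): not yet activated with passwd"))
        elif state == "hashed" and (maxdays is None or maxdays >= 99999):
            findings.append((name, "password never expires: no aging policy"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:10} {finding}")
```

A locked system account such as sshd is deliberately not reported: !! is the normal state for an account that should never log in. A locked ordinary account is reported because it is the state useradd leaves behind until passwd is run, which is either work in progress or an account that should be removed.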
man chage — A command to modify password aging policies and account expiration.
man gpasswd — A command to administer the /etc/group file.
man groupadd — A command to add groups.
man grpck — A command to verify the /etc/group file.
man groupdel — A command to remove groups.
man groupmod — A command to modify a group's name or GID.
man pwck — A command to verify the /etc/passwd and /etc/shadow files.
man pwconv — A tool to convert standard passwords to shadow passwords.
man pwunconv — A tool to convert shadow passwords to standard passwords.
man useradd — A command to add users.
man userdel — A command to remove users.
man usermod — A command to modify users.
man 5 group — The file containing group information for the system.
man 5 passwd — The file containing user information for the system.
man 5 shadow — The file containing passwords and account expiration information for the system.
To start the Printer Configuration Tool, type the command system-config-printer at a shell prompt.
When adding a Windows (SMB) printer, click the arrow beside a Workgroup to expand it. From the expanded list, select a printer. The share is written as computer name/printer share. In Figure 33.5, “Adding a SMB Printer”, the computer name is dellbox, while the printer share is r2.
The user name used to access the share is typically guest for Windows servers, or nobody for Samba servers. If the share requires a real user name and password, use a dedicated print account with no other privileges: CUPS stores the SMB user name and password in clear text in the printer's device URI in /etc/cups/printers.conf, so anyone who gains root on the print client can read them.
To view the list of print jobs in the print queue, use the command lpq. The last few lines look similar to the following:
Example 33.1. Example of lpq output
Rank   Owner/ID              Class  Job  Files       Size  Time
active user@localhost+902    A      902  sample.txt  2050  01:20:46
If you want to cancel a print job, find the job number of the request with the command lpq and then use the command lprm job number. For example, lprm 902 would cancel the print job in Example 33.1, “Example of lpq output”. You must have proper permissions to cancel a print job. You can not cancel print jobs that were started by other users unless you are logged in as root on the machine to which the printer is attached.
You can also print a file directly from a shell prompt. For example, the command lpr sample.txt prints the text file sample.txt. The print filter determines what type of file it is and converts it into a format the printer can understand.
man lpr — The manual page for the lpr command that allows you to print files from the command line.
man lprm — The manual page for the command line utility to remove print jobs from the print queue.
man mpage — The manual page for the command line utility to print multiple pages on one sheet of paper.
man cupsd — The manual page for the CUPS printer daemon.
man cupsd.conf — The manual page for the CUPS printer daemon configuration file.
man classes.conf — The manual page for the class configuration file for CUPS.
Tasks can be configured to run automatically within a specified period of time, on a specified date, or when the system load average is below a specified number. For example, the database used by the locate command is updated daily. A system administrator can use automated tasks to perform periodic backups, monitor the system, run custom scripts, and more.
Red Hat Enterprise Linux comes with several automated task utilities: cron, at, and batch.
To use cron, the vixie-cron RPM package must be installed and the crond service must be running. To determine if the package is installed, use the rpm -q vixie-cron command. To determine if the service is running, use the command /sbin/service crond status.
The main configuration file for cron, /etc/crontab, contains the following lines:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
The first four lines are variables used to configure the environment in which the cron tasks are run. The SHELL variable tells the system which shell environment to use (in this example the bash shell), while the PATH variable defines the path used to execute commands. The output of the cron tasks is emailed to the username defined with the MAILTO variable. If the MAILTO variable is defined as an empty string (MAILTO=""), email is not sent. The HOME variable can be used to set the home directory to use when executing commands or scripts. Because the run-parts entries execute as root, the /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/ directories and every script in them must be writable only by root.
Each line in the /etc/crontab file represents a task and has the following format:
minute hour day month dayofweek command
minute — any integer from 0 to 59
hour — any integer from 0 to 23
day — any integer from 1 to 31 (must be a valid day if a month is specified)
month — any integer from 1 to 12 (or the short name of the month such as jan or feb)
dayofweek — any integer from 0 to 7, where 0 or 7 represents Sunday (or the short name of the day such as sun or mon)
command — the command to execute (the command can either be a command such as ls /proc >> /tmp/proc or the command to execute a custom script)
For any of the above values, an asterisk (*) can be used to specify all valid values. For example, an asterisk for the month value means execute the command every month within the constraints of the other values.
A hyphen (-) between integers specifies a range of integers. For example, 1-4 means the integers 1, 2, 3, and 4.
A list of values separated by commas (,) specifies a list. For example, 3,4,6,8 indicates those four specific integers.
The forward slash (/) can be used to specify step values. The value of an integer can be skipped within a range by following the range with /<integer>. For example, 0-59/2 can be used to define every other minute in the minute field. Step values can also be used with an asterisk. For instance, the value */3 can be used in the month field to run the task every third month.
Any lines that begin with a hash mark (#) are comments and are not processed.
As shown in the /etc/crontab file, the run-parts script executes the scripts in the /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/ directories on an hourly, daily, weekly, or monthly basis respectively. The files in these directories should be shell scripts.
If a cron task is required to be executed on a schedule other than hourly, daily, weekly, or monthly, it can be added to the /etc/cron.d/ directory. All files in this directory use the same syntax as /etc/crontab, including the user field after the five time fields. Refer to Example 34.1, “Crontab Examples” for examples; note that the entries there are written in the user crontab format, without a user field, so a user name must be inserted before the command when they are placed in /etc/crontab or /etc/cron.d/.
Example 34.1. Crontab Examples
# record the memory usage of the system every monday
# at 3:30AM in the file /tmp/meminfo
30 3 * * mon cat /proc/meminfo >> /tmp/meminfo
# run custom script the first day of every month at 4:10AM
10 4 1 * * /root/scripts/backup.sh
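A matcher for the crontab time fields described above, as an added Python example (not code from vixie-cron or the Red Hat guide). It expands '*', ranges, comma lists, step values and the short month and weekday names, and answers whether an entry fires at a given date and time; the two entries from Example 34.1 are used as input, and a system-crontab line with a user field is handled as well. One rule the section does not mention is modelled too: when both the day and dayofweek fields are restricted, vixie-cron runs the command when either one matches.

```python
import datetime

# Added example, not code from vixie-cron or the Red Hat guide. Expands the
# five crontab time fields described above and decides whether an entry
# runs at a given date and time. Handles '*', ranges, comma lists, step
# values and the short month and weekday names; models the vixie-cron rule
# that when both day and dayofweek are restricted, either one matching is enough.

MONTH_NAMES = ["jan", "feb", "mar", "apr", "may", "jun",
               "jul", "aug", "sep", "oct", "nov", "dec"]
DAY_NAMES = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
# (field name, lowest value, highest value, names accepted in place of numbers)
FIELDS = [("minute", 0, 59, None), ("hour", 0, 23, None), ("day", 1, 31, None),
          ("month", 1, 12, MONTH_NAMES), ("dayofweek", 0, 7, DAY_NAMES)]


def _value(token, low, names):
    """One number or name -> integer (names map onto the field's range from `low`)."""
    if names and token.lower() in names:
        return low + names.index(token.lower())
    return int(token)


def parse_field(spec, low, high, names=None):
    """Expand one field ('*', '1-4', '3,4,6,8', '0-59/2', '*/3', 'mon') into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if part != "*" and "-" not in part:
                raise ValueError(f"{spec!r}: a step needs '*' or a range before the '/'")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _value(a, low, names), _value(b, low, names)
        else:
            start = end = _value(part, low, names)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"{spec!r}: {start}-{end}/{step} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_entry(line, system_crontab=False):
    """Parse one line of a user crontab, or of /etc/crontab and /etc/cron.d/*
    (system_crontab=True, which adds the user field after the time fields)."""
    nfields = 7 if system_crontab else 6
    parts = line.split(None, nfields - 1)
    if len(parts) < nfields:
        raise ValueError(f"too few fields: {line!r}")
    fields = {name: parse_field(token, low, high, names)
              for token, (name, low, high, names) in zip(parts[:5], FIELDS)}
    if 7 in fields["dayofweek"]:          # 0 and 7 both mean Sunday
        fields["dayofweek"].discard(7)
        fields["dayofweek"].add(0)
    return {
        "fields": fields,
        "both_day_fields_restricted": parts[2] != "*" and parts[4] != "*",
        "user": parts[5] if system_crontab else None,
        "command": parts[-1],
    }


def fires_at(entry, when):
    """True if the parsed entry runs at datetime `when`."""
    f = entry["fields"]
    weekday = (when.weekday() + 1) % 7          # Python counts Monday=0; cron counts Sunday=0
    day_ok, dow_ok = when.day in f["day"], weekday in f["dayofweek"]
    date_ok = (day_ok or dow_ok) if entry["both_day_fields_restricted"] else (day_ok and dow_ok)
    return when.minute in f["minute"] and when.hour in f["hour"] and when.month in f["month"] and date_ok


def runs_at(line, year, month, day, hour, minute, system_crontab=False):
    """Convenience wrapper: does this crontab line run at the given moment?"""
    return fires_at(parse_entry(line, system_crontab), datetime.datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    for line in ("30 3 * * mon cat /proc/meminfo >> /tmp/meminfo",
                 "10 4 1 * * /root/scripts/backup.sh"):
        print(line, "->", runs_at(line, 2008, 6, 2, 3, 30), runs_at(line, 2008, 7, 1, 4, 10))
```

Feeding every line of /etc/crontab, /etc/cron.d/* and /var/spool/cron/* through parse_entry is a quick way to list what runs, as whom, and when, which is the first question when an unexplained scheduled task turns up.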
Users other than root can configure cron tasks by using the crontab utility. All user-defined crontabs are stored in the /var/spool/cron/ directory and are executed using the usernames of the users that created them. To create a crontab as a user, log in as that user and type the command crontab -e to edit the user's crontab using the editor specified by the VISUAL or EDITOR environment variable. The file uses the same format as /etc/crontab, except that there is no user field: every task runs as the owner of the crontab. When the changes to the crontab are saved, the crontab is stored according to username and written to the file /var/spool/cron/username.
The cron daemon checks the /etc/crontab file, the /etc/cron.d/ directory, and the /var/spool/cron/ directory every minute for any changes. If any changes are found, they are loaded into memory. Thus, the daemon does not need to be restarted if a crontab file is changed. Those three locations are also the places to check when auditing a system for scheduled tasks that nobody remembers adding.
The /etc/cron.allow and /etc/cron.deny files are used to restrict access to cron. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The cron daemon (crond) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to add or delete a cron task.
If the file cron.allow exists, only users listed in it are allowed to use cron, and the cron.deny file is ignored.
If cron.allow does not exist, users listed in cron.deny are not allowed to use cron.
To start the cron service, use the command /sbin/service crond start. To stop the service, use the command /sbin/service crond stop. It is recommended that you start the service at boot time. Refer to Chapter 19, Controlling Access to Services for details on starting the cron service automatically at boot time.
The at command is used to schedule a one-time task at a specific time and the batch command is used to schedule a one-time task to be executed when the system's load average drops below 0.8.
To use at or batch, the at RPM package must be installed, and the atd service must be running. To determine if the package is installed, use the rpm -q at command. To determine if the service is running, use the command /sbin/service atd status.
To schedule a one-time job at a specific time, type the command at time, where time is the time to execute the command.
The argument time can be given in any of the formats documented in the /usr/share/doc/at-<version>/timespec text file.
After typing the at command with the time argument, the at> prompt is displayed. Type the command to execute, press Enter, and type Ctrl+D. Multiple commands can be specified by typing each command followed by the Enter key. After typing all the commands, press Enter to go to a blank line and type Ctrl+D. Alternatively, a shell script can be entered at the prompt, pressing Enter after each line in the script, and typing Ctrl+D on a blank line to exit. If a script is entered, the shell used is the shell set in the user's SHELL environment, the user's login shell, or /bin/sh (whichever is found first).
Use the command atq to view pending jobs. Refer to Section 34.2.3, “Viewing Pending Jobs” for more information.
Usage of the at command can be restricted. For more information, refer to Section 34.2.5, “Controlling Access to At and Batch” for details.
To execute a one-time task when the load average is below 0.8, use the batch command.
After typing the batch command, the at> prompt is displayed and is used exactly as described for at above: type the commands or the script, then press Ctrl+D on a blank line. As soon as the load average is below 0.8, the set of commands or script is executed. Pending batch jobs are listed by atq in the same way (Section 34.2.3), and usage of batch can be restricted in the same way as at (Section 34.2.5).
To view pending at and batch jobs, use the atq command. The atq command displays a list of pending jobs, with each job on a line. Each line follows the job number, date, hour, job class, and username format. Users can only view their own jobs. If the root user executes the atq command, all jobs for all users are displayed.
Command line options to at and batch include:
Table: at and batch Command Line Options
| Option | Description |
|---|---|
| -f | Read the commands or shell script from a file instead of specifying them at the prompt. |
| -m | Send email to the user when the job has been completed. |
| -v | Display the time that the job is executed. |
The /etc/at.allow and /etc/at.deny files can be used to restrict access to the at and batch commands. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The at daemon (atd) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to execute the at or batch commands.
The root user can always execute at and batch commands, regardless of the access control files.
If the file at.allow exists, only users listed in it are allowed to use at or batch, and the at.deny file is ignored.
If at.allow does not exist, users listed in at.deny are not allowed to use at or batch.
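The allow/deny precedence spelled out for cron earlier in this chapter and for at and batch here, as an added Python example (not the daemons' own code). File contents are passed in as strings, with None standing for a file that does not exist; load_acl also rejects lines containing whitespace, since the format is one bare user name per line and such a line would never match a user. What happens when neither file exists is not stated on this page: the example assumes unrestricted access, which is what a default Red Hat installation with an empty deny file gives, and root_always models the exemption for root that is documented for at and batch.

```python
# Added example, not code from vixie-cron or at. Models the access decision both
# services make from their allow/deny files. Contents are given as strings; None
# means the file does not exist. The "neither file exists" case is assumed to
# mean unrestricted access (a default install ships an empty deny file).

def load_acl(text):
    """Parse an allow/deny file. Returns (set of user names, list of rejected lines).
    A line containing whitespace is malformed for this one-name-per-line format;
    it matches nobody, so it is reported rather than silently ignored."""
    users, rejected = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "":
            continue
        if any(ch.isspace() for ch in line):
            rejected.append((lineno, line))
            continue
        users.add(line)
    return users, rejected


def access_allowed(user, allow_text, deny_text, root_always=False):
    """Precedence: an existing allow file is authoritative and the deny file is ignored;
    without an allow file, everyone not listed in the deny file may use the service;
    with neither file, access is unrestricted (assumption, see above).
    root_always models the documented at/batch rule that root is never restricted."""
    if root_always and user == "root":
        return True
    if allow_text is not None:
        return user in load_acl(allow_text)[0]
    if deny_text is not None:
        return user not in load_acl(deny_text)[0]
    return True


def explain(user, allow_text, deny_text, root_always=False):
    """One-line justification, useful when writing up how a job came to be scheduled."""
    decision = access_allowed(user, allow_text, deny_text, root_always)
    if root_always and user == "root":
        why = "root is never restricted"
    elif allow_text is not None:
        why = "allow file exists and is authoritative (deny file ignored)"
    elif deny_text is not None:
        why = "no allow file; deny file consulted"
    else:
        why = "neither file exists; unrestricted"
    return f"{user}: {'allowed' if decision else 'denied'} ({why})"


if __name__ == "__main__":
    # Constructed file contents for the example.
    print(explain("juan", "juan\nmaria\n", "juan\n"))
    print(explain("pedro", None, "pedro\n"))
    print(explain("root", "juan\n", None, root_always=True))
```

The practical consequence of the precedence rule is worth remembering during a review: a carefully maintained cron.deny or at.deny does nothing at all once someone creates the corresponding allow file.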
To start the at service, use the command /sbin/service atd start. To stop the service, use the command /sbin/service atd stop. It is recommended that you start the service at boot time. Refer to Chapter 19, Controlling Access to Services for details on starting the atd service automatically at boot time.
cron man page — overview of cron.
crontab man pages in sections 1 and 5 — The man page in section 1 contains an overview of the crontab command. The man page in section 5 contains the format for the file and some example entries.
/usr/share/doc/at-<version>/timespec contains more detailed information about the times that can be specified for at jobs.
at man page — description of at and batch and their command line options.
Some log files are controlled by a daemon called syslogd. A list of log messages maintained by syslogd can be found in the /etc/syslog.conf configuration file.
Most log files are located in the /var/log/ directory. Some applications such as httpd and samba have a directory within /var/log/ for their log files.
The logrotate package contains a cron task that automatically rotates log files according to the /etc/logrotate.conf configuration file and the configuration files in the /etc/logrotate.d/ directory. By default, it is configured to rotate every week and keep four weeks worth of previous log files. Four weeks is often shorter than the time between a compromise and its discovery; raise the rotate count in /etc/logrotate.conf, or forward messages to a central log host, if the logs may be needed for an investigation.
Log files can be viewed with a text editor such as Vi or Emacs. Some log files are readable by all users on the system; however, root privileges are required to read most log files.
To start the Log Viewer application, type system-logviewer at a shell prompt.
Red Hat Enterprise Linux kernels are packaged in RPM format so that they are easy to upgrade and verify using the up2date command. The Red Hat User Agent automatically queries the Red Hat Network servers and determines which packages need to be updated on your machine, including the kernel. This chapter is only useful for those individuals that require manual updating of kernel packages, without using the up2date command.
Use of up2date is highly recommended by Red Hat for installing upgraded kernels.
For more information on up2date, refer to Chapter 16, Red Hat Network.
Red Hat Enterprise Linux contains the following kernel packages (there might be more depending on the system's architecture):
kernel — Contains the kernel and its modules. On x86 systems it supports up to 4 GB of RAM; use the kernel-hugemem package for x86 systems with over 4 GB of RAM.
kernel-devel — Contains the kernel headers and makefiles sufficient to build modules against the kernel package.
kernel-hugemem — (only for i686 systems) In addition to the options enabled for the kernel package, it supports more than 4 GB of RAM. kernel-hugemem is required for memory configurations higher than 16 GB.
kernel-hugemem-devel — Contains the kernel headers and makefiles sufficient to build modules against the kernel-hugemem package.
kernel-smp — Contains the kernel for multi-processor systems.
kernel-smp-devel — Contains the kernel headers and makefiles sufficient to build modules against the kernel-smp package.
kernel-utils — Contains utilities that can be used to control the kernel or system hardware.
kernel-doc — Contains documentation files from the kernel source. Various portions of the Linux kernel and the device drivers shipped with it are documented in these files. Installation of this package provides a reference to the options that can be passed to Linux kernel modules at load time.
By default, these files are placed in the /usr/share/doc/kernel-doc-<version>/ directory.
The kernel-source package has been removed and replaced with an RPM that can only be retrieved from Red Hat Network. This *.src.rpm must then be rebuilt locally using the rpmbuild command. Refer to the latest distribution Release Notes, including all updates, at https://www.redhat.com/docs/manuals/enterprise/ for more information on obtaining and installing the kernel source package.
Before upgrading the kernel, make sure working boot media exists for the system in case a problem occurs. If the boot loader is not configured properly to boot the new kernel, the system cannot be booted into Red Hat Enterprise Linux without working boot media. To create a boot diskette, log in as root and, at a shell prompt, type:
/sbin/mkbootdisk `uname -r`
Refer to the mkbootdisk man page for more options. Creating bootable media via CD-Rs, CD-RWs, and USB flash drives is also supported, given the system BIOS also supports it. Reboot the machine with the boot media and verify that it works before continuing.
To determine which kernel packages are installed, execute the command rpm -qa | grep kernel at a shell prompt. The output contains some or all of the following packages, depending on the system's architecture (the version numbers and packages may differ):
kernel-2.6.9-5.EL
kernel-devel-2.6.9-5.EL
kernel-utils-2.6.9-5.EL
kernel-doc-2.6.9-5.EL
kernel-smp-2.6.9-5.EL
kernel-smp-devel-2.6.9-5.EL
kernel-hugemem-devel-2.6.9-5.EL
From the output, determine which packages need to be downloaded for the kernel upgrade. For a single processor system, the only required package is the kernel package. Refer to Section 36.1, “Overview of Kernel Packages” for descriptions of the different packages.
In the file name, each kernel package contains the architecture for which the package was built. The format is kernel-<variant>-<version>.<arch>.rpm, where <variant> is smp, utils, or so forth. The <arch> is one of the following:
x86_64 for the AMD64 architecture
ia64 for the Intel® Itanium™ architecture
ppc64 for the IBM® eServer™ pSeries™ architecture
ppc64iseries for the IBM® eServer™ iSeries™ architecture
s390 for the IBM® S/390® architecture
s390x for the IBM® eServer™ zSeries® architecture
i686 for Intel® Pentium® II, Intel® Pentium® III, Intel® Pentium® 4, AMD Athlon®, and AMD Duron® systems
Kernel security and bug fix updates are published as errata. Check http://www.redhat.com/apps/support/errata/ for the latest kernel errata and http://www.redhat.com/apps/support/errata/rhlas_errata_policy.html for the errata policy; the packages themselves can be downloaded from Red Hat Network. Verify the signature of every downloaded package with rpm --checksig before installing it, so that only packages signed with the Red Hat GPG key reach the system.
It is strongly recommended that you keep the old kernel in case there are problems with the new one. At a shell prompt, change to the directory that contains the kernel RPM packages and use the -i argument with the rpm command to keep the old kernel. Do not use the -U option, since it overwrites the currently installed kernel, which creates boot loader problems. Issue the following command (the kernel version may vary):
rpm -ivh kernel-2.6.9-5.EL.<arch>.rpm
If the system is multi-processor, install the kernel-smp packages as well (the kernel version may vary):
rpm -ivh kernel-smp-2.6.9-5.EL.<arch>.rpm
If the system is i686-based and contains more than 4 GB of RAM, install the kernel-hugemem package built for the i686 architecture as well (the kernel version might vary):
rpm -ivh kernel-hugemem-2.6.9-5.EL.i686.rpm
If the system uses the ext3 file system, a SCSI controller, or labels to reference partitions in /etc/fstab, an initial RAM disk is needed. The initial RAM disk allows a modular kernel to have access to modules that it might need to boot from before the kernel has access to the device where the modules normally reside.
On Red Hat Enterprise Linux, the initial RAM disk can be created with the mkinitrd command. However, this step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat, Inc; thus, it does not need to be executed manually. To verify that it was created, use the command ls -l /boot to make sure the initrd-<version>.img file was created (the version should match the version of the kernel just installed).
On iSeries systems, the initial RAM disk file and the vmlinux file are combined into one file, which is created with the addRamDisk command. This step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat, Inc; thus, it does not need to be executed manually. To verify that it was created, use the command ls -l /boot to make sure the /boot/vmlinitrd-<kernel-version> file was created (the version should match the version of the kernel just installed).
Now that the kernel and its associated packages are installed, the boot loader must be configured to boot the new kernel. The kernel RPM package configures the boot loader to boot the newly installed kernel (except for IBM eServer iSeries systems). However, it does not configure the boot loader to boot the new kernel by default.
It is always a good idea to confirm that the boot loader has been configured correctly. If the boot loader is configured incorrectly, the system will not boot into Red Hat Enterprise Linux properly; if this happens, boot from the media created earlier and correct the configuration.
On x86 systems GRUB is the boot loader. Confirm that the file /boot/grub/grub.conf contains a title section with the same version as the kernel package just installed (if the kernel-smp or kernel-hugemem package was installed, a section exists for it as well):
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hda2
# initrd /initrd-version.img
#boot=/dev/hda
default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=LABEL=/
initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-1.906_EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-1.906_EL ro root=LABEL=/
initrd /initrd-2.6.9-1.906_EL.img
Notice that the header of the file states that a separate /boot/ partition was created, so the paths to the kernel and initrd image are relative to /boot/.
To configure GRUB to boot the new kernel by default, change the value of the default variable to the title section number for the title section that contains the new kernel. The count starts with 0. For example, if the new kernel is the first title section, set default to 0. In the configuration above, default=1 still selects the old 2.6.9-1.906_EL kernel; set it to 0 to boot 2.6.9-5.EL.
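A check of grub.conf before rebooting, as an added Python example (not a Red Hat or GRUB tool): parse the title sections, report which one default selects, confirm that each initrd matches its kernel version, list any kernel or initrd file that is missing from /boot, and rewrite default to the section that boots a given version. GRUB_CONF_SAMPLE is the listing from this chapter; missing_boot_files resolves the paths relative to a /boot directory of your choosing, as the note above about a separate /boot/ partition requires; the function names are the example's own.

```python
import os
import re

# Added example, not a Red Hat or GRUB tool. Parses grub.conf, reports which
# title section "default" selects, checks that each initrd matches its kernel
# version, and rewrites "default" to the section booting a given version.
# GRUB_CONF_SAMPLE is the listing shown above; the helper names are the example's own.

GRUB_CONF_SAMPLE = """\
default=1
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux (2.6.9-5.EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-5.EL ro root=LABEL=/
        initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-1.906_EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-1.906_EL ro root=LABEL=/
        initrd /initrd-2.6.9-1.906_EL.img
"""


def parse_grub_conf(text):
    """Return (global settings, list of title sections). Each section is a dict with
    title, kernel path, kernel_args, initrd path and the kernel version parsed from the path."""
    settings, sections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comments, like the header block in the file
        if line.startswith("title "):
            sections.append({"title": line[6:].strip(), "kernel": None, "kernel_args": "", "initrd": None})
        elif sections:                                # a line inside the current title section
            key, _, value = line.partition(" ")
            if key == "kernel":
                sections[-1]["kernel"], _, sections[-1]["kernel_args"] = value.strip().partition(" ")
            elif key == "initrd":
                sections[-1]["initrd"] = value.strip()
        else:                                         # global key=value before the first title
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    for s in sections:
        match = re.search(r"vmlinuz-(\S+)", s["kernel"] or "")
        s["version"] = match.group(1) if match else None
    return settings, sections


def default_section(text):
    """The title section GRUB boots when the timeout expires (the count starts at 0)."""
    settings, sections = parse_grub_conf(text)
    index = int(settings.get("default", "0"))
    if index >= len(sections):
        raise ValueError(f"default={index} but only {len(sections)} title sections exist")
    return sections[index]


def check_sections(text):
    """Flag sections with no initrd, or an initrd whose version differs from the kernel's."""
    problems = []
    for s in parse_grub_conf(text)[1]:
        if s["initrd"] is None:
            problems.append((s["title"], "no initrd line"))
        elif s["version"] and s["version"] not in s["initrd"]:
            problems.append((s["title"], f"initrd {s['initrd']} does not match kernel {s['version']}"))
    return problems


def missing_boot_files(text, boot_dir="/boot"):
    """Kernel and initrd paths (relative to the /boot partition) that do not exist under boot_dir."""
    missing = []
    for s in parse_grub_conf(text)[1]:
        for path in (s["kernel"], s["initrd"]):
            if path and not os.path.exists(os.path.join(boot_dir, path.lstrip("/"))):
                missing.append(path)
    return missing


def set_default_to_version(text, version):
    """Return the configuration text with "default" pointing at the section that boots `version`."""
    for index, s in enumerate(parse_grub_conf(text)[1]):
        if s["version"] == version:
            new_text, count = re.subn(r"(?m)^default=\d+$", f"default={index}", text, count=1)
            return new_text if count else f"default={index}\n{text}"
    raise ValueError(f"no title section boots kernel {version}")


if __name__ == "__main__":
    print("default boots:", default_section(GRUB_CONF_SAMPLE)["title"])
    print("problems:", check_sections(GRUB_CONF_SAMPLE))
    print(set_default_to_version(GRUB_CONF_SAMPLE, "2.6.9-5.EL").splitlines()[0])
```

On a system without a separate /boot partition the paths in grub.conf are absolute, so call missing_boot_files with boot_dir="/" there.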
Itanium systems use ELILO as the boot loader, which uses /boot/efi/EFI/redhat/elilo.conf as the configuration file. Confirm that this file contains an image section with the same version as the kernel package just installed:
prompt
timeout=50
default=old
image=vmlinuz-2.6.9-5.EL
label=linux
initrd=initrd-2.6.9-5.EL.img
read-only
append="root=LABEL=/"
image=vmlinuz-2.6.9-1.906_EL
label=old
initrd=initrd-2.6.9-1.906_EL.img
read-only
append="root=LABEL=/"
To configure ELILO to boot the new kernel, change the value of the default variable to the value of the label for the image section that contains the new kernel. In the file above, default=old still boots the previous kernel; set it to linux.
IBM S/390 and IBM eServer zSeries systems use z/IPL as the boot loader, which uses /etc/zipl.conf as the configuration file. Confirm that the file contains a section with the same version as the kernel package just installed:
[defaultboot]
default=old
target=/boot/
[linux]
image=/boot/vmlinuz-2.6.9-5.EL
ramdisk=/boot/initrd-2.6.9-5.EL.img
parameters="root=LABEL=/"
[old]
image=/boot/vmlinuz-2.6.9-1.906_EL
ramdisk=/boot/initrd-2.6.9-1.906_EL.img
parameters="root=LABEL=/"
To configure z/IPL to boot the new kernel by default, change the value of the default variable to the name of the section that contains the new kernel. The first line of each section contains the name in brackets. After modifying the configuration file, run the following command to enable the changes:
/sbin/zipl
On iSeries systems, the /boot/vmlinitrd-<kernel-version> file is installed when you upgrade the kernel. However, you must use the dd command to configure the system to boot the new kernel:
Issue the command cat /proc/iSeries/mf/side to determine the default side (either A, B, or C).
Issue the following command, where <kernel-version> is the version of the new kernel and <side> is the side from the previous command:
dd if=/boot/vmlinitrd-<kernel-version> of=/proc/iSeries/mf/<side>/vmlinux bs=8k
IBM eServer pSeries systems use YABOOT as the boot loader, which uses /etc/yaboot.conf as the configuration file. Confirm that the file contains an image section with the same version as the kernel package just installed:
boot=/dev/sda1
init-message=Welcome to Red Hat Enterprise Linux!
Hit <TAB> for boot options
partition=2
timeout=30
install=/usr/lib/yaboot/yaboot
delay=10
nonvram
image=/vmlinux-2.6.9-1.906_EL
label=old
read-only
initrd=/initrd-2.6.9-1.906_EL.img
append="root=LABEL=/"
image=/vmlinux-2.6.9-5.EL
label=linux
read-only
initrd=/initrd-2.6.9-5.EL.img
append="root=LABEL=/"
To configure YABOOT to boot the new kernel by default, change the value of default and set it to the label of the image stanza that contains the new kernel; in the file above that is the stanza labeled linux.
Kernel modules are loaded on demand, and the aliases and options the module loader uses are configured in /etc/modprobe.conf.
Video card drivers are part of the xorg-X11 packages, not the kernel; thus, this chapter does not apply to them.
For example, if a system includes a network card that uses the tulip driver, /etc/modprobe.conf contains the line:
alias eth0 tulip
If a second, identical card is added to the system, add the following line to /etc/modprobe.conf:
alias eth1 tulip
The commands in this section are provided by the module-init-tools package. Use these commands to determine if a module has been loaded successfully or when trying different modules for a piece of new hardware.
The command /sbin/lsmod displays a list of currently loaded modules. For example:
Module                  Size  Used by
nfs                   218437  1
lockd                  63977  2 nfs
parport_pc             24705  1
lp                     12077  0
parport                37129  2 parport_pc,lp
autofs4                23237  2
i2c_dev                11329  0
i2c_core               22081  1 i2c_dev
sunrpc                157093  5 nfs,lockd
button                  6481  0
battery                 8901  0
ac                      4805  0
md5                     4033  1
ipv6                  232833  16
ohci_hcd               21713  0
e100                   39493  0
mii                     4673  1 e100
floppy                 58481  0
sg                     33377  0
dm_snapshot            17029  0
dm_zero                 2369  0
dm_mirror              22957  2
ext3                  116809  2
jbd                    71257  1 ext3
dm_mod                 54741  6 dm_snapshot,dm_zero,dm_mirror
ips                    46173  2
aic7xxx               148121  0
sd_mod                 17217  3
scsi_mod              121421  4 sg,ips,aic7xxx,sd_mod
For each line, the first column is the name of the module, the second column is the size of the module, the third column is the use count, and the fourth column lists the modules that depend on it. The /sbin/lsmod output is less verbose and easier to read than the output from viewing /proc/modules.
To load a kernel module, use the /sbin/modprobe command followed by the kernel module name. By default, modprobe attempts to load the module from the /lib/modules/<kernel-version>/kernel/drivers/ subdirectories. There is a subdirectory for each type of module, such as the net/ subdirectory for network interface drivers. Some kernel modules have module dependencies, meaning that other modules must be loaded first for it to load. The /sbin/modprobe command checks for these dependencies and loads the module dependencies before loading the specified module.
For example, to load the e100 module, type:
/sbin/modprobe e100
To print to the screen all commands as /sbin/modprobe executes them, use the -v option. For example:
/sbin/modprobe -v e100
Output similar to the following is displayed:
/sbin/insmod /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko
Using /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko
Symbol version prefix 'smp_'
The /sbin/insmod command also exists to load kernel modules; however, it does not resolve dependencies. Thus, it is recommended that the /sbin/modprobe command be used.
To unload kernel modules, use the /sbin/rmmod command followed by the module name. The rmmod utility only unloads modules that are not in use and that are not a dependency of other modules in use.
For example, to unload the e100 kernel module, type:
/sbin/rmmod e100
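The lsmod listing earlier in this section as data, in an added Python example (not part of module-init-tools): parse the Module, Size and Used by columns into a dependency graph, derive the order in which modules must be removed before rmmod can unload a given one, and flag modules whose use count is higher than the number of modules depending on them. Those are held by something other than another module (a mounted file system, an open device node, a configured network interface) and rmmod refuses them regardless, which is the usual reason an unload "fails" with no module listed in the Used by column. LSMOD_SAMPLE is a subset of that listing.

```python
# Added example, not part of module-init-tools or the Red Hat guide. Parses
# lsmod output into the module dependency graph, derives the order in which
# modules must be removed before rmmod can unload a given one, and flags
# modules held by something other than another module. LSMOD_SAMPLE is a
# subset of the lsmod listing shown above.

LSMOD_SAMPLE = """\
Module                  Size  Used by
nfs                   218437  1
lockd                  63977  2 nfs
sunrpc                157093  5 nfs,lockd
e100                   39493  0
mii                     4673  1 e100
ext3                  116809  2
jbd                    71257  1 ext3
dm_snapshot            17029  0
dm_zero                 2369  0
dm_mirror              22957  2
dm_mod                 54741  6 dm_snapshot,dm_zero,dm_mirror
sg                     33377  0
ips                    46173  2
aic7xxx               148121  0
sd_mod                 17217  3
scsi_mod              121421  4 sg,ips,aic7xxx,sd_mod
"""


def parse_lsmod(text):
    """Map module name -> (size, use count, list of modules that use it)."""
    modules = {}
    for line in text.splitlines()[1:]:             # first line is the column header
        parts = line.split()
        if len(parts) < 3:
            continue
        users = parts[3].split(",") if len(parts) > 3 else []
        modules[parts[0]] = (int(parts[1]), int(parts[2]), users)
    return modules


def unload_order(modules, target):
    """Modules to pass to rmmod, in order, so that `target` is finally not in use
    by any other module: a depth-first walk of the 'Used by' column, dependents first."""
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for dependent in modules.get(name, (0, 0, []))[2]:
            visit(dependent)
        order.append(name)

    visit(target)
    return order


def still_busy(modules, target):
    """Modules on the unload path whose use count exceeds the number of listed dependents.
    Those references come from outside the module graph (a mounted file system, an open
    device node, a configured network interface) and rmmod refuses such modules even
    after every dependent module is gone."""
    return [name for name in unload_order(modules, target)
            if modules.get(name, (0, 0, []))[1] > len(modules.get(name, (0, 0, []))[2])]


if __name__ == "__main__":
    mods = parse_lsmod(LSMOD_SAMPLE)
    for target in ("scsi_mod", "mii", "dm_mod"):
        print(target, "unload order:", unload_order(mods, target), "busy:", still_busy(mods, target))
```

In the sample, scsi_mod can only go after sg, ips, aic7xxx and sd_mod, and ips and sd_mod are busy for reasons lsmod cannot name (disks in use), so the unload would stop there; mii, by contrast, unloads cleanly once e100 is gone. The same parse is a convenient way to diff lsmod output from a known-good baseline when an unexpected module turns up.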
Another useful kernel module utility is modinfo. Use the command /sbin/modinfo to display information about a kernel module. The general syntax is:
/sbin/modinfo [options] <module>
Options include -d, which displays a brief description of the module, and -p, which lists the parameters the module supports. For a complete list of options, refer to the modinfo man page (man modinfo).
The majority of modules are loaded automatically at boot time from the settings in the /etc/modprobe.conf file. However, it is sometimes necessary to explicitly force the loading of a module at boot time.
Red Hat Enterprise Linux checks for the existence of the /etc/rc.modules file at boot time, which contains various commands to load modules. The rc.modules should be used, and not rc.local, because rc.modules is executed earlier in the boot process.
For example, the following commands configure loading of the foo module at boot time (as root):
# echo modprobe foo >> /etc/rc.modules
# chmod +x /etc/rc.modules
Both files run as root during boot, and modprobe executes any install or remove command found in /etc/modprobe.conf as root, so keep both files owned by root and writable only by root, and treat an alias, install line or rc.modules entry that nobody can account for as something to investigate.
lsmod man page — description and explanation of its output.
insmod man page — description and list of command line options.
modprobe man page — description and list of command line options.
rmmod man page — description and list of command line options.
modinfo man page — description and list of command line options.
/usr/share/doc/kernel-doc-<version>/Documentation/kbuild/modules.txt — how to compile and use kernel modules.
Several system utilities use the /bin/mail command to send email containing log messages to the root user of the local system, so a Mail Transport Agent (MTA) must be available even on a machine that does not otherwise handle mail.
By default, sendmail is the default MTA. The Mail Transport Agent Switcher allows for the selection of either sendmail, postfix, or exim as the default MTA for the system.
The system-switch-mail RPM package must be installed to use the text-based version of the Mail Transport Agent Switcher program. If you want to use the graphical version, the system-switch-mail-gnome package must also be installed.
To start the Mail Transport Agent Switcher, type system-switch-mail at a shell prompt (for example, in an XTerm or GNOME terminal).
The text-based version can be started directly with the command system-switch-mail-nox.
The ps ax command displays a list of current system processes, including processes owned by other users. To display the owner alongside each process, use the ps aux command. This list is a static list; in other words, it is a snapshot of what was running when you invoked the command. If you want a constantly updated list of running processes, use top as described below.
The ps output can be long. To prevent it from scrolling off the screen, you can pipe it through less:
ps aux | less
You can use the ps command in combination with the grep command to see if a process is running. For example, to determine if Emacs is running, use the following command:
ps ax | grep emacs
The top command displays currently running processes and important information about them including their memory and CPU usage. The list is both real-time and interactive. An example of output from the top command is provided as follows:
top - 15:02:46 up 35 min, 4 users, load average: 0.17, 0.65, 1.00
Tasks: 110 total, 1 running, 107 sleeping, 0 stopped, 2 zombie
Cpu(s): 41.1% us, 2.0% sy, 0.0% ni, 56.6% id, 0.0% wa, 0.3% hi, 0.0% si
Mem: 775024k total, 772028k used, 2996k free, 68468k buffers
Swap: 1048568k total, 176k used, 1048392k free, 441172k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4624 root 15 0 40192 18m 7228 S 28.4 2.4 1:23.21 X
4926 mhideo 15 0 55564 33m 9784 S 13.5 4.4 0:25.96 gnome-terminal
6475 mhideo 16 0 3612 968 760 R 0.7 0.1 0:00.11 top
4920 mhideo 15 0 20872 10m 7808 S 0.3 1.4 0:01.61 wnck-applet
1 root 16 0 1732 548 472 S 0.0 0.1 0:00.23 init
2 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.03 events/0
4 root 6 -10 0 0 0 S 0.0 0.0 0:00.02 khelper
5 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kacpid
29 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
47 root 16 0 0 0 0 S 0.0 0.0 0:01.74 pdflush
50 root 11 -10 0 0 0 S 0.0 0.0 0:00.00 aio/0
30 root 15 0 0 0 0 S 0.0 0.0 0:00.05 khubd
49 root 16 0 0 0 0 S 0.0 0.0 0:01.44 kswapd0
To exit top, press the q key.
The table “Interactive top commands” below contains useful interactive commands that you can use with top. For more information, refer to the top(1) manual page.
Interactive top commands
| Command | Description |
|---|---|
| Space | Immediately refresh the display |
| h | Display a help screen |
| k | Kill a process. You are prompted for the process ID and the signal to send to it. |
| n | Change the number of processes displayed. You are prompted to enter the number. |
| u | Sort by user. |
| M | Sort by memory usage. |
| P | Sort by CPU usage. |
If you prefer a graphical interface for top, you can use the GNOME System Monitor. To start it from the desktop, select it from the desktop menu or type gnome-system-monitor at a shell prompt (such as an XTerm). Select the Process Listing tab.
The free command displays the total amount of physical memory and swap space for the system as well as the amount of memory that is used, free, shared, in kernel buffers, and cached.
total used free shared buffers cached
Mem: 645712 549720 95992 0 176248 224452
-/+ buffers/cache: 149020 496692
Swap: 1310712 0 1310712
The command free -m shows the same information in megabytes, which are easier to read.
total used free shared buffers cached
Mem: 630 536 93 0 172 219
-/+ buffers/cache: 145 485
Swap: 1279 0 1279
If you prefer a graphical interface for free, you can use the GNOME System Monitor. To start it from the desktop, select it from the desktop menu or type gnome-system-monitor at a shell prompt (such as an XTerm). Click on the Resources tab.
The df command reports the system's disk space usage. If you type the command df at a shell prompt, the output looks similar to the following:
Filesystem                      1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00  11675568   6272120   4810348  57% /
/dev/sda1                          100691      9281     86211  10% /boot
none                               322856         0    322856   0% /dev/shm
df -h. The -h argument stands for human-readable format. The output looks similar to the following:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
12G 6.0G 4.6G 57% / /dev/sda1
99M 9.1M 85M 10% /boot
none 316M 0 316M 0% /dev/shm
/dev/shm. This entry represents the system's virtual memory file system.
The du command displays the estimated amount of space being used by files in a directory. If you type du at a shell prompt, the disk usage for each of the subdirectories is displayed in a list. The grand total for the current directory and its subdirectories is also shown as the last line in the list. If you do not want to see the totals for all the subdirectories, use the command du -hs to see only the grand total for the directory in human-readable format. Use the du --help command to see more options.
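One pitfall is visible in the df listing above: a long device name such as /dev/mapper/VolGroup00-LogVol00 is printed on a line of its own, which breaks any script that parses df line by line. The following shell function is an added example, not part of the original guide: it reads the POSIX output format (df -P, which never wraps a line) and reports every file system at or above a usage threshold, so it can drive a cron alert before a full disk turns into an outage or a lost audit log. The df sample it runs on is constructed from the figures above, not captured from a live system.

```shell
#!/bin/sh
# Added example (not from the original guide): flag file systems that are
# nearly full. Reads POSIX-format df output (df -P) on stdin. The -P flag
# matters: plain df wraps a long device name such as
# /dev/mapper/VolGroup00-LogVol00 onto its own line, which breaks
# line-by-line parsing; -P keeps every file system on one line.
# Usage: df -P | check_df_usage <threshold-percent>
# Exit status is 0 when at least one file system is at or above the
# threshold (so the function can drive a cron alert), 1 otherwise.
check_df_usage() {
    awk -v limit="${1:-90}" '
        NR == 1 { next }                     # header line
        NF < 6  { next }                     # ignore anything malformed
        {
            pct = $5; sub(/%$/, "", pct)     # "57%" -> 57
            # mount point is field 6 onward (it may contain spaces)
            mnt = $6; for (i = 7; i <= NF; i++) mnt = mnt " " $i
            if (pct + 0 >= limit + 0) { printf "%s %s%%\n", mnt, pct; hits++ }
        }
        END { exit hits ? 0 : 1 }'
}

# Constructed sample in df -P layout, using the figures from the df listing
# in the text; it is not output captured from a real system.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/VolGroup00-LogVol00 11675568 6272120 4810348 57% /
/dev/sda1 100691 9281 86211 10% /boot
none 322856 0 322856 0% /dev/shm'

# Report anything at or above 50% in the sample; on a live system use:
#   df -P | check_df_usage 80
printf '%s\n' "$SAMPLE_DF" | check_df_usage 50
```

The threshold defaults to 90 when no argument is given; /dev/shm is deliberately not filtered out, because a tmpfs filling up is just as capable of wedging a service as a real partition.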
To view the system's partitions graphically, use the GNOME System Monitor: type gnome-system-monitor at a shell prompt (such as an XTerm). Select the File Systems tab to view the system's partitions. The figure below illustrates the File Systems tab.

The Hardware Browser application can be used to display the hardware in the system. To start it, type hwbrowser at a shell prompt. As shown in Figure 39.4, “Hardware Browser”, it displays your CD-ROM devices, diskette drives, hard drives and their partitions, network devices, pointing devices, system devices, and video cards. Click on the category name in the left menu, and the information is displayed.

The Device Manager application can also be used to list hardware. To start it, type hal-device-manager at a shell prompt. Depending on your installation preferences, the graphical menu above may start this application or the Hardware Browser when clicked. The figure below illustrates the Device Manager window.

Use the lspci command to list all PCI devices. Use the command lspci -v for more verbose information or lspci -vv for very verbose output.
For example, lspci can be used to determine the manufacturer, model, and memory size of a system's video card:
00:00.0 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06)
00:00.1 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06)
00:01.0 VGA compatible controller: S3 Inc. Savage 4 (rev 04)
00:02.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 08)
00:0f.0 ISA bridge: ServerWorks OSB4 South Bridge (rev 50)
00:0f.1 IDE interface: ServerWorks OSB4 IDE Controller
00:0f.2 USB Controller: ServerWorks OSB4/CSB5 OHCI USB Controller (rev 04)
01:03.0 SCSI storage controller: Adaptec AIC-7892P U160/m (rev 02)
01:05.0 RAID bus controller: IBM ServeRAID Controller
lspci is also useful to determine the network card in your system if you do not know the manufacturer or model number.
ps --help — Displays a list of options that can be used with ps.
top manual page — Type man top to learn more about top and its many options.
free manual page — Type man free to learn more about free and its many options.
df manual page — Type man df to learn more about the df command and its many options.
du manual page — Type man du to learn more about the du command and its many options.
lspci manual page — Type man lspci to learn more about the lspci command and its many options.
The oprofile RPM package must be installed to use this tool.
Samples for shared libraries are not attributed to the particular application unless the --separate=library option is used.
opreport does not associate samples for inline functions properly: opreport uses a simple address range mechanism to determine which function an address is in. Inline function samples are not attributed to the inline function but rather to the function the inline function was inserted into.
Samples accumulate across runs. Run opcontrol --reset to clear out the samples from previous runs before starting a new profiling session.
The following table provides a brief overview of the tools provided with the oprofile package.
| Command | Description |
|---|---|
| op_help | Displays available events for the system's processor along with a brief description of each. |
| op_import | Converts sample database files from a foreign binary format to the native format for the system. Only use this option when analyzing a sample database from a different architecture. |
| opannotate | Creates annotated source for an executable if the application was compiled with debugging symbols. Refer to Section 40.5.3, “Using opannotate” for details. |
| opcontrol | Configures what data is collected. Refer to Section 40.2, “Configuring OProfile” for details. |
| opreport | Retrieves profile data. Refer to Section 40.5.1, “Using opreport” for details. |
| oprofiled | Runs as a daemon to periodically write sample data to disk. |
Use the opcontrol utility to configure OProfile. As the opcontrol commands are executed, the setup options are saved to the /root/.oprofile/daemonrc file.
To monitor the kernel, execute the following command as root:
opcontrol --setup --vmlinux=/usr/lib/debug/lib/modules/`uname -r`/vmlinux
The debuginfo package must be installed (which contains the uncompressed kernel) in order to monitor the kernel.
To configure OProfile not to monitor the kernel, execute the following command as root:
opcontrol --setup --no-vmlinux
This command also loads the oprofile kernel module, if it is not already loaded, and creates the /dev/oprofile/ directory, if it does not already exist. Refer to Section 40.6, “Understanding /dev/oprofile/” for details about this directory.
Even if OProfile is configured not to profile the kernel, the running kernel must still provide the oprofile module so that it can be loaded.
Most processors contain counters, which are used by OProfile to monitor specific events. As shown in the following table, the number of counters available depends on the processor.
| Processor | cpu_type | Number of Counters |
|---|---|---|
| Pentium Pro | i386/ppro | 2 |
| Pentium II | i386/pii | 2 |
| Pentium III | i386/piii | 2 |
| Pentium 4 (non-hyper-threaded) | i386/p4 | 8 |
| Pentium 4 (hyper-threaded) | i386/p4-ht | 4 |
| Athlon | i386/athlon | 4 |
| AMD64 | x86-64/hammer | 4 |
| Itanium | ia64/itanium | 4 |
| Itanium 2 | ia64/itanium2 | 4 |
| TIMER_INT | timer | 1 |
| IBM eServer iSeries and pSeries | timer | 1 |
| IBM eServer iSeries and pSeries | ppc64/power4 | 8 |
| IBM eServer iSeries and pSeries | ppc64/power5 | 6 |
| IBM eServer iSeries and pSeries | ppc64/970 | 8 |
| IBM eServer S/390 and S/390x | timer | 1 |
| IBM eServer zSeries | timer | 1 |
The timer cpu_type is used if the processor does not have supported performance monitoring hardware.
If timer is used, events cannot be set for any processor because the hardware does not have support for hardware performance counters. Instead, the timer interrupt is used for profiling.
If timer is not used as the processor type, the events monitored can be changed, and counter 0 for the processor is set to a time-based event by default. If more than one counter exists on the processor, the counters other than counter 0 are not set to an event by default. The default events monitored are shown in Table 40.3, “Default Events”.
| Processor | Default Event for Counter | Description |
|---|---|---|
| Pentium Pro, Pentium II, Pentium III, Athlon, AMD64 | CPU_CLK_UNHALTED | The processor's clock is not halted |
| Pentium 4 (HT and non-HT) | GLOBAL_POWER_EVENTS | The time during which the processor is not stopped |
| Itanium 2 | CPU_CYCLES | CPU Cycles |
| TIMER_INT | (none) | Sample for each timer interrupt |
| ppc64/power4 | CYCLES | Processor Cycles |
| ppc64/power5 | CYCLES | Processor Cycles |
| ppc64/970 | CYCLES | Processor Cycles |
To determine the processor type detected by OProfile, execute the following command as root:
cat /dev/oprofile/cpu_type
The events available vary depending on the processor type. To list the events available for the system's processor, execute op_help as root. The events for each counter can be configured via the command line or with the graphical interface. To set the event for each configurable counter via the command line, use opcontrol:
opcontrol --event=<event-name>:<sample-rate>
Replace <event-name> with the exact name of the event from op_help, and replace <sample-rate> with the number of events between samples.
If cpu_type is not timer, each event can have a sampling rate set for it. The sampling rate is the number of events between each sample snapshot; the smaller the count, the more frequent the samples. For events that do not happen frequently, a lower count may be needed to capture the event instances. Be careful when choosing the sampling rate: sampling too frequently can overload the system, making it appear frozen or actually freezing it.
If cpu_type is not timer, unit masks may also be required to further define the event. The unit masks for each event are listed with the op_help command. The values for each unit mask are listed in hexadecimal format. To specify more than one unit mask, the hexadecimal values must be combined using a bitwise OR operation:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>
By default, kernel mode and user mode information is gathered for each event. To configure OProfile not to count events in kernel mode for a specific counter, execute:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:0
To configure OProfile to count events in kernel mode for a specific counter, execute:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:1
To configure OProfile not to count events in user mode for a specific counter, execute:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:0
To configure OProfile to count events in user mode for a specific counter, execute:
opcontrol --event=<event-name>:<sample-rate>:<unit-mask>:<kernel>:1
To separate the kernel and user-space profiles per application, execute opcontrol --separate=<choice>, where <choice> can be one of the following:
none — do not separate the profiles (default)
library — generate per-application profiles for libraries
kernel — generate per-application profiles for the kernel and kernel modules
all — generate per-application profiles for libraries and per-application profiles for the kernel and kernel modules
If --separate=library is used, the sample file name includes the name of the executable as well as the name of the library.
To start monitoring the system with OProfile, execute the following command as root:
opcontrol --start
Output similar to the following is displayed:
Using log file /var/lib/oprofile/oprofiled.log
Daemon started.
Profiler running.
The settings in /root/.oprofile/daemonrc are used.
The OProfile daemon, oprofiled, is started; it periodically writes the sample data to the /var/lib/oprofile/samples/ directory. The log file for the daemon is located at /var/lib/oprofile/oprofiled.log.
To stop the profiler, execute the following command as root:
opcontrol --shutdown
Sometimes it is useful to save samples at a specific time, for example to keep separate sample sets for different input data. To save the current set of sample files, execute the following command, replacing <name> with a unique descriptive name for the current session:
opcontrol --save=<name>
The directory /var/lib/oprofile/samples/name/ is created and the current sample files are copied to it.
The OProfile daemon, oprofiled, collects the samples and writes them to the /var/lib/oprofile/samples/ directory. Before reading the data, make sure all data has been written to this directory by executing the following command as root:
opcontrol --dump
Each sample file name is based on the name of the executable. For example, the samples for the default event on a Pentium III processor for /bin/bash become:
{root}/bin/bash/{dep}/{root}/bin/bash/CPU_CLK_UNHALTED.100000
The following tools are available to analyze the sample data once it has been collected:
opreport
opannotate
Use these tools, along with the binaries profiled, to generate reports that can be further analyzed.
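The steps above (reset, setup, event selection, start, workload, dump, shutdown, report) are usually typed one at a time. The following script is an added example, not part of the original guide or of the oprofile package: it drives the whole session around one workload command, builds the --event argument in the documented name:rate:unit-mask:kernel:user form with some input checking, refuses to set events when cpu_type is timer, and falls back to --no-vmlinux when the kernel debuginfo is not installed. The OPROFILE_CPU_TYPE environment override is an assumption of this script (it lets event_spec be exercised on a host without /dev/oprofile); everything else uses only the opcontrol and opreport invocations documented here.

```shell
#!/bin/sh
# Added example (not part of the original guide): drive one complete
# OProfile session with opcontrol, from reset to report, around a workload
# command. Assumes the oprofile package is installed and that the script
# runs as root; OPROFILE_CPU_TYPE is an assumed environment override used
# here so event_spec can be exercised on a machine without /dev/oprofile.

VMLINUX="/usr/lib/debug/lib/modules/$(uname -r)/vmlinux"   # from kernel debuginfo

# cpu_type as detected by OProfile, or "timer" when the module is not loaded.
detect_cpu_type() {
    if [ -r /dev/oprofile/cpu_type ]; then
        cat /dev/oprofile/cpu_type
    else
        echo timer
    fi
}

# Build the argument for opcontrol --event in the documented form
#   <event-name>:<sample-rate>[:<unit-mask>[:<kernel>[:<user>]]]
# Fails when cpu_type is timer (no events can be set there), when the sample
# rate is not a positive integer, or when a later field is given without the
# earlier ones it depends on (kernel needs unit-mask, user needs kernel).
event_spec() {
    local name="$1" rate="$2" unit="${3:-}" kern="${4:-}" user="${5:-}" cpu spec
    cpu="${OPROFILE_CPU_TYPE:-$(detect_cpu_type)}"
    if [ "$cpu" = timer ]; then
        echo "cpu_type is timer: events cannot be set, profiling uses the timer interrupt" >&2
        return 1
    fi
    case "$rate" in
        ''|*[!0-9]*|0) echo "sample rate must be a positive integer, got '$rate'" >&2; return 1 ;;
    esac
    if { [ -n "$kern" ] && [ -z "$unit" ]; } || { [ -n "$user" ] && [ -z "$kern" ]; }; then
        echo "kernel flag requires a unit mask and user flag requires a kernel flag" >&2
        return 1
    fi
    spec="$name:$rate"
    [ -n "$unit" ] && spec="$spec:$unit"
    [ -n "$kern" ] && spec="$spec:$kern"
    [ -n "$user" ] && spec="$spec:$user"
    echo "$spec"
}

# Run a workload under OProfile and print the per-executable report.
# $1 = event spec from event_spec; remaining arguments = workload command.
run_profile() {
    local spec="$1"; shift
    [ "$(id -u)" -eq 0 ] || { echo "opcontrol must run as root" >&2; return 1; }
    opcontrol --reset                                  # samples accumulate across runs
    if [ -r "$VMLINUX" ]; then                         # debuginfo present: profile the kernel too
        opcontrol --setup --vmlinux="$VMLINUX" --separate=library --event="$spec"
    else
        opcontrol --setup --no-vmlinux --separate=library --event="$spec"
    fi
    opcontrol --start
    "$@"                                               # the workload being measured
    opcontrol --dump                                   # flush samples before reading them
    opcontrol --shutdown
    opreport                                           # per-executable overview
}

# Stand-alone use: profile the given command with the default time-based event,
# one sample every 100000 unhalted cycles, in both kernel and user mode.
if command -v opcontrol >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] && [ $# -gt 0 ]; then
    spec=$(event_spec CPU_CLK_UNHALTED 100000 0x00 1 1) && run_profile "$spec" "$@"
else
    echo "usage (as root, with oprofile installed): $0 <command> [args...]" >&2
fi
```

Because the workload runs as root here, keep it to the binary you actually want to measure; the sample files under /var/lib/oprofile/samples/ are the only output, and opcontrol --reset at the start prevents an earlier session's samples from leaking into this report.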
The opreport tool provides an overview of all the executables being profiled. The following is part of a sample output:
Profiling through timer interrupt
TIMER:0|
samples| %|
------------------
25926 97.5212 no-vmlinux
359 1.3504 pi
65 0.2445 Xorg
62 0.2332 libvte.so.4.4.0
56 0.2106 libc-2.3.4.so
34 0.1279 libglib-2.0.so.0.400.7
19 0.0715 libXft.so.2.1.2
17 0.0639 bash
8 0.0301 ld-2.3.4.so
8 0.0301 libgdk-x11-2.0.so.0.400.13
6 0.0226 libgobject-2.0.so.0.400.7
5 0.0188 oprofiled
4 0.0150 libpthread-2.3.4.so
4 0.0150 libgtk-x11-2.0.so.0.400.13
3 0.0113 libXrender.so.1.2.2
3 0.0113 du
1 0.0038 libcrypto.so.0.9.7a
1 0.0038 libpam.so.0.77
1 0.0038 libtermcap.so.2.0.8
1 0.0038 libX11.so.6.2
1 0.0038 libgthread-2.0.so.0.400.7
1 0.0038 libwnck-1.so.4.9.0
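On a shared host the listing above is worth scanning for more than performance: an image near the top that nobody recognises is the first place to look when CPU time is disappearing. The following two shell functions are an added example, not part of the original guide or the oprofile package. One prints every image at or above a percentage threshold (ignoring the no-vmlinux pseudo-image that holds kernel samples when OProfile was set up with --no-vmlinux); the other splits the non-kernel samples into shared-library and executable totals. The input they run on is the opreport listing shown above, embedded as a constructed string so the functions work without oprofile installed.

```shell
#!/bin/sh
# Added example (not part of the original guide): two small filters over the
# per-executable listing that opreport prints, for spotting what is actually
# burning CPU. Both read opreport output on stdin; the table body starts after
# the dashed separator line and has the columns: samples, %, image name.

# Print "image percent" for every image whose share of samples is at or above
# the threshold, skipping no-vmlinux (kernel samples when OProfile was set up
# with --no-vmlinux). Exit status 0 if anything qualified, 1 otherwise.
# Usage: opreport | opreport_hot 1.0
opreport_hot() {
    awk -v limit="${1:-1.0}" '
        /^-+$/ { body = 1; next }            # everything above the dashes is header
        !body || NF < 3 { next }
        $3 == "no-vmlinux" { next }
        $2 + 0 >= limit + 0 { printf "%s %s\n", $3, $2; hits++ }
        END { exit hits ? 0 : 1 }'
}

# Print "<samples in shared libraries> <samples outside the kernel>", a rough
# split of user time between .so images and the executables themselves.
# Usage: opreport | opreport_lib_share
opreport_lib_share() {
    awk '
        /^-+$/ { body = 1; next }
        !body || NF < 3 || $3 == "no-vmlinux" { next }
        {
            total += $1
            if ($3 ~ /\.so$/ || $3 ~ /\.so\./) libs += $1
        }
        END { printf "%d %d\n", libs, total }'
}

# Constructed input: the per-executable listing from the text, reproduced
# here so the functions can run without oprofile installed.
SAMPLE_OPREPORT='Profiling through timer interrupt
TIMER:0|
samples| %|
------------------
25926 97.5212 no-vmlinux
359 1.3504 pi
65 0.2445 Xorg
62 0.2332 libvte.so.4.4.0
56 0.2106 libc-2.3.4.so
34 0.1279 libglib-2.0.so.0.400.7
19 0.0715 libXft.so.2.1.2
17 0.0639 bash
8 0.0301 ld-2.3.4.so
8 0.0301 libgdk-x11-2.0.so.0.400.13
6 0.0226 libgobject-2.0.so.0.400.7
5 0.0188 oprofiled
4 0.0150 libpthread-2.3.4.so
4 0.0150 libgtk-x11-2.0.so.0.400.13
3 0.0113 libXrender.so.1.2.2
3 0.0113 du
1 0.0038 libcrypto.so.0.9.7a
1 0.0038 libpam.so.0.77
1 0.0038 libtermcap.so.2.0.8
1 0.0038 libX11.so.6.2
1 0.0038 libgthread-2.0.so.0.400.7
1 0.0038 libwnck-1.so.4.9.0'

printf '%s\n' "$SAMPLE_OPREPORT" | opreport_hot 1.0       # pi 1.3504
printf '%s\n' "$SAMPLE_OPREPORT" | opreport_lib_share     # 210 659
```

On the sample, 659 samples fall outside the kernel and 210 of them land in shared libraries; the only image above 1% is pi, which is what the session was profiling. With --separate=library in effect the library samples are filed under their calling application instead, so the second function is only meaningful for a session run without it.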
Refer to the opreport man page for a list of available command line options, such as the -r option used to sort the output from the executable with the smallest number of samples to the one with the largest number of samples.
To retrieve more detailed profiled information about a specific executable, use opreport:
opreport <mode> <executable>
<executable> must be the full path to the executable to be analyzed. <mode> must be one of the following:
-l lists sample data by symbols. For example, the following is part of the output from running the command opreport -l /lib/tls/libc-<version>.so:
samples % symbol name
12 21.4286 __gconv_transform_utf8_internal
5 8.9286 _int_malloc
4 7.1429 malloc
3 5.3571 __i686.get_pc_thunk.bx
3 5.3571 _dl_mcount_wrapper_check
3 5.3571 mbrtowc
3 5.3571 memcpy
2 3.5714 _int_realloc
2 3.5714 _nl_intern_locale_data
2 3.5714 free
2 3.5714 strcmp
1 1.7857 __ctype_get_mb_cur_max
1 1.7857 __unregister_atfork
1 1.7857 __write_nocancel
1 1.7857 _dl_addr
1 1.7857 _int_free
1 1.7857 _itoa_word
1 1.7857 calc_eclosure_iter
1 1.7857 fopen@@GLIBC_2.1
1 1.7857 getpid
1 1.7857 memmove
1 1.7857 msort_with_tmp
1 1.7857 strcpy
1 1.7857 strlen
1 1.7857 vfprintf
1 1.7857 write
The first column is the number of samples for the symbol, the second column is the percentage of samples for this symbol relative to the overall samples for the executable, and the third column is the symbol name. To sort the output from the largest number of samples to the smallest (reverse order), use -r in conjunction with the -l option.
-i <symbol-name> lists sample data specific to a symbol name. For example, the following output is from the command opreport -l -i __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
samples % symbol name
12 100.000 __gconv_transform_utf8_internal
-d lists sample data by symbols with more detail than -l. For example, the following output is from the command opreport -l -d __gconv_transform_utf8_internal /lib/tls/libc-<version>.so:
vma samples % symbol name
00a98640 12 100.000 __gconv_transform_utf8_internal
00a98640 1 8.3333
00a9868c 2 16.6667
00a9869a 1 8.3333
00a986c1 1 8.3333
00a98720 1 8.3333
00a98749 1 8.3333
00a98753 1 8.3333
00a98789 1 8.3333
00a98864 1 8.3333
00a98869 1 8.3333
00a98b08 1 8.3333
The data is the same as with the -l option except that for each symbol, each virtual memory address used is shown. For each virtual memory address, the number of samples and the percentage of samples relative to the number of samples for the symbol is displayed.
-x <symbol-name> excludes the comma-separated list of symbols from the output.
session:<name> specifies the full path to the session or a directory relative to the /var/lib/oprofile/samples/ directory.
The opannotate tool tries to match the samples for particular instructions to the corresponding lines in the source code. The resulting files generated should have the samples for the lines at the left. It also puts in a comment at the beginning of each function listing the total samples for the function.
For this utility to work, the executable must be compiled with GCC's -g option. By default, Red Hat Enterprise Linux packages are not compiled with this option.
The general syntax for opannotate is as follows:
opannotate --search-dirs <src-dir> --source <executable>
The directory containing the source code and the executable to be analyzed must be specified. Refer to the opannotate man page for a list of additional command line options.
The /dev/oprofile/ directory contains the file system for OProfile. Use the cat command to display the values of the virtual files in this file system. For example, the following command displays the type of processor OProfile detected:
cat /dev/oprofile/cpu_type
A directory exists in /dev/oprofile/ for each counter. For example, if there are 2 counters, the directories /dev/oprofile/0/ and /dev/oprofile/1/ exist. Each directory for a counter contains the following files:
count — The interval between samples.
enabled — If 0, the counter is off and no samples are collected for it; if 1, the counter is on and samples are being collected for it.
event — The event to monitor.
kernel — If 0, samples are not collected for this counter event when the processor is in kernel-space; if 1, samples are collected even if the processor is in kernel-space.
unit_mask — Defines which unit masks are enabled for the counter.
user — If 0, samples are not collected for the counter event when the processor is in user-space; if 1, samples are collected even if the processor is in user-space.
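The following shell function is an added example, not part of the original guide or the oprofile package: it walks the per-counter directories just listed and prints one line per counter, marking a counter whose enabled file holds 0 as off. The root directory is a parameter so the same function can be pointed at a constructed copy of the tree on a machine where the oprofile module is not loaded; the values in that constructed tree are arbitrary and are not real oprofilefs contents.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarise the per-counter
# configuration that the oprofile module exposes under /dev/oprofile/.
# The root directory is a parameter so the function can be run against a
# constructed copy of the tree on a machine without the module loaded.
# Usage: oprofile_counters [root]     (root defaults to /dev/oprofile)

# Contents of one virtual file, or "-" when it is missing or unreadable.
read_val() {
    if [ -r "$1" ]; then cat "$1"; else echo "-"; fi
}

# Print cpu_type, then one line per counter directory:
#   <n> on|off event=<e> count=<c> unit_mask=<u> kernel=<k> user=<s>
# A counter whose enabled file holds 0 collects no samples and is shown "off".
# Returns 1 when the root is missing or holds no counter directories.
oprofile_counters() {
    local root="${1:-/dev/oprofile}" dir n state found=0
    if [ ! -d "$root" ]; then
        echo "$root: not present (is the oprofile module loaded?)" >&2
        return 1
    fi
    echo "cpu_type=$(read_val "$root/cpu_type")"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue            # glob did not match, or not a counter
        found=1
        n=${dir##*/}
        state=off
        [ "$(read_val "$dir/enabled")" = 1 ] && state=on
        printf '%s %s event=%s count=%s unit_mask=%s kernel=%s user=%s\n' \
            "$n" "$state" \
            "$(read_val "$dir/event")" "$(read_val "$dir/count")" \
            "$(read_val "$dir/unit_mask")" "$(read_val "$dir/kernel")" \
            "$(read_val "$dir/user")"
    done
    [ "$found" -eq 1 ]
}

# Build a constructed two-counter tree with arbitrary values (this is test
# scaffolding, not real oprofilefs contents) and print its path.
make_fake_oprofile() {
    local root
    root=$(mktemp -d)
    echo "i386/piii" > "$root/cpu_type"
    mkdir "$root/0" "$root/1"
    for f in enabled:1 event:1 count:100000 unit_mask:0 kernel:1 user:1; do
        echo "${f#*:}" > "$root/0/${f%%:*}"
    done
    for f in enabled:0 event:0 count:0 unit_mask:0 kernel:0 user:0; do
        echo "${f#*:}" > "$root/1/${f%%:*}"
    done
    echo "$root"
}

# Stand-alone: show the live tree, or the constructed one when it is absent.
if ! oprofile_counters 2>/dev/null; then
    fake=$(make_fake_oprofile)
    oprofile_counters "$fake"
    rm -rf "$fake"
fi
```

Reading the tree this way is a quick check that the daemon is sampling what you think it is: a counter shown off, or a kernel flag of 0 on a session meant to include kernel time, explains an empty or lopsided opreport.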
The values of these files can be retrieved with the cat command. For example:
cat /dev/oprofile/0/count
While OProfile can be used by developers to analyze application performance, it can also be used by system administrators to perform system analysis. For example:
Determining CPU usage: opreport can be used to determine how much processor time an application or service uses. If the system is used for multiple services but is under performing, the services consuming the most processor time can be moved to dedicated systems.
Determining processor load: the CPU_CLK_UNHALTED event can be monitored to determine the processor load over a given period of time. This data can then be used to determine if additional processors or a faster processor might improve system performance.
Some OProfile preferences can be set with a graphical interface. To start it, execute the oprof_start command as root at a shell prompt.
After changing any of the options, save them by clicking the Save and quit button. The preferences are written to /root/.oprofile/daemonrc, and the application exits. Exiting the application does not stop OProfile from sampling.

oprof_start interface
To monitor the kernel, enter the name and location of the vmlinux file for the kernel to monitor in the Kernel image file text field. To configure OProfile not to monitor the kernel, select No kernel image.

If Verbose is selected, the oprofiled daemon log includes more information.
If Per-application kernel samples files is selected, OProfile generates per-application profiles for the kernel and kernel modules. This is equivalent to the opcontrol --separate=kernel command. If Per-application shared libs samples files is selected, OProfile generates per-application profiles for libraries. This is equivalent to the opcontrol --separate=library command.
To force the collected data to be written to the sample files, click the Flush button. This is equivalent to the opcontrol --dump command.
/usr/share/doc/oprofile-<version>/oprofile.html — OProfile Manual
oprofile man page — Discusses opcontrol, opreport, opannotate, and op_help
Revision History
| Revision | Date |
|---|---|
| Revision 1.0 | Thu Sep 18 2008 |