Edition 8
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
mount Commandproc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Commandsmb.conf Filehttpdhttpd.conf/etc/openldap/schema/ Directorysysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directorycommandcat testfile command to view the contents of a file, named testfile, in the current working directory.
file name.bashrc file in your home directory contains bash shell definitions and aliases for your own use.
/etc/fstab file contains information about different system devices and file systems.
webalizer RPM if you want to use a Web server log file analysis program.
ls, then a character, and finally the Tab key. Your terminal displays the list of files in the working directory that begin with that character.
computer outputls command displays the contents of a directory. For example:
Desktop about.html logs paulwesterberg.png Mail backupfiles mail reports
prompt$
#
[stephen@maturin stephen]$
leopard login:
user inputtext is displayed in this style:
text command at the boot: prompt.
<replaceable><version-number> is displayed in this style:
/usr/src/kernels/<version-number>/, where <version-number> is the version and type of kernel installed on this system.
/usr/share/doc/ contains additional documentation for packages installed on your system.
http://bugzilla.redhat.com/bugzilla/) against the component Deployment_Guide.
parted utility to manage partitions and access control lists (ACLs) to customize file permissions.
Table of Contents
mount Commandproc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Command/usr/ partition as read-only. This second point is important because the directory contains common executables and should not be changed by users. Also, since the /usr/ directory is mounted as read-only, it can be mounted from the CD-ROM or from another machine via a read-only NFS mount.
/boot/ Directory/boot/ directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly.
/boot/ directory. Doing so renders the system unbootable.
/dev/ Directory/dev/ directory contains device nodes that either represent devices that are attached to the system or virtual devices that are provided by the kernel. These device nodes are essential for the system to function properly. The udev daemon takes care of creating and removing all these device nodes in /dev/.
/dev directory and subdirectories are either character (providing only a serial stream of input/output) or block (accessible randomly). Character devices include mouse, keyboard, modem while block devices include hard disk, floppy drive etc. If you have GNOME or KDE installed in your system, devices such as external drives or cds are automatically detected when connected (e.g via usb) or inserted (e.g via CD or DVD drive) and a popup window displaying the contents is automatically displayed. Files in the /dev directory are essential for the system to function properly.
/dev| File | Description |
|---|---|
| /dev/hda | The master device on primary IDE channel. |
| /dev/hdb | The slave device on primary IDE channel. |
| /dev/tty0 | The first virtual console. |
| /dev/tty1 | The second virtual console. |
| /dev/sda | The first device on primary SCSI or SATA channel. |
| /dev/lp0 | The first parallel port. |
/etc/ Directory/etc/ directory is reserved for configuration files that are local to the machine. No binaries are to be placed in /etc/. Any binaries that were once located in /etc/ should be placed into /sbin/ or /bin/.
/etc are the X11/ and skel/:
/etc |- X11/ |- skel/
/etc/X11/ directory is for X Window System configuration files, such as xorg.conf. The /etc/skel/ directory is for "skeleton" user files, which are used to populate a home directory when a user is first created. Applications also store their configuration files in this directory and may reference them when they are executed.
/lib/ Directory/lib/ directory should contain only those libraries needed to execute the binaries in /bin/ and /sbin/. These shared library images are particularly important for booting the system and executing commands within the root file system.
/media/ Directory/media/ directory contains subdirectories used as mount points for removable media such as usb storage media, DVDs, CD-ROMs, and Zip disks.
/mnt/ Directory/mnt/ directory is reserved for temporarily mounted file systems, such as NFS file system mounts. For all removable media, please use the /media/ directory. Automatically detected removable media will be mounted in the /media directory.
/mnt directory must not be used by installation programs.
/opt/ Directory/opt/ directory provides storage for most application software packages.
/opt/ directory creates a directory bearing the same name as the package. This directory, in turn, holds files that otherwise would be scattered throughout the file system, giving the system administrator an easy way to determine the role of each file within a particular package.
sample is the name of a particular software package located within the /opt/ directory, then all of its files are placed in directories inside the /opt/sample/ directory, such as /opt/sample/bin/ for binaries and /opt/sample/man/ for manual pages.
/opt/ directory, giving that large package a way to organize itself. In this way, our sample package may have different tools that each go in their own sub-directories, such as /opt/sample/tool1/ and /opt/sample/tool2/, each of which can have their own bin/, man/, and other similar directories.
/proc/ Directory/proc/ directory contains special files that either extract information from or send information to the kernel. Examples include system memory, cpu information, hardware configuration etc.
/proc/ and the many ways this directory can be used to communicate with the kernel, an entire chapter has been devoted to the subject. For more information, refer to Chapter 4, The proc File System.
/sbin/ Directory/sbin/ directory stores executables used by the root user. The executables in /sbin/ are used at boot time, for system administration and to perform system recovery operations. Of this directory, the FHS says:
/sbincontains binaries essential for booting, restoring, recovering, and/or repairing the system in addition to the binaries in/bin. Programs executed after/usr/is known to be mounted (when there are no problems) are generally placed into/usr/sbin. Locally-installed system administration programs should be placed into/usr/local/sbin.
/sbin/:
arp,clock,halt,init,fsck.*,grub,ifconfig,mingetty,mkfs.*,mkswap,reboot,route,shutdown,swapoff,swapon
/srv/ Directory/srv/ directory contains site-specific data served by your system running Red Hat Enterprise Linux. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. Data that only pertains to a specific user should go in the /home/ directory.
/sys/ Directory/sys/ directory utilizes the new sysfs virtual file system specific to the 2.6 kernel. With the increased support for hot plug hardware devices in the 2.6 kernel, the /sys/ directory contains information similarly held in /proc/, but displays a hierarchical view of specific device information in regards to hot plug devices.
/usr/ Directory/usr/ directory is for files that can be shared across multiple machines. The /usr/ directory is often on its own partition and is mounted read-only. At a minimum, the following directories should be subdirectories of /usr/:
/usr |- bin/ |- etc/ |- games/ |- include/ |- kerberos/ |- lib/ |- libexec/ |- local/ |- sbin/ |- share/ |- src/ |- tmp -> ../var/tmp/
/usr/ directory, the bin/ subdirectory contains executables, etc/ contains system-wide configuration files, games is for games, include/ contains C header files, kerberos/ contains binaries and other Kerberos-related files, and lib/ contains object files and libraries that are not designed to be directly utilized by users or shell scripts. The libexec/ directory contains small helper programs called by other programs, sbin/ is for system administration binaries (those that do not belong in the /sbin/ directory), share/ contains files that are not architecture-specific, src/ is for source code.
/usr/local/ DirectoryThe/usr/localhierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated. It may be used for programs and data that are shareable among a group of hosts, but not found in/usr.
/usr/local/ directory is similar in structure to the /usr/ directory. It has the following subdirectories, which are similar in purpose to those in the /usr/ directory:
/usr/local |- bin/ |- etc/ |- games/ |- include/ |- lib/ |- libexec/ |- sbin/ |- share/ |- src/
/usr/local/ directory is slightly different from that specified by the FHS. The FHS says that /usr/local/ should be where software that is to remain safe from system software upgrades is stored. Since software upgrades can be performed safely with RPM Package Manager (RPM), it is not necessary to protect files by putting them in /usr/local/. Instead, the /usr/local/ directory is used for software that is local to the machine.
/usr/ directory is mounted as a read-only NFS share from a remote host, it is still possible to install a package or program under the /usr/local/ directory.
/var/ Directory/usr/ as read-only, any programs that write log files or need spool/ or lock/ directories should write them to the /var/ directory. The FHS states /var/ is for:
...variable data files. This includes spool directories and files, administrative and logging data, and transient and temporary files.
/var/ directory:
/var
|- account/
|- arpwatch/
|- cache/
|- crash/
|- db/
|- empty/
|- ftp/
|- gdm/
|- kerberos/
|- lib/
|- local/
|- lock/
|- log/
|- mail -> spool/mail/
|- mailman/
|- named/
|- nis/
|- opt/
|- preserve/
|- run/
+- spool/
|- at/
|- clientmqueue/
|- cron/
|- cups/
|- exim/
|- lpd/
|- mail/
|- mailman/
|- mqueue/
|- news/
|- postfix/
|- repackage/
|- rwho/
|- samba/
|- squid/
|- squirrelmail/
|- up2date/
|- uucp
|- uucppublic/
|- vbox/
|- tmp/
|- tux/
|- www/
|- yp/messages and lastlog, go in the /var/log/ directory. The /var/lib/rpm/ directory contains RPM system databases. Lock files go in the /var/lock/ directory, usually in directories for the program using the file. The /var/spool/ directory has subdirectories for programs in which data files are stored.
/var/lib/rpm/ directory. For more information on RPM, refer to the chapter Chapter 11, Package Management with RPM.
/var/cache/yum/ directory contains files used by the Package Updater, including RPM header information for the system. This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about Red Hat Network, refer to Chapter 14, Product Subscriptions and Entitlements.
/etc/sysconfig/ directory. This directory stores a variety of configuration information. Many scripts that run at boot time use the files in this directory. Refer to Chapter 30, The sysconfig Directory for more information about what is within this directory and the role these files play in the boot process.
mount Commandmount or umount command respectively. This chapter describes the basic usage of these commands, and covers some advanced topics such as moving a mount point or creating shared subtrees.
mount command with no additional arguments:
mountdeviceondirectorytypetype(options)
sysfs, tmpfs, and others. To display only the devices with a certain file system type, supply the -t option on the command line:
mount-ttype
mount command to list the mounted file systems, see Example 2.1, “Listing Currently Mounted ext3 File Systems”.
ext3 File Systems/ and /boot partitions are formatted to use ext3. To display only the mount points that use this file system, type the following at a shell prompt:
~]$ mount -t ext3
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
/dev/vda1 on /boot type ext3 (rw)mount command in the following form:
mount[option…]devicedirectory
mount command is run, it reads the content of the /etc/fstab configuration file to see if the given file system is listed. This file contains a list of device names and the directory in which the selected file systems should be mounted, as well as the file system type and mount options. Because of this, when you are mounting a file system that is specified in this file, you can use one of the following variants of the command:
mount[option…]directorymount[option…]device
root, you must have permissions to mount the file system (see Section 2.2.2, “Specifying the Mount Options”).
mount detects the file system automatically. However, there are certain file systems, such as NFS (Network File System) or CIFS (Common Internet File System), that are not recognized, and need to be specified manually. To specify the file system type, use the mount command in the following form:
mount-ttypedevicedirectory
mount command. For a complete list of all available file system types, consult the relevant manual page as referred to in Section 2.4.1, “Installed Documentation”.
| Type | Description |
|---|---|
ext2
|
The ext2 file system.
|
ext3
|
The ext3 file system.
|
iso9660
|
The ISO 9660 file system. It is commonly used by optical media, typically CDs.
|
jfs
|
The JFS file system created by IBM.
|
nfs
|
The NFS file system. It is commonly used to access files over the network.
|
nfs4
|
The NFSv4 file system. It is commonly used to access files over the network.
|
ntfs
|
The NTFS file system. It is commonly used on machines that are running the Windows operating system.
|
udf
|
The UDF file system. It is commonly used by optical media, typically DVDs.
|
vfat
|
The FAT file system. It is commonly used on machines that are running the Windows operating system, and on certain digital media such as USB flash drives or floppy disks.
|
/dev/sdc1 device and that the /media/flashdisk/ directory exists, you can mount it to this directory by typing the following at a shell prompt as root:
~]# mount -t vfat /dev/sdc1 /media/flashdiskmount-ooptions
mount will incorrectly interpret the values following spaces as additional parameters.
| Option | Description |
|---|---|
async
| Allows the asynchronous input/output operations on the file system. |
auto
|
Allows the file system to be mounted automatically using the mount -a command.
|
defaults
|
Provides an alias for async,auto,dev,exec,nouser,rw,suid.
|
exec
| Allows the execution of binary files on the particular file system. |
loop
| Mounts an image as a loop device. |
noauto
|
Disallows the automatic mount of the file system using the mount -a command.
|
noexec
| Disallows the execution of binary files on the particular file system. |
nouser
|
Disallows an ordinary user (that is, other than root) to mount and unmount the file system.
|
remount
| Remounts the file system in case it is already mounted. |
ro
| Mounts the file system for reading only. |
rw
| Mounts the file system for both reading and writing. |
user
|
Allows an ordinary user (that is, other than root) to mount and unmount the file system.
|
/media/cdrom/ directory exists, you can mount the image to this directory by running the following command as root:
~]# mount -o ro,loop Fedora-14-x86_64-Live-Desktop.iso /media/cdrommount command implements the --bind option that provides a means for duplicating certain mounts. Its usage is as follows:
mount--bindold_directorynew_directory
mount--rbindold_directorynew_directory
mount--make-sharedmount_point
mount--make-rsharedmount_point
mount--make-slavemount_point
mount--make-rslavemount_point
/media directory to appear in /mnt as well, but you do not want any mounts in the /mnt directory to be reflected in /media. To do so, as root, first mark the /media directory as “shared”:
~]#mount --bind /media /media~]#mount --make-shared /media
/mnt, but mark it as “slave”:
~]#mount --bind /media /mnt~]#mount --make-slave /mnt
/media also appears in /mnt. For example, if you have non-empty media in your CD-ROM drive and the /media/cdrom/ directory exists, run the following commands:
~]#mount /dev/cdrom /media/cdrom~]#ls /media/cdromEFI GPL isolinux LiveOS ~]#ls /mnt/cdromEFI GPL isolinux LiveOS
/mnt directory are not reflected in /media. For instance, if you have a non-empty USB flash drive that uses the /dev/sdc1 device plugged in and the /mnt/flashdisk/ directory is present, type: :
~]#mount /dev/sdc1 /mnt/flashdisk~]#ls /media/flashdisk~]#ls /mnt/flashdisken-US publican.cfg
mount--make-privatemount_point
mount--make-rprivatemount_point
root:
~]#mount --bind /media /media~]#mount --make-shared /media~]#mount --bind /media /mnt
/mnt directory as “private”, type:
~]# mount --make-private /mnt/media appears in /mnt. For example, if you have non-empty media in your CD-ROM drive and the /media/cdrom/ directory exists, run the following commands:
~]#mount /dev/cdrom /media/cdrom~]#ls /media/cdromEFI GPL isolinux LiveOS ~]#ls /mnt/cdrom~]#
/mnt directory are not reflected in /media. For instance, if you have a non-empty USB flash drive that uses the /dev/sdc1 device plugged in and the /mnt/flashdisk/ directory is present, type:
~]#mount /dev/sdc1 /mnt/flashdisk~]#ls /media/flashdisk~]#ls /mnt/flashdisken-US publican.cfg
mount--make-unbindablemount_point
mount--make-runbindablemount_point
/media directory from being shared, as root, type the following at a shell prompt:
~]#mount --bind /media /media~]#mount --make-unbindable /media
~]# mount --bind /media /mnt
mount: wrong fs type, bad option, bad superblock on /media/,
missing code page or other error
In some cases useful info is found in syslog - try
dmesg | tail or somount--moveold_directorynew_directory
/mnt/userdirs/, as root, you can move this mount point to /home by using the following command:
~]# mount --move /mnt/userdirs /home~]#ls /mnt/userdirs~]#ls /homejill joe
umount command:
umountdirectoryumountdevice
root, you must have permissions to unmount the file system (see Section 2.2.2, “Specifying the Mount Options”). See Example 2.9, “Unmounting a CD” for an example usage.
umount command will fail with an error. To determine which processes are accessing the file system, use the fuser command in the following form:
fuser-mdirectory
/media/cdrom/ directory, type:
~]$ fuser -m /media/cdrom
/media/cdrom: 1793 2013 2022 2435 10532c 10672c/media/cdrom/ directory, type the following at a shell prompt:
~]$ umount /media/cdromman 8 mount — The manual page for the mount command that provides a full documentation on its usage.
man 8 umount — The manual page for the umount command that provides a full documentation on its usage.
man 5 fstab — The manual page providing a thorough description of the /etc/fstab file format.
e2fsck program. This is a time-consuming process that can delay system boot time significantly, especially with large volumes containing a large number of files. During this time, any data on the volumes is unreachable.
mkfs.
e2label.
tune2fs allows you to convert an ext2 filesystem to ext3.
e2fsck utility to check your filesystem before and after using tune2fs. A default installation of Red Hat Enterprise Linux uses ext3 for all file systems.
ext2 filesystem to ext3, log in as root and type the following command in a terminal:
tune2fs -j <block_device><block_device> contains the ext2 filesystem you wish to convert.
/dev/mapper/VolGroup00-LogVol02.
/dev/hdbX, where hdb is a storage device name and X is the partition number.
df command to display mounted file systems.
/dev/mapper/VolGroup00-LogVol02
mkinitrd program. For information on using the mkinitrd command, type man mkinitrd. Also, make sure your GRUB configuration loads the initrd.
umount /dev/mapper/VolGroup00-LogVol02tune2fs -O ^has_journal /dev/mapper/VolGroup00-LogVol02e2fsck -y /dev/mapper/VolGroup00-LogVol02mount -t ext2 /dev/mapper/VolGroup00-LogVol02 /mount/point/mount/point with the mount point of the partition.
.journal file at the root level of the partition by changing to the directory where it is mounted and typing:
rm -f .journal/etc/fstab file.
proc File Systemproc File System/proc/apm /proc/buddyinfo /proc/cmdline /proc/cpuinfo /proc/crypto /proc/devices /proc/dma /proc/execdomains /proc/fb /proc/filesystems /proc/interrupts /proc/iomem /proc/ioports /proc/kcore /proc/kmsg /proc/loadavg /proc/locks /proc/mdstat /proc/meminfo /proc/misc /proc/modules /proc/mounts /proc/mtrr /proc/partitions /proc/pci /proc/slabinfo /proc/stat /proc/swaps /proc/sysrq-trigger /proc/uptime /proc/version /proc/ sysctl Command/proc/ directory — also called the proc file system — contains a hierarchy of special files which represent the current state of the kernel — allowing applications and users to peer into the kernel's view of the system.
/proc/ directory, one can find a wealth of information detailing the system hardware and any processes currently running. In addition, some of the files within the /proc/ directory tree can be manipulated by users and applications to communicate configuration changes to the kernel.
/proc/ directory contains another type of file called a virtual file. It is for this reason that /proc/ is often referred to as a virtual file system.
/proc/interrupts, /proc/meminfo, /proc/mounts, and /proc/partitions provide an up-to-the-moment glimpse of the system's hardware. Others, like the /proc/filesystems file and the /proc/sys/ directory provide system configuration information and interfaces.
/proc/ide/ contains information for all physical IDE devices. Likewise, process directories contain information about each running process on the system.
cat, more, or less commands on files within the /proc/ directory, users can immediately access enormous amounts of information about the system. For example, to display the type of CPU a computer has, type cat /proc/cpuinfo to receive output similar to the following:
processor : 0 vendor_id : AuthenticAMD cpu family : 5 model : 9 model name : AMD-K6(tm) 3D+ Processor stepping : 1 cpu MHz : 400.919 cache size : 256 KB fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 1 wp : yes flags : fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr bogomips : 799.53
/proc/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include lspci, apm, free, and top.
/proc/ directory are readable only by the root user.
/proc/ directory are read-only. However, some can be used to adjust settings in the kernel. This is especially true for files in the /proc/sys/ subdirectory.
echo command and a greater than symbol (>) to redirect the new value to the file. For example, to change the hostname on the fly, type:
echo www.example.com > /proc/sys/kernel/hostname cat /proc/sys/net/ipv4/ip_forward returns either a 0 or a 1. A 0 indicates that the kernel is not forwarding network packets. Using the echo command to change the value of the ip_forward file to 1 immediately turns packet forwarding on.
/proc/sys/ subdirectory is /sbin/sysctl. For more information on this command, refer to Section 4.4, “Using the sysctl Command”
/proc/sys/ subdirectory, refer to Section 4.3.9, “ /proc/sys/ ”.
proc File System/proc/ directory.
/proc/apm apm command. If a system with no battery is connected to an AC power source, this virtual file would look similar to the following:
1.16 1.2 0x07 0x01 0xff 0x80 -1% -1 ?
apm -v command on such a system results in output similar to the following:
APM BIOS 1.2 (kernel driver 1.16ac) AC on-line, no system battery
apm is able do little more than put the machine in standby mode. The apm command is much more useful on laptops. For example, the following output is from the command cat /proc/apm on a laptop while plugged into a power outlet:
1.16 1.2 0x03 0x01 0x03 0x09 100% -1 ?
apm file changes to something like the following:
1.16 1.2 0x03 0x00 0x00 0x01 99% 1792 min
apm -v command now yields more useful data, such as the following:
APM BIOS 1.2 (kernel driver 1.16) AC off-line, battery status high: 99% (1 day, 5:52)
/proc/buddyinfo DMA row references the first 16 MB on a system, the HighMem row references all memory greater than 4 GB on a system, and the Normal row references all memory in between.
/proc/buddyinfo:
Node 0, zone DMA 90 6 2 1 1 ... Node 0, zone Normal 1650 310 5 0 0 ... Node 0, zone HighMem 2 0 0 1 1 ...
/proc/cmdline /proc/cmdline file looks like the following:
ro root=/dev/VolGroup00/LogVol00 rhgb quiet 3
ro on the kernel boot line overrides any instances of rw.
/proc/cmdline output, the root filesystem image is located on the first logical volume (LogVol00) of the first LVM volume group (VolGroup00). On a system not using Logical Volume Management, the root file system might be located on /dev/sda1 or /dev/sda2, meaning on either the first or second partition of the first SCSI or SATA disk drive, depending on whether we have a separate (preceding) boot or swap partition on that drive.
/etc/inittab shows that the default runlevel is set to 5 with a line like this:
id:5:initdefault:
/proc/cpuinfo /proc/cpuinfo:
processor : 0 vendor_id : GenuineIntel cpu family : 15 model : 2 model name : Intel(R) Xeon(TM) CPU 2.40GHz stepping : 7 cpu MHz : 2392.371 cache size : 512 KB physical id : 0 siblings : 2 runqueue : 0 fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no fpu : yes fpu_exception : yes cpuid level : 2 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm bogomips : 4771.02
processor — Provides each processor with an identifying number. On systems that have one processor, only a 0 is present.
cpu family — Authoritatively identifies the type of processor in the system. For an Intel-based system, place the number in front of "86" to determine the value. This is particularly helpful for those attempting to identify the architecture of an older system such as a 586, 486, or 386. Because some RPM packages are compiled for each of these particular architectures, this value also helps users determine which packages to install.
model name — Displays the common name of the processor, including its project name.
cpu MHz — Shows the precise speed in megahertz for the processor to the thousandths decimal place.
cache size — Displays the amount of level 2 memory cache available to the processor.
siblings — Displays the number of sibling CPUs on the same physical CPU for architectures which use hyper-threading.
flags — Defines a number of different qualities about the processor, such as the presence of a floating point unit (FPU) and the ability to process MMX instructions.
/proc/crypto /proc/crypto file looks like the following:
name : sha1 module : kernel type : digest blocksize : 64 digestsize : 20 name : md5 module : md5 type : digest blocksize : 64 digestsize : 16
/proc/devices Character devices: 1 mem 4 /dev/vc/0 4 tty 4 ttyS 5 /dev/tty 5 /dev/console 5 /dev/ptmx 7 vcs 10 misc 13 input 29 fb 36 netlink 128 ptm 136 pts 180 usb Block devices: 1 ramdisk 3 ide0 9 md 22 ide1 253 device-mapper 254 mdp
/proc/devices includes the major number and name of the device, and is broken into two major sections: Character devices and Block devices.
/usr/share/doc/kernel-doc-<version>/Documentation/devices.txt/proc/dma /proc/dma files looks like the following:
4: cascade
/proc/execdomains 0-0 Linux [kernel]
PER_LINUX execution domain, different personalities can be implemented as dynamically loadable modules.
/proc/fb /proc/fb for systems which contain frame buffer devices looks similar to the following:
0 VESA VGA
/proc/filesystems /proc/filesystems file looks similar to the following:
nodev sysfs nodev rootfs nodev bdev nodev proc nodev sockfs nodev binfmt_misc nodev usbfs nodev usbdevfs nodev futexfs nodev tmpfs nodev pipefs nodev eventpollfs nodev devpts ext2 nodev ramfs nodev hugetlbfs iso9660 nodev mqueue ext3 nodev rpc_pipefs nodev autofs
nodev are not mounted on a device. The second column lists the names of the file systems supported.
mount command cycles through the file systems listed here when one is not specified as an argument.
/proc/interrupts /proc/interrupts looks similar to the following:
CPU0 0: 80448940 XT-PIC timer 1: 174412 XT-PIC keyboard 2: 0 XT-PIC cascade 8: 1 XT-PIC rtc 10: 410964 XT-PIC eth0 12: 60330 XT-PIC PS/2 Mouse 14: 1314121 XT-PIC ide0 15: 5195422 XT-PIC ide1 NMI: 0 ERR: 0
CPU0 CPU1 0: 1366814704 0 XT-PIC timer 1: 128 340 IO-APIC-edge keyboard 2: 0 0 XT-PIC cascade 8: 0 1 IO-APIC-edge rtc 12: 5323 5793 IO-APIC-edge PS/2 Mouse 13: 1 0 XT-PIC fpu 16: 11184294 15940594 IO-APIC-level Intel EtherExpress Pro 10/100 Ethernet 20: 8450043 11120093 IO-APIC-level megaraid 30: 10432 10722 IO-APIC-level aic7xxx 31: 23 22 IO-APIC-level aic7xxx NMI: 0 ERR: 0
XT-PIC — This is the old AT computer interrupts.
IO-APIC-edge — The voltage signal on this interrupt transitions from low to high, creating an edge, where the interrupt occurs and is only signaled once. This kind of interrupt, as well as the IO-APIC-level interrupt, are only seen on systems with processors from the 586 family and higher.
IO-APIC-level — Generates interrupts when its voltage signal is high until the signal is low again.
/proc/iomem 00000000-0009fbff : System RAM 0009fc00-0009ffff : reserved 000a0000-000bffff : Video RAM area 000c0000-000c7fff : Video ROM 000f0000-000fffff : System ROM 00100000-07ffffff : System RAM 00100000-00291ba8 : Kernel code 00291ba9-002e09cb : Kernel data e0000000-e3ffffff : VIA Technologies, Inc. VT82C597 [Apollo VP3] e4000000-e7ffffff : PCI Bus #01 e4000000-e4003fff : Matrox Graphics, Inc. MGA G200 AGP e5000000-e57fffff : Matrox Graphics, Inc. MGA G200 AGP e8000000-e8ffffff : PCI Bus #01 e8000000-e8ffffff : Matrox Graphics, Inc. MGA G200 AGP ea000000-ea00007f : Digital Equipment Corporation DECchip 21140 [FasterNet] ea000000-ea00007f : tulip ffff0000-ffffffff : reserved
/proc/ioports /proc/ioports provides a list of currently registered port regions used for input or output communication with a device. This file can be quite long. The following is a partial listing:
0000-001f : dma1 0020-003f : pic1 0040-005f : timer 0060-006f : keyboard 0070-007f : rtc 0080-008f : dma page reg 00a0-00bf : pic2 00c0-00df : dma2 00f0-00ff : fpu 0170-0177 : ide1 01f0-01f7 : ide0 02f8-02ff : serial(auto) 0376-0376 : ide1 03c0-03df : vga+ 03f6-03f6 : ide0 03f8-03ff : serial(auto) 0cf8-0cff : PCI conf1 d000-dfff : PCI Bus #01 e000-e00f : VIA Technologies, Inc. Bus Master IDE e000-e007 : ide0 e008-e00f : ide1 e800-e87f : Digital Equipment Corporation DECchip 21140 [FasterNet] e800-e87f : tulip
/proc/kcore /proc/ files, kcore displays a size. This value is given in bytes and is equal to the size of the physical memory (RAM) used plus 4 KB.
gdb, and is not human readable.
/proc/kcore virtual file. The contents of the file scramble text output on the terminal. If this file is accidentally viewed, press Ctrl+C to stop the process and then type reset to bring back the command line prompt.
/proc/kmsg /sbin/klogd or /bin/dmesg.
/proc/loadavg uptime and other commands. A sample /proc/loadavg file looks similar to the following:
0.20 0.18 0.12 1/80 11206
/proc/locks /proc/locks file for a lightly loaded system looks similar to the following:
1: POSIX ADVISORY WRITE 3568 fd:00:2531452 0 EOF 2: FLOCK ADVISORY WRITE 3517 fd:00:2531448 0 EOF 3: POSIX ADVISORY WRITE 3452 fd:00:2531442 0 EOF 4: POSIX ADVISORY WRITE 3443 fd:00:2531440 0 EOF 5: POSIX ADVISORY WRITE 3326 fd:00:2531430 0 EOF 6: POSIX ADVISORY WRITE 3175 fd:00:2531425 0 EOF 7: POSIX ADVISORY WRITE 3056 fd:00:2548663 0 EOF
FLOCK signifying the older-style UNIX file locks from a flock system call and POSIX representing the newer POSIX locks from the lockf system call.
ADVISORY or MANDATORY. ADVISORY means that the lock does not prevent other people from accessing the data; it only prevents other attempts to lock it. MANDATORY means that no other access to the data is permitted while the lock is held. The fourth column reveals whether the lock is allowing the holder READ or WRITE access to the file. The fifth column shows the ID of the process holding the lock. The sixth column shows the ID of the file being locked, in the format of MAJOR-DEVICE:MINOR-DEVICE:INODE-NUMBER /proc/mdstat /proc/mdstat looks similar to the following:
Personalities : read_ahead not set unused devices: <none>
md device is present. In that case, view /proc/mdstat to find the current status of mdX RAID devices.
/proc/mdstat file below shows a system with its md0 configured as a RAID 1 device, while it is currently re-syncing the disks:
Personalities : [linear] [raid1] read_ahead 1024 sectors md0: active raid1 sda2[1] sdb2[0] 9940 blocks [2/2] [UU] resync=1% finish=12.3min algorithm 2 [3/3] [UUU] unused devices: <none>
/proc/meminfo /proc/ directory, as it reports a large amount of valuable information about the systems RAM usage.
/proc/meminfo virtual file is from a system with 256 MB of RAM and 512 MB of swap space:
MemTotal: 255908 kB MemFree: 69936 kB Buffers: 15812 kB Cached: 115124 kB SwapCached: 0 kB Active: 92700 kB Inactive: 63792 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 255908 kB LowFree: 69936 kB SwapTotal: 524280 kB SwapFree: 524280 kB Dirty: 4 kB Writeback: 0 kB Mapped: 42236 kB Slab: 25912 kB Committed_AS: 118680 kB PageTables: 1236 kB VmallocTotal: 3874808 kB VmallocUsed: 1416 kB VmallocChunk: 3872908 kB HugePages_Total: 0 HugePages_Free: 0 Hugepagesize: 4096 kB
free, top, and ps commands. In fact, the output of the free command is similar in appearance to the contents and structure of /proc/meminfo. But by looking directly at /proc/meminfo, more details are revealed:
MemTotal — Total amount of physical RAM, in kilobytes.
MemFree — The amount of physical RAM, in kilobytes, left unused by the system.
Buffers — The amount of physical RAM, in kilobytes, used for file buffers.
Cached — The amount of physical RAM, in kilobytes, used as cache memory.
SwapCached — The amount of swap, in kilobytes, used as cache memory.
Active — The total amount of buffer or page cache memory, in kilobytes, that is in active use. This is memory that has been recently used and is usually not reclaimed for other purposes.
Inactive — The total amount of buffer or page cache memory, in kilobytes, that are free and available. This is memory that has not been recently used and can be reclaimed for other purposes.
HighTotal and HighFree — The total and free amount of memory, in kilobytes, that is not directly mapped into kernel space. The HighTotal value can vary based on the type of kernel used.
LowTotal and LowFree — The total and free amount of memory, in kilobytes, that is directly mapped into kernel space. The LowTotal value can vary based on the type of kernel used.
SwapTotal — The total amount of swap available, in kilobytes.
SwapFree — The total amount of swap free, in kilobytes.
Dirty — The total amount of memory, in kilobytes, waiting to be written back to the disk.
Writeback — The total amount of memory, in kilobytes, actively being written back to the disk.
Mapped — The total amount of memory, in kilobytes, which have been used to map devices, files, or libraries using the mmap command.
Slab — The total amount of memory, in kilobytes, used by the kernel to cache data structures for its own use.
Committed_AS — The total amount of memory, in kilobytes, estimated to complete the workload. This value represents the worst case scenario value, and also includes swap memory.
PageTables — The total amount of memory, in kilobytes, dedicated to the lowest page table level.
VMallocTotal — The total amount of memory, in kilobytes, of total allocated virtual address space.
VMallocUsed — The total amount of memory, in kilobytes, of used virtual address space.
VMallocChunk — The largest contiguous block of memory, in kilobytes, of available virtual address space.
HugePages_Total — The total number of hugepages for the system. The number is derived by dividing Hugepagesize by the megabytes set aside for hugepages specified in /proc/sys/vm/hugetlb_pool. This statistic only appears on the x86, Itanium, and AMD64 architectures.
HugePages_Free — The total number of hugepages available for the system. This statistic only appears on the x86, Itanium, and AMD64 architectures.
Hugepagesize — The size for each hugepages unit in kilobytes. By default, the value is 4096 KB on uniprocessor kernels for 32 bit architectures. For SMP, hugemem kernels, and AMD64, the default is 2048 KB. For Itanium architectures, the default is 262144 KB. This statistic only appears on the x86, Itanium, and AMD64 architectures.
/proc/misc 63 device-mapper 175 agpgart 135 rtc 134 apm_bios
/proc/modules /proc/modules file output:
/sbin/lsmod command.
nfs 170109 0 - Live 0x129b0000 lockd 51593 1 nfs, Live 0x128b0000 nls_utf8 1729 0 - Live 0x12830000 vfat 12097 0 - Live 0x12823000 fat 38881 1 vfat, Live 0x1287b000 autofs4 20293 2 - Live 0x1284f000 sunrpc 140453 3 nfs,lockd, Live 0x12954000 3c59x 33257 0 - Live 0x12871000 uhci_hcd 28377 0 - Live 0x12869000 md5 3777 1 - Live 0x1282c000 ipv6 211845 16 - Live 0x128de000 ext3 92585 2 - Live 0x12886000 jbd 65625 1 ext3, Live 0x12857000 dm_mod 46677 3 - Live 0x12833000
Live, Loading, or Unloading are the only possible values.
oprofile.
/proc/mounts rootfs / rootfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 none /dev ramfs rw 0 0 /dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0 none /dev ramfs rw 0 0 /proc /proc proc rw,nodiratime 0 0 /sys /sys sysfs rw 0 0 none /dev/pts devpts rw 0 0 usbdevfs /proc/bus/usb usbdevfs rw 0 0 /dev/hda1 /boot ext3 rw 0 0 none /dev/shm tmpfs rw 0 0 none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0 sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
/etc/mtab, except that /proc/mount is more up-to-date.
ro) or read-write (rw). The fifth and sixth columns are dummy values designed to match the format used in /etc/mtab.
/proc/mtrr /proc/mtrr file may look similar to the following:
reg00: base=0x00000000 ( 0MB), size= 256MB: write-back, count=1 reg01: base=0xe8000000 (3712MB), size= 32MB: write-combining, count=1
/proc/mtrr file can increase performance more than 150%.
/usr/share/doc/kernel-doc-<version>/Documentation/mtrr.txt/proc/partitions major minor #blocks name 3 0 19531250 hda 3 1 104391 hda1 3 2 19422585 hda2 253 0 22708224 dm-0 253 1 524288 dm-1
major — The major number of the device with this partition. The major number in the /proc/partitions, (3), corresponds with the block device ide0, in /proc/devices.
minor — The minor number of the device with this partition. This serves to separate the partitions into different physical devices and relates to the number at the end of the name of the partition.
#blocks — Lists the number of physical disk blocks contained in a particular partition.
name — The name of the partition.
/proc/pci /proc/pci can be rather long. A sampling of this file from a basic system looks similar to the following:
Bus 0, device 0, function 0: Host bridge: Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge (rev 3). Master Capable. Latency=64. Prefetchable 32 bit memory at 0xe4000000 [0xe7ffffff]. Bus 0, device 1, function 0: PCI bridge: Intel Corporation 440BX/ZX - 82443BX/ZX AGP bridge (rev 3). Master Capable. Latency=64. Min Gnt=128. Bus 0, device 4, function 0: ISA bridge: Intel Corporation 82371AB PIIX4 ISA (rev 2). Bus 0, device 4, function 1: IDE interface: Intel Corporation 82371AB PIIX4 IDE (rev 1). Master Capable. Latency=32. I/O at 0xd800 [0xd80f]. Bus 0, device 4, function 2: USB Controller: Intel Corporation 82371AB PIIX4 USB (rev 1). IRQ 5. Master Capable. Latency=32. I/O at 0xd400 [0xd41f]. Bus 0, device 4, function 3: Bridge: Intel Corporation 82371AB PIIX4 ACPI (rev 2). IRQ 9. Bus 0, device 9, function 0: Ethernet controller: Lite-On Communications Inc LNE100TX (rev 33). IRQ 5. Master Capable. Latency=32. I/O at 0xd000 [0xd0ff]. Bus 0, device 12, function 0: VGA compatible controller: S3 Inc. ViRGE/DX or /GX (rev 1). IRQ 11. Master Capable. Latency=32. Min Gnt=4.Max Lat=255.
lspci -vb/proc/slabinfo /proc/slabinfo file manually, the /usr/bin/slabtop program displays kernel slab cache information in real time. This program allows for custom configurations, including column sorting and screen refreshing.
/usr/bin/slabtop usually looks like the following example:
Active / Total Objects (% used) : 133629 / 147300 (90.7%) Active / Total Slabs (% used) : 11492 / 11493 (100.0%) Active / Total Caches (% used) : 77 / 121 (63.6%) Active / Total Size (% used) : 41739.83K / 44081.89K (94.7%) Minimum / Average / Maximum Object : 0.01K / 0.30K / 128.00K OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME 44814 43159 96% 0.62K 7469 6 29876K ext3_inode_cache 36900 34614 93% 0.05K 492 75 1968K buffer_head 35213 33124 94% 0.16K 1531 23 6124K dentry_cache 7364 6463 87% 0.27K 526 14 2104K radix_tree_node 2585 1781 68% 0.08K 55 47 220K vm_area_struct 2263 2116 93% 0.12K 73 31 292K size-128 1904 1125 59% 0.03K 16 119 64K size-32 1666 768 46% 0.03K 14 119 56K anon_vma 1512 1482 98% 0.44K 168 9 672K inode_cache 1464 1040 71% 0.06K 24 61 96K size-64 1320 820 62% 0.19K 66 20 264K filp 678 587 86% 0.02K 3 226 12K dm_io 678 587 86% 0.02K 3 226 12K dm_tio 576 574 99% 0.47K 72 8 288K proc_inode_cache 528 514 97% 0.50K 66 8 264K size-512 492 372 75% 0.09K 12 41 48K bio 465 314 67% 0.25K 31 15 124K size-256 452 331 73% 0.02K 2 226 8K biovec-1 420 420 100% 0.19K 21 20 84K skbuff_head_cache 305 256 83% 0.06K 5 61 20K biovec-4 290 4 1% 0.01K 1 290 4K revoke_table 264 264 100% 4.00K 264 1 1056K size-4096 260 256 98% 0.19K 13 20 52K biovec-16 260 256 98% 0.75K 52 5 208K biovec-64
/proc/slabinfo that are included into /usr/bin/slabtop include:
OBJS — The total number of objects (memory blocks), including those in use (allocated), and some spares not in use.
ACTIVE — The number of objects (memory blocks) that are in use (allocated).
USE — Percentage of total objects that are active. ((ACTIVE/OBJS)(100))
OBJ SIZE — The size of the objects.
SLABS — The total number of slabs.
OBJ/SLAB — The number of objects that fit into a slab.
CACHE SIZE — The cache size of the slab.
NAME — The name of the slab.
/usr/bin/slabtop program, refer to the slabtop man page.
/proc/stat /proc/stat, which can be quite long, usually begins like the following example:
cpu 259246 7001 60190 34250993 137517 772 0 cpu0 259246 7001 60190 34250993 137517 772 0 intr 354133732 347209999 2272 0 4 4 0 0 3 1 1249247 0 0 80143 0 422626 5169433 ctxt 12547729 btime 1093631447 processes 130523 procs_running 1 procs_blocked 0 preempt 5651840 cpu 209841 1554 21720 118519346 72939 154 27168 cpu0 42536 798 4841 14790880 14778 124 3117 cpu1 24184 569 3875 14794524 30209 29 3130 cpu2 28616 11 2182 14818198 4020 1 3493 cpu3 35350 6 2942 14811519 3045 0 3659 cpu4 18209 135 2263 14820076 12465 0 3373 cpu5 20795 35 1866 14825701 4508 0 3615 cpu6 21607 0 2201 14827053 2325 0 3334 cpu7 18544 0 1550 14831395 1589 0 3447 intr 15239682 14857833 6 0 6 6 0 5 0 1 0 0 0 29 0 2 0 0 0 0 0 0 0 94982 0 286812 ctxt 4209609 btime 1078711415 processes 21905 procs_running 1 procs_blocked 0
cpu — Measures the number of jiffies (1/100 of a second for x86 systems) that the system has been in user mode, user mode with low priority (nice), system mode, idle task, I/O wait, IRQ (hardirq), and softirq respectively. The IRQ (hardirq) is the direct response to a hardware event. The IRQ takes minimal work for queuing the "heavy" work up for the softirq to execute. The softirq runs at a lower priority than the IRQ and therefore may be interrupted more frequently. The total for all CPUs is given at the top, while each individual CPU is listed below with its own statistics. The following example is a 4-way Intel Pentium Xeon configuration with multi-threading enabled, therefore showing four physical processors and four virtual processors totaling eight processors.
page — The number of memory pages the system has written in and out to disk.
swap — The number of swap pages the system has brought in and out.
intr — The number of interrupts the system has experienced.
btime — The boot time, measured in the number of seconds since January 1, 1970, otherwise known as the epoch.
/proc/swaps /proc/swaps may look similar to the following:
Filename Type Size Used Priority /dev/mapper/VolGroup00-LogVol01 partition 524280 0 -1
/proc/ directory, /proc/swaps provides a snapshot of every swap file name, the type of swap space, the total size, and the amount of space in use (in kilobytes). The priority column is useful when multiple swap files are in use. The lower the priority, the more likely the swap file is to be used.
/proc/sysrq-trigger echo command to write to this file, a remote root user can execute most System Request Key commands remotely as if at the local terminal. To echo values to this file, the /proc/sys/kernel/sysrq must be set to a value other than 0. For more information about the System Request Key, refer to Section 4.3.9.3, “ /proc/sys/kernel/ ”.
/proc/uptime /proc/uptime is quite minimal:
350735.47 234388.90
/proc/version gcc in use, as well as the version of Red Hat Enterprise Linux installed on the system:
Linux version 2.6.8-1.523 (user@foo.redhat.com) (gcc version 3.4.1 20040714 \ (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004
/proc/ /proc/ directory.
/proc/ directory contains a number of directories with numerical names. A listing of them may be similar to the following:
dr-xr-xr-x 3 root root 0 Feb 13 01:28 1 dr-xr-xr-x 3 root root 0 Feb 13 01:28 1010 dr-xr-xr-x 3 xfs xfs 0 Feb 13 01:28 1087 dr-xr-xr-x 3 daemon daemon 0 Feb 13 01:28 1123 dr-xr-xr-x 3 root root 0 Feb 13 01:28 11307 dr-xr-xr-x 3 apache apache 0 Feb 13 01:28 13660 dr-xr-xr-x 3 rpc rpc 0 Feb 13 01:28 637 dr-xr-xr-x 3 rpcuser rpcuser 0 Feb 13 01:28 666
/proc/ process directory vanishes.
cmdline — Contains the command issued when starting the process.
cwd — A symbolic link to the current working directory for the process.
environ — A list of the environment variables for the process. The environment variable is given in all upper-case characters, and the value is in lower-case characters.
exe — A symbolic link to the executable of this process.
fd — A directory containing all of the file descriptors for a particular process. These are given in numbered links:
total 0 lrwx------ 1 root root 64 May 8 11:31 0 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 1 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 2 -> /dev/null lrwx------ 1 root root 64 May 8 11:31 3 -> /dev/ptmx lrwx------ 1 root root 64 May 8 11:31 4 -> socket:[7774817] lrwx------ 1 root root 64 May 8 11:31 5 -> /dev/ptmx lrwx------ 1 root root 64 May 8 11:31 6 -> socket:[7774829] lrwx------ 1 root root 64 May 8 11:31 7 -> /dev/ptmx
maps — A list of memory maps to the various executables and library files associated with this process. This file can be rather long, depending upon the complexity of the process, but sample output from the sshd process begins like the following:
08048000-08086000 r-xp 00000000 03:03 391479 /usr/sbin/sshd 08086000-08088000 rw-p 0003e000 03:03 391479 /usr/sbin/sshd 08088000-08095000 rwxp 00000000 00:00 0 40000000-40013000 r-xp 0000000 03:03 293205 /lib/ld-2.2.5.so 40013000-40014000 rw-p 00013000 03:03 293205 /lib/ld-2.2.5.so 40031000-40038000 r-xp 00000000 03:03 293282 /lib/libpam.so.0.75 40038000-40039000 rw-p 00006000 03:03 293282 /lib/libpam.so.0.75 40039000-4003a000 rw-p 00000000 00:00 0 4003a000-4003c000 r-xp 00000000 03:03 293218 /lib/libdl-2.2.5.so 4003c000-4003d000 rw-p 00001000 03:03 293218 /lib/libdl-2.2.5.so
mem — The memory held by the process. This file cannot be read by the user.
root — A link to the root directory of the process.
stat — The status of the process.
statm — The status of the memory in use by the process. Below is a sample /proc/statm file:
263 210 210 5 0 205 0
status — The status of the process in a more readable form than stat or statm. Sample output for sshd looks similar to the following:
Name: sshd State: S (sleeping) Tgid: 797 Pid: 797 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: VmSize: 3072 kB VmLck: 0 kB VmRSS: 840 kB VmData: 104 kB VmStk: 12 kB VmExe: 300 kB VmLib: 2528 kB SigPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 8000000000001000 SigCgt: 0000000000014005 CapInh: 0000000000000000 CapPrm: 00000000fffffeff CapEff: 00000000fffffeff
S (sleeping) or R (running)), user/group ID running the process, and detailed data regarding memory usage.
/proc/self/ /proc/self/ directory is a link to the currently running process. This allows a process to look at itself without having to know its process ID.
/proc/self/ directory produces the same contents as listing the process directory for that process.
/proc/bus/ /proc/bus/ by the same name, such as /proc/bus/pci/.
/proc/bus/ vary depending on the devices connected to the system. However, each bus type has at least one directory. Within these bus directories are normally at least one subdirectory with a numerical name, such as 001, which contain binary files.
/proc/bus/usb/ subdirectory contains files that track the various devices on any USB buses, as well as the drivers required for them. The following is a sample listing of a /proc/bus/usb/ directory:
total 0 dr-xr-xr-x 1 root root 0 May 3 16:25 001 -r--r--r-- 1 root root 0 May 3 16:25 devices -r--r--r-- 1 root root 0 May 3 16:25 drivers
/proc/bus/usb/001/ directory contains all devices on the first USB bus and the devices file identifies the USB root hub on the motherboard.
/proc/bus/usb/devices file:
T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2 B: Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0 D: Ver= 1.00 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 P: Vendor=0000 ProdID=0000 Rev= 0.00 S: Product=USB UHCI Root Hub S: SerialNumber=d400 C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=255ms
/proc/driver/ rtc which provides output from the driver for the system's Real Time Clock (RTC), the device that keeps the time while the system is switched off. Sample output from /proc/driver/rtc looks like the following:
rtc_time : 16:21:00 rtc_date : 2004-08-31 rtc_epoch : 1900 alarm : 21:16:27 DST_enable : no BCD : yes 24hr : yes square_wave : no alarm_IRQ : no update_IRQ : no periodic_IRQ : no periodic_freq : 1024 batt_status : okay
/usr/share/doc/kernel-doc-<version>/Documentation/rtc.txt.
/proc/fs cat /proc/fs/nfsd/exports displays the file systems being shared and the permissions granted for those file systems. For more on file system sharing with NFS, refer to Chapter 20, Network File System (NFS).
/proc/ide/ /proc/ide/ide0 and /proc/ide/ide1. In addition, a drivers file is available, providing the version number of the various drivers used on the IDE channels:
ide-floppy version 0.99. newide ide-cdrom version 4.61 ide-disk version 1.18
/proc/ide/piix file which reveals whether DMA or UDMA is enabled for the devices on the IDE channels:
Intel PIIX4 Ultra 33 Chipset. ------------- Primary Channel ---------------- Secondary Channel ------------- enabled enabled ------------- drive0 --------- drive1 -------- drive0 ---------- drive1 ------ DMA enabled: yes no yes no UDMA enabled: yes no no no UDMA enabled: 2 X X X UDMA DMA PIO
ide0, provides additional information. The channel file provides the channel number, while the model identifies the bus type for the channel (such as pci).
/dev/ directory. For instance, the first IDE drive on ide0 would be hda.
/proc/ide/ directory.
cache — The device cache.
capacity — The capacity of the device, in 512 byte blocks.
driver — The driver and version used to control the device.
geometry — The physical and logical geometry of the device.
media — The type of device, such as a disk.
model — The model name or number of the device.
settings — A collection of current device parameters. This file usually contains quite a bit of useful, technical information. A sample settings file for a standard IDE hard disk looks similar to the following:
name value min max mode ---- ----- --- --- ---- acoustic 0 0 254 rw address 0 0 2 rw bios_cyl 38752 0 65535 rw bios_head 16 0 255 rw bios_sect 63 0 63 rw bswap 0 0 1 r current_speed 68 0 70 rw failures 0 0 65535 rw init_speed 68 0 70 rw io_32bit 0 0 3 rw keepsettings 0 0 1 rw lun 0 0 7 rw max_failures 1 0 65535 rw multcount 16 0 16 rw nice1 1 0 1 rw nowerr 0 0 1 rw number 0 0 3 rw pio_mode write-only 0 255 w unmaskirq 0 0 1 rw using_dma 1 0 1 rw wcache 1 0 1 rw
/proc/irq/ /proc/irq/prof_cpu_mask file is a bitmask that contains the default values for the smp_affinity file in the IRQ directory. The values in smp_affinity specify which CPUs handle that particular IRQ.
/proc/irq/ directory, refer to the following installed documentation:
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt/proc/net/ /proc/net/ directory:
arp — Lists the kernel's ARP table. This file is particularly useful for connecting a hardware address to an IP address on a system.
atm/ directory — The files within this directory contain Asynchronous Transfer Mode (ATM) settings and statistics. This directory is primarily used with ATM networking and ADSL cards.
dev — Lists the various network devices configured on the system, complete with transmit and receive statistics. This file displays the number of bytes each interface has sent and received, the number of packets inbound and outbound, the number of errors seen, the number of packets dropped, and more.
dev_mcast — Lists Layer2 multicast groups on which each device is listening.
igmp — Lists the IP multicast addresses which this system joined.
ip_conntrack — Lists tracked network connections for machines that are forwarding IP connections.
ip_tables_names — Lists the types of iptables in use. This file is only present if iptables is active on the system and contains one or more of the following values: filter, mangle, or nat.
ip_mr_cache — Lists the multicast routing cache.
ip_mr_vif — Lists multicast virtual interfaces.
netstat — Contains a broad yet detailed collection of networking statistics, including TCP timeouts, SYN cookies sent and received, and much more.
psched — Lists global packet scheduler parameters.
raw — Lists raw device statistics.
route — Lists the kernel's routing table.
rt_cache — Contains the current routing cache.
snmp — List of Simple Network Management Protocol (SNMP) data for various networking protocols in use.
sockstat — Provides socket statistics.
tcp — Contains detailed TCP socket information.
tr_rif — Lists the token ring RIF routing table.
udp — Contains detailed UDP socket information.
unix — Lists UNIX domain sockets currently in use.
wireless — Lists wireless interface data.
/proc/scsi/ /proc/ide/ directory, but it is for connected SCSI devices.
/proc/scsi/scsi, which contains a list of every recognized SCSI device. From this listing, the type of device, as well as the model name, vendor, SCSI channel and ID data is available.
Attached devices: Host: scsi1 Channel: 00 Id: 05 Lun: 00 Vendor: NEC Model: CD-ROM DRIVE:466 Rev: 1.06 Type: CD-ROM ANSI SCSI revision: 02 Host: scsi1 Channel: 00 Id: 06 Lun: 00 Vendor: ARCHIVE Model: Python 04106-XXX Rev: 7350 Type: Sequential-Access ANSI SCSI revision: 02 Host: scsi2 Channel: 00 Id: 06 Lun: 00 Vendor: DELL Model: 1x6 U2W SCSI BP Rev: 5.35 Type: Processor ANSI SCSI revision: 02 Host: scsi2 Channel: 02 Id: 00 Lun: 00 Vendor: MegaRAID Model: LD0 RAID5 34556R Rev: 1.01 Type: Direct-Access ANSI SCSI revision: 02
/proc/scsi/, which contains files specific to each SCSI controller using that driver. From the previous example, aic7xxx/ and megaraid/ directories are present, since two drivers are in use. The files in each of the directories typically contain an I/O address range, IRQ information, and statistics for the SCSI controller using that driver. Each controller can report a different type and amount of information. The Adaptec AIC-7880 Ultra SCSI host adapter's file in this example system produces the following output:
Adaptec AIC7xxx driver version: 5.1.20/3.2.4
Compile Options:
TCQ Enabled By Default : Disabled
AIC7XXX_PROC_STATS : Enabled
AIC7XXX_RESET_DELAY : 5
Adapter Configuration:
SCSI Adapter: Adaptec AIC-7880 Ultra SCSI host adapter
Ultra Narrow Controller PCI MMAPed
I/O Base: 0xfcffe000
Adapter SEEPROM Config: SEEPROM found and used.
Adaptec SCSI BIOS: Enabled
IRQ: 30
SCBs: Active 0, Max Active 1, Allocated 15, HW 16, Page 255
Interrupts: 33726
BIOS Control Word: 0x18a6
Adapter Control Word: 0x1c5f
Extended Translation: Enabled
Disconnect Enable Flags: 0x00ff
Ultra Enable Flags: 0x0020
Tag Queue Enable Flags: 0x0000
Ordered Queue Tag Flags: 0x0000
Default Tag Queue Depth: 8
Tagged Queue By Device array for aic7xxx
host instance 1: {255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255}
Actual queue depth per device for aic7xxx host instance 1: {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}
Statistics:
(scsi1:0:5:0) Device using Narrow/Sync transfers at 20.0 MByte/sec, offset 15
Transinfo settings: current(12/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 0 (0 reads and 0 writes)
< 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+
Reads: 0 0 0 0 0 0 0 0
Writes: 0 0 0 0 0 0 0 0
(scsi1:0:6:0) Device using Narrow/Sync transfers at 10.0 MByte/sec, offset 15
Transinfo settings: current(25/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 132 (0 reads and 132 writes)
< 2K 2K+ 4K+ 8K+ 16K+ 32K+ 64K+ 128K+
Reads: 0 0 0 0 0 0 0 0
Writes: 0 0 0 1 131 0 0 0/proc/sys/ /proc/sys/ directory is different from others in /proc/ because it not only provides information about the system but also allows the system administrator to immediately enable and disable kernel features.
/proc/sys/ directory. Changing the wrong setting may render the kernel unstable, requiring a system reboot.
/proc/sys/.
-l option at the shell prompt. If the file is writable, it may be used to configure the kernel. For example, a partial listing of /proc/sys/fs looks like the following:
-r--r--r-- 1 root root 0 May 10 16:14 dentry-state -rw-r--r-- 1 root root 0 May 10 16:14 dir-notify-enable -r--r--r-- 1 root root 0 May 10 16:14 dquot-nr -rw-r--r-- 1 root root 0 May 10 16:14 file-max -r--r--r-- 1 root root 0 May 10 16:14 file-nr
dir-notify-enable and file-max can be written to and, therefore, can be used to configure the kernel. The other files only provide feedback on current settings.
/proc/sys/ file is done by echoing the new value into the file. For example, to enable the System Request Key on a running kernel, type the command:
echo 1 > /proc/sys/kernel/sysrqsysrq from 0 (off) to 1 (on).
/proc/sys/ configuration files contain more than one value. To correctly send new values to them, place a space character between each value passed with the echo command, such as is done in this example:
echo 4 2 45 > /proc/sys/kernel/acctecho command disappear when the system is restarted. To make configuration changes take effect after the system is rebooted, refer to Section 4.4, “Using the sysctl Command”.
/proc/sys/ directory contains several subdirectories controlling different aspects of a running kernel.
/proc/sys/dev/ cdrom/ and raid/. Customized kernels can have other directories, such as parport/, which provides the ability to share one parallel port between multiple device drivers.
cdrom/ directory contains a file called info, which reveals a number of important CD-ROM parameters:
CD-ROM information, Id: cdrom.c 3.20 2003/12/17 drive name: hdc drive speed: 48 drive # of slots: 1 Can close tray: 1 Can open tray: 1 Can lock tray: 1 Can change speed: 1 Can select disk: 0 Can read multisession: 1 Can read MCN: 1 Reports media changed: 1 Can play audio: 1 Can write CD-R: 0 Can write CD-RW: 0 Can read DVD: 0 Can write DVD-R: 0 Can write DVD-RAM: 0 Can read MRW: 0 Can write MRW: 0 Can write RAM: 0
/proc/sys/dev/cdrom, such as autoclose and checkmedia, can be used to control the system's CD-ROM. Use the echo command to enable or disable these features.
/proc/sys/dev/raid/ directory becomes available with at least two files in it: speed_limit_min and speed_limit_max. These settings determine the acceleration of RAID devices for I/O intensive tasks, such as resyncing the disks.
/proc/sys/fs/ binfmt_misc/ directory is used to provide kernel support for miscellaneous binary formats.
/proc/sys/fs/ include:
dentry-state — Provides the status of the directory cache. The file looks similar to the following:
57411 52939 45 0 0 0
dquot-nr — Lists the maximum number of cached disk quota entries.
file-max — Lists the maximum number of file handles that the kernel allocates. Raising the value in this file can resolve errors caused by a lack of available file handles.
file-nr — Lists the number of allocated file handles, used file handles, and the maximum number of file handles.
overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with file systems that only support 16-bit group and user IDs.
super-max — Controls the maximum number of superblocks available.
super-nr — Displays the current number of superblocks in use.
/proc/sys/kernel/ acct — Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following:
4 2 30
cap-bound — Controls the capability bounding settings, which provides a list of capabilities for any process on the system. If a capability is not listed here, then no process, no matter how privileged, can do it. The idea is to make the system more secure by ensuring that certain things cannot happen, at least beyond a certain point in the boot process.
/lib/modules/<kernel-version>/build/include/linux/capability.h.
ctrl-alt-del — Controls whether Ctrl+Alt+Delete gracefully restarts the computer using init (0) or forces an immediate reboot without syncing the dirty buffers to disk (1).
domainname — Configures the system domain name, such as example.com.
exec-shield — Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks.
0 — Disables Exec Shield.
1 — Enables Exec Shield. This is the default value.
exec-shield-randomize — Enables location randomization of various items in memory. This helps deter potential attackers from locating programs and daemons in memory. Each time a program or daemon starts, it is put into a different memory location each time, never in a static or absolute memory address.
0 — Disables randomization of Exec Shield. This may be useful for application debugging purposes.
1 — Enables randomization of Exec Shield. This is the default value. Note: The exec-shield file must also be set to 1 for exec-shield-randomize to be effective.
hostname — Configures the system hostname, such as www.example.com.
hotplug — Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of /sbin/hotplug should not be changed unless testing a new program to fulfill this role.
modprobe — Sets the location of the program used to load kernel modules. The default value is /sbin/modprobe which means kmod calls it to load the module when a kernel thread calls kmod.
msgmax — Sets the maximum size of any message sent from one process to another and is set to 8192 bytes by default. Be careful when raising this value, as queued messages between processes are stored in non-swappable kernel memory. Any increase in msgmax would increase RAM requirements for the system.
msgmnb — Sets the maximum number of bytes in a single message queue. The default is 16384.
msgmni — Sets the maximum number of message queue identifiers. The default is 16.
osrelease — Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling.
ostype — Displays the type of operating system. By default, this file is set to Linux, and this value can only be changed by changing the kernel source and recompiling.
overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with system calls on architectures that only support 16-bit group and user IDs.
panic — Defines the number of seconds the kernel postpones rebooting when the system experiences a kernel panic. By default, the value is set to 0, which disables automatic rebooting after a panic.
printk — This file controls a variety of settings related to printing or logging error messages. Each error message reported by the kernel has a loglevel associated with it that defines the importance of the message. The loglevel values break down in this order:
0 — Kernel emergency. The system is unusable.
1 — Kernel alert. Action must be taken immediately.
2 — Condition of the kernel is considered critical.
3 — General kernel error condition.
4 — General kernel warning condition.
5 — Kernel notice of a normal but significant condition.
6 — Kernel informational message.
7 — Kernel debug-level messages.
printk file:
6 4 1 7
random/ directory — Lists a number of values related to generating random numbers for the kernel.
rtsig-max — Configures the maximum number of POSIX real-time signals that the system may have queued at any one time. The default value is 1024.
rtsig-nr — Lists the current number of POSIX real-time signals queued by the kernel.
sem — Configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process.
shmall— Sets the total amount of shared memory pages that can be used at one time, system-wide. By default, this value is 2097152.
shmmax — Sets the largest shared memory segment size allowed by the kernel. By default, this value is 33554432. However, the kernel supports much larger values than this.
shmmni — Sets the maximum number of shared memory segments for the whole system. By default, this value is 4096.
sysrq — Activates the System Request Key, if this value is set to anything other than zero (0), the default.
<system request code> . Replace <system request code> with one of the following system request codes:
r — Disables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as Alt, Ctrl, or Shift for all keys).
k — Kills all processes active in a virtual console. Also called Secure Access Key (SAK), it is often used to verify that the login prompt is spawned from init and not a Trojan copy designed to capture usernames and passwords.
b — Reboots the kernel without first unmounting file systems or syncing disks attached to the system.
c — Crashes the system without first unmounting file systems or syncing disks attached to the system.
o — Shuts off the system.
s — Attempts to sync disks attached to the system.
u — Attempts to unmount and remount all file systems as read-only.
p — Outputs all flags and registers to the console.
t — Outputs a list of processes to the console.
m — Outputs memory statistics to the console.
0 through 9 — Sets the log level for the console.
e — Kills all processes except init using SIGTERM.
i — Kills all processes except init using SIGKILL.
l — Kills all processes using SIGKILL (including init). The system is unusable after issuing this System Request Key code.
h — Displays help text.
/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt for more information about the System Request Key.
sysrq-key — Defines the key code for the System Request Key (84 is the default).
sysrq-sticky — Defines whether the System Request Key is a chorded key combination. The accepted values are as follows:
0 — Alt+SysRq and the system request code must be pressed simultaneously. This is the default value.
1 — Alt+SysRq must be pressed simultaneously, but the system request code can be pressed anytime before the number of seconds specified in /proc/sys/kernel/sysrq-timer elapses.
sysrq-timer — Specifies the number of seconds allowed to pass before the system request code must be pressed. The default value is 10.
tainted — Indicates whether a non-GPL module is loaded.
0 — No non-GPL modules are loaded.
1 — At least one module without a GPL license (including modules with no license) is loaded.
2 — At least one module was force-loaded with the command insmod -f.
threads-max — Sets the maximum number of threads to be used by the kernel, with a default value of 2048.
version — Displays the date and time the kernel was last compiled. The first field in this file, such as #3, relates to the number of times a kernel was built from the source base.
/proc/sys/net/ ethernet/, ipv4/, ipx/, and ipv6/. By altering the files within these directories, system administrators are able to adjust the network configuration on a running system.
/proc/sys/net/ directories are discussed.
/proc/sys/net/core/ directory contains a variety of settings that control the interaction between the kernel and networking layers. The most important of these files are:
message_burst — Sets the amount of time in tenths of a second required to write a new warning message. This setting is used to mitigate Denial of Service (DoS) attacks. The default setting is 50.
message_cost — Sets a cost on every warning message. The higher the value of this file (default of 5), the more likely the warning message is ignored. This setting is used to mitigate DoS attacks.
message_burst and message_cost are designed to be modified based on the system's acceptable risk versus the need for comprehensive logging.
netdev_max_backlog — Sets the maximum number of packets allowed to queue when a particular interface receives packets faster than the kernel can process them. The default value for this file is 300.
optmem_max — Configures the maximum ancillary buffer size allowed per socket.
rmem_default — Sets the receive socket buffer default size in bytes.
rmem_max — Sets the receive socket buffer maximum size in bytes.
wmem_default — Sets the send socket buffer default size in bytes.
wmem_max — Sets the send socket buffer maximum size in bytes.
/proc/sys/net/ipv4/ directory contains additional networking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when using the system to act as a router.
/proc/sys/net/ipv4/ directory:
icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate, and icmp_timeexeed_rate — Set the maximum ICMP send packet rate, in 1/100 of a second, to hosts under certain conditions. A setting of 0 removes any delay and is not a good idea.
icmp_echo_ignore_all and icmp_echo_ignore_broadcasts — Allows the kernel to ignore ICMP ECHO packets from every host or only those originating from broadcast and multicast addresses, respectively. A value of 0 allows the kernel to respond, while a value of 1 ignores the packets.
ip_default_ttl — Sets the default Time To Live (TTL), which limits the number of hops a packet may make before reaching its destination. Increasing this value can diminish system performance.
ip_forward — Permits interfaces on the system to forward packets to one other. By default, this file is set to 0. Setting this file to 1 enables network packet forwarding.
ip_local_port_range — Specifies the range of ports to be used by TCP or UDP when a local port is needed. The first number is the lowest port to be used and the second number specifies the highest port. Any systems that expect to require more ports than the default 1024 to 4999 should use a range from 32768 to 61000.
tcp_syn_retries — Provides a limit on the number of times the system re-transmits a SYN packet when attempting to make a connection.
tcp_retries1 — Sets the number of permitted re-transmissions attempting to answer an incoming connection. Default of 3.
tcp_retries2 — Sets the number of permitted re-transmissions of TCP packets. Default of 15.
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ ip-sysctl.txt/proc/sys/net/ipv4/ directory.
/proc/sys/net/ipv4/ directory and each covers a different aspect of the network stack. The /proc/sys/net/ipv4/conf/ directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the /proc/sys/net/ipv4/conf/default/ subdirectory) and settings that override all special configurations (in the /proc/sys/net/ipv4/conf/all/ subdirectory).
/proc/sys/net/ipv4/neigh/ directory contains settings for communicating with a host directly connected to the system (called a network neighbor) and also contains different settings for systems more than one hop away.
/proc/sys/net/ipv4/route/. Unlike conf/ and neigh/, the /proc/sys/net/ipv4/route/ directory contains specifications that apply to routing with any interfaces on the system. Many of these settings, such as max_size, max_delay, and min_delay, relate to controlling the size of the routing cache. To clear the routing cache, write any value to the flush file.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt/proc/sys/vm/ /proc/sys/vm/ directory:
block_dump — Configures block I/O debugging when enabled. All read/write and block dirtying operations done to files are logged accordingly. This can be useful if diagnosing disk spin up and spin downs for laptop battery conservation. All output when block_dump is enabled can be retrieved via dmesg. The default value is 0.
block_dump is enabled at the same time as kernel debugging, it is prudent to stop the klogd daemon, as it generates erroneous disk activity caused by block_dump.
dirty_background_ratio — Starts background writeback of dirty data at this percentage of total memory, via a pdflush daemon. The default value is 10.
dirty_expire_centisecs — Defines when dirty in-memory data is old enough to be eligible for writeout. Data which has been dirty in-memory for longer than this interval is written out next time a pdflush daemon wakes up. The default value is 3000, expressed in hundredths of a second.
dirty_ratio — Starts active writeback of dirty data at this percentage of total memory for the generator of dirty data, via pdflush. The default value is 40.
dirty_writeback_centisecs — Defines the interval between pdflush daemon wakeups, which periodically writes dirty in-memory data out to disk. The default value is 500, expressed in hundredths of a second.
laptop_mode — Minimizes the number of times that a hard disk needs to spin up by keeping the disk spun down for as long as possible, therefore conserving battery power on laptops. This increases efficiency by combining all future I/O processes together, reducing the frequency of spin ups. The default value is 0, but is automatically enabled in case a battery on a laptop is used.
/usr/share/doc/kernel-doc-<version>/Documentation/laptop-mode.txt
lower_zone_protection — Determines how aggressive the kernel is in defending lower memory allocation zones. This is effective when utilized with machines configured with highmem memory space enabled. The default value is 0, no protection at all. All other integer values are in megabytes, and lowmem memory is therefore protected from being allocated by users.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt
max_map_count — Configures the maximum number of memory map areas a process may have. In most cases, the default value of 65536 is appropriate.
min_free_kbytes — Forces the Linux VM (virtual memory manager) to keep a minimum number of kilobytes free. The VM uses this number to compute a pages_min value for each lowmem zone in the system. The default value is in respect to the total memory on the machine.
nr_hugepages — Indicates the current number of configured hugetlb pages in the kernel.
/usr/share/doc/kernel-doc-<version>/Documentation/vm/hugetlbpage.txt
nr_pdflush_threads — Indicates the number of pdflush daemons that are currently running. This file is read-only, and should not be changed by the user. Under heavy I/O loads, the default value of two is increased by the kernel.
overcommit_memory — Configures the conditions under which a large memory request is accepted or denied. The following three modes are available:
0 — The kernel performs heuristic memory over commit handling by estimating the amount of memory available and failing requests that are blatantly invalid. Unfortunately, since memory is allocated using a heuristic rather than a precise algorithm, this setting can sometimes allow available memory on the system to be overloaded. This is the default setting.
1 — The kernel performs no memory over commit handling. Under this setting, the potential for memory overload is increased, but so is performance for memory intensive tasks (such as those executed by some scientific software).
2 — The kernel fails requests for memory that add up to all of swap plus the percent of physical RAM specified in /proc/sys/vm/overcommit_ratio. This setting is best for those who desire less risk of memory overcommitment.
overcommit_ratio — Specifies the percentage of physical RAM considered when /proc/sys/vm/overcommit_memory is set to 2. The default value is 50.
page-cluster — Sets the number of pages read in a single attempt. The default value of 3, which actually relates to 16 pages, is appropriate for most systems.
swappiness — Determines how much a machine should swap. The higher the value, the more swapping occurs. The default value, as a percentage, is set to 60.
/usr/share/doc/kernel-doc-<version>/Documentation/, which contains additional information.
/proc/sysvipc/ msg), semaphores (sem), and shared memory (shm).
/proc/tty/ drivers file is a list of the current tty devices in use, as in the following example:
serial /dev/cua 5 64-127 serial:callout serial /dev/ttyS 4 64-127 serial pty_slave /dev/pts 136 0-255 pty:slave pty_master /dev/ptm 128 0-255 pty:master pty_slave /dev/ttyp 3 0-255 pty:slave pty_master /dev/pty 2 0-255 pty:master /dev/vc/0 /dev/vc/0 4 0 system:vtmaster /dev/ptmx /dev/ptmx 5 2 system /dev/console /dev/console 5 1 system:console /dev/tty /dev/tty 5 0 system:/dev/tty unknown /dev/vc/%d 4 1-63 console
/proc/tty/driver/serial file lists the usage statistics and status of each of the serial tty lines.
ldiscs file, and more detailed information is available within the ldisc/ directory.
/proc/<PID>/ /proc/sys/vm/panic_on_oom. When set to 1 the kernel will panic on OOM. A setting of 0 instructs the kernel to call a function named oom_killer on an OOM. Usually, oom_killer can kill rogue processes and the system will survive.
/proc/sys/vm/panic_on_oom.
~]#cat /proc/sys/vm/panic_on_oom1 ~]#echo 0 > /proc/sys/vm/panic_on_oom~]#cat /proc/sys/vm/panic_on_oom0
oom_killer score. In /proc/<PID>/ there are two tools labelled oom_adj and oom_score. Valid scores for oom_adj are in the range -16 to +15. To see the current oom_killer score, view the oom_score for the process. oom_killer will kill processes with the highest scores first.
oom_killer will kill it.
~]#cat /proc/12465/oom_score79872 ~]#echo -5 > /proc/12465/oom_adj~]#cat /proc/12465/oom_score78
oom_killer for that process. In the example below, oom_score returns a value of 0, indicating that this process would not be killed.
~]#cat /proc/12465/oom_score78 ~]#echo -17 > /proc/12465/oom_adj~]#cat /proc/12465/oom_score0
badness() is used to determine the actual score for each process. This is done by adding up 'points' for each examined process. The process scoring is done in the following way:
CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities have their scores reduced.
oom_adj file.
oom_score value will most probably be a non-privileged, recently started process that, along with its children, uses a large amount of memory, has been 'niced', and handles no raw I/O.
sysctl Command/sbin/sysctl command is used to view, set, and automate kernel settings in the /proc/sys/ directory.
/proc/sys/ directory, type the /sbin/sysctl -a command as root. This creates a large, comprehensive list, a small portion of which looks something like the following:
net.ipv4.route.min_delay = 2 kernel.sysrq = 0 kernel.sem = 250 32000 32 128
/proc/sys/net/ipv4/route/min_delay file is listed as net.ipv4.route.min_delay, with the directory slashes replaced by dots and the proc.sys portion assumed.
sysctl command can be used in place of echo to assign values to writable files in the /proc/sys/ directory. For example, instead of using the command
echo 1 > /proc/sys/kernel/sysrqsysctl command as follows:
~]# sysctl -w kernel.sysrq="1"
kernel.sysrq = 1/proc/sys/ is helpful during testing, this method does not work as well on a production system as special settings within /proc/sys/ are lost when the machine is rebooted. To preserve custom settings, add them to the /etc/sysctl.conf file.
init program runs the /etc/rc.d/rc.sysinit script. This script contains a command to execute sysctl using /etc/sysctl.conf to determine the values passed to the kernel. Any values added to /etc/sysctl.conf therefore take effect each time the system boots.
proc file system.
proc file system is installed on the system by default.
/usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt — Contains assorted, but limited, information about all aspects of the /proc/ directory.
/usr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt — An overview of System Request Key options.
/usr/share/doc/kernel-doc-<version>/Documentation/sysctl/ — A directory containing a variety of sysctl tips, including modifying values that concern the kernel (kernel.txt), accessing file systems (fs.txt), and virtual memory use (vm.txt).
/usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt — A detailed overview of IP networking options.
/) partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The other 40G acts like a mirror of the first 40G.
/dev/hda and /dev/hdb) to illustrate the creation of simple RAID 1 and RAID 0 configurations, and detail how to create a simple RAID configuration by implementing multiple RAID devices.
/boot partition as a software RAID device, leaving the root partition (/), /home, and swap as regular file systems. Figure 5.4, “RAID 1 Partitions Ready, Pre-Device and Mount Point Creation” shows successfully allocated space for the RAID 1 configuration (for /boot), which is now ready for RAID device and mount point creation:
/boot, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a separate RAID partition of /boot, and you are making a RAID partition for the root file system (that is, /), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).
/), home partition (/home), or swap.
/proc/mdstat special file. To list these devices, display the content of this file by typing the following at a shell prompt:
cat/proc/mdstat
root:
mdadm--querydevice…
mdadm--detailraid_device…
mdadm--examinecomponent_device…
mdadm --detail command displays information about a RAID device, mdadm --examine only relays information about a RAID device as it relates to a given component device. This distinction is particularly important when working with a RAID device that itself is a component of another RAID device.
mdadm --query command, as well as both mdadm --detail and mdadm --examine commands allow you to specify multiple devices at once.
/dev/md0 is a RAID device by typing the following at a shell prompt:
~]# mdadm --query /dev/md0
/dev/md0: 125.38MiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
/dev/md0: No md super block found, not an md component.~]# mdadm --detail /dev/md0
/dev/md0:
Version : 0.90
Creation Time : Tue Jun 28 16:05:49 2011
Raid Level : raid1
Array Size : 128384 (125.40 MiB 131.47 MB)
Used Dev Size : 128384 (125.40 MiB 131.47 MB)
Raid Devices : 2
Total Devices : 2
Preferred Minor : 0
Persistence : Superblock is persistent
Update Time : Thu Jun 30 17:06:34 2011
State : clean
Active Devices : 2
Working Devices : 2
Failed Devices : 0
Spare Devices : 0
UUID : 49c5ac74:c2b79501:5c28cb9c:16a6dd9f
Events : 0.6
Number Major Minor RaidDevice State
0 3 1 0 active sync /dev/hda1
1 3 65 1 active sync /dev/hdb1~]$ cat /proc/mdstat
Personalities : [raid0] [raid1]
md0 : active raid1 hdb1[1] hda1[0]
128384 blocks [2/2] [UU]
md1 : active raid0 hdb2[1] hda2[0]
1573888 blocks 256k chunks
md2 : active raid0 hdb3[1] hda3[0]
19132928 blocks 256k chunks
unused devices: <none>root:
mdadm--createraid_device--level=level--raid-devices=numbercomponent_device…
mdadm(8) manual page.
~]# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sdb /dev/sdb1/dev/md3 as a new RAID level 1 array from /dev/sda1 and /dev/sdb1, run the following command:
~]# mdadm --create /dev/md3 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
mdadm: array /dev/md3 started.root:
mdadmraid_device--failcomponent_device
mdadmraid_device--removecomponent_device
mdadmraid_device--addcomponent_device
/dev/md3, with the following layout (that is, the RAID device created in Example 5.2, “Creating a new RAID device”):
~]# mdadm --detail /dev/md3 | tail -n 3
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1/dev/sdb1 device as faulty:
~]# mdadm /dev/md3 --fail /dev/sdb1
mdadm: set /dev/sdb1 faulty in /dev/md3~]# mdadm /dev/md3 --remove /dev/sdb1
mdadm: hot removed /dev/sdb1~]# mdadm /dev/md3 --add /dev/sdb1
mdadm: added /dev/sdb1root:
mdadmraid_device--addcomponent_device
mdadm--growraid_device--raid-devices=number
/dev/md3, with the following layout (that is, the RAID device created in Example 5.2, “Creating a new RAID device”):
~]# mdadm --detail /dev/md3 | tail -n 3
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1/dev/sdc, has been added and has exactly one partition. To add it to the /dev/md3 array, type the following at a shell prompt:
~]# mdadm /dev/md3 --add /dev/sdc1
mdadm: added /dev/sdc1/dev/sdc1 as a spare device. To change the size of the array to actually use it, type:
~]# mdadm --grow /dev/md3 --raid-devices=3root:
mdadm--stopraid_device
mdadm--removeraid_device
mdadm--zero-superblockcomponent_device…
/dev/md3, with the following layout (that is, the RAID device created in Example 5.4, “Extending a RAID device”):
~]# mdadm --detail /dev/md3 | tail -n 4
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 17 1 active sync /dev/sdb1
2 8 33 2 active sync /dev/sdc1~]# mdadm --stop /dev/md3
mdadm: stopped /dev/md3/dev/md3 device by running the following command:
~]# mdadm --remove /dev/md3~]# mdadm --zero-superblock /dev/sda1 /dev/sdb1 /dev/sdc1mdadm command only apply to the current session, and will not survive a system restart. At boot time, the mdmonitor service reads the content of the /etc/mdadm.conf configuration file to see which RAID devices to start. If the software RAID was configured during the graphical installation process, this file contains directives listed in Table 5.1, “Common mdadm.conf directives” by default.
| Option | Description |
|---|---|
ARRAY
|
Allows you to identify a particular array.
|
DEVICE
|
Allows you to specify a list of devices to scan for a RAID component (for example, “/dev/hda1”). You can also use the keyword
partitions to use all partitions listed in /proc/partitions, or containers to specify an array container.
|
MAILADDR
| Allows you to specify an email address to use in case of an alert. |
ARRAY lines are presently in use regardless of the configuration, run the following command as root:
mdadm--detail--scan
/etc/mdadm.conf file. You can also display the ARRAY line for a particular device:
mdadm--detail--briefraid_device
mdadm--detail--briefraid_device>>/etc/mdadm.conf
/etc/mdadm.conf contains the software RAID configuration created during the system installation:
# mdadm.conf written out by anaconda DEVICE partitions MAILADDR root ARRAY /dev/md0 level=raid1 num-devices=2 UUID=49c5ac74:c2b79501:5c28cb9c:16a6dd9f ARRAY /dev/md1 level=raid0 num-devices=2 UUID=76914c11:5bfa2c00:dc6097d1:a1f4506d ARRAY /dev/md2 level=raid0 num-devices=2 UUID=2b5d38d0:aea898bf:92be20e2:f9d893c5
/dev/md3 device as shown in Example 5.2, “Creating a new RAID device”, you can make it persistent by running the following command:
~]# mdadm --detail --brief /dev/md3 >> /etc/mdadm.confmdadm man page — A manual page for the mdadm utility.
mdadm.conf man page — A manual page that provides a comprehensive list of available /etc/mdadm.conf configuration options.
| Amount of RAM in the System | Recommended Amount of Swap Space |
|---|---|
| 4GB of RAM or less | a minimum of 2GB of swap space |
| 4GB to 16GB of RAM | a minimum of 4GB of swap space |
| 16GB to 64GB of RAM | a minimum of 8GB of swap space |
| 64GB to 256GB of RAM | a minimum of 16GB of swap space |
| 256GB to 512GB of RAM | a minimum of 32GB of swap space |
free and cat /proc/swaps commands to verify how much and where swap is in use.
/dev/VolGroup00/LogVol01 is the volume you want to extend):
swapoff -v /dev/VolGroup00/LogVol01lvm lvresize /dev/VolGroup00/LogVol01 -L +256Mmkswap /dev/VolGroup00/LogVol01swapon -vacat /proc/swapsfree
/dev/VolGroup00/LogVol02 is the swap volume you want to add):
lvm lvcreate VolGroup00 -n LogVol02 -L 256Mmkswap /dev/VolGroup00/LogVol02/etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
swapon -vacat /proc/swapsfree
count being equal to the desired block size:
dd if=/dev/zero of=/swapfile bs=1024 count=65536mkswap /swapfileswapon /swapfile/etc/fstab to include the following entry:
/swapfile swap swap defaults 0 0
cat /proc/swaps or free.
/dev/VolGroup00/LogVol01 is the volume you want to reduce):
swapoff -v /dev/VolGroup00/LogVol01lvm lvreduce /dev/VolGroup00/LogVol01 -L -512Mmkswap /dev/VolGroup00/LogVol01swapon -vacat /proc/swapsfree
/dev/VolGroup00/LogVol02 is the swap volume you want to remove):
swapoff -v /dev/VolGroup00/LogVol02lvm lvremove /dev/VolGroup00/LogVol02/etc/fstab file:
/dev/VolGroup00/LogVol02 swap swap defaults 0 0
cat /proc/swapsfree
partedparted allows users to:
parted package is included when installing Red Hat Enterprise Linux. To start parted, log in as root and type the command parted /dev/sda at a shell prompt (where /dev/sdaumount command and turn off all the swap space on the hard drive with the swapoff command.
parted commands” contains a list of commonly used parted commands. The sections that follow explain some of these commands and arguments in more detail.
parted commands| Command | Description |
|---|---|
check
| Perform a simple check of the file system |
cp
|
Copy file system from one partition to another; from and to are the minor numbers of the partitions
|
help
| Display list of available commands |
mklabel
| Create a disk label for the partition table |
mkfs
|
Create a file system of type file-system-type
|
mkpart
| Make a partition without creating a new file system |
mkpartfs
| Make a partition and create the specified file system |
move
| Move the partition |
name
| Name the partition for Mac and PC98 disklabels only |
print
| Display the partition table |
quit
|
Quit parted
|
rescue start-mb end-mb
|
Rescue a lost partition from start-mb to end-mb
|
resize
|
Resize the partition from start-mb to end-mb
|
rm
| Remove the partition |
select
| Select a different device to configure |
set
|
Set the flag on a partition; state is either on or off
|
toggle [
|
Toggle the state of FLAG on partition NUMBER
|
unit
|
Set the default unit to UNIT
|
parted, use the command print to view the partition table. A table similar to the following appears:
Model: ATA ST3160812AS (scsi) Disk /dev/sda: 160GB Sector size (logical/physical): 512B/512B Partition Table: msdos Number Start End Size Type File system Flags 1 32.3kB 107MB 107MB primary ext3 boot 2 107MB 105GB 105GB primary ext3 3 105GB 107GB 2147MB primary linux-swap 4 107GB 160GB 52.9GB extended root 5 107GB 133GB 26.2GB logical ext3 6 133GB 133GB 107MB logical ext3 7 133GB 160GB 26.6GB logical lvm
number. For example, the partition with minor number 1 corresponds to /dev/sda1. The Start and End values are in megabytes. Valid Type are metadata, free, primary, extended, or logical. The Filesystem is the file system type, which can be any of the following:
Filesystem of a device shows no value, this means that its file system type is unknown.
parted, where /dev/sda is the device on which to create the partition:
parted /dev/sdaprintmkpart primary ext3 1024 2048mkpartfs command instead, the file system is created after the partition is created. However, parted does not support creating an ext3 file system. Thus, if you wish to create an ext3 file system, use mkpart and create the file system with the mkfs command as described later.
print command to confirm that it is in the partition table with the correct partition type, file system type, and size. Also remember the minor number of the new partition so that you can label it. You should also view the output of
cat /proc/partitionsmkfs -t ext3 /dev/sda6/dev/sda6 and you want to label it /work:
e2label /dev/sda6 /workmkdir /work/etc/fstab/etc/fstab file to include the new partition. The new line should look similar to the following:
LABEL=/work /work ext3 defaults 1 2
LABEL= followed by the label you gave the partition. The second column should contain the mount point for the new partition, and the next column should be the file system type (for example, ext3 or swap). If you need more information about the format, read the man page with the command man fstab.
defaults, the partition is mounted at boot time. To mount the partition without rebooting, as root, type the command:
mount /workparted, where /dev/sda is the device on which to remove the partition:
parted /dev/sdaprintrm. For example, to remove the partition with minor number 3:
rm 3print command to confirm that it is removed from the partition table. You should also view the output of
cat /proc/partitions/etc/fstab file. Find the line that declares the removed partition, and remove it from the file.
parted, where /dev/sda is the device on which to resize the partition:
parted /dev/sdaprintresize command followed by the minor number for the partition, the starting place in megabytes, and the end place in megabytes. For example:
resize 3 1024 2048print command to confirm that the partition has been resized correctly, is the correct partition type, and is the correct file system type.
df to make sure the partition was mounted and is recognized with the new size.
lvm help at a command prompt.
LVM commands| Command | Description |
|---|---|
dumpconfig
| Dump the active configuration |
formats
| List the available metadata formats |
help
| Display the help commands |
lvchange
| Change the attributes of logical volume(s) |
lvcreate
| Create a logical volume |
lvdisplay
| Display information about a logical volume |
lvextend
| Add space to a logical volume |
lvmchange
| Due to use of the device mapper, this command has been deprecated |
lvmdiskscan
| List devices that may be used as physical volumes |
lvmsadc
| Collect activity data |
lvmsar
| Create activity report |
lvreduce
| Reduce the size of a logical volume |
lvremove
| Remove logical volume(s) from the system |
lvrename
| Rename a logical volume |
lvresize
| Resize a logical volume |
lvs
| Display information about logical volumes |
lvscan
| List all logical volumes in all volume groups |
pvchange
| Change attributes of physical volume(s) |
pvcreate
| Initialize physical volume(s) for use by LVM |
pvdata
| Display the on-disk metadata for physical volume(s) |
pvdisplay
| Display various attributes of physical volume(s) |
pvmove
| Move extents from one physical volume to another |
pvremove
| Remove LVM label(s) from physical volume(s) |
pvresize
| Resize a physical volume in use by a volume group |
pvs
| Display information about physical volumes |
pvscan
| List all physical volumes |
segtypes
| List available segment types |
vgcfgbackup
| Backup volume group configuration |
vgcfgrestore
| Restore volume group configuration |
vgchange
| Change volume group attributes |
vgck
| Check the consistency of a volume group |
vgconvert
| Change volume group metadata format |
vgcreate
| Create a volume group |
vgdisplay
| Display volume group information |
vgexport
| Unregister a volume group from the system |
vgextend
| Add physical volumes to a volume group |
vgimport
| Register exported volume group with system |
vgmerge
| Merge volume groups |
vgmknodes
| Create the special files for volume group devices in /dev/ |
vgreduce
| Remove a physical volume from a volume group |
vgremove
| Remove a volume group |
vgrename
| Rename a volume group |
vgs
| Display information about volume groups |
vgscan
| Search for all volume groups |
vgsplit
| Move physical volumes into a new volume group |
version
| Display software and driver version information |
quota RPM must be installed to implement disk quotas. /etc/fstab file.
/etc/fstab file. Add the usrquota and/or grpquota options to the file systems that require quotas:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1 LABEL=/boot /boot ext3 defaults 1 2 none /dev/pts devpts gid=5,mode=620 0 0 none /dev/shm tmpfs defaults 0 0 none /proc proc defaults 0 0 none /sys sysfs defaults 0 0 /dev/VolGroup00/LogVol02 /home ext3 defaults,usrquota,grpquota 1 2 /dev/VolGroup00/LogVol01 swap swap defaults 0 0 . . .
/home file system has both user and group quotas enabled.
/home partition was created during the installation of Red Hat Enterprise Linux. The root (/) partition can be used for setting quota policies in the /etc/fstab file.
usrquota and/or grpquota options, remount each file system whose fstab entry has been modified. If the file system is not in use by any process, use one of the following methods:
umount command followed by the mount command to remount the file system.(See the man page for both umount and mount for the specific syntax for mounting and unmounting various filesystem types.)
mount -o remount <file-system> command (where <file-system> /home file system, the command to issue is mount -o remount /home.
quotacheck command.
quotacheck command examines quota-enabled file systems and builds a table of the current disk usage per file system. The table is then used to update the operating system's copy of disk usage. In addition, the file system's disk quota files are updated.
aquota.user and aquota.group) on the file system, use the -c option of the quotacheck command. For example, if user and group quotas are enabled for the /home file system, create the files in the /home directory:
quotacheck -cug /home-c option specifies that the quota files should be created for each file system with quotas enabled, the -u option specifies to check for user quotas, and the -g option specifies to check for group quotas.
-u or -g options are specified, only the user quota file is created. If only -g is specified, only the group quota file is created.
quotacheck -avuga — Check all quota-enabled, locally-mounted file systems
v — Display verbose status information as the quota check proceeds
u — Check user disk quota information
g — Check group disk quota information
quotacheck has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as /home.
edquota command.
edquota username/etc/fstab for the /home partition (/dev/VolGroup00/LogVol02 in the example below) and the command edquota testuser is executed, the following is shown in the editor configured as the default for the system:
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 0 0 37418 0 0
EDITOR environment variable is used by edquota. To change the editor, set the EDITOR environment variable in your ~/.bash_profile file to the full path of the editor of your choice.
inodes column shows how many inodes the user is currently using. The last two columns are used to set the soft and hard inode limits for the user on the file system.
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 500000 550000 37418 0 0
quota testuserdevel group (the group must exist prior to setting the group quota), use the command:
edquota -g develDisk quotas for group devel (gid 505): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440400 0 0 37418 0 0
quota -g develedquota -tedquota commands operate on a particular user's or group's quota, the -t option operates on every filesystem with quotas enabled.
quotaoff -vaug-u or -g options are specified, only the user quotas are disabled. If only -g is specified, only group quotas are disabled. The -v switch causes verbose status information to display as the command executes.
quotaon command with the same options.
quotaon -vaug/home, use the following command:
quotaon -vug /home-u or -g options are specified, only the user quotas are enabled. If only -g is specified, only group quotas are enabled.
repquota utility. For example, the command repquota /home produces this output:
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
Block limits File limits
User used soft hard grace used soft hard grace
----------------------------------------------------------------------
root -- 36 0 0 4 0 0
kristin -- 540 0 0 125 0 0
testuser -- 440400 500000 550000 37418 0 0-a) quota-enabled file systems, use the command:
repquota -a-- displayed after each user is a quick way to determine whether the block or inode limits have been exceeded. If either soft limit is exceeded, a + appears in place of the corresponding -; the first - represents the block limit, and the second represents the inode limit.
grace columns are normally blank. If a soft limit has been exceeded, the column contains a time specification equal to the amount of time remaining on the grace period. If the grace period has expired, none appears in its place.
quotacheck include:
/etc/cron.daily/ or /etc/cron.weekly/ directory—or schedule one using the crontab -e command—that contains the touch /forcequotacheck command. This creates an empty forcequotacheck file in the root directory, which the system init script looks for at boot time. If it is found, the init script runs quotacheck. Afterward, the init script removes the /forcequotacheck file; thus, scheduling this file to be created periodically with cron ensures that quotacheck is run during the next reboot.
cron.
quotacheck is to (re-)boot the system into single-user mode to prevent the possibility of data corruption in quota files and run:
~]# quotaoff -vaug /<file_system>~]# quotacheck -vaug /<file_system>~]# quotaon -vaug /<file_system>
quotacheck on a machine during a time when no users are logged in, and thus have no open files on the file system being checked. Run the command quotacheck -vaug <file_system> ; this command will fail if quotacheck cannot remount the given <file_system> as read-only. Note that, following the check, the file system will be remounted read-write.
quotacheck on a live file system mounted read-write is not recommended due to the possibility of quota file corruption.
cron.
acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
cp and mv commands copy or move any ACLs associated with files and directories.
mount -t ext3 -o acl <device-name> <partition>mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work/etc/fstab file, the entry for the partition can include the acl option:
LABEL=/work /work ext3 acl 1 2
--with-acl-support option. No special flags are required when accessing or mounting a Samba share.
no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.
setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
setfacl -m <rules> <files><rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
u:<uid>:<perms>g:<gid>:<perms>m:<perms>o:<perms><perms>) must be a combination of the characters r, w, and x for read, write, and execute.
setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
setfacl -m u:andrius:rw /project/somefile-x option and do not specify any permissions:
setfacl -x <rules> <files>setfacl -x u:500 /project/somefiled: before the rule and specify a directory instead of a file name.
/share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /sharegetfacl command. In the example below, the getfacl is used to determine the existing ACLs for a file.
getfacl home/john/picture.png# file: home/john/picture.png # owner: john # group: john user::rw- group::r-- other::r--
[john@main /]$ getfacl home/sales/
# file: home/sales/
# owner: john
# group: john
user::rw-
user:barryg:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-xtar and dump commands do not backup ACLs.
star utility is similar to the tar utility in that it can be used to generate archives of files; however, some of its options are different. Refer to Table 9.1, “Command Line Options for star” for a listing of more commonly used options. For all available options, refer to the star man page. The star package is required to use this utility.
star| Option | Description |
|---|---|
-c
| Creates an archive file. |
-n
|
Do not extract the files; use in conjunction with -x to show what extracting the files does.
|
-r
| Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name. |
-t
| Displays the contents of the archive file. |
-u
| Updates the archive file. The files are written to the end of the archive if they do not exist in the archive or if the files are newer than the files of the same name in the archive. This option only work if the archive is a file or an unblocked tape that may backspace. |
-x
|
Extracts the files from the archive. If used with -U and a file in the archive is older than the corresponding file on the file system, the file is not extracted.
|
-help
| Displays the most important options. |
-xhelp
| Displays the least important options. |
-/
| Do not strip leading slashes from file names when extracting the files from an archive. By default, they are striped when files are extracted. |
-acl
| When creating or extracting, archive or restore any ACLs associated with the files and directories. |
ext_attr attribute. This attribute can be seen using the following command:
tune2fs -l <filesystem-device>ext_attr attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.
e2fsck utility included in version 1.22 and higher of the e2fsprogs package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr attribute. Older versions refuse to check it.
acl man page — Description of ACLs
getfacl man page — Discusses how to get file access control lists
setfacl man page — Explains how to set file access control lists
star man page — Explains more about the star utility and its many options
/boot partition. The /boot partition cannot be on a logical volume group because the boot loader cannot read it. If the root (/) partition is on a logical volume, create a separate /boot partition which is not a part of a volume group.
/home and / and file system types, such as ext2 or ext3. When "partitions" reach their full capacity, free space from the volume group can be added to the logical volume to increase the size of the partition. When a new hard drive is added to the system, it can be added to the volume group, and partitions that are logical volumes can be increased in size.
system-config-lvm utility to create your own LVM configuration post-installation. The next two sections focus on using Disk Druid during installation to complete this task. The third section introduces the LVM utility (system-config-lvm) which allows you to manage your LVM volumes in X windows or graphically.
/dev/sda and /dev/sdb) are used in the following examples. They detail how to create a simple configuration using a single LVM volume group with associated logical volumes during installation.
/boot partition resides on its own non-LVM partition. In the following example, it is the first partition on the first drive (/dev/sda1). Bootable partitions cannot reside on LVM logical volumes.
VolGroup00) is created, which spans all selected drives and all remaining space available. In the following example, the remainder of the first drive (/dev/sda2), and the entire second drive (/dev/sdb1) are allocated to the volume group.
LogVol00 and LogVol01) are created from the newly created spanned volume group. In the following example, the recommended swap space is automatically calculated and assigned to LogVol01, and the remainder is allocated to the root file system, LogVol00.
/home or /var, so that each file system has its own independent quota configuration limits.
/boot Partition
/boot partition cannot reside on an LVM volume because the GRUB boot loader cannot read it.
/boot Partition Displayed
/boot Partition Displayed
/, /home, and swap space. Remember that /boot cannot be a logical volume. To add a logical volume, click the button in the Logical Volumes section. A dialog window as shown in Figure 10.10, “Creating a Logical Volume” appears.
system-config-lvmsystem-config-lvm from a terminal.
/boot - (Ext3) file system. Displayed under 'Uninitialized Entities'. (DO NOT initialize this partition). LogVol00 - (LVM) contains the (/) directory (312 extents). LogVol02 - (LVM) contains the (/home) directory (128 extents). LogVol03 - (LVM) swap (28 extents).
/dev/hda2 while /boot was created in /dev/hda1. The system also consists of 'Uninitialized Entities' which are illustrated in Figure 10.17, “Uninitialized Entities”. The figure below illustrates the main window in the LVM utility. The logical and the physical views of the above configuration are illustrated below. The three logical volumes exist on the same physical volume (hda2).
/ (root) directory, this task will not be successful as the volume cannot be unmounted.
/boot. Uninitialized entities are illustrated below.
/dev/hda6 was selected as illustrated below.
/mnt/backups. This is illustrated in the figure below.
rpm -qd lvm2 — This command shows all the documentation available from the lvm package, including man pages.
lvm help — This command shows all LVM commands available.
Table of Contents
rpm package. For the end user, RPM makes system updates easy. Installing, uninstalling, and upgrading RPM packages can be accomplished with short commands. RPM maintains a database of installed packages and their files, so you can invoke powerful queries and verifications on your system. If you prefer a graphical interface, you can use the Package Management Tool to perform many RPM commands. Refer to Chapter 12, Package Management Tool for details.
.tar.gz files.
rpm --help or man rpm. You can also refer to Section 11.5, “Additional Resources” for more information on RPM.
foo-1.0-1.i386.rpm. The file name includes the package name (foo), version (1.0), release (1), and architecture (i386). To install a package, log in as root and type the following command at a shell prompt:
rpm -ivh foo-1.0-1.i386.rpmrpm -Uvh foo-1.0-1.i386.rpmPreparing... ########################################### [100%] 1:foo ########################################### [100%]
error: V3 DSA signature: BAD, key ID 0352860f
error: Header V3 DSA signature: BAD, key ID 0352860f
NOKEY such as:
warning: V3 DSA signature: NOKEY, key ID 0352860f
rpm -ivh instead. Refer to Chapter 42, Manually Upgrading the Kernel for details.
Preparing... ########################################### [100%] package foo-1.0-1 is already installed
--replacepkgs option, which tells RPM to ignore the error:
rpm -ivh --replacepkgs foo-1.0-1.i386.rpmPreparing... ########################################### [100%] file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20
--replacefiles option:
rpm -ivh --replacefiles foo-1.0-1.i386.rpmerror: Failed dependencies:
bar.so.2 is needed by foo-1.0-1
Suggested resolutions:
bar-2.0.20-3.i386.rpmrpm -ivh foo-1.0-1.i386.rpm bar-2.0.20-3.i386.rpmPreparing... ########################################### [100%] 1:foo ########################################### [ 50%] 2:bar ########################################### [100%]
-q --whatprovides option combination to determine which package contains the required file.
rpm -q --whatprovides bar.so.2--nodeps option.
rpm -e foofoo, not the name of the original package file foo-1.0-1.i386.rpm. To uninstall a package, replace foo with the actual package name of the original package.
error: Failed dependencies: foo is needed by (installed) bar-2.0.20-3.i386.rpm
--nodeps option.
rpm -Uvh foo-2.0-1.i386.rpmfoo package. Note that -U will also install a package even when there are no previous versions of the package installed.
-U option for installing kernel packages, because RPM replaces the previous kernel package. This does not affect a running system, but if the new kernel is unable to boot during your next restart, there would be no other kernel to boot instead.
-i option adds the kernel to your GRUB boot menu (/etc/grub.conf). Similarly, removing an old, unneeded kernel removes the kernel from GRUB.
saving /etc/foo.conf as /etc/foo.conf.rpmsave
package foo-2.0-1 (which is newer than foo-1.0-1) is already installed
--oldpackage option:
rpm -Uvh --oldpackage foo-1.0-1.i386.rpmrpm -Fvh foo-1.2-1.i386.rpmrpm -Fvh *.rpm/var/lib/rpm/, and is used to query what packages are installed, what versions each package is, and any changes to any files in the package since installation, among others.
-q option. The rpm -q package name command displays the package name, version, and release number of the installed package package name rpm -q foo to query installed package foo might generate the following output:
foo-2.0-1
-q to further refine or qualify your query:
-a — queries all currently installed packages.
-f <filename> — queries the RPM database for which package owns f<filename> . When specifying a file, specify the absolute path of the file (for example, rpm -qf /bin/ls ).
-p <packagefile> — queries the uninstalled package <packagefile> -i displays package information including name, description, release, size, build date, install date, vendor, and other miscellaneous information.
-l displays the list of files that the package contains.
-s displays the state of all the files in the package.
-d displays a list of files marked as documentation (man pages, info pages, READMEs, etc.).
-c displays a list of files marked as configuration files. These are the files you edit after installation to adapt and customize the package to your system (for example, sendmail.cf, passwd, inittab, etc.).
-v to the command to display the lists in a familiar ls -l format.
rpm -V verifies a package. You can use any of the Verify Options listed for querying to specify the packages you wish to verify. A simple use of verifying is rpm -V foo, which verifies that all the files in the foo package are as they were when they were originally installed. For example:
rpm -Vf /usr/bin/foo/usr/bin/foo is the absolute path to the file used to query a package.
rpm -Varpm -Vp foo-1.0-1.i386.rpmc denotes a configuration file) and then the file name. Each of the eight characters denotes the result of a comparison of one attribute of the file to the value of that attribute recorded in the RPM database. A single period (.) means the test passed. The following characters denote specific discrepancies:
5 — MD5 checksum
S — file size
L — symbolic link
T — file modification time
D — device
U — user
G — group
M — mode (includes permissions and file type)
? — unreadable file
<rpm-file> is the file name of the RPM package):
rpm -K --nosignature <rpm-file><rpm-file>: md5 OK-K with -Kvv in the command.
x files as well.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-releaserpm -qa gpg-pubkey*gpg-pubkey-37017186-45761324
rpm -qi followed by the output from the previous command:
rpm -qi gpg-pubkey-37017186-45761324<rpm-file> with the filename of the RPM package):
rpm -K <rpm-file>md5 gpg OK. This means that the signature of the package has been verified, and that it is not corrupt.
rpm -Varpm -qf /usr/bin/ggvggv-2.6.0-2
/usr/bin/paste. You would like to verify the package that owns that program, but you do not know which package owns paste. Enter the following command,
rpm -Vf /usr/bin/pasterpm -qdf /usr/bin/free/usr/share/doc/procps-3.2.3/BUGS /usr/share/doc/procps-3.2.3/FAQ /usr/share/doc/procps-3.2.3/NEWS /usr/share/doc/procps-3.2.3/TODO /usr/share/man/man1/free.1.gz /usr/share/man/man1/pgrep.1.gz /usr/share/man/man1/pkill.1.gz /usr/share/man/man1/pmap.1.gz /usr/share/man/man1/ps.1.gz /usr/share/man/man1/skill.1.gz /usr/share/man/man1/slabtop.1.gz /usr/share/man/man1/snice.1.gz /usr/share/man/man1/tload.1.gz /usr/share/man/man1/top.1.gz /usr/share/man/man1/uptime.1.gz /usr/share/man/man1/w.1.gz /usr/share/man/man1/watch.1.gz /usr/share/man/man5/sysctl.conf.5.gz /usr/share/man/man8/sysctl.8.gz /usr/share/man/man8/vmstat.8.gz
rpm -qip crontabs-1.10-7.noarch.rpmName : crontabs Relocations: (not relocatable) Version : 1.10 Vendor: Red Hat, Inc. Release : 7 Build Date: Mon 20 Sep 2004 05:58:10 PM EDT Install Date: (not installed) Build Host: tweety.build.redhat.com Group : System Environment/Base Source RPM: crontabs-1.10-7.src.rpm Size : 1004 License: Public Domain Signature : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Summary : Root crontab files used to schedule the execution of programs. Description : The crontabs package contains root crontab files. Crontab is the program used to install, uninstall, or list the tables used to drive the cron daemon. The cron daemon checks the crontab files to see when particular commands are scheduled to be executed. If commands are scheduled, then it executes them.
crontabs RPM installs. You would enter the following:
rpm -qlp crontabs-1.10-5.noarch.rpm/etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab /usr/bin/run-parts
rpm --help — This command displays a quick reference of RPM parameters.
man rpm — The RPM man page gives more detail about RPM parameters than the rpm --help command.
rpm command does.
rpm -e --nodeps or rpm -U --nodeps can.
system-config-packages or pirut at shell prompt.
).
) appears beside its checkbox. This indicates that the package is queued for download and installation. You can select multiple packages to download and install; once you have made your selection, click the button.
). This indicates that the package is queued for removal; you can also select multiple packages to be removed at the same time. Once you have selected the packages you want to remove, click the button.
yum searches numerous repositories for packages and their dependencies so they may be installed together in an effort to alleviate dependency issues. Red Hat Enterprise Linux 5.8 uses yum to fetch packages and install RPMs.
up2date is now deprecated in favor of yum (Yellowdog Updater Modified). The entire stack of tools which installs and updates software in Red Hat Enterprise Linux 5.8 is now based on yum. This includes everything, from the initial installation via Anaconda to host software management tools like pirut.
yum also allows system administrators to configure a local (i.e. available over a local network) repository to supplement packages provided by Red Hat. This is useful for user groups that use applications and packages that are not officially supported by Red Hat.
yum repository also saves bandwidth for the entire network. Further, clients that use local yum repositories do not need to be registered individually to install or update the latest packages from Red Hat Network.
createrepo package:
~]# yum install createrepo/mnt/local_repo for example).
createrepo on that directory (for example, createrepo /mnt/local_repo). This will create the necessary metadata for your Yum repository.
yum Commandsyum commands are typically run as yum <command> <package name/s> . By default, yum will automatically attempt to check all configured repositories to resolve all package dependencies during an installation/upgrade.
yum commands. For a complete list of available yum commands, refer to man yum.
yum install <package name/s> yum update <package name/s> yum will attempt to update all installed packages.
--obsoletes option is used (i.e. yum --obsoletes <package name/s> , yum will process obsolete packages. As such, packages that are obsoleted across updates will be removed and replaced accordingly.
yum check-update yum returns a list of all package updates from all repositories if any are available.
yum remove <package name/s> yum provides <file name> yum search <keyword> yum localinstall <absolute path to package name/s> yum to install a package located locally in the machine.
yum Optionsyum options are typically stated before specific yum commands; i.e. yum <options> <command> <package name/s> . Most of these options can be set as default using the configuration file.
yum options. For a complete list of available yum options, refer to man yum.
-y -t yum to be "tolerant" of errors with regard to packages specified in the transaction. For example, if you run yum update package1 package2 and package2 is already installed, yum will continue to install package1.
--exclude=<package name> yum yum is configured through /etc/yum.conf. The following is an example of a typical /etc/yum.conf file:
[main] cachedir=/var/cache/yum keepcache=0 debuglevel=2 logfile=/var/log/yum.log distroverpkg=redhat-release tolerant=1 exactarch=1 obsoletes=1 gpgcheck=1 plugins=1 metadata_expire=1800 [myrepo] name=RHEL 5 $releasever - $basearch baseurl=http://local/path/to/yum/repository/ enabled=1
/etc/yum.conf file is made up of two types of sections: a [main] section, and a repository section. There can only be one [main] section, but you can specify multiple repositories in a single /etc/yum.conf.
[main] Options[main] section is mandatory, and there must only be one. For a complete list of options you can use in the [main] section, refer to man yum.conf.
[main] section.
cachedir yum should store its cache and database files. By default, the cache directory of yum is /var/cache/yum.
keepcache=<1 or 0> keepcache=1 instructs yum to keep the cache of headers and packages after a successful installation. keepcache=1 is the default.
reposdir=<absolute path to directory of .repo files> .repo files are located. .repo files contain repository information (similar to the [repository] section of /etc/yum.conf).
yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for each transaction. Refer to Section 13.4.2, “ [repository] Options” for more information about options you can use for both the [repository] section and .repo files.
reposdir is not set, yum uses the default directory /etc/yum.repos.d.
gpgcheck=<1 or 0> gpgcheck=0, which disables GPG checking.
[main] section of the /etc/yum.conf file, it sets the GPG checking rule for all repositories. However, you can also set this on individual repositories instead; i.e., you can enable GPG checking on one repository while disabling it on another.
assumeyes=<1 or 0> yum should prompt for confirmation of critical actions. The default if assumeyes=0, which means yum will prompt you for confirmation.
assumeyes=1 is set, yum behaves in the same way that the command line option -y does.
tolerant=<1 or 0> tolerant=1), yum will be tolerant of errors on the command line with regard to packages. This is similar to the yum command line option -t.
tolerant=0 (not tolerant).
exclude=<package name/s> retries=<number of retries> yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 6.
[repository] Options[repository] section of the /etc/yum.conf file contains information about a repository yum can use to find packages during package installation, updating and dependency resolution. A repository entry takes the following form:
[repository ID] name=repository namebaseurl=url, file or ftp://path to repository
.repo files (for example, rhel5.repo). The format of repository information placed in .repo files is identical with the [repository] of /etc/yum.conf.
.repo files are typically placed in /etc/yum.repos.d, unless you specify a different repository path in the [main] section of /etc/yum.conf with reposdir=. .repo files and the /etc/yum.conf file can contain multiple repository entries.
repository ID]name=repository name baseurl=http, file or ftp://path repodatadirectory of a repository is located. If the repository is local to the machine, use baseurl=file://path to local repository . If the repository is located online using HTTP, use baseurl=http://link . If the repository is online and uses FTP, use baseurl=ftp://link .
baseurl line by prepending it as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a username of "user" and a password os "password", then the baseurl link can be specified as baseurl=http://user:password@www.example.com/repo/.
man yum.conf.
gpgcheck=<1 or 0> gpgcheck=0, which disables GPG checking.
gpgkey=URL yum needs a public key to verify a package and the required key was not imported into the RPM database.
yum will automatically import the key from the specified URL. You will be prompted before the key is installed unless you set assumeyes=1 (in the [main] section of /etc/yum.conf) or -y (in a yum transaction).
exclude=<package name/s> exclude option in the [main] section of /etc/yum.conf. However, it only applies to the repository in which it is specified.
includepkgs=<package name/s> exclude. When this option is set on a repository, yum will only be able to see the specified packages in that repository. By default, all packages in a repository are visible to yum.
yum Variablesyum commands and yum configuration files (i.e. /etc/yum.conf and .repo files).
$releasever distroverpkg. This defaults to the version of the redhat-release package.
$arch os.uname() in Python.
$basearch $arch=i686 then $basearch=i386.
$YUM0-9 yum to unite content delivery with subscription management. The Subscription Manager handles only the subscription-system associations. yum or other package management tools handle the actual content delivery. Chapter 13, YUM (Yellowdog Updater Modified) describes how to use yum.
yum plug-ins that come with the Subscription Manager tools.
root because of the nature of the changes to the system. However, Red Hat Subscription Manager connects to the subscription service as a user account for the Customer Service Portal.
firstboot process for configuring content and updates, but the system can be registered at any time through the Red Hat Subscription Manager GUI or CLI. New subscriptions, new products, and updates can be viewed and applied to a system through the Red Hat Subscription Manager tools.
yum service through the Red Hat Subscription Manager yum plug-in.
yum.
root.
[root@server1 ~]# subscription-manager-gui
subscription-manager tool. This tool has the following format:
[root@server1 ~]# subscription-manager command [options]subscription-manager help and manpage have more information.
| Command | Description |
|---|---|
| register | Registers or identifies a new system to the subscription service. |
| unregister | Unregisters a machine, which strips its subscriptions and removes the machine from the subscription service. |
| subscribe | Allocates a specific subscription to the machine. |
| redeem | Autosubscribes a machine to a pre-specified subscription that was purchased from a vendor, based on its hardware and BIOS information. |
| refresh |
Pulls the latest entitlement data from the server. Normally, the system polls the entitlement server at a set interval (4 hours by default) to check for any changes in the available subscriptions. The refresh command checks with the entitlement server immediately, outside the normal interval.
|
| unsubscribe | Removes a specific subscription or all subscriptions from the machine. |
| list | Lists all of the subscriptions that are compatible with a machine, either subscriptions that are actually consumed by the machine or unused subscriptions that are available to the machine. |
| identity | Handles the identity certificate and registration ID for a system. This command can be used to return the current UUID or generate a new identity certificate. |
| facts | Lists the system information, like the release version, number of CPUs, and other architecture information. |
| clean |
Removes all of the subscription and identity data from the local system, without affecting the consumer information in the subscription service. Any of the subscriptions consumed by the system are still consumed and are not available for other systems to use. The clean command is useful in cases where the local entitlement information is corrupted or lost somehow, and the system will be reregistered using the register --consumerid=EXISTING_ID command.
|
| orgs, repos, environments | Lists all of the configured organizations, environments, and content repositories that are available to the given user account or system. These commands are used to view information in a multi-org infrastructure. They are not used to configure the local machine or multi-org infrastructure. |
virt-who, checks virtual processes and then relays that information to Subscription Manager and any configured subscription service (Certificate-based Red Hat Network or a local Subscription Asset Manager). Each guest machine on a host is assigned a guest ID, and that guest ID is both associated with the host and used to generate the identity certificate for the guest when it is registered.
system, meaning that each individual server subscribes to its own entitlements for its own use. There is another type of consumer, though, which is available for server groups, the domain type. domain-based entitlements are not allocated to a single system; they are distributed across the group of servers to govern the behavior of that group of servers. (That server group is called a domain.)
system consumer and added to the inventory individually.
domain entitlements apply to the behavior of the entire server group, not to any one system.
domain entitlements using the Red Hat Subscription Manager tools, and the entitlement certificate is replicated between the domain servers.
[root@server ~]# subscription-manager-gui
[root@server ~]# subscription-manager-gui
.zip file. Save the file to some kind of portable media, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command. For example:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
cert.pem file directly into the /etc/pki/consumer directory. For example:
cp /tmp/downloads/cert.pem /etc/pki/consumer
register command with the user account information required to authenticate to the Certificate-based Red Hat Network (the credentials used to access subscription service or the Customer Portal). When the system is successfully authenticated, it echoes back the newly-assigned consumer ID and the user account name which registered it.
register options are listed in Table 14.2, “register Options”.
[root@server1 ~]# subscription-manager register --username admin-example --password secret The system has been registered with id: 7d133d55-876f-4f47-83eb-0ee931cb0a97
--org option in addition to the username and password. The given user must also have the access permissions to add systems to that organization. (See Section 14.12, “Working with Subscription Asset Manager” for information about organizations and Subscription Asset Manager.)
[root@server1 ~]# subscription-manager register --username admin-example --password secret --org="IT Department"
The system has been registered with id: 7d133d55-876f-4f47-83eb-0ee931cb0a97[root@server1 ~]# subscription-manager register --username admin-example --password secret --org="IT Department" --environment=Dev1,ITallregister command returns a Remote Server error.
register command has an option, --autosubscribe, which allows the system to be registered to the subscription service and immediately subscribed to the subscription which best matches its architecture in a single step.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --autosubscribe--activationkey option can pass the activation key to apply existing, already-assigned certificates along with the other registration information. The activation keys for multiple subscriptions are set in a comma-separated list.
--org option, but in multi-org environments, the --org option is required. The organization is not defined as part of the activation key. See Section 14.12, “Working with Subscription Asset Manager” for information about activation keys and Subscription Asset Manager.
# subscription-manager register --activationkey=1234abcd --org="IT Dept"
| Options | Description | Required |
|---|---|---|
| --username=name | Gives the content server user account name. | Required |
| --password=password | Gives the password for the user account. | Required |
| --org=name | Gives the organization to which to join the system. | Required, except for hosted environments |
| --environment=name | Registers the consumer to an environment within an organization. | Optional |
| --name=machine_name | Sets the name of the consumer (machine) to register. This defaults to be the same as the hostname. | Optional |
| --autosubscribe | Automatically subscribes this system to the best-matched compatible subscription. This is good for automated setup operations, since the system can be configured in a single step. | Optional |
| --activationkey=key | Applies existing subscriptions as part of the registration process. The subscriptions are pre-assigned by a vendor or by a systems administrator using Subscription Asset Manager. | Optional |
| --force | Registers the system even if it is already registered. Normally, any register operations will fail if the machine is already registered. | Optional |
unregister command. This removes the system's entry from the subscription service, unsubscribes it from any subscriptions, and, locally, deletes its identity and entitlement certificates.
unregister command.
[root@server1 ~]# subscription-manager unregister
register command. This command passes the original UUID for a system to issue a request to the subscription service to receive a new certificate using the same UUID. This essentially renews its previous registration.
register command uses the original ID to identify itself to the subscription service and restore its previous subscriptions.
[root@server1 ~]# subscription-manager register --username admin-example --password secret --consumerid=7d133d55-876f-4f47-83eb-0ee931cb0a97
| Options | Description | Required |
|---|---|---|
| --consumerid | Gives the consumer UUID used by an existing consumer. The system's consumer entry must exist in the Red Hat subscription service for the reregister operation to succeed. | Required |
| --username=name | Gives the content server user account name. | Optional |
| --password=password | Gives the password for the user account. | Optional |
rhn-migrate-classic-to-rhsm
install-num-migrate-to-rhsm
[root@server ~]# yum install subscription-manager-migration subscription-manager-migration-data
rhn-migrate-classic-to-rhsm script.
rhn-migrate-classic-to-rhsm script has this syntax:
rhn-migrate-classic-to-rhsm [--force|--cli-only|--help|--no-auto]
[root@server ~]# subscription-manager facts --list | grep migr migration.classic_system_id: 09876 migration.migrated_from: rhn_hosted_classic
rhn-migrate-classic-to-rhsm tool migrates the system profile and then opens the Subscription Manager GUI so that administrators can assign subscriptions to the system.
[root@server ~]# rhn-migrate-classic-to-rhsm RHN Username: jsmith@example.com Password:
Retrieving existing RHN classic subscription information ... +----------------------------------+ System is currently subscribed to: +----------------------------------+ rhel-i386-client-5
/etc/pki/product directory.
List of channels for which certs are being copied rhel-i386-client-5 Product Certificates copied successfully to /etc/pki/product !!
Preparing to unregister system from RHN classic ... System successfully unregistered from RHN Classic.
Attempting to register system to Certificate-based RHN ... The system has been registered with id: abcd1234 System server.example.com successfully registered to Certificate-based RHN. Launching the GUI tool to manually subscribe the system ...
rhn-migrate-classic-to-rhsm can automatically subscribe the system to matching subscriptions.
--cli-only option tells the rhn-migrate-classic-to-rhsm to register the system with the autosubscribe option, so all of the migration process occurs in the command line.
[root@server ~]# rhn-migrate-classic-to-rhsm --cli-only RHN Username: jsmith@example.com Password: .... Attempting to auto-subscribe to appropriate subscriptions ... Installed Product Current Status: ProductName: Red Hat Enterprise Linux Desktop Status: Subscribed Please visit https://access.redhat.com/management/consumers/abcd1234 to view the details, and to make changes if necessary.
rhn-migrate-classic-to-rhsm tool can be used simply to unregister a system from RHN Classic. This still copies over the product certificates for the classic channels to configure the system in the style of certificate-based subscriptions, but it does not register the machine with the subscription service.
--no-auto option.
[root@server ~]# rhn-migrate-classic-to-rhsm --no-auto RHN Username: jsmith@example.com Password: Retrieving existing RHN classic subscription information ... +----------------------------------+ System is currently subscribed to: +----------------------------------+ rhel-i386-client-5 List of channels for which certs are being copied rhel-i386-client-5 Product Certificates copied successfully to /etc/pki/product !! Preparing to unregister system from RHN classic ... System successfully unregistered from RHN Classic.
rhn-migrate-classic-to-rhsm script uses the information in /etc/sysconfig/rhn/systemid to get the previous registration information and map channels to certificates. If a system is disconnected, it may not have a systemid file.
/etc/sysconfig/rhn/install-num file.
[root@server ~]# python /usr/lib/python2.4/site-packages/instnum.py da3122afdb7edd23
Product: RHEL Client
Type: Installer Only
Options: Eval FullProd Workstation
Allowed CPU Sockets: Unlimited
Allowed Virtual Instances: Unlimited
Package Repositories: Client Workstation
key: 14299426 "da3122"
checksum: 175 "af"
options: 4416 "Eval FullProd Workstation"
socklimit: -1 "Unlimited"
virtlimit: -1 "Unlimited"
type: 2 "Installer Only"
product: 1 "client"
{"Workstation": "Workstation", "Base": "Client"}install-num-migrate-to-rhsm script identifies the channels that a disconnected system is subscribed to and then copies in the appropriate product certificates. Simply run the command:
[root@server ~]# install-num-migrate-to-rhsm
/etc/pki/product directory.
[root@server ~]# subscription-manager facts --list | grep migr migration.migrated_from: install_number
/usr/share/rhsm/product/RHEL-5/channel-cert-mapping.txt) uses simple keys to map the values:
channel_name:product_name-hash-product_cert.pem
rhel-i386-client-workstation-5: Client-Workstation-i386-b0d4c042-6e31-45a9-bd94-ff0b82e43b1a-71.pem
.pem and the product certificate is copied into the /etc/pki/product directory. For the rhel-i386-client-workstation-5, this migrates to the 71.pem product certificate (the last two digits of the mapping).
jbappplatform-4.3.0-fp-i386-server-5-rpm: none
[root@server ~]# subscription-manager-gui
[root@server ~]# subscription-manager-gui
--pool option.
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567
subscribe command are listed in Table 14.4, “subscribe Options”.
list command:
[root@server1 ~]# subscription-manager list --available
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20--auto option (which is analogous to the --autosubscribe option with the register command).
[root@server1 ~]# subscription-manager subscribe --auto
| Options | Description | Required |
|---|---|---|
| --pool=pool-id | Gives the ID for the subscription to subscribe the machine to. |
Required, unless --auto is used
|
| --auto | Automatically subscribes the system to the best-match subscription or subscriptions. | Optional |
| --quantity=number | Subscribes multiple counts of an entitlement to the system. This is used to cover subscriptions that define a count limit, like using two 2-socket server subscriptions to cover a 4-socket machine. | Optional |
unsubscribe command with the --all option unsubscribes the system from every product and subscription pool it is currently subscribed to.
[root@server1 ~]# subscription-manager unsubscribe --all
unsubscribe command by referencing the ID number of that X.509 certificate.
.pem file (for example, 392729555585697907.pem) or by using the list command. For example:
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: High availability (cluster suite)
ContractNumber: 0
SerialNumber: 11287514358600162
Active: True
Begins: 2010-09-18
Expires: 2011-11-18--serial option to specify the certificate.
[root@server1 ~]# subscription-manager unsubscribe --serial=11287514358600162
--quantity option. The quantity taken applies to the product in the --pool option:
[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567 --quantity=2
.zip file. Save the file to some kind of portable media device, like a flash drive.
certificates.zip file. Unzip the directories until the PEM files for the subscription certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
[root@server ~]# subscription-manager-gui
.pem file of the product certificate.
[root@server ~]# subscription-manager-gui
redeem command, with an email address to send the redemption email to when the process is complete.
# subscription-manager redeem --email=jsmith@example.com
# subscription-manager redeem --email=jsmith@example.com --org="IT Dept"
list command to display different areas of the subscriptions and products on the system.
| Option | Description |
|---|---|
| --installed (or nothing) |
Lists all of the installed and subscribed product on the system. If no option is given with list, it is the same as using the --installed argument.
|
| --consumed | Lists all of the subscriptions allocated to the system. |
| --available [--all] |
Using --available alone lists all of the compatible, active subscriptions for the system. Using --available --all lists all options, even ones not compatible with the system or with no more available quantities.
|
| --ondate=YYYY-MM-DD |
Shows subscriptions which are active and available on the specified date. This is only used with the --available option. If this is not used, then the command uses the current date.
|
| --installed | Lists all of the products that are installed on the system (and whether they have a subscription) and it lists all of the product subscriptions which are assigned to the system (and whether those products are installed). |
list command shows all of the subscriptions that are currently allocated to the system by using the --consumed option.
[root@server1 ~]# subscription-manager list --consumed
+-------------------------------------------+
Consumed Product Subscriptions
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
ContractNumber: 1458961
SerialNumber: 171286550006020205
Active: True
Begins: 2009-01-01
Expires: 2011-12-31list command shows all of the subscriptions that are compatible with and available to the system using the --available option. To include every subscription the organization has — both the ones that are compatible with the system and for other platforms — use the --all option with the --available. The --ondate option shows only subscriptions which are active on that date, based on their activation and expiry dates.
[root@server1 ~]# subscription-manager list --available --all
+-------------------------------------------+
Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2011-09-20
ProductName: RHEL Workstation
ProductId: MKT-rhel-workstation-mkt
PoolId: 5e09a31f95885cc4
Quantity: 10
Expires: 2011-09-20
[snip]--installed option correlates the products that are actually installed on the system (and their subscription status) and the products which could be installed on the system based on the assigned subscriptions (and whether those products are installed).
[root@server1 ~]# subscription-manager list --installed
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux
Status: Not Subscribed
Expires:
Subscription:
ContractNumber:
AccountNumber:
ProductName: Awesome OS Server
Status: Not Installed
Expires: 2012-02-20
Subscription: 54129829316535230
ContractNumber: 39
AccountNumber: 12331131231
yum. Subscription Manager has its own yum plug-ins: product-id for subscription-related information for products and subscription-manager which is used for the content repositories.
baseurl parameter of the rhsm.conf file.
[root@server ~]# yum repolist all repo id repo name status rhel-5-server Red Hat Enterprise Linux 5Server - enabled: 1,749 rhel-5-server-beta Red Hat Enterprise Linux 5Server Be enabled: 869 rhel-5-server-optional-rpms Red Hat Enterprise Linux 5Server Op disabled rhel-5-server-supplementary Red Hat Enterprise Linux 5Server Su disabled
rhel-5-server-optional-rpms and rhel-5-server-supplementary, respectively.
yum-config-manager command:
[root@server ~]# yum-config-manager --enable rhel-5-server-optional-rpms
yum. This uses the --enablerepo repo_name option. For example:
# yum install rubygems --enablerepo=rhel-5-server-optional-rpms Loaded plugins:product-id, refresh-packagekit,subscription-managerUpdating Red Hat repositories. ....
yum is described in Chapter 13, YUM (Yellowdog Updater Modified).
[root@server ~]# subscription-manager list
+-------------------------------------------+
Installed Product Status
+-------------------------------------------+
ProductName: Red Hat Enterprise Linux Server
Status: Not Subscribed
Expires:
SerialNumber:
ContractNumber:
AccountNumber:
rhsmcertd. This daemon checks the certificate validity dates daily. If a subscription is within 24 hours of expiring, then Subscription Manager will check for any available compatible subscriptions and automatically re-subscribes the system, much like auto-subscribing during registration.
healFrequency parameter to zero means that Subscription Manager simply uses the default time setting.
# vim /etc/rhsm/rhsm.conf
[rhsmcertd] section, set the healFrequency parameter to the time, in minutes, to check for changed subscriptions.
[rhsmcertd] certFrequency = 240 healFrequency = 1440
rhsmcertd daemon to reload the configuration.
# service rhsmcertd start
[root@server ~]# cd /etc/rhsm/ca [root@server ca]# scp sam.example.com:/etc/candlepin/certs/candlepin-ca.crt . [root@server ca]# mv candlepin-ca.crt sam-local.pem
rhsm.conf file. Several parameters need to be reset:
hostname = sam.example.com
/sam/api.
prefix= /sam/api
baseurl= https://sam.example.com:8088
repo_ca_cert = %(ca_cert_dir)ssam_certificate.pemrhsm.conf file directly or by using the config command. For example:
[root@server1 ~]# subscription-manager config --server.hostname=sam.example.com --server.prefix=/sam/api --rhsm.baseurl=https://sam.example.com:8088 --rhsm.repo_ca_cert=%(ca_cert_dir)ssam_certificate.pem
config command is covered in Section 14.14.2, “Using the config Command”.
orgs, environments, and repos commands list the organization, environment, and repository information for the system, depending on the organization and environments it belongs to.
orgs lists the friendly name of the organization, such as Dev East, and then the key or ID for the organization which is used when registering consumers.
[root@server1 ~]# subscription-manager orgs --username=jsmith --password=secret
+-------------------------------------------+
admin Organizations
+-------------------------------------------+
OrgName: Admin Owner
OrgKey: admin
OrgName: Dev East
OrgKey: deveast
OrgName: Dev West
OrgKey: devwestenvironments lists whatever environments are configured for the given organization which are assigned to that system. The organization may have other environments available, but they are only listed if the system belongs to them.
[root@server1 ~]# subscription-manager environments --username=jsmith --password=secret --org=admin
+-------------------------------------------+
Environments
+-------------------------------------------+
Name: Locker
Description: None
Name: Dev
Description:
Name: Prod
Description:repos command lists all of the repositories that are available to the configuration environments and organization for a system, and then shows whether those repositories are enabled for the system.
[root@server1 ~]# subscription-manager repos --list
+----------------------------------------------------------+
Entitled Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
RepoName: never-enabled-content
RepoId: never-enabled-content
RepoUrl: https://content.example.com/repos/optional
Enabled: 0
RepoName: always-enabled-content
RepoId: always-enabled-content
RepoUrl: https://content.example.com/repos/dev
Enabled: 1
RepoName: content
RepoId: content-label
RepoUrl: https://content.example.com/repos/prod
Enabled: 1.pem file.
https://access.redhat.com/
certificates.zip file. Unzip the directories until the PEM files for the entitlement certificates are available.
import command:
# subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem Successfully imported certificate 596576341785244687.pem Successfully imported certificate 3195996649750311162.pem
refresh command updates all of the subscription information that is available to the consumer. This removes expired subscriptions and adds new subscriptions to the list. This does not subscribe the machine, but it does pull in the newest data for administrators to use.
[root@server1 ~]# subscription-manager refresh
rhsm.conf configuration file. There are other support files that either influence the Red Hat Subscription Manager service or can help administrators better use the Subscription Manager.
| File or Directory | Description |
|---|---|
| /etc/rhsm | The primary Red Hat Subscription Manager configuration directory. |
| /etc/rhsm/rhsm.conf | The Red Hat Subscription Manager configuration file. This is used by both the GUI and the CLI. |
| /etc/rhsm/facts |
Any user-defined JSON files that override or add system facts to determine entitlement compatibility. Any facts files must end in .facts.
|
| /var/lib/rhsm/cache/installed_products.json | A master list of installed products, which is sent by Subscription Manager to a hosted content service, such as Subscription Asset Manager. |
| /var/lib/rhsm/facts/facts.json | The default system facts filed, gathered by the Subscription Manager. |
| /var/lib/rhsm/packages/ | The package profile cache (a list of installed products) which is gathered and periodically updated by the Subscription Manager. |
| /var/log/rhsm | The Red Hat Subscription Manager log directory. |
| /var/log/rhsm/rhsm.log | The log for the Red Hat Subscription Manager tools. |
| /var/log/rhsm/rhsmcertd.log |
The log for the Red Hat Subscription Manager daemon, rhsmcertd.
|
| /etc/pki/consumer | The directory which contains the identity certificates used by the system to identify itself to the subscription service. |
| /etc/pki/consumer/cert.pem | The base-64 consumer identity certificate file. |
| /etc/pki/consumer/key.pem | The base-64 consumer identity key file. |
| /etc/pki/entitlement | The directory which contains the entitlement certificates for the available subscriptions. |
/etc/pki/product/product_serial#.pem
| The product certificates for installed software products. |
| /var/run/subsys/rhsm | Runtime files for Red Hat Subscription Manager |
| /etc/init.d/rhsmcertd | The subscription certificate daemon. |
| /etc/cron.daily/rhsm-complianced and /usr/libexec/rhsm-complianced | Files to run daily checks and notifications for subscription validity. |
| /etc/yum/pluginconf.d/rhsmplugin.conf |
The configuration file to include the Red Hat Subscription Manager plug-in in the yum configuration.
|
| /usr/share/rhsm | All of the Python and script files used by both Red Hat Subscription Manager tool to perform subscription tasks. |
| /usr/share/rhsm/gui | All of the Python script and image files used to render the Red Hat Subscription Manager GUI. |
rhsm.conf. This file configures several important aspects of how Red Hat Subscription Manager interacts with both entitlements and content services:
rhsm.conf file is divided into three sections. Two major sections define the subscription service ([server]) and content and product delivery ([rhsm]). The third section relates to the rhsmcertd daemon. Each assertion is a simple attribute= value pair. Any of the default values can be edited; all possible attributes are present and active in the default rhsm.conf file.
# Red Hat Subscription Manager Configuration File: # Unified Entitlement Platform Configuration [server] # Server hostname: hostname = subscription.rhn.redhat.com # Server prefix: prefix = /subscription # Server port: port = 443 # Set to 1 to disable certificate validation: insecure = 0 # Set the depth of certs which should be checked # when validating a certificate ssl_verify_depth = 3 # Server CA certificate location: ca_cert_dir = /etc/rhsm/ca/ # an http proxy server to use proxy_hostname = # port for http proxy server proxy_port = # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password = [rhsm] # Content base URL: baseurl= https://cdn.redhat.com # Default CA cert to use when generating yum repo configs: repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem # Where the certificates should be stored productCertDir = /etc/pki/product entitlementCertDir = /etc/pki/entitlement consumerCertDir = /etc/pki/consumer [rhsmcertd] # Frequency of certificate refresh (in minutes): certFrequency = 240 # Frequency of autoheal check (1440 min = 1 day): healFrequency = 1440
| Parameter | Description | Default Value |
|---|---|---|
| [server] Parameters | ||
| hostname | Gives the IP address or fully-qualified domain name of the subscription service. | subscription.rhn.redhat.com |
| prefix | Gives the directory, in the URL, to use to connect to the subscription service. | /subscription |
| port | Gives the port to use to connect to the subscription service. | 443 |
| insecure | Sets whether to use a secure (0) or insecure (1) connection for connections between the Subscription Manager clients and the subscription service. | 0 |
| ssl_verify_depth | Sets how far back in the certificate chain to verify the certificate. | 3 |
| proxy_hostname | Gives the hostname of the proxy server. This is required. | |
| proxy_port | Gives the port of the proxy server. This is required. | |
| proxy_user | Gives the user account to use to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| proxy_password | Gives the password credentials to access the proxy server. This may not be required, depending on the proxy server configuration. | |
| ca_cert_dir | Gives the location for the CA certificate for the CA which issued the subscription service's certificates. This allows the client to identify and trust the subscription service for authentication for establishing an SSL connection. | /etc/rhsm/ca |
| [rhsm] Parameters | ||
| baseurl | Gives the full URL to access the content delivery system. | https://cdn.redhat.com |
| repo_ca_cert | Identifies the default CA certificate to use to set the yum repo configuration. | %(ca_cert_dir)sredhat-uep.pem |
| productCertDir | Sets the root directory where the product certificates are stored and can be accessed by Subscription Manager. | /etc/pki/product |
| consumerCertDir | Sets the directory where the identity certificate for the system is stored and can be accessed by Subscription Manager. | /etc/pki/consumer |
| entitlementCertDir | Sets the directory where the entitlement certificates for the system are stored and can be accessed by Subscription Manager. Each subscription has its own entitlement certificate. | /etc/pki/entitlement |
| [rhsmcertd] Parameters | ||
| certFrequency | Sets the interval, in minutes, to check and update entitlement certificates used by Subscription Manager. | 240 |
| healFrequency | Sets the interval, in minutes, to check for change subscriptions and installed products and to allocate subscriptions, as necessary, to maintain subscription status for all products. | 1440 |
| healFrequency | Sets the interval, in minutes, to check for change subscriptions and installed products and to allocate subscriptions, as necessary, to maintain subscription status for all products. | 1440 |
subscription-manager has a subcommand that can change the rhsm.conf configuration file. Almost all of the connection information used by Subscription Manager to access the subscription server, content server, and any proxies is set in the configuration file, as well as general configuration parameters like the frequency Subscription Manager checks for entitlements updates. There are major divisions in the rhsm.conf file, such as [server] which is used to configure the subscription server. When changing the Subscription Manager configuration, the settings are identified with the format section.parameter and then the new value. For example:
server.hostname=newsubscription.example.com
config command:
[root@server1 ~]# subscription-manager config --section.parameter=newValue
[root@server1 ~]# subscription-manager config --server.hostname=subscription.example.com
rhsm.conf file parameters are listed in Table 14.7, “rhsm.conf Parameters”. This is most commonly used to change connection settings:
config command also has a --remove option. This deletes the current value for the parameter without supplying a new parameter. A blank value tells Subscription Manager to use any default values that are set for that parameter rather than a user-defined value. For example:
[root@server1 ~]# subscription-manager config --remove=rhsm.certFrequency The default value for rhsm.certFrequency will now be used.
[root@server1 ~]# subscription-manager config --remove=server.proxy You have removed the value in section server for parameter proxy.
[root@server ~]# subscription-manager-gui
rhsm.conf file; this is the same as configuring it in the Subscription Manager GUI. The proxy configuration is stored and used for every connection between the subscription service and the local system.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the HTTP proxy. All parameters are described in Table 14.7, “rhsm.conf Parameters”. There are four parameters directly related to the proxy:
proxy_hostname for the IP address or fully-qualified domain name of the proxy server; this is required.
proxy_hostname argument blank means that no HTTP proxy is used.
proxy_port for the proxy server port.
proxy_user for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
proxy_password for the password for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
[server] # an http proxy server to use proxy_hostname = proxy.example.com # port for http proxy server proxy_port = 443 # user name for authenticating to an http proxy, if needed proxy_user = # password for basic http proxy auth, if needed proxy_password =
subscription-manager.
| Argument | Description | Required for a Proxy Connection? |
|---|---|---|
| --proxy | Gives the proxy server to connect to, in the format hostname:port. | Yes |
| --proxyuser | Gives the username to use to authenticate. This is only required if user authentication is required. | No |
| --proxypassword | Gives the password to use with the user account. This is only required if user authentication is required. | No |
subscription-manager operation. For example:
[root@server1 ~]# subscription-manager subscribe --pool=ff8080812bc382e3012bc3845ca000cb --proxy=proxy.example.com:8443 --proxyuser=jsmith --proxypassword=secret
rhsm.conf file. There may be instances when an organization is running a mirror or an internal subscription service; in those situations, the connection settings can be altered to connect to the specific servers. The subscription service connection settings are in the [server] section of the configuration file.
vim /etc/rhsm/rhsm.conf
[server] section that relate to the subscription service connection. All parameters are described in Table 14.7, “rhsm.conf Parameters”. There are three parameters directly related to the connection:
hostname for the IP address or fully-qualified domain name of the machine
prefix for the subscription service directory
port for the subscription service port
[server] hostname=entitlements.server.example.com prefix=/candlepin port=8443
vim /etc/rhsm/rhsm.conf
baseurl directive in the [rhsm] section. This is the full URL to the service.
[rhsm] # Content base URL: baseurl= http://content.example.com/content
vim /etc/rhsm/rhsm.conf
[server] section that relate to a secure connection. All parameters are described in Table 14.7, “rhsm.conf Parameters”. There are three parameters directly related to the connection:
insecure to set whether to use a secure (0) or insecure (1) connection
ca_cert_dir for the directory location for the CA certificate for authentication and verification
port for the subscription service port; this should be an SSL port if a secure connection is required
[server] port=8443 insecure = 1 ca_cert_dir = /etc/rhsm/ca
ssl_verify_depth = 3
rhsmcertd, runs as a service on the system. The daemon, by default, starts with the system, and it can be started, stopped, or checked with the service command.
service rhsmcertd status rhsmcertd (pid 13084) is running...
chkconfig”. When a system reboots, some services can be automatically restarted. chkconfig also defines startup settings for different run levels of the server.
chkconfig. By default, the Red Hat Subscription Manager daemon, rhsmcertd, is configured to run at levels 3, 4, and 5, so that the service is started automatically when the server reboots.
chkconfig. For example, to enable run level 2:
chkconfig --level 2345 rhsmcertd on
rhsmcertd from the start list, change the run level settings off:
chkconfig --level 2345 rhsmcertd off
service and chkconfig settings.
system-config-services package must be installed for the wizard to be available.
rhsmcertd item in the list of services on the left, and then edit the service as desired.
/var/log/rhsm directory:
rhsm.log shows every invocation and result of running the Subscription Manager GUI or CLI
rhsmcertd.log shows every time a new certificate is generated, which happens on a schedule defined by the certFrequency parameter in the rhsm.conf file.
rhsm.log file contains the sequence of every Python call for every operation invoked through the Subscription Manager tools. Each entry has this format:
YYYY-MM-DD HH:MM:SS,process_id [MESSAGE_TYPE] call python_script response
rhsm.log relates to the Python script or function that was called, there can be multiple log entries for a single operation.
2010-10-01 17:27:57,874 [INFO] _request() @connection.py:97 - status code: 200 2010-10-01 17:27:57,875 [INFO] perform() @certlib.py:132 - updated: Total updates: 0 Found (local) serial# [] Expected (UEP) serial# [] Added (new) <NONE> Deleted (rogue): <NONE> Expired (not deleted): <NONE> Expired (deleted): <NONE> 2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:193 - Using certificate authentication: key = /etc/pki/consumer/key.pem, cert = /etc/pki/consumer/cert.pem, ca = /etc/pki/CA/candlepin.pem, insecure = True 2010-10-01 17:27:57,878 [INFO] __init__() @connection.py:196 - Connection Established: host: candlepin.example.com, port: 443, handler: /candlepin
rhsmcertd.log file are much simpler. The log only records when the rhsmcertd daemon starts or stops and every time a certificate is updated.
Fri Oct 1 13:27:44 2010: started: interval = 240 minutes Fri Oct 1 13:27:50 2010: certificates updated
/etc/redhat-release or /etc/sysconfig. In both the Red Hat Subscription Manager GUI and CLI, the facts are represented as simple attribute: value pairs.
[root@server ~]# subscription-manager-gui
facts command with the --list option.
[root@server1 ~]# subscription-manager facts --list cpu.architecture: i686 cpu.core(s)_per_socket: 4 cpu.cpu(s): 4 cpu.cpu_family: 6 cpu.cpu_mhz: 2000.010 cpu.cpu_op-mode(s): 32-bit, 64-bit cpu.cpu_socket(s): 1 cpu.l1d_cache: 32K cpu.l1i_cache: 32K cpu.l2_cache: 6144K cpu.model: 23 cpu.stepping: 6 cpu.thread(s)_per_core: 1 cpu.vendor_id: GenuineIntel cpu.virtualization: VT-x distribution.id: Santiago distribution.name: Red Hat Enterprise Linux Workstation distribution.version: 5 dmi.baseboard.manufacturer: IBM dmi.baseboard.product_name: Server Blade ... [snip] ...
--update option with the facts command.
[root@server1 ~]# subscription-manager facts --update
/var/lib/rhsm/facts/facts.json. These facts are stored as attribute: value pairs, in a comma-separated list.
{"fact1": "value1","fact2": "value2"}/etc/rhsm/facts directory. These JSON files can override existing facts or even add new facts to be used by the subscription service.
vim /etc/rhsm/facts/my-example.facts {"uname.machine": "x86","kernel_version": "2.6.32","physical_location": "MTV colo rack 5"}
identity command.
identity command, using the --force option will require the username and password and will cause the Subscription Manager to prompt for the credentials if they are not passed in the command. This can be helpful if the identity certificate needs to be regenerated using a different Red Hat account than the original registration.
[root@server1 ~]# subscription-manager identity --regenerate --force Username: jsmith@example.com Password: Identity certificate has been regenerated.
identity command to return the current UUID. The UUID is the Current identity is value.
[root@server1 ~]# subscription-manager identity Current identity is: 63701087-f625-4519-8ab2-633bb50cb261 name: server1.example.com org name: 6340056 org id: 8a85f981302cbaf201302d89931e059a
list --installed command with the command-line tools.
rhsmcertd, checks the system periodically — once when it is first registered and then when it runs a refresh operation every four hours — to get the most current list of installed products. When the system is registered and then whenever there is a change to the package list, Subscription Manager sends an updated package profile to the subscription service.
/var/lib/rhsm/packages/.
subscription-manager script. Information like the consumer ID or subscription pool ID is pulled up and referenced automatically in the Red Hat Subscription Manager UI, but it has to be entered manually in the command line.
| Information | Description | Operations Used In | Find It In ... |
|---|---|---|---|
| Consumer ID | A unique identifier for each system that is registered to the subscription service. | identity |
The simplest method is to use the identity command to return the current UUID.
[root@server1 ~]# subscription-manager identity Current identity is: 63701087-f625-4519-8ab2-633bb50cb261 name: consumer-1.example.com org name: 6340056 org id: 8a85f981302cbaf201302d89931e059aThe Subject CN element of the identity certificate for the system, /etc/pki/consumer/cert.pem. The UUID can also be returned by using openssl to pretty-print the certificate.
openssl x509 -text -in /etc/pki/consumer/cert.pem Certificate: ... snip ... Subject: CN=7d133d55 876f 4f47 83eb 0ee931cb0a97 |
| Pool ID | An identifier for a specific set of subscriptions. This set is created when subscriptions are purchased. Whenever a system needs to subscribe to a product, it references a pool ID to identify which purchased set of subscriptions to use. | subscribe |
The PoolID value given for a product when listing available subscriptions. For example:
[root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: Red Hat Enterprise Linux, Standard (up to 2 sockets) 3 year ProductId: MCT0346F3 PoolId: ff8080812bc382e3012bc3845ca000cb Quantity: 2 Expires: 2011-02-28 |
| Product certificate serial number | The identification used for a specific, installed product. A certificate with a unique serial number is generated when a product is installed; this serial number is used to identify that specific product installation when managing subscriptions. | unsubscribe |
The SerialNumber line in the product subscription information. This can be returned by running list --consumed.
[root@server1 ~]# subscription-manager list --consumed +-----------------------------+ Consumed Product Subscriptions +-----------------------------+ ProductName: High availability (cluster suite) ContractNumber: 0 SerialNumber: 11287514358600162 .... |
| Product ID | The internal identifier used to identify a type of product. |
The ProductID value given for a product when listing available subscriptions. For example:
[root@server1 ~]# subscription-manager list --available +----------------------+ Available Subscriptions +----------------------+ ProductName: RHEL for Physical Servers ProductId: MKT-rhel-server ... snip ... |
.pem formatted file. This file format stores both keys and certificates in a base-64 blob. For example:
-----BEGIN CERTIFICATE----- MIIDaTCCAtKgAwIBAgICBZYwDQYJKoZIhvcNAQEFBQAwSzEqMCgGA1UEAxMhY2Fu ZGxlcGluMS5kZXZsYWIucGh4MS5yZWRoYXQuY29tMQswCQYDVQQGEwJVUzEQMA4G A1UEBxMHUmFsZWlnaDAeFw0xMDEwMDYxNjMyMDVaFw0xMTEwMDYyMzU5NTlaMC8x LTArBgNVBAMMJDQ4ODFiZDJmLTg2OGItNDM4Yy1hZjk2LThiMWQyODNkYWZmYzCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNyLw6+IMtjY03F7Otxj2GL GTz5VKx1kfWY7q4OD4w+XlBHTkt+2tQV9S+4TFkUZ7XoI80LDL/BONpy/gq5c5cw yKvjv2gjSS/pihgYNXc5zUOIfSj1vb3fHGHOkzdCcZMyWq1z0N/zaLClp/zP/pcM og4NTAg2niNPjFYvkQ+oIl16WmQpefM0y0SY7N7oJd2T8dZjOiuLV2cVZLfwjrwG 9UpkT2J03g+n1ZA9q95ibLD5NVOdTy9+2lfRhdDViZaVoFiQXvg86qBHQ0ieENuF a6bCvGgpTxcBuVXmsnl2+9dnMiwoDqPZp1HB6G2uNmyNe/IvkTOPFJ/ZVbtBTYUC AwEAAaOB8zCB8DARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgSwMHsGA1Ud IwR0MHKAFGiY1N2UtulxcMFy0j6gQGLTyo6CoU+kTTBLMSowKAYDVQQDEyFjYW5k bGVwaW4xLmRldmxhYi5waHgxLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYD VQQHEwdSYWxlaWdoggkA1s54sVacN0EwHQYDVR0OBBYEFGbB5fqOzh32g4Wqrwhc /96IupIgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdEQQWMBSkEjAQMQ4wDAYD VQQDDAV4ZW9wczANBgkqhkiG9w0BAQUFAAOBgQANxHRsev4fYfnHO9kYcHo4UeK7 owN+fq92gl76iRHRnhzkPlhWL+uV2tyqGG9zJASOX+qEDOqN5sVAB4iNQTDGiUbK z757igD2hsQ4ewv9Vq3QtnajWnfdaUZH919GgWs09Etg6ucsKwgfx1fqjSRLBbOo lZuvBTYROOX6W2vKXw== -----END CERTIFICATE-----
openssl or pk12util can be used to extract and view information from these certificates, in a pretty-print format. The product- and subscription-related information is extracted and viewable in the Red Hat Subscription Manager GUI or command-line tools.
| Certificate Type | Description | Default Location |
|---|---|---|
| Consumer Identity Certificate | Used to identify the system (consumer) to the subscription service. This contains a unique ID which is assigned to the system when it is registered to the system. The identity certificate itself is generated by the subscription service when the system is registered and then sent to the consumer. | /etc/pki/consumer |
| Entitlement Certificate | Contains a list of products that are available to a system to install, based on the subscriptions that the system has been subscribed to. The entitlement certificate defines the software products, the content delivery location, and validity dates. The presence of an entitlement certificate means that the system has consumed one of the quantities from the subscription. | /etc/pki/entitlement |
| Product Certificate | Contains the information about a product after it has been installed. |
/etc/pki/product/product_serial#.pem
|
| CA Certificate | A certificate for the certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSL to connect to the subscription service. | /etc/rhsm/ca/candlepin-ca.pem |
| Satellite Certificate | An XML-formatted certificate which contains a product list. This is used by local Satellite 5.x systems, not the newer subscription service. |
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1430 (0x596)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=entitlement.server.example.com, C=US, L=Raleigh
Validity
Not Before: Oct 6 16:32:05 2010 GMT
Not After : Oct 6 23:59:59 2011 GMT
Subject: CN=4881bd2f-868b-438c-af96-8b1d283daffc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:72:2f:0e:be:20:cb:63:63:4d:c5:ec:eb:71:
8f:61:8b:19:3c:f9:54:ac:75:91:f5:98:ee:ae:0e:
0f:8c:3e:5e:50:47:4e:4b:7e:da:d4:15:f5:2f:b8:
4c:59:14:67:b5:e8:23:cd:0b:0c:bf:c1:38:da:72:
fe:0a:b9:73:97:30:c8:ab:e3:bf:68:23:49:2f:e9:
8a:18:18:35:77:39:cd:43:88:7d:28:f5:bd:bd:df:
1c:61:ce:93:37:42:71:93:32:5a:ad:73:d0:df:f3:
68:b0:a5:a7:fc:cf:fe:97:0c:a2:0e:0d:4c:08:36:
9e:23:4f:8c:56:2f:91:0f:a8:22:5d:7a:5a:64:29:
79:f3:34:cb:44:98:ec:de:e8:25:dd:93:f1:d6:63:
3a:2b:8b:57:67:15:64:b7:f0:8e:bc:06:f5:4a:64:
4f:62:74:de:0f:a7:d5:90:3d:ab:de:62:6c:b0:f9:
35:53:9d:4f:2f:7e:da:57:d1:85:d0:d5:89:96:95:
a0:58:90:5e:f8:3c:ea:a0:47:43:48:9e:10:db:85:
6b:a6:c2:bc:68:29:4f:17:01:b9:55:e6:b2:79:76:
fb:d7:67:32:2c:28:0e:a3:d9:a7:51:c1:e8:6d:ae:
36:6c:8d:7b:f2:2f:91:33:8f:14:9f:d9:55:bb:41:
4d:85
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Authority Key Identifier:
keyid:68:98:D4:DD:94:B6:E9:71:70:C1:72:D2:3E:A0:40:62:D3:CA:8E:82
DirName:/CN=entitlement.server.example.com/C=US/L=Raleigh
serial:D6:CE:78:B1:56:9C:37:41
X509v3 Subject Key Identifier:
66:C1:E5:FA:8E:CE:1D:F6:83:85:AA:AF:08:5C:FF:DE:88:BA:92:20
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DirName:/CN=admin-example
Signature Algorithm: sha1WithRSAEncryption
0d:c4:74:6c:7a:fe:1f:61:f9:c7:3b:d9:18:70:7a:38:51:e2:
bb:a3:03:7e:7e:af:76:82:5e:fa:89:11:d1:9e:1c:e4:3e:58:
56:2f:eb:95:da:dc:aa:18:6f:73:24:04:8e:5f:ea:84:0c:ea:
8d:e6:c5:40:07:88:8d:41:30:c6:89:46:ca:cf:be:7b:8a:00:
f6:86:c4:38:7b:0b:fd:56:ad:d0:b6:76:a3:5a:77:dd:69:46:
47:f7:5f:46:81:6b:34:f4:4b:60:ea:e7:2c:2b:08:1f:c7:57:
ea:8d:24:4b:05:b3:a8:95:9b:af:05:36:11:38:e5:fa:5b:6b:
ca:5f*.pem file stored in the entitlement certificates directory, /etc/pki/entitlement. The name of the *.pem file is a numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3c:da:6c:06:90:7f:ff
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=candlepin.example.com, C=US, L=City
Validity
Not Before: Oct 8 17:55:28 2010 GMT
Not After : Oct 2 23:59:59 2011 GMT
Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...1.3.6.1.4.1.2312.9.2.product_#.config_#: ..config_value
2 indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.
1.3.6.1.4.1.2312.9. The subsequent numbers identify different subscription areas:
.2. is the product-specific information
.1. is the subscription information
.4. contains the contract information, like its ID number and start and end dates
.5. contains the consumer information, like the consumer ID which installed a product
content repository type
1.3.6.1.4.1.2312.9.2.30393.1:
..yum
product
1.3.6.1.4.1.2312.9.2.30393.1.1:
.HRed Hat Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
channel name
1.3.6.1.4.1.2312.9.2.30393.1.2:
.Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
vendor
1.3.6.1.4.1.2312.9.2.30393.1.5:
..Red Hat
download URL
1.3.6.1.4.1.2312.9.2.30393.1.6:
.Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
key download URL
1.3.6.1.4.1.2312.9.2.30393.1.7:
.2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
flex quantity
1.3.6.1.4.1.2312.9.2.30393.1.4:
..0
quantity
1.3.6.1.4.1.2312.9.2.30393.1.3:
..25
repo enabled setting
1.3.6.1.4.1.2312.9.2.30393.1.8:
..1*.pem file stored in the entitlement certificates directory, /etc/pki/product/product_serial#.pem. The name of the *.pem file is a numeric identifier that is generated by the subscription service. As with entitlement tracking, the generated ID is an inventory number, used to track installed products and associate them with systems within the subscription service.
<rhn-cert-field name="configuration_area">value</rhn-cert-field>
name argument identifies what entity is being configured. This can be the organization which ordered the subscription (name="owner"), the start and end dates for the entitlement (name="issued" and name="expires"), or the entitlement itself. A system entitlement uses the name argument to set the service being entitled; every content entitlement is set as a name="channel-family" type, with the specific product identified in an additional family argument.
name argument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
<rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field> <rhn-cert-field name="owner">Example Corp</rhn-cert-field> <rhn-cert-field name="issued">2009-04-07 10:18:33</rhn-cert-field> <rhn-cert-field name="expires">2009-11-25 00:00:00</rhn-cert-field> ... [snip] ... <rhn-cert-field name="satellite-version">5.3</rhn-cert-field> <rhn-cert-field name="generation">2</rhn-cert-field> <rhn-cert-signature> -----BEGIN PGP SIGNATURE----- Version: Crypt::OpenPGP 1.03 iQBGBAARAwAGBQJJ22C+AAoJEJ5ynaAAAAkyyZ0An18+4hK5Ozt4HWieFvahsTnF aPcaAJ0e5neOfdDZRLOgDE+Tp/Im3Hc3Rg== =gqP7 -----END PGP SIGNATURE----- </rhn-cert-signature>
name="slot" field lists how many total systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
<rhn-cert-field name="slots">119</rhn-cert-field>
name argument and then setting the quantity as the value within the tags.
<rhn-cert-field name="provisioning-slots">117</rhn-cert-field> <rhn-cert-field name="monitoring-slots">20</rhn-cert-field> <rhn-cert-field name="virtualization_host">67</rhn-cert-field>
rhel-server family, while a specific Virtualization Server subscription provides an additional rhel-server-vt family.
<rhn-cert-field name="channel-families" quantity="95" family="rhel-server"/> <rhn-cert-field name="channel-families" quantity="67" family="rhel-server-vt"/>
rhel-* family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the rhel-rhdirserv family.
<rhn-cert-field name="channel-families" quantity="3" family="rhel-rhdirserv"/>
<rhn-cert-field name="channel-families" quantity="212" family="rhn-tools"/>
Table of Contents
smb.conf Filehttpdhttpd.conf/etc/openldap/schema/ Directory/etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory:
/etc/hosts 127.0.0.1) as localhost.localdomain. For more information, refer to the hosts man page.
/etc/resolv.conf resolv.conf man page.
/etc/sysconfig/network /etc/sysconfig/network”.
/etc/sysconfig/network-scripts/ifcfg-<interface-name> /etc/sysconfig/networking/ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion.
ifcfg-<name> , where <name> refers to the name of the device that the configuration file controls.
ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-eth<X> files (where <X> is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0 BOOTPROTO=none ONBOOT=yes NETWORK=10.0.1.0 NETMASK=255.255.255.0 IPADDR=10.0.1.27 USERCTL=no
ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided by the DHCP server:
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes
system-config-network) is an easy way to make changes to the various network interface configuration files (refer to Chapter 16, Network Configuration for detailed instructions on using this tool).
BONDING_OPTS=<parameters> /etc/sysconfig/network-scripts/ifcfg-bond<N> (see Section 15.2.3, “Channel Bonding Interfaces”). These parameters are identical to those used for bonding devices in /sys/class/net/<bonding device>/bonding, and the module parameters for the bonding driver as described in bonding Module Directives.
BONDING_OPTS in ifcfg-<name> , do not use /etc/modprobe.conf to specify options for the bonding device.
BOOTPROTO=<protocol> <protocol> none — No boot-time protocol should be used.
bootp — The BOOTP protocol should be used.
dhcp — The DHCP protocol should be used.
BROADCAST=<address> <address> ipcalc.
DEVICE=<name> <name> DHCP_HOSTNAME=<name> <name>DNS{1,2}=<address> <address> /etc/resolv.conf if the PEERDNS directive is set to yes.
ETHTOOL_OPTS=<options> <options> ethtool. For example, if you wanted to force 100Mb, full duplex:
ETHTOOL_OPTS="autoneg off speed 100 duplex full"
ETHTOOL_OPTS to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.
autoneg off option. This needs to be stated first, as the option entries are order-dependent.
GATEWAY=<address> <address> is the IP address of the network router or gateway device (if any).
HOTPLUG=<answer> <answer> is one of the following:
yes — This device should be activated when it is hot-plugged (this is the default option).
no — This device should not be activated when it is hot-plugged.
HOTPLUG=no option can be used to prevent a channel bonding interface from being activated when a bonding kernel module is loaded.
HWADDR=<MAC-address> <MAC-address> is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive must be used in machines containing more than one NIC to ensure that the interfaces are assigned the correct device names regardless of the configured load order for each NIC's module. This directive should not be used in conjunction with MACADDR.
IPADDR=<address> <address> LINKDELAY=<time> <time> is the number of seconds to wait for link negotiation before configuring the device.
MACADDR=<MAC-address> <MAC-address> is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF. This directive is used to assign a MAC address to an interface, overriding the one assigned to the physical NIC. This directive should not be used in conjunction with HWADDR.
MASTER=<bond-interface> <bond-interface> SLAVE directive.
NETMASK=<mask> <mask> NETWORK=<address> <address> ipcalc.
ONBOOT=<answer> <answer> yes — This device should be activated at boot-time.
no — This device should not be activated at boot-time.
PEERDNS=<answer> <answer> yes — Modify /etc/resolv.conf if the DNS directive is set. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SLAVE=<answer> <answer> yes — This device is controlled by the channel bonding interface specified in the MASTER directive.
no — This device is not controlled by the channel bonding interface specified in the MASTER directive.
MASTER directive.
SRCADDR=<address> <address> USERCTL=<answer> <answer> yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
ifcfg file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is ipsec1, so the resulting file is named /etc/sysconfig/network-scripts/ifcfg-ipsec1.
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.XX.X.X.X is the publicly routable IP address of the destination IPsec router.
DST=<address> <address> is the IP address of the IPsec destination host or router. This is used for both host-to-host and network-to-network IPsec configurations.
DSTNET=<network> <network> is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations.
SRC=<address> <address> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.
SRCNET=<network> <network> is the network address of the IPsec source network. This is only used for network-to-network IPsec configurations.
TYPE=<interface-type> <interface-type> is IPSEC. Both applications are part of the ipsec-tools package.
/usr/share/doc/initscripts-<version-number>/sysconfig.txt (replace <version-number> with the version of the initscripts package installed) for configuration parameters.
racoon IKEv1 key management daemon negotiates and configures a set of parameters for IPSec. It can use preshared keys, RSA signatures, or GSS-API. If racoon is used to automatically manage key encryption, the following options are required:
IKE_METHOD=<encryption-method> <encryption-method> is either PSK, X509, or GSSAPI. If PSK is specified, the IKE_PSK parameter must also be set. If X509 is specified, the IKE_CERTFILE parameter must also be set.
IKE_PSK=<shared-key> <shared-key> is the shared, secret value for the PSK (preshared keys) method.
IKE_CERTFILE=<cert-file> <cert-file> is a valid X.509 certificate file for the host.
IKE_PEER_CERTFILE=<cert-file> <cert-file> is a valid X.509 certificate file for the remote host.
IKE_DNSSEC=<answer> <answer> is yes. The racoon daemon retrieves the remote host's X.509 certificate via DNS. If a IKE_PEER_CERTFILE is specified, do not include this parameter.
setkey man page. For more information about racoon, refer to the racoon and racoon.conf man pages.
bonding kernel module and a special network interface called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
/etc/sysconfig/network-scripts/ directory called ifcfg-bond<N> , replacing <N> with the number for the interface, such as 0.
DEVICE= directive must be bond<N> , replacing <N> with the number for the interface.
ifcfg-bond0:
DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="<bonding parameters separated by spaces>"MASTER= and SLAVE= directives to their configuration files. The configuration files for each of the channel-bonded interfaces can be nearly identical.
eth0 and eth1 may look like the following example:
DEVICE=eth<N>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no<N> with the numerical value for the interface.
/etc/modprobe.conf:
alias bond<N> bonding<N> with the number of the interface, such as 0.
/etc/modprobe.conf file. Instead, specify them as a space-separated list in the BONDING_OPTS="<bonding parameters>" directive in the ifcfg-bond<N> interface file.
debug parameter, which cannot be used on a per-device basis, and which should therefore be specified in /etc/modprobe.conf as follows:
options bonding debug=1
ifcfg-<if-name>:<alias-value> naming scheme.
ifcfg-eth0:0 file could be configured to specify DEVICE=eth0:0 and a static IP address of 10.0.0.2, serving as an alias of an Ethernet interface already configured to receive its IP information via DHCP in ifcfg-eth0. Under this configuration, eth0 is bound to a dynamic IP address, but the same physical network card can receive requests via the fixed, 10.0.0.2 IP address.
ifcfg-<if-name>-<clone-name> . While an alias file allows multiple addresses for an existing interface, a clone file is used to specify additional options for an interface. For example, a standard DHCP Ethernet interface called eth0, may look similar to this:
DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp
USERCTL directive is no if it is not specified, users cannot bring this interface up and down. To give users the ability to control the interface, create a clone by copying ifcfg-eth0 to ifcfg-eth0-user and add the following line to ifcfg-eth0-user:
USERCTL=yes
eth0 interface using the /sbin/ifup eth0-user command because the configuration options from ifcfg-eth0 and ifcfg-eth0-user are combined. While this is a very basic example, this method can be used with a variety of options and interfaces.
ifcfg-ppp<X> <X> is a unique number corresponding to a specific interface.
wvdial, the Network Administration Tool or Kppp is used to create a dialup account. It is also possible to create and edit this file manually.
ifcfg-ppp0 file:
DEVICE=ppp0 NAME=test WVDIALSECT=test MODEMPORT=/dev/modem LINESPEED=115200 PAPNAME=test USERCTL=true ONBOOT=no PERSIST=no DEFROUTE=yes PEERDNS=yes DEMAND=no IDLETIMEOUT=600
ifcfg-sl0.
DEFROUTE=<answer> <answer> yes — Set this interface as the default route.
no — Do not set this interface as the default route.
DEMAND=<answer> <answer> yes — This interface allows pppd to initiate a connection when someone attempts to use it.
no — A connection must be manually established for this interface.
IDLETIMEOUT=<value> <value> INITSTRING=<string> <string> LINESPEED=<value> <value> 57600, 38400, 19200, and 9600.
MODEMPORT=<device> <device> MTU=<value> <value> 576 results in fewer packets dropped and a slight improvement to the throughput for a connection.
NAME=<name> <name> PAPNAME=<name> <name> PERSIST=<answer> <answer> yes — This interface should be kept active at all times, even if deactivated after a modem hang up.
no — This interface should not be kept active at all times.
REMIP=<address> <address> WVDIALSECT=<name> <name> /etc/wvdial.conf. This file contains the phone number to be dialed and other important information for the interface.
ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo, should never be edited manually. Doing so can prevent the system from operating correctly.
ifcfg-irlan0 ifcfg-plip0 ifcfg-tr0 /etc/sysconfig/network-scripts/ directory: /sbin/ifdown and /sbin/ifup.
ifup and ifdown interface scripts are symbolic links to scripts in the /sbin/ directory. When either of these scripts are called, they require the value of the interface to be specified, such as:
ifup eth0ifup and ifdown interface scripts are the only scripts that the user should use to bring up and take down network interfaces.
/etc/rc.d/init.d/functions and /etc/sysconfig/network-scripts/network-functions. Refer to Section 15.5, “Network Function Files” for more information.
/etc/sysconfig/network-scripts/ directory:
ifup-aliases ifup-ippp and ifdown-ippp ifup-ipsec and ifdown-ipsec ifup-ipv6 and ifdown-ipv6 ifup-ipx ifup-plip ifup-plusb ifup-post and ifdown-post ifup-ppp and ifdown-ppp ifup-routes ifdown-sit and ifup-sit ifup-sl and ifdown-sl ifup-wireless /etc/sysconfig/network-scripts/ directory can cause interface connections to act irregularly or fail. Only advanced users should modify scripts related to a network interface.
/sbin/service command on the network service (/etc/rc.d/init.d/network), as illustrated the following command:
service network <action><action> can be either start, stop, or restart.
service network statusroute command to display the IP routing table.
/etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: IP command arguments and network/netmask directives.
default viaX.X.X.Xdevinterface
X.X.X.X is the IP address of the default gateway. The interface is the interface that is connected to, or can reach, the default gateway.
X.X.X.X/XviaX.X.X.Xdevinterface
X.X.X.X/X is the network number and netmask for the static route. X.X.X.X and interface are the IP address and interface for the default gateway respectively. The X.X.X.X address does not have to be the default gateway IP address. In most cases, X.X.X.X will be an IP address in a different subnet, and interface will be the interface that is connected to, or can reach, that subnet. Add as many static routes as required.
route-eth0 file using the IP command arguments format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
default via 192.168.0.1 dev eth0 10.10.10.0/24 via 192.168.0.1 dev eth0 172.16.1.0/24 via 192.168.0.1 dev eth0
10.10.10.0/24 via 10.10.10.1 dev eth1
ifup command: "RTNETLINK answers: File exists" or 'Error: either "to" is a duplicate, or "X.X.X.X" is a garbage.', where X.X.X.X is the gateway, or a different IP address. These errors can also occur if you have another route to another network using the default gateway. Both of these errors are safe to ignore.
route-interface files. The following is a template for the network/netmask format, with instructions following afterwards:
ADDRESS0=X.X.X.XNETMASK0=X.X.X.XGATEWAY0=X.X.X.X
ADDRESS0=X.X.X.X is the network number for the static route.
NETMASK0=X.X.X.X is the netmask for the network number defined with ADDRESS0=X.X.X.X .
GATEWAY0=X.X.X.X is the default gateway, or an IP address that can be used to reach ADDRESS0=X.X.X.X
route-eth0 file using the network/netmask directives format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks. However, as mentioned before, this example is not necessary as the 10.10.10.0/24 and 172.16.1.0/24 networks would use the default gateway anyway:
ADDRESS0=10.10.10.0 NETMASK0=255.255.255.0 GATEWAY0=192.168.0.1 ADDRESS1=172.16.1.0 NETMASK1=255.255.255.0 GATEWAY1=192.168.0.1
ADDRESS0, ADDRESS1, ADDRESS2, and so on.
ADDRESS0=10.10.10.0 NETMASK0=255.255.255.0 GATEWAY0=10.10.10.1
/etc/sysconfig/network-scripts/network-functions file contains the most commonly used IPv4 functions, which are useful to many interface control scripts. These functions include contacting running programs that have requested information about changes in the status of an interface, setting hostnames, finding a gateway device, verifying whether or not a particular device is down, and adding a default route.
/etc/sysconfig/network-scripts/network-functions-ipv6 file exists specifically to hold this information. The functions in this file configure and delete static IPv6 routes, create and remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface.
/usr/share/doc/initscripts-<version>/sysconfig.txt /usr/share/doc/iproute-<version>/ip-cref.ps ip command, which can be used to manipulate routing tables, among other things. Use the ggv or kghostview application to view this file.
/etc/hosts file used to store additional hostnames and IP address combinations.
system-config-network at a shell prompt (for example, in an XTerm or a GNOME terminal). If you type the command, the graphical version is displayed if X is running; otherwise, the text-based version is displayed.
system-config-network-cmd --help as root to view all of the options.
Modem as shown in Figure 16.7, “Modem Device”.
system-config-network is started on the local host, you may not be able to start another X11 application. As such, you may have to re-login to a new desktop session.
/etc/hosts file. This file contains IP addresses and their corresponding hostnames.
/etc/hosts file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration). If the IP address is listed in the /etc/hosts file, the name servers are not used. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the /etc/hosts file.
/etc/hosts file, go to the Hosts tab, click the button on the toolbar, provide the requested information, and click OK. Select > or press Ctrl+S to save the changes to the /etc/hosts file. The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved.
localhost entry. Even if the system does not have a network connection or have a network connection running constantly, some programs need to connect to the system via the localhost loopback interface.
/etc/host.conf file. The line order hosts, bind specifies that /etc/hosts takes precedence over the name servers. Changing the line to order bind, hosts configures the system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, the system then looks for the IP address in the /etc/hosts file.
eth0_office, so that it can be recognized more easily. Once you have finished editing your new profile, make sure to save it by clicking from the menu. If you forget to save after creating a profile, that profile will be lost.
eth0_office in a profile called Office and want to activate the logical device if the profile is selected, uncheck the eth0 device and check the eth0_office device.
eth0.
eth0 to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0 and an Away profile activate a PPP device for use while traveling.
netprofile=<profilename> option. For example, if the system uses GRUB as the boot loader and /boot/grub/grub.conf contains:
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet
initrd /initrd-2.6.9-5.EL.img<profilename> is the name of the profile to be activated at boot time):
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
netprofile=<profilename> \ rhgb quiet
initrd /initrd-2.6.9-5.EL.imgsystem-control-network) to select a profile and activate it. The activate profile section only appears in the Network Device Control interface if more than the default Common interface exists.
<profilename> with the name of the profile):
system-config-network-cmd --profile <profilename> --activateeth0 —to use a static IP address (DHCP does not work with aliases), go to the Devices tab and click . Select the Ethernet card to configure with an alias, set the static IP address for the alias, and click to create it. Since a device already exists for the Ethernet card, the one just created is the alias, such as eth0:1.
eth0 device. Notice the eth0:1 device — the first alias for eth0. The second alias for eth0 would have the device name eth0:2, and so on. To modify the settings for the device alias, such as whether to activate it at boot time and the alias number, select it from the list and click the button.
/sbin/ifconfig. The output should show the device and the device alias with different IP addresses:
eth0 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.5 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:161930 errors:1 dropped:0 overruns:0 frame:0 TX packets:244570 errors:0 dropped:0 overruns:0 carrier:0 collisions:475 txqueuelen:100 RX bytes:55075551 (52.5 Mb) TX bytes:178108895 (169.8 Mb) Interrupt:10 Base address:0x9000 eth0:1 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.42 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:10 Base address:0x9000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:5998 errors:0 dropped:0 overruns:0 frame:0 TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1627579 (1.5 Mb) TX bytes:1627579 (1.5 Mb)
/tmp/network-config, execute the following command as root:
system-config-network-cmd -e > /tmp/network-configsystem-config-network-cmd -i -c -f /tmp/network-config-i option means to import the data, the -c option means to clear the existing configuration prior to importing, and the -f option specifies that the file to import is as follows.
httpd if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
xinetd and the services in the /etc/rc.d/init.d hierarchy (also known as SysV services) can be configured to start or stop using three different applications:
xinetd services can not be started, stopped, or restarted using this program.
chkconfigxinetd services can not be started, stopped, or restarted using this utility.
/etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.
iptables to configure an IP firewall. If you are a new Linux user, note that iptables may not be the best solution for you. Setting up iptables can be complicated, and is best tackled by experienced Linux system administrators.
iptables is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, iptables can provide it for you. Refer to Section 46.8.1, “Netfilter and IPTables” and Section 46.8.3, “Using IPTables” for more information about iptables.
system-config-securitylevel), which allows you to select the security level for your system, similar to the Firewall Configuration screen in the installation program.
/etc/rc.d/rc<x>.d, where <x> is the number of the runlevel.
/etc/inittab file, which contains a line near the top of the file similar to the following:
id:5:initdefault:
xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the names imply, hosts.allow contains a list of rules that allow clients to access the network services controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file takes precedence over the hosts.deny file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to hosts_access in section 5 of the man pages (man 5 hosts_access) for details.
xinetdxinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more.
xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.
xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. You can edit any of the xinetd configuration files or change its enabled status using the Services Configuration Tool, ntsysv, or chkconfig. For a list of network services controlled by xinetd, review the contents of the /etc/xinetd.d directory with the command ls /etc/xinetd.d.
/etc/rc.d/init.d directory are started at boot time (for runlevels 3, 4, and 5) and which xinetd services are enabled. It also allows you to start, stop, and restart SysV services as well as reload xinetd.
system-config-services at a shell prompt (for example, in an XTerm or a GNOME terminal).
/etc/rc.d/init.d directory as well as the services controlled by xinetd. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an xinetd service, the status window shows whether the service is currently running. If the service is controlled by xinetd, the status window displays the phrase xinetd service.
xinetd service, the action buttons are disabled because they cannot be started or stopped individually.
xinetd service by checking or unchecking the checkbox next to the service name, you must select > from the pulldown menu (or the button above the tabs) to reload xinetd and immediately enable/disable the xinetd service that you changed. xinetd is also configured to remember the setting. You can enable/disable multiple xinetd services at a time and save the changes when you are finished.
rsync to enable it in runlevel 3 and then save the changes. The rsync service is immediately enabled. The next time xinetd is started, rsync is still enabled.
xinetd services, xinetd is reloaded, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.
xinetd service to start at boot time for the currently selected runlevel, check the box beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting > from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.
httpd service from checked to unchecked and then select , the runlevel 3 configuration changes so that httpd is not started at boot time. However, runlevel 3 is not reinitialized, so httpd is still running. Select one of following options at this point:
httpd service — Stop the service by selecting it from the list and clicking the button. A message appears stating that the service was stopped successfully.
telinit x (where x is the runlevel number; in this example, 3.). This option is recommended if you change the Start at Boot value of multiple services and want to activate the changes immediately.
httpd service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the httpd service running.
xinetd-managed service on or off. You can also use ntsysv to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the --level option. For example, the command ntsysv --level 345 configures runlevels 3, 4, and 5.
xinetd are immediately affected by ntsysv. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command service <daemon> stop (where <daemon> is the name of the service you want to stop; for example, httpd). Replace stop with start or restart to start or restart the service.
chkconfigchkconfig command can also be used to activate and deactivate services. The chkconfig --list command displays a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6. At the end of the list is a section for the services managed by xinetd.
chkconfig --list command is used to query a service managed by xinetd, it displays whether the xinetd service is enabled (on) or disabled (off). For example, the command chkconfig --list rsync returns the following output:
rsync on
rsync is enabled as an xinetd service. If xinetd is running, rsync is enabled.
chkconfig --list to query a service in /etc/rc.d, that service's settings for each runlevel are displayed. For example, the command chkconfig --list httpd returns the following output:
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
chkconfig can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn nscd off in runlevels 3, 4, and 5, use the following command:
chkconfig --level 345 nscd offxinetd are immediately affected by chkconfig. For example, if xinetd is running while rsync is disabled, and the command chkconfig rsync on is executed, then rsync is immediately enabled without having to restart xinetd manually. Changes for other services do not take effect immediately after using chkconfig. You must stop or start the individual service with the command service <daemon> stop (where <daemon> is the name of the service you want to stop; for example, httpd). Replace stop with start or restart to start or restart the service.
ntsysv, chkconfig, xinetd, and xinetd.conf.
man 5 hosts_access — The man page for the format of host access control files (in section 5 of the man pages).
xinetd webpage. It contains sample configuration files and a more detailed list of features.
named in Red Hat Enterprise Linux. You can manage it via the Services Configuration Tool (system-config-service).
bob.sales.example.com
.). In this example, com defines the top level domain for this FQDN. The name example is a sub-domain under com, while sales is a sub-domain under example. The name furthest to the left, bob, identifies a specific machine hostname.
/usr/sbin/named daemon. BIND also includes an administration utility called /usr/sbin/rndc. More information about rndc can be found in Section 18.4, “Using rndc ”.
/etc/named.conf named daemon
/var/named/ directorynamed working directory which stores zone, statistic, and cache files
bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, named.conf will be located in /var/named/chroot/etc/named.conf, and so on.
caching-nameserver package, the default configuration file is /etc/named.caching-nameserver.conf. To override this default configuration, you can create your own custom configuration file in /etc/named.conf. BIND will use the /etc/named.conf custom file instead of the default configuration file after you restart.
/etc/named.conf named.conf file is a collection of statements using nested options surrounded by opening and closing ellipse characters, { }. Administrators must be careful when editing named.conf to avoid syntax errors as many seemingly minor errors prevent the named service from starting.
named.conf file is organized similar to the following example:
<statement-1>["<statement-1-name>"] [<statement-1-class>] {<option-1>;<option-2>;<option-N>; };<statement-2>["<statement-2-name>"] [<statement-2-class>] {<option-1>;<option-2>;<option-N>; };<statement-N>["<statement-N-name>"] [<statement-N-class>] {<option-1>;<option-2>;<option-N>; };
/etc/named.conf:
acl Statementacl statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the nameserver.
acl statement takes the following form:
acl<acl-name>{<match-element>; [<match-element>; ...] };
<acl-name> with the name of the access control list and replace <match-element> with a semi-colon separated list of IP addresses. Most of the time, an individual IP address or IP network notation (such as 10.0.1.0/24) is used to identify the IP addresses within the acl statement.
any — Matches every IP address
localhost — Matches any IP address in use by the local system
localnets — Matches any IP address on any network to which the local system is connected
none — Matches no IP addresses
options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver.
options statement to define how they are treated by the nameserver:
acl black-hats {
10.0.2.0/24;
192.168.0.0/24;
};
acl red-hats {
10.0.1.0/24;
};
options {
blackhole { black-hats; };
allow-query { red-hats; };
allow-recursion { red-hats; };
};black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access.
include Statementinclude statement allows files to be included in a named.conf file. In this way, sensitive configuration data (such as keys) can be placed in a separate file with restrictive permissions.
include statement takes the following form:
include "<file-name>"<file-name> is replaced with an absolute path to a file.
options Statementoptions statement defines global server configuration options and sets defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more.
options statement takes the following form:
options {
<option>;
[<option>; ...]
};<option> directives are replaced with a valid option.
allow-query allow-recursion allow-query, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver.
blackhole directory named working directory if different from the default value, /var/named/.
forwarders forward forwarders directive.
first — Specifies that the nameservers listed in the forwarders directive be queried before named attempts to resolve the name itself.
only — Specifies that named does not attempt name resolution itself in the event that queries to nameservers specified in the forwarders directive fail.
listen-on named listens for queries. By default, all interfaces are used.
listen-on directive:
options {
listen-on { 10.0.1.1; };
};10.0.1.1) are accepted.
notify named notifies the slave servers when a zone is updated. It accepts the following options:
yes — Notifies slave servers.
no — Does not notify slave servers.
explicit — Only notifies slave servers specified in an also-notify list within a zone statement.
pid-file named.
root-delegation-only root-delegation-only example specifies an exclude list of TLDs from whom undelegated responses are expected and trusted:
options {
root-delegation-only exclude { "ad"; "ar"; "biz"; "cr"; "cu"; "de"; "dm"; "id";
"lu"; "lv"; "md"; "ms"; "museum"; "name"; "no"; "pa";
"pf"; "se"; "sr"; "to"; "tw"; "us"; "uy"; };
};statistics-file named statistics are saved to the /var/named/named.stats file.
bind.conf man page for more details.
zone Statementzone statement defines the characteristics of a zone, such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements.
zone statement takes the following form:
zone<zone-name><zone-class>{<zone-options>; [<zone-options>; ...] };
<zone-name> is the name of the zone, <zone-class> is the optional class of the zone, and <zone-options> is a list of options characterizing the zone.
<zone-name> attribute for the zone statement is particularly important. It is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file.
caching-nameserver package, the default configuration file will be in /etc/named.rfc1912.zones.
zone statement defines the namespace for example.com, use example.com as the <zone-name> so it is placed at the end of hostnames within the example.com zone file.
zone statement options include the following:
allow-query allow-transfer allow-update named service.
file named working directory that contains the zone's configuration data.
masters type slave.
notify named notifies the slave servers when a zone is updated. This directive accepts the following options:
yes — Notifies slave servers.
no — Does not notify slave servers.
explicit — Only notifies slave servers specified in an also-notify list within a zone statement.
type delegation-only — Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated as NXDOMAIN. This option is only applicable in TLDs or root zone files used in recursive or caching implementations.
forward — Forwards all requests for information about this zone to other nameservers.
hint — A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a hint zone.
master — Designates the nameserver as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
slave — Designates the nameserver as a slave server for this zone. Also specifies the IP address of the master nameserver for the zone.
zone-statistics named to keep statistics concerning this zone, writing them to either the default location (/var/named/named.stats) or the file listed in the statistics-file option in the server statement. Refer to Section 18.2.2, “Other Statement Types” for more information about the server statement.
zone Statements/etc/named.conf file of a master or slave nameserver involves adding, modifying, or deleting zone statements. While these zone statements can contain many options, most nameservers require only a small subset to function efficiently. The following zone statements are very basic examples illustrating a master-slave nameserver relationship.
zone statement for the primary nameserver hosting example.com (192.168.0.1):
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also tells named not to allow any other hosts to update.
zone statement for example.com is slightly different from the previous example. For a slave server, the type is set to slave and in place of the allow-update line is a directive telling named the IP address of the master server.
zone statement for example.com zone:
zone "example.com" {
type slave;
file "example.com.zone";
masters { 192.168.0.1; };
};zone statement configures named on the slave server to query the master server at the 192.168.0.1 IP address for information about the example.com zone. The information that the slave server receives from the master server is saved to the /var/named/example.com.zone file.
named.conf:
controls rndc command to administer the named service.
/etc/named.conf ” to learn more about how the controls statement is structured and what options are available.
key "<key-name>" rndc command. Two options are used with key:
algorithm <algorithm-name> — The type of algorithm used, such as dsa or hmac-md5.
secret "<key-value>" — The encrypted key.
/etc/rndc.conf ” for instructions on how to write a key statement.
logging channel option within the logging statement, a customized type of log can be constructed — with its own file name (file), size limit (size), versioning (version), and level of importance (severity). Once a customized channel is defined, a category option is used to categorize the channel and begin logging when named is restarted.
named logs standard messages to the syslog daemon, which places them in /var/log/messages. This occurs because several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
server named should respond to remote nameservers, especially with regard to notifications and zone transfers.
transfer-format option controls whether one resource record is sent with each message (one-answer) or multiple resource records are sent with each message (many-answers). While many-answers is more efficient, only newer BIND nameservers understand it.
trusted-keys view "<view-name>" match-clients option specifies the IP addresses that apply to a particular view. Any options statement may also be used within a view, overriding the global options already configured for named. Most view statements contain multiple zone statements that apply to the match-clients list. The order in which view statements are listed is important, as the first view statement that matches a particular client's IP address is used.
view statement.
named.conf:
// — When placed at the beginning of a line, that line is ignored by named.
# — When placed at the beginning of a line, that line is ignored by named.
/* and */ — When text is enclosed in these tags, the block of text is ignored by named.
named working directory (/var/named/) by default. Each zone file is named according to the file option data in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.
bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, you can find the zone files in /var/named/chroot/var/named.
;) in zone files.
$) followed by the name of the directive. They usually appear at the top of the zone file.
$INCLUDE named to include another zone file in this zone file at the place where the directive appears. This allows additional zone settings to be stored apart from the main zone file.
$ORIGIN
$ORIGIN example.com..) are appended with example.com.
$ORIGIN directive is unnecessary if the zone is specified in /etc/named.conf because the zone name is used as the value for the $ORIGIN directive by default.
$TTL A
<host> IN A <IP-address> <host> value is omitted, then an A record points to a default IP address for the top of the namespace. This system is the target for all non-FQDN requests.
A record examples for the example.com zone file:
server1 IN A 10.0.1.3 IN A 10.0.1.5
example.com are pointed to 10.0.1.3 or 10.0.1.5.
CNAME named that any requests sent to the <alias-name> should point to the host, <real-name>. CNAME records are most commonly used to point to services that use a common naming scheme, such as www for Web servers.
<alias-name> IN CNAME <real-name> A record binds a hostname to an IP address, while a CNAME record points the commonly used www hostname to it.
server1 IN A 10.0.1.5 www IN CNAME server1
MX
IN MX <preference-value> <email-server-name> <preference-value> allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others. The MX resource record with the lowest <preference-value> is preferred over the others. However, multiple email servers can possess the same value to distribute email traffic evenly among them.
<email-server-name> may be a hostname or FQDN.
IN MX 10 mail.example.com. IN MX 20 mail2.example.com.
mail.example.com email server is preferred to the mail2.example.com email server when receiving email destined for the example.com domain.
NS NS record:
IN NS <nameserver-name> <nameserver-name> should be an FQDN.
IN NS dns1.example.com. IN NS dns2.example.com.
PTR PTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name. Refer to Section 18.3.4, “Reverse Name Resolution Zone Files” for more examples of PTR records in use.
SOA SOA resource record is the first resource record in a zone file.
SOA resource record:
@ IN SOA<primary-name-server><hostmaster-email>(<serial-number><time-to-refresh><time-to-retry><time-to-expire><minimum-TTL>)
@ symbol places the $ORIGIN directive (or the zone's name, if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record. The hostname of the primary nameserver that is authoritative for this domain is the <primary-name-server> directive, and the email of the person to contact about this namespace is the <hostmaster-email> directive.
<serial-number> directive is a numerical value incremented every time the zone file is altered to indicate it is time for named to reload the zone. The <time-to-refresh> directive is the numerical value slave servers use to determine how long to wait before asking the master nameserver if any changes have been made to the zone. The <serial-number> directive is a numerical value used by the slave servers to determine if it is using outdated zone data and should therefore refresh it.
<time-to-retry> directive is a numerical value used by slave servers to determine the length of time to wait before issuing a refresh request in the event that the master nameserver is not answering. If the master has not replied to a refresh request before the amount of time specified in the <time-to-expire> directive elapses, the slave servers stop responding as an authority for requests concerning that namespace.
<minimum-TTL> directive is the amount of time other nameservers cache the zone's information. However, in BIND 9, the <minimum-TTL> directive defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (3H).
M), hours (H), days (D), and weeks (W). The table in Table 18.1, “Seconds compared to other time units” shows an amount of time in seconds and the equivalent time in another format.
| Seconds | Other Time Units |
|---|---|
60
|
1M
|
1800
|
30M
|
3600
|
1H
|
10800
|
3H
|
21600
|
6H
|
43200
|
12H
|
86400
|
1D
|
259200
|
3D
|
604800
|
1W
|
31536000
|
365D
|
SOA resource record might take when it is populated with real values.
@ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day
$ORIGIN example.com. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; ; IN NS dns1.example.com. IN NS dns2.example.com. dns1 IN A 10.0.1.1 IN AAAA aaaa:bbbb::1 dns2 IN A 10.0.1.2 IN AAAA aaaa:bbbb::2 ; ; @ IN MX 10 mail.example.com. IN MX 20 mail2.example.com. mail IN A 10.0.1.5 IN AAAA aaaa:bbbb::5 mail2 IN A 10.0.1.6 IN AAAA aaaa:bbbb::6 ; ; ; This sample zone file illustrates sharing the same IP addresses ; for multiple services: ; services IN A 10.0.1.10 IN AAAA aaaa:bbbb::10 IN A 10.0.1.11 IN AAAA aaaa:bbbb::11 ftp IN CNAME services.example.com. www IN CNAME services.example.com. ; ;
SOA values are used. The authoritative nameservers are set as dns1.example.com and dns2.example.com, which have A records that tie them to 10.0.1.1 and 10.0.1.2, respectively.
MX records point to mail and mail2 via A records. Since the mail and mail2 names do not end in a trailing period (.), the $ORIGIN domain is placed after them, expanding them to mail.example.com and mail2.example.com. Through the related A resource records, their IP addresses can be determined.
www.example.com (WWW), are pointed at the appropriate servers using a CNAME record.
zone statement in the named.conf similar to the following:
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { none; };
};
PTR resource records are used to link the IP addresses to a fully qualified domain name.
PTR record:
<last-IP-digit> IN PTR <FQDN-of-system> <last-IP-digit> is the last number in an IP address which points to a particular system's FQDN.
10.0.1.1 through 10.0.1.6 are pointed to corresponding FQDNs. It can be located in /var/named/example.com.rr.zone.
$ORIGIN 1.0.10.in-addr.arpa. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; @ IN NS dns1.example.com. ; 1 IN PTR dns1.example.com. 2 IN PTR dns2.example.com. ; 5 IN PTR server1.example.com. 6 IN PTR server2.example.com. ; 3 IN PTR ftp.example.com. 4 IN PTR ftp.example.com.
zone statement in the named.conf file similar to the following:
zone "1.0.10.in-addr.arpa" IN {
type master;
file "example.com.rr.zone";
allow-update { none; };
};
zone statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of the IP address reversed followed by .in-addr.arpa. This allows the single block of IP numbers used in the reverse name resolution zone file to be associated with the zone.
rndc rndc which allows command line administration of the named daemon from the localhost or a remote host.
named daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both /etc/named.conf and the rndc configuration file, /etc/rndc.conf.
bind-chroot package, the BIND service will run in the /var/named/chroot environment. All configuration files will be moved there. As such, the rndc.conf file is located in /var/named/chroot/etc/rndc.conf.
rndc utility does not run in a chroot environment, /etc/rndc.conf is a symlink to /var/named/chroot/etc/rndc.conf.
/etc/named.conf rndc to connect to a named service, there must be a controls statement in the BIND server's /etc/named.conf file.
controls statement, shown in the following example, allows rndc to connect from the localhost.
controls {
inet 127.0.0.1
allow { localhost; } keys { <key-name>; };
};
named to listen on the default TCP port 953 of the loopback address and allow rndc commands coming from the localhost, if the proper key is given. The <key-name> specifies a name in the key statement within the /etc/named.conf file. The next example illustrates a sample key statement.
key "<key-name>" { algorithm hmac-md5; secret "<key-value>"; };
<key-value> uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name> <key-value> area can be found in the <key-file-name> /etc/named.conf is world-readable, it is advisable to place the key statement in a separate file, readable only by root, and then use an include statement to reference it. For example:
include "/etc/rndc.key";named daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible.
query-source (and query-source-v6) directive, or one randomly chosen at startup. When a static query source port is used, TXID offers insufficient protection against spoofed replies and allows an attacker to efficiently perform cache-poisoning attacks. To address this issue, BIND was updated to allow the use of a randomly-selected source port for each DNS query, making it more difficult for an attacker to spoof replies, when the query packets cannot be detected. A security update [3] was released for all the affected Red Hat Enterprise Linux versions. Additionally, the default configuration provided by the caching-nameserver package was updated to no longer specify a fixed query source port.
53 as a query source port, and only allow DNS queries from that port on the firewall.
/etc/rndc.conf key is the most important statement in /etc/rndc.conf.
key "<key-name>" { algorithm hmac-md5; secret "<key-value>"; };
<key-name> and <key-value> should be exactly the same as their settings in /etc/named.conf.
/etc/named.conf, add the following lines to /etc/rndc.conf.
options {
default-server localhost;
default-key "<key-name>";
};
rndc configuration file can also specify different keys for different servers, as in the following example:
server localhost {
key "<key-name>";
};
/etc/rndc.conf file.
/etc/rndc.conf file, refer to the rndc.conf man page.
rndc command takes the following form:
rndc <options> <command> <command-options> rndc on a properly configured localhost, the following commands are available:
halt — Stops the named service immediately.
querylog — Logs all queries made to this nameserver.
refresh — Refreshes the nameserver's database.
reload — Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions.
reload command.
stats — Dumps the current named statistics to the /var/named/named.stats file.
stop — Stops the server gracefully, saving any dynamic update and Incremental Zone Transfers (IXFR) data before exiting.
/etc/rndc.conf file. The following options are available:
-c <configuration-file> — Specifies the alternate location of a configuration file.
-p <port-number> — Specifies a port number to use for the rndc connection other than the default port 953.
-s <server> — Specifies a server other than the default-server listed in /etc/rndc.conf.
-y <key-name> — Specifies a key other than the default-key option in /etc/rndc.conf.
rndc man page.
named to provide name resolution services or to act as an authority for a particular domain or sub-domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.
view statement in named.conf, BIND can present different information depending on which network a request originates from.
view statement uses the match-clients option to match IP addresses or entire networks and give them special options and zone data.
A6 zone records.
lwresd lightweight resolver daemon on all network clients. This daemon is a very efficient, caching-only nameserver which understands the new A6 and DNAME records used under IPv6. Refer to the lwresd man page for more information.
/etc/named.conf file.
named to refuse to start.
.) in zone files after all FQDNs and omit them on hostnames.
named appends the name of the zone or the $ORIGIN value to complete it.
named daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible. For important security information regarding fixed UDP source ports, refer to Section 18.4.1.1, “Firewall Blocking Communication”
<version-number> with the version of bind installed on the system:
/usr/share/doc/bind-<version-number>/ /usr/share/doc/bind-<version-number>/arm/ /usr/share/doc/bind-<version-number>/draft/ /usr/share/doc/bind-<version-number>/misc/ migration document for specific changes they must make when moving to BIND 9. The options file lists all of the options implemented in BIND 9 that are used in /etc/named.conf.
/usr/share/doc/bind-<version-number>/rfc/ man rndc — Explains the different options available when using the rndc command to control a BIND nameserver.
man named — Explores assorted arguments that can be used to control the BIND nameserver daemon.
man lwresd — Describes the purpose of and options available for the lightweight resolver daemon.
man named.conf — A comprehensive list of options available within the named configuration file.
man rndc.conf — A comprehensive list of options available within the rndc configuration file.
telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
openssh) as well as the OpenSSH server (openssh-server) and client (openssh-clients) packages. Note, the OpenSSH packages require the OpenSSL package (openssl) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
openssh-server package is required and is dependent on the openssh package.
/etc/ssh/sshd_config. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default sshd_config, read the sshd man page for a list of the keywords that can be defined in the configuration file.
/sbin/service sshd start. To stop the OpenSSH server, use the command /sbin/service sshd stop. If you want the daemon to start automatically at boot time, refer to Chapter 17, Controlling Access to Services for information on how to manage services.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed.
/etc/ssh/ssh_host*key* files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
telnet
rsh
rlogin
vsftpd
chkconfig, the ncurses-based program /usr/sbin/ntsysv, or the Services Configuration Tool (system-config-services) graphical application. All of these tools require root level access.
chkconfig, /usr/sbin/ntsysv, and the Services Configuration Tool, refer to Chapter 17, Controlling Access to Services.
ssh, scp, and sftp) and one for the server daemon (sshd).
/etc/ssh/ directory:
moduli — Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.
ssh_config — The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (~/.ssh/config).
sshd_config — The configuration file for the sshd daemon.
ssh_host_dsa_key — The DSA private key used by the sshd daemon.
ssh_host_dsa_key.pub — The DSA public key used by the sshd daemon.
ssh_host_key — The RSA private key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_key.pub — The RSA public key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_rsa_key — The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
ssh_host_rsa_key.pub — The RSA public key used by the sshd for version 2 of the SSH protocol.
~/.ssh/ directory:
authorized_keys — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
id_dsa — Contains the DSA private key of the user.
id_dsa.pub — The DSA public key of the user.
id_rsa — The RSA private key used by ssh for version 2 of the SSH protocol.
id_rsa.pub — The RSA public key used by ssh for version 2 of the SSH protocol
identity — The RSA private key used by ssh for version 1 of the SSH protocol.
identity.pub — The RSA public key used by ssh for version 1 of the SSH protocol.
known_hosts — This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server.
known_hosts file using a text editor. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.
ssh_config and sshd_config man pages for information concerning the various directives available in the SSH configuration files.
openssh-clients and openssh packages installed on the client machine.
ssh Commandssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.netssh to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established. DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c. Are you sure you want to continue connecting (yes/no)?
yes to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts) as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
ssh username@penguin.example.netssh -l username penguin.example.net.
ssh command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostname command. For example, if you want to execute the command ls /usr/share/doc on the remote machine penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net ls /usr/share/doc/usr/share/doc will be displayed, and you will return to your local shell prompt.
scp Commandscp command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp.
scp <localfile> username@tohostname:<remotefile><localfile> specifies the source including path to the file, such as /var/log/maillog. The <remotefile> specifies the destination, which can be a new filename such as /tmp/hostname-maillog. For the remote system, if you do not have a preceding /, the path will be relative to the home directory of username, typically /home/username/.
shadowman to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:shadowmanshadowman to /home/username/shadowman on penguin.example.net. Alternately, you can leave off the final shadowman in the scp command.
scp username@tohostname:<remotefile> <newlocalfile><remotefile> specifies the source including path, and <newlocalfile> specifies the destination including path.
downloads/ to an existing directory called uploads/ on the remote machine penguin.example.net, type the following at a shell prompt:
scp downloads/* username@penguin.example.net:uploads/sftp Commandsftp utility can be used to open a secure, interactive FTP session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp man page for a list of these commands. To read the man page, execute the command man sftp at a shell prompt. The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.
-Y option and running an X program on a local machine.
ssh -Y <user>@example.comsystem-config-printer &ssh -L local-port:remote-hostname:remote-port username@hostnamemail.example.com using POP3 through an encrypted connection, use the following command:
ssh -L 1100:mail.example.com:110 mail.example.commail.example.com server.
mail.example.com is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
ssh -L 1100:mail.example.com:110 other.example.comother.example.com. Then, other.example.com connects to port 110 on mail.example.com to check for new mail. Note, when using this technique only the connection between the client system and other.example.com SSH server is secure.
No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting the sshd service.
ssh, scp, or sftp to connect to a remote machine, you can generate an authorization key pair.
~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are obsolete. SSH Protocol 1 and 2 share the ~/.ssh/authorized_keys, ~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
.ssh directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
ssh-keygen -t rsa~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa. Never distribute your private key to anyone.
.ssh directory using the following command:
chmod 755 ~/.ssh~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exist, append the contents of the file ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keysssh-agent with a GUI”. If you are not running the X Window System, skip to Section 19.7.3.5, “Configuring ssh-agent”.
ssh-keygen -t dsa~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again.
~/.ssh/id_dsa.pub. The private key is written to ~/.ssh/id_dsa. It is important never to give anyone the private key.
.ssh directory with the following command:
chmod 755 ~/.ssh~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys exist, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on the other machine.
authorized_keys file using the following command:
chmod 644 ~/.ssh/authorized_keysssh-agent with a GUI”. If you are not running the X Window System, skip to Section 19.7.3.5, “Configuring ssh-agent”.
ssh-keygen -t rsa1~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
~/.ssh/identity.pub. The private key is written to ~/.ssh/identity. Do not give anyone the private key.
.ssh directory and your key with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.
~/.ssh/identity.pub into the file ~/.ssh/authorized_keys on the machine to which you wish to connect. If the file ~/.ssh/authorized_keys does not exist, you can copy the file ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the remote machine.
ssh-agent with a GUI”. If you are not running GNOME, skip to Section 19.7.3.5, “Configuring ssh-agent”.
ssh-agent with a GUIssh-agent utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh or scp connection. If you are using GNOME, the gnome-ssh-askpass package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session. If you are not using GNOME, refer to Section 19.7.3.5, “Configuring ssh-agent”.
gnome-ssh-askpass installed; you can use the command rpm -q openssh-askpass to determine if it is installed or not. If it is not installed, install it from your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.
/usr/bin/ssh-add in the Startup Command text area. Set it a priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for ssh-add is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click to exit the program.
ssh, scp, or sftp.
ssh-agentssh-agent can be used to store your passphrase so that you do not have to enter it each time you make a ssh or scp connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to Section 19.7.3.4, “Configuring ssh-agent with a GUI”), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
exec /usr/bin/ssh-agent $SHELLssh-addssh, scp, sftp, sshd, and ssh-keygen man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.
portmap, rpc.lockd, and rpc.statd daemons. NFSv4 listens on the well-known TCP port 2049, which eliminates the need for portmap interaction. The mounting and locking protocols have been incorporated into the V4 protocol which eliminates the need for interaction with rpc.lockd and rpc.statd. The rpc.mountd daemon is still required on the server, but is not involved in any over-the-wire operations.
-p command line option that can set the port, making firewall configuration easier.
/etc/exports, to determine whether the client is allowed to access any of the exported file systems. Once access is granted, all file and directory operations are available to the user.
rpc.nfsd process now allow binding to any specified port during system start up. However, this can be error prone if the port is unavailable or conflicts with another daemon.
portmap service. To share or mount NFS file systems, the following services work together, depending on which version of NFS is implemented:
nfs — (/sbin/service nfs start) starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.
nfslock — (/sbin/service nfslock start) is a mandatory service that starts the appropriate RPC processes to allow NFS clients to lock files on the server.
portmap — accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services access them. portmap responds to requests for RPC services and sets up connections to the requested RPC service.
rpc.mountd — This process receives mount requests from NFS clients and verifies the requested file system is currently exported. This process is started automatically by the nfs service and does not require user configuration.
rpc.nfsd — Allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service.
rpc.lockd — allows NFS clients to lock files on the server. If rpc.lockd is not started, file locking will fail. rpc.lockd implements the Network Lock Manager (NLM) protocol. This process corresponds to the nfslock service. This is not used with NFSv4.
rpc.statd — This process implements the Network Status Monitor (NSM) RPC protocol which notifies NFS clients when an NFS server is restarted without being gracefully brought down. This process is started automatically by the nfslock service and does not require user configuration. This is not used with NFSv4.
rpc.rquotad — This process provides user quota information for remote users. This process is started automatically by the nfs service and does not require user configuration.
rpc.idmapd — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf must be configured. This service is required for use with NFSv4.
mount command. The format of the command is as follows:
mount -t <nfs-type> -o <options> <host>:</remote/export> </local/directory><nfs-type> with either nfs for NFSv2 or NFSv3 servers, or nfs4 for NFSv4 servers. Replace <options> with a comma separated list of options for the NFS file system (refer to Section 20.4, “Common NFS Mount Options” for details). Replace <host> with the remote host, </remote/export> with the remote directory being mounted, and </local/directory> with the local directory where the remote file system is to be mounted.
mount man page for more details.
mount command, the file system must be remounted manually after the system is rebooted. Red Hat Enterprise Linux offers two methods for mounting remote file systems automatically at boot time: the /etc/fstab file or the autofs service.
/etc/fstab/etc/fstab file. The /etc/fstab file is referenced by the netfs service at boot time, so lines referencing NFS shares have the same effect as manually typing the mount command during the boot process. Each line in this file must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the /etc/fstab file.
/etc/fstab is as follows:
<server>:</remote/export> </local/directory> <nfs-type> <options> 0 0<server></remote/export></local/directory><nfs-type>nfs for NFSv2 or NFSv3 servers, or nfs4 for NFSv4 servers. Finally, replace <options> with a comma separated list of options for the NFS file system (see Section 20.4, “Common NFS Mount Options” for details). Note that the mount point must exist before /etc/fstab is read, otherwise the mount fails.
/etc/fstab line to mount an NFS export:
server:/usr/local/pub /pub nfs defaults 0 0
/etc/fstab on the client system, type the command mount /pub at a shell prompt, and the mount point /pub is mounted from the server. The mount point /pub must exist on the client machine before this command can be executed.
/etc/fstab configuration file and its contents, refer to the fstab manual page.
autofs/etc/fstab is that, regardless of how infrequently a user accesses the NFS mounted file system, the system must dedicate resources to keep the mounted file system in place. This is not a problem with one or two mounts, but when the system is maintaining mounts to many systems at one time, overall system performance can be affected. An alternative to /etc/fstab is to use the kernel-based automount utility. An automounter consists of two components. One is a kernel module that implements a file system, while the other is a user-space daemon that performs all of the other functions. The automount utility can mount and unmount NFS file systems automatically (on demand mounting) therefore saving system resources. The automount utility can be used to mount other file systems including AFS, SMBFS, CIFS and local file systems.
autofs uses /etc/auto.master (master map) as its default primary configuration file. This can be changed to use another supported network source and name using the autofs configuration (in /etc/sysconfig/autofs) in conjunction with the Name Service Switch mechanism. An instance of the version 4 daemon was run for each mount point configured in the master map and so it could be run manually from the command line for any given mount point. This is not possible with version 5 because it uses a single daemon to manage all configured mount points, so all automounts must be configured in the master map. This is in line with the usual requirements of other industry standard automounters. Mount point, hostname, exported directory, and options can all be specified in a set of files (or other supported network sources) rather than configuring them manually for each host. Please ensure that you have the autofs package installed if you wish to use this service.
autofs version 5?/net/<host>" as a multi-mount map entry. When using the "-hosts" map, an 'ls' of "/net/<host>" will mount autofs trigger mounts for each export from <host> and mount and expire them as they are accessed. This can greatly reduce the number of active mounts needed when accessing a server with a large number of exports.
/etc/sysconfig/autofs) provides a mechanism to specify the autofs schema that a site implements, thus precluding the need to determine this via trial and error in the application itself. In addition, authenticated binds to the LDAP server are now supported, using most mechanisms supported by the common LDAP server implementations. A new configuration file has been added for this support: /etc/autofs_ldap_auth.conf. The default configuration file is self-documenting, and uses an XML format.
nsswitch) configuration./- /tmp/auto_dcthon /- /tmp/auto_test3_direct /- /tmp/auto_test4_direct
autofs Configuration/etc/auto.master, also referred to as the master map which may be changed as described in the introduction section above. The master map lists autofs-controlled mount points on the system, and their corresponding configuration files or network sources known as automount maps. The format of the master map is as follows:
<mount-point> <map-name> <options>
mount-point is the autofs mount point such as /home.
map-name is the name of a map source which contains a list of mount points, and the file system location from which those mount points should be mounted. The syntax for a map entry is described below.
options if supplied, will apply to all entries in the given map provided they don't themselves have options specified. This behavior is different from autofs version 4 where the options where cumulative. This has been changed to meet our primary goal of mixed environment compatibility.
/etc/auto.master file:
~]$ cat /etc/auto.master
/home /etc/auto.misc<mount-point> [<options>] <location>
<mount-point> is the autofs mount point. This can be a single directory name for an indirect mount or the full path of the mount point for direct mounts. Each direct and indirect map entry key (<mount-point> above) may be followed by a space separated list of offset directories (sub directory names each beginning with a "/") making them what is known as a mutli-mount entry.
~]$ cat /etc/auto.misc
payroll -fstype=nfs personnel:/dev/hda3
sales -fstype=ext3 :/dev/hda4sales and payroll from the server called personnel). The second column indicates the options for the autofs mount while the third column indicates the source of the mount. Following the above configuration, the autofs mount points will be /home/payroll and /home/sales. The -fstype= option is often omitted and is generally not needed for correct operation.
service autofs startservice autofs restart/home/payroll/2006/July.sxc, the automount daemon automatically mounts the directory. If a timeout is specified, the directory will automatically be unmounted if the directory is not accessed for the timeout period.
/sbin/service/autofs statusautofs Common Tasks/etc/nsswitch.conf file has the following directive:
automount: files nis
auto.master map file contains the following:
/home auto.home
auto.home map contains the following:
beth fileserver.example.com:/export/home/beth joe fileserver.example.com:/export/home/joe * fileserver.example.com:/export/home/&
/etc/auto.home does not exist.
/etc/auto.master map:
/home /etc/auto.home2 +auto.master
/etc/auto.home2 map contains the entry:
* labserver.example.com:/export/home/&
/home will contain the contents of /etc/auto.home2 instead of the NIS auto.home map.
auto.home map with a few entries, create a /etc/auto.home file map, and in it put your new entries and at the end, include the NIS auto.home map. Then the /etc/auto.home file map might look similar to:
mydir someserver:/export/mydir +auto.home
auto.home map listed above, an ls of /home would now give:
~]$ ls /home
beth joe mydirautofs knows not to include the contents of a file map of the same name as the one it is reading and so moves on to the next map source in the nsswitch configuration.
openldap package should be installed automatically as a dependency of the automounter. To configure LDAP access, modify /etc/openldap/ldap.conf. Ensure that BASE and URI are set appropriately for your site. Please also ensure that the schema is set in the configuration.
rfc2307bis. To use this schema it is necessary to set it in the autofs configuration (/etc/sysconfig/autofs) by removing the comment characters from the schema definition. For example:
DEFAULT_MAP_OBJECT_CLASS="automountMap" DEFAULT_ENTRY_OBJECT_CLASS="automount" DEFAULT_MAP_ATTRIBUTE="automountMapName" DEFAULT_ENTRY_ATTRIBUTE="automountKey" DEFAULT_VALUE_ATTRIBUTE="automountInformation"
automountKey replaces the cn attribute in the rfc2307bis schema. An LDIF of a sample configuration is described below:
# extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectclass=automountMap)(automountMapName=auto.master)) # requesting: ALL # # auto.master, example.com dn: automountMapName=auto.master,dc=example,dc=com objectClass: top objectClass: automountMap automountMapName: auto.master # extended LDIF # # LDAPv3 # base <automountMapName=auto.master,dc=example,dc=com> with scope subtree # filter: (objectclass=automount) # requesting: ALL # # /home, auto.master, example.com dn: automountMapName=auto.master,dc=example,dc=com objectClass: automount cn: /home automountKey: /home automountInformation: auto.home # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectclass=automountMap)(automountMapName=auto.home)) # requesting: ALL # # auto.home, example.com dn: automountMapName=auto.home,dc=example,dc=com objectClass: automountMap automountMapName: auto.home # extended LDIF # # LDAPv3 # base <automountMapName=auto.home,dc=example,dc=com> with scope subtree # filter: (objectclass=automount) # requesting: ALL # # foo, auto.home, example.com dn: automountKey=foo,automountMapName=auto.home,dc=example,dc=com objectClass: automount automountKey: foo automountInformation: filer.example.com:/export/foo # /, auto.home, example.com dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com objectClass: automount automountKey: / automountInformation: filer.example.com:/export/&
<mount-point> <maptype1> <mapname1> <options1> -- <maptype2> <mapname2> <options2> -- ...
/home file /etc/auto.home -- nis auto.home/etc/nsswitch.conf must list:
automount: files nis
/etc/auto.master should contain:
/home auto.home
/etc/auto.home should contain:
<entries for the home directory> +auto.home
/etc/auto.home and the nis auto.home map are combined.
/etc/nsswitch.conf. The map is read if it exists and its contents are merged into one large auto.master map.
nsswitch.conf is consulted. If it is desirable to merge the contents of multiple master maps, included maps can be used. Consider the following example:
/etc/nsswitch.conf: automount: files nis
/etc/auto.master: /home /etc/auto.home +auto.master
auto.master and the NIS-based auto.master. However, because included map entries are only allowed in file maps, there is no way to include both an NIS auto.master and an LDAP auto.master.
auto.master.ldap we could also add "+auto.master.ldap" to the file based master map and provided that "ldap" is listed as a source in our nsswitch configuration it would also be included.
mount commands, /etc/fstab settings, and autofs.
hard or soft — Specifies whether the program using a file via an NFS connection should stop and wait (hard) for the server to come back online, if the host serving the exported file system is unavailable, or if it should report an error (soft).
hard is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified.
soft is specified, the user can set an additional timeo=<value> option, where <value>intr — Allows NFS requests to be interrupted if the server goes down or cannot be reached.
nfsvers=2 or nfsvers=3 — Specifies which version of the NFS protocol to use. This is useful for hosts that run multiple NFS servers. If no version is specified, NFS uses the highest supported version by the kernel and mount command. This option is not supported with NFSv4 and should not be used.
noacl — Turns off all ACL processing. This may be needed when interfacing with older versions of Red Hat Enterprise Linux, Red Hat Linux, or Solaris, since the most recent ACL technology is not compatible with older systems.
nolock — Disables file locking. This setting is occasionally required when connecting to older NFS servers.
noexec — Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.
nosuid — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.
port=num — Specifies the numeric value of the NFS server port. If num0 (the default), then mount queries the remote host's portmapper for the port number to use. If the remote host's NFS daemon is not registered with its portmapper, the standard NFS port number of TCP 2049 is used instead.
rsize=num and wsize=num — These settings speed up NFS communication for reads (rsize) and writes (wsize) by setting a larger data block size, in bytes, to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes. For NFSv2 or NFSv3, the default values for both parameters is set to 8192. For NFSv4, the default values for both parameters is set to 32768.
sec=mode — Specifies the type of security to utilize when authenticating an NFS connection.
sec=sys is the default setting, which uses local UNIX UIDs and GIDs by means of AUTH_SYS to authenticate NFS operations.
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also has the most performance overhead involved.
tcp — Specifies for the NFS mount to use the TCP protocol.
udp — Specifies for the NFS mount to use the UDP protocol.
mount and nfs man pages.
portmap service must be running. To verify that portmap is active, type the following command as root:
service portmap statusportmap service is running, then the nfs service can be started. To start an NFS server, as root type:
service nfs startnfslock also has to be started for both the NFS client and server to function properly. To start NFS locking as root type: /sbin/service nfslock start. If NFS is set to start at boot, please ensure that nfslock also starts by running chkconfig --list nfslock. If nfslock is not set to on, this implies that you will need to manually run the /sbin/service nfslock start each time the computer starts. To set nfslock to automatically start on boot, type the following command in a terminal chkconfig nfslock on.
service nfs stoprestart option is a shorthand way of stopping and then starting NFS. This is the most efficient way to make configuration changes take effect after editing the configuration file for NFS.
service nfs restartcondrestart (conditional restart) option only starts nfs if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
service nfs condrestartservice nfs reloadnfs service does not start automatically at boot time. To configure the NFS to start up at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Chapter 17, Controlling Access to Services for more information regarding these tools.
system-config-nfs), manually editing its configuration file (/etc/exports), or using the /usr/sbin/exportfs command.
system-config-nfs in a terminal. The NFS Server Configuration tool window is illustrated below.
/tmp.
insecure.
insecure_locks.
no_subtree_check.
sync. If this is not selected, the async option is used.
no_wdelay.
nohide option on or off. When the nohide option is off, nested directories are revealed. The clients can therefore navigate through a filesystem from the parent without noticing any changes.
mountpoint option which allows a directory to be exported only if it has been mounted.
fsid=X option. This is mainly used in a clustered setup. Using a consistent filesystem ID in all clusters avoids having stale NFS filehandles.
no_root_squash.
all_squash.
anonuid.
anongid.
/etc/exports.bak. The new configuration is written to /etc/exports.
/etc/exports configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax).
/etc/exports and using the /usr/sbin/exportfs command to export NFS file systems.
/etc/exports file controls what directories the NFS server exports. Its format is as follows:
directoryhostname(options)
sync or async (sync is recommended). If sync is specified, the server does not reply to requests before the changes made by the request are written to the disk.
/misc/export speedy.example.com(sync)
speedy.example.com to mount /misc/export with the default read-only permissions, but,
/misc/export speedy.example.com(rw,sync)
speedy.example.com to mount /misc/export with read/write privileges.
/etc/exports file. If there are no spaces between the hostname and the options in parentheses, the options apply only to the hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
/misc/export speedy.example.com(rw,sync) /misc/export speedy.example.com (rw,sync)
speedy.example.com read-write access and denies all other users. The second line grants users from speedy.example.com read-only access (the default) and allows the rest of the world read-write access.
/etc/exports, you must inform the NFS daemon of the change, or reload the configuration file with the following command:
service nfs reload/etc/sysconfig/nfs configuration file to control which ports the required RPC services run on. Refer to and read Section 30.1.22, “/etc/sysconfig/nfs” for instructions on how to configure a firewall to allow NFS.
*.example.com includes one.example.com but does not include one.two.example.com.
a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
@group-name, where group-name is the NIS netgroup name.
/etc/exports Configuration File/etc/exports file controls which file systems are exported to remote hosts and specifies options. Blank lines are ignored, comments can be made by starting a line with the hash mark (#), and long lines can be wrapped with a backslash (\). Each exported file system should be on its own individual line, and any lists of authorized hosts placed after an exported file system must be separated by space characters. Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis. Valid host types are gss/krb5, gss/krb5i, and gss/krb5p.
<export><host1>(<options>)<hostN>(<options>)...
<export> with the directory being exported, replace <host1> with the host or network to which the export is being shared, and replace <options> with the options for that host or network. Additional hosts can be specified in a space separated list.
* or ? character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.
*.example.com as a wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities both *.example.com and *.*.example.com must be specified.
192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.
@<group-name>, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting /etc/exports.
/etc/exports file only specifies the exported directory and the hosts permitted to access it, as in the following example:
/exported/directory bob.example.com
bob.example.com can mount /exported/directory/. Because no options are specified in this example, the following default NFS options take effect:
ro — Mounts of the exported file system are read-only. Remote hosts are not able to make changes to the data shared on the file system. To allow hosts to make changes to the file system, the read/write (rw) option must be specified.
wdelay — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The no_wdelay option turns off this feature, but is only available when using the sync option.
root_squash — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user nfsnobody. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the no_root_squash option turns off root squashing. To squash every remote user, including root, use the all_squash option. To specify the user and group IDs to use with remote users from a particular host, use the anonuid and anongid options, respectively. In this case, a special user account can be created for remote NFS users to share and specify (anonuid=<uid-value>,anongid=<gid-value>), where <uid-value><gid-value>no_acl option when exporting the file system.
rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:
/another/exported/directory 192.168.0.3(rw,sync)
192.168.0.3 can mount /another/exported/directory/ read/write and all transfers to disk are committed to the disk before the write request by the client is completed.
exports man page for details on these lesser used options.
/etc/exports file is very precise, particularly in regards to use of the space character. Remember to always separate exported file systems from hosts and hosts from one another with a space character. However, there should be no other space characters in the file except on comment lines.
/home bob.example.com(rw) /home bob.example.com (rw)
bob.example.com read/write access to the /home directory. The second line allows users from bob.example.com to mount the directory as read-only (the default), while the rest of the world can mount it read/write.
exportfs Command/etc/exports file. When the nfs service starts, the /usr/sbin/exportfs command launches and reads this file, passes control to rpc.mountd (if NFSv2 or NFSv3) for the actual mounting process, then to rpc.nfsd where the file systems are then available to remote users.
/usr/sbin/exportfs command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.
/usr/sbin/exportfs:
-r — Causes all directories listed in /etc/exports to be exported by constructing a new export list in /etc/lib/nfs/xtab. This option effectively refreshes the export list with any changes that have been made to /etc/exports.
-a — Causes all directories to be exported or unexported, depending on what other options are passed to /usr/sbin/exportfs. If no other options are specified, /usr/sbin/exportfs exports all file systems specified in /etc/exports.
-o file-systems — Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted in the same way they are specified in /etc/exports. Refer to Section 20.7, “The /etc/exports Configuration File” for more information on /etc/exports syntax. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.
-i — Ignores /etc/exports; only options given from the command line are used to define exported file systems.
-u — Unexports all shared directories. The command /usr/sbin/exportfs -ua suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, type exportfs -r.
-v — Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the exportfs command is executed.
/usr/sbin/exportfs command, it displays a list of currently exported file systems.
/usr/sbin/exportfs command, refer to the exportfs man page.
exportfs with NFSv4exportfs command is used in maintaining the NFS table of exported file systems. When typed in a terminal with no arguments, the exportfs command shows all the exported directories.
MOUNT protocol, which was used with the NFSv2 and NFSv3 protocols, the mounting of file systems has changed.
fsid=0 option.
mkdir /exportsmkdir /exports/optmkdir /exports/etcmount --bind /usr/local/opt /exports/optmount --bind /usr/local/etc /exports/etcexportfs -o fsid=0,insecure,no_subtree_check gss/krb5p:/exportsexportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/optexportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/etc
--bind option which creates unbreakable links.
/home /home/sam /home/john /home/joe
/home *(rw,fsid=0,sync)
mount server:/home /mnt/homels /mnt/home/joe
mount -t nfs4 server:/ /mnt/homels /mnt/home/joe
server:/home" and "server:/". To make the exports configurations compatible for all version, one needs to export (read only) the root filesystem with an fsid=0. The fsid=0 signals the NFS server that this export is the root.
/ *(ro,fsid=0) /home *(rw,sync,nohide)
mount server:/home /mnt/home" and "mount -t nfs server:/home /mnt/home" will work as expected.
portmap service via TCP wrappers. Access to ports used by portmap, rpc.mountd, and rpc.nfsd can also be limited by creating firewall rules with iptables.
portmap, refer to Section 46.9, “IPTables”.
rpc.svcgssd and rpc.gssd inter operate, refer to http://www.citi.umich.edu/projects/nfsv4/gssd/.
su - command to become a user who could access particular files via the NFS share.
nfsnobody account. Never turn off root squashing.
all_squash option, which makes every user accessing the exported file system take the user ID of the nfsnobody user.
portmapportmap service for backward compatibility.
portmapper maps RPC services to the ports they are listening on. RPC processes notify portmap when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts portmap on the server with a particular RPC program number. The portmap service redirects the client to the proper port number so it can communicate with the requested service.
portmap to make all connections with incoming client requests, portmap must be available before any of these services start.
portmap service uses TCP wrappers for access control, and access control rules for portmap affect all RPC-based services. Alternatively, it is possible to specify access control rules for each of the NFS RPC daemons. The man pages for rpc.mountd and rpc.statd contain information regarding the precise syntax for these rules.
portmapportmap provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services using portmap when troubleshooting. The rpcinfo command shows each RPC-based service with port numbers, an RPC program number, a version number, and an IP protocol type (TCP or UDP).
portmap, issue the following command as root:
rpcinfo -pprogram vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 32774 nlockmgr 100021 3 udp 32774 nlockmgr 100021 4 udp 32774 nlockmgr 100021 1 tcp 34437 nlockmgr 100021 3 tcp 34437 nlockmgr 100021 4 tcp 34437 nlockmgr 100011 1 udp 819 rquotad 100011 2 udp 819 rquotad 100011 1 tcp 822 rquotad 100011 2 tcp 822 rquotad 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100005 1 udp 836 mountd 100005 1 tcp 839 mountd 100005 2 udp 836 mountd 100005 2 tcp 839 mountd 100005 3 udp 836 mountd 100005 3 tcp 839 mountd
portmap is unable to map RPC requests from clients for that service to the correct port. In many cases, if NFS is not present in rpcinfo output, restarting NFS causes the service to correctly register with portmap and begin working. For instructions on starting NFS, refer to Section 20.5, “Starting and Stopping NFS”.
rpcinfo command. Refer to the rpcinfo man page for more information.
-o udp option to mount when mounting the NFS-exported file system on the client system.
/etc/fstab file (client side), and automatically via autofs configuration files, such as /etc/auto.master and /etc/auto.misc (server side with NIS).
mount -o udp shadowman.example.com:/misc/export /misc/local/etc/fstab (client side):
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr,udp
myproject -rw,soft,intr,rsize=8192,wsize=8192,udp penguin.example.net:/proj52
-o udp option is not specified, the NFS-exported file system is accessed via TCP.
NFS stale file handles messages.
/usr/share/doc/nfs-utils-<version-number>/ — Replace <version-number> with the version number of the NFS package installed. This directory contains a wealth of information about the NFS implementation for Linux, including a look at various NFS configurations and their impact on file transfer performance.
man mount — Contains a comprehensive look at mount options for both NFS server and client configurations.
man fstab — Gives details for the format of the /etc/fstab file used to mount file systems at boot-time.
man nfs — Provides details on NFS-specific file system export and mount options.
man exports — Shows common options used in the /etc/exports file when exporting NFS file systems.
smb.conf Filesmbd, nmbd, and winbindd). Two services (smb and windbind) control how the daemons are started, stopped, and other service-related features. Each daemon is listed in detail, as well as which specific service has control over it.
smbd smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445.
smbd daemon is controlled by the smb service.
nmbd nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137.
nmbd daemon is controlled by the smb service.
winbindd winbind service resolves user and group information on a server running Windows NT 2000 or Windows Server 2003. This makes Windows user / group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service.
winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. Winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this manual.
smb: in the File > Open Location bar of Nautilus to view the workgroups.
<servername> and <sharename> with the appropriate values):
smb://<servername>/<sharename>mount -t cifs -o <username>,<password> //<servername>/<sharename> /mnt/point/<sharename> from <servername> in the local directory /mnt/point/. For more information about mounting a samba share, refer to man mount.cifs.
/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.
/etc/samba/ directory. Any changes to these files not made using the application are preserved.
system-config-samba RPM package installed. To start the Samba Server Configuration Tool from the desktop, go to the (on the Panel) > > > or type the command system-config-samba at a shell prompt (for example, in an XTerm or a GNOME terminal).
workgroup and server string options in smb.conf.
security option. Select one of the following types of authentication.
net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.
EXAMPLE.COM.
/etc/krb5.conf file.
encrypted passwords option. Refer to Section 21.4.3, “Encrypted Passwords” for more information about encrypted Samba passwords.
guest account option.
/etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the command service smb restart.
smb.conf file:
workgroup =WORKGROUPNAMEserver string =BRIEF COMMENT ABOUT SERVER
WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.
smb.conf file (after modifying it to reflect your needs and your system):
[sharename] comment =Insert a comment herepath =/home/share/valid users =tfox carolepublic = no writable = yes printable = no create mask = 0765
tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client.
service smb startnet join command before starting the smb service.
service smb stoprestart option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
service smb restartcondrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
smb.conf file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart or reload is just as effective.
service smb condrestartsmb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command as root:
service smb reloadsmb service does not start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Chapter 17, Controlling Access to Services for more information regarding these tools.
smb.conf File/etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
smb.conf file for a successful configuration.
smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the smb.conf file.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Documentation Samba Server path = /export read only = Yes guest only = Yes
smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share.
force user) and group (force group) in the smb.conf file.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Data path = /export force user = docsbot force group = users read only = No guest ok = Yes
smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share printcap name = cups disable spools= Yes show add printer wizard = No printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
smb.conf file shows a sample configuration needed to implement a secure read/write print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public].
[global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = Yes show add printer wizard = No printing = cups [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes [printers] comment = All Printers path = /var/spool/samba printer admin = john, ed, @admins create mask = 0600 guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example realm = EXAMPLE.COM). Since Windows 2000/2003 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to help the distinction.
[global] realm = EXAMPLE.COM security = ADS encrypt passwords = yes # Optional. Use only if Samba cannot determine the Kerberos server automatically. password server = kerberos.example.com
smb.conf file on the member server
/etc/krb5.conf file, on the member server
kinit administrator@EXAMPLE.COMkinit command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to Section 46.6, “Kerberos”.
net ads join -S windows1.example.com -U administrator%passwordwindows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.
security = ads and not security = user is used, a local password backend such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This change does not affect functionality and allows local users not previously in the domain.
smb.conf file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the smb.conf file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global] workgroup = DOCS netbios name = DOCS_SRV security = domain [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes
smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003, the smb.conf file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
smb.conf file, join the domain before starting Samba by typing the following command as root:
net rpc join -U administrator%password-S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command. Samba uses the hostname specified by the workgroup directive in the smb.conf file instead of it being stated explicitly.
tdbsam tdbsam password database backend. Planned to replace the aging smbpasswd backend, tdbsam has numerous improvements that are explained in more detail in Section 21.8, “Samba Account Information Databases”. The passdb backend directive controls which backend is to be used for the PDC.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
add user to group script = /usr/sbin/usermod -G "%g" "%u"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u"
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/scripts
browseable = No
read only = No
# For profiles to work, create a user directory under the
# path shown.
mkdir -p /var/lib/samba/profiles/john
[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
browseable = No
guest ok = Yes
profile acls = Yes
# Other resource shares ... ...tdbsam follow these steps:
smb.conf file as shown in the example above.
smbpasswd -a root
Provide the password here.smb service.
groupadd -f usersgroupadd -f nobodygroupadd -f ntadmins
net groupmap add ntgroup="Domain Users" unixgroup=usersnet groupmap add ntgroup="Domain Guests" unixgroup=nobodynet groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U roottdbsam authentication backend. LDAP is recommended in these cases.
security = user directive is not listed in the smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
smb.conf, the security = user directive that sets user-level security is:
[GLOBAL] ... security = user ...
smb.conf:
[GLOBAL] ... security = domain workgroup = MARKETING ...
smb.conf, the following directives make Samba an Active Directory member server:
[GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ...
smb.conf, the following directives enable Samba to operate in server security mode:
[GLOBAL] ... encrypt passwords = Yes security = server password server = "NetBIOS_of_Domain_Controller" ...
/etc/passwd type backends. With a plain text backend, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very unsecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method.
smbpasswd smbpasswd backend utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The smbpasswd backend lacks the storage of the Windows NT/2000/2003 SAM extended controls. The smbpasswd backend is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The tdbsam backend solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution.
ldapsam_compat ldapsam_compat backend allows continued OpenLDAP support for use with upgraded versions of Samba. This option normally used when migrating to Samba 3.0.
tdbsam tdbsam backend provides an ideal database backend for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam backend includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003-based systems.
tdbsam backend is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.
ldapsam ldapsam backend provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers using the OpenLDAP slurpd daemon. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises.
/usr/share/doc/samba-<version>/LDAP/samba.schema has changed. This file contains the attribute syntax definitions and objectclass definitions that the ldapsam backend will need in order to function properly.
ldapsam backend for your Samba server, you will need to configure slapd to include this schema file. Refer to Section 26.5, “The /etc/openldap/schema/ Directory” for directions on how to do this.
openldap-server package installed if you want to use the ldapsam backend.
mysqlsam mysqlsam backend uses a MySQL-based database backend. This is useful for sites that already implement MySQL. At present, mysqlsam is now packed in a module separate from Samba, and as such is not officially supported by Samba.
/etc/hosts) or DNS, must be used.
smb.conf for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration.
smb.conf file in which the Samba server is serving as a WINS server:
[global] wins support = Yes
smb.conf Settingssmb.conf configuration for CUPS support:
[global] load printers = Yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba/print printer = IBMInfoP browseable = No public = Yes guest ok = Yes writable = No printable = Yes printer admin = @ntadmins [print$] comment = Printer Drivers Share path = /var/lib/samba/drivers write list = ed, john printer admin = ed, john
print$ share contains printer drivers for clients to access if not available locally. The print$ share is optional and may not be required depending on the organization.
browseable to Yes enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain/workgroup.
findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version.
findsmb as any valid user on a system:
~]# findsmb
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
------------------------------------------------------------------
10.1.59.25 VERVE [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.59.26 STATION22 [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]
10.1.56.45 TREK +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.94 PIXEL [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.57.137 MOBILE001 [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.141 JAWS +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]
10.1.56.159 FRED +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]
10.1.59.192 LEGION *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]
10.1.56.205 NANCYN +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The <protocol> ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003 uses rpc. If the protocol is omitted, net automatically tries to determine it.
wakko:
~]# net -l share -S wakko
Password:
Enumerating shared resources (exports) on remote server:
Share name Type Description
---------- ---- -----------
data Disk Wakko data share
tmp Disk Wakko tmp share
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)wakko:
~]# net -l user -S wakko
root password:
User name Comment
-----------------------------
andriusb Documentation
joe Marketing
lisa Salesnmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.
~]# nmblookup trek
querying trek on 10.1.59.255
10.1.56.45 trek<00>pdbedit program manages accounts located in the SAM database. All backends are supported including smbpasswd, LDAP, NIS+, and the tdb database library.
~]#pdbedit -a kristinnew password: retype new password: Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]#pdbedit -v -L kristinUnix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]#pdbedit -Landriusb:505: joe:503: lisa:504: kristin:506: ~]#pdbedit -x joe~]#pdbedit -Landriusb:505: lisa:504: kristin:506:
rpcclient program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.
smbcacls program modifies Windows ACLs on files and directories shared by the Samba server.
smbclient program is a versatile UNIX client which provides functionality similar to ftp.
smbcontrol <options> <destination> <messagetype> <parameters>
smbcontrol program sends control messages to running smbd or nmbd daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered.
smbpasswd program manages encrypted passwords. This program can be run by a superuser to change any user's password as well as by an ordinary user to change their own Samba password.
smbspool program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well.
smbstatus program displays the status of current connections to a Samba server.
smbtar program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar command, the two are not compatible.
testparm program checks the syntax of the smb.conf file. If your smb.conf file is in the default location (/etc/samba/smb.conf) you do not need to specify the location. Specifying the hostname and IP address to the testparm program verifies that the hosts.allow and host.deny files are configured correctly. The testparm program also displays a summary of your smb.conf file and the server's role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read.
~]#testparmLoad smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions<enter># Global parameters [global] workgroup = MYGROUP server string = Samba Server security = SHARE log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = No [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No [tmp] comment = Wakko tmp path = /tmp guest only = Yes [html] comment = Wakko www path = /var/www/html force user = andriusb force group = users read only = No guest only = Yes
wbinfo program displays information from the winbindd daemon. The winbindd daemon must be running for wbinfo to work.
/usr/share/doc/samba-<version-number>/ — All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation.
dhcp package contains an ISC DHCP server. First, install the package as the superuser:
~]# yum install dhcpdhcp package creates a file, /etc/dhcpd.conf, which is merely an empty configuration file:
~]# cat /etc/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample/usr/share/doc/dhcp-<version>/dhcpd.conf.sample. You should use this file to help you configure /etc/dhcpd.conf, which is explained in detail below.
/var/lib/dhcpd/dhcpd.leases to store the client lease database. Refer to Section 22.2.2, “Lease Database” for more information.
ddns-update-style ad-hoc;
ddns-update-style interim;
dhcpd.conf man page for details about the different modes.
service dhcpd restart.
omshell command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell, all changes can be made while the server is running. For more information on omshell, refer to the omshell man page.
routers, subnet-mask, domain-name, domain-name-servers, and time-offset options are used for any host statements declared below it.
subnet can be declared, a subnet declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
range declared. Clients are assigned an IP address within the range.
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
range 192.168.1.10 192.168.1.100;
}shared-network declaration as shown in Example 22.2, “Shared-network Declaration”. Parameters within the shared-network, but outside the enclosed subnet declarations, are considered to be global parameters. The name of the shared-network must be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
group declaration is used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
group {
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}
host raleigh {
option host-name "raleigh.example.com";
hardware ethernet 00:A1:DD:74:C3:F2;
fixed-address 192.168.1.6;
}
}range 192.168.1.10 and 192.168.1.100 to client systems.
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "example.com";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
}hardware ethernet parameter within a host declaration. As demonstrated in Example 22.5, “Static IP Address using DHCP”, the host apex declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
host-name can also be used to assign a host name to the client.
host apex {
option host-name "apex.example.com";
hardware ethernet 00:A0:78:8E:9E:AA;
fixed-address 192.168.1.4;
}cp /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample /etc/dhcpd.conf<version-number> is the DHCP version number).
dhcp-options man page.
/var/lib/dhcpd/dhcpd.leases stores the DHCP client lease database. Do not change this file. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
dhcpd.leases file is renamed dhcpd.leases~ and the temporary lease database is written to dhcpd.leases.
dhcpd.leases file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost which causes many problems. The correct solution is to rename the dhcpd.leases~ backup file to dhcpd.leases and then start the daemon.
dhcpd.leases file exists. Use the command touch /var/lib/dhcpd/dhcpd.leases to create the file if it does not exist.
named service automatically checks for a dhcpd.leases file.
/sbin/service dhcpd start. To stop the DHCP server, use the command /sbin/service dhcpd stop.
/etc/sysconfig/dhcpd, add the name of the interface to the list of DHCPDARGS:
# Command line options here DHCPDARGS=eth0
/etc/sysconfig/dhcpd include:
-p <portnum> — Specifies the UDP port number on which dhcpd should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to Section 22.2.4, “DHCP Relay Agent” for details.
-f — Runs the daemon as a foreground process. This is mostly used for debugging.
-d — Logs the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to /var/log/messages.
-cf <filename> — Specifies the location of the configuration file. The default location is /etc/dhcpd.conf.
-lf <filename> — Specifies the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is /var/lib/dhcpd/dhcpd.leases.
-q — Do not print the entire copyright message when starting the daemon.
dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
/etc/sysconfig/dhcrelay with the INTERFACES directive.
service dhcrelay start.
/etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.
/etc/sysconfig/network file should contain the following line:
NETWORKING=yes
NETWORKING variable must be set to yes if you want networking to start at boot time.
/etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes
DHCP_HOSTNAME — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)
PEERDNS=<answer> , where <answer> yes — Modify /etc/resolv.conf with information from the server. If using DHCP, then yes is the default.
no — Do not modify /etc/resolv.conf.
SRCADDR=<address> , where <address> USERCTL=<answer> , where <answer> yes — Non-root users are allowed to control this device.
no — Non-root users are not allowed to control this device.
dhclient and dhclient.conf man pages.
/etc/sysconfig/dhcpd and /etc/dhcpd.conf files.
/etc/sysconfig/dhcpd file to specify which network interfaces the DHCP daemon listens on. The following /etc/sysconfig/dhcpd example specifies that the DHCP daemon listens on the eth0 and eth1 interfaces:
DHCPDARGS="eth0 eth1";
eth0, eth1, and eth2 -- and it is only desired that the DHCP daemon listens on eth0, then only specify eth0 in /etc/sysconfig/dhcpd:
DHCPDARGS="eth0";
/etc/dhcpd.conf file, for a server that has two network interfaces, eth0 in a 10.0.0.0/24 network, and eth1 in a 172.16.0.0/24 network. Multiple subnet declarations allow different settings to be defined for multiple networks:
ddns-update-styleinterim; default-lease-time600; max-lease-time7200; subnet 10.0.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 10.0.0.1; range 10.0.0.5 10.0.0.15; } subnet 172.16.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 172.16.0.1; range 172.16.0.5 172.16.0.15; }
subnet 10.0.0.0 netmask 255.255.255.0 subnet declaration is required for every network your DHCP server is serving. Multiple subnets require multiple subnet declarations. If the DHCP server does not have a network interface in a range of a subnet declaration, the DHCP server does not serve that network.
subnet declaration, and no network interfaces are in the range of that subnet, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: No subnet declaration for eth0 (0.0.0.0). dhcpd: ** Ignoring requests on eth0. If this is not what dhcpd: you want, please write a subnet declaration dhcpd: in your dhcpd.conf file for the network segment dhcpd: to which interface eth1 is attached. ** dhcpd: dhcpd: dhcpd: Not configured to listen on any interfaces!
option subnet-mask 255.255.255.0; option subnet-mask option defines a subnet mask, and overrides the netmask value in the subnet declaration. In simple cases, the subnet and netmask values are the same.
option routers 10.0.0.1; option routers option defines the default gateway for the subnet. This is required for systems to reach internal networks on a different subnet, as well as external networks.
range 10.0.0.5 10.0.0.15; range option specifies the pool of available IP addresses. Systems are assigned an address from the range of specified IP addresses.
dhcpd.conf(5) man page.
/etc/dhcpd.conf, the DHCP daemon fails to start.
/etc/sysconfig/dhcpd and /etc/dhcpd.conf files.
/etc/dhcpd.conf example creates two subnets, and configures an IP address for the same system, depending on which network it connects to:
ddns-update-styleinterim; default-lease-time600; max-lease-time7200; subnet 10.0.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 10.0.0.1; range 10.0.0.5 10.0.0.15; } subnet 172.16.0.0 netmask 255.255.255.0 { option subnet-mask 255.255.255.0; option routers 172.16.0.1; range 172.16.0.5 172.16.0.15; } host example0 { hardware ethernet 00:1A:6B:6A:2E:0B; fixed-address 10.0.0.20; } host example1 { hardware ethernet 00:1A:6B:6A:2E:0B; fixed-address 172.16.0.20; }
host example0 host declaration defines specific parameters for a single system, such as an IP address. To configure specific parameters for multiple hosts, use multiple host declarations.
host declarations, and as such, this name can anything, as long as it is unique to other host declarations. To configure the same system for multiple networks, use a different name for each host declaration, otherwise the DHCP daemon fails to start. Systems are identified by the hardware ethernet option, not the name in the host declaration.
hardware ethernet 00:1A:6B:6A:2E:0B; hardware ethernet option identifies the system. To find this address, run the ifconfig command on the desired system, and look for the HWaddr address.
fixed-address 10.0.0.20; fixed-address option assigns a valid IP address to the system specified by the hardware ethernet option. This address must be outside the IP address pool specified with the range option.
option statements do not end with a semicolon, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
/etc/dhcpd.conf line 20: semicolon expected. dhcpd: } dhcpd: ^ dhcpd: /etc/dhcpd.conf line 38: unexpected end of file dhcpd: dhcpd: ^ dhcpd: Configuration file errors encountered -- exiting
host declarations configure a single system, that has multiple network interfaces, so that each interface receives the same IP address. This configuration will not work if both network interfaces are connected to the same network at the same time:
host interface0 {
hardware ethernet 00:1a:6b:6a:2e:0b;
fixed-address 10.0.0.18;
}
host interface1 {
hardware ethernet 00:1A:6B:6A:27:3A;
fixed-address 10.0.0.18;
}
interface0 is the first network interface, and interface1 is the second interface. The different hardware ethernet options identify each interface.
host declarations, remembering to:
fixed-address for the network the host is connecting to.
host declaration unique.
host declaration is not unique, the DHCP daemon fails to start, and an error such as the following is logged to /var/log/messages:
dhcpd: /etc/dhcpd.conf line 31: host interface0: already exists dhcpd: } dhcpd: ^ dhcpd: Configuration file errors encountered -- exiting
host interface0 declarations defined in /etc/dhcpd.conf.
dhcpd man page — Describes how the DHCP daemon works.
dhcpd.conf man page — Explains how to configure the DHCP configuration file; includes some examples.
dhcpd.leases man page — Explains how to configure the DHCP leases file; includes some examples.
dhcp-options man page — Explains the syntax for declaring DHCP options in dhcpd.conf; includes some examples.
dhcrelay man page — Explains the DHCP Relay Agent and its configuration options.
/usr/share/doc/dhcp-<version>/ — Contains sample files, README files, and release notes for current versions of the DHCP service.
httpdhttpd.conf/etc/httpd/conf/httpd.conf) to aid those who require a custom configuration or need to convert a configuration file from the older Apache HTTP Server 1.3 format.
LoadModule line will need to be updated.
mod_userdir module will only act on requests if you provide a UserDir directive indicating a directory name. If you wish to maintain the procedures used in version 2.0, add the directive UserDir public_html in your configuration file.
httpd.conf file adding the necessary mod_ssl directives. Use apachectl start as apachectl startssl is unavailable in version 2.2. You can view an example of SSL configuration for httpd in conf/extra/httpd-ssl.conf.
service httpd configtest which will detect configuration errors.
/etc/httpd/conf/httpd.conf.rpmnew and the original version 1.3 httpd.conf is left untouched. It is entirely up to you whether to use the new configuration file and migrate the old settings to it, or use the existing file as a base and modify it to suit; however, some parts of the file have changed more than others and a mixed approach is generally the best. The stock configuration files for both version 1.3 and 2.0 are divided into three sections.
/etc/httpd/conf/httpd.conf file is a modified version of the newly installed default and a saved a copy of the original configuration file is available, it may be easiest to invoke the diff command, as in the following example (logged in as root):
diff -u httpd.conf.orig httpd.conf | lessrpm2cpio and cpio commands, as in the following example:
rpm2cpio apache-<version-number>.i386.rpm | cpio -i --make<version-number> with the version number for the apache package.
apachectl configtestBindAddress and Port directives no longer exist; their functionality is now provided by a more flexible Listen directive.
Port 80 was set in the 1.3 version configuration file, change it to Listen 80 in the 2.0 configuration file. If Port was set to some value other than 80, then append the port number to the contents of the ServerName directive.
Port 123 ServerName www.example.com
Listen123 ServerName www.example.com:123
prefork, worker, and perchild. Currently only the prefork and worker MPMs are available, although the perchild MPM may be available at a later date.
prefork MPM. The prefork MPM accepts the same directives as Apache HTTP Server 1.3, so the following directives may be migrated directly:
StartServers
MinSpareServers
MaxSpareServers
MaxClients
MaxRequestsPerChild
worker MPM implements a multi-process, multi-threaded server providing greater scalability. When using this MPM, requests are handled by threads, conserving system resources and allowing large numbers of requests to be served efficiently. Although some of the directives accepted by the worker MPM are the same as those accepted by the prefork MPM, the values for those directives should not be transferred directly from an Apache HTTP Server 1.3 installation. It is best to instead use the default values as a guide, then experiment to determine what values work best.
worker MPM, create the file /etc/sysconfig/httpd and add the following directive:
HTTPD=/usr/sbin/httpd.worker
AddModule and ClearModuleList directives no longer exist. These directives where used to ensure that modules could be enabled in the correct order. The Apache HTTP Server 2.0 API allows modules to specify their ordering, eliminating the need for these two directives.
LoadModule lines are no longer relevant in most cases.
LoadModule lines for modules packaged in their own RPMs (mod_ssl, php, mod_perl, and the like) are no longer necessary as they can be found in their relevant files within the /etc/httpd/conf.d/ directory.
HAVE_XXX definitions are no longer defined.
httpd.conf contains the following directive:
Include conf.d/*.conf
mod_perl, php, and mod_ssl).
ServerType — The Apache HTTP Server can only be run as ServerType standalone making this directive irrelevant.
AccessConfig and ResourceConfig — These directives have been removed as they mirror the functionality of the Include directive. If the AccessConfig and ResourceConfig directives are set, replace them with Include directives.
Include directives should be placed at the end of the httpd.conf, with the one corresponding to ResourceConfig preceding the one corresponding to AccessConfig. If using the default values, include them explicitly as conf/srm.conf and conf/access.conf files.
<VirtualHost> container. Values here also provide defaults for any <VirtualHost> containers defined.
UserDir MappingUserDir directive is used to enable URLs such as http://example.com/~bob/ to map to a subdirectory within the home directory of the user bob, such as /home/bob/public_html/. A side-effect of this feature allows a potential attacker to determine whether a given username is present on the system. For this reason, the default configuration for Apache HTTP Server 2.0 disables this directive.
UserDir mapping, change the directive in httpd.conf from:
UserDir disable
UserDir public_htmlAgentLog
RefererLog
RefererIgnore
CustomLog and LogFormat directives.
FancyIndexing directive has now been removed. The same functionality is available through the FancyIndexing option within the IndexOptions directive.
VersionSort option to the IndexOptions directive causes files containing version numbers to be sorted in a more natural way. For example, httpd-2.0.6.tar appears before httpd-2.0.36.tar in a directory index page.
ReadmeName and HeaderName directives have changed from README and HEADER to README.html and HEADER.html.
CacheNegotiatedDocs directive now takes the argument on or off. Existing instances of CacheNegotiatedDocs should be replaced with CacheNegotiatedDocs on.
ErrorDocument directive, the message should be enclosed in a pair of double quotation marks ", rather than just preceded by a double quotation mark as required in Apache HTTP Server 1.3.
ErrorDocument 404 "The document was not found
ErrorDocument setting to Apache HTTP Server 2.0, use the following structure:
ErrorDocument 404 "The document was not found"
ErrorDocument directive example.
<VirtualHost> containers should be migrated in the same way as the main server section as described in Section 23.2.2.2, “Main Server Configuration”.
/etc/httpd/conf.d/ssl.conf.
mod_include. This opens up a tremendous number of possibilities with regards to how modules can be combined to achieve a specific goal.
mod_perl). Under Apache HTTP Server 2.0, the request is initially handled by the core module — which serves static files — and is then filtered by mod_perl.
PATH_INFO directive is used for a document which is handled by a module that is now implemented as a filter, as each contains trailing path information after the true file name. The core module, which initially handles the request, does not by default understand PATH_INFO and returns 404 Not Found errors for requests that contain such information. As an alternative, use the AcceptPathInfo directive to coerce the core module into accepting requests with PATH_INFO.
AcceptPathInfo on
suexec Modulemod_suexec module uses the SuexecUserGroup directive, rather than the User and Group directives, which is used for configuring virtual hosts. The User and Group directives can still be used in general, but are deprecated for configuring virtual hosts.
<VirtualHost vhost.example.com:80> User someone Group somegroup </VirtualHost>
<VirtualHost vhost.example.com:80> SuexecUserGroup someone somegroup </VirtualHost>
mod_ssl Modulemod_ssl has been moved from the httpd.conf file into the /etc/httpd/conf.d/ssl.conf file. For this file to be loaded, and for mod_ssl to work, the statement Include conf.d/*.conf must be in the httpd.conf file as described in Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
ServerName directives in SSL virtual hosts must explicitly specify the port number.
<VirtualHost _default_:443> # General setup for the virtual host ServerName ssl.example.name ... </VirtualHost>
<VirtualHost _default_:443>
# General setup for the virtual host
ServerName ssl.host.name:443
...
</VirtualHost>SSLLog and SSLLogLevel directives have been removed. The mod_ssl module now obeys the ErrorLog and LogLevel directives. Refer to ErrorLog and LogLevel for more information about these directives.
mod_proxy Module<Proxy> block rather than a <Directory proxy:>.
mod_proxy has been split out into the following three modules:
mod_cache
mod_disk_cache
mod_mem_cache
mod_proxy module, but it is advisable to verify each directive before migrating any cache settings.
mod_include Modulemod_include module is now implemented as a filter and is therefore enabled differently. Refer to Section 23.2.2.4, “Modules and Apache HTTP Server 2.0” for more about filters.
AddType text/html .shtml AddHandler server-parsed .shtml
AddType text/html .shtml
AddOutputFilter INCLUDES .shtmlOptions +Includes directive is still required for the <Directory> container or in a .htaccess file.
mod_auth_dbm and mod_auth_db Modulesmod_auth_db and mod_auth_dbm, which used Berkeley Databases and DBM databases respectively. These modules have been combined into a single module named mod_auth_dbm in Apache HTTP Server 2.0, which can access several different database formats. To migrate from mod_auth_db, configuration files should be adjusted by replacing AuthDBUserFile and AuthDBGroupFile with the mod_auth_dbm equivalents, AuthDBMUserFile and AuthDBMGroupFile. Also, the directive AuthDBMType DB must be added to indicate the type of database file in use.
mod_auth_db configuration for Apache HTTP Server 1.3:
<Location /private/> AuthType Basic AuthName "My Private Files" AuthDBUserFile /var/www/authdb require valid-user </Location>
<Location /private/> AuthType Basic AuthName "My Private Files"AuthDBMUserFile/var/www/authdbAuthDBMType DBrequire valid-user </Location>
AuthDBMUserFile directive can also be used in .htaccess files.
dbmmanage Perl script, used to manipulate username and password databases, has been replaced by htdbm in Apache HTTP Server 2.0. The htdbm program offers equivalent functionality and, like mod_auth_dbm, can operate a variety of database formats; the -T option can be used on the command line to specify the format to use.
dbmmanage to htdbm” shows how to migrate from a DBM-format database to htdbm format using dbmmanage.
dbmmanage to htdbm| Action | dbmmanage command (1.3) | Equivalent htdbm command (2.0) |
|---|---|---|
| Add user to database (using given password) |
dbmmanage authdb add username password
|
htdbm -b -TDB authdb username password
|
| Add user to database (prompts for password) |
dbmmanage authdb adduser username
|
htdbm -TDB authdb username
|
| Remove user from database |
dbmmanage authdb delete username
|
htdbm -x -TDB authdb username
|
| List users in database |
dbmmanage authdb view
|
htdbm -l -TDB authdb
|
| Verify a password |
dbmmanage authdb check username
|
htdbm -v -TDB authdb username
|
-m and -s options work with both dbmmanage and htdbm, enabling the use of the MD5 or SHA1 algorithms for hashing passwords, respectively.
htdbm, the -c option must be used.
mod_perl Modulemod_perl has been moved from httpd.conf into the file /etc/httpd/conf.d/perl.conf. For this file to be loaded, and hence for mod_perl to work, the statement Include conf.d/*.conf must be included in httpd.conf as described in Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
Apache:: in httpd.conf must be replaced with ModPerl::. Additionally, the manner in which handlers are registered has been changed.
mod_perl configuration:
<Directory /var/www/perl> SetHandler perl-script PerlHandler Apache::Registry Options +ExecCGI </Directory>
mod_perl for Apache HTTP Server 2.0:
<Directory /var/www/perl>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
</Directory>mod_perl 1.x should work without modification with mod_perl 2.x. XS modules require recompilation and may require minor Makefile modifications.
mod_python Modulemod_python has moved from httpd.conf to the /etc/httpd/conf.d/python.conf file. For this file to be loaded, and hence for mod_python to work, the statement Include conf.d/*.conf must be in httpd.conf as described in Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
httpd.conf into the file /etc/httpd/conf.d/php.conf. For this file to be loaded, the statement Include conf.d/*.conf must be in httpd.conf as described in Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”.
register_globals to On in the file /etc/php.ini.
mod_authz_ldap Modulemod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module.
mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module. Refer to the mod_auth_ldap module documentation online at http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html for details on the status of this module.
/etc/httpd/conf.d/authz_ldap.conf file configures the mod_authz_ldap module.
/usr/share/doc/mod_authz_ldap-<version>/index.html (replacing <version> with the version number of the package) or http://authzldap.othello.ch/ for more information on configuring the mod_authz_ldap third party module.
httpdhttpd package, review the Apache HTTP Server's documentation available online at http://httpd.apache.org/docs/2.2/.
httpd RPM installs the /etc/init.d/httpd script, which can be accessed using the /sbin/service command.
httpd using the apachectl control script sets the environmental variables in /etc/sysconfig/httpd and starts httpd. You can also set the environment variables using the init script.
apachectl control script as root type:
apachectl starthttpd using /sbin/service httpd start. This starts httpd but does not set the environment variables. If you are using the default Listen directive in httpd.conf, which is port 80, you will need to have root privileges to start the apache server.
apachectl stophttpd using /sbin/service httpd stop. The restart option is a shorthand way of stopping and then starting the Apache HTTP Server.
apachectl restartservice httpd restartErrorLog if it encounters an error while starting.
httpd service does not start automatically at boot time. If you would wish to have Apache startup at boot time, you will need to add a call to apachectl in your startup files within the rc.N directory. A typical file used is rc.local. As this starts Apache as root, it is recommended to properly configure your security and authentication before adding this call.
httpd service to start up at boot time, using an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program.
apachectl statusmod_status however needs to be enabled in your httpd.conf configuration file for this to work. For more details on mod_status can be found on http://httpd.apache.org/docs/2.2/mod/mod_status.html.
/etc/httpd/conf/httpd.conf configuration file for the Apache HTTP Server. It does not use the old srm.conf or access.conf configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections. To start the HTTD Configuration Tool, click on System > Administration > Server Settings > HTTP.
/etc/httpd/conf/httpd.conf configuration file by hand if you wish to use this tool. The HTTP Configuration Tool generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool.
DocumentRoot and cgi-bin directories.
ServerName directive in httpd.conf. The ServerName directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might set the server name to www.example.com while the server's real DNS name is foo.example.com.
ServerAdmin directive in httpd.conf. If you configure the server's error pages to contain an email address, this email address is used so that users can report a problem to the server's administrator. The default value is root@localhost.
Listen directive in httpd.conf. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.
httpd can be started as a regular user.
DirectoryIndex directive. The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
http://www.example.com/this_directory/, they are going to get either the DirectoryIndex page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the DirectoryIndex directive and returns the first one it finds.
If it does not find any of these files and if Options Indexes is set for that directory, the server generates and returns a list, in HTML format, of the subdirectories and files in the directory.
ErrorDocument directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column. To override this default configuration, select the error code and click the Edit button. Choose to display the default short error message. Choose to redirect the client to an external URL and enter a complete URL, including the http://, in the Location field. Choose to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin the a slash (/) and be relative to the Document Root.
404.html, copy 404.html to DocumentRoot/../error/404.htmlDocumentRoot is the Document Root directory that you have defined (the default is /var/www/html/). If the Document Root is left as the default location, the file should be copied to /var/www/error/404.html. Then, choose as the Behavior for 404 - Not Found error code and enter /error/404.html as the .
ServerAdmin directive.
mod_ssl enables encryption of the HTTP protocol over SSL. SSL (Secure Sockets Layer) protocol is used for communication and encryption over TCP/IP networks. The SSL tab enables you to configure SSL for your server. To configure SSL you need to provide the path to your:
SSLCertificateFile directive which points the path to the PEM (Privacy Enhanced Mail)-encoded server certificate file.
SSLCertificateKeyFile directive which points the path to the PEM-encoded server private key file.
SSLCertificateChainFile directive which points the path to the certificate file containing all the server's chain of certificates.
SSLOptions with the following options:
SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n where n is a number 0,1,2,3,4... These files are used for more certificate checks by CGI scripts.
SSLRequireSSL and SSLRequire directives indicate access is forbidden.
mod_ssl which also performs safe parameter checks. It is recommended to enable OptRenegotiate on a per directory basis.
/var/log/httpd/access_log file and the error log to the /var/log/httpd/error_log file.
TransferLog directive.
LogFormat directive. Refer to http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat for details on the format of this directive.
ErrorLog directive.
LogLevel directive.
HostnameLookups directive. Choosing No Reverse Lookup sets the value to off. Choosing Reverse Lookup sets the value to on. Choosing Double Reverse Lookup sets the value to double.
mod_env module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the Environment Variables page to configure the directives for this module.
MAXNUM to 50, click the button inside the Set for CGI Script section, as shown in Figure 23.8, “Environment Variables”, and type MAXNUM in the Environment Variable text field and 50 in the Value to set text field. Click to add it to the list. The Set for CGI Scripts section configures the SetEnv directive.
env at a shell prompt. Click the button inside the Pass to CGI Scripts section and enter the name of the environment variable in the resulting dialog box. Click to add it to the list. The Pass to CGI Scripts section configures the PassEnv directive.
UnsetEnv directive.
<Directory> directive.
Options directive within the <Directory> directive. You can configure the following options:
#exec and #include commands in CGI scripts.
DirectoryIndex (such as index.html) exists in the requested directory.
Order directive with the left-hand side options. The Order directive controls the order in which allow and deny directives are evaluated. In the Allow hosts from and Deny hosts from text field, you can specify one of the following:
all to allow access to all hosts.
192.168.1.0/255.255.255.0
10.3.0.0/16
.htaccess file take precedence.
httpd.conf/etc/httpd/conf/httpd.conf. The httpd.conf file is well-commented and mostly self-explanatory. The default configuration works for most situations; however, it is a good idea to become familiar some of the more important configuration options.
/etc/httpd/conf/httpd.conf and then either reload, restart, or stop and start the httpd process as outlined in Section 23.3, “Starting and Stopping httpd”.
httpd.conf, make a copy the original file. Creating a backup makes it easier to recover from mistakes made while editing the configuration file.
httpd.conf to verify there are no typos.
/var/log/httpd/error_log. The error log may not be easy to interpret, depending on your level of expertise. However, the last entries in the error log should provide useful information.
httpd.conf. These descriptions are not exhaustive. For more information, refer to the Apache documentation online at http://httpd.apache.org/docs/2.2/.
mod_ssl directives, refer to the documentation online at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html.
AccessFileName names the file which the server should use for access control information in each directory. The default is .htaccess.
AccessFileName directive, a set of Files tags apply access control to any file beginning with a .ht. These directives deny Web access to any .htaccess files (or other files which begin with .ht) for security reasons.
Action specifies a MIME content type and CGI script pair, so that when a file of that media type is requested, a particular CGI script is executed.
FancyIndexing as an IndexOptions parameter, the AddDescription directive can be used to display user-specified descriptions for certain files or file types in a server generated directory listing. The AddDescription directive supports listing specific files, wildcard expressions, or file extensions.
AddEncoding names file name extensions which should specify a particular encoding type. AddEncoding can also be used to instruct some browsers to uncompress certain files as they are downloaded.
AddHandler maps file extensions to specific handlers. For example, the cgi-script handler can be matched with the extension .cgi to automatically treat a file ending with .cgi as a CGI script. The following is a sample AddHandler directive for the .cgi extension.
AddHandler cgi-script .cgi
cgi-bin to function in any directory on the server which has the ExecCGI option within the directories container. Refer to Directory for more information about setting the ExecCGI option for a directory.
AddHandler directive is used to process server-parsed HTML and image-map files.
AddIcon specifies which icon to show in server generated directory listings for files with certain extensions. For example, the Web server is set to show the icon binary.gif for files with .bin or .exe extensions.
compressed.gif icon next to MIME encoded x-compress and x-gzip files in server generated directory listings.
text.gif next to files with a mime-type of text, in server generated directory listings.
AddLanguage associates file name extensions with specific languages. This directive is useful for Apache HTTP Servers which serve content in multiple languages based on the client Web browser's language settings.
AddType directive to define or override a default MIME type and file extension pairs. The following example directive tells the Apache HTTP Server to recognize the .tgz file extension:
AddType application/x-tar .tgz
Alias setting allows directories outside the DocumentRoot directory to be accessible. Any URL ending in the alias automatically resolves to the alias' path. By default, one alias for an icons/ directory is already set up. An icons/ directory can be accessed by the Web server, but the directory is not in the DocumentRoot.
Allow specifies which client can access a given directory. The client can be all, a domain name, an IP address, a partial IP address, a network/netmask pair, and so on. The DocumentRoot directory is configured to Allow requests from all, meaning everyone has access.
AllowOverride directive sets whether any Options can be overridden by the declarations in an .htaccess file. By default, both the root directory and the DocumentRoot are set to allow no .htaccess overrides.
BrowserMatch directive allows the server to define environment variables and take appropriate actions based on the User-Agent HTTP header field — which identifies the client's Web browser type. By default, the Web server uses BrowserMatch to deny connections to specific browsers with known problems and also to disable keepalives and HTTP header flushes for browsers that are known to have problems with those actions.
#) from the beginning of the line is sufficient. The following, however, is a list of some of the more important cache-related directives.
CacheEnable — Specifies whether the cache is a disk, memory, or file descriptor cache. By default CacheEnable configures a disk cache for URLs at or below /.
CacheRoot — Specifies the name of the directory containing cached files. The default CacheRoot is the /var/httpd/proxy/ directory.
CacheSize — Specifies how much space the cache can use in kilobytes. The default CacheSize is 5 KB.
CacheMaxExpire — Specifies how long HTML documents are retained (without a reload from the originating Web server) in the cache. The default is 24 hours (86400 seconds).
CacheLastModifiedFactor — Specifies the creation of an expiry (expiration) date for a document which did not come from its originating server with its own expiry set. The default CacheLastModifiedFactor is set to 0.1, meaning that the expiry date for such documents equals one-tenth of the amount of time since the document was last modified.
CacheDefaultExpire — Specifies the expiry time in hours for a document that was received using a protocol that does not support expiry times. The default is set to 1 hour (3600 seconds).
NoProxy — Specifies a space-separated list of subnets, IP addresses, domains, or hosts whose content is not cached. This setting is most useful for Intranet sites.
CacheNegotiatedDocs is set to on, this function is disabled and proxy servers are allowed to cache such documents.
CustomLog identifies the log file and the log file format. By default, the access log is recorded to the /var/log/httpd/access_log file while errors are recorded in the /var/log/httpd/error_log file.
CustomLog format is the combined log file format, as illustrated here:
remotehost rfc931 user date "request" status bytes referrer user-agentDefaultIcon specifies the icon displayed in server generated directory listings for files which have no other icon specified. The unknown.gif image file is the default.
DefaultType sets a default content type for the Web server to use for documents whose MIME types cannot be determined. The default is text/plain.
Deny works similar to Allow, except it specifies who is denied access. The DocumentRoot is not configured to Deny requests from anyone by default.
<Directory /path/to/directory> and </Directory> tags create a container used to enclose a group of configuration directives which apply only to a specific directory and its subdirectories. Any directive which is applicable to a directory may be used within Directory tags.
/), using the Options (refer to Options) and AllowOverride (refer to AllowOverride) directives. Under this configuration, any directory on the system which needs more permissive settings has to be explicitly given those settings.
Directory container is configured for the DocumentRoot which assigns less rigid parameters to the directory tree so that the Apache HTTP Server can access the files residing there.
Directory container can be also be used to configure additional cgi-bin directories for server-side applications outside of the directory specified in the ScriptAlias directive (refer to ScriptAlias for more information).
Directory container must set the ExecCGI option for that directory.
/home/my_cgi_directory, add the following Directory container to the httpd.conf file:
<Directory /home/my_cgi_directory> Options +ExecCGI </Directory>
AddHandler directive must be uncommented to identify files with the .cgi extension as CGI scripts. Refer to AddHandler for instructions on setting AddHandler.
DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
example/this_directory/, they get either the DirectoryIndex page, if it exists, or a server-generated directory list. The default for DirectoryIndex is index.html and the index.html.var type map. The server tries to find either of these files and returns the first one it finds. If it does not find one of these files and Options Indexes is set for that directory, the server generates and returns a listing, in HTML format, of the subdirectories and files within the directory, unless the directory listing feature is turned off.
DocumentRoot is the directory which contains most of the HTML files which are served in response to requests. The default DocumentRoot, for both the non-secure and secure Web servers, is the /var/www/html directory. For example, the server might receive a request for the following document:
http://example.com/foo.html/var/www/html/foo.htmlDocumentRoot so that it is not shared by the secure and the non-secure Web servers, refer to Section 23.7, “Virtual Hosts”.
ErrorDocument directive associates an HTTP response code with a message or a URL to be sent back to the client. By default, the Web server outputs a simple and usually cryptic error message when an error occurs. The ErrorDocument directive forces the Web server to instead output a customized message or page.
".
ErrorLog specifies the file where server errors are logged. By default, this directive is set to /var/log/httpd/error_log.
ExtendedStatus directive controls whether Apache generates basic (off) or detailed server status information (on), when the server-status handler is called. The server-status handler is called using Location tags. More information on calling server-status is included in Location.
Group is set to apache.
HeaderName names the file which, if it exists in the directory, is prepended to the start of server generated directory listings. Like ReadmeName, the server tries to include it as an HTML document if possible or in plain text if not.
HostnameLookups can be set to on, off, or double. If HostnameLookups is set to on, the server automatically resolves the IP address for each connection. Resolving the IP address means that the server makes one or more connections to a DNS server, adding processing overhead. If HostnameLookups is set to double, the server performs a double-reverse DNS look up adding even more processing overhead.
HostnameLookups is set to off by default.
IfDefine tags surround configuration directives that are applied if the "test" stated in the IfDefine tag is true. The directives are ignored if the test is false.
IfDefine tags is a parameter name (for example, HAVE_PERL). If the parameter is defined, meaning that it is provided as an argument to the server's start-up command, then the test is true. In this case, when the Web server is started, the test is true and the directives contained in the IfDefine tags are applied.
<IfModule> and </IfModule> tags create a conditional container which are only activated if the specified module is loaded. Directives within the IfModule container are processed under one of two conditions. The directives are processed if the module contained within the starting <IfModule> tag is loaded. Or, if an exclamation point ! appears before the module name, the directives are processed only if the module specified in the <IfModule> tag is not loaded.
ServerRoot.
mod_ssl, mod_perl, and php, the following directive must be included in Section 1: Global Environment of httpd.conf:
Include conf.d/*.conf
IndexIgnore lists file extensions, partial file names, wildcard expressions, or full file names. The Web server does not include any files which match any of those parameters in server generated directory listings.
IndexOptions controls the appearance of server generated directing listings, by adding icons, file descriptions, and so on. If Options Indexes is set (refer to Options), the Web server generates a directory listing when the Web server receives an HTTP request for a directory without an index.
DirectoryIndex directive (usually, index.html). If an index.html file is not found, Apache HTTP Server creates an HTML directory listing of the requested directory. The appearance of this directory listing is controlled, in part, by the IndexOptions directive.
FancyIndexing. This means that a user can re-sort a directory listing by clicking on column headers. Another click on the same header switches from ascending to descending order. FancyIndexing also shows different icons for different files, based upon file extensions.
AddDescription option, when used in conjunction with FancyIndexing, presents a short description for the file in server generated directory listings.
IndexOptions has a number of other parameters which can be set to control the appearance of server generated directories. The IconHeight and IconWidth parameters require the server to include HTML HEIGHT and WIDTH tags for the icons in server generated webpages. The IconsAreLinks parameter combines the graphical icon with the HTML link anchor, which contains the URL link target.
KeepAlive sets whether the server allows more than one request per connection and can be used to prevent any one client from consuming too much of the server's resources.
Keepalive is set to off. If Keepalive is set to on and the server becomes very busy, the server can quickly spawn the maximum number of child processes. In this situation, the server slows down significantly. If Keepalive is enabled, it is a good idea to set the KeepAliveTimeout low (refer to KeepAliveTimeout for more information about the KeepAliveTimeout directive) and monitor the /var/log/httpd/error_log log file on the server. This log reports when the server is running out of child processes.
KeepAliveTimeout sets the number of seconds the server waits after a request has been served before it closes the connection. Once the server receives a request, the Timeout directive applies instead. The KeepAliveTimeout directive is set to 15 seconds by default.
LanguagePriority sets precedence for different languages in case the client Web browser has no language preference set.
Listen command identifies the ports on which the Web server accepts incoming requests. By default, the Apache HTTP Server is set to listen to port 80 for non-secure Web communications and (in the /etc/httpd/conf.d/ssl.conf file which defines any secure servers) to port 443 for secure Web communications.
httpd can be started as a regular user.
Listen directive can also be used to specify particular IP addresses over which the server accepts connections.
LoadModule is used to load Dynamic Shared Object (DSO) modules. More information on the Apache HTTP Server's DSO support, including instructions for using the LoadModule directive, can be found in Section 23.6, “Adding Modules”. Note, the load order of the modules is no longer important with Apache HTTP Server 2.0. Refer to Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support” for more information about Apache HTTP Server 2.0 DSO support.
<Location> and </Location> tags create a container in which access control based on URL can be specified.
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from <.example.com>
</Location><.example.com> with the second-level domain name for the Web server.
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from <.example.com>
</Location><.example.com> with the second-level domain name for the Web server.
LogFormat directive configures the format of the various Web server log files. The actual LogFormat used depends on the settings given in the CustomLog directive (refer to CustomLog).
CustomLog directive is set to combined:
%h (remote host's IP address or hostname) HostnameLookups is set to on, the client hostname is recorded unless it is not available from DNS.
%l (rfc931) %u (authenticated user) %t (date) %r (request string) %s (status) %b (bytes) %\"%{Referer}i\" (referrer) %\"%{User-Agent}i\" (user-agent) LogLevel sets how verbose the error messages in the error logs are. LogLevel can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info, or debug. The default LogLevel is warn.
MaxKeepAliveRequests is set to 100 by default, which should be appropriate for most situations.
NameVirtualHost directive associates an IP address and port number, if necessary, for any name-based virtual hosts. Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses.
NameVirtualHost configuration directive and add the correct IP address. Then add additional VirtualHost containers for each virtual host as is necessary for your configuration.
Options directive controls which server features are available in a particular directory. For example, under the restrictive parameters specified for the root directory, Options is only set to the FollowSymLinks directive. No features are enabled, except that the server is allowed to follow symbolic links in the root directory.
DocumentRoot directory, Options is set to include Indexes and FollowSymLinks. Indexes permits the server to generate a directory listing for a directory if no DirectoryIndex (for example, index.html) is specified. FollowSymLinks allows the server to follow symbolic links in that directory.
Options statements from the main server configuration section need to be replicated to each VirtualHost container individually. Refer to VirtualHost for more information.
Order directive controls the order in which allow and deny directives are evaluated. The server is configured to evaluate the Allow directives before the Deny directives for the DocumentRoot directory.
PidFile names the file where the server records its process ID (PID). By default the PID is listed in /var/run/httpd.pid.
<Proxy *> and </Proxy> tags create a container which encloses a group of configuration directives meant to apply only to the proxy server. Many directives which are allowed within a <Directory> container may also be used within <Proxy> container.
#) from the beginning of the <IfModule mod_proxy.c> line, the ProxyRequests, and each line in the <Proxy> stanza. Set the ProxyRequests directive to On, and set which domains are allowed access to the server in the Allow from directive of the <Proxy> stanza.
ReadmeName names the file which, if it exists in the directory, is appended to the end of server generated directory listings. The Web server first tries to include the file as an HTML document and then tries to include it as plain text. By default, ReadmeName is set to README.html.
Redirect can be used to map the file location to a new URL. The format is as follows:
Redirect /<old-path>/<file-name>http://<current-domain>/<current-path>/<file-name>
<old-path> with the old path information for <file-name> and <current-domain> and <current-path> with the current domain and path information for <file-name>.
<file-name> at the old location is automatically redirected to the new location.
mod_rewrite module included with the Apache HTTP Server. For more information about configuring the mod_rewrite module, refer to the Apache Software Foundation documentation online at http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html.
ScriptAlias directive defines where CGI scripts are located. Generally, it is not good practice to leave CGI scripts within the DocumentRoot, where they can potentially be viewed as text documents. For this reason, a special directory outside of the DocumentRoot directory containing server-side executables and scripts is designated by the ScriptAlias directive. This directory is known as a cgi-bin and is set to /var/www/cgi-bin/ by default.
cgi-bin/ directory. For instructions on doing so, refer to AddHandler and Directory.
ServerAdmin directive to the email address of the Web server administrator. This email address shows up in error messages on server-generated Web pages, so users can report a problem by sending email to the server administrator.
ServerAdmin is set to root@localhost.
ServerAdmin is to set it to webmaster@example.com. Once set, alias webmaster to the person responsible for the Web server in /etc/aliases and run /usr/bin/newaliases.
ServerName specifies a hostname and port number (matching the Listen directive) for the server. The ServerName does not need to match the machine's actual hostname. For example, the Web server may be www.example.com, but the server's hostname is actually foo.example.com. The value specified in ServerName must be a valid Domain Name Service (DNS) name that can be resolved by the system — do not make something up.
ServerName directive:
ServerName www.example.com:80
ServerName, be sure the IP address and server name pair are included in the /etc/hosts file.
ServerRoot directive specifies the top-level directory containing website content. By default, ServerRoot is set to "/etc/httpd" for both secure and non-secure servers.
ServerSignature directive adds a line containing the Apache HTTP Server server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to on by default.
ServerSignature can be set to EMail which adds a mailto:ServerAdmin HTML tag to the signature line of auto-generated responses. ServerSignature can also be set to Off to stop Apache from sending out its version number and module information. Please also check the ServerTokens settings.
ServerTokens directive determines if the Server response header field sent back to clients should include details of the Operating System type and information about compiled-in modules. By default, ServerTokens is set to Full which sends information about the Operating System type and compiled-in modules. Setting the ServerTokens to Prod sends the product name only and is recommended as many hackers check information in the Server header when scanning for vulnerabilities. You can also set the ServerTokens to Min (minimal) or to OS (operating system).
SuexecUserGroup directive, which originates from the mod_suexec module, allows the specification of user and group execution privileges for CGI programs. Non-CGI requests are still processed with the user and group specified in the User and Group directives.
SuexecUserGroup directive replaced the Apache HTTP Server 1.3 configuration of using the User and Group directives inside the configuration of VirtualHosts sections.
Timeout defines, in seconds, the amount of time that the server waits for receipts and transmissions during communications. Timeout is set to 300 seconds by default, which is appropriate for most situations.
TypesConfig names the file which sets the default list of MIME type mappings (file name extensions to content types). The default TypesConfig file is /etc/mime.types. Instead of editing /etc/mime.types, the recommended way to add MIME type mappings is to use the AddType directive.
AddType, refer to AddType.
on, this directive configures the Apache HTTP Server to reference itself using the value specified in the ServerName and Port directives. When UseCanonicalName is set to off, the server instead uses the value used by the requesting client when referring to itself.
UseCanonicalName is set to off by default.
User directive sets the username of the server process and determines what files the server is allowed to access. Any files inaccessible to this user are also inaccessible to clients connecting to the Apache HTTP Server.
User is set to apache.
UserDir is the subdirectory within each user's home directory where they should place personal HTML files which are served by the Web server. This directive is set to disable by default.
public_html in the default configuration. For example, the server might receive the following request:
http://example.com/~username/foo.html/home/username/public_html/foo.html/home/username/ is the user's home directory (note that the default path to users' home directories may vary).
public_html directories (0755 also works). Files that are served in a users' public_html directories must be set to at least 0644.
<VirtualHost> and </VirtualHost> tags create a container outlining the characteristics of a virtual host. The VirtualHost container accepts most configuration directives.
VirtualHost container is provided in httpd.conf, which illustrates the minimum set of configuration directives necessary for each virtual host. Refer to Section 23.7, “Virtual Hosts” for more information about virtual hosts.
/etc/httpd/conf.d/ssl.conf.
/etc/httpd/conf.d/ssl.conf file can be configured to enable secure Web communications using SSL and TLS.
SetEnvIf sets environment variables based on the headers of incoming connections. It is not solely an SSL directive, though it is present in the supplied /etc/httpd/conf.d/ssl.conf file. It's purpose in this context is to disable HTTP keepalive and to allow SSL to close the connection without a closing notification from the client browser. This setting is necessary for certain browsers that do not reliably shut down the SSL connection.
IfModule container is necessary to define the server-pool for the MPM in use.
prefork and worker MPMs.
MaxClients sets a limit on the total number of server processes, or simultaneously connected clients, that can run at one time. The main purpose of this directive is to keep a runaway Apache HTTP Server from crashing the operating system. For busy servers this value should be set to a high value. The server's default is set to 150 regardless of the MPM in use. However, it is not recommended that the value for MaxClients exceeds 256 when using the prefork MPM.
MaxRequestsPerChild sets the total number of requests each child server process serves before the child dies. The main reason for setting MaxRequestsPerChild is to avoid long-lived process induced memory leaks. The default MaxRequestsPerChild for the prefork MPM is 4000 and for the worker MPM is 0.
prefork MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server processes based on the number of incoming requests. The server checks the number of servers waiting for a request and kills some if there are more than MaxSpareServers or creates some if the number of servers is less than MinSpareServers.
MinSpareServers value is 5; the default MaxSpareServers value is 20. These default settings should be appropriate for most situations. Be careful not to increase the MinSpareServers to a large number as doing so creates a heavy processing load on the server even when traffic is light.
worker MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server threads based on the number of incoming requests. The server checks the number of server threads waiting for a request and kills some if there are more than MaxSpareThreads or creates some if the number of servers is less than MinSpareThreads.
MinSpareThreads value is 25; the default MaxSpareThreads value is 75. These default settings should be appropriate for most situations. The value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild, else the Apache HTTP Server automatically corrects it.
StartServers directive sets how many server processes are created upon startup. Since the Web server dynamically kills and creates server processes based on traffic load, it is not necessary to change this parameter. The Web server is set to start 8 server processes at startup for the prefork MPM and 2 for the worker MPM.
http-manual package is installed, documentation about DSOs can be found online at http://localhost/manual/mod/.
LoadModule directive within /etc/httpd/conf/httpd.conf. If the module is provided by a separate package, the line must appear within the modules configuration file in the /etc/httpd/conf.d/ directory. Refer to LoadModule for more information.
http.conf, Apache HTTP Server must be reloaded or restarted, as referred to in Section 23.3, “Starting and Stopping httpd”.
httpd-devel package which contains the include files, the header files, as well as the APache eXtenSion (/usr/sbin/apxs) application, which uses the include files and the header files to compile DSOs.
/usr/sbin/apxs to compile the module sources outside the Apache source tree. For more information about using the /usr/sbin/apxs command, refer to the Apache documentation online at http://httpd.apache.org/docs/2.2/dso.html as well as the apxs man page.
/usr/lib/httpd/modules/ directory. For RHEL platforms using default-64-bit userspace (x86_64, ia64, ?) this path will be /usr/lib64/httpd/modules/. Then add a LoadModule line to the httpd.conf, using the following structure:
LoadModule <module-name> <path/to/module.so><module-name> is the name of the module and <path/to/module.so> is the path to the DSO.
httpd.conf as an example.
#NameVirtualHost *:80 # #<VirtualHost *:80> # ServerAdmin webmaster@dummy-host.example.com # DocumentRoot /www/docs/dummy-host.example.com # ServerName dummy-host.example.com # ErrorLog logs/dummy-host.example.com-error_log # CustomLog logs/dummy-host.example.com-access_log common #</VirtualHost>
NameVirtualHost line by removing the hash mark (#) and replace the asterisk (*) with the IP address assigned to the machine.
<VirtualHost> container.
<VirtualHost> line, change the asterisk (*) to the server's IP address. Change the ServerName to a valid DNS name assigned to the machine, and configure the other directives as necessary.
<VirtualHost> container is highly customizable and accepts almost every directive available within the main server configuration.
Listen directive in the global settings section of /etc/httpd/conf/httpd.conf file.
httpd” for further instructions.
mod_ssl security module enabled to use the OpenSSL library and toolkit. The combination of these three components are referred to in this section as the secure Web server or just as the secure server.
mod_ssl module is a security module for the Apache HTTP Server. The mod_ssl module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in the /etc/httpd/conf/httpd.conf file. This statement is included by default in the default Apache HTTP Server configuration file.
httpdhttpd package contains the httpd daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
mod_sslmod_ssl package includes the mod_ssl module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
opensslopenssl package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the navigation bar.
/etc/pki/tls/private/server.key/etc/pki/tls/certs/server.crthttpsd.key) and certificate (httpsd.crt) are located in /etc/httpd/conf/. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/server.keymv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/server.crt
service httpd startcd command to change to the /etc/pki/tls/ directory. Remove the fake key and certificate that were generated during the installation with the following commands:
rm private/server.keyrm certs/server.crt
crypto-utils package contains the genkey utility which you can use to generate keys as the name implies. To create your own private key, please ensure the crypto-utils package is installed. You can view more options by typing man genkey in your terminal. Assuming you wish to generate keys for www.example.com using the genkey utility, type in the following command in your terminal:
genkey www.example.commake based process is no longer shipped with RHEL 5. This will start the genkey graphical user interface. The figure below illustrates the first screen. To navigate, use the keyboard arrow and tab keys. This windows indicates where your key will be stored and prompts you to proceed or cancel the operation. To proceed to the next step, select Next and press the Return (Enter) key.
genkey www.example.com on a server that already has an existing key pair for the particular hostname, an error message will be displayed as illustrated below. You need to delete your existing key file as indicated to generate a new key pair.
/etc/pki/tls/certs/www.example.com.crt
/etc/httpd/conf.d/ssl.conf. Change the SSLCertificateFile and SSLCertificateKey lines to be.
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.keyNote that the “www.example.com” part should match the argument passed on the
genkey command.
mod_ssl.
vsftpd.
vsftpd — A fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux. The remainder of this chapter focuses on vsftpd.
vsftpdvsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP server distributed with Red Hat Enterprise Linux, due to its ability to handle large numbers of connections efficiently and securely.
vsftpd has three primary aspects:
libcap library, tasks that usually require full root privileges can be executed more safely from a less privileged process.
chroot jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a chroot jail. For example, if the directory /var/ftp/ is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as /. This disallows any potential malicious hacker activities for any directories not contained below the new root directory.
vsftpd deals with requests:
vsftpd launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks.
chroot jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allows the attacker access to the shared files.
vsftpdvsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system. The following lists the files and directories related to vsftpd configuration:
/etc/rc.d/init.d/vsftpd — The initialization script (initscript) used by the /sbin/service command to start, stop, or reload vsftpd. Refer to Section 24.4, “Starting and Stopping vsftpd” for more information about using this script.
/etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to login to the FTP server. For more information, refer to Section 46.4, “Pluggable Authentication Modules (PAM)”.
/etc/vsftpd/vsftpd.conf — The configuration file for vsftpd. Refer to Section 24.5, “vsftpd Configuration Options” for a list of important options contained within this file.
/etc/vsftpd.ftpusers — A list of users not allowed to log into vsftpd. By default, this list includes the root, bin, and daemon users, among others.
/etc/vsftpd.user_list — This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd.user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd.ftpusers.
/var/ftp/ — The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.
vsftpdvsftpd RPM installs the /etc/rc.d/init.d/vsftpd script, which can be accessed using the /sbin/service command.
service vsftpd startservice vsftpd stoprestart option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.
service vsftpd restartcondrestart (conditional restart) option only starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
service vsftpd condrestartvsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to Chapter 17, Controlling Access to Services for more information regarding these tools.
vsftpdvsftpd is by running multiple copies of the daemon, each with its own configuration file.
vsftpd to answer requests on different IP addresses, multiple copies of the daemon must be running. The first copy must be run using the vsftpd initscripts, as outlined in Section 24.4, “Starting and Stopping vsftpd”. This copy uses the standard configuration file, /etc/vsftpd/vsftpd.conf.
/etc/vsftpd/ directory, such as /etc/vsftpd/vsftpd-site-2.conf. Each configuration file must be readable and writable only by root. Within each configuration file for each FTP server listening on an IPv4 network, the following directive must be unique:
listen_address=N.N.N.NN.N.N.N with the unique IP address for the FTP site being served. If the site is using IPv6, use the listen_address6 directive instead.
vsftpd daemon must be launched from a root shell prompt using the following command:
vsftpd /etc/vsftpd/<configuration-file> [amp ]<configuration-file> with the unique name for the server's configuration file, such as /etc/vsftpd/vsftpd-site-2.conf.
anon_root
local_root
vsftpd_log_file
xferlog_file
vsftpd's configuration file, refer to Section 24.5, “vsftpd Configuration Options”.
/etc/rc.local file.
vsftpd Configuration Optionsvsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to fill most administrator's needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and follows the following format:
<directive>=<value>
<directive> with a valid directive and <value> with a valid value.
<directive>, equal symbol, and the <value> in a directive.
#) and are ignored by the daemon.
vsftpd.conf.
vsftpd, refer to Section 46.2, “Server Security”.
/etc/vsftpd/vsftpd.conf. All directives not explicitly found within vsftpd's configuration file are set to their default value.
vsftpd daemon.
listen — When enabled, vsftpd runs in stand-alone mode. Red Hat Enterprise Linux sets this value to YES. This directive cannot be used in conjunction with the listen_ipv6 directive.
NO.
listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only to IPv6 sockets. This directive cannot be used in conjunction with the listen directive.
NO.
session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). Refer to Section 46.4, “Pluggable Authentication Modules (PAM)” for more information. If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.
YES.
anonymous_enable — When enabled, anonymous users are allowed to log in. The usernames anonymous and ftp are accepted.
YES.
banned_email_file — If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server.
/etc/vsftpd.banned_emails.
banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
cmds_allowed — Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.
deny_email_enable — When enabled, any anonymous user utilizing email passwords specified in the /etc/vsftpd.banned_emails are denied access to the server. The name of the file referenced by this directive can be specified using the banned_email_file directive.
NO.
ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive.
vsftpd displays its standard banner.
local_enable — When enabled, local users are allowed to log into the system.
YES.
pam_service_name — Specifies the PAM service name for vsftpd.
ftp. On Red Hat Enterprise Linux 5.8, this option is set to vsftpd in the configuration file.
tcp_wrappers — When enabled, TCP wrappers are used to grant access to the server. If the FTP server is configured on multiple IP addresses, the VSFTPD_LOAD_CONF option can be used to load different configuration files based on the IP address being requested by the client.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
YES.
userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
/etc/vsftpd.user_list and is created during installation.
anonymous_enable directive must be set to YES.
anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
NO.
anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in.
anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions.
NO.
anon_world_readable_only — When enabled, anonymous users are only allowed to download world-readable files.
YES.
ftp_username — Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user.
ftp.
no_anon_password — When enabled, the anonymous user is not asked for a password.
NO.
secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.
/etc/vsftpd.email_passwords. The file format is one password per line, with no trailing white spaces.
NO.
local_enable directive must be set to YES.
chmod_enable — When enabled, the FTP command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files.
YES.
chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in.
chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.
NO.
chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.
/etc/vsftpd.chroot_list.
chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.
NO.
chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.
guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.
NO.
guest_username — Specifies the username the guest user is mapped to.
ftp.
local_root — Specifies the directory vsftpd changes to after a local user logs in.
local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
022.
passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of the /./ in the home directory field within /etc/passwd.
NO.
user_config_dir — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific setting for that user. Any directive in the user's configuration file overrides those found in /etc/vsftpd/vsftpd.conf.
dirlist_enable — When enabled, users are allowed to view directory lists.
YES.
dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
force_dot_files — When enabled, files beginning with a dot (.) are listed in directory listings, with the exception of the . and .. files.
NO.
hide_ids — When enabled, all directory listings show ftp as the user and group for each file.
NO.
message_file — Specifies the name of the message file when using the dirmessage_enable directive.
.message.
text_userdb_names — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow performance of the server.
NO.
use_localtime — When enabled, directory listings reveal the local time for the computer instead of GMT.
NO.
download_enable — When enabled, file downloads are permitted.
YES.
chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
NO.
chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.
root.
write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR.
YES.
vsftpd's logging behavior.
dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (/var/log/xferlog by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default).
NO.
log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all FTP commands and responses are logged. This directive is useful for debugging.
NO.
syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default) is sent to the system logger instead under the FTPD facility.
NO.
vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.
/var/log/vsftpd.log.
xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.
/var/log/xferlog.
xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (/var/log/xferlog by default). It is important to note that this file only logs file transfers and does not log connections to the server.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
wu-ftpd FTP server, the xferlog_std_format directive is set to YES under Red Hat Enterprise Linux. However, this setting means that connections to the server are not logged.
vsftpd format and maintain a wu-ftpd-compatible file transfer log, set dual_log_enable to YES.
wu-ftpd-compatible file transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash mark (#), or delete the line entirely.
vsftpd interacts with the network.
accept_timeout — Specifies the amount of time for a client using passive mode to establish a connection.
60.
anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second.
0, which does not limit the transfer rate.
connect_from_port_20 When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with less privileges, but may be incompatible with some FTP clients.
NO. On Red Hat Enterprise Linux 5.8, this option is set to YES in the configuration file.
connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
60.
data_connection_timeout — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
300.
ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.
20.
idle_session_timeout — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.
300.
listen_address — Specifies the IP address on which vsftpd listens for network connections.
vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to Section 24.4.1, “Starting Multiple Copies of vsftpd” for more information about multihomed FTP servers.
listen_address6 — Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES.
vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. Refer to Section 24.4.1, “Starting Multiple Copies of vsftpd” for more information about multihomed FTP servers.
listen_port — Specifies the port on which vsftpd listens for network connections.
21.
local_max_rate — Specifies the maximum rate data is transferred for local users logged into the server in bytes per second.
0, which does not limit the transfer rate.
max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
0, which does not limit connections.
max_per_ip — Specifies the maximum of clients allowed to connected from the same source IP address.
0, which does not limit connections.
pasv_address — Specifies the IP address for the public facing IP address of the server for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive mode connections.
pasv_enable — When enabled, passive mode connects are allowed.
YES.
pasv_max_port — Specifies the highest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
0, which does not limit the highest passive port range. The value must not exceed 65535.
pasv_min_port — Specifies the lowest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
0, which does not limit the lowest passive port range. The value must not be lower 1024.
pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same IP address. This setting is only useful for certain types of tunneling.
NO.
port_enable — When enabled, active mode connects are allowed.
YES.
vsftpd, refer to the following resources.
/usr/share/doc/vsftpd-<version-number>/ directory — Replace <version-number> with the installed version of the vsftpd package. This directory contains a README with basic information about the software. The TUNING file contains basic performance tuning tips and the SECURITY/ directory contains information about the security model employed by vsftpd.
vsftpd related man pages — There are a number of man pages for the daemon and configuration files. The following lists some of the more important man pages.
man vsftpd — Describes available command line options for vsftpd.
man vsftpd.conf — Contains a detailed list of options available within the configuration file for vsftpd.
man 5 hosts_access — Describes the format and options available within the TCP wrappers configuration files: hosts.allow and hosts.deny.
vsftpd project page is a great place to locate the latest documentation and to contact the author of the software.
/usr/sbin/sendmail) is the default SMTP program under Red Hat Enterprise Linux. However, a simpler mail server application called Postfix (/usr/sbin/postfix) is also available.
/usr/lib/cyrus-imapd/pop3d and is provided by the cyrus-imapd package. When using a POP server, email messages are downloaded by email client applications. By default, most POP email clients are automatically configured to delete the message on the email server after it has been successfully transferred, however this setting usually can be changed.
ipop3s service or by using the /usr/sbin/stunnel program. Refer to Section 25.6.1, “Securing Communication” for more information.
/usr/lib/cyrus-imapd/imapd and is provided by the cyrus-imapd package. When using an IMAP mail server, email messages remain on the server where users can read or delete them. IMAP also allows client applications to create, rename, or delete mail directories on the server to organize and store email.
imaps service, or by using the /usr/sbin/stunnel program. Refer to Section 25.6.1, “Securing Communication” for more information.
imap-login and pop3-login daemons which implement the IMAP and POP3 protocols are included in the dovecot package. The use of IMAP and POP is configured through dovecot; by default dovecot runs only IMAP. To configure dovecot to use POP:
/etc/dovecot.conf to have the line:
protocols = imap imaps pop3 pop3s
service dovecot restartchkconfig dovecot ondovecot only reports that it started the IMAP server, but also starts the POP3 server.
dovecot configuration file /etc/pki/dovecot/dovecot-openssl.conf as you prefer. However in a typical installation, this file does not require modification.
/etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem.
/usr/share/doc/dovecot-1.0/examples/mkcert.sh script which creates the dovecot self signed certificates. The certificates are copied in the /etc/pki/dovecot/certs and /etc/pki/dovecot/private directories. To implement the changes, restart dovecot (/sbin/service dovecot restart).
dovecot can be found online at http://www.dovecot.org.
mail or Procmail.
mutt.
/usr/sbin/sendmail.
/etc/mail/sendmail.cf. Avoid editing the sendmail.cf file directly. To make configuration changes to Sendmail, edit the /etc/mail/sendmail.mc file, back up the original /etc/mail/sendmail.cf, and use the following alternatives to generate a new configuration file:
/etc/mail (make all -C /etc/mail) to create a new /etc/mail/sendmail.cf configuration file. All other generated files in /etc/mail (db files) will be regenerated if needed. The old makemap commands are still usable. The make command will automatically be used by service sendmail start | restart | reload if the make package is installed.
m4 macro processor to create a new /etc/mail/sendmail.cf.
/etc/mail/ directory including:
access — Specifies which systems can use Sendmail for outbound email.
domaintable — Specifies domain name mapping.
local-host-names — Specifies aliases for the host.
mailertable — Specifies instructions that override routing for particular domains.
virtusertable — Specifies a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine.
/etc/mail/, such as access, domaintable, mailertable and virtusertable, must actually store their information in database files before Sendmail can use any configuration changes. To include any changes made to these configurations in their database files, run the following command:
makemap hash /etc/mail/<name> < /etc/mail/<name>
<name> is replaced with the name of the configuration file to convert.
example.com domain delivered to bob@other-example.com
, add the following line to the virtusertable file:
@example.com bob@other-example.com
virtusertable.db file must be updated using the following command as root:
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertablevirtusertable.db file containing the new configuration.
/etc/mail/sendmail.cf file.
sendmail.cf file, it is a good idea to create a backup copy.
/etc/mail/sendmail.mc file as the root user. When finished, use the m4 macro processor to generate a new sendmail.cf by executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cfm4 macro processor is installed with Sendmail but is part of the m4 package.
/etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. The easiest way to do this is to type the following command:
service sendmail restartsendmail.cf file does not allow Sendmail to accept network connections from any host other than the local computer. To configure Sendmail as a server for other clients, edit the /etc/mail/sendmail.mc file, and either change the address specified in the Addr= option of the DAEMON_OPTIONS directive from 127.0.0.1 to the IP address of an active network device or comment out the DAEMON_OPTIONS directive all together by placing dnl at the beginning of the line. When finished, regenerate /etc/mail/sendmail.cf by executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf/etc/mail/sendmail.mc file must be reconfigured and a new /etc/mail/sendmail.cf must be generated.
/usr/share/sendmail-cf/README file before editing any files in the directories under the /usr/share/sendmail-cf directory, as they can affect the future configuration of /etc/mail/sendmail.cf files.
mail.example.com that handles all of their email and assigns a consistent return address to all outgoing mail.
user@example.com instead of user@host.example.com.
/etc/mail/sendmail.mc:
FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl MASQUERADE_AS(`bigcorp.com.')dnl MASQUERADE_DOMAIN(`bigcorp.com.')dnl MASQUERADE_AS(bigcorp.com)dnl
sendmail.cf using m4, this configuration makes all mail from inside the network appear as if it were sent from bigcorp.com.
x.edu) to accept messages from one party (y.com) and sent them to a different party (z.net). Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the /etc/mail/relay-domains file and restart Sendmail.
/etc/mail/access file can be used to prevent connections from unwanted hosts. The following example illustrates how this file can be used to both block and specifically allow access to the Sendmail server:
badspammer.com ERROR:550 "Go away and do not spam us anymore" tux.badspammer.com OK 10.0 RELAY
badspammer.com is blocked with a 550 RFC-821 compliant error code, with a message sent back to the spammer. Email sent from the tux.badspammer.com sub-domain, is accepted. The last line shows that any email sent from the 10.0.*.* network can be relayed through the mail server.
/etc/mail/access.db is a database, use makemap to activate any changes. Do this using the following command as root:
makemap hash /etc/mail/access < /etc/mail/access/usr/share/sendmail-cf/README for more information and examples.
aliases and virtusertables, on different mail servers that work together to support a medium- to enterprise-level organization. In short, LDAP abstracts the mail routing level from Sendmail and its separate configuration files to a powerful LDAP cluster that can be leveraged by many different applications.
/etc/mail/sendmail.mc to include the following:
LDAPROUTE_DOMAIN('yourdomain.com')dnl
FEATURE('ldap_routing')dnl/usr/share/sendmail-cf/README for detailed LDAP routing configuration instructions and examples.
/etc/mail/sendmail.cf file by running m4 and restarting Sendmail. Refer to Section 25.3.1.3, “Common Sendmail Configuration Changes” for instructions.
/usr/sbin/postfix. This daemon launches all related processes needed to handle mail delivery.
/etc/postfix/ directory. The following is a list of the more commonly used files:
access — Used for access control, this file specifies which hosts are allowed to connect to Postfix.
aliases — A configurable list required by the mail protocol.
main.cf — The global Postfix configuration file. The majority of configuration options are specified in this file.
master.cf — Specifies how Postfix interacts with various processes to accomplish mail delivery.
transport — Maps email addresses to relay hosts.
/etc/postfix/main.cf file does not allow Postfix to accept network connections from a host other than the local computer. For instructions on configuring Postfix as a server for other clients, refer to Section 25.3.2.2, “Basic Postfix Configuration”.
/etc/postfix/ directory, it may be necessary to restart the postfix service for the changes to take effect. The easiest way to do this is to type the following command:
service postfix restart/etc/postfix/main.cf file with a text editor, such as vi.
mydomain line by removing the hash mark (#), and replace domain.tld with the domain the mail server is servicing, such as example.com.
myorigin = $mydomain line.
myhostname line, and replace host.domain.tld with the hostname for the machine.
mydestination = $myhostname, localhost.$mydomain line.
mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
inet_interfaces = all line.
inet_interfaces = localhost line.
postfix service.
/etc/postfix/main.cf. Additional resources including information about LDAP and SpamAssassin integration are available online at http://www.postfix.org/.
.fetchmailrc file in the user's home directory.
.fetchmailrc file, Fetchmail checks for email on a remote server and downloads it. It then delivers it to port 25 on the local machine, using the local MTA to place the email in the correct user's spool file. If Procmail is available, it is launched to filter the email and place it in a mailbox so that it can be read by an MUA.
.fetchmailrc file is much easier. Place any desired configuration options in the .fetchmailrc file for those options to be used each time the fetchmail command is issued. It is possible to override these at the time Fetchmail is run by specifying that option on the command line.
.fetchmailrc file contains three classes of configuration options:
.fetchmailrc file, followed by one or more server options, each of which designate a different email server that Fetchmail should check. User options follow server options for each user account checking that email server. Like server options, multiple user options may be specified for use with a particular server as well as to check multiple email accounts on the same server.
.fetchmailrc file by the use of a special option verb, poll or skip, that precedes any of the server information. The poll action tells Fetchmail to use this server option when it is run, which checks for email using the specified user options. Any server options after a skip action, however, are not checked unless this server's hostname is specified when Fetchmail is invoked. The skip option is useful when testing configurations in .fetchmailrc because it only checks skipped servers when specifically invoked, and does not affect any currently working configurations.
.fetchmailrc file looks similar to the following example:
set postmaster "user1" set bouncemail poll pop.domain.com proto pop3 user 'user1' there with password 'secret' is user1 here poll mail.domain2.com user 'user5' there with password 'secret2' is user1 here user 'user7' there with password 'secret3' is user1 here
postmaster option) and all email errors are sent to the postmaster instead of the sender (bouncemail option). The set action tells Fetchmail that this line contains a global option. Then, two email servers are specified, one set to check using POP3, the other for trying various protocols to find one that works. Two users are checked using the second server option, but all email found for any user is sent to user1's mail spool. This allows multiple mailboxes to be checked on multiple servers, while appearing in a single MUA inbox. Each user's specific information begins with the user action.
.fetchmailrc file. Omitting the with password '<password>' section causes Fetchmail to ask for a password when it is launched.
fetchmail man page explains each option in detail, but the most common ones are listed here.
set action.
daemon <seconds> — Specifies daemon-mode, where Fetchmail stays in the background. Replace <seconds> with the number of seconds Fetchmail is to wait before polling the server.
postmaster — Specifies a local user to send mail to in case of delivery problems.
syslog — Specifies the log file for errors and status messages. By default, this is /var/log/maillog.
.fetchmailrc after a poll or skip action.
auth <auth-type> — Replace <auth-type> with the type of authentication to be used. By default, password authentication is used, but some protocols support other types of authentication, including kerberos_v5, kerberos_v4, and ssh. If the any authentication type is used, Fetchmail first tries methods that do not require a password, then methods that mask the password, and finally attempts to send the password unencrypted to authenticate to the server.
interval <number> — Polls the specified server every <number> port <port-number> — Replace <port-number> with the port number. This value overrides the default port number for the specified protocol.
proto <protocol> — Replace <protocol> with the protocol, such as pop3 or imap, to use when checking for messages on the server.
timeout <seconds> — Replace <seconds> with the number of seconds of server inactivity after which Fetchmail gives up on a connection attempt. If this value is not set, a default of 300 seconds is assumed.
user option (defined below).
fetchall — Orders Fetchmail to download all messages in the queue, including messages that have already been viewed. By default, Fetchmail only pulls down new messages.
fetchlimit <number> — Replace <number> with the number of messages to be retrieved before stopping.
flush — Deletes all previously viewed messages in the queue before retrieving new messages.
limit <max-number-bytes> — Replace <max-number-bytes> with the maximum size in bytes that messages are allowed to be when retrieved by Fetchmail. This option is useful with slow network links, when a large message takes too long to download.
password '<password>' — Replace <password> with the user's password.
preconnect "<command>" — Replace <command> with a command to be executed before retrieving messages for the user.
postconnect "<command>" — Replace <command> with a command to be executed after retrieving messages for the user.
ssl — Activates SSL encryption.
user "<username>" — Replace <username> with the username used by Fetchmail to retrieve messages. This option must precede all other user options.
fetchmail command mirror the .fetchmailrc configuration options. In this way, Fetchmail may be used with or without a configuration file. These options are not used on the command line by most users because it is easier to leave them in the .fetchmailrc file.
fetchmail command with other options for a particular purpose. It is possible to issue command options to temporarily override a .fetchmailrc setting that is causing an error, as any options specified at the command line override configuration file options.
fetchmail command can supply important information.
--configdump — Displays every possible option based on information from .fetchmailrc and Fetchmail defaults. No email is retrieved for any users when using this option.
-s — Executes Fetchmail in silent mode, preventing any messages, other than errors, from appearing after the fetchmail command.
-v — Executes Fetchmail in verbose mode, displaying every communication between Fetchmail and remote email servers.
-V — Displays detailed version information, lists its global options, and shows settings to be used with each user, including the email protocol and authentication method. No email is retrieved for any users when using this option.
.fetchmailrc file.
-a — Fetchmail downloads all messages from the remote email server, whether new or previously viewed. By default, Fetchmail only downloads new messages.
-k — Fetchmail leaves the messages on the remote email server after downloading them. This option overrides the default behavior of deleting messages after downloading them.
-l <max-number-bytes> — Fetchmail does not download any messages over a particular size and leaves them on the remote email server.
--quit — Quits the Fetchmail daemon process.
.fetchmailrc options can be found in the fetchmail man page.
/bin/mail command to send email containing log messages to the root user of the local system.
sendmail is the default MTA. The Mail Transport Agent Switcher allows for the selection of either sendmail, postfix, or exim as the default MTA for the system.
system-switch-mail RPM package must be installed to use the text-based version of the Mail Transport Agent Switcher program. If you want to use the graphical version, the system-switch-mail-gnome package must also be installed. system-switch-mail at a shell prompt (for example, in an XTerm or GNOME terminal).
system-switch-mail-nox.
mail. Both of the applications are considered LDAs and both move email from the MTA's spool file into the user's mailbox. However, Procmail provides a robust filtering system.
mail command, consult its man page.
/etc/procmailrc or of a .procmailrc file (also called an rc file) in the user's home directory invokes Procmail whenever an MTA receives a new message.
rc file. If a message matches a recipe, then the email is placed in a specified file, is deleted, or is otherwise processed.
/etc/procmailrc and rc files in the /etc/procmailrcs directory for default, system-wide, Procmail environmental variables and recipes. Procmail then searches for a .procmailrc file in the user's home directory. Many users also create additional rc files for Procmail that are referred to within the .procmailrc file in their home directory.
rc files exist in the /etc/ directory and no .procmailrc files exist in any user's home directory. Therefore, to use Procmail, each user must construct a .procmailrc file with specific environment variables and rules.
.procmailrc in the following format:
<env-variable>="<value>"
<env-variable> <value> DEFAULT — Sets the default mailbox where messages that do not match any recipes are placed.
DEFAULT value is the same as $ORGMAIL.
INCLUDERC — Specifies additional rc files containing more recipes for messages to be checked against. This breaks up the Procmail recipe lists into individual files that fulfill different roles, such as blocking spam and managing email lists, that can then be turned off or on by using comment characters in the user's .procmailrc file.
.procmailrc file may look like this:
MAILDIR=$HOME/Msgs INCLUDERC=$MAILDIR/lists.rc INCLUDERC=$MAILDIR/spam.rc
INCLUDERC line with a hash mark character (#).
LOCKSLEEP — Sets the amount of time, in seconds, between attempts by Procmail to use a particular lockfile. The default is eight seconds.
LOCKTIMEOUT — Sets the amount of time, in seconds, that must pass after a lockfile was last modified before Procmail assumes that the lockfile is old and can be deleted. The default is 1024 seconds.
LOGFILE — The file to which any Procmail information or error messages are written.
MAILDIR — Sets the current working directory for Procmail. If set, all other Procmail paths are relative to this directory.
ORGMAIL — Specifies the original mailbox, or another place to put the messages if they cannot be placed in the default or recipe-required location.
/var/spool/mail/$LOGNAME is used.
SUSPEND — Sets the amount of time, in seconds, that Procmail pauses if a necessary resource, such as swap space, is not available.
SWITCHRC — Allows a user to specify an external file containing additional Procmail recipes, much like the INCLUDERC option, except that recipe checking is actually stopped on the referring configuration file and only the recipes on the SWITCHRC-specified file are used.
VERBOSE — Causes Procmail to log more information. This option is useful for debugging.
LOGNAME, which is the login name; HOME, which is the location of the home directory; and SHELL, which is the default shell.
procmailrc man page.
:0<flags>: <lockfile-name>*<special-condition-character><condition-1>*<special-condition-character><condition-2>*<special-condition-character><condition-N><special-action-character><action-to-perform>
<flags> <lockfile-name> * character can further control the condition.
<action-to-perform> { }, that are performed on messages which match the recipe's conditions. Nesting blocks can be nested inside one another, providing greater control for identifying and performing actions on messages.
A — Specifies that this recipe is only used if the previous recipe without an A or a flag also matched this message.
a — Specifies that this recipe is only used if the previous recipe with an A or a flag also matched this message and was successfully completed.
B — Parses the body of the message and looks for matching conditions.
b — Uses the body in any resulting action, such as writing the message to a file or forwarding it. This is the default behavior.
c — Generates a carbon copy of the email. This is useful with delivering recipes, since the required action can be performed on the message and a copy of the message can continue being processed in the rc files.
D — Makes the egrep comparison case-sensitive. By default, the comparison process is not case-sensitive.
E — While similar to the A flag, the conditions in the recipe are only compared to the message if the immediately preceding the recipe without an E flag did not match. This is comparable to an else action.
e — The recipe is compared to the message only if the action specified in the immediately preceding recipe fails.
f — Uses the pipe as a filter.
H — Parses the header of the message and looks for matching conditions. This occurs by default.
h — Uses the header in a resulting action. This is the default behavior.
w — Tells Procmail to wait for the specified filter or program to finish, and reports whether or not it was successful before considering the message filtered.
W — Is identical to w except that "Program failure" messages are suppressed.
procmailrc man page.
:) after any flags on a recipe's first line. This creates a local lockfile based on the destination file name plus whatever has been set in the LOCKEXT global environment variable.
* character at the beginning of a recipe's condition line:
! — In the condition line, this character inverts the condition, causing a match to occur only if the condition does not match the message.
< — Checks if the message is under a specified number of bytes.
> — Checks if the message is over a specified number of bytes.
! — In the action line, this character tells Procmail to forward the message to the specified email addresses.
$ — Refers to a variable set earlier in the rc file. This is often used to set a common mailbox that is referred to by various recipes.
| — Starts a specified program to process the message.
{ and } — Constructs a nesting block, used to contain additional recipes to apply to matching messages.
grep man page.
:0: new-mail.spool
LOCKEXT environment variable. No condition is specified, so every message matches this recipe and is placed in the single spool file called new-mail.spool, located within the directory specified by the MAILDIR environment variable. An MUA can then view messages in this file.
rc files to direct messages to a default location.
:0 * ^From: spammer@domain.com /dev/null
spammer@domain.com are sent to the /dev/null device, deleting them.
/dev/null for permanent deletion. If a recipe inadvertently catches unintended messages, and those messages disappear, it becomes difficult to troubleshoot the rule.
/dev/null.
:0: * ^(From|CC|To).*tux-lug tuxlug
tux-lug@domain.com mailing list are placed in the tuxlug mailbox automatically for the MUA. Note that the condition in this example matches the message if it has the mailing list's email address on the From, CC, or To lines.
~/.procmailrc file:
INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc
/etc/mail/spamassassin/spamassassin-default.rc contains a simple Procmail rule that activates SpamAssassin for all incoming email. If an email is determined to be spam, it is tagged in the header as such and the title is prepended with the following pattern:
*****SPAM*****
:0 Hw * ^X-Spam-Status: Yes spam
spam.
spamd) and client application (spamc). Configuring SpamAssassin this way, however, requires root access to the host.
spamd daemon, type the following command as root:
service spamassassin startsystem-config-services), to turn on the spamassassin service. Refer to Chapter 17, Controlling Access to Services for more information about initscript utilities.
~/.procmailrc file. For a system-wide configuration, place it in /etc/procmailrc:
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
mutt.
mutt offer SSL-encrypted email sessions.
/etc/pki/tls/certs/ directory and type the following commands as root:
rm -f cyrus-imapd.pem make cyrus-imapd.pem/etc/pki/tls/certs/ directory, and type the following commands as root:
rm -f ipop3d.pem make ipop3d.pemimapd.pem and ipop3d.pem files before issuing each make command.
/sbin/service xinetd restart command to restart the xinetd daemon which controls imapd and ipop3d.
stunnel command can be used as an SSL encryption wrapper around the standard, non-secure daemons, imapd or pop3d.
stunnel program uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and protect the connections. It is best to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
/etc/pki/tls/certs/ directory, and type the following command:
make stunnel.pemstunnel command to start the imapd mail daemon using the following command:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapdpop3d using the stunnel command, type the following command:
/usr/sbin/stunnel -d 995 -l /usr/sbin/pop3d pop3dstunnel, read the stunnel man page or refer to the documents in the /usr/share/doc/stunnel-<version-number> / directory, where <version-number> is the version number for stunnel.
sendmail and sendmail-cf packages.
/usr/share/sendmail-cf/README — Contains information on m4, file locations for Sendmail, supported mailers, how to access enhanced features, and more.
sendmail and aliases man pages contain helpful information covering various Sendmail options and the proper configuration of the Sendmail /etc/mail/aliases file.
/usr/share/doc/postfix-<version-number> — Contains a large amount of information about ways to configure Postfix. Replace <version-number> with the version number of Postfix.
/usr/share/doc/fetchmail-<version-number> — Contains a full list of Fetchmail features in the FEATURES file and an introductory FAQ document. Replace <version-number> with the version number of Fetchmail.
/usr/share/doc/procmail-<version-number> — Contains a README file that provides an overview of Procmail, a FEATURES file that explores every program feature, and an FAQ file with answers to many common configuration questions. Replace <version-number> with the version number of Procmail.
procmail — Provides an overview of how Procmail works and the steps involved with filtering email.
procmailrc — Explains the rc file format used to construct recipes.
procmailex — Gives a number of useful, real-world examples of Procmail recipes.
procmailsc — Explains the weighted scoring technique used by Procmail to match a particular recipe to a message.
/usr/share/doc/spamassassin-<version-number>/ — Contains a large amount of information pertaining to SpamAssassin. Replace <version-number> with the version number of the spamassassin package.
.procmailrc files and use Procmail scoring to decide if a particular action should be taken.
/etc/openldap/schema/ Directory/etc/openldap/schema/ directory. For more information, refer to Section 26.5, “The /etc/openldap/schema/ Directory”.
[<id>] dn: <distinguished name> <attrtype>: <attrvalue> <attrtype>: <attrvalue> <attrtype>: <attrvalue>
<attrtype>: <attrvalue> pairs as needed. A blank line indicates the end of an entry.
<attrtype> and <attrvalue> pairs must be defined in a corresponding schema file to use this information.
< and a > is a variable and can be set whenever a new LDAP entry is created. This rule does not apply, however, to <id>. The <id> is a number determined by the application used to edit the entry.
openldap — Contains the libraries necessary to run the OpenLDAP server and client applications.
openldap-clients — Contains command line tools for viewing and modifying directories on an LDAP server.
openldap-servers — Contains the servers and other utilities necessary to configure and run an LDAP server.
openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd).
slapd daemon is the standalone LDAP server while the slurpd daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The slurpd daemon is only used when dealing with multiple LDAP servers.
openldap-servers package installs the following utilities into the /usr/sbin/ directory:
slapadd — Adds entries from an LDIF file to an LDAP directory. For example, the command /usr/sbin/slapadd -l ldif-input reads in the LDIF file, ldif-input/usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldapslapcat — Pulls entries from an LDAP directory in the default format, Sleepycat Software's Berkeley DB system, and saves them in an LDIF file. For example, the command /usr/sbin/slapcat -l ldif-output outputs an LDIF file called ldif-outputslapindex — Re-indexes the slapd directory based on the current content. This tool should be run whenever indexing options within /etc/openldap/slapd.conf are changed.
slappasswd — Generates an encrypted user password value for use with ldapmodify or the rootpw value in the slapd configuration file, /etc/openldap/slapd.conf. Execute the /usr/sbin/slappasswd command to create the password.
slapd by issuing the /sbin/service ldap stop command before using slapadd, slapcat or slapindex. Otherwise, the integrity of the LDAP directory is at risk.
openldap-clients package installs tools into /usr/bin/ which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
ldapadd — Adds entries to an LDAP directory by accepting input via a file or standard input; ldapadd is actually a hard link to ldapmodify -a.
ldapdelete — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
ldapmodify — Modifies entries in an LDAP directory, accepting input via a file or standard input.
ldappasswd — Sets the password for an LDAP user.
ldapsearch — Searches for entries in an LDAP directory using a shell prompt.
ldapcompare — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.
ldapwhoami — Opens a connection to an LDAP server, binds, and performs a whoami operation.
ldapmodrdn — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.
ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
nss_ldap, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
nss_ldap package provides the following modules (where <version> refers to the version of libnss_ldap in use):
/lib/libnss_ldap-<version>.so
/lib/security/pam_ldap.so
nss_ldap package provides the following modules for Itanium or AMD64 architectures:
/lib64/libnss_ldap-<version>.so
/lib64/security/pam_ldap.so
libnss_ldap-<version>.so module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the Nameservice Switch (NSS) interface of glibc. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
pam_ldap module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
php-ldap package adds LDAP support to the PHP4 HTML-embedded scripting language via the /usr/lib/php4/ldap.so module. This module allows PHP4 scripts to access information stored in an LDAP directory.
mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The mod_ssl module is required when using the mod_authz_ldap module.
mod_authz_ldap module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental mod_auth_ldap module, which is not included with Red Hat Enterprise Linux. Refer to the Apache Software Foundation website online at http://www.apache.org/ for details on the status of this module.
/etc/openldap/ directory. The following is a brief list highlighting the most important directories and files:
/etc/openldap/ldap.conf — This is the configuration file for all client applications which use the OpenLDAP libraries such as ldapsearch, ldapadd, Sendmail, Evolution, and Gnome Meeting.
/etc/openldap/slapd.conf — This is the configuration file for the slapd daemon. Refer to Section 26.6.1, “Editing /etc/openldap/slapd.conf” for more information.
/etc/openldap/schema/ directory — This subdirectory contains the schema used by the slapd daemon. Refer to Section 26.5, “The /etc/openldap/schema/ Directory” for more information.
nss_ldap package is installed, it creates a file named /etc/ldap.conf. This file is used by the PAM and NSS modules supplied by the nss_ldap package. Refer to Section 26.7, “Configuring a System to Authenticate Using OpenLDAP” for more information.
/etc/openldap/schema/ Directory/etc/openldap/schema/ directory holds LDAP definitions, previously located in the slapd.at.conf and slapd.oc.conf files. The /etc/openldap/schema/redhat/ directory holds customized schemas distributed by Red Hat for Red Hat Enterprise Linux.
/etc/openldap/slapd.conf using include lines, as shown in this example:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/rfc822-MailMember.schema include /etc/openldap/schema/redhat/autofs.schema
local.schema file in the /etc/openldap/schema/ directory. Reference this new schema within slapd.conf by adding the following line below the default include schema lines:
include /etc/openldap/schema/local.schema
local.schema file. Many organizations use existing attribute types from the schema files installed by default and add new object classes to the local.schema file.
openldap, openldap-servers, and openldap-clients RPMs.
/etc/openldap/slapd.conf file to specify the LDAP domain and server. Refer to Section 26.6.1, “Editing /etc/openldap/slapd.conf” for more information.
slapd with the command:
service ldap startchkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool to configure LDAP to start at boot time. For more information about configuring services, refer to Chapter 17, Controlling Access to Services.
ldapadd.
ldapsearch to determine if slapd is accessing the information correctly.
/etc/openldap/slapd.confslapd LDAP server, modify its configuration file, /etc/openldap/slapd.conf, to specify the correct domain and server.
suffix line names the domain for which the LDAP server provides information and should be changed from:
suffix "dc=your-domain,dc=com"
suffix "dc=example,dc=com"
rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. In the configuration file, change the rootdn line from its default value as in the following example:
rootdn "cn=root,dc=example,dc=com"
rootpw line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
slappasswd/etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#).
rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2urootpw directive specified in /etc/openldap/slapd.conf, are sent over the network unencrypted, unless TLS encryption is enabled.
/etc/openldap/slapd.conf and refer to the man page for slapd.conf.
rootpw directive should be commented out after populating the LDAP directory by preceding it with a hash mark (#).
/usr/sbin/slapadd command line tool locally to populate the LDAP directory, use of the rootpw directive is not necessary.
/usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following command:
chown -R ldap /var/lib/ldapopenldap-servers package.
openldap, openldap-clients, and nss_ldap packages need to be installed on all LDAP client machines.
/etc/openldap/slapd.conf file on the LDAP server to make sure it matches the specifics of the organization. Refer to Section 26.6.1, “Editing /etc/openldap/slapd.conf” for instructions about editing slapd.conf.
/etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
system-config-authentication) and select Enable LDAP Support under the User Information tab.
/etc/nsswitch.conf must be edited to use LDAP.
system-config-authentication) and select Enable LDAP Support under the User Information tab.
/etc/nsswitch.conf by hand, add ldap to the appropriate lines.
passwd: files ldap shadow: files ldap group: files ldap
system-config-authentication) and select Enable LDAP Support under the Authentication tab. For more about configuring PAM, refer to Section 46.4, “Pluggable Authentication Modules (PAM)” and the PAM man pages.
/usr/share/openldap/migration/ directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.
migrate_common.ph file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
$DEFAULT_MAIL_DOMAIN = "example";$DEFAULT_BASE = "dc=example,dc=com";
README and the migration-tools.txt files in the /usr/share/openldap/migration/ directory provide more details on how to migrate the information.
| Existing name service | Is LDAP running? | Script to Use |
|---|---|---|
/etc flat files
| yes |
migrate_all_online.sh
|
/etc flat files
| no |
migrate_all_offline.sh
|
| NetInfo | yes |
migrate_all_netinfo_online.sh
|
| NetInfo | no |
migrate_all_netinfo_offline.sh
|
| NIS (YP) | yes |
migrate_all_nis_online.sh
|
| NIS (YP) | no |
migrate_all_nis_offline.sh
|
/usr/sbin/slapcat -l ldif-output. This outputs an LDIF file called ldif-output/usr/sbin/slapadd -l ldif-output.
/usr/share/docs/openldap-<versionnumber>/ directory — Contains a general README document and miscellaneous information.
man ldapadd — Describes how to add entries to an LDAP directory.
man ldapdelete — Describes how to delete entries within an LDAP directory.
man ldapmodify — Describes how to modify entries within an LDAP directory.
man ldapsearch — Describes how to search for entries within an LDAP directory.
man ldappasswd — Describes how to set or change the password of an LDAP user.
man ldapcompare — Describes how to use the ldapcompare tool.
man ldapwhoami — Describes how to use the ldapwhoami tool.
man ldapmodrdn — Describes how to modify the RDNs of entries.
man slapd — Describes command line options for the LDAP server.
man slurpd — Describes command line options for the LDAP replication server.
man slapadd — Describes command line options used to add entries to a slapd database.
man slapcat — Describes command line options used to generate an LDIF file from a slapd database.
man slapindex — Describes command line options used to regenerate an index based upon the contents of a slapd database.
man slappasswd — Describes command line options used to generate user passwords for LDAP directories.
man ldap.conf — Describes the format and options available within the configuration file for LDAP clients.
man slapd.conf — Describes the format and options available within the configuration file referenced by both the LDAP server applications (slapd and slurpd) and the LDAP administrative tools (slapadd, slapcat, and slapindex).
system-config-authentication at a shell prompt (for example, in an XTerm or a GNOME terminal).
ypbind package must be installed for this option to work. If NIS support is enabled, the portmap and ypbind services are started and are also enabled to start at boot time.
openldap-clients package must be installed for this option to work.
hesiod package must be installed for this option to work.
man hesiod. You can also refer to the hesiod.conf man page (man hesiod.conf) for more information on LHS and RHS.
krb5-server package must be installed, and Kerberos must be configured properly.
winbind should use. For more information about domain controllers, please refer to Section 21.6.3, “Domain Controller”.
winbindd daemon uses the value chosen here to to specify the login shell for that user.
winbind service, refer to winbindd under Section 21.2, “Samba Daemons and Related Services”.
kadmind.
krb5-libs and krb5-workstation packages must be installed for this option to work. For more information about Kerberos, refer to Section 46.6, “Kerberos”.
openldap-clients package must be installed for this option to work.
pam_pkcs11 and coolkey packages must be installed for this option to work. For more information about smart cards, refer to Section 46.3.1.3, “Supported Smart Cards” under Section 46.3, “Single Sign-on (SSO)”.
nscd) and configure it to start at boot time.
nscd package must be installed for this option to work. For more information about nscd, refer to its man page using the command man nscd.
/etc/shadow file instead of /etc/passwd. Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system.
shadow-utils package must be installed for this option to work. For more information about shadow passwords, refer to Section 35.6, “Shadow Passwords”.
authconfig man page or by typing authconfig --help at a shell prompt.
| Option | Description |
|---|---|
--enableshadow
| Enable shadow passwords |
--disableshadow
| Disable shadow passwords |
--enablemd5
| Enable MD5 passwords |
--disablemd5
| Disable MD5 passwords |
--enablenis
| Enable NIS |
--disablenis
| Disable NIS |
--nisdomain=
| Specify NIS domain |
--nisserver=
| Specify NIS server |
--enableldap
| Enable LDAP for user information |
--disableldap
| Disable LDAP for user information |
--enableldaptls
| Enable use of TLS with LDAP |
--disableldaptls
| Disable use of TLS with LDAP |
--enableldapauth
| Enable LDAP for authentication |
--disableldapauth
| Disable LDAP for authentication |
--ldapserver=
| Specify LDAP server |
--ldapbasedn=
| Specify LDAP base DN |
--enablekrb5
| Enable Kerberos |
--disablekrb5
| Disable Kerberos |
--krb5kdc=
| Specify Kerberos KDC |
--krb5adminserver=
| Specify Kerberos administration server |
--krb5realm=
| Specify Kerberos realm |
--enablekrb5kdcdns
| Enable use of DNS to find Kerberos KDCs |
--disablekrb5kdcdns
| Disable use of DNS to find Kerberos KDCs |
--enablekrb5realmdns
| Enable use of DNS to find Kerberos realms |
--disablekrb5realmdns
| Disable use of DNS to find Kerberos realms |
--enablesmbauth
| Enable SMB |
--disablesmbauth
| Disable SMB |
--smbworkgroup=
| Specify SMB workgroup |
--smbservers=
| Specify SMB servers |
--enablewinbind
| Enable winbind for user information by default |
--disablewinbind
| Disable winbind for user information by default |
--enablewinbindauth
| Enable winbindauth for authentication by default |
--disablewinbindauth
| Disable winbindauth for authentication by default |
--smbsecurity=
| Security mode to use for Samba and winbind |
--smbrealm=
|
Default realm for Samba and winbind when security=ads
|
--smbidmapuid=
| UID range winbind assigns to domain or ADS users |
--smbidmapgid=
| GID range winbind assigns to domain or ADS users |
--winbindseparator=
|
Character used to separate the domain and user part of winbind usernames if winbindusedefaultdomain is not enabled
|
--winbindtemplatehomedir=
| Directory that winbind users have as their home |
--winbindtemplateprimarygroup=
| Group that winbind users have as their primary group |
--winbindtemplateshell=
| Shell that winbind users have as their default login shell |
--enablewinbindusedefaultdomain
| Configures winbind to assume that users with no domain in their usernames are domain users |
--disablewinbindusedefaultdomain
| Configures winbind to assume that users with no domain in their usernames are not domain users |
--winbindjoin=
| Joins the winbind domain or ADS realm now as this administrator |
--enablewins
| Enable WINS for hostname resolution |
--disablewins
| Disable WINS for hostname resolution |
--enablehesiod
| Enable Hesiod |
--disablehesiod
| Disable Hesiod |
--hesiodlhs=
| Specify Hesiod LHS |
--hesiodrhs=
| Specify Hesiod RHS |
--enablecache
|
Enable nscd
|
--disablecache
|
Disable nscd
|
--nostart
|
Do not start or stop the portmap, ypbind, or nscd services even if they are configured
|
--kickstart
| Do not display the user interface |
--probe
| Probe and display network defaults |
.conf file. The default file is /etc/sssd/sssd.conf, although alternative files can be passed to SSSD by using the -c option with the sssd command:
# sssd -c /etc/sssd/customfile.conf
[domain/LDAP]. The configuration file uses simple key = value lines to set the configuration. Comment lines are set by either a hash sign (#) or a semicolon (;)
[section] # Comment line key1 = val1 key10 = val1,val2
service command or the /etc/init.d/sssd script can start SSSD. For example:
# service sssd start
chkconfig command:
[root@server ~]# chkconfig sssd on
sssd.conf file. on sections. The [sssd] section also lists the services that are active and should be started when sssd starts within the services directive.
sssd_nss module. This is configured in the [nss] section of the configuration.
sssd_pam PAM module. This is configured in the [pam] section of the configuration.
monitor, a special service that monitors and starts or restarts all other SSSD services. Its options are specified in the [sssd] section of the /etc/sssd/sssd.conf configuration file.
lookup family order option in the sssd.conf configuration file.
sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
sssd.conf file.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam[nss] section, change any of the NSS parameters. These are listed in Table 28.1, “SSSD [nss] Configuration Parameters”.
[nss] filter_groups = root filter_users = root reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
service sssd restart
| Parameter | Value Format | Description |
|---|---|---|
| enum_cache_timeout | integer | Specifies how long, in seconds, sssd_nss should cache requests for information about all users (enumerations). |
| entry_cache_nowait_percentage | integer |
Specifies how long sssd_nss should return cached entries before refreshing the cache. Setting this to zero (0) disables the entry cache refresh.
This configures the entry cache to update entries in the background automatically if they are requested if the time before the next update is a certain percentage of the next interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds — 75% of the interval.
The allowed values for this option are 0 to 99, which sets the percentage based on the
entry_cache_timeout value. The default value is 50%.
|
| entry_negative_timeout | integer | Specifies how long, in seconds, sssd_nss should cache negative cache hits. A negative cache hit is a query for an invalid database entries, including non-existent entries. |
| filter_users, filter_groups | string |
Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as root.
|
| filter_users_in_groups | Boolean |
Sets whether users listed in the filter_users list appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, this value defaults to TRUE, which filters the group member lists.
|
sssd_pam, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
/etc/pam.d/system-auth-ac file, which is symlinked to /etc/pam.d/system-auth. Any changes made to /etc/pam.d/system-auth are overwritten the next time that authconfig is run.
/etc/pam.d/system-auth symlink.
[root@server ~]# rm /etc/pam.d/system-auth rm: remove symbolic link `/etc/pam.d/system-auth'? y
/etc/pam.d/system-auth-local file. One easy way to do this is simply to copy the /etc/pam.d/system-auth-ac file.
[root@server ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-local
/etc/pam.d/system-auth-local file and /etc/pam.d/system-auth.
[root@server ~]# ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
/etc/pam.d/system-auth-local file, and add all of the SSSD modules to the PAM configuration:
#%PAM-1.0 ... auth sufficient pam_sss.so use_first_pass auth required pam_deny.so ... account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so ... password sufficient pam_sss.so use_authtok password required pam_deny.so ... session sufficient pam_sss.so session required pam_unix.so
include statements, as necessary.
sssd.conf file.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam[pam] section, change any of the PAM parameters. These are listed in Table 28.2, “SSSD [pam] Configuration Parameters”.
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
service sssd restart
| Parameter | Value Format | Description |
|---|---|---|
| offline_credentials_expiration | integer |
Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0), which is unlimited.
|
| offline_failed_login_attempts | integer |
Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0), which is unlimited.
|
| offline_failed_login_delay | integer |
Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5).
|
jsmith in the ldap.example.com domain and jsmith in the ldap.otherexample.com domain. SSSD allows requests using fully-qualified domain names, so requesting information for jsmith@ldap.example.com returns the the proper user account. Specifying only the username returns the user for whichever domain comes first in the lookup order.
filter_users option, which excludes the specified users from being returned in a search.
| Identification Provider | Authentication Provider |
|---|---|
| LDAP | LDAP |
| LDAP | Kerberos |
| proxy | LDAP |
| proxy | Kerberos |
| proxy | proxy |
domains = LOCAL,Name[domain/Name] id_provider =typeauth_provider =typeprovider_specific = valueglobal = value
| Parameter | Value Format | Description |
|---|---|---|
| id_provider | string |
Specifies the data provider identity backend to use for this domain. The supported identity backends are:
|
| auth_provider | string |
Sets the authentication provider used for the domain. The default value for this option is the value of id_provider. The supported authentication providers are ldap, ipa, krb5 (Kerberos), proxy, and none.
|
| min_id,max_id | integer |
Optional. Specifies the UID and GID range for the domain. If a domain contains entries that are outside that range, they are ignored. The default value for min_id is 1; the default value for max_id is 0, which is unlimited.
Important
The default min_id value is the same for all types of identity provider. If LDAP directories are using UID numbers that start at one, it could cause conflicts with users in the local /etc/passwd file. To avoid these conflicts, set min_id to 1000 or higher as possible.
|
| enumerate | Boolean |
Optional. Specifies whether to list the users and groups of a domain. Enumeration means that the entire set of available users and groups on the remote source is cached on the local machine. When enumeration is disabled, users and groups are only cached as they are requested.
Warning
When enumeration is enabled, reinitializing a client results in a complete refresh of the entire set of available users and groups from the remote source. Similarly, when SSSD is connected to a new server, the entire set of available users and groups from the remote source is pulled and cached on the local machine. In a domain with a large number of clients connected to a remote source, this refresh process can harm the network performance because of frequent queries from the clients. If the set of available users and groups is large enough, it degrades client performance as well.
false, which disables enumeration.
|
| cache_credentials | Boolean |
Optional. Specifies whether to store user credentials in the local SSSD domain database cache. The default value for this parameter is false. Set this value to true for domains other than the LOCAL domain to enable offline authentication.
|
| entry_cache_timeout | integer | Optional. Specifies how long, in seconds, SSSD should cache positive cache hits. A positive cache hit is a successful query. |
| use_fully_qualified_names | Boolean |
Optional. Specifies whether requests to this domain require fully-qualified domain names. If set to true, all requests to this domain must use fully-qualified domain names. It also means that the output from the request displays the fully-qualified name. Restricting requests to fully-qualified user names allows SSSD to differentiate between domains with users with conflicting usernames.
If
use_fully_qualified_names is set to false, it is possible to use the fully-qualified name in the requests, but only the simplified version is displayed in the output.
SSSD can only parse names based on the domain name, not the realm name. The same name can be used for both domains and realms, however.
|
sssd-ldap(5).
| Parameter | Description |
|---|---|
| ldap_uri | Gives a comma-separated list of the URIs of the LDAP servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection. This can be detected from the DNS SRV records if it is not given. |
| ldap_search_base | Gives the base DN to use for performing LDAP user operations. |
| ldap_tls_reqcert |
Specifies how to check for SSL server certificates in a TLS session. There are four options:
|
| ldap_tls_cacert |
Gives the full path and file name to the file that contains the CA certificates for all of the CAs that SSSD recognizes. SSSD will accept any certificate issued by these CAs.
This uses the OpenLDAP system defaults if it is not given explicitly.
|
| ldap_referrals |
Sets whether SSSD will use LDAP referrals, meaning forwarding queries from one LDAP database to another. SSSD supports database-level and subtree referrals. For referrals within the same LDAP server, SSSD will adjust the DN of the entry being queried. For referrals that go to different LDAP servers, SSSD does an exact match on the DN. Setting this value to true enables referrals; by default, referrals are enabled.
|
| ldap_schema |
Sets what version of schema to use when searching for user entries. This can be either rfc2307 or rfc2307bis. The default is rfc2307.
In RFC 2307, group objects use a multi-valued attribute,
memberuid, which lists the names of the users that belong to that group. In RFC 2307bis, group objects use the member attribute, which contains the full distinguished name (DN) of a user or group entry. RFC 2307bis allows nested groups usning the member attribute. Because these different schema use different definitions for group membership, using the wrong LDAP schema with SSSD can affect both viewing and managing network resources, even if the appropriate permissions are in place.
For example, with RFC 2307bis, all groups are returned when using nested groups or primary/secondary groups.
$ id uid=500(myserver) gid=500(myserver) groups=500(myserver),510(myothergroup)
If SSSD is using RFC 2307 schema, only the primary group is returned.
This setting only affects how SSSD determines the group members. It does not change the actual user data.
|
| ldap_search_timeout |
Sets the time, in seconds, that LDAP searches are allowed to run before they are canceled and cached results are returned. This defaults to five when the enumerate value is false and defaults to 30 when enumerate is true.
When an LDAP search times out, SSSD automatically switches to offline mode.
|
| ldap_network_timeout | Sets the time, in seconds, SSSD attempts to poll an LDAP server after a connection attempt fails. The default is six seconds. |
| ldap_opt_timeout | Sets the time, in seconds, to wait before aborting synchronous LDAP operations if no response is received from the server. This option also controls the timeout when communicating with the KDC in case of a SASL bind. The default is five seconds. |
sssd.conf file. For example:
domains = LOCAL,LDAP1,AD,PROXYNIS
ldap_uri option:
# An LDAP domain [domain/LDAP] enumerate = false cache_credentials = TRUE id_provider = ldap auth_provider = ldap ldap_uri = ldaps://ldap.example.com:636 ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls option to use Start TLS and then ldap_tls_cacert to identify the CA certificate which issued the SSL server certificates.
# An LDAP domain [domain/LDAP] enumerate = false cache_credentials = TRUE id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com ldap_id_use_start_tls = True ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
cacertdir_rehash function to create the appropriate symlinks.
sssd-ldap(5).
# Example LDAP domain where the LDAP server is an Active Directory 2003 server. [domain/AD] description = LDAP domain with AD server enumerate = false ; id_provider = ldap auth_provider = ldap ldap_uri = ldap://your.ad.server.com ldap_schema = rfc2307bis ldap_search_base = dc=example,dc=com ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = secret ldap_user_object_class = person ldap_user_name = msSFU30Name ldap_user_uid_number = msSFU30UidNumber ldap_user_gid_number = msSFU30GidNumber ldap_user_home_directory = msSFU30HomeDirectory ldap_user_shell = msSFU30LoginShell ldap_user_principal = userPrincipalName ldap_group_object_class = group ldap_group_name = msSFU30Name ldap_group_gid_number = msSFU30GidNumber
sssd-ldap(5).
# Example LDAP domain where the LDAP server is an Active Directory 2003 R2 or an Active Directory 2008 server. [domain/AD] description = LDAP domain with AD server ; debug_level = 9 enumerate = false id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://your.ad.server.com ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacert = /etc/openldap/cacerts/test.cer ldap_search_base = dc=example,dc=com ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = secret ldap_pwd_policy = none ldap_user_object_class = user ldap_group_object_class = group
ldap_uri option instead of the server name may cause the TLS/SSL connection to fail. TLS/SSL certificates contain the server name, not the IP address. However, the subject alternative name field in the certificate can be used to include the IP address of the server, which allows a successful secure connection using an IP address.
-signkey) is the key of the issuer of whatever CA originally issued the certificate. If this is done by an external CA, it requires a separate PEM file; if the certificate is self-signed, then this is the certificate itself. For example:
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem
openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem
/etc/pki/tls/openssl.cnf configuration file to include the server's IP address under the [ v3_ca ] section:
subjectAltName = IP:10.0.0.10
openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem
-extensions option sets which extensions to use with the certificate. For this, it should be v3_ca to load the appropriate section.
old_cert.pem file into the new_cert.pem file to keep all relevant information in one file.
krb5_kpasswd option to specify where the password changing service is running or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC to change the password.
# A domain with identities provided by LDAP and authentication by Kerberos [domain/KRBDOMAIN] enumerate = false id_provider = ldap chpass_provider = krb5 ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com ldap-tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt auth_provider = krb5 krb5_server = 192.168.1.1, kerberos.example.com krb5_realm = EXAMPLE.COM krb5_kpasswd = kerveros.admin.example.com krb5_auth_timeout = 15
| Parameter | Description |
|---|---|
| chpass_provider | Specifies which service to use for password change operations. This is assumed to be the same as the authentication provider. To use Kerberos, set this to krb5. |
| krb5_server |
Gives a comma-separated list of IP addresses or hostnames of Kerberos servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection.
When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify UDP as the connection protocol, and then falls back to TCP.
|
| krb5_realm | Identies the Kerberos realm served by the KDC. |
| krb5_lifetime | Requests a Kerberos ticket with the specified lifetime in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renewable_lifetime | Requests a renewable Kerberos ticket with a total lifetime that is specified in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renew_interval | Sets the time, in seconds, for SSSD to check if tickets should be renewed. Tickets are renewed automatically once they exceed half their lifetime. If this option is missing or set to zero, then automatic ticket renewal is disabled. |
| krb5_store_password_if_offline |
Sets whether to store user passwords if the Kerberos authentication provider is offline, and then to use that cache to request tickets when the provider is back online. The default is false, which does not store passwords.
|
| krb5_kpasswd | Lists alternate Kerberos kadmin servers to use if the change password service is not running on the KDC. |
| krb5_ccname_template |
Gives the directory to use to store the user's credential cache. This can be templatized, and the following tokens are supported:
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX |
| krb5_ccachedir |
Specifies the directory to store credential caches. This can be templatized, using the same tokens as krb5_ccname_template, except for %d and %P. If %u, %U, %p, or %h are used, then SSSD creates a private directory for each user; otherwise, it creates a public directory.
|
| krb5_auth_timeout | Gives the time, in seconds, before an online authentication or change password request is aborted. If possible, the authentication request is continued offline. The default is 15 seconds. |
| Parameter | Description |
|---|---|
| proxy_pam_target |
Specifies the target to which PAM must proxy as an authentication provider.. The PAM target is a file containing PAM stack information in the default PAM directory, /etc/pam.d/.
This is used to proxy an authentication provider.
Important
Ensure that the proxy PAM stack does not recursively include pam_sss.so.
|
| proxy_lib_name |
Specifies which existing NSS library to proxy identity requests through.
This is used to proxy an identity provider.
|
proxy_lib_name parameter. This library can be anything as long as it is compatible with the given authentication service. For a Kerberos authentication provider, it must be a Kerberos-compatible library, like NIS.
[domain/PROXY_KRB5] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM id_provider = proxy proxy_lib_name = nis enumerate = true cache_credentials = true
proxy_pam_target parameter. This library must be a PAM module that is compatible with the given identity provider. For example, this uses a PAM fingerprint module with LDAP:
[domain/LDAP_PROXY] id_provider = ldap ldap_uri = ldap://example.com ldap_search_base = dc=example,dc=com auth_provider = proxy proxy_pam_target = sssdpamproxy enumerate = true cache_credentials = true
sssdpamproxy, so create a /etc/pam.d/sssdpamproxy file and load the PAM/LDAP modules:
auth required pam_frprint.so account required pam_frprint.so password required pam_frprint.so session required pam_frprint.so
proxy_pam_target for the authentication PAM module and proxy_lib_name for the service, like NIS or LDAP.
[domain/PROXY_PROXY] auth_provider = proxy id_provider = proxy proxy_lib_name = ldap proxy_pam_target = sssdproxyldap enumerate = true cache_credentials = true
/etc/pam.d/sssdproxyldap file which requires the pam_ldap.so module:
auth required pam_ldap.so account required pam_ldap.so password required pam_ldap.so session required pam_ldap.so
/etc/nslcd.conf file, the configuration file for the LDAP name service daemon, to contain the information for the LDAP directory:
uid nslcd gid ldap uri ldaps://ldap.example.com:636 base dc=example,dc=com ssl on tls_cacertdir /etc/openldap/cacerts
simple_allow_users and simple_allow_groups, which grant access explicitly to specific users (either the given users or group members) and deny access to everyone else. It is also possible to create deny lists (which deny access only to explicit people and implicitly allow everyone else access).
[domain/example.com] access_provider = simple simple_allow_users = jsmith,bjensen simple_allow_groups = itgroup
simple as an access provider.
ldap_access_filter) specifies which users are granted access to the specified host. The user filter must be used or all users are denied access.
[domain/example.com] access_provider = ldap ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
authorizedService attribute.
/etc/sssd/sssd.conf file. The servers are listed in order of preference. This list can contain any number of servers.
ldap_uri = ldap://ldap0.example.com, ldap://ldap1.example.com, ldap://ldap2.example.com
ldap://ldap0.example.com, is the primary server. If this server fails, SSSD first attempts to connect to ldap1.example.com and then ldap2.example.com.
_service._protocol._domain TTL priority weight port hostname
/var/lib/sss/db/ directory.
exampleldap, the cache file is named cache_exampleldap.ldb.
resolv.conf file. This file is typically only read once, and so any changes made to this file are not automatically applied. This can cause NFS locking to fail on the machine where the NSCD service is running, unless that service is manually restarted.
/etc/nscd.conf file and rely on the SSSD cache for the passwd, group, and netgroup entries.
/etc/nscd.conf file:
enable-cache hosts yes enable-cache passwd no enable-cache group no enable-cache netgroup no
/var/log/sssd/ directory. SSSD produces a log file for each domain, as well as an sssd_pam.log and an sssd_nss.log file.
/var/log/secure file logs authentication failures and the reason for the failure.
debug_level parameter for each section in the sssd.conf file for which to product extra logs. For example:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
debug_level = 9# sssd -d4 [sssd] [ldb] (3): server_sort:Unable to register control with rootdse! [sssd] [confdb_get_domains] (0): No domains configured, fatal error! [sssd] [get_monitor_config] (0): No domains configured.
/etc/sssd/sssd.conf file and create at least one domain.
[sssd] [get_monitor_config] (0): No services configured!
/etc/sssd/sssd.conf file and configure at least one service provider.
services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
# service sssd status
[nss] section of the /etc/sssd/sssd.conf file. Especially check the filter_users and filter_groups attributes.
/etc/nsswitch.conf file.
use_fully_qualified_domains attribute to TRUE in the /etc/sssd/sssd.conf file. This differentiates between different users in different domains with the same name.
[root@clientF11 tmp]# passwd user1000 Changing password for user user1000. New password: Retype new password: New Password: Reenter new Password: passwd: all authentication tokens updated successfully.
use_authtok option is correctly configured in your /etc/pam.d/system-auth file.
Table of Contents
sysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directoryhalt, poweroff, and reboot.
/etc/inittab specifies that your system is set to shutdown and reboot in response to a Ctrl+Alt+Del key combination used at the console. To completely disable this ability, comment out the following line in /etc/inittab by putting a hash mark (#) in front of it:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
-a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
-a flag tells shutdown to look for the /etc/shutdown.allow file.
shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using Ctrl+Alt+Del . The format of the shutdown.allow file is a list of usernames, one per line, like the following:
stephen jack sophie
shutdown.allow file, the users stephen, jack, and sophie are allowed to shutdown the system from the console using Ctrl+Alt+Del . When that key combination is used, the shutdown -a command in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead.
shutdown.allow, refer to the shutdown man page.
rm -f /etc/security/console.apps/*poweroff, halt, and reboot, which are accessible from the console by default.
rm -f /etc/security/console.apps/poweroffrm -f /etc/security/console.apps/haltrm -f /etc/security/console.apps/reboot
pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
:0 or mymachine.example.com:1.0, or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
/etc/security/console.perms.d/50-default.perms. To edit file and device permissions, it is advisable to create a new default file in /etc/security/console.perms.d/ containing your preferred settings for a specified set of files or devices. The name of the new default file must begin with a number higher than 50 (for example, 51-default.perms) in order to override 50-default.perms.
51-default.perms in /etc/security/console.perms.d/:
touch /etc/security/console.perms.d/51-default.permsperms file, 50-default.perms. The first section defines device classes, with lines similar to the following:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep \
/dev/snd/*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*<cdrom> refers to the CD-ROM drive. To add a new device, do not define it in the default 50-default.perms file; instead, define it in 51-default.perms. For example, to define a scanner, add the following line to 51-default.perms:
<scanner>=/dev/scanner /dev/usb/scanner*
/dev/scanner is really your scanner and not some other device, such as your hard drive.
/etc/security/console.perms.d/50-default.perms defines this, with lines similar to the following:
<console> 0660 <floppy> 0660 root.floppy <console> 0600 <sound> 0640 root <console> 0600 <cdrom> 0600 root.disk
51-default.perms:
<console> 0600 <scanner> 0600 root
/dev/scanner device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root, and still has the permissions 0600 (now readable and writable by root only).
50-default.perms file. To edit permissions for a device already defined in 50-default.perms, add the desired permission definition for that device in 51-default.perms. This will override whatever permissions are defined in 50-default.perms.
/sbin/ or /usr/sbin/, so the application that you wish to run must be there. After verifying that, perform the following steps:
foo program, to the /usr/bin/consolehelper application:
cd /usr/binln -s consolehelper foo
/etc/security/console.apps/foo:
touch /etc/security/console.apps/foofoo service in /etc/pam.d/. An easy way to do this is to copy the PAM configuration file of the halt service, and then modify the copy if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo/usr/bin/foo is executed, consolehelper is called, which authenticates the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper asks for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it does precisely what is specified in /etc/pam.d/foo) and then runs /usr/sbin/foo with root permissions.
pam_timestamp and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.
pam package. To enable this feature, add the following lines to your PAM configuration file in etc/pam.d/:
auth include config-util account include config-util session include config-util
/etc/pam.d/system-config-* configuration files. Note that these lines must be added below any other auth sufficient session optional lines in your PAM configuration file.
pam_timestamp is successfully authenticated from the Applications (the main menu on the panel), the
icon is displayed in the notification area of the panel if you are running the GNOME or KDE desktop environment. After the authentication expires (the default is five minutes), the icon disappears.
floppy Groupfloppy group. Add the user(s) to the floppy group using the tool of your choice. For example, the gpasswd command can be used to add user fred to the floppy group:
gpasswd -a fred floppyfred is able to access the system's diskette drive from the console.
sysconfig Directory/etc/sysconfig/ Directory/etc/sysconfig/amd/etc/sysconfig/apmd/etc/sysconfig/arpwatch/etc/sysconfig/authconfig/etc/sysconfig/autofs/etc/sysconfig/clock/etc/sysconfig/desktop/etc/sysconfig/dhcpd/etc/sysconfig/exim/etc/sysconfig/firstboot/etc/sysconfig/gpm/etc/sysconfig/hwconf/etc/sysconfig/i18n/etc/sysconfig/init/etc/sysconfig/ip6tables-config/etc/sysconfig/iptables-config/etc/sysconfig/irda/etc/sysconfig/keyboard/etc/sysconfig/kudzu/etc/sysconfig/named/etc/sysconfig/network/etc/sysconfig/nfs/etc/sysconfig/ntpd/etc/sysconfig/radvd/etc/sysconfig/samba/etc/sysconfig/selinux/etc/sysconfig/sendmail/etc/sysconfig/spamassassin/etc/sysconfig/squid/etc/sysconfig/system-config-securitylevel/etc/sysconfig/system-config-selinux/etc/sysconfig/system-config-users/etc/sysconfig/system-logviewer/etc/sysconfig/tux/etc/sysconfig/vncservers/etc/sysconfig/xinetd/etc/sysconfig/ Directory/etc/sysconfig/ directory contains a variety of system configuration files for Red Hat Enterprise Linux.
/etc/sysconfig/ directory, their function, and their contents. The information in this chapter is not intended to be complete, as many of these files have a variety of options that are only used in very specific or rare circumstances.
/etc/sysconfig/ Directory/etc/sysconfig/ directory. Files not listed here, as well as extra file options, are found in the /usr/share/doc/initscripts-<version-number>/sysconfig.txt file (replace <version-number> with the version of the initscripts package). Alternatively, looking through the initscripts in the /etc/rc.d/ directory can prove helpful.
/etc/sysconfig/ directory, then the corresponding program may not be installed.
/etc/sysconfig/amd/etc/sysconfig/amd file contains various parameters used by amd; these parameters allow for the automatic mounting and unmounting of file systems.
/etc/sysconfig/apmd/etc/sysconfig/apmd file is used by apmd to configure what power settings to start/stop/change on suspend or resume. This file configures how apmd functions at boot time, depending on whether the hardware supports Advanced Power Management (APM) or whether the user has configured the system to use it. The apm daemon is a monitoring program that works with power management code within the Linux kernel. It is capable of alerting users to low battery power on laptops and other power-related settings.
/etc/sysconfig/arpwatch/etc/sysconfig/arpwatch file is used to pass arguments to the arpwatch daemon at boot time. The arpwatch daemon maintains a table of Ethernet MAC addresses and their IP address pairings. By default, this file sets the owner of the arpwatch process to the user pcap and sends any messages to the root mail queue. For more information regarding available parameters for this file, refer to the arpwatch man page.
/etc/sysconfig/authconfig/etc/sysconfig/authconfig file sets the authorization to be used on the host. It contains one or more of the following lines:
USEMD5=<value>, where <value>yes — MD5 is used for authentication.
no — MD5 is not used for authentication.
USEKERBEROS=<value>, where <value>yes — Kerberos is used for authentication.
no — Kerberos is not used for authentication.
USELDAPAUTH=<value>, where <value>yes — LDAP is used for authentication.
no — LDAP is not used for authentication.
/etc/sysconfig/autofs/etc/sysconfig/autofs file defines custom options for the automatic mounting of devices. This file controls the operation of the automount daemons, which automatically mount file systems when you use them and unmount them after a period of inactivity. File systems can include network file systems, CD-ROMs, diskettes, and other media.
/etc/sysconfig/autofs file may contain the following:
LOCALOPTIONS="<value>", where <value> is a string for defining machine-specific automount rules. The default value is an empty string ("").
DAEMONOPTIONS="<value>", where <value> is the timeout length in seconds before unmounting the device. The default value is 60 seconds ("--timeout=60").
UNDERSCORETODOT=<value>, where <value> is a binary value that controls whether to convert underscores in file names into dots. For example, auto_home to auto.home and auto_mnt to auto.mnt. The default value is 1 (true).
DISABLE_DIRECT=<value>, where <value> is a binary value that controls whether to disable direct mount support, as the Linux implementation does not conform to the Sun Microsystems' automounter behavior. The default value is 1 (true), and allows for compatibility with the Sun automounter options specification syntax.
/etc/sysconfig/clock/etc/sysconfig/clock file controls the interpretation of values read from the system hardware clock.
UTC=<value>, where <value>true or yes — The hardware clock is set to Universal Time.
false or no — The hardware clock is set to local time.
ARC=<value>, where <value>false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
SRM=<value>, where <value>false or no — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
ZONE=<filename> — The time zone file under /usr/share/zoneinfo that /etc/localtime is a copy of. The file contains information such as:
ZONE="America/New York"
ZONE parameter is read by the Time and Date Properties Tool (system-config-date), and manually editing it does not change the system timezone.
CLOCKMODE=<value>, where <value>GMT — The clock is set to Universal Time (Greenwich Mean Time).
ARC — The ARC console's 42-year time offset is in effect (for Alpha-based systems only).
/etc/sysconfig/desktop/etc/sysconfig/desktop file specifies the desktop for new users and the display manager to run when entering runlevel 5.
DESKTOP="<value>", where "<value>" is one of the following:
GNOME — Selects the GNOME desktop environment.
KDE — Selects the KDE desktop environment.
DISPLAYMANAGER="<value>", where "<value>" is one of the following:
GNOME — Selects the GNOME Display Manager.
KDE — Selects the KDE Display Manager.
XDM — Selects the X Display Manager.
/etc/sysconfig/dhcpd/etc/sysconfig/dhcpd file is used to pass arguments to the dhcpd daemon at boot time. The dhcpd daemon implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP and BOOTP assign hostnames to machines on the network. For more information about what parameters are available in this file, refer to the dhcpd man page.
/etc/sysconfig/exim/etc/sysconfig/exim file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for exim to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
DAEMON=<value>, where <value>yes — exim should be configured to listen to port 25 for incoming mail. yes implies the use of the Exim's -bd options.
no — exim should not be configured to listen to port 25 for incoming mail.
QUEUE=1h which is given to exim as -q$QUEUE. The -q option is not given to exim if /etc/sysconfig/exim exists and QUEUE is empty or undefined.
/etc/sysconfig/firstboot/sbin/init program calls the etc/rc.d/init.d/firstboot script, which in turn launches the Setup Agent. This application allows the user to install the latest updates as well as additional applications and documentation.
/etc/sysconfig/firstboot file tells the Setup Agent application not to run on subsequent reboots. To run it the next time the system boots, remove /etc/sysconfig/firstboot and execute chkconfig --level 5 firstboot on.
/etc/sysconfig/gpm/etc/sysconfig/gpm file is used to pass arguments to the gpm daemon at boot time. The gpm daemon is the mouse server which allows mouse acceleration and middle-click pasting. For more information about what parameters are available for this file, refer to the gpm man page. By default, the DEVICE directive is set to /dev/input/mice.
/etc/sysconfig/hwconf/etc/sysconfig/hwconf file lists all the hardware that kudzu detected on the system, as well as the drivers used, vendor ID, and device ID information. The kudzu program detects and configures new and/or changed hardware on a system. The /etc/sysconfig/hwconf file is not meant to be manually edited. If edited, devices could suddenly show up as being added or removed.
/etc/sysconfig/i18n/etc/sysconfig/i18n file sets the default language, any supported languages, and the default system font. For example:
LANG="en_US.UTF-8" SUPPORTED="en_US.UTF-8:en_US:en" SYSFONT="latarcyrheb-sun16"
/etc/sysconfig/init/etc/sysconfig/init file controls how the system appears and functions during the boot process.
BOOTUP=<value>, where <value>color — The standard color boot display, where the success or failure of devices and services starting up is shown in different colors.
verbose — An old style display which provides more information than purely a message of success or failure.
RES_COL=<value>, where <value>MOVE_TO_COL=<value>, where <value>RES_COL line via the echo -en command.
SETCOLOR_SUCCESS=<value>, where <value>echo -en command. The default color is set to green.
SETCOLOR_FAILURE=<value>, where <value>echo -en command. The default color is set to red.
SETCOLOR_WARNING=<value>, where <value>echo -en command. The default color is set to yellow.
SETCOLOR_NORMAL=<value>, where <value>echo -en.
LOGLEVEL=<value>, where <value>syslo