Deployment Guide


Red Hat Enterprise Linux 6

Deployment, Configuration and Administration of Red Hat Enterprise Linux 6

Marie Doleželová

Red Hat Customer Content Services

Mirek Jahoda

Red Hat Customer Content Services

Maxim Svistunov

Red Hat Customer Content Services

Stephen Wadeley

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Robert Krátký

Red Hat Customer Content Services

Jana Heves

Red Hat Customer Content Services

Jaromír Hradílek

Red Hat Customer Content Services

Douglas Silas

Red Hat Customer Content Services

Barbora Ančincová

Red Hat Customer Content Services

Petr Kovář

Red Hat Customer Content Services

Jiří Herrmann

Red Hat Customer Content Services

Peter Ondrejka

Red Hat Customer Content Services

Petr Bokoč

Red Hat Customer Content Services

Martin Prpič

Red Hat Product Security

Eva Majoršinová

Red Hat Customer Content Services

Eva Kopalová

Red Hat Customer Content Services

Miroslav Svoboda

Red Hat Customer Content Services

Milan Navrátil

Red Hat Customer Content Services

Ella Deon Lackey

Red Hat Customer Content Services

Florian Nadge

Red Hat Customer Content Services

John Ha

Red Hat Customer Content Services

David O'Brien

Red Hat Customer Content Services

Michael Hideo

Red Hat Customer Content Services

Don Domingo

Red Hat Customer Content Services

Abstract

The Deployment Guide documents relevant information regarding the deployment, configuration and administration of Red Hat Enterprise Linux 6. It is oriented towards system administrators with a basic understanding of the system.

Part I. Basic System Configuration

This part covers basic system administration tasks such as keyboard configuration, date and time configuration, managing users and groups, and gaining privileges.

Chapter 1. Keyboard Configuration

This chapter describes how to change the keyboard layout, as well as how to add the Keyboard Indicator applet to the panel. It also covers the option to enforce a typing break, and explains both advantages and disadvantages of doing so.

1.1. Changing the Keyboard Layout

The installation program has allowed you to configure a keyboard layout for your system. However, the default settings may not always suit your current needs. To configure a different keyboard layout after the installation, use the Keyboard Preferences tool.
To open Keyboard Layout Preferences, select SystemPreferencesKeyboard from the panel, and click the Layouts tab.
Keyboard Layout Preferences

Figure 1.1. Keyboard Layout Preferences

You will be presented with a list of available layouts. To add a new one, click the Add button below the list, and you will be prompted to choose which layout you want to add.
Choosing a layout

Figure 1.2. Choosing a layout

Currently, there are two ways how to choose the keyboard layout: you can either find it by the country it is associated with (the By country tab), or you can select it by language (the By language tab). In either case, first select the desired country or language from the Country or Language pulldown menu, then specify the variant from the Variants menu. The preview of the layout changes immediately. To confirm the selection, click Add.
Selecting the default layout

Figure 1.3. Selecting the default layout

The layout should appear in the list. To make it the default, select the radio button next to its name. The changes take effect immediately. Note that there is a text-entry field at the bottom of the window where you can safely test your settings. Once you are satisfied, click Close to close the window.
Testing the layout

Figure 1.4. Testing the layout

Note

By default, changing the keyboard layout affects the active window only. This means that if you change the layout and switch to another window, this window will use the old one, which might be confusing. To turn this behavior off, clear the Separate layout for each window check box.
Doing this has its drawbacks though, as you will no longer be able to choose the default layout by selecting the radio button as shown in Figure 1.3, “Selecting the default layout”. To make the layout the default, drag it to the beginning of the list.

1.2. Adding the Keyboard Layout Indicator

If you want to see what keyboard layout you are currently using, or you would like to switch between different layouts with a single mouse click, add the Keyboard Indicator applet to the panel. To do so, right-click the empty space on the main panel, and select the Add to Panel option from the pulldown menu.
Adding a new applet

Figure 1.5. Adding a new applet

You will be presented with a list of available applets. Scroll through the list (or start typing keyboard into the search field at the top of the window), select Keyboard Indicator, and click the Add button.
Selecting the Keyboard Indicator

Figure 1.6. Selecting the Keyboard Indicator

The applet appears immediately, displaying the shortened name of the country the current layout is associated with. To display the actual variant, hover the pointer over the applet icon.
The Keyboard Indicator applet

Figure 1.7. The Keyboard Indicator applet

1.3. Setting Up a Typing Break

Typing for a long period of time can be not only tiring, but it can also increase the risk of serious health problems, such as carpal tunnel syndrome. One way of preventing this is to configure the system to enforce typing breaks. To do so, select SystemPreferencesKeyboard from the panel, click the Typing Break tab, and select the Lock screen to enforce typing break check box.
Typing Break Properties

Figure 1.8. Typing Break Properties

To increase or decrease the allowed typing time before the break is enforced, click the up or down button next to the Work interval lasts label respectively. You can do the same with the Break interval lasts setting to alter the length of the break itself. Finally, select the Allow postponing of breaks check box if you want to be able to delay the break in case you need to finish the work. The changes take effect immediately.
Taking a break

Figure 1.9. Taking a break

Next time you reach the time limit, you will be presented with a screen advising you to take a break, and a clock displaying the remaining time. If you have enabled it, the Postpone Break button will be located at the bottom right corner of the screen.

Chapter 2. Date and Time Configuration

This chapter covers setting the system date and time in Red Hat Enterprise Linux, both manually and using the Network Time Protocol (NTP), as well as setting the adequate time zone. Two methods are covered: setting the date and time using the Date/Time Properties tool, and doing so on the command line.

2.1. Date/Time Properties Tool

The Date/Time Properties tool allows the user to change the system date and time, to configure the time zone used by the system, and to set up the Network Time Protocol daemon to synchronize the system clock with a time server. Note that to use this application, you must be running the X Window System (see Appendix C, The X Window System for more information on this topic).
To start the tool, select SystemAdministrationDate & Time from the panel, or type the system-config-date command at a shell prompt (e.g., xterm or GNOME Terminal). Unless you are already authenticated, you will be prompted to enter the superuser password.
Authentication Query

Figure 2.1. Authentication Query

2.1.1. Date and Time Properties

As shown in Figure 2.2, “Date and Time Properties”, the Date/Time Properties tool is divided into two separate tabs. The tab containing the configuration of the current date and time is shown by default.
Date and Time Properties

Figure 2.2. Date and Time Properties

To set up your system manually, follow these steps:
  1. Change the current date. Use the arrows to the left and right of the month and year to change the month and year respectively. Then click inside the calendar to select the day of the month.
  2. Change the current time. Use the up and down arrow buttons beside the Hour, Minute, and Second, or replace the values directly.
Click the OK button to apply the changes and exit the application.

2.1.2. Network Time Protocol Properties

If you prefer an automatic setup, select the check box labeled Synchronize date and time over the network instead. This will display the list of available NTP servers as shown in Figure 2.3, “Network Time Protocol Properties”.
Network Time Protocol Properties

Figure 2.3. Network Time Protocol Properties

Here you can choose one of the predefined servers, edit a predefined server by clicking the Edit button, or add a new server name by clicking Add. In the Advanced Options, you can also select whether you want to speed up the initial synchronization of the system clock, or if you want to use a local time source.

Note

Your system does not start synchronizing with the NTP server until you click the OK button at the bottom of the window to confirm your changes.
Click the OK button to apply any changes made to the date and time settings and exit the application.

2.1.3. Time Zone Properties

To configure the system time zone, click the Time Zone tab as shown in Figure 2.4, “Time Zone Properties”.
Time Zone Properties

Figure 2.4. Time Zone Properties

There are two common approaches to the time zone selection:
  1. Using the interactive map. Click “zoom in” and “zoom out” buttons next to the map, or click on the map itself to zoom into the selected region. Then choose the city specific to your time zone. A red X appears and the time zone selection changes in the list below the map.
  2. Use the list below the map. To make the selection easier, cities and countries are grouped within their specific continents. Note that non-geographic time zones have also been added to address needs in the scientific community.
If your system clock is set to use UTC, select the System clock uses UTC option. UTC stands for the Universal Time, Coordinated, also known as Greenwich Mean Time (GMT). Other time zones are determined by adding or subtracting from the UTC time.
Click OK to apply the changes and exit the program.

2.2. Command Line Configuration

In case your system does not have the Date/Time Properties tool installed, or the X Window Server is not running, you will have to change the system date and time on the command line. Note that in order to perform actions described in this section, you have to be logged in as a superuser:
~]$ su -
Password:

2.2.1. Date and Time Setup

The date command allows the superuser to set the system date and time manually:
  1. Change the current date. Type the command in the following form at a shell prompt, replacing the YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month:
    ~]# date +%D -s YYYY-MM-DD
    For example, to set the date to 2 June 2010, type:
    ~]# date +%D -s 2010-06-02
  2. Change the current time. Use the following command, where HH stands for an hour, MM is a minute, and SS is a second, all typed in a two-digit form:
    ~]# date +%T -s HH:MM:SS
    If your system clock is set to use UTC (Coordinated Universal Time), add the following option:
    ~]# date +%T -s HH:MM:SS -u
    For instance, to set the system clock to 11:26 PM using the UTC, type:
    ~]# date +%T -s 23:26:00 -u
You can check your current settings by typing date without any additional argument:

Example 2.1. Displaying the current date and time

~]$ date
Wed Jun  2 11:58:48 CEST 2010

2.2.2. Network Time Protocol Setup

As opposed to the manual setup described above, you can also synchronize the system clock with a remote server over the Network Time Protocol (NTP). For the one-time synchronization only, use the ntpdate command:
  1. Firstly, check whether the selected NTP server is accessible:
    ~]# ntpdate -q server_address
    For example:
    ~]# ntpdate -q 0.rhel.pool.ntp.org
  2. When you find a satisfactory server, run the ntpdate command followed by one or more server addresses:
    ~]# ntpdate server_address...
    For instance:
    ~]# ntpdate 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org
    Unless an error message is displayed, the system time should now be set. You can check the current by setting typing date without any additional arguments as shown in Section 2.2.1, “Date and Time Setup”.
  3. In most cases, these steps are sufficient. Only if you really need one or more system services to always use the correct time, enable running the ntpdate at boot time:
    ~]# chkconfig ntpdate on
    For more information about system services and their setup, see Chapter 12, Services and Daemons.

    Note

    If the synchronization with the time server at boot time keeps failing, i.e., you find a relevant error message in the /var/log/boot.log system log, try to add the following line to /etc/sysconfig/network:
    NETWORKWAIT=1
However, the more convenient way is to set the ntpd daemon to synchronize the time at boot time automatically:
  1. Open the NTP configuration file /etc/ntp.conf in a text editor such as vi or nano, or create a new one if it does not already exist:
    ~]# nano /etc/ntp.conf
  2. Now add or edit the list of public NTP servers. If you are using Red Hat Enterprise Linux 6, the file should already contain the following lines, but feel free to change or expand these according to your needs:
    server 0.rhel.pool.ntp.org iburst
    server 1.rhel.pool.ntp.org iburst
    server 2.rhel.pool.ntp.org iburst
    server 3.rhel.pool.ntp.org iburst
    
    The iburst directive at the end of each line is to speed up the initial synchronization. As of Red Hat Enterprise Linux 6.5 it is added by default. If upgrading from a previous minor release, and your /etc/ntp.conf file has been modified, then the upgrade to Red Hat Enterprise Linux 6.5 will create a new file /etc/ntp.conf.rpmnew and will not alter the existing /etc/ntp.conf file.
  3. Once you have the list of servers complete, in the same file, set the proper permissions, giving the unrestricted access to localhost only:
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict -6 ::1
  4. Save all changes, exit the editor, and restart the NTP daemon:
    ~]# service ntpd restart
  5. Make sure that ntpd is started at boot time:
    ~]# chkconfig ntpd on

Chapter 3. Managing Users and Groups

3.1. What Users and Groups Are

The control of users and groups is a core element of Red Hat Enterprise Linux system administration. The user of the system is either a human being or an account used by specific applications identified by a unique numerical identification number called user ID (UID). Users within a group can have read permissions, write permissions, execute permissions or any combination of read/write/execute permissions for files owned by that group.
Red Hat Enterprise Linux supports access control lists (ACLs) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about this feature, see the Access Control Lists chapter of the Red Hat Enterprise Linux 6 Storage Administration Guide.
A group is an organization unit tying users together for a common purpose, which can be reading permissions, writing permission, or executing permission for files owned by that group. Similar to UID, each group is associated with a group ID (GID).

Note

Red Hat Enterprise Linux reserves user and group IDs below 500 for system users and groups. By default, the User Manager does not display the system users. Reserved user and group IDs are documented in the setup package. To view the documentation, use this command:
cat /usr/share/doc/setup-2.8.14/uidgid
The recommended practice is to assign non-reserved IDs starting at 5,000, as the reserved range can increase in the future. To make the IDs assigned to new users by default start at 5,000, change the UID_MIN and GID_MIN directives in the /etc/login.defs file:
[file contents truncated]
UID_MIN                  5000
[file contents truncated]
GID_MIN                  5000
[file contents truncated]
Even with new user and group IDs beginning with 5,000, it is recommended not to raise IDs reserved by system above 500 to avoid conflict with systems that retain the 500 limit.
Each user is a member of exactly one primary group and zero or more supplementary groups. By default, when a file is created, the file's owner is its creator and the file's group is the creator's primary group. A user can temporarily change what group is their primary group with the newgrp command, after which all newly created files are owned by the new group. A supplementary group serves to grant a certain set of users, its members, access to a certain set of files, those owned by this group.
The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by root, and access permissions can be changed by both the root user and file owner.
By default, a file or directory can be modified only by its creator. The setting that determines what permissions are applied to a newly created file or directory is called a umask and can be configured in the /etc/bashrc file for all users, or in ~/.bashrc for each user individually . The configuration in ~/.bashrc overrides the configuration in /etc/bashrc. Additionally, the umask command overrides the default permissions for the duration of the shell session.
To authenticate, a user enters their password. A hash sum is generated from the entered string and compared to the hash sum of the user's password. If the hash sums match, the user authenticates successfully.
Hash sums of user passwords are stored in the /etc/shadow file, which is only readable by the root user. The file also stores information about password aging and policies for specific accounts. The default values for a newly created account are stored in the /etc/login.defs and /etc/default/useradd files. The Red Hat Enterprise Linux 6 Security Guide provides more security-related information about users and groups.

3.2. Managing Users via the User Manager Application

The User Manager application allows you to view, modify, add, and delete local users and groups in the graphical user interface.

To start the User Manager application:

  • From the toolbar, select SystemAdministrationUsers and Groups.
  • Or, type system-config-users at the shell prompt.

Note

Unless you have superuser privileges, the application will prompt you to authenticate as root.

3.2.1. Viewing Users

In order to display the main window of the User Manager to view users, from the toolbar of User Manager select EditPreferences. If you want to view all the users, that is including system users, clear the Hide system users and groups check box.
The Users tab provides a list of local users along with additional information about their user ID, primary group, home directory, login shell, and full name.
Viewing Users

Figure 3.1. Viewing Users

To find a specific user, type the first few letters of the name in the Search filter field and either press Enter, or click the Apply filter button. You can also sort the items according to any of the available columns by clicking the column header.

3.2.2. Adding a New User

If there is a new user you need to add to the system, follow this procedure:
  1. Click the Add User button.
  2. Enter the user name and full name in the appropriate fields
  3. Type the user's password in the Password and Confirm Password fields. The password must be at least six characters long.

    Note

    For safety reasons, choose a long password not based on a dictionary term; use a combination of letters, numbers, and special characters.
  4. Select a login shell for the user from the Login Shell drop-down list or accept the default value of /bin/bash.
  5. Clear the Create home directory check box if you choose not to create the home directory for a new user in /home/username/.
    You can also change this home directory by editing the content of the Home Directory text box. Note that when the home directory is created, default configuration files are copied into it from the /etc/skel/ directory.
  6. Clear the Create a private group for the user check box if you do not want a unique group with the same name as the user to be created. User private group (UPG) is a group assigned to a user account to which that user exclusively belongs, which is used for managing file permissions for individual users.
  7. Specify a user ID for the user by selecting Specify user ID manually. If the option is not selected, the next available user ID above 500 is assigned to the new user.
  8. Click the OK button to complete the process.
Look at the sample Add New User dialog box configuration:
To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user.

3.2.3. Modifying User Properties

  1. Select the user from the user list by clicking once on the user name.
  2. Click Properties from the toolbar or choose FileProperties from the drop-down menu.
    User Properties

    Figure 3.2. User Properties

  3. There are four tabs you can update to your preferences. When you have finished, click the OK button to save your changes.

3.3. Managing Groups via the User Manager Application

3.3.1. Viewing Groups

In order to display the main window of User Manager to view groups, from the toolbar select EditPreferences. If you want to view all the groups, clear the Hide system users and groups check box.
The Groups tab provides a list of local groups with information about their group ID and group members as you can see in the picture below.
Viewing Groups

Figure 3.3. Viewing Groups

To find a specific group, type the first few letters of the name in the Search filter field and either press Enter, or click the Apply filter button. You can also sort the items according to any of the available columns by clicking the column header.

3.3.2. Adding a New Group

If there is a new group you need to add to the system, follow this procedure:
  1. Select Add Group from the User Manager toolbar:
    New Group

    Figure 3.4. New Group

  2. Type the name of the new group.
  3. Specify the group ID (GID) for the new group by checking the Specify group ID manually check box.
  4. Select the GID. Note that Red Hat Enterprise Linux also reserves group IDs lower than 500 for system groups.
  5. Click OK to create the group. The new group appears in the group list.

3.3.3. Modifying Group Properties

  1. Select the group from the group list by clicking on its name.
  2. Click Properties from the toolbar or choose FileProperties from the drop-down menu.
    Group Properties

    Figure 3.5. Group Properties

  3. The Group Users tab displays the list of group members. Use this tab to add or remove users from the group. Click OK to save your changes.

3.4. Managing Users via Command-Line Tools

When managing users via command line, the following commands are used: useradd, usermod, userdel, or passwd. The files affected include /etc/passwd which stores user accounts information and /etc/shadow, which stores secure user account information.

3.4.1. Creating Users

The useradd utility creates new users and adds them to the system. Following the short procedure below, you will create a default user account with its UID, automatically create a home directory where default user settings will be stored, /home/username/, and set the default shell to /bin/bash.
  1. Run the following command at a shell prompt as root substituting username with the name of your choice:
    useradd username
  2. By setting a password unlock the account to make it accessible. Type the password twice when the program prompts you to.
    passwd

Example 3.1. Creating a User with Default Settings

~]# useradd robert
~]# passwd robert
Changing password for user robert
New password: 
Re-type new password:
passwd: all authentication tokens updated successfully.
Running the useradd robert command creates an account named robert. If you run cat /etc/passwd to view the content of the /etc/passwd file, you can learn more about the new user from the line displayed to you:
robert:x:502:502::/home/robert:/bin/bash
robert has been assigned a UID of 502, which reflects the rule that the default UID values from 0 to 499 are typically reserved for system accounts. GID, group ID of User Private Group, equals to UID. The home directory is set to /home/robert and login shell to /bin/bash. The letter x signals that shadow passwords are used and that the hashed password is stored in /etc/shadow.
If you want to change the basic default setup for the user while creating the account, you can choose from a list of command-line options modifying the behavior of useradd (see the useradd(8) man page for the whole list of options). As you can see from the basic syntax of the command, you can add one or more options:
useradd [option(s)] username
As a system administrator, you can use the -c option to specify, for example, the full name of the user when creating them. Use -c followed by a string, which adds a comment to the user:
useradd -c "string" username

Example 3.2. Specifying a User's Full Name when Creating a User

~]# useradd -c "Robert Smith" robert
~]# cat /etc/passwd
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
A user account has been created with user name robert, sometimes called the login name, and full name Robert Smith.
If you do not want to create the default /home/username/ directory for the user account, set a different one instead of it. Execute the command below:
useradd -d home_directory

Example 3.3. Adding a User with non-default Home Directory

~]# useradd -d /home/dir_1 robert
robert's home directory is now not the default /home/robert but /home/dir_1/.
If you do not want to create the home directory for the user at all, you can do so by running useradd with the -M option. However, when such a user logs into a system that has just booted and their home directory does not exist, their login directory will be the root directory. If such a user logs into a system using the su command, their login directory will be the current directory of the previous user.
useradd -M username
If you need to copy a directory content to the /home directory while creating a new user, make use of the -m and -k options together followed by the path.

Example 3.4. Creating a User while Copying Contents to the Home Directory

The following command copies the contents of a directory named /dir_1 to /home/jane, which is the default home directory of a new user jane:
~]# useradd -m -k /dir_1 jane
As a system administrator, you may need to create a temporary account. Using the useradd command, this means creating an account for a certain amount of time only and disabling it at a certain date. This is a particularly useful setting as there is no security risk resulting from forgetting to delete a certain account. For this, the -e option is used with the specified expire_date in the YYYY-MM-DD format.

Note

Do not confuse account expiration and password expiration. Account expiration is a particular date, after which it is impossible to log in to the account in any way, as the account no longer exists. Password expiration, the maximum password age and date of password creation or last password change, is the date, when it is not possible to log in using the password (but other ways exist, such as logging in using an SSH key).
useradd -e YYYY-MM-DD username

Example 3.5. Setting the Account Expiration Date

~]# useradd -e 2015-11-05 emily
The account emily will be created now and automatically disabled on 5 November, 2015.
User's login shell defaults to /bin/bash, but can be changed by the -s option to any other shell different from bash, ksh, csh, tsh, for example.
useradd -s login_shell username

Example 3.6. Adding a User with Non-default Shell

~]# useradd -s /bin/ksh robert
This command creates the user robert which has the /bin/ksh shell.
The -r option creates a system account, which is an account for administrative use that has some, but not all, root privileges. Such accounts have a UID lower than the value of UID_MIN defined in /etc/login.defs, typically 500 and above for ordinary users.
useradd -r username

3.4.2. Attaching New Users to Groups

The useradd command creates a User Private Group (UPG, a group assigned to a user account to which that user exclusively belongs) whenever a new user is added to the system and names the group after the user. For example, when the account robert is created, an UPG named robert is created at the same time, the only member of which is the user robert.
If you do not want to create a User Private Group for a user for whatever reason, execute the useradd command with the following option:
useradd -N username
Instead of automatically creating UPG or not creating it at all, you can specify the user's group membership with -g and -G options. While the -g option specifies the primary group membership, -G refers to supplementary groups into which the user is also included. The group names you specify must already exist on the system.

Example 3.7. Adding a User to a Group

~]# useradd -g "friends" -G "family,schoolmates" emily
The useradd -g "friends" -G "family,schoolmates" emily command creates the user emily but emily's primary group is set to friends as specified by the -g option. emily is also a group member of the supplementary groups family and schoolmates.
Provided the user already exists and you want to add them to certain supplementary group(s), use the usermod command with the -G option and a list of groups divided by commas, no spaces:
usermod -G group_1,group_2,group_3

3.4.3. Updating Users' Authentication

When running the basic useradd username command, the password is automatically set to never expire (see the /etc/shadow file).
If you want to change this, use passwd, the standard utility for administering the /etc/passwd file. The syntax of the passwd command look as follows:
passwd option(s) username
You can, for example, lock the specified account. The locking is performed by rendering the encrypted password into an invalid string by prefixing the encrypted string with an the exclamation mark (!). If you later find a reason to unlock the account, passwd has a reverse operation for locking. Only root can carry out these two operations.
passwd -l username
passwd -u username

Example 3.8. Unlocking a User Password

~]# passwd -l robert
Locking password for user robert.
passwd: Success
~]# passwd -u robert
passwd: Warning: unlocked password would be empty
passwd: Unsafe operation (use -f to force)
At first, the -l option locks robert's account password successfully. However, running the passwd -u command does not unlock the password because by default passwd refuses to create a passwordless account.
If you want a password for an account to expire, run passwd with the -e option. The user will be forced to change the password during the next login attempt:
passwd -e username
As far as the password lifetime is concerned, setting the minimum time between password changes is useful for forcing the user to really change the password. The system administrator can set the minimum (the -n option) and the maximum (the -x option) lifetimes. To inform the user about their password expiration, use the -w option. All these options must be accompanied with the number of days and can be run as root only.

Example 3.9. Adjusting Aging Data for User Passwords

~]# passwd -n 10 -x 60 -w 3 jane
The above command has set the minimum password lifetime to 10 days, the maximum password lifetime to 60, and the number of days jane will begin receiving warnings in advance that her password will expire to 3 day.
Later, when you cannot remember the password setting, make use of the -S option which outputs a short information for you to know the status of the password for a given account:
~]# passwd -S jane
jane LK 2014-07-22 10 60 3 -1 (Password locked.)
You can also set the number of days after a password expires with the useradd command, which disables the account permanently. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature, that is, the user will have to change his password when the password expires. The -f option is used to specify the number of days after a password expires until the account is disabled (but may be unblocked by system administrator):
useradd -f number-of-days username
For more information on the passwd command see the passwd(1) man page.

3.4.4. Modifying User Settings

When a user already exists and you need to specify any of the options now, use the usermod command. The logic of using usermod is identical to useradd as well as its syntax:
usermod option(s) username
If you need to change the user's user name, use the -l option with the new user name (or login).

Example 3.10. Changing User's Login

~]# usermod -l "emily-smith" emily
The -l option changes the name of the user from the login emily to the new login, emily-smith. Nothing else is changed. In particular, emily's home directory name (/home/emily) remains the same unless it is changed manually to reflect the new user name.
In a similar way you can change the user's UID or user's home directory. See the example below:

Note

Find all files owned by the specified UID in system and change their owner. Do the same for Access Control List (ACL) referring to the UID. It is recommended to check there are no running processes as they keep running with the old UID.

Example 3.11. Changing User's UID and Home Directory

~]# usermod -a -u 699 -d /home/dir_2 robert
The command with -a -u and -d options changes the settings of user robert. Now, his ID is 699 instead of 501, and his home directory is no longer /home/robert but /home/dir_2.
With the usermod command you can also move the content of the user's home directory to a new location, or lock the account by locking its password.

Example 3.12. Changing User's

~]# usermod -m -d /home/jane -L jane
In this sample command, the -m and -d options used together move the content of jane's home directory to the /home/dir_3 directory. The -L option locks the access to jane's account by locking its password.
For the whole list of options to be used with the usermod command, see the usermod(8) man page or run usermod --help on the command line.

3.4.5. Deleting Users

If you want to remove a user account from the system, use the userdel command on the command line as root.
userdel username
Combining userdel with the -r option removes files in the user's home directory along with the home directory itself and the user's mail spool. Files located in other file systems have to be searched for and deleted manually.
userdel -r username

Note

The -r option is relatively safer, and thus recommended, compared to -f which forces the removal of the user account even if the user is still logged in.

3.4.6. Displaying Comprehensive User Information

When administering users and groups on your system, you need a good tool to monitor their configuration and activity on the system. Red Hat Enterprise Linux 6 provides you with the lslogins command-line utility, which gives you a comprehensive overview of users and groups, not only regarding user or group account configuration but also their activity on the system.
The general syntax of lslogins is the following:
lslogins [OPTIONS]
where OPTIONS can be one or more available options and their related parameters. See the lslogins(1) manual page or the output of the lslogins --help command for the complete list of available options and their usage.
The lslogins utility gives versatile information in a variety of formats based on the chosen options. The following examples introduce the most basic as well as some of the most useful combinations.
Running the lslogins command without any options shows default information about all system and user accounts on the system. Specifically, their UID, user name, and GECOS information, as well as information about the user's last login to the system, and whether their password is locked or login by password disabled.

Example 3.13. Displaying basic information about all accounts on the system

~]# lslogins
  UID USER          PWD-LOCK PWD-DENY  LAST-LOGIN GECOS
    0 root                 0        0             root
    1 bin                  0        1             bin
    2 daemon               0        1             daemon
    3 adm                  0        1             adm
    4 lp                   0        1             lp
    5 sync                 0        1             sync
    6 shutdown             0        1 Jul21/16:20 shutdown
    7 halt                 0        1             halt
    8 mail                 0        1             mail
   10 uucp                 0        1             uucp
   11 operator             0        1             operator
   12 games                0        1             games
   13 gopher               0        1             gopher
   14 ftp                  0        1             FTP User
   29 rpcuser              0        1             RPC Service User
   32 rpc                  0        1             Rpcbind Daemon
   38 ntp                  0        1             
   42 gdm                  0        1             
   48 apache               0        1             Apache
   68 haldaemon            0        1             HAL daemon
   69 vcsa                 0        1             virtual console memory owner
   72 tcpdump              0        1             
   74 sshd                 0        1             Privilege-separated SSH
   81 dbus                 0        1             System message bus
   89 postfix              0        1             
   99 nobody               0        1             Nobody
  113 usbmuxd              0        1             usbmuxd user
  170 avahi-autoipd        0        1             Avahi IPv4LL Stack
  173 abrt                 0        1             
  497 pulse                0        1             PulseAudio System Daemon
  498 saslauth             0        1             Saslauthd user
  499 rtkit                0        1             RealtimeKit
  500 jsmith               0        0    10:56:12 John Smith
  501 jdoe                 0        0    12:13:53 John Doe
  502 esmith               0        0    12:59:05 Emily Smith
  503 jeyre                0        0    12:22:14 Jane Eyre
65534 nfsnobody            0        1             Anonymous NFS User
To display detailed information about a single user, run the lslogins LOGIN command, where LOGIN is either a UID or a user name. The following example displays detailed information about John Doe's account and his activity on the system:

Example 3.14. Displaying detailed information about a single account

~]# lslogins jdoe
Username:                           jdoe                                
UID:                                501                                 
Gecos field:                        John Doe                            
Home directory:                     /home/jdoe                          
Shell:                              /bin/bash                           
No login:                           no                                  
Password is locked:                 no                                  
Password no required:               no                                  
Login by password disabled:         no                                  
Primary group:                      jdoe                                
GID:                                501                                 
Supplementary groups:               users                               
Supplementary group IDs:            100                                 
Last login:                         12:13:53                            
Last terminal:                      pts/3                               
Last hostname:                      192.168.100.1                       
Hushed:                             no                                  
Password expiration warn interval:  7                                   
Password changed:                   Aug01/02:00                            
Maximal change time:                99999                               
Password expiration:                Sep01/02:00                         
Selinux context:                    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
If you use the --logins=LOGIN option, you can display information about a group of accounts that are specified as a list of UIDs or user names. Specifying the --output=COLUMNS option, where COLUMNS is a list of available output parameters, you can customize the output of the lslogins command. For example, the following command shows login activity of the users root, jsmith, jdoe, and esmith:

Example 3.15. Displaying specific information about a group of users

~]# lslogins --logins=0,500,jdoe,esmith \
> --output=UID,USER,LAST-LOGIN,LAST-TTY,FAILED-LOGIN,FAILED-TTY
UID USER   LAST-LOGIN LAST-TTY FAILED-LOGIN FAILED-TTY
  0 root                                    
500 jsmith   10:56:12 pts/2                 
501 jdoe     12:13:53 pts/3                 
502 esmith   15:46:16 pts/3    15:46:09     ssh:notty
The lslogins utility also distinguishes between system and user accounts. To address system accounts in your query, use the --system-accs option. To address user accounts, use the --user-accs. For example, the following command displays information about supplementary groups and password expirations for all user accounts:

Example 3.16. Displaying information about supplementary groups and password expiration for all user accounts

~]# lslogins --user-accs --supp-groups --acc-expiration
  UID USER        GID GROUP     SUPP-GIDS SUPP-GROUPS PWD-WARN PWD-MIN PWD-MAX PWD-CHANGE
PWD-EXPIR
    0 root          0 root                                   7           99999 Jul21/02:00
  500 jsmith      500 jsmith    1000,100  staff,users        7           99999 Jul21/02:00
  501 jdoe        501 jdoe      100       users              7           99999 Aug01/02:00
Sep01/02:00
  502 esmith      502 esmith    100       users              7           99999 Aug01/02:00
  503 jeyre       503 jeyre     1000,100  staff,users        7           99999 Jul28/02:00
Sep01/02:00
65534 nfsnobody 65534 nfsnobody                                                Jul21/02:00
The ability to format the output of lslogins commands according to the user's needs makes lslogins an ideal tool to use in scripts and for automatic processing. For example, the following command returns a single string that represents the time and date of the last login. This string can be passed as input to another utility for further processing.

Example 3.17. Displaying a single piece of information without the heading

~]# lslogins --logins=jsmith --output=LAST-LOGIN --time-format=iso | tail -1
2014-08-06T10:56:12+0200

3.5. Managing Groups via Command-Line Tools

Groups are a useful tool for permitting co-operation between different users. There is a set of commands for operating with groups such as groupadd, groupmod, groupdel, or gpasswd. The files affected include /etc/group which stores group account information and /etc/gshadow, which stores secure group account information.

3.5.1. Creating Groups

To add a new group to the system with default settings, the groupadd command is run at the shell prompt as root.
groupadd group_name

Example 3.18. Creating a Group with Default Settings

~]# groupadd friends
The groupadd command creates a new group called friends. You can read more information about the group from the newly-created line in the /etc/group file:
classmates:x:30005:
Automatically, the group friends is attached with a unique GID (group ID) of 30005 and is not attached with any users. Optionally, you can set a password for a group by running gpasswd groupname.
Alternatively, you can add command options with specific settings.
groupadd option(s) groupname
If you, for example, want to specify the numerical value of the group's ID (GID) when creating the group, run the groupadd command with the -g option. Remember that this value must be unique (unless the -o option is used) and the value must be non-negative.
groupadd -g GID

Example 3.19. Creating a Group with Specified GID

The command below creates a group named schoolmates and sets GID of 60002 for it:
~]# groupadd -g 60002 schoolmates
When used with -g and GID already exists, groupadd refuses to create another group with existing GID. As a workaround, use the -f option, with which groupadd creates a group, but with a different GID.
groupadd -f GID
You may also create a system group by attaching the -r option to the groupadd command. System groups are used for system purposes, which practically means that GID is allocated from 1 to 499 within the reserved range of 999.
groupadd -r group_name
For more information on groupadd, see the groupadd(8) man pages.

3.5.2. Attaching Users to Groups

If you want to add an existing user to the named group, you can make use of the gpasswd command.
gpasswd -a username which_group_to_edit
To remove a user from the named group, run:
gpasswd -d username which_group_to_edit
To set the list of group members, write the user names after the --members option dividing them with commas and no spaces:
gpasswd --members username_1,username_2 which_group_to_edit

3.5.3. Updating Group Authentication

The gpasswd command administers /etc/group and /etc/gshadow files. Note that this command works only if run by a group administrator.
Who is a group administrator? A group administrator can add and delete users as well as set, change, or remove the group password. A group can have more than one group administrator. The root user can add group administrators with the gpasswd -A users groupname where users is a comma-separated list of existing users you want to be group administrators (without any spaces between commas).
For changing a group's password, run the gpasswd command with the relevant group name. You will be prompted to type the new password of the group.
gpasswd groupname

Example 3.20. Changing a Group Password

~]# gpasswd crowd
Changing password for group crowd
New password:
Re-enter new password:
The password for the group crowd has been changed.
You can also remove the password from the named group by using the -r option.
gpasswd -r schoolmates

3.5.4. Modifying Group Settings

When a group already exists and you need to specify any of the options now, use the groupmod command. The logic of using groupmod is identical to groupadd as well as its syntax:
groupmod option(s) groupname
To change the group ID of a given group, use the groupmod command in the following way:
groupmod -g GID_NEW which_group_to_edit

Note

Find all files owned by the specified GID in system and change their owner. Do the same for Access Control List (ACL) referring to the GID. It is recommended to check there are no running processes as they keep running with the old GID.
To change the name of the group, run the following on the command line. The name of the group will be changed from GROUP_NAME to NEW_GROUP_NAME name.
groupmod -n new_groupname groupname

Example 3.21. Changing a Group's Name

The following command changes the name of the group schoolmates to crowd:
~]# groupmod -n crowd schoolmates

3.5.5. Deleting Groups

The groupdel command modifies the system account files, deleting all entries that see the group. The named group must exist when you execute this command.
groupdel groupname

3.6. Additional Resources

See the following resources for more information about managing users and groups.

3.6.1. Installed Documentation

For information about various utilities for managing users and groups, see the following manual pages:
  • chage(1) — A command to modify password aging policies and account expiration.
  • gpasswd(1) — A command to administer the /etc/group file.
  • groupadd(8) — A command to add groups.
  • grpck(8) — A command to verify the /etc/group file.
  • groupdel(8) — A command to remove groups.
  • groupmod(8) — A command to modify group membership.
  • pwck(8) — A command to verify the /etc/passwd and /etc/shadow files.
  • pwconv(8) — A tool to convert standard passwords to shadow passwords.
  • pwunconv(8) — A tool to convert shadow passwords to standard passwords.
  • useradd(8) — A command to add users.
  • userdel(8) — A command to remove users.
  • usermod(8) — A command to modify users.
For information about related configuration files, see:
  • group(5) — The file containing group information for the system.
  • passwd(5) — The file containing user information for the system.
  • shadow(5) — The file containing passwords and account expiration information for the system.
  • login.defs(5) - The file containing shadow password suite configuration.
  • useradd(8) - For /etc/default/useradd, section “Changing the default values” in manual page.

Chapter 4. Gaining Privileges

System administrators (and in some cases users) will need to perform certain tasks with administrative access. Accessing the system as root is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using the su and sudo programs. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.
See the Red Hat Enterprise Linux 6 Security Guide for more information on administrative controls, potential dangers and ways to prevent data loss resulting from improper use of privileged access.

4.1. The su Command

When a user executes the su command, they are prompted for the root password and, after authentication, are given a root shell prompt.
Once logged in via the su command, the user is the root user and has absolute administrative access to the system[1]. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
~]# usermod -a -G wheel username
In the previous command, replace username with the user name you want to add to the wheel group.
You can also use the User Manager to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure.
  1. Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command system-config-users at a shell prompt.
  2. Click the Users tab, and select the required user in the list of users.
  3. Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).
  4. Click the Groups tab, select the check box for the wheel group, and then click OK.
See Section 3.2, “Managing Users via the User Manager Application” for more information about the User Manager.
After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, you will need to edit the PAM configuration file for su: /etc/pam.d/su. Open this file in a text editor and remove the comment (#) from the following line:
#auth           required        pam_wheel.so use_uid
This change means that only members of the administrative group wheel can switch to another user using the su command.

Note

The root user is part of the wheel group by default.

4.2. The sudo Command

The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
The basic format of the sudo command is as follows:
sudo <command>
In the above example, <command> would be replaced by a command normally reserved for the root user, such as mount.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 6 Security Guide.
Each successful authentication using the sudo is logged to the file /var/log/messages and the command issued along with the issuer's user name is logged to the file /var/log/secure. Should you require additional logging, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:
session required pam_tty_audit.so disable=<pattern> enable=<pattern>
where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user, juan, can use sudo from any host and execute any command.
The example below illustrates the granularity possible when configuring sudo:
%users localhost=/sbin/shutdown -h now
This example states that any user can issue the command /sbin/shutdown -h now as long as it is issued from the console.
The man page for sudoers has a detailed listing of options for this file.

Important

There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access.
  • By default, sudo stores the sudoer's password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:
    Defaults    timestamp_timeout=<value>
    where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes sudo to require a password every time.
  • If a sudoer's account is compromised, an attacker can use sudo to open a new shell with administrative privileges:
    sudo /bin/bash
    Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed.

4.3. Additional Resources

While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore see sources listed below for more information regarding security and privileged access.

Installed Documentation

  • su(1) - the manual page for su provides information regarding the options available with this command.
  • sudo(8) - the manual page for sudo includes a detailed description of this command as well as a list of options available for customizing sudo's behavior.
  • pam(8) - the manual page describing the use of Pluggable Authentication Modules for Linux.

Online Documentation



[1] This access is still subject to the restrictions imposed by SELinux, if it is enabled.

Chapter 5. Console Access

When normal (non-root) users log into a computer locally, they are given two types of special permissions:
  1. They can run certain programs that they otherwise cannot run.
  2. They can access certain files that they otherwise cannot access. These files normally include special device files used to access diskettes, CD-ROMs, and so on.
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in owns the files.
In contrast, every user who logs in at the console is allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, these console-accessible programs include halt, poweroff, and reboot.

5.1. Disabling Console Program Access for Non-root Users

Non-root users can be denied console access to any program in the /etc/security/console.apps/ directory. To list these programs, run the following command:
~]$ ls /etc/security/console.apps
abrt-cli-root
config-util
eject
halt
poweroff
reboot
rhn_register
setup
subscription-manager
subscription-manager-gui
system-config-network
system-config-network-cmd
xserver
For each of these programs, console access denial can be configured using the program's Pluggable Authentication Module (PAM) configuration file. For information about PAMs and their usage, see chapter Pluggable Authentication Modules of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide.
PAM configuration file for each program in /etc/security/console.apps/ resides in the /etc/pam.d/ directory and is named the same as the program. Using this file, you can configure PAM to deny access to the program if the user is not root. To do that, insert line auth requisite pam_deny.so directly after the first uncommented line auth sufficient pam_rootok.so.

Example 5.1. Disabling Access to the Reboot Program

To disable non-root console access to /etc/security/console.apps/reboot, insert line auth requisite pam_deny.so into the /etc/pam.d/reboot PAM configuration file:
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth        requisite   pam_deny.so
auth       required     pam_console.so
#auth       include     system-auth
account    required     pam_permit.so
With this setting, all non-root access to the reboot utility is disabled.
Additionally, several programs in /etc/security/console.apps/ partially derive their PAM configuration from the /etc/pam.d/config-util configuration file. This allows to change configuration for all these programs at once by editing /etc/pam.d/config-util. To find all these programs, search for PAM configuration files that refer to the config-util file:
~]# grep -l "config-util" /etc/pam.d/*
/etc/pam.d/abrt-cli-root
/etc/pam.d/rhn_register
/etc/pam.d/subscription-manager
/etc/pam.d/subscription-manager-gui
/etc/pam.d/system-config-network
/etc/pam.d/system-config-network-cmd
Disabling console program access as described above may be useful in environments where the console is otherwise secured. Security measures may include password protection for BIOS and boot loader, disabling rebooting on pressing Ctrl+Alt+Delete, disabling the power and reset switches, and other. In these cases, you may want to restrict normal user's access to halt, poweroff, reboot, and other programs, which by default are accessible from the console.

5.2. Disabling Rebooting Using Ctrl+Alt+Del

The action that happens in response to pressing Ctrl+Alt+Del at console is specified in the /etc/init/control-alt-delete.conf file. By default, the shutdown utility with the -r option is used to shutdown and reboot the system.
To disable this action, create an overriding configuration file that specifies the exec true command, which does nothing. To do that, run the following command as root:
~]# echo "exec true" >> /etc/init/control-alt-delete.override

Part II. Subscription and Support

To receive updates to the software on a Red Hat Enterprise Linux system it must be subscribed to the Red Hat Content Delivery Network (CDN) and the appropriate repositories enabled. This part describes how to subscribe a system to the Red Hat Content Delivery Network.
Red Hat provides support via the Customer Portal, and you can access this support directly from the command line using the Red Hat Support Tool. This part describes the use of this command-line tool.

Chapter 6. Registering the System and Managing Subscriptions

The subscription service provides a mechanism to handle Red Hat software inventory and allows you to install additional software or update already installed programs to newer versions using the yum or PackageKit package managers. In Red Hat Enterprise Linux 6 the recommended way to register your system and attach subscriptions is to use Red Hat Subscription Management.

Note

It is also possible to register the system and attach subscriptions after installation during the firstboot process. For detailed information about firstboot see the Firstboot chapter in the Installation Guide for Red Hat Enterprise Linux 6. Note that firstboot is only available on systems after a graphical installation or after a kickstart installation where a desktop and the X window system were installed and graphical login was enabled.

6.1. Registering the System and Attaching Subscriptions

Complete the following steps to register your system and attach one or more subscriptions using Red Hat Subscription Management. Note that all subscription-manager commands are supposed to be run as root.
  1. Run the following command to register your system. You will be prompted to enter your user name and password. Note that the user name and password are the same as your login credentials for Red Hat Customer Portal.
    subscription-manager register
  2. Determine the pool ID of a subscription that you require. To do so, type the following at a shell prompt to display a list of all subscriptions that are available for your system:
    subscription-manager list --available
    For each available subscription, this command displays its name, unique identifier, expiration date, and other details related to your subscription. To list subscriptions for all architectures, add the --all option. The pool ID is listed on a line beginning with Pool ID.
  3. Attach the appropriate subscription to your system by entering a command as follows:
    subscription-manager attach --pool=pool_id
    Replace pool_id with the pool ID you determined in the previous step.
    To verify the list of subscriptions your system has currently attached, at any time, run:
    subscription-manager list --consumed

Note

If you use a firewall or a proxy, you may need additional configuration to allow yum and subscription-manager to work correctly. Refer to the "Setting Firewall Access for Content Delivery" section of the Red Hat Enterprise Linux 6 Subscription Management guide if you use a firewall and to the "Using an HTTP Proxy" section if you use a proxy.
For more details on how to register your system using Red Hat Subscription Management and associate it with subscriptions, see the designated solution article. For comprehensive information about subscriptions, see the Red Hat Subscription Management collection of guides.

6.2. Managing Software Repositories

When a system is subscribed to the Red Hat Content Delivery Network, a repository file is created in the /etc/yum.repos.d/ directory. To verify that, use yum to list all enabled repositories:
yum repolist
Red Hat Subscription Management also allows you to manually enable or disable software repositories provided by Red Hat. To list all available repositories, use the following command:
subscription-manager repos --list
The repository names depend on the specific version of Red Hat Enterprise Linux you are using and are in the following format:
rhel-variant-rhscl-version-rpms
rhel-variant-rhscl-version-debug-rpms
rhel-variant-rhscl-version-source-rpms
Where variant is the Red Hat Enterprise Linux system variant (server or workstation), and version is the Red Hat Enterprise Linux system version (6 or 7), for example:
rhel-server-rhscl-6-eus-rpms
rhel-server-rhscl-6-eus-source-rpms
rhel-server-rhscl-6-eus-debug-rpms
To enable a repository, enter a command as follows:
subscription-manager repos --enable repository
Replace repository with a name of the repository to enable.
Similarly, to disable a repository, use the following command:
subscription-manager repos --disable repository
Section 8.4, “Configuring Yum and Yum Repositories” provides detailed information about managing software repositories using yum.

6.3. Removing Subscriptions

To remove a particular subscription, complete the following steps.
  1. Determine the serial number of the subscription you want to remove by listing information about already attached subscriptions:
    subscription-manager list --consumed
    The serial number is the number listed as serial. For instance, 744993814251016831 in the example below:
    SKU:               ES0113909
    Contract:          01234567
    Account:           1234567
    Serial:            744993814251016831
    Pool ID:           8a85f9894bba16dc014bccdd905a5e23
    Active:            False
    Quantity Used:     1
    Service Level:     SELF-SUPPORT
    Service Type:      L1-L3
    Status Details:    
    Subscription Type: Standard
    Starts:            02/27/2015
    Ends:              02/27/2016
    System Type:       Virtual
  2. Enter a command as follows to remove the selected subscription:
    subscription-manager remove --serial=serial_number
    Replace serial_number with the serial number you determined in the previous step.
To remove all subscriptions attached to the system, run the following command:
subscription-manager remove --all

6.4. Additional Resources

For more information on how to register your system using Red Hat Subscription Management and associate it with subscriptions, see the resources listed below.

Installed Documentation

  • subscription-manager(8) — the manual page for Red Hat Subscription Management provides a complete list of supported options and commands.

Online Resources

See Also

  • Chapter 4, Gaining Privileges documents how to gain administrative privileges by using the su and sudo commands.
  • Chapter 8, Yum provides information about using the yum packages manager to install and update software.
  • Chapter 9, PackageKit provides information about using the PackageKit package manager to install and update software.

Chapter 7. Accessing Support Using the Red Hat Support Tool

The Red Hat Support Tool, in the redhat-support-tool package, can function as both an interactive shell and as a single-execution program. It can be run over SSH or from any terminal. It enables, for example, searching the Red Hat Knowledgebase from the command line, copying solutions directly on the command line, opening and updating support cases, and sending files to Red Hat for analysis.

7.1. Installing the Red Hat Support Tool

The Red Hat Support Tool is installed by default on Red Hat Enterprise Linux. If required, to ensure that it is, enter the following command as root:
~]# yum install redhat-support-tool

7.2. Registering the Red Hat Support Tool Using the Command Line

To register the Red Hat Support Tool to the customer portal using the command line, proceed as follows:
  1. ~]# redhat-support-tool config user username
    Where username is the user name of the Red Hat Customer Portal account.
  2. ~]# redhat-support-tool config password
    Please enter the password for username:

7.3. Using the Red Hat Support Tool in Interactive Shell Mode

To start the tool in interactive mode, enter the following command:
~]$ redhat-support-tool
Welcome to the Red Hat Support Tool.
Command (? for help):
The tool can be run as an unprivileged user, with a consequently reduced set of commands, or as root.
The commands can be listed by entering the ? character. The program or menu selection can be exited by entering the q or e character. You will be prompted for your Red Hat Customer Portal user name and password when you first search the Knowledgebase or support cases. Alternately, set the user name and password for your Red Hat Customer Portal account using interactive mode, and optionally save it to the configuration file.

7.4. Configuring the Red Hat Support Tool

When in interactive mode, the configuration options can be listed by entering the command config --help:
~]# redhat-support-tool
Welcome to the Red Hat Support Tool.
Command (? for help): config --help

Usage: config [options] config.option <new option value>

Use the 'config' command to set or get configuration file values.
Options:
  -h, --help    show this help message and exit
  -g, --global  Save configuration option in /etc/redhat-support-tool.conf.
  -u, --unset   Unset configuration option.

The configuration file options which can be set are:
 user      : The Red Hat Customer Portal user.
 password  : The Red Hat Customer Portal password.
 debug     : CRITICAL, ERROR, WARNING, INFO, or DEBUG
 url       : The support services URL.  Default=https://api.access.redhat.com
 proxy_url : A proxy server URL.
 proxy_user: A proxy server user.
 proxy_password: A password for the proxy server user.
 ssl_ca    : Path to certificate authorities to trust during communication.
 kern_debug_dir: Path to the directory where kernel debug symbols should be downloaded and cached. Default=/var/lib/redhat-support-tool/debugkernels

Examples:
- config user
- config user my-rhn-username
- config --unset user

Procedure 7.1. Registering the Red Hat Support Tool Using Interactive Mode

To register the Red Hat Support Tool to the customer portal using interactive mode, proceed as follows:
  1. Start the tool by entering the following command:
    ~]# redhat-support-tool
  2. Enter your Red Hat Customer Portal user name:
    Command (? for help): config user username
    To save your user name to the global configuration file, add the -g option.
  3. Enter your Red Hat Customer Portal password:
    Command (? for help): config password
    Please enter the password for username:

7.4.1. Saving Settings to the Configuration Files

The Red Hat Support Tool, unless otherwise directed, stores values and options locally in the home directory of the current user, using the ~/.redhat-support-tool/redhat-support-tool.conf configuration file. If required, it is recommended to save passwords to this file because it is only readable by that particular user. When the tool starts, it will read values from the global configuration file /etc/redhat-support-tool.conf and from the local configuration file. Locally stored values and options take precedence over globally stored settings.

Warning

It is recommended not to save passwords in the global /etc/redhat-support-tool.conf configuration file because the password is just base64 encoded and can easily be decoded. In addition, the file is world readable.
To save a value or option to the global configuration file, add the -g, --global option as follows:
Command (? for help): config setting -g value

Note

In order to be able to save settings globally, using the -g, --global option, the Red Hat Support Tool must be run as root because normal users do not have the permissions required to write to /etc/redhat-support-tool.conf.
To remove a value or option from the local configuration file, add the -u, --unset option as follows:
Command (? for help): config setting -u value
This will clear, unset, the parameter from the tool and fall back to the equivalent setting in the global configuration file, if available.

Note

When running as an unprivileged user, values stored in the global configuration file cannot be removed using the -u, --unset option, but they can be cleared, unset, from the current running instance of the tool by using the -g, --global option simultaneously with the -u, --unset option. If running as root, values and options can be removed from the global configuration file using -g, --global simultaneously with the -u, --unset option.

7.5. Opening and Updating Support Cases Using Interactive Mode

Procedure 7.2. Opening a New Support Case Using Interactive Mode

To open a new support case using interactive mode, proceed as follows:
  1. Start the tool by entering the following command:
    ~]# redhat-support-tool
  2. Enter the opencase command:
    Command (? for help): opencase
  3. Follow the on screen prompts to select a product and then a version.
  4. Enter a summary of the case.
  5. Enter a description of the case and press Ctrl+D on an empty line when complete.
  6. Select a severity of the case.
  7. Optionally chose to see if there is a solution to this problem before opening a support case.
  8. Confirm you would still like to open the support case.
    Support case 0123456789 has successfully been opened
  9. Optionally chose to attach an SOS report.
  10. Optionally chose to attach a file.

Procedure 7.3. Viewing and Updating an Existing Support Case Using Interactive Mode

To view and update an existing support case using interactive mode, proceed as follows:
  1. Start the tool by entering the following command:
    ~]# redhat-support-tool
  2. Enter the getcase command:
    Command (? for help): getcase case-number
    Where case-number is the number of the case you want to view and update.
  3. Follow the on screen prompts to view the case, modify or add comments, and get or add attachments.

Procedure 7.4. Modifying an Existing Support Case Using Interactive Mode

To modify the attributes of an existing support case using interactive mode, proceed as follows:
  1. Start the tool by entering the following command:
    ~]# redhat-support-tool
  2. Enter the modifycase command:
    Command (? for help): modifycase case-number
    Where case-number is the number of the case you want to view and update.
  3. The modify selection list appears:
    Type the number of the attribute to modify or 'e' to return to the previous menu.
     1 Modify Type
     2 Modify Severity
     3 Modify Status
     4 Modify Alternative-ID
     5 Modify Product
     6 Modify Version
    End of options.
    Follow the on screen prompts to modify one or more of the options.
  4. For example, to modify the status, enter 3:
    Selection: 3
     1   Waiting on Customer                                                        
     2   Waiting on Red Hat                                                         
     3   Closed                                                                     
    Please select a status (or 'q' to exit):

7.6. Viewing Support Cases on the Command Line

Viewing the contents of a case on the command line provides a quick and easy way to apply solutions from the command line.
To view an existing support case on the command line, enter a command as follows:
~]# redhat-support-tool getcase case-number
Where case-number is the number of the case you want to download.

7.7. Additional Resources

The Red Hat Knowledgebase article Red Hat Support Tool has additional information, examples, and video tutorials.

Part III. Installing and Managing Software

All software on a Red Hat Enterprise Linux system is divided into RPM packages, which can be installed, upgraded, or removed. This part focuses on product subscriptions and entitlements, and describes how to manage packages on Red Hat Enterprise Linux using both Yum and the PackageKit suite of graphical package management tools.

Chapter 8. Yum

Yum is the Red Hat package manager that is able to query for information about available packages, fetch packages from repositories, install and uninstall them, and update an entire system to the latest available version. Yum performs automatic dependency resolution on packages you are updating, installing, or removing, and thus is able to automatically determine, fetch, and install all available dependent packages.
Yum can be configured with new, additional repositories, or package sources, and also provides many plug-ins which enhance and extend its capabilities. Yum is able to perform many of the same tasks that RPM can; additionally, many of the command-line options are similar. Yum enables easy and simple package management on a single machine or on groups of them.
The following sections assume your system was registered with Red Hat Subscription Management during installation as described in the Red Hat Enterprise Linux 6 Installation Guide. If your system is not subscribed, see Chapter 6, Registering the System and Managing Subscriptions.

Important

Yum provides secure package management by enabling GPG (Gnu Privacy Guard; also known as GnuPG) signature verification on GPG-signed packages to be turned on for all package repositories (i.e. package sources), or for individual repositories. When signature verification is enabled, Yum will refuse to install any packages not GPG-signed with the correct key for that repository. This means that you can trust that the RPM packages you download and install on your system are from a trusted source, such as Red Hat, and were not modified during transfer. See Section 8.4, “Configuring Yum and Yum Repositories” for details on enabling signature-checking with Yum, or Section B.3, “Checking a Package's Signature” for information on working with and verifying GPG-signed RPM packages in general.
Yum also enables you to easily set up your own repositories of RPM packages for download and installation on other machines.
Learning Yum is a worthwhile investment because it is often the fastest way to perform system administration tasks, and it provides capabilities beyond those provided by the PackageKit graphical package management tools. See Chapter 9, PackageKit for details on using PackageKit.

Note

You must have superuser privileges in order to use yum to install, update or remove packages on your system. All examples in this chapter assume that you have already obtained superuser privileges by using either the su or sudo command.

8.1. Checking For and Updating Packages

8.1.1. Checking For Updates

To see which installed packages on your system have updates available, use the following command:
yum check-update
For example:
~]# yum check-update
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
PackageKit.x86_64                  0.5.8-2.el6                rhel
PackageKit-glib.x86_64             0.5.8-2.el6                rhel
PackageKit-yum.x86_64              0.5.8-2.el6                rhel
PackageKit-yum-plugin.x86_64       0.5.8-2.el6                rhel
glibc.x86_64                       2.11.90-20.el6             rhel
glibc-common.x86_64                2.10.90-22                 rhel
kernel.x86_64                      2.6.31-14.el6              rhel
kernel-firmware.noarch             2.6.31-14.el6              rhel
rpm.x86_64                         4.7.1-5.el6                rhel
rpm-libs.x86_64                    4.7.1-5.el6                rhel
rpm-python.x86_64                  4.7.1-5.el6                rhel
udev.x86_64                        147-2.15.el6               rhel
yum.noarch                         3.2.24-4.el6               rhel
The packages in the above output are listed as having updates available. The first package in the list is PackageKit, the graphical package manager. The line in the example output tells us:
  • PackageKit — the name of the package
  • x86_64 — the CPU architecture the package was built for
  • 0.5.8 — the version of the updated package to be installed
  • rhel — the repository in which the updated package is located
The output also shows us that we can update the kernel (the kernel package), Yum and RPM themselves (the yum and rpm packages), as well as their dependencies (such as the kernel-firmware, rpm-libs, and rpm-python packages), all using yum.

8.1.2. Updating Packages

You can choose to update a single package, multiple packages, or all packages at once. If any dependencies of the package (or packages) you update have updates available themselves, then they are updated too.
Updating a Single Package
To update a single package, run the following command as root:
yum update package_name
For example, to update the udev package, type:
~]# yum update udev
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package udev.x86_64 0:147-2.15.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================
 Package       Arch            Version                 Repository     Size
===========================================================================
Updating:
 udev          x86_64          147-2.15.el6            rhel          337 k

Transaction Summary
===========================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total download size: 337 k
Is this ok [y/N]:
This output contains several items of interest:
  1. Loaded plugins: product-id, refresh-packagekit, subscription-manageryum always informs you which Yum plug-ins are installed and enabled. See Section 8.5, “Yum Plug-ins” for general information on Yum plug-ins, or to Section 8.5.3, “Plug-in Descriptions” for descriptions of specific plug-ins.
  2. udev.x86_64 — you can download and install new udev package.
  3. yum presents the update information and then prompts you as to whether you want it to perform the update; yum runs interactively by default. If you already know which transactions the yum command plans to perform, you can use the -y option to automatically answer yes to any questions that yum asks (in which case it runs non-interactively). However, you should always examine which changes yum plans to make to the system so that you can easily troubleshoot any problems that might arise.
    If a transaction does go awry, you can view Yum's transaction history by using the yum history command as described in Section 8.3, “Working with Transaction History”.

Important

yum always installs a new kernel in the same sense that RPM installs a new kernel when you use the command rpm -i kernel. Therefore, you do not need to worry about the distinction between installing and upgrading a kernel package when you use yum: it will do the right thing, regardless of whether you are using the yum update or yum install command.
When using RPM, on the other hand, it is important to use the rpm -i kernel command (which installs a new kernel) instead of rpm -u kernel (which replaces the current kernel). See Section B.2.2, “Installing and Upgrading” for more information on installing/upgrading kernels with RPM.
Updating All Packages and Their Dependencies
To update all packages and their dependencies, enter yum update (without any arguments):
yum update
Discovering which packages have security updates available and then updating those packages quickly and easily is important. Yum provides the plug-in for this purpose. The security plug-in extends the yum command with a set of highly-useful security-centric commands, subcommands and options. See Section 8.5.3, “Plug-in Descriptions” for specific information.
Updating Packages Automatically
It is also possible to set up periodical automatic updates for your packages. For this purpose, Red Hat Enterprise Linux 6 uses the yum-cron package. It provides a Yum interface for the cron daemon and downloads metadata from your package repositories. With the yum-cron service enabled, the user can schedule an automated daily Yum update as a cron job.

Note

The yum-cron package is provided by the Optional subscription channel. See Section 8.4.8, “Adding the Optional and Supplementary Repositories” for more information on Red Hat additional channels.
To install yum-cron issue the following command:
~]# yum install yum-cron
By default, the yum-cron service is disabled and needs to be activated and started manually:
~]# chkconfig yum-cron on
~]# service yum-cron start
To verify the status of the service, run the following command:
~]# service yum-cron status
The script included in the yum-cron package can be configured to change the extent and frequency of the updates, as well as to send notifications to e-mail. To customize yum-cron, edit the /etc/sysconfig/yum-cron file.
Additional details and instructions for yum-cron can be found in the comments within /etc/sysconfig/yum-cron and at the yum-cron(8) manual page.

8.1.3. Preserving Configuration File Changes

You will inevitably make changes to the configuration files installed by packages as you use your Red Hat Enterprise Linux system. RPM, which Yum uses to perform changes to the system, provides a mechanism for ensuring their integrity. See Section B.2.2, “Installing and Upgrading” for details on how to manage changes to configuration files across package upgrades.

8.1.4. Upgrading the System Off-line with ISO and Yum

For systems that are disconnected from the Internet or Red Hat Network, using the yum update command with the Red Hat Enterprise Linux installation ISO image is an easy and quick way to upgrade systems to the latest minor version. The following steps illustrate the upgrading process:
  1. Create a target directory to mount your ISO image. This directory is not automatically created when mounting, so create it before proceeding to the next step. As root, type:
    mkdir mount_dir
    Replace mount_dir with a path to the mount directory. Typically, users create it as a subdirectory in the /media directory.
  2. Mount the Red Hat Enterprise Linux 6 installation ISO image to the previously created target directory. As root, type:
    mount -o loop iso_name mount_dir
    Replace iso_name with a path to your ISO image and mount_dir with a path to the target directory. Here, the -o loop option is required to mount the file as a block device.
  3. Copy the media.repo file from the mount directory to the /etc/yum.repos.d/ directory. Note that configuration files in this directory must have the .repo extension to function properly.
    cp mount_dir/media.repo /etc/yum.repos.d/new.repo
    This creates a configuration file for the yum repository. Replace new.repo with the filename, for example rhel6.repo.
  4. Edit the new configuration file so that it points to the Red Hat Enterprise Linux installation ISO. Add the following line into the /etc/yum.repos.d/new.repo file:
    baseurl=file:///mount_dir
    Replace mount_dir with a path to the mount point.
  5. Update all yum repositories including /etc/yum.repos.d/new.repo created in previous steps. As root, type:
    yum update
    This upgrades your system to the version provided by the mounted ISO image.
  6. After successful upgrade, you can unmount the ISO image. As root, type:
    umount mount_dir
    where mount_dir is a path to your mount directory. Also, you can remove the mount directory created in the first step. As root, type:
    rmdir mount_dir
  7. If you will not use the previously created configuration file for another installation or update, you can remove it. As root, type:
    rm /etc/yum.repos.d/new.repo

Example 8.1. Upgrading from Red Hat Enterprise Linux 6.3 to 6.4

Imagine you need to upgrade your system without access to the Internet. To do so, you want to use an ISO image with the newer version of the system, called for instance RHEL6.4-Server-20130130.0-x86_64-DVD1.iso. A target directory created for mounting is /media/rhel6/. As root, change into the directory with your ISO image and type:
~]# mount -o loop RHEL6.4-Server-20130130.0-x86_64-DVD1.iso /media/rhel6/
Then set up a yum repository for your image by copying the media.repo file from the mount directory:
~]# cp /media/rhel6/media.repo /etc/yum.repos.d/rhel6.repo
To make yum recognize the mount point as a repository, add the following line into the /etc/yum.repos.d/rhel6.repo copied in the previous step:
baseurl=file:///media/rhel6/
Now, updating the yum repository will upgrade your system to a version provided by RHEL6.4-Server-20130130.0-x86_64-DVD1.iso. As root, execute:
~]# yum update
When your system is successfully upgraded, you can unmount the image, remove the target directory and the configuration file:
~]# umount /media/rhel6/
~]# rmdir /media/rhel6/
~]# rm /etc/yum.repos.d/rhel6.repo

8.2. Packages and Package Groups

8.2.1. Searching Packages

You can search all RPM package names, descriptions and summaries by using the following command:
yum search term
Replace term with a package name you want to search.

Example 8.2. Searching for packages matching a specific string

To list all packages that match vim, gvim, or emacs, type:
~]$ yum search vim gvim emacs
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
============================= N/S matched: vim ==============================
vim-X11.x86_64 : The VIM version of the vi editor for the X Window System
vim-common.x86_64 : The common files needed by any version of the VIM editor
[output truncated]

============================ N/S matched: emacs =============================
emacs.x86_64 : GNU Emacs text editor
emacs-auctex.noarch : Enhanced TeX modes for Emacs
[output truncated]

  Name and summary matches mostly, use "search all" for everything.
Warning: No matches found for: gvim
The yum search command is useful for searching for packages you do not know the name of, but for which you know a related term. Note that by default, yum search returns matches in package name and summary, which makes the search faster. Use the yum search all command for a more exhaustive but slower search.

8.2.2. Listing Packages

yum list and related commands provide information about packages, package groups, and repositories.
All of Yum's list commands allow you to filter the results by appending one or more glob expressions as arguments. Glob expressions are normal strings of characters which contain one or more of the wildcard characters * (which expands to match any character multiple times) and ? (which expands to match any one character).

Note

Be careful to escape the glob expressions when passing them as arguments to a yum command, otherwise the Bash shell will interpret these expressions as pathname expansions, and potentially pass all files in the current directory that match the globs to yum. To make sure the glob expressions are passed to yum as intended, either:
  • escape the wildcard characters by preceding them with a backslash character
  • double-quote or single-quote the entire glob expression.
yum list glob_expression
Lists information on installed and available packages matching all glob expressions.

Example 8.3. Listing all ABRT add-ons and plug-ins using glob expressions

Packages with various ABRT add-ons and plug-ins either begin with abrt-addon-, or abrt-plugin-. To list these packages, type the following at a shell prompt:
~]# yum list abrt-addon\* abrt-plugin\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
abrt-addon-ccpp.x86_64                        1.0.7-5.el6             @rhel
abrt-addon-kerneloops.x86_64                  1.0.7-5.el6             @rhel
abrt-addon-python.x86_64                      1.0.7-5.el6             @rhel
abrt-plugin-bugzilla.x86_64                   1.0.7-5.el6             @rhel
abrt-plugin-logger.x86_64                     1.0.7-5.el6             @rhel
abrt-plugin-sosreport.x86_64                  1.0.7-5.el6             @rhel
abrt-plugin-ticketuploader.x86_64             1.0.7-5.el6             @rhel
yum list all
Lists all installed and available packages.
yum list installed
Lists all packages installed on your system. The rightmost column in the output lists the repository from which the package was retrieved.

Example 8.4. Listing installed packages using a double-quoted glob expression

To list all installed packages that begin with krb followed by exactly one character and a hyphen, type:
~]# yum list installed "krb?-*"
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
krb5-libs.x86_64                         1.8.1-3.el6                  @rhel
krb5-workstation.x86_64                  1.8.1-3.el6                  @rhel
yum list available
Lists all available packages in all enabled repositories.

Example 8.5. Listing available packages using a single glob expression with escaped wildcard characters

To list all available packages with names that contain gstreamer and then plugin, run the following command:
~]# yum list available gstreamer\*plugin\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Available Packages
gstreamer-plugins-bad-free.i686               0.10.17-4.el6            rhel
gstreamer-plugins-base.i686                   0.10.26-1.el6            rhel
gstreamer-plugins-base-devel.i686             0.10.26-1.el6            rhel
gstreamer-plugins-base-devel.x86_64           0.10.26-1.el6            rhel
gstreamer-plugins-good.i686                   0.10.18-1.el6            rhel
yum grouplist
Lists all package groups.
yum repolist
Lists the repository ID, name, and number of packages it provides for each enabled repository.

8.2.3. Displaying Package Information

To display information about one or more packages (glob expressions are valid here as well), use the following command:
yum info package_name
For example, to display information about the abrt package, type:
~]# yum info abrt
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
Name       : abrt
Arch       : x86_64
Version    : 1.0.7
Release    : 5.el6
Size       : 578 k
Repo       : installed
From repo  : rhel
Summary    : Automatic bug detection and reporting tool
URL        : https://fedorahosted.org/abrt/
License    : GPLv2+
Description: abrt is a tool to help users to detect defects in applications
           : and to create a bug report with all informations needed by
           : maintainer to fix it. It uses plugin system to extend its
           : functionality.
The yum info package_name command is similar to the rpm -q --info package_name command, but provides as additional information the ID of the Yum repository the RPM package is found in (look for the From repo: line in the output).
You can also query the Yum database for alternative and useful information about a package by using the following command:
yumdb info package_name
This command provides additional information about a package, including the check sum of the package (and algorithm used to produce it, such as SHA-256), the command given on the command line that was invoked to install the package (if any), and the reason that the package is installed on the system (where user indicates it was installed by the user, and dep means it was brought in as a dependency). For example, to display additional information about the yum package, type:
~]# yumdb info yum
Loaded plugins: product-id, refresh-packagekit, subscription-manager
yum-3.2.27-4.el6.noarch
     checksum_data = 23d337ed51a9757bbfbdceb82c4eaca9808ff1009b51e9626d540f44fe95f771
     checksum_type = sha256
     from_repo = rhel
     from_repo_revision = 1298613159
     from_repo_timestamp = 1298614288
     installed_by = 4294967295
     reason = user
     releasever = 6.1
For more information on the yumdb command, see the yumdb(8) manual page.
Listing Files Contained in a Package
repoquery is a program for querying information from yum repositories similarly to rpm queries. You can query both package groups and individual packages. To list all files contained in a specific package, type:
repoquery --list package_name
Replace package_name with a name of the package you want to inspect. For more information on the repoquery command, see the repoquery manual page.
To find out which package provides a specific file, you can use the yum provides command, described in Finding which package owns a file

8.2.4. Installing Packages

Yum allows you to install both a single package and multiple packages, as well as a package group of your choice.
Installing Individual Packages
To install a single package and all of its non-installed dependencies, enter a command in the following form:
yum install package_name
You can also install multiple packages simultaneously by appending their names as arguments:
yum install package_name package_name
If you are installing packages on a multilib system, such as an AMD64 or Intel 64 machine, you can specify the architecture of the package (as long as it is available in an enabled repository) by appending .arch to the package name. For example, to install the sqlite package for i686, type:
~]# yum install sqlite.i686
You can use glob expressions to quickly install multiple similarly-named packages:
~]# yum install perl-Crypt-\*
In addition to package names and glob expressions, you can also provide file names to yum install. If you know the name of the binary you want to install, but not its package name, you can give yum install the path name:
~]# yum install /usr/sbin/named
yum then searches through its package lists, finds the package which provides /usr/sbin/named, if any, and prompts you as to whether you want to install it.

Note

If you know you want to install the package that contains the named binary, but you do not know in which bin or sbin directory is the file installed, use the yum provides command with a glob expression:
~]# yum provides "*bin/named"
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
32:bind-9.7.0-4.P1.el6.x86_64 : The Berkeley Internet Name Domain (BIND)
                              : DNS (Domain Name System) server
Repo        : rhel
Matched from:
Filename    : /usr/sbin/named
yum provides "*/file_name" is a common and useful trick to find the package(s) that contain file_name.
Installing a Package Group
A package group is similar to a package: it is not useful by itself, but installing one pulls a group of dependent packages that serve a common purpose. A package group has a name and a groupid. The yum grouplist -v command lists the names of all package groups, and, next to each of them, their groupid in parentheses. The groupid is always the term in the last pair of parentheses, such as kde-desktop in the following example:
~]# yum -v grouplist kde\*
Loading "product-id" plugin
Loading "refresh-packagekit" plugin
Loading "subscription-manager" plugin
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Config time: 0.123
Yum Version: 3.2.29
Setting up Group Process
Looking for repo options for [rhel]
rpmdb time: 0.001
group time: 1.291
Available Groups:
   KDE Desktop (kde-desktop)
Done
You can install a package group by passing its full group name (without the groupid part) to groupinstall:
yum groupinstall group_name
You can also install by groupid:
yum groupinstall groupid
You can even pass the groupid (or quoted name) to the install command if you prepend it with an @-symbol (which tells yum that you want to perform a groupinstall):
yum install @group
For example, the following are alternative but equivalent ways of installing the KDE Desktop group:
~]# yum groupinstall "KDE Desktop"
~]# yum groupinstall kde-desktop
~]# yum install @kde-desktop

8.2.5. Removing Packages

Similarly to package installation, Yum allows you to uninstall (remove in RPM and Yum terminology) both individual packages and a package group.
Removing Individual Packages
To uninstall a particular package, as well as any packages that depend on it, run the following command as root:
yum remove package_name
As when you install multiple packages, you can remove several at once by adding more package names to the command. For example, to remove totem, rhythmbox, and sound-juicer, type the following at a shell prompt:
~]# yum remove totem rhythmbox sound-juicer
Similar to install, remove can take these arguments:
  • package names
  • glob expressions
  • file lists
  • package provides

Warning

Yum is not able to remove a package without also removing packages which depend on it. This type of operation can only be performed by RPM, is not advised, and can potentially leave your system in a non-functioning state or cause applications to misbehave and/or crash. For further information, see Section B.2.4, “Uninstalling” in the RPM chapter.
Removing a Package Group
You can remove a package group using syntax congruent with the install syntax:
yum groupremove group
yum remove @group
The following are alternative but equivalent ways of removing the KDE Desktop group:
~]# yum groupremove "KDE Desktop"
~]# yum groupremove kde-desktop
~]# yum remove @kde-desktop

Important

When you tell yum to remove a package group, it will remove every package in that group, even if those packages are members of other package groups or dependencies of other installed packages. However, you can instruct yum to remove only those packages which are not required by any other packages or groups by adding the groupremove_leaf_only=1 directive to the [main] section of the /etc/yum.conf configuration file. For more information on this directive, see Section 8.4.1, “Setting [main] Options”.

8.3. Working with Transaction History

The yum history command allows users to review information about a timeline of Yum transactions, the dates and times they occurred, the number of packages affected, whether transactions succeeded or were aborted, and if the RPM database was changed between transactions. Additionally, this command can be used to undo or redo certain transactions.

8.3.1. Listing Transactions

To display a list of twenty most recent transactions, as root, either run yum history with no additional arguments, or type the following at a shell prompt:
yum history list
To display all transactions, add the all keyword:
yum history list all
To display only transactions in a given range, use the command in the following form:
yum history list start_id..end_id
You can also list only transactions regarding a particular package or packages. To do so, use the command with a package name or a glob expression:
yum history list glob_expression
For example, the list of the first five transactions looks as follows:
~]# yum history list 1..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     5 | Jaromir ... <jhradilek>  | 2011-07-29 15:33 | Install        |    1
     4 | Jaromir ... <jhradilek>  | 2011-07-21 15:10 | Install        |    1
     3 | Jaromir ... <jhradilek>  | 2011-07-16 15:27 | I, U           |   73
     2 | System <unset>           | 2011-07-16 15:19 | Update         |    1
     1 | System <unset>           | 2011-07-16 14:38 | Install        | 1106
history list
All forms of the yum history list command produce tabular output with each row consisting of the following columns:
  • ID — an integer value that identifies a particular transaction.
  • Login user — the name of the user whose login session was used to initiate a transaction. This information is typically presented in the Full Name <username> form. For transactions that were not issued by a user (such as an automatic system update), System <unset> is used instead.
  • Date and time — the date and time when a transaction was issued.
  • Action(s) — a list of actions that were performed during a transaction as described in Table 8.1, “Possible values of the Action(s) field”.
  • Altered — the number of packages that were affected by a transaction, possibly followed by additional information as described in Table 8.2, “Possible values of the Altered field”.
Table 8.1. Possible values of the Action(s) field
Action Abbreviation Description
Downgrade D At least one package has been downgraded to an older version.
Erase E At least one package has been removed.
Install I At least one new package has been installed.
Obsoleting O At least one package has been marked as obsolete.
Reinstall R At least one package has been reinstalled.
Update U At least one package has been updated to a newer version.
Table 8.2. Possible values of the Altered field
Symbol Description
< Before the transaction finished, the rpmdb database was changed outside Yum.
> After the transaction finished, the rpmdb database was changed outside Yum.
* The transaction failed to finish.
# The transaction finished successfully, but yum returned a non-zero exit code.
E The transaction finished successfully, but an error or a warning was displayed.
P The transaction finished successfully, but problems already existed in the rpmdb database.
s The transaction finished successfully, but the --skip-broken command-line option was used and certain packages were skipped.
Yum also allows you to display a summary of all past transactions. To do so, run the command in the following form as root:
yum history summary
To display only transactions in a given range, type:
yum history summary start_id..end_id
Similarly to the yum history list command, you can also display a summary of transactions regarding a certain package or packages by supplying a package name or a glob expression:
yum history summary glob_expression
For instance, a summary of the transaction history displayed above would look like the following:
~]# yum history summary 1..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Login user                 | Time                | Action(s)        | Altered
-------------------------------------------------------------------------------
Jaromir ... <jhradilek>    | Last day            | Install          |        1
Jaromir ... <jhradilek>    | Last week           | Install          |        1
Jaromir ... <jhradilek>    | Last 2 weeks        | I, U             |       73
System <unset>             | Last 2 weeks        | I, U             |     1107
history summary
All forms of the yum history summary command produce simplified tabular output similar to the output of yum history list.
As shown above, both yum history list and yum history summary are oriented towards transactions, and although they allow you to display only transactions related to a given package or packages, they lack important details, such as package versions. To list transactions from the perspective of a package, run the following command as root:
yum history package-list glob_expression
For example, to trace the history of subscription-manager and related packages, type the following at a shell prompt:
~]# yum history package-list subscription-manager\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
     3 | Updated        | subscription-manager-0.95.11-1.el6.x86_64
     3 | Update         |                      0.95.17-1.el6_1.x86_64
     3 | Updated        | subscription-manager-firstboot-0.95.11-1.el6.x86_64
     3 | Update         |                                0.95.17-1.el6_1.x86_64
     3 | Updated        | subscription-manager-gnome-0.95.11-1.el6.x86_64
     3 | Update         |                            0.95.17-1.el6_1.x86_64
     1 | Install        | subscription-manager-0.95.11-1.el6.x86_64
     1 | Install        | subscription-manager-firstboot-0.95.11-1.el6.x86_64
     1 | Install        | subscription-manager-gnome-0.95.11-1.el6.x86_64
history package-list
In this example, three packages were installed during the initial system installation: subscription-manager, subscription-manager-firstboot, and subscription-manager-gnome. In the third transaction, all these packages were updated from version 0.95.11 to version 0.95.17.

8.3.2. Examining Transactions

To display the summary of a single transaction, as root, use the yum history summary command in the following form:
yum history summary id
To examine a particular transaction or transactions in more detail, run the following command as root:
yum history info id
The id argument is optional and when you omit it, yum automatically uses the last transaction. Note that when specifying more than one transaction, you can also use a range:
yum history info start_id..end_id
The following is sample output for two transactions, each installing one new package:
~]# yum history info 4..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Transaction ID : 4..5
Begin time     : Thu Jul 21 15:10:46 2011
Begin rpmdb    : 1107:0c67c32219c199f92ed8da7572b4c6df64eacd3a
End time       :            15:33:15 2011 (22 minutes)
End rpmdb      : 1109:1171025bd9b6b5f8db30d063598f590f1c1f3242
User           : Jaromir Hradilek <jhradilek>
Return-Code    : Success
Command Line   : install screen
Command Line   : install yum-plugin-security
Transaction performed with:
    Installed     rpm-4.8.0-16.el6.x86_64
    Installed     yum-3.2.29-17.el6.noarch
    Installed     yum-metadata-parser-1.1.2-16.el6.x86_64
Packages Altered:
    Install screen-4.0.3-16.el6.x86_64
    Install yum-plugin-security-1.1.30-17.el6.noarch
history info
You can also view additional information, such as what configuration options were used at the time of the transaction, or from what repository and why were certain packages installed. To determine what additional information is available for a certain transaction, type the following at a shell prompt as root:
yum history addon-info id
Similarly to yum history info, when no id is provided, yum automatically uses the latest transaction. Another way to see the latest transaction is to use the last keyword:
yum history addon-info last
For instance, for the first transaction in the previous example, the yum history addon-info command would provide the following output:
~]# yum history addon-info 4
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Transaction ID: 4
Available additional history information:
  config-main
  config-repos
  saved_tx

history addon-info
In this example, three types of information are available:
  • config-main — global Yum options that were in use during the transaction. See Section 8.4.1, “Setting [main] Options” for information on how to change global options.
  • config-repos — options for individual Yum repositories. See Section 8.4.2, “Setting [repository] Options” for information on how to change options for individual repositories.
  • saved_tx — the data that can be used by the yum load-transaction command in order to repeat the transaction on another machine (see below).
To display selected type of additional information, run the following command as root:
yum history addon-info id information

8.3.3. Reverting and Repeating Transactions

Apart from reviewing the transaction history, the yum history command provides means to revert or repeat a selected transaction. To revert a transaction, type the following at a shell prompt as root:
yum history undo id
To repeat a particular transaction, as root, run the following command:
yum history redo id
Both commands also accept the last keyword to undo or repeat the latest transaction.
Note that both yum history undo and yum history redo commands only revert or repeat the steps that were performed during a transaction. If the transaction installed a new package, the yum history undo command will uninstall it, and if the transaction uninstalled a package the command will again install it. This command also attempts to downgrade all updated packages to their previous version, if these older packages are still available.
When managing several identical systems, Yum also allows you to perform a transaction on one of them, store the transaction details in a file, and after a period of testing, repeat the same transaction on the remaining systems as well. To store the transaction details to a file, type the following at a shell prompt as root:
yum -q history addon-info id saved_tx > file_name
Once you copy this file to the target system, you can repeat the transaction by using the following command as root:
yum load-transaction file_name
Note, however that the rpmdb version stored in the file must be identical to the version on the target system. You can verify the rpmdb version by using the yum version nogroups command.

8.3.4. Completing Transactions

An unexpected situation, such as power loss or system crash, can prevent you from completing your yum transaction. When such event occurs in the middle of your transaction, you can try to resume it later with the following command as root:
yum-complete-transaction
The yum-complete-transaction tool searches for incomplete or aborted yum transactions on a system and attempts to complete them. By default, these transactions are listed in the /var/lib/yum/transaction-all and /var/lib/yum/transaction-done files. If there are more unfinished transactions, yum-complete-transaction attempts to complete the most recent one first.
To clean transaction journal files without attempting to resume the aborted transactions, use the --cleanup-only option:
yum-complete-transaction --cleanup-only

8.3.5. Starting New Transaction History

Yum stores the transaction history in a single SQLite database file. To start new transaction history, run the following command as root:
yum history new
This will create a new, empty database file in the /var/lib/yum/history/ directory. The old transaction history will be kept, but will not be accessible as long as a newer database file is present in the directory.

8.4. Configuring Yum and Yum Repositories

The configuration file for yum and related utilities is located at /etc/yum.conf. This file contains one mandatory [main] section, which allows you to set Yum options that have global effect, and can also contain one or more [repository] sections, which allow you to set repository-specific options. However, it is recommended to define individual repositories in new or existing .repo files in the /etc/yum.repos.d/ directory. The values you define in individual [repository] sections of the /etc/yum.conf file override values set in the [main] section.
This section shows you how to:
  • set global Yum options by editing the [main] section of the /etc/yum.conf configuration file;
  • set options for individual repositories by editing the [repository] sections in /etc/yum.conf and .repo files in the /etc/yum.repos.d/ directory;
  • use Yum variables in /etc/yum.conf and files in the /etc/yum.repos.d/ directory so that dynamic version and architecture values are handled correctly;
  • add, enable, and disable Yum repositories on the command line; and,
  • set up your own custom Yum repository.

8.4.1. Setting [main] Options

The /etc/yum.conf configuration file contains exactly one [main] section, and while some of the key-value pairs in this section affect how yum operates, others affect how Yum treats repositories. You can add many additional options under the [main] section heading in /etc/yum.conf.
A sample /etc/yum.conf configuration file can look like this:
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3

[comments abridged]

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
The following are the most commonly-used options in the [main] section:
assumeyes=value
where value is one of:
0yum should prompt for confirmation of critical actions it performs. This is the default.
1 — Do not prompt for confirmation of critical yum actions. If assumeyes=1 is set, yum behaves in the same way that the command-line option -y does.
cachedir=directory
where directory is an absolute path to the directory where Yum should store its cache and database files. By default, Yum's cache directory is /var/cache/yum/$basearch/$releasever.
See Section 8.4.3, “Using Yum Variables” for descriptions of the $basearch and $releasever Yum variables.
debuglevel=value
where value is an integer between 1 and 10. Setting a higher debuglevel value causes yum to display more detailed debugging output. debuglevel=0 disables debugging output, while debuglevel=2 is the default.
exactarch=value
where value is one of:
0 — Do not take into account the exact architecture when updating packages.
1 — Consider the exact architecture when updating packages. With this setting, yum will not install an i686 package to update an i386 package already installed on the system. This is the default.
exclude=package_name [more_package_names]
This option allows you to exclude packages by keyword during installation/updates. Listing multiple packages for exclusion can be accomplished by quoting a space-delimited list of packages. Shell globs using wildcards (for example, * and ?) are allowed.
gpgcheck=value
where value is one of:
0 — Disable GPG signature-checking on packages in all repositories, including local package installation.
1 — Enable GPG signature-checking on all packages in all repositories, including local package installation. gpgcheck=1 is the default, and thus all packages' signatures are checked.
If this option is set in the [main] section of the /etc/yum.conf file, it sets the GPG-checking rule for all repositories. However, you can also set gpgcheck=value for individual repositories instead; that is, you can enable GPG-checking on one repository while disabling it on another. Setting gpgcheck=value for an individual repository in its corresponding .repo file overrides the default if it is present in /etc/yum.conf.
For more information on GPG signature-checking, see Section B.3, “Checking a Package's Signature”.
groupremove_leaf_only=value
where value is one of:
0yum should not check the dependencies of each package when removing a package group. With this setting, yum removes all packages in a package group, regardless of whether those packages are required by other packages or groups. groupremove_leaf_only=0 is the default.
1yum should check the dependencies of each package when removing a package group, and remove only those packages which are not required by any other package or group.
For more information on removing packages, see Intelligent package group removal.
installonlypkgs=space separated list of packages
Here you can provide a space-separated list of packages which yum can install, but will never update. See the yum.conf(5) manual page for the list of packages which are install-only by default.
If you add the installonlypkgs directive to /etc/yum.conf, you should ensure that you list all of the packages that should be install-only, including any of those listed under the installonlypkgs section of yum.conf(5). In particular, kernel packages should always be listed in installonlypkgs (as they are by default), and installonly_limit should always be set to a value greater than 2 so that a backup kernel is always available in case the default one fails to boot.
installonly_limit=value
where value is an integer representing the maximum number of versions that can be installed simultaneously for any single package listed in the installonlypkgs directive.
The defaults for the installonlypkgs directive include several different kernel packages, so be aware that changing the value of installonly_limit will also affect the maximum number of installed versions of any single kernel package. The default value listed in /etc/yum.conf is installonly_limit=3, and it is not recommended to decrease this value, particularly below 2.
keepcache=value
where value is one of:
0 — Do not retain the cache of headers and packages after a successful installation. This is the default.
1 — Retain the cache after a successful installation.
logfile=file_name
where file_name is an absolute path to the file in which yum should write its logging output. By default, yum logs to /var/log/yum.log.
multilib_policy=value
where value is one of:
best — install the best-choice architecture for this system. For example, setting multilib_policy=best on an AMD64 system causes yum to install 64-bit versions of all packages.
all — always install every possible architecture for every package. For example, with multilib_policy set to all on an AMD64 system, yum would install both the i686 and AMD64 versions of a package, if both were available.
obsoletes=value
where value is one of:
0 — Disable yum's obsoletes processing logic when performing updates.
1 — Enable yum's obsoletes processing logic when performing updates. When one package declares in its spec file that it obsoletes another package, the latter package will be replaced by the former package when the former package is installed. Obsoletes are declared, for example, when a package is renamed. obsoletes=1 the default.
plugins=value
where value is one of:
0 — Disable all Yum plug-ins globally.

Important

Disabling all plug-ins is not advised because certain plug-ins provide important Yum services. In particular, rhnplugin provides support for RHN Classic, and product-id and subscription-manager plug-ins provide support for the certificate-based Content Delivery Network (CDN). Disabling plug-ins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
1 — Enable all Yum plug-ins globally. With plugins=1, you can still disable a specific Yum plug-in by setting enabled=0 in that plug-in's configuration file.
For more information about various Yum plug-ins, see Section 8.5, “Yum Plug-ins”. For further information on controlling plug-ins, see Section 8.5.1, “Enabling, Configuring, and Disabling Yum Plug-ins”.
reposdir=directory
where directory is an absolute path to the directory where .repo files are located. All .repo files contain repository information (similar to the [repository] sections of /etc/yum.conf). yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for transactions. If reposdir is not set, yum uses the default directory /etc/yum.repos.d/.
retries=value
where value is an integer 0 or greater. This value sets the number of times yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 10.
For a complete list of available [main] options, see the [main] OPTIONS section of the yum.conf(5) manual page.

8.4.2. Setting [repository] Options

The [repository] sections, where repository is a unique repository ID such as my_personal_repo (spaces are not permitted), allow you to define individual Yum repositories. To avoid conflicts, custom repositories should not use names used by Red Hat repositories.
The following is a bare-minimum example of the form a [repository] section takes:
[repository]
name=repository_name
baseurl=repository_url
Every [repository] section must contain the following directives:
name=repository_name
where repository_name is a human-readable string describing the repository.
baseurl=repository_url
where repository_url is a URL to the directory where the repodata directory of a repository is located:
  • If the repository is available over HTTP, use: http://path/to/repo
  • If the repository is available over FTP, use: ftp://path/to/repo
  • If the repository is local to the machine, use: file:///path/to/local/repo
  • If a specific online repository requires basic HTTP authentication, you can specify your user name and password by prepending it to the URL as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a user name of user and a password of password, then the baseurl link could be specified as http://user:password@www.example.com/repo/.
Usually this URL is an HTTP link, such as:
baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/
Note that Yum always expands the $releasever, $arch, and $basearch variables in URLs. For more information about Yum variables, see Section 8.4.3, “Using Yum Variables”.
Another useful [repository] directive is the following:
enabled=value
where value is one of:
0 — Do not include this repository as a package source when performing updates and installs. This is an easy way of quickly turning repositories on and off, which is useful when you desire a single package from a repository that you do not want to enable for updates or installs.
1 — Include this repository as a package source.
Turning repositories on and off can also be performed by passing either the --enablerepo=repo_name or --disablerepo=repo_name option to yum, or through the Add/Remove Software window of the PackageKit utility.
Many more [repository] options exist. For a complete list, see the [repository] OPTIONS section of the yum.conf(5) manual page.

Example 8.6. A sample /etc/yum.repos.d/redhat.repo file

The following is a sample /etc/yum.repos.d/redhat.repo file:
#
# Red Hat Repositories
# Managed by (rhsm) subscription-manager
#

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-source-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (Source RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/source/SRPMS
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-debug-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (Debug RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/debug
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem

8.4.3. Using Yum Variables

You can use and reference the following built-in variables in yum commands and in all Yum configuration files (that is, /etc/yum.conf and all .repo files in the /etc/yum.repos.d/ directory):
$releasever
You can use this variable to reference the release version of Red Hat Enterprise Linux. Yum obtains the value of $releasever from the distroverpkg=value line in the /etc/yum.conf configuration file. If there is no such line in /etc/yum.conf, then yum infers the correct value by deriving the version number from the redhat-release-server package. The value of $releasever typically consists of the major release number and the variant of Red Hat Enterprise Linux, for example 6Client, or 6Server.
$arch
You can use this variable to refer to the system's CPU architecture as returned when calling Python's os.uname() function. Valid values for $arch include i686 and x86_64.
$basearch
You can use $basearch to reference the base architecture of the system. For example, i686 machines have a base architecture of i386, and AMD64 and Intel 64 machines have a base architecture of x86_64.
$YUM0-9
These ten variables are each replaced with the value of any shell environment variables with the same name. If one of these variables is referenced (in /etc/yum.conf for example) and a shell environment variable with the same name does not exist, then the configuration file variable is not replaced.
To define a custom variable or to override the value of an existing one, create a file with the same name as the variable (without the $ sign) in the /etc/yum/vars/ directory, and add the desired value on its first line.
For example, repository descriptions often include the operating system name. To define a new variable called $osname, create a new file with Red Hat Enterprise Linux on the first line and save it as /etc/yum/vars/osname:
~]# echo "Red Hat Enterprise Linux" > /etc/yum/vars/osname
Instead of Red Hat Enterprise Linux 6, you can now use the following in the .repo files:
name=$osname $releasever

8.4.4. Viewing the Current Configuration

To display the current values of global Yum options (that is, the options specified in the [main] section of the /etc/yum.conf file), run the yum-config-manager with no command-line options:
yum-config-manager
To list the content of a different configuration section or sections, use the command in the following form:
yum-config-manager section
You can also use a glob expression to display the configuration of all matching sections:
yum-config-manager glob_expression
For example, to list all configuration options and their corresponding values, type the following at a shell prompt:
~]$ yum-config-manager main \*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
================================== main ===================================
[main]
alwaysprompt = True
assumeyes = False
bandwith = 0
bugtracker_url = https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206&component=yum
cache = 0
[output truncated]

8.4.5. Adding, Enabling, and Disabling a Yum Repository

Section 8.4.2, “Setting [repository] Options” described various options you can use to define a Yum repository. This section explains how to add, enable, and disable a repository by using the yum-config-manager command.

Important

When the system is registered with the certificate-based Red Hat Network, the Red Hat Subscription Manager tools are used to manage repositories in the /etc/yum.repos.d/redhat.repo file. See Chapter 6, Registering the System and Managing Subscriptions for more information how to register a system with Red Hat Network and use the Red Hat Subscription Manager tools to manage subscriptions.
Adding a Yum Repository
To define a new repository, you can either add a [repository] section to the /etc/yum.conf file, or to a .repo file in the /etc/yum.repos.d/ directory. All files with the .repo file extension in this directory are read by yum, and it is recommended to define your repositories here instead of in /etc/yum.conf.

Warning

Obtaining and installing software packages from unverified or untrusted software sources other than Red Hat Network constitutes a potential security risk, and could lead to security, stability, compatibility, and maintainability issues.
Yum repositories commonly provide their own .repo file. To add such a repository to your system and enable it, run the following command as root:
yum-config-manager --add-repo repository_url
where repository_url is a link to the .repo file. For example, to add a repository located at http://www.example.com/example.repo, type the following at a shell prompt:
~]# yum-config-manager --add-repo http://www.example.com/example.repo
Loaded plugins: product-id, refresh-packagekit, subscription-manager
adding repo from: http://www.example.com/example.repo
grabbing file http://www.example.com/example.repo to /etc/yum.repos.d/example.repo
example.repo                                             |  413 B     00:00
repo saved to /etc/yum.repos.d/example.repo
Enabling a Yum Repository
To enable a particular repository or repositories, type the following at a shell prompt as root:
yum-config-manager --enable repository
where repository is the unique repository ID (use yum repolist all to list available repository IDs). Alternatively, you can use a glob expression to enable all matching repositories:
yum-config-manager --enable glob_expression
For example, to enable repositories defined in the [example], [example-debuginfo], and [example-source]sections, type:
~]# yum-config-manager --enable example\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
============================== repo: example ==============================
[example]
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/6Server
baseurl = http://www.example.com/repo/6Server/x86_64/
cache = 0
cachedir = /var/cache/yum/x86_64/6Server/example
[output truncated]
When successful, the yum-config-manager --enable command displays the current repository configuration.
Disabling a Yum Repository
To disable a Yum repository, run the following command as root:
yum-config-manager --disable repository
where repository is the unique repository ID (use yum repolist all to list available repository IDs). Similarly to yum-config-manager --enable, you can use a glob expression to disable all matching repositories at the same time:
yum-config-manager --disable glob_expression
When successful, the yum-config-manager --disable command displays the current configuration.

8.4.6. Creating a Yum Repository

To set up a Yum repository, follow these steps:
  1. Install the createrepo package. To do so, type the following at a shell prompt as root:
    yum install createrepo
  2. Copy all packages that you want to have in your repository into one directory, such as /mnt/local_repo/.
  3. Change to this directory and run the following command:
    createrepo --database /mnt/local_repo
    This creates the necessary metadata for your Yum repository, as well as the sqlite database for speeding up yum operations.

    Important

    Compared to Red Hat Enterprise Linux 5, RPM packages for Red Hat Enterprise Linux 6 are compressed with the XZ lossless data compression format and can be signed with newer hash algorithms like SHA-256. Consequently, it is not recommended to use the createrepo command on Red Hat Enterprise Linux 5 to create the package metadata for Red Hat Enterprise Linux 6.

8.4.7. Working with Yum Cache

By default, yum deletes downloaded data files when they are no longer needed after a successful operation. This minimizes the amount of storage space that yum uses. However, you can enable caching, so that the package files downloaded by yum stay in cache directories. By using cached data, you can carry out certain operations without a network connection, you can also copy packages stored in the caches and reuse them elsewhere.
Yum stores temporary files in the /var/cache/yum/$basearch/$releasever/ directory, where $basearch and $releasever are Yum variables referring to base architecture of the system and the release version of Red Hat Enterprise Linux. Each configured repository has one subdirectory. For example, the directory /var/cache/yum/$basearch/$releasever/development/packages/ holds packages downloaded from the development repository. You can find the values for the $basearch and $releasever variables in the output of the yum version command.
To change the default cache location, modify the cachedir option in the [main] section of the /etc/yum.conf configuration file. See Section 8.4, “Configuring Yum and Yum Repositories” for more information on configuring yum.
Enabling the Caches
To retain the cache of packages after a successful installation, add the following text to the [main] section of /etc/yum.conf.
keepcache = 1
Once you enabled caching, every yum operation may download package data from the configured repositories.
To download and make usable all the metadata for the currently enabled yum repositories, type:
yum makecache
This is useful if you want to make sure that the cache is fully up to date with all metadata. To set the time after which the metadata will expire, use the metadata-expire setting in /etc/yum.conf.
Using yum in Cache-only Mode
To carry out a yum command without a network connection, add the -C or --cacheonly command-line option. With this option, yum proceeds without checking any network repositories, and uses only cached files. In this mode, yum may only install packages that have been downloaded and cached by a previous operation.
For instance, to list packages that use the currently cached data with names that contain gstreamer, enter the following command:
yum -C list gstreamer*
Clearing the yum Caches
It is often useful to remove entries accumulated in the /var/cache/yum/ directory. If you remove a package from the cache, you do not affect the copy of the software installed on your system. To remove all entries for currently enabled repositories from the cache, type the following as a root:
yum clean all
There are various ways to invoke yum in clean mode depending on the type of cached data you want to remove. See Table 8.3, “Available yum clean options” for a complete list of available configuration options.
Table 8.3. Available yum clean options
OptionDescription
expire-cacheeliminates time records of the metadata and mirrorlists download for each repository. This forces yum to revalidate the cache for each repository the next time it is used.
packageseliminates any cached packages from the system
headerseliminates all header files that previous versions of yum used for dependency resolution
metadataeliminates all files that yum uses to determine the remote availability of packages. These metadata are downloaded again the next time yum is run.
dbcacheeliminates the sqlite cache used for faster access to metadata. Using this option will force yum to download the sqlite metadata the next time it is run. This does not apply for repositories that contain only .xml data, in that case, sqlite data are deleted but without subsequent download
rpmdbeliminates any cached data from the local rpmdb
pluginsenabled plugins are forced to eliminate their cached data
allremoves all of the above
The expire-cache option is most preferred from the above list. In many cases, it is a sufficient and much faster replacement for clean all.

8.4.8. Adding the Optional and Supplementary Repositories

Optional and Supplementary subscription channels provide additional software packages for Red Hat Enterprise Linux that cover open source licensed software (in the Optional channel) and proprietary licensed software (in the Supplementary channel).
Before subscribing to the Optional and Supplementary channels see the Scope of Coverage Details. If you decide to install packages from these channels, follow the steps documented in the article called How to access Optional and Supplementary channels, and -devel packages using Red Hat Subscription Manager (RHSM)? on the Red Hat Customer Portal.

8.5. Yum Plug-ins

Yum provides plug-ins that extend and enhance its operations. Certain plug-ins are installed by default. Yum always informs you which plug-ins, if any, are loaded and active whenever you call any yum command. For example:
~]# yum info yum
Loaded plugins: product-id, refresh-packagekit, subscription-manager
[output truncated]
Note that the plug-in names which follow Loaded plugins are the names you can provide to the --disableplugins=plugin_name option.

8.5.1. Enabling, Configuring, and Disabling Yum Plug-ins

To enable Yum plug-ins, ensure that a line beginning with plugins= is present in the [main] section of /etc/yum.conf, and that its value is 1:
plugins=1
You can disable all plug-ins by changing this line to plugins=0.

Important

Disabling all plug-ins is not advised because certain plug-ins provide important Yum services. In particular, rhnplugin provides support for RHN Classic, and product-id and subscription-manager plug-ins provide support for the certificate-based Content Delivery Network (CDN). Disabling plug-ins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
Every installed plug-in has its own configuration file in the /etc/yum/pluginconf.d/ directory. You can set plug-in specific options in these files. For example, here is the refresh-packagekit plug-in's refresh-packagekit.conf configuration file:
[main]
enabled=1
Plug-in configuration files always contain a [main] section (similar to Yum's /etc/yum.conf file) in which there is (or you can place if it is missing) an enabled= option that controls whether the plug-in is enabled when you run yum commands.
If you disable all plug-ins by setting enabled=0 in /etc/yum.conf, then all plug-ins are disabled regardless of whether they are enabled in their individual configuration files.
If you merely want to disable all Yum plug-ins for a single yum command, use the --noplugins option.
If you want to disable one or more Yum plug-ins for a single yum command, add the --disableplugin=plugin_name option to the command. For example, to disable the presto plug-in while updating a system, type:
~]# yum update --disableplugin=presto
The plug-in names you provide to the --disableplugin= option are the same names listed after the Loaded plugins line in the output of any yum command. You can disable multiple plug-ins by separating their names with commas. In addition, you can match multiple plug-in names or shorten long ones by using glob expressions:
~]# yum update --disableplugin=presto,refresh-pack*

8.5.2. Installing Additional Yum Plug-ins

Yum plug-ins usually adhere to the yum-plugin-plugin_name package-naming convention, but not always: the package which provides the presto plug-in is named yum-presto, for example. You can install a Yum plug-in in the same way you install other packages. For instance, to install the security plug-in, type the following at a shell prompt:
~]# yum install yum-plugin-security

8.5.3. Plug-in Descriptions

The following list provides descriptions and usage instructions for several useful yum plug-ins. Plug-ins are listed by names, brackets contain the name of the package.
search-disabled-repos (subscription-manager)
The search-disabled-repos plug-in allows you to temporarily or permanently enable disabled repositories to help resolve dependencies. With this plug-in enabled, when Yum fails to install a package due to failed dependency resolution, it offers to temporarily enable disabled repositories and try again. If the installation succeeds, Yum also offers to enable the used repositories permanently. Note that the plug-in works only with the repositories that are managed by subscription-manager and not with custom repositories.

Important

If yum is executed with the --assumeyes or -y option, or if the assumeyes directive is enabled in /etc/yum.conf, the plug-in enables disabled repositories, both temporarily and permanently, without prompting for confirmation. This may lead to problems, for example, enabling repositories that you do not want enabled.
To configure the search-disabled-repos plug-in, edit the configuration file located in /etc/yum/pluginconf.d/search-disabled-repos.conf. For the list of directives you can use in the [main] section, see the table below.
Table 8.4. Supported search-disabled-repos.conf directives
Directive Description
enabled=value Allows you to enable or disable the plug-in. The value must be either 1 (enabled), or 0 (disabled). The plug-in is enabled by default.
notify_only=value Allows you to restrict the behavior of the plug-in to notifications only. The value must be either 1 (notify only without modifying the behavior of Yum), or 0 (modify the behavior of Yum). By default the plug-in only notifies the user.
ignored_repos=repositories Allows you to specify the repositories that will not be enabled by the plug-in.
kabi (kabi-yum-plugins)
The kabi plug-in checks whether a driver update package conforms with official Red Hat kernel Application Binary Interface (kABI). With this plug-in enabled, when a user attempts to install a package that uses kernel symbols which are not on a whitelist, a warning message is written to the system log. Additionally, configuring the plug-in to run in enforcing mode prevents such packages from being installed at all.
To configure the kabi plug-in, edit the configuration file located in /etc/yum/pluginconf.d/kabi.conf. See Table 8.5, “Supported kabi.conf directives” for a list of directives that can be used in the [main] section.
Table 8.5. Supported kabi.conf directives
Directive Description
enabled=value Allows you to enable or disable the plug-in. The value must be either 1 (enabled), or 0 (disabled). When installed, the plug-in is enabled by default.
whitelists=directory Allows you to specify the directory in which the files with supported kernel symbols are located. By default, the kabi plug-in uses files provided by the kernel-abi-whitelists package (that is, the /lib/modules/kabi/ directory).
enforce=value Allows you to enable or disable enforcing mode. The value must be either 1 (enabled), or 0 (disabled). By default, this option is commented out and the kabi plug-in only displays a warning message.
presto (yum-presto)
The presto plug-in adds support to Yum for downloading delta RPM packages, during updates, from repositories which have presto metadata enabled. Delta RPMs contain only the differences between the version of the package installed on the client requesting the RPM package and the updated version in the repository.
Downloading a delta RPM is much quicker than downloading the entire updated package, and can speed up updates considerably. Once the delta RPMs are downloaded, they must be rebuilt to apply the difference to the currently-installed package and thus create the full, updated package. This process takes CPU time on the installing machine. Using delta RPMs is therefore a compromise between time-to-download, which depends on the network connection, and time-to-rebuild, which is CPU-bound. Using the presto plug-in is recommended for fast machines and systems with slower network connections, while slower machines on very fast connections benefit more from downloading normal RPM packages, that is, by disabling presto.
product-id (subscription-manager)
The product-id plug-in manages product identity certificates for products installed from the Content Delivery Network. The product-id plug-in is installed by default.
refresh-packagekit (PackageKit-yum-plugin)
The refresh-packagekit plug-in updates metadata for PackageKit whenever yum is run. The refresh-packagekit plug-in is installed by default.
rhnplugin (yum-rhn-plugin)
The rhnplugin provides support for connecting to RHN Classic. This allows systems registered with RHN Classic to update and install packages from this system. Note that RHN Classic is only provided for older Red Hat Enterprise Linux systems (that is, Red Hat Enterprise Linux 4.x, Red Hat Enterprise Linux 5.x, and Satellite 5.x) in order to migrate them over to Red Hat Enterprise Linux 6. The rhnplugin is installed by default.
See the rhnplugin(8) manual page for more information about the plug-in.
security (yum-plugin-security)
Discovering information about and applying security updates easily and often is important to all system administrators. For this reason Yum provides the security plug-in, which extends yum with a set of highly-useful security-related commands, subcommands and options.
You can check for security-related updates as follows:
~]# yum check-update --security
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Limiting package lists to security relevant ones
Needed 3 of 7 packages, for security
elinks.x86_64                   0.12-0.13.el6               rhel
kernel.x86_64                   2.6.30.8-64.el6             rhel
kernel-headers.x86_64           2.6.30.8-64.el6             rhel
You can then use either yum update --security or yum update-minimal --security to update those packages which are affected by security advisories. Both of these commands update all packages on the system for which a security advisory has been issued. yum update-minimal --security updates them to the latest packages which were released as part of a security advisory, while yum update --security will update all packages affected by a security advisory to the latest version of that package available.
In other words, if:
  • the kernel-2.6.30.8-16 package is installed on your system;
  • the kernel-2.6.30.8-32 package was released as a security update;
  • then kernel-2.6.30.8-64 was released as a bug fix update,
...then yum update-minimal --security will update you to kernel-2.6.30.8-32, and yum update --security will update you to kernel-2.6.30.8-64. Conservative system administrators probably want to use update-minimal to reduce the risk incurred by updating packages as much as possible.
See the yum-security(8) manual page for usage details and further explanation of the enhancements the security plug-in adds to yum.
subscription-manager (subscription-manager)
The subscription-manager plug-in provides support for connecting to Red Hat Network. This allows systems registered with Red Hat Network to update and install packages from the certificate-based Content Delivery Network. The subscription-manager plug-in is installed by default.
See Chapter 6, Registering the System and Managing Subscriptions for more information how to manage product subscriptions and entitlements.
yum-downloadonly (yum-plugin-downloadonly)
The yum-downloadonly plug-in provides the --downloadonly command-line option which can be used to download packages from Red Hat Network or a configured Yum repository without installing the packages.
To install the package, follow the instructions in Section 8.5.2, “Installing Additional Yum Plug-ins”. After the installation, see the contents of the /etc/yum/pluginconf.d/downloadonly.conf file to ensure that the plug-in is enabled:
~]$ cat /etc/yum/pluginconf.d/downloadonly.conf
[main]
enabled=1
In the following example, the yum install --downloadonly command is run to download the latest version of the httpd package, without installing it:
~]# yum install httpd --downloadonly
Loaded plugins: downloadonly, product-id, refresh-packagekit, rhnplugin,
              : subscription-manager
Updating Red Hat repositories.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-9.el6_1.2 will be updated
---> Package httpd.x86_64 0:2.2.15-15.el6_2.1 will be an update
--> Processing Dependency: httpd-tools = 2.2.15-15.el6_2.1 for package: httpd-2.2.15-15.el6_2.1.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-9.el6_1.2 will be updated
---> Package httpd-tools.x86_64 0:2.2.15-15.el6_2.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch      Version                 Repository               Size
================================================================================
Updating:
 httpd          x86_64    2.2.15-15.el6_2.1       rhel-x86_64-server-6    812 k
Updating for dependencies:
 httpd-tools    x86_64    2.2.15-15.el6_2.1       rhel-x86_64-server-6     70 k

Transaction Summary
================================================================================
Upgrade       2 Package(s)

Total download size: 882 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): httpd-2.2.15-15.el6_2.1.x86_64.rpm                | 812 kB     00:00
(2/2): httpd-tools-2.2.15-15.el6_2.1.x86_64.rpm          |  70 kB     00:00
--------------------------------------------------------------------------------
Total                                           301 kB/s | 882 kB     00:02


exiting because --downloadonly specified
By default, packages downloaded using the --downloadonly option are saved in one of the subdirectories of the /var/cache/yum directory, depending on the Red Hat Enterprise Linux variant and architecture.
If you want to specify an alternate directory to save the packages, pass the --downloaddir option along with --downloadonly:
~]# yum install --downloadonly --downloaddir=/path/to/directory httpd

Note

As an alternative to the yum-downloadonly plugin — to download packages without installing them — you can use the yumdownloader utility that is provided by the yum-utils package.

8.6. Additional Resources

For more information on how to manage software packages on Red Hat Enterprise Linux, see the resources listed below.

Installed Documentation

  • yum(8) — The manual page for the yum command-line utility provides a complete list of supported options and commands.
  • yumdb(8) — The manual page for the yumdb command-line utility documents how to use this tool to query and, if necessary, alter the yum database.
  • yum.conf(5) — The manual page named yum.conf documents available yum configuration options.
  • yum-utils(1) — The manual page named yum-utils lists and briefly describes additional utilities for managing yum configuration, manipulating repositories, and working with yum database.

Online Resources

  • Yum Guides — The Yum Guides page on the project home page provides links to further documentation.
  • Red Hat Access Labs — The Red Hat Access Labs includes a Yum Repository Configuration Helper.

See Also

  • Chapter 4, Gaining Privileges documents how to gain administrative privileges by using the su and sudo commands.
  • Appendix B, RPM describes the RPM Package Manager (RPM), the packaging system used by Red Hat Enterprise Linux.

Chapter 9. PackageKit

Red Hat provides PackageKit for viewing, managing, updating, installing and uninstalling packages compatible with your system. PackageKit consists of several graphical interfaces that can be opened from the GNOME panel menu, or from the Notification Area when PackageKit alerts you that updates are available. For more information on PackageKit's architecture and available front ends, see Section 9.3, “PackageKit Architecture”.

9.1. Updating Packages with Software Update

PackageKit displays a starburst icon in the Notification Area whenever updates are available to be installed on your system.
PackageKit's icon in the Notification Area

Figure 9.1. PackageKit's icon in the Notification Area

Clicking on the notification icon opens the Software Update window. Alternatively, you can open Software Updates by clicking SystemAdministrationSoftware Update from the GNOME panel, or running the gpk-update-viewer command at the shell prompt. In the Software Updates window, all available updates are listed along with the names of the packages being updated (minus the .rpm suffix, but including the CPU architecture), a short summary of the package, and, usually, short descriptions of the changes the update provides. Any updates you do not want to install can be de-selected here by unchecking the check box corresponding to the update.
Installing updates with Software Update

Figure 9.2. Installing updates with Software Update

The updates presented in the Software Updates window only represent the currently-installed packages on your system for which updates are available; dependencies of those packages, whether they are existing packages on your system or new ones, are not shown until you click Install Updates.
PackageKit utilizes the fine-grained user authentication capabilities provided by the PolicyKit toolkit whenever you request it to make changes to the system. Whenever you instruct PackageKit to update, install or remove packages, you will be prompted to enter the superuser password before changes are made to the system.
If you instruct PackageKit to update the kernel package, then it will prompt you after installation, asking you whether you want to reboot the system and thereby boot into the newly-installed kernel.

Setting the Update-Checking Interval

Right-clicking on PackageKit's Notification Area icon and clicking Preferences opens the Software Update Preferences window, where you can define the interval at which PackageKit checks for package updates, as well as whether or not to automatically install all updates or only security updates. Leaving the Check for updates when using mobile broadband box unchecked is handy for avoiding extraneous bandwidth usage when using a wireless connection on which you are charged for the amount of data you download.
Setting PackageKit's update-checking interval

Figure 9.3. Setting PackageKit's update-checking interval

9.2. Using Add/Remove Software

To find and install a new package, on the GNOME panel click on SystemAdministrationAdd/Remove Software, or run the gpk-application command at the shell prompt.
PackageKit's Add/Remove Software window

Figure 9.4. PackageKit's Add/Remove Software window

9.2.1. Refreshing Software Sources (Yum Repositories)

PackageKit refers to Yum repositories as software sources. It obtains all packages from enabled software sources. You can view the list of all configured and unfiltered (see below) Yum repositories by opening Add/Remove Software and clicking SystemSoftware sources. The Software Sources dialog shows the repository name, as written on the name=<My Repository Name> field of all [repository] sections in the /etc/yum.conf configuration file, and in all repository.repo files in the /etc/yum.repos.d/ directory.
Entries which are checked in the Enabled column indicate that the corresponding repository will be used to locate packages to satisfy all update and installation requests (including dependency resolution). You can enable or disable any of the listed Yum repositories by selecting or clearing the check box. Note that doing so causes PolicyKit to prompt you for superuser authentication.
The Enabled column corresponds to the enabled=<1 or 0> field in [repository] sections. When you click the check box, PackageKit inserts the enabled=<1 or 0> line into the correct [repository] section if it does not exist, or changes the value if it does. This means that enabling or disabling a repository through the Software Sources window causes that change to persist after closing the window or rebooting the system.
Note that it is not possible to add or remove Yum repositories through PackageKit.

Note

Checking the box at the bottom of the Software Sources window causes PackageKit to display source RPM, testing and debuginfo repositories as well. This box is unchecked by default.
After making a change to the available Yum repositories, click on SystemRefresh package lists to make sure your package list is up-to-date.

9.2.2. Finding Packages with Filters

Once the software sources have been updated, it is often beneficial to apply some filters so that PackageKit retrieves the results of our Find queries faster. This is especially helpful when performing many package searches. Four of the filters in the Filters drop-down menu are used to split results by matching or not matching a single criterion. By default when PackageKit starts, these filters are all unapplied (No filter), but once you do filter by one of them, that filter remains set until you either change it or close PackageKit.
Because you are usually searching for available packages that are not installed on the system, click FiltersInstalled and select the Only available radio button.
Filtering out already-installed packages

Figure 9.5. Filtering out already-installed packages

Also, unless you require development files such as C header files, click FiltersDevelopment and select the Only end user files radio button. This filters out all of the <package_name>-devel packages we are not interested in.
Filtering out development packages from the list of Find results

Figure 9.6. Filtering out development packages from the list of Find results

The two remaining filters with submenus are:
Graphical
Narrows the search to either applications which provide a GUI interface (Only graphical) or those that do not. This filter is useful when browsing for GUI applications that perform a specific function.
Free
Search for packages which are considered to be free software. See the Fedora Licensing List for details on approved licenses.
The remaining filters can be enabled by selecting the check boxes next to them:
Hide subpackages
Checking the Hide subpackages check box filters out generally-uninteresting packages that are typically only dependencies of other packages that we want. For example, checking Hide subpackages and searching for <package> would cause the following related packages to be filtered out of the Find results (if it exists):
  • <package>-devel
  • <package>-libs
  • <package>-libs-devel
  • <package>-debuginfo
Only newest packages
Checking Only newest packages filters out all older versions of the same package from the list of results, which is generally what we want. Note that this filter is often combined with the Only available filter to search for the latest available versions of new (not installed) packages.
Only native packages
Checking the Only native packages box on a multilib system causes PackageKit to omit listing results for packages compiled for the architecture that runs in compatibility mode. For example, enabling this filter on a 64-bit system with an AMD64 CPU would cause all packages built for the 32-bit x86 CPU architecture not to be shown in the list of results, even though those packages are able to run on an AMD64 machine. Packages which are architecture-agnostic (i.e. noarch packages such as crontabs-1.10-32.1.el6.noarch.rpm) are never filtered out by checking Only native packages. This filter has no affect on non-multilib systems, such as x86 machines.

9.2.3. Installing and Removing Packages (and Dependencies)

With the two filters selected, Only available and Only end user files, search for the screen window manager for the command line and highlight the package. You now have access to some very useful information about it, including: a clickable link to the project homepage; the Yum package group it is found in, if any; the license of the package; a pointer to the GNOME menu location from where the application can be opened, if applicable; and the size of the package, which is relevant when we download and install it.
Viewing and installing a package with PackageKit's Add/Remove Software window

Figure 9.7. Viewing and installing a package with PackageKit's Add/Remove Software window

When the check box next to a package or group is checked, then that item is already installed on the system. Checking an unchecked box causes it to be marked for installation, which only occurs when the Apply button is clicked. In this way, you can search for and select multiple packages or package groups before performing the actual installation transactions. Additionally, you can remove installed packages by unchecking the checked box, and the removal will occur along with any pending installations when Apply is pressed. Dependency resolution, which may add additional packages to be installed or removed, is performed after pressing Apply. PackageKit will then display a window listing those additional packages to install or remove, and ask for confirmation to proceed.
Select screen and click the Apply button. You will then be prompted for the superuser password; enter it, and PackageKit will install screen. After finishing the installation, PackageKit sometimes presents you with a list of your newly-installed applications and offers you the choice of running them immediately. Alternatively, you will remember that finding a package and selecting it in the Add/Remove Software window shows you the Location of where in the GNOME menus its application shortcut is located, which is helpful when you want to run it.
Once it is installed, you can run screen, a screen manager that allows you to have multiple logins on one terminal, by typing screen at a shell prompt.
screen is a very useful utility, but we decide that we do not need it and we want to uninstall it. Remembering that we need to change the Only available filter we recently used to install it to Only installed in FiltersInstalled, we search for screen again and uncheck it. The program did not install any dependencies of its own; if it had, those would be automatically removed as well, as long as they were not also dependencies of any other packages still installed on our system.

Warning

Although PackageKit automatically resolves dependencies during package installation and removal, it is unable to remove a package without also removing packages which depend on it. This type of operation can only be performed by RPM, is not advised, and can potentially leave your system in a non-functioning state or cause applications to behave erratically and/or crash.
Removing a package with PackageKit's Add/Remove Software window

Figure 9.8. Removing a package with PackageKit's Add/Remove Software window

9.2.4. Installing and Removing Package Groups

PackageKit also has the ability to install Yum package groups, which it calls Package collections. Clicking on Package collections in the top-left list of categories in the Software Updates window allows us to scroll through and find the package group we want to install. In this case, we want to install Czech language support (the Czech Support group). Checking the box and clicking apply informs us how many additional packages must be installed in order to fulfill the dependencies of the package group.
Installing the Czech Support package group

Figure 9.9. Installing the Czech Support package group

Similarly, installed package groups can be uninstalled by selecting Package collections, unchecking the appropriate check box, and applying.

9.2.5. Viewing the Transaction Log

PackageKit maintains a log of the transactions that it performs. To view the log, from the Add/Remove Software window, click SystemSoftware log, or run the gpk-log command at the shell prompt.
The Software Log Viewer shows the following information:
  • Date — the date on which the transaction was performed.
  • Action — the action that was performed during the transaction, for example Updated packages or Installed packages.
  • Details — the transaction type such as Updated, Installed, or Removed, followed by a list of affected packages.
  • Username — the name of the user who performed the action.
  • Application — the front end application that was used to perform the action, for example Update System.
Typing the name of a package in the top text entry field filters the list of transactions to those which affected that package.
Viewing the log of package management transactions with the Software Log Viewer

Figure 9.10. Viewing the log of package management transactions with the Software Log Viewer

9.3. PackageKit Architecture

Red Hat provides the PackageKit suite of applications for viewing, updating, installing and uninstalling packages and package groups compatible with your system. Architecturally, PackageKit consists of several graphical front ends that communicate with the packagekitd daemon back end, which communicates with a package manager-specific back end that utilizes Yum to perform the actual transactions, such as installing and removing packages, etc.
Table 9.1, “PackageKit GUI windows, menu locations, and shell prompt commands” shows the name of the GUI window, how to start the window from the GNOME desktop or from the Add/Remove Software window, and the name of the command-line application that opens that window.
Table 9.1. PackageKit GUI windows, menu locations, and shell prompt commands
Window Title Function How to Open Shell Command
Add/Remove Software Install, remove or view package info
From the GNOME panel: SystemAdministrationAdd/Remove Software
gpk-application
Software Update Perform package updates
From the GNOME panel: SystemAdministrationSoftware Update
gpk-update-viewer
Software Sources Enable and disable Yum repositories
From Add/Remove Software: SystemSoftware Sources
gpk-repo
Software Log Viewer View the transaction log
From Add/Remove Software: SystemSoftware Log
gpk-log
Software Update Preferences Set PackageKit preferences gpk-prefs
(Notification Area Alert) Alerts you when updates are available
From the GNOME panel: SystemPreferencesStartup Applications, the Startup Programs tab
gpk-update-icon
The packagekitd daemon runs outside the user session and communicates with the various graphical front ends. The packagekitd daemon[2] communicates via the DBus system message bus with another back end, which utilizes Yum's Python API to perform queries and make changes to the system. On Linux systems other than Red Hat Enterprise Linux and Fedora, packagekitd can communicate with other back ends that are able to utilize the native package manager for that system. This modular architecture provides the abstraction necessary for the graphical interfaces to work with many different package managers to perform essentially the same types of package management tasks. Learning how to use the PackageKit front ends means that you can use the same familiar graphical interface across many different Linux distributions, even when they utilize a native package manager other than Yum.
In addition, PackageKit's separation of concerns provides reliability in that a crash of one of the GUI windows—or even the user's X Window session—will not affect any package management tasks being supervised by the packagekitd daemon, which runs outside of the user session.
All of the front end graphical applications discussed in this chapter are provided by the gnome-packagekit package instead of by PackageKit and its dependencies.
Finally, PackageKit also comes with a console-based front end called pkcon.

9.4. Additional Resources

For more information about PackageKit, see the resources listed below.
Installed Documentation
  • gpk-application(1) — The manual page containing information about the gpk-application command.
  • gpk-backend-status(1) — The manual page containing information about the gpk-backend-status command.
  • gpk-install-local-file(1) — The manual page containing information about the gpk-install-local-file command.
  • gpk-install-mime-type(1) — The manual page containing information about the gpk-install-mime-type command.
  • gpk-install-package-name(1) — The manual page containing information about the qpk-install-package-name command.
  • gpk-install-package-name(1) — The manual page containing information about the gpk-install-package-name command.
  • gpk-prefs(1) — The manual page containing information about the gpk-prefs command.
  • gpk-repo(1) — The manual page containing information about the gpk-repo command.
  • gpk-update-icon(1) — The manual page containing information about the gpk-update-icon command.
  • gpk-update-viewer(1) — The manual page containing information about the gpk-update-viewer command.
  • pkcon(1) and pkmon(1) — The manual pages containing information about the PackageKit console client.
  • pkgenpack(1) — The manual page containing information about the PackageKit Pack Generator.
Online Documentation
  • PackageKit home page — The PackageKit home page listing detailed information about the PackageKit software suite.
  • PackageKit FAQ — An informative list of Frequently Asked Questions for the PackageKit software suite.
See Also


[2] System daemons are typically long-running processes that provide services to the user or to other programs, and which are started, often at boot time, by special initialization scripts (often shortened to init scripts). Daemons respond to the service command and can be turned on or off permanently by using the chkconfig on or chkconfig off commands. They can typically be recognized by a d appended to their name, such as the packagekitd daemon. See Chapter 12, Services and Daemons for information about system services.

Part IV. Networking

This part describes how to configure the network on Red Hat Enterprise Linux.

Chapter 10. NetworkManager

NetworkManager is a dynamic network control and configuration system that attempts to keep network devices and connections up and active when they are available. NetworkManager consists of a core daemon, a GNOME Notification Area applet that provides network status information, and graphical configuration tools that can create, edit and remove connections and interfaces. NetworkManager can be used to configure the following types of connections: Ethernet, wireless, mobile broadband (such as cellular 3G), and DSL and PPPoE (Point-to-Point over Ethernet). In addition, NetworkManager allows for the configuration of network aliases, static routes, DNS information and VPN connections, as well as many connection-specific parameters. Finally, NetworkManager provides a rich API via D-Bus which allows applications to query and control network configuration and state.
Previous versions of Red Hat Enterprise Linux included the Network Administration Tool, which was commonly known as system-config-network after its command-line invocation. In Red Hat Enterprise Linux 6, NetworkManager replaces the former Network Administration Tool while providing enhanced functionality, such as user-specific and mobile broadband configuration. It is also possible to configure the network in Red Hat Enterprise Linux 6 by editing interface configuration files; see Chapter 11, Network Interfaces for more information.
NetworkManager may be installed by default on your version of Red Hat Enterprise Linux. To ensure that it is, run the following command as root:
~]# yum install NetworkManager

10.1. The NetworkManager Daemon

The NetworkManager daemon runs with root privileges and is usually configured to start up at boot time. You can determine whether the NetworkManager daemon is running by entering this command as root:
~]# service NetworkManager status
    NetworkManager (pid  1527) is running...
The service command will report NetworkManager is stopped if the NetworkManager service is not running. To start it for the current session:
~]# service NetworkManager start
Run the chkconfig command to ensure that NetworkManager starts up every time the system boots:
~]# chkconfig NetworkManager on
For more information on starting, stopping and managing services and runlevels, see Chapter 12, Services and Daemons.

10.2. Interacting with NetworkManager

Users do not interact with the NetworkManager system service directly. Instead, you can perform network configuration tasks via NetworkManager's Notification Area applet. The applet has multiple states that serve as visual indicators for the type of connection you are currently using. Hover the pointer over the applet icon for tooltip information on the current connection state.
NetworkManager applet states

Figure 10.1. NetworkManager applet states

If you do not see the NetworkManager applet in the GNOME panel, and assuming that the NetworkManager package is installed on your system, you can start the applet by running the following command as a normal user (not root):
~]$ nm-applet &
After running this command, the applet appears in your Notification Area. You can ensure that the applet runs each time you log in by clicking SystemPreferencesStartup Applications to open the Startup Applications Preferences window. Then, select the Startup Programs tab and check the box next to NetworkManager.

10.2.1. Connecting to a Network

When you left-click on the applet icon, you are presented with:
  • a list of categorized networks you are currently connected to (such as Wired and Wireless);
  • a list of all Available Networks that NetworkManager has detected;
  • options for connecting to any configured Virtual Private Networks (VPNs); and,
  • options for connecting to hidden or new wireless networks.
If you are connected to a network, its name is presented in bold typeface under its network type, such as Wired or Wireless. When many networks are available, such as wireless access points, the More networks expandable menu entry appears.
The NetworkManager applet's left-click menu, showing all available and connected-to networks

Figure 10.2. The NetworkManager applet's left-click menu, showing all available and connected-to networks

10.2.2. Configuring New and Editing Existing Connections

Next, right-click on the NetworkManager applet to open its context menu, which is the main point of entry for interacting with NetworkManager to configure connections.
The NetworkManager applet's context menu

Figure 10.3. The NetworkManager applet's context menu

Ensure that the Enable Networking box is checked. If the system has detected a wireless card, then you will also see an Enable Wireless menu option. Check the Enable Wireless check box as well. NetworkManager notifies you of network connection status changes if you check the Enable Notifications box. Clicking the Connection Information entry presents an informative Connection Information window that lists the connection type and interface, your IP address and routing details, and so on.
Finally, clicking on Edit Connections opens the Network Connections window, from where you can perform most of your network configuration tasks. Note that this window can also be opened by running, as a normal user:
~]$ nm-connection-editor &
Configure networks using the Network Connections window

Figure 10.4. Configure networks using the Network Connections window

There is an arrow head symbol to the left which can be clicked to hide and reveal entries as needed. To create a new connection, click the Add button to view the selection list, select the connection type and click the Create button. Alternatively, to edit an existing connection select the interface name from the list and click the Edit button.
Then, to configure:

10.2.3. Connecting to a Network Automatically

For any connection type you add or configure, you can choose whether you want NetworkManager to try to connect to that network automatically when it is available.

Procedure 10.1. Configuring NetworkManager to Connect to a Network Automatically When Detected

  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the arrow head if necessary to reveal the list of connections.
  3. Select the specific connection that you want to configure and click Edit.
  4. Check Connect automatically to cause NetworkManager to auto-connect to the connection whenever NetworkManager detects that it is available. Uncheck the check box if you do not want NetworkManager to connect automatically. If the box is unchecked, you will have to select that connection manually in the NetworkManager applet's left-click menu to cause it to connect.

10.2.4. User and System Connections

NetworkManager connections are always either user connections or system connections. Depending on the system-specific policy that the administrator has configured, users may need root privileges to create and modify system connections. NetworkManager's default policy enables users to create and modify user connections, but requires them to have root privileges to add, modify or delete system connections.
User connections are so-called because they are specific to the user who creates them. In contrast to system connections, whose configurations are stored under the /etc/sysconfig/network-scripts/ directory (mainly in ifcfg-<network_type> interface configuration files), user connection settings are stored in the GConf configuration database and the GNOME keyring, and are only available during login sessions for the user who created them. Thus, logging out of the desktop session causes user-specific connections to become unavailable.

Note

Because NetworkManager uses the GConf and GNOME keyring applications to store user connection settings, and because these settings are specific to your desktop session, it is highly recommended to configure your personal VPN connections as user connections. If you do so, other Non-root users on the system cannot view or access these connections in any way.
System connections, on the other hand, become available at boot time and can be used by other users on the system without first logging in to a desktop session.
NetworkManager can quickly and conveniently convert user to system connections and vice versa. Converting a user connection to a system connection causes NetworkManager to create the relevant interface configuration files under the /etc/sysconfig/network-scripts/ directory, and to delete the GConf settings from the user's session. Conversely, converting a system to a user-specific connection causes NetworkManager to remove the system-wide configuration files and create the corresponding GConf/GNOME keyring settings.
The Available to all users check box controls whether connections are user-specific or system-wide

Figure 10.5. The Available to all users check box controls whether connections are user-specific or system-wide

Procedure 10.2. Changing a Connection to be User-Specific instead of System-Wide, or Vice-Versa

Note

Depending on the system's policy, you may need root privileges on the system in order to change whether a connection is user-specific or system-wide.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. If needed, select the arrow head (on the left hand side) to hide and reveal the types of available network connections.
  3. Select the specific connection that you want to configure and click Edit.
  4. Check the Available to all users check box to ask NetworkManager to make the connection a system-wide connection. Depending on system policy, you may then be prompted for the root password by the PolicyKit application. If so, enter the root password to finalize the change.
    Conversely, uncheck the Available to all users check box to make the connection user-specific.

10.3. Establishing Connections

10.3.1. Establishing a Wired (Ethernet) Connection

To establish a wired network connection, Right-click on the NetworkManager applet to open its context menu, ensure that the Enable Networking box is checked, then click on Edit Connections. This opens the Network Connections window. Note that this window can also be opened by running, as a normal user:
~]$ nm-connection-editor &
You can click on the arrow head to reveal and hide the list of connections as needed.
The Network Connections window showing the newly created System eth0 connection

Figure 10.6. The Network Connections window showing the newly created System eth0 connection

The system startup scripts create and configure a single wired connection called System eth0 by default on all systems. Although you can edit System eth0, creating a new wired connection for your custom settings is recommended. You can create a new wired connection by clicking the Add button, selecting the Wired entry from the list that appears and then clicking the Create button.
Selecting a new connection type from the "Choose a Connection Type" list

Figure 10.7. Selecting a new connection type from the "Choose a Connection Type" list

Note

When you add a new connection by clicking the Add button, a list of connection types appears. Once you have made a selection and clicked on the Create button, NetworkManager creates a new configuration file for that connection and then opens the same dialog that is used for editing an existing connection. There is no difference between these dialogs. In effect, you are always editing a connection; the difference only lies in whether that connection previously existed or was just created by NetworkManager when you clicked Create.
Editing the newly created Wired connection System eth0

Figure 10.8.  Editing the newly created Wired connection System eth0

Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
Three settings in the Editing dialog are common to all connection types:
  • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Wired section of the Network Connections window.
  • Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
  • Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the Wired Tab
The final three configurable settings are located within the Wired tab itself: the first is a text-entry field where you can specify a MAC (Media Access Control) address, and the second allows you to specify a cloned MAC address, and third allows you to specify the MTU (Maximum Transmission Unit) value. Normally, you can leave the MAC address field blank and the MTU set to automatic. These defaults will suffice unless you are associating a wired connection with a second or specific NIC, or performing advanced networking. In such cases, see the following descriptions:
MAC Address
Network hardware such as a Network Interface Card (NIC) has a unique MAC address (Media Access Control; also known as a hardware address) that identifies it to the system. Running the ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the eth0 interface (which is 52:54:00:26:9e:f1) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe26:9ef1/64 scope link
       valid_lft forever preferred_lft forever
A single system can have one or more NICs installed on it. The MAC address field therefore allows you to associate a specific NIC with a specific connection (or connections). As mentioned, you can determine the MAC address using the ip addr command, and then copy and paste that value into the MAC address text-entry field.
The cloned MAC address field is mostly for use in such situations were a network service has been restricted to a specific MAC address and you need to emulate that MAC address.
MTU
The MTU (Maximum Transmission Unit) value represents the size in bytes of the largest packet that the connection will use to transmit. This value defaults to 1500 when using IPv4, or a variable number 1280 or higher for IPv6, and does not generally need to be specified or changed.
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing your wired connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

10.3.2. Establishing a Wireless Connection

This section explains how to use NetworkManager to configure a wireless (also known as Wi-Fi or 802.11a/b/g/n) connection to an Access Point.
To configure a mobile broadband (such as 3G) connection, see Section 10.3.3, “Establishing a Mobile Broadband Connection”.
Quickly Connecting to an Available Access Point
The easiest way to connect to an available access point is to left-click on the NetworkManager applet, locate the Service Set Identifier (SSID) of the access point in the list of Available networks, and click on it. If the access point is secured, a dialog prompts you for authentication.
Authenticating to a wireless access point

Figure 10.9. Authenticating to a wireless access point

NetworkManager tries to auto-detect the type of security used by the access point. If there are multiple possibilities, NetworkManager guesses the security type and presents it in the Wireless security dropdown menu. To see if there are multiple choices, click the Wireless security dropdown menu and select the type of security the access point is using. If you are unsure, try connecting to each type in turn. Finally, enter the key or passphrase in the Password field. Certain password types, such as a 40-bit WEP or 128-bit WPA key, are invalid unless they are of a requisite length. The Connect button will remain inactive until you enter a key of the length required for the selected security type. To learn more about wireless security, see Section 10.3.9.2, “Configuring Wireless Security”.

Note

In the case of WPA and WPA2 (Personal and Enterprise), an option to select between Auto, WPA and WPA2 has been added. This option is intended for use with an access point that is offering both WPA and WPA2. Select one of the protocols if you would like to prevent roaming between the two protocols. Roaming between WPA and WPA2 on the same access point can cause loss of service.
If NetworkManager connects to the access point successfully, its applet icon will change into a graphical indicator of the wireless connection's signal strength.
Applet icon indicating a wireless connection signal strength of 75%

Figure 10.10. Applet icon indicating a wireless connection signal strength of 75%

You can also edit the settings for one of these auto-created access point connections just as if you had added it yourself. The Wireless tab of the Network Connections window lists all of the connections you have ever tried to connect to: NetworkManager names each of them Auto <SSID>, where SSID is the Service Set identifier of the access point.
An example of access points that have previously been connected to

Figure 10.11. An example of access points that have previously been connected to

Connecting to a Hidden Wireless Network
All access points have a Service Set Identifier (SSID) to identify them. However, an access point may be configured not to broadcast its SSID, in which case it is hidden, and will not show up in NetworkManager's list of Available networks. You can still connect to a wireless access point that is hiding its SSID as long as you know its SSID, authentication method, and secrets.
To connect to a hidden wireless network, left-click NetworkManager's applet icon and select Connect to Hidden Wireless Network to cause a dialog to appear. If you have connected to the hidden network before, use the Connection dropdown to select it, and click Connect. If you have not, leave the Connection dropdown as New, enter the SSID of the hidden network, select its Wireless security method, enter the correct authentication secrets, and click Connect.
For more information on wireless security settings, see Section 10.3.9.2, “Configuring Wireless Security”.
Editing a Connection, or Creating a Completely New One
You can edit an existing connection that you have tried or succeeded in connecting to in the past by opening the Wireless tab of the Network Connections, selecting the connection by name (words which follow Auto refer to the SSID of an access point), and clicking Edit.
You can create a new connection by opening the Network Connections window, clicking the Add button, selecting Wireless, and clicking the Create button.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button.
  3. Select the Wireless entry from the list.
  4. Click the Create button.
Editing the newly created Wireless connection 1

Figure 10.12. Editing the newly created Wireless connection 1

Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
Three settings in the Editing dialog are common to all connection types:
  • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Wireless section of the Network Connections window. By default, wireless connections are named the same as the SSID of the wireless access point. You can rename the wireless connection without affecting its ability to connect, but it is recommended to retain the SSID name.
  • Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
  • Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the Wireless Tab
SSID
All access points have a Service Set identifier to identify them. However, an access point may be configured not to broadcast its SSID, in which case it is hidden, and will not show up in NetworkManager's list of Available networks. You can still connect to a wireless access point that is hiding its SSID as long as you know its SSID (and authentication secrets).
For information on connecting to a hidden wireless network, see the section called “Connecting to a Hidden Wireless Network”.
Mode
Infrastructure — Set Mode to Infrastructure if you are connecting to a dedicated wireless access point or one built into a network device such as a router or a switch.
Ad-hoc — Set Mode to Ad-hoc if you are creating a peer-to-peer network for two or more mobile devices to communicate directly with each other. If you use Ad-hoc mode, referred to as Independent Basic Service Set (IBSS) in the 802.11 standard, you must ensure that the same SSID is set for all participating wireless devices, and that they are all communicating over the same channel.
BSSID
The Basic Service Set Identifier (BSSID) is the MAC address of the specific wireless access point you are connecting to when in Infrastructure mode. This field is blank by default, and you are able to connect to a wireless access point by SSID without having to specify its BSSID. If the BSSID is specified, it will force the system to associate to a specific access point only.
For ad-hoc networks, the BSSID is generated randomly by the mac80211 subsystem when the ad-hoc network is created. It is not displayed by NetworkManager
MAC address
Like an Ethernet Network Interface Card (NIC), a wireless adapter has a unique MAC address (Media Access Control; also known as a hardware address) that identifies it to the system. Running the ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the wlan0 interface (which is 00:1c:bf:02:f8:70) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe26:9ef1/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
    inet 10.200.130.67/24 brd 10.200.130.255 scope global wlan0
    inet6 fe80::21c:bfff:fe02:f870/64 scope link
       valid_lft forever preferred_lft forever
A single system could have one or more wireless network adapters connected to it. The MAC address field therefore allows you to associate a specific wireless adapter with a specific connection (or connections). As mentioned, you can determine the MAC address using the ip addr command, and then copy and paste that value into the MAC address text-entry field.
MTU
The MTU (Maximum Transmission Unit) value represents the size in bytes of the largest packet that the connection will use to transmit. If set to a non-zero number, only packets of the specified size or smaller will be transmitted. Larger packets are broken up into multiple Ethernet frames. It is recommended to leave this setting on automatic.
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing the wireless connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can successfully connect to your the modified connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for details on selecting and connecting to a network.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

10.3.3. Establishing a Mobile Broadband Connection

You can use NetworkManager's mobile broadband connection abilities to connect to the following 2G and 3G services:
  • 2G — GPRS (General Packet Radio Service) or EDGE (Enhanced Data Rates for GSM Evolution)
  • 3G — UMTS (Universal Mobile Telecommunications System) or HSPA (High Speed Packet Access)
Your computer must have a mobile broadband device (modem), which the system has discovered and recognized, in order to create the connection. Such a device may be built into your computer (as is the case on many notebooks and netbooks), or may be provided separately as internal or external hardware. Examples include PC card, USB Modem or Dongle, mobile or cellular telephone capable of acting as a modem.

Procedure 10.3. Adding a New Mobile Broadband Connection

You can configure a mobile broadband connection by opening the Network Connections window, clicking Add, and selecting Mobile Broadband from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select Mobile Broadband and then click Create. The Set up a Mobile Broadband Connection assistant appears.
  3. Under Create a connection for this mobile broadband device, choose the 2G- or 3G-capable device you want to use with the connection. If the dropdown menu is inactive, this indicates that the system was unable to detect a device capable of mobile broadband. In this case, click Cancel, ensure that you do have a mobile broadband-capable device attached and recognized by the computer and then retry this procedure. Click the Forward button.
  4. Select the country where your service provider is located from the list and click the Forward button.
  5. Select your provider from the list or enter it manually. Click the Forward button.
  6. Select your payment plan from the dropdown menu and confirm the Access Point Name (APN) is correct. Click the Forward button.
  7. Review and confirm the settings and then click the Apply button.
  8. Edit the mobile broadband-specific settings by referring to the Configuring the Mobile Broadband Tab description below .

Procedure 10.4. Editing an Existing Mobile Broadband Connection

Follow these steps to edit an existing mobile broadband connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you want to edit and click the Edit button.
  3. Select the Mobile Broadband tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Mobile Broadband section of the Network Connections window.
    • Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
    • Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
  5. Edit the mobile broadband-specific settings by referring to the Configuring the Mobile Broadband Tab description below .
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing your mobile broadband connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:
Configuring the Mobile Broadband Tab
If you have already added a new mobile broadband connection using the assistant (see Procedure 10.3, “Adding a New Mobile Broadband Connection” for instructions), you can edit the Mobile Broadband tab to disable roaming if home network is not available, assign a network ID, or instruct NetworkManager to prefer a certain technology (such as 3G or 2G) when using the connection.
Number
The number that is dialed to establish a PPP connection with the GSM-based mobile broadband network. This field may be automatically populated during the initial installation of the broadband device. You can usually leave this field blank and enter the APN instead.
Username
Enter the user name used to authenticate with the network. Some providers do not provide a user name, or accept any user name when connecting to the network.
Password
Enter the password used to authenticate with the network. Some providers do not provide a password, or accept any password.
APN
Enter the Access Point Name (APN) used to establish a connection with the GSM-based network. Entering the correct APN for a connection is important because it often determines:
  • how the user is billed for their network usage; and/or
  • whether the user has access to the Internet, an intranet, or a subnetwork.
Network ID
Entering a Network ID causes NetworkManager to force the device to register only to a specific network. This can be used to ensure the connection does not roam when it is not possible to control roaming directly.
Type
Any — The default value of Any leaves the modem to select the fastest network.
3G (UMTS/HSPA) — Force the connection to use only 3G network technologies.
2G (GPRS/EDGE) — Force the connection to use only 2G network technologies.
Prefer 3G (UMTS/HSPA) — First attempt to connect using a 3G technology such as HSPA or UMTS, and fall back to GPRS or EDGE only upon failure.
Prefer 2G (GPRS/EDGE) — First attempt to connect using a 2G technology such as GPRS or EDGE, and fall back to HSPA or UMTS only upon failure.
Allow roaming if home network is not available
Uncheck this box if you want NetworkManager to terminate the connection rather than transition from the home network to a roaming one, thereby avoiding possible roaming charges. If the box is checked, NetworkManager will attempt to maintain a good connection by transitioning from the home network to a roaming one, and vice versa.
PIN
If your device's SIM (Subscriber Identity Module) is locked with a PIN (Personal Identification Number), enter the PIN so that NetworkManager can unlock the device. NetworkManager must unlock the SIM if a PIN is required in order to use the device for any purpose.

10.3.4. Establishing a VPN Connection

Establishing an encrypted Virtual Private Network (VPN) enables you to communicate securely between your Local Area Network (LAN), and another, remote LAN. After successfully establishing a VPN connection, a VPN router or gateway performs the following actions upon the packets you transmit:
  1. it adds an Authentication Header for routing and authentication purposes;
  2. it encrypts the packet data; and,
  3. it encloses the data with an Encapsulating Security Payload (ESP), which constitutes the decryption and handling instructions.
The receiving VPN router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network VPN connection is therefore transparent to clients.
Because they employ several layers of authentication and encryption, VPNs are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.

Procedure 10.5. Adding a New VPN Connection

  1. You can configure a new VPN connection by opening the Network Connections window, clicking the Add button and selecting a type of VPN from the VPN section of the new connection list.
  2. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  3. Click the Add button.
  4. The Choose a Connection Type list appears.
  5. Note

    The appropriate NetworkManager VPN plug-in for the VPN type you want to configure must be installed (see Section 8.2.4, “Installing Packages” for more information on how to install new packages in Red Hat Enterprise Linux 6).
    The VPN section in the Choose a Connection Type list will not appear if you do not have a suitable plug-in installed.
  6. Select the VPN protocol for the gateway you are connecting to from the Choose a Connection Type list. The VPN protocols available for selection in the list correspond to the NetworkManager VPN plug-ins installed. For example, if NetworkManager-openswan, the NetworkManager VPN plug-in for libreswan, is installed, then the IPsec based VPN will be selectable from the Choose a Connection Type list.

    Note

    In Red Hat Enterprise Linux 6.8, openswan has been obsoleted by libreswan. NetworkManager-openswan has been modified to support both openswan and libreswan.
    After selecting the correct one, press the Create button.
  7. The Editing VPN Connection 1 window then appears. This window presents settings customized for the type of VPN connection you selected in Step 6.

Procedure 10.6. Editing an Existing VPN Connection

You can configure an existing VPN connection by opening the Network Connections window and selecting the name of the connection from the list. Then click the Edit button.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you want to edit and click the Edit button.
Editing the newly created IPsec VPN connection 1

Figure 10.13. Editing the newly created IPsec VPN connection 1

Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
Three settings in the Editing dialog are common to all connection types:
  • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the VPN section of the Network Connections window.
  • Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
  • Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the VPN Tab
Gateway
The name or IP address of the remote VPN gateway.
Group name
The name of a VPN group configured on the remote gateway.
User password
If required, enter the password used to authenticate with the VPN.
Group password
If required, enter the password used to authenticate with the VPN.
User name
If required, enter the user name used to authenticate with the VPN.
Phase1 Algorithms
If required, enter the algorithms to be used to authenticate and set up an encrypted channel.
Phase2 Algorithms
If required, enter the algorithms to be used for the IPsec negotiations.
Domain
If required, enter the Domain Name.
NAT traversal
Cisco UDP (default) — IPsec over UDP.
NAT-T — ESP encapsulation and IKE extensions are used to handle NAT Traversal.
Disabled — No special NAT measures required.
Disable Dead Peer Detection — Disable the sending of probes to the remote gateway or endpoint.
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing your new VPN connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

10.3.5. Establishing a DSL Connection

This section is intended for those installations which have a DSL card fitted within a host rather than the external combined DSL modem router combinations typical of private consumer or SOHO installations.

Procedure 10.7. Adding a New DSL Connection

You can configure a new DSL connection by opening the Network Connections window, clicking the Add button and selecting DSL from the Hardware section of the new connection list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button.
  3. The Choose a Connection Type list appears.
  4. Select DSL and press the Create button.
  5. The Editing DSL Connection 1 window appears.

Procedure 10.8. Editing an Existing DSL Connection

You can configure an existing DSL connection by opening the Network Connections window and selecting the name of the connection from the list. Then click the Edit button.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you want to edit and click the Edit button.
Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
Three settings in the Editing dialog are common to all connection types:
  • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the DSL section of the Network Connections window.
  • Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
  • Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the DSL Tab
Username
Enter the user name used to authenticate with the service provider.
Service
Leave blank unless otherwise directed.
Password
Enter the password supplied by the service provider.
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing your DSL connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:

10.3.6. Establishing a Bond Connection

You can use NetworkManager to create a Bond from two or more Wired or Infiniband connections. It is not necessary to create the connections to be bonded first. They can be configured as part of the process to configure the bond. You must have the MAC addresses of the interfaces available in order to complete the configuration process.

Note

NetworkManager support for bonding must be enabled by means of the NM_BOND_VLAN_ENABLED directive and then NetworkManager must be restarted. See Section 11.2.1, “Ethernet Interfaces” for an explanation of NM_CONTROLLED and the NM_BOND_VLAN_ENABLED directive. See Section 12.3.4, “Restarting a Service” for an explanation of restarting a service such as NetworkManager from the command line. Alternatively, for a graphical tool see Section 12.2.1, “Using the Service Configuration Utility”.

Procedure 10.9. Adding a New Bond Connection

You can configure a Bond connection by opening the Network Connections window, clicking Add, and selecting Bond from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select Bond and then click Create. The Editing Bond connection 1 window appears.
  3. On the Bond tab, click Add and select the type of interface you want to use with the bond connection. Click the Create button. Note that the dialog to select the slave type only comes up when you create the first slave; after that, it will automatically use that same type for all further slaves.
  4. The Editing bond0 slave 1 window appears. Fill in the MAC address of the first interface to be bonded. The first slave's MAC address will be used as the MAC address for the bond interface. If required, enter a clone MAC address to be used as the bond's MAC address. Click the Apply button.
  5. The Authenticate window appears. Enter the root password to continue. Click the Authenticate button.
  6. The name of the bonded slave appears in the Bonded Connections window. Click the Add button to add further slave connections.
  7. Review and confirm the settings and then click the Apply button.
  8. Edit the bond-specific settings by referring to the section called “Configuring the Bond Tab” below.
Editing the newly created Bond connection 1

Figure 10.14. Editing the newly created Bond connection 1

Procedure 10.10. Editing an Existing Bond Connection

Follow these steps to edit an existing bond connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you want to edit and click the Edit button.
  3. Select the Bond tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Bond section of the Network Connections window.
    • Connect automatically — Select this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
    • Available to all users — Select this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
  5. Edit the bond-specific settings by referring to the section called “Configuring the Bond Tab” below.
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing your bond connection, click the Apply button to save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:
Configuring the Bond Tab
If you have already added a new bond connection (see Procedure 10.9, “Adding a New Bond Connection” for instructions), you can edit the Bond tab to set the load sharing mode and the type of link monitoring to use to detect failures of a slave connection.
Mode
The mode that is used to share traffic over the slave connections which make up the bond. The default is Round-robin. Other load sharing modes, such as 802.3ad, can be selected by means of the drop-down list.
Link Monitoring
The method of monitoring the slaves ability to carry network traffic.
The following modes of load sharing are selectable from the Mode drop-down list:
Round-robin
Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available. This mode might not work behind a bridge with virtual machines without additional switch configuration.
Active backup
Sets an active-backup policy for fault tolerance. Transmissions are received and sent out via the first available bonded slave interface. Another bonded slave interface is only used if the active bonded slave interface fails. Note that this is the only mode available for bonds of InfiniBand devices.
XOR
Sets an XOR (exclusive-or) policy. Transmissions are based on the selected hash policy. The default is to derive a hash by XOR of the source and destination MAC addresses multiplied by the modulo of the number of slave interfaces. In this mode traffic destined for specific peers will always be sent over the same interface. As the destination is determined by the MAC addresses this method works best for traffic to peers on the same link or local network. If traffic has to pass through a single router then this mode of traffic balancing will be suboptimal.
Broadcast
Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces. This mode might not work behind a bridge with virtual machines without additional switch configuration.
802.3ad
Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings. Transmits and receives on all slaves in the active aggregator. Requires a network switch that is 802.3ad compliant.
Adaptive transmit load balancing
Sets an adaptive Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave. This mode is only suitable for local addresses known to the kernel bonding module and therefore cannot be used behind a bridge with virtual machines.
Adaptive load balancing
Sets an Adaptive Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPv4 traffic. Receive load balancing is achieved through ARP negotiation. This mode is only suitable for local addresses known to the kernel bonding module and therefore cannot be used behind a bridge with virtual machines.
The following types of link monitoring can be selected from the Link Monitoring drop-down list. It is a good idea to test which channel bonding module parameters work best for your bonded interfaces.
MII (Media Independent Interface)
The state of the carrier wave of the interface is monitored. This can be done by querying the driver, by querying MII registers directly, or by using ethtool to query the device. Three options are available:
Monitoring Frequency
The time interval, in milliseconds, between querying the driver or MII registers.
Link up delay
The time in milliseconds to wait before attempting to use a link that has been reported as up. This delay can be used if some gratuitous ARP requests are lost in the period immediately following the link being reported as up. This can happen during switch initialization for example.
Link down delay
The time in milliseconds to wait before changing to another link when a previously active link has been reported as down. This delay can be used if an attached switch takes a relatively long time to change to backup mode.
ARP
The address resolution protocol (ARP) is used to probe one or more peers to determine how well the link-layer connections are working. It is dependent on the device driver providing the transmit start time and the last receive time.
Two options are available:
Monitoring Frequency
The time interval, in milliseconds, between sending ARP requests.
ARP targets
A comma separated list of IP addresses to send ARP requests to.

10.3.7. Establishing a VLAN Connection

You can use NetworkManager to create a VLAN using an existing interface. Currently, at time of writing, you can only make VLANs on Ethernet devices.

Procedure 10.11. Adding a New VLAN Connection

You can configure a VLAN connection by opening the Network Connections window, clicking Add, and selecting VLAN from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select VLAN and then click Create. The Editing VLAN Connection 1 window appears.
  3. On the VLAN tab, select the parent interface from the drop-down list you want to use for the VLAN connection.
  4. Enter the VLAN ID
  5. Enter a VLAN interface name. This is the name of the VLAN interface that will be created. For example, "eth0.1" or "vlan2". (Normally this is either the parent interface name plus "." and the VLAN ID, or "vlan" plus the VLAN ID.)
  6. Review and confirm the settings and then click the Apply button.
  7. Edit the VLAN-specific settings by referring to the Configuring the VLAN Tab description below .

Procedure 10.12. Editing an Existing VLAN Connection

Follow these steps to edit an existing VLAN connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you want to edit and click the Edit button.
  3. Select the VLAN tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the VLAN section of the Network Connections window.
    • Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
    • Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
  5. Edit the VLAN-specific settings by referring to the Configuring the VLAN Tab description below .
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing your VLAN connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:
Configuring the VLAN Tab
If you have already added a new VLAN connection (see Procedure 10.11, “Adding a New VLAN Connection” for instructions), you can edit the VLAN tab to set the parent interface and the VLAN ID.
Parent Interface
A previously configured interface can be selected in the drop-down list.
VLAN ID
The identification number to be used to tag the VLAN network traffic.
VLAN interface name
The name of the VLAN interface that will be created. For example, "eth0.1" or "vlan2".
Cloned MAC address
Optionally sets an alternate MAC address to use for identifying the VLAN interface. This can be used to change the source MAC address for packets sent on this VLAN.
MTU
Optionally sets a Maximum Transmission Unit (MTU) size to be used for packets to be sent over the VLAN connection.

10.3.8. Establishing an IP-over-InfiniBand (IPoIB) Connection

You can use NetworkManager to create an InfiniBand connection.

Procedure 10.13. Adding a New InfiniBand Connection

You can configure an InfiniBand connection by opening the Network Connections window, clicking Add, and selecting InfiniBand from the list.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Click the Add button to open the selection list. Select InfiniBand and then click Create. The Editing InfiniBand Connection 1 window appears.
  3. On the InfiniBand tab, select the transport mode from the drop-down list you want to use for the InfiniBand connection.
  4. Enter the InfiniBand MAC address.
  5. Review and confirm the settings and then click the Apply button.
  6. Edit the InfiniBand-specific settings by referring to the Configuring the InfiniBand Tab description below .
Editing the newly created InfiniBand connection 1

Figure 10.15. Editing the newly created InfiniBand connection 1

Procedure 10.14. Editing an Existing InfiniBand Connection

Follow these steps to edit an existing InfiniBand connection.
  1. Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
  2. Select the connection you want to edit and click the Edit button.
  3. Select the InfiniBand tab.
  4. Configure the connection name, auto-connect behavior, and availability settings.
    Three settings in the Editing dialog are common to all connection types:
    • Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the InfiniBand section of the Network Connections window.
    • Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
    • Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
  5. Edit the InfiniBand-specific settings by referring to the Configuring the InfiniBand Tab description below .
Saving Your New (or Modified) Connection and Making Further Configurations
Once you have finished editing your InfiniBand connection, click the Apply button and NetworkManager will immediately save your customized configuration. Given a correct configuration, you can connect to your new or customized connection by selecting it from the NetworkManager Notification Area applet. See Section 10.2.1, “Connecting to a Network” for information on using your new or altered connection.
You can further configure an existing connection by selecting it in the Network Connections window and clicking Edit to return to the Editing dialog.
Then, to configure:
Configuring the InfiniBand Tab
If you have already added a new InfiniBand connection (see Procedure 10.13, “Adding a New InfiniBand Connection” for instructions), you can edit the InfiniBand tab to set the parent interface and the InfiniBand ID.
Transport mode
Datagram or Connected mode can be selected from the drop-down list. Select the same mode the rest of your IPoIB network is using.
Device MAC address
The MAC address of the InfiniBand capable device to be used for the InfiniBand network traffic.This hardware address field will be pre-filled if you have InfiniBand hardware installed.
MTU
Optionally sets a Maximum Transmission Unit (MTU) size to be used for packets to be sent over the InfiniBand connection.

10.3.9. Configuring Connection Settings

10.3.9.1. Configuring 802.1X Security
802.1X security is the name of the IEEE standard for port-based Network Access Control (PNAC). Simply put, 802.1X security is a way of defining a logical network out of a physical one. All clients who want to join the logical network must authenticate with the server (a router, for example) using the correct 802.1X authentication method.
802.1X security is most often associated with securing wireless networks (WLANs), but can also be used to prevent intruders with physical access to the network (LAN) from gaining entry. In the past, DHCP servers were configured not to lease IP addresses to unauthorized users, but for various reasons this practice is both impractical and insecure, and thus is no longer recommended. Instead, 802.1X security is used to ensure a logically-secure network through port-based authentication.
802.1X provides a framework for WLAN and LAN access control and serves as an envelope for carrying one of the Extensible Authentication Protocol (EAP) types. An EAP type is a protocol that defines how WLAN security is achieved on the network.
You can configure 802.1X security for a wired or wireless connection type by opening the Network Connections window (see Section 10.2.2, “Configuring New and Editing Existing Connections”) and following the applicable procedure:

Procedure 10.15. For a wired connection...

  1. Either click Add, select a new network connection for which you want to configure 802.1X security and then click Create, or select an existing connection and click Edit.
  2. Then select the 802.1X Security tab and check the Use 802.1X security for this connection check box to enable settings configuration.

Procedure 10.16. For a wireless connection...

  1. Either click on Add, select a new network connection for which you want to configure 802.1X security and then click Create, or select an existing connection and click Edit.
  2. Select the Wireless Security tab.
  3. Then click the Security dropdown and choose one of the following security methods: LEAP, Dynamic WEP (802.1X), or WPA & WPA2 Enterprise.
  4. See Section 10.3.9.1.1, “Configuring TLS (Transport Layer Security) Settings” for descriptions of which EAP types correspond to your selection in the Security dropdown.
10.3.9.1.1. Configuring TLS (Transport Layer Security) Settings
With Transport Layer Security, the client and server mutually authenticate using the TLS protocol. The server demonstrates that it holds a digital certificate, the client proves its own identity using its client-side certificate, and key information is exchanged. Once authentication is complete, the TLS tunnel is no longer used. Instead, the client and server use the exchanged keys to encrypt data using AES, TKIP or WEP.
The fact that certificates must be distributed to all clients who want to authenticate means that the EAP-TLS authentication method is very strong, but also more complicated to set up. Using TLS security requires the overhead of a public key infrastructure (PKI) to manage certificates. The benefit of using TLS security is that a compromised password does not allow access to the (W)LAN: an intruder must also have access to the authenticating client's private key.
NetworkManager does not determine the version of TLS supported. NetworkManager gathers the parameters entered by the user and passes them to the daemon, wpa_supplicant, that handles the procedure. It in turn uses OpenSSL to establish the TLS tunnel. OpenSSL itself negotiates the SSL/TLS protocol version. It uses the highest version both ends support.
Identity
Identity string for EAP authentication methods, such as a user name or login name.
User certificate
Click to browse for, and select, a user's certificate.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
Private key
Click to browse for, and select, a user's private key file. Note that the key must be password protected.
Private key password
Enter the user password corresponding to the user's private key.
10.3.9.1.2. Configuring Tunneled TLS Settings
Anonymous identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
Inner authentication
PAP — Password Authentication Protocol.
MSCHAP — Challenge Handshake Authentication Protocol.
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
CHAP — Challenge Handshake Authentication Protocol.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.
10.3.9.1.3. Configuring Protected EAP (PEAP) Settings
Anonymous Identity
This value is used as the unencrypted identity.
CA certificate
Click to browse for, and select, a Certificate Authority's certificate.
PEAP version
The version of Protected EAP to use. Automatic, 0 or 1.
Inner authentication
MSCHAPv2 — Microsoft Challenge Handshake Authentication Protocol version 2.
MD5 — Message Digest 5, a cryptographic hash function.
GTC — Generic Token Card.
Username
Enter the user name to be used in the authentication process.
Password
Enter the password to be used in the authentication process.
10.3.9.2. Configuring Wireless Security
Security
None — Do not encrypt the Wi-Fi connection.
WEP 40/128-bit Key — Wired Equivalent Privacy (WEP), from the IEEE 802.11 standard. Uses a single pre-shared key (PSK).
WEP 128-bit Passphrase — An MD5 hash of the passphrase will be used to derive a WEP key.
LEAP — Lightweight Extensible Authentication Protocol, from Cisco Systems.
Dynamic WEP (802.1X) — WEP keys are changed dynamically.
WPA & WPA2 Personal — Wi-Fi Protected Access (WPA), from the draft IEEE 802.11i standard. A replacement for WEP. Wi-Fi Protected Access II (WPA2), from the 802.11i-2004 standard. Personal mode uses a pre-shared key (WPA-PSK).
WPA & WPA2 Enterprise — WPA for use with a RADIUS authentication server to provide IEEE 802.1X network access control.
Password
Enter the password to be used in the authentication process.

Note

In the case of WPA and WPA2 (Personal and Enterprise), an option to select between Auto, WPA and WPA2 has been added. This option is intended for use with an access point that is offering both WPA and WPA2. Select one of the protocols if you would like to prevent roaming between the two protocols. Roaming between WPA and WPA2 on the same access point can cause loss of service.
Editing the Wireless Security tab and selecting the WPA protocol

Figure 10.16. Editing the Wireless Security tab and selecting the WPA protocol

10.3.9.3. Configuring PPP (Point-to-Point) Settings
Configure Methods
Use point-to-point encryption (MPPE)
Microsoft Point-To-Point Encryption protocol (RFC 3078).
Allow BSD data compression
PPP BSD Compression Protocol (RFC 1977).
Allow Deflate data compression
PPP Deflate Protocol (RFC 1979).
Use TCP header compression
Compressing TCP/IP Headers for Low-Speed Serial Links (RFC 1144).
Send PPP echo packets
LCP Echo-Request and Echo-Reply Codes for loopback tests (RFC 1661).
10.3.9.4. Configuring IPv4 Settings
Editing the IPv4 Settings Tab

Figure 10.17. Editing the IPv4 Settings Tab

The IPv4 Settings tab allows you to configure the method by which you connect to the Internet and enter IP address, route, and DNS information as required. The IPv4 Settings tab is available when you create and modify one of the following connection types: wired, wireless, mobile broadband, VPN or DSL.
If you are using DHCP to obtain a dynamic IP address from a DHCP server, you can set Method to Automatic (DHCP).
Setting the Method

Available IPv4 Methods by Connection Type

When you click the Method dropdown menu, depending on the type of connection you are configuring, you are able to select one of the following IPv4 connection methods. All of the methods are listed here according to which connection type or types they are associated with.
Method
Automatic (DHCP) — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses. You do not need to fill in the DHCP client ID field.
Automatic (DHCP) addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be selected as per RFC 3927.
Shared to other computers — Choose this option if the interface you are configuring is for sharing an Internet or WAN connection.
Wired, Wireless and DSL Connection Methods
Manual — Choose this option if the network you are connecting to does not have a DHCP server and you want to assign IP addresses manually.
Mobile Broadband Connection Methods
Automatic (PPP) — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic (PPP) addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
VPN Connection Methods
Automatic (VPN) — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic (VPN) addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
DSL Connection Methods
Automatic (PPPoE) — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic (PPPoE) addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
PPPoE Specific Configuration Steps
If more than one NIC is installed, and PPPoE will only be run over one NIC but not the other, then for correct PPPoE operation it is also necessary to lock the connection to the specific Ethernet device PPPoE is supposed to be run over. To lock the connection to one specific NIC, do one of the following:
  • Enter the MAC address in nm-connection-editor for that connection. Optionally select Connect automatically and Available to all users to make the connection come up without requiring user login after system start.
  • Set the hardware-address in the [802-3-ethernet] section in the appropriate file for that connection in /etc/NetworkManager/system-connections/ as follows:
    [802-3-ethernet]
    mac-address=00:11:22:33:44:55
    Mere presence of the file in /etc/NetworkManager/system-connections/ means that it is available to all users. Ensure that autoconnect=true appears in the [connection] section for the connection to be brought up without requiring user login after system start.
For information on configuring static routes for the network connection, go to Section 10.3.9.6, “Configuring Routes”.
10.3.9.5. Configuring IPv6 Settings
Method
Ignore — Choose this option if you want to disable IPv6 settings.
Automatic — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses.
Automatic, addresses only — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses but you want to assign DNS servers manually.
Manual — Choose this option if the network you are connecting to does not have a DHCP server and you want to assign IP addresses manually.
Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be selected as per RFC 4862.
Shared to other computers — Choose this option if the interface you are configuring is for sharing an Internet or WAN connection.
Addresses
DNS servers — Enter a comma separated list of DNS servers.
Search domains — Enter a comma separated list of domain controllers.
For information on configuring static routes for the network connection, go to Section 10.3.9.6, “Configuring Routes”.
10.3.9.6. Configuring Routes
A host's routing table will be automatically populated with routes to directly connected networks. The routes are learned by observing the network interfaces when they are up. This section is for entering static routes to networks or hosts which can be reached by traversing an intermediate network or connection, such as a VPN or leased line.
Configuring static network routes

Figure 10.18. Configuring static network routes

Addresses
Address — The IP address of a network, sub-net or host.
Netmask — The netmask or prefix length of the IP address just entered.
Gateway — The IP address of the gateway leading to the network, sub-net or host.
Metric — A network cost, that is to say a preference value to give to this route. Lower values will be preferred over higher values.
Ignore automatically obtained routes
Select this check box to only use manually entered routes for this connection.
Use this connection only for resources on its network
Select this check box to prevent the connection from becoming the default route. Typical examples are where a connection is a VPN or a leased line to a head office and you do not want any Internet bound traffic to pass over the connection. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually will be routed over the connection.

Chapter 11. Network Interfaces

Under Red Hat Enterprise Linux, all network communications occur between configured software interfaces and physical networking devices connected to the system.
The configuration files for network interfaces are located in the /etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory:
  1. Interface configuration files
  2. Interface control scripts
  3. Network function files
The files in each of these categories work together to enable various network devices.
This chapter explores the relationship between these files and how they are used.

11.1. Network Configuration Files

Before delving into the interface configuration files, let us first itemize the primary configuration files used in network configuration. Understanding the role these files play in setting up the network stack can be helpful when customizing a Red Hat Enterprise Linux system.
The primary network configuration files are as follows:
/etc/hosts
The main purpose of this file is to resolve host names that cannot be resolved any other way. It can also be used to resolve host names on small networks with no DNS server. Regardless of the type of network the computer is on, this file should contain a line specifying the IP address of the loopback device (127.0.0.1) as localhost.localdomain. For more information, see the hosts(5) manual page.
/etc/resolv.conf
This file specifies the IP addresses of DNS servers and the search domain. Unless configured to do otherwise, the network initialization scripts populate this file. For more information about this file, see the resolv.conf(5) manual page.
/etc/sysconfig/network
This file specifies routing and host information for all network interfaces. It is used to contain directives which are to have global effect and not to be interface specific. For more information about this file and the directives it accepts, see Section D.1.14, “/etc/sysconfig/network”.
/etc/sysconfig/network-scripts/ifcfg-interface-name
For each network interface, there is a corresponding interface configuration script. Each of these files provide information specific to a particular network interface. See Section 11.2, “Interface Configuration Files” for more information on this type of file and the directives it accepts.

Important

Network interface names may be different on different hardware types. See Appendix A, Consistent Network Device Naming for more information.

Warning

The /etc/sysconfig/networking/ directory is used by the now deprecated Network Administration Tool (system-config-network). Its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion. For more information about configuring network interfaces using graphical configuration tools, see Chapter 10, NetworkManager.

11.1.1. Setting the Host Name

To permanently change the static host name, change the HOSTNAME directive in the /etc/sysconfig/network file. For example:
HOSTNAME=penguin.example.com
Red Hat recommends the static host name matches the fully qualified domain name (FQDN) used for the machine in DNS, such as host.example.com. It is also recommended that the static host name consists only of 7 bit ASCII lower-case characters, no spaces or dots, and limits itself to the format allowed for DNS domain name labels, even though this is not a strict requirement. Older specifications do not permit the underscore, and so their use is not recommended. Changes will only take effect when the networking service, or the system, is restarted.
Note that the FQDN of the host can be supplied by a DNS resolver, by settings in /etc/sysconfig/network, or by the /etc/hosts file. The default setting of hosts: files dns in /etc/nsswitch.conf causes the configuration files to be checked before a resolver. The default setting of multi on in the /etc/host.conf file means that all valid values in the /etc/hosts file are returned, not just the first.
Sometimes you may need to use the host table in the /etc/hosts file instead of the HOSTNAME directive in /etc/sysconfig/network, for example, when DNS is not running during system bootup.
To change the host name using the /etc/hosts file, add lines to it in the following format:
192.168.1.2 penguin.example.com penguin

11.2. Interface Configuration Files

Interface configuration files control the software interfaces for individual network devices. As the system boots, it uses these files to determine what interfaces to bring up and how to configure them. These files are usually named ifcfg-name, where name refers to the name of the device that the configuration file controls.

11.2.1. Ethernet Interfaces

One of the most common interface files is /etc/sysconfig/network-scripts/ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-ethX files (where X is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
The following is a sample ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.1.27
USERCTL=no
The values required in an interface configuration file can change based on other values. For example, the ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided by the DHCP server:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
NetworkManager is graphical configuration tool which provides an easy way to make changes to the various network interface configuration files (see Chapter 10, NetworkManager for detailed instructions on using this tool).
However, it is also possible to manually edit the configuration files for a given network interface.
Below is a listing of the configurable parameters in an Ethernet interface configuration file:
BONDING_OPTS=parameters
sets the configuration parameters for the bonding device, and is used in /etc/sysconfig/network-scripts/ifcfg-bondN (see Section 11.2.4, “Channel Bonding Interfaces”). These parameters are identical to those used for bonding devices in /sys/class/net/bonding_device/bonding, and the module parameters for the bonding driver as described in bonding Module Directives.
This configuration method is used so that multiple bonding devices can have different configurations. In Red Hat Enterprise Linux 6, place all interface-specific bonding options after the BONDING_OPTS directive in ifcfg-name files. See Where to specify bonding module parameters for more information.
BOOTPROTO=protocol
where protocol is one of the following:
  • none — No boot-time protocol should be used.
  • bootp — The BOOTP protocol should be used.
  • dhcp — The DHCP protocol should be used.
BROADCAST=address
where address is the broadcast address. This directive is deprecated, as the value is calculated automatically with ipcalc.
DEVICE=name
where name is the name of the physical device (except for dynamically-allocated PPP devices where it is the logical name).
DHCP_HOSTNAME=name
where name is a short host name to be sent to the DHCP server. Use this option only if the DHCP server requires the client to specify a host name before receiving an IP address.
DHCPV6C=answer
where answer is one of the following:
  • yes — Use DHCP to obtain an IPv6 address for this interface.
  • no — Do not use DHCP to obtain an IPv6 address for this interface. This is the default value.
An IPv6 link-local address will still be assigned by default. The link-local address is based on the MAC address of the interface as per RFC 4862.
DHCPV6C_OPTIONS=answer
where answer is one of the following:
  • -P — Enable IPv6 prefix delegation.
  • -S — Use DHCP to obtain stateless configuration only, not addresses, for this interface.
  • -N — Restore normal operation after using the -T or -P options.
  • -T — Use DHCP to obtain a temporary IPv6 address for this interface.
  • -D — Override the default when selecting the type of DHCP Unique Identifier (DUID) to use.
    By default, the DHCP client (dhclient) creates a DHCP Unique Identifier (DUID) based on the link-layer address (DUID-LL) if it is running in stateless mode (with the -S option, to not request an address), or it creates an identifier based on the link-layer address plus a timestamp (DUID-LLT) if it is running in stateful mode (without -S, requesting an address). The -D option overrides this default, with a value of either LL or LLT.
DNS{1,2}=address
where address is a name server address to be placed in /etc/resolv.conf provided that the PEERDNS directive is not set to no.
ETHTOOL_OPTS=options
where options are any device-specific options supported by ethtool. For example, if you wanted to force 100Mb, full duplex:
ETHTOOL_OPTS="autoneg off speed 100 duplex full"
Instead of a custom initscript, use ETHTOOL_OPTS to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.

Important

Changing speed or duplex settings almost always requires disabling auto-negotiation with the autoneg off option. This option needs to be stated first, as the option entries are order-dependent.