Deployment Guide
Deployment, Configuration and Administration of Red Hat Enterprise Linux 6
Abstract
Part I. Basic System Configuration
Chapter 1. Keyboard Configuration
1.1. Changing the Keyboard Layout
Figure 1.1. Keyboard Layout Preferences
Figure 1.2. Choosing a layout
Figure 1.3. Selecting the default layout
Figure 1.4. Testing the layout
Note
1.2. Adding the Keyboard Layout Indicator
Figure 1.5. Adding a new applet
Figure 1.6. Selecting the Keyboard Indicator
Figure 1.7. The Keyboard Indicator applet
1.3. Setting Up a Typing Break
Figure 1.8. Typing Break Properties
Figure 1.9. Taking a break
Chapter 2. Date and Time Configuration
2.1. Date/Time Properties Tool
system-config-date command at a shell prompt (e.g., xterm or GNOME Terminal). Unless you are already authenticated, you will be prompted to enter the superuser password.
Figure 2.1. Authentication Query
2.1.1. Date and Time Properties
Figure 2.2. Date and Time Properties
- Change the current date. Use the arrows to the left and right of the month and year to change the month and year respectively. Then click inside the calendar to select the day of the month.
- Change the current time. Use the up and down arrow buttons beside the Hour, Minute, and Second, or replace the values directly.
2.1.2. Network Time Protocol Properties
Figure 2.3. Network Time Protocol Properties
Note
2.1.3. Time Zone Properties
Figure 2.4. Time Zone Properties
- Using the interactive map. Click “zoom in” and “zoom out” buttons next to the map, or click on the map itself to zoom into the selected region. Then choose the city specific to your time zone. A red X appears and the time zone selection changes in the list below the map.
- Use the list below the map. To make the selection easier, cities and countries are grouped within their specific continents. Note that non-geographic time zones have also been added to address needs in the scientific community.
2.2. Command Line Configuration
~]$ su -
Password:
2.2.1. Date and Time Setup
The date command allows the superuser to set the system date and time manually:
- Change the current date. Type the command in the following form at a shell prompt, replacing YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month:
~]# date +%D -s YYYY-MM-DD
For example, to set the date to 2 June 2010, type:
~]# date +%D -s 2010-06-02
- Change the current time. Use the following command, where HH stands for an hour, MM is a minute, and SS is a second, all typed in two-digit form:
~]# date +%T -s HH:MM:SS
If your system clock is set to use UTC (Coordinated Universal Time), add the following option:
~]# date +%T -s HH:MM:SS -u
For instance, to set the system clock to 11:26 PM UTC, type:
~]# date +%T -s 23:26:00 -u
To display the current date and time, run the date command without any additional arguments:
Example 2.1. Displaying the current date and time
~]$ date
Wed Jun 2 11:58:48 CEST 2010
2.2.2. Network Time Protocol Setup
- Firstly, check whether the selected NTP server is accessible:
~]# ntpdate -q server_address
For example:
~]# ntpdate -q 0.rhel.pool.ntp.org
- When you find a satisfactory server, run the ntpdate command followed by one or more server addresses:
~]# ntpdate server_address...
For instance:
~]# ntpdate 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org
Unless an error message is displayed, the system time should now be set. You can check the current setting by typing date without any additional arguments, as shown in Section 2.2.1, “Date and Time Setup”.
- In most cases, these steps are sufficient. Only if you really need one or more system services to always use the correct time, enable running ntpdate at boot time:
~]# chkconfig ntpdate on
For more information about system services and their setup, see Chapter 12, Services and Daemons.
Note
If the synchronization with the time server at boot time keeps failing, i.e., you find a relevant error message in the /var/log/boot.log system log, try adding the following line to /etc/sysconfig/network:
NETWORKWAIT=1
- Open the NTP configuration file /etc/ntp.conf in a text editor such as vi or nano, or create a new one if it does not already exist:
~]# nano /etc/ntp.conf
- Now add or edit the list of public NTP servers. If you are using Red Hat Enterprise Linux 6, the file should already contain the following lines, but feel free to change or expand these according to your needs:
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
The iburst directive at the end of each line speeds up the initial synchronization. As of Red Hat Enterprise Linux 6.5 it is added by default. If you are upgrading from a previous minor release and your /etc/ntp.conf file has been modified, the upgrade to Red Hat Enterprise Linux 6.5 will create a new file, /etc/ntp.conf.rpmnew, and will not alter the existing /etc/ntp.conf file.
- Once the list of servers is complete, in the same file, set the proper access restrictions, giving unrestricted access to localhost only:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
Here nomodify and notrap refuse remote runtime configuration and trap requests, nopeer refuses associations with peers you did not configure, and noquery refuses ntpq and ntpdc queries, which also withholds the monitoring data that NTP amplification attacks abuse. Without a restrict default line, every host on the network gets full access to the daemon.
- Save all changes, exit the editor, and restart the NTP daemon:
~]# service ntpd restart
- Make sure that ntpd is started at boot time:
~]# chkconfig ntpd on
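The restrict lines above are what keep an ntpd that listens on a public interface from being queried or reconfigured by strangers. The following script is an added example, not part of the Deployment Guide: it audits an ntp.conf file for exactly those flags and reports what is missing. The two configurations it checks are constructed inline; the function name and the output wording are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat Deployment Guide.
# check_ntp_restrict FILE: audit the access policy in an ntp.conf file.
# Prints one finding per line and returns the number of findings, so it
# can be used directly in an if/&& test. Only the "restrict default"
# lines (IPv4, IPv6, or both) are inspected; host-specific lines such as
# "restrict 127.0.0.1" are expected to be looser.
check_ntp_restrict() {
    awk '
    # Accept "restrict default ..." and "restrict -4|-6 default ...".
    $1 == "restrict" {
        n = 2
        if ($2 == "-4" || $2 == "-6") n = 3
        if ($n != "default") next
        seen_default++
        for (f in flags) delete flags[f]
        for (i = n + 1; i <= NF; i++) flags[$i] = 1
        if ("ignore" in flags) next        # everything refused: stricter than needed
        split("nomodify notrap nopeer noquery", need, " ")
        for (k = 1; k <= 4; k++)
            if (!(need[k] in flags)) {
                printf "line %d: restrict default lacks %s\n", NR, need[k]
                bad++
            }
        if (!("kod" in flags))
            printf "line %d: note: no kod, rate-limited clients get no Kiss-o-Death hint\n", NR
    }
    $1 == "server" || $1 == "peer" || $1 == "pool" { sources++ }
    END {
        if (!seen_default) { print "no \"restrict default\" line: every host gets full access"; bad++ }
        if (!sources)      { print "no server/peer/pool lines: nothing to synchronize from"; bad++ }
        exit bad + 0
    }' "$1"
}

# Constructed sample files for the demonstration (not real systems).
good=$(mktemp); weak=$(mktemp)
cat > "$good" <<'EOF'
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
cat > "$weak" <<'EOF'
server 0.rhel.pool.ntp.org iburst
# noquery and nopeer missing: remote ntpq/ntpdc queries and unsolicited peers are allowed
restrict default kod nomodify notrap
EOF
check_ntp_restrict "$good" && echo "$good: access policy ok"
check_ntp_restrict "$weak" || echo "$weak: $? problem(s) found"
rm -f "$good" "$weak"
```

The function only parses the directives shown on this page; includefile, keys and the full restrict grammar are out of scope, so treat a clean result as a necessary check, not a complete one.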
Chapter 3. Managing Users and Groups
3.1. What Users and Groups Are
Note
cat /usr/share/doc/setup-2.8.14/uidgid
The recommended practice is to assign non-reserved IDs starting at 5,000, as the reserved range can increase in the future. To make the IDs assigned to new users by default start at 5,000, change the UID_MIN and GID_MIN directives in the /etc/login.defs file:
[file contents truncated]
UID_MIN 5000
[file contents truncated]
GID_MIN 5000
[file contents truncated]
newgrp command, after which all newly created files are owned by the new group. A supplementary group serves to grant a certain set of users, its members, access to a certain set of files, those owned by this group.
root, and access permissions can be changed by both the root user and the file owner.
umask and can be configured in the /etc/bashrc file for all users, or in ~/.bashrc for each user individually. The configuration in ~/.bashrc overrides the configuration in /etc/bashrc. Additionally, the umask command overrides the default permissions for the duration of the shell session.
/etc/shadow file, which is only readable by the root user. The file also stores information about password aging and policies for specific accounts. The default values for a newly created account are stored in the /etc/login.defs and /etc/default/useradd files. The Red Hat Enterprise Linux 6 Security Guide provides more security-related information about users and groups.
3.2. Managing Users via the User Manager Application
To start the User Manager application:
- From the toolbar, select System → Administration → Users and Groups.
- Or, type system-config-users at the shell prompt.
Note
root
.
3.2.1. Viewing Users
Figure 3.1. Viewing Users
3.2.2. Adding a New User
- Click the Add User button.
- Enter the user name and full name in the appropriate fields.
- Type the user's password in the Password and Confirm Password fields. The password must be at least six characters long.
Note
For safety reasons, choose a long password not based on a dictionary term; use a combination of letters, numbers, and special characters.
- Select a login shell for the user from the Login Shell drop-down list or accept the default value of /bin/bash.
- Clear the Create home directory check box if you choose not to create the home directory for a new user in /home/username/. You can also change this home directory by editing the content of the Home Directory text box. Note that when the home directory is created, default configuration files are copied into it from the /etc/skel/ directory.
- Clear the Create a private group for the user check box if you do not want a unique group with the same name as the user to be created. A user private group (UPG) is a group assigned to a user account to which that user exclusively belongs; it is used for managing file permissions for individual users.
- Specify a user ID for the user by selecting Specify user ID manually. If the option is not selected, the next available user ID above 500 is assigned to the new user.
- Click the OK button to complete the process.
3.2.3. Modifying User Properties
- Select the user from the user list by clicking once on the user name.
- Click Properties on the toolbar or choose File → Properties from the drop-down menu.
Figure 3.2. User Properties
- There are four tabs you can update to your preferences. When you have finished, click the OK button to save your changes.
3.3. Managing Groups via the User Manager Application
3.3.1. Viewing Groups
Figure 3.3. Viewing Groups
3.3.2. Adding a New Group
- Select Add Group from the User Manager toolbar:
Figure 3.4. New Group
- Type the name of the new group.
- Specify the group ID (GID) for the new group by checking the Specify group ID manually check box.
- Select the GID. Note that Red Hat Enterprise Linux also reserves group IDs lower than 500 for system groups.
- Click OK to create the group. The new group appears in the group list.
3.3.3. Modifying Group Properties
- Select the group from the group list by clicking on its name.
- Click Properties on the toolbar or choose File → Properties from the drop-down menu.
Figure 3.5. Group Properties
- The Group Users tab displays the list of group members. Use this tab to add or remove users from the group. Click OK to save your changes.
3.4. Managing Users via Command-Line Tools
useradd, usermod, userdel, or passwd. The files affected include /etc/passwd, which stores user account information, and /etc/shadow, which stores secure user account information.
3.4.1. Creating Users
The useradd utility creates new users and adds them to the system. Following the short procedure below, you will create a default user account with its UID, automatically create a home directory where default user settings will be stored, /home/username/, and set the default shell to /bin/bash.
- Run the following command at a shell prompt as root, substituting username with the name of your choice:
~]# useradd username
- Set a password to unlock the account and make it accessible. Type the password twice when the program prompts you to:
~]# passwd username
Example 3.1. Creating a User with Default Settings
~]# useradd robert
~]# passwd robert
Changing password for user robert
New password:
Re-type new password:
passwd: all authentication tokens updated successfully.
The useradd robert command creates an account named robert. If you run cat /etc/passwd to view the content of the /etc/passwd file, you can learn more about the new user from the line displayed to you:
robert:x:502:502::/home/robert:/bin/bash
robert has been assigned a UID of 502, which reflects the rule that the default UID values from 0 to 499 are typically reserved for system accounts. The GID, the ID of the User Private Group, equals the UID. The home directory is set to /home/robert and the login shell to /bin/bash. The letter x signals that shadow passwords are used and that the hashed password is stored in /etc/shadow.
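Because every /etc/passwd line follows the fixed layout just described, the file can be audited mechanically. The script below is an added example, not part of the guide: it reads passwd(5)-format lines and flags the problems an auditor looks for first (a second UID 0 account, a hash or empty field where the x should be, a system-range UID with an interactive shell, a UID shared by two accounts). The sample file is constructed inline; the function name and the 500 threshold (UID_MIN on Red Hat Enterprise Linux 6) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat Deployment Guide.
# audit_passwd FILE [UID_MIN]: check passwd(5)-format lines for common
# account weaknesses. Prints one finding per line and returns the number
# of findings (0 means clean). UID_MIN defaults to 500, the RHEL 6 value.
audit_passwd() {
    awk -F: -v uid_min="${2:-500}" '
    /^#/ || NF < 7 { next }                      # comments and malformed lines
    $3 == 0 && $1 != "root" {
        printf "%s: UID 0 account other than root\n", $1; bad++
    }
    # Field 2 should be "x" (hash lives in /etc/shadow) or a lock marker.
    $2 != "x" && $2 != "*" && $2 !~ /^!/ {
        if ($2 == "") printf "%s: empty password field, login needs no password\n", $1
        else          printf "%s: password hash kept in /etc/passwd, readable by everyone\n", $1
        bad++
    }
    # Service accounts below UID_MIN should not have a login shell.
    $3 > 0 && $3 < uid_min && $7 ~ /sh$/ {
        printf "%s: system account (UID %s) with interactive shell %s\n", $1, $3, $7; bad++
    }
    # A UID seen a second time means two accounts share one identity.
    seen[$3]++ == 1 {
        printf "UID %s is shared by more than one account\n", $3; bad++
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample passwd file for the demonstration (not a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
backup:$1$salt$hashhashhash:0:0:backup:/root:/bin/bash
svc:x:480:480:service:/var/lib/svc:/bin/bash
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
guest::503:503::/home/guest:/bin/bash
EOF
audit_passwd "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the real file with `audit_passwd /etc/passwd` (or with a second argument if UID_MIN was raised as described in Section 3.1); a non-zero return value makes it usable from a cron job or a configuration check.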
useradd (see the useradd(8) man page for the whole list of options). As you can see from the basic syntax of the command, you can add one or more options:
useradd [option(s)] username
Use the -c option to specify, for example, the full name of the user when creating them. Use -c followed by a string, which adds a comment to the user:
useradd -c "string" username
Example 3.2. Specifying a User's Full Name when Creating a User
~]# useradd -c "Robert Smith" robert
~]# cat /etc/passwd
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
The account has the user name robert, sometimes called the login name, and the full name Robert Smith.
If you do not want the default /home/username/ directory for the user account, set a different one with the -d option:
useradd -d home_directory username
Example 3.3. Adding a User with a Non-default Home Directory
~]# useradd -d /home/dir_1 robert
robert's home directory is now not the default /home/robert but /home/dir_1/.
To create a user without a home directory, run useradd with the -M option. However, when such a user logs into a system that has just booted and their home directory does not exist, their login directory will be the root directory. If such a user logs into a system using the su command, their login directory will be the current directory of the previous user.
useradd -M username
To copy the contents of a directory into the new user's home directory while creating the user, use the -m and -k options together, followed by the path of the directory to copy from.
Example 3.4. Creating a User while Copying Contents to the Home Directory
The following command copies the contents of /dir_1 to /home/jane, which is the default home directory of a new user jane:
~]# useradd -m -k /dir_1 jane
Another option of the useradd command is creating an account for a certain amount of time only and disabling it at a certain date. This is a particularly useful setting, as there is no security risk resulting from forgetting to delete a certain account. For this, the -e option is used with the expire_date specified in the YYYY-MM-DD format.
Note
useradd -e YYYY-MM-DD username
Example 3.5. Setting the Account Expiration Date
~]# useradd -e 2015-11-05 emily
The user emily will be created now and automatically disabled on 5 November, 2015.
The default login shell is /bin/bash, but it can be changed with the -s option to any other shell, such as ksh, csh, or tcsh.
useradd -s login_shell username
Example 3.6. Adding a User with a Non-default Shell
~]# useradd -s /bin/ksh robert
This command creates the user robert with /bin/ksh as the login shell.
The -r option creates a system account, which is an account intended for a service or daemon rather than a person. Such an account has a UID lower than the value of UID_MIN defined in /etc/login.defs (typically 500 on Red Hat Enterprise Linux 6, with ordinary users numbered from 500 upwards), no password aging, and no home directory created by default. It has no privileges beyond those its UID and group memberships grant; in particular, it is not a partial root account.
useradd -r username
3.4.2. Attaching New Users to Groups
The useradd command creates a User Private Group (UPG, a group assigned to a user account to which that user exclusively belongs) whenever a new user is added to the system and names the group after the user. For example, when the account robert is created, a UPG named robert is created at the same time, the only member of which is the user robert.
If you do not want to create a User Private Group for a user for whatever reason, execute the useradd command with the following option:
useradd -N username
Group membership is set with the -g and -G options. While the -g option specifies the primary group membership, -G refers to supplementary groups into which the user is also included. The group names you specify must already exist on the system.
Example 3.7. Adding a User to a Group
~]# useradd -g "friends" -G "family,schoolmates" emily
The useradd -g "friends" -G "family,schoolmates" emily command creates the user emily, but emily's primary group is set to friends as specified by the -g option. emily is also a member of the supplementary groups family and schoolmates.
To add an existing user to supplementary groups, use the usermod command with the -a and -G options and a list of groups separated by commas, with no spaces. Without -a, usermod -G replaces the user's current list of supplementary groups with the one you give, silently dropping memberships that are not listed:
usermod -a -G group_1,group_2,group_3 username
3.4.3. Updating Users' Authentication
If you create a user with the useradd username command, the password is automatically set to never expire (see the /etc/shadow file).
User passwords are managed with passwd, the standard utility for administering user passwords. The syntax of the passwd command looks as follows:
passwd option(s) username
To lock a user's account, use passwd with the -l option, which prefixes the hashed password in /etc/shadow with an exclamation mark (!). If you later find a reason to unlock the account, passwd has a reverse operation for locking. Only root can carry out these two operations.
passwd -l username
passwd -u username
Example 3.8. Unlocking a User Password
~]# passwd -l robert
Locking password for user robert.
passwd: Success
~]# passwd -u robert
passwd: Warning: unlocked password would be empty
passwd: Unsafe operation (use -f to force)
The -l option locks robert's account password successfully. However, running the passwd -u command does not unlock the password, because robert was never given a password: removing the lock would leave the password field empty, and by default passwd refuses to create a passwordless account.
To force a user to change their password at the next login, use passwd with the -e option. The password is expired immediately and the user will be prompted for a new one during the next login attempt:
passwd -e username
You can also set the minimum (the -n option) and the maximum (the -x option) password lifetimes. To inform the user about the approaching password expiration, use the -w option. All these options must be accompanied by the number of days and can be run as root only.
Example 3.9. Adjusting Aging Data for User Passwords
~]# passwd -n 10 -x 60 -w 3 jane
The user jane must now keep each password for at least 10 days and change it at least every 60 days, and will begin receiving warnings 3 days before her password expires.
Use the -S option to print a short status line for the password of a given account:
~]# passwd -S jane
jane LK 2014-07-22 10 60 3 -1 (Password locked.)
The -f option of the useradd command sets the number of days after a password expires until the account is disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 (the default) turns the feature off, that is, the user simply has to change the password when it expires. A disabled account stays disabled until the system administrator unlocks it:
useradd -f number-of-days username
For more information on the passwd command, see the passwd(1) man page.
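The -n, -x, -w and -f values above end up as the min, max, warn and inactive fields of the user's /etc/shadow entry, and the system decides at each login what they mean for that day. The function below is an added example, not from the guide: it takes one shadow(5)-format line plus a day number (days since 1970-01-01, the unit shadow uses) and states the account's status in the order login applies the rules. The entries are constructed; the function name and the chosen reference day (16273, that is 2014-07-22) are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat Deployment Guide.
# shadow_status LINE TODAY: interpret one shadow(5) entry.
#   LINE  is name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   TODAY is a day count since 1970-01-01, e.g. $(( $(date +%s) / 86400 ))
# Prints a one-line verdict in the order login applies the rules:
# account expiry, lock, forced change, then password age.
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        name = $1; hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        if (expire != "" && today >= expire + 0) { print name ": account expired"; exit }
        if (hash ~ /^[!*]/)                      { print name ": password locked"; exit }
        if (hash == "")                          { print name ": no password set"; exit }
        if (last == "0")                         { print name ": must change password at next login"; exit }
        if (max == "" || max + 0 >= 99999)       { print name ": password never expires"; exit }
        due = last + max                          # day the password expires
        if (today >= due) {
            if (inact != "" && today >= due + inact)
                print name ": password expired, account disabled (inactive period over)"
            else
                print name ": password expired, must change at login"
            exit
        }
        if (today >= due - warn) print name ": password expires in " (due - today) " days (warning period)"
        else                     print name ": ok, " (due - today) " days left"
    }'
}

# Constructed shadow entries, evaluated as of day 16273 (2014-07-22).
today=16273
for entry in \
    'jane:$6$salt$hash:16263:10:60:3:::' \
    'warnme:$6$salt$hash:16215:0:60:3:::' \
    'emily:$6$salt$hash:16200:0:60:7:14::' \
    'tom:$6$salt$hash:16100:0:60:7:14::' \
    'robert:!$6$salt$hash:16200:0:99999:7:::' \
    'newbie:$6$salt$hash:0:0:99999:7:::' \
    'old:$6$salt$hash:16200:0:99999:7::16200:'
do
    shadow_status "$entry" "$today"
done
```

To check a live system, feed it the relevant line of /etc/shadow as root, for example `shadow_status "$(grep '^jane:' /etc/shadow)" "$(( $(date +%s) / 86400 ))"`; the same day arithmetic is what chage -l performs internally.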
3.4.4. Modifying User Settings
User settings are changed with the usermod command. The logic of using usermod is identical to useradd, as is its syntax:
usermod option(s) username
To change the user name, use the -l option with the new user name (or login).
Example 3.10. Changing User's Login
~]# usermod -l "emily-smith" emily
The -l option changes the name of the user from the login emily to the new login, emily-smith. Nothing else is changed. In particular, emily's home directory name (/home/emily) remains the same unless it is changed manually to reflect the new user name.
Note
Example 3.11. Changing User's UID and Home Directory
~]# usermod -u 699 -d /home/dir_2 robert
The -u and -d options change the settings of user robert. Now his UID is 699 instead of 502, and his home directory is no longer /home/robert but /home/dir_2. Note that usermod -u changes the ownership of files in the user's home directory and mail spool only; files owned by the old UID elsewhere on the system keep their numeric owner and must be fixed manually. Likewise, -d without -m only changes the /etc/passwd entry and does not move the existing home directory contents.
usermod
command you can also move the content of the user's home directory to a new location, or lock the account by locking its password.
Example 3.12. Changing User's Home Directory and Locking the Account
~]# usermod -m -d /home/dir_3 -L jane
The -m and -d options used together move the content of jane's home directory to the /home/dir_3 directory. The -L option locks access to jane's account by locking its password.
For more information on the usermod command, see the usermod(8) man page or run usermod --help on the command line.
3.4.5. Deleting Users
To delete a user account, run the userdel command on the command line as root.
userdel username
Running userdel with the -r option removes files in the user's home directory along with the home directory itself and the user's mail spool. Files located in other file systems have to be searched for and deleted manually.
userdel -r username
Note
The -r option is relatively safer, and thus recommended, compared to -f, which forces the removal of the user account even if the user is still logged in.
3.4.6. Displaying Comprehensive User Information
lslogins [OPTIONS]
See the lslogins(1) manual page or the output of the lslogins --help command for the complete list of available options and their usage.
Running the lslogins command without any options shows default information about all system and user accounts on the system: their UID, user name, and GECOS information, as well as information about the user's last login to the system, and whether their password is locked or login by password is disabled.
Example 3.13. Displaying basic information about all accounts on the system
~]# lslogins
UID USER PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 0 0 root
1 bin 0 1 bin
2 daemon 0 1 daemon
3 adm 0 1 adm
4 lp 0 1 lp
5 sync 0 1 sync
6 shutdown 0 1 Jul21/16:20 shutdown
7 halt 0 1 halt
8 mail 0 1 mail
10 uucp 0 1 uucp
11 operator 0 1 operator
12 games 0 1 games
13 gopher 0 1 gopher
14 ftp 0 1 FTP User
29 rpcuser 0 1 RPC Service User
32 rpc 0 1 Rpcbind Daemon
38 ntp 0 1
42 gdm 0 1
48 apache 0 1 Apache
68 haldaemon 0 1 HAL daemon
69 vcsa 0 1 virtual console memory owner
72 tcpdump 0 1
74 sshd 0 1 Privilege-separated SSH
81 dbus 0 1 System message bus
89 postfix 0 1
99 nobody 0 1 Nobody
113 usbmuxd 0 1 usbmuxd user
170 avahi-autoipd 0 1 Avahi IPv4LL Stack
173 abrt 0 1
497 pulse 0 1 PulseAudio System Daemon
498 saslauth 0 1 Saslauthd user
499 rtkit 0 1 RealtimeKit
500 jsmith 0 0 10:56:12 John Smith
501 jdoe 0 0 12:13:53 John Doe
502 esmith 0 0 12:59:05 Emily Smith
503 jeyre 0 0 12:22:14 Jane Eyre
65534 nfsnobody 0 1 Anonymous NFS User
To display details about one account, use the lslogins LOGIN command, where LOGIN is either a UID or a user name. The following example displays detailed information about John Doe's account and his activity on the system:
Example 3.14. Displaying detailed information about a single account
~]# lslogins jdoe
Username: jdoe
UID: 501
Gecos field: John Doe
Home directory: /home/jdoe
Shell: /bin/bash
No login: no
Password is locked: no
Password no required: no
Login by password disabled: no
Primary group: jdoe
GID: 501
Supplementary groups: users
Supplementary group IDs: 100
Last login: 12:13:53
Last terminal: pts/3
Last hostname: 192.168.100.1
Hushed: no
Password expiration warn interval: 7
Password changed: Aug01/02:00
Maximal change time: 99999
Password expiration: Sep01/02:00
Selinux context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
With the --logins=LOGIN option, you can display information about a group of accounts that are specified as a list of UIDs or user names. With the --output=COLUMNS option, where COLUMNS is a list of available output parameters, you can customize the output of the lslogins command. For example, the following command shows the login activity of the users root, jsmith, jdoe, and esmith:
Example 3.15. Displaying specific information about a group of users
~]# lslogins --logins=0,500,jdoe,esmith \
> --output=UID,USER,LAST-LOGIN,LAST-TTY,FAILED-LOGIN,FAILED-TTY
UID USER   LAST-LOGIN LAST-TTY FAILED-LOGIN FAILED-TTY
  0 root
500 jsmith 10:56:12   pts/2
501 jdoe   12:13:53   pts/3
502 esmith 15:46:16   pts/3    15:46:09     ssh:notty
To limit the output to system accounts, use the --system-accs option. To address user accounts, use --user-accs. For example, the following command displays information about supplementary groups and password expirations for all user accounts:
Example 3.16. Displaying information about supplementary groups and password expiration for all user accounts
~]# lslogins --user-accs --supp-groups --acc-expiration
UID   USER      GID   GROUP     SUPP-GIDS SUPP-GROUPS PWD-WARN PWD-MIN PWD-MAX PWD-CHANGE  PWD-EXPIR
0     root      0     root                            7                99999   Jul21/02:00
500   jsmith    500   jsmith    1000,100  staff,users 7                99999   Jul21/02:00
501   jdoe      501   jdoe      100       users       7                99999   Aug01/02:00 Sep01/02:00
502   esmith    502   esmith    100       users       7                99999   Aug01/02:00
503   jeyre     503   jeyre     1000,100  staff,users 7                99999   Jul28/02:00 Sep01/02:00
65534 nfsnobody 65534 nfsnobody                                                Jul21/02:00
The ability to customize the output of lslogins commands according to the user's needs makes lslogins an ideal tool to use in scripts and for automatic processing. For example, the following command returns a single string that represents the time and date of the last login. This string can be passed as input to another utility for further processing.
Example 3.17. Displaying a single piece of information without the heading
~]# lslogins --logins=jsmith --output=LAST-LOGIN --time-format=iso | tail -1
2014-08-06T10:56:12+0200
3.5. Managing Groups via Command-Line Tools
groupadd, groupmod, groupdel, or gpasswd. The files affected include /etc/group, which stores group account information, and /etc/gshadow, which stores secure group account information.
3.5.1. Creating Groups
groupadd
command is run at the shell prompt as root
.
groupadd group_name
Example 3.18. Creating a Group with Default Settings
~]# groupadd friends
groupadd
command creates a new group called friends
. You can read more information about the group from the newly-created line in the /etc/group
file:
classmates:x:30005:
friends
is attached with a unique GID (group ID) of 30005 and is not attached with any users. Optionally, you can set a password for a group by running gpasswd groupname
.
groupadd option(s) groupname
To choose the GID yourself, run the groupadd command with the -g option. Remember that this value must be unique (unless the -o option is used) and non-negative.
groupadd -g GID groupname
Example 3.19. Creating a Group with Specified GID
The following command creates the group schoolmates and sets the GID 60002 for it:
~]# groupadd -g 60002 schoolmates
When -g is used and the GID already exists, groupadd refuses to create another group with the existing GID. As a workaround, use the -f option, with which groupadd creates the group but assigns it a different, unused GID:
groupadd -f -g GID groupname
To create a system group, add the -r option to the groupadd command. System groups are used for system purposes, which practically means that the GID is allocated from the reserved system range below GID_MIN (below 500 on Red Hat Enterprise Linux 6; see the SYS_GID_MIN and SYS_GID_MAX directives in login.defs(5)).
groupadd -r group_name
For more information on groupadd, see the groupadd(8) man page.
3.5.2. Attaching Users to Groups
To add a user to a group or remove a user from it, use the gpasswd command.
gpasswd -a username which_group_to_edit
gpasswd -d username which_group_to_edit
To set the complete list of group members at once, use the --members option with the user names separated by commas and no spaces; this replaces the existing member list:
gpasswd --members username_1,username_2 which_group_to_edit
3.5.3. Updating Group Authentication
The gpasswd command administers the /etc/group and /etc/gshadow files. Note that this command works only if run by root or by a group administrator.
The root user can add group administrators with gpasswd -A users groupname, where users is a comma-separated list of existing users you want to be group administrators (without any spaces between commas).
To set a group password, run the gpasswd command with the relevant group name. You will be prompted to type the new password of the group.
gpasswd groupname
Example 3.20. Changing a Group Password
~]# gpasswd crowd
Changing password for group crowd
New password:
Re-enter new password:
The password for the group crowd has been changed.
To remove the group password, use the -r option:
gpasswd -r schoolmates
3.5.4. Modifying Group Settings
Group settings are changed with the groupmod command. The logic of using groupmod is identical to groupadd, as is its syntax:
groupmod option(s) groupname
To change the GID of a group, use the groupmod command in the following way:
groupmod -g GID_NEW which_group_to_edit
Note
Files owned by the old GID keep their numeric group owner and must be updated manually after the change.
To change the name of a group, use the -n option:
groupmod -n new_groupname groupname
Example 3.21. Changing a Group's Name
The following command renames the group schoolmates to crowd:
~]# groupmod -n crowd schoolmates
3.5.5. Deleting Groups
To delete a group, use the groupdel command. It modifies the system account files, deleting all entries that refer to the group. The named group must exist when you execute this command, and it must not be the primary group of any existing user; remove or reassign such users first.
groupdel groupname
3.6. Additional Resources
3.6.1. Installed Documentation
- chage(1) — A command to modify password aging policies and account expiration.
- gpasswd(1) — A command to administer the /etc/group file.
- groupadd(8) — A command to add groups.
- grpck(8) — A command to verify the /etc/group file.
- groupdel(8) — A command to remove groups.
- groupmod(8) — A command to modify group membership.
- pwck(8) — A command to verify the /etc/passwd and /etc/shadow files.
- pwconv(8) — A tool to convert standard passwords to shadow passwords.
- pwunconv(8) — A tool to convert shadow passwords to standard passwords.
- useradd(8) — A command to add users.
- userdel(8) — A command to remove users.
- usermod(8) — A command to modify users.
- group(5) — The file containing group information for the system.
- passwd(5) — The file containing user information for the system.
- shadow(5) — The file containing passwords and account expiration information for the system.
- login.defs(5) - The file containing shadow password suite configuration.
- useradd(8) - For /etc/default/useradd, see the section “Changing the default values” in the manual page.
Chapter 4. Gaining Privileges
Running as root is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using the su and sudo programs. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.
4.1. The su Command
When a user runs the su command, they are prompted for the root password and, after authentication, are given a root shell prompt.
Once logged in using the su command, the user is the root user and has absolute administrative access to the system[1]. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
To add a user to the wheel group from the command line, run the following as root:
~]# usermod -a -G wheel username
Alternatively, use the User Manager to add the user to the wheel group:
- Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command system-config-users at a shell prompt.
- Click the Users tab, and select the required user in the list of users.
- Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).
- Click the Groups tab, select the check box for the wheel group, and then click OK.
Once you have added the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, you will need to edit the PAM configuration file for su: /etc/pam.d/su. Open this file in a text editor and remove the comment (#) from the following line:
#auth required pam_wheel.so use_uid
After this change, only members of the administrative group wheel can switch to another user using the su command.
Note
The root user is part of the wheel group by default.
4.2. The sudo Command
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
The basic format of the sudo command is as follows:
sudo <command>
In the above example, <command> would be replaced by a command normally reserved for the root user, such as mount.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command, and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 6 Security Guide.
Each successful authentication using sudo is logged to the file /var/log/messages, and the command issued along with the issuer's user name is logged to the file /var/log/secure. Should you require additional logging, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:
session required pam_tty_audit.so disable=<pattern> enable=<pattern>
where <pattern> is a comma-separated list of user names. For example, the following configuration enables TTY auditing for the root user and disables it for all other users:
session required pam_tty_audit.so disable=* enable=root
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command, which locks the file and checks it for syntax errors before saving.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user, juan, can use sudo from any host and execute any command.
The example below illustrates the granularity possible when configuring sudo:
%users localhost=/sbin/shutdown -h now
This example states that any member of the group users can issue the command /sbin/shutdown -h now as long as it is issued from the console.
The man page for sudoers has a detailed listing of options for this file.
Important
There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access.
- By default, sudo stores the sudoer's password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves his workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:
Defaults timestamp_timeout=<value>
where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes sudo to require a password every time.
- If a sudoer's account is compromised, an attacker can use sudo to open a new shell with administrative privileges:
sudo /bin/bash
Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed.
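The risks listed above are visible in the sudoers file itself: a group given ALL, a NOPASSWD: ALL entry, a permitted command that is itself a shell, or a missing or negative timestamp_timeout. The script below is an added example, not from the guide or the sudo project: it reads a sudoers-format file and reports those patterns. It understands the plain `who where=(as) what` form shown on this page, not the full grammar (aliases are skipped and #include directives are not followed). The sample file is constructed; the function name and message wording are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat Deployment Guide or the sudo project.
# audit_sudoers FILE: report risky entries in a sudoers-format file.
# Handles the "who where=(as) TAGS: commands" form and Defaults lines only.
# Prints "line N: ..." per finding plus a note about the credential cache,
# and returns the number of findings.
audit_sudoers() {
    awk '
    function finding(msg) { printf "line %d: %s\n", NR, msg; bad++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blanks, #include
    $1 ~ /^Defaults/ {
        if ($0 ~ /!authenticate/) finding("!authenticate turns off password prompting")
        if (match($0, /timestamp_timeout=-?[0-9]+/)) {
            t = substr($0, RSTART + 18, RLENGTH - 18)   # value after "timestamp_timeout="
            if (t + 0 < 0) finding("timestamp_timeout=" t " caches the password forever")
            else timeout = t
        }
        next
    }
    /^(User|Host|Cmnd|Runas)_Alias/ { next }
    {
        spec = $0
        sub(/^[^=]*=/, "", spec)                       # keep what follows "host="
        sub(/^[ \t]*\([^)]*\)/, "", spec)              # drop the (runas) list
        nopw = (spec ~ /NOPASSWD:/)
        gsub(/[A-Z]+:/, "", spec)                      # drop tags such as NOPASSWD:
        gsub(/^[ \t]+|[ \t]+$/, "", spec)
        if (spec == "ALL" && nopw)
            finding($1 " may run any command as root with no password at all")
        else if (spec == "ALL" && $1 ~ /^%/)
            finding("every member of group " substr($1, 2) " gets unrestricted root")
        else if (spec ~ /(\/bash|\/sh|\/zsh|\/ksh|\/su|\/vim?)( |,|$)/)
            finding($1 " may run a shell or editor from which a root shell is one keystroke away")
    }
    END {
        if (timeout == "")
            print "note: timestamp_timeout not set, sudo caches credentials for the default 5 minutes"
        else if (timeout + 0 == 0)
            print "note: timestamp_timeout=0, a password is required for every sudo"
        else
            print "note: timestamp_timeout=" timeout " minutes"
        exit bad + 0
    }' "$1"
}

# Constructed sudoers file for the demonstration (not a real system's).
sample=$(mktemp)
cat > "$sample" <<'EOF'
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
juan    ALL=(ALL)       ALL
deploy  ALL=(ALL)       NOPASSWD: ALL
ops     ALL=(root)      /bin/bash
%users  localhost=/sbin/shutdown -h now
Defaults timestamp_timeout=0
EOF
audit_sudoers "$sample" || echo "findings: $?"
rm -f "$sample"
```

A user-level `juan ALL=(ALL) ALL` is deliberately not reported, since that is the documented way to delegate full access to one named person; the findings concern entries that widen access beyond what the administrator probably intended. Run visudo -c after any change to confirm the file still parses.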
4.3. Additional Resources
Installed Documentation
- su(1) - the manual page for su provides information regarding the options available with this command.
- sudo(8) - the manual page for sudo includes a detailed description of this command as well as a list of options available for customizing sudo's behavior.
- pam(8) - the manual page describing the use of Pluggable Authentication Modules for Linux.
Online Documentation
- Red Hat Enterprise Linux 6 Security Guide - The Security Guide describes in detail security risks and mitigating techniques related to programs for gaining privileges.
- Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards - This guide provides, among other things, a detailed description of Pluggable Authentication Modules (PAM), their configuration and usage.
Chapter 5. Console Access
Users logged in at the system console are granted two kinds of special permission:
- They can run certain programs that they otherwise cannot run.
- They can access certain files that they otherwise cannot access. These files normally include special device files used to access diskettes, CD-ROMs, and so on.
The programs a console user can run include halt, poweroff, and reboot.
5.1. Disabling Console Program Access for Non-root Users
The programs that console users are allowed to run are represented by files in the /etc/security/console.apps/ directory. To list these programs, run the following command:
~]$ ls /etc/security/console.apps
abrt-cli-root
config-util
eject
halt
poweroff
reboot
rhn_register
setup
subscription-manager
subscription-manager-gui
system-config-network
system-config-network-cmd
xserver
The PAM configuration file for each program listed in /etc/security/console.apps/ resides in the /etc/pam.d/ directory and is named the same as the program. Using this file, you can configure PAM to deny access to the program if the user is not root. To do that, insert the line auth requisite pam_deny.so directly after the first uncommented line auth sufficient pam_rootok.so. Because pam_rootok.so is marked sufficient, root is accepted at that line; every other user then reaches the requisite pam_deny.so and is rejected immediately, before any later module runs.
Example 5.1. Disabling Access to the Reboot Program
To disable access to the reboot program in /etc/security/console.apps/reboot, insert the line auth requisite pam_deny.so into the /etc/pam.d/reboot PAM configuration file:
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       requisite    pam_deny.so
auth       required     pam_console.so
#auth       include      system-auth
account    required     pam_permit.so
Console access to the reboot utility is now disabled for non-root users.
Some programs in /etc/security/console.apps/ partially derive their PAM configuration from the /etc/pam.d/config-util configuration file. This allows you to change the configuration for all these programs at once by editing /etc/pam.d/config-util. To find all these programs, search for PAM configuration files that refer to the config-util file:
~]# grep -l "config-util" /etc/pam.d/*
/etc/pam.d/abrt-cli-root
/etc/pam.d/rhn_register
/etc/pam.d/subscription-manager
/etc/pam.d/subscription-manager-gui
/etc/pam.d/system-config-network
/etc/pam.d/system-config-network-cmd
Note that this does not cover halt, poweroff, reboot, and other programs which are accessible from the console by default but do not include config-util; their files in /etc/pam.d/ must be changed individually, as in Example 5.1.
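The following script is an added example and is not part of the Deployment Guide. It applies the change from Example 5.1 to a PAM service file in a repeatable way: it inserts auth requisite pam_deny.so directly after the first uncommented pam_rootok.so line, does nothing if that line is already followed by the deny rule, and refuses to touch a file that has no pam_rootok.so line at all (such a file would otherwise lock root out as well). A second function checks whether a file already denies everyone but root. Both read the file on standard input and write to standard output, so nothing under /etc/pam.d/ changes unless you redirect the output there yourself. The sample file is constructed after the /etc/pam.d/reboot listing shown above.

```bash
#!/bin/bash
# Added example (not from the Deployment Guide): harden a PAM service file as
# described in Section 5.1. Input on stdin, result on stdout.

# Insert "auth requisite pam_deny.so" directly after the first uncommented
# "auth sufficient pam_rootok.so" line, unless it is already there.
# Returns 1 and prints nothing if no pam_rootok.so line exists.
deny_non_root() {
    awk '
    { lines[NR] = $0 }
    END {
        for (i = 1; i <= NR; i++)
            if (!done && lines[i] ~ /^[ \t]*auth[ \t]+sufficient[ \t]+pam_rootok\.so/)
                done = i
        if (!done) exit 1
        for (i = 1; i <= NR; i++) {
            print lines[i]
            if (i == done && lines[i+1] !~ /^[ \t]*auth[ \t]+requisite[ \t]+pam_deny\.so/)
                print "auth       requisite    pam_deny.so"
        }
    }'
}

# Returns 0 if the file denies everyone but root, i.e. a requisite pam_deny.so
# follows the rootok line before any other auth entry; otherwise 1.
denies_non_root() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*auth[ \t]+sufficient[ \t]+pam_rootok\.so/ { seen = 1; next }
    seen && /^[ \t]*auth[ \t]+requisite[ \t]+pam_deny\.so/ { found = 1; exit }
    seen && /^[ \t]*auth[ \t]/ { exit }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample modelled on the /etc/pam.d/reboot file shown above.
SAMPLE_REBOOT='#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
#auth       include      system-auth
account    required     pam_permit.so'

hardened=$(printf '%s\n' "$SAMPLE_REBOOT" | deny_non_root)
printf '%s\n' "$hardened"
if printf '%s\n' "$hardened" | denies_non_root; then
    echo "-- non-root access denied"
fi
```

To apply it to a real service, run as root something like `deny_non_root < /etc/pam.d/reboot > /tmp/reboot.new` and inspect the result before copying it into place; running `denies_non_root < /etc/pam.d/config-util` afterwards tells you whether the shared file, and therefore every program that includes it, has been hardened.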
5.2. Disabling Rebooting Using Ctrl+Alt+Del
The behavior of the Ctrl+Alt+Del key combination is defined in the /etc/init/control-alt-delete.conf file. By default, the shutdown utility with the -r option is used to shut down and reboot the system.
To disable this, override the exec stanza of that job with the exec true command, which does nothing. To do that, run the following command as root (check first that the override file does not already contain another exec line, since the command appends):
~]# echo "exec true" >> /etc/init/control-alt-delete.override
Part II. Subscription and Support
Chapter 6. Registering the System and Managing Subscriptions
Note
6.1. Registering the System and Attaching Subscriptions
Note that the subscription-manager commands are supposed to be run as root.
- Run the following command to register your system. You will be prompted to enter your user name and password. Note that the user name and password are the same as your login credentials for Red Hat Customer Portal.
subscription-manager register
- Determine the pool ID of a subscription that you require. To do so, type the following at a shell prompt to display a list of all subscriptions that are available for your system:
subscription-manager list --available
For each available subscription, this command displays its name, unique identifier, expiration date, and other details related to your subscription. To list subscriptions for all architectures, add the --all option. The pool ID is listed on a line beginning with Pool ID.
- Attach the appropriate subscription to your system by entering a command as follows:
subscription-manager attach --pool=pool_id
Replace pool_id with the pool ID you determined in the previous step. To verify the list of subscriptions your system has currently attached, at any time, run:
subscription-manager list --consumed
Note
The system needs network access to Red Hat's servers for yum and subscription-manager to work correctly. Refer to the "Setting Firewall Access for Content Delivery" section of the Red Hat Enterprise Linux 6 Subscription Management guide if you use a firewall and to the "Using an HTTP Proxy" section if you use a proxy.
6.2. Managing Software Repositories
After the system is registered and a subscription is attached, subscription-manager writes the repository definitions for that subscription into the /etc/yum.repos.d/ directory. To verify that, use yum to list all enabled repositories:
yum repolist
To list all repositories available to the system, including disabled ones, run:
subscription-manager repos --list
Repository IDs follow a fixed pattern. For Red Hat Software Collections, for example, the repositories are named:
rhel-variant-rhscl-version-rpms
rhel-variant-rhscl-version-debug-rpms
rhel-variant-rhscl-version-source-rpms
where variant is the Red Hat Enterprise Linux system variant (server or workstation), and version is the Red Hat Enterprise Linux system version (6 or 7), for example:
rhel-server-rhscl-6-eus-rpms
rhel-server-rhscl-6-eus-source-rpms
rhel-server-rhscl-6-eus-debug-rpms
To enable or disable a repository, run:
subscription-manager repos --enable repository
subscription-manager repos --disable repository
6.3. Removing Subscriptions
- Determine the serial number of the subscription you want to remove by listing information about already attached subscriptions:
subscription-manager list --consumed
The serial number is the number listed as Serial. For instance, 744993814251016831 in the example below:
SKU:               ES0113909
Contract:          01234567
Account:           1234567
Serial:            744993814251016831
Pool ID:           8a85f9894bba16dc014bccdd905a5e23
Active:            False
Quantity Used:     1
Service Level:     SELF-SUPPORT
Service Type:      L1-L3
Status Details:
Subscription Type: Standard
Starts:            02/27/2015
Ends:              02/27/2016
System Type:       Virtual
- Enter a command as follows to remove the selected subscription:
subscription-manager remove --serial=serial_number
Replace serial_number with the serial number you determined in the previous step.
To remove all subscriptions attached to the system at once, run:
subscription-manager remove --all
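The following function is an added example and is not part of the Deployment Guide or of subscription-manager. It picks the serial number of an attached subscription out of the output of subscription-manager list --consumed by its Pool ID, so the removal step above can be scripted instead of copied by hand. It reads the listing on standard input; records are assumed to be separated by blank lines, as in the listing format shown above. The two-record sample at the bottom is constructed.

```bash
#!/bin/bash
# Added example (not from the Deployment Guide): print the Serial of the
# attached subscription whose Pool ID equals $1, reading the output of
# "subscription-manager list --consumed" on stdin. Prints nothing if absent.
serial_for_pool() {
    awk -v want="$1" '
    /^[ \t]*Serial:/  { serial = $2 }
    /^[ \t]*Pool ID:/ { pool = $3 }
    # Blank line ends a record: report it if it is the one we want.
    /^[ \t]*$/ && pool != "" {
        if (pool == want) { print serial; found = 1; exit }
        serial = ""; pool = ""
    }
    END { if (!found && pool == want && serial != "") print serial }'
}

# Constructed sample with two records (same field layout as the listing above).
SAMPLE_CONSUMED='Subscription Name: Red Hat Enterprise Linux Server
SKU:               RH0000000
Serial:            111111111111111111
Pool ID:           aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Active:            True

Subscription Name: Red Hat Enterprise Linux Server, Self-support
SKU:               ES0113909
Serial:            744993814251016831
Pool ID:           8a85f9894bba16dc014bccdd905a5e23
Active:            False'

printf '%s\n' "$SAMPLE_CONSUMED" | serial_for_pool 8a85f9894bba16dc014bccdd905a5e23
```

On a registered system the same function feeds the removal command directly: subscription-manager remove --serial="$(subscription-manager list --consumed | serial_for_pool pool_id)". Check that the substitution is non-empty before running it, since an empty --serial value is not what you want to hand to the tool.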
6.4. Additional Resources
Installed Documentation
- subscription-manager(8) — the manual page for Red Hat Subscription Management provides a complete list of supported options and commands.
Related Books
- Red Hat Subscription Management collection of guides — These guides contain detailed information how to use Red Hat Subscription Management.
- Installation Guide — see the Firstboot chapter for detailed information on how to register during the firstboot process.
Online Resources
- Red Hat Access Labs — The Red Hat Access Labs includes a “Registration Assistant”.
See Also
- Chapter 4, Gaining Privileges documents how to gain administrative privileges by using the su and sudo commands.
- Chapter 8, Yum provides information about using the yum package manager to install and update software.
- Chapter 9, PackageKit provides information about using the PackageKit package manager to install and update software.
Chapter 7. Accessing Support Using the Red Hat Support Tool
The Red Hat Support Tool, redhat-support-tool, can be run over SSH or from any terminal. It enables, for example, searching the Red Hat Knowledgebase from the command line, copying solutions directly on the command line, opening and updating support cases, and sending files to Red Hat for analysis.
7.1. Installing the Red Hat Support Tool
To install the tool, enter the following command as root:
~]# yum install redhat-support-tool
7.2. Registering the Red Hat Support Tool Using the Command Line
To register the Red Hat Support Tool to the customer portal using the command line, set the user name:
~]# redhat-support-tool config user username
Where username is the user name of the Red Hat Customer Portal account. Then set the password:
~]# redhat-support-tool config password
Please enter the password for username:
7.3. Using the Red Hat Support Tool in Interactive Shell Mode
To start the tool in interactive mode, enter the following command:
~]$ redhat-support-tool
Welcome to the Red Hat Support Tool.
Command (? for help):
The tool can be run as an unprivileged user, with a consequently reduced set of commands, or as root.
The available commands can be listed by entering the ? character. The program or menu selection can be exited by entering the q or e character. You will be prompted for your Red Hat Customer Portal user name and password when you first search the Knowledgebase or support cases. Alternately, set the user name and password for your Red Hat Customer Portal account using interactive mode, and optionally save it to the configuration file.
7.4. Configuring the Red Hat Support Tool
When in interactive mode, the configuration options can be listed by entering the command config --help:
~]# redhat-support-tool
Welcome to the Red Hat Support Tool.
Command (? for help): config --help
Usage: config [options] config.option <new option value>

Use the 'config' command to set or get configuration file values.

Options:
  -h, --help    show this help message and exit
  -g, --global  Save configuration option in /etc/redhat-support-tool.conf.
  -u, --unset   Unset configuration option.

The configuration file options which can be set are:
 user          : The Red Hat Customer Portal user.
 password      : The Red Hat Customer Portal password.
 debug         : CRITICAL, ERROR, WARNING, INFO, or DEBUG
 url           : The support services URL. Default=https://api.access.redhat.com
 proxy_url     : A proxy server URL.
 proxy_user    : A proxy server user.
 proxy_password: A password for the proxy server user.
 ssl_ca        : Path to certificate authorities to trust during communication.
 kern_debug_dir: Path to the directory where kernel debug symbols should be downloaded and cached. Default=/var/lib/redhat-support-tool/debugkernels

Examples:
- config user
- config user my-rhn-username
- config --unset user
Procedure 7.1. Registering the Red Hat Support Tool Using Interactive Mode
- Start the tool by entering the following command:
~]# redhat-support-tool
- Enter your Red Hat Customer Portal user name:
Command (? for help): config user username
To save your user name to the global configuration file, add the -g option.
- Enter your Red Hat Customer Portal password:
Command (? for help): config password
Please enter the password for username:
7.4.1. Saving Settings to the Configuration Files
Unless directed otherwise, the tool stores values and options in the current user's home directory, in the ~/.redhat-support-tool/redhat-support-tool.conf configuration file. If a password must be saved at all, save it to this file, because it is readable only by that particular user. When the tool starts, it reads values from the global configuration file /etc/redhat-support-tool.conf and from the local configuration file. Locally stored values and options take precedence over globally stored settings.
Warning
Do not save passwords in the global /etc/redhat-support-tool.conf configuration file: the password is only base64 encoded and can trivially be decoded, and the file is world readable. Base64 is an encoding, not encryption, so the only protection a stored password has is the permission mode of the file that holds it.
To save a value or option to the global configuration file, use the -g, --global option as follows:
Command (? for help): config setting -g value
Note
In order to save settings globally with the -g, --global option, the Red Hat Support Tool must be run as root because normal users do not have the permissions required to write to /etc/redhat-support-tool.conf.
To remove a value or option from the local configuration file, use the -u, --unset option as follows:
Command (? for help): config setting -u value
This will clear, unset, the parameter from the tool and fall back to the equivalent setting in the global configuration file, if available.
Note
When the tool is run by an unprivileged user, values stored in the global configuration file cannot be removed with the -u, --unset option, but they can be cleared, unset, from the current running instance of the tool by using the -g, --global option simultaneously with the -u, --unset option. If running as root, values and options can be removed from the global configuration file using -g, --global simultaneously with the -u, --unset option.
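The following script is an added example and is not part of the Deployment Guide or of the Red Hat Support Tool; it makes the Warning above concrete. Given a configuration file, it reports whether a password is stored in it, whether the file is world readable, and, when both hold, decodes the value to show that base64 conceals nothing. The key = value line layout of the sample file is an assumption about the tool's configuration format; the base64(1) utility from coreutils is assumed to be available. The sample file is constructed with a made-up password.

```bash
#!/bin/bash
# Added example (not from the Deployment Guide or redhat-support-tool):
# check a config file for a stored, exposed password.

# Print the stored (still base64-encoded) password, or nothing if none.
# Assumes a "password = VALUE" line, which is an assumption about the format.
stored_password() {
    sed -n 's/^ *password *[=:] *//p' "$1" | head -n 1
}

# True if users other than owner and group can read the file
# (8th character of "ls -l" output is the "other read" bit).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# base64 is reversible by anyone; this is the whole point of the Warning.
decode_password() {
    printf '%s' "$1" | base64 -d
}

# Returns 0 if nothing is exposed, 1 if a password sits in a world-readable file.
audit_support_conf() {
    local f=$1 pw
    pw=$(stored_password "$f")
    if [ -z "$pw" ]; then
        echo "$f: no password stored"
        return 0
    fi
    if world_readable "$f"; then
        echo "$f: password stored in a world-readable file; anyone can recover it: $(decode_password "$pw")"
        return 1
    fi
    echo "$f: password stored; protection rests on the file mode only"
    return 0
}

# Constructed sample mimicking a global /etc/redhat-support-tool.conf.
sample=$(mktemp)
printf '[RHHelp]\nuser = jdoe\npassword = %s\n' "$(printf 'Sup3rS3cret' | base64)" > "$sample"
chmod 644 "$sample"
if audit_support_conf "$sample"; then echo "  -> ok"; else echo "  -> EXPOSED"; fi
chmod 600 "$sample"
if audit_support_conf "$sample"; then echo "  -> ok"; else echo "  -> EXPOSED"; fi
rm -f "$sample"
```

Run `audit_support_conf /etc/redhat-support-tool.conf` as part of a host review; a non-zero return means the password belongs in the per-user file (or nowhere) and the global entry should be removed with config -g -u password.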
7.5. Opening and Updating Support Cases Using Interactive Mode
Procedure 7.2. Opening a New Support Case Using Interactive Mode
- Start the tool by entering the following command:
~]# redhat-support-tool
- Enter the opencase command:
Command (? for help): opencase
- Follow the on screen prompts to select a product and then a version.
- Enter a summary of the case.
- Enter a description of the case and press Ctrl+D on an empty line when complete.
- Select a severity of the case.
- Optionally choose to see if there is a solution to this problem before opening a support case.
- Confirm you would still like to open the support case.
Support case 0123456789 has successfully been opened
- Optionally choose to attach an SOS report. An SOS report collects system configuration and log files, so review it for sensitive data before attaching it.
- Optionally choose to attach a file.
Procedure 7.3. Viewing and Updating an Existing Support Case Using Interactive Mode
- Start the tool by entering the following command:
~]# redhat-support-tool
- Enter the getcase command:
Command (? for help): getcase case-number
Where case-number is the number of the case you want to view and update.
- Follow the on screen prompts to view the case, modify or add comments, and get or add attachments.
Procedure 7.4. Modifying an Existing Support Case Using Interactive Mode
- Start the tool by entering the following command:
~]# redhat-support-tool
- Enter the modifycase command:
Command (? for help): modifycase case-number
Where case-number is the number of the case you want to view and update.
- The modify selection list appears:
Type the number of the attribute to modify or 'e' to return to the previous menu.
 1 Modify Type
 2 Modify Severity
 3 Modify Status
 4 Modify Alternative-ID
 5 Modify Product
 6 Modify Version
End of options.
Follow the on screen prompts to modify one or more of the options.
- For example, to modify the status, enter 3:
Selection: 3
 1 Waiting on Customer
 2 Waiting on Red Hat
 3 Closed
Please select a status (or 'q' to exit):
7.6. Viewing Support Cases on the Command Line
To view an existing support case on the command line, enter a command as follows:
~]# redhat-support-tool getcase case-number
Where case-number is the number of the case you want to download.
7.7. Additional Resources
Part III. Installing and Managing Software
Chapter 8. Yum
Important
Note
This chapter explains how to use yum to install, update or remove packages on your system. All examples in this chapter assume that you have already obtained superuser privileges by using either the su or sudo command.
8.1. Checking For and Updating Packages
8.1.1. Checking For Updates
To see which installed packages on your system have updates available, use the following command:
yum check-update
For example:
~]# yum check-update
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
PackageKit.x86_64 0.5.8-2.el6 rhel
PackageKit-glib.x86_64 0.5.8-2.el6 rhel
PackageKit-yum.x86_64 0.5.8-2.el6 rhel
PackageKit-yum-plugin.x86_64 0.5.8-2.el6 rhel
glibc.x86_64 2.11.90-20.el6 rhel
glibc-common.x86_64 2.10.90-22 rhel
kernel.x86_64 2.6.31-14.el6 rhel
kernel-firmware.noarch 2.6.31-14.el6 rhel
rpm.x86_64 4.7.1-5.el6 rhel
rpm-libs.x86_64 4.7.1-5.el6 rhel
rpm-python.x86_64 4.7.1-5.el6 rhel
udev.x86_64 147-2.15.el6 rhel
yum.noarch 3.2.24-4.el6 rhel
The packages in the above output are listed as having updates available. The first package in the list is PackageKit. Each line in the example output tells us:
- PackageKit: the name of the package
- x86_64: the CPU architecture the package was built for
- 0.5.8-2.el6: the version (0.5.8) and release (2.el6) of the updated package to be installed
- rhel: the repository in which the updated package is located
The output also shows that we can update the yum package manager itself.
yum check-update exits with status 100 when updates are available, 0 when there are none, and 1 on error, so scripts can use the exit status instead of parsing the listing.
8.1.2. Updating Packages
Updating a Single Package
To update a single package, run the following command as root:
yum update package_name
For example, to update the udev package, type:
~]# yum update udev
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package udev.x86_64 0:147-2.15.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================
Package Arch Version Repository Size
===========================================================================
Updating:
udev x86_64 147-2.15.el6 rhel 337 k
Transaction Summary
===========================================================================
Install 0 Package(s)
Upgrade 1 Package(s)
Total download size: 337 k
Is this ok [y/N]:
This output contains several items of interest:
- Loaded plugins: product-id, refresh-packagekit, subscription-manager — yum always informs you which Yum plug-ins are installed and enabled. See Section 8.5, “Yum Plug-ins” for general information on Yum plug-ins, or Section 8.5.3, “Plug-in Descriptions” for descriptions of specific plug-ins.
- udev.x86_64 — you can download and install a new udev package.
- yum presents the update information and then prompts you as to whether you want it to perform the update; yum runs interactively by default. If you already know which transactions the yum command plans to perform, you can use the -y option to automatically answer yes to any questions that yum asks (in which case it runs non-interactively). However, you should always examine which changes yum plans to make to the system so that you can easily troubleshoot any problems that might arise. If a transaction does go awry, you can view Yum's transaction history by using the yum history command as described in Section 8.3, “Working with Transaction History”.
Important
yum always installs a new kernel in the same sense that RPM installs a new kernel when you use the command rpm -i kernel. Therefore, you do not need to worry about the distinction between installing and upgrading a kernel package when you use yum: it will do the right thing, regardless of whether you are using the yum update or yum install command.
When using RPM, on the other hand, it is important to use the rpm -i kernel command (which installs a new kernel) instead of rpm -U kernel (which replaces the current kernel). See Section B.2.2, “Installing and Upgrading” for more information on installing/upgrading kernels with RPM.
Updating All Packages and Their Dependencies
To update all packages and their dependencies, enter yum update (without any arguments):
yum update
Updating Security-Related Packages
Discovering which packages have security updates available, and applying those first, matters more than applying everything. The security plug-in extends the yum command with a set of highly-useful security-centric commands, subcommands and options. See Section 8.5.3, “Plug-in Descriptions” for specific information.
Updating Packages Automatically
The yum-cron service runs as a cron job and downloads metadata from your package repositories. With the yum-cron service enabled, the user can schedule an automated daily Yum update as a cron job.
Note
To install the yum-cron package, enable the service at boot and start it, run as root:
~]# yum install yum-cron
~]# chkconfig yum-cron on
~]# service yum-cron start
To verify the status of the yum-cron service, run:
~]# service yum-cron status
The yum-cron service is configured in the /etc/sysconfig/yum-cron file. Keep in mind that an automated daily update installs packages without anyone reviewing the transaction; on systems where that is unacceptable, configure the service to only check for or download updates and review what was installed with yum history.
More information on yum-cron can be found in the comments within /etc/sysconfig/yum-cron and at the yum-cron(8) manual page.
8.1.3. Preserving Configuration File Changes
8.1.4. Upgrading the System Off-line with ISO and Yum
For systems that are disconnected from the network, using the yum update command with the Red Hat Enterprise Linux installation ISO image is an easy and quick way to upgrade systems to the latest minor version. The following steps illustrate the upgrading process:
- Create a target directory to mount your ISO image. This directory is not automatically created when mounting, so create it before proceeding to the next step. As root, type:
mkdir mount_dir
Replace mount_dir with a path to the mount directory. Typically, users create it as a subdirectory in the /media directory.
- Mount the Red Hat Enterprise Linux 6 installation ISO image to the previously created target directory. As root, type:
mount -o loop iso_name mount_dir
Replace iso_name with a path to your ISO image and mount_dir with a path to the target directory. Here, the -o loop option is required to mount the file as a block device.
- Copy the media.repo file from the mount directory to the /etc/yum.repos.d/ directory. Note that configuration files in this directory must have the .repo extension to function properly.
cp mount_dir/media.repo /etc/yum.repos.d/new.repo
This creates a configuration file for the yum repository. Replace new.repo with the filename, for example rhel6.repo.
- Edit the new configuration file so that it points to the Red Hat Enterprise Linux installation ISO. Add the following line into the /etc/yum.repos.d/new.repo file:
baseurl=file:///mount_dir
Replace mount_dir with a path to the mount point. While editing, check the gpgcheck setting in the copied file: if it is 0, package signatures will not be verified during the upgrade, so either set gpgcheck=1 together with a gpgkey entry pointing at the Red Hat release key, or verify the ISO image's checksum against the value published on the Customer Portal before using it.
- Update all yum repositories including /etc/yum.repos.d/new.repo created in previous steps. As root, type:
yum update
This upgrades your system to the version provided by the mounted ISO image.
- After successful upgrade, you can unmount the ISO image. As root, type:
umount mount_dir
where mount_dir is a path to your mount directory. Also, you can remove the mount directory created in the first step. As root, type:
rmdir mount_dir
- If you will not use the previously created configuration file for another installation or update, you can remove it. As root, type:
rm /etc/yum.repos.d/new.repo
Example 8.1. Upgrading from Red Hat Enterprise Linux 6.3 to 6.4
Suppose you need to upgrade a system without network access using an ISO image of the newer version, called for instance RHEL6.4-Server-20130130.0-x86_64-DVD1.iso. A target directory created for mounting is /media/rhel6/. As root, change into the directory with your ISO image and type:
~]# mount -o loop RHEL6.4-Server-20130130.0-x86_64-DVD1.iso /media/rhel6/
Then set up a yum repository for your image by copying the media.repo file from the mount directory:
~]# cp /media/rhel6/media.repo /etc/yum.repos.d/rhel6.repo
To make yum recognize the mount point as a repository, add the following line into the /etc/yum.repos.d/rhel6.repo copied in the previous step:
baseurl=file:///media/rhel6/
Now, updating the yum repository will upgrade your system to the version provided by RHEL6.4-Server-20130130.0-x86_64-DVD1.iso. As root, execute:
~]# yum update
When your system is successfully upgraded, you can unmount the image, remove the target directory and the configuration file:
~]# umount /media/rhel6/
~]# rmdir /media/rhel6/
~]# rm /etc/yum.repos.d/rhel6.repo
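The following script is an added example and is not part of the Deployment Guide. It performs the file-editing part of the procedure above (steps 3 and 4) without hand edits and hardens the result at the same time: it rewrites a media.repo read on standard input so that baseurl points at the mount directory, gpgcheck is forced on, and gpgkey points at the signing key shipped on the media. A second function checks that a mount point actually contains repository metadata and that key before yum is pointed at it. The media.repo content below is constructed; that the key file is named RPM-GPG-KEY-redhat-release at the root of the ISO, that media.repo ships with gpgcheck=0, and that it contains a single repository section are assumptions to verify against your own media.

```bash
#!/bin/bash
# Added example (not from the Deployment Guide): build a hardened .repo file
# for a mounted installation ISO.

# Rewrite media.repo (stdin) for the given mount point. Existing baseurl,
# gpgcheck and gpgkey lines are dropped and replaced, never duplicated.
# Assumes a single repository section, as on RHEL 6 media.
make_iso_repo() {
    local mount_dir=${1%/}          # strip one trailing slash for clean URLs
    awk -v m="$mount_dir" '
    /^[ \t]*(baseurl|gpgcheck|gpgkey)[ \t]*=/ { next }   # replaced below
    { print }
    END {
        print "baseurl=file://" m "/"
        print "gpgcheck=1"
        # Assumed key location on the ISO; adjust if your media differs.
        print "gpgkey=file://" m "/RPM-GPG-KEY-redhat-release"
    }'
}

# Sanity-check a mount point: without repodata yum has nothing to read, and
# without the key gpgcheck=1 fails on every package.
check_iso_mount() {
    [ -f "$1/repodata/repomd.xml" ] && [ -f "$1/RPM-GPG-KEY-redhat-release" ]
}

# Constructed media.repo, modelled on the file found on RHEL 6 install media.
SAMPLE_MEDIA_REPO='[InstallMedia]
name=Red Hat Enterprise Linux 6.4
mediaid=1359576196.686790
metadata_expire=-1
gpgcheck=0
cost=500'

# Demonstration: generate the repo file for the mount point used in Example 8.1.
printf '%s\n' "$SAMPLE_MEDIA_REPO" | make_iso_repo /media/rhel6/
```

Used in place of the cp and manual edit in the example above: `check_iso_mount /media/rhel6 && make_iso_repo /media/rhel6 < /media/rhel6/media.repo > /etc/yum.repos.d/rhel6.repo`. The gpgcheck=1 line means yum refuses any package on the media whose signature does not verify against the key, which is the check an attacker-modified ISO would fail.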
8.2. Packages and Package Groups
8.2.1. Searching Packages
You can search all RPM package names, descriptions and summaries by using the following command:
yum search term…
Example 8.2. Searching for packages matching a specific string
~]$ yum search vim gvim emacs
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
============================= N/S matched: vim ==============================
vim-X11.x86_64 : The VIM version of the vi editor for the X Window System
vim-common.x86_64 : The common files needed by any version of the VIM editor
[output truncated]
============================ N/S matched: emacs =============================
emacs.x86_64 : GNU Emacs text editor
emacs-auctex.noarch : Enhanced TeX modes for Emacs
[output truncated]
Name and summary matches mostly, use "search all" for everything.
Warning: No matches found for: gvim
The yum search command is useful for searching for packages you do not know the name of, but for which you know a related term. Note that by default, yum search returns matches in package name and summary, which makes the search faster. Use the yum search all command for a more exhaustive but slower search.
8.2.2. Listing Packages
yum list and related commands provide information about packages, package groups, and repositories.
All of Yum's list commands allow you to filter the results by appending one or more glob expressions as arguments. Glob expressions are normal strings of characters which contain one or more of the wildcard characters * (which expands to match any character multiple times) and ? (which expands to match any one character).
Note
Be sure to escape the glob expressions when passing them as arguments to a yum command, otherwise the Bash shell will interpret these expressions as pathname expansions, and potentially pass all files in the current directory that match the globs to yum. To make sure the glob expressions are passed to yum as intended, either:
- escape the wildcard characters by preceding them with a backslash character
- double-quote or single-quote the entire glob expression.
- yum list glob_expression: Lists information on installed and available packages matching all glob expressions.
Example 8.3. Listing all ABRT add-ons and plug-ins using glob expressions
Packages with various ABRT add-ons and plug-ins either begin with “abrt-addon-”, or “abrt-plugin-”. To list these packages, type the following at a shell prompt:
~]# yum list abrt-addon\* abrt-plugin\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
abrt-addon-ccpp.x86_64                 1.0.7-5.el6   @rhel
abrt-addon-kerneloops.x86_64           1.0.7-5.el6   @rhel
abrt-addon-python.x86_64               1.0.7-5.el6   @rhel
abrt-plugin-bugzilla.x86_64            1.0.7-5.el6   @rhel
abrt-plugin-logger.x86_64              1.0.7-5.el6   @rhel
abrt-plugin-sosreport.x86_64           1.0.7-5.el6   @rhel
abrt-plugin-ticketuploader.x86_64      1.0.7-5.el6   @rhel
- yum list all: Lists all installed and available packages.
- yum list installed: Lists all packages installed on your system. The rightmost column in the output lists the repository from which the package was retrieved.
Example 8.4. Listing installed packages using a double-quoted glob expression
To list all installed packages that begin with “krb” followed by exactly one character and a hyphen, type:
~]# yum list installed "krb?-*"
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
krb5-libs.x86_64                       1.8.1-3.el6   @rhel
krb5-workstation.x86_64                1.8.1-3.el6   @rhel
- yum list available: Lists all available packages in all enabled repositories.
Example 8.5. Listing available packages using a single glob expression with escaped wildcard characters
To list all available packages with names that contain “gstreamer” and then “plugin”, run the following command:
~]# yum list available gstreamer\*plugin\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Available Packages
gstreamer-plugins-bad-free.i686        0.10.17-4.el6   rhel
gstreamer-plugins-base.i686            0.10.26-1.el6   rhel
gstreamer-plugins-base-devel.i686      0.10.26-1.el6   rhel
gstreamer-plugins-base-devel.x86_64    0.10.26-1.el6   rhel
gstreamer-plugins-good.i686            0.10.18-1.el6   rhel
- yum grouplist: Lists all package groups.
- yum repolist: Lists the repository ID, name, and number of packages it provides for each enabled repository.
8.2.3. Displaying Package Information
To display information about one or more packages (glob expressions are valid here as well), use the following command:
yum info package_name
For example, to display information about the abrt package, type:
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Installed Packages
Name : abrt
Arch : x86_64
Version : 1.0.7
Release : 5.el6
Size : 578 k
Repo : installed
From repo : rhel
Summary : Automatic bug detection and reporting tool
URL : https://fedorahosted.org/abrt/
License : GPLv2+
Description: abrt is a tool to help users to detect defects in applications
: and to create a bug report with all informations needed by
: maintainer to fix it. It uses plugin system to extend its
: functionality.
The yum info package_name command is similar to the rpm -q --info package_name command, but provides as additional information the ID of the Yum repository the RPM package is found in (look for the From repo: line in the output).
You can also query the Yum database for alternative and useful information about a package by using the following command:
yumdb info package_name
This command provides additional information about a package, including the checksum of the package (and the algorithm used to produce it, such as SHA-256), the repository it was installed from, and the reason that the package is installed on the system (where user indicates it was installed by the user, and dep means it was brought in as a dependency). For example, to display additional information about the yum package, type:
~]# yumdb info yum
Loaded plugins: product-id, refresh-packagekit, subscription-manager
yum-3.2.27-4.el6.noarch
checksum_data = 23d337ed51a9757bbfbdceb82c4eaca9808ff1009b51e9626d540f44fe95f771
checksum_type = sha256
from_repo = rhel
from_repo_revision = 1298613159
from_repo_timestamp = 1298614288
installed_by = 4294967295
reason = user
releasever = 6.1
For more information on the yumdb command, see the yumdb(8) manual page.
Listing Files Contained in a Package
To list the files contained in a package, use the repoquery utility from the yum-utils package:
repoquery --list package_name
For more information on the repoquery command, see the repoquery manual page.
To find out which package provides a specific file, you can use the yum provides command, described in Finding which package owns a file.
8.2.4. Installing Packages
Installing Individual Packages
To install a single package and all of its non-installed dependencies, enter a command in the following form as root:
yum install package_name
You can also install multiple packages simultaneously by appending their names as arguments:
yum install package_name package_name
On a multilib system you can specify the architecture of the package by appending .arch to the package name. For example, to install the sqlite package for i686, type:
~]# yum install sqlite.i686
You can use glob expressions to quickly install multiple similarly-named packages:
~]# yum install perl-Crypt-\*
In addition to package names and glob expressions, you can also provide file names to yum install. If you know the name of the binary you want to install, but not its package name, you can give yum install the path name:
~]# yum install /usr/sbin/named
yum then searches through its package lists, finds the package which provides /usr/sbin/named, if any, and prompts you as to whether you want to install it.
Note
If you know you want to install the package that contains the named binary, but you do not know in which bin or sbin directory the file is installed, use the yum provides command with a glob expression:
~]# yum provides "*bin/named"
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
32:bind-9.7.0-4.P1.el6.x86_64 : The Berkeley Internet Name Domain (BIND)
: DNS (Domain Name System) server
Repo : rhel
Matched from:
Filename : /usr/sbin/named
yum provides "*/file_name" is a common and useful trick to find the package(s) that contain file_name.
Installing a Package Group
A package group is a set of packages that serve a common purpose and can be installed together. The yum grouplist -v command lists the names of all package groups, and, next to each of them, their groupid in parentheses. The groupid is always the term in the last pair of parentheses, such as kde-desktop in the following example:
~]# yum -v grouplist kde\*
Loading "product-id" plugin
Loading "refresh-packagekit" plugin
Loading "subscription-manager" plugin
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Config time: 0.123
Yum Version: 3.2.29
Setting up Group Process
Looking for repo options for [rhel]
rpmdb time: 0.001
group time: 1.291
Available Groups:
KDE Desktop (kde-desktop)
Done
You can install a package group by passing its full group name (without the groupid part) to groupinstall:
yum groupinstall group_name
You can also install by groupid:
yum groupinstall groupid
You can even pass the groupid (or quoted name) to the install command if you prepend it with an @-symbol (which tells yum that you want to perform a groupinstall):
yum install @group
For example, the following are alternative but equivalent ways of installing the KDE Desktop group:
~]# yum groupinstall "KDE Desktop"
~]# yum groupinstall kde-desktop
~]# yum install @kde-desktop
8.2.5. Removing Packages
Removing Individual Packages
To uninstall a particular package, as well as any packages that depend on it, run the following command as root:
yum remove package_name
You can remove several packages at once by adding more package names to the command. For example, to remove totem, rhythmbox, and sound-juicer, type the following at a shell prompt:
~]# yum remove totem rhythmbox sound-juicer
Similar to install, remove can take these arguments:
- package names
- glob expressions
- file lists
- package provides
Warning
Removing a Package Group
You can remove a package group using syntax congruent with the install syntax:
yum groupremove group
yum remove @group
The following are alternative but equivalent ways of removing the KDE Desktop group:
~]# yum groupremove "KDE Desktop"
~]# yum groupremove kde-desktop
~]# yum remove @kde-desktop
Important
You can instruct yum to remove only those packages which are not required by any other packages or groups by adding the groupremove_leaf_only=1 directive to the [main] section of the /etc/yum.conf configuration file. For more information on this directive, see Section 8.4.1, “Setting [main] Options”.
8.3. Working with Transaction History
The yum history command allows users to review information about a timeline of Yum transactions, the dates and times they occurred, the number of packages affected, whether transactions succeeded or were aborted, and if the RPM database was changed between transactions. Additionally, this command can be used to undo or redo certain transactions.
8.3.1. Listing Transactions
To display a list of the most recent transactions, as root, either run yum history with no additional arguments, or type the following at a shell prompt:
yum history list
To display all transactions, add the all keyword:
yum history list all
To display only transactions in a given range, use the command in the following form:
yum history list start_id..end_id
You can also list only transactions regarding a particular package or packages. To do so, use the command with a package name or a glob expression:
yum history list glob_expression
For example, the list of the first five transactions looks as follows:
~]# yum history list 1..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
5 | Jaromir ... <jhradilek> | 2011-07-29 15:33 | Install | 1
4 | Jaromir ... <jhradilek> | 2011-07-21 15:10 | Install | 1
3 | Jaromir ... <jhradilek> | 2011-07-16 15:27 | I, U | 73
2 | System <unset> | 2011-07-16 15:19 | Update | 1
1 | System <unset> | 2011-07-16 14:38 | Install | 1106
All forms of the yum history list command produce tabular output with each row consisting of the following columns:
- ID: an integer value that identifies a particular transaction.
- Login user: the name of the user whose login session was used to initiate a transaction. This information is typically presented in the Full Name <username> form. For transactions that were not issued by a user (such as an automatic system update), System <unset> is used instead.
- Date and time: the date and time when a transaction was issued.
- Action(s): a list of actions that were performed during a transaction as described in Table 8.1, “Possible values of the Action(s) field”.
- Altered: the number of packages that were affected by a transaction, possibly followed by additional information as described in Table 8.2, “Possible values of the Altered field”.
Table 8.1. Possible values of the Action(s) field
Action | Abbreviation | Description |
---|---|---|
Downgrade | D | At least one package has been downgraded to an older version. |
Erase | E | At least one package has been removed. |
Install | I | At least one new package has been installed. |
Obsoleting | O | At least one package has been marked as obsolete. |
Reinstall | R | At least one package has been reinstalled. |
Update | U | At least one package has been updated to a newer version. |
Table 8.2. Possible values of the Altered field
Symbol | Description |
---|---|
< | Before the transaction finished, the rpmdb database was changed outside Yum. |
> | After the transaction finished, the rpmdb database was changed outside Yum. |
* | The transaction failed to finish. |
# | The transaction finished successfully, but yum returned a non-zero exit code. |
E | The transaction finished successfully, but an error or a warning was displayed. |
P | The transaction finished successfully, but problems already existed in the rpmdb database. |
s | The transaction finished successfully, but the --skip-broken command-line option was used and certain packages were skipped. |
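The following script is an added example and is not part of the Deployment Guide. The symbols in Table 8.2 are the quickest indicator that something touched the RPM database behind yum's back (a manual rpm -i, or an intruder installing a package) or that a transaction did not complete, so they are worth extracting mechanically rather than eyeballing. The function reads yum history list output on standard input and prints every transaction whose Altered column carries one or more flags, together with their meaning. The sample output at the bottom is constructed to contain flagged rows; the real listing on a given system may differ in column widths.

```bash
#!/bin/bash
# Added example (not from the Deployment Guide): list flagged transactions
# from "yum history list" output (stdin). Output: ID<TAB>flags<TAB>meaning.
flagged_transactions() {
    awk -F'|' '
    BEGIN {
        desc["<"] = "rpmdb changed outside yum BEFORE the transaction"
        desc[">"] = "rpmdb changed outside yum AFTER the transaction"
        desc["*"] = "transaction failed to finish"
        desc["#"] = "finished, but yum returned a non-zero exit code"
        desc["E"] = "finished with an error or warning"
        desc["P"] = "finished, but rpmdb already had problems"
        desc["s"] = "finished with --skip-broken, packages were skipped"
    }
    NF < 5 { next }                          # plugin banner, rule line
    $1 !~ /^[ \t]*[0-9]+[ \t]*$/ { next }    # header row, not a transaction
    {
        id = $1;      gsub(/[ \t]/, "", id)
        altered = $5; gsub(/[ \t]/, "", altered)
        flags = altered; sub(/^[0-9]+/, "", flags)   # strip the package count
        if (flags == "") next
        meaning = ""
        for (i = 1; i <= length(flags); i++) {
            c = substr(flags, i, 1)
            meaning = meaning (meaning == "" ? "" : "; ") (c in desc ? desc[c] : "unknown flag " c)
        }
        printf "%s\t%s\t%s\n", id, flags, meaning
    }'
}

# Constructed sample in the format of the listing above; rows 7, 6 and 4 are flagged.
SAMPLE_HISTORY='Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     7 | Jaromir ... <jhradilek>  | 2011-08-02 10:02 | Install        |    1 *
     6 | System <unset>           | 2011-08-01 03:15 | Update         |   12 >
     5 | Jaromir ... <jhradilek>  | 2011-07-29 15:33 | Install        |    1
     4 | Jaromir ... <jhradilek>  | 2011-07-21 15:10 | Install        |    1 <E
     3 | Jaromir ... <jhradilek>  | 2011-07-16 15:27 | I, U           |   73
     2 | System <unset>           | 2011-07-16 15:19 | Update         |    1
     1 | System <unset>           | 2011-07-16 14:38 | Install        | 1106'

printf '%s\n' "$SAMPLE_HISTORY" | flagged_transactions
```

On a live system, `yum history list all | flagged_transactions` gives the IDs to feed into yum history info; a `<` or `>` flag on a transaction you do not recognise is the point at which to compare the rpmdb against package manifests rather than trust it.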
Yum also allows you to display a summary of all past transactions. To do so, run the command in the following form as root:
yum history summary
To display only transactions in a given range, type:
yum history summary start_id..end_id
Similarly to the yum history list command, you can also display a summary of transactions regarding a certain package or packages by supplying a package name or a glob expression:
yum history summary glob_expression
For instance, a summary of the transaction history displayed above looks like the following:
~]# yum history summary 1..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Login user | Time | Action(s) | Altered
-------------------------------------------------------------------------------
Jaromir ... <jhradilek> | Last day | Install | 1
Jaromir ... <jhradilek> | Last week | Install | 1
Jaromir ... <jhradilek> | Last 2 weeks | I, U | 73
System <unset> | Last 2 weeks | I, U | 1107
yum history summary command produce simplified tabular output similar to the output of yum history list.
yum history list and yum history summary are oriented towards transactions, and although they allow you to display only transactions related to a given package or packages, they lack important details, such as package versions. To list transactions from the perspective of a package, run the following command as root:
yum history package-list glob_expression
~]# yum history package-list subscription-manager\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
ID | Action(s) | Package
-------------------------------------------------------------------------------
3 | Updated | subscription-manager-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
3 | Updated | subscription-manager-firstboot-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
3 | Updated | subscription-manager-gnome-0.95.11-1.el6.x86_64
3 | Update | 0.95.17-1.el6_1.x86_64
1 | Install | subscription-manager-0.95.11-1.el6.x86_64
1 | Install | subscription-manager-firstboot-0.95.11-1.el6.x86_64
1 | Install | subscription-manager-gnome-0.95.11-1.el6.x86_64
8.3.2. Examining Transactions
root, use the yum history summary command in the following form:
yum history summary id
root:
yum history info id
yum automatically uses the last transaction. Note that when specifying more than one transaction, you can also use a range:
yum history info start_id..end_id
~]# yum history info 4..5
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Transaction ID : 4..5
Begin time : Thu Jul 21 15:10:46 2011
Begin rpmdb : 1107:0c67c32219c199f92ed8da7572b4c6df64eacd3a
End time : 15:33:15 2011 (22 minutes)
End rpmdb : 1109:1171025bd9b6b5f8db30d063598f590f1c1f3242
User : Jaromir Hradilek <jhradilek>
Return-Code : Success
Command Line : install screen
Command Line : install yum-plugin-security
Transaction performed with:
Installed rpm-4.8.0-16.el6.x86_64
Installed yum-3.2.29-17.el6.noarch
Installed yum-metadata-parser-1.1.2-16.el6.x86_64
Packages Altered:
Install screen-4.0.3-16.el6.x86_64
Install yum-plugin-security-1.1.30-17.el6.noarch
root:
yum history addon-info id
yum history info, when no id is provided, yum automatically uses the latest transaction. Another way to see the latest transaction is to use the last keyword:
yum history addon-info last
yum history addon-info command would provide the following output:
~]# yum history addon-info 4
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Transaction ID: 4
Available additional history information:
config-main
config-repos
saved_tx
- config-main — global Yum options that were in use during the transaction. See Section 8.4.1, “Setting [main] Options” for information on how to change global options.
- config-repos — options for individual Yum repositories. See Section 8.4.2, “Setting [repository] Options” for information on how to change options for individual repositories.
- saved_tx — the data that can be used by the yum load-transaction command in order to repeat the transaction on another machine (see below).
root:
yum history addon-info id information
8.3.3. Reverting and Repeating Transactions
yum history command provides means to revert or repeat a selected transaction. To revert a transaction, type the following at a shell prompt as root:
yum history undo id
root, run the following command:
yum history redo id
last keyword to undo or repeat the latest transaction.
yum history undo and yum history redo commands only revert or repeat the steps that were performed during a transaction. If the transaction installed a new package, the yum history undo command will uninstall it, and if the transaction uninstalled a package the command will again install it. This command also attempts to downgrade all updated packages to their previous version, if these older packages are still available.
root:
yum -q history addon-info id saved_tx > file_name
root:
yum load-transaction file_name
rpmdb version stored in the file must be identical to the version on the target system. You can verify the rpmdb version by using the yum version nogroups command.
8.3.4. Completing Transactions
root:
yum-complete-transaction
/var/lib/yum/transaction-all and /var/lib/yum/transaction-done files. If there are more unfinished transactions, yum-complete-transaction attempts to complete the most recent one first.
--cleanup-only option:
yum-complete-transaction --cleanup-only
8.3.5. Starting New Transaction History
root:
yum history new
/var/lib/yum/history/ directory. The old transaction history will be kept, but will not be accessible as long as a newer database file is present in the directory.
8.4. Configuring Yum and Yum Repositories
yum and related utilities is located at /etc/yum.conf. This file contains one mandatory [main] section, which allows you to set Yum options that have global effect, and can also contain one or more [repository] sections, which allow you to set repository-specific options. However, it is recommended to define individual repositories in new or existing .repo files in the /etc/yum.repos.d/ directory. The values you define in individual [repository] sections of the /etc/yum.conf file override values set in the [main] section.
- set global Yum options by editing the [main] section of the /etc/yum.conf configuration file;
- set options for individual repositories by editing the [repository] sections in /etc/yum.conf and .repo files in the /etc/yum.repos.d/ directory;
- use Yum variables in /etc/yum.conf and files in the /etc/yum.repos.d/ directory so that dynamic version and architecture values are handled correctly;
- add, enable, and disable Yum repositories on the command line; and,
- set up your own custom Yum repository.
8.4.1. Setting [main] Options
/etc/yum.conf configuration file contains exactly one [main] section, and while some of the key-value pairs in this section affect how yum operates, others affect how Yum treats repositories. You can add many additional options under the [main] section heading in /etc/yum.conf.
/etc/yum.conf configuration file can look like this:
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
[comments abridged]
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
[main] section:
- assumeyes=value — where value is one of:
  - 0 — yum should prompt for confirmation of critical actions it performs. This is the default.
  - 1 — Do not prompt for confirmation of critical yum actions. If assumeyes=1 is set, yum behaves in the same way that the command-line option -y does.
- cachedir=directory — where directory is an absolute path to the directory where Yum should store its cache and database files. By default, Yum's cache directory is /var/cache/yum/$basearch/$releasever. See Section 8.4.3, “Using Yum Variables” for descriptions of the $basearch and $releasever Yum variables.
- debuglevel=value — where value is an integer between 1 and 10. Setting a higher debuglevel value causes yum to display more detailed debugging output. debuglevel=0 disables debugging output, while debuglevel=2 is the default.
- exactarch=value — where value is one of:
  - 0 — Do not take into account the exact architecture when updating packages.
  - 1 — Consider the exact architecture when updating packages. With this setting, yum will not install an i686 package to update an i386 package already installed on the system. This is the default.
- exclude=package_name [more_package_names] — This option allows you to exclude packages by keyword during installation/updates. Listing multiple packages for exclusion can be accomplished by quoting a space-delimited list of packages. Shell globs using wildcards (for example, * and ?) are allowed.
- gpgcheck=value — where value is one of:
  - 0 — Disable GPG signature-checking on packages in all repositories, including local package installation.
  - 1 — Enable GPG signature-checking on all packages in all repositories, including local package installation. gpgcheck=1 is the default, and thus all packages' signatures are checked.
  If this option is set in the [main] section of the /etc/yum.conf file, it sets the GPG-checking rule for all repositories. However, you can also set gpgcheck=value for individual repositories instead; that is, you can enable GPG-checking on one repository while disabling it on another. Setting gpgcheck=value for an individual repository in its corresponding .repo file overrides the default if it is present in /etc/yum.conf. For more information on GPG signature-checking, see Section B.3, “Checking a Package's Signature”.
- groupremove_leaf_only=value — where value is one of:
  - 0 — yum should not check the dependencies of each package when removing a package group. With this setting, yum removes all packages in a package group, regardless of whether those packages are required by other packages or groups. groupremove_leaf_only=0 is the default.
  - 1 — yum should check the dependencies of each package when removing a package group, and remove only those packages which are not required by any other package or group.
  For more information on removing packages, see Intelligent package group removal.
- installonlypkgs=space separated list of packages — Here you can provide a space-separated list of packages which yum can install, but will never update. See the yum.conf(5) manual page for the list of packages which are install-only by default. If you add the installonlypkgs directive to /etc/yum.conf, you should ensure that you list all of the packages that should be install-only, including any of those listed under the installonlypkgs section of yum.conf(5). In particular, kernel packages should always be listed in installonlypkgs (as they are by default), and installonly_limit should always be set to a value greater than 2 so that a backup kernel is always available in case the default one fails to boot.
- installonly_limit=value — where value is an integer representing the maximum number of versions that can be installed simultaneously for any single package listed in the installonlypkgs directive. The defaults for the installonlypkgs directive include several different kernel packages, so be aware that changing the value of installonly_limit will also affect the maximum number of installed versions of any single kernel package. The default value listed in /etc/yum.conf is installonly_limit=3, and it is not recommended to decrease this value, particularly below 2.
- keepcache=value — where value is one of:
  - 0 — Do not retain the cache of headers and packages after a successful installation. This is the default.
  - 1 — Retain the cache after a successful installation.
- logfile=file_name — where file_name is an absolute path to the file in which yum should write its logging output. By default, yum logs to /var/log/yum.log.
- multilib_policy=value — where value is one of:
  - best — install the best-choice architecture for this system. For example, setting multilib_policy=best on an AMD64 system causes yum to install 64-bit versions of all packages.
  - all — always install every possible architecture for every package. For example, with multilib_policy set to all on an AMD64 system, yum would install both the i686 and AMD64 versions of a package, if both were available.
- obsoletes=value — where value is one of:
  - 0 — Disable yum's obsoletes processing logic when performing updates.
  - 1 — Enable yum's obsoletes processing logic when performing updates. When one package declares in its spec file that it obsoletes another package, the latter package will be replaced by the former package when the former package is installed. Obsoletes are declared, for example, when a package is renamed. obsoletes=1 is the default.
- plugins=value — where value is one of:
  - 0 — Disable all Yum plug-ins globally.
  Important
  Disabling all plug-ins is not advised because certain plug-ins provide important Yum services. In particular, rhnplugin provides support for RHN Classic, and product-id and subscription-manager plug-ins provide support for the certificate-based Content Delivery Network (CDN). Disabling plug-ins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
  - 1 — Enable all Yum plug-ins globally. With plugins=1, you can still disable a specific Yum plug-in by setting enabled=0 in that plug-in's configuration file.
  For more information about various Yum plug-ins, see Section 8.5, “Yum Plug-ins”. For further information on controlling plug-ins, see Section 8.5.1, “Enabling, Configuring, and Disabling Yum Plug-ins”.
- reposdir=directory — where directory is an absolute path to the directory where .repo files are located. All .repo files contain repository information (similar to the [repository] sections of /etc/yum.conf). yum collects all repository information from .repo files and the [repository] section of the /etc/yum.conf file to create a master list of repositories to use for transactions. If reposdir is not set, yum uses the default directory /etc/yum.repos.d/.
- retries=value — where value is an integer 0 or greater. This value sets the number of times yum should attempt to retrieve a file before returning an error. Setting this to 0 makes yum retry forever. The default value is 10.
[main] options, see the [main] OPTIONS section of the yum.conf(5) manual page.
8.4.2. Setting [repository] Options
[repository] sections, where repository is a unique repository ID such as my_personal_repo (spaces are not permitted), allow you to define individual Yum repositories. To avoid conflicts, custom repositories should not use names used by Red Hat repositories.
[repository] section takes:
[repository]
name=repository_name
baseurl=repository_url
[repository] section must contain the following directives:
- name=repository_name — where repository_name is a human-readable string describing the repository.
- baseurl=repository_url — where repository_url is a URL to the directory where the repodata directory of a repository is located:
  - If the repository is available over HTTP, use: http://path/to/repo
  - If the repository is available over FTP, use: ftp://path/to/repo
  - If the repository is local to the machine, use: file:///path/to/local/repo
  - If a specific online repository requires basic HTTP authentication, you can specify your user name and password by prepending it to the URL as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a user name of “user” and a password of “password”, then the baseurl link could be specified as http://user:password@www.example.com/repo/.
  Usually this URL is an HTTP link, such as: baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/
  Note that Yum always expands the $releasever, $arch, and $basearch variables in URLs. For more information about Yum variables, see Section 8.4.3, “Using Yum Variables”.
[repository] directive is the following:
- enabled=value — where value is one of:
  - 0 — Do not include this repository as a package source when performing updates and installs. This is an easy way of quickly turning repositories on and off, which is useful when you desire a single package from a repository that you do not want to enable for updates or installs.
  - 1 — Include this repository as a package source.
  Turning repositories on and off can also be performed by passing either the --enablerepo=repo_name or --disablerepo=repo_name option to yum, or through the Add/Remove Software window of the PackageKit utility.
[repository] options exist. For a complete list, see the [repository] OPTIONS section of the yum.conf(5) manual page.
Example 8.6. A sample /etc/yum.repos.d/redhat.repo file
/etc/yum.repos.d/redhat.repo file:
#
# Red Hat Repositories
# Managed by (rhsm) subscription-manager
#
[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-source-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (Source RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/source/SRPMS
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem

[red-hat-enterprise-linux-scalable-file-system-for-rhel-6-entitlement-debug-rpms]
name = Red Hat Enterprise Linux Scalable File System (for RHEL 6 Entitlement) (Debug RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/entitlement-6/releases/$releasever/$basearch/scalablefilesystem/debug
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/key.pem
sslclientcert = /etc/pki/entitlement/11300387955690106.pem
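An added example, not part of the guide or of Yum itself: a Python audit of the [repository] sections in .repo content against the directives described in Sections 8.4.1 and 8.4.2 (the gpgcheck default inherited from [main], the baseurl scheme, credentials embedded in the URL, and sslverify). The sample .repo text is constructed for this example; the finding texts are this example's own wording.

```python
import configparser
from typing import Dict, List
from urllib.parse import urlsplit


def audit_yum_repos(repo_text: str, main_gpgcheck: str = "1") -> Dict[str, List[str]]:
    """Check every [repository] section in repo_text for weak settings.

    main_gpgcheck is the gpgcheck value from the [main] section of
    /etc/yum.conf (1 is the default); a gpgcheck line inside a repository
    section overrides it.  Returns {repository id: [findings]} and omits
    repositories with nothing to report.
    """
    # Yum variables such as $releasever are plain text here, so turn off
    # configparser's own interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    report: Dict[str, List[str]] = {}
    for repo_id in cp.sections():
        if repo_id == "main":
            continue
        sec = cp[repo_id]
        findings: List[str] = []
        gpgcheck = sec.get("gpgcheck", main_gpgcheck).strip()
        if gpgcheck != "1":
            findings.append("gpgcheck=%s: package signatures are not verified" % gpgcheck)
        elif "gpgkey" not in sec:
            findings.append("gpgcheck=1 without gpgkey: verification relies on "
                            "keys already imported into the rpmdb")
        # baseurl may list several URLs separated by whitespace.
        urls = sec.get("baseurl", "").split()
        if not urls:
            findings.append("no baseurl directive")
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme in ("http", "ftp"):
                findings.append("%s: %s transport, package integrity depends "
                                "entirely on gpgcheck" % (url, parts.scheme))
            if parts.username or parts.password:
                findings.append("%s: credentials embedded in baseurl are stored "
                                "in clear text in the .repo file" % url)
            if parts.scheme == "https" and sec.get("sslverify", "1").strip() == "0":
                findings.append("%s: sslverify=0, the server certificate is not "
                                "verified" % url)
        if findings and sec.get("enabled", "1").strip() != "1":
            findings.insert(0, "enabled=0: findings apply once the repository "
                               "is turned on (e.g. with --enablerepo)")
        if findings:
            report[repo_id] = findings
    return report


# Constructed sample .repo content (not from any real system); the first
# section uses the same settings as the redhat.repo example above.
SAMPLE_REPOS = """\
[example-rpms]
name = Example repository with sound settings
baseurl = https://cdn.example.com/content/dist/rhel/server/$releasever/$basearch/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
sslverify = 1

[example-mirror]
name = Mirror over plain HTTP and FTP, with credentials in the URL
baseurl = http://user:password@www.example.com/repo/ ftp://ftp.example.com/repo/
enabled = 1
gpgcheck = 0

[example-internal]
name = Internal HTTPS repository that skips certificate verification
baseurl = https://repo.internal.example.com/6Server/x86_64/
enabled = 0
sslverify = 0
"""

if __name__ == "__main__":
    for repo_id, findings in audit_yum_repos(SAMPLE_REPOS).items():
        print("[%s]" % repo_id)
        for finding in findings:
            print("  -", finding)
```

Run it against the concatenated contents of /etc/yum.repos.d/*.repo, passing the [main] gpgcheck value from /etc/yum.conf, to get the same report for a live system.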
8.4.3. Using Yum Variables
yum commands and in all Yum configuration files (that is, /etc/yum.conf and all .repo files in the /etc/yum.repos.d/ directory):
- $releasever — You can use this variable to reference the release version of Red Hat Enterprise Linux. Yum obtains the value of $releasever from the distroverpkg=value line in the /etc/yum.conf configuration file. If there is no such line in /etc/yum.conf, then yum infers the correct value by deriving the version number from the redhat-release-server package. The value of $releasever typically consists of the major release number and the variant of Red Hat Enterprise Linux, for example 6Client, or 6Server.
- $arch — You can use this variable to refer to the system's CPU architecture as returned when calling Python's os.uname() function. Valid values for $arch include i686 and x86_64.
- $basearch — You can use $basearch to reference the base architecture of the system. For example, i686 machines have a base architecture of i386, and AMD64 and Intel 64 machines have a base architecture of x86_64.
- $YUM0-9 — These ten variables are each replaced with the value of any shell environment variables with the same name. If one of these variables is referenced (in /etc/yum.conf for example) and a shell environment variable with the same name does not exist, then the configuration file variable is not replaced.
“$” sign) in the /etc/yum/vars/ directory, and add the desired value on its first line.
$osname, create a new file with “Red Hat Enterprise Linux” on the first line and save it as /etc/yum/vars/osname:
~]# echo "Red Hat Enterprise Linux" > /etc/yum/vars/osname
.repo files:
name=$osname $releasever
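An added example, not from the guide or from Yum's own code: Python that applies the expansion rules above to a configuration line. $releasever and $arch are taken as inputs (their derivation from distroverpkg and os.uname() is not reproduced), $basearch is derived from $arch, $YUM0-9 come from the environment and stay unexpanded when not set, and custom variables are read from a directory standing in for /etc/yum/vars/; the demo input is constructed.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Mapping

# A variable reference is "$" followed by a name; unknown names are left as is.
_VAR_RE = re.compile(r"\$(\w+)")


def basearch_of(arch: str) -> str:
    """Map a CPU architecture ($arch) to its base architecture ($basearch):
    the i?86 variants become i386, AMD64/Intel 64 stays x86_64."""
    if re.fullmatch(r"i[3-6]86", arch):
        return "i386"
    return arch


def load_custom_vars(vars_dir: Path) -> Dict[str, str]:
    """Read /etc/yum/vars-style definitions: the file name is the variable
    name (without the "$"), the first line of the file is its value."""
    values: Dict[str, str] = {}
    if not vars_dir.is_dir():
        return values
    for path in vars_dir.iterdir():
        if path.is_file():
            with path.open() as fh:
                values[path.name] = fh.readline().rstrip("\n")
    return values


def expand_yum_vars(text: str, releasever: str, arch: str,
                    custom: Mapping[str, str],
                    environ: Mapping[str, str] = os.environ) -> str:
    """Expand $releasever, $arch, $basearch, $YUM0-$YUM9 and custom
    variables in text.  releasever and arch are supplied by the caller
    (assumption of this example; yum derives them itself)."""
    builtin = {"releasever": releasever, "arch": arch, "basearch": basearch_of(arch)}

    def replace(match):
        name = match.group(1)
        if name in builtin:
            return builtin[name]
        if re.fullmatch(r"YUM[0-9]", name):
            # Taken from the environment; left untouched when not exported.
            return environ.get(name, match.group(0))
        return custom.get(name, match.group(0))

    return _VAR_RE.sub(replace, text)


def demo() -> str:
    """Define $osname in a temporary vars directory (stand-in for
    /etc/yum/vars/) and expand a constructed name and baseurl line."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "osname").write_text("Red Hat Enterprise Linux\n")
        custom = load_custom_vars(Path(tmp))
        return expand_yum_vars(
            "name=$osname $releasever\n"
            "baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/$YUM0",
            releasever="6Server", arch="i686", custom=custom, environ={})


if __name__ == "__main__":
    print(demo())
```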
8.4.4. Viewing the Current Configuration
[main] section of the /etc/yum.conf file), run the yum-config-manager with no command-line options:
yum-config-manager
yum-config-manager section
yum-config-manager glob_expression
~]$ yum-config-manager main \*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
================================== main ===================================
[main]
alwaysprompt = True
assumeyes = False
bandwith = 0
bugtracker_url = https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206&component=yum
cache = 0
[output truncated]
8.4.5. Adding, Enabling, and Disabling a Yum Repository
yum-config-manager command.
Important
Red Hat Network, the Red Hat Subscription Manager tools are used to manage repositories in the /etc/yum.repos.d/redhat.repo file. See Chapter 6, Registering the System and Managing Subscriptions for more information on how to register a system with Red Hat Network and use the Red Hat Subscription Manager tools to manage subscriptions.
Adding a Yum Repository
[repository] section to the /etc/yum.conf file, or to a .repo file in the /etc/yum.repos.d/ directory. All files with the .repo file extension in this directory are read by yum, and it is recommended to define your repositories here instead of in /etc/yum.conf.
Warning
.repo file. To add such a repository to your system and enable it, run the following command as root:
yum-config-manager --add-repo repository_url
.repo file. For example, to add a repository located at http://www.example.com/example.repo, type the following at a shell prompt:
~]# yum-config-manager --add-repo http://www.example.com/example.repo
Loaded plugins: product-id, refresh-packagekit, subscription-manager
adding repo from: http://www.example.com/example.repo
grabbing file http://www.example.com/example.repo to /etc/yum.repos.d/example.repo
example.repo | 413 B 00:00
repo saved to /etc/yum.repos.d/example.repo
Enabling a Yum Repository
root:
yum-config-manager --enable repository
yum repolist all to list available repository IDs). Alternatively, you can use a glob expression to enable all matching repositories:
yum-config-manager --enable glob_expression
[example], [example-debuginfo], and [example-source] sections, type:
~]# yum-config-manager --enable example\*
Loaded plugins: product-id, refresh-packagekit, subscription-manager
============================== repo: example ==============================
[example]
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/6Server
baseurl = http://www.example.com/repo/6Server/x86_64/
cache = 0
cachedir = /var/cache/yum/x86_64/6Server/example
[output truncated]
yum-config-manager --enable command displays the current repository configuration.
Disabling a Yum Repository
root:
yum-config-manager --disable repository
yum repolist all to list available repository IDs). Similarly to yum-config-manager --enable, you can use a glob expression to disable all matching repositories at the same time:
yum-config-manager --disable glob_expression
yum-config-manager --disable command displays the current configuration.
8.4.6. Creating a Yum Repository
- Install the createrepo package. To do so, type the following at a shell prompt as root:
  yum install createrepo
- Copy all packages that you want to have in your repository into one directory, such as /mnt/local_repo/.
- Change to this directory and run the following command:
  createrepo --database /mnt/local_repo
  This creates the necessary metadata for your Yum repository, as well as the sqlite database for speeding up yum operations.
Important
Compared to Red Hat Enterprise Linux 5, RPM packages for Red Hat Enterprise Linux 6 are compressed with the XZ lossless data compression format and can be signed with newer hash algorithms like SHA-256. Consequently, it is not recommended to use the createrepo command on Red Hat Enterprise Linux 5 to create the package metadata for Red Hat Enterprise Linux 6.
8.4.7. Working with Yum Cache
/var/cache/yum/$basearch/$releasever/ directory, where $basearch and $releasever are Yum variables referring to the base architecture of the system and the release version of Red Hat Enterprise Linux. Each configured repository has one subdirectory. For example, the directory /var/cache/yum/$basearch/$releasever/development/packages/ holds packages downloaded from the development repository. You can find the values for the $basearch and $releasever variables in the output of the yum version command.
cachedir option in the [main] section of the /etc/yum.conf configuration file. See Section 8.4, “Configuring Yum and Yum Repositories” for more information on configuring yum.
Enabling the Caches
[main] section of /etc/yum.conf.
keepcache = 1
yum makecache
metadata-expire setting in /etc/yum.conf.
Using yum in Cache-only Mode
-C or --cacheonly command-line option. With this option, yum proceeds without checking any network repositories, and uses only cached files. In this mode, yum may only install packages that have been downloaded and cached by a previous operation.
yum -C list gstreamer*
Clearing the yum Caches
/var/cache/yum/ directory. If you remove a package from the cache, you do not affect the copy of the software installed on your system. To remove all entries for currently enabled repositories from the cache, type the following as root:
yum clean all
yum in clean mode depending on the type of cached data you want to remove. See Table 8.3, “Available yum clean options” for a complete list of available configuration options.
Table 8.3. Available yum clean options
Option | Description |
---|---|
expire-cache | eliminates time records of the metadata and mirrorlists download for each repository. This forces yum to revalidate the cache for each repository the next time it is used. |
packages | eliminates any cached packages from the system |
headers | eliminates all header files that previous versions of yum used for dependency resolution |
metadata | eliminates all files that yum uses to determine the remote availability of packages. These metadata are downloaded again the next time yum is run. |
dbcache | eliminates the sqlite cache used for faster access to metadata. Using this option will force yum to download the sqlite metadata the next time it is run. This does not apply for repositories that contain only .xml data, in that case, sqlite data are deleted but without subsequent download |
rpmdb | eliminates any cached data from the local rpmdb |
plugins | enabled plugins are forced to eliminate their cached data |
all | removes all of the above |
expire-cache option is most preferred from the above list. In many cases, it is a sufficient and much faster replacement for clean all.
8.4.8. Adding the Optional and Supplementary Repositories
8.5. Yum Plug-ins
yum command. For example:
~]# yum info yum
Loaded plugins: product-id, refresh-packagekit, subscription-manager
[output truncated]
Loaded plugins are the names you can provide to the --disableplugin=plugin_name option.
8.5.1. Enabling, Configuring, and Disabling Yum Plug-ins
plugins= is present in the [main] section of /etc/yum.conf, and that its value is 1:
plugins=1
plugins=0.
Important
Disabling all plug-ins is not advised because certain plug-ins provide important Yum services. In particular, rhnplugin provides support for RHN Classic, and product-id and subscription-manager plug-ins provide support for the certificate-based Content Delivery Network (CDN). Disabling plug-ins globally is provided as a convenience option, and is generally only recommended when diagnosing a potential problem with Yum.
/etc/yum/pluginconf.d/ directory. You can set plug-in specific options in these files. For example, here is the refresh-packagekit plug-in's refresh-packagekit.conf configuration file:
[main]
enabled=1
[main] section (similar to Yum's /etc/yum.conf file) in which there is (or you can place if it is missing) an enabled= option that controls whether the plug-in is enabled when you run yum commands.
enabled=0 in /etc/yum.conf, then all plug-ins are disabled regardless of whether they are enabled in their individual configuration files.
yum command, use the --noplugins option.
yum command, add the --disableplugin=plugin_name option to the command. For example, to disable the presto plug-in while updating a system, type:
~]# yum update --disableplugin=presto
--disableplugin= option are the same names listed after the Loaded plugins line in the output of any yum command. You can disable multiple plug-ins by separating their names with commas. In addition, you can match multiple plug-in names or shorten long ones by using glob expressions:
~]# yum update --disableplugin=presto,refresh-pack*
8.5.2. Installing Additional Yum Plug-ins
yum-plugin-plugin_name package-naming convention, but not always: the package which provides the presto plug-in is named yum-presto, for example. You can install a Yum plug-in in the same way you install other packages. For instance, to install the security plug-in, type the following at a shell prompt:
~]# yum install yum-plugin-security
8.5.3. Plug-in Descriptions
- search-disabled-repos (subscription-manager)
- The search-disabled-repos plug-in allows you to temporarily or permanently enable disabled repositories to help resolve dependencies. With this plug-in enabled, when Yum fails to install a package due to failed dependency resolution, it offers to temporarily enable disabled repositories and try again. If the installation succeeds, Yum also offers to enable the used repositories permanently. Note that the plug-in works only with the repositories that are managed by subscription-manager and not with custom repositories.
Important
Ifyum
is executed with the--assumeyes
or-y
option, or if theassumeyes
directive is enabled in/etc/yum.conf
, the plug-in enables disabled repositories, both temporarily and permanently, without prompting for confirmation. This may lead to problems, for example, enabling repositories that you do not want enabled.To configure the search-disabled-repos plug-in, edit the configuration file located in/etc/yum/pluginconf.d/search-disabled-repos.conf
. For the list of directives you can use in the[main]
section, see the table below.Table 8.4. Supported search-disabled-repos.conf directives Directive Description enabled
=valueAllows you to enable or disable the plug-in. The value must be either 1
(enabled), or0
(disabled). The plug-in is enabled by default.notify_only
=valueAllows you to restrict the behavior of the plug-in to notifications only. The value must be either 1
(notify only without modifying the behavior of Yum), or0
(modify the behavior of Yum). By default the plug-in only notifies the user.ignored_repos
=repositoriesAllows you to specify the repositories that will not be enabled by the plug-in. - kabi (kabi-yum-plugins)
- The kabi plug-in checks whether a driver update package conforms with official Red Hat kernel Application Binary Interface (kABI). With this plug-in enabled, when a user attempts to install a package that uses kernel symbols which are not on a whitelist, a warning message is written to the system log. Additionally, configuring the plug-in to run in enforcing mode prevents such packages from being installed at all.To configure the kabi plug-in, edit the configuration file located in
/etc/yum/pluginconf.d/kabi.conf
. See Table 8.5, “Supportedkabi.conf
directives” for a list of directives that can be used in the[main]
section.Table 8.5. Supported kabi.conf directives Directive Description enabled
=valueAllows you to enable or disable the plug-in. The value must be either 1
(enabled), or0
(disabled). When installed, the plug-in is enabled by default.whitelists
=directoryAllows you to specify the directory in which the files with supported kernel symbols are located. By default, the kabi plug-in uses files provided by the kernel-abi-whitelists package (that is, the /lib/modules/kabi/
directory).enforce
=valueAllows you to enable or disable enforcing mode. The value must be either 1
(enabled), or0
(disabled). By default, this option is commented out and the kabi plug-in only displays a warning message. - presto (yum-presto)
- The presto plug-in adds support to Yum for downloading delta RPM packages, during updates, from repositories which have presto metadata enabled. Delta RPMs contain only the differences between the version of the package installed on the client requesting the RPM package and the updated version in the repository.Downloading a delta RPM is much quicker than downloading the entire updated package, and can speed up updates considerably. Once the delta RPMs are downloaded, they must be rebuilt to apply the difference to the currently-installed package and thus create the full, updated package. This process takes CPU time on the installing machine. Using delta RPMs is therefore a compromise between time-to-download, which depends on the network connection, and time-to-rebuild, which is CPU-bound. Using the presto plug-in is recommended for fast machines and systems with slower network connections, while slower machines on very fast connections benefit more from downloading normal RPM packages, that is, by disabling presto.
- product-id (subscription-manager)
- The product-id plug-in manages product identity certificates for products installed from the Content Delivery Network. The product-id plug-in is installed by default.
- refresh-packagekit (PackageKit-yum-plugin)
- The refresh-packagekit plug-in updates metadata for PackageKit whenever yum is run. The refresh-packagekit plug-in is installed by default.
- rhnplugin (yum-rhn-plugin)
- The rhnplugin provides support for connecting to RHN Classic. This allows systems registered with RHN Classic to update and install packages from this system. Note that RHN Classic is only provided for older Red Hat Enterprise Linux systems (that is, Red Hat Enterprise Linux 4.x, Red Hat Enterprise Linux 5.x, and Satellite 5.x) in order to migrate them over to Red Hat Enterprise Linux 6. The rhnplugin is installed by default.
See the rhnplugin(8) manual page for more information about the plug-in.
- security (yum-plugin-security)
- Discovering information about and applying security updates easily and often is important to all system administrators. For this reason Yum provides the security plug-in, which extends yum with a set of highly-useful security-related commands, subcommands and options.
You can check for security-related updates as follows:
~]# yum check-update --security
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Limiting package lists to security relevant ones
Needed 3 of 7 packages, for security
elinks.x86_64                   0.12-0.13.el6               rhel
kernel.x86_64                   2.6.30.8-64.el6             rhel
kernel-headers.x86_64           2.6.30.8-64.el6             rhel
You can then use either yum update --security or yum update-minimal --security to update those packages which are affected by security advisories. Both of these commands update all packages on the system for which a security advisory has been issued. yum update-minimal --security updates them to the latest packages which were released as part of a security advisory, while yum update --security will update all packages affected by a security advisory to the latest version of that package available.
In other words, if:
- the kernel-2.6.30.8-16 package is installed on your system;
- the kernel-2.6.30.8-32 package was released as a security update;
- then kernel-2.6.30.8-64 was released as a bug fix update,
...then yum update-minimal --security will update you to kernel-2.6.30.8-32, and yum update --security will update you to kernel-2.6.30.8-64. Conservative system administrators probably want to use update-minimal to reduce the risk incurred by updating packages as much as possible.
See the yum-security(8) manual page for usage details and further explanation of the enhancements the security plug-in adds to yum.
- subscription-manager (subscription-manager)
- The subscription-manager plug-in provides support for connecting to Red Hat Network. This allows systems registered with Red Hat Network to update and install packages from the certificate-based Content Delivery Network. The subscription-manager plug-in is installed by default.
See Chapter 6, Registering the System and Managing Subscriptions for more information on how to manage product subscriptions and entitlements.
- yum-downloadonly (yum-plugin-downloadonly)
- The yum-downloadonly plug-in provides the --downloadonly command-line option which can be used to download packages from Red Hat Network or a configured Yum repository without installing the packages.
To install the package, follow the instructions in Section 8.5.2, “Installing Additional Yum Plug-ins”. After the installation, see the contents of the /etc/yum/pluginconf.d/downloadonly.conf file to ensure that the plug-in is enabled:
~]$ cat /etc/yum/pluginconf.d/downloadonly.conf
[main]
enabled=1
In the following example, the yum install --downloadonly command is run to download the latest version of the httpd package, without installing it:
~]# yum install httpd --downloadonly
Loaded plugins: downloadonly, product-id, refresh-packagekit, rhnplugin,
              : subscription-manager
Updating Red Hat repositories.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-9.el6_1.2 will be updated
---> Package httpd.x86_64 0:2.2.15-15.el6_2.1 will be an update
--> Processing Dependency: httpd-tools = 2.2.15-15.el6_2.1 for package: httpd-2.2.15-15.el6_2.1.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-9.el6_1.2 will be updated
---> Package httpd-tools.x86_64 0:2.2.15-15.el6_2.1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package         Arch       Version                 Repository             Size
================================================================================
Updating:
 httpd           x86_64     2.2.15-15.el6_2.1       rhel-x86_64-server-6  812 k
Updating for dependencies:
 httpd-tools     x86_64     2.2.15-15.el6_2.1       rhel-x86_64-server-6   70 k
Transaction Summary
================================================================================
Upgrade       2 Package(s)
Total download size: 882 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): httpd-2.2.15-15.el6_2.1.x86_64.rpm                | 812 kB     00:00
(2/2): httpd-tools-2.2.15-15.el6_2.1.x86_64.rpm          |  70 kB     00:00
--------------------------------------------------------------------------------
Total                                           301 kB/s | 882 kB     00:02
exiting because --downloadonly specified
By default, packages downloaded using the --downloadonly option are saved in one of the subdirectories of the /var/cache/yum directory, depending on the Red Hat Enterprise Linux variant and architecture.
If you want to specify an alternate directory to save the packages, pass the --downloaddir option along with --downloadonly:
~]# yum install --downloadonly --downloaddir=/path/to/directory httpd
Note
As an alternative to the yum-downloadonly plugin — to download packages without installing them — you can use the yumdownloader utility that is provided by the yum-utils package.
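The kabi plug-in described above makes a simple decision: warn when a package needs a kernel symbol that is not on the whitelist, and refuse the package only when enforce=1 is uncommented in kabi.conf. The following script is an added example, not part of the Red Hat guide or of the yum-plugin-kabi package; it re-creates that decision stand-alone so the effect of each directive in Table 8.5 can be tried without touching yum. The kabi.conf contents, the whitelist and the symbol list are constructed sample data, and the whitelist layout (a bracketed section header followed by one symbol per line) and the fallback to enabled when the directive is absent are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide or from yum-plugin-kabi): a
# stand-alone re-creation of the kabi plug-in's decision. A kabi.conf-style
# file supplies enabled= and enforce=, a whitelist supplies the supported
# kernel symbols, and a symbol list stands in for the symbols a driver
# package requires. All three inputs below are constructed sample data.

workdir=$(mktemp -d)

# Constructed kabi.conf: enabled, enforce commented out (the shipped default
# described in Table 8.5), so non-whitelisted symbols only produce a warning.
cat > "$workdir/kabi.conf" <<'EOF'
[main]
enabled=1
# enforce=1
EOF

# Constructed whitelist. The layout (bracketed section header, then one
# indented symbol per line) is assumed for this example.
cat > "$workdir/kabi_whitelist" <<'EOF'
[rhel6_x86_64_whitelist]
	__alloc_pages_nodemask
	kfree
	printk
	register_netdev
EOF

# Constructed symbol list for a hypothetical driver package; the last symbol
# is deliberately absent from the whitelist.
printf '%s\n' printk kfree register_netdev example_private_symbol > "$workdir/module.syms"

# conf_get FILE DIRECTIVE DEFAULT: value of an uncommented DIRECTIVE=value
# line, or DEFAULT when the directive is absent or commented out.
conf_get() {
    _v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    printf '%s\n' "${_v:-$3}"
}

# kabi_missing WHITELIST SYMBOLS: print each required symbol that is not on
# the whitelist, one per line (empty output means the package conforms).
kabi_missing() {
    awk 'NR == FNR { if ($0 !~ /^\[/ && NF) wl[$1] = 1; next }
         NF && !($1 in wl) { print $1 }' "$1" "$2"
}

# kabi_check CONF WHITELIST SYMBOLS: exit 0 when installation may proceed,
# 1 when enforcing mode rejects the package. Like the plug-in, a disabled
# configuration lets everything through, and a missing symbol only warns
# unless enforce=1 (the enabled-by-default fallback is assumed here).
kabi_check() {
    [ "$(conf_get "$1" enabled 1)" = "1" ] || return 0
    _missing=$(kabi_missing "$2" "$3")
    [ -z "$_missing" ] && return 0
    echo "warning: kernel symbols not on the kABI whitelist:" >&2
    printf '  %s\n' $_missing >&2
    [ "$(conf_get "$1" enforce 0)" = "1" ] && return 1
    return 0
}

kabi_check "$workdir/kabi.conf" "$workdir/kabi_whitelist" "$workdir/module.syms"
echo "warn-only mode exit status: $?"
```

To run the same check against a real module, feed the symbol names from the second column of modprobe --dump-modversions module.ko as the symbol list and a file from /lib/modules/kabi/ as the whitelist; the script only mirrors the warn-versus-refuse logic and does not hook into yum itself.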
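The difference between yum update-minimal --security and yum update --security in the security plug-in description above is a selection rule over the versions available for a package. The following script is an added example, not from the Red Hat guide or from yum-plugin-security; it applies that rule to a constructed candidate table and reproduces the kernel scenario the guide walks through (installed -16, -32 released as a security update, -64 as a bug fix). The table format ("name version advisory-type", one candidate per line) is invented for the example, and version ordering uses GNU sort -V as an approximation of rpm's version comparison.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide or from yum-plugin-security):
# reproduces, over a constructed candidate table, the selection rule the
# guide gives for the two commands:
#   yum update-minimal --security  -> oldest newer version released by a
#                                     security advisory
#   yum update --security          -> newest version available, provided a
#                                     security advisory affects the package
# The table format ("name version advisory-type", one line per candidate)
# is invented for this example; yum reads this from repository updateinfo.

CANDIDATES='kernel 2.6.30.8-32 security
kernel 2.6.30.8-64 bugfix
elinks 0.12-0.13.el6 security
bash 4.1.2-9.el6 bugfix'

# newer_candidates NAME INSTALLED: candidates of NAME newer than INSTALLED,
# oldest first, as "version type". Version ordering uses GNU sort -V, an
# approximation of rpm's version comparison assumed for this example.
newer_candidates() {
    {
        printf '%s installed\n' "$2"
        printf '%s\n' "$CANDIDATES" |
            awk -v n="$1" -v i="$2" '$1 == n && $2 != i { print $2, $3 }'
    } | sort -V | awk '/ installed$/ { seen = 1; next } seen'
}

# update_minimal_security NAME INSTALLED: version update-minimal --security
# would install (empty when no security advisory covers a newer version).
update_minimal_security() {
    newer_candidates "$1" "$2" | awk '$2 == "security" { print $1; exit }'
}

# update_security NAME INSTALLED: version update --security would install;
# the newest candidate, but only if some security advisory affects the package.
update_security() {
    newer_candidates "$1" "$2" |
        awk '$2 == "security" { hit = 1 } { last = $1 } END { if (hit) print last }'
}

# Walk through the guide's kernel scenario.
echo "update-minimal --security: $(update_minimal_security kernel 2.6.30.8-16)"
echo "update --security:         $(update_security kernel 2.6.30.8-16)"
```

A package whose only newer versions are bug fixes (bash in the constructed table) is left alone by both commands, which is the "only packages with a security advisory" behaviour the guide attributes to them.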
8.6. Additional Resources
Installed Documentation
- yum(8) — The manual page for the yum command-line utility provides a complete list of supported options and commands.
- yumdb(8) — The manual page for the yumdb command-line utility documents how to use this tool to query and, if necessary, alter the yum database.
- yum.conf(5) — The manual page named yum.conf documents available yum configuration options.
- yum-utils(1) — The manual page named yum-utils lists and briefly describes additional utilities for managing yum configuration, manipulating repositories, and working with the yum database.
Online Resources
- Yum Guides — The Yum Guides page on the project home page provides links to further documentation.
- Red Hat Access Labs — The Red Hat Access Labs includes a “Yum Repository Configuration Helper”.
See Also
- Chapter 4, Gaining Privileges documents how to gain administrative privileges by using the su and sudo commands.
- Appendix B, RPM describes the RPM Package Manager (RPM), the packaging system used by Red Hat Enterprise Linux.
Chapter 9. PackageKit
9.1. Updating Packages with Software Update
Figure 9.1. PackageKit's icon in the Notification Area
gpk-update-viewer command at the shell prompt. In the Software Updates window, all available updates are listed along with the names of the packages being updated (minus the .rpm suffix, but including the CPU architecture), a short summary of the package, and, usually, short descriptions of the changes the update provides. Any updates you do not want to install can be de-selected here by unchecking the check box corresponding to the update.
Figure 9.2. Installing updates with Software Update
Setting the Update-Checking Interval
Figure 9.3. Setting PackageKit's update-checking interval
9.2. Using Add/Remove Software
gpk-application command at the shell prompt.
Figure 9.4. PackageKit's Add/Remove Software window
9.2.1. Refreshing Software Sources (Yum Repositories)
name=<My Repository Name> field of all [repository] sections in the /etc/yum.conf configuration file, and in all repository.repo files in the /etc/yum.repos.d/ directory.
enabled=<1 or 0> field in [repository] sections. When you click the check box, PackageKit inserts the enabled=<1 or 0> line into the correct [repository] section if it does not exist, or changes the value if it does. This means that enabling or disabling a repository through the Software Sources window causes that change to persist after closing the window or rebooting the system.
Note
9.2.2. Finding Packages with Filters
Figure 9.5. Filtering out already-installed packages
<package_name>-devel packages we are not interested in.
Figure 9.6. Filtering out development packages from the list of Find results
- Narrows the search to either applications which provide a GUI interface () or those that do not. This filter is useful when browsing for GUI applications that perform a specific function.
- Search for packages which are considered to be free software. See the Fedora Licensing List for details on approved licenses.
- Checking the check box filters out generally-uninteresting packages that are typically only dependencies of other packages that we want. For example, checking and searching for <package> would cause the following related packages to be filtered out of the results (if they exist):
- <package>-devel
- <package>-libs
- <package>-libs-devel
- <package>-debuginfo
- Checking filters out all older versions of the same package from the list of results, which is generally what we want. Note that this filter is often combined with the filter to search for the latest available versions of new (not installed) packages.
- Only native packages
- Checking the Only native packages box on a multilib system causes PackageKit to omit listing results for packages compiled for the architecture that runs in compatibility mode. For example, enabling this filter on a 64-bit system with an AMD64 CPU would cause all packages built for the 32-bit x86 CPU architecture not to be shown in the list of results, even though those packages are able to run on an AMD64 machine. Packages which are architecture-agnostic (i.e. noarch packages such as crontabs-1.10-32.1.el6.noarch.rpm) are never filtered out by checking Only native packages. This filter has no effect on non-multilib systems, such as x86 machines.
9.2.3. Installing and Removing Packages (and Dependencies)
Figure 9.7. Viewing and installing a package with PackageKit's Add/Remove Software window
screen, a screen manager that allows you to have multiple logins on one terminal, by typing screen at a shell prompt.
Warning
Figure 9.8. Removing a package with PackageKit's Add/Remove Software window
9.2.4. Installing and Removing Package Groups
Figure 9.9. Installing the Czech Support package group
9.2.5. Viewing the Transaction Log
gpk-log command at the shell prompt.
- Date — the date on which the transaction was performed.
- Action — the action that was performed during the transaction, for example Updated packages or Installed packages.
- Details — the transaction type such as Updated, Installed, or Removed, followed by a list of affected packages.
- Username — the name of the user who performed the action.
- Application — the front end application that was used to perform the action, for example Update System.
Figure 9.10. Viewing the log of package management transactions with the Software Log Viewer
9.3. PackageKit Architecture
packagekitd daemon back end, which communicates with a package manager-specific back end that utilizes Yum to perform the actual transactions, such as installing and removing packages, etc.
Window Title | Function | How to Open | Shell Command |
---|---|---|---|
Add/Remove Software | Install, remove or view package info | From the GNOME panel: → → | gpk-application |
Software Update | Perform package updates | From the GNOME panel: → → | gpk-update-viewer |
Software Sources | Enable and disable Yum repositories | From Add/Remove Software: → | gpk-repo |
Software Log Viewer | View the transaction log | From Add/Remove Software: → | gpk-log |
Software Update Preferences | Set PackageKit preferences | | gpk-prefs |
(Notification Area Alert) | Alerts you when updates are available | From the GNOME panel: → → , the Startup Programs tab | gpk-update-icon |
packagekitd daemon runs outside the user session and communicates with the various graphical front ends. The packagekitd daemon[2] communicates via the DBus system message bus with another back end, which utilizes Yum's Python API to perform queries and make changes to the system. On Linux systems other than Red Hat Enterprise Linux and Fedora, packagekitd can communicate with other back ends that are able to utilize the native package manager for that system. This modular architecture provides the abstraction necessary for the graphical interfaces to work with many different package managers to perform essentially the same types of package management tasks. Learning how to use the PackageKit front ends means that you can use the same familiar graphical interface across many different Linux distributions, even when they utilize a native package manager other than Yum.
packagekitd daemon, which runs outside of the user session.
pkcon.
9.4. Additional Resources
Installed Documentation
- gpk-application(1) — The manual page containing information about the gpk-application command.
- gpk-backend-status(1) — The manual page containing information about the gpk-backend-status command.
- gpk-install-local-file(1) — The manual page containing information about the gpk-install-local-file command.
- gpk-install-mime-type(1) — The manual page containing information about the gpk-install-mime-type command.
- gpk-install-package-name(1) — The manual page containing information about the gpk-install-package-name command.
- gpk-prefs(1) — The manual page containing information about the gpk-prefs command.
- gpk-repo(1) — The manual page containing information about the gpk-repo command.
- gpk-update-icon(1) — The manual page containing information about the gpk-update-icon command.
- gpk-update-viewer(1) — The manual page containing information about the gpk-update-viewer command.
- pkcon(1) and pkmon(1) — The manual pages containing information about the PackageKit console client.
- pkgenpack(1) — The manual page containing information about the PackageKit Pack Generator.
Online Documentation
- PackageKit home page — The PackageKit home page listing detailed information about the PackageKit software suite.
- PackageKit FAQ — An informative list of Frequently Asked Questions for the PackageKit software suite.
See Also
- Chapter 8, Yum documents Yum, the Red Hat package manager.
service command and can be turned on or off permanently by using the chkconfig on or chkconfig off commands. They can typically be recognized by a “d” appended to their name, such as the packagekitd daemon. See Chapter 12, Services and Daemons for information about system services.
Part IV. Networking
Chapter 10. NetworkManager
DSL and PPPoE (Point-to-Point over Ethernet). In addition, NetworkManager allows for the configuration of network aliases, static routes, DNS information and VPN connections, as well as many connection-specific parameters. Finally, NetworkManager provides a rich API via D-Bus which allows applications to query and control network configuration and state.
system-config-network after its command-line invocation. In Red Hat Enterprise Linux 6, NetworkManager replaces the former Network Administration Tool while providing enhanced functionality, such as user-specific and mobile broadband configuration. It is also possible to configure the network in Red Hat Enterprise Linux 6 by editing interface configuration files; see Chapter 11, Network Interfaces for more information.
root:
~]# yum install NetworkManager
10.1. The NetworkManager Daemon
root privileges and is usually configured to start up at boot time. You can determine whether the NetworkManager daemon is running by entering this command as root:
~]# service NetworkManager status
NetworkManager (pid 1527) is running...
service command will report NetworkManager is stopped if the NetworkManager service is not running. To start it for the current session:
~]# service NetworkManager start
chkconfig command to ensure that NetworkManager starts up every time the system boots:
~]# chkconfig NetworkManager on
10.2. Interacting with NetworkManager
Figure 10.1. NetworkManager applet states
root):
~]$ nm-applet &
10.2.1. Connecting to a Network
- a list of categorized networks you are currently connected to (such as Wired and Wireless);
- a list of all Available Networks that NetworkManager has detected;
- options for connecting to any configured Virtual Private Networks (VPNs); and,
- options for connecting to hidden or new wireless networks.
Figure 10.2. The NetworkManager applet's left-click menu, showing all available and connected-to networks
10.2.2. Configuring New and Editing Existing Connections
~]$ nm-connection-editor &
Figure 10.4. Configure networks using the Network Connections window
- wired Ethernet connections, proceed to Section 10.3.1, “Establishing a Wired (Ethernet) Connection”;
- wireless connections, proceed to Section 10.3.2, “Establishing a Wireless Connection”; or,
- mobile broadband connections, proceed to Section 10.3.3, “Establishing a Mobile Broadband Connection”; or,
- VPN connections, proceed to Section 10.3.4, “Establishing a VPN Connection”.
10.2.3. Connecting to a Network Automatically
Procedure 10.1. Configuring NetworkManager to Connect to a Network Automatically When Detected
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the arrow head if necessary to reveal the list of connections.
- Select the specific connection that you want to configure and click.
- Check Connect automatically to cause NetworkManager to auto-connect to the connection whenever NetworkManager detects that it is available. Uncheck the check box if you do not want NetworkManager to connect automatically. If the box is unchecked, you will have to select that connection manually in the NetworkManager applet's left-click menu to cause it to connect.
10.2.4. User and System Connections
root privileges to create and modify system connections. NetworkManager's default policy enables users to create and modify user connections, but requires them to have root privileges to add, modify or delete system connections.
/etc/sysconfig/network-scripts/ directory (mainly in ifcfg-<network_type> interface configuration files), user connection settings are stored in the GConf configuration database and the GNOME keyring, and are only available during login sessions for the user who created them. Thus, logging out of the desktop session causes user-specific connections to become unavailable.
Note
root users on the system cannot view or access these connections in any way.
/etc/sysconfig/network-scripts/ directory, and to delete the GConf settings from the user's session. Conversely, converting a system to a user-specific connection causes NetworkManager to remove the system-wide configuration files and create the corresponding GConf/GNOME keyring settings.
Figure 10.5. The Available to all users check box controls whether connections are user-specific or system-wide
Procedure 10.2. Changing a Connection to be User-Specific instead of System-Wide, or Vice-Versa
Note
root privileges on the system in order to change whether a connection is user-specific or system-wide.
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- If needed, select the arrow head (on the left hand side) to hide and reveal the types of available network connections.
- Select the specific connection that you want to configure and click.
- Check the Available to all users check box to ask NetworkManager to make the connection a system-wide connection. Depending on system policy, you may then be prompted for the root password by the PolicyKit application. If so, enter the root password to finalize the change.
Conversely, uncheck the Available to all users check box to make the connection user-specific.
10.3. Establishing Connections
10.3.1. Establishing a Wired (Ethernet) Connection
~]$ nm-connection-editor &
Figure 10.6. The Network Connections window showing the newly created System eth0 connection
Figure 10.7. Selecting a new connection type from the "Choose a Connection Type" list
Note
Figure 10.8. Editing the newly created Wired connection System eth0
Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Wired section of the Network Connections window.
- Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the Wired Tab
automatic. These defaults will suffice unless you are associating a wired connection with a second or specific NIC, or performing advanced networking. In such cases, see the following descriptions:
- MAC Address
- Network hardware such as a Network Interface Card (NIC) has a unique MAC address (Media Access Control; also known as a hardware address) that identifies it to the system. Running the ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the eth0 interface (which is 52:54:00:26:9e:f1) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe26:9ef1/64 scope link
       valid_lft forever preferred_lft forever
A single system can have one or more NICs installed on it. The MAC address field therefore allows you to associate a specific NIC with a specific connection (or connections). As mentioned, you can determine the MAC address using the ip addr command, and then copy and paste that value into the MAC address text-entry field.
The cloned MAC address field is mostly for use in such situations where a network service has been restricted to a specific MAC address and you need to emulate that MAC address.
- MTU
- The MTU (Maximum Transmission Unit) value represents the size in bytes of the largest packet that the connection will use to transmit. This value defaults to 1500 when using IPv4, or a variable number 1280 or higher for IPv6, and does not generally need to be specified or changed.
Saving Your New (or Modified) Connection and Making Further Configurations
- port-based Network Access Control (PNAC), click the 802.1X Security tab and proceed to Section 10.3.9.1, “Configuring 802.1X Security”;
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”; or,
- IPv6 settings for the connection, click the IPv6 Settings tab and proceed to Section 10.3.9.5, “Configuring IPv6 Settings”.
10.3.2. Establishing a Wireless Connection
Quickly Connecting to an Available Access Point
Figure 10.9. Authenticating to a wireless access point
Note
Figure 10.10. Applet icon indicating a wireless connection signal strength of 75%
Auto <SSID>, where SSID is the Service Set identifier of the access point.
Figure 10.11. An example of access points that have previously been connected to
Connecting to a Hidden Wireless Network
Editing a Connection, or Creating a Completely New One
Auto refer to the SSID of an access point), and clicking Edit.
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the button.
- Select the Wireless entry from the list.
- Click the button.
Figure 10.12. Editing the newly created Wireless connection 1
Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Wireless section of the Network Connections window. By default, wireless connections are named the same as the SSID of the wireless access point. You can rename the wireless connection without affecting its ability to connect, but it is recommended to retain the SSID name.
- Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the Wireless Tab
- SSID
- All access points have a Service Set identifier to identify them. However, an access point may be configured not to broadcast its SSID, in which case it is hidden, and will not show up in NetworkManager's list of Available networks. You can still connect to a wireless access point that is hiding its SSID as long as you know its SSID (and authentication secrets).For information on connecting to a hidden wireless network, see the section called “Connecting to a Hidden Wireless Network”.
- Mode
- Infrastructure — Set Mode to Infrastructure if you are connecting to a dedicated wireless access point or one built into a network device such as a router or a switch.
- Ad-hoc — Set Mode to Ad-hoc if you are creating a peer-to-peer network for two or more mobile devices to communicate directly with each other. If you use Ad-hoc mode, referred to as Independent Basic Service Set (IBSS) in the 802.11 standard, you must ensure that the same SSID is set for all participating wireless devices, and that they are all communicating over the same channel.
- BSSID
- The Basic Service Set Identifier (BSSID) is the MAC address of the specific wireless access point you are connecting to when in Infrastructure mode. This field is blank by default, and you are able to connect to a wireless access point by SSID without having to specify its BSSID. If the BSSID is specified, it will force the system to associate to a specific access point only.
For ad-hoc networks, the BSSID is generated randomly by the mac80211 subsystem when the ad-hoc network is created. It is not displayed by NetworkManager.
- MAC address
- Like an Ethernet Network Interface Card (NIC), a wireless adapter has a unique MAC address (Media Access Control; also known as a hardware address) that identifies it to the system. Running the ip addr command will show the MAC address associated with each interface. For example, in the following ip addr output, the MAC address for the wlan0 interface (which is 00:1c:bf:02:f8:70) immediately follows the link/ether keyword:
~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe26:9ef1/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
    inet 10.200.130.67/24 brd 10.200.130.255 scope global wlan0
    inet6 fe80::21c:bfff:fe02:f870/64 scope link
       valid_lft forever preferred_lft forever
A single system could have one or more wireless network adapters connected to it. The MAC address field therefore allows you to associate a specific wireless adapter with a specific connection (or connections). As mentioned, you can determine the MAC address using the ip addr command, and then copy and paste that value into the MAC address text-entry field.
- MTU
- The MTU (Maximum Transmission Unit) value represents the size in bytes of the largest packet that the connection will use to transmit. If set to a non-zero number, only packets of the specified size or smaller will be transmitted. Larger packets are broken up into multiple Ethernet frames. It is recommended to leave this setting on.
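Both the Wired tab and the Wireless tab above tell you to read the address that follows link/ether in ip addr output and paste it into the MAC address field. The following script is an added example, not from the Red Hat guide: it extracts that address for a named interface and validates the copied value before it goes into the field, so a typo or a truncated paste is caught before the connection is saved. The embedded listing is abridged from the guide's own ip addr output so the functions run offline; the handling of interface names in the eth0@if2 form goes slightly beyond the guide's samples and is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): read the link/ether address of
# a named interface out of `ip addr` text, as the Wired and Wireless tab
# descriptions explain, and validate a MAC before pasting it into the
# MAC address field. SAMPLE_IP_ADDR is abridged from the guide's listing.

SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:26:9e:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.251/24 brd 192.168.122.255 scope global eth0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:1c:bf:02:f8:70 brd ff:ff:ff:ff:ff:ff
    inet 10.200.130.67/24 brd 10.200.130.255 scope global wlan0'

# iface_mac NAME: print the link/ether address of interface NAME from
# `ip addr` output read on stdin. Exit 1 when NAME is absent or has no
# Ethernet-style address (lo only has link/loopback). Names of the form
# eth0@if2 are reduced to eth0 (assumed extension beyond the guide's output).
iface_mac() {
    awk -v want="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur); sub(/@.*/, "", cur) }
        cur == want && $1 == "link/ether" { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# is_mac VALUE: succeed only for six colon-separated hexadecimal pairs,
# the form the MAC address field expects.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Demo over the embedded listing: on a live system replace the printf with
# `ip addr | iface_mac eth0`.
mac=$(printf '%s\n' "$SAMPLE_IP_ADDR" | iface_mac eth0)
if is_mac "$mac"; then
    echo "eth0 MAC address: $mac"
else
    echo "no usable MAC address found for eth0" >&2
fi
```

The lo interface is the useful negative case: it has an address line, but under link/loopback rather than link/ether, so the function reports nothing for it instead of returning the all-zero loopback address.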
Saving Your New (or Modified) Connection and Making Further Configurations
- security authentication for the wireless connection, click the Wireless Security tab and proceed to Section 10.3.9.2, “Configuring Wireless Security”;
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”; or,
- IPv6 settings for the connection, click the IPv6 Settings tab and proceed to Section 10.3.9.5, “Configuring IPv6 Settings”.
10.3.3. Establishing a Mobile Broadband Connection
- 2G — GPRS (General Packet Radio Service) or EDGE (Enhanced Data Rates for GSM Evolution)
- 3G — UMTS (Universal Mobile Telecommunications System) or HSPA (High Speed Packet Access)
Procedure 10.3. Adding a New Mobile Broadband Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the button to open the selection list. Select Mobile Broadband and then click . The Set up a Mobile Broadband Connection assistant appears.
- Under Create a connection for this mobile broadband device, choose the 2G- or 3G-capable device you want to use with the connection. If the dropdown menu is inactive, this indicates that the system was unable to detect a device capable of mobile broadband. In this case, click Cancel, ensure that you do have a mobile broadband-capable device attached and recognized by the computer and then retry this procedure. Click the Forward button.
- Select the country where your service provider is located from the list and click the Forward button.
- Select your provider from the list or enter it manually. Click the Forward button.
- Select your payment plan from the dropdown menu and confirm the Access Point Name (APN) is correct. Click the Forward button.
- Review and confirm the settings and then click the Apply button.
- Edit the mobile broadband-specific settings by referring to the Configuring the Mobile Broadband Tab description below.
Procedure 10.4. Editing an Existing Mobile Broadband Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Select the connection you want to edit and click the Edit button.
- Select the Mobile Broadband tab.
- Configure the connection name, auto-connect behavior, and availability settings. Three settings in the Editing dialog are common to all connection types:
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Mobile Broadband section of the Network Connections window.
- Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
- Edit the mobile broadband-specific settings by referring to the Configuring the Mobile Broadband Tab description below.
Saving Your New (or Modified) Connection and Making Further Configurations
- Point-to-point settings for the connection, click the PPP Settings tab and proceed to Section 10.3.9.3, “Configuring PPP (Point-to-Point) Settings”;
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”; or,
- IPv6 settings for the connection, click the IPv6 Settings tab and proceed to Section 10.3.9.5, “Configuring IPv6 Settings”.
Configuring the Mobile Broadband Tab
- Number
- The number that is dialed to establish a PPP connection with the GSM-based mobile broadband network. This field may be automatically populated during the initial installation of the broadband device. You can usually leave this field blank and enter the APN instead.
- Username
- Enter the user name used to authenticate with the network. Some providers do not provide a user name, or accept any user name when connecting to the network.
- Password
- Enter the password used to authenticate with the network. Some providers do not provide a password, or accept any password.
- APN
- Enter the Access Point Name (APN) used to establish a connection with the GSM-based network. Entering the correct APN for a connection is important because it often determines:
- how the user is billed for their network usage; and/or
- whether the user has access to the Internet, an intranet, or a subnetwork.
- Network ID
- Entering a Network ID causes NetworkManager to force the device to register only to a specific network. This can be used to ensure the connection does not roam when it is not possible to control roaming directly.
- Type
- Any — The default value of Any leaves the modem to select the fastest network.
- 3G (UMTS/HSPA) — Force the connection to use only 3G network technologies.
- 2G (GPRS/EDGE) — Force the connection to use only 2G network technologies.
- Prefer 3G (UMTS/HSPA) — First attempt to connect using a 3G technology such as HSPA or UMTS, and fall back to GPRS or EDGE only upon failure.
- Prefer 2G (GPRS/EDGE) — First attempt to connect using a 2G technology such as GPRS or EDGE, and fall back to HSPA or UMTS only upon failure.
- Allow roaming if home network is not available
- Uncheck this box if you want NetworkManager to terminate the connection rather than transition from the home network to a roaming one, thereby avoiding possible roaming charges. If the box is checked, NetworkManager will attempt to maintain a good connection by transitioning from the home network to a roaming one, and vice versa.
- PIN
- If your device's SIM (Subscriber Identity Module) is locked with a PIN (Personal Identification Number), enter the PIN so that NetworkManager can unlock the device. NetworkManager must unlock the SIM if a PIN is required in order to use the device for any purpose.
10.3.4. Establishing a VPN Connection
- it adds an Authentication Header for routing and authentication purposes;
- it encrypts the packet data; and,
- it encloses the data with an Encapsulating Security Payload (ESP), which constitutes the decryption and handling instructions.
Procedure 10.5. Adding a New VPN Connection
- You can configure a new VPN connection by opening the Network Connections window, clicking the button and selecting a type of VPN from the VPN section of the new connection list.
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the button.
- The Choose a Connection Type list appears.
Note
The appropriate NetworkManager VPN plug-in for the VPN type you want to configure must be installed (see Section 8.2.4, “Installing Packages” for more information on how to install new packages in Red Hat Enterprise Linux 6). The VPN section in the Choose a Connection Type list will not appear if you do not have a suitable plug-in installed.
- Select the VPN protocol for the gateway you are connecting to from the Choose a Connection Type list. The VPN protocols available for selection in the list correspond to the NetworkManager VPN plug-ins installed. For example, if NetworkManager-openswan, the NetworkManager VPN plug-in for libreswan, is installed, then the IPsec based VPN will be selectable from the Choose a Connection Type list.
Note
In Red Hat Enterprise Linux 6.8, openswan has been obsoleted by libreswan. NetworkManager-openswan has been modified to support both openswan and libreswan.
After selecting the correct one, press the button.
- The Editing VPN Connection 1 window then appears. This window presents settings customized for the type of VPN connection you selected in Step 6.
Procedure 10.6. Editing an Existing VPN Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Select the connection you want to edit and click the Edit button.
Figure 10.13. Editing the newly created IPsec VPN connection 1
Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the VPN section of the Network Connections window.
- Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the VPN Tab
- Gateway
- The name or IP address of the remote VPN gateway.
- Group name
- The name of a VPN group configured on the remote gateway.
- User password
- If required, enter the password used to authenticate with the VPN.
- Group password
- If required, enter the password used to authenticate with the VPN.
- User name
- If required, enter the user name used to authenticate with the VPN.
- Phase1 Algorithms
- If required, enter the algorithms to be used to authenticate and set up an encrypted channel.
- Phase2 Algorithms
- If required, enter the algorithms to be used for the IPsec negotiations.
- Domain
- If required, enter the Domain Name.
- NAT traversal
- Disable Dead Peer Detection — Disable the sending of probes to the remote gateway or endpoint.
Saving Your New (or Modified) Connection and Making Further Configurations
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”.
10.3.5. Establishing a DSL Connection
Procedure 10.7. Adding a New DSL Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the button.
- The Choose a Connection Type list appears.
- Select DSL and press the button.
- The Editing DSL Connection 1 window appears.
Procedure 10.8. Editing an Existing DSL Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Select the connection you want to edit and click the Edit button.
Configuring the Connection Name, Auto-Connect Behavior, and Availability Settings
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the DSL section of the Network Connections window.
- Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
Configuring the DSL Tab
- Username
- Enter the user name used to authenticate with the service provider.
- Service
- Leave blank unless otherwise directed.
- Password
- Enter the password supplied by the service provider.
Saving Your New (or Modified) Connection and Making Further Configurations
- The MAC address and MTU settings, click the Wired tab and proceed to the section called “Configuring the Wired Tab”;
- Point-to-point settings for the connection, click the PPP Settings tab and proceed to Section 10.3.9.3, “Configuring PPP (Point-to-Point) Settings”;
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”.
10.3.6. Establishing a Bond Connection
Note
NM_BOND_VLAN_ENABLED directive and then NetworkManager must be restarted. See Section 11.2.1, “Ethernet Interfaces” for an explanation of NM_CONTROLLED and the NM_BOND_VLAN_ENABLED directive. See Section 12.3.4, “Restarting a Service” for an explanation of restarting a service such as NetworkManager from the command line. Alternatively, for a graphical tool see Section 12.2.1, “Using the Service Configuration Utility”.
Procedure 10.9. Adding a New Bond Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the button to open the selection list. Select Bond and then click the button. The Editing Bond connection 1 window appears.
- On the Bond tab, click and select the type of interface you want to use with the bond connection. Click the button. Note that the dialog to select the slave type only comes up when you create the first slave; after that, it will automatically use that same type for all further slaves.
- The Editing bond0 slave 1 window appears. Fill in the MAC address of the first interface to be bonded. The first slave's MAC address will be used as the MAC address for the bond interface. If required, enter a clone MAC address to be used as the bond's MAC address. Click the button.
- The Authenticate window appears. Enter the root password to continue. Click the button.
- The name of the bonded slave appears in the Bonded Connections window. Click the button to add further slave connections.
- Review and confirm the settings and then click the Apply button.
- Edit the bond-specific settings by referring to the section called “Configuring the Bond Tab” below.
Figure 10.14. Editing the newly created Bond connection 1
Procedure 10.10. Editing an Existing Bond Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Select the connection you want to edit and click the Edit button.
- Select the Bond tab.
- Configure the connection name, auto-connect behavior, and availability settings. Three settings in the Editing dialog are common to all connection types:
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the Bond section of the Network Connections window.
- Connect automatically — Select this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Select this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
- Edit the bond-specific settings by referring to the section called “Configuring the Bond Tab” below.
Saving Your New (or Modified) Connection and Making Further Configurations
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”; or,
- IPv6 settings for the connection, click the IPv6 Settings tab and proceed to Section 10.3.9.5, “Configuring IPv6 Settings”.
Configuring the Bond Tab
- Mode
- The mode that is used to share traffic over the slave connections which make up the bond. The default is Round-robin. Other load sharing modes, such as 802.3ad, can be selected by means of the drop-down list.
- Link Monitoring
- The method of monitoring the slaves' ability to carry network traffic.
- Round-robin
- Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available. This mode might not work behind a bridge with virtual machines without additional switch configuration.
- Active backup
- Sets an active-backup policy for fault tolerance. Transmissions are received and sent out via the first available bonded slave interface. Another bonded slave interface is only used if the active bonded slave interface fails. Note that this is the only mode available for bonds of InfiniBand devices.
- XOR
- Sets an XOR (exclusive-or) policy. Transmissions are based on the selected hash policy. The default is to derive a hash by XOR of the source and destination MAC addresses multiplied by the modulo of the number of slave interfaces. In this mode traffic destined for specific peers will always be sent over the same interface. As the destination is determined by the MAC addresses this method works best for traffic to peers on the same link or local network. If traffic has to pass through a single router then this mode of traffic balancing will be suboptimal.
- Broadcast
- Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces. This mode might not work behind a bridge with virtual machines without additional switch configuration.
- 802.3ad
- Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings. Transmits and receives on all slaves in the active aggregator. Requires a network switch that is 802.3ad compliant.
- Adaptive transmit load balancing
- Sets an adaptive Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave. This mode is only suitable for local addresses known to the kernel bonding module and therefore cannot be used behind a bridge with virtual machines.
- Adaptive load balancing
- Sets an Adaptive Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPv4 traffic. Receive load balancing is achieved through ARP negotiation. This mode is only suitable for local addresses known to the kernel bonding module and therefore cannot be used behind a bridge with virtual machines.
- MII (Media Independent Interface)
- The state of the carrier wave of the interface is monitored. This can be done by querying the driver, by querying MII registers directly, or by using ethtool to query the device. Three options are available:
- Monitoring Frequency
- The time interval, in milliseconds, between querying the driver or MII registers.
- Link up delay
- The time in milliseconds to wait before attempting to use a link that has been reported as up. This delay can be used if some gratuitous ARP requests are lost in the period immediately following the link being reported as “up”. This can happen during switch initialization for example.
- Link down delay
- The time in milliseconds to wait before changing to another link when a previously active link has been reported as “down”. This delay can be used if an attached switch takes a relatively long time to change to backup mode.
- ARP
- The address resolution protocol (ARP) is used to probe one or more peers to determine how well the link-layer connections are working. It is dependent on the device driver providing the transmit start time and the last receive time. Two options are available:
- Monitoring Frequency
- The time interval, in milliseconds, between sending ARP requests.
- ARP targets
- A comma separated list of IP addresses to send ARP requests to.
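As an added example (not from the Deployment Guide), the following shell function checks a BONDING_OPTS value for the inconsistencies the Mode and Link Monitoring descriptions above imply, before it is written to an ifcfg-bondN file. It assumes the Bond tab fields correspond to the kernel bonding module parameters mode, miimon, updelay, downdelay, arp_interval and arp_ip_target.

```shell
#!/bin/sh
# Added example, not from the Deployment Guide: validate a BONDING_OPTS value
# before it goes into /etc/sysconfig/network-scripts/ifcfg-bondN.
# Assumed mapping of the Bond tab to kernel bonding module parameters:
#   Mode -> mode, MII Monitoring Frequency -> miimon, Link up/down delay ->
#   updelay/downdelay, ARP Monitoring Frequency -> arp_interval,
#   ARP targets -> arp_ip_target.

# bond_opt OPTS NAME: print the value of NAME in a space-separated "k=v" list.
bond_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# is_num VALUE: succeed only for a non-empty string of decimal digits.
is_num() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# check_bonding_opts OPTS: return 0 if the options are consistent; otherwise
# print one finding per line and return 1.
check_bonding_opts() {
    mode=$(bond_opt "$1" mode)
    miimon=$(bond_opt "$1" miimon)
    arp_int=$(bond_opt "$1" arp_interval)
    arp_tgt=$(bond_opt "$1" arp_ip_target)
    updelay=$(bond_opt "$1" updelay)
    downdelay=$(bond_opt "$1" downdelay)
    rc=0

    # Mode may be given by name or by its numeric alias 0-6.
    case "$mode" in
        balance-rr|active-backup|balance-xor|broadcast|802.3ad|balance-tlb|balance-alb|[0-6]) ;;
        '') echo "mode is missing"; rc=1 ;;
        *)  echo "unknown mode '$mode'"; rc=1 ;;
    esac

    # Exactly one link-monitoring method: MII (miimon) or ARP (arp_interval).
    # With neither, a failed slave is never detected, so failover never happens.
    if [ -z "$miimon" ] && [ -z "$arp_int" ]; then
        echo "no link monitoring: set miimon or arp_interval"; rc=1
    elif [ -n "$miimon" ] && [ -n "$arp_int" ]; then
        echo "miimon and arp_interval are mutually exclusive"; rc=1
    fi

    # ARP monitoring works by probing peers, so it needs at least one target.
    if [ -n "$arp_int" ] && [ -z "$arp_tgt" ]; then
        echo "arp_interval is set but arp_ip_target is missing"; rc=1
    fi

    # updelay/downdelay belong to MII monitoring; the driver rounds them down
    # to a multiple of miimon, so report values that are not already one.
    if [ -z "$miimon" ] && { [ -n "$updelay" ] || [ -n "$downdelay" ]; }; then
        echo "updelay/downdelay have no effect without miimon"; rc=1
    elif is_num "$miimon" && [ "$miimon" -gt 0 ]; then
        for d in "$updelay" "$downdelay"; do
            if is_num "$d" && [ $((d % miimon)) -ne 0 ]; then
                echo "delay $d is not a multiple of miimon $miimon"; rc=1
            fi
        done
    fi
    return $rc
}

# Demonstration on two constructed values: the first is consistent, the
# second uses ARP monitoring without any target to probe.
for opts in "mode=active-backup miimon=100 updelay=200 downdelay=100" \
            "mode=802.3ad arp_interval=1000"; do
    if check_bonding_opts "$opts"; then
        echo "OK:  BONDING_OPTS=\"$opts\""
    else
        echo "BAD: BONDING_OPTS=\"$opts\""
    fi
done
```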
10.3.7. Establishing a VLAN Connection
Procedure 10.11. Adding a New VLAN Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the button to open the selection list. Select VLAN and then click the button. The Editing VLAN Connection 1 window appears.
- On the VLAN tab, select the parent interface from the drop-down list you want to use for the VLAN connection.
- Enter the VLAN ID.
- Enter a VLAN interface name. This is the name of the VLAN interface that will be created. For example, "eth0.1" or "vlan2". (Normally this is either the parent interface name plus "." and the VLAN ID, or "vlan" plus the VLAN ID.)
- Review and confirm the settings and then click the Apply button.
- Edit the VLAN-specific settings by referring to the Configuring the VLAN Tab description below.
Procedure 10.12. Editing an Existing VLAN Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Select the connection you want to edit and click the Edit button.
- Select the VLAN tab.
- Configure the connection name, auto-connect behavior, and availability settings. Three settings in the Editing dialog are common to all connection types:
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the VLAN section of the Network Connections window.
- Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
- Edit the VLAN-specific settings by referring to the Configuring the VLAN Tab description below.
Saving Your New (or Modified) Connection and Making Further Configurations
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”.
Configuring the VLAN Tab
- Parent Interface
- A previously configured interface can be selected in the drop-down list.
- VLAN ID
- The identification number to be used to tag the VLAN network traffic.
- VLAN interface name
- The name of the VLAN interface that will be created. For example, "eth0.1" or "vlan2".
- Cloned MAC address
- Optionally sets an alternate MAC address to use for identifying the VLAN interface. This can be used to change the source MAC address for packets sent on this VLAN.
- MTU
- Optionally sets a Maximum Transmission Unit (MTU) size to be used for packets to be sent over the VLAN connection.
10.3.8. Establishing an IP-over-InfiniBand (IPoIB) Connection
Procedure 10.13. Adding a New InfiniBand Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Click the button to open the selection list. Select InfiniBand and then click the button. The Editing InfiniBand Connection 1 window appears.
- On the InfiniBand tab, select the transport mode from the drop-down list you want to use for the InfiniBand connection.
- Enter the InfiniBand MAC address.
- Review and confirm the settings and then click the Apply button.
- Edit the InfiniBand-specific settings by referring to the Configuring the InfiniBand Tab description below.
Figure 10.15. Editing the newly created InfiniBand connection 1
Procedure 10.14. Editing an Existing InfiniBand Connection
- Right-click on the NetworkManager applet icon in the Notification Area and click Edit Connections. The Network Connections window appears.
- Select the connection you want to edit and click the Edit button.
- Select the InfiniBand tab.
- Configure the connection name, auto-connect behavior, and availability settings. Three settings in the Editing dialog are common to all connection types:
- Connection name — Enter a descriptive name for your network connection. This name will be used to list this connection in the InfiniBand section of the Network Connections window.
- Connect automatically — Check this box if you want NetworkManager to auto-connect to this connection when it is available. See Section 10.2.3, “Connecting to a Network Automatically” for more information.
- Available to all users — Check this box to create a connection available to all users on the system. Changing this setting may require root privileges. See Section 10.2.4, “User and System Connections” for details.
- Edit the InfiniBand-specific settings by referring to the Configuring the InfiniBand Tab description below.
Saving Your New (or Modified) Connection and Making Further Configurations
- IPv4 settings for the connection, click the IPv4 Settings tab and proceed to Section 10.3.9.4, “Configuring IPv4 Settings”; or,
- IPv6 settings for the connection, click the IPv6 Settings tab and proceed to Section 10.3.9.5, “Configuring IPv6 Settings”.
Configuring the InfiniBand Tab
- Transport mode
- Datagram or Connected mode can be selected from the drop-down list. Select the same mode the rest of your IPoIB network is using.
- Device MAC address
- The MAC address of the InfiniBand capable device to be used for the InfiniBand network traffic. This hardware address field will be pre-filled if you have InfiniBand hardware installed.
- MTU
- Optionally sets a Maximum Transmission Unit (MTU) size to be used for packets to be sent over the InfiniBand connection.
10.3.9. Configuring Connection Settings
10.3.9.1. Configuring 802.1X Security
Procedure 10.15. For a wired connection...
- Either click, select a new network connection for which you want to configure 802.1X security and then click , or select an existing connection and click .
- Then select the 802.1X Security tab and check the Use 802.1X security for this connection check box to enable settings configuration.
Procedure 10.16. For a wireless connection...
- Either click on, select a new network connection for which you want to configure 802.1X security and then click , or select an existing connection and click .
- Select the Wireless Security tab.
- Then click the Security dropdown and choose one of the following security methods: , , or .
- See Section 10.3.9.1.1, “Configuring TLS (Transport Layer Security) Settings” for descriptions of which EAP types correspond to your selection in the Security dropdown.
10.3.9.1.1. Configuring TLS (Transport Layer Security) Settings
- Identity
- Identity string for EAP authentication methods, such as a user name or login name.
- User certificate
- Click to browse for, and select, a user's certificate.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- Private key
- Click to browse for, and select, a user's private key file. Note that the key must be password protected.
- Private key password
- Enter the user password corresponding to the user's private key.
10.3.9.1.2. Configuring Tunneled TLS Settings
- Anonymous identity
- This value is used as the unencrypted identity.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- Inner authentication
- Username
- Enter the user name to be used in the authentication process.
- Password
- Enter the password to be used in the authentication process.
10.3.9.1.3. Configuring Protected EAP (PEAP) Settings
- Anonymous Identity
- This value is used as the unencrypted identity.
- CA certificate
- Click to browse for, and select, a Certificate Authority's certificate.
- PEAP version
- The version of Protected EAP to use. Automatic, 0 or 1.
- Inner authentication
- Username
- Enter the user name to be used in the authentication process.
- Password
- Enter the password to be used in the authentication process.
10.3.9.2. Configuring Wireless Security
- Security
- Password
- Enter the password to be used in the authentication process.
Note
Figure 10.16. Editing the Wireless Security tab and selecting the WPA protocol
10.3.9.3. Configuring PPP (Point-to-Point) Settings
- Configure Methods
- Use point-to-point encryption (MPPE)
- Microsoft Point-To-Point Encryption protocol (RFC 3078).
- Allow BSD data compression
- PPP BSD Compression Protocol (RFC 1977).
- Allow Deflate data compression
- PPP Deflate Protocol (RFC 1979).
- Use TCP header compression
- Compressing TCP/IP Headers for Low-Speed Serial Links (RFC 1144).
- Send PPP echo packets
- LCP Echo-Request and Echo-Reply Codes for loopback tests (RFC 1661).
10.3.9.4. Configuring IPv4 Settings
Figure 10.17. Editing the IPv4 Settings Tab
Setting the Method
Available IPv4 Methods by Connection Type
- Method
- — Choose this option if the network you are connecting to uses a DHCP server to assign IP addresses. You do not need to fill in the DHCP client ID field.
- Wired, Wireless and DSL Connection Methods
- Mobile Broadband Connection Methods
- VPN Connection Methods
- DSL Connection Methods
PPPoE Specific Configuration Steps
- Enter the MAC address in nm-connection-editor for that connection. Optionally select Connect automatically and Available to all users to make the connection come up without requiring user login after system start.
- Set the hardware-address in the [802-3-ethernet] section in the appropriate file for that connection in /etc/NetworkManager/system-connections/ as follows:
[802-3-ethernet]
mac-address=00:11:22:33:44:55
Mere presence of the file in /etc/NetworkManager/system-connections/ means that it is “available to all users”. Ensure that autoconnect=true appears in the [connection] section for the connection to be brought up without requiring user login after system start.
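As an added example (not the guide's own code), this shell snippet reads a keyfile under /etc/NetworkManager/system-connections/ and checks the two points above (mac-address under [802-3-ethernet], autoconnect=true under [connection]); it also checks that the file is readable only by its owner, because a PPPoE keyfile carries the provider password. The sample keyfile is constructed, its [pppoe] section and keys are assumed names, and the permission check relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the Deployment Guide: check a NetworkManager keyfile
# in /etc/NetworkManager/system-connections/ for the PPPoE settings described
# above and for safe permissions. The sample keyfile below is constructed; its
# [pppoe] section is an assumed name, while [802-3-ethernet]/mac-address and
# [connection]/autoconnect are the keys the text names.

# keyfile_get FILE SECTION KEY: print KEY's value from [SECTION], if present.
keyfile_get() {
    awk -F= -v want="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == want); next }
        in_sec && $1 == key { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# check_system_connection FILE: return 0 when the keyfile has a well-formed
# mac-address, autoconnect=true, and group/other permission bits cleared;
# otherwise print each finding and return 1.
check_system_connection() {
    f=$1; rc=0
    mac=$(keyfile_get "$f" 802-3-ethernet mac-address)
    auto=$(keyfile_get "$f" connection autoconnect)
    mode=$(stat -c %a "$f" 2>/dev/null)   # GNU stat: octal mode, e.g. 600

    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        echo "$f: [802-3-ethernet] mac-address missing or malformed ('$mac')"; rc=1
    fi
    [ "$auto" = true ] || { echo "$f: [connection] autoconnect is not true"; rc=1; }

    # The file is "available to all users" by its location; the password inside
    # it must not be, so the group and other permission digits must both be 0.
    case "$mode" in
        *00) ;;
        *) echo "$f: mode '$mode' exposes the password to other users; use 0600"; rc=1 ;;
    esac
    return $rc
}

# write_sample_keyfile DIR: create a constructed DSL keyfile, print its path.
write_sample_keyfile() {
    path=$1/dsl-example
    cat > "$path" <<'EOF'
[connection]
id=dsl-example
type=pppoe
autoconnect=true

[802-3-ethernet]
mac-address=00:11:22:33:44:55

[pppoe]
username=user@provider.example
password=constructed-sample-password
EOF
    chmod 600 "$path"
    printf '%s\n' "$path"
}

# Demonstration: the sample passes as written and fails once it is world-readable.
tmp=$(mktemp -d)
kf=$(write_sample_keyfile "$tmp")
check_system_connection "$kf" && echo "OK:  $kf"
chmod 644 "$kf"
check_system_connection "$kf" || echo "BAD: $kf"
rm -r "$tmp"
```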
10.3.9.5. Configuring IPv6 Settings
- Method
- Addresses
10.3.9.6. Configuring Routes
Figure 10.18. Configuring static network routes
- Addresses
- Ignore automatically obtained routes
- Select this check box to only use manually entered routes for this connection.
- Use this connection only for resources on its network
- Select this check box to prevent the connection from becoming the default route. Typical examples are where a connection is a VPN or a leased line to a head office and you do not want any Internet bound traffic to pass over the connection. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually will be routed over the connection.
Chapter 11. Network Interfaces
/etc/sysconfig/network-scripts/ directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory:
- Interface configuration files
- Interface control scripts
- Network function files
11.1. Network Configuration Files
- /etc/hosts
- The main purpose of this file is to resolve host names that cannot be resolved any other way. It can also be used to resolve host names on small networks with no DNS server. Regardless of the type of network the computer is on, this file should contain a line specifying the IP address of the loopback device (127.0.0.1) as localhost.localdomain. For more information, see the hosts(5) manual page.
- /etc/resolv.conf
- This file specifies the IP addresses of DNS servers and the search domain. Unless configured to do otherwise, the network initialization scripts populate this file. For more information about this file, see the resolv.conf(5) manual page.
- /etc/sysconfig/network
- This file specifies routing and host information for all network interfaces. It is used to contain directives which are to have global effect and not to be interface specific. For more information about this file and the directives it accepts, see Section D.1.14, “/etc/sysconfig/network”.
- /etc/sysconfig/network-scripts/ifcfg-interface-name
- For each network interface, there is a corresponding interface configuration script. Each of these files provides information specific to a particular network interface. See Section 11.2, “Interface Configuration Files” for more information on this type of file and the directives it accepts.
Important
Warning
The /etc/sysconfig/networking/ directory is used by the now deprecated Network Administration Tool (system-config-network). Its contents should not be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion. For more information about configuring network interfaces using graphical configuration tools, see Chapter 10, NetworkManager.
11.1.1. Setting the Host Name
/etc/sysconfig/network file. For example:
HOSTNAME=penguin.example.com
/etc/sysconfig/network, or by the /etc/hosts file. The default setting of hosts: files dns in /etc/nsswitch.conf causes the configuration files to be checked before a resolver. The default setting of multi on in the /etc/host.conf file means that all valid values in the /etc/hosts file are returned, not just the first.
/etc/hosts file instead of the HOSTNAME directive in /etc/sysconfig/network, for example, when DNS is not running during system bootup.
/etc/hosts file, add lines to it in the following format:
192.168.1.2 penguin.example.com penguin
11.2. Interface Configuration Files
ifcfg-name, where name refers to the name of the device that the configuration file controls.
11.2.1. Ethernet Interfaces
/etc/sysconfig/network-scripts/ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-ethX files (where X is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.1.27
USERCTL=no
ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided by the DHCP server:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
- BONDING_OPTS=parameters
- sets the configuration parameters for the bonding device, and is used in /etc/sysconfig/network-scripts/ifcfg-bondN (see Section 11.2.4, “Channel Bonding Interfaces”). These parameters are identical to those used for bonding devices in /sys/class/net/bonding_device/bonding, and the module parameters for the bonding driver as described in bonding Module Directives. This configuration method is used so that multiple bonding devices can have different configurations. In Red Hat Enterprise Linux 6, place all interface-specific bonding options after the BONDING_OPTS directive in ifcfg-name files. See Where to specify bonding module parameters for more information.
- BOOTPROTO=protocol
- where protocol is one of the following:
  - none — No boot-time protocol should be used.
  - bootp — The BOOTP protocol should be used.
  - dhcp — The DHCP protocol should be used.
- BROADCAST=address
- where address is the broadcast address. This directive is deprecated, as the value is calculated automatically with ipcalc.
- DEVICE=name
- where name is the name of the physical device (except for dynamically-allocated PPP devices where it is the logical name).
- DHCP_HOSTNAME=name
- where name is a short host name to be sent to the DHCP server. Use this option only if the DHCP server requires the client to specify a host name before receiving an IP address.
- DHCPV6C=answer
- where answer is one of the following:
  - yes — Use DHCP to obtain an IPv6 address for this interface.
  - no — Do not use DHCP to obtain an IPv6 address for this interface. This is the default value.
  An IPv6 link-local address will still be assigned by default. The link-local address is based on the MAC address of the interface as per RFC 4862.
- DHCPV6C_OPTIONS=answer
- where answer is one of the following:
  - -P — Enable IPv6 prefix delegation.
  - -S — Use DHCP to obtain stateless configuration only, not addresses, for this interface.
  - -N — Restore normal operation after using the -T or -P options.
  - -T — Use DHCP to obtain a temporary IPv6 address for this interface.
  - -D — Override the default when selecting the type of DHCP Unique Identifier (DUID) to use. By default, the DHCP client (dhclient) creates a DHCP Unique Identifier (DUID) based on the link-layer address (DUID-LL) if it is running in stateless mode (with the -S option, to not request an address), or it creates an identifier based on the link-layer address plus a timestamp (DUID-LLT) if it is running in stateful mode (without -S, requesting an address). The -D option overrides this default, with a value of either LL or LLT.
- DNS{1,2}=address
- where address is a name server address to be placed in /etc/resolv.conf provided that the PEERDNS directive is not set to no.
- ETHTOOL_OPTS=options
- where options are any device-specific options supported by ethtool. For example, if you wanted to force 100Mb, full duplex:
ETHTOOL_OPTS="autoneg off speed 100 duplex full"
Instead of a custom initscript, use ETHTOOL_OPTS to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.
Important
Changing speed or duplex settings almost always requires disabling auto-negotiation with the autoneg off option. This option needs to be stated first, as the option entries are order-dependent.
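As an added example (not from the guide), a small shell linter for an ifcfg-ethX file that applies the directive rules described above: BOOTPROTO must be none, bootp or dhcp; a BOOTPROTO=none interface needs an address and mask (NETMASK, or the PREFIX alternative); DHCPV6C is yes or no; BROADCAST is flagged as deprecated; and an ETHTOOL_OPTS that forces speed or duplex must begin with autoneg off. The sample files are the two shown above plus one constructed file that breaks the rules.

```shell
#!/bin/sh
# Added example, not from the Deployment Guide: lint an ifcfg-ethX file against
# the directive rules above. Sample files are constructed from the two examples
# in the text plus one deliberately wrong file.

# ifcfg_get FILE KEY: print the value of KEY (surrounding quotes removed).
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# lint_ifcfg FILE: return 0 if no rule is violated; otherwise print one
# finding per line and return 1. A deprecated BROADCAST is reported but
# does not count as a failure.
lint_ifcfg() {
    f=$1; rc=0
    bootproto=$(ifcfg_get "$f" BOOTPROTO)
    dhcpv6c=$(ifcfg_get "$f" DHCPV6C)
    ethtool=$(ifcfg_get "$f" ETHTOOL_OPTS)

    [ -n "$(ifcfg_get "$f" DEVICE)" ] || { echo "DEVICE is missing"; rc=1; }

    # Static addressing (BOOTPROTO=none) must carry the address and mask itself.
    case "$bootproto" in
        none)
            [ -n "$(ifcfg_get "$f" IPADDR)" ] || { echo "BOOTPROTO=none without IPADDR"; rc=1; }
            [ -n "$(ifcfg_get "$f" NETMASK)" ] || [ -n "$(ifcfg_get "$f" PREFIX)" ] ||
                { echo "BOOTPROTO=none without NETMASK or PREFIX"; rc=1; } ;;
        bootp|dhcp) ;;
        *) echo "BOOTPROTO must be none, bootp or dhcp (got '$bootproto')"; rc=1 ;;
    esac

    case "$dhcpv6c" in
        ''|yes|no) ;;
        *) echo "DHCPV6C must be yes or no (got '$dhcpv6c')"; rc=1 ;;
    esac

    [ -z "$(ifcfg_get "$f" BROADCAST)" ] ||
        echo "note: BROADCAST is deprecated, ipcalc derives it from IPADDR/NETMASK"

    # ethtool applies options in order, and a forced speed or duplex only takes
    # effect once auto-negotiation is off, so "autoneg off" must come first.
    case "$ethtool" in
        ''|"autoneg off"*) ;;
        *speed*|*duplex*)
            echo "ETHTOOL_OPTS forces speed/duplex but does not start with 'autoneg off'"; rc=1 ;;
    esac
    return $rc
}

# write_sample_ifcfg DIR: the two files from the text plus a constructed bad one.
write_sample_ifcfg() {
    printf '%s\n' DEVICE=eth0 BOOTPROTO=none ONBOOT=yes NETMASK=255.255.255.0 \
        IPADDR=10.0.1.27 USERCTL=no > "$1/ifcfg-eth0"
    printf '%s\n' DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes > "$1/ifcfg-eth1"
    # Constructed: unknown BOOTPROTO value, and autoneg off placed last.
    printf '%s\n' DEVICE=eth2 BOOTPROTO=static ONBOOT=yes \
        'ETHTOOL_OPTS="speed 100 duplex full autoneg off"' > "$1/ifcfg-eth2"
}

# Demonstration over the sample directory.
tmp=$(mktemp -d)
write_sample_ifcfg "$tmp"
for f in "$tmp"/ifcfg-*; do
    if lint_ifcfg "$f"; then echo "OK:  $f"; else echo "BAD: $f"; fi
done
rm -r "$tmp"
```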