此内容没有您所选择的语言版本。
System Administration Guide
For Red Hat Enterprise Linux 4
Edition 2
Copyright © 2008 Red Hat, Inc
Abstract
Introduction
- Setting up a network interface card (NIC)
- Performing a Kickstart installation
- Configuring Samba shares
- Managing your software with RPM
- Determining information about your system
- Upgrading your kernel
- Installation-Related Reference
- File Systems Reference
- Package Management
- Network Configuration
- System Configuration
- System Monitoring
1. Changes To This Manual
- Updated
Kernel Modules
andManually Updating the Kernel
Chapters - The
Kernel Modules
and theUpgrading the Kernel Manually
chapters include updated information in regards to the 2.6 kernel. Special thanks to Arjan van de Ven for his hard work in helping to complete this chapter. - An Updated Network File System (NFS) Chapter
- The Network File System (NFS) chapter has been revised and reorganized to include NFSv4. Special thanks to Steve Dickson for his hard work in helping to complete this chapter.
- An Updated OProfile Chapter
- The OProfile chapter has been revised and reorganized to include updated information in regards to the 2.6 kernel. Special thanks to Will Cohen for his hard work in helping to complete this chapter.
- An Updated X Window System Chapter
- The X Window System chapter has been revised to include information on the X11R6.8 release developed by the X.Org team.
2. More to Come
2.1. Send in Your Feedback
rh-sag
.
rh-sag
Part I. Installation-Related Information
Chapter 1. Kickstart Installations
1.1. What are Kickstart Installations?
1.2. How Do You Perform a Kickstart Installation?
- Create a kickstart file.
- Create a boot media with the kickstart file or make the kickstart file available on the network.
- Make the installation tree available.
- Start the kickstart installation.
1.3. Creating the Kickstart File
sample.ks
file found in the RH-DOCS
directory of the Red Hat Enterprise Linux Documentation CD, using the Kickstart Configurator application, or writing it from scratch. The Red Hat Enterprise Linux installation program also creates a sample kickstart file based on the options that you selected during installation. It is written to the file /root/anaconda-ks.cfg
. You should be able to edit it with any text editor or word processor that can save files as ASCII text.
- Sections must be specified in order. Items within the sections do not have to be in a specific order unless otherwise specified. The section order is:
- Command section — Refer to Section 1.4, “Kickstart Options” for a list of kickstart options. You must include the required options.
- The
%packages
section — Refer to Section 1.5, “Package Selection” for details. - The
%pre
and%post
sections — These two sections can be in any order and are not required. Refer to Section 1.6, “Pre-installation Script” and Section 1.7, “Post-installation Script” for details.
- Items that are not required can be omitted.
- Omitting any required item results in the installation program prompting the user for an answer to the related item, just as the user would be prompted during a typical installation. Once the answer is given, the installation continues unattended (unless it finds another missing item).
- Lines starting with a pound (or hash) sign (#) are treated as comments and are ignored.
- For kickstart upgrades, the following items are required:
- Language
- Language support
- Installation method
- Device specification (if device is needed to perform the installation)
- Keyboard setup
- The
upgrade
keyword - Boot loader configuration
If any other items are specified for an upgrade, those items are ignored (note that this includes package selection).
1.4. Kickstart Options
Note
autopart
(optional)- Automatically create partitions — 1 GB or more root (
/
) partition, a swap partition, and an appropriate boot partition for the architecture. One or more of the default partition sizes can be redefined with thepart
directive. ignoredisk
(optional)- Causes the installer to ignore the specified disks. This is useful if you use autopartition and want to be sure that some disks are ignored. For example, without
ignoredisk
, attempting to deploy on a SAN-cluster the kickstart would fail, as the installer detects passive paths to the SAN that return no partition table.Theignoredisk
option is also useful if you have multiple paths to your disks.The syntax is:ignoredisk --drives=drive1,drive2,...
where driveN is one ofsda
,sdb
,...,hda
,... etc. autostep
(optional)- Similar to
interactive
except it goes to the next screen for you. It is used mostly for debugging. auth
orauthconfig
(required)- Sets up the authentication options for the system. It is similar to the
authconfig
command, which can be run after the install. By default, passwords are normally encrypted and are not shadowed.--enablemd5
- Use md5 encryption for user passwords.
--enablenis
- Turns on NIS support. By default,
--enablenis
uses whatever domain it finds on the network. A domain should almost always be set by hand with the--nisdomain=
option. --nisdomain=
- NIS domain name to use for NIS services.
--nisserver=
- Server to use for NIS services (broadcasts by default).
--useshadow
or--enableshadow
- Use shadow passwords.
--enableldap
- Turns on LDAP support in
/etc/nsswitch.conf
, allowing your system to retrieve information about users (UIDs, home directories, shells, etc.) from an LDAP directory. To use this option, you must install thenss_ldap
package. You must also specify a server and a base DN (distinguished name) with--ldapserver=
and--ldapbasedn=
. --enableldapauth
- Use LDAP as an authentication method. This enables the
pam_ldap
module for authentication and changing passwords, using an LDAP directory. To use this option, you must have thenss_ldap
package installed. You must also specify a server and a base DN with--ldapserver=
and--ldapbasedn=
. --ldapserver=
- If you specified either
--enableldap
or--enableldapauth
, use this option to specify the name of the LDAP server to use. This option is set in the/etc/ldap.conf
file. --ldapbasedn=
- If you specified either
--enableldap
or--enableldapauth
, use this option to specify the DN in your LDAP directory tree under which user information is stored. This option is set in the/etc/ldap.conf
file. --enableldaptls
- Use TLS (Transport Layer Security) lookups. This option allows LDAP to send encrypted usernames and passwords to an LDAP server before authentication.
--enablekrb5
- Use Kerberos 5 for authenticating users. Kerberos itself does not know about home directories, UIDs, or shells. If you enable Kerberos, you must make users' accounts known to this workstation by enabling LDAP, NIS, or Hesiod or by using the
/usr/sbin/useradd
command to make their accounts known to this workstation. If you use this option, you must have thepam_krb5
package installed. --krb5realm=
- The Kerberos 5 realm to which your workstation belongs.
--krb5kdc=
- The KDC (or KDCs) that serve requests for the realm. If you have multiple KDCs in your realm, separate their names with commas (,).
--krb5adminserver=
- The KDC in your realm that is also running kadmind. This server handles password changing and other administrative requests. This server must be run on the master KDC if you have more than one KDC.
--enablehesiod
- Enable Hesiod support for looking up user home directories, UIDs, and shells. More information on setting up and using Hesiod on your network is in
/usr/share/doc/glibc-2.x.x/README.hesiod
, which is included in theglibc
package. Hesiod is an extension of DNS that uses DNS records to store information about users, groups, and various other items. --hesiodlhs
- The Hesiod LHS ("left-hand side") option, set in
/etc/hesiod.conf
. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP's use of a base DN. --hesiodrhs
- The Hesiod RHS ("right-hand side") option, set in
/etc/hesiod.conf
. This option is used by the Hesiod library to determine the name to search DNS for when looking up information, similar to LDAP's use of a base DN.Note
To look up user information for "jim", the Hesiod library looks up jim.passwd<LHS><RHS>, which should resolve to a TXT record that looks like what his passwd entry would look like (jim:*:501:501:Jungle Jim:/home/jim:/bin/bash
). For groups, the situation is identical, except jim.group<LHS><RHS> would be used.Looking up users and groups by number is handled by making "501.uid" a CNAME for "jim.passwd", and "501.gid" a CNAME for "jim.group". Note that the LHS and RHS do not have periods . put in front of them when the library determines the name for which to search, so the LHS and RHS usually begin with periods. --enablesmbauth
- Enables authentication of users against an SMB server (typically a Samba or Windows server). SMB authentication support does not know about home directories, UIDs, or shells. If you enable SMB, you must make users' accounts known to the workstation by enabling LDAP, NIS, or Hesiod or by using the
/usr/sbin/useradd
command to make their accounts known to the workstation. To use this option, you must have thepam_smb
package installed. --smbservers=
- The name of the server(s) to use for SMB authentication. To specify more than one server, separate the names with commas (,).
--smbworkgroup=
- The name of the workgroup for the SMB servers.
--enablecache
- Enables the
nscd
service. Thenscd
service caches information about users, groups, and various other types of information. Caching is especially helpful if you choose to distribute information about users and groups over your network using NIS, LDAP, or hesiod.
bootloader
(required)- Specifies how the GRUB boot loader should be installed. This option is required for both installations and upgrades. For upgrades, if GRUB is not the current boot loader, the boot loader is changed to GRUB. To preserve other boot loaders, use
bootloader --upgrade
.--append=
- Specifies kernel parameters. To specify multiple parameters, separate them with spaces. For example:
bootloader --location=mbr --append="hdd=ide-scsi ide=nodma"
--driveorder
- Specify which drive is first in the BIOS boot order. For example:
bootloader --driveorder=sda,hda
--location=
- Specifies where the boot record is written. Valid values are the following:
mbr
(the default),partition
(installs the boot loader on the first sector of the partition containing the kernel), ornone
(do not install the boot loader). --password=
- Sets the GRUB boot loader password to the one specified with this option. This should be used to restrict access to the GRUB shell, where arbitrary kernel options can be passed.
--md5pass=
- Similar to
--password=
except the password should already be encrypted. --upgrade
- Upgrade the existing boot loader configuration, preserving the old entries. This option is only available for upgrades.
clearpart
(optional)- Removes partitions from the system, prior to creation of new partitions. By default, no partitions are removed.
Note
If theclearpart
command is used, then the--onpart
command cannot be used on a logical partition.--all
- Erases all partitions from the system.
--drives=
- Specifies which drives to clear partitions from. For example, the following clears all the partitions on the first two drives on the primary IDE controller:
clearpart --drives=hda,hdb --all
--initlabel
- Initializes the disk label to the default for your architecture (for example
msdos
for x86 andgpt
for Itanium). It is useful so that the installation program does not ask if it should initialize the disk label if installing to a brand new hard drive. --linux
- Erases all Linux partitions.
--none
(default)- Do not remove any partitions.
cmdline
(optional)- Perform the installation in a completely non-interactive command line mode. Any prompts for interaction halts the install. This mode is useful on S/390 systems with the x3270 console.
device
(optional)- On most PCI systems, the installation program autoprobes for Ethernet and SCSI cards properly. On older systems and some PCI systems, however, kickstart needs a hint to find the proper devices. The
device
command, which tells the installation program to install extra modules, is in this format:device <type><moduleName> --opts=<options>
- <type>
- Replace with either
scsi
oreth
- <moduleName>
- Replace with the name of the kernel module which should be installed.
--opts=
- Mount options to use for mounting the NFS export. Any options that can be specified in
/etc/fstab
for an NFS mount are allowed. The options are listed in thenfs(5)
man page. Multiple options are separated with a comma.
driverdisk
(optional)- Driver diskettes can be used during kickstart installations. You must copy the driver diskettes's contents to the root directory of a partition on the system's hard drive. Then you must use the
driverdisk
command to tell the installation program where to look for the driver disk.driverdisk <partition> [--type=<fstype>]
Alternatively, a network location can be specified for the driver diskette:driverdisk --source=ftp://path/to/dd.img
driverdisk --source=http://path/to/dd.img
driverdisk --source=nfs:host:/path/to/img
- <partition>
- Partition containing the driver disk.
--type=
- File system type (for example, vfat or ext2).
firewall
(optional)- This option corresponds to the Firewall Configuration screen in the installation program:
firewall --enabled|--disabled [--trust=] <device> [--port=]
--enabled
- Reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
--disabled
- Do not configure any iptables rules.
--trust=
- Listing a device here, such as eth0, allows all traffic coming from that device to go through the firewall. To list more than one device, use
--trust eth0 --trust eth1
. Do NOT use a comma-separated format such as--trust eth0, eth1
. - <incoming>
- Replace with one or more of the following to allow the specified services through the firewall.
--ssh
--telnet
--smtp
--http
--ftp
--port=
- You can specify that ports be allowed through the firewall using the port:protocol format. For example, to allow IMAP access through your firewall, specify
imap:tcp
. Numeric ports can also be specified explicitly; for example, to allow UDP packets on port 1234 through, specify1234:udp
. To specify multiple ports, separate them by commas.
firstboot
(optional)- Determine whether the Setup Agent starts the first time the system is booted. If enabled, the
firstboot
package must be installed. If not specified, this option is disabled by default.--enable
- The Setup Agent is started the first time the system boots.
--disable
- The Setup Agent is not started the first time the system boots.
--reconfig
- Enable the Setup Agent to start at boot time in reconfiguration mode. This mode enables the language, mouse, keyboard, root password, security level, time zone, and networking configuration options in addition to the default ones.
halt
(optional)- Halt the system after the installation has successfully completed. This is similar to a manual installation, where anaconda displays a message and waits for the user to press a key before rebooting. During a kickstart installation, if no completion method is specified, the
reboot
option is used as default.Thehalt
option is roughly equivalent to theshutdown -h
command.For other completion methods, refer to thepoweroff
,reboot
, andshutdown
kickstart options. install
(optional)- Tells the system to install a fresh system rather than upgrade an existing system. This is the default mode. For installation, you must specify the type of installation from
cdrom
,harddrive
,nfs
, orurl
(for FTP or HTTP installations). Theinstall
command and the installation method command must be on separate lines.cdrom
- Install from the first CD-ROM drive on the system.
harddrive
- Install from a Red Hat installation tree on a local drive, which must be either vfat or ext2.
--partition=
Partition to install from (such as, sdb2).--dir=
Directory containing theRedHat
directory of the installation tree.
For example:harddrive --partition=hdb2 --dir=/tmp/install-tree
nfs
- Install from the NFS server specified.
--server=
Server from which to install (hostname or IP).--dir=
Directory containing theRedHat
directory of the installation tree.
For example:nfs --server=nfsserver.example.com --dir=/tmp/install-tree
url
- Install from an installation tree on a remote server via FTP or HTTP.For example:
url --url http://<server>/<dir>
or:url --url ftp://<username>:<password>@<server>/<dir>
interactive
(optional)- Uses the information provided in the kickstart file during the installation, but allow for inspection and modification of the values given. You are presented with each screen of the installation program with the values from the kickstart file. Either accept the values by clickingor change the values and click to continue. Refer to the
autostep
command. keyboard
(required)- Sets system keyboard type. Here is the list of available keyboards on i386, Itanium, and Alpha machines:
be-latin1, bg, br-abnt2, cf, cz-lat2, cz-us-qwertz, de, de-latin1, de-latin1-nodeadkeys, dk, dk-latin1, dvorak, es, et, fi, fi-latin1, fr, fr-latin0, fr-latin1, fr-pc, fr_CH, fr_CH-latin1, gr, hu, hu101, is-latin1, it, it-ibm, it2, jp106, la-latin1, mk-utf, no, no-latin1, pl, pt-latin1, ro_win, ru, ru-cp1251, ru-ms, ru1, ru2, ru_win, sg, sg-latin1, sk-qwerty, slovene, speakup, speakup-lt, sv-latin1, sg, sg-latin1, sk-querty, slovene, trq, ua, uk, us, us-acentos
The file/usr/lib/python2.2/site-packages/rhpl/keyboard_models.py
also contains this list and is part of therhpl
package. lang
(required)- Sets the language to use during installation. For example, to set the language to English, the kickstart file should contain the following line:
lang en_US
The file/usr/share/system-config-language/locale-list
provides a list of the valid language codes in the first column of each line and is part of thesystem-config-language
package. langsupport
(required)- Sets the language(s) to install on the system. The same language codes used with
lang
can be used withlangsupport
.To install one language, specify it. For example, to install and use the French languagefr_FR
:langsupport fr_FR
--default=
- If language support for more than one language is specified, a default must be identified.
For example, to install English and French and use English as the default language:langsupport --default=en_US fr_FR
If you use--default
with only one language, all languages are installed with the specified language set to the default. logvol
(optional)- Create a logical volume for Logical Volume Management (LVM) with the syntax:
logvol <mntpoint> --vgname=<name> --size=<size> --name=<name><options>
The options are as follows:- --noformat
- Use an existing logical volume and do not format it.
- --useexisting
- Use an existing logical volume and reformat it.
- --pesize
- Set the size of the physical extents.
Create the partition first, create the logical volume group, and then create the logical volume. For example:part pv.01 --size 3000 volgroup myvg pv.01 logvol / --vgname=myvg --size=2000 --name=rootvol
For a detailed example oflogvol
in action, refer to Section 1.4.1, “Advanced Partitioning Example”. mouse
(required)- Configures the mouse for the system, both in GUI and text modes. Options are:
--device=
- Device the mouse is on (such as
--device=ttyS0
). --emulthree
- If present, simultaneous clicks on the left and right mouse buttons are recognized as the middle mouse button by the X Window System. This option should be used if you have a two button mouse.
After options, the mouse type may be specified as one of the following:alpsps/2, ascii, asciips/2, atibm, generic, generic3, genericps/2, generic3ps/2, genericwheelps/2, genericusb, generic3usb, genericwheelusb, geniusnm, geniusnmps/2, geniusprops/2, geniusscrollps/2, geniusscrollps/2+, thinking, thinkingps/2, logitech, logitechcc, logibm, logimman, logimmanps/2, logimman+, logimman+ps/2, logimmusb, microsoft, msnew, msintelli, msintellips/2, msintelliusb, msbm, mousesystems, mmseries, mmhittab, sun, none
This list can also be found in the/usr/lib/python2.2/site-packages/rhpl/mouse.py
file, which is part of therhpl
package.If the mouse command is given without any arguments, or it is omitted, the installation program attempts to automatically detect the mouse. This procedure works for most modern mice. network
(optional)- Configures network information for the system. If the kickstart installation does not require networking (in other words, it is not installed over NFS, HTTP, or FTP), networking is not configured for the system. If the installation does require networking and network information is not provided in the kickstart file, the installation program assumes that the installation should be done over eth0 via a dynamic IP address (BOOTP/DHCP), and configures the final, installed system to determine its IP address dynamically. The
network
option configures networking information for kickstart installations via a network as well as for the installed system.--bootproto=
- One of
dhcp
,bootp
, orstatic
.It defaults todhcp
.bootp
anddhcp
are treated the same.The DHCP method uses a DHCP server system to obtain its networking configuration. As you might guess, the BOOTP method is similar, requiring a BOOTP server to supply the networking configuration. To direct a system to use DHCP:network --bootproto=dhcp
To direct a machine to use BOOTP to obtain its networking configuration, use the following line in the kickstart file:network --bootproto=bootp
The static method requires that you enter all the required networking information in the kickstart file. As the name implies, this information is static and are used during and after the installation. The line for static networking is more complex, as you must include all network configuration information on one line. You must specify the IP address, netmask, gateway, and nameserver. For example: (the "\" indicates that this should be read as one continuous line):network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 \ --gateway=10.0.2.254 --nameserver=10.0.2.1
If you use the static method, be aware of the following two restrictions:- All static networking configuration information must be specified on one line; you cannot wrap lines using a backslash, for example.
- You can also configure multiple nameservers here. To do so, specify them as a comma-delimited list in the command line. For example:
network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 \ --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
--device=
- Used to select a specific Ethernet device for installation. Note that using
--device=
is not effective unless the kickstart file is a local file (such asks=floppy
), since the installation program configures the network to find the kickstart file. For example:network --bootproto=dhcp --device=eth0
--ip=
- IP address for the machine to be installed.
--gateway=
- Default gateway as an IP address.
--nameserver=
- Primary nameserver, as an IP address.
--nodns
- Do not configure any DNS server.
--netmask=
- Netmask for the installed system.
--hostname=
- Hostname for the installed system.
--nostorage
- Do not auto-probe storage devices such as ISCI, IDE or RAID.
part
orpartition
(required for installs, ignored for upgrades)- Creates a partition on the system.If more than one Red Hat Enterprise Linux installation exists on the system on different partitions, the installation program prompts the user and asks which installation to upgrade.
Warning
All partitions created are formatted as part of the installation process unless--noformat
and--onpart
are used.For a detailed example ofpart
in action, refer to Section 1.4.1, “Advanced Partitioning Example”.- <mntpoint>
- The <mntpoint> is where the partition is mounted and must be of one of the following forms:
/<path>
For example,/
,/usr
,/home
swap
The partition is used as swap space.To determine the size of the swap partition automatically, use the--recommended
option:swap --recommended
The minimum size of the automatically-generated swap partition is no smaller than the amount of RAM in the system and no larger than twice the amount of RAM in the system.Using therecommended
option yields a limitation of 8GB for the swap partition. If you want to create a larger swap partition, specify the correct size in the kickstart file or create the partitions manually.raid.<id>
The partition is used for software RAID (refer toraid
).pv.<id>
The partition is used for LVM (refer tologvol
).
--size=
- The minimum partition size in megabytes. Specify an integer value here such as 500. Do not append the number with MB.
--grow
- Tells the partition to grow to fill available space (if any), or up to the maximum size setting.
--maxsize=
- The maximum partition size in megabytes when the partition is set to grow. Specify an integer value here, and do not append the number with MB.
--noformat
- Tells the installation program not to format the partition, for use with the
--onpart
command. --onpart=
or--usepart=
- Put the partition on the already existing device. For example:
partition /home --onpart=hda1
puts/home
on/dev/hda1
, which must already exist. --ondisk=
or--ondrive=
- Forces the partition to be created on a particular disk. For example,
--ondisk=sdb
puts the partition on the second SCSI disk on the system. --asprimary
- Forces automatic allocation of the partition as a primary partition, or the partitioning fails.
--type=
(replaced byfstype
)- This option is no longer available. Use
fstype
. --fstype=
- Sets the file system type for the partition. Valid values are
ext2
,ext3
,swap
, andvfat
. --start=
- Specifies the starting cylinder for the partition. It requires that a drive be specified with
--ondisk=
orondrive=
. It also requires that the ending cylinder be specified with--end=
or the partition size be specified with--size=
. --end=
- Specifies the ending cylinder for the partition. It requires that the starting cylinder be specified with
--start=
.
Note
If partitioning fails for any reason, diagnostic messages appear on virtual console 3. poweroff
(optional)- Shut down and power off the system after the installation has successfully completed. Normally during a manual installation, anaconda displays a message and waits for the user to press a key before rebooting. During a kickstart installation, if no completion method is specified, the
reboot
option is used as default.Thepoweroff
option is roughly equivalent to theshutdown -p
command.Note
Thepoweroff
option is highly dependent on the system hardware in use. Specifically, certain hardware components such as the BIOS, APM (advanced power management), and ACPI (advanced configuration and power interface) must be able to interact with the system kernel. Contact your manufacturer for more information on you system's APM/ACPI abilities.For other completion methods, refer to thehalt
,reboot
, andshutdown
kickstart options. raid
(optional)- Assembles a software RAID device. This command is of the form:
raid <mntpoint> --level=<level> --device=<mddevice><partitions*>
- <mntpoint>
- Location where the RAID file system is mounted. If it is
/
, the RAID level must be 1 unless a boot partition (/boot
) is present. If a boot partition is present, the/boot
partition must be level 1 and the root (/
) partition can be any of the available types. The <partitions*> (which denotes that multiple partitions can be listed) lists the RAID identifiers to add to the RAID array. --level=
- RAID level to use (0, 1, or 5).
--device=
- Name of the RAID device to use (such as md0 or md1). RAID devices range from md0 to md7, and each may only be used once.
--spares=
- Specifies the number of spare drives allocated for the RAID array. Spare drives are used to rebuild the array in case of drive failure.
--fstype=
- Sets the file system type for the RAID array. Valid values are ext2, ext3, swap, and vfat.
--noformat
- Use an existing RAID device and do not format the RAID array.
--useexisting
- Use an existing RAID device and reformat it.
The following example shows how to create a RAID level 1 partition for/
, and a RAID level 5 for/usr
, assuming there are three SCSI disks on the system. It also creates three swap partitions, one on each drive.part raid.01 --size=60 --ondisk=sda part raid.02 --size=60 --ondisk=sdb part raid.03 --size=60 --ondisk=sdc
part swap --size=128 --ondisk=sda part swap --size=128 --ondisk=sdb part swap --size=128 --ondisk=sdc
part raid.11 --size=1 --grow --ondisk=sda part raid.12 --size=1 --grow --ondisk=sdb part raid.13 --size=1 --grow --ondisk=sdc
raid / --level=1 --device=md0 raid.01 raid.02 raid.03 raid /usr --level=5 --device=md1 raid.11 raid.12 raid.13
For a detailed example ofraid
in action, refer to Section 1.4.1, “Advanced Partitioning Example”. reboot
(optional)- Reboot after the installation is successfully completed (no arguments). Normally during a manual installation, anaconda displays a message and waits for the user to press a key before rebooting.The
reboot
option is roughly equivalent to theshutdown -r
command.Note
Use of thereboot
option may result in an endless installation loop, depending on the installation media and method.Thereboot
option is the default completion method if no other methods are explicitly specified in the kickstart file.For other completion methods, refer to thehalt
,poweroff
, andshutdown
kickstart options. rootpw
(required)- Sets the system's root password to the <password> argument.
rootpw [--iscrypted] <password>
--iscrypted
- If this is present, the password argument is assumed to already be encrypted.
selinux
(optional)- Sets the system's SELinux mode to one of the following arguments:
--enforcing
- Enables SELinux with the default targeted policy being enforced.
Note
If theselinux
option is not present in the kickstart file, SELinux is enabled and set to--enforcing
by default. --permissive
- Outputs warnings only based on the SELinux policy, but does not actually enforce the policy.
--disabled
- Disables SELinux completely on the system.
For complete information regarding SELinux for Red Hat Enterprise Linux, refer to the Red Hat, Inc. shutdown
(optional)- Shut down the system after the installation has successfully completed. During a kickstart installation, if no completion method is specified, the
reboot
option is used as default.Theshutdown
option is roughly equivalent to theshutdown
command.For other completion methods, refer to thehalt
,poweroff
, andreboot
kickstart options. skipx
(optional)- If present, X is not configured on the installed system.
text
(optional)- Perform the kickstart installation in text mode. Kickstart installations are performed in graphical mode by default.
timezone
(required)- Sets the system time zone to <timezone> which may be any of the time zones listed by
timeconfig
.timezone [--utc] <timezone>
--utc
- If present, the system assumes the hardware clock is set to UTC (Greenwich Mean) time.
upgrade
(optional)- Tells the system to upgrade an existing system rather than install a fresh system. You must specify one of
cdrom
,harddrive
,nfs
, orurl
(for FTP and HTTP) as the location of the installation tree. Refer toinstall
for details. xconfig
(optional)- Configures the X Window System. If this option is not given, the user must configure X manually during the installation, if X was installed; this option should not be used if X is not installed on the final system.
--noprobe
- Do not probe the monitor.
--card=
- Use specified card; this card name should be from the list of cards in
/usr/share/hwdata/Cards
from thehwdata
package. The list of cards can also be found on the X Configuration screen of the Kickstart Configurator. If this argument is not provided, the installation program probes the PCI bus for the card. Since AGP is part of the PCI bus, AGP cards are detected if supported. The probe order is determined by the PCI scan order of the motherboard. --videoram=
- Specifies the amount of video RAM the video card has.
--monitor=
- Use specified monitor; monitor name should be from the list of monitors in
/usr/share/hwdata/MonitorsDB
from thehwdata
package. The list of monitors can also be found on the X Configuration screen of the Kickstart Configurator. This is ignored if--hsync
or--vsync
is provided. If no monitor information is provided, the installation program tries to probe for it automatically. --hsync=
- Specifies the horizontal sync frequency of the monitor.
--vsync=
- Specifies the vertical sync frequency of the monitor.
--defaultdesktop=
- Specify either GNOME or KDE to set the default desktop (assumes that GNOME Desktop Environment and/or KDE Desktop Environment has been installed through
%packages
). --startxonboot
- Use a graphical login on the installed system.
--resolution=
- Specify the default resolution for the X Window System on the installed system. Valid values are 640x480, 800x600, 1024x768, 1152x864, 1280x1024, 1400x1050, 1600x1200. Be sure to specify a resolution that is compatible with the video card and monitor.
--depth=
- Specify the default color depth for the X Window System on the installed system. Valid values are 8, 16, 24, and 32. Be sure to specify a color depth that is compatible with the video card and monitor.
volgroup
(optional)- Use to create a Logical Volume Management (LVM) group with the syntax:
volgroup <name><partition><options>
The options are as follows:- --noformat
- Use an existing volume group and do not format it.
- --useexisting
- Use an existing volume group and reformat it.
Create the partition first, create the logical volume group, and then create the logical volume. For example:part pv.01 --size 3000 volgroup myvg pv.01 logvol / --vgname=myvg --size=2000 --name=rootvol
For a detailed example ofvolgroup
in action, refer to Section 1.4.1, “Advanced Partitioning Example”. zerombr
(optional)- If
zerombr
is specified, andyes
is its sole argument, any invalid partition tables found on disks are initialized. This destroys all of the contents of disks with invalid partition tables. This command should be in the following format:zerombr yes
No other format is effective. %include
- Use the
%include /path/to/file
command to include the contents of another file in the kickstart file as though the contents were at the location of the%include
command in the kickstart file.
1.4.1. Advanced Partitioning Example
clearpart
, raid
, part
, volgroup
, and logvol
kickstart options in action:
clearpart --drives=hda,hdc --initlabel # Raid 1 IDE config part raid.11 --size 1000 --asprimary --ondrive=hda part raid.12 --size 1000 --asprimary --ondrive=hda part raid.13 --size 2000 --asprimary --ondrive=hda part raid.14 --size 8000 --ondrive=hda part raid.15 --size 1 --grow --ondrive=hda part raid.21 --size 1000 --asprimary --ondrive=hdc part raid.22 --size 1000 --asprimary --ondrive=hdc part raid.23 --size 2000 --asprimary --ondrive=hdc part raid.24 --size 8000 --ondrive=hdc part raid.25 --size 1 --grow --ondrive=hdc # You can add --spares=x raid / --fstype ext3 --device md0 --level=RAID1 raid.11 raid.21 raid /safe --fstype ext3 --device md1 --level=RAID1 raid.12 raid.22 raid swap --fstype swap --device md2 --level=RAID1 raid.13 raid.23 raid /usr --fstype ext3 --device md3 --level=RAID1 raid.14 raid.24 raid pv.01 --fstype ext3 --device md4 --level=RAID1 raid.15 raid.25 # LVM configuration so that we can resize /var and /usr/local later volgroup sysvg pv.01 logvol /var --vgname=sysvg --size=8000 --name=var logvol /var/freespace --vgname=sysvg --size=8000 --name=freespacetouse logvol /usr/local --vgname=sysvg --size=1 --grow --name=usrlocal
1.5. Package Selection
%packages
command to begin a kickstart file section that lists the packages you would like to install (this is for installations only, as package selection during upgrades is not supported).
RedHat/base/comps.xml
file on the first Red Hat Enterprise Linux CD-ROM for a list of groups. Each group has an id, user visibility value, name, description, and package list. In the package list, the packages marked as mandatory are always installed if the group is selected, the packages marked default are selected by default if the group is selected, and the packages marked optional must be specifically selected even if the group is selected to be installed.
Core
and Base
groups are always selected by default, so it is not necessary to specify them in the %packages
section.
%packages
selection:
%packages @ X Window System @ GNOME Desktop Environment @ Graphical Internet @ Sound and Video dhcp
@
symbol, a space, and then the full group name as given in the comps.xml
file. Groups can also be specified using the id for the group, such as gnome-desktop
. Specify individual packages with no additional characters (the dhcp
line in the example above is an individual package).
-autofs
%packages
option:
--resolvedeps
- Install the listed packages and automatically resolve package dependencies. If this option is not specified and there are package dependencies, the automated installation pauses and prompts the user. For example:
%packages --resolvedeps
--ignoredeps
- Ignore the unresolved dependencies and install the listed packages without the dependencies. For example:
%packages --ignoredeps
--ignoremissing
- Ignore the missing packages and groups instead of halting the installation to ask if the installation should be aborted or continued. For example:
%packages --ignoremissing
1.6. Pre-installation Script
ks.cfg
has been parsed. This section must be at the end of the kickstart file (after the commands) and must start with the %pre
command. You can access the network in the %pre
section; however, name service has not been configured at this point, so only IP addresses work.
Note
--interpreter /usr/bin/python
- Allows you to specify a different scripting language, such as Python. Replace /usr/bin/python with the scripting language of your choice.
1.6.1. Example
%pre
section:
%pre #!/bin/sh hds="" mymedia="" for file in /proc/ide/h* do mymedia=`cat $file/media` if [ $mymedia == "disk" ] ; then hds="$hds `basename $file`" fi done set $hds numhd=`echo $#` drive1=`echo $hds | cut -d' ' -f1` drive2=`echo $hds | cut -d' ' -f2` #Write out partition scheme based on whether there are 1 or 2 hard drives if [ $numhd == "2" ] ; then #2 drives echo "#partitioning scheme generated in %pre for 2 drives" > /tmp/part-include echo "clearpart --all" >> /tmp/part-include echo "part /boot --fstype ext3 --size 75 --ondisk hda" >> /tmp/part-include echo "part / --fstype ext3 --size 1 --grow --ondisk hda" >> /tmp/part-include echo "part swap --recommended --ondisk $drive1" >> /tmp/part-include echo "part /home --fstype ext3 --size 1 --grow --ondisk hdb" >> /tmp/part-include else #1 drive echo "#partitioning scheme generated in %pre for 1 drive" > /tmp/part-include echo "clearpart --all" >> /tmp/part-include echo "part /boot --fstype ext3 --size 75" >> /tmp/part-includ echo "part swap --recommended" >> /tmp/part-include echo "part / --fstype ext3 --size 2048" >> /tmp/part-include echo "part /home --fstype ext3 --size 2048 --grow" >> /tmp/part-include fi
%include /tmp/part-include
Note
1.7. Post-installation Script
%post
command. This section is useful for functions such as installing additional software and configuring an additional nameserver.
Note
%post
section. If you configured the network for DHCP, the /etc/resolv.conf
file has not been completed when the installation executes the %post
section. You can access the network, but you can not resolve IP addresses. Thus, if you are using DHCP, you must specify IP addresses in the %post
section.
Note
--nochroot
- Allows you to specify commands that you would like to run outside of the chroot environment.The following example copies the file
/etc/resolv.conf
to the file system that was just installed.%post --nochroot cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
--interpreter /usr/bin/python
- Allows you to specify a different scripting language, such as Python. Replace /usr/bin/python with the scripting language of your choice.
1.7.1. Examples
/sbin/chkconfig --level 345 telnet off /sbin/chkconfig --level 345 finger off /sbin/chkconfig --level 345 lpd off /sbin/chkconfig --level 345 httpd on
runme
from an NFS share:
mkdir /mnt/temp mount -o nolock 10.10.0.2:/usr/new-machines /mnt/temp open -s -w -- /mnt/temp/runme umount /mnt/temp
Note
-o nolock
is required when mounting an NFS mount.
/usr/sbin/useradd bob /usr/bin/chfn -f "Bob Smith" bob /usr/sbin/usermod -p 'kjdf$04930FTH/ ' bob
1.8. Making the Kickstart File Available
- On a boot diskette
- On a boot CD-ROM
- On a network
1.8.1. Creating Kickstart Boot Media
ks.cfg
.
ks.cfg
and must be located in the boot CD-ROM's top-level directory. Since a CD-ROM is read-only, the file must be added to the directory used to create the image that is written to the CD-ROM. Refer to the Installation Guide for instructions on creating boot media; however, before making the file.iso
image file, copy the ks.cfg
kickstart file to the isolinux/
directory.
ks.cfg
and must be located in the flash memory's top-level directory. Create the boot image first, and then copy the ks.cfg
file.
/dev/sda
) using the dd
command:
dd if=diskboot.img of=/dev/sda bs=1M
Note
1.8.2. Making the Kickstart File Available on the Network
dhcpd.conf
file for the DHCP server:
filename
"/usr/new-machine/kickstart/";
next-server blarg.redhat.com;
filename
with the name of the kickstart file (or the directory in which the kickstart file resides) and the value after next-server
with the NFS server name.
<ip-addr>-kickstart
<ip-addr>
section of the file name should be replaced with the client's IP address in dotted decimal notation. For example, the file name for a computer with an IP address of 10.10.0.1 would be 10.10.0.1-kickstart
.
/kickstart
from the BOOTP/DHCP server and tries to find the kickstart file using the same <ip-addr>-kickstart
file name as described above.
1.9. Making the Installation Tree Available
1.10. Starting a Kickstart Installation
ks
command line argument is passed to the kernel.
- CD-ROM #1 and Diskette
- The
linux ks=floppy
command also works if theks.cfg
file is located on a vfat or ext2 file system on a diskette and you boot from the Red Hat Enterprise Linux CD-ROM #1.An alternate boot command is to boot off the Red Hat Enterprise Linux CD-ROM #1 and have the kickstart file on a vfat or ext2 file system on a diskette. To do so, enter the following command at theboot:
prompt:linux ks=hd:fd0:/ks.cfg
- With Driver Disk
- If you need to use a driver disk with kickstart, specify the
dd
option as well. For example, to boot off a boot diskette and use a driver disk, enter the following command at theboot:
prompt:linux ks=floppy dd
- Boot CD-ROM
- If the kickstart file is on a boot CD-ROM as described in Section 1.8.1, “Creating Kickstart Boot Media”, insert the CD-ROM into the system, boot the system, and enter the following command at the
boot:
prompt (whereks.cfg
is the name of the kickstart file):linux ks=cdrom:/ks.cfg
ks=nfs:<server>:/<path>
- The installation program looks for the kickstart file on the NFS server <server>, as file <path>. The installation program uses DHCP to configure the Ethernet card. For example, if your NFS server is server.example.com and the kickstart file is in the NFS share
/mydir/ks.cfg
, the correct boot command would beks=nfs:server.example.com:/mydir/ks.cfg
. ks=http://<server>/<path>
- The installation program looks for the kickstart file on the HTTP server <server>, as file <path>. The installation program uses DHCP to configure the Ethernet card. For example, if your HTTP server is server.example.com and the kickstart file is in the HTTP directory
/mydir/ks.cfg
, the correct boot command would beks=http://server.example.com/mydir/ks.cfg
. ks=floppy
- The installation program looks for the file
ks.cfg
on a vfat or ext2 file system on the diskette in/dev/fd0
. ks=floppy:/<path>
- The installation program looks for the kickstart file on the diskette in
/dev/fd0
, as file <path>. ks=hd:<device>:/<file>
- The installation program mounts the file system on <device> (which must be vfat or ext2), and look for the kickstart configuration file as <file> in that file system (for example,
ks=hd:sda3:/mydir/ks.cfg
). ks=file:/<file>
- The installation program tries to read the file <file> from the file system; no mounts are done. This is normally used if the kickstart file is already on the
initrd
image. ks=cdrom:/<path>
- The installation program looks for the kickstart file on CD-ROM, as file <path>.
ks
- If
ks
is used alone, the installation program configures the Ethernet card to use DHCP. The kickstart file is read from the "bootServer" from the DHCP response as if it is an NFS server sharing the kickstart file. By default, the bootServer is the same as the DHCP server. The name of the kickstart file is one of the following:- If DHCP is specified and the boot file begins with a
/
, the boot file provided by DHCP is looked for on the NFS server. - If DHCP is specified and the boot file begins with something other then a
/
, the boot file provided by DHCP is looked for in the/kickstart
directory on the NFS server. - If DHCP did not specify a boot file, then the installation program tries to read the file
/kickstart/1.2.3.4-kickstart
, where 1.2.3.4 is the numeric IP address of the machine being installed.
ksdevice=<device>
- The installation program uses this network device to connect to the network. For example, to start a kickstart installation with the kickstart file on an NFS server that is connected to the system through the eth1 device, use the command
ks=nfs:<server>:/<path> ksdevice=eth1
at theboot:
prompt.
Chapter 2. Kickstart Configurator
/usr/sbin/system-config-kickstart
.
2.1. Basic Configuration
Figure 2.1. Basic Configuration
system-config-language
) after installation.
2.2. Installation Method
Figure 2.2. Installation Method
- CD-ROM — Choose this option to install or upgrade from the Red Hat Enterprise Linux CD-ROMs.
- NFS — Choose this option to install or upgrade from an NFS shared directory. In the text field for the the NFS server, enter a fully-qualified domain name or IP address. For the NFS directory, enter the name of the NFS directory that contains the
RedHat
directory of the installation tree. For example, if the NFS server contains the directory/mirrors/redhat/i386/RedHat/
, enter/mirrors/redhat/i386/
for the NFS directory. - FTP — Choose this option to install or upgrade from an FTP server. In the FTP server text field, enter a fully-qualified domain name or IP address. For the FTP directory, enter the name of the FTP directory that contains the
RedHat
directory. For example, if the FTP server contains the directory/mirrors/redhat/i386/RedHat/
, enter/mirrors/redhat/i386/
for the FTP directory. If the FTP server requires a username and password, specify them as well. - HTTP — Choose this option to install or upgrade from an HTTP server. In the text field for the HTTP server, enter the fully-qualified domain name or IP address. For the HTTP directory, enter the name of the HTTP directory that contains the
RedHat
directory. For example, if the HTTP server contains the directory/mirrors/redhat/i386/RedHat/
, enter/mirrors/redhat/i386/
for the HTTP directory. - Hard Drive — Choose this option to install or upgrade from a hard drive. Hard drive installations require the use of ISO (or CD-ROM) images. Be sure to verify that the ISO images are intact before you start the installation. To verify them, use an
md5sum
program as well as thelinux mediacheck
boot option as discussed in the Installation Guide. Enter the hard drive partition that contains the ISO images (for example,/dev/hda1
) in the Hard Drive Partition text box. Enter the directory that contains the ISO images in the Hard Drive Directory text box.
2.3. Boot Loader Options
/boot
partition). Install the boot loader on the MBR if you plan to use it as your boot loader.
cdrecord
by configuring hdd=ide-scsi
as a kernel parameter (where hdd
is the CD-ROM device).
2.4. Partition Information
Figure 2.4. Partition Information
msdos
for x86 and gpt
for Itanium), select Initialize the disk label if you are installing on a brand new hard drive.
2.4.1. Creating Partitions
- In the Additional Size Options section, choose to make the partition a fixed size, up to a chosen size, or fill the remaining space on the hard drive. If you selected swap as the file system type, you can select to have the installation program create the swap partition with the recommended size instead of specifying a size.
- Force the partition to be created as a primary partition.
- Create the partition on a specific hard drive. For example, to make the partition on the first IDE hard disk (
/dev/hda
), specifyhda
as the drive. Do not include/dev
in the drive name. - Use an existing partition. For example, to make the partition on the first partition on the first IDE hard disk (
/dev/hda1
), specifyhda1
as the partition. Do not include/dev
in the partition name. - Format the partition as the chosen file system type.
Figure 2.5. Creating Partitions
2.4.1.1. Creating Software RAID Partitions
- Click thebutton.
- Select Create a software RAID partition.
- Configure the partitions as previously described, except select Software RAID as the file system type. Also, you must specify a hard drive on which to make the partition or specify an existing partition to use.
Figure 2.6. Creating a Software RAID Partition
- Click thebutton.
- Select Create a RAID device.
- Select a mount point, file system type, RAID device name, RAID level, RAID members, number of spares for the software RAID device, and whether to format the RAID device.
Figure 2.7. Creating a Software RAID Device
- Clickto add the device to the list.
2.5. Network Configuration
Figure 2.8. Network Configuration
system-config-network
). Refer to Chapter 17, Network Configuration for details.
2.6. Authentication
Figure 2.9. Authentication
- NIS
- LDAP
- Kerberos 5
- Hesiod
- SMB
- Name Switch Cache
2.7. Firewall Configuration
Figure 2.10. Firewall Configuration
port:protocol
. For example, to allow IMAP access through the firewall, specify imap:tcp
. Specify numeric ports can also be specified; to allow UDP packets on port 1234 through the firewall, enter 1234:udp
. To specify multiple ports, separate them with commas.
2.8. Display Configuration
skipx
option is written to the kickstart file.
2.8.1. General
Figure 2.11. X Configuration - General
/etc/inittab
configuration file.
2.8.2. Video Card
Figure 2.12. X Configuration - Video Card
2.8.3. Monitor
Figure 2.13. X Configuration - Monitor
2.9. Package Selection
Figure 2.14. Package Selection
%packages
section of the kickstart file after you save it. Refer to Section 1.5, “Package Selection” for details.
2.10. Pre-Installation Script
Figure 2.15. Pre-Installation Script
/usr/bin/python2.2
can be specified for a Python script. This option corresponds to using %pre --interpreter /usr/bin/python2.2
in your kickstart file.
Warning
%pre
command. It is added for you.
2.11. Post-Installation Script
Figure 2.16. Post-Installation Script
Warning
%post
command. It is added for you.
%post
section:
echo "Hackers will be punished!" > /etc/motd
Note
2.11.1. Chroot Environment
--nochroot
option in the %post
section.
/mnt/sysimage/
.
echo "Hackers will be punished!" > /mnt/sysimage/etc/motd
2.11.2. Use an Interpreter
/usr/bin/python2.2
can be specified for a Python script. This option corresponds to using %post --interpreter /usr/bin/python2.2
in your kickstart file.
2.12. Saving the File
Figure 2.17. Preview
Chapter 3. PXE Network Installations
askmethod
boot option with the Red Hat Enterprise Linux CD #1. Alternatively, if the system to be installed contains a network interface card (NIC) with Pre-Execution Environment (PXE) support, it can be configured to boot from files on another networked system rather than local media such as a CD-ROM.
tftp
server (which provides the files necessary to start the installation program), and the location of the files on the tftp
server. This is possible because of PXELINUX, which is part of the syslinux
package.
- Configure the network (NFS, FTP, HTTP) server to export the installation tree.
- Configure the files on the
tftp
server necessary for PXE booting. - Configure which hosts are allowed to boot from the PXE configuration.
- Start the
tftp
service. - Configure DHCP.
- Boot the client, and start the installation.
3.1. Setting up the Network Server
3.2. PXE Boot Configuration
tftp
server so they can be found when the client requests them. The tftp
server is usually the same server as the network server exporting the installation tree.
system-config-netboot
RPM package installed. To start the Network Booting Tool from the desktop, go to (the main menu on the
panel) => => => . Or, type the command system-config-netboot
at a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 3.1. Network Installation Setup
- Operating system identifier — Provide a unique name using one word to identify the Red Hat Enterprise Linux version and variant. It is used as the directory name in the
/tftpboot/linux-install/
directory. - Description — Provide a brief description of the Red Hat Enterprise Linux version and variant.
- Selects protocol for installation — Selects NFS, FTP, or HTTP as the network installation type depending on which one was configured previously. If FTP is selected and anonymous FTP is not being used, uncheck Anonymous FTP and provide a valid username and password combination.
- Kickstart — Specify the location of the kickstart file. The file can be a URL or a file stored locally (diskette). The kickstart file can be created with the Kickstart Configurator. Refer to Chapter 2, Kickstart Configurator for details.
- Server — Provide the IP address or domain name of the NFS, FTP, or HTTP server.
- Location — Provide the directory shared by the network server. If FTP or HTTP was selected, the directory must be relative to the default directory for the FTP server or the document root for the HTTP server. For all network installations, the directory provided must contain the
RedHat/
directory of the installation tree.
initrd.img
and vmlinuz
files necessary to boot the installation program are transfered from images/pxeboot/
in the provided installation tree to /tftpboot/linux-install/<os-identifier>/
on the tftp
server (the one you are running the Network Booting Tool on).
3.2.1. Command Line Configuration
pxeos
command line utility, which is part of the system-config-netboot
package, can be used to configure the tftp
server files :
pxeos -a -i "<description>" -p <NFS|HTTP|FTP> -D 0 -s client.example.com \ -L <net-location> -k <kernel> -K <kickstart><os-identifer>
-a
— Specifies that an OS instance is being added to the PXE configuration.-i
"<description>" — Replace "<description>" with a description of the OS instance. This corresponds to the Description field in Figure 3.1, “Network Installation Setup”.-p
<NFS|HTTP|FTP> — Specify which of the NFS, FTP, or HTTP protocols to use for installation. Only one may be specified. This corresponds to the Select protocol for installation menu in Figure 3.1, “Network Installation Setup”.-D
<0|1> — Specify "0
" which indicates that it is not a diskless configuration sincepxeos
can be used to configure a diskless environment as well.-s
client.example.com — Provide the name of the NFS, FTP, or HTTP server after the-s
option. This corresponds to the Server field in Figure 3.1, “Network Installation Setup”.-L
<net-location> — Provide the location of the installation tree on that server after the-L
option. This corresponds to the Location field in Figure 3.1, “Network Installation Setup”.-k
<kernel> — Provide the specific kernel version of the server installation tree for booting.-K
<kickstart> — Provide the location of the kickstart file, if available.- <os-identifer> — Specify the OS identifier, which is used as the directory name in the
/tftpboot/linux-install/
directory. This corresponds to the Operating system identifier field in Figure 3.1, “Network Installation Setup”.
-A 0 -u <username> -p <password>
pxeos
command, refer to the pxeos
man page.
3.3. Adding PXE Hosts
Figure 3.2. Add Hosts
Figure 3.3. Add a Host
- Hostname or IP Address/Subnet — The IP address, fully qualified hostname, or a subnet of systems that should be allowed to connect to the PXE server for installations.
- Operating System — The operating system identifier to install on this client. The list is populated from the network install instances created from the Network Installation Dialog.
- Serial Console — This option allows use of a serial console.
- Kickstart File — The location of a kickstart file to use, such as
http://server.example.com/kickstart/ks.cfg
. This file can be created with the Kickstart Configurator. Refer to Chapter 2, Kickstart Configurator for details.
3.3.1. Command Line Configuration
pxeboot
utility, a part of the system-config-netboot
package, can be used to add hosts which are allowed to connect to the PXE server:
pxeboot -a -K <kickstart> -O <os-identifier> -r <value><host>
-a
— Specifies that a host is to be added.-K
<kickstart> — The location of the kickstart file, if available.-O
<os-identifier> — Specifies the operating system identifier as defined in Section 3.2, “PXE Boot Configuration”.-r
<value> — Specifies the ram disk size.- <host> — Specifies the IP address or hostname of the host to add.
pxeboot
command, refer to the pxeboot
man page.
Chapter 4. Diskless Environments
- Install Red Hat Enterprise Linux on a system so that the files can be copied to the NFS server. (Refer to the Installation Guide for details.) Any software to be used on the clients must be installed on this system and the
busybox-anaconda
package must be installed. - Create a directory on the NFS server to contain the diskless environment such as
/diskless/i386/RHEL4-AS/
. For example:mkdir -p /diskless/i386/RHEL4-AS/
This directory is referred to as thediskless directory
. - Create a subdirectory of this directory named
root/
:mkdir -p /diskless/i386/RHEL4-AS/root/
- Copy Red Hat Enterprise Linux from the client system to the server using
rsync
. For example:rsync -a -e ssh installed-system.example.com:/ /diskless/i386/RHEL4-AS/root/
The length of this operation depends on the network connection speed as well as the size of the file system on the installed system. Depending on these factors, this operation may take a while. - Start the
tftp
server - Configure the DHCP server
- Finish creating the diskless environment as discussed in Section 4.2, “Finish Configuring the Diskless Environment”.
- Configure the diskless clients as discussed in Section 4.3, “Adding Hosts”.
- Configure each diskless client to boot via PXE and boot them.
4.1. Configuring the NFS Server
root/
and snapshot/
directories by adding them to /etc/exports
. For example:
/diskless/i386/RHEL4-AS/root/ *(ro,sync,no_root_squash) /diskless/i386/RHEL4-AS/snapshot/ *(rw,sync,no_root_squash)
*
with one of the hostname formats discussed in Section 21.3.2, “Hostname Formats”. Make the hostname declaration as specific as possible, so unwanted systems can not access the NFS mount.
service nfs start
service nfs reload
4.2. Finish Configuring the Diskless Environment
system-config-netboot
RPM package installed. To start the Network Booting Tool from the desktop, go to (the main menu on the
panel) => => => . Or, type the command system-config-netboot
at a shell prompt (for example, in an XTerm or a GNOME terminal).
- Clickon the first page.
- On the Diskless Identifier page, enter a Name and Description for the diskless environment. Click .
- Enter the IP address or domain name of the NFS server configured in Section 4.1, “Configuring the NFS Server” as well as the directory exported as the diskless environment. Click .
- The kernel versions installed in the diskless environment are listed. Select the kernel version to boot on the diskless system.
- Clickto finish the configuration.
/tftpboot/linux-install/<os-identifier>/
. The directory snapshot/
is created in the same directory as the root/
directory (for example, /diskless/i386/RHEL4-AS/snapshot/
) with a file called files
in it. This file contains a list of files and directories that must be read/write for each diskless system. Do not modify this file. If additional entries must be added to the list, create a files.custom
file in the same directory as the files
file, and add each additional file or directory on a separate line.
4.3. Adding Hosts
- Hostname or IP Address/Subnet — Specify the hostname or IP address of a system to add it as a host for the diskless environment. Enter a subnet to specify a group of systems.
- Operating System — Select the diskless environment for the host or subnet of hosts.
- Serial Console — Select this checkbox to perform a serial installation.
- Snapshot name — Provide a subdirectory name to be used to store all of the read/write content for the host.
- Ethernet — Select the Ethernet device on the host to use to mount the diskless environment. If the host only has one Ethernet card, select eth0.
Figure 4.1. Add Diskless Host
snapshot/
directory in the diskless directory, a subdirectory is created with the Snapshot name specified as the file name. Then, all of the files listed in snapshot/files
and snapshot/files.custom
are copied copy from the root/
directory to this new directory.
4.4. Booting the Hosts
root/
directory in the diskless directory as read-only. It also mounts its individual snapshot directory as read/write. Then it mounts all the files and directories in the files
and files.custom
files using the mount -o bind
over the read-only diskless directory to allow applications to write to the root directory of the diskless environment if they need to.
Chapter 5. Basic System Recovery
5.1. Common Problems
- You are unable to boot normally into Red Hat Enterprise Linux (runlevel 3 or 5).
- You are having hardware or software problems, and you want to get a few important files off of your system's hard drive.
- You forgot the root password.
5.1.1. Unable to Boot into Red Hat Enterprise Linux
/
partition changes, the boot loader might not be able to find it to mount the partition. To fix this problem, boot in rescue mode and modify the /boot/grub/grub.conf
file.
5.1.2. Hardware/Software Problems
5.2. Booting into Rescue Mode
- By booting the system from an installation boot CD-ROM.
- By booting the system from other installation boot media, such as USB flash devices.
- By booting the system from the Red Hat Enterprise Linux CD-ROM #1.
rescue
as a kernel parameter. For example, for an x86 system, type the following command at the installation boot prompt:
linux rescue
The rescue environment will now attempt to find your Linux installation and mount it under the directory /mnt/sysimage. You can then make any changes required to your system. If you want to proceed with this step choose 'Continue'. You can also choose to mount your file systems read-only instead of read-write by choosing 'Read-only'. If for some reason this process fails you can choose 'Skip' and this step will be skipped and you will go directly to a command shell.
/mnt/sysimage/
. If it fails to mount a partition, it notifies you. If you select , it attempts to mount your file system under the directory /mnt/sysimage/
, but in read-only mode. If you select , your file system is not mounted. Choose if you think your file system is corrupted.
sh-3.00b#
chroot /mnt/sysimage
rpm
that require your root partition to be mounted as /
. To exit the chroot
environment, type exit
to return to the prompt.
/foo
, and typing the following command:
mount -t ext3 /dev/mapper/VolGroup00-LogVol02 /foo
/foo
is a directory that you have created and /dev/mapper/VolGroup00-LogVol02
is the LVM2 logical volume you want to mount. If the partition is of type ext2
, replace ext3
with ext2
.
fdisk -l
pvdisplay
vgdisplay
lvdisplay
ssh
,scp
, andping
if the network is starteddump
andrestore
for users with tape drivesparted
andfdisk
for managing partitionsrpm
for installing or upgrading softwarejoe
for editing configuration filesNote
If you try to start other popular editors such asemacs
,pico
, orvi
, thejoe
editor is started.
5.2.1. Reinstalling the Boot Loader
- Boot the system from an installation boot medium.
- Type
linux rescue
at the installation boot prompt to enter the rescue environment. - Type
chroot /mnt/sysimage
to mount the root partition. - Type
/sbin/grub-install /dev/hda
to reinstall the GRUB boot loader, where/dev/hda
is the boot partition. - Review the
/boot/grub/grub.conf
file, as additional entries may be needed for GRUB to control additional operating systems. - Reboot the system.
5.3. Booting into Single-User Mode
- At the GRUB splash screen at boot time, press any key to enter the GRUB interactive menu.
- Select Red Hat Enterprise Linux with the version of the kernel that you wish to boot and type
a
to append the line. - Go to the end of the line and type
single
as a separate word (press the Spacebar and then typesingle
). Press Enter to exit edit mode.
5.4. Booting into Emergency Mode
init
files are not loaded. If init
is corrupted or not working, you can still mount file systems to recover data that could be lost during a re-installation.
single
with the keyword emergency
.
Part II. File Systems
parted
utility to manage partitions and access control lists (ACLs) to customize file permissions.
Chapter 6. The ext3 File System
6.1. Features of ext3
- Availability
- After an unexpected power failure or system crash (also called an unclean system shutdown), each mounted ext2 file system on the machine must be checked for consistency by the
e2fsck
program. This is a time-consuming process that can delay system boot time significantly, especially with large volumes containing a large number of files. During this time, any data on the volumes is unreachable.The journaling provided by the ext3 file system means that this sort of file system check is no longer necessary after an unclean system shutdown. The only time a consistency check occurs using ext3 is in certain rare hardware failure cases, such as hard drive failures. The time to recover an ext3 file system after an unclean system shutdown does not depend on the size of the file system or the number of files; rather, it depends on the size of the journal used to maintain consistency. The default journal size takes about a second to recover, depending on the speed of the hardware. - Data Integrity
- The ext3 file system provides stronger data integrity in the event that an unclean system shutdown occurs. The ext3 file system allows you to choose the type and level of protection that your data receives. By default, the ext3 volumes are configured to keep a high level of data consistency with regard to the state of the file system.
- Speed
- Despite writing some data more than once, ext3 has a higher throughput in most cases than ext2 because ext3's journaling optimizes hard drive head motion. You can choose from three journaling modes to optimize speed, but doing so means trade-offs in regards to data integrity.
- Easy Transition
- It is easy to migrate from ext2 to ext3 and gain the benefits of a robust journaling file system without reformatting. Refer to Section 6.3, “Converting to an ext3 File System” for more on how to perform this task.
6.2. Creating an ext3 File System
- Create the partition using
parted
orfdisk
. - Format the partition with the ext3 file system using
mkfs
. - Label the partition using
e2label
. - Create the mount point.
- Add the partition to the
/etc/fstab
file.
6.3. Converting to an ext3 File System
tune2fs
program can add a journal to an existing ext2 file system without altering the data already on the partition. If the file system is already mounted while it is being transitioned, the journal is visible as the file .journal
in the root directory of the file system. If the file system is not mounted, the journal is hidden and does not appear in the file system at all.
Note
/sbin/tune2fs -j <file_system>
- A mapped device — A logical volume in a volume group, for example,
/dev/mapper/VolGroup00-LogVol02
. - A static device — A traditional storage volume, for example,
/dev/hdbX
, where hdb is a storage device name and X is the partition number.
df
command to display mounted file systems. For more detailed information on the LVM file system, refer to Chapter 8, LVM Configuration.
/dev/mapper/VolGroup00-LogVol02
/etc/fstab
file.
initrd
image (or RAM disk) to boot. To create this, run the mkinitrd
program. For information on using the mkinitrd
command, type man mkinitrd
. Also, make sure your GRUB configuration loads the initrd
.
6.4. Reverting to an ext2 File System
resize2fs
, which does not yet support ext3. In this situation, it may be necessary to temporarily revert a file system to ext2.
umount /dev/mapper/VolGroup00-LogVol02
/sbin/tune2fs -O ^has_journal /dev/mapper/VolGroup00-LogVol02
/sbin/e2fsck -y /dev/mapper/VolGroup00-LogVol02
mount -t ext2 /dev/mapper/VolGroup00-LogVol02/mount/point
.journal
file at the root level of the partition by changing to the directory where it is mounted and typing:
rm -f .journal
/etc/fstab
file.
Note
ext2online
. ext2online
allows you to increase the size of an ext3 file system once it is mounted (online) and on a resizable logical volume. The root file system is set up by default on LVM2 logical volumes during installation.
ext2online
will only work on ext3 file systems. For more information, refer to man ext2online
.
Chapter 7. Logical Volume Manager (LVM)
7.1. What is LVM?
/boot/
partition. The /boot/
partition cannot be on a logical volume group because the boot loader cannot read it. If the root (/
) partition is on a logical volume, create a separate /boot/
partition which is not a part of a volume group.
Figure 7.1. Logical Volume Group
/home
and /
m and file system types, such as ext2 or ext3. When "partitions" reach their full capacity, free space from the logical volume group can be added to the logical volume to increase the size of the partition. When a new hard drive is added to the system, it can be added to the logical volume group, and partitions that are logical volumes can be expanded.
Figure 7.2. Logical Volumes
7.2. What is LVM2?
7.3. Additional Resources
7.3.1. Installed Documentation
rpm -qd lvm
— This command shows all the documentation available from thelvm
package, including man pages.lvm help
— This command shows all LVM commands available.
7.3.2. Useful Websites
- http://sourceware.org/lvm2 — LVM2 webpage, which contains an overview, link to the mailing lists, and more.
- http://tldp.org/HOWTO/LVM-HOWTO/ — LVM HOWTO from the Linux Documentation Project.
Chapter 8. LVM Configuration
lvm
package to create your own LVM configuration post-installation, but these instructions focus on using Disk Druid during installation to complete this task.
- Creating physical volumes from the hard drives.
- Creating volume groups from the physical volumes.
- Creating logical volumes from the volume groups and assign the logical volumes mount points.
Note
/dev/sda
and /dev/sdb
) are used in the following examples. They detail how to create a simple configuration using a single LVM volume group with associated logical volumes during installation.
8.1. Automatic Partitioning
- The
/boot/
partition resides on its own non-LVM partition. In the following example, it is the first partition on the first drive (/dev/sda1
). Bootable partitions cannot reside on LVM logical volumes. - A single LVM volume group (
VolGroup00
) is created, which spans all selected drives and all remaining space available. In the following example, the remainder of the first drive (/dev/sda2
), and the entire second drive (/dev/sdb1
) are allocated to the volume group. - Two LVM logical volumes (
LogVol00
andLogVol01
) are created from the newly created spanned volume group. In the following example, the recommended swap space is automatically calculated and assigned toLogVol01
, and the remainder is allocated to the root file system,LogVol00
.
Figure 8.1. Automatic LVM Configuration With Two SCSI Drives
Note
/home/
or /var/
, so that each file system has its own independent quota configuration limits.
Note
8.2. Manual LVM Partitioning
8.2.1. Creating the /boot/
Partition
Figure 8.2. Two Blank Drives, Ready For Configuration
Warning
/boot/
partition cannot reside on an LVM volume group because the GRUB boot loader cannot read it.
- Select.
- Select /boot from the Mount Point pulldown menu.
- Select ext3 from the File System Type pulldown menu.
- Select only the sda checkbox from the Allowable Drives area.
- Leave 100 (the default) in the Size (MB) menu.
- Leave the Fixed size (the default) radio button selected in the Additional Size Options area.
- Select Force to be a primary partition to make the partition be a primary partition. A primary partition is one of the first four partitions on the hard drive. If unselected, the partition is created as a logical partition. If other operating systems are already on the system, unselecting this option should be considered. For more information on primary versus logical/extended partitions, refer to the appendix section of the Installation Guide.
Figure 8.3. Creation of the Boot Partition
Figure 8.4. The /boot/
Partition Displayed
8.2.2. Creating the LVM Physical Volumes
- Select.
- Select physical volume (LVM) from the File System Type pulldown menu as shown in Figure 8.5, “Creating a Physical Volume”.
Figure 8.5. Creating a Physical Volume
- You cannot enter a mount point yet (you can once you have created all your physical volumes and then all volume groups).
- A physical volume must be constrained to one drive. For, select the drive on which the physical volume are created. If you have multiple drives, all drives are selected, and you must deselect all but one drive.
- Enter the size that you want the physical volume to be.
- Select Fixed size to make the physical volume the specified size, select Fill all space up to (MB) and enter a size in MBs to give range for the physical volume size, or select Fill to maximum allowable size to make it grow to fill all available space on the hard disk. If you make more than one growable, they share the available free space on the disk.
- Select Force to be a primary partition if you want the partition to be a primary partition.
- Clickto return to the main screen.
Figure 8.6. Two Physical Volumes Created
8.2.3. Creating the LVM Volume Groups
- Click thebutton to collect the physical volumes into volume groups. A volume group is basically a collection of physical volumes. You can have multiple logical volume groups, but a physical volume can only be in one volume group.
Note
There is overhead disk space reserved in the logical volume group. The summation of the physical volumes may not equal the size of the volume group; however, the size of the logical volumes shown is correct.Figure 8.7. Creating an LVM Volume Group
- Change the Volume Group Name if desired.
- All logical volumes inside the volume group must be allocated in physical extent units. By default, the physical extent is set to 32 MB; thus, logical volume sizes must be divisible by 32 MBs. If you enter a size that is not a unit of 32 MBs, the installation program automatically selects the closest size in units of 32 MBs. It is not recommended that you change this setting.
- Select which physical volumes to use for the volume group.
8.2.4. Creating the LVM Logical Volumes
/
, /home/
, and swap space. Remember that /boot
cannot be a logical volume. To add a logical volume, click the button in the Logical Volumes section. A dialog window as shown in Figure 8.8, “Creating a Logical Volume” appears.
Figure 8.8. Creating a Logical Volume
Note
Figure 8.9. Pending Logical Volumes
Figure 8.10. Final Manual Configuration
Chapter 9. Redundant Array of Independent Disks (RAID)
9.1. What is RAID?
9.2. Who Should Use RAID?
- Enhanced speed
- Increased storage capacity using a single virtual disk
- Lessened impact of a disk failure
9.3. Hardware RAID versus Software RAID
9.3.1. Hardware RAID
9.3.2. Software RAID
- Threaded rebuild process
- Kernel-based configuration
- Portability of arrays between Linux machines without reconstruction
- Backgrounded array reconstruction using idle system resources
- Hot-swappable drive support
- Automatic CPU detection to take advantage of certain CPU optimizations
9.4. RAID Levels and Linear Support
- Level 0 — RAID level 0, often called "striping," is a performance-oriented striped data mapping technique. This means the data being written to the array is broken down into strips and written across the member disks of the array, allowing high I/O performance at low inherent cost but provides no redundancy. The storage capacity of a level 0 array is equal to the total capacity of the member disks in a Hardware RAID or the total capacity of member partitions in a Software RAID.
- Level 1 — RAID level 1, or "mirroring," has been used longer than any other form of RAID. Level 1 provides redundancy by writing identical data to each member disk of the array, leaving a "mirrored" copy on each disk. Mirroring remains popular due to its simplicity and high level of data availability. Level 1 operates with two or more disks that may use parallel access for high data-transfer rates when reading but more commonly operate independently to provide high I/O transaction rates. Level 1 provides very good data reliability and improves performance for read-intensive applications but at a relatively high cost. [3] The storage capacity of the level 1 array is equal to the capacity of one of the mirrored hard disks in a Hardware RAID or one of the mirrored partitions in a Software RAID.
- Level 4 — Level 4 uses parity [4] concentrated on a single disk drive to protect data. It is better suited to transaction I/O rather than large file transfers. Because the dedicated parity disk represents an inherent bottleneck, level 4 is seldom used without accompanying technologies such as write-back caching. Although RAID level 4 is an option in some RAID partitioning schemes, it is not an option allowed in Red Hat Enterprise Linux RAID installations. [5] The storage capacity of Hardware RAID level 4 is equal to the capacity of member disks, minus the capacity of one member disk. The storage capacity of Software RAID level 4 is equal to the capacity of the member partitions, minus the size of one of the partitions if they are of equal size.
- Level 5 — This is the most common type of RAID. By distributing parity across some or all of an array's member disk drives, RAID level 5 eliminates the write bottleneck inherent in level 4. The only performance bottleneck is the parity calculation process. With modern CPUs and Software RAID, that usually is not a very big problem. As with level 4, the result is asymmetrical performance, with reads substantially outperforming writes. Level 5 is often used with write-back caching to reduce the asymmetry. The storage capacity of Hardware RAID level 5 is equal to the capacity of member disks, minus the capacity of one member disk. The storage capacity of Software RAID level 5 is equal to the capacity of the member partitions, minus the size of one of the partitions if they are of equal size.
- Linear RAID — Linear RAID is a simple grouping of drives to create a larger virtual drive. In linear RAID, the chunks are allocated sequentially from one member drive, going to the next drive only when the first is completely filled. This grouping provides no performance benefit, as it is unlikely that any I/O operations will be split between member drives. Linear RAID also offers no redundancy and, in fact, decreases reliability — if any one member drive fails, the entire array cannot be used. The capacity is the total of all member disks.
/
) partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The other 40G acts like a mirror of the first 40G.
Chapter 10. Software RAID Configuration
- Applying software RAID partitions to the physical hard drives.If you wish to have the boot partition (
/boot/
) reside on a RAID parition, it must be on a RAID 1 partition. - Creating RAID devices from the software RAID partitions.
- Optional: Configuring LVM from the RAID devices. Refer to Chapter 8, LVM Configuration for more information on configuring LVM after first configuring RAID.
- Creating file systems from the RAID devices.
Note
/dev/sda
and /dev/sdb
) are used in the following examples. They detail how to create a simple RAID 1 configuration by implementing multiple RAID devices.
10.1. Creating the RAID Partitions
Figure 10.1. Two Blank Drives, Ready For Configuration
- In Disk Druid, choose to enter the software RAID creation screen.
- Choose Figure 10.2, “RAID Partition Options”. Note that no other RAID options (such as entering a mount point) are available until RAID partitions, as well as RAID devices, are created.to create a RAID partition as shown in
Figure 10.2. RAID Partition Options
- A software RAID partition must be constrained to one drive. For, select the drive on which RAID is to be created. If you have multiple drives, all drives are selected, and you must deselect all but one drive.
Figure 10.3. Adding a RAID Partition
- Enter the size that you want the partition to be.
- Select Fixed size to make the partition the specified size, select Fill all space up to (MB) and enter a size in MBs to give range for the partition size, or select Fill to maximum allowable size to make it grow to fill all available space on the hard disk. If you make more than one partition growable, they share the available free space on the disk.
- Select Force to be a primary partition if you want the partition to be a primary partition. A primary partition is one of the first four partitions on the hard drive. If unselected, the partition is created as a logical partition. If other operating systems are already on the system, unselecting this option should be considered. For more information on primary versus logical/extended partitions, refer to the appendix section of the Installation Guide.
- Clickto return to the main screen.
/boot/
partition as a software RAID device, leaving the root partition (/
), /home/
, and swap as regular file systems. Figure 10.4, “RAID 1 Partitions Ready, Pre-Device and Mount Point Creation” shows successfully allocated space for the RAID 1 configuration (for /boot/
), which is now ready for RAID device and mount point creation:
Figure 10.4. RAID 1 Partitions Ready, Pre-Device and Mount Point Creation
10.2. Creating the RAID Devices and Mount Points
- Select the Disk Druid main partitioning screen (refer to Figure 10.5, “RAID Options”).button on the
- Figure 10.5, “RAID Options” appears. Select Create a RAID device.
Figure 10.5. RAID Options
- Next, Figure 10.6, “Making a RAID Device and Assigning a Mount Point” appears, where you can make a RAID device and assign a mount point.
Figure 10.6. Making a RAID Device and Assigning a Mount Point
- Enter a mount point.
- Choose the file system type for the partition. At this point you can either configure a dynamic LVM file system or a traditional static ext2/ext3 file system. For more information on configuring LVM on a RAID device, select physical volume (LVM) and then refer to Chapter 8, LVM Configuration. If LVM is not required, continue on with the following instructions.
- Select a device name such as md0 for the RAID device.
- Choose your RAID level. You can choose from RAID 0, RAID 1, and RAID 5. If you need assistance in determining which RAID level to implement, refer to Chapter 9, Redundant Array of Independent Disks (RAID).
Note
If you are making a RAID partition of/boot/
, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a seperate RAID partition of/boot/
, and you are making a RAID partition for the root file system (/
), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).Figure 10.7. The
/boot/
Mount Error - The RAID partitions created appear in the RAID Members list. Select which of these partitions should be used to create the RAID device.
- If configuring RAID 1 or RAID 5, specify the number of spare partitions. If a software RAID partition fails, the spare is automatically used as a replacement. For each spare you want to specify, you must create an additional software RAID partition (in addition to the partitions for the RAID device). Select the partitions for the RAID device and the partition(s) for the spare(s).
- After clicking Drive Summary list., the RAID device appears in the
- Repeat this chapter's entire process for configuring additional partitions, devices, and mount points, such as the root partition (
/
),/home/
, or swap.
Figure 10.8. Final Sample RAID Configuration
Figure 10.9. Final Sample RAID With LVM Configuration
Chapter 11. Swap Space
11.1. What is Swap Space?
Note
Important
free
and cat /proc/swaps
commands to verify how much and where swap is in use.
11.2. Adding Swap Space
11.2.1. Extending Swap on an LVM2 Logical Volume
/dev/VolGroup00/LogVol01
is the volume you want to extend):
- Disable swapping for the associated logical volume:
# swapoff -v /dev/VolGroup00/LogVol01
- Resize the LVM2 logical volume by 256 MB:
# lvm lvresize /dev/VolGroup00/LogVol01 -L +256M
- Format the new swap space:
# mkswap /dev/VolGroup00/LogVol01
- Enable the extended logical volume:
# swapon -va
- Test that the logical volume has been extended properly:
# cat /proc/swaps # free
11.2.2. Creating an LVM2 Logical Volume for Swap
/dev/VolGroup00/LogVol02
is the swap volume you want to add):
- Create the LVM2 logical volume of size 256 MB:
# lvm lvcreate VolGroup00 -n LogVol02 -L 256M
- Format the new swap space:
# mkswap /dev/VolGroup00/LogVol02
- Add the following entry to the
/etc/fstab
file:/dev/VolGroup00/LogVol02 swap swap defaults 0 0
- Enable the extended logical volume:
# swapon -va
- Test that the logical volume has been extended properly:
# cat /proc/swaps # free
11.2.3. Creating a Swap File
- Determine the size of the new swap file in megabytes and multiply by 1024 to determine the number of blocks. For example, the block size of a 64 MB swap file is 65536.
- At a shell prompt as root, type the following command with
count
being equal to the desired block size:dd if=/dev/zero of=/swapfile bs=1024 count=65536
- Setup the swap file with the command:
mkswap /swapfile
- To enable the swap file immediately but not automatically at boot time:
swapon /swapfile
- To enable it at boot time, edit
/etc/fstab
to include the following entry:/swapfile swap swap defaults 0 0
The next time the system boots, it enables the new swap file. - After adding the new swap file and enabling it, verify it is enabled by viewing the output of the command
cat /proc/swaps
orfree
.
11.3. Removing Swap Space
11.3.1. Reducing Swap on an LVM2 Logical Volume
/dev/VolGroup00/LogVol01
is the volume you want to extend):
- Disable swapping for the associated logical volume:
# swapoff -v /dev/VolGroup00/LogVol01
- Reduce the LVM2 logical volume by 512 MB:
# lvm lvreduce /dev/VolGroup00/LogVol01 -L -512M
- Format the new swap space:
# mkswap /dev/VolGroup00/LogVol01
- Enable the extended logical volume:
# swapon -va
- Test that the logical volume has been reduced properly:
# cat /proc/swaps # free
11.3.2. Removing an LVM2 Logical Volume for Swap
/dev/VolGroup00/LogVol02
is the swap volume you want to remove):
- Disable swapping for the associated logical volume:
# swapoff -v /dev/VolGroup00/LogVol02
- Remove the LVM2 logical volume of size 512 MB:
# lvm lvremove /dev/VolGroup00/LogVol02
- Remove the following entry from the
/etc/fstab
file:/dev/VolGroup00/LogVol02 swap swap defaults 0 0
- Test that the logical volume has been extended properly:
# cat /proc/swaps # free
Chapter 12. Managing Disk Storage
12.1. Standard Partitions using parted
parted
allows users to perform these tasks. This chapter discusses how to use parted
to perform file system tasks.
parted
package installed to use the parted
utility. To start parted
, at a shell prompt as root, type the command parted /dev/sda
, where /dev/sda is the device name for the drive you want to configure. The (parted)
prompt is displayed. Type help
to view a list of available commands.
umount
command and turn off all the swap space on the hard drive with the swapoff
command.
parted
commands” contains a list of commonly used parted
commands. The sections that follow explain some of them in more detail.
Command | Description |
---|---|
check minor-num | Perform a simple check of the file system |
cp fromto | Copy file system from one partition to another; from and to are the minor numbers of the partitions |
help | Display list of available commands |
mklabel label | Create a disk label for the partition table |
mkfs minor-numfile-system-type | Create a file system of type file-system-type |
mkpart part-typefs-typestart-mbend-mb | Make a partition without creating a new file system |
mkpartfs part-typefs-typestart-mbend-mb | Make a partition and create the specified file system |
move minor-numstart-mbend-mb | Move the partition |
name minor-numname | Name the partition for Mac and PC98 disklabels only |
print | Display the partition table |
quit | Quit parted |
rescue start-mbend-mb | Rescue a lost partition from start-mb to end-mb |
resize minor-numstart-mbend-mb | Resize the partition from start-mb to end-mb |
rm minor-num | Remove the partition |
select device | Select a different device to configure |
set minor-numflagstate | Set the flag on a partition; state is either on or off |
12.1.1. Viewing the Partition Table
parted
, type the following command to view the partition table:
print
Disk geometry for /dev/sda: 0.000-8678.789 megabytes Disk label type: msdos Minor Start End Type Filesystem Flags 1 0.031 101.975 primary ext3 boot 2 101.975 5098.754 primary ext3 3 5098.755 6361.677 primary linux-swap 4 6361.677 8675.727 extended 5 6361.708 7357.895 logical ext3 Disk geometry for /dev/hda: 0.000-9765.492 megabytes Disk label type: msdos Minor Start End Type Filesystem Flags 1 0.031 101.975 primary ext3 boot 2 101.975 611.850 primary linux-swap 3 611.851 760.891 primary ext3 4 760.891 9758.232 extended lba 5 760.922 9758.232 logical ext3
/dev/sda1
. The Start and End values are in megabytes. The Type is one of primary, extended, or logical. The Filesystem is the file system type, which can be one of ext2, ext3, fat16, fat32, hfs, jfs, linux-swap, ntfs, reiserfs, hp-ufs, sun-ufs, or xfs. The Flags column lists the flags set for the partition. Available flags are boot, root, swap, hidden, raid, lvm, or lba.
/boot/
file system, minor number 2 refers to the root file system (/
), minor number 3 refers to the swap, and minor number 5 refers to the /home/
file system.
12.1.2. Creating a Partition
Warning
parted
, where /dev/sda is the device on which to create the partition:
parted /dev/sda
print
12.1.2.1. Making the Partition
mkpart primary ext3 1024 2048
Note
mkpartfs
command instead, the file system is created after the partition is created. However, parted
does not support creating an ext3 file system. Thus, if you wish to create an ext3 file system, use mkpart
and create the file system with the mkfs
command as described later. mkpartfs
works for file system type linux-swap.
print
command to confirm that it is in the partition table with the correct partition type, file system type, and size. Also remember the minor number of the new partition so that you can label it. You should also view the output of
cat /proc/partitions
12.1.2.2. Formating the Partition
/sbin/mkfs -t ext3 /dev/sda6
Warning
12.1.2.3. Labeling the Partition
/dev/sda6
and you want to label it /work
:
e2label /dev/sda6 /work
12.1.2.4. Creating the Mount Point
mkdir /work
12.1.2.5. Add to /etc/fstab
/etc/fstab
file to include the new partition. The new line should look similar to the following:
LABEL=/work /work ext3 defaults 1 2
LABEL=
followed by the label you gave the partition. The second column should contain the mount point for the new partition, and the next column should be the file system type (for example, ext3 or swap). If you need more information about the format, read the man page with the command man fstab
.
defaults
, the partition is mounted at boot time. To mount the partition without rebooting, as root, type the command:
mount /work
12.1.3. Removing a Partition
Warning
parted
, where /dev/sda is the device on which to remove the partition:
parted /dev/sda
print
rm
. For example, to remove the partition with minor number 3:
rm 3
print
command to confirm that it is removed from the partition table. You should also view the output of
cat /proc/partitions
/etc/fstab
file. Find the line that declares the removed partition, and remove it from the file.
12.1.4. Resizing a Partition
Warning
parted
, where /dev/sda is the device on which to resize the partition:
parted /dev/sda
print
Warning
resize
command followed by the minor number for the partition, the starting place in megabytes, and the end place in megabytes. For example:
resize 3 1024 2048
print
command to confirm that the partition has been resized correctly, is the correct partition type, and is the correct file system type.
df
to make sure the partition was mounted and is recognized with the new size.
12.2. LVM Partition Management
lvm help
at a command prompt.
Command | Description |
---|---|
dumpconfig | Dump the active configuration |
formats | List the available metadata formats |
help | Display the help commands |
lvchange | Change the attributes of logical volume(s) |
lvcreate | Create a logical volume |
lvdisplay | Display information about a logical volume |
lvextend | Add space to a logical volume |
lvmchange | Due to use of the device mapper, this command has been deprecated |
lvmdiskscan | List devices that may be used as physical volumes |
lvmsadc | Collect activity data |
lvmsar | Create activity report |
lvreduce | Reduce the size of a logical volume |
lvremove | Remove logical volume(s) from the system |
lvrename | Rename a logical volume |
lvresize | Resize a logical volume |
lvs | Display information about logical volumes |
lvscan | List all logical volumes in all volume groups |
pvchange | Change attributes of physical volume(s) |
pvcreate | Initialize physical volume(s) for use by LVM |
pvdata | Display the on-disk metadata for physical volume(s) |
pvdisplay | Display various attributes of physical volume(s) |
pvmove | Move extents from one physical volume to another |
pvremove | Remove LVM label(s) from physical volume(s) |
pvresize | Resize a physical volume in use by a volume group |
pvs | Display information about physical volumes |
pvscan | List all physical volumes |
segtypes | List available segment types |
vgcfgbackup | Backup volume group configuration |
vgcfgrestore | Restore volume group configuration |
vgchange | Change volume group attributes |
vgck | Check the consistency of a volume group |
vgconvert | Change volume group metadata format |
vgcreate | Create a volume group |
vgdisplay | Display volume group information |
vgexport | Unregister a volume group from the system |
vgextend | Add physical volumes to a volume group |
vgimport | Register exported volume group with system |
vgmerge | Merge volume groups |
vgmknodes | Create the special files for volume group devices in /dev/ |
vgreduce | Remove a physical volume from a volume group |
vgremove | Remove a volume group |
vgrename | Rename a volume group |
vgs | Display information about volume groups |
vgscan | Search for all volume groups |
vgsplit | Move physical volumes into a new volume group |
version | Display software and driver version information |
Chapter 13. Implementing Disk Quotas
quota
RPM must be installed to implement disk quotas.
13.1. Configuring Disk Quotas
- Enable quotas per file system by modifying the
/etc/fstab
file. - Remount the file system(s).
- Create the quota database files and generate the disk usage table.
- Assign quota policies.
13.1.1. Enabling Quotas
/etc/fstab
file. Add the usrquota
and/or grpquota
options to the file systems that require quotas:
/dev/VolGroup00/LogVol00 / ext3 defaults 1 1 LABEL=/boot /boot ext3 defaults 1 2 none /dev/pts devpts gid=5,mode=620 0 0 none /dev/shm tmpfs defaults 0 0 none /proc proc defaults 0 0 none /sys sysfs defaults 0 0 /dev/VolGroup00/LogVol02 /home ext3 defaults,usrquota,grpquota 1 2 /dev/VolGroup00/LogVol01 swap swap defaults 0 0 . . .
/home
file system has both user and group quotas enabled.
Note
/home
partition was created during the installation of Red Hat Enterprise Linux. Although not ideal, the root (/
) partition (the installation default created partition) can be used for setting quota policies in the /etc/fstab
file.
13.1.2. Remounting the File Systems
usrquota
and/or grpquota
options, remount each file system whose fstab
entry has been modified. If the file system is not in use by any process, use one of the following methods:
- Issue the
umount
command followed by themount
command to remount the file system. - Issue the
mount -o remount /home
command to remount the file system.
13.1.3. Creating the Quota Database Files
quotacheck
command.
quotacheck
command examines quota-enabled file systems and builds a table of the current disk usage per file system. The table is then used to update the operating system's copy of disk usage. In addition, the file system's disk quota files are updated.
aquota.user
and aquota.group
) on the file system, use the -c
option of the quotacheck
command. For example, if user and group quotas are enabled for the /home
file system, create the files in the /home
directory:
quotacheck -cug /home
-c
option specifies that the quota files should be created for each file system with quotas enabled, the -u
option specifies to check for user quotas, and the -g
option specifies to check for group quotas.
-u
or -g
options are specified, only the user quota file is created. If only -g
is specified, only the group quota file is created.
quotacheck -avug
a
— Check all quota-enabled, locally-mounted file systemsv
— Display verbose status information as the quota check proceedsu
— Check user disk quota informationg
— Check group disk quota information
quotacheck
has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as /home
.
13.1.4. Assigning Quotas per User
edquota
command.
edquota username
/etc/fstab
for the /home
partition (/dev/VolGroup00/LogVol02
) and the command edquota testuser
is executed, the following is shown in the editor configured as the default for the system:
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 0 0 37418 0 0
Note
EDITOR
environment variable is used by edquota
. To change the editor, set the EDITOR
environment variable in your ~/.bash_profile
file to the full path of the editor of your choice.
inodes
column shows how many inodes the user is currently using. The last two columns are used to set the soft and hard inode limits for the user on the file system.
Disk quotas for user testuser (uid 501): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440436 500000 550000 37418 0 0
quota testuser
13.1.5. Assigning Quotas per Group
devel
group (the group must exist prior to setting the group quota), use the command:
edquota -g devel
Disk quotas for group devel (gid 505): Filesystem blocks soft hard inodes soft hard /dev/VolGroup00/LogVol02 440400 0 0 37418 0 0
quota -g devel
13.1.6. Assigning Quotas per File System
edquota -t
edquota
commands, this one opens the current quotas for the file system in the text editor:
Grace period before enforcing soft limits for users: Time units may be: days, hours, minutes, or seconds Filesystem Block grace period Inode grace period /dev/mapper/VolGroup00-LogVol02 7days 7days
13.2. Managing Disk Quotas
13.2.1. Enabling and Disabling
quotaoff -vaug
-u
or -g
options are specified, only the user quotas are disabled. If only -g
is specified, only group quotas are disabled.
quotaon
command with the same options.
quotaon -vaug
/home
, use the following command:
quotaon -vug /home
-u
or -g
options are specified, only the user quotas are enabled. If only -g
is specified, only group quotas are enabled.
13.2.2. Reporting on Disk Quotas
repquota
utility. For example, the command repquota /home
produces this output:
*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02 Block grace time: 7days; Inode grace time: 7days Block limits File limits User used soft hard grace used soft hard grace ---------------------------------------------------------------------- root -- 36 0 0 4 0 0 kristin -- 540 0 0 125 0 0 testuser -- 440400 500000 550000 37418 0 0
-a
) quota-enabled file systems, use the command:
repquota -a
--
displayed after each user is a quick way to determine whether the block or inode limits have been exceeded. If either soft limit is exceeded, a +
appears in place of the corresponding -
; the first -
represents the block limit, and the second represents the inode limit.
grace
columns are normally blank. If a soft limit has been exceeded, the column contains a time specification equal to the amount of time remaining on the grace period. If the grace period has expired, none
appears in its place.
13.2.3. Keeping Quotas Accurate
quotacheck
. However, quotacheck
can be run on a regular basis, even if the system has not crashed. Running the following command periodically keeps the quotas more accurate (the options used have been described in Section 13.1.1, “Enabling Quotas”):
quotacheck -avug
cron
. As root, either use the crontab -e
command to schedule a periodic quotacheck
or place a script that runs quotacheck
in any one of the following directories (using whichever interval best matches your needs):
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
quotacheck
for each file system at different times with multiple cron tasks.
cron
.
13.3. Additional Resources
13.3.1. Installed Documentation
- The
quotacheck
,edquota
,repquota
,quota
,quotaon
, andquotaoff
man pages
13.3.2. Related Books
- Introduction to System Administration ; Red Hat, Inc — Available at http://www.redhat.com/docs/ and on the Documentation CD, this manual contains background information on storage management (including disk quotas) for new Red Hat Enterprise Linux system administrators.
Chapter 14. Access Control Lists
acl
package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
cp
and mv
commands copy or move any ACLs associated with files and directories.
14.1. Mounting File Systems
mount -t ext3 -o acl <device-name><partition>
mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
/etc/fstab
file, the entry for the partition can include the acl
option:
LABEL=/work /work ext3 acl 1 2
--with-acl-support
option. No special flags are required when accessing or mounting a Samba share.
14.1.1. NFS
no_acl
option in the /etc/exports
file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl
option via the command line or the /etc/fstab
file.
14.2. Setting Access ACLs
- Per user
- Per group
- Via the effective rights mask
- For users not in the user group for the file
setfacl
utility sets ACLs for files and directories. Use the -m
option to add or modify the ACL of a file or directory:
setfacl -m <rules><files>
u:<uid>:<perms>
- Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
g:<gid>:<perms>
- Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
m:<perms>
- Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
o:<perms>
- Sets the access ACL for users other than the ones in the group for the file.
r
, w
, and x
for read, write, and execute.
setfacl
command is used, the additional rules are added to the existing ACL or the existing rule is modified.
setfacl -m u:andrius:rw /project/somefile
-x
option and do not specify any permissions:
setfacl -x <rules><files>
setfacl -x u:500 /project/somefile
14.3. Setting Default ACLs
d:
before the rule and specify a directory instead of a file name.
/share/
directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share
14.4. Retrieving ACLs
getfacl
command:
getfacl <filename>
# file: file # owner: andrius # group: andrius user::rw- user:smoore:r-- group::r-- mask::r-- other::r--
# file: file # owner: andrius # group: andrius user::rw- user:smoore:r-- group::r-- mask::r-- other::r-- default:user::rwx default:user:andrius:rwx default:group::r-x default:mask::rwx default:other::r-x
14.5. Archiving File Systems With ACLs
Warning
tar
and dump
commands do not backup ACLs.
star
utility is similar to the tar
utility in that it can be used to generate archives of files; however, some of its options are different. Refer to Table 14.1, “Command Line Options for star
” for a listing of more commonly used options. For all available options, refer to the star
man page. The star
package is required to use this utility.
Option | Description |
---|---|
-c | Creates an archive file. |
-n | Do not extract the files; use in conjunction with -x to show what extracting the files does. |
-r | Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name. |
-t | Displays the contents of the archive file. |
-u | Updates the archive file. The files are written to the end of the archive if they do not exist in the archive or if the files are newer than the files of the same name in the archive. This option only work if the archive is a file or an unblocked tape that may backspace. |
-x | Extracts the files from the archive. If used with -U and a file in the archive is older than the corresponding file on the file system, the file is not extracted. |
-help | Displays the most important options. |
-xhelp | Displays the least important options. |
-/ | Do not strip leading slashes from file names when extracting the files from an archive. By default, they are striped when files are extracted. |
-acl | When creating or extracting, archive or restore any ACLs associated with the files and directories. |
14.6. Compatibility with Older Systems
ext_attr
attribute. This attribute can be seen using the following command:
tune2fs -l <filesystem-device>
ext_attr
attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.
e2fsck
utility included in version 1.22 and higher of the e2fsprogs
package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr
attribute. Older versions refuse to check it.
14.7. Additional Resources
14.7.1. Installed Documentation
acl
man page — Description of ACLsgetfacl
man page — Discusses how to get file access control listssetfacl
man page — Explains how to set file access control listsstar
man page — Explains more about thestar
utility and its many options
14.7.2. Useful Websites
- http://acl.bestbits.at/ — Website for ACLs
Part III. Package Management
Chapter 15. Package Management with RPM
.tar.gz
files.
Note
15.1. RPM Design Goals
- Upgradability
- Using RPM, you can upgrade individual components of your system without completely reinstalling. When you get a new release of an operating system based on RPM (such as Red Hat Enterprise Linux), you do not need to reinstall on your machine (as you do with operating systems based on other packaging systems). RPM allows intelligent, fully-automated, in-place upgrades of your system. Configuration files in packages are preserved across upgrades, so you do not lose your customizations. There are no special upgrade files needed to upgrade a package because the same RPM file is used to install and upgrade the package on your system.
- Powerful Querying
- RPM is designed to provide powerful querying options. You can do searches through your entire database for packages or just for certain files. You can also easily find out what package a file belongs to and from where the package came. The files an RPM package contains are in a compressed archive, with a custom binary header containing useful information about the package and its contents, allowing you to query individual packages quickly and easily.
- System Verification
- Another powerful feature is the ability to verify packages. If you are worried that you deleted an important file for some package, verify the package. You are notified of any anomalies. At that point, you can reinstall the package if necessary. Any configuration files that you modified are preserved during reinstallation.
- Pristine Sources
- A crucial design goal was to allow the use of "pristine" software sources, as distributed by the original authors of the software. With RPM, you have the pristine sources along with any patches that were used, plus complete build instructions. This is an important advantage for several reasons. For instance, if a new version of a program comes out, you do not necessarily have to start from scratch to get it to compile. You can look at the patch to see what you might need to do. All the compiled-in defaults, and all of the changes that were made to get the software to build properly, are easily visible using this technique.The goal of keeping sources pristine may only seem important for developers, but it results in higher quality software for end users, too.
15.2. Using RPM
rpm --help
or refer to Section 15.5, “Additional Resources” for more information on RPM.
15.2.1. Finding RPM Packages
- The Red Hat Enterprise Linux CD-ROMs
- The Red Hat Errata Page available at http://www.redhat.com/apps/support/errata/
- A Red Hat FTP Mirror Site available at http://www.redhat.com/download/mirror.html
- Red Hat Network — Refer to Chapter 16, Red Hat Network for more details on Red Hat Network
15.2.2. Installing
foo-1.0-1.i386.rpm
. The file name includes the package name (foo
), version (1.0
), release (1
), and architecture (i386
). To install a package, log in as root and type the following command at a shell prompt:
rpm -Uvh foo-1.0-1.i386.rpm
Preparing... ########################################### [100%] 1:foo ########################################### [100%]
error: V3 DSA signature: BAD, key ID 0352860f
error: Header V3 DSA signature: BAD, key ID 0352860f
NOKEY
such as:
warning: V3 DSA signature: NOKEY, key ID 0352860f
Warning
rpm -ivh
instead. Refer to Chapter 36, Manually Upgrading the Kernel for details.
15.2.2.1. Package Already Installed
Preparing... ########################################### [100%] package foo-1.0-1 is already installed
--replacepkgs
option, which tells RPM to ignore the error:
rpm -ivh --replacepkgs foo-1.0-1.i386.rpm
15.2.2.2. Conflicting Files
Preparing... ########################################### [100%] file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20
--replacefiles
option:
rpm -ivh --replacefiles foo-1.0-1.i386.rpm
15.2.2.3. Unresolved Dependency
error: Failed dependencies: bar.so.2 is needed by foo-1.0-1 Suggested resolutions: bar-2.0.20-3.i386.rpm
rpm -ivh foo-1.0-1.i386.rpm bar-2.0.20-3.i386.rpm
Preparing... ########################################### [100%] 1:foo ########################################### [ 50%] 2:bar ########################################### [100%]
--redhatprovides
option to determine which package contains the required file. You need the rpmdb-redhat
package installed to use this option.
rpm -q --redhatprovides bar.so.2
bar.so.2
is in the installed database from the rpmdb-redhat
package, the name of the package is displayed:
bar-2.0.20-3.i386.rpm
--nodeps
option.
15.2.3. Uninstalling
rpm -e foo
Note
foo
, not the name of the original package filefoo-1.0-1.i386.rpm
. To uninstall a package, replace foo
with the actual package name of the original package.
error: Failed dependencies: foo is needed by (installed) bar-2.0.20-3.i386.rpm
--nodeps
option.
15.2.4. Upgrading
rpm -Uvh foo-2.0-1.i386.rpm
foo
package. In fact, you may want to always use -U
to install packages which works even when there are no previous versions of the package installed.
Note
-U
option for installing kernel packages because RPM replaces the previous kernel package. This does not affect a running system, but if the new kernel is unable to boot during your next restart, there would be no other kernel to boot instead.
-i
option adds the kernel to your GRUB boot menu (/etc/grub.conf
). Similarly, removing an old, unneeded kernel removes the kernel from GRUB.
saving /etc/foo.conf as /etc/foo.conf.rpmsave
package foo-2.0-1 (which is newer than foo-1.0-1) is already installed
--oldpackage
option:
rpm -Uvh --oldpackage foo-1.0-1.i386.rpm
15.2.5. Freshening
rpm -Fvh foo-1.2-1.i386.rpm
rpm -Fvh *.rpm
15.2.6. Querying
rpm -q
command to query the database of installed packages. The rpm -q foo
command displays the package name, version, and release number of the installed package foo
:
foo-2.0-1
Note
foo
with the actual package name.
-q
to specify the package(s) you want to query. These are called Package Selection Options.
-a
queries all currently installed packages.-f
queries the package which owns<file>
<file>
. When specifying a file, you must specify the full path of the file (for example,/bin/ls
).-p
queries the package<packagefile>
<packagefile>
.
-i
displays package information including name, description, release, size, build date, install date, vendor, and other miscellaneous information.-l
displays the list of files that the package contains.-s
displays the state of all the files in the package.-d
displays a list of files marked as documentation (man pages, info pages, READMEs, etc.).-c
displays a list of files marked as configuration files. These are the files you change after installation to adapt the package to your system (for example,sendmail.cf
,passwd
,inittab
, etc.).
-v
to the command to display the lists in a familiar ls -l
format.
15.2.7. Verifying
rpm -V
verifies a package. You can use any of the Package Verify Options listed for querying to specify the packages you wish to verify. A simple use of verifying is rpm -V foo
, which verifies that all the files in the foo
package are as they were when they were originally installed. For example:
- To verify a package containing a particular file:
rpm -Vf /usr/bin/vim
- To verify ALL installed packages:
rpm -Va
- To verify an installed package against an RPM package file:
rpm -Vp foo-1.0-1.i386.rpm
This command can be useful if you suspect that your RPM databases are corrupt.
c
denotes a configuration file) and then the file name. Each of the eight characters denotes the result of a comparison of one attribute of the file to the value of that attribute recorded in the RPM database. A single period (.
) means the test passed. The following characters denote failure of certain tests:
5
— MD5 checksumS
— file sizeL
— symbolic linkT
— file modification timeD
— deviceU
— userG
— groupM
— mode (includes permissions and file type)?
— unreadable file
15.3. Checking a Package's Signature
rpm -K --nosignature <rpm-file>
<rpm-file>: md5 OK
is displayed. This brief message means that the file was not corrupted by the download. To see a more verbose message, replace -K
with -Kvv
in the command.
15.3.1. Importing Keys
rpm --import /usr/share/rhn/RPM-GPG-KEY
rpm -qa gpg-pubkey*
gpg-pubkey-db42a60e-37ea5438
rpm -qi
followed by the output from the previous command:
rpm -qi gpg-pubkey-db42a60e-37ea5438
15.3.2. Verifying Signature of Packages
rpm -K <rpm-file>
md5 gpg OK
. That means that the signature of the package has been verified and that it is not corrupt.
15.4. Impressing Your Friends with RPM
- Perhaps you have deleted some files by accident, but you are not sure what you deleted. To verify your entire system and see what might be missing, you could try the following command:
rpm -Va
If some files are missing or appear to have been corrupted, you should probably either re-install the package or uninstall and then re-install the package. - At some point, you might see a file that you do not recognize. To find out which package owns it, enter:
rpm -qf /usr/bin/ggv
The output would look like the following:ggv-2.6.0-2
- We can combine the above two examples in the following scenario. Say you are having problems with
/usr/bin/paste
. You would like to verify the package that owns that program, but you do not know which package ownspaste
. Enter the following command,rpm -Vf /usr/bin/paste
and the appropriate package is verified. - Do you want to find out more information about a particular program? You can try the following command to locate the documentation which came with the package that owns that program:
rpm -qdf /usr/bin/free
The output would be similar to the following:/usr/share/doc/procps-3.2.3/BUGS /usr/share/doc/procps-3.2.3/FAQ /usr/share/doc/procps-3.2.3/NEWS /usr/share/doc/procps-3.2.3/TODO /usr/share/man/man1/free.1.gz /usr/share/man/man1/pgrep.1.gz /usr/share/man/man1/pkill.1.gz /usr/share/man/man1/pmap.1.gz /usr/share/man/man1/ps.1.gz /usr/share/man/man1/skill.1.gz /usr/share/man/man1/slabtop.1.gz /usr/share/man/man1/snice.1.gz /usr/share/man/man1/tload.1.gz /usr/share/man/man1/top.1.gz /usr/share/man/man1/uptime.1.gz /usr/share/man/man1/w.1.gz /usr/share/man/man1/watch.1.gz /usr/share/man/man5/sysctl.conf.5.gz /usr/share/man/man8/sysctl.8.gz /usr/share/man/man8/vmstat.8.gz
- You may find a new RPM, but you do not know what it does. To find information about it, use the following command:
rpm -qip crontabs-1.10-7.noarch.rpm
The output would be similar to the following:Name : crontabs Relocations: (not relocatable) Version : 1.10 Vendor: Red Hat, Inc Release : 7 Build Date: Mon 20 Sep 2004 05:58:10 PM EDT Install Date: (not installed) Build Host: tweety.build.redhat.com Group : System Environment/Base Source RPM: crontabs-1.10-7.src.rpm Size : 1004 License: Public Domain Signature : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e Packager : Red Hat, Inc <http://bugzilla.redhat.com/bugzilla> Summary : Root crontab files used to schedule the execution of programs. Description : The crontabs package contains root crontab files. Crontab is the program used to install, uninstall, or list the tables used to drive the cron daemon. The cron daemon checks the crontab files to see when particular commands are scheduled to be executed. If commands are scheduled, then it executes them.
- Perhaps you now want to see what files the
crontabs
RPM installs. You would enter the following:rpm -qlp crontabs-1.10-5.noarch.rpm
The output is similar to the following:/etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab /usr/bin/run-parts
15.5. Additional Resources
15.5.1. Installed Documentation
rpm --help
— This command displays a quick reference of RPM parameters.man rpm
— The RPM man page gives more detail about RPM parameters than therpm --help
command.
15.5.2. Useful Websites
- http://www.rpm.org/ — The RPM website.
- http://www.redhat.com/mailman/listinfo/rpm-list/ — The RPM mailing list is archived here. To subscribe, send mail to
rpm-list-request@redhat.com
with the wordsubscribe
in the subject line.
Chapter 16. Red Hat Network
Figure 16.1. Your RHN
- Errata Alerts — learn when Security Alerts, Bug Fix Alerts, and Enhancement Alerts are issued for all the systems in your network
Figure 16.2. Relevant Errata
- Automatic email notifications — Receive an email notification when an Errata Alert is issued for your system(s)
- Scheduled Errata Updates — Schedule delivery of Errata Updates
- Package installation — Schedule package installation on one or more systems with the click of a button
- Package Updater — Use the Package Updater to download the latest software packages for your system (with optional package installation)
- Red Hat Network website — Manage multiple systems, downloaded individual packages, and schedule actions such as Errata Updates through a secure Web browser connection from any computer
Warning
http://www.redhat.com/apps/activate/
yum update
from a shell prompt.
Figure 16.3. Registering with RHN
- Select(the main menu on the panel) => => on your desktop
- Execute the command
yum
from a shell prompt - Use the RHN website at https://rhn.redhat.com/
- Click on the package icon when it appears in the panel to launch the Package Updater.
http://www.redhat.com/docs/manuals/RHNetwork/
Note
Part IV. Network-Related Configuration
Chapter 17. Network Configuration
- Ethernet
- ISDN
- modem
- xDSL
- token ring
- CIPE
- wireless devices
/etc/hosts
file used to store additional hostnames and IP address combinations.
system-config-network
at a shell prompt (for example, in an XTerm or a GNOME terminal). If you type the command, the graphical version is displayed if X is running; otherwise, the text-based version is displayed.
system-config-network-cmd --help
as root to view all of the options.
Figure 17.1. Network Administration Tool
Note
17.1. Overview
- Add a network device associated with the physical hardware device.
- Add the physical hardware device to the hardware list, if it does not already exist.
- Configure the hostname and DNS settings.
- Configure any hosts that cannot be looked up through DNS.
17.2. Establishing an Ethernet Connection
- Click the Devices tab.
- Click thebutton on the toolbar.
- Select Ethernet connection from the Device Type list, and click .
- If you have already added the network interface card to the hardware list, select it from the Ethernet card list. Otherwise, select Other Ethernet Card to add the hardware device.
Note
The installation program detects supported Ethernet devices and prompts you to configure them. If you configured any Ethernet devices during the installation, they are displayed in the hardware list on the Hardware tab. - If you selected Other Ethernet Card, the Select Ethernet Adapter window appears. Select the manufacturer and model of the Ethernet card. Select the device name. If this is the system's first Ethernet card, select eth0 as the device name; if this is the second Ethernet card, select eth1 (and so on). The Network Administration Tool also allows you to configure the resources for the NIC. Click to continue.
- In the Configure Network Settings window shown in Figure 17.2, “Ethernet Settings”, choose between DHCP and a static IP address. If the device receives a different IP address each time the network is started, do not specify a hostname. Click to continue.
- Click Create Ethernet Device page.on the
Figure 17.2. Ethernet Settings
Figure 17.3. Ethernet Device
17.3. Establishing an ISDN Connection
- Click the Devices tab.
- Click thebutton on the toolbar.
- Select ISDN connection from the Device Type list, and click .
- Select the ISDN adapter from the pulldown menu. Then configure the resources and D channel protocol for the adapter. Clickto continue.
Figure 17.4. ISDN Settings
- If your Internet Service Provider (ISP) is in the pre-configured list, select it. Otherwise, enter the required information about your ISP account. If you do not know the values, contact your ISP. Click.
- In the IP Settings window, select the Encapsulation Mode and whether to obtain an IP address automatically or to set a static IP instead. Click when finished.
- On the Create Dialup Connection page, click .
Figure 17.5. ISDN Device
17.4. Establishing a Modem Connection
- Click the Devices tab.
- Click thebutton on the toolbar.
- Select Modem connection from the Device Type list, and click .
- If there is a modem already configured in the hardware list (on the Hardware tab), the Network Administration Tool assumes you want to use it to establish a modem connection. If there are no modems already configured, it tries to detect any modems in the system. This probe might take a while. If a modem is not found, a message is displayed to warn you that the settings shown are not values found from the probe.
- After probing, the window in Figure 17.6, “Modem Settings” appears.
Figure 17.6. Modem Settings
- Configure the modem device, baud rate, flow control, and modem volume. If you do not know these values, accept the defaults if the modem was probed successfully. If you do not have touch tone dialing, uncheck the corresponding checkbox. Click.
- If your ISP is in the pre-configured list, select it. Otherwise, enter the required information about your ISP account. If you do not know these values, contact your ISP. Click.
- On the IP Settings page, select whether to obtain an IP address automatically or whether to set one statically. Click when finished.
- On the Create Dialup Connection page, click .
Modem
as shown in Figure 17.7, “Modem Device”.
Figure 17.7. Modem Device
17.5. Establishing an xDSL Connection
- Click the Devices tab.
- Click thebutton.
- Select xDSL connection from the Device Type list, and click .
- If your Ethernet card is in the hardware list, select the Ethernet Device from the pulldown menu from the page shown in Figure 17.8, “xDSL Settings”. Otherwise, the Select Ethernet Adapter window appears.
Note
The installation program detects supported Ethernet devices and prompts you to configure them. If you configured any Ethernet devices during the installation, they are displayed in the hardware list on the Hardware tab.Figure 17.8. xDSL Settings
- If the Select Ethernet Adapter window appears, select the manufacturer and model of the Ethernet card. Select the device name. If this is the system's first Ethernet card, select eth0 as the device name; if this is the second Ethernet card, select eth1 (and so on). The Network Administration Tool also allows you to configure the resources for the NIC. Click to continue.
- Enter the Provider Name, Login Name, and Password. If you have a T-Online account, instead of entering a Login Name and Password in the default window, click the button and enter the required information. Click to continue.
- On the Create DSL Connection page, click .
Figure 17.9. xDSL Device
17.6. Establishing a Token Ring Connection
Note
- Click the Devices tab.
- Click thebutton on the toolbar.
- Select Token Ring connection from the Device Type list and click .
- If you have already added the token ring card to the hardware list, select it from the Tokenring card list. Otherwise, select Other Tokenring Card to add the hardware device.
- If you selected Other Tokenring Card, the Select Token Ring Adapter window as shown in Figure 17.10, “Token Ring Settings” appears. Select the manufacturer and model of the adapter. Select the device name. If this is the system's first token ring card, select tr0; if this is the second token ring card, select tr1 (and so on). The Network Administration Tool also allows the user to configure the resources for the adapter. Click to continue.
Figure 17.10. Token Ring Settings
- On the Configure Network Settings page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname. Click to continue.
- Click Create Tokenring Device page.on the
Figure 17.11. Token Ring Device
17.7. Establishing a Wireless Connection
- Click the Devices tab.
- Click thebutton on the toolbar.
- Select Wireless connection from the Device Type list and click .
- If you have already added the wireless network interface card to the hardware list, select it from the Wireless card list. Otherwise, select Other Wireless Card to add the hardware device.
Note
The installation program usually detects supported wireless Ethernet devices and prompts you to configure them. If you configured them during the installation, they are displayed in the hardware list on the Hardware tab. - If you selected Other Wireless Card, the Select Ethernet Adapter window appears. Select the manufacturer and model of the Ethernet card and the device. If this is the first Ethernet card for the system, select eth0; if this is the second Ethernet card for the system, select eth1 (and so on). The Network Administration Tool also allows the user to configure the resources for the wireless network interface card. Click to continue.
- On the Configure Wireless Connection page as shown in Figure 17.12, “Wireless Settings”, configure the settings for the wireless device.
Figure 17.12. Wireless Settings
- On the Configure Network Settings page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname. Click to continue.
- Click Create Wireless Device page.on the
Figure 17.13. Wireless Device
17.8. Managing DNS Settings
Figure 17.14. DNS Configuration
Note
Warning
system-config-network
is started on the local host, you may not be able to start another X11 application. As such, you may have to re-login to a new desktop session.
17.9. Managing Hosts
/etc/hosts
file. This file contains IP addresses and their corresponding hostnames.
/etc/hosts
file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration). If the IP address is listed in the /etc/hosts
file, the name servers are not used. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the /etc/hosts
file.
/etc/hosts
file, go to the Hosts tab, click the button on the toolbar, provide the requested information, and click OK. Select => or press Ctrl+S to save the changes to the /etc/hosts
file. The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved.
Warning
localhost
entry. Even if the system does not have a network connection or have a network connection running constantly, some programs need to connect to the system via the localhost loopback interface.
Figure 17.15. Hosts Configuration
Note
/etc/host.conf
file. The line order hosts, bind
specifies that /etc/hosts
takes precedence over the name servers. Changing the line to order bind, hosts
configures the system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, the system then looks for the IP address in the /etc/hosts
file.
17.10. Working with Profiles
eth0_office
, so that it can be recognized more easily.
eth0_office
in a profile called Office
and want to activate the logical device if the profile is selected, uncheck the eth0
device and check the eth0_office
device.
Figure 17.16. Office Profile
eth0
.
Figure 17.17. Home Profile
eth0
to activate in the Office profile only and to activate a PPP (modem) device in the Home profile only. Another example is to have the Common profile activate eth0
and an Away profile activate a PPP device for use while traveling.
netprofile=<profilename>
option. For example, if the system uses GRUB as the boot loader and /boot/grub/grub.conf
contains:
title Red Hat Enterprise Linux (2.6.9-5.EL) root (hd0,0) kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-5.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \
netprofile=<profilename>
\ rhgb quiet
initrd /initrd-2.6.9-5.EL.img
system-control-network
) to select a profile and activate it. The activate profile section only appears in the Network Device Control interface if more than the default Common interface exists.
system-config-network-cmd --profile <profilename> --activate
17.11. Device Aliases
eth0
—to use a static IP address (DHCP does not work with aliases), go to the Devices tab and click . Select the Ethernet card to configure with an alias, set the static IP address for the alias, and click to create it. Since a device already exists for the Ethernet card, the one just created is the alias, such as eth0:1
.
Warning
eth0
device. Notice the eth0:1
device — the first alias for eth0
. The second alias for eth0
would have the device name eth0:2
, and so on. To modify the settings for the device alias, such as whether to activate it at boot time and the alias number, select it from the list and click the button.
Figure 17.18. Network Device Alias Example
/sbin/ifconfig
. The output should show the device and the device alias with different IP addresses:
eth0 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.5 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:161930 errors:1 dropped:0 overruns:0 frame:0 TX packets:244570 errors:0 dropped:0 overruns:0 carrier:0 collisions:475 txqueuelen:100 RX bytes:55075551 (52.5 Mb) TX bytes:178108895 (169.8 Mb) Interrupt:10 Base address:0x9000 eth0:1 Link encap:Ethernet HWaddr 00:A0:CC:60:B7:G4 inet addr:192.168.100.42 Bcast:192.168.100.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:10 Base address:0x9000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:5998 errors:0 dropped:0 overruns:0 frame:0 TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1627579 (1.5 Mb) TX bytes:1627579 (1.5 Mb)
17.12. Saving and Restoring the Network Configuration
/tmp/network-config
, execute the following command as root:
system-config-network-cmd -e > /tmp/network-config
system-config-network-cmd -i -c -f /tmp/network-config
-i
option means to import the data, the -c
option means to clear the existing configuration prior to importing, and the -f
option specifies that the file to import is as follows.
Chapter 18. Firewalls
Method | Description | Advantages | Disadvantages | ||||||
---|---|---|---|---|---|---|---|---|---|
NAT | Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem. |
|
| ||||||
Packet Filter | A packet filtering firewall reads each data packet that passes through a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem. |
|
| ||||||
Proxy | Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines. |
|
|
18.1. Netfilter and IPTables
iptables
tool.
18.1.1. IPTables Overview
iptables
administration tool, a command line tool similar in syntax to its predecessor, ipchains
.
ipchains
requires intricate rule sets for: filtering source paths; filtering destination paths; and filtering both source and destination connection ports.
iptables
uses the Netfilter subsystem to enhance network connection, inspection, and processing. iptables
features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.
iptables
.
18.2. Basic Firewall Configuration
18.2.1. Security Level Configuration Tool
[root@myServer ~] # system-config-selinux
Figure 18.1. Security Level Configuration Tool
Note
18.2.2. Enabling and Disabling the Firewall
- Disabled — Disabling the firewall provides complete access to your system and does no security checking. This should only be selected if you are running on a trusted network (not the Internet) or need to configure a custom firewall using the iptables command line tool.
Warning
Firewall configurations and any customized firewall rules are stored in the/etc/sysconfig/iptables
file. If you choose Disabled and click , these configurations and firewall rules will be lost. - Enabled — This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice.
18.2.3. Trusted Services
- WWW (HTTP)
- The HTTP protocol is used by Apache (and by other Web servers) to serve web pages. If you plan on making your Web server publicly available, select this check box. This option is not required for viewing pages locally or for developing web pages. This service requires that the
httpd
package be installed.Enabling WWW (HTTP) will not open a port for HTTPS, the SSL version of HTTP. If this service is required, select the Secure WWW (HTTPS) check box. - FTP
- The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, select this check box. This service requires that the
vsftpd
package be installed. - SSH
- Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, select this check box. This service requires that the
openssh-server
package be installed. - Telnet
- Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. To allow remote access to the machine via telnet, select this check box. This service requires that the
telnet-server
package be installed. - Mail (SMTP)
- SMTP is a protocol that allows remote hosts to connect directly to your machine to deliver mail. You do not need to enable this service if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as
fetchmail
. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam. - NFS4
- The Network File System (NFS) is a file sharing protocol commonly used on *NIX systems. Version 4 of this protocol is more secure than its predecessors. If you want to share files or directories on your system with other network users, select this check box.
- Samba
- Samba is an implementation of Microsoft's proprietary SMB networking protocol. If you need to share files, directories, or locally-connected printers with Microsoft Windows machines, select this check box.
18.2.4. Other Ports
iptables
. For example, to allow IRC and Internet printing protocol (IPP) to pass through the firewall, add the following to the Other ports section:
194:tcp,631:tcp
18.2.5. Saving the Settings
iptables
commands and written to the /etc/sysconfig/iptables
file. The iptables
service is also started so that the firewall is activated immediately after saving the selected options. If Disable firewall was selected, the /etc/sysconfig/iptables
file is removed and the iptables
service is stopped immediately.
/etc/sysconfig/system-config-selinux
file so that the settings can be restored the next time the application is started. Do not edit this file by hand.
iptables
service is not configured to start automatically at boot time. Refer to Section 18.2.6, “Activating the IPTables Service” for more information.
18.2.6. Activating the IPTables Service
iptables
service is running. To manually start the service, use the following command:
[root@myServer ~] # service iptables restart
iptables
starts when the system is booted, use the following command:
[root@myServer ~] # chkconfig --level 345 iptables on
ipchains
service is not included in Red Hat Enterprise Linux. However, if ipchains
is installed (for example, an upgrade was performed and the system had ipchains
previously installed), the ipchains
and iptables
services should not be activated simultaneously. To make sure the ipchains
service is disabled and configured not to start at boot time, use the following two commands:
[root@myServer ~] # service ipchains stop [root@myServer ~] # chkconfig --level 345 ipchains off
18.3. Using IPTables
iptables
is to start the iptables
service. Use the following command to start the iptables
service:
[root@myServer ~] # service iptables start
Note
ip6tables
service can be turned off if you intend to use the iptables
service only. If you deactivate the ip6tables
service, remember to deactivate the IPv6 network also. Never leave a network device active without the matching firewall.
iptables
to start by default when the system is booted, use the following command:
[root@myServer ~] # chkconfig --level 345 iptables on
iptables
to start whenever the system is booted into runlevel 3, 4, or 5.
18.3.1. IPTables Command Syntax
iptables
command illustrates the basic command syntax:
[root@myServer ~ ] # iptables -A <chain> -j <target>
-A
option specifies that the rule be appended to <chain>. Each chain is comprised of one or more rules, and is therefore also known as a ruleset.
-j <target>
option specifies the target of the rule; i.e., what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT.
iptables
man page for more information on the available chains, options, and targets.
18.3.2. Basic Firewall Policies
iptables
chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall ruleset for the firewall.
[root@myServer ~ ] # iptables -P INPUT DROP [root@myServer ~ ] # iptables -P OUTPUT DROP
[root@myServer ~ ] # iptables -P FORWARD DROP
18.3.3. Saving and Restoring IPTables Rules
iptables
are transitory; if the system is rebooted or if the iptables
service is restarted, the rules are automatically flushed and reset. To save the rules so that they are loaded when the iptables
service is started, use the following command:
[root@myServer ~ ] # service iptables save
/etc/sysconfig/iptables
and are applied whenever the service is started or the machine is rebooted.
18.4. Common IPTables Filtering
[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Important
iptables
ruleset, order is important.
-I
option. For example:
[root@myServer ~ ] # iptables -I INPUT 1 -i lo -p all -j ACCEPT
iptables
to accept connections from remote SSH clients. For example, the following rules allow remote SSH access:
[root@myServer ~ ] # iptables -A INPUT -p tcp --dport 22 -j ACCEPT [root@myServer ~ ] # iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables
filtering rules.
18.5. FORWARD
and NAT Rules
iptables
provides routing and forwarding policies that can be implemented to prevent abnormal usage of network resources.
FORWARD
chain allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), use the following rules:
[root@myServer ~ ] # iptables -A FORWARD -i eth1 -j ACCEPT [root@myServer ~ ] # iptables -A FORWARD -o eth1 -j ACCEPT
eth1
device.
Note
[root@myServer ~ ] # sysctl -w net.ipv4.ip_forward=1
/etc/sysctl.conf
file as follows:
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
sysctl.conf
file:
[root@myServer ~ ] # sysctl -p /etc/sysctl.conf
18.5.1. Postrouting and IP Masquerading
[root@myServer ~ ] # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-t nat
) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING
) on the firewall's external networking device (-o eth0
).
-j MASQUERADE
target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.
18.5.2. Prerouting
-j DNAT
target of the PREROUTING chain in NAT to specify a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded.
[root@myServer ~ ] # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
Note
[root@myServer ~ ] # iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT
18.5.3. DMZs and IPTables
iptables
rules to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ). A DMZ is a special local subnetwork dedicated to providing services on a public carrier, such as the Internet.
PREROUTING
table to forward the packets to the appropriate destination:
[root@myServer ~ ] # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80
18.6. Malicious Software and Spoofed IP Addresses
[root@myServer ~ ] # iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP [root@myServer ~ ] # iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
[root@myServer ~ ] # iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
Note
DROP
and REJECT
targets when dealing with appended rules.
REJECT
target denies access and returns a connection refused
error to users who attempt to connect to the service. The DROP
target, as the name implies, drops the packet without any warning.
REJECT
target is recommended.
18.7. IPTables and Connection Tracking
iptables
uses a method called connection tracking to store information about incoming connections. You can allow or deny access based on the following connection states:
NEW
— A packet requesting a new connection, such as an HTTP request.ESTABLISHED
— A packet that is part of an existing connection.RELATED
— A packet that is requesting a new connection but is part of an existing connection. For example, FTP uses port 21 to establish a connection, but data is transferred on a different port (typically port 20).INVALID
— A packet that is not part of any connections in the connection tracking table.
iptables
connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP). The following example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection:
[root@myServer ~ ] # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
18.8. IPv6
ip6tables
command. In Red Hat Enterprise Linux 5, both IPv4 and IPv6 services are enabled by default.
ip6tables
command syntax is identical to iptables
in every aspect except that it supports 128-bit addresses. For example, use the following command to enable SSH connections on an IPv6-aware network server:
[root@myServer ~ ] # ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT
18.9. Additional Resources
18.9.1. Installed Documentation
- The
iptables
man page contains a brief summary of the various options.
18.9.2. Useful Websites
- http://www.netfilter.org/ — The official homepage of the Netfilter and
iptables
project. - http://www.tldp.org/ — The Linux Documentation Project contains several useful guides relating to firewall creation and administration.
- http://www.iana.org/assignments/port-numbers — The official list of registered and common service ports as assigned by the Internet Assigned Numbers Authority.
18.9.3. Related Documentation
- Red Hat Linux Firewalls, by Bill McCarty; Red Hat Press — a comprehensive reference to building network and server firewalls using open source packet filtering technology such as Netfilter and
iptables
. It includes topics that cover analyzing firewall logs, developing firewall rules, and customizing your firewall using various graphical tools. - Linux Firewalls, by Robert Ziegler; New Riders Press — contains a wealth of information on building firewalls using both 2.2 kernel
ipchains
as well as Netfilter andiptables
. Additional security topics such as remote access issues and intrusion detection systems are also covered.
Chapter 19. Controlling Access to Services
httpd
if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
xinetd
and the services in the /etc/rc.d/init.d
hierarchy (also known as SysV services) can be configured to start or stop using three different applications:
- Services Configuration Tool — a graphical application that displays a description of each service, displays whether each service is started at boot time (for runlevels 3, 4, and 5), and allows services to be started, stopped, and restarted.
- ntsysv — a text-based application that allows you to configure which services are started at boot time for each runlevel. Non-
xinetd
services can not be started, stopped, or restarted using this program. chkconfig
— a command line utility that allows you to turn services on and off for the different runlevels. Non-xinetd
services can not be started, stopped, or restarted using this utility.
/etc/rc.d
by hand or editing the xinetd
configuration files in /etc/xinetd.d
.
iptables
to configure an IP firewall. If you are a new Linux user, please realize that iptables
may not be the best solution for you. Setting up iptables
can be complicated and is best tackled by experienced Linux system administrators.
iptables
is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, iptables
can provide it for you. Refer to the Reference Guide and the Security Guide for more information about iptables
.
system-config-securitylevel
), which allows you to select the security level for your system, similar to the Firewall Configuration screen in the installation program.
iptables
chapter in the Reference Guide.
19.1. Runlevels
/etc/rc.d/rc<x>.d
, where <x> is the number of the runlevel.
- 0 — Halt
- 1 — Single-user mode
- 2 — Not used (user-definable)
- 3 — Full multi-user mode
- 4 — Not used (user-definable)
- 5 — Full multi-user mode (with an X-based login screen)
- 6 — Reboot
/etc/inittab
file, which contains a line near the top of the file similar to the following:
id:5:initdefault:
telinit
followed by the runlevel number. You must be root to use this command. The telinit
command does not change the /etc/inittab
file; it only changes the runlevel currently running. When the system is rebooted, it continues to boot the runlevel as specified in /etc/inittab
.
19.2. TCP Wrappers
xinetd
(as well as any program with built-in support for libwrap
) can use TCP wrappers to manage access. xinetd
can use the /etc/hosts.allow
and /etc/hosts.deny
files to configure access to system services. As the names imply, hosts.allow
contains a list of rules that allow clients to access the network services controlled by xinetd
, and hosts.deny
contains rules to deny access. The hosts.allow
file takes precedence over the hosts.deny
file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to the Reference Guide and hosts_access
in section 5 of the man pages (man 5 hosts_access
) for details.
19.2.1. xinetd
xinetd
, which is a secure replacement for inetd
. The xinetd
daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd
can be used to provide access only to particular hosts, to deny access to particular hosts, to provide access to a service at certain times, to limit the rate of incoming connections and/or the load created by connections, and more
xinetd
runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd
starts up the appropriate server for that service.
xinetd
is /etc/xinetd.conf
, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d
directory. To enable or disable an xinetd
service, edit its configuration file in the /etc/xinetd.d
directory. If the disable
attribute is set to yes
, the service is disabled. If the disable
attribute is set to no
, the service is enabled. You can edit any of the xinetd
configuration files or change its enabled status using the Services Configuration Tool, ntsysv, or chkconfig
. For a list of network services controlled by xinetd
, review the contents of the /etc/xinetd.d
directory with the command ls /etc/xinetd.d
.
19.3. Services Configuration Tool
/etc/rc.d/init.d
directory are started at boot time (for runlevels 3, 4, and 5) and which xinetd
services are enabled. It also allows you to start, stop, and restart SysV services as well as restart xinetd
.
system-config-services
at a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 19.1. Services Configuration Tool
/etc/rc.d/init.d
directory as well as the services controlled by xinetd
. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an xinetd
service, the status window shows whether the service is currently running. If the service is controlled by xinetd
, the status window displays the phrase xinetd service.
xinetd
service, the action buttons are disabled because they can not be started or stopped individually.
xinetd
service by checking or unchecking the checkbox next to the service name, you must select => from the pulldown menu to restart xinetd
and immediately enable/disable the xinetd
service that you changed. xinetd
is also configured to remember the setting. You can enable/disable multiple xinetd
services at a time and save the changes when you are finished.
rsync
to enable it in runlevel 3 and then save the changes. The rsync
service is immediately enabled. The next time xinetd
is started, rsync
is still enabled.
Warning
xinetd
services, xinetd
is restarted, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.
xinetd
service to start at boot time for the currently selected runlevel, check the checkbox beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting => from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.
httpd
service from checked to unchecked and then select , the runlevel 3 configuration changes so that httpd
is not started at boot time. However, runlevel 3 is not reinitialized, so httpd
is still running. Select one of following options at this point:
- Stop the
httpd
service — Stop the service by selecting it from the list and clicking the button. A message appears stating that the service was stopped successfully. - Reinitialize the runlevel — Reinitialize the runlevel by going to a shell prompt and typing the command
telinit 3
(where 3 is the runlevel number). This option is recommended if you change the Start at Boot value of multiple services and want to activate the changes immediately. - Do nothing else — You do not have to stop the
httpd
service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without thehttpd
service running.
19.4. ntsysv
xinetd
-managed service on or off. You can also use ntsysv to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the --level
option. For example, the command ntsysv --level 345
configures runlevels 3, 4, and 5.
Warning
xinetd
are immediately affected by ntsysv. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command service daemon stop
. In the previous example, replace daemon with the name of the service you want to stop; for example, httpd
. Replace stop
with start
or restart
to start or restart the service.
19.5. chkconfig
chkconfig
command can also be used to activate and deactivate services. The chkconfig --list
command displays a list of system services and whether they are started (on
) or stopped (off
) in runlevels 0-6. At the end of the list is a section for the services managed by xinetd
.
chkconfig --list
command is used to query a service managed by xinetd
, it displays whether the xinetd
service is enabled (on
) or disabled (off
). For example, the command chkconfig --list finger
returns the following output:
finger on
finger
is enabled as an xinetd
service. If xinetd
is running, finger
is enabled.
chkconfig --list
to query a service in /etc/rc.d
, service's settings for each runlevel are displayed. For example, the command chkconfig --list httpd
returns the following output:
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
chkconfig
can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn nscd
off in runlevels 3, 4, and 5, use the following command:
chkconfig --level 345 nscd off
Warning
xinetd
are immediately affected by chkconfig
. For example, if xinetd
is running, finger
is disabled, and the command chkconfig finger on
is executed, finger
is immediately enabled without having to restart xinetd
manually. Changes for other services do not take effect immediately after using chkconfig
. You must stop or start the individual service with the command service daemon stop
. In the previous example, replace daemon with the name of the service you want to stop; for example, httpd
. Replace stop
with start
or restart
to start or restart the service.
19.6. Additional Resources
19.6.1. Installed Documentation
- The man pages for
ntsysv
,chkconfig
,xinetd
, andxinetd.conf
. man 5 hosts_access
— The man page for the format of host access control files (in section 5 of the man pages).
19.6.2. Useful Websites
- http://www.xinetd.org — The
xinetd
webpage. It contains a more detailed list of features and sample configuration files.
19.6.3. Related Books
- Reference Guide , Red Hat, Inc — This companion manual contains detailed information about how TCP wrappers and
xinetd
allow or deny access as well as how to configure network access using them. It also provides instructions for creatingiptables
firewall rules. - Security Guide Red Hat, Inc — This manual discusses securing services with TCP wrappers and
xinetd
such as logging denied connection attempts.
Chapter 20. OpenSSH
telnet
, ftp
, rlogin
, rsh
, and rcp
with secure, encrypted network connectivity tools. OpenSSH supports versions 1.3, 1.5, and 2 of the SSH protocol. Since OpenSSH version 2.9, the default protocol is version 2, which uses RSA keys as the default.
20.1. Why Use OpenSSH?
Telnet
and ftp
use plain text passwords and send all information unencrypted. The information can be intercepted, the passwords can be retrieved, and your system could be compromised by an unauthorized person logging in to your system using one of the intercepted passwords. The OpenSSH set of utilities should be used whenever possible to avoid these security problems.
DISPLAY
variable to the client machine. In other words, if you are running the X Window System on your local machine, and you log in to a remote machine using the ssh
command, when you run a program on the remote machine that requires X, it will be displayed on your local machine. This feature is convenient if you prefer graphical system administration tools but do not always have physical access to your server.
20.2. Configuring an OpenSSH Server
openssh-server
package is required and depends on the openssh
package.
/etc/ssh/sshd_config
. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default sshd_config
, read the sshd
man page for a list of the keywords that can be defined in the configuration file.
/sbin/service sshd start
. To stop the OpenSSH server, use the command /sbin/service sshd stop
. If you want the daemon to start automatically at boot time, refer to Chapter 19, Controlling Access to Services for information on how to manage services.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed.
/etc/ssh/ssh_host*key*
files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
20.3. Configuring an OpenSSH Client
openssh-clients
and openssh
packages installed on the client machine.
20.3.1. Using the ssh
Command
ssh
command is a secure replacement for the rlogin
, rsh
, and telnet
commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
ssh
is similar to using telnet
. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net
ssh
to a remote machine, you will see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established. DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c. Are you sure you want to continue connecting (yes/no)?
yes
to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts/
) as seen in the following message:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
ssh username@penguin.example.net
ssh -l username penguin.example.net
.
ssh
command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostnamecommand
. For example, if you want to execute the command ls /usr/share/doc
on the remote machine penguin.example.net, type the following command at a shell prompt:
ssh penguin.example.net ls /usr/share/doc
/usr/share/doc
will be displayed, and you will return to your local shell prompt.
20.3.2. Using the scp
Command
scp
command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp
.
scp <localfile>username@tohostname:<remotefile>
/var/log/maillog
. The <remotefile> specifies the destination, which can be a new filename such as /tmp/hostname-maillog
. For the remote system, if you do not have a preceding /
, the path will be relative to the home directory of username, typically /home/username/
.
shadowman
to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace username with your username):
scp shadowman username@penguin.example.net:shadowman
shadowman
to /home/username/shadowman
on penguin.example.net. Alternately, you can leave off the final shadowman
in the scp
command.
scp username@tohostname:<remotefile><newlocalfile>
downloads/
to an existing directory called uploads/
on the remote machine penguin.example.net, type the following at a shell prompt:
scp downloads/* username@penguin.example.net:uploads/
20.3.3. Using the sftp
Command
sftp
utility can be used to open a secure, interactive FTP session. It is similar to ftp
except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com
. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the sftp
man page for a list of these commands. To read the man page, execute the command man sftp
at a shell prompt. The sftp
utility is only available in OpenSSH version 2.5.0p1 and higher.
20.3.4. Generating Key Pairs
ssh
, scp
, or sftp
to connect to a remote machine, you can generate an authorization key pair.
~/.ssh/authorized_keys2
, ~/.ssh/known_hosts2
, and /etc/ssh_known_hosts2
are obsolete. SSH Protocol 1 and 2 share the ~/.ssh/authorized_keys
, ~/.ssh/known_hosts
, and /etc/ssh/ssh_known_hosts
files.
Note
.ssh
directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
20.3.4.1. Generating an RSA Key Pair for Version 2
- To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
ssh-keygen -t rsa
Accept the default file location of~/.ssh/id_rsa
. Enter a passphrase different from your account password and confirm it by entering it again.The public key is written to~/.ssh/id_rsa.pub
. The private key is written to~/.ssh/id_rsa
. Never distribute your private key to anyone. - Change the permissions of the
.ssh
directory using the following command:chmod 755 ~/.ssh
- Copy the contents of
~/.ssh/id_rsa.pub
into the file~/.ssh/authorized_keys
on the machine to which you want to connect. If the file~/.ssh/authorized_keys
exist, append the contents of the file~/.ssh/id_rsa.pub
to the file~/.ssh/authorized_keys
on the other machine. - Change the permissions of the
authorized_keys
file using the following command:chmod 644 ~/.ssh/authorized_keys
- If you are running GNOME, skip to Section 20.3.4.4, “Configuring
ssh-agent
with GNOME”. If you are not running the X Window System, skip to Section 20.3.4.5, “Configuringssh-agent
”.
20.3.4.2. Generating a DSA Key Pair for Version 2
- To generate a DSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
ssh-keygen -t dsa
Accept the default file location of~/.ssh/id_dsa
. Enter a passphrase different from your account password and confirm it by entering it again.Note
A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of a single word.The public key is written to~/.ssh/id_dsa.pub
. The private key is written to~/.ssh/id_dsa
. It is important never to give anyone the private key. - Change the permissions of the
.ssh
directory with the following command:chmod 755 ~/.ssh
- Copy the contents of
~/.ssh/id_dsa.pub
into the file~/.ssh/authorized_keys
on the machine to which you want to connect. If the file~/.ssh/authorized_keys
exist, append the contents of the file~/.ssh/id_dsa.pub
to the file~/.ssh/authorized_keys
on the other machine. - Change the permissions of the
authorized_keys
file using the following command:chmod 644 ~/.ssh/authorized_keys
- If you are running GNOME, skip to Section 20.3.4.4, “Configuring
ssh-agent
with GNOME”. If you are not running the X Window System, skip to Section 20.3.4.5, “Configuringssh-agent
”.
20.3.4.3. Generating an RSA Key Pair for Version 1.3 and 1.5
- To generate an RSA (for version 1.3 and 1.5 protocol) key pair, type the following command at a shell prompt:
ssh-keygen -t rsa1
Accept the default file location (~/.ssh/identity
). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.The public key is written to~/.ssh/identity.pub
. The private key is written to~/.ssh/identity
. Do not give anyone the private key. - Change the permissions of your
.ssh
directory and your key with the commandschmod 755 ~/.ssh
andchmod 644 ~/.ssh/identity.pub
. - Copy the contents of
~/.ssh/identity.pub
into the file~/.ssh/authorized_keys
on the machine to which you wish to connect. If the file~/.ssh/authorized_keys
does not exist, you can copy the file~/.ssh/identity.pub
to the file~/.ssh/authorized_keys
on the remote machine. - If you are running GNOME, skip to Section 20.3.4.4, “Configuring
ssh-agent
with GNOME”. If you are not running GNOME, skip to Section 20.3.4.5, “Configuringssh-agent
”.
20.3.4.4. Configuring ssh-agent
with GNOME
ssh-agent
utility can be used to save your passphrase so that you do not have to enter it each time you initiate an ssh
or scp
connection. If you are using GNOME, the openssh-askpass-gnome
package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any ssh
or scp
connection made during that GNOME session. If you are not using GNOME, refer to Section 20.3.4.5, “Configuring ssh-agent
”.
- You will need to have the package
openssh-askpass-gnome
installed; you can use the commandrpm -q openssh-askpass-gnome
to determine if it is installed or not. If it is not installed, install it from your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network. - Select Sessions, and click on the Startup Programs tab. Click and enter(on the Panel) => => =>
/usr/bin/ssh-add
in the Startup Command text area. Set it a priority to a number higher than any existing commands to ensure that it is executed last. A good priority number forssh-add
is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click to exit the program. - Log out and then log back into GNOME; in other words, restart X. After GNOME is started, a dialog box will appear prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by
ssh
,scp
, orsftp
.
20.3.4.5. Configuring ssh-agent
ssh-agent
can be used to store your passphrase so that you do not have to enter it each time you make a ssh
or scp
connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to Section 20.3.4.4, “Configuring ssh-agent
with GNOME”), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
- At a shell prompt, type the following command:
exec /usr/bin/ssh-agent $SHELL
- Then type the command:
ssh-add
and enter your passphrase(s). If you have more than one key pair configured, you will be prompted for each one. - When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window.
20.4. Additional Resources
20.4.1. Installed Documentation
- The
ssh
,scp
,sftp
,sshd
, andssh-keygen
man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.
20.4.2. Useful Websites
- http://www.openssh.com/ — The OpenSSH FAQ page, bug reports, mailing lists, project goals, and a more technical explanation of the security features.
- http://www.openssl.org/ — The OpenSSL FAQ page, mailing lists, and a description of the project goal.
- http://www.freessh.org/ — SSH client software for other platforms.
20.4.3. Related Books
- Reference Guide — Learn the event sequence of an SSH connection, review a list of configuration files, and discover how SSH can be used for X forwarding.
Chapter 21. Network File System (NFS)
21.1. Why Use NFS?
/myproject
. To access the shared files, the user goes into the /myproject
directory on his machine. There are no passwords to enter or special commands to remember. Users work as if the directory is on their local machines.
21.2. Mounting NFS File Systems
mount
command to mount a shared NFS directory from another machine:
mount shadowman.example.com:/misc/export
/misc/local
Warning
/misc/local
in the above example) must exist before this command can be executed.
shadowman.example.com
is the hostname of the NFS file server, /misc/export
is the directory that shadowman
is exporting, and /misc/local
is the location to mount the file system on the local machine. After the mount
command runs (and if the client has proper permissions from the shadowman.example.com
NFS server) the client user can execute the command ls /misc/local
to display a listing of the files in /misc/export
on shadowman.example.com
.
21.2.1. Mounting NFS File Systems using /etc/fstab
/etc/fstab
file. The line must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the /etc/fstab
file.
/etc/fstab
is as follows:
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr
/pub
must exist on the client machine before this command can be executed. After adding this line to /etc/fstab
on the client system, type the command mount /pub
at a shell prompt, and the mount point /pub
is mounted from the server.
21.2.2. Mounting NFS File Systems using autofs
/etc/auto.master
to determine which mount points are defined. It then starts an automount process with the appropriate parameters for each mount point. Each line in the master map defines a mount point and a separate map file that defines the file systems to be mounted under this mount point. For example, the /etc/auto.misc
file might define mount points in the /misc
directory; this relationship would be defined in the /etc/auto.master
file.
auto.master
has three fields. The first field is the mount point. The second field is the location of the map file, and the third field is optional. The third field can contain information such as a timeout value.
/proj52
on the remote machine penguin.example.net at the mount point /misc/myproject
on your machine, add the following line to auto.master
:
/misc /etc/auto.misc --timeout 60
/etc/auto.misc
:
myproject -rw,soft,intr,rsize=8192,wsize=8192 penguin.example.net:/proj52
/etc/auto.misc
is the name of the /misc
subdirectory. This subdirectory is created dynamically by automount. It should not actually exist on the client machine. The second field contains mount options such as rw
for read and write access. The third field is the location of the NFS export including the hostname and directory.
Note
/misc
must exist on the local file system. There should be no subdirectories in /misc
on the local file system.
/sbin/service autofs restart
/sbin/service autofs status
/etc/auto.master
configuration file while autofs is running, you must tell the automount daemon(s) to reload by typing the following command at a shell prompt:
/sbin/service autofs reload
21.2.3. Using TCP
-o udp
option to mount
when mounting the NFS-exported file system on the client system.
/etc/fstab
file (client side), and automatically via autofs configuration files, such as /etc/auto.master
and /etc/auto.misc
(server side with NIS).
mount -o udp shadowman.example.com:/misc/export /misc/local
/etc/fstab
(client side):
server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr,udp
myproject -rw,soft,intr,rsize=8192,wsize=8192,udp penguin.example.net:/proj52
-o udp
option is not specified, the NFS-exported file system is accessed via TCP.
- Improved connection durability, thus less
NFS stale file handles
messages. - Performance gain on heavily loaded networks because TCP acknowledges every packet, unlike UDP which only acknowledges completion.
- TCP has better congestion control than UDP (which has none). On a very congested network, UDP packets are the first packets that are dropped. This means that if NFS is writing data (in 8K chunks) all of that 8K must be retransmitted over UDP. Because of TCP's reliability, only parts of that 8K data are transmitted at a time.
- Error detection. When a TCP connection breaks (due to the server being unavailable) the client stops sending data and restarts the connection process once the server becomes available. With UDP, since it's connection-less, the client continues to pound the network with data until the server reestablishes a connection.
21.2.4. Preserving ACLs
21.3. Exporting NFS File Systems
system-config-nfs
RPM package installed. To start the application, select the (on the Panel) => => => , or type the command system-config-nfs
.
Figure 21.1. NFS Server Configuration Tool
- Directory — Specify the directory to share, such as
/tmp
. - Host(s) — Specify the host(s) with which to share the directory. Refer to Section 21.3.2, “Hostname Formats” for an explanation of possible formats.
- Basic permissions — Specify whether the directory should have read-only or read/write permissions.
- Allow connections from port 1024 and higher — Services started on port numbers less than 1024 must be started as root. Select this option to allow the NFS service to be started by a user other than root. This option corresponds to
insecure
. - Allow insecure file locking — Do not require a lock request. This option corresponds to
insecure_locks
. - Disable subtree checking — If a subdirectory of a file system is exported, but the entire file system is not exported, the server checks to see if the requested file is in the subdirectory exported. This check is called subtree checking. Select this option to disable subtree checking. If the entire file system is exported, selecting to disable subtree checking can increase the transfer rate. This option corresponds to
no_subtree_check
. - Sync write operations on request — Enabled by default, this option does not allow the server to reply to requests before the changes made by the request are written to the disk. This option corresponds to
sync
. If this is not selected, theasync
option is used.- Force sync of write operations immediately — Do not delay writing to disk. This option corresponds to
no_wdelay
.
- Treat remote root user as local root — By default, the user and group IDs of the root user are both 0. Root squashing maps the user ID 0 and the group ID 0 to the user and group IDs of anonymous so that root on the client does not have root privileges on the NFS server. If this option is selected, root is not mapped to anonymous, and root on a client has root privileges to exported directories. Selecting this option can greatly decrease the security of the system. Do not select it unless it is absolutely necessary. This option corresponds to
no_root_squash
. - Treat all client users as anonymous users — If this option is selected, all user and group IDs are mapped to the anonymous user. This option corresponds to
all_squash
.- Specify local user ID for anonymous users — If Treat all client users as anonymous users is selected, this option lets you specify a user ID for the anonymous user. This option corresponds to
anonuid
. - Specify local group ID for anonymous users — If Treat all client users as anonymous users is selected, this option lets you specify a group ID for the anonymous user. This option corresponds to
anongid
.
/etc/exports.bak
. The new configuration is written to /etc/exports
.
/etc/exports
configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax).
21.3.1. Command Line Configuration
/etc/exports
file controls what directories the NFS server exports. Its format is as follows:
directoryhostname(options)
sync
or async
(sync
is recommended). If sync
is specified, the server does not reply to requests before the changes made by the request are written to the disk.
/misc/export
speedy.example.com(sync)
speedy.example.com
to mount /misc/export
with the default read-only permissions, but,
/misc/export
speedy.example.com(rw,sync)
speedy.example.com
to mount /misc/export
with read/write privileges.
Warning
/etc/exports
file. If there are no spaces between the hostname and the options in parentheses, the options apply only to the hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
/misc/export speedy.example.com(rw,sync) /misc/export speedy.example.com (rw,sync)
speedy.example.com
read-write access and denies all other users. The second line grants users from speedy.example.com
read-only access (the default) and allows the rest of the world read-write access.
/etc/exports
, you must inform the NFS daemon of the change, or reload the configuration file with the following command:
/sbin/service nfs reload
21.3.2. Hostname Formats
- Single machine — A fully qualified domain name (that can be resolved by the server), hostname (that can be resolved by the server), or an IP address.
- Series of machines specified with wildcards — Use the * or ? character to specify a string match. Wildcards are not to be used with IP addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example,
*.example.com
includes one.example.com but does not include one.two.example.com. - IP networks — Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
- Netgroups — In the format @group-name, where group-name is the NIS netgroup name.
21.3.3. Starting and Stopping the Server
nfs
service must be running.
/sbin/service nfs status
/sbin/service nfs start
/sbin/service nfs stop
nfs
service at boot time, use the command:
/sbin/chkconfig --level 345 nfs on
chkconfig
, ntsysv or the Services Configuration Tool to configure which services start at boot time. Refer to Chapter 19, Controlling Access to Services for details.
21.4. Additional Resources
21.4.1. Installed Documentation
- The man pages for
nfsd
,mountd
,exports
,auto.master
, andautofs
(in manual sections 5 and 8) — These man pages show the correct syntax for the NFS and autofs configuration files.
21.4.2. Useful Websites
- http://nfs.sourceforge.net/ — the NFS webpage, includes links to the mailing lists and FAQs.
- http://www.tldp.org/HOWTO/NFS-HOWTO/index.html — The Linux NFS-HOWTO from the Linux Documentation Project.
Chapter 22. Samba
22.1. Why Use Samba?
22.2. Configuring a Samba Server
/etc/samba/smb.conf
) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.
22.2.1. Graphical Configuration
/etc/samba/
directory. Any changes to these files not made using the application are preserved.
system-config-samba
RPM package installed. To start the Samba Server Configuration Tool from the desktop, go to the (on the Panel) => => => or type the command system-config-samba
at a shell prompt (for example, in an XTerm or a GNOME terminal).
Figure 22.1. Samba Server Configuration Tool
Note
22.2.1.1. Configuring Server Settings
Figure 22.2. Configuring Basic Server Settings
workgroup
and server string
options in smb.conf
.
Figure 22.3. Configuring Security Server Settings
- Authentication Mode — This corresponds to the
security
option. Select one of the following types of authentication.- ADS — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm. For this option, Kerberos must be installed and configured on the server, and Samba must become a member of the ADS realm using the
net
utility, which is part of thesamba-client
package. Refer to thenet
man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the Kerberos Realm field.Note
The Kerberos Realm field must be supplied in all uppercase letters, such asEXAMPLE.COM
.Use of your Samba server as a domain member in an ADS realm assumes proper configuration of Kerberos, including the/etc/krb5.conf
file. - Domain — The Samba server relies on a Windows NT Primary or Backup Domain Controller to verify the user. The server passes the username and password to the Controller and waits for it to return. Specify the NetBIOS name of the Primary or Backup Domain Controller in the Authentication Server field.The Encrypted Passwords option must be set to Yes if this is selected.
- Server — The Samba server tries to verify the username and password combination by passing them to another Samba server. If it can not, the server tries to verify using the user authentication mode. Specify the NetBIOS name of the other Samba server in the Authentication Server field.
- Share — Samba users do not have to enter a username and password combination on a per Samba server basis. They are not prompted for a username and password until they try to connect to a specific shared directory from a Samba server.
- User — (Default) Samba users must provide a valid username and password on a per Samba server basis. Select this option if you want the Windows Username option to work. Refer to Section 22.2.1.2, “Managing Samba Users” for details.
- Encrypt Passwords — This option must be enabled if the clients are connecting from a system with Windows 98, Windows NT 4.0 with Service Pack 3, or other more recent versions of Microsoft Windows. The passwords are transfered between the server and the client in an encrypted format instead of as a plain-text word that can be intercepted. This corresponds to the
encrypted passwords
option. Refer to Section 22.2.3, “Encrypted Passwords” for more information about encrypted Samba passwords. - Guest Account — When users or guest users log into a Samba server, they must be mapped to a valid user on the server. Select one of the existing usernames on the system to be the guest Samba account. When guests log in to the Samba server, they have the same privileges as this user. This corresponds to the
guest account
option.
22.2.1.2. Managing Samba Users
Figure 22.4. Managing Samba Users
22.2.2. Command Line Configuration
/etc/samba/smb.conf
as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the command service smb restart
.
smb.conf
file:
workgroup = WORKGROUPNAME server string = BRIEF COMMENT ABOUT SERVER
smb.conf
file (after modifying it to reflect your needs and your system):
[sharename] comment = Insert a comment here path = /home/share/ valid users = tfox carole public = no writable = yes printable = no create mask = 0765
/home/share
, on the Samba server, from a Samba client.
22.2.3. Encrypted Passwords
- Create a separate password file for Samba. To create one based on your existing
/etc/passwd
file, at a shell prompt, type the following command:cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
If the system uses NIS, type the following command:ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
Themksmbpasswd.sh
script is installed in your/usr/bin
directory with thesamba
package. - Change the permissions of the Samba password file so that only root has read and write permissions:
chmod 600 /etc/samba/smbpasswd
- The script does not copy user passwords to the new file, and a Samba user account is not active until a password is set for it. For higher security, it is recommended that the user's Samba password be different from the user's system password. To set each Samba user's password, use the following command (replace username with each user's username):
smbpasswd username
- Encrypted passwords must be enabled. Since they are enabled by default, they do not have to be specifically enabled in the configuration file. However, they can not be disabled in the configuration file either. In the file
/etc/samba/smb.conf
, verify that the following line does not exist:encrypt passwords = no
If it does exist but is commented out with a semi-colon (;
) at the beginning of the line, then the line is ignored, and encrypted passwords are enabled. If this line exists but is not commented out, either remove it or comment it out.To specifically enable encrypted passwords in the configuration file, add the following lines toetc/samba/smb.conf
:encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd
- Make sure the
smb
service is started by typing the commandservice smb restart
at a shell prompt. - If you want the
smb
service to start automatically, use ntsysv,chkconfig
, or the Services Configuration Tool to enable it at runtime. Refer to Chapter 19, Controlling Access to Services for details.
pam_smbpass
PAM module can be used to sync users' Samba passwords with their system passwords when the passwd
command is used. If a user invokes the passwd
command, the password he uses to log in to the Red Hat Enterprise Linux system as well as the password he must provide to connect to a Samba share are changed.
/etc/pam.d/system-auth
below the pam_cracklib.so
invocation:
password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass
22.2.4. Starting and Stopping the Server
smb
service must be running.
/sbin/service smb status
/sbin/service smb start
/sbin/service smb stop
smb
service at boot time, use the command:
/sbin/chkconfig --level 345 smb on
chkconfig
, ntsysv, or the Services Configuration Tool to configure which services start at boot time. Refer to Chapter 19, Controlling Access to Services for details.
22.4. Additional Resources
22.4.1. Installed Documentation
smb.conf
man page — explains how to configure the Samba configuration filesmbd
man page — describes how the Samba daemon workssmbclient
andfindsmb
man pages — learn more about these client tools/usr/share/doc/samba-<version-number>/docs/
— help files included with thesamba
package
22.4.2. Useful Websites
- http://www.samba.org/ — The Samba webpage contains useful documentation, information about mailing lists, and a list of GUI interfaces.
- http://www.samba.org/samba/docs/using_samba/toc.html — an online version of Using Samba, 2nd Edition by Jay Ts, Robert Eckstein, and David Collier-Brown; O'Reilly &Associates
Chapter 23. Dynamic Host Configuration Protocol (DHCP)
23.1. Why Use DHCP?
23.2. Configuring a DHCP Server
/etc/dhcpd.conf
configuration file must be created. A sample file can be found at /usr/share/doc/dhcp-<version>/dhcpd.conf.sample
.
/var/lib/dhcp/dhcpd.leases
to store the client lease database. Refer to Section 23.2.2, “Lease Database” for more information.
23.2.1. Configuration File
ddns-update-style ad-hoc;
ddns-update-style interim;
dhcpd.conf
man page for details about the different modes.
- Parameters — State how to perform a task, whether to perform a task, or what network configuration options to send to the client.
- Declarations — Describe the topology of the network, describe the clients, provide addresses for the clients, or apply a group of parameters to a group of declarations.
option
keyword and are referred to as options. Options configure DHCP options; whereas, parameters configure values that are not optional or control how the DHCP server behaves.
Important
service dhcpd restart
.
Note
omshell
command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using omshell
, all changes can be made while the server is running. For more information on omshell
, refer to the omshell
man page.
routers
, subnet-mask
, domain-name
, domain-name-servers
, and time-offset
options are used for any host
statements declared below it.
subnet
can be declared, a subnet
declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
range
declared. Clients are assigned an IP address within the range
.
Example 23.1. Subnet Declaration
subnet 192.168.1.0 netmask 255.255.255.0 { option routers 192.168.1.254; option subnet-mask 255.255.255.0; option domain-name "example.com"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time range 192.168.1.10 192.168.1.100; }
shared-network
declaration as shown in Example 23.2, “Shared-network Declaration”. Parameters within the shared-network
, but outside the enclosed subnet
declarations, are considered to be global parameters. The name of the shared-network
should be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
group
declaration can be used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
Example 23.3. Group Declaration
group { option routers 192.168.1.254; option subnet-mask 255.255.255.0; option domain-name "example.com"; option domain-name-servers 192.168.1.1; option time-offset -18000; # Eastern Standard Time host apex { option host-name "apex.example.com"; hardware ethernet 00:A0:78:8E:9E:AA; fixed-address 192.168.1.4; } host raleigh { option host-name "raleigh.example.com"; hardware ethernet 00:A1:DD:74:C3:F2; fixed-address 192.168.1.6; } }
range
192.168.1.10 and 192.168.1.100 to client systems.
Example 23.4. Range Parameter
default-lease-time 600; max-lease-time 7200; option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.254; option domain-name-servers 192.168.1.1, 192.168.1.2; option domain-name "example.com"; subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.10 192.168.1.100; }
hardware ethernet
parameter within a host
declaration. As demonstrated in Example 23.5, “Static IP Address using DHCP”, the host apex
declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
host-name
can also be used to assign a host name to the client.
Example 23.5. Static IP Address using DHCP
host apex { option host-name "apex.example.com"; hardware ethernet 00:A0:78:8E:9E:AA; fixed-address 192.168.1.4; }
Note
cp /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample /etc/dhcpd.conf
(where <version-number> is the DHCP version number).
dhcp-options
man page.
23.2.2. Lease Database
/var/lib/dhcp/dhcpd.leases
stores the DHCP client lease database. This file should not be modified by hand. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
dhcpd.leases
file is renamed dhcpd.leases~
and the temporary lease database is written to dhcpd.leases
.
dhcpd.leases
file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost which causes many problems. The correct solution is to rename the dhcpd.leases~
backup file to dhcpd.leases
and then start the daemon.
23.2.3. Starting and Stopping the Server
Important
dhcpd.leases
file exists. Use the command touch /var/lib/dhcp/dhcpd.leases
to create the file if it does not exist.
named
service automatically checks for a dhcpd.leases
file.
/sbin/service dhcpd start
. To stop the DHCP server, use the command /sbin/service dhcpd stop
.
/etc/sysconfig/dhcpd
, add the name of the interface to the list of DHCPDARGS
:
# Command line options here DHCPDARGS=eth0
/etc/sysconfig/dhcpd
include:
-p <portnum>
— Specify the UDP port number on whichdhcpd
should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to Section 23.2.4, “DHCP Relay Agent” for details.-f
— Run the daemon as a foreground process. This is mostly used for debugging.-d
— Log the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to/var/log/messages
.-cf <filename>
— Specify the location of the configuration file. The default location is/etc/dhcpd.conf
.-lf <filename>
— Specify the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is/var/lib/dhcp/dhcpd.leases
.-q
— Do not print the entire copyright message when starting the daemon.
23.2.4. DHCP Relay Agent
dhcrelay
) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
/etc/sysconfig/dhcrelay
with the INTERFACES
directive.
service dhcrelay start
.
23.3. Configuring a DHCP Client
/etc/sysconfig/network
file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts
directory. In this directory, each device should have a configuration file named ifcfg-eth0
, where eth0
is the network device name.
/etc/sysconfig/network
file should contain the following line:
NETWORKING=yes
NETWORKING
variable must be set to yes
if you want networking to start at boot time.
/etc/sysconfig/network-scripts/ifcfg-eth0
file should contain the following lines:
DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes
DHCP_HOSTNAME
— Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)PEERDNS=<answer>
, where<answer>
is one of the following:yes
— Modify/etc/resolv.conf
with information from the server. If using DHCP, thenyes
is the default.no
— Do not modify/etc/resolv.conf
.
SRCADDR=<address>
, where<address>
is the specified source IP address for outgoing packets.USERCTL=<answer>
, where<answer>
is one of the following:yes
— Non-root users are allowed to control this device.no
— Non-root users are not allowed to control this device.
Note
dhclient
and dhclient.conf
man pages.
23.4. Additional Resources
23.4.1. Installed Documentation
dhcpd
man page — Describes how the DHCP daemon works.dhcpd.conf
man page — Explains how to configure the DHCP configuration file; includes some examples.dhcpd.leases
man page — Explains how to configure the DHCP leases file; includes some examples.dhcp-options
man page — Explains the syntax for declaring DHCP options indhcpd.conf
; includes some examples.dhcrelay
man page — Explains the DHCP Relay Agent and its configuration options./usr/share/doc/dhcp-<version>/
— Contains sample files, README files, and release notes for the specific version of the DHCP service.
Chapter 24. Apache HTTP Server Configuration
/usr/share/doc/httpd-<ver>/migration.html
or the Reference Guide for details.
httpd
and system-config-httpd
RPM packages need to be installed to use the HTTP Configuration Tool. It also requires the X Window System and root access. To start the application, go to the => => => or type the command system-config-httpd
at a shell prompt (for example, in an XTerm or GNOME Terminal).
/etc/httpd/conf/httpd.conf
configuration file for the Apache HTTP Server. It does not use the old srm.conf
or access.conf
configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections.
Warning
/etc/httpd/conf/httpd.conf
configuration file by hand if you wish to use this tool. The HTTP Configuration Tool generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in HTTP Configuration Tool, you cannot use this tool.
- Configure the basic settings under the Main tab.
- Click on the Virtual Hosts tab and configure the default settings.
- Under the Virtual Hosts tab, configure the Default Virtual Host.
- To serve more than one URL or virtual host, add any additional virtual hosts.
- Configure the server settings under the Server tab.
- Configure the connections settings under the Performance Tuning tab.
- Copy all necessary files to the
DocumentRoot
andcgi-bin
directories. - Exit the application and select to save your settings.
24.1. Basic Settings
Figure 24.1. Basic Settings
ServerName
directive in httpd.conf
. The ServerName
directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might set the server name to www.example.com while the server's real DNS name is foo.example.com.
ServerAdmin
directive in httpd.conf
. If you configure the server's error pages to contain an email address, this email address is used so that users can report a problem to the server's administrator. The default value is root@localhost.
Listen
directive in httpd.conf
. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.
Note
httpd
can be started as a regular user.
Figure 24.2. Available Addresses
24.2. Default Settings
24.2.1. Site Configuration
Figure 24.3. Site Configuration
DirectoryIndex
directive. The DirectoryIndex
is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
http://www.example.com/this_directory/
, they are going to get either the DirectoryIndex
page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the DirectoryIndex
directive and returns the first one it finds. If it does not find any of these files and if Options Indexes
is set for that directory, the server generates and returns a list, in HTML format, of the subdirectories and files in the directory.
ErrorDocument
directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the Error Code column. To override this default configuration, select the error code and click the Edit button. Choose to display the default short error message. Choose to redirect the client to an external URL and enter a complete URL, including the http://
, in the Location field. Choose to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin the a slash (/) and be relative to the Document Root.
404.html
, copy 404.html
to DocumentRoot/../error/404.html
. In this case, DocumentRoot is the Document Root directory that you have defined (the default is /var/www/html/
). If the Document Root is left as the default location, the file should be copied to /var/www/error/404.html
. Then, choose as the Behavior for 404 - Not Found error code and enter /error/404.html
as the .
- Show footer with email address — Display the default footer at the bottom of all error pages along with the email address of the website maintainer specified by the
ServerAdmin
directive. Refer to Section 24.3.1.1, “General Options” for information about configuring theServerAdmin
directive. - Show footer — Display just the default footer at the bottom of error pages.
- No footer — Do not display a footer at the bottom of error pages.
24.2.2. Logging
/var/log/httpd/access_log
file and the error log to the /var/log/httpd/error_log
file.
TransferLog
directive.
Figure 24.4. Logging
LogFormat
directive. Refer to http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#formats for details on the format of this directive.
ErrorLog
directive.
LogLevel
directive.
HostnameLookups
directive. Choosing No Reverse Lookup sets the value to off. Choosing Reverse Lookup sets the value to on. Choosing Double Reverse Lookup sets the value to double.
24.2.3. Environment Variables
mod_env
module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the Environment Variables page to configure the directives for this module.
MAXNUM
to 50
, click the button inside the Set for CGI Script section, as shown in Figure 24.5, “Environment Variables”, and type MAXNUM
in the Environment Variable text field and 50
in the Value to set text field. Click to add it to the list. The Set for CGI Scripts section configures the SetEnv
directive.
env
at a shell prompt. Click the button inside the Pass to CGI Scripts section and enter the name of the environment variable in the resulting dialog box. Click to add it to the list. The Pass to CGI Scripts section configures the PassEnv
directive.
Figure 24.5. Environment Variables
UnsetEnv
directive.
http://httpd.apache.org/docs-2.0/env.html
24.2.4. Directories
<Directory>
directive.
Figure 24.6. Directories
Options
directive within the <Directory>
directive. You can configure the following options:
- ExecCGI — Allow execution of CGI scripts. CGI scripts are not executed if this option is not chosen.
- FollowSymLinks — Allow symbolic links to be followed.
- Includes — Allow server-side includes.
- IncludesNOEXEC — Allow server-side includes, but disable the
#exec
and#include
commands in CGI scripts. - Indexes — Display a formatted list of the directory's contents, if no
DirectoryIndex
(such asindex.html
) exists in the requested directory. - Multiview — Support content-negotiated multiviews; this option is disabled by default.
- SymLinksIfOwnerMatch — Only follow symbolic links if the target file or directory has the same owner as the link.
Order
directive with the left-hand side options. The Order
directive controls the order in which allow and deny directives are evaluated. In the Allow hosts from and Deny hosts from text field, you can specify one of the following:
- Allow all hosts — Type
all
to allow access to all hosts. - Partial domain name — Allow all hosts whose names match or end with the specified string.
- Full IP address — Allow access to a specific IP address.
- A subnet — Such as
192.168.1.0/255.255.255.0
- A network CIDR specification — such as
10.3.0.0/16
Figure 24.7. Directory Settings
.htaccess
file take precedence.
24.3. Virtual Hosts Settings
<NameVirtualHost>
directive for a name based virtual host.