SUSE LINUX Advanced Administration
COURSE 3038
Novell Training Services www.novell.com
AUTHORIZED COURSEWARE
Part #
Version 2
Proprietary Statement

Copyright © 2010 Novell, Inc. All rights reserved.

The reproduction, photocopying, storing on a retrieval system, or transmitting of this manual is protected under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.

You are free to share (copy, distribute and transmit the work) and to remix (adapt the work) under the following conditions: you must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work), and you may not use this work for commercial purposes. In addition, if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to the Creative Commons license page (http://creativecommons.org/licenses/by-nc-sa/3.0/).

For clarification or to apply for a waiver to any of these conditions, contact Novell, Inc.

Novell, Inc.
1800 South Novell Place
Provo, UT 84606-2399

Disclaimer

Novell, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. reserves the right to revise this publication and to make changes in its content at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any NetWare software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity of such changes.

This Novell Training Manual is published solely to instruct students in the use of Novell networking software. Although third-party application software packages are used in Novell training courses, this is for demonstration purposes only and shall not constitute an endorsement of any of these software applications.

Further, Novell, Inc. does not represent itself as having any particular expertise in these application software packages and any use by students of the same shall be done at the students' own risk.

Trademarks

Novell, Inc. has attempted to supply trademark information about company names, products, and services mentioned in this manual. The following list of trademarks was derived from various sources.

Novell, Inc. Trademarks

Novell, the Novell logo, NetWare, BorderManager, ConsoleOne, DirXML, GroupWise, iChain, ManageWise, NDPS, NDS, NetMail, Novell Directory Services, Novell iFolder, Novell SecretStore, Ximian, Ximian Evolution and ZENworks are registered trademarks; CDE, Certified Directory Engineer and CNE are registered service marks; eDirectory, Evolution, exteNd, exteNd Composer, exteNd Directory, exteNd Workbench, Mono, NIMS, NLM, NMAS, Novell Certificate Server, Novell Client, Novell Cluster Services, Novell Distributed Print Services, Novell Internet Messaging System, Novell Storage Services, Nsure, Nsure Resources, Nterprise, Nterprise Branch Office, Red Carpet and Red Carpet Enterprise are trademarks; and Certified Novell Administrator, CNA, Certified Novell Engineer, Certified Novell Instructor, CNI, Master CNE, Master CNI, MCNE, MCNI, Novell Education Academic Partner, NEAP, Ngage, Novell Online Training Provider, NOTP and Novell Technical Services are service marks of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE LINUX AG, a Novell company. For more information on Novell trademarks, please visit http://www.novell.com/company/legal/trademarks/tmlist.html.

Other Trademarks

Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc. EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a registered trademark of Apple Computer, Inc. Lotus Notes is a registered trademark of Lotus Development Corporation. Macintosh is a registered trademark of Apple Computer, Inc. Netscape Communicator is a trademark of Netscape Communications Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. Pentium is a registered trademark of Intel Corporation. Solaris is a registered trademark of Sun Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64 is a trademark of Digital Equipment Corp. UnitedLinux is a registered trademark of UnitedLinux. UNIX is a registered trademark of the Open Group. WebSphere is a trademark of International Business Machines Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation.

All other third-party trademarks are the property of their respective owners.
Contents
Introduction
Course Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-1
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-2
Certification and Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-2
SLES 9 Support and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-4
SLES 9 Online Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-4
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-5
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-5
Exercise Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Objective 1 Perform the SLES 9 Base Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Boot From the Installation Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Select the System Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Select the Installation Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Understand and Change the Installation Proposal . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Partition the Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Select the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Configure the Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Start the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Objective 2 Configure the SLES 9 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Set the root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Configure the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31
Test the Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Perform an Online Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Configure Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Manage Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Configure Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Finalize the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Objective 3 Troubleshoot the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44
Exercise 1-1 Install SLES 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-53
Version 2 Copyright © 2010 Novell, Inc. Copying or distributing all or part of this manual is protected by TOC-1
a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Objective 1 Understand Linux Network Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Objective 2 Set Up Network Devices With the ip Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Display the Current Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Change the Current Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Objective 3 Save Device Settings to a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Configure a Device Statically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Configure a Device Dynamically With DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Start and Stop Configured Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Objective 4 Set Up Routing With the ip Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
View the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Add Routes to the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Delete Routes from the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Objective 5 Save Routing Settings to a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Objective 6 Configure Host Name and Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Set the Host and Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Configure Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Objective 7 Test the Network Connection With Command Line Tools . . . . . . . . . . . . . . . . . . . . . . 2-17
Use ping to Test Network Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Use traceroute to Trace Network Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Exercise 2-1 Configure the Network Connection Manually . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Objective 1 Configure a DNS Server Using BIND. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Understand the Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Install and Configure the BIND Server Software . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Configure a Caching-Only DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Configure a Master Server for Your Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Configure One or More Slave Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Configure the Client Computers to Use the DNS Server . . . . . . . . . . . . . . . . . . . 3-18
Use Command Line Tools to Query DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Find More Information About DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Exercise 3-1 Configure a DNS server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Objective 1 Create a Security Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Understand the Basics of a Security Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Perform a Communication Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Analyze the Protection Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Analyze the Current Situation and Necessary Enhancements . . . . . . . . . . . . . . . . 4-5
Objective 2 Limit Physical Access to Server Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Place the Server in a Separate, Locked Room . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Secure the BIOS with a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Secure the GRUB Boot Loader with a Password . . . . . . . . . . . . . . . . . . . . . . . . . 4-12
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Objective 1 Develop a Backup Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Choose a Backup Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Choose the Right Backup Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Objective 1 Use Basic Script Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Flow Charts for Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
The Basic Rules of Shell Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Exercise 6-1 Produce Output from a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
How to Develop Scripts That Read User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Exercise 6-2 Read User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
How to Perform Basic Script Operations with Variables . . . . . . . . . . . . . . . . . . . . 6-8
Exercise 6-3 Simple Operations with Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
How to Use Command Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Objective 1 Understand the Basics of C Programming. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
The Difference Between Source Code and an Executable . . . . . . . . . . . . . . . . . . . 7-2
The Structure of a Simple C Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
How to Compile a Simple C Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Exercise 7-1 Compile a Simple C Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Objective 1 Find Performance Bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Analyze Processes and Processor Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Analyze Memory Utilization and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Analyze Storage Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Analyze Network Utilization and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Exercise 8-1 Analyze System Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
Objective 2 Reduce System and Memory Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Analyze CPU Intensive Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Run Only Required Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Keep Your Software Up to Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Optimize Swap Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18
Exercise 8-2 Reduce Resource Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
Objective 3 Optimize the Storage System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
Configure IDE Drives With hdparm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
Tune Kernel Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
Tune File System Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Exercise 8-3 Tune an IDE Hard Drive With hdparm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Objective 4 Tune the Network Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Change Kernel Network Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Change Your Network Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-29
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Objective 1 Describe the Differences Between Devices and Interfaces. . . . . . . . . . . . . . . . . . . . . . . . 9-2
Objective 2 Describe How Device Drivers Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Objective 3 Describe How Device Drivers Are Loaded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Objective 4 Describe the sysfs File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Objective 5 Describe How the SLES 9 Hotplug System Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Objective 6 Use the hwup Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Exercise 9-1 Trace How a Network Adapter Is Set Up With hwup and ifup. . . . . . . . . . . . 9-14
Objective 7 Add New Hardware to a SLES 9 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Add a New Drive to the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Replace a Graphics Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Add a New Network Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Objective 1 Install and Configure SLES 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Objective 2 Configure a DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Objective 3 Configure a Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Objective 4 Configure a Samba File Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Introduction
In the SUSE LINUX Advanced Administration (3038) course you learn the SUSE
LINUX Enterprise Server 9 (SLES 9) administration skills necessary to complete
your basic SLES 9 skill set.
These skills, along with those taught in the SUSE LINUX Fundamentals (3036) and
SUSE LINUX Administration (3037) courses, prepare you to take the Novell®
Certified Linux® Professional (Novell CLP) certification practicum test.
The SLES 9 3038 VMware Server DVD contains a VMware Workstation SLES 9
server that you can use with the SUSE LINUX Advanced Administration Self-Study
Workbook (in PDF format on your Course CD) outside the classroom to practice the
skills you need to take the Novell CLP practicum.
Note: Instructions for setting up a self-study environment are included in the SUSE LINUX Advanced Administration Self-Study Workbook.
If you do not own a copy of VMware Workstation, you can obtain a 30-day evaluation version
at www.vmware.com. If you want to dedicate a machine to install SLES 9, instructions are also
provided in the Self-Study Workbook.
Course Objectives
This course teaches you how to perform the following SUSE LINUX administrative
tasks for SLES 9:
1. Install SLES 9 with a custom partitioning
2. Configure the network manually
3. Configure network services
4. Secure a SLES 9 server
5. Manage backup and recovery
6. Create shell scripts
7. Compile software from source
The final day of class is reserved for a “LiveFire” exercise that provides a set of
scenarios to test your SLES 9 administration skills and prepare you to take the Novell
CLP Practicum.
Audience
While the primary audience for this course is the current Novell CNE who has
completed courses 3036 and 3037 in the CLP curriculum, Linux professionals and
administrators with experience in other operating systems can also use this course to
help prepare for the Novell CLP Practicum.
As with all Novell certifications, course work is never required. You need only
pass a Novell CLP Practicum (050-689) in order to achieve the certification.
The Novell CLP Practicum is a hands-on, scenario-based exam where you apply the
knowledge you have learned to solve real-life problems—demonstrating that you
know what to do and how to do it.
The practicum tests you on objectives in this course (SUSE LINUX Advanced
Administration - Course 3038) and the skills outlined in the following Novell CLP
courses:
- SUSE LINUX Fundamentals - Course 3036
- SUSE LINUX Administration - Course 3037
Figure Intro-1: Novell® Certified Linux Professional (Novell CLP): Training/Testing Path (figure not reproduced; its starting point is labeled "New to Linux Administration")
Before attending this course, you should complete the prerequisites included in
SUSE LINUX Administration (Course 3037) or have experience managing SLES 9
servers in a networked environment.
Note: For more information about Novell certification programs and taking the Novell CLP Practicum, see http://www.novell.com/education/certinfo.
SLES 9 Support and Maintenance
However, to receive official support and maintenance updates, you need to do one of
the following:
- Register for a free registration/serial code that provides you with 30 days of support and maintenance.
- Purchase a copy of SLES 9 from Novell (or an authorized dealer).
You can obtain your free 30-day support and maintenance code at
http://www.novell.com/products/linuxenterpriseserver/eval.html.
Note: You will need to have or create a Novell login account to access the 30-day evaluation.
Agenda
The following is the agenda for this 5-day course:
Day 5 Section 10: Prepare for the Novell CLP Practicum 06:00
Scenario
The Digital Airlines management has made the decision to migrate several back-end
services to Linux servers running SLES 9. You have already installed SLES 9 before
and are familiar with administering SLES 9 from YaST and from the command line.
To be able to implement the migration plan, you need additional experience in the
following areas:
- System settings on the configuration file level
- Network services configuration from the command line
- Applying security solutions and deploying backup and recovery
- Creating basic shell scripts and compiling software from source packages
You decide to set up a test server in the lab to enhance your skills in these areas.
Exercise Conventions
When working through an exercise, you will see conventions that indicate
information you need to enter that is specific to your server.
Install SLES 9
Objectives
1. Perform the SLES 9 Base Installation
2. Configure the SLES 9 Installation
3. Troubleshoot the Installation Process
Introduction
YaST presents an installation proposal (automatically generated during installation)
that you can accept to make installation simple and quick.
However, you also need to understand the more advanced installation options
available. By changing the following installation proposal options, you can install
servers that meet a variety of needs:
- Installation mode
- Partitioning scheme
- Software selection
- Authentication method
- Hardware setup
To start the installation process, insert the SLES 9 CD 1 into the CD drive and then
reboot the computer to start the installation program.
Note: To start the installation program, your computer needs to be configured to start from a CD or DVD drive. You might need to change the boot drive order in the BIOS setup of your system to boot from the drive.
Consult the manual shipped with your hardware for further information.
When your system has started from the installation CD, the following appears:
Figure 1-1
You can use the arrow keys to select one of the following options:
- Boot from Hard Disk. Boots the system installed on the hard disk (the system normally booted when the machine is started). This is the default option.
- Installation. Starts the normal installation process. All modern hardware functions are enabled.
- Installation - ACPI Disabled. Starts the installation process with ACPI (Advanced Configuration and Power Interface) disabled. If the normal installation fails, the system hardware might not support ACPI. In this case, you can use this option to install without ACPI support.
- Installation - Safe Settings. Starts the installation process with the DMA mode and any interfering power management functions disabled. Use this option if the installation fails with the other options.
- Manual Installation. When you select this installation mode, you can load driver modules manually and change the advanced installation settings.
- Rescue System. Starts the SLES 9 rescue system. If you cannot boot your installed Linux system, you can boot the computer from the CD and select this option. This starts a minimal Linux system without a graphical user interface to allow experts to access disk partitions for troubleshooting and repairing an installed system.
- Memory Test. Starts a memory testing program, which tests system RAM by using repeated read and write cycles. This is done in an endless loop, because memory corruption often shows up sporadically and many read and write cycles might be necessary to detect it.
  If you suspect that your RAM might be defective, start this test and let it run for several hours. If no errors are detected, you can assume that the memory is intact. Terminate the test by rebooting the system.
Use the function keys, as indicated in the bar at the bottom of the screen, to change a
number of installation settings:
• F1. Opens context-sensitive help for the currently selected option of the boot screen.
• F2. Select a graphical display mode (such as 640x480 or 1024x768) for the installation. You can select one of these or select text mode, which is useful if the graphical mode causes display problems.
• F3. Select an installation media type. Normally, you install from the inserted installation disk, but in some cases you might want to select another source, such as FTP or NFS.
• F4. Select an installation language.
• F5. Select the debugging output level. By default, diagnostic messages of the Linux kernel are not displayed during system start up. To display these messages, select Native. For maximum information, select Verbose.
• F6. Add a driver update CD to the installation process. You are asked to insert the update disk at the appropriate point in the installation process.
Select the Installation option to start the installation process. If the installation fails
for some reason, try to install with the Installation - ACPI Disabled option or the
Installation - Safe Settings option.
After you select an installation option, a minimal Linux system loads to run the YaST
installation program.
Figure 1-2
Note: If the installation program does not detect your mouse, you can use the Tab key to navigate through the dialog elements, the arrow keys to scroll in lists, and Enter to select buttons. You can change the mouse settings later in the installation process.
From the language dialog, select the language of your choice, and then select Accept
to continue to the next step.
After you have selected the installation language, the following appears:
Figure 1-3
In this dialog, YaST asks you for the installation mode. Select one of the following
options:
• New installation. Performs a normal new installation of SLES 9. This is the default option.
• Update an existing system. Updates a previously installed SLES 8 installation.
• Repair Installed System. Repairs a previously installed SLES 9 installation.
• Boot installed system. Boots a previously installed Linux installation.
• Abort Installation. Terminates the installation process.
For a normal installation, select New Installation and then select OK to proceed to
the next step.
After you select New Installation, YaST analyzes the system and creates an
installation proposal. The proposal is displayed as shown in the following:
Figure 1-4
The proposal displays all installation settings that are necessary for a base
installation. You can change these settings by selecting the following headlines
(headings):
• System. Restarts the hardware detection process and displays a list of all available hardware components. You can select single components, view details, or save the list to a file.
• Mode. Changes the installation mode.
• Keyboard layout. Changes the keyboard layout. YaST selects the keyboard layout according to your language settings. Change the keyboard settings if you prefer a different layout.
• Mouse. Changes the mouse settings. If your mouse does not work correctly, you can select a different mouse type in this block.
• Partitioning. Changes the hard drive partitioning. If the automatically generated partitioning scheme does not fit your needs, you can change it by selecting this headline.
• Software. Changes the software selection. You can select or deselect software.
• Booting. Changes the boot loader setting.
• Time zone. Changes the time zone. YaST selects the time zone of the installed system according to your language selection. Change the time zone if you prefer a different one.
Of the settings described above, partitioning, software, and booting are discussed
next in more detail.
In most cases, YaST proposes a reasonable partitioning scheme that you can accept
without change. However, you might need to change the partitioning manually if
• You want to optimize the partitioning scheme for a special purpose server (such as a file server).
• You have more than one hard drive and want to configure RAID or LVM devices.
• You want to delete existing operating systems so you have more space available for your SLES 9 installation.
To partition the hard drive manually, you need to know the following:
• The Basics of Hard Drive Partitioning
• The Basic Linux Partition Scheme
• Partitioning Schemes for Different Server Types
• How to Change YaST's Partitioning Proposal
• How to Use the YaST Expert Partitioner
Partitions divide the available space of a hard drive into smaller portions. This lets
you install more than one operating system on a hard drive or to use different areas
for programs and data.
Every hard disk has a partition table with space for four entries. An entry in the
partition table can correspond to a primary partition or an extended partition. Only
one extended partition entry is allowed.
Four entries are often not enough, which is why extended partitions are used. Like
primary partitions, extended partitions are continuous ranges of disk cylinders, but
they can be subdivided into logical partitions. Logical partitions do not require
entries in the main partition table. In other words, an extended partition is a
container for logical partitions.
If you need more than 4 partitions, create an extended partition before you create the
fourth partition. This extended partition should include the entire remaining free
cylinder range. Then create multiple logical partitions within the extended partition.
The maximum number of logical partitions is fifteen on SCSI disks and 63 on
(E)IDE disks.
It does not matter which type of partitions you use on Linux systems; primary and
logical partitions both work well.
The optimal partition scheme for a server depends on the purpose of the server.
No matter what partition scheme you choose, you always need a swap partition and a
root partition.
The following guidelines help you determine the size of your root partition:
• 500 MB. This allows for a minimal installation with no graphical interface. With this configuration, you can only use console applications.
• 700 MB. This allows for an installation with a minimal graphical interface. This includes the X Window System and a few graphical applications.
• 1.5 GB. This is the default installation proposed by YaST. This configuration includes a modern desktop environment (such as KDE or GNOME) and provides enough space for large application suites (such as Netscape or Mozilla).
• 2.5 GB. This allows for a full installation, including all software packages shipped with SLES 9.
If your server hosts data (such as a web server or a file server), you will probably
need more space on the root partition.
It often makes sense to create more than the default Linux partitions. The following
list provides examples of partitions for different server types:
• File server. Hard disk performance is crucial for a file server. Create an extra partition with enough space for the data that is hosted by the server.
• Web server. You should create an extra partition for the web space hosted by the server. Make the partition large enough to hold the expected amount of hosted data.
• Compute server. A compute server carries out extensive calculations in the network. Fast disk throughput is only needed for the swap partitions. If possible, use more than one swap partition and distribute swap partitions to multiple hard disks.
To use YaST to change the partition scheme, select the Partitioning headline in the
installation proposal. The following appears:
Figure 1-5
In the top part of the dialog, YaST displays the automatically generated partitioning
proposal. The lower part of the dialog provides the following options:
• Accept proposal as is. Accepts the partitioning scheme and returns to the main installation proposal.
• Base partition setup on this proposal. Starts the YaST Expert Partitioner with the partition proposal as base setup.
Figure 1-6
When you start the YaST Expert Partitioner, the following appears:
Figure 1-7
In the top part of the dialog, YaST lists details of the current partition setup.
Depending on your previous choice, the list contains the current physical disk setup
or the partitioning proposal created by YaST.
Note: Most of the changes made with the YaST Expert Partitioner are not written to disk until the installation process is started. You can always discard your changes by selecting Back, or you can restart the Expert Partitioner to make more changes.
The following entries are displayed for every hard disk in your system:
• One entry for the hard disk itself, which has the corresponding device name in the Device column (such as /dev/sda).
• One entry for every partition on the hard disk with the corresponding device name and the partition number in the Device column (such as /dev/sda1).
If a hard disk is not partitioned yet, you see only the entry for the hard disk itself.
Create a new partition by selecting Create. A dialog with one of the following
options appears (the options you see depend on your hard disk setup):
• If you have more than one disk in your system, you are asked to select a disk for the new partition first.
• If you do not have an extended partition, you are asked if you want to create a primary or an extended partition.
• If you have an extended partition, you are asked if you want to create a primary or a logical partition.
• If you have 3 primary partitions and an extended partition, you can only create logical partitions.
Note: You need enough space on your hard disk to create a new partition. You learn later in this section how to delete existing partitions to free used disk space.
Figure 1-8
    ▪ FAT. Formats the partition with the FAT file system. FAT is an older file system used in DOS and Windows. You can use this option to create a data partition that is accessible from Windows and Linux. You must not create a root partition with this file system.
    ▪ JFS. Formats the partition with JFS, a journaling file system developed by IBM.
    ▪ Reiser. Formats the partition with ReiserFS, a modern journaling file system. (This is the default option.)
    ▪ XFS. Formats the partition with XFS, a journaling file system originally developed by SGI.
    ▪ Swap. Formats the partition as a swap partition.
    If you are not sure which file system to choose, select Reiser for root and data partitions and Swap for swap partitions.
  ◦ Options. By selecting Options, you can change parameters for the file system you selected. You can use the default parameters in most cases.
  ◦ Encrypt file system. If you select this option, the partition file system is encrypted. You should only use this option for non-system partitions such as user home directories.
• Size. Lets you configure the size of the new partition with the following:
  ◦ Start Cylinder. The start cylinder determines the first cylinder of the new partition. YaST normally preselects the first available free cylinder of the hard disk.
  ◦ End. The end cylinder determines the size of the new partition. To configure the end cylinder, do one of the following:
    ▪ Enter the cylinder number.
    ▪ Enter a plus sign (+) followed by the amount of disk space for the new partition. Use M for MB and G for GB. YaST calculates the last cylinder number. For example, enter +5G for a partition size of 5 GB.
• Fstab Options. Select this option to edit the fstab entry for this partition. The default setting should work in most cases.
• Mount Point. Select the mount point of the new partition from this drop-down list. You can also enter a mount point manually if it's not available in the list.
After changing the parameters, select OK to add the new partition to the partition
list.
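The partition-table rules from the partitioning basics (four entries, one extended partition, logical partitions only inside it, 15 or 63 logical partitions depending on the bus), the device naming shown in the Expert Partitioner list, and the End field's +size syntax can be checked with this small model. It is an added example, not course material and not YaST's own code; the cylinder size (255 heads × 63 sectors × 512 bytes) and the rounding of a relative size up to whole cylinders are assumptions.

```python
"""Added example (not from the course or YaST): a model of the MBR
partition-table rules and of the Expert Partitioner's End field syntax."""
import math
import re

# Limits stated in the course text for the number of logical partitions.
MAX_LOGICAL = {"scsi": 15, "ide": 63}

# Assumed cylinder size: 255 heads x 63 sectors x 512 bytes (a common geometry).
CYLINDER_BYTES = 255 * 63 * 512


def plan_layout(disk, kinds, bus="scsi"):
    """Assign device names to partitions created in the given order.

    kinds is a list of 'primary', 'extended' or 'logical'. Primary and
    extended partitions use the four partition-table entries and are numbered
    1 to 4; logical partitions live inside the extended partition and are
    numbered from 5 onwards. A ValueError names the rule that was violated.
    """
    names = []
    entries_used = 0
    have_extended = False
    logical_count = 0
    for kind in kinds:
        if kind in ("primary", "extended"):
            if entries_used == 4:
                raise ValueError("the partition table has space for only four entries")
            if kind == "extended":
                if have_extended:
                    raise ValueError("only one extended partition is allowed")
                have_extended = True
            entries_used += 1
            names.append(f"{disk}{entries_used}")
        elif kind == "logical":
            if not have_extended:
                raise ValueError("create an extended partition before logical partitions")
            if logical_count == MAX_LOGICAL[bus]:
                raise ValueError(f"at most {MAX_LOGICAL[bus]} logical partitions on {bus} disks")
            logical_count += 1
            names.append(f"{disk}{4 + logical_count}")
        else:
            raise ValueError(f"unknown partition kind {kind!r}")
    return names


def layout_problem(kinds, bus="scsi"):
    """Return the rule a layout violates, or None if the layout is valid."""
    try:
        plan_layout("/dev/sda", kinds, bus)
    except ValueError as err:
        return str(err)
    return None


_RELATIVE_SIZE = re.compile(r"^\+(\d+(?:\.\d+)?)([MG])$")


def end_cylinder(start, spec, cylinder_bytes=CYLINDER_BYTES):
    """Resolve the End field of the Create Partition dialog.

    spec is either an absolute cylinder number or '+<n>M' / '+<n>G'
    (M for MB, G for GB). Relative sizes are rounded up to whole cylinders
    (an assumption about how the last cylinder is calculated).
    """
    if spec.isdigit():
        end = int(spec)
        if end < start:
            raise ValueError("end cylinder lies before the start cylinder")
        return end
    match = _RELATIVE_SIZE.match(spec)
    if not match:
        raise ValueError(f"cannot parse {spec!r}; use a cylinder number, +<n>M or +<n>G")
    amount, unit = float(match.group(1)), match.group(2)
    size_bytes = amount * (1024 ** 2 if unit == "M" else 1024 ** 3)
    cylinders = math.ceil(size_bytes / cylinder_bytes)
    return start + cylinders - 1


if __name__ == "__main__":
    # Constructed sample layout: two primaries, an extended, two logicals.
    print(plan_layout("/dev/sda", ["primary", "primary", "extended", "logical", "logical"]))
    print(end_cylinder(0, "+5G"))     # last cylinder of a 5 GB partition starting at 0
    print(layout_problem(["primary"] * 5))
```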
Figure 1-9
After entering the size, select OK to add the new extended partition to the partition
list.
Select a partition from the list and select Edit. You can edit only primary and logical
partitions with the Expert Partitioner. You cannot edit extended partitions or the entry
for the full hard disk.
If you edit a primary or logical partition, a dialog appears which is very similar to the
Create Partition dialog described above. You can change all options except for the
partition size.
After changing the partition parameters, select OK to save your changes to the
partition list.
To delete a partition, select a partition from the list, select Delete, and then select Yes
in the confirmation dialog. The partition is deleted from the partition list.
Remember that you also delete all logical partitions when you delete an extended
partition.
Note: Although you can resize a partition without deleting it to increase free space on the hard disk, you should always back up the data on the partition before resizing it.
If the selected partitions are formatted with the FAT or NTFS file system, do the
following before resizing the partition:
• FAT file system. To save time, first run Scan Disk and Defrag to make sure the FAT partition is free of lost file fragments and cross links and to move files to the beginning of the partition.
  If you have optimized virtual memory settings for Windows so that a contiguous swap file is used with the same initial (minimum) and maximum size limit, disable them before resizing and re-enable them after the resizing has been completed.
  Note: If these virtual memory settings are enabled, the resizing might split the swap file into many small parts scattered all over the FAT partition. Also, the entire swap file would need to be moved during the resizing, which makes the process rather slow.
• NTFS file system. You must run Scan Disk and Defrag to move the files to the beginning of the partition, or the NTFS partition cannot be resized.
Figure 1-10
  ◦ Now. In the Now bar, the used space is designated by dark blue and the available space is designated by light blue.
  ◦ After installation. In the After Installation bar, the used space is designated by dark blue and the free space is designated by light blue. The space that is available for a new partition is designated by white.
• A slider to change the size of the partition
• Two text fields that display the amount of free space on the partition being resized and the space available for a new partition after the resizing process
• A Do Not Resize button used to reset the partition to the original size
To resize the partition, move the slider until enough unused disk space is available for
a new partition. When you select OK, the partition size changes in the partition list.
To manage LVM (Logical Volume Manager) volumes, select the LVM button in the
YaST Expert Partitioner.
Note: SLES 9 supports only LVM version 2. For this reason, references to LVM in this section always refer to LVM version 2.
Using LVM you can create logical volumes, which spread over several physical disks
and partitions. Do not confuse logical volumes with the logical partitions inside the
extended partition of a physical hard disk.
You can use a logical volume like a physical partition. You can create a file system
on the volume and mount it at a mount point of your choice.
Note: You can also use the YaST Expert Partitioner to create logical volumes after installation. There are also command line tools for managing logical volumes. We do not recommend that you use LVM for the root partition of a system.
You need to understand the following terms connected with logical volumes:
• Logical volume group. A logical volume group is a group of physical partitions. The physical partitions can be spread over different hard disks.
• Logical volume. A logical volume is a part of a logical volume group. A logical volume can be formatted and mounted like a physical partition.
You can think of logical volume groups as logical hard disks and logical volumes as
partitions on those logical hard disks.
Before you can create a logical volume, you always need a logical volume group.
The following shows the relationship of physical partitions, logical volume groups,
and logical volumes:
[Diagram: physical partitions make up a logical volume group, from which logical volumes are created. Labels: Logical Volume Group, Physical Partition, Logical Volume, Physical Partition.]
If you select LVM in the YaST Expert Partitioner, the following appears:
Figure 1-12
You use this dialog to create a new logical volume group by entering the following:
• Volume Group Name. Enter the name of your volume group.
• Physical Extent Size. The physical extent size defines the smallest unit of a logical volume group, and the maximum size of a logical volume group. Entering a value of 4 MB allows a logical volume group of 256 GB.
If you are not sure which values to enter, use the default settings.
Figure 1-13
You can use the following options in this dialog to add physical partitions to your
logical volume group:
• Volume Group. Select the volume group that you want to add partitions to from the drop-down list.
• Size. Displays the current size of the selected logical volume group.
• Remove Group. Deletes the currently selected volume group. You can delete empty groups only.
• Add Group. Adds a logical volume group.
• Partition List. Select the partition you want to add to the volume group.
• Add Volume. Adds the selected partition to the volume group.
• Remove Volume. Removes the selected partition from the volume group.
Add partitions to your logical volume group, and then select Next to continue. The
following appears:
Figure 1-14
You can use the following options in this dialog to create logical volumes in your
logical volume group:
• Volume Group. Select the volume group that you want to create volumes in from this drop-down list.
• Space bar. Displays the available space of the selected volume group.
• Volume list. Displays physical partitions and logical volumes in the system.
• View all mount points. When you select this option, all partitions and volumes that have entries in /etc/fstab are displayed. Otherwise, only the volumes in the selected volume group are displayed.
• Add. Adds a new logical volume to the volume group. When you select Add, the following appears:
Figure 1-15
  This dialog is similar to the Create Partition dialog in the Expert Partitioner and includes the following options:
  ◦ Format. Lets you choose one of the following options:
    ▪ Do Not Format. Do not format the newly created volume. Select this option only if you want to change an existing volume instead of creating a new one.
    ▪ Format. Formats the new volume with the file system that you select from the drop-down list.
    You can choose one of the following file systems:
      ▫ Ext2. Formats the volume with the Ext2 file system. Ext2 is a dependable file system, but it doesn't include journaling.
      ▫ Ext3. Formats the volume with the Ext3 file system. Ext3 is the successor of Ext2 and offers a journaling feature.
      ▫ FAT. Formats the volume with the FAT file system. FAT is used by older versions of DOS and Windows. You can use this option to create a data volume that is accessible from both Windows and Linux.
      ▫ JFS. Formats the volume with JFS, a journaling file system developed by IBM.
      ▫ Reiser. Formats the volume with ReiserFS, a modern journaling file system. (This is the default option.)
      ▫ XFS. Formats the volume with XFS, a journaling file system originally developed by SGI.
      ▫ Swap. Formats the volume as a swap volume.
    If you are not sure which file system to choose, select Reiser for root and data volumes and Swap for swap volumes.
  ◦ Options. Select this button to change parameters for the selected file system. You can use the default parameters in most cases.
  ◦ Encrypt file system. Select this check box to encrypt the file system of the volume. You should only use this option for non-system volumes like user home directories.
  ◦ Logical volume name. Enter the name of the new logical volume.
  ◦ Size. Enter the size of the logical volume in this field. Use M for MB and G for GB. For example, enter 5G for a volume size of 5 GB.
  ◦ Max. Sets the size to the maximum available space of the volume group.
  ◦ Stripes. If you choose a value larger than 1 from this drop-down list, every file written to the volume is spread in small pieces (stripes) over all physical devices in the volume group.
    This enhances disk performance by using all available disks at the same time.
    The number of stripes you select must not exceed the number of physical disks in the system.
    If you need more performance than a single disk can deliver, this might be a good option for you. However, a real hardware RAID system is normally a much better choice.
  ◦ Stripe Size. Select the size of a single stripe.
  ◦ Fstab Options. Select this option to edit the fstab entry for this volume. The default setting should work in most cases.
  ◦ Mount Point. Select the mount point of the new volume from this drop-down list. You can also enter a mount point manually if the mount point you want is not available in the list.
After selecting all options for the new volume, select OK to add the volume.
• Edit. Change the parameters of a selected volume.
  The dialog to edit a volume has the same options as the dialog to create volumes (already described). You can also edit logical volumes directly from the Partition list in the Expert Partitioner.
• Remove. Remove a selected volume. You can also remove logical volumes directly from the Partition list in the Expert Partitioner.
When you are finished with the logical volume setup, select Next to save the settings
and return to the Expert Partitioner.
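The extent-based allocation behind the Physical Extent Size, Size and Stripes options above, as an added example that is not course material and not YaST's or LVM's own code: a small model of a volume group that rounds volume sizes up to whole extents and applies the rule that stripes must not exceed the number of physical devices. The extent limit of 65536 (4 MB extents giving the 256 GB stated above), the sample devices /dev/sda5 and /dev/sdb1, and the allocation order are assumptions.

```python
"""Added example (not from the course or YaST): a model of a logical volume
group that hands out physical extents to linear and striped logical volumes."""
import math

MB_PER_UNIT = {"M": 1, "G": 1024}   # the units the Size field accepts


def parse_size_mb(spec):
    """'5G' -> 5120, '512M' -> 512."""
    unit = spec[-1:].upper()
    if unit not in MB_PER_UNIT or not spec[:-1].isdigit():
        raise ValueError(f"cannot parse size {spec!r}; use <n>M or <n>G")
    return int(spec[:-1]) * MB_PER_UNIT[unit]


class VolumeGroup:
    """Physical partitions contribute extents; logical volumes consume them."""

    # Assumed extent limit: 65536 extents of 4 MB give the 256 GB the text states.
    MAX_EXTENTS = 65536

    def __init__(self, name, pe_size_mb=4):
        self.name = name
        self.pe_size_mb = pe_size_mb
        self.free = {}      # device -> free extents on that physical partition
        self.volumes = {}   # logical volume name -> extents allocated to it

    def max_size_mb(self):
        return self.MAX_EXTENTS * self.pe_size_mb

    def used_extents(self):
        return sum(self.free.values()) + sum(self.volumes.values())

    def fits(self, size_mb):
        """Would a partition of this size keep the group under the extent limit?"""
        return self.used_extents() + size_mb // self.pe_size_mb <= self.MAX_EXTENTS

    def add_partition(self, device, size_mb):
        """Add a physical partition; a trailing partial extent is unusable."""
        if not self.fits(size_mb):
            raise ValueError(f"group would exceed {self.max_size_mb()} MB "
                             f"with {self.pe_size_mb} MB extents")
        self.free[device] = size_mb // self.pe_size_mb

    def free_mb(self):
        return sum(self.free.values()) * self.pe_size_mb

    def can_create(self, size_spec, stripes=1):
        """Return the rule a request violates, or None if it can be allocated."""
        needed = math.ceil(parse_size_mb(size_spec) / self.pe_size_mb)
        if stripes < 1 or stripes > len(self.free):
            return "the number of stripes must not exceed the number of physical devices"
        if needed > sum(self.free.values()):
            return f"only {self.free_mb()} MB free in volume group {self.name}"
        if stripes > 1:
            # Each stripe gets an equal slice, so the stripes-th fullest device
            # must still hold size/stripes extents.
            per_device = math.ceil(needed / stripes)
            if sorted(self.free.values())[-stripes] < per_device:
                return "every striped device needs size/stripes free extents"
        return None

    def create_volume(self, name, size_spec, stripes=1):
        """Allocate a volume; return its real size in MB (rounded up to extents)."""
        problem = self.can_create(size_spec, stripes)
        if problem:
            raise ValueError(problem)
        needed = math.ceil(parse_size_mb(size_spec) / self.pe_size_mb)
        if stripes == 1:
            # Linear volume: take extents from the partitions in order (assumed order).
            remaining = needed
            for device in self.free:
                take = min(remaining, self.free[device])
                self.free[device] -= take
                remaining -= take
        else:
            # Striped volume: equal slices on the devices with the most free space.
            per_device = math.ceil(needed / stripes)
            for device in sorted(self.free, key=self.free.get, reverse=True)[:stripes]:
                self.free[device] -= per_device
            needed = per_device * stripes
        self.volumes[name] = needed
        return needed * self.pe_size_mb


if __name__ == "__main__":
    # Constructed sample: two 10 GB partitions on different disks in one group.
    vg = VolumeGroup("system")
    vg.add_partition("/dev/sda5", 10240)
    vg.add_partition("/dev/sdb1", 10240)
    print(vg.create_volume("data", "5G"), "MB linear")
    print(vg.create_volume("home", "3G", stripes=2), "MB striped over two disks")
    print(vg.can_create("1G", stripes=3))
```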
EVMS is a similar approach to LVM. The latest versions of EVMS and LVM both use
the device mapper of the kernel to manage logical volumes. However, YaST's
configuration tools are not as developed for EVMS as they are for LVM, so EVMS is
not covered in as much detail in this section.
The EVMS setup is very similar to the LVM setup with the exception that logical
volume groups are called containers in EVMS.
After selecting EVMS in the YaST Expert Partitioner, you create a container and add
physical partitions to it. Then you can create logical volumes in the container, format
them with a file system, and choose a mount point for them.
You can also use striping to enhance the performance of your EVMS volumes.
To manage soft RAID (Redundant Array of Inexpensive Disks) setups, select RAID
in the YaST Expert Partitioner.
The purpose of RAID is to combine several hard disk partitions into one large virtual
hard disk for optimizing performance and improving data security.
Hardware RAID provides better performance and data security than software RAID,
but it is also much more expensive. Use software RAID to enhance disk performance
and security if you cannot afford a hardware RAID solution.
You combine hard disks according to RAID levels. Using YaST you can set up RAID
levels 0, 1, and 5 (RAID levels 2, 3, and 4 are not available with software RAID):
• RAID 0. This level improves the performance of your data access. With RAID 0, 2 hard disks are pooled together. Disk performance is very good, but the RAID system is vulnerable to a single point of failure. If one of the 2 disks fails, the system is destroyed and the data is lost.
• RAID 1. This level provides enhanced security for your data because the data is copied to both hard disks. This is also known as hard disk mirroring. If one disk is destroyed, a copy of its contents is available on the other disk.
By selecting Crypt File, you can create an encrypted file system within a file. This
file can be mounted and used like a normal partition.
You can use a crypt file to securely store confidential data on your computer.
We do not recommend that you create crypt files during the installation process, as
the file systems to create the crypt file on are not yet available.
To create a crypt file, start the YaST Partitioning Module after the installation process
has finished.
When you finish configuring settings in the Expert Partitioner, return to the
installation proposal by selecting Next.
Depending on the available disk space, YaST selects one of the following predefined
systems and displays it in the installation proposal:
• Minimal System (recommended only for special purposes). This includes the core operating system with various services, but without any graphical user interface. Select this system type for servers that require little direct user interaction.
• Minimal Graphical System (without KDE). If you do not want the KDE desktop or if there is insufficient disk space, install this system type. The installed system includes the X Window System and a basic window manager. You can use all programs that have a graphical user interface.
• Default System (with KDE). This system type includes the KDE desktop, most of the KDE programs, and the CUPS print server. If possible, YaST selects this system type by default.
• Full Installation. This system type includes all packages that ship with SLES 9, except those that create dependency conflicts.
When you select Software in the installation proposal, a dialog appears that lets you
change the preselected system type to a different one.
Figure 1-16
You can select the following options in this dialog to configure software selections:
• Filter. The Package Manager can display different views of the available software packages. These views are displayed in the area below the drop-down list and include the following:
  ◦ Selection. Displays the packages in logical selections. All packages in a selection can be installed by selecting the check box.
  ◦ Package Groups. Displays the packages in a hierarchical tree view.
  ◦ Search. Displays a search dialog to search for packages.
  ◦ Installation Summary. Displays a summary of the packages selected for installation.
• Individual package list. Individual packages are listed on the right side of the Package Manager window. The content of this list depends on the filter selection. You can install a package by selecting the check box for that package.
  Details for the currently selected package are displayed below the package list.
• Disk usage. The disk usage of the currently selected software package is displayed in the lower left corner of the Package Manager window.
• Check Dependencies. Select this option to check the dependencies of the selected packages. This check is also done when you confirm the package selection dialog.
• Autocheck. If this check box is selected, dependencies are checked every time you select or deselect a package.
Confirm your package selection and return to the installation proposal by selecting
Accept.
During installation, YaST proposes a boot configuration for your system. Normally,
you should leave these settings unchanged. However, if you need a custom setup, you
can modify the proposal.
To change the configuration of the boot loader, select Booting in the installation
proposal to display the following:
Figure 1-17
This dialog lists the current boot loader configuration settings with 3 columns for each setting:
- Ch. Indicates whether an entry has been changed.
- Option. Displays the boot loader option.
- Value. Displays the value of the option.
You can use Edit Configuration Files to edit the configuration files in a text editor.
When you finish, save your changes by selecting OK.
For less experienced users, the configuration with YaST is easier than editing the files
directly. Select a boot loader option in the list and select Edit to open a dialog to
change the settings. Confirm the changes and return to the Boot Loader Setup menu
by selecting OK.
The available options in the Boot Loader Setup dialog depend on the boot loader
used. The following introduces some options of the default boot loader GRUB:
- Boot Loader Type. Use this option to switch between GRUB and LILO. You can also create a new configuration from scratch or generate and edit a suggestion for a configuration.
- Boot Loader Location. Use this dialog to define where to install the boot loader:
  - In the master boot record (MBR)
  - In the boot sector of the boot partition (if available)
  - In the boot sector of the root partition
  - On a floppy disk
  - Use Others to manually specify a different location
- Disk Order. If your computer has more than one hard disk, specify the boot sequence of the disks as defined in the BIOS setup of the machine.
- Default Section. Sets the kernel or operating system that should be booted by default. The selected system is booted after a timeout. Select Edit to display a list of all boot menu entries. Select an entry from the list and select Set as Default.
- Available Sections. Lists all existing entries of the boot menu.
- Activate Boot Loader Partition. Activates the partition whose boot sector holds the boot loader.
- Replace Code in MBR. Specifies whether to overwrite the MBR. This might be necessary if you have changed the location of the boot loader.
- Back up Affected Disk Areas. Backs up the changed hard disk areas.
- Add Saved MBR to Boot Loader Menu. Adds the backed up MBR to the Boot Loader menu.
Use Time-out to define how many seconds the boot loader should wait for keyboard input before the default system is booted. You can specify a number of other options with Add. However, these options require a thorough understanding of the boot loader and are not covered here.
After finishing the boot loader configuration, return to the installation proposal by
selecting Finish.
After customizing the installation proposal, select Accept. A dialog appears asking you to confirm the proposal. Start the installation process by selecting Yes, install; return to the installation proposal by selecting No.
Before installing software packages, YaST changes the hard disk partitioning.
Depending on your software selection and the performance of your system, the
installation process takes 15–45 minutes.
During the installation, YaST asks you to change the installation CDs. Insert the
requested CD and continue the installation by selecting OK.
After all software packages are installed, YaST reboots the computer and lets you
make configuration changes.
root is the name of the superuser, the administrator of the system. Unlike regular users, who might not have permission to do certain things on the system, root has unlimited power to do anything, including the following:
- Access every file and device in the system
- Change the system configuration
- Install programs
- Set up hardware
The root account should only be used for system administration, maintenance, and repair. Logging in as root for daily work is risky: a single mistake can lead to irretrievable loss of many system files.
To let you set the root password during the installation process, YaST displays the
following:
Figure 1-18
You should choose a password that cannot be guessed easily. Use numbers, lowercase and uppercase characters to avoid dictionary attacks.
By selecting Expert Options, you can choose the password encryption algorithm. In most cases, you can keep the default settings.
After entering the root password, continue to the next configuration step by selecting
Next.
To let you configure the network connection of your system, YaST displays the
following:
Figure 1-19
In the top part of the dialog, you can choose one of the following options:
- Skip Configuration. Skip the network configuration for now. You can configure the network connection later in the installed system.
- Use Following Configuration. Use the network configuration proposal displayed in the area below.
You can change a configuration by selecting the headline of the entry or by selecting
the entry from the Change drop-down list. This menu lets you reset all settings to the
defaults generated by YaST.
If you are not sure which settings to use, stay with the defaults generated by YaST.
After starting the network interface configuration, YaST displays a general network configuration dialog. The top part lists all network cards that were detected but are not configured yet. Devices that could not be detected are listed as Other (not detected).
If you want to configure a network card that was not automatically detected, select
Other (not detected) to display the following:
Figure 1-20
- Wireless Settings. If you are within the reach of a wireless network and your network card is designed for this wireless network type, select Wireless Settings to set the operating mode, the network name (ESSID), the network identifier (NWID), the encryption key, and a nickname.
After setting these options, confirm by selecting OK.
Confirm the network device setup and return to the network device overview by
selecting Next. Then save the network device setup and return to the network
configuration proposal by selecting Finish.
YaST then asks you to test your connection to the Internet. Select one of the following options:
- Yes, Test Connection to the Internet. YaST tries to test the Internet connection by downloading the latest release notes and checking for available updates. If you select this option, the results are displayed on the next dialog.
- No, Skip This Test. Skip the connection test. If you skip the test, you can't update the system during installation.
If the Internet connection test was successful, you can select whether to perform a
YaST online update. If there are any update packages available on the SUSE update
servers, you can download and install them now to fix known bugs or security issues.
To perform the software update, select Perform Update Now, and then select OK. YaST's online update dialog opens with a list of available patches (if any).
Select the patches you want to install, and then start the update process by selecting
Accept.
You can also select Skip Update to perform the update later in the installed system.
In the next installation step, YaST displays the Service Configuration dialog.
In the top part of the dialog, you can choose one of the following options:
- Skip Configuration. Skip this configuration step. You can enable the services later in the installed system.
- Use Following Configuration. Use the automatically generated configuration displayed below this option or select one of the following headlines to change the configuration:
  - CA Management. The purpose of a CA (certificate authority) is to guarantee a trust relationship among all network services that communicate with each other. If you decide that you do not want to establish a CA, you must secure server communications using SSL and TLS separately for each individual service. By default, a CA is created and enabled during the installation.
  - LDAP Server. You can run an LDAP service on your host to have a central facility managing a range of configuration settings. Typically, an LDAP server handles user account data, but with SLES 9, you can also use LDAP for mail, DHCP, and DNS related data. By default, an LDAP server is set up during installation. If you decide not to use an LDAP server, the YaST mail server module does not work because it depends on LDAP. However, you can still set up a mail server on your system using the Mail Transfer Agent module.
If you are not sure about the correct settings, keep the defaults generated by YaST.
You can change the configuration later in the installed system.
Manage Users
Figure 1-21
If you are not sure which method to select, stay with LDAP, which is the default for
SLES 9.
Depending on which authentication method you select, you use one of the following
to add users to the system:
- Configure the Host as a NIS Client
- Configure the System as LDAP Client
- Add Local Users
Figure 1-22
From this dialog, you can set up your system as an NIS client with the following options:
- NIS client. Select whether the host has a fixed IP address or is assigned an IP address by DHCP. If you select DHCP, you cannot specify an NIS domain or an NIS server address manually, because these are provided by the DHCP server. If a static IP address is used, specify the NIS domain and the NIS server manually. To search for NIS servers broadcasting in the network, select Find. For each domain, select Edit to specify several server addresses or enable the broadcast function on a per-domain basis.
- Expert. Select this option to display the Expert Settings dialog. Select Answer to the Local Host Only to prevent other network hosts from being able to query which server your client is using. Select Broken Server to accept responses from servers on unprivileged ports.
Figure 1-23
From this dialog, you can configure your system as an LDAP client. The default
configuration uses the locally installed LDAP server.
If you are not sure how to configure the LDAP setting and you want to use the locally
installed LDAP server, keep the default settings.
A dialog appears to add a user to the local LDAP server, which includes the same fields as the Add local users dialog.
Figure 1-24
You can use the following in this dialog to add local users to the system (account information is stored in the files /etc/passwd and /etc/shadow):
- User Data. Enter the full user name, the login name, and the password. To provide effective security, a password should be 5-8 characters long. The maximum length for a password is 128 characters. However, if no special security modules are loaded, only the first eight characters are used to discern the password. Passwords are case-sensitive. Numbers 0-9 and special characters (7-bit ASCII) are allowed, but special characters might be hard to enter depending on the keyboard layout.
- Password Settings. Select this option to change advanced password settings (such as password expiration). The default settings are suitable in most cases.
- Details. Select this option to edit details of the user account. The default settings are suitable in most cases.
- Receive System Mail. Select this option to forward all system email to this user. Usually system notifications are only sent to the root user.
- Automatic Login. Select this option to enable automatic login for this user. This option logs in the user automatically (without requesting a password) when the system starts. You should not enable this feature on a production system.
- User Management. Select this option to add more users (with the YaST User Management module).
Note: You can add other users later (after installation), but you should create at least 1 user during installation so you don't have to work as the user root after the system has been set up.
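The following is an added example, not part of the Novell courseware, that ties the password encryption algorithm chosen under Expert Options to the eight-character limit described above: it classifies the hash in each /etc/shadow entry and reports accounts that still carry a traditional DES crypt hash (where only the first eight password characters count), accounts with no password at all, and passwords that never expire. The sample shadow lines, user names and hash strings are constructed placeholders in the right format, not real hashes.

```python
"""Audit /etc/shadow entries for weak password-hash formats and missing expiry."""
import re
from dataclasses import dataclass

# Traditional DES crypt output: 2 salt characters + 11 hash characters, all
# drawn from the alphabet [./0-9A-Za-z], with no "$id$" prefix in front.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# crypt(5)-style prefixes of the modular hash formats.
_PREFIXES = (("$1$", "MD5"), ("$2a$", "Blowfish"), ("$2b$", "Blowfish"),
             ("$2y$", "Blowfish"), ("$5$", "SHA-256"), ("$6$", "SHA-512"))
# shadow(5) "maximum password age" values that effectively disable expiry.
_NO_EXPIRY = {"", "99999"}


@dataclass
class Finding:
    user: str
    algorithm: str
    issues: list


def classify_hash(field: str) -> str:
    """Name the algorithm behind one shadow password field."""
    if field == "":
        return "NONE"          # empty field: the account has no password at all
    if field.startswith(("!", "*")):
        return "LOCKED"        # password locked or password login disabled
    for prefix, name in _PREFIXES:
        if field.startswith(prefix):
            return name
    if _DES_RE.match(field):
        return "DES"
    return "UNKNOWN"


def audit_shadow(text: str) -> list:
    """Return one Finding per shadow entry that has at least one issue."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        if len(fields) != 9:
            findings.append(Finding(user, "MALFORMED",
                                    ["expected 9 colon-separated fields"]))
            continue
        algorithm = classify_hash(fields[1])
        issues = []
        if algorithm == "NONE":
            issues.append("no password set: anyone can log in as this user")
        elif algorithm == "DES":
            issues.append("DES crypt: only the first 8 password characters are significant")
        elif algorithm == "UNKNOWN":
            issues.append("unrecognised hash format")
        # Password aging only matters for accounts that can actually log in.
        if algorithm not in ("LOCKED", "NONE") and fields[4] in _NO_EXPIRY:
            issues.append("password never expires")
        if issues:
            findings.append(Finding(user, algorithm, issues))
    return findings


# Constructed sample file; the hash strings are placeholders in the right
# format, not real hashes of any password.
SAMPLE_SHADOW = """\
root:$2a$05$abcdefghijklmnopqrstuuXq7t9EuXhH7zWjO0t8M1zvx2y5hUMoi:14610:0:99999:7:::
geeko:$1$saltsalt$q1w2e3r4t5y6u7i8o9p0a1:14610:0:90:7:::
legacy:ab3Fjq9XyZ.k1:14610:0:99999:7:::
svc:!:14610::::::
guest::14610:0:99999:7:::
daemon:*:14610:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding.user:8} {finding.algorithm:9} " + "; ".join(finding.issues))
```

Run against a real /etc/shadow (root only) the report is the same three classes of finding, which is what to check after changing the algorithm in Expert Options, since existing hashes keep their old format until the password is changed.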
Configure Hardware
Next you configure the hardware of the system from the following:
Figure 1-25
To change the automatically generated configuration, select the headline of the item
you want to change, or select the corresponding entry in the Change drop-down list.
You can also use the Change drop-down list to reset all settings to the automatically
generated configuration proposal.
You can skip the hardware configuration at this time and configure your devices later
in the installed system. However, if the settings of the graphics card in the
configuration proposal are not correct, you should change them now to avoid
problems during the first system start.
If you select the headline Graphics Cards, YaST starts the SaX2 configuration tool
to configure the graphics card settings. The following appears:
Figure 1-26
In the left navigation bar, the following main items are displayed:
- Display. Configure your monitor, graphics card, color depth, resolution, and the position and size of the screen.
- Input Devices. Configure the keyboard, mouse, touchscreen monitor, and graphics tablet.
- Multihead. Configure multiple screens.
- AccessX. Configure AccessX to control the mouse pointer with the keyboard.
The first 3 items have subitems that are displayed on the right side of the dialog, or you can access them by selecting the + character in front of every item.
In most cases, the automatically generated configuration should be correct, although you might need to do the following:
- Change the Monitor Settings
- Change the Color Depth and Resolution Settings
If the installation does not detect your monitor, you can change the monitor model.
Select Display on the left side of the dialog; then select Monitor on the right side of
the dialog. At the bottom of the dialog, change the monitor settings by selecting
Change Configuration.
Figure 1-27
Note: Make sure that the frequency settings are within the limits of your monitor. Your monitor could be ruined if you use inappropriate settings.
- Expert. You can change some expert settings like the Modeline Algorithm or the Display size.
After selecting the correct monitor model, return to the overview by selecting OK
and Finish.
You can change the color or resolution settings by selecting Desktop and Color and
Resolution.
Figure 1-28
Note: Make sure that your monitor can handle all of the selected resolutions. Otherwise your monitor could be ruined when the graphic engine starts up.
Change the color and resolution settings; then return to the configuration overview
by selecting OK and Finish.
Select Finalize after making all changes. Confirm the next dialog by selecting Test.
Figure 1-29
You can use this dialog to fine tune the X Server settings such as changing the
position and the size of the displayed area.
Confirm your hardware settings by selecting Next, and then select Finish. The
system starts the graphical login screen, where you can log in with your previously
created user. SLES 9 is installed on your system.
The following table contains an overview of the most common installation problems, possible causes, and solutions:
Problem: The system does not start from the installation media.
  Possible causes:
  - The system is not configured to boot from the CD or DVD drive.
  - The CD or DVD drive is defective.
  - The installation CD or DVD is defective.
  Solutions:
  - Enter the BIOS setup of the system and choose the CD or DVD drive as the first boot drive. Read the system manual for details about the BIOS setup.
  - Try to boot a different system with SLES 9 CD 1. If it works, the CD or DVD drive of the actual system might be defective.
  - If the installation CD does not boot on a different system, the CD or DVD itself could be defective. Contact your reseller to exchange the SLES 9 CD or DVD set.
Problem: The installation program does not start.
  Possible causes:
  - Your system does not support newer hardware features correctly.
  - Your system has less than 256 MB of main memory.
  Solutions:
  - Select Installation – ACPI Disabled. If that doesn't fix the problem, select Installation – Safe Settings from the Boot menu of the CD or DVD.
  - Install at least 256 MB of main memory and start the installation again.
Problem: The installation process stops.
  Possible causes:
  - Your system does not support newer hardware features correctly.
  - The installation CD or DVD is defective.
  Solutions:
  - Select Installation – ACPI Disabled. If that doesn't fix the problem, select Installation – Safe Settings from the Boot menu of the CD or DVD.
  - If the installation process also stops on a different system, the CD or DVD could be defective. Contact your reseller to exchange the SLES 9 CD or DVD set.
Problem: The network connection test or Online Update fails.
  Possible causes:
  - There is no DHCP server in the network.
  - There is no route to the Internet.
  - The system is using the wrong Proxy settings.
  Solutions:
  - If you configured your network card to use DHCP, assign a static IP address and configure routing and DNS settings manually.
  - Set the default gateway correctly.
  - Set the right proxy configuration in the network configuration dialog.
  - You can also skip the connection test and the Online Update and perform an Online Update in the installed system.
Problem: The graphical login does not appear after the installation is completed.
  Possible cause:
  - You are using the wrong X11 configuration.
  Solution:
  - Change to a text terminal and change to run level 3. Start SaX2 from the command line and correct the X11 configuration. Change back to run level 5 to get a graphical login screen.
Do the following:
1. Turn on the computer.
2. Insert SLES 9 CD 1 into the CD-ROM drive.
3. Reboot the computer by selecting the Reset button or by pressing Ctrl+Alt+Del.
4. (Conditional) If your computer does not boot from the CD-ROM drive, adjust the
BIOS settings and reboot the computer.
5. When the GRUB installation screen appears, select Installation with the arrow
keys and press Enter.
Do the following:
1. When YaST displays the Novell Software License Agreement, select I Agree.
2. From the language selection dialog, select your language; then select Accept.
Note: Although you can select any available language, the exercises in this manual are written for English US.
Do the following:
1. Change the partitioning settings by scrolling to and selecting Partitioning.
2. Select Create custom partition setup; then select Next.
3. Select Custom partitioning -- for experts; then select Next.
4. Delete existing partitions:
a. From the Expert Partitioner dialog, check for any existing partitions in the
partition list.
b. If there are partitions, select the hard disk entry of the corresponding
partitions (such as hda or hdc).
c. Delete all existing partitions on the selected hard disk by selecting Delete.
d. When you are asked to confirm the deletion, select Yes.
e. (Conditional) If there is more than one hard disk containing partitions in the
system, repeat Steps b, c, and d until only the hard disk entries are left in the
list.
5. Create a swap partition:
a. From the partition list, select the hard drive entry; then select Create.
If you have more than one hard disk, select the larger disk.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +512M.
d. From the File system drop-down list, select Swap.
e. Add the swap partition by selecting OK.
6. Create the root partition:
a. Select the same hard disk you used for the swap partition; then select Create.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +6GB.
d. Make sure that the following options are set:
  - Reiser should be selected from the File system drop-down list.
  - / should be selected from the Mount Point drop-down list.
e. Add the root partition by selecting OK.
7. Create a partition for the directory /srv (used in the Apache and Samba server
exercises):
a. Select the same hard disk you used for the swap and root partitions; then
select Create.
b. Select Primary partition; then select OK.
Leave the size settings as suggested by YaST. The last partition will use the
rest of the available hard disk space.
c. Make sure that the File system drop-down list is set to Reiser.
d. From the Mount Point drop-down list, select /srv.
e. Add the /srv partition by selecting OK.
8. Confirm the partitioning setup and return to the installation proposal by selecting
Next.
Part IV: Add Compiler and Development Tools to the Software Selection
Do the following:
1. From the installation proposal dialog, scroll to and select Software.
2. Select Detailed selection.
3. In the list on the left side of the package selection dialog, select C/C++ Compiler
and Tools.
4. Return to the installation proposal by selecting Accept.
Do the following:
1. From the installation proposal, select Accept.
2. From the confirmation dialog, select Yes, install.
YaST asks you to change CDs during the installation process.
3. Insert each requested CD and select OK.
Do the following:
1. In the first field, enter novell.
2. In the second field, enter novell.
3. Continue by selecting Next.
You are warned that the password is too simple.
4. Continue by selecting Yes.
You are warned that you are using only lowercase letters.
5. Continue by selecting Yes.
Do the following:
1. Before setting up your network connection, fill in the IP address and Host name
for your computer assigned to you by the instructor:
  - IP address:
  - Network mask: 255.255.255.0
  - Host name:
  - Domain name: digitalairlines.com
  - Name server: 10.0.0.254
  - Default gateway: 10.0.0.254
2. From the Network Configuration proposal, select Network Interfaces.
3. Do one of the following:
  - If your network card appears in the Network cards to configure list, select Configure; then select the first detected network card and select Configure.
  or
  - If your network card appears in the Already configured devices list, select Change; then select your network card and select Edit.
4. Select Static address setup.
5. In the IP Address field, enter your IP address.
6. In the Subnet mask field, enter 255.255.255.0.
7. Configure the host name and name server:
a. Select Host name and name server.
b. Enter your host name.
c. Enter a domain name of digitalairlines.com.
d. In the Name Server 1 field, enter the name server address 10.0.0.254.
e. Return to the Network setup dialog by selecting OK.
8. Configure routing:
a. Select Routing.
b. In the Default Gateway field, enter 10.0.0.254.
c. Return to the Network setup dialog by selecting OK.
9. Return to the Network Configuration dialog by selecting Next.
10. Continue with the installation by selecting Finish; then select Next.
11. From the Test Internet Connection dialog, select No, Skip This Test; then select
Next.
Do the following:
1. From the Service Configuration dialog, accept the default settings by selecting
Next.
2. For the authentication method, select LDAP; then select Next.
3. Accept the defaults in the LDAP Client Configuration dialog by selecting Next.
4. Add a user:
a. First Name: Geeko
b. Last Name: Novell
c. User Login: geeko
d. Password: N0v3ll (a zero; not an uppercase o)
e. Verify password: N0v3ll
f. Create the user by selecting Next.
Do the following:
1. From the Release Notes dialog, select Next.
2. Adjust the monitor settings:
a. Review the information displayed below the Graphics Cards entry of the
Hardware Configuration proposal.
b. Make sure that the monitor model, the resolution, and the refresh rate are
appropriate for your hardware.
c. (Conditional) If the settings are correct, select Next; then skip the following
steps for monitor configuration and go to Step 4.
d. If the automatically generated settings are not appropriate, select Graphics
Cards.
e. From the left side of the dialog, change the monitor model by expanding
Desktop; then select Monitor.
f. Select Change configuration.
Do the following:
1. When the GUI login screen appears, log in as geeko with a password of N0v3ll.
2. From the KDE desktop, select the YaST icon; then enter a password of novell and
select OK.
3. From the YaST Control Center, select Network Services > NTP Client.
4. Select When Booting System.
5. In the NTP Server field, enter 10.0.0.254.
6. Select Finish.
As a post-installation procedure, you want to make sure you have updated your
installation with the latest patches available from Novell SUSE LINUX.
In this part of the exercise, you update your SLES 9 installation using a YOU server
available on DA1.
Do the following:
1. From the YaST Control Center, select Software > Online Update.
The Welcome to YaST Online Update dialog appears.
2. From the Installation source drop-down list, select User-Defined Location.
3. In the Location field, enter http://DA1/YOU.
4. Continue by selecting Next.
The YOU update dialog appears with all the patches available.
From this dialog you can filter the patch list view and select or deselect the
patches you want to install.
5. From YaST Online Update Patch list, make sure the Optional patches (black) are
deselected.
6. Make sure all the Security (red) and Recommended (blue) patches are selected.
7. Continue by selecting Accept.
One or more warning messages appear.
8. For each warning message, select Install Patch.
YaST downloads and installs the patches.
9. When the process is complete (or during the process), select Remove Source Packages after Update.
10. When the patches have been installed, update the system configuration by
selecting Finish.
11. Reboot the X Window server by pressing Ctrl+Alt+Del; then select Logout.
13. Select Restart computer and enter a password of novell; then select OK.
14. After the system reboots, log back in to the KDE desktop as geeko with a password
of N0v3ll.
(End of Exercise)
Summary

Objective 1: Perform the SLES 9 Base Installation
In the base installation, the hard disks are prepared and the software packages are installed. The following tasks belong to the base installation step:
- Boot from the installation media
- Select the language
- Select the installation mode
- Understand and change the installation proposal
- Perform hard disk partitioning
- Configure LVM devices
- Change the software selection
- Configure the boot loader
- Launch the installation process

Objective 2: Configure the SLES 9 Installation
In the configuration step, you customize and configure the installed system. The following tasks belong to the configuration step:
- Set the root password
- Configure the network
- Test the Internet connection
- Perform the Online Update
- Configure Network Services
- Manage Users
- Configure Hardware
- Finalize the Installation Process

Objective 3: Troubleshoot the Installation Process
SLES 9 has been installed and tested on many different machines and hardware platforms. However, installation problems can still occur. They are typically caused by one of the following:
- The system is not configured to boot from the CD or DVD drive.
- The CD or DVD drive is defective.
- The installation CD or DVD is defective.
- The system does not support newer hardware features (ACPI) correctly.
- There is no DHCP server in the network.
- There is no route to the Internet.
- You are using the wrong proxy settings.
- You are using the wrong X11 configuration.
Configure the Network Manually
In this section, you learn how to configure network devices manually. You also learn
how to configure routing with command line tools and how to save the network setup
to configuration files.
Objectives
1. Understand Linux Network Terms
2. Set Up Network Devices With the ip Tool
3. Save Device Settings to a Configuration File
4. Set Up Routing With the ip Tool
5. Save Routing Settings to a Configuration File
6. Configure Host Name and Name Resolution
7. Test the Network Connection With Command Line Tools
Introduction
Although almost every step of a network configuration is done for you when you use
YaST, it is sometimes useful to configure the network settings manually. For testing
and troubleshooting, it can be much faster to change the network setup from the
command line.
Changing the network card configuration at the command line is especially useful for
testing; but if you want a configuration to be permanent, you must save it in a
configuration file. These configuration files are generated automatically when you set
up a network card with YaST.

Note: As a normal user you can run /sbin/ip only to display the current network setup. To change the
network setup, you must be logged in as root.
IP Address Setup
To display the IP address setup of all devices, enter the following command:

ip address show

The output lists one entry per network device. Every device entry starts with a
digit, the interface index, followed by the device name on the same line.
You always have entries for the loopback (lo) and sit devices. Depending on your
hardware setup, you see one or more Ethernet devices (eth0, eth1, ...) as well.
Several lines of information are displayed for every network device. For the Ethernet
device in this example, the first line carries the two most important items, the device
index (2) and the device name (eth0), followed by additional attributes set for the
device.
The line starting with link/ether shows the hardware (MAC) address of the Ethernet
adapter (00:30:05:4b:98:85).
The line starting with inet shows the IPv4 address (10.0.0.2), followed by a / and the
length of the network mask in bits (24), and the broadcast address (10.0.0.255) after
brd.
The line starting with inet6 shows an IPv6 link-local address. It is assigned automatically,
even though IPv6 is not used in the network connected to the device, and is generated
from the hardware address of the device; it is not a sign of a misconfiguration.
Depending on the device type, the information can differ. However, the most
important information (such as assigned IP addresses) is always shown.
Device Attributes
If you are only interested in the device attributes and not in the IP address setup, you
can enter the following command:
ip link show
Device Statistics
You can use the option -s with the ip command to display additional statistics about
the devices:

ip -s link show

By giving the device name at the end of the command line, you limit the output to
one specific device. This also works when displaying the address setup or the device
attributes:

ip -s link show eth0

In addition to the attributes shown by ip link show, two sections of counters are
displayed for every device. Each section has a headline describing its columns.
The section starting with RX covers received packets, and the section starting with TX
covers sent packets. Rising values in the errors or dropped columns point to problems
at the driver or link level.
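The following script is an added example and is not part of the Novell courseware. It uses the -o (one record per line) option of ip, which the text above does not mention, to make the output parseable, and joins "ip -o link show" with "ip -o -4 address show" into one inventory line per device: index, name, hardware address, first IPv4 address with prefix length, broadcast address, and a note that flags devices which are UP without an IPv4 address or which have fallen back to a 169.254.0.0/16 autoconfiguration address (usually a failed DHCP lease). The sample output is constructed so the script runs offline; the eth0 values match the device described above, eth1 and sit0 are invented, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Novell courseware): build a one-line-per-device
# inventory from "ip -o link show" and "ip -o -4 address show". The -o option
# prints every record on one line (continuation lines become "\"), which is
# what makes the output safe to parse with awk.

# Constructed sample output, embedded so the script runs offline. The eth0
# values match the device discussed in the text; eth1 and sit0 are invented.
sample_links() {
cat <<'EOF'
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000\    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000\    link/ether 00:30:05:4b:98:86 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop \    link/sit 0.0.0.0 brd 0.0.0.0
EOF
}

sample_addrs() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 169.254.7.12/16 brd 169.254.255.255 scope link eth1
EOF
}

# net_inventory LINKFILE ADDRFILE
# Prints one line per device: index name mac ipv4/prefix broadcast note
# note is ok, link-local (169.254/16 fallback address), no-ipv4 (device is
# UP but carries no IPv4 address) or down.
net_inventory() {
    awk '
    FNR == NR {                          # first file: ip -o link show
        idx = $1; sub(/:$/, "", idx)
        name = $2; sub(/:$/, "", name)
        order[++n] = idx; names[idx] = name; flags[idx] = $3; macs[idx] = "-"
        for (i = 1; i <= NF; i++) if ($i ~ /^link\//) macs[idx] = $(i + 1)
        next
    }
    {                                    # second file: ip -o -4 address show
        idx = $1; sub(/:$/, "", idx)
        a = "-"; b = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "inet") a = $(i + 1)   # inet6 lines are ignored
            if ($i == "brd")  b = $(i + 1)
        }
        if (a ~ /^169\.254\./) ll[idx] = 1
        if (a != "-" && !(idx in addrs)) { addrs[idx] = a; brds[idx] = b }  # first address only
    }
    END {
        for (k = 1; k <= n; k++) {
            idx = order[k]
            a = (idx in addrs) ? addrs[idx] : "-"
            b = (idx in brds) ? brds[idx] : "-"
            note = "ok"
            if (a == "-") note = (flags[idx] ~ /UP/) ? "no-ipv4" : "down"
            if (idx in ll) note = "link-local"
            print idx, names[idx], macs[idx], a, b, note
        }
    }' "$1" "$2"
}

# Run against the constructed sample. On a live system capture the input with:
#   ip -o link show > links.txt; ip -o -4 address show > addrs.txt
links=$(mktemp); addrs=$(mktemp)
sample_links > "$links"; sample_addrs > "$addrs"
net_inventory "$links" "$addrs"
rm -f "$links" "$addrs"
```

Feeding saved output files rather than running ip inside the script lets the same function be used against captures taken from another host during an incident review.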
You can also use the ip tool to change the network configuration by performing the
following tasks:
- Assign an IP address to a device
- Delete the IP address from a device
- Change device attributes

To assign an IP address, use a command similar to the following:

ip address add 10.0.0.2/24 brd + dev eth0

In this example, the command assigns the IP address 10.0.0.2 to the device eth0. The
network mask is 24 bits long, as determined by the /24 after the IP address. The brd
+ option sets the broadcast address automatically as determined by the network
mask (10.0.0.255 here).
You can enter the following command to verify the assigned IP address:

ip address show eth0

To delete the IP address from a device, use a command similar to the following:

ip address del 10.0.0.2/24 dev eth0

In this example, the command deletes the IP address 10.0.0.2 from the device eth0.
Give the same prefix length you used when adding the address so that exactly that
address is removed.
Use the following command to verify that the address was deleted:

ip address show eth0

You can also change device attributes with the ip tool. The following is the basic
command to set device attributes:

ip link set device_name attribute

The possible attributes are described in “Display Device Attributes.” The most
important attributes are up and down. By setting them, you enable or disable a
network device:

ip link set eth0 up
ip link set eth0 down

An address assigned with ip address add is not persistent: it is gone after a reboot
unless you also save it to a configuration file, as described in the next objective.
The configuration files for network devices are located in the directory
/etc/sysconfig/network.
If the network devices are set up with YaST, one configuration file is created for
every device.
For Ethernet devices, the filenames consist of ifcfg-eth-id- and the hardware address
of the device. For a device with the hardware address 00:30:05:4b:98:85, the
filename would be ifcfg-eth-id-00:30:05:4b:98:85.
We recommend that you set up a device with YaST first and then make changes in the
configuration file. Setting up a device from scratch is a complex task, because
the hardware driver also needs to be configured manually.
If you have more than one network adapter in your system, it might be difficult to
find the corresponding configuration file for a device.
You can use the command ip link show to display the hardware address for each
Ethernet device. Because the hardware address is part of the file name, you can
identify the right configuration file.
The content of the configuration files depends on the configuration of the device. To
change the configuration file, you need to know how to do the following:
- Configure a device statically
- Configure a device dynamically with DHCP
- Start and stop configured devices
The following is the configuration file of a statically configured Ethernet device, as
created by YaST:

BOOTPROTO='static'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'
BROADCAST='10.0.0.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'
The configuration file consists of several lines. Each line assigns a value to an option.
The lines are shown and explained below:
- BOOTPROTO='static'
  The option BOOTPROTO determines the way the device is configured. There
  are two possible values:
  - static: The device is configured with a static IP address.
  - dhcp: The device is configured automatically by a DHCP server.
- MTU=''
  You can use the MTU option to specify a value for the MTU (Maximum
  Transmission Unit). If you don't specify a value, the default value is used. For an
  Ethernet device, the default value is 1500 bytes.
- REMOTE_IPADDR=''
  You need to set the value for the REMOTE_IPADDR option only if you are
  setting up a point-to-point connection.
- STARTMODE='onboot'
  The STARTMODE option determines how the device is started. It can take the
  following values:
  - onboot: The device is started at boot time.
  - manual: The device must be started manually.
  - hotplug: The device is started when it is plugged in, if your system offers PCI
    hotplugging.
- UNIQUE='oxTw.AKbXsqnOlA9'
  _nm_name='bus-pci-0000:02:08.0'
  These two lines contain options added by YaST when the device is configured.
  They don't affect the network configuration itself.
- BROADCAST='10.0.0.255'
  IPADDR='10.0.0.2'
  NETMASK='255.255.255.0'
  NETWORK='10.0.0.0'
  These four lines contain the options for the network address configuration. The
  options have the following meaning:
  - BROADCAST: The broadcast address of the network.
  - IPADDR: The IP address of the device.
  - NETMASK: The network mask.
  - NETWORK: The address of the network itself.
  The four values must agree with each other: with IPADDR 10.0.0.2 and NETMASK
  255.255.255.0, the network is 10.0.0.0 and the broadcast address is 10.0.0.255.
  A broadcast address from another network would stop the host from receiving
  broadcasts on its own segment.
If you want to configure a device by using a DHCP server, set the BOOTPROTO
option to dhcp, as shown in the following:

BOOTPROTO='dhcp'

When the device is configured by DHCP, you don't need to set any options for
the network address configuration in the file. If there are any, they are
overwritten by the settings the DHCP server provides.
To apply changes to a configuration file, you need to stop and restart the
corresponding device. You can do this with the commands ifdown and ifup.
For example, the following two commands disable and then re-enable the device eth0:

ifdown eth0
ifup eth0

When the device is restarted, the new configuration is read from the configuration
file.
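The following script is an added example, not part of the Novell courseware. It reads an ifcfg-* file as plain KEY='value' text (it deliberately does not source the file, so a crafted configuration cannot execute commands when checked), verifies that BOOTPROTO and STARTMODE hold one of the values described above, and for a static configuration recomputes the network and broadcast address from IPADDR and NETMASK (or from a /prefix on IPADDR) and compares them with the NETWORK and BROADCAST options. The constructed sample file it checks carries BROADCAST='149.44.171.255' next to IPADDR='10.0.0.2' and NETMASK='255.255.255.0', an inconsistency the check reports; the function names and messages are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Novell courseware): consistency check for a
# SLES 9 /etc/sysconfig/network/ifcfg-* file. The file is parsed as text rather
# than sourced, so a crafted file cannot run commands with the checker's rights.

# Convert dotted quad to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ifcfg_get FILE OPTION: print the value of OPTION with surrounding quotes removed.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed "s/^['\"]//; s/['\"]$//"
}

# check_ifcfg FILE: print every finding, return 0 if consistent, 1 otherwise.
check_ifcfg() {
    local f=$1 rc=0 bootproto startmode ipaddr netmask bcast network prefix
    bootproto=$(ifcfg_get "$f" BOOTPROTO)
    startmode=$(ifcfg_get "$f" STARTMODE)
    case $bootproto in
        static|dhcp) ;;
        *) echo "BOOTPROTO='$bootproto' is not static or dhcp"; rc=1 ;;
    esac
    case $startmode in
        onboot|manual|hotplug) ;;
        *) echo "STARTMODE='$startmode' is not onboot, manual or hotplug"; rc=1 ;;
    esac
    [ "$bootproto" = static ] || return $rc      # DHCP: nothing more to check
    ipaddr=$(ifcfg_get "$f" IPADDR)
    netmask=$(ifcfg_get "$f" NETMASK)
    bcast=$(ifcfg_get "$f" BROADCAST)
    network=$(ifcfg_get "$f" NETWORK)
    if [ -z "$ipaddr" ]; then
        echo "static configuration without IPADDR"; return 1
    fi
    # IPADDR may carry the prefix length (10.0.0.2/24); it takes precedence over NETMASK.
    case $ipaddr in
        */*) prefix=${ipaddr#*/}; ipaddr=${ipaddr%/*}
             netmask=$(int2ip $(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))) ;;
    esac
    if [ -z "$netmask" ]; then
        echo "static configuration without NETMASK or prefix length"; return 1
    fi
    local ip_i mask_i net_i bc_i
    ip_i=$(ip2int "$ipaddr"); mask_i=$(ip2int "$netmask")
    net_i=$(( ip_i & mask_i ))
    bc_i=$(( net_i | (~mask_i & 0xFFFFFFFF) ))
    if [ -n "$network" ] && [ "$network" != "$(int2ip $net_i)" ]; then
        echo "NETWORK='$network' but IPADDR/NETMASK give $(int2ip $net_i)"; rc=1
    fi
    if [ -n "$bcast" ] && [ "$bcast" != "$(int2ip $bc_i)" ]; then
        echo "BROADCAST='$bcast' but IPADDR/NETMASK give $(int2ip $bc_i)"; rc=1
    fi
    return $rc
}

# Constructed sample: a static configuration whose BROADCAST belongs to another network.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
BOOTPROTO='static'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'
BROADCAST='149.44.171.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'
EOF
check_ifcfg "$tmp" || echo "$tmp: configuration is inconsistent"
rm -f "$tmp"
```

On a real system run it as check_ifcfg /etc/sysconfig/network/ifcfg-eth-id-MAC_address before ifup, so that a typo in the address block is caught before the device is restarted with it.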
Note: Because routing is a very complex topic, this objective only covers the most common routing
scenarios.

To display the current routing table, enter the following command:

ip route show

Every line of the output represents an entry in the routing table. Each line in the
example is shown and explained below:
- 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
  This line is the route for the local network. All packets to a system in the same
  network are sent directly through the device eth0. The kernel added this route
  itself (proto kernel) when the address 10.0.0.2/24 was assigned to eth0.
- 169.254.0.0/16 dev eth0 scope link
  This line is a network route for the 169.254.0.0/16 network, which hosts can use
  for address autoconfiguration. SLES 9 automatically assigns a free address from
  this network when no other device configuration is present. The route is always
  set, even when the system itself has no address from that network.
- 127.0.0.0/8 dev lo scope link
  This is the route for the loopback device.
- default via 10.0.0.1 dev eth0
  This line is the entry for the default route. All packets that cannot be
  delivered according to the previous entries of the routing table are sent to the
  gateway defined in this entry.

Depending on the setup of your machine, the content of the routing table varies. In
most cases, you have at least two entries in the routing table:
- One route to the local network the system is connected to
- One route to the default gateway for all other packets

The following are the most common tasks you do when adding a route:
- Set a route to the locally connected network
- Set a route to a different network
- Set a default route

Note: Remember to substitute your own network and gateway addresses when using the following
examples in a production environment.

To set a route to the locally connected network, enter a command like the following:

ip route add 10.0.0.0/24 dev eth0

The system in this example is in the 10.0.0.0 network. The network mask is 24 bits
long (255.255.255.0). All packets to the local network are sent directly through the
device eth0.

To set a route to a different network, name the gateway that leads to it:

ip route add 149.44.171.0/24 via 10.0.0.100

All packets for the network 149.44.171.0 are sent through the gateway 10.0.0.100.

To set the default route, enter a command like the following:

ip route add default via 10.0.0.1

Packets that cannot be sent according to previous entries in the routing table are sent
through the gateway 10.0.0.1.
To delete an entry from the routing table, use a command similar to the following:

ip route del 149.44.171.0/24 dev eth0

This command deletes the route to the network 149.44.171.0 assigned to the device
eth0.
Routes to the directly connected network are set up automatically when a device is
started. All other routes are saved in the configuration file
/etc/sysconfig/network/routes.
Each line of the configuration file represents an entry in the routing table and has
four columns: destination, gateway, netmask and device. Each line of the example is
shown and explained below:
- 149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85
  All packets sent to the network 149.44.171.0 with the network mask
  255.255.255.0 are sent through the gateway 10.0.0.100 via the device with
  the id eth-id-00:30:05:4b:98:85. The id is the same as used in the name of the
  device configuration file.
- default 10.0.0.8 - -
  This entry represents a default route. All packets that are not matched by the
  previous entries of the routing table are sent through the gateway 10.0.0.8. The
  last two columns are not needed for a default route and are filled with a dash.
To apply changes to the routing configuration file, you need to restart the affected
network device with the commands ifdown and ifup.
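As an added example that is not Novell's code, the script below translates the lines of a routes file into the ip route commands that ifup would issue, so a file can be checked as a dry run before the device is restarted. It converts the dotted netmask column into a prefix length and rejects non-contiguous masks, treats a "-" netmask on a non-default entry as a host route (/32), and, because the device column carries the eth-id-MAC identifier that only ifup can map to an interface name, emits that identifier as a trailing comment instead of a dev argument. The sample routes file is constructed from the two lines above plus two more lines; routes2ip and netmask2prefix are this example's names.

```shell
#!/bin/sh
# Added example (not part of the Novell courseware): print the ip route
# commands corresponding to a /etc/sysconfig/network/routes file.
# Columns: destination gateway netmask device, with "-" for an unset column.

# netmask2prefix 255.255.255.0 -> 24; fails on a non-contiguous mask.
netmask2prefix() {
    local IFS=. n=0 seen_zero=0 octet bit
    for octet in $1; do
        for bit in 128 64 32 16 8 4 2 1; do
            if [ $(( octet & bit )) -ne 0 ]; then
                [ "$seen_zero" -eq 0 ] || return 1     # a one bit after a zero bit
                n=$(( n + 1 ))
            else
                seen_zero=1
            fi
        done
    done
    echo "$n"
}

# routes2ip FILE: print one "ip route add ..." line per routes entry.
# Blank lines and comments are skipped. A device column in the eth-id-MAC or
# bus-pci form is emitted as a comment because ifup resolves it to eth0, eth1, ...
routes2ip() {
    local dest gw mask dev prefix cmd
    while read -r dest gw mask dev _; do
        case $dest in '' | \#*) continue ;; esac
        if [ "$dest" = default ]; then
            cmd="ip route add default"
        else
            case $dest in
                */*) cmd="ip route add $dest" ;;     # prefix already given
                *)
                    if [ -z "$mask" ] || [ "$mask" = - ]; then
                        prefix=32                    # host route
                    elif ! prefix=$(netmask2prefix "$mask"); then
                        echo "routes: bad netmask '$mask' for $dest" >&2
                        return 1
                    fi
                    cmd="ip route add $dest/$prefix" ;;
            esac
        fi
        [ -z "$gw" ] || [ "$gw" = - ] || cmd="$cmd via $gw"
        case $dev in
            '' | -) ;;
            eth-id-* | bus-pci-* | id-*) cmd="$cmd  # dev $dev" ;;
            *) cmd="$cmd dev $dev" ;;
        esac
        printf '%s\n' "$cmd"
    done < "$1"
}

# Constructed sample: the two entries from the text plus two extra lines.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# destination    gateway      netmask          device
149.44.171.0     10.0.0.100   255.255.255.0    eth-id-00:30:05:4b:98:85
default          10.0.0.8     -                -
10.10.0.0        10.0.0.100   255.255.0.0      eth0
10.0.0.200       -            -                eth0
EOF
routes2ip "$tmp"
rm -f "$tmp"
```

Redirecting the output into sh applies the routes on the running system; reviewing it first is the point of the dry run.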
The host name of the system is stored in the file /etc/HOSTNAME:

da2.digitalairlines.com

The file contains the fully qualified domain name of the system, in this case,
da2.digitalairlines.com.

Name resolution is configured in the file /etc/resolv.conf:

search digitalairlines.com
nameserver 10.0.0.1
nameserver 10.10.0.1
nameserver 10.0.10.1

The search line names the domain that is appended to host names that are not fully
qualified. Each nameserver line gives the IP address of a DNS server; the resolver
uses at most three of them, in the order listed.
The tool ping lets you check the network connection between two hosts in a simple
way. If ping works, both the physical and the logical connection between the two
hosts are set up correctly.
ping sends ICMP echo request packets to the target system and waits for the echo
replies. In the simplest scenario, you enter ping with an IP address:

ping 10.0.0.1

You can also use the host name of the target system instead of an IP address. Each
line of the output represents one reply to a packet sent by ping, with its sequence
number and round trip time. ping keeps sending packets until you terminate it by
pressing Ctrl+C.
If you get an answer from the target system, you can be sure that the basic network
device setup and the routing to the target host work. The reverse does not hold: a
host or firewall that drops ICMP echo requests gives no answer even though the path
to it may be fine.
The following options of ping are useful for advanced troubleshooting:
- -c count: The number of packets to be sent. After this number has been
  reached, ping terminates.
- -f: Flood ping. Packets are sent one after another as fast as the replies
  arrive. Only root can use this option without restriction; for normal users
  the minimum time between packets is 200 milliseconds.
The diagnostic tool traceroute is primarily used to check the routing between different
networks. To achieve this, traceroute sends packets with an increasing TTL (time to
live) value to the destination host, three packets for each value.
First, three datagrams with TTL=1 are sent, then three with TTL=2, and so on. Every
router a datagram passes through reduces its TTL by one.
When the TTL reaches zero, the router discards the datagram and returns an ICMP
time exceeded message to the sender. Because the TTL is increased by one every three
packets, traceroute collects the address of every router on the way to the destination
host.
You normally give a host name with the traceroute command, as in the following:

traceroute pluto.example.com
It is also possible to use an IP address instead of the host name.
The first line of the traceroute output displays general information about the call:
the destination, the maximum number of hops and the packet size. Each of the lines
that follow represents one router on the way to the destination host, displayed with
its host name and IP address and the round trip times of the three datagrams it
returned. An asterisk (*) in place of a time means that no reply arrived for that
datagram. The last line of the output represents the destination host itself.
In this exercise, you configure the network connection manually by doing the
following:
- Part I: Note the Current Network Configuration
- Part II: Delete the Current Network Setup with YaST
- Part III: Configure the Network Manually
- Part IV: Save the Network Connection to Interface and Hardware Configuration Files

Part I: Note the Current Network Configuration
Do the following:
1. Make sure you are logged in to the KDE Desktop as geeko with a password of
N0v3ll.
2. Open a terminal window and su (switch user) to root with a password of novell.
3. Enter ifconfig eth0.
4. Find the line starting with inet, and record the IP address with the subnet mask
displayed in that line:
q IP address:
q Subnet mask:
5. Enter ip route show.
6. Find the line starting with default and record the gateway IP address of the
gateway:
q Gateway IP address:
7. Enter ip link show eth0.
8. Find the line starting with link/ether and record the MAC address of the network
card:
q MAC address:
9. Change to the /etc/sysconfig/hardware directory by entering the following:
cd /etc/sysconfig/hardware
10. Enter ls -al; then look for one of the following files (depending on your hardware
configuration):
q hwcfg-id-PCI_address
or
q hwcfg-bus-pci-PCI_address
11. Record the name of the file:
12. Display the contents of the file by entering one of the following:
q cat hwcfg-id-PCI_address
or
q cat hwcfg-bus-pci-PCI_address
13. Record the following parameters:
q MODULE=
q MODULE_OPTIONS=
q STARTMODE=
You use these parameters and the hwcfg filename in Part IV to manually create
the file.
Part II: Delete the Current Network Setup with YaST
Do the following:
1. Start YaST and select Network Devices > Network Card.
2. In the lower part of the dialog, select Change.
3. Select the network card; then select Delete.
4. Select Finish.
5. From the terminal window (as root), enter
rm /etc/sysconfig/network/routes.
6. Verify that the network connection is not working any more by entering ping
www.novell.com.
Part III: Configure the Network Manually
Do the following:
1. In the terminal window enter the following command:
ip address add your_IP_address/24 brd + dev eth0
2. To activate the network device, enter ip link set eth0 up.
3. To set a route to the local network enter the following:
ip route add 10.0.0.0/24 dev eth0
4. To set the default route enter the following:
ip route add default via gateway_IP_address
5. Verify that the network connection is working again by entering ping
www.novell.com.
Note: If you have problems with the network interface, you might need to delete the network card
configuration with YaST, save the change, and then reconfigure the network card with YaST.
This can happen if you have two network cards installed in your computer.

Part IV: Save the Network Connection to Interface and Hardware Configuration Files
Do the following:
1. From the terminal window, change to the directory
/etc/sysconfig/network.
2. Make a copy of the network configuration template by entering the following:
cp ifcfg.template ifcfg-eth-id-MAC_address
3. Open the copied file (ifcfg-eth-id-MAC_address) with the vi editor.
4. Find the following options and enter the indicated values:
   STARTMODE='onboot'
   BOOTPROTO='static'
   IPADDR='your_IP_address/24'
   NETMASK='255.255.255.0'
   BROADCAST='10.0.0.255'
5. Save the file and exit vi (:wq).
6. Change to the directory /etc/sysconfig/hardware.
7. Create one of the following files with vi:
q hwcfg-id-PCI_address
or
q hwcfg-bus-pci-PCI_address
8. Enter the parameters you recorded in the last step of Part I of this exercise.
9. When you finish, save the file and exit the editor.
10. Change to the directory /etc/sysconfig/network.
11. Create the file routes (you deleted it in Part II) by opening it with vi.
12. Enter the following line, replacing default_gateway_IP_address with the gateway
address you recorded in Part I:
default default_gateway_IP_address - -
13. Save the file and exit vi.
14. Reboot your system (init 6) and log in as geeko with a password of N0v3ll.
15. From a terminal window (as root), verify that the network configuration is loaded
correctly by entering the following commands:
ifconfig eth0
ip route show
16. Verify that the network connection is working properly by entering the following
commands:
ping 10.0.0.254
ping www.novell.com

Note: If the network configuration fails to work properly although your configuration files are created
correctly, use the YaST Network Card module to delete the currently configured network card,
and then restart the Network Card module and reconfigure the network card with the proper
settings.
(End of Exercise)
Summary

Objective 1: Understand Linux Network Terms
The following terms are used for the Linux network configuration:
- Device
- Interface
- Link
- Address
- Broadcast
- Route

Objective 2: Set Up Network Devices With the ip Tool
You can perform the following tasks with the ip tool:
- Display the IP address setup:
  ip address show
- Display device attributes:
  ip link show
- Display device statistics:
  ip -s link show
- Assign an IP address to a device:
  ip address add IP_address/netmask brd + dev device_name
- Delete an IP address of a device:
  ip address del IP_address/netmask dev device_name
- Change device attributes:
  ip link set device_name attribute

Objective 3: Save Device Settings to a Configuration File
The configuration files for network devices are located in /etc/sysconfig/network.
For Ethernet devices, the file names consist of ifcfg-eth-id- and the hardware address of the device.
For a statically configured device, at least the following options need to be set:
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2/24'
For devices configured with DHCP, the BOOTPROTO option needs to be changed as follows:
BOOTPROTO='dhcp'
Configured devices can be enabled with ifup device_name and disabled with ifdown device_name.

Objective 4: Set Up Routing With the ip Tool
You can perform the following tasks with the ip tool:
- View the routing table:
  ip route show
- Add routes to the routing table:
  ip route add network/netmask dev device_name
  ip route add network/netmask via gateway_address
  ip route add default via gateway_address
- Delete routes from the routing table:
  ip route del network/netmask dev device_name

Objective 5: Save Routing Settings to a Configuration File
The routing configuration is located in the file /etc/sysconfig/network/routes.
Each line represents an entry of the routing table and has the following columns:
- Destination network address
- Gateway address
- Netmask
- Device id
Default routes use default instead of the network address and do not require a netmask or device id.

Objective 6: Configure Host Name and Name Resolution
The host name is configured in the file /etc/HOSTNAME.
Name resolution is configured in the file /etc/resolv.conf. One line specifies the search domain; the others list up to three available name servers.

Objective 7: Test the Network Connection With Command Line Tools
Two command line tools are available to test the network connection:
- ping (ping hostname): tests whether another host is reachable in the network.
- traceroute (traceroute hostname): tests the routing in the network.
Configure Network Services
In this section, you learn how to configure four of the most important network
services shipped with SLES 9 (BIND, OpenLDAP, Apache, Samba).
Objectives
1. Configure a DNS Server Using BIND
2. Deploy OpenLDAP on a SLES 9 Server
3. Configure an Apache Web Server
4. Configure a Samba Server as a File Server
Introduction
In this section you learn how to install and configure four of the most popular Linux
network services at the command line:
- BIND
- OpenLDAP
- Apache
- Samba
Because configuring the services can be very complex, this section covers only the
basic functionality of the services.
The configuration is covered at the command-line level to show you a more direct
way to manipulate the behavior of the services.
To configure a DNS server (also called a name server) using BIND (Berkeley Internet
Name Domain), the most widely used DNS software, you need to do the following:
- Understand the Domain Name System
- Install and configure the BIND server software
- Configure a caching-only DNS server
- Configure a master server for your domain
- Configure one or more slave servers
- Configure the client computers to use the DNS server
- Use command line tools to query DNS servers
- Find more information about DNS
To understand the basics of name resolution with DNS, you need to know the
following:
- How name resolution worked in the early days of the Internet
- The Internet domain concept
- How name servers work
- How to query DNS
Computers communicate with each other by using IP addresses, but for humans it is
simpler to address a computer by its name. This requires a conversion that provides
the IP address when a user enters a computer name.
In the early days of the Internet, when relatively few computers were connected to
each other, a single file (HOSTS.TXT) was maintained at the Network Information Centre
(NIC) of the Stanford Research Institute in California that provided exactly this
conversion. Every system administrator worldwide had to copy this file by FTP and
distribute it to all computers he was responsible for.
DNS consists of several domains that can be divided into subdomains. The top level
of this structure is the root domain. It is represented simply by a dot (“.”).
Thirteen root name server addresses exist worldwide (named A to M), each of them
today served by many machines. The first layer beneath the root domain contains the
top level domains (TLDs).
.arpa was used as a TLD while the ARPAnet moved from host files to DNS. All
computers from the ARPAnet were later put into the other TLDs. The .arpa TLD still
has a special meaning (reverse lookups), which is explained later in this section.
TLDs such as .com, .net and .org are known as generic TLDs. Other TLDs for individual
countries were defined, such as .de for Germany, .uk for the United Kingdom, and .ch
for Switzerland.
More recently, TLDs such as .info or .biz have become operational. Each TLD is
administered by its own institution (a Network Information Center, or NIC).
SUSE LINUX Advanced Administration
The complete computer name or fully qualified domain name (FQDN) is made from
the actual computer name, the domain name, and the name of the TLD (one or more
subdomains might be included).
Domains are administered locally instead of using a global authority. Each domain
has its own administration point (in practice, many domains are administered from
one location).
For each domain there is one DNS server (or name server) defined as being “in
charge” of its domain. This server is known as the master server, and it is the
authority for this domain (providing authoritative answers).
There are other DNS servers called slave servers for the domain that distribute the
load and serve as backups. Slave servers keep a copy of the information on the
master server and update this information at regular intervals. This update is called
zone transfer.
Table 3-1
Master server: Has the main responsibility for a domain. Gets its data from local files.
Slave server: Gets its data from the master server using zone transfer.
Caching-only server: Queries data from other DNS servers and stores the information in the cache until its expiration date. All replies are nonauthoritative.
Forwarding server: All queries the server cannot answer authoritatively are forwarded to other DNS servers.
Various programs are involved in processing a request to the DNS database. The first
is the resolver. This is a set of library routines used by various programs.
The resolver makes a request to a DNS server, interprets the answer (real information
or an error message), and sends this information back to the program that called it.
If the DNS server receives a request from a resolver, one of 2 things happens:
- If the DNS server is the authority for the requested domain, the DNS server
provides the required information to the resolver (the authoritative answer).
or
- If the DNS server is not the authority for the requested domain, the DNS server
queries the responsible authority for the requested domain and gives the result to
the resolver.
The data is stored in the cache of the DNS server. If there is another request for
this data later, the DNS server can provide it immediately (a non-authoritative
answer). All data has a timestamp, and information is deleted from the cache
after a certain time.
Assume that your DNS server wants to find the IP address of the computer
www.suse.de. To do this, the DNS server first makes a request to one of the DNS
servers of the root domain.
Each root DNS server knows the authorities responsible for the TLDs. The address of
the required authority is passed on to the requesting DNS server. For www.suse.de,
this is a DNS server for the TLD .de, that is, the computer dns2.denic.de.
Our DNS server then asks this for the authority for the domain suse.de and as an
answer is given the computer ns.suse.de.
In a third step, this DNS server is queried and (as an answer) gives the IP address of
the SUSE web server. This answer is returned by our DNS server to the requesting
resolver.
SUSE LINUX Advanced Administration
Figure 3-2: Name resolution for www.suse.de. The computer (resolver) sends an address request to its name server, which asks the name server for the root domain "." (answer: link to the name server for ".de"), then the name server for the TLD ".de" (answer: link to the name server for "suse.de"), then the name server for the domain "suse.de" (answer: address for "www.suse.de"), and finally returns the response to the resolver.
The DNS servers for the root domain play a very important role in name resolution.
In order to alleviate the server load due to queries, every DNS server stores the
information received from other name servers in its cache.
When queries are made, this information is sent without querying the root DNS
server anew. However, root DNS servers are very busy despite this caching
mechanism. Several thousand queries per second are nothing unusual.
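To make the referral chain and the cache described above concrete, here is a toy iterative resolver (an added example, not part of the course): the per-server tables and the IP address are constructed, "root" stands in for a root name server, and the class and function names are assumptions.

```python
import time

# Constructed authoritative data for the walk-through: server -> owner -> records.
# "root" stands for a root name server; the address for www.suse.de is made up.
SERVERS = {
    "root":           {"de.":          [("NS", 172800, "dns2.denic.de.")]},
    "dns2.denic.de.": {"suse.de.":     [("NS", 86400,  "ns.suse.de.")]},
    "ns.suse.de.":    {"www.suse.de.": [("A",  3600,   "192.0.2.10")]},
}
ROOT = "root"


def referral_for(server, qname):
    """Return (zone, nameserver) for the longest NS record the server holds
    that covers qname, or None if it holds nothing relevant."""
    best = None
    for owner, rrs in SERVERS[server].items():
        if qname != owner and not qname.endswith("." + owner):
            continue
        for rtype, _ttl, rdata in rrs:
            if rtype == "NS" and (best is None or len(owner) > len(best[0])):
                best = (owner, rdata)
    return best


class Resolver:
    """Our DNS server from the text: walks root -> TLD -> domain, caches by TTL."""

    def __init__(self):
        self.cache = {}     # (qname, qtype) -> (expires_at, rdata)
        self.trace = []     # every server asked, to show the referral chain

    def resolve(self, qname, qtype="A", now=None):
        """Return (rdata, from_cache). A cached reply is a non-authoritative answer."""
        now = time.time() if now is None else now
        key = (qname, qtype)
        if key in self.cache and self.cache[key][0] > now:
            return self.cache[key][1], True
        server = ROOT
        for _ in range(8):                      # bound the referral chain
            self.trace.append(server)
            for rtype, ttl, rdata in SERVERS[server].get(qname, []):
                if rtype == qtype:              # the authority answered
                    self.cache[key] = (now + ttl, rdata)
                    return rdata, False
            ref = referral_for(server, qname)
            if ref is None:
                raise LookupError(f"{qname}: no data and no referral at {server}")
            server = ref[1]
        raise LookupError("referral chain too long")
```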
Before starting the DNS server, you have to make some basic configuration changes.
After finishing your configuration, you can start and stop the server using the following
commands:
rcnamed start
rcnamed stop
To have the DNS server start automatically at boot time, use the following command:
insserv named
A caching-only DNS server does not manage its own databases but merely accepts
queries and forwards them to other DNS servers. The supplied replies are saved in
the cache.
The DNS server configuration is defined in the file /etc/named.conf. You can use the
example file that is installed with the DNS package as a configuration file for a
caching-only server.
The global options are defined in the options block at the beginning of the file. The
directory containing the database files (or zone files) is listed. Normally, this is
/var/lib/named/.
All file names given later in the configuration are relative to this directory. The
directory is created when installing the server package. It contains several
preconfigured files. Other options can also be defined in this block.
The global options are followed by the definition of the database files for the
domains managed by the DNS server. Several entries are needed for basic DNS
server functions such as those provided by a caching-only server.
#
# forward resolution for localhost
#
zone "localhost" in {
type master;
file "localhost.zone";
};
#
# reverse resolution for localhost
#
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
The zone entry for the root DNS servers contains a reference to a file containing the
addresses of the root DNS servers. This file (root.hint) is generated in the directory
/var/lib/named/ during the installation of the package bind.
The 2 files for the resolution of localhost are also generated during the installation.
The structure of these files is explained later.
With these entries, queries that the DNS server cannot answer itself are sent directly to the
responsible DNS servers. However, this resolution method can be very slow. This
problem can be solved by using forwarders.
The DNS server has the addresses of other DNS servers in case it cannot resolve a
host name itself. You might be able to use the DNS servers of an Internet provider for
this purpose, as they usually have a lot of information in their cache.
You can define these DNS servers in the options block in the file
/etc/named.conf, as in the following:
options
{
directory "/var/lib/named";
forwarders
{
10.0.0.254;
};
};
You can enter up to 3 DNS server addresses. Queries that cannot be resolved by the
local DNS server are forwarded to one of the specified DNS servers.
If these DNS servers cannot be reached, the queries are sent directly to the root DNS
servers.
The following are the tasks you need to do to configure a master DNS server for your
domain:
- Adapt the Main Server Configuration File
- Create the Zone Files
- Create Additional Resource Records
You can adapt the configuration for the caching-only DNS server for configuring a
DNS server containing its own information files.
This configuration already contains the global entries in the options block: the directory
entry and the forwarders entry (which can be omitted). The file also contains
the mandatory entries for the root servers and the resolution of localhost.
The global options are followed by definitions for the database files (or zone files)
for the domains this DNS server serves. At least 2 files are necessary for each
domain:
- A file for forward resolution (allocating an IP address to a computer name)
- A file for reverse resolution (allocating a computer name to an IP address)
If several subnets belong to a domain, then one file for each of these networks must
be created for reverse resolution.
Each definition begins with the instruction zone (this is why the database files are
also known as zone files), followed by the name of this zone.
For forward resolution, this is always the domain name. For reverse resolution, the
network prefix of the IP address must be given in reverse order (10.0.0.0 becomes
0.0.10.) to which the suffix in-addr.arpa is added (0.0.10.in-addr.arpa).
The zone name is always followed by an “in” for Internet. (DNS servers can
administer information on different name spaces, not only that of the Internet. Other
name spaces are practically never used).
The text in curly brackets defines the type of DNS server this is for the corresponding
zone (here it is always the type master; other types are introduced later).
Finally, there is the name of the file in which the entries for this zone are located.
The entries for the Digital Airlines configuration look like the following:
#
# forward resolution for the domain digitalairlines.com
#
zone "digitalairlines.com" in
{
type master;
file "master/digitalairlines.com.zone";
};
#
# reverse resolution for the network 10.0.0.0
#
zone "0.0.10.in-addr.arpa" in
{
type master;
file "master/10.0.0.zone";
};
The 2 files for the domain localhost and the file for the root DNS servers are always
included in the installation. You do not need to change these files; however, you must
create the files required for the actual domain.
You need to know the following to manually create the zone files:
- Structure of the Files
- The File /var/lib/named/master/digitalairlines.com.zone
- The File /var/lib/named/master/10.0.0.zone
- The File /var/lib/named/master/localhost.zone
- The File /var/lib/named/master/127.0.0.zone
Each of the database files consists of a series of entries, or resource records. The
syntax of these records is always as follows:
Individual entries must always start in the first column with the reference. If an entry does not
start in the first column, the reference is taken from the previous entry.
Unlike earlier versions of BIND, BIND 9 requires you to specify a default TTL for
all information at the beginning. This value is used whenever the TTL has not been
explicitly given for an entry.
;
; definition of a standard time to live, here: two days
;
$TTL 172800
In this example, the TTL is given in seconds. But it can be given in other units, such
as 2D for two days. Other units are M (minutes), H (hours), and W (weeks).
This is followed by the definition of the SOA (Source of Authority) entry, which
specifies which DNS server has the authority for this domain:
;
; SOA Entry
;
digitalairlines.com. IN SOA da1.digitalairlines.com.
adm.digitalairlines.com. (
2004092601 ; serial number
1D ; refresh (one day)
2H ; retry (two hours)
1W ; expiry time (one week)
3H ; "negative" validity (three hours)
)
The domain to which this entry refers (here, digitalairlines.com) is listed first. The
domain name must end with a dot. If a name does not have a dot at the end, the name
of the domain is added on, which could lead to an error here.
After the SOA entry the name of the DNS server is listed (in this example,
da1.digitalairlines.com with a dot at the end). Alternatively, you could write da1,
and the domain name digitalairlines.com would be added after the name.
Next comes the email address of the person who is responsible for the administration
of the DNS server. The “@” usually used in email addresses must be replaced by a
dot (so the email address in this example is adm.digitalairlines.com). This is
necessary because @ has a special meaning as an abbreviation.
After this information, there is a serial number. Any number can be used, but
normally the date and a version number are used here. After any change to the data in
this file, the serial number has to be increased.
Slave servers use this number to detect if they need to copy this zone file or not. If
the serial number on the master server is greater than that on the slave server, the file
is copied.
This is followed by the following time information (the first three entries listed here
are only important for slave servers):
- The first entry causes a slave server to query a master server after this length of
time, to see if there is a new version of the files (in the example, this is 1D or one
day).
- If the slave server cannot reach the master server, the next time entry specifies at
what intervals new attempts should be made (in the example, this is 2H or two
hours).
- If the master server is not reached for a longer period of time, the third time entry
specifies when the slave server should discard its information on this zone (in the
example, this is 1W or a week).
The basic idea here is that it is better not to pass on any information than to pass
on outdated information.
- The fourth entry defines for how long negative responses from the DNS server
are valid. Each requesting server stores responses in its cache, even if a computer
name could not be resolved (in the example, this is 3H or 3 hours).
These time definitions are followed by the name of the computer that is responsible
for this domain as the DNS server. In all cases, the master server must be entered
here. If slave servers are used, they should also be entered, as in the following:
;
; entry for the name server
;
digitalairlines.com. IN NS da1.digitalairlines.com.
The name of the domain can be omitted at this point. Then the name from the
previous entry is taken (the SOA entry).
At the end of this file are the IP addresses that are allocated to computer names. This
is done with A (address) entries, as in the following:
;
; Allocation of IP addresses to host names
;
da10 IN A 10.0.0.10
da12 IN A 10.0.0.12
da13 IN A 10.0.0.13
The file for reverse resolution contains similar entries as the file for forward
resolution. At the beginning of the file there is the definition of a default TTL and an
SOA entry.
In the SOA and NS entries, the IP address of the network is written in reverse order:
At the end of this file are the IP addresses that are allocated to computer names, this
time with the PTR (Pointer) entry, as in the following:
;
; Allocation of host names to IP addresses
;
10 IN PTR da10.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
13 IN PTR da13.digitalairlines.com.
14 IN PTR da14.digitalairlines.com.
The following 2 files must exist for the local computer. These are created
automatically during installation and should not be modified.
$TTL 1W
@ IN SOA @ root (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum
IN NS @
IN A 127.0.0.1
In this example, the “@” character is used as an abbreviation (for this reason, it must
be replaced by a dot in the email address in the database files).
In this case, it is localhost, which is also used for the name of the DNS server (this is
why “@” appears many times in the file).
In this file, the abbreviation “@” is also used. But here the computer name must be
given explicitly with localhost (remember the dot at the end):
$TTL 1W
@ IN SOA localhost. root.localhost. (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum
IN NS localhost.
1 IN PTR localhost.
Apart from the resource records already discussed (SOA, NS, A, PTR), there are MX
and CNAME resource records, which are used to do the following:
- Define Mail Servers for the Domain
- Assign Aliases for Computers
To achieve this, an MX (Mail Exchange) entry must be made in the database file for
forward resolution, after the DNS server entry:
digitalairlines.com. IN MX 0 mail
IN MX 10 da1
IN MX 10 da5
Several mail servers can be given. On the basis of their priorities, it is then decided to
which computer the email is sent. The priority of mail servers is defined by the
number in front of the computer name; the lower this number, the higher the priority.
In this example the computer mail.digitalairlines.com has the highest priority (and is
therefore the primary mail server). da1.digitalairlines.com and da5.digitalairlines.com
both have the same priority.
If the mail server with the highest priority cannot be reached, the mail server with the
second highest priority is used. If several mail servers have the same priority, then
one of them is chosen at random. An address entry must be made for each mail
server.
If you want a computer to be reached by more than one name (such as addressing a
computer as da30.digitalairlines.com and www.digitalairlines.com), then
corresponding aliases must be given.
These are the CNAME (canonical name) entries in the database file for forward
resolution:
da30 IN A 10.0.0.30
www IN CNAME da30
The names of the mail servers for the domain (MX entry) cannot be alias names, since some mail
servers cannot handle this correctly.
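As an added example (not code from the course or from BIND), the following Python parses a zone file written in the form shown in the preceding sections, applying the rules discussed there: unit suffixes in $TTL, the SOA spread over several lines in parentheses, the owner inherited from the previous entry when a line does not start in the first column, and names without a trailing dot completed with the domain. It then runs the checks those sections imply (a $TTL and an SOA must be present; an MX must not point at a CNAME, as the note above warns) and the slave's serial comparison, which here uses 32-bit serial arithmetic and so goes beyond the page's plain "greater than". The function names and the sample zone are constructed.

```python
import re

UNITS = {"": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
NAME_TARGET_TYPES = {"NS", "CNAME", "PTR", "MX"}   # last rdata field is a name


def parse_ttl(text):
    """'172800' -> 172800, '2D' -> 172800, '3h' -> 10800 (seconds)."""
    m = re.fullmatch(r"(\d+)([MmHhDdWw]?)", text.strip())
    if not m:
        raise ValueError(f"bad TTL: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def absolute(name, origin):
    """'@' means the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (default_ttl, records); each record is (owner, type, rdata list)."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, records, owner = None, [], None
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ';' comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                               # still inside the SOA's ( ... )
            continue
        in_col1 = not buf[0][0].isspace()           # owner given, or inherited?
        fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if in_col1:
            owner = absolute(fields.pop(0), origin)
        elif owner is None:
            raise ValueError("first record does not start in column one")
        if re.fullmatch(r"\d+[MmHhDdWw]?", fields[0]):
            fields.pop(0)                           # optional per-record TTL
        if fields[0].upper() == "IN":
            fields.pop(0)                           # class, always IN here
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_TARGET_TYPES:
            rdata[-1] = absolute(rdata[-1], origin)
        elif rtype == "SOA":   # mname rname serial refresh retry expire minimum
            rdata[:2] = [absolute(n, origin) for n in rdata[:2]]
            rdata[2:] = [int(rdata[2])] + [parse_ttl(v) for v in rdata[3:]]
        records.append((owner, rtype, rdata))
    return default_ttl, records


def check_zone(default_ttl, records, origin):
    """Problems BIND 9 would reject or that break mail delivery (MX -> alias)."""
    origin = origin if origin.endswith(".") else origin + "."
    problems = []
    if default_ttl is None:
        problems.append("no $TTL at the top (BIND 9 requires one)")
    if not any(o == origin and t == "SOA" for o, t, _ in records):
        problems.append(f"no SOA record for {origin}")
    aliases = {o for o, t, _ in records if t == "CNAME"}
    for owner, rtype, rdata in records:
        if rtype == "MX" and rdata[-1] in aliases:
            problems.append(f"MX for {owner} points at alias {rdata[-1]}")
    return problems


def serial_is_newer(master_serial, slave_serial):
    """True when a slave should copy the zone: the master's serial is greater
    in 32-bit serial arithmetic (RFC 1982), so a wrapped serial still counts."""
    diff = (master_serial - slave_serial) % (1 << 32)
    return 0 < diff < (1 << 31)


# Constructed sample modelled on the digitalairlines.com zone file above.
SAMPLE_ZONE = """\
$TTL 2D
digitalairlines.com. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
        2004092601 ; serial number
        1D         ; refresh (one day)
        2H         ; retry (two hours)
        1W         ; expiry time (one week)
        3H )       ; "negative" validity (three hours)
        IN NS  da1.digitalairlines.com.
        IN MX  0  mail
        IN MX  10 da1
da1     IN A   10.0.0.1
mail    IN A   10.0.0.2
da30    IN A   10.0.0.30
www     IN CNAME da30
"""
```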
To guarantee reliable operation, at least one more DNS server besides the master
server is required. This can take over part of the load from the DNS master server.
But it is especially important in case the DNS master server is not available. This
new DNS server is set up as a DNS slave server.
The essential difference between the two types is that a slave server receives copies
of the zone files from the master server. Modifications to the zone files are only made
on the master server.
As soon as a slave server is started, it connects to the master server and receives a
copy of the zone files from it. This is called a zone transfer.
Comparison of data between the servers takes place automatically. On the one hand,
the slave server queries the master server at regular intervals and detects, using the
serial number of the zone files, whether anything has changed.
By default, the master server sends a message to all listed slave servers (called notify)
as soon as it has been restarted in order to read in modified zone files.
In the configuration file /etc/named.conf for a slave server, there are at least 2 entries
for which it is defined as the master server: the 2 zone definitions for the loopback network
(localhost).
There might also be a zone definition for the root DNS servers. But this zone definition
is only necessary if the slave server will forward requests to other DNS servers.
The definitions for zones for which it should copy data from the master server look
like the following:
zone "digitalairlines.com" in
{
type slave;
file "slave/digitalairlines.com.zone";
masters
{
10.0.0.254;
};
};
The slave server gets data from the master server with the IP address 10.0.0.254 and
stores it in the directory /var/lib/named/slave/. This directory is created when you
install the BIND package.
zone "0.0.10.in-addr.arpa" in
{
type slave;
file "slave/10.0.0.zone";
masters
{
10.0.0.254;
};
};
In the simplest configuration, the slave server gets information from the master server
at regular intervals. This can cause the slave server to provide outdated information
for a certain length of time.
This is why it is reasonable to instruct the master server to inform the slave servers
about modifications in the database files. The slave servers then immediately carry
out a zone transfer, which always brings them up to date.
In order for the master server to be able to communicate with the slave servers, it
must know about them. By default, the master server automatically informs its slave
servers. But this can also be done in the options section of the file /etc/named.conf, as
in the following:
options
{
...
notify yes;
};
Subsequently, the slave servers must be entered as DNS servers in the database files
(of the forward and reverse resolution):
digitalairlines.com. IN NS da8.digitalairlines.com.
IN NS da8.digitalairlines.com.
You can use YaST to configure a client computer during installation to use the DNS
server (configuration of the network) or later. You simply have to enter the IP address
of the DNS server and possibly add some information about your domain.
search digitalairlines.com
nameserver 10.0.0.254
This file configures the name service switch, which is responsible for resolving host
names, network names, users, and groups.
The relevant part for resolving host names looks like the following:
#
# /etc/nsswitch.conf
#
...
hosts: files dns
networks: files dns
...
Both entries shown here define that the first attempt to resolve a host name is made
using the file /etc/hosts. If this fails, a DNS server resolves the name. The same
applies to the resolution of network names, which is done using /etc/networks first.
Several command line tools are available to query DNS servers. These include the
following:
- host Command
- dig Command
host Command
The most important command line tool for querying a DNS server is called host. The
general syntax is as follows:
If a DNS server address is not provided, host contacts the servers listed in
/etc/resolv.conf. If you want to use another DNS server, you have to provide its IP
address with the command.
By default, host returns the IP address or the host name, depending on which
information is given. If you want to query domain information, you need to use the
option -t with the type of information required, as in the following:
In this example, the host names of the DNS servers for the domain novell.com are
requested.
dig Command
nameserver: The IP address or name of the DNS server that should be queried. If not specified, dig checks all DNS servers listed in /etc/resolv.conf.
query_options: Defines how the query is done and how the results are displayed. Each query option starts with a plus sign (+).
The most important difference between host and dig is that dig does not use the
domain list from /etc/resolv.conf by default to expand the host name. This means that
the FQDN or IP address of the host must be specified. If the domain list should be
used, you need to use the query option +search.
;; QUESTION SECTION:
;ripe.net. IN NS
;; ANSWER SECTION:
ripe.net. 158814 IN NS ns2.nic.fr.
ripe.net. 158814 IN NS sunic.sunet.se.
ripe.net. 158814 IN NS auth03.ns.uu.net.
ripe.net. 158814 IN NS munnari.oz.au.
ripe.net. 158814 IN NS ns.ripe.net.
;; ADDITIONAL SECTION:
ns.ripe.net. 171939 IN A 193.0.0.193
ns.ripe.net. 171939 IN AAAA 2001:610:240:0:53::193
ns2.nic.fr. 344302 IN A 192.93.0.4
ns2.nic.fr. 344302 IN AAAA 2001:660:3005:1::1:2
sunic.sunet.se. 172586 IN A 192.36.125.2
auth03.ns.uu.net. 170436 IN A 198.6.1.83
munnari.oz.au. 170107 IN A 128.250.22.2
munnari.oz.au. 170107 IN A 128.250.1.21
munnari.oz.au. 21410 IN AAAA 2001:388:c02:4000::1:21
The QUESTION SECTION shows what was queried and the ANSWER SECTION
shows the response: a list of DNS servers of the domain ripe.net.
The IP addresses of certain DNS servers are listed under ADDITIONAL SECTION.
The address in the last line is an IPv6 address (2001:388:c02:4000::1:21).
Data about the query, such as the duration of the query (Query time), the server that
answered the query (SERVER), and the date of the query (WHEN) are listed at the
end of the output.
If there are syntax errors in one of the configuration or zone files, BIND writes
verbose messages to the file /var/log/messages. These messages also contain
information on the filename and the line in which this error occurs.
If there is an error, the processing of the file is interrupted at this point (that is, errors
later in the file are not detected now).
For more information about BIND and DNS, see DNS and BIND by Paul Albitz and Cricket Liu
and the BIND homepage at http://www.isc.org/sw/bind/.
In this exercise, you work with a partner to configure a DNS master server and a
DNS slave server for the domain digitalairlines.com. You need to work as a team on
all parts of the exercise.
Do the following:
- Part I: Install BIND
- Part II: Configure a DNS Master Server
- Part III: Configure the DNS Slave Server
This exercise requires extensive typing to create your DNS files. To save you some time, the files
digitalairlines.com.zone and 10.0.0.zone are included on your 3038 Course CD in the directory
/exercises/section_3.
Decide which SLES 9 server will be the DNS master server, then do the following
only on the master server:
1. Open a terminal window and su to root.
2. Open the file /etc/named.conf in a text editor.
3. Configure the forwarders line to match the following:
forwarders { 10.0.0.254; };
Make sure that you delete the comment character from the beginning of the
forwarders line.
4. Add the following 2 zone statements after the existing zone statements:
zone "digitalairlines.com" in {
type master;
file "master/digitalairlines.com.zone";
};
zone "0.0.10.in-addr.arpa" in {
type master;
file "master/10.0.0.zone";
};
5. Save and close the file.
6. Create a new file digitalairlines.com.zone in the directory
/var/lib/named/master/.
7. Enter the following zone configuration in the file:
$TTL 172800
digitalairlines.com. IN NS your_FQHN.
da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12
The SOA record (including root.digitalairlines.com) must be on a single line.
Make sure you enter your FQHN (such as da50.digitalairlines.com) in the SOA
and NS records. Use the current date and “01” as the serial number (such as
2005071501).
8. Save and close the file.
9. Create a new file 10.0.0.zone in the directory
/var/lib/named/master/.
$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN.
root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)
IN NS your_FQHN.
10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
The SOA record (including root.digitalairlines.com) must be on a single line.
Make sure you enter your FQHN (such as da50.digitalairlines.com) in the SOA
and NS records. Use the current date and “01” as the serial number (such as
2005071501).
11. Save and close the file.
tail -f /var/log/messages
14. Switch to the first terminal window and start bind with the following command:
rcnamed start
If there are errors in the file /etc/named.conf, they are noted in the output (with specific
references and line numbers). The named daemon will not start until these errors are fixed.
15. From the second terminal window, watch the log output of bind for any messages
such as Unknown RR type or file not found.
16. If any errors occur, try to fix them and restart bind.
17. From the first terminal window, start bind automatically when the system is booted
by entering the following:
insserv named
18. Open the file /etc/resolv.conf in a text editor.
nameserver your_ip_address
21. Save and close the file.
22. Verify that your DNS server works by entering the following command:
host da10.digitalairlines.com
23. Add a new DNS record for the slave server in the file
/var/lib/named/master/digitalairlines.com.zone:
$TTL 172800
digitalairlines.com. IN NS your_FQHN.
digitalairlines.com. IN NS slave_FQHN.
da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12
24. Add a new DNS record for the slave server in the file
/var/lib/named/10.0.0.zone:
$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN.
root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)
IN NS your_FQHN.
IN NS slave_FQHN.
10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
zone "0.0.10.in-addr.arpa" in {
type slave;
file "slave/10.0.0.zone";
masters
{
master_server_ip_address;
};
};
5. Save the changes and close the editor.
6. Open a second terminal window su to root.
7. Enter the following command:
tail -f /var/log/messages
8. Switch to the first terminal window and start bind by entering the following:
rcnamed start
9. From the second terminal window, watch the log output of bind for any messages
such as Unknown RR type or file not found.
10. If any errors occur, try to fix them and restart bind.
11. Start bind automatically when the system boots by entering the following:
insserv named
12. From the first terminal window, open the file /etc/resolv.conf in a text editor.
nameserver master_server_ip_address
16. Verify whether or not your DNS server works by entering the following:
host da10.digitalairlines.com
(End of Exercise)
To deploy an OpenLDAP server with SLES 9, you need to know the following:
n The Concept of a Directory Service
n The Basics of LDAP
n How to Install and Set Up an OpenLDAP Server
n How to Add Entries to the LDAP Server
n How to Query Information from the LDAP Server
n How to Delete and Modify Entries of the LDAP Server
n How to Use Graphical LDAP Applications
There are many different ways to provide a directory service. Different methods
allow different kinds of information to be stored in the directory, place different
requirements on how that information can be referenced, queried and updated, and
determine how it is protected from unauthorized access.
Some directory services are local, providing service to a restricted context (such as
the finger service on a single machine). Other services are global, providing service
to a much broader context (such as the entire Internet).
Directory services can be used for many different purposes. Very often they are used
as databases for user authentication. By default, SLES 9 uses OpenLDAP for user
management and some configuration purposes.
LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is
a lightweight protocol for accessing directory services. LDAP runs over TCP/IP or
other connection-oriented transfer services.
The types are typically mnemonic strings, like “cn” for common name, or “mail” for
email addresses. The syntax of the values depends on the attribute type.
For example, a cn attribute might contain the value “Tux Penguin.” A mail attribute
might contain the value “tux@example.com.” A jpegPhoto attribute might contain a
photograph in the JPEG (binary) format.
In LDAP, directory entries are arranged in a hierarchical tree structure. If you use
LDAP for user management, the structure normally reflects the organizational
structure of the company or organization.
Under the root of the tree are the country, organization, organizational unit and leaf
objects (such as users).
Figure 3-3: Example LDAP tree. Root; below it dc=us and dc=com; below dc=com, dc=example; below dc=example, ou=Management and ou=Sales; below ou=Management, cn=tux.
An entry of the tree is referenced by its DN, which is constructed by taking the name
of the entry itself (called the relative distinguished name or RDN) and concatenating
the names of its ancestor entries.
For example, the entry for Tux Penguin in the example above has a DN of
uid=tux,ou=Management,dc=example,dc=com.
In addition, LDAP allows you to control which attributes are required and allowed
through the use of objectClasses. The following objectClasses are used when LDAP
is used for Linux user authentication.
n posixAccount
n shadowAccount
n posixGroup
The following is an overview of some of the attributes used in these object classes:
Object classes are defined in schema files. OpenLDAP ships with some basic schema
files located in the directory /etc/openldap/schema.
To create the tree structure, you use container objects, which can contain other
objects. The following is a list of these objects:
n Root. The root of the directory tree
n c. Countries
n o. Organizations
n ou. Organizational units
n dc. Domain components
However, if you chose not to install the server during installation, you can set up an
LDAP server by installing the following software packages with YaST:
n openldap2
n openldap2-client
The configuration files for OpenLDAP are located in the directory /etc/openldap/.
The directory contains 2 configuration files:
n slapd.conf. This file is the main configuration file for the OpenLDAP server.
n ldap.conf. This file contains the default configuration for LDAP clients.
If you installed the LDAP server during SLES 9 installation, the configuration file
slapd.conf has already been set up. Otherwise, you need to set the following options
of the configuration file to reflect your environment:
n suffix "dc=your-domain,dc=com"
In this line you set the domain components “dc” according to your domain name.
n rootdn "cn=Manager,dc=example,dc=com"
This line sets the administrator of the LDAP server. You can also configure the
domain components in this line.
n rootpw secret
This line specifies the password for the administrator. The default password
secret must be changed.
For security reasons, the password should be stored in an encrypted form. To
create an encrypted password, use the following command:
slappasswd -s your_password
The command outputs a string that has to be copied into the configuration file.
The entry for the command rootpw looks like the following:
rootpw {SSHA}rawtcakVvoBls6J6wz2+yPa8H02Dprax
After finishing the configuration, you can start the server with the following
command:
rcldap start
If you want to start the LDAP server automatically when the server boots, use the
following command:
insserv ldap
After you change the server configuration file, you change the client configuration
file ldap.conf. You have to add at least 2 lines:
n host localhost
This line sets the default server that LDAP clients should connect to.
n base dc=suse,dc=de
This is the default directory search base that should be used by LDAP clients.
x The configuration shown above is for a SLES 9 authentication server. Depending on your
environment, you might need a different setup and tree structure.
OpenLDAP provides the command ldapadd to insert data that is in LDIF format into
the directory. You can use files in the LDIF format to avoid specifying all values on
the command line.
LDIF files contain the information that should be included into the directory service
in a plain text format.
You can create a different file for each user you would like to add, but you can also
put multiple user records in one file. An LDIF file contains the following entries:
n dn. The distinguished name of the object you want to add.
n objectclass. The object classes of the new entry.
n attribute. An attribute of the entry. You normally add more than one attribute at
the same time.
If you installed an LDAP server during installation, the basic tree structure for user
authentication has already been created. If you set up the server later, you need to
create the structure manually with an LDIF file like the following:
dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
x Make sure that there are no empty spaces or tabs at the beginning or end of a line.
Because LDAP uses Unicode (UTF-8), special characters in LDIF files have to be
coded into UTF-8, or they might not be evaluated. This means you need to edit the
LDIF file with a Unicode editor, or convert the file later.
The command to insert a data set that exists as an LDIF file looks like the following:
You need to use the -x option because you haven't configured SASL authentication
yet.
Use the option -D to specify who can access the directory. This should be rootdn,
specified in the server configuration file.
Use the option -W to display a password prompt. Otherwise, you must enter the
password directly at the command line, where it will be visible as plain text.
After you have set up the basic tree structure (during or after installation), you can
add a user to the directory with an LDIF file similar to the following:
dn: uid=geeko,ou=people,dc=suse,dc=de
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: geeko
uidNumber: 1010
gidNumber: 100
cn: Geeko Chameleon
givenName: Geeko
sn: Chameleon
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowLastChange: 12609
This example LDIF file creates a user based on the default LDAP setup of SLES 9.
The attributes are listed below with an explanation of each:
n uid: geeko. This attribute sets the login name of the user.
n uidNumber: 1010. This attribute sets the numerical ID of the user.
n gidNumber: 100. This attribute sets the default group ID of the user. The value
100 belongs to the group users in a SLES 9 installation.
n cn: Geeko Chameleon. This attribute sets the full name of the user.
n givenName: Geeko. This attribute sets the given name of the user.
n sn: Chameleon. This attribute sets the surname of the user.
n homeDirectory: /home/geeko. This attribute sets the path to the home directory
of the user.
n loginShell: /bin/bash. This attribute sets the login shell of the user. The default
for SLES 9 is /bin/bash.
n shadowMax: 99999. This attribute sets the number of days before the password
expires.
n shadowWarning: 7. Users can be warned before their passwords expire. This
attribute sets the number of days before the warning is issued. Set to -1 to disable
the warning.
n shadowInactive: -1. This attribute sets the number of days that a user can still
log in after the password expires. Set to -1 to set an unlimited number of days.
n shadowMin: 0. This attribute sets the minimum number of days that need to
pass before a password can be changed.
n shadowLastChange: 12609. This attribute sets the date of the last password
change.
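Before an LDIF file like the one above is handed to ldapadd, it is worth checking it for the mistakes this section warns about. As an added example (not part of the course), the following Python code parses the simple LDIF subset used here and reports leading or trailing whitespace, attributes that posixAccount, shadowAccount and inetOrgPerson require but that are missing, a uid that differs from the RDN, non-numeric uidNumber or gidNumber values, a cleartext userPassword, and a uidNumber reused by a second entry. The sample LDIF is constructed inline; its second entry contains those mistakes on purpose.

```python
"""Pre-flight checks for a user LDIF before it goes to ldapadd.

Added example, not part of the Novell course. It parses the LDIF subset
used in this section (one 'attribute: value' per line, entries separated
by blank lines) and reports mistakes that ldapadd or the NSS lookups would
otherwise only reveal later.
"""

# MUST attributes of the object classes used for Linux user authentication
# (as defined in OpenLDAP's nis.schema, core.schema and inetorgperson.schema).
REQUIRED = {
    "posixaccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
    "shadowaccount": ("uid",),
    "inetorgperson": ("cn", "sn"),      # inherited from person
}
HASH_SCHEMES = ("{crypt}", "{ssha}", "{sha}", "{smd5}", "{md5}")

# Constructed sample: the geeko entry from the text (shortened) plus a second
# entry with deliberate mistakes: a leading blank before 'uid', no
# homeDirectory, a non-numeric gidNumber, a cleartext password and a reused
# uidNumber.
SAMPLE_LDIF = """\
dn: uid=geeko,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: geeko
uidNumber: 1010
gidNumber: 100
cn: Geeko Chameleon
sn: Chameleon
homeDirectory: /home/geeko

dn: uid=tux,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
 uid: tux
uidNumber: 1010
gidNumber: users
cn: Tux Penguin
sn: Penguin
userPassword: secret
"""


def parse_ldif(text):
    """Return (entries, problems); an entry maps lowercased attr -> [values]."""
    entries, problems, current = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.strip():
            problems.append(f"line {lineno}: leading or trailing whitespace")
        line = raw.strip()
        if not line:                     # a blank line ends the entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not in 'attribute: value' form")
            continue
        attr, value = (part.strip() for part in line.split(":", 1))
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries, problems


def check_entry(entry):
    """Schema and content checks for one parsed entry."""
    problems = []
    dn = entry.get("dn", [""])[0]
    for cls in entry.get("objectclass", []):
        for attr in REQUIRED.get(cls.lower(), ()):
            if attr.lower() not in entry:
                problems.append(f"{dn}: {cls} requires {attr}")
    rdn = dn.split(",", 1)[0]
    if rdn.startswith("uid=") and entry.get("uid", [None])[0] != rdn[4:]:
        problems.append(f"{dn}: uid attribute does not match the RDN")
    for attr in ("uidNumber", "gidNumber"):
        for value in entry.get(attr.lower(), []):
            if not value.isdigit():
                problems.append(f"{dn}: {attr} {value!r} is not numeric")
    for pw in entry.get("userpassword", []):
        if not pw.lower().startswith(HASH_SCHEMES):
            problems.append(f"{dn}: userPassword is stored in cleartext")
    return problems


def check_ldif(text):
    """Run all checks over an LDIF text and return the list of problems."""
    entries, problems = parse_ldif(text)
    owner_of = {}                        # uidNumber -> dn, to spot duplicates
    for entry in entries:
        problems.extend(check_entry(entry))
        dn = entry.get("dn", [""])[0]
        for number in entry.get("uidnumber", []):
            if number in owner_of:
                problems.append(f"{dn}: uidNumber {number} is already used by {owner_of[number]}")
            else:
                owner_of[number] = dn
    return problems
```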
You can use the command ldapsearch to read data from the LDAP directory. The
following command reads the entire tree:
ldapsearch -x
The -x option forces ldapsearch to use the simple authentication method. This is
necessary if the LDAP server is not yet configured to use the SASL authentication
method.
ldapsearch reads the search base for the query out of the configuration file
/etc/openldap/ldap.conf. The search base is the entry in the directory where
ldapsearch starts the recursive search process.
If the file ldap.conf file does not exist, or if you want to use a different search base,
you can specify it with the -b option, as in the following:
ldapsearch -x -b "dc=example,dc=com"
If you have a lot of data in your LDAP tree, you might want to limit the output of
ldapsearch to specific entries. You can do that by adding a filter expression to the
ldapsearch command, as in the following:
ldapsearch -x "(uid=g*)"
In this example, ldapsearch displays all entries that have a uid attribute starting with
g. You can use any attributes or objectClasses as a search filter.
ldapsearch displays the result in LDIF format. That means you can transfer the data
to another LDAP server by redirecting the data into a file and loading it with ldapadd
on a different machine.
The easiest way to modify data in the LDAP directory in SLES 9 is to modify an
LDIF file and apply the changes with the ldapmodify tool.
In the following example, the uidNumber of the user tux has been changed to 1011:
To delete an entry from the LDAP directory, use the following command:
In this example, the entry with the distinguished name “cn=geeko, dc=example,
dc=com” is deleted.
Graphical applications are also available to access the LDAP server. SLES 9 comes
with the graphical LDAP browser GQ. Before you can use GQ, you need to install
the package gq because it is not part of the default software selection.
After installation, you can access GQ from the KDE menu by selecting System >GQ
LDAP Client.
Figure 3-4
GQ reads the file /etc/openldap/ldap.conf to get information about the default LDAP
server.
This is the default page that opens after you start GQ. At the top of the page are the
following text fields:
n Search filter. In this field you enter the search filter for your query. The syntax
is the same as that used for ldapsearch.
n LDAP server. Choose an LDAP server from the drop-down list.
n If you want to add an additional server, you need to open the Preferences dialog
by selecting File > Preferences. On the Servers page, specify a new LDAP
server by selecting New.
n Search base. In this field you specify the search base for your query. The syntax
for the search base is the same as that used for ldapsearch.
After you have entered all necessary data, start the query by selecting Find.
The result of the query is displayed in a list below the input fields. Double-click an
entry to display detailed information.
Figure 3-5
On the left side of the page is a tree menu you can use to browse the directory. By
selecting the arrow symbol before an entry, you can expand the tree structure.
You can display the details of an entry on the right side of the page by selecting the
entry in the tree menu.
Figure 3-6
On this page you can browse the schema definition available on the LDAP server.
In this exercise, you use the OpenLDAP server by doing the following:
n Part I: Install GQ
n Part II: Search the SLES 9 OpenLDAP Server
n Part III: Browse the SLES 9 OpenLDAP Server
n Part IV: Use an LDIF File to Add a User
Part I: Install GQ
Do the following:
1. From the KDE menu, select System > YaST.
2. Enter the root password and select OK.
3. From the YaST Control Center, select Software > Install and Remove Software.
4. From the filter drop down menu, select Search.
5. In the Search field, enter gq; then select Search.
6. On the right, select the gq package.
7. Install the GQ application by selecting Accept.
8. Insert the requested SLES 9 CD.
9. When the installation is complete, close the YaST Control Center and remove the
CD.
Part II: Search the SLES 9 OpenLDAP Server
Do the following:
1. From the KDE menu, select System > GQ LDAP Client.
2. Make sure that the Search tab is selected.
3. In the left search field, enter uid=geeko.
4. In the right search field, enter dc=digitalairlines,dc=com.
5. Select Find.
A result line appears.
6. Double-click the result line.
The LDAP entry for the user geeko is displayed.
7. Scroll down and verify that you cannot see the userPassword entry for geeko.
8. Select Close.
9. From the menu bar, select File > Preferences.
10. From the configuration dialog, select the Servers tab.
cn=Administrator,dc=digitalairlines,dc=com
14. Close the server dialog by selecting OK.
16. Make sure that the search fields still contain the previously entered query.
18. When prompted for a password, enter novell; then select OK.
20. Make sure that you can see the userPassword entry for geeko.
Notice that access to the password is not granted to anonymous users, but to the
authenticated administrator.
21. When you finish, select Close.
Part III: Browse the SLES 9 OpenLDAP Server
Do the following:
1. From the GQ application, select Browse.
2. On the left, expand localhost.
3. Expand dc=digitalairlines,dc=com.
4. Expand people.
All users of the system are displayed. At the moment, this only includes geeko.
5. Select geeko.
The user information for geeko appears on the right.
6. Close the GQ window.
Part IV: Use an LDIF File to Add a User
Do the following:
1. With a text editor, create a file named tux.ldif in the directory /tmp with the
following content:
dn: uid=tux,ou=people,dc=digitalairlines,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Tux Penguin
gidNumber: 100
givenName: Tux
homeDirectory: /home/tux
loginShell: /bin/bash
shadowInactive: -1
shadowLastChange: 12609
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Penguin
uid: tux
userPassword: {crypt}GpyJ3/OQgLxZE
uidNumber: 1010
x You can also copy the LDIF file tux.ldif from the directory
/exercises/section_3 from your 3038 Course CD to the directory /tmp.
x If you are unsuccessful at authenticating as Administrator, try closing the terminal window
and opening a new terminal window. Repeat steps 3 and 4.
You do not have to be root to enter the ldapadd command; however, you need to be root for
the commands that follow.
5. Create the home directory for the user tux by entering the following:
cp -a /etc/skel/ /home/tux
6. Adjust the file system permissions by entering the following commands:
chown -R tux:users /home/tux/
(End of Exercise)
To set up an internal Apache web server, you need to know the following:
n The Basic Functionality of a Web Server
n How to Install and Set Up a Basic Apache Web Server
n The Structure and the Basic Elements of the Apache Configuration Files
n The Basic Apache Configuration
n How to Configure Virtual Hosts
n How to Limit Access to the Web Server
n How to Configure OpenSSL for Connection Encryption
A web server delivers data that is requested by a web browser. The data can have
different formats such as HTML files, image files, Flash animations, or sound files.
Web browsers and web servers communicate using HTTP (Hyper Text Transfer
Protocol). The following diagram shows the relationship between the browser, server,
and HTTP:
Figure 3-7
In addition to delivering data to the web browser, a web server can perform tasks
such as limiting access to specific web sites, logging access to a file, and encrypting
the connection between a server and browser.
To run a basic Apache web server, you need to install the following packages with
YaST:
n apache2. The basic web server software.
n apache2-prefork. An additional Apache package that influences the
multiprocessing behavior of the web server.
n apache2-example-pages. Sample HTML pages.
SLES 9 ships with 2 Apache versions: Apache series 1 and Apache series 2. This
section covers Apache series 2 because this version will continue to be developed.
When you install the packages listed above, YaST prompts you to install also one or
more additional packages required by Apache. Confirm the additional package
installation by selecting OK to resolve all dependencies of the Apache packages.
After installing the required software, you need to start the web server. Do this as the
root user by entering the following:
rcapache2 start
As with all services, enter the following to stop the web server:
rcapache2 stop
If you want the web server to start up at boot time, you need to enter the following:
insserv apache2
To test whether the web server is properly installed, open a web browser and enter
the following address:
http://localhost
Figure 3-8
If your SLES 9 server is connected to a network, you (and other hosts on the
network) can remotely access the web server by entering the following:
http://your_system_IP_address
If your network provides a DNS server, you can use the hostname instead of the IP
address.
This directory is also called the DocumentRoot of the web server. After the
installation, it contains the Apache example pages, which are displayed above.
You can replace the data in the DocumentRoot directory to display your own web
server content. Because the web server runs with the user id wwwrun, you have to
make sure that this user has read access to files in the DocumentRoot directory.
http://your_server/name_of_subdirectory
If no specific file is requested in the address, Apache looks for a file with the name
index.html. You can change the name of this default file in the Apache configuration
files.
To configure the Apache web server with the configuration files, you need to do the
following:
n Locate the Apache Configuration Files
n Understand the Basic Rules of the Configuration Files
The configuration of the Apache web server is spread over several configuration files
located in the directory /etc/apache2.
The options of the Apache configuration files are called directives. Directives are
case sensitive, which means that a word such as “include” is not the same as
“Include.”
Directives can be grouped so that they do not apply to the global server
configuration. In the following, the directives only apply to the directory
/srv/www/htdocs:
<Directory "/srv/www/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
You can use the # character to indicate comments in the configuration file. All lines
starting with a # are ignored by the Apache server.
Whenever you edit the Apache configuration files, you need to reload the web server
by entering the following:
rcapache2 reload
In some cases it's not enough to reload Apache. You need to stop and restart the web
server by entering the following:
rcapache2 restart
If you are not sure that your changes use the correct syntax, you can verify the syntax
of the configuration files by entering the following:
apache2ctl configtest
Syntax OK
In most cases the default settings are suitable and don't need to be changed.
To use the virtual host feature of Apache, you need to know the following:
n The Concept of Virtual Hosts
n How to Configure a Virtual Host
With the default setup, the Apache server can be reached with a browser using the
following web addresses:
n http://localhost (from the computer where the web server is running)
n http://web_server_IP_address
n http://web_server_hostname
For all of these addresses, Apache serves the same files located in the DocumentRoot
directory.
To use this setup, you would need a dedicated computer for every domain of the
Internet. To avoid this, Apache lets you set up multiple virtual web servers on one
physical system. These virtual web servers are called virtual hosts.
The physical system needs to have an entry in the DNS for every virtual host of the
Apache web server.
The following outlines the steps in the process of sending a request to the virtual host
www.example.com:
1. The web browser requests the IP address of the host www.example.com.
2. The browser uses the IP address to request a file from the Apache web server
listening on the IP address of www.example.com.
3. In the HTTP request, the browser includes the hostname of the server it wants to
reach.
4. Apache uses the hostname to determine the right virtual host and delivers the
requested data from that host.
Figure 3-9: The browser requests the IP address for www.example.com from the DNS server; the DNS server returns the same IP address for www.example.com, www2.example.com, www3.example.com and www4.example.com.
For every virtual host you need to create a configuration file in the directory
/etc/apache2/vhosts.d/. The name of the configuration file must end with .conf.
After customizing the template file, you need to reload the Apache web server. You
also need to make sure that the settings in DNS are updated so that the hostname of
your virtual host is resolved correctly.
Normally Apache delivers data to all hosts in the network that can reach the web
server. Sometimes it can be useful to restrict access to the content delivered by
Apache.
Apache offers the following directives to limit access to the web server on an IP
address basis:
These directives must be used within a <Directory> block and control the access to
all data below that directory.
The following example allows only hosts from the network 10.0.0.0/24 to access the
data in the directory /srv/www/htdocs:
<Directory "/srv/www/htdocs">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Directory>
q Allow,Deny. The allow directives are evaluated before the deny directives.
Access is denied by default. Any client who does not match an allow
directive or does match a deny directive is denied access to the server.
q Mutual-failure. Only those hosts that appear in the Allow list and do not
appear on the Deny list are granted access. This has the same effect as Order
Allow,Deny and is deprecated in favor of that configuration.
n Deny from all. The Deny directive is evaluated first, and in this case access is
denied for all clients. You can use the following options with the deny and the
allow directives:
q all. This option applies to all hosts.
q A full IP address. This option applies to a specific IP address (such as
10.0.0.23).
q A partial IP address. This option applies to IP addresses starting with the
given IP address fragment (such as 10.0.0).
q A network/netmask pair. This option applies to IP addresses matching to
the given network/netmask pair (such as 10.0.0.0/255.255.255.0)
q A network/nnn CIDR specification. This option applies to IP addresses
matching to the given CIDR expression (such as 10.0.0.0/24).
n Allow from 10.0.0.0/24. This allow directive is evaluated after the deny
directive. In this case, the access is allowed for hosts in the network 10.0.0.0/24.
n </Directory>. This directive ends the directory block.
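The order in which Allow and Deny are evaluated decides the outcome, and getting it wrong is a common cause of either an open or a locked-out server. As an added example (not the course's or Apache's own code), the following Python function applies a <Directory> block's Order, Allow and Deny directives to a client address with the semantics described above, so an access rule can be tested before Apache is reloaded. The three blocks are constructed inline: the first is the 10.0.0.0/24 example from the text, the second is the same rule set with the Order reversed, and the third mixes partial-IP, netmask and single-address specifiers.

```python
"""Evaluate Apache 2.0 Order/Allow/Deny access rules offline.

Added example, not part of the Novell course or of Apache. It implements
the mod_access semantics described in the text: 'Order deny,allow' allows
by default and lets a matching Allow override a Deny; 'Order allow,deny'
and 'Mutual-failure' deny by default and let a matching Deny override an
Allow. Host specifiers: all, full IP, partial IP, network/netmask, CIDR.
"""
import ipaddress

# Constructed <Directory> blocks. LAN_ONLY is the example from the text;
# LAN_ONLY_WRONG_ORDER has the same rules but evaluates Deny last, which
# locks everyone out; MIXED_SPECS exercises the other specifier forms.
LAN_ONLY = """\
<Directory "/srv/www/htdocs">
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/24
</Directory>
"""
LAN_ONLY_WRONG_ORDER = """\
<Directory "/srv/www/htdocs">
    Order allow,deny
    Deny from all
    Allow from 10.0.0.0/24
</Directory>
"""
MIXED_SPECS = """\
<Directory "/srv/www/htdocs">
    Order allow,deny
    Allow from 10.0.0 192.168.1.0/255.255.255.0
    Deny from 10.0.0.23
</Directory>
"""


def parse_access(block):
    """Return (order, allow_specs, deny_specs) from a <Directory> block."""
    order, allows, denies = "deny,allow", [], []   # mod_access default order
    for line in block.splitlines():
        toks = line.strip().split()
        if not toks or toks[0].startswith(("#", "<")):
            continue
        name = toks[0].lower()
        if name == "order" and len(toks) == 2:
            order = toks[1].lower()
        elif name in ("allow", "deny") and len(toks) >= 3 and toks[1].lower() == "from":
            (allows if name == "allow" else denies).extend(toks[2:])
    return order, allows, denies


def host_matches(spec, client):
    """Does one Allow/Deny 'from' specifier match the client address?"""
    if spec.lower() == "all":
        return True
    if "/" in spec:                      # network/netmask or network/nnn CIDR
        return client in ipaddress.ip_network(spec, strict=False)
    if spec.count(".") == 3:             # full IP address
        return client == ipaddress.ip_address(spec)
    # partial IP address: leading octets, matched on octet boundaries only
    return (str(client) + ".").startswith(spec.rstrip(".") + ".")


def is_allowed(block, client_ip):
    """Apply the block's Order/Allow/Deny rules to one client IP address."""
    order, allows, denies = parse_access(block)
    client = ipaddress.ip_address(client_ip)
    allow_hit = any(host_matches(s, client) for s in allows)
    deny_hit = any(host_matches(s, client) for s in denies)
    if order == "deny,allow":            # default allow; Allow overrides Deny
        return allow_hit or not deny_hit
    if order in ("allow,deny", "mutual-failure"):   # default deny; Deny overrides Allow
        return allow_hit and not deny_hit
    raise ValueError(f"unknown Order value: {order}")
```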
By limiting access to certain IP addresses, you can control the hosts that access the
web server, but you have no control over the user who sits in front of the
computer.
Apache offers another possibility of access control called basic authentication. If you
protect content on your web server with this method, users are required to log in
before they can access the data.
Before you can configure Apache to use basic authentication, you first have to create
user accounts for the web server. You can do this by using the tool htpasswd2.
The following command creates a password file and an account for the user tux.
After entering this command, htpasswd2 prompts you for a password for the user you
want to create. The passwords are stored in the file /etc/apache2/htpasswd.
You can specify a different location for the password file, but you have to make sure
that it is readable for the user wwwrun and that it is not located within the
DocumentRoot of your server.
When you use a password file for the first time, you have to call htpasswd2 with the
-c option to create the file. If you want to add more users later, use the following
command:
To delete a user from the password file, use the following command:
After you have created the user accounts, you need to configure Apache to prompt
for a password when accessing restricted data. You need to add the following lines to
the directory block of the directory that should be restricted:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require user tux
By default, the connection between the web browser and the web server is not
encrypted. Anyone who can listen to the network packets exchanged between
browser and server can read the transferred information.
Apache can use the SSL (Secure Socket Layer) protocol to encrypt the connection.
To configure SSL encryption with an Apache web server, you need to know the
following:
n The Basics of SSL Encryption
n How to Create a Test Certificate
n How to Configure Apache to Use SSL
n The Limitations of the SSL Configuration
Most of the time data is transmitted across a network in encrypted form by using
RSA keys. This method is used by the encryption software PGP (Pretty Good
Privacy) to encrypt emails, by ssh (Secure Shell) for encrypted data transfers between
two computers, and by Apache for secure data transmission between the web server
and the web browser.
This encryption is based on 2 different keys: a private key and a public key. While the
private key is known only to the owner, the public key should be accessible to the
public.
[Figure: encryption with a public and a private key (labels: Sender; Private key of the recipient)]
Public and private keys can also be used to sign data. In principle, when data is
signed, an encrypted checksum is generated from the data. The sender signs the data
with his private key.
The recipient can check the signature by using the public key of the sender to
determine whether the data really comes from the sender and whether the text has
been modified by a third party.
[Figure: signing and verifying data (labels: This is text..; Signature; Signature valid / Signature invalid; Sender; Public key of the sender)]
A problem with the encryption procedure described above is that you cannot
determine who the owner of a public key is. The solution to this problem is a
Certificate Authority (CA), which signs the public keys with its own private key.
CAs are well-known companies or organizations like VeriSign or VISA. The public
keys of these organizations are built into the web browsers. By verifying the
signature with the public key of the CA, the browser can make sure that a public key
of a web server is valid.
The following explains the process of using a CA with SSL encryption for a web
server:
1. The browser recognizes a web address starting with https://.
This means that the connection to this server should be encrypted. The default
port for SSL connections is 443 instead of port 80 (used for normal unencrypted
HTTP connections).
2. The web browser asks the server for its public RSA key.
3. The web server sends the public key to the web browser.
4. The web browser verifies the key of the server with the public key of the CA that
signed the key.
5. If the key is valid, the web browser and web server establish a secure connection.
You need an officially signed key to set up a secure web server. You can sign a key
by yourself, but this should only be done for test purposes.
To set up a secure web server for test purposes, you can create a certificate by
yourself. You should never use such a certificate for a production system.
To create a key pair, you need a file with as many random numbers as possible. You
can generate this file by entering the following command:
Stop this procedure after a few seconds by pressing Ctrl+C. The generated file should
be at least a thousand bytes in size. You can now generate the key pair by entering the
following command:
During the process, you are prompted to enter a password. This password is used to
secure the private key of the key pair.
Next you need to sign your public key to create a certificate by entering the following
command:
During the process, you are prompted for the following information:
n Enter pass phrase for /tmp/server.key:
Enter the passphrase you chose for the server key.
n Country Name (2 letter code) [AU]
Enter the country code of your country (such as DE for Germany).
n State or Province Name (full name) [Some-State]:
Enter your state or province name. You can enter a period (.) to leave this field
blank.
n Locality Name (eg, city) []:
Enter the name of your city.
n Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Enter the name of your company.
After you have answered all questions, the server certificate is saved into the file
server.crt.
Finally, you need to copy the files server.key and server.crt to the correct locations:
n Copy the file server.key to the directory /etc/apache2/ssl.key.
n Copy the file server.crt to the directory /etc/apache2/ssl.crt.
After you have generated the RSA key pair and the server certificate, you have to
configure Apache to use SSL. First, you need to change two settings in the file
/etc/sysconfig/apache2.
The settings in this file apply to the Apache startup script and do not belong to the
server configuration.
You also need to change the server configuration files to enable SSL by doing one of
the following:
n Configure the Main Server to Use SSL Encryption
n Configure a Virtual Host to Use SSL Encryption
To configure the main server, you need to add the following directives to the file
/etc/apache2/default-server.conf:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
n SSLCertificateFile /etc/apache2/ssl.crt/server.crt
This directive points to the server certificate file.
n SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
This directive points to the server key file.
After you make the described changes, you have to restart Apache. Apache prompts
you for the passphrase of the server key file.
The server might not start up correctly at boot time, because it requires the
passphrase for the server key. You should remove Apache from the init process and
start it manually after the system starts up.
You can access the SSL host by using the address https://name_of_your_host.
You can also configure a virtual host instead of the main server to use SSL. Place the
directives described above in your virtual host configuration and define your virtual
host with a directive such as the following:
<VirtualHost your_hostname:443>
The SSL setup as described in this section is a very basic configuration. To run
Apache with SSL on a server that can be reached from the Internet, you need a more
thorough understanding of SSL and the available configuration directives.
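The SSLCipherSuite string in the example above explicitly re-enables the LOW, SSLv2, EXP and eNULL classes, which is one reason the configuration is only suitable as a starting point. As an added example that is not part of the courseware, this POSIX shell function lists the weak classes a given SSLCipherSuite string leaves enabled; the list of classes treated as weak and the stricter comparison string are this example's own choices, not directives from the page.

```shell
#!/bin/sh
# Added example, not from the Novell courseware: report the weak cipher
# classes that an Apache SSLCipherSuite string still enables.

# Classes a practitioner would not want enabled (list is this example's own).
WEAK_CLASSES="LOW EXP EXPORT EXPORT40 EXPORT56 eNULL aNULL ADH SSLv2 RC4 MD5 DES"

is_weak_class() {
    for w in $WEAK_CLASSES; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# Prints, space-separated, every weak class the string enables. A component
# starting with "!" is permanently removed and "-" removes it as well, so both
# are skipped; "+" only moves a class to the end of the list, so it still
# counts. Components such as "RC4+RSA" are split on "+" and each part checked.
cipher_weak_classes() {
    spec=$1
    result=""
    old_ifs=$IFS
    IFS=':'
    set -- $spec
    IFS=$old_ifs
    for comp in "$@"; do
        case $comp in
            '!'*|'-'*) continue ;;
            '+'*) comp=${comp#+} ;;
        esac
        IFS='+'
        set -- $comp
        IFS=$old_ifs
        for tok in "$@"; do
            if is_weak_class "$tok"; then
                result="$result$tok "
            fi
        done
    done
    printf '%s\n' "${result% }"
}

# The string from the courseware's SSL example, and a stricter comparison
# string (this example's own choice, not a courseware directive).
COURSE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
STRICT_SUITE='HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5'

printf 'courseware string enables: %s\n' "$(cipher_weak_classes "$COURSE_SUITE")"
printf 'stricter string enables:   [%s]\n' "$(cipher_weak_classes "$STRICT_SUITE")"
```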
In this exercise, you configure an Apache web server by doing the following:
n Part I: Install Apache
n Part II: Test the Installation
n Part III: Configure a Virtual Host for the Accounting Department
n Part IV: Configure User Authentication
n Part V: Configure SSL
x The file accounting.conf you create in this exercise can be difficult to modify properly. To help
you understand what needs to be changed and where parameters are placed, the file is available
on your 3038 Course CD in the directory /exercises/section_3.
Do the following:
1. From the KDE start menu, select System > YaST; then enter a password of novell
and select OK.
2. From the YaST Control Center, select Software > Install and Remove Software.
3. From the filter drop-down menu, select Search.
4. In the Search field, enter apache; then select Search.
5. On the right side, select the following packages:
q apache2
q apache2-example-pages
q apache2-prefork
6. Select Accept.
7. (Conditional) If YaST displays package dependencies, confirm by selecting
Continue.
8. When prompted, insert the requested SLES 9 CDs in the drive.
9. When installation is complete, close the YaST Control Center and remove the CD.
10. Open a terminal window and su to root.
insserv apache2
12. To start the Apache daemon, enter the following:
rcapache2 start
Do the following:
1. From the KDE menu, select Internet > Web Browser.
2. In the address bar of the web browser, enter the following:
http://localhost
If the Apache example page appears, the web server has been installed and
started correctly.
3. (Conditional) If you are having problems displaying the page, you need to rename
the file /srv/www/htdocs/index.html.en to
/srv/www/htdocs/index.html.
Do the following:
1. From the terminal window (as root), create a directory for the virtual host by
entering the following:
mkdir /srv/www/accounting
2. Adjust the file system permissions by entering the following:
chown wwwrun /srv/www/accounting/
3. In the new directory, create a file index.html with the following content:
<html>
<head>
<title>Accounting Intranet Server</title>
</head>
<body>
<h1>Accounting Intranet</h1>
Under construction.
</body>
</html>
4. Adjust the file system permissions of the file by entering the following:
chown wwwrun index.html
5. Change to the directory /etc/apache2/vhosts.d/ by entering the following:
cd /etc/apache2/vhosts.d/
6. Copy the virtual host template file by entering the following:
cp vhost.template accounting.conf
7. Open the file accounting.conf in a text editor and make the following changes:
<VirtualHost accounting.da.com:80>
ServerName accounting.da.com
DocumentRoot /srv/www/accounting
ErrorLog /var/log/apache2/accounting.da.com-error_log
CustomLog /var/log/apache2/accounting.da.com-access_log combined
UseCanonicalName On
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin"
<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/srv/www/accounting/">
AllowOverride None
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
8. For testing purposes, append "accounting.da.com" to the line "127.0.0.1" in the
file /etc/hosts:
127.0.0.1 localhost accounting.da.com
9. Test the syntax of your configuration file by entering the following:
apache2ctl configtest
10. Reload Apache by entering the following:
rcapache2 reload
11. From the Konqueror browser, access the virtual host by entering the following:
http://accounting.da.com
The accounting intranet index page is displayed.
12. Close the Konqueror browser.
Do the following:
1. From the terminal window (as root), create the file htpasswd and add the user
geeko to it by entering the following:
htpasswd2 -c /etc/apache2/htpasswd geeko
2. When prompted for a password, enter novell (twice).
Do the following:
1. From the terminal window (as root), create the file random by entering the
following:
cat /dev/random > /tmp/random
2. Press some keys on the keyboard to generate random events which help to create
the file.
3. Stop the process after about 15 seconds by pressing Ctrl+C.
4. Generate a server key by entering the following (on one line):
openssl genrsa -des3 -out /tmp/accounting.key -rand
/tmp/random 1024
5. When prompted for a pass phrase, enter novell (twice).
6. Sign the key by entering the following (on one line):
openssl req -new -x509 -key /tmp/accounting.key
-out /tmp/accounting.crt
7. When prompted for a pass phrase, enter novell; then enter the following
information:
Country Name US
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/accounting.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/accounting.key
The lines starting with SSLCipherSuite, ALL:, and LOW: should be on one
line.
x These lines are available in the file servername in the directory /exercises/section_3 on
your 3038 Course CD.
14. Open the file /etc/sysconfig/apache2 in a text editor, and change the following
lines:
APACHE_SERVER_FLAGS="SSL"
APACHE_START_TIMEOUT="10"
15. Save and close the file.
16. From the terminal window, check the syntax of the configuration file by entering
the following:
apache2ctl configtest
17. Restart Apache by entering the following:
rcapache2 restart
18. When prompted for the pass phrase, enter novell.
19. As the pass phrase has to be entered every time the server starts, you can prevent
the server from being started automatically at boot by entering the following:
insserv -r apache2
20. From the Konqueror browser, enter the following:
https://accounting.da.com/
As the certificate used in this exercise is self-signed, the browser displays a
warning.
21. In the warning dialogs, select Continue and Forever to view the web site.
22. In the login dialog, enter a username of geeko with a password of novell.
23. After the page displays, close the Konqueror browser and all other open windows.
(End of Exercise)
The Server Message Block (SMB) protocol is a network protocol that provides file
and print services in a Windows network. Samba enables Linux to use SMB so that
Linux can work in a Windows environment.
SMB services are provided by the NetBIOS protocol. NetBIOS makes its own name
space available, which is completely different from the domain name system.
This name space can be accessed with the Unique Naming Convention (UNC)
notation: all services provided by a server are addressed as \\Server\Servicename.
To set up a basic Samba server, you need to install the following packages with
YaST:
n samba. This is the main Samba package. It contains the Samba server software.
n samba-client. This package contains the Samba client tools.
n samba-doc. This package provides additional documentation about Samba.
After the packages have been installed, you can start the 2 Samba daemons with the
following commands:
rcnmb start
rcsmb start
To start the Samba services automatically when the system is booting, enter the
following commands:
insserv nmb
insserv smb
The options in the Samba configuration file smb.conf are grouped into different
sections. Each section starts with a keyword in square brackets.
The section for the general server configuration starts with the keyword [global]. The
following is an example of a basic global section:
[global]
workgroup = DigitalAirlines
netbios name = Fileserver
security = share
The entries of the global section in this example are described below:
n workgroup = DigitalAirlines
This line sets the Windows workgroup of the Samba server (in this case,
DigitalAirlines).
x You might need to configure additional settings for these options to work correctly. For
more information, see the man page of smb.conf.
After the global section, you need to add a section for the share of your file server.
The following example is the simplest way to set up for a share:
[data]
comment = Data
path = /srv/data
read only = Yes
guest ok = Yes
n path = /srv/data
This option sets the path to the exported data on the local file system. You have
to make sure that the local user who needs to access the files of this share has
sufficient file system rights.
n read only = Yes
If this option is set to yes, the client accessing the share is not allowed to modify,
delete or create any files.
n guest ok = Yes
If this option is set to Yes, a password is not required to access the share.
x There are many more configuration options available than those discussed in this section. For an
overview of all options, see the man page of smb.conf.
After you have created a smb.conf file, you should restart the Samba server daemons.
Before you restart the daemons, you can test the syntax of the Samba configuration
file by entering the following command:
testparm
In this case, no errors are found. If there were any errors in the file, the command
would display the errors grouped by configuration sections.
How to Use the Samba Tools to Access SMB Shares from a Linux Computer
Although the main purpose of Samba is to provide services for Windows clients, it
also provides tools to access SMB shares from Linux. It doesn't matter if these shares
are provided by Samba or a native Windows server.
With the tool nmblookup, you can resolve NetBIOS names into IP addresses. In the
following example, the IP address for the Samba server with the NetBIOS name
Fileserver is looked up:
nmblookup Fileserver
In the first line, nmblookup states that it queries the IP address with a broadcast to the
address 10.0.0.255. In the second line, it displays the result of the query, in this case,
address 10.0.0.1 for the system with the NetBIOS name Fileserver.
x If the system you are querying is not in the same subnet as yours, the name cannot be resolved
with a broadcast query. Instead, nmblookup uses a WINS server to resolve the name.
With the smbclient tool, you can access SMB shares on the network. It's also a very
useful tool to test a Samba server configuration.
To display the shares offered by an SMB server, enter a command such as the
following.
smbclient -L //Fileserver
smbclient first displays all available shares of the SMB server. Beside the shares you
have configured in the smb.conf file, an SMB server always offers at least 2 other
shares:
n IPC$. This share provides information about the other shares available on the
SMB server.
n ADMIN$. On a Windows computer this share points to the directory where
Windows itself is installed. This can be useful for administrative tasks. When
Samba tries to emulate a Windows server, it also offers this share. However, it is
not needed to administer a Linux server.
The lower part of the smbclient output gives some information about the workgroup
of the system.
This command can also be very valuable for testing purposes. After you have set up a
share, you can check the availability of the share with smbclient.
Some shares are not browseable without authentication. In this case, you can pass a
user name to smbclient, as in the following:
In the example, smbclient connects to the server with the user name tux and prompts
for the corresponding password.
The command to access a share on a server is similar to the command used to browse
for available shares, but instead of supplying just the server name, the full path to the
share needs to be supplied without the -L option.
In the following example, smbclient connects to the share data on the server
Fileserver:
smbclient //Fileserver/data
In this case, it is not necessary to supply a user name because the share data is
configured with the guest ok = yes option. A user name can be supplied with the -U
option.
smb: \>
smbclient can be used like a command-line FTP client. The most important
commands are the following:
n ls. Displays the content of the current directory.
n cd. Changes to a directory.
n get. Copies a file from the share to the current working directory.
n put. Copies a file to the share. The share must be writable to use this command.
You can use smbclient to print on shared network printers. The basic syntax of a print
command is shown in the following:
In this example, the file letter.ps is printed on a network printer accessed through the
share laser of the SMB server Printserver.
You can also use the command print on the smbclient command line after you have
connected to the server. The -c option performs the given command automatically
after the connection to the server has been established.
Instead of accessing shared files with smbclient, you can mount a share into the file
system like a hard disk partition or a CD-ROM drive.
In this example, the share data of the SMB server Fileserver is mounted into the
directory /mnt. The option -t smbfs is necessary to specify that the resource to be
mounted is an SMB share.
If the share requires authentication, you can supply a username and password, as in
the following:
In the previous example, the Samba share is accessible without supplying a user
name and password. In most cases, this type of accessibility is not recommended.
The following shows you how to configure Samba to require authentication with a
user name and password:
n Prepare the Server for User Authentication
n Configure a Share That Is Accessible to Only One User
n Configure Shared Access for a Group of Users
n Configure the Export of Home Directories
The first task is to change the security option in the smb.conf file to the following:
security = user
The value user for the option security forces user authentication when the client
attempts to connect to the server.
In the following examples, the configuration is based on User Level Security. In this
security level, the Windows-compatible encrypted password file is stored in the file
/etc/samba/smbpasswd (by default).
Users who want to access SMB shares must first be created as Linux users. Then an
SMB password needs to be set using the smbpasswd tool.
The following example sets an SMB password for the user tux:
smbpasswd -a tux
smbpasswd prompts you to enter the password twice and confirms the setting of the
password by displaying the following message:
If smbpasswd is called without any parameters, the current user can change his SMB
password. If smbpasswd is called with the -x option followed by a user name, that
user is deleted from the smbpasswd file.
The following example configures a share that is accessible only for the user tux:
[tux-dir]
comment = Tux Directory
path = /srv/share
valid users = tux
read only = no
The following example creates a share that is readable and writable for all users of
the UNIX group accounting:
[accounting]
comment = Accounting department
path = /srv/share
valid users = @accounting
force user = tux
force group = accounting
read only = no
Compared to the previous example, the following lines are new or have changed:
n valid users = @accounting
This line allows all users who are in the UNIX group accounting to access the
shared folder.
n force user = tux
This line forces the Samba server to perform all file operations in the shared
folder as user tux. This ensures that all files in the shared folder are readable and
writable for every user who is allowed to access the share.
n force group
This line forces the Samba server to perform all file operations with the group
accounting.
The following example exports the home directory of all UNIX users of the Samba
server. You need to add the users to the smbpasswd file before the setup works:
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
In this example, you must name the share homes. If Samba finds a share with this
name in the configuration file, it is treated in a special way.
When a share is requested, Samba first scans the existing sections of the
configuration file. If no section is found, Samba uses the requested share name as a
user name and looks up the user in the local password file.
If the user is found and the correct password is supplied, Samba automatically creates
a share for the home directory of the user.
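As an added example that is not part of the courseware, the following awk-based shell function reads an smb.conf and reports the settings discussed in this section that hand out access without a per-user password: security = share in [global], and shares with guest ok = yes, distinguishing read-only ones from writable ones. The sample configuration is constructed from the page's own [global], [data] and [tux-dir] examples plus one invented writable guest share; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Novell courseware: flag smb.conf settings that
# grant access without per-user authentication.

# Prints one finding per line for the smb.conf given as $1.
audit_smb_conf() {
    awk '
    # Emit findings for the section that has just been read completely.
    function flush() {
        if (section == "") return
        if (tolower(section) == "global") {
            if (sec_mode == "share")
                print "global: security = share (clients are not authenticated per user)"
            return
        }
        if (guest == "yes" && writable == "yes")
            print section ": guest ok = yes on a writable share (anyone can modify files)"
        else if (guest == "yes")
            print section ": guest ok = yes (no password required to read)"
    }
    /^[ \t]*[;#]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # start of a new section
        flush()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        guest = "no"; writable = "no"            # Samba defaults
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
        if (val == "true" || val == "1") val = "yes"      # boolean spellings
        if (val == "false" || val == "0") val = "no"
        if (key == "security") sec_mode = val
        if (key == "guest ok" || key == "public") guest = val
        if (key == "read only") writable = (val == "no") ? "yes" : "no"
        if (key == "writable" || key == "writeable") writable = val
    }
    END { flush() }
    ' "$1"
}

# Constructed sample: the [global], [data] and [tux-dir] sections from the
# text plus an invented writable guest share.
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
workgroup = DigitalAirlines
netbios name = Fileserver
security = share

[data]
comment = Data
path = /srv/data
read only = Yes
guest ok = Yes

[dropbox]
comment = Constructed writable guest share
path = /srv/dropbox
read only = No
guest ok = Yes

[tux-dir]
comment = Tux Directory
path = /srv/share
valid users = tux
read only = no
EOF
}

# Stand-alone run: write the sample and print the findings.
sample=$(mktemp)
write_sample_smb_conf "$sample"
audit_smb_conf "$sample"
rm -f "$sample"
```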
This section explained only the basic usage of Samba. Many more features and
configuration options are available to help you customize Samba for your
environment.
You can find more information about Samba and the possible configurations from the
following:
n The samba-doc package in the directory
/usr/share/doc/packages/samba/
n The man page of smb.conf
n The Samba project site at http://www.samba.org/
In this exercise, you configure a file server with Samba by doing the following:
n Part I: Install Samba
n Part II: Configure a Share for the User Geeko
n Part III: Access the Share of the User Geeko With smbclient
n Part IV: Mount Geeko's Share
Do the following:
1. From the KDE start menu, select System > YaST.
2. When prompted for the root password, enter novell; then select OK.
3. From the YaST Control Center, select
Software > Install and Remove Software.
4. From the filter drop-down menu, select Search.
5. In the search field, enter samba; then select Search.
6. On the right, select the following packages:
q samba
q samba-client (if not already selected)
7. Install the selected packages by selecting Accept.
Do the following:
1. From a terminal window, su to root.
2. Change to the directory /etc/samba.
3. Save the default Samba configuration file by entering the following:
mv smb.conf smb.save
4. Create the file smb.conf with a text editor.
[geeko-dir]
comment = Geeko Directory
path = /srv/samba/geeko
valid users = geeko
read only = no
smbpasswd -a geeko
11. When prompted for a password, enter novell (twice).
12. Check the syntax of the configuration file by entering the following:
testparm
13. Start the Samba servers by entering the following commands:
rcsmb start
rcnmb start
Part III: Access the Share of the User Geeko With smbclient
Do the following:
1. Open a terminal window as a normal user.
2. Access Geeko's share by entering the following:
smbclient -U geeko //localhost/geeko-dir
3. When prompted for a password, enter novell.
4. Display all available commands of smbclient by entering the following:
help
5. List the content of the share by entering the following:
ls
6. Copy the file my_file to the current directory by entering the following:
get my_file
7. Exit smbclient by pressing Ctrl+D.
8. Verify that the file my_file has been copied to the current directory by entering ls.
Do the following:
1. From the terminal window, su to root.
2. Mount geeko's share in the directory /mnt by entering the following:
mount -t smbfs -o username=geeko,password=novell
//localhost/geeko-dir /mnt
3. Display the content of the mounted share by entering the following:
ls /mnt/
You should see the file my_file.
5. Unmount the share by entering the following:
umount /mnt
5. Close all open terminal windows.
(End of Exercise)
Summary
Objective Summary
1. Configure a DNS Server Using BIND
n DNS translates host names into IP addresses.
n DNS is a distributed database.
n Under SLES 9 you can use the BIND software to
set up your own DNS server.
n A caching-only DNS server is not responsible for its
own domain, it just forwards requests to other name
servers and caches the result for later requests.
n A master server is responsible for its domain. It also
provides resource information to host entries like
the IP address of the mail server.
n DNS server information is stored in zone files.
n A slave DNS server receives copies of the domain
zone files from the master server. Using slave
servers enhances the reliability of the DNS.
n On a client, the name resolution is configured in the
files /etc/resolv.conf and /etc/nsswitch.conf.
n To query DNS from the command line, you can use
the host and the dig commands.
2. Deploy OpenLDAP on a SLES 9 Server
n OpenLDAP is the most popular open source LDAP directory and is used for user
authentication in SLES 9.
n If you did not configure an OpenLDAP server during
the installation, you need to install the following
software packages.
n openldap2
n openldap2-client
n The configuration of the OpenLDAP server is
located in the file /etc/openldap/slapd.conf.
n You can create passwords for the administrator
entry of the configuration file with the command
slappasswd.
n The default configuration file for LDAP clients is
/etc/openldap/ldap.conf.
n Use ldapadd to insert data from LDIF files into the
directory.
n Make sure that LDIF files conform to Unicode.
n Use ldapsearch to query information from the
directory.
n Use ldapmodify to change entries in the directory.
n Use ldapdelete to delete directory entries.
n You can use the graphical program GQ to browse
and query the directory.
3-80 Copyright © 2010 Novell, Inc. Copying or distributing all or part of this manual is protected by Version 2
a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.
Configure Network Services
Objective Summary
3. Configure an Apache Web Server n Apache is the leading web server software.
n Apache delivers data to a web browser using the
HTTP protocol.
n For a basic web server, you need to install the
following packages:
n apache2
n apache2-prefork
n apache2-example-pages
n The locally running web server can be accessed
using the address http://localhost.
n The default document root of the web server is
/etc/www/htdocs.
n The Apache configuration files are located in the
directory
/etc/apache2.
n The options of the Apache configuration files are
called directives.
n You can check the syntax of the configuration file
with the command apache2ctl configtest.
n By configuring virtual hosts you can host multiple
domains on one physical machine.
n You need to create a configuration file in the
directory
n /etc/apache2/vhosts.d/ for every virtual host.
n You can limit the access to the Apache web server
n On an IP address basis
Version 2 Copyright © 2010 Novell, Inc. Copying or distributing all or part of this manual is protected by 3-81
a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.
SUSE LINUX Advanced Administration
Objective Summary
4. Configure a Samba Server as a n Samba can be used to integrate a Linux system into
File Server a Windows environment.
n Windows services are delivered using the SMB
protocol.
n The network protocol NetBIOS is used in a
Windows environment.
n NetBIOS creates its own name space
independently from DNS.
n An SMB share can be accessed with the address
schema
n \\server_name\service_name.
n Samba can be used for the following purposes:
n As a file and print server
n To access SMB shares
n As a domain controller
n The Samba server is configured in the file
/etc/samba/smb.conf.
n The Samba configuration file is structured in
sections.
4. Configure a Samba Server as a n You can check the syntax of the configuration file
File Server (continued) with the command testparm.
n Use nmblookup to resolve NetBIOS names to IP
addresses.
n Use smbclient to access shares from the command
line.
n Use mount -t smbfs to mount SMB shares into the
Linux file system.
n You can limit access to a Samba server with user
authentication.
Secure a SLES 9 Server
In this section, you learn how to create a general security policy and how to secure a
SLES 9 server against local attacks.
Objectives
1. Create a Security Concept
2. Limit Physical Access to Server Systems
3. Limit the Installed Software Packages
4. Understand the Linux User Authentication
5. Ensure File System Security
6. Use ACLs for Advanced Access Control
7. Configure Security Settings With YaST
8. Stay Informed About Security Issues
9. Apply Security Updates
Introduction
Given the number of press reports about attacks on computers, it is not surprising that
computer security is being taken more seriously.
Despite the increased interest in security, not all administrators and decision makers
understand what IT security means and why it is important to them.
This section begins with a general overview of security concepts. This is because
every aspect of security needs to be seen in the context of the environment. It does
not make sense to secure one server when the same data can be stolen or manipulated
on other systems.
After the introduction, you will learn details about local security. Local security
covers every threat that can be caused by users of the local system.
This section does not cover topics that belong to the area of network security. Topics
such as firewalls and packet filtering are beyond the scope of this course.
It might be possible to operate a computer system in this secure manner, but it's not
practical. To deal with network problems in the real world, a different security
concept is required.
This objective does not provide sample solutions that can be adapted to your own
problem solving. Instead, you learn how to create your own security concepts.
First, you must know what you are protecting your system from. A security concept
for a computer used by multiple users at different times is different from a security
concept for an environment in which many different users use multiple computers at
the same time.
If users work on different computers and use common resources, such as disk space
or printers, then a security concept pertaining to a network must be considered.
The formal method of creating a security concept presented in this section has been
tried and proven in practice. It helps to detect errors and sources of danger that are
not obvious, and it provides good documentation of the concept.
Resources are differentiated according to what a user needs and how access to
these resources is controlled.
If users should not have access to certain resources, you can assign different access
rights. For example, you can determine which user groups can use a resource, or whether
the user groups can only access the resource during a certain time period.
By answering the following questions, you can gather the information needed to
develop a structured overall picture of your security needs.
- What information will be exchanged across which barriers and in which direction?
  A barrier can be the virtual barrier between the home directories of two users on
  a UNIX system or a firewall between two networks.
- Which data packets will be transported with which protocols to which hosts in the network?
  The fewer protocols you use, the better your security will be, simply because
  there are fewer sources of error.
- What resources are available to individual users and with which access rights?
  Consider the resources users will need: printers, files on storage media, the
  storage media themselves (such as CD-ROM drives), sound cards, modems, fax
  cards, ISDN cards, network services (such as FTP or HTTP), and CPU capacity.
- Which resources must be available in each work area?
  Even in small companies, different departments require different resources.
- Which data must users have access to and in which way?
  It does not make sense to organize access to data for each user individually.
  It is better to structure access rights around user groups.
- Which external users have access to company resources, what resources do they use,
  and how is that access controlled?
  Pay special attention to how external users are authenticated.
- Which resources does the company provide externally?
  Usually this means web and mail servers and other Internet services.
- Should users be charged for resources?
  Many organizations charge users or departments for expensive resources (such as
  Internet bandwidth).
- Which tasks must external service providers be involved in?
  Determine whether it is necessary to exchange any security-relevant data with the
  external service provider.
- How do security restrictions affect users, and how open are users to these restrictions?
  Users are more willing to live with restrictions if they understand why the
  restrictions are needed.
- Will you filter transmitted or stored information on gateways between networks or on computers?
  This applies, for example, to virus control, which should take place where viruses
  can be reliably detected: on workstations and file servers.
After you have determined the communication demands, you need to analyze the
protection requirements for the data.
You should estimate the frequency of the occurrence of possible damage to use in
your calculations.
It is often useful to have 2 columns for individual protocols, matching the two
transport directions (IN or OUT).
Besides application level gateways, routers with activated packet filtering also count
as firewalls.
The security policy determines what security demands are required for specific data
and resources. The security policy should include the analysis of the remaining risk.
Risks that cannot be removed or can only partially be removed by taking appropriate
protective measures should be highlighted.
The security policy always also describes the current actual state of security. For this,
information is needed on who is required to do what to achieve the desired security
level.
The following table shows what topics need to be covered in the security policy. The
table also includes the physical access to the IT infrastructure.

Table 4-2: Security of network components
  How the components and their physical storage areas are secured against unauthorized access

Actual state: The network cabinets are freely accessible, so each member of staff can patch his own network connections.
Target state: Technical rooms are locked, so only system administrators have access.
Task: The locks must be checked and keys assigned to system administrators.
Date: 2005-02-02
Responsible person: Jenny Doe, head of System Administration department.
The reasons given in the description of the actual state show that:
n Members of the staff need to be told why they can no longer patch their network
connections themselves.
n Administrators must be made available to patch the network connections in the
future.
Note: The following examples should not be considered as a template for your own security policy.
Every company has its own demands and issues to be solved. The tables should give you an idea
of ways to enhance the IT security in your company.
The following table covers dial-up to and from the internal network:
Date 2005-03-30
Target state: All servers are connected to a functioning UPS. Actual state reflects target state.
Task:
Date:
Responsible person:
Estimated expense:

Target state: Technical rooms are equipped with fire detectors and extinguishers outside the doors to the rooms. U.S. headquarters technical rooms have automatic sprinklers installed. Actual state reflects target state.
Task:
Date:
Responsible person:
Estimated expense:
Table 4-6: Further security measures
  How is data security controlled? How are checks made to determine whether the data stored is usable?

Date: 2005-04-22
Date: 2005-03-30
Estimated expense: Approximately 4 days for designing the concept. The running costs will be included in the concept.
Table 4-8: Further security measures
  How are the systems protected from malicious software such as viruses?

Target state: Virus scanners with a frequent update service are installed on all file servers and workstations. Current virus signatures can be downloaded at any time from the Internet from the virus scanner vendor's server.
  The virus scanners on workstations obtain the virus signatures from a central server, so new virus signatures only need to be installed once.
  To monitor the file servers, the product of a different vendor than the product monitoring the workstations is used.
  Overall, an efficient, two-level virus defense concept is implemented.
Date: 2005-03-30
Date 2005-03-30
To prevent unauthorized users from physically accessing the server, do the following:
- Place the server in a separate, locked room
- Secure the BIOS with a password
- Secure the GRUB boot loader with a password
The best way to prevent physical access to a server is to lock the server in a dedicated
server room. We highly recommend this for every production system.
The server room should be locked with a solid door, and only system administrators
should have access. The room should be protected against fire and be equipped with
an automatic fire extinguishing system.
What can be done depends on the size of the company and on the available financial
resources. At the least, a separate locked room for all servers is recommended.
For test systems or workstations that are not placed in a secure room, there are some
things you can do to make it more difficult to access a system without an account.
The BIOS represents the lowest level of software and lies underneath the operating
system. Modern BIOS versions give you the option of protecting the boot process
with a password. You can also protect the BIOS settings and prevent the system from
booting from media like floppies or CDs.
Note: The exact procedure for protecting the BIOS depends on the BIOS vendor and version. For more
details, consult your vendor documentation.
By preventing the system from booting from other media, only the installed
system can be started. This system is password protected and cannot be accessed
without further effort. However, a BIOS password is never a replacement for a
dedicated server room: anyone with physical access to the machine can remove the
disk or clear the BIOS settings by resetting the CMOS.
Another way to misuse physical access to a Linux system is to reboot it and pass
additional parameters to the kernel (such as init=/bin/sh). This makes it possible to
start the system and obtain a root shell without entering a password.
The boot loader GRUB can be configured to prompt for a password before any
parameters can be edited. To do this, you need to create an MD5-hashed password with
the following command:
grub-md5-crypt
The command asks for a password, asks you to confirm it once, and outputs the hashed
string. This string looks like the following:
$1$SEVCU0$S.7WQL05kHiK4VKDsKtfI0
Then the hash needs to be added to the GRUB configuration file:
/boot/grub/menu.lst
You can find the global section at the beginning of the configuration file. The
password needs to be placed into that section as shown in the following example:
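The following is an added example and not the listing from the course. It shows a menu.lst global section carrying the hash from the text, followed by a shell check that a given menu.lst really has the password line in its global section (before the first title) and which stanzas are locked. The partition, kernel and initrd paths in the sample are assumptions.

```shell
# Added example (not from the Novell course). The menu.lst below is a
# constructed sample; the hash is the one shown in the text.
SAMPLE_MENU_LST='default 0
timeout 8
gfxmenu (hd0,1)/boot/message
password --md5 $1$SEVCU0$S.7WQL05kHiK4VKDsKtfI0

title Linux
    kernel (hd0,1)/boot/vmlinuz root=/dev/hda2
    initrd (hd0,1)/boot/initrd

title Failsafe
    lock
    kernel (hd0,1)/boot/vmlinuz root=/dev/hda2 single'

# grub_password_set <menu.lst content>: exit 0 when a "password --md5"
# line appears in the global section, that is before the first title.
# A password line inside a stanza would not protect the editor, so the
# scan stops at the first title.
grub_password_set() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*title/ { exit }
        /^[[:space:]]*password[[:space:]]+--md5[[:space:]]+\$1\$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# locked_entries <menu.lst content>: print the title of every stanza that
# contains the "lock" directive, i.e. entries that GRUB refuses to boot
# until the password has been entered.
locked_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*title/ { sub(/^[[:space:]]*title[[:space:]]+/, ""); t = $0 }
        /^[[:space:]]*lock[[:space:]]*$/ { print t }'
}
```

On a real system run grub_password_set "$(cat /boot/grub/menu.lst)" as root. Note the caveat: with only the password directive set, GRUB still boots every menu entry without asking; the password is demanded only before the interactive editor or command line can be used. Add lock to a stanza (the Failsafe entry above) when that entry itself must not be bootable without the password.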
The more software is installed, the more potential security problems there are. For
example, it does not make sense to install an X server and graphical applications on a
system that is used exclusively as a web server.
To set up a production system, you can use the minimal system as the base for the
software selection during the installation. Then you can manually add just those
software packages that are needed.
This rule is especially true for network daemons. A server should never offer any
network services that are not needed. For example, if a server is used as a dedicated
file server, it is not necessary to run a postfix mail server on the same system.
You can use the following command to check which services are configured to start
and in which run levels:
chkconfig -l
The command displays a line for every service installed on the system. The following
line shows the configuration of the Samba server:
After the service name, the configuration for run levels 0 to 6 is displayed.
On means the service is configured to be started in the corresponding run level; off
means the service will not be started.
You can use the following command to remove a service from its default run levels:
insserv -r service_name
Note: Removing a service from the run level configuration does not stop an already running daemon.
A daemon that is already running needs to be stopped manually (on SLES 9 with its rc script,
for example rcpostfix stop), or the system needs to be rebooted to start with the new run level
configuration.
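As an added example (not part of the course), the following shell functions turn the chkconfig -l listing into an audit: they extract the services that start in the multi-user run levels 3 and 5 and compare them against an allowlist of what the server is supposed to offer. The listing embedded below is constructed sample data in chkconfig's output format.

```shell
# Added example, not from the Novell course. Constructed chkconfig -l output
# for a machine that is meant to be a dedicated file server.
SAMPLE_CHKCONFIG='smb       0:off  1:off  2:off  3:on   4:off  5:on   6:off
postfix   0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd      0:off  1:off  2:off  3:on   4:off  5:on   6:off
cups      0:off  1:off  2:off  3:off  4:off  5:off  6:off'

# enabled_services <listing>: names of services switched on in run level 3
# or 5, one per line, in listing order. Fields look like "3:on".
enabled_services() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if ((kv[1] == "3" || kv[1] == "5") && kv[2] == "on") { print $1; break }
        }
    }'
}

# unexpected_services <listing> <allowlist>: enabled services that are not
# in the space-separated allowlist, e.g. "sshd smb" for a file server.
# Each name printed is a candidate for "insserv -r name" plus "rcname stop".
unexpected_services() {
    allow=" $2 "
    enabled_services "$1" | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
}
```

On a live system run unexpected_services "$(chkconfig -l)" "sshd smb"; every name it prints is a daemon the server offers without needing to. Keep the allowlist under version control next to the security policy, so a new service appearing after an update shows up immediately.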
Even the best mechanisms for administering and setting user permissions would be
useless if a normal user could log in to a system as the system administrator.
For example, if a user logs in to a Linux system on a virtual console, a program
called login is usually involved in this process.
Login asks for the user's login name and password. The password is hashed (traditionally
called "encrypted" on UNIX) and compared with the hash stored in an authentication
database. If the two hashes are identical, login grants the user access to the system by
starting the user's login shell.
Before PAM was introduced, adding a new authentication method, such as a chip card
reader, meant extending login and every other application that handles authentication,
like FTP, SSH, or the KDM display manager.
PAM makes things easier. PAM creates a software layer with clearly defined
interfaces between applications (such as login) and the authentication mechanism
in use. Instead of modifying every program, a new PAM module just needs to
be added to enable authentication with a chip card reader.
Figure 4-1: Applications that handle authentication / PAM / Authentication mechanisms
PAM Configuration
The PAM modules are located in the directory /lib/security. Every module file name
starts with the prefix pam_.
The configuration files are located in the directory /etc/pam.d. The name of a
configuration file usually corresponds to the name of the application. For example,
the name of the configuration file for the application login is also login.
There is one special configuration file with the name other. This file contains the
default configuration that is used if no application-specific file is found.
Every line in a configuration file enables a PAM module. Each line consists, from
left to right, of the following entries:
- module-type. One of four PAM module types. The four types are as follows:
  - auth. These modules provide two ways of authenticating the user.
    First, they establish that the user is who he claims to be by instructing the
    application to prompt the user for a password or other means of
    identification.
    Second, the module can grant group membership or other privileges through
    its credential granting properties.
The following is the default configuration file for the login program on SLES 9:
Note: For an overview of the default PAM modules and their configuration options, consult the PAM
documentation under /usr/share/doc/packages/pam.
Third-party vendors can supply other PAM modules to enable specific authentication features
for their products, such as the PAM modules that enable Novell's Linux User Management
(LUM) authentication with eDirectory.
Even the best security setup for a system can be defeated if users choose easy to
guess passwords. With today's computing power, an ordinary computer can crack a
weak password within seconds.
Such attacks are called dictionary attacks, because the password cracking program
simply tries one word after another from a dictionary file.
To make sure that users cannot set easy to guess passwords, you can enable a special
PAM module that tests a new password before it is accepted. The PAM module is
called pam_pwcheck.so and uses the cracklib library to test the strength of
passwords.
If a user enters a password that is not secure enough, the following message is
displayed:
Bad password: too simple
There are also dedicated password check programs available, like John the Ripper
(http://www.openwall.com/john/), that you can run against your own password hashes
to find weak passwords before an attacker does.
You can also force users to change their passwords after a specific period of time.
Exercise 4-1 Change the PAM Configuration to Disable the Graphical Root Login
In this exercise, you change the PAM configuration by doing the following:
1. Log out of the KDE desktop environment.
2. When the KDM login screen appears, log in with the following:
  - Username: root
  - Password: novell
Notice that root is not listed in the user list of the login screen, but you can still log in as root by typing the name.
3. Log out again from the KDE desktop environment.
4. Log in as geeko with a password of N0v3ll.
5. Open a terminal window and su to root.
6. Open the file /etc/pam.d/xdm in a text editor.
7. Add the following as the second line of the file:
auth required pam_securetty.so
8. Save and close the file.
9. Log out and try to log in as root at the KDM login screen again.
The root login is denied, because pam_securetty.so only lets root log in on the terminals listed in /etc/securetty, and an X display is not one of them.
10. Log in as geeko again.
Note: If you cannot log in as geeko, restart the X server by pressing Ctrl+Alt+Backspace and try
again. You might also need to reboot your server.
11. Open a terminal window and su to root.
12. Open the file /etc/pam.d/xdm in a text editor and remove or comment out the
following line (the line you added):
auth required pam_securetty.so
13. Save and close the file.
14. Log out and try to log in as root at the KDM login screen again.
Note: If you cannot log in as root, restart the X server using Ctrl+Alt+Backspace and try again.
15. Log out of the KDE desktop environment and log back in as geeko.
(End of Exercise)
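The exercise above edits the file by hand. As an added example that is not part of the course, the following shell functions read a PAM service file, list the modules stacked for one module type, and insert the pam_securetty.so line in front of the auth stack only when it is not already there, so the change can be scripted across many hosts and re-run safely. The xdm file embedded below is constructed sample data, not the SLES 9 default.

```shell
# Added example, not from the Novell course. Constructed /etc/pam.d/xdm
# content: type, control flag, module, optional arguments.
SAMPLE_XDM='#%PAM-1.0
auth     required  pam_unix2.so    nullok
auth     required  pam_nologin.so
account  required  pam_unix2.so
password required  pam_pwcheck.so  nullok
password required  pam_unix2.so    nullok use_first_pass use_authtok
session  required  pam_unix2.so
session  required  pam_limits.so'

# pam_modules <file content> <module-type>: modules of that type in stack
# order, comments skipped. The third field is the module file name.
pam_modules() {
    printf '%s\n' "$1" | awk -v t="$2" '!/^[[:space:]]*#/ && $1 == t { print $3 }'
}

# pam_has_module <file content> <module-type> <module>: exit 0 if present.
pam_has_module() {
    pam_modules "$1" "$2" | grep -qx "$3"
}

# pam_add_securetty <file content>: print the file with
# "auth required pam_securetty.so" inserted before the first auth line,
# unchanged if the module is already stacked (idempotent).
pam_add_securetty() {
    if pam_has_module "$1" auth pam_securetty.so; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$1" | awk '
            !done && !/^[[:space:]]*#/ && $1 == "auth" {
                print "auth     required  pam_securetty.so"; done = 1
            }
            { print }'
    fi
}
```

To apply it, write the output to a temporary file and move it over /etc/pam.d/xdm as root, keeping a backup: a syntax error in a PAM file locks everyone out of that service, so keep a root shell open while testing the login.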
In UNIX systems like Linux, file system security is especially important because every
resource available on the system is represented as a file.
For example, when a user tries to access the sound card to play back audio data, the
access rights to the sound card are determined by the permission settings of the
corresponding device file in the /dev directory.
To ensure basic file system security, you need to know the following:
- The Basic Rule for User Write Access
- The Basic Rule for User Read Access
- How Special File Permissions Affect the Security of the System
The file systems used in Linux are structurally UNIX file systems. They support the
typical file access permissions (read, write, execute, sticky bit, SUID, SGID, and so on).
Apart from additional standard functionality, such as various time stamps, the
access permissions can be administered separately for the file owner, the owning group,
and the rest of the world (user, group, other).
As a general rule, a normal user should only have write access in the following
directories:
- The home directory of the user
- The /tmp directory, to store temporary files
Some device files (like those for sound cards) might also be writable for users, since
applications need to send data to the corresponding devices.
Some files in the system should be protected from user read access. This is especially
important for files that store passwords.
No normal user account should be able to read the content of such files. Even when
the passwords in a file are hashed, the files must be protected from any
unauthorized access, because a hash that can be read can be attacked offline with a
password cracker.
Note: This list is not complete. There can be more password files on your system, depending on your
system configuration and your software selection.
Some password files must be readable by a non-root account. This is normally the
account under whose user ID a service daemon is running.
For example, the Apache web server runs under the user ID of the user wwwrun. For
this reason, password files used by Apache (such as htpasswd files) must be readable by
the user wwwrun.
In this case you have to make sure that only this daemon account can read the file and
not any other user, for example by making the file owned by wwwrun with mode 0400.
There are three file system permissions that influence security in a special way:
- The SUID bit. If the SUID bit is set on an executable, the program runs
  under the user ID of the owner of the file. In most cases, this is used to allow
  normal users to run an application with the rights of the root user.
  This bit should only be set for applications that are well tested and in cases
  where there is no other way to grant access to a specific task.
  An attacker could gain access to the root account by exploiting a flaw in an
  application that runs under the UID of root.
- The SGID bit. If this bit is set on an executable, the program runs under the GID
  of the group the executable file belongs to. It should be used as carefully as the SUID bit.
- The sticky bit. The sticky bit can influence the security of a system in a positive
  way. In a globally writable directory, it prevents users from deleting each other's
  files.
  Typical application areas for the sticky bit are directories for temporary
  storage (such as /tmp and /var/tmp). Such a directory must be writable by all
  users of a system.
  However, write permission on a directory does not only include the
  permission to create files and subdirectories, but also the permission to delete
  or rename them, regardless of whether the user has any access to the files and
  subdirectories themselves.
  If the sticky bit is set on such a writable directory, deleting or renaming files in
  this directory is only possible if one of the following conditions is fulfilled:
  - The effective UID of the deleting or renaming process is that of the file owner.
  - The effective UID of the deleting or renaming process is that of the owner of
    the directory marked with the sticky bit.
  - The process runs as the superuser root, who is allowed to do anything.
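The rules above (password files readable only by their daemon account, SUID and SGID programs kept to a minimum, world-writable directories carrying the sticky bit) are easy to state and easy to violate silently. The following is an added example, not part of the course: three find-based checks that report violations, plus a function that builds a small constructed directory tree exhibiting each finding so the checks can be tried without touching a real system. The paths in the usage comments are assumptions.

```shell
# Added example, not from the Novell course.

# suid_sgid_files <dir>: regular files under <dir> with the SUID or SGID bit.
# On a live system run it against / as root and diff the result against a
# baseline taken right after installation; new entries need an explanation.
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unsafe_world_writable_dirs <dir>: directories anyone can write to that lack
# the sticky bit, so any user can delete or rename other users' files there.
unsafe_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# other_readable <file>...: print each existing file that "other" may read.
# Run it on the password files of the daemons you operate, for example
# other_readable /etc/shadow /etc/samba/smbpasswd /srv/www/htpasswd
other_readable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune -perm -0004 -print
    done
}

# make_sample_tree: create a constructed directory tree with one instance of
# each finding and print its path. Remove it with rm -rf when done.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/pub" "$t/tmp"
    chmod 777 "$t/pub"                                   # world-writable, no sticky bit
    chmod 1777 "$t/tmp"                                  # world-writable with sticky bit: fine
    printf '#!/bin/sh\n' > "$t/suidprog"; chmod 4755 "$t/suidprog"
    printf 'user:hash\n' > "$t/htpasswd"; chmod 644 "$t/htpasswd"   # readable by other
    printf 'root:hash\n' > "$t/shadow";   chmod 600 "$t/shadow"
    printf '%s\n' "$t"
}
```

Usage: d=$(make_sample_tree); suid_sgid_files "$d"; unsafe_world_writable_dirs "$d"; other_readable "$d/shadow" "$d/htpasswd"; rm -rf "$d". The checks use only POSIX find primaries (-perm -mode tests that all listed bits are set), so they also run on older systems such as SLES 9.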
Traditionally, three sets of permissions are defined for each file object on a Linux
system. These sets include the read (r), write (w), and execute (x) permissions for
each of three classes of users: the file owner, the group, and other users.
This concept is adequate for most practical cases. In the past, however, for more
complex scenarios or advanced applications, system administrators had to use a
number of tricks to circumvent the limitations of the traditional permission concept.
ACLs (Access Control Lists) extend the traditional file permission
concept. They allow you to assign permissions to individual users or groups even if
these are not the owner or the owning group.
ACLs are a feature of the Linux kernel and are supported by the ReiserFS, Ext2,
Ext3, JFS, and XFS file systems. Using ACLs, you can create complex scenarios
without implementing complex permission models on the application level.
The advantages of ACLs are clearly evident in situations like replacing a Windows
server with a Linux server providing file and print services with Samba.
Since Samba supports ACLs, user permissions can be configured both on the Linux
server and in Windows with a graphical user interface (only on Windows NT and
later).
With winbindd, it is even possible to assign permissions to users that only exist in the
Windows domain and have no account on the Linux server.
ACL Types
ACLs extend the classic Linux file permissions by the following entry types:
- named user. With this type, you can assign permissions to one or more users.
- named group. With this type, you can assign permissions to one or more groups.
- mask. With this type, you can limit the permissions of named users, named groups, and the owning group.

Entry type    Text form
owner         user::rwx
mask          mask::rwx
other         other::rwx
The permissions defined in the entries owner and other are always effective. Except
for the mask entry, all other entries (named user, owning group, and named group)
can be either effective or masked.
If permissions exist in the named user, owning group, or named group entries as well
as in the mask, they are effective. Permissions contained only in the mask or only in
the actual entry are not effective.
This means that the entries for named user, owning group, and named group are
combined by a logical AND with the mask entry.
The following example determines the effective permissions for the user jane:
Entry type    Text form        Permissions
named user    user:jane:r-x    r-x
mask          mask::rw-        rw-
effective permissions          r--
The ACL contains two entries, one for the named user jane and one mask entry. Jane
has permissions to read and execute the corresponding file, but the mask only
contains permissions for reading and writing.
Because of the AND combination, the effective rights allow jane to read the file only.
When you assign an ACL to a file or directory, the permissions set in the ACL are
mapped to the standard UNIX permissions.
Figure 4-2
Figure 4-3
In both cases, the owner class permissions are mapped to the ACL entry owner. Other
class permissions are mapped to their respective ACL entries. However, the mapping
of the group class permissions is different in the second case.
In the case of a minimum ACL without a mask, the group class permissions are
mapped to the ACL entry owning group. In the case of an extended ACL with a
mask, the group class permissions are mapped to the mask entry.
The access permissions that were assigned by permission bits represent the upper
limit for all other adjustments made by ACLs.
Any permissions not reflected here are either not in the ACL or are not effective.
Changes made to the permission bits are reflected by the ACL and vice versa.
To manage the ACL settings, you can use the following command line tools:
n getfacl. The command getfacl can be used to display the ACL of a file.
n setfacl. The command setfacl can be used to change the ACL of a file.
The following are the most important options for the setfacl command:
The options -m and -x expect an ACL definition on the command line. The following
are the definitions for the extended ACL types:
n named user. The following is an example entry for the user tux:
setfacl -m u:tux:rx my_file
The user tux gets read and execute permissions for the file my_file.
n named groups. The following is an example entry for the group accounting:
setfacl -m g:accounting:rw my_file
The group accounting gets read and write permissions for the file my_file.
n mask. Sets the ACL mask:
setfacl -m m:rx my_file
Sets the mask of the file my_file to read and execute permissions.
For more information about umask, see the corresponding man page (man umask).
The command mkdir mydir should create the mydir directory with the default
permissions as set by umask. Enter the following command to check if all
permissions were assigned correctly:
ls -dl mydir
The output of the command looks like the following:
2. Check the initial state of the ACL by entering the following command:
getfacl mydir
The output of the command looks like the following:
# file: mydir
# owner: tux
# group: project3
user::rwx
group::r-x
other::---
The output of getfacl precisely reflects the mapping of permission bits and ACL
entries as described before. The first three output lines display the name, owner,
and owning group of the directory.
The next three lines contain the three ACL entries. In fact, in the case of this
minimum ACL, the getfacl command does not produce any information you could
not have obtained with ls.
Your first modification of the ACL is the assignment of read, write, and execute
permissions to an additional user jane and an additional group jungle by entering
the following:
setfacl -m user:jane:rwx,group:jungle:rwx mydir
The option -m prompts setfacl to modify the existing ACL. The following
argument indicates the ACL entries to modify (several entries are separated by
commas). The final part specifies the name of the directory to which these
modifications should be applied.
Use the getfacl command to take a look at the resulting ACL:
getfacl mydir
The output of the command looks like the following:
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
In addition to the entries initiated for the user jane and the group jungle, a mask
entry has been generated.
This mask entry is set automatically to reduce all entries in the group class to a
common denominator. In addition, setfacl automatically adapts existing mask
entries to the settings you modified, provided you do not deactivate this feature
with -n.
The mask type defines the maximum effective access permissions for all entries
in the group class. This includes named user, named group, and owning group.
The group class permission bits that would be displayed by
ls -dl mydir now correspond to the mask entry:
The first column of the output now contains an additional + to indicate that there
is an extended ACL for this item.
3. According to the output of the ls command, the permissions for the mask entry
include write access. Traditionally, such permission bits would mean that the
owning group (in this example project3) also has write access to the directory
mydir.
However, the effective access permissions for the owning group correspond to
the overlapping portion of the permissions defined for the owning group and for
the mask, which is r-x in the example.
As far as the effective permissions of the owning group are concerned, nothing
has changed even after adding the ACL entries.
In the following example, the write permission for the owning group is removed
with the chmod command:
After executing the chmod command to remove the write permission from the
group class bits, the output of the ls command is sufficient to see that the mask
bits have changed accordingly: write permission is again limited to the owner of
mydir.
The output of getfacl confirms this. This output includes a comment for all
those entries in which the effective permission bits do not correspond to the
original permissions because they are filtered according to the mask entry.
Directories can have a default ACL, which is a special kind of ACL that defines the
access permissions that objects under the directory inherit when they are created. A
default ACL affects subdirectories as well as files.
There are two different ways in which the permissions of a directory's default ACL
are passed to the files and subdirectories in it:
n A subdirectory inherits the default ACL of the parent directory both as its own
default ACL and as an access ACL.
n A file inherits the default ACL as its own access ACL.
All system functions that create file system objects use a mode parameter that defines
the access permissions for the newly created file system object.
If the parent directory does not have a default ACL, the permission bits as defined by
the umask are subtracted from the permissions as passed by the mode parameter, with
the result being assigned to the new object.
If a default ACL exists for the parent directory, the permission bits assigned to the
new object correspond to the overlapping portion of the permissions of the mode
parameter and those that are defined in the default ACL. The umask command is
disregarded in this case.
The following three examples show the main operations for directories and default
ACLs:
n Add a default ACL to the existing directory mydir with the following command:
setfacl -d -m group:jungle:r-x mydir
The option -d of the setfacl command prompts setfacl to perform the following
modifications (option -m) in the default ACL.
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---
getfacl returns both the access ACL and the default ACL. The default ACL is
formed by all lines that start with default.
Although you merely executed the setfacl command with an entry for the jungle
group for the default ACL, setfacl automatically copied all other entries from the
access ACL to create a valid default ACL.
Default ACLs do not have an immediate effect on access permissions. They only
come into play when file system objects are created. These new objects inherit
permissions only from the default ACL of their parent directory.
n In the following example, mkdir is used to create a subdirectory in mydir, which
inherits the default ACL:
mkdir mydir/mysubdir
getfacl mydir/mysubdir
# file: mydir/mysubdir
# owner: tux
# group: project3
user::rwx
group::r-x
group:jungle:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---
n In the following example, touch is used to create a file in the mydir directory:
touch mydir/myfile
ls -l mydir/myfile
-rw-r-----+ ... tux project3 ... mydir/myfile
getfacl mydir/myfile
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x # effective:r--
group:jungle:r-x # effective:r--
mask::r--
other::---
touch passes a mode with the value 0666, which means that new files are created
with read and write permissions for all user classes, provided no other
restrictions exist in umask or in the default ACL.
In effect, this means that all access permissions not contained in the mode value
are removed from the respective ACL entries. Although no permissions were
removed from the ACL entry of the group class, the mask entry was modified to
mask permissions not set using mode.
This approach ensures the smooth interaction of applications, such as compilers,
with ACLs. You can create files with restricted access permissions and
subsequently assign them as executable. The mask mechanism guarantees that
the right users and groups can execute them as desired.
As a basic rule, the ACL entries are examined in the following sequence: owner,
named user, owning group or named group, and other. The access is handled in
accordance with the entry that best suits the process. Permissions do not accumulate.
Things are more complicated if a process belongs to more than one group and is
therefore covered by several group entries. An entry is randomly selected from the
suitable entries with the required permissions.
It is irrelevant which of the entries triggers the final result, which is access granted.
Likewise, if none of the suitable group entries contains the correct permissions, a
randomly selected entry triggers the final result, which is access denied.
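The three rules just explained (an entry in the group class is effective only where it overlaps the mask, a new object's ACL is the overlap of the parent's default ACL and the creation mode, and access is evaluated in the order owner, named user, owning or named groups, other) modelled in Python. This is an added example, not code from the course material; the getfacl sample is the mydir output shown in the text, re-typed as constructed input, and the dictionary keys are this example's own convention.

```python
"""Model of POSIX ACL evaluation as described in the text (added example,
not part of the course material): parse getfacl output, AND group-class
entries with the mask, check access in the order owner, named user, owning
or named groups, other, and derive a new object's ACL from a default ACL."""
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perm):
    """'r-x' -> 5"""
    return sum(PERM_BITS[c] for c in perm.strip() if c != "-")

def to_perm(bits):
    """5 -> 'r-x'"""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def entry_key(tag, qualifier):
    """'owner'/'group'/'mask'/'other' for the short entries, ('user', name)
    or ('group', name) for named user and named group entries."""
    if tag in ("mask", "other"):
        return tag
    if not qualifier:
        return "owner" if tag == "user" else "group"
    return (tag, qualifier)

def parse_getfacl(text):
    """Return (access_acl, default_acl, meta); meta holds owner and group."""
    access, default, meta = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                meta[m.group(1)] = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()   # drop '# effective:' notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perm = line.split(":")
        target[entry_key(tag, qualifier)] = to_bits(perm)
    return access, default, meta

def effective(acl, key):
    """Owner and other are always effective; the rest is ANDed with the mask."""
    if key in ("owner", "other") or "mask" not in acl:
        return acl[key]
    return acl[key] & acl["mask"]

def check_access(acl, meta, user, groups, wanted):
    """Sequence owner, named user, owning group or named groups, other.
    Group entries do not accumulate: one sufficient group entry grants,
    matching but insufficient group entries deny without falling to other."""
    want = to_bits(wanted)
    if user == meta["owner"]:
        return acl["owner"] & want == want
    if ("user", user) in acl:
        return effective(acl, ("user", user)) & want == want
    keys = ["group"] if meta["group"] in groups else []
    keys += [("group", g) for g in groups if ("group", g) in acl]
    if keys:
        return any(effective(acl, k) & want == want for k in keys)
    return acl["other"] & want == want

def apply_chmod(acl, mode):
    """chmod is mirrored into the ACL: group class bits land in the mask of
    an extended ACL, or in the owning group entry of a minimum ACL."""
    acl["owner"] = (mode >> 6) & 7
    acl["mask" if "mask" in acl else "group"] = (mode >> 3) & 7
    acl["other"] = mode & 7
    return acl

def inherit(default, mode, umask=0o022):
    """ACL of a new object: without a default ACL the umask is subtracted
    from mode; with one, owner/mask/other are ANDed with the class bits of
    mode and the group entries are copied, so only the mask restricts them."""
    o, g, w = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    if not default:
        return {"owner": o & ~(umask >> 6) & 7,
                "group": g & ~(umask >> 3) & 7,
                "other": w & ~umask & 7}
    new = dict(default)
    new["owner"] &= o
    new["other"] &= w
    new["mask" if "mask" in new else "group"] &= g
    return new

# Constructed sample: getfacl output of mydir after its default ACL was added.
MYDIR_ACL = """\
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---
"""

if __name__ == "__main__":
    access, default, meta = parse_getfacl(MYDIR_ACL)
    myfile = inherit(default, 0o666)   # what touch mydir/myfile produces
    for key in ("owner", "group", ("group", "jungle"), "mask", "other"):
        print(key, to_perm(myfile[key]), "effective:", to_perm(effective(myfile, key)))
```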
As described in the preceding sections, you can use ACLs to implement very
complex permission scenarios that meet the requirements of applications.
The traditional permission concept and ACLs can be combined in a smart manner.
However, some important applications still lack ACL support. Except for the star
archiver, there are currently no backup applications that guarantee the full
preservation of ACLs.
The basic file commands (cp, mv, ls, and so on) support ACLs, but many editors and
file managers (such as Konqueror) do not.
For example, when you copy files with Konqueror, the ACLs of these files are lost.
When you modify files with an editor, the ACLs of files are sometimes preserved,
sometimes not, depending on the backup mode of the editor used.
If the editor writes the changes to the original file, the access ACL is preserved. If the
editor saves the updated contents to a new file that is subsequently renamed to the old
filename, the ACLs might be lost, unless the editor supports ACLs.
Do the following:
1. Open a terminal window and su to root.
2. Change to the directory /tmp by entering the following:
cd /tmp
3. Create a test directory by entering the following:
mkdir acl_test
4. Limit the file system permissions for the directory by entering the following:
chmod 700 acl_test
5. Open a second terminal window as the user geeko.
6. Try changing to the test directory by entering the following:
cd /tmp/acl_test/
The command fails because geeko (who is not the owner of the directory) has no
permission to read the directory.
7. Switch to the root terminal.
8. Display the minimum ACL of the directory by entering the following:
getfacl acl_test
9. Add an extended ACL by entering the following:
setfacl -m u:geeko:rwx acl_test/
10. Switch to the geeko terminal and try to access the directory again by entering the
following:
cd /tmp/acl_test
Because of the extended ACL, you can view the directory.
11. Switch to the root terminal and display the extended ACL of the directory by
entering the following:
getfacl /tmp/acl_test/
Do the following:
1. From the root terminal window, change to the directory acl_test by entering the
following:
cd /tmp/acl_test
2. Create a file by entering the following:
touch without_default_acl
3. Display the ACL of the new file by entering the following:
getfacl without_default_acl
As there is no default ACL for the parent directory, the new file does not have an
extended ACL either.
4. Set a default ACL for the directory acl_test by entering the following:
setfacl -d -m u:geeko:rw /tmp/acl_test/
5. Create another test file by entering the following:
touch with_default_acl
6. Display the ACL of the new file by entering the following:
getfacl with_default_acl
As this file was created after the default ACL of the parent directory was set, the
new file inherited the ACL.
Do the following:
1. From the root terminal window, remove the ACL by entering the following:
setfacl -x u:geeko with_default_acl
2. Display the ACL again by entering the following:
getfacl with_default_acl
As you can see, the ACL for the user geeko has been removed. If there were
ACLs for other users, they would remain unaffected.
3. View the file attributes of with_default_acl by entering the following:
ls -l with_default_acl
There are still extended attributes (such as the mask “+”) in the output.
4. Remove all ACLs by entering the following:
setfacl -b with_default_acl
(End of Exercise)
With the module you can easily change the following settings of the system
configuration:
n The password settings
n The boot behavior of the system
n The login behavior
n The user ID limitations
n General file system security
Figure 4-4
Custom Settings. This option lets you create your own level of local security.
By selecting one of the three predefined security levels and selecting Next, the
chosen security level is applied. By selecting Details, you can change the settings for
the security level you have selected.
If you choose Custom Settings and then select Next, you can directly change the
details of the security configuration.
The dialogs for the detail settings look the same for every security level, but the
preselected options are different. In the following dialogs, you see the settings for
Level 3 (Network Server).
In the first dialog you can change the default password requirements that are
accepted by the system:
Figure 4-5
Minimum Acceptable Password Length. This value determines the minimum length of
a password. The shorter a password is, the easier it is to crack. A password
should never be shorter than 6 characters.
Days To Password Change Warnings. The name of this option is a little misleading.
There are two values to be set:
n Minimum. The number of days after which a user can change the password.
n Maximum. The number of days after which a user must change the password.
Days Before Password Expires Warning. This option determines how many days
before a password has to be changed a warning should be given to the user.
After adapting the options to your needs, select Next to proceed to the next dialog.
Figure 4-6
In this dialog you can configure how the system can be rebooted.
Shutdown Behavior Of KDM. This option determines how the system can be halted
with the graphical login manager KDM. You have the following choices:
n Only Root. To halt the system, the root password has to be entered.
n All users. Everyone, even remotely connected users, can halt the system using
KDM.
n Nobody. Nobody can halt the system with KDM.
n Local Users. Only locally connected users can halt the system with KDM.
n Automatic. The system is halted automatically after log out.
For a server system you should use Only Root or Nobody to prevent normal or even
remote users from halting the system.
Figure 4-7
In this dialog you can configure the login behavior of the system.
Delay After Incorrect Login Attempts. The value of this option determines the
number of seconds the next login attempt is delayed after a failed login attempt.
This is useful to prevent attackers from trying many passwords very quickly. The
default value 3 is sufficient in most cases.
Allow Remote Graphical Login. The display manager KDM lets you log in remotely to
the X Window System. If this option is selected, remote login is allowed.
For a server system, you should not enable this option unless it is needed for the
purpose of the server (for example, the system is a terminal server).
After adjusting the settings in this dialog, select Next to proceed to the next dialog.
Figure 4-8
In this dialog you can adjust the Minimum and the Maximum value for User and
Group IDs. The default values should be acceptable for most purposes.
Figure 4-9
Setting Of File Permissions. From this menu, you can choose between three
different presets for file system permissions. You have the following options:
n Easy. Most configuration files are readable for normal users.
n Secure. Certain system files (like /var/log/messages) can only be viewed by
root. Some programs can only be launched by root or by daemons.
n Paranoid. This is the preset with the highest level of file system security.
Access rights are even more restricted than with the Secure setting.
The security settings for every preset are read from configuration files
following the naming scheme /etc/permissions.<level>. For example, the
configuration for the Secure level is read from the file /etc/permissions.secure.
Each file contains a description of the file syntax and the purpose of the preset.
You can also add your own rules to the file /etc/permissions.local.
Current Directory In Path Of Regular Users. If this option is selected, the
current directory is added to the search path of normal users. In a security
sensitive environment, this option should not be enabled.
After confirming this dialog with Finish, the changes are saved and applied to the
system.
Damage can be prevented only when security patches are installed as quickly as
possible.
You can use the following resources to gather information about Linux-related
security issues:
n http://www.suse.de/en/business/security.html. This web site is the central
security information site of SUSE. All security issues affecting the SUSE
products are announced here.
You will also find information about security and OpenSource software and the
SUSE security team.
n http://www.suse.de/en/business/mailinglists.html. This web site offers an
overview of all SUSE related mailing lists.
There are two security related mailing lists that you can subscribe to for further
security information.
q suse-security. This mailing list is intended for security-relevant discussions.
q suse-security-announce. This mailing list announces security issues and
fixes. This mailing list is read only. For discussions please use suse-security.
To subscribe to a mailing list, select the check boxes by the name of the list,
enter your mail address at the bottom of the page, and then click OK.
n http://www.securityfocus.com/. This web site is about general IT security. It
also offers various security-relevant mailing lists.
In this exercise, you subscribe to the SUSE security mailing list. This means that
Novell/SUSE will inform you by email about current security issues of SUSE Linux
Products.
Do the following:
1. From the KDE start menu, select Internet > Web Browser.
2. In the address bar of the browser, enter the following:
http://www.suse.com/us/business/mailinglists.html
3. Scroll down to the entry suse-security-announce; then select the check box for
that entry.
4. Scroll down to the bottom of that page and in the email address field enter your
email address.
5. Subscribe to the list by selecting OK.
6. Close the web browser window.
(End of Exercise)
Software updates can be managed with YaST Online Update (YOU). This YaST
module downloads and installs software updates and security patches.
To access the update packages you need to enter a user name and a password. To get
these credentials, you need to create an account for the SUSE support portal.
After you have created an account, you need to register your product in the portal
with the registration code delivered with the SLES 9 CDs.
First you need to start the YOU module from the YaST Control Center by selecting
Software > Online Update.
Figure 4-10
Select Next to start the update process. There are some additional configuration
options but the defaults are sufficient unless you want to run your own YOU server.
In the next step, YOU asks you for your account at the SUSE support portal. Enter
your login name and password in the following dialog:
Figure 4-11
Select Login to proceed to the next step. YOU retrieves information about the
available patches and displays the following dialog:
Figure 4-12
On the top left side of the dialog all available patches are displayed. Security relevant
patches are indicated by red characters.
By selecting the check box by an entry, the corresponding update is installed in the
next step. Normally YOU autoselects the updates that are relevant for your system.
By selecting an entry itself, details for the corresponding update are displayed on the
right side of the dialog.
Figure 4-13
You can display additional information for some updates. These dialogs need to be
confirmed to install the corresponding software package.
Summary
Objective Summary
1. Create a Security Concept. The security of a system must always be seen in
the context of the whole IT environment. We highly recommend that you create a
security concept for the company. The process of creating a security concept
includes the following steps:
n Understand the basics of a security concept.
n Perform a communication analysis.
n Analyze the protection requirements.
n Analyze the current situation and necessary enhancements.
3. Limit the Installed Software Packages. You should install only those software
packages that are needed to fulfill the purpose of a server. To set up a
production system, minimize the software selections you install and add only
packages which are definitely needed. It is important that no network services
are installed that are not needed on a server.
4. Understand the Linux User Authentication. User authentication is the base for
every kind of access control. The user authentication of a modern Linux system is
based on PAM, the Pluggable Authentication Modules. PAM creates a software layer
between the applications handling user authentication and the currently used
authentication mechanism. PAM is configured in the directory /etc/pam.d/. This
directory contains a configuration file for every application that uses PAM.
Every line of a configuration file enables a PAM module for the corresponding
application. Another important aspect of user authentication is the requirements
for a secure password.
5. Ensure File System Security. The permission settings in the file system have
an important meaning for the overall system security. You should always follow
some basic rules about file system security:
n A user should only have write access in the home and the /tmp directory.
n Users should never have read access to configuration files that contain
passwords.
n The following special file permissions affect the security of a system:
n The SUID bit
n The SGID bit
n The sticky bit
6. Use ACLs for Advanced Access Control. ACLs extend the classic Linux file
system permissions. They let you assign permissions to named users and named
groups. ACLs also provide a mask entry, which basically limits the permissions of
named users and named groups. The ACL entries are managed with getfacl and
setfacl. Directories can have a default ACL that is inherited by newly created
files or subdirectories.
7. Configure Security Settings With YaST. YaST offers a module that can be used
to configure various security relevant system settings. The module can be found
in the YaST Control Center under Security and Users > Security Settings. You can
change the following settings:
n The password settings
n The boot behavior
n The login behavior
n The user and group ID limitations
n The file system security
8. Stay Informed About Security Issues. It is very important to be informed
about the current security issues. The following resources can be used to gather
security relevant information:
n http://www.suse.de/en/business/security.html
n http://www.suse.de/en/business/mailinglists.html
n http://www.securityfocus.com/
9. Apply Security Updates. To get and apply security updates for SLES 9, you
need to do the following:
Register SLES 9 at the SUSE support portal at http://portal.suse.com.
Download and apply updates with YOU, the YaST Online Update.
The YOU module can be found in the YaST Control Center under Software > Online
Update.
Manage Backup and Recovery
In this section, you learn how to develop a backup strategy and how to use the
backup tools shipped with SLES 9. You also learn about possible problems you
might encounter during the boot process and how to configure the GRUB boot
loader.
Objectives
1. Develop a Backup Strategy
2. Create Backup Files With tar
3. Work With Magnetic Tapes
4. Copy Data With the dd Command
5. Mirror Directories With the rsync Command
6. Automate Data Backups With the cron Service
7. Troubleshoot the Boot Process of a SLES 9 System
8. Configure and Install the GRUB Boot Loader
Introduction
Even the best security measures cannot guarantee that data will never be lost. There
is always the possibility that
n A hard disk failure will occur, destroying data on the affected disk.
n Users will delete files by accident.
n A virus will delete important files on a desktop computer.
n A notebook will be lost or destroyed.
n An attacker will delete data on a server.
n Natural influences like thunderstorms will destroy storage systems.
It is very important to ensure that you have a reliable backup of important data.
In this section you learn how to develop a backup strategy and how to use the
standard UNIX backup tools tar, rsync, and dd.
You will learn about possible issues during the boot process and how to configure the
GRUB boot loader.
In a full backup, all system data is copied to a backup medium once a day. To restore
the data, the most current backup medium is copied back to the system's hard disk.
The disadvantage of this method is the backup window. The backup window is the
time frame available to perform backups.
Backups should be performed when the system is not in use, to avoid data changes on
the disk during the backup. Such changes would lead to inconsistent data on the
backup medium.
Therefore, a backup is normally performed at night when systems are not needed.
In some cases, especially in larger companies, the backup window might be too small
to perform a full backup every day.
In most cases, a combination of these two constraints (the amount of data and the
limited backup window) prevents you from performing a full backup every day.
To circumvent this problem, you can use a backup method other than a full backup.
The following are 2 basic backup alternatives:
n Perform an Incremental Backup
n Perform a Differential Backup
In an incremental backup, you normally perform a full backup once a week (such as
on the weekend). Then you perform a backup every day that copies only the files that
have changed since the backup of the day before.
For example, you might perform a full backup on Sunday; on Monday you back up only
the files that have changed since Sunday, on Tuesday the files that have changed since
Monday, and so on.
In a differential backup, you also perform a full backup once a week, but each daily
backup records the files that have changed since the last full backup.
For example, suppose you perform a full backup on Sunday. On Monday you back up
the files that have changed since Sunday; on Tuesday you again back up all files that
have changed since Sunday, and so on.
The difference shows at restore time: a restore from incremental backups needs the full
backup plus every incremental backup since then, replayed in order, whereas a restore
from differential backups needs only the full backup and the most recent differential
backup. In exchange, daily incremental archives stay small, while differential archives
grow over the week.
The following illustrates the difference between incremental and differential backups:
You must choose the right backup media for the amount of data to be backed up and
the backup method.
Tape drives are used most often because they still have the best price-to-capacity
ratio. Normally these are SCSI drives, so that all kinds of tape drives can be accessed
in the same way (such as DAT, EXABYTE, and DLT). In addition, tapes can be
reused.
Other media for data backup include writable CDs or DVDs, removable hard drives,
and magnetic-optical (MO) drives.
More and more frequently, Storage Area Networks (SANs) are used. With a SAN, a
dedicated storage network connects the servers to central storage and backup devices,
so that data from different computers can be backed up to a central backup server
without loading the production network. But even a SAN often uses magnetic tapes as
the final storage for the data.
Backup media should always be stored separately from the backed-up systems. This
prevents the backups from being lost in case of a fire in the server room. Sensitive
backup media should be stored safely offsite. Remember that backup media contain a
complete copy of the data, so they need at least the same access protection as the
systems they were taken from.
The following are tasks you perform when backing up files with tar:
n Create tar Archives
n Unpack tar Archives
n Exclude Files from Backup
n Perform Incremental and Differential Backups
n Use tar Command Line Options
The tar format is a container format for files and directory structures. By convention,
the names of archive files end in .tar.
tar archives can be saved to a file to store them on a file system, or they can be
written directly to a backup tape.
Normally the data in the archive files is not compressed, but you can enable
compression with additional compression commands. If archive files are compressed
(usually with the command gzip), then the extension of the filename is either .tar.gz
or .tgz.
The tar command first expects an option, then the name of the archive to be written
(or the device file of a tape drive), and then the name of the directory to be backed up.
All directories and files under this directory are also saved.
In this example, the tar command backs up the complete contents of the directory /etc
to the file /backup/etc.tar.
The option -c (create) creates the archive. The option -v (verbose) displays more
detailed output of the backup process. The name of the archive to be created is entered
after the option -f (file).
This can be either a normal file or a device file (such as a tape drive), as in the
following:
In this example, the /home directory is backed up to the tape drive /dev/st0.
When an archive is created, absolute paths are made relative by default. This means
that the leading / is removed, as in the following output:
Extracting (option -x) writes all files in the archive to the current directory. Because
of the relative path names in the tar archive, the directory structure of the archive is
recreated there.
If you want to extract to another directory, use the option -C followed by the
directory name.
If you want to extract just one file, specify the name of that file (as it is stored in the
archive, that is, without the leading /) after the archive name, as in the following:
If you want to exclude specific files from the backup, a list of these files must be
written in an exclude file, line by line, as in the following:
/home/user1/.bashrc
/home/user2/Text*
In this example, the file /home/user1/.bashrc from user1 and all files that begin with
Text in the home directory of user2 will be excluded from the backup.
This list is then passed to tar with the option -X, as in the following:
In an incremental or differential backup, only files that have been changed or newly
created since a specific date must be backed up.
The following are 2 methods you can use to accomplish the same thing with tar:
n Use a Snapshot File for Incremental Backups
n Use the find Command to Search for Files to Back Up
tar lets you use a snapshot file that records the state of the file system at the time of
the last backup. This file is specified with the -g option.
First, you need to make a full backup with a tar command, as in the following:
The next time, you can perform an incremental backup with the following command:
In this example, tar uses the snapshot file to determine which files or directories have
changed since the last backup, and updates the snapshot file afterwards. Only changed
files are included in the new backup /backup/backup_mon.tar.gz.
Keep the snapshot file together with the archives: if it is lost, the next run is a full
backup again, and a restore needs the full backup followed by every incremental
archive in sequence (extract each of them with -g /dev/null so that tar honours the
directory listings stored in the archives).
You can also use the find command to find files that need to be backed up as a
differential backup.
In this example, all regular files (-type f) in the directory /home whose modification
time is newer than that of the file /backup/backup_mon.tar.gz are archived. Note that
-newer compares against the file you name: to get a differential backup, name the
archive of the last full backup; naming the previous day's archive yields an incremental
backup instead.
The options -print0 (find) and --null (tar) ensure that file names containing spaces or
other special characters are passed intact. The option -T - makes tar read the list of
files to archive from stdin instead of the command line.
Table 5-1 Important tar options
-c   Creates an archive.
-u   Only includes files in an archive that are newer than the version in the archive
     (update).
For more information about tar, consult the man page for tar.
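The full, incremental and differential runs described above (and under Develop a Backup Strategy), carried through end to end as an added example; it is not code from the course. It builds a small constructed tree in a temporary directory in place of /srv/www/htdocs, takes a full backup with a snapshot file, two incremental backups on consecutive "days", a find-based differential backup and an exclude-file backup, restores the incremental chain and extracts a single member. It assumes GNU tar and GNU find, as shipped with SLES 9; the archive names and the sample files are made up for the demonstration.

```shell
#!/bin/bash
# Added example, not from the course: incremental (snapshot file) and
# differential (find -newer) backups with GNU tar on a constructed tree.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/src"            # stands in for /srv/www
SNAP="$WORK/snapshot_file" # tar's record of what the last run saw

make_sample_tree() {
    # Constructed sample data in place of the htdocs directory.
    mkdir -p "$SRC/htdocs/img"
    echo '<h1>index</h1>' > "$SRC/htdocs/index.html"
    echo 'body{}'         > "$SRC/htdocs/style.css"
    echo 'PNG'            > "$SRC/htdocs/img/logo.png"
    echo 'scratch'        > "$SRC/htdocs/Text-scratch"
}

full_backup() {
    # Level-0 dump. A fresh snapshot file makes tar record every directory,
    # so later runs with the same file only pick up what changed since.
    rm -f "$SNAP"
    tar -C "$SRC" -cz -g "$SNAP" -f "$WORK/full.tar.gz" htdocs
}

incremental_backup() {
    # $1 = archive name. Reusing the snapshot file, as the course's commands
    # do, makes each run relative to the previous run: incremental.
    tar -C "$SRC" -cz -g "$SNAP" -f "$WORK/$1" htdocs
}

differential_backup() {
    # $1 = archive name. Files newer than the full archive, i.e. everything
    # changed since the last full backup, however many runs lie in between.
    # -print0 / --null keep names with spaces intact; -T - reads the list
    # from stdin.
    ( cd "$SRC" && find htdocs -type f -newer "$WORK/full.tar.gz" -print0 \
        | tar --null -T - -czf "$WORK/$1" )
}

excluded_backup() {
    # $1 = archive name. An exclude file, one pattern per line, passed with -X.
    printf '%s\n' 'htdocs/Text*' > "$WORK/exclude"
    tar -C "$SRC" -czf "$WORK/$1" -X "$WORK/exclude" htdocs
}

restore_incremental_chain() {
    # A restore replays the full dump and then every incremental in order.
    # -g /dev/null on extraction makes tar honour the recorded directory
    # listings, so files deleted between runs are removed again.
    rm -rf "$WORK/restore" && mkdir -p "$WORK/restore"
    for a in "$WORK/full.tar.gz" "$@"; do
        tar -C "$WORK/restore" -xz -g /dev/null -f "$a"
    done
}

extract_one_member() {
    # $1 = archive, $2 = member path, $3 = target directory. The member name
    # goes after the archive name; -C only chooses where it is written.
    mkdir -p "$3"
    tar -C "$3" -xzf "$WORK/$1" "$2"
}

has_member() { tar -tzf "$WORK/$1" | grep -qx "$2"; }

make_sample_tree
full_backup
sleep 1                                       # keep timestamps distinguishable
echo 'new' > "$SRC/htdocs/incremental.html"   # Monday's change
incremental_backup inc_mon.tar.gz
sleep 1
echo 'newer' > "$SRC/htdocs/tuesday.html"     # Tuesday's change
incremental_backup inc_tue.tar.gz
differential_backup diff_tue.tar.gz
excluded_backup no_text.tar.gz
restore_incremental_chain "$WORK/inc_mon.tar.gz" "$WORK/inc_tue.tar.gz"
extract_one_member no_text.tar.gz htdocs/style.css "$WORK/single"
```

Run it as an ordinary user; it only touches the temporary directory. The listing of inc_tue.tar.gz contains only Tuesday's file, while diff_tue.tar.gz contains both days' changes: that is exactly the trade-off between the two methods, fewer archives to replay for a differential restore against smaller daily archives for incremental backups.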
Note: In this exercise, you copy backup files to the directory /tmp. This is only done to
demonstrate the backup methods. You should never make an actual backup to the directory
/tmp: it is world-writable and its contents are visible to every local user.
Do the following:
1. Open a terminal window and su to root.
2. Change to the directory /srv/www by entering the following:
cd /srv/www/
3. Create a tar archive of the directory htdocs by entering the following:
tar czf /tmp/htdocs.tar.gz htdocs
4. Delete the directory htdocs by entering the following:
rm -r htdocs
5. Copy the backup archive to the directory /srv/www by entering the following:
cp /tmp/htdocs.tar.gz /srv/www
6. Restore the directory htdocs by entering the following:
tar xzf htdocs.tar.gz
7. View the content of the restored directory by entering ls htdocs.
Do the following:
1. From the root terminal window, change to the directory
/srv/www by entering the following:
cd /srv/www
2. Create a full backup by entering the following command:
tar czv -g /tmp/snapshot_file -f /tmp/htdocs_full.tar.gz htdocs
3. Create a new file in the directory htdocs by entering the following:
touch htdocs/incremental.html
4. Perform an incremental backup by entering the following command:
(End of Exercise)
Magnetic tape drives used under Linux are normally SCSI devices (or appear as such
through the kernel's SCSI emulation) and can be accessed with the following device
names:
n /dev/st0. Refers to the first tape drive.
n /dev/nst0. Addresses the same tape drive in the no rewind mode. This means that
after writing or reading, the tape remains at that position and is not rewound
back to the beginning.
For reasons of compatibility with other UNIX versions, 2 symbolic links exist:
/dev/rmt0 and /dev/nrmt0.
You can query the status of the tape by entering the following command:
mt -f /dev/st0 status
In this example, the -f option is used to indicate the device name of the tape drive.
The command status displays the status of the tape drive.
The most important information in this output is the file number and the block
number (both counted from 0).
These two values give the position of the tape. In this example, the tape is
positioned at the beginning of the first file.
To position the tape at the beginning of the next file, use the following command:
mt -f /dev/nst0 fsf 1
In this example, the command fsf forwards the tape by the given number of file marks,
so the tape is positioned before the first block of the second file.
mt -f /dev/nst0 status
drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 1
block number = 0
Tape block size 0 bytes.
Density code 0x25 (unknown).
Soft error count since last status=0
General status bits on (81010000):
EOF ONLINE IM_REP_EN
Now the file number is set to 1, and the final line of the output contains EOF (end of
file) instead of BOT (beginning of tape).
With the option bsf, the tape can be repositioned back by a corresponding number of
files.
In general, when positioning the tape, use a non-rewinding device file like
/dev/nst0; with /dev/st0 the drive rewinds after every command, which undoes the
positioning.
If you want the tape to be spooled back to the beginning after the reading or writing
process, enter the following command:
mt -f /dev/nst0 rewind
If you want to eject the tape from the drive, then enter the following command:
mt -f /dev/nst0 offline
The command datcompression queries the hardware compression setting of a DAT
drive:
mt -f /dev/st0 datcompression
If the parameter on or off is specified at the end of the command, data compression
is switched on or off. By default, compression is switched on.
In the simplest case, a file can be copied with the following command:
dd if=/etc/protocols of=protocols.org
12+1 records in
12+1 records out
Use the option if= (input file) to specify the file to be copied, and the option of=
(output file) to specify the name of the copy.
Copying files in this way is done in records (blocks). The default record size is 512
bytes. The output shown above indicates that 12 complete records of the default
size and one incomplete record (that is, fewer than 512 bytes) were copied.
If the record size is changed with the option bs=blocksize, the record counts in the
output change accordingly, while the copy has exactly the same size as the original,
as ls shows:
ls -l protocols*
-rw-r--r-- 1 root root 6561 Apr 30 11:28 protocols
-rw-r--r-- 1 root root 6561 Apr 30 11:30 protocols.old
If you want to copy a complete partition, then the corresponding device file of the
partition should be given as the input, as in the following:
dd if=/dev/sda1 of=boot.partition
In this example, the whole partition /dev/sda1 is written to the file boot.partition.
You can also use dd to create a backup copy of the MBR (master boot record), as in
the following:
In this example, a copy of the MBR is created from the hard disk
/dev/sda and is written to the file /tmp/mbr_copy.
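An added example, not the course's own code, that exercises the three uses of dd above on a constructed 1 MiB image file instead of a real disk: the record arithmetic behind the 12+1 records output, a 512-byte MBR copy whose boot signature is then checked, and a whole-image copy verified byte for byte with cmp. The image layout, the file names and the FAKEBOOT marker are made up for the demonstration; only dd, od, cmp and wc are required.

```shell
#!/bin/bash
# Added example, not from the course: dd record arithmetic, an MBR-sized
# copy and a whole-image copy, all on a constructed image file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMG="$WORK/disk.img"      # stands in for /dev/sda

make_fake_disk() {
    # 1 MiB of zeros, then the two things a real MBR carries that we can
    # check for: 'boot code' at offset 0 and the 0x55AA signature at bytes
    # 510-511. conv=notrunc patches in place instead of truncating the file.
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf 'FAKEBOOT' | dd of="$IMG" bs=1 seek=0   conv=notrunc 2>/dev/null
    printf '\125\252'  | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
}

backup_mbr() {
    # One 512-byte record from the start of the disk: the MBR, which also
    # holds the partition table at bytes 446-509.
    dd if="$IMG" of="$WORK/mbr_copy" bs=512 count=1 2>/dev/null
}

mbr_copy_size() { wc -c < "$WORK/mbr_copy" | tr -d ' '; }

mbr_copy_signature() {
    # Bytes 510-511 of the copy as lowercase hex; a valid MBR gives 55aa.
    dd if="$WORK/mbr_copy" bs=1 skip=510 count=2 2>/dev/null \
        | od -An -tx1 | tr -d ' \n'
}

records_for() {
    # dd's "N+M records" figure for $1 bytes at block size $2: N complete
    # records, and M=1 if a short final record remains (6561 bytes at 512
    # gives 12+1, as in the /etc/protocols copy above).
    full=$(( $1 / $2 ))
    partial=$(( $1 % $2 != 0 ))
    echo "${full}+${partial}"
}

image_whole_disk() {
    # Partition/disk-style copy with a larger block size for speed, then a
    # byte-for-byte comparison before the copy is trusted as a backup.
    dd if="$IMG" of="$WORK/disk.copy" bs=65536 2>/dev/null
    cmp -s "$IMG" "$WORK/disk.copy"
}

make_fake_disk
backup_mbr
image_whole_disk
```

Restoring the 512-byte copy with dd if=/tmp/mbr_copy of=/dev/sda bs=512 count=1 also writes back the partition table at bytes 446-509; if the partition layout has changed since the copy was taken, restore only the boot code with bs=446 count=1. Verify every image (cmp or a checksum) before relying on it, and keep raw device images as tightly restricted as the disks they came from: they contain everything, including the remains of deleted files.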
In this exercise, you use dd to create a drive image by doing the following:
1. From a root terminal window, display the content of the file
/etc/fstab by entering the following:
cat /etc/fstab
2. Find an entry such as /media/dvd, /media/cdrom, or /media/cdrecorder and note
the corresponding device name (listed in the first column of the output).
3. Insert the 3038 Course CD in the CD or DVD drive.
4. Copy an image of the CD to the hard disk by entering the following command:
dd if=/dev/device_name of=/tmp/course_cd.iso
5. When the copy process is complete, mount the image file by entering the following
command:
mount -o loop /tmp/course_cd.iso /mnt/
6. Change to the directory /mnt/ by entering cd /mnt.
7. Display the content of the image file by entering ls.
8. Change to the directory /media/device_name and enter ls.
Note that the content of the image file is identical to the original media.
9. Change to your home directory and unmount the image file by entering the
following commands:
cd
umount /mnt
10. Delete the image file by entering the following:
rm /tmp/course_cd.iso
(End of Exercise)
When copying data, rsync compares the source and the target directory and transfers
only data that has changed or been created.
rsync is the ideal tool to mirror the content of directories or to back up data across a
network.
With a command such as rsync -a /home /shadow (shown in the summary at the end of
this section), the directory /home is first created in the directory /shadow, and then the
actual home directories of the users are created under /shadow/home.
If you want to mirror the content of a directory and not the directory itself, add /. to
the end of the source directory (a trailing / has the same effect): then only the data
under /home is copied, directly into /shadow.
If you run the same command again, only files that have changed or that are new will
be transferred.
The option -a used in the examples puts rsync into archive mode. Archive mode is a
combination of various other options (namely rlptgoD) and ensures that the
characteristics of the copied files (permissions, owners, timestamps, symbolic links
and device files) are identical to the originals. Note that rsync does not remove files
from the target that have been deleted from the source unless you add the --delete
option, so a plain mirror also retains files that no longer exist in the original.
In this example, all files matching the patterns listed in the file /home/exclude (passed
with the --exclude-from option) are not backed up. Empty lines or lines beginning with
; or # are ignored.
With rsync and SSH, you can log in to other systems and perform data
synchronization remotely over the network.
The following command copies the home directory of the user tux to a backup server:
In this example, the option -e specifies the remote shell (ssh) to be used for the
transfer. The source directory is specified by the expression
root@DA1:/home/tux. This means that rsync should log in to DA1 as root and
transfer the directory /home/tux.
Of course, this also works in the other direction. In the following example, the
backup of the home directory is copied back to the DA1 system:
Note: rsync must be installed on both the source and the target computer.
Because the login is as root, the backup server holds a credential (a password or an
SSH key) that gives root access to DA1; protect it accordingly, and prefer an SSH key
restricted to the rsync command over a password.
There is also another way to perform remote synchronization with rsync: running an
rsync server. This way you can enable remote synchronization without allowing an
SSH login. Keep in mind that the rsync daemon protocol itself is not encrypted, so it is
only suitable on a trusted network or when tunnelled through SSH.
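An added example, not the course's own code, that runs the rsync forms discussed above on a constructed pair of home directories in a temporary directory: the source given as a directory versus with /., the second run moving only the new file, an exclude file passed with --exclude-from, and a lock so that a scheduled run never overlaps one that is still transferring. The remote forms over SSH are shown in a comment only, with /backup as an assumed target. It requires rsync and exits with a message if it is not installed.

```shell
#!/bin/bash
# Added example, not from the course: rsync mirroring on constructed data.
set -eu
command -v rsync >/dev/null || { echo 'rsync is not installed' >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOME_DIR="$WORK/home"      # stands in for /home
SHADOW="$WORK/shadow"      # stands in for /shadow

make_sample_homes() {
    # Constructed home directories, including a private key that must keep
    # its mode and must not end up on a less protected mirror.
    mkdir -p "$HOME_DIR/tux/.ssh" "$HOME_DIR/geeko" "$SHADOW"
    echo 'alias ll="ls -l"' > "$HOME_DIR/tux/.bashrc"
    echo 'secret'           > "$HOME_DIR/tux/.ssh/id_rsa"
    echo 'report'           > "$HOME_DIR/geeko/Text-report"
    echo 'notes'            > "$HOME_DIR/geeko/notes.txt"
    chmod 600 "$HOME_DIR/tux/.ssh/id_rsa"
}

mirror_directory() {
    # rsync -a /home /shadow : the directory itself is created under the
    # target, giving /shadow/home/tux. -a (= -rlptgoD) keeps permissions,
    # owners, times, links and device files as they are.
    rsync -a "$HOME_DIR" "$SHADOW/by_dir"
}

mirror_contents() {
    # rsync -a /home/. /shadow : with /. (or a trailing slash) only the
    # contents are copied, giving /shadow/tux directly.
    rsync -a "$HOME_DIR/." "$SHADOW/by_contents"
}

transferred_count() {
    # Number of regular files a run actually transfers. -i prints one
    # itemized line per change; '>f' marks a file that was copied.
    rsync -a -i "$HOME_DIR/." "$SHADOW/by_contents" | grep -c '^>f' || true
}

mirror_with_exclude() {
    # Exclude file, one pattern per line; blank lines and lines starting
    # with ; or # are ignored. Keys and scratch files stay off the mirror.
    printf '%s\n' '# not wanted on the mirror' '.ssh/' 'Text*' > "$WORK/exclude"
    rsync -a --exclude-from="$WORK/exclude" "$HOME_DIR/." "$SHADOW/filtered"
}

locked_mirror() {
    # For a cron job: refuse to start while the previous run still holds
    # the lock, so a slow transfer is never overlapped by the next one.
    # mkdir is atomic, which makes it a usable lock without flock(1).
    if ! mkdir "$WORK/mirror.lock" 2>/dev/null; then
        echo 'previous mirror run still active' >&2
        return 1
    fi
    if rsync -a "$HOME_DIR/." "$SHADOW/by_contents"; then status=0; else status=$?; fi
    rmdir "$WORK/mirror.lock"
    return "$status"
}

# Remote forms (not run here; /backup is an assumed target directory):
#   pull tux's home from DA1:   rsync -ave ssh root@DA1:/home/tux /backup
#   push it back to DA1:        rsync -ave ssh /backup/tux root@DA1:/home

make_sample_homes
mirror_directory
mirror_contents
mirror_with_exclude
locked_mirror
```

The first transferred_count after the mirrors is 0; creating one file in geeko's home and running it again gives 1, which is the "only the new file" behaviour the exercise asks you to notice.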
Do the following:
1. Open a terminal window and su to root.
2. Create a test backup directory by entering the following:
mkdir /tmp/rsync_test
3. Copy geeko's home directory to the backup directory by entering the following:
rsync -av /home/geeko /tmp/rsync_test
4. Open another terminal window as user geeko.
5. Create a new file by entering the following:
touch new_file
6. Switch to the root terminal window and enter the same rsync command again:
rsync -av /home/geeko /tmp/rsync_test
Notice that rsync transfers only the new file and the corresponding directory.
Wait until a partner has completed the previous steps in the exercise, and then do the
following:
1. From the root terminal window, perform a remote backup of your partner's geeko
home directory by entering the following command:
rsync -ave ssh root@partner_ip_address:/home/geeko
/tmp/rsync_test
2. When a connection message appears, continue by entering yes; then enter a
password of novell.
3. Ask your partner to create a new file in the geeko home directory by entering the
following:
touch new_file2
(End of Exercise)
System jobs are controlled with the file /etc/crontab and the files in the directory
/etc/cron.d. Recurring system jobs are defined by the scripts in the directories
/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly, which
/etc/crontab runs at the corresponding intervals.
Which users can create cron jobs is controlled through the files
/var/spool/cron/allow and /var/spool/cron/deny, which are evaluated in this order. If
neither file exists, only root can define jobs.
In this example, the script /root/bin/backup is started every Friday at 10 P.M. A
crontab line consists of five time fields (minute, hour, day of month, month, day of
week), in /etc/crontab and /etc/cron.d additionally the user the job runs as, and then
the command. The format is described in man 5 crontab.
In this exercise, you use cron for data backup by doing the following:
1. Open a terminal window and su to root.
2. Change to the directory /usr/local/bin/ by entering the following:
cd /usr/local/bin
3. Create the file home_backup.sh in the directory and enter the following
commands in the file:
#!/bin/bash
rsync -av /home/geeko /tmp/rsync_test
4. Save the file and close the editor.
5. Make the file executable by entering the following:
chmod 744 home_backup.sh
6. Open the file /etc/crontab in an editor, for example by entering vi /etc/crontab.
   (crontab -e would open root's personal crontab instead, whose lines have no user
   field, so the entry below would not work there.)
7. Add the following at the end of the file:
30 15 * * * root /usr/local/bin/home_backup.sh
8. Check after 3:30 pm (or tomorrow) to see if the backup has been completed by
entering the following:
ls /tmp/rsync_test
9. (Optional) Try changing the time of the backup job.
(End of Exercise)
To perform basic troubleshooting of the boot process, you need to know the
following:
n System Boot Process Issues
n How to Boot a Corrupted System Directly into a Shell
n How to Boot a Corrupted System With the Installation Media
n How to Start and Use the SLES 9 Rescue System
The boot process of a modern Linux system can be very complex, and it is possible to
encounter problems during it.
In all of these cases you must access the file system of the corrupted system to detect
and fix the problem.
In this objective, you learn how to access a system that no longer boots.
The boot screen of the GRUB boot loader lets you pass parameters that modify the
Linux kernel before the kernel is actually loaded.
At the bottom of the GRUB boot screen is a Boot Options field. When you select an
operating system in the boot screen, the boot options for that operating system are
displayed in the field.
To add a boot option, select an operating system and type the additional boot option
in the Boot Options field.
One way to access a system that is not booting anymore is to set a different program
for the init process. Normally, the Linux kernel tries to find a program with the name
init and starts this program as the first process. All other processes are then started by
init.
With the boot parameter init=new_init_program, you can change the first program
started by the kernel. For example, by entering the boot parameter
init=/bin/bash, the system starts directly into a bash shell running as root, without
any login.
You can use this shell to access the file system and to fix a misconfiguration.
Note: The root file system is mounted read-only after booting into a shell. To change
configuration files, you need to remount it read-write with mount's remount option, as
in the following command:
Note also that anyone with access to the console and the GRUB boot screen can use this
parameter to obtain a root shell. Restrict physical access, set a BIOS password and boot
order, and protect the boot menu with a GRUB password (the password directive in
menu.lst) so that boot options cannot be edited without it.
You can use the SUSE LINUX installation media to boot a system with a
misconfigured boot loader. To boot the system, you need to do the following:
1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the system.
Make sure that the system boots from the drive.
2. Select Installation; then press Enter.
Wait until the installation program starts.
3. When YaST displays the language selection dialog, select Accept.
4. In the next dialog, select Boot installed system; then select OK.
YaST analyzes the hard disk and displays all Linux root partitions.
5. Select the root partition of the system you would like to boot; then select Boot.
The selected system is now booted.
After the system has started, you can log in as root user and fix the boot loader
problem.
Another way to access a corrupted system is to use the SLES 9 Rescue System. The
Rescue System is a Linux system that can be booted directly from the installation
media.
When this system is running, you can mount partitions from the corrupted system
and fix problems.
To access the file system of the corrupted system, you need to mount the
corresponding partition, as in the following:
In this example, the partition /dev/hda6 is mounted into the directory /mnt.
Now you can access the file system, fix any errors, or copy data to another media.
Loading the kernel when the system starts is the task of the boot loader. In SLES 9 this
is handled by default by the boot manager GRUB (GRand Unified Boot Loader).
To configure the GRUB boot loader, you need to know the following:
n The Basic Functionality of a Boot Loader
n The Basics of GRUB
n How to Configure the GRUB Boot Loader
GRUB is the standard boot loader of SLES 9 and includes the following features:
n Stage 2 File System Drivers. Stage 2 of GRUB includes file system drivers for
ReiserFS, ext2, ext3, Minix, JFS, XFS, FAT, and FFS (BSD).
This means that GRUB can be used to access files by means of filenames even
before the operating system is loaded. This feature is used to search for kernel
and initrd images.
n GRUB Shell. GRUB has its own shell that enables interactive control of the boot
manager.
You configure GRUB by editing the file /boot/grub/menu.lst. The following is the
general structure of the file:
n First, the general options such as the entry to boot by default, the timeout and
  the background color of the boot manager menu are listed:
default 0
timeout 8
n This is followed by options for the various operating systems that can be booted
  with the boot manager. Each entry for an operating system begins with a
  command title, as in the following:
title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
initrd (hd0,0)/boot/initrd
n root=/dev/hda1
The root= option specifies the root partition of the system. This can be followed
by other kernel parameters.
n initrd (hd0,0)/boot/initrd
This entry sets the location of the initial ramdisk (initrd). The initrd contains
hardware drivers that are needed before the kernel can access the hard disk (such
as a driver for the IDE or SCSI controller).
GRUB reads menu.lst from the file system at every boot, so changes to it take effect
at the next boot without reinstalling the boot loader (Exercise 5-5 relies on this).
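The menu.lst edit of Exercise 5-5 (duplicate the first entry, rename it and append a 3 to its kernel line) done with awk on a constructed copy of the file, as an added example that is not part of the course: nothing under /boot is touched, and the file contents, paths and titles are made up following the structure described above. A second function parses the result so the new entry can be checked before such a file is copied into place.

```shell
#!/bin/bash
# Added example, not from the course: clone the first GRUB stanza as a
# runlevel-3 entry and verify the result on a constructed menu.lst.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MENU="$WORK/menu.lst"     # stands in for /boot/grub/menu.lst

write_sample_menu() {
    # Constructed file with the structure shown above: general options,
    # then one stanza per bootable system, each starting with 'title'.
    cat > "$MENU" <<'EOF'
default 0
timeout 8

title linux
    kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
    initrd (hd0,0)/boot/initrd

title failsafe
    kernel (hd0,0)/boot/vmlinuz root=/dev/hda1 noapic
    initrd (hd0,0)/boot/initrd
EOF
}

add_runlevel3_entry() {
    # $1 = title of the new entry. Copies the first stanza (its 'title' line
    # up to the line before the next 'title', or end of file), then appends
    # the copy with the kernel line extended by ' 3'; nothing else changes.
    awk -v newtitle="$1" '
        { lines[NR] = $0 }
        /^title[ \t]/ { if (first == 0) first = NR; else if (end == 0) end = NR - 1 }
        END {
            if (end == 0) end = NR
            for (i = 1; i <= NR; i++) print lines[i]
            print ""
            for (i = first; i <= end; i++) {
                line = lines[i]
                if (line ~ /^title[ \t]/)             line = "title " newtitle
                else if (line ~ /^[ \t]*kernel[ \t]/) line = line " 3"
                if (line != "") print line
            }
        }' "$MENU" > "$MENU.new" && mv "$MENU.new" "$MENU"
}

entry_count() { grep -c '^title ' "$MENU"; }

kernel_line_of() {
    # $1 = title. Prints that stanza's kernel line without leading blanks,
    # which is what you want to eyeball before rebooting into the entry.
    awk -v want="$1" '
        /^title[ \t]/ { intitle = (substr($0, 7) == want) }
        intitle && /^[ \t]*kernel[ \t]/ { sub(/^[ \t]+/, ""); print; exit }
    ' "$MENU"
}

write_sample_menu
add_runlevel3_entry 'Linux-Runlevel 3'
```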
Exercise 5-5 Boot to a Shell and Configure the GRUB Boot Loader
Your SLES 9 system is corrupted and no longer booting. To access the file system
and configure the GRUB boot loader with an option to boot to runlevel 3, you do the
following:
n Part I: Boot the Rescue System
n Part II: Edit and Test the GRUB Configuration File
Note: This exercise demonstrates booting from the Rescue System and editing the GRUB
configuration file for learning purposes, and does not necessarily reflect what you would
do in an emergency.
For example, to boot into runlevel 3 once, you do not need to edit the GRUB configuration
file at all: select the entry in the installed system's GRUB boot screen and enter 3 in the
Boot Options field.
Do the following:
1. Open a terminal window and su to root.
2. Enter mount; then look for a file system which is mounted on root (/) and note the
corresponding device name.
3. Insert SLES 9 CD 1 in the CD-ROM drive; then reboot the system.
Note: Make sure that your system boots from the CD-ROM drive. If not, you might need to
adjust the BIOS settings.
Do the following:
1. After logging in to the rescue system, mount the root partition of the system by
entering the following:
mount root_device_name /mnt
2. Open the GRUB configuration file of the installed system with vi by entering the
following:
vi /mnt/boot/grub/menu.lst
3. Duplicate all 3 lines which belong to the first entry (title Linux) in the
configuration file.
4. When you have duplicated the entry, change the title of the copy to the following:
title Linux-Runlevel 3
5. Add a 3 (preceded by a space) at the end of the line with the kernel parameters.
6. Save and close the GRUB configuration file.
7. Unmount the root partition by entering umount /mnt.
8. Remove SLES 9 CD 1 from the drive.
9. Restart the computer by entering reboot.
10. At the boot prompt, highlight the entry Linux-Runlevel 3 and press Enter.
Note: You can also boot to runlevel 3 by entering 3 in the Boot Options field.
11. When the system boots to runlevel 3, log in as root; then access the graphical login
by entering init 5 and log in as geeko.
(End of Exercise)
Summary
Objective Summary
2. Create Backup Files With tar
   tar is a commonly used tool for performing data backups under Linux.
   tar can write data directly to a backup medium or to an archive file.
   Archive files normally end in .tar; if they are compressed, in .tar.gz or .tgz.
   The following is the basic syntax to create a tar archive:
   tar -cvf home.tar /home
   To unpack a tar archive, use the following command:
   tar -xvf home.tar
   If you want to use tar with gzip for compression, you need to add the option z to
   the tar command.
   Archives can also be written directly to tape drives. In this case, the device name
   of the tape drive must be used instead of a filename.
   tar can also be used for incremental or differential backups.
3. Work With Magnetic Tapes mt is the Linux standard tool to work with magnetic
tapes.
Use the following command to query the status of
the drive:
mt -f /dev/st0 status
The following command moves the tape to the
beginning of the next file:
mt -f /dev/nst0 fsf 1
To rewind the tape by a certain amount of files, use
the bsf command.
3. Work With Magnetic Tapes To rewind the tape to the beginning, use the
(continued) following:
mt -f /dev/nst0 rewind
The following command ejects the tape from the
drive:
mt -f /dev/nst0 offline
4. Copy Data With the dd Command With the command dd files can be converted and
copied byte-wise.
To copy a file, use the following command:
dd if=/etc/protocols of=protocols.org
To copy an entire partition into a file, use the
following command:
dd if=/dev/sda1 of=boot.partition
5. Mirror Directories With the rsync The command rsync is used to synchronize the
Command content of directories, locally or remotely, over the
network.
rsync uses special algorithms to ensure that only
those files are transferred that are new or have been
changed since the last synchronization.
The basic command to synchronize the content of
two local directories is the following:
rsync -a /home /shadow
Version 2 Copyright © 2010 Novell, Inc. Copying or distributing all or part of this manual is protected by 5-31
a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.
SUSE LINUX Advanced Administration
Objective Summary
6. Automate Data Backups With the Because backups are recurring tasks, they can be
cron Service automated with the cron daemon.
System jobs are controlled using the file /etc/crontab
and the files in the directory /etc/cron.d.
The jobs are defined by the scripts in the directories
/etc/cron.hourly, /etc/cron.daily,
/etc/cron.weekly and
/etc/cron.monthly.
The following is an example of a job entry:
0 22 * * 5 /bin/backup
7. Troubleshoot the Boot Process of A SLES 9 installation can be prevented from booting
a SLES 9 System normally if
n The system cannot boot due to a misconfigured
boot loader.
n The system cannot boot because of a file system
corruption.
n An init script malfunctioned and is blocking the boot
process.
n The system does not start correctly because of
hardware changes.
7. Troubleshoot the Boot Process of When a system is not booting any more, you can do
a SLES 9 System (continued) the following to access the file system of the
corrupted system:
n Boot a corrupted system directly into a shell.
n Boot a corrupted system with the installation media.
n Start and use the SLES 9 Rescue System.
8. Configure and Install the GRUB The most important configuration file for GRUB is
Boot Loader /boot/grub/menu.lst.
The file contains a general section at the beginning
and a section for every operating system.
A section for a Linux operating system contains at
least the following options:
n title
This is the title of the system that is displayed in the
boot menu.
n Kernel
This option specifies the location of the Linux
kernel.
n Root
This option sets the root partition of the system.
n Initrd
This option points to the initrd file of the system.
Create Shell Scripts
In this section, you learn about the basic scripting elements and structures of the shell programming language.
Objectives
1. Use Basic Script Elements
2. Use Variable Substitution Operators
3. Use Control Structures
4. Use Advanced Scripting Techniques
5. Use Shell Functions
6. Learn About Useful Commands in Shell Scripts
Introduction
The Linux shell can control the system with commands and perform file operations or start applications. You can also create a file that includes several shell commands and start this file like an application.
This type of file is called a shell script. The following are several reasons why you need to understand and create shell scripts:
- You can automate many daily tasks with shell scripts. In many cases this increases speed and convenience in everyday work.
- The boot procedure and many other system functions are controlled by shell scripts. To understand and manipulate the system behavior, you need a basic understanding of shell programming.
- Shell programming is relatively easy to learn compared to other programming languages.
- A shell script runs on almost every UNIX-like operating system and does not need to be adapted to other platforms.
As you might have noticed, a Linux system offers different shell types. Shell scripts
that are developed for one shell can sometimes be executed with a different shell, but
this cannot be guaranteed.
For this reason, this section focuses on the Bash shell, which is the default shell in
SLES 9.
As with all programming languages, shell scripting is learned best by actually writing code.
The exercises in this section include a description of a script that needs to be written.
At the end of the section are the solutions to the exercises. We recommend
attempting to create the script, and then comparing your script to the solution to
understand the scripting concepts covered.
You can find all these scripts on the 3038 Course CD in the directory
/exercises/section_6. By using these scripts as a template, you can customize them to
meet the needs of your production environment.
Although shell programming can be difficult at first, it becomes easier as you use the shell scripting language to automate tasks on your own system.
In this objective, you learn the following about the basics of the shell programming language and simple shell scripts:
- Flow Charts for Scripts
- The Basic Rules of Shell Scripting
- How to Develop Scripts That Read User Input
- How to Perform Basic Script Operations with Variables
- How to Use Command Substitution
- How to Use Arithmetic Operations
Programming elements of a script are often visualized by using program flow charts. Illustrating a program through a flow chart provides the following benefits:
- They force the author to lay down the steps the script should perform to achieve the desired goal, making it clearer which constructs need to be used.
- They provide a clear symbolic outline of the algorithm, which can be used as a guide during the programming process.
Figure 6-1
Before writing your first shell script, you should consider a few points about scripting in general.
A script can be started by its name only if it has the execute permission set. However, this permission is not granted by default to a newly created file. To assign this permission, you need to use a command such as the following:
chmod +x script.sh
You can also run the script from another shell with a command such as the following:
sh script.sh
In this example, it is not necessary to make the script executable. On SLES 9, /bin/sh
is a link to /bin/bash. It doesn't really matter whether you call the script with sh
script.sh or bash script.sh.
Another important point is that the directory where the script is located must actually be in the user's search path for executables.
A good way to deal with this is to create a bin directory for scripts under each user's home directory (~/bin). Then you can add this directory to the user's search path by adding a line such as the following to your ~/.bashrc:
export PATH=$PATH:~/bin
When naming script files, it is a good idea to add an .sh extension to the filename.
This ensures that the file can easily be recognized as a shell script.
If you do not add the suffix, you need to make sure the filename is not identical to
existing commands. For example, a common mistake is to name a script test.
The basic structure of a shell script can be illustrated with a simple program that does
nothing more than print the message “Hello world.”
Figure 6-2
The following illustrates the 3 elements with the corresponding script code on the
right:
Figure 6-3
Before looking closer at each of the 3 elements, you need to understand that the
general rules for creating shell scripts, as explained in this section, can be applied to
any conceivable script.
Every script that you write should use this basic structure.
Do the following:
1. Write a script that outputs “Hello world.” Use the following command in the
script:
echo -e "\aHello\nworld"
2. Find out the purpose of the \a, the \n and the -e options (try accessing the man
pages).
3. Compare your solution with the script at the end of the section.
(End of Exercise)
One way to create scripts that read user input is to use the command read. The read
command takes a variable as an argument and stores the read input in the variable.
The variable can then be used to process the user input.
The following example reads user input into the variable with the name VARIABLE:
read VARIABLE
The script pauses at this point, waiting for user input until the Enter key is pressed.
To tell the user to enter something, you need to print (echo) a line with some
information, such as the following:
The following flow chart illustrates the structure of a script that reads user input:
Figure 6-4
First, the script produces some output with echo to ask the user to enter something. Then the read command waits until the input is provided and stores it in the variable VARIABLE. At the end, the content of the variable is printed out with echo.
Do the following:
1. Create a simple shell script that prompts the user to enter her first and last name,
and then greets the user with her full name.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
In this part of the section, you learn how to use variables in shell scripts.
The following flowchart and script show how a string value can be assigned to a
variable:
Figure 6-5
You want to read the user’s first and last name and then print both names to the
screen. However, this time you create a variable called NAME, which holds both the
first and the last name.
NAME="$FIRSTNAME $LASTNAME"
This line shows how you can combine two variables, in this case, FIRSTNAME and LASTNAME, and assign the combined value to another variable, in this case, NAME. The double quotes keep the space inside the assigned value; without them, the shell would treat the word after the space as a command to run.
In this example, you can also see another rule of the variable handling in shell scripts.
If you assign a value to a variable, you use just the name of the variable, in this case,
NAME=.
If you want to use the value of a variable, put a $ before the name, in this case,
$FIRSTNAME.
It is often useful to assign a default value to a variable. This might prevent errors, if
the user has entered a value that cannot be interpreted in a meaningful way.
If the variable FIRSTNAME is empty, the default value FLORIAN is used instead, as
in the following:
NAME=${FIRSTNAME:=FLORIAN}
Do the following:
1. Modify your script from Exercise 6-2 so that it reads the user's first and last name,
combines both in one variable, and outputs the variable.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
The term command substitution basically means that the output of a command is
used in a shell command line or a shell script.
In the following example, the output of the command date is used to generate the output of the current date:
#!/bin/bash
echo "Today is `date`"
Instead of printing the output of a command to the screen with echo, it can also be assigned to a variable, as in the following:
#!/bin/bash
TODAY=`date +%m/%d/%Y`
echo "Today is $TODAY"
In this case, the output of date is assigned to the variable TODAY, and then TODAY
is printed to the screen with echo. Make sure that there are no spaces before or after
the equal sign.
Do the following:
1. Create a shell script that outputs the current login name and the current working
directory.
The output of the commands whoami and pwd should be read into variables
with the variables printed to the screen.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
Shell scripts often use values assigned to variables for calculation. There are several
ways to implement this.
The Bourne shell is limited in this regard, but it can perform such operations by
relying on external commands (such as expr).
The Bash shell comes with built-in support for arithmetic operations, but there are
some limitations to this as well. Specifically, the arithmetic capabilities of Bash are
limited in the following ways:
- Only operations with whole numbers (integers) can be performed.
- All values are signed 64-bit values. Thus, possible values range from -2^63 to +2^63 - 1.
So even when using Bash, you might need to use external commands, such as bc for
floating-point calculations.
The following paragraphs list all the possible methods and formats for arithmetic operations. All of them use this sample operation:
A=B+10
- Use the external command expr
A=`expr $B + 10`
Since an external command is used, this method also works with the Bourne shell. Scripts using external commands always perform slower than those relying on built-in commands.
- Use the Bash built-in command let
In Bash, you can use the let command to perform an arithmetic expression.
- Use arithmetic expressions inside parentheses or brackets (two different formats)
A=$((B + 10))
or
A=$[B + 10]
- Declare the variables as integers with declare -i (Bash only); a plain assignment is then evaluated as an arithmetic expression
declare -i A
declare -i B
A=B+10
With the expr command, only the following five operators are available: + , - , * , / ,
and %. Additional operators (which are identical to those of the C programming
language) can be used with all of the above Bash formats.
It makes sense to limit yourself to using one of the described possibilities. As far as
Bash is concerned, a good choice might be to only use the declare command, since it
makes the best use of the available features.
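As an added example (not from the course), the following script wraps each of the formats listed above in a small function that adds 10 to its argument, so the five forms can be compared side by side. It also shows the integer-only division the text warns about and an input check that rejects anything but a signed decimal number before it reaches an arithmetic expression, which is the check to apply when the operand comes from user input. The function names and the div_float helper (which needs bc) are this example's own:

```bash
#!/bin/bash
# Added example, not from the course: the arithmetic formats side by side.
# Every add_* function prints its argument plus 10.

# 1. External command expr: works in the Bourne shell, forks a process.
add_expr()    { expr "$1" + 10; }

# 2. Bash built-in let. Note: let returns status 1 when the result is 0,
#    which matters in scripts that run with set -e.
add_let()     { local A; let "A = $1 + 10"; echo "$A"; }

# 3. Arithmetic expansion in double parentheses (preferred modern form).
add_paren()   { echo $(( $1 + 10 )); }

# 4. The older bracket form; still accepted by Bash.
add_bracket() { echo $[ $1 + 10 ]; }

# 5. declare -i: the assignment A=B+10 itself is evaluated arithmetically.
#    Inside a function, declare makes A and B local.
add_declare() { declare -i A B; B=$1; A=B+10; echo "$A"; }

# Bash arithmetic is integer only: 7 / 2 gives 3, not 3.5.
int_div()     { echo $(( $1 / $2 )); }

# For fractions an external tool such as bc is needed (not run in the test).
div_float()   { echo "scale=2; $1 / $2" | bc; }

# Accept only an optionally negative string of digits. Anything else
# (letters, spaces, shell metacharacters) is refused before any arithmetic.
is_integer()  { [[ $1 =~ ^-?[0-9]+$ ]]; }

# Safe wrapper: validate first, then compute with the $(( )) form.
add_checked() {
    if ! is_integer "$1"; then
        echo "not an integer: $1" >&2
        return 1
    fi
    add_paren "$1"
}
```

All five add_* functions give the same result for integer input; the difference is only portability (expr) and speed (the built-ins). is_integer is the piece worth keeping: an arithmetic expansion evaluates its operand as an expression, so a value taken straight from read should be checked like this before it is used.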
Do the following:
1. Review the following flowchart:
Figure 6-6
(End of Exercise)
Variable substitution operators also allow you to set a default for a variable for situations where no value can be assigned to it.
The substitution operators returning or setting a default value (-, =, and +) can also be prefixed with a colon so that substitution happens if the variable does not exist or if it exists but has a null value (is empty).
The following are some examples of how to use the substitution operators:
tux@DA1:~> VAR=
tux@DA1:~> echo ${VAR=value}
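As an added example (not from the course), the following script puts each substitution operator into a small function that first puts VAR into one of three states (unset, empty, or set to a word) and then echoes the expansion, so the effect of the colon prefix can be read off directly. The set_state helper and the state words are this example's own; the ? operator, which aborts when a value is missing, is standard Bash and is included because it is the natural companion to := for required input:

```bash
#!/bin/bash
# Added example, not from the course: Bash substitution operators compared.

# Put VAR into the requested state: "unset", "empty", or any other word,
# which becomes VAR's value (so those two words cannot be used as values).
set_state() {
    unset VAR
    case "$1" in
        unset) ;;              # leave VAR undefined
        empty) VAR= ;;         # defined, but null
        *)     VAR=$1 ;;
    esac
}

# ${VAR-word}: word only when VAR is unset; an empty VAR stays empty.
dash_no_colon() { set_state "$1"; echo "${VAR-default}"; }

# ${VAR:-word}: word when VAR is unset OR empty.
dash_colon()    { set_state "$1"; echo "${VAR:-default}"; }

# ${VAR:=word}: like :- but also assigns word to VAR, so later code sees it.
# The ":" no-op command is the usual way to trigger the assignment alone.
assign_colon()  { set_state "$1"; : "${VAR:=default}"; echo "$VAR"; }

# ${VAR:+word}: the inverse, word only when VAR is set and non-empty.
plus_colon()    { set_state "$1"; echo "${VAR:+is set}"; }

# ${VAR:?message}: abort (in a subshell here) when VAR is unset or empty;
# the function's status is 0 only when a value is present.
require_colon() { set_state "$1"; ( : "${VAR:?must not be empty}" ) 2>/dev/null; }
```

The pair dash_no_colon and dash_colon is the one that causes surprises: a script that tests ${VAR-default} treats an empty entry as a valid value, while ${VAR:-default} falls back in that case too. For user input read with read, the colon forms are almost always the intended ones.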
Do the following:
1. Write a script that asks the user for a filename, and then performs a search for that
filename using the command find.
Use a variable substitution to assign a default value for the filename (such as
*.bak) in case the user enters nothing.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
In this objective, you learn how to use control structures to make the execution of
parts of your script dependent on certain conditions or to repeat script parts.
You can use the if command to perform certain actions in your script that depend on
a condition.
if condition
then
commands
fi
The if statement can be extended with an optional else statement, as in the following:
if condition
then
command1
else
command2
fi
In a program flow chart, a branch created with an if statement can be represented like
the following:
Figure 6-7
A branch of this type must begin with if and end with fi. Command1 is only executed
if the condition is true.
If the return code of a command is used as condition, the exit code zero (success)
represents true. If the exit status is not zero or the condition is not true, the shell goes
to the end of the branch or, if an else statement is present, to the else statement.
When you use these control structures in a shell script, individual commands (such as
if, then, and fi) must follow immediately after a command separator.
In the above case, the separator is a new line. The separator could also be a
semicolon, which would allow you to enter the same if statement as one command,
as in the following:
The following example uses a sample script to explain how an if branch works:
Figure 6-8
This script asks the user to enter his date of birth; if that happens to be today, the
script congratulates him on his birthday. It does nothing if his birthday is another day.
There are a number of items to consider when writing this script. From the flow
chart, it should be obvious that the script consists of 2 basic steps:
- Prompt the user to enter the date of birth.
- Compare the date as entered by the user with the current date. If the dates are the same, the user sees "congratulations." If they are not equal, nothing appears.
The branch is the actual mechanism that compares the current date and the date of
birth.
Before the comparison can be performed, both dates must be available in the same
format. The user should be asked to specify the date of birth in a suitable format.
You need to know the format in which the system obtains the current date. The
obvious choice to get a date string is with the command date.
The command date +%m-%d returns the current date in the form month-day, as in the following:
date +%m-%d
06-21
This format should also be used for the birth date the user is requested to enter:
The second part of the listing consists of several items. To check if the user's birthday is today, 2 dates must be compared: the birthday and the current date.
The user's birthday is stored in the variable BIRTHDAY. The current date must also be stored in a variable for the comparison. This can be done using command substitution, as in the following:
TODAY=`date +%m-%d`
A closer examination of the comparison reveals that the values in the variables
cannot be compared with each other (BIRTHDAY: 1973-12-21, TODAY: 09-24).
Therefore, the dates must be compared without the year.
To do this, the variable substitutions of the Bash shell can be used to truncate the year
from the date. The first part of the script should look like the following:
#!/bin/bash
echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
read BIRTHDAY
# remove everything up to and including the first "-" (the year), leaving MM-DD
BIRTHDAY=${BIRTHDAY#*-}
# command substitution: today's date in the same MM-DD format
TODAY=`date +%m-%d`
Now you can compare the two values with the help of an if branch. Most variables are compared using the test command. The test command is followed by a string condition such as
test "$VARIABLE1" = "$VARIABLE2"
The variables are quoted so that an empty value still counts as an operand. If the condition is met (if the value of VARIABLE1 is identical to the value of VARIABLE2), test returns a zero to indicate success.
So the second part of the shell script could look like the following:
Finally, you want the script to use the exit command to finish with a certain exit status, which depends on whether today is the user's birthday. This is implemented by defining yet another variable, as in the following:
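As an added example (not the course's own solution script), here is the complete birthday check that the text builds up above, with the year-stripping and the comparison placed in functions so they can be exercised without typing input. The function names are this example's own; the interactive part runs only when a terminal is attached:

```bash
#!/bin/bash
# Added example, not the course's solution: the birthday script in full.

# Turn YYYY-MM-DD into MM-DD. ${VAR#pattern} removes the shortest prefix
# matching "*-", that is the year and its dash. Apply it only to YYYY-MM-DD
# input: on "09-24" it would strip the month instead.
strip_year() {
    echo "${1#*-}"
}

# Compare two MM-DD strings with test; status 0 means "same day".
# Both operands are quoted so an empty entry still gives test two operands.
is_birthday() {
    test "$1" = "$2"
}

main() {
    echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
    read -r BIRTHDAY
    BIRTHDAY=$(strip_year "$BIRTHDAY")
    TODAY=$(date +%m-%d)              # command substitution, same format
    if is_birthday "$BIRTHDAY" "$TODAY"; then
        echo "Congratulations, happy birthday!"
        STATUS=0
    else
        STATUS=1
    fi
    exit "$STATUS"                    # the caller can test $? afterwards
}

# Prompt only when stdin is a terminal, so the functions above can also be
# sourced and called from another script without blocking on read.
if [ -t 0 ]; then
    main
fi
```

Run it as ./birthday.sh and check $? afterwards: 0 on a birthday, 1 otherwise. Because the input is used only as a string in test and in a parameter expansion, a malformed entry simply fails the comparison rather than being interpreted by the shell.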
Several if branches are often nested in each other. The command elif, which represents a more compact way of writing the command sequence else if, is useful for the following kind of structures (each elif needs its own then, just like if):
if condition1
then
command1
elif condition2
then
command2
else
command3
fi
Figure 6-9
There are several ways to use the Bash shell to successively execute several
commands. This includes using the separators && and ||, which make it possible to
execute a second command depending on the success or failure of the first, as in the
following:
- The && separator executes command2 if command1 exits with success.
- The || separator executes command2 if command1 exits with a failure.
if test -e file
then
. file
fi
Whenever the comparison is a simple one as in the example above, you can replace the relatively complex if...then...fi structure with a command line that uses && or || to chain the commands.
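As an added example (not from the course), the following script shows an if/elif/else branch driven by test, the same statement entered on one line with semicolons as separators, and the && short form of the if test -e ... fi block above. The file check is the one the next exercise asks for; the function names are this example's own:

```bash
#!/bin/bash
# Added example, not from the course: if/elif/else, one-line if, and &&.

# Report what a path is. The exit status mirrors the branch taken:
# 0 executable, 1 exists but not executable, 2 does not exist.
file_state() {
    if [ ! -e "$1" ]; then
        echo "$1 does not exist"
        return 2
    elif [ -x "$1" ]; then
        echo "$1 exists and is executable"
        return 0
    else
        echo "$1 exists"
        return 1
    fi
}

# The same if statement entered as one command, with semicolons where the
# multi-line form has line breaks.
file_exists() { if test -e "$1"; then return 0; else return 1; fi; }

# if test -e file; then . file; fi collapsed onto one line with &&.
# Sourcing executes the file's contents in the current shell, so apply this
# only to files whose content and permissions you control.
source_if_present() {
    test -e "$1" && . "$1"
    return 0
}
```

file_state returns a different status per branch so that a caller can chain on it with && and || in the same way the text describes for commands.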
Do the following:
1. Write a shell script that checks for the existence of a given file, and if the file is executable.
A message should be displayed for each of the following scenarios:
- The file does not exist.
- The file exists.
- The file exists and is executable.
You can use the command test -x to check whether a file is executable.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
You can create multiple branches with case. In a case statement, the expression
contained in a variable is compared with a number of expressions, and a command is
executed for each expression matched.
case $variable in
expression1) command1;;
expression2) command2;;
esac
In a flow chart, multiple branching with case looks similar to a simple branch created
with if:
Figure 6-10
#!/bin/bash
cat << EOF
Name me an animal and I will tell you how many legs it has!
EOF
read CREATURE
# the variable is quoted so an empty or multi-word entry is still one pattern match
case "$CREATURE" in
dog | cat | mouse ) echo "A $CREATURE has 4 legs."
;;
bird | human | monkey ) echo "A $CREATURE has 2 legs."
;;
spider ) echo "A $CREATURE has 8 legs."
;;
fly ) echo "A $CREATURE has 6 legs."
;;
* ) echo "I haven't the faintest idea how many legs a(n) $CREATURE has."
;;
esac
exit 0
This script prompts the user to enter the name of an animal. The name is then stored
in a variable and compared with a number of possible matches. For the matches
found, the script tells the user how many legs the animal has.
To allow for several expressions to be matched within one and the same branch,
several expressions can be listed on one line with a | symbol as a separator.
The case statement then compares this value against each of the expressions provided
as alternatives. For instance, if the user enters cat, the script prints the matching
sentence that says that this animal has four legs.
The asterisk (*) is often used as the last expression to be evaluated to cover all cases
not matched by the other alternatives. The corresponding message states that the
number of legs is not known.
It is important that the expressions provide for an exact match of any allowable
expression. For instance, if someone entered Dog instead of dog, the script will not
know the number of legs for this strange kind of animal.
For this reason, it is useful to supply the possible alternatives beforehand, as in the
following:
...
case "$CREATURE" in
[dD]og | [cC]at | [mM]ouse )
...
You can provide such alternatives in brackets, in the same way as the shell's filename expansion mechanism.
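As an added example (not the course's solution to the exercise below), the following script uses a case statement with bracket patterns to map a user's answer to a Yes/No question onto an exit status, so that Yes, yes, Y and y all match without a separate tr step. The function names are this example's own:

```bash
#!/bin/bash
# Added example, not from the course: case with bracket patterns for a
# Yes/No answer. Status 0 = yes, 1 = no, 2 = not understood.
yes_no() {
    case "$1" in
        [yY] | [yY][eE][sS] | yeah ) return 0 ;;   # affirmative
        [nN] | [nN][oO] | nope )     return 1 ;;   # negative
        * )                          return 2 ;;   # catch-all, like the animal script
    esac
}

# Prompt, read one line, and hand it to yes_no. The answer is quoted inside
# yes_no, so an empty or multi-word entry falls through to the * branch
# instead of being split into several words.
ask() {
    local answer
    printf '%s [y/n] ' "$1"
    read -r answer
    yes_no "$answer"
}
```

case matches shell patterns, not regular expressions: [yY][eE][sS] is three single-character classes, and an unquoted * is the usual "anything else" branch. Returning a distinct status for unrecognised input lets the caller re-prompt instead of silently treating a typo as "no".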
Do the following:
1. Create an example (not a complete script) to show how a script can use a case
statement to process a user's answer to a Yes/No question. Include the responses
as “yeah” and “nope.”
2. Compare your solution with the example at the end of the section.
(End of Exercise)
The purpose of a loop is to test a certain condition and to execute a given command
while the condition is true (while loop) or until the condition becomes true (until
loop).
while condition
do
commands
done
until condition
do
commands
done
Figure 6-11
These loops actually rely on the exit status of a terminating condition: a while loop
remains operative as long as the condition's exit status is zero (path B in the flow
chart), but an until loop is terminated if the status is zero (path A in the flow chart).
A while loop is terminated when the exit status becomes nonzero (when the condition
is not true), but an until loop is operative as long as the status is nonzero.
Do the following:
1. Create a script that performs a simple while loop 100 times. In every iteration, the
number of the current iteration should be printed to screen.
2. Write a second script which uses until instead of while.
3. Compare your solution with the scripts at the end of the section.
Note: These scripts are also available as counter1.sh and counter2.sh in the directory /exercises/section_6 on your 3038 Course CD.
(End of Exercise)
The purpose of a for loop is to process a list of elements. It has the following syntax:
A for loop executes the given commands once for every element on the list, and the
value of the variable matches one list element with each loop iteration. The list itself
is often created through command substitution.
If the for command is not accompanied by a list of elements, the loop will be
executed with the contents of the variables $1, $2, $3, and so on. These elements
represent the command line parameters that are passed to the script.
for i in 1 2 3 4 5 6 7 8
do
ping -c1 DA$i
done
In the example above, the command separator is a line break and the loop is started only after entering the final done.
You could use a semicolon as a separator instead. In this case, the same loop looks like the following:
If you want to use a range of numbers in your for loop, you can use the following C-style syntax:
LIMIT=10
In this example, the variable a counts from 1 to 10. The for expression contains the following 3 elements:
- a=1. This determines the start value for a.
- a <= LIMIT. This is the condition under which the loop keeps running; the loop is terminated once the a variable exceeds the value determined by the LIMIT variable (in this example, the value 10).
- a++. This command adds 1 to the a variable for every pass of the for loop.
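As an added example (not from the course), the following script puts the for loop forms described above into functions so their results can be checked: a fixed list written on one line with semicolons, the form without a list that walks the positional parameters, a list built by command substitution, and the C-style loop with a LIMIT variable. The host names DA1 to DA8 come from the text; ping is replaced by echo so the loop runs offline, and the function names are this example's own:

```bash
#!/bin/bash
# Added example, not from the course: the for loop forms side by side.

# Fixed word list, the ping loop from the text on one line with semicolons
# as separators (echo stands in for ping -c1 here).
hosts_from_list() {
    for i in 1 2 3 4 5 6 7 8; do echo "DA$i"; done
}

# No "in list": the loop walks the positional parameters $1, $2, $3, ...
count_args() {
    local n=0 arg
    for arg; do n=$((n + 1)); done
    echo "$n"
}

# List produced by command substitution (here: seq). The unquoted $(...)
# is split on whitespace, which is what builds the list, and also why
# file names containing spaces cannot be processed this way.
sum_to_n() {
    local total=0 v
    for v in $(seq 1 "$1"); do total=$((total + v)); done
    echo "$total"
}

# C-style loop with a LIMIT variable: start value, end condition, increment.
count_to() {
    local LIMIT=$1 out="" a
    for ((a = 1; a <= LIMIT; a++)); do out="$out $a"; done
    echo "${out# }"
}
```

The word-splitting note on sum_to_n is the practical caveat for the rename exercise below: a loop over $(find ...) sees a file name with a space as two list elements. For such input, read the names one per line with a while read loop, or use the bracket-quoted pattern form shown for case.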
Do the following:
1. Create a shell script that renames all files in the current directory with uppercase letters transformed to lowercase.
Hints:
- Use the command find . -maxdepth 1 -type f to find all files in the current directory.
- You can use the command tr '[A-Z]' '[a-z]' to convert uppercase letters to lowercase (the brackets are quoted so the shell does not expand them as a filename pattern).
- If you don't know how to start, have a brief look at the solution at the end of the section.
- Test your script in a directory that does not contain important files.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
Use the continue command to exit from the current iteration of a loop (while, until,
for, and select) and resume with the next iteration of the loop.
This allows a script to test for an additional condition with each iteration without
stopping completely (as a result of the terminating condition becoming true, for
instance).
This script writes a backup copy of all files ending with .mp3 to the directory /MP3/
unless there is already a file with the same name in that directory. If there is, the
script prints a message stating that the file already exists and exits from the current
loop iteration.
The break command is another way to introduce a new condition within a loop.
Unlike continue, it causes the loop (not the current loop iteration) to be terminated
completely if the condition is met.
Do the following:
1. Modify the script from Exercise 6-10 so that existing files in the current directory
are not overwritten.
Use continue to interrupt the iteration over the files in the directory if a file with
the target name already exists.
2. Compare your solution with the script at the end of the section.
(End of Exercise)
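An added example in the spirit of Exercises 6-10 and 6-11 and of the continue description above; it is not the manual's own answer. It renames every regular file in a directory to its all-lowercase name with find and tr, and uses continue to skip a file whose lowercase name is already taken. The directory is taken from $1 (an assumption made here; the default is the current directory).

```shell
#!/bin/bash
# Added example, not the manual's own answer to Exercises 6-10/6-11: rename
# every regular file in a directory to its all-lowercase name and use
# continue to skip a file whose lowercase name is already taken. The
# directory is taken from $1 (an assumption made here; default is .).
lowercase_names() {
    dir=${1:-.}
    # -maxdepth comes before -type, as GNU find expects; the names are read
    # one per line so a file name containing spaces stays in one piece.
    find "$dir" -maxdepth 1 -type f -print | while IFS= read -r f
    do
        base=${f##*/}
        # Quoted character classes: an unquoted [A-Z] as in the hint is a
        # glob and would be expanded by the shell if a matching file existed.
        new=$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')
        # Nothing to do when the name is already lowercase.
        [ "$new" = "$base" ] && continue
        # Exercise 6-11: never overwrite an existing file; report and move on.
        if [ -e "$dir/$new" ]
        then
            echo "$dir/$new already exists, skipping $base" >&2
            continue
        fi
        # "--" ends option parsing, so a file named "-f" cannot be read as an option.
        mv -- "$f" "$dir/$new"
    done
}
```

Run it as lowercase_names /tmp/testdir on a directory that holds nothing important, as the exercise hint says; the skip messages go to standard error so the normal output stays clean.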
Sometimes you need to perform a task multiple times in a shell script. Instead of
writing the same code again and again, you can use functions.
Shell functions act like script modules because they make an entire script section
available with a single name. Shell functions are normally defined at the beginning of
a script. You can store several functions in a file and include this file whenever the
functions are needed.
functionname () {
    commands
    commands
}

function functionname {
    commands
    commands
}
The function name can be composed of any regular character string that then can be
used to call the function.
The following is a simple function that creates a directory and then changes to that
directory:
mcd (){
    mkdir "$1"    # quoted, so a directory name containing spaces stays intact
    cd "$1"
}
After it has been created, this function can be called in a shell script, as in the
following:
...
mcd directory
...
The following function can be used to create a pause in a script. The script resumes
only after the Enter key is pressed:
pause (){
    echo "To continue, hit RETURN."
    read q
}
You can also create functions that stop their processing from within, similar to
exiting a loop (iteration) with the commands break and continue.
To exit a function, use the command return. If return is called without an argument,
the return value of the function is identical to the exit status of the last command
executed in that function.
Otherwise, the return value is identical to the one supplied as an argument to return.
Do the following:
1. Review the following shell function:
yesno (){
    while true
    do
        echo "$*"
        echo "Please answer by entering (y)es or (n)o:"
        read ANSWER
        case "$ANSWER" in
            [yY] | [yY][eE][sS] )
                return 0
                ;;
            [nN] | [nN][oO] )
                return 1
                ;;
            * )
                echo "I cannot understand you over here."
                ;;
        esac
    done
}
This function asks the user to enter y or n. Depending on the answer, the function
returns 0 or 1. If the answer is wrong, an error message is displayed.
The command echo "$*" is used to print a question, which is passed as a
parameter to the function.
2. Use the above yesno function to write a script that lets the system administrator
delete user accounts.
The script should prompt for the account to delete, and then ask whether the
user's home directory should also be deleted.
If the question is answered with no, the script should change the user and group
ownership of the corresponding home directory to root.
After doing so, the script should use the yesno function again to ask whether the
administrator really wants to delete the account.
Use the commands userdel and chown in the script to perform the necessary
tasks.
You can assume that the home directory of the user is always located in /home
and that the name of the directory is the same as the login name of the user.
3. Test your solution by adding a user account (enter useradd -m tux2) and deleting
it.
4. Compare your solution with the script at the end of the section.
(End of Exercise)
With the shell built-in command getopts, you can extract the options supplied to a
script on the command line. The shell interprets command-line arguments as
command options only if they are prefixed with a - (the default when using the shell
interactively).
This makes it possible to place options in different positions on the command line
and to supply them in an arbitrary order.
cp -R *.txt -d texts/ -p
getopts recognizes options in the same way. The following is the getopts syntax:
The optionstring describes all options to be recognized. For instance, getopts abc
declares a, b, and c as the options to be processed.
The option string is followed by the name of a variable; on each call, getopts stores
the next option found on the command line in that variable.
The getopts command is most frequently used in a while loop together with case to
define which command to execute for a given option, as in the following:
echo $option_c
If the option -a or -b is used, the script prints out a message that the corresponding
option was used. If the option -c value is used, the value is assigned to the variable
option_c, which is printed to the screen at the end of the script.
Do the following:
1. Modify the script from Exercise 6-12 so that it does not prompt the user for input.
Instead, the script should use the following options:
- -u username. This option determines the user that shall be deleted.
- -r. If this option is set, the home directory should be removed. If this option
  is not set, the owner of the home directory should be set to root.
2. Test your solution by adding a user account (enter useradd -m tux2) and deleting
it.
3. Compare your solution with the script at the end of the section.
(End of Exercise)
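An added example for the getopts description and the option interface of Exercise 6-13 (-u username, -r); it is not the manual's answer key. The account is never touched: as the manual's own answers do for testing, the commands that would run (userdel, chown) are echoed instead of executed. The functions valid_user, parse_opts and plan_delete are names chosen here, and the login-name pattern is a conservative choice for this example.

```shell
#!/bin/bash
# Added example, not the manual's answer key: getopts parsing for the
# Exercise 6-13 interface (-u username, -r). The account is never touched;
# as the manual's own answers do for testing, the commands that would run
# (userdel, chown) are echoed instead of executed.

# Accept only a conservative login name (lowercase letters, digits, _ and -,
# not starting with -) and never root. Anything else, such as "../etc" or an
# empty string, must not reach userdel or chown.
valid_user() {
    case $1 in
        root|'') return 1 ;;
        -*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Parse the options and print "username remove_flag"; exit status 1 on any
# usage error. Options may appear in any order, as the text describes.
parse_opts() {
    OPTIND=1          # reset so the function can be called more than once
    user=""
    remove=0
    while getopts "u:r" opt
    do
        case $opt in
            u) user=$OPTARG ;;
            r) remove=1 ;;
            *) return 1 ;;        # getopts already reported the bad option
        esac
    done
    shift $((OPTIND - 1))
    [ $# -eq 0 ] || return 1      # stray non-option arguments are an error
    valid_user "$user" || return 1
    echo "$user $remove"
}

# Turn the parsed options into the commands the exercise asks for.
plan_delete() {
    parsed=$(parse_opts "$@") || return 1
    user=${parsed% *}
    remove=${parsed#* }
    if [ "$remove" -eq 1 ]
    then
        echo "userdel -r $user"                 # removes the home directory too
    else
        echo "chown -R root:root /home/$user"   # home directory stays, owned by root
        echo "userdel $user"
    fi
}
```

plan_delete -u tux2 -r and plan_delete -r -u tux2 give the same result, which is the point of getopts: the caller need not remember an option order. To turn the plan into action, replace the echo lines with the commands themselves and run the script as root.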
When combined with the here operator (<<), the cat command is a good choice to
output several lines of text from a script. In interactive use, the command is mostly
run with a filename as an argument, in which case cat prints the file contents on
standard output.
You can use the cut command to cut out sections of lines from a file, so only the
specified section is printed on standard output.
The command is applied to each line of text as available in a file or on standard input.
You can use cut -f to cut out text fields. cut -c works with the specified characters.
You can specify single sections (characters or fields) or several sections. The default
delimiter to separate fields from each other is a tab, but you can specify a different
field separator with the -d option.
The above command specifies that the field separator should be a colon. In every line
of /etc/passwd, the field that comes before the first colon is taken and printed to
stdout:
The above command takes the output of the ls command and cuts out everything
from the thirty-fifth character. This is piped to sort, so the final output is sorted
according to file size.
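An added example of cut -d, -f and -c on passwd-style records; it is not from the manual. The records are a constructed sample embedded in the block rather than the real /etc/passwd, so the block runs anywhere; the same cut commands work unchanged when /etc/passwd is piped into them.

```shell
#!/bin/bash
# Added example, not from the manual: cut -d and -f applied to passwd-style
# records. The records are a constructed sample, not the real /etc/passwd;
# the same cut commands work unchanged with /etc/passwd on standard input.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
tux:x:1000:100:Tux Penguin:/home/tux:/bin/bash
svcadm:x:0:0:service account:/home/svcadm:/bin/bash
geeko:x:1001:100:Geeko:/home/geeko:/bin/zsh'

# The manual's case: -d: makes the colon the field separator, -f1 keeps the
# login name in front of the first colon.
login_names() {
    printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1
}

# Several fields at once: name and UID, read back with the same separator.
# Any UID-0 account other than root has full root privileges and is the
# first thing to look for when auditing a passwd file.
extra_uid0() {
    printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1,3 | while IFS=: read -r name uid
    do
        if [ "$uid" -eq 0 ] && [ "$name" != root ]
        then
            echo "$name"
        fi
    done
}

# -c works on character positions instead of fields: the first three
# characters of every login name.
name_prefixes() {
    login_names | cut -c1-3
}
```

On the sample, extra_uid0 reports svcadm, the constructed account that shares UID 0 with root.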
You can use the date command whenever there is a need to obtain a date or time
string for further processing by a script. Without any options specified, the
command's output looks like the following:
date
Fre Sep 03 14:18:12 CEST 2004
The date command lets you change the output format in almost every detail. With the
-I option (as in the following), date prints the date and time in ISO format (which is
the same as if the options had been +%Y-%m-%d):
date -I
2004-09-03
date "+%D, %r"
09/03/02, 02:19:58 PM
date +%d.%m.%y
03.09.02
date +%d.%m.%Y
03.09.2004
To view a list with all the possible format options for date, see man date. In any
case, you should be able to customize the output to exactly match the requirements of
your script.
The echo command, which exists both as a shell built-in command and as an external
command, prints text lines on standard output. A line break is inserted automatically
after each line. When called with the -e option, echo interprets a number of
backslash escape sequences.
The following are some of the special sequences recognized by echo when run with
the -e option:
- \a. Outputs an alert (sounding the bell). This does not work in the KDE Konsole.
- \c. Do not add a new line at the end of the output.
- \n. Add a new line (line break).
The cat command is preferred over echo to output a text file or several lines of text.
The command grep and its variant egrep are used to search files for certain patterns,
and use the following syntax:
The command prints lines that contain the given search pattern. You can specify
several files, in which case the output will print the matching line and the
corresponding filenames.
Several options are available to specify that only the line number should be printed,
for instance, or that the matching line should be printed together with leading and
trailing context lines.
Search patterns can be supplied in the form of regular expressions, although the bare
grep command is limited in this regard.
To search for more complex patterns, use the egrep command, which accepts
extended regular expressions. As a simple way to deal with the difference between
the two variants, make sure you use egrep in all of your shell scripts.
The regular expressions used with egrep need to be in accordance with the standard
regex syntax.
To avoid having special characters in search patterns interpreted by the shell, enclose
the pattern in quotation marks, as in the following:
The sed program is a stream editor, an editor used from the command line rather than
interactively. sed performs text transformations on a line-by-line basis.
You can specify sed commands either directly on the command line or in a special
command script loaded by the program on execution.
As with other commands, the output of sed normally goes to standard output, but it
can also be redirected to a file.
Each sed command must be preceded by an exact address or address range specifying
the lines to which the editing command applies.
Apart from the single-character commands for text transformations, you can also
specify options to influence the overall behavior of the sed program.
For many editing commands, it is important to specify the exact line or lines that
should be processed by the command. One of the more frequently used address labels
is $, which stands for the last line.
You can use a regular expression to define the address or address range for an editing
command. Regular expressions must be enclosed in forward slashes. If an address is
defined with such an expression, sed processes every line that includes the given
pattern.
This example prints all lines that have the pattern Murphy.* in them.
If you want sed to perform several editing commands for the same address, you need
to enclose the commands in braces, as in the following:
The following lists the most important editing commands available for sed:
You can use the following options with the s command (search and replace):
- I. Do not distinguish between uppercase and lowercase letters.
- g. Replace globally wherever the search pattern is found in the line (instead of
  replacing only the first instance).
- n. Replace only the nth match in the line.
- p. Print the line after replacing.
- w. Write the resulting text to the specified file rather than printing it on stdout.
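An added example covering both the grep/egrep description (quoted extended patterns) and the sed material (regex addresses, braces, the $ address, and the s command with the I and g options); it is not from the manual. It works on a few constructed syslog-style lines embedded in the block; the host name and the addresses are made up (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges), grep -E is the spelled-out form of egrep, and GNU sed is assumed for the I flag.

```shell
#!/bin/bash
# Added example, not from the manual: grep -E (the egrep variant) and sed
# applied to a few constructed syslog-style lines. The host name and the
# addresses are made up; GNU sed is assumed for the I flag.
SAMPLE_LOG='Sep  3 14:18:12 da1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Sep  3 14:18:15 da1 sshd[2231]: Failed password for root from 192.0.2.10 port 4242 ssh2
Sep  3 14:19:01 da1 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)
Sep  3 14:20:07 da1 sshd[2260]: Accepted publickey for tux from 198.51.100.7 port 5123 ssh2'

# The pattern is single-quoted so the shell leaves ( ) ? + alone; the
# optional group needs extended syntax, hence -E (egrep) rather than bare grep.
failed_logins() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -E 'Failed password for (invalid user )?[a-z]+ from [0-9.]+'
}

# sed with a regex address: only lines containing "sshd[" are edited. The
# braces apply two commands to each of them: s///I matches regardless of
# case, and s///g masks every IPv4 address on the line, not just the first.
mask_sshd() {
    printf '%s\n' "$SAMPLE_LOG" | sed '/sshd\[/{
        s/failed password/FAILED/I
        s/[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}/x.x.x.x/g
    }'
}

# An address range ending in $ (the last line): print lines 3 to the end.
from_third_line() {
    printf '%s\n' "$SAMPLE_LOG" | sed -n '3,$p'
}
```

mask_sshd leaves the CRON line untouched because it does not match the address, which is the behaviour the text describes for an address given as a regular expression.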
The test command exists both as a built-in command and as an external command. It
is used to compare values and to check for files and their properties (whether a file
exists, whether it is executable, and so on).
If a tested condition is true, test returns an exit status of 0; if the condition is not true,
the exit status is 1. In shell scripts, test is used mainly to declare conditions to
influence the operation of loops, branches, and other statements.
test condition
-e                        File exists
-ef                       Refers to the same inode (such as in the case of a hard link)
-eq                       Equal
test -z string            Exit status is 0 (true) if the string has zero length (is empty).
test string1 = string2    Exit status is 0 (true) if the strings are equal.
test string1 != string2   Exit status is 0 (true) if the strings are not equal.
Note: For more detailed information about test, enter help test or man test (the built-in
test command and the external one have identical features).
A complete list of all special characters handled by tr is included in the man page of
the program.
tr set1 set2
The characters included in set1 are replaced with the characters included in set2.
You can use tr to delete characters from the first set by entering the following:
tr -d set1
This will not translate anything; it only deletes the ones included in set1, printing the
rest to standard output.
VAR=`echo $VAR | tr -d %`
In this example, tr deletes the percent sign from the original value of VAR and the
result is assigned as a new value to the same variable.
You can also use tr to replace a set of characters with a single character:
tr -s set1 char
Every character in set1 is replaced with char, and a run of several such replacements
in a row is squeezed (-s) into a single char.
Exercise Answers
The following are answers to the exercises in this section.
#!/bin/bash
# This script prints a "Hello world" greeting
# Author: Tux Penguin
# Created: 8/22/2005
echo -e "\aHello\nworld"
exit 0
#!/bin/bash
# This script reads the user's first and last name
# and then prints a greeting with the full name.
# Author: Tux Penguin
# Created: 8/22/2004
#!/bin/bash
# This script reads the user's first and last name
# and then prints a greeting with the full name.
# Author: Tux Penguin
# Created: 8/22/2005
exit 0
#!/bin/bash
# This script prints information about
# the current login
# and the current working directory.
# Author: Tux Penguin
# Created: 8/22/2005
login=`whoami`
path=`pwd`
#!/bin/bash
# This script lets the user specify two whole
# numbers and then adds them together. All kinds of
# arithmetic formats that are possible
# under Bash are used, one after another.
# Author: Tux Penguin
# Created: 8/22/2005
declare -i INTEGER1
declare -i INTEGER2
declare -i SUM
exit 0
#!/bin/bash
# This script searches for files in the current
# directory.
# The user is prompted to enter a filename;
# if no name is entered, we search for the default
# value anyway, which is set to "*.bak"
# Author: Tux Penguin
# Created: 8/22/2005
echo "Please enter the file to be searched for (default is: *.bak):"
read FILE
find . -name "${FILE:="*.bak"}"
exit 0
#!/bin/bash
# This script checks whether a file exists and if
# it is executable
# Author: Tux Penguin
# Created: 8/22/2005
read FILENAME
# $FILENAME is quoted: left unquoted, an empty answer would leave test with
# the single argument -e, which test treats as a non-empty string (true).
if test -e "$FILENAME"
then
    if test -x "$FILENAME"
    then
        echo "The file exists and is executable."
    else
        echo "The file exists but is not executable."
    fi
else
    echo "The file does not exist."
fi
exit 0
case "$VARIABLE" in
    [yY] | [yY][eE][sS] | [yY][eE][aA][hH] )
        ... ;;
    [nN] | [nN][oO] | [nN][oO][pP][eE] )
        ... ;;
    * )
        echo error message ;;
esac
#!/bin/bash
# A script to iterate over a simple "while" loop 100
# times.
# Author: Tux Penguin
# Created: 8/22/2005
declare -i COUNTER=1
exit 0
#!/bin/bash
# A script to iterate over a simple until loop 100 times.
# Author: Tux Penguin
# Created: 8/22/2005
declare -i COUNTER=1
exit 0
#!/bin/bash
# This script renames all files in the current
# directory so that they have all lowercase file
# names.
# Author: Tux Penguin
# Created: 8/22/2005
exit 0
#!/bin/bash
# This script renames all files in the current
# directory so that they have all-lowercase file
# names.
# 2nd version: Now we also check whether the file
# already exists with lowercase lettering.
# Author: Tux Penguin
# Created: 8/22/2005
For testing purposes, an echo is put before all important commands, such as chown
and userdel. There should be no spaces between [yY][eE][sS]. The same is true of
[nN][oO].
#!/bin/bash
# This script prompts for a user name and
# then deletes the corresponding account.
# Author: Tux Penguin
# Created: 8/22/2005
yesno (){
    while true
    do
        echo "$*"
        echo "Please answer by entering (y)es or (n)o:"
        read ANSWER
        case "$ANSWER" in
            [yY] | [yY][eE][sS] )
                return 0
                ;;
            [nN] | [nN][oO] )
                return 1
                ;;
            * )
                echo "I can't understand you over here."
                ;;
        esac
    done
}
read -p "Delete which user? " user
#!/bin/bash
# This script prompts for a user name and then deletes
# the corresponding account. Optionally, the user's
# home directory is deleted as well.
# Author: Tux Penguin
# Created: 8/22/2005
exit 0
Summary

1. Use Basic Script Elements
- Before writing a shell script, it is useful to draw a program flow chart.
- Before a file can be run as a shell script, it must have both read and execute
  permissions.
- To produce some simple output from a script, you can use the echo command.
- To read user input for processing by a script, you can use the read command.
- There are several ways to perform arithmetic operations in a script:
  - Use the external command expr.
  - Use the Bash built-in command let.
  - Enclose arithmetic expressions in double parentheses for expansion by the
    shell.
  - In Bash, arithmetic operations can also be performed with plain variables,
    provided that these have been declared as integers before.

2. Use Variable Substitution Operators
- In Bash, you can use special variable substitution operators to assign different
  values to variables without having to rely on external commands.
- These special substitution operators allow changing variables by deleting certain
  patterns in their values and returning the rest, for instance.
- They also allow you to set a default for a variable for situations where no value
  can be assigned to it.
5. Learn About Useful Commands in Shell Scripts
- You can use external commands in shell scripts to perform certain tasks.
- The following is a list of commonly used commands:
  - cat
  - cut
  - date
  - echo
  - grep and egrep
  - sed
  - test
  - tr
Compile Software from Source
In this section, you learn how to compile and install software that is available as
source code.
Objectives
1. Understand the Basics of C Programming
2. Understand the GNU Build Tool Chain
3. Understand the Concept of Shared Libraries
4. Perform a Standard Build Process
Introduction
Although SLES 9 is shipped with software packages for almost all purposes, you
might want to install software from other sources.
In many cases, however, open source projects provide only tar archives with the
source code of an application. In this section you learn how to compile and install
software from these source archives.
Note: The C++ language is considered the successor of C. The syntax of C++ is very similar to C, but
C++ lets you create object-oriented code. However, many applications and the Linux kernel are
still written in C.
The following are advantages and disadvantages of each programming language type:
Note: The summary in this table is not complete. There are programming languages like Java that are
classified between the described programming language types.
#include <stdio.h>
int main(void)
{
    char name[80];
    printf("Please enter your name: ");
    /* fgets reads at most sizeof name - 1 bytes, so a long name cannot overflow name[] */
    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    printf("Your name is: %s", name);   /* name still carries the newline from fgets */
    return(0);
}
This program prompts the user to enter his name, and then it prints out Your name is:
and the name the user has entered.
To compile the simple example program, you invoke the compiler with the following
command:
First, the name of the file that contains the source code is passed to gcc, followed by
the -o option and the name of the output binary file.
After the compilation has finished, the binary can be started like any other command
line program, as in the following:
./my_name
Please enter your name: Florian
Your name is: Florian
Note: As part of the SLES 9 installation exercise in Section 1, you already installed the necessary
packages for compiling C source (C/C++ Compiler and Tool).
If you did not complete this successfully, use the YaST Install and Remove Software module to
install this software before starting the exercise.
Do the following:
1. Open a terminal window.
2. Insert the 3038 Course CD in the CD-ROM drive.
3. Copy the source code package of the example application to the /tmp directory by
entering the following:
cp /media/mount_point/exercises/section_7/my_name.c /tmp
(where mount_point is cdrom, cdrecorder, or dvd, depending on your installed
hardware)
4. Change to the directory /tmp/ by entering cd /tmp.
5. Compile the C source file by entering the following:
gcc my_name.c -o my_name
6. After the program compiles, start the program by entering the following:
./my_name
7. Verify that the program works properly by entering a name.
8. Close the terminal window and remove the CD.
(End of Exercise)
It would be very difficult to compile a program with multiple source code files
manually on the command line. Fortunately some tools are available to manage the
compilation process.
In this objective, you learn how to do the following to perform a standard build
process:
- Use configure to Prepare the Build Process
- Use make to Compile the Source Code
- Use make install to Install the Compiled Program
- Install the Required Packages for a Build Environment
Before the actual compilation process can be started, you must prepare the source
code with a configure script. This needs to be done for the following reasons:
- Many applications can be compiled on different UNIX systems, Linux
  distributions, and hardware platforms. To make this possible, the build process
  needs to be prepared for the actual environment.
- The build process itself is controlled by a program called make. The instructions
  for how to compile the different source files are read from Makefiles. The
  configure script generates these Makefiles depending on the system
  environment.
- You can use configure to enable or disable certain features of an application.
To run the configure script, you need to use the following command at the top of the
source directory:
./configure
You can use the following command to list all available configure options:
./configure --help
You use the tool make to compile multiple source files in the correct order. Make is
controlled by Makefiles. Normally, these Makefiles are generated by the configure
script, but you can also create them manually.
You can also use make to install and uninstall the program to or from the right
location on the hard disk.
all: my_name

my_name: my_name.c
	gcc my_name.c -o my_name

install: my_name
	install -m 755 my_name /usr/local/bin/my_name

uninstall: /usr/local/bin/my_name
	rm -f /usr/local/bin/my_name

clean:
	rm -f my_name
Every Makefile consists of targets, dependencies, and commands for the targets.
Targets and dependencies are separated by a colon. The commands must be placed
under the target, indented with one tab character (spaces are not accepted). A #
introduces comments.
If you execute the command make while you are in the respective directory, the
program make will search this directory for the files GNUmakefile, Makefile, or
makefile.
If make is executed without any parameters, the first target of a Makefile is used. In
the example above, this is all. This target is associated with the target my_name,
which specifies the step to take: compile the file my_name.c with gcc.
The command make can also be used with individual targets. For example, the
command make install (as root) installs the binary file at the specified location and
make uninstall removes the binary file.
Even large software projects are created in the same way, but the Makefiles are much
more extensive and complex. If the software will be compiled to a functional
program on multiple architectures, things are much more complicated.
For this reason, the Makefile is usually generated by the configure script.
The last step when installing a program from source is to install the binary file and
additional files belonging to the application.
This step is usually done with make and an install target in the corresponding
Makefile.
make install
You must enter this command as root at the top level of the source directory.
A lot of different software packages are required to perform the described build
process. The easiest way to install all required packages is to select the selection
C/C++ Compiler and Tools in the YaST package manager.
To access the predefined selections, select Selections from the filter drop-down list as
shown in the following:
Figure 7-1
SUSE LINUX Advanced Administration
It would not make sense to implement the functionality of opening PNG files again
and again in every application. Therefore, program functionality can be stored in
shared libraries.
In the case of opening and displaying PNG files, the functionality is provided by the
shared library libpng.
Physically, a shared library is a file on the hard disk that is loaded into the main
memory when an application is started that requires the functionality of the library.
The task of finding and loading the required libraries is performed by the program ld.
Figure 7-2 (labels: libpng, Graphic Program, Web Browser)
This means that the header files of a library need to be installed on a system to
compile software that uses functions of that library. To run already compiled
software, only the shared library files are necessary.
Because the software that ships with SLES 9 is already compiled, the header files of
some libraries are not installed by default. These libraries are split into two packages:
the software packages that contain the header files have the extension -devel attached
to the package name.
For example, the package libpng contains the shared library, and the package
libpng-devel contains the corresponding header files.
When you run the configure script, it sometimes prompts you about missing libraries
that should be installed on the system. If you install the required packages with YaST,
you have to make sure that you select both the shared library and the corresponding
devel package.
The xpenguins program can be downloaded in a tar archive with the name
xpenguins-2.2.tar.gz.
Before you start the build process, you need to extract the tar archive by entering the
following command:
tar xzf xpenguins-2.2.tar.gz
Note: Some tar archives end in .bz. In this case, the archive is compressed with bzip and needs to be
extracted with the options xjf.
After the archive is extracted, you need to change to the source directory which has
been created by entering the following:
cd xpenguins-2.2/
In the source directory, you need to run the configure script with the following
command:
./configure
In the last lines of the output you can see that the Makefiles are created.
If the configure script does not report any errors, you can start the compilation
process by entering the following:
make
make all-recursive
make[1]: Entering directory `/tmp/xpenguins-2.2'
Making all in src
make[2]: Entering directory `/tmp/xpenguins-2.2/src'
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c main.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c xpenguins_config.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c xpenguins_core.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c xpenguins_theme.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_associate.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_draw.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_globals.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_query.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_set.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_core.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_end.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_init.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_root.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_signal.c
gcc -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -o xpenguins main.o xpenguins_config.o xpenguins_core.o xpenguins_theme.o toon_associate.o toon_draw.o toon_globals.o toon_query.o toon_set.o toon_core.o toon_end.o toon_init.o toon_root.o
[...]
The most important part of the output of make is the compiler calls, the lines starting with gcc.
When the compilation process has finished without any errors, you can install the
software by entering the following (as root):
make install
Do the following:
1. Open a terminal window.
2. Insert the 3038 Course CD in your CD-ROM drive.
3. Copy the source code package of the example application to the directory /tmp/ by
entering the following (on one line):
cp /media/drive/exercises/section_7/xpenguins-2.2.tar.gz /tmp
4. Change to the directory /tmp by entering cd /tmp.
5. Unpack the source archive by entering the following:
tar xzf xpenguins-2.2.tar.gz
6. Change to the source directory by entering cd xpenguins-2.2/.
7. Start the configure script by entering ./configure.
8. (Conditional) If the configure script displays an error message indicating that the
header files of the X Window system are not installed, install the package
XFree86-devel with YaST and run the configure script again before continuing.
9. When the configure script finishes, enter make.
10. When the make command finishes, su to root.
11. Change to the source directory by entering cd /tmp/xpenguins-2.2/.
12. Install the compiled application by entering make install.
To run the application xpenguins, you need to make an adjustment from the KDE
Control Center that is not part of the standard build process.
3. Select the check box for Allow programs in desktop window; then select Apply
and close the Control Center.
4. Open a terminal window.
5. Start the application by entering the following:
/usr/local/bin/xpenguins
6. Stop the program by pressing Ctrl+C (from the terminal window).
Have a lot of fun :-).
7. Close the terminal window.
(End of Exercise)
Summary
Objective 2: Understand the GNU Build Tool Chain
The standard build process consists of the following steps:
n The build process must be prepared with the configure script.
n The make command is used to compile the source code.
n The make program is used again to install the application.
The easiest way to install all necessary software packages for a build environment is
to select the C/C++ Compiler and Tools selection in the YaST package manager.
Objective 3: Understand the Concept of Shared Libraries
Shared libraries contain certain functions that are needed by many programs.
These files are loaded when an application needs a function from the corresponding
library.
A shared library consists of 2 basic parts:
n The shared object
n The header file
Some libraries are split into 2 software packages on SLES 9.
To run applications, you just need the base library package. To compile software, you
also need the header files in the package with the extension -devel.
Objective 4: Perform a Standard Build Process
The following are the command lines that are needed to build software from source,
shown by the example of the xpenguins game:
n tar xzf xpenguins-2.2.tar.gz
This extracts the source archive.
n cd xpenguins-2.2/
This changes to the source directory.
n ./configure
This runs the configure script.
n make
This starts the compilation process.
n make install
This installs the program.
Perform a Health Check and Performance Tuning
In this section, you learn how to analyze the performance of a SLES 9 system, how to
find performance bottlenecks, and what you can do to prevent them.
Objectives
1. Find Performance Bottlenecks
2. Reduce System and Memory Load
3. Optimize the Storage System
4. Tune the Network Performance
Introduction
As with any system, sometimes the performance of a SLES 9 system is not sufficient.
In this section, you learn about monitoring utilities that help you find the component
having performance problems.
You also learn some hints for solving performance problems. Remember that the
solutions for your problems need to be based on the result of your performance
analysis and depend on your system type.
No matter what measures you choose, make sure that all changes are well tested
before you enable them on the actual production system. Changes to the kernel
parameters need to be tested very carefully.
Complaints from users or customers about a slow system are normally of a general
character and do not provide detailed information about the cause of a problem.
Before you start to troubleshoot a system, you should ask for more information to
gain a better overview about the whole situation. The following is a list of questions
that can help you to find the performance bottleneck:
n What kind of server is affected? This includes information about the hardware
and the purpose of the server.
n What are the exact symptoms of a problem? The more information you have,
the more likely you are to determine the cause of a problem.
n Does the problem occur at specific times of the day or the week? For
example, performance problems might occur in the morning when people start to
work or after lunch break when people return to work.
n When and how did the problem start? Did the problem occur quickly or
slowly over several days or months?
n Who is experiencing the problems? Does just one person have the problem, or
is it a group of people who are using the same file server?
n Can the problem be reproduced? This can be very helpful when you are
analyzing the system.
When you have gathered enough information, you can start to analyze the system by
doing the following:
n Analyze Processes and Processor Utilization
n Analyze Memory Utilization and Performance
n Analyze Storage Performance
n Analyze Network Utilization and Performance
When you have a performance problem, you should look at the processor utilization
first. If the processor is not fast enough to run all of your applications at a reasonable
speed, this is the bottleneck you have to work on.
One way to measure processor utilization is the system load. The load value can be
displayed with various monitoring tools such as top or uptime.
To assign the CPU time, the kernel puts the running processes into a queue.
Depending on the priority of a process and the time since it was executed last, the
kernel decides which process should be executed next.
The load value is basically the average number of processes waiting in the process
queue over a specific amount of time. Programs like top or uptime therefore display
load values for the last 1, 5, and 15 minutes.
On a system with a single processor, an average load value of 1 means that the full
processing capacity is used by applications and the operating system.
If the value is lower than 1, some capacity is not used. If the average value is higher
than 1, the processor is not fast enough to handle all currently running processes.
Note: On a multiprocessor system, the load value can be higher. As a rule of thumb, the load value
should not be higher than the number of processors installed in the system.
A process that is started on a system does not always require CPU time. Depending
on the kind of work the process is doing, it can spend quite a lot of its time waiting
for I/O operations to finish. For example, an I/O operation can be user input or
data that is read from or written to the hard disk.
During these times the processes are not waiting in the kernel's process queue and do
not influence the load value of the system. This means that an application can be slow
even though a lack of CPU time is not the reason for it.
The following is a list of monitoring utilities that can be used to display the current
CPU utilization and the average load values:
The memory is controlled by the Memory Management system of the Linux kernel.
Every application has to ask the kernel to allocate memory, and every application is
only allowed to write into its own memory space.
You can view the utilization of the physical and the swap memory with the free
program by entering the following:
free
n -/+ buffers/cache. Some of the memory on a Linux system is used to cache data
for applications or devices. Parts of this memory can be freed when it is needed
for other purposes.
The free column displays the buffer adjusted line, which shows the memory that
would be used and available if the buffer and the cache were freed.
n Swap. This line shows information about the utilization of the swap memory.
The information includes the amount of total, used, and free swap memory.
As accessing the hard disk is much slower than accessing physical memory, the
performance of the whole system is affected when a lot of swap space has to be used.
Usually this happens when there is not enough physical memory to perform the
desired functionality of a system. It can also happen if an application requests much
more memory than it actually needs.
This can happen when the application crashes. It can also happen during normal
operation, when the implementation of the program is faulty. In this case, the
application has a memory leak.
You can use the top command to find programs that use a lot of memory. By default,
top sorts the process list by CPU utilization. By typing F, then n, and then pressing the
Enter key, you can change the sorting column to memory utilization. This way the top
memory consumers can be found at the top of the list.
If free displays a lot of used swap memory, this can indicate a performance
bottleneck caused by a lack of physical memory, but this is not always the case.
Sometimes a lot of memory is copied to the swap partition but is never touched again.
The performance of the system is only affected when the swap memory is actually
accessed.
You can use the command vmstat to display the activity of swap memory, as in the
following:
vmstat 1
The option 1 lets vmstat repeat its output every second. This way the usage of swap
memory can be displayed over a period of time. You can terminate the program by
pressing Ctrl+C.
The output in the columns si and so is of interest in this case. si stands for swap in,
which means that data is copied to the swap memory. so stands for swap out, which
means that data is copied back into the physical memory. In the example above, there
is no activity for the swap memory.
The first line of the output displays the average values since the system was started.
The lines that follow show the average values since the last output.
The following output of vmstat was captured on a different system, which ran out of
memory and shows a lot of activity in swap memory:
In this example, there is much more activity in the si and so columns than before. The
number displayed represents the amount of memory that is copied to or from swap
memory.
A system that shows a constant vmstat output like this has a performance bottleneck
caused by a lack of physical memory.
The following are commands and an application you can use to display memory
utilization:
KDE System Guard Offers the capability to display memory usage. Choose
the signal plotter visualization to follow the memory
usage over a period of time.
The performance of the storage system can be an issue, especially on systems that
face heavy hard disk utilization like ftp, web, or other kinds of file servers.
Before you analyze the hard disk performance and utilization, you should make sure
that you don’t have any problems with a too-high system load or a lack of physical
memory.
A system where the performance problems are caused by the disk subsystem usually
shows a relatively low network and CPU utilization but a high activity of the installed
disks that is not caused by memory paging or swapping.
In this case, you can use the command vmstat to display the activity of the disk
subsystem. You start vmstat by entering the following:
vmstat 1
The program should be started on the system when the performance problem occurs.
The following is the output of a system with almost no disk operations:
In this example, the columns of interest are bi and bo. They display the number of
blocks that are read from (bi) or written to (bo) the disk subsystem.
The following shows a system with a high utilization of the disk subsystem:
As you can see in these columns, the system has to deal with a lot of writing activity to
the disk subsystem.
However, a lot of data read from or written to the disk does not necessarily mean that
the disk subsystem is too slow. Depending on the available disk types and the disk
configuration, a disk load that totally blocks one system can be easily handled by
another system.
A performance problem that is caused by the disk subsystem usually occurs when a
process has to wait for data being delivered from or written to the disk.
You can use the command iostat to determine the average time a program has to wait
for data from the disk.
Note: The iostat command is not part of the SLES 9 default installation. You need to install the package
sysstat to use it.
The following command displays information about the disk device /dev/hda:
iostat -x 1 /dev/hda
The option -x enables the output of some additional information. 1 sets the interval in
which iostat repeats its output to 1 second. The device name specifies the disk that
should be monitored. If no disk is specified on the command line, all disks that are
used by the system are monitored.
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 3.18 17.90 3.37 1.32 146.73 153.78 73.36 76.89 64.11 0.25 53.50 4.57 2.14
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
Every output contains two blocks of information. The first block displays information
of the CPU utilization, like top or uptime. The second block shows the information
about the requested disk device.
The first output represents the average values since the system was started. All
following lines show the average values since the last update period.
The block that displays the device information shows first some details about the
amount of data that is read from or written to the device. To find out if the disk
subsystem has a performance bottleneck, focus on the following 2 columns:
n await. This column displays the average time in milliseconds an application has
to wait till its I/O request is performed.
n svctm. This column displays the average time in milliseconds that an I/O request
needs to be performed.
As you can see in the output above, the system concerned is not really busy. The
average await time since the system was booted is 53.50 milliseconds and the average
svctm time is 2.14 milliseconds.
As you can see in the following lines, the current disk utilization is even far below
the average with await and svctm times of 0 milliseconds.
Compare this with the following output of a system with a higher I/O load:
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 9105,94 0,00 44,55 0,00 73140,59 0,00 36570,30 1641,60 99,97 2441,89 22,24 99,11
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 10313,13 0,00 41,41 0,00 82828,28 0,00 41414,14 2000,00 93,90 2529,10 24,41 101,11
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 9293,00 0,00 41,00 0,00 74640,00 0,00 37320,00 1820,49 92,70 2447,00 24,41 100,10
As you can see, the average await time on this system is far beyond 2000 milliseconds,
and the svctm time is much higher than before. Such a system cannot fulfill the
requested I/O operations at an adequate speed.
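As an added example (not code from the course manual), the following shell script turns the three indicators discussed above into checks that run over captured output: the load-average rule of thumb against the number of processors, the vmstat si and so columns after the boot-time average line, and the iostat await and svctm columns after the first (boot-time average) block. The sample output is constructed from the manual's figures, the functions and thresholds are assumptions, and the iostat sample deliberately uses the decimal-comma locale output shown in the busy system above.

```shell
#!/bin/sh
# Added example, not from the course manual. Checks captured monitoring output
# for the bottleneck indicators the text describes. Samples are constructed
# (iostat values taken from the manual's figures); thresholds are assumptions.

# load_state "LOADAVG_LINE" NCPU
# Rule of thumb from the text: the 1-minute load should not exceed the number
# of processors. The first argument is a /proc/loadavg-style line.
load_state() {
    printf '%s\n' "$1" | awk -v ncpu="$2" '
        { state = ($1 + 0 > ncpu + 0) ? "overloaded" : "ok"; print state }'
}

# swap_active_intervals < "vmstat 1" output
# Counts the intervals in which data was swapped in or out (si or so > 0).
# The first data line holds averages since boot and is skipped.
swap_active_intervals() {
    awk '
        $1 == "r" && $2 == "b" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        !("si" in col) { next }            # banner line above the column header
        {
            n++
            if (n > 1 && ($(col["si"]) + 0 > 0 || $(col["so"]) + 0 > 0)) active++
        }
        END { print active + 0 }'
}

# io_waits_over LIMIT_MS < "iostat -x" output
# Prints "device await svctm" for every device whose await exceeds LIMIT_MS
# in any block after the first (boot-time average) one. Column positions come
# from the "Device:" header line, so a changed column order still works, and a
# decimal comma (locale-formatted output) is normalised before comparing.
io_waits_over() {
    awk -v limit="$1" '
        /^Device:/ { block++; for (i = 1; i <= NF; i++) col[$i] = i; next }
        /^avg-cpu/ || NF == 0 || !("await" in col) { next }
        {
            a = col["await"]; s = col["svctm"]
            if (block < 2 || NF < s) next   # boot averages, or a CPU stats line
            gsub(",", ".", $a); gsub(",", ".", $s)
            if ($a + 0 > limit + 0) print $1, $a, $s
        }'
}

# Constructed "vmstat 1" capture: boot average, then two intervals swapping.
VMSTAT_SAMPLE='procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  0  12040  20456   3120  81230    0    0     5     3  101    40  2  1 96  1
 0  1  40120   2104    880  21040  512  908     0  1800  350   420  5 10  0 85
 2  1  52000   1980    760  19880  640 1200     0  2400  380   450  6 11  0 83'

# Constructed "iostat -x" capture: boot averages, then one busy interval in
# decimal-comma format with an idle second disk added for contrast.
IOSTAT_SAMPLE='Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 3.18 17.90 3.37 1.32 146.73 153.78 73.36 76.89 64.11 0.25 53.50 4.57 2.14
Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
hda 0,00 9105,94 0,00 44,55 0,00 73140,59 0,00 36570,30 1641,60 99,97 2441,89 22,24 99,11
hdc 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00 0,00'

# Demo run over the constructed samples: ./health_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "load (1 CPU):           $(load_state '2.35 1.10 0.60 3/120 4567' 1)"
    echo "swap-active intervals:  $(printf '%s\n' "$VMSTAT_SAMPLE" | swap_active_intervals)"
    echo "devices with await > 100 ms:"
    printf '%s\n' "$IOSTAT_SAMPLE" | io_waits_over 100
fi
```

On a live system the same functions can be fed with `cat /proc/loadavg`, `vmstat 1 10` and `iostat -x 1 10`.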
The following is an overview of commands that you can use to analyze disk
utilization:
You can monitor these parameters with KDE System Guard. To start KDE System
Guard from the KDE start menu, select
System > Monitor > KDE System Guard.
Figure 8-1
On the left side of the window, you can browse the available monitoring sensors.
Browse to Network > Interfaces > Interface_you_want_to_monitor.
The following describes some of the available sensors you can use to analyze
network problems:
Dropped Packets This sensor displays the number of packets that are
either dropped when they are received by the host or
by other network components like routers on their way
to the destination.
Too many dropped packets can have a bad influence
on the network performance. The following are some
reasons for dropped packets:
n Network components are running at a different speed.
For example, the server runs at 100 Mbps, but the
router at only 10 Mbps.
n The network or system load of a server is too high to
handle all received network packets properly.
n A network component runs with a misconfigured
packet filter that drops network packets.
Besides problems that are caused by the network or the network setup itself, some
network services can interfere with the overall system performance. These network
services might not even be running on the same host that actually experiences the
performance problems.
The following are tools that you can use to monitor the network:
Do the following:
1. Make sure that you have installed the software selection C/C++ Compiler and
Tools as well as the package kernel-source.
If these packages are not installed, install them with the YaST software installer.
2. Open a terminal window.
3. Enter top.
Watch the information about the system load and the process list for a few
moments.
4. Open a second terminal window and su to root.
5. Enter the following commands:
cd /usr/src/linux
make cloneconfig
Note: If the directory /usr/src/linux does not exist, you need to install the package kernel-source.
6. When the second command finishes, start a Linux kernel compilation by entering
make bzImage.
The compilation generates a high load on the system:
7. From the first terminal window, watch the load numbers.
Notice that the load values are constantly rising. The 3 values differ as they
display the average of three different periods of time.
8. Wait until the load average value has reached 1; then quit the compilation process
in the second terminal window by pressing Ctrl+C.
9. In the second terminal window, restore the initial state by entering make clean.
10. From the first terminal window, watch the load values for a few moments.
Do the following:
1. In the first terminal window, enter vmstat 1.
2. Watch the vmstat output for a few moments, especially the columns si (swap in)
and so (swap out).
3. In the second terminal window, enter make -j bzImage.
4. In the first terminal window, watch the so and si columns.
Notice that the command make utilizes a lot of memory. As a result, after a few
minutes (normally 3 or 4) the system starts using swap memory.
5. In the second terminal window, stop the make process by pressing Ctrl+C.
6. In the first terminal window, watch as the swap activity declines.
7. Terminate the command vmstat by pressing Ctrl+C.
8. In the second terminal window, enter make clean.
Do the following:
1. Using the YaST package manager, install the package sysstat.
2. In the first terminal window, enter the following:
iostat -x 2 /dev/hda
If your root partition is on a different device than hda (such as hdc), adjust the
command accordingly.
3. Watch the output of iostat for a while, particularly the columns await and svctm.
4. In the second terminal window, enter make -j bzImage.
5. Watch the iostat values in the columns await and svctm.
Notice that both values are rising due to high disk utilization caused by the
command make.
6. In the second terminal window, stop the command make by pressing Ctrl+C.
7. Watch how the await and svctm times decrease again.
8. End iostat by pressing Ctrl+C.
9. In the second terminal window, enter make clean.
10. Close both terminal windows.
Do the following:
1. From the KDE start menu, select System > Monitor > KDE System Guard.
2. From the menu bar, select File > New.
3. Enter a title of Network.
4. Select 2 rows and 1 columns.
5. Select OK.
6. On the left side of the KDE System Guard window, browse to Network >
Interfaces > eth0.
7. Open Receiver and Transmitter.
8. Drag the Packets sensor from the Receiver and drop it in the upper part of the
Network worksheet.
9. For the display mode, select Signal Plotter.
10. Drag the Packets sensor from the Transmitter and drop it in the lower part of the
Network worksheet.
11. For the display mode, select Signal Plotter.
14. Wait until a partner has reached this step of the exercise.
15. Produce some network load with the system of your partner by entering the
following:
ping -f partner_ip_address
16. Watch the network load rise in the receiver and the transmitter.
(End of Exercise)
A high system and memory load is often caused by a single application. You can use
the top utility to find out which process uses the most resources on your system.
In this case, you should try to get more information about the issue by searching the
Internet and the web site of the vendor or the OpenSource project.
If the process starts to utilize the same amount of system resources after it has been
restarted, the system is probably not fast enough to run the process. Refer to “Run
Only Required Software” below for details on how to solve this issue.
The easiest but most effective way to reduce the system load is to run only the
software that is required to fulfill the purpose of a system. This includes the
following methods:
n Run a Server System without X
n Reduce the Number of Daemon Processes
Usually, it's not necessary to run an X-Server on a server system. Most administrative
tasks including those done in YaST can be done on the text console or remotely with
SSH or SUSE LINUX Remote Administration.
Preventing the X-Server from being started saves memory and CPU utilization. To do
so, you can switch to runlevel 3 manually by entering the following:
init 3
You can also set the default runlevel to 3 to boot the system to runlevel 3
automatically.
To change the default runlevel, you need to open the file /etc/inittab with a text editor.
In the file, look for a line like the following:
id:5:initdefault:
By changing 5 to 3, you can change the default runlevel from 5 (multiuser, network,
graphical login) to 3 (multiuser, network).
In most cases, a server offers only a few services but a lot more daemons are actually
running. By reducing the number of running daemon processes, you can reduce the
processor and the memory load.
To get an overview of the current service configuration, you can use the chkconfig
command by entering the following:
chkconfig -l
The -l option lists all services and their configuration in each runlevel. For example,
the following is the output for the Apache web server:
Review the list and make sure that the only services that are running are those needed
in the default runlevel of your server. If you find a service that is not necessary, you
can prevent it from starting up at boot time by removing its start script from the init
process.
Use a command like the following to remove a service from the init process:
chkconfig apache2 off
Changing the runlevel configuration does not affect the currently running instance of
a service. If you don’t want to reboot your system with the new configuration, you
need to stop a running service by calling its rc script manually.
rcapache2 stop
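The review of the service list described above, written out as a check you can repeat after every change. This is an added example in shell and not part of the course manual; the /etc/inittab excerpt and the chkconfig -l output it works on are constructed samples in the SLES 9 formats.

```shell
#!/bin/sh
# Added example, not part of the course manual: list the services that
# chkconfig will start in the default runlevel read from /etc/inittab.
# Both inputs are constructed samples in the SLES 9 formats; on a real
# system use "cat /etc/inittab" and "chkconfig -l" instead.

SAMPLE_INITTAB='# The default runlevel is defined here
id:5:initdefault:
l3:3:wait:/etc/init.d/rc 3'

SAMPLE_CHKCONFIG='apache2                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
cups                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
xdm                       0:off  1:off  2:off  3:off  4:off  5:on   6:off
nfsserver                 0:off  1:off  2:off  3:off  4:off  5:off  6:off'

# default_runlevel INITTAB_TEXT: print the N from the "id:N:initdefault:" line
default_runlevel() {
    printf '%s\n' "$1" | sed -n 's/^id:\([0-6]\):initdefault:.*$/\1/p'
}

# enabled_in_runlevel RUNLEVEL CHKCONFIG_TEXT: print, one per line, the
# services whose "RUNLEVEL:on" field is set in "chkconfig -l" output
enabled_in_runlevel() {
    printf '%s\n' "$2" | awk -v lvl="$1" '
        {
            for (i = 2; i <= NF; i++)
                if ($i == (lvl ":on")) { print $1; break }
        }'
}

# audit_services INITTAB_TEXT CHKCONFIG_TEXT: the services that will come
# up at boot; compare this list with what the server actually has to offer
audit_services() {
    lvl=$(default_runlevel "$1")
    enabled_in_runlevel "$lvl" "$2"
}

# Services started in the sample's default runlevel 5 ...
audit_services "$SAMPLE_INITTAB" "$SAMPLE_CHKCONFIG"
# ... and what would remain after switching the default to runlevel 3
enabled_in_runlevel 3 "$SAMPLE_CHKCONFIG"
```

Every service the audit prints that the server does not need is a candidate for chkconfig off and an rc script stop.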
There are many reasons to keep your software up to date. Besides the possible security
issues caused by outdated software, up-to-date software can improve performance.
However, there might be exceptions to the rule. For this reason, you should test new
releases carefully before using them in a production environment.
On a system with a lot of swapping, you should usually add more main memory to
enhance performance. However, if you can't do so, optimizing the swap partitions
can help.
First, make sure that you have enough available swap space. The old rule, that you
should have double the size of the physical memory as swap space, is a bit outdated
but still a reasonable starting point.
The key to speeding up the swap space is to spread it over several disks. This works
only on systems that have more than one installed disk.
Every swap partition has an entry in the file /etc/fstab that looks like the following:
You can use more than one swap partition by creating partitions and adding these to
/etc/fstab, as in the following:
In this example, 3 partitions are used on 3 different disks. The additional parameter
pri=1 assigns the same priority to all swap partitions.
With a priority 1 assigned to all swap partitions, the kernel can use the partitions in
parallel. This leads to a higher overall performance of swapping operations.
The drives that hold swap partitions should run at the same speed.
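Whether the kernel actually treats the partitions as equals is visible in /proc/swaps. The following is an added shell example, not part of the course manual, that checks the priorities there and prints the /etc/fstab lines that would fix a mismatch; the /proc/swaps listing it works on is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the course manual: check from /proc/swaps
# whether all swap partitions carry the same priority, which is the
# condition for the kernel to use them in parallel. SAMPLE_SWAPS is a
# constructed /proc/swaps listing; on a real system use "cat /proc/swaps".

SAMPLE_SWAPS='Filename      Type       Size     Used  Priority
/dev/hda2     partition  1048572  0     1
/dev/hdb2     partition  1048572  0     1
/dev/hdc2     partition  1048572  0     -1'

# swap_priorities SWAPS_TEXT: print "device priority" for each swap partition
swap_priorities() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "partition" { print $1, $5 }'
}

# distinct_priorities SWAPS_TEXT: print how many different priorities are in use
distinct_priorities() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "partition" { seen[$5] = 1 }
                              END { n = 0; for (p in seen) n++; print n }'
}

# swap_parallel SWAPS_TEXT: succeed only if every swap partition has the same
# priority; a partition mounted without pri= gets a negative default priority
# and is used only after the higher-priority partitions are full
swap_parallel() {
    [ "$(distinct_priorities "$1")" -eq 1 ]
}

# fstab_swap_line DEVICE PRIORITY: the /etc/fstab entry that gives a swap
# partition an explicit priority
fstab_swap_line() {
    printf '%s\tswap\tswap\tpri=%s\t0 0\n' "$1" "$2"
}

if swap_parallel "$SAMPLE_SWAPS"; then
    echo "all swap partitions share one priority"
else
    echo "swap priorities differ; give every partition the same pri= in /etc/fstab:"
    swap_priorities "$SAMPLE_SWAPS" | while read -r dev prio; do
        fstab_swap_line "$dev" 1
    done
fi
```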
If the above methods to reduce the system load do not lead to a lower resource
utilization, you should consider upgrading the following hardware:
- Upgrade the CPU
- Upgrade the Memory
If your system shows a high system load but all other parameters like memory,
network and storage load or utilization are not significantly high, you should consider
upgrading the CPU.
However, you need to consider the following before upgrading the CPU:
- Are there significantly faster CPUs available for the type of system you are using
(socket type, BIOS support)?
- Are the rest of the system components fast enough for the new CPU? Otherwise,
you could work on one bottleneck and create a new one.
- Is the system going to be replaced in the near future?
- Are other, faster systems available in your organization that could be used
instead of the current system?
Depending on the answers to these questions, you might decide to replace the whole
system instead of just the CPU. In some cases, this might be even more economical
in the long run than just a CPU upgrade.
Upgrading the memory usually means installing more physical memory. The first
question you might ask is how much additional memory you should install.
A way to answer this question is to look at the amount of swap space that is used by
the system when the performance problems occur. Adding double the amount of used
swap space might be a good starting point.
However, you should also compare the cost of a memory upgrade with the cost of
installing a new system.
Remember that if you add additional physical memory, you should also add
additional swap space. However, in most cases, more than 1 GB of swap space does
not increase performance significantly.
Do the following:
1. Log out of the KDE desktop environment and reboot your system.
2. When the KDM login appears, change to a text console by pressing Ctrl+Alt+F2.
3. Login as root.
4. Enter free.
Notice the amount of free physical memory.
5. Open the file /etc/inittab with the vi editor.
6. Look for the line id:5:initdefault: and change it to the following:
id:3:initdefault:
7. Save and close the file.
8. Reboot your system by entering reboot.
The system boots to runlevel 3.
9. Log in as root; then enter free.
10. Compare the amount of free physical memory with the number you noted earlier.
Note: The success of this depends on the amount of free memory you have available on your
hardware.
13. Edit the line id:3:initdefault: in /etc/inittab to change the default runlevel back to 5.
(End of Exercise)
You can use the tool hdparm to tune some settings of IDE hard drives. Entering the
following command displays the current settings of a drive:
hdparm -i /dev/hda
The most important setting you can change with hdparm is DMA (direct memory
access). With DMA, data from a disk can be written directly to the main memory of a
system without CPU utilization. This enhances performance in 2 ways:
- The transfer itself is much faster than with disabled DMA.
- The CPU is not utilized and can be used for other tasks.
By default, DMA should be enabled for IDE hard disks. However, if you experience
a weak disk performance, you should check the settings. DMA can also be enabled
for CD/DVD drives, which increases performance, especially for large data transfers.
You can use the following command to check the current status of the DMA
configuration:
hdparm -d /dev/hda
In this example, the DMA settings for the device hda are checked, with an output
similar to the following:
/dev/hda:
using_dma = 1 (on)
In this example, DMA is enabled for the device hda; otherwise, the variable
using_dma would have the value 0. To enable DMA for the device, enter the following:
hdparm -d 1 /dev/hda
With hdparm, you can also use command line options that affect a drive's
performance. The following lists the most important options:
Note: Before you change any settings with hdparm, you should make sure that important files on your
system are saved and backed up. Improper settings can lead to system crashes or data loss. For
more information, see man hdparm.
hdparm also provides an option to measure the transfer performance of a hard disk,
as in the following command for the device hda:
hdparm -t /dev/hda
The output for this command might look like the following:
/dev/hda:
Timing buffered disk reads: 156 MB in 3.01 seconds = 51.75 MB/sec
In this example, the disk offers a sequential transfer rate of 51.75 MB/sec. To achieve
valid results, you should repeat the test several times and compare the results. In
general, the test should be run at a low system and storage load.
All changes that are made with hdparm are active only until the next reboot. To make
sure hdparm commands are executed every time the system boots, you can add them
to the file /etc/init.d/boot.local.
The components of the Linux kernel that are responsible for hard disk access offer
some parameters that can be changed at runtime.
None of these parameters are saved permanently. If you want to set them every time
the system starts up, you can enter a command to set a parameter in the file
/etc/init.d/boot.local.
Because Linux is a multitasking operating system, more than one process at a time
might need to access the hard disk.
For this reason, the Linux kernel contains a component called the I/O Scheduler. This
scheduler collects requests from the processes and hands them over to the hardware
driver that is responsible for the drive.
The SLES 9 I/O Scheduler has one parameter that you can use to tune the I/O
performance. The parameter is stored in the file
/sys/block/device/queue/iosched/quantum
The parameter determines how many I/O requests are stored in a queue before they
are handed over to the driver. By queuing the requests, the scheduler can optimize the
order of the requests.
When you use this parameter, there is a tradeoff between data throughput and latency.
Use the following rule:
- Lower value = Shorter latency but lower data throughput
- Higher value = Longer latency but higher data throughput
You can set the value of the parameter with a command similar to the following:
When you change the value, you should always benchmark your application to
measure the success of the change.
Another kernel parameter lets you determine how much data should be used for the
read-ahead. Read-ahead basically means that more data from a file is read than
requested by an application.
This is done because an application usually wants to read all data from a file, not just
the data at the beginning. You can set the read-ahead parameter in the file
/sys/block/device/queue/read_ahead_kb.
The value determines how much data (in KB) is read ahead from file. The default
value on SLES 9 is 128 KB. Larger values can lead to a better overall throughput
with the drawback of a higher latency.
The swappiness parameter affects both the memory and the I/O performance. It
basically determines when a system starts to swap out data to the disk, and can be set
in the file
/proc/sys/vm/swappiness.
You can set the parameter value from 0 and 100. The higher the value, the more the
system will swap. The default value for SLES 9 is 60.
You can set the parameter with a command like the following:
The parameter determines how much you value the page cache over program
memory.
To achieve a performance advantage for an application, you can control the way the
kernel accesses the file system by doing the following:
- Disable atime Update
- Implement File System Dependent Tuning Options
To keep the atime information up to date, the kernel needs to update the atime
attribute every time a file is accessed. Updating the atime means that the kernel needs
to perform a write process, which causes additional load for the hard disk.
If the atime attribute is not important to you, you can mount a data partition with the
noatime option.
The following shows an fstab entry for the partition /dev/hda2 that uses the noatime
option:
Beside the general disk tuning options, you can also configure the file system to
- Mount a Reiser File System With the notail Option
- Configure the Journaling Mode of Ext3
On traditional UNIX file systems, small files or the rest of a big file (the tail) use
a full block of the file system although they don't really fill the block.
Reiserfs can store this data much more efficiently in the file system internal structure.
However, this costs some performance. You can use the mount option notail to
disable this feature. The drawback is a less space-efficient data storage.
You can use the notail option either with the -o option of mount or in the /etc/fstab
file, as in the following:
The ext3 file system offers journaling functionality. In journaling, every file system
transaction is logged in a special area of a partition, called the journal. The data in
the journal helps to restore a consistent file system in case of a system crash or a
power failure.
The ext3 file system offers 3 journaling modes that also affect the disk performance:
- data=journal. If you use this mode, the data of a transaction and the file
metadata are logged in the journal. This is the safest option for your data.
- data=ordered. When an ext3 file system is mounted with this option, only the
file metadata is stored in the journal. However, it forces the file data to be written
to disk before the metadata.
This option is a good compromise between speed and reliability, and is the
default for SLES 9.
- data=writeback. This is the fastest journaling option. Metadata is logged to the
journal, but file data is not treated in a special way. However, you still have the
advantages of a journaling file system when a crash or a power failure occurs.
You can use these options with the -o option of the mount command, or add them to
the /etc/fstab, as in the following:
If all of the above mentioned options do not improve disk performance, you might
need to consider upgrading your hardware.
From a performance perspective, a true SCSI hardware RAID system might be the
best choice. But upgrading to a newer IDE or SCSI disk can produce some of the
same results.
However, you have to compare the costs and the estimated advantages of an upgrade
with the purchase of a new system. A hardware upgrade has always the risk of
creating a new performance bottleneck somewhere else in the system.
In this exercise, you tune your IDE hard drive. It is assumed that the IDE hard disk is
/dev/hda. If your IDE hard disk is connected differently (such as hdc), use the
correct device name in the following steps.
Do the following:
1. Open a terminal window and su to root.
2. Make sure that the DMA mode is activated by entering the following command:
hdparm -d 1 /dev/hda
3. Run a performance test by entering the following:
hdparm -t /dev/hda
Notice the data throughput in MB/sec.
4. Disable the DMA mode by entering the following:
hdparm -d 0 /dev/hda
5. Run the performance test again by entering the following:
hdparm -t /dev/hda
Compare the result with the DMA enabled throughput.
6. Re-enable DMA by entering the following:
hdparm -d 1 /dev/hda
7. Close the terminal window.
(End of Exercise)
The Linux kernel lets you change some network parameters during runtime. This
makes sense on systems that have to deal with a lot of parallel connections (such as
web servers).
The parameters can be set with the sysctl command. To use this command, you have
to be the root user, because changing kernel parameters is not permitted for normal
users.
The most important command line parameter of sysctl is -w. With this option, you
can write a value into a kernel configuration parameter.
You can also access the kernel parameters from the proc file system, which is
mounted under /proc. You change the parameters by writing them into the
corresponding files in the /proc directory.
The following lists several sysctl commands and their effect on network
performance:
Because networking involves more than one system, you should consider which
changes to other hosts or your network infrastructure can improve the network
performance.
Summary
Objective 2. Reduce System and Memory Load
To reduce the system and memory load, you can do the following:
- Determine which processes utilize most of the processing power. Determine whether this is a failure or part of normal operation.
- Run only software that is required to fulfill the purpose of the system.
- Keep your software up to date.
- Optimize swap memory by spreading it over multiple disks.
- Upgrade the CPU and the physical memory.
Objective 3. Optimize the Storage System
To enhance the performance of the storage system, you can do the following:
- Use hdparm to ensure an optimal configuration of your hard disks.
- Set kernel parameters to optimize disk access.
- Tune access to the file systems on your disks.
- Exchange slow components of your storage system.
Objective 4. Tune the Network Performance
- Adapt the network parameters of the Linux kernel for your needs.
- Reconfigure your network environment. This includes the following:
  - Reduce the collision domain of Ethernet networks.
  - Check the physical quality of the connection (such as cables and plugs).
  - Check both sides of a faulty network connection.
  - Replace or upgrade your network equipment.
Manage Hardware and Component Changes
In this section, you learn how SLES 9 handles hardware and device drivers. You also
learn how to add and replace certain types of hardware.
Objectives
1. Describe the Differences Between Devices and Interfaces
2. Describe How Device Drivers Work
3. Describe How Device Drivers Are Loaded
4. Describe the sysfs File System
5. Describe How the SLES 9 Hotplug System Works
6. Use the hwup Command
7. Add New Hardware to a SLES 9 System
Introduction
Although most hardware devices can be configured with YaST or are even
automatically detected when plugged into the system, it is sometimes helpful to
understand how things work in the background.
In this section, you are introduced to SLES 9 hardware management and how
device drivers are loaded.
This course uses the following definitions for device and interface:
- Device. A device is a real, physical piece of hardware. This can be a PCI
network card, an AGP graphic adapter, a USB printer, or any kind of hardware
that you can hold, feel, or break if you want to.
- Interface. An interface is a software component associated with a device. To use
a physical piece of hardware, it needs to be accessed by a software interface.
A device can have more than one interface.
The following illustrates the roles of kernel and user space drivers:
Figure 9-1: Application, IPP Protocol, USB Interface, USB-Bus, Printer (layered from the application down to the printer).
While the handling of user space drivers depends on the framework they are used in,
you can manage kernel modules with the following commands:
- lsmod. This command lists all loaded kernel modules. For example:
lsmod
- modprobe. This command loads kernel modules. Because kernel modules can
depend on each other, modprobe automatically resolves these dependencies and
loads all required modules. For example:
modprobe usb-storage
In this example, modprobe loads the usb-storage module, which is needed to
access storage devices connected with the USB bus.
Because this module requires other USB modules, modprobe also loads these
modules.
Because modules normally work only with the kernel version they are built for, a new
directory is created for every kernel update you install.
Modules are stored in several subdirectories with a filename extension of .ko for
kernel object. When loading a module with modprobe, you can omit the extension and
use just the module name.
sysfs is a virtual file system that is mounted under /sys. In a virtual file system, there
is no physical device that holds the information. Instead, the file system is generated
virtually by the kernel.
sysfs represents all devices and interfaces of a Linux system. In sysfs, there are 4
main directories:
- /sys/bus and /sys/devices. These directories contain different representations of
system hardware. Devices are represented here.
For example, the following represents a digital camera connected to the USB
bus:
/sys/bus/usb/devices/1-1/
This directory contains several files that provide information about the device.
The following is a listing of the files in this directory:
For example, by reading the content from the manufacturer file, you can
determine the manufacturer of the device:
cat manufacturer
OLYMPUS
The subdirectory /sda1 represents the interface to the first partition on the
camera's memory card. For example, by reading the content of /sda1/size, you
can determine the size of the partition:
cat sda1/size
31959
The partition has a size of 31959 512-byte blocks, which is about 16 MB.
To connect an interface with a device, file system links are used. In the Olympus
digital camera example, a link exists from the file /sys/block/sda/device to the
corresponding device:
ll device
lrwxrwxrwx 1 root root 0 Aug 17 14:03 device ->
../../devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1:1.0/host0/0:0:0:0
In this way, all interfaces of the system are linked with their corresponding devices.
Beside the representation in sysfs, there are also the device files in the /dev directory.
These files are needed for applications to access the interfaces of a device. The name
“device file” is a bit misleading, as in our terminology the name “interface file”
would be more suitable.
The name “hotplug” is a bit misleading, because the hotplug system sets up different
kinds of devices, not only those that are really hot pluggable, like USB or Firewire
devices.
Every action hotplug performs must be triggered by a hotplug event. Hotplug events
can be created in the following ways:
- By the Linux kernel. The Linux kernel triggers a hotplug event when a
connection to a device is established, or when a driver is already loaded for a
connected device.
For example, when you plug in a USB device or insert a hotplug PCI adapter, a
hotplug event is triggered.
- By Coldplug. Coldplug is a script that starts at boot time. It scans the system and
creates a hotplug event for every device it finds.
This way, the hotplug system is used for devices other than hot pluggable
devices.
Every hotplug event has an event type. The event type is determined by a single
parameter that is passed to the hotplug script and some additional environment
variables that can be read by the hotplug script.
The command line parameter determines the subsystem that has issued the event in
the kernel.
The environment variables provided for a hotplug event depend on the event type.
Basically, the environment variables provide the action of the event (such as add
when a device has been added or remove when a device has been removed) and
additional information about the affected device.
Depending on the event type, the hotplug script starts the hotplug agents.
It might not be possible to start some devices with the hwup script, because no
configuration file can be found.
In this case, the agents have routines to find and load the correct driver module
automatically by searching module map files in the directories /etc/hotplug/ and
/lib/modules/kernelversion/.
The file /etc/hotplug/blacklist contains a list of driver modules that should never be
loaded by hotplug.
Sometimes coldplug and hotplug can cause errors during system startup; for
example, when a broken kernel module is loaded. In this case, you can switch off
both coldplug and hotplug with the following boot parameters:
- NOCOLDPLUG=1
This switches coldplug off.
- NOHOTPLUG=1
This switches hotplug off.
The following is the hotplug process for attaching a USB camera to the system:
1. The camera is plugged into the system.
2. The USB subsystem recognizes the camera and triggers a hotplug event by calling
the hotplug script.
3. The subsystem passes usb as the parameter to the script and provides additional
information about the new device in environment variables.
4. Because of the usb parameter, the hotplug script calls the USB hotplug agent.
5. The USB agent tries to configure the device by calling hwup.
6. If hwup fails, the agent tries to find the correct usb module by searching module
mapfiles in /etc/hotplug and
/lib/modules/kernelversion.
7. If a driver is found, the corresponding module is loaded.
The following illustrates the Linux hotplug process for a USB camera:
Figure 9-2: Linux System; Linux Kernel -> Hotplug Script -> USB Agent; 1. hwup; 2. Automatic module loading using /etc/hotplug/usb.usermap, /etc/hotplug/usb.handmap and /lib/modules/<version>/modules.usbmap.
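The seven steps above, replayed as a small model of the dispatch. This is an added shell example and not the SLES 9 hotplug scripts themselves; hwup, modprobe, the map-file columns and the hwcfg file name for a USB device are simulated or simplified so the script runs offline, and the map entries and product IDs are constructed.

```shell
#!/bin/sh
# Added example, not the SLES 9 hotplug scripts themselves: a small model of
# the dispatch described above. The kernel calls the hotplug script with the
# subsystem as its only parameter and describes the event in the environment
# (ACTION, and for USB the PRODUCT variable "vendor/product/version" in hex).
# hwup, modprobe, the hwcfg file name for USB and the map-file columns are
# simulated or simplified here so that the script runs offline.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HWCFG_DIR="$WORK/hwcfg"       # stands in for /etc/sysconfig/hardware
MAP_FILE="$WORK/usb.map"      # stands in for the usb map files
BLACKLIST="$WORK/blacklist"   # stands in for /etc/hotplug/blacklist
mkdir -p "$HWCFG_DIR"

# Constructed map: "vendor product module" (the real map files carry more columns)
cat > "$MAP_FILE" <<'EOF'
# vendor product module
7b4    105     usb-storage
46d    c016    usbhid
EOF
printf 'usbhid\n' > "$BLACKLIST"

# sim_hwup DEVICE: like hwup, succeeds only if a configuration file exists
sim_hwup() { [ -f "$HWCFG_DIR/hwcfg-$1" ]; }

# map_lookup VENDOR PRODUCT: print the module the map file assigns, if any
map_lookup() {
    awk -v v="$1" -v p="$2" '$1 !~ /^#/ && $1 == v && $2 == p { print $3; exit }' "$MAP_FILE"
}

is_blacklisted() { grep -qx "$1" "$BLACKLIST"; }

# usb_agent: what the USB agent does for one event; prints the action taken
usb_agent() {
    case "$ACTION" in
        add)
            dev="usb-$(printf '%s' "$PRODUCT" | tr / -)"   # placeholder device name
            if sim_hwup "$dev"; then
                echo "hwup $dev"
                return 0
            fi
            vendor=${PRODUCT%%/*}
            rest=${PRODUCT#*/}
            product=${rest%%/*}
            mod=$(map_lookup "$vendor" "$product")
            if [ -z "$mod" ]; then
                echo "no driver for $PRODUCT"
                return 1
            fi
            if is_blacklisted "$mod"; then
                echo "refusing blacklisted module $mod"
                return 1
            fi
            echo "modprobe $mod"
            ;;
        remove)
            echo "removed $PRODUCT"
            ;;
        *)
            echo "unknown action '$ACTION'"
            return 1
            ;;
    esac
}

# hotplug SUBSYSTEM: the dispatcher; the subsystem parameter chooses the agent
hotplug() {
    case "$1" in
        usb) usb_agent ;;
        *)   echo "no agent for subsystem $1"; return 1 ;;
    esac
}

# fire ACTION PRODUCT SUBSYSTEM: deliver one event with the environment the
# kernel would provide
fire() {
    ( ACTION=$1; PRODUCT=$2; export ACTION PRODUCT; hotplug "$3" )
}

fire add 7b4/105/100 usb        # no hwcfg file -> map lookup -> modprobe usb-storage
fire add 46d/c016/100 usb       # found in the map but blacklisted
fire add 1234/5678/100 usb      # unknown device, nothing is loaded
touch "$HWCFG_DIR/hwcfg-usb-7b4-105-100"
fire add 7b4/105/100 usb        # now the hwup path succeeds
```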
hwcfg-bus-pci-0000:02:08.0
You can display the PCI address of a device with the lspci command, as in the
following:
...
0000:02:08.0 Ethernet controller: Intel Corp. 82801BD PRO/100 VE (LOM)
Ethernet Controller (rev 81)
...
Other devices types might use different elements in their configuration filename. For
more information about the naming scheme, see the manpage of getcfg (man getcfg).
MODULE='e100'
MODULE_OPTIONS=''
STARTMODE='auto'
The module e100 is loaded, there are no options for this module and the device is
started automatically at boot time.
The hwup command is usually called by hotplug agents, but you can also use it
manually. For example, the following command starts the network card shown
previously:
hwup bus-pci-0000:02:08.0
You can use the command hwdown to deconfigure devices, as in the following:
hwdown bus-pci-0000:02:08.0
Exercise 9-1 Trace How a Network Adapter Is Set Up With hwup and ifup
Do the following:
1. Log out of the KDE desktop environment and reboot your system.
2. When the SLES 9 boot screen appears, add the following to the Boot Options field:
NOCOLDPLUG=1 NOHOTPLUG=1
These parameters are case-sensitive.
3. Boot the system by pressing Enter.
4. At the KDM login screen, log in as geeko.
5. Open a terminal window.
6. Try to ping the system of a partner by entering the following:
ping partner_ip_address
Notice that the network connection is not working.
Do the following:
1. From the terminal window, su to root.
2. Enter lspci.
3. Look for a line with the description Ethernet controller in the second column.
Note the PCI address (in the first column), such as the following:
0000:02:00.0
4. Look for one of the following files in /etc/sysconfig/hardware:
- hwcfg-bus-pci-address_ethernet_controller
or
- hwcfg-id-address_ethernet_controller
5. Open the file with a text editor.
6. Look for a line starting with MODULE=.
Notice the name of the module after this option. This is the hardware driver for
your network adapter.
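As an added example (not from the Novell course), the following shell script does steps 2 to 6 of this exercise in one go and reads the MODULE, MODULE_OPTIONS and STARTMODE settings described with the hwcfg file earlier. The lspci output, the hwcfg file and the directory it uses are constructed samples.

```shell
# Added example (not from the Novell course): do steps 2 to 6 above in a
# script and read the driver settings (MODULE, MODULE_OPTIONS, STARTMODE)
# from the matching hwcfg file. The lspci output, the hwcfg file and the
# directory used below are constructed samples, not taken from a real system.

# Print the PCI address (first column) of the first "Ethernet controller" line.
eth_pci_address() {
    # $1: text in lspci format, one device per line
    addr=$(printf '%s\n' "$1" | awk '/Ethernet controller/ { print $1; exit }')
    [ -n "$addr" ] || return 1
    case "$addr" in
        ????:*) ;;               # already carries a PCI domain (0000:02:08.0)
        *) addr="0000:$addr" ;;  # older lspci prints it without one (02:08.0)
    esac
    printf '%s\n' "$addr"
}

# Read one KEY='value' assignment from a hwcfg file without sourcing it:
# hwup sources these files as shell, so reading them with sed instead keeps
# an audit run free of side effects.
hwcfg_get() {
    # $1: hwcfg file, $2: variable name
    sed -n "s/^$2='\{0,1\}\([^']*\)'\{0,1\}$/\1/p" "$1" | head -n 1
}

# Map the Ethernet controller to its hwcfg-bus-pci-* file and report the settings.
report_eth_driver() {
    # $1: lspci output, $2: directory holding the hwcfg-* files
    pci=$(eth_pci_address "$1") || { echo "no Ethernet controller found" >&2; return 1; }
    cfg="$2/hwcfg-bus-pci-$pci"
    [ -r "$cfg" ] || { echo "no configuration file $cfg" >&2; return 1; }
    printf 'file=%s module=%s options=%s startmode=%s\n' "$cfg" \
        "$(hwcfg_get "$cfg" MODULE)" "$(hwcfg_get "$cfg" MODULE_OPTIONS)" \
        "$(hwcfg_get "$cfg" STARTMODE)"
}

# Constructed sample data so the script runs stand-alone.
SAMPLE_LSPCI='0000:00:1f.1 IDE interface: Intel Corporation 82801DB (ICH4) IDE Controller
0000:02:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (LOM) Ethernet Controller'
SAMPLE_DIR=$(mktemp -d)
printf "MODULE='e100'\nMODULE_OPTIONS=''\nSTARTMODE='auto'\n" \
    > "$SAMPLE_DIR/hwcfg-bus-pci-0000:02:08.0"
report_eth_driver "$SAMPLE_LSPCI" "$SAMPLE_DIR"
```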
ping partner_ip_address
Notice that the network connection is now working.
(End of Exercise)
The following explains how to add a new drive to a SLES 9 installation. For this
example, assume the following:
• The system is equipped with a single hard disk and is used as a web server.
• The system is running out of disk space, so you need to add a new hard disk for the /srv directory.
Do the following:
1. Shut down the system and install the new drive.
2. Boot the system into runlevel 1 by passing the boot parameter 1 to the Linux
kernel.
3. Use YaST or command line tools to create a partition and a file system on the new
drive.
4. Mount the drive temporarily in the /mnt directory.
5. Copy the existing data from /srv to /mnt. Make sure that the file permissions copy
properly. (Use the -a option for the cp command.)
6. Verify the copied data and delete the content of the /srv directory.
7. Unmount the new hard disk.
8. Edit the file /etc/fstab to mount the new hard drive automatically at boot time.
9. Reboot the system to the default runlevel.
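The copy-and-verify part of this procedure (steps 5, 6 and 8) as an added example that is not part of the course: it copies a tree with cp -a, checks content and permissions before anything is deleted from the source, and builds the fstab line. It runs on constructed directories; the device /dev/sdb1, the file system type and the mount options are assumptions.

```shell
# Added example (not from the course): the copy-and-verify part of the disk
# migration above, run on constructed directories so it works anywhere.
# The device /dev/sdb1, the file system type and the mount options are
# assumptions for the demonstration.

# Copy a tree with cp -a (keeps owner, mode, timestamps and symlinks), then
# verify the copy before anything is deleted from the source.
migrate_tree() {
    # $1: source directory (the old /srv), $2: mounted new disk (/mnt)
    cp -a "$1/." "$2/" || return 1
    # Content check; lost+found exists only on the fresh file system, so skip it.
    diff -r -x lost+found "$1" "$2" >/dev/null || return 1
    # Metadata check: mode, owner, group, type and symlink target must match,
    # otherwise the permissions did not survive the copy.
    [ "$(tree_meta "$1")" = "$(tree_meta "$2")" ]
}

# One "path mode owner group type name[->target]" line per entry, sorted.
tree_meta() {
    ( cd "$1" && find . -name lost+found -prune -o \
        -exec stat -c '%n %a %U %G %F %N' {} \; | sort )
}

# The /etc/fstab line that mounts the new disk on /srv at boot. nodev,nosuid
# on a pure data partition is an added hardening choice, not course text.
fstab_line() {
    # $1: block device, $2: mount point, $3: file system type
    printf '%s\t%s\t%s\tdefaults,nodev,nosuid\t1\t2\n' "$1" "$2" "$3"
}

# Constructed sample: a small /srv-like tree and an empty "new disk".
WORK=$(mktemp -d)
mkdir -p "$WORK/srv/www/htdocs" "$WORK/mnt/lost+found"
echo '<h1>hello</h1>' > "$WORK/srv/www/htdocs/index.html"
chmod 640 "$WORK/srv/www/htdocs/index.html"
ln -s htdocs "$WORK/srv/www/html"
if migrate_tree "$WORK/srv" "$WORK/mnt"; then
    echo "copy verified, fstab entry:"
    fstab_line /dev/sdb1 /srv ext3
else
    echo "copy NOT verified, keep the old data" >&2
fi
```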
When you add a new graphics card to the system, the X Server starts up with the
wrong driver configuration when booting into runlevel 5.
Note: A similar problem occurs when you replace the monitor of your system. You can also use the following instructions in this situation.
Do the following:
1. Shut down the system and replace the graphics card.
2. Boot the system into runlevel 3 by passing the boot parameter 3 to the Linux
kernel.
3. Log in as root and start sax2 to configure the new graphics card.
4. When finished, change to runlevel 5.
When adding a second network adapter, you have to make sure that the interface names of the devices are not mixed up.
The interface names are determined by the order of the network adapters on the PCI bus, so an adapter might get a different interface name after another one has been plugged in.
Do the following:
1. Before you install the new adapter, open the interface configuration file of the existing adapter in /etc/sysconfig/network/.
2. Add the following line to the configuration file:
PERSISTENT_NAME='external'
This ensures that the device always gets the interface name external.
3. Shut down the system and install the new network adapter.
4. Start the system and boot into runlevel 1.
5. Configure the new network adapter with YaST.
6. Open the interface configuration file of the new network adapter and add the
following line:
PERSISTENT_NAME='internal'
7. Reboot the system into the default runlevel.
With this method, the old adapter always gets the interface external while the new
adapter gets internal.
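An added example, not part of the course: a script that sets PERSISTENT_NAME in an ifcfg file without duplicating the line, validates the name before writing it, and reports when two ifcfg files claim the same persistent name, which is the mix-up this procedure prevents. The directory and the ifcfg file names are constructed samples.

```shell
# Added example (not from the course): set PERSISTENT_NAME in an ifcfg file
# without adding the line twice, and check a network configuration directory
# for two files claiming the same persistent name, which is exactly the mix-up
# the procedure above prevents. Directory and file names are constructed.

# Interface names end up sourced by the network scripts as shell variables,
# so accept only plain names of at most 15 characters (the kernel limit).
valid_ifname() {
    [ ${#1} -le 15 ] || return 1
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Set or replace KEY='value' in a sysconfig-style file.
set_sysconfig_var() {
    # $1: file, $2: variable name, $3: value (already validated by the caller)
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2='$3'|" "$1"
    else
        printf "%s='%s'\n" "$2" "$3" >> "$1"
    fi
}

set_persistent_name() {
    # $1: ifcfg file, $2: interface name, e.g. external or internal
    valid_ifname "$2" || { echo "refusing invalid interface name: $2" >&2; return 1; }
    set_sysconfig_var "$1" PERSISTENT_NAME "$2"
}

# Print every persistent name used by more than one ifcfg-* file in a directory.
duplicate_persistent_names() {
    # $1: directory holding the ifcfg-* files (normally /etc/sysconfig/network)
    for f in "$1"/ifcfg-*; do
        [ -f "$f" ] || continue
        sed -n "s/^PERSISTENT_NAME='\{0,1\}\([^']*\)'\{0,1\}$/\1/p" "$f"
    done | sort | uniq -d
}

# Constructed sample: two adapters configured in a temporary directory.
NETDIR=$(mktemp -d)
printf "BOOTPROTO='dhcp'\nSTARTMODE='onboot'\n" > "$NETDIR/ifcfg-eth-id-00:11:22:33:44:55"
printf "BOOTPROTO='static'\nSTARTMODE='onboot'\n" > "$NETDIR/ifcfg-eth-id-66:77:88:99:aa:bb"
set_persistent_name "$NETDIR/ifcfg-eth-id-00:11:22:33:44:55" external
set_persistent_name "$NETDIR/ifcfg-eth-id-66:77:88:99:aa:bb" internal
dups=$(duplicate_persistent_names "$NETDIR")
[ -z "$dups" ] && echo "no duplicate persistent names" || echo "duplicates: $dups"
```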
Summary
Objective 1. Describe the Differences Between Devices and Interfaces
• The terms device and interface are often confused. This section uses the following definitions:
  • Device. A device is a physical piece of hardware.
  • Interface. An interface is a software component that is used to access a device.
• One device can have more than one interface.
• An interface is created by a device driver.
Objective 2. Describe How Device Drivers Work
• There are 2 basic kinds of device drivers:
  • Kernel modules. Kernel modules are loaded into the Linux kernel and extend its functionality.
  • User space drivers. These drivers run within user space applications.
• Some devices require both kernel modules and user space drivers.
• You can use the following commands to manage kernel modules:
  • lsmod. Use lsmod to list loaded drivers.
  • modprobe. Use modprobe to load kernel modules.
  • rmmod. Use rmmod to remove loaded kernel modules.
• The kernel modules are files that are stored in the directory /lib/modules/kernel-version/.
Objective 3. Describe How Device Drivers Are Loaded
In a SLES 9 system, kernel modules are loaded in the following ways:
• From initrd
• By initscripts
• By hotplug
• By the X Server
• Manually by the user root
Objective 4. Describe the sysfs File System
• The sysfs file system provides a representation of all devices and interfaces of a system.
• Devices are represented in the directories /sys/bus and /sys/devices.
• Interfaces are represented by the directories /sys/class and /sys/block.
• A device and its interfaces are connected with file system links.
Objective 5. Describe How the SLES 9 Hotplug System Works
• The hotplug system is used to configure some devices of a SLES 9 system.
• The following is the standard hotplug process when a new device is plugged into the system:
  1. The device is plugged into the system.
  2. The USB subsystem recognizes the device and triggers a hotplug event by calling the hotplug script.
  3. The subsystem passes usb as the parameter to the script and provides additional information about the new device in environment variables.
  4. Because of the usb parameter, the hotplug script calls the usb hotplug agent.
  5. The USB agent tries to configure the device by calling hwup.
  6. If hwup fails, the agent tries to find the correct usb module by searching module mapfiles in /etc/hotplug and /lib/modules/kernelversion.
  7. If a driver is found, the corresponding module is loaded.
Objective 6. Use the hwup Command
• The hwup command is used to start preconfigured devices.
• The device configuration files are stored in the directory /etc/sysconfig/hardware/.
• The filename of the configuration file contains a unique identifier for the corresponding device.
In the configuration file, the following variables can be used:
• STARTMODE
• MODULE
• MODULE_OPTIONS
• SCRIPT{UP,DOWN}_[type]
• SCRIPT{UP,DOWN}
Objective 7. Add New Hardware to a SLES 9 System
In general, new hardware is either detected with hotplug or can be easily configured with YaST. In some cases, however, some manual work is necessary to integrate new devices properly into the system.
The following are 3 examples of situations that require manual configuration:
• Adding a hard drive
• Replacing a graphic adapter
• Adding a new network adapter
Prepare for the Novell CLP Practicum
In this section, you work through the following scenarios to help you to prepare for
the Novell CLP (Certified Linux Professional) practicum exam:
1. Install and Configure SLES 9
2. Configure a DNS Server
3. Configure a Web Server
4. Configure a Samba File Server
You must complete Scenario 1. You can then select any of the remaining scenarios to
complete, depending on available time.
Remember that skills from all 3 Novell CLP courses might be necessary to fulfill the
required tasks.
Scenario
Digital Airlines is planning on deploying SUSE LINUX in its IT infrastructure.
During the first phase, SLES 9 will be used on the back-end systems like file, web,
and network-infrastructure servers.
As the network administrator for your Digital Airlines office, you (along with
management) have designed a migration plan which includes the following services
to be migrated to SLES 9:
• DNS services on the internal network
• Intranet Web server
• File and Print services for Windows clients
Read through these requirements carefully, then install and configure the server.
Because the web server needs to be migrated to SLES 9, you decide to create a
prototype system for the general portal site and 2 departments (accounting and
marketing) on the test server.
You decide to test this migration for the marketing department on the test server in
your lab.
Novell CLP and LPI Requirements
This appendix provides information about the LPI Level I objectives covered in this
and the other Novell CLP certification courses.
LPI objectives named 1.xxx.y are part of exams 101 and 102 (LPI Certification Level
1). LPI objectives named 2.xxx.y are part of exams 201 and 202 (LPI Certification
Level 2). CLP courses include the section (such as 3037/3 for Course 3037 Section
3).
Because the Novell CLP courses use SUSE LINUX exclusively, there are some differences between the software used in those courses and the software covered by the LPI objectives (such as CUPS for printing in SLES 9 and lpr in the LPI objectives).
1.104.8  Find system files and place files in the correct location  3036/6
Topic 110: X
1.111.1  Manage users and group accounts and related system files  3036/5, 3037/2
1.111.3  Configure and use system log files to meet administrative and security needs  3037/6, 3038/8
1.113.4  Properly manage the NFS, smb, and nmb daemons  3037/9, 3038/3
Index
G
generate 1-27, 3-56, 3-63, 6-11
global 2-3–2-4, 3-4, 3-7, 3-9, 3-20, 3-28, 3-46–3-47, 3-67–3-68, 3-78, 4-12
graphical
user interface 4-23
group 3-74, 4-29
GUI 1-51–1-52
H
hardware Intro-2, Intro-5, 1-1–1-3, 1-6, 1-21–1-22, 1-29, 1-33, 1-39–1-40, 1-43–1-44, 1-47, 1-50–1-51, 1-53, 2-4–2-5, 2-9, 2-20, 2-22, 2-24, 4-10, 5-22, 5-27, 5-32, 7-6–7-7, 8-2, 8-18–8-19, 8-22, 8-25, 9-1–9-3, 9-5–9-6, 9-8, 9-11, 9-14–9-15, 9-17, 9-19–9-20, A-1, A-5
header 3-20, 7-4, 7-10–7-11, 7-13, 7-15, 7-18
health Intro-2, Intro-5, 8-1
check Intro-2, Intro-5, 8-1
high availability 4-4
home directories 3-75
HTTP 3-43
I
index 2-4
installation 1-3–1-4, 1-39, 1-44
Internet 3-61, 4-47
interval 8-8
IP 2-6, 2-24
M
MAIL 6-42
management Intro-5, 1-3, 1-22, 1-24, 1-34, 1-39, 3-28–3-29, 4-4, 4-6, 4-8, 4-16, 4-18, 8-4, 9-1, 10-1, A-1, A-6
master 1-27, 3-4–3-5, 3-8–3-14, 3-16–3-17, 3-22–3-23, 3-25–3-26, 3-71, 3-80, 5-13, 5-25, 10-3
memory 1-3, 1-8, 1-15, 1-44, 7-10, 8-4–8-7, 8-13, 8-15–8-20, 8-23, 8-29–8-30, 9-5, 9-7
migrate Intro-5, 10-4
modify 4-28
monitor 1-39–1-42, 1-50–1-51, 4-9, 8-9–8-11, 8-14, 8-29–8-30, 9-17, A-2
mount
point 1-11, 1-13, 1-16, 1-21–1-23, 1-48
mouse 6-27
N
name
space 3-68
navigation 1-40
Netscape 1-8
network 3-16, 8-10–8-11, 8-14
packets 2-12–2-13, 2-17–2-18, 3-53, 8-11
NFS 1-3, 8-11, A-4–A-5
Notes 1-33, 1-50
O
object 3-29, 4-24
U
update 4-48
upgrade 8-18, 8-25, 8-29–8-31
user 3-74, 4-16, 6-57, 8-8–8-9
account 1-34, 1-38, 3-42, 4-20, 6-38, 6-41, 10-2
interface 4-23
management 4-18
V
value 3-29, 6-16–6-17, 8-22
volume 1-21
W
web
server 1-8, 2-4, 3-5, 3-43–3-56, 3-60–3-61, 3-81, 4-5,
4-13, 4-21, 8-16, 9-17, 10-1–10-2, 10-4, A-5
services A-5
write 4-23–4-24
Z
zone 1-6, 1-47, 3-4–3-5, 3-7–3-14, 3-16–3-17, 3-21–3-26,
3-80, 4-8, 10-3