SUSE LINUX Advanced Administration
COURSE 3038
Novell Training Services www.novell.com

AUTHORIZED COURSEWARE

Part #
Version 2
Proprietary Statement

Copyright © 2010 Novell, Inc. All rights reserved.

The reproduction, photocopying, storing on a retrieval system, or transmitting of this manual is protected under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.

You are free to share (copy, distribute and transmit the work) and to remix (adapt the work) under the following conditions: you must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work), and you may not use this work for commercial purposes. In addition, if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to the Creative Commons license page (http://creativecommons.org/licenses/by-nc-sa/3.0/).

For clarification or to apply for a waiver to any of these conditions, contact Novell, Inc.

Novell, Inc.
1800 South Novell Place
Provo, UT 84606-2399

Disclaimer

Novell, Inc. makes no representations or warranties with respect to the contents or use of this manual, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. reserves the right to revise this publication and to make changes in its content at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any NetWare software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity of such changes.

This Novell Training Manual is published solely to instruct students in the use of Novell networking software. Although third-party application software packages are used in Novell training courses, this is for demonstration purposes only and shall not constitute an endorsement of any of these software applications.

Further, Novell, Inc. does not represent itself as having any particular expertise in these application software packages and any use by students of the same shall be done at the students' own risk.

Trademarks

Novell, Inc. has attempted to supply trademark information about company names, products, and services mentioned in this manual. The following list of trademarks was derived from various sources.

Novell, Inc. Trademarks

Novell, the Novell logo, NetWare, BorderManager, ConsoleOne, DirXML, GroupWise, iChain, ManageWise, NDPS, NDS, NetMail, Novell Directory Services, Novell iFolder, Novell SecretStore, Ximian, Ximian Evolution and ZENworks are registered trademarks; CDE, Certified Directory Engineer and CNE are registered service marks; eDirectory, Evolution, exteNd, exteNd Composer, exteNd Directory, exteNd Workbench, Mono, NIMS, NLM, NMAS, Novell Certificate Server, Novell Client, Novell Cluster Services, Novell Distributed Print Services, Novell Internet Messaging System, Novell Storage Services, Nsure, Nsure Resources, Nterprise, Nterprise Branch Office, Red Carpet and Red Carpet Enterprise are trademarks; and Certified Novell Administrator, CNA, Certified Novell Engineer, Certified Novell Instructor, CNI, Master CNE, Master CNI, MCNE, MCNI, Novell Education Academic Partner, NEAP, Ngage, Novell Online Training Provider, NOTP and Novell Technical Services are service marks of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE LINUX AG, a Novell company. For more information on Novell trademarks, please visit http://www.novell.com/company/legal/trademarks/tmlist.html.

Other Trademarks

Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc. EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a registered trademark of Apple Computer, Inc. Lotus Notes is a registered trademark of Lotus Development Corporation. Macintosh is a registered trademark of Apple Computer, Inc. Netscape Communicator is a trademark of Netscape Communications Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. Pentium is a registered trademark of Intel Corporation. Solaris is a registered trademark of Sun Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64 is a trademark of Digital Equipment Corp. UnitedLinux is a registered trademark of UnitedLinux. UNIX is a registered trademark of the Open Group. WebSphere is a trademark of International Business Machines Corporation. Windows and Windows NT are registered trademarks of Microsoft Corporation.

All other third-party trademarks are the property of their respective owners.
Contents

Introduction
Course Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-1
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-2
Certification and Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-2
SLES 9 Support and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-4
SLES 9 Online Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-4
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-5
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-5
Exercise Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intro-6

SECTION 1 Install SLES 9

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Objective 1 Perform the SLES 9 Base Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Boot From the Installation Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Select the System Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Select the Installation Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Understand and Change the Installation Proposal . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Partition the Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Select the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Configure the Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26
Start the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Objective 2 Configure the SLES 9 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Set the root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Configure the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31
Test the Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Perform an Online Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Configure Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Manage Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Configure Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39
Finalize the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43
Objective 3 Troubleshoot the Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44
Exercise 1-1 Install SLES 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-53

Version 2 Copyright © 2010 Novell, Inc. Copying or distributing all or part of this manual is protected by TOC-1
a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.

SECTION 2 Configure the Network Manually

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Objective 1 Understand Linux Network Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Objective 2 Set Up Network Devices With the ip Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Display the Current Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Change the Current Network Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Objective 3 Save Device Settings to a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Configure a Device Statically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Configure a Device Dynamically With DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Start and Stop Configured Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Objective 4 Set Up Routing With the ip Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
View the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Add Routes to the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Delete Routes from the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Objective 5 Save Routing Settings to a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Objective 6 Configure Host Name and Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Set the Host and Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Configure Name Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Objective 7 Test the Network Connection With Command Line Tools . . . . . . . . . . . . . . . . . . . . . . 2-17
Use ping to Test Network Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-17
Use traceroute to Trace Network Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Exercise 2-1 Configure the Network Connection Manually . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

SECTION 3 Configure Network Services

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Objective 1 Configure a DNS Server Using BIND. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Understand the Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Install and Configure the BIND Server Software . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Configure a Caching-Only DNS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Configure a Master Server for Your Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9
Configure One or More Slave Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Configure the Client Computers to Use the DNS Server . . . . . . . . . . . . . . . . . . . 3-18
Use Command Line Tools to Query DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Find More Information About DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Exercise 3-1 Configure a DNS server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Objective 2 Deploy OpenLDAP on a SLES 9 Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
The Concept of a Directory Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
The Basics of LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
How to Install and Set Up an OpenLDAP Server . . . . . . . . . . . . . . . . . . . . . . . . 3-30
How to Add Entries to the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32
How to Query Information from the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . 3-34
How to Delete and Modify Entries of the LDAP Server . . . . . . . . . . . . . . . . . . . 3-35
How to Use Graphical LDAP Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-36
Exercise 3-2 Use the SLES 9 OpenLDAP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39
Objective 3 Configure an Apache Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
The Basic Functionality of a Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
How to Install and Set Up a Basic Apache Web Server . . . . . . . . . . . . . . . . . . . 3-43
The Structure and the Basic Elements of the Apache Configuration Files . . . . . 3-46
The Basic Apache Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48
How to Configure Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48
How to Limit Access to the Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51
How to Configure OpenSSL for Connection Encryption . . . . . . . . . . . . . . . . . . 3-53
Exercise 3-3 Configure an Apache Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60
Objective 4 Configure a Samba Server as a File Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-66
The Purpose and the Possibilities of Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-66
How to Install and Set Up a Basic Samba Server . . . . . . . . . . . . . . . . . . . . . . . . 3-67
The Structure and Elements of the Samba Configuration File . . . . . . . . . . . . . . . 3-67
How to Use the Samba Tools to Access SMB Shares from a Linux Computer . 3-69
How to Configure a File Server with User Authentication . . . . . . . . . . . . . . . . . 3-73
Additional Possibilities with Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-76
Exercise 3-4 Configure a File Server With Samba. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-77
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-80

SECTION 4 Secure a SLES 9 Server

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Objective 1 Create a Security Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Understand the Basics of a Security Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Perform a Communication Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Analyze the Protection Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Analyze the Current Situation and Necessary Enhancements . . . . . . . . . . . . . . . . 4-5
Objective 2 Limit Physical Access to Server Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Place the Server in a Separate, Locked Room . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Secure the BIOS with a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11
Secure the GRUB Boot Loader with a Password . . . . . . . . . . . . . . . . . . . . . . . . . 4-12

Objective 3 Limit the Installed Software Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13
Objective 4 Understand the Linux User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
How PAM Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14
PAM Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15
The Requirements for a Secure Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18
Exercise 4-1 Change the PAM Configuration to Disable the Graphical Root Login. . . . . . 4-19
Objective 5 Ensure File System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
The Basic Rule for User Write Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
The Basic Rule for User Read Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20
How Special File Permissions Affect the Security of the System . . . . . . . . . . . . 4-21
Objective 6 Use ACLs for Advanced Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
The Basics of ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Important ACL Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
ACL Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24
How ACLs and Permission Bits Map to Each Other . . . . . . . . . . . . . . . . . . . . . . 4-25
How to Use the ACL Command Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
How to Configure a Directory With an Access ACL . . . . . . . . . . . . . . . . . . . . . . 4-27
How to Configure a Directory With a Default ACL . . . . . . . . . . . . . . . . . . . . . . 4-30
The ACL Check Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
How Applications Handle ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-33
Exercise 4-2 Use ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34
Objective 7 Configure Security Settings With YaST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37
Objective 8 Stay Informed About Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-46
Exercise 4-3 Subscribe to the SUSE Security Announcements . . . . . . . . . . . . . . . . . . . . . . 4-47
Objective 9 Apply Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Register Your Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Use the YaST Online Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-48
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-52

SECTION 5 Manage Backup and Recovery

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Objective 1 Develop a Backup Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Choose a Backup Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Choose the Right Backup Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

Objective 2 Create Backup Files With tar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Create tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
Unpack tar Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Exclude Files from Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Perform Incremental and Differential Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Use tar Command Line Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
Exercise 5-1 Create Backup Files With tar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9
Objective 3 Work With Magnetic Tapes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11
Objective 4 Copy Data With the dd Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13
Exercise 5-2 Create Drive Images With dd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Objective 5 Mirror Directories With the rsync Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Perform Local Copying With rsync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Perform Remote Copying with rsync . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17
Exercise 5-3 Create a Backup of a Home Directory With rsync . . . . . . . . . . . . . . . . . . . . . 5-18
Objective 6 Automate Data Backups With the cron Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20
Exercise 5-4 Configure a cron Job for Data Backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21
Objective 7 Troubleshoot the Boot Process of a SLES 9 System. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
System Boot Process Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22
How to Boot a Corrupted System Directly into a Shell . . . . . . . . . . . . . . . . . . . . 5-22
How to Boot a Corrupted System With the Installation Media . . . . . . . . . . . . . . 5-23
How to Start and Use the SLES 9 Rescue System . . . . . . . . . . . . . . . . . . . . . . . . 5-24
Objective 8 Configure and Install the GRUB Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
The Basic Functionality of a Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
The Basics of GRUB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-25
How to Configure the GRUB Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26
Exercise 5-5 Boot to a Shell and Configure the GRUB Boot Loader . . . . . . . . . . . . . . . . . 5-28
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-30

SECTION 6 Create Shell Scripts

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1
Objective 1 Use Basic Script Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Flow Charts for Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
The Basic Rules of Shell Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4
Exercise 6-1 Produce Output from a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
How to Develop Scripts That Read User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-6
Exercise 6-2 Read User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
How to Perform Basic Script Operations with Variables . . . . . . . . . . . . . . . . . . . . 6-8
Exercise 6-3 Simple Operations with Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10
How to Use Command Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

Exercise 6-4 Use Command Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12
How to Use Arithmetic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13
Exercise 6-5 Use Arithmetic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15
Objective 2 Use Variable Substitution Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16
Exercise 6-6 Use Variable Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18
Objective 3 Use Control Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
Create Basic Branches With the if Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19
Exercise 6-7 Use the if Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25
Build Multiple Branches With a case Statement . . . . . . . . . . . . . . . . . . . . . . . . . 6-26
Exercise 6-8 Use the case Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-29
Create Loops Using the while and until Commands . . . . . . . . . . . . . . . . . . . . . . 6-29
Exercise 6-9 Use the while and until Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-31
Process Lists with the for Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-31
Exercise 6-10 Use the for Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-33
Interrupt Loop Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34
Exercise 6-11 Interrupt Loop Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-35
Objective 4 Use Advanced Scripting Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36
Use Shell Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36
Exercise 6-12 Use Shell Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-38
Read Options with getopts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-40
Exercise 6-13 Use the getopts Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41
Objective 5 Learn About Useful Commands in Shell Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-42
Use the cat Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-42
Use the cut Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-42
Use the date Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43
Use the echo Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44
Use the grep and egrep Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44
Use the sed Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-45
Use the test Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-47
Use the tr Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-49
Exercise Answers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-51
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-59

SECTION 7 Compile Software from Source

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1
Objective 1 Understand the Basics of C Programming. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
The Difference Between Source Code and an Executable . . . . . . . . . . . . . . . . . . . 7-2
The Structure of a Simple C Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
How to Compile a Simple C Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
Exercise 7-1 Compile a Simple C Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

Objective 2 Understand the GNU Build Tool Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7


Use configure to Prepare the Build Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
Use make to Compile the Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
Use make install to Install the Compiled Program . . . . . . . . . . . . . . . . . . . . . . . . . 7-9
Install the Required Packages for a Build Environment . . . . . . . . . . . . . . . . . . . . 7-9
Objective 3 Understand the Concept of Shared Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Objective 4 Perform a Standard Build Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12
Exercise 7-2 Compile Software from a Source Package . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

SECTION 8 Perform a Health Check and Performance Tuning

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1
Objective 1 Find Performance Bottlenecks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Analyze Processes and Processor Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Analyze Memory Utilization and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4
Analyze Storage Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6
Analyze Network Utilization and Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9
Exercise 8-1 Analyze System Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12
Objective 2 Reduce System and Memory Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Analyze CPU Intensive Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Run Only Required Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15
Keep Your Software Up to Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Optimize Swap Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17
Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-18
Exercise 8-2 Reduce Resource Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19
Objective 3 Optimize the Storage System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
Configure IDE Drives With hdparm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20
Tune Kernel Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21
Tune File System Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
Change Hardware Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Exercise 8-3 Tune an IDE Hard Drive With hdparm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Objective 4 Tune the Network Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Change Kernel Network Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Change Your Network Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-29
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30

SECTION 9 Manage Hardware and Component Changes

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1


Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1
Objective 1 Describe the Differences Between Devices and Interfaces. . . . . . . . . . . . . . . . . . . . . . . . 9-2
Objective 2 Describe How Device Drivers Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Objective 3 Describe How Device Drivers Are Loaded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Objective 4 Describe the sysfs File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Objective 5 Describe How the SLES 9 Hotplug System Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Objective 6 Use the hwup Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11
Exercise 9-1 Trace How a Network Adapter Is Set Up With hwup and ifup. . . . . . . . . . . . 9-14
Objective 7 Add New Hardware to a SLES 9 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Add a New Drive to the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Replace a Graphics Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17
Add a New Network Adapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19

SECTION 10 Prepare for the Novell CLP Practicum

Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
Objective 1 Install and Configure SLES 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Objective 2 Configure a DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3
Objective 3 Configure a Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Objective 4 Configure a Samba File Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

APPENDIX A Novell CLP and LPI Requirements


Introduction

In the SUSE LINUX Advanced Administration (3038) course you learn the SUSE
LINUX Enterprise Server 9 (SLES 9) administration skills necessary to complete
your basic SLES 9 skill set.

These skills, along with those taught in the SUSE LINUX Fundamentals (3036) and
SUSE LINUX Administration (3037) courses, prepare you to take the Novell®
Certified Linux® Professional (Novell CLP) certification practicum test.

The contents of your student kit include the following:

• SUSE LINUX Advanced Administration Manual
• SUSE LINUX Advanced Administration Course CD
• SLES 9 VMware Server DVD
• SUSE LINUX Enterprise Server 9 CDs (CD 1 – CD 6)

The SLES 9 3038 VMware Server DVD contains a VMware Workstation SLES 9
server that you can use with the SUSE LINUX Advanced Administration Self-Study
Workbook (in PDF format on your Course CD) outside the classroom to practice the
skills you need to take the Novell CLP practicum.

Note: Instructions for setting up a self-study environment are included in the SUSE LINUX Advanced
Administration Self-Study Workbook.

If you do not own a copy of VMware Workstation, you can obtain a 30-day evaluation version
at www.vmware.com. If you want to dedicate a machine to install SLES 9, instructions are also
provided in the Self-Study Workbook.

Course Objectives
This course teaches you how to perform the following SUSE LINUX administrative
tasks for SLES 9:
1. Install SLES 9 with a custom partitioning
2. Configure the network manually
3. Configure network services
4. Secure a SLES 9 server
5. Manage backup and recovery
6. Create shell scripts
7. Compile software from source


8. Perform a health check and performance tuning
9. Manage hardware and component changes

These are tasks common to an experienced SUSE LINUX administrator in an
enterprise environment.

The final day of class is reserved for a “LiveFire” exercise that provides a set of
scenarios to test your SLES 9 administration skills and prepare you to take the Novell
CLP Practicum.

Audience
While the primary audience for this course is the current Novell CNE who has
completed courses 3036 and 3037 in the CLP curriculum, Linux professionals and
administrators with experience in other operating systems can also use this course to
help prepare for the Novell CLP Practicum.

Certification and Prerequisites


This course helps you prepare for the Novell Certified Linux Professional (Novell
CLP) Practical Test, called a practicum. The Novell CLP is an entry-level
certification for people interested in becoming SUSE LINUX administrators.

As with all Novell certifications, course work is never required. You need only
pass a Novell CLP Practicum (050-689) to achieve the certification.

The Novell CLP Practicum is a hands-on, scenario-based exam where you apply the
knowledge you have learned to solve real-life problems—demonstrating that you
know what to do and how to do it.

The practicum tests you on objectives in this course (SUSE LINUX Advanced
Administration - Course 3038) and the skills outlined in the following Novell CLP
courses:
• SUSE LINUX Fundamentals - Course 3036
• SUSE LINUX Administration - Course 3037


The following illustrates the training/testing path for Novell CLP:

Figure Intro-1: Novell Certified Linux Professional (Novell CLP): Training/Testing Path

The figure shows two entry points that lead to the same exam:
• New to Linux administration: SUSE LINUX Fundamentals (Course 3036, training opportunity)*,
then SUSE LINUX Administration (Course 3037, training opportunity)*, then SUSE LINUX
Advanced Administration (Course 3038, training opportunity)*.
• Advanced Linux administrators (previous Linux certifications): Migrating to SUSE LINUX
(Course 3019, training opportunity)*.
Both paths lead to the Novell Practicum 050-689 (required practical exam), which grants the
Novell CLP.

*Courses are not required for Novell CLP certification. Passing the Novell
Certified Linux Professional Practicum (050-689) is required.

Before attending this course, you should complete the prerequisites included in
SUSE LINUX Administration (Course 3037) or have experience managing SLES 9
servers in a networked environment.

Note: For more information about Novell certification programs and taking the Novell CLP Practicum,
see http://www.novell.com/education/certinfo.


SLES 9 Support and Maintenance

The copy of SUSE LINUX Enterprise Server 9 (SLES 9) you receive in your student
kit is a fully functioning copy of the SLES 9 product.

However, to receive official support and maintenance updates, you need to do one of
the following:
• Register for a free registration/serial code that provides you with 30 days of
support and maintenance.
• Purchase a copy of SLES 9 from Novell (or an authorized dealer).

You can obtain your free 30-day support and maintenance code at
http://www.novell.com/products/linuxenterpriseserver/eval.html.

Note: You will need to have or create a Novell login account to access the 30-day evaluation.

SLES 9 Online Resources

Novell provides a variety of online resources to help you configure and implement
SLES 9.

These include the following:

• http://www.novell.com/products/linuxenterpriseserver/
This is the Novell home page for SLES 9.
• http://www.novell.com/documentation/sles9/index.html
This is the Novell Documentation web site for SLES 9.
• http://support.novell.com/linux/
This is the home page for all Novell Linux support, and includes links to support
options such as the Knowledgebase, downloads, and FAQs.
• http://www.novell.com/coolsolutions
This Novell web site provides the latest implementation guidelines and
suggestions from Novell on a variety of products, including SUSE LINUX.


Agenda
The following is the agenda for this 5-day course:

Table Intro-1

Day    Section                                                    Duration
Day 1  Introduction                                               00:30
       Section 1: Install SLES 9                                  03:30
       Section 2: Configure the Network Manually                  02:00
Day 2  Section 3: Configure Network Services                      04:00
       Section 4: Secure a SLES 9 Server                          02:00
Day 3  Section 4: Secure a SLES 9 Server (continued)              01:00
       Section 5: Manage Backup and Recovery                      01:00
       Section 6: Create Shell Scripts                            03:00
       Section 7: Compile Software from Source                    01:30
Day 4  Section 8: Perform a Health Check and Performance Tuning   03:00
       Section 9: Manage Hardware and Component Changes           02:00
Day 5  Section 10: Prepare for the Novell CLP Practicum           06:00

Scenario
The Digital Airlines management has made the decision to migrate several back-end
services to Linux servers running SLES 9. You have already installed SLES 9 before
and are familiar with administering SLES 9 from YaST and from the command line.

To be able to implement the migration plan, you need additional experience in the
following areas:
• System settings on the configuration file level
• Network services configuration from the command line
• Applying security solutions and deploying backup and recovery
• Creating basic shell scripts and compiling software from source packages

You decide to set up a test server in the lab to enhance your skills in these areas.


Exercise Conventions
When working through an exercise, you will see conventions that indicate
information you need to enter that is specific to your server.

The following describes the most common conventions:

• italicized/bolded text. This is a reference to your unique situation, such as the
host name of your server.
For example, if the host name of your server is DA50, and you see the following,
hostname.digitalairlines.com
you would enter
DA50.digitalairlines.com
• 10.0.0.xx. This is the IP address that is assigned to your SLES 9 server.
For example, if your IP address is 10.0.0.50, and you see the following
10.0.0.xx
you would enter
10.0.0.50
• Select. The word select is used in exercise steps to indicate a variety of actions,
including clicking a button on the interface and selecting a menu item.
• Enter and Type. The words enter and type have distinct meanings.
The word enter means to type text in a field or at a command line and press the
Enter key when necessary. The word type means to type text without pressing the
Enter key.
If you are directed to type a value, make sure you do not press the Enter key or
you might activate a process that you are not ready to start.


SECTION 1 Install SLES 9

In this section, you install SUSE Linux Enterprise Server 9 (SLES 9). You also learn
how to use advanced installation options and to troubleshoot the installation process.

Objectives
1. Perform the SLES 9 Base Installation
2. Configure the SLES 9 Installation
3. Troubleshoot the Installation Process

Introduction
YaST presents an installation proposal (automatically generated during installation)
that you can accept to make installation simple and quick.

However, you also need to understand the more advanced installation options
available. By changing the following installation proposal options, you can install
servers that meet a variety of needs:
• Installation mode
• Partitioning scheme
• Software selection
• Authentication method
• Hardware setup

This section describes these and other SLES 9 installation options.


Objective 1 Perform the SLES 9 Base Installation

Installing SLES 9 consists of a base installation phase and a configuration phase.

To perform the base installation, do the following:

• Boot From the Installation Media
• Select the System Language
• Select the Installation Mode
• Understand and Change the Installation Proposal
• Partition the Hard Disk
• Select the Software
• Configure the Boot Loader
• Start the Installation Process

Boot From the Installation Media

To start the installation process, insert the SLES 9 CD 1 into the CD drive and then
reboot the computer to start the installation program.

Note: To start the installation program, your computer needs to be configured to start from a CD or
DVD drive. You might need to change the boot drive order in the BIOS setup of your system to
boot from the drive.

Consult the manual shipped with your hardware for further information.

When your system has started from the installation CD, the following appears:

Figure 1-1


You can use the arrow keys to select one of the following options:
• Boot from Hard Disk. Boots the system installed on the hard disk (the system
normally booted when the machine is started). This is the default option.
• Installation. Starts the normal installation process. All modern hardware
functions are enabled.
• Installation - ACPI Disabled. Starts the installation process with ACPI
(Advanced Configuration and Power Interface) disabled. If the normal
installation fails, the system hardware might not support ACPI. In this case, you
can use this option to install without ACPI support.
• Installation - Safe Settings. Starts the installation process with the DMA mode
and any interfering power management functions disabled. Use this option if the
installation fails with the other options.
• Manual Installation. When you select this installation mode, you can load
driver modules manually and change the advanced installation settings.
• Rescue System. Starts the SLES 9 rescue system. If you cannot boot your
installed Linux system, you can boot the computer from the CD and select this
option. This starts a minimal Linux system without a graphical user interface to
allow experts to access disk partitions for troubleshooting and repairing an
installed system.
• Memory Test. Starts a memory testing program, which tests system RAM by
using repeated read and write cycles. This is done in an endless loop, because
memory corruption often shows up sporadically and many read and write cycles
might be necessary to detect it.
If you suspect that your RAM might be defective, start this test and let it run for
several hours. If no errors are detected, you can assume that the memory is
intact. Terminate the test by rebooting the system.

Use the function keys, as indicated in the bar at the bottom of the screen, to change a
number of installation settings:
• F1. Opens context-sensitive help for the currently selected option of the boot
screen.
• F2. Selects a graphical display mode (such as 640x480 or 1024x768) for the
installation. You can select one of these or select the text mode, which is useful
if the graphical mode causes display problems.
• F3. Selects an installation media type. Normally, you install from the inserted
installation disk, but in some cases you might want to select another source, such
as FTP or NFS.
• F4. Selects an installation language.
• F5. Selects the debugging output level. By default, diagnostic messages of the
Linux kernel are not displayed during system start up. To display these
messages, select Native. For maximum information, select Verbose.
• F6. Adds a driver update CD to the installation process. You are asked to insert
the update disk at the appropriate point in the installation process.


Select the Installation option to start the installation process. If the installation fails
for some reason, try to install with the Installation - ACPI Disabled option or the
Installation - Safe Settings option.

After you select an installation option, a minimal Linux system loads to run the YaST
installation program.

Select the System Language

After YaST starts, the following appears:

Figure 1-2

Almost all YaST installation dialogs use the same format:

• The left side displays an overview of the installation status.
• From the lower left side, you can select a help button to get information about
the current installation step.
• The right side displays the current installation step.
• The lower right side provides buttons for navigating to the previous or next
installation steps, or to abort the installation.

Note: If the installation program does not detect your mouse, you can use the Tab key to navigate
through the dialog elements, the arrow keys to scroll in lists and Enter to select buttons. You can
change the mouse settings later in the installation process.

From the language dialog, select the language of your choice, and then select Accept
to continue to the next step.


Select the Installation Mode

After you have selected the installation language, the following appears:

Figure 1-3

In this dialog, YaST asks you for the installation mode. Select one of the following
options:
• New installation. Performs a normal new installation of SLES 9. This is the
default option.
• Update an existing system. Updates a previously installed SLES 8 installation.
• Repair Installed System. Repairs a previously installed SLES 9 installation.
• Boot installed system. Boots a previously installed Linux installation.
• Abort Installation. Terminates the installation process.

For a normal installation, select New Installation and then select OK to proceed to
the next step.


Understand and Change the Installation Proposal

After you select New Installation, YaST analyzes the system and creates an
installation proposal. The proposal is displayed as shown in the following:

Figure 1-4

The proposal displays all installation settings that are necessary for a base
installation. You can change these settings by selecting the following headlines
(headings):
• System. Restarts the hardware detection process and displays a list of all
available hardware components. You can select single components, view details,
or save the list to a file.
• Mode. Changes the installation mode.
• Keyboard layout. Changes the keyboard layout. YaST selects the keyboard
layout according to your language settings. Change the keyboard settings if you
prefer a different layout.
• Mouse. Changes the mouse settings. If your mouse does not work correctly, you
can select a different mouse type in this block.
• Partitioning. Changes the hard drive partitioning. If the automatically generated
partitioning scheme does not fit your needs, you can change it by selecting this
headline.
• Software. Changes the software selection. You can select or deselect software.
• Booting. Changes the boot loader setting.
• Time zone. Changes the time zone. YaST selects the time zone of the installed
system according to your language selection. Change the time zone if you prefer
a different one.


Of the settings described above, partitioning, software, and booting are discussed
next in more detail.

Partition the Hard Disk

In most cases, YaST proposes a reasonable partitioning scheme that you can accept
without change. However, you might need to change the partitioning manually if
• You want to optimize the partitioning scheme for a special purpose server (such
as a file server).
• You have more than one hard drive and want to configure RAID or LVM
devices.
• You want to delete existing operating systems so you have more space available
for your SLES 9 installation.

To partition the hard drive manually, you need to know the following:
• The Basics of Hard Drive Partitioning
• The Basic Linux Partition Scheme
• Partitioning Schemes for Different Server Types
• How to Change YaST's Partitioning Proposal
• How to Use the YaST Expert Partitioner

The Basics of Hard Drive Partitioning

Partitions divide the available space of a hard drive into smaller portions. This lets
you install more than one operating system on a hard drive or to use different areas
for programs and data.

Every hard disk has a partition table with space for four entries. An entry in the
partition table can correspond to a primary partition or an extended partition. Only
one extended partition entry is allowed.

A primary partition consists of a continuous range of cylinders (physical disk areas)
assigned to a particular operating system. If you use only primary partitions, you are
limited to 4 partitions per hard disk (because the partition table can only hold 4
primary partitions).

This is why extended partitions are used. Extended partitions are also continuous
ranges of disk cylinders, but can be subdivided into logical partitions. Logical
partitions do not require entries in the main partition table. In other words, an
extended partition is a container for logical partitions.

If you need more than 4 partitions, create an extended partition before you create the
fourth partition. This extended partition should include the entire remaining free
cylinder range. Then create multiple logical partitions within the extended partition.
The maximum number of logical partitions is fifteen on SCSI disks and 63 on
(E)IDE disks.


It does not matter which type of partitions you use on Linux systems; primary and
logical partitions both work well.
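To make the four-entry table and the extended-partition container concrete, the following Python script (an added example, not part of the course material) builds a constructed disk image in memory with three primary partitions and one extended partition holding two logical partitions, then parses the MBR and follows the EBR chain back out. The sector layout, partition type codes and the device name /dev/sda are constructed for this illustration; the parser also rejects an EBR chain that loops or points outside the extended partition.

```python
"""Walk an MBR partition table: four primary entries, one of which may be an
extended partition whose logical partitions are chained through EBR sectors.
Added example, not from the course material; the disk image, its layout, the
type codes and the device name /dev/sda are constructed for this illustration."""
import struct

SECTOR = 512
TABLE_OFFSET = 446              # the four 16-byte entries start here
SIGNATURE = b"\x55\xaa"         # boot signature in bytes 510..511
EXTENDED_TYPES = {0x05, 0x0F}   # DOS extended and Windows extended (LBA)
ENTRY_FMT = "<B3sB3sII"         # flag, CHS start, type, CHS end, LBA start, size


def make_entry(ptype, start_lba, size_sectors, bootable=False):
    """Pack one 16-byte entry (CHS fields left zero; tools rely on the LBA fields)."""
    flag = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, flag, b"\0\0\0", ptype, b"\0\0\0",
                       start_lba, size_sectors)


def make_sector(entries):
    """Build a 512-byte MBR or EBR sector from up to four entries."""
    if len(entries) > 4:
        raise ValueError("a partition table holds only four entries")
    table = b"".join(entries).ljust(64, b"\0")
    return bytes(TABLE_OFFSET) + table + SIGNATURE


def parse_entry(raw):
    flag, _, ptype, _, start, size = struct.unpack(ENTRY_FMT, raw)
    return {"bootable": bool(flag & 0x80), "type": ptype, "start": start, "size": size}


def read_table(image, lba):
    """Return the four entries of the table stored in sector `lba`."""
    sec = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(sec) != SECTOR or sec[510:512] != SIGNATURE:
        raise ValueError(f"no valid partition table at LBA {lba}")
    return [parse_entry(sec[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)])
            for i in range(4)]


def list_partitions(image, device="/dev/sda"):
    """Return (name, type, first_lba, last_lba) tuples, numbered the way the
    kernel names them: 1-4 for the main table, 5 upward for logicals."""
    result, extended = [], None
    for idx, e in enumerate(read_table(image, 0), start=1):
        if e["type"] == 0:
            continue                      # an empty slot still uses up a number
        result.append((f"{device}{idx}", e["type"], e["start"],
                       e["start"] + e["size"] - 1))
        if e["type"] in EXTENDED_TYPES:
            if extended is not None:
                raise ValueError("only one extended partition entry is allowed")
            extended = e
    if extended is None:
        return result
    ext_lo, ext_hi = extended["start"], extended["start"] + extended["size"]
    number, ebr, seen = 5, ext_lo, set()
    while True:
        # Refuse links that loop or leave the container (corrupt table).
        if ebr in seen or not ext_lo <= ebr < ext_hi:
            raise ValueError(f"EBR chain is invalid at LBA {ebr}")
        seen.add(ebr)
        data, link = read_table(image, ebr)[:2]
        if data["type"] != 0:
            start = ebr + data["start"]   # entry 1 is relative to this EBR
            result.append((f"{device}{number}", data["type"], start,
                           start + data["size"] - 1))
            number += 1
        if link["type"] == 0:
            break                         # last EBR in the chain
        ebr = ext_lo + link["start"]      # entry 2 is relative to the container
    return result


def build_sample_image(total_sectors=20480):
    """Constructed sample: /boot, swap and / as primaries, plus two logicals."""
    image = bytearray(total_sectors * SECTOR)
    ext_start, ext_size = 7063, 12000
    image[0:SECTOR] = make_sector([
        make_entry(0x83, 63, 2000, bootable=True),   # sda1: Linux, /boot
        make_entry(0x82, 2063, 1000),                # sda2: Linux swap
        make_entry(0x83, 3063, 4000),                # sda3: Linux, /
        make_entry(0x05, ext_start, ext_size),       # sda4: extended container
    ])
    # First EBR at the start of the container: entry 1 is the logical partition
    # (relative to this EBR), entry 2 links to the next EBR (relative to the container).
    ebr1 = make_sector([make_entry(0x83, 63, 5000), make_entry(0x05, 5063, 6937)])
    image[ext_start * SECTOR:(ext_start + 1) * SECTOR] = ebr1
    ebr2_lba = ext_start + 5063
    ebr2 = make_sector([make_entry(0x83, 63, 6874)])  # no entry 2: chain ends
    image[ebr2_lba * SECTOR:(ebr2_lba + 1) * SECTOR] = ebr2
    return image


if __name__ == "__main__":
    for name, ptype, first, last in list_partitions(build_sample_image()):
        print(f"{name:10} type 0x{ptype:02x}  sectors {first}-{last}")
```

Running the script lists sda1 through sda4 from the main table and sda5 and sda6 from the EBR chain, with the logical partitions occupying no slot in the main table.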

The Basic Linux Partition Scheme

The optimal partition scheme for a server depends on the purpose of the server.

A SLES 9 installation needs at least two partitions:

• Swap partition. This partition is used by Linux to move unused data from the
main memory to the hard drive. Moving unused data from the main memory to
the hard drive helps improve the performance of the system.
• Root partition. This is the partition for the operating system itself, and is
mounted under / in the installed system.

No matter what partition scheme you choose, you always need a swap partition and a
root partition.

The following guidelines help you determine the size of your root partition:
• 500 MB. This allows for a minimal installation with no graphical interface. With
this configuration, you can only use console applications.
• 700 MB. This allows for an installation with a minimum graphical interface.
This includes the X window system and a few graphical applications.
• 1.5 GB. This is the default installation proposed by YaST. This
configuration includes a modern desktop environment (such as KDE or
GNOME), and provides enough space for large application suites (such as
Netscape or Mozilla).
• 2.5 GB. This allows for a full installation, including all software packages
shipped with SLES 9.

If your server hosts data (such as a web server or a file server) you will probably need
more space on the root partition.

Partitioning Schemes for Different Server Types

It often makes sense to create more than the default Linux partitions. The following
list provides examples of partitions for different server types:
• File server. Hard disk performance is crucial for a file server. Create an extra
partition with enough space for the data that is hosted by the server.
• Web server. You should create an extra partition for the web space hosted by
the server. Make the partition large enough to hold the expected amount of
hosted data.
• Compute server. A compute server carries out extensive calculations in the
network. Fast disk throughput is only needed for the swap partitions. If possible,
use more than one swap partition and distribute swap partitions to multiple hard
disks.


• Desktop workstation. Create a separate partition for users' home directories.
This lets you reinstall the operating system without losing user data.

How to Change YaST's Partitioning Proposal

To use YaST to change the partition scheme, select the Partitioning headline in the
installation proposal. The following appears:

Figure 1-5

In the top part of the dialog, YaST displays the automatically generated partitioning
proposal. The lower part of the dialog provides the following options:
• Accept proposal as is. Accepts the partitioning scheme and returns to the main
installation proposal.
• Base partition setup on this proposal. Starts the YaST Expert Partitioner with
the partition proposal as base setup.


• Create custom partition setup. Displays the following:

Figure 1-6

In this dialog, you can select either
◦ A hard disk, to be used completely or in part, or
◦ Create custom partitioning, which opens the YaST Expert Partitioner

How to Use the YaST Expert Partitioner

When you start the YaST Expert Partitioner, the following appears:

Figure 1-7


In the top part of the dialog, YaST lists details of the current partition setup.
Depending on your previous choice, the list contains the current physical disk setup
or the partitioning proposal created by YaST.

Note: Most of the changes made with the YaST Expert Partitioner are not written to disk until the
installation process is started. You can always discard your changes by selecting Back or you
can restart the Expert Partitioner to make more changes.

The following entries are displayed for every hard disk in your system:
- One entry for the hard disk itself, which has the corresponding device name in
  the Device column (such as /dev/sda).
- One entry for every partition on the hard disk with the corresponding device
  name and the partition number in the Device column (such as /dev/sda1).

If a hard disk is not partitioned yet, you see only the entry for the hard disk itself.

Each entry in the list includes information in the following columns:

- Device. Displays the device name for the hard disk or the partition.
- Size. Displays the size for the hard disk or partition.
- F. When the character "F" is displayed in this column, the partition will be
  formatted during the installation process.
- Type. Displays the partition or hard disk type.
- Mount. Displays the mount point of a partition. For swap partitions, only the
  keyword swap is used.
- Start. Displays the start cylinder of a hard disk or partition. Hard disk entries
  always start with 0.
- End. Displays the end cylinder of a hard disk or partition.

The buttons in the lower part of the dialog let you:

- Create New Partitions
- Edit Existing Partitions
- Delete Existing Partitions
- Resize Existing Partitions

These administrative tasks are covered in more detail below.

In addition, you can do the following:

- Manage LVM Volumes
- Manage EVMS Volumes
- Manage Soft RAID Setups
- Create Crypt File Partitions
- Perform Expert Tasks


Create New Partitions

Create a new partition by selecting Create. A dialog with one of the following
options appears (the options you see depend on your hard disk setup):
- If you have more than one disk in your system, you are asked to select a disk for
  the new partition first.
- If you do not have an extended partition, you are asked if you want to create a
  primary or an extended partition.
- If you have an extended partition, you are asked if you want to create a primary
  or a logical partition.
- If you have 3 primary partitions and an extended partition, you can only create
  logical partitions.

Note: You need enough space on your hard disk to create a new partition. You learn later in this section
how to delete existing partitions to free used disk space.

If you choose to create a primary or a logical partition, the following appears:

Figure 1-8

This dialog provides the following options:

- Format. This lets you choose one of the following options:
  - Do not format. Do not format the newly created partition. Select this only if
    you need to change an existing partition instead of creating a new one.
  - Format. Formats the new partition with the file system you select from the
    File System drop-down list.
    You can choose from the following file systems:
    - Ext2. Formats the partition with the Ext2 file system. Ext2 is an old and
      proven file system, but it does not include journaling.
    - Ext3. Formats the partition with the Ext3 file system. Ext3 is the
      successor of Ext2 and offers a journaling feature.
    - FAT. Formats the partition with the FAT file system. FAT is an older
      file system used in DOS and Windows. You can use this option to create
      a data partition, which is accessible from Windows and Linux. You
      must not create a root partition with this file system.
    - JFS. Formats the partition with JFS, a journaling file system developed
      by IBM.
    - Reiser. Formats the partition with ReiserFS, a modern journaling file
      system. (This is the default option.)
    - XFS. Formats the partition with XFS, a journaling file system originally
      developed by SGI.
    - Swap. Formats the partition as a swap partition.
    If you are not sure which file system to choose, select Reiser for root and
    data partitions and Swap for swap partitions.
  - Options. By selecting Options, you can change parameters for the file
    system you selected. You can use the default parameters in most cases.
  - Encrypt file system. If you select this option, the partition file system is
    encrypted. You should only use this option for non-system partitions such as
    user home directories.
- Size. Lets you configure the size of the new partition with the following:
  - Start Cylinder. The start cylinder determines the first cylinder of the new
    partition. YaST normally preselects the first available free cylinder of the
    hard disk.
  - End. The end cylinder determines the size of the new partition. To configure
    the end cylinder, do one of the following:
    - Enter the cylinder number.
    - Enter a plus sign (+) followed by the amount of disk space for the new
      partition. Use M for MB and G for GB. YaST calculates the last
      cylinder number. For example, enter +5G for a partition size of 5 GB.
- Fstab Options. Select this option to edit the fstab entry for this partition. The
  default setting should work in most cases.
- Mount Point. Select the mount point of the new partition from this drop-down
  list. You can also enter a mount point manually if it is not available in the list.

After changing the parameters, select OK to add the new partition to the partition
list.


If you chose to create an extended partition, the following appears:

Figure 1-9

You can enter the following:

- Start cylinder. The start cylinder determines the first cylinder of the new
  partition. YaST normally preselects the first available free cylinder of the hard
  disk.
- End. The end cylinder determines the size of the new partition. To configure the
  end cylinder, do one of the following:
  - Enter the cylinder number.
  - Enter a plus sign (+) followed by the amount of disk space for the new
    partition. Use M for MB and G for GB. YaST calculates the last cylinder
    number. For example, enter +5G for a partition size of 5 GB.

After entering the size, select OK to add the new extended partition to the partition
list.
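How the End field of the Create Partition dialogs above can be turned into a last cylinder number, as an added example that is not from the course manual: the function accepts either a cylinder number or a +<size> entry with an M or G suffix, rounds the size up to whole cylinders (a partition can only end on a cylinder boundary), and rejects a partition that would run past the end of the disk. The disk geometry used (255 heads, 63 sectors per track, 512-byte sectors, last cylinder 9729) is constructed, and G is assumed to mean 1024 MB.

```python
import re

# Added example (not from the course manual): how the End field of the
# YaST Create Partition dialog maps to a last cylinder number.
# Assumptions: M means MB (1024**2 bytes), G means GB (1024**3 bytes),
# and a partition always ends on a cylinder boundary.

_SIZE_RE = re.compile(r"^\+(\d+)([MG])$")
_UNITS = {"M": 1024 ** 2, "G": 1024 ** 3}


def end_cylinder(start, end_spec, bytes_per_cylinder, last_cylinder):
    """Return the end cylinder of a new partition.

    start              first cylinder, as preselected by YaST
    end_spec           "<cylinder>" or "+<n>M" / "+<n>G"
    bytes_per_cylinder heads * sectors per track * 512 for the disk
    last_cylinder      highest cylinder number that exists on the disk
    """
    if not 0 <= start <= last_cylinder:
        raise ValueError("start cylinder %d is outside the disk" % start)
    spec = end_spec.strip().upper()
    m = _SIZE_RE.match(spec)
    if m:
        # "+5G": round the requested size up to whole cylinders
        nbytes = int(m.group(1)) * _UNITS[m.group(2)]
        cylinders = -(-nbytes // bytes_per_cylinder)     # integer ceiling
        if cylinders < 1:
            raise ValueError("requested size is smaller than one cylinder")
        end = start + cylinders - 1
    elif spec.isdigit():
        end = int(spec)
    else:
        raise ValueError("end must be a cylinder number or +<n>M / +<n>G")
    if end < start:
        raise ValueError("end cylinder %d lies before start %d" % (end, start))
    if end > last_cylinder:
        raise ValueError("partition would end at cylinder %d, disk ends at %d"
                         % (end, last_cylinder))
    return end


def partition_size_mb(start, end, bytes_per_cylinder):
    """Size in MB of a partition spanning cylinders start..end inclusive."""
    return (end - start + 1) * bytes_per_cylinder / _UNITS["M"]


if __name__ == "__main__":
    # constructed geometry: 255 heads, 63 sectors per track, 512-byte sectors
    bpc = 255 * 63 * 512
    end = end_cylinder(1, "+5G", bpc, 9729)
    print("end cylinder %d, actual size %.1f MB"
          % (end, partition_size_mb(1, end, bpc)))
```

Because the size is rounded up to whole cylinders, the partition that results from +5G is slightly larger than 5 GB; the second function shows the real size.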

Edit Existing Partitions

Select a partition from the list and select Edit. You can edit only primary and logical
partitions with the Expert Partitioner. You cannot edit extended partitions or the entry
for the full hard disk.

If you edit a primary or logical partition, a dialog appears which is very similar to the
Create Partition dialog described above. You can change all options except for the
partition size.

After changing the partition parameters, select OK to save your changes to the
partition list.

Delete Existing Partitions

To delete a partition, select a partition from the list, select Delete, and then select Yes
in the confirmation dialog. The partition is deleted from the partition list.

Remember that you also delete all logical partitions when you delete an extended
partition.


Resize Existing Partitions

Select a partition from the list and select Resize.

Note: Although you can resize a partition without deleting it to increase free space on the hard disk,
you should always back up the data on the partition before resizing it.

If the selected partitions are formatted with the FAT or NTFS file system, do the
following before resizing the partition:
- FAT file system. To save time, first run Scan Disk and Defrag to make sure the
  FAT partition is free of lost file fragments and cross links and to move files to
  the beginning of the partition.
  If you have optimized virtual memory settings for Windows so that a contiguous
  swap file is used with the same initial (minimum) and maximum size limit,
  disable them before resizing and re-enable them after the resizing has been
  completed.

  Note: If these virtual memory settings are enabled, the resizing might split the swap file into many
  small parts scattered all over the FAT partition. Also, the entire swap file would need to be
  moved during the resizing, which makes the process rather slow.

- NTFS file system. You must run Scan Disk and Defrag to move the files to the
  beginning of the partition or the NTFS partition cannot be resized.

After you select Resize, the following appears:

Figure 1-10

This dialog includes the following:

- Two bars representing the partition before and after the resizing process:
  - Now. In the Now bar, the used space is designated by dark blue and the
    available space is designated by light blue.
  - After installation. In the After Installation bar the used space is designated
    by dark blue and the free space is designated by light blue. The space that is
    available for a new partition is designated by white.
- A slider to change the size of the partition
- Two text fields that display the amount of free space on the partition being
  resized and the space available for a new partition after the resizing process
- A Do Not Resize button used to reset the partition to the original size

To resize the partition, move the slider until enough unused disk space is available for
a new partition. When you select OK, the partition size changes in the partition list.

Manage LVM Volumes

To manage LVM (Logical Volume Manager) volumes, select the LVM button in the
YaST Expert Partitioner.

Note: SLES 9 supports only LVM version 2. For this reason, references to LVM in this section always
refer to LVM version 2.

Using LVM you can create logical volumes, which spread over several physical disks
and partitions. Do not confuse logical volumes with physical, logical partitions in the
extended partition of a hard disk.

You can use a logical volume like a physical partition. You can create a file system
on the volume and mount it at a mount point of your choice.

Note: You can also use the YaST Expert Partitioner to create logical volumes after installation. There
are also command line tools for managing logical volumes. We do not recommend that you use
LVM for the root partition of a system.

You need to understand the following terms connected with logical volumes:
- Logical volume group. A logical volume group is a group of physical partitions.
  The physical partitions can be spread over different hard disks.
- Logical volume. A logical volume is a part of a logical volume group. A logical
  volume can be formatted and mounted like a physical partition.

You can think of logical volume groups as logical hard disks and logical volumes as
partitions on those logical hard disks.

Before you can create a logical volume, you always need a logical volume group.


The following shows the relationship of physical partitions, logical volume groups,
and logical volumes:

Figure 1-11 (diagram: physical partitions on Hard Disk 1 and Hard Disk 2 are combined into a Logical Volume Group, which is divided into Logical Volumes)

Logical volumes have the following advantages:

- They can be resized more easily than a physical partition.
- They can spread over multiple disks.
- You can easily add new hard disks to logical volume groups.
- You can create extremely large logical volumes.
- They provide a snapshot functionality for consistent backups.

If you select LVM in the YaST Expert Partitioner, the following appears:

Figure 1-12


You use this dialog to create a new logical volume group by entering the following:
- Volume Group Name. Enter the name of your volume group.
- Physical Extent Size. The physical extent size defines the smallest unit of a
  logical volume group, and the maximum size of a logical volume group.
  Entering a value of 4 MB allows a logical volume group of 256 GB.

If you are not sure which values to enter, use the default settings.

After you select OK, the following appears:

Figure 1-13

You can use the following options in this dialog to add physical partitions to your
logical volume group:
- Volume Group. Select the volume group from the drop-down list that you want
  to add partitions to.
- Size. Displays the current size of the selected logical volume group.
- Remove Group. Deletes the currently selected volume group. You can delete
  empty groups only.
- Add Group. Adds a logical volume group.
- Partition List. Select the partition you want to add to the volume group.
- Add Volume. Adds the selected partition to the volume group.
- Remove Volume. Removes the selected partition from the volume group.


Add partitions to your logical volume group, and then select Next to continue. The
following appears:

Figure 1-14

You can use the following options in this dialog to create logical volumes in your
logical volume group:
- Volume Group. Select the volume group from this drop-down list that you want
  to create partitions in.
- Space bar. Displays the available space of the selected volume group.
- Volume list. Displays physical partitions and logical volumes in the system.
- View all mount points. When you select this option, all partitions and volumes
  that have entries in /etc/fstab are displayed. Otherwise, only the volumes in the
  selected volume group are displayed.


- Add. Adds a new logical volume to the volume group. When you select Add,
  the following appears:

  Figure 1-15

  This dialog is similar to the Create Partition dialog in the Expert Partitioner and
  includes the following options:
  - Format. Lets you choose one of the following options:
    - Do Not Format. Do not format the newly created volume. Select this
      option only if you want to change an existing volume instead of creating
      a new one.
    - Format. Formats the new volume with the file system that you select
      from the drop-down list.
      You can choose one of the following file systems:
      - Ext2. Formats the volume with the Ext2 file system. Ext2 is a
        dependable file system, but it doesn't include journaling.
      - Ext3. Formats the volume with the Ext3 file system. Ext3 is the
        successor of Ext2 and offers a journaling feature.
      - FAT. Formats the volume with the FAT file system. FAT is used by
        older versions of DOS and Windows. You can use this option to create a
        data volume that is accessible from both Windows and Linux.
      - JFS. Formats the volume with JFS, a journaling file system developed
        by IBM.
      - Reiser. Formats the volume with ReiserFS, a modern journaling file
        system. (This is the default option.)
      - XFS. Formats the volume with XFS, a journaling file system originally
        developed by SGI.
      - Swap. Formats the volume as a swap volume.
      If you are not sure which file system to choose, select Reiser for root and
      data volumes and Swap for swap volumes.
    - Options. Select this button to change parameters for the selected file
      system. You can use the default parameters in most cases.
    - Encrypt file system. Select this check box to encrypt the file system of
      the volume. You should only use this option for non-system volumes
      like user home directories.
  - Logical volume name. Enter the name of the new logical volume.
  - Size. Enter the size of the logical volume in this field. Use M for MB and
    G for GB. For example, enter 5G for a volume size of 5 GB.
  - Max. Sets the size to the maximum available space of the volume group.
  - Stripes. If you choose a value larger than 1 from this drop-down list, every
    file written to the volume will be spread in small pieces (stripes) over all
    physical devices in the volume group.
    This enhances disk performance by using all available disks at the same
    time.
    The number of stripes you select must not exceed the number of physical
    disks in the system.
    If you need more performance than a single disk can deliver, this might be a
    good option for you. However, a real hardware RAID system is normally a
    much better choice.
  - Stripe Size. Select the size of a single stripe.
  - Fstab Options. Select this option to edit the fstab entry for this volume. The
    default setting should work in most cases.
  - Mount Point. Select the mount point of the new volume from this
    drop-down list. You can also enter a mount point manually if the mount
    point you want is not available in the list.
  After selecting all options for the new volume, select OK to add the volume.
- Edit. Change the parameters of a selected volume.
  The dialog to edit a volume has the same options as the dialog to create volumes
  (already described). You can also edit logical volumes directly from the Partition
  list in the Expert Partitioner.
- Remove. Remove a selected volume. You can also remove logical volumes
  directly from the Partition list in the Expert Partitioner.

When you are finished with the logical volume setup, select Next to save the settings
and return to the Expert Partitioner.
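The volume group rules described in this section (the physical extent as the smallest allocation unit, the 256 GB group size at 4 MB extents, volume sizes entered as 5G or 512M, the Max button, and a stripe count limited by the number of physical disks) modeled as a small allocator, as an added example that is not part of the course manual. The partition devices and sizes are constructed; the 65536-extent group limit is derived from the manual's 4 MB/256 GB figure, and where the stripes of a volume land on individual partitions is not modeled.

```python
import re

# Added example (not from the course manual): a model of the LVM volume group
# and logical volume dialogs described above.
# Assumptions: 1 GB = 1024 MB; partition sizes are whole megabytes; the group
# limit is 65536 extents, derived from the manual's "4 MB allows 256 GB";
# where the stripes of a volume land on individual partitions is not modeled.

MAX_EXTENTS = 256 * 1024 // 4          # 65536 extents per volume group
_SIZE_RE = re.compile(r"^(\d+)([MG])$")


def parse_size_mb(spec):
    """Convert a dialog entry such as "512M" or "5G" to megabytes."""
    m = _SIZE_RE.match(spec.strip().upper())
    if not m:
        raise ValueError("size must look like 512M or 5G, got %r" % spec)
    return int(m.group(1)) * (1024 if m.group(2) == "G" else 1)


class VolumeGroup:
    def __init__(self, name, pe_size_mb=4):
        self.name = name
        self.pe_size_mb = pe_size_mb      # Physical Extent Size (Figure 1-12)
        self.physical = {}                # device -> (disk, extents)
        self.volumes = {}                 # lv name -> (extents, stripes)

    # "Add Volume" in the physical partition dialog (Figure 1-13)
    def add_partition(self, device, disk, size_mb):
        if device in self.physical:
            raise ValueError("%s is already in group %s" % (device, self.name))
        extents = size_mb // self.pe_size_mb   # a partial extent is unusable
        if self.total_extents() + extents > MAX_EXTENTS:
            raise ValueError("group %s would exceed %d extents"
                             % (self.name, MAX_EXTENTS))
        self.physical[device] = (disk, extents)

    def total_extents(self):
        return sum(ext for _, ext in self.physical.values())

    def used_extents(self):
        return sum(ext for ext, _ in self.volumes.values())

    def free_mb(self):
        return (self.total_extents() - self.used_extents()) * self.pe_size_mb

    # "Add" in the logical volume dialog (Figure 1-15)
    def create_volume(self, name, size="max", stripes=1):
        """Create a logical volume; returns its size in MB."""
        if name in self.volumes:
            raise ValueError("volume %s already exists" % name)
        disks = {disk for disk, _ in self.physical.values()}
        if not 1 <= stripes <= len(disks):
            raise ValueError("stripes must be between 1 and %d, the number of "
                             "physical disks in the group" % len(disks))
        free = self.total_extents() - self.used_extents()
        if size == "max":                 # the Max button: all free space
            extents = free
        else:
            # round up to whole extents, the smallest unit of the group
            extents = -(-parse_size_mb(size) // self.pe_size_mb)
        if extents < 1:
            raise ValueError("volume %s would be empty" % name)
        if extents > free:
            raise ValueError("only %d MB free in %s, %d MB requested"
                             % (free * self.pe_size_mb, self.name,
                                extents * self.pe_size_mb))
        self.volumes[name] = (extents, stripes)
        return extents * self.pe_size_mb

    def volume_size_mb(self, name):
        return self.volumes[name][0] * self.pe_size_mb


if __name__ == "__main__":
    # constructed setup: one 20 GB partition on each of two disks
    vg = VolumeGroup("system", pe_size_mb=4)
    vg.add_partition("/dev/sda2", "sda", 20480)
    vg.add_partition("/dev/sdb1", "sdb", 20480)
    print("home:", vg.create_volume("home", "5G", stripes=2), "MB")
    print("data:", vg.create_volume("data"), "MB (Max)")
    print("free:", vg.free_mb(), "MB")
```

A request of 1M on a group with 4 MB extents yields a 4 MB volume, which is the rounding the text means when it calls the extent the smallest unit of the group.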


Manage EVMS Volumes

To manage EVMS (Enterprise Volume Management System) volumes, select EVMS
in the YaST Expert Partitioner.

EVMS is a similar approach to LVM. In their latest versions, both EVMS and LVM
use the device mapper of the kernel to manage logical volumes. However, YaST's
configuration tools are not as developed for EVMS as they are for LVM, so EVMS is
not covered in as much detail in this section.

The EVMS setup is very similar to the LVM setup with the exception that logical
volume groups are called containers in EVMS.

After selecting EVMS in the YaST Expert Partitioner, you create a container and add
physical partitions to it. Then you can create logical volumes in the container, format
them with a file system, and choose a mount point for them.

You can also use striping to enhance the performance of your EVMS volumes.

Manage Soft RAID Setups

To manage soft RAID (Redundant Array of Inexpensive Disks) setups, select RAID
in the YaST Expert Partitioner.

The purpose of RAID is to combine several hard disk partitions into one large virtual
hard disk for optimizing performance and improving data security.

There are 2 types of RAID configurations:

- Hardware RAID. Hard disks are combined by the hard disk controller. The
  operating system sees the combined hard disks as one device. No additional
  RAID configuration is necessary at the operating system level.
- Software RAID. Hard disks are combined by the operating system. The
  operating system sees every single disk and needs to be configured to use them
  as a RAID system.

Hardware RAID provides better performance and data security than software RAID,
but it is also much more expensive. Use software RAID to enhance disk performance
and security if you cannot afford a hardware RAID solution.

In this section, you learn how to set up software RAID.

You combine hard disks according to RAID levels. Using YaST you can set up RAID
levels 0, 1, and 5 (RAID levels 2, 3, and 4 are not available with software RAID):
- RAID 0. This level improves the performance of your data access. With RAID
  0, 2 hard disks are pooled together. Disk performance is very good, but the
  RAID system is vulnerable to a single point of failure. If one of the 2 disks fails,
  the system is destroyed and the data is lost.
- RAID 1. This level provides enhanced security for your data because the data is
  copied to both hard disks. This is also known as hard disk mirroring. If one disk
  is destroyed, a copy of its contents is available on the other disk.
- RAID 5. RAID 5 is an optimized compromise between RAID 0 and RAID 1 in
  terms of performance and redundancy. The data is distributed over the hard disks
  as with RAID 0, while one partition saves a checksum of the written data.
  If one hard disk fails, it must be replaced as soon as possible to avoid the risk of
  losing data. If more than one hard disk fails at the same time, the data on the
  disks is lost.

To create software RAID with YaST, do the following:

- Partition your hard disks. For RAID 0 and RAID 1, at least 2 partitions on
  different disks are needed (RAID 1 requires exactly 2 partitions); RAID 5
  requires at least 3 partitions. We recommend that you use only partitions of the
  same size.
- Set up RAID. Select RAID in the YaST Expert Partitioner to open a dialog to
  choose between the RAID levels 0, 1, and 5, and then add partitions to the new
  RAID.
  Choose a file system and a mount point for your RAID. By changing the chunk
  size, you can fine tune the RAID performance.
  Select Persistent Superblock to ensure that the partitions are recognized as
  RAID when booting.
  After finishing the configuration, the RAID partitions appear in the partition list
  of the Expert Partitioner.
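The partitioning rules above applied to a candidate member list, as an added example that is not part of the course manual: it rejects plans that break the stated partition counts or place two members on the same physical disk, warns about members of unequal size, and reports the usable capacity and the number of disk failures the array survives. The partition list and sizes are constructed; RAID 0 is assumed to use the full size of every member, while RAID 1 and RAID 5 are bounded by the smallest one.

```python
# Added example (not from the course manual): checks a software RAID plan
# against the rules stated above and reports what the array would deliver.
# Assumptions: RAID 1 is the two-partition mirror the text describes; the
# capacity of a RAID 1 or RAID 5 array is bounded by its smallest member,
# while RAID 0 uses the full size of every member.

# level: (minimum number of partitions, maximum number or None)
RAID_RULES = {0: (2, None), 1: (2, 2), 5: (3, None)}

# how many member disks may fail before the data is lost
FAILURES_TOLERATED = {0: 0, 1: 1, 5: 1}


def validate_raid(level, members):
    """members: list of (device, disk, size_mb). Returns a list of warnings.

    Raises ValueError for plans YaST would not accept or that defeat the
    purpose of the level (two members on the same physical disk).
    """
    if level not in RAID_RULES:
        raise ValueError("YaST software RAID offers levels 0, 1 and 5 only")
    lo, hi = RAID_RULES[level]
    if len(members) < lo:
        raise ValueError("RAID %d needs at least %d partitions" % (level, lo))
    if hi is not None and len(members) > hi:
        raise ValueError("RAID %d takes exactly %d partitions" % (level, hi))
    disks = [disk for _, disk, _ in members]
    if len(set(disks)) != len(disks):
        raise ValueError("each member must lie on a different disk: %s" % disks)
    warnings = []
    if len({size for _, _, size in members}) > 1:
        warnings.append("member partitions differ in size; the manual "
                        "recommends partitions of the same size")
    return warnings


def raid_capacity_mb(level, members):
    """Usable capacity of the array in MB (after validation)."""
    validate_raid(level, members)
    sizes = [size for _, _, size in members]
    if level == 0:
        return sum(sizes)                       # striping, no redundancy
    if level == 1:
        return min(sizes)                       # mirror: one copy's worth
    return (len(sizes) - 1) * min(sizes)        # RAID 5: one member for parity


def failures_tolerated(level):
    return FAILURES_TOLERATED[level]


def describe_plan(level, members):
    """One-line summary for reviewing a plan before the installation starts."""
    warnings = validate_raid(level, members)
    text = ("RAID %d over %d partitions: %d MB usable, survives %d disk failure(s)"
            % (level, len(members), raid_capacity_mb(level, members),
               failures_tolerated(level)))
    return text + "".join("\n  warning: " + w for w in warnings)


if __name__ == "__main__":
    # constructed plan: a 10 GB partition on each of three disks
    plan = [("/dev/sda3", "sda", 10240), ("/dev/sdb3", "sdb", 10240),
            ("/dev/sdc3", "sdc", 10240)]
    print(describe_plan(5, plan))
    print(describe_plan(1, plan[:2]))
```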

Create Crypt File Partitions

By selecting Crypt File, you can create an encrypted file system within a file. This
file can be mounted and used like a normal partition.

You can use a crypt file to securely store confidential data on your computer.

We do not recommend that you create crypt files during the installation process, as
the file systems to create the crypt file on are not yet available.

To create a crypt file, start the YaST Partitioning Module after the installation process
has finished.

Perform Expert Tasks

When you select Expert, the following options are available:

- Reread the partition table. Resets the partition list to the actual physical disk
  setup. All changes will be lost.
- Import mount points from existing /etc/fstab. Scans the hard disks for an
  /etc/fstab file. You can load this file and set the mount points accordingly.
- Delete partition table and disk label. Deletes the partition table and the disk
  label of the selected hard disk. All data on that disk will be lost.

When you finish configuring settings in the Expert Partitioner, return to the
installation proposal by selecting Next.


Select the Software

SLES 9 contains a number of software packages for various application purposes.
Instead of selecting needed packages one by one, you can select from four system
types with various installation scopes.

Depending on the available disk space, YaST selects one of the following predefined
systems and displays it in the installation proposal:
- Minimal System (recommended only for special purposes). This includes the
  core operating system with various services, but without any graphical user
  interface. Select this system type for servers that require little direct user
  interaction.
- Minimal Graphical System (without KDE). If you do not want the KDE
  desktop or if there is insufficient disk space, install this system type. The
  installed system includes the X Window System and a basic window manager.
  You can use all programs that have a graphical user interface.
- Default System (with KDE). This system type includes the KDE desktop, most
  of the KDE programs, and the CUPS print server. If possible, YaST selects this
  system type by default.
- Full Installation. This system type includes all packages that ship with SLES 9,
  except those that create dependency conflicts.

You need to understand the following terms to understand YaST software
management:
- Package. An RPM file, which is available on the SLES 9 installation media. A
  package typically contains an application and all additional files required to use
  the software.
  Sometimes larger applications can be split into multiple packages and several
  small applications can be bundled into a single package.
- Dependencies. Sometimes one software package needs another one to run.
  These dependencies are stored in the RPM packages. YaST can automatically
  select software packages when another package requires them.

When you select Software in the installation proposal, a dialog appears that lets you
change the preselected system type to a different one.


Select Detailed selection to start the YaST Package Manager:

Figure 1-16

You can select the following options in this dialog to configure software selections:
- Filter. The Package Manager can display different views of the available
  software packages. These views are displayed in the area below the drop-down
  list and include the following:
  - Selection. Displays the packages in logical selections. All packages in the
    selection can be installed by selecting the check box.
  - Package Groups. Displays the packages in a hierarchical tree view.
  - Search. Displays a search dialog to search for packages.
  - Installation Summary. Displays a summary of the packages selected for
    installation.
- Individual package list. Individual packages are listed on the right side of the
  Package Manager window. The content of this list depends on the filter selection.
  You can install a package by selecting the check box for that package.
  Details for the currently selected package are displayed below the package list.
- Disk usage. The disk usage of the currently selected software package is
  displayed in the lower left corner of the Package Manager window.
- Check Dependencies. Select this option to check the dependencies of the
  selected packages. This check is also done when you confirm the package
  selection dialog.
- Autocheck. If this check box is selected, dependencies are checked every time
  you select or deselect a package.

Confirm your package selection and return to the installation proposal by selecting
Accept.


Configure the Boot Loader

During installation, YaST proposes a boot configuration for your system. Normally,
you should leave these settings unchanged. However, if you need a custom setup, you
can modify the proposal.

To change the configuration of the boot loader, select Booting in the installation
proposal to display the following:

Figure 1-17

This dialog lists the current boot loader configuration settings with 3 columns for
each setting:
- Ch. Indicates whether an entry has been changed.
- Option. Displays the boot loader option.
- Value. Displays the value of the option.

Below the list, there are several buttons:

- Add. Adds an additional option.
- Edit. Edits the selected option.
- Delete. Deletes an option.
- Reset. Provides the following options:
  - Propose New Configuration. Generates a new configuration suggestion.
    Older Linux versions or other installed operating systems are added to the
    boot menu.
  - Start from Scratch. Enables you to create the entire configuration from
    scratch. No suggestions are generated.
  - Propose and Merge with Existing GRUB Menus. If another Linux version
    is installed on the system, the boot menu can be transferred from that
    installation. You cannot do this if LILO is used as boot loader.


You can use Edit Configuration Files to edit the configuration files in a text editor.
When you finish, save your changes by selecting OK.

For less experienced users, the configuration with YaST is easier than editing the files
directly. Select a boot loader option in the list and select Edit to open a dialog to
change the settings. Confirm the changes and return to the Boot Loader Setup menu
by selecting OK.

The available options in the Boot Loader Setup dialog depend on the boot loader
used. The following introduces some options of the default boot loader GRUB:
- Boot Loader Type. Use this option to switch between GRUB and LILO. You
  can also create a new configuration from scratch or generate and edit a
  suggestion for a configuration.
- Boot Loader Location. Use this dialog to define where to install the boot
  loader:
  - In the master boot record (MBR)
  - In the boot sector of the boot partition (if available)
  - In the boot sector of the root partition
  - On a floppy disk
  - Use Others to manually specify a different location
- Disk Order. If your computer has more than one hard disk, specify the boot
  sequence of the disks as defined in the BIOS setup of the machine.
- Default Section. Sets the kernel or operating system that should be booted by
  default. The selected system is booted after a timeout. Select Edit to display a
  list of all boot menu entries. Select an entry from the list and select Set as
  Default.
- Available Sections. Lists all existing entries of the boot menu.
- Activate Boot Loader Partition. Activates the partition whose boot sector holds
  the boot loader.
- Replace Code in MBR. Specifies whether to overwrite the MBR. This might be
  necessary if you have changed the location of the boot loader.
- Back up Affected Disk Areas. Backs up the changed hard disk areas.
- Add Saved MBR to Boot Loader Menu. Adds the backed up MBR to the Boot
  Loader menu.

Use Time-out to define how many seconds the boot loader should wait for keyboard
input before the default system is booted. You can specify a number of other options
with Add. However, these options require a thorough understanding of the boot
loader and are not covered here.

After finishing the boot loader configuration, return to the installation proposal by
selecting Finish.

Version 2 Copyright © 2010 Novell, Inc. Copying or distributing all or part of this manual is protected by 1-27
a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported license.
SUSE LINUX Advanced Administration

Start the Installation Process

After customizing the installation proposal, select Accept. A dialog appears asking
you to confirm the proposal. Start the installation process by selecting Yes, install;
return to the installation proposal by selecting No.

Before installing software packages, YaST changes the hard disk partitioning.

Depending on your software selection and the performance of your system, the
installation process takes 15–45 minutes.

During the installation, YaST asks you to change the installation CDs. Insert the
requested CD and continue the installation by selecting OK.

After all software packages are installed, YaST reboots the computer and lets you
make configuration changes.

Objective 2 Configure the SLES 9 Installation

In this part of the installation process, you use YaST to perform the following
configuration tasks:
• Set the root Password
• Configure the Network
• Test the Internet Connection
• Perform an Online Update
• Manage Users
• Configure Network Services
• Configure Hardware
• Finalize the Installation Process

Set the root Password

root is the name of the superuser, the administrator of the system. Unlike regular
users, who might not have permission to do certain things on the system, root has
unlimited power to do anything, including the following:
• Access every file and device in the system
• Change the system configuration
• Install programs
• Set up hardware

The root account should only be used for system administration, maintenance, and
repair. Logging in as root for daily work is risky: a single mistake can lead to
irretrievable loss of many system files.

To let you set the root password during the installation process, YaST displays the
following:

Figure 1-18

Enter the same password in both text fields of the dialog.

You should choose a password that cannot be guessed easily. Use numbers, lowercase
and uppercase characters so that the password is not vulnerable to dictionary
(word-book) attacks.

By selecting Expert Options, you can choose the password encryption algorithm. In
most cases, you use the default settings.

After entering the root password, continue to the next configuration step by selecting
Next.

Configure the Network

To let you configure the network connection of your system, YaST displays the
following:

Figure 1-19

In the top part of the dialog, you can choose one of the following options:
• Skip Configuration. Skip the network configuration for now. You can configure
the network connection later in the installed system.
• Use Following Configuration. Use the network configuration proposal
displayed in the area below.

The network configuration proposal is similar to the installation proposal at the
beginning of the base installation, and includes the following entries:
• Network Interfaces. Displays the configuration of the network interfaces (such
as Ethernet or a Wireless-LAN adapter).
• DSL Connections. Displays the configuration of DSL devices. These can be
DSL modems connected with an Ethernet adapter or internal DSL modems.
• ISDN Adapters. Displays the configuration of ISDN devices.
• Modems. Displays the configuration of analog modems.
• Proxy. Displays the HTTP and FTP proxy settings.
• VNC Remote Administration. Displays the configuration of remote
administration using VNC.

You can change a configuration by selecting the headline of the entry or by selecting
the entry from the Change drop-down list. The Change drop-down list also lets you
reset all settings to the defaults generated by YaST.

If you are not sure which settings to use, stay with the defaults generated by YaST.

Configure Network Interfaces

After starting the network interface configuration, YaST displays a general network
configuration dialog. The top part lists all network cards that were detected but are
not configured yet. Devices that could not be detected are listed as Other (not
detected).

The bottom part of the dialog lists the configured devices.

At this point, you can do one of the following:
• Configure a Network Card Manually
• Change an Existing Configuration

Configure a Network Card Manually

If you want to configure a network card that was not automatically detected, select
Other (not detected) to display the following:

Figure 1-20

From this dialog, you can configure the following:
• Device Type. Specifies the network device type and the device number.
• Kernel Module. If your network card is a PCMCIA or USB device, select the
corresponding check boxes and confirm by selecting Next.
Otherwise, select Select from List and select your network card from the list.
YaST automatically loads the appropriate driver for the selected card. Confirm
by selecting Next.

• Wireless Settings. If you are within the reach of a wireless network and your
network card is designed for this wireless network type, select Wireless Settings
to set the operating mode, the network name (ESSID), the network identifier
(NWID), the encryption key, and a nickname.
After setting these options, confirm by selecting OK.

When you are finished with this dialog, select Next.

Change an Existing Configuration

After configuring a network card manually, or selecting an automatically detected
card, the Network Setup dialog appears with the following options:
• Automatic Address Setup (via DHCP). If your network has a DHCP server,
you can set up your network address automatically. You should also use this
option if you are using a DSL line with no static IP address assigned by the ISP.
If you decide to use DHCP, you can configure the details after selecting DHCP
Client Options from the Advanced drop-down list. Specify whether the DHCP
server should always broadcast its responses and any identifier to use.
By default, DHCP servers use the network card's hardware address to identify an
interface. If you have a virtual host setup where different hosts communicate
through the same interface, an identifier is necessary to distinguish them.
• Static Address Setup. If you have a static address, select the corresponding
check box. Then enter the address and subnet mask for your network. The preset
subnet mask should match the requirements of a typical home network.
• Host name and name server. Select this option to set the host name and the
name server manually.
• Routing. Select this option to configure routing manually.

Confirm the network device setup and return to the network device overview by
selecting Next. Then save the network device setup and return to the network
configuration proposal by selecting Finish.

After finishing the Network Configuration, select Next.

Test the Internet Connection

YaST then asks you to test your connection to the Internet. Select one of the
following options:
• Yes, Test Connection to the Internet. YaST tries to test the Internet connection
by downloading the latest release notes and checking for available updates.
If you select this option, the results are displayed on the next dialog.
• No, Skip This Test. Skip the connection test. If you skip the test, you can't
update the system during installation.

Select one of the options and select Next.

Perform an Online Update

If the Internet connection test was successful, you can select whether to perform a
YaST online update. If there are any update packages available on the SUSE update
servers, you can download and install them now to fix known bugs or security issues.

To perform the software update, select Perform Update Now, and then select OK.
YaST's online update dialog opens with a list of available patches (if any). Select
the patches you want to install, and then start the update process by selecting
Accept.

You can also select Skip Update to perform the update later in the installed system.

Configure Network Services

In the next installation step, YaST displays the Service Configuration dialog.

In the top part of the dialog, you can choose one of the following options:
• Skip Configuration. Skip this configuration step. You can enable the services
later in the installed system.
• Use Following Configuration. Use the automatically generated configuration
displayed below this option or select one of the following headlines to change
the configuration:
◦ CA Management. The purpose of a CA (certificate authority) is to
guarantee a trust relationship among all network services that communicate
with each other.
If you decide that you do not want to establish a CA, you must secure server
communications using SSL and TLS separately for each individual service.
By default, a CA is created and enabled during the installation.
◦ LDAP Server. You can run an LDAP service on your host to have a central
facility managing a range of configuration settings. Typically, an LDAP
server handles user account data, but with SLES 9, you can also use LDAP
for mail, DHCP, and DNS related data.
By default, an LDAP server is set up during installation. If you decide not to
use an LDAP server, the YaST mail server module does not work because it
depends on LDAP. However, you can still set up a mail server on your
system using the Mail Transfer Agent module.

If you are not sure about the correct settings, keep the defaults generated by YaST.
You can change the configuration later in the installed system.

When you are finished, select Next.

Manage Users

To manage users during this configuration step, do the following:
• Select the Authentication Method
• Add Users to the Systems

Select the Authentication Method

YaST displays the following dialog to configure the authentication method:

Figure 1-21

You can select one of the following options:
• NIS. If you have a NIS server in your network, you can configure your system as
a NIS client.
• LDAP. If you have an LDAP server in your network, you can configure your
system as an LDAP client. You can also use the previously started LDAP server
on the local host.
• Local (/etc/passwd). Select this option to configure the system to use the
traditional file-based authentication method.

If you are not sure which method to select, stay with LDAP, which is the default for
SLES 9.

After selecting an authentication method, select Next.

Add Users to the Systems

Depending on which authentication method you select, you use one of the following
to add users to the system:
• Configure the Host as a NIS Client
• Configure the System as LDAP Client
• Add Local Users

Configure the Host as a NIS Client

If you chose NIS as the authentication method, the following appears:

Figure 1-22

From this dialog, you can set up your system as a NIS client with the following options:
• NIS client. Select whether the host has a fixed IP address or is assigned an IP
address by DHCP. If you select DHCP, you cannot specify an NIS domain or an
NIS server address manually, because these are provided by the DHCP server.
If a static IP address is used, specify the NIS domain and the NIS server
manually.
To search for NIS servers broadcasting in the network, select Find.
For each domain, select Edit to specify several server addresses or enable the
broadcast function on a per-domain basis.
• Expert. Select this option to display the Expert Settings dialog.
Select Answer to the Local Host Only to prevent other network hosts from
being able to query which server your client is using.
Select Broken Server to accept responses from servers on unprivileged ports.

• Start Automounter. If your NIS server provides information about the
automatic mounting of file systems (such as home directories), you can start the
automounter and use this information for it.

After configuring the NIS client settings, select Finish.

Configure the System as LDAP Client

If you select LDAP as authentication method, the following appears:

Figure 1-23

From this dialog, you can configure your system as an LDAP client. The default
configuration uses the locally installed LDAP server.

You can change the configuration with the following options:
• LDAP client. You can configure the following:
◦ LDAP base DN. Enter the search base on the server.
◦ Addresses of LDAP Servers. Enter the address of the LDAP server.
◦ LDAP TLS/SSL. Select this option to encrypt the communication with the
LDAP server.
◦ LDAP Version 2. Select this option if your LDAP server only supports LDAP
version 2. By default, LDAP version 3 is used.
• Start Automounter. If your LDAP server provides information about the
automatic mounting of file systems (such as home directories), you can start the
automounter and use the automount information from the LDAP server.
• Advanced Configuration. Select this option to change advanced LDAP
settings.

If you are not sure how to configure the LDAP setting and you want to use the locally
installed LDAP server, keep the default settings.

When you have finished the LDAP configuration, select Next.

A dialog appears to add a user to the local LDAP server; it contains the same fields
as the Add Local Users dialog.

Add Local Users

If you select Local as the authentication method, the following appears:

Figure 1-24

You can use the following in this dialog to add local users to the system (account
information is stored in the files /etc/passwd and /etc/shadow):
• User Data. Enter the full user name, the login name, and the password.
To provide effective security, a password should be 5-8 characters long. The
maximum length for a password is 128 characters. However, if no special
security modules are loaded, only the first eight characters are used to discern the
password.
Passwords are case-sensitive. Special characters are allowed, but they might be
hard to enter depending on the keyboard layout. Other special characters (such as
7-bit ASCII) and numbers 0-9 are allowed.
• Password Settings. Select this option to change advanced password settings
(such as password expiration). The default settings are suitable in most cases.
• Details. Select this option to edit details of the user account. The default settings
are suitable in most cases.
• Receive System Mail. Select this option to forward all emails to this user.
Usually system notifications are only sent to the root user.

• Automatic Login. Select this option to enable automatic login for this user. This
option logs in the user automatically (without requesting a password) when the
system starts.
You should not enable this feature on a production system.
• User Management. Select this option to add more users (with the YaST User
Management module).

Note: You can add other users later (after installation), but you should create at least
one user during installation so you don't have to work as the user root after the
system has been set up.

After you enter all required information, select Next.
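The points made above about password storage (the choice of encryption algorithm in Expert Options, the eight-character limit of the traditional crypt hash, and password expiration) can be checked after installation in the account data that lands in /etc/shadow. The following audit script is an added example and not part of the Novell courseware; the shadow records it scans are constructed placeholders, and the hash prefixes it recognises are an assumption listed in the script.

```python
"""Audit /etc/shadow-style records for weak password storage settings.

Added example, not part of the courseware. It flags the conditions the text
describes: a legacy DES crypt hash protects only the first eight characters
of a password, an empty hash field lets anyone log in without a password,
and a maximum age of 99999 days (or none) means the password never expires.
"""
from dataclasses import dataclass
from typing import Dict, List

# Field order of one /etc/shadow line, as documented in shadow(5).
FIELDS = ("name", "hash", "lastchange", "min", "max", "warn",
          "inactive", "expire", "reserved")

# Hash prefixes written by crypt(3) on SLES 9 era systems (assumed table).
HASH_KINDS: Dict[str, str] = {
    "$1$": "md5", "$2a$": "blowfish", "$5$": "sha256", "$6$": "sha512",
}


@dataclass
class Finding:
    user: str
    severity: str   # "high" or "medium"
    message: str


def hash_kind(hash_field: str) -> str:
    """Classify the second field of a shadow record."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("!", "*")):
        return "locked"          # account cannot log in with a password
    for prefix, name in HASH_KINDS.items():
        if hash_field.startswith(prefix):
            return name
    # Traditional DES crypt: 2-character salt plus 11 characters, no '$'.
    if len(hash_field) == 13 and "$" not in hash_field:
        return "des"
    return "unknown"


def audit_shadow_line(line: str) -> List[Finding]:
    """Return the findings for a single shadow record."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        return [Finding(parts[0], "medium", "malformed record")]
    rec = dict(zip(FIELDS, parts))
    user = rec["name"]
    findings: List[Finding] = []
    kind = hash_kind(rec["hash"])
    if kind == "empty":
        findings.append(Finding(user, "high",
                                "no password set; any login succeeds"))
    elif kind == "des":
        findings.append(Finding(user, "high",
                                "DES crypt hash: only the first 8 password "
                                "characters are checked"))
    elif kind == "unknown":
        findings.append(Finding(user, "medium", "unrecognised hash format"))
    # Expiry only matters for accounts that can actually authenticate.
    if kind not in ("locked", "empty"):
        max_age = rec["max"]
        if max_age == "" or (max_age.isdigit() and int(max_age) >= 99999):
            findings.append(Finding(user, "medium", "password never expires"))
    return findings


def audit_shadow(text: str) -> List[Finding]:
    """Audit every non-empty line of a shadow file's contents."""
    out: List[Finding] = []
    for line in text.splitlines():
        if line.strip():
            out.extend(audit_shadow_line(line))
    return out


# Constructed sample records (not from a real system). The hash strings are
# placeholders shaped like the real formats, not hashes of any password.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:14620:0:99999:7:::
geeko:xyABCDEFGHIJK:14620:0:90:7:::
guest::14620:0:99999:7:::
daemon:*:14620:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.severity:6} {f.user:8} {f.message}")
```

Run against the real file as root (`python3 audit.py < /etc/shadow` after replacing SAMPLE_SHADOW with `sys.stdin.read()`); any "high" finding for root should be fixed before the machine is put on the network.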

Configure Hardware

Next, you configure the system hardware from the following dialog:

Figure 1-25

The configuration proposal contains the following items:
• Graphics Cards. Displays the graphic card and monitor setup.
• Printers. Displays the printer and printer server settings.
• Sound. Displays the configuration of the sound card.

To change the automatically generated configuration, select the headline of the item
you want to change, or select the corresponding entry in the Change drop-down list.

You can also use the Change drop-down list to reset all settings to the automatically
generated configuration proposal.

You can skip the hardware configuration at this time and configure your devices later
in the installed system. However, if the settings of the graphics card in the
configuration proposal are not correct, you should change them now to avoid
problems during the first system start.

Configure the Graphics Card

If you select the headline Graphics Cards, YaST starts the SaX2 configuration tool
to configure the graphics card settings. The following appears:

Figure 1-26

In the left navigation bar, the following main items are displayed:
• Display. Configure your monitor, graphics card, color depth, resolution, and the
position and size of the screen.
• Input Devices. Configure the keyboard, mouse, touchscreen monitor, and
graphics tablet.
• Multihead. Configure multiple screens.
• AccessX. Configure AccessX to control the mouse pointer with the keyboard.

The first three items have subitems that are displayed on the right side of the dialog;
you can also access them by selecting the + character in front of each item.

In most cases, the automatically generated configuration is correct, although you
might need to do the following:
• Change the Monitor Settings
• Change the Color Depth and Resolution Settings

Change the Monitor Settings

If the installation does not detect your monitor, you can change the monitor model.

Select Display on the left side of the dialog; then select Monitor on the right side of
the dialog. At the bottom of the dialog, change the monitor settings by selecting
Change Configuration.

On the next dialog, select Properties. The following appears:

Figure 1-27

The dialog has three tab pages:
• Monitor-Model. Select your monitor model on this page. If your model is not
listed, you can also select one of the VESA or LCD standard settings.
• Frequencies. The frequency settings are usually determined by the chosen
monitor model. If those settings are not correct, you can change them manually.

Note: Make sure that the frequency settings are within the limits of your monitor.
Your monitor could be ruined if you use inappropriate settings.

• Expert. You can change some expert settings like the Modeline Algorithm or
the Display size.

After selecting the correct monitor model, return to the overview by selecting OK
and Finish.

Change the Color Depth and Resolution Settings

You can change the color or resolution settings by selecting Desktop and Color and
Resolution.

From the next dialog, select Properties. The following appears:

Figure 1-28

The dialog provides the following tab pages:
• Colors. Select the color resolution from the drop-down list.
• Resolution(s). Select one or more resolutions from the list. The graphic engine
always starts with the highest selected resolution. You can change to lower
selected resolutions during runtime.
• Expert. You can add user defined resolutions to the Resolutions list. This can be
useful for nonstandard sized displays or monitors.

Note: Make sure that your monitor can handle all of the selected resolutions.
Otherwise your monitor could be ruined when the graphic engine starts up.

Change the color and resolution settings; then return to the configuration overview
by selecting OK and Finish.

Select Finalize after making all changes. Confirm the next dialog by selecting Test.

The X Server starts up and the following appears:

Figure 1-29

You can use this dialog to fine tune the X Server settings such as changing the
position and the size of the displayed area.

When you are done, select Save.

Finalize the Installation Process

Confirm your hardware settings by selecting Next, and then select Finish. The
system starts the graphical login screen, where you can log in with your previously
created user. SLES 9 is installed on your system.

Objective 3 Troubleshoot the Installation Process


SLES 9 has been installed and tested on many different machines and hardware
platforms. However, sometimes problems can occur.

The following table contains an overview of the most common installation problems,
possible causes, and solutions:

Table 1-1

Problem: The system does not start from the installation media.
Cause: The system is not configured to boot from the CD or DVD drive.
Solution: Enter the BIOS setup of the system and choose the CD or DVD drive as the
first boot drive. Read the system manual for details about the BIOS setup.
Cause: The CD or DVD drive is defective.
Solution: Try to boot a different system with SLES 9 CD 1. If it works, the CD or
DVD drive of the actual system might be defective.
Cause: The installation CD or DVD is defective.
Solution: If the installation CD does not boot on a different system, the CD or DVD
itself could be defective. Contact your reseller to exchange the SLES 9 CD or DVD
set.

Problem: The installation program does not start.
Cause: Your system does not support newer hardware features correctly.
Solution: Select Installation – ACPI Disabled. If that doesn't fix the problem, select
Installation – Safe Settings from the Boot menu of the CD or DVD.
Cause: Your system has less than 256 MB of main memory.
Solution: Install at least 256 MB of main memory and start the installation again.

Problem: The installation process stops.
Cause: Your system does not support newer hardware features correctly.
Solution: Select Installation – ACPI Disabled. If that doesn't fix the problem, select
Installation – Safe Settings from the Boot menu of the CD or DVD.
Cause: The installation CD or DVD is defective.
Solution: If the installation process also stops on a different system, the CD or DVD
could be defective. Contact your reseller to exchange the SLES 9 CD or DVD set.

Table 1-1 (continued)

Problem: The network connection test or Online Update fails.
Cause: There is no DHCP server in the network.
Solution: If you configured your network card to use DHCP, assign a static IP address
and configure routing and DNS settings manually.
Cause: There is no route to the Internet.
Solution: Set the default gateway correctly.
Cause: The system is using the wrong proxy settings.
Solution: Set the right proxy configuration in the network configuration dialog.
In all of these cases, you can also skip the connection test and the Online Update and
perform an Online Update in the installed system.

Problem: The graphical login does not appear after the installation is completed.
Cause: You are using the wrong X11 configuration.
Solution: Change to a text terminal and change to run level 3. Start SaX2 from the
command line and correct the X11 configuration. Change back to run level 5 to get a
graphical login screen.

Exercise 1-1 Install SLES 9

In this exercise, you install SLES 9 by doing the following:
• Part I: Boot From the Installation Media
• Part II: Start the Installation Proposal
• Part III: Configure the Partitions for Your Hard Drive
• Part IV: Add Compiler and Development Tools to the Software Selection
• Part V: Start the Installation Process
• Part VI: Set the root Password
• Part VII: Set Up the Network Connection
• Part VIII: Set Up Services and Users
• Part IX: Configure Hardware Devices
• Part X: Configure NTP
• Part XI: Update Your SLES 9 Server With YOU

Part I: Boot From the Installation Media

Do the following:
1. Turn on the computer.
2. Insert SLES 9 CD 1 into the CD-ROM drive.
3. Reboot the computer by selecting the Reset button or by pressing Ctrl+Alt+Del.
4. (Conditional) If your computer does not boot from the CD-ROM drive, adjust the
BIOS settings and reboot the computer.
5. When the GRUB installation screen appears, select Installation with the arrow
keys and press Enter.

Part II: Start the Installation Proposal

Do the following:
1. When YaST displays the Novell Software License Agreement, select I Agree.
2. From the language selection dialog, select your language; then select Accept.

Note: Although you can select any available language, the exercises in this manual are
written for English US.

3. (Conditional) If an installation mode dialog appears, select New installation; then
select OK.
An Installation Settings proposal dialog appears.

4. Scroll down to and select Keyboard layout.
5. Select your keyboard layout; then select Accept.
You are returned to the Installation Proposal dialog.
6. Scroll down to and select Time zone.
7. Select your region; then select your time zone.
8. Make sure that the hardware clock is set to UTC; then select Accept.

Part III: Configure the Partitions for Your Hard Drive

Do the following:
1. Change the partitioning settings by scrolling to and selecting Partitioning.
2. Select Create custom partition setup; then select Next.
3. Select Custom partitioning -- for experts; then select Next.
4. Delete existing partitions:
a. From the Expert Partitioner dialog, check for any existing partitions in the
partition list.
b. If there are partitions, select the hard disk entry of the corresponding
partitions (such as hda or hdc).
c. Delete all existing partitions on the selected hard disk by selecting Delete.
d. When you are asked to confirm the deletion, select Yes.
e. (Conditional) If there is more than one hard disk containing partitions in the
system, repeat Steps b, c, and d until only the hard disk entries are left in the
list.
5. Create a swap partition:
a. From the partition list, select the hard drive entry; then select Create.
If you have more than one hard disk, select the larger disk.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +512M.
d. From the File system drop-down list, select Swap.
e. Add the swap partition by selecting OK.
6. Create the root partition:
a. Select the same hard disk you used for the swap partition; then select Create.
b. Select Primary partition; then select OK.
c. In the End field of the size settings enter +6GB.
d. Make sure that the following options are set:
◦ Reiser should be selected from the File system drop-down list.
◦ / should be selected from the Mount Point drop-down list.
e. Add the root partition by selecting OK.

7. Create a partition for the directory /srv (used in the Apache and Samba server
exercises):
a. Select the same hard disk you used for the swap and root partitions; then
select Create.
b. Select Primary partition; then select OK.
Leave the size settings as suggested by YaST. The last partition will use the
rest of the available hard disk space.
c. Make sure that the File system drop-down list is set to Reiser.
d. From the Mount Point drop-down list, select /srv.
e. Add the /srv partition by selecting OK.
8. Confirm the partitioning setup and return to the installation proposal by selecting
Next.

Part IV: Add Compiler and Development Tools to the Software Selection

Do the following:
1. From the installation proposal dialog, scroll to and select Software.
2. Select Detailed selection.
3. In the list on the left side of the package selection dialog, select C/C++ Compiler
and Tools.
4. Return to the installation proposal by selecting Accept.

Part V: Start the Installation Process

Do the following:
1. From the installation proposal, select Accept.
2. From the confirmation dialog, select Yes, install.
YaST asks you to change CDs during the installation process.
3. Insert each requested CD and select OK.

Part VI: Set the root Password

Do the following:
1. In the first field, enter novell.
2. In the second field, enter novell.
3. Continue by selecting Next.
You are warned that the password is too simple.
4. Continue by selecting Yes.
You are warned that you are using only lowercase letters.
5. Continue by selecting Yes.

Part VII: Set Up the Network Connection

Do the following:
1. Before setting up your network connection, fill in the IP address and Host name
for your computer assigned to you by the instructor:
q IP address:
q Network mask: 255.255.255.0
q Host name:
q Domain name: digitalairlines.com
q Name server: 10.0.0.254
q Default gateway: 10.0.0.254
2. From the Network Configuration proposal, select Network Interfaces.
3. Do one of the following:
  - If your network card appears in the Network cards to configure list, select
    Configure; then select the first detected network card and select Configure.
  or
  - If your network card appears in the Already configured devices list, select
    Change; then select your network card and select Edit.
4. Select Static address setup.
5. In the IP Address field, enter your IP address.
6. In the Subnet mask field, enter 255.255.255.0.
7. Configure the host name and name server:
a. Select Host name and name server.
b. Enter your host name.
c. Enter a domain name of digitalairlines.com.
d. In the Name Server 1 field, enter the address of the name server, 10.0.0.254.
e. Return to the Network setup dialog by selecting OK.


8. Configure routing:
a. Select Routing.
b. In the Default Gateway field, enter 10.0.0.254.
c. Return to the Network setup dialog by selecting OK.
9. Return to the Network Configuration dialog by selecting Next.
10. Continue with the installation by selecting Finish; then select Next.

11. From the Test Internet Connection dialog, select No, Skip This Test; then select
Next.

Part VIII: Set Up Services and Users

Do the following:
1. From the Service Configuration dialog, accept the default settings by selecting
Next.
2. For the authentication method, select LDAP; then select Next.
3. Accept the defaults in the LDAP Client Configuration dialog by selecting Next.
4. Add a user:
a. First Name: Geeko
b. Last Name: Novell
c. User Login: geeko
d. Password: N0v3ll (a zero; not an uppercase o)
e. Verify password: N0v3ll
f. Create the user by selecting Next.

Part IX: Configure Hardware Devices

Do the following:
1. From the Release Notes dialog, select Next.
2. Adjust the monitor settings:
a. Review the information displayed below the Graphics Cards entry of the
Hardware Configuration proposal.
b. Make sure that the monitor model, the resolution, and the refresh rate are
appropriate for your hardware.
c. (Conditional) If the settings are correct, select Next; then skip the following
steps for monitor configuration and go to Step 4.
d. If the automatically generated settings are not appropriate, select Graphics
Cards.
e. From the left side of the dialog, change the monitor model by expanding
Desktop; then select Monitor.
f. Select Change configuration.


g. From the next dialog, select Properties.


h. From the left side, select your vendor; from the right side, select your model.
i. (Conditional) If your model is not in the list, select one of the generic LCD or
VESA entries. (You can also enter the frequencies manually on the
Frequencies page of the dialog.)
j. Continue by selecting OK.
k. Select Finish.
l. Change the color and resolution settings by selecting
Color and Resolution on the left; then select Change configuration.
m. From the next dialog, select Properties.
n. From the drop-down list, select your desired color resolution.
o. From the Resolutions page, select your desired display resolution (deselect all
other resolutions).
p. Continue by selecting OK.
q. Select Finish.
r. Finish the monitor setup by selecting Finalize.
s. Test the new settings by selecting Test.
t. If the screen does not display properly, press Ctrl+Alt+Backspace, then
repeat the above steps to adjust the selected settings.
u. Adjust Size and Position.
v. When you are finished, select Save; then select OK.
3. From the Hardware Configuration dialog, select Next.
4. Complete the installation process by selecting Finish.

Part X: Configure NTP

Do the following:
1. When the GUI login screen appears, log in as geeko with a password of N0v3ll.
2. From the KDE desktop, select the YaST icon; then enter a password of novell and
select OK.
3. From the YaST Control Center, select Network Services > NTP Client.
4. Select When Booting System.
5. In the NTP Server field, enter 10.0.0.254.
6. Select Finish.


Part XI: Update Your SLES 9 Server With YOU

As a post-installation procedure, you want to make sure you have updated your
installation with the latest patches available from Novell SUSE LINUX.

In this part of the exercise, you update your SLES 9 installation using a YOU server
available on DA1.

Do the following:
1. From the YaST Control Center, select Software > Online Update.
The Welcome to YaST Online Update dialog appears.
2. From the Installation source drop-down list, select User-Defined Location.
3. In the Location field, enter http://DA1/YOU.
4. Continue by selecting Next.
The YOU update dialog appears with all the patches available.
From this dialog you can filter the patch list view and select or deselect the
patches you want to install.
5. From YaST Online Update Patch list, make sure the Optional patches (black) are
deselected.
6. Make sure all the Security (red) and Recommended (blue) patches are selected.
7. Continue by selecting Accept.
One or more warning messages appear.
8. For each warning message, select Install Patch.
YaST downloads and installs the patches.
9. When the process is complete (or while it is still running), select Remove Source
Packages after Update.
10. When the patches have been installed, update the system configuration by
selecting Finish.
11. Reboot the X Window server by pressing Ctrl+Alt+Del; then select Logout.

After rebooting, you are returned to the GUI login interface.


12. Select Menu > Shutdown.

13. Select Restart computer and enter a password of novell; then select OK.

14. After the system reboots, log back in to the KDE desktop as geeko with a password
of N0v3ll.

(End of Exercise)


Summary

Objective 1: Perform the SLES 9 Base Installation

In the base installation, the hard disks are prepared and the software packages are
installed. The following tasks belong to the base installation step:
- Boot from the installation media
- Select the language
- Select the installation mode
- Understand and change the installation proposal
- Perform hard disk partitioning
- Configure LVM devices
- Change the software selection
- Configure the boot loader
- Launch the installation process

Objective 2: Configure the SLES 9 Installation

In the configuration step, you customize and configure the installed system. The
following tasks belong to the configuration step:
- Set the root password
- Configure the network
- Test the Internet connection
- Perform the Online Update
- Configure Network Services
- Manage Users
- Configure Hardware
- Finalize the Installation Process

Objective 3: Troubleshoot the Installation Process

SLES 9 has been installed and tested on many different machines and hardware
platforms. However, sometimes installation problems can occur. The problems can be
caused by the following reasons:
- The system is not configured to boot from the CD or DVD drive.
- The CD or DVD drive is defective.
- The installation CD or DVD is defective.
- The system does not support newer hardware features (ACPI) correctly.
- There is no DHCP server in the network.
- There is no route to the Internet.
- You are using the wrong Proxy settings.
- You are using the wrong X11 configuration.


SECTION 2 Configure the Network Manually

In this section, you learn how to configure network devices manually. You also learn
how to configure routing with command line tools and how to save the network setup
to configuration files.

Objectives
1. Understand Linux Network Terms
2. Set Up Network Devices With the ip Tool
3. Save Device Settings to a Configuration File
4. Set Up Routing With the ip Tool
5. Save Routing Settings to a Configuration File
6. Configure Host Name and Name Resolution
7. Test the Network Connection With Command Line Tools

Introduction
Although almost every step of a network configuration is done for you when you use
YaST, it's sometimes useful to configure the network settings manually. For testing
and troubleshooting, it can be much faster to change the network setup from the
command line.


Objective 1 Understand Linux Network Terms


Before you can configure the network manually with ip, you need to understand the
following Linux networking terms:
- Device. The network adapter built into the system. To use a physical device, a
  software component creates an interface to the device. This interface can be used
  by other software applications.
  The software component which creates the interface is also called a driver.
  In Linux, network interfaces use a standard naming scheme. Interfaces to
  Ethernet adapters follow the naming scheme eth0, eth1, eth2, and so on. For
  every adapter installed in the system, an interface is created when the appropriate
  driver is loaded.
  The command line tools for the network configuration use the term device when
  they actually mean an interface. The term device is used in this section for both
  physical devices and software interfaces.
- Link. The command line tool ip uses the term link to refer to the connection of a
  device to the network.
- Address. The IP address assigned to a device. The address can be either an IPv4
  or an IPv6 address. To use a device in a network, you have to assign at least one
  address to it. However, you can assign more than one address to a device.
- Broadcast. The term broadcast refers to the broadcast address of a network. By
  sending a network packet to the broadcast address, you can reach all hosts in the
  locally connected network at the same time. When you assign an IP address to a
  device, you can also set this broadcast address.
- Route. The path an IP packet takes from the source to the destination host. The
  term route also refers to an entry in the routing table of the Linux kernel.


Objective 2 Set Up Network Devices With the ip Tool


You normally configure a network card with YaST during or after installation. You
can use the tool ip to change the network card configuration quickly from the
command line.

Changing the network card configuration at the command line is especially useful for
test purposes; but if you want a configuration to be permanent, you must save it in a
configuration file. These configuration files are generated automatically when you set
up a network card with YaST.

You can use ip to perform the following tasks:


- Display the Current Network Configuration
- Change the Current Network Configuration

Note: You can enter /sbin/ip as a normal user to display the current network setup only.
To change the network setup, you have to be logged in as root.

Display the Current Network Configuration

With the ip tool, you can display the following information:


- IP Address Setup
- Device Attributes
- Device Statistics

IP Address Setup

To display the IP address setup of all devices, enter the following command:

ip address show

Depending on your network setup, you see information similar to the following:

DA1:~ # ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::230:5ff:fe4b:9885/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0


The information is grouped by network devices. Every device entry starts with a
digit, called the interface index, with the device name displayed below the interface
index.

In the above example, there are 3 devices:


- lo. The loopback device, which is available on every Linux system, even when
  no network adapter is installed. Using this virtual device, applications on the
  same machine can use the network to communicate with each other.
  For example, you can use the IP address of the loopback device to access a
  locally installed web server by typing http://127.0.0.1 in the address bar of your
  web browser.
- eth0. The first Ethernet adapter of the computer in this example. This is a
  physical device which is connected to the local network. Ethernet devices are
  normally called eth0, eth1, eth2, and so on.
- sit0. This is a special virtual device which can be used to encapsulate IPv4 into
  IPv6 packets. It's not used in a normal IPv4 network.

You always have the entries for the loopback and sit devices. Depending on your
hardware setup, you might have more Ethernet devices in the ip output.

Several lines of information are displayed for every network device, such as eth0 for
the example above:

2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000

The most important information of the line in this example is the device index (2)
and the device name (eth0).

The other information shows additional attributes set for this device, such as the
hardware address of the Ethernet adapter (00:30:05:4b:98:85):

link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff

In the following line, the IPv4 setup of the device is displayed:

inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0

The IP address (10.0.0.2) follows inet, and the broadcast address (10.0.0.255)
follows brd. The length of the network mask is displayed after the IP address,
separated by a /. The length is given in bits (24).

The following lines show the IPv6 configuration of the device:

inet6 fe80::230:5ff:fe4b:9885/64 scope link
   valid_lft forever preferred_lft forever


The address shown here is automatically assigned, even though IPv6 is not used in
the network that is connected with the device. The address is generated from the
hardware address of the device.

Depending on the device type, the information can differ. However, the most
important information (such as assigned IP addresses) is always shown.
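As an added example (not part of the course material), the following Python script parses the sample ip address show output above into device records and checks that every displayed broadcast address is the one implied by the prefix length, which is exactly what brd + derives. The sample text is a constructed copy of the output shown above, with the wrapped eth0 line rejoined.

```python
import ipaddress
import re

# Constructed sample: the "ip address show" output discussed above.
SAMPLE_IP_ADDRESS_SHOW = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::230:5ff:fe4b:9885/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0
"""

# "<index>: <name>: <FLAGS> mtu <n> ..." starts every device entry.
DEVICE_RE = re.compile(r"^(\d+): (\S+): <([^>]*)> mtu (\d+)")
# "link/<type> <hardware address> ..." gives the layer-2 details.
LINK_RE = re.compile(r"^\s+link/(\S+) (\S+)")
# "inet <address>/<prefix> [brd <broadcast>] ..." is one IPv4 assignment.
INET_RE = re.compile(r"^\s+inet (\S+)(?: brd (\S+))?")


def parse_ip_address_show(text):
    """Turn the text output of 'ip address show' into a list of device dicts."""
    devices = []
    current = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            flags = m.group(3).split(",") if m.group(3) else []
            current = {"index": int(m.group(1)), "name": m.group(2), "flags": flags,
                       "mtu": int(m.group(4)), "link": None, "hwaddr": None, "inet": []}
            devices.append(current)
            continue
        if current is None:
            continue
        m = LINK_RE.match(line)
        if m:
            current["link"], current["hwaddr"] = m.group(1), m.group(2)
            continue
        m = INET_RE.match(line)
        if m:
            current["inet"].append({"address": m.group(1), "brd": m.group(2)})
    return devices


def expected_broadcast(cidr):
    """Broadcast address that 'brd +' derives for an address/prefix such as 10.0.0.2/24."""
    return str(ipaddress.ip_interface(cidr).network.broadcast_address)


def broadcast_mismatches(devices):
    """List (device, address, shown brd, expected brd) for every IPv4 entry whose
    displayed broadcast address does not match the one implied by its prefix."""
    found = []
    for dev in devices:
        for entry in dev["inet"]:
            if entry["brd"] is None:
                continue
            want = expected_broadcast(entry["address"])
            if entry["brd"] != want:
                found.append((dev["name"], entry["address"], entry["brd"], want))
    return found


if __name__ == "__main__":
    for dev in parse_ip_address_show(SAMPLE_IP_ADDRESS_SHOW):
        print(dev["index"], dev["name"], ",".join(dev["flags"]), dev["inet"])
    print("mismatches:", broadcast_mismatches(parse_ip_address_show(SAMPLE_IP_ADDRESS_SHOW)))
```

On a live system, pipe the real output in with `ip address show | python3 script.py` after replacing the sample with `sys.stdin.read()`; a mismatch points at a hand-typed broadcast address that does not belong to the configured network.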

Device Attributes

If you are only interested in the device attributes and not in the IP address setup, you
can enter the following command:

ip link show

The command produces an output similar to the following:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
3: sit0: <NOARP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0

The information is similar to what you see when entering ip address show, but the
information about the address setup is missing. The device attributes are displayed
in angle brackets right after the device name.

The following is a list of possible attributes and their meanings:


- UP. The device is turned on. It is ready to accept packets for transmission and
  it's ready to receive packets from the network.
- LOOPBACK. The device is a loopback device.
- BROADCAST. The device can send packets to all hosts sharing the same
  network.
- POINTOPOINT. The device is only connected to one other device. All packets
  are sent to and received from the other device.
- MULTICAST. The device can send packets to a group of other systems at the
  same time.
- PROMISC. The device listens to all packets on the network, not only to those
  sent to the device's hardware address. This is usually used for network
  monitoring.


Device Statistics

You can use the option -s with the command ip to display additional statistics
information about the devices. The command looks like the following:

ip -s link show eth0

By giving the device name at the end of the command line, the output is limited to
one specific device. This can also be used to display the address setup or the device
attributes.

The following is an example of the information displayed for the device eth0:

2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:05:4b:98:85 brd ff:ff:ff:ff:ff:ff
    RX: bytes      packets  errors  dropped  overrun  mcast
    849172787      9304150  0       0        0        0
    TX: bytes      packets  errors  dropped  carrier  collsns
    875278145      1125639  0       0        0        0

Two additional sections with information are displayed for every device. Each of the
sections has a headline with a description of the displayed information.

The section starting with RX displays information about received packets, and the
section starting with TX displays information about sent packets.

The sections display the following information:


- Bytes. The total number of bytes received or transmitted by the device.
- Packets. The total number of packets received or transmitted by the device.
- Errors. The total number of receiver or transmitter errors.
- Dropped. The total number of packets dropped due to a lack of resources.
- Overrun. The total number of receiver overruns resulting in dropped packets.
  As a rule, if a device is overrun, it means that there are serious problems in the
  Linux kernel or that your computer is too slow for the device.
- Mcast. The total number of received multicast packets. This option is supported
  by only a few devices.
- Carrier. The total number of link media failures, because of a lost carrier.
- Collsns. The total number of collision events on Ethernet-like media.
- Compressed. The total number of compressed packets.


Change the Current Network Configuration

You can also use the ip tool to change the network configuration by performing the
following tasks:
- Assign an IP Address to a Device
- Delete the IP Address from a Device
- Change Device Attributes

Assign an IP Address to a Device

To assign an address to a device, use a command similar to the following:

ip address add 10.0.0.2/24 brd + dev eth0

In this example, the command assigns the IP address 10.0.0.2 to the device eth0. The
network mask is 24 bits long, as determined by the /24 after the IP address. The brd
+ option sets the broadcast address automatically as determined by the network
mask.

You can enter the following command to verify the assigned IP address:

ip address show dev eth0

The assigned IP address is displayed in the output of the command line.

You can assign more than one IP address to a device.

Delete the IP Address from a Device

To delete the IP address from a device, use a command similar to the following:

ip address del 10.0.0.2 dev eth0

In this example, the command deletes the IP address 10.0.0.2 from the device eth0.

Use the following command to verify that the address was deleted:

ip address show eth0

Change Device Attributes

You can also change device attributes with the ip tool. The following is the basic
command to set device attributes:

ip link set device attribute


The possible attributes are described in "Device Attributes" above. The most
important attributes are up and down. By setting these attributes, you can enable or
disable a network device.

To enable a network device (such as eth0), enter the following command:

ip link set eth0 up

To disable a network device (such as eth0), enter the following command:

ip link set eth0 down


Objective 3 Save Device Settings to a Configuration File


All device configuration changes you make with ip are lost when the system is
rebooted. To restore the device configuration automatically when the system is
started, the settings need to be saved in configuration files.

The configuration files for network devices are located in the directory
/etc/sysconfig/network.

If the network devices are set up with YaST, one configuration file is created for
every device.

For Ethernet devices, the filenames consist of ifcfg-eth-id- and the hardware address
of the device. For a device with the hardware address 00:30:05:4b:98:85, the
filename would be ifcfg-eth-id-00:30:05:4b:98:85.

We recommend that you set up a device with YaST first and then make changes in the
configuration file. Setting up a device from scratch is a very complex task, because
the hardware driver also needs to be configured manually.

If you have more than one network adapter in your system, it might be difficult to
find the corresponding configuration file for a device.

You can use the command ip link show to display the hardware address for each
Ethernet device. Because the hardware address is part of the file name, you can
identify the right configuration file.

The content of the configuration files depends on the configuration of the device. To
change the configuration file, you need to know how to do the following:
- Configure a Device Statically
- Configure a Device Dynamically With DHCP
- Start and Stop Configured Devices

Configure a Device Statically

The content of a configuration file of a statically configured device is similar to the
following:

BOOTPROTO='static'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'
BROADCAST='149.44.171.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'


The configuration file includes several lines. Each line has an option and a value
assigned to that option, and is shown and then explained below:
- BOOTPROTO='static'
  The option BOOTPROTO determines the way the device is configured. There
  are 2 possible values:
  - static. The device is configured with a static IP address.
  - dhcp. The device is configured automatically by a DHCP server.
- MTU=''
  You can use the MTU option to specify a value for the MTU (Maximum
  Transmission Unit). If you don't specify a value, the default value is used. For an
  Ethernet device, the default value is 1500 bytes.
- REMOTE_IPADDR=''
  You need to set the value for the REMOTE_IPADDR option only if you are
  setting up a point-to-point connection.
- STARTMODE='onboot'
  The STARTMODE option determines how the device is started. The option can
  have the following values:
  - onboot. The device is started at boot time.
  - manual. The device must be started manually.
  - hotplug. The device is started when it's plugged in, if your system offers PCI
    hotplugging.
- UNIQUE='oxTw.AKbXsqnOlA9'
  _nm_name='bus-pci-0000:02:08.0'
  These 2 lines contain options added by YaST when the device is configured.
  They don't affect the network configuration itself.
- BROADCAST='149.44.171.255'
  IPADDR='10.0.0.2'
  NETMASK='255.255.255.0'
  NETWORK='10.0.0.0'
  These 4 lines contain the options for the network address configuration. The
  options have the following meaning:
  - BROADCAST. The broadcast address of the network.
  - IPADDR. The IP address of the device.
  - NETMASK. The network mask.
  - NETWORK. The address of the network itself.

The file /etc/sysconfig/network/ifcfg.template contains a template that you can use as
a base for device configuration files.
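As an added consistency check that is not part of the course material, the following Python script parses an ifcfg file like the one above and verifies that a static configuration is internally consistent (BROADCAST and NETWORK must match IPADDR/NETMASK) and that a DHCP configuration carries no address options that would be overwritten anyway. Run against the sample above, it reports that BROADCAST='149.44.171.255' does not belong to 10.0.0.2/24, whose broadcast address is 10.0.0.255; the sample text is a constructed copy of that file.

```python
import ipaddress

# Constructed sample: the static ifcfg file shown above, as YaST writes it.
SAMPLE_IFCFG_STATIC = """\
BOOTPROTO='static'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='oxTw.AKbXsqnOlA9'
_nm_name='bus-pci-0000:02:08.0'
BROADCAST='149.44.171.255'
IPADDR='10.0.0.2'
NETMASK='255.255.255.0'
NETWORK='10.0.0.0'
"""


def parse_ifcfg(text):
    """Parse KEY='value' lines of an ifcfg file into a dict; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def check_ifcfg(settings):
    """Return a list of problems found in a parsed ifcfg file; an empty list means consistent."""
    problems = []
    proto = settings.get("BOOTPROTO", "")
    if proto not in ("static", "dhcp"):
        problems.append(f"BOOTPROTO must be 'static' or 'dhcp', got {proto!r}")
        return problems
    if settings.get("STARTMODE", "") not in ("onboot", "manual", "hotplug"):
        problems.append(f"unknown STARTMODE {settings.get('STARTMODE')!r}")
    mtu = settings.get("MTU", "")
    if mtu and not mtu.isdigit():
        problems.append(f"MTU must be a number, got {mtu!r}")
    if proto == "dhcp":
        # The DHCP server's settings overwrite these, so they only mislead a reader.
        stale = [k for k in ("IPADDR", "NETMASK", "NETWORK", "BROADCAST") if settings.get(k)]
        if stale:
            problems.append("BOOTPROTO=dhcp but address options are set: " + ", ".join(stale))
        return problems
    # Static setup: IPADDR and NETMASK are required; derive NETWORK/BROADCAST and compare.
    if not settings.get("IPADDR") or not settings.get("NETMASK"):
        problems.append("static setup needs both IPADDR and NETMASK")
        return problems
    try:
        iface = ipaddress.ip_interface(f"{settings['IPADDR']}/{settings['NETMASK']}")
    except ValueError as exc:
        problems.append(f"invalid IPADDR/NETMASK: {exc}")
        return problems
    expected = {"NETWORK": str(iface.network.network_address),
                "BROADCAST": str(iface.network.broadcast_address)}
    for key, want in expected.items():
        have = settings.get(key)
        if have and have != want:
            problems.append(f"{key}={have} does not match {iface.with_prefixlen}, expected {want}")
    return problems


if __name__ == "__main__":
    for problem in check_ifcfg(parse_ifcfg(SAMPLE_IFCFG_STATIC)):
        print("problem:", problem)
```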


Configure a Device Dynamically With DHCP

If you want to configure a device by using a DHCP server, you set the BOOTPROTO
option to dhcp as shown in the following:

BOOTPROTO='dhcp'

When the device is configured by using DHCP, you don’t need to set any options for
the network address configuration in the file. If there are any settings, they are
overwritten by the settings of the DHCP server.

Start and Stop Configured Devices

To apply changes to a configuration file, you need to stop and restart the
corresponding device. You can do this with the commands ifdown and ifup.

For example, entering the following ifdown command disables the device eth0:

ifdown eth0

The following ifup command enables eth0 again:

ifup eth0

When the device is restarted, the new configuration is read from the configuration
file.


Objective 4 Set Up Routing With the ip Tool


You can use the ip tool to configure the routing table of the Linux kernel. The routing
table determines the path IP packets use to reach the destination system.

Note: Because routing is a very complex topic, this objective only covers the most common
routing scenarios.

You can use the ip tool to perform the following tasks:


- View the Routing Table
- Add Routes to the Routing Table
- Delete Routes from the Routing Table

View the Routing Table

To view the current routing table, enter the following command:

ip route show

For most systems, the output looks similar to the following:

10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 10.0.0.1 dev eth0

Every line represents an entry in the routing table. Each line in the example is shown
and explained below:
- 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
  This line represents the route for the local network. All network packets to a
  system in the same network are sent directly through the device eth0.
- 169.254.0.0/16 dev eth0 scope link
  This line shows a network route for the 169.254.0.0 network. Hosts can use this
  network for address auto-configuration. SLES 9 automatically assigns a free IP
  address from this network when no other device configuration is present. The
  route to this network is always set, even when the system itself has no assigned
  IP address from that network.
- 127.0.0.0/8 dev lo scope link
  This is the route for the loopback device.
- default via 10.0.0.1 dev eth0
  This line is the entry for the default route. All network packets that cannot be
  sent according to the previous entries of the routing table are sent through the
  gateway defined in this entry.

Depending on the setup of your machine, the content of the routing table varies. In
most cases, you have at least 2 entries in the routing table:
- One route to the local network the system is connected to
- One route to the default gateway for all other packets

Add Routes to the Routing Table

The following are the most common tasks you do when adding a route:
- Set a Route to the Locally Connected Network
- Set a Route to a Different Network
- Set a Default Route

Note: Remember to substitute your own network and gateway addresses when using the
following examples in a production environment.

Set a Route to the Locally Connected Network

The following command sets a route to the locally connected network:

ip route add 10.0.0.0/24 dev eth0

The system in this example is in the 10.0.0.0 network. The network mask is 24 bits
long (255.255.255.0). All packets to the local network are sent directly through the
device eth0.

Set a Route to a Different Network

The following command sets a route to a different network:

ip route add 149.44.171.0/24 via 10.0.0.100

All packets for the network 149.44.171.0 are sent through the gateway 10.0.0.100.

Set a Default Route

The following command sets a default route:

ip route add default via 10.0.0.1

Packets that cannot be sent according to previous entries in the routing table are sent
through the gateway 10.0.0.1.


Delete Routes from the Routing Table

To delete an entry from the routing table, use a command similar to the following:

ip route delete 149.44.171.0/24 dev eth0

This command deletes the route to the network 149.44.171.0 assigned to the device
eth0.


Objective 5 Save Routing Settings to a Configuration File


Routing settings made with the ip tool are lost when you reboot your system. Settings
have to be written to configuration files to be restored at boot time.

Routes to the directly connected network are automatically set up when a device is
started. All other routes are saved in the configuration file
/etc/sysconfig/network/routes.

The following shows the content of a typical configuration file:

149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85
default 10.0.0.8 - -

Each line of the configuration file represents an entry in the routing table. Each line is
shown and explained below:
n 149.44.171.0 10.0.0.100 255.255.255.0 eth-id-00:30:05:4b:98:85
All packets sent to the network 149.44.171.0 with the network mask
255.255.255.0 are sent through the gateway 10.0.0.100 through the device with
the id eth-id-00:30:05:4b:98:85. The id is the same as used for the device
configuration file.
n default 10.0.0.8 - -
This entry represents a default route. All packets that are not affected by the
previous entries of the routing table are sent through the gateway 10.0.0.8. It's
not necessary to fill out the last 2 columns of the line for a default route.

To apply changes to the routing configuration file, you need to restart the affected
network device with the commands ifdown and ifup.
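Because the routes file is only read at boot or by ifup, it pays to review what it will install before restarting a device. The following is an added example, not part of the course material: it renders each line of a routes file as the "ip route add" command it corresponds to, using the column layout shown above (destination, gateway, netmask, device id, with "-" meaning "not set"). Device ids of the form eth-id-<MAC> are kept as a trailing comment because ip expects the kernel device name; the mapping from id to name is done by ifup.

```sh
#!/bin/sh
# Added example (not from the Novell course): show the "ip route add"
# commands that correspond to the entries of /etc/sysconfig/network/routes,
# so persisted routing can be reviewed without touching the live table.
# Assumed column layout: destination gateway netmask device ("-" = not set).

# Convert a dotted netmask to a prefix length, e.g. 255.255.255.0 -> 24.
mask_to_prefix() {
    awk -v m="$1" 'BEGIN {
        n = split(m, o, "[.]"); bits = 0
        for (i = 1; i <= n; i++) {
            v = o[i] + 0
            while (v > 0) { bits += v % 2; v = int(v / 2) }
        }
        print bits
    }'
}

# Read routes-file lines on stdin, print one "ip route add ..." per entry.
# Comment lines and empty lines are skipped.
routes_to_ip() {
    while read -r dest gw mask dev rest; do
        case "$dest" in ''|'#'*) continue ;; esac
        if [ "$dest" = "default" ]; then
            target="default"
        elif [ -z "$mask" ] || [ "$mask" = "-" ]; then
            target="$dest/32"      # no netmask given: host route
        else
            target="$dest/$(mask_to_prefix "$mask")"
        fi
        cmd="ip route add $target"
        if [ -n "$gw" ] && [ "$gw" != "-" ]; then
            cmd="$cmd via $gw"
        fi
        if [ -n "$dev" ] && [ "$dev" != "-" ]; then
            case "$dev" in
                eth-id-*) cmd="$cmd   # device id $dev" ;;   # ifup maps the id to eth0 etc.
                *)        cmd="$cmd dev $dev" ;;
            esac
        fi
        printf '%s\n' "$cmd"
    done
    return 0
}
```

Run it as "routes_to_ip < /etc/sysconfig/network/routes" and compare the result with "ip route show" after the next ifup; a route that appears in one list but not the other points at a typo in the file or a route that was only added with ip and never saved.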


Objective 6 Configure Host Name and Name Resolution


The host name and the name resolution can also be set up manually. In this objective,
you learn how to do the following:
n Set the Host and Domain Name
n Configure Name Resolution

Set the Host and Domain Name

The host name is configured in the file /etc/HOSTNAME.

The content of the file is similar to the following:

da2.digitalairlines.com

The file contains the fully qualified domain name of the system, in this case,
da2.digitalairlines.com.

Configure Name Resolution

The name resolution is configured in the file /etc/resolv.conf.

The content of the file is similar to the following:

search digitalairlines.com
nameserver 10.0.0.1
nameserver 10.10.0.1
nameserver 10.0.10.1

The file contains 2 types of entries:


n search. The domain name in this option is used to complete incomplete host
names. For example, if you look up the host name da3, the name is automatically
completed to the fully qualified domain name da3.digitalairlines.com.
n nameserver. Every entry starting with nameserver is followed by an IP address
of a name server. You can configure up to 3 name servers. If the first name
server fails, the next one is used.
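The two entry types can be checked mechanically. The following is an added example, not part of the course: it reads a copy of /etc/resolv.conf from standard input, reports the search domain and the name servers that will actually be consulted, warns when more than the three servers the text allows are listed (the extra ones are ignored silently), and shows how a short host name is completed with the search domain. The completion rule implemented here is the simple one the text describes: a name without a dot gets the search domain appended, a name with a trailing dot is taken as absolute.

```sh
#!/bin/sh
# Added example (not from the Novell course): sanity checks for resolv.conf.
# All functions read the file content on stdin.

# Print the search domain (first domain of the first "search" line).
resolv_search_domain() {
    awk '$1 == "search" { print $2; exit }'
}

# Print the name servers that will be consulted: the first three only.
resolv_nameservers() {
    awk '$1 == "nameserver" && n < 3 { print $2; n++ }'
}

# Return 1 with a note on stderr if more than three name servers are listed.
resolv_check_count() {
    count=$(awk '$1 == "nameserver" { n++ } END { print n + 0 }')
    if [ "$count" -gt 3 ]; then
        printf 'warning: %s nameserver lines, only the first 3 are used\n' "$count" >&2
        return 1
    fi
    return 0
}

# Complete a short host name with the search domain, as the resolver does.
# Usage: qualify_name NAME DOMAIN
qualify_name() {
    name=$1; domain=$2
    case "$name" in
        *.)  printf '%s\n' "${name%.}" ;;        # absolute name: strip the root dot
        *.*) printf '%s\n' "$name" ;;            # already contains a domain part
        *)   printf '%s.%s\n' "$name" "$domain" ;;
    esac
}
```

A typical use is "resolv_check_count < /etc/resolv.conf" in a post-install check script; a fourth nameserver line is a common way to end up with a backup server that is never asked.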


Objective 7 Test the Network Connection With Command Line Tools

After the network is configured, you might want to test the network connection by
doing the following:
n Use ping to Test Network Connections
n Use traceroute to Trace Network Packets

Use ping to Test Network Connections

The tool ping lets you check network connections in a simple way between two
hosts. If the ping command works, then both the physical and logical connections are
correctly set up between the 2 hosts.

The ping command sends special network packets to the target system and waits for a
reply. In the simplest scenario, you enter ping with an IP address:

ping 10.0.0.1

You can also use the host name of the target system instead of an IP address. The
output of ping looks similar to the following:

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=60 time=2.95 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=60 time=2.16 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=60 time=2.18 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=60 time=2.08 ms

Each line of the output represents a packet sent by ping. Ping keeps sending packets
until it's terminated by pressing Ctrl+C.

The output displays the following information:


n The size of an ICMP datagram (64 bytes).
n The IP address of the target system (from 10.0.0.1).
n The sequence number of each datagram (icmp_seq=1).
n The TTL (time to live) of the datagram (ttl=60).
n The amount of time that passes between the transmission of a packet and the
time a corresponding answer is received (time=2.95 ms). This time is also called
the Round Trip Time.

If you get an answer from the target system, you can be sure that the basic network
device setup and routing to the target host works.
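When ping is run with -c so that it stops by itself, its per-packet lines can be reduced to the numbers that matter for troubleshooting: how many replies came back and how the round trip times are spread. The following is an added example, not part of the course: a shell function that summarises the "time=" fields of ping output read from standard input. The packet count has to be passed in (the value given to -c), because lost packets leave no line behind. The sample in the test is constructed from the output shown above.

```sh
#!/bin/sh
# Added example (not from the Novell course): summarise ping output.
# Usage: ping_summary SENT < ping_output
# Prints "received=N loss=P% min=A avg=B max=C" computed from the lines
# that carry both icmp_seq= and time= (error lines such as
# "Destination Host Unreachable" carry no time= and are not counted).
ping_summary() {
    sent=$1
    awk -v sent="$sent" '
        /icmp_seq=/ && /time=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^time=/) {
                rtt = substr($i, 6) + 0          # "time=2.95" -> 2.95
                n++; sum += rtt
                if (n == 1 || rtt < min) min = rtt
                if (n == 1 || rtt > max) max = rtt
            }
        }
        END {
            if (n == 0) { print "received=0 loss=100% min=- avg=- max=-"; exit }
            if (sent < n) sent = n                # guard against a wrong count
            loss = int((sent - n) * 100 / sent)
            printf "received=%d loss=%d%% min=%.2f avg=%.2f max=%.2f\n",
                   n, loss, min, sum / n, max
        }'
}
```

Example: "ping -c 20 10.0.0.1 | ping_summary 20". A loss figure above zero on a local network, or a max far above min, is the first hint of a duplex mismatch or an overloaded link, which a single successful ping does not reveal.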


The following table provides some options for ping you can use for advanced
troubleshooting:

Table 2-1

Option           Description

-c count         The number of packets to be sent. After this number has been
                 reached, ping is terminated.

-I device_addr   Specifies the network device to be used on a computer with
                 several network devices.

-i seconds       Specifies the number of seconds to wait between individual
                 packet shipments. The default setting is 1 second.

-f               (Flood ping) Packets are sent one after another at the same
                 rate as the respective replies arrive. Only root can use this
                 option. For normal users the minimum time is 200 milliseconds.

-l preload       Sends the given number of packets without waiting for a reply.

-n               Numerical output only; IP addresses are not resolved to host
                 names.

-t ttl           Sets the Time To Live for packets to be sent.

-w maxwait       Specifies a timeout in seconds, before ping exits regardless
                 of how many packets have been sent or received.

-b               Sends packets to the broadcast address of the network.

Use traceroute to Trace Network Packets

The diagnosis tool traceroute is primarily used to check the routing between different
networks. To achieve this task, traceroute sends packets with an increasing TTL value
to the destination host, whereby three packets of each value are sent.

Traceroute uses UDP packets, which are called datagrams.

First, three datagrams with a TTL=1 are sent to the host, then three packets with a
TTL=2, and so on. The TTL of a datagram is reduced by one every time it passes
through a router.

When the TTL reaches zero, the datagram is discarded and a message is sent to the
sender. Because the TTL is increased by one every three packets, traceroute can
collect information about every router on the way to the destination host.

You normally include a host name with the traceroute command, as in the following:

traceroute pluto.example.com


It's also possible to use an IP address instead of the host name. The output of
traceroute looks similar to the following:

traceroute to pluto.example.com (192.168.2.1), 30 hops max, 40 byte packets
1 sun.example.com (192.168.0.254) 0 ms 0 ms 0 ms
2 antares.example.com (192.168.1.254) 14 ms 18 ms 14 ms
3 pluto.example.com (192.168.2.1) 19 ms * 26 ms

The first line of the output displays general information about the traceroute call.
Each of the lines that follow represents a router on the way to the destination host.
Every router is displayed with the host name and IP address.

Traceroute also displays information about the round trip times of the 3 datagrams
returned by every router. The last line of the output represents the destination host
itself.
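The asterisk in the last line of the output above stands for a probe that got no reply, and that is the detail worth extracting when a traceroute is read by a script. The following is an added example, not part of the course: it turns each hop line ("hop host (ip) rtt ms rtt ms rtt ms") into one line with the hop number, the IP address, the number of lost probes and the highest round trip time, and offers a yes/no check for hops that answered none of their three probes. It assumes the default of three probes per hop.

```sh
#!/bin/sh
# Added example (not from the Novell course): per-hop report from traceroute.
# Usage: trace_report < traceroute_output
# Prints "hop=N ip=A.B.C.D lost=L max_ms=M" per hop; ip is "?" and max_ms is
# "-" when the hop never answered. The "traceroute to ..." header is skipped
# because its first field is not a hop number.
trace_report() {
    awk '
        $1 ~ /^[0-9]+$/ {
            hop = $1; ip = "?"; lost = 0; max = -1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\(.*\)$/)            # "(192.168.1.254)" -> address
                    ip = substr($i, 2, length($i) - 2)
                else if ($i == "*")              # probe without reply
                    lost++
                else if ($i ~ /^[0-9.]+$/ && $(i+1) == "ms") {
                    if ($i + 0 > max) max = $i + 0
                }
            }
            printf "hop=%s ip=%s lost=%d max_ms=%s\n", hop, ip, lost, (max < 0 ? "-" : max)
        }'
}

# Succeeds (exit 0) if at least one hop answered none of its probes.
# Such a hop is not necessarily broken (many routers rate-limit ICMP), but it
# is where a path problem is usually localised.
trace_has_silent_hop() {
    trace_report | grep -q 'lost=3 '
}
```

Example: "traceroute pluto.example.com | trace_report". The check is meant for a monitoring script: "traceroute host | trace_has_silent_hop && echo 'silent hop on the path'".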


Exercise 2-1 Configure the Network Connection Manually

In this exercise, you configure the network connection manually by doing the
following:
n Part I: Note the Current Network Configuration
n Part II: Delete the Current Network Setup with YaST
n Part III: Configure the Network Manually
n Part IV: Save the Network Connection to Interface and Hardware Configuration
Files

Part I: Note the Current Network Configuration

Do the following:
1. Make sure you are logged in to the KDE Desktop as geeko with a password of
N0v3ll.
2. Open a terminal window and su (switch user) to root with a password of novell.
3. Enter ifconfig eth0.
4. Find the line starting with inet, and record the IP address with the subnet mask
displayed in that line:
q IP address:
q Subnet mask:
5. Enter ip route show.
6. Find the line starting with default and record the gateway IP address of the
gateway:
q Gateway IP address:
7. Enter ip link show eth0.
8. Find the line starting with link/ether and record the MAC address of the network
card:
q MAC address:
9. Change to the /etc/sysconfig/hardware directory by entering the following:
cd /etc/sysconfig/hardware
10. Enter ls -al; then look for one of the following files (depending on your hardware
configuration):
q hwcfg-id-PCI_address
or
q hwcfg-bus-pci-PCI_address
11. Record the name of the file:


12. Display the contents of the file by entering one of the following:
q cat hwcfg-id-PCI_address
or
q cat hwcfg-bus-pci-PCI_address
13. Record the following parameters:
q MODULE=
q MODULE_OPTIONS=
q STARTMODE=
You use these parameters and the hwcfg filename in Part IV to manually create
the file.

Part II: Delete the Current Network Setup with YaST

Do the following:
1. Start YaST and select Network Devices > Network Card.
2. In the lower part of the dialog, select Change.
3. Select the network card; then select Delete.
4. Select Finish.
5. From the terminal window (as root), enter
rm /etc/sysconfig/network/routes.
6. Verify that the network connection is not working any more by entering ping
www.novell.com.

Part III: Configure the Network Manually

Do the following:
1. In the terminal window enter the following command:
ip address add your_IP_address/24 brd + dev eth0
2. To activate the network device, enter ip link set eth0 up.
3. To set a route to the local network enter the following:
ip route add 10.0.0.0/24 dev eth0
4. To set the default route enter the following:
ip route add default via gateway_IP_address
5. Verify that the network connection is working again by entering ping
www.novell.com.


x If you are having problems with the network interface, you might need to delete the network card
configuration with YaST, save the change, and then re-configure the network card with YaST.

This can happen if you have 2 network cards installed in your computer.

Part IV: Save the Network Connection to Interface and Hardware Configuration Files

Do the following:
1. From the terminal window, change to the directory
/etc/sysconfig/network.
2. Make a copy of the network configuration template by entering the following:
cp ifcfg.template ifcfg-eth-id-MAC_address
3. Open the copied file (ifcfg-eth-id-MAC_address) with the vi editor.
4. Find the following options and enter the indicated values:
q STARTMODE='onboot'
q BOOTPROTO='static'
q IPADDR='your_IP_address/24'
q NETMASK='255.255.255.0'
q BROADCAST='10.0.0.255'
5. Save the file and exit vi (:wq).
6. Change to the directory /etc/sysconfig/hardware.
7. Create one of the following files with vi:
q hwcfg-id-PCI_address
or
q hwcfg-bus-pci-PCI_address
8. Enter the parameters you recorded in the last step of Part I of this exercise.
9. When you finish, save the file and exit the editor.
10. Change to the directory /etc/sysconfig/network.
11. Create a new file with vi called routes.
12. Add the following line to the file:
default default_gateway_IP_address - -
13. Save the file and exit vi.
14. Reboot your system (init 6) and log in as geeko with a password of N0v3ll.


15. From a terminal window (as root), verify that the network configuration is loaded
correctly by entering the following commands:
ifconfig eth0
ip route show
16. Verify that the network connection is working properly by entering the following
commands:
ping 10.0.0.254
ping www.novell.com.

x If the network configuration fails to work properly, and your configuration files are created
correctly, use the YaST Network Card module to delete the currently configured network card,
and then restart the Network Card module and reconfigure the network card with the proper
settings.

(End of Exercise)
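Parts III and IV of the exercise are the same set of values typed twice: once as ip commands for the running system and once into ifcfg and routes files. The following is an added example, not part of the course exercise: a script that takes the address, gateway and MAC address, rejects malformed input before anything is changed, prints the ip commands of Part III as a dry run (they are only executed when the APPLY variable is set to 1) and writes the ifcfg-eth-id-<MAC> file and the routes file of Part IV below a root directory chosen with the ROOT variable, so the result can be inspected in a scratch directory first. APPLY and ROOT are names chosen for this example. The hwcfg file from Part I is not generated, because its MODULE and STARTMODE values must be copied from the file recorded there. A /24 network is assumed throughout, as in the exercise.

```sh
#!/bin/sh
# Added example (not from the Novell course): Parts III and IV in one script.
# APPLY=1 runs the ip commands; otherwise they are printed. ROOT=/some/dir
# writes the files below that directory instead of / (both names assumed).

is_ipv4() {   # four dotted octets, each 0-255
    echo "$1" | awk -F'[.]' 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

is_mac() {    # six colon-separated lower-case hex pairs, as used in the file name
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage: configure_static IP GATEWAY MAC [DEVICE]
configure_static() {
    ip=$1; gw=$2; mac=$3; dev=${4:-eth0}; root=${ROOT:-}
    is_ipv4 "$ip" && is_ipv4 "$gw" && is_mac "$mac" || { echo "bad input" >&2; return 2; }
    net=${ip%.*}.0          # /24 network and broadcast derived from the address
    brd=${ip%.*}.255

    # Part III: the live configuration.
    for cmd in "ip address add $ip/24 brd + dev $dev" \
               "ip link set $dev up" \
               "ip route add $net/24 dev $dev" \
               "ip route add default via $gw"; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "dry-run: $cmd"; fi
    done

    # Part IV: the files that make the setup survive a reboot.
    mkdir -p "$root/etc/sysconfig/network"
    cat > "$root/etc/sysconfig/network/ifcfg-eth-id-$mac" <<EOF
STARTMODE='onboot'
BOOTPROTO='static'
IPADDR='$ip/24'
NETMASK='255.255.255.0'
BROADCAST='$brd'
EOF
    printf 'default %s - -\n' "$gw" > "$root/etc/sysconfig/network/routes"
}
```

A dry run such as "ROOT=/tmp/netcheck sh -c '. ./netsetup.sh; configure_static 10.0.0.2 10.0.0.254 00:30:05:4b:98:85'" lets you diff the generated files against the ones written by YaST before the real configuration is touched; the input checks stop a mistyped address from ending up in a file that is only read at the next boot.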


Summary

Objective Summary

1. Understand Linux Network Terms
The following terms are used for the Linux network configuration:
n Device
n Interface
n Link
n Address
n Broadcast
n Route

2. Set Up Network Devices With the ip Tool
You can perform the following tasks with the ip tool:
n Display the IP address setup:
ip address show
n Display device attributes:
ip link show
n Display device statistics:
ip -s link show
n Assign an IP address to a device:
ip address add IP_address/netmask brd + dev device_name
n Delete an IP address of a device:
ip address del IP_address dev device_name
n Change device attributes:
ip link set device_name attribute

3. Save Device Settings to a Configuration File
The configuration files for network devices are located in /etc/sysconfig/network.
For Ethernet devices, the file names consist of ifcfg-eth-id- and the hardware
address of the device.
For a statically configured device, at least the following options need to be set:
BOOTPROTO='static'
STARTMODE='onboot'
IPADDR='10.0.0.2/24'
For devices configured with DHCP, the BOOTPROTO option needs to be changed as
follows:
BOOTPROTO='dhcp'
Configured devices can be enabled with ifup device_name and disabled with
ifdown device_name.

Objective Summary

4. Set Up Routing With the ip Tool
You can perform the following tasks with the ip tool:
n View the routing table:
ip route show
n Add routes to the routing table:
ip route add network/netmask dev device_name
n Delete routes from the routing table:
ip route del network/netmask dev device_name

5. Save Routing Settings to a Configuration File
The configuration for the routing table is located in the file
/etc/sysconfig/network/routes.
Each line represents an entry of the routing table and has the following columns:
n Destination network address
n Gateway address
n Netmask
n Device id
Default routes use default instead of the network address and do not require a
netmask or device id.

6. Configure Host Name and Name Resolution
The host name is configured in the file /etc/HOSTNAME.
The name resolution is configured in the file /etc/resolv.conf.
One line specifies the search domain; the others list up to three available name
servers.

7. Test the Network Connection With Command Line Tools
Two command line tools are available to test the network connection:
n ping
ping hostname
With ping you can test whether another host is reachable in the network.
n traceroute
traceroute hostname
With traceroute you can test the routing in the network.


SECTION 3 Configure Network Services

In this section, you learn how to configure four of the most important network
services shipped with SLES 9 (BIND, OpenLDAP, Apache, Samba).

Objectives
1. Configure a DNS Server Using BIND
2. Deploy OpenLDAP on a SLES 9 Server
3. Configure an Apache Web Server
4. Configure a Samba Server as a File Server

Introduction
In this section you learn how to install and configure four of the most popular Linux
network services at the command line:
n BIND
n OpenLDAP
n Apache
n Samba

Because configuring the services can be very complex, this section covers only the
basic functionality of the services.

The configuration is covered at the command-line level to show you a more direct
way to manipulate the behavior of the services.

The services as described in this section should be used within an internal
network. You should make the services accessible from the Internet only if you have
sufficient knowledge about network security.


Objective 1 Configure a DNS Server Using BIND


The Domain Name System (DNS) is one of the most important network services.
Without DNS, it would be difficult, if not impossible, to work with networked
computers.

To configure a DNS server (also called a name server) using the most popular
software BIND (Berkeley Internet Name Domain) you need to do the following:
n Understand the Domain Name System
n Install and Configure the BIND Server Software
n Configure a Caching-Only DNS server
n Configure a Master Server for Your Domain
n Configure One or More Slave Servers
n Configure the Client Computers to Use the DNS Server
n Use Command Line Tools to Query DNS Servers
n Find More Information About DNS

Understand the Domain Name System

To understand the basics of name resolution with DNS, you need to know the
following:
n How Name Resolution Worked in the Early Days of the Internet
n The Internet Domain Concept
n How Name Servers Work
n How to Query DNS

How Name Resolution Worked in the Early Days of the Internet

Computers communicate with each other by using IP addresses, but for humans it is
more simple to address a computer by using its name. This requires some kind of
conversion that provides computers with IP addresses when a user enters a computer
name.

In the early days of the Internet, when there were relatively few computers connected
to each other, a file was maintained at the Network Information Centre (NIC) of the
Stanford Research Institute in California that provided exactly this conversion.

Whenever system administrators added a new computer to the Internet or changed
the name of an already connected computer, these changes were sent by email to the
SRI-NIC where they were written to a file called hosts.txt.

Every system administrator worldwide had to copy this file by FTP and distribute it
to all computers for which he was responsible.


In 1984, Paul Mockapetris created a powerful solution: the Domain Name System (or
DNS). DNS is a distributed database system that allows local administration of
areas and guarantees unique computer names worldwide. Its hierarchical structure is
very similar to the tree structure of the Linux file system.

The Internet Domain Concept

DNS consists of several domains that can be divided into subdomains. The top level
of this structure is the root domain. It is represented simply by a dot (“.”).

There are over 13 computers worldwide that act as root name servers. The first
layer beneath the root domain contains the top level domains (TLDs).

In the early days of DNS there were 7 TLDs:


n .com for commercial institutions (such as novell.com and suse.com)
n .edu for educational institutions and research institutes (such as harvard.edu and
stsci.edu)
n .gov for institutions of the U.S. government (such as nasa.gov and
whitehouse.gov)
n .int for international institutions (such as un.int and ecb.int)
n .mil for military institutions (such as army.mil and navy.mil)
n .net for institutions that provide and manage network infrastructure (such as
internic.net and att.net)
n .org for noncommercial institutions (such as eso.org and eff.org)

.arpa was used as a TLD while the ARPAnet transferred from host files to DNS. All
computers from the ARPAnet were later put into the other TLDs. The .arpa TLD still
has a special meaning, which will be explained later in this section.

These TLDs are also known as generic TLDs. Other TLDs for individual countries
were defined, such as .de for Germany, .uk for the United Kingdom, and .ch for
Switzerland.

Recently, TLDs such as .info or .biz have become operational. Each of these TLDs is
administered by its own institution (the Network Information Center or NIC).


Part of the Internet namespace is shown in the following:

Figure 3-1 Part of the Internet namespace (tree diagram): the root domain at the
top; below it the top level domains gov, edu, org, de and ch; below those the
domains loc, nasa, linux and suse; then the subdomains ksc, jpl, ssl and www; and
at the bottom the hosts www, mars and www.

The complete computer name or fully qualified domain name (FQDN) is made from
the actual computer name, the domain name, and the name of the TLD (one or more
subdomains might be included).

Examples of FQDNs are ns.suse.de, www.astro.physik.uni-goettingen.de and
mail.novell.com. To be precise, all these names end with a dot (such as ns.suse.de.)
indicating the root domain. But as a rule the dot normally is not written.

How Name Servers Work

Domains are administered locally instead of using a global authority. Each domain
has its own administration point (in practice, many domains are administered from
one location).

For each domain there is one DNS server (or name server) defined as being “in
charge” of its domain. This server is known as the master server, and it is the
authority for this domain (providing authoritative answers).

This authoritative information is important because DNS servers also temporarily
store information on other domains in a cache and can pass this information on, with
the note that it is a non-authoritative answer.

There are other DNS servers called slave servers for the domain that distribute the
load and serve as backups. Slave servers keep a copy of the information on the
master server and update this information at regular intervals. This update is called
zone transfer.


The following describe the DNS server types available:

Table 3-1

Server type           Description

Master server         Has the main responsibility for a domain. Gets its data
                      from local files.

Slave server          Gets its data from the master server using zone transfer.

Caching-only server   Queries data from other DNS servers and stores the
                      information in the cache until its expiration date. All
                      replies are nonauthoritative.

Forwarding server     All queries the server cannot answer authoritatively are
                      forwarded to other DNS servers.

How to Query DNS

Various programs are involved in processing a request to the DNS database. The first
is the resolver. This is a set of library routines used by various programs.

The resolver makes a request to a DNS server, interprets the answer (real information
or error message), and sends back this information to the program that called it up.

If the DNS server receives a request from a resolver, one of 2 things happens:
n If the DNS server is the authority for the requested domain, the DNS server
provides the required information to the resolver (the authoritative answer).
or
n If the DNS server is not the authority for the requested domain, the DNS server
queries the responsible authority for the requested domain and gives the result to
the resolver.
The data is stored in the cache of the DNS server. If there is another request for
this data later, the DNS server can provide it immediately (a non-authoritative
answer). All data has a timestamp, and information is deleted from the cache
after a certain time.

Assume that your DNS server wants to find the IP address of the computer
www.suse.de. To do this, the DNS server first makes a request to one of the DNS
servers of the root domain.

Each DNS server knows the authorities responsible for the TLDs. The address for
each authority required is passed onto the requesting DNS server. For www.suse.de,
this is a DNS server for the TLD .de, that is, the computer dns2.denic.de.

Our DNS server then asks this for the authority for the domain suse.de and as an
answer is given the computer ns.suse.de.

In a third step, this DNS server is queried and (as an answer) gives the IP address of
the SUSE web server. This answer is returned by our DNS server to the requesting
resolver.


This procedure is illustrated in the following figure:

Figure 3-2 Resolution of www.suse.de (sequence diagram): the computer (resolver)
sends its request to the name server; the name server sends an address request to
the name server for the root domain "." and receives a link to the name server for
".de"; it sends the request to the name server for the TLD ".de" and receives a link
to the name server for "suse.de"; it sends the request to the name server for the
domain "suse.de" and receives the address for "www.suse.de"; the response goes back
to the resolver.

The DNS servers for the root domain play a very important role in name resolution.
In order to alleviate the server load due to queries, every DNS server stores the
information received from other name servers in its cache.

When queries are made, this information is sent without querying the root DNS
server anew. However, root DNS servers are very busy despite this caching
mechanism. Several thousand queries per second are nothing unusual.

Install and Configure the BIND Server Software

To run a DNS server, you need to install the following packages:


n bind. The BIND server software (version 9 in SLES 9)
n bind-utils. Utilities to query and test BIND (included in standard installation)

Before starting the DNS server, you have to make some basic configuration changes.
After finishing your configuration, you can start the server using the following
command:

rcnamed start

To stop a running server, use the following command:

rcnamed stop

To have the DNS server start automatically at boot time, use the following command:

insserv named

This creates the necessary links in the runlevel directories.


Configure a Caching-Only DNS server

A caching-only DNS server does not manage its own databases but merely accepts
queries and forwards them to other DNS servers. The supplied replies are saved in
the cache.

A caching-only DNS server can be used on a workstation or a gateway that has
access to an external DNS server.

The DNS server configuration is defined in the file /etc/named.conf. You can use the
example file that is installed with the DNS package as a configuration file for a
caching-only server.

The following example shows a simple configuration:

#
# /etc/named.conf: Configuration of the name server (BIND9)
#
# Global options
#
options
{
#
# In which directory are the database files?
#
directory "/var/lib/named";
};

The global options are defined in the options block at the beginning of the file. The
directory containing the database files (or zone files) is listed. Normally, this is
/var/lib/named/.

All file names given later in /etc/named.conf are relative to this directory. The
directory is created when installing the server package. It contains several
preconfigured files. Other options can also be defined in this file.

The Global options are followed by the definition of the database files for the
domains managed by the DNS server. Several entries are needed for basic DNS
server functions such as those provided by a caching-only server.

Three entries are needed for every DNS server:


n The entry for root DNS servers (not needed for BIND 9 because it has the list of
root DNS servers compiled into the software).
n The forward resolution for localhost
n The reverse resolution for the network 127.0.0.0 (localhost)


The following are examples of these entries:

#
# entry for root nameservers
#
zone "." in {
type hint;
file "root.hint";
};

#
# forward resolution for localhost
#
zone "localhost" in {
type master;
file "localhost.zone";
};

#
# reverse resolution for localhost
#
zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};

The zone entry for the root DNS servers contains a reference to a file containing the
addresses of the root DNS servers. This file (root.hint) is generated in the directory
/var/lib/named/ during the installation of the package bind.

The 2 files for the resolution of localhost are also generated during the installation.
The structure of these files is explained later.

With these entries alone, queries the DNS server cannot answer from its own zones
are sent directly to the responsible DNS servers, beginning with the root DNS
servers. This resolution method can be very slow. The problem can be solved by
using forwarders.

The DNS server has the addresses of other DNS servers in case it cannot resolve a
host name itself. You might be able to use the DNS servers of an Internet provider for
this purpose, as they usually have a lot of information in their cache.

You can define these DNS servers in the options block in the file
/etc/named.conf, as in the following:

options
{
directory "/var/lib/named";

forwarders
{
10.0.0.254;
};
};

You can enter up to 3 DNS server addresses. Queries that cannot be resolved by the
local DNS server are forwarded to one of the specified DNS servers.

If these DNS servers cannot be reached, the queries are sent directly to the root DNS
servers.


Configure a Master Server for Your Domain

The following are the tasks you need to do to configure a master DNS server for your
domain:
n Adapt the Main Server Configuration File
n Create the Zone Files
n Create Additional Resource Records

Adapt the Main Server Configuration File

You can adapt the configuration for the caching-only DNS server for configuring a
DNS server containing its own information files.

This configuration already contains the global entries for the directory and the
forwarders (which can be omitted) entries in the options block. The file also contains
the mandatory entries for the root servers and the resolution of localhost.

The global options are followed by definitions for the database files (or zone files)
for the domains this DNS server serves. At least 2 files are necessary for each
domain:
n A file for forward resolution (allocating an IP address to a computer name)
n A file for reverse resolution (allocating a computer name to an IP address)

If several subnets belong to a domain, then one file for each of these networks must
be created for reverse resolution.

Each definition begins with the instruction zone (this is why the database files are
also known as zone files), followed by the name of this zone.

For forward resolution, this is always the domain name. For reverse resolution, the
network prefix of the IP address must be given in reverse order (10.0.0.0 becomes
0.0.10.) to which the suffix in-addr.arpa is added (0.0.10.in-addr.arpa).

The zone name is always followed by an “in” for Internet. (DNS servers can
administer information on different name spaces, not only that of the Internet. Other
name spaces are practically never used).

The text in curly brackets defines the type of DNS server this is for the corresponding
zone (here it is always the type master; other types are introduced later).

Finally, there is the name of the file in which the entries for this zone are located.

The entries for the Digital Airlines configuration look like the following:

#
# forward resolution for the domain digitalairlines.com
#
zone "digitalairlines.com" in
{
type master;
file "master/digitalairlines.com.zone";
};
#
# reverse resolution for the network 10.0.0.0
#
zone "0.0.10.in-addr.arpa" in
{
type master;
file "master/10.0.0.zone";
};
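
The following is an added example in Python (not part of the course material) that derives the zone names described above from a domain name and a network, and renders the two zone statements in the layout just shown. The prefix length is an assumption (the text implies /24 for 10.0.0.0 but does not state it); the reverse file name follows the course's master/10.0.0.zone convention.

```python
import ipaddress

# Added example, not course code: derive the zone names and the two
# /etc/named.conf zone statements of a master server from a domain name
# and a network. The prefix length is an assumption (the text implies /24
# for 10.0.0.0); the reverse file name follows the course's "10.0.0.zone".


def reverse_zone_name(network: str) -> str:
    """Reverse zone for an octet-aligned IPv4 network.

    The network octets are written in reverse order and in-addr.arpa is
    appended: 10.0.0.0/24 -> 0.0.10.in-addr.arpa, 10.0.0.0/8 -> 10.in-addr.arpa.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("one in-addr.arpa zone covers only a /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address: str, network: str) -> str:
    """Relative owner name of the PTR record for an address in its reverse
    zone: 10.0.0.12 in 10.0.0.0/24 -> "12", 10.0.5.12 in 10.0.0.0/16 -> "12.5"."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {network}")
    host_octets = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


def master_zone_statements(domain: str, network: str) -> str:
    """Render the forward and reverse zone statements in the course layout."""
    net = ipaddress.ip_network(network, strict=True)
    net_addr = str(net.network_address)
    reverse = reverse_zone_name(network)
    # reverse zone file named after the network prefix, e.g. master/10.0.0.zone
    reverse_file = ".".join(net_addr.split(".")[: net.prefixlen // 8])
    lines = [
        "#",
        f"# forward resolution for the domain {domain}",
        "#",
        f'zone "{domain}" in',
        "{",
        "type master;",
        f'file "master/{domain}.zone";',
        "};",
        "#",
        f"# reverse resolution for the network {net_addr}",
        "#",
        f'zone "{reverse}" in',
        "{",
        "type master;",
        f'file "master/{reverse_file}.zone";',
        "};",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(master_zone_statements("digitalairlines.com", "10.0.0.0/24"))
```

Passing a network with host bits set (for example 10.0.0.5/24) or a prefix that is not octet-aligned raises a ValueError, which catches the two most common mistakes when naming a reverse zone by hand.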

Create the Zone Files

The 2 files for the domain localhost and the file for the root DNS servers are always
included in the installation. You do not need to change these files; however, you must
create the files required for the actual domain.

The subdirectory /var/lib/named/master/ is used for the database files of a master
server.

You need to know the following to manually create the zone files:
• Structure of the Files
• The File /var/lib/named/master/digitalairlines.com.zone
• The File /var/lib/named/master/10.0.0.zone
• The File /var/lib/named/master/localhost.zone
• The File /var/lib/named/master/127.0.0.zone

Note: In these files, the semicolon is used as a comment sign.

Structure of the Files

Each of the database files consists of a series of entries, or resource records. The
syntax of these records is always as follows:

reference [TTL] class type value

The following describes each part of a record:

• reference. The reference to which the record refers. This can be a domain (or
subdomain) or a standalone computer (name or IP address).
• TTL. The Time To Live value for the record. If it is omitted, the default TTL value
is used.
• class. The class of the record. For TCP/IP networks, this is always IN (internet).
• type. The type of the record. The most important types are listed in the table
below.
• value. The value of the record. The value depends on the type of record as listed
in the following:

Table 3-2

Record Type   Meaning                                       Value
SOA           Start of Authority (term for the authority)   Parameter for the domain
NS            DNS server                                    Name of one of the DNS servers for this domain
MX            Mail exchanger                                Name and priority of a mail server for this domain
A             Address                                       IP address of a computer
PTR           Pointer                                       Name of a computer
CNAME         Canonical name                                Alias name for a computer

Note: Individual entries must always start in the first column with the reference. If an entry does not
start in the first column, the reference is taken from the previous entry.

The File /var/lib/named/master/digitalairlines.com.zone

Unlike earlier versions of BIND, BIND 9 requires you to specify a default TTL for
all information at the beginning. This value is used whenever the TTL has not been
explicitly given for an entry.

You define the TTL with the following instruction:

;
; definition of a standard time to live, here: two days
;
$TTL 172800

In this example, the TTL is given in seconds. But it can be given in other units, such
as 2D for two days. Other units are M (minutes), H (hours), and W (weeks).

This is followed by the definition of the SOA (Start of Authority) entry, which
specifies which DNS server has the authority for this domain:

;
; SOA Entry
;
digitalairlines.com. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
2004092601 ; serial number
1D ; refresh (one day)
2H ; retry (two hours)
1W ; expiry time (one week)
3H ; "negative" validity (three hours)
)

The domain to which this entry refers (here, digitalairlines.com) is listed first. The
domain name must end with a dot. If a name does not have a dot at the end, the name
of the domain is added on, which could lead to an error here.

After the SOA entry the name of the DNS server is listed (in this example,
da1.digitalairlines.com with a dot at the end). Alternatively, you could write da1,
and the domain name digitalairlines.com would be added after the name.

Next comes the email address of the person who is responsible for the administration
of the DNS server. The “@” usually used in email addresses must be replaced by a
dot (so the email address adm@digitalairlines.com is written as
adm.digitalairlines.com in this example). This is necessary because @ has a special
meaning as an abbreviation.

After this information, there is a serial number. Any number can be used, but
normally the date and a version number are used here. After any change to the data in
this file, the serial number has to be increased.

Slave servers use this number to detect if they need to copy this zone file or not. If
the serial number on the master server is greater than that on the slave server, the file
is copied.

This is followed by four time values (the first three entries listed here are only
important for slave servers):
• The first entry causes a slave server to query the master server after this length of
time, to see if there is a new version of the files (in the example, this is 1D or one
day).
• If the slave server cannot reach the master server, the second entry specifies at
what intervals new attempts should be made (in the example, this is 2H or two
hours).
• If the master server is not reached for a longer period of time, the third entry
specifies when the slave server should discard its information on this zone (in the
example, this is 1W or a week).
The basic idea here is that it is better not to pass on any information than to pass
on outdated information.
• The fourth entry defines for how long negative responses from the DNS server
are valid. Each requesting server stores responses in its cache, even if a computer
name could not be resolved (in the example, this is 3H or 3 hours).

These time definitions are followed by the name of the computer that is responsible
for this domain as the DNS server. In all cases, the master server must be entered
here. If slave servers are used, they should also be entered, as in the following:

;
; entry for the name server
;
digitalairlines.com. IN NS da1.digitalairlines.com.

The name of the domain can be omitted at this point. Then the name from the
previous entry is taken (the SOA entry).

At the end of this file are the IP addresses that are allocated to computer names. This
is done with A (address) entries, as in the following:

;
; Allocation of IP addresses to host names
;
da10 IN A 10.0.0.10
da12 IN A 10.0.0.12
da13 IN A 10.0.0.13

The File /var/lib/named/master/10.0.0.zone

The file for reverse resolution contains similar entries as the file for forward
resolution. At the beginning of the file there is the definition of a default TTL and an
SOA entry.

In the SOA and NS entries, the IP address of the network is written in reverse order:

; Database file for the domain digitalairlines.com:
; reverse resolution for the network
; 10.0.0.0
;
; Definition of a default TTL, here: two days
;
$TTL 172800
;
; SOA entry
;
0.0.10.in-addr.arpa. IN SOA da1.digitalairlines.com. adm.digitalairlines.com. (
2004092601 ; serial number
1D ; refresh (one day)
2H ; retry (two hours)
1W ; expiry time (one week)
3H ; "negative" validity (three hours)
)
;
; Entry for the name server
;
IN NS da1.digitalairlines.com.

At the end of this file are the IP addresses that are allocated to computer names, this
time with the PTR (Pointer) entry, as in the following:

;
; Allocation of host names to IP addresses
;
10 IN PTR da10.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
13 IN PTR da13.digitalairlines.com.
14 IN PTR da14.digitalairlines.com.

The following 2 files must exist for the local computer. These are created
automatically during installation and should not be modified.

The File /var/lib/named/master/localhost.zone

The following is an example of the file /var/lib/named/master/localhost.zone:

$TTL 1W
@ IN SOA @ root (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS @
IN A 127.0.0.1

In this example, the “@” character is used as an abbreviation (for this reason, it must
be replaced by a dot in the email address in the database files).

Using “@” instead of the domain name causes the file /etc/named.conf to be read to
see for which domain this file is responsible.

In this case, it is localhost, which is also used for the name of the DNS server (this is
why “@” appears many times in the file).

The File /var/lib/named/master/127.0.0.zone

In this file, the abbreviation “@” is also used. But here the computer name must be
given explicitly with localhost (remember the dot at the end):

$TTL 1W
@ IN SOA localhost. root.localhost. (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS localhost.
1 IN PTR localhost.

Create Additional Resource Records

Apart from the resource records already discussed (SOA, NS, A, PTR), there are MX
and CNAME resource records, which are used to do the following:
• Define Mail Servers for the Domain
• Assign Aliases for Computers

Define Mail Servers for the Domain

To be able to use email addresses in the form geeko@digitalairlines.com, the email
server responsible for the domain must be defined (the email cannot be sent directly
to the domain, but must be sent to a mail server).

To achieve this, an MX (Mail Exchange) entry must be made in the database file for
forward resolution, after the DNS server entry:

digitalairlines.com. IN MX 0 mail
IN MX 10 da1
IN MX 10 da5

If an email is now sent to the address geeko@digitalairlines.com, the computer
sending the mail asks the DNS server which computer is the mail server, and is sent
the list of the MX entries in return.

Several mail servers can be given. On the basis of their priorities, it is then decided to
which computer the email is sent. The priority of mail servers is defined by the
number in front of the computer name; the lower this number, the higher the priority.

In this example the computer mail.digitalairlines.com has the highest priority (it is
therefore the primary mail server); da1.digitalairlines.com and da5.digitalairlines.com
both have the same priority.

If the mail server with the highest priority cannot be reached, the mail server with the
second highest priority is used. If several mail servers have the same priority, then
one of them is chosen at random. An address entry must be made for each mail
server.

Assign Aliases for Computers

If you want a computer to be reached by more than one name (such as addressing a
computer as da30.digitalairlines.com and www.digitalairlines.com), then
corresponding aliases must be given.

These are the CNAME (canonical name) entries in the database file for forward
resolution:

da30 IN A 10.0.0.30
www IN CNAME da30

Note: The names of the mail servers for the domain (MX entry) cannot be alias names, since some mail
servers cannot handle this correctly.
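
The following is an added example in Python (not course code) showing how a sending host uses the MX records described under Define Mail Servers for the Domain, and a check for the note above that an MX target may not be an alias. The zone data is a constructed version of the digitalairlines.com examples with absolute names; the addresses of mail, da1 and da5 are made up for the example.

```python
import random
from collections import defaultdict

# Added example, not course code: how a sending mail host uses the MX records
# above, and a check for the note that an MX target may not be an alias.
# Records are (owner, type, value) tuples with absolute names; the zone data
# is a constructed version of the course's digitalairlines.com examples and
# the addresses of mail, da1 and da5 are made up.

ZONE = [
    ("digitalairlines.com.", "MX", "0 mail.digitalairlines.com."),
    ("digitalairlines.com.", "MX", "10 da1.digitalairlines.com."),
    ("digitalairlines.com.", "MX", "10 da5.digitalairlines.com."),
    ("mail.digitalairlines.com.", "A", "10.0.0.25"),
    ("da1.digitalairlines.com.", "A", "10.0.0.1"),
    ("da5.digitalairlines.com.", "A", "10.0.0.5"),
    ("da30.digitalairlines.com.", "A", "10.0.0.30"),
    ("www.digitalairlines.com.", "CNAME", "da30.digitalairlines.com."),
]


def mx_by_priority(zone, domain):
    """MX targets grouped by priority; lowest number (= best) first."""
    groups = defaultdict(list)
    for owner, rtype, value in zone:
        if owner == domain and rtype == "MX":
            priority, target = value.split()
            groups[int(priority)].append(target)
    return [(p, sorted(groups[p])) for p in sorted(groups)]


def choose_mail_server(zone, domain, reachable, seed=None):
    """Pick the delivery target the way the text describes: best priority
    group first, a random member among equal priorities, the next group only
    when nobody in the better group can be reached. None if nothing works."""
    rng = random.Random(seed)
    for _, targets in mx_by_priority(zone, domain):
        candidates = [t for t in targets if reachable(t)]
        if candidates:
            return rng.choice(candidates)
    return None


def mx_target_problems(zone):
    """MX targets that are aliases (CNAME) or lack the required A record."""
    aliases = {o for o, t, _ in zone if t == "CNAME"}
    addressed = {o for o, t, _ in zone if t == "A"}
    problems = []
    for owner, rtype, value in zone:
        if rtype != "MX":
            continue
        target = value.split()[1]
        if target in aliases:
            problems.append((target, "is an alias (CNAME)"))
        elif target not in addressed:
            problems.append((target, "has no address record"))
    return problems
```

The reachable argument is a function that reports whether a host accepts connections, so the fallback from mail to the da1/da5 group can be tried without a network. mx_target_problems is the check to run after editing the zone: it reports both an MX pointing at a CNAME and an MX whose target has no address entry, the two mistakes the section warns about.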

Configure One or More Slave Servers

To guarantee reliable operation, at least one more DNS server besides the master
server is required. This can take over part of the load from the DNS master server.
But it is especially important in case the DNS master server is not available. This
new DNS server is set up as a DNS slave server.

The essential difference between the two types is that a slave server receives copies
of the zone files from the master server. Modifications to the zone files are only made
on the master server.

As soon as a slave server is started, it connects to the master server and receives a
copy of the zone files from it. This is called a zone transfer.

Comparison of data between the servers takes place automatically. On the one hand,
the slave server queries the master server at regular intervals and detects, using the
serial number of the zone files, whether anything has changed.

By default, the master server sends a message to all listed slave servers (called notify)
as soon as it has been restarted in order to read in modified zone files.

In the configuration file /etc/named.conf for a slave server, there are at least 2 entries
that define it as a master server: the 2 zone definitions for the loopback network
(localhost).

There might also be a zone definition for the root DNS server. But a zone definition
is only necessary if the slave server will forward requests to other DNS servers.

The definitions for zones for which it should copy data from the master server look
like the following:

zone "digitalairlines.com" in
{
type slave;
file "slave/digitalairlines.com.zone";
masters
{
10.0.0.254;
};
};

The slave server gets data from the master server with the IP address 10.0.0.254 and
stores it in the directory /var/lib/named/slave/. This directory is created when you
install the BIND package.

A similar configuration must be made for reverse resolution, as in the following:

zone "0.0.10.in-addr.arpa" in
{
type slave;
file "slave/10.0.0.zone";
masters
{
10.0.0.254;
};
};

In the simplest configuration, the slave server gets information from the master server
at regular intervals. This can cause the slave server to provide outdated information
for a certain length of time.

This is why it is reasonable to instruct the master server to inform the slave servers
about modifications in the database files. The slave servers then immediately carry
out a zone transfer, which always brings them up to date.
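
The following is an added example in Python (not course code) that models the master/slave behaviour described in this section and the meaning of the SOA timers explained earlier: how a slave decides from the serial number whether to copy the zone, how the refresh, retry and expire values drive its checks, what a notify changes, and how the serial is bumped in the date-based form the text recommends. serial_is_newer uses the 32-bit serial arithmetic of RFC 1982 that BIND applies, which generalises the text's “greater than” to serials that wrap around; the scenario in simulate() is constructed with the course's 1D, 2H and 1W timers.

```python
# Added example, not course code: the serial-number and timer logic of the
# master/slave relationship described above. SlaveZone models what a slave
# does with the SOA refresh, retry and expire values; serial_is_newer uses
# the 32-bit serial arithmetic of RFC 1982 that BIND applies, which
# generalises the text's "greater than" to serials that wrap around.

HOUR, DAY, WEEK = 3600, 86400, 604800


def serial_is_newer(master: int, slave: int) -> bool:
    """True if the master's serial is ahead of the slave's (RFC 1982)."""
    diff = (master - slave) % 2**32
    return 0 < diff < 2**31


def next_serial(current: int, today: str) -> int:
    """Next YYYYMMDDnn serial for a change made on `today` (YYYY-MM-DD).

    Always returns a value greater than `current`, also for a second change
    on the same day and for a serial that was set too far in the future.
    """
    candidate = int(today.replace("-", "") + "01")
    return candidate if candidate > current else current + 1


class SlaveZone:
    """Refresh/retry/expire behaviour of a slave for one zone.

    Times are seconds; `tick` is called by the caller's clock. `master` is the
    serial the master currently answers with, or None if it is unreachable.
    """

    def __init__(self, refresh: int, retry: int, expire: int, serial: int, now: int):
        self.refresh, self.retry, self.expire = refresh, retry, expire
        self.serial = serial
        self.last_contact = now          # last successful SOA check or transfer
        self.next_check = now + refresh
        self.expired = False

    def tick(self, now: int, master) -> str:
        if self.expired:
            return "expired"
        if now < self.next_check:
            return "idle"
        if master is None:
            if now - self.last_contact >= self.expire:
                self.expired = True      # stale data is worse than no data
                return "expired"
            self.next_check = now + self.retry
            return "retry"
        self.last_contact = now
        self.next_check = now + self.refresh
        if serial_is_newer(master, self.serial):
            self.serial = master         # zone transfer
            return "transfer"
        return "up-to-date"

    def notify(self, now: int, master) -> str:
        """A notify from the master makes the slave check right away."""
        self.next_check = now
        return self.tick(now, master)


def simulate() -> list:
    """Constructed scenario with the course's timers (1D, 2H, 1W)."""
    zone = SlaveZone(1 * DAY, 2 * HOUR, 1 * WEEK, 2004092601, now=0)
    events = []
    events.append((1 * DAY, zone.tick(1 * DAY, 2004092601)))            # up-to-date
    events.append((2 * DAY, zone.tick(2 * DAY, None)))                   # retry
    events.append((2 * DAY + 2 * HOUR, zone.tick(2 * DAY + 2 * HOUR, 2004092701)))  # transfer
    events.append((3 * DAY, zone.notify(3 * DAY, 2004092702)))           # transfer via notify
    # master disappears: retries every 2H until one week without contact
    t = 4 * DAY
    while not zone.expired:
        events.append((t, zone.tick(t, None)))
        t += 2 * HOUR
    return events
```

In the simulated week-long outage the slave keeps answering from its copy and retrying every two hours, then discards the zone exactly one week after the last successful contact (at day 10), which is the trade-off the text describes: no information rather than outdated information. Note that a serial that does not change after an edit leaves every slave on the old data indefinitely, since serial_is_newer is false.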

In order for the master server to be able to communicate with the slave servers, it
must know about them. By default, the master server automatically informs its slave
servers. But this can also be done in the options section of the file /etc/named.conf, as
in the following:

options
{
...
notify yes;
};

Subsequently, the slave servers must be entered as DNS servers in the database files
(of the forward and reverse resolution):

digitalairlines.com. IN NS da8.digitalairlines.com.

IN NS da8.digitalairlines.com.

This informs the slave server, da8.digitalairlines.com, about all modifications.

Configure the Client Computers to Use the DNS Server

You can use YaST to configure a client computer during installation to use the DNS
server (configuration of the network) or later. You simply have to enter the IP address
of the DNS server and possibly add some information about your domain.

This information is written to the file /etc/resolv.conf, as in the following:

search digitalairlines.com
nameserver 10.0.0.254

Normally, this file has the following 2 types of entries:

• search. A list of the names of domains (or subdomains) is provided after this
keyword. Several domain names are entered on one line. This allows only the
host name to be used to resolve to the correct IP address.
The host name is expanded by the domain names specified here until a matching
IP address is found.
For example, if you provide digitalairlines.com and atl.digitalairlines.com as
domain names, the host name server is expanded to server.digitalairlines.com and
server.atl.digitalairlines.com to look for a corresponding IP address. The first
matching IP address is returned.
If both of these host names exist, you have to specify the FQDN to resolve the IP
address.
• nameserver. The keyword nameserver specifies the IP address of a DNS server
to use. You can have up to 3 entries, but each of them must only contain 1 server
address. If several entries of this type exist, the DNS servers are queried in this
order.

There is another important file for the clients: /etc/nsswitch.conf. This file applies
to all programs that use the resolver functions of the current GNU C Library (libc6).
(The predecessor of this file is /etc/host.conf, which applies to older versions of the
GNU C Library.)

This file configures the name service switch, which is responsible for resolving host
names, network names, users, and groups.

The relevant part for resolving host names looks like the following:

#
# /etc/nsswitch.conf
#
...
hosts: files dns
networks: files dns
...

Both entries shown here define that the first attempt to resolve a host name is made
using the file /etc/hosts. If this fails, a DNS server resolves the name. The same
applies to the resolution of network names, which are looked up in /etc/networks first.
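
The following is an added example in Python (not course code) that walks through the client-side lookup path described above: the search list from /etc/resolv.conf, the at-most-three nameserver entries, and the files-then-dns order from /etc/nsswitch.conf. All three files and the DNS data are constructed samples; DNS_DATA stands in for the answers a DNS server would give. One detail goes beyond the text: a name that already contains a dot is tried as given before the search list is applied, which is the behaviour of the glibc resolver with its default ndots:1 setting.

```python
# Added example, not course code: the client-side lookup path described above,
# i.e. the search list from /etc/resolv.conf and the "hosts: files dns" order
# from /etc/nsswitch.conf. All three files and the DNS data are constructed
# samples; DNS_DATA stands in for the answers of the DNS server.

RESOLV_CONF = """\
search digitalairlines.com atl.digitalairlines.com
nameserver 10.0.0.254
"""

NSSWITCH_CONF = """\
#
# /etc/nsswitch.conf
#
passwd: compat
hosts: files dns
networks: files dns
"""

HOSTS_FILE = """\
127.0.0.1 localhost
10.0.0.10 da10.digitalairlines.com da10
"""

DNS_DATA = {  # FQDN -> address (constructed)
    "da10.digitalairlines.com": "10.0.0.10",
    "server.digitalairlines.com": "10.0.0.40",
    "server.atl.digitalairlines.com": "10.0.1.40",
    "www.digitalairlines.com": "10.0.0.30",
}


def parse_resolv_conf(text):
    """Return (search list, name servers); the resolver uses at most 3 servers."""
    search, nameservers = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "search":
            search = parts[1:]
        elif parts[0] == "nameserver" and len(nameservers) < 3:
            nameservers.append(parts[1])
    return search, nameservers


def parse_nsswitch(text, database):
    """Sources listed for one database, e.g. ['files', 'dns'] for 'hosts'."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == database + ":":
            return parts[1:]
    return []


def parse_hosts(text):
    """/etc/hosts: every name and alias on a line maps to its address."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            table.setdefault(name, parts[0])
    return table


def expand(name, search):
    """Names the resolver tries, in order. A trailing dot means absolute.
    Like glibc with its default ndots:1, a name with a dot is tried as given
    first; a bare host name is tried with each search domain first."""
    if name.endswith("."):
        return [name[:-1]]
    with_search = [f"{name}.{domain}" for domain in search]
    return [name] + with_search if "." in name else with_search + [name]


def resolve(name, resolv=RESOLV_CONF, nsswitch=NSSWITCH_CONF, hosts=HOSTS_FILE, dns=DNS_DATA):
    """(address, source, name that matched) or None, following nsswitch order."""
    search, _ = parse_resolv_conf(resolv)
    hosts_table = parse_hosts(hosts)
    for source in parse_nsswitch(nsswitch, "hosts"):
        if source == "files":
            if name in hosts_table:            # /etc/hosts matches literally
                return hosts_table[name], "files", name
        elif source == "dns":
            for candidate in expand(name, search):
                if candidate in dns:           # first match wins
                    return dns[candidate], "dns", candidate
    return None
```

resolve("server") returns the address of server.digitalairlines.com even though server.atl.digitalairlines.com also exists, which is the ambiguity the text resolves by specifying the FQDN. Because files is consulted first, an entry in /etc/hosts silently overrides whatever DNS says for that name, so /etc/hosts is worth checking whenever a client resolves a name differently from the server.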

Use Command Line Tools to Query DNS Servers

Several command line tools are available to query DNS servers. These include the
following:
• host Command
• dig Command

host Command

The most important command line tool for querying a DNS server is called host. The
general syntax is as follows:

host computer nameserver

The following example shows how it is used:

da2:~ # host da50
da50.digitalairlines.com has address 10.0.0.50
da2:~ # host 10.0.0.49
49.0.0.10.in-addr.arpa domain name pointer da49.digitalairlines.com.
...

If a DNS server address is not provided, host contacts the servers listed in
/etc/resolv.conf. If you want to use another DNS server, you have to provide its IP
address with the command.

By default, host returns the IP address or the host name, depending on which
information is given. If you want to query domain information, you need to use the
option -t with the type of information required, as in the following:

da2:~ # host -t ns novell.com
novell.com name server ns.novell.com.
novell.com name server ns1.westnet.net.
novell.com name server ns.utah.edu.

In this example, the host names of the DNS servers for the domain novell.com are
requested.

dig Command

A more verbose command is dig, which is normally used to troubleshoot DNS
problems. The general syntax is as follows:

dig @nameserver computer type query_options

The options are listed in the following table:

Table 3-3

Option          Description
nameserver      The IP address or name of the DNS server that should be queried. If not
                specified, dig checks all DNS servers listed in /etc/resolv.conf.
computer        The resource record to query about (such as a host name, an IP address, or
                a domain name).
type            The type of resource record to be returned, such as A (IP address), NS (DNS
                server), MX (mail exchanger), -x (pointer), or ANY (all information).
query_options   Defines how the query is done and how the results are displayed. Each
                query option starts with a plus sign (+).

The most important difference between host and dig is that dig does not use the
domain list from /etc/resolv.conf by default to expand the host name. This means that
the FQDN or IP address of the host must be specified. If the domain list should be
used, you need to use the query option +search.

The following example demonstrates the application:

da2:~ # dig ripe.net ns

; <<>> DiG 9.2.3 <<>> ripe.net ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1315
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 9

;; QUESTION SECTION:
;ripe.net. IN NS

;; ANSWER SECTION:
ripe.net. 158814 IN NS ns2.nic.fr.
ripe.net. 158814 IN NS sunic.sunet.se.
ripe.net. 158814 IN NS auth03.ns.uu.net.
ripe.net. 158814 IN NS munnari.oz.au.
ripe.net. 158814 IN NS ns.ripe.net.

;; ADDITIONAL SECTION:
ns.ripe.net. 171939 IN A 193.0.0.193
ns.ripe.net. 171939 IN AAAA 2001:610:240:0:53::193
ns2.nic.fr. 344302 IN A 192.93.0.4
ns2.nic.fr. 344302 IN AAAA 2001:660:3005:1::1:2
sunic.sunet.se. 172586 IN A 192.36.125.2
auth03.ns.uu.net. 170436 IN A 198.6.1.83
munnari.oz.au. 170107 IN A 128.250.22.2
munnari.oz.au. 170107 IN A 128.250.1.21
munnari.oz.au. 21410 IN AAAA 2001:388:c02:4000::1:21

;; Query time: 51 msec
;; SERVER: 10.0.0.254#53(10.0.0.254)
;; WHEN: Mon Sep 27 15:27:01 2004
;; MSG SIZE rcvd: 329

The QUESTION SECTION shows what was queried and the ANSWER SECTION
shows the response: a list of DNS servers of the domain ripe.net.

The IP addresses of certain DNS servers are listed under ADDITIONAL SECTION.
The address in the last line is an IPv6 address (2001:388:c02:4000::1:21).

Data about the query, such as the duration of the query (Query time), the server that
answered the query (SERVER), and the date of the query (WHEN) are listed at the
end of the output.
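
The following is an added example in Python (not course code) that parses the dig output shown above into its sections, so the answer can be checked programmatically rather than by eye. DIG_OUTPUT is the course's listing reproduced as a constructed string with one space between fields. Two checks a practitioner wants are included: whether the counts in the header line match the records actually printed (a mismatch means truncated or mis-parsed output), and whether the aa flag is present; in this listing it is not, because the answer came from the recursive server 10.0.0.254 rather than from a server authoritative for ripe.net.

```python
import re

# Added example, not course code: a parser for the dig output shown above,
# so the sections can be checked programmatically. DIG_OUTPUT is the
# course's sample, reproduced as a constructed string with one space per
# field (the original listing had one line wrapped).

DIG_OUTPUT = """\
; <<>> DiG 9.2.3 <<>> ripe.net ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1315
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 9

;; QUESTION SECTION:
;ripe.net. IN NS

;; ANSWER SECTION:
ripe.net. 158814 IN NS ns2.nic.fr.
ripe.net. 158814 IN NS sunic.sunet.se.
ripe.net. 158814 IN NS auth03.ns.uu.net.
ripe.net. 158814 IN NS munnari.oz.au.
ripe.net. 158814 IN NS ns.ripe.net.

;; ADDITIONAL SECTION:
ns.ripe.net. 171939 IN A 193.0.0.193
ns.ripe.net. 171939 IN AAAA 2001:610:240:0:53::193
ns2.nic.fr. 344302 IN A 192.93.0.4
ns2.nic.fr. 344302 IN AAAA 2001:660:3005:1::1:2
sunic.sunet.se. 172586 IN A 192.36.125.2
auth03.ns.uu.net. 170436 IN A 198.6.1.83
munnari.oz.au. 170107 IN A 128.250.22.2
munnari.oz.au. 170107 IN A 128.250.1.21
munnari.oz.au. 21410 IN AAAA 2001:388:c02:4000::1:21

;; Query time: 51 msec
;; SERVER: 10.0.0.254#53(10.0.0.254)
;; WHEN: Mon Sep 27 15:27:01 2004
;; MSG SIZE rcvd: 329
"""

SECTIONS = ("question", "answer", "authority", "additional")


def parse_dig(text):
    """Split dig output into header data and the four record sections."""
    result = {"status": None, "flags": [], "counts": {}, "server": None,
              "query_time_msec": None, **{s: [] for s in SECTIONS}}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1).lower()
        elif line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags, counts = line[len(";; flags:"):].split(";", 1)
            result["flags"] = flags.split()
            result["counts"] = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", counts)}
        elif line.startswith(";; Query time:"):
            result["query_time_msec"] = int(line.split()[3])
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split()[2]
        elif line.startswith(";"):
            if section == "question":          # question lines start with ';'
                name, cls, rtype = line[1:].split()
                result["question"].append((name, cls, rtype))
        elif section in SECTIONS:
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            result[section].append((owner, int(ttl), cls, rtype, rdata))
    return result


def counts_match(result):
    """True if the header counts equal the records actually printed; a
    mismatch means the output was truncated or mis-parsed."""
    header = {"QUERY": "question", "ANSWER": "answer",
              "AUTHORITY": "authority", "ADDITIONAL": "additional"}
    return all(result["counts"].get(k) == len(result[s]) for k, s in header.items())


def addresses_for(result, name):
    """A and AAAA records for a name from the answer, authority and
    additional sections, in output order."""
    return [rdata for s in SECTIONS[1:] for owner, _, _, rtype, rdata in result[s]
            if owner == name and rtype in ("A", "AAAA")]
```

addresses_for(parse_dig(DIG_OUTPUT), "munnari.oz.au.") returns the two IPv4 addresses and the IPv6 address discussed above in the order dig printed them.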

Find More Information About DNS

If there are syntax errors in one of the configuration or zone files, BIND writes
verbose messages to the file /var/log/messages. These messages also contain
information on the filename and the line in which this error occurs.

If there is an error, the processing of the file is interrupted at this point (that is, errors
later in the file are not detected now).

For more information about BIND and DNS, see DNS and BIND by Paul Albitz and Cricket Liu
and the BIND homepage at http://www.isc.org/sw/bind/.

Exercise 3-1 Configure a DNS server

In this exercise, you work with a partner to configure a DNS master server and a
DNS slave server for the domain digitalairlines.com. You need to work as a team on
all parts of the exercise.

Do the following:
• Part I: Install BIND
• Part II: Configure a DNS Master Server
• Part III: Configure the DNS Slave Server

Note: This exercise requires extensive typing to create your DNS files. To save you some time, the files
digitalairlines.com.zone and 10.0.0.zone are included on your 3038 Course CD in the directory
/exercises/section_3.

Part I: Install BIND

Do the following on both SLES 9 servers:

1. From the KDE menu, select System > YaST.
2. Enter the root password and select OK.
3. From the YaST Control Center, select Software > Install and Remove Software.
4. From the filter drop-down menu, select Search.
5. In the Search field, enter bind; then select Search.
6. On the right, select the bind package.
7. Select Accept; then insert the requested SLES 9 CD.
8. When installation is complete, remove the CD and close the YaST Control Center.

Part II: Configure a DNS Master Server

Decide which SLES 9 server will be the DNS master server, then do the following
only on the master server:
1. Open a terminal window and su to root.
2. Open the file /etc/named.conf in a text editor.
3. Configure the forwarders line to match the following:
forwarders { 10.0.0.254; };
Make sure that you delete the comment character from the beginning of the
forwarders line.

4. Add the following 2 zone statements after the existing zone statements:
zone "digitalairlines.com" in {
type master;
file "master/digitalairlines.com.zone";
};

zone "0.0.10.in-addr.arpa" in {
type master;
file "master/10.0.0.zone";
};
5. Save and close the file.
6. Create a new file digitalairlines.com.zone in the directory
/var/lib/named/master/.
7. Enter the following zone configuration in the file:
$TTL 172800

digitalairlines.com. IN SOA your_FQHN. root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

digitalairlines.com. IN NS your_FQHN.

da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12
The SOA record (including root.digitalairlines.com) must be on a single line.
Make sure you enter your FQHN (such as da50.digitalairlines.com) in the SOA
and NS records. Use the current date and “01” as the serial number (such as
2005071501).
8. Save and close the file.
9. Create a new file 10.0.0.zone in the directory
/var/lib/named/master/.

10. Enter the following zone configuration in the file:

$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN.
root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

IN NS your_FQHN.

10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.
The SOA record (including root.digitalairlines.com) must be on a single line.
Make sure you enter your FQHN (such as da50.digitalairlines.com) in the SOA
and NS records. Use the current date and “01” as the serial number (such as
2005071501).
11. Save and close the file.

12. Open a second terminal window and su to root.

13. Enter the following command:

tail -f /var/log/messages
14. Switch to the first terminal window and start bind with the following command:

rcnamed start

Note: If there are errors in the file /etc/named.conf, they are noted in the output (with specific
references and line numbers). The named daemon will not start until these errors are fixed.

15. From the second terminal window, watch the log output of bind for any messages
such as Unknown RR type or file not found.
16. If any errors occur, try to fix them and restart bind.

Note: One solution is to edit the digitalairlines.com.zone file by replacing “digitalairlines.com.
IN SOA...” with “@ IN SOA...” and to edit the 10.0.0.zone file by replacing
“0.0.10.in-addr.arpa. IN SOA...” with “@ IN SOA...”.

17. From the first terminal window, start bind automatically when the system is booted
by entering the following:
insserv named
18. Open the file /etc/resolv.conf in a text editor.

19. Delete all existing nameserver entries.

20. Add the following entry:

nameserver your_ip_address
21. Save and close the file.

22. Verify that your DNS server works by entering the following command:

host da10.digitalairlines.com
23. Add a new DNS record for the slave server in the file
/var/lib/named/master/digitalairlines.com.zone:
$TTL 172800

digitalairlines.com. IN SOA your_FQHN. root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

digitalairlines.com. IN NS your_FQHN.
digitalairlines.com. IN NS slave_FQHN.

da10 IN A 10.0.0.10
da11 IN A 10.0.0.11
da12 IN A 10.0.0.12
24. Add a new DNS record for the slave server in the file
/var/lib/named/master/10.0.0.zone:
$TTL 172800
0.0.10.in-addr.arpa. IN SOA your_FQHN. root.digitalairlines.com. (
serial_number
1D
2H
1W
3H
)

IN NS your_FQHN.
IN NS slave_FQHN.

10 IN PTR da10.digitalairlines.com.
11 IN PTR da11.digitalairlines.com.
12 IN PTR da12.digitalairlines.com.

Part III: Configure the DNS Slave Server

From the DNS slave server, do the following:

1. Open a terminal window and su to root.
2. Open the file /etc/named.conf in a text editor.
3. Configure the forwarder by entering the following:
forwarders { 10.0.0.254; };
4. Enter the following two zone statements after the existing statements:
zone "digitalairlines.com" in {
type slave;
file "slave/digitalairlines.com.zone";
masters
{
master_server_ip_address;
};
};

zone "0.0.10.in-addr.arpa" in {
type slave;
file "slave/10.0.0.zone";
masters
{
master_server_ip_address;
};
};
5. Save the changes and close the editor.
6. Open a second terminal window and su to root.
7. Enter the following command:
tail -f /var/log/messages
8. Switch to the first terminal window and start bind by entering the following:
rcnamed start
9. From the second terminal window, watch the log output of bind for any messages
such as Unknown RR type or file not found.
10. If any errors occur, try to fix them and restart bind.

11. Start bind automatically when the system boots by entering the following:

insserv named
12. From the first terminal window, open the file /etc/resolv.conf in a text editor.

13. Delete all existing nameserver entries.

14. Add the following entry:

nameserver master_server_ip_address

15. Save and close the file.

16. Verify whether or not your DNS server works by entering the following:

host da10.digitalairlines.com

(End of Exercise)

Objective 2 Deploy OpenLDAP on a SLES 9 Server

OpenLDAP is the most popular open source LDAP suite. It provides not only the
LDAP server itself, but also applications and tools to control and query the server and
to develop LDAP-based software.

To deploy an OpenLDAP server with SLES 9, you need to know the following:
• The Concept of a Directory Service
• The Basics of LDAP
• How to Install and Set Up an OpenLDAP Server
• How to Add Entries to the LDAP Server
• How to Query Information from the LDAP Server
• How to Delete and Modify Entries of the LDAP Server
• How to Use Graphical LDAP Applications

The Concept of a Directory Service

A directory is a specialized database that is optimized for reading, browsing and
searching. Directories contain descriptive, attribute-based information and support
sophisticated filtering.

Directories are tuned to give quick response to high-volume lookup or search
operations. They can replicate information widely in order to increase availability
and reliability, while reducing response time.

There are many different ways to provide a directory service. Different methods
allow different kinds of information to be stored in the directory, place different
requirements on how that information can be referenced, queried and updated, and
determine how it is protected from unauthorized access.

Some directory services are local, providing service to a restricted context (such as
the finger service on a single machine). Other services are global, providing service
to a much broader context (such as the entire Internet).

Directory services can be used for many different purposes. Very often they are used
as databases for user authentication. By default, SLES 9 uses OpenLDAP for user
management and some configuration purposes.

The Basics of LDAP

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is
a lightweight protocol for accessing directory services. LDAP runs over TCP/IP or
other connection-oriented transfer services.

The LDAP information model is based on entries. An entry is a collection of
attributes that has a globally-unique distinguished name (DN). The DN is used to
refer to the entry. Each of the entry's attributes has a type and one or more values.


The types are typically mnemonic strings, like “cn” for common name, or “mail” for
email addresses. The syntax of the values depends on the attribute type.

For example, a cn attribute might contain the value “Tux Penguin.” A mail attribute
might contain the value “tux@example.com.” A jpegPhoto attribute might contain a
photograph in the JPEG (binary) format.

In LDAP, directory entries are arranged in a hierarchical tree structure. If you use
LDAP for user management, the structure normally reflects the organizational
structure of the company or organization.

Under the root of the tree are the country, organization, organizational unit and leaf
objects (such as users).

The following illustrates a LDAP tree:

Figure 3-3: Example LDAP tree. Below the Root are the domain components dc=us and
dc=com; below dc=com is dc=example, which contains the organizational units
ou=Management and ou=Sales; ou=Management contains the leaf entry uid=tux
(Name: Tux Penguin).

An entry of the tree is referenced by its DN, which is constructed by taking the name
of the entry itself (called the relative distinguished name or RDN) and appending, from
left to right, the RDNs of its ancestor entries up to the root.

For example, the entry for Tux Penguin in the example above has a DN of
uid=tux,ou=Management,dc=example,dc=com.

In addition, LDAP allows you to control which attributes are required and allowed
through the use of objectClasses. The following objectClasses are used when LDAP
is used for Linux user authentication:
n posixAccount
n shadowAccount
n posixGroup


The following is an overview of some of the attributes used in these object classes:

Table 3-4
Attribute         Description
uid               Login name of the user
uidNumber         Numerical user ID
cn                Common name: the full name of a user or, in a posixGroup entry, the group name
gidNumber         Numerical group ID
homeDirectory     Home directory
loginShell        Login shell
shadowLastChange  Date of the last password change, as days since January 1, 1970

Object classes are defined in schema files. OpenLDAP ships with some basic schema
files located in the directory /etc/openldap/schema.

To create the tree structure, you use container objects, which can contain other
objects. The following is a list of these objects:
n Root. The root of the directory tree
n c. Countries
n o. Organizations
n ou. Organizational units
n dc. Domain components

How to Install and Set Up an OpenLDAP Server

To install and set up an OpenLDAP server, you need to do the following:
n Install the Required Software and Start the Server
n Edit the OpenLDAP Configuration Files

Install the Required Software and Start the Server

Normally, YaST sets up an OpenLDAP server during the installation process of
SLES 9.

However, if you chose not to install the server during installation, you can set up an
LDAP server by installing the following software packages with YaST:
n openldap2
n openldap2-client


Edit the OpenLDAP Configuration Files

The configuration files for OpenLDAP are located in the directory /etc/openldap/.
The directory contains 2 configuration files:
n slapd.conf. This file is the main configuration file for the OpenLDAP server.
n ldap.conf. This file contains the default configuration for LDAP clients.

If you installed the LDAP server during SLES 9 installation, the configuration file
slapd.conf has already been set up. Otherwise, you need to set the following options
of the configuration file to reflect your environment:
n suffix “dc=your-domain,dc=com”
In this line you set the domain components “dc” according to your domain name.
n rootdn “cn=Manager,dc=example,dc=com”
This line sets the administrator of the LDAP server. The rootdn bypasses all access
control rules of the server, so use it for administration only, never as the identity
of ordinary clients. The domain components in this line must match the suffix.
n rootpw secret
This line specifies the password for the administrator. The default password
secret must be changed.
For security reasons, the password should be stored as a hash ({SSHA}, a salted
SHA-1) rather than in clear text. To create the hash, use the following command:
slappasswd -s your_password
The command outputs a string that has to be copied into the configuration file.
The entry for rootpw then looks like the following:
rootpw {SSHA}rawtcakVvoBls6J6wz2+yPa8H02Dprax
Keep slapd.conf readable only by root and the user slapd runs as: the hash is salted,
but anyone who can read the file can still attack it offline.
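The string slappasswd prints is not encryption but a salted SHA-1 hash, and slapd verifies a simple bind against rootpw or userPassword by recomputing it. The following Python example is added for this page (it is not part of the course or of OpenLDAP) and shows the {SSHA} format being built and checked, plus a check for a slapd.conf that still carries a cleartext rootpw; the function names and the sample configuration text are assumptions made for illustration:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not from the course or OpenLDAP. {SSHA} is
# base64( SHA-1(password || salt) || salt ); slappasswd appends a 4-byte random
# salt, which is why hashing the same password twice gives different strings.
SALT_LEN = 4
DIGEST_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value usable as rootpw in slapd.conf or as userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); rejects anything else."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("malformed {SSHA} value: no salt after the digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password the way slapd does on a simple bind."""
    digest, salt = ssha_parts(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def rootpw_is_cleartext(slapd_conf: str) -> bool:
    """True when slapd.conf still has an unhashed rootpw (no {SCHEME} prefix)."""
    for line in slapd_conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            return not parts[1].strip().strip('"').startswith("{")
    return False
```

ssha_parts accepts the example hash printed above, which confirms it has the expected 20-byte digest and 4-byte salt; check_ssha compares in constant time so that a timing difference does not leak how much of the digest matched.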

After finishing the configuration, you can start the server with the following
command:

rcldap start

If you want to start the LDAP server automatically when the server boots, use the
following command:

insserv ldap

After you change the server configuration file, you change the client configuration
file ldap.conf. You have to add at least 2 lines:
n host localhost
This line sets the default server that LDAP clients should connect to.
n base dc=example,dc=com
This is the default directory search base used by LDAP clients. It must match the
suffix configured in slapd.conf; otherwise searches fail with a No such object error.


x The configuration shown above is for a SLES 9 authentication server. Depending on your
environment, you might need a different setup and tree structure.

How to Add Entries to the LDAP Server

OpenLDAP provides the command ldapadd to insert data that is in LDIF format into
the directory. You can use files in the LDIF format to avoid specifying all values on
the command line.

LDIF files contain the information that should be included in the directory service
in a plain text format.

You can create a different file for each user you would like to add, but you can also
put multiple user records in one file, separated by blank lines. Each record in an
LDIF file contains the following:
n dn. The distinguished name of the object you want to add.
n objectclass. The object classes of the new entry.
n attribute. An attribute of the entry. You normally add more than one attribute at
the same time.

If you installed an LDAP server during installation, the basic tree structure for user
authentication has already been created. If you set up the server later, you need to
create the structure manually with an LDIF file like the following:

dn: dc=example,dc=com
dc: example
o: example
objectClass: organization
objectClass: dcObject

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

The file creates 2 entries in the directory tree:
n The base entry with the DN dc=example,dc=com.
n An entry below the base entry for the ou people. The dn for this entry is
ou=people,dc=example,dc=com.

Every entry in an LDIF file does the following:
n Sets the distinguished name of the entry.
n Lists the object classes used for the entry.
n Lists the attributes and their corresponding values.

x Make sure that there are no empty spaces or tabs at the beginning or end of a line.


Because LDAP uses Unicode (UTF-8), special characters in LDIF files have to be
encoded in UTF-8; otherwise the server may reject them with an invalid syntax error.
This means you need to edit the LDIF file with a UTF-8 capable editor, or convert the
file afterwards.

You can convert a file written in ISO-8859-1 (Latin-1) by entering the following
command:

recode lat1..utf8 ldif_file

The command to insert a data set that exists as an LDIF file looks like the following:

ldapadd -x -D dn_of_the_administrator -W -f file.ldif

You need to use the -x option because you haven't configured SASL authentication
yet.

Use the option -D to specify the DN to bind as, which is the identity the operation is
performed under and checked against. For adding entries this is normally the rootdn
specified in the server configuration file.

Use the option -W to display a password prompt. Otherwise, you must enter the
password directly at the command line, where it will be visible as plain text.

Finally, specify the LDIF file with the option -f.

If the LDIF file is called example.ldif, ldapadd should be run as follows:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif


Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=people,dc=example,dc=com"
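The caveats above (no stray whitespace, UTF-8 only) and two things slapd reports only when the file is loaded, or never at all, namely missing MUST attributes and uid or uidNumber values that collide with existing entries, can all be checked before ldapadd runs. The following lint is an added example written for this page; it is not a tool shipped with SLES 9 or OpenLDAP. The REQUIRED table lists the MUST attributes of the object classes from nis.schema and inetorgperson.schema, and the tux entry and the stand-in geeko record it is checked against are constructed sample data:

```python
import base64
from typing import Dict, List, Tuple

# Added example, not from the course: lint an LDIF file before ldapadd. It applies
# the whitespace and UTF-8 caveats and catches missing MUST attributes and
# uid/uidNumber collisions with entries already in the directory.
Entry = Dict[str, List[str]]

# MUST attributes of the object classes from nis.schema and inetorgperson.schema.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
    "posixgroup": {"cn", "gidnumber"},
    "inetorgperson": {"cn", "sn"},
}


def parse_ldif(data: bytes) -> Tuple[List[Entry], List[str]]:
    """Split LDIF into {attribute: [values]} records; attribute names are lowercased."""
    problems: List[str] = []
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [], ["not valid UTF-8 at byte %d (run recode first)" % exc.start]
    logical: List[str] = []
    for n, raw in enumerate(text.split("\n"), 1):
        if raw != raw.rstrip():
            problems.append("line %d: trailing whitespace" % n)
        continuation = raw.startswith(" ") and bool(logical) and logical[-1] != ""
        if raw.startswith("\t") or (raw.startswith(" ") and not continuation):
            problems.append("line %d: leading whitespace" % n)
        if continuation:
            logical[-1] += raw[1:].rstrip()      # folded line joins the previous one
        else:
            logical.append(raw.rstrip())
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:
        if line == "":                           # blank line ends a record
            if current:
                entries.append(current)
            current = {}
        elif line.startswith("#"):
            continue
        elif ":" not in line:
            problems.append("malformed line: %r" % line)
        else:
            name, _, value = line.partition(":")
            if value.startswith(":"):            # attr:: base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries, problems


def lint_entries(entries: List[Entry], existing: List[Entry]) -> List[str]:
    """Schema and uniqueness checks against entries already in the directory."""
    problems: List[str] = []
    used_num = {e["uidnumber"][0] for e in existing if "uidnumber" in e}
    used_uid = {e["uid"][0] for e in existing if "uid" in e}
    for e in entries:
        if "dn" not in e:
            problems.append("record without dn")
            continue
        dn = e["dn"][0]
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.strip() not in e.get(rdn_attr.strip().lower(), []):
            problems.append("%s: RDN value is not an attribute of the entry" % dn)
        for cls in e.get("objectclass", []):
            for missing in sorted(REQUIRED.get(cls.lower(), set()) - set(e)):
                problems.append("%s: %s requires %s" % (dn, cls, missing))
        for num in e.get("uidnumber", []):
            if num in used_num:
                problems.append("%s: uidNumber %s already in use" % (dn, num))
            used_num.add(num)
        for login in e.get("uid", []):
            if login in used_uid:
                problems.append("%s: uid %s already in use" % (dn, login))
            used_uid.add(login)
        if any(not pw.startswith("{") for pw in e.get("userpassword", [])):
            problems.append("%s: userPassword is cleartext" % dn)
    return problems


def lint_ldif(data: bytes, existing: List[Entry]) -> List[str]:
    entries, problems = parse_ldif(data)
    return problems + lint_entries(entries, existing)


# Constructed sample: the tux entry from Exercise 3-2 and a stand-in geeko record
# that already holds uidNumber 1010, the value tux.ldif reuses.
TUX_LDIF = b"""dn: uid=tux,ou=people,dc=digitalairlines,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Tux Penguin
sn: Penguin
uid: tux
uidNumber: 1010
gidNumber: 100
homeDirectory: /home/tux
userPassword: {crypt}GpyJ3/OQgLxZE
"""
GEEKO: Entry = {"dn": ["uid=geeko,ou=people,dc=digitalairlines,dc=com"],
                "uid": ["geeko"], "uidnumber": ["1010"]}
```

slapd does not enforce uniqueness of uidNumber, so a duplicate is accepted silently and two login names then map to the same Unix identity; checking against a dump of the existing entries (ldapsearch output can be fed through parse_ldif) is the only way to catch it before the add.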

After you have set up the basic tree structure (during or after installation), you can
add a user to the directory with an LDIF file similar to the following:

dn: uid=geeko,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: geeko
uidNumber: 1010
gidNumber: 100
cn: Geeko Chameleon
givenName: Geeko
sn: Chameleon
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowLastChange: 12609


This example LDIF file creates a user based on the default LDAP setup of SLES 9.
The attributes are listed below with an explanation of each:
n uid: geeko. This attribute sets the login name of the user.
n uidNumber: 1010. This attribute sets the numerical ID of the user. It must be
unique; the server does not check this for you.
n gidNumber: 100. This attribute sets the default group ID of the user. The value
100 belongs to the group users in a SLES 9 installation.
n cn: Geeko Chameleon. This attribute sets the full name of the user.
n givenName: Geeko. This attribute sets the given name of the user.
n sn: Chameleon. This attribute sets the surname of the user.
n homeDirectory: /home/geeko. This attribute sets the path to the home directory
of the user.
n loginShell: /bin/bash. This attribute sets the login shell of the user. The default
for SLES 9 is /bin/bash.
n shadowMax: 99999. This attribute sets the maximum number of days a password
stays valid after it was changed. The value 99999 effectively disables expiry.
n shadowWarning: 7. Users can be warned before their passwords expire. This
attribute sets the number of days before expiry at which the warning starts. Set to
-1 to disable the warning.
n shadowInactive: -1. This attribute sets the number of days after the password
expires during which the user can still log in (and is forced to change it). Set to -1
to set an unlimited number of days.
n shadowMin: 0. This attribute sets the minimum number of days that need to
pass before a password can be changed again.
n shadowLastChange: 12609. This attribute records the date of the last password
change as the number of days since January 1, 1970 (12609 is July 10, 2004). A
value of 0 forces the user to change the password at the next login.
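The shadow attributes are plain integers counted in days, and the way the login tools combine them is easy to misjudge. The following example is added for this page (it is not part of the course) and converts shadowLastChange to and from calendar dates and classifies an account as the PAM shadow checks would; the geeko values are the ones from the LDIF above, and the function names are assumptions:

```python
from datetime import date, timedelta
from typing import Dict

# Added example, not from the course: shadow attributes are plain day counts,
# and the expiry rules the login tools derive from them are easy to misjudge.
EPOCH = date(1970, 1, 1)
NEVER = 99999               # the shadowMax value the course uses for "never expires"


def epoch_days(year: int, month: int, day: int) -> int:
    """shadowLastChange is the number of days since 1970-01-01, not a timestamp."""
    return (date(year, month, day) - EPOCH).days


def iso_from_days(days: int) -> str:
    """Render a shadow day count as a calendar date, e.g. 12609 -> '2004-07-10'."""
    return (EPOCH + timedelta(days=days)).isoformat()


def today_days() -> int:
    """The value to write into shadowLastChange when a password is set now."""
    return (date.today() - EPOCH).days


def password_state(entry: Dict[str, int], today: int) -> str:
    """Classify an account on a given day (same units as shadowLastChange).

    ok       password valid and outside the warning window
    warning  within shadowWarning days of expiry
    expired  password expired; login still allowed but a change is forced
    locked   shadowInactive grace period exhausted; login refused
    """
    last = entry.get("shadowLastChange", 0)
    maximum = entry.get("shadowMax", NEVER)
    warning = entry.get("shadowWarning", 0)
    inactive = entry.get("shadowInactive", -1)
    if last == 0:
        return "expired"                     # 0 forces a change at next login
    if maximum < 0 or maximum >= NEVER:
        return "ok"                          # ageing disabled
    expires = last + maximum
    if today < expires - max(warning, 0):
        return "ok"
    if today < expires:
        return "warning"
    if inactive >= 0 and today >= expires + inactive:
        return "locked"
    return "expired"                         # inactive -1: unlimited grace


# The geeko entry from the LDIF above, reduced to its shadow attributes.
GEEKO = {"shadowLastChange": 12609, "shadowMax": 99999, "shadowWarning": 7,
         "shadowInactive": -1, "shadowMin": 0}
```

With shadowMax set to 90 instead of 99999, the same entry moves from ok to warning seven days before day 12699 and is expired from that day on; because shadowInactive is -1 it is never locked, which is the trade-off the example LDIF makes.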

How to Query Information from the LDAP Server

You can use the command ldapsearch to read data from the LDAP directory. The
following command reads the entire tree:

ldapsearch -x

The -x option forces ldapsearch to use the simple authentication method. This is
necessary if the LDAP server is not yet configured to use the SASL authentication
method.

ldapsearch reads the search base for the query out of the configuration file
/etc/openldap/ldap.conf. The search base is the entry in the directory where
ldapsearch starts the recursive search process.

If the file ldap.conf file does not exist, or if you want to use a different search base,
you can specify it with the -b option, as in the following:

ldapsearch -x -b "dc=example,dc=com"


If you have a lot of data in your LDAP tree, you might want to limit the output of
ldapsearch to specific entries. You can do that by adding a filter expression to the
ldapsearch command, as in the following:

ldapsearch -x "(uid=g*)"

In this example, ldapsearch displays all entries that have a uid attribute starting with
g. You can use any attributes or objectClasses as a search filter.
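ldapsearch filters can also be combined with & (and), | (or) and ! (not), and a value of * tests whether an attribute is present at all. The following example is added for this page (it is not from the course or from OpenLDAP) and implements that filter syntax over a handful of entries constructed inline, so the effect of a filter can be tried without a running server; search returns the matching DNs in the order ldapsearch would list them:

```python
import re
from typing import Callable, Dict, List

# Added example, not from the course or OpenLDAP: evaluates ldapsearch filter
# strings against entries held in memory. Attribute names are matched
# case-insensitively and values with caseIgnore semantics, as for uid and cn.
Entry = Dict[str, List[str]]
Predicate = Callable[[Entry], bool]


def _value_matches(pattern: str, value: str) -> bool:
    """Equality or substring match; '*' in the pattern matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def compile_filter(text: str) -> Predicate:
    """Turn a filter such as (&(objectClass=posixAccount)(uid=g*)) into a predicate."""
    pos = 0

    def parse() -> Predicate:
        nonlocal pos
        if pos + 1 >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            parts: List[Predicate] = []
            while pos < len(text) and text[pos] == "(":
                parts.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unterminated filter list at offset %d" % pos)
            pos += 1
            if op == "&":
                return lambda e: all(p(e) for p in parts)
            if op == "|":
                return lambda e: any(p(e) for p in parts)
            if len(parts) != 1:
                raise ValueError("'!' takes exactly one filter")
            return lambda e: not parts[0](e)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("missing ')' for item at offset %d" % pos)
        attr, sep, pattern = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("bad filter item %r" % text[pos:end])
        pos = end + 1
        name = attr.strip().lower()
        if pattern == "*":                          # presence filter
            return lambda e: name in e
        return lambda e: any(_value_matches(pattern, v) for v in e.get(name, []))

    predicate = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return predicate


def search(entries: List[Entry], filter_text: str) -> List[str]:
    """Return the DNs of the entries matching filter_text, like ldapsearch -x filter."""
    predicate = compile_filter(filter_text)
    return [e["dn"][0] for e in entries if predicate(e)]


# Constructed sample directory; attribute names are lowercased as a server compares them.
DIRECTORY: List[Entry] = [
    {"dn": ["ou=people,dc=example,dc=com"],
     "objectclass": ["top", "organizationalUnit"], "ou": ["people"]},
    {"dn": ["uid=geeko,ou=people,dc=example,dc=com"],
     "objectclass": ["top", "posixAccount", "shadowAccount", "inetOrgPerson"],
     "uid": ["geeko"], "uidnumber": ["1010"], "cn": ["Geeko Chameleon"], "sn": ["Chameleon"]},
    {"dn": ["uid=tux,ou=people,dc=example,dc=com"],
     "objectclass": ["top", "posixAccount", "shadowAccount", "inetOrgPerson"],
     "uid": ["tux"], "uidnumber": ["1011"], "cn": ["Tux Penguin"], "sn": ["Penguin"],
     "mail": ["tux@example.com"]},
]
```

Only equality, substring and presence matches are implemented; the escaping of special characters inside values (\28 for a parenthesis, for instance) that the real filter syntax provides is left out.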

The output of ldapsearch looks like the following:

# geeko, people, example.com
dn: uid=geeko,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Geeko Chameleon
gidNumber: 100
givenName: Geeko
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Chameleon
uid: geeko
uidNumber: 1010
shadowLastChange: 12623

ldapsearch displays the result in LDIF format. That means you can transfer the data
to another LDAP server by redirecting the data into a file and loading it with ldapadd
on a different machine.

How to Delete and Modify Entries of the LDAP Server

The easiest way to modify data in the LDAP directory in SLES 9 is to modify an
LDIF file and apply the changes with the ldapmodify tool.


In the following example, the uidNumber of the user geeko has been changed to 1011:

# geeko, people, example.com
dn: uid=geeko,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Geeko Chameleon
gidNumber: 100
givenName: Geeko
homeDirectory: /home/geeko
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Chameleon
uid: geeko
uidNumber: 1011
shadowLastChange: 12623

To apply the changes, use the following command:

ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f geeko.ldif

Using the ldapmodify command is similar to using ldapadd. Without an explicit
changetype, ldapmodify replaces each attribute listed in the file with the values given
there, so resubmitting a complete entry leaves the unchanged attributes as they were
and applies the edited ones. Attributes you remove from the file are not deleted from
the directory, however. To change a single attribute only, use an LDIF record with a
changetype: modify line followed by replace: uidNumber and the new value.

To delete an entry from the LDAP directory, use the following command (all on one
line):

ldapdelete -x -D "cn=Manager,dc=example,dc=com" -W "uid=geeko,ou=people,dc=example,dc=com"

In this example, the entry with the distinguished name
uid=geeko,ou=people,dc=example,dc=com is deleted. ldapdelete removes only leaf
entries; an entry that still has entries below it must be emptied first.

How to Use Graphical LDAP Applications

Graphical applications are also available to access the LDAP server. SLES 9 comes
with the graphical LDAP browser GQ. Before you can use GQ, you need to install
the package gq because it is not part of the default software selection.

After installation, you can access GQ from the KDE menu by selecting System >GQ
LDAP Client.


After starting GQ, the following appears:

Figure 3-4

GQ reads the file /etc/openldap/ldap.conf to get information about the default LDAP
server.

You can do the following with the LDAP directory:
n Search the Directory
n Browse the Directory
n Explore the Schema Definitions

Search the Directory

This is the default page that opens after you start GQ. At the top of the page are the
following fields:
n Search filter. In this field you enter the search filter for your query. The syntax
is the same as that used for ldapsearch.
n LDAP server. Choose an LDAP server from the drop-down list. If you want to add
an additional server, open the Preferences dialog by selecting File > Preferences.
On the Servers page, specify a new LDAP server by selecting New.
n Search base. In this field you specify the search base for your query. The syntax
for the search base is the same as that used for ldapsearch.

After you have entered all necessary data, start the query by selecting Find.

The result of the query is displayed in a list below the input fields. Double-click an
entry to display detailed information.


Browse the Directory

The following is the Browse page of GQ:

Figure 3-5

On the left side of the page is a tree menu you can use to browse the directory. By
selecting the arrow symbol before an entry, you can expand the tree structure.

You can display the details of an entry on the right side of the page by selecting the
entry in the tree menu.

Explore the Schema Definitions

The following is the Schema page of GQ:

Figure 3-6

On this page you can browse the schema definition available on the LDAP server.


Exercise 3-2 Use the SLES 9 OpenLDAP server

In this exercise, you use the OpenLDAP server by doing the following:
n Part I: Install GQ
n Part II: Search the SLES 9 OpenLDAP Server
n Part III: Browse the SLES 9 OpenLDAP Server
n Part IV: Use an LDIF File to Add a User

Part I: Install GQ

Do the following:
1. From the KDE menu, select System > YaST.
2. Enter the root password and select OK.
3. From the YaST Control Center, select Software > Install and Remove Software.
4. From the filter drop down menu, select Search.
5. In the Search field, enter gq; then select Search.
6. On the right, select the gq package.
7. Install the GQ application by selecting Accept.
8. Insert the requested SLES 9 CD.
9. When the installation is complete, close the YaST Control Center and remove the
CD.

Part II: Search the SLES 9 OpenLDAP Server

Do the following:
1. From the KDE menu, select System > GQ LDAP Client.
2. Make sure that the Search tab is selected.
3. In the left search field, enter uid=geeko.
4. In the right search field, enter dc=digitalairlines,dc=com.
5. Select Find.
A result line appears.
6. Double-click the result line.
The LDAP entry for the user geeko is displayed.
7. Scroll down and verify that you cannot see the userPassword entry for geeko.
8. Select Close.
9. From the menu bar, select File > Preferences.
10. From the configuration dialog, select the Servers tab.


11. Select the entry localhost; then select Edit.

12. From the server dialog, select Details.

13. In the Bind DN field enter the following:

cn=Administrator,dc=digitalairlines,dc=com
14. Close the server dialog by selecting OK.

15. Close the configuration dialog by selecting OK.

16. Make sure that the search fields still contain the previously entered query.

17. Select Find.

18. When prompted for a password, enter novell; then select OK.

19. Double-click the result line.

20. Make sure that you can see the userPassword entry for geeko.

Notice that access to the password is not granted to anonymous users, but to the
authenticated administrator.
21. When you finish, select Close.

Part III: Browse the SLES 9 OpenLDAP Server

Do the following:
1. From the GQ application, select Browse.
2. On the left, expand localhost.
3. Expand dc=digitalairlines,dc=com.
4. Expand people.
All users of the system are displayed. At the moment, this only includes geeko.
5. Select geeko.
The user information for geeko appears on the right.
6. Close the GQ window.


Part IV: Use an LDIF File to Add a User

Do the following:
1. With a text editor, create a file named tux.ldif in the directory /tmp with the
following content.:
dn: uid=tux,ou=people,dc=digitalairlines,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Tux Penguin
gidNumber: 100
givenName: Tux
homeDirectory: /home/tux
loginShell: /bin/bash
shadowInactive: -1
shadowLastChange: 12609
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
sn: Penguin
uid: tux
userPassword: {crypt}GpyJ3/OQgLxZE
uidNumber: 1010

x You can also copy the LDIF file tux.ldif from the directory
/exercises/section_3 from your 3038 Course CD to the directory /tmp.

2. Save the file and close the text editor.


3. From a terminal window (as root), add the user tux by entering the following (all
on one line):
ldapadd -x -D "cn=Administrator,dc=digitalairlines,dc=com" -W -f
/tmp/tux.ldif
4. When prompted for a password, enter novell.

x If you are unsuccessful at authenticating as Administrator, try closing the terminal window
and opening a new terminal window. Repeat steps 3 and 4.

You do not have to be root to enter the ldapadd command; however, you need to be root for
the commands that follow.

5. Create the home directory for the user tux by entering the following:
cp -a /etc/skel/ /home/tux
6. Adjust the file system permissions by entering the following commands:
chown -R tux:users /home/tux/


7. Log out as root by entering exit.


8. Switch to the user tux by entering the following:
su - tux
9. Log in to the tux user account by entering a password of Novell.
10. Log out as tux by pressing Ctrl+D.

11. Close the terminal window.

(End of Exercise)


Objective 3 Configure an Apache Web Server


The Apache web server is the leading web server software. Apache was developed as
open source software and is shipped with SLES 9.

To set up an internal Apache web server, you need to know the following:
n The Basic Functionality of a Web Server
n How to Install and Set Up a Basic Apache Web Server
n The Structure and the Basic Elements of the Apache Configuration Files
n The Basic Apache Configuration
n How to Configure Virtual Hosts
n How to Limit Access to the Web Server
n How to Configure OpenSSL for Connection Encryption

The Basic Functionality of a Web Server

A web server delivers data that is requested by a web browser. The data can have
different formats such as HTML files, image files, Flash animations, or sound files.

Web browsers and web servers communicate using HTTP (Hypertext Transfer
Protocol). The following diagram shows the relationship between the browser, server,
and HTTP:

Figure 3-7: Web browser and web server exchanging requests and responses over HTTP.

In addition to delivering data to the web browser, a web server can perform tasks
such as limiting access to specific web sites, logging access to a file, and encrypting
the connection between a server and browser.

How to Install and Set Up a Basic Apache Web Server

To set up a basic Apache web server, you need to do the following:
n Install the Required Software Packages
n Start and Test the Web Server
n Locate the DocumentRoot of the Web Server


Install the Required Software Packages

To run a basic Apache web server, you need to install the following packages with
YaST:
n apache2. The basic web server software.
n apache2-prefork. Provides the prefork multi-processing module (MPM): Apache
handles requests with a pool of single-threaded child processes, so a crash while
serving one request does not take other requests down with it.
n apache2-example-pages. Sample HTML pages.

SLES 9 ships with 2 Apache versions: Apache series 1 and Apache series 2. This
section covers Apache series 2 because this version will continue to be developed.

When you install the packages listed above, YaST prompts you to install also one or
more additional packages required by Apache. Confirm the additional package
installation by selecting OK to resolve all dependencies of the Apache packages.

Start and Test the Web Server

After installing the required software, you need to start the web server. Do this as the
root user by entering the following:

rcapache2 start

As with all services, enter the following to stop the web server:

rcapache2 stop

If you want the web server to start up at boot time, you need to enter the following:

insserv apache2

To test whether the web server is properly installed, open a web browser and enter
the following address:

http://localhost


The browser displays the following page:

Figure 3-8

If your SLES 9 server is connected to a network, you (and other hosts on the
network) can remotely access the web server by entering the following:

http://your_system_IP_address

If your network provides a DNS server, you can use the hostname instead of the IP
address.

Locate the DocumentRoot of the Web Server

The default directory of the data provided by Apache is /srv/www/htdocs.

This directory is also called the DocumentRoot of the web server. After the
installation, it contains the Apache example pages, which are displayed above.

You can replace the data in the DocumentRoot directory to display your own web
server content. Because the web server runs with the user id wwwrun, you have to
make sure that this user has read access to files in the DocumentRoot directory.
Read access is all it needs: keep the files owned by root or a content administrator,
not by wwwrun, so that a compromised web server process cannot alter what it serves.

If you create subdirectories in DocumentRoot, you can access those subdirectories
with the following web address scheme:

http://your_server/name_of_subdirectory

If no specific file is requested in the address, Apache looks for a file with the name
index.html. You can change the name of this default file in the Apache configuration
files.


The Structure and the Basic Elements of the Apache Configuration Files

To configure the Apache web server with the configuration files, you need to do the
following:
n Locate the Apache Configuration Files
n Understand the Basic Rules of the Configuration Files

Locate the Apache Configuration Files

The configuration of the Apache web server is spread over several configuration files
located in the directory /etc/apache2.

The following is a list of the most important Apache configuration files:
n httpd.conf. This is the main Apache configuration file. All other configuration
files are included by this file.
n default-server.conf. This file contains the basic web server setup. However, all
options set in this file can be overwritten by other configuration files.
n vhost.d/. This is a directory containing configuration files for virtual host setups.
Learn more about virtual hosts later in this section.
n uid.conf. This configuration file sets the user and group id for Apache. By
default, Apache uses the user id wwwrun and the group id www.
n listen.conf. In this configuration file, you can specify the IP addresses and
TCP/IP ports Apache is listening to. By default, Apache listens to all assigned
interfaces on port 80.
n server-tuning.conf. You can use this configuration file to fine tune the
performance of Apache. The default values should be fine unless you are going
to run a web server that has to handle a lot of requests at the same time.
n error.conf. In this file you configure the behavior of Apache when a request
cannot be performed correctly.
n ssl-global.conf. Configure the connection encryption with SSL in this
configuration file.

Understand the Basic Rules of the Configuration Files

The options of the Apache configuration files are called directives. Directive names
are not case sensitive (include and Include denote the same directive), but their
arguments, such as file and directory names, usually are.


Directives can be grouped so that they do not apply to the global server
configuration. In the following, the directives only apply to the directory
/srv/www/htdocs:

<Directory "/srv/www/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

The directives are grouped by <Directory "/srv/www/htdocs"> and </Directory>,
which limits their validity to the directory /srv/www/htdocs only.

You can use the # character to indicate comments in the configuration file. All lines
starting with a # are ignored by the Apache server.

Whenever you edit the Apache configuration files, you need to reload the web server
by entering the following:

rcapache2 reload

In some cases it's not enough to reload Apache. You need to stop and restart the web
server by entering the following:

rcapache2 restart

If you are not sure that your changes use the correct syntax, you can verify the syntax
of the configuration files by entering the following:

apache2ctl configtest

If the syntax is correct, the command displays the following message:

Syntax OK
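Putting the rules above together, the following example is added for this page (it is not part of the Apache project or of SLES 9): it parses directives, comment lines and nested blocks such as <Directory> into a tree, looks directives up case-insensitively, and reports <Directory> blocks whose Options or AllowOverride settings widen what the server is allowed to do, which is what configtest does not check. The sample configuration is constructed; it repeats the block shown above and adds a second, looser directory:

```python
import re
from typing import List, Optional, Tuple

# Added example, not from the course or the Apache project: a reader for the
# directive syntax described above plus a review of <Directory> settings.


class Section:
    def __init__(self, kind: str, arg: str) -> None:
        self.kind = kind                              # e.g. "Directory"
        self.arg = arg                                # e.g. "/srv/www/htdocs"
        self.directives: List[Tuple[str, str]] = []  # (name, arguments as written)
        self.children: List["Section"] = []

    def get(self, name: str) -> Optional[str]:
        """Directive lookup; names are case-insensitive, arguments are returned as written."""
        for n, v in self.directives:
            if n.lower() == name.lower():
                return v
        return None


_OPEN = re.compile(r"^<(\w+)\s*(.*)>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_config(text: str) -> Section:
    """Parse directives into a tree of sections; raises ValueError on unbalanced blocks."""
    root = Section("server", "")
    stack = [root]
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # blank lines and comments
            continue
        opened = _OPEN.match(line)
        if opened:
            section = Section(opened.group(1), opened.group(2).strip().strip('"'))
            stack[-1].children.append(section)
            stack.append(section)
            continue
        closed = _CLOSE.match(line)
        if closed:
            if len(stack) == 1 or stack[-1].kind.lower() != closed.group(1).lower():
                raise ValueError("line %d: unexpected </%s>" % (n, closed.group(1)))
            stack.pop()
            continue
        name, _, args = line.partition(" ")
        stack[-1].directives.append((name, args.strip()))
    if len(stack) != 1:
        raise ValueError("unclosed <%s> block" % stack[-1].kind)
    return root


def is_well_formed(text: str) -> bool:
    try:
        parse_config(text)
        return True
    except ValueError:
        return False


# Options that let the server do more than serve files: list directories, run
# CGI programs, process server-side includes, follow symlinks out of the tree.
WIDENING_OPTIONS = ("Indexes", "ExecCGI", "Includes", "FollowSymLinks")


def audit(root: Section) -> List[str]:
    """Report <Directory> blocks whose Options or AllowOverride widen what the server does."""
    findings: List[str] = []

    def walk(section: Section) -> None:
        if section.kind.lower() == "directory":
            words = (section.get("Options") or "").split()
            enabled = {w.lstrip("+") for w in words if not w.startswith("-")}
            for opt in WIDENING_OPTIONS:
                if opt in enabled or "All" in enabled:
                    findings.append("%s: Options %s" % (section.arg, opt))
            override = section.get("AllowOverride")
            if override and override.lower() != "none":
                findings.append("%s: AllowOverride %s lets .htaccess files change these settings"
                                % (section.arg, override))
        for child in section.children:
            walk(child)

    walk(root)
    return findings


SAMPLE_CONF = """
# Constructed sample: the block from the text plus a looser directory.
<Directory "/srv/www/htdocs">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/srv/www/upload">
    options +Indexes +FollowSymLinks
    allowoverride All
</Directory>
"""
```

The second block is written with lowercase directive names on purpose: the parser still finds them, as Apache would, and reports the directory listing, the symlink following and the .htaccess override that it enables.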


The Basic Apache Configuration

You do the main Apache web server configuration in the file
/etc/apache2/default-server.conf by using directives such as the following:

Table 3-5
Directive                                 Description
DocumentRoot                              Specifies the DocumentRoot of the web server.
<Directory "dir_name"> ... </Directory>   All directives used within this block apply only to the specified directory.
Options                                   Applies additional options to logical blocks such as directories.
AllowOverride                             Determines whether directives may be overridden by a configuration found in a .htaccess file of a directory.
Alias "fakename" "realname"               Creates an alias to a directory.
ScriptAlias                               Creates an alias to a directory containing scripts for dynamic content generation.

In most cases the default settings are suitable and don't need to be changed.

b An overview of all Apache directives can be found at


http://httpd.apache.org/docs-2.0/mod/directives.html.

How to Configure Virtual Hosts

To use the virtual host feature of Apache, you need to know the following:
n The Concept of Virtual Hosts
n How to Configure a Virtual Host


The Concept of Virtual Hosts

With the default setup, the Apache server can be reached with a browser using the
following web addresses:
n http://localhost (from the computer where the web server is running)
n http://web_server_IP_address
n http://web_server_hostname

For all of these addresses, Apache serves the same files located in the DocumentRoot
directory.

With this setup, you would need a dedicated computer for every web site you want
to publish. To avoid this, Apache lets you set up multiple virtual web servers on
one physical system. These virtual web servers are called virtual hosts.

The physical system needs to have an entry in the DNS for every virtual host of the
Apache web server.

The following outlines the steps in the process of sending a request to the virtual host
www.example.com:
1. The web browser requests the IP address of the host www.example.com.
2. The browser uses the IP address to request a file from the Apache web server
listening on the IP address of www.example.com.
3. In the HTTP request, the browser includes the hostname of the server it wants to
reach.
4. Apache uses the hostname to determine the right virtual host and delivers the
requested data from that host. If the hostname matches no virtual host, Apache
serves the first virtual host defined for that IP address. Because the hostname
is supplied by the client, this is not a form of access control: anyone who
knows or guesses a virtual host name can send it.

The following illustrates this process:

Figure 3-9: The web browser asks the DNS server for the IP address of
www.example.com. The DNS server returns the same IP address for
www.example.com, www2.example.com, www3.example.com and www4.example.com. The
browser then uses this IP address to request data from the web server, which
hosts virtual hosts for www.example.com, www2.example.com, www3.example.com and
www4.example.com and picks the right one by the hostname sent in the request.


How to Configure a Virtual Host

For every virtual host you need to create a configuration file in the directory
/etc/apache2/vhosts.d/. The name of the configuration file must end with .conf.

You can find a template file vhost.template in the directory
/etc/apache2/vhosts.d/ to use as a base for your configuration file.

You need to edit the following directives in the template:

Table 3-6

Directive                     Description

ServerAdmin                   Enter the email address of the virtual host
                              administrator here.

ServerName                    Enter the hostname of the virtual host as it
                              is configured in the DNS.

DocumentRoot                  Set the DocumentRoot of the virtual host. The
                              directory and the files in the directory must
                              be readable by the user wwwrun. Readable is
                              enough; do not make them writable by wwwrun.

ErrorLog                      Enter a filename for the error log. The
                              directory must exist. Apache opens the log as
                              root before it changes to the user wwwrun, so
                              the file does not need to be writable by
                              wwwrun.

CustomLog                     Enter a filename for the general log file. The
                              same rules as for ErrorLog apply.

ScriptAlias                   Set the ScriptAlias to a directory of your
                              choice. The directory must not be under the
                              DocumentRoot of the virtual host. If you
                              don't need scripts for dynamic content
                              creation, delete this directive.

<Directory "script_dir">      If you set a ScriptAlias before, you have to
                              adjust the settings for the script directory
                              accordingly. If you are not using a script
                              directory, delete this directory block.

<Directory "document_root">   You need to adjust the path name of this
                              directory directive to the path of your
                              DocumentRoot.

After customizing the template file, you need to reload the Apache web server. You
also need to make sure that the settings in DNS are updated so that the hostname of
your virtual host is resolved correctly.


How to Limit Access to the Web Server

Normally Apache delivers data to all hosts in the network that can reach the web
server. Sometimes it can be useful to restrict access to the content delivered by
Apache.

The following are the most common methods used:


n Limit Access on an IP Address Basis
n Limit Access with User Authentication

Limit Access on an IP Address Basis

Apache offers the following directives to limit access to the web server on an IP
address basis:

Table 3-7

Directive     Description

Allow         IP addresses or networks listed after this directive are
              allowed to access the web server.

Deny          IP addresses or networks listed after this directive are not
              allowed to access the web server.

Order         This directive sets the order in which the Allow and Deny
              directives are evaluated.

These directives must be used within a <Directory> block and control the access to
all data below that directory. They belong to the module mod_access of Apache 2.0
(mod_authz_host in Apache 2.2); in Apache 2.4 they are replaced by Require ip,
Require all granted and Require all denied.

The following example allows only hosts from the network 10.0.0.0/24 to access the
data in the directory /srv/www/htdocs:

<Directory "/srv/www/htdocs">
Order deny,allow
Deny from all
Allow from 10.0.0.0/24
</Directory>

The following lists and describes the lines in the example:


n <Directory “/srv/www/htdocs”>. This directive starts the directory block. The
directives that follow apply to the directory /srv/www/htdocs only.
n Order deny,allow. The Order directive determines in which order the allow and
deny directives are evaluated.
You have the following options:
q Deny,Allow. The deny directives are evaluated before the allow directives.
Access is allowed by default. Any client who does not match a deny
directive or does match an allow directive is allowed access to the server.


q Allow,Deny. The allow directives are evaluated before the deny directives.
Access is denied by default. Any client who does not match an allow
directive or does match a deny directive is denied access to the server.
q Mutual-failure. Only those hosts that appear in the Allow list and do not
appear on the Deny list are granted access. This has the same effect as Order
Allow,Deny and is deprecated in favor of that configuration.
n Deny from all. The Deny directive is evaluated first, and in this case access is
denied for all clients. You can use the following options with the deny and the
allow directives:
q all. This option applies to all hosts.
q A full IP address. This option applies to a specific IP address (such as
10.0.0.23).
q A partial IP address. This option applies to IP addresses starting with the
given IP address fragment (such as 10.0.0).
q A network/netmask pair. This option applies to IP addresses matching to
the given network/netmask pair (such as 10.0.0.0/255.255.255.0)
q A network/nnn CIDR specification. This option applies to IP addresses
matching to the given CIDR expression (such as 10.0.0.0/24).
n Allow from 10.0.0.0/24. This allow directive is evaluated after the deny
directive. In this case, the access is allowed for hosts in the network 10.0.0.0/24.
n </Directory>. This directive ends the directory block.
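The Order semantics above are easy to get backwards. The following Python model is an example added to this page; it is not part of the course and not Apache's own code. It reproduces how mod_access evaluates Order, Allow and Deny for one client address with the argument forms listed above (all, a full address, a partial address, network/netmask and CIDR); the hostname and env= forms that Apache also accepts are left out, which is a simplification of the model. The three constructed sample blocks show the course's example and the common mistake of trying to deny one host inside an allowed network with the wrong Order.

```python
# Added example (not from the Novell course, not Apache's own code): a model of
# how mod_access in Apache 2.0/2.2 evaluates Order / Allow from / Deny from.
# Hostname and env= arguments are not modelled.
import ipaddress


def host_matches(client, spec):
    """True if client (an IP address string) matches one Allow/Deny argument."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    ip = ipaddress.ip_address(client)
    if "/" in spec:
        # network/netmask (10.0.0.0/255.255.255.0) or network/nnn (10.0.0.0/24)
        return ip in ipaddress.ip_network(spec, strict=False)
    try:
        return ip == ipaddress.ip_address(spec)      # full IP address
    except ValueError:
        pass
    # partial IP address: leading octets such as "10.0.0" match 10.0.0.x
    return client.startswith(spec.rstrip(".") + ".")


def parse_directory_block(text):
    """Extract Order, Allow and Deny lists from the body of a <Directory> block."""
    order, allow, deny = "deny,allow", [], []     # Apache's default Order
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "order" and len(parts) > 1:
            order = parts[1]
        elif name in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def evaluate(order, allow, deny, client):
    """Apply the Order semantics and return True if the client is granted access."""
    allowed = any(host_matches(client, s) for s in allow)
    denied = any(host_matches(client, s) for s in deny)
    order = order.lower()
    if order == "deny,allow":
        # Deny first, Allow last: a matching Allow overrides; default is allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow first, Deny last: a matching Deny overrides; default is deny.
        return allowed and not denied
    if order == "mutual-failure":
        # Deprecated spelling of the same rule as Allow,Deny.
        return allowed and not denied
    raise ValueError("unknown Order value: %s" % order)


def access_allowed(block_text, client):
    return evaluate(*parse_directory_block(block_text), client)


# Constructed sample blocks. PAGE_EXAMPLE is the course's own example above.
PAGE_EXAMPLE = """
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/24
"""

# Meant to admit the 10.0.0.x network except one host. With this Order the
# Allow is evaluated last and wins, so 10.0.0.5 still gets in; and because
# Deny,Allow allows by default, hosts outside 10.0.0.x get in as well.
DENY_ONE_HOST_WRONG = """
    Order deny,allow
    Allow from 10.0.0
    Deny from 10.0.0.5
"""

# Same rules with Order allow,deny: the Deny is evaluated last, 10.0.0.5 is
# blocked, and everything not explicitly allowed is denied.
DENY_ONE_HOST_RIGHT = """
    Order allow,deny
    Allow from 10.0.0
    Deny from 10.0.0.5
"""

if __name__ == "__main__":
    for client in ("10.0.0.23", "10.0.0.5", "192.168.1.9"):
        print(client,
              access_allowed(PAGE_EXAMPLE, client),
              access_allowed(DENY_ONE_HOST_WRONG, client),
              access_allowed(DENY_ONE_HOST_RIGHT, client))
```

Run it and compare the second and third columns: the only difference between the two blocks is the Order line, and it decides both whether 10.0.0.5 is blocked and whether 192.168.1.9 is let in.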

Limit Access with User Authentication

By limiting access to certain IP addresses, you can control the hosts that access the
web server, but you have no control over the user who sits in front of the
computer.

Apache offers another possibility of access control called basic authentication. If you
protect content on your web server with this method, users are required to log in
before they can access the data. With basic authentication the browser sends the
user name and password with every request, encoded with base64 but not
encrypted, so this method should only be used over an SSL-encrypted connection
(see the following section).

Before you can configure Apache to use basic authentication, you first have to create
user accounts for the web server. You can do this by using the tool htpasswd2.

The following command creates a password file and an account for the user tux.

htpasswd2 -c /etc/apache2/htpasswd tux

After entering this command, htpasswd2 prompts you for a password for the user you
want to create. The passwords are stored in the file /etc/apache2/htpasswd.

You can specify a different location for the password file, but you have to make sure
that it is readable for the user wwwrun and that it is not located within the
DocumentRoot of your server.


When you use a password file for the first time, you have to call htpasswd2 with the
-c option to create the file. If you want to add more users later, use the following
command:

htpasswd2 /etc/apache2/htpasswd username

To delete a user from the password file, use the following command:

htpasswd2 -D /etc/apache2/htpasswd username

After you have created the user accounts, you need to configure Apache to prompt
for a password when accessing restricted data. You need to add the following lines to
the directory block of the directory that should be restricted:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require user tux

The following describes each line:


n AuthType Basic. This directive sets the authentication method. For the type
described in this section, the value is Basic.
n AuthName “Restricted Files”. With this directive, you have to choose a name
for the restricted directory of your web server. This name is used for the
authentication process between the browser and the web server.
n AuthUserFile /etc/apache2/htpasswd. This directive sets the password file used
for the restricted directory.
n Require user tux. This directive lists the user of the password file who is
allowed to access the directory. You can add more than one user by separating
the user names with spaces, or you can use the following directive:
Require valid-user
In this case, access is granted to all users of the password file.
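As an added example (not from the course and not Apache's code), the following Python script shows what the basic authentication exchange actually carries and how Require decides the outcome. It handles only the {SHA} entry format that htpasswd2 -s writes (the crypt and $apr1$ formats the tool also produces are not implemented), and the two sample users and their passwords are constructed for the demo. The Authorization header is decoded with plain base64, which is the point of the caveat above: without SSL the password is readable on the wire.

```python
# Added example (not from the Novell course, not Apache's own code): what the
# Basic authentication exchange carries and how Require decides the outcome.
# Only the {SHA} entry format (htpasswd2 -s) is handled; crypt and $apr1$ are not.
import base64
import binascii
import hashlib
import hmac


def make_htpasswd_entry(user, password):
    """Build the 'user:{SHA}base64(sha1(password))' line that htpasswd2 -s writes."""
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return "%s:{SHA}%s" % (user, digest)


def load_htpasswd(text):
    """Parse password-file text into {user: stored_hash}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            users[user] = stored.strip()
    return users


def password_ok(stored, password):
    """Compare a candidate password against a {SHA} entry in constant time."""
    if not stored.startswith("{SHA}"):
        return False
    candidate = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], candidate)


def parse_basic_header(header):
    """Return (user, password) from an 'Authorization: Basic <token>' value.

    The token is only base64, so anyone reading the traffic recovers the
    password; this is why Basic auth belongs behind SSL. Returns None if the
    header is malformed.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")   # the password may contain ':'
    return user, password


def authorize(users, require, header):
    """Decide one request under 'Require user a b ...' or 'Require valid-user'.

    Returns 'ok', 'unauthorized' (no or wrong credentials: Apache answers 401
    with a WWW-Authenticate challenge) or 'forbidden' (valid credentials, but
    the user is not listed in Require user, so Apache refuses the request).
    """
    creds = parse_basic_header(header) if header else None
    if creds is None:
        return "unauthorized"
    user, password = creds
    if user not in users or not password_ok(users[user], password):
        return "unauthorized"
    parts = require.split()
    if parts and parts[0].lower() == "require":
        parts = parts[1:]
    if parts[:1] == ["valid-user"]:
        return "ok"
    if parts[:1] == ["user"] and user in parts[1:]:
        return "ok"
    return "forbidden"


def basic_header(user, password):
    """What a browser sends after the user fills in the password dialog."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


# Constructed sample password file with two users (passwords chosen for the demo).
HTPASSWD = "\n".join([make_htpasswd_entry("tux", "novell"),
                      make_htpasswd_entry("geeko", "secret")])


def check(require, header):
    """Run authorize() against the constructed sample file."""
    return authorize(load_htpasswd(HTPASSWD), require, header)


if __name__ == "__main__":
    print(HTPASSWD)
    print(check("Require user tux", basic_header("tux", "novell")))       # ok
    print(check("Require user tux", basic_header("geeko", "secret")))     # forbidden
    print(check("Require valid-user", basic_header("geeko", "secret")))   # ok
    print(check("Require valid-user", basic_header("geeko", "wrong")))    # unauthorized
```

The {SHA} format is an unsalted SHA-1 of the password; it is shown here because it is easy to reproduce, not because it is a good choice. Newer htpasswd versions offer bcrypt (-B), which is what a production password file should use.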

How to Configure OpenSSL for Connection Encryption

By default, the connection between the web browser and the web server is not
encrypted. Anyone who can listen to the network packets exchanged between
browser and server can read the transferred information.

Apache can use the SSL (Secure Socket Layer) protocol to encrypt the connection.
To configure an SSL encryption with an Apache web server, you need know the
following:
n The Basics of SSL Encryption
n How to Create a Test Certificate
n How to Configure Apache to Use SSL
n The Limitations of the SSL Configuration


The Basics of SSL Encryption

Encryption with RSA keys is asymmetric (public-key) encryption. It is used by the
encryption software PGP (Pretty Good Privacy) to encrypt emails, by ssh (Secure
Shell) for encrypted data transfers between two computers, and by Apache for
secure data transmission between the web server and the web browser. In all
three cases the bulk data is encrypted with a much faster symmetric cipher; the
RSA keys are used to identify the peer and to exchange the symmetric session
key.

This encryption is based on 2 different keys: a private key and a public key. While the
private key is known only to the owner, the public key can be given to anyone.

The following shows the encryption process:

Figure 3-10: The sender encrypts the unencrypted text with the public key of the
recipient, which produces unreadable ciphertext. The recipient decrypts the
ciphertext with the private key of the recipient and gets the unencrypted text
back.

Public and private keys can also be used to sign data. In principle, when data is
signed, a checksum (hash) of the data is computed and encrypted with the private
key of the sender; this encrypted checksum is the signature.

The recipient checks the signature with the public key of the sender. If the
decrypted checksum matches a checksum computed over the received data, the data
really comes from the sender and has not been modified by a third party.


The following illustrates the signing process:

Figure 3-11: The sender signs the text with the private key of the sender and
sends text and signature. The recipient checks the signature with the public
key of the sender; the result is either "signature valid" or "signature
invalid".

A problem with the procedure described above is that a public key by itself does
not tell you who its owner is. The solution to this problem is a Certificate
Authority (CA), which signs public keys together with the owner's name with its
own private key.

A public key that is bound to a name and signed by a CA in this way is called a
certificate.

CAs are well-known companies or organizations like VeriSign or VISA. The public
keys of these organizations are built into the web browsers. By verifying the
CA's signature with the public key of the CA, the browser can make sure that the
public key presented by a web server really belongs to that server. Note that
the browser trusts every CA in its built-in list equally: a certificate for your
hostname issued by any of them is accepted.

The following explains the process of using a CA with SSL encryption for a web
server:
1. The browser recognizes a web address starting with https://.
This means that the connection to this server should be encrypted. The default
port for SSL connections is 443 instead of port 80 (used for normal unencrypted
HTTP connections).
2. The web browser opens the connection and starts the SSL handshake.
3. The web server sends its certificate, which contains its public RSA key, to
the web browser.
4. The web browser verifies the CA signature on the certificate with the public
key of the CA that signed it, checks that the certificate has not expired, and
checks that the name in the certificate matches the hostname it asked for.
5. If the certificate is valid, the web browser and web server agree on a
session key and establish the encrypted connection.

You need a certificate signed by a CA that the clients trust to set up a secure
web server. You can sign a certificate by yourself, but this should only be done
for test purposes: browsers warn about such a certificate, and users who learn
to click through that warning will also click through it when an attacker
presents a certificate of his own.


How to Create a Test Certificate

To set up a secure web server for test purposes, you can create a certificate by
yourself. You should never use such a certificate for a production system.

To create a test certificate, you do the following:


n Create an RSA Key Pair
n Sign the Public Key to Create a Certificate

Create an RSA Key Pair

To create a key pair, OpenSSL needs random data. The course collects it in a file
by entering the following command:

cat /dev/random > /tmp/random

Stop this procedure after a few seconds by pressing Ctrl+C. The generated file
should be at least a thousand bytes in size. (Current OpenSSL versions seed
themselves from the kernel, so the -rand option below is not required any more;
it does no harm.) You can now generate the key pair by entering the following
command:

openssl genrsa -des3 -out server.key -rand /tmp/random 1024

During the process, you are prompted to enter a password. This password is used to
encrypt the private key on disk.

The file server.key contains the private key; the public key is derived from it
when the certificate is created in the next step. 1024-bit RSA keys are no
longer considered adequate; use at least 2048 bits for anything beyond this test
setup.

Sign the Public Key to Create a Certificate

Next you need to sign your public key to create a certificate by entering the following
command:

openssl req -new -x509 -key server.key -out server.crt

During the process, you are prompted for the following information:
n Enter pass phrase for /tmp/server.key:
Enter the passphrase you chose for the server key.
n Country Name (2 letter code) [AU]
Enter the country code of your country (such as DE for Germany).
n State or Province Name (full name) [Some-State]:
Enter your state or province name. You can enter a period (.) to leave this field
blank.
n Locality Name (eg, city) []:
Enter the name of your city.
n Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Enter the name of your company.


n Organizational Unit Name (eg, section) []:


Enter the name of your unit, or you can enter a period (.) to leave it blank.
n Common Name (eg, YOUR name) []:
Enter the full hostname of your system (such as www.example.com). The
certificate will be valid for this hostname only.
n Email Address []:
Enter the email address of the administrator who is responsible for the server.

After you have answered all questions, the server certificate is saved into the file
server.crt.

Finally, you need to copy the files server.key and server.crt to the correct locations:
n Copy the file server.key to the directory /etc/apache2/ssl.key.
n Copy the file server.crt to the directory /etc/apache2/ssl.crt.
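The two openssl steps above, scripted so that they run without prompts and are checked before the files are copied into /etc/apache2. This is an example added to this page, not the course's procedure and not part of OpenSSL. It assumes the openssl binary is on the PATH, uses a 2048-bit key instead of 1024, writes the key without -des3 so that Apache can start unattended and relies on the file mode to protect it instead (the trade-off the course makes later when it removes apache2 from the boot process), and uses placeholder values for the subject fields. The checks are the ones worth making before you install a certificate: the Common Name is the hostname, the certificate is self-signed (issuer equals subject), and the key actually belongs to it.

```python
# Added example (not from the Novell course, not part of OpenSSL): create a
# self-signed test certificate non-interactively and check it before installing
# it. Assumes the openssl binary is on PATH. Subject fields are placeholders.
import os
import shutil
import subprocess
import tempfile

# Minimal config so 'openssl req' does not depend on a system openssl.cnf;
# the subject comes from -subj, so the dn section can stay empty.
MINIMAL_CNF = "[req]\ndistinguished_name = dn\n[dn]\n"


def openssl_available():
    return shutil.which("openssl") is not None


def _run(args):
    """Run one openssl subcommand and return its stdout; raise on failure."""
    return subprocess.run(["openssl"] + args, check=True,
                          capture_output=True, text=True).stdout


def make_test_cert(hostname, directory, bits=2048, days=365):
    """Write server.key and server.crt into directory; return their paths."""
    key = os.path.join(directory, "server.key")
    crt = os.path.join(directory, "server.crt")
    cnf = os.path.join(directory, "req.cnf")
    with open(cnf, "w") as fh:
        fh.write(MINIMAL_CNF)
    # No -des3: an unencrypted key lets Apache start at boot without a
    # passphrase prompt, so the file mode has to protect it instead.
    _run(["genrsa", "-out", key, str(bits)])
    os.chmod(key, 0o400)
    _run(["req", "-new", "-x509", "-key", key, "-out", crt, "-days", str(days),
          "-config", cnf, "-subj", "/C=DE/O=Example Org/CN=%s" % hostname])
    return key, crt


def _name(crt, which):
    """Subject or issuer as an RFC 2253 string, e.g. 'CN=host,O=Example Org,C=DE'."""
    out = _run(["x509", "-in", crt, "-noout", "-" + which, "-nameopt", "RFC2253"])
    return out.partition("=")[2].strip()


def cn_from_name(name):
    """Pick the CN out of an RFC 2253 name string; None if there is none."""
    for rdn in name.split(","):
        rdn = rdn.strip()
        if rdn.startswith("CN="):
            return rdn[3:]
    return None


def common_name(crt):
    return cn_from_name(_name(crt, "subject"))


def is_self_signed(crt):
    return _name(crt, "subject") == _name(crt, "issuer")


def key_matches_cert(key, crt):
    """The modulus printed for the key and for the certificate must be identical."""
    return (_run(["rsa", "-in", key, "-noout", "-modulus"]) ==
            _run(["x509", "-in", crt, "-noout", "-modulus"]))


def demo(hostname="www.example.com"):
    """Generate into a temporary directory and return the check results."""
    directory = tempfile.mkdtemp()
    try:
        key, crt = make_test_cert(hostname, directory)
        return {
            "cn": common_name(crt),
            "self_signed": is_self_signed(crt),
            "key_matches": key_matches_cert(key, crt),
            "key_mode": os.stat(key).st_mode & 0o777,
        }
    finally:
        shutil.rmtree(directory)


def checks_pass(hostname="www.example.com"):
    """True if every check a practitioner would make before installing passes."""
    r = demo(hostname)
    return (r["cn"] == hostname and r["self_signed"] and r["key_matches"]
            and r["key_mode"] == 0o400)


if __name__ == "__main__":
    print(demo() if openssl_available() else "openssl not found on PATH")
```

The same checks apply to a CA-signed certificate once it comes back from the CA: compare the modulus of the certificate against the key you kept, and confirm the CN before you point SSLCertificateFile at it.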

How to Configure Apache to Use SSL

After you have generated the RSA key pair and the server certificate, you have to
configure Apache to use SSL. First, you need to change two settings in the file
/etc/sysconfig/apache2.

The settings in this file apply to the Apache startup script and do not belong to the
server configuration.

Set the following variables to the appropriate values:


n APACHE_START_TIMEOUT="10"
This setting extends the start timeout of Apache so that you have more time to
enter the passphrase of the private RSA key.
n APACHE_SERVER_FLAGS="SSL"
The additional server flag SSL defines the SSL variable when evaluating the
Apache configuration files. This enables the <IfDefine SSL> sections that are
necessary for SSL encryption.
For example, it makes Apache listen on port 443 in addition to port 80.

You also need to change the server configuration files to enable SSL by doing one of
the following:
n Configure the Main Server to Use SSL Encryption
n Configure a Virtual Host to Use SSL Encryption


Configure the Main Server to Use SSL Encryption

To configure the main server, you need to add the following directives to the file
/etc/apache2/default-server.conf:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Each line is described below:

n SSLEngine on
This directive enables the Apache SSL engine.
n SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
This directive sets which ciphers the server accepts. The line displayed above
is the default configuration that comes with Apache 2.0. It still permits LOW,
export-grade (EXP) and SSLv2 ciphers, which are broken; on any server that is
reachable from outside a test network, restrict it (for example
SSLCipherSuite HIGH:!aNULL:!MD5) and disable the old protocol versions with
SSLProtocol all -SSLv2 -SSLv3.

For more information about this directive, go to
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite.

n SSLCertificateFile /etc/apache2/ssl.crt/server.crt
This directive points to the server certificate file.
n SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
This directive points to the server key file. Keep this file readable by root
only; Apache reads it before it drops its privileges to the user wwwrun.

After you make the described changes, you have to restart Apache. Apache prompts
you for the passphrase of the server key file.

The server might not start up correctly at boot time, because it requires the
passphrase for the server key. You should remove Apache from the init process and
start it manually after the system starts up.

You can access the SSL host by using the address https://name_of_your_host.

Configure a Virtual Host to Use SSL Encryption

You can also configure a virtual host instead of the main server to use SSL. Place the
directives described above in your virtual host configuration and define your virtual
host with a directive such as the following:

<VirtualHost your_hostname:443>


The Limitations of the SSL Configuration

The SSL setup as described in this section is a very basic configuration. To run
Apache with SSL on a server that can be reached from the Internet, you need a more
thorough understanding of SSL and the available configuration directives.

For more information about this topic, go to http://httpd.apache.org/docs-2.0/.


Exercise 3-3 Configure an Apache Web Server

In this exercise, you configure an Apache web server by doing the following:
n Part I: Install Apache
n Part II: Test the Installation
n Part III: Configure a Virtual Host for the Accounting Department
n Part IV: Configure User Authentication
n Part V: Configure SSL

The file accounting.conf you create in this exercise can be difficult to modify properly. To help
you understand what needs to be changed and where parameters are placed, the file is available
on your 3038 Course CD in the directory /exercises/section_3.

Part I: Install Apache

Do the following:
1. From the KDE start menu, select System > YaST; then enter a password of novell
and select OK.
2. From the YaST Control Center, select Software > Install and Remove Software.
3. From the filter drop-down menu, select Search.
4. In the Search field, enter apache; then select Search.
5. On the right side, select the following packages.
q apache2
q apache2-example-pages
q apache2-prefork
6. Select Accept.
7. (Conditional) If YaST displays package dependencies, confirm by selecting
Continue.
8. When prompted, insert the requested SLES 9 CDs in the drive.
9. When installation is complete, close the YaST Control Center and remove the CD.
10. Open a terminal window and su to root.

11. To start Apache at boot time, enter the following:

insserv apache2
12. To start the Apache daemon, enter the following:

rcapache2 start


Part II: Test the Installation

Do the following:
1. From the KDE menu, select Internet > Web Browser.
2. In the address bar of the web browser, enter the following:
http://localhost
If the Apache example page appears, the web server has been installed and
started correctly.
3. (Conditional) If you are having problems displaying the page, you need to rename
the file /srv/www/htdocs/index.html.en to
/srv/www/htdocs/index.html.

Part III: Configure a Virtual Host for the Accounting Department

Do the following:
1. From the terminal window (as root), create a directory for the virtual host by
entering the following:
mkdir /srv/www/accounting
2. Adjust the file system permissions by entering the following:
chown wwwrun /srv/www/accounting/
3. In the new directory, create a file index.html with the following content:
<html>
<head>
<title>Accounting Intranet Server</title>
</head>
<body>
<h1>Accounting Intranet</h1>
Under construction.
</body>
</html>

This file is also available on your 3038 Course CD in the directory
/exercises/section_3.

4. Adjust the file system permissions of the file by entering the following:
chown wwwrun index.html
5. Change to the directory /etc/apache2/vhosts.d/ by entering the following:
cd /etc/apache2/vhosts.d/
6. Copy the virtual host template file by entering the following:
cp vhost.template accounting.conf


7. Open the file accounting.conf in a text editor and make the following changes
(use straight double quotes in the file; the ScriptAlias target needs the
trailing slash, because Apache appends the rest of the URL path to it
literally):
<VirtualHost accounting.da.com:80>
ServerName accounting.da.com
DocumentRoot /srv/www/accounting
ErrorLog /var/log/apache2/accounting.da.com-error_log
CustomLog /var/log/apache2/accounting.da.com-access_log combined
UseCanonicalName On
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
<Directory "/srv/www/accounting/">
AllowOverride None
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
8. For testing purposes, append “accounting.da.com” to the line “127.0.0.1” in the
file /etc/hosts:
127.0.0.1 localhost accounting.da.com
9. Test the syntax of your configuration file by entering the following:
apache2ctl configtest
10. Reload Apache by entering the following:

rcapache2 reload
11. From the Konqueror browser, access the virtual host by entering the following:

http://accounting.da.com
The accounting intranet index page is displayed.
12. Close the Konqueror browser.

Part IV: Configure User Authentication

Do the following:
1. From the terminal window (as root), create the file htpasswd and add the user
geeko to it by entering the following:
htpasswd2 -c /etc/apache2/htpasswd geeko
2. When prompted for a password, enter novell (twice).


3. Open the virtual host configuration file
/etc/apache2/vhosts.d/accounting.conf in a text editor.
4. Find the following directory directive:
<Directory "/srv/www/accounting/">
5. Within this directory block, add the following lines:
AuthType Basic
AuthName "Accounting Intranet"
AuthUserFile /etc/apache2/htpasswd
Require user geeko
6. Check the syntax of the configuration file by entering the following command:
apache2ctl configtest
7. Reload the Apache server by entering the following:
rcapache2 reload
8. Open the Konqueror browser; then enter the following:
http://accounting.da.com
A password dialog appears.
9. Enter a user name of geeko and a password of novell.
10. Access the protected web site by selecting OK.

Part V: Configure SSL

Do the following:
1. From the terminal window (as root), create the file random by entering the
following:
cat /dev/random > /tmp/random
2. Press some keys on the keyboard to generate random events which help to create
the file.
3. Stop the process after about 15 seconds by pressing Ctrl+C.
4. Generate a server key by entering the following (on one line):
openssl genrsa -des3 -out /tmp/accounting.key -rand
/tmp/random 1024
5. When prompted for a pass phrase, enter novell (twice).
6. Sign the key by entering the following (on one line):
openssl req -new -x509 -key /tmp/accounting.key
-out /tmp/accounting.crt


7. When prompted for a pass phrase, enter novell; then enter the following
information:

Table 3-8 Option Value

Country Name US

State or Province Name Utah

Locality Name Provo

Organization Name Digital Airlines

Organizational Unit Name Accounting

Common Name accounting.da.com

Email Address webmaster@da.com

8. Copy the files by entering the following commands:


cp /tmp/accounting.key /etc/apache2/ssl.key/
cp /tmp/accounting.crt /etc/apache2/ssl.crt/
9. Delete the temporary files by entering the following:
rm /tmp/accounting*
10. Adjust the file system permissions by entering the following commands:

chmod 400 /etc/apache2/ssl.key/accounting.key


chmod 400 /etc/apache2/ssl.crt/accounting.crt
11. Open the file /etc/apache2/vhosts.d/accounting.conf in a text editor, and change
the following lines:
<VirtualHost accounting.da.com:80>
to
<VirtualHost accounting.da.com:443>
and
ServerName accounting.da.com
to
ServerName accounting.da.com:443


12. Add the following lines after the ServerName directive:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/accounting.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/accounting.key
The SSLCipherSuite directive and its argument must be on one line.

These lines are available in the file servername in the directory /exercises/section_3 on
your 3038 Course CD.

13. Save and close the file.

14. Open the file /etc/sysconfig/apache2 in a text editor, and change the following
lines:
APACHE_SERVER_FLAGS="SSL"
APACHE_START_TIMEOUT="10"
15. Save and close the file.

16. From the terminal window, check the syntax of the configuration file by entering
the following:
apache2ctl configtest
17. Restart Apache by entering the following:

rcapache2 restart
18. When prompted for the pass phrase, enter novell.

19. As the pass phrase has to be entered every time the server starts, you can prevent
the server from being started automatically at boot by entering the following:
insserv -r apache2
20. From the Konqueror browser, enter the following:

https://accounting.da.com/
As the certificate used in this exercises is self-signed, the browser displays a
warning.
21. In the warning dialogs, select Continue and Forever to view the web site.

22. In the login dialog, enter a username of geeko with a password of novell.

23. After the page displays, close the Konqueror browser and all other open windows.

(End of Exercise)


Objective 4 Configure a Samba Server as a File Server


Samba is a suite of applications used to integrate a Linux system into a Windows
network. Samba is most commonly used as a file server for Windows hosts.

To configure a Samba file server, you need to know the following:


n The Purpose and the Possibilities of Samba
n How to Install and Set Up a Basic Samba Server
n The Structure and Elements of the Samba Configuration File
n How to Use the Samba Tools to Access SMB Shares from a Linux Computer
n How to Configure a File Server with User Authentication
n Additional Possibilities with Samba

The Purpose and the Possibilities of Samba

The Server Message Block (SMB) protocol is a network protocol that provides file
and print services in a Windows network. Samba enables Linux to use SMB so that
Linux can work in a Windows environment.

You can use Samba for the following purposes:


n Use the Samba server to provide file and print services for Windows clients.
n Use the Samba tools to access SMB file and print services on a Linux system.
n Use Samba as a domain controller for Windows clients.

SMB services are traditionally provided on top of the NetBIOS protocol (Samba
can also speak SMB directly over TCP port 445). NetBIOS makes its own name
space available, which is completely different from the domain name system.

This name space is addressed with the Universal Naming Convention (UNC)
notation: all services provided by a server are addressed as \\Server\Servicename.

File or print services offered by a server are also called shares.

The server side of Samba consists of 2 parts:

- nmbd. This daemon handles all NetBIOS-related tasks (name registration, name
  resolution and browsing).
- smbd. This daemon provides file and print services for clients in the network.

To integrate Linux as a client in a Windows environment, Samba provides 2 tools:

- nmblookup. This tool can be used for NetBIOS name resolution and testing.
- smbclient. This tool provides access to SMB file and print services.


How to Install and Set Up a Basic Samba Server

To set up a basic Samba server, you need to install the following packages with
YaST:
- samba. This is the main Samba package. It contains the Samba server software.
- samba-client. This package contains the Samba client tools.
- samba-doc. This package provides additional documentation about Samba.

After the packages have been installed, you can start the 2 Samba daemons with the
following commands:

rcnmb start
rcsmb start

To start the Samba services automatically when the system is booting, enter the
following commands:

insserv nmb
insserv smb

The Structure and Elements of the Samba Configuration File

The Samba services are configured in the file /etc/samba/smb.conf.

The options in this file are grouped into different sections. Each section starts
with a keyword in square brackets.

To set up a simple file server with Samba, do the following:

- Create a Section for the General Server Configuration
- Create a Section for the Files to be Shared

Create a Section for the General Server Configuration

The section for the general server configuration starts with the keyword [global]. The
following is an example of a basic global section:

[global]
workgroup = DigitalAirlines
netbios name = Fileserver
security = share

The entries of the global section in this example are described below:

- workgroup = DigitalAirlines
  This line sets the Windows workgroup of the Samba server (in this case,
  DigitalAirlines).


- netbios name = Fileserver
  This line sets the name of the system in the NetBIOS name space (in this case,
  Fileserver). A NetBIOS name is limited to 15 characters.
- security = share
  This line determines how a client has to authenticate itself when accessing a
  share. This option can have the following values:
  - share. The client does not need to provide a password when initially
    connecting to the server. However, a password might be necessary when the
    client tries to access a share. Share-level security is a legacy mode that was
    deprecated and later removed from Samba; use it only for the anonymous,
    read-only example in this section.
  - user. The client needs to provide a user name and password when
    connecting to the server. Samba validates the password against the users
    available on the Linux system and its own password file. This is the
    recommended setting for a standalone file server.
  - server. The client needs to provide a user name and password when it
    connects to the server. Samba contacts another SMB server in the network to
    validate the password.
  - domain. The client needs to provide a user name and password when
    connecting to the server. Samba connects to the domain controller and
    validates the password. This works only if Samba has joined a Windows domain.
  - ads. Samba acts as a domain member of an Active Directory realm and uses
    Kerberos to validate the user name and password.

NOTE: You might need to configure additional settings for these options to work
correctly. For more information, see the man page of smb.conf.

Create a Section for the Files to be Shared

After the global section, you need to add a section for each share of your file server.
The following example is the simplest way to set up a share:

[data]
comment = Data
path = /srv/data
read only = Yes
guest ok = Yes

The entries of the section in this example are described below:

- [data]
  This is the identifier for the share. The share can later be accessed with the
  address \\Fileserver\data.
- comment = Data
  This option is a comment with additional information about the share. The
  comment is displayed when you browse the network with Windows Explorer.


- path = /srv/data
  This option sets the path to the exported data on the local file system. Samba
  still enforces the normal UNIX permissions: make sure that the local user the
  connection runs as has sufficient file system rights for this directory, and
  no more than that.
- read only = Yes
  If this option is set to Yes, the client accessing the share is not allowed to
  modify, delete or create any files.
- guest ok = Yes
  If this option is set to Yes, a password is not required to access the share.
  Guest connections run as the Samba guest account (the user nobody by default).
  Combine guest ok = Yes with a writable share only if anonymous writes are really
  intended.

NOTE: There are many more configuration options available than those discussed in
this section. For an overview of all options, see the man page of smb.conf.

After you have created a smb.conf file, you should restart the Samba server daemons.

Before you restart the daemons, you can test the syntax of the Samba configuration
file by entering the following command:

testparm

The output of the command looks like the following:

Load smb config files from /etc/samba/smb.conf
processing section "[data]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

In this case, no errors are found. If there were any errors in the file, the command
would display the errors grouped by configuration sections.

How to Use the Samba Tools to Access SMB Shares from a Linux
Computer

Although the main purpose of Samba is to provide services for Windows clients, it
also provides tools to access SMB shares from Linux. It doesn't matter if these shares
are provided by Samba or a native Windows server.

You can perform 3 basic tasks with the Samba tools:

- Use nmblookup for Name Resolution in a NetBIOS Network
- Use smbclient to Access SMB Shares
- Mount SMB Shares into the Linux File System


Use nmblookup for Name Resolution in a NetBIOS Network

With the tool nmblookup, you can resolve NetBIOS names into IP addresses. In the
following example, the IP address for the Samba server with the NetBIOS name
Fileserver is looked up:

nmblookup Fileserver

The output of the command looks like the following:

querying Fileserver on 10.0.0.255
10.0.0.1 Fileserver<00>

In the first line, nmblookup states that it queries the IP address with a broadcast to the
address 10.0.0.255. In the second line, it displays the result of the query, in this case,
address 10.0.0.1 for the system with the NetBIOS name Fileserver.

NOTE: If the system you are querying is not in the same subnet as yours, the name
cannot be resolved with a broadcast query. Instead, nmblookup has to ask a WINS
server, or you send the query to the host directly with the -U option.

For more information, see the man page for nmblookup.
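The query that nmblookup broadcasts to UDP port 137, and the reply it parses, as an
added example that is not part of the course material or of Samba. The packet layout
is the NetBIOS Name Service format of RFC 1002; the sample response is constructed
inside the code so the parser can be exercised offline. Writing out both sides makes
the security property visible: apart from the 16-bit transaction id, nothing ties a
reply to a query and nothing authenticates the sender, so the first host to answer
on the broadcast segment is believed.

```python
# Added example, not part of the course or of Samba: the NetBIOS name query
# nmblookup broadcasts and the positive response it parses (RFC 1002 layout).
# The response below is constructed so the parser can be exercised offline.
import struct

NB_SUFFIX_WORKSTATION = 0x00      # the <00> suffix in nmblookup's output
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001
FLAGS_BROADCAST_QUERY = 0x0110    # opcode 0 (query), RD=1, B=1
FLAGS_POSITIVE_RESPONSE = 0x8500  # response, AA=1, RD=1, rcode 0


def encode_netbios_name(name, suffix=NB_SUFFIX_WORKSTATION):
    """First-level encoding: pad to 15 bytes, append the suffix byte, then write
    each nibble as a letter 'A'..'P'. Result: length byte 0x20, 32 chars, 0x00."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    chars = bytearray()
    for byte in raw:
        chars.append(0x41 + (byte >> 4))
        chars.append(0x41 + (byte & 0x0F))
    return b"\x20" + bytes(chars) + b"\x00"


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if encoded[0] != 0x20 or encoded[33] != 0x00:
        raise ValueError("not a 32-character NetBIOS name")
    c = encoded[1:33]
    raw = bytes(((c[i] - 0x41) << 4) | (c[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name, txid=0x1234):
    """Header: id, flags, QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT; then one question."""
    header = struct.pack("!HHHHHH", txid, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def build_name_response(name, ip, txid=0x1234, ttl=300000):
    """What the name owner (nmbd on that host) sends back; constructed here."""
    header = struct.pack("!HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    # RDATA: one entry of 2 bytes NB_FLAGS (0 = unique, B-node) plus 4 bytes IP
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_netbios_name(name) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def parse_name_response(pkt, expected_txid=None):
    """Return [(name, suffix, ip)] from a positive response. Only the transaction
    id ties a reply to a query; nothing authenticates who answered."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("negative response, rcode %d" % (flags & 0xF))
    off, results = 12, []
    for _ in range(an):
        name, suffix = decode_netbios_name(pkt[off:off + 34])
        off += 34
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_NB:
            continue
        for i in range(0, rdlen, 6):   # each entry: 2 bytes NB_FLAGS, 4 bytes IP
            ip = ".".join(str(b) for b in rdata[i + 2:i + 6])
            results.append((name, suffix, ip))
    return results


if __name__ == "__main__":
    query = build_name_query("Fileserver")
    print("query:", query.hex())
    reply = build_name_response("Fileserver", "10.0.0.1")
    print(parse_name_response(reply, expected_txid=0x1234))
```

To see the same bytes on the wire, capture UDP port 137 while running nmblookup: the
question section starts with the length byte 0x20 followed by the 32 encoded letters
(EGEJEMEFFDEFFCFGEFFC... for FILESERVER), and the answer repeats that name before the
NB record that carries the IP address.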

Use smbclient to Access SMB Shares

With the smbclient tool, you can access SMB shares on the network. It's also a very
useful tool to test a Samba server configuration.

You can perform 3 basic tasks with smbclient:

- Browse the Shares Provided by a Server
- Access Files Provided by an SMB Server
- Print on Printers Provided by an SMB Server

Browse the Shares Provided by a Server

To display the shares offered by an SMB server, enter a command such as the
following.

smbclient -L //Fileserver

When smbclient asks for a password, press Enter to proceed.


The output of smbclient looks like the following:

Domain=[DigitalAirlines] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Sharename      Type      Comment
        ---------      ----      -------
        data           Disk      Data
        IPC$           IPC       IPC Service
        ADMIN$         IPC       IPC Service
Domain=[DigitalAirlines] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        DigitalAirlines      Fileserver

smbclient first displays all available shares of the SMB server. Besides the shares
you have configured in the smb.conf file, an SMB server always offers at least 2 other
shares:

- IPC$. This is the inter-process communication share. Clients open named pipes on
  it for remote procedure calls; retrieving the list of available shares is itself
  done through this share.
- ADMIN$. On a Windows computer this share points to the directory where
  Windows itself is installed. This can be useful for administrative tasks. Because
  Samba emulates a Windows server, it also offers this share. However, it is
  not needed to administer a Linux server.

The lower part of the smbclient output gives some information about the workgroup
of the system.

This command can also be very valuable for testing purposes. After you have set up a
share, you can check the availability of the share with smbclient.

Some shares are not browseable without authentication. In this case, you can pass a
user name to smbclient, as in the following:

smbclient -L //Fileserver -U tux

In the example, smbclient connects to the server with the user name tux and prompts
for the corresponding password.

Access Files Provided by an SMB Server

The command to access a share on a server is similar to the command used to browse
for available shares, but instead of supplying just the server name, the full path to the
share needs to be supplied without the -L option.

In the following example, smbclient connects to the share data on the server
Fileserver:

smbclient //Fileserver/data

In this case, it is not necessary to supply a user name because the share data is
configured with the guest ok = yes option. A user name can be supplied with the -U
option.


After smbclient has connected to a share, it displays the following prompt:

smb: \>

smbclient can be used like a command-line FTP client. The most important
commands are the following:

- ls. Displays the content of the current directory.
- cd. Changes to a directory.
- get. Copies a file from the share to the current working directory.
- put. Copies a file to the share. The share must be writable to use this command.

Print on Printers Provided by an SMB Server

You can use smbclient to print on shared network printers. The basic syntax of a print
command is shown in the following:

smbclient //Printserver/laser -c 'print letter.ps'

In this example, the file letter.ps is printed on a network printer accessed through the
share laser of the SMB server Printserver.

You can also use the command print on the smbclient command line after you have
connected to the server. The -c option performs the given command automatically
after the connection to the server has been established.

Mount SMB Shares into the Linux File System

Instead of accessing shared files with smbclient, you can mount a share into the file
system like a hard disk partition or a CD-ROM drive.

The basic mount command is shown in the following:

mount -t smbfs //Fileserver/data /mnt

In this example, the share data of the SMB server Fileserver is mounted into the
directory /mnt. The option -t smbfs is necessary to specify that the resource to be
mounted is an SMB share.

If the share requires authentication, you can supply a username and password, as in
the following:

mount -t smbfs -o username=tux,password=novell //Fileserver/data /mnt

A password given on the command line is visible to every local user in the process
list while mount runs and is kept in the shell history afterwards. On a production
system, put the username and password in a file readable only by root and refer to
it with the mount option credentials=/path/to/file instead.

NOTE: smbfs is the SMB file system of the SLES 9 kernel. Later kernels replaced it
with cifs; the command is then mount -t cifs with the same share and option syntax.


How to Configure a File Server with User Authentication

In the previous example, the Samba share is accessible without supplying a user
name and password. In most cases, this type of accessibility is not recommended.

The following shows you how to configure Samba to require authentication with a
user name and password:

- Prepare the Server for User Authentication
- Configure a Share That Is Accessible to Only One User
- Configure Shared Access for a Group of Users
- Configure the Export of Home Directories

Prepare the Server for User Authentication

The first task is to change the security option in the smb.conf file to the following:
security = user

The value user for the option security forces user authentication when the client
attempts to connect to the server.

In the following examples, the configuration is based on User Level Security. In this
security level, the Windows-compatible password hashes are stored in the file
/etc/samba/smbpasswd (by default).

Users who want to access SMB shares must first exist as Linux users. Then an
SMB password needs to be set using the smbpasswd tool. The SMB password is kept
separately from the Linux password in /etc/shadow and is stored as a different,
unsalted hash (the NT hash). Keep the smbpasswd file owned by root with mode 0600:
whoever can read the hashes can authenticate with them.

The following example sets an SMB password for the user tux:

smbpasswd -a tux

smbpasswd prompts you to enter the password twice (the input is not echoed) and
confirms the setting of the password by displaying the following message:

New SMB password:
Reenter SMB password:
Added user tux

If smbpasswd is called without any parameters, the current user can change his own
SMB password. If smbpasswd is called with the -x option followed by a user name, that
user is deleted from the smbpasswd file.


Configure a Share That Is Accessible to Only One User

The following example configures a share that is accessible only for the user tux:

[tux-dir]
comment = Tux Directory
path = /srv/share
valid users = tux
read only = no

Each line of this share is described below:

- comment = Tux Directory
  This option sets the comment for the share.
- path = /srv/share
  This option sets the path to the share.
- valid users = tux
  This option lists all users who are allowed to connect to this share. User names
  have to be separated by commas. You can add an entire UNIX group with the
  syntax @group_name. However, all the users of the UNIX group need accounts
  in the smbpasswd file. Without a valid users line, every account that has an SMB
  password can connect to the share.
- read only = no
  This option makes the share writable by setting the read only option to no.

Configure Shared Access for a Group of Users

The following example creates a share that is readable and writable for all users of
the UNIX group accounting:

[accounting]
comment = Accounting department
path = /srv/share
valid users = @accounting
force user = tux
force group = accounting
read only = no

Compared to the previous example, the following lines are new or have changed:

- valid users = @accounting
  This line allows all users who are in the UNIX group accounting to access the
  shared folder.
- force user = tux
  This line forces the Samba server to perform all file operations in the shared
  folder as user tux. This ensures that all files in the shared folder are readable and
  writable for every user who is allowed to access the share. The price is that the
  file system no longer records who created or changed a file, because everything
  is owned by tux. If you need that accountability, rely on force group, a setgid
  directory and a suitable create mask instead of force user.
- force group = accounting
  This line forces the Samba server to perform all file operations with the group
  accounting.

Configure the Export of Home Directories

The following example exports the home directory of all UNIX users of the Samba
server. You need to add the users to the smbpasswd file before the setup works:

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

In this example, you must name the share homes. If Samba finds a share with this
name in the configuration file, it is treated in a special way.

When a share is requested, Samba first scans the existing sections of the
configuration file. If no section is found, Samba uses the requested share name as a
user name and looks up the user in the local password file.

If the user is found and the correct password is supplied, Samba automatically creates
a share for the home directory of the user.

The following describes the lines in the example:

- valid users = %S
  The %S macro expands to the name of the requested share, which for a [homes]
  share is the user name. Only the owner can therefore connect to a home share.
  Without this line, any authenticated user could open //server_name/other_user
  and would be limited only by the UNIX permissions of that home directory.
- read only = No
  The exported home directory should be readable and writable for the
  authenticated user.
- browseable = No
  For security reasons, the generic homes share is not listed when clients browse
  the server.

To access an exported home directory, use the address //server_name/user_name.
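Putting together the options from The Structure and Elements of the Samba
Configuration File and from this section, the following is an added example (written
for this edit; not part of the course or of Samba) that parses an smb.conf and reports
the settings a reviewer would flag: share-level security, writable shares with guest
access, force user, authenticated shares without a valid users list, and a [homes]
section that is browseable or not limited to %S. The sample configuration is
constructed inline; it mixes the shares from this objective with a deliberately weak
[upload] share, and the option synonyms it handles (writable, writeable, write ok,
public) are the ones smb.conf documents.

```python
# Added example, not part of the course or of Samba: parse smb.conf and flag
# the settings discussed in this objective. The configuration below is
# constructed for the example and mixes the shares from the text with a
# deliberately weak [upload] share.
import re

SAMPLE_SMB_CONF = """\
[global]
    workgroup = DigitalAirlines
    netbios name = Fileserver
    security = share

[data]
    comment = Data
    path = /srv/data
    read only = Yes
    guest ok = Yes

[upload]
    ; constructed: anonymous and writable
    path = /srv/upload
    writable = yes
    public = yes

[accounting]
    comment = Accounting department
    path = /srv/share
    valid users = @accounting
    force user = tux
    force group = accounting
    read only = no

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
"""


def _key(name):
    # Samba option names are case-insensitive and ignore internal whitespace.
    return re.sub(r"\s+", "", name.lower())


def _true(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return an ordered {section: {normalised_option: value}} mapping.
    Only whole-line comments (leading ';' or '#') are recognised, as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][_key(key)] = value.strip()
    return sections


def is_writable(opts):
    # "writable", "writeable" and "write ok" are inverted synonyms of "read only",
    # which defaults to yes.
    for syn in ("writable", "writeable", "writeok"):
        if syn in opts:
            return _true(opts[syn])
    return not _true(opts.get("readonly", "yes"))


def is_guest_ok(opts):
    # "public" is a synonym of "guest ok"; both default to no.
    return _true(opts.get("guestok", opts.get("public", "no")))


def audit(sections):
    """Return a list of (section, finding) tuples in configuration order."""
    findings = []
    for name, opts in sections.items():
        if name == "global":
            if opts.get("security", "user").lower() == "share":
                findings.append((name, "security = share is legacy and was removed from Samba; use security = user"))
            continue
        if name == "printers":
            continue
        if name == "homes":
            if _true(opts.get("browseable", opts.get("browsable", "yes"))):
                findings.append((name, "set browseable = No so the generic homes share is not listed"))
            if opts.get("validusers") != "%S":
                findings.append((name, "set valid users = %S so only the owner can open a home share"))
            continue
        guest, writable = is_guest_ok(opts), is_writable(opts)
        if guest and writable:
            findings.append((name, "anonymous users can write to this share (guest ok + writable)"))
        if not guest and "validusers" not in opts:
            findings.append((name, "no valid users: every account with an SMB password can connect"))
        if "forceuser" in opts:
            findings.append((name, "force user = %s hides who really changed a file" % opts["forceuser"]))
    return findings


if __name__ == "__main__":
    for section, finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] %s" % (section, finding))
```

Run it against /etc/samba/smb.conf after testparm: testparm only tells you whether
the file parses, while the checks above look at what the parsed values allow. The
[data] share from the text passes because it is read-only; the constructed [upload]
share, [accounting] with its force user line and the [homes] section without
browseable = No each produce one finding.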


Additional Possibilities with Samba

This section explained only the basic usage of Samba. Many more features and
configuration options are available to help you customize Samba for your
environment.

For example, you could

- Use Samba as member server of a Windows domain.
- Use Samba as domain controller.

You can find more information about Samba and the possible configurations from the
following:

- The samba-doc package in the directory /usr/share/doc/packages/samba/
- The man page of smb.conf
- The Samba project site at http://www.samba.org/


Exercise 3-4 Configure a File Server With Samba.

In this exercise, you configure a file server with Samba by doing the following:

- Part I: Install Samba
- Part II: Configure a Share for the User Geeko
- Part III: Access the Share of the User Geeko With smbclient
- Part IV: Mount Geeko's Share

Part I: Install Samba

Do the following:
1. From the KDE start menu, select System > YaST.
2. When prompted for the root password, enter novell; then select OK.
3. From the YaST Control Center, select
Software > Install and Remove Software.
4. From the filter drop-down menu, select Search.
5. In the search field, enter samba; then select Search.
6. On the right, select the following packages:
q samba
q samba-client (if not already selected)
7. Install the selected packages by selecting Accept.

Part II: Configure a Share for the User Geeko

Do the following:
1. From a terminal window, su to root.
2. Change to the directory /etc/samba.
3. Save the default Samba configuration file by entering the following:
mv smb.conf smb.save
4. Create the file smb.conf with a text editor.


5. Add the following lines to the configuration file:


[global]
workgroup = Accounting
netbios name = Fileserver_your_host_name
security = user

[geeko-dir]
comment = Geeko Directory
path = /srv/samba/geeko
valid users = geeko
read only = no

NOTE: This file is available on your 3038 Course CD in the directory
/exercises/section_3.

6. Save and close the file.


7. Create the directory to export by entering the following commands:
mkdir /srv/samba/
mkdir /srv/samba/geeko
8. Create a test file in the directory by entering the following:
touch /srv/samba/geeko/my_file
9. Adjust the directory permissions by entering the following commands:
chown geeko /srv/samba/geeko
chown geeko /srv/samba/geeko/my_file
10. Add geeko to the file smbpasswd file by entering the following:

smbpasswd -a geeko
11. When prompted for a password, enter novell (twice).

12. Check the syntax of the configuration file by entering the following:

testparm
13. Start the Samba servers by entering the following commands:

rcsmb start
rcnmb start


Part III: Access the Share of the User Geeko With smbclient

Do the following:
1. Open a terminal window as a normal user.
2. Access Geeko's share by entering the following:
smbclient -U geeko //localhost/geeko-dir
3. When prompted for a password, enter novell.
4. Display all available commands of smbclient by entering the following:
help
5. List the content of the share by entering the following:
ls
6. Copy the file my_file to the current directory by entering the following:
get my_file
7. Exit smbclient by pressing Ctrl+D.
8. Verify that the file my_file has been copied to the current directory by entering ls.

Part IV: Mount Geeko's Share

Do the following:
1. From the terminal window, su to root.
2. Mount geeko's share in the directory /mnt by entering the following:
mount -t smbfs -o username=geeko,password=novell //localhost/geeko-dir /mnt
3. Display the content of the mounted share by entering the following:
ls /mnt/
You should see the file my_file.
4. Unmount the share by entering the following:
umount /mnt
5. Close all open terminal windows.

(End of Exercise)


Summary

Objective 1 Configure a DNS Server Using BIND

- DNS translates host names into IP addresses.
- DNS is a distributed database.
- Under SLES 9 you can use the BIND software to set up your own DNS server.
- A caching-only DNS server is not responsible for its own domain; it just forwards
  requests to other name servers and caches the result for later requests.
- A master server is responsible for its domain. It also provides resource
  information for host entries, such as the IP address of the mail server.
- DNS server information is stored in zone files.
- A slave DNS server receives copies of the domain zone files from the master
  server. Using slave servers enhances the reliability of the DNS.
- On a client, the name resolution is configured in the files /etc/resolv.conf and
  /etc/nsswitch.conf.
- To query DNS from the command line, you can use the host and the dig commands.

Objective 2 Deploy OpenLDAP on a SLES 9 Server

- Directory services are tree-like structured databases that contain entry-based
  information.
- OpenLDAP is the most popular open source LDAP directory and is used for user
  authentication in SLES 9.
- If you did not configure an OpenLDAP server during the installation, you need to
  install the following software packages:
  - openldap2
  - openldap2-client
- The configuration of the OpenLDAP server is located in the file
  /etc/openldap/slapd.conf.
- You can create passwords for the administrator entry of the configuration file
  with the command slappasswd.
- The default configuration file for LDAP clients is /etc/openldap/ldap.conf.
- Use ldapadd to insert data from LDIF files into the directory.
- Make sure that LDIF files are UTF-8 encoded.
- Use ldapsearch to query information from the directory.
- Use ldapmodify to change entries in the directory.
- Use ldapdelete to delete directory entries.
- You can use the graphical program GQ to browse and query the directory.

Objective 3 Configure an Apache Web Server

- Apache is the leading web server software.
- Apache delivers data to a web browser using the HTTP protocol.
- For a basic web server, you need to install the following packages:
  - apache2
  - apache2-prefork
  - apache2-example-pages
- The locally running web server can be accessed using the address http://localhost.
- The default document root of the web server is /srv/www/htdocs.
- The Apache configuration files are located in the directory /etc/apache2.
- The options of the Apache configuration files are called directives.
- You can check the syntax of the configuration file with the command
  apache2ctl configtest.
- By configuring virtual hosts you can host multiple domains on one physical
  machine.
- You need to create a configuration file in the directory /etc/apache2/vhosts.d/
  for every virtual host.
- You can limit the access to the Apache web server
  - On an IP address basis
  - Based on user authentication
- To encrypt the connection between the browser and server, you can configure
  Apache to use SSL.
- To run a production system under SSL, you need a certificate signed by a CA that
  the clients trust.
- To access an SSL-enabled system, use an address starting with https://.

Objective 4 Configure a Samba Server as a File Server

- Samba can be used to integrate a Linux system into a Windows environment.
- Windows file and print services are delivered using the SMB protocol.
- The network protocol NetBIOS is used in a Windows environment.
- NetBIOS creates its own name space independently from DNS.
- An SMB share can be accessed with the address schema \\server_name\service_name.
- Samba can be used for the following purposes:
  - As a file and print server
  - To access SMB shares
  - As a domain controller
- The Samba server is configured in the file /etc/samba/smb.conf.
- The Samba configuration file is structured in sections.
- You can check the syntax of the configuration file with the command testparm.
- Use nmblookup to resolve NetBIOS names to IP addresses.
- Use smbclient to access shares from the command line.
- Use mount -t smbfs to mount SMB shares into the Linux file system.
- You can limit access to a Samba server with user authentication.


SECTION 4 Secure a SLES 9 Server

In this section, you learn how to create a general security policy and how to secure a
SLES 9 server against local attacks.

Objectives
1. Create a Security Concept
2. Limit Physical Access to Server Systems
3. Limit the Installed Software Packages
4. Understand the Linux User Authentication
5. Ensure File System Security
6. Use ACLs for Advanced Access Control
7. Configure Security Settings With YaST
8. Stay Informed About Security Issues
9. Apply Security Updates

Introduction
Given the number of press reports about attacks on computers, it is not surprising that
computer security is being taken more seriously.

Despite the increased interest in security, not all administrators and decision makers
understand what IT security means and why it is important to them.

An entire branch of the IT industry is concerned with security. Many security
products have been created in recent years. Firewall solutions and antivirus software
have become bestsellers, and yet an important component of every security
concept, perhaps even the most important component, is being neglected. This is
know-how.

Without the appropriate knowledge you cannot recognize and understand
security-critical issues in complex IT infrastructures.

This section begins with a general overview of security concepts. This is because
every aspect of security needs to be seen in the context of the environment. It does
not make sense to secure one server when the same data can be stolen or manipulated
on other systems.

After the introduction, you will learn details about local security. Local security
covers every threat that can be caused by users of the local system.

This section does not cover topics that belong to the area of network security. Topics
such as firewalls and packet filtering are beyond the scope of this course.


Objective 1 Create a Security Concept


“It is easy to run a secure computer system. You merely have to disconnect all
dial-up connections and permit only direct wired terminals, put the machine and its
terminals in a shielded room and post a guard at the door.”

F.T. Grampp and R.H. Morris

It might be possible to operate a computer system in this secure manner, but it's not
practical. To deal with network problems in the real world, a different security
concept is required.

This objective does not provide sample solutions that can be adapted to your own
problem solving. Instead, you learn how to create your own security concepts.

The process of creating a security concept consists of the following parts:

- Understand the Basics of a Security Concept
- Perform a Communication Analysis
- Analyze the Protection Requirements
- Analyze the Current Situation and Necessary Enhancements

Understand the Basics of a Security Concept

First, you must know what you are protecting your system from. A security concept
for a computer used by multiple users at different times is different from a security
concept for an environment in which many different users use multiple computers at
the same time.

If users work on different computers and use common resources, such as disk space
or printers, then a security concept pertaining to a network must be considered.

The formal method of creating a security concept presented in this section has been
tried and proven in practice. It helps to detect errors and sources of danger that are
not obvious and provides good documentation of the concept.

Perform a Communication Analysis

Creating a security concept begins with a communication analysis. This includes
analyzing the security situation and evaluating the dangers.

Resources are differentiated according to what a user needs and how the access to
these resources is controlled.

If users should not have access to certain resources, you can assign different access
rights. For example, you can determine which user groups can use a resource or if the
user groups can only access the resource during a certain time period.


By answering the following questions, you can learn valuable information to use in
developing a structured overall picture of your security needs.
n What information will be exchanged across which barriers and in which
direction?
A barrier can be the virtual barrier between the home directories of two users in
a UNIX system or a firewall between two networks.
n Which data packets will be transported with which protocols to which hosts
in the network?
The fewer protocols you use, the better security you will have, simply because
there are fewer sources of error.
n What resources are available to individual users and with which access
rights?
Consider the resources users will need: printers, files on storage media, the
storage media themselves (such as CD-ROM drives), sound cards, modems, fax
cards, ISDN cards, network services (such as FTP or HTTP), and the computing
capacity of CPUs.
n Which resources must be available in each work area?
Even in small companies, different departments require different resources.
n Which data must users have access to and in which way?
It does not make sense to organize access to data for each specific user
individually. It is better to structure access rights for user groups.
n Which external users have external access to company resources, what
resources do they use, and how is access controlled?
Pay special attention to how external users are authenticated.
n Which external resources does the company provide?
Usually this means web and mail servers and other Internet services.
n Should users be charged for resources?
Many organizations charge users or departments for expensive resources (such as
Internet bandwidth).
n Which tasks must external service providers be involved in?
Determine whether it is necessary to exchange any security-relevant data with the
external service provider.
n How do security restrictions affect users, and how open are users to these
restrictions?
Users are more willing to live with restrictions if they understand why the
restrictions are needed.
n Will you filter transmitted or stored information on gateways between
networks or on computers?
This applies in particular to virus control, which should take place where viruses
can be reliably detected: on workstations and file servers.


n How available do individual resources need to be?
Not every file server in the company needs to have a high availability setup. This
is why it is important to calculate exactly what costs are incurred if a resource
fails.

Analyze the Protection Requirements

After you have determined the communication demands, you need to analyze the
protection requirements for the data.

The expense of securing individual resources is determined by the amount of
potential damage that could be caused by an attack, a faulty operation, or a natural
catastrophe.

You should also estimate how frequently such damage is likely to occur and use
this figure in your calculations.

To determine your protection needs, ask yourself the following questions:
n Which groups of people can access which information?
Is there information reserved for management, while other information is
available to all employees?
n Where is protected data located?
The degree of data protection needed determines the degree of protection for
each individual computer in the corresponding network.
n Which zones exist and what security needs do they have?
You should create corresponding security zones for computers belonging to the
same protection class.
n What might happen to security zones if security barriers are breached?
This question is not difficult to answer if the security zones have previously been
clearly defined.
n Who are potential attackers?
You also need to estimate the financial and technical means of the potential
attackers.
n What information is of special interest to others?
This question helps you group zones with different security needs.
n What are the remaining risks when the security concept is implemented?
This question can only be asked at the end of the analysis. Consider all questions
asked, the relevant answers, and the technical and organizational implementation
of the security concept.

Important parts of the communication analysis can be represented in tables, also
known as access matrices.


The following table shows a simple access matrix:

Table 4-1

                            Proxy Server   Web Server   Mail Server
Workstation Office          8080
Workstation Web Designer    8080           ssh
Workstation Sysad           8080           ssh          ssh
Mail Server Intranet                                    smtp

It is often useful to have two columns for each protocol, matching the two
transport directions (IN and OUT).

Besides application level gateways, routers with activated packet filtering also count
as firewalls.
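The access matrix is only useful if it is actually used as the specification that traffic is checked against. The following added example (not part of the course material) encodes Table 4-1 with a direction per service, as the text suggests, and checks constructed flow records against it; the "smtp IN" entry and the flow records are assumptions made for the illustration.

```python
"""Turn the access matrix of Table 4-1 into a checkable policy.

Added example, not part of the course material.  The matrix is encoded per
source (row) and destination (column) with the permitted services and their
transport direction (OUT = initiated by the source, IN = accepted by it),
following the text's advice to keep one column per direction.  The flow
records checked against it are constructed sample data.
"""

# Constructed encoding of Table 4-1.  The "smtp IN" entry for the intranet
# mail server is added only to show how the IN direction is recorded.
ACCESS_MATRIX = {
    "Workstation Office":       {"Proxy Server": {("8080", "OUT")}},
    "Workstation Web Designer": {"Proxy Server": {("8080", "OUT")},
                                 "Web Server":   {("ssh", "OUT")}},
    "Workstation Sysad":        {"Proxy Server": {("8080", "OUT")},
                                 "Web Server":   {("ssh", "OUT")},
                                 "Mail Server":  {("ssh", "OUT")}},
    "Mail Server Intranet":     {"Mail Server":  {("smtp", "OUT"), ("smtp", "IN")}},
}


def permitted(src, dst, service, direction, matrix=ACCESS_MATRIX):
    """True if the matrix allows `service` between `src` and `dst` in `direction`."""
    return (service, direction.upper()) in matrix.get(src, {}).get(dst, set())


def parse_flow(line):
    """Parse one constructed flow record: 'source; destination; service; direction'."""
    src, dst, service, direction = (field.strip() for field in line.split(";"))
    return src, dst, service, direction


def audit_flows(lines, matrix=ACCESS_MATRIX):
    """Return the flow records the matrix does not cover.  Each one is either a
    missing table entry or traffic that the firewall should be blocking."""
    return [line for line in lines if not permitted(*parse_flow(line), matrix=matrix)]


def render_matrix(matrix=ACCESS_MATRIX):
    """Render the matrix in the layout of Table 4-1: one row per source, one
    column per destination, services shown with their direction."""
    columns = []
    for cells in matrix.values():
        for dst in cells:
            if dst not in columns:
                columns.append(dst)
    width = max(len(name) for name in list(matrix) + columns) + 2
    rows = ["".ljust(width) + "".join(c.ljust(width) for c in columns).rstrip()]
    for src, cells in matrix.items():
        row = src.ljust(width)
        for dst in columns:
            cell = ", ".join(f"{svc} {d}" for svc, d in sorted(cells.get(dst, ())))
            row += cell.ljust(width)
        rows.append(row.rstrip())
    return rows


# Constructed flow records, as they might be extracted from firewall logging.
SAMPLE_FLOWS = [
    "Workstation Office; Proxy Server; 8080; OUT",
    "Workstation Office; Web Server; ssh; OUT",
    "Workstation Sysad; Mail Server; ssh; OUT",
    "Mail Server Intranet; Mail Server; smtp; IN",
    "Workstation Web Designer; Mail Server; ssh; OUT",
]

if __name__ == "__main__":
    print("\n".join(render_matrix()))
    for line in audit_flows(SAMPLE_FLOWS):
        print("not covered by the access matrix:", line)
```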

Analyze the Current Situation and Necessary Enhancements

A company-wide security policy should guarantee the confidentiality, data integrity,
availability, and transparency of a company's business processes and prevent damage.

The security policy determines what security demands are required for specific data
and resources. The security policy should include the analysis of the remaining risk.
Risks that cannot be removed or can only partially be removed by taking appropriate
protective measures should be highlighted.

The security policy also always describes the current state of security. For this,
information is needed on who is required to do what to achieve the desired security
level.

The following table shows what topics need to be covered in the security policy. The
table also includes the physical access to the IT infrastructure.

Table 4-2

Security of network       How the components and their physical storage areas
components                are secured against unauthorized access

Actual state              The network cabinets are freely accessible so that each
                          member of staff can patch his own network connections.
Target state              Technical rooms are locked, so only system administrators
                          have access.
Task                      The locks must be checked and keys assigned to system
                          administrators.
Date                      2005-02-02
Responsible Person        Jenny Doe, head of System Administration department.
Estimated expense         Approximately 5 days and $1200.
Done/checked              2005-03-01 Henry Boardman, Assistant to the Board.


The reasons given in the description of the actual state show that:
n Members of the staff need to be told why they can no longer patch their network
connections themselves.
n Administrators must be made available to patch the network connections in the
future.

x The following examples should not be considered as a template for your own security policy.
Every company has its own demands and issues to be solved. The tables should give you an idea
of ways to enhance the IT security in your company.

The following table covers dial-up to and from the internal network:

Table 4-3

Security of network       Do connections to other networks or dial-up
components                possibilities to the internal network exist? How are
                          these accesses protected?

Actual state              In the departments of the U.S. branches, there is an
                          undefined number of Internet accesses through a local
                          provider. It is not known if the computers used for the
                          dial-up are connected to the internal network.
                          A number of administrators are using Windows NT RAS
                          access to administer from home. The NT RAS is operated
                          using CHAP and Callback. The situation at the other
                          locations is not known.
Target state              There is no local Internet access. Members of staff who
                          require Internet access can obtain this using the central
                          firewall.
Task                      All worldwide locations are connected by VPN to the
                          headquarters in the U.S. in accordance with a board
                          decision.
                          A 2 MB Internet access is used in the headquarters, secured
                          by a three-level firewall with an application level gateway.
                          Local Internet access is removed.
Date                      2005-03-30
Responsible Person        Jenny Doe, head of System Administration department.
                          Management provides Ms. Doe with appropriate powers.
Estimated expense         Approximately 15 days and approximately $200,000.
Done/checked              2005-03-30 Henry Boardman, Assistant to the Board.


The following table covers power failure measures:

Table 4-4

Further Security          How are the servers protected against power failure?
Measures

Actual state              In all technical rooms, a UPS is installed so servers
                          automatically shut down in case of power failure. The UPS
                          and server connecting cables are checked regularly.
Target state              All servers are connected to a functioning UPS. Actual
                          state reflects target state.
Task
Date
Responsible Person
Estimated expense
Done/checked              2005-01-12 Henry Boardman, Assistant to the Board.

The following table covers fire-fighting measures:

Table 4-5

Further Security          What fire-fighting means are available?
Measures

Actual state              Suitable fire extinguishers are installed in front of all
                          technical rooms. Suitable fire detectors are installed in
                          all technical rooms. The large technical rooms at the U.S.
                          headquarters are equipped with automatic fire extinguishing
                          equipment.
Target state              Technical rooms are equipped with fire detectors and
                          extinguishers outside the doors to the rooms. U.S.
                          headquarters technical rooms have automatic sprinklers
                          installed. Actual state reflects target state.
Task
Date
Responsible Person
Estimated expense
Done/checked              2005-01-14 Henry Boardman, Assistant to the Board.


The following table covers data storage issues:

Table 4-6

Further Security          How is data security controlled? How are checks made
Measures                  to determine whether the data stored is usable?

Actual state              Important servers and workplace machines are equipped
                          with tape drives. Backups take place daily. Responsibility
                          for data backups lies with those members of staff in the
                          technical departments who have been briefed for this.
Target state              At each location, backups are made on tape libraries by
                          means of network backup software. The tapes are cloned,
                          regularly recycled, and stored in fireproof safes.
Task                      A data backup concept must be drawn up and implemented.
                          An external consultant should be hired.
Date                      2005-04-22
Responsible Person        Jenny Doe, head of System Administration department.
                          Management provides Ms. Doe with appropriate powers.
Estimated expense         A cost estimate will be made by an external consultant.
Done/checked              2005-01-14 Florian Sailer, Co-Assistant to the Board.

The following table covers software security updates:

Table 4-7

Further Security          How can we guarantee that available software updates
Measures                  to close known security loopholes are tested and
                          installed?

Actual state              Installing software updates is left to the judgment of the
                          appropriate administrator, but this is discussed in detail
                          with colleagues and suppliers or vendors.
Target state              Software updates will be recorded, tested, and released
                          company-wide by two accountable members of staff.
                          Security-relevant software updates will be installed
                          especially on systems in the demilitarized zone.
                          Only in exceptional cases, justified in writing, will
                          software updates in the DMZ be delayed. In such cases, the
                          head of System Administration must determine if other
                          kinds of protective measures can be used.
Task                      The head of the System Administration department will
                          name two system administrators who will design a software
                          update concept and who will then be responsible for
                          software updates.
Date                      2005-03-30
Responsible Person        Jenny Doe, head of System Administration department.
Estimated expense         Approximately 4 days for designing the concept. The
                          running costs will be included in the concept.
Done/checked              2005-03-30 Henry Boardman, Assistant to the Board.


The following table covers the virus protection of the IT systems:

Table 4-8

Further Security          How are the systems protected from malicious software
Measures                  (viruses)?

Actual state              Virus scanners are only installed on certain workplace
                          computers.
Target state              Virus scanners with a frequent update service are installed
                          on all file servers and workstations. Current virus
                          signatures can be downloaded at any time from the Internet
                          from the server of the virus scanner vendor.
                          The virus scanners on workstations obtain the virus
                          signatures from a central server, so new virus signatures
                          only need to be installed once.
                          To monitor the file servers, the product of a different
                          vendor than the product monitoring the workstations is
                          used. Overall, an efficient, two-level virus defense
                          concept is implemented.
Task                      The head of the System Administration department names
                          two accountable persons who will design a virus defense
                          concept and who will later on be responsible for the
                          operation of the virus defense.
Date                      2005-03-30
Responsible Person        Jenny Doe, head of System Administration department.
Estimated expense         Approximately 10 days for the product evaluation and
                          concept design. Operating costs will be included in the
                          concept.
Done/checked              2005-03-30 Florian Sailer, Co-Assistant to the Board.


The following table covers the documentation of the IT infrastructure:

Table 4-9

Further Security          How is the system configuration documented?
Measures

Actual state              Everyone who has configured a machine on the network
                          writes down or remembers the configuration data.
Target state              All system configurations (hardware and software) are
                          documented centrally in electronic form at the
                          corresponding location. System administrators at the U.S.
                          headquarters can access the documentation from all
                          locations.
Task                      The head of the System Administration department shall
                          name two system administrators who will draw up
                          documentation guidelines.
Date                      2005-03-30
Responsible Person        Jenny Doe, head of System Administration department.
Estimated expense         Approximately 20 days to design a concept. The estimated
                          cost of implementing this will be included in the concept.
Done/checked              2005-03-30 Henry Boardman, Assistant to the Board.


Objective 2 Limit Physical Access to Server Systems


If a server is not protected from unauthorized physical access, even the best software
configuration cannot prevent someone from misusing it. By rebooting a system from
a floppy or CD, or by passing boot parameters to the Linux kernel, someone can
access the server without knowing the password.

To prevent unauthorized users from physically accessing the server, do the following:
n Place the Server in a Separate, Locked Room
n Secure the BIOS with a Password
n Secure the GRUB Boot Loader with a Password

Place the Server in a Separate, Locked Room

The best way to prevent physical access to a server is to lock the server in a dedicated
server room. We highly recommend that you do this for every production system.

The server room should be locked with a solid door, and only system administrators
should have access. The room should be protected against fire and be equipped with
an automatic fire extinguishing system.

What can be done depends on the size of the company and on the available financial
resources. At the least, a separated locked room for all servers is recommended.

Secure the BIOS with a Password

For test systems or workstations that are not placed in a secure room, there are some
things you can do to make it more difficult to access a system without an account.

One of these is to set a password for the BIOS setup.

The BIOS represents the lowest level of software and lies underneath the operating
system. Modern BIOS versions give you the option of protecting the boot process
with a password. You can also protect the BIOS settings and prevent the system from
booting from media like floppies or CDs.

b The exact procedure for protecting the BIOS depends on the BIOS vendor and version. For more
details on this, please consult your vendor documentation.

If the system cannot boot from other media, only the installed system can be
started. This system is password protected and cannot be accessed without
further effort. However, a BIOS password is never a replacement for a
dedicated server room.


Secure the GRUB Boot Loader with a Password

Another way to misuse physical access to a Linux system is to reboot and pass
additional parameters to the kernel. This makes it possible to start and access the
system without entering a password.

The boot loader GRUB can be configured to prompt for a password before any
parameters can be entered. To do this, you need to create an encrypted password with
the following command:

grub-md5-crypt

The command asks for a password, which needs to be confirmed once, and outputs an
encrypted string (an MD5-crypt hash). This string looks like the following:

$1$SEVCU0$S.7WQL05kHiK4VKDsKtfI0

Then the encrypted string needs to be added to the GRUB configuration file:

/boot/grub/menu.lst

You can find the global section at the beginning of the configuration file. The
password needs to be placed into that section as shown in the following example:

color white/blue black/light-gray
default 0
timeout 8
gfxmenu (hd0,5)/boot/message
password --md5 $1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1
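A quick way to verify on many servers that the password line is present, hashed, and in the global section is to parse menu.lst. The following added example (not part of the course material) does that; the sample configurations are constructed, the kernel and initrd lines in them are placeholders, and the hash is the one shown above.

```python
"""Check a GRUB menu.lst for a properly placed, hashed boot loader password.

Added example, not part of the course material.  It looks for a
'password --md5 <hash>' line in the global section (everything before the
first 'title' entry) and checks that the hash has the MD5-crypt form
$1$<salt>$<22 characters> that grub-md5-crypt prints.  The configurations
below are constructed samples; their kernel and initrd lines are placeholders.
"""
import re

# MD5-crypt: "$1$", a salt of up to 8 characters, "$", 22 characters of hash.
MD5CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def parse_menu_lst(text):
    """Split menu.lst into (global_lines, [entry_lines, ...]).

    Comments and blank lines are dropped; a new entry starts at each 'title'.
    """
    global_lines, entries = [], []
    current = global_lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "title":
            entries.append([line])
            current = entries[-1]
        else:
            current.append(line)
    return global_lines, entries


def audit_grub_password(text):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    global_lines, _entries = parse_menu_lst(text)
    password_lines = [l for l in global_lines if l.split()[0] == "password"]
    if not password_lines:
        findings.append("no password in the global section: boot parameters can be edited freely")
    for line in password_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "--md5":
            if not MD5CRYPT_RE.match(fields[2]):
                findings.append(f"malformed MD5 hash: {fields[2]}")
        else:
            findings.append("password stored in clear text; use grub-md5-crypt and 'password --md5'")
    return findings


# Constructed sample: the global section from the page, followed by one boot
# entry whose kernel and initrd lines are placeholders.
PROTECTED = """\
color white/blue black/light-gray
default 0
timeout 8
gfxmenu (hd0,5)/boot/message
password --md5 $1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1

title SUSE LINUX Enterprise Server 9
    kernel (hd0,5)/boot/vmlinuz root=/dev/hda6
    initrd (hd0,5)/boot/initrd
"""

# The same configuration without the password line.
UNPROTECTED = PROTECTED.replace("password --md5 $1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1\n", "")

# A clear-text password, which is exactly what grub-md5-crypt is meant to avoid.
CLEARTEXT = PROTECTED.replace("password --md5 $1$h8GCU0$Vt3impL0.Cr0nkGQY1jjJ1",
                              "password s3cret")

if __name__ == "__main__":
    for name, cfg in [("protected", PROTECTED), ("unprotected", UNPROTECTED),
                      ("cleartext", CLEARTEXT)]:
        print(name, audit_grub_password(cfg) or ["ok"])
```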


Objective 3 Limit the Installed Software Packages


Every software package that is installed on a system, but is not needed by that
system, should be removed from a production server.

The more software is installed, the more possible security problems can occur. For
example, it does not make sense to install an X Server and graphical applications on a
system that is exclusively used as web server.

To set up a production system, you can use the minimal system as a base for the
software selection during the installation. Then you can manually add just those
software packages that are needed.

This rule is especially true for network daemons. A server should never offer any
network services that are not needed. For example, if a server is used as a dedicated
file server, it is not necessary to run a postfix mail server on the same system.

You can use the following command to check which services are configured to start
and their run levels:

chkconfig -l

The command displays a line for every service installed on the system. The following
line shows the configuration of the Samba server:

smb 0:off 1:off 2:off 3:on 4:off 5:on 6:off

After the service name, the configuration for all six default run levels is displayed.
On means the service is configured to be started in the corresponding run level; off
means the service will not be started.

You can use the following command to remove a service from its default run levels:

insserv -r service_name

x Removing a service from the run level configuration does not stop an already running daemon.
A daemon that is already running needs to be stopped manually or the system needs to be
rebooted to start with the new run-level configuration.


Objective 4 Understand the Linux User Authentication


User authentication plays a central role in IT security. Users are almost always
granted access to programs and data based on password authentication.

Even the best mechanisms for administering and setting user permissions would be
useless if a normal user could log in to a system as the system administrator.

Authentication on a Linux system is based on Pluggable Authentication Modules
(PAM). To understand and use PAM properly, you need to know the following:
n How PAM Works
n PAM Configuration
n The Requirements for a Secure Password

How PAM Works

The Pluggable Authentication Modules (PAM) for Linux are a collection of software
modules that handle the authentication process. A Linux system administrator can
use these modules to configure the way programs should authenticate users.

For example, if a user logs into a Linux system on a virtual terminal, a program
called login is usually involved in this process.

Login requires a user's login name and the password. The password is encrypted and
then compared with the encrypted password stored in an authentication database. If
the encrypted passwords are identical, login grants the user access to the system by
starting the user's login shell.

This is sufficient if authentication is done using Linux or UNIX passwords. If other
authentication procedures are used, such as chip cards instead of passwords, all
programs that perform user authentication must be able to work together with these
chip cards.

Before PAM was introduced, login and all other applications that handle
authentication like FTP, SSH, or the KDM Display Manager had to be extended to
support a chip card reader.

PAM makes things easier. PAM creates a software level with clearly defined
interfaces between applications (such as login) and the current authentication
mechanism. Instead of modifying every program, a new PAM module just needs to
be added to enable authentication with a chip card reader.


The following graphic illustrates the role of PAM:

Figure 4-1  The role of PAM

  Applications that handle authentication:   login    SSH    FTP    ...
                                                |
                                               PAM
                                                |
  Authentication mechanisms:                   passwd   LDAP   SmartCard   ...

PAM Configuration

The PAM modules are located in the directory /lib/security. Every filename of a
module starts with the prefix pam_.

PAM configuration is done in the directory /etc/pam.d/. This directory contains a
configuration file for every application that uses PAM.

The name of the configuration file usually corresponds to the name of the
application. For example, the name of the configuration file for the application login
is also login.

There is one special configuration file with the name other. This file contains the
default configuration if no application-specific file is found.

Every line in a configuration file enables a PAM module. From left to right, each
line consists of the following entries:
n module-type. One of four PAM module types. The four types are as follows:
q auth. These modules provide two ways of authenticating the user.
First, they establish that the user is who he claims to be by instructing the
application to prompt the user for a password or other means of
identification.
Second, the module can grant group membership or other privileges through
its credential granting properties.


q account. These modules perform non-authentication-based account
management.
They are typically used to restrict or permit access to a service based on the
time of day, currently available system resources (maximum number of users),
or perhaps the location of the applicant user (for example, to limit root login
to the console).
q session. These modules are associated with performing tasks that need to be
done for the user before she can be given access to a service or after a
service is provided to her.
Such things include logging information concerning mounting directories
and the opening and closing of some data exchange with another user.
q password. This last module type is required for updating the authentication
token associated with the user. Typically, there is one module for each
challenge/response-based authentication (auth) module type.
Some PAM modules (such as pam_unix2.so) can be used with several of these
module types.
n control-flag. The control-flag indicates how PAM will react to the success or
failure of the module it is associated with.
Since modules can be stacked (modules of the same type execute in a series, one
after another), the control-flags determine the relative importance of each
module.
The Linux-PAM library interprets these keywords in the following manner:
q required. This indicates that the success of the module is required for the
module-type facility to succeed. Failure of this module is not apparent to the
user until all of the remaining modules (of the same module-type) have been
executed.
q requisite. Like required, however, in the case that such a module returns a
failure, control is directly returned to the application. The return value is
associated with the first required or requisite module to fail.
q sufficient. The success of this module is deemed “sufficient” to satisfy the
Linux-PAM library that this module-type has succeeded in its purpose.
If no previous required module has failed, no more “stacked” modules of
this type are invoked. Even if this module type fails, the application can be
satisfied that the module type has succeeded.
q optional. As its name suggests, this control-flag marks the module as not
being critical to the success or failure of the user's application for service.
n module-path. The pathname to the module itself. If the first character of the
module path is /, it is assumed to be a complete path. If this is not the case, the
given module path is appended to the default module path /lib/security.
n args. The args are a list of tokens that are passed to the module when it is
invoked, much like arguments to a typical Linux shell command. Valid
arguments are usually optional and are specific to any given module.


The following is the default configuration file for the login program on SLES 9:

auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so

The configured modules perform the following tasks:
n auth requisite pam_unix2.so nullok
The module pam_unix2.so is used during the authentication process to validate
the login and password provided by the user.
The control flag is set to requisite; that means that a failure of this module (such
as a wrong password) stops the whole authentication process.
n auth required pam_securetty.so
This module checks the file /etc/securetty for a list of valid login terminals. If a
terminal is not listed in that file, the login is denied from that terminal. This
concerns only the root user.
n auth required pam_nologin.so
This module checks whether a file /etc/nologin exists. If such a file is found,
login is denied for all but the root user.
n auth required pam_env.so
This module can be used to set additional environment variables. The variables
can be configured in the file /etc/security/pam_env.conf.
n auth required pam_mail.so
This module displays a message if any new mail is in the user's mail box. It also
sets an environment variable pointing to the user's mail directory.
n account required pam_unix2.so
In this entry the pam_unix2.so module is used again, but in this case it checks
whether the password of the user is still valid or if the user needs to create a new
one.
n password required pam_pwcheck.so nullok
This is an entry for a module of the type password. It is used when a user
attempts to change the password. In this case, the module pam_pwcheck.so is
used to check if a new password is secure enough.


n password required pam_unix2.so nullok use_first_pass use_authtok
The pam_unix2.so module is also necessary when changing a password. It takes
the new password, encrypts it, and writes it to the authentication database.
n session required pam_unix2.so none
Here the session component of the pam_unix2.so module is used. It uses the
syslog daemon to log the user's login.
n session required pam_limits.so
The pam_limits.so module sets resource limits for users; the limits can be
configured in the file /etc/security/limits.conf.
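The control flags decide which modules in a stack actually run and what the application is finally told. The following added example (not part of the course material or of Linux-PAM) parses /etc/pam.d-style lines and replays the control-flag rules described above against caller-supplied per-module results for the login configuration shown above; the same rule explains why the pam_securetty.so line added to /etc/pam.d/xdm in Exercise 4-1 denies the graphical root login. The scenarios and the simplified handling of optional are assumptions of the example.

```python
"""Simulate how Linux-PAM walks a module stack for one module type.

Added example, not part of the course material or of Linux-PAM.  It parses
/etc/pam.d-style lines and applies the control-flag rules (required,
requisite, sufficient, optional) to caller-supplied per-module results, so
you can see which modules are consulted and whether access is granted.  No
real authentication takes place.  The login configuration is the SLES 9
default shown above; the scenarios are constructed.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "module_type control module args")


def parse_pam_config(text):
    """Parse 'module-type control-flag module-path [args...]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append(Entry(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return entries


def evaluate_stack(entries, module_type, results):
    """Walk the stack for `module_type`.

    `results` maps module file names to True (success) or False (failure);
    modules not listed are assumed to succeed.  Returns (granted, executed),
    where `executed` lists the modules that were consulted, in order.
    """
    stack = [e for e in entries if e.module_type == module_type]
    executed = []
    required_failed = False
    for entry in stack:
        ok = results.get(entry.module, True)
        executed.append(entry.module)
        if entry.control == "requisite":
            if not ok:
                return False, executed       # control returns to the application at once
        elif entry.control == "required":
            if not ok:
                required_failed = True       # remember the failure, but run the rest
        elif entry.control == "sufficient":
            if ok and not required_failed:
                return True, executed        # remaining modules of this type are skipped
        elif entry.control == "optional":
            if len(stack) == 1 and not ok:
                required_failed = True       # simplification: decisive only as sole module
        else:
            raise ValueError(f"unknown control flag: {entry.control}")
    return not required_failed, executed


# Default /etc/pam.d/login on SLES 9, as shown above.
LOGIN_CONFIG = """\
auth     requisite  pam_unix2.so    nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_env.so
auth     required   pam_mail.so
account  required   pam_unix2.so
password required   pam_pwcheck.so  nullok
password required   pam_unix2.so    nullok use_first_pass use_authtok
session  required   pam_unix2.so    none
session  required   pam_limits.so
"""

# Constructed scenarios: which modules report failure in each case.
SCENARIOS = {
    "correct password, permitted terminal": {},
    "wrong password": {"pam_unix2.so": False},
    "root on a terminal not listed in /etc/securetty": {"pam_securetty.so": False},
}

if __name__ == "__main__":
    entries = parse_pam_config(LOGIN_CONFIG)
    for name, failures in SCENARIOS.items():
        granted, executed = evaluate_stack(entries, "auth", failures)
        verdict = "granted" if granted else "denied"
        print(f"{name}: {verdict} after consulting {', '.join(executed)}")
```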

b For an overview of the default PAM modules and their configuration options consult the PAM
documentation under /usr/share/doc/packages/pam.

Third-party vendors can supply other PAM modules to enable specific authentication features
for their products, such as the PAM modules that enable Novell's Linux User Management
(LUM) authentication with eDirectory.

The Requirements for a Secure Password

Even the best security setup for a system can be defeated if users choose easy to
guess passwords. With today's computing power, a simple computer can be used to
crack an easy password within seconds.

These attacks are also called dictionary attacks, as the password cracking program
just tries one word after another from a dictionary file.

Therefore, a password should never be a word which could be found in a dictionary.
A good, secure password should always contain some numbers and uppercase
characters.

To check whether user passwords fulfill this requirement, you can enable a special
PAM module to test a password first before a user can set it. The PAM module is
called pam_pwcheck.so and uses the cracklib library to test the security of
passwords.

By default, this PAM module is enabled on SLES 9.

If a user enters a password that is not secure enough, the following message is
displayed:

Bad password: too simple

and the user is prompted to enter a different one.

There are also dedicated password check programs available like John the Ripper
(http://www.openwall.com/john/).

You can also force users to change their passwords after a specific period of time.


Exercise 4-1 Change the PAM Configuration to Disable the Graphical Root Login

In this exercise, you change the PAM configuration by doing the following:
1. Log out of the KDE desktop environment.
2. When the KDM login screen appears, log in with the following:
q Username: root
q Password: novell
Notice that you can log in as root without a root entry in the login screen.
3. Log out again from the KDE desktop environment.
4. Log in as geeko with a password of N0v3ll.
5. Open a terminal window and su to root.
6. Open the file /etc/pam.d/xdm in a text editor.
7. Add the following as the second line of the file:
auth required pam_securetty.so
8. Save and close the file.
9. Log out and try to log in as root user at the KDM login screen again.
The root login is denied.
10. Log in as geeko again.

x If you cannot log in as geeko, restart the X server by pressing Ctrl+Alt+Backspace and try
again. You might also need to reboot your server.

11. Open a terminal window and su to root.

12. Open the file /etc/pam.d/xdm in a text editor and remove or comment out the
following line (the line you added):
auth required pam_securetty.so
13. Save and close the file.

14. Log out and try to log in as root at the KDM login screen again.

You can now log in as root.

x If you cannot log in as root, restart the X server using Ctrl+Alt+Backspace and try again.

15. Log out of the KDE desktop environment and log back in as geeko.

(End of Exercise)
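Steps 6 through 8 and step 12 of this exercise can be scripted so the change is repeatable and easy to verify. The functions below are an added example, not course material; XDM_SAMPLE is a constructed stand-in for /etc/pam.d/xdm (the real SLES 9 file is longer). The line works as the first auth rule because pam_securetty refuses root whenever the login's tty is not listed in /etc/securetty, and an X display name such as :0 never is.

```shell
# Added example for Exercise 4-1 (not course material): apply and revert the
# pam_securetty change from a script. XDM_SAMPLE is a constructed stand-in for
# /etc/pam.d/xdm; the real SLES 9 file differs.
XDM_SAMPLE='#%PAM-1.0
auth     required   pam_unix2.so    nullok
account  required   pam_unix2.so
password required   pam_unix2.so
session  required   pam_unix2.so'

SECURETTY_RULE='auth     required   pam_securetty.so'

# Insert the rule as line 2, right after the #%PAM-1.0 header, so it is the first
# auth module: pam_securetty refuses root when the login's tty (for KDM the X display,
# e.g. :0) is not listed in /etc/securetty, and "required" makes that refusal final.
deny_root_display_login() {     # deny_root_display_login <pam-file>
    if grep -q 'pam_securetty\.so' "$1"; then echo "already present"; return 0; fi
    { sed -n '1p' "$1"; printf '%s\n' "$SECURETTY_RULE"; sed -n '2,$p' "$1"; } > "$1.tmp" &&
        mv "$1.tmp" "$1"
    echo inserted
}

# Revert (step 12 of the exercise): drop the rule again.
allow_root_display_login() {    # allow_root_display_login <pam-file>
    grep -v 'pam_securetty\.so' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

pam_line() { sed -n "${2}p" "$1"; }   # print line N of a PAM file, to verify the edit

work=$(mktemp)
printf '%s\n' "$XDM_SAMPLE" > "$work"
deny_root_display_login "$work"         # inserted
pam_line "$work" 2                      # auth     required   pam_securetty.so
allow_root_display_login "$work"
rm -f "$work"
```

On a real system run the functions against /etc/pam.d/xdm as root; mv replaces the file, so check afterwards that owner and mode are still root and 644.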


Objective 5 Ensure File System Security


After a user has logged in to the system, what the user can and cannot do is mainly
determined by the security settings of the file system.

In UNIX systems like Linux, file system security is especially important as every
resource available on the system is represented as a file.

For example, when a user tries to access the sound card to play back audio data, the
access rights of the sound card are determined by the permission settings of the
corresponding device file in the /dev directory.

To ensure basic file system security, you need to know the following:
n The Basic Rule for User Write Access
n The Basic Rule for User Read Access
n How Special File Permissions Affect the Security of the System

The Basic Rule for User Write Access

The file systems used in Linux are structurally UNIX file systems. They support the
typical file access permissions (read, write, execute, sticky bit, SUID, SGID, etc.).

Apart from additional standard functionalities, such as various time stamps, the
access permissions can be administered separately for file owners, user groups, and
the rest of the world (user, group, other).

As a general rule, a normal user should only have write access in the following
directories:
n The home directory of the user
n The /tmp directory to store temporary files

Depending on the purpose of a computer, other directories can be writable by users.


For example, if you install a Samba file server, a writable share needs a directory that
is also writable for the UNIX user the connection is mapped to.

Some device files (like those for sound cards) might also be writable for users since
applications need to send data to the corresponding devices.

The Basic Rule for User Read Access

Some files in the system should be protected from user read access. This is important
for files that store passwords.

No normal user account should be able to read the content of such files. Even when
the passwords in a file are encrypted, the files must be protected from any
unauthorized access.


The following lists some files containing passwords on a Linux system.


n /etc/shadow. This file contains user passwords in an encrypted form. Even when
LDAP is used for user authentication, this file contains at least the root
password.
n /etc/samba/smbpasswd. This file contains the passwords for Samba users.
n Files with Apache passwords. The location of these files depends on your
configuration. They contain the passwords for authorized access to the web
server.
n /etc/openldap/slapd.conf. This file contains the root password for the
openLDAP server.
n /boot/grub/menu.lst. This file can contain the password for the GRUB boot
loader.

x This list is not complete. There can be more password files on your system, depending on your
system configuration and your software selection.

Some password files must be readable by a non-root account. This is normally the
account under whose user ID a service daemon runs.

For example, the Apache web server runs under the user id of the user wwwrun. For
this reason, the password files must be readable for the user wwwrun.

In this case you have to make sure that only this daemon account can read the file and
not any other user.

How Special File Permissions Affect the Security of the System

There are three file system rights that influence the security in a special way:
n The SUID bit. If the SUID bit is set for an executable, the program is started
under the user ID of the owner of the file. In most cases, this is used to allow
normal users to run applications with the rights of the root user.
This bit should only be set for applications that are well tested and in cases
where no other way can be used to grant access to a specific task.
An attacker could get access to the root account by exploiting an application that
runs under the UID of root.
n The SGID bit. If this bit is set, it lets a program run under the GID of the group
the executable file belongs to. It should be used as carefully as the SUID bit.


n The sticky bit. The sticky bit can influence the security of a system in a positive
way. In a globally writable directory, it prevents users from deleting each other's
files that are stored there.
Typical application areas for the sticky bit include directories for temporary
storage (such as /tmp and /var/tmp). Such a directory must be writable by all
users of a system.
However, the write permissions for a directory do not only include the
permission to create files and subdirectories, but also the permission to delete
these, regardless of whether the user has access to these files and subdirectories.
If the sticky bit is set for such a writable directory, deleting or renaming files in
this directory is only possible if one of the following conditions is fulfilled:
q The effective UID of the deleting or renaming process is that of the file
owner.
q The effective UID of the deleting or renaming process is that of the owner of
the writable directory marked with the sticky bit.
q The superuser root is allowed to do anything.
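A practical way to act on these three bits is to audit for them: list every SUID or SGID program, and list every world-writable directory that lacks the sticky bit, since that is where users can delete each other's files. The two find commands below are an added example, not course material; the demo tree they are run against is constructed so that the results are predictable.

```shell
# Added audit helpers for the special permission bits (example code for this section,
# not part of the course). On a real system run them against /; the demo tree below
# is constructed so that the results are predictable.

# Files that run with the owner's UID (SUID, 4000) or the group's GID (SGID, 2000).
# Every hit is a program that must be well tested: a flaw in it hands that identity
# to whoever can run it.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Directories anybody may write to that lack the sticky bit (1000): there any user
# can delete or rename any other user's files. /tmp and /var/tmp must not appear.
find_unsafe_shared_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Constructed sample tree (not from the course): two set-id programs, one plain
# program, a sticky temp directory and a world-writable directory without sticky bit.
build_demo_tree() {
    mkdir -p "$1/bin" "$1/tmp" "$1/shared"
    : > "$1/bin/helper";   chmod 4755 "$1/bin/helper"     # SUID
    : > "$1/bin/wall";     chmod 2755 "$1/bin/wall"       # SGID
    : > "$1/bin/ordinary"; chmod 0755 "$1/bin/ordinary"   # neither
    chmod 1777 "$1/tmp"                                   # world-writable, sticky: fine
    chmod 0777 "$1/shared"                                # world-writable, no sticky: flagged
}

demo_dir=$(mktemp -d)
build_demo_tree "$demo_dir"
echo "set-id files:";              find_setid_files "$demo_dir"          # bin/helper, bin/wall
echo "world-writable, no sticky:"; find_unsafe_shared_dirs "$demo_dir"   # shared
rm -rf "$demo_dir"
```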


Objective 6 Use ACLs for Advanced Access Control


To use ACLs for advanced file system access control you need to know the
following:
n The Basics of ACLs
n Important ACL Terms
n ACL Types
n How ACLs and Permission Bits Map to Each Other
n How to Use the ACL Command Line Tools
n How to Configure a Directory With an Access ACL
n How to Configure a Directory With a Default ACL
n The ACL Check Algorithm
n How Applications Handle ACLs

The Basics of ACLs

Traditionally, three sets of permissions are defined for each file object on a Linux
system. These sets include the read (r), write (w), and execute (x) permissions for
each of three types of users: the file owner, the group, and other users.

This concept is adequate for most practical cases. In the past however, for more
complex scenarios or advanced applications, system administrators had to use a
number of tricks to circumvent the limitations of the traditional permission concept.

ACLs (Access Control Lists) provide an extension of the traditional file permission
concept. They allow you to assign permissions to individual users or groups even if
these do not correspond to the original owner or the owning group.

ACLs are a feature of the Linux kernel and are supported by the ReiserFS, Ext2,
Ext3, JFS, and XFS file systems. Using ACLs, you can create complex scenarios
without implementing complex permission models on the application level.

The advantages of ACLs are clearly evident in situations like replacing a Windows
server with a Linux server providing file and print services with Samba.

Since Samba supports ACLs, user permissions can be configured both on the Linux
server and in Windows with a graphical user interface (only on Windows NT and
later).

With winbindd, it is even possible to assign permissions to users that only exist in the
Windows domain without any account on the Linux server.


Important ACL Terms

The following list defines terms concerning ACLs:


n user class. The conventional POSIX permission concept uses three classes of
users for assigning permissions in the file system: the owner, the owning group,
and other users.
Three permission bits can be set for each user class, giving permission to read
(r), write (w), and execute (x).
n access ACL. The user and group access permissions for all kinds of file system
objects (files and directories) are determined by access ACLs.
n default ACL. Default ACLs can only be applied to directories. They determine
the permissions a file system object inherits from its parent directory when it is
created.
n ACL entry. Each ACL consists of a set of ACL entries. An ACL entry contains
a type, a qualifier for the user or group to which the entry refers, and a set of
permissions. For some entry types, the qualifier for the group or users is
undefined.

ACL Types

There are two basic classes of ACLs:


n Minimum ACL. A minimum ACL comprises the entries for the types owner,
owning group, and other, which correspond to the conventional permission bits
for files and directories.
n Extended ACL. An extended ACL goes beyond this. It contains a mask entry
and can contain several entries of the named user and named group types.

ACLs extend the classic Linux file permission by the following permission types:
n named user. With this type, you can assign permissions to one or more users.
n named group. With this type, you can assign permissions to one or more
groups.
n mask. With this type, you can limit the permissions of named users or groups.

The following is an overview of all possible ACL types:

Table 4-10

Type           Text Form
owner          user::rwx
named user     user:name:rwx
owning group   group::rwx
named group    group:name:rwx
mask           mask::rwx
other          other::rwx


The permissions defined in the entries owner and other are always effective. Except
for the mask entry, all other entries (named user, owning group, and named group)
can be either effective or masked.

If permissions exist in the named user, owning group, or named group entries as well
as in the mask, they are effective. Permissions contained only in the mask or only in
the actual entry are not effective.

This means that the entries for named user, owning group, and named group are
combined by a logical AND with the mask entry.

The following example determines the effective permissions for the user jane:

Table 4-11

Entry Type     Text Form        Permissions
named user     user:jane:r-x    r-x
mask           mask::rw-        rw-
Effective permissions:          r--

The ACL contains two entries, one for the named user jane and one mask entry. Jane
has permissions to read and execute the corresponding file, but the mask only
contains permissions for reading and writing.

Because of the AND combination, the effective rights allow jane to read the file only.

How ACLs and Permission Bits Map to Each Other

When you assign an ACL to a file or directory, the permissions set in the ACL are
mapped to the standard UNIX permissions.

The following figure illustrates the mapping of a minimum ACL:

Figure 4-2

The figure is structured in three blocks:


n The left block shows the type specifications of the ACL entries.
n The center block displays an example ACL.
n The right block shows the respective permission bits according to the
conventional permission concept as displayed by ls -l, for example.


The following is an example of an extended ACL:

Figure 4-3

In both cases, the owner class permissions are mapped to the ACL entry owner. Other
class permissions are mapped to their respective ACL entries. However, the mapping
of the group class permissions is different in the second case.

In the case of a minimum ACL without a mask, the group class permissions are
mapped to the ACL entry owning group. In the case of an extended ACL with a
mask, the group class permissions are mapped to the mask entry.

This mapping approach ensures the smooth interaction of applications, regardless of
whether they have ACL support.

The access permissions that were assigned by permission bits represent the upper
limit for all other adjustments made by ACLs.

Any permissions not reflected here are either not in the ACL or are not effective.
Changes made to the permission bits are reflected by the ACL and vice versa.


How to Use the ACL Command Line Tools

To manage the ACL settings, you can use the following command line tools:
n getfacl. The command getfacl can be used to display the ACL of a file.
n setfacl. The command setfacl can be used to change the ACL of a file.

The following are the most important options for the setfacl command:

Table 4-12

Option   Description
-m       Adds or modifies an ACL entry.
-x       Removes an ACL entry.
-d       Sets a default ACL.
-b       Removes all extended ACL entries.

The options -m and -x expect an ACL definition on the command line. The following
are the definitions for the extended ACL types:
n named user. The following is an example entry for the user tux:
setfacl -m u:tux:rx my_file
The user tux gets read and execute permissions for the file my_file.
n named group. The following is an example entry for the group accounting:
setfacl -m g:accounting:rw my_file
The group accounting gets read and write permissions for the file my_file.
n mask. Sets the ACL mask:
setfacl -m m:rx my_file
Sets the mask of my_file to read and execute; no named user or group entry of
my_file can be effective beyond these permissions.

How to Configure a Directory With an Access ACL

To configure a directory with an access ACL, do the following:


1. Before you create the directory, use the umask command to define which access
permissions should be masked each time a file object is created.
The command umask 027 sets the default permissions by giving the owner the
full range of permissions (0), denying the group write access (2), and giving
other users no permissions at all (7).
umask actually masks the corresponding permission bits or turns them off.

x For more information about umask, see the corresponding man page man umask.


The command mkdir mydir creates the mydir directory with the default
permissions as set by umask. Enter the following command to check whether all
permissions were assigned correctly:
ls -dl mydir
The output of the command looks like the following:

drwxr-x--- ... tux project3 ... mydir

2. Check the initial state of the ACL by entering the following command:
getfacl mydir
The output of the command looks like the following:

# file: mydir
# owner: tux
# group: project3
user::rwx
group::r-x
other::---

The output of getfacl precisely reflects the mapping of permission bits and ACL
entries as described before. The first three output lines display the name, owner,
and owning group of the directory.
The next three lines contain the three ACL entries. In fact, in the case of this minimum
ACL, the getfacl command does not produce any information you could not have
obtained with ls.
Your first modification of the ACL is the assignment of read, write, and execute
permissions to an additional user jane and an additional group jungle by entering
the following:
setfacl -m user:jane:rwx,group:jungle:rwx mydir
The option -m prompts setfacl to modify the existing ACL. The following
argument indicates the ACL entries to modify (several entries are separated by
commas). The final part specifies the name of the directory to which these
modifications should be applied.
Use the getfacl command to take a look at the resulting ACL:
getfacl mydir
The output of the command looks like the following:

# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---


In addition to the entries initiated for the user jane and the group jungle, a mask
entry has been generated.
This mask entry is set automatically to reduce all entries in the group class to a
common denominator. In addition, setfacl automatically adapts existing mask
entries to the settings you modified, provided you do not deactivate this feature
with -n.
The mask type defines the maximum effective access permissions for all entries
in the group class. This includes named user, named group, and owning group.
The group class permission bits that would be displayed by
ls -dl mydir now correspond to the mask entry:

drwxrwx---+ ... tux project3 ... mydir

The first column of the output now contains an additional + to indicate that there
is an extended ACL for this item.
3. According to the output of the ls command, the permissions for the mask entry
include write access. Traditionally, such permission bits would mean that the
owning group (in this example project3) also has write access to the directory
mydir.
However, the effective access permissions for the owning group correspond to
the overlapping portion of the permissions defined for the owning group and for
the mask, which is r-x in the example.
As far as the effective permissions of the owning group are concerned, nothing
has changed even after adding the ACL entries.
In the following example, the write permission for the owning group is removed
with the chmod command:

chmod g-w mydir


ls -dl mydir
drwxr-x---+ ... tux project3 ... mydir
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx # effective: r-x
group::r-x
group:jungle:rwx # effective: r-x
mask::r-x
other::---

After executing the chmod command to remove the write permission from the
group class bits, the output of the ls command is sufficient to see that the mask
bits have changed accordingly: write permission is again limited to the owner of
mydir.
The output of getfacl confirms this. It includes a comment for every
entry whose effective permission bits do not correspond to the
original permissions because they are filtered by the mask entry.


The original permissions can be restored at any time with chmod:

chmod g+w mydir


ls -dl mydir
drwxrwx---+ ... tux project3 ... mydir
getfacl mydir
# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---

How to Configure a Directory With a Default ACL

Directories can have a default ACL, which is a special kind of ACL that defines the
access permissions that objects under the directory inherit when they are created. A
default ACL affects subdirectories as well as files.

There are two different ways in which the permissions of a directory's default ACL
are passed to the files and subdirectories in it:
n A subdirectory inherits the default ACL of the parent directory both as its own
default ACL and as an access ACL.
n A file inherits the default ACL as its own access ACL.

All system functions that create file system objects use a mode parameter that defines
the access permissions for the newly created file system object.

If the parent directory does not have a default ACL, the permission bits as defined by
the umask are subtracted from the permissions as passed by the mode parameter, with
the result being assigned to the new object.

If a default ACL exists for the parent directory, the permission bits assigned to the
new object correspond to the overlapping portion of the permissions of the mode
parameter and those that are defined in the default ACL. The umask command is
disregarded in this case.

The following three examples show the main operations for directories and default
ACLs:
n Add a default ACL to the existing directory mydir with the following command:
setfacl -d -m group:jungle:r-x mydir
The option -d of the setfacl command prompts setfacl to perform the following
modifications (option -m) in the default ACL.


Take a closer look at the result of this command:

getfacl mydir

# file: mydir
# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---

getfacl returns both the access ACL and the default ACL. The default ACL is
formed by all lines that start with default.
Although you merely executed the setfacl command with an entry for the jungle
group for the default ACL, setfacl automatically copied all other entries from the
access ACL to create a valid default ACL.
Default ACLs do not have an immediate effect on access permissions. They only
come into play when file system objects are created. These new objects inherit
permissions only from the default ACL of their parent directory.
n In the following example, mkdir is used to create a subdirectory in mydir, which
inherits the default ACL:

mkdir mydir/mysubdir
getfacl mydir/mysubdir
# file: mydir/mysubdir
# owner: tux
# group: project3
user::rwx
group::r-x
group:jungle:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---

As expected, the newly-created subdirectory mysubdir has permissions from the
default ACL of the parent directory.
The access ACL of mysubdir is an exact reflection of the default ACL of mydir,
as is the default ACL that this directory hands down to its subordinate objects.


n In the following example, touch is used to create a file in the mydir directory:

touch mydir/myfile
ls -l mydir/myfile
-rw-r-----+ ... tux project3 ... mydir/myfile
getfacl mydir/myfile
# file: mydir/myfile
# owner: tux
# group: project3
user::rw-
group::r-x # effective: r--
group:jungle:r-x # effective: r--
mask::r--
other::---

touch passes a mode with the value 0666, which means that new files are created
with read and write permissions for all user classes, provided no other
restrictions exist in umask or in the default ACL.
In effect, this means that all access permissions not contained in the mode value
are removed from the respective ACL entries. Although no permissions were
removed from the ACL entry of the group class, the mask entry was modified to
mask permissions not set using mode.
This approach ensures the smooth interaction of applications, such as compilers,
with ACLs. You can create files with restricted access permissions and
subsequently assign them as executable. The mask mechanism guarantees that
the right users and groups can execute them as desired.

The ACL Check Algorithm

A check algorithm is applied before any process or application is granted access to an
ACL-protected file system object.

As a basic rule, the ACL entries are examined in the following sequence: owner,
named user, owning group or named group, and other. The access is handled in
accordance with the entry that best suits the process. Permissions do not accumulate.

Things are more complicated if a process belongs to more than one group and
therefore matches several group entries. One of the suitable entries that contains
the required permissions is then selected at random.

It is irrelevant which of the entries triggers the final result, which is access granted.
Likewise, if none of the suitable group entries contains the correct permissions, a
randomly selected entry triggers the final result, which is access denied.
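The rules spread over this objective (the AND of an entry with the mask from Table 4-11, the mapping of owner, mask and other onto the permission bits ls shows, the inheritance of a default ACL through the mode of touch or mkdir, and the check order above) can all be worked through on getfacl output without touching a file system. The functions below are an added example for this section, not part of the course or of the acl package; the two ACL texts are constructed copies of the mydir examples shown earlier.

```shell
# Added example (not course or acl-package code): POSIX ACL logic over getfacl's text form.

# AND two rwx strings position by position (Table 4-11):  perm_and r-x rw-  ->  r--
perm_and() {
    printf '%s\n' "$1" | awk -v m="$2" '{ o = ""
        for (i = 1; i <= 3; i++) o = o (substr($0, i, 1) == substr(m, i, 1) ? substr($0, i, 1) : "-")
        print o }'
}

# Raw permissions of one access-ACL entry: acl_get "<getfacl text>" <type> <qualifier> (empty
# qualifier for owner, owning group, mask, other). "# effective:" comments are dropped; 1 if absent.
acl_get() {
    printf '%s\n' "$1" | awk -F: -v t="$2" -v q="$3" \
        '$1 == t && $2 == q { sub(/ .*/, "", $3); print $3; found = 1; exit } END { exit !found }'
}

# Owner and owning group from the "# owner:" and "# group:" header lines.
acl_meta() { printf '%s\n' "$1" | awk -v k="$2:" '$1 == "#" && $2 == k { print $3; exit }'; }

# Effective permissions: owner and other are never masked; named users, the owning
# group and named groups are ANDed with the mask entry when one exists.
acl_effective() {
    p=$(acl_get "$1" "$2" "$3") || return 1
    case "$2:$3" in
        user:|other:) printf '%s\n' "$p" ;;
        *) if m=$(acl_get "$1" mask ""); then perm_and "$p" "$m"; else printf '%s\n' "$p"; fi ;;
    esac
}

# The nine mode bits ls -l shows: owner, then the mask (or owning group if there is no mask), then other.
acl_mode_bits() {
    g=$(acl_get "$1" mask "") || g=$(acl_get "$1" group "")
    printf '%s%s%s\n' "$(acl_get "$1" user "")" "$g" "$(acl_get "$1" other "")"
}

# Access check in the order the course gives: owner, named user, then the matching group entries
# (one carrying the permission grants, otherwise they deny), then other. Permissions never accumulate.
acl_check() {    # acl_check "<getfacl text>" <user> "<group list>" <r|w|x>  -> granted|denied
    acl=$1; who=$2; want=$4; matched=0; granted=0
    if [ "$who" = "$(acl_meta "$acl" owner)" ]; then
        p=$(acl_effective "$acl" user "")
    elif p=$(acl_effective "$acl" user "$who"); then
        :
    else
        for g in $3; do
            if [ "$g" = "$(acl_meta "$acl" group)" ]; then p=$(acl_effective "$acl" group "")
            else p=$(acl_effective "$acl" group "$g") || continue; fi
            matched=1
            case "$p" in *"$want"*) granted=1 ;; esac
        done
        if [ "$matched" -eq 1 ]; then
            [ "$granted" -eq 1 ] && echo granted || echo denied
            return 0
        fi
        p=$(acl_effective "$acl" other "")
    fi
    case "$p" in *"$want"*) echo granted ;; *) echo denied ;; esac
}

# Access ACL a new object gets below a directory with a default ACL: the mode of the creating call
# (touch passes 0666, mkdir 0777) is ANDed with the default owner, mask (or owning group when there
# is no mask) and other entries; named entries are copied unchanged.
acl_new_object() {    # acl_new_object "<getfacl text>" <nine-character mode, e.g. rw-rw-rw->
    defaults=$(printf '%s\n' "$1" | sed -n 's/^default://p')
    if printf '%s\n' "$defaults" | grep -q '^mask::'; then gt=mask; else gt=group; fi
    printf '%s\n' "$defaults" | while IFS= read -r line; do
        case "$line" in
            user::*)  printf 'user::%s\n' "$(perm_and "${line#*::}" "$(printf '%s' "$2" | cut -c1-3)")" ;;
            "$gt"::*) printf '%s::%s\n' "$gt" "$(perm_and "${line#*::}" "$(printf '%s' "$2" | cut -c4-6)")" ;;
            other::*) printf 'other::%s\n' "$(perm_and "${line#*::}" "$(printf '%s' "$2" | cut -c7-9)")" ;;
            *)        printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed getfacl output, copied from the mydir examples of this section.
ACL_MASKED='# owner: tux
# group: project3
user::rwx
user:jane:rwx # effective: r-x
group::r-x
group:jungle:rwx # effective: r-x
mask::r-x
other::---'
ACL_DEFAULT='# owner: tux
# group: project3
user::rwx
user:jane:rwx
group::r-x
group:jungle:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:jungle:r-x
default:mask::r-x
default:other::---'

acl_mode_bits "$ACL_MASKED"               # rwxr-x---  (ls -dl mydir shows drwxr-x---+)
acl_check "$ACL_MASKED" jane "" w         # denied: jane's rwx is masked down to r-x
acl_new_object "$ACL_DEFAULT" rw-rw-rw-   # the access ACL that touch mydir/myfile receives
```

acl_new_object reproduces the myfile output above exactly (user::rw-, mask::r--), and with the mode rwxrwxrwx it reproduces the mysubdir output; acl_check with several groups shows that only one matching entry needs to carry the permission, and that nothing is added up across entries.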


How Applications Handle ACLs

As described in the preceding sections, you can use ACLs to implement very
complex permission scenarios that meet the requirements of applications.

The traditional permission concept and ACLs can be combined in a smart manner.
However, some important applications still lack ACL support. Except for the star
archiver, there are currently no backup applications that guarantee the full
preservation of ACLs.

The basic file commands (cp, mv, ls, and so on) support ACLs, but many editors and
file managers (such as Konqueror) do not.

For example, when you copy files with Konqueror, the ACLs of these files are lost.
When you modify files with an editor, the ACLs of files are sometimes preserved,
sometimes not, depending on the backup mode of the editor used.

If the editor writes the changes to the original file, the access ACL is preserved. If the
editor saves the updated contents to a new file that is subsequently renamed to the old
filename, the ACLs might be lost, unless the editor supports ACLs.

b For more information about ACLs go to http://sdb.suse.de/en/sdb/html/81_acl.html and
http://acl.bestbits.at/. Also see the man pages for getfacl(1), acl(5), and setfacl(1).


Exercise 4-2 Use ACLs

In this exercise, you practice using ACLs by doing the following:
n Part I: Configure the ACL of a Directory
n Part II: Configure a Default ACL for a Directory
n Part III: Delete an ACL

Part I: Configure the ACL of a Directory

Do the following:
1. Open a terminal window and su to root.
2. Change to the directory /tmp by entering the following:
cd /tmp
3. Create a test directory by entering the following:
mkdir acl_test
4. Limit the file system permissions for the directory by entering the following:
chmod 700 acl_test
5. Open a second terminal window as the user geeko.
6. Try changing to the test directory by entering the following:
cd /tmp/acl_test/
The command fails because geeko (who is not the owner of the directory) has no
permission to read the directory.
7. Switch to the root terminal.
8. Display the minimum ACL of the directory by entering the following:
getfacl acl_test
9. Add an extended ACL by entering the following:
setfacl -m u:geeko:rwx acl_test/
10. Switch to the geeko terminal and try to access the directory again by entering the
following:
cd /tmp/acl_test
Because of the extended ACL, you can view the directory.
11. Switch to the root terminal and display the extended ACL of the directory by
entering the following:
getfacl /tmp/acl_test/


Part II: Configure a Default ACL for a Directory

Do the following:
1. From the root terminal window, change to the directory acl_test by entering the
following:
cd /tmp/acl_test
2. Create a file by entering the following:
touch without_default_acl
3. Display the ACL of the new file by entering the following:
getfacl without_default_acl
As there is no default ACL for the parent directory, the new file does not have an
extended ACL either.
4. Set a default ACL for the directory acl_test by entering the following:
setfacl -d -m u:geeko:rw /tmp/acl_test/
5. Create another test file by entering the following:
touch with_default_acl
6. Display the ACL of the new file by entering the following:
getfacl with_default_acl
As this file was created after the default ACL of the parent directory was set, the
new file inherited the ACL.

Part III: Delete an ACL

Do the following:
1. From the root terminal window, remove the ACL by entering the following:
setfacl -x u:geeko with_default_acl
2. Display the ACL again by entering the following:
getfacl with_default_acl
As you can see, the ACL for the user geeko has been removed. If there were
ACLs for other users, they would remain unaffected.
3. View the file attributes of with_default_acl by entering the following:
ls -l with_default_acl
The output still ends with a "+", indicating that extended ACL entries (such as the mask) remain.
4. Remove all ACLs by entering the following:
setfacl -b with_default_acl


5. Display the ACL again by entering the following commands:
getfacl with_default_acl
ls -l with_default_acl
Notice that the ACL has been removed.
6. Close all terminal windows.

(End of Exercise)
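The two procedures for access and default ACLs and the three parts of this exercise can be scripted so that each step verifies its own result. The functions below are an added example, not course material: 54321 is a constructed placeholder UID (setfacl accepts numeric IDs, so no such account needs to exist), and each function reports skipped when setfacl is not installed or the file system does not support ACLs.

```shell
# Added example (not course material): the steps of Exercise 4-2 as functions that
# verify their own result. 54321 is a constructed placeholder UID; setfacl accepts
# numeric IDs, so no such account has to exist. Each function prints ok, failed or
# skipped (skipped: no setfacl in PATH, or the file system does not support ACLs).
share_dir_with_user() {            # share_dir_with_user <dir> <user-or-uid>
    dir=$1; who=$2
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    chmod 700 "$dir"                                            # Part I, step 4
    setfacl -m "u:$who:rwx" "$dir" 2>/dev/null || { echo skipped; return 0; }   # Part I, step 9
    setfacl -d -m "u:$who:rw" "$dir"                            # Part II, step 4
    touch "$dir/with_default_acl"                               # Part II, step 5
    # ls marks the extended ACL with a +, and the new file must carry user:<who>:rw-
    # (touch's mode 0666 ANDed with the default entry rw-). getfacl prints the number
    # because no account with that UID exists.
    ls -ld "$dir" | grep -q '^d.........+' || { echo failed; return 0; }
    getfacl "$dir/with_default_acl" 2>/dev/null | grep -q "^user:$who:rw-" && echo ok || echo failed
}

unshare_dir() {                    # unshare_dir <dir>   (Part III, step 4, plus the default ACL)
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    setfacl -b -k "$1" 2>/dev/null || { echo skipped; return 0; }   # -b: extended entries, -k: default ACL
    ls -ld "$1" | grep -q '^d.........+' && echo failed || echo ok
}

d=$(mktemp -d)
share_dir_with_user "$d" 54321     # ok (or skipped)
unshare_dir "$d"                   # ok (or skipped)
rm -rf "$d"
```

Run it as the owner of the directory; root is not needed, because setting an ACL on your own directory is allowed just like chmod.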


Objective 7 Configure Security Settings With YaST


YaST offers a module to configure certain system settings that affect the local
security. You can access the module from the YaST Control Center by selecting
Security and Users > Security settings.

With the module you can easily change the following settings of the system
configuration:
n The password settings
n The boot behavior of the system
n The login behavior
n The user ID limitations
n General file system security

When you start the module, the following appears:

Figure 4-4

In the dialog you can choose from four levels of local security:

Table 4-13

Level                             Description
Level 1 (Home Workstation)        This option represents the lowest level of local
                                  security. It should only be used on a home
                                  workstation that is not connected to any kind of
                                  network.
Level 2 (Networked Workstation)   This option provides an intermediate level of
                                  local security. It is suitable for workstations
                                  that are connected to a network.
Level 3 (Network Server)          This option enables a high level of local
                                  security. Systems that are used as a network
                                  server should be run with this setting.
Custom Settings                   This option lets you create your own level of
                                  local security.

By selecting one of the three predefined security levels and selecting Next, the
chosen security level is applied. By selecting Details, you can change the settings for
the security level you have selected.

If you choose Custom Settings and then select Next, you can directly change
the details of the security configuration.

The dialogs for the detail settings look the same for every security level, but the
preselected options are different. In the following dialogs, you see the settings for
Level 3 (Network Server).

In the first dialog you can change the default password requirements that are
accepted by the system:

Figure 4-5

You have the following options:

Table 4-14 Option / Description

Checks
  This option enables the checking of newly created passwords. The following
  two methods can be enabled:
  • Checking New Passwords. New passwords will be checked to see if they can be
    found in a dictionary.
  • Plausibility Test For Passwords. Passwords will be checked to see if they
    contain a mixture of different kinds of characters (such as lowercase and
    uppercase characters).
  For a server system, you should at least enable Checking New Passwords.

Password Encryption Method
  You can choose between different password encryption methods. This option
  also sets the maximum length of the password. The default option DES supports
  only passwords with a length of up to 8 characters.
  MD5 and blowfish support longer passwords but are not well supported by older
  systems and applications.
  Unless your system has to meet very high security demands, you can stay with
  the default DES.

Number Of Significant Characters In The Password
  This option corresponds to the previous one. You can only choose a value
  higher than 8 if you have chosen an encryption method other than DES.
  For normal security demands, a value of 8 is sufficient.

Minimum Acceptable Password Length
  This value determines the minimum length of a password. The shorter a
  password is, the easier it is to crack.
  A password should never be shorter than 6 characters.

Days To Password Change Warnings
  The name of this option is a little misleading. There are two values to be
  set:
  • Minimum. The number of days after which a user can change the password.
  • Maximum. The number of days after which a user must change the password.

Days Before Password Expires Warning
  This option determines how many days before a password has to be changed a
  warning should be given to the user.

After adapting the options to your needs, select Next to proceed to the next dialog.

The following dialog appears:

Figure 4-6

In this dialog you can configure how the system can be rebooted.

You have the following options:

Table 4-15 Option / Description

Interpretation Of Ctrl+Alt+Del
  This option determines how the key combination Ctrl+Alt+Del is evaluated. You
  can choose between the following possibilities:
  • Ignore. The key combination is ignored; nothing happens.
  • Reboot. When the combination is pressed, the system reboots.
  • Halt. The system can be halted by pressing the key combination.
  On a server you should always choose Ignore because otherwise someone could
  halt or reboot the system even without being logged in.

Shutdown Behavior Of KDM
  This option determines how the system can be halted with the graphical login
  manager KDM. You have the following choices:
  • Only Root. To halt the system, the root password has to be entered.
  • All Users. Everyone, even remotely connected users, can halt the system
    using KDM.
  • Nobody. Nobody can halt the system with KDM.
  • Local Users. Only locally connected users can halt the system with KDM.
  • Automatic. The system is halted automatically after logout.
  For a server system you should use Only Root or Nobody to prevent normal or
  even remote users from halting the system.

After selecting Next, the following appears:

Figure 4-7

In this dialog you can configure the login behavior of the system.

You have the following options:

Table 4-16 Option / Description

Delay After Incorrect Login Attempts
  The value of this option determines the number of seconds the next login try
  will be delayed after a failed login attempt.
  This is useful to prevent attackers from trying various passwords very
  quickly.
  The default value 3 is sufficient in most cases.

Record Failed Login Attempts
  If this option is checked, failed login attempts are logged.
  This option should be enabled.

Record Successful Login Attempts
  If this option is checked, successful login attempts are logged.
  This option should also be enabled.

Allow Remote Graphical Login
  The display manager KDM lets you log in remotely to the X Window System. If
  this option is selected, remote login is allowed.
  For a server system, you should not enable this option unless it is needed
  for the purpose of the server (for example, the system is a terminal server).
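
Recording failed logins only helps if someone looks at the records. The following
script is an added example, not part of the course or of YaST: it summarizes failed
login attempts per source address from a few syslog-style lines in the format sshd
writes and flags sources that reach a threshold. The log lines, the host name da10
and the addresses are constructed for the example; on a real system you would feed
it the contents of /var/log/messages instead.

```shell
#!/bin/sh
# Added example (not from the course): summarize failed logins per source
# address from syslog-style lines. The sample below is constructed; on a real
# system pass "$(cat /var/log/messages)" instead.

SAMPLE_LOG='Mar  3 10:01:12 da10 sshd[2211]: Failed password for geeko from 10.0.0.5 port 40112 ssh2
Mar  3 10:01:15 da10 sshd[2211]: Failed password for geeko from 10.0.0.5 port 40112 ssh2
Mar  3 10:01:19 da10 sshd[2212]: Failed password for invalid user admin from 10.0.0.5 port 40113 ssh2
Mar  3 10:02:02 da10 sshd[2214]: Accepted password for geeko from 10.0.0.7 port 40200 ssh2
Mar  3 10:03:44 da10 sshd[2230]: Failed password for tux from 10.0.0.7 port 40310 ssh2'

# Print "address count" for every source with at least one failed login,
# most failures first. $1 is the log text.
failed_by_source() {
    printf '%s\n' "$1" | awk '
        /Failed password for/ {
            # the word after "from" is the source address
            for (i = 1; i <= NF; i++)
                if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort -k2,2nr -k1,1
}

# Print only the sources whose failure count reaches the threshold $1.
# $2 is the log text.
suspicious_sources() {
    failed_by_source "$2" | awk -v limit="$1" '$2 >= limit { print $1 }'
}

# Usage when run directly: sources with three or more failed attempts.
suspicious_sources 3 "$SAMPLE_LOG"
```

The awk filter keys on the literal "Failed password for" phrase, so entries for
invalid user names are counted against the source as well; the threshold is what
turns a plain count into something worth alerting on.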

After adjusting the settings in this dialog, select Next to proceed to the next dialog.

The next dialog provides the following options:

Figure 4-8

In this dialog you can adjust the Minimum and the Maximum value for User and
Group IDs. The default values should be acceptable for most purposes.

Select Next to continue to the last page of the security configuration.

The following appears:

Figure 4-9

You have the following options:

Table 4-17 Option / Description

Setting Of File Permissions
  From this menu, you can choose between three different presets for file
  system permissions. You have the following options:
  • Easy. Most configuration files are readable for normal users.
  • Secure. Certain system files (like /var/log/messages) can only be viewed by
    root. Some programs can only be launched by root or by daemons.
  • Paranoid. This is the preset with the highest level of file system
    security. Access rights are even more restricted than with the Secure
    setting.
  The security settings for every preset are read from configuration files
  following the naming scheme /etc/permissions.<level>. For example, the
  configuration for the Secure level is read from the file
  /etc/permissions.secure.
  Each file contains a description of the file syntax and the purpose of the
  preset.
  You can also add your own rules to the file /etc/permissions.local.

User Launching Updatedb
  This option determines under which user ID the command updatedb is executed
  by cron.
  The updatedb program indexes all files in the file system. The generated
  database can be queried with the locate command.
  The choices of this option are:
  • nobody. The command is launched under the user ID of the system user
    nobody. This way only files that are accessible for the user nobody are
    indexed.
  • root. The command is executed under the user ID of the root user. This way
    all files in the file system can be indexed.
  For security reasons you should use the user nobody. This way no files are
  indexed that should not be accessible for normal users.

Current Directory In Root Path
  If this option is selected, the current directory is added to the search path
  of root.
  This could lead to security problems if an attacker places an executable with
  a common name like ls into a directory. If root enters ls in that directory,
  the executable of the attacker could be launched instead of the normal ls
  command.
  Never select this option.

Current Directory In Path Of Regular Users
  If this option is selected, the current directory is added to the search path
  of normal users.
  In a security-sensitive environment, this option should not be enabled.

Enable Magic SysRq Keys
  This option enables special key combinations that give you some control over
  the system even in the case of a system crash.
  This is useful for debugging purposes but should be disabled on production
  systems.
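
Two of the settings in Table 4-17 can be verified from the command line. The
following script is an added example, not part of the course or of YaST: it checks
files against a permissions list written in the three-column layout (path
owner:group mode) that SUSE's /etc/permissions.<level> files use, and it audits a
PATH value for the current-directory entries the table warns about. The sample
files and the permissions list are constructed in a temporary directory; the real
presets live in /etc/permissions.secure and its siblings.

```shell
#!/bin/sh
# Added example (not from the course or YaST): two checks behind Table 4-17.
# Assumes Linux with GNU coreutils (stat -c) and a POSIX shell.

# Normalize an octal mode such as 640 or 0640 to four digits.
octal() {
    printf '%04o' "$((0$1))"
}

# Check every "path owner:group mode" line of a permissions list ($1) against
# the file system. Prints one line per deviation and returns their number
# (0 means every entry matches). Blank lines and "#" comments are skipped.
check_permissions() {
    bad=0
    while read -r path ownergroup mode; do
        case "$path" in ''|'#'*) continue ;; esac
        own=$(stat -c '%U:%G' "$path" 2>/dev/null) || {
            echo "MISSING $path"
            bad=$((bad + 1))
            continue
        }
        have=$(octal "$(stat -c '%a' "$path")")
        want=$(octal "$mode")
        if [ "$own" != "$ownergroup" ] || [ "$have" != "$want" ]; then
            echo "MISMATCH $path expected $ownergroup $want found $own $have"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Build a constructed sample: two files and a permissions list describing them,
# written with the current user and group so the check works on any account.
# Prints the path of the list.
make_sample_list() {
    dir=$(mktemp -d)
    echo "secret" > "$dir/shadow"; chmod 0640 "$dir/shadow"
    echo "public" > "$dir/passwd"; chmod 0644 "$dir/passwd"
    me="$(id -un):$(id -gn)"
    {
        echo "# constructed list, same layout as /etc/permissions.secure"
        echo "$dir/shadow $me 0640"
        echo "$dir/passwd $me 0644"
    } > "$dir/permissions.sample"
    echo "$dir/permissions.sample"
}

# Audit a PATH value ($1). An empty entry (leading, trailing or doubled ":"),
# "." or any relative entry puts the current directory into the search path,
# which is what the two "Current Directory In ... Path" options add.
# Prints one line per finding and returns their number.
audit_path() {
    issues=0
    rest="$1:"                      # every entry now ends in ":"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            '') echo "empty entry (current directory)" ;;
            .)  echo "current directory entry ." ;;
            /*) continue ;;         # absolute path, nothing to report
            *)  echo "relative entry $entry" ;;
        esac
        issues=$((issues + 1))
    done
    return "$issues"
}

# Usage when run directly.
check_permissions "$(make_sample_list)" && echo "permissions: all entries match"
audit_path "$PATH" && echo "PATH: no current-directory entries"
```

Both functions return the number of findings, so they can sit in a cron job or a
login script and fail loudly; audit_path treats a trailing or doubled colon the same
as an explicit ".", because the shell does.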

After confirming this dialog with Finish, the changes are saved and applied to the
system.

In most cases it should be sufficient to choose one of the preconfigured security
levels.

Objective 8 Stay Informed About Security Issues

One of the most important security tasks for an administrator is to stay informed
about current security issues.

Damage can be prevented only when security patches are installed as quickly as
possible.

You can use the following resources to gather information about Linux-related
security issues:
• http://www.suse.de/en/business/security.html. This web site is the central
  security information site of SUSE. All security issues affecting the SUSE
  products are announced here.
  You will also find information about security and open source software and the
  SUSE security team.
• http://www.suse.de/en/business/mailinglists.html. This web site offers an
  overview of all SUSE-related mailing lists.
  There are two security-related mailing lists that you can subscribe to for
  further security information.
  • suse-security. This mailing list is intended for security-relevant
    discussions.
  • suse-security-announce. This mailing list announces security issues and
    fixes. This mailing list is read-only. For discussions, please use
    suse-security.
  To subscribe to a mailing list, select the check boxes by the name of the list,
  enter your mail address at the bottom of the page, and then click OK.
• http://www.securityfocus.com/. This web site is about general IT security. It
  also offers various security-relevant mailing lists.

Exercise 4-3 Subscribe to the SUSE Security Announcements

In this exercise, you subscribe to the SUSE security mailing list. This means that
Novell/SUSE will inform you by email about current security issues of SUSE Linux
Products.

If you don't want to receive these messages, skip this exercise.

Do the following:
1. From the KDE start menu, select Internet > Web Browser.
2. In the address bar of the browser, enter the following:
http://www.suse.com/us/business/mailinglists.html
3. Scroll down to the entry suse-security-announce; then select the check box for
that entry.
4. Scroll down to the bottom of that page and in the email address field enter your
email address.
5. Subscribe to the list by selecting OK.
6. Close the web browser window.

(End of Exercise)

Objective 9 Apply Security Updates

SLES 9 is usually delivered with system maintenance. This system maintenance
includes updates and security patches.

Software updates can be managed with YaST Online Update (YOU). This YaST
module downloads and installs software updates and security patches.

To apply security updates, you need to do the following:
• Register Your Product
• Use the YaST Online Update

Register Your Product

To access the update packages you need to enter a user name and a password. To get
these credentials, you need to create an account for the SUSE support portal.

The SUSE support portal can be accessed at http://portal.suse.com.

After you have created an account, you need to register your product in the portal
with the registration code delivered with the SLES 9 CDs.

Only registered products can be updated with the YOU module.

Use the YaST Online Update

The following is a quick guide to applying software updates with YOU.

First you need to start the YOU module from the YaST Control Center by selecting
Software > Online Update.

The following appears:

Figure 4-10

Select Next to start the update process. There are some additional configuration
options but the defaults are sufficient unless you want to run your own YOU server.

In the next step, YOU asks you for your account at the SUSE support portal. Enter
your login name and password in the following dialog:

Figure 4-11

Select Login to proceed to the next step. YOU retrieves information about the
available patches and displays the following dialog:

Figure 4-12

On the top left side of the dialog all available patches are displayed. Security relevant
patches are indicated by red characters.

By selecting the check box by an entry, the corresponding update is installed in the
next step. Normally YOU autoselects the updates that are relevant for your system.

By selecting an entry itself, details for the corresponding update are displayed on the
right side of the dialog.

By selecting Accept, the selected updates are downloaded and installed.

During the process YOU displays the following dialog:

Figure 4-13

You can display additional information for some updates. These dialogs need to be
confirmed to install the corresponding software package.

Summary

Objective / Summary

1. Create a Security Concept
  The security of a system must always be seen in the context of the whole IT
  environment.
  We highly recommend that you create a security concept for the company.
  The process of creating a security concept includes the following steps:
  • Understand the basics of a security concept.
  • Perform a communication analysis.
  • Analyze the protection requirements.
  • Analyze the current situation and necessary enhancements.

2. Limit Physical Access to Server Systems
  If a server is not protected from unauthorized physical access, even the best
  software configuration cannot prevent someone from misusing a system.
  To make the server as secure as possible, do the following:
  • Place the server in a separate and locked server room.
  • Secure the BIOS with a password.
  • Secure the GRUB boot loader with a password.

3. Limit the Installed Software Packages
  You should install only those software packages that are needed to fulfill
  the purpose of a server.
  To set up a production system, minimize the software selections you install
  and add only packages which are definitely needed.
  It is important that no network services are installed that are not needed on
  a server.

4. Understand the Linux User Authentication
  User authentication is the base for every kind of access control.
  The user authentication of a modern Linux system is based on PAM, the
  Pluggable Authentication Modules.
  PAM creates a software layer between the applications handling user
  authentication and the currently used authentication mechanism.
  PAM is configured in the directory /etc/pam.d/. This directory contains a
  configuration file for every application that uses PAM.
  Every line of a configuration file enables a PAM module for the corresponding
  application.
  Another important aspect of user authentication is the requirements for a
  secure password.
  A password should never be a word from a dictionary and should always contain
  some uppercase characters and numbers.

5. Ensure File System Security
  The permission settings in the file system have an important meaning for the
  overall system security.
  You should always follow some basic rules about file system security.
  • A user should only have write access in the home and the /tmp directory.
  • Users should never have read access to configuration files that contain
    passwords.
  • The following special file permissions affect the security of a system:
    • The SUID bit
    • The SGID bit
    • The sticky bit

6. Use ACLs for Advanced Access Control
  ACLs extend the classic Linux file system permissions.
  They let you assign permissions to named users and named groups.
  ACLs also provide a mask entry, which basically limits the permissions of
  named users and named groups.
  The ACL entries are managed with getfacl and setfacl.
  Directories can have a default ACL that is inherited by newly created files
  or subdirectories.

7. Configure Security Settings With YaST
  YaST offers a module that can be used to configure various security-relevant
  system settings.
  The module can be found in the YaST Control Center under Security and Users >
  Security Settings.
  You can change the following settings:
  • The password settings
  • The boot behavior
  • The login behavior
  • The user and group ID limitations
  • The file system security

8. Stay Informed About Security Issues
  It is very important to be informed about the current security issues.
  The following resources can be used to gather security-relevant information:
  • http://www.suse.de/en/business/security.html
  • http://www.suse.de/en/business/mailinglists.html
  • http://www.securityfocus.com/

9. Apply Security Updates
  To get and apply security updates for SLES 9, you need to do the following:
  Register SLES 9 at the SUSE support portal at http://portal.suse.com.
  Download and apply updates with YOU, the YaST Online Update.
  The YOU module can be found in the YaST Control Center under Software >
  Online Update.

SECTION 5 Manage Backup and Recovery

In this section, you learn how to develop a backup strategy and how to use the
backup tools shipped with SLES 9. You also learn about possible problems you
might encounter during the boot process and how to configure the GRUB boot
loader.

Objectives
1. Develop a Backup Strategy
2. Create Backup Files With tar
3. Work With Magnetic Tapes
4. Copy Data With the dd Command
5. Mirror Directories With the rsync Command
6. Automate Data Backups With the cron Service
7. Troubleshoot the Boot Process of a SLES 9 System
8. Configure and Install the GRUB Boot Loader

Introduction
Even the best security measures cannot guarantee that data will never be lost. There
is always the possibility that
• A hard disk failure will occur, destroying data on the affected disk.
• Users will delete files by accident.
• A virus will delete important files on a desktop computer.
• A notebook will be lost or destroyed.
• An attacker will delete data on a server.
• Natural influences like thunderstorms will destroy storage systems.

It is very important to ensure that you have a reliable backup of important data.

In this section you learn how to develop a backup strategy and how to use the
standard UNIX backup tools tar, rsync, and dd.

You will learn about possible issues during the boot process and how to configure the
GRUB boot loader.

Objective 1 Develop a Backup Strategy

Backing up data is one of the most important tasks of a system administrator. But
before you can actually back up data, you need to develop a backup strategy by doing
the following:
• Choose a Backup Method
• Choose the Right Backup Media

Choose a Backup Method

The best possible method of data backup is the full backup.

In a full backup, all system data is copied to a backup media once a day. To restore
the data, the most current backup media is copied back to the system's hard disk.

The disadvantage of this method is the backup window. The backup window is the
time frame available to perform backups.

Backups should be performed when the system is not used, to avoid data changes on
the disk during the backup. These data changes would lead to inconsistent data on the
backup media.

Therefore, a backup is normally performed at night when systems are not needed.

In some cases, especially in larger companies, the backup window might be too small
to perform a full backup every day.

This can happen for the following reasons:
• The amount of data to be backed up is so large, it takes too long to copy all
  data to a backup media during the backup window.
• The affected systems have to be available around the clock, so the backup
  window is very small.

In most cases, a combination of both reasons prevents you from using a full backup.

To circumvent this problem, you can use a backup method other than full backup.
The following are 2 basic backup alternatives:
• Perform an Incremental Backup
• Perform a Differential Backup

Perform an Incremental Backup

In an incremental backup, you normally perform a full backup once a week (such as
on the weekend). Then you perform a backup every day that copies only files that
have changed since the backup the day before.

For example, you might perform a full backup on Sunday, while on Monday you just
back up the files which have changed since Sunday. On Tuesday you back up the files
which have changed since Monday, and so on.

Before performing an incremental backup, you need to understand the following
advantage and disadvantage of this method:
• Advantage. Because you only back up files that have changed since the last
  backup, the backup window can be much smaller than the one you need for a
  daily full backup.
• Disadvantage. The recovery time is longer. For example, you have performed a
  full backup on Sunday and incremental backups on Monday, Tuesday and
  Wednesday. On Thursday the server crashes and all data is lost.
  To restore the server you now need all incremental backups and the full backup
  since last Sunday. All these backups need to be copied to the server in the
  correct order.

Perform a Differential Backup

In a differential backup, you perform a full backup once a week, then you perform
backups every day that record the files that have changed since the last full backup.

For example, suppose you perform a full backup on Sunday. On Monday you back up
the files that have changed since Sunday, on Tuesday you also back up the files that
have changed since Sunday, and so on.

Before performing a differential backup, you need to understand the following
advantage and disadvantage of the method:
• Advantage. To restore data from a differential backup, you need just 2 backup
  media: the last full backup and the last differential backup. This makes the
  average time needed to restore a system shorter.
• Disadvantage. The amount of data to be backed up grows every day. At the end
  of the backup cycle, the amount of data might be too large for the available
  backup window.

The following illustrates the difference between incremental and differential backups:

Figure 5-1 (schedule shown in the figure)
  Incremental: Mon full backup; Tue, Wed, Thur, Fri incremental backup.
  Differential: Mon full backup; Tue, Wed, Thur, Fri differential backup.

Choose the Right Backup Media

You must choose the right backup media for the amount of data to be backed up and
the backup method.

Tape drives are used most often because they still have the best price-to-capacity
ratio. Normally these are SCSI drives, so that all kinds of tape drives can be accessed
in the same way (such as DAT, EXABYTE, and DLT). In addition, tapes can be
reused.

Other media for data backup include writable CDs or DVDs, removable hard drives,
and magneto-optical (MO) drives.

More and more frequently, Storage Area Networks (SANs) are used. With a SAN, a
storage network is set up to exclusively back up data from different computers on a
central backup server. But even a SAN often uses magnetic tapes to store the data.

Backup media should always be stored separately from the backed up systems. This
prevents the backups from being lost in case of a fire in the server room. Sensitive
backup media should be stored safely offsite.

Objective 2 Create Backup Files With tar

The tar (tape archiver) tool is the most commonly used application for data backup
on Linux systems. It archives files in a special format, either directly on a backup
medium (such as magnetic tape or floppy disk), or to an archive file.

The following are tasks you perform when backing up files with tar:
• Create tar Archives
• Unpack tar Archives
• Exclude Files from Backup
• Perform Incremental and Differential Backups
• Use tar Command Line Options

Create tar Archives

The tar format is a container format for files and directory structures. By convention,
the extension of the archive files ends in .tar.

tar archives can be saved to a file to store them on a file system, or they can be
written directly to a backup tape.

Normally the data in the archive files is not compressed, but you can enable
compression with additional compression commands. If archive files are compressed
(usually with the command gzip), then the extension of the filename is either .tar.gz
or .tgz.

The tar command first expects an option, then the name of the archive to be written
(or the device file of a tape recorder), and the name of the directory to be backed up.
All directories and files under this directory are also saved.

Directories are typically backed up with a command such as the following:

tar -cvf /backup/etc.tar /etc

In this example, the tar command backs up the complete contents of the directory /etc
to the file /backup/etc.tar.

The option -c (create) creates the archive. The option -v (verbose) displays a more
detailed output of the backup process. The name of the archive to be created is
entered after the option -f (file).

This can either be a normal file or a device file (such as a tape drive), as in the
following:

tar -cvf /dev/st0 /home

In this example, the /home directory is backed up to the tape recorder /dev/st0.

When an archive is created, absolute paths are made relative by default. This means
that the leading / is removed, as in the following output:

tar: Removing leading / from member names

You can view the contents of an archive by entering the following:

tar -tvf /backup/etc.tar

Unpack tar Archives

To unpack files from an archive, enter the following command:

tar -xvf /dev/st0

This writes all files in the archive to the current directory. Due to the relative path
specifications in the tar archive, the directory structure of the archive is created here.

If you want to extract to another directory, this can be done with the option -C,
followed by the directory name.

If you want to extract just one file, specify its name in the archive after the
archive name. Because tar stores paths without the leading /, the member name is
given relative, as in the following:

tar -xvf /test1/backup.tar home/user1/.bashrc

Exclude Files from Backup

If you want to exclude specific files from the backup, a list of these files must be
written in an exclude file, line by line, as in the following:

/home/user1/.bashrc
/home/user2/Text*

In this example, the file /home/user1/.bashrc from user1 and all files that begin with
Text in the home directory of user2 will be excluded from the backup.

This list is then passed to tar with the option -X, as in the following:

tar -cvf /dev/st0 /home -X exclude.files

Perform Incremental and Differential Backups

In an incremental or differential backup, only files that have been changed or newly
created since a specific date must be backed up.

The following are 2 methods you can use to accomplish the same thing with tar:
• Use a Snapshot File for Incremental Backups
• Use the find Command to Search for Files to Back Up

Use a Snapshot File for Incremental Backups

Tar lets you use a snapshot file that contains information about the last backup
process. This file needs to be specified with the -g option.

First, you need to make a full backup with a tar command, as in the following:

tar -cz -g /backup/snapshot_file -f /backup/backup_full.tar.gz /home

In this example, the directory /home is backed up to the file
/backup/backup_full.tar.gz. The snapshot file /backup/snapshot_file does not yet
exist and is created.

The next time, you can perform an incremental backup with the following command:

tar -cz -g /backup/snapshot_file -f /backup/backup_mon.tar.gz /home

In this example, tar uses the snapshot file to determine which files or directories have
changed since the last backup. Only changed files are included in the new backup
/backup/backup_mon.tar.gz.

Use the find Command to Search for Files to Back Up

You can also use the find command to find files that need to be backed up as a
differential backup.

First, you use the following command to make a full backup:

tar -czf /backup/backup_full.tar.gz /home

In this example, the /home directory is backed up into the file
/backup/backup_full.tar.gz. Then you can use the following command to back up all
files that are newer than the full backup:

find /home -type f -newer /backup/backup_full.tar.gz -print0 | \
tar --null -cvf /backup/backup_mon.tar.gz -T -

In this example, all regular files (-type f) in the directory /home that are newer than
the file /backup/backup_full.tar.gz are archived into /backup/backup_mon.tar.gz.

The options -print0 and --null ensure that files with spaces in their names are also
archived, because the file names are separated by NUL characters instead of
newlines. The option -T - makes tar read the list of files to archive from standard
input, that is, from the output of find.
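As an added example that is not part of the course manual, the following script runs the exclude-file, snapshot-file and find-based methods described above in a scratch directory created with mktemp instead of /home and /backup, and reports which regular files end up in each archive. It assumes GNU tar (needed for -g, --null and -T -) and a POSIX find.

```shell
#!/bin/sh
# Added example, not from the course manual: tar exclude file, snapshot-file
# incremental backup and find-based differential backup in a scratch
# directory. Assumes GNU tar (for -g, --null, -T -) and POSIX find.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir -p home/user1 home/user2 backup

# Constructed sample data standing in for the users' home directories.
echo 'alias ll="ls -l"' > home/user1/.bashrc
echo 'first draft'      > home/user1/report.txt
echo 'scratch'          > 'home/user2/Text notes'
echo 'theme=dark'       > home/user2/settings.conf

# Exclude file for -X: one pattern per line. The paths are relative because
# the archive is built from the relative name "home"; with an absolute
# source you would list absolute paths as the manual shows.
printf '%s\n' 'home/user1/.bashrc' 'home/user2/Text*' > exclude.files

# Print the regular-file members of an archive, sorted, ignoring the
# directory entries that snapshot-based archives always carry.
members() {
    tar -tzf "$1" | grep -v '/$' | sort
}

full_backup() {
    # -g creates the snapshot file on the first run.
    tar -cz -X exclude.files -g backup/snapshot_file \
        -f backup/backup_full.tar.gz home
    members backup/backup_full.tar.gz
}

incremental_backup() {
    # Same command as the full run; tar consults (and updates) the snapshot
    # file, so only files changed since the last run are archived.
    tar -cz -X exclude.files -g backup/snapshot_file \
        -f backup/backup_mon.tar.gz home
    members backup/backup_mon.tar.gz
}

differential_backup() {
    # Files newer than the full archive, NUL-separated so that names with
    # spaces survive the pipe; tar reads the list from stdin with -T -.
    find home -type f -newer backup/backup_full.tar.gz -print0 \
        | tar --null -czf backup/backup_diff.tar.gz -T -
    members backup/backup_diff.tar.gz
}

FULL=$(full_backup)

# Simulate a day of changes; the sleep guarantees a newer mtime even on
# file systems with one-second timestamp resolution.
sleep 1
echo 'second draft' >> home/user1/report.txt
echo 'q3 numbers'    > 'home/user2/quarterly report.txt'

INCREMENTAL=$(incremental_backup)
DIFFERENTIAL=$(differential_backup)

printf 'full:\n%s\n\nincremental:\n%s\n\ndifferential:\n%s\n' \
    "$FULL" "$INCREMENTAL" "$DIFFERENTIAL"
```

The full archive holds report.txt and settings.conf only (the two excluded names never appear), and both the snapshot-file and the find-based run pick up exactly the modified report.txt and the new file with a space in its name.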

Use tar Command Line Options

The following are some useful tar options:

Table 5-1 Option Description

-c Creates an archive.
-C Changes to the specified directory.
-d Compares files in the archive with those in the file system.
-f Uses the specified archive file or device.
-j Directly compresses or decompresses the tar archive using bzip2, a modern efficient compression program.
-r Appends files to an archive.
-u Only includes files in an archive that are newer than the version in the archive (update).
-v Displays the files which are being processed (verbose mode).
-x Extracts files from an archive.
-X Excludes files listed in a file.
-z Directly compresses or decompresses the tar archive using gzip.

b For more information about tar, consult the man page for tar.


Exercise 5-1 Create Backup Files With tar

In this exercise, you use tar to do the following:


n Part I: Create a Full Backup
n Part II: Create an Incremental Backup

x In this exercise, you copy backup files to the directory /tmp. This is only done to demonstrate
using backup methods. You should never make an actual backup to the directory /tmp.

Part I: Create a Full Backup

Do the following:
1. Open a terminal window and su to root.
2. Change to the directory /srv/www by entering the following:
cd /srv/www/
3. Create a tar archive of the directory htdocs by entering the following:
tar czf /tmp/htdocs.tar.gz htdocs
4. Delete the directory htdocs by entering the following:
rm -r htdocs
5. Copy the backup archive to the directory /srv/www by entering the following:
cp /tmp/htdocs.tar.gz /srv/www
6. Restore the directory htdocs by entering the following:
tar xzf htdocs.tar.gz
7. View the content of the restored directory by entering ls htdocs.

Part II: Create an Incremental Backup

Do the following:
1. From the root terminal window, change to the directory
/srv/www by entering the following:
cd /srv/www
2. Create a full backup by entering the following command:
tar czv -g /tmp/snapshot_file -f /tmp/htdocs_full.tar.gz htdocs
3. Create a new file in the directory htdocs by entering the following:
touch htdocs/incremental.html
4. Perform an incremental backup by entering the following command:

tar czv -g /tmp/snapshot_file -f /tmp/htdocs_incremental.tar.gz htdocs
Note that tar backs up the file incrementally.
5. View the content of the incremented backup file by entering the following:
tar -tzf /tmp/htdocs_incremental.tar.gz
6. Remove the directory htdocs by entering the following:
rm -r htdocs
7. Start restoring the directory by unpacking the backup by entering the following:
tar xzf /tmp/htdocs_full.tar.gz
8. Unpack the incremental backup by entering the following command:
tar xzf /tmp/htdocs_incremental.tar.gz

(End of Exercise)


Objective 3 Work With Magnetic Tapes


To work with magnetic tapes in SLES 9, use the command mt. With this command,
you can position tapes, switch compression on or off (with some SCSI-2 tape drives),
and query the tape status.

Magnetic tape drives used under Linux are always SCSI devices and can be accessed
with the following device names:
n /dev/st0. Refers to the first tape drive.
n /dev/nst0. Addresses the same tape drive in the no rewind mode. This means that
after writing or reading, the tape remains at that position and is not rewound
back to the beginning.

For reasons of compatibility with other UNIX versions, 2 symbolic links exist:
/dev/rmt0 and /dev/nrmt0.

You can query the status of the tape by entering the following command:

mt -f /dev/st0 status

In this example, the -f option is used to indicate the device name of the tape drive.
The command status displays the status of the tape drive.

The output of the command looks like the following:

drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 0
block number = 0
Tape block size 0 bytes. Density code 0x25 (unknown). Soft error count
since last status=0
General status bits on (41010000):
BOT ONLINE IM_REP_EN

The most important information in this example is the file number (file number) and
the block number (block number), both of which start at 0.

Together these two values determine the position of the tape. In this example, the
tape is positioned at the beginning of the first file.

x The file count starts with 0.

To position the tape at the beginning of the next file, use the following command:

mt -f /dev/nst0 fsf 1

In this example, the command fsf forwards the tape by the given number of files, and
the tape will start before the first block of the second file.


This can be verified with the status command, as in the following:

mt -f /dev/nst0 status
drive type = Generic SCSI-2 tape drive
status = 620756992
sense key error = 0
residue count = 0
file number = 1
block number = 0
Tape block size 0 bytes.
Density code 0x25 (unknown).
Soft error count since last status=0
General status bits on (81010000):
EOF ONLINE IM_REP_EN

Now the file number is set to 1, and the final line of the output contains EOF (end of
file) instead of BOT (beginning of tape).

With the option bsf, the tape can be repositioned back by a corresponding number of
files.

In general, when positioning the tape, you should use a non rewinding device file like
/dev/nst0.

If you want the tape to be spooled back to the beginning after the reading or writing
process, enter the following command:

mt -f /dev/nst0 rewind

If you want to eject the tape from the drive, then enter the following command:

mt -f /dev/nst0 offline

Normally, tapes should always be written without compression, because otherwise
you cannot recover the subsequent data in case of a write or read error.

To check whether data compression is switched on or off, enter the following
command:

mt -f /dev/st0 datcompression

The command shows whether data compression is switched on or off.

If the parameter on or off is specified at the end of the command, then data
compression will be switched on or off. By default, compression is switched on.


Objective 4 Copy Data With the dd Command


You can use the command dd to convert and copy files byte-wise. Normally dd reads
from the standard input and writes the result to the standard output. But with the
corresponding parameters, files can also be addressed directly.
You can copy all kinds of data with this command, including entire hard disk
partitions. Exact copies of an installed system (or just parts of it) can be created very
simply.

In the simplest case, a file can be copied with the following command:

dd if=/etc/protocols of=protocols.org

The output of dd during the copying process looks like the following:

12+1 records in
12+1 records out

Use the option if= (input file) to specify the file to be copied, and the option of=
(output file) to specify the name of the copy.

Copying files in this way is done in records. The standard size of a record is 512
bytes. The output shown above indicates that 12 complete records of the standard
size and one incomplete record (that is, one of less than 512 bytes) were copied.

If the record size is changed with the option bs=block_size, then the output changes
accordingly:

dd if=/etc/protocols of=protocols.old bs=1
6561+0 records in
6561+0 records out

A file listing shows that their sizes are identical:

ls -l protocols*
-rw-r--r-- 1 root root 6561 Apr 30 11:28 protocols
-rw-r--r-- 1 root root 6561 Apr 30 11:30 protocols.old

If you want to copy a complete partition, then the corresponding device file of the
partition should be given as the input, as in the following:

dd if=/dev/sda1 of=boot.partition

In this example, the whole partition /dev/sda1 is written to the file boot.partition.

You can also use dd to create a backup copy of the MBR (master boot record), as in
the following:

dd if=/dev/sda of=/tmp/mbr_copy bs=512 count=1

In this example, a copy of the MBR is created from the hard disk /dev/sda and is
written to the file /tmp/mbr_copy.
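The record counts and the bs=512 count=1 copy described above, reproduced as an added example that is not part of the course manual: it builds a constructed 6561-byte file (the size of the protocols file in the listing) in a scratch directory instead of touching /dev/sda, and assumes GNU or BSD dd, whose summary on stderr reads "N+M records in".

```shell
#!/bin/sh
# Added example, not from the course manual: dd record accounting and the
# one-record "MBR" copy on a constructed file. Assumes GNU or BSD dd and
# the standard "N+M records in" summary line on stderr.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed input: 6561 random bytes, which is 12 full 512-byte records
# (6144 bytes) plus one partial record of 417 bytes.
head -c 6561 /dev/urandom > protocols

# Copy $1 to $2 with dd, passing any further arguments (bs=, count=) on,
# and return the "records in" figure dd prints on stderr, e.g. "12+1".
dd_records_in() {
    src=$1; dst=$2; shift 2
    dd if="$src" of="$dst" "$@" 2>&1 >/dev/null \
        | sed -n 's/^\([0-9]*+[0-9]*\) records in$/\1/p'
}

# yes/no: do two files have identical content? Sizes matching is not
# enough for a backup; cmp compares every byte.
same_content() {
    if cmp -s "$1" "$2"; then echo yes; else echo no; fi
}

# Default 512-byte records: 12 full + 1 partial, like the listing above.
DEFAULT_RECORDS=$(dd_records_in protocols protocols.old)

# bs=1: every byte is its own record, so the count equals the file size.
BYTE_RECORDS=$(dd_records_in protocols protocols.bytewise bs=1)

# Both copies must be byte-identical to the original whatever bs= was.
COPY_OK=$(same_content protocols protocols.old)
BYTEWISE_OK=$(same_content protocols protocols.bytewise)

# The MBR idiom: bs=512 count=1 reads exactly one record from the start of
# the "disk" (here the constructed file, not /dev/sda). Keeping such a
# copy lets you later cmp the live MBR against it to spot tampering.
MBR_RECORDS=$(dd_records_in protocols mbr_copy bs=512 count=1)
MBR_SIZE=$(wc -c < mbr_copy | tr -d ' ')

printf 'default: %s  bs=1: %s  mbr: %s (%s bytes)  identical: %s/%s\n' \
    "$DEFAULT_RECORDS" "$BYTE_RECORDS" "$MBR_RECORDS" "$MBR_SIZE" \
    "$COPY_OK" "$BYTEWISE_OK"
```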


Exercise 5-2 Create Drive Images With dd

In this exercise, you use dd to create a drive image by doing the following:
1. From a root terminal window, display the content of the file
/etc/fstab by entering the following:
cat /etc/fstab
2. Find an entry such as /media/dvd, /media/cdrom, or /media/cdrecorder and note
the corresponding device name (listed in the first column of the output).
3. Insert the 3038 Course CD in the CD or DVD drive.
4. Copy an image of the CD to the hard disk by entering the following command:
dd if=/dev/device_name of=/tmp/course_cd.iso
5. When the copy process is complete, mount the image file by entering the following
command:
mount -o loop /tmp/course_cd.iso /mnt/
6. Change to the directory /mnt/ by entering cd /mnt.
7. Display the content of the image file by entering ls.
8. Change to the directory /media/device_name and enter ls.
Note that the content of the image file is identical to the original media.
9. Change to your home directory and unmount the image file by entering the
following commands:
cd
umount /mnt
10. Delete the image file by entering the following:
rm /tmp/course_cd.iso

(End of Exercise)


Objective 5 Mirror Directories With the rsync Command


The command rsync (remote synchronization) is actually intended to create copies of
complete directories across a network to a different computer.

When copying data, rsync compares the source and the target directory and transfers
only data that has changed or been newly created.

rsync is the ideal tool to mirror the content of directories or to back up data across a
network.

You can use rsync in 2 different ways:


n Perform Local Copying With rsync
n Perform Remote Copying with rsync

Perform Local Copying With rsync

You can mirror all home directories by entering the following:

rsync -a /home /shadow

In this example, the mirror is created in the directory /shadow.

The directory /home is first created in the directory /shadow, and then the actual
home directories of the users are created under /shadow/home.

If you want to mirror the content of a directory and not the directory itself, you can
use a command such as the following:

rsync -a /home/. /shadow

By adding a /. to the end of the source directory, only the data under /home is copied.

If you run the same command again, only files that have changed or that are new will
be transferred.

The option -a used in the examples puts rsync into archive mode. Archive mode is a
combination of various other options (namely rlptgoD) and ensures that the
characteristics of the copied files are identical to the originals.

The following describes these options:


n Symbolic links (option l)
n Access permissions (option p)
n Owners (option o)
n Group membership (option g)
n Time stamp (option t)

The option -r ensures that directories are copied recursively.


The following are some useful rsync options:

Table 5-2 Option Description

-a Puts rsync into the archive mode.
-x Saves files on one file system only, which means that rsync does not follow symbolic links to other file systems.
-v Enables the verbose mode. Use verbose mode to output information about the transferred files and the progress of the copying process.
-z Compresses the data during the transfer. This is especially useful for remote synchronization.
--delete Deletes files that no longer exist in the original directory from the mirrored directory.
--exclude-from Does not back up files listed in an exclude file.

The last option can be used as follows:

rsync -a --exclude-from=/home/exclude /home/. /shadow/home

In this example, all files listed in the file /home/exclude are not backed up. Empty
lines or lines beginning with ; or # are ignored.


Perform Remote Copying with rsync

With rsync and SSH, you can log in to other systems and perform data
synchronization remotely over the network.

The following command copies the home directory of the user tux to a backup server:

rsync -ave ssh root@DA1:/home/tux /backup/home/

In this example, the option -e specifies the remote shell (ssh) that should be used for
the transmission. The source directory is specified by the expression
root@DA1:/home/tux. This means that rsync should log in to DA1 as root and
transfer the directory /home/tux.

Of course, this also works in the other direction. In the following example, the
backup of the home directory is copied back to the DA1 system:

rsync -ave ssh /backup/home/tux root@DA1:/home/

x rsync must be installed on both the source and the target computer.

There is also another way to perform remote synchronization with rsync by running
an rsync server. This way you can enable remote synchronization without allowing
an SSH login.

b For more information, consult the rsync documentation at http://samba.anu.edu.au/rsync/.


Exercise 5-3 Create a Backup of a Home Directory With rsync

In this exercise, you do the following:


n Part I: Perform a Local Backup With rsync
n Part II: Perform a Remote Backup with rsync

Part I: Perform a Local Backup With rsync

Do the following:
1. Open a terminal window and su to root.
2. Create a test backup directory by entering the following:
mkdir /tmp/rsync_test
3. Copy geeko's home directory to the backup directory by entering the following:
rsync -av /home/geeko /tmp/rsync_test
4. Open another terminal window as user geeko.
5. Create a new file by entering the following:
touch new_file
6. Switch to the root terminal window and enter the same rsync command again:
rsync -av /home/geeko /tmp/rsync_test
Notice that rsync transfers only the new file and the corresponding directory.

Part II: Perform a Remote Backup with rsync

Wait until a partner has completed the previous steps in the exercise, and then do the
following:
1. From the root terminal window, perform a remote backup of your partner's geeko
home directory by entering the following command:
rsync -ave ssh root@partner_ip_address:/home/geeko /tmp/rsync_test
2. When a connection message appears, continue by entering yes; then enter a
password of novell.
3. Ask your partner to create a new file in the geeko home directory by entering the
following:
touch new_file2

4. Enter the rsync command again:
rsync -ave ssh root@partner_ip_address:/home/geeko /tmp/rsync_test
Notice that only the new file is copied by rsync.
5. Clean up the backup directory by entering the following:
rm -r /tmp/rsync_test/*
6. Close all terminal windows.

(End of Exercise)


Objective 6 Automate Data Backups With the cron Service


Backing up data is a task that you should perform on a regular basis. You can
automate backups in Linux with the cron service.

System jobs are controlled with the file /etc/crontab and the files in the directory
/etc/cron.d. They are defined with the scripts in the directories /etc/cron.hourly,
/etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly.

Which users can create cron jobs is specified through the files
/var/spool/cron/allow and /var/spool/cron/deny, which are evaluated in this order. If
neither file exists, then only root can define jobs.

The jobs of individual users are stored in files in the directory
/var/spool/cron/tabs with names matching the user names. These files are processed
with the command crontab.

The following is an example of a cron job:


0 22 * * 5 /root/bin/backup

In this example, the script /root/bin/backup is started every Friday at 10 P.M. The
format for the line is described in man crontab.


Exercise 5-4 Configure a cron Job for Data Backups

In this exercise, you use cron for data backup by doing the following:
1. Open a terminal window and su to root.
2. Change to the directory /usr/local/bin/ by entering the following:
cd /usr/local/bin
3. Create the file home_backup.sh in the directory and enter the following
commands in the file:
#!/bin/bash
rsync -av /home/geeko /tmp/rsync_test
4. Save the file and close the editor.
5. Make the file executable by entering the following:
chmod 744 home_backup.sh
6. Open the file /etc/crontab in the crontab editor by entering crontab -e.
7. Add the following at the end of the file:
30 15 * * * root /usr/local/bin/home_backup.sh
8. Check after 3:30 pm (or tomorrow) to see if the backup has been completed by
entering the following:
ls /tmp/rsync_test
9. (Optional) Try changing the time of the backup job.

(End of Exercise)


Objective 7 Troubleshoot the Boot Process of a SLES 9 System


Sometimes a Linux system cannot start up correctly. Another task of system recovery
is to access a corrupted system and to fix the problem that prevents the normal boot
process.

To perform basic troubleshooting of the boot process, you need to know the
following:
n System Boot Process Issues
n How to Boot a Corrupted System Directly into a Shell
n How to Boot a Corrupted System With the Installation Media
n How to Start and Use the SLES 9 Rescue System

System Boot Process Issues

The boot process of a modern Linux system can be very complex, and it is possible to
encounter problems during the boot process.

The following are some of the most common problems:


n The system cannot boot due to a misconfigured boot loader.
n The system cannot boot because of file system corruption.
n An init script has malfunctioned and is blocking the boot process.
n The system does not start correctly because of hardware changes.

In all of these cases you must access the file system of the corrupted system to detect
and fix the problem.

In this objective, you learn how to access a system which is not booting any longer.

How to Boot a Corrupted System Directly into a Shell

The boot screen of the GRUB boot loader lets you pass parameters that modify the
Linux kernel before the kernel is actually loaded.

At the bottom of the GRUB boot screen is a Boot Options field. When you select an
operating system in the boot screen, the boot options for that operating system are
displayed in the field.

To add a boot option, select an operating system and type the additional boot option
in the Boot Options field.

One way to access a system that is not booting anymore is to set a different program
for the init process. Normally, the Linux kernel tries to find a program with the name
init and starts this program as the first process. All other processes are then started by
init.


With the boot parameter init=new_init_program, you can change the first program
started by the kernel. For example, by entering the boot parameter
init=/bin/bash, the system is started directly into a bash shell.

You can use this bash shell to access the file system and to fix a misconfiguration.

x The file systems are mounted read-only after booting into a shell. To change configuration files,
you need to remount the file system with the following command:

mount -o remount,rw,sync -t filesystem_type device_name mount_point

How to Boot a Corrupted System With the Installation Media

You can use the SUSE LINUX installation media to boot a system with a
misconfigured boot loader. To boot the system, you need to do the following:
1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the system.
Make sure that the system boots from the drive.
2. Select Installation; then press Enter.
Wait until the installation program starts.
3. When YaST displays the language selection dialog, select Accept.
4. In the next dialog, select Boot installed system; then select OK.
YaST analyzes the hard disk and displays all Linux root partitions.
5. Select the root partition of the system you would like to boot; then select Boot.
The selected system is now booted.

After the system has started, you can log in as root user and fix the boot loader
problem.


How to Start and Use the SLES 9 Rescue System

Another way to access a corrupted system is to use the SLES 9 Rescue System. The
Rescue System is a Linux system that can be booted directly from the installation
media.

When this system is running, you can mount partitions from the corrupted system
and fix problems.

To start the Rescue System, do the following:


1. Insert SLES 9 CD 1 into the CD-ROM drive and reboot the system.
Make sure that the system boots from the drive.
2. From the boot menu, select Rescue System; then press Enter.
3. From the language selection dialog, select your language; then press Enter.
4. At the prompt Rescue login, enter root.
5. Press the Enter key.
6. You are now logged into the Rescue System as root.

To access the file system of the corrupted system, you need to mount the
corresponding partition, as in the following:

mount -t reiserfs /dev/hda6 /mnt

In this example, the partition /dev/hda6 is mounted into the directory /mnt.

Now you can access the file system, fix any errors, or copy data to another media.


Objective 8 Configure and Install the GRUB Boot Loader


To boot the system, you need a program, called the boot loader, which loads the
operating system kernel and starts the system.

In SLES 9 (by default) this task is handled by the boot manager GRUB (GRand
Unified Boot Loader).

To configure the GRUB boot loader, you need to know the following:
n The Basic Functionality of a Boot Loader
n The Basics of GRUB
n How to Configure the GRUB Boot Loader

The Basic Functionality of a Boot Loader

The following are the 2 basic tasks of a boot loader:


n Boot various operating systems
n Pass boot parameters to the Linux kernel

The boot loader performs these tasks in the following 2 stages:


n Stage 1. The program code for the first stage of a boot loader is usually installed
in the master boot record (MBR) of the hard disk.
Because the space in the MBR is limited to 446 bytes, this program code merely
contains the information for loading the next stage. Stage 1 can be installed in
the boot sector of a partition or on a floppy disk.
n Stage 2. This stage usually contains the actual boot loader. The files of the boot
loader are located in the directory /boot.

The Basics of GRUB

GRUB is the standard boot loader of SLES 9 and includes the following features:
n Stage 2 File System Drivers. Stage 2 of GRUB includes file system drivers for
ReiserFS, ext2, ext3, Minix, JFS, XFS, FAT, and FFS (BSD).
This means that GRUB can be used to access files by means of filenames even
before the operating system is loaded. This feature is used to search for kernel
and initrd images.
n GRUB Shell. GRUB has its own shell that enables interactive control of the boot
manager.


How to Configure the GRUB Boot Loader

You configure GRUB by editing the file /boot/grub/menu.lst. The following is the
general structure of the file:
n First, the general options such as the background color of the boot manager
menu are listed:

color white/blue black/light-gray

n This is followed by options for the various operating systems that can be booted
with the boot manager. Each entry for an operating system begins with a
command title, as in the following:

title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
initrd (hd0,0)/boot/initrd

The following is an example of a simple GRUB configuration file:

default 0
timeout 8
title linux
kernel (hd0,0)/boot/vmlinuz root=/dev/hda1
initrd (hd0,0)/boot/initrd

Each line in this example is described below:


n default 0
The first entry (numbering from 0) is the default boot entry that starts
automatically if no other entry is selected with the keyboard.
n timeout 8
The default boot entry is started automatically after 8 seconds.
n title linux
This is the first entry in the boot menu. By default, this entry is started.
n kernel (hd0,0)/boot/vmlinuz
This entry describes the kernel location (in this example, the first partition of the
first hard disk).
Note the following regarding the designations for hard disks and partitions:
q GRUB does not distinguish between IDE and SCSI hard disks. The hard
disk that is recognized by the BIOS as the first hard disk is designated as
hd0, the second hard disk as hd1, and so on.
q The first partition on the first hard disk is called hd0,0, the second partition
hd0,1, and so on.


n root=/dev/hda1
The root= option specifies the root partition of the system. This can be followed
by other kernel parameters.
n initrd (hd0,0)/boot/initrd
This entry sets the location of the initial ramdisk (initrd). The initrd contains
hardware drivers that are needed before the kernel can access the hard disk (such
as a driver for the IDE or SCSI controller).

Another GRUB configuration file is /etc/grub.conf. It contains information on how
and where the components of the GRUB boot manager are supposed to be installed
(for example, whether GRUB should reside in the MBR or in the boot record of a
partition).

This file is read only once when the boot loader is first installed.


Exercise 5-5 Boot to a Shell and Configure the GRUB Boot Loader

Your SLES 9 system is corrupted and no longer booting. To access the file system
and configure the GRUB boot loader with an option to boot to runlevel 3, you do the
following:
n Part I: Boot the Rescue System
n Part II: Edit and Test the GRUB Configuration File

x This exercise demonstrates booting from the Rescue System and editing the GRUB
configuration file for learning purposes, and does not necessarily reflect what you might do in
an emergency situation.

For example, you can boot the Rescue System and enter a 3 in the boot options field to boot into
runlevel 3 without editing the GRUB configuration file.

Part I: Boot the Rescue System

Do the following:
1. Open a terminal window and su to root.
2. Enter mount; then look for a file system which is mounted on root (/) and note the
corresponding device name.
3. Insert SLES 9 CD 1 in the CD-ROM drive; then reboot the system.

x Make sure that your system boots from the CD-ROM drive. If not, you might need to adjust
the BIOS settings.

4. At the boot screen, highlight Rescue System; then press Enter.
5. From the language selection dialog, highlight your language; then press Enter.
6. When the rescue system starts, log in by entering root.

Part II: Edit and Test the GRUB Configuration File

Do the following:
1. After logging in to the rescue system, mount the root partition of the system by
entering the following:
mount root_device_name /mnt
2. Open the GRUB configuration file of the installed system with vi by entering the
following:
vi /mnt/boot/grub/menu.lst
3. Duplicate all 3 lines which belong to the first entry (title Linux) in the
configuration file.


4. When you have duplicated the entry, change the title of the copy to the following:
title Linux-Runlevel 3
5. Add a 3 (preceded by a space) at the end of the line with the kernel parameters.
6. Save and close the GRUB configuration file.
7. Unmount the root partition by entering umount /mnt.
8. Remove SLES 9 CD 1 from the drive.
9. Restart the computer by entering reboot.
10. At the boot prompt, highlight the entry Linux-Runlevel 3 and press Enter.

Note: You can also boot to runlevel 3 by entering 3 in the Boot Options field.

11. When the system boots to runlevel 3, log in as root; then access the graphical login
by entering init 5 and log in as geeko.

(End of Exercise)
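The following is an added example, not part of the course material: it produces the Linux-Runlevel 3 entry of steps 3 to 5 from the existing "title Linux" entry of a menu.lst instead of duplicating the lines by hand in vi. The menu.lst path, the sample file content and the function names are assumptions.

```bash
#!/bin/bash
# Added example (not from the course): generate the "Linux-Runlevel 3" entry of
# Exercise 5-5 from the existing "title Linux" entry of menu.lst. The sample
# content below and the default menu.lst path are assumptions.

# Constructed sample menu.lst, modelled on the entries the text describes.
SAMPLE_MENU_LST='default 0
timeout 8

title Linux
    kernel (hd0,0)/boot/vmlinuz root=/dev/hda2 splash=silent
    initrd (hd0,0)/boot/initrd

title Failsafe
    kernel (hd0,0)/boot/vmlinuz root=/dev/hda2 ide=nodma
    initrd (hd0,0)/boot/initrd'

# Read a menu.lst on stdin and print a copy of the entry titled $1, renamed to
# $2, with the runlevel $3 appended to its kernel line (step 5 of the exercise).
make_runlevel_entry() {
    awk -v want="$1" -v newtitle="$2" -v rl="$3" '
        /^title[ \t]/ {
            if (copying) exit                    # next entry reached: done
            t = $0; sub(/^title[ \t]+/, "", t)   # title text after the keyword
            copying = (t == want)
            if (copying) { print "title " newtitle; next }
        }
        copying && /^[ \t]*kernel[ \t]/ { print $0 " " rl; next }
        copying && NF > 0               { print }
    '
}

# Append the generated entry to a menu.lst file; the default path is the root
# partition of the installed system mounted under /mnt, as in the exercise.
add_runlevel3_entry() {
    menu="${1:-/mnt/boot/grub/menu.lst}"
    if grep -q '^title Linux-Runlevel 3$' "$menu"; then
        echo "entry already present in $menu" >&2
        return 0
    fi
    entry=$(make_runlevel_entry Linux "Linux-Runlevel 3" 3 < "$menu")
    if [ -z "$entry" ]; then
        echo "no 'title Linux' entry found in $menu" >&2
        return 1
    fi
    printf '\n%s\n' "$entry" >> "$menu"
}
```

Running add_runlevel3_entry twice is safe: the second call detects the existing entry and leaves the file unchanged.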


Summary

1. Develop a Backup Strategy
To develop a backup strategy, you need to complete the following steps:
• Choose a backup method
• Choose a backup media
There are 3 basic backup strategies:
• Full backup. All data is backed up every day.
• Incremental backup. Only the data that has been changed since the last
incremental or full backup is saved every day.
• Differential backup. Only the data that has been changed since the last full
backup is saved every day.
Which method you use depends on the backup window. The backup window is the
time period in which a system is not used and is available for a backup.

2. Create Backup Files With tar
tar is a commonly used tool for performing data backups under Linux.
tar can write data directly to a backup media or to an archive file.
Archive files normally end in .tar, or, if they are compressed, in .tar.gz or .tgz.
The following is the basic syntax to create a tar archive:
tar -cvf home.tar /home
To unpack a tar archive, use the following command:
tar -xvf /home.tar
If you want to use tar with gzip for compression, you need to add the option z to
the tar command.
Archives can also be written directly to tape drives. In this case, the device name
of the tape drive must be used instead of a filename.
tar can also be used for incremental or differential backups.
3. Work With Magnetic Tapes
mt is the Linux standard tool to work with magnetic tapes.
Use the following command to query the status of the drive:
mt -f /dev/st0 status
The following command moves the tape to the beginning of the next file:
mt -f /dev/nst0 fsf 1
To rewind the tape by a certain number of files, use the bsf command.
To rewind the tape to the beginning, use the following:
mt -f /dev/nst0 rewind
The following command ejects the tape from the drive:
mt -f /dev/nst0 offline

4. Copy Data With the dd Command
With the command dd, files can be converted and copied byte-wise.
To copy a file, use the following command:
dd if=/etc/protocols of=protocols.org
To copy an entire partition into a file, use the following command:
dd if=/dev/sda1 of=boot.partition

5. Mirror Directories With the rsync Command
The command rsync is used to synchronize the content of directories, locally or
remotely over the network.
rsync uses special algorithms to ensure that only those files are transferred that
are new or have been changed since the last synchronization.
The basic command to synchronize the content of two local directories is the
following:
rsync -a /home /shadow
To perform a remote synchronization, use a command like the following:
rsync -ave ssh root@DA1:/home/tux /backup/home/

6. Automate Data Backups With the cron Service
Because backups are recurring tasks, they can be automated with the cron daemon.
System jobs are controlled using the file /etc/crontab and the files in the
directory /etc/cron.d.
The jobs are defined by the scripts in the directories /etc/cron.hourly,
/etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly.
The following is an example of a job entry:
0 22 * * 5 /bin/backup

7. Troubleshoot the Boot Process of a SLES 9 System
A SLES 9 installation can be prevented from booting normally if
• The system cannot boot due to a misconfigured boot loader.
• The system cannot boot because of a file system corruption.
• An init script malfunctioned and is blocking the boot process.
• The system does not start correctly because of hardware changes.
When a system is not booting any more, you can do the following to access the
file system of the corrupted system:
• Boot a corrupted system directly into a shell.
• Boot a corrupted system with the installation media.
• Start and use the SLES 9 Rescue System.

8. Configure and Install the GRUB Boot Loader
The most important configuration file for GRUB is /boot/grub/menu.lst.
The file contains a general section at the beginning and a section for every
operating system.
A section for a Linux operating system contains at least the following options:
• title
This is the title of the system that is displayed in the boot menu.
• kernel
This option specifies the location of the Linux kernel.
• root
This option sets the root partition of the system.
• initrd
This option points to the initrd file of the system.


SECTION 6 Create Shell Scripts

In this section, you learn about the basic scripting elements and structures of the shell
programming language.

Objectives
1. Use Basic Script Elements
2. Use Variable Substitution Operators
3. Use Control Structures
4. Use Advanced Scripting Techniques
5. Use Shell Functions
6. Learn About Useful Commands in Shell Scripts

Introduction
The Linux shell can control the system with commands and perform file operations
or start applications. You can also create a file that includes several shell commands
and start this file like an application.

This type of file is called a shell script. The following are several reasons why you
need to understand and create shell scripts:
• You can automate many daily tasks with shell scripts. In many cases this
increases speed and convenience in everyday work.
• The boot procedure and many other system functions are controlled by shell
scripts. To understand and manipulate the system behavior, you need a basic
understanding of shell programming.
• Shell programming is relatively easy to learn compared to other programming
languages.
• A shell script runs on almost every UNIX-like operating system and does not
need to be adapted to other platforms.

There are also some disadvantages to using shell scripts:
• Shell scripts are rather slow compared with other scripting languages.
• Shell scripts can use a lot of CPU power.

However, in most cases these disadvantages are not significant.

As you might have noticed, a Linux system offers different shell types. Shell scripts
that are developed for one shell can sometimes be executed with a different shell, but
this cannot be guaranteed.


For this reason, this section focuses on the Bash shell, which is the default shell in
SLES 9.

As with all programming languages, shell scripting is learned best by actually writing
code.

The exercises in this section include a description of a script that needs to be written.
At the end of the section are the solutions to the exercises. We recommend
attempting to create the script, and then comparing your script to the solution to
understand the scripting concepts covered.

You can find all these scripts on the 3038 Course CD in the directory
/exercises/section_6. By using these scripts as a template, you can customize them to
meet the needs of your production environment.

Although shell programming can be difficult at first, it becomes easier as you use the
shell scripting language to automate tasks on your own system.


Objective 1 Use Basic Script Elements

The shell programming language is a powerful and complete programming language.
Before you can start to create scripts, you need to become familiar with basic
scripting techniques and elements.

In this objective, you learn the following about the basics of the shell programming
language and simple shell scripts:
• Flow Charts for Scripts
• The Basic Rules of Shell Scripting
• How to Develop Scripts That Read User Input
• How to Perform Basic Script Operations with Variables
• How to Use Command Substitution
• How to Use Arithmetic Operations

Flow Charts for Scripts

Programming elements of a script are often visualized by using program flow charts.
Illustrating a program through a flow chart provides the following benefits:
• They force the author to lay down the steps the script should perform to achieve
the desired goal, making it clearer which constructs need to be used.
• They provide a clear symbolic outline of the algorithm, which can be used as a
guide during the programming process.

The following are typical symbols used to create flow charts:

Figure 6-1


The Basic Rules of Shell Scripting

Before writing your first shell script, you should consider a few points about scripting
in general.

A shell script is basically an ASCII text file containing commands to be executed in
sequence. To allow this, it is important that permissions for the script file are set to
“r” (readable) and “x” (executable) for the user that runs it.

However, the execute permission is not granted by default to newly created files. To
assign this permission, you need to use a command such as the following:

chmod +x script.sh

You can also run the script from another shell with a command such as the following:

sh script.sh

In this example, it is not necessary to make the script executable. On SLES 9, /bin/sh
is a link to /bin/bash. It doesn't really matter whether you call the script with sh
script.sh or bash script.sh.

Another important point is that the directory where the script is located must actually
be in the user's search path for executables.

A good way to deal with this is to create a bin directory for scripts under each user's
home directory (~/bin). Then you can add this directory to the user's search path by
adding a line such as the following to your ~/.bashrc:
export PATH=$PATH:~/bin

Otherwise, shell scripts must be started with the full pathname.

When naming script files, it is a good idea to add an .sh extension to the filename.
This ensures that the file can easily be recognized as a shell script.

If you do not add the suffix, you need to make sure the filename is not identical to
existing commands. For example, a common mistake is to name a script test.

The basic structure of a shell script can be illustrated with a simple program that does
nothing more than print the message “Hello world.”

The following is the flow chart for the script:

Figure 6-2


The script consists of three elements:
• The program start
• The action to print out “Hello world”
• The program stop

The following illustrates the 3 elements with the corresponding script code on the
right:

Figure 6-3

Before looking closer at each of the 3 elements, you need to understand that the
general rules for creating shell scripts, as explained in this section, can be applied to
any conceivable script.

The following describes the 3 elements of the script:
• Start. The first line of any shell script must be the shebang (such as
#!/bin/bash). This line specifies the shell program to be called to execute the
script. As with any other program, a subshell is started to run the script.
The script's start section should also include a comment describing what the
script does. A comment is introduced with a # character in shell scripts.
It is also a good idea to include the name of the author, the date, and the version
number of the script. Also, any variables and functions used in the script should
be defined at the top of the script.
• Commands. The sample script above includes the echo command as the only
one executed (to print the “Hello world” greeting). Shell scripts in general rely
on the echo command as the most common solution to display information on
the screen.
• Stop. Before the script ends, it might be necessary to do some cleanup. For
example, you might want to remove any temporary files created by the script.
As the very last step, you should define the script's exit status with an exit value.
This informs the parent process how the script was terminated. The exit status as
returned by the script can be queried afterward with echo $?.

Every script that you write should use this basic structure.


Exercise 6-1 Produce Output from a Script

Do the following:
1. Write a script that outputs “Hello world.” Use the following command in the
script:
echo -e “\aHello\nworld”
2. Find out the purpose of the \a, the \n and the -e options (try accessing the man
pages).
3. Compare your solution with the script at the end of the section.

Note: This script is also available as hello.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

How to Develop Scripts That Read User Input

One way to create scripts that read user input is to use the command read. The read
command takes a variable as an argument and stores the read input in the variable.
The variable can then be used to process the user input.

The following example reads user input into the variable with the name VARIABLE:

read VARIABLE

The script pauses at this point, waiting for user input until the Enter key is pressed.
To tell the user to enter something, you need to print (echo) a line with some
information, such as the following:

echo "Please enter a value for the variable:"
read VARIABLE


The following flow chart illustrates the structure of a script that reads user input:

Figure 6-4

First, the script produces some output with echo to ask the user to enter something.
Then the read command waits until the input is provided and stores it in the variable
VARIABLE. At the end, the content of the variable is printed out with echo.


Exercise 6-2 Read User Input

Do the following:
1. Create a simple shell script that prompts the user to enter her first and last name,
and then greets the user with her full name.
2. Compare your solution with the script at the end of the section.

Note: This script is also available as name1.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

How to Perform Basic Script Operations with Variables

In this part of the section, you learn how to use variables in shell scripts.

The following flowchart and script show how a string value can be assigned to a
variable:

Figure 6-5

You want to read the user’s first and last name and then print both names to the
screen. However, this time you create a variable called NAME, which holds both the
first and the last name.


The following is an interesting line in the script:

NAME="$FIRSTNAME $LASTNAME"

This line shows how you can combine two variables, in this case, FIRSTNAME and
LASTNAME, and assign the combined value to another variable, in this case,
NAME.

In this example, you can also see another rule of the variable handling in shell scripts.
If you assign a value to a variable, you use just the name of the variable, in this case,
NAME=.

If you want to use the value of a variable, put a $ before the name, in this case,
$FIRSTNAME.

It is often useful to assign a default value to a variable. This might prevent errors, if
the user has entered a value that cannot be interpreted in a meaningful way.

If the variable FIRSTNAME is empty, the default value FLORIAN is used instead, as
in the following:

NAME=${FIRSTNAME:=FLORIAN}


Exercise 6-3 Simple Operations with Variables

Do the following:
1. Modify your script from Exercise 6-2 so that it reads the user's first and last name,
combines both in one variable, and outputs the variable.
2. Compare your solution with the script at the end of the section.

Note: This script is also available as name2.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


How to Use Command Substitution

The term command substitution basically means that the output of a command is
used in a shell command line or a shell script.

In the following example, the output of the command date is used to generate the
output of the current date:

#!/bin/bash

echo "Today is `date +%m/%d/%Y`"

An important thing to remember is that the command date +%m/%d/%Y is included
in backticks (` ... `).

Instead of printing the output of a command to the screen with echo, it can also be
assigned to a variable, as in the following:

#!/bin/bash

TODAY=`date +%m/%d/%Y`
echo "Today is $TODAY"

In this case, the output of date is assigned to the variable TODAY, and then TODAY
is printed to the screen with echo. Make sure that there are no spaces before or after
the equal sign.


Exercise 6-4 Use Command Substitution

Do the following:
1. Create a shell script that outputs the current login name and the current working
directory.
The output of the commands whoami and pwd should be read into variables
with the variables printed to the screen.
2. Compare your solution with the script at the end of the section.

Note: This script is also available as info.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


How to Use Arithmetic Operations

Shell scripts often use values assigned to variables for calculation. There are several
ways to implement this.

The Bourne shell is limited in this regard, but it can perform such operations by
relying on external commands (such as expr).

The Bash shell comes with built-in support for arithmetic operations, but there are
some limitations to this as well. Specifically, the arithmetic capabilities of Bash are
limited in the following ways:
• Only operations with whole numbers (integers) can be performed.
• All values are signed 64-bit values. Thus, possible values range from -2^63 to
+2^63 - 1.

So even when using Bash, you might need to use external commands, such as bc for
floating-point calculations.

The following paragraphs list all the possible methods and formats for arithmetic
operations. All of them use this sample operation:

A=B+10

• Use the external command expr (Bourne shell compatible)

A=`expr $B + 10`

Since an external command is used, this method will also work with the Bourne
shell. Scripts using external commands will always perform slower than those
relying on built-in commands.
• Use the Bash built-in command let

let A="$B + 10"

In Bash, you can use the let command to perform an arithmetic expression.
• Use arithmetic expressions inside parentheses or brackets (two different
formats)

A=$((B + 10))

or

A=$[B + 10]

Arithmetic expressions can be enclosed in double parentheses or in brackets for
expansion by Bash. Both $((...)) and $[...] are possible, but the latter is
considered deprecated and should be avoided.


• Use the built-in command declare

declare -i A
declare -i B
A=B+10

This declares a variable as an integer.
If all the variables involved in a calculation have previously been declared as
integers through declare -i, arithmetic evaluation of these variables happens
automatically when a value is assigned to them.
This means that the variable B, for example, does not have to be prefixed with
the $ to be evaluated.

With the expr command, only the following five operators are available: + , - , * , / ,
and %. Additional operators (which are identical to those of the C programming
language) can be used with all of the above Bash formats.

Note: For a complete list, consult the man page for bash.

It makes sense to limit yourself to using one of the described possibilities. As far as
Bash is concerned, a good choice might be to only use the declare command, since it
makes the best use of the available features.
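The following is an added example, not from the course material: it puts the four arithmetic forms described above side by side, shows the two limits the text names (integers only, signed 64-bit wrap-around, bc for floating point), and adds the input check that Exercise 6-5 asks you to think about. All function names are our own.

```bash
#!/bin/bash
# Added example (not from the course): the four arithmetic forms from the text,
# the limits the text names, and an input check for Exercise 6-5.

# B + 10 in each form; all four must agree.
add10_expr()    { expr "$1" + 10; }                          # external command, Bourne compatible
add10_let()     { let A="$1 + 10"; echo "$A"; }              # Bash built-in let
add10_dparen()  { echo $(( $1 + 10 )); }                      # $(( )) expansion
add10_declare() { declare -i A B; B=$1; A=B+10; echo "$A"; }  # integer variables, no $ needed

# Signed 64-bit wrap-around: 2^63-1 is the largest value Bash can hold, and
# adding 1 does not fail, it silently wraps to -2^63.
max_plus_one() { echo $(( 9223372036854775807 + 1 )); }

# Integer division truncates ...
int_div() { echo $(( $1 / $2 )); }
# ... so floating-point work is handed to an external tool such as bc.
float_div() { echo "scale=2; $1 / $2" | bc; }

# Exercise 6-5, step 4: the Bash built-in forms treat a word as a variable name
# (an unset one evaluates to 0) and an empty answer as 0, so they silently
# compute with wrong values; expr refuses non-integers with an error. Either
# way, check the input first. Only non-negative decimal integers are accepted.
is_integer() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Sum of two checked inputs; returns 1 (and prints nothing) on bad input.
checked_sum() {
    is_integer "$1" && is_integer "$2" || return 1
    echo $(( $1 + $2 ))
}
```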


Exercise 6-5 Use Arithmetic Operations

Do the following:
1. Review the following flowchart:

Figure 6-6

2. Write a shell script that reflects the above flowchart.
3. Modify the script to use the other fundamental arithmetic operations (subtraction,
multiplication, division).
4. Find out what happens if
– The user enters a word for each number.
– The user enters nothing (presses Enter) at each prompt.
5. Compare your solution with the script at the end of the section.

Note: This script is also available as sum.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Objective 2 Use Variable Substitution Operators

In Bash, you can use special variable substitution operators to assign different values
to variables without having to rely on external commands.

For example, these special substitution operators allow changing variables by
deleting certain patterns in their values and returning the rest.

They also allow you to set a default for a variable for situations where no value can
be assigned to it.

The following variable substitutions are possible:

Table 6-1

Substitution Operator   Description
${variable-value}       Returns value if the variable does not exist.
${variable=value}       Assigns value to the variable and returns value if the
                        variable does not exist.
${variable+value}       Returns value if the variable exists.
${#variable}            Returns the number of characters in the value of
                        variable.
${variable#pattern}     Deletes the shortest part matched by pattern from the
                        beginning of the variable's value and returns the rest.
${variable##pattern}    Deletes the longest part matched by pattern from the
                        beginning of the variable's value and returns the rest.
${variable%pattern}     Deletes the shortest part matched by pattern from the
                        end of the variable's value and returns the rest.
${variable%%pattern}    Deletes the longest part matched by pattern from the
                        end of the variable's value and returns the rest.

The substitution operators returning or setting a default value (-, =, and +) can also
be prefixed with a colon so that substitution happens if the variable does not exist or
if it exists but has a null value (is empty).


The following are some examples of how to use the substitution operators:

tux@DA1:~> echo $VAR

tux@DA1:~> echo ${VAR-value}
value
tux@DA1:~> echo $VAR

tux@DA1:~> echo ${VAR=value}
value
tux@DA1:~> echo $VAR
value
tux@DA1:~> VAR=
tux@DA1:~> echo ${VAR=value}

tux@DA1:~> echo ${VAR:=value}
value
tux@DA1:~> echo $VAR
value
tux@DA1:~> echo ${VAR+VaLue}
VaLue
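The following is an added example, not from the course material: it applies the pattern operators of Table 6-1 to a file path, uses ${#variable} as a length check, and applies the ":-" default of the colon form to a user's answer the way Exercise 6-6 requires. All function names are our own.

```bash
#!/bin/bash
# Added example (not from the course): the operators of Table 6-1 applied to a
# path, and the ":-" default from Exercise 6-6 applied to a user's answer.

# A path is taken apart with the prefix (#, ##) and suffix (%, %%) operators.
path_dir()  { case "$1" in */*) echo "${1%/*}" ;; *) echo . ;; esac; }  # shortest "/..." suffix removed
path_file() { echo "${1##*/}"; }                                         # longest ".../" prefix removed
file_stem() { f=${1##*/}; echo "${f%.*}"; }                              # shortest ".ext" suffix removed
file_ext()  { f=${1##*/}; case "$f" in *.*) echo "${f##*.}" ;; *) echo "" ;; esac; }  # longest "name." prefix removed

# ${#variable}: length of a value, used here as a sanity limit on a name
# (the default limit of 255 is an assumption).
name_fits() { [ "${#1}" -le "${2:-255}" ]; }

# ":-" gives the default when the variable is unset OR empty, which is what read
# leaves behind when the user just presses Enter; "-" alone would return "".
default_pattern() { echo "${1:-*.bak}"; }

# Exercise 6-6 as a function: search a directory for a name, "*.bak" by default.
find_by_name() { find "${2:-.}" -name "${1:-*.bak}" -type f; }
```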


Exercise 6-6 Use Variable Substitution

Do the following:
1. Write a script that asks the user for a filename, and then performs a search for that
filename using the command find.
Use a variable substitution to assign a default value for the filename (such as
*.bak) in case the user enters nothing.
2. Compare your solution with the script at the end of the section.

Note: This script is also available as find.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Objective 3 Use Control Structures

Using the scripting techniques you have learned so far, you can only develop scripts
that run sequentially from the beginning to the end.

In this objective, you learn how to use control structures to make the execution of
parts of your script dependent on certain conditions or to repeat script parts.

To use control structures, you need to know how to do the following:
• Create Basic Branches With the if Command
• Build Multiple Branches With a case Statement
• Create Loops Using the while and until Commands
• Process Lists with the for Loop
• Interrupt Loop Processing

Create Basic Branches With the if Command

You can use the if command to perform certain actions in your script that depend on
a condition.

The following is the basic usage of the if command:

if condition
then
commands
fi

The if statement can be extended with an optional else statement, as in the following:

if condition
then
command1
else
command2
fi


In a program flow chart, a branch created with an if statement can be represented like
the following:

Figure 6-7

A branch of this type must begin with if and end with fi. Command1 is only executed
if the condition is true.

If the return code of a command is used as condition, the exit code zero (success)
represents true. If the exit status is not zero or the condition is not true, the shell goes
to the end of the branch or, if an else statement is present, to the else statement.

When you use these control structures in a shell script, individual commands (such as
if, then, and fi) must follow immediately after a command separator.

In the above case, the separator is a new line. The separator could also be a
semicolon, which would allow you to enter the same if statement as one command,
as in the following:

if condition; then commands; fi


The following example uses a sample script to explain how an if branch works:

Figure 6-8

This script asks the user to enter his date of birth; if that happens to be today, the
script congratulates him on his birthday. It does nothing if his birthday is another day.

There are a number of items to consider when writing this script. From the flow
chart, it should be obvious that the script consists of 2 basic steps:
• Prompt the user to enter the date of birth.
• Compare the date as entered by the user with the current date. If the dates are the
same, the user sees “congratulations.” If they are not equal, nothing appears.

The branch is the actual mechanism that compares the current date and the date of
birth.

Before the comparison can be performed, both dates must be available in the same
format. The user should be asked to specify the date of birth in a suitable format.

You need to know the format in which the system obtains the current date. The
obvious choice to get a date string is with the command date.

The command date +%m-%d returns the current date in the form month-day, as in
the following:

date +%m-%d
06-21

This format should also be used for the birth date the user is requested to enter:

echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
read BIRTHDAY


The second part of the listing consists of several items. To check if the user's
birthday is today, 2 dates must be compared: the birthday and the current date.

The user's birthday is stored in the variable BIRTHDAY. The current date must also
be stored in a variable for the comparison. This can be done using command
substitution, as in the following:

TODAY=`date +%m-%d`

A closer examination of the comparison reveals that the values in the variables
cannot be compared with each other (BIRTHDAY: 1973-12-21, TODAY: 09-24).
Therefore, the dates must be compared without the year.

To do this, the variable substitutions of the Bash shell can be used to truncate the year
from the date. The first part of the script should look like the following:

#!/bin/bash
echo "Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): "
read BIRTHDAY
BIRTHDAY=${BIRTHDAY#*-}
TODAY=`date +%m-%d`

Now you can compare the two values with the help of an if branch. Most variables
are compared using the test command. The test command is followed by a string
condition such as
test $VARIABLE1 = $VARIABLE2.

If the condition is met (if the value of VARIABLE1 is identical to the value of
VARIABLE2), test returns a zero to indicate success.

So the second part of the shell script could look like the following:

if test "$BIRTHDAY" = "$TODAY"
then
  echo "Tada! Happy birthday to you! Nice presents awaiting you ..."
else
  echo "Sorry to disappoint you, no presents today ..."
fi

Finally, you want the script to use the exit command to finish with a certain exit
status, which depends on whether today is the user's birthday. This is implemented
by defining yet another variable, as in the following:

if test "$BIRTHDAY" = "$TODAY"
then
  echo "Tada! Happy birthday to you! Nice presents awaiting you ..."
  STATUS=0
else
  echo "Sorry to disappoint you, no presents today ..."
  STATUS=1
fi
exit $STATUS
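The same birthday check, written as shell functions so that the comparison can be run and tested without an interactive prompt. This is an added example, not the course's own script; the function names strip_year, valid_date and is_birthday and the --prompt switch are inventions of this example. It goes one step beyond the manual's listing by validating the user's input against a YYYY-MM-DD pattern before the value is used, and by reserving exit status 2 for malformed input:

```shell
#!/bin/bash
# Added example (not from the course manual): the birthday check as
# functions, so the date comparison can be tested without prompting.

# strip_year: drop everything up to and including the first "-", so
# "1978-06-21" becomes "06-21" (the manual's ${VAR#*-} substitution)
strip_year() {
    printf '%s\n' "${1#*-}"
}

# valid_date: accept only YYYY-MM-DD built from digits. Anything else is
# rejected before it reaches the comparison; a case pattern is enough here.
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# is_birthday BIRTHDAY [TODAY]
#   exit status 0 = birthday is today, 1 = not today, 2 = malformed input.
#   TODAY defaults to the live date in MM-DD form, exactly what the manual's
#   TODAY=`date +%m-%d` yields; passing it explicitly makes the function testable.
is_birthday() {
    birthday=$1
    today=${2:-$(date +%m-%d)}
    valid_date "$birthday" || return 2
    if test "$(strip_year "$birthday")" = "$today"
    then
        return 0
    else
        return 1
    fi
}

# Interactive use, as in the manual: prompt, report, and exit with the status.
# (--prompt is this example's own switch.)
if [ "${1:-}" = "--prompt" ]
then
    printf 'Please enter your date of birth (YYYY-MM-DD, for instance 1978-06-21): '
    read -r BIRTHDAY
    is_birthday "$BIRTHDAY"
    STATUS=$?
    case $STATUS in
        0) echo "Tada! Happy birthday to you! Nice presents awaiting you ..." ;;
        1) echo "Sorry to disappoint you, no presents today ..." ;;
        *) echo "That is not a date in the form YYYY-MM-DD." ;;
    esac
    exit $STATUS
fi
```

Run it as ./birthday.sh --prompt for the interactive behaviour; sourced into another script, is_birthday can be called with both dates supplied.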


Several if branches are often nested in each other. The command elif, which
represents a more compact way of writing the command sequence else if, is useful
for the following kind of structures (note that elif needs its own then, just as if does):

if condition1
then
  command1
elif condition2
then
  command2
else
  command3
fi

The elif command is illustrated in the following:

Figure 6-9

There are several ways to use the Bash shell to successively execute several
commands. This includes using the separators && and ||, which make it possible to
execute a second command depending on the success or failure of the first, as in the
following:

command1 && command2
command1 || command2

• The && separator executes command2 only if command1 exits with success (exit status 0).
• The || separator executes command2 only if command1 exits with a failure (nonzero exit status).

These separators can also be understood as short forms of an if branch.


This means that the following structure:

if test -e file
then
. file
fi

can be condensed into the following command line:

test -e file && . file

Whenever the comparison is a simple one as in the example above, you can replace
the relatively complex if...then...fi structure with a command line that uses && or ||
to chain the commands.


Exercise 6-7 Use the if Command

Do the following:
1. Write a shell script that checks for the existence of a given file, and if the file is
executable.
A message should be displayed for each of the following scenarios:
◦ The file does not exist.
◦ The file exists.
◦ The file exists and is executable.
You can use the command test -x to check whether a file is executable.
2. Compare your solution with the script at the end of the section.

Note: This script is also available as file_check.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)
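One possible solution to this exercise, added here as an example (it is not the course's file_check.sh). The function name file_check and the exit statuses 2/1/0 are this example's own choices. It uses an if/elif/else branch and returns a distinct exit status for each of the three scenarios, and it checks -f alongside -x because test -x alone also succeeds for a directory that is merely searchable:

```shell
#!/bin/bash
# Added example (not the course's file_check.sh): classify a path with the
# test command and an if/elif/else branch, one exit status per case.

# file_check PATH
#   Prints one message and returns:
#     2  the path does not exist
#     1  it exists but is not an executable regular file
#     0  it exists and is executable
file_check() {
    f=$1
    if test ! -e "$f"
    then
        echo "The file $f does not exist."
        return 2
    # -x is also true for a searchable directory, so require a regular file too
    elif test -f "$f" && test -x "$f"
    then
        echo "The file $f exists and is executable."
        return 0
    else
        echo "The file $f exists."
        return 1
    fi
}

# usage: ./file_check.sh PATH  (nothing runs when no argument is given, so the
# function can also be sourced from another script)
[ $# -eq 0 ] || file_check "$1"
```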


Build Multiple Branches With a case Statement

You can create multiple branches with case. In a case statement, the expression
contained in a variable is compared with a number of expressions, and a command is
executed for each expression matched.

A case statement has the following structure:

case $variable in
expression1) command1;;
expression2) command2;;
esac

In a flow chart, multiple branching with case looks similar to a simple branch created
with if:

Figure 6-10


The following is an example of how a multiple branch works:

#!/bin/bash
cat << EOF
Name me an animal and I will tell you how many legs it has!
EOF

read CREATURE
case "$CREATURE" in
  dog | cat | mouse ) echo "A $CREATURE has 4 legs."
  ;;
  bird | human | monkey ) echo "A $CREATURE has 2 legs."
  ;;
  spider ) echo "A $CREATURE has 8 legs."
  ;;
  fly ) echo "A $CREATURE has 6 legs."
  ;;
  * ) echo "I haven't the faintest idea how many legs a(n) $CREATURE has."
  ;;
esac
exit 0

This script prompts the user to enter the name of an animal. The name is then stored
in a variable and compared with a number of possible matches. For the matches
found, the script tells the user how many legs the animal has.

To allow for several expressions to be matched within one and the same branch,
several expressions can be listed on one line with a | symbol as a separator.

The user input is read and assigned to the CREATURE variable.

The case statement then compares this value against each of the expressions provided
as alternatives. For instance, if the user enters cat, the script prints the matching
sentence that says that this animal has four legs.

The asterisk (*) is often used as the last expression to be evaluated to cover all cases
not matched by the other alternatives. The corresponding message states that the
number of legs is not known.

It is important that the expressions provide for an exact match of any allowable
expression. For instance, if someone entered Dog instead of dog, the script will not
know the number of legs for this strange kind of animal.


For this reason, it is useful to supply the possible alternatives beforehand, as in the
following:

...

case "$CREATURE" in
[dD]og | [cC]at | [mM]ouse )

...

You can provide such alternatives in brackets, in the same way as the shell's filename
expansion mechanism.


Exercise 6-8 Use the case Command

Do the following:
1. Create an example (not a complete script) to show how a script can use a case
statement to process a user's answer to a Yes/No question. Include the responses
“yeah” and “nope.”
2. Compare your solution with the example at the end of the section.

Note: This example is also available as yes_no.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)

Create Loops Using the while and until Commands

The purpose of a loop is to test a certain condition and to execute a given command
while the condition is true (while loop) or until the condition becomes true (until
loop).

The following is the structure of a while loop:

while condition
do
commands
done

The following is a structure of until loop:

until condition
do
commands
done


The following illustrates the loop constructs:

Figure 6-11

These loops actually rely on the exit status of a terminating condition: a while loop
remains operative as long as the condition's exit status is zero (path B in the flow
chart), but an until loop is terminated if the status is zero (path A in the flow chart).

A while loop is terminated when the exit status becomes nonzero (when the condition
is not true), but an until loop is operative as long as the status is nonzero.


Exercise 6-9 Use the while and until Commands

Do the following:
1. Create a script that performs a simple while loop 100 times. In every iteration, the
number of the current iteration should be printed to screen.
2. Write a second script which uses until instead of while.
3. Compare your solution with the scripts at the end of the section.

Note: These scripts are also available as counter1.sh and counter2.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)
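The two counters from this exercise, plus a third loop that shows why the exit-status view of while and until matters in practice. This is an added example, not the course's counter1.sh or counter2.sh; the function names count_while, count_until and wait_for are this example's own. wait_for polls with until, but bounds the number of polls so that a condition that never becomes true cannot hang the script:

```shell
#!/bin/bash
# Added example (not the course's counter1.sh/counter2.sh): the same counter
# written with while and with until, and an until loop that polls for a
# condition but gives up after a fixed number of tries.

# count_while N: print 1..N, one per line, looping while the test succeeds
count_while() {
    i=1
    while test "$i" -le "$1"
    do
        echo "$i"
        i=$((i + 1))
    done
}

# count_until N: the same output, looping until the test succeeds
count_until() {
    i=1
    until test "$i" -gt "$1"
    do
        echo "$i"
        i=$((i + 1))
    done
}

# wait_for PATH TRIES: re-test once per second until PATH exists.
# Returns 0 as soon as it does, 1 after TRIES failed checks, so a path
# that never appears cannot keep the script waiting forever.
wait_for() {
    n=0
    until test -e "$1"
    do
        n=$((n + 1))
        if test "$n" -ge "$2"
        then
            echo "giving up on $1 after $n tries" >&2
            return 1
        fi
        sleep 1
    done
    return 0
}

# usage: ./counters.sh 100   (the 100 iterations the exercise asks for)
[ $# -eq 0 ] || count_while "$1"
```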

Process Lists with the for Loop

The purpose of a for loop is to process a list of elements. It has the following syntax:

for variable in element1 element2 element3
do
  commands
done

A for loop executes the given commands once for every element on the list, and the
value of the variable matches one list element with each loop iteration. The list itself
is often created through command substitution.

If the for command is not accompanied by a list of elements, the loop will be
executed with the contents of the variables $1, $2, $3, and so on. These elements
represent the command line parameters that are passed to the script.

As with similar constructs, a command separator must immediately precede the do
and done parts of the for loop. This means that a for loop can be entered in 2 different
ways:

for i in 1 2 3 4 5 6 7 8
do
ping -c1 DA$i
done

In the example above, the command separator is a line break and the loop is started
only after entering the final done.

You could use a semicolon as a separator instead. In this case, the same loop looks
like the following:

for i in 1 2 3 4 5 6 7 8; do ping -c1 DA$i; done


If you want to use a range of numbers in your for loop, you can use the following
C-Style syntax:

LIMIT=10

for ((a=1; a <= LIMIT ; a++))
do
  echo -n "$a "
done

In this example, the variable a counts from 1 to 10. The for expression contains
the following 3 elements:
• a=1. This determines the start value for a.
• a <= LIMIT. This is the condition under which the loop keeps running; the loop
terminates once the a variable exceeds the value determined by the LIMIT
variable (in this example, the value 10).
• a++. This command adds 1 to the a variable for every pass of the for loop.


Exercise 6-10 Use the for Loop

Do the following:
1. Create a shell script that renames all files in the current directory with uppercase
letters transformed to lowercase.
Hints:
◦ Use the command find . -type f -maxdepth 1 to find all files in the current
directory.
◦ You can use the command tr [A-Z] [a-z] to convert uppercase letters to
lowercase.
◦ If you don’t know how to start, have a brief look at the solution at the end of
the section.
◦ Test your script in a directory that does not contain important files.
2. Compare your solution with the script at the end of the section.

Note: This script is also available as lowercase1.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Interrupt Loop Processing

Use the continue command to exit from the current iteration of a loop (while, until,
for, and select) and resume with the next iteration of the loop.

This allows a script to test for an additional condition with each iteration without
stopping completely (as a result of the terminating condition becoming true, for
instance).

The following is an example of using the continue command:

for FILE in `ls *.mp3`
do
  if test -e /MP3/$FILE
  then
    echo "The file $FILE exists."
    continue
  fi
  cp $FILE /MP3
done

This script writes a backup copy of all files ending with .mp3 to the directory /MP3/
unless there is already a file with the same name in that directory. If there is, the
script prints a message stating that the file already exists and exits from the current
loop iteration.

The break command is another way to introduce a new condition within a loop.
Unlike continue, it causes the loop (not the current loop iteration) to be terminated
completely if the condition is met.


Exercise 6-11 Interrupt Loop Processing

Do the following:
1. Modify the script from Exercise 6-10 so that existing files in the current directory
are not overwritten.
Use continue to interrupt the iteration over the files in the directory if a file with
the target name already exists.
2. Compare your solution with the script at the end of the section.

Note: This script is also available as lowercase2.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)
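A solution covering both Exercise 6-10 (rename to lowercase with a for loop) and Exercise 6-11 (skip existing targets with continue), added here as an example; it is not the course's lowercase1.sh or lowercase2.sh, and the function name lowercase_names and the SKIPPED variable are this example's own. It departs from the exercise hints in two places a practitioner would want: a glob instead of word-splitting the output of find, so names containing spaces survive, and quoted tr character classes, so the shell cannot expand [A-Z] against file names in the directory:

```shell
#!/bin/bash
# Added example (not the course's lowercase1.sh/lowercase2.sh): rename every
# regular file in a directory to its lowercase name, using continue to skip
# files that need no change and files whose target name is already taken.

# lowercase_names DIR
#   Renames in place and prints one "old -> new" line per rename. The number
#   of files left alone because the target already existed is left in SKIPPED.
lowercase_names() {
    dir=$1
    SKIPPED=0
    # A glob keeps names with spaces intact; the exercise's find hint works
    # too, but word splitting on its output breaks such names. Dotfiles are
    # not matched by "*", so they are left untouched here.
    for path in "$dir"/*
    do
        test -f "$path" || continue           # directories (and a literal "*") are skipped
        name=${path##*/}                      # basename, without forking
        # quoted classes: no glob expansion, and they follow the locale
        lower=$(printf '%s\n' "$name" | tr '[:upper:]' '[:lower:]')
        test "$name" != "$lower" || continue  # already lowercase, nothing to do
        if test -e "$dir/$lower"
        then
            echo "$dir/$lower already exists, leaving $name alone" >&2
            SKIPPED=$((SKIPPED + 1))
            continue
        fi
        mv -- "$path" "$dir/$lower"           # "--" protects names starting with "-"
        echo "$name -> $lower"
    done
    return 0
}

# usage: ./lowercase.sh .   (the exercise works on the current directory;
# nothing runs without an argument, so the function can be sourced)
[ $# -eq 0 ] || lowercase_names "$1"
```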


Objective 4 Use Advanced Scripting Techniques


In this objective, you learn the following advanced scripting techniques that can help
you solve common problems of script development:
• Use Shell Functions
• Read Options with getopts

Use Shell Functions

Sometimes you need to perform a task multiple times in a shell script. Instead of
writing the same code again and again, you can use functions.

Shell functions act like script modules because they make an entire script section
available with a single name. Shell functions are normally defined at the beginning of
a script. You can store several functions in a file and include this file whenever the
functions are needed.

The following is the basic syntax of a function:

functionname () {
commands
commands
}

The following generates a function with the function command:

function functionname {
commands
commands
}

The function name can be composed of any regular character string that then can be
used to call the function.

The following is a simple function that creates a directory and then changes to that
directory:

# mcd: mkdir + cd; creates a new directory and
# changes into that new directory right away

mcd () {
  mkdir "$1"
  cd "$1"
}


After having been created, this function can be called in a shell script, as in the
following:

...
mcd directory
...

The parameter directory is called an argument. Within a function, arguments can be
accessed with the variables $1, $2, $3, and so on, depending on the number of
arguments passed to the function.

The following function can be used to create a pause in a script. The script resumes
only after the Enter key is pressed:

# pause: causes a script to take a break

pause () {
  echo "To continue, hit RETURN."
  read q
}

You can also create functions that stop their processing from within, similar to
exiting a loop (iteration) with the commands break and continue.

To exit a function, use the command return. If return is called without an argument,
the return value of the function is identical to the exit status of the last command
executed in that function.

Otherwise, the return value is identical to the one supplied as an argument to return.


Exercise 6-12 Use Shell Functions

Do the following:
1. Review the following shell function:

# Prompt the user to answer with "yes" or "no".
# The question itself is supplied as an argument
# when calling the function, for example:
# "yesno Do you want to continue?"

yesno () {
  while true
  do
    echo "$*"
    echo "Please answer by entering (y)es or (n)o:"
    read ANSWER
    case "$ANSWER" in
      [yY] | [yY][eE][sS] )
        return 0
        ;;
      [nN] | [nN][oO] )
        return 1
        ;;
      * )
        echo "I cannot understand you over here."
        ;;
    esac
  done
}

This function asks the user to enter y or n. Depending on the answer, the function
returns 0 or 1. If the answer is wrong, an error message is displayed.
The command echo "$*" is used to print a question, which is passed as a
parameter to the function.
2. Use the above yesno function to write a script that lets the system administrator
delete user accounts.
The script should prompt for the account to delete, and then asks whether the
user's home directory should also be deleted.
If the question is answered with no, the script should change the user and group
ownership of the corresponding home directory to root.
After doing so, the script should use the yesno function again to ask whether the
administrator really wants to delete the account.
Use the commands userdel and chown in the script to perform the necessary
tasks.
You can assume that the home directory of the user is always located in /home
and that the name of the directory is the same as the login name of the user.
3. Test your solution by adding a user account (enter useradd -m tux2) and deleting
it.


4. Compare your solution with the script at the end of the section.

Note: This script is also available as userdel1.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)


Read Options with getopts

With the shell built-in command getopts, you can extract the options supplied to a
script on the command line. The shell interprets command-line arguments as
command options only if they are prefixed with a - (the default when using the shell
interactively).

This makes it possible to place options in different positions on the command line
and to supply them in an arbitrary order.

This means that the following command:

cp -dpR *.txt texts/

achieves the same thing as the command

cp -R *.txt -d texts/ -p

getopts recognizes options in the same way. The following is the getopts syntax:

getopts optionstring variable

The optionstring describes all options to be recognized. For instance, getopts abc
declares a, b, and c as the options to be processed.

If a parameter is expected for the option (such as -m maxvalue), the corresponding
option must be followed by a : in the string (as in getopts m:).

The option string is followed by a variable to which all the command-line options
specified are assigned as a list.

The getopts command is most frequently used in a while loop together with case to
define which command to execute for a given option, as in the following:

while getopts abc: variable
do
  case $variable in
    a ) echo "The option -a was used." ;;
    b ) echo "The option -b was used." ;;
    c ) option_c="$OPTARG"
        echo "Option c has been set." ;;
  esac
done

echo $option_c

If the option -a or -b is used, the script prints out a message that the corresponding
option was used. If the option -c value is used, the value is assigned to the variable
option_c, which is printed to the screen at the end of the script.

The parameter of an option can be accessed with the variable OPTARG.


Exercise 6-13 Use the getopts Command

Do the following:
1. Modify the script from Exercise 6-12 so that it does not prompt the user for input.
Instead, the script should use the following options:
◦ -u username. This option determines the user which shall be deleted.
◦ -r. If this option is set, the home directory should be removed. If this option
is not set, the owner of the home directory should be set to root.
2. Test your solution by adding a user account (enter useradd -m tux2) and deleting
it.
3. Compare your solution with the script at the end of the section.

Note: This script is also available as userdel2.sh in the directory
/exercises/section_6 on your 3038 Course CD.

(End of Exercise)
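A solution to this exercise that ties together shell functions (Objective 4), getopts option parsing and a case statement, added here as an example; it is not the course's userdel2.sh. The function names (valid_login, parse_opts, delete_account), the variables USERNAME, REMOVE_HOME and EXECUTE, and the extra -x switch are all this example's own inventions, as is the login-name character set used for validation. Two points go beyond the exercise text: the account name is validated before it is handed to a privileged command, and without -x the script only prints the userdel and chown commands it would run, so a mistyped option cannot remove anything:

```shell
#!/bin/bash
# Added example (not the course's userdel2.sh): getopts plus shell
# functions, with the account name validated before it reaches userdel.
# Without -x (a switch invented for this example) the commands are only
# printed; with -x they are executed, which requires root.

usage() {
    echo "usage: $0 -u username [-r] [-x]" >&2
}

# valid_login NAME: a leading lowercase letter or "_", then only lowercase
# letters, digits, "_", "." or "-", and never root or empty. This character
# set is an assumption of the example, chosen to be conservative.
valid_login() {
    case "$1" in
        root|"") return 1 ;;
        [a-z_]*) ;;                     # acceptable first character
        *) return 1 ;;
    esac
    case "$1" in
        *[!a-z0-9_.-]*) return 1 ;;     # any other character disqualifies
    esac
    return 0
}

# parse_opts "$@": fill USERNAME, REMOVE_HOME and EXECUTE from the options,
# which getopts accepts in any order. Returns 2 on a bad option or name.
parse_opts() {
    USERNAME=""; REMOVE_HOME=0; EXECUTE=0
    OPTIND=1                            # getopts keeps its state in OPTIND; reset per call
    while getopts u:rx opt
    do
        case $opt in
            u) USERNAME=$OPTARG ;;      # OPTARG holds the option's parameter
            r) REMOVE_HOME=1 ;;
            x) EXECUTE=1 ;;
            *) return 2 ;;              # getopts already reported the bad option
        esac
    done
    valid_login "$USERNAME" || { echo "invalid or missing user name" >&2; return 2; }
    return 0
}

# delete_account PREFIX: run the commands the exercise asks for, with PREFIX
# in front of each. PREFIX "echo" prints them (dry run), "" executes them.
# The home directory is assumed to be /home/USERNAME, as the exercise states.
delete_account() {
    run=$1
    if test "$REMOVE_HOME" -eq 1
    then
        $run userdel -r "$USERNAME"
    else
        $run chown -R root:root "/home/$USERNAME"
        $run userdel "$USERNAME"
    fi
}

main() {
    parse_opts "$@" || { usage; exit 2; }
    if test "$EXECUTE" -eq 1
    then
        delete_account ""
    else
        echo "dry run (add -x to execute):"
        delete_account echo
    fi
}

# only act when invoked with arguments, so the functions can also be sourced
[ $# -eq 0 ] || main "$@"
```

Try it as ./userdel2.sh -r -u tux2 to see the plan, and with -x added to carry it out; the option order does not matter, which is the point the manual makes about getopts.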


Objective 5 Learn About Useful Commands in Shell Scripts


You can use external commands in shell scripts to perform certain tasks. In this
objective, you learn how to
• Use the cat Command
• Use the cut Command
• Use the date Command
• Use the echo Command
• Use the grep and egrep Commands
• Use the sed Command
• Use the test Command
• Use the tr Command

Use the cat Command

When combined with the here operator (<<), the cat command is a good choice to
output several lines of text from a script. In interactive use, the command is mostly
run with a filename as an argument, in which case cat prints the file contents on
standard output.

Use the cut Command

You can use the cut command to cut out sections of lines from a file, so only the
specified section is printed on standard output.

The command is applied to each line of text as available in a file or on standard input.
You can use cut -f to cut out text fields. cut -c works with the specified characters.

You can specify single sections (characters or fields) or several sections. The default
delimiter to separate fields from each other is a tab, but you can specify a different
field separator with the -d option.

The following are some examples of using cut:

cut -d : -f1 /etc/passwd
root
bin
daemon
lp
mail
news


The above command specifies that the field separator should be a colon. In every line
of /etc/passwd, the field that comes before the first colon is taken and printed to
stdout:

ls -l somedir/ | cut -c 35- | sort -n
687 Sep 20 17:06 file2
2199 Sep 20 17:05 file1
6593 Sep 20 17:06 file3

The above command takes the output of the ls command and cuts out everything
from the thirty-fifth character. This is piped to sort, so the final output is sorted
according to file size.

Use the date Command

You can use the date command whenever there is a need to obtain a date or time
string for further processing by a script. Without any options specified, the
command's output looks like the following:

date
Fre Sep 03 14:18:12 CEST 2004

The date command lets you change the output format in almost every detail. With the
-I option (as in the following), date prints the date and time in ISO format (which is
the same as if the options had been +%Y-%m-%d):

date -I
2004-09-03

date "+%m-%d %H:%M"
09-03 14:19

date "+%D, %r"
09/03/02, 02:19:58 PM

date +%d.%m.%y
03.09.02

date +%d.%m.%Y
03.09.2004

date "+%e.%-m.%y, %l.%M %p"
3.9.02, 2.20 PM

date "+%A, %e. %B %Y"
Friday, 3. September 2004

(Format strings that contain spaces or commas must be quoted, as above, so that the
shell passes them to date as a single argument.)

To view a list with all the possible format options for date, see man date. In any
case, you should be able to customize the output to exactly match the requirements of
your script.


Use the echo Command

The echo command, which exists both as a shell built-in command and as an external
command, prints text lines on standard output. A line break is inserted automatically
after each line. When called with the -e option, echo accepts a number of additional
options.

The following are some of the special sequences recognized by echo when run with
the -e option:
• \a. Outputs an alert (sounding the bell). This does not work in the KDE Konsole.
• \c. Do not add a new line at the end of the output.
• \n. Add a new line (line break).

The cat command is preferred over echo to output a text file or several lines of text.

Use the grep and egrep Commands

The command grep and its variant egrep are used to search files for certain patterns,
and use the following syntax:

grep searchpattern filename ...

The command prints lines that contain the given search pattern. You can specify
several files, in which case the output will print the matching line and the
corresponding filenames.

Several options are available to specify that only the line number should be printed,
for instance, or that the matching line should be printed together with leading and
trailing context lines.

Search patterns can be supplied in the form of regular expressions, although the bare
grep command is limited in this regard.

To search for more complex patterns, use the egrep command, which accepts
extended regular expressions. As a simple way to deal with the difference between
the two variants, make sure you use egrep in all of your shell scripts.

The regular expressions used with egrep need to be in accordance with the standard
regex syntax.

To avoid having special characters in search patterns interpreted by the shell, enclose
the pattern in quotation marks, as in the following:

tux@DA1:~> egrep (b|B)lurb file*
bash: syntax error near unexpected token |

tux@DA1:~> egrep "(b|B)lurb" file*
file1:blurb
file2:Blurb


Use the sed Command

The sed program is a stream editor, an editor used from the command line rather than
interactively. sed performs text transformations on a line-by-line basis.

You can specify sed commands either directly on the command line or in a special
command script loaded by the program on execution.

The following is the syntax for the sed command:

sed editing-command filename

The available editing commands are single-character arguments such as the
following:
• d: Delete
• s: Substitute (replace)
• p: Output line
• a: Append after

As with other commands, the output of sed normally goes to standard output, but it
can also be redirected to a file.

Each sed command must be preceded by an exact address or address range specifying
the lines to which the editing command applies.

Apart from the single-character commands for text transformations, you can also
specify options to influence the overall behavior of the sed program.

The following are some important command-line options for sed:
• -n, --quiet, --silent. By default, sed will print all lines on standard output after
they have been processed. This option suppresses the output so sed only prints
those lines for which the p editing command has been given to explicitly
re-enable printing.
• -e command1 -e command2 .... This option is necessary when specifying two or
more editing commands. It must be inserted before each additional editing
command.
• -f filename. With this option, you can specify a script file from which sed should
read its editing commands.

For many editing commands, it is important to specify the exact line or lines that
should be processed by the command. One of the more frequently used address labels
is $, which stands for the last line.


The following are 2 examples of the sed command:
• sed -n '1,9p' somefile
This command prints only lines 1 through 9 on stdout.
• sed '10,$d' somefile
This command deletes everything from line 10 to the end of the file and also
prints the first 9 lines of somefile.

You can use a regular expression to define the address or address range for an editing
command. Regular expressions must be enclosed in forward slashes. If an address is
defined with such an expression, sed processes every line that includes the given
pattern.

The following is an example of using regular expressions:

sed -n '/Murphy.*/p' somefile

This example prints all lines that have the pattern Murphy.* in them.

If you want sed to perform several editing commands for the same address, you need
to enclose the commands in braces, as in the following:

sed '1,10{command1 ; command2}'

The following lists the most important editing commands available for sed:

Table 6-2

  Command  Example                    Editing Action
  d        sed '10,$d' file           Delete line.
  a        sed 'a\text\text' file     Append text after the specified line.
  i        sed 'i\text\text' file     Insert text before the specified line.
  c        sed '2000,$c\text' file    Replace specified lines with the text.
  s        sed s/x/y/option           Search and replace. The search pattern x is
                                      replaced with pattern y. The search and the
                                      replacement pattern are regular expressions in
                                      most cases, and the search and replace behavior
                                      can be influenced through various options.
  y        sed y/abc/xyz/             (yank) Replace every character from the set of
                                      source characters with the character that has
                                      the same position in the set of destination
                                      characters.

(The address in the d and c examples contains $, so it must be quoted to keep the
shell from expanding it as a variable.)


You can use the following options with the s command (search and replace):
• I. Do not distinguish between uppercase and lowercase letters.
• g. Replace globally wherever the search pattern is found in the line (instead of
replacing only the first instance).
• n. Replace the nth matching pattern only.
• p. Print the line after replacing.
• w. Write the resulting text to the specified file rather than printing it on stdout.

The following are some examples of using the s command:
• sed 's/:/ /' /etc/passwd
This command replaces the first colon in each line with a space.
• sed 's/:/ /g' /etc/passwd
This command replaces all colons in all lines with a space.
• sed 's/:/ /2' /etc/passwd
This command replaces only the second colon in each line with a space.
• sed -n 's/\([aeiou]\)/\1\1/Igp'
This command replaces all single vowels with double vowels. The example
shows how matched patterns can be referenced with “\1” if the search pattern is
given in parentheses (which have to be escaped). The I option ensures that sed
ignores the case.
The g option causes characters to be replaced globally. The p option tells sed to
print all lines processed in this way.

Use the test Command

The test command exists both as a built-in command and as an external command. It
is used to compare values and to check for files and their properties (whether a file
exists, whether it is executable, and so on).

If a tested condition is true, test returns an exit status of 0; if the condition is not true,
the exit status is 1. In shell scripts, test is used mainly to declare conditions that
influence the operation of loops, branches, and other statements.

The following is the test syntax:

test condition


You can use the test command to do the following:

- Testing whether a file exists. Some of the available options are:

Table 6-3

Option  Description
-e      File exists
-f      File exists and is a regular file
-d      File exists and is a directory
-x      File exists and is an executable file

- Comparing 2 files. Some of the available operators are:

Table 6-4

Option  Description
-nt     Newer than
-ot     Older than
-ef     Refers to the same inode (such as in the case of a hard link)

- Comparing 2 integers. The available operators are:

Table 6-5

Option  Description
-eq     Equal
-ne     Not equal
-gt     Greater than
-lt     Less than
-ge     Greater than or equal
-le     Less than or equal

- Testing strings. The available operators are:

Table 6-6

Option                   Description
test -z string           Exit status is 0 (true) if the string has zero length
                         (is empty).
test string              Exit status is 0 (true) if the string has nonzero
                         length (consists of at least one character).
test string1 = string2   Exit status is 0 (true) if the strings are equal.
test string1 != string2  Exit status is 0 (true) if the strings are not equal.


- Combined tests. The available operators are:

Table 6-7

Option                         Description
test ! condition               Exit status is 0 (true) if the condition is not true
test condition1 -a condition2  Exit status is 0 (true) if both conditions are true
test condition1 -o condition2  Exit status is 0 (true) if either condition is true

Tip: For more detailed information about test, enter help test or man test (the built-in test command
and the external one have identical features).
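As an added example that is not part of the course manual, the following script combines the file, integer, string, and combined test operators listed above into two small checks: one that validates a script file before it is run (a regular, executable file below a size limit), and one that tells whether a backup is current. The function names, file names, and size limit are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not part of the course manual: check_script and
# backup_is_current are constructed helpers built on the test operators above.

# check_script PATH MAX_BYTES
# Returns 0 if PATH is a regular, executable file of at most MAX_BYTES bytes;
# returns 1 (with a message on stderr) otherwise.
check_script() {
    path="$1"
    max_bytes="$2"

    # String tests combined with -o: reject missing arguments first.
    if test -z "$path" -o -z "$max_bytes"; then
        echo "usage: check_script PATH MAX_BYTES" >&2
        return 1
    fi

    # ! -f: exists and is a regular file (a directory or device is refused).
    if test ! -f "$path"; then
        echo "$path: missing or not a regular file" >&2
        return 1
    fi

    # -x: the execute bit must be set.
    if test ! -x "$path"; then
        echo "$path: not executable" >&2
        return 1
    fi

    # Integer test: size in bytes (wc -c; tr strips padding) compared with -gt.
    size=$(wc -c < "$path" | tr -d ' ')
    if test "$size" -gt "$max_bytes"; then
        echo "$path: $size bytes exceeds limit of $max_bytes" >&2
        return 1
    fi
    return 0
}

# backup_is_current ORIG BACKUP
# Returns 0 if BACKUP exists and is either newer than ORIG (-nt) or the very
# same inode (-ef, a hard link); returns 1 otherwise.
backup_is_current() {
    orig="$1"
    backup="$2"
    test -e "$backup" || return 1
    test "$backup" -nt "$orig" -o "$backup" -ef "$orig"
}

# Demonstration with constructed files in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$dir/good.sh"
    chmod 755 "$dir/good.sh"
    printf 'echo hello\n' > "$dir/plain.sh"      # not executable
    mkdir "$dir/dir.sh"                          # a directory, not a file
    touch -t 202001010000 "$dir/data"
    touch -t 202001020000 "$dir/data.bak"        # one day newer than data
    ln "$dir/data" "$dir/data.lnk"               # hard link: same inode

    check_script "$dir/good.sh" 100;  echo "good.sh, limit 100 -> $?"   # 0
    check_script "$dir/plain.sh" 100; echo "plain.sh           -> $?"   # 1
    check_script "$dir/dir.sh" 100;   echo "dir.sh             -> $?"   # 1
    check_script "$dir/good.sh" 10;   echo "good.sh, limit 10  -> $?"   # 1
    backup_is_current "$dir/data" "$dir/data.bak"; echo "newer backup -> $?"  # 0
    backup_is_current "$dir/data.bak" "$dir/data"; echo "older backup -> $?"  # 1
    backup_is_current "$dir/data" "$dir/data.lnk"; echo "hard link    -> $?"  # 0
    rm -rf "$dir"
}
demo
```

Because every variable is double-quoted, a file name containing spaces is handled as one argument; the unquoted form used in several exercise solutions would split it.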

Use the tr Command

The tr command translates (replaces) or deletes characters. It reads from standard
input and prints the result on standard output. With tr, you can replace regular
characters or sequences of such characters and special characters like \t (horizontal
tab) or \r (return).

A complete list of all special characters handled by tr is included in the man page of
the program.

The following is the standard syntax of tr:

tr set1 set2

The characters included in set1 are replaced with the characters included in set2.

The following is an example of using the tr command:

cat text-file | tr a-z A-Z

This command changes all lowercase characters in the file to uppercase, and the
result is printed to stdout.

You can use tr to delete characters from the first set by entering the following:

tr -d set1

This will not translate anything; it only deletes the ones included in set1, printing the
rest to standard output.


The following is another example of using the tr command:

VAR=`echo $VAR | tr -d %`

In this example, tr deletes the percent sign from the original value of VAR and the
result is assigned as a new value to the same variable.

By entering a command like

tr -s set1 char

you can also use tr to replace a set of characters with a single character.


Exercise Answers
The following are answers to the exercises in this section.

Solution for Exercise 6-1:

Script: /exercise/section_6/hello.sh on your 3038 Course CD

#!/bin/bash
# This script prints a "Hello world" greeting
# Author: Tux Penguin
# Created: 8/22/2005

echo -e "\aHello\nworld"
exit 0

Solution for Exercise 6-2:

Script: /exercise/section_6/name1.sh on your 3038 Course CD

#!/bin/bash
# This script reads the user's first and last name
# and then prints a greeting with the full name.
# Author: Tux Penguin
# Created: 8/22/2004

echo "Please enter your first name:"

# first name gets assigned to variable FIRSTNAME
read FIRSTNAME

echo "Please enter your last name:"

# last name gets assigned to variable LASTNAME
read LASTNAME

# Now print the greeting:
echo "Welcome to the club, $FIRSTNAME $LASTNAME"
exit 0


Solution for Exercise 6-3:

Script: /exercise/section_6/name2.sh on your 3038 Course CD

#!/bin/bash
# This script reads the user's first and last name
# and then prints a greeting with this full name.
# Author: Tux Penguin
# Created: 8/22/2005

echo "Please enter your first name:"

# first name gets assigned to variable FIRSTNAME
read FIRSTNAME

echo "Please enter your last name:"

# last name gets assigned to variable LASTNAME
read LASTNAME

# create a new NAME variable
NAME="$FIRSTNAME $LASTNAME"

# Now print the greeting:
echo "Welcome back home, $NAME"

exit 0

Solution for Exercise 6-4:

Script: /exercise/section_6/info.sh on your 3038 Course CD

#!/bin/bash
# This script prints information about
# the current login
# and the current working directory.
# Author: Tux Penguin
# Created: 8/22/2005

login=`whoami`
path=`pwd`

echo "The current login is: $login"
echo "The current path is: $path"
exit 0

Solution for Exercise 6-5:

This script uses all available methods for arithmetic operations.


Script: /exercise/section_6/sum.sh on your 3038 Course CD

#!/bin/bash
# This script lets the user specify two whole
# numbers and then adds them together. All kinds of
# arithmetic formats that are possible
# under Bash are used, one after another.
# Author: Tux Penguin
# Created: 8/22/2005

declare -i INTEGER1
declare -i INTEGER2
declare -i SUM

# read first integer
echo "Please enter first integer: "
read INTEGER1

# read second integer
echo "Please enter second integer: "
read INTEGER2

# this uses expr for Bourne shell compatibility:
RESULT=`expr $INTEGER1 + $INTEGER2`
echo "The expr command returns the result: $RESULT."

# this uses the Bash built-in let :
let RESULT="$INTEGER1 + $INTEGER2"
echo "The let built-in returns the result: $RESULT."

# this uses a Bash-specific arithmetic expression:
RESULT=$[$INTEGER1 + $INTEGER2]
# or:
# RESULT=$(($INTEGER1 + $INTEGER2))

echo "Using an arithmetic expression in Bash, the result is: $RESULT."

# this one uses the variables declared as integers above:
SUM=INTEGER1+INTEGER2
echo "Using the variables declared as integers, the sum is: $SUM."

exit 0

Solution for Exercise 6-6:

Script: /exercise/section_6/find.sh on your 3038 Course CD

#!/bin/bash
# This script searches for files in the current
# directory.
# The user is prompted to enter a filename;
# if no name is entered, we search for the default
# value anyway, which is set to "*.bak"
# Author: Tux Penguin
# Created: 8/22/2005

echo "Please enter the file to be searched for (default is: *.bak):"
read FILE
find . -name "${FILE:="*.bak"}"
exit 0


Solution for Exercise 6-7:

Script: /exercise/section_6/file_check.sh on your 3038 Course CD

#!/bin/bash
# This script checks whether a file exists and if
# it is executable
# Author: Tux Penguin
# Created: 8/22/2005

echo "Please enter a filename: "

read FILENAME

# The variable is quoted so a name containing spaces stays one argument
if test -e "$FILENAME"
then
  if test -x "$FILENAME"
  then
    echo "The file exists and is executable."
  else
    echo "The file exists but is not executable."
  fi
else
  echo "The file does not exist."
fi

exit 0

Solution for Exercise 6-8:

Script: /exercise/section_6/yes_no.sh on your 3038 Course CD

case "$VARIABLE" in
  [yY] | [yY][eE][sS] | [yY][eE][aA][hH] )
    ... ;;
  [nN] | [nN][oO] | [nN][oO][pP][eE] )
    ... ;;
  * )
    echo error message ;;
esac


Solutions for Exercise 6-9:

Script: /exercise/section_6/counter1.sh on your 3038 Course CD

#!/bin/bash
# A script to iterate over a simple "while" loop 100
# times.
# Author: Tux Penguin
# Created: 8/22/2005

declare -i COUNTER=1

while test $COUNTER -le 100
do
  echo "The counter stands at $COUNTER."
  COUNTER=COUNTER+1
  sleep 1
done

exit 0

Script: /exercise/section_6/counter2.sh on your 3038 Course CD

#!/bin/bash
# A script to iterate over a simple until loop 100 times.
# Author: Tux Penguin
# Created: 8/22/2005

declare -i COUNTER=1

until test $COUNTER -gt 100
do
  echo "The counter stands at $COUNTER."
  COUNTER=COUNTER+1
  sleep 1
done

exit 0


Solution for Exercise 6-10:

Script: /exercise/section_6/lowercase1.sh on your 3038 Course CD

#!/bin/bash
# This script renames all files in the current
# directory so that they have all lowercase file
# names.
# Author: Tux Penguin
# Created: 8/22/2005

for FILE in `find . -maxdepth 1 -type f`
do
  # The character classes are quoted so the shell does not expand them as globs
  NEWFILE=`echo $FILE | tr '[A-Z]' '[a-z]'`
  if test "$FILE" != "$NEWFILE"
  then
    echo mv "$FILE" "$NEWFILE"
  fi
done

exit 0

Solution for Exercise 6-11:

Script: /exercise/section_6/lowercase2.sh on your 3038 Course CD

#!/bin/bash
# This script renames all files in the current
# directory so that they have all-lowercase file
# names.
# 2nd version: Now we also check whether the file
# already exists with lowercase lettering.
# Author: Tux Penguin
# Created: 8/22/2005

for FILE in `find . -maxdepth 1 -type f`
do
  # The character classes are quoted so the shell does not expand them as globs
  NEWFILE=`echo $FILE | tr '[A-Z]' '[a-z]'`
  if test "$FILE" != "$NEWFILE"
  then
    if test -e "$NEWFILE"
    then
      echo "There is already a file with the name $NEWFILE."
      echo "$FILE will not be renamed."

      # Skip the rest and begin next loop iteration:
      continue
    fi
    echo mv "$FILE" "$NEWFILE"
  fi
done
exit 0


Solution for Exercise 6-12:

For testing purposes, an echo is put before all important commands, such as chown
and userdel. There should be no spaces between [yY][eE][sS]. The same is true of
[nN][oO].

Script: /exercise/section_6/userdel1.sh on your 3038 Course CD

#!/bin/bash
# This script prompts for a user name and
# then deletes the corresponding account.
# Author: Tux Penguin
# Created: 8/22/2005
yesno (){
while true
do
echo "$*"
echo "Please answer by entering (y)es or (n)o:"
read ANSWER
case "$ANSWER" in
[yY] | [yY][eE][sS] )
return 0
;;
[nN] | [nN][oO] )
return 1
;;
* )
echo "I can't understand you over here."
;;
esac
done
}
read -p "Delete which user? " user

if yesno "Also delete home directory of $user?"
then
  home=yes
fi

if yesno "Really delete user $user?"
then
  if test "$home" = yes
  then
    userdel -r "$user"
  else
    home="/home/$user"
    chown -R root.root "$home"
    userdel "$user"
  fi
fi
exit 0


Solution for Exercise 6-13:

Script: /exercise/section_6/userdel2.sh on your 3038 Course CD

#!/bin/bash
# This script prompts for a user name and then deletes
# the corresponding account. Optionally, the user's
# home directory is deleted as well.
# Author: Tux Penguin
# Created: 8/22/2005

while getopts u:r variable
do
  case $variable in
    u ) user="$OPTARG" ;;
    r ) home=yes ;;
  esac
done

if test "$home" = yes
then
  userdel -r "$user"
else
  home="/home/$user"
  chown -R root.root "$home"
  userdel "$user"
fi

exit 0


Summary

Objective 1: Use Basic Script Elements
- Before writing a shell script, it is useful to draw a program flow chart.
- Before a file can be run as a shell script, it must have both read and execute
  permissions.
- To produce some simple output from a script, you can use the echo command.
- To read user input for processing by a script, you can use the read command.
- There are several ways to perform arithmetic operations in a script:
  - Use the external command expr.
  - Use the Bash built-in command let.
  - Enclose arithmetic expressions in double parentheses for expansion by the shell.
  - In Bash, arithmetic operations can also be performed with plain variables,
    provided that these have been declared as integers before.

Objective 2: Use Variable Substitution Operators
- In Bash, you can use special variable substitution operators to assign different
  values to variables without having to rely on external commands.
- These special substitution operators allow changing variables by deleting certain
  patterns in their values and returning the rest, for instance.
- They also allow you to set a default for a variable for situations where no value
  can be assigned to it.

Objective 3: Use Control Structures
- Conditional statements in shell scripts can be implemented with an if branch.
- For relatively simple structures, you can also use the command separators && and
  || to express the same statement as a command line.
- To take decisions with a number of possible choices in a script, create a multiple
  branch with a case statement.
- With the commands while and until, create loops that depend on certain
  terminating conditions.
- The for command allows you to create loops to process a list of elements.
- There are 2 ways to influence the operation of a loop:
  - With the break command, a loop can be terminated completely according to a
    given condition.
  - The continue command allows exiting from the current iteration of a loop if
    the condition is true.

Objective 4: Use Advanced Scripting Techniques
- If you anticipate that certain command sequences will be used more than once in a
  script or if you want to make a complex script easier to read and understand,
  consider defining shell functions for certain routines.
- A function normally comprises a part of a script and makes it available under a
  user-definable name, such that the script part can be executed simply by stating
  this name further below in the script.
- Use the Bash built-in command getopts to easily extract command-line options for
  shell scripts.
- With the getopts command, you can tell the script which options it should
  recognize and which action should be triggered by a given option.

Objective 5: Learn About Useful Commands in Shell Scripts
- You can use external commands in shell scripts to perform certain tasks.
- The following is a list of commonly-used commands: cat, cut, date, echo, grep and
  egrep, sed, test, tr.

SECTION 7 Compile Software from Source

In this section, you learn how to compile and install software that is available as
source code.

Objectives
1. Understand the Basics of C Programming
2. Understand the GNU Build Tool Chain
3. Understand the Concept of Shared Libraries
4. Perform a Standard Build Process

Introduction
Although SLES 9 is shipped with software packages for almost all purposes, you
might want to install software from other sources.

Sometimes open source projects or third-party vendors provide RPM packages that
are made for SLES 9 and can be installed with the RPM command line tool or with
YaST.

In many cases, however, open source projects provide only tar archives with the
source code of an application. In this section you learn how to compile and install
software from these source archives.


Objective 1 Understand the Basics of C Programming


Most applications (and the Linux kernel) are written in the C or C++ programming
language. To compile and install software from source archives, it is useful to have a
basic understanding of C and the steps that are necessary to turn program code into
an executable file.

Note: The C++ language is considered the successor of C. The syntax of C++ is very similar to C, but
C++ lets you create object-oriented code. However, many applications and the Linux kernel are
still written in C.

In this objective, you learn the following C programming basics:

- The Difference Between Source Code and an Executable
- The Structure of a Simple C Program
- How to Compile a Simple C Program

The Difference Between Source Code and an Executable

There are basically 2 different types of programming languages:

- Script languages. Applications written in a script language can be easily
  developed with just a text editor. The script files can be directly executed with
  the help of an interpreter program.
  Examples of script languages are Perl, PHP, Python, and the shell scripting
  language.
- Compiler languages. Applications written in this kind of programming
  language can also be created with a text editor, but normally there is no
  interpreter software available.
  Before the code can be executed, it needs to be converted into a binary format
  that can be directly executed by the CPU. This conversion is done by a special
  program called the compiler.
  Examples of compiler languages include C, C++, and Fortran.


The following are advantages and disadvantages of each programming language type:

Table 7-1

Script language
  Advantages:
  - Most script languages are relatively easy to learn.
  - The development process in a script language is rather fast.
  - Script programs can basically run on all platforms where the interpreter is
    available, without changing the program code.
  Disadvantages:
  - The execution of script applications is rather slow.
  - It is not possible to do system programming (such as operating systems or
    device drivers) with scripting languages.

Compiler language
  Advantages:
  - The execution is very fast compared with scripting languages.
  - It is possible to do system programming (such as operating systems or device
    drivers).
  Disadvantages:
  - Compiler languages can be pretty difficult to learn.
  - The development process usually takes longer.
  - The source code needs at least to be recompiled before it can be executed on a
    different platform.

Note: The summary in this table is not complete. There are programming languages like Java that are
classified between the described programming language types.

The Structure of a Simple C Program

The following is the source code of a simple C program:

#include <stdio.h>

int main(void)
{
    char name[80];

    printf("Please enter your name: ");
    scanf("%s", name);

    printf("Your name is: %s\n", name);

    return(0);
}

This program prompts the user to enter his name, and then it prints out Your name is:
and the name the user has entered.


The following describes each line:

- #include <stdio.h>
  This line is a preprocessor directive. Before the actual source code is compiled
  into a binary file, the file is processed by the preprocessor. In this example, the
  directive instructs the preprocessor to include the file stdio.h.
  A file such as stdio.h contains information about functions that are used later in
  the program. This is a typical characteristic of C: every variable or function
  needs to be declared before it can be used.
  Files that contain function declarations are called header files, and their
  filenames typically end in .h.
- int main(void)
  This line starts the main function of the program. This is the function that is
  initially called when the program is started. A program can consist of more
  functions, but it must have at least a main function.
  The function head normally has 3 parts:
  - First, the type of the return value is determined; in this case, int, an integer.
  - This is followed by the function name. The main function always has the
    name main.
  - Finally, the arguments of the function are listed in parentheses. The keyword
    void means the function does not expect an argument.
- {
  Everything that belongs to a function is included in curly brackets. This line
  starts the block of the main function.
- char name[80];
  This line declares a variable name. The type of the variable is char, a variable
  type for a single character. In this example, since you need to store more than just
  one character in the variable, you declare an array of 80 char variables with [80].
  This shows another characteristic of C. It is not enough to declare a variable
  before you can use it; you also need to specify the type of the variable. In the
  example above, it would not be possible to store other data like integers in the
  variable.
  Another important element is the semicolon at the end of the line. Every
  declaration and every function call in C must end with a semicolon.
- printf("Please enter your name: ");
  This line prints out the message Please enter your name:. It uses the function
  printf for this purpose. This line also shows a typical function call in C. The
  arguments are given in parentheses after the function name.
- scanf("%s", name);
  In this line the function scanf is used to read the input of the user. The function
  takes two arguments: a format string %s, which determines the way the input
  should be handled by the function, and the variable name, in which the input
  should be stored.
  Note that %s does not limit the number of characters read: input longer than 79
  characters (plus the terminating null byte) overflows the 80-byte name array.
  Giving a field width, as in scanf("%79s", name), or reading with fgets bounds
  the input to the size of the array.
- printf("Your name is: %s\n", name);
  This line uses the function printf again, this time to print out the entered name of
  the user. The function takes 2 arguments in this case, the string Your name is:
  and the variable name, which holds the name of the user.
  The content of name is output at the position of the %s format string, which acts
  like a placeholder in this case.
- return(0);
  This line uses the return statement to return 0 as the value of the function. Because
  this is the main function, it also determines the return value of the whole program.
- }
  This curly bracket closes the main function and the whole program.

The code of C programs should be saved in a file ending in .c. In this example,
the filename my_name.c is used.

How to Compile a Simple C Program

To execute the previously described program, it needs to be compiled into a binary
file. For this you need a C compiler. The standard C compiler in Linux is gcc, the
GNU C Compiler.

To compile the simple example program, you invoke the compiler with the following
command:

gcc my_name.c -o my_name

First, the name of the file that contains the source code is passed to gcc, followed by
the -o option and the name of the output binary file.

After the compilation has finished, the binary can be started like any other command
line program, as in the following:

./my_name
Please enter your name: Florian
Your name is: Florian


Exercise 7-1 Compile a Simple C Program

In this exercise, you compile a simple C program by doing the following:

Note: As part of the SLES 9 installation exercise in Section 1, you already installed the necessary
packages for compiling C source (C/C++ Compiler and Tools).

If you did not complete this successfully, use the YaST Install and Remove Software module to
install this software before starting the exercise.

Do the following:
1. Open a terminal window.
2. Insert the 3038 Course CD in the CD-ROM drive.
3. Copy the source code package of the example application to the /tmp directory by
entering the following:
cp /media/mount_point/exercises/section_7/my_name.c /tmp
(where mount_point is cdrom, cdrecorder, or dvd, depending on your installed
hardware)
4. Change to the directory /tmp/ by entering cd /tmp.
5. Compile the C source file by entering the following:
gcc my_name.c -o my_name
6. After the program compiles, start the program by entering the following:
./my_name
7. Verify that the program works properly by entering a name.
8. Close the terminal window and remove the CD.

(End of Exercise)


Objective 2 Understand the GNU Build Tool Chain


In most cases programs use more than one source code file. In order to structure the
source, developers tend to spread the code over multiple files.

It would be very difficult to compile a program with multiple source code files
manually on the command line. Fortunately some tools are available to manage the
compilation process.

In this objective, you learn how to do the following to perform a standard build
process:
- Use configure to Prepare the Build Process
- Use make to Compile the Source Code
- Use make install to Install the Compiled Program
- Install the Required Packages for a Build Environment

Use configure to Prepare the Build Process

Before the actual compilation process can be started, you must prepare the source
code with a configure script. This needs to be done for the following reasons:
- Many applications can be compiled on different UNIX systems, Linux
  distributions, and hardware platforms. To make this possible, the build process
  needs to be prepared for the actual environment.
- The build process itself is controlled by a program called make. The instructions
  for how to compile the different source files are read from Makefiles. The
  configure script generates these Makefiles depending on the system
  environment.
- You can use configure to enable or disable certain features of an application.

To run the configure script, you need to use the following command at the top of the
source directory:

./configure

To enable or disable certain features of an application, configure takes additional
arguments. The available arguments depend on the application that will be compiled.

You can use the following command to list all available configure options:

./configure --help

Use make to Compile the Source Code

You use the tool make to compile multiple source files in the correct order. Make is
controlled by Makefiles. Normally, these Makefiles are generated by the configure
script, but you can also create them manually.


You can also use make to install and uninstall the program to or from the right
location on the hard disk.

The following is a simple Makefile that shows how make works:

# Makefile for my_name

all: my_name

my_name: my_name.c
	gcc my_name.c -o my_name

install: my_name
	install -m 755 my_name /usr/local/bin/my_name

uninstall: /usr/local/bin/my_name
	rm -f /usr/local/bin/my_name

clean:
	rm -f my_name

This Makefile can perform the following tasks:

- Compile the program from source
- Install the program
- Uninstall the program
- Clean up the directory where the compilation is performed

Every Makefile consists of targets, dependencies, and commands for the targets.
Targets and dependencies are separated by a colon. The commands must be placed
under the target, indented with a single tab character (spaces are not accepted).
A # introduces comments.

If you execute the command make while you are in the respective directory, the
program make will search this directory for the files GNUmakefile, makefile, or
Makefile.

If make is executed without any parameters, the first target of a Makefile is used. In
the example above, this is all. This target is associated with the target my_name,
which specifies the step to take: compile the file my_name.c with gcc.

The command make can also be used with individual targets. For example, the
command make install (as root) installs the binary file at the specified location and
make uninstall removes the binary file.

Even large software projects are created in the same way, but the Makefiles are much
more extensive and complex. If the software will be compiled to a functional
program on multiple architectures, things are much more complicated.

For this reason, the Makefile is usually generated by the configure script.


Use make install to Install the Compiled Program

The last step when installing a program from source is to install the binary file and
additional files belonging to the application.

This step is usually done with make and an install target in the corresponding
Makefile.

You can perform the installation with the following command:

make install

You must enter this command as root at the top level of the source directory.

Install the Required Packages for a Build Environment

A lot of different software packages are required to perform the described build
process. The easiest way to install all required packages is to select the selection
C/C++ Compiler and Tools in the YaST package manager.

To access the predefined selections, select Selections from the filter drop-down list as
shown in the following:

Figure 7-1


Objective 3 Understand the Concept of Shared Libraries


Many tasks on a system are performed by more than one application. For example,
the opening and displaying of PNG image files is performed by the web browser, the
graphic program, and other applications.

It would not make sense to implement the functionality of opening PNG files again
and again in every application. Therefore, program functionality can be stored in
shared libraries.

In the case of opening and displaying PNG files, the functionality is provided by the
shared library libpng.

Physically, a shared library is a file on the hard disk that is loaded into the main
memory when an application is started that requires the functionality of the library.

The task of finding and loading the required libraries is performed by the program ld.

The following illustrates how shared libraries work:

Figure 7-2: The Web Browser and the Graphic Program both use functions from libpng.

Normally, a shared library has 2 basic parts:

- The shared library file itself, which is loaded when a program requires a function
  of the corresponding library. The filenames for these files end in .so (shared
  object).
- The header files of the library, which contain the function declarations of the
  library. The filenames of these files end in .h (header file).

As described at the beginning of this section, the C programming language requires
that every function used in a program is declared.

This means that the header files of a library need to be installed on a system to
compile software that uses functions of that library. To run already compiled
software, only the shared library files are necessary.


Because the software that ships with SLES 9 is already compiled, the header files of
some libraries are not installed by default. These libraries are split into two packages:
the software packages that contain the header files have the extension -devel attached
to the package name.

For example, the package libpng contains the shared library, and the package
libpng-devel contains the corresponding header files.

When you run the configure script, it sometimes prompts you about missing libraries
that should be installed on the system. If you install the required packages with YaST,
you have to make sure that you select both the shared library and the corresponding
devel package.


Objective 4 Perform a Standard Build Process


In this objective, the program xpenguins is compiled and installed from a source
archive as an example of a standard build process.

The xpenguins program can be downloaded in a tar archive with the name
xpenguins-2.2.tar.gz.

Before you start the build process, you need to extract the tar archive by entering the
following command:

tar xzf xpenguins-2.2.tar.gz

Note: Some tar archives end in .bz2. In this case, the archive is compressed with
bzip2 and needs to be extracted with the options xjf.
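Before running tar xzf on an archive downloaded from the network, it is good practice to list its contents and confirm that everything unpacks into the single top-level directory you expect (xpenguins-2.2/ in this case), so that nothing lands next to or outside that directory. The following shell function is an added example, not part of the course material or of xpenguins; the two archives it checks are constructed samples built in a scratch directory so that the check can be tried offline.

```shell
#!/bin/sh
# Added example (not part of the course material): inspect a source archive before
# extracting it. tar tzf only lists the members, so nothing is written to disk until
# the archive is known to unpack into the single top-level directory we expect
# (here xpenguins-2.2/, as in the course; the archives below are constructed samples).

# archive_toplevel_ok ARCHIVE EXPECTED_DIR
# Returns 0 when every member is EXPECTED_DIR/ or lies below it, 1 otherwise.
archive_toplevel_ok() {
    tar tzf "$1" | awk -v top="$2/" '
        $0 != top && index($0, top) != 1 {
            bad++
            print "unexpected member: " $0 > "/dev/stderr"
        }
        END { exit (bad > 0) }'
}

# Constructed sample archives in a scratch directory: one well-formed, one that
# would also drop a file next to the source directory when extracted.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/xpenguins-2.2/src"
: > "$SAMPLE_DIR/xpenguins-2.2/configure"
: > "$SAMPLE_DIR/xpenguins-2.2/src/main.c"
: > "$SAMPLE_DIR/stray-install.sh"
(
    cd "$SAMPLE_DIR" &&
    tar czf good.tar.gz xpenguins-2.2 &&
    tar czf bad.tar.gz xpenguins-2.2 stray-install.sh
)

# Only extract (tar xzf, as in the course text) after the check has passed.
if archive_toplevel_ok "$SAMPLE_DIR/good.tar.gz" xpenguins-2.2; then
    echo "good.tar.gz: members confined to xpenguins-2.2/, safe to run tar xzf"
fi
if ! archive_toplevel_ok "$SAMPLE_DIR/bad.tar.gz" xpenguins-2.2; then
    echo "bad.tar.gz: rejected, inspect it before extracting"
fi
```

For a real download, call archive_toplevel_ok xpenguins-2.2.tar.gz xpenguins-2.2 in the directory holding the archive; the function prints every offending member on standard error so you can decide whether to extract by hand into an empty directory instead.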

After the archive is extracted, you need to change to the source directory which has
been created by entering the following:

cd xpenguins-2.2/

In the source directory, you need to run the configure script with the following
command:

./configure


The output looks like the following:

creating cache ./config.cache


checking for a BSD compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... yes
checking for working aclocal... found
checking for working autoconf... found
checking for working automake... found
checking for working autoheader... found
checking for working makeinfo... missing
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking for a BSD compatible install... /usr/bin/install -c
checking how to run the C preprocessor... gcc -E
checking for X... libraries /usr/X11R6/lib, headers /usr/X11R6/include
checking for dnet_ntoa in -ldnet... no
checking for dnet_ntoa in -ldnet_stub... no
checking for gethostbyname... yes
checking for connect... yes
checking for remove... yes
checking for shmat... yes
checking for IceConnectionNumber in -lICE... yes
checking for XpmReadFileToData in -lXpm... yes
checking for XpmFree in -lXpm... yes
checking for ANSI C header files... yes
checking for unistd.h... yes
checking whether time.h and sys/time.h may both be included... yes
checking return type of signal handlers... void
checking for select... yes
checking for strdup... yes
updating cache ./config.cache
creating ./config.status
creating Makefile
creating src/Makefile
creating themes/Makefile
...

In the last lines of the output you can see that the Makefiles are created.

If the configure script does not report any errors, you can start the compilation
process by entering the following:

make


The output of make for xpenguins looks like the following:

make all-recursive
make[1]: Entering directory `/tmp/xpenguins-2.2'
Making all in src
make[2]: Entering directory `/tmp/xpenguins-2.2/src'
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c main.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
xpenguins_config.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
xpenguins_core.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
xpenguins_theme.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
toon_associate.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_draw.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c
toon_globals.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_query.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_set.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_core.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_end.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_init.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_root.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I/usr/X11R6/include -g -O2
-DPKGDATADIR=\""/usr/local/share/xpenguins"\" -c toon_signal.c
gcc -I/usr/X11R6/include -g -O2 -DPKGDATADIR=\""/usr/local/share/xpenguins"\" -o xpenguins main.o
xpenguins_config.o xpenguins_core.o xpenguins_theme.o
toon_associate.o toon_draw.o toon_globals.o toon_query.o
toon_set.o toon_core.o toon_end.o toon_init.o toon_root.o
[...]

The most important parts of the output of make are the compiler calls starting with:

gcc -DHAVE_CONFIG_H -I ...

When the compilation process has finished without any errors, you can install the
software by entering the following (as root):

make install


Exercise 7-2 Compile Software from a Source Package

In this exercise, you do the following:

- Part I: Compile a Source Package
- Part II: Run the Application

Part I: Compile a Source Package

Do the following:

1. Open a terminal window.
2. Insert the 3038 Course CD in your CD-ROM drive.
3. Copy the source code package of the example application to the directory /tmp/ by
   entering the following (on one line):
   cp /media/drive/exercises/section_7/xpenguins-2.2.tar.gz /tmp
4. Change to the directory /tmp by entering cd /tmp.
5. Unpack the source archive by entering the following:
   tar xzf xpenguins-2.2.tar.gz
6. Change to the source directory by entering cd xpenguins-2.2/.
7. Start the configure script by entering ./configure.
8. (Conditional) If the configure script displays an error message indicating that the
   header files of the X Window system are not installed, install the package
   XFree86-devel with YaST and run the configure script again before continuing.
9. When the configure script finishes, enter make.
10. When the make command finishes, su to root.
11. Change to the source directory by entering the following:
    cd /tmp/xpenguins-2.2/
12. Install the compiled application by entering make install.
13. Close the terminal window.

Part II: Run the Application

To run the application xpenguins, you need to make an adjustment from the KDE
Control Center that is not part of the standard build process.

To make this adjustment and start the application, do the following:

1. From the KDE start menu, select Control Center.
2. From the left side of the Control Center, select Desktop > Behavior.


3. Select the check box for Allow programs in desktop window; then select Apply
and close the Control Center.
4. Open a terminal window.
5. Start the application by entering the following:
/usr/local/bin/xpenguins
6. Stop the program by pressing Ctrl+C (from the terminal window).
Have a lot of fun :-).
7. Close the terminal window.

(End of Exercise)


Summary

Objective: 1. Understand the Basics of C Programming
Summary: There are basically 2 different programming language types:
- Script languages. The source code is executed by an interpreter.
- Compiler languages. The source code needs to be converted into a binary file,
  which can be executed directly by the CPU.
The C and C++ programming languages are the most important compiler languages.
C has the following basic characteristics:
- A preprocessor processes the source code before compiling.
- Every program has at least a main function.
- Functions and variables need to be declared before they can be used in the code.
- The declaration must include the definition of variable types.
The names of C source files normally end in .c.
The basic command to compile a source file looks like the following:
gcc sfile.c -o bfile

Objective: 2. Understand the GNU Build Tool Chain
Summary: The standard build process consists of the following steps:
- The build process must be prepared with the configure script.
- The make command is used to compile the source code.
- The make program is used again to install the application.
The easiest way to install all necessary software packages for a build environment
is to select the C/C++ Compiler and Tools selection in the YaST package manager.


Objective: 3. Understand the Concept of Shared Libraries
Summary: Shared libraries contain certain functions that are needed by many
programs. These files are loaded when an application needs a function from the
corresponding library.
A shared library consists of 2 basic parts:
- The shared object
- The header file
Some libraries are split into 2 software packages on SLES 9. To run applications,
you just need the base library package. To compile software, you also need the
header files in the package with the extension -devel.

Objective: 4. Perform a Standard Build Process
Summary: The following are the command lines needed to build software from
source, shown using the xpenguins game as an example:
- tar xzf xpenguins-2.2.tar.gz
  This extracts the source archive.
- cd xpenguins-2.2/
  This changes to the source directory.
- ./configure
  This runs the configure script.
- make
  This starts the compilation process.
- make install
  This installs the program.


SECTION 8 Perform a Health Check and Performance Tuning

In this section, you learn how to analyze the performance of a SLES 9 system, find
performance bottlenecks, and what you can do to prevent them.

Objectives
1. Find Performance Bottlenecks
2. Reduce System and Memory Load
3. Optimize the Storage System
4. Tune the Network Performance

Introduction
As with any system, sometimes the performance of a SLES 9 system is not sufficient.

Because of the complexity of today's IT systems and infrastructure, performance
bottlenecks are sometimes not easy to find. All components interact with each other,
and different kinds of server types require different measures to improve system
performance.

In this section, you learn about monitoring utilities that help you find the component
having performance problems.

You also learn some hints for solving performance problems. Remember that the
solutions for your problems need to be based on the result of your performance
analysis and depend on your system type.

No matter what measures you choose, make sure that all changes are well tested
before you enable them on the actual production system. Changes to the kernel
parameters need to be tested very carefully.

Note: For more information about Linux performance tuning, go to
http://www.redbooks.ibm.com/abstracts/redp3862.html?Open.


Objective 1 Find Performance Bottlenecks


If you need to tune system performance, it is usually because the system is too slow.
Before you make any changes, you need to identify the bottleneck that is causing the
performance problem.

Complaints from users or customers about a slow system are normally of a general
character and do not provide detailed information about the cause of a problem.

Before you start to troubleshoot a system, you should ask for more information to
gain a better overview of the whole situation. The following is a list of questions
that can help you to find the performance bottleneck:

- What kind of server is affected? This includes information about the hardware
  and the purpose of the server.
- What are the exact symptoms of the problem? The more information you have,
  the more likely you are to determine the cause of the problem.
- Does the problem occur at specific times of the day or the week? For
  example, performance problems might occur in the morning when people start to
  work or after the lunch break when people return to work.
- When and how did the problem start? Did the problem appear suddenly or
  develop slowly over several days or months?
- Who is experiencing the problems? Does just one person have the problem, or
  is it a group of people who are using the same file server?
- Can the problem be reproduced? This can be very helpful when you are
  analyzing the system.

When you have gathered enough information, you can start to analyze the system by
doing the following:

- Analyze Processes and Processor Utilization
- Analyze Memory Utilization and Performance
- Analyze Storage Performance
- Analyze Network Utilization and Performance

Analyze Processes and Processor Utilization

When you have a performance problem, you should look at the processor utilization
first. If the processor is not fast enough to run all of your applications at a reasonable
speed, this is the bottleneck you have to work on.

One way to measure processor utilization is the system load. The load value can be
displayed with various monitoring tools such as top or uptime.

On a multiprocessing operating system like Linux, multiple processes can run
virtually simultaneously. Since one processor can run only one process at a time, the
Linux kernel splits the available processing time of a CPU into short slices that are
assigned to the running processes.


To assign the CPU time, the kernel puts the running processes into a queue.
Depending on the priority of a process and the time since it was executed last, the
kernel decides which process should be executed next.

The load value is basically the average number of processes waiting in the process
queue over a specific period of time. Therefore programs like top or uptime display
load values for the last 1, 5, and 15 minutes.

On a system with a single processor, an average load value of 1 means that the full
processing capacity is used by applications and the operating system.

If the value is lower than 1, some capacity is not used. If the average value is higher
than 1, the processor is not fast enough to handle all currently running processes.

Note: On a multiprocessor system, the load value can be higher. As a rule of thumb,
the load value should not be higher than the number of processors installed in the
system.
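The rule of thumb above can be checked directly against the kernel's own numbers. The first three fields of /proc/loadavg are the 1-, 5- and 15-minute averages that top and uptime display. The following shell functions are an added example, not part of the course; the load lines they are fed are constructed samples, and the "overloaded" rule in load_verdict (both the 1- and 5-minute averages above the processor count) is a heuristic chosen for this example so that a short spike alone is not reported as a bottleneck.

```shell
#!/bin/sh
# Added example (not from the course): apply the rule of thumb above to the three
# load averages. The input line has the format of /proc/loadavg, whose first three
# fields are the 1-, 5- and 15-minute averages; the sample lines below are constructed.

# load_status LOADAVG_LINE NCPU
# Prints one word per average: "ok" if it does not exceed NCPU, "high" otherwise.
load_status() {
    printf '%s\n' "$1" | awk -v ncpu="$2" '{
        out = ""
        for (i = 1; i <= 3; i++)
            out = out (i > 1 ? " " : "") ($i > ncpu ? "high" : "ok")
        print out
    }'
}

# load_verdict LOADAVG_LINE NCPU
# Single summary: "overloaded" only when the 1- and 5-minute averages both exceed
# NCPU (a heuristic chosen for this example), otherwise "ok".
load_verdict() {
    printf '%s\n' "$1" | awk -v ncpu="$2" '{
        verdict = ($1 > ncpu && $2 > ncpu) ? "overloaded" : "ok"
        print verdict
    }'
}

# Live use on a running system:  load_status "$(cat /proc/loadavg)" "$(nproc)"
# Constructed samples (single-processor system unless noted):
load_status  "0.40 0.35 0.30 1/120 555" 1     # ok ok ok
load_status  "2.35 1.10 0.80 1/212 4321" 1    # high high ok
load_status  "2.35 1.10 0.80 1/212 4321" 4    # ok ok ok   (4 processors)
load_verdict "2.35 1.10 0.80 1/212 4321" 1    # overloaded
load_verdict "2.35 0.60 0.50 1/212 4321" 1    # ok
```

The third call shows the point of the note: the same load line that overloads a single-processor system is well within capacity on a system with four processors.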

A process that is started on a system does not always require CPU time. Depending
on the kind of work a process does, it can spend quite a lot of time waiting for I/O
operations to finish. For example, an I/O operation can be user input or data that is
read from or written to the hard disk.

During these times the processes are not waiting in the kernel's process queue and do
not influence the load value of a system. This means that an application can be slow,
but CPU time is not the reason for it.

The following is a list of monitoring utilities that can be used to display the current
CPU utilization and the average load values:

Table 8-1

Program            Description
top                Displays a sorted list of applications and the three average load
                   values for the last 1, 5, and 15 minutes. When you find that your
                   system has a high load value, top can also be very helpful to find
                   out which application is actually producing it.
uptime             uptime can also be used to display the system load in the last 1,
                   5, and 15 minutes.
mpstat             On multiprocessor systems, mpstat can be used to display the
                   utilization of each installed processor.
KDE System Guard   KDE System Guard displays a graphical representation of the
                   system load.


Analyze Memory Utilization and Performance

Another bottleneck for system performance can be caused by system memory.
Applications have to be loaded into memory before they can be executed by the CPU.
The memory is also used by the Linux kernel itself and for caching I/O operations
like network or storage access.

The memory is controlled by the Memory Management system of the Linux kernel.
Every application has to ask the kernel to allocate memory, and every application is
only allowed to write into its own memory space.

There are 2 different kinds of memory available on a Linux system:

- Physical memory. This is memory that is actually installed in the system in the
  form of memory bars or chips. Access to this kind of memory is usually very
  fast.
- Swap memory. A Linux system should have access to at least one swap
  partition. The space on this partition is used to free parts of the physical memory
  by copying temporarily unused memory pages. Access to swap memory is very
  slow compared to physical memory.

You can view the utilization of the physical and the swap memory with the free
program by entering the following:

free

The output looks like the following:

             total       used       free     shared    buffers     cached
Mem:        516204     502080      14124          0      29356     154920
-/+ buffers/cache:     317804     198400
Swap:      1036152     143320     892832

The output contains a header line followed by 3 lines of information:

- Mem. This line contains information about the physical memory. It contains the
  following details:
  - total. This entry displays the total amount of available physical memory in
    KB. The number is lower than the installed physical memory, since the
    kernel itself uses a small part of the memory.
  - used. This entry displays the amount of memory that is used by applications
    and for cached data.
  - free. This entry displays the memory that is not used and available at the
    moment.
  - shared/buffers/cached. These columns display more detailed information
    about how the memory is used.


- -/+ buffers/cache. Some of the memory on a Linux system is used to cache data
  for applications or devices. Parts of this memory can be freed when it is needed
  for other purposes. This buffer-adjusted line shows the memory that would be
  used and the memory that would be available if the buffers and the cache were
  freed.
- Swap. This line shows information about the utilization of the swap memory:
  the total, used, and free amounts.
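The relationship between the Mem line and the -/+ buffers/cache line is a simple subtraction and addition, and recomputing it from the Mem line is the quickest way to see how much memory is really committed to applications. The following shell functions are an added example, not course material; the input lines are constructed from the sample free output above, and the 10% threshold in memory_pressure is an illustrative value chosen for the example.

```shell
#!/bin/sh
# Added example (not from the course): recompute the "-/+ buffers/cache" line from
# the Mem: line of free, which makes clear what the buffer-adjusted numbers are:
#   adjusted used = used - buffers - cached
#   adjusted free = free + buffers + cached
# The input lines are constructed from the sample output above (values in KB).

# free_adjusted MEM_LINE  -> prints "adjusted_used adjusted_free"
free_adjusted() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" {
        used = $3; free = $4; buffers = $6; cached = $7
        print used - buffers - cached, free + buffers + cached
    }'
}

# swap_used_pct SWAP_LINE  -> prints the percentage of swap space in use
swap_used_pct() {
    printf '%s\n' "$1" | awk '$1 == "Swap:" && $2 > 0 { printf "%.1f\n", 100 * $3 / $2 }'
}

# memory_pressure MEM_LINE  -> "ok", or "low-memory" when less than 10% of the
# physical memory would remain free even after dropping buffers and cache
# (10% is an illustrative threshold chosen for this example)
memory_pressure() {
    printf '%s\n' "$1" | awk '$1 == "Mem:" {
        total = $2; adj_free = $4 + $6 + $7
        status = (100 * adj_free / total < 10) ? "low-memory" : "ok"
        print status
    }'
}

# Live use on a running system:  free_adjusted "$(free | grep '^Mem:')"
# Constructed lines (first three taken from the sample output above):
free_adjusted   "Mem:  516204  502080  14124  0  29356  154920"   # 317804 198400
swap_used_pct   "Swap: 1036152 143320 892832"                     # 13.8
memory_pressure "Mem:  516204  502080  14124  0  29356  154920"   # ok
memory_pressure "Mem:  516204  510000   6204  0   4000   20000"   # low-memory
```

The first call reproduces the 317804 and 198400 of the -/+ buffers/cache line exactly, which confirms that the "used" figure in the Mem line counts buffers and cache as used memory.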

As accessing the hard disk is much slower than accessing physical memory, the
performance of the whole system is affected when a lot of swap space has to be used.

Usually this happens when there is not enough physical memory to perform the
desired functionality of a system. It can also happen if an application requests much
more memory than it actually needs.

This can happen when the application crashes. It can also happen during normal
operation, when the implementation of the program is faulty. In this case, the
application has a memory leak.

You can use the top command to find programs that use a lot of memory. By default,
top sorts the process list by CPU utilization. By typing F, then n, and then pressing
Enter, you can change the sort column to memory utilization. This way the top
memory consumers are found at the top of the list.

A lot of used swap memory displayed by free can indicate a performance bottleneck
caused by a lack of physical memory, but this is not always the case. Sometimes a lot
of memory is copied to the swap partition but is never touched again. The
performance of the system is only affected when the swap memory is actually
accessed.

You can use the command vmstat to display the activity of swap memory, as in the
following:

vmstat 1

The option 1 lets vmstat repeat its output every second. This way the usage of swap
memory can be displayed over a period of time. You can terminate the program
pressing Ctrl+C.

The output of vmstat looks like the following:

procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0      4   6728  34464 244744    0    0   447    42 1216   384 15  3 74  7
 0  0      4   6728  34464 244744    0    0     0     0 1186   222  1  1 98  0
 0  0      4   6760  34464 244744    0    0     0     0 1282   299  3  0 97  0
 0  0      4   6696  34532 244744    0    0     0    68 1139   147  1  1 97  1
 0  0      4   6696  34532 244744    0    0     0     0 1105   123  0  0 98  0
 0  0      4   6696  34532 244744    0    0     0     0 1117   131  0  0 98  0


The columns si and so are of interest in this case. si stands for swap in and so for
swap out; together they show how much memory is moved between the physical
memory and the swap partition during each interval. In the example above, there is
no swap activity.

The first line of the output displays the average values since the system was started.
The lines that follow show the average values since the last output.

The following output of vmstat is captured on a different system which ran out of
memory and shows a lot of activity in swap memory:

procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  3 167880    608   4592  93400  340  188  2588   196 1223  1315  7  3  0 90
 1  3 169316   1072   4044  90352  300 1768  5968  1868 1233  1222 36  5  0 59
 1  2 170268   2520   4088  89416  288 1104  1388  1224 1260   442 23  2  0 75
 0  3 170652   1484   4020  90136  364  668  1844   808 1260  1142 12  3  0 85
 0  4 171380   1848   3544  92424  100  868  4400   940 2491  2458 11  8  0 81
 0  5 171576   1352   3504  91984  552  388  1592   388 1248  1195 15  3  0 82

In this example, there is much more activity in the si and so columns than before. The
number displayed represents the amount of memory that is copied to or from swap
memory.

A system that shows a constant vmstat output like this has a performance bottleneck
caused by a lack of physical memory.

The following are commands and an application you can use to display memory
utilization:

Table 8-2

Program            Description
free               Displays the current utilization of the physical and swap memory.
vmstat             Monitors the activity of swap memory and can also be used to
                   display other system parameters.
KDE System Guard   Offers the capability to display memory usage. Choose the signal
                   plotter visualization to follow the memory usage over a period of
                   time.

Analyze Storage Performance

The performance of the storage system can be an issue, especially on systems that
face heavy hard disk utilization like ftp, web, or other kinds of file servers.

Before you analyze the hard disk performance and utilization, you should make sure
that you don’t have any problems with a too-high system load or a lack of physical
memory.


A system where the performance problems are caused by the disk subsystem usually
shows a relatively low network and CPU utilization but a high activity of the installed
disks that is not caused by memory paging or swapping.

In this case, you can use the command vmstat to display the activity of the disk
subsystem. You start vmstat by entering the following:

vmstat 1

The program should be started on the system when the performance problem occurs.
The following is the output of a system with almost no disk operations:

procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0      4   6728  34464 244744    0    0   447    42 1216   384 15  3 74  7
 0  0      4   6728  34464 244744    0    0     0     0 1186   222  1  1 98  0
 0  0      4   6760  34464 244744    0    0     0     0 1282   299  3  0 97  0
 0  0      4   6696  34532 244744    0    0     0    68 1139   147  1  1 97  1
 0  0      4   6696  34532 244744    0    0     0     0 1105   123  0  0 100 0
 0  0      4   6696  34532 244744    0    0     0     0 1117   131  0  0 100 0

In this example, the columns of interest are bi and bo. They display the number of
blocks that are read from (bi) or written to (bo) the disk subsystem.

The following shows a system with a high utilization of the disk subsystem:

procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  2     52   5680   6100 221688    0    0     0 36160 1273  1655 42 58  0  0
 0  3    304   6896   1232 225672    0  256     4 22160 1586  1127 31 40  0 28
 1  2    304   5936   1252 226540    0    0     0 28400 1487   460 15 23  0 62
 1  0    304   7792   1276 224404    0    0     0 43328 1342   408 20 29  0 51
 1  2    304   6256   1624 224648    0    0     0 88260 1205   439 24 42  0 35
 0  2    476   6648   1672 224112    0  172     4 45452 1149  8015 29 54  0 17
 0  2    476   7672   1720 223184    0    0     8 36940 1168  8310 23 44  0 33

As you can see in the bo column, the system has to deal with a lot of write activity
to the disk subsystem.

However, a lot of data read from or written to the disk does not necessarily mean that
the disk subsystem is too slow. Depending on the available disk types and the disk
configuration, a disk load that totally blocks one system can be easily handled by
another system.
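Reading vmstat by eye works for a handful of lines, but when you let vmstat 1 run for a while it helps to average the columns and let a script say whether the machine is swapping (si/so, from the memory discussion above) or mostly busy with block I/O (bi/bo, from the disk discussion). The following shell function is an added example, not course material, and serves both passages. The three captures it classifies are constructed from the vmstat outputs shown in this section; the thresholds are illustrative values chosen for the example, not figures from the course, and must be adapted to the disks and memory of the system in question.

```shell
#!/bin/sh
# Added example (not from the course): classify a run of vmstat 1 samples as
# "swapping", "disk-bound" or "idle". The three captures are constructed from the
# outputs shown in this section; the thresholds are illustrative values for the example.

# vmstat_verdict [SWAP_THRESHOLD] [IO_THRESHOLD]   (reads vmstat output on stdin)
# Skips the two header lines and the first sample, which holds the averages since
# boot, then averages si+so (swap traffic in both directions) and bi+bo (blocks read
# and written) over the remaining samples.
vmstat_verdict() {
    awk -v swap_thr="${1:-100}" -v io_thr="${2:-10000}" '
        NR <= 3 { next }                                  # headers + since-boot line
        { n++; si += $7; so += $8; bi += $9; bo += $10 }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            swap = (si + so) / n; io = (bi + bo) / n
            verdict = "idle"
            if (swap > swap_thr)    verdict = "swapping"
            else if (io > io_thr)   verdict = "disk-bound"
            printf "%s avg_swap=%.0f avg_io=%.0f\n", verdict, swap, io
        }'
}

# Constructed capture 1: the nearly idle system shown earlier in this section.
VMSTAT_IDLE=$(cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  0      4   6728  34464 244744    0    0   447    42 1216   384 15  3 74  7
 0  0      4   6728  34464 244744    0    0     0     0 1186   222  1  1 98  0
 0  0      4   6760  34464 244744    0    0     0     0 1282   299  3  0 97  0
 0  0      4   6696  34532 244744    0    0     0    68 1139   147  1  1 97  1
 0  0      4   6696  34532 244744    0    0     0     0 1105   123  0  0 98  0
 0  0      4   6696  34532 244744    0    0     0     0 1117   131  0  0 98  0
EOF
)

# Constructed capture 2: the system that ran out of physical memory.
VMSTAT_SWAP=$(cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 0  3 167880    608   4592  93400  340  188  2588   196 1223  1315  7  3  0 90
 1  3 169316   1072   4044  90352  300 1768  5968  1868 1233  1222 36  5  0 59
 1  2 170268   2520   4088  89416  288 1104  1388  1224 1260   442 23  2  0 75
 0  3 170652   1484   4020  90136  364  668  1844   808 1260  1142 12  3  0 85
 0  4 171380   1848   3544  92424  100  868  4400   940 2491  2458 11  8  0 81
 0  5 171576   1352   3504  91984  552  388  1592   388 1248  1195 15  3  0 82
EOF
)

# Constructed capture 3: the system with a high write load on the disk subsystem.
VMSTAT_DISK=$(cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in    cs us sy id wa
 1  2     52   5680   6100 221688    0    0     0 36160 1273  1655 42 58  0  0
 0  3    304   6896   1232 225672    0  256     4 22160 1586  1127 31 40  0 28
 1  2    304   5936   1252 226540    0    0     0 28400 1487   460 15 23  0 62
 1  0    304   7792   1276 224404    0    0     0 43328 1342   408 20 29  0 51
 1  2    304   6256   1624 224648    0    0     0 88260 1205   439 24 42  0 35
 0  2    476   6648   1672 224112    0  172     4 45452 1149  8015 29 54  0 17
 0  2    476   7672   1720 223184    0    0     8 36940 1168  8310 23 44  0 33
EOF
)

# Live use on a running system:  vmstat 1 10 | vmstat_verdict
printf '%s\n' "$VMSTAT_IDLE" | vmstat_verdict    # idle avg_swap=0 avg_io=14
printf '%s\n' "$VMSTAT_SWAP" | vmstat_verdict    # swapping avg_swap=1280 avg_io=4084
printf '%s\n' "$VMSTAT_DISK" | vmstat_verdict    # disk-bound avg_swap=71 avg_io=44093
```

Swapping is tested first on purpose: the swap capture also shows considerable bi/bo traffic, because paging to and from the swap partition is itself disk I/O, so a system short of memory would otherwise be misreported as a slow disk.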

A performance problem that is caused by the disk subsystem usually occurs when a
process has to wait for data being delivered from or written to the disk.

You can use the command iostat to determine the average time a program has to wait
for data from the disk.

Note: The iostat command is not part of the SLES 9 default installation. You need to
install the package sysstat to use it.


The following command displays information about the disk device /dev/hda:

iostat -x 1 /dev/hda

The option -x enables the output of some additional information. 1 sets the interval in
which iostat repeats its output to 1 second. The device name specifies the disk that
should be monitored. If no disk is specified on the command line, all disks that are
used by the system are monitored.

The output of iostat looks like the following:

avg-cpu:  %user   %nice    %sys %iowait   %idle
           8.08    0.04    1.73    1.70   88.45

Device:    rrqm/s wrqm/s   r/s   w/s  rsec/s  wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          3.18  17.90  3.37  1.32  146.73  153.78    73.36    76.89    64.11     0.25   53.50   4.57   2.14

avg-cpu:  %user   %nice    %sys %iowait   %idle
           4.90    0.00    0.98    0.00   94.12

Device:    rrqm/s wrqm/s   r/s   w/s  rsec/s  wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0.00   0.00  0.00  0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

avg-cpu:  %user   %nice    %sys %iowait   %idle
           5.05    0.00    0.00    0.00   94.95

Device:    rrqm/s wrqm/s   r/s   w/s  rsec/s  wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0.00   0.00  0.00  0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

Every output contains two blocks of information. The first block displays
information about the CPU utilization, similar to top or uptime. The second block
shows the information about the requested disk device.

The first output represents the average values since the system was started. All
following outputs show the average values over the last update period.

The block that displays the device information shows first some details about the
amount of data that is read from or written to the device. To find out if the disk
subsystem has a performance bottleneck, focus on the following 2 columns:
n await. This column displays the average time in milliseconds an I/O request
takes from the moment it is issued until it is completed, including the time it
waits in the request queue.
n svctm. This column displays the average time in milliseconds the device itself
needs to service a request, that is, await without the queuing time.

If await is only slightly larger than svctm, the device itself is slow. If await is
many times larger than svctm and the queue length (avgqu-sz) is high, the device is
handed more requests than it can serve, and the requests pile up in the queue.

As you can see in the output above, the system in question is not really busy. The
average await time since the system was booted is 53.50 milliseconds and the average
svctm time is 2.14 milliseconds.

As you can see in the following outputs, the current disk utilization is even far
below the average, with await and svctm times of 0 milliseconds because no requests
were issued during these intervals.


Compare this with the following output of a system with a higher I/O load (this
output was produced with a locale that prints a comma as the decimal separator):

avg-cpu:  %user   %nice    %sys %iowait   %idle
          26,00    0,00   45,00   29,00    0,00

Device:    rrqm/s   wrqm/s   r/s   w/s  rsec/s   wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0,00  9198,00  4,00 39,00   32,00 73872,00    16,00 36936,00  1718,70   103,83 1430,33  23,28 100,10

avg-cpu:  %user   %nice    %sys %iowait   %idle
          20,79    0,00   39,60   39,60    0,00

Device:    rrqm/s   wrqm/s   r/s   w/s  rsec/s   wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0,00  9105,94  0,00 44,55    0,00 73140,59     0,00 36570,30  1641,60    99,97 2441,89  22,24  99,11

avg-cpu:  %user   %nice    %sys %iowait   %idle
          26,26    0,00   45,45   28,28    0,00

Device:    rrqm/s   wrqm/s   r/s   w/s  rsec/s   wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0,00 10313,13  0,00 41,41    0,00 82828,28     0,00 41414,14  2000,00    93,90 2529,10  24,41 101,11

avg-cpu:  %user   %nice    %sys %iowait   %idle
          24,00    0,00   48,00   28,00    0,00

Device:    rrqm/s   wrqm/s   r/s   w/s  rsec/s   wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0,00  9293,00  0,00 41,00    0,00 74640,00     0,00 37320,00  1820,49    92,70 2447,00  24,41 100,10

As you can see, the average await time on this system is far beyond 2000
milliseconds, and the svctm time is about ten times higher than before. The queue
length (avgqu-sz) is around 100 requests and %util stays at 100 percent, so the
device is kept permanently busy and still cannot keep up; the CPU block shows the
same picture with an %iowait near 30 percent and no idle time. Such a system cannot
fulfill the requested I/O operations at an adequate speed.
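The following script, added here as an example and not part of the course or of the
sysstat package, automates the reading described above: it parses the text that
iostat -x prints, ignores the first report (the averages since boot), and flags
devices whose await is high while %util is close to 100 percent. The sample output
and the thresholds are constructed for this example, and the diagnosis() rule that
separates a slow device from an overloaded one is a heuristic of this example, not a
sysstat feature.

```python
"""Flag overloaded block devices from the text output of iostat -x.

Added example; it is not code from the course or from the sysstat project.
It parses the report format shown above (column names as printed by the
sysstat version on SLES 9), skips the first report because that one
averages since boot, and flags a device when await is high while %util is
near 100 percent. The sample below is constructed from the figures in the
course text and keeps the comma decimal separator of that output.
"""

SAMPLE = """\
avg-cpu:  %user   %nice    %sys %iowait   %idle
          26,00    0,00   45,00   29,00    0,00

Device:    rrqm/s  wrqm/s   r/s   w/s  rsec/s   wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0,00 9198,00  4,00 39,00   32,00 73872,00    16,00 36936,00  1718,70   103,83 1430,33  23,28 100,10

avg-cpu:  %user   %nice    %sys %iowait   %idle
          20,79    0,00   39,60   39,60    0,00

Device:    rrqm/s  wrqm/s   r/s   w/s  rsec/s   wsec/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await  svctm  %util
hda          0,00 9105,94  0,00 44,55    0,00 73140,59     0,00 36570,30  1641,60    99,97 2441,89  22,24  99,11
"""


def _num(token):
    """Parse a number whether the locale printed '.' or ',' as decimal separator."""
    return float(token.replace(",", "."))


def parse_iostat(text):
    """Return one dict per report: {"cpu": {col: value}, "devices": {name: {col: value}}}."""
    reports, cpu_cols, dev_cols, current = [], None, None, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "avg-cpu:":            # header line starts a new report
            cpu_cols = parts[1:]
            current = {"cpu": {}, "devices": {}}
            reports.append(current)
        elif parts[0] == "Device:":           # column names for the device block
            dev_cols = parts[1:]
        elif current is None:
            continue
        elif cpu_cols and not current["cpu"] and len(parts) == len(cpu_cols):
            current["cpu"] = dict(zip(cpu_cols, map(_num, parts)))
        elif dev_cols and len(parts) == len(dev_cols) + 1:
            current["devices"][parts[0]] = dict(zip(dev_cols, map(_num, parts[1:])))
    return reports


def saturated_devices(reports, await_ms=100.0, util_pct=90.0):
    """Devices whose await exceeds await_ms while %util is at least util_pct.

    The first report is skipped on purpose: it averages since boot and hides
    the current state. Returns {device: [(await, svctm, avgqu-sz), ...]}.
    """
    flagged = {}
    for report in reports[1:]:
        for dev, cols in report["devices"].items():
            if cols["await"] > await_ms and cols["%util"] >= util_pct:
                flagged.setdefault(dev, []).append(
                    (cols["await"], cols["svctm"], cols["avgqu-sz"]))
    return flagged


def diagnosis(await_ms, svctm_ms, queue_len):
    """Tell a slow device apart from an overloaded one (heuristic of this example).

    If await is dominated by svctm the device itself is slow; if await is
    many times svctm and the queue is long, the device is simply handed
    more requests than it can serve.
    """
    if queue_len > 1 and await_ms > 5 * svctm_ms:
        return "overloaded: requests queue up in front of the device"
    return "slow device: most of the wait is service time"


if __name__ == "__main__":
    for dev, samples in saturated_devices(parse_iostat(SAMPLE)).items():
        for aw, sv, q in samples:
            print("%s await=%.2f ms svctm=%.2f ms avgqu-sz=%.2f -> %s"
                  % (dev, aw, sv, q, diagnosis(aw, sv, q)))
```

In a monitoring job you would feed the script the output of iostat -x run with an
interval and a count, keep the thresholds low enough to catch the onset of
saturation, and alert on the device name rather than on the raw numbers.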

The following is an overview of commands that you can use to analyze disk
utilization:

Table 8-3

  Command  Description
  vmstat   Monitors the amount of data that is read from or written to disk.
  iostat   Displays how long I/O requests from applications take.

Analyze Network Utilization and Performance

On server systems, the network connection can be a performance bottleneck. There
are many different parameters that can interfere with the network connection.

You can monitor these parameters with KDE System Guard. To start KDE System
Guard from the KDE start menu, select
System > Monitor > KDE System Guard.


The following appears:

Figure 8-1

On the left side of the window, you can browse the available monitoring sensors.
Browse to Network > Interfaces > Interface_you_want_to_monitor.

Two different blocks of sensors are available:
n Receiver. These sensors display information about the received network data.
n Transmitter. These sensors display information about the sent network data.

The following describes some of the available sensors you can use to analyze
network problems:

Table 8-4

  Sensor           Description
  Data/Packets     The amount of data or packets sent or received by the
                   interface. If performance problems occur during a high
                   network load, the network connection or type might be
                   too slow for the purpose of the server.
  Collisions       This sensor is only available for the transmitter.
                   Collisions usually occur more frequently when too many
                   hosts share the same Ethernet collision domain (such as
                   hosts that are connected with a hub instead of a switch).
                   Too many collisions have a negative impact on the
                   overall network performance.
  Dropped Packets  This sensor displays the number of packets that are
                   either dropped when they are received by the host or
                   by other network components like routers on their way
                   to the destination.
                   Too many dropped packets have a bad influence on the
                   network performance. The following are some reasons for
                   dropped packets:
                   n Network components are running at a different speed.
                     For example, the server runs at 100 Mbps, but the
                     router at only 10 Mbps.
                   n The network or system load of a server is too high to
                     handle all received network packets properly.
                   n A network component runs with a misconfigured packet
                     filter that drops network packets.
  Errors           An error occurs when a packet is transmitted but the
                   content of the packet is corrupted. This can be caused
                   by a bad physical connection or faulty network adapters.

There is also protocol specific information under Network > Sockets.

Besides problems that are caused by the network or the network setup itself, some
network services can interfere with the overall system performance. These network
services might not even be running on the same host that actually experiences the
performance problems.

The following are 3 examples of this:
n DNS. Many applications or services rely on the name resolution of the DNS
system. If a DNS server is not working properly, the application waits for the
response until the resolver times out, which slows down its operation.
n Proxy. Applications that connect to a service through a proxy server suffer from
bad performance of that system.
n NFS. Applications or services that access data that is mounted using NFS can be
blocked completely if the NFS service is not available.

The following are tools that you can use to monitor the network:

Table 8-5

  Program           Description
  KDE System Guard  Displays network utilization and different kinds of
                    transmission errors.
  Traffic-vis       Analyzes network connections to specific hosts. You
                    need to install the package traffic-vis in order to
                    use this tool.
  ip                Displays the status of an interface as well as
                    transmission errors and other counters (ip -s link).
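KDE System Guard is of no use on a server that runs without X, but the same counters
are available from the ip command. The following script is an added example, not part
of the course or of iproute2; it parses the output layout of ip -s link (an RX: or
TX: header line followed by a line of values) and reports error, drop and collision
counters that exceed a ratio of the packets seen on that interface. The sample output
and the threshold below are constructed.

```python
"""Read the per-interface counters that KDE System Guard shows, from ip -s link.

Added example, not code from the course or the iproute2 project: on a server
that runs without X, the Data/Packets, Errors, Dropped and Collisions figures
come from `ip -s link`. The parser below reads that text layout (an RX: or
TX: header line followed by a value line) and reports counters that exceed a
ratio of the packet count. The sample output is constructed.
"""

IP_S_LINK = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    4560       48       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    4560       48       0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:3a:1b:2c brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    61205347   48512    0       61      0       0
    TX: bytes  packets  errors  dropped carrier collsns
    9872210    23110    3       0       0       412
"""


def parse_ip_s_link(text):
    """Return {interface: {"rx": {counter: int}, "tx": {counter: int}}}."""
    stats, iface, pending = {}, None, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # "2: eth0: <...>" opens a new interface block
        if parts[0].rstrip(":").isdigit() and len(parts) > 1 and parts[1].endswith(":"):
            iface = parts[1].rstrip(":")
            stats[iface] = {}
            pending = None
        elif parts[0] in ("RX:", "TX:") and iface is not None:
            pending = (parts[0][:2].lower(), parts[1:])     # counter names follow
        elif pending is not None:
            direction, names = pending                      # the value line
            stats[iface][direction] = dict(zip(names, map(int, parts)))
            pending = None
    return stats


def link_findings(stats, max_ratio=0.001):
    """Counters worth a look, as (interface, direction, counter, value).

    A counter is reported when it is non-zero and larger than max_ratio of
    the packets seen in that direction; absolute counts mean little without
    the traffic volume they were measured against.
    """
    findings = []
    for iface, directions in stats.items():
        for direction, counters in directions.items():
            packets = max(counters.get("packets", 0), 1)
            for name in ("errors", "dropped", "collsns"):
                value = counters.get(name, 0)
                if value and value / packets > max_ratio:
                    findings.append((iface, direction, name, value))
    return findings


if __name__ == "__main__":
    for iface, direction, name, value in link_findings(parse_ip_s_link(IP_S_LINK)):
        print("%s %s %s=%d" % (iface, direction, name, value))
```

Because the kernel counters are cumulative since the interface came up, run the
check twice and compare the differences when you want to know whether a problem is
current rather than historical.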


Exercise 8-1 Analyze System Performance

In this exercise, you analyze system performance by doing the following:


n Part I: Analyze Processor Utilization
n Part II: Analyze Memory Utilization
n Part III: Analyze Hard Disk Utilization
n Part IV: Analyze Network Utilization

Part I: Analyze Processor Utilization

Do the following:
1. Make sure that you have installed the software selection C/C++ Compiler and
Tools as well as the package kernel-source.
If these packages are not installed, install them with the YaST software installer.
2. Open a terminal window.
3. Enter top.
Watch the information about the system load and the process list for a few
moments.
4. Open a second terminal window and su to root.
5. Enter the following commands:
cd /usr/src/linux
make cloneconfig

x If the directory /usr/src/linux does not exist, you need to install the package kernel-source.

6. When the second command finishes, start a Linux kernel compilation by entering
make bzImage.
The compilation generates a high load on the system.
7. From the first terminal window, watch the load numbers.
Notice that the load values are constantly rising. The 3 values differ because
they show the average over three different periods of time (1, 5 and 15 minutes).
8. Wait until the load average value has reached 1; then quit the compilation process
in the second terminal window by pressing Ctrl+C.
9. In the second terminal window, restore the initial state by entering make clean.
10. From the first terminal window, watch the load values for a few moments.

Notice that the values decrease.


11. End the top program by typing q.


Part II: Analyze Memory Utilization

Do the following:
1. In the first terminal window, enter vmstat 1.
2. Watch the vmstat output for a few moments, especially the columns si (swap in)
and so (swap out).
3. In the second terminal window, enter make -j bzImage.
4. In the first terminal window, watch the so and si columns.
Notice that make -j, which starts as many compile jobs in parallel as it can,
uses a lot of memory. As a result, after a few minutes (normally 3 or 4) the
system starts using swap memory.
5. In the second terminal window, stop the make process by pressing Ctrl+C.
6. In the first terminal window, watch as the swap activity declines.
7. Terminate the command vmstat by pressing Ctrl+C.
8. In the second terminal window, enter make clean.

Part III: Analyze Hard Disk Utilization

Do the following:
1. Using the YaST package manager, install the package sysstat.
2. In the first terminal window, enter the following:
iostat -x 2 /dev/hda
If your root partition is on a different device than hda (such as hdc), adjust the
command accordingly.
3. Watch the output of iostat for a while, particularly the columns await and svctm.
4. In the second terminal window, enter make -j bzImage.
5. Watch the iostat values in the columns await and svctm.
Notice that both values are rising due to high disk utilization caused by the
command make.
6. In the second terminal window, stop the command make by pressing Ctrl+C.
7. Watch how the await and svctm times decrease again.
8. End iostat by pressing Ctrl+C.
9. In the second terminal window, enter make clean.
10. Close both terminal windows.


Part IV: Analyze Network Utilization

Do the following:
1. From the KDE start menu, select System > Monitor > KDE System Guard.
2. From the menu bar, select File > New.
3. Enter a title of Network.
4. Select 2 rows and 1 columns.
5. Select OK.
6. On the left side of the KDE System Guard window, browse to Network >
Interfaces > eth0.
7. Open Receiver and Transmitter.
8. Drag the Packets sensor from the Receiver and drop it in the upper part of the
Network worksheet.
9. For the display mode, select Signal Plotter.
10. Drag the Packets sensor from the Transmitter and drop it in the lower part of the
Network worksheet.
11. For the display mode, select Signal Plotter.

12. Watch the network activity for a few moments.

13. Open a terminal window and su to root.

14. Wait until a partner has reached this step of the exercise.

15. Produce some network load with the system of your partner by entering the
following:
ping -f partner_ip_address
The -f (flood) option sends the next packet as soon as a reply arrives and
requires root privileges. Use it only against your partner's lab system, never
against production hosts.
16. Watch the network load rise in the receiver and the transmitter.

17. Terminate the ping command by pressing Ctrl+C.

18. Close the terminal window.

19. Watch how the network load goes down again.

20. Close the KDE System Guard window.

(End of Exercise)


Objective 2 Reduce System and Memory Load


If you have determined that your performance problem is caused by a high system
load, you can do the following to reduce the load:
n Analyze CPU Intensive Applications
n Run Only Required Software
n Keep Your Software Up to Date
n Optimize Swap Partitions
n Change Hardware Components

Analyze CPU Intensive Applications

A high system and memory load is often caused by a single application. You can use
the top utility to find out which process uses the most resources on your system.

Sometimes a process uses a lot of system resources because of a faulty
implementation, such as a memory leak. Usually you can determine this by restarting
the process. If the process does not use the same amount of resources after it has
been restarted, a likely cause is a faulty implementation.

In this case, you should try to get more information about the issue by searching the
Internet and the web site of the vendor or the open source project.

If the process starts to utilize the same amount of system resources after it has been
restarted, the system is probably not fast enough to run the process. Refer to "Run
Only Required Software" below for details on how to solve this issue.

Run Only Required Software

The easiest but most effective way to reduce the system load is to run only the
software that is required to fulfill the purpose of a system. This includes the
following methods:
n Run a Server System without X
n Reduce the Number of Daemon Processes

Run a Server System without X

Usually, it's not necessary to run an X server on a server system. Most administrative
tasks, including those done in YaST, can be done on the text console or remotely with
SSH or SUSE LINUX Remote Administration.

Preventing the X server from being started saves memory and CPU time, and it also
removes the X server and the display manager from the attack surface of the system.
To do so, you can switch to runlevel 3 manually by entering the following:

init 3


You can also set the default runlevel to 3 to boot the system to runlevel 3
automatically.

To change the default runlevel, you need to open the file /etc/inittab with a text
editor. In the file, look for a line like the following:
id:5:initdefault:

By changing 5 to 3, you can change the default runlevel from 5 (multiuser, network,
graphical login) to 3 (multiuser, network).

After the change, the line looks like the following:


id:3:initdefault:

Reduce the Number of Daemon Processes

In most cases, a server offers only a few services but a lot more daemons are actually
running. By reducing the number of running daemon processes, you can reduce the
processor and the memory load.

To get an overview of the current service configuration, you can use the chkconfig
command by entering the following:

chkconfig -l

The -l option lists all services and their configuration in each runlevel. For example,
the following is the output of the Apache web server:

apache2 0:off 1:off 2:off 3:on 4:off 5:on 6:off

As you can see, apache2 is enabled for runlevels 3 and 5.

Review the list and make sure that the only services that are running are those needed
in the default runlevel of your server. Every daemon that is not needed costs memory
and CPU time, and it is also attack surface: it may listen on a port, and its code has
to be kept patched. If you find a service that is not necessary, you can prevent it
from starting up at boot time by removing its start and stop links from the runlevel
directories, which chkconfig does for you.

Use a command like the following to remove a service from the init process:

chkconfig apache2 off

In this example, apache2 is disabled in all runlevels. To re-enable a service, use a
command like the following:

chkconfig apache2 3

In this example, apache2 is enabled in runlevel 3 only. To enable it in several
runlevels, list them together, as in chkconfig apache2 35.

Changing the runlevel configuration does not affect the currently running instance of
a service. If you don't want to reboot your system with the new configuration, you
need to stop a running service by calling its rc script manually.


The command in the following example stops a running instance of apache2:

rcapache2 stop
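The following script is an added example that is not part of the course. It reads the
default runlevel from the initdefault line of /etc/inittab and the output of
chkconfig -l, and lists every service that will start in that runlevel but is not on
an allowlist of the services the server is meant to provide, together with the
commands that switch it off. The inittab text, the chkconfig output and the allowlist
are constructed for this example.

```python
"""Audit the services that start in the default runlevel.

Added example, not code from the course. It reads the initdefault line of
/etc/inittab and the output of `chkconfig -l` (format as shown above), then
lists every service enabled in that runlevel that is not on an allowlist.
Each such daemon costs memory and CPU and is also attack surface that must
be patched. The inittab and chkconfig text below is constructed; the
allowlist is an assumption for this example. Services managed by xinetd are
printed by chkconfig -l in a separate block and are skipped here.
"""
import re

INITTAB = """\
# The default runlevel is defined here
id:3:initdefault:
"""

CHKCONFIG_L = """\
apache2                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
cups                      0:off  1:off  2:on   3:on   4:off  5:on   6:off
portmap                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
postfix                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
xdm                       0:off  1:off  2:off  3:off  4:off  5:on   6:off
"""

ALLOWED = {"apache2", "postfix", "sshd"}    # assumption: what this server is for


def default_runlevel(inittab_text):
    """Return N from the id:N:initdefault: line."""
    for line in inittab_text.splitlines():
        match = re.match(r"\s*id:(\d):initdefault:", line)
        if match:
            return int(match.group(1))
    raise ValueError("no initdefault line found")


def parse_chkconfig(text):
    """Map service name -> set of runlevels in which it is switched on.

    Lines without N:on/N:off fields (the xinetd block) are skipped.
    """
    services = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = [f for f in parts[1:] if re.match(r"\d:(on|off)$", f)]
        if not fields:
            continue
        services[parts[0]] = {int(f[0]) for f in fields if f.endswith(":on")}
    return services


def unexpected_services(inittab_text, chkconfig_text, allowed):
    """Services that start in the default runlevel but are not allowlisted."""
    level = default_runlevel(inittab_text)
    return sorted(name for name, levels in parse_chkconfig(chkconfig_text).items()
                  if level in levels and name not in allowed)


def disable_commands(names):
    """Commands to drop each service from all runlevels and stop the running copy."""
    return ["chkconfig %s off && rc%s stop" % (n, n) for n in names]


if __name__ == "__main__":
    for cmd in disable_commands(unexpected_services(INITTAB, CHKCONFIG_L, ALLOWED)):
        print(cmd)
```

Run against a real system, the script reads /etc/inittab and the output of
chkconfig -l; review the generated commands before executing them, because a
dependency of an allowlisted service (portmap for NFS, for example) may look
unnecessary by name alone.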

Keep Your Software Up to Date

There are many reasons to keep your software up to date. Besides closing security
holes in outdated software, up-to-date software can improve performance.

Implementation errors that lead to a high utilization of system resources might be
fixed in a newer release, and newer, faster algorithms might be used.

However, there might be exceptions to the rule. For this reason, you should test new
releases carefully before using them in a production environment.

Optimize Swap Partitions

On a system with a lot of swapping, you should usually add more main memory to
enhance the performance. However, if you can't do so, optimizing the swap partitions
can help.

First, you should make sure that you have enough available swap space. The old
rule, that you should have double the size of the physical memory as swap space, is a
bit outdated but still a reasonable starting point.

The key to speeding up the swap space is to spread it over several disks. This works
only on systems that have more than one installed disk.

Every swap partition has an entry in the file /etc/fstab that looks like the following:

/dev/hda1 swap swap 0 0

You can use more than one swap partition by creating partitions and adding these to
/etc/fstab, as in the following:

/dev/hda1 swap swap pri=1 0 0


/dev/hdb1 swap swap pri=1 0 0
/dev/hdc1 swap swap pri=1 0 0

In this example, 3 partitions are used on 3 different disks. The additional parameter
pri=1 assigns the same priority to all swap partitions.

With priority 1 assigned to all swap partitions, the kernel distributes swapped-out
pages over the partitions in turn and can use the disks in parallel. This leads to a
higher overall performance of swapping operations.

The drives that hold swap partitions should run at the same speed.

Keep in mind that pages written to swap, which can include passwords and keys held
by a process, remain on the disk in clear text until they are overwritten. Treat
swap partitions with the same care as the data partitions when a disk is reused or
disposed of.


Change Hardware Components

If the above methods to reduce the system load do not lead to a lower resource
utilization, you should consider upgrading the following hardware:
n Upgrade the CPU
n Upgrade the Memory

Upgrade the CPU

If your system shows a high system load but all other parameters like memory,
network and storage load or utilization are not significantly high, you should consider
upgrading the CPU.

However, you need to consider the following before upgrading the CPU:
n Are there significantly faster CPUs available for the type of system you are using
(socket type, BIOS support)?
n Are the rest of the system components fast enough for the new CPU? Otherwise,
you could work on one bottleneck and create a new one.
n Is the system going to be replaced in the near future?
n Are other, faster systems available in your organization that could be used
instead of the current system?

Depending on the answers to these questions, you might decide to replace the whole
system instead of just the CPU. In some cases, this might be even more economical
in the long run than just a CPU upgrade.

Upgrade the Memory

Upgrading the memory usually means installing more physical memory. The first
question you might ask is how much additional memory you should install.

A way to answer this question is to look at the amount of swap space that is used by
the system when the performance problems occur. Adding double the amount of used
swap space might be a good starting point.

However, you should also compare the cost of a memory upgrade with the cost of
installing a new system.

Remember that if you add additional physical memory, you should also add
additional swap space. However, in most cases, more than 1 GB of swap space does
not increase performance significantly.


Exercise 8-2 Reduce Resource Utilization

Do the following:
1. Log out of the KDE desktop environment and reboot your system.
2. When the KDM login appears, change to a text console by pressing Ctrl+Alt+F2.
3. Login as root.
4. Enter free.
Notice the amount of free physical memory.
5. Open the file /etc/inittab with the vi editor:
6. Look for the line id:5:initdefault: and change it to the following:
id:3:initdefault:
7. Save and close the file.
8. Reboot your system by entering reboot.
The system boots to runlevel 3.
9. Log in as root; then enter free.
10. Compare the amount of free physical memory with the number you noted earlier.

Notice that runlevel 3 uses less memory than runlevel 5.

x The success of this depends on the amount of free memory you have available on your
hardware.

11. Switch to runlevel 5 by entering init 5.

12. Log in as geeko with a password of N0v3ll.

13. Open a terminal window, su to root, and edit the line id:3:initdefault: in
/etc/inittab to change the default runlevel back to 5.

14. Save the file and close the editor.

(End of Exercise)


Objective 3 Optimize the Storage System


There are many different ways to optimize the performance of your storage systems,
including the following:
n Configure IDE Drives With hdparm
n Tune Kernel Parameters
n Tune File System Access
n Change Hardware Components

Configure IDE Drives With hdparm

You can use the tool hdparm to tune some settings of IDE hard drives. Entering the
following command displays the current settings of a drive:

hdparm -i /dev/hda

In this example, the settings of the device hda are listed.

The most important setting you can change with hdparm is DMA (direct memory
access). With DMA, data from a disk can be written directly to the main memory of a
system without CPU utilization. This enhances performance in 2 ways:
n The transfer itself is much faster than with disabled DMA.
n The CPU is not utilized and can be used for other tasks.

By default, DMA should be enabled for IDE hard disks. However, if you experience
a weak disk performance, you should check the settings. DMA can also be enabled
for CD/DVD drives, which increases performance, especially for large data transfers.

You can use following command to check the current status of the DMA
configuration:

hdparm -d /dev/hda

In this example, the DMA settings for the device hda are checked, with an output
similar to the following:

/dev/hda:
using_dma = 1 (on)

In this example, DMA is enabled for the device hda; otherwise, the variable
using_dma would have the value 0.

You can enable DMA with a command such as the following:

hdparm -d 1 /dev/hda

In this example, DMA is enabled for the device hda.


With hdparm, you can also use command line options that affect a drive's
performance. The following lists the most important options:

Table 8-6

  Parameter  Description
  -c 1       Enables 32-bit transfers of disk data over the PCI bus.
  -u 1       Permits the driver to unmask other interrupts during the
             processing of a disk interrupt, which greatly improves the
             responsiveness of Linux and eliminates serial port overrun
             errors.
  -X value   Configures the drive to use a specific transfer mode.
  -A 1       Enables read-ahead, which increases performance when dealing
             with large, sequential file operations.

x Before you change any settings with hdparm, you should make sure that important files on your
system are saved and backed up. Improper settings can lead to system crashes or data loss. For
more information, see man hdparm.

hdparm also provides an option to measure the transfer performance of a hard disk,
as in the following command for the device hda:.

hdparm -t /dev/hda

The output for this command might look like the following:

/dev/hda:
Timing buffered disk reads: 156 MB in 3.01 seconds = 51.75 MB/sec

In this example, the disk offers a sequential transfer rate of 51.75 MB/s (megabytes
per second, as printed, not megabits). To achieve valid results, you should repeat the
test several times and compare the results. In general, the test should be run at a
low system and storage load.

All changes that are made with hdparm are active only until the next reboot. To make
sure hdparm commands are executed every time the system boots, you can add them
to the file /etc/init.d/boot.local.

Tune Kernel Parameters

The components of the Linux kernel that are responsible for hard disk access offer
some parameters that can be changed at runtime.

None of these parameters are saved permanently. If you want to set them every time
the system starts up, you can enter a command to set a parameter in the file
/etc/init.d/boot.local.


Tunable parameters let you do the following:


n Tune the IO Scheduler
n Change the Read Ahead Parameter
n Change the Swappiness Parameter

Tune the IO Scheduler

Because Linux is a multitasking operating system, more than one process at a time
might need to access the hard disk.

For this reason, the Linux kernel contains a component called the I/O Scheduler. This
scheduler collects requests from the processes and hands them over to the hardware
driver that is responsible for the drive.

The SLES 9 I/O Scheduler has one parameter that you can use to tune the I/O
performance. The parameter is stored in the file
/sys/block/device/queue/iosched/quantum
where device is the name of the disk, such as hda.

The parameter determines how many I/O requests are collected in a queue before they
are handed over to the driver. By queuing the requests, the scheduler can optimize the
order of the requests.

When you use this parameter, there is a tradeoff between data throughput and latency.
Use the following rule:
n Lower value = Shorter latency but lower data throughput
n Higher value = Longer latency but higher data throughput

The default value for SLES 9 is 4 requests.

You can set the value of the parameter with a command similar to the following:

echo 6 > /sys/block/hda/queue/iosched/quantum

When you change the value, you should always benchmark your application to
measure the success of the change.

Changes to the I/O Scheduler parameters might not lead to performance
enhancements on general purpose servers. However, on systems with a high disk
utilization like database servers, it can be useful to experiment with these settings.


Change the Read Ahead Parameter

Another kernel parameter lets you determine how much data should be used for the
read-ahead. Read-ahead basically means that more data from a file is read than
requested by an application.

This is done because an application usually wants to read all data from a file, not just
the data at the beginning. You can set the read-ahead parameter in the file
/sys/block/device/queue/read_ahead_kb.

The value determines how much data (in KB) is read ahead from a file. The default
value on SLES 9 is 128 KB. Larger values can lead to a better overall throughput for
sequential reads, with the drawback of a higher latency and wasted reads for random
access patterns.

You can set the value with the following command:

echo 256 > /sys/block/device/queue/read_ahead_kb

Change the Swappiness Parameter

The swappiness parameter affects both the memory and the I/O performance. It
basically determines when a system starts to swap out data to the disk, and can be set
in the file
/proc/sys/vm/swappiness.

You can set the parameter to a value from 0 to 100. The higher the value, the more
readily the system swaps out process memory in favor of the page cache. The default
value for SLES 9 is 60.

You can set the parameter with a command like the following:

echo 40 > /proc/sys/vm/swappiness

The parameter determines how much you value the page cache over program
memory. The same setting can be made permanent with the line vm.swappiness = 40
in /etc/sysctl.conf, which is applied at boot time.
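Putting bare echo lines into /etc/init.d/boot.local means that a typo or a root disk
that is not hda fails silently at boot. The following helper is an added example, not
part of the course: it checks that the tunable file exists, that the value lies inside
a permitted range, and records the old value so a change can be undone. The
swappiness range 0..100 is the documented one; the ranges for quantum and
read_ahead_kb, and the scratch_tree() helper that builds a fake /sys and /proc under
a temporary directory, are assumptions made for this example.

```python
"""Apply the I/O scheduler, read-ahead and swappiness settings safely.

Added example, not code from the course. Instead of bare `echo value > file`
lines in /etc/init.d/boot.local, this helper checks that the sysfs or procfs
file exists (the disk may not be hda), that the value lies in a permitted
range, and records the previous value so a change can be undone. The
swappiness range 0..100 is documented; the quantum and read_ahead_kb bounds
are assumptions chosen for this example. scratch_tree() builds a fake /sys
and /proc under a temporary directory so the logic can be exercised without
touching the running kernel.
"""
import os
import tempfile

# path -> (minimum, maximum); bounds for quantum and read_ahead_kb are assumed
TUNABLES = {
    "/sys/block/hda/queue/iosched/quantum": (1, 64),
    "/sys/block/hda/queue/read_ahead_kb": (0, 4096),
    "/proc/sys/vm/swappiness": (0, 100),
}


def apply_tunable(path, value, root="/"):
    """Write value to path (below root) and return (old_value, new_value)."""
    if path not in TUNABLES:
        raise KeyError("unknown tunable %s" % path)
    low, high = TUNABLES[path]
    if not low <= value <= high:
        raise ValueError("%s: %d is outside %d..%d" % (path, value, low, high))
    full = os.path.join(root, path.lstrip("/"))
    if not os.path.isfile(full):            # e.g. the root disk is not hda
        raise FileNotFoundError(full)
    with open(full) as handle:
        old = int(handle.read().split()[0])
    with open(full, "w") as handle:
        handle.write("%d\n" % value)
    return old, value


def apply_all(settings, root="/"):
    """Apply a {path: value} map.

    Returns ({path: (old, new)} for what succeeded,
             {path: error message} for what was refused).
    """
    done, refused = {}, {}
    for path, value in settings.items():
        try:
            done[path] = apply_tunable(path, value, root)
        except (KeyError, ValueError, FileNotFoundError) as err:
            refused[path] = str(err)
    return done, refused


def scratch_tree(current):
    """Create a temporary directory holding fake tunable files with the
    given current values; returns its path (assumption made for testing)."""
    root = tempfile.mkdtemp(prefix="tunables-")
    for path, value in current.items():
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as handle:
            handle.write("%d\n" % value)
    return root


if __name__ == "__main__":
    root = scratch_tree({"/proc/sys/vm/swappiness": 60,
                         "/sys/block/hda/queue/read_ahead_kb": 128})
    done, refused = apply_all({"/proc/sys/vm/swappiness": 40,
                               "/sys/block/hda/queue/read_ahead_kb": 256,
                               "/sys/block/hda/queue/iosched/quantum": 6}, root)
    print("applied:", done)
    print("refused:", refused)
```

Called from boot.local with root="/" and run as root, apply_all() applies what it
can and leaves a record of what it refused, instead of a half-applied set of echo
commands with no indication of which one failed.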

Tune File System Access

To achieve a performance advantage for an application, you can control the way the
kernel accesses the file system by doing the following:
n Disable atime Update
n Implement File System Dependent Tuning Options


Disable atime Update

For every file Linux stores the following information:
n When the inode of the file (its metadata) was changed the last time (ctime)
n When the file was modified the last time (mtime)
n When the file was accessed the last time (atime)

To keep the atime information up to date, the kernel needs to update the atime
attribute every time a file is accessed. Updating the atime means that the kernel needs
to perform a write process, which causes additional load for the hard disk.

If the atime attribute is not important to you, you can mount a data partition with the
noatime option. Be aware that some mail readers use the atime of a mailbox to detect
new mail, and that a forensic timeline loses the last-access information for files on
such a partition.

The following shows an fstab entry for the partition /dev/hda2 that uses the noatime
option:

/dev/hda2 /data reiserfs noatime 0 0

Implement File System Dependent Tuning Options

Besides the general disk tuning options, you can also configure the file system
itself. Two examples are:
n Mount a Reiser File System With the notail Option
n Configure the Journaling Mode of Ext3

Mount a Reiser File System With the notail Option

On traditional UNIX file systems, a small file or the rest of a big file (the tail)
occupies a full block of the file system although it does not really fill the block.

Reiserfs can store this data much more efficiently in the internal structure of the
file system. However, this costs some performance. You can use the mount option
notail to disable this feature. The drawback is a less space-efficient data storage.

You can use the notail option either with the -o option of mount or in the /etc/fstab
file, as in the following:

/dev/hda2 /data reiserfs notail 0 0


Configure the Journaling Mode of Ext3

The ext3 file system offers journaling functionality. In journaling, every file system
transaction is logged in a special area of a partition, called the journal. The data in
the journal helps to restore a consistent file system in case of a system crash or a
power failure.

The ext3 file system offers 3 journaling modes that also affect the disk performance:
n data=journal. If you use this mode, the data of a transaction and the file
metadata are logged in the journal. This is the safest option for data integrity,
but all data is written twice.
n data=ordered. When an ext3 file system is mounted with this option, only the
file metadata is stored in the journal. However, it forces the file data to be written
to disk before the metadata.
This option is a good compromise between speed and reliability, and is the
default for SLES 9.
n data=writeback. This is the fastest journaling option. Metadata is logged to the
journal, but file data is not treated in a special way. The file system structure is
still recovered from the journal after a crash or a power failure, but a file that
was being written at that moment may then contain stale blocks, that is, old data
from other files, which is both a data integrity and a confidentiality problem.

You can use these options with the -o option of the mount command, or add them to
the /etc/fstab, as in the following:

/dev/hda2 /data ext3 data=writeback 0 0
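As an added example (not part of the course material), the following POSIX shell functions audit fstab entries for the three options discussed above (noatime, notail and the ext3 data= mode) and list the ext3 file systems mounted with data=writeback. The fstab content is constructed for the example; on a real system you would feed the functions /etc/fstab.

```shell
#!/bin/sh
# Added example (not part of the course): audit fstab entries for the options
# discussed in this objective: noatime, notail and the ext3 data= journaling mode.

# Constructed sample /etc/fstab content (the devices and mount points are made up).
SAMPLE_FSTAB='/dev/hda1 / reiserfs defaults 1 1
/dev/hda2 /data reiserfs noatime,notail 0 0
/dev/hda3 /srv ext3 data=writeback 0 0
/dev/hda4 /home ext3 defaults 0 0
proc /proc proc defaults 0 0'

# has_opt OPTS NAME -> succeeds when the comma-separated option list contains NAME
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# journal_mode FSTYPE OPTS -> the ext3 data= mode; "ordered" when none is given,
# since that is the SLES 9 default; "-" for file systems other than ext3
journal_mode() {
    [ "$1" = ext3 ] || { printf '%s\n' -; return; }
    mode=$(printf '%s\n' "$2" | tr ',' '\n' | sed -n 's/^data=//p' | tail -n 1)
    echo "${mode:-ordered}"
}

# fstab_report < fstab-text -> one line per entry:
#   device mountpoint fstype atime|noatime tail|notail journal-mode
fstab_report() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if has_opt "$opts" noatime; then atime=noatime; else atime=atime; fi
        if has_opt "$opts" notail; then tailopt=notail; else tailopt=tail; fi
        printf '%s %s %s %s %s %s\n' "$dev" "$mnt" "$fstype" "$atime" "$tailopt" \
            "$(journal_mode "$fstype" "$opts")"
    done
}

# writeback_entries < fstab-text -> mount points of ext3 file systems that run in
# data=writeback, the fastest mode and the one that protects file data the least
writeback_entries() {
    fstab_report | awk '$3 == "ext3" && $6 == "writeback" { print $2 }'
}

# Run against the constructed sample; on a real system use: fstab_report < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | fstab_report
printf '%s\n' "$SAMPLE_FSTAB" | writeback_entries
```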

Change Hardware Components

If none of the options mentioned above improve disk performance, you might need
to consider upgrading your hardware.

From a performance perspective, a true SCSI hardware RAID system might be the
best choice. But upgrading to a newer IDE or SCSI disk can produce some of the
same results.

However, you have to compare the costs and the estimated advantages of an upgrade
with the purchase of a new system. A hardware upgrade always carries the risk of
creating a new performance bottleneck somewhere else in the system.


Exercise 8-3 Tune an IDE Hard Drive With hdparm

In this exercise, you tune your IDE hard drive. It is assumed that the IDE hard disk is
/dev/hda. If your IDE hard disk is connected differently (such as hdc), use the
correct device name in the following steps.

Do the following:
1. Open a terminal window and su to root.
2. Make sure that the DMA mode is activated by entering the following command:
hdparm -d 1 /dev/hda
3. Run a performance test by entering the following:
hdparm -t /dev/hda
Notice the data throughput in MB/sec.
4. Disable the DMA mode by entering the following:
hdparm -d 0 /dev/hda
5. Run the performance test again by entering the following:
hdparm -t /dev/hda
Compare the result with the DMA enabled throughput.
6. Re-enable DMA by entering the following:
hdparm -d 1 /dev/hda
7. Close the terminal window.

(End of Exercise)


Objective 4 Tune the Network Performance

There are several different approaches to tuning the network performance of your
Linux system. Because of the nature of networks, this sometimes includes not only
your system but the whole network infrastructure.

The following are 2 ways you can tune network performance:
- Change Kernel Network Parameters
- Change Your Network Environment

Change Kernel Network Parameters

The Linux kernel lets you change some network parameters during runtime. This
makes sense on systems that have to deal with a lot of parallel connections (such as
web servers).

The parameters can be set with the sysctl command. To use this command, you have
to be the root user, because changing kernel parameters is not permitted for normal
users.

The most important command line parameter of sysctl is -w. With this option, you
can write a value into a kernel configuration parameter.

You can also access the kernel parameters through the proc file system, which is
mounted under /proc. You change a parameter by writing the new value into the
corresponding file below the /proc directory.


The following lists several sysctl commands and their effect on network
performance:

Table 8-7

sysctl command / Effect

sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_tw_recycle=1
    When a TCP connection has been closed, the corresponding socket stays in the
    TIME-WAIT status for a while. Setting these 2 parameters enables the reuse of
    these sockets for new connections. On a system with many TCP connections, this
    can reduce the number of open connections and the utilization of system
    resources.

sysctl -w net.ipv4.tcp_keepalive_time=900
    TCP connections are usually kept alive for a specific amount of time. After this
    time period, a system probes to see if the connection partner is still reachable.
    If not, the connection is closed and the used resources are freed. The default
    time for SLES 9 is 1800 seconds. By reducing this time, you can reduce the
    number of opened but unused connections.
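The following added example (not part of the course material) shows the relationship between a sysctl key and its file under /proc/sys, and plans the Table 8-7 changes as a dry run: it reads each parameter's current value first and only emits a sysctl -w command where the value differs. The /proc/sys tree it runs against is constructed here; tcp_tw_recycle is left out of it deliberately, as newer kernels no longer provide that parameter, and values set with sysctl -w last only until the next reboot.

```shell
#!/bin/sh
# Added example (not part of the course): the sysctl key <-> /proc/sys mapping
# described above, plus a dry run that lists which Table 8-7 settings actually
# differ from the running kernel before anything is written.

# proc_path KEY [ROOT] -> the /proc/sys file behind a sysctl key; dots become
# slashes: net.ipv4.tcp_tw_reuse -> /proc/sys/net/ipv4/tcp_tw_reuse
proc_path() {
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr '.' '/')"
}

# read_param KEY [ROOT] -> the current value, or "unavailable" when this kernel
# does not expose the parameter (for example tcp_tw_recycle on newer kernels)
read_param() {
    f=$(proc_path "$1" "$2")
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# plan_changes [ROOT] < "key value" lines -> one "sysctl -w key=value" line for
# every parameter whose current value differs from the wanted one. Parameters the
# kernel lacks are reported on stderr and skipped, so the plan never contains a
# command that would fail. Nothing is written; the caller decides what to apply.
plan_changes() {
    root=${1:-/proc/sys}
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(read_param "$key" "$root")
        if [ "$have" = unavailable ]; then
            echo "skip $key: not provided by this kernel" >&2
        elif [ "$have" != "$want" ]; then
            printf 'sysctl -w %s=%s\n' "$key" "$want"
        fi
    done
}

# The settings from Table 8-7 (900 replaces the SLES 9 keepalive default of 1800).
TABLE_8_7='net.ipv4.tcp_tw_reuse 1
net.ipv4.tcp_tw_recycle 1
net.ipv4.tcp_keepalive_time 900'

# make_sample_procsys DIR -> a constructed stand-in for /proc/sys: tcp_tw_reuse
# switched off, tcp_keepalive_time at the SLES 9 default of 1800 named in the
# text, and no tcp_tw_recycle at all, to show how a missing parameter is handled.
make_sample_procsys() {
    mkdir -p "$1/net/ipv4"
    echo 0 > "$1/net/ipv4/tcp_tw_reuse"
    echo 1800 > "$1/net/ipv4/tcp_keepalive_time"
}

# Dry run against the sample tree. Against the live kernel, drop the argument
# (plan_changes) and, as root, pipe the output to sh to apply it. Values set with
# sysctl -w last only until the next reboot.
sample=$(mktemp -d)
make_sample_procsys "$sample"
printf '%s\n' "$TABLE_8_7" | plan_changes "$sample"
rm -r "$sample"
```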


Change Your Network Environment

Because networking involves more than one system, you should consider which
changes to other hosts or your network infrastructure can improve the network
performance.

The following are some suggestions for improving network performance:
- Monitor all other system components. Before you change your network
  infrastructure, you should make sure that your problem is really caused by the
  network connection.
  Monitor all other components carefully over a longer period of time, especially
  the CPU and memory utilization.
- Limit the collision domain. If you see a lot of collisions when you monitor your
  system's network interface, there are probably too many systems that share the
  same Ethernet collision domain.
  In this case, you should restructure your network or use switches instead of hubs.
- Check cable quality. If you see a lot of transmission errors when you monitor a
  network interface, you might have a problem with your network cable. Replace
  the network cable and monitor the interface again.
- Check both sides of a connection. If your server has connectivity problems
  with a specific client and all other clients are working correctly, you should
  check the connection from the client side.
- Change network adapters. In some cases, a driver for a network adapter can be
  faulty and cause a performance bottleneck. Try switching to an adapter from a
  different vendor and monitor the system to see if performance improves.
- Upgrade to a faster network type. If other measures do not lead to improved
  performance, upgrading to a faster network technology (such as Gigabit
  Ethernet) might help.
  However, you must make sure that the other components of your system (such as
  the chipset) can handle this speed.


Summary

Objective / Summary

1. Find Performance Bottlenecks
    To find performance bottlenecks, you should monitor the following components of
    your system:
    - CPU. The value of the CPU load is measured by the average number of
      processes that are waiting to be executed.
      The load can be displayed with uptime or top. top can also be used to display
      the processes that cause the highest CPU utilization.
    - Memory. A lack of physical memory is a very common performance bottleneck.
      When the system needs to page out memory pages to swap memory, the overall
      system performance is affected.
      You can display the paging and swapping activities with the tool vmstat.
    - Storage System. A good indicator for the storage load of a system is the time
      that an application needs to wait for an I/O request and the amount of time an
      average I/O request takes.
      Both values can be displayed with the tool iostat.
    - Network components. KDE System Guard displays various parameters of
      network utilization such as packets, errors, or collisions.

2. Reduce System and Memory Load
    To reduce the system and memory load, you can do the following:
    - Determine which processes utilize most of the processing power. Determine
      whether this is a failure or part of normal operation.
    - Run only software that is required to fulfill the purpose of the system.
    - Keep your software up to date.
    - Optimize swap memory by spreading it over multiple disks.
    - Upgrade the CPU and the physical memory.

3. Optimize the Storage System
    To enhance the performance of the storage system, you can do the following:
    - Use hdparm to ensure an optimal configuration of your hard disks.
    - Set kernel parameters to optimize disk access.
    - Tune access to the file systems on your disks.
    - Exchange slow components of your storage system.

4. Tune the Network Performance
    - Adapt the network parameters of the Linux kernel for your needs.
    - Reconfigure your network environment. This includes the following:
      - Reduce the collision domain of Ethernet networks.
      - Check the physical quality of the connection (such as cables and plugs).
      - Check both sides of a faulty network connection.
      - Replace or upgrade your network equipment.


SECTION 9 Manage Hardware and Component Changes

In this section, you learn how SLES 9 handles hardware and device drivers. You also
learn how to add and replace certain types of hardware.

Objectives
1. Describe the Differences Between Devices and Interfaces
2. Describe How Device Drivers Work
3. Describe How Device Drivers Are Loaded
4. Describe the sysfs File System
5. Describe How the SLES 9 Hotplug System Works
6. Use the hwup Command
7. Add New Hardware to a SLES 9 System

Introduction
Although most hardware devices can be configured with YaST or are even
automatically detected when plugged into the system, it is sometimes helpful to
understand how things work in the background.

In this section, you are introduced to SLES 9 hardware management and how
device drivers are loaded.


Objective 1 Describe the Differences Between Devices and Interfaces

This objective uses the terms “device” and “interface.” These terms are often
confused, not only by users and administrators but also by developers of operating
systems and related tools.

This course uses the following definitions for device and interface:
- Device. A device is a real, physical piece of hardware. This can be a PCI
  network card, an AGP graphic adapter, a USB printer, or any kind of hardware
  that you can hold, feel, or break if you want to.
- Interface. An interface is a software component associated with a device. To use
  a physical piece of hardware, it needs to be accessed by a software interface.
  A device can have more than one interface.

Interfaces are usually created by a driver. In Linux, a driver is usually a software
module that can be loaded into the Linux kernel. Therefore, a driver can be seen as
the glue between a device and its interfaces.


Objective 2 Describe How Device Drivers Work

As described before, device drivers access and use a device. There are 2 basic kinds
of device drivers:
- Kernel modules. The functionality of the Linux kernel can be extended by
  kernel modules. These modules can be loaded and removed during runtime.
  They allow the kernel to provide access to hardware.
- User space drivers. Some hardware needs additional drivers that work in user
  space. Examples of this kind of hardware are printers or scanners.

The following illustrates the roles of kernel and user space drivers:

Figure 9-1 (diagram): Application -> IPP protocol -> CUPS server with printer
module (user space driver) -> USB interface -> Linux kernel with USB module
(kernel module) -> USB bus -> Printer

While the handling of user space drivers depends on the framework they are used in,
you can manage kernel modules with the following commands:
- lsmod. This command lists all loaded kernel modules. For example:
  lsmod
- modprobe. This command loads kernel modules. Because kernel modules can
  depend on each other, modprobe automatically resolves these dependencies and
  loads all required modules. For example:
  modprobe usb-storage
  In this example, modprobe loads the usb-storage module, which is needed to
  access storage devices connected to the USB bus.
  Because this module requires other USB modules, modprobe also loads these
  modules.


- rmmod. This command removes loaded kernel modules. For example:
  rmmod usb-storage
  Only modules that are not in use can be removed. In this example, the USB
  device first has to be disconnected before the usb-storage module can be
  removed.

Kernel modules are files that are stored in the directory
/lib/modules/kernel-version/.

Because modules normally work only with the kernel version they are built for, a new
directory is created for every kernel update you install.

Modules are stored in several subdirectories with a filename extension of .ko for
kernel object. When loading a module with modprobe, you can omit the extension and
use just the module name.


Objective 3 Describe How Device Drivers Are Loaded

Because it would be very inconvenient to load all kernel modules manually after
every system start, there are several methods to perform this task automatically.

The following is an overview of how device drivers are loaded in SLES 9:
- initrd. Important device drivers that are necessary to access the root partition are
  loaded from initrd. initrd is a special file that is loaded into memory by the boot
  loader. Examples of such modules are the SCSI host controller and file system
  drivers.
- initscripts. Some initscripts are dedicated to loading and setting up hardware
  devices, such as the alsa sound script for sound cards.
- hotplug. hotplug also loads kernel modules.
- X Server. Although the graphics card drivers are not kernel modules, X Server
  loads special drivers to enable hardware 3D support.
- manually. You can always load kernel modules on the command line or in
  scripts with the modprobe command or with the hwup or hwdown commands.


Objective 4 Describe the sysfs File System

In the past it was difficult to determine which interface belonged to which device.
This changed with kernel version 2.6 when the sysfs file system was introduced.

sysfs is a virtual file system that is mounted under /sys. In a virtual file system, there
is no physical device that holds the information. Instead, the file system is generated
virtually by the kernel.

sysfs represents all devices and interfaces of a Linux system. In sysfs, there are 4
main directories:
- /sys/bus and /sys/devices. These directories contain different representations of
  system hardware. Devices are represented here.
  For example, the following represents a digital camera connected to the USB
  bus:

  /sys/bus/usb/devices/1-1/

  This directory contains several files that provide information about the device.
  The following is a listing of the files in this directory:

  1-1:1.0              bMaxPower            manufacturer
  bcdDevice            bNumConfigurations   maxchild
  bConfigurationValue  bNumInterfaces       power
  bDeviceClass         detach_state         product
  bDeviceProtocol      devnum               serial
  bDeviceSubClass      idProduct            speed
  bmAttributes         idVendor             version

  For example, by reading the content from the manufacturer file, you can
  determine the manufacturer of the device:

  cat manufacturer
  OLYMPUS

  In this case, an Olympus digital camera is connected to the system.
- /sys/class and /sys/block. The interfaces of the devices are represented under
  these 2 directories.
  For example, the interface belonging to the Olympus digital camera is
  represented by the following directory:

  /sys/block/sda/

  The directory named sda is the digital camera accessed like a SCSI hard disk.
  The following is the content of the sda directory:

  dev     queue   removable   size
  device  range   sda1        stat


The subdirectory sda1 represents the interface to the first partition on the
camera's memory card. For example, by reading the content of sda1/size, you
can determine the size of the partition:

cat sda1/size
31959

The partition has a size of 31959 512-byte blocks, which is about 16 MB.

To connect an interface with a device, symbolic links are used. In the Olympus
digital camera example, a link exists from /sys/block/sda/device to the
corresponding device directory:

ll device
lrwxrwxrwx 1 root root 0 Aug 17 14:03 device ->
../../devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1:1.0/host0/0:0:0:0

In this way, all interfaces of the system are linked with their corresponding devices.

Besides the representation in sysfs, there are also the device files in the /dev directory.
These files are needed for applications to access the interfaces of a device. The name
“device file” is a bit misleading, as in our terminology the name “interface file”
would be more suitable.
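The following added example (not part of the course material) walks the sysfs layout just described: interfaces under block/, devices under devices/, joined by the relative device symlink. It derives by script what the text reads by hand (partition size in MB, the device behind an interface, the manufacturer file further up the device path). The functions take the sysfs root as an argument, defaulting to /sys; the tree they are tried on here is constructed to mirror the Olympus example, so the whole-disk size of 32000 blocks is made up.

```shell
#!/bin/sh
# Added example (not part of the course): walk the sysfs layout described above,
# interfaces under block/, devices under devices/, joined by the "device" symlink,
# and derive by script what the text reads by hand. ROOT defaults to /sys; the
# sample tree is constructed here so the walk can be tried without a camera.

# blocks_to_mb BLOCKS -> size in MB of a count of 512-byte blocks, rounded to the
# nearest MB (31959 blocks -> 16, the "about 16 MB" of the camera partition)
blocks_to_mb() {
    echo $(( ($1 * 512 + 524288) / 1048576 ))
}

# make_sample_sysfs ROOT -> a constructed tree mirroring the Olympus example: the
# interface block/sda with partition sda1, linked to a USB device under devices/
make_sample_sysfs() {
    dev='devices/pci0000:00/0000:00:1d.0/usb1/1-1/1-1:1.0/host0/0:0:0:0'
    mkdir -p "$1/block/sda/sda1" "$1/$dev"
    echo 32000 > "$1/block/sda/size"       # constructed whole-disk size
    echo 31959 > "$1/block/sda/sda1/size"  # partition size quoted in the text
    echo OLYMPUS > "$1/devices/pci0000:00/0000:00:1d.0/usb1/1-1/manufacturer"
    ln -s "../../$dev" "$1/block/sda/device"  # same relative link as ll device shows
}

# interface_device ROOT NAME -> canonical directory of the device behind block
# interface NAME; fails when the interface or its device link does not exist
interface_device() {
    (cd "${1:-/sys}/block/$2/device" 2>/dev/null && pwd -P)
}

# interface_manufacturer ROOT NAME -> content of the nearest manufacturer file on
# the way up from the linked device (for USB that is the device directory, e.g.
# 1-1), or "unknown" when there is none
interface_manufacturer() {
    top=$(cd "${1:-/sys}" && pwd -P)
    p=$(interface_device "$1" "$2") || { echo unknown; return; }
    while [ "$p" != "$top" ] && [ "$p" != / ]; do
        if [ -r "$p/manufacturer" ]; then cat "$p/manufacturer"; return; fi
        p=$(dirname "$p")
    done
    echo unknown
}

# list_block_interfaces ROOT -> "name size_mb device-directory" for every block
# interface, the join the text performs manually with cat size and ll device
list_block_interfaces() {
    for d in "${1:-/sys}"/block/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        blocks=$(cat "$d/size" 2>/dev/null || echo 0)
        printf '%s %s %s\n' "$name" "$(blocks_to_mb "$blocks")" \
            "$(interface_device "${1:-/sys}" "$name" || echo -)"
    done
}

# Try it on the constructed tree; call the functions without arguments (or with
# /sys) on a live kernel 2.6 system.
sample=$(mktemp -d)
make_sample_sysfs "$sample"
list_block_interfaces "$sample"
interface_manufacturer "$sample" sda
rm -r "$sample"
```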


Objective 5 Describe How the SLES 9 Hotplug System Works

Before you can use a hardware device, you need to load the appropriate driver
module and set up the corresponding interface. For some devices in SLES 9, this is
done by the hotplug system.

The name “hotplug” is a bit misleading, because the hotplug system sets up different
kinds of devices, not only those that are really hot pluggable, like USB or Firewire
devices.

Every action hotplug performs must be triggered by a hotplug event. Hotplug events
can be created in the following ways:
- By the Linux kernel. The Linux kernel triggers a hotplug event when a
  connection to a device is established, or when a driver is already loaded for a
  connected device.
  For example, when you plug in a USB device or insert a hotplug PCI adapter, a
  hotplug event is triggered.
- By Coldplug. Coldplug is a script that starts at boot time. It scans the system and
  creates a hotplug event for every device it finds.
  This way, the hotplug system is also used for devices that are not hot pluggable.

A hotplug event is basically a call of the script /sbin/hotplug. The kernel is
configured to call this script by an entry in /proc/sys/kernel/hotplug.

Every hotplug event has an event type. The event type is determined by a single
parameter that is passed to the hotplug script and by some additional environment
variables that can be read by the hotplug script.

The command line parameter determines the subsystem that has issued the event in
the kernel.

The following is a list of some possible parameters and the corresponding
subsystems:
- ieee1394. This is used by the Firewire subsystem of the kernel.
- usb. This is used by the USB subsystem.
- net. This is used by the networking subsystem for any kind of networking
  interface.
- pci. This is used for PCI devices.

The environment variables provided for a hotplug event depend on the event type.
Basically, the environment variables provide the action of the event (such as add
when a device has been added or remove when a device has been removed) and
additional information about the affected device.


Depending on the event type, the hotplug script starts the hotplug agents.

There are 2 basic types of hotplug agents:
- Device agents. These agents are responsible for loading kernel modules and
  calling additional commands to set up a device. To find the correct kernel
  module, they first call the hwup script, which looks for a configuration file of the
  corresponding device.
- Interface agents. When the kernel module loads, it usually registers an interface
  for the device. The registration of the interface also triggers a hotplug event,
  which might be handled by an interface agent.
  In SLES 9, an interface agent is used to set up network interfaces. Instead of
  calling hwup, the interface agent uses the ifup command, which reads the
  corresponding interface configuration file.

The hotplug agents are located in the directory /etc/hotplug/.

It might not be possible to start some devices with the hwup script, because no
configuration file can be found.

In this case, the agents have routines to find and load the correct driver module
automatically by searching module map files in the directories /etc/hotplug/ and
/lib/modules/kernelversion/.

The file /etc/hotplug/blacklist contains a list of driver modules that should never be
loaded by hotplug.

Sometimes coldplug and hotplug can cause errors during system startup; for
example, when a broken kernel module is loaded. In this case, you can switch off
both coldplug and hotplug with the following boot parameters:
- NOCOLDPLUG=1
  This switches coldplug off.
- NOHOTPLUG=1
  This switches hotplug off.

The following is the hotplug process for attaching a USB camera to the system:
1. The camera is plugged into the system.
2. The USB subsystem recognizes the camera and triggers a hotplug event by calling
the hotplug script.
3. The subsystem passes usb as the parameter to the script and provides additional
information about the new device in environment variables.
4. Because of the usb parameter, the hotplug script calls the USB hotplug agent.
5. The USB agent tries to configure the device by calling hwup.


6. If hwup fails, the agent tries to find the correct USB module by searching module
map files in /etc/hotplug and /lib/modules/kernelversion.
7. If a driver is found, the corresponding module is loaded.

The following illustrates the Linux hotplug process for a USB camera:

Figure 9-2 (diagram): Linux system -> Linux kernel -> hotplug script -> USB agent,
which first runs 1. hwup and then 2. automatic module loading from
/etc/hotplug/usb.usermap, /etc/hotplug/usb.handmap and
/lib/modules/<version>/modules.usbmap


Objective 6 Use the hwup Command

The command hwup is used by the hotplug agent to start preconfigured devices. In
this objective, you learn how to use this command and how to interpret the
corresponding configuration files.

hwup reads the device configurations from files in the directory
/etc/sysconfig/hardware/.

In order to determine the correct configuration file, the configuration filenames
follow a specific naming scheme.

The following is the filename for a PCI network adapter:

hwcfg-bus-pci-0000:02:08.0

The filename consists of the following 4 elements separated by hyphens:
- hwcfg. This is the beginning of every device configuration file.
- bus. This determines that the device is identified by the bus it is connected to.
- pci. This indicates that the device is connected to the PCI bus.
- 0000:02:08.0. This is the address of the device on the PCI bus.

You can display the PCI address of a device with the lspci command, as in the
following:

...
0000:02:08.0 Ethernet controller: Intel Corp. 82801BD PRO/100 VE (LOM)
Ethernet Controller (rev 81)
...

Other device types might use different elements in their configuration filename. For
more information about the naming scheme, see the manpage of getcfg (man getcfg).


The following lists the possible variables in a device configuration file:

Table 9-1

Variable / Description

STARTMODE
    This determines when and how a device will be started:
    - auto. The device is automatically started at boot time or by hotplug when the
      device is connected to the system.
    - manual. The device should not be started automatically, but it can be started
      manually.
    - off. The device should never be started.

MODULE
    The value of this variable determines the name of the kernel module that should
    be loaded for the device.
    If multiple modules have to be loaded, you can use this variable multiple times
    with any suffix appended. You must then use the same suffixes for multiple
    MODULE_OPTIONS variables. Example:
    MODULE_A="foo"
    MODULE_B="bar"
    MODULE_OPTIONS_A="foo-opt"
    MODULE_OPTIONS_B="bar-opt1=xyz"

MODULE_OPTIONS
    With this variable, options can be passed to the kernel module.

SCRIPT{UP,DOWN}_[type]
    This specifies the script to be called for initialization and deconfiguration of a
    specific device type.
    This script is called if the type of the device to be initialized matches the type
    given in this parameter.

SCRIPT{UP,DOWN}
    This specifies the script to be called for initialization and deconfiguration of the
    device.
    It will be called only if no matching type-specific scripts are configured.


The following is an example of a configuration file for a network adapter:

MODULE='e100'
MODULE_OPTIONS=''
STARTMODE='auto'

The module e100 is loaded, there are no options for this module, and the device is
started automatically at boot time.

The hwup command is usually called by hotplug agents, but you can also use it
manually. For example, the following command starts the network card shown in the
previous example:

hwup bus-pci-0000:02:08.0

The last 3 elements of the configuration filename specify the device.

You can use the command hwdown to deconfigure devices, as in the following:

hwdown bus-pci-0000:02:08.0
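The following added example (not part of the course material or of the hotplug package) simulates the event path of Objective 5 (hotplug script, agent, hwup, module map fallback, blacklist) using the hwcfg file format of Objective 6. It runs against a constructed directory tree standing in for /etc/sysconfig/hardware and /etc/hotplug, reads the action from the ACTION environment variable, and prints what it would load instead of calling modprobe. The module map format used here is a simplified stand-in, not the real usb.usermap format, and all addresses and module names are examples.

```shell
#!/bin/sh
# Added example (not from the course or the hotplug package): a simulation of the
# event path from Objective 5 (hotplug script -> agent -> hwup -> module map ->
# blacklist) using the hwcfg file format from Objective 6. It runs against a
# constructed directory tree and prints what it would load instead of calling
# modprobe. The map file format here is a simplified stand-in, not usb.usermap.

# make_sample_config ROOT -> stand-ins for /etc/sysconfig/hardware, /etc/hotplug/
# blacklist and a module map; the addresses and module names are examples only.
make_sample_config() {
    mkdir -p "$1/sysconfig/hardware" "$1/hotplug"
    printf "MODULE='e100'\nMODULE_OPTIONS=''\nSTARTMODE='auto'\n" \
        > "$1/sysconfig/hardware/hwcfg-bus-pci-0000:02:08.0"
    printf "MODULE='snd_old'\nSTARTMODE='off'\n" \
        > "$1/sysconfig/hardware/hwcfg-bus-pci-0000:02:09.0"
    printf "MODULE_A='foo'\nMODULE_B='bar'\nMODULE_OPTIONS_A='foo-opt'\nSTARTMODE='manual'\n" \
        > "$1/sysconfig/hardware/hwcfg-bus-pci-0000:02:0a.0"
    printf '# modules hotplug must never load\nbroken_driver\n' > "$1/hotplug/blacklist"
    printf 'bus-usb-1-1 usb-storage\nbus-usb-1-2 broken_driver\n' > "$1/hotplug/sample.map"
}

# cfg_value FILE NAME -> value of a NAME='value' line, read without sourcing the
# file so that a damaged configuration cannot execute anything
cfg_value() {
    sed -n "s/^$2=['\"]*\([^'\"]*\).*/\1/p" "$1" | tail -n 1
}

# hwup_modules ROOT DEVICE -> the modules hwup would load for DEVICE (for example
# bus-pci-0000:02:08.0): every MODULE and MODULE_<suffix> line, but never
# MODULE_OPTIONS*. Returns 1 without a hwcfg file, 2 when STARTMODE is off.
hwup_modules() {
    cfg="$1/sysconfig/hardware/hwcfg-$2"
    [ -f "$cfg" ] || return 1
    [ "$(cfg_value "$cfg" STARTMODE)" != off ] || return 2
    grep -v '^MODULE_OPTIONS' "$cfg" |
        sed -n "s/^MODULE[A-Za-z0-9_]*=['\"]*\([^'\"]*\).*/\1/p"
}

# is_blacklisted ROOT MODULE -> succeeds when the blacklist file names MODULE
is_blacklisted() {
    grep -v '^#' "$1/hotplug/blacklist" | grep -qx -- "$2"
}

# hotplug_event ROOT SUBSYSTEM DEVICE -> steps 4-7 of the USB camera walk-through:
# pick the agent by subsystem, read the action from the ACTION variable, try hwup,
# fall back to the module map, honour the blacklist. Prints "load <module>".
hotplug_event() {
    root=$1 subsystem=$2 device=$3
    case "$subsystem" in
        ieee1394|usb|net|pci) ;;
        *) echo "no agent for subsystem $subsystem" >&2; return 1 ;;
    esac
    [ -n "${ACTION:-}" ] || { echo "ACTION not set for $device" >&2; return 1; }
    [ "$ACTION" = add ] || { echo "ignore $ACTION for $device"; return 0; }
    mods=$(hwup_modules "$root" "$device") && status=0 || status=$?
    if [ "$status" -eq 2 ]; then echo "skip $device: STARTMODE=off"; return 0; fi
    if [ "$status" -eq 1 ]; then   # no hwcfg file: search the module map instead
        mods=$(awk -v id="$device" '$1 == id { print $2 }' "$root/hotplug/sample.map")
    fi
    [ -n "$mods" ] || { echo "no driver found for $device" >&2; return 1; }
    for m in $mods; do
        if is_blacklisted "$root" "$m"; then echo "refuse $m: blacklisted"; else echo "load $m"; fi
    done
}

# Replay the walk-through on the constructed tree.
sample=$(mktemp -d)
make_sample_config "$sample"
ACTION=add
hotplug_event "$sample" pci bus-pci-0000:02:08.0   # hwup finds e100
hotplug_event "$sample" usb bus-usb-1-1            # no hwcfg file: module map
hotplug_event "$sample" usb bus-usb-1-2            # map names a blacklisted module
rm -r "$sample"
```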


Exercise 9-1 Trace How a Network Adapter Is Set Up With hwup and ifup

In this exercise, you do the following:
- Part I: Boot the System with Hot- and Coldplug Disabled
- Part II: Use hwup to Load a Driver Module
- Part III: Use ifup to Set Up the Network Interface

Part I: Boot the System with Hot- and Coldplug Disabled

Do the following:
1. Log out of the KDE desktop environment and reboot your system.
2. When the SLES 9 boot screen appears, add the following to the Boot Options field:
NOCOLDPLUG=1 NOHOTPLUG=1
These parameters are case-sensitive.
3. Boot the system by pressing Enter.
4. At the KDM login screen, log in as geeko.
5. Open a terminal window.
6. Try to ping the system of a partner by entering the following:
ping partner_ip_address
Notice that the network connection is not working.

Part II: Use hwup to Load a Driver Module

Do the following:
1. From the terminal window, su to root.
2. Enter lspci.
3. Look for a line with the description Ethernet controller in the second column.
Note the PCI address (in the first column), such as the following:
0000:02:00.0
4. Look for one of the following files in /etc/sysconfig/hardware:
- hwcfg-bus-pci-address_ethernet_controller
or
- hwcfg-id-address_ethernet_controller
5. Open the file with a text editor.
6. Look for a line starting with MODULE=.
Notice the name of the module after this option. This is the hardware driver for
your network adapter.


7. Close the file.
8. Verify whether the driver has already been loaded by entering the following:
lsmod | grep hardware_driver_name
Notice that the driver has not been loaded because you have disabled Coldplug
and Hotplug.
9. Load the driver module by entering one of the following:
hwup bus-pci-address_ethernet_controller
or
hwup id-address_ethernet_controller
10. Verify that the driver is loaded by entering the following:
lsmod | grep hardware_driver_name
Notice that the driver has been loaded.

Part III: Use ifup to Set Up the Network Interface

1. Display the current configuration of the network interfaces by entering the
following:
ip address show
2. Look for a line starting with eth0.
Notice that no IP address has been assigned to the interface. Also notice the
hardware address of eth0 (displayed after the words link/ether).
3. Enter cd /etc/sysconfig/network.
4. In the directory /etc/sysconfig/network, look for a file with the following name:
ifcfg-eth-id-MAC_address
5. Open this file with a text editor.
6. Look for the option IPADDR.
This is the IP address you will assign to the device.
7. Close the file.
8. Configure the interface by entering the following:
ifup eth-id-MAC_address
9. Verify that the interface has been configured by entering the following:
ip address show
Notice that the interface has been configured and is ready to use.
10. Try to ping the system of a partner by entering the following:
ping partner_ip_address
Notice that the network connection is now working.


11. Stop the ping by pressing Ctrl+C.

12. Close the terminal window.

(End of Exercise)


Objective 7 Add New Hardware to a SLES 9 System

In general, new hardware is either detected with hotplug or can be easily configured with YaST. In some cases, however, some manual work is necessary to integrate new devices properly into the system.

In this objective, you learn how to perform the following tasks:
- Add a New Drive to the System
- Replace a Graphics Card
- Add a New Network Adapter

Add a New Drive to the System

The following explains how to add a new drive to a SLES 9 installation. For this example, assume the following:
- The system is equipped with a single hard disk and is used as a web server.
- The system is running out of disk space, so you need to add a new hard disk for the /srv directory.

Do the following:
1. Shut down the system and install the new drive.
2. Boot the system into runlevel 1 by passing the boot parameter 1 to the Linux
kernel.
3. Use YaST or command line tools to create a partition and a file system on the new
drive.
4. Mount the drive temporarily in the /mnt directory.
5. Copy the existing data from /srv to /mnt. Make sure that the file permissions copy
properly. (Use the -a option for the cp command.)
6. Verify the copied data and delete the content of the /srv directory.
7. Unmount the new hard disk.
8. Edit the file /etc/fstab to mount the new hard drive automatically at boot time.
9. Reboot the system to the default runlevel.
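Steps 5 to 8 are where the data is at risk, because the original is deleted after the copy. The shell functions below are an added example, not part of the course material, that rehearse those steps on any two directories: copy with cp -a, compare the trees with diff -r and spot-check a permission mode before anything is removed, and build the /etc/fstab line for step 8. In the lab the source would be /srv and the destination the new disk mounted on /mnt; the device name /dev/sdb1 and the ext3 type in the usage comment are placeholders, and stat -c assumes GNU coreutils as shipped with SLES.

```shell
#!/bin/sh
# Added example, not from the course manual: rehearse steps 5 to 8 of the
# "Add a New Drive" procedure on two arbitrary directories. In the lab SRC
# would be /srv and DEST the new disk mounted temporarily on /mnt.

# Step 5: copy SRC into DEST with cp -a so ownership, modes, timestamps and
# symbolic links survive, then compare both trees with diff -r. Returns 0
# only when every file in SRC has an identical counterpart in DEST.
copy_and_verify() {
    src="$1"; dest="$2"
    cp -a "$src/." "$dest/" || return 1
    diff -r "$src" "$dest" >/dev/null 2>&1 || return 1
    return 0
}

# Step 5 caveat: diff -r compares contents only, so check the permission
# bits separately. Prints "same" or "differs". stat -c is GNU coreutils.
compare_mode() {
    a=$(stat -c %a "$1"); b=$(stat -c %a "$2")
    if [ "$a" = "$b" ]; then echo same; else echo differs; fi
}

# Step 8: the /etc/fstab line. Arguments: device, mount point, file system
# type. "defaults", dump flag 1 and fsck pass 2 suit a data file system that
# is not the root file system.
fstab_line() {
    printf '%s\t%s\t%s\tdefaults\t1 2\n' "$1" "$2" "$3"
}

# Steps 5 and 6 together: the content of SRC is removed only after the copy
# has been verified, so a failed or partial copy never costs the only copy.
migrate_dir() {
    src="$1"; dest="$2"
    if ! copy_and_verify "$src" "$dest"; then
        echo "copy to $dest failed or differs; $src left untouched" >&2
        return 1
    fi
    find "$src" -mindepth 1 -delete
}

# Lab usage (placeholders for device and file system type):
#   migrate_dir /srv /mnt && fstab_line /dev/sdb1 /srv ext3 >> /etc/fstab
```

Run the functions against scratch directories first; the verification step costs one extra pass over the data and is the only thing standing between a bad cable or a full disk and a lost /srv.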

Replace a Graphics Card

When you add a new graphics card to the system, the X Server starts up with the
wrong driver configuration when booting into runlevel 5.

Note: A similar problem occurs when you replace the monitor of your system. You can also use the following instructions in this situation.

Do the following:
1. Shut down the system and replace the graphics card.
2. Boot the system into runlevel 3 by passing the boot parameter 3 to the Linux
kernel.
3. Log in as root and start sax2 to configure the new graphics card.
4. When finished, change to runlevel 5.

Add a New Network Adapter

When adding a second network adapter, you have to make sure that the interface
names of the devices are not confused.

The interface names are determined by the order of the network adapters on the PCI bus, so an adapter might get a different interface name after another one has been plugged in.

In this example, assume the following:
- The system has a single network adapter.
- The system should be used as a router, so you need to install a second adapter.

Do the following:
1. Before you install the new adapter, open the interface configuration file of the existing adapter in /etc/sysconfig/network/.
2. Add the following line to the configuration file:
PERSISTENT_NAME='external'
This ensures that the device always gets the interface name external.
3. Shut down the system and install the new network adapter.
4. Start the system and boot into runlevel 1.
5. Configure the new network adapter with YaST.
6. Open the interface configuration file of the new network adapter and add the
following line:
PERSISTENT_NAME='internal'
7. Reboot the system into the default runlevel.

With this method, the old adapter always gets the interface external while the new
adapter gets internal.
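On a router the firewall rules are written against the interface names, so if external and internal swapped after a reboot, the rules meant for the untrusted side would apply to the trusted one. The shell functions below are an added example, not part of the course material: they set PERSISTENT_NAME in an ifcfg file idempotently and check a directory of ifcfg files for a missing or duplicated name. The directory is an argument so the check can be rehearsed on a copy of /etc/sysconfig/network/; ifcfg-lo is skipped because the loopback file carries no such variable, and sed -i assumes GNU sed.

```shell
#!/bin/sh
# Added example, not from the course manual: manage PERSISTENT_NAME in the
# ifcfg files of /etc/sysconfig/network/ (the directory is an argument so the
# check can be run against a copy). GNU sed is assumed for sed -i.

# Set PERSISTENT_NAME='name' in one ifcfg file: replace an existing
# assignment or append one, so running it twice is harmless.
set_persistent_name() {
    cfg="$1"; name="$2"
    if grep -q '^PERSISTENT_NAME=' "$cfg"; then
        sed -i "s|^PERSISTENT_NAME=.*|PERSISTENT_NAME='$name'|" "$cfg"
    else
        printf "PERSISTENT_NAME='%s'\n" "$name" >> "$cfg"
    fi
}

# Print the configured name with the quotes stripped; prints nothing if the
# variable is absent.
get_persistent_name() {
    sed -n "s/^PERSISTENT_NAME='\{0,1\}\([^']*\)'\{0,1\}\$/\1/p" "$1"
}

# Return 0 when every adapter file (ifcfg-*, except the loopback file
# ifcfg-lo) carries a PERSISTENT_NAME and no two files claim the same one.
# A missing or duplicated name leaves the PCI probe order to decide which
# adapter becomes external, which is what the setting is meant to prevent.
check_persistent_names() {
    dir="$1"; seen=" "
    for cfg in "$dir"/ifcfg-*; do
        [ -f "$cfg" ] || continue
        case "$cfg" in */ifcfg-lo) continue ;; esac
        n=$(get_persistent_name "$cfg")
        if [ -z "$n" ]; then
            echo "no PERSISTENT_NAME in $cfg" >&2; return 1
        fi
        case "$seen" in
            *" $n "*) echo "PERSISTENT_NAME $n used twice, last in $cfg" >&2; return 1 ;;
        esac
        seen="$seen$n "
    done
    return 0
}
```

Running check_persistent_names before the reboot in step 7 catches the case where step 2 was skipped for the old adapter or the same name was typed twice; both would leave the naming to chance exactly when the second adapter appears.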


Summary

Objective 1: Describe the Differences Between Devices and Interfaces
- The terms device and interface are often confused. This section uses the following definitions:
  - Device. A device is a physical piece of hardware.
  - Interface. An interface is a software component that is used to access a device.
- One device can have more than one interface.
- An interface is created by a device driver.

Objective 2: Describe How Device Drivers Work
- There are 2 basic kinds of device drivers:
  - Kernel modules. Kernel modules are loaded into the Linux kernel and extend its functionality.
  - User space drivers. These drivers run within user space applications.
- Some devices require both kernel modules and user space drivers.
- You can use the following commands to manage kernel modules:
  - lsmod. Use lsmod to list loaded drivers.
  - modprobe. Use modprobe to load kernel modules.
  - rmmod. Use rmmod to remove loaded kernel modules.
- Kernel modules are files stored in the directory /lib/modules/kernel-version/.

Objective 3: Describe How Device Drivers Are Loaded
In a SLES 9 system, kernel modules are loaded in the following ways:
- From initrd
- By initscripts
- By hotplug
- By the X Server
- Manually by the user root

Objective 4: Describe the sysfs File System
- The sysfs file system provides a representation of all devices and interfaces of a system.
- Devices are represented in the directories /sys/bus and /sys/devices.
- Interfaces are represented in the directories /sys/class and /sys/block.
- A device and its interfaces are connected with file system links.

Objective 5: Describe How the SLES 9 Hotplug System Works
- The hotplug system is used to configure some devices of a SLES 9 system.
- The following is the standard hotplug process when a new device is plugged into the system:
  1. The device is plugged into the system.
  2. The USB subsystem recognizes the device and triggers a hotplug event by calling the hotplug script.
  3. The subsystem passes usb as the parameter to the script and provides additional information about the new device in environment variables.
  4. Because of the usb parameter, the hotplug script calls the usb hotplug agent.
  5. The USB agent tries to configure the device by calling hwup.
  6. If hwup fails, the agent tries to find the correct usb module by searching module mapfiles in /etc/hotplug and /lib/modules/kernelversion.
  7. If a driver is found, the corresponding module is loaded.

Objective 6: Use the hwup Command
- The hwup command is used to start preconfigured devices.
- The device configuration files are stored in the directory /etc/sysconfig/hardware/.
- The filename of the configuration file contains a unique identifier for the corresponding device.
- In the configuration file, the following variables can be used:
  - STARTMODE
  - MODULE
  - MODULE_OPTIONS
  - SCRIPT{UP,DOWN}_[type]
  - SCRIPT{UP,DOWN}

Objective 7: Add New Hardware to a SLES 9 System
In general, new hardware is either detected with hotplug or can be easily configured with YaST. In some cases, however, some manual work is necessary to integrate new devices properly into the system.
The following are 3 examples of situations that require manual configuration:
- Adding a hard drive
- Replacing a graphic adapter
- Adding a new network adapter


SECTION 10 Prepare for the Novell CLP Practicum

In this section, you work through the following scenarios to help you to prepare for
the Novell CLP (Certified Linux Professional) practicum exam:
1. Install and Configure SLES 9
2. Configure a DNS Server
3. Configure a Web Server
4. Configure a Samba File Server

You must complete Scenario 1. You can then select any of the remaining scenarios to
complete, depending on available time.

Remember that skills from all 3 Novell CLP courses might be necessary to fulfill the
required tasks.

Scenario
Digital Airlines is planning on deploying SUSE LINUX in its IT infrastructure.
During the first phase, SLES 9 will be used on the back-end systems like file, web,
and network-infrastructure servers.

As the network administrator for your Digital Airlines office, you (along with
management) have designed a migration plan which includes the following services
to be migrated to SLES 9:
- DNS services on the internal network
- Intranet Web server
- File and Print services for Windows clients

You decide to start by installing and testing these services on a computer in the test lab.


Objective 1 Install and Configure SLES 9

The following are tasks and requirements that need to be performed on the test server before installing and configuring services (such as DNS):
- Install SLES 9 from the SLES 9 installation CDs.
- Make sure that you use a partition setup that fits your needs.
- Install only the necessary applications and daemons to support a DNS server, a Web server, and a Samba file server.
- Choose a root password.
- Create one additional normal user account.
- Update the system with YOU (from server DA1) after the installation.
- Secure the GRUB boot loader with a password.
- Configure the network connection manually (with or without YaST).
- Configure runlevel 3 as the system default.
- Synchronize the system clock with DA1 using NTP.

Read through these requirements carefully, then install and configure the server.


Objective 2 Configure a DNS Server

One milestone of Digital Airlines’ move to SUSE LINUX is the implementation of Linux-based DNS servers. As a first step, you decide to set up a test DNS server in your lab.

On the SUSE LINUX test server in your lab, do the following:
- Configure a master DNS server for 5 test systems (DA10-DA14).
- Test your setup (you can use the command dig).
- The server configuration files under /etc as well as the zone files should be backed up. Write a shell script which performs a full backup every Sunday and an incremental backup on the other days using the tar tool. For test purposes, you can copy the backup files to the directory /tmp.
- Configure your backup script as a cron job which runs every day at 10 pm.
- With another student who is working on the same scenario, configure your servers to be slave DNS servers for each other.
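One way to write the backup script the third item asks for, added here as an example rather than as the course's reference solution: GNU tar's --listed-incremental option keeps a snapshot file of what has already been archived, so deleting the snapshot on Sunday produces a full backup and keeping it on the other days produces an incremental one. The function takes the weekday as an argument so the Sunday branch can be exercised on any day; in the cron job the weekday comes from date +%w. Call it once per directory to protect, for example /etc and the directory holding the zone files (that path depends on the BIND setup and is left as a placeholder). The destination under /tmp matches the test-purpose note above, and the script path in the crontab line is a placeholder as well.

```shell
#!/bin/sh
# Added example, not the course's reference solution: full backup on Sunday,
# incremental on the other days, with GNU tar's --listed-incremental snapshot
# (GNU tar assumed). Arguments: weekday as printed by `date +%w` (0 = Sunday),
# directory to back up, destination directory. Prints the archive path.
backup_run() {
    dow="$1"; src="$2"; dest="$3"
    snap="$dest/snapshot.snar"
    mkdir -p "$dest" || return 1
    if [ "$dow" -eq 0 ]; then
        # Sunday: forget what has been archived so tar stores the whole tree
        rm -f "$snap"
        kind=full
    else
        # other days: tar stores only what changed since the snapshot
        kind=incr
    fi
    archive="$dest/backup-$kind-$(date +%Y%m%d%H%M%S).tar.gz"
    # -C "$src" . keeps the paths relative so the archive restores anywhere
    tar --listed-incremental="$snap" -czf "$archive" -C "$src" . || return 1
    echo "$archive"
}

# What the cron job calls: the weekday comes from the clock.
daily_backup() {
    backup_run "$(date +%w)" "$1" "$2"
}

# The script behind the cron job would call daily_backup once per directory,
# e.g. daily_backup /etc /tmp/backup/etc and daily_backup ZONE_DIR
# /tmp/backup/zones (ZONE_DIR: wherever named keeps its zone files).
# Entry for root's crontab, 22:00 every day (script path is a placeholder):
#   0 22 * * * /usr/local/sbin/dns-backup.sh
```

Restoring means extracting Sunday's full archive first and then each later incremental archive in order; keep the snapshot file next to the archives, because losing it turns the next weekday run into an unplanned full backup rather than a broken one.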


Objective 3 Configure a Web Server


Your Digital Airlines office runs an internal web server which provides vital
information for employees. The server hosts a general portal site and a virtual host
for every department.

Because the web server needs to be migrated to SLES 9, you decide to create a
prototype system for the general portal site and 2 departments (accounting and
marketing) on the test server.

Set up the prototype system using the following guidelines:
- Install and configure an Apache web server that hosts the general portal site and 2 virtual hosts for the departments accounting and marketing.
- Use the Apache example pages as demo content.
- The virtual host for accounting should run under SSL and should only be accessible to the users in the group accounting.
- Make additional entries in the file /etc/hosts to test the virtual host setup.
- From each department, one user should be allowed to log in to the server using SSH to change the content of the virtual host. Create two normal users, JNelson and SRife, on your system. JNelson should be responsible for the marketing department and SRife for the accounting department. Use ACLs to make sure that JNelson and SRife can only read and access the content in the corresponding virtual host directory.
- All pages which you have to migrate end in .htm. Create a shell script which replaces the .htm with .html.
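A shell script for the last item, added here as an example and not the course's solution: it renames every .htm file below a directory to .html, copes with names containing spaces, and refuses to overwrite an existing .html so a migration run cannot silently replace a page. The directory argument would be the virtual host's document root.

```shell
#!/bin/sh
# Added example, not the course's solution: rename every *.htm below a
# directory to *.html. The argument would be the virtual host's document root.
# Prints the number of files renamed; files whose .html counterpart already
# exists are reported on stderr and left alone.
rename_htm() {
    dir="$1"
    # find | while copes with names that contain spaces; the braces keep the
    # counter in the same subshell as the loop so it can be printed at the end
    find "$dir" -type f -name '*.htm' | {
        count=0
        while IFS= read -r f; do
            new="${f%.htm}.html"
            if [ -e "$new" ]; then
                echo "skipping $f: $new already exists" >&2
                continue
            fi
            mv "$f" "$new" && count=$((count + 1))
        done
        echo "$count"
    }
}
```

Links inside the pages that still point at .htm names are not touched; check the Apache error log for 404s after the rename, or keep the old names reachable until the content has been fixed.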


Objective 4 Configure a Samba File Server


As part of the SUSE LINUX migration plan for your Digital Airlines office, you
need to move file and print services to a Samba server running on SLES 9.

You decide to test this migration for the marketing department on the test server in
your lab.

Set up the Samba server using the following guidelines:
- Install the Samba server and client software.
- Configure a marketing workgroup.
- Create a UNIX group named marketing.
- Create 2 normal users (PSmith and JWattson) who are members of the accounting group and are included in the file smbpasswd.
- Create one shared folder for the group accounting.
- Export the home directories of PSmith and JWattson as personal shared folders.
- Test your shares (you can use smbclient).
- Create a bash script that searches for Windows executables on the shares. If an executable is found, the file should be moved to a directory outside of the share and a mail should be sent to the root user of the Samba server. Depending on your programming skills, you can choose one of the following methods to determine if a file is a Windows executable:
  - Search for file extensions such as .exe or .com (not a secure solution).
  - Identify the file type using the command file.
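An added example for the last item, not the course's reference solution, that takes the second, content-based option: file(1) recognizes an executable by its MZ/PE header regardless of the extension, so a program renamed to .jpg is still found, while a text file called notes.exe is left alone. Files found are moved under a quarantine directory outside the share with their share-relative path preserved, a line is appended to a log, and root is mailed with mail(1) when it is installed. The share and quarantine paths are arguments; the strings matched in file's output are those of the common file implementation, and its verdict is a heuristic rather than proof.

```shell
#!/bin/sh
# Added example, not the course's reference solution: find Windows executables
# on a Samba share by content, move them to a quarantine directory outside the
# share and notify root. Share and quarantine directories are arguments.

# Return 0 when file(1) classifies the path as a Windows or DOS executable.
# The header, not the extension, decides, so a renamed .jpg is still found.
is_windows_exe() {
    file -b "$1" | grep -Eq 'PE32|MS-DOS executable'
}

# Move one file under the quarantine directory, keeping its share-relative
# path so the origin stays visible, and append a line to the quarantine log.
quarantine() {
    f="$1"; share="$2"; qdir="$3"
    rel="${f#$share/}"
    mkdir -p "$qdir/$(dirname "$rel")" || return 1
    mv "$f" "$qdir/$rel" || return 1
    printf '%s moved %s out of %s\n' "$(date '+%F %T')" "$rel" "$share" >> "$qdir/quarantine.log"
}

# Scan a share. Prints the number of files quarantined; mails root the new
# log lines when something was found and mail(1) is installed. Refuses a
# quarantine directory inside the share, which would be rescanned next run.
scan_share() {
    share="$1"; qdir="$2"
    case "$qdir" in
        "$share"/*) echo "quarantine directory must be outside the share" >&2; return 1 ;;
    esac
    find "$share" -type f | {
        n=0
        while IFS= read -r f; do
            if is_windows_exe "$f"; then
                quarantine "$f" "$share" "$qdir" && n=$((n + 1))
            fi
        done
        if [ "$n" -gt 0 ] && command -v mail >/dev/null 2>&1; then
            tail -n "$n" "$qdir/quarantine.log" |
                mail -s "Samba share $share: $n executable(s) quarantined" root
        fi
        echo "$n"
    }
}
```

Run it from cron as root so it can read every user's files; because file(1) inspects the first bytes only, an extension-based pass (the first option above) would miss exactly the files an attacker renames, which is why the scenario calls that approach insecure.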


APPENDIX A Novell CLP and LPI Requirements

This appendix provides information about the LPI Level I objectives covered in this
and the other Novell CLP certification courses.

LPI objectives numbered 1.xxx.y are part of exams 101 and 102 (LPI Certification Level 1). LPI objectives numbered 2.xxx.y are part of exams 201 and 202 (LPI Certification Level 2). CLP course references include the section number (such as 3037/3 for Course 3037, Section 3).

Because the Novell CLP courses use SUSE LINUX exclusively, there are some
differences in the software used in those courses and those covered by the LPI
objectives (such as CUPS for printing in SLES 9 and lpr in the LPI objectives).

Table A-1 LPI Objectives and CLP Courses

LPI Objective | CLP Courses

Topic 101: Hardware & Architecture
1.101.1 Configure fundamental BIOS settings | not applicable
1.101.3 Configure modem and sound cards | not applicable
1.101.4 Setup SCSI devices | not applicable
1.101.5 Setup different PC expansion cards | not applicable
1.101.6 Configure communication devices | not applicable
1.101.7 Configure USB devices | not applicable

Topic 102: Linux Installation and Package Management
1.102.1 Design hard disk layout | 3037/3, 3038/1
1.102.2 Install a boot manager | 3037/5, 3038/5
1.102.3 Make and install programs from source | 3038/7
1.102.4 Manage shared libraries | 3037/4
1.102.5 Use Debian package management | not applicable
1.102.6 Use RPM Package Manager (RPM) | 3036/5, 3037/4

Topic 103: GNU and Unix Commands
1.103.1 Work on the command line | 3036/3, 3036/5
1.103.2 Process text streams using filters | 3036/6
1.103.3 Perform basic file management | 3036/6
1.103.4 Use streams, pipes, and redirects | 3036/5, 3036/6
1.103.5 Create, monitor, and kill processes | 3036/8, 3037/6, 3038/8
1.103.6 Modify process execution priorities | 3036/8, 3037/6, 3038/8
1.103.7 Search text files using regular expressions | 3036/6
1.103.8 Perform basic file editing operations using vi | 3036/7

Topic 104: Devices, Linux Filesystems, Filesystem Hierarchy Standard
1.104.1 Create partitions and filesystems | 3037/3, 3038/1
1.104.2 Maintain the integrity of filesystems | 3037/3
1.104.3 Control mounting and unmounting filesystems | 3036/6, 3037/3
1.104.4 Managing disk quota | 3037/3
1.104.5 Use file permissions to control access to files | 3036/6, 3037/2
1.104.6 Manage file ownership | 3036/6, 3037/2
1.104.7 Create and change hard and symbolic links | 3036
1.104.8 Find system files and place files in the correct location | 3036/6

Topic 105: Kernel
1.105.1 Manage/query kernel and kernel modules at runtime | 3037/5
1.105.2 Reconfigure, build, and install a custom kernel and kernel modules | not applicable

Topic 106: Boot, Installation, Shutdown and Runlevels
1.106.1 Boot the system | 3037/5, 3038/5
1.106.2 Change runlevels and shutdown or reboot system | 3036/8, 3037/5, 3037/6

Topic 107: Printing
1.107.2 Manage printers and print queues | 3037/8
1.107.3 Print files | 3037/8
1.107.4 Install and configure local and remote printers | 3037/8

Topic 108: Documentation
1.108.1 Use and manage local system documentation | 3036/3
1.108.2 Find Linux documentation on the Internet | 3036/3
1.108.5 Notify users on system-related issues | 3036/2

Topic 109: Shells, Scripting, Programming and Compiling
1.109.1 Customize and use the shell environment | 3036/5, 3038/6
1.109.2 Customize or write simple scripts | 3038/6

Topic 110: X
1.110.1 Install and configure XFree86 | not applicable
1.110.2 Setup a display manager | not applicable
1.110.4 Install and customize a window manager environment | not applicable

Topic 111: Administrative Tasks
1.111.1 Manage users and group accounts and related system files | 3036/5, 3037/2
1.111.2 Tune the user environment and system environment variables | 3036/5, 3037/2
1.111.3 Configure and use system log files to meet administrative and security needs | 3037/6, 3038/8
1.111.4 Automate system administration tasks by scheduling jobs to run in the future | 3036/8, 3037/6
1.111.5 Maintain an effective data backup strategy | 3036/6, 3037/3, 3038/5
1.111.6 Maintain system time | 3037/8

Topic 112: Networking Fundamentals
1.112.1 Fundamentals of TCP/IP | 3036/9, 3037/7
1.112.3 TCP/IP configuration and troubleshooting | 3036/9, 3037/7, 3038/1
1.112.4 Configure Linux as a PPP client | not applicable

Topic 113: Networking Services
1.113.1 Configure and manage inetd, xinetd, and related services | 3037/9
1.113.2 Operate and perform basic configuration of sendmail | not applicable
1.113.3 Operate and perform basic configuration of Apache | 3037/8, 3038/3
1.113.4 Properly manage the NFS, smb, and nmb daemons | 3037/9, 3038/3
1.113.5 Setup and configure basic DNS services | 3038/1
1.113.7 Setup secure shell (OpenSSH) | 3037/10

Topic 114: Security
1.114.1 Perform security administration tasks | 3038/4
1.114.2 Setup host security | 3038/4
1.114.3 Setup user level security | 3037/2, 3038/4

Topic 201: Linux Kernel
2.201.1 Kernel components | not applicable
2.201.2 Compiling a kernel | not applicable
2.201.3 Patching a kernel | not applicable
2.201.4 Customizing a kernel | not applicable

Topic 202: System Startup
2.202.1 Customizing system startup and boot process | 3037/5, 3037/6
2.202.2 System recovery | 3038/5

Topic 203: Filesystem
2.203.1 Operate the Linux filesystem | 3037/3
2.203.2 Maintaining a Linux filesystem | 3037/3
2.203.3 Creating and configuring filesystem options | 3037/3

Topic 204: Hardware
2.204.1 Configuring RAID | 3038/1
2.204.2 Adding new hardware | 3038/9
2.204.3 Software and kernel configuration | 3038/1
2.204.4 Configuring PCMCIA devices | not applicable

Topic 205: Networking
2.205.1 Basic network configuration | 3036/9, 3037/7, 3038/1
2.205.2 Advanced network configuration and troubleshooting | 3036/9, 3037/7, 3038/1

Topic 206: Mail and News
2.206.1 Configuring mailing lists | not applicable
2.206.2 Using sendmail | not applicable
2.206.3 Managing mail traffic | not applicable
2.206.4 Serving news | not applicable

Topic 207: DNS
2.207.1 Basic BIND 8 configuration | not applicable
2.207.2 Create and maintain DNS zones | 3038/1
2.207.3 Securing a DNS server | 3038/1

Topic 208: Web Services
2.208.1 Implementing a web server | 3037/9, 3038/3
2.208.2 Maintaining a web server | 3037/9, 3038/3
2.208.3 Implementing a proxy server | not applicable

Topic 209: File and Service Sharing
2.209.1 Configuring a samba server | 3037/8, 3038/3
2.209.2 Configuring an NFS server | 3037/8

Topic 210: Network Client Management
2.210.1 DHCP configuration | not applicable
2.210.2 NIS configuration | 3037/8
2.210.3 LDAP configuration | 3037/8, 3038/2
2.210.4 PAM authentication | 3037/2

Topic 211: System Maintenance
2.211.1 System logging | 3037/6, 3038/8
2.211.2 Packaging software | not applicable
2.211.3 Backup operations | 3038/5

Topic 212: System Security
2.212.2 Configuring a router | not applicable
2.212.3 Securing FTP servers | not applicable
2.212.4 Secure Shell (OpenSSH) | 3037/10
2.212.5 TCP wrappers | 3037/9
2.212.6 Security tasks | 3038/4

Topic 213: System Customization and Automation
2.213.1 Automating tasks using scripts | 3037/6, 3038/6

Topic 214: Troubleshooting
2.214.2 Creating recovery disks | 3037/3, 3038/5
2.214.3 Identifying boot stages | 3037/5, 3038/5
2.214.4 Troubleshooting LILO | not applicable
2.214.5 General troubleshooting | 3038/5
2.214.6 Troubleshooting system resources | 3037/5
2.214.7 Troubleshooting network issues | 3037/7, 3038/1
2.214.8 Troubleshooting environment configurations | 3038/5
