
  • Number of slides: 178

RH133 Red Hat Enterprise Linux System Administration

Unit 1: Installation

Hardware Overview
  • Kernel Support
      - Core support: CPU, Memory, Process Management, Interrupt/Exception Handling, etc.
      - Dynamically Loadable Kernel Modules
          - Device Drivers
          - Additional Functionality
  • User Mode Access to kernel facilities
      - System Calls and Signals
      - Filesystem Device Nodes
      - Network Interfaces
          - Are not accessed through a device node but instead are accessed through a “network interface” abstraction.

CPU and Memory
  • Seven Supported Architectures: x86, Itanium 2, AMD64/EM64T, S/390, zSeries, iSeries, pSeries.
  • CPU Support on x86
      - Technical support for more than 2 physical CPUs only on AS variant (may use Hyper-Threading)
      - Up to 32 Physical CPUs with SMP or hugemem kernel.
  • Memory support on x86
      - Technical support for more than 16 GB on AS or WS
      - Standard i686/athlon kernel: 4 GB
      - SMP i686/athlon kernel: 16 GB
      - Hugemem SMP kernel: 64 GB

Preparing to Install
  • Read the RELEASE-NOTES file on the first CD or at http://www.redhat.com
  • Check Hardware Compatibility
      - Red Hat Supported Hardware List
      - Hardware compatible with Red Hat Linux
          - http://hardware.redhat.com/hcl
      - XFree86 supported video cards
          - http://xorg.freedesktop.org
          - http://www.x.org/wiki

Multiboot systems
  • Red Hat Enterprise Linux and the GRUB boot loader can co-exist with other operating systems, including the following:
      - Windows NT/2000/XP/2003
      - DOS, Windows 3.x/9x/ME
      - NetBSD, FreeBSD and other open systems.
  • Two major issues arise when implementing multiboot systems:
      - Partitioning and the boot process.
  • A boot loader such as System Commander or NTLDR is already on the system and will launch GRUB as a secondary boot loader.

Device Node Examples
  • Block devices:
      - hd[a-t]: IDE devices
      - sd[a-z]+: SCSI devices
      - fd[0-7]: Standard floppy drives
      - md[0-31]: software RAID metadisks
      - loop[0-15]: loopback devices
      - ram[0-9]: ramdisks
  • Character devices:
      - tty[0-31]: virtual consoles
      - ttyS[0-9]+: Serial ports
      - lp[0-3]: Parallel ports
      - null: infinite sink (the bit bucket)
      - zero: infinite source of zeros
      - [u]random: sources of random information
      - fb[0-31]: framebuffer devices
  • Symbolic links:
      - /dev/cdrom --> /dev/hd[a-t], /dev/sd[a-z]+
      - /dev/modem --> /dev/ttyS[0-9]+
      - /dev/pilot --> /dev/ttyS[0-9]+

The RHEL Installer
  • First Stage Installer Images
      - diskboot.img – VFAT filesystem image for bootable media larger than a floppy
          - You will need to use the dd command to move this image to your media. For instance: dd if=diskboot.img of=/dev/sda
          - Floppy installation is no longer supported
      - boot.iso -- ISO 9660 bootable CD image
          - Booting from boot.iso is the same as passing the askmethod argument to the installer when booting from CD 1.
          - You can create a bootable CD using the cdrecord command. For instance: cdrecord dev=/dev/hdc boot.iso
      - pxeboot directory
          - Pre-boot Execution Environment (PXE) provides for a diskless installation.
          - Read /usr/share/doc/syslinux-2.11/pxelinux.doc
  • Second Stage Installer
      - Graphical or textual
      - Can be invoked in noprobe or Kickstart mode
      - Once located and loaded by the first stage, drives the remainder of the installation process.

Installer Features
  • noprobe and Kickstart modes available
  • mediacheck tests media integrity
  • Multiple Interfaces:
      - Graphical
          - Starts X server and a GUI installer
          - Can be started in lowres mode.
          - Works with hard drive, CDROM, NFS installation
          - Graphical is the default
      - Text
          - Menu-based terminal interface
          - Works with all installation methods (ftp and http)

RHEL Installation Overview
  • Language, keyboard and mouse selection
  • Media selection if applicable
  • Disk partitioning
  • Bootloader configuration
  • Network and firewall configuration
  • Authentication setup
  • Package selection
  • X server configuration

Partitioning Hard Drives
  • Hard drives are divided into partitions.
  • Partitions normally contain file systems.
      - Primary, extended and logical partitions
      - The default filesystem is ext3
      - Multiple partitions may be assembled into a larger virtual partition: software RAID and LVM
  • Filesystems are accessed via a mount point, which is a designated directory in the file system hierarchy.

Software RAID
  • Redundant Array of Inexpensive Disks
      - Multiple partitions on different disks combined into one RAID device
      - Fault tolerance, larger disk size, performance
  • Install-time RAID levels:
      - RAID 0: Striping (no redundancy)
      - RAID 1: Mirroring
      - RAID 5: Striping with distributed parity

Configuring File Systems
  • Must select mount points, partition sizes, and file system types in the installer
      - Can set up manually or automatically
  • There are many layouts which may be used
      - / must include /etc, /lib, /bin, /sbin, /dev
      - Swap space is typically 2x physical RAM
      - Typical mount points: /boot, /home, /usr, /var, /tmp, /usr/local, /opt

Network Configuration
  • Can configure each NIC independently
      - DHCP or static IP configuration
      - Determine if automatically activated on boot

LVM: Logical Volume Manager
  • Manages storage on one or more partitions as virtual partitions, or logical volumes
      - Real partitions are physical volumes and are assigned to a volume group (a virtual disk)
      - Disk space in the volume group is divided into extents which are assigned to a logical volume
  • Easy to resize logical volumes
      - Add a physical volume to the volume group and assign the new extents to the logical volume.

Firewall Setup
  • Installer can set up a kernel mode stateful packet filter
  • Choice of two settings: “Enabled” and “No Firewall”
  • “Trusted Devices” can bypass the firewall
  • Can allow access to arbitrary services.

Security Enhanced Linux
  • Access control determines what actions processes can perform on what objects
      - Discretionary Access Control (Traditional Linux)
          - Users control permissions on objects
      - Mandatory Access Control (SELinux)
          - System policy restricts permissions which can be granted.

SELinux Installation Options
  • Installation Options:
      - Disabled
      - Warn (Permissive)
      - Active (default) (Enforcing)

Package Selection
  • Package Selection
      - Universally (“Everything”)
      - By predefined components
          - Defined in RedHat/base/comps.xml
      - Individually

Validating Installation
  • Virtual consoles during installation
  • Post-boot validation
      - dmesg and /var/log/dmesg
      - /var/log/messages
      - /root/install.log
  • GRUB drops to a prompt if there is a problem loading files.

noprobe Mode and Driver Disks
  • Method for supporting hardware newer than the install program
  • Used at install time for less common hardware
  • Prompt for Driver Disk
      - When run in noprobe mode
      - When started with: linux dd
      - When no PCI devices are detected.

Post-Install Configuration
  • Setup Agent (firstboot)
      - Configure X Window System if necessary
      - Set date and time
      - Register with Red Hat Network and get updated RPMs
      - Install additional RPMs or Red Hat Documentation from CDROM
      - Set up users
  • system-config-* configuration tools

Unit 2: System Initialization and Services

Boot Sequence Overview
  • BIOS initialization
  • Boot Loader
  • Kernel Initialization
  • init starts and enters desired run level by executing:
      - /etc/rc.d/rc.sysinit
      - /etc/rc.d/rc and /etc/rc.d/rc?.d
      - /etc/rc.d/rc.local
      - X Display Manager if appropriate

BIOS initialization
  • Peripherals detected
  • Boot device selected
  • First sector of boot device read and executed

Boot Loader Components
  • Boot Loader
      - 1st Stage – small, resides in MBR or boot sector
      - 2nd Stage – loaded from boot partition
  • Minimum specifications for Linux:
      - Label, kernel location, OS root filesystem and location of the initial ramdisk (initrd)
  • Minimum specification for other OS:
      - Boot device, label

GRUB and grub.conf
  • GRUB – The Grand Unified Bootloader
      - Command-line interface available at boot prompt
      - Boot from ext2/ext3, ReiserFS, JFS, FAT, minix, or FFS filesystems
      - Supports MD5 password protection
  • /boot/grub/grub.conf
  • Changes to grub.conf take effect immediately
  • If MBR on /dev/hda is corrupted, reinstall the first stage bootloader with:
      - /sbin/grub-install /dev/hda

Starting the Boot Process: GRUB
  • Image selection
      - Select with space followed by up/down arrows on the boot splash screen
  • Argument passing
      - Change an existing stanza in menu editing mode
      - Issue boot commands interactively on the GRUB command line

init Initialization
  • init reads its config: /etc/inittab
      - Initial run level
      - System initialization scripts
      - Run level specific script directories
      - Trap certain key sequences
      - Define UPS power fail/restore scripts
      - Spawn gettys on virtual consoles
      - Initialize X in run level 5

Kernel Initialization
  • Kernel boot time functions
      - Device detection
      - Device driver initialization
      - Mounts root filesystem read only
      - Loads initial process (init)

/etc/rc.d/rc.sysinit
  • Important tasks include:
      - Activate udev and selinux
      - Sets kernel parameters in /etc/sysctl.conf
      - Sets the system clock
      - Loads keymaps
      - Enables swap partitions
      - Sets hostname
      - Root filesystem check and remount
      - Activate RAID and LVM devices
      - Enable disk quotas
      - Check and mount other filesystems
      - Cleans up stale locks and PID files.

System V run levels
  • Run level defines which services to start
      - Each run level has a corresponding directory
          - /etc/rc.d/rcX.d
      - The System V init scripts reside in:
          - /etc/rc.d/init.d
      - Symbolic links in the run level directories call the init.d scripts with a start or stop argument.

Daemon Processes
  • A daemon process is a program that is run in the background, providing some system service
  • Two types of daemons:
      - Standalone
      - Transient – Controlled by the “Super-daemon” xinetd

/etc/rc.d/rc
  • Initializes the default run level per the /etc/inittab file initdefault line, such as
      - id:3:initdefault:
  • 10:0:wait:/etc/rc.d/rc 0
  • 11:1:wait:/etc/rc.d/rc 1
  • 12:2:wait:/etc/rc.d/rc 2
  • 13:3:wait:/etc/rc.d/rc 3   <--- (run level 3)
  • 14:4:wait:/etc/rc.d/rc 4
  • 15:5:wait:/etc/rc.d/rc 5
  • 16:6:wait:/etc/rc.d/rc 6
  • 17:7:wait:/etc/rc.d/rc 7
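
Knowing exactly which services the default run level starts is the first step in trimming a host's exposure. The script below is an added example, not part of the slides: it reads the initdefault line and the S links of the matching run level directory, using a constructed sample tree whose file and service names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). The tree built by make_sample_tree
# is constructed sample data that mimics the layout of /etc/rc.d.

# Print the run level named on the initdefault line of an inittab file.
default_runlevel() {
    awk -F: '$1 !~ /^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# List, in start order, the services that run level $2 starts under root $1.
# Start order is the two-digit number after "S"; the shell glob sorts by it.
started_services() {
    for link in "$1/rc$2.d"/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # glob matched nothing
        name=${link##*/}            # e.g. S55sshd
        name=${name#S[0-9][0-9]}    # e.g. sshd
        if [ -e "$link" ]; then
            printf '%s\n' "$name"
        else
            # The link points at an init script that does not exist
            printf '%s (dangling link)\n' "$name"
        fi
    done
}

# Build a small constructed rc.d tree under directory $1.
make_sample_tree() {
    mkdir -p "$1/init.d" "$1/rc3.d" "$1/rc5.d"
    cat > "$1/inittab" <<'EOF'
# constructed sample inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
EOF
    for svc in network syslog sshd xinetd; do
        printf '#!/bin/sh\n' > "$1/init.d/$svc"
        chmod +x "$1/init.d/$svc"
    done
    ln -s ../init.d/network "$1/rc3.d/S10network"
    ln -s ../init.d/syslog  "$1/rc3.d/S12syslog"
    ln -s ../init.d/sshd    "$1/rc3.d/S55sshd"
    ln -s ../init.d/xinetd  "$1/rc3.d/K50xinetd"   # K link: stopped in this level
    ln -s ../init.d/cups    "$1/rc3.d/S90cups"     # target script is absent
}

demo() {
    root=$(mktemp -d)
    make_sample_tree "$root"
    level=$(default_runlevel "$root/inittab")
    echo "default run level: $level"
    started_services "$root" "$level"
    rm -rf "$root"
}
demo
```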

/etc/rc.d/rc.local
  • Run after the run level specific scripts
  • Common place for custom modification
  • In most cases it is recommended that you create a System V init script in /etc/rc.d/init.d unless the service you are starting is so trivial it doesn’t warrant it.
  • Existing scripts can be used as a starting point.

Virtual Consoles
  • Multiple independent VT100-like terminals
  • Defined in /etc/inittab
  • Accessed with Ctrl-Alt-F_key from an X session
  • /dev/ttyn: virtual console n
      - /dev/tty0: the current virtual console
  • Default Red Hat Enterprise Linux Configuration
      - 12 consoles defined
      - Consoles 1-6 accept logins
      - X server starts on the first available console, usually 7.

Controlling Services
  • Utilities to control default service startup
      - system-config-services: graphical utility that requires an X interface
      - ntsysv: ncurses based utility usable in virtual consoles
      - chkconfig: a fast, versatile command line utility that works well and is usable with scripts and Kickstart installations
  • Utilities to control services manually
      - service: immediately start or stop a standalone service
      - chkconfig: immediately starts and stops xinetd-managed services.

System Shutdown
  • Shutting down the system
      - shutdown -h now
      - halt
      - poweroff
      - init 0

System Reboot
  • Rebooting rarely fixes problems in Linux
      - If you feel a reboot is necessary, try bringing the system down to runlevel 1 and then back up to runlevel 3 or 5. This is much faster than a reboot.
  • Rebooting the system:
      - shutdown -r now
      - reboot
      - init 6

Unit 3: Kernel Services and Configuration

Kernel Modules
  • Modular kernel components
      - Components that need not be resident in the kernel for all configurations and hardware
          - Peripheral device drivers
          - Supplementary filesystems
      - Modules configurable at load time
  • /lib/modules
  • Controlling Modules
      - lsmod, modprobe
  • Kernel Tainting

Kernel Module Configuration
  • Module examination: /sbin/modinfo
      - Parameters, license
  • Module configuration: /etc/modprobe.conf
      - Aliases, parameters, actions
  • Module dependencies: modules.dep, depmod
  • Manual control: insmod, rmmod

The /proc filesystem
  • /proc is a vital filesystem containing information about the running kernel
  • Contents of “files” under /proc may be viewed using cat
  • Example
      - cat /proc/interrupts
  • Provides information on system hardware, networking settings and activity, memory usage, and more.

The /proc filesystem, cont’d
  • /proc subdirectories
  • The /proc/sys subdirectory allows administrators to modify certain parameters of a running kernel.

/proc/sys configuration with sysctl
  • /proc/sys modifications are temporary and not saved at system shutdown
  • The sysctl command manages such settings in a static and centralized fashion:
      - /etc/sysctl.conf
  • sysctl is called at boot time by rc.sysinit and uses settings in /etc/sysctl.conf

General Hardware Resources
  • dmesg and /var/log/dmesg
  • kudzu
      - /etc/sysconfig/hwconf
      - /usr/share/hwdata/
  • /proc filesystem
  • hwbrowser

System Bus Support
  • PCI Bus
      - /sbin/lspci
      - /proc/bus/pci
  • ISA Bus
      - /proc/isapnp

Hotswappable Bus Support
  • USB and IEEE 1394 Buses
      - /sbin/hotplug, (/etc/hotplug/)
      - Information in /proc/bus subdirectories
      - /sbin/lsusb and /sbin/usbmodules utilities
      - USB devices in /dev/usb
  • PCMCIA Bus
      - /sbin/cardmgr, (/etc/pcmcia/)
      - Information in /proc/bus/pccard
      - /sbin/cardctl utility

System Monitoring and Process Control
  • top, gnome-system-monitor – display snapshot of processes
  • vmstat – reports virtual memory stats
  • iostat – lists information on resource usage, including I/O statistics
  • free – summary of system memory usage
  • renice – change priority of a process
  • kill – send system signal to a process

Unit 4: Filesystem Management

System Initialization: Device Recognition
  • Master Boot Record (MBR) contains:
      - Executable code to load operating system
      - Space for partition table information, including:
          - Partition id and type
          - Starting cylinder for partition
          - Number of cylinders for partition

Disk Partitioning
  • An extended partition points to additional partition descriptors
  • Total maximum number of partitions supported by the kernel:
      - 63 for IDE drives
      - 15 for SCSI drives
  • Why partition drives?
      - Containment, performance, quotas, recovery

Managing Partitions
  • Create partitions using:
      - fdisk
      - sfdisk
      - GNU parted – Advanced partition manipulation (create, copy, resize, etc.)
  • partprobe – reinitializes the kernel’s in-memory version of the partition table.

Managing Data: Filesystem creation
  • mkfs
  • mkfs.ext2, mkfs.ext3, mkfs.minix, mkfs.msdos
  • Specific filesystem utilities may be called directly
      - mke2fs [options] device

Journaling for ext2 filesystems: ext3
  • ext3 is essentially an ext2 filesystem that uses a journal for file transactions automatically.
  • ext3 filesystems can be created natively or easily converted from ext2
  • ext3 has three journaling modes:
      - Ordered – the default, journals only meta-data
      - Journaled – journals data as well as meta-data
      - Writeback – journal updates are not automatic, but gives better performance at possible expense of data integrity.

Managing Data: mount
  • mount [options] [device] [mount_point]
  • device (or filesystem label) points to the filesystem to mount.
  • mount_point is the directory under which the files on the filesystem will be located.

Managing Data: mount options
  • -t vfstype (vfat, ext2, ext3, iso9660, etc.)
      - Not normally needed
  • -o options
      - Default options for the ext2/ext3 filesystem:
          - rw, suid, dev, exec, auto, nouser, and async

Managing Data: Unmounting Filesystems
  • umount [options] device | mnt_point
  • A filesystem “in use” may not be unmounted
      - Use fuser to check and/or kill processes
  • Use the remount option to change a mounted filesystem’s options “automatically”
      - mount -o remount,ro /data

Managing Data: Filesystem Labels
  • Alternate way to refer to devices
  • Device independent
      - e2label
      - mount [options] LABEL=fslabel mount_point

Managing Data: mount, by example
  • Sample filesystem requirements met using options:
      - Disabling execute access
      - Mounting a filesystem image
      - Mounting a PC-compatible filesystem.
      - Disabling access time updates.
      - Setting up a mount alias

Managing Data: Connecting Network Resources
  • Mounting NFS resources
      - Requires hostname or address of server
      - Requires name of exported directory
  • Mounting SMB resources
      - Requires hostname and address of server
      - Requires share name
      - May require username and password

Managing Data: /etc/fstab
  • Configuration of the filesystem hierarchy
  • Used by mount, fsck, and other programs
  • Maintains the hierarchy between system reboots
  • May use filesystem volume labels in the device field
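
Because the mount defaults include suid, dev and exec, any fstab entry that does not switch them off leaves them enabled. The script below is an added example, not part of the slides: it resolves the option field of each entry left to right and reports which of the three remain in effect, using a constructed sample fstab whose devices and mount points are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides). sample_fstab prints constructed data.

# For each filesystem in an fstab (file argument or stdin), print the mount
# point followed by whichever of suid/dev/exec is still in effect, or "-".
audit_fstab() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    NF < 4 || $3 == "swap"   { next }   # malformed entries and swap space
    {
        s = 1; d = 1; x = 1             # mount defaults: suid, dev, exec
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {      # later options override earlier ones
            o = opt[i]
            if (o == "defaults") { s = 1; d = 1; x = 1 }
            # user, users and owner imply nosuid,nodev,noexec (see mount(8))
            else if (o == "user" || o == "users" || o == "owner") { s = 0; d = 0; x = 0 }
            else if (o == "suid")   s = 1
            else if (o == "nosuid") s = 0
            else if (o == "dev")    d = 1
            else if (o == "nodev")  d = 0
            else if (o == "exec")   x = 1
            else if (o == "noexec") x = 0
        }
        flags = ""
        if (s) flags = flags " suid"
        if (d) flags = flags " dev"
        if (x) flags = flags " exec"
        print $2 (flags == "" ? " -" : flags)
    }' "$@"
}

# Constructed sample fstab; devices, labels and mount points are made up.
sample_fstab() {
    cat <<'EOF'
# device                   mount point    type     options                       dump pass
LABEL=/                    /              ext3     defaults                      1 1
LABEL=/boot                /boot          ext3     defaults,nosuid,nodev         1 2
/dev/VolGroup00/LogVol02   /tmp           ext3     defaults,noexec,nosuid,nodev  1 2
/dev/hda5                  /home          ext3     rw,nosuid,nodev               1 2
/dev/hda6                  swap           swap     defaults                      0 0
/dev/cdrom                 /media/cdrom   iso9660  noauto,owner,ro               0 0
/dev/fd0                   /media/floppy  auto     noauto,user,exec              0 0
none                       /dev/shm       tmpfs    defaults                      0 0
EOF
}

sample_fstab | audit_fstab
```

Run it against a real system with audit_fstab /etc/fstab; the output shows what the next mount of each entry will allow, not the options of filesystems that are already mounted.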

Managing Data: The auto-Mounter
  • System administrator specifies mount points to be controlled by the automounter daemon process.
  • The automounter monitors access to these directories and mounts the filesystem on request.
  • Filesystems automatically unmounted after a specified interval of inactivity.
  • Enable /etc/auto.net to “browse” all NFS exports on the network.

ext2/ext3 Filesystem Attributes
  • ext2 and ext3 support attributes that affect the manipulation of the file data.
      - lsattr displays file attributes
      - chattr changes file attributes
  • Some attributes are not currently supported by the Linux kernel.

Virtual Memory
  • Swap space is a supplement to system RAM
  • Basic setup involves:
      - Create swap partition or file
      - Write special signature using mkswap
      - Add appropriate entries to /etc/fstab
      - Activate swap space with swapon -a

Filesystem Maintenance
  • Maintaining consistency with fsck
  • Filesystems checked at boot up
  • sulogin session started if errors are severe
  • lost+found
  • tune2fs
  • dumpe2fs
  • debugfs
  • parted

Adding a Drive
  • Physically connect the new drive
  • Create partitions
  • If required, reread partition table with partprobe
      - Verify with fdisk -l and cat /proc/partitions
  • Create filesystems for new partitions, or
      - Write signature to new swap partitions
  • Optionally create disk label
  • Create any needed mount points
  • Add new entries to /etc/fstab

Unit 5: Network Configuration

Device Recognition
  • All drivers for network interface cards are built as modules
  • Networking scripts reference logical interface names, e.g.:
      - eth0
  • /etc/modprobe.conf maps logical names to specific module names
  • Example:
      - alias eth0 3c59x

Network Interfaces
  • Interface Names:
      - Ethernet: eth0, eth1, ethN
      - Token Ring: tr0, tr1, trN
      - FDDI: fddi0, fddi1, fddiN
      - PPP: ppp0, ppp1, pppN
  • Data link layer addresses
      - ifconfig

mii-tool
  • Views and controls the negotiated media speed (100baseTX, 10baseT) of some ethernet cards.
  • Useful for forcing specific ethernet speed and duplex settings
  • Changes with mii-tool should be made on inactive interfaces.

ifconfig
  • Used to configure and set IP address on network interfaces
      - Not usually called directly, but by other scripts
  • Also used to view properties of active and inactive network interfaces.

ifup/ifdown
  • if(up|down) interface
  • Start and stop network interfaces
  • Take care of details specific to interface
      - Changing/adding/deleting routes
      - Obtains addresses as needed
          - BOOTP, DHCP

Interface configuration file
  • ifcfg-xxx
  • Located in:
      - /etc/sysconfig/network-scripts/
  • Configuration methods
      - Static
      - dhcp
      - bootp

Configuration Utilities
  • netconfig
      - Text-based network configuration tool
      - Only writes config files. Does not activate device or changes. Use ifup/ifdown to activate changes
      - Used by kudzu when new network card found at boot time.
  • system-config-network
      - GNOME-based network configuration tool
      - Can be launched by a non-privileged user, but requires authentication as root.

Binding multiple IP addresses
  • Use multiple IP addresses on a NIC
      - Virtual interface(s)
  • For a small number of IPs, create an ifcfg file for each virtual interface
      - ifcfg-ethX:xxx
  • For a large number of IPs, create an ifcfg range file
      - ifcfg-ethx-rangeX

DHCP/BOOTP
  • The dhclient daemon manages client-side DHCP and BOOTP
      - For DHCP, dhclient:
          - Obtains a lease
          - Performs automatic lease renewal
  • Normally run by ifup/ifdown
  • Can be run manually to force renewal or release of a lease

Global Network Parameters
  • /etc/sysconfig/network
      - NETWORKING=yes|no
      - HOSTNAME=<fqdn by default>
      - GATEWAY=<gateway IP>
      - NISDOMAIN=<nis

Default Route
  • Global default defined in:
      - /etc/sysconfig/network
          - GATEWAY=xxx.xxx
  • Default gateway can also be defined in /etc/sysconfig/network-scripts/ifcfg-XXX
      - ifcfg-xxx default overrides global default routes
      - GATEWAY=xxx.xxx

Static Routes
  • Connected networks
      - Linux kernel automatically creates a network route for connected networks
  • Static routes defined per interface
      - /etc/sysconfig/network-scripts/route-eth0
      - /etc/sysconfig/networking/devices/eth0.route
  • Display with:
      - route -n
      - netstat -rn

Name Resolution
  • hostname – display or set the system’s name
      - Is initially set by rc.sysinit from $HOSTNAME variable
      - /etc/sysconfig/network
  • /etc/hosts – local database of hostname to IP address mappings
      - Checked before DNS
      - Useful for small isolated networks

DNS client configuration
  • /etc/resolv.conf
      - Defines which name servers to use
      - Servers are checked in order listed

DNS Utilities
  • Useful utilities in bind-utils RPM package include:
      - host: gather host/domain information
          - host ns1.redhat.com
          - host -a redhat.com
      - dig: send queries to name server directly
          - dig @ns1.redhat.com mx redhat.com
      - nslookup

Network diagnostics
  • ping:
      - Network packet loss and latency measurement tool
  • traceroute, mtr
      - Display network path to a destination
  • netstat
      - Multi-purpose network information tool

Unit 6: RPM and Kickstart

The RPM Way
  • Package installation is never interactive
  • Applies to all software (core OS and addons)
  • No such thing as a patch to a package

RPM Package Manager
  • RPM Components
      - local database
      - rpm and related executables
      - package files
  • Primary functions
      - install/remove
      - query
      - verify
      - build

Installing and Removing Software
  • Primary RPM Options:
      - Install: rpm -i, --install
      - Upgrade: rpm -U, --upgrade
      - Freshen: rpm -F, --freshen
      - Erase: rpm -e, --erase
  • Output Options: -v, -h
  • URL support: ftp:// (with globbing), http://
  • Many other install-options are available to address special cases.

Updating a Kernel RPM
  • Make sure to install kernel updates
  • Do not use rpm -U or rpm -F!
      - rpm -ivh kernel-version.arch.rpm
      - Boot new kernel to test
      - Revert to old kernel if a problem arises
      - rpm -e kernel-olderversion if no problems

rpm queries
  • Syntax:
      - rpm -q what_packages what_information
  • Installed Package options:
      - rpm -qa: lists installed packages
      - rpm -qf filename: shows owning package
      - rpm -qi package_name: general information
      - rpm -ql package_name: lists files in package
  • Uninstalled Package Options
      - rpm -qip packages_file.i386.rpm
      - rpm -qlp packages_file.i686.rpm

rpm verification
  • Installed RPM file verification:
      - rpm -V package_name
      - rpm -Vp package_file.i386.rpm
      - rpm -Va
  • Signature verification BEFORE package install:
      - rpm --import gpg_key
      - rpm --checksig package_file.i386.rpm
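
The output of rpm -Va is long and mostly routine configuration changes, so it helps to separate those from changes to binaries. The script below is an added example, not part of the slides: it triages verify output by the attribute flags documented in rpm(8), run here over constructed sample lines; the function name, the severity labels and the assumption that paths contain no spaces are choices made for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). sample_verify_output prints
# constructed lines in the format documented for rpm -V in rpm(8):
#   <flags> [attribute marker] <path>
# Flags: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime; "." means the check passed. Marker "c" means a %config file.

# Read rpm -V / rpm -Va output on stdin and print "<level> <path> <reasons>"
# for entries whose content, mode or ownership changed, or that are missing.
# Config files are reported as "review", everything else as "ALERT".
# Entries that differ only in size or mtime are dropped as noise.
rpm_verify_triage() {
    awk '
    NF < 2 { next }
    {
        flags  = $1
        path   = $NF                       # assumes no spaces in the path
        marker = (NF >= 3) ? $2 : ""
        reasons = ""
        if (flags == "missing") {
            reasons = "missing"
        } else {
            if (index(flags, "5")) reasons = reasons ",content"
            if (index(flags, "M")) reasons = reasons ",mode"
            if (index(flags, "U") || index(flags, "G")) reasons = reasons ",owner"
            sub(/^,/, "", reasons)
        }
        if (reasons == "") next
        level = (marker == "c") ? "review" : "ALERT"
        print level, path, reasons
    }'
}

# Constructed sample of rpm -Va output; the paths are illustrative only.
sample_verify_output() {
    cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
.M......    /usr/bin/passwd
S.5....T    /bin/ls
missing     /usr/sbin/sshd
.......T  c /etc/inittab
.M5..UG.    /usr/bin/sudo
EOF
}

sample_verify_output | rpm_verify_triage
```

On a live system the same filter is used as rpm -Va | rpm_verify_triage. The result is only as trustworthy as the RPM database and the rpm binary on that host.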

Other RPM Utilities and Features
  • rpm2cpio: file extraction
  • rpmdb-redhat: distribution database
      - rpm --redhatprovides filename
      - rpm --redhatprovides capability
  • system-config-packages

Automatic Dependency Resolution
  • Automatic installation of dependent packages
  • Invoked with --aid option
  • Use in conjunction with rpmdb-redhat
  • Macro can indicate where package files are found.

Red Hat Network (RHN)
  • RHN Components
      - RHN Account
      - System identity
      - /usr/sbin/up2date
      - rhnsd daemon and queued actions
  • Advantages
      - Errata concurrency
      - Collective and remote administration
      - Bare metal provisioning

RHN in the Enterprise
  • Management Entitlements
      - System grouping
      - Multiple administrators
  • Proxy Server
      - Updates cached locally conserving bandwidth
      - Private channels
  • Satellite Server
      - Client profiles stored locally
      - Custom channel management
      - Provisioning Module

RHN Registration
- /usr/sbin/up2date
- Remote information
  - username, password, system name
  - Hardware profile
  - Software profile (RPM list)
  - Subscribed channel
- Local digital certificate
  - /etc/sysconfig/rhn/systemid

The up2date utility
- Interactive or batch invocations
- Functions
  - Freshen with published errata/updates
  - Install new packages
  - Resolve package dependencies
- /usr/sbin/up2date-config
  - Install or download only
  - Cache dir: /var/spool/up2date

Remote Administration
- Web based administration
- https://rhn.redhat.com
- Queuing of actions
- Local polling: rhnsd
  - Every 4 hours by default
    - Tuned in /etc/sysconfig/rhnsd
  - /usr/sbin/rhn_check does the hard work.

Network Installation Server
- Necessary for network-based installs
- Often faster than CDROM-based installation methods
- Provides an easy distribution platform for the enterprise
- Shares the RedHat directory via NFS, FTP and/or HTTP

Using Kickstart to automate Installation
- Kickstart is a component of the installer that automates an installation
- Kickstart supports all installation methods.
- The installer reads information from an ASCII file rather than prompting for it
- Kickstart files can be made available via floppy, cdrom, hard disk, initrd, nfs, ftp and http.
- They can also be dynamically generated using cgi scripts and specified using dhcp/pxe.

Kickstart: Commands Section
- Constructs arguments that are passed to configuration utilities ("commands")
- The absence of required specifications (e.g., keyboard) will raise the appropriate utility.
- Commands section must come first.

Kickstart: %packages
- Specifies component groups and RPMs to install.
- Component groups in the comps.xml file are specified with @ component-group
- Third party RPMs cannot be specified without modifying hdlist
- Package names only (not version).

Kickstart: %pre, %post
- %pre gives you the first word
  - Executes as a bash shell script
  - Executes after kickstart file is parsed
- %post gives you the final word
  - Can specify interpreter (bash is default)
  - chroot'ed by default, but may be run without chroot.

Unit 7: User Administration

User Policy Considerations
- Amount of system access outside of user's account
  - Determine "need to know"
- Expiration of passwords and accounts
- Disk usage and CPU limits

User Account Database: /etc/passwd
- Contains account information used at login and by other programs
  - One account per line with seven colon-delimited fields
  - Should have permission rw-r--

Adding a New User Account
- Most common method is useradd:
  - useradd username
- Running useradd is equivalent to:
  - Edit /etc/passwd, /etc/shadow, /etc/group
  - Create and populate home directory
  - Set permissions and ownership
- Set account password using passwd
- Accounts may be added in a batch with newusers.

User Private Groups
- When user accounts are created, a private group is also created with the same name.
  - Users are assigned to this private group.
  - User's new files are affiliated with this group.
- Advantage: Prevents new files from belonging to a "public" group.
- Disadvantage: May encourage making files "world-accessible"

Group Administration
- Entries to /etc/group
  - groupadd
  - groupmod
  - groupdel

Modifying/Deleting Accounts
- To change fields in a user's /etc/passwd entry you can:
  - Edit the file by hand
  - Use usermod [options] username
- To remove a user either:
  - Manually remove the user from /etc/passwd, /etc/shadow, /etc/group, /var/spool/mail
  - Use userdel [-r] username

Password Aging Policies
- By default, passwords do not expire.
- Forcing passwords to expire is part of a strong security policy.
- Modify default expiration settings in /etc/login.defs
- To modify password aging for existing users, use the chage command
  - chage [options] username
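The seven-field /etc/passwd layout and the "passwords do not expire by default" point can both be checked mechanically. The script below is an added example, not part of the course slides: it audits passwd-format and shadow-format input. The sample accounts and placeholder hashes are constructed, and the 90-day maximum is an assumed policy value.

```bash
#!/bin/sh
# Added example: audit account and password-aging data.

# Constructed /etc/passwd-format sample.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
frodo:x:500:500:Frodo:/home/frodo:/bin/bash
samwise:x:501:501::/home/samwise:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
gandolf::502:502:Gandolf:/home/gandolf:/bin/bash
nazgul:x:503:503:/home/nazgul:/bin/bash
EOF
}

# Constructed /etc/shadow-format sample; the hashes are placeholders.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
sample_shadow() {
    cat <<'EOF'
root:$1$PLACEHOLDER:12800:0:99999:7:::
bin:*:12800:0:99999:7:::
frodo:$1$PLACEHOLDER:12800:1:90:7:14::
samwise:$1$PLACEHOLDER:12800:0:99999:7:::
gandolf::12800:0::7:::
EOF
}

# stdin: passwd-format lines. Reports malformed entries, extra UID 0
# accounts and entries with an empty password field.
audit_passwd() {
    awk -F: '
    NF != 7                                      { print "FIELDS", $1; next }
    $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print "UID0", $1 }
    $2 == ""                                     { print "NOPASS", $1 }
    '
}

# stdin: shadow-format lines; $1: policy maximum age in days.
# Skips locked accounts (hash starting with * or !). A max field that
# is empty or 99999 means the password never expires.
audit_aging() {
    awk -F: -v max="${1:-90}" '
    $2 ~ /^[*!]/ { next }
    $5 == "" || $5 + 0 >= 99999 {
        print "NOEXPIRE", $1, "fix: chage -M " max " " $1
        next
    }
    $5 + 0 > max + 0 {
        print "TOOLONG", $1, "max=" $5, "fix: chage -M " max " " $1
    }
    '
}

sample_passwd | audit_passwd
sample_shadow | audit_aging 90
```

New accounts take their default maximum age from PASS_MAX_DAYS in /etc/login.defs, so fixing existing users with chage does not change what useradd creates next.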

Login Shell Scripts
- /etc/profile
  - /etc/profile.d/*.sh
- ~/.bash_profile
  - ~/.bashrc
    - /etc/bashrc

Non Login Shell Scripts
- ~/.bashrc
  - /etc/bashrc
    - /etc/profile.d/*.sh

Switching Accounts
- Syntax:
  - su [-] [user] -c command
- Allows the user to temporarily become another user.
  - Default user is root
- The "-" option makes the new shell a login shell.

sudo
- Users listed in /etc/sudoers execute commands with:
  - An effective user id of 0
  - Group id of root's group
- An administrator will be contacted if a user not listed in /etc/sudoers attempts to use sudo.

Network Users
- Information about users may be centrally stored and managed on a remote server.
- Two types of information must always be provided for each user account.
  - Account information: UID number, default shell, home directory, group memberships, and so on.
  - Authentication: a way to tell that the password provided on login for an account is correct.

Authentication Configuration
- system-config-authentication
  - GUI tool to configure authentication
  - For text-based tool, use –nox option
- Supported account information services:
  - (local files), NIS, LDAP, Hesiod, Winbind
- Supported authentication mechanisms:
  - (NSS), Kerberos, LDAP, SMB, Winbind

Example: NIS Configuration
- Must install ypbind and portmap RPMs
- Run system-config-authentication
  - Enable NIS to provide User Information
  - Specify NIS Server and NIS domain name
  - Keep default authentication (through NSS)
- What does this actually do?
  - Four text-based configuration files are changed.

Example: LDAP Configuration
- Must install nss_ldap and openldap RPMs
- Run system-config-authentication
  - Enable LDAP to provide User Information
  - Specify server, the search base DN and TLS
  - Enable LDAP to provide Authentication
- What does this actually do?
  - Four text-based configuration files are changed.

File Ownership
- Every file has both user and group "ownership"
- A newly created file will be owned by:
  - The user who creates it
  - The current primary group of that user
    - SGID directories may change this behavior
- The chown command can be used by root to change ownership.

Linux File Permissions
- Access levels
- Access modes
- Flags indicate access mode for each access level
- File mode is a concise collective expression of flags' values.

SUID/SGID Executables
- Normally processes started by a user run under the user and group security context of that user.
- The SUID and/or SGID bit set on an executable file causes it to run under the user and/or group security context of the file's owner and/or group.

Default File Permissions
- Read and write for all is the default for files.
- Read, write and execute is the default for directories.
- umask can be used to withhold permissions on file creation.
- Non-system users' umask is 002
  - Files will have permission of 664
  - Directories will have permission of 775
  - Supports user private groups
- System users' umask is 022

The Setgid Access Mode
- Normally, files created in a directory belong to the default group of the user.
- When a file is created in a directory with the setgid bit set, it belongs to the same group as the directory.

SELinux
- Each process or object (file, directory, network socket) also has a SELinux context.
  - identity:role:domain/type
- The SELinux policy controls
  - What identities can use which roles
  - What roles can enter which domains
  - What domains can access which types.

Access Control Lists (ACLs)
- Grant RWX access to files to multiple users or groups
  - mount -o acl
  - getfacl file|directory
  - setfacl -m u:gandolf:rwx file|directory
  - setfacl -m g:nazgul:rw file|directory
  - setfacl -m d:u:frodo:rw directory
  - setfacl -x u:samwise file|directory

Controlling SELinux
- system-config-securitylevel
- setenforce and setsebool
- /etc/sysconfig/selinux
- enforcing=0
- /selinux virtual file system

SELinux Contexts
- List process contexts: ps -Z
- List file contexts: ls -Z
- Change file contexts: chcon
  - chcon -t httpd_sys_content_t index.html
  - chcon --reference=/var/www/html index.html

Troubleshooting SELinux
- What is the error?
  - Check /var/log/messages for AVC denials
  - Is the process doing something it shouldn't?
- Does the target have the right context?
- Does a Boolean setting need adjustment?
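Reading AVC denials out of /var/log/messages is easier once they are grouped by source domain, target type and permission, which maps directly onto the questions above. The script below is an added example, not part of the course slides; the log lines are constructed and follow the kernel "avc: denied" message layout, which is an assumption about the host's log format.

```bash
#!/bin/sh
# Added example: summarise SELinux AVC denials from syslog-style input.

# Constructed sample of /var/log/messages (not from a real host).
sample_messages() {
    cat <<'EOF'
Jan 15 10:10:04 station1 kernel: audit(1105783804.519:0): avc:  denied  { getattr } for  pid=2316 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda2 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan 15 10:10:09 station1 kernel: audit(1105783809.102:0): avc:  denied  { getattr } for  pid=2317 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda2 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jan 15 10:11:40 station1 kernel: audit(1105783900.771:0): avc:  denied  { read write } for  pid=2316 exe=/usr/sbin/httpd name=upload.db dev=hda2 ino=12377 scontext=root:system_r:httpd_t tcontext=root:object_r:tmp_t tclass=file
Jan 15 10:12:00 station1 sshd[2400]: Accepted password for frodo from 192.0.2.10 port 40022 ssh2
EOF
}

# stdin: log lines. Prints one line per distinct denial:
#   <count> <source domain> -> <target type> <class> { <perms> } <target>
# The type is the third colon-separated part of the context
# (identity:role:type), so a trailing MLS level is ignored.
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        # Permissions are the words between the braces.
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)

        # Collect key=value tokens; strip quotes used by newer formats.
        split("", kv)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) {
                v = substr($i, eq + 1)
                gsub(/"/, "", v)
                kv[substr($i, 1, eq - 1)] = v
            }
        }
        split(kv["scontext"], s, ":")
        split(kv["tcontext"], t, ":")
        target = (kv["path"] != "") ? kv["path"] : kv["name"]

        key = s[3] " -> " t[3] " " kv["tclass"] " { " perms " } " target
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

sample_messages | summarize_avc
```

In the constructed sample the first summary line shows httpd_t blocked on a file under /var/www/html that carries type user_home_t, which is the "wrong target context" case that chcon -t httpd_sys_content_t addresses.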

Unit 8: Printing and Administration Tools

CUPS Overview
- New IPP protocol based on HTTP/1.1
  - Web administration interface on port 631
  - Can communicate with LPD print servers
- System V and BSD command interface
- Classes support automatic job redirection and printer pooling
- Authentication by user/host/digital certificate
- Log files in web server Common Log Format
- Print queue design
  - program -> lp -> cupsd -> filter -> printer

CUPS Configuration Files
- /etc/cupsd.conf
  - cupsd server configuration file
  - Similar syntax to Apache httpd.conf file
- /etc/cups/printers.conf
  - Print queue configuration file
  - Automatically generated by lpadmin, system-config-printer or the CUPS web administration interface.

CUPS Queue Management
- system-config-printer
- system-config-printer-tui
- Web interface: http://localhost:631/
  - To authenticate, user must be a member of the SystemGroup (sys by default) listed in /etc/cupsd.conf
  - Connection is not encrypted
- lpadmin: command line tool for printer administration

cron
- Used to schedule recurring events
- Use crontab to edit, install, and view job schedules
- Syntax
  - crontab [-u user] file
  - crontab [-l|-r|-e]
    - -l lists crontab
    - -r removes crontab
    - -e edits crontab using $EDITOR

Controlling Access to cron
- Restrict/allow user access to cron
  - /etc/cron.allow
  - /etc/cron.deny
- Contain usernames to allow/deny access.

System crontab files
- Different format than user crontab files
- Master crontab file /etc/crontab runs executables in
  - /etc/cron.hourly
  - /etc/cron.daily
  - /etc/cron.weekly
  - /etc/cron.monthly
- /etc/cron.d/ directory contains additional system crontab files.

System cron job: tmpwatch
- Cleans old files out of specified directories
- Useful for keeping /tmp directory from filling up
- tmpwatch is run daily in /etc/cron.daily

System cron Job: logwatch
- Monitor with logwatch
  - Helps catch problem issues
  - Detects suspicious behavior
- logwatch is run daily in /etc/cron.daily
- Configuration file:
  - /etc/log.d/conf/logwatch.conf
- Sends nightly email report
- Other tools

System Cron Job: logrotate
- Prevents log files from getting too large
  - Keeps log files from getting too large
  - Keeps filesystem from filling up
- logrotate is run daily in /etc/cron.daily
- Highly configurable
  - Configure all logs in /etc/logrotate.conf
  - Configure individual log files in files within /etc/logrotate.d

syslog Configuration
- The syslog System V initialization script in /etc/rc.d/init.d controls both the syslogd and the klogd daemons
- /etc/syslog.conf
  - Configures system logging
- /etc/sysconfig/syslog
  - Sets switches used when starting syslogd and klogd from the System V initialization scripts

Tape Drives
- SCSI tape devices (i.e., DDS, DLT)
  - /dev/[n]st0, /dev/[n]st1, etc.
  - Devices with 'n' do not automatically rewind
- Use the mt utility to control tape drive
  - mt -f /dev/st0 rewind    (Rewind)
  - mt -f /dev/st0 fsf 50    (Position)
  - mt -f /dev/st0 offline   (Eject)
  - mt -f /dev/st0 erase     (Erase)
  - mt -f /dev/st0 rewoff    (Rewind, Eject)

Using tar/star
- Archives to tapes or other media or files
- star backs up SELinux context and ACL attributes
- Parameters:
  - c create
  - t list
  - x extract
  - v verbose
  - z gzip compression
  - j bzip2 compression
- Examples:
  - cd /tmp && tar xvf ~/archive.tar
  - tar cvf /dev/st0 /data /foo /bar

Using dump/restore
- Back up and restore ext2/3 filesystems
  - Does not work with other filesystems
  - dump should only be used on unmounted filesystems or filesystems that are read only
- Can do full or incremental backups
- Examples
  - dump -0u -f /dev/nst0 /dev/hda2
  - restore -rf /dev/nst0

Using cpio
- Similar to tar
  - Does not recurse directories by itself
  - Can archive special files
  - Piping output from find into cpio is common
- Examples:
  - find /data | cpio -ocv > /dev/nst0
  - cpio -icdvm < /dev/nst0
  - cpio -tvf < mybackup.cpio

Remote Backups
- dump and tar can use rmt (remote tape manager)
  - dump -0uf joe@svr:/dev/nst0 /home
- Use user@host:path format to specify the remote user, host and device.
- dump can use ssh for secure backups when the RSH environment variable is set to ssh.

Other backup software
- Higher-level applications for tape backup include:
- Amanda
  - Highly-scalable command-line client-server archiver included with RHEL
- Commercial applications
  - Arkeia, Bru, Tivoli, Veritas (client), UniBACK, ArcServe

Unit 9: The X Window System

Xorg: The X11 Server
- Foundation for the Redhat Enterprise Linux graphical user interface (GUI)
- Open Source implementation of X11
- Client/Server architecture
  - Relies on networking
    - IP or local UNIX domain sockets
  - Designed as one server to many clients
  - Highly flexible protocol

Xorg Server Design
- System video hardware I/O management
  - Display, video and input device coordination
  - Core server: /usr/X11R6/bin/Xorg
  - Enhanced by dynamically loaded modules
    - Drivers: ati, nv, mouse, keyboard, etc.
    - Extensions: dri, glx and extmod
  - Font rendering
    - Native server: xfs
    - Fontconfig/Xft libraries

XOrg Server Configuration
- Typically configured after installation
- Post-install configuration:
  - Best results while in runlevel 3!
  - system-config-display
    - Options:
      - --noui
      - --reconfig
    - Stored in /etc/X11/xorg.conf

XOrg Modularity
- The X server and its clients may be individually configured and combined
  - Server extensions provide enhanced rendering capabilities
    - To view server capabilities: xdpyinfo
  - Display managers
    - gdm, kdm and xdm
  - Window managers
    - metacity, kwin and twm

Server and Client Relationship
[Diagram: Window Manager, Application, Xorg Server, Display Manager, Console]

Xorg in runlevel 3
- Two methods to establish the environment
  - /usr/X11R6/bin/xinit
  - /usr/X11R6/bin/startx
- Environment configuration
  - /etc/X11/xinitrc and ~/.xinitrc
  - /etc/X11/xinit/Xclients and ~/.Xclients
  - /etc/sysconfig/desktop

XOrg in runlevel 5
- Environment established by /sbin/init
- Environment configuration
  - /etc/inittab
  - /etc/X11/prefdm
  - /etc/sysconfig/desktop
    - DESKTOP defines the window manager
    - DISPLAYMANAGER defines the display manager
  - /etc/X11/xdm/Xsession
    - /etc/X11/xinitrc.d/*
      - ~/.xsession or ~/.Xclients

Configuration Utilities
- Server:
  - system-config-display, mouseconfig
- Fonts and typefaces
  - xfs, chkfontpath, fc-cache
- Display and window managers
  - switchdesk, /etc/sysconfig/desktop, gconftool-2

Remote X sessions
- X protocol communication is unencrypted
- Host-based sessions implemented through the xhost command
- User-based sessions implemented through the Xauthority mechanism.
- sshd may automatically install xauth keys on remote machine
  - Tunnels X protocol over secure encrypted ssh connection

Unit 10: Advanced Filesystem Management

Software RAID Configuration
- Create and define RAID device using mdadm
  - mdadm -C /dev/md0 -l 0 -n 2 /dev/hda5 /dev/hda7
- Format each RAID device with a filesystem
  - mke2fs -j /dev/md0
- Test the RAID devices
- mdadm allows you to check the status of your RAID devices
  - mdadm --detail /dev/md0

Software RAID Recovery
- Simulating disk failure
  - mdadm /dev/md0 -f /dev/sda1
- Recovering from a software RAID disk failure
  - Replace the failed hard drive and power on
  - Reconstruct partitions on the replacement drive
  - mdadm /dev/md0 -a /dev/sda1
- mdadm, /proc/mdstat, and syslog messages

Converting LVM1 to LVM2
- RHEL 4 uses the LVM2 format for metadata
  - More compact
  - Supports transactional changes and replication
  - Human readable and editable in an emergency
- Existing LVM1 volumes can be converted to LVM2 with the vgconvert command
  - vgconvert -M2 vg0
  - Converts the volume group vg0 from LVM1 to LVM2

Creating Logical Volumes
- Create physical volumes
  - pvcreate /dev/hda3
- Assign physical volumes to volume groups
  - vgcreate vg0 /dev/hda3
- Create logical volumes from volume groups
  - lvcreate -L 256M -n data vg0
  - mke2fs -j /dev/vg0/data

Resizing Logical Volumes
- lvextend and ext2online can extend mounted ext2/3 filesystems.
  - lvextend first grows the logical volume
  - You cannot shrink mounted filesystems.
- Physical volumes may be added to or removed
  - vgextend vg0 /dev/sdb1
  - pvmove /dev/hda3
  - vgreduce vg0 /dev/hda3

The Linux Quota System
- Overview
  - Implemented within kernel
  - Enabled on a per-filesystem basis
  - Individual policies for groups or users
    - Limit by number of blocks or inodes
    - Implement both soft and hard limits
- Initialization
  - Partition mount options: usrquota, grpquota
  - Initialize database: quotacheck

The Linux Quota System (cont.)
- Implementation
  - Start or stop quotas: quotaon, quotaoff
  - Edit quotas directly: edquota username
  - From a shell
    - setquota username 4086 5120 40 50 /foo
  - Define prototypical users:
    - edquota -p user1 user2

The Linux Quota System (cont.)
- Reporting
  - User inspection: quota
  - Quota overviews: repquota
  - Miscellaneous utilities: warnquota

Unit 11: Troubleshooting

Unit 11: Agenda
- Troubleshooting strategies
- Things to check
- Boot procedures
- Rescue environment

Troubleshooting
- Treat the problem as a symptom
- Gather data by identifying other problems
- Identify what still works
- Form a hypothesis about what is wrong
- Check log files for supporting evidence
- Back up config files before editing them

Things to Check: X
- Never debug X while in runlevel 5!
- Try system-config-display first
- X -probeonly
- Is /home or /tmp full, or has the user reached a hard quota?
- Is xfs running?

Things to Check: Networking
- Hostname resolution
  - dig www.redhat.com
- IP configuration
  - ifconfig
- Default gateway
  - route -n
- Module specification
- Device activation

Order of the Boot Process
- Bootloader configuration
- Kernel
- /sbin/init
  - Starting init
    - /etc/rc.d/rc.sysinit
    - /etc/rc.d/rc, /etc/rc.d/rc?.d
  - Entering runlevel X
    - /etc/rc.d/rc.local
    - X

Filesystem Corruption
- Common after crash or improper shutdown
- ext2 mounted for writing marked "dirty"
  - If not mounted or mounted read only, "clean"
  - If not mounted and "dirty", may be corrupted
  - Repair requires exhaustive check
- ext3 usually marked "clean"
  - Journal indicates if recovery is needed
  - Only need to check files recorded in journal

Filesystem recovery
- If / has journal, kernel examines it at boot
- /etc/rc.d/rc.sysinit runs fsck on filesystems marked in /etc/fstab
- fsck is a front end to other programs
- A "failed" fsck must be run manually

Recovery Run-Levels
- Pass run-level to init
  - On boot from GRUB splash screen
- Runlevel 1
  - Process rc.sysinit and rc1.d scripts
- Runlevel s, S or single
  - Process only rc.sysinit
- Emergency
  - Run sulogin only

Rescue Environment
- Required when root filesystem is unavailable
- Non-system specific
- Boot from CDROM (boot.iso or CD #1)
- Boot from diskboot.img on USB key

Rescue Environment Utilities
- Disk maintenance utilities
- Networking utilities
- Miscellaneous utilities
- Logging: /tmp/syslog or /tmp/anaconda.log

Rescue Environment Details
- Filesystem reconstruction
  - Anaconda will ask if filesystems should be mounted
    - Watch for error messages
    - /mnt/sysimage/*
    - /mnt/source
    - $PATH includes hard drive's directories
  - Filesystem nodes
    - System-specific device files provided
      - mknod knows major/minor #'s

End of Unit 11
- Questions and Answers
- Summary
  - What are some things to check for X problems?
    - Service problems?
    - Networking problems?
    - Boot problems?
  - How might you repair an ext2 filesystem?
  - What are some alternate boot methods?