RH133 Redhat Enterprise Linux System Administration


Unit 1

Installation

Hardware Overview

Kernel Support

Core support: CPU, memory, process management, interrupt/exception handling, etc.

Dynamically Loadable Kernel Modules

Device Drivers

Additional Functionality

User Mode Access to kernel facilities

System Calls and Signals

Filesystem Device Nodes

Network Interfaces

Are not accessed through a device node but instead are accessed through a “network interface” abstraction.

CPU and Memory

Seven supported architectures: x86, Itanium2, AMD64/EM64T, S/390, zSeries, iSeries, pSeries.

CPU Support on x86

Technical support for more than 2 physical CPUs only on the AS variant (may use Hyper-Threading)

Up to 32 physical CPUs with the SMP or hugemem kernel.

Memory support on x86

Technical support for more than 16 GB on AS or WS

Standard i686/athlon kernel: 4GB

SMP i686/athlon kernel: 16GB

Hugemem SMP kernel: 64GB

Preparing to Install

Read the RELEASE-NOTES file on the first CD or at http://www.redhat.com

Check Hardware Compatibility

Redhat Supported Hardware List

Hardware compatible with Redhat Linux

http://hardware.redhat.com/hcl

XFree86 supported video cards:

http://xorg.freedesktop.org

http://www.x.org/wiki

Multiboot systems

Redhat Enterprise Linux and the GRUB boot loader can co-exist with other operating systems, including the following:

Windows NT/2000/XP/2003

DOS, Windows 3.x/9x/ME

NetBSD, FreeBSD and other open systems.

Two major issues arise when implementing multiboot systems: partitioning and the boot process.

A boot loader such as System Commander or NTLDR is already on the system and will launch GRUB as a secondary boot loader.

Device Node Examples

Block devices:

hd[a-t]      IDE devices

sd[a-z]+     SCSI devices

fd[0-7]      standard floppy drives

md[0-31]     software RAID metadisks

loop[0-15]   loopback devices

ram[0-9]     ramdisks

Character devices:

tty[0-31]    virtual consoles

ttyS[0-9]+   serial ports

lp[0-3]      parallel ports

null         infinite sink (the bit bucket)

zero         infinite source of zeros

[u]random    sources of random information

fb[0-31]     framebuffer devices

Symbolic links:

/dev/cdrom --> /dev/hd[a-t], /dev/sd[a-z]+

/dev/modem --> /dev/ttyS[0-9]+

/dev/pilot --> /dev/ttyS[0-9]+

The RHEL Installer

First Stage Installer Images

diskboot.img - VFAT filesystem image for bootable media larger than a floppy

You will need to use the dd command to move this image to your media. For instance:

dd < diskboot.img > /dev/sda

Floppy installation is no longer supported.

boot.iso - ISO9660 bootable CD image

Booting from boot.iso is the same as passing the askmethod argument to the installer when booting from CD 1.

You can create a bootable CD using the cdrecord command. For instance:

cdrecord dev=/dev/hdc boot.iso

pxeboot Directory

Pre-boot Execution Environment (PXE) provides for a diskless installation.

Read /usr/share/doc/syslinux-2.11/pxelinux.doc

Second Stage Installer

Graphical or textual

Can be invoked in noprobe or Kickstart mode

Once located and loaded by the first stage, drives the remainder of the installation process.

Installer Features

noprobe and Kickstart modes available

mediacheck tests media integrity

Multiple Interfaces:

Graphical

Starts X server and a GUI installer

Can be started in lowres mode.

Works with hard drive, CDROM, NFS Installation

Graphical is the default

Text

Menu-based terminal interface

Works with all installation methods (including ftp and http)

RHEL Installation Overview

Language, Keyboard and mouse selection

Media selection if applicable

Disk partitioning

Bootloader configuration

Network and firewall configuration

Authentication Setup

Package Selection

X server configuration

Partitioning Hard Drives

Hard drives are divided into partitions.

Partitions normally contain file systems.

Primary, extended and logical partitions

The default filesystem is ext3

Multiple partitions may be assembled into larger virtual partitions: software RAID and LVM

Filesystems are accessed via a mount point, which is a designated directory in the file system hierarchy.

Software RAID

Redundant Array of Inexpensive Disks

Multiple partitions on different disks combined into one RAID device

Fault tolerance, larger disk size, performance

Install-time RAID levels:

RAID 0: striping (no redundancy)

RAID 1: mirroring

RAID 5: striping with distributed parity

Configuring File Systems

Must select mount points, partition sizes, and file system types in the installer

Can set up manually or automatically

There are many layouts which may be used

/ must include /etc, /lib, /bin, /sbin, /dev

Swap space is typically 2x physical RAM

Typical mount points: /boot, /home, /usr, /var, /tmp, /usr/local, /opt

Network Configuration

Can configure each NIC independently

DHCP or static IP configuration

Determine if automatically activated on boot

LVM: Logical Volume Manager

Manages storage on one or more partitions as virtual partitions, or logical volumes

Real partitions are physical volumes and are assigned to a volume group (a virtual disk)

Disk space in the volume group is divided into extents which are assigned to a logical volume

Easy to resize logical volumes

Add a physical volume to the volume group and assign the new extents to the logical volume.

Firewall Setup

Installer can set up a kernel mode stateful packet filter

Choice of two settings: “Enabled” and “No Firewall”

“Trusted Devices” can bypass the firewall

Can allow access to arbitrary services.

Security Enhanced Linux

Access control determines what actions processes can perform on what objects

Discretionary Access Control (traditional Linux)

Users control permissions on objects

Mandatory Access Control (SELinux)

System policy restricts permission which can be granted.

SELinux Installation Options

Installation Options:

Disabled

Warn (Permissive)

Active (default) (Enforcing)

Package Selection


Universally (“Everything”)

By predefined components

Defined in RedHat/base/comps.xml

Individually

Validating Installation

Virtual consoles during installation

Post-boot validation

dmesg and /var/log/dmesg

/var/log/messages

/root/install.log

GRUB drops to a prompt if there is a problem loading files.

noprobe Mode and Driver Disks

Method for supporting hardware newer than the install program

Used at install time for less common hardware

Prompt for Driver Disk

When run in noprobe mode

When started with: linux dd

When no PCI devices are detected.

Post-Install Configuration

Setup Agent (firstboot)

Configure X window System if necessary

Set date and time

Register with Redhat Network and get updated RPMs

Install additional RPMs or Redhat documentation from CDROM

Set up users; system-config-* configuration tools

Unit 2

System Initialization and Services

Boot Sequence Overview

BIOS initialization

Boot Loader

Kernel initialization

init starts and enters desired run level by executing:

/etc/rc.d/rc.sysinit

/etc/rc.d/rc and /etc/rc.d/rc?.d

/etc/rc.d/rc.local

X Display Manager if appropriate

BIOS initialization

Peripherals detected

Boot device selected

First sector of boot device read and executed

Boot Loader Components

Boot Loader

1st stage - small, resides in MBR or boot sector

2nd stage - loaded from boot partition

Minimum Specifications for Linux:

Label, kernel location, OS root filesystem and location of the initial ramdisk (initrd)

Minimum specification for other OS:

Boot device, label

GRUB and grub.conf

GRUB – The Grand Unified Bootloader

Command-line interface available at boot prompt

Boot from ext2/ext3, ReiserFS, JFS, FAT, minix, or FFS filesystems

Support MD5 password protection

/boot/grub/grub.conf

Changes to grub.conf take effect immediately

If the MBR on /dev/hda is corrupted, reinstall the first stage bootloader with:

/sbin/grub-install /dev/hda

Starting the Boot Process: GRUB

Image selection

Select with space followed by up/down arrows on the boot splash screen

Argument passing

Change an existing stanza in menu editing mode

Issue boot commands interactively on the GRUB command line

init Initialization

init reads its config: /etc/inittab

Initial run level

System initialization scripts

Run level specific script directories

Trap certain key sequences

Define UPS power fail/restore scripts

Spawn gettys on virtual consoles

Initialize X in run level 5

Kernel Initialization

Kernel boot time functions

Device detection

Device driver initialization

Mounts root filesystem read only

Loads initial process (init)

/etc/rc.d/rc.sysinit

Important tasks include:

Activates udev and SELinux

Sets kernel parameters in /etc/sysctl.conf

Sets the system clock

Loads keymaps

Enables swap partitions

Sets hostname

Root filesystem check and remount

Activates RAID and LVM devices

Enable disk quotas

Check and mount other filesystems

Cleans up stale locks and PID files.

System V run levels

Run level defines which services to start

Each run level has a corresponding directory

/etc/rc.d/rcX.d

The system V init scripts reside in:

/etc/rc.d/init.d

Symbolic links in the run level directories call the init.d scripts with a start or stop argument.

Daemon Processes

A daemon process is a program that is run in the background, providing some system service

Two types of daemons:

Standalone

Transient – Controlled by the “Super-daemon”

xinetd

/etc/rc.d/rc

initializes the default run level per the /etc/inittab initdefault line, such as

id:3:initdefault:

l0:0:wait:/etc/rc.d/rc 0

l1:1:wait:/etc/rc.d/rc 1

l2:2:wait:/etc/rc.d/rc 2

l3:3:wait:/etc/rc.d/rc 3 <--- (run level 3)

l4:4:wait:/etc/rc.d/rc 4

l5:5:wait:/etc/rc.d/rc 5

l6:6:wait:/etc/rc.d/rc 6

/etc/rc.d/rc.local

Run after the run level specific scripts

Common place for custom modification

In most cases it is recommended that you create a System V init script in

/etc/rc.d/init.d unless the service you are starting is so trivial it doesn’t warrant it.

Existing scripts can be used as a starting point.

Virtual Consoles

Multiple independent VT100-like terminals

Defined in /etc/inittab

Accessed with Ctrl-Alt-Fn from an X session

/dev/ttyN: virtual console N

/dev/tty0: the current virtual console

Default RedHat Enterprise Linux Configuration

12 consoles defined

Consoles 1-6 accept logins

X server starts on the first available console, usually 7.

Controlling Services

Utilities to control default service startup

system-config-services: graphical utility that requires an X interface

ntsysv: ncurses-based utility usable in virtual consoles

chkconfig: a fast, versatile command line utility that works well and is usable with scripts and Kickstart installations

Utilities to control services manually

service: immediately start or stop a standalone service

chkconfig: immediately starts and stops an xinetd-managed service.

System Shutdown

Shutting down the system

shutdown -h now

halt

poweroff

init 0

System Reboot

Rebooting rarely fixes problems in Linux

If you feel a reboot is necessary, try bringing the system down to runlevel 1 and then back up to runlevel 3 or 5. This is much faster than a reboot.

Rebooting the system:

shutdown -r now

reboot

init 6

Unit 3

Kernel Services and Configuration

Kernel Modules

Modular kernel components

Components that need not be resident in the kernel for all configurations and hardware

Peripheral device drivers

Supplementary filesystems

Modules configurable at load time

/lib/modules

Controlling Modules

lsmod, modprobe

Kernel Tainting

Kernel Module Configuration

Module examination: /sbin/modinfo

Parameters, license

Module Configuration: /etc/modprobe.conf

Aliases, parameters, actions

Module Dependencies: modules.dep, depmod

Manual control: insmod, rmmod

The /proc filesystem

/proc is a vital filesystem containing information about the running kernel

Contents of “files” under /proc may be viewed using cat

Example

cat /proc/interrupts

Provides information on system hardware, networking settings and activity, memory usage, and more.

The /proc filesystem, cont’d

/proc subdirectories

The /proc/sys subdirectory allows administrators to modify certain parameters of a running kernel.

/proc/sys configuration with sysctl

/proc/sys modifications are temporary and not saved at system shutdown

The sysctl command manages such settings in a static and centralized fashion:

/etc/sysctl.conf

sysctl is called at boot time by rc.sysinit and uses the settings in /etc/sysctl.conf

General Hardware Resources

dmesg and /var/log/dmesg

kudzu

/etc/sysconfig/hwconf

/usr/share/hwdata/

/proc filesystem

hwbrowser

System Bus Support

PCI Bus

/sbin/lspci

/proc/bus/pci

ISA Bus

/proc/isapnp

Hotswappable Bus Support

USB and IEEE 1394 Buses

/sbin/hotplug, (/etc/hotplug/)

Information in /proc/bus subdirectories

/sbin/lsusb and /sbin/usbmodules utilities

USB devices in /dev/usb

PCMCIA Bus

/sbin/cardmgr, (/etc/pcmcia/)

Information in /proc/bus/pccard

/sbin/cardctl utility

System Monitoring and Process Control

top, gnome-system-monitor - display snapshot of processes

vmstat - reports virtual memory stats

iostat - lists information on resource usage, including I/O statistics

free - summary of system memory usage

renice - change priority of a process

kill - send system signal to a process

Unit 4

Filesystem Management

System Initialization: Device Recognition

Master Boot Record (MBR) contains:

Executable code to load operating system

Space for partition table information, including:

Partition id and type

Starting cylinder for partition

Number of cylinders for partition

Disk Partitioning

An extended partition points to additional partition descriptors

Total maximum number of partitions supported by the kernel:

63 for IDE drives

15 for SCSI drives

Why partition drives?

Containment, performance, quotas, recovery

Managing Partitions

Create partition using:

fdisk, sfdisk

GNU parted – Advanced partition manipulation

(create, copy, resize, etc)

partprobe - reinitializes the kernel’s in-memory version of the partition table.

Managing Data: Filesystem creation

mkfs, mkfs.ext2, mkfs.ext3, mkfs.minix, mkfs.msdos

Specific filesystem utilities may be called directly:

mke2fs [options] device

Journaling for ext2 filesystems: ext3

ext3 is essentially an ext2 filesystem that uses a journal for file transactions automatically.

ext3 filesystems can be created natively or easily converted from ext2

Ext3 has three journaling modes:

Ordered – the default, journals only meta-data

Journaled – Journals data as well as meta-data

Writeback - journal updates are not automatic, but gives better performance at the possible expense of data integrity.

Managing data: mount

mount [options] [device] [mount_point]

device (or filesystem label) points to the filesystem to mount.

mount_point is the directory under which the files on the filesystem will be located.

Managing Data: mount options

-t vfstype (vfat, ext2, ext3, iso9660, etc.)

Not normally needed

-o options

Default options for the ext2/ext3 filesystem:

rw, suid, dev, exec, auto, nouser, and async

Managing Data: Unmounting

Filesystems

umount [options] device | mnt_point

A filesystem “in use” may not be unmounted

Use fuser to check and/or kill processes

Use the remount option to change a mounted filesystem’s options “automatically”:

mount -o remount,ro /data

Managing Data: Filesystem Labels

Alternate way to refer to devices

Device independent

e2label <special_dev_file>

mount [options] LABEL=fslabel mount_point

Managing Data: mount, by example

Sample filesystem requirements met using options:

Disabling execute access

Mounting a filesystem image

Mounting a PC-compatible filesystem.

Disabling access time updates.

Setting up a mount alias

Managing Data: Connecting Network Resources

Mounting NFS resources

Requires hostname or address of server

Requires name of exported directory

Mounting SMB resources

Requires hostname and address of server

Requires share name

May require username and password

Managing Data: /etc/fstab

Configuration of the filesystem hierarchy

Used by mount, fsck, and other programs

Maintains the hierarchy between system reboots

May use filesystem volume labels in the device field
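As an added example (not part of the RH133 material), a small shell audit of /etc/fstab that reports mount points missing the noexec/nosuid/nodev options which the mount-options section shows are absent from the ext3 defaults; the sample fstab and the per-mount-point policy in required_opts_for are constructed here.

```shell
#!/bin/sh
# Constructed /etc/fstab sample (not from a real host); /tmp and /home are the weak entries.
FSTAB_SAMPLE='LABEL=/        /      ext3  defaults              1 1
LABEL=/boot    /boot  ext3  defaults              1 2
LABEL=/tmp     /tmp   ext3  defaults              1 2
LABEL=/home    /home  ext3  defaults,nosuid       1 2
none           /proc  proc  defaults              0 0
/dev/hda3      swap   swap  defaults              0 0'

# Options a given mount point should carry (constructed policy). With the ext3 defaults
# (rw,suid,dev,exec,auto,nouser,async) none of these are set, so "defaults" alone fails.
required_opts_for() {
    case "$1" in
        /tmp|/var/tmp) echo "noexec nosuid nodev" ;;
        /home)         echo "nosuid nodev" ;;
        *)             echo "" ;;
    esac
}

# Read fstab text on stdin and print one line per missing option:
#   <mount_point> missing <option>
# Comment lines, blank lines and swap entries are skipped.
audit_fstab() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        if [ "$fstype" = "swap" ]; then continue; fi
        for want in $(required_opts_for "$mnt"); do
            case ",$opts," in
                *",$want,"*) ;;                                   # option present
                *) printf '%s missing %s\n' "$mnt" "$want" ;;     # option absent
            esac
        done
    done
}

# Number of findings for the constructed sample (4: three on /tmp, one on /home).
fstab_findings() {
    printf '%s\n' "$FSTAB_SAMPLE" | audit_fstab | wc -l | tr -d ' '
}
```

On a real host run `audit_fstab < /etc/fstab`; the policy table is the part to adapt to the layout chosen in the installer.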

Managing Data: The auto-Mounter

System administrator specifies mount points to be controlled by the automounter daemon process.

The automounter monitors access to these directories and mounts the filesystem on request.

Filesystems automatically unmounted after a specified interval of inactivity.

Enable /etc/auto.net to “browse” all NFS exports on the network.

ext2/ext3 Filesystem Attributes

ext2 and ext3 support attributes that affect the manipulation of the file data.

lsattr displays file attributes; chattr changes file attributes

Some attributes are not currently supported by the Linux kernel.

Virtual Memory

Swap space is a supplement to system RAM

Basic setup involves:

Create swap partition or file

Write special signature using mkswap

Add appropriate entries to /etc/fstab

Activate swap space with swapon -a

Filesystem Maintenance

Maintaining consistency with fsck

Filesystems checked at boot up

sulogin session started if errors are severe

lost+found

tune2fs, dumpe2fs, debugfs, parted

Adding a Drive

Physically connect the new drive

Create partitions

If required, reread partition table with partprobe

Verify with fdisk -l and cat /proc/partitions

Create filesystems for new partitions, or

Write signature to new swap partitions

Optionally create disk label

Create any needed mount points

Add new entries to /etc/fstab

Unit 5

Network Configuration

Device Recognition

All drivers for network interface cards are built as modules

Networking scripts reference logical interface names, e.g.:

eth0

/etc/modprobe.conf maps logical names to specific module names

Example:

alias eth0 3c59x

Network Interfaces

Interface names:

Ethernet:   eth0, eth1, ethN

Token Ring: tr0, tr1, trN

FDDI:       fddi0, fddi1, fddiN

PPP:        ppp0, ppp1, pppN

Data link layer addresses

ifconfig

mii-tool

Views and controls the negotiated media speed (100baseTX, 10baseT) of some ethernet cards.

Useful for forcing specific ethernet speed and duplex settings

Changes with mii-tool should be made on inactive interfaces.

ifconfig

Used to configure and set IP address on network interfaces

Not usually called directly, but by other scripts

Also used to view properties of active and inactive network interfaces.

ifup/ifdown

ifup interface

ifdown interface

Start and Stop network interfaces

Take care of details specific to interface

Changing/adding/deleting routes

Obtains addresses as needed

BOOTP, DHCP

Interface configuration file

ifcfg-xxx

Located in:

/etc/sysconfig/network-scripts/

Configuration methods

static, dhcp, bootp

Configuration Utilities

netconfig

Text-based network configuration tool

Only writes config files. Does not activate device or changes. Use ifup/ifdown to activate changes

Used by kudzu when new network card found at boot time.

system-config-network

GNOME-based network configuration tool

Can be launched by a non-privileged user, but requires authentication as root.

Binding multiple IP addresses

Use multiple IP addresses on a NIC

Virtual interface(s)

For a small number of IPs, create an ifcfg file for each virtual interface:

ifcfg-ethX:xxx

For a large number of IPs, create an ifcfg range file:

ifcfg-ethX-rangeX

DHCP/BOOTP

The dhclient daemon manages client-side DHCP and BOOTP

For DHCP, dhclient:

Obtains a lease

Performs automatic lease renewal

Normally run by ifup/ifdown

Can be run manually to force renewal or release of a lease

Global Network Parameters

/etc/sysconfig/network

NETWORKING=yes|no

HOSTNAME=<fqdn by default>

GATEWAY=<gateway IP>

NISDOMAIN=<nis domain name>

Default Route

Global default defined in:

/etc/sysconfig/network

GATEWAY=xxx.xxx.xxx.xxx

Default gateway can also be defined in

/etc/sysconfig/network-scripts/ifcfg-XXX

ifcfg-xxx default overrides the global default route

GATEWAY=xxx.xxx.xxx.xxx

Static Routes

Connected networks

Linux kernel automatically creates a network route for connected networks

Static routes defined per interface

/etc/sysconfig/network-scripts/route-eth0

/etc/sysconfig/networking/devices/eth0.route

Display with:

route -n

netstat -rn

Name Resolution

hostname - display or set the system’s name

Is initially set by rc.sysinit from $HOSTNAME variable

/etc/sysconfig/network

/etc/hosts - local database of hostname to IP address mappings

Checked before DNS

Useful for small isolated networks

DNS client configuration

/etc/resolv.conf

Defines which name servers to use

Servers are checked in order listed

DNS Utilities

Useful utilities in the bind-utils RPM package include:

host: gather host/domain information

host ns1.redhat.com

host -a redhat.com

dig: send queries to a name server directly

dig @ns1.redhat.com mx redhat.com

nslookup

Network diagnostics

ping: network packet loss and latency measurement tool

traceroute, mtr: display network path to a destination

netstat: multi-purpose network information tool

Unit 6

RPM and Kickstart

The RPM Way

Package installation is never interactive

Applies to all software (core OS and addons)

No such thing as a patch to a package

RPM Package Manager

RPM Components

local database

rpm and related executables

package files

Primary functions

install/remove, query, verify, build

Installing and Removing Software

Primary RPM options:

Install: rpm -i, --install

Upgrade: rpm -U, --upgrade

Freshen: rpm -F, --freshen

Erase: rpm -e, --erase

Output Options: -v, -h

URL support: ftp:// (with globbing), http://

Many other install-options are available to address special cases.

Updating a Kernel RPM

Make sure to install kernel updates

Do not use rpm -U or rpm -F!

rpm -ivh kernel-version.arch.rpm

Boot new kernel to test

Revert to old kernel if a problem arises; rpm -e kernel-olderversion if no problems

rpm queries

Syntax:

rpm -q what_packages what_information

Installed package options:

rpm -qa lists installed packages

rpm -qf filename shows owning package

rpm -qi package_name shows general information

rpm -ql package_name lists files in package

Uninstalled Package Options

rpm -qip package_file.i386.rpm

rpm -qlp package_file.i686.rpm

rpm verification

Installed RPM file Verification:

rpm -V package_name

rpm -Vp package_file.i386.rpm

rpm -Va

Signature verification BEFORE package install:

rpm --import gpg_key

rpm --checksig package_file.i386.rpm
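An added example, not from the course: triaging rpm -Va output so edited config files (marker c) are separated from changed binaries and libraries, which are the findings that matter for integrity checking. The output sample is constructed, and the rpm 4.x column layout (flag string, optional file-type marker, path) is assumed.

```shell
#!/bin/sh
# Constructed `rpm -Va` output (sample data, not from a real host). Columns: attribute flags
# (S size, M mode, 5 MD5 digest, D device, L link, U user, G group, T mtime), an optional
# file-type marker (c = config, d = doc, ...), then the path. "missing" replaces the flags
# when the file is gone.
RPMV_SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/pkg-1.0/README
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing      /sbin/ifconfig
....L....    /usr/lib/libcrypto.so.4'

# Classify each verification line read from stdin:
#   noise     - a config file that was edited (expected on any administered host)
#   mtime     - only the timestamp changed; size and digest still match the package
#   CRITICAL  - a non-config file whose contents, mode, owner, link target or presence changed
# Output: "<class> <path> <flags>"
triage_rpm_verify() {
    awk '
    NF < 2 { next }
    {
        flags = $1
        if (NF >= 3) { marker = $2; path = $3 } else { marker = ""; path = $2 }
        if (flags == "missing")            cls = "CRITICAL"
        else if (marker == "c")            cls = "noise"
        else if (flags ~ /[5SMLUGD]/)      cls = "CRITICAL"
        else if (flags ~ /T/)              cls = "mtime"
        else                               cls = "ok"
        printf "%s %s %s\n", cls, path, flags
    }'
}

# Only the paths that need a human, one per line.
critical_paths() {
    triage_rpm_verify | awk '$1 == "CRITICAL" { print $2 }'
}
```

rpm -V trusts the local RPM database and the rpm binary itself; on a suspected compromise, verify against a known-good database or from rescue media.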

Other RPM Utilities and Features

rpm2cpio: file extraction

rpmdb-redhat: distribution database

rpm --redhatprovides filename

rpm --redhatprovides capability

system-config-packages

Automatic Dependency Resolution

Automatic installation of dependent packages

Invoked with the --aid option

Use in conjunction with rpmdb-redhat

Macro can indicate where package files are found.

RedHat Network (RHN)

RHN Components

RHN Account

System identity

/usr/sbin/up2date

rhnsd daemon and queued actions

Advantages

Errata concurrency

Collective and remote administration

Bare metal provisioning

RHN in the Enterprise

Management Entitlements

System grouping

Multiple administrators

Proxy Server

Updates cached locally conserving bandwidth

Private channels

Satellite Server

Client profiles stored locally

Custom channel management

Provisioning Module

RHN Registration

/usr/sbin/up2date

username, password, system name

Remote Information

Hardware Profile

Software Profile (RPM list)

Subscribed Channel

Local Digital Certificate

/etc/sysconfig/rhn/systemid

The up2date utility

Interactive or batch invocations

Functions

Freshen with published errata/updates

Install new packages

Resolve package dependencies

/usr/sbin/up2date-config

Install or download only

Cache dir: /var/spool/up2date

Remote Administration

Web based administration https://rhn.redhat.com

Queuing of actions

Local polling: rhnsd

Every 4 hours by default

Tuned in /etc/sysconfig/rhnsd

/usr/sbin/rhn_check does the hard work.

Network Installation Server

Necessary for network-based Installs

Often faster than CDROM-based installation methods

Provides an easy distribution platform for the enterprise

Shares the Redhat directory via NFS, FTP and/or HTTP

Using Kickstart to automate Installation

Kickstart is a component of the installer that automates installation

Kickstart supports all installation methods.

The installer reads information from an ASCII file rather than prompting for it

Kickstart files can be made available via floppy, cdrom, hard disk, initrd, nfs, ftp and http. They can also be dynamically generated using cgi scripts and specified using dhcp/pxe.

Kickstart: Commands Sections

Constructs arguments that are passed to configuration utilities (“commands”)

The absence of required specifications (e.g., keyboard) will raise the appropriate utility.

Commands section must come first.

Kickstart: %packages

%packages specifies component groups and RPMs to install.

Component groups in the comps.xml file are specified with @ component-group

Third party RPMs cannot be specified without modifying hdlist

Package names only (not version).

Kickstart: %pre, %post

%pre gives you the first word

Executes as a bash shell script

Executes after kickstart file is parsed

%post gives you the final word

Can specify interpreter (bash is default)

chroot’ed by default, but may be run without chroot.

Unit 7

User Administration

User Policy Considerations

Amount of system access outside of user’s account

Determine “need to know”

Expiration of passwords and accounts

Disk usage and CPU limits

User Account Database: /etc/passwd

Contains account information used at login and by other programs

One account per line with seven colon-delimited fields

Should have permission rw-r--r--

Adding a New User Account

Most common method is useradd:

useradd username

Running useradd is equivalent to:

Edit /etc/passwd, /etc/shadow, /etc/group

Create and populate home directory

Set permissions and ownership

Set account password using passwd

Accounts may be added in a batch with newusers.

User Private Groups

When user accounts are created, a private group is also created with the same name.

Users are assigned to this private group.

User’s new files are affiliated with this group.

Advantage: Prevents new files from belonging to a “Public” group.

Disadvantage: may encourage making files “world-accessible”

Group Administration

Entries to /etc/group

groupadd, groupmod, groupdel

Modifying/Deleting Accounts

To change fields in a user’s /etc/passwd entry you can:

Edit the file by hand

Use usermod [options] username

To remove a user either:

Manually remove the user from /etc/passwd, /etc/shadow, /etc/group, /var/spool/mail

Use userdel [-r] username

Password Aging Policies

By default, passwords do not expire.

Forcing passwords to expire is part of a strong security policy.

Modify default expiration settings in

/etc/login.defs

To modify password aging for existing users, use the chage command:

chage [options] username
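An added example (not part of the original slides) that checks the two databases described above and under /etc/passwd: seven fields and shadowed passwords in /etc/passwd, UID 0 reserved for root, and no empty or never-expiring passwords in /etc/shadow. Both files are constructed samples with fake hashes; the 99999-day PASS_MAX_DAYS default from /etc/login.defs is assumed.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow samples (fake accounts and placeholder hashes).
# "backup" reuses UID 0, "broken" has six fields, "bob" has an empty password field, and
# root/backup have hashes that never expire.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
backup:x:0:502:Backup:/home/backup:/bin/bash
broken:x:503:503:Broken:/home/broken'
SHADOW_SAMPLE='root:$1$saltsalt$CONSTRUCTEDHASH:12345:0:99999:7:::
bin:*:12345:0:99999:7:::
alice:$1$saltsalt$CONSTRUCTEDHASH:12345:0:90:7:::
bob::12345:0:99999:7:::
backup:$1$saltsalt$CONSTRUCTEDHASH:12345:0::7:::'

# Check /etc/passwd (stdin): seven colon-delimited fields, every password shadowed ("x"),
# and UID 0 reserved for root. Prints "<finding> <account>" per problem.
audit_passwd() {
    awk -F: '
    NF != 7                 { print "malformed " $1; next }
    $2 != "x"               { print "unshadowed " $1 }
    $3 == 0 && $1 != "root" { print "uid0 " $1 }'
}

# Check /etc/shadow (stdin): no empty password field (login without a password) and no
# usable hash (starts with $) whose maximum age is unset or the 99999-day default.
audit_shadow() {
    awk -F: '
    $2 == ""                                 { print "empty_password " $1; next }
    $2 ~ /^\$/ && ($5 == "" || $5 >= 99999)  { print "never_expires " $1 }'
}

# Total findings over the constructed samples (5).
account_findings() {
    { printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
      printf '%s\n' "$SHADOW_SAMPLE" | audit_shadow; } | wc -l | tr -d ' '
}
```

Accounts flagged never_expires are the ones to hand to chage; a locked "*" or "!" entry is deliberately not reported.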

Login Shell Scripts

/etc/profile

/etc/profile.d/*.sh

~/.bash_profile

~/.bashrc

/etc/bashrc

Non Login Shell Scripts

~/.bashrc

/etc/bashrc

/etc/profile.d/*.sh

Switching Accounts

Syntax:

su [-] [user]

su [-] [user] -c command

Allows the user to temporarily become another user.

Default user is root

The “-” option makes the new shell a login shell.

sudo

Users listed in /etc/sudoers execute commands with:

An effective user id of 0

Group id of root’s group

An administrator will be contacted if a user not listed in /etc/sudoers attempts to use sudo.

Network Users

Information about users may be centrally stored and managed on a remote server.

Two types of information must always be provided for each user account.

Account Information: UID number, default shell, home directory, group memberships, and so on.

Authentication: a way to tell that the password provided on login for an account is correct.

Authentication Configuration

system-config-authentication

GUI tool to configure authentication

For text-based tool, use the --nox option

Supported account information services:

(local files), NIS, LDAP, Hesiod, Winbind

Supported authentication mechanisms:

(NSS), Kerberos, LDAP, SMB, Winbind

Example: NIS Configuration

Must install ypbind and portmap RPMs

Run system-config-authentication

Enable NIS to provide User Information

Specify NIS Server and NIS domain name

Keep default authentication (through NSS)

What does this actually do?

Four text-based configuration files are changed.

Example: LDAP Configuration

Must install nss-ldap and openldap RPMs

Run system-config-authentication

Enable LDAP to provide User Information

Specify server, the search base DN and TLS

Enable LDAP to provide Authentication

What does this actually do?

Four text-based configuration files are changed.

File Ownership

Every file has both user and group “ownership”

A newly created file will be owned by:

The user who creates it

The current primary group of that user

SGID directories may change this behavior

The chown command can be used by root to change ownership.

Linux File Permissions

Access levels

Access modes

Flags indicate access mode for each access level

File mode is a concise collective expression of flags’ values.

SUID/SGID Executables

Normally processes started by a user run under the user and group security context of that user.

SUID and/or SGID bit set on an executable file cause it to run under the user and/or group security context of the file’s owner and/or group.

Default File Permissions

Read and write for all is the default for files.

Read, write and execute is the default for directories.

umask can be used to withhold permissions on file creation.

Non-system users’ umask is 002

Files will have permission of 664

Directories will have permission of 775

Supports users private groups

System User’s umask 022

The Setgid Access Mode

Normally, files created in a directory belong to the default group of the user.

When a file is created in a directory with the setgid bit set, it belongs to the same group as the directory.

SELinux

Each process or object (file, directory, network socket) also has an SELinux context:

identity:role:domain/type

The SELinux policy controls

What identities can use which roles

What roles can enter which domains

What domains can access which types.

Access Control Lists (ACLs)

Grant rwx access to files for multiple users or groups

mount -o acl

getfacl file|directory

setfacl -m u:gandolf:rwx file

setfacl -m g:nazgul:rw file

setfacl -m d:u:frodo:rw directory

setfacl -x u:samwise file

Controlling SELinux

system-config-securitylevel

setenforce and setsebool

/etc/sysconfig/selinux

enforcing=0 (kernel boot parameter)

/selinux virtual file system

SELinux Contexts

List process contexts: ps –Z

List file contexts: ls –Z

Change file contexts: chcon

chcon -t httpd_sys_content_t index.html

chcon --reference=/var/www/html index.html

Troubleshooting SELinux

What is the error?

Check /var/log/messages for AVC denials

Is the process doing something it shouldn’t?

Does the target have the right context?

Does a Boolean setting need adjustment?
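Added here as a worked example of the first troubleshooting step (it is not part of the course material): a shell/awk parser that pulls the denied permission, source type, target type and class out of AVC lines in /var/log/messages and aggregates them, so the "wrong target context" case (httpd_t reading user_home_t) stands out. The log excerpt is constructed and the RHEL4-era message format is assumed.

```shell
#!/bin/sh
# Constructed /var/log/messages excerpt (sample data, not a real host). Two denials are the
# classic wrong-context case from the chcon example, one is a port bind, one line is not AVC.
AVC_SAMPLE='Jan 12 10:15:02 station1 kernel: audit(1105542902.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=hda2 ino=65219 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 12 10:15:02 station1 kernel: audit(1105542902.124:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/alice/public_html/index.html" dev=hda2 ino=65219 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 12 10:16:40 station1 sshd[2410]: Accepted publickey for alice from 192.168.0.10 port 51022 ssh2
Jan 12 10:17:05 station1 kernel: audit(1105542905.811:47): avc:  denied  { name_bind } for  pid=2501 comm="httpd" scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket'

# Reduce each AVC denial on stdin to one summary line:
#   <source type> <permission> <target type> <class> comm=<program>
# The type is the last colon-separated part of the identity:role:type context.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; comm = ""; st = ""; tt = ""; tc = ""
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)      # text between "{ " and " }"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { n = split(kv[2], c, ":"); st = c[n] }
            if (kv[1] == "tcontext") { n = split(kv[2], c, ":"); tt = c[n] }
            if (kv[1] == "tclass")   tc = kv[2]
        }
        printf "%s %s %s %s comm=%s\n", st, perm, tt, tc, comm
    }'
}

# Aggregate: how often each source type was denied on each target type, most frequent first.
# Output: "<count> <source type> -> <target type>"
count_denials() {
    summarize_avc | awk '{ k[$1 " -> " $3]++ } END { for (x in k) print k[x], x }' | sort -rn
}
```

A source domain repeatedly denied on a type it is not meant to touch (httpd_t on user_home_t) points at the "right context?" question; a denial on a type it normally uses points at a Boolean or a process misbehaving.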

Unit 8

Printing and Administration Tools

CUPS Overview

New IPP protocol based on HTTP/1.1

Web administration interface on port 631

Can communicate with LPD print servers

System V and BSD command interface

Classes support automatic job redirection and printer pooling

Authentication by user/host/digital certificate

Log files in web server Common Log Format

Print Queue Design

program -> lp -> cupsd -> filter -> printer

CUPS Configuration Files

/etc/cups/cupsd.conf

 cupsd server configuration file

Similar syntax to Apache httpd.conf file

/etc/cups/printers.conf

Print queue configuration file

Automatically generated by lpadmin, system-config-printer or the CUPS web administration interface.

CUPS Queue Management

 system-config-printer
 system-config-printer-tui

Web interface: http://localhost:631/

To authenticate, the user must be a member of the SystemGroup (sys by default) listed in /etc/cups/cupsd.conf

Connection is not encrypted

lpadmin - command line tool for printer administration

cron

Used to schedule recurring events

Use crontab to edit, install, and view job schedules

Syntax

 crontab [-u user] file
 crontab [-l|-r|-e]

-l lists crontab

-r removes crontab

-e edit crontab using $EDITOR

Controlling Access to cron

Restrict/allow user access to cron

/etc/cron.allow

/etc/cron.deny

Contain usernames to allow/deny access.
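Added example, not from the RH133 slides: the allow/deny decision crontab makes from these two files, reproduced as a shell function that can be pointed at a test directory instead of the live /etc. It assumes that cron.allow takes precedence when both files exist and, where neither file exists, that every user is allowed; that last default is build-dependent (see crontab(1)), so check it on your own system.

```shell
# Added example (not part of the RH133 slides).
# cron_access <user> [dir]  -> prints "allow" or "deny"
# Assumptions: cron.allow wins over cron.deny when both exist; with neither
# file present all users are allowed (build-dependent, see crontab(1)).
cron_access() {
    user=$1
    dir=${2:-/etc}
    if [ -f "$dir/cron.allow" ]; then
        # allow list present: only the names in it may use crontab
        grep -qx "$user" "$dir/cron.allow" && echo allow || echo deny
    elif [ -f "$dir/cron.deny" ]; then
        # deny list only: everyone except the names in it may use crontab
        grep -qx "$user" "$dir/cron.deny" && echo deny || echo allow
    else
        echo allow
    fi
}

# Constructed fixture: exercise both files in a temporary directory and
# return the four decisions as one line.
cron_access_demo() {
    d=$(mktemp -d) || return 1
    printf 'alice\nbob\n' > "$d/cron.deny"
    r1=$(cron_access alice "$d")    # listed in cron.deny        -> deny
    r2=$(cron_access carol "$d")    # not listed anywhere        -> allow
    printf 'carol\n' > "$d/cron.allow"
    r3=$(cron_access carol "$d")    # cron.allow now decides     -> allow
    r4=$(cron_access dave "$d")     # absent from cron.allow     -> deny
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

cron_access_demo
```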

System crontab files

Different format than user crontab files

Master crontab file /etc/crontab runs executables in

/etc/cron.hourly

/etc/cron.daily

/etc/cron.weekly

/etc/cron.monthly

/etc/cron.d/ directory contains additional system crontab files.

System cron job : tmpwatch

Cleans old files out of specified directories

Useful for keeping the /tmp directory from filling up

tmpwatch is run daily from /etc/cron.daily

System cron Job: logwatch

Monitor with logwatch

Helps catch problem issues

Detects suspicious behavior

logwatch is run daily from /etc/cron.daily

Configuration file:

/etc/log.d/conf/logwatch.conf

Sends nightly email report

Other tools

System Cron Job: logrotate

Keeps log files from getting too large

Keeps filesystem from filling up

logrotate is run daily from /etc/cron.daily

Highly configurable

Configure all logs in /etc/logrotate.conf

Configure individual log files in files within

/etc/logrotate.d

syslog Configuration

 syslog System V initialization script in /etc/rc.d/init.d controls both the syslogd and the klogd daemons

/etc/syslog.conf

Configures system logging

/etc/sysconfig/syslog

Sets switches used when starting syslogd and klogd from the System V initialization Scripts

Tape Drives

SCSI tape devices (e.g., DDS, DLT)

/dev/[n]st0, /dev/[n]st1, etc.

Devices with ‘n’ do not automatically rewind

Use the mt utility to control tape drive

 mt -f /dev/st0 rewind     (rewind)
 mt -f /dev/st0 fsf 50     (position: skip forward 50 files)
 mt -f /dev/st0 offline    (eject)
 mt -f /dev/st0 erase      (erase)
 mt -f /dev/st0 rewoffl    (rewind, eject)

Using tar/star

Archives to tapes or other media or files

star backs up SELinux context and ACL attributes

Parameter:

 c  create
 t  list
 x  extract
 v  verbose
 z  gzip compression
 j  bzip2 compression

Examples:

 cd /tmp && tar xvf ~/archive.tar

tar cvf /dev/st0 /data /foo /bar

Using dump/restore

Back up and restore ext2/3 filesystems

Does not work with other filesystems

dump should only be used on unmounted filesystems or filesystems that are read only

Can do full or incremental backups

Examples

 dump -0u -f /dev/nst0 /dev/hda2
 restore -rf /dev/nst0

Using cpio

Similar to tar

Does not recurse directories by itself

Can archive special files

Piping output from find into cpio is common

Examples:

 find /data | cpio -ocv > /dev/nst0
 cpio -icdvm < /dev/nst0
 cpio -tvf < mybackup.cpio

Remote Backups

dump and tar can use rmt (remote tape manager)

 dump -0uf user@host:/dev/nst0 /home

Use the user@host:path format to specify the remote user, host and device.

dump can use ssh for secure backups when the RSH environment variable is set to ssh.

Other backup software

Higher-level applications for tape backup include:

Amanda

Highly-scalable command-line client-server archiver included with RHEL

Commercial applications

Arkeia, Bru, Tivoli, Veritas (client), UNiBACK, ArcServe

Unit 9

The X Window System

Xorg: The X11 Server

Foundation for the Redhat Enterprise Linux graphical user interface (GUI)

Open Source implementation of X11

Client/Server Architecture

Relies on networking

IP or Local UNIX domain-sockets

Designed as one server to many clients

Highly flexible protocol

Xorg Server Design

System video hardware I/O Management

Display, video and input device coordination

Core server: /usr/X11R6/bin/Xorg

Enhanced by dynamically loaded modules

Drivers: ati, nv, mouse, keyboard, etc.

Extensions: dri, glx and extmod

Font Rendering

Native server: xfs

Fontconfig/Xft libraries

XOrg Server Configuration

Typically configured after installation

Post-install configuration:

Best results while in runlevel 3!

system-config-display

Options:

--noui

--reconfig

Stored in /etc/X11/xorg.conf

XOrg Modularity

The X server and its clients may be individually configured and combined

Server extensions provide enhanced rendering capabilities

To view server capabilities: xdpyinfo

Display Managers

 gdm, kdm and xdm

Window Managers

 metacity, kwin and twm

Server and Client Relationship

[Diagram: Xorg server at the centre, connected to the display manager, window manager, application and console]

Xorg in runlevel 3

Two methods to establish the environment

/usr/X11R6/bin/xinit

/usr/X11R6/bin/startx

Environment configuration

/etc/X11/xinit/xinitrc and ~/.xinitrc

/etc/X11/xinit/Xclients and ~/.Xclients

/etc/sysconfig/desktop

XOrg in runlevel 5

Environment established by /sbin/init

Environment configuration

/etc/inittab

/etc/X11/prefdm

/etc/sysconfig/desktop

DESKTOP defines the window manager

DISPLAYMANAGER defines the display manager

/etc/X11/xdm/Xsession

/etc/X11/xinit/xinitrc.d/*

~/.xsession or ~/.Xclients

Configuration Utilities

Server:

 system-config-display, mouseconfig

Fonts and Typefaces

 xfs, chkfontpath, fc-cache

Display and Window Managers

 switchdesk, /etc/sysconfig/desktop, gconftool-2

Remote X sessions

X protocol communication is unencrypted

Host-based sessions implemented through the xhost command

User-based sessions implemented through the Xauthority mechanism.

sshd may automatically install xauth keys on remote machine

Tunnels the X protocol over a secure, encrypted ssh connection

Unit 10

Advanced Filesystem Management

Software RAID Configuration

Create and define the RAID device using mdadm

 mdadm -C /dev/md0 -l 0 -n 2 /dev/hda5 /dev/hda7

Format each RAID device with a filesystem

 mke2fs –j /dev/md0

Test the RAID devices

mdadm allows you to check the status of your RAID devices

 mdadm --detail /dev/md0

Software RAID Recovery

Simulating disk failure

 mdadm /dev/md0 -f /dev/sda1

Recovering from a software RAID disk failure

Replace the failed hard drive and power on

Reconstruct partitions on the replacement drive

 mdadm /dev/md0 -a /dev/sda1

Monitor progress with mdadm, /proc/mdstat, and syslog messages

Converting LVM1 to LVM2

RHEL4 Uses the LVM2 format for metadata

More compact

Supports transactional changes and replication

Human readable and editable in an emergency

Existing LVM1 volumes can be converted to LVM2 with the vgconvert command

 vgconvert -M2 vg0

Converts the volume group vg0 from LVM1 to LVM2

Creating Logical Volumes

Create physical volumes

 pvcreate /dev/hda3

Assign physical volumes to volume groups

 vgcreate vg0 /dev/hda3

Create logical volumes from volume groups

 lvcreate -L 256M -n data vg0
 mke2fs -j /dev/vg0/data

Resizing Logical Volumes

 lvextend and ext2online can extend mounted ext2/3 filesystems.

 Use lvextend first to grow the logical volume, then ext2online to grow the filesystem.

You cannot shrink mounted filesystems.

Physical volumes may be added to or removed from a volume group

 vgextend vg0 /dev/sdb1
 pvmove /dev/hda3
 vgreduce vg0 /dev/hda3

The Linux Quota System

Overview

Implemented within kernel

Enabled on a per-filesystem basis

Individual policies for groups or users

Limit by number of blocks or inodes

Implement both soft and hard limits

Initialization

Partition mount options: usrquota, grpquota

Initialize database: quotacheck

The Linux Quota System (cont.)

Implementation

Start or stop quotas: quotaon, quotaoff

Edit quotas directly: edquota username

From a shell

 setquota username 4086 5120 40 50 /foo

Define prototypical users:

 edquota -p user1 user2

The Linux Quota System (cont.)

Reporting

User inspection : quota

Quota overviews: repquota

Miscellaneous utilities: warnquota

Unit 11

Troubleshooting

Unit 11: Agenda

Troubleshooting Strategies

Things to check

Boot procedures

Rescue Environment

Troubleshooting

Treat the problem as a symptom

Gather data by identifying other problems

Identify what still works

Form a hypothesis about what is wrong

Check log files for supporting evidence

Backup config files before editing them

Things to Check: X

Never debug X while in runlevel 5!

Try system-config-display first

X -probeonly

Is /home or /tmp full, or has the user reached a hard quota?

Is xfs running?

Things to Check : Networking

Hostname resolution

 dig www.redhat.com

IP configuration

 ifconfig

Default gateway

 route -n

Module specification

Device activation

Order of the Boot Process

Bootloader configuration

Kernel

/sbin/init

Starting init

/etc/rc.d/rc.sysinit

/etc/rc.d/rc, /etc/rc.d/rc?.d

Entering runlevel X

/etc/rc.d/rc.local

X

Filesystem Corruption

Common after a crash or improper shutdown

ext2 mounted for writing is marked "dirty"

If not mounted or mounted read only, “clean”

If not mounted and “dirty”, may be corrupted

Repair requires an exhaustive check

ext3 is usually marked "clean"

Journal indicates if recovery is needed

Only need to check files recorded in journal

Filesystem recovery

If / has journal, kernel examines it at boot

/etc/rc.d/rc.sysinit runs fsck on filesystems marked in the /etc/fstab

fsck is a front end to other programs

A “failed” fsck must be run manually

Recovery Run-Levels

Pass run-level to init

On boot from GRUB splash screen

Runlevel 1

Process rc.sysinit and rc1.d scripts

Runlevel s,S or single

Process only rc.sysinit

Emergency

Run sulogin only

Rescue Environment

Required when root filesystem is unavailable

Non-system specific

Boot from CDROM (boot.iso or CD #1)

Boot from diskboot.img on USB key

Rescue Environment Utilities

Disk Maintenance Utilities

Networking Utilities

Miscellaneous Utilities

Logging: /tmp/syslog or /tmp/anaconda.log

Rescue Environment Details

Filesystem reconstruction

Anaconda will ask if filesystems should be mounted

Watch for error messages

/mnt/sysimage/*

/mnt/source

$PATH includes hard drive’s directories

Filesystem nodes

System-specific device files provided

mknod knows major/minor numbers

End of Unit 11

Questions and Answers

Summary

What are some things to check for

X problems?

Service problems?

Networking problems?

Boot Problems?

How might you repair an ext2 filesystem?

What are some alternate boot methods?
